Pseudo‐Random Number Generators

The material from the early part of this course relates to Chapters 1 and 3 of Goldreich. We will begin the course proper by discussing "pseudo-random number generators".

Recall the motivation from one-time pads. We have an n-bit random key K, but we wish we had a long random key. So we "stretch" K to K′ = G(K) using a pseudo-random number generator G, obtaining K′ of length l(n) > n. To an efficient adversary, K′ should "look" as if it had been chosen uniformly at random. Informally, a pseudo-random number generator is an efficiently computable function that, on an n-bit input, outputs a longer string, such that the probability distribution induced on the longer strings is indistinguishable from the uniform distribution from the point of view of any efficient algorithm. That is, the induced distribution passes every (efficient) statistical test.

A number generator is a polynomial-time computable function G : {0,1}* → {0,1}* such that |G(s)| = l(|s|) > |s| for some function l and every string s. For convenience we also insist that |s| is determined by l(|s|); that is, l is one-one. (G itself need not be one-one.) We also assume for convenience that l is monotone: n < m ⇒ l(n) < l(m).

The number generator G is pseudo-random if the following holds for every D. Let D (for "distinguisher") be a probabilistic polynomial-time algorithm with inputs of the form α ∈ {0,1}*; D has a 1-bit output indicating whether or not the input is accepted. For each n ∈ ℕ define

p_D(n) = the probability that D accepts when s is chosen uniformly from {0,1}^n and D is run on G(s);
r_D(n) = the probability that D accepts when α is chosen uniformly from {0,1}^{l(n)} and D is run on α.

Both probabilities are taken over the random choice of s or α and over D's own coin tosses. Then for every c > 0 and all sufficiently large n,

|p_D(n) − r_D(n)| ≤ 1/n^c.

(We may omit the subscript D if it is understood.) Note that D, given α of length l(n), is able (if he wants) to determine n. Since l is one-one, all he has to do is compute G on strings of length 0, 1, 2, ... until he computes a string whose length is the …
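As an added worked example (not part of these notes), the following Python script instantiates the definition above with the stretch function l(n) = 2n. It contains a deliberately bad generator G_repeat(s) = s‖s, a SHA-256 counter-mode generator G_hash that is merely assumed (not proven) pseudorandom, a distinguisher D_halves that recovers n from |α| exactly the way the notes describe (running G on 0^k for k = 0, 1, 2, ... until the output length matches) and accepts iff the two halves of α agree, and a Monte-Carlo estimate of p_D(n), r_D(n) and their gap. All function names are this example's own.

```python
"""Toy instance of the PRG definition (added example, not from the notes).

Bit strings are Python str objects over '0'/'1'.  The stretch function is
l(n) = 2n, which is strictly monotone and therefore one-to-one.  Nothing here
is a proof: the advantage is only *estimated*, for one concrete distinguisher
D at one input length n.
"""
import hashlib
import secrets


def ell(n: int) -> int:
    """Stretch function l(n) = 2n (monotone, hence one-to-one)."""
    return 2 * n


def random_bits(k: int) -> str:
    """Uniformly random k-bit string (the empty string when k == 0)."""
    return format(secrets.randbits(k), f"0{k}b") if k else ""


def G_repeat(s: str) -> str:
    """Deliberately bad generator: G(s) = s || s.  Right length, wrong distribution."""
    return s + s


def G_hash(s: str) -> str:
    """Heuristic generator: SHA-256 in counter mode, truncated to l(|s|) bits.
    Assumed (not proven) pseudorandom; it stands in for a 'good' G here."""
    out = ""
    ctr = 0
    while len(out) < ell(len(s)):
        digest = hashlib.sha256(f"{s}|{ctr}".encode()).digest()
        out += "".join(format(b, "08b") for b in digest)
        ctr += 1
    return out[: ell(len(s))]


def recover_n(G, output_len: int) -> int:
    """What D does on input alpha: run G on 0^k for k = 0, 1, 2, ... until
    |G(0^k)| == |alpha|.  Terminates because l is monotone; the answer is
    unique because l is one-to-one."""
    k = 0
    while True:
        m = len(G("0" * k))
        if m == output_len:
            return k
        if m > output_len:
            raise ValueError(f"{output_len} is not in the range of l")
        k += 1


def D_halves(G, alpha: str) -> bool:
    """Distinguisher: accept iff the two halves of alpha are equal.
    D is allowed to know G (the definition fixes G first), so it can use
    recover_n to find the halfway point."""
    n = recover_n(G, len(alpha))
    return alpha[:n] == alpha[n:]


def estimate(D, G, n: int, trials: int = 400):
    """Monte-Carlo estimate of p_D(n), r_D(n) and |p_D(n) - r_D(n)|."""
    p = sum(D(G, G(random_bits(n))) for _ in range(trials)) / trials
    r = sum(D(G, random_bits(ell(n))) for _ in range(trials)) / trials
    return p, r, abs(p - r)


if __name__ == "__main__":
    for name, G in (("G_repeat", G_repeat), ("G_hash", G_hash)):
        p, r, adv = estimate(D_halves, G, n=16)
        print(f"{name}: p_D(16)={p:.3f}  r_D(16)={r:.3f}  |p-r|={adv:.3f}")
```

For G_repeat the distinguisher accepts every generator output, while a uniform 32-bit string has matching halves with probability 2^-16, so the estimated gap is close to 1: producing the correct output length is not enough. For G_hash both estimates are close to 0. That shows only that this one D fails against G_hash; the definition quantifies over every probabilistic polynomial-time D and over all sufficiently large n, which no finite experiment can establish.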
