Concrete Security of the Blum-Blum-Shub Pseudorandom Generator

The asymptotic security of the Blum-Blum-Shub (BBS) pseudorandom generator has been studied by Alexi et al. and Vazirani and Vazirani, who proved independently that O(log log N) bits can be extracted on each iteration, where N is the modulus (a Blum integer). The concrete security of this generator has been analyzed previously by Fischlin and Schnorr and by Knuth. In this paper we continue to analyse the concrete security the BBS generator. We show how to select both the size of the modulus and the number of bits extracted on each iteration such that a desired level of security is reached, while minimizing the computational effort per output bit. We will assume a concrete lower bound on the hardness of integer factoring, which is obtained by extrapolating the best factorization results to date. While for asymptotic security it suffices to give a polynomial time reduction a successful attack to factoring, we need for concrete security a reduction that is as efficient as possible. Our reduction algorithm relies on the techniques of Fischlin and Schnorr, as well as ideas of Vazirani and Vazirani, but combining these in a novel way for the case that more than one bit is output on each iteration.

[1]  Victor Shoup On the Security of a Practical Identification Scheme , 1996, EUROCRYPT.

[2]  Vijay V. Vazirani,et al.  Efficient and Secure Pseudo-Random Number Generation , 1984, CRYPTO.

[3]  Arjen K. Lenstra,et al.  Selecting Cryptographic Key Sizes , 2000, Journal of Cryptology.

[4]  Ueli Maurer,et al.  Advances in Cryptology — EUROCRYPT ’96 , 2001, Lecture Notes in Computer Science.

[5]  Jonathan Katz,et al.  Efficiency improvements for signature schemes with tight security reductions , 2003, CCS '03.

[6]  Mihir Bellare Advances in Cryptology — CRYPTO 2000 , 2000, Lecture Notes in Computer Science.

[7]  Oded Goldreich,et al.  RSA and Rabin Functions: Certain Parts are as Hard as the Whole , 1988, SIAM J. Comput..

[8]  M. Rabin DIGITALIZED SIGNATURES AND PUBLIC-KEY FUNCTIONS AS INTRACTABLE AS FACTORIZATION , 1979 .

[9]  Mihir Bellare,et al.  The Exact Security of Digital Signatures - HOw to Sign with RSA and Rabin , 1996, EUROCRYPT.

[10]  Manuel Blum,et al.  A Simple Unpredictable Pseudo-Random Number Generator , 1986, SIAM J. Comput..

[11]  Oded Goldreich,et al.  Three XOR-Lemmas - An Exposition , 1995, Electron. Colloquium Comput. Complex..

[12]  Claus-Peter Schnorr,et al.  Stronger Security Proofs for RSA and Rabin Bits , 1997, Journal of Cryptology.

[13]  Rosario Gennaro,et al.  An Improved Pseudo-random Generator Based on Discrete Log , 2000, CRYPTO.

[14]  W. Hoeffding Probability Inequalities for sums of Bounded Random Variables , 1963 .

[15]  Andrew Chi-Chih Yao,et al.  Theory and application of trapdoor functions , 1982, 23rd Annual Symposium on Foundations of Computer Science (sfcs 1982).