 We've looked at block ciphers for encrypting, say, 64 bits or 128 bits at a time. We mentioned, actually earlier, there is stream ciphers as well. Stream ciphers encrypt one bit or one byte at a time, and they usually have a slightly different design than the block ciphers, and related to them, random numbers. So we combine that topic of random numbers and stream ciphers together and we're starting with random numbers. Why do we care about random numbers? What's one reason we need random numbers for encryption and for cryptography? When you choose a key, okay, when you choose a key, a secret key, don't choose one just from your head or something that makes a pattern. Choose something that is hard for an attacker to guess, and that means choose random. So we assume that when we choose a secret key, it's randomly chosen, randomly chosen by a computer, not by you choosing a number between 0 and 10 in your head. But we need to understand how a computer generates a random number, because in the simplest form we can think a computer does whatever we program it to do, whatever we tell it to do is deterministic, and it doesn't do things randomly, okay? So it's not an easy problem to generate random numbers, they are difficult. So random numbers are important for security in a number of applications. One of them is generating keys, and we use an algorithm to generate these random numbers, we'll see. So if we don't have a good random number generator, then what an attacker can do, let's say we've got some software on my computer that generates random keys. If it's a poor implementation or a poor algorithm, then the attacker, when I generate my random key for my encryption, if it's a poor algorithm, then the attacker may be able to predict what key I used, without just having to guess all possible values, but predict based upon the random number generator I used. So it's very important to have good random number generators. Let's talk a bit about random numbers. Starting with some simple examples. Is this a random number? 27? Yes. Yes? Why do you say it's random? I just made it up. Are you sure? Maybe I was thinking about someone's birthday or their age. What, well we can't really say if this is random, we need to know a little bit more. Well, how did I select it? Where was it selected from? Was it selected from a set of values? Or maybe if you say 27, what if I select another random number? That's the second random number I select. Does that look random now? Maybe it doesn't look so random anymore. And if you see that the third number I select is also 27 and 27, if we look at a sequence of numbers now, then you may say, well that doesn't appear like a random sequence. We need to understand what is a random sequence and then eventually what algorithms can be used to generate such random sequences. I think we have an idea in our head what is random, but it's sometimes hard to measure that in order to find it. So let's consider in fact we don't look at an individual number and say is that number random. We look at a sequence of numbers in practice, a set of numbers and see is that sequence random. Another sequence appearing random yet? What do you notice about this sequence so far? Anything? Random? Why would you say random? The sequence doesn't make sense. What do you mean by doesn't make sense? How could our computer determine that? There's no equation that we can think of that could combine or show a pattern between those numbers. It may appear that it's random because there's no pattern that we can observe. We need to be careful here that even if you cannot observe a pattern, maybe someone else can observe a pattern. We care about not just whether something's observable. In this simple example, maybe we can't observe a pattern here, but we need to be a bit more precise that it doesn't necessarily mean it's a random sequence. There may be a pattern, you just can't see it. So we need measures to determine how well or how random a particular sequence here, not just on what you observe. Someone who generated this may be able to observe that there is a pattern. Maybe I had something in my head and I will not tell you that generated this sequence. So there's something about observability. What can we see? Well when we deal with computer generated sequences, we need to be very specific and be able to give statistics of the likelihood of particular numbers. An important thing about a random sequence is that given the past that the next value, what do you think it will be? Would be unpredictable is a nice property that we'd expect. The unpredictability of the next number in the sequence is important. Even if you observe these numbers, if you cannot predict what the next one is, then that's a good characteristic of that algorithm to use to generate these numbers. So let's consider the unpredictability, maybe an obvious one here. Do you want to predict the next number? Anyone want to? 26, why? Difference of 8. Okay, so in that case with these first three numbers, maybe, again we don't know for sure, but here we can think, well can we predict the next number based upon the old ones? So if we can, then that's not a good property of that sequence. So the predictability of numbers is important for security. It should be such that if the attacker can observe a sequence, they cannot predict the next value in the sequence, okay? Because if they can predict what the value is, they can maybe then predict what's the random key you're going to choose for your secret key. So predictability is another issue. Some other aspects of random numbers just by our example. Let's find an example from before. I just hope they'll fit on. Just print two random sequences of bits in this case. Might have to zoom out. The first sequence and the second sequence, right? Here's the first sequence and here's the second sequence of bits this time. What can you tell me about those two sequences? The first one, random, why would you say it's not random? 0 1, 0 1, 0 1, 0 1, okay? So we would say by observation that that's not a random if we think of it as sequence of bits. We generate those bits one at a time. If my algorithm that generated those bits created the first one as 0, all right, maybe it's random. The next one is 1, all right, maybe. But then it keeps going 0 1, 0 1. We think that the algorithm that generated that sequence is not generating a random sequence. The second one, it's not easy to observe any pattern in the second sequence. Can anyone observe a pattern? I don't think there's one. I think it was from the example generated randomly from memory. So that's the case where we can't observe a pattern. That's the first and the second. In the first one, it could be a random number, okay? If we think of this as one long number, we could say that's a random number. But if we think of it as sequence of bits, we'd say that sequence of bits is not random. It doesn't exhibit randomness. And one simple way to compare these two, the first sequence can be described with a few words. 0 1 repeated 32 times. I think there were 64 bits. So we could describe the first sequence as say that the words 0 1 repeated 32 times. The second sequence, it's hard to describe it without writing down the actual bits. I'd need to write down the 64 zeros and ones to describe the second sequence. So that's another measure of randomness. If we can describe a sequence in a shorter way than writing down the actual sequence, then that is considered does not exhibit randomness. So the first one can be, if I write down the sequence, the amount of characters I need to write, the first sequence compared to the second sequence, the first sequence I can write in less characters and get the same sequence. So that's another way that people compare and say is something random. The first one needs 20 characters or so, the second one needs a full 64 characters. What else if we look at those two sequences? Another way for a computer to check if those sequences are random, what could it do? What about this sequence? Can you write a piece of software that checks whether the third sequence is random or not? What would you do to check? That is, your software takes this sequence as input and it should return random or not random. What could you do? It's considering the third one first. That may be easier. Why would you say the third sequence is not random? What should we expect? Maybe I make it clear. Here we're dealing with binary zeros and ones. For a random sequence of bits, what would you expect in terms of zeros and ones? About the same number, equal number of zeros and ones. So one thing we could do as a check, count the number of zeros and ones. If there are about the equal number of zeros and ones, then maybe it is a random sequence. This third sequence would not pass that. It's 64 or however many it is, zeros and zero ones. So your software could check how many zeros and ones. We need about 50%. The longer the sequence, the more close it should be to 50% of zeros and ones. So there's one test. Count the number of zeros and ones. Apply that on the first sequence. It doesn't help. The first sequence has the same number of zeros and ones. So it's not as easy as just counting zeros and ones. Another thing we can count repetitions of bits or runs of bits. How many times do we have two ones in a row? How many times do we have three ones in a row? How many times do we have 10 ones in a row? In the third sequence, that would say, we have a sequence with 64 zeros in a row. We'd expect to have the same number of runs for both zeros and ones. And we'd expect to have a very low number of long-length runs. We shouldn't see 64 zeros in a row very often. So this is called a run, a run of zeros. And it's a very long one in this case. That should be very unlikely to see. So counting the number of runs is another way to look at whether exhibits randomness. How many times particular patterns repeat? So if we count the number of zeros and ones, there should be 50% of zeros and ones. Count the number of pairs of zeros, pairs of ones, or pairs of zero, one, pairs, one, zero, should be about 25% of each of those four values. Count the number of triples of zero, zero, zero, one, and down to one, one, one. So the thing is that there are tests to check if a particular sequence appears random. But none of them prove if a sequence is random. We don't get that far as saying this sequence is random. We just do some statistical tests and say, yes, it meets these conditions, so it's likely random. It's not necessarily provably random. When we say it's not necessarily truly random. We will say it's pseudo-random. It's close to random. And hence, we talk about pseudo-random numbers. Not true random numbers, but ones which appear to be random. And we'll look at algorithms for generating pseudo-random numbers, pseudo-random number generators. So after those quick examples, let's look at some of the principles and then look at some of the algorithms that are available for cryptography. Why do we care about random numbers in security? Because they're used in many different aspects of cryptographic algorithms. Used for key generation to generate a secret key for symmetric key block ciphers. A number of protocols we'll see mainly after the midterm about how to exchange keys, how to authenticate users, use random numbers. We've talked about symmetric key ciphers and we use a random number to generate the key. We'll see public key ciphers such as RSA also depend upon random numbers. We'll see in this type extreme ciphers use random numbers to encrypt. They're important in many different aspects of security. What is randomness? Well, we can think of, if we have a sequence of numbers, zeros and ones, it should be a uniform distribution that is an equal occurrence of zeros and ones. That's one measure. If it's not equal number of zeros and ones, then it does not exhibit randomness. But if it does, it doesn't necessarily mean it exhibits randomness. It's one criteria. Another thing that we often think about is independence is that we cannot work out what the next one will be based upon the past ones. Independence or it cannot be inferred and we talk about unpredictability. And that's a key part for security that given an algorithm that generates random numbers, it should be hard to predict what the next one comes out to be. We'll return to that when we see some examples of generating algorithms. We will distinguish between true random numbers and pseudo random numbers. A computer will normally generate pseudo random numbers. A computer does what we program it to do is deterministic. We can determine what the outcome will be. So something that's deterministic cannot produce something that's random. Something that's random we cannot determine the outcome of. What's the next number in the sequence? We said it should be unpredictable. We cannot determine it. But an algorithm will always be able to know what's the next one. So there's a conflict there. What we will see for cryptography is that we need algorithms that generate random numbers which appear to be random, or close to random. We'll call them pseudo random. True random number generators come from non-deterministic sources. Something that we have no way to determine what the next value will be. And they usually come from nature. So some of the sources is if you measure radiation, the level of radiation in the atmosphere, then as best as we understand that the variations of the radiation levels appear to be random. We say that's a true random number generator in that if we measure those random, those variations, we'll see, we'll count that as a true random sequence of values. Electronic devices, when they operate, they vibrate, they create noise. So the electronics on your phone, on your laptop, is actually, as it's operating, is generating some noise as output. So the characteristics of that noise is considered random as well. We cannot predict that. We have no, it's so complex that we say that's a true random source. So therefore, if we could measure that, if our computer could measure that, we could use that as a random number generator for our security applications. And that can be done in some cases. If you measure the noise that comes out of your, it comes into your headphones, your microphone jack on your laptop where you plugged your microphone in, you have nothing plugged in, but if you measure what the noise it's picking up, those measurements would appear random as well. Your mouse and keyboard activity, which is a common one used in operating systems, is considered random in some parts. That is, if you look at where you click on the screen over a long period of time, and you look at the timestamps of when you click that, every millisecond, every microsecond in which you click different points, then that can be sometimes considered as a sequence of random numbers, a true random number source. When you, or the time between clicks on keys, in some cases, can be considered as random operations. Now, not just over a short period of time, usually across a very long period of time under certain conditions. The input-output operations of your hard disk are on your computer. That is, every time you read a file, your hard disk seeks to a different position. So the time when it does that, when it seeks to different positions, so the exact microsecond or millisecond when your hard disk does different operations, they can be considered random. And in fact, operating systems use this information as a source of random numbers. The problem with getting all of these values into your computer is you need to measure something, usually physically. How do you measure radiation in an environment? Can your mobile phone measure that? You need a Geiger count or whatever, some device on there to measure that. If you did, the measurements could be used as a true random number source. But in practice, most devices don't have the equipment to do the measurements. So that's the issue here. So how do you measure the noise from the resistors on your motherboard? Again, in theory, it can be done, but in practice, most devices don't have the equipment to do the measurements. So they would produce what we call true random numbers, but they're very hard to use for general purpose applications. And the thing is that they often, we have to look over a very long period of time to consider them random. That is, over a short period of time, the set of numbers, the sequence that is produced is not very large. So inconvenient to use, and they do not produce many random numbers per second. I'll show you an example shortly. So in many cryptographic applications, we need an algorithm that implements a pseudo-random number generator. It generates, using software or hardware, a sequence of numbers, which we call pseudo-random. And that's what we look at. The algorithm has an input which we'll refer to as C, so we'll give some examples of that. We will talk about pseudo-random number generators, which generate a sequence of values. That is, if we take a pseudo-random number generator, we run it. It will just keep generating numbers as output, and we'll think of that as a sequence of numbers. Some cases we need to generate just one number, one random number, and the precise name there will use a pseudo-random function. And I think on your slides, I realize there's some word that the algorithm as a pseudo-random number generator produces a string of bits of some fixed length, is the bit at the bottom. PRNG generates a continuous sequence, a pseudo-random function, PRF generates just one value of fixed length. We'll look at pseudo-random number generators. A true random number generator takes some source of true randomness, like radiation levels, that goes from electronics and converts that into binary, converts it into bits which we can use in our computer. So we need a device normally to do that conversion, and it produces a sequence of bits that come out. We call that a random bit stream. A stream of bits come out. So equipment that does that is measuring some different sources, usually, and then producing zeros and ones that come out, and we can then use that for other purposes. A pseudo-random number generator uses an algorithm implemented in software or hardware that takes some initial value, which we'll call the seed, and that algorithm uses a seed and generates a pseudo-random bit stream. It just generates zeros and ones coming out, and often there's some looping that it comes back and keeps running the algorithm forever, generating zeros and ones out continuously. It's not a random bit stream because it's not coming from a true source of randomness. It's coming from an algorithm. The last one, which we will not talk about, a pseudo-random function, very similar, but just generates one value as output, not a stream of values, and we can use almost the same approach between the last two. So an example, a quick one, and then we'll explain what happens. On my computer, I need to somehow generate random numbers. How do I do that? Maybe you need to write some software that does some encryption, and you need to generate a random key. How are you going to do that in your favorite programming language? Has anyone generated random numbers before or called a function that generates random numbers? Type RAND. So different programming languages often have a function called RAND, or some variation of that. So you call the RAND function, and it returns some number. You call the RAND function again, and it returns another number. All right? Your computer engineers, maybe you need to write that software. Not to use the RAND function, but I ask you to write the RAND function. What are you going to write? Your task, write the RAND function and do implementation of the RAND function. What would it do? The function, you just call it, and it returns a number which should be part of a pseudo-random sequence. How would you implement that function? I know you're all good programmers. Are you checking on your phone? How are you going to implement it in Android or in iOS on your phone? A random number generator. No, I want you to implement the RAND function. Not use it. Write as this RAND function. Take time as input. Time for what? Time of your clock. So your computer has a clock. Take that as input. So your clock is random? No, your clock is just incrementing, isn't it? That doesn't appear random to me. So what are you going to do with that? What else could you take as input? Take a part of a file that what? So your code takes a file from your hard disk. So your code is find the file starting with or the top of the file list, the first in alphabetical order and then grab something from that file. Again, that's not random because it will always grab the same file if it's always at the top. So if you apply it many times, which file to grab? Grab a random file from your computer but you need to implement the RAND function to know which file to grab. Use the gyroscope. So use some equipment on your phone that measures something about the physical environment. So your phones do have equipment that can measure external sources. Now don't just measure the exact position right now but maybe over time measure positions and look how positions change and maybe look at every microsecond maybe the difference record the position now at this microsecond and maybe when it comes back to that exact same position after some microseconds what is the difference between those microseconds? Then maybe that starts to appear random. That is the same position at two different time points what is the difference in microseconds? And then the same but different position at two different time points what is the difference in microseconds? Those differences may start to appear random at least a lot less structured than the current approaches. But the point is use some external source. Most operating systems do that. So your operating system usually provides random numbers to your software. When you do call the RAND function it may use as an input something from the operating system. I can generate random numbers on my operating system by just saying show me the random value and if I keep going and look at those numbers we would see that it roughly appears random so just show me the random value that my operating system has at the time. It is actually a very simple algorithm that generates that as an equation that it calls. Every time I run that command it calculates from an equation and generates a value. It is only up to I think 64000, 0 to 64000. So if I do it many times it will eventually come back to the same number and we will see that the sequence will then repeat. And that is another issue. It will go through those 65000 values and then come back to the start with the same 65000 values and then the same 65000 values. So the way that we get to get a different set of 65000 values is we change the initial value called the seed. So our functions will have a seed which initializes it. So what we want for convenience we would like to use a software or hardware implementation of a random number generator. It will be able to generate a continuous stream of bits which exhibit randomness. Continuous maybe thousands, millions per second as many as we want basically. That may take an input or that will take an input to initialize this sequence. And that input is called the seed. And to initialize the sequence if we all initialize to the same value I choose zero as the initial value and you use zero and everyone else chooses zero as the initial value we all may get the same sequence. So that's a bad thing. So one thing that we should do is to choose a random value for that initial value. That is the initial value of our pseudo random number generator should in itself be random. So a practical way to do that is to use a true random number generator to generate that seed value. That is, you use your measuring device your gyroscope which is not so common but the measurements of noise of your hard disk operations your mouse and keyboard that is what's called the entropy source that is the physical things we measure a true random number generator combines all that data and produces a random number as output doesn't produce as many per seconds but it does produce a random number a true random number that is then used into the pseudo random number generator to generate many random numbers as output. So that's a common implementation used by operating systems and some software. If you don't have this first step then where do you get the seed from either the user-chooser or it's always the same value and if it's always the same value then we may not get the randomness that we want. So let's go direct to an example of a very simple algorithm that generates random pseudo random numbers it's used in the command I just run here so we'll go through the algorithm and then analyze the effectiveness and it's called the linear congruential generator LCG for short and it's a very simple equation that we'll use with some inputs and we'll see and try and evaluate how good it is. So the algorithm is here we generate a sequence and the next value in that sequence xn plus 1 is generated from taking the previous number in the sequence xn multiplying by some constant a adding some constant c and then modding by some modulus some other constant m a c and m are constants so fixed xn is the the pass value xn plus 1 is the next value in our sequence and we keep applying this and to generate a sequence of values a is the multiplier c is the increment we add m is the modulus here what we'll do is we'll go through some examples using this equation and I'll choose some specific values c and m and we'll see how good the sequence is and we need another fourth value to choose what's the first value of x x0 because the next value depends upon the past one we must start with some initial one and that's what we call the seed x0 let's consider some examples I'll choose the initial values you can work out the rest this is just to remind us xn plus 1 is a times xn plus some increment c mod by m so example 1 let's choose some initial values let's say a is the constant a is 1 keep it simple c is 1 m is 100 and I want you to generate the first maybe 5 or 10 numbers in that sequence using those constants and let's set the seed x0 47 let's say I did have a true random number source to generate the seed and it returned 47 now tell me the next value in the sequence what's x1 and then what's x2 x3 and so on write down the few of them it won't take long calculate x1 the answer at the back is our volunteer come down the front and tell us x1 you write it down and show the others calculate x1 what are you going to do for x1 look at the equation I've given you a, c and m so what are you going to do x1 100 x0 is 47 so xn is 47 1 is so a is 1 xn is 47 1 times 47, help me plus 1 mod 100 48 good, easy easiest calculation for this course simply 1 times the previous value 47 plus 1 100 x2 49 so and you can see the pattern I think we're just incrementing by 1 we can say our sequence in that case we started at 47 that was x0 if we write x as the sequence 47, 48 49 keeps going what's the highest number 99 and then what when we get 100, mod 100 it comes back to 0 so when we start with 0 then we add 1 and we'll go up to 1 and then it gets to what about, it gets to 46, what comes after 46 after 45 we get to 46 and then next is 46, 47 because the first value and then it's going to repeat so our sequence the last number in this sequence we can say is 46 because the next value is 47 and once we get back to the same value with this pseudo random number generator we're just going to generate the same sequence again so we get to 46, 47, 48 and just keep repeating this sequence so that's common with pseudo random number generators we'll repeat a sequence the length of that sequence is the period just a characteristic of this generator we can say this sequence has a period of 100 is it a good sequence if I say the first value is 47 48, 49, 50 is that a good pseudo random sequence do you think they look like random numbers no, very predictable so this is an example of using this algorithm that it doesn't produce random looking numbers it produces something very predictable but if we change some of the parameters we may get something different so let's try some different values of our initial A, C and M another example example 2 we set A to 7 make it easy C is 0 the increment is 0 M is 32 and to make it simple to calculate let's set the C to be 1 calculate the first few values or generate the entire sequence so I think you can for this one same algorithm is initial values we won't get a volunteer from the back so don't calculate X and X2 C is 0 so we can ignore that it's simply 7 times our past value mod 32 7 times 1 mod 32 gives us with 7 X2 7 times 7 49 mod 32 we're left over with 17 17 times 7 119 mod 32 20 23 7 times 23 161 mod 32 161 mod 32 is 1 5 times 32 is 160 so 161 mod 32 is 1 there's 1 left over we get back to our initial value X4 would be 1 in this sequence so if we want to write the unique sequence we can say it's in this case 1 7 17 23 a period of 4 those 4 numbers do they appear random do you see any pattern in those 4 numbers 6 10 6 is the difference between them or a 23 to 1 maybe not maybe not, depends on what you're looking for it's hard to tell with just 4 numbers we need a much longer sequence let's try one more example and then we'll discuss and compare some of the sequences generated and then we'll look at what we're trying to generate or what are the good properties of these sequences we'll change the multiplier the increment is still 0 the modulus is still 32 we multiply by 5 instead of 7 same seed what do you get the seed is the same as the previous example the seed is 1 1 times 5 mod 32 5 5 times 5 mod 32 25 times 5 125 mod 32 125 mod 32 I've got the answer 29 you'll check and generate the next few it's the 25 times 5 mod 32 29 times 5 mod 32 17 times 5 mod 32 21 13 we're going to finish we get back to the start there so that sequence that we generated the unique sequence there period of 8 which one's better example 2 or example 3 maybe sometimes it's hard to answer what's the difference or the period is one thing that we notice the longer the period the better the sequence in general doesn't mean the sequence is better but when we look at other statistics as well we generally want a long period that is we don't want to repeat if I want to generate a thousand numbers if I use the first instance I will get these four numbers all the time if I use the second I'll get at least another four so a longer period is better when we compare from that perspective if we have how do we get a longer period with this linear LCG what what parameter can give us a long period in this case what's the longest period we could get in LCG in theory what's the longest we could get it depends on mod m so it depends on m when we mod by m the numbers are always going to range between 0 and m-1 so the period can be the longest it can be is m so a parameter of this algorithm m should be set to be very large the larger the value of m the larger potential period of the sequence if it's 32 the period can be no longer than 32 if we set it to a million the period could be up to 1 million it may be less but it can in theory go up to 1 million so generally we set the value of m to be very large how large is very large on your computer well it depends usually on the implementation how do you store numbers if you store it as a 32 bit number for example so it depends upon your implementation but a common value is to store it as if you have a 32 bit operating system in the past now they're 64 bits but a 32 bit operating system you store a 32 bit number so 2 to the power of 32 is a large number that can be stored the other parameters it makes a difference as well here we had the same value of m but the multiplier gave us a longer period so we need to choose those carefully and if we choose the initial values long period but not a good random sequence so we need to carefully choose the multiplier and the increment here and make the modulus as large as possible both sequences don't have easily observable patterns maybe there's differences here but in this case 4, 20 4 what's the difference here if we wrap around 20 is it 4 what are we doing wrapping around here 20 if you do look at the difference there you see it's repeating the parameters is important the last point with this example because it's an easy one to calculate if we change the seed what happens same parameters, different seed instead of 1 start with 3 3 times 5 mod 15 mod 32 we get 15 times 5 mod 32 we get 11 times 5 mod 32 23 did I do something wrong then and I let you keep going the point is different seed gives you a different sequence so we need to choose a different seed and change the seed on a regular basis so that we get a different sequence if we both of our computers use this same algorithm and the same parameters and I use it to generate a key and use use it to generate the key will generate the same number if we use the same seed if we both had a seed of 1 we generate this exact same sequence the same as on both computers so therefore it's important to choose a random seed start with a random number how do we choose a random number for our random number generator use a true random number generator is the best approach then so that comes back to this picture we saw an example of a pseudo random number generator lcg it takes a seed as an input where should that seed come from come from some other random number generator and say on your computer you need to take some measurements and get a true random number to get the seed so that's the common approach lcg is a very or is it quite an old algorithm it's very simple simple to describe and calculate it's been used in some cases but it's not considered cryptographically secure because there are some ways for the attacker to predict values once they know the parameters and one of the numbers they can easily determine the subsequent numbers but it's an easy one to consider what parameter values to use m should be large and when you mod by a prime number it will give you better results each iteration so m should be a large prime number 2 to the power of 31 minus 1 such a number c can be 0 and people have found that a there are not many good values but one of them is this magic number of 7 to the power of 5 so for this particular algorithm the parameters are important but we'll mention the names later we'll say that different algorithms and we'll come back to the use of block ciphers for pseudo-random numbers but we'll stop there we'll continue next week and finish on this and look at some number theory next week