Uniform Generators and Combinatorial Designs
Alexis Bonnecaze and Pierre Liardet
IML/ERISCS, Université de la Méditerranée and LATP, Université de Provence
CryptoPuces, 2011
A. Bonnecaze, P. Liardet (IML and LATP), Uniform Generators and Combinatorial Designs, 2011 (16 slides)
Table of contents (2/16)
- Random generators
- k-out-of-n generators
- Background in coding theory and combinatorial designs
- Background in automorphism groups and random walks
- Our algorithm
- Conclusion
Random generators (3/16)
- A computational or physical device designed to generate a sequence of symbols that appears random.
- Physical devices (not always practical): true random generators
- Computational devices: pseudo-random generators
- For many applications, pseudo-random generators are used instead of true random generators, except in cryptography
Examples:
- Jitter effect in semiconductor oscillators and white noise
- The computer's real-time clock used as the seed
- LFSR
- Arithmetic properties
- /dev/random
- etc.
Applications (4/16)
Main application: cryptography
- Secret keys for block ciphers
- Secret keys for stream ciphers, such as the one-time pad (problem of key size)
- Private keys for asymmetric cryptography
- Random numbers for cryptographic protocols (nonce, salt, etc.)
Other applications:
- Network security
- Information theory
- Genetic algorithms
- But also (quasi) Monte Carlo methods and simulations
Example: client/server architecture (5/16)
- The server is a weak point
- The server may be corrupted or the victim of denial of service (DoS) attacks
- The problem may have no malicious origin but a hardware or software one.
How to prevent the server from failing?
- One solution: use a multi-server architecture (for example n servers).
- For each request to the system, k servers out of the n are randomly chosen to process the request
- These k servers are said to be the active servers
- An attacker does not know a priori which servers are active for a given request.
Main problem: how to construct a k-out-of-n random generator from a Bernoulli binary generator?
Three sorts of algorithms (6/16)
- Algorithms that output the uniform distribution on letters in a bounded running time
- Las Vegas algorithms: they output the uniform distribution on letters with an unbounded running time, but with finite expectation
- Monte Carlo algorithms: they end in a bounded running time and output a distribution usually distinct from the uniform distribution but arbitrarily close to it in terms of total variation
Existing solutions (7/16)
Naive solution (Las Vegas type):
- Pick an integer a_1 belonging to E := [1..n]
- Pick another element a_2 in E_1 := E \ {a_1}
- Next, pick another element in E_2 := E_1 \ {a_2}, and so on, until k integers are obtained
Probabilistic algorithm based on the Fisher-Yates shuffle (Las Vegas type)
RANKSB algorithm (Nijenhuis and Wilf, 1978)
These solutions lead to a significant bias in comparison with the uniform distribution
Our solution (Monte Carlo type) (8/16)
- Based on combinatorial properties of error-correcting codes
- Every code having a design can be used to construct such a generator
- Our method uses a random walk on the automorphism group of the code
- We focus on the extended binary Golay code, which leads to a 5-out-of-24 uniform generator
Background on coding and combinatorial designs (9/16)
Linear block codes
- A binary linear block code C of length n is a subspace of F_2^n
- The parameters of C are [n, k, d], where k is the dimension and d is the minimum distance
Combinatorial designs
- Let Y be a v-set (a set of v elements). A t-(v, k, λ) design is a collection of distinct k-subsets of Y (the blocks) with the property that every t-subset of Y is contained in exactly λ blocks.
- If λ = 1, the design is called a Steiner system
Background on coding and combinatorial designs (10/16)
Example: the binary Golay code [24, 12, 8]: G_24
- An octad of G_24 is a codeword of Hamming weight 8
- The octads form the blocks of a 5-(24, 8, 1) design, i.e. a Steiner system
- Any binary vector of length 24 and Hamming weight 5 is covered by exactly one octad of G_24
  binary vector: (010000010010100000000100)
  octad of G_24: (010010010010110001000100)
Automorphism group of G_24 (11/16)
The automorphism group of G_24 is the Mathieu group M_24.
M_24 is generated by four permutations acting on the coordinates of the codewords, indexed by ∞ and the elements i of F_23:
- S: i ↦ i + 1
- V: i ↦ 2i
- U: i ↦ −1/i, with ∞ ↦ 0 and 0 ↦ ∞
- W: i ↦ −(i/2)^2 if i is a quadratic residue modulo 23, i ↦ (2i)^2 otherwise.
This group is 5-homogeneous and 5-transitive on the coordinates (hence transitive on the octads).
#M_24 = 2^10 · 3^3 · 5 · 7 · 11 · 23
Random walks (12/16)
- Random walks on some groups can lead to uniform k-out-of-n generators
- Since the size of M_24 is huge, the speed of convergence of a walk on the Mathieu group would be rather low.
- We introduce a Markov walk on the set of blocks of a Steiner system.
- The Markov walk is done on the set of octads by the action of the four generators of M_24: S, V, U and W.
- Let I be the identity. We make the walk symmetric by taking the transition set E = {I, S, S^−1, U, V, V^−1, W, W^−1} (U is an involution, so U^−1 = U), with the uniform probability on E.
G5-24(N) Algorithm (13/16)
INPUT: N
OUTPUT: a binary vector of Hamming weight 5 and length 24
(a) choose an octad m of G_24
(b) replace m by m′, obtained by replacing the first three coordinates equal to 1 in m by zeros
(c) act on m′ randomly, N times, with one of the four generators, their inverses or the identity
(d) output the obtained word.
Theorem. The G5-24(N) algorithm realizes a uniform k-out-of-n generator asymptotically, with exponential speed of convergence.
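Slides 10 to 13 describe one procedure; as an added example (not the authors' code), here it is carried out in Python on the extended Golay code built from the generator polynomial g(x) = x^11 + x^10 + x^6 + x^5 + x^4 + x^2 + 1, with the parity coordinate playing the role of ∞: the 759 octads are enumerated, the 5-(24, 8, 1) property is checked by counting, each permutation of slide 11 is checked against the code before it is admitted into the transition set E (a generator written for one coordinate labelling of a code need not preserve another labelling), and G5-24(N) is run. The labelling, the seed, and the choice that W fixes 0 and ∞ (not stated on the slide) are assumptions of this example.

```python
from collections import Counter
from itertools import combinations
import random

P, INF = 23, 23               # coordinates 0..22 are F_23; index 23 plays the role of infinity (the parity bit)
GEN = (0, 2, 4, 5, 6, 10, 11)  # exponents of g(x) = x^11+x^10+x^6+x^5+x^4+x^2+1, a Golay generator polynomial

def golay24():
    """Extended Golay code: span of x^s g(x) (s = 0..11), each with a parity bit at INF since wt(g) = 7 is odd."""
    basis = [sum(1 << (e + s) for e in GEN) | (1 << INF) for s in range(12)]
    code = {0}
    for b in basis:
        code |= {c ^ b for c in code}
    return code, basis

def weight(w): return bin(w).count("1")
def support(w): return [i for i in range(24) if w >> i & 1]
def octads(code): return [c for c in code if weight(c) == 8]
def steiner_5_cover(blocks):  # multiplicity of every 5-subset of coordinates among the blocks; all 1 <=> 5-(24,8,1)
    return Counter(t for b in blocks for t in combinations(support(b), 5))

# Slide 11's generators as permutations of {0..22, INF}; that W fixes 0 and INF is our assumption.
inv = lambda a: pow(a, P - 2, P)
QR = {pow(x, 2, P) for x in range(1, P)}
S = [INF if i == INF else (i + 1) % P for i in range(24)]
V = [INF if i == INF else 2 * i % P for i in range(24)]
U = [0 if i == INF else INF if i == 0 else -inv(i) % P for i in range(24)]
W = [i if i in (0, INF) else (-(i * inv(2)) ** 2) % P if i in QR else (2 * i) ** 2 % P for i in range(24)]

def act(perm, w): return sum(1 << perm[i] for i in support(w))
def inverse(perm): return [perm.index(i) for i in range(24)]
def is_automorphism(perm, code, basis):  # linear code: it suffices to check the basis words
    return all(act(perm, b) in code for b in basis)
def transition_set(gens):  # symmetric E = {I} + gens + inverses, an involution such as U listed once (slide 12)
    return [list(range(24))] + list(gens) + [h for h in map(inverse, gens) if h not in gens]

def g5_24(n_steps, transitions, octad, seed=0):
    """G5-24(N) of slide 13: clear the first three 1-coordinates of an octad, then walk N steps on E."""
    rng, word = random.Random(seed), octad
    for i in support(octad)[:3]:
        word ^= 1 << i
    for _ in range(n_steps):
        word = act(rng.choice(transitions), word)
    return word

if __name__ == "__main__":
    code, basis = golay24()
    blocks = octads(code)
    verified = [g for g in (S, V, U, W) if is_automorphism(g, code, basis)]  # only verified generators enter E
    print(len(blocks), set(steiner_5_cover(blocks).values()), len(verified), support(g5_24(7, transition_set(verified), blocks[0], seed=2011)))
```

A permutation that fails the check still maps weight-5 words to weight-5 words, but the theorem of slide 13 relies on the generators generating all of M_24 (5-homogeneous); a smaller group cannot reach all C(24, 5) = 42504 words uniformly, so a failing generator must be corrected for this labelling before the construction is trusted.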
G5-24(N) Algorithm (14/16)
The total number of octads is 759.

  Number of octads | Number of steps needed to reach all 759 octads
  -----------------+-----------------------------------------------
        683        |  6
         76        |  7

This table shows that starting from 683 of the 759 octads, 6 steps are sufficient to reach all the octads.
All octads can be reached from any octad in exactly 7 steps.
Generalization: Gk-n(N) Algorithm (15/16)
INPUT: N
OUTPUT: a binary vector of Hamming weight k and length n
(a) Choose a block m of weight b among the blocks of a k-(n, b, λ) design. The automorphism group A of the design must be transitive on the blocks.
If A is (b − k)-transitive on the blocks, then
  (b.1) replace m by m′, obtained by replacing the first b − k coordinates equal to 1 in m by zeros
  (b.2) act on m′ randomly with the generators of A, N times
  (b.3) output the obtained word.
else
  (c.1) act on m randomly with the generators of A, N times, and obtain m′
  (c.2) randomly choose k coordinates equal to 1 in m′ using a k-out-of-b generator
  (c.3) output the obtained word.
Conclusion (16/16)
- We introduced a method to construct k-out-of-n generators
- Our constructions are applicable whenever there exists a k-(n, b, λ) design.
- They make use of t-designs in order to obtain uniformity
- They make use of random walks in order to control the accuracy of convergence.
- The speed of convergence is better than that of any existing k-out-of-n generator.