HOME

TheInfoList



Click Here for Items Related To - Blum Blum Shub Generator
OR:
Blum Blum Shub Generator on:   [Wikipedia]   [Google]   [Amazon]

Blum Blum Shub (B.B.S.) is a
pseudorandom number generator A pseudorandom number generator (PRNG), also known as a deterministic random bit generator (DRBG), is an algorithm for generating a sequence of numbers whose properties approximate the properties of sequences of random numbers. The PRNG-generate ...
proposed in 1986 by Lenore Blum, Manuel Blum and Michael Shub that is derived from
Michael O. Rabin Michael Oser Rabin ( he, מִיכָאֵל עוזר רַבִּין; born September 1, 1931) is an Israeli mathematician and computer scientist and a recipient of the Turing Award. Biography Early life and education Rabin was born in 1931 in ...
's one-way function. __TOC__ Blum Blum Shub takes the form :x_ = x_n^2 \bmod M, where ''M'' = ''pq'' is the product of two large
primes A prime number (or a prime) is a natural number greater than 1 that is not a product of two smaller natural numbers. A natural number greater than 1 that is not prime is called a composite number. For example, 5 is prime because the only ways ...
''p'' and ''q''. At each step of the algorithm, some output is derived from ''x''''n''+1; the output is commonly either the bit parity of ''x''''n''+1 or one or more of the least significant bits of ''x''''n''+1''. The
seed A seed is an embryonic plant enclosed in a protective outer covering, along with a food reserve. The formation of the seed is a part of the process of reproduction in seed plants, the spermatophytes, including the gymnosperm and angiosper ...
''x''0 should be an integer that is co-prime to ''M'' (i.e. ''p'' and ''q'' are not factors of ''x''0) and not 1 or 0. The two primes, ''p'' and ''q'', should both be congruent to 3 (mod 4) (this guarantees that each
quadratic residue In number theory, an integer ''q'' is called a quadratic residue modulo ''n'' if it is congruent to a perfect square modulo ''n''; i.e., if there exists an integer ''x'' such that: :x^2\equiv q \pmod. Otherwise, ''q'' is called a quadratic non ...
has one
square root In mathematics, a square root of a number is a number such that ; in other words, a number whose ''square'' (the result of multiplying the number by itself, or  ⋅ ) is . For example, 4 and −4 are square roots of 16, because . ...
which is also a quadratic residue), and should be
safe prime In number theory, a prime number ''p'' is a if 2''p'' + 1 is also prime. The number 2''p'' + 1 associated with a Sophie Germain prime is called a . For example, 11 is a Sophie Germain prime and 2 × 11 +  ...
s with a small gcd((''p-3'')''/2'', (''q-3'')''/2'') (this makes the cycle length large). An interesting characteristic of the Blum Blum Shub generator is the possibility to calculate any ''x''''i'' value directly (via
Euler's theorem In number theory, Euler's theorem (also known as the Fermat–Euler theorem or Euler's totient theorem) states that, if and are coprime positive integers, and \varphi(n) is Euler's totient function, then raised to the power \varphi(n) is congr ...
): :x_i = \left( x_0^ \right) \bmod M, where \lambda is the Carmichael function. (Here we have \lambda(M) = \lambda(p\cdot q) = \operatorname(p-1, q-1)).


Security

There is a proof reducing its security to the computational difficulty of factoring. When the primes are chosen appropriately, and ''O''( log log ''M'') lower-order bits of each ''xn'' are output, then in the limit as ''M'' grows large, distinguishing the output bits from random should be at least as difficult as solving the
quadratic residuosity problem The quadratic residuosity problem (QRP) in computational number theory is to decide, given integers a and N, whether a is a quadratic residue modulo N or not. Here N = p_1 p_2 for two unknown primes p_1 and p_2, and a is among the numbers which are ...
modulo ''M''.


Example

Let p=11, q=23 and s=3 (where s is the seed). We can expect to get a large cycle length for those small numbers, because ((p-3)/2, (q-3)/2)=2. The generator starts to evaluate x_0 by using x_=s and creates the sequence x_0, x_1, x_2, \ldots x_5 = 9, 81, 236, 36, 31, 202. The following table shows the output (in bits) for the different bit selection methods used to determine the output. The following
Common Lisp Common Lisp (CL) is a dialect of the Lisp programming language, published in ANSI standard document ''ANSI INCITS 226-1994 (S20018)'' (formerly ''X3.226-1994 (R1999)''). The Common Lisp HyperSpec, a hyperlinked HTML version, has been derived fr ...
implementation provides a simple demonstration of the generator, in particular regarding the three bit selection methods. It is important to note that the requirements imposed upon the parameters ''p'', ''q'' and ''s'' (seed) are not checked. (defun get-number-of-1-bits (bits) "Returns the number of 1-valued bits in the integer-encoded BITS." (declare (type (integer 0 *) bits)) (the (integer 0 *) (logcount bits))) (defun get-even-parity-bit (bits) "Returns the even parity bit of the integer-encoded BITS." (declare (type (integer 0 *) bits)) (the bit (mod (get-number-of-1-bits bits) 2))) (defun get-least-significant-bit (bits) "Returns the least significant bit of the integer-encoded BITS." (declare (type (integer 0 *) bits)) (the bit (ldb (byte 1 0) bits))) (defun make-blum-blum-shub (&key (p 11) (q 23) (s 3)) "Returns a function of no arguments which represents a simple Blum-Blum-Shub pseudorandom number generator, configured to use the generator parameters P, Q, and S (seed), and returning three values: (1) the number x +1 (2) the even parity bit of the number, (3) the least significant bit of the number. --- Please note that the parameters P, Q, and S are not checked in accordance to the conditions described in the article." (declare (type (integer 0 *) p q s)) (let ((M (* p q)) ;; M = p * q (x s)) ;; x0 = seed (declare (type (integer 0 *) M x ) #'(lambda () ;; x +1= x 2 mod M (let ((x +1(mod (* x x M))) (declare (type (integer 0 *) x +1) ;; Compute the random bit(s) based on x +1 (let ((even-parity-bit (get-even-parity-bit x +1) (least-significant-bit (get-least-significant-bit x +1)) (declare (type bit even-parity-bit)) (declare (type bit least-significant-bit)) ;; Update the state such that x +1becomes the new x (setf x x +1 (values x +1 even-parity-bit least-significant-bit)))))) ;; Print the exemplary outputs. (let ((bbs (make-blum-blum-shub :p 11 :q 23 :s 3))) (declare (type (function () (values (integer 0 *) bit bit)) bbs)) (format T "~&Keys: E = even parity, L = least significant") (format T "~2%") (format T "~&x +1, E , L") (format T "~&--------------") (loop repeat 6 do (multiple-value-bind (x +1even-parity-bit least-significant-bit) (funcall bbs) (declare (type (integer 0 *) x +1) (declare (type bit even-parity-bit)) (declare (type bit least-significant-bit)) (format T "~&~6d , ~d , ~d" x +1even-parity-bit least-significant-bit))))


References


Citations


Sources

* * * {{refend


External links


GMPBBS, a C-language implementation by Mark Rossmiller

BlumBlumShub, a Java-language implementation by Mark Rossmiller

An implementation in Java

Randomness tests
Pseudorandom number generators Cryptographically secure pseudorandom number generators