5.7.5 Shor’s Algorithm
In 1994 Peter Shor published an algorithm that promises a highly efficient method of factorization on a quantum computer. The details of how the properties of a quantum computer speed up the algorithm are beyond the remit of this course, but the basic idea is quite simple.
Suppose we are trying to factor the odd composite number n. Let a be an integer whose order in Z_n is 2k, i.e. is even. Then we know that a^{2k} ≡ 1 (mod n), and so
n | (a^k + 1)(a^k − 1).
As 2k is the order of a, we know that a^k ≢ 1 (mod n), so n does not divide a^k − 1. If n also does not divide a^k + 1, then each prime factor of n must divide either a^k + 1 or a^k − 1, while n itself divides neither. So if we calculate gcd(n, a^k ± 1), we must find non-trivial factors of n. We reduce mod n first of course: if p | n and a^k ≡ r (mod n), then p | (a^k ± 1) iff p | (r ± 1).
The hard part of Shor’s algorithm is finding the integer a of even order. In practice this is done by picking a random a < n that is coprime to n — obviously if we pick a and it is not coprime to n we have a factor. The quantum part of the calculation is then involved in finding the order of a. If the order is odd, or n | a^k + 1, we pick another a and start again.
Shor’s algorithm (with the quantum speed-up for finding the order) is polynomial time in the number of digits: a huge improvement on the exponential time classical algorithms, but of course it requires actually having a quantum computer.
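As an added illustration (not from the notes), here is the classical part of the reduction in Python, with the quantum order-finding step replaced by a brute-force search for the order that is only feasible for tiny n:

```python
# Added example (not from the notes): the classical reduction in Shor's
# algorithm.  The order r of a in Z_n is found here by brute force, standing in
# for the quantum order-finding step; the factoring step is exactly the
# argument n | (a^k + 1)(a^k - 1) for even order r = 2k.
from math import gcd

def order_mod(a, n):
    """Smallest r >= 1 with a^r = 1 (mod n); assumes gcd(a, n) = 1."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r

def factor_from_order(n, a):
    """Non-trivial factor of n obtained from a, or None if a is unsuitable
    (odd order, or n | a^k + 1, in which case both gcds are trivial)."""
    g = gcd(a, n)
    if g != 1:
        return g                          # a not coprime to n: a factor for free
    r = order_mod(a, n)
    if r % 2:
        return None                       # odd order: pick another a
    ak = pow(a, r // 2, n)                # a^k reduced mod n first
    if ak == n - 1:
        return None                       # a^k = -1 (mod n), i.e. n | a^k + 1
    for d in (gcd(n, ak - 1), gcd(n, ak + 1)):
        if 1 < d < n:
            return d
    return None

def shor_classical(n):
    """Try a = 2, 3, ... until the reduction yields a factorisation of n."""
    for a in range(2, n):
        d = factor_from_order(n, a)
        if d:
            return d, n // d
    return None

if __name__ == "__main__":
    print(factor_from_order(15, 7))       # order 4, 7^2 = 4 (mod 15), gcd(15, 3) = 3
    print(shor_classical(91))             # (7, 13)
```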
5.8 Random Number Generation
In our cryptography section we will need single random integers as well as sequences of random integers. Generating random numbers is vitally important[1] in other scientific applications as well, e.g. for simulations and code testing, and is a field of active research.
How are they generated?
5.8.1 Truly random processes
Truly random processes are all physical processes such as particle counts from radioactive decay, output from zener diodes, and so on. These are difficult to incorporate into computing applications. The web site www.random.org claims to generate true random numbers from atmospheric noise.
Even these physical processes are not always truly random but follow some probability distribution and so have to be processed further.
Numbers generated by some mathematical or computing process (with the aim of producing “random numbers”) are called pseudo-random numbers.
[1] The late Robert R. Coveyou once titled an article “The generation of random numbers is too important to be left to chance”.
5.8.2 Middle Squares Method
The middle squares method was introduced by John von Neumann in 1949. To generate a sequence of n-digit numbers, start with such a number, the seed, x_0. Square it and (if necessary) pad out with leading zeros to a 2n-digit number. Then x_1 is the middle n digits of the square. Repeat.
I mention this method as it is quite handy for creating sequences with a calculator, but it is not useful for any serious applications (as von Neumann knew). It tends to repeat quickly for one thing (try it with x_0 = 2100 or 3792 for 4-digit numbers).
5.8.3 Linear congruential
Given a, b, m and seed x_0, iterate x_{i+1} ≡ a x_i + b (mod m) to produce the sequence x_1, x_2, . . .
This method for generating pseudo-random numbers is often used in practice. For example, NAG’s pseudo-random number generator uses
a = 13^13, b = 0, m = 2^59, x_0 = 123456789 × (2^32 + 1) or an x_0 of the user’s choice, and Maple uses
a = 427419669081, b = 0, m = 999999999989, x_0 = 1, where x_0 can also be reset.
These produce sequences with good properties, but, as with any bounded iterative computing process that uses a fixed number of previous results, the sequence is eventually periodic.
NAG’s generator has period 2^57, which is quite large and so is useful in most simulation situations.
In many typical applications, the seed is generated on the fly from internal registers in the computer, e.g. the user’s ID, local time, the time since the computer was last booted etc.
(See Knuth Art of Computer Programming Vol 2 for analysis of the period of the linear congruential random number generator.)
Unfortunately this method is useless in any cryptographic process, since:
If m is known, then the three consecutive values x_{i−1}, x_i, x_{i+1} give enough linear congruence equations to solve to give a, b.
Even if m is unknown, then given enough consecutive terms, all of a, b and m can be found.
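An added example (not from the notes) of the generator and of the recovery of a and b from three consecutive outputs with m known; the toy parameters a = 4321, b = 9876, m = 1000003, x_0 = 42 are constructed for the demonstration:

```python
# Added example (not from the notes): the generator x_{i+1} = a x_i + b (mod m)
# with the NAG parameters quoted above, and the recovery of a and b from three
# consecutive outputs when m is known.  The toy parameters a = 4321, b = 9876,
# m = 1000003 (prime), x_0 = 42 are constructed for the demonstration.

def lcg(a, b, m, x0, count):
    """x_1, ..., x_count of the recurrence x_{i+1} = a x_i + b (mod m)."""
    out, x = [], x0
    for _ in range(count):
        x = (a * x + b) % m
        out.append(x)
    return out

def recover_ab(x_prev, x_cur, x_next, m):
    """Solve x_cur = a x_prev + b and x_next = a x_cur + b (mod m) for (a, b).
    Subtracting the congruences gives a (x_cur - x_prev) = x_next - x_cur (mod m),
    so a is unique only when x_cur - x_prev is invertible mod m; otherwise
    None is returned (with a composite m several candidates for a remain)."""
    d = (x_cur - x_prev) % m
    try:
        inv = pow(d, -1, m)                   # modular inverse (Python 3.8+)
    except ValueError:
        return None
    a = ((x_next - x_cur) * inv) % m
    b = (x_cur - a * x_prev) % m
    return a, b

NAG = dict(a=13**13, b=0, m=2**59, x0=123456789 * (2**32 + 1))
TOY = dict(a=4321, b=9876, m=1000003, x0=42)

if __name__ == "__main__":
    print(lcg(NAG["a"], NAG["b"], NAG["m"], NAG["x0"], 3))
    xs = lcg(TOY["a"], TOY["b"], TOY["m"], TOY["x0"], 3)
    print(xs, recover_ab(*xs, TOY["m"]))      # ..., (4321, 9876)
```

For the NAG parameters every x_i is odd, so x_i − x_{i−1} is even and has no inverse mod 2^59; a is then only determined modulo a smaller power of two, which is why recover_ab returns None for that case.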
5.8.4 Polynomial congruential and LFSR
Given a prime p and a_0, a_1, . . . , a_{n−1} ∈ Z_p and seeds x_0, x_1, . . . , x_{n−1}, iterate
x_{i+n} ≡ a_{n−1} x_{i+n−1} + a_{n−2} x_{i+n−2} + . . . + a_0 x_i (mod p).
This “recurrence relation” or “difference equation” has characteristic polynomial f(r) = r^n − a_{n−1} r^{n−1} − a_{n−2} r^{n−2} − . . . − a_0.
The sequence generated by this recurrence has the maximal possible period length, which is p^n − 1, provided f(r) is a primitive polynomial over Z_p.
When p = 2, such sequences can be generated by linear feedback shift registers (LFSRs) and so are often used in practice also.
[Figure: a linear feedback shift register with cells S_{n−1}, S_{n−2}, · · · , S_1, S_0 and the output taken from S_0; the cell contents pass through switches a_{n−1}, a_{n−2}, . . . , a_1, a_0 and are combined with ⊕ to form the value fed back into S_{n−1}.]
Here, the switches are closed if and only if a_i = 1 and ⊕ indicates mod 2 addition (performed instantly).
Initial values x_0, . . . , x_{n−1} are placed in the shift registers s_0, . . . , s_{n−1}; then the machine is allowed to produce output one bit per clock cycle, and the stored values move following the arrows to the next shift register once per clock cycle.
Example: the polynomial x^3 + x^2 + 1 is primitive over Z_2 and corresponds to the recurrence x_{i+3} = x_{i+2} + x_i.
This means that the value s_2 + s_0 is fed back into s_2 at the next cycle.
[Figure: the 3-stage register S_2 S_1 S_0 with the output taken from S_0 and S_2 ⊕ S_0 fed back into S_2.]
Now, starting with say x_0 = 1, x_1 = 0, x_2 = 0 we have the states below (the output column shows the bit emitted on the clock cycle that produced that row’s state, i.e. the previous S_0):

                   S2  S1  S0  output
    initial         0   0   1
    last s2+s0 →    1   0   0    1
                    1   1   0    0
                    1   1   1    0
                    0   1   1    1
                    1   0   1    1
                    0   1   0    1
                    0   0   1    0
This then cycles and has cycle length = 7 = 2^3 − 1.
All non-zero patterns of 3 bits are produced equally often as consecutive triples in the output.
In general, since there are φ(2^n − 1)/n different primitive polynomials of degree n over Z_2, there are that many different LFSRs of length n.
Again these pseudo-random generators are insecure, since knowing 2n + 1 consecutive terms means you can find a_0, . . . , a_{n−1}.
5.8.5 Non-linear feedback shift registers
Given x_0, . . . , x_{n−1} and some non-linear function f of n variables, iterate
x_{i+n} = f(x_i, x_{i+1}, . . . , x_{i+n−1}).
Not much is known theoretically about these except in some special cases.
For example, it is known that the N-LFSR given by x_0 ≡ 2 (mod 4) and
x_{i+1} ≡ x_i(x_i + 1) (mod 2^k), k > 2, is efficient and has long period.
5.8.6 Cryptographic generators
In cryptography, a function E_k depending on a key k is used to encrypt messages. (See Chapter 7.) We can use these functions to build cryptographic random number generators as follows: take some cryptographic function E_k(x) depending on a key k and take a seed x_0 and iterate x_{i+1} = E_k(x_i), or iterate x_{i+1} = E_{x_i}(c) for some constant c.
These are as secure as the cryptographic function, but their randomness properties are usually unknown.
One exception is the Blum, Blum, Shub (quadratic) random bit generator (1986).
Let n = pq where p, q are primes ≡ 3 (mod 4) (these are called Blum primes) and take seed x_0.
Generate x_0, x_1, . . . , x_k by x_{i+1} ≡ x_i^2 (mod n),
then output the corresponding least significant bits in reverse order. That is, the output equals
b_0, b_1, . . . , b_k where b_j = 1 if and only if x_{k−j} is odd.
[Alternatively use x_j ≡ x_0^{2^j mod (p−1)(q−1)} (mod n), which gives the x_j directly, in any order.]
This is a provably secure and random generator of bits, but is very slow.
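An added example (not from the notes) with constructed toy Blum primes p = 11, q = 23 and seed x_0 = 3, chosen so small that the x_i and the output bits can be checked by hand; it also computes an x_j directly by the alternative formula:

```python
# Added example (not from the notes): the Blum-Blum-Shub bit generator with
# constructed toy Blum primes p = 11, q = 23 (both 3 mod 4), so n = 253, and
# seed x_0 = 3.  Real use needs p and q of RSA size; the toy sizes only make the
# sequence checkable by hand.

def is_blum_prime(p):
    """p prime and p = 3 (mod 4); trial division is fine at toy sizes."""
    if p < 2 or p % 4 != 3:
        return False
    return all(p % d for d in range(2, int(p ** 0.5) + 1))

def bbs_sequence(p, q, x0, k):
    """x_0, x_1, ..., x_k with x_{i+1} = x_i^2 (mod n), n = pq."""
    n = p * q
    xs = [x0 % n]
    for _ in range(k):
        xs.append(xs[-1] * xs[-1] % n)
    return xs

def bbs_bits(p, q, x0, k):
    """Output bits b_0, ..., b_k with b_j = 1 iff x_{k-j} is odd (reverse order)."""
    xs = bbs_sequence(p, q, x0, k)
    return [x & 1 for x in reversed(xs)]

def bbs_direct(p, q, x0, j):
    """x_j computed directly as x_0^(2^j mod (p-1)(q-1)) mod n, the 'any order'
    form of the notes; requires gcd(x_0, n) = 1 so Euler's theorem applies."""
    return pow(x0, pow(2, j, (p - 1) * (q - 1)), p * q)

if __name__ == "__main__":
    assert is_blum_prime(11) and is_blum_prime(23)
    print(bbs_sequence(11, 23, 3, 5))   # [3, 9, 81, 236, 36, 31]
    print(bbs_bits(11, 23, 3, 5))       # [1, 0, 0, 1, 1, 1]
    print(bbs_direct(11, 23, 3, 3))     # 236, agreeing with x_3 above
```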
5.8.7 Multiplexing of sequences
Multiplexing means combining two or more sequences of pseudo-random numbers, to both increase the period and make the combined sequence more secure.
For example, suppose
x_0, x_1, . . . is the output of a maximal length n LFSR and
y_0, y_1, . . . is the output of a maximal length m LFSR where 2^m − 1 ≤ n.
Form the binary number
N_t = y_t + 2 y_{t+1} + . . . + 2^{m−1} y_{t+m−1}.
Then 1 ≤ N_t ≤ 2^m − 1. For a fixed one-one function
f : {1, 2, 3, . . . , 2^m − 1} −→ Z_n form the new sequence z_0, z_1, . . . by
z_t = x_{t+f(N_t)}.
If gcd(m, n) = 1, then this has period (2^m − 1)(2^n − 1) and needs more than 2n(2^m − 1) consecutive terms before it can be predicted.
This is quite a good pseudo-random number generator.
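An added example (not from the notes) covering both the LFSR of Section 5.8.4 and the multiplexing above: it runs the x^3 + x^2 + 1 register from the seed x_0 = 1, x_1 = 0, x_2 = 0, then multiplexes it with a length-2 register (x^2 + x + 1) using the constructed choice f(N) = N − 1, giving the period (2^2 − 1)(2^3 − 1) = 21:

```python
# Added example (not from the notes): a binary LFSR for the recurrence
# x_{i+n} = a_{n-1} x_{i+n-1} + ... + a_0 x_i (mod 2), the notes' x^3 + x^2 + 1
# register, and the multiplexed sequence z_t = x_{t + f(N_t)}.

def lfsr(taps, seed, count):
    """Output bits x_0, x_1, ... (count of them).  taps = (a_0, ..., a_{n-1}),
    seed = (x_0, ..., x_{n-1}); state[0] is the output cell S_0."""
    state = list(seed)
    out = []
    for _ in range(count):
        out.append(state[0])
        feedback = sum(a * s for a, s in zip(taps, state)) % 2
        state = state[1:] + [feedback]       # shift towards S_0, refill S_{n-1}
    return out

def period(seq):
    """Smallest p > 0 with seq[t] == seq[t + p] throughout; None if seq is too
    short to exhibit one (at least 2p terms are needed)."""
    for p in range(1, len(seq) // 2 + 1):
        if all(seq[t] == seq[t + p] for t in range(len(seq) - p)):
            return p
    return None

def multiplex(x, y, m, f):
    """z_t = x_{t + f(N_t)} with N_t = y_t + 2 y_{t+1} + ... + 2^{m-1} y_{t+m-1}."""
    z = []
    for t in range(len(y) - m + 1):
        n_t = sum(y[t + j] << j for j in range(m))
        idx = t + f(n_t)
        if idx >= len(x):
            break
        z.append(x[idx])
    return z

# x^3 + x^2 + 1 <-> x_{i+3} = x_{i+2} + x_i, i.e. (a_0, a_1, a_2) = (1, 0, 1)
X = lfsr((1, 0, 1), (1, 0, 0), 70)
# x^2 + x + 1 <-> y_{i+2} = y_{i+1} + y_i, i.e. (a_0, a_1) = (1, 1)
Y = lfsr((1, 1), (1, 0), 70)
# n = 3, m = 2: 2^m - 1 = 3 <= n and gcd(m, n) = 1; f(N) = N - 1 is one-one {1,2,3} -> Z_3
Z = multiplex(X, Y, 2, lambda N: N - 1)

if __name__ == "__main__":
    print(X[:7], period(X))    # [1, 0, 0, 1, 1, 1, 0] 7
    print(Z[:21], period(Z))   # period (2^2 - 1)(2^3 - 1) = 21
```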
Chapter 6
Algebraic Coding
In Chapter 2 we considered codes designed to detect and correct errors, including the Hamming Codes. There are many other families of codes which can be constructed using more complicated mathematics: we could generalise all that work from Zp to GF(pk), for example.
Instead, we will look at an important family of codes called BCH codes which arise when we look at Hamming Codes from an algebraic point of view. These codes were discovered independently by Bose and Ray-Chaudhuri (1960) and by Hocquenghem (1959).
BCH codes have good error correcting properties when the length is not too great and they can be encoded and decoded relatively easily. A special subset of BCH codes are the Reed-Solomon codes which are used in many digital communications and storage devices (e.g. DVD players, digital televisions, satellite communications, mobile phones, high-speed modems and QR codes). See Bose’s book for more details.
We then close the chapter by considering cyclic codes, which have very nice structural properties. In particular, encoding and decoding using cyclic codes can be performed efficiently using linear switching circuits. There are two very special cyclic codes called Golay codes which we construct. One is a binary code, one is a ternary code and they are both perfect.
6.1 Hamming codes revisited
Consider the Hamming (15,11) code rearranged in the following very particular standard form (which is no longer directly related to binary numbers):
H =
    1 0 0 0 1 0 0 1 1 0 1 0 1 1 1
    0 1 0 0 1 1 0 1 0 1 1 1 1 0 0
    0 0 1 0 0 1 1 0 1 0 1 1 1 1 0
    0 0 0 1 0 0 1 1 0 1 0 1 1 1 1
Recall the field GF(16) = Z_2[x]/⟨x^4 + x + 1⟩ studied in Section 5.4. Notice that the columns of H are given by the coordinate vectors of 1, α, α^2, . . . , α^14 with respect to the ordered basis {1, α, α^2, α^3}. For example, α^5 = α + α^2, so α^5 has coordinate vector (0, 1, 1, 0)^T, which is the sixth column of H.
By a slight abuse of notation, we will replace each column of H by the element of F that it represents. Hence we write
H = ( 1  α  α^2  α^3  α^4  · · ·  α^14 ).
This gives us a shorthand for H. Since the first column of H corresponds to α^0 and, more generally, the jth column of H corresponds to α^{j−1}, we speak of “the column of H corresponding to α^j”.
Now let c = (c_0, c_1, . . . , c_14) ∈ C be a codeword. (Again, notice that now we number entries from 0 instead of 1.) The syndrome of c is
S(c) = Hc = c_0 + c_1 α + c_2 α^2 + · · · + c_14 α^14 = C(α)
where C(x) = c_0 + c_1 x + · · · + c_14 x^14 is the polynomial corresponding to c. This allows us to describe the code in terms of polynomials.
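An added example (not from the notes) that builds GF(16) with α^4 = α + 1 as 4-bit integers, reconstructs H from the powers of α, and computes S(c) = C(α); the single-error correction at the end is an added extension using the fact that an error in position j alone gives syndrome α^j:

```python
# Added example (not from the notes): GF(16) = Z_2[x]/<x^4 + x + 1> with each
# element stored as a 4-bit int (bit i = coefficient of alpha^i), the check
# matrix H whose columns are 1, alpha, ..., alpha^14, and the syndrome
# S(c) = C(alpha) of a length-15 word c = (c_0, ..., c_14).
MODULUS = 0b10011          # x^4 + x + 1

def gf16_mul(a, b):
    """Product of two GF(16) elements: carry-less multiply, reduce mod x^4+x+1."""
    r = 0
    for i in range(4):
        if (b >> i) & 1:
            r ^= a << i
    for i in range(6, 3, -1):            # clear degrees 6..4 using x^4 = x + 1
        if (r >> i) & 1:
            r ^= MODULUS << (i - 4)
    return r

ALPHA_POW = [1]                          # alpha^0, alpha^1, ..., alpha^14
for _ in range(14):
    ALPHA_POW.append(gf16_mul(ALPHA_POW[-1], 0b0010))

def check_matrix():
    """H as 4 rows of 15 bits: row i is the alpha^i coordinate of each column."""
    return [[(a >> i) & 1 for a in ALPHA_POW] for i in range(4)]

def syndrome(c):
    """S(c) = c_0 + c_1 alpha + ... + c_14 alpha^14 = C(alpha) as a GF(16) element."""
    s = 0
    for c_i, a in zip(c, ALPHA_POW):
        if c_i:
            s ^= a
    return s

def correct_single_error(r):
    """If S(r) = alpha^j the (single) error is in position j: flip that bit."""
    s = syndrome(r)
    fixed = list(r)
    if s:
        fixed[ALPHA_POW.index(s)] ^= 1
    return fixed

if __name__ == "__main__":
    H = check_matrix()
    print([row[5] for row in H])              # sixth column: [0, 1, 1, 0]
    c = [1, 1, 0, 0, 1] + [0] * 10            # C(x) = 1 + x + x^4, so C(alpha) = 0
    print(syndrome(c))                        # 0
    r = c[:]
    r[9] ^= 1                                 # one error in position 9
    print(ALPHA_POW.index(syndrome(r)))       # 9
```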
We will now generalise these ideas to obtain the BCH (Bose, Chaudhuri & Hocquenghem) codes.
WARNING: in some past exam papers you will see that the bits are given in the opposite order, such as (c_14, c_13, . . . , c_0). But we will always order our bits in the order (c_0, c_1, . . . , c_14), as described above. This ensures that the check matrix H is in standard form.