The art of cryptography: Heads and tails – Cryptographic random generation
summer 2015
The Blum-Blum-Shub generator
Computer Security, b-it, Prof. Dr. Joachim von zur Gathen
Corollary. Let $G$ be a group of order $d$ and $a \in \mathbb{Z}$ coprime to $d$. Then the exponentiation map $\pi_a \colon x \mapsto x^a$ is a permutation of $G$.
22/24
[Figure: the discrete exponentiation map $\mathrm{dexp}_g$ and the discrete logarithm $\mathrm{dlog}_g$ between $\mathbb{Z}_d$ and $G$.]
Chinese Remainder Theorem (CRT). Suppose that the integer $N$ factors as $N = q_1 \cdots q_r$ with pairwise coprime $q_1, \ldots, q_r$. Then the group homomorphism
$$\mathbb{Z}_N^\times \to \mathbb{Z}_{q_1}^\times \times \cdots \times \mathbb{Z}_{q_r}^\times, \qquad x \bmod N \mapsto (x \bmod q_1, \ldots, x \bmod q_r)$$
is an isomorphism.
Theorem. Let $p$ be an odd prime, $e \geq 1$ and $\boxdot_{p^e} = \{b^2 : b \in \mathbb{Z}_{p^e}^\times\}$ in $\mathbb{Z}_{p^e}$. Then $\#\mathbb{Z}_{p^e}^\times = \varphi(p^e) = p^{e-1}(p-1)$, and
i. $\#\boxdot_{p^e} = \varphi(p^e)/2$.
ii. For any $a \in \mathbb{Z}_{p^e}^\times$, $a \in \boxdot_{p^e} \iff a^{\varphi(p^e)/2} = 1$.
iii. Any $a \in \boxdot_{p^e}$ has exactly two square roots $b_1$ and $b_2$, and $b_1 + b_2 = 0$.
iv. There is a probabilistic polynomial-time algorithm which, on input $p^e$ and $a \in \mathbb{Z}_{p^e}^\times$, determines whether $a \in \boxdot_{p^e}$, and if so, computes a square root $b \in \mathbb{Z}_{p^e}^\times$ with $a = b^2$.
There is a concise way of associating to each number $a$ the value of an indicator yes/no telling whether $a$ is a square or not. Taking $\pm 1$ for yes/no, we have the Legendre symbol for $a \in \mathbb{Z}$ and a prime $p$:
$$\left(\frac{a}{p}\right) = \begin{cases} 0 & \text{if } p \mid a, \\ 1 & \text{if } p \nmid a \text{ and } a \text{ is a square in } \mathbb{Z}_p^\times, \\ -1 & \text{otherwise.} \end{cases}$$
[Figure: diagrams of $\mathbb{F}_{17}^\times$ and $\mathbb{F}_{19}^\times$ with elements in the symmetric representation.]
When $N = p \cdot q$ is the product of two distinct odd primes, then the situation is much more interesting. On the one hand, we can again consider the set
$$\boxdot_N = \{b^2 : b \in \mathbb{Z}_N^\times\}$$
of squares modulo $N$. The CRT decomposes $\mathbb{Z}_N^\times$ into two constituents:
$$\mathbb{Z}_N^\times \cong \mathbb{Z}_p^\times \times \mathbb{Z}_q^\times.$$
Now some $a \in \mathbb{Z}_N^\times$ is a square if and only if it is a square both in $\mathbb{Z}_p^\times$ and in $\mathbb{Z}_q^\times$. These conditions are independent, and therefore only a quarter of the $\varphi(N) = (p-1)(q-1)$ elements of $\mathbb{Z}_N^\times$ are squares.
[Figure: diagram of $\mathbb{Z}_{21}^\times$ with elements in the symmetric representation.]
The quadratic residuosity problem in $\mathbb{Z}_N$ is to decide on input $a \in \boxdot_N \cup \boxtimes_N$ whether $a \in \boxdot_N$. Of course, given the factors $p$ and $q$, this becomes easy since we can compute $\left(\frac{a}{p}\right)$ and $\left(\frac{a}{q}\right)$. But no polynomial-time algorithm is known if these factors are not provided.
Under the isomorphism $\chi \colon \mathbb{Z}_N^\times \longrightarrow \mathbb{Z}_p^\times \times \mathbb{Z}_q^\times$ of the CRT, we have
$$\chi(\boxdot_N) = \boxdot_p \times \boxdot_q, \qquad \chi(\boxtimes_N) = \boxtimes_p \times \boxtimes_q.$$
We consider the squaring map $\sigma_p \colon \mathbb{Z}_p^\times \longrightarrow \boxdot_p \subseteq \mathbb{Z}_p^\times$ with $\sigma_p(a) = a^2$. If $p$ is 3 modulo 4, then $-1$ is not a square modulo $p$, and exactly one of the two square roots $a$ and $-a$ of $a^2$ is a square.
We now assume that $p$ and $q$ are both 3 modulo 4. Then $N = pq$ is called a Blum integer. If $\chi(a) = (u, v)$, then $\chi(a^2)$ has the four square roots
$$(u, v),\ (-u, v),\ (u, -v),\ (-u, -v).$$
Exactly one of them is a square, and $\chi^{-1}$ of this square is called the principal (square) root of $a^2$. If, say, $u \in \boxdot_p$ and $v \in \boxtimes_q$, then $(u, -v)$ is the square among the four.
Classification of the four square roots of $a^2$ (for $u \in \boxdot_p$, $v \in \boxtimes_q$) by the Legendre symbols modulo $p$ and $q$ and the Jacobi symbol modulo $N$:

                 (a/p) = 1                                (a/p) = −1
(a/q) = 1        (a/N) = 1:  ⊡_N = ⊡_p × ⊡_q   (u, −v)     (a/N) = −1: ⊠_p × ⊡_q        (−u, −v)
(a/q) = −1       (a/N) = −1: ⊡_p × ⊠_q        (u, v)      (a/N) = 1:  ⊠_N = ⊠_p × ⊠_q  (−u, v)
Example. We let $p = 3$ and $q = 7$, so that $N = 21$ and $\mathbb{Z}_{21}^\times = \{-10, -8, -5, -4, -2, -1, 1, 2, 4, 5, 8, 10\}$ in the symmetric system. Then $\boxdot_3 = \{1\}$, $\boxtimes_3 = \{-1\}$, $\boxdot_7 = \{-3, 1, 2\}$, and $\boxtimes_7 = \{-2, -1, 3\}$. Not surprisingly, 1 is the principal root of 1, and 4 that of $-5 = 16$. But also $-5$ (and not 2) is the principal root of 4. In other words, $-5 = 16$ is the principal root of $25 = 4$ in $\mathbb{Z}_{21}$.
CRT decomposition of $\mathbb{Z}_{21}^\times$, written as $a \leftrightarrow (a \bmod 3, a \bmod 7)$ in symmetric representation:

                  ⊡_7 = {−3, 1, 2}                          ⊠_7 = {−2, −1, 3}
⊡_3 = {1}         4 ↔ (1, −3)    1 ↔ (1, 1)    −5 ↔ (1, 2)     −2 ↔ (1, −2)    −8 ↔ (1, −1)    10 ↔ (1, 3)
⊠_3 = {−1}      −10 ↔ (−1, −3)   8 ↔ (−1, 1)    2 ↔ (−1, 2)     5 ↔ (−1, −2)    −1 ↔ (−1, −1)   −4 ↔ (−1, 3)
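The example above, worked in added code that is not part of the lecture: Legendre symbols by Euler's criterion (item ii of the theorem with $e = 1$), the squares $\boxdot_{21}$ and pseudosquares $\boxtimes_{21}$, and the principal root of a square modulo a Blum integer. Function names are my own.

```python
# Added example (not from the slides): squares, pseudosquares and principal
# square roots modulo the Blum integer N = p*q = 21 from the lecture example.
from math import gcd

def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p via Euler's criterion:
    a is a square mod p iff a^((p-1)/2) = 1."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1

def sym(x, m):
    """Symmetric representative of x mod m in (-m/2, m/2], as on the slides."""
    r = x % m
    return r - m if r > m // 2 else r

def squares_and_pseudosquares(p, q):
    """Return (squares, pseudosquares) of Z_N^x for N = p*q.
    Squares: (a/p) = (a/q) = 1. Pseudosquares: Jacobi symbol
    (a/N) = (a/p)(a/q) = 1 although a is not a square."""
    N = p * q
    sq, ps = [], []
    for a in range(N):
        if gcd(a, N) != 1:
            continue
        lp, lq = legendre(a, p), legendre(a, q)
        if lp == 1 and lq == 1:
            sq.append(sym(a, N))
        elif lp == -1 and lq == -1:
            ps.append(sym(a, N))
    return sorted(sq), sorted(ps)

def principal_root(a, p, q):
    """For a Blum integer N = p*q (p, q = 3 mod 4) and a square a, return
    the unique square root of a that is itself a square (the principal root).
    Exhaustive search over Z_N, fine for the toy N = 21."""
    N = p * q
    assert p % 4 == 3 and q % 4 == 3 and legendre(a, p) == legendre(a, q) == 1
    roots = [x for x in range(N) if (x * x - a) % N == 0]
    prin = [x for x in roots if legendre(x, p) == 1 and legendre(x, q) == 1]
    assert len(roots) == 4 and len(prin) == 1   # four roots, exactly one square
    return sym(prin[0], N)
```

With p = 3, q = 7 this reproduces the slide's sets and the claim that −5 (not 2) is the principal root of 4.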
For an $n$-bit Blum integer $N$, an integer $\ell > 0$ as the bit-length of the desired output, and a seed $u = u_0^2 \in \boxdot_N$ for $u_0 \longleftarrow \mathbb{Z}_N^\times$, we define its output as
$$\mathrm{BBS}_N^{(\ell)}(u) = \bigl(\mathrm{lsb}(u), \mathrm{lsb}(u^2), \mathrm{lsb}(u^4), \ldots, \mathrm{lsb}(u^{2^{\ell-1}})\bigr).$$
Reduction chain (each algorithm yields the one below it):
- BBS-distinguisher: given $N$, $u^2$, distinguish $\mathrm{BBS}_N^{(\ell)}(u)$ from $v \longleftarrow \{0,1\}^\ell$.
- lsb-postdictor: given $N$, $u^2$, find $\mathrm{lsb}(u)$.
- square root finder: given $N$, $z \in \boxdot_N$, find $u$ with $z = u^2$.
- factoring algorithm: given $N = pq$, find $p$, $q$.
Reduction. Lsb-postdictor $L$ from $\mathrm{BBS}^{(\ell)}$-distinguisher $B$.
Input: $N \in \mathbb{Z}$, $z = u^2 \in \boxdot_N$.
Output: A bit in $\{0, 1\}$.
1. $k \longleftarrow \{1, \ldots, \ell\}$.
2. $(v_1, \ldots, v_{k-1}, b) \longleftarrow \{0, 1\}^k$.
3. $v \leftarrow (v_1, \ldots, v_{k-1}, b, \mathrm{lsb}(z), \mathrm{lsb}(z^2), \ldots, \mathrm{lsb}(z^{2^{\ell-k-1}})) \in \{0, 1\}^\ell$.
4. $b^* \leftarrow B(N, z^{2^{\ell-k}}, v)$.
5. Return $b \oplus b^* \oplus 1$.
Lemma. Let $B$ be a $\mathrm{BBS}^{(\ell)}$-distinguisher with advantage $\varepsilon$. Then $L$ as in Reduction is an lsb-postdictor with advantage $\varepsilon/2\ell$.
Reduction. Square root finder $S$ from lsb-postdictor $L$.
Input: An $n$-bit Blum integer $N$ and $y \in \boxdot_N$.
Output: $x \in \mathbb{Z}_N^\times$ with $x^2 = y$ or “failure”.
1. $a_0, b \longleftarrow \mathbb{Z}_N$.
2. $u_0 \longleftarrow \frac{\varepsilon^3}{8} \cdot [0 \,..\, \frac{8}{\varepsilon^3})$, $v \longleftarrow \frac{\varepsilon}{8} \cdot [0 \,..\, \frac{8}{\varepsilon})$.
3. $\alpha_0, \beta \longleftarrow \{0, 1\}$.
4. For $t$ from 1 to $n$ do steps 5–10.
5. $a_t \leftarrow [a_{t-1}/2]_N$, $u_t \leftarrow (u_{t-1} + \alpha_{t-1})/2$.
6. $A_t \leftarrow \{i \in \mathbb{Z} : |2i+1| \leq 2\lceil n\varepsilon^{-2} \rceil\}$.
7. For $i \in A_t$ do steps 8–9.
8. $c_{t,i} \leftarrow [(2i+1)a_t + b]_N$, $w_{t,i} \leftarrow \lfloor (2i+1)u_t + v \rfloor$.
9. $\alpha_{t,i} \leftarrow L(N, c_{t,i}^2 y) + \beta + w_{t,i} \bmod 2$.
10. If $\sum_{i \in A_t} \alpha_{t,i} < \#A_t/2$ then $\alpha_t \leftarrow 0$ else $\alpha_t \leftarrow 1$.
11. $x \leftarrow [a_n^{-1} \lfloor u_n N + \tfrac{1}{2} \rfloor]_N$.
12. If $x^2 = y$ in $\mathbb{Z}_N$ then return $x$ else return “failure”.
Lemma. Let $N = pq$ be a Blum integer, $y \in \boxdot_N$, and $L$ a polynomial-time lsb-postdictor as above with advantage at least $\varepsilon$. Then the square root finder $S$ from Reduction on input $N$ and $y$ returns $x$ satisfying $x^2 = y$ in $\mathbb{Z}_N$ with success probability at least $2^{-9}\varepsilon^4$, and uses time polynomial in $n$ and $\varepsilon^{-1}$.
Reduction. Factoring algorithm $F$ from square root finder $S$.
Input: Positive odd integer $N$.
Output: A proper factor $p$ of $N$ or “failure”.
1. $v \longleftarrow \mathbb{Z}_N^\times$.
2. If $S(N, v^2)$ returns “failure” then return “failure” else $v^* \leftarrow S(N, v^2)$.
3. If $v \in \pm v^*$ in $\mathbb{Z}_N$ then return “failure”.
4. $p \leftarrow \gcd(v - v^*, N)$.
5. Return $p$.
Lemma. Let $N = pq$ be a Blum integer and $S$ a square-root finder as above with success probability at least $\sigma$. Then $F$ as in Reduction returns a proper factor of $N$ with probability $\sigma/2$.
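As an added example, not code from the lecture, the following covers two passages: the output sequence $\mathrm{BBS}_N^{(\ell)}(u)$ defined above, and the reduction $F$ from a square root finder $S$ just given, run on the constructed Blum integer $N = 11 \cdot 19 = 209$. The square root finder used here is a stand-in that knows the factors (so it is not a genuine $S$); its only role is to show that any root $v^* \notin \{v, -v\}$ of $v^2$ yields a factor via $\gcd(v - v^*, N)$, and that a random root does so half the time, as the Lemma states.

```python
# Added example (not code from the lecture): BBS output bits and the
# reduction "factoring algorithm F from square root finder S" on the
# constructed Blum integer N = 11 * 19 = 209 (11 and 19 are both 3 mod 4).
import random
from math import gcd

def bbs(N, u, ell):
    """BBS_N^(ell)(u) = (lsb(u), lsb(u^2), lsb(u^4), ..., lsb(u^(2^(ell-1))))
    for a seed u that is a square modulo N."""
    bits = []
    for _ in range(ell):
        bits.append(u & 1)
        u = u * u % N
    return bits

def sqrt_mod_blum(y, p, q):
    """Stand-in for S that knows the factors p, q = 3 mod 4 (a real S does
    not). For such p, y^((p+1)/4) is a square root of a square y mod p;
    a random sign per component, glued by the CRT, gives a uniformly random
    one of the four square roots of y modulo N = pq."""
    N = p * q
    rp = pow(y, (p + 1) // 4, p) * random.choice((1, -1))
    rq = pow(y, (q + 1) // 4, q) * random.choice((1, -1))
    x = (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % N   # CRT
    assert x * x % N == y % N
    return x

def factor_from_sqrt(N, S):
    """Reduction F: square a random v, ask S for a root v* of v^2, and
    succeed exactly when v* is not +-v: then N divides (v - v*)(v + v*)
    but neither factor alone, so gcd(v - v*, N) is a proper factor.
    Returns the factor, or None for "failure"."""
    v = random.randrange(1, N)
    if gcd(v, N) != 1:
        return gcd(v, N)                   # v was not a unit: factor for free
    vs = S(v * v % N)
    if vs is None or vs in (v, N - v):
        return None
    return gcd(v - vs, N)
```

Over many trials of factor_from_sqrt(209, ...) the non-None results are exactly 11 and 19, and roughly half of the trials fail, matching the $\sigma/2$ of the Lemma for a perfect $S$.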
Theorem. Under the factoring assumption, the Blum-Blum-Shub generator is a pseudorandom generator.