cryptographic ergodic sequence generators?

John S. Denker jsd at av8n.com
Tue Oct 14 01:59:54 EDT 2003 

Perry E. Metzger wrote:

 >>I've noted to others on this before that for an application like
 >>the IP fragmentation id, it might be even better if no repeats
 >>occurred in any block of 2^31 (n being 32) but the sequence did not
 >>repeat itself (or at least could be harmlessly reseeded at very very
 >>long intervals).

I assume the point of the reseeding is to make
the ID-values more unpredictable.

On 09/07/2003 11:18 AM, David Wagner wrote:
 >
 > Let E_k(.) be a secure block cipher on 31 bits with key k.
 > Pick an unending sequence of keys k0, k1, k2, ... for E.
 >
 > Then your desired sequence can be constructed by
 >   E_k0(0), E_k0(1), E_k0(2), ..., E_k0(2^31 - 1),
 >   2^31 + E_k1(0), 2^31 + E_k1(1), ..., 2^31 + E_k1(2^31 - 1),
 >   E_k2(0), E_k2(1), E_k2(2), ..., E_k2(2^31 - 1),
 >   2^31 + E_k3(0), 2^31 + E_k3(1), ..., 2^31 + E_k3(2^31 - 1),

Again if we assume the point is to make the values
unpredictable (not just ergodic), then there is
room for improvement.

To see what I mean, divide the values into generations
G=0,1,2,3... where each row in the tableau above is
one generation.

The problem is that at the end of each generation,
the values become highly predictable, à la Blackjack.

David's proposal can be improved by the method used
by Blackjack dealers:  shuffle early.  In each
generation, let the argument of E_kG(.) max out at
some fraction (f) of 2^(n-1).  A limit of f=1/2 is
the obvious choice, although other f values e.g. f=2/3
work nicely too.  The domain and range of E_kG(.) are
still unrestricted (n-1)-bit numbers.

This gives us the following properties
  -- Guaranteed no repeats within the last f*2^(n-1) IDs.
  -- Probably no repeats in an even longer time.
  -- Even if the opponent is a hard-working Blackjack
     player, he has only one chance in (1-f)*2^(n-1)
     of guessing the next value.  To put this number in
     context, note that the opposition has one chance
     in 2^(n-1) of guessing the next value without any
     work at all, just by random guessing.

Setting f too near zero degrades the no-repeat guarantee.
Setting f too near unity leads to the Blackjack problem.
Setting f somewhere in the middle should be just fine.

=================

Discussion of conceivable refinements:

A proposal that keeps coming up is to take the values
generated above and run them through an additional
encryption stage, with a key that is randomly chosen
at start-up time (then held fixed for all generations).
The domain and range of this post-processing stage
are n-bit numbers.

This makes the output seem more elegant, in that we
have unpredictability spread over the whole n-bit word,
rather than having n-1 hard-to-predict bits plus one
almost-constant bit.

Define the phase to be P := (G mod 2).

The opponent will have to collect roughly 2^n data
points before being able to figure out which values
belong to which phase, so initially his guess rate
will be closer to one in 2^n, which is a twofold
improvement ... temporarily.

This temporary improvement is not permanent, if we
allow the opponent to have on the order of 2^n
memory.  He will in the long run learn which values
belong to which phase.  I see no way to prevent this.

So as far as I can tell, the proposed post-processing
is more in the nature of a temporary annoyance to the
opposition, and should not be considered industrial-strength
cryptography.

Perhaps more to the point, if we are going to allow
the opposition to have 2^n memory, it would be only
fair to allow the good guys to have 2^n memory.  In
that case, all the schemes discussed above pale in
comparison to something I suggested previously, namely
generating an ID absolutely randomly, but using a
look-up table to check if it has been used recently,
in which case we veto it and generate another.  If
you can afford the look-up table, these randomly
generated IDs have the maximum possible unpredictability.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list