|
Calling Sequence
|
|
NewBitGenerator( seed, opt1, opt2, ... )
|
|
Parameters
|
|
seed
|
-
|
an integer, the seed for the generator
|
opt1, opt2, ...
|
-
|
(optional) argument of the form option=value where option is one of primes, numbits, or output
|
|
|
|
|
Description
|
|
•
|
The NewBitGenerator command outputs a Maple procedure, a pseudo-random bit generator, which when called outputs one pseudo-random bit, a 0 or 1. The generator is a Blum-Blum-Shub (BBS) generator. A BBS generator uses the following quadratic recurrence to generate a sequence of integers from which cryptographically secure pseudo-random bits are extracted:
|
–
|
is a product of two large primes p and q,
|
–
|
is determined from the seed s.
|
|
Each iteration of , the least significant bits of , generates cryptographically secure bits. The output of the generator depends on the options described below. The default is to output one bit.
|
•
|
The cryptographic security of the BBS generator assumes that the number theoretic problem of distinguishing a quadratic residue from a pseudo-square in Z mod n is computationally infeasible when n is the product of two primes p and q and the factorization of n is not known. Thus it also assumes that integer factorization is computationally infeasible. Recall the definitions of a quadratic residue and pseudo-square:
|
|
Definition: An integer x in Z mod n is a quadratic residue if (i) and (ii) for some integer y.
|
|
Definition: An integer z in Z mod n where is a pseudo-square if (i) , (ii) z is not a quadratic residue in Z mod p, and (iii) z is not a quadratic residue in Z mod q.
|
•
|
The primes p and q are chosen to be of the form and where s and t are prime and 2 is a primitive element in both Z mod s and Z mod t. This choice guarantees that p and q are both congruent to 3 mod 4 (a requirement for the security of the generator) and also that the period of the generator for for any quadratic residue other than 1 is either or or , all of which are large. Random primes p and q, and their product , satisfying these requirements of lengths 512 bits, 768 bits, and 1024 bits have been precomputed and the prime factorization discarded (Maple does not have the factorizations). Thus there are three choices for of lengths 308, 462, and 616 decimal digits, providing a range of security for cryptographic applications.
|
•
|
The argument seed=s determines the seed for the generator. The value used for used must be a "random" quadratic residue which is not equal to 1 (to avoid a short period). The value used for is computed from the seed s. For cryptographic applications the seed should be chosen by the user to be a random integer from a large set, e.g., from 0..10^100. It will be automatically reduced modulo n.
|
•
|
The following optional arguments are supported. They are input as equations in any order.
|
|
primes = , or
|
|
The integer l, which must be one of , or specifies the length of the primes p and q in bits. The default is .
|
|
This specifies how many bits are computed and output by each call to the generator. The default is 1.
|
|
This specifies how the bits are output. If integer is specified, the output is a Maple integer in the range 0 to 2^b-1. If bits is specified, the output will be a Maple sequence of b bits. The default is bits.
|
•
|
The RandomTools[BlumBlumShub] module also exports the NewGenerator function. This function's interface is compatible with the NewGenerator functions of other RandomTools pseudo-random number generator subpackages.
|
|
|
Examples
|
|
>
|
|
| (1) |
>
|
|
| (2) |
>
|
|
>
|
|
| (9) |
|
|
|