Generalized Elias Schemes for Truly Random Bits

Generalized Elias Schemes for Eﬃcient
Harvesting of Truly Random Bits
Riccardo Bernardini and Roberto Rinaldo
University of Udine
riccardo.bernardini@uniud.it, rinaldo@uniud.it
http://link.springer.com/article/10.1007/s10207-016-0358-5
DOI: 10.1007/s10207-016-0358-5
Int. J. Inf. Secur. (2017), Springer
2 January 2017

Generalized Elias Schemes for Eﬃcient Harvesting of Truly Random Bits
Outline
• Why true random numbers?
• Why Poisson sources?
• What is a (Generalized) Elias Scheme?
• Elias for Poisson
• Conclusions
1
DIEGM University of Udine

Why random numbers?
• Widely used in cryptography
– Challenges
– Keys (temporary & long-term)
– Prime numbers
• Critical requirement: true unpredictability
• Usual generators not good enough
– Cryptographically strong PRNG
– They need truly random seed
2

Example: Prime number generation
Uniformly distributed
3

How many bits?
• # primes less than N ≈ N
ln N
# of expected iterations ln(2b) ×
# of bit/iteration b − 1 =
Total # of bit required O(b2)
• For two 1024-bit primes we need ≈ 1.4 · 106 random bits
• /dev/random generates ≈ 300 bit/s
1.4 · 106bit
300 bit/s
= 4800 s ≈ 1h 20m
4

Why?
• Very common
– Radioactive decay
– Photon arrivals on a photodiode
– Shot noise
– . . .
5

Sampling a Poisson source
n = Interarrival time modulo 2M (in units of ∆)
P[n = k] = C · pk, k ∈ [0, 2M − 1], geometric, but ﬁnite
6

Performance
# bit/s ≈ λ log2 e − λ log2(λ∆) λ = intensity,M → ∞
−5 0 5 10 15 20
0
5
10
15
20
M
Eaten by the mod...
Rate (bit/event)
−log2
(λ∆)
H(N)(bits)
Approximation
True entropy
7

However. . .
• Samples not uniform
P[n = k] =



C · pk k ∈ {0, 1, . . . , 2M − 1}
0 else
• We need to extract a sequence of iid bits
• Note
– We can rely on the Poisson hypothesis
– We cannot rely on the exact value of p
8

The conditioning problem
• A random process {Xk}k∈N with alphabet A
• Variables Xk iid, but probabilities P[Xk = a] not exactly known
• We want to map {Xk}k∈N into a sequence {Bk}k∈N of unbiased,
iid bits
9

Blockwise conditioner
• A map
f : AL →{0, 1}∗
Set of all ﬁnite bitstrings
• Output process
f(X1, . . . , XL)
S1
& f(XL+1, . . . , X2L)
S2
& f(X2L+1, . . . , X3L)
S3
& · · ·
Note: the length of bitstrings Sn may vary (it can be even zero)
• Output process iid and unbiased. Moreover, we would like
Output rate =
E [|f(X1, . . . , XL)|]
L
≈ H(X)
10

Von Neumman
• Blocksize = 2. Binary input A = {0, 1}.
X2n X2n+1 bn = f(X2n, X2n+1)
0 0 φ
0 1 0
1 0 1
1 1 φ
iid ⇒ P[(X2n, X2n+1) = (0, 1)] = P[(X2n, X2n+1) = (1, 0)]
⇒ P[bn = 0] = P[bn = 1]
• Requires only iid
• Not eﬃcient
11

Elias
Use larger blocks & exploit iid
Use “binary expansion” of isoprobability sets
12

Generalized Elias
First (and key) step Partition AL in isoprobability sets Wi
• In Elias: isoprobability set = permutation class
• In Generalized Elias: isoprobability set = chosen by “user”
Second step Split Wi into sets whose cardinality is a power of two
Properties
• The partition of a GES is coarser than the partition of Elias
• If only iid is assumed, Elias is the only possibility
13

GES Performance
⇒ We can buy performance with generality ⇐
14

Geometric variables
• If Xk are obtained by M-bit sampling a Poisson process
P[Xk = n] = C · pn n ∈ {0, . . . , 2M − 1}
We do not know the exact value of p
• Note that
P[X1 = n1, . . . , XL = nL] = CL · p k nk
depends only on k nk
Isoprobability = Isosum
15

Why?
• Partition sizes
PElias
L =
2M + L − 1
L
>
≈
2M
L
L
PGeom
L = L2M
• Example, M = 16, L = 128, [H( )/L ≤ 0.25]
PElias
L ≈ 2.8 · 1042 PGeom
L = 8192
log2 PElias
L
L
≈ 4.4
log2 PGeom
L
L
≈ 0.4
16

Experimental Results
2M = 16 2M = 64
2 3 4 5 6 7 8 9 10
0
0.5
1
1.5
2
2.5
3
3.5
4
4.5
5
Block size
bit/symbol
Elias
Proposed
no mod
mod M
2 3 4 5 6 7 8 9 10
0
0.5
1
1.5
2
2.5
3
3.5
4
4.5
5
Block size
bit/symbol
Elias
Proposed
no mod
mod M
p = 0.1, H(geometric) = 4.69
17

Extension to continuous r.v.
The idea of isoprobability sets can be extended to the case of con-
tinuous random variables
1. Collect the variables in vectors of length L
2. Partition RL with a vector quantizer
3. Collect the decision regions of the vector quantizer into iso-probability
sets
4. Use the iso-probability sets like in the discrete case
18

Example: Gaussian variables
• If Xi, i = 1, . . . , L are Gaussian iid, the joint pdf depends only on
X2
1 + X2
2 + · · · + X2
L = r2
• This suggests the following approach
1. Partition the space in spherical shells
Sk = {x ∈ RL
: rk−1 ≤ x < rk}
2. Partition the unit sphere in iso-area sections Uj
3. Deﬁne the (k, j)-th decision region Vk,j as (see next slide)
Vk,j = {x : x ∈ Sk, x/ x ∈ Uj}
4. Note that P[X ∈ Vk,j depends only on k
5. The k-th iso-probabilty set is ∪jVk,j
19

Example of partitioning in Gaussian case
20

Conclusions
• A blockwise conditioner for Poisson processes has been presented
• The proposed conditioner is a GES that uses iso-sum sets as iso-
probability sets
The size of the resulting partition is order of magnitude smaller
than the Elias partition
The proposed scheme is much more eﬃcient than classic Elias
21

Generalized Elias Schemes for Truly Random Bits

Recommended

Recommended

More Related Content

What's hot

What's hot (17)

Viewers also liked

Viewers also liked (20)

Similar to Generalized Elias Schemes for Truly Random Bits

Similar to Generalized Elias Schemes for Truly Random Bits (20)

More from Riccardo Bernardini

More from Riccardo Bernardini (7)

Recently uploaded

Recently uploaded (20)

Generalized Elias Schemes for Truly Random Bits