In 1997, Moni Naor and Omer Reingold described efficient constructions for various cryptographic primitives in private key as well as public-key cryptography. Their result is the construction of an efficient pseudorandom function. Let p and l be prime numbers with l |p−1. Select an element g ∈
| * | |
| {F | |
| p} |
(Fl)n+1
fa(x)=
| |||||||||||||||||||||||||
| g |
\inFp
where x = x1 ... xn is the bit representation of integer x, 0 ≤ x ≤ 2n−1, with some extra leading zeros if necessary.
Let p = 7 and l = 3; so l |p−1. Select g = 4 ∈
| * | |
| {F | |
| 7} |
fa(5)
fa(x)=
| |||||||||||||||||||||||||
| g |
\inFp
fa(5)=
| 1 ⋅ 112011 | |
| 4 |
=41=4\inF7
The evaluation of function
fa(x)
fa(x)
The Naor–Reingold function can be used as the basis of many cryptographic schemes including symmetric encryption, authentication and digital signatures.
Assume that an attacker sees several outputs of the function, e.g.
fa(1)=
| a1 | |
| g |
,fa(2)=
| a2 | |
| g |
,fa(3)=
| a1a2 | |
| g |
fa(k)=
| ||||||||||||||||||||||
| g |
fa(k+1)
fa(1)=
| a1 | |
| g |
fa(k)=
| ||||||||||||||||
| g |
fa(k+1)=
| |||||||||||||||||||
| g |
fa(k+1)
Example:An attacker sees several outputs of the function e.g.
fa(5)=
| 112011 | |
| 4 |
=41=4
fa(1)=
| 102011 | |
| 4 |
=41=4
fa(6)
fa(6)
fa(1)
fa(5)
There are other attacks that would be very bad for a pseudorandom number generator: the user expects to get random numbers from the output, so of course the stream should not be predictable, but even more, it should be indistinguishable from a random string. Let
l{A}f
l{A}
fa(x)
Fp
l{A}
| fa(x) | |
| Pr[l{A} |
(p,g)\to1]-Pr[l{A}R(p,g)\to1]
The first probability is taken over the choice of the seed s = (p, g, a) and the second probability is taken over the random distribution induced on p, g by
l{I}l{G}(n)
Ra(x)
\{0,1\}n\toFp
One natural measure of how useful a sequence may be for cryptographic purposes is the size of its linear complexity. The linear complexity of an n-element sequence W(x), x = 0,1,2,...,n – 1, over a ring
l{R}
l{R}
For some
\gamma
\gamma
logl
\delta>0
fa(x)
La
La\geqslant\begin{cases} l1- \delta&,if\gamma\geqslant2\\ l\left{2- \delta}\right)}&,if\gamma<2 \end{cases}
for all except possibly at most
3(l-1)n
(Fl)n
logp ≈ logn ≈ {n.}
The statistical distribution of
fa(x)
(Fl)n
Let
{D}a
\{fa(x)|0\leqx\leq2n-1\}
n=logp
(Fl)n
{D}a\leq\Delta(l,p)
\Delta(l,p)=\begin{cases} p\left{2}\right)}l\left{2}\right)}log2p&ifl\geqslantp\gamma\\ p\left{2}\right)}l-1log2p&ifp\gamma>l\geqslantp\left{3}\right)}\\ p\left{4}\right)}l\left{8}\right)}log2p&ifp\left{3}\right)}>l\geqslantp\left{2}\right)}\\ p\left{8}\right)}l\left{8}\right)}log2p&ifp\left{2}\right)}>l\geqslantp\left{3}\right)}\\ \end{cases}
\gamma=2.5-log3=0.9150 …
Although this property does not seem to have any immediate cryptographic implications, the inverse fact, namely non uniform distribution, if true would have disastrous consequences for applications of this function.
The elliptic curve version of this function is of interest as well. In particular, it may help to improve the cryptographic security of the corresponding system. Let p > 3 be prime and let E be an elliptic curve over
Fp
\langleG\rangle
Fa(x)=
| x1 | |
| (a | |
| 1 |
| x2 | |
| a | |
| 2 |
...
| xn | |
| a | |
| n |
)G
where
x=x1...xn
x,0\leqx\leq2n-1
uk=X(fa(k)) whereX(P)istheabscissaof P\inE.
uk