### UC Berkeley, MICS, W202-Cryptography
### Week 06 Breakout 4
### PRNG - Pseudo Random Number Generators 

In our lecture, we learned about Knuth's recommended Linear-congruential LCG PRNG:

* pass most statistical tests for randomness

* not good enough for security purposes

* if we can observe a sequence of pseudo random numbers output, we can infer constants used in the algorithm

We will use the naming conventions from our lectures:

* p = large prime

* s_0 = random seed (must be kept secret)

* a = multiplier

* b = increment

* s_i+1 = a * s_i + b (mod p)

Knuth shows the output itself as being random numbers.  As our lecture notes mention, we can also use it to generate a bit stream of 1's and 0's by adding the following step:

* b_i = s_i mod 2

Knuth notes that we must choose the above numbers carefully to get an even and uniform distribution of random numbers. In his book the math behind how to choose proper values is quite lengthy, so we won't be able to present it in this course. Knuth gave several recommended sets of numbers.  

In this breakout we will first examine Knuth's recommendations using his various sets of recommended numbers.

We will then take a look at converting it into a bit stream.

In lectures, we learned that Knuth's recommended method is not cryptographically strong.  To be cryptographically strong a PRNG:

* MUST add an encryption step to the internal state to prevent inferring constants used in the algorithm from the pseudo random numbers output

* HOWEVER, adding encryption is computationally intensive

In this breakout, we will take Knuth's first recommended algorithm for LCG PRNG and add an encryption step 

#### Knuth's recommended LCG PRNG with several of his recommended values

Note that since it outputs random numbers and not a bit string, there is no internal state.  By observing the random numbers generated, it is possible to recover the parameters and generate the sequence going forward.  Therefore, it is not cryptographically secure.

In [1]:
# Run this cell first! The pip command may take a few minutes the first time it's run
from sage.all import *
!pip install pycryptodome==3.4.3

Defaulting to user installation because normal site-packages is not writeable




In [2]:
def my_LCG_PRNG(name, p, seed, a, b, max_prn):
    "given values for p, seed, a, b, construct an LCG PRNG, and calculate k pseudo random numbers"
    
    print ("\n")
    print ("name: " + name + "\n")
    print ("p: " + str(p))
    print ("seed: " + str(seed))
    print ("a (multiplier): " + str(a))
    print ("b (increment): " + str(b) + "\n")
    
    s = seed
    
    for i in range(1, max_prn+1):
        
        s = ((a * s) + b) % p
        
        f = float(s/p)
        
        print ("iternation: " + str(i) )
        print ("    pseudo random number: " + str(s))
        print ("    as a floating point >= 0 and <= 1: " + str(f))
        

In [3]:
# Knuth 1

name = "Knuth 1"
p = (2 ** 31) - 1
a = 16807
b = 0

# try different values for the seed and see what happens
seed = 1234567890

my_LCG_PRNG(name, p, seed, a, b, 25)



name: Knuth 1

p: 2147483647
seed: 1234567890
a (multiplier): 16807
b (increment): 0

iternation: 1
    pseudo random number: 395529916
    as a floating point >= 0 and <= 1: 0.18418296993904884
iternation: 2
    pseudo random number: 1209410747
    as a floating point >= 0 and <= 1: 0.5631757655940837
iternation: 3
    pseudo random number: 633705974
    as a floating point >= 0 and <= 1: 0.2950923397648578
iternation: 4
    pseudo random number: 1324899545
    as a floating point >= 0 and <= 1: 0.6169544279654298
iternation: 5
    pseudo random number: 328717072
    as a floating point >= 0 and <= 1: 0.15307081497882996
iternation: 6
    pseudo random number: 1419889020
    as a floating point >= 0 and <= 1: 0.6611873491952137
iternation: 7
    pseudo random number: 1236473676
    as a floating point >= 0 and <= 1: 0.57577792395641
iternation: 8
    pseudo random number: 213820513
    as a floating point >= 0 and <= 1: 0.09956793538274614
iternation: 9
    pseudo random number: 941

In [4]:
# Knuth 2

name = "Knuth 2"
p = (2 ** 31) - 249
a = 40692
b = 0

# try different values for the seed and see what happens
seed = 1234567890

my_LCG_PRNG(name, p, seed, a, b, 25)



name: Knuth 2

p: 2147483399
seed: 1234567890
a (multiplier): 40692
b (increment): 0

iternation: 1
    pseudo random number: 957427073
    as a floating point >= 0 and <= 1: 0.44583677501108354
iternation: 2
    pseudo random number: 2126113257
    as a floating point >= 0 and <= 1: 0.9900487510124869
iternation: 3
    pseudo random number: 136958331
    as a floating point >= 0 and <= 1: 0.0637762001158082
iternation: 4
    pseudo random number: 388984647
    as a floating point >= 0 and <= 1: 0.18113511246752134
iternation: 5
    pseudo random number: 1610605094
    as a floating point >= 0 and <= 1: 0.7499965283782852
iternation: 6
    pseudo random number: 1844114366
    as a floating point >= 0 and <= 1: 0.8587327691840285
iternation: 7
    pseudo random number: 1189370015
    as a floating point >= 0 and <= 1: 0.5538436364881067
iternation: 8
    pseudo random number: 11287117
    as a floating point >= 0 and <= 1: 0.005255974041641474
iternation: 9
    pseudo random number: 1

In [5]:
# Knuth 3

name = "Knuth 3"
p = (2 ** 64) - 1
a = 6364136223846793005
b = 0

# try different values for the seed and see what happens
seed = 1234567890

my_LCG_PRNG(name, p, seed, a, b, 25)



name: Knuth 3

p: 18446744073709551615
seed: 1234567890
a (multiplier): 6364136223846793005
b (increment): 0



iternation: 1
    pseudo random number: 1478351238639766665
    as a floating point >= 0 and <= 1: 0.08014158123149358
iternation: 2
    pseudo random number: 12071536704926676600
    as a floating point >= 0 and <= 1: 0.6543993160360005
iternation: 3
    pseudo random number: 16569749568914942025
    as a floating point >= 0 and <= 1: 0.8982479240079165
iternation: 4
    pseudo random number: 6677231707540154595
    as a floating point >= 0 and <= 1: 0.3619734561752065
iternation: 5
    pseudo random number: 14559684490296345555
    as a floating point >= 0 and <= 1: 0.78928207775414
iternation: 6
    pseudo random number: 13623911123569589040
    as a floating point >= 0 and <= 1: 0.7385537018961789
iternation: 7
    pseudo random number: 768325973130498300
    as a floating point >= 0 and <= 1: 0.04165103446225628
iternation: 8
    pseudo random number: 13614546925016750850
    as a floating point >= 0 and <= 1: 0.7380460676754502
iternation: 9
    pseudo random number: 54433190379

#### Bit Stream Output Version of Knuth's recommended LCG PRNG with several of his recommended values

Because we are generating a bit stream this time, we will have an internal state.  By observing the bit steam generated, it is possible to recover the internal state and generate the bit stream going forward.  Therefore, it is not cryptographically secure.

In [6]:
def my_LCG_PRNG_bit_stream(name, p, seed, a, b, bits):
    "given values for p, seed, a, b, construct an LCG PRNG, and calculate k pseudo random numbers"
    
    print ("\n")
    print ("name: " + name + "\n")
    print ("p: " + str(p))
    print ("seed: " + str(seed))
    print ("a (multiplier): " + str(a))
    print ("b (increment): " + str(b))
    
    bit_string = ""
    
    s = seed
    
    for i in range(0, bits):
        
        s = ((a * s) + b) % p
        
        bit_value = s % 2
        
        bit_string = str(bit_value) + bit_string
        
        print ("\nbit: " + str(i))
        print ("internal state: " + str(s))
        print ("bit value: " + str(bit_value))
        
    print ("\nBit String: " + bit_string)
    print ("Pseudo Random Number: " + str(int(bit_string,2)))
    print ("As a floating point >= 0 and <= 1: " + str(float(int(bit_string,2) / 2 ** bits)))

In [7]:
# Knuth 1

name = "Knuth 1"
p = (2 ** 31) - 1
a = 16807
b = 0

# try different values for the seed and see what happens
seed = 1234567890

my_LCG_PRNG_bit_stream(name, p, seed, a, b, 32)



name: Knuth 1

p: 2147483647
seed: 1234567890
a (multiplier): 16807
b (increment): 0

bit: 0
internal state: 395529916
bit value: 0

bit: 1
internal state: 1209410747
bit value: 1

bit: 2
internal state: 633705974
bit value: 0

bit: 3
internal state: 1324899545
bit value: 1

bit: 4
internal state: 328717072
bit value: 0

bit: 5
internal state: 1419889020
bit value: 0

bit: 6
internal state: 1236473676
bit value: 0

bit: 7
internal state: 213820513
bit value: 1

bit: 8
internal state: 941220560
bit value: 0

bit: 9
internal state: 729408118
bit value: 0

bit: 10
internal state: 1325582150
bit value: 0

bit: 11
internal state: 1063841072
bit value: 0

bit: 12
internal state: 28052182
bit value: 0

bit: 13
internal state: 1174104181
bit value: 1

bit: 14
internal state: 2089221431
bit value: 1

bit: 15
internal state: 39478720
bit value: 0

bit: 16
internal state: 2093883764
bit value: 0

bit: 17
internal state: 1089898159
bit value: 1

bit: 18
internal state: 2030333050
bit value: 0

b

In [8]:
# Knuth 2

name = "Knuth 2"
p = (2 ** 31) - 249
a = 40692
b = 0

# try different values for the seed and see what happens
seed = 1234567890

my_LCG_PRNG_bit_stream(name, p, seed, a, b, 32)



name: Knuth 2

p: 2147483399
seed: 1234567890
a (multiplier): 40692
b (increment): 0

bit: 0
internal state: 957427073
bit value: 1

bit: 1
internal state: 2126113257
bit value: 1

bit: 2
internal state: 136958331
bit value: 1

bit: 3
internal state: 388984647
bit value: 1

bit: 4
internal state: 1610605094
bit value: 0

bit: 5
internal state: 1844114366
bit value: 0

bit: 6
internal state: 1189370015
bit value: 1

bit: 7
internal state: 11287117
bit value: 1

bit: 8
internal state: 1881400977
bit value: 1

bit: 9
internal state: 185381734
bit value: 0

bit: 10
internal state: 1591822640
bit value: 0

bit: 11
internal state: 2052586242
bit value: 0

bit: 12
internal state: 1767522157
bit value: 1

bit: 13
internal state: 497613336
bit value: 0

bit: 14
internal state: 260899341
bit value: 1

bit: 15
internal state: 1505542715
bit value: 1

bit: 16
internal state: 137752108
bit value: 0

bit: 17
internal state: 477107346
bit value: 0

bit: 18
internal state: 1202196472
bit value: 0

b

In [9]:
# Knuth 3

name = "Knuth 3"
p = (2 ** 64) - 1
a = 6364136223846793005
b = 0

# try different values for the seed and see what happens
seed = 1234567890

my_LCG_PRNG_bit_stream(name, p, seed, a, b, 32)



name: Knuth 3

p: 18446744073709551615
seed: 1234567890
a (multiplier): 6364136223846793005
b (increment): 0

bit: 0
internal state: 1478351238639766665
bit value: 1

bit: 1
internal state: 12071536704926676600
bit value: 0

bit: 2
internal state: 16569749568914942025
bit value: 1

bit: 3
internal state: 6677231707540154595
bit value: 1

bit: 4
internal state: 14559684490296345555
bit value: 1

bit: 5
internal state: 13623911123569589040
bit value: 0

bit: 6
internal state: 768325973130498300
bit value: 0

bit: 7
internal state: 13614546925016750850
bit value: 0

bit: 8
internal state: 5443319037989131515
bit value: 1

bit: 9
internal state: 1681301872891623675
bit value: 1

bit: 10
internal state: 17573542101121999785
bit value: 1

bit: 11
internal state: 1024960575160914225
bit value: 1

bit: 12
internal state: 7882734601556528460
bit value: 0

bit: 13
internal state: 12889819650850296510
bit value: 0

bit: 14
internal state: 5036505263280185820
bit value: 0

bit: 15
internal state

#### Encrypted Internal State Version of the Bit Stream Output Version of LCG PRNG

With the added encryption, the internal state cannot be recovered from the output stream.  We will use symmetric encrytion with AES 256, which we will cover in the next week.  With proper encryption, pseudo random number generators can be made cryptographically secure.  Someone observing the output bits can recover the current state, but without the encryption key, they cannot determine the next state nor the next output bit.  (This is a simple example for learning purposes, not intended for production use)

In [10]:
import hashlib
from Crypto.Cipher import AES

In [11]:
def my_encrypt(key, integer_plain_text):
    "given an s as integer in plain text in an LCG PRNG, encrypt it using the key and AES256"
    
    # our key need to be exactly 256 bytes.  we will use sha256 to ensure this.
    sha256_key = hashlib.sha256(key.encode('utf-8')).digest()
    
    # our integer in plain text needs to also be 256 bytes.  we will use sha256 to ensure this.
    sha256_int = hashlib.sha256(str(integer_plain_text).encode('utf-8')).digest()
  
    # since we only have 1 block, we will use ECB Electonic Code Book mode
    my_aes = AES.new(sha256_key, AES.MODE_ECB)
    
    # encrypt the block and convert it to a hex string
    cipher_text = my_aes.encrypt(sha256_int)
    cipher_text = cipher_text.hex()

    # convert the hex string into an integer
    cipher_int = int(cipher_text, 16)
    
    return cipher_int

In [12]:
def my_encrypted_LCG_PRNG_bit_stream(key, seed, bits):
    "given values for a key, a seed, and number of output bits, build a LCG PRNG that uses encryption for the state calculation"
    
    print ("\n")
    print ("Encrypted LCG PRNG outputting a bit string:\n")
        
    bit_string = ""
    
    s = seed
    
    for i in range(0, bits):
        
        # we will encrypt the s value for the calculation
        
        s = my_encrypt(key, s) % p
        
        bit_value = s % 2
        
        bit_string = str(bit_value) + bit_string
        
        print ("\nbit: " + str(i))
        print ("internal state: " + str(s))
        print ("bit value: " + str(bit_value))
        
    print ("\nBit String: " + bit_string)
    print ("Pseudo Random Number: " + str(int(bit_string,2)))
    print ("As a floating point >= 0 and <= 1: " + str(float(int(bit_string,2) / 2 ** bits)))

In [13]:
# encrypted version

# try different values for the seed and the key and see what happens

seed = 1234567890
bits = 32
key = "38mvkmekur829u,lqmkhieoir3mkabli3m4l;2jpo"

my_encrypted_LCG_PRNG_bit_stream(key, seed, bits)



Encrypted LCG PRNG outputting a bit string:


bit: 0
internal state: 9270652574397368717
bit value: 1

bit: 1
internal state: 8653782304757091127
bit value: 1

bit: 2
internal state: 3677383810786493459
bit value: 1

bit: 3
internal state: 9037320610516413060
bit value: 0

bit: 4
internal state: 12147394734436497869
bit value: 1

bit: 5
internal state: 17525746761847625877
bit value: 1

bit: 6
internal state: 4297624782328591530
bit value: 0

bit: 7
internal state: 1255412671083426992
bit value: 0

bit: 8
internal state: 9854549867911102618
bit value: 0

bit: 9
internal state: 6028938098918527697
bit value: 1

bit: 10
internal state: 327778731016653602
bit value: 0

bit: 11
internal state: 5784382352050089079
bit value: 1

bit: 12
internal state: 2758960576387829642
bit value: 0

bit: 13
internal state: 9215606330107768155
bit value: 1

bit: 14
internal state: 400371183653330106
bit value: 0

bit: 15
internal state: 16933139504727516486
bit value: 0

bit: 16
internal state: 544582801