\begin{document}
\author{Jacques M. Bahi, Rapha\"{e}l Couturier, Christophe
-Guyeux, and Pierre-Cyrille Heam\thanks{Authors in alphabetic order}}
+Guyeux, and Pierre-Cyrille Héam\thanks{Authors in alphabetic order}}
\maketitle
Furthermore, we show that the proposed post-treatment preserves the
cryptographical security of the inputted PRNG, when this last has such a
property.
-Last, but not least, we propose a rewritting of the Blum-Goldwasser asymmetric
+Last, but not least, we propose a rewriting of the Blum-Goldwasser asymmetric
key encryption protocol by using the proposed method.
The remainder of this paper is organized as follows. In Section~\ref{section:related
\label{equation Oplus}
\end{equation}
where $\oplus$ is for the bitwise exclusive or between two integers.
-This rewritting can be understood as follows. The $n-$th term $S^n$ of the
+This rewriting can be understood as follows. The $n-$th term $S^n$ of the
sequence $S$, which is an integer of $\mathsf{N}$ binary digits, presents
the list of cells to update in the state $x^n$ of the system (represented
as an integer having $\mathsf{N}$ bits too). More precisely, the $k-$th
An iteration of the system is simply the bitwise exclusive or between
the last computed state and the current strategy.
Topological properties of disorder exhibited by chaotic
-iterations can be inherited by the inputted generator, hoping by doing so to
+iterations can be inherited by the inputted generator, we hope by doing so to
obtain some statistical improvements while preserving speed.
Obviously, having these requirements in mind, it is possible to build
a program similar to the one presented in Listing
\ref{algo:seqCIPRNG}, which computes pseudorandom numbers on GPU. To
-do so, we must firstly remind that in the CUDA~\cite{Nvid10}
+do so, we must firstly recall that in the CUDA~\cite{Nvid10}
environment, threads have a local identifier called
\texttt{ThreadIdx}, which is relative to the block containing
them. Furthermore, in CUDA, parts of the code that are executed by the GPU, are
The simple principle consists in making each thread of the GPU computing the CPU version of our PRNG.
Of course, the three xor-like
PRNGs used in these computations must have different parameters.
-In a given thread, these lasts are
+In a given thread, these parameters are
randomly picked from another PRNGs.
The initialization stage is performed by the CPU.
To do it, the ISAAC PRNG~\cite{Jenkins96} is used to set all the
Algorithm~\ref{algo:gpu_kernel} presents a naive implementation of the proposed PRNG on
GPU. Due to the available memory in the GPU and the number of threads
-used simultenaously, the number of random numbers that a thread can generate
+used simultaneously, the number of random numbers that a thread can generate
inside a kernel is limited (\emph{i.e.}, the variable \texttt{n} in
algorithm~\ref{algo:gpu_kernel}). For instance, if $100,000$ threads are used and
if $n=100$\footnote{in fact, we need to add the initial seed (a 32-bits number)},
BBS-based PRNG on GPU. On the Tesla C1060 we obtain approximately 700MSample/s
and on the GTX 280 about 670MSample/s, which is obviously slower than the
xorlike-based PRNG on GPU. However, we will show in the next sections that this
-new PRNG has a strong level of security, which is necessary paid by a speed
+new PRNG has a strong level of security, which is necessarily paid by a speed
reduction.
\begin{figure}[htbp]
All these experiments allow us to conclude that it is possible to
generate a very large quantity of pseudorandom numbers statistically perfect with the xor-like version.
-In a certain extend, it is the case too with the secure BBS-based version, the speed deflation being
+To a certain extend, it is also the case with the secure BBS-based version, the speed deflation being
explained by the fact that the former version has ``only''
chaotic properties and statistical perfection, whereas the latter is also cryptographically secure,
as it is shown in the next sections.
denoted by $uv$.
In a cryptographic context, a pseudorandom generator is a deterministic
algorithm $G$ transforming strings into strings and such that, for any
-seed $k$ of length $k$, $G(k)$ (the output of $G$ on the input $k$) has size
-$\ell_G(k)$ with $\ell_G(k)>k$.
+seed $s$ of length $m$, $G(s)$ (the output of $G$ on the input $s$) has size
+$\ell_G(m)$ with $\ell_G(m)>m$.
The notion of {\it secure} PRNGs can now be defined as follows.
\begin{definition}
A cryptographic PRNG $G$ is secure if for any probabilistic polynomial time
algorithm $D$, for any positive polynomial $p$, and for all sufficiently
-large $k$'s,
-$$| \mathrm{Pr}[D(G(U_k))=1]-Pr[D(U_{\ell_G(k)})=1]|< \frac{1}{p(k)},$$
+large $m$'s,
+$$| \mathrm{Pr}[D(G(U_m))=1]-Pr[D(U_{\ell_G(m)})=1]|< \frac{1}{p(m)},$$
where $U_r$ is the uniform distribution over $\{0,1\}^r$ and the
-probabilities are taken over $U_N$, $U_{\ell_G(N)}$ as well as over the
+probabilities are taken over $U_m$, $U_{\ell_G(m)}$ as well as over the
internal coin tosses of $D$.
\end{definition}
negligible probability. The interested reader is referred
to~\cite[chapter~3]{Goldreich} for more information. Note that it is
quite easily possible to change the function $\ell$ into any polynomial
-function $\ell^\prime$ satisfying $\ell^\prime(N)>N)$~\cite[Chapter 3.3]{Goldreich}.
+function $\ell^\prime$ satisfying $\ell^\prime(m)>m)$~\cite[Chapter 3.3]{Goldreich}.
The generation schema developed in (\ref{equation Oplus}) is based on a
pseudorandom generator. Let $H$ be a cryptographic PRNG. We may assume,
the $S_i$'s). The cryptographic PRNG $X$ defined in (\ref{equation Oplus})
is the algorithm mapping any string of length $2N$ $x_0S_0$ into the string
$(x_0\oplus S_0 \oplus S_1)(x_0\oplus S_0 \oplus S_1\oplus S_2)\ldots
-(x_o\bigoplus_{i=0}^{i=k}S_i)$. Particularly one has $\ell_{X}(2N)=kN=\ell_H(N)$.
+(x_o\bigoplus_{i=0}^{i=k}S_i)$. One in particular has $\ell_{X}(2N)=kN=\ell_H(N)$.
We claim now that if this PRNG is secure,
then the new one is secure too.
\mathrm{Pr}[D^\prime(H(U_{N}))=1]=\mathrm{Pr}[D(U_{2N})=1].
\end{equation}
From (\ref{PCH-2}) and (\ref{PCH-4}), one can deduce that
-there exist a polynomial time probabilistic
+there exists a polynomial time probabilistic
algorithm $D^\prime$, a positive polynomial $p$, such that for all $k_0$ there exists
$N\geq \frac{k_0}{2}$ satisfying
$$| \mathrm{Pr}[D(H(U_{N}))=1]-\mathrm{Pr}[D(U_{kN}=1]|\geq \frac{1}{p(2N)},$$
-proving that $H$ is not secure, a contradiction.
+proving that $H$ is not secure, which is a contradiction.
\end{proof}
indistinguishable bits is lesser than or equals to
$log_2(log_2(M))$). In other words, to generate a 32-bits number, we need to use
8 times the BBS algorithm with possibly different combinations of $M$. This
-approach is not sufficient to be able to pass all the TestU01,
+approach is not sufficient to be able to pass all the tests of TestU01,
as small values of $M$ for the BBS lead to
- small periods. So, in order to add randomness we proceed with
+ small periods. So, in order to add randomness we have proceeded with
the followings modifications.
\begin{itemize}
\item
Firstly, we define 16 arrangement arrays instead of 2 (as described in
Algorithm \ref{algo:gpu_kernel2}), but only 2 of them are used at each call of
-the PRNG kernels. In practice, the selection of combinations
+the PRNG kernels. In practice, the selection of combination
arrays to be used is different for all the threads. It is determined
by using the three last bits of two internal variables used by BBS.
%This approach adds more randomness.
In Algorithm~\ref{algo:bbs_gpu},
character \& is for the bitwise AND. Thus using \&7 with a number
-gives the last 3 bits, providing so a number between 0 and 7.
+gives the last 3 bits, thus providing a number between 0 and 7.
\item
Secondly, after the generation of the 8 BBS numbers for each thread, we
have a 32-bits number whose period is possibly quite small. So
shift the 32-bits numbers, and add up to 6 new bits. This improvement is
described in Algorithm~\ref{algo:bbs_gpu}. In practice, the last 2 bits
of the first new BBS number are used to make a left shift of at most
-3 bits. The last 3 bits of the second new BBS number are add to the
+3 bits. The last 3 bits of the second new BBS number are added to the
strategy whatever the value of the first left shift. The third and the
fourth new BBS numbers are used similarly to apply a new left shift
and add 3 new bits.
most} 3 bits, represented by \texttt{shift} in the algorithm, and we put
\emph{exactly} the \texttt{shift} last bits from a BBS into the \texttt{shift}
last bits of $t$. For this, an array named \texttt{array\_shift}, containing the
-correspondance between the shift and the number obtained with \texttt{shift} 1
+correspondence between the shift and the number obtained with \texttt{shift} 1
to make the \texttt{and} operation is used. For example, with a left shift of 0,
we make an and operation with 0, with a left shift of 3, we make an and
operation with 7 (represented by 111 in binary mode).
\item Using the secret key $(p,q)$, she computes $r_p = y^{((p+1)/4)^{L}}~mod~p$ and $r_q = y^{((q+1)/4)^{L}}~mod~q$.
\item The initial seed can be obtained using the following procedure: $x_0=q(q^{-1}~{mod}~p)r_p + p(p^{-1}~{mod}~q)r_q~{mod}~N$.
\item She recomputes the bit-vector $b$ by using BBS and $x_0$.
-\item Alice computes finally the plaintext by XORing the keystream with the ciphertext: $ m = c \oplus b$.
+\item Alice finally computes the plaintext by XORing the keystream with the ciphertext: $ m = c \oplus b$.
\end{enumerate}
The same decryption stage as in Blum-Goldwasser leads to the sequence
$\left(m_0 \oplus S^0, m_1 \oplus S^0, \hdots, m_{L-1} \oplus S^0 \right)$.
-Thus, with a simple use of $S^0$, Alice can obtained the plaintext.
+Thus, with a simple use of $S^0$, Alice can obtain the plaintext.
By doing so, the proposed generator is used in place of BBS, leading to
the inheritance of all the properties presented in this paper.
has been generalized to improve its speed. It has been proven to be
chaotic according to Devaney.
Efficient implementations on GPU using xor-like PRNGs as input generators
-shown that a very large quantity of pseudorandom numbers can be generated per second (about
+have shown that a very large quantity of pseudorandom numbers can be generated per second (about
20Gsamples/s), and that these proposed PRNGs succeed to pass the hardest battery in TestU01,
namely the BigCrush.
Furthermore, we have shown that when the inputted generator is cryptographically