From f246e742e53adda3e727bd541ccfabbc38d8810a Mon Sep 17 00:00:00 2001 From: couturie Date: Mon, 29 Jun 2015 23:11:46 +0200 Subject: [PATCH 1/1] correct papier --- prng_gpu.tex | 80 ++++++++++++++++++++++++++-------------------------- 1 file changed, 40 insertions(+), 40 deletions(-) diff --git a/prng_gpu.tex b/prng_gpu.tex index 27702e8..6ae1ef6 100644 --- a/prng_gpu.tex +++ b/prng_gpu.tex @@ -106,8 +106,8 @@ a recurrent problem is that a deflation of the statistical qualities is often reported, when the parallelization of a good PRNG is realized. This is why ad-hoc PRNGs for each possible architecture must be found to achieve both speed and randomness. -On the other side, speed is not the main requirement in cryptography: the great -need is to define \emph{secure} generators able to withstand malicious +On the other hand, speed is not the main requirement in cryptography: the most +important aspect is to define \emph{secure} generators able to withstand malicious attacks. Roughly speaking, an attacker should not be able in practice to make the distinction between numbers obtained with the secure generator and a true random sequence. Or, in an equivalent formulation, he or she should not be @@ -119,15 +119,15 @@ of the difficulty of this challenge when the size of the parameters of the PRNG Finally, a small part of the community working in this domain focuses on a third requirement, that is to define chaotic generators. -The main idea is to take benefits from a chaotic dynamical system to obtain a -generator that is unpredictable, disordered, sensible to its seed, or in other word chaotic. -Their desire is to map a given chaotic dynamics into a sequence that seems random +The main idea is to take advantage from a chaotic dynamical system to obtain a +generator that is unpredictable, disordered, sensible to its seed, or in other words chaotic. +Their goal is to map a given chaotic dynamics into a sequence that seems random and unassailable due to chaos. -However, the chaotic maps used as a pattern are defined in the real line +However, the chaotic maps used as patterns are defined in the real line whereas computers deal with finite precision numbers. This distortion leads to a deflation of both chaotic properties and speed. Furthermore, authors of such chaotic generators often claim their PRNG -as secure due to their chaos properties, but there is no obvious relation +are secure due to their chaos properties, but there is no obvious relation between chaos and security as it is understood in cryptography. This is why the use of chaos for PRNG still remains marginal and disputable. @@ -136,7 +136,7 @@ properly defined in the mathematical theory of chaos, can reinforce the quality of a PRNG. But they are not substitutable for security or statistical perfection. Indeed, to the authors' mind, such properties can be useful in the two following situations. On the one hand, a post-treatment based on a chaotic dynamical system can be applied -to a PRNG statistically deflective, in order to improve its statistical +to a statistically deflective PRNG, in order to improve its statistical properties. Such an improvement can be found, for instance, in~\cite{bgw09:ip,bcgr11:ip}. On the other hand, chaos can be added to a fast, statistically perfect PRNG and/or a cryptographically secure one, in case where chaos can be of interest, @@ -151,7 +151,7 @@ statistical perfection refers to the ability to pass the whole stringent statistical evaluation of a sequence claimed as random. This battery can be found in the well-known TestU01 package~\cite{LEcuyerS07}. More precisely, each time we performed a test on a PRNG, we ran it -twice in order to observe if all $p-$values are inside [0.01, 0.99]. In +twice in order to observe if all $p-$values were inside [0.01, 0.99]. In fact, we observed that few $p-$values (less than ten) are sometimes outside this interval but inside [0.001, 0.999], so that is why a second run allows us to confirm that the values outside are not for @@ -171,15 +171,15 @@ The proposition of this paper is to improve widely the speed of the formerly proposed generator, without any lack of chaos or statistical properties. In particular, a version of this PRNG on graphics processing units (GPU) is proposed. -Although GPU was initially designed to accelerate +Although GPUs were initially designed to accelerate the manipulation of images, they are nowadays commonly used in many scientific applications. Therefore, it is important to be able to generate pseudorandom -numbers inside a GPU when a scientific application runs in it. This remark +numbers inside a GPU when it is run by a scientific application runs in it. This remark motivates our proposal of a chaotic and statistically perfect PRNG for GPU. Such device allows us to generate almost 20 billion of pseudorandom numbers per second. Furthermore, we show that the proposed post-treatment preserves the -cryptographical security of the inputted PRNG, when this last has such a +cryptographical security of the inputted PRNG, when the latter has such a property. Last, but not least, we propose a rewriting of the Blum-Goldwasser asymmetric key encryption protocol by using the proposed method. @@ -187,8 +187,8 @@ key encryption protocol by using the proposed method. {\bf Main contributions.} In this paper a new PRNG using chaotic iteration is defined. From a theoretical point of view, it is proven that it has fine -topological chaotic properties and that it is cryptographically secured (when -the initial PRNG is also cryptographically secured). From a practical point of +topological chaotic properties and that it is cryptographically secure (when +the initial PRNG is also cryptographically secure). From a practical point of view, experiments point out a very good statistical behavior. An optimized original implementation of this PRNG is also proposed and experimented. Pseudorandom numbers are generated at a rate of 20GSamples/s, which is faster @@ -222,7 +222,7 @@ our pseudorandom generators, in particular with a GPU implementation. Such generators are experimented in Section~\ref{sec:experiments}. We show in Section~\ref{sec:security analysis} that, if the inputted -generator is cryptographically secure, then it is the case too for the +generator is cryptographically secure, then it is also the case of the generator provided by the post-treatment. A practical security evaluation is also outlined in Section~\ref{sec:Practicak evaluation}. @@ -241,7 +241,7 @@ summarized and intended future work is presented. Numerous research works on defining GPU based PRNGs have already been proposed in the literature, so that exhaustivity is impossible. -This is why authors of this document only give reference to the most significant attempts +This is why the authors of this document only only refer to the most significant attempts in this domain, from their subjective point of view. The quantity of pseudorandom numbers generated per second is mentioned here only when the information is given in the related work. @@ -249,7 +249,7 @@ A million numbers per second will be simply written as 1MSample/s whereas a billion numbers per second is 1GSample/s. In \cite{Pang:2008:cec} a PRNG based on cellular automata is defined -with no requirement to an high precision integer arithmetic or to any bitwise +with no requirement to a high precision integer arithmetic or to any bitwise operations. Authors can generate about 3.2MSamples/s on a GeForce 7800 GTX GPU, which is quite an old card now. However, there is neither a mention of statistical tests nor any proof of @@ -265,12 +265,12 @@ However the evaluations of the proposed PRNGs are only statistical ones. Authors of~\cite{conf/fpga/ThomasHL09} have studied the implementation of some PRNGs on different computing architectures: CPU, field-programmable gate array -(FPGA), massively parallel processors, and GPU. This study is of interest, because +(FPGA), massively parallel processors, and GPU. This study is interesting, because the performance of the same PRNGs on different architectures are compared. FPGA appears as the fastest and the most efficient architecture, providing the fastest number of generated pseudorandom numbers per joule. -However, we notice that authors can ``only'' generate between 11 and 16GSamples/s +However, we notice that the authors can ``only'' generate between 11 and 16GSamples/s with a GTX 280 GPU, which should be compared with the results presented in this document. We can remark too that the PRNGs proposed in~\cite{conf/fpga/ThomasHL09} are only @@ -281,10 +281,10 @@ Curand~\cite{curand11}. Several PRNGs are implemented, other things Xorwow~\cite{Marsaglia2003} and some variants of Sobol. The tests reported show that their fastest version provides 15GSamples/s on the new Fermi C2050 card. -But their PRNGs cannot pass the whole TestU01 battery (only one test is failed). +But their PRNGs cannot pass the whole TestU01 battery (only one test has failed). \newline \newline -We can finally remark that, to the best of our knowledge, no GPU implementation has been proven to be chaotic, and the cryptographically secure property has surprisingly never been considered. +We can finally remark that, to the best of our knowledge, no GPU implementation has ever been proven to be chaotic, and the cryptographically secure property has surprisingly never been considered. \section{Basic Recalls} \label{section:BASIC RECALLS} @@ -362,7 +362,7 @@ Let us consider a \emph{system} with a finite number $\mathsf{N} \in \mathds{N}^*$ of elements (or \emph{cells}), so that each cell has a Boolean \emph{state}. Having $\mathsf{N}$ Boolean values for these cells leads to the definition of a particular \emph{state of the -system}. A sequence which elements belong to $\llbracket 1;\mathsf{N} +system}. A sequence whose elements belong to $\llbracket 1;\mathsf{N} \rrbracket $ is called a \emph{strategy}. The set of all strategies is denoted by $\llbracket 1, \mathsf{N} \rrbracket^\mathds{N}.$ @@ -691,8 +691,8 @@ inputted defective generators we have investigated. For instance, when considering the TestU01 battery with its 588 tests, we obtained 261 failures for a PRNG based on the logistic map alone, and this number of failures falls below 138 in the Old CI(Logistic,Logistic) generator. -In the XORshift case (146 failures when considering it alone), the results are more amazing, -as the chaotic iterations post-treatment makes it fails only 8 tests. +In the XORshift case (146 failures when considering it alone), the results are more impressive, +as the chaotic iterations post-treatment fails with only 8 tests of the TestU01 battery. Further investigations have been systematically realized in \cite{bfg12a:ip} using a large set of inputted defective PRNGs, the three most used batteries of tests (DieHARD, NIST, and TestU01), and for all the versions of generators we have proposed. @@ -726,8 +726,8 @@ component of this state (a binary digit) changes if and only if the $k-$th digit in the binary decomposition of $S^n$ is 1. \begin{color}{red} Obviously, when $S$ is periodic of period $p$, then $x$ is periodic too of -period either $p$ or $2p$, depending of the fact that, after $p$ iterations, -the state of the system may or not be the same than before these iterations. +period either $p$ or $2p$, depending on the fact that, after $p$ iterations, +the state of the system may or not be the same as before these iterations. \end{color} The single basic component presented in Eq.~\ref{equation Oplus} is of @@ -863,7 +863,7 @@ The function $d$ defined in Eq.~\ref{nouveau d} is a metric on $\mathcal{X}$. \begin{proof} $d_e$ is the Hamming distance. We will prove that $d_s$ is a distance -too, thus $d$, as being the sum of two distances, will also be a distance. +too, thus $d$, being the sum of two distances, will also be a distance. \begin{itemize} \item Obviously, $d_s(S,\check{S})\geqslant 0$, and if $S=\check{S}$, then $d_s(S,\check{S})=0$. Conversely, if $d_s(S,\check{S})=0$, then @@ -982,7 +982,7 @@ where $(s^0,s^1, \hdots)$ is the strategy of $Y$, satisfies the properties claimed in the lemma. \end{proof} -We can now prove the Theorem~\ref{t:chaos des general}. +We can now prove Theorem~\ref{t:chaos des general}. \begin{proof}[Theorem~\ref{t:chaos des general}] Firstly, strong transitivity implies transitivity. @@ -1431,7 +1431,7 @@ In order to take benefits from the computing power of GPU, a program needs to have independent blocks of threads that can be computed simultaneously. In general, the larger the number of threads is, the more local memory is used, and the less branching instructions are -used (if, while, ...), the better the performances on GPU is. +used (if, while, ...), the better the performances on GPU are. Obviously, having these requirements in mind, it is possible to build a program similar to the one presented in Listing \ref{algo:seqCIPRNG}, which computes pseudorandom numbers on GPU. To @@ -1445,14 +1445,14 @@ called {\it kernels}. \subsection{Naive Version for GPU} -It is possible to deduce from the CPU version a quite similar version adapted to GPU. +It is possible to deduce from the CPU version a fairly similar version adapted to GPU. The simple principle consists in making each thread of the GPU computing the CPU version of our PRNG. Of course, the three xor-like PRNGs used in these computations must have different parameters. In a given thread, these parameters are randomly picked from another PRNGs. The initialization stage is performed by the CPU. -To do it, the ISAAC PRNG~\cite{Jenkins96} is used to set all the +To do so, the ISAAC PRNG~\cite{Jenkins96} is used to set all the parameters embedded into each thread. The implementation of the three @@ -1516,7 +1516,7 @@ for all the different nodes involved in the computation. \subsection{Improved Version for GPU} -As GPU cards using CUDA have shared memory between threads of the same block, it +As GPU cards using CUDA have a shared memory between threads of the same block, it is possible to use this feature in order to simplify the previous algorithm, i.e., to use less than 3 xor-like PRNGs. The solution consists in computing only one xor-like PRNG by thread, saving it into the shared memory, and then to use the results @@ -1577,7 +1577,7 @@ To be certain that we are in the framework of Theorem~\ref{t:chaos des general}, we must guarantee that this dynamical system iterates on the space $\mathcal{X} = \mathcal{P}\left(\llbracket 1, \mathsf{N} \rrbracket\right)^\mathds{N}\times\mathds{B}^\mathsf{N}$. The left term $x$ obviously belongs to $\mathds{B}^ \mathsf{N}$. -To prevent from any flaws of chaotic properties, we must check that the right +To prevent any flaws of chaotic properties, we must check that the right term (the last $t$), corresponding to the strategies, can possibly be equal to any integer of $\llbracket 1, \mathsf{N} \rrbracket$. @@ -1618,7 +1618,7 @@ per second is almost constant. With the naive version, this value ranges from 3GSamples/s. With the optimized version, it is approximately equal to 20GSamples/s. Finally we can remark that both GPU cards are quite similar, but in practice, the Tesla C1060 has more memory than the GTX 280, and this memory -should be of better quality. +is of better quality. As a comparison, Listing~\ref{algo:seqCIPRNG} leads to the generation of about 138MSample/s when using one core of the Xeon E5530. @@ -1654,7 +1654,7 @@ generate a very large quantity of pseudorandom numbers statistically perfect wi To a certain extend, it is also the case with the secure BBS-based version, the speed deflation being explained by the fact that the former version has ``only'' chaotic properties and statistical perfection, whereas the latter is also cryptographically secure, -as it is shown in the next sections. +as shown in the next sections. @@ -1873,7 +1873,7 @@ integer. A direct numerical application shows that this attacker -cannot achieve its $(10^{12},0.2)$ distinguishing +cannot achieve his/her $(10^{12},0.2)$ distinguishing attack in that context. @@ -1896,8 +1896,8 @@ very slow and only usable for cryptographic applications. The modulus operation is the most time consuming operation for current GPU cards. So in order to obtain quite reasonable performances, it is required to use only modulus on 32-bits integer numbers. Consequently -$x_n^2$ need to be lesser than $2^{32}$, and thus the number $M$ must be -lesser than $2^{16}$. So in practice we can choose prime numbers around +$x_n^2$ need to be inferior than $2^{32}$, and thus the number $M$ must be +inferior than $2^{16}$. So in practice we can choose prime numbers around 256 that are congruent to 3 modulus 4. With 32-bits numbers, only the 4 least significant bits of $x_n$ can be chosen (the maximum number of indistinguishable bits is lesser than or equals to @@ -2029,7 +2029,7 @@ proposed parameters, or if it is only a very fast and statistically perfect generator on GPU, its $(T,\varepsilon)-$security must be determined, and a formulation similar to Eq.\eqref{mesureConcrete} -must be established. Authors +must be established. The authors hope to achieve this difficult task in a future work. @@ -2115,7 +2115,7 @@ have shown that a very large quantity of pseudorandom numbers can be generated p namely the BigCrush. Furthermore, we have shown that when the inputted generator is cryptographically secure, then it is the case too for the PRNG we propose, thus leading to -the possibility to develop fast and secure PRNGs using the GPU architecture. +the possibility of developping fast and secure PRNGs using the GPU architecture. An improvement of the Blum-Goldwasser cryptosystem, making it behave chaotically, has finally been proposed. -- 2.39.5