Blum Blum Shub

Last updated January 20, 2025

Blum Blum Shub (B.B.S.) is a pseudorandom number generator proposed in 1986 by Lenore Blum, Manuel Blum and Michael Shub ^[1] that is derived from Michael O. Rabin's one-way function. Blum Blum Shub takes the form

Security

There is a proof reducing its security to the computational difficulty of factoring.^[1] When the primes are chosen appropriately, and O(log log M) lower-order bits of each x_n are output, then in the limit as M grows large, distinguishing the output bits from random should be at least as difficult as solving the quadratic residuosity problem modulo M.

The performance of the BBS random-number generator depends on the size of the modulus M and the number of bits per iteration j. While lowering M or increasing j makes the algorithm faster, doing so also reduces the security. A 2005 paper gives concrete, as opposed to asymptotic, security proof of BBS, for a given M and j. The result can also be used to guide choices of the two numbers by balancing expected security against computational cost.^[2]

Example

Let $p=11$ , $q=23$ and $s=3$ (where $s$ is the seed). We can expect to get a large cycle length for those small numbers, because ${\rm {gcd}}((p-3)/2,(q-3)/2)=2$ . The generator starts to evaluate $x_{0}$ by using $x_{-1}=s$ and creates the sequence $x_{0}$ , $x_{1}$ , $x_{2}$ , $\ldots$ $x_{5}$ = 9, 81, 236, 36, 31, 202. The following table shows the output (in bits) for the different bit selection methods used to determine the output.

Parity bit	Least significant bit
0 1 1 0 1 0	1 1 0 0 1 0

The following is a Python implementation that does check for primality.

importsympydefblum_blum_shub(p1,p2,seed,iterations):assertp1%4==3assertp2%4==3assertsympy.isprime(p1//2)assertsympy.isprime(p2//2)n=p1*p2numbers=[]for_inrange(iterations):seed=(seed**2)%nifseedinnumbers:print(f"The RNG has fallen into a loop at {len(numbers)} steps")returnnumbersnumbers.append(seed)returnnumbersprint(blum_blum_shub(11,23,3,100))

The following Common Lisp implementation provides a simple demonstration of the generator, in particular regarding the three bit selection methods. It is important to note that the requirements imposed upon the parameters p, q and s (seed) are not checked.

(defunget-number-of-1-bits(bits)"Returns the number of 1-valued bits in the integer-encoded BITS."(declare(type(integer0*)bits))(the(integer0*)(logcountbits)))(defunget-even-parity-bit(bits)"Returns the even parity bit of the integer-encoded BITS."(declare(type(integer0*)bits))(thebit(mod(get-number-of-1-bitsbits)2)))(defunget-least-significant-bit(bits)"Returns the least significant bit of the integer-encoded BITS."(declare(type(integer0*)bits))(thebit(ldb(byte10)bits)))(defunmake-blum-blum-shub(&key(p11)(q23)(s3))"Returns a function of no arguments which represents a simple   Blum-Blum-Shub pseudorandom number generator, configured to use the   generator parameters P, Q, and S (seed), and returning three values:   (1) the number x[n+1],   (2) the even parity bit of the number,   (3) the least significant bit of the number.   ---   Please note that the parameters P, Q, and S are not checked in   accordance to the conditions described in the article."(declare(type(integer0*)pqs))(let((M(*pq));; M  = p * q(x[n]s));; x0 = seed(declare(type(integer0*)Mx[n]))#'(lambda();; x[n+1] = x[n]^2 mod M(let((x[n+1](mod(*x[n]x[n])M)))(declare(type(integer0*)x[n+1]));; Compute the random bit(s) based on x[n+1].(let((even-parity-bit(get-even-parity-bitx[n+1]))(least-significant-bit(get-least-significant-bitx[n+1])))(declare(typebiteven-parity-bit))(declare(typebitleast-significant-bit));; Update the state such that x[n+1] becomes the new x[n].(setfx[n]x[n+1])(valuesx[n+1]even-parity-bitleast-significant-bit))))));; Print the exemplary outputs.(let((bbs(make-blum-blum-shub:p11:q23:s3)))(declare(type(function()(values(integer0*)bitbit))bbs))(formatT"~&Keys: E = even parity, L = least significant")(formatT"~2%")(formatT"~&x[n+1] | E | L")(formatT"~&--------------")(looprepeat6do(multiple-value-bind(x[n+1]even-parity-bitleast-significant-bit)(funcallbbs)(declare(type(integer0*)x[n+1]))(declare(typebiteven-parity-bit))(declare(typebitleast-significant-bit))(formatT"~&~6d | ~d | ~d"x[n+1]even-parity-bitleast-significant-bit))))

Related Research Articles

The Collatz conjecture is one of the most famous unsolved problems in mathematics. The conjecture asks whether repeating two simple arithmetic operations will eventually transform every positive integer into 1. It concerns sequences of integers in which each term is obtained from the previous term as follows: if a term is even, the next term is one half of it. If a term is odd, the next term is 3 times the previous term plus 1. The conjecture is that these sequences always reach 1, no matter which positive integer is chosen to start the sequence. The conjecture has been shown to hold for all positive integers up to 2.95×10²⁰, but no general proof has been found.

A pseudorandom number generator (PRNG), also known as a deterministic random bit generator (DRBG), is an algorithm for generating a sequence of numbers whose properties approximate the properties of sequences of random numbers. The PRNG-generated sequence is not truly random, because it is completely determined by an initial value, called the PRNG's seed. Although sequences that are closer to truly random can be generated using hardware random number generators, pseudorandom number generators are important in practice for their speed in number generation and their reproducibility.

A linear congruential generator (LCG) is an algorithm that yields a sequence of pseudo-randomized numbers calculated with a discontinuous piecewise linear equation. The method represents one of the oldest and best-known pseudorandom number generator algorithms. The theory behind them is relatively easy to understand, and they are easily implemented and fast, especially on computer hardware which can provide modular arithmetic by storage-bit truncation.

A cryptographically secure pseudorandom number generator (CSPRNG) or cryptographic pseudorandom number generator (CPRNG) is a pseudorandom number generator (PRNG) with properties that make it suitable for use in cryptography. It is also referred to as a cryptographic random number generator (CRNG).

The Rabin cryptosystem is a family of public-key encryption schemes based on a trapdoor function whose security, like that of RSA, is related to the difficulty of integer factorization.

In modular arithmetic computation, Montgomery modular multiplication, more commonly referred to as Montgomery multiplication, is a method for performing fast modular multiplication. It was introduced in 1985 by the American mathematician Peter L. Montgomery.

<span class="mw-page-title-main">Inversive congruential generator</span>

Inversive congruential generators are a type of nonlinear congruential pseudorandom number generator, which use the modular multiplicative inverse to generate the next number in a sequence. The standard formula for an inversive congruential generator, modulo some prime q is:

In computational number theory, the index calculus algorithm is a probabilistic algorithm for computing discrete logarithms. Dedicated to the discrete logarithm in $where is a prime, index calculus leads to a family of algorithms adapted to finite fields and to some families of elliptic curves. The algorithm collects relations among the discrete logarithms of small primes, computes them by a linear algebra procedure and finally expresses the desired discrete logarithm with respect to the discrete logarithms of small primes.$

In additive number theory, Fermat's theorem on sums of two squares states that an odd prime p can be expressed as:

The Goldwasser–Micali (GM) cryptosystem is an asymmetric key encryption algorithm developed by Shafi Goldwasser and Silvio Micali in 1982. GM has the distinction of being the first probabilistic public-key encryption scheme which is provably secure under standard cryptographic assumptions. However, it is not an efficient cryptosystem, as ciphertexts may be several hundred times larger than the initial plaintext. To prove the security properties of the cryptosystem, Goldwasser and Micali proposed the widely used definition of semantic security.

The Blum–Goldwasser (BG) cryptosystem is an asymmetric key encryption algorithm proposed by Manuel Blum and Shafi Goldwasser in 1984. Blum–Goldwasser is a probabilistic, semantically secure cryptosystem with a constant-size ciphertext expansion. The encryption algorithm implements an XOR-based stream cipher using the Blum-Blum-Shub (BBS) pseudo-random number generator to generate the keystream. Decryption is accomplished by manipulating the final state of the BBS generator using the private key, in order to find the initial seed and reconstruct the keystream.

In mathematics and computing, universal hashing refers to selecting a hash function at random from a family of hash functions with a certain mathematical property. This guarantees a low number of collisions in expectation, even if the data is chosen by an adversary. Many universal families are known, and their evaluation is often very efficient. Universal hashing has numerous uses in computer science, for example in implementations of hash tables, randomized algorithms, and cryptography.

GPS signals are broadcast by Global Positioning System satellites to enable satellite navigation. Using these signals, receivers on or near the Earth's surface can determine Position, Velocity and Time (PVT) of the receiver. The GPS satellite constellation is operated by the 2nd Space Operations Squadron (2SOPS) of Space Delta 8, United States Space Force.

The cyclic redundancy check (CRC) is a check of the remainder after division in the ring of polynomials over GF(2). That is, the set of polynomials where each coefficient is either zero or one, and arithmetic operations wrap around.

In computer science, multiply-with-carry (MWC) is a method invented by George Marsaglia for generating sequences of random integers based on an initial set from two to many thousands of randomly chosen seed values. The main advantages of the MWC method are that it invokes simple computer integer arithmetic and leads to very fast generation of sequences of random numbers with immense periods, ranging from around $to .$

The Lehmer random number generator, sometimes also referred to as the Park–Miller random number generator, is a type of linear congruential generator (LCG) that operates in multiplicative group of integers modulo n. The general formula is

The Blum–Micali algorithm is a cryptographically secure pseudorandom number generator. The algorithm gets its security from the difficulty of computing discrete logarithms.

In sequence design, a Feedback with Carry Shift Register is the arithmetic or with carry analog of a linear-feedback shift register (LFSR). If $is an integer, then an N -ary FCSR of length is a finite state device with a state consisting of a vector of elements in and an integer . The state change operation is determined by a set of coefficients and is defined as follows: compute . Express s as with in . Then the new state is . By iterating the state change an FCSR generates an infinite, eventually periodic sequence of numbers in .$

In cryptography, Very Smooth Hash (VSH) is a provably secure cryptographic hash function invented in 2005 by Scott Contini, Arjen Lenstra, and Ron Steinfeld. Provably secure means that finding collisions is as difficult as some known hard mathematical problem. Unlike other provably secure collision-resistant hashes, VSH is efficient and usable in practice. Asymptotically, it only requires a single multiplication per $log(n)$ message-bits and uses RSA-type arithmetic. Therefore, VSH can be useful in embedded environments where code space is limited.

Badger is a message authentication code (MAC) based on the idea of universal hashing and was developed by Boesgaard, Scavenius, Pedersen, Christensen, and Zenner. It is constructed by strengthening the ∆-universal hash family MMH using an ϵ-almost strongly universal (ASU) hash function family after the application of ENH, where the value of ϵ is $. Since Badger is a MAC function based on the universal hash function approach, the conditions needed for the security of Badger are the same as those for other universal hash functions such as UMAC.$

References

Citations

1 2 Blum, Blum & Shub 1986, pp. 364–383.
↑ Sidorenko, Andrey; Schoenmakers, Berry (2005). "Concrete Security of the Blum-Blum-Shub Pseudorandom Generator". Cryptography and Coding. Lecture Notes in Computer Science. Vol. 3796. pp. 355–375. doi:10.1007/11586821_24. ISBN 978-3-540-30276-6.

Sources

Blum, Lenore; Blum, Manuel; Shub, Michael (1983). "Comparison of Two Pseudo-Random Number Generators". Advances in Cryptology. Boston, MA: Springer US. pp. 61–78. doi:10.1007/978-1-4757-0602-4_6. ISBN 978-1-4757-0604-8.
Blum, L.; Blum, M.; Shub, M. (1986). "A Simple Unpredictable Pseudo-Random Number Generator" (PDF). SIAM Journal on Computing. 15 (2). Society for Industrial & Applied Mathematics (SIAM): 364–383. doi:10.1137/0215025. ISSN 0097-5397. Archived (PDF) from the original on 2021-08-14.
Geisler, Martin; Krøigård, Mikkel; Danielsen, Andreas (December 2004), About Random Bits (PDF), CiteSeerX 10.1.1.90.3779 , archived (PDF) from the original on 2016-03-31

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[FOOTNOTEBlumBlumShub1986364–383-1] 1 2 Blum, Blum & Shub 1986, pp. 364–383.

[2] Sidorenko, Andrey; Schoenmakers, Berry (2005). "Concrete Security of the Blum-Blum-Shub Pseudorandom Generator". Cryptography and Coding. Lecture Notes in Computer Science. Vol. 3796. pp. 355–375. doi:10.1007/11586821_24. ISBN 978-3-540-30276-6.

[1]

[2]