JP6678958B2 - Pseudo-random number generation device and pseudo-random number generation program - Google Patents

Description

  The present invention relates to a pseudo random number generation device and a pseudo random number generation program in which it is difficult to estimate seed information such as an initial mapping value and a parameter sequence from a generated pseudo random number. The present invention belongs to a pseudo-random number generation method that obtains a random number using random data obtained by repeating chaotic maps.

  Conventionally, many pseudorandom number generation methods and encryption methods based on chaotic maps have been proposed. As the pseudo-random number generation method and the encryption method, there are various realization methods depending on the difference in the way of thinking / how to apply the characteristics of chaos.

  The above-mentioned pseudo-random number generation method based on the chaotic map has a short history as compared with the pseudo-random number generation method and the encryption method which are generally used today. The inventors of the present invention solve the problem that occurs when a chaotic map is implemented in a computer (digital computer) of finite precision, and are defined by, for example, NIST (National Institute of Standards and Technology). Pass the A. Rukhin. And et al, “A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications,” NIST, Special Publication 800-22 Revision1A, April 2010. In terms of "statistical evaluation", the initial goal was to obtain good random numbers.

  Pseudo-random number generation methods that can obtain good evaluation results from a statistical aspect include, for example, Patent Document 1, Patent Document 2, Patent Document 3, Patent Document 4, Patent Document 5, Patent Document 6, Patent Document 6, Patent Document. 7, Patent Document 8, Non-Patent Document 1, and Non-Patent Document 2 can be cited. Further, although the structure is slightly different, the pseudo random number generation method using the repetition of the chaotic mapping can also include those described in Non-Patent Documents 3, 4, 5, 6, and 7.

FIG. 1 shows a rudimentary method (hereinafter referred to as a rudimentary method) having the simplest configuration among the methods belonging to the pseudo random number generation based on the chaotic mapping. In this elementary method, a seed s and a desired random bit string length n are input in the initialization unit S11, an initial value x ₀ is obtained from the seed s, a parameter value a is obtained from the seed s, and a counter value i is obtained. Set to 0. In the next count-up unit S12, the counter value i is incremented by 1.

Further, in the next mapping calculation unit S13, the mapping value x _i is updated using the mapping f _a of the parameter value a (mapping itself / iterative mapping), and in the next random bit extraction unit S14, for each mapping. Bits at arbitrary predetermined positions of x _i are extracted to obtain a pseudo random bit string b = {b ₁ , b ₂ , ..., B _n }.

  Further, the end determination unit S15 determines whether the counter value i becomes n. If i <n, the process returns to the count-up unit S12 and continues the processing. On the other hand, when the counter value i becomes n in the end determination unit S15, the process ends and the process ends.

  Next, characteristics of the “pseudo-random number generator” in the methods disclosed in Patent Documents 1 to 8 and Non-Patent Documents 1 and 2 will be described.

While the random bit extraction unit of the elementary method has a configuration for extracting one specific bit from the mapping value x _i , in Reference 2, a plurality of thresholds are provided and a plurality of bits (bit string) are provided from the mapping value x _i. A method of obtaining these and finally combining them (exclusive OR) is shown (Patent Document 1 FIG. 9). In Patent Document 1, this improves the randomness.

  Patent Document 2 discloses a method of combining (exclusive OR) the outputs of a plurality of chaotic maps (the elementary method and the method shown in Patent Document 1) (Patent Document 2 FIG. 16). In Patent Document 2, this can improve randomness.

Patent Document 3 discloses securing a register size in which a high-order numerical value is stored larger than a register size in which a low-order numerical value is stored in a portion corresponding to a rudimentary method mapping calculation unit. There is. For example, it is disclosed to secure a large memory space for storing a square x ² of a certain numerical value x. Furthermore, Patent Document 3 discloses an arithmetic method corresponding to the above (Patent Document 3 FIG. 1). In Patent Document 3, this causes a fundamental problem in implementing a chaotic map on a computer such as a finite precision digital computer (for example, a problem that degeneration of adjacent trajectories caused by digit rounding causes a short period). Can be avoided at a predetermined level, and the random number can have a long period.

  Patent Document 4 discloses a device in which a means for applying a one-way function is further added to the output of the portion corresponding to the random bit extraction unit of the elementary method (Patent Document 4 FIG. 1). As a result, in Patent Document 4, the randomness is improved.

Patent Documents 5 and 6 and Non-Patent Documents 1 and 2 disclose that the means for changing the internal state is added to the elementary method. That is, as shown in FIG. 2, the internal state changing unit S21 is executed between the random bit extracting unit S14 and the end determining unit S15 in the flowchart of the elementary method shown in FIG. In the internal state changing unit S21, as an example, the parameter value a is updated with the original parameter value a and the seed s, and the mapping value x _i is updated with the original mapping value x _i and the seed s. As a result, the short-period problem similar to that described above is solved, and it becomes possible to use values other than commonly used parameter values (the state space that can be handled is dramatically expanded). Furthermore, according to the methods described in Patent Documents 5 and 6 and Non-Patent Documents 1 and 2, it is possible to obtain high-quality random numbers. "Taka Iwano, Manabu Kaneda, Hidetoshi Okutomi," Regarding the effect of parameter fluctuation on random number generation, "2007 Cryptography and Information Security Symposium (SCIS2007), 3E2-5, January 2007" (Reference 2), "Takashi Iwano, Manabu Kaneda, Hidetoshi Okutomi," Using one-dimensional mapping On the effect of variable parameters on pseudo-random number generation, "Technical Report, Vol.106, No.596, ISEC2006-123, pp.47-51, March 2007" (Reference 3), "Takashi Iwano, Manabu Kaneda, Hidetoshi Okutomi. , “On the effect of internal state fluctuation in pseudo-random number generation using tent-type mapping,” 2008 Cryptography and Information Security Symposium (SCIS2008), 2A2-4, January 2008, is shown (Reference 4).

  The above-mentioned “generally used parameters” means that the control parameter 2 is used in the tent map and the control parameter 4 is used in the logistic map. It has been found that when parameters other than these are used, the distribution of mapping values is biased.

  In Patent Document 7, a plurality of mapping values (initial values) are prepared to be a vector, a plurality of mappings are prepared to be a matrix, and after mapping is performed by vector calculation (matrix calculation), A pseudo-random number generation method using a method of rotating a vector is shown (Patent Document 7, FIG. 1). This method is equivalent to preparing a plurality of elementary methods and replacing each mapping value after mapping. In Patent Document 7, this improves the randomness.

The random bit extraction unit of the elementary method extracts one specific bit from the mapping value x _i , whereas Patent Document 8 is limited to the case of using the logistic mapping when the control parameter is 4, but the mapping is performed. Intermediate stage of calculation of the value x _i (assumed to be N bits), that is, the portion corresponding to the right side of x _i = 4x _i−1 (1-x _i−1 ) temporarily becomes 2N bits, and therefore, that stage Discloses a method of performing an exclusive OR operation on upper and lower N bits to efficiently obtain a random number.

  However, when implementing the above elementary method with limited arithmetic accuracy, "S. Araki, T. Miyazaki, and S. Uehara," Analysis for Pseudorandom Number Generators Using Logistic Map ", Proc. Of 2006 International Symposium on Information Theory and its Applications, 2006. "(Reference 5))," S. Araki, T. Miyazaki, S. Uehara and K. Kakizaki, "A Study on Precision of Pseudorandom Number Generators Using the Logistic Map," Proc. of 2012 International Symposium on Information Theory and its Applications, 2012, pp. 740-744, 2012. ”(Reference 6),“ Shunsuke Araki, Takeshi Miyazaki, Satoshi Uehara, Kenichi Hirezaki, “Using integer tent maps A Study on Pseudo Random Number Generator, "Symposium on Cryptography and Information Security 2013 (SCIS2013), 2F3-4, January 2013." (Reference 7), Pseudo Random Bit Sequence with sufficiently good statistical aspect Can't get When the logistic map is used, at least 53 bits or more are required as shown in the documents 5 and 6, and when the tent map is used, at least the operation precision far exceeding that of today's computers is required. "Hidetoshi Okutomi, Katsuhiro Nakamura," A Method for Estimating Initial Values of Pseudo Random Bit Sequences Obtained from Tent-type Mapping, "IEICE Transactions VOL.J92-A, No.7, pp.487-497, July 2009. (Reference 8).

  What is common to the conventional methods shown in Patent Documents 1 to 8 and Non-Patent Documents 1 to 7 is to use a sequence obtained by iterative calculation of chaotic mapping. Among them, the method of extracting the most significant bit of the mapping value for each mapping to configure the pseudo random bit string is known to be able to infer a part of the seed information used for generating the pseudo random bit string. "Kenji Okuma, Kouichi Sakurai," Cryptographic security of chaotic pseudorandom sequences based on one-dimensional mapping, "1999 Cryptography and Information Security Symposium (SCIS'99), A-7-1, 1999." (Reference 9), "E.Alvarez, H.Montoya, M.Romera, G.pastor," Gray codes and 1D quadratic maps, "Electronics Letters 34 (1998) 1304-1306." (Reference 10), "Cusick TW," Gray codes and the symbolic dynamics of quadratic maps, "Electronic Letters 35 (1999) 468-469." (Reference 11), "E.Alvarez, H.Montoya, M.Romera, G.pastor," Cryptanalysis of a chaotic encryption. system, "Physics Letters A276 (2000) 191-196." (Reference 12), "E. Alvarez, H. Montoya, M. Romera, G. pastor," Cryptanalysis of an ergodic h. aotic cypher, "Physics Letters A311 (2003) 172-179." (Reference 13), "Xiaogang Wu, Hanping Hu, Baoliang Zhag," Parameter estimation only from the symbolic sequences generated by chaos system, "Chaos, Solitons and Fractals 22. (2004) 359-366. ”(Reference 14),“ Hidetoshi Okutomi, Takashi Iwano, Katsuhiro Nakamura, “A method for estimating initial value of pseudo-random bit sequence obtained from first-order nonlinear mapping,” 30th Information Theory and Its application symposium (SITA2007), 2.3, November 2007. ”(Ref. 15),“ Hidetoshi Okutomi, Takashi Iwano, Katsuhiro Nakamura, “Inference method of initial value of random bit sequence obtained from tent-type mapping,” 2008 Cryptography and Information Security Symposium (SCIS2008), 2A2-1, January 2008. ”(Reference 16),“ Hidetoshi Okutomi, Katsuhiro Nakamura, “A Study on Parameter Estimation Method for Pseudo Random Bit Sequences Obtained from Tent Mapping,” 2010 Cryptography and Information Security Symposium (SCIS2 010), 2D1-2, January 2010. "(Reference 17).

Regarding the elementary method, the initial values used to generate the pseudo-random bit string b = {b ₁ , b ₂ , ..., B _n } using the attack methods shown in the above-mentioned documents 8 to 17. It is possible to obtain more efficiently than brute force attacking part or all of x ₀ and the parameter value a.

  The above-mentioned attack refers to the act of trying to obtain seed information used to generate the random number sequence when the pseudo random number sequence generated from the pseudo random number generation method is used as known information. , Means for achieving it (here, mathematical means or calculation algorithm).

  The above-mentioned conventional method is mainly aimed at obtaining a good pseudo-random number sequence in the statistical aspect. However, as long as these conventional methods are used in the computer simulation field, there is no problem in considering the use in the information security field, in addition to providing statistically good random numbers, at least against known attack methods. It will be necessary to take measures against it.

JP, 9-116533, A JP, 9-288565, A JP-A-9-292978 JP, 10-2078, A JP 2001-285277 A JP, 2004-266495, A JP 2007-26447 A JP, 2009-129432, A

Hidetoshi Okutomi, Katsuhiro Nakamura, "Pseudo-random number generation method using parameter-variable nonlinear mapping based on integer arithmetic and its evaluation," SITA2003, 8.1, November 2003. Hidetoshi OKUTOMI, Katsuhiro NAKAMURA, “Pseudo Random Number Generation Method based on Nonlinear Integer Mapping with Parameters Variable and its Randomness Evaluation,” 2004 International Symposium on Information Theory and its Applications (ISITA2004), paper # 358, October 2004. S. Phatak, and S. Rao, “Logistic map: A possible random number generator,” Phys. Rev. E, Vol.51, No. 4, pp.3670-3678, 1995. M.S.Baptista, “Cryptography with chaos,” Physics Letters A240 (1998) 50-54. E. Alvarez, A, Fernandez, P. Garcia, J. Jimenez, A. Marcano, “New approach to chaotic encryption,” Physics Letters A263 (1999) 373-375. Wai-kit Wong, Lap-piu Lee, Kwok-wo Wong, “A modi_ed chaotic cryptographic method,” Computer Physics Communications 138 (2001) 234 {236. G. Jakimov, L. Kocarev, "Chaos and Cryptography: Block Encryption Cipher Based on Chaotic Maps," IEEE Transactions on Circuits and Systems-I: Fundamental Theory and Applications, Vol.49, No.2, February 2001.

  The present invention has been made in view of the present situation in pseudo-random number generation as described above, and an object thereof is a statistically good pseudo-random number (pseudo-random number) equivalent to the pseudo-random number generation method based on the conventionally proposed chaotic mapping. (EN) A pseudo random number generation device and a pseudo random number generation program capable of generating a random bit string. Along with this, a pseudo-random number generation device equipped with means for making it difficult to infer the initial mapping value used for generating the pseudo-random bit string, the seed-related value such as the parameter string, from the output pseudo-random bit string, The purpose is to provide a pseudo-random number generator.

The pseudo-random number generation device according to the present invention performs a pre-stage mapping calculation unit that performs a pre-stage mapping calculation based on a parameter sequence and a mapping value, and a mapping calculation that is different from the pre-stage mapping calculation based on the calculation result by the pre-stage mapping calculation unit. and a subsequent mapping calculation means for returning to the pre-stage mapping calculation means results, the mapping operation by the loop of the subsequent mapping calculating means and the front mapping calculation means a pseudo-random number generator repeated predetermined times, the front mapping calculations Extraction means for extracting the original data which is a part of the output random bit string based on the calculation result by the means, and bit calculation means for selectively executing a predetermined process based on the original data and calculating a part of the output random bit string Be equipped with
The extraction means is for extracting reference data to be referred to when selecting a predetermined process executed by the bit calculation means, and is composed of an output random bit string based on a calculation result obtained from the pre-stage mapping calculation means. It is characterized by generating random numbers.

  In the pseudo random number generation device according to the present invention, the bit calculation means has a selection means for selecting a part of the original data, and determines whether or not the selection means executes selection based on the reference data, When performing the selection by the selection means, it is characterized in that which bit of the original data is selected based on the reference data.

  In the pseudo-random number generating device according to the present invention, the bit calculating means includes a transposing means for performing a transposing operation on the bit selected by the selecting means, and determines whether to perform the transposing by the transposing means based on the reference data. It is characterized by performing.

  In the pseudo-random number generation device according to the present invention, the transposing unit has a plurality of transposition operation units, and determines which of the plurality of transposition operation units is used to perform the transposition based on the reference data. Characterize.

  The pseudo-random number generator according to the present invention has a holding means for temporarily holding the bit string of the transposition result by the transposing means, and when the holding means holds the bit string of a predetermined length, the holding means holds the bit string. It is characterized in that the bit string is output as an output random bit string.

  In the pseudo-random number generation device according to the present invention, the latter-stage mapping calculation means is provided with a plurality of mapping calculation units, and it is possible to determine which of the plurality of mapping calculation units is used to perform the mapping based on the reference data. It is characterized by performing.

  In the pseudo-random number generator according to the present invention, the internal state changing means for receiving the calculation result of the latter-stage mapping calculating means and changing the parameter used by the former-stage mapping calculating means, wherein the internal-state changing means includes the reference data It is characterized in that whether or not to change the parameter used by the pre-stage mapping calculation means is determined based on the above.

  In the pseudo random number generation device according to the present invention, the front-stage mapping calculation means is characterized in that a plurality of mapping calculation units that respectively perform different mapping calculations are connected in cascade.

  In the pseudo-random number generation device according to the present invention, the latter-stage mapping calculation means is characterized by integerizing the mapping result by the former-stage mapping calculation means.

  The pseudo-random number generation device according to the present invention includes a preprocessing unit for generating an initial value including at least an initial mapping value and an initial parameter sequence to be given to the pre-stage mapping calculation means at the start of processing. It is characterized by

A pseudo-random number generation program according to the present invention includes a computer that performs pseudo-random number generation, a pre-stage mapping calculation unit that performs a pre-stage mapping calculation based on a parameter sequence and a mapping value, and a pre-stage mapping calculation based on a calculation result by the pre-stage mapping calculation unit. A different mapping calculation is performed, and the calculation result is returned to the front-stage mapping calculation means to function as a rear-stage mapping calculation means, and the computer loops the front-stage mapping calculation means and the rear-stage mapping calculation means to repeat the mapping calculation a predetermined number of times. Extracting means for extracting the original data forming a part of the output random bit string based on the calculation result by the pre-stage mapping calculating means, and selecting and executing a predetermined process on the basis of the original data to output random data. The computer is made to function as a bit calculating means for calculating a part of a bit string, and As means, wherein along with features to make so-bit calculation means for extracting the reference data to be referred to when the predetermined processing of the selection to be executed, further the computer, the output random bit sequence based on the calculation results obtained from the preceding stage mapping calculation means It is characterized by causing it to function so as to generate a pseudo-random number constituted by.

  In the pseudo-random number generation program according to the present invention, in the bit calculation means, the computer is caused to function as a selection means for selecting a part of the original data, and whether or not the selection means executes the selection based on the reference data. When performing the selection by the selection means, which bit of the original data is selected based on the reference data is determined.

In the pseudo-random number generation program according to the present invention, in the bit calculation means, the computer is caused to function as a transposition means for performing a transposition operation on the bit selected by the selection means,
It is characterized in that whether or not the transposition is performed by the transposition means is determined based on the reference data.

  In the pseudo-random number generation program according to the present invention, the transposing means causes the computer to function as a plurality of transposition operation units, and which of the plurality of transposition operation units is used to perform the transposition based on the reference data. It is characterized by performing.

  The pseudo-random number generation program according to the present invention has holding means for temporarily holding the bit string of the transposition result by the transposing means, and when the holding means holds a bit string of a predetermined length, the holding means holds the bit string. It is characterized in that the bit string is output as an output random bit string.

  In the pseudo-random number generation program according to the present invention, in the latter-stage mapping calculation means, the computer is caused to function as a plurality of mapping calculation units, and which of the plurality of mapping calculation units is used to perform the mapping based on the reference data. Is characterized in that

  In the pseudo-random number generation program according to the present invention, the computer is caused to function as an internal state changing unit that receives a calculation result of the latter-stage mapping calculating unit and changes a parameter used by the former-stage mapping calculating unit, Is characterized by determining whether or not to change the parameter used by the pre-stage mapping calculation means based on the reference data.

  The pseudo-random number generation program according to the present invention is characterized in that, in the front-stage mapping calculation means, the computer is caused to function so that a plurality of mapping calculation units that respectively perform different mapping calculations are connected in cascade.

  In the pseudo-random number generation program according to the present invention, the latter-stage mapping calculation means is characterized by integerizing the mapping result by the former-stage mapping calculation means.

  In the pseudo-random number generation program according to the present invention, the computer further performs a pre-processing for generating an initial value including at least an initial mapping value and an initial parameter sequence to be given to the pre-stage mapping calculation means at the start of the processing. The feature is that it functions as a section.

  According to the pseudo random number generation device and the pseudo random number generation program of the present invention, it is possible to generate statistically good quality pseudo random numbers (pseudo random bit strings).

  Also, according to the pseudo-random number generation device and the pseudo-random number generation program according to the present invention, from the output pseudo-random bit string, the initial mapping value used in the generation of the pseudo-random bit string, the seed-related value of the parameter string, etc. Guessing can be difficult.

The flowchart which shows the algorithm of the conventional pseudorandom number generation. 9 is a flowchart showing a conventional algorithm for generating pseudo-random numbers, which is an improvement of the conventional example shown in FIG. 1. 6 is a flowchart showing an algorithm for generating pseudo-random numbers of the pseudo-random number generation device and the pseudo-random number generation program according to the embodiment of the present invention. 3 is a flowchart showing a main part algorithm of the pseudo random number generation device and the pseudo random number generation program according to the embodiment of the present invention.

  Hereinafter, a pseudo random number generation device and a pseudo random number generation program according to embodiments of the present invention will be described with reference to the accompanying drawings. In each of the drawings, the same constituents are designated by the same reference numerals, and overlapping description will be omitted. FIG. 3 shows a block diagram of a pseudo random number generation device according to the embodiment of the present invention. FIG. 3 is also a flowchart of the operation of the pseudo random number generation program according to the embodiment of the present invention.

  This pseudo random number generation device includes a front stage mapping calculation unit 201 and a rear stage mapping calculation unit 203. The pre-stage mapping calculation means 201 performs a pre-stage mapping calculation based on the parameter sequence and the mapping value. The pre-stage mapping calculation means 201 may perform a mapping operation composed of operations related to enlargement of the mapping value such as multiplication, addition, left bit shift operation, etc. for calculation of chaotic mapping. The initial parameter sequence and the initial mapping value used for the first pre-stage mapping calculation may be held by the pre-stage mapping calculation means 201, but in the present embodiment, they are generated by the pre-processing unit 101 described later.

  The rear-stage map calculation means 203 performs a map calculation different from the front-stage map calculation based on the calculation result of the front-stage map calculation means 201, and returns the calculation result to the front-stage map calculation means 201. The latter-stage mapping calculation unit 203 performs a mapping operation including operations related to reduction of the mapping value, such as division (operation to obtain a quotient of division), remainder calculation (operation to obtain a remainder of division), and right bit shift operation. can do.

  This pseudo-random number generation device employs a configuration in which a mapping operation by a loop of the preceding stage mapping calculation means 201 and the following stage mapping calculation means 203 is repeated a predetermined number of times. The pseudo random number generation device can generate a pseudo random number composed of the output random bit sequence 802 based on the calculation result obtained from the preceding stage mapping calculation means 201.

  Further, the pseudo random number generation device includes an extraction unit 301 and a bit calculation unit 400. The extraction means 301 extracts the original data 303 which is a part of the output random bit string 802 based on the calculation result by the preceding stage mapping calculation means 201. The bit calculating means 400 selects and executes a predetermined process based on the original data 303 to calculate a part of the output random bit string 802. Further, the extraction unit 301 extracts the reference data 302 to be referred to when selecting the predetermined process executed by the bit calculation unit 400.

  The bit calculation means 400 has a selection means 402 for selecting a part of the original data 303, and the selection determination unit 401 determines whether or not the selection means 402 performs the selection based on the reference data 302. When performing the selection by the selection means 402, it is determined which bit of the original data 303 is selected based on the reference data 302.

  The bit calculating means 400 includes a transposing means 502 which performs a transposing operation on the bit string selected by the selecting means 402, and whether the transposition determining section 501 performs the transposing by the transposing means 502 based on the value of the random bit length counter 404. Whether or not it is determined.

  As shown in FIG. 4, the transposing means 502 has a plurality of transposing operation units 502-1 to 502-u, and the determining unit 500 determines the transposing operation units 502-1 to 502 based on the reference data 302. It is determined which of u is used for transposition.

  A holding unit 503 for temporarily holding the bit string resulting from the transposition by the transposing unit 502 is provided, and when the holding unit 503 holds a bit string of a predetermined length, the bit string held in the holding unit 503 is output as a random bit string 802. Output as.

  In this device, the reference data 302 and the original data 303 are treated as independent data, and part or all of the reference data 302 is not diverted to part or all of the original data 303. A part or the whole of the reference data 302 is not diverted.

  The latter-stage mapping calculation unit 203 is provided with a plurality of mapping calculation units 203-0 to 203- (m-1) that respectively perform different fraction processing, and the latter-stage mapping selection unit 202 uses the plurality of mapping data based on the reference data 302. It is determined which of the mapping calculation units 203-0 to 203- (m-1) is used to perform the mapping. The latter-stage mapping calculation unit 203 may be configured to perform an integer operation on the mapping result of the preceding-stage mapping calculation unit 201.

  The apparatus further includes an internal state changing unit 602. The internal state changing means 602 changes the parameter sequence used by the preceding stage mapping calculating means 201 in response to the calculation result of the latter stage mapping calculating means 203. The internal state changing means 602 determines whether or not to change the parameter sequence used by the pre-stage mapping calculation means 201 in the change determining unit 601 based on the reference data 302. As a result, it is possible to achieve the internal state fluctuation (map function type change) at random timing.

  In FIG. 3, the pre-stage mapping calculation means 201 is one type, but the invention is not limited to this. That is, the pre-stage mapping calculation means 201 may have a configuration in which a plurality of mapping calculation units that respectively perform different mapping calculations are connected in cascade, and the mapping calculation is performed in sequence.

Next, the operation of the pseudo random number generation device shown in FIGS. 3 and 4 will be described. This pseudo random number generation device has a pre-processing unit 101 for generating an initial value to be given to the pre-stage mapping calculation means 201 etc. at the start of processing. The pre-processing unit 101 obtains the seed seed and the pseudo random bit string length n as the input information 801 given to the pseudo random number generation device / pseudo random number generation program in this embodiment,
Initial mapping value: X ₀
The initial parameter _{sequence: a [1] ~a [n} a]
Seed-specific parameters _{column: k a [1] ~k a} [n a]
Parameter change amount column _{102: p a [1] ~p} a [n a]
Generates an initial value composed of
Here, n _a is a system fixed value that means the number of elements of the initial parameter sequence a [], the seed-specific parameter sequence k _a [], and the parameter variation amount sequence p _a [], and a specific embodiment described later. In 1 and 2, n _a = 32. Pre-processing unit 101, the initial mapping value _{X 0} produced in the above was set in the mapping value register 103, and sets the initial parameter sequence _{a [1] ~a [n a} ] in the parameter column register 104.

Furthermore, the preprocessing unit 101
Minimum value of parameter A _min
Maximum value of parameter A _max
Total state of parameter Δ _A
Minimum value of parameter variable B _A
Is set as a predetermined value (constant / fixed value).
Also,
Initial loop counter i = 0,
Initial parameter number j = 1,
Set.

In the above, the seed seed is a seed of random numbers. The random bit string length n is the length of the random bit string to be generated. The parameter change amount column 102 is information unique to the seed seed and is used by the internal state changing unit 602 of the present embodiment. More specifically, the parameter change amount sequence 102 is used as a reference value for changing the parameter sequence in the internal state changing means 602. The initial mapping value X ₀ means the “initial value of the mapping value” regarding the mapping calculation in the front-stage mapping calculation means 201 and the rear-stage mapping calculation means 203. The mapping value is updated by the latter-stage mapping calculation unit 203 and is updated for each loop. The parameter sequence is a sequence of control parameters of the mapping function used in the mapping calculation in the front-stage mapping calculation unit 201 and the rear-stage mapping calculation unit 203. When the variation determination unit 601 returns Yes, the parameter sequence is updated in the internal state variation unit 602 with reference to the parameter variation sequence 102 and the reference data 302, which are information unique to the seed (unlike the mapping value, Not updated every loop). The parameter change amount sequence 102 is information unique to the seed, and gives a part of the change amount when the internal condition variation means 602 varies the parameter sequence.

After the initial value is generated by the preprocessing unit 101, the initial parameter string set in the parameter string register 104 and the initial mapping value X ₀ set in the mapping value register 103 are sent to the pre-stage mapping calculation means 201. Given. Therefore, the pre-stage mapping calculation means 201 performs the pre-stage mapping calculation constituted by the above-described calculation based on the initial parameter sequence and the initial mapping value X ₀ . The result of the pre-stage mapping operation is given to the extraction means 301. The extraction unit 301 extracts a bit string at a predetermined position of the value calculated by the pre-stage mapping calculation unit 201 as the reference data 302, and a bit string at another position as the original data 303, which is stored in two. . The predetermined position when performing bit extraction is preferably a position that allows statistically good extraction of a random bit string. For example, "Shunsuke Araki, Takeshi Miyazaki, Satoshi Uehara," in the range used in the pseudo-random number generator A Study on Logistic Mapping, "Proceedings of the 30th Information Theory and its Application Symposium (SITA2007), 2.1, November 2007." (Reference 18), "Shunsuke Araki, Takeshi Miyazaki, Satoshi Uehara," Used for pseudo random number generators A Consideration on Logistic Map over Integers, "2008 Cryptographic and Information Security Symposium Proceedings (SCIS2008), 2A2-5, January 2008." (Reference 19), "Shunsuke Araki, Takeru Miyazaki, and Satoshi Uehara," A Study on Occurrence Rates per Bit for Outputs of the Logistic Map over Integers, "Proc. of 2008 International Symposium on Information Theory and its Applications, pp.1316-1320, 2008." (Reference 20), "Shunsuke Araki, Take Miyazaki, Uehara. Satoshi, “on integer A Study on Frequency of Occurrence of Each Bit in Logistic Map, "Proceedings of 2009 Symposium on Cryptography and Information Security (SCIS2009), 2F1-3, January 2009." (Reference 21), "Shunsuke Araki, Take Miyazaki, Satoshi Uehara, Akizaki" Kenichi, “Study on bit-wise appearance rate in logistic mapping on integers,” Journal of Japan Society for Applied Mathematics, Vol.25, No.3, pp.191-206, 2015. (Reference 22), etc. A technique can be adopted.

  As is apparent from FIG. 3, the reference data 302 is randomly selected or determined by the selection determination unit 401, the selection unit 402, the transposition unit 502, the post-stage mapping selection unit 202, the variation determination unit 601, and the internal state variation unit 602. Used when doing.

  Further, the reference data 302 is used only for randomly giving transitions of the internal state in the pseudo random number generation algorithm in the internal state changing means 602 and the like, and is not diverted as the random bit string of the original data 303 as described above. As a result, even if the output random bit string 802, which is the final output of the pseudo-random number generator according to the present exemplary embodiment, becomes known, it becomes difficult to estimate and synchronize the internal state, and it is essential to generate the output random bit string 802. It becomes difficult to estimate the seed or the pseudo random bit string length n as the input information 801.

  When the processing by the extraction unit 301 is completed, the selection determination unit 401 is activated. The selection determination unit 401 determines whether to adopt or discard the original data 303 extracted in the current loop in the process of the bit calculation means 400. The determination is made based on the count value of the mapping number counter 603 and the reference data 302. If the determination in the selection determination unit 401 is Yes (adopted), the process proceeds to the selection unit 402, while if the determination is No (discarded), the selection unit 402 that performs a substantial operation in the bit calculation unit 400. The processing of the transposing means 502 is skipped.

  When the determination in the selection determination unit 401 is Yes and the process proceeds to the selection unit 402, a random bit (random bit string) to be output in the loop of the pseudo random number generation according to this embodiment in the original data 303 is selected / Extract. In this selection / extraction, the “adopted bit position” is obtained based on the information of the reference data 302, the bit (bit string) of the “adopted bit position” in the original data 303 is selected and extracted, and the random bit sequence before transposition 403 Is stored in addition to the register.

  The bit string selected by the selection means 402 is sent to the random bit length counter 404. The random bit length counter 404 counts up the number of bits of the transmitted bit string. As a result, the value of the random bit length counter 404 is counted up by the number of bits of the pre-transpose random bit string 403.

  When the count-up of the random bit length counter 404 is completed, the transposition determining unit 501 is activated. The transposition determining unit 501 determines, based on the value of the random bit length counter 404, whether or not the number of bits (sequence length) of the pre-transposition random bit sequence 403 has reached a size for performing transposition processing. The size (bit length) in the case of performing the transposing process is predetermined, and is set by the input information 801, for example. When it is detected that the determination result by the transposition determination unit 501 is Yes (reached the predetermined size), the process of the transposition unit 502 is performed, while it is detected that the determination result is No (the predetermined size is not reached). If so, the processing of the transposing means 502 is skipped.

  When it proceeds to the transposing means 502, the transposing process is performed on the data in which the size (bit length) of the pre-transposing random bit string 403 to be transposed is extracted. In the transposition process, based on the information of the reference data 302, the determination unit 500 shown in FIG. 4 determines which of the plurality of transposition calculation units 502-1 to 502-u is used to perform the transposition. Alternatively, the determination unit 500 obtains the “transposition rule”, performs a predetermined transposition process on the data of the pre-transposition random bit string 403 according to the transposition rule, and causes the holding unit 503 to temporarily hold the bit string of the transposition result.

  When the processing of the transposing means 502 is completed, the output unit 504 is activated. The output unit 504 determines whether or not the transposed random bit string held in the holding unit 503 has reached the output specified bit length, for example, based on the output specified bit length to be output that is set by the input information 801 and is determined in advance. Then, if it has reached, an output command is output and the transposed random bit string held in the holding means 503 is output as the output random bit string 802. Thus, the transposed bit string held by the holding means 503 is output as the output random bit string 802 at a predetermined timing.

  When the processing of the transposing means 502 is completed, the random bit length counter clear 505 that clears the random bit length counter 404 is executed regardless of whether the processing of the output unit 504 is executed.

  If the random bit length counter clear 505 is performed, or if the selection determination unit 401 selects No, or if the transposition determination unit 501 selects No, then the subsequent mapping selection is performed. The unit 202 is activated. The latter-stage mapping selection unit 202 determines which of the plurality of mapping calculation units 203-0 to 203- (m-1) is used to perform the mapping based on the reference data 302.

  Subsequent to the selection by the latter-stage mapping selecting unit 202, a predetermined fraction processing is performed in the selected mapping calculating unit 203-i of the mapping calculating units 203-0 to 203- (m-1) as the latter-stage mapping calculating unit 203. Is carried out. The rounding function may be as shown in Equation 0 below. As for the rounding function, "Takeshi Miyazaki, Shunsuke Araki, Satoshi Uehara," On the property of sequences by logistic maps on integers with different rounding, "2010 Cryptography and Information Security Symposium Proceedings (SCIS2010), 3D3- 1, January 2010. ”(Reference 23),“ Takeru Miyazaki, Shunsuke Araki, Satoshi Uehara, “Rounding Logistic Maps over Integers and the Properties of the Generated Sequences,” Proc. Of the Fifth International Workshop on Signal Design and its Application in Communications, pp. 21-24, 2011. "(Reference 24), and the effect is also described in the same reference.

  After the post-stage mapping calculation means 203 is performed, the mapping value which is the result of the post-stage mapping calculation is stored in place of the mapping value already stored in the mapping value register 103, and the internal state changing means 602 is activated. . The internal state changing means 602 determines whether or not to change the parameter sequence used by the preceding stage mapping calculation means 201 in the variation determining unit 601 based on the reference data 302 and the parameter variation amount sequence 102. Here, if the determination result is Yes (change), the process proceeds to the process of the internal state changing unit 602, while if the determination result is No (does not change), the internal state changing unit 602. Skip the process of.

  In the internal state changing means 602, the parameter sequence is changed, and a new parameter sequence as a result is stored in place of the parameter sequence already stored in the parameter sequence register 104. In this way, the parameter sequence that determines the mapping function form of the chaotic map is changed (displacement is added and updated). As the variation method (how to give the displacement), the parameter sequence of the mapping function used in the current loop (the parameter sequence in the parameter sequence register 104), the mapping value in the mapping value register 103, the parameter variation sequence 102, and It can be calculated based on the reference data 302. After that, the count value of the mapping number counter 603 is incremented, and the process proceeds to the end determination unit 701.

  The end determination unit 701 determines whether or not the generated pseudo random bit string has reached a predetermined length. In the determination, whether or not the bit length of the random bit string 802 has reached the pseudo random bit length n of the input information 801 is compared. Here, when it is detected that the answer is Yes (n is reached / end), the process proceeds to the post-processing unit 702, while when it is detected that it is No (n is not reached / continue). Returns to the former mapping calculation means 201 and continues a series of processing.

  When the processing proceeds to the post-processing unit 702, post-processing such as reset of each register or each unit is performed, and the processing ends (end).

  The following are the cases in which the attack can be achieved most easily (with the least amount of calculation) by using the attack methods shown in the above-mentioned documents 9 to 17 and the attack methods mathematically and technically equivalent to them. . (A) The same mapping function is used from the start to the end of pseudo-random number generation (the internal state is not changed). (B) Extract random bits for output for each mapping. (C) The order of output random bits matches the order of mapping. Compared with the above case, the pseudo random number generation device according to the present embodiment has an attack using the above attack method (guess of internal state, while having high random number performance in the statistical aspect equivalent to the precedent case). It has the effect of making it difficult to guess the seed.

  The pseudo random number generation device according to the present exemplary embodiment includes a variation determination unit 601 and an internal state variation unit 602. The internal state variation unit 602 includes reference data 302 and a parameter variation amount sequence 102 that is seed-specific information. With reference to this, while maintaining the uniqueness of the seed information, the internal state is changed by a random amount of change (the mapping function form is changed), and the fluctuation determining unit 601 refers to the reference data 302 and randomly The configuration is such that the above-mentioned internal state change (map function type change) is achieved at a timing. That is, it has an effect (effect 1) that makes it difficult for the attacker to synchronize the internal state, and particularly makes it difficult to apply the attack method in the case (A).

  The pseudo random number generation device according to the present exemplary embodiment includes a selection determination unit 401 and a selection unit 402, each of which refers to reference data 302 to obtain “adopted bit position”, and “adopts” in original data 303. A bit (bit string) of “bit position” is selectively extracted to obtain a pre-transposition random bit string 403. That is, not all of the random bit strings extracted for each mapping are used as they are as the final output, and thus there is an effect (effect 2) that makes it difficult to apply the attack method in case B above.

  The pseudo random number generation device according to the present exemplary embodiment has a transposing unit 502, and the transposing unit 502 refers to the reference data 302 to obtain the “transposition rule”, and the data of the pre-transposition random bit string 403 is determined by the transposition rule. The transposing process is executed, and the bit string resulting from the transposition is held in the holding unit 503 that temporarily holds the bit string. That is, since the random bit string extracted for each mapping is not output in the mapping order (in the order in which the random bit string is extracted), it is difficult to apply the attack method in the above case C (effect 3). have.

  The random bit string generated by the pseudo random number generation device according to the present embodiment is extracted from the value after the calculation by the pre-stage mapping calculation unit 201, randomizes the selection in various selection units, and before reaching the final output. A process such as receiving a random transposition is performed based on the reference data 302, while a final output candidate of the pseudo random number generation device according to the embodiment is an operation on the original data 303 clearly separated from the reference data 302. It is obtained by two independent random bit strings.

  The reference data 302 is referred to by the variation determination unit 601, the internal state variation unit 602, the selection determination unit 401, the selection unit 402, the transposition unit 502, and the rear-stage mapping selection unit 202, and functions as a source of providing required randomness. And contributes to the above effects 1 to 3. Since this reference data 302 is not used as the original data of the output random bit string 802 which is the final output of the pseudo random number generation device according to the present exemplary embodiment, the random number is output from the final output information of the pseudo random number generation device according to the present exemplary embodiment. The reference data 302 as information about the timing of change is not estimated or predicted. This has the effect of making it difficult to apply various attack methods in addition to the effects 1 to 3 described above.

  Further, the output random bit string 802 is obtained by the calculation of the bit calculating means 400 using the original data 303 obtained from the mapping value enlarged by the pre-stage mapping calculating means 201. Further, the input of the mapping calculation used in the next step by the loop (the mapping value which is the source of the mapping calculation in the next step) is the value obtained by the calculation of the bit calculating means 400, and the mapping as the latter-stage mapping calculating means 203. It is obtained by calculation in the calculation units 203-0 to 203- (m-1) (for example, as a remainder in division or as a bit string truncated by right bit shift). As a result, the input of the pre-stage mapping calculation of the next step (the mapping value which is the source of the mapping calculation in the next step) includes all the information of the output random bit string 802 which is the final output of the pseudo random number generation device according to this embodiment. Since it does not exist, it has the effect of making it difficult to apply various attack methods in addition to the above-mentioned effects 1 to 3.

  The pseudo random number generation device according to the present exemplary embodiment includes a post-stage mapping selection unit 202 and a mapping calculation unit 203-0 to 203- (m-1) as the post-stage mapping calculation unit 203. The latter-stage mapping selection unit 202 employs a configuration that refers to the reference data 302 and randomly selects one of the plurality of mapping calculation units 203-0 to 203- (m-1). This has the effect of increasing the variation of the trajectory, contributing to the increase in the number of patterns of the random bit string, and making it difficult to apply various attack methods.

Specific Embodiment 1
Next, a specific embodiment 1 will be described. The specific embodiment 1 is an example in which a tent map is used. In the first embodiment, an n-bit random bit string (binary sequence of 0 and 1) {bn} is obtained by using a seed (or key) seed having a 512-bit seed length and the random bit string length n as input information 801. is there. In the specific embodiment 1, the calculation precision is 64 bits, and the bit width of the mapping value X is t = 32 bits. In the concrete embodiment 1, the following tent maps which have been converted into integers are used.

To give a finite-precision computer implementation, the mapping is accomplished by combining the tent map F _{T, A} and the fractional processing function G ξ (ξ = 0, 1, ..., 7). That is, it is as shown in the following Expression 2.

In the concrete embodiment 1, the calculation of the mapping by the equation 2 is considered by dividing it into the following pre-stage mapping F ′ _{T, A} and post-stage mapping G ′ _ξ .

The above-mentioned mapping (second stage) G ′ _ξ (X) indicates a function that performs fraction processing after dividing X by M. In particular, when M is a power of 2, that is, when M = 2 ^s , the operation of dividing X by M is the same process as s-bit right shift of X. At this time, the lower s bits of X are truncated. In other words, before X is divided by M (before s-bit right shift of X), the position to be truncated is fixed, and the lower s bits of X correspond to the “truncated bit string”.

  If M is not a power of 2, the portion that is cut off by the operation of dividing X by M is the remainder (remainder portion) of X by M (XModM, Mod (X, M), X% M , Etc.), which is also known, like the operation of dividing X by M. From the above, the original data 303 is the remainder in the division of the mapping calculators 203-0 to 203- (m-1) as the latter mapping calculator 203 among the mapping values expanded by the former mapping calculator 201, or It can be concluded that it is extracted from the bit string that is truncated by right bit shift.

  In the following description of the specific embodiment 1, the following constants are used.

  The operation will be described below assuming that the specific embodiment 1 is realized by the configuration shown in FIG.

  The pre-processing unit 101 receives a 512-bit seed (or key) seed and a random bit string length nεZ, and performs an initial mapping value, an initial parameter string, a seed-specific parameter string, and a parameter change amount string by a predetermined function. 102 is generated as follows.

Seed-specific parameter sequence _{k a [1] ~k a [} 32] divides 512-bit seed seed in 16-bit units, is obtained by storing a total of 32 blocks (16 × 32 = 512). That is, it is as shown in the following Expression 14.

  The parameter strings a [1] to a [32] are stored in the parameter string register 104 and used in the mapping calculation in the pre-stage mapping calculation means 201. In the specific embodiment 1, the following Expression 15 is obtained.

Parameter change amount column _{102 (p a [1] ~p} a [32]) , in the internal state change means 602 is used as a reference value to provide a change in the parameter column a []. In the specific embodiment 1, the following Expression 16 is obtained.

After the processing by the preprocessing unit 101, the calculation by the pre-stage mapping calculation unit 201 is performed. In this pre-stage mapping calculation means 201, the pre-stage mapping shown in Expression 3 is executed to obtain a mapping intermediate value Y. At the start of the pseudo-random number generation algorithm, mapping calculation is performed using the initial mapping value X ₀ generated by the preprocessing unit 101 and stored in the mapping value register 103. Here, assuming that the number of mappings i and the parameter sequence a [j] are selected, the mapping intermediate value Y is as in the following Expression 17.

  The parameter sequence a [] used in the pre-stage mapping calculation means 201 will be described. In the specific embodiment 1, a total of 32 parameters a [1] to a [32] are generated by the preprocessing unit 101 at the start of the pseudorandom number generation algorithm. In the first mapping, the j = 1st parameter, that is, a [1] is used. It is now assumed that the j-th (j = 1, 2, ..., 32) parameter is selected. If the variation determination unit 601 described later determines No (no variation), the same parameter is used again in the next mapping. When it is determined to be Yes (change), the value of a [j] is updated and the increment of j (j = j + 1) is executed by the method described later, and in the next mapping, the next number Parameters are used. However, when j> 32, the process returns to j = 1.

The process by the extraction unit 301 is performed after the pre-stage mapping calculation unit 201. The extraction unit 301 extracts a bit at a predetermined position of the mapping intermediate value Y obtained after the calculation by the pre-stage mapping calculation unit 201, and as reference data 302, r _i [k] and (r _i [k] ε {0, 1 }, K = 1, 2, ..., 17), and as original data 303, r _o [k], (r _o [k] ε {0, 1}, k = 1, 2, ... , 8). In the specific embodiment 1, Y is 64 bits. Consider the array shown in the following Expression 18 in which Y is represented by a binary number. As a result, r _i [k] and r _o [k] become equations 19 and 20.

In the specific embodiment 1, as the reference data 302, the random bit string indicated by r _i [k], (ri [k] ε {0, 1}, k = 1, 2, ..., 17) is It is used as random data that is referred to at a total of six locations including the selection determination unit 401, the selection unit 402, the latter-stage mapping selection unit 202, the transposition unit 502, the variation determination unit 601, and the internal state variation unit 602. The range in which r _i as the reference data 302 is referred to is limited to internal processing of the algorithm, and is not used as a random bit string for external output.

The original data 303 r _o [k] (r _o [k] ε {0, 1}, k = 1, 2, ..., 8) is a random bit string that is an output of the concrete embodiment 1. Is a "candidate". That is, not all of the original data 303, _ro , are adopted.

Following the processing by the extraction means 301, the selection determination unit 401 performs processing. The selection determination unit 401 refers to the data of r _i that is the reference data 302 and determines whether or not to shift to the process of the selection unit 402 that selects a pseudo random number. If r _i [1] = 1 (Yes) in the r _i [k] (k = 1, 2, ..., 17) that is the reference data 302, the process proceeds to the processing of the selection unit 402. On the other hand, if r _i [1] = 0 (No), the process proceeds to the latter-stage mapping selection unit 202.

When the selection determination unit 401 described above determines Yes, the selection unit 402 performs the following processing. The selection unit 402 refers to the data of r _i that is the reference data 302 and selects a random bit (column) to be output to the outside from the data of r _o that is the original data 303. In the present embodiment, with reference to the 8-bit _{r i [2] ~r i [} 9] Among the reference data _{302, r i [k] =} 1 (k = 2,3,4, ···, 9) If (Yes), _ro [k-1] is stored in the register tmp [] as the pre-transposition random bit string 403 which is a valid bit string. On the other hand, if r _i [k] = 0 (k = 2, 3, 4, ..., 9) (No), r _o [k−1] is discarded without being used for any purpose.

  After the processing by the selection means 402, the random bit length counter 404 counts the length of the random bit string selected by the selection means 402 and output to the outside.

  The transposition determining unit 501 operates in response to the count of the random bit length counter 404. The transposition determining unit 501 refers to the data size of the pre-transposition random bit string 403 stored in the register tmp [] and determines whether or not to shift to the processing of the transposing unit 502. In the present embodiment, if the length of the pre-transposition random bit string 403 stored in the register tmp [] has reached 8 bits (Yes), the transposing means 502 proceeds to the processing. On the other hand, if the length of the pre-transposition random bit sequence 403 is less than 8 bits (No), the process proceeds to the post-stage mapping selection unit 202. In the case of shifting to the processing by the transposing means 502, the 8 bits from the beginning of the register tmp [] are moved to the register ref [] and the leading 8 bits of the register tmp [] are erased. Further, the data of the 9th bit onward of the register tmp [] is carried up.

Subsequent to the processing by the transposition determining unit 501, the processing by the transposing means 502 is performed. The transposing means 502 performs a process of rearranging the order of the 8-bit data generated in the above-mentioned register ref [] only when the determination by the transposition determining unit 501 is Yes. In this embodiment, 16 transposition rules of P _{0 to} P ₁₅ are prepared in advance. The four bits of _{r i [10] ~r i [} 13] of the reference data 302, the decimal expansion value ξ = {0,1,2, ···, 15 } is the transpose rule P _xi] corresponding to To be selected. The transposed data is stored in the register OUT [] which is the holding unit 503.

The 16-system transposition rule used in the present embodiment is the mapping t: I → I, (iεI, t (i) εI, I = {1, 2, ..., 8}, t is given as bijection). The mapping t is 8 in total! (8 factorial) There are streets. In the present embodiment, 16 of the 8 factorial streets are selected. Below, the bit transposition table P _ξ that means the ξ (ξ = 0, 1, 2, ..., 15) th mapping t is shown in Table 1 (P _{0 to} P ₇ ) and Table 2 (P ₈ to P ₁₅ ).

  When the processing of the transposing means 502 is completed, the output unit 504 is activated. When the transposed data is stored in the register OUT [] which is the holding unit 503, an output command is output from the output unit 504 at a predetermined timing and the bit string held in the register OUT [] which is the holding unit 503. Is output as an output random bit string 802. As described above, the output unit 504 determines whether or not the transposed random bit string held in the holding unit 503 has reached the specified output bit length, and if so, outputs the output command.

  When the processing of the transposing means 502 is completed, the random bit length counter clear 505 that clears the random bit length counter 404 is executed regardless of whether the processing of the output unit 504 is executed. If the random bit length counter clear 505 is performed, or if the selection determination unit 401 selects No, or if the transposition determination unit 501 selects No, then the subsequent mapping selection unit 202. Is started.

In the latter-stage mapping selection unit 202, the predetermined position data of the reference data 302 among the latter-stage mapping functions G ′ _{0 to} G ′ _m−1 corresponding to the _m fraction processing functions G _{0 to} G _m−1 prepared in advance. To select. In the present embodiment, as m = 8, and is _{pre-G '0} ~G' ₇ 8 scheme subsequent mapping function of prepared. The total of three bits of _{r i [14] ~r i [} 16] of the reference data 302, the decimal expansion value ξ∈ {0,1,2, ···, 7} corresponding to the subsequent mapping function G ' _ξ is selected. Here, an example of the latter-stage mapping function G ′ _ξ (X) (ξ = 0, 1, 2, ..., 7) is shown in the following expression (A).

Subsequent to the processing of the latter-stage mapping selection unit 202, the processing of the latter-stage mapping calculation means 203 is performed. In the selected mapping calculation unit 203-i of the mapping calculation units 203-0 to 203- (m-1) as the subsequent mapping calculation unit 203, based on the mapping intermediate value Y obtained in the preceding mapping calculation unit 201. , The post-stage mapping function G ′ _ξ corresponding to the number ξ selected by the post-stage mapping selection unit 202 is calculated to update the mapping value. If the current number of mappings is i, the updated mapping values are as shown in equation 21 below.

The updated mapping value is overwritten on the mapping value in the mapping value register 103. After the processing of the latter-stage mapping calculation unit 203, the processing by the fluctuation determination unit 601 is performed. The fluctuation determination unit 601 refers to the predetermined position data of the reference data 302 and determines whether or not to change the internal state of the pseudo random number generation algorithm. In the present embodiment, a reference data _{302 r i [k] (k} = 1,2, ···, 17) _of, if it is r i [17] = 1 ( Yes / give variation) The process moves to the process by the internal state changing unit 602, and if r _i [17] = 0 (No / no change), the process proceeds to the process of the mapping number counter 603.

In the above, r _i [17] = 1, and when the process shifts to the processing by the internal state changing unit 602, the internal state changing unit 602 refers to the parameter change amount column 102 and the reference data 302 and changes the parameter a []. give. Now, it is assumed that the j (1, 2, ..., 32) th parameter a [j] is selected. In the present embodiment, the variation according to the following Expression 22 is performed.

  When the internal state changing means 602 changes according to the above equation 22, the parameter string of the parameter string register 104 is overwritten with the parameter string related to the fluctuation and updated. After this process, or when the change determination unit 601 returns No, the mapping number counter j = j + 1 is calculated, and the next numbered parameter is used in the next mapping. However, when j> 32, the process returns to j = 1. After that, the count value of the mapping number counter 603 is incremented, and the process proceeds to the end determination unit 701.

  The end determination unit 701 determines whether or not the pseudo random bit string has reached a predetermined length. If Yes (end), the process proceeds to the post-processing unit 702, and if No (not end), the process returns to the pre-stage mapping calculation unit 201 and the series of processes is continued.

  When the processing proceeds to the post-processing unit 702, post-processing such as resetting of each register and each unit is performed, and the processing (algorithm) ends.

Specific Embodiment 2
Next, a specific second embodiment will be described. The second specific example is an example in which a logistic mapping is used. As the system parameter, the bit width of the mapping value X: t = 64 bits, the calculation accuracy: 192 bits are used.

The user
seed: 64-bit random number seed n: number of bits of output random bit string is input to the pseudo-random number generator.
As a result, the pseudo random number generator outputs the next random bit string.
{B1, b2, ..., Bn}: n-bit output random bit string, where bi is 0 or 1.

  In the concrete embodiment 2, the logistic mapping in which the following integers are calculated is used.

In order to provide a finite-precision computer implementation here, the mapping is achieved by combining the logistic mapping FL _{, AL} and the fractional processing function G _ξ (ξ = 0, 1, ..., 7). That is, it is represented by the following Expression 24.

Incidentally, in the second specific embodiment, the calculation of the mapping by the equation (24) is executed by dividing it into the following pre-stage mapping F ′ _{L, AL} and post-stage mapping G ″ ″ _ξ .

  The following constants will be used in the subsequent description of the specific second embodiment.

  The operation will be described below assuming that the specific embodiment 2 is realized by the configuration shown in FIG.

  The pre-processing unit 101 receives an input of a seed (or key) seed of t (= 64) bits and a random bit string length nεZ, and performs an initial mapping value, an initial parameter string, a seed-specific parameter string, by a predetermined function. The parameter change amount sequence 102 is generated as follows.

The pre-processing unit 101 calculates the initial mapping value X _{0 based} on the seed information and calculates X _{i + 1} = F _{L, AL, max} (X _i ). In the process, a 64-bit integer with k _a [j] = X _{5j + 100} is obtained as an element of the seed-specific parameter sequence. That is, it becomes as shown in the following Expression 36.

  The parameter strings a [1] to a [32] are stored in the parameter string register 104 and used in the mapping calculation in the pre-stage mapping calculation means 201. In the specific second embodiment, the following Expression 37 is obtained.

Parameter variation column _{p a [1] ~p a [} 32] , in the internal state change means 602 is used as a reference value to provide a change in the parameter column a []. In the specific second embodiment, the following Expression 38 is obtained.

After the preprocessing unit 101, the calculation by the pre-stage mapping calculation unit 201 is performed. The pre-stage mapping calculation means 201 calculates the pre-stage mapping shown in Expression 25 to obtain a mapping intermediate value Y. At the start of the pseudo-random number generation algorithm, mapping calculation is performed using the initial mapping value X ₀ generated by the preprocessing unit 101 and stored in the mapping value register 103. Here, assuming that the number of mappings i and the parameter sequence a [j] are selected, the mapping intermediate value Y is as in the following Expression 39.

  The parameter sequence a [] used in the pre-stage mapping calculation means 201 will be described. In the second specific embodiment, a total of 32 parameters a [1] to a [32] are generated by the preprocessing unit 101 at the start of the pseudorandom number generation algorithm. In the first mapping, the j = 1st parameter, that is, a [1] is used. It is now assumed that the j-th (j = 1, 2, ..., 32) parameter is selected. If the variation determination unit 601 described later determines No (no variation), the same parameter is used again in the next mapping. When it is determined to be Yes (change), the value of a [j] is updated and the increment of j (j = j + 1) is executed by the method described later, and in the next mapping, the next number Parameters are used. However, when j> 32, the process returns to j = 1.

The process by the extraction unit 301 is performed after the pre-stage mapping calculation unit 201. The extraction unit 301 extracts a bit string at a predetermined position of the mapping intermediate value Y obtained after the calculation by the pre-stage mapping calculation unit 201, and as reference data 302, r _i [k] and (r _i [k] ε {0, 1 }, K = 1, 2, ..., 61), and as original data 303, r _o [k], (r _o [k] ε {0, 1}, k = 1, 2, ... , 48). In the second specific embodiment, Y is 192 bits. The reference data 302 is 13 bits from the 49th bit to the 61st bit of Y and a total of 61 bits of 48 bits from the 113th bit to the 160th bit, and the original data 303 is 112 bits from the 65th bit of Y. The 48 bits up to the eye, a total of 109 bits, are extracted as a random bit string. Specifically, consider an array represented by the following Expression 40 in which Y is represented in binary notation and Y is represented in binary notation. As a result, r _i [k] and r _o [k] become equations 41 and 42.

In the concrete embodiment 2, as the reference data 302, the random bit string indicated by r _i [k], (ri [k] ε {0,1}, k = 1, 2, ..., 17) is It is used as random data that is referred to at a total of six locations including the selection determination unit 401, the selection unit 402, the latter-stage mapping selection unit 202, the transposition unit 502, the variation determination unit 601, and the internal state variation unit 602. The range in which r _i as the reference data 302 is referred to is limited to internal processing of the algorithm, and is not used as a random bit string for external output.

Note that the original data 303 r _o [k] (r _o [k] ε {0,1}, k = 1, 2, ..., 48) is a random bit string that is an output of the concrete embodiment 2. Is a "candidate". That is, not all of the original data 303, _ro , are adopted.

Following the processing by the extraction means 301, the selection determination unit 401 performs processing. The selection determination unit 401 refers to the data of r _i that is the reference data 302 and determines whether or not to shift to the process of the selection unit 402 that selects a pseudo random number. Of the reference data 302 r _i [k] (k = 1, 2, ..., 61), if r _i [1] = 1 (Yes / selection), the process proceeds to the processing of the selection unit 402. . On the other hand, if r _i [1] = 0 (No / no selection), the process proceeds to the rear-stage mapping selection unit 202.

When the selection determination unit 401 described above determines Yes, the selection unit 402 performs the following processing. The selection unit 402 refers to the data of r _i that is the reference data 302 and selects a random bit (column) to be output to the outside from the data of r _o that is the original data 303. In the present embodiment, with reference to the 48-bit _{r i [14] ~r i [} 61] of the reference data _{302, r i [k] =} 1 (k = 14,15, ···, 61) (Yes ), _Ro [k-13] is stored in the register tmp [] as the pre-transpose random bit string 403 which is a valid bit string. On the other hand, if r _i [k] = 0 (k = 14, 15, ..., 61) (No), r _o [k-13] is discarded without being used for any purpose.

  After the processing by the selection means 402, the random bit length counter 404 counts the length of the random bit string selected by the selection means 402 and output to the outside.

  The transposition determining unit 501 operates in response to the count of the random bit length counter 404. The transposition determining unit 501 refers to the data size of the pre-transposition random bit string 403 stored in the register tmp [] and determines whether or not to shift to the processing of the transposing unit 502. In the present embodiment, if the length of the pre-transposition random bit string 403 stored in the register tmp [] reaches 64 bits (Yes), the transposing means 502 proceeds to the processing. On the other hand, if the length of the pre-transposition random bit string 403 is less than 64 bits (No), the process proceeds to the rear-stage mapping selection unit 202. In the case of shifting to the processing by the transposing means 502, 64 bits from the head of the register tmp [] are moved to the register ref [] and the head 64 bits of the register tmp [] are erased. Further, the data of the 65th bit and subsequent bits of the register tmp [] are carried up.

Subsequent to the processing by the transposition determining unit 501, the processing by the transposing means 502 is performed. The transposing means 502 performs a process of rearranging the order of the 64-bit data generated in the above-mentioned register ref [] only when the determination by the transposition determining unit 501 is Yes. In the present embodiment, 256 transposition rules of P _{0 to} P ₂₅₅ are prepared in advance. The _r i [2] _~r i eight bits of [9] of the reference data 302, the decimal expansion value ξ = {0,1,2, ···, 255 } is the transpose rule P _xi] corresponding to To be selected. The transposed data is stored in the register OUT [] which is the holding unit 503.

  The 256-system transposition rule used in this embodiment is the mapping t: I → I, (iεI, t (i) εI, I = {1, 2, , 64}, t is given as bijection). The mapping t is 64 in total! (64 factorials) In this embodiment, 256 of the 64 factorial streets are selected. Specific examples in the case of 8-bit transposition have already been shown in Tables 1 and 2. Even in the case of 64-bit transposition, since it is sufficient to create the bijection before and after mapping so that the bijective relationship is maintained, a specific example of 64-bit transposition is omitted.

  When the processing of the transposing means 502 is completed, the output unit 504 is activated. When the transposed data is stored in the register OUT [] which is the holding unit 503, an output command is output from the output unit 504 at a predetermined timing and the bit string held in the register OUT [] which is the holding unit 503. Is output as an output random bit string 802. As described above, the output unit 504 determines whether or not the transposed random bit string held in the holding unit 503 has reached the specified output bit length, and if so, outputs the output command.

When the process of the output unit 504 is completed, a process random bit length counter clear 505 for clearing the random bit length counter 404 is performed, and subsequently, the latter-stage mapping selection unit 202 is activated. In the latter-stage mapping selection unit 202, the reference data 302 is predetermined among the latter-stage mapping functions G ″ _{0 to} G ″ _m−1 corresponding to the _m fractional processing functions G _{0 to} G _m−1 prepared in advance. Select by referring to the position data. In this embodiment, when m = 8, the post-stage mapping functions of the eight systems G ″ _{0 to} G ″ ₇ are prepared in advance. The total of three bits of _{r i [10] ~r i [} 12] of the reference data 302, the decimal expansion value ξ∈ {0,1,2, ···, 7} corresponding to the subsequent mapping function G ' ′ _Ξ is selected. Here, an example of the latter-stage mapping function G ″ _ξ (X) (ξ = 0, 1, 2, ..., 7) is shown in the following expression (B).

Subsequent to the processing of the latter-stage mapping selection unit 202, the processing of the latter-stage mapping calculation means 203 is performed. In the selected mapping calculation unit 203-i of the mapping calculation units 203-0 to 203- (m-1) as the subsequent mapping calculation unit 203, based on the mapping intermediate value Y obtained in the preceding mapping calculation unit 201. , The rear-stage mapping function G ″ ″ _ξ corresponding to the number ξ selected by the rear-stage mapping selection unit 202 is calculated to update the mapping value. If the current number of mappings is i, then the updated mapping values are as shown in equation 43 below.

The updated mapping value is overwritten on the mapping value in the mapping value register 103. After the processing of the latter-stage mapping calculation unit 203, the processing by the fluctuation determination unit 601 is performed. The fluctuation determination unit 601 refers to the predetermined position data of the reference data 302 and determines whether or not to change the internal state of the pseudo random number generation algorithm. In the present embodiment, if r _i [13] = 1 out of r _i [k] (k = 1, 2, ..., 61) that is the reference data 302 (Yes / change is given), If the process moves to the process by the internal state changing unit 602 and r _i [13] = 0 (No / no change), the process proceeds to the process of the mapping number counter 603.

In the above, r _i [13] = 1, and when the process shifts to the process by the internal state changing unit 602, the internal state changing unit 602 refers to the parameter change amount sequence 102 and the reference data 302 to change the parameter a []. give. Now, it is assumed that the j (1, 2, ..., 32) th parameter a [j] is selected. In this embodiment, the variation according to the following equation 44 is performed.

  In the internal state changing means 602, j = j + 1 is calculated at the same time, and the next numbered parameter is used in the next mapping. However, when j> 32, the process returns to j = 1. After that, the count value of the mapping number counter 603 is incremented, and the process proceeds to the end determination unit 701.

  The end determination unit 701 determines whether or not the pseudo random bit string has reached a predetermined length. If Yes (end), the process proceeds to the post-processing unit 702, and if No (not end), the process returns to the pre-stage mapping calculation unit 201 and the series of processes is continued.

  When the processing proceeds to the post-processing unit 702, post-processing such as resetting of each register and each unit is performed, and the processing (algorithm) ends.

Since the specific embodiments 1 and 2 described above have a simple configuration, they are characterized by ease of implementation and high-speed processing. Further, it can be considered that this pseudo random number generation method is diverted as a pseudo random number generation unit of stream cipher.
The pseudo random number generation device and program according to the present invention are preferably applied to applications, tools, libraries and information systems, and electronic devices that require secure pseudo random numbers. Here, “safe” means that it is difficult to analytically obtain the seed information used to generate the random number sequence when the pseudo random number sequence generated by the pseudo random number generation method is used as known information. .

  More specifically, the pseudo random number generation device and program according to the present invention are used in the field of information security in general, for example, generation of a secure key pair (private key, public key) in a public key authentication system (PKI), and common key cryptography. It can be used to generate a secure common key, a secure session key for encrypted communication, a key for wireless communication, and other random passwords and random keys.

101 Pre-Processing Unit 102 Parameter Change Sequence 103 Mapping Value Register 104 Parameter Sequence Register 201 Pre-stage Mapping Calculating Unit 202 Post-stage Mapping Selecting Unit 203 Post-stage Mapping Calculating Unit 203-0 to 203- (m-1) Mapping Calculating Unit 301 Extracting Means 302 Reference data 303 Original data 400 Bit calculation means 401 Selection determination part 402 Selection means 403 Pre-transposition random bit string 404 Random bit length counter 500 Determination part 501 Transposition determination part 502 Transposition means 502-1 to 502-u Transposition operation part 502 Transposition means 503 Holding unit 504 Output unit 505 Random bit length counter clear 601 Variation determination unit 602 Internal state variation unit 603 Mapping number counter 701 End determination unit 702 Post-processing unit 801 Input information 802 Output random bit string

Claims (20)

A pre-stage mapping calculation means for performing a pre-stage mapping calculation based on the parameter sequence and the mapping value,
And a rear-stage mapping calculation means for performing a mapping calculation different from the front-stage mapping calculation on the basis of the calculation result by the front-stage mapping calculation means and returning the calculation result to the front-stage mapping calculation means.
A pseudo-random number generation device that repeats a mapping operation by a loop of the front-stage mapping calculation means and the rear-stage mapping calculation means a predetermined number of times,
Extraction means for extracting the original data which is a part of the output random bit string based on the calculation result by the pre-stage mapping calculation means,
Bit calculation means for selecting and executing a predetermined process based on the original data and calculating a part of the output random bit string;
Further equipped with,
The extraction means is for extracting reference data to be referred to when selecting a predetermined process executed by the bit calculation means,
A pseudo random number generation device, which generates a pseudo random number composed of an output random bit string based on a calculation result obtained from the pre-stage mapping calculation means. The bit calculating means has a selecting means for selecting a part of the original data, judges whether or not to execute the selection by the selecting means based on the reference data, and executes the selection by the selecting means. The pseudo random number generation device according to claim 1 , wherein which bit of the original data to select is determined based on the reference data. Bit calculation means, according to claim 2, wherein the includes a transposition means for performing a transpose operation on the selected bit by the selection means, and determines whether to transpose by the transposition means based on the reference data Pseudo-random number generator described in. The pseudo means according to claim 3 , wherein the transposing unit has a plurality of transposition operation sections, and determines which of the plurality of transposition operation sections is used for transposition based on the reference data. Random number generator. Holding means for temporarily holding the bit string resulting from the transposition by the transposing means, and when the holding means holds a bit string of a predetermined length, outputting the bit string held by the holding means as an output random bit string, The pseudo random number generation device according to claim 3 or 4 . The second-stage mapping calculation means, a plurality of mapping calculation unit is provided, to claim 1, characterized in that a determination of whether to perform the mapping using any of the plurality of mapping calculation unit on the basis of the reference data 5. The pseudo random number generation device according to any one of 5 above. In response to the calculation result of the latter-stage map calculation means, an internal state changing means for changing the parameter used by the former-stage map calculation means is provided,
7. The pseudo-random number according to claim 1, wherein the internal state changing unit determines whether to change a parameter used by the pre-stage mapping calculation unit based on the reference data. Generator. 8. The pseudo-random number generation device according to claim 1, wherein the front-stage mapping calculation unit has a plurality of mapping calculation units that perform different mapping calculations connected in cascade. 9. The pseudo-random number generation device according to claim 1 , wherein the latter-stage mapping calculation unit performs an integer operation on the mapping result of the former-stage mapping calculation unit. At the start of the process, according to claim 1 to 9, characterized in that it comprises a preprocessing unit for generating the initial values including at least the initial mapping value and the initial parameter sequence to be given to the pre-stage mapping calculation means The pseudo-random number generator according to any one of 1. A computer that generates pseudo-random numbers
Pre-stage mapping calculation means for performing a pre-stage mapping calculation based on the parameter sequence and the mapping value,
Based on the calculation result by the front-stage mapping calculation means, a mapping calculation different from the front-stage mapping calculation is performed, and the calculation result is returned to the front-stage mapping calculation means;
Function as
The computer performs a loop process as the pre-stage mapping calculation means and the post-stage mapping calculation means, and causes the mapping calculation to be repeated a predetermined number of times;
The computer is further
Extraction means for extracting the original data which is a part of the output random bit string based on the calculation result by the pre-stage mapping calculation means,
Bit calculation means for calculating a part of the output random bit string by selectively executing a predetermined process based on the original data,
Function as
Using the computer as the extraction means, causing the bit calculation means to function to extract reference data to be referred to when selecting a predetermined process,
A pseudo-random number generation program that causes the computer to further function to generate a pseudo-random number composed of an output random bit string based on a calculation result obtained from the pre-stage mapping calculation means. In the bit calculation means, the computer is caused to function as a selection means for selecting a part of the original data, and it is determined whether or not the selection means executes selection based on the reference data,
12. The pseudo random number generation program according to claim 11 , wherein when the selection by the selection unit is executed, it is determined which bit of the original data is selected based on the reference data. In the bit calculating means, the computer is caused to function as a transposing means for performing a transposing operation on the bit selected by the selecting means,
The pseudo-random number generation program according to claim 12 , wherein it is determined whether or not the transposition is performed by the transposition means based on the reference data. In the transposing means, the computer is caused to function as a plurality of transposition operation units,
The pseudo random number generation program according to claim 13 , wherein which of the plurality of transposition calculation units is used to perform transposition is determined based on the reference data. Holding means for temporarily holding the bit string resulting from the transposition by the transposing means, and when the holding means holds a bit string of a predetermined length, outputting the bit string held by the holding means as an output random bit string, The pseudorandom number generation program according to claim 13 or 14 . In the latter-stage mapping calculation means, the computer is caused to function as a plurality of mapping calculation units,
16. The pseudo random number generation program according to claim 11, wherein which of the plurality of mapping calculation units is used to perform mapping is determined based on the reference data. The computer is caused to function as an internal state changing means for receiving the calculation result of the latter-stage mapping calculating means and varying the parameter used by the former-stage mapping calculating means,
The pseudo-random number according to any one of claims 11 to 16 , wherein the internal state changing unit determines whether to change a parameter used by the pre-stage mapping calculation unit based on the reference data. Generator. Wherein in the front mapping calculation means, according to the computer, to any one of claims 11 to 17 a plurality of mapping operation unit to perform different mapping calculation respectively and wherein the to function as cascaded Pseudo-random number generator. The pseudo random number generation program according to any one of claims 11 to 18 , wherein the latter-stage mapping calculation unit performs an integer operation on the mapping result of the former-stage mapping calculation unit. Computer,
At the start of the process, according to claim 11 or 19, characterized in that to function as a pre-processing unit for generating an initial value including at least the initial mapping value and the initial parameter sequence to be given to the pre-stage mapping calculation means The pseudorandom number generation program according to any one of 1.

Images