WO2010149142A1

WO2010149142A1 - System for producing randomized bit lists of any length on computers in normal operation

Info

Publication number: WO2010149142A1
Application number: PCT/DE2010/000713
Authority: WO
Inventors: Robert Niggl
Original assignee: Robert Niggl
Priority date: 2009-06-22
Filing date: 2010-06-22
Publication date: 2010-12-29

Abstract

The present invention relates to a system that works with a computer-supported randomization method and that can provide bit lists of any length having high randomization quality. The method is based on standard random number generators and on supply values, which are obtained by collecting (and evaluating) certain results, which provide address values. In the normal operation of a computer system, a supply of values that has any size and that cannot be predicted externally can thus be produced; in other words, each supply is possible and equally probable without additional assumptions (a "white noise" of the normal operation, as it were). On the basis of such a supply of values and a standard random number generator, bit lists of any length can then be produced piece by piece by means of reinitialization using an iteration process, wherein each reinitialization step uses at least one randomly selected and then securely encrypted supply value.

Description

SYSTEM FOR GENERATING ANY LONG RANDOMIZED BITLISTS ON COMPUTERS IN NORMAL OPERATION

The present invention is concerned with a system for generating arbitrarily long randomized bit lists on computers in normal operation, as they are needed for secure encryption by ONE-TIME-PAD (OTP) method. There, the key is a one-time key and must be as long as plain text.

Such mathematical encryptions as e.g. the Mersenne Twister method is known in the art. A disadvantage of this method, it is perceived that due to the calculation effort only very small keys can be generated or that the start values for long lists should be "huge" accordingly and - if at all with the respective interfaces specifiable - could not be processed efficiently ,

Remedy could be provided by technical methods developed in the context of quantum cryptography, eg laser-based methods with half-mirrors. However, such devices are only available in the form of prototypes. Until the practical commercial use Such devices are probably still several questions to clarify, especially questions of quality assurance in the production of equipment and the issues of accident safety.

The present invention, on the other hand, is primarily intended for "normal operation" computer systems, ie it relies solely on standard random generators and certain events which always and suitably occur during normal operation of a computer system Normal operation if it is not profoundly manipulated The present invention can therefore be used immediately in practice.

Of course, the quantum mechanical methods and the present invention would complement each other very well. If the key generation is designed to be redundant, i. If keys are generated independently via two devices, one key can be securely encrypted with the other and thus a super key can be generated. A device could then still fail or be disturbed.

Therefore, it is an object of the present invention to provide a system that operates according to a secure method with manageable computational effort, so that data can be safely transported unobtrusively from one location to another without allowing access to the transported data.

This object is achieved with the characterizing features of the main claims.

According to the invention, the system with any standard random number generator and a dynamic memory is characterized in that a bitmap is generated by reinitializing the random number generator piecewise in a bitmap module based on an arbitrary random number generator and based on suitably accumulated stock values in such a way that for each reinitialization step at least one randomly determined and then securely encrypted value from the collected stock of values is used, the At least part of the value stock is obtained by collecting address values of dynamically allocated objects, ie by evaluating certain address values of the dynamic memory area of the computer system and the time of collection or of a time associated with the allocation of the respective object.

Since one of the outstanding features is the usability for secure encryption - because arbitrarily long keys can be generated efficiently in high randomization quality - this is first presented.

The secure encryption is "information destroying", that is the encrypted plaintext (cipher) carries no information in the sense that, mathematically justified, no information can be obtained about the cipher alone.

It is easy to see that one-time-pad (OTP) methods are information-destructive, because every bit of the plaintext K is associated with a random bit and is used only for this combination. The key must therefore be generated randomly for K (one-time key) and must be at least as long as K.

As an example, the bit addition is called the bit addition (also known as XOR operation): 0 + 1 = 1 + 0 = 1, 1 + 1 = 0 + 0 = 0. Then, if E is a one-time key for K in the length of K, then K + E is the encrypted plaintext (V), bit by bit being added. As evidently V + E = K, E can also be decrypted again.

Since the bit addition has the properties of an "abelian group", you can, for example, calculate "as with integers". Bit addition in algebra is also known as "addition in the smallest field (| F_2)".

For the sake of completeness, the bit addition has also been carried out briefly and the characteristics relevant for the enciphering have been proven. It will be a practical one Instead of the + character, the ^A character is used for the corresponding bit operator, which is available in many programming languages.

Definition: Let! 0 = 1,! l = 0 (negation)

It obviously applies! ! x = x

Definition: Let 0 ^Λ 0 = l ^A l = 0 and 0 ^A l = l ^Λ 0 = l (bit addtion or XOR linkage)

Then always applies

• x ^Λ x = 0 (clear)

• x ^A ! X = 1 (clear)

• x ^A 0 = x (for 1 ^A 0 = 1 0 ^A 0 = 0)

• x ^A l =! X (because l ^Λ l = 0, O ^A l = l)

Furthermore, for two bit variables x, y, the following always holds:

• x ^A y = y ^A x (clear)

We now consider arbitrary bit variables x, y, z and show:

• x ^Λ (y ^A z) = (x ^A y) ^A z Assumption: y = z.

The right side then delivers

• x ^Λ (y ^Λ z) = x ^A 0 = x

For the left side two cases are possible:

• (x ^A x) ^A x = 0 ^A x = x

• (x ^A ! X) ^A ! X = l ^A ! X =! ! X = x

Assumption: y ≠ z.

The following cases are possible for the left side:

• x ^A (x ^Λ ! X) = x ^A l =! X

• x ^Λ (! X ^Λ x) = x ^Λ l =! X

The following cases are possible for the right side: • (x ^Λ ! X) ^Λ x = l ^Λ x =! X

• (x ^Λ x) ^Λ ! X = 0 ^Λ ! X =! X

Consequently, the equation holds in all cases.

So let K, as before, be a bit-list, E an equidistant one-time-key, and the cipher V be defined as V = K ^Λ E, which is added component by component. If O is a bitmap of the same length with all zeros, then:

V ^A E = (K ^A E) ^Λ E = K ^Λ (E ^Λ E) = K ^Λ O = K.

The inventive method is now based on a value store, which is obtained by collecting address values of allocated objects. The triggering event is thus the allocation of an object in the dynamic memory by a program that is executed on the computer system. As a result, a stock value is arbitrarily determined by expanding at least two pieces of information for generation. These are the address value of an object dynamically generated in the system according to the invention and the collection time or a time associated with the allocation, as shown in FIG. 1. In Fig. 1, the architecture of the system according to the invention is shown. FIG. 1 shows how application programs running on the computer system generate a value store directly or indirectly via the new bit list module by collecting address values, which is then used later by the bit list module for the list generation. It is also recorded that the bitmap module itself (as an application program) is used to obtain the stock value.

Collecting can be easily implemented by, for example, writing a timer-controlled monitor program that constructs itself objects. Such a program would thus put itself in the "background operation" of the computer system.When a random generator is used to randomize both the timer setting and the object construction via subobjects, the collecting of the address values provides optimal starting values for the generation of the stored value from the address value x and the respective collection time t can be easily construct a value that is unpredictable from the outside in normal operation, for example, that with t as the initialization size for the standard random number generator generates a key and then x is encrypted with this key secure.

The collection of address values can therefore generate an arbitrarily large stock of values that can not be predicted from outside without massive manipulation of normal operation. Any value stock is possible and unlikely, without any reasonable additional assumptions, a kind of "white noise" that normal operation generates.

Based on such a sufficiently large stock of values and the normal operation can as described provide an arbitrarily large stock of values (!) - can therefore a long bitmap with a standard random generator on Reinitialisierungsschritte "piecewise" generated, the random number generator after each step with randomly selected and then securely encrypted stock values are reinitialized, ie (at least) one stock value is randomly selected, then securely encrypted, and then this cipher is used for reinitialization, because in the result a series of independent random experiments is simulated.

Note: A mathematical analysis of the randomization quality of the method - i. the approach to "absolute coincidence" ~ is very complex and requires corresponding statistical assumptions about the quality of stock levels and standard random number generators, and is very demanding even assuming that all process components are "ideally" realized.

In summary, it can be stated that securely encrypted values, which are themselves unpredictable, are ideal values for reinitialization, so that the independence is inherited "step by step." The present invention introduces a system that uses a computer-based randomization method which can deliver arbitrarily long bit lists in high randomization quality. The method relies on standard random number generators and on inventory values obtained by collecting (and evaluating) certain events that provide address values. During normal operation of a computer system, an arbitrarily large stock of values can thus be generated which can not be predicted externally, ie every supply is possible and without additional assumptions equally probable, a kind of "white noise" of the normal operation based on such a stock of values and a standard random number generator Any length of bit lists over an iteration process by piece reinitialization are generated, each Reinitialisierungssschritt at least one randomly selected and then securely encrypted stock value used.

In the following two completely different versions of the algorithm for the randomized generation of long bit lists are given, which also randomize the piece lengths.

FIRST VERSION

1. Summary

This document describes a method for generating arbitrarily long randomized bit lists based on random number generators for bitlists.

The strategy is to construct a corresponding vector B = (Bi, ..., B _n ) of sufficiently short sublists B ₁ , obtained by independent reinitialization, such that the reinitialization process has a variable number of times Parameters (called stocks) is controlled.

It is shown that under certain conditions - in particular with regard to the number and the collection of the stock values - the overall list is sufficiently well randomized.

2 basic terms, notations

Definition 1. An (elementary) random generator Z is described below as a tuple (f, g, m)

• / is an initialization function

• g is a production function that delivers m bits

For a random number generator let Z = (/, g, m) be

• Init (Z): = f (read: initialization function of Z)

• Prod (Z): = g (read: production function of Z)

• bit number (Z): = m (read: bit number of Z)

• Inits (Z): = number of parameters of Init (Z)

Definition 2. If Z is a random number generator, byte (Z) is the following function:

• Input: A number h

Output: h bytes generated by repeatedly calling Prod (Z), i. Prod (Z) is called x times, bit number (Z) * x> h * 8, sequentially concatenated, the bits generated and then output (the first) h bytes.

Definition 3. For a list a = (αi, ..., α _m ) let \ a \: = m be the list length. If α = (αi, ..., α _m ), b = (6 ₁ ,. -., Δ ") lists, let: = (α _{l 5} .., A _m , h,. , δ ") is the list resulting from the concatenation of α with b. If X = (Xi, ..., XM) is a list of lists, List (X) is the concatenation of all elements:

• List {X): = Xi for M = 1

• list (X): = list ((X _u ..., XM-I)) XM for M> 1

Definition 4. For a data object x, let dim (x) be the memory requirement of 2 ^; in bytes.

3 task

With a random number generator Z, a byte list of (minimum) length M is to be generated.

4 Solution 4.1 Overview

A vector B = (B ₁ , ..., B _n ), n> 0, is generated step by step by means of Bytelisten B ₁ , which together give a sufficiently long total list, ie

•

..., ß "_i)) | <M <\ List (B) \

where before each step the initialization function of Z is called:

• The first step (i = 1) uses classic initialization values (for example, current timestamps).

• In each step i, the reinitialization parameters for the next step (i + 1) are determined such that from a value set V = (Vi, ..., V ₁₁ ) a corresponding selection of values V _{j is} randomized and these parameters then become One Time-pad-encrypted, the keys are each newly generated via byte (Z).

• Furthermore, the length of B ₁ in step i is randomized within adjustable limits - a minimum length (L) or maximum length (L ') - determined. 4.2 Algorithm l: procedure RANDOMIZE (Z, B, M, L, L ', V)

2: Il Compute B with \ List [B] \> M via Z under the following conditions:

3: // M> 0

4: // 0 <L <L '

5: // \ V \> 0

6: // instructions x: = byte [Z) [diτn [x)] assume an x-type in the following,

7: // which can be allocated with arbitrary bits (for example, unsigned int)

8: B initialize // now: B = (B ₁ ,..., B _n ), n = 0 that is \ B \ = 0, \ list (B) \ = 0

9; Auxiliary vector W, \ W \ = InUs [Z), with default initialization values

10: for | _list (5) | <M do // Step: 5 = (Bi, .. .., B _n ) to expand an element

11: Call InIt [Z) with W // Initialize Z

12: for k = 1..InUs [Z) do // W _fe for reinitialization

13: r: = byte [Z) [dim [r)] // Determine random number r

14: h: = mod [r, \ V \) // determine the precedence index h

15: S: = Byte [Z) [dim [V _h ]) // Determine key S

16: W _k : = XOR (I ^, S) Il V _h OTP-encrypt

_17: r: = byte [z) [dim [r)] // determine further random number r

₁ 8 _: d: = max [L, mod [r, L ')] // specify length d of the new element

1 ₉ : b: = byte [Z) [d] // calculate byte list b of length d

20: B: = (B ₁ , ..., B _n , b) Expand Il B by b

21: // now: \ B \> 0, | Lt * te (£) | > M

4.3 rating

assumptions:

1. The partial lists are short enough (to be controlled via L, U).

2. The number of stock values is large enough (e.g., JVj = 10,000).

3. The stock values are generated on the computer system-technically conditioned and without connection with any technical data so that they are not externally foreseeable.

Under this assumption B is then randomized sufficiently well:

• The first part of the coast is won by classical initialization, so it is sufficiently well randomized.

• In each subsequent step, the random number generator is reinitialized with values that are sufficiently well-randomized, so each sub-list of a subsequent step is randomly and randomly randomized, because:

If the selected stock values are securely encrypted in step i, then in step i + 1 the selected stock values are encrypted securely and independently. • It is virtually impossible to simulate the set of possible outcomes over the set of possible input values.

5 Stock determination

Implemented:

• Collect addresses of allocated objects in a vector.

• If the maximum vector length is reached, the oldest entries are overwritten, ie a write position is maintained, which is reset to 0 after reaching the maximum length.

Second execution

1 preliminary remarks

The following is a procedure for the randomized generation of arbitrary long keys for ONE-TIME-PAD cryptography (s.u.). These preliminary remarks contain agreements for the later used notation. We start with the following bitaddition ©:

• 1ΘO: = OΘ1: = 1

• 0 θ 0: = 1 θ 1: = 0

For bits a, b, c, the following tacitly used calculation rules apply:

• a @ b = bQa

• αθO = α • a @ a = 0

• o (D (b CJ) c) = (α (J) b) (S) c

The first three rules can be read directly from the definition of ©. The fourth rule is immediately clear for α = 0 or 6 = 0 or c = 0, e.g. holds α © (6 © 0) = aθb = (α © 6) © 0. Further, 1 θ (1 θ 1) = 1 © 0 = 0 θ 1 = (1 Φ 1) θ 1.

Hint: One calculates as with integers, but now - x = x (da x + x = 0).

As usual, we write down a list x of length \ x \: = n in the form x = (xι, ..., X _n ). For bit lists x - (X ₁ , .... x _n ), y = (y _\ , ..., y _n ) - ie the x _u y _z are bits -, the componentwise bit addition x © y of x and y defined as usual:

The calculation rules that apply to bits are then transferred to bitlists. For example, x © y = (X ₁ @ Vu -., x _n Qy _n ) = (yi Qxι .-, y _n Qx _n ) = y @ x.

2 ONE-TIME-PAD (OTP) - Kyptography

We will first consider how perfectly random keys, i. equally distributed bit lists can be used cryptographically.

Let x: = (x _\ , ..., X _n ) be a plaintext ¹ shown as a bitmap and let y: = (yι, ..., y _n ) be an (arbitrary) key of the same length. If one forms from this the cipher z: = x φ y, then z © y = x, ie y is also a key for z in order to recover x, because:

z © y = {x Φ y) © y = x 8 (y θ y) = x © (O, .... 0) = x

The so-defined encryption method is symmetrical, i. the encryption function / and the decryption function g use the same key y, i. it always applies:

• g (f ( ^χ , y), y) = ^χ

Furthermore, here even f = g = @. A key test, i. one checks for a test key y '. whether f (g (z y '), y') = z holds is meaningless for this method, because it always applies:

{z © y ') © y' = z © (y ¹ © y ') = z © (0, ..., 0) = z

Suppose someone knows the cipher z = x © y, but neither x nor y, and furthermore the key y is chosen perfectly random (see above). Could he still calculate the plaintext x anyway? The answer is no, because the following lemma holds: For every x-hypothesis x ', y': = z © x 'is the uniquely determined key with z © y' = x '. Proof:

• y 'is a key: z © y' = z © {z © x ') - (z © z) © x' = (0, .... 0) © x '= x'.

• Uniqueness: From z © y "= x 'follows y' = z © x '= z © (z © y") = (0, .... 0) θ y "= y".

Consequently, each of the 2 "bitlists x 'of length n is a possible x-hypothesis, and we can not learn about the uniquely determined key y' with z © y '= x' as to whether x '= x since x is unknown and according to the assumption (nV), two keys y ', y "are equally probable.

For this reasoning, the size of n does not matter; it also holds for n = 1. A situation analogous to the case π = 1, we can in the general case by extreme additional knowledge: Suppose we also knew that x = a or x = b holds. Even in this extreme case - there are only two possibilities! - we can n.V. make no decision about the appropriate keys z φ α or z @ b!

Clear: We may use the generated key y only once, i. one newly generated key per plaintext (one-time key). In the literature, the above outlined cryptography is therefore known as ONE-TIME-PAD (OTP) cryptography.

¹ Each file is a sequence of bytes, ie bit sequences of length 8. 3 generation of random numbers

How do you get now Zusfallszahlen (to follow) (ZZF). that are statistically perfect. i.e.

• real ZZF or

• ZZF, which are indistinguishable from real ones?

On Linux / Unix systems, for a physical evaluation of the system state, it is known that corresponding ZZG are available under / dev / random or / dev / urandom: They show virtually no statistical abnormalities. However, there is no accepted physical justification for why (at least normally) this should be the case.

Perspectively: In the context of quantum cryptography, e.g. developed laser-based methods that can provide such genuine (!) ZZF. However, such devices are currently available only prototypically (see Prototypes of the University of Vienna).

In practice, calculation methods based on starting values are usually used, so-called arithmetic (more precisely: recursive) random number generators [ZZG]. These calculations then provide in each case pseudo-ZZF, and at best those that are indistinguishable from true ZZF (see criteria below). But even if these pseudo-ZZFs are indistinguishable from real ones, there is a fundamental problem (functional trap) in the context of a cryptographic application:

If Y is the set of bitlists of length n and if the key yE Y is calculated using a function F: X → Y, an attacker - if he knows F - only has to search through more F (X) by going through the x EX and the F (x) is calculated.

If, for example, the calculation can be reduced to a timestamp as the starting value - that is, X is equal to the amount of possible timestamps - then the search space X can obviously easily be screened with a notebook ²³ .

For OTP cryptography key tests are basically pointless (see above). However, the restriction to a key area that can be screened opens up possibilities of attack even if no decision is possible via the key: An attacker screens the test-decrypted cipher to determine whether it makes sense in terms of content - e.g. via a text analysis.

The method presented here is a hybrid method that combines certain arithmetic techniques with technical elements to simulate ZZF in a quality sufficient for cryptographic application:

• A starting value distribution deviating from the equal distribution can not be justified.

• The starting value range is so large that it can not be scanned.

• Even a partial screening is useless: The amount of possible news is so large that it tends to contain news of the opposite content for any suspected message. One can therefore never cancel a survey.

² There are 365 * 24 * 60 * 60 * 1000 millisec per year. Is it even possible to limit the day and hour to a certain extent - eg in an online attack? so remains a ridiculous search space!

³ Eiii key buy shifts the problem: the attacker could seek out the provider, blackmail, etc. 4 Recursive ZZG

Without limitation (oE), keys can be interpreted as sequences t _/ = (^ ₁ , ..., y _n ) of bit words y _{t of} fixed length (eg words with 32 bits). These bit words then represent integers from a corresponding region D. The task of the key generation can now be formulated as follows:

For given n> 0, create a real ZZF from D ⁿ .

Recursive ZZG are calculated condition-based in a primitive recursive manner from a starting state, with each newly calculated number changing the current state. The start state can be specified by specifying initial data in an initialization step. In this sense, a recursive ZZG is describable over

• a state quantity Q and

• a step function f: Q → D x Q. which calculates a number and a new state from a state.

Initial data we can see oE as a number sequences of fixed length L = L _j from D. The initialization step can then formally be called function a; : D ^L - »Q are described.

For initialization data x & Ω ^L and a natural number n> 0 we calculate φ (f, x, n) = (z _1: ... z _n ) £ W using the following recursion equations:

(2 _{t + 1} , s _{t + 1} ): = / (s.) For z <n.

We call φ (f, x, n) the output sequence of length n calculated by / and initialization data x.

We also write ψ (fx m + n) as a concatenation φ (f.X ₁ m) φ (f, *, n), where φ (f, *, n) can be read as n other numbers. This takes into account the fact that in the implementation of a ZZG the states are typically internal quantities.

Since recursive ZZG compute number sequences from initial data, the corresponding output sequences provide pseudo-ZZF which are at best indistinguishable from true ZZF. In the literature, therefore, various criteria for the approximation to this best case are formulated (quality of a recursive ZZG).

More recent recursive ZZG fulfill these criteria to a high degree. For the Mersenne Twister MTI 9937 is e.g. proved:

• {equal distribution): fc-dimensional equal distribution for k <624, i. If an output sequence generated via MT19937 is divided into subsections of length k, these subsections are equally distributed in fc-dimensional space.

Even the bits of an output sequence are equally distributed!

• (Period length) An arbitrarily long output sequence is a repetition of an initial section of length 2 ¹⁹⁹³⁷ - 1 «4, 3 • 10 ⁶⁰⁰¹ . 5 Cryptographic application of recursive ZZG

Also, a high quality recursive ZZG such as e.g. MT19937 can not be used without further constraints for key generation, i. For a cryptographic application further demands are to be made:

• requirement 1: For an output sequence to be a usable ZZF (in the sense of the formulated quality criteria), the initial data must also be usable ZZF.

• Requirement 2: The initial data length L and the Periondenlänge must be sufficiently large, so that a trial and error or limiting the initial data space is practically not feasible.

• Requirement 3: The initial data must be secret.

Claim 3 is comparatively easy to fulfill by producing the output sequence centrally on a computer system located in a secure area.

Claim 2 is satisfactorily fulfilled in the prior art by MT19937, since L _MTI99S7 = 624. However, with regard to the quantum computer, there is still no _{room for} future certainty.

Claim 1 throws us back to our initial problem, especially in combination with requirement 2. For MT19937 this problem can be somewhat mitigated by calculating an output sequence of length m + n with a random m in the order of 10 ° in a warm-up phase and then only the last n numbers of the sequence are used.

6 The procedure

We now introduce the new procedure. that meets requirements 1 and 2.

Given a recursive ZZG with step function / and a storage process ω, then a pseudorandom number sequence y = (yi, ..., y ") € D ^ra is calculated as follows:

• Output sequences u ¹ : - ψ (f x ^ι , riι), ..., u ^k : = ψ (f, x ^h , n _k ) are successively output with initial data x ^ι € D ^L and lengths n _τ . such that Σ, n _t = n is calculated and concatenated in this order.

Also included is the possibility that the function / itself is replaced at random, ie u ^ι : - ψ (g _ι , x ^ι , n _ι ) for a randomly selected g _τ .

• The lengths n _t are determined randomly (with the exception of the last value U _k -, which is determined by the abovementioned empirical formula).

Execution note: You can do this by using φ (f. *, M) to calculate further random numbers. Before the first step, you have to warm up / enough (see above).

• The initial data x ^ι GD ^L are determined as follows:

- (supply request) Via ω an x '€ D ^{L is} determined (see below).

- (key generation) An auxiliary key x "€ D ^{L is} generated Execution note: You can do this again / use (see above).

- (encryption) is reacted x ^ι: = x 'Q) x "ie x.' Encrypted with the auxiliary key OTP.

Accepted:

• / is of sufficient quality and warmed up properly (see above).

The stocking process is of sufficient quality, i. provides values that can neither be predicted nor simulated externally (for the purpose of screening).

• The lengths n _{t of} the sections are within sufficient limits (eg 10 ² <Ti ₁ <10 ⁵ ).

Then the output sequence is of sufficient quality, i. meets Ford. 1 and 2.

The ONE-TIME-PAD (OTP) encryption step in the calculation of x ¹ can even be omitted if the stocking process is perfect, ie has no statistical abnormalities (see below). However, the encryption step also provides the output sequence with practically sufficient quality if the stocking process excludes deviating statistical hypotheses or if such hypotheses must be based on extreme additional assumptions ⁴ .

Security turned: If an attacker knows a computer so well, he could probably also come directly to the data. 7 The stock of value / stock process

7.1 Principle

The value store is obtained on a computer system in normal operation by suitably evaluating certain operating events, i. We use technical features of a computer system in normal operation that can not be observed or predicted from the outside and evaluate it appropriately.

An operational event is basically a pair {time value}. We use an Allocation Event: The allocation of memory in the dynamic memory area through a background process of the computer system controlled by timers, which in turn are set randomly (e.g., via a modulo calculation to the current timestamp).

Assessment: In a normal multitasking environment, the operational events can be designed to be unpredictable from the outside. This is especially true in a garbage collector system environment, e.g. in that the background process accumulates character buffers of randomly determined length in a table and gradually overwrites that table.

There are basically two evaluation strategies:

• {physical evaluation) A (random) physical feature of the computer system is read out (i.e., the allocation process is only for the timing of the readout process).

• {cryptographic evaluation) The allocation event {time. Address value) is evaluated accordingly. e.g. a hash value is formed and encrypted.

The value thus obtained is then used for the formation of inventories.

For a physical stockpiling on Linux / Unix systems are known under / dev / random or / dev / urandom appropriate ZZG available: They show virtually no statistical abnormalities, ie the stock request then delivers really random values (perfect stock of values). The events in this case only control the timing of the readout, thus ensuring that the system changes its physical state (unpredictable).

7.2 Implementation

The stocking process ω manages a record from «JGD ¹ (stock data record), which can serve as an initial data record for MT19937 (see above). This reserve data set is initialized appropriately and then continuously changed by AES encryption ⁰ .

7.2.1 Inventory initialization

The stock value w is classically initialized:

• (Initial assignment) A standard ZZG g is initialized with a timestamp and then filled with peudo random numbers via g.

• (Encryption) Finally, an AES key r is generated via g without reinitialization - i. E. a key in length that AES demands - and then encrypted with r AES-.

7.2.2 Inventory update

A background process evaluates event-driven allocation events as follows:

• (event evaluation) A hash value is derived from the allocation event and g is reinitialized with this value.

• (encryption) as above.

7.2.3 Stock request

Each stock request is treated like a stock update.

7.2.4 Optimization

The supply set is doubly encrypted: First it is encrypted as described above AES- and then it is OTP-encrypted, whereby this key is generated via MT19937 (suitable warmed up) (without reinitialization).

7.2.5 Rating

The stock value w is continuously transformed via the background process as well as with each request. More precisely, the data record is initialized as an event (timestamp) and then cumulatively changed under event control! The stock process thus represents, as it were, typically a noise of the operating process.

⁵ AES = Advanced Encrypt. Was standing.

Claims

1. A system for generating arbitrarily long bit lists for encrypting data with at least one random standard generator and at least one dynamic memory area, characterized in that with the random generator via a bitmap module and based on collected stock values bitlists of arbitrary length piece by piece by reinitializing the random number generator is generated in such a way that for each reinitialization at least one randomly determined and then securely encrypted value from the collected value stock is used.

2. A method for the randomized generation of arbitrarily long bit lists for encrypting data, characterized in that with a random generator and based on stock values a bitlist of arbitrary length is generated piecemeal by reinitialization of the random number generator in such a way that at least one randomly determined and then securely encrypted value from the stock of values is used.

3. The method according to claim 2, characterized in that a stock of values is obtained at least in part by collecting and evaluating address values of dynamically allocated objects of the computer system, i. by evaluating these address values and the collection time or a time associated with the allocation.