Pseudo-random generators are used in some forms of cryptography to provide secured communication means for the transmission of messages between a transmitter and a receiver. Security is provided such that only an intended receiver can understand a message (e.g., voice or data) transmitted by an authorized transmitter, and only the authorized transmitter can send the message to the intended receiver. The challenge of cryptography is to change a message into a form that only the intended receiver can comprehend. This must be done in a way that is economical for both the transmitter and the intended receiver. At the same time, it must be very difficult (in terms of time and/or processing capability) for an unauthorized receiver (i.e., one that is not the intended receiver) to comprehend the message. As unauthorized receivers and unauthorized transmitters become more sophisticated, the need for secured communications becomes greater.
FIG. 1 depicts a functional block diagram of a transmitter 10 in the prior art having a cryptographic device for encrypting messages. The cryptographic device comprises a pseudo-random number (PN) generator 12 and an XOR operator 14. PN generator 12 is defined by the following modular exponential function:

$$x_i = g^{x_{i-1}} \bmod p \qquad \text{(equation 1)}$$
wherein $x_i$ is a value comprising $m$ bits, $p$ is a prime number comprising $k$ bits, $g$ is a generator of the integers mod $p$, and $1 < i \le n$. Since equation 1 is a modular exponential function, the value of $m$ should be less than or equal to $k$ (i.e., $m \le k$). Value $x_i$ is generated initially by providing PN generator 12 with seed value $x_0$, a secret value comprising $m$ bits and known only to the authorized transmitter and the intended receiver. Thus, value $x_1$ is equal to $g^{x_0} \bmod p$. Value $x_1$ is used to generate $x_2$ (i.e., $x_2 = g^{x_1} \bmod p$), which is then used to generate $x_3$, and so on.
PN generator 12 outputs a pseudo-random number $z_i$ comprising a $d$-bit segment of $x_i$. The pseudo-random number $z_i$ is then used to encrypt a $d$-bit segment of the message to be transmitted. Specifically, XOR operator 14 receives as inputs the message segment and the pseudo-random number $z_i$. The message segment is XORed with the pseudo-random number $z_i$ to produce a $d$-bit encrypted message segment. The values of $d$, $m$, and $k$ depend, in part, on the degree of cryptographic security (or difficulty) sought to be attained, as will be described herein.
Cryptographic security depends on two factors: (1) the degree of difficulty in solving the discrete logarithm problem for $x_i$, and (2) the degree of difficulty in breaking the pseudo-random number generator given one or more pseudo-random numbers $z_i$ (comprising $d$ bits). Assuming all $m$ bits of $x_i$ are available, solving the discrete logarithm problem for $x_i$ involves determining $x_{i-1}$ such that $x_i = g^{x_{i-1}} \bmod p$. A discrete logarithm problem is considered computationally hard, and therefore cryptographically secure, if $2^c$ operations are required to solve it, wherein $c$ represents a cryptographic security threshold level. The standard belief is that a discrete logarithm problem is hard if it takes at least $2^{64}$ operations to solve (i.e., $c \ge 64$).
A discrete logarithm problem can be solved by a variety of techniques, the two most efficient being the well-known index calculus technique and the square root technique. To solve the discrete logarithm problem for $x_i$ using the index calculus technique would require

$$\mathrm{operations}_{\mathrm{index}} = O\!\left(2^{\,\alpha\,(\log_2 p)^{1/3}\,(\log_2 \log_2 p)^{2/3}}\right) \qquad \text{(equation 2)}$$

operations, wherein $\alpha$ is a constant. If $c = 64$, the hard threshold (of $2^{64}$ operations) is met when $p$ comprises at least 512 bits (i.e., $k \ge 512$). Thus, the value selected for $k$ is dependent upon the value of $c$. By contrast, to solve the discrete logarithm problem for $x_i$ using the square root technique would require

$$\mathrm{operations}_{\mathrm{sq\text{-}rt}} = \sqrt{2^{m}} = 2^{m/2} \qquad \text{(equation 3)}$$

operations. If $c = 64$, the hard threshold is met when $x_i$ comprises at least 128 bits (i.e., $m \ge 128$). Thus, the value of $m$ is also dependent upon the value of $c$.
As mentioned earlier, solving the discrete logarithm problem for $x_i$ assumes all $m$ bits of $x_i$ are available. If only $d$-bit segments of $x_i$ (i.e., pseudo-random numbers $z_i$) are available, then the step preceding the discrete logarithm problem for $x_i$ is to somehow determine all $m$ bits of $x_i$. This is the aforementioned second factor of cryptographic security, which involves breaking the pseudo-random number generator given one or more pseudo-random numbers $z_i$. A pseudo-random number generator is considered cryptographically secure if, given one or more pseudo-random numbers $z_i$, all $m$ bits of $x_i$ would be difficult to predict or determine. It is believed that if the PN generator outputs smaller pseudo-random numbers $z_i$ (i.e., smaller segments of $x_i$), less data is available to a cryptanalyst for predicting any other bits of $x_i$. The exact size of the pseudo-random number $z_i$ output depends on the degree of cryptographic security sought to be attained; that is, the value of $d$ is dependent upon the value of $c$.
Blum-Micali presented a PN generator which output pseudo-random numbers $z_i$ comprising only the most significant bit of $x_i$, i.e., $d = 1$. Blum-Micali showed that the degree of difficulty in breaking this PN generator is equivalent to the degree of difficulty in solving the discrete logarithm problem for the modular exponential function of $x_i$. Thus, if solving the discrete logarithm problem for $x_i$ is hard, then breaking Blum-Micali's PN generator (outputting pseudo-random numbers $z_i$ comprising only the most significant bit) is also hard.
By contrast, Peralta presented a successor PN generator which output pseudo-random numbers $z_i$ comprising the $\log_2 m$ most significant bits, i.e., $d = \log_2 m$. For example, if $x_i$ comprises 512 bits, then the PN generator would output pseudo-random numbers $z_i$ comprising no more than the nine (i.e., $\log_2 512$) most significant bits of $x_i$. Or if $x_i$ comprises 1024 bits, then the PN generator would output pseudo-random numbers $z_i$ comprising no more than the ten (i.e., $\log_2 1024$) most significant bits of $x_i$. Peralta showed that the degree of difficulty in breaking this PN generator is also equivalent to the degree of difficulty in solving the discrete logarithm problem for the modular exponential function of $x_i$. Thus, if solving the discrete logarithm problem for $x_i$ is hard, then breaking Peralta's PN generator (outputting pseudo-random numbers $z_i$ comprising only the $\log_2 m$ most significant bits) is also hard.
Although encryption processes that use the PN generators presented by Blum-Micali and/or Peralta are cryptographically secure, these PN generators output pseudo-random numbers $z_i$ comprising no more than $\log_2 m$ bits of $x_i$. Since $\log_2 m$ is a relatively small value, only small segments of a message can be encrypted for each pseudo-random number $z_i$ output by the PN generator. This results in a slower encryption process because more pseudo-random numbers $z_i$ must then be output to encrypt the entire message. Accordingly, there exists a need for a pseudo-random number generator that outputs larger pseudo-random numbers $z_i$ and is cryptographically secure.
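The generator of FIG. 1 (equation 1), the XOR encryption of message segments, and the throughput consequence of the output width $d$ for the Blum-Micali ($d = 1$) and Peralta ($d = \log_2 m$) choices, as an added example in Python; this is not code from the patent or from the cited authors. The prime P = 2^31 - 1, generator G = 7, seed and message are constructed toy values, far below the $k \ge 512$ and $m \ge 128$ the text derives, and provide no security. It assumes $m = k$ so that every $x_i < p$ fits in $m$ bits, takes Peralta's width as $\lfloor \log_2 m \rfloor$, and also checks the failure mode at the other end of the range: with $d = m$ each output is the whole state, so the next output follows from the previous one without any discrete logarithm.

```python
"""Toy model of the modular-exponentiation PN generator (equation 1) used
as an XOR keystream, with the output width d as a parameter.

Added example, not the patent's or the cited authors' code.  All parameters
are constructed toy values chosen to keep the arithmetic visible; they are
far below the k >= 512, m >= 128 the text derives and give no security.
"""

# Constructed toy parameters (assumptions, not from the page).
P = 2**31 - 1                    # k = 31-bit prime (the Mersenne prime M31)
G = 7                            # a known primitive root (generator) mod P
M = P.bit_length()               # m = k here, so every x_i < p fits in m bits
D_PERALTA = M.bit_length() - 1   # floor(log2 m): Peralta's width (4 for m = 31)
SEED = 0x2F6A1B3C                # constructed secret x_0 shared by both parties


def pn_generator(seed, d, p=P, g=G, m=M):
    """Yield z_i, the d most significant bits of x_i = g^(x_{i-1}) mod p."""
    if not 1 <= d <= m:
        raise ValueError("output width d must satisfy 1 <= d <= m")
    x = seed
    while True:
        x = pow(g, x, p)          # equation 1: x_i = g^{x_{i-1}} mod p
        yield x >> (m - d)        # z_i: the top d bits of the m-bit x_i


def first_outputs(seed, d, n):
    """The first n pseudo-random numbers z_1..z_n for a given width d."""
    gen = pn_generator(seed, d)
    return [next(gen) for _ in range(n)]


def keystream_bytes(seed, d, nbytes):
    """Pack successive z_i into nbytes of keystream (the XOR operand of
    FIG. 1).  Also returns how many modular exponentiations were needed,
    which is the cost the text's throughput argument is about."""
    gen = pn_generator(seed, d)
    out = bytearray()
    acc, nacc, steps = 0, 0, 0
    while len(out) < nbytes:
        acc = (acc << d) | next(gen)   # append d fresh keystream bits
        nacc += d
        steps += 1
        while nacc >= 8 and len(out) < nbytes:
            nacc -= 8
            out.append((acc >> nacc) & 0xFF)
            acc &= (1 << nacc) - 1     # keep only the not-yet-used bits
    return bytes(out), steps


def xor_crypt(data, seed, d):
    """Encrypt or decrypt (XOR is its own inverse) with a width-d keystream.
    Returns (output bytes, number of exponentiations spent)."""
    ks, steps = keystream_bytes(seed, d, len(data))
    return bytes(a ^ b for a, b in zip(data, ks)), steps


def exponentiations_per_message(nbytes, seed=SEED):
    """Modular exponentiations needed to encrypt nbytes for d = 1
    (Blum-Micali), d = floor(log2 m) (Peralta) and d = m (whole state)."""
    return {d: keystream_bytes(seed, d, nbytes)[1] for d in (1, D_PERALTA, M)}


def whole_state_output_is_predictable(seed=SEED):
    """Why d is capped: with d = m each z_i *is* x_i, so the next output
    follows from the previous one by a single exponentiation, with no
    discrete logarithm required.  Returns True when that prediction holds."""
    z1, z2 = first_outputs(seed, M, 2)
    return pow(G, z1, P) == z2


if __name__ == "__main__":
    msg = b"sixteen byte msg"             # constructed 16-byte (128-bit) message
    for d in (1, D_PERALTA, M):
        ct, steps = xor_crypt(msg, SEED, d)
        pt, _ = xor_crypt(ct, SEED, d)
        assert pt == msg
        print(f"d={d:2d}: {steps:3d} exponentiations for 128 bits")
    print("whole-state output predictable:", whole_state_output_is_predictable())
```

Run stand-alone, the script shows that a 128-bit message costs 128 exponentiations at $d = 1$, 32 at Peralta's $d = 4$, and 5 at $d = m$, which is the slowdown the text attributes to small $\log_2 m$ outputs; the last function shows why the other extreme cannot simply be chosen.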