1. Introduction

2. Physical Sources of Randomness

3. Pseudorandom Number Generation

3.2. Cryptographically Secure Generators

Since cryptographically secure PRNGs are accompanied by strong security (unpredictability) evidence, we present some of the most powerful cryptographically secure PRNGs and we discuss design directions for the construction of such PRNGs.

3.2.1. The BBS Generator

The BBS generator, proposed by L. Blum, M. Blum and M. Shub in [3], is one of the most often deployed cryptographically strong PRNGs. Its security (unpredictability) is founded on the difficulty of the Quadratic Residue problem.

For every integer N, $\left|N\right|$ is its length in bits and ${\left|N\right|}_b$ its length in base $b>2$. If $\Sigma =\{0,1,\cdots ,b-1\}$, ${\Sigma }^{★}$ is the set of finite sequences with elements from $\Sigma$ and ${\Sigma }^{\infty }$ the set of sequences with an infinite number of elements from $\Sigma$. Also, we define ${\Sigma }^k=\{x\in {\Sigma }^{★}:\left|x\right|=k\}$, i.e. the set of finite sequences of length k. For all sequences $x\in {\Sigma }^{\infty }$, with $x^k$ we denote the initial part of the sequence x of length k (i.e. its first k elements) and with $x_k$ we denote the k-th element of x (its first element is $x_0$).

With $xmodN$ we denote the smallest nonnegative integer remainder from dividing x by the integer N. A quadratic residue $modN$ is any number x for which there exists an integer u such that $x=u^{2}modN$. Recall that $Z_N^{*}=\{$integers $x\mid 0<x<N$ and $gcd(x,N)=1\}$, i.e. the set of integers which are smaller than N and relatively prime with N. The set $Z_N^{*}$ has order, i.e. number of elements, equal to $\varphi \left(N\right)$. The set of quadratic residues $modN$ will be denoted by $QRN$. This is a subset of $Z_N$ and has order $\frac{\varphi \left(N\right)}{4}$. Additionally, with $Z_N^{*}(+1)$ we will denote the subset of $Z_N^{*}$ consisting of its elements which have a Jacobi symbol equal to 1 and with $Z_N^{*}(-1)$ the subset of its elements $Z_N^{*}$ which have Jacobi symbol $-1$. All quadratic residues $modN$ belong in the subset $Z_N^{*}(+1)$.

Each quadratic remainder $u^{2}modN$ has four different roots in $Z_N$, which are $\pm umodN$ and $\pm ymodN$. If, however, we assume that $N\equiv 3mod4$, then every quadratic residue has exactly one square root, which is also a quadratic residue. In other words, the function $f\left(x\right)=x^{2}modN$ is a $1-1$ and onto mapping (i.e. bijection) from $QRN$ to itself.

Finally, we state the definition of Carmichael’s function, which will then also be needed for the concept of special primes. Carmichael’s $\lambda$-function [8] is closely related to Euler’s totient function. However, while Euler’s totient function $\varphi \left(n\right)$ provides the order of the unit group $U(\mathbb{Z}/n\mathbb{Z})$, Carmichael’s function $\lambda \left(n\right)$ provides its exponent. In other words, $\lambda \left(n\right)$ is the smallest positive integer for which it holds that $a^{\lambda \left(n\right)}\equiv 1(modn)$ for any a which is coprime to n. Carmichael’s $\lambda$ function is not multiplicative but has a related property which can be called lcm-multiplicative, as follows:

$$\lambda \left(\mathrm{lcm}\right[m,n\left]\right)=\mathrm{lcm}\left[\lambda \right(m),\lambda (n\left)\right],\mathrm{for}\mathrm{each}\mathrm{pair}\mathrm{of}\mathrm{positive}\mathrm{integers}m,n.$$

(5)

Some special values include $\lambda \left(p^k\right)=\varphi \left(p^k\right)$, for $p^k$ an odd prime power, $\lambda \left(1\right)=\lambda \left(2\right)=1$, $\lambda \left(4\right)=2$, as well as $\lambda \left(2^k\right)=2^{k-2}$ for $k\ge 3$. Based on these special values and Equation (5), $\lambda \left(n\right)$ can be computed for any positive integer n.

A prime number P is called special if $P=2P_1+1$ and $P_1=2P_2+1$, where $P_1,P_2$ are primes greater than 2. A composite number $N=PQ$ is special if and only if P, Q are two distinct special primes and $PQ\equiv 3mod4$.

The set $\mathcal{N}$ of the generator parameters consists of all positive integers $N=PQ$, where P, Q are distinct prime numbers of equal length (i.e. $\left|P\right|=\left|Q\right|$) and $PQ\equiv 3mod4$. For any integer N, the set $X_N=\{x^{2}modN:x\in Z_N^{*}\}$ is the set consisting of the quadratic residues $modN$. The domain of the generator seeds will be $X=\{X_N\mid N\in \mathbb{N}\}$. The seeds should be selected from X according to the uniform distribution for increased generator security.

Given as input a pair $(N,x_0)$, the BBS pseudorandom number generator will output a pseudorandom sequence of bits $b_0{b}_1{b}_2\cdots$ where $b_i=Parity\left(x_i\right)$ and $x_i+1=x_i^{2}modN$. $Parity\left(x\right)$ is the least significant bit of the integer x. The construction of the pseudorandon sequence obviously takes place in polynomial time. As it is shown in [3], the period $\pi$ of the pseudorandom sequence divides or is equal to (under some condition) $\lambda \left(\lambda \right(N\left)\right)$. Given $x_0,N$ and $\lambda \left(N\right)$ we can efficiently calculate $x_i=x_0^{2^i}modN=x_0^{2^{i}mod\lambda \left(N\right)}modN$ for $i>0$. To calculate $x_i$ for $i<0$ we use the equality $x_i=x_{imod\lambda \left(\lambda \right(N\left)\right)}$. As we will see below, if $x_0$ and N are known, but not the values of P and Q, we can construct the pseudorandom sequence forward (i.e. for $i>0$) but not backwards (for $i<0$). thus, it appears that the prediction of the sequence is as hard as factoring a large integer $N=PQ$. Alexi et al. [1] proved that the BBS generator remains cryptographically secure even if it outputs up to $O(loglogN)$ low order bits instead of only one. With this result, the generator’s efficiency is greatly improved. Practically, a BBS generator can be realized as follows:

• Find primes p and q such that $p\equiv q\equiv 3$ mod 4
• Set $N=pq$
• Start with $x_0$ = seed (a truly random value), $i=0$
• Set $x_i=x_{i-1}^2$ mod N
• Output the least significant bit of $x_i$
• Set $i=i+1$, go to step 3

Now regarding the security of this generator, as mentioned above in the introduction, all cryptographically secure generators base their security on the difficulty of solving number theory problems. This problem in the case of the BBS generator is the Quadratic Residuosity Problem. The problem is defined as follows: given N and $x\in Z_N^{*}(+1)$, decide whether x is a quadratic residue $modN$. Recall that exactly half the elements of $Z_N^{*}(+1)$ are quadratic residues.

The Quadratic Residuosity Assumption states that any efficient algorithm for solving the quadratic residuosity problem would give wrong results for at least a percentage of the inputs to the algorithm. More formally, the assumption is as follows: let $poly\left(\right)$ be a polynomial and $P[N,x]$ a polynomial algorithm which when given as input N and x, with $\left|N\right|=\left|x\right|=n$, returns 0 if x is not a quadratic residue $modN$ and 1 otherwise. Also let $0<\delta <1$ be a constant and t a positive integer. Then for n very large and for a fraction d of the numbers N with $\left|N\right|=n$, the probability that the process $P[N,x]$ gives the wrong answer for the integer x (given that x is chosen according to the uniform distribution from $Z_N^{*}(+1)$), exceeds $\frac{1}{n^t}$, that is $\frac{\sum Prob\left(P\right[N,x\left]isnotcorrect\right)}{\frac{\Phi \left(N\right)}{2}}>\frac{1}{n^t}$. The quantity $\frac{1}{n^t}$ can be replaced by $\frac{1}{2}-\frac{1}{n^t}$.

The details of the discussion that follows can be found in [3]. We, also, recall that in what follows, $N=PQ$, with P, Q prime numbers and $PQ\equiv 3mod4$, and that the function $f\left(x\right)=x^{2}modN$ is a $1-1$ mapping from QRN to QRN.

According to the definition of the BBS generator, knowledge of N is sufficient for the efficient generation of the sequence $x_0,x_1,\cdots$ starting from a seed value $x_0$. However, knowing only N and not its two factors P and Q does not suffice for the generation of the sequence in reverse direction, i.e. the sequence $x_0,x_1,x_2,\cdots$ starting from $x_0$. For this purpose, the factors P and Q are needed. This necessity follows from the following argument: Suppose that we can efficiently calculate $x_1$ without knowing the factors of N. Then in order to factor N we choose an $x\in Z_N(-1)$, we set $x_0=x_{2}modN$ and calculate $x_1$. We then compute $gcd(x+x_1,N)=P$ or Q. Therefore, the ability to compute $x_1$ for at least a percentage of the values of x would allow us to factor N efficiently with a high probability of success.

On the other hand, if we could factor N, we could generate the pseudorandom sequence backwards. This fact follows from the following theorem: There exists an efficient deterministic algorithm A which when given as inputs N, the factors P and Q, and any quadratic residue $x_0\in Z_N$, computes the unique quadratic residue $x_{1}modN$ for which $x_1^{2}modN=x_0$. In other words, $A(P,Q,x_0)=x_1$.

Moreover, the factors of N are necessary to have an $ϵ$-advantage in finding the parity bit of $x_1$ in polynomial time, given $x_0$. A probabilistic process P that returns 0 or 1 is said to have $ϵ$-advantage, with $0<{ϵ}^{\frac{1}{2}}$ in guessing the parity bit of $x_1$, if and only if $\frac{\sum Prob(P[N,x_0]=parity\left(x_1\right))}{\frac{\Phi \left(N\right)}{4}}>\frac{1}{2}+ϵ$. Similarly, we can define a probabilistic procedure that would have an $ϵ$-advantage in deciding whether some $x\in Z_N^{*}(+1)$ is a quadratic residue (which is the quadratic residuosity problem). More simply, we would say (according to a lemma of [3]) that, an $ϵ$-advantage in finding the parity bit of $x_1$ can be converted into an $ϵ$-advantage for the quadratic residuosity problem.

In [3] a theorem is given which proves the unpredictability of the BBS generator. By this theorem, for any constant $0<\delta <1$ and any positive integer t, any probabilistic polynomial process P has at most a $\frac{1}{n^t}$ advantage in predicting the sequences generated by BBS backwards (for sufficiently large $n=\mid N\mid$ and for all but a fraction $\delta$ of N). In short, if the BBS generator were predictable, the quadratic residuosity assumption described previously would not hold. For this reason, the generator can be safely assumed to, also, pass every probabilistic, polynomial, statistical test on its long term output.

Having shown that the output of the generator cannot be efficiently predicted, it remains to calculate its period. The fact that the sequence $x_0,x_1,x_2,\cdots$ cannot be predicted shows that the period of $\pi \left(x_0\right)$ should be very large. According to a theorem proved in [3], the period $\pi \left(x_0\right)$ divides $\lambda \left(\lambda \right(N\left)\right)$. However, it would be best for the period to be as long as possible, i.e. equal to $\lambda \left(\lambda \right(N\left)\right)$. The equality $\pi \left(x_0\right)=\lambda \left(\lambda \left(N\right)\right)$ can indeed hold under two conditions. The first is that the integer N is special as defined earlier and the second is to choose a seed $x_0$ so that its order is equal to $\lambda \left(N\right)/2$.

Finally, we define the linear complexity of a sequence of pseudorandom numbers $x_0,x_1,\dots$ the smallest number L for which the linear relationship

$$x_{n+L}=a_{L-1}{x}_{n+L-1}+\dots +a_0{x}_0$$

holds for $n=1,2,\cdots$.

The linear complexity of any pseudorandom sequence does not exceed the period of the sequence. Obviously, the higher the linear complexity of a sequence is, the more cryptographically secure it is with respect to prediction of its output. As demonstrated in [22], the BBS generator does not exhibit any particular form of linear structure, a property which excludes the possibility of applying attacks such as the Lattice Reduction attack on its outputs.

3.2.2. The RSA/Rabin Generator

The second cryptographically secure generator is the RSA/Rabin generator. It is based on the RSA function and it works as follows:

• Find primes p and q as well as a small prime e such that $gcd\left(\right(p-1\left)\right(q-1),e)=1$
• Set $N=pq$
• Start with $x_0$ = seed (a truly random value), $i=0$
• Set $x_i=x_{i-1}^e$ mod N
• Output the least significant bit of $x_i$
• Set $i=i+1$ and repeat from Step 3

The RSA/Rabin generator is cryptographically secure under the RSA function assumption. According to this assumption, given N, e and y, where $y=x^{e}modN$, the problem of determining x is computationally intractable. More details about this generator can be found in [1].

3.2.3. Generators Based on Block-Ciphers

The other two generators that are deployed in the lottery are based on the encryption algorithms DES and AES. The implementations provided by version 2.5.3 of the mcrypt library (available at [17]) was used with key sizes 64 bits for DES and 192 bits for AES.

DES and AES are used in their CFB (Cipher-text Feed-Back) mode and they are operated as follows. An initial random seed is constructed from the combined output of the true random generators and then DES and AES are invoked, using the seed as the Initial Vector (IV), as many times as the values we need to generate. In particular, every time the encryption function is called, a byte with all zeros is encrypted (always in CFB mode) and the encryption result is the output of the corresponding generator.

The cryptographic strength of these two generators is based on the security of the corresponding encryption algorithms and not on a presumed computationally hard mathematical problem, like RSA and BBS. However, both generators have passed, separately, all the Diehard tests and, thus, their output is considered secure.

Bruce Schneier et al. in [18] present the design and analysis of the Yarrow cryptographically secure PRNG. Yarrow relies on a one-way hash function $h\left(x\right)$ with an m-bit digest and a block cipher $E\left(\right)$ with a k-bit key and an n-bit block size. The designer should select an one-way hash function that is collision intractable (e.g. one from the SHA-2 family of hash functions) and a block cipher (e.g. AES) that is highly resistant to known-plaintext and chosen-plaintext attacks.

The major components of Yarrow are an entropy accumulator that collects samples from entropy sources in two pools, a reseed mechanism that periodically reseeds the key with new entropy from the pools, and a block-cipher based generation mechanism that generates random numbers (Figure 1). The basic idea behind the generation mechanism is that if an attacker does not know the block-cipher key he cannot distinguish the generated outputs from a truly random sequence of bits.

The entropy accumulator determines the next unguessable internal state of the PRNG. Each source of entropy sends samples to the entropy accumulator and their hashed values are stored to either a fast pool or a slow pool. The fast pool is used for frequent key reseeding while the slow one for rare reseeding. It is obvious that the collected entropy is no more than the size of the hash digest, i.e m-bit entropy. Initially, the entropy accumulator collects samples until the collected estimated entropy is high enough for reseeding the block cipher with a new key. Recommendations for entropy estimation can be found in [23].

3.2.4. Algorithms M and B

Given two sequences of pseudorandom numbers X and Y, algorithm M will produce a sequence $X^{\prime }$ significantly “more random”. Essentially the numbers in $X^{\prime }$ are the same as those that make up X except that they are in a different positions (i.e. they form a permutation of the original sequence X) in the new sequence. These positions are dictated by the sequence Y.

More specifically, an array N with k elements is formed, where k is an integer depending on the application, often close to 100. The elements in the array N are the first k elements of the sequence X. The steps of the algorithm M (applied iteratively) are the following:

It turns out that in most cases the period of the sequence produced by algorithm M is the least common multiple of the periods of sequences X and Y.

However, there is a more effective way to transpose the elements of a sequence X. The corresponding algorithm is called AlgorithmB. It is similar to M, but it achieves better results in practice. At the same time it has the advantage that only one sequence of pseudorandom numbers is needed and not two, as in the case of M.

Initially (as in M) the first k elements of the sequence X are placed in the array N. Then the variable y takes the value $X_k$ and the following steps are applied iteratively:

• $j=\lfloor \frac{ky}{m}\rfloor$, where m is the modulus of the sequence X.
• $N\left[j\right]$ is the next new element of the sequence $X^{\prime }$,
• We set $y=N\left[j\right]$ and $N\left[j\right]$ is set to the next element of the sequence X.

Although algorithm M can produce satisfactory pseudorandom number sequences given, as input, even non-random sequences (e.g. the Fibonacci numbers sequence, for example), it is still likely to produce a less random sequence than the original sequences if they are strongly correlated. Such issues do not arise with algorithm B. Algorithm B does not, in any way, reduce the “randomness” of the given sequence of pseudorandom numbers. On the contrary, it increases it with a small computational cost. For these reasons it is recommended to use algorithm B with any PRNG.

A notable disadvantage of algorithm M and B algorithms is that they only modify the order of the numbers in a sequence and not the numbers of the sequences themselves. Although for most applications the ordering of the numbers is important, if the initial generators we choose do not pass some basic statistical tests, permuting their elements with the M and B algorithms will not render them stronger. For this reason, in applications which require pseudorandom number sequences with strong randomness properties with theoretical guarantees that imply unpredictability, it is better to deploy cryptographically secure PRNGs, such as BBS and RSA using, optionally, algorithms M and B.

4. Randomness Tests

4.1. Practical Statistical Tests

In this section, we will present a number of statistical tests described in Knuth’s book [12]. Most of the tests, however, suit mainly truly random number sequences while some of the test parameters are not provided numerically. Thus, we follow the modifications of these tests as described in [13] which are appropriate for integer number sequences while specific parameter values are provided for the tests.

In particular, the basic theory of tests for real number sequences is provided in [12]. The proposed applicability criteria are, also, suitable for integer sequences as well in some tests. However, integer sequences cannot be tested since the same assumptions as for real number sequences since they may not be applicable to them. For instance, the Permutation Test gives test probabilities based on the premise that no two consecutive terms of the tested sequence can be equal. However, for integer sequences, equality of consecutive terms may occur with a non-negligible probability. Thus, in [13] new combinatorial calculations were developed in order to adapt Knuth’s test suite to integer and binary sequences. Additionally, some of the required parameters for the tests, such as sequence length, alphabet size, block size, and other similar parameters, are, also, provided in [13]. Taking into account the aforementioned issues, the authors of [13] provide the test details and required probability calculations for testing binary and integer sequences, which are of interest for our purposes.

Each of the tests is applied, in general, to a sequence $<U_n>=U_0,U_1,\cdots ,U_{n-1}$ of real numbers which, assumedly, have been chosen independently from the uniform distribution in the interval $(0,1)$. However, some of the tests are designed for sequences of integers rather than sequences of real numbers. If this is the case, we form the auxiliary integer sequence $<Y_n>=Y_0,Y_1,\cdots ,Y_{n-1}$, where $Y_n=\lfloor d{U}_n\rfloor$. Accordingly, this sequence has been, assumedly, produced, by independent choices from the uniform distribution over the integers $0,1,\dots d-1$. The parameter d should be sufficiently large so as the tests’ results are meaningful for our PRNGs (e.g. the $Y_i$’s fall in the PRNG’s range) but not so large as to render the test infeasible in practice.

Below, we discuss some of the tests in Knuth’s book [12]. One may, also, consult their modified form provided in [13]. We first discuss two fundamental tests which are used in combination with other empirical test that we describe afterwards.

4.1.1. The “Chi-Square” Test

In probability theory and statistics, the “chi-squared” distribution, also called “chi-square” and denoted by ${\chi }^2$, with k degrees of freedom is defined as the distribution of the sum of the squares of k standard normal random variables. The “chi-square” distribution of k degrees of freedom is, also, denoted by ${\chi }^2\left(k\right)$ or ${\chi }_k^2$. The “chi-squared” distribution is one of the most frequently used probability distributions in statistics, e.g. in hypothesis testing and in the construction of confidence intervals.

In our case, the “chi-square” distribution is used to evaluate the “goodness-of-fit” of the monitored frequencies of a sequence of observations to the expected frequencies of the distribution under test (this is the hypothesis). The test statistic (stochastic distribution) is of the form ${\chi }^2=\sum {((o_i-e_i)}^2/e_i)$, where $o_i$ and $e_i$ are the observed and expected frequencies of occurrence, correspondingly, of the observations. This Chi-Square test is one of the most widespread statistical tests of a sequence of data derived from observations of a phenomenon, in general. In our case, this phenomenon is the source of pseudorandom numbers and our data is the generated numbers.

We assume the following:

• Each observation can belong to one of k categories.
• We have obtained n independent measurements.

According to this test, we perform n independent observations from the source of data (n should be large enough). In our case, the observations will be the pseudorandom numbers. Then, we count how many times each number appeared. Let us assume that the number s appeared $Y_s$ times. Also, let $p_s$ be the probability of appearance of the number s. We calculate the following statistical indicator (we assume that the numbers generated by the pseudorandom number generator are within the range $1,\dots ,m$):

$$\begin{array}{c}\hfill V=\sum _{1\le s\le m}\frac{{(Y_s-n{p}_s)}^2}{n{p}_s}=\frac{1}{n}\sum _{1\le s\le m}\left(\frac{Y_s^2}{p_s}\right)-n.\end{array}$$

(7)

Next, we compare V to the entries of the distribution tables of ${\chi }^2$ with the parameter k (the degree of freedom) equal to $m-1$. If V is less than the table entry corresponding to 99% or greater than the entry corresponding to 1%, then we do not have sufficient randomness. If it is between the entries of 99% and 95%, then insufficient randomness may exist. A value below 95% is a good indication that the numbers under testing are close to random.

Knuth suggests applying the test for a sufficiently large values of n. Also, for test reliability purposes, he suggests, as a rule of thumb, that n should be sufficiently large to render the expected values of $n{p}_s$ greater than 5. However, a large value of n presents some undesirable properties, such as locally non-random behavior through, for instance, an entrance into a cycle in the sequence. This fact is addressed not by using smaller value for n but by applying the test for several different large values of n.

4.1.2. The Kolmogorov-Smirnov Test

The “Kolmogorov-Smirnov” test measures the maximum difference between the expected and the actual distribution of the given number sequence. In simple terms, the test checks whether a dataset (a PRNG sequence in our case) comes from a particular probability distribution.

In order to approximate the distribution of a random variable X, we target the distribution function $F\left(x\right)$, where $F\left(x\right)=Pr(X\le x)$. If we have n different independent observations of X then from the values corresponding to these observations $X_1,X_2,\cdots ,X_n$ we can, empirically, approximate the function $F_n\left(x\right)$ as follows:

$$F_n\left(x\right)=\frac{\mathrm{The}\mathrm{number}\mathrm{of}{X}_1,X_2,\cdots ,X_n\mathrm{that}\mathrm{is}\le x}{n}.$$

To apply the “Kolmogorov-Smirnov” test we use the following statistical quantities:

$$K_n^{+}=\sqrt{n}\underset{-\infty <x<\infty }{max}(F_n\left(x\right)-F\left(x\right))$$

$$K_n^{-}=\sqrt{n}\underset{-\infty <x<\infty }{max}(F\left(x\right)-F_n\left(x\right))$$

where $K_n^{+}$ measures the maximum deviation when $F_n$ is greater than F and $K_n^{-}$ measures the maximum deviation when $F_n$ is less than F.

The test applies, subsequently, the following steps, based on these functions:

• First, we take n independent observations $X_1,X_2,\cdots ,X_n$ corresponding to a certain continuous distribution function $F\left(x\right)$.
• We rearrange the observations so that they occur in non-descending order $X_{i_1}{X}_{i_2}\cdots X_{i_n}$.
• The desired statistical quantities are given by the following formulas:

  $$K_n^{+}=\sqrt{n}\underset{1\le j\le n}{max}\left(\frac{j}{n}-F\left(X_{i_j}\right)\right)$$

  $$K_n^{-}=\sqrt{n}\underset{1\le j\le n}{max}\left(F\left(X_{i_j}\right)-\frac{j-1}{n}\right)$$

After we have calculated the quantities $K_n^{+}$ and $K_n^{-}$,we compare them to the values in the test’s tables in order to decide whether the given sequence is uniformly random or not. Knuth recommends to apply the test with $n=1000$ using only two decimal places of precision.

Further to these two fundamental tests, we give below some more empirical tests which are used in conjunction with them.

4.1.3. Equidistribution or Frequency (Monobit) Test

This test checks if number of occurrences of each element, i.e. number produced by the PRNG, a is as it would be expected from a random sequence of elements. The Monobit case examines bits, i.e. it is applied on bit sequences but it can, also, be applied to any number range. Knuth suggests two methods for applying the test:

• Using the “Kolmogorov-Smirnov” test with distribution function $F\left(x\right)=x$, for $0\le x<d$.
• For each element a, $0\le a<d$, we count the number of occurrences of a in the given sequence and then we apply the “chi-square” test with degree of freedom $k=d-1$, and probability $p_a=\frac{1}{d}$ for each element (“bin”).

4.1.4. Serial Test

The serial test is, actually, an Equidistribution test for pairs of elements of the sequence, i.e. for alphabet (element) size $d^2$. Thus, the serial test checks that the pairs of numbers are uniformly distributed. For PRNGs with binary output, for instance, where $d=2$, the test checks whether the distribution of the pairs of bits, i.e. $(00,01,10,11)$ is as expected.

The test is applied in the following way:

• We count the number of times that pairs $(Y_{2j},Y_{2j+1})=(q,r)$ occur, for $0\le j\le n$, $0\le q,r<d$.
• We apply the “Chi-Square” test with $d^2-1$ degrees of freedom and probability $\frac{1}{d^2}$ for each category (i.e. $(q,r)$ pair).

For the application of the test, the following considerations apply:

• The value of n should be, at least, $10d^2$.
• The test can also be applied to groups of triples, quadruples, etc. of consecutive generator values.
• The value of d must be limited in order to avoid the formation of many categories.

4.1.5. Gap Test

This test counts the number of elements, or gap, that appear between successive appearances of particular elements in the sequence and then uses the Kolmogorov-Smirnov test to compare with the expected, from a random sequence, number of gaps. In other words, the test checks whether the gaps between specific numbers follows the expected distribution. In Knuth’s book, the test is defined for sequences of real numbers by examining the length of gaps between occurrences of $U_j$ over a specific range of these elements. As we discussed above, the test can easily transformed into a test for integer values.

In particular, if a, b two real numbers with $0\le a<b\le 1$, our goal is to examine the lengths of consecutive subsequences $U_j,U_{j+1},\cdots ,U_{j+r}$ such that $U_{j+r}$ is between a and b while all the other values are not. Thus, this subsequence of $r+1$ exhibits a gap of length r. In what follows, we give the algorithm that, given a, b and a sequence $U_0,U_1,\dots$ of real numbers, counts the number of gaps, as defined above, with lengths ranging over $0,\dots ,t-1$ as well as the number of gaps of length at least t, until n gaps have been computed.

Note that the algorithm terminates only when n gaps have been located (see step 6).

After the algorithm has terminated, we will have calculated the number of gaps of lengths $0,1,\dots ,t-$ and and of lengths at least t, in the array variables

$$COUNT\left[0\right],COUNT\left[1\right],\dots ,COUNT\left[t\right].$$

We can, now, apply the “Chi-Square” test with $k=t+1$ degrees of freedom using the, expected from a random sequence, probabilities below:

$$p_r=p{(1-p)}^r,0\le r\le t-1,p_t={(1-p)}^t.$$

(8)

In the probabilities in (8), we set $p=b-a$ which is the probability of the event $a\le U_j<b$. As stated in [12], the values $n,t$ are selected so that $COUNT\left[r\right]$ is expected to be at least 5 (preferably more than 5).

4.1.6. Poker Test

The Poker test proposed by Knuth involves checking n groups of five successive elements $\{Y_{5j},Y_{5j+1},Y_{5j+2},Y_{5j+3},Y_{5j+4}\}$, $0\le j<n$, with respect to whether one of the following seven element patters appears in them, where ordering does not matter:

• All 5 elements are distinct.
• There is only one pair of equal elements.
• There are two distinct pairs of equal elements each.
• There is only one triple of equal elements.
• There is a triple of equal elements and a pair of equal elements, different from the element in the triple.
• There is one one quadruple of equal elements.
• There is a quintuple of equal elements.

In other words, we study the distinctness of the numbers in each group of five elements. Next, we apply the “Chi-Square” test for the number of quintuples in the n groups 5 consecutive elements that fall within each of the 7 categories defined above.

We can generalize the reasoning of the test discussed above by considering n groups of k successive elements, instead of 5. Then we can calculate the number of k-tuples of successive elements which have rdistinct values. The probability $p_r$ for this event is given by the following equation (see [12] for the proof):

$$p_r=\frac{d(d-1)\cdots (d-r+1)}{d^k}\left\{\begin{array}{c}k\\ r\end{array}\right\}.$$

See Equation 6 for the computation of $\left\{\begin{array}{c}k\\ r\end{array}\right\}$, i.e. the Stirling numbers of the second kind.

4.1.7. Coupon Collector’s Test

Using the sequence $Y_0,Y_1,\cdots ,Y_n$, the Coupons collector’s test computes the lengths of the segments $Y_{j+1},\cdots ,Y_{j+r}$ required to obtain the complete set of integers from 0 up to $d-1$.

• Given the PRNG sequence $Y_0,Y_1,\cdots$, where $0\le Y_j\le d-1$, we count the lengths of n consecutive “coupon collector” samplings using the algorithm that follows. In the algorithm, $COUNT\left[r\right]$ is the number of segments of length r, $d\le r<t$, while $COUNT\left[t\right]$ is the number of segments of length at least t.
  Algorithm description:
  
• After the algorithm has counted n lengths, we apply the “Chi-Square” test to
  $COUNT\left[d\right],COUNT[d+1],\cdots ,COUNT\left[t\right]$ (i.e. the number of coupon collection steps of length r) with $k=t-d+1$ (degrees of freedom). The propabilities that correspond to these events are the following (see [12] for the derivation):

  $$p_r=\frac{d!}{d^r}\left\{\begin{array}{c}r-1\\ d-1\end{array}\right\}\mathrm{where}d\le r<t\mathrm{and}{p}_t=1-\frac{d!}{d^{t-1}}\left\{\begin{array}{c}t-1\\ d\end{array}\right\}.$$

4.1.8. Permutation Test

The Permutation test calculates the frequency of appearance of em permutations, i.e. different arrangements, of successive elements in a given number sequence.

More specifically, we divide the numbers of the given sequence into n groups of t elements each, i.e. we form the sets of t-tuples $U_{jt},U_{jt+1},\cdots ,U_{jt+t-1}$, $0\le j<n$. For each t-tuple we may have $t!$ possible permutations or categories. The test counts the frequency of appearance of each such permutation.

Note that for this test it is assumed that all numbers are distinct. This is justifiable if the $U_i$’s are real numbers (since the probability of equality of two real numbers is zero) but not justifiable for integer sequences. See [13] for a discussion of how to alleviate this assumption for the integer sequences of PRNGs.

The frequency of appearance of each permutation or category is calculated by the algorithm P below (see [12] for more details). The algorithm is given a sequence $U_1,U_2,\cdots ,U_t$ of distinct elements. Then it computes an integer $f(U_1,U_2,\cdots ,U_t)$ for which the following is satisfied: $0\le f(U_1,U_2,\cdots ,U_t)\le t!$ and $f(U_1,U_2,\cdots ,U_t)=f(V_1,V_2,\cdots ,V_t)$ if and only if $U_1,U_2,\cdots ,U_t$ and $V_1,V_2,\cdots ,V_t$ have the same relative ordering.

The steps of the algorithm are the following:

Finally, we apply the “Chi-Square” test for $k=t!$ degrees of freedom with probability of each permutation (category) equal to $\frac{1}{t!}$ (see [12] for more details).

4.1.9. Run Test

The Run test checks the lengths of maximal monotone subsequence of the given sequence, i.e. monotonically increasing or decreasing or “runs-up” and “runs-down” respectively. In other words, we consider the length of these monotone runs.

Note, however, that in the Run test we cannot not apply the “Chi-Square” test to the lengths of the monotone runs since they are, in general, not independent. Usually, a long run is followed by a short run etc. In order to handle this difficulty we apply the following procedure, which takes as input a sequence $(U_0,U_1,\cdots ,U_{n-1})$ of distinct real numbers:

• We use an algorithm that measures the lengths of the monotone runs (this is easy to accomplish).
• After the lengths have been computed, we calculate the statistical indicator V as follows:

  $$V=\frac{1}{n-6}\sum _{1\le i,j\le 6}(COUNT\left[i\right]-n{b}_i)(COUNT\left[j\right]-n{b}_j)a_{ij}.$$
  The values $a_{ij},b_i$ and $b_j$ are specific constants, which are given in [12] in matrix form. The value of V is expected to obey the “Chi-Square” distribution with six degrees of freedom and sufficiently large n, e.g. $n>4000$.

The same test can be applied to “runs-down”.

4.1.10. The Maximum t Test

The Maximum t test checks if the distribution of the maximum of t random numbers is as expected. The test works as follows, iterating over n subsequences of t values:

• We take the maximum value of the given t numbers, i.e. for all n subsequences, $0\le j<n$, $V_j=max(U_{jt},U_{jt+1},\cdots ,U_{jt+t-1})$.
• We apply the “Kolmogorov-Smirnov” test to the sequence of maximums $V_0,V_1,\cdots ,V_{n-1}$ with distribution function $F\left(x\right)=x^t$, $x\in [0,1]$. As an alternative, we can apply the Equidistribution test to the sequence $V_0^t,V_1^t,\cdots ,V_{n-1}^t$.

The verification of the test is to show that the distribution function of the $V_j$’s is $F\left(x\right)=x^t$. This is beacause the probability of the event $max(U_1,U_2,\cdots ,U_t)\le x$ is equal to the probability of the independent events $U_1\le x,U_2\le x,\dots ,U_t\le x$ which is equal to the product of the individual probabilities, all equal to x, which gives $x^t$.

4.1.11. Collision Test

The Collision test checks the number of collisions produced by the elements of a given number sequence. We want the number of collisions to be neither too high nor too low. Below, we explain the term collision and highlight the workings of the tetst.

The general experiment we consider is throwing balls in bins at random. When two balls appear in a single bin, we have a collision. In our case, the bins are the test categories and the balls are the sequence elements or observations to be placed into the bins or categories. In the Collision test the number of categories is assumed to be much larger than the number of observations (i.e. distinct numbers in the sequence). Otherwise, we can use direct “Chi-square” tests on the categories as before.

More specifically (see [12]) let us fix, for concreteness, the number of bins or categories m to be $2^{20}$ and the number of balls or observations n to be equal to $2^{14}$. In our experiment, we throw at random these n balls into the m bins. To this end, we will convert the U sequence of real numbers into a corresponding Y sequence of integers for an appropriate choice of d (see discussion in the beginning of Section 4.1).

In this example, we will evaluate the generator’s sequence in a 20-dimensional space using $d=2$, i.e. forming vectors of 20 elements 0 or 1. Each vector j has the form $V_j=Y_{20j},Y_{20j+1},\cdots ,Y_{20j+19}$, with $0\le j<n$.

Given m and n, the test uses an algorithm (see [12] to determines the distribution of the number of collisions caused by the n balls (20-dimensional vectors) when they are placed, at random, into the m bins. The corresponding probabilities are provided similarly as in the Poker test. The probability that c collisions occur in a bin is the probability that $n-c$ bins are occupied, which is given by

$$\frac{m(m+1)\cdots (m-n+c+1)}{m^n}\left\{\begin{array}{c}n\\ n-c\end{array}\right\}.$$

Since n and m are very large, it is not easy to compute these probabilities using the definition of the Stirling numbers of the second kind as given by Equation 6. Knuth has proposed a simple algorithm, called Algorithm S (see [12]) to approximate these probabilities through a process which simulates the placement of the balls into the bins.

4.1.12. Birthday Spacings Test

This test was proposed by G. Marsaglia in 1984 and it is included in the Diehard suite of tests. As in the Collision test, in the Birthday spacings test we randomly throw n balls into m bins. However, in this test the parameter m, the bins, represents the number of available “days in a year” and the parameter n represents “birthdays”, i.e. choices of days in a year.

We start by arranging the dates given n birthdays into of birth in non-descending order. That is, if the birthdays are $(Y_1,Y_2,\cdots ,Y_n)$, where $0\le Y_k<m$, they are sorted into non-decreasing order, say $Y_{\left(1\right)}\le Y_{\left(2\right)}\le \cdots \le Y_{\left(n\right)}$. Then we define the successive spacings between birthdays $S_1=Y_{\left(2\right)}-Y_{\left(1\right)},\cdots ,S_{n-1}=Y_{\left(n\right)}-Y_{(n-1)},S_n=Y_{\left(1\right)}+m-Y_{\left(n\right)}$ We, subsequently, rearrange the spacings into non-decreasing order, say $S_{\left(1\right)}\le S_{\left(2\right)}\le \cdots \le S_{\left(n\right)}$. Finally, we compute the distribution of the random variable R which counts the number these spacings which are equal: it is defined as the number of indices j, $1<j\le n$, such that $S_{\left(j\right)}=S_{(j-1)}$. This distribution of R depends on the specific values of m and n and we can focus on the cases $R=0,1,2$ and at least 3 (see [12]).

As suggested by Knuth, we repeat the test 1000 times and compare the distribution of R found empirically with this procedure with the theoretical distribution using the “Chi-square” test with $k=3$ degrees of freedom.

4.1.13. Serial Correlation Test

The idea behind the Serial Correlation test is to calculate the serial correlation coefficient, which is a statistical indicator of the degree to which the value of $U_{j+1}$, of a real number sequence, depends on the previous value $U_j$.

For a given sequence of numbers $U_1,U_2,\dots ,U_{n-1}$, the serial correlation coefficient is given by the formula below:

$$C=\frac{n(U_0{U}_1+U_1{U}_2+\cdots +U_{n-2}{U}_{n-1}+U_{n-1}{U}_0)-{(U_0+U_1+\cdots +U_{n-1})}^2}{n(U_0^2+U_1^2+\cdots +U_{n-1}^2)-{(U_0+U_1+\cdots +U_{n-1})}^2}$$

The correlation coefficient always ranges from $-1$ to 1. When C is 0 or close to 0, it indicates $U_{j+1}$ and $U_j$ are independent. If $C=\pm 1$, $U_{j+1}$ and $U_j$ are totally linearly dependent. Thus, it is desirable to have C equal or close to 0.

However, since the values $U_0$ and $U_1$ are not, in fact, entirely independent of the values of $U_1$ and $U_2$, C is not expected to be exactly zero. As suggested by Knuth, a good value for C is any value between ${\mu }_n-2{\sigma }_n$ and ${\mu }_n+2{\sigma }_n$ where

$${\mu }_n=-\frac{1}{n-1},{\sigma }_n^2=\frac{n^2}{{(n-1)}^2(n-2)}\mathrm{with}n>2.$$

For a good PRNG, we expect C to lie between these values around $95\%$ of the time.

5. Application Domains Where Unpredictability Is Essential

5.3. The Protocol Components

5.3.1. Prevention of Post-Betting

The ability to detect post-betting, i.e. to detect whether a coupon was placed into the coupon database after the winning numbers were produced by the generators, is an important requirement from the protocol. If such an illegal event is detected, the protocol must be stopped immediately and the current draw must be canceled without announcing the winning numbers.

This requirement can be easily satisfied by combining information characterizing the state of the coupon file just before the winning numbers are produced. The state can, also, include information about the truly random seeds obtained from physical sources in order to start the PRNGs of the lottery. For instance, we can use the coupon file’s hash value as the file’s state indicator for ensuring integrity and detecting subsequent, to the draw, efforts to modify it by inserting a new coupon. Then the has value of the coupon file along with the used seeds become input to a pseudorandom functions commonly used in cryptography such as the Naor-Reingold function. In this way, we can also detect insider attacks from corrupted lottery employees who have access to the winning numbers just shortly after they have been generated and before they are announced.

5.3.2. Signing the Numbers and Authenticating Their Source

Both the Generator and the Verifier create, during the lottery initialization process, their own RSA key pair and then exchange their public keys. Using their public keys, they create, jointly, a shared key which they, also, exchange.

Using the shared secret key the winning numbers and seeds from the Generator are encrypted and then signed with the Generator’s public key. After receiving this signed packet, the Verifier verifies the signature of the Generator and uses the shared key to decrypt the winning numbers and seeds. This encryption and signing process eliminates the risks inherent in authentication methods like verifying IP addresses of servers, exchanging password phrases, etc.

Finally, the RSA key pairs van be refreshed, periodically, as an additional security precaution.

5.3.3. Seed Commitment and Reproduction of Received Numbers

An issue that arises after the Verifier receives the winning numbers of the current draw is whether the numbers were, indeed, generated taking into consideration the coupon file’s hash value in order to avoid post-betting, as we explained earlier.

To accomplish this, after receiving the hash value from the Verifier (who has obtained the coupon file after the betting period is closed), the Generator draws a seed from the true random number generators, securely combines it with the hash value (e.g., XORs them together) and then em commits to the result using the Naor-Reingold function (see [20]) discussed below. This function is used to process the mixture of seeds derived from the truly random number generators as combined with the hash value of the coupons file. The result of this processing is given as input to the PRNGs deployed by the lottery (four in the case we study). Moreover, the quality of the seeding process is enhanced and the overall security of the random number generation protocol is enhanced with the employment of the NR function.

Following this processing, the result is transmitted, as a commitment from the Generator, to the Verifier. Then when the Generator produces the numbers of the current draw, the Verifier is able to recreate the numbers using the commitment from the Generator. If the numbers are the same then the verification process is successful. In this case, the current draw is considered valid and the winning numbers can be publicized. Otherwise, an alert is issued for investigating potential malfunction of the generators or an effort to interfere, maliciously, with the lottery operation.

With respect to the Naor-Reingold, or NR function for short, a key is a tuple $〈P,Q,g,\overrightarrow{a}〉$, with P a large prime, Q is a large prime divisor of $P-1$, g an element of order Q in $Z_P^{*}$ and $\overrightarrow{a}=〈a_0,a_1,\dots a_n〉$ a uniformly distributed sequence of $n+1$ elements in $Z_Q$. Given an input x of n bits, $x=x_1\dots x_n$, the NR function is defined as follows:

$$\begin{array}{c}\hfill {\tilde{f}}_{P,Q,g,\overrightarrow{a}}={\left(g^{a_0}\right)}^{{\prod }_{x_i=1}{a}_i}modP.\end{array}$$

In the specific implementation in [14,15], the sizes of P and Q were 1000 bits and 200 bits respectively. Note that, in general, a pseudorandom function is applied both for randomizing, further, the input value and serving as a commitment for the generation of the next winning number sequence, in the case of the lottery. This commitment is based on the Generator’s inputs, i.e. seeds from physical sources and coupon file’s hash value, so that its output (i.e. winning numbers) can be checked for validity. Since the NR function is pseudorandom, revealing input-output relationships does not affect its security. An alternative approach is the use of another “verifiable (pseudo)random function” as defined in [19].

Finally, the Simplified Optimal Asymmetric Encryption Padding, or SAEP protocol (see [5]) can be applied before passing the seeds from the NR function to the Generator. Using this protocol, a padding on the NR function’s output is computed towards security enhancement. More specifically, if M is the message to be encrypted, the SAEP protocol concatenates M with a sequence of 0s and, then, it appends to it a random number r. Then the hash value of r is computed which is XOR-ed with the message M and the 0s. The final message, for encryption,is the concatenation of the result of the XOR operation with the random number r. Finally, the message M is recovered by the receiving party using the reverse process. The SAEP protocol is summarized in Figure 4.

In the random number generation protocol examined in this section, the message M is composed of the seeds that must be sent from the Generator to the Verifier. After the SAEP protocol has been applied all the information is encrypted and signed with the Generator’s private RSA key. The result of this process is transmitted to the Verifier for the verification process.

After receiving the encrypted and signed packet from the Generator, the Verifier first validates the signature and then decrypts the message using the shared key with the Generator. Finally, the Verifier applies the reverse SAEP process retrieving the commitment (seeds).

An indicative key size for the encryption process is 1000 bits and for the signature 2000 bits. The number of 0s used in the SAEP protocol can be, approximately, 100. Also, the size of the random number r can be approximately 100. Finally, the rmd160 algorithm can be used as the hash function, among other suitable choices.

5.3.4. Incorporation of Several True Randomness Sources

The initial randomness, or seed, of a software PRNG must, eventually, be drawn from a source of true randomness or physical source. After considering the various sources of true randomness within a computer (e.g. /dev/random in LINUX, fluctuations in hard disk access times, motherboard clock frequency drift, etc.) and evaluating the trade-offs between ease of use and quality of output, it was decided to use commercial hardware generators known to pass a number of demanding statistical tests (e.g. Diehard - see Section 4.2 for a brief presentation of the tests).

Moreover, it was important to use several such true randomness sources (see Section 2) with their outputs XORed, since it is not uncommon to have, after some time, risky deviations in the physical characteristics of the devices from which the initial randomness (seed) is drawn. These fluctuations, in turn, may cause the appearance of detectable biases or patterns in the produced number sequences.

5.3.5. Mixing the Outputs of the Generators: Algorithms M and B

As we discussed in Section 3.2.4, algorithm M takes as input two sequences $X_n$ and $Y_n$ and combines them in order to produce a sequence of enhanced randomness properties. The algorithm, actually, shuffles the elements of the sequence $X_n$ using as indices the elements of the sequence $Y_n$. Thus, the elements of the new sequence are the elements of $X_n$ but in different order. Algorithm B is similar to M, but it requires only one sequence as input. The output is, again, a shuffled version of the input sequence. Both algorithms are described in detail in Knuth’s book [12].

In the lottery application we examine, however, the involved sequences are composed of 0s and 1s and, thus, we have implemented slightly different variants of M and B. Now algorithm M takes as inputs two bit sequences X and Y while algorithm B takes as input one bit sequence X. In what follows, $X_{out}$ is the output sequence.

Returning to the generators that the protocol uses, the BBS, RSA/Rabin, DES and AES generators, we can combine them in many ways so that the protocol can swap, periodically and (optionally) unpredictably, to different combinations for the generation of the winning numbers. For instance, at one moment we can use the BBS and DES generators, combined with the M algorithm, and at a later time RSA/Rabin with the B algorithm. This will make the lottery protocol more secure and less vulnerable to guessing attacks. Each of the four generators can be used alone or with the B algorithm. In addition, all four generators can be used in groups of two using the M algorithm and in groups of two, three and four, using the XOR operation on their outputs.

5.3.6. Capability for Dynamic, On-Line, Reconfiguration

The electronic lottery protocol deploys four software PRNGs based on RSA, BBS, DES and AES. It was desirable to implement the option of modifying periodically (or through an external signal from the Verifier) the subset of generators whose combined output is used for the lottery draws. This creates additional difficulty to an observer as the output number sequences will originate from different types of generators at different times of the lottery operation.

6. Conclusions

References

1. Alexi, W.; Chor, B.; Goldreich, O.; Schnorr, C. RSA and Rabin Functions: Certain Parts are as Hard as the Whole. SIAM J. Computing 1988, 17, 194–209. [Google Scholar] [CrossRef]
2. E. Barker, A. Roginsky, R. Davis, Recommendation for Cryptographic Key Generation, NIST Special Publication 800-133 Revision 2. 2. [CrossRef]
3. Blum, L.; Blum, M.; Shub, M. A Simple Unpredictable Pseudo-Random Generator. SIAM J. Computing 1986, 15. [Google Scholar] [CrossRef]
4. Blum, M.; Micali, S. How to Generate Cryptographically Strong Sequences of Pseudo-Random Bits. SIAM J. Computing 1984, 13, 850–864. [Google Scholar] [CrossRef]
5. D. Boneh. In Proc. Crypto 2001, pp. 275–291. Lecture Notes in Computer Science, Vol. 2139, Springer-Verlag.
6. Boyar, J. Inferring sequences produced by pseudo-random number generators. J. Assoc. Comput. Mach. 1989, 36, 129–141. [Google Scholar] [CrossRef]
7. Boyar, J. Inferring sequences produced by a linear congruential generator missing low-order bits. Journal of Cryptology 1989, 1, 177–184. [Google Scholar] [CrossRef]
8. Carmichael, R.D. On composite numbers P which satisfy the Fermat congruence a^P-1≡1modP. Am. Math. Monthly 1919, 26, 137–146. [Google Scholar]
9. Goldreich, O.; Goldwasser, S.; Micali, S. How to construct random functions (extended abstract). Proc. FOCS 1984, 464–479. [Google Scholar]
10. J. Guajardo, S. S. Kumar, G. J. Schrijen, P. Tuyls: FPGA Intrinsic PUFs and Their Use for IP Protection. CHES 2007: 63-80.
11. G Marsaglia. The Marsaglia Random Number CDROM including the Diehard Battery of Tests of Randomness. Florida State University. 1995. Archived from the original on 2016-01-25. Available online: https://web.archive.org/web/20160125103112/http://stat.fsu.edu/pub/diehard/.
12. D. Knuth. The Art of Computer Programming: Volume 2, Seminumerical Algorithms. Addison-Wesley Professional, 3rd edition, 1997.
13. O.O. Koçak, F. Sulak, A. Doğanaksoy, and M. Uğuz. Modifications of Knuth Randomness Tests for Integer and Binary Sequences. Commun. Fac. Sci. Univ. Ank. Ser. A1 Math. Stat., Volume 67, Number 2, pp. 64–81, 2018. Available online: https://hdl.handle.net/11511/44973.
14. E. Konstantinou, V. Liagkou, P. Spirakis, YC. Stamatiou, and M. Yung. Electronic National Lotteries. In Proc. Financial Cryptography: 8th International Conference, FC 2004, pp. 147–163. Lecture Notes in Computer Science, vol 3110. Springer, Berlin, Heidelberg.
15. E. Konstantinou, V. Liagkou, P. Spirakis, YC. Stamatiou, and M. Yung. “Trust Engineering:” From Requirements to System Design and Maintenance - A Working National Lottery System Experience. In Proc. Information Security, ISC 2005, pp. 44–58. Lecture Notes in Computer Science, vol 3650. Springer, Berlin, Heidelberg.
16. E. Kranakis. Primality and Cryptography. Wiley-Teubner Series in Computer Science, 1986.
17. Mcrypt cryptographic library. Available online: ftp://mcrypt.hellug.gr/pub/crypto/mcrypt.
18. J. Kelsey, B. Schneier, and N. Ferguson, Yarrow-160: Notes on the Design and Analysis of the Yarrow Cryptographic Pseudorandom Number Generator, Sixth Annual Workshop on Selected Areas in Cryptography, Springer Verlag, August 1999.
19. S. Micali, M. Rabin and S. Vadhan, Verifiable Random Functions. In Proc. 40th Annual Symposium on the Foundations of Computer Science (FOCS `99), pp. 120–130. New York: IEEE Computer Society Press.
20. M. Naor and O. Reingold, Number-theoretic constructions of efficient pseudo-random functions, Proc. 38th IEEE Symp. on Foundations of Computer Science, 1997.
21. C.W. O’Donnell, G.E. Suh, and S. Devadas, PUF-Based Random Number Generation, MIT CSAIL CSG Technical Memo 481.
22. I. Shparlinski. On the linear complexity of the power generator. Kluwer Academic Publishers, Designs, Codes and Cryptography, 23, 5-10, 2001.
23. M.S. Turan, E. Barker, J. Kelsey, K.A. McKay, M.L. Baish, M. Boyle, Recommendation for the Entropy Sources Used for Random Bit Generation, NIST Special Publication 800-90B. [CrossRef]
24. A. Yao. Theory and Applications of Trapdoor Functions. IEEE FOCS, 1982.
25. H. Zenil (ed.). Randomness through computation. Collective Volume. World Scientific, 2011.