True & Deterministic Random Number Generators

Transcription

1 True & Deterministic Random Number Generators Çetin Kaya Koç Koç ( HRL RNG April 11, / 47

2 Random Numbers in Cryptography Session keys Signature keys and parameters Authentication protocols Ephemeral keys (DSA, ECDSA, ElGamal) Zero-knowledge protocols IVs for block ciphers Blinding and masking values... Koç ( HRL RNG April 11, / 47

3 Properties of Random Numbers Silent Requirement: The random numbers should assume all admissible values with equal probability and should be independent from predecessors and successors. Koç ( HRL RNG April 11, / 47

4 Properties of Random Numbers Silent Requirement: The random numbers should assume all admissible values with equal probability and should be independent from predecessors and successors. This characterizes an ideal random number generator Koç ( HRL RNG April 11, / 47

5 Ideal RNGs Even with maximal knowledge and unlimited computational power an attacker has no better strategy than blind guessing Brute force attack Koç ( HRL RNG April 11, / 47

6 Ideal RNGs Even with maximal knowledge and unlimited computational power an attacker has no better strategy than blind guessing Brute force attack Guessing n random bits costs 2 n 1 trials in average The guess work remains invariant in the course of time Today, in 2 years, in 100 years Koç ( HRL RNG April 11, / 47

7 Ideal RNGs Even with maximal knowledge and unlimited computational power an attacker has no better strategy than blind guessing Brute force attack Guessing n random bits costs 2 n 1 trials in average The guess work remains invariant in the course of time Today, in 2 years, in 100 years However, An ideal RNG is a mathematical construct! Koç ( HRL RNG April 11, / 47

8 Real World RNGs Koç ( HRL RNG April 11, / 47

9 Random Number Generators in Cryptography Deterministic RNGs are also known as pseudorandom number generators Koç ( HRL RNG April 11, / 47

10 Random Number Generators in Cryptography Deterministic RNGs are also known as pseudorandom number generators Hybrid deterministic RNGs and hybrid true RNGs apply design criteria from both deterministic RNGs and non-deterministic RNGs Koç ( HRL RNG April 11, / 47

11 Random Number Generators in Cryptography Deterministic RNGs are also known as pseudorandom number generators Hybrid deterministic RNGs and hybrid true RNGs apply design criteria from both deterministic RNGs and non-deterministic RNGs True random numbers cannot be computed on deterministic computers, they are best produced using physical RNGs which operate by measuring a well controlled and specially prepared random physical process Koç ( HRL RNG April 11, / 47

12 Random Number Generators in Cryptography Deterministic RNGs are also known as pseudorandom number generators Hybrid deterministic RNGs and hybrid true RNGs apply design criteria from both deterministic RNGs and non-deterministic RNGs True random numbers cannot be computed on deterministic computers, they are best produced using physical RNGs which operate by measuring a well controlled and specially prepared random physical process Especially valuable are information-theoretic provable RNGs which, at state of the art, seem to be possible only by exploiting randomness inherent to certain quantum systems Koç ( HRL RNG April 11, / 47

13 Challenge-Response Protocol Koç ( HRL RNG April 11, / 47

14 Challenge-Response Protocol To prevent replay attacks the random numbers U 1,U 2,... should be distinct with overwhelming probability Koç ( HRL RNG April 11, / 47

15 Security Requirement R1 Random numbers should not show any statistical weaknesses Koç ( HRL RNG April 11, / 47

16 Security Requirement R1 Random numbers should not show any statistical weaknesses Requirement R1 is usually verified by statistical tests Koç ( HRL RNG April 11, / 47

17 Security Requirement R1 Random numbers should not show any statistical weaknesses Requirement R1 is usually verified by statistical tests Is Requirement R1 is sufficient? Koç ( HRL RNG April 11, / 47

18 Key Exchange Protocol Alice Bob Charles Daniel r e 1 B mod nb T 1 r e 2 C mod nc T 2 r e 3 C mod nc T 3 r e 4 D mod nd T 4 Koç ( HRL RNG April 11, / 47

19 Key Exchange Protocol Alice Bob Charles Daniel r e 1 B mod nb T 1 r e 2 C mod nc T 2 r e 3 C mod nc T 3 r e 4 D mod nd T 4 Privileged attacker Charles: The knowledge of r 2 and r 3 may allow him to guess r 3 Koç ( HRL RNG April 11, / 47

20 Security Requirement R2 The knowledge of subsequences of random numbers should not allow one to compute predecessors or successors practically or to guess them with non-negligibly larger probability than without knowledge of these subsequences Koç ( HRL RNG April 11, / 47

21 Security Requirement R2 The knowledge of subsequences of random numbers should not allow one to compute predecessors or successors practically or to guess them with non-negligibly larger probability than without knowledge of these subsequences Requirement R2 implies backward and forward security Koç ( HRL RNG April 11, / 47

22 Security Requirement R2 The knowledge of subsequences of random numbers should not allow one to compute predecessors or successors practically or to guess them with non-negligibly larger probability than without knowledge of these subsequences Requirement R2 implies backward and forward security Requirement R2 can be thought of as the union of R3 (backward security) and R4 (forward security) Koç ( HRL RNG April 11, / 47

23 Security Requirements The minimum requirements on the random numbers depend on the intended applications Koç ( HRL RNG April 11, / 47

24 Security Requirements The minimum requirements on the random numbers depend on the intended applications For sensitive applications, e.g., the generation of session keys or signature parameters, Requirement R2 is indispensable Koç ( HRL RNG April 11, / 47

25 DRNGs A pure DRNG starts with a seed (s 0 ) value and using a seeding procedure computes the first internal state s 1 from s 0 The output is the random number r 1 which is computed using the output function Ψ while the next state s 2 is computed using the state transition function Φ as s 1 = seeding (s 0 ) r 1 = Ψ(s 1 ) s 2 = Φ(s 1 ) Koç ( HRL RNG April 11, / 47

26 Pure DRNG Schematic Koç ( HRL RNG April 11, / 47

27 DRNG Examples Linear Feedback Shift Registers (LFSRs) Cellular Automata (CA) Linear Congruential Generators (LCGs) Block cipher based methods Hash function based methods Number-theoretical methods: Blum-Blum-Shub, RSA, Rabin Elliptic curve methods: LCG, Power Generator, Naor-Reingold New: Edward curves method Koç ( HRL RNG April 11, / 47

28 DRNG Advantages DRNGs as random number generators have many advantages: low cost no dedicated hardware is required implementations can be done in software identical seed values imply identical random numbers which is a necessary condition for using them as stream ciphers Koç ( HRL RNG April 11, / 47

29 DRNG Disadvantages However, there are disadvantages: For pure DRNGs, the output is completely determined by the seed Output sequences of pure DRNGs cannot be truly independent They may behave as output sequence of an ideal RNG at most with respect to certain aspects The internal state has to be protected even if the device is not active Koç ( HRL RNG April 11, / 47

30 Security Requirements of DRNGs LFSRs: usually meet Requirement R1, but they do not meet R2 CA: on certain conditions meet R1 and R2 LCGs: usually meet Requirement R1, on certain conditions meet R2 Koç ( HRL RNG April 11, / 47

31 Security Requirements of DRNGs LFSRs: usually meet Requirement R1, but they do not meet R2 CA: on certain conditions meet R1 and R2 LCGs: usually meet Requirement R1, on certain conditions meet R2 Simple structures are useful for efficient implementations but they have serious security shortcomings Koç ( HRL RNG April 11, / 47

32 Block Cipher DRNGs Block cipher based DRNGs: k key (to be kept secret) and internal state s n = (r n,k) and s n+1 = (E k (r n ),k) = (r n+1,k) Internal state: s n = (r n,k) s n+1 = (E(r n,k),k) = (r n+1,k) Koç ( HRL RNG April 11, / 47

33 Block Cipher DRNGs Block cipher based DRNGs meet R1: ciphertext from a strong cipher should not have any statistical weakness Koç ( HRL RNG April 11, / 47

34 Block Cipher DRNGs Block cipher based DRNGs meet R1: ciphertext from a strong cipher should not have any statistical weakness They also meet R2: only if the encryption and decryption functions are secure against chosen-plaintext attacks Koç ( HRL RNG April 11, / 47

35 Block Cipher DRNGs Block cipher based DRNGs meet R1: ciphertext from a strong cipher should not have any statistical weakness They also meet R2: only if the encryption and decryption functions are secure against chosen-plaintext attacks This security proof is typical for DRNGs: tracing back to the recognized properties of well-known cryptographic primitives Koç ( HRL RNG April 11, / 47

36 Block Cipher DRNGs Block cipher based DRNGs meet R1: ciphertext from a strong cipher should not have any statistical weakness They also meet R2: only if the encryption and decryption functions are secure against chosen-plaintext attacks This security proof is typical for DRNGs: tracing back to the recognized properties of well-known cryptographic primitives For AES and Triple-DES encryption functions, may assume that this DRNG meets R2 Koç ( HRL RNG April 11, / 47

37 Block Cipher DRNGs Block cipher based DRNGs meet R1: ciphertext from a strong cipher should not have any statistical weakness They also meet R2: only if the encryption and decryption functions are secure against chosen-plaintext attacks This security proof is typical for DRNGs: tracing back to the recognized properties of well-known cryptographic primitives For AES and Triple-DES encryption functions, may assume that this DRNG meets R2 In the 80s, the same conclusion was justified for Single-DES, but this conclusion is no longer valid! Koç ( HRL RNG April 11, / 47

38 Hash Function DRNGs s n is a 160-bit vector Koç ( HRL RNG April 11, / 47

39 Hash Function DRNGs s n is a 160-bit vector Fulfills R1 and R2 (both backward and forward security) Koç ( HRL RNG April 11, / 47

40 Cryptographically Secure DRNGs Their security is based on intractability assumptions, e.g., factoring is hard or DLP is hard Examples: Blum-Blum-Shub, RSA, Rabin bit generators Koç ( HRL RNG April 11, / 47

41 Cryptographically Secure DRNGs Their security is based on intractability assumptions, e.g., factoring is hard or DLP is hard Examples: Blum-Blum-Shub, RSA, Rabin bit generators On the basis of these intractability assumptions certain security properties can be proved, such as next-bit security Usually only asymptotic security properties can be proved, for example, with increasing RSA modulus Koç ( HRL RNG April 11, / 47

42 Cryptographically Secure DRNGs Their security is based on intractability assumptions, e.g., factoring is hard or DLP is hard Examples: Blum-Blum-Shub, RSA, Rabin bit generators On the basis of these intractability assumptions certain security properties can be proved, such as next-bit security Usually only asymptotic security properties can be proved, for example, with increasing RSA modulus Not used in practice due to their low output rate Koç ( HRL RNG April 11, / 47

43 Security Requirement R4 For specific applications, Requirement R4 (enhanced forward security) is desirable Koç ( HRL RNG April 11, / 47

44 Security Requirement R4 For specific applications, Requirement R4 (enhanced forward security) is desirable It should not be practically feasible to compute future random numbers from the internal state or to guess them with non-negligibly larger probability than without the knowledge of the internal state Koç ( HRL RNG April 11, / 47

45 Security Requirement R4 For specific applications, Requirement R4 (enhanced forward security) is desirable It should not be practically feasible to compute future random numbers from the internal state or to guess them with non-negligibly larger probability than without the knowledge of the internal state Attack Scenario: An attacker is able to read or to manipulate the internal state of a DRNG without being noticed by the user/owner of the DRNG who uses the subsequent random numbers Koç ( HRL RNG April 11, / 47

46 Security Requirement R4 For specific applications, Requirement R4 (enhanced forward security) is desirable It should not be practically feasible to compute future random numbers from the internal state or to guess them with non-negligibly larger probability than without the knowledge of the internal state Attack Scenario: An attacker is able to read or to manipulate the internal state of a DRNG without being noticed by the user/owner of the DRNG who uses the subsequent random numbers Pure DRNGs cannot fulfill Requirement R4 Koç ( HRL RNG April 11, / 47

47 Security Requirement R4 For specific applications, Requirement R4 (enhanced forward security) is desirable It should not be practically feasible to compute future random numbers from the internal state or to guess them with non-negligibly larger probability than without the knowledge of the internal state Attack Scenario: An attacker is able to read or to manipulate the internal state of a DRNG without being noticed by the user/owner of the DRNG who uses the subsequent random numbers Pure DRNGs cannot fulfill Requirement R4 A hybrid DRNG may fulfill R4 for the random numbers that are generated after the first update of its internal state with random data after the internal state has been compromised Koç ( HRL RNG April 11, / 47

48 Hybrid DRNGs Koç ( HRL RNG April 11, / 47

49 Hybrid DRNGs Additional input may be provided After each step Occasionally Upon external request of an application Koç ( HRL RNG April 11, / 47

50 Hybrid DRNGs Additional input may be provided After each step Occasionally Upon external request of an application Additional input may have Large entropy per bit, using a strong physical RNG Low entropy, time etc Koç ( HRL RNG April 11, / 47

51 Block Cipher Hybrid DRNGs Strong block cipher, e.g., AES or Triple-DES Key k is kept secret The algorithmic part guarantees R1 and R2 Additional input large entropy may ensure R3 and R4 Koç ( HRL RNG April 11, / 47

52 Elliptic Curve DRNGs There are three existing proposals Linear congruential generator Power generator Naor-Reingold generator Koç ( HRL RNG April 11, / 47

53 Elliptic Curve DRNGs There are three existing proposals Linear congruential generator Power generator Naor-Reingold generator Some results have been obtained Some complexity results (bounds) for the power generators Studies involving Koblitz curves Koç ( HRL RNG April 11, / 47

54 Elliptic Curve DRNGs There are three existing proposals Linear congruential generator Power generator Naor-Reingold generator Some results have been obtained Some complexity results (bounds) for the power generators Studies involving Koblitz curves Our new work New pure and hybrid DRNG over Edward Curves New complexity results Koç ( HRL RNG April 11, / 47

55 Elliptic Curve DRNGs Weierstrass form of elliptic curves has been the standard tool Interesting applications of character sums, combinatorics, and curves Requirement R1 is usually assumed Requirement R2: Security proofs of elliptic curve DRNGs are based on the elliptic curve discrete logarithm problem: Find d, given P and Q = [d]p Koç ( HRL RNG April 11, / 47

56 Weierstrass Elliptic Curves The set of points (x,y) on elliptic curve together with the point at infinity O E = {(x,y) (x,y) F 2 p and y2 = x 3 +ax +b} {O} forms an Abelian group with respect to the addition operation Koç ( HRL RNG April 11, / 47

57 Elliptic Curve Point Addition The addition operation computes the coordinates (x 3,y 3 ) of P 3 for P 3 = P 1 P 2 = (x 1,y 1 ) (x 2,y 2 ) Koç ( HRL RNG April 11, / 47

58 Elliptic Curve Addition and Doubling over F p Given P 1 = (x 1,y 1 ) and P 2 = (x 2,y 2 ), the computation of P 3 = (x 3,y 3 ): If (x 1,y 1 ) = O, then (x 3,y 3 ) = (x 2,y 2 ) since P 3 = O+P 2 = P 2 If (x 2,y 2 ) = O, then (x 3,y 3 ) = (x 1,y 1 ) since P 3 = P 1 +O = P 1 If x 2 = x 1 and y 2 = y 1, then (x 3,y 3 ) = O since P 3 = P 1 +P 1 = O Otherwise, first compute the slope using y 2 y 1 x 2 x 1 for x 1 x 2 m = 3x1 2+a 2y 1 for x 1 = x 2 and y 1 = y 2 Then, (x 3,y 3 ) is computed using x 3 = m 2 x 1 x 2 y 3 = m (x 1 x 3 ) y 1 Koç ( HRL RNG April 11, / 47

59 Sequence from Points Map points P n = (x n,y n ) F 2 p into [0,1) [0,1) There is a natural map since F p = {0,1,...,p 1} P n ( xn p, y ) n p Some applications use only the x coordinate or apply maps to the coordinate values (for example, hash functions or trace maps) Koç ( HRL RNG April 11, / 47

60 Elliptic Curve Linear Congruential Generator For the initial value Q 0 E(F p ), consider the sequence Q k = P Q k 1 = [k]p Q 0 for k = 1,2,... Easy to construct the following element given two consecutive ones Let Q k = (x k,y k ) and use (x k ) k=0 as sequence in F p or normalize to [0,1) using an enumeration of the field and dividing by p Period is linked to the number of points in E If the field is F 2 n, this sequence is studied Tr(x 0 ),Tr(y 0 ),Tr(x 1 ),Tr(y 1 ),Tr(x 2 ),Tr(y 2 ),... Koç ( HRL RNG April 11, / 47

61 Elliptic Curve Power Generator For integer e 2, consider the sequence with Q 0 = P Q k = [e]q k 1 = [e k ]P Determining e from Q k and Q k 1 would be solving the ECDLP Constructing the sequence element given longer substrings is related to the generalized ECDH problem Koç ( HRL RNG April 11, / 47

62 Elliptic Curve Naor-Reingold Given an integer vector A = (a 1,a 2,...,a n ), consider the sequence Q A,k = [a k 1 1 ak 2 2 akn n ]P where k = k 1 k 2...k n is the bit representation of k, 0 k 2 n 1 Ezample: n = 4, l = 19, and A = (2,5,3,4) f A,0 = P = P f A,1 = P = [4]P f A,2 = P = [3]P f A,3 = P = [12]P f A,11 = P = [24]P = [5]P f A,15 = P = [120]P = [6]P Koç ( HRL RNG April 11, / 47

63 Research on EC-LCG, EC-PG, and EC-NRG Recent work of Tanja Lange, David Kohel, Igor Shparlinski, Berry Schoenmakers, and Vladimir Sidorenko Some results of theoretical value; Other results are more practical: If the order of P is at least p 0.5+ǫ then all three sequences are reasonably well distributed Koç ( HRL RNG April 11, / 47

64 Research on EC-LCG, EC-PG, and EC-NRG Recent work of Tanja Lange, David Kohel, Igor Shparlinski, Berry Schoenmakers, and Vladimir Sidorenko Some results of theoretical value; Other results are more practical: If the order of P is at least p 0.5+ǫ then all three sequences are reasonably well distributed Cryptanalysis results: A variant of EC-LCG, dual elliptic curve generator : s 0 random seed, Q = [a]p, a is secret s i = x([s i 1 ]P) r i = lsb 240 (x([s i ]Q)) r i are not uniformly distributed; next bit is predictable without knowing a; looks secure if fewer bits are extracted Koç ( HRL RNG April 11, / 47

65 Edwards Curves Harold Edwards introduced a new normal form for elliptic curves and gave an addition law which is remarkably symmetric and much simpler The original form the equation Edwards studied was x 2 +y 2 = c 2 +c 2 x 2 y 2 solved over a field F whose characteristic is not equal to 2 Studies on such groups go as far back as to Gauss Bernstein and Lange gave a slightly simpler form where d is a quadratic non residue x 2 +y 2 = 1+dx 2 y 2 Koç ( HRL RNG April 11, / 47

66 Edwards Curves (d = 0) When d = 0, this becomes the unit circle The zero element of the group is (0,1) The addition law is given as (x 1,y 1 ) (x 2,y 2 ) = (x 1 y 2 +x 2 y 1,y 1 y 2 x 1 x 2 ) The geometric interpretation: add the angles of the points P 1 and P 2 Koç ( HRL RNG April 11, / 47

67 Edwards Curves Other values of d F {0,1} for a non-binary field F form curves within the unit circle Edwards curves for d = 0, 2, 10, 50, Koç ( HRL RNG April 11, / 47

68 Edwards Curve Addition Law The zero (neutral) element is (0,1) The inverse of (x,y) is ( x,y) The addition law ( x1 y 2 +x 2 y 1 (x 1,y 1 ) (x 2,y 2 ) =, 1+dx 1 x 2 y 1 y 2 ) y 1 y 2 x 1 x 2 1 dx 1 x 2 y 1 y 2 Koç ( HRL RNG April 11, / 47

69 Edwards Curve Projections A point (x,y) on the Edwards curve E d projects to the point (u,v) in the same quadrant on the unit circle as (u,v) = (αx,αy), where α = 1 x 2 +y 2 Koç ( HRL RNG April 11, / 47

70 Edwards Curve Projections A point (x,y) on the Edwards curve E d projects to the point (u,v) in the same quadrant on the unit circle as (u,v) = (αx,αy), where α = 1 x 2 +y 2 A point (u,v) on the unit circle projects back to the point (x,y) in the same quadrant on the Edwards curve E d as (x,y) = (βu,βv), where 2 β = du 2 v 2 Koç ( HRL RNG April 11, / 47

71 Edwards Curve Projections A point (x 0,y 0 ) on the Edwards curve E d0 projects to the point (x 1,y 1 ) in the same quadrant on the Edwards curve E d1 as (x 1,y 1 ) = (γx 0,γx 1 ), where γ = 2 x 20 +y20 + (x0 2 +y2 0 )2 4d 1 x0 2y2 0 Koç ( HRL RNG April 11, / 47

72 Edwards Curve Projections A point (x 0,y 0 ) on the Edwards curve E d0 projects to the point (x 1,y 1 ) in the same quadrant on the Edwards curve E d1 as (x 1,y 1 ) = (γx 0,γx 1 ), where γ = 2 x 20 +y20 + (x0 2 +y2 0 )2 4d 1 x0 2y2 0 Equations are more complicated however where it is possible to project from one curve to another, using clock addition and roots of unity ( sin ( ) 2π,cos n ( )) 2π n Koç ( HRL RNG April 11, / 47

73 Edwards Curve Hybrid DRNG Given the seed vector K = (k 0,k 1,...,k n ), consider the Edwards curve E d over the odd prime p Koç ( HRL RNG April 11, / 47

74 Edwards Curve Hybrid DRNG Given the seed vector K = (k 0,k 1,...,k n ), consider the Edwards curve E d over the odd prime p Take initial d 0 = d and start with P 0 = (x 0,y 0 ) on E d0, and compute [k 0 ]P 0 = (x 0,y 0 ) d0 d0 (x 0,y 0 ) = (a 0,b 0 ) Koç ( HRL RNG April 11, / 47

75 Edwards Curve Hybrid DRNG Given the seed vector K = (k 0,k 1,...,k n ), consider the Edwards curve E d over the odd prime p Take initial d 0 = d and start with P 0 = (x 0,y 0 ) on E d0, and compute [k 0 ]P 0 = (x 0,y 0 ) d0 d0 (x 0,y 0 ) = (a 0,b 0 ) Obtain t 0 from the entropy source such that a 2 0 +b2 0 t2 0 is a QNR Koç ( HRL RNG April 11, / 47

76 Edwards Curve Hybrid DRNG Given the seed vector K = (k 0,k 1,...,k n ), consider the Edwards curve E d over the odd prime p Take initial d 0 = d and start with P 0 = (x 0,y 0 ) on E d0, and compute [k 0 ]P 0 = (x 0,y 0 ) d0 d0 (x 0,y 0 ) = (a 0,b 0 ) Obtain t 0 from the entropy source such that a0 2 +b2 0 t2 0 Assuming a 0 b 0 0, set is a QNR d 1 = t2 0 a0 2 (a b b0 2 t0) 2 0 Koç ( HRL RNG April 11, / 47

77 Edwards Curve Hybrid DRNG This d 1 is a QNR, and we can use it to define a new Edwards curve Koç ( HRL RNG April 11, / 47

78 Edwards Curve Hybrid DRNG This d 1 is a QNR, and we can use it to define a new Edwards curve The selection t 0 = 1 always works, but this gives d 1 = d 0 Koç ( HRL RNG April 11, / 47

79 Edwards Curve Hybrid DRNG This d 1 is a QNR, and we can use it to define a new Edwards curve The selection t 0 = 1 always works, but this gives d 1 = d 0 Now, project the point (a 0,b 0 ) on the Edwards curve E d1 by P 1 = (x 1,y 1 ) = (γ 0 a 0,γ 0 b 0 ) Koç ( HRL RNG April 11, / 47

80 Edwards Curve Hybrid DRNG This d 1 is a QNR, and we can use it to define a new Edwards curve The selection t 0 = 1 always works, but this gives d 1 = d 0 Now, project the point (a 0,b 0 ) on the Edwards curve E d1 by P 1 = (x 1,y 1 ) = (γ 0 a 0,γ 0 b 0 ) The projection coefficient simplifies γ 0 = t 1 0 Now compute [k 1 ]P 1 = (x 1,y 1 ) d1 d1 (x 1,y 1 ) = (a 1,b 1 ) Koç ( HRL RNG April 11, / 47

81 Edwards Curve Hybrid DRNG Assuming a 1 b 1 0, the parameter for the next Edwards curve is d 2 = t2 1 a1 2 (a b b1 2 t1) 2 1 such that a 2 1 +b2 1 t2 1 is a QNR and t 1 comes from the entropy source Koç ( HRL RNG April 11, / 47

82 Edwards Curve Hybrid DRNG Assuming a 1 b 1 0, the parameter for the next Edwards curve is d 2 = t2 1 a1 2 (a b b1 2 t1) 2 1 such that a 2 1 +b2 1 t2 1 is a QNR and t 1 comes from the entropy source Now compute [k 2 ]P 2 on E d2 where P 2 is the projection and so on P 2 = (x 2,y 2 ) = (t 1 1 a 1,t 1 1 b 1) Koç ( HRL RNG April 11, / 47

83 Edwards Curve Hybrid DRNG Assuming a 1 b 1 0, the parameter for the next Edwards curve is d 2 = t2 1 a1 2 (a b b1 2 t1) 2 1 such that a 2 1 +b2 1 t2 1 is a QNR and t 1 comes from the entropy source Now compute [k 2 ]P 2 on E d2 where P 2 is the projection and so on P 2 = (x 2,y 2 ) = (t 1 1 a 1,t 1 1 b 1) The final point produced is [k n ]P n on the Edwards curve E dn Koç ( HRL RNG April 11, / 47

84 Edwards Curve Hybrid DRNG System parameters: Edward curve over F p with odd prime p and d 0 = d, and a point on the curve P 0 = (x 0,y 0 ) Koç ( HRL RNG April 11, / 47

85 Edwards Curve Hybrid DRNG System parameters: Edward curve over F p with odd prime p and d 0 = d, and a point on the curve P 0 = (x 0,y 0 ) Input seed vector: K = (k 0,k 1,...,k n ) Koç ( HRL RNG April 11, / 47

86 Edwards Curve Hybrid DRNG System parameters: Edward curve over F p with odd prime p and d 0 = d, and a point on the curve P 0 = (x 0,y 0 ) Input seed vector: K = (k 0,k 1,...,k n ) The entropy source produces: T 0,T 1,...,T n which have been modified to obtain the QNRs t 0,t 1,...,t n at each step Koç ( HRL RNG April 11, / 47

87 Edwards Curve Hybrid DRNG System parameters: Edward curve over F p with odd prime p and d 0 = d, and a point on the curve P 0 = (x 0,y 0 ) Input seed vector: K = (k 0,k 1,...,k n ) The entropy source produces: T 0,T 1,...,T n which have been modified to obtain the QNRs t 0,t 1,...,t n at each step For i = 0 to i = n, Step i: (a i,b i ) = [k i ]P i Get T i and compute t i such that a 2 i +b 2 i t 2 i is a QNR d i+1 = t2 i (a ai 2b2 i 2 +bi 2 ti 2) i γ i = t 1 i P i+1 = (γ i a i,γ i b i ) Koç ( HRL RNG April 11, / 47

88 Edwards Curve Hybrid DRNG System parameters: Edward curve over F p with odd prime p and d 0 = d, and a point on the curve P 0 = (x 0,y 0 ) Input seed vector: K = (k 0,k 1,...,k n ) The entropy source produces: T 0,T 1,...,T n which have been modified to obtain the QNRs t 0,t 1,...,t n at each step For i = 0 to i = n, Step i: (a i,b i ) = [k i ]P i Get T i and compute t i such that a 2 i +b 2 i t 2 i is a QNR d i+1 = t2 i (a ai 2b2 i 2 +bi 2 ti 2) i γ i = t 1 i P i+1 = (γ i a i,γ i b i ) Random points P 1,P 2,...,P n Koç ( HRL RNG April 11, / 47

89 Edwards Curve Hybrid DRNG Koç ( HRL RNG April 11, / 47

90 A Complexity Result Theorem Suppose p,q are prime numbers with p = 4q 1. A few such (p,q) pairs are (11, 3), (19, 5), (331, 83), ( , ), ( , ). Consider the Edwards group G on E d with d = 1 (a QNR) over F p. G has identity (0,1), the element (0, 1) of order 2, and the elements (±1,0) are of order 4. Any other (x,y) has order q, 2q or 4q. Koç ( HRL RNG April 11, / 47