Pseudo-Random Generators

Similar documents
Pseudo-Random Generators

Topics. Pseudo-Random Generators. Pseudo-Random Numbers. Truly Random Numbers

Chair for Network Architectures and Services Institute of Informatics TU München Prof. Carle. Network Security. Chapter 2 Basics

Random number generators

Network Security (NetSec)

Network Security. Random Numbers. Cornelius Diekmann. Version: November 21, 2015

A study of entropy transfers

Pseudo-random Number Generation. Qiuliang Tang

Random Number Generation Is Getting Harder It s Time to Pay Attention

Information Security

Lecture Notes. Advanced Discrete Structures COT S

How does the computer generate observations from various distributions specified after input analysis?

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

Number Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers

On Linux Random Number Generator

How does the computer generate observations from various distributions specified after input analysis?

Dan Boneh. Stream ciphers. The One Time Pad

Lecture 1: Introduction to Public key cryptography

Notes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I

True & Deterministic Random Number Generators

Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)

Entropy. Finding Random Bits for OpenSSL. Denis Gauthier and Dr Paul Dale Network Security & Encryption May 19 th 2016

Other Public-Key Cryptosystems

Other Public-Key Cryptosystems

A model and architecture for pseudo-random generation with applications to /dev/random

Topics in Computer Mathematics

Class 12. Random Numbers

Scribe for Lecture #5

STREAM CIPHER. Chapter - 3

Random Bit Generation

Pseudorandom Generators

CPSC 467: Cryptography and Computer Security

CPSC 531: Random Numbers. Jonathan Hudson Department of Computer Science University of Calgary

Computer Science A Cryptography and Data Security. Claude Crépeau

Slides 3: Random Numbers

Public-Key Cryptosystems CHAPTER 4

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Integers and Division

On Perfect and Adaptive Security in Exposure-Resilient Cryptography. Yevgeniy Dodis, New York University Amit Sahai, Princeton Adam Smith, MIT

B. Maddah ENMG 622 Simulation 11/11/08

Design of Cryptographically Strong Generator By Transforming Linearly Generated Sequences

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Private-Key Encryption

A model and Architecture for Pseudo-Random Generation and Applications to /dev/random

Entropy Evaluation for Oscillator-based True Random Number Generators

Review of Statistical Terminology

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Recovering Private Keys Generated With Weak PRNGs

Cryptography and Security Final Exam

Lecture 7: Pseudo Random Generators

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Simple Unpredictable Pseudo-Random Number Generator

Linear Congruences. The equation ax = b for a, b R is uniquely solvable if a 0: x = b/a. Want to extend to the linear congruence:

Algorithmic Number Theory and Public-key Cryptography

7 Cryptanalysis. 7.1 Structural Attacks CA642: CRYPTOGRAPHY AND NUMBER THEORY 1

Lecture 28: Public-key Cryptography. Public-key Cryptography

All-Or-Nothing Transforms Using Quasigroups

6.080 / Great Ideas in Theoretical Computer Science Spring 2008

On some properties of PRNGs based on block ciphers in counter mode

Pseudorandom number generators based on random covers for finite groups

Research Article A Novel True Random Number Generator Based on Mouse Movement and a One-Dimensional Chaotic Map

4.5 Applications of Congruences

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

CS March 17, 2009

Introduction to Cryptography. Lecture 8

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Analysis of Entropy Usage in Random Number Generators

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

What is the Q in QRNG?

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

2008 Winton. Review of Statistical Terminology

Efficient Pseudorandom Generators Based on the DDH Assumption

Random Number Generation. Stephen Booth David Henty

Foundations of Network and Computer Security

Yale University Department of Computer Science

/dev/random and SP800-90B

CHAPTER 3 CHAOTIC MAPS BASED PSEUDO RANDOM NUMBER GENERATORS

Elliptic Curves I. The first three sections introduce and explain the properties of elliptic curves.

Foundations of Network and Computer Security

Design of Cryptographically Strong Generator By Transforming Linearly Generated Sequences

has the solution where M = Since c = w 2 mod n we have c w 2 (mod p) and c w 2 (mod q);

CRYPTOGRAPHY AND NUMBER THEORY

Lecture 7: ElGamal and Discrete Logarithms

Security Implications of Quantum Technologies

A Pseudo-Random Encryption Mode

ECS 189A Final Cryptography Spring 2011

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

Pseudorandom Generators

State Recovery Attacks on Pseudorandom Generators

Sources of randomness

Section 2.1: Lehmer Random Number Generators: Introduction

CHAPTER 6: OTHER CRYPTOSYSTEMS, PSEUDO-RANDOM NUMBER GENERATORS and HASH FUNCTIONS. Part VI

Cryptography. pieces from work by Gordon Royle

CS 395T. Probabilistic Polynomial-Time Calculus

Public-key Cryptography: Theory and Practice

A novel pseudo-random number generator based on discrete chaotic iterations

Logic gates. Quantum logic gates. α β 0 1 X = 1 0. Quantum NOT gate (X gate) Classical NOT gate NOT A. Matrix form representation

Transcription:

Pseudo-Random Generators

Why do we need random numbers? Simulation Sampling Numerical analysis Computer programming (e.g. randomized algorithm) Elementary and critical element in many cryptographic protocols Usually: Alice picks key K at random Cryptosystems only secure if keys random. Session keys for symmetric ciphers. Nonce in different protocols (to avoid replay)

Cryptography relies on randomness To encrypt e-mail, digitally sign documents, or spend a few dollars of electronic cash over the internet, we need random numbers. If random numbers in any of these applications are insecure, then the entire application is insecure.

Truly Random Numbers Random bits are generated by a hardware that s based on physical phenomena. Those numbers cannot be reliably reproduced or predicted. Generation of (truly) random bits is an inefficient procedure in most practical systems: slow & expensive. Storage and transmission of a large number of random bits may be impractical.

Pseudo-Random Numbers Pseudorandom - Having the appearance of randomness, but nevertheless exhibiting a specific, repeatable pattern. Random numbers are very difficult to generate, especially on computers which are designed to be deterministic devices. The sequence is not truly random in that it is completely determined by a relatively small set of initial values, called the PRNG's state.

Pseudo-Random Numbers An Efficient (polynomial time) deterministic algorithm G. Secret Seed random looking string a string of n random bits Expanded string of m>n pseudorandom bits

The Seed Can t create randomness out of nothing. True physical sources of randomness that cannot be predicted: Noise from a semiconductor device (Hardware). Resource utilization statistics and system load (Software). User's mouse movements. Device latencies. Use as a minimum security requirement the length n of the seed to a PRNG should be large enough to make brute-force search over all seeds infeasible for an attacker.

Normal RNG Operation entropy output t t+k t+k+1 t+k+2 output output output entropy t+n output

The difference between Truly Random and Pseudo-Random If one knows: The algorithm & seed used to create the numbers. He can predict all the numbers returned by every call to the algorithm. With genuinely random numbers, knowledge of one number or a long sequence of numbers is of no use in predicting the next number to be generated.

Random looking Random looking means that: If the number is in the range: 0 n. And there are m numbers to be generated. An observer given m-1 out of m numbers, cannot predict the m th number with better probability than 1/n.

What do we expect from pseudo randomness? Long period : The generator should be of long period (the period of a random number generator is the number of times we can call it before the random sequence begins to repeat). Fast computation: The generator should be reasonably fast and low cost.

What do we expect from pseudo randomness? Unbiased: The output of the generator has good statistical characteristics. Unpredictable: Given a few first bits, it should not be easy to predict, or compute, the rest of the bits. Uncorrelated sequences -The sequences of random numbers should be serially uncorrelated.

RNG Security Requirements Pseudo-randomness Output is indistinguishable from random Backward security RNG outputs cannot be compromised by a break-in in the past Forward security RNG outputs cannot be compromised by a break-in in the future

Some basic ideas for tests Randomness is a probabilistic property: The properties of a random sequence can be characterized in terms of probability. The following tests may be applied: Monobit Test: Are there equally many 1 s like 0 s? Serial Test (Two-Bit Test): Are there equally many 00, 01, 10, 11 pairs?

Linear Congruential Method Example for PRNG algorithm

Properties of Random Numbers Two important statistical properties: Uniformity Independence. Random Number, R i, must be independently drawn from a uniform distribution with pdf: f ( x) 1, 0, 0 x 1 otherwise E( R) 1 0 xdx x 2 2 1 0 1 2 Figure: pdf for random numbers 17

Linear Congruential Method [Techniques] To produce a sequence of integers, X 1, X 2, between 0 and m 1 by following a recursive relationship: X i 1 ( ax i c) mod m, i 0,1,2,... The multiplier The selection of the values for a, c, m, and X 0 drastically affects the statistical properties and the cycle length. The random integers are being generated [0,m 1], and to convert the integers to random numbers: R i The increment X i m, i 1,2,... The modulus 18

Examples [LCM] Use X 0 = 27, a = 17, c = 43, and m = 100. The X i and R i values are: X 1 = (17*27+43) mod 100 = 502 mod 100 = 2, R 1 = 0.02; X 2 = (17*2+43) mod 100 = 77, R 2 = 0.77; X 3 = (17*77+43) mod 100 = 52, R 3 = 0.52; X 4 = (17* 52 +43) mod 100 = 27, R 4 = 0.27 19

A Good LCG Example X=2456356; %seed value for i=1:10000, X=mod(1664525*X+1013904223,2^32); U(i)=X/2^32; end edges=0:0.05:1; M=histc(U,edges); bar(m); hold; figure; hold; for i=1:5000, plot(u(2*i 1),U(2*i)); end 20

Linear Congruence Generators In Cryptography However, even high quality classical generators are mostly not usable in cryptography. Why? Because given several successive numbers that were generated by LCG, it is possible to compute the modulus and the multiplier with reasonable efficiency. Meaning: there is always the risk of reverse engineering of the generators.

Pseudo Random Generators In Cryptography If generators are needed in cryptographic applications, they are usually created using the cryptographic primitives, such as: block ciphers hash functions There is a natural tendency to assume that the security of these underlying primitives will translate to security for the PRNG.

Linux PNRG

Linux PNRG Implemented in the kernel. Entropy based PRNG Used by many applications TCP, PGP, SSL, S/MIME, Two interfaces Kernel interface get_random_bytes (nonblocking) User interfaces /dev/random (blocking) /dev/urandom (non-blocking)

Entropy Collection Events are represented by two 32-bit words Event type. E.g., mouse press, keyboard value Event time in milliseconds. Bad news: Actual entropy in every event is very limited Good news: There are many of these events

Entropy estimation A counter estimates the physical entropy in the LRNG Increased on entropy addition (from OS events) Decreased on data extraction. blocking and non-blocking interfaces Blocking interface does not provide output when entropy estimation reaches zero Non-blocking interface always provides output Blocking interface is considered more secure

LRNG structure keyboard mouse Entropy Sources interrupts disk C A Entropy Pool 512 bytes A E E A A Secondary 128 Bytes Urandom 128 Bytes A E E /dev/random blocking /dev/urandom get_random_bytes non-blocking A A C entropy collection A entropy addition E data extraction

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback