Random Bit Generation

Similar documents
The Dual Elliptic Curve Deterministic RBG

Random Number Generation Is Getting Harder It s Time to Pay Attention

Chair for Network Architectures and Services Institute of Informatics TU München Prof. Carle. Network Security. Chapter 2 Basics

An Approach for Entropy Assessment of Ring Oscillator- Based Noise Sources. InfoGard, a UL Company Dr. Joshua Hill

Survey of Hardware Random Number Generators (RNGs) Dr. Robert W. Baldwin Plus Five Consulting, Inc.

CPSC 467: Cryptography and Computer Security

Pseudo-Random Generators

Pseudo-Random Generators

Topics. Pseudo-Random Generators. Pseudo-Random Numbers. Truly Random Numbers

Information Security

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Leftovers from Lecture 3

Entropy Evaluation for Oscillator-based True Random Number Generators

Network Security (NetSec)

Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)

CS 6260 Applied Cryptography

Network Security. Random Numbers. Cornelius Diekmann. Version: November 21, 2015

AQI: Advanced Quantum Information Lecture 6 (Module 2): Distinguishing Quantum States January 28, 2013

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

The Entropy Bogeyman. Ed Morris and Khai Van November 5, 2015 International Crypto Module Conference

Modern Cryptography Lecture 4

Lecture 2: Perfect Secrecy and its Limitations

Entropy. Finding Random Bits for OpenSSL. Denis Gauthier and Dr Paul Dale Network Security & Encryption May 19 th 2016

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

Notes for Lecture 9. 1 Combining Encryption and Authentication

Pseudorandom Generators

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Enough Entropy? Justify It!

Computational security & Private key encryption

What is the Q in QRNG?

4.5 Applications of Congruences

A study of entropy transfers

5 Pseudorandom Generators

On some properties of PRNGs based on block ciphers in counter mode

Foundations of Network and Computer Security

Modern symmetric-key Encryption

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle

Cryptographic Hash Functions

CPSC 467: Cryptography and Computer Security

CS 6260 Applied Cryptography

1 Indistinguishability for multiple encryptions

Pseudorandom Generators

Lecture 3: Lower bound on statistically secure encryption, extractors

6.080 / Great Ideas in Theoretical Computer Science Spring 2008

Real Randomness with Noise and Chaos

CTR mode of operation

Lecture 10 - MAC s continued, hash & MAC

Password Cracking: The Effect of Bias on the Average Guesswork of Hash Functions

Provable security. Michel Abdalla

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

Information in Biology

Lecture 5, CPA Secure Encryption from PRFs

Security Under Key-Dependent Inputs

Lectures 2+3: Provable Security

Analysis of Underlying Assumptions in NIST DRBGs

CS 395T. Probabilistic Polynomial-Time Calculus

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Information in Biology

Quantum Information Types

Scribe for Lecture #5

Error Reconciliation in QKD. Distribution

Contents. ID Quantique SA Tel: Chemin de la Marbrerie 3 Fax : Carouge

Lecture 5: Random numbers and Monte Carlo (Numerical Recipes, Chapter 7) Motivations for generating random numbers

STREAM CIPHER. Chapter - 3

Hash Functions. A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length.

COMS W4995 Introduction to Cryptography October 12, Lecture 12: RSA, and a summary of One Way Function Candidates.

Lecture 5: Pseudorandom functions from pseudorandom generators

Hash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34

Foundations of Network and Computer Security

Block ciphers And modes of operation. Table of contents

Public-key Cryptography: Theory and Practice

CPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions

Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan

Dan Boneh. Stream ciphers. The One Time Pad

Multi-Map Orbit Hopping Chaotic Stream Cipher

Discrete Mathematics and Probability Theory Spring 2014 Anant Sahai Note 10

Latches. October 13, 2003 Latches 1

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1

CPSC 467b: Cryptography and Computer Security

Recap. CS514: Intermediate Course in Operating Systems. What time is it? This week. Reminder: Lamport s approach. But what does time mean?

CPSC 467: Cryptography and Computer Security

Pr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]

CSc 466/566. Computer Security. 5 : Cryptography Basics

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

CPSC 467: Cryptography and Computer Security

Yale University Department of Computer Science

Algorithms and Networking for Computer Games

BU CAS CS 538: Cryptography Lecture Notes. Fall itkis/538/

A block cipher enciphers each block with the same key.

Cold Boot Attacks in the Discrete Logarithm Setting

Uniform random numbers generators

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

Quantum Information Theory and Cryptography

Lecture Notes on Secret Sharing

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

6.080 / Great Ideas in Theoretical Computer Science Spring 2008

Transcription:

.. Random Bit Generation Theory and Practice Joshua E. Hill Department of Mathematics, University of California, Irvine Math 235B January 11, 2013 http://bit.ly/xwdbtv v. 1 / 47

Talk Outline 1 Introduction 2 Non-Deterministic Random Bit Generation 3 Deterministic Random Bit Generation 4 Conclusion 2 / 47

Section 1 Introduction 3 / 47

The Story Thus Far I We have seen many, many uses for random numbers in cryptography. I This is for reasons coming from game theory. By Kerckhoffs principle, we assume that adversaries know the design, thus know how secret values are selected. Game theory tells us that in these circumstances, the random selection of parameters yields the least advantage for the attacker. I Within computers, we represent any number as a sequence of bits, so I ll generally use the term random bit generator. 4 / 47

Random is as Random Does I Random is not a characteristic of a number. I Processes are random, and we refer to the numbers produced by such processes as random numbers. I Such numbers can be modeled as random variables selected from some probability distribution. 5 / 47

Wheels within Wheels... The term random bit generator is used in a few distinct ways: 1. Truly random: Derived from some underlying physical phenomena which is unpredictable absent direct measurement. 2. Cryptographically random: Computationally difficult for an attacker to guess future outputs given past outputs. 3. Statistically random: Models some particular statistical distribution well. 6 / 47

When I use a word.... Definition. A cryptographic random bit generator, with security bound L bits, produces sequences of random bits.r 1 ; R 2 ; : : : ; R n / such that. 1. The generator is unbiased: Pr R j D 0 D 1 2. 2. The bits are uncorrelated: Pr R j D 0jR 1 ; R 2 ; : : : ; R j 1 D 1 2. 3. Negligible advantage: An attacker can t distinguish between a true uniform random bit generator and the cryptographic random bit generator without performing at least 2 L operations. This third goal is equivalent to the goal Computationally difficult for an attacker to guess future outputs given past outputs.. 7 / 47

You Can t Get There From Here... There are a few approaches to this: I Use a non-deterministic random bit generator (NDRBG, a.k.a., a True Random Number Generator). Most physical sources aren t well modeled by uniform distributions. Most physical sources are fragile and can fail, often subtly. Most physical sources produce random bits very slowly. Many physical sources can be affected by a suitably powerful attacker. I Use a deterministic random bit generator (DRBG, a.k.a. pseudo-random number generator, or PRNG). Good designs: Have excellent statistical properties. Are easy to test. Can produce vast amounts of output quickly. Are difficult for an attacker to influence. Can accumulate entropy (uncertainty). 8 / 47

You Can t Get There From Here... There are a few approaches to this: I Use a non-deterministic random bit generator (NDRBG, a.k.a., a True Random Number Generator). Most physical sources aren t well modeled by uniform distributions. Most physical sources are fragile and can fail, often subtly. Most physical sources produce random bits very slowly. Many physical sources can be affected by a suitably powerful attacker. I Use a deterministic random bit generator (DRBG, a.k.a. pseudo-random number generator, or PRNG). Good designs: Have excellent statistical properties. Are easy to test. Can produce vast amounts of output quickly. Are difficult for an attacker to influence. Can accumulate entropy (uncertainty). Require input that cannot be predicted by an attacker. :-( 9 / 47

You got your NDRBG in my DRBG! I Reasonable designs must involve both a DRBG and a NDRBG. The NDRBG could be integrated into the design. The NDRBG could be used during manufacturing. I The NDRBG is the ultimate source of uncertainty (and thus security). I The DRBG: Conditions the output and gives it excellent statistical properties. Remains secure any time after being seeded by reasonable NDRBG input, even if the NDRBG fails later. Can produce a very large amount of input given a very modest amount of reasonable input from the NDRBG. 10 / 47

Section 2 Non-Deterministic Random Bit Generation 11 / 47

NDRBG Outline 1 Introduction 2 Non-Deterministic Random Bit Generation Information Theory Entropy Source Test, Test, Test NDRBG Conclusion 3 Deterministic Random Bit Generation 4 Conclusion 12 / 47

Subsection 1 Information Theory 13 / 47

How Many Bits Would a Bit Compressor Compress if... I The traditional measure of uncertainty from Information Theory is called entropy. I Much like randomness, messages do not have entropy. Message sources have entropy. I There are several related notions of entropy. I Shannon entropy is the most widely adopted notion of entropy. I It tells you the minimal average message length for a source.. Definition. Shannon Entropy. nx H.X/ D p i lg.p i / id1 14 / 47

No, Mr. Bond, I Expect You to Guess. I Shannon entropy is not really what we want. I We want a worst case, not the average case. I We get it from a generalization of Shannon Entropy called Rényi entropy.. Definition. Rényi Entropy! H.X/ D 1 nx 1 lg pį. id1 I Letting! 1 gives us Shannon Entropy. 15 / 47

Mirror Mirror on the Wall... I Take the limit as! 1 yields the worst-case: Min-entropy. I In some sense, min-entropy is a lower bound for any other notion of entropy.. Definition. Min-Entropy. H 1.X/ D lg.max p i / i 16 / 47

Subsection 2 Entropy Source 17 / 47

When The Diode Breaks: Sources of Entropy I Well understood sources Ring oscillators Noisy diodes Radioactive decay (Other) Quantum effects I Somewhat understood sources Fluid turbulence (or other other chaotic systems) Audio noise Radio noise CCD noise I Poorly understood sources Process scheduling patterns Network packet arrival timing Booting randomness Keyboard / mouse movement 18 / 47

Beyond Good and Evil I A Good Source is very simple and easy to analyze. has a readily identifiable and quantifiable source for uncertainty. is difficult for an attacker to monitor. can be well modeled by some well understood statistical distribution so that min-entropy can be estimated. can be easily tested for deviation from this expected distribution. is stable across the the expected operational range of the system. I In summary, a good source is both secure and has assurance of security. 19 / 47

Wait, Am I in the Right Room? Let s examine an ring oscillator: Source: Inductiveload via: Wikipedia I Each gate has a finite switching time. I Variation in switching time is called jitter. I This jitter is induced by thermal noise, which is thought to be a random process (quantum effects dominate). I The jitter for one gate is roughly normally distributed. I Chaining together multiple gates sums the jitter for each gate. I The sum of independent identically distributed normal distributions is normal (with the same mean, and larger standard deviation). 20 / 47

Rings and Things You Sing About, Bring em Out I Initialize the system by opening the loop and allowing to stabilize. I Induce a pulse whose length is (much) less than the oscillator period. I Close the loop. I Time period between rising edge of the pulses. I Subtract the average oscillator period: this is the jitter. 21 / 47

0.010 0.008 0.006 0.004 0.002 Not A Reference to the Book! I The probability distribution function (PDF) for one implementation s jitter looks like this: I Divide the PDF into roughly eighths. I p max D 0:130205 so H 1.X/ 2:94. Great! 22 / 47

0.010 0.008 0.006 0.004 0.002 Not A Reference to the Book! I The probability distribution function (PDF) for one implementation s jitter looks like this: I Divide the PDF into roughly eighths. I p max D 0:130205 so H 1.X/ 2:94. Great! 23 / 47

0.010 0.008 0.006 0.004 0.002 Hot Space I What if the chip gets a bit warm? 0.005 0.004 0.003 0.002 0.001! I p max D 0:283855 is now so H 1.X/ 1:82. I We now have only 61% of our prior entropy. :-( 24 / 47

Fix Up I The assumption about the parameters of the distribution is fragile. I To make our analysis more conservative, analyze the timing difference between consecutive pulses. If the first is longer, output a 1. If the second is longer, output a 0. If equal, no output. Difference of two i.i.d. normal distributions is a normal distribution. Mean and standard deviation should be stable, so p max :5, so H 1.X/ 1 bit. I The local conditions between two consecutive pulses should be very stable. I Ideally, provide the full timing values as the seed. I Account only for one bit of min-entropy per pair. 25 / 47

Subsection 3 Test, Test, Test 26 / 47

Design Testing I After implementation, test your implementation against your assumptions. I Many tool chains silently remove uncertainty. I We can produce a set of likely upper entropy bounds given a great deal of seed data. I Raw timing values allow for extensive design tests. I If we expect full entropy, testing is easy! Diehard / Dieharder sts Statistical tests require some expertise to run and interpret. I If we expect our data to have less than full entropy, we can only run a subset of these tests, and interpretation must be done very carefully. I We can estimate (Shannon) entropy with compression tests. I Testing seed data to assess entropy must be conducted prior to any cryptographic processing. 27 / 47

Unit Testing I Some statistical testing should continue while in use. Examples: Continuous output testing for a stuck-value. Periodic 2 test. I Tune the probability of false failure to an acceptable level (set ˇ low enough so that the lifetime probability of false test failure is low). I Technically, this reduces entropy, though if ˇ is low enough, this is negligible. 28 / 47

Subsection 4 NDRBG Conclusion 29 / 47

Lessons I Only uses sources that you really understand. What physical process is responsible for entropy? What probability distribution models this process well? How does this process change with conditions? I Try to be very conservative with entropy analysis. This results in high assurance lower bound estimates. Never throw away possible entropy, just account and combine conservatively. I Test! Verify that your analysis is supported by reality. Verify that the running NDRBG hasn t failed. 30 / 47

Section 3 Deterministic Random Bit Generation 31 / 47

DRBG Outline 1 Introduction 2 Non-Deterministic Random Bit Generation 3 Deterministic Random Bit Generation DRBG Introduction OFB Based DRBG ANSI X9.31-1998 A.2.4 DRBG CTR-DRBG 4 Conclusion 32 / 47

Subsection 1 DRBG Introduction 33 / 47

A Reminder. Any one who considers arithmetical methods of producing random digits is, of course, in a state of sin. For, as has been pointed out several times, there is no such thing as a random number there are only methods to produce random numbers, and a strict arithmetic procedure of course is not such a method.. John von Neumann 34 / 47

General Idea I Conceptually, a DRBG involves a few processes A function that seeds the DRBG. A function that processes the internal state between outputs. A function that outputs random bits ( Generate ). I Seeding requires entropy input. The other functions can optionally accept entropy input. I Internal state collision leads to cycles (there may be a birthday paradox problem, depending on the design). I We make use of some cryptographic primitive within each of these functions. I Any entropy input must be in large blocks (min-entropy at least as large as the security bound). I Seed input may allow the attacker to manipulate the internal state. 35 / 47

Subsection 2 OFB Based DRBG 36 / 47

A Bad Idea I DES in OFB mode. Source: NIST SP800-38A 37 / 47

A Bad Idea: Notes I Seed by selecting the key, K, and the one block IV. I Keep K secret, use the output of the DES function as the DRBG output. I This (mostly) has excellent statistical properties. I Problem: We expose our internal state (as the DRBG output). I Problem: only V is updated. K is fixed. I Once we randomly return to a previously used internal state, we enter a cycle. I This happens quite quickly! For a block size of 64 bits: Only 2 32 blocks until we expect it to occur. 2 21 blocks until the probability is more than 2 20 that this has occurred. 38 / 47

Subsection 3 ANSI X9.31-1998 A.2.4 DRBG 39 / 47

A Somewhat Better Idea ANSI X9.31-1998 A.2.4 40 / 47

A Somewhat Better Idea: Notes I Seed by selecting a key, K, and a one block V. I The updating DT field helps prevent cycles. I We don t directly expose the internal state. I We never update K (until we rekey). I We can t gracefully provide additional entropy. I The internal state size is still quite small, and can t be expanded. I Seeds can only be as large as the internal state, so must be full entropy to obtain a reasonable security level. 41 / 47

Subsection 4 CTR-DRBG 42 / 47

A Very Good Design: Generate Stages 2 and 3 of NIST s CTR-DRBG Generate: (Stage 1 is not directly relevant to this discussion.) Stage 2: Stage 3: Source: NIST SP800-90A 43 / 47

A Very Good Design: Update Source: NIST SP800-90A 44 / 47

A Very Good Design: Notes I This design allows for effectively arbitrary length seed input. I Seeding input produces V and Key. I V is one cipher block long I Key and V are updated during the Instantiate, Reseed, Generate operations. I Key and V are segregated for the generation loop (reducing the likelihood of a cycle). I Update mixes Key and V (updating all the state between Generates). I Uses block cipher in a Counter-like mode to produce output bits and mix Key and V. I Very unlikely to enter a cycle (with probability less than 2 40 when used as directed). 45 / 47

Section 4 Conclusion 46 / 47

Conclusion I For reasonable security, it is necessary to use both a DBRG and a NDRBG. I For the NDRBG Only use sources that you really understand. Try to be very conservative with entropy analysis. Test! I For the DRBG, use a well understood and evaluated design. The design should: be based on a well understood cryptographic primitive. allow for large seed input. allow for periodic reseeding. not keep any state data fixed. never discard data that might contain entropy. not be susceptible to cycles. 47 / 47

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback