The Dual Elliptic Curve Deterministic RBG

Similar documents
Cryptanalysis of the Dual Elliptic Curve Pseudorandom Generator

Elliptic Curve DRNGs. Çetin Kaya Koç Winter / 19

Elliptic Curve DRNGs. Çetin Kaya Koç Winter / 21

Analysis of Underlying Assumptions in NIST DRBGs

Random Bit Generation

Information Security

Other Public-Key Cryptosystems

Efficient Pseudorandom Generators Based on the DDH Assumption

True & Deterministic Random Number Generators

Weil Image Sums. (and some related problems) Joshua E. Hill. Department of Mathematics University of California, Irvine

An Improved Pseudorandom Generator Based on Hardness of Factoring

Other Public-Key Cryptosystems

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

Chapter 10 Elliptic Curves in Cryptography

Efficient Pseudorandom Generators Based on the DDH Assumption

Quantum Permanent Compromise Attack to Blum-Micali Pseudorandom Generator

8 Elliptic Curve Cryptography

Short Exponent Diffie-Hellman Problems

State Recovery Attacks on Pseudorandom Generators

CPSC 467: Cryptography and Computer Security

CSCE 564, Fall 2001 Notes 6 Page 1 13 Random Numbers The great metaphysical truth in the generation of random numbers is this: If you want a function

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

An Efficient Discrete Log Pseudo Random Generator

Chair for Network Architectures and Services Institute of Informatics TU München Prof. Carle. Network Security. Chapter 2 Basics

Introduction to Cryptology. Lecture 20

Selecting Elliptic Curves for Cryptography Real World Issues

Discrete Logarithm Problem

Cryptography IV: Asymmetric Ciphers

CPSC 467b: Cryptography and Computer Security

Suppose F is a field and a1,..., a6 F. Definition 1. An elliptic curve E over a field F is a curve given by an equation:

Public-key Cryptography and elliptic curves

Notes for Lecture Decision Diffie Hellman and Quadratic Residues

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle

Pseudo-random Number Generation. Qiuliang Tang

1 Number Theory Basics

Lecture 6: Cryptanalysis of public-key algorithms.,

Elliptic Curves I. The first three sections introduce and explain the properties of elliptic curves.

Definition of a finite group

Public-key Cryptography and elliptic curves

Introduction to Modern Cryptography Recitation 3. Orit Moskovich Tel Aviv University November 16, 2016

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Lecture 14: Cryptographic Hash Functions

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs

Pseudorandom Generators

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

An Improved Pseudo-Random Generator Based on Discrete Log

Number Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers

Asymmetric Encryption

Lecture 3: Randomness in Computation

Discrete logarithm and related schemes

Yale University Department of Computer Science

NON-LINEAR COMPLEXITY OF THE NAOR REINGOLD PSEUDO-RANDOM FUNCTION

Lattice Cryptography

6. ELLIPTIC CURVE CRYPTOGRAPHY (ECC)

An Introduction to Probabilistic Encryption

Pseudorandom Generators

Digital Signatures. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay

CPSC 467b: Cryptography and Computer Security

Simple Unpredictable Pseudo-Random Number Generator

14 Diffie-Hellman Key Agreement

Counting Prime Numbers with Short Binary Signed Representation

Public Key Cryptography

CSC 5930/9010 Modern Cryptography: Number Theory

Computational Number Theory. Adam O Neill Based on

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Elliptic Curve Cryptography

Topics in Cryptography. Lecture 5: Basic Number Theory

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

1 Cryptographic hash functions

6.080 / Great Ideas in Theoretical Computer Science Spring 2008

CIS 551 / TCOM 401 Computer and Network Security

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

Notes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I

Fast, twist-secure elliptic curve cryptography from Q-curves

Chapter 4 Asymmetric Cryptography

Asymmetric Cryptography

Lecture Notes, Week 6

Public Key Cryptography

CPSC 467b: Cryptography and Computer Security

5 Public-Key Encryption: Rabin, Blum-Goldwasser, RSA

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

Public-Key Cryptosystems CHAPTER 4

Random number generators

Cryptography and Security Final Exam

On Pseudorandomness w.r.t Deterministic Observers

Prevention of Exponential Equivalence in Simple Password Exponential Key Exchange (SPEKE)

Final Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.

Hash Functions. A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length.

PREDICTING MASKED LINEAR PSEUDORANDOM NUMBER GENERATORS OVER FINITE FIELDS

Introduction to Elliptic Curve Cryptography. Anupam Datta

On the complexity of computing discrete logarithms in the field F

Faster F p -arithmetic for Cryptographic Pairings on Barreto-Naehrig Curves

Optimal Randomness Extraction from a Diffie-Hellman Element

Introduction to Cybersecurity Cryptography (Part 4)

Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)

CS 355: TOPICS IN CRYPTOGRAPHY

An Introduction to Elliptic Curve Cryptography

A Practical Elliptic Curve Public Key Encryption Scheme Provably Secure Against Adaptive Chosen-message Attack

CPSC 467: Cryptography and Computer Security

Transcription:

/ The Dual Elliptic Curve Deterministic RBG Background, Specification, Security and Notes Joshua E Hill Department of Mathematics, University of California, Irvine Math C Mathematical Cryptography June, http://bitly/decdrbg v

Talk Outline / Introduction Background Security Goals of the Dual EC DRBG The Dual EC DRBG Specification Underlying Theoretical Basis of Security Attacks, Findings and Notes Conclusion

Introduction Outline / Introduction Background Security Goals of the Dual EC DRBG The Dual EC DRBG Specification Underlying Theoretical Basis of Security Attacks, Findings and Notes Conclusion

/ Introduction I We ll talk about Number Theoretic RBGs I We ll talk about the desired goals of any reasonable RBG I We ll provide a specification for the Dual Elliptic Curve Deterministic RBG I We ll discuss the relevant problems I We ll describe some attacks on this DRBG

Background / Introduction Background Security Goals of the Dual EC DRBG The Dual EC DRBG Specification Underlying Theoretical Basis of Security Attacks, Findings and Notes Conclusion

/ I mean, what s the point? I There are many quick, well-designed RBGs in the world I They are generally based on ad-hoc assumptions and their security is dependent on some underlying security primitive I We would ideally have some RBG that was as secure as some very difficult problem I The I d have bigger problems design ideal I Such algorithms do exist!

That s HARDCORE! / Definition A hardcore bit (also called hardcore predicate ) is a single bit associated with a one way function Guessing this bit with any significant advantage is equivalent to reversing the associated one-way function

BBS my Heart! / I We have already discussed one such RBG whose security analysis uses this notion: The Blum-Blum-Shub RBG Definition Seed the RBG with < x < n such that x ; n/ D Future states are calculated as x j D x j mod n/ The jth output, r j, is a hardcore bit, generally the parity of x j

So, Presentation Accomplished? / I One bit per modular squaring is not exactly quick I Security bounds are a killer bit security requires a bit modulus bit security requires a bit modulus I If the modulus is k bits long, these multiplications each take at least Ok log k log log k/

/ So, Presentation Accomplished? I One bit per modular squaring is not exactly quick I Security bounds are a killer bit security requires a bit modulus bit security requires a bit modulus I If the modulus is k bits long, these multiplications each take at least Ok log k log log k/ I per bit output

Blum-Micali Random Bit Generator A more closely related design to the deterministic RBG that we are looking at today is: Definition The Blum-Micali Number Generator is specified by a (large) prime p, a generator g of multiplicative order p and an initial value x The jth value is then x j D g x j mod p/ The jth output bit, r j, is if x j < p and otherwise I Surely no performance problem here!¹ I If the modulus is k bits long, modular exponentiation occurs in Ok log k log log k/ ¹This bullet point is intended as sarcasm /

Blum-Micali Random Bit Generator A more closely related design to the deterministic RBG that we are looking at today is: Definition The Blum-Micali Number Generator is specified by a (large) prime p, a generator g of multiplicative order p and an initial value x The jth value is then x j D g x j mod p/ The jth output bit, r j, is if x j < p and otherwise I Surely no performance problem here!¹ I If the modulus is k bits long, modular exponentiation occurs in Ok log k log log k/ I per bit output ¹This bullet point is intended as sarcasm /

GOOOOOOOOOOOOOOOOOOOOOOOOOOOOALS! / Introduction Background Security Goals of the Dual EC DRBG The Dual EC DRBG Specification Underlying Theoretical Basis of Security Attacks, Findings and Notes Conclusion

Cryptographic Random Bit Generator / Definition A cryptographic random bit generator, with security bound L bits, produces sequences of random bits R ; R ; : : : ; R n / such that The generator is unbiased: Pr R j D D The bits are uncorrelated: Pr R j D jr ; R ; : : : ; R j D Negligible advantage: An attacker can t distinguish between a true random bit generator and the cryptographic random bit generator without performing at least L operations

Backtracking Resistance / Definition Backtracking resistance is provided relative to time T if there is assurance that an adversary who has knowledge of the internal state of the DRBG at some time subsequent to time T would be unable to distinguish between observations of ideal random bitstrings and (previously unseen) bitstrings that were output by the DRBG prior to time T NIST SP -A

Prediction Resistance / Definition Prediction resistance is provided relative to time T if there is assurance that an adversary who has knowledge of the internal state of the DRBG at some time prior to T would be unable to distinguish between observations of ideal random bitstrings and bitstrings output by the DRBG at or subsequent to time T NIST SP -A I Note that this requires reseeding for any deterministic design

Cycle Resistance / Definition The random bit generator is said to have cycle resistance if there is a negligible probability that the generator enters a cycle when used as specified Here negligible probability means less than

Specifications of our Lives / Introduction Background Security Goals of the Dual EC DRBG The Dual EC DRBG Specification Underlying Theoretical Basis of Security Attacks, Findings and Notes Conclusion

/ Helper Functions I '/ converts a field element to an integer in a canonical way I x/ takes the x-coordinate in affine coordinates in the provided model for the EC I Extract Bits takes the rightmost (LSBs) of the value

The Algorithm / NIST SP-A

/ Parameters I The generator is intended to produce no more than blocks between reseeding events I P and Q are obviously very important to the security of this generator I Three curves (along with associated P and Q values) are provided I There is a procedure for generating your own values of P and Q

When you ASSUME / Introduction Background Security Goals of the Dual EC DRBG The Dual EC DRBG Specification Underlying Theoretical Basis of Security Attacks, Findings and Notes Conclusion

Elliptic Curve Decisional Diffie-Hellman Problem / Definition Given an elliptic curve E and basepoint P, an attacker cannot distinguish between qp; rp; qrp/ and qp; rp; zp/, where q, r, and z are random values

Truncated Point Problem / Definition Let R be a random point and b a random bitstring matching the length of the output of the truncation function, t The problem of distinguishing between t'xr/// and b is the Truncated Point Problem See [Brown, Gjøsteen ]

x-logarithm Problem / Definition Let E be an elliptic curve over F q, P 2 EF q / Let Z 2 EF q / be chosen uniformly at random and d a random integer in the range Œ; n The x-logarithm problem is the problem of distinguishing between dp and xz/p See [Brown, Gjøsteen ]

No There There / Introduction Background Security Goals of the Dual EC DRBG The Dual EC DRBG Specification Underlying Theoretical Basis of Security Attacks, Findings and Notes Conclusion

/ Inadequate Truncation I Due to [Schoenmakers, Sidorenko ] I If too few bits are truncated, the generator has a predictor I This is as a result of modular arithmetic mod a prime I For k-bit random integers in Œ; k, the lth bit is random I If we restrict to some other (non-power of two length) range, this is no longer true I Thus, there is a small bias associated with the high order bits I Solution: remove at least bits

Too Much Truncation / I Asymptotic estimates of the distribution of x-coordinates by Shparlinski suggest that too much truncation may make a predictor possible as well

/ The LSB for Binary Fields I Due to [Brown, Gjøsteen ] I A set of elliptic curves over binary fields are specified by NIST I B- and K- (both over F ) are such binary fields I These fields have the property that the LSB of the x value is fixed, so should be discarded

The Back Door I Due to [Shumow, Ferguson ] I NIST Prime curves have prime order I Thus there is an integer e so that eq D P I The Attack: An attacker knows e and the prior output R, and the number of bits the system truncates, m The attacker iterates through all m possible values for x, say x ; : : : ; x m If Oy j D x j C ax j C b mod p/ is a square, then x j ; poy j / are points on our EC The correct point, A, must be in the resulting list We have A D sq, so ea D seq/ D sp, so 'xea// is then the next internal state! I This attack difficulty increases exponentially with the number of bits truncated /

The Back Door I Due to [Shumow, Ferguson ] I NIST Prime curves have prime order I Thus there is an integer e so that eq D P I The Attack: An attacker knows e and the prior output R, and the number of bits the system truncates, m The attacker iterates through all m possible values for x, say x ; : : : ; x m If Oy j D x j C ax j C b mod p/ is a square, then x j ; poy j / are points on our EC The correct point, A, must be in the resulting list We have A D sq, so ea D seq/ D sp, so 'xea// is then the next internal state! I This attack difficulty increases exponentially with the number of bits truncated I So, that would be bad then /

The Back Door I Due to [Shumow, Ferguson ] I NIST Prime curves have prime order I Thus there is an integer e so that eq D P I The Attack: An attacker knows e and the prior output R, and the number of bits the system truncates, m The attacker iterates through all m possible values for x, say x ; : : : ; x m If Oy j D x j C ax j C b mod p/ is a square, then x j ; poy j / are points on our EC The correct point, A, must be in the resulting list We have A D sq, so ea D seq/ D sp, so 'xea// is then the next internal state! I This attack difficulty increases exponentially with the number of bits truncated I So, that would be bad then I Does the NSA know e for the provided curves? /

Computational Notes / I This generator is orders of magnitude slower than any of the common (non-number theoretic) RBG designs I It is considerably faster than any of the common number theoretic RBGs EC security (exponential) vs non-ec security (often sub-exponential) Other EC generators output only a single bit per EC point scaling operation

/ Section Conclusion

/ Today s Conclusion I Reseed often I Generate your own P, Q I Truncate aggressively, but not too aggressively

That s All Folks! / Thank You!

/ Bibliography I Barker, Elaine and Kelsey, John NIST Special Publication -A, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, January http://csrcnistgov/publications/nistpubs/800-90a/ SP800-90Apdf I Brown, Daniel RL and Gjøsteen, Kristian A Security Analysis of the NIST SP - Elliptic Curve Random Number Generator, February http://eprintiacrorg/2007/048 I Schoenmakers, Berry and Sidorenko, Andrey Cryptanalysis of the Dual Elliptic Curve Pseudorandom Generator, May http://eprintiacrorg/2006/190 I Ferguson, Niels and Shumow, Dan On the Possibility of a Back door in the NIST SP- Dual EC PRNG, August, http://rump2007crypto/15-shumowpdf

/ Colophon I The principal font is Evert Bloemsma s humanist sans-serif font Legato This font is designed to be exquisitely readable, and is a significant departure from the highly geometric forms that dominate most sans-serif fonts Legato was Evert Bloemsma s final font prior to his untimely death at the age of I The URLs are typeset in Luc(as) de Groot s Consolas, a monospace font with excellent readability

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback