KI: A Bit Too impl Grg Ros ggr@qualcomm.com
Outli KI radom umbr grator ubgrators Efficit attack N KI ad attack oclusio PAGE 2
O approach to PRNG scurity "A radom umbr grator is lik sx: Wh it's good, its odrful; Ad h it's bad, it's still prtty good." Add to that, i li ith my rcommdatios o combiatio grators; "Ad if it's bad, try a tosom or thrsom. -- Gorg Marsaglia, quotig himslf (1999) PAGE 3
KI a Psudo-Radom Numbr Grator Kp it impl tupid Marsaglia ad Zama, Florida tat U, 1993 Marsaglia posts vrsio to sci.crypt, 1998/99, took off Nvr said it as scur! Good thig, too But othrs sm to thik it is. #dfi z (z=36969*(z&65535)(z>>16)) #dfi (=18000*(&65535)(>>16)) #dfi MW ((z<<16) ) #dfi HR3 (jsr^=(jsr<<17), jsr^=(jsr>>13), jsr^=(jsr<<5)) #dfi ONG (jcog=69069*jcog1234567) #dfi KI ((MW^ONG)HR3) PAGE 4
KI diagram z M W O N G H R 3 K I PAGE 5
Multiply With arry subgrator z ad 16 bits radom lookig, 32 bits of stat Multiply by costat (18000, 36969 rsp), add carry from prvious multiplicatio Priods about 2 29.1 ad 2 30.2 to log cycls ach To bad valus (0 ad somthig ls) rpat forvr Larg stats go ito smallr os aftr o updat z oly affcts high ordr bits. PAGE 6
Liar ogrutial subgrator Wll studid, priod 2 32, sigl log cycl Lo ordr bits form smallr liar cogrutial grators I particular, LB gos 01010101010 PAGE 7
3-hift Rgistr subgrator Liar, but ot lik LFR Authors assum log priod, but rog LBs of output form o of 64 LFRs Priods rag from 1 to 2 28.2 (ot 2 32-1!) a rcovr iitial stat from 32 coscutiv LBs asily Biary matrix multiplicatio PAGE 8
Attack ida Divid ad oqur Rgistrs ar updatd idpdtly of ach othr, th combid o try to gt rid of ffcts of o or mor rgistrs O of thm is alrady partly go! Exploit aksss (g. Liarity of HR3, lo ordr bits of ONG) Guss ad Dtrmi Guss (that is, try all possibilitis) for som valus, th Driv othr valus Vrify hthr still cosistt PAGE 9
What do ko at th start? z M W O N G Gussd Dtrmid No ko H R 3 K I PAGE 10
Guss z M W O N G Gussd Dtrmid No ko H R 3 K I PAGE 11
Guss LB of ONG (01010 or 10101 ) z M W O N G Gussd Dtrmid No ko H R 3 K I PAGE 12
Dtrmi LB squc from HR3 z M W O N G Gussd Dtrmid No ko H R 3 K I PAGE 13
Vrify LB squc from HR3 is LFR z M W O N G Gussd Dtrmid No ko H R 3 K I PAGE 14
Dtrmi half of ONG z M W O N G Gussd Dtrmid No ko H R 3 K I PAGE 15
Guss top half of ONG z M W O N G Gussd Dtrmid No ko H R 3 K I PAGE 16
Dtrmi lo half of z z M W O N G Gussd Dtrmid No ko H R 3 K I PAGE 17
Dtrmi high half of z from lo half z M W O N G Gussd Dtrmid No ko H R 3 K I PAGE 18
Ad vrify z M W O N G Gussd Dtrmid No ko H R 3 K I PAGE 19
Ho much ork? Domiatd by tryig, o avrag, 589,823,999 valus for Ad for ach o, usig Brlkamp-Massy algorithm to chck hthr th cadidat for HR3 is LFR Altrativly, ca chck parity quatios. F hours o laptop. PAGE 20
Nr KI ci.crypt 2011 postig by Marsaglia Lookig for logr ad logr cycls Priod > 10 40,000,000 tat is ridiculously larg (2 22 3 32-bit ords) Agai combis multipl compots for scurity b32mw (2 22 ords) H R 3 O N G PAGE 21
N KI static usigd log Q[4194304],carry=0; usigd log b32mw(void) {usigd log t,x; static it j=4194303; j=(j1)&4194303; x=q[j]; t=(x<<28)carry; carry=(x>>4)-(t<x); rtur (Q[j]=t-x); } #dfi NG ( cg=69069*cg13579 ) #dfi X ( xs^=(xs<<13), xs^=(xs>>17), xs^=(xs<<5) ) #dfi KI ( b32mw()ngx ) PAGE 22
omplmtd Multiply With arry Larg circular buffr ith carry variabl Extrmly log priod tat valus ar usd dirctly for output a b ru backard Aftr o rotatio through buffr, ca chck cosistcy asily (usd i attack) By itslf has o cryptographic strgth at all output is stat PAGE 23
Attack o N KI impl divid ad coqur Guss stat of ONG ad HR3 Ru grator forard slightly mor tha a full rotatio of b32mw s buffr If 3 outputs ar mutually cosistt, must hav gussd corrctly Ru backard to rcovr full iitial stat Equivalt to 2 63 ky stup opratios But th ky is hug, so is th ky stup opratio PAGE 24
oclusio M & Z ovrstimatd th priod by about a factor of 10 KI is ot scur Nd about 70 ords of gratd output a apply attack to uko (but biasd) plaitxt Rplac B-M stp ith fast corrlatio attack till surprisigly fficit Do t us KI if you d scurity! PAGE 25