KISS: A Bit Too Simple. Greg Rose

Similar documents
Worksheet: Taylor Series, Lagrange Error Bound ilearnmath.net

Lectures 9 IIR Systems: First Order System

APPENDIX: STATISTICAL TOOLS

Probability & Statistics,

DTFT Properties. Example - Determine the DTFT Y ( e ) of n. Let. We can therefore write. From Table 3.1, the DTFT of x[n] is given by 1

ln x = n e = 20 (nearest integer)

Discrete Fourier Transform (DFT)

PURE MATHEMATICS A-LEVEL PAPER 1

Problem Value Score Earned No/Wrong Rec -3 Total

CDS 101: Lecture 5.1 Reachability and State Space Feedback

Discrete Fourier Transform. Discrete Fourier Transform. Discrete Fourier Transform. Discrete Fourier Transform. Discrete Fourier Transform

Class #24 Monday, April 16, φ φ φ

LECTURE 13 Filling the bands. Occupancy of Available Energy Levels

Numerov-Cooley Method : 1-D Schr. Eq. Last time: Rydberg, Klein, Rees Method and Long-Range Model G(v), B(v) rotation-vibration constants.

Chapter 6 Folding. Folding

Solution to 1223 The Evil Warden.

Discrete Fourier Transform. Nuno Vasconcelos UCSD

z 1+ 3 z = Π n =1 z f() z = n e - z = ( 1-z) e z e n z z 1- n = ( 1-z/2) 1+ 2n z e 2n e n -1 ( 1-z )/2 e 2n-1 1-2n -1 1 () z

Law of large numbers

Digital Signal Processing, Fall 2006

Chapter Taylor Theorem Revisited

A Review of Complex Arithmetic

Part B: Transform Methods. Professor E. Ambikairajah UNSW, Australia

Chapter 2 Infinite Series Page 1 of 11. Chapter 2 : Infinite Series

H2 Mathematics Arithmetic & Geometric Series ( )

Economics 201b Spring 2010 Solutions to Problem Set 3 John Zhu

u r du = ur+1 r + 1 du = ln u + C u sin u du = cos u + C cos u du = sin u + C sec u tan u du = sec u + C e u du = e u + C

Statistics 3858 : Likelihood Ratio for Exponential Distribution

Figure 2-18 Thevenin Equivalent Circuit of a Noisy Resistor

(Reference: sections in Silberberg 5 th ed.)

Chapter Five. More Dimensions. is simply the set of all ordered n-tuples of real numbers x = ( x 1

DFT: Discrete Fourier Transform

Time : 1 hr. Test Paper 08 Date 04/01/15 Batch - R Marks : 120

10. Joint Moments and Joint Characteristic Functions

A Simple Proof that e is Irrational

Option 3. b) xe dx = and therefore the series is convergent. 12 a) Divergent b) Convergent Proof 15 For. p = 1 1so the series diverges.

Quasi-Classical States of the Simple Harmonic Oscillator

CDS 101: Lecture 5.1 Reachability and State Space Feedback

Higher order derivatives

07 - SEQUENCES AND SERIES Page 1 ( Answers at he end of all questions ) b, z = n

MONTGOMERY COLLEGE Department of Mathematics Rockville Campus. 6x dx a. b. cos 2x dx ( ) 7. arctan x dx e. cos 2x dx. 2 cos3x dx

Session : Plasmas in Equilibrium

Washington State University

1985 AP Calculus BC: Section I

The calculation method for SNE

September 23, Honors Chem Atomic structure.notebook. Atomic Structure

How many neutrino species?

Chapter 4 - The Fourier Series

Exam 1. It is important that you clearly show your work and mark the final answer clearly, closed book, closed notes, no calculator.

Derivation of a Predictor of Combination #1 and the MSE for a Predictor of a Position in Two Stage Sampling with Response Error.

orbiting electron turns out to be wrong even though it Unfortunately, the classical visualization of the

INTRODUCTION TO SAMPLING DISTRIBUTIONS

Thomas J. Osler. 1. INTRODUCTION. This paper gives another proof for the remarkable simple

Math 34A. Final Review

ANOVA- Analyisis of Variance

EECE 301 Signals & Systems Prof. Mark Fowler

Integration by Parts

Chapter 3 Fourier Series Representation of Periodic Signals

Strongly Connected Components

ECE594I Notes set 6: Thermal Noise

The Matrix Exponential

Data Assimilation 1. Alan O Neill National Centre for Earth Observation UK

15/03/1439. Lectures on Signals & systems Engineering

The Matrix Exponential

( ) = is larger than. the variance of X V

On the Hamiltonian of a Multi-Electron Atom

Frequency Response & Digital Filters

Bipolar Junction Transistors

They must have different numbers of electrons orbiting their nuclei. They must have the same number of neutrons in their nuclei.

A GENERALIZED RAMANUJAN-NAGELL EQUATION RELATED TO CERTAIN STRONGLY REGULAR GRAPHS

Chapter (8) Estimation and Confedence Intervals Examples

ECEN 655: Advanced Channel Coding Spring Lecture 7 02/04/14. Belief propagation is exact on tree-structured factor graphs.

cycle that does not cross any edges (including its own), then it has at least

How many neutrons does this aluminium atom contain? A 13 B 14 C 27 D 40

Ordinary Differential Equations

Computing and Communications -- Network Coding

n n ee (for index notation practice, see if you can verify the derivation given in class)

Outline. Ionizing Radiation. Introduction. Ionizing radiation

Reliability of time dependent stress-strength system for various distributions

Linear Algebra Existence of the determinant. Expansion according to a row.

u x v x dx u x v x v x u x dx d u x v x u x v x dx u x v x dx Integration by Parts Formula

Abstract Interpretation: concrete and abstract semantics

22/ Breakdown of the Born-Oppenheimer approximation. Selection rules for rotational-vibrational transitions. P, R branches.

First derivative analysis

Comparison of Simple Indicator Kriging, DMPE, Full MV Approach for Categorical Random Variable Simulation

Electrochemistry L E O

Elements of Statistical Thermodynamics

CS 332: Algorithms. Linear-Time Sorting. Order statistics. Slide credit: David Luebke (Virginia)

Physics 302 Exam Find the curve that passes through endpoints (0,0) and (1,1) and minimizes 1

SUMMER 17 EXAMINATION

Iterative Methods of Order Four for Solving Nonlinear Equations

Want to go a-courtin but not allowed to dance? Well then, try this once popular party game as a way to get to know each other.

3 2x. 3x 2. Prepared by Vince Zaccone For Campus Learning Assistance Services at UCSB

10. The Discrete-Time Fourier Transform (DTFT)

Lecture 1: Numerical Integration The Trapezoidal and Simpson s Rule

Recurrence Relations

Ideal crystal : Regulary ordered point masses connected via harmonic springs

Review Exercises. 1. Evaluate using the definition of the definite integral as a Riemann Sum. Does the answer represent an area? 2

STIRLING'S 1 FORMULA AND ITS APPLICATION

CPU Frequency Tuning for Optimizing the Energy. David Brayford 1

Transcription:

KI: A Bit Too impl Grg Ros ggr@qualcomm.com

Outli KI radom umbr grator ubgrators Efficit attack N KI ad attack oclusio PAGE 2

O approach to PRNG scurity "A radom umbr grator is lik sx: Wh it's good, its odrful; Ad h it's bad, it's still prtty good." Add to that, i li ith my rcommdatios o combiatio grators; "Ad if it's bad, try a tosom or thrsom. -- Gorg Marsaglia, quotig himslf (1999) PAGE 3

KI a Psudo-Radom Numbr Grator Kp it impl tupid Marsaglia ad Zama, Florida tat U, 1993 Marsaglia posts vrsio to sci.crypt, 1998/99, took off Nvr said it as scur! Good thig, too But othrs sm to thik it is. #dfi z (z=36969*(z&65535)(z>>16)) #dfi (=18000*(&65535)(>>16)) #dfi MW ((z<<16) ) #dfi HR3 (jsr^=(jsr<<17), jsr^=(jsr>>13), jsr^=(jsr<<5)) #dfi ONG (jcog=69069*jcog1234567) #dfi KI ((MW^ONG)HR3) PAGE 4

KI diagram z M W O N G H R 3 K I PAGE 5

Multiply With arry subgrator z ad 16 bits radom lookig, 32 bits of stat Multiply by costat (18000, 36969 rsp), add carry from prvious multiplicatio Priods about 2 29.1 ad 2 30.2 to log cycls ach To bad valus (0 ad somthig ls) rpat forvr Larg stats go ito smallr os aftr o updat z oly affcts high ordr bits. PAGE 6

Liar ogrutial subgrator Wll studid, priod 2 32, sigl log cycl Lo ordr bits form smallr liar cogrutial grators I particular, LB gos 01010101010 PAGE 7

3-hift Rgistr subgrator Liar, but ot lik LFR Authors assum log priod, but rog LBs of output form o of 64 LFRs Priods rag from 1 to 2 28.2 (ot 2 32-1!) a rcovr iitial stat from 32 coscutiv LBs asily Biary matrix multiplicatio PAGE 8

Attack ida Divid ad oqur Rgistrs ar updatd idpdtly of ach othr, th combid o try to gt rid of ffcts of o or mor rgistrs O of thm is alrady partly go! Exploit aksss (g. Liarity of HR3, lo ordr bits of ONG) Guss ad Dtrmi Guss (that is, try all possibilitis) for som valus, th Driv othr valus Vrify hthr still cosistt PAGE 9

What do ko at th start? z M W O N G Gussd Dtrmid No ko H R 3 K I PAGE 10

Guss z M W O N G Gussd Dtrmid No ko H R 3 K I PAGE 11

Guss LB of ONG (01010 or 10101 ) z M W O N G Gussd Dtrmid No ko H R 3 K I PAGE 12

Dtrmi LB squc from HR3 z M W O N G Gussd Dtrmid No ko H R 3 K I PAGE 13

Vrify LB squc from HR3 is LFR z M W O N G Gussd Dtrmid No ko H R 3 K I PAGE 14

Dtrmi half of ONG z M W O N G Gussd Dtrmid No ko H R 3 K I PAGE 15

Guss top half of ONG z M W O N G Gussd Dtrmid No ko H R 3 K I PAGE 16

Dtrmi lo half of z z M W O N G Gussd Dtrmid No ko H R 3 K I PAGE 17

Dtrmi high half of z from lo half z M W O N G Gussd Dtrmid No ko H R 3 K I PAGE 18

Ad vrify z M W O N G Gussd Dtrmid No ko H R 3 K I PAGE 19

Ho much ork? Domiatd by tryig, o avrag, 589,823,999 valus for Ad for ach o, usig Brlkamp-Massy algorithm to chck hthr th cadidat for HR3 is LFR Altrativly, ca chck parity quatios. F hours o laptop. PAGE 20

Nr KI ci.crypt 2011 postig by Marsaglia Lookig for logr ad logr cycls Priod > 10 40,000,000 tat is ridiculously larg (2 22 3 32-bit ords) Agai combis multipl compots for scurity b32mw (2 22 ords) H R 3 O N G PAGE 21

N KI static usigd log Q[4194304],carry=0; usigd log b32mw(void) {usigd log t,x; static it j=4194303; j=(j1)&4194303; x=q[j]; t=(x<<28)carry; carry=(x>>4)-(t<x); rtur (Q[j]=t-x); } #dfi NG ( cg=69069*cg13579 ) #dfi X ( xs^=(xs<<13), xs^=(xs>>17), xs^=(xs<<5) ) #dfi KI ( b32mw()ngx ) PAGE 22

omplmtd Multiply With arry Larg circular buffr ith carry variabl Extrmly log priod tat valus ar usd dirctly for output a b ru backard Aftr o rotatio through buffr, ca chck cosistcy asily (usd i attack) By itslf has o cryptographic strgth at all output is stat PAGE 23

Attack o N KI impl divid ad coqur Guss stat of ONG ad HR3 Ru grator forard slightly mor tha a full rotatio of b32mw s buffr If 3 outputs ar mutually cosistt, must hav gussd corrctly Ru backard to rcovr full iitial stat Equivalt to 2 63 ky stup opratios But th ky is hug, so is th ky stup opratio PAGE 24

oclusio M & Z ovrstimatd th priod by about a factor of 10 KI is ot scur Nd about 70 ords of gratd output a apply attack to uko (but biasd) plaitxt Rplac B-M stp ith fast corrlatio attack till surprisigly fficit Do t us KI if you d scurity! PAGE 25

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback