Entropy Estimation by Example

Similar documents
Streaming Algorithms for Optimal Generation of Random Bits

The Entropy Bogeyman. Ed Morris and Khai Van November 5, 2015 International Crypto Module Conference

Contents. ID Quantique SA Tel: Chemin de la Marbrerie 3 Fax : Carouge

Streaming Algorithms for Optimal Generation of Random Bits

Chair for Network Architectures and Services Institute of Informatics TU München Prof. Carle. Network Security. Chapter 2 Basics

Random Bit Generation

Enough Entropy? Justify It!

Public-key Cryptography: Theory and Practice

The Hash Function JH 1

Entropy Estimation Methods for SW Environments in KCMVP. NSR: Seogchung Seo, Sangwoon Jang Kookmin University: Yewon Kim, Yongjin Yeom

Survey of Hardware Random Number Generators (RNGs) Dr. Robert W. Baldwin Plus Five Consulting, Inc.

Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version

An Entropy Bound for Random Number Generation

Table Of Contents. ! 1. Introduction to AES

1 Cryptographic hash functions

A semi-device-independent framework based on natural physical assumptions

Leftovers from Lecture 3

Algebraic properties of SHA-3 and notable cryptanalysis results

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies

General Strong Polarization

Cube Test Analysis of the Statistical Behavior of CubeHash and Skein

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

( ) ( ) Monte Carlo Methods Interested in. E f X = f x d x. Examples:

Analysis of Message Injection in Stream Cipher-based Hash Functions

What is the Q in QRNG?

Pseudo-Random Numbers Generators. Anne GILLE-GENEST. March 1, Premia Introduction Definitions Good generators...

How does the computer generate observations from various distributions specified after input analysis?

Entropy. Probability and Computing. Presentation 22. Probability and Computing Presentation 22 Entropy 1/39

Analysis of cryptographic hash functions

EE376A - Information Theory Final, Monday March 14th 2016 Solutions. Please start answering each question on a new page of the answer booklet.

MATH UN Midterm 2 November 10, 2016 (75 minutes)

Multimedia Communications. Mathematical Preliminaries for Lossless Compression

/dev/random and SP800-90B

An Approach for Entropy Assessment of Ring Oscillator- Based Noise Sources. InfoGard, a UL Company Dr. Joshua Hill

The Communication Complexity of Correlation. Prahladh Harsha Rahul Jain David McAllester Jaikumar Radhakrishnan

FPGA BASED DESIGN OF PARALLEL CRC GENERATION FOR HIGH SPEED APPLICATION

CPSC 467: Cryptography and Computer Security

Lecture Notes. Advanced Discrete Structures COT S

1 Cryptographic hash functions

Lecture 10 - MAC s continued, hash & MAC

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Fast correlation attacks on certain stream ciphers

AURORA: A Cryptographic Hash Algorithm Family

Distinguishers for the Compression Function and Output Transformation of Hamsi-256

MS&E 226: Small Data. Lecture 11: Maximum likelihood (v2) Ramesh Johari

International Journal of Scientific & Engineering Research, Volume 7, Issue 8, August ISSN MM Double Exponential Distribution

Cryptographic Hash Functions

Random Number Generation Is Getting Harder It s Time to Pay Attention

ECE 512 Digital System Testing and Design for Testability. Model Solutions for Assignment #3

Cryptographic Hash Functions Part II

Topics in Computer Mathematics

Information & Correlation

LINEAR FEEDBACK SHIFT REGISTER BASED UNIQUE RANDOM NUMBER GENERATOR

Table Of Contents. ! 1. Introduction to Quantum Computing. ! 2. Physical Implementation of Quantum Computers

PROBABILITY AND INFORMATION THEORY. Dr. Gjergji Kasneci Introduction to Information Retrieval WS

Symmetric Crypto Systems

Cryptography CS 555. Topic 24: Finding Prime Numbers, RSA

Lecture 11: Quantum Information III - Source Coding

Symmetric Crypto Systems

Information Security

A Brief Review of Probability, Bayesian Statistics, and Information Theory

Introduction to Information Theory. Uncertainty. Entropy. Surprisal. Joint entropy. Conditional entropy. Mutual information.

CPSC 467: Cryptography and Computer Security

Dept. of Linguistics, Indiana University Fall 2015

An Improved Fast and Secure Hash Algorithm

9. Distance measures. 9.1 Classical information measures. Head Tail. How similar/close are two probability distributions? Trace distance.

EECS150 - Digital Design Lecture 21 - Design Blocks

Pseudorandom Generators

Entropies & Information Theory

Cryptographic Hashing

Pseudo-Random Generators

EE5139R: Problem Set 4 Assigned: 31/08/16, Due: 07/09/16

An instantaneous code (prefix code, tree code) with the codeword lengths l 1,..., l N exists if and only if. 2 l i. i=1

Foundations of Network and Computer Security

Pseudo-Random Generators

Private-Key Encryption

Avoiding collisions Cryptographic hash functions. Table of contents

Topics. Pseudo-Random Generators. Pseudo-Random Numbers. Truly Random Numbers

Quiz 1 Date: Monday, October 17, 2016

Attacks on hash functions. Birthday attacks and Multicollisions

arxiv: v1 [cs.it] 23 Dec 2014

Parallel Cube Tester Analysis of the CubeHash One-Way Hash Function

Cryptographically Robust Large Boolean Functions. Debdeep Mukhopadhyay CSE, IIT Kharagpur

CPSC 467: Cryptography and Computer Security

Lecture 1. Crypto Background

Security Analysis of the Compression Function of Lesamnta and its Impact

MCV172, HW#3. Oren Freifeld May 6, 2017

COMPOSITIONS OF LINEAR FUNCTIONS AND APPLICATIONS TO HASHING

New attacks on Keccak-224 and Keccak-256

Efficient Pseudorandom Generators Based on the DDH Assumption

Quantum Information Theory and Cryptography

How Philippe Flipped Coins to Count Data

EECS150 - Digital Design Lecture 26 Error Correction Codes, Linear Feedback Shift Registers (LFSRs)

fsat We next show that if sat P, then fsat has a polynomial-time algorithm. c 2010 Prof. Yuh-Dauh Lyuu, National Taiwan University Page 425

Collision Attack on Boole

Hash Functions: From Merkle-Damgård to Shoup. Ilya Mironov

Quantum Preimage and Collision Attacks on CubeHash

Stream Ciphers: Cryptanalytic Techniques

Transcription:

Entropy Estimation by Example By David Cornwell, PhD Location: ICMC 2015 Date: November 2015 This document is for public distribution.

1 Table Of Contents 1. Introduction to Entropy 2. Unbiasing 3. Conditioning 4. What is the Entropy Estimation Problem? 5. Other Research 6. NIST Entropy Tool 7. Examples of test results for raw entropy sources 8. Improvements to the NIST entropy estimation scheme 9. References 10. Questions?

2 1.1 Introduction to Entropy The Entropy Problem is a serious problem for Vendors, Labs, NIST, NIAP and others Entropy is used to seed Deterministic Random Bit Generators (DRBGs) DRBGs are used to generate keys We need to have confidence keys are generated with the claimed (maximum) entropy You don t want to be the Vendor in the news because Your keys can be trivially recovered on a laptop You don t want to be the Lab in the news because You tested the product of the vendor in the news NIST and NIAP are probably protected from being in the news lets go work for them!

3 1.2 Introduction to Entropy Define Shannon Entropy and Min Entropy Given a discrete random variable X with possible values {xx 1, xx 2, xx nn } and with probabilities pp 1, pp 2 pp nn the entropy of X is defined as H(XX) = nn ii=1 pp ii llllll 2 pp ii 0 The Min-entropy is defined as HH =mmiiii { llllll 2 pp 1, llllll 2 pp 2, llllll 2 pp nn } = llllll 2 max pp ii (Note: -log is a decreasing function) Note: 0 HH HH(XX)

4 2.1 Unbiasing An entropy source may produce a biased stream. Given a biased input stream is it possible to derive an unbiased output stream with better entropy properties? Various techniques used in connection with random digits (J. von Neumann, 1951) Independent unbiased coin flips from a correlated biased source: a finite state Markov chain (M. Blum 1986) Iterating von Neumann s procedure for extracting random bits (Y. Peres, 1992) Efficient Generation of Random Bits from Finite State Markov Chains (H. Zhou and J. Bruck 2011)

5 2.2 Unbiasing von Neumann Unbiasing Von Neumann unbiasing (1951) Simple scheme to generate a shorter unbiased stream from a biased one Assume random biased bits are produced independently of each other Prob (0) = p, Prob (1) = 1-p = q Input String Probability Output String 00 pp 2 Nothing 01 pppp 0 10 qqqq 1 11 qq 2 nothing Consider biased input string 00 01 10 11 01 11 11 10 => 0101 (unbiased output stream)

6 2.3 Unbiasing Peres Unbiasing Note: In any unbiasing method length of output stream is limited by the entropy of the input stream. Problems with the von Neumann method: Assumes input bits are produced independently Output stream is considerably shorter than input (input length = n, output length~npq ) Wastes 00 and 11 bits Peres method (1992) iterates recursively the von Neumann method Takes advantage of the 00 and 11 bits by forming new streams to generate extra bits The rate at which unbiased bits are output ~ entropy of the input stream (Optimally Efficient)

7 2.4 Unbiasing Peres Unbiasing Peres unbiasing example (ref: Markov Chains and Mixing Times, Levin, Peres, Wilmer, p312): Input Bits 00 11 01 01 10 00 10 10 11 10 01 Extracted Bits Extracted unbiased bits A.. 0 0 1. 1 1. 1 0 0011110 Discarded bits 0 1... 0.. 1.. Extracted unbiased bits B. 0...... 0.. 00 XORed bits 0 0 1 1 1 0 1 1 0 1 1 Extracted unbiased bits C..... 1... 0. 10 Extracted unbiased bit stream: 00111100010 Problem: Assumes input bits are independent Can we do any better than this?

8 2.5 Unbiasing Markov Chain Unbiasing Zhou and Bruck reviewed the previous ideas of von Neumann, Blum and Peres Create three new algorithms that improve upon previous ones Processes correlated input streams from a Markov Chain Produces an unbiased output stream Optimal information efficiency See their paper for the details Other ideas? A Comparison of Post-processing Techniques for Biased Random Number Generators (Kwok, Ee, Chew, Zhenk, Khoo, Tan 2011) Compares Von Neumann method against using Linear Codes

9 3.1 Conditioning Conditioning is taking the raw entropy as an input to a function and using the output of the function as the conditioned source of entropy Properties: Smooths out the roughness in the raw entropy source Does not increase the entropy Example conditioning functions: Hash Functions Linear Feedback Shift Registers (LFSRs)

10 3.2 Conditioning Hash Functions A hash function is a random function What can we say about the relationship between the entropy of the input and the entropy of the output? Examples include SHA-256 Case 1 Input entropy is < 256 bits output entropy is < 256 bits Case 2 Input entropy input = 256 bits output entropy is <= 256 bits Case 2 Input entropy is > 256 bits output entropy is <= 256 bits Can we say more than this? Open research problem.

11 3.3 Conditioning LFSRs LFSRs are linear devices Consider a 32 bit LFSR 32 bit non-zero initial fill Primitive polynomial is used to step out the LFSR (Primitive means irreducible and maximal cycle) e.g. PP xx = xx 0 + xx 5 + xx 32 (Note this example polynomial may not be irreducible or primitive) Maximal cycle length is 2 32 1

12 3.4 Conditioning LFSRs LFSR example (contd) Suppose the initial fill has 32 bits of entropy taken from a raw entropy source Step out the LFSR 1,000,000 steps Read off 256 successive bits as the key How much entropy do these 256 bits have? Answer: 32 The first 32 bits of the 256 bits can be used to generate the rest of the 256 bit key There are only 2 32 1 possible sets of 256 bits Not a very good idea!

13 3.5 Conditioning LFSRs Next consider two LFSRs whose output is added (XOR) together. LFSR1 is driven by PPP xx LFSR2 is driven by PP2 xx What polynomial QQ xx does the output stream satisfy? Answer: Q x = LLLLLL PPP xx, PPP xx If PPP xx = PPP(xx) then the output stream is simply satisfied by Q xx = PPP xx If PPP xx aaaaaa PPP(xx) are both primitive and different then QQ xx = PPP xx PPP(xx)

14 3.6 Conditioning LFSRs LFSR example (contd) Suppose each initial fill has 32 bits of entropy taken from a raw entropy source Step out each LFSR 1,000,000 steps Read off 256 successive bits of the summation stream as the key How much entropy do these 256 bits have? Answer: close to 64 bits The first 64 bits of the 256 bits can be used to generate the rest of the 256 bit key using QQ xx = LLLLLL PPP xx, PPP xx As can be seen you need 8 32-bit LFSRs to get close to 256 bits of entropy. You must use at least 8 different primitive polynomials.

15 4.1 What is the Entropy Estimation Problem? Given an entropy source with discrete random variable X with possible values {xx 1, xx 2, xx nn } and with probabilities pp 1, pp 2 pp nn the Entropy Estimation Problem is estimate the entropy HH(XX) or min-entropy HH XX from a data sample ss 1 ss 2 ss TT Given ss 1 ss 2 ss TT we can calculate estimated probabilities { pp 1, pp 2,, pp nn } which are the maximum likelihood estimators (MLEs) also known as plug-in estimators. Then the entropy estimate is given by: nn HH(XX) = ii=1 pp ii llllll 2 pp ii The Min-entropy estimate is given by: HH (X)=mmmmmm { llllll 2 pp 1, llllll 2 pp 2, llllll 2 pp nn }

16 4.2 What is the Entropy Estimation Problem? Example: Random Variable X takes nn = 2 values {0,1} with probabilities pp 1 =0.25, pp 2 =0.75 respectively then HH XX = 0.8113 HH XX = 0.4150 Let TT = 10 Data sample =1101110111 then pp 1 = 2 10 HH XX = 0.7219 HH XX = 0.3219 pp 2 = 8 10 are the MLEs or plug-in values

17 4.3 What is the Entropy Estimation Problem? Properties of HH(XX) Good Properties of estimators SS(XX) (aka statistics) Unbiased: EE SS(XX) =Average value of SS = SS(XX) e.g. repeat the entropy estimation experiment many times and compute the average. Is HH XX unbiased? Answer=No! E( HH XX ) HH(XX) The entropy estimator using plug-in values under-estimates the true entropy value In fact: HH MMMM XX = HH XX + (n 1)/2T is a better estimator of the entropy (MM=Miller-Madow) No unbiased estimator of entropy exists for discrete case Ref: Estimation of Entropy and Mutual Information, Liam Paninski (2003)

18 4.4 What is the Entropy Estimation Problem? Properties of HH (XX) Is HH XX unbiased? Answer Open Research Problem

19 5. Other Research IACR- CHES 2015

20 6.1 NIST Entropy Tool NIST Entropy tool Estimates the min entropy of a data stream Case 1 tests for iid and then performs entropy estimation calculations otherwise Case 2 if data is non-iid performs other entropy estimation calculations

21 6.2 NIST Entropy Tool - iid Python iid_main.py [-h] [-v] datafile bits_per_symbol number_of_shuffles IId (Independent Identically Distributed) calculations Compression Test Over / Under Test Excursion Test Directional Runs Test Covariance Test Collision Test iid shuffle test Chi square independence test Chi square stability test If the data is IID then calculates the Min Entropy value of the data stream Performs some sanity tests: Compression and Collision Tests

22 6.3 NIST Entropy Tool non-iid Python noniid_main.py [-h] [-u usebits] [-v] datafile bits_per_symbol Non-iid calculations Collision Test Partial Collection Test Markov Test Compression Test Frequency Test Estimates Min Entropy of the data sample Performs a sanity check Compression Test Collision Test

23 7.1 Example of Test Results for Raw Entropy Samples Note: The following results are purely scientific results. Booz Allen Hamilton is not endorsing these entropy sources. We ran the NIST entropy tool against the following three data samples 1. NIST Random Beacon 2. Company 2 3. Quintessence Labs Quantum Random Number Generator (QRNG) called qstream Quantum properties of light

24 7.2 Test Results of Data Sample 1 Data Sample 1 = Seed data from NIST Random Beacon Seed data is the XOR of the output of two commercial entropy sources NIST Random Beacon produces 512 bits of output every minute 512 bits seed data samples were concatenated to form 1,000,000 byte input steam to NIST entropy tool Data was treated as 8 bit bytes Results: Data was confirmed as IID Min Entropy Estimate = 7.8852 bits (out of 8) NIST is currently developing a quantum random source

25 7.4 Test Results of Data Sample 3 Quintessence Labs Company provided a conditioned entropy source produced by properties of quantum mechanics - qstream Data Sample 3 1,000,000 byte input steam to NIST entropy tool Data was treated as 8 bit bytes Results: Data confirmed to be IID Min Entropy Estimate = 7.8957 bits (out of 8)

26 8. Improvements to the NIST Entropy Scheme 1. Big Data (fast) entropy estimation no limits on how much data is sampled special purpose devices for fast calculations or on the symbol size 2. All entropy source designs should be available in the public domain and be non-proprietary, like cryptographic algorithm designs 3. There should be an international competition to design and develop the best entropy source for commercial cryptographic applications like there was for AES and SHA-3 algorithms.

27 9.1 References Company Websites: http://www.nist.gov/itl/csd/ct/nist_beacon.cfm http://www.quintessencelabs.com/ Papers: Various techniques used in connection with random digits (J. von Neumann, 1951) Independent unbiased coin flips from a correlated biased source: a finite state Markov chain (M. Blum 1986) Iterating von Neumann s procedure for extracting random bits (Y. Peres, 1992) Efficient Generation of Random Bits from Finite State Markov Chains (H. Zhou and J. Bruck 2011) A Comparison of Post-processing Techniques for Biased Random Number Generators (Kwok, Ee, Chew, Zhenk, Khoo, Tan 2011) Compares Von Neumann method against using Linear Codes

28 9.2 References Estimation of Entropy and Mutual Information, Liam Paninski (2003) NIST entropy tool https://github.com/usnistgov/sp800-90b_entropyassessment Predictive Models for Min-Entropy Estimation, Kelsey, McKay, Turan (2015) Entropy Bounds and Statistical Tests, Hagerty and Draper (2012)

29 10. Questions? David Cornwell, PhD Booz Allen Hamilton Cornwell_david@bah.com 410 684 6579

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback