random numbers in cryptography - university of california...
TRANSCRIPT
-
Random Numbers in Cryptography
Martin ŠimkaSentivision, Poland / Technical University of Košice, Slovakia
Miloš Drutarovský Viktor FischerTechnical University of Košice, Slovakia Université Jean Monnet, France
-
Dec 6, 2006 Special purpose hardware for cryptography: Attacks and Applications
2
About Me
• Former PhD student of Technical University of Košice (Slovakia)
• Short time stages (3-4 months):– CoSy group (Prof. Ch.Paar), COSIC group
(Prof. B.Preneel and Prof. I.Verbauwhede), LTSI Lab
• Currently working in– IPTV and VOD technology provider
-
Dec 6, 2006 Special purpose hardware for cryptography: Attacks and Applications
3
Contents• Role of randomness in
cryptography• Applications of random values in
cryptographic algorithms• Different requirements set to
random numbers in dependency onusage
• Generation of random numbers• Most known randomness extraction
techniques in digital systems• Testing and certification process
-
Dec 6, 2006 Special purpose hardware for cryptography: Attacks and Applications
4
Random Numbers
• Wide application in several fields:– Monte Carlo simulation method– Spectrum spreading
telecommunication systems– Generation of primes– Cryptography– Computer games– Gambling industry
-
Dec 6, 2006 Special purpose hardware for cryptography: Attacks and Applications
5
What Is Random? 1/2
• How to prove randomness?
• Exact definition is missing
• For finite numeric sequence –impossible task– What is more random? – 00110011 or 10011100?
-
Dec 6, 2006 Special purpose hardware for cryptography: Attacks and Applications
6
What Is Random? 2/2
-
Dec 6, 2006 Special purpose hardware for cryptography: Attacks and Applications
7
Is There Any Randomness?
• Philosophical question
• God does not play dice with the universe – Albert Einstein
• Several physical phenomena present in nature are supposed to be random: quantum mechanics, noise…
-
Dec 6, 2006 Special purpose hardware for cryptography: Attacks and Applications
8
Coin Flipping
• Generation of random sequence –tale 0, head 1
• Truly random or just difficult-to-describe system?
• Randomness appears due to “instability” of the system
-
Dec 6, 2006 Special purpose hardware for cryptography: Attacks and Applications
9
Randomness Definitions
• Truly random number is generated by a process, whose outcome is:– unpredictable, and – which cannot be subsequentially
reliably reproduced
-
Dec 6, 2006 Special purpose hardware for cryptography: Attacks and Applications
10
Unpredictable sequence
• For unpredictable bit sequence it is computationally infeasible to predict what the next random bit will be, given – complete knowledge of the
algorithm, – the hardware generating the
sequence, and – all of the previously generated bits
-
Dec 6, 2006 Special purpose hardware for cryptography: Attacks and Applications
11
Unrepeatable sequence
• Given the same working conditions (or seed) the generated sequences are completely different
-
Dec 6, 2006 Special purpose hardware for cryptography: Attacks and Applications
12
Practical Randomness
• Sequence that has the samestatistical properties as randombits, is unpredictable and cannotbe reliably reproduced
• Evaluation on how the tested sequence shares the statistical properties of ideal random sequence
-
Dec 6, 2006 Special purpose hardware for cryptography: Attacks and Applications
13
History of RNG
• Patented ATT machine from year 1941 generating random sequence
• Source of randomness –large container of black and white balls
-
Dec 6, 2006 Special purpose hardware for cryptography: Attacks and Applications
14
Sources of randomness
• Decay of radioactive material, quantum mechanics processes
• Thermal and other types of noise
• Frequency instability of free-running oscillators
-
Dec 6, 2006 Special purpose hardware for cryptography: Attacks and Applications
15
Randomness in Cryptography
• Generation of:– Nonce (only once used number)– Key– Challenge– Initialization vector– Padding byte– Blinding value
-
Dec 6, 2006 Special purpose hardware for cryptography: Attacks and Applications
16
Example From Cryptography
• Challenge-response scheme based on keyed one-way function
• Authentication of the entity A to the verifier B
• Random nonce r, shared secret k, MAC function h()
-
Dec 6, 2006 Special purpose hardware for cryptography: Attacks and Applications
17
What does assure the randomness?
• For brute-force attack there are no preferred values, all values have equal probability to be keys
• Any bias (difference from ideally random sequence) that would provide additional information on subsequent generated values
-
Dec 6, 2006 Special purpose hardware for cryptography: Attacks and Applications
18
Requirements on Random Values
• In dependency on application the random numbers have to be:– Unpredictable, un-guessable, non-
correlated, statistically equal (have equal probability)
– Unrepeatable– Secret
-
Dec 6, 2006 Special purpose hardware for cryptography: Attacks and Applications
19
Types of RNG
• TRNGs (True Random Number Generators) – generators of truly random numbers, called also physical generators
• PRNGs (Pseudo-random Number Generators) – generators of pseudo-random sequencies, denoted also as deterministic generators
• Hybrid Generators – combination of above principles
-
Dec 6, 2006 Special purpose hardware for cryptography: Attacks and Applications
20
Random Number Generators
• PRNG – Pseudo-RNG– Good statistical properties– High output rates– Requirement of random seed
• TRNG – True-RNG– Natural sources may have statistical
defects– Post-processing causes lower output
rates– Complicated implementation in
digital systems
-
Dec 6, 2006 Special purpose hardware for cryptography: Attacks and Applications
21
Pseudo-random
• Sometimes statistical properties are prioritized – no bias, equiprobability…
• Need to reproduce the sequence in other time, by other part of system
• Predictability could be acceptable• Looks like random, but is not
truly random – pseudo-random
-
Dec 6, 2006 Special purpose hardware for cryptography: Attacks and Applications
22
PRNG – deterministic
• Anyone who considers arithmetical methods of producing random digits is,of course, in a state of sin (John von Neumann)
• A random seed is expanded to long random-looking sequence
• Security depends on sequence period, internal algorithm
• Knowing internal structure and status or previous values, the output value can be set
-
Dec 6, 2006 Special purpose hardware for cryptography: Attacks and Applications
23
PRNG cont.
• PRNG based on: – LFSR– Hash functions– RSA– Cellular Automata– Quadratic residua– …
-
Dec 6, 2006 Special purpose hardware for cryptography: Attacks and Applications
24
Feedback Shift Register
• Linear for XOR as feedback function– Fibonacci and – Galois configuration
bn bn-1 b2 b1. . . .
feedback function
-
Dec 6, 2006 Special purpose hardware for cryptography: Attacks and Applications
25
Cryptographically secure pseudo-random
• Knowing the algorithm and the previous output it is computationally infeasible to predict the subsequent output– Blum-Blum-Shub– Stream ciphers
-
Dec 6, 2006 Special purpose hardware for cryptography: Attacks and Applications
26
TRNG
• Based on physical source of randomness – entropy, that is impossible to describe in deterministic way
• Distinguish from quasi random sources in computers: mouse pointer movements, access time of hard disc, system time – these are difficult to describe, low-entropy sources
-
Dec 6, 2006 Special purpose hardware for cryptography: Attacks and Applications
27
Typical block diagram of TRNG
Source ofrandomness
Post-processing
Outputbuffer
analogue part digital part
external interfaceA/D conversion
noisesignal
digitisednoisesignal
internalrandom
sequence
randomnumber
sequence
-
Dec 6, 2006 Special purpose hardware for cryptography: Attacks and Applications
28
Ring oscillator
• Chain of odd number of invertors• Delayed feedback from the last
NOT gate to the first one causes oscillation
-
Dec 6, 2006 Special purpose hardware for cryptography: Attacks and Applications
29
PLL-based TRNG
D Q
PLL1
PLL2
CLJ
CLK
CLI
OUT
• Stable ratio between CLK and CLJ• Sampling tracking jitter of PLL
-
Dec 6, 2006 Special purpose hardware for cryptography: Attacks and Applications
30
Hybrid RNG
• Slow TRNG seeds PRNG• Important is to divide clearly both
system– Mixing truly random values with low
entropy and pseudo-random values does not provide acceptable solution
• Offers high bit-rate output based on truly random seed
-
Dec 6, 2006 Special purpose hardware for cryptography: Attacks and Applications
31
Internal status of RNG
• PRNG: – Previous output value– Directly influences the subsequent output
value
• Crypto secure PRNG– Hidden, not revealed with output sequence
• TRNG– No internal status/memory– The output depends only on current physical
conditions, not on previous output
-
Dec 6, 2006 Special purpose hardware for cryptography: Attacks and Applications
32
Entropy
• In PRNG– Given by entropy of the seed– Constant
• In TRNG– Increasing by each generated
random value– Need to set level of entropy of the
source
-
Dec 6, 2006 Special purpose hardware for cryptography: Attacks and Applications
33
Entropy cont.
• The entropy does not give a guaranty for randomness
– Zipped file has high level of entropy (information), however, the archived content is fully deterministic
– On other hand, if sequence can be compressed, it is not truly random
-
Dec 6, 2006 Special purpose hardware for cryptography: Attacks and Applications
34
Implementations of TRNG
• FPGA– Xilinx:
• Kohlbrenner and Gaj (ring oscillators)• Schellekens et al. (ring oscillators)• Tsoi et al. (external RC circuit)• Golic (Fibonacci and Galois ring oscillators)
– Altera and Actel:• Fischer, Drutarovský, Šimka (PLLs)
• Industrial solutions – Intel motherboard chipset – VIA processors
-
Dec 6, 2006 Special purpose hardware for cryptography: Attacks and Applications
35
Netscape case of unsecure RNG
• Wrong implementation of RNG in Netscape for SSL encryption protocol
• Seed value of the PRNG was derived only from 3 parameters: – Time of day, – ID of running and – ID of parent process
-
Dec 6, 2006 Special purpose hardware for cryptography: Attacks and Applications
36
Concepts of TRNG
• Sunar et al.– Model of entropy collection process– Specification of TRNG parameters
based on model
• Bucci and Luzzi
-
Dec 6, 2006 Special purpose hardware for cryptography: Attacks and Applications
37
Certification process
• FIPS 140-2 standard (NIST)– Originally 4 included tests (monobit, poker,
runs, long runs on 20.000 bits) were removed
• AIS standards (German Federal Office for Information Security (BSI))– AIS 21 for PRNG– AIS 31 for TRNG– Model of randomness extraction– Analysis of digitalized analogue samples
-
Dec 6, 2006 Special purpose hardware for cryptography: Attacks and Applications
38
Statistical tests
• NIST test suite
• AIS
• DIEHARD tests by G. Marsaglia
• Special tests suited to extraction method
-
Dec 6, 2006 Special purpose hardware for cryptography: Attacks and Applications
39
Quastions & Answers
-
Dec 6, 2006 Special purpose hardware for cryptography: Attacks and Applications
40
Thank you!
-
Dec 6, 2006 Special purpose hardware for cryptography: Attacks and Applications
41
References
• NIST test suite– http://csrc.nist.gov/rng/rng2.html
• AIS 31– http://www.bsi.bund.de/zertifiz/zer
t/interpr/ais_cc.htm
• RFC 1750– http://www.ietf.org/rfc/rfc1750.txt
http://csrc.nist.gov/rng/rng2.htmlhttp://www.bsi.bund.de/zertifiz/zert/interpr/ais_cc.htmhttp://www.bsi.bund.de/zertifiz/zert/interpr/ais_cc.htmhttp://www.ietf.org/rfc/rfc1750.txt
Random Numbers �in CryptographyAbout MeContentsRandom NumbersWhat Is Random?1/2What Is Random?2/2Is There Any Randomness?Coin FlippingRandomness DefinitionsUnpredictable sequenceUnrepeatable sequencePractical RandomnessHistory of RNGSources of randomnessRandomness in CryptographyExample From CryptographyWhat does assure the randomness?Requirements on Random ValuesTypes of RNGRandom Number GeneratorsPseudo-randomPRNG – deterministic PRNG cont.Feedback Shift RegisterCryptographically secure �pseudo-randomTRNGTypical block diagram of TRNGRing oscillatorPLL-based TRNGHybrid RNGInternal status of RNGEntropyEntropy cont.Implementations of TRNGNetscape case of unsecure RNGConcepts of TRNGCertification processStatistical testsQuastions & AnswersThank you!References