True Random Number Generators Secure in a Changing Environment Boaz Barak, Ronen Shaltiel, Eran Tromer Weizmann Institute, Israel
True Random Number Generators (TRNG). A TRNG is a device that outputs a sequence of independent bits (i.e., coin tosses): 0110100110111010110… In this talk we focus on the case where the TRNG outputs a block of bits (e.g., 256 bits). (Results generalize to the case of a sequence; also, it is always possible to apply a pseudo-RNG to the block.)
Design of TRNG. A TRNG can be split into two phases: entropy generation and entropy extraction. [Figure: High Entropy Source X → E. Gen → Ext → output bits.] We focus on the entropy extraction phase.
Previous Constructions of Entropy Extraction Phase • Tailor-made design for a "nice" source X (Intel RNG, IBM-4758, …) • Use cryptographic hash functions (PGP, Linux, Apache, …)
Example: Intel RNG. [Figure: raw source bits flowing into the extractor.]
Intel RNG Extractor: the von Neumann operator, applied to disjoint pairs of input bits: 00 → no output; 01 → output 0; 10 → output 1; 11 → no output. If each bit is independently 1 w.p. p, then Pr[output = 1] = Pr[output = 0] = p(1−p) per pair, so the output is unbiased whatever p is. Output length: a pair emits a bit with probability 2p(1−p) ≤ ½, so from n input bits the expected output is m = p(1−p)·n ≤ n/4.
Is the Source Really Independent?? Suppose that the source is independent under "ideal" conditions. Does this hold for all RNGs "out there", in varying (and possibly adversarial) environments? • Proof using physics: ???? (probably not) • Statistical tests: passed all except for "minor deviations in tests involving spectral analysis" [JK99]. Note: there are natural sources on which von Neumann completely fails (e.g., if sampling too fast), even though they look fine to a single-bit bias test.
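The two slides above can be checked directly. The block below is an added example, not code from the talk or the Intel RNG: it implements the von Neumann operator on disjoint pairs, runs it over a constructed independent-but-biased source (where it works as advertised) and over a constructed "sampled too fast" source whose samples alternate 0,1,0,1 with a little noise. The second source has 50% ones, so a plain bias test passes, yet almost every pair is 01 and the operator emits nearly all zeros. The sources, parameters and seeds are assumptions for illustration.

```python
"""Von Neumann debiasing (the Intel RNG extractor) and a source on which it fails.
Added example with constructed sources; not the authors' or Intel's code."""
import random


def von_neumann(bits):
    """Apply the von Neumann operator to non-overlapping pairs:
    00 -> nothing, 01 -> 0, 10 -> 1, 11 -> nothing. A trailing odd bit is dropped."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(a)  # the pair 01 yields a=0, the pair 10 yields a=1
    return out


def biased_iid_source(n, p, seed=1):
    """Constructed 'ideal' source: independent bits, each equal to 1 with probability p."""
    rng = random.Random(seed)
    return [1 if rng.random() < p else 0 for _ in range(n)]


def oversampled_source(n, flip=0.05, seed=2):
    """Constructed model of sampling a signal at twice its toggle rate: sample i is
    (i mod 2), flipped with probability `flip`. Marginally half the bits are 1, so a
    plain bias test passes, but almost every disjoint pair is 01."""
    rng = random.Random(seed)
    return [(i % 2) ^ (1 if rng.random() < flip else 0) for i in range(n)]


def ones_fraction(bits):
    return sum(bits) / len(bits) if bits else 0.0


def compare(n=100_000, p=0.3):
    """Run both sources through the operator and report what a practitioner checks:
    raw bias, output rate and output bias."""
    good = biased_iid_source(n, p)
    bad = oversampled_source(n)
    good_out = von_neumann(good)
    bad_out = von_neumann(bad)
    return {
        "iid_raw_bias": ones_fraction(good),             # about p
        "iid_out_len": len(good_out),                    # about p(1-p)*n
        "iid_out_bias": ones_fraction(good_out),         # about 0.5
        "oversampled_raw_bias": ones_fraction(bad),      # about 0.5: looks healthy
        "oversampled_out_len": len(bad_out),             # nearly every pair "usable"
        "oversampled_out_bias": ones_fraction(bad_out),  # about 0: output is all zeros
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:24s} {value}")
```

The oversampled source is the point of the note on the slide: the operator's guarantee rests on the two bits of a pair being independent and identically distributed, not on the marginal bit frequency, so a deployment check has to test pair statistics (or the environment), not just the ones count.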
Using Crypto Hash Functions (Linux, Apache, SSL, …). h: {0,1}^n → {0,1}^m (n > m), e.g., h = SHA-1 or MD5. Motivation: we don't want to assume anything about the source's structure. Intuitively, this should work for every high-entropy source.
Problems w/ using Crypto-hash • Relying on unproven properties of hash functions to obtain supposedly true random bits. • Assumptions are not even explicitly stated. Not an explicit goal of either hash designers or cryptanalysts (in contrast to collision resistance).
Natural Security Def. h: {0,1}^n → {0,1}^m (n > m), e.g., h = SHA-1 or MD5. Ent(X) is the min-entropy of X. Def 1: h is an extractor w/ params k, ε if for every (efficiently samplable) r.v. X over {0,1}^n with Ent(X) ≥ k, h(X) ≈ε U_m (i.e., h(X) is within statistical distance ε of the uniform distribution on m bits). Bad News: Def 1 is impossible to obtain (even for k = n−1 and ε = ½).
Thm [NZ]: ∀ efficiently computable h, ∃ efficiently sampleable X s.t. 1) Ent(X) ≥ n−1, 2) the first bit of h(X) is fixed. Proof: let h_1 denote the first output bit of h; w.l.o.g. Pr[h_1(U_n) = 0] ≥ ½. Sample X as follows: 1. Let x ←R {0,1}^n. 2. If h_1(x) = 0, output x; otherwise go to 1. X is uniform over h_1^{-1}(0), a set of size at least 2^n/2 = 2^{n−1}, so Ent(X) ≥ n−1, while h_1(X) = 0 always.
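The [NZ] argument is constructive, so it can be run against a concrete public hash. The block below is an added example, not the authors' code: SHA-256 stands in for the SHA-1/MD5 of the slides, the rejection sampler is the one from the proof, and for a small n it exhaustively counts the preimage set to confirm the min-entropy bound. The bit lengths, sample counts and seed are assumptions for illustration.

```python
"""The [NZ] counterexample instantiated against a fixed public hash. Added example,
not the authors' code; SHA-256 is an assumed stand-in for the SHA-1/MD5 on the slides."""
import hashlib
import math
import random


def h(x):
    """A fixed, public, efficiently computable h (here SHA-256)."""
    return hashlib.sha256(x).digest()


def h1(x):
    """h_1: the first output bit of h."""
    return h(x)[0] >> 7


def min_entropy_of_uniform(set_size):
    """Min-entropy (in bits) of the uniform distribution on a set of the given size."""
    return math.log2(set_size)


def majority_first_bit(n_bits):
    """Exhaust {0,1}^n for a small n and return (b, |h1^{-1}(b)|) for the more common
    first bit b. By pigeonhole |h1^{-1}(b)| >= 2^n / 2, so the uniform distribution on
    that set has min-entropy >= n - 1: this is the 'w.l.o.g.' step of the proof."""
    n_bytes = (n_bits + 7) // 8
    zeros = sum(1 for v in range(1 << n_bits) if h1(v.to_bytes(n_bytes, "big")) == 0)
    ones = (1 << n_bits) - zeros
    return (0, zeros) if zeros >= ones else (1, ones)


def adversarial_sample(n_bits, target_bit, rng):
    """Rejection sampling from the proof: draw x uniformly until h1(x) == target_bit.
    The result is uniform over h1^{-1}(target_bit). Returns (x, number of draws)."""
    n_bytes = (n_bits + 7) // 8
    draws = 0
    while True:
        draws += 1
        x = rng.getrandbits(n_bits).to_bytes(n_bytes, "big")
        if h1(x) == target_bit:
            return x, draws


def attack(n_bits=128, samples=2000, target_bit=0, seed=7):
    """Feed `samples` draws of the adversarial source X through h and report how often
    the first output bit equals the target, plus the sampling cost per draw. For a
    large n we cannot enumerate to find the majority bit; either choice works for the
    attack, the majority bit only tightens the entropy bound to exactly n - 1."""
    rng = random.Random(seed)
    fixed = 0
    total_draws = 0
    for _ in range(samples):
        x, draws = adversarial_sample(n_bits, target_bit, rng)
        total_draws += draws
        fixed += h1(x) == target_bit
    return {
        "fixed_fraction": fixed / samples,   # 1.0: the first bit of h(X) never varies
        "avg_draws": total_draws / samples,  # about 2: the adversarial source is cheap
    }


if __name__ == "__main__":
    bit, size = majority_first_bit(8)
    print("n=8: first bit", bit, "has", size, "preimages, min-entropy",
          min_entropy_of_uniform(size))
    print(attack())
```

Nothing here exploits a weakness of SHA-256; the source is simply chosen after the fixed function is known, which is exactly the situation Def 1 has to cover and cannot.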
Our Contribution • We give an explicit model and definitionfor the entropy extraction problem. • We prove unconditionally that a known simple construction satisfies the definition. • We implemented and tested the above solution.
Our Framework. h: {0,1}^n → {0,1}^m (n > m). h is chosen at random from a collection H and made public. The same choice h can be used for many RNGs.
Outline of Security Def. X (r.v. over {0,1}^n) → adversary, who sees the public h ∈ H → X' (r.v. over {0,1}^n). We require that X' ∈ 𝒳, where 𝒳 is the set of allowed modifications to X, and that Ent(X') ≥ k for all X' ∈ 𝒳. Collection H is secure if h(X') ≈ U_m.
Defining Allowed Modifications. Possible choices: • Allow adv. to change a bounded # of bits in X • Allow adv. to change the sampling speed of X • Allow adv. to bias bits of X • Allow adv. to xor X with a fixed value … We want one definition that unifies all these requirements.
t-Resilient Extractors. 𝒳 is a family of 2^t r.v., each of entropy at least k; the adversary sees h ∈ H and picks X' ∈ 𝒳. Collection H is a t-resilient extractor with parameters n > k > m and ε if h(X') ≈ε U_m. This captures all the modifications from the previous slide.
Main Qualitative Result. Thm 1: For every choice of n > k > m and ε, ∃ a t-resilient extractor H s.t. t = Ω((k−m+log(1/ε)) · (|h|/n)). This allows us to obtain any desired level of entropy loss or resiliency (at the expense of a less efficient h). Proof (similar to [TV]): show that an l-wise independent hash function collection, for appropriately chosen l, is an extractor with the wanted parameters.
Better Efficiency – Pairwise Indp. Hash Functions [CW]. Thm: For every choice of n > k > m and ε, if H: {0,1}^n → {0,1}^m is a pairwise independent collection then it is a t-resilient extractor where t = (k−m)/2 − 2 log(1/ε) − 1. H is pairwise independent if for every distinct x1, x2 ∈ {0,1}^n, for h ←R H the r.v. h(x1) and h(x2) are uniform and independent.
Example Parameters. Suppose the source contains k = 512 bits of entropy and we want to extract m = 256 bits with stat. distance ε = 2^−35. Using a pairwise collection: get a 57-resilient extractor. Using a 16-wise collection: get a 667-resilient extractor. Note: the results are independent of the source length n.
A Sample Software Implementation. We implemented H = {h_A} where h_A: {0,1}^n → {0,1}^m, h_A(x) = A·x and A is an m×n Toeplitz matrix. H is not pairwise independent but can be proven to satisfy the same extraction properties. For n = 768, m = 256, it processed input at a rate of 56 Mbit/s on a 1.7 GHz Pentium Xeon. It passed the DIEHARD statistical tests on input a 90 MB file of English text. Note: for better efficiency on a PC, we worked over the field GF(2^16) and used some tricks to implement multiplication in that field faster.
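To make the last three slides concrete, the block below is an added example and not the authors' implementation: it builds the Toeplitz extractor h_A(x) = A·x over plain GF(2) (the talk's code works over GF(2^16) with multiplication tricks for speed; the linear structure is the same), evaluates the resilience parameter t = (k−m)/2 − 2 log(1/ε) − 1 from the [CW] theorem for the slide's k = 512, m = 256, ε = 2^−35, and empirically checks the collision probability of the Toeplitz family, which is the property the extraction proof relies on. Seed bits, the sample inputs and the trial counts are assumptions for illustration.

```python
"""Toeplitz-matrix extractor over GF(2) and the pairwise resilience parameter.
Added example, not the authors' GF(2^16) implementation."""
import random


def pairwise_resilience(k, m, log2_inv_eps):
    """t = (k - m)/2 - 2 log(1/eps) - 1 for a pairwise independent collection,
    with eps = 2^-log2_inv_eps."""
    return (k - m) / 2 - 2 * log2_inv_eps - 1


def toeplitz_rows(seed_bits, n, m):
    """Build the m x n Toeplitz matrix A from n+m-1 seed bits:
    A[i][j] = seed[i - j + n - 1], so every diagonal is constant.
    Row i is returned as an int whose bit j is A[i][j]."""
    if len(seed_bits) != n + m - 1:
        raise ValueError("Toeplitz seed must have n+m-1 bits")
    rows = []
    for i in range(m):
        r = 0
        for j in range(n):
            if seed_bits[i - j + n - 1]:
                r |= 1 << j
        rows.append(r)
    return rows


def extract(rows, x):
    """h_A(x) = A.x over GF(2): output bit i is the parity of <row_i, x>."""
    y = 0
    for i, r in enumerate(rows):
        y |= (bin(r & x).count("1") & 1) << i
    return y


def random_seed_bits(n, m, rng):
    """Public one-time choice of h = h_A: n+m-1 uniformly random seed bits."""
    return [rng.getrandbits(1) for _ in range(n + m - 1)]


def collision_rate(n, m, trials, seed=3):
    """Estimate Pr_A[A.x = A.y] for one fixed pair x != y over random seeds.
    For Toeplitz matrices over GF(2) this equals 2^-m (the family is universal),
    which is what the leftover-hash style extraction argument needs."""
    rng = random.Random(seed)
    x, y = 0b1011, 0b0110  # any two distinct n-bit inputs, n >= 4 assumed
    collisions = 0
    for _ in range(trials):
        rows = toeplitz_rows(random_seed_bits(n, m, rng), n, m)
        collisions += extract(rows, x) == extract(rows, y)
    return collisions / trials


def demo(n=768, m=256, seed=5):
    """The slide's parameters: hash two constructed 768-bit source samples to 256 bits
    and check the GF(2) linearity that the Toeplitz construction guarantees."""
    rng = random.Random(seed)
    rows = toeplitz_rows(random_seed_bits(n, m, rng), n, m)
    x = rng.getrandbits(n)  # constructed stand-ins for raw source blocks
    y = rng.getrandbits(n)
    return {
        "output": extract(rows, x),
        "fits_m_bits": extract(rows, x) < (1 << m),
        "linear": extract(rows, x ^ y) == extract(rows, x) ^ extract(rows, y),
        "t_for_slide_params": pairwise_resilience(512, 256, 35),
    }


if __name__ == "__main__":
    d = demo()
    print("256-bit output:", format(d["output"], "064x"))
    print("t for k=512, m=256, eps=2^-35:", d["t_for_slide_params"])
    print("empirical collision rate, n=8, m=4:", collision_rate(8, 4, 2000))
```

The seed that selects A is public and reusable across devices, as the framework slide says; what must stay secret from the adversary is nothing, and what must hold is only that the source keeps min-entropy k under the allowed modifications. The parity loop is the bottleneck in pure Python, which is why the authors moved to GF(2^16) word operations.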