
True Random Number Generators Secure in a Changing Environment



  1. True Random Number Generators Secure in a Changing Environment. Boaz Barak, Ronen Shaltiel, Eran Tromer (Weizmann Institute, Israel).

  2. True Random Number Generators (TRNG). A TRNG is a device that outputs a sequence of independent bits (i.e., coin tosses). [Figure: TRNG → 0110100110111010110…] In this talk we focus on the case where the TRNG outputs a block of bits (e.g., 256 bits). (The results generalize to the case of a sequence; it is also always possible to apply a pseudo-RNG to the block.)

  3. Design of a TRNG. [Figure: high-entropy source X → entropy generator (E. Gen) 00011001 → extractor (Ext) → 01011] A TRNG can be split into two phases: entropy generation and entropy extraction. We focus on the entropy extraction phase.

  4. Previous Constructions of the Entropy Extraction Phase
  • Tailor-made design for a "nice" source X (Intel RNG, IBM 4758, …)
  • Use cryptographic hash functions (PGP, Linux, Apache, …)

  5. Example: Intel RNG. [Figure: raw source bits 000101001010001001 → Intel RNG → 0101101001]

  6. Intel RNG Extractor: the von Neumann Operator. [Figure: 00011011 → Ext → 01] Non-overlapping input pairs are mapped as follows: 00 → no output; 01 → output 0; 10 → output 1; 11 → no output. If each bit is independently 1 w.p. p then Pr[output = 1] = Pr[output = 0] = p(1−p), so the output is unbiased whatever p is. Output length: each input pair yields an output bit with probability 2p(1−p) ≤ ½, so n input bits give m = p(1−p)n ≤ ¼n output bits in expectation.

  7. Is the Source Really Independent?? Suppose that the source is independent under "ideal" conditions. Does this hold for all RNGs "out there" in varying (and possibly adversarial) environments?
  • Proof using physics: ???? (probably not)
  • Statistical tests: passed all except for "minor deviations in tests involving spectral analysis" [JK99]
  Note: there are natural sources on which von Neumann completely fails (e.g., if sampling too fast).
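Slides 6 and 7 describe the von Neumann operator and warn that it fails completely on some natural sources. The following is an added example, not the Intel design and not the authors' code: it runs the operator over a constructed i.i.d. Bernoulli(p) stream to check the p(1−p)n output length and the unbiased output, and then over a constructed "sampling too fast" source, modelled as a slow source read twice per underlying bit, so that every aligned pair is 00 or 11 and the operator emits nothing at all.

```python
"""Von Neumann debiasing and its failure on a correlated source.

Added example (not the Intel RNG implementation or the authors' code).
Input bits are consumed in non-overlapping pairs:
    00 -> nothing, 01 -> 0, 10 -> 1, 11 -> nothing.
Both sources below are constructed inputs for the demonstration.
"""
import random


def von_neumann(bits):
    """Apply the von Neumann operator to a list of 0/1 bits."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(a)  # 01 -> 0, 10 -> 1; equal pairs are dropped
    return out


def biased_iid_source(n, p, seed=1):
    """n independent bits, each equal to 1 with probability p (constructed)."""
    rng = random.Random(seed)
    return [1 if rng.random() < p else 0 for _ in range(n)]


def oversampled_source(n, p, seed=1):
    """Constructed model of sampling too fast: the physical state changes
    only every other sample, so each bit of a slow i.i.d. source is read
    twice and consecutive bits are perfectly correlated."""
    slow = biased_iid_source(n // 2, p, seed)
    return [b for b in slow for _ in range(2)]


def fraction_of_ones(bits):
    return sum(bits) / len(bits) if bits else 0.0


def debias_report(n=100_000, p=0.3):
    """Source bias vs. output bias, and output rate vs. the predicted
    p(1-p) bits of output per input bit (2p(1-p) per input pair)."""
    src = biased_iid_source(n, p)
    out = von_neumann(src)
    return {
        "input_bias": fraction_of_ones(src),
        "output_bias": fraction_of_ones(out),
        "output_rate": len(out) / n,
        "predicted_rate": p * (1 - p),
    }


def correlated_failure(n=100_000, p=0.3):
    """Number of output bits when the oversampled source is fed in:
    every aligned pair is 00 or 11, so nothing is ever emitted."""
    return len(von_neumann(oversampled_source(n, p)))


if __name__ == "__main__":
    print(debias_report())
    print("output bits from the oversampled source:", correlated_failure())
```

The i.i.d. run shows the operator removing a 30% bias entirely at the expense of roughly 79% of the input; the oversampled run shows that the guarantee rests on independence, not on entropy: the slow source still carries entropy, yet the operator discards all of it.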

  8. Using Crypto Hash Functions (Linux, Apache, SSL, …). [Figure: 00011011 → h → 01] h: {0,1}^n → {0,1}^m (n > m), e.g., h = SHA-1 or MD5. Motivation: we don't want to assume anything about the source's structure. Intuitively, this should work for every high-entropy source.

  9. Problems with Using a Crypto Hash
  • It relies on unproven properties of hash functions to obtain supposedly true random bits.
  • The assumptions are not even explicitly stated: extraction is not an explicit goal of either hash designers or cryptanalysts (in contrast to collision resistance).

  10. Natural Security Definition. [Figure: 00011011 → h → 01 ?] h: {0,1}^n → {0,1}^m (n > m), e.g., h = SHA-1 or MD5. Ent(X) denotes the min-entropy of X. Def 1: h is an extractor with parameters k, ε if for every (efficiently samplable) r.v. X over {0,1}^n with Ent(X) ≥ k, h(X) ~_ε U_m (i.e., h(X) is within statistical distance ε of the uniform distribution on m bits). Bad news: Def 1 is impossible to obtain (even for k = n−1 and ε = ½).

  11. Thm [NZ]: For every efficiently computable h there exists an efficiently samplable X such that 1) Ent(X) ≥ n−1, and 2) the first bit of h(X) is fixed. Proof: Let h_1 denote the first output bit of h. W.l.o.g. Pr[h_1(U_n) = 0] ≥ ½. Sample X as follows: 1. Let x ←_R {0,1}^n. 2. If h_1(x) = 0, output x; otherwise, go to 1. X is uniform over h_1^{-1}(0), a set of size at least 2^n/2 = 2^{n−1}, so Ent(X) ≥ n−1, while the first bit of h(X) is always 0.
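The [NZ] argument on slide 11 is constructive, so it can be run. The following is an added example, not from the paper: h is a concrete stand-in for "any fixed function" (the first m bits of SHA-256 over an n-bit input), the adversary picks the more common value b of the first output bit, and the source X is rejection-sampled uniformly from the inputs whose first output bit is b. Because that set has at least 2^(n−1) elements, X has min-entropy at least n−1, yet the first bit of h(X) never varies. n = 12 is used only so that the set can be enumerated exhaustively; the sampler itself never lists the set and works for any n.

```python
"""The [NZ] counterexample: no single fixed function is an extractor.

Added example, not the paper's code.  SHA-256 is merely a concrete fixed
function (assumption for the demonstration); the argument applies to
any efficiently computable h.
"""
import hashlib
import math
import random


def h(x, n, m):
    """Fixed candidate extractor: first m bits of SHA-256(x), x an n-bit int."""
    digest = hashlib.sha256(x.to_bytes((n + 7) // 8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - m)


def first_bit(y, m):
    """h_1: the first (most significant) of the m output bits."""
    return (y >> (m - 1)) & 1


def majority_preimage(n, m):
    """Return (b, S): b is a first-output-bit value taken by at least half
    of all 2^n inputs (the proof's w.l.o.g. step), S the list of those
    inputs, so |S| >= 2^(n-1)."""
    zeros = [x for x in range(1 << n) if first_bit(h(x, n, m), m) == 0]
    if len(zeros) >= 1 << (n - 1):
        return 0, zeros
    return 1, [x for x in range(1 << n) if first_bit(h(x, n, m), m) == 1]


def sample_bad_source(n, m, b, rng):
    """Rejection sampler for X: draw uniform x until h_1(x) = b.
    Each try succeeds with probability >= 1/2, so at most 2 tries
    are expected.  Returns (x, number_of_tries)."""
    tries = 0
    while True:
        tries += 1
        x = rng.getrandbits(n)
        if first_bit(h(x, n, m), m) == b:
            return x, tries


def nz_demo(n=12, m=8, samples=2000, seed=7):
    """Exhibit the source and check the two properties of the theorem."""
    b, S = majority_preimage(n, m)
    S_set = set(S)
    rng = random.Random(seed)
    draws = [sample_bad_source(n, m, b, rng) for _ in range(samples)]
    return {
        "fixed_bit": b,
        "set_size": len(S),
        # X is uniform over S, so its min-entropy is exactly log2|S| >= n-1.
        "min_entropy_bits": math.log2(len(S)),
        "first_bits_seen": {first_bit(h(x, n, m), m) for x, _ in draws},
        "all_draws_in_S": all(x in S_set for x, _ in draws),
        "mean_tries": sum(t for _, t in draws) / samples,
    }


if __name__ == "__main__":
    print(nz_demo())
```

Note that the adversary never inverts SHA-256; it only evaluates h forward, which is exactly why "h is a strong cryptographic hash" offers no defence against this class of source.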

  12. Our Contribution
  • We give an explicit model and definition for the entropy extraction problem.
  • We prove unconditionally that a known simple construction satisfies the definition.
  • We implemented and tested the above solution.

  13. Our Framework. [Figure: 00011011 → h → 01] h: {0,1}^n → {0,1}^m (n > m). h is chosen at random from a collection H and made public. The same choice of h can be used for many RNGs.

  14. Outline of the Security Definition. [Figure: X (r.v. over {0,1}^n) → modified to X' (r.v. over {0,1}^n) → h ←_R H → ?] We require that X' ∈ 𝒳, where 𝒳 is the set of allowed modifications to X, and that Ent(X') ≥ k for all X' ∈ 𝒳. Collection H is secure if h(X') ≈ U_m.

  15. Defining Allowed Modifications. [Figure: X (r.v. over {0,1}^n) → modified to X' (r.v. over {0,1}^n) → h ←_R H] Possible choices:
  • Allow the adversary to change a bounded number of bits of X.
  • Allow the adversary to change the sampling speed of X.
  • Allow the adversary to bias the bits of X.
  • Allow the adversary to XOR X with a fixed value.
  …
  We want one definition that unifies all these requirements. We require that X' ∈ 𝒳, where 𝒳 is the set of allowed modifications to X, and that Ent(X') ≥ k for all X' ∈ 𝒳. Collection H is secure if h(X') ≈ U_m.

  16. t-Resilient Extractors. [Figure: 𝒳 (a family of 2^t r.v. each of min-entropy at least k) → X' ∈ 𝒳 → h ←_R H → ?] Collection H is a t-resilient extractor with parameters n > k > m and ε if, for every family 𝒳 of 2^t random variables over {0,1}^n each of min-entropy at least k, h(X') ≈_ε U_m for every X' ∈ 𝒳 (simultaneously for all X' ∈ 𝒳, with high probability over the choice of h ←_R H). This captures all the modifications from the previous slide: each of the 2^t members of 𝒳 is one modified version of the source that the adversary may choose.

  17. Main Qualitative Result. Thm 1: For every choice of n > k > m and ε there exists a t-resilient extractor H with t = Ω((k − m + log(1/ε)) · (|h|/n)), where |h| is the number of bits needed to describe h. This allows any desired level of entropy loss or resiliency to be obtained (at the expense of a less efficient h). Proof (similar to [TV]): show that an l-wise independent hash function collection, for appropriately chosen l, is an extractor with the wanted parameters.

  18. Better Efficiency: Pairwise Independent Hash Functions [CW]. Thm: For every choice of n > k > m and ε, if H: {0,1}^n → {0,1}^m is a pairwise independent collection then it is a t-resilient extractor where t = (k − m)/2 − 2 log(1/ε) − 1. H is pairwise independent if for every distinct x_1, x_2 ∈ {0,1}^n, when h ←_R H the random variables h(x_1) and h(x_2) are uniform and independent.

  19. Example Parameters. Suppose the source contains k = 512 bits of min-entropy and we want to extract m = 256 bits with statistical distance ε = 2^−35. Using a pairwise independent collection: a 57-resilient extractor (t = (512 − 256)/2 − 2·35 − 1 = 57). Using a 16-wise independent collection: a 667-resilient extractor. Note: the results are independent of the source length n.

  20. A Sample Software Implementation. We implemented H = {h_A} where h_A: {0,1}^n → {0,1}^m, h_A(x) = A·x and A is an m × n Toeplitz matrix (m rows, n columns) over GF(2). [Figure: ?] H is not pairwise independent but can be proven to satisfy the same extraction properties. For n = 768, m = 256, it processed input at a rate of 56 Mbit/s on a 1.7 GHz Pentium Xeon. It passed the DIEHARD statistical tests on input of a 90 MB file of English text. Note: for better efficiency on a PC, we worked over the field GF(2^16) and used some tricks to implement multiplication in that field faster.
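Slides 18 to 20 introduce pairwise independence, the resilience bound t = (k − m)/2 − 2 log(1/ε) − 1, and the Toeplitz-matrix extractor that is "not pairwise independent but satisfies the same extraction properties". The following is an added example, not the authors' implementation (which worked over GF(2^16) for speed): a bit-serial Toeplitz extractor over GF(2), in which an (n+m−1)-bit seed defines the matrix by A[i][j] = seed bit (i−j+n−1). For tiny n, m it enumerates every seed to show both halves of the slide's remark: A·d is uniform over the seed for every d ≠ 0 (the property that makes the extraction proof go through), but A·0 = 0 always and the pair (A·e_0, A·e_1) is far from uniform because the two columns share m−1 seed bits, so the family is not pairwise independent.

```python
"""Toeplitz-matrix extractor h_A(x) = A·x over GF(2).

Added example, not the authors' code.  Bit strings are Python ints with
bit j of x being x_j; the seed has n+m-1 bits and defines the m-by-n
Toeplitz matrix A with A[i][j] = seed bit (i-j+n-1).
"""
import secrets


def toeplitz_rows(seed, n, m):
    """Rows of A as n-bit ints.  A[i+1][j] = A[i][j-1], so each row is the
    previous one moved one column over (<< 1 on the int) with a fresh
    seed bit entering at column 0: O(m) word operations in total."""
    mask = (1 << n) - 1
    row = 0
    for j in range(n):  # row 0, column j = seed bit n-1-j
        row |= ((seed >> (n - 1 - j)) & 1) << j
    rows = [row]
    for i in range(1, m):  # row i, column 0 = seed bit i+n-1
        row = ((row << 1) & mask) | ((seed >> (i + n - 1)) & 1)
        rows.append(row)
    return rows


def parity(v):
    return bin(v).count("1") & 1


def toeplitz_extract(seed, x, n, m):
    """A·x over GF(2), returned as an m-bit int (bit i = output bit i)."""
    assert 0 <= x < (1 << n) and 0 <= seed < (1 << (n + m - 1))
    out = 0
    for i, row in enumerate(toeplitz_rows(seed, n, m)):
        out |= parity(row & x) << i
    return out


def output_histogram(n, m, x):
    """Count A·x over all 2^(n+m-1) seeds (small parameters only)."""
    counts = {}
    for seed in range(1 << (n + m - 1)):
        y = toeplitz_extract(seed, x, n, m)
        counts[y] = counts.get(y, 0) + 1
    return counts


def pair_histogram(n, m, x1, x2):
    """Count (A·x1, A·x2) over all seeds.  Pairwise independence would
    require every one of the 2^(2m) pairs to occur equally often."""
    counts = {}
    for seed in range(1 << (n + m - 1)):
        key = (toeplitz_extract(seed, x1, n, m), toeplitz_extract(seed, x2, n, m))
        counts[key] = counts.get(key, 0) + 1
    return counts


def is_flat(counts, outcomes):
    """True iff all `outcomes` values occur, each equally often."""
    return len(counts) == outcomes and len(set(counts.values())) == 1


def pairwise_resilience(k, m, log2_inv_eps):
    """t from slide 18: (k-m)/2 - 2 log(1/eps) - 1, with eps = 2^-log2_inv_eps."""
    return (k - m) / 2 - 2 * log2_inv_eps - 1


def extract_paper_parameters(seed=None, x=None, n=768, m=256):
    """The slide's n=768, m=256 setting; fresh seed and input if not given."""
    seed = secrets.randbits(n + m - 1) if seed is None else seed
    x = secrets.randbits(n) if x is None else x
    return toeplitz_extract(seed, x, n, m)


if __name__ == "__main__":
    n, m = 6, 3
    print("A·0 over all seeds:", output_histogram(n, m, 0))
    print("A·d flat for d=5:", is_flat(output_histogram(n, m, 5), 1 << m))
    print("distinct (A·e0, A·e1) pairs:", len(pair_histogram(n, m, 1, 2)), "of", 1 << (2 * m))
    print("t for k=512, m=256, eps=2^-35:", pairwise_resilience(512, 256, 35))
    print("256-bit output:", hex(extract_paper_parameters()))
```

The seed plays the role of the public choice of h from slide 13: it is generated once, may be published, and is reused for every extraction, so only the source has to carry entropy. A production implementation would compute the parities word-wise or over GF(2^16) as the authors did; the bit-serial form here is written for clarity, not throughput.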
