Randomness
Is this a problem?
• Importance of randomness
• Keys
• Challenges
• Random algorithms
• Objective: uniform choice in a large domain
• Implementation attempts
  • Time
  • Time as seed & PRG
  • Traffic
  • Memory contents
True RNG
• Physical sources
  • Disk rotation
  • Sampling of unsynchronized clocks
  • Measuring noise in quiet channels
  • Human interaction
• Problems
  • Typically, low entropy
  • Difficult to measure quality
• XOR approach – Let X, Y be two independent samples of a TRNG, use X⊕Y
Reducing bias
• Claim: the maximum (minimum) probability of an element in X⊕Y is smaller (greater) than min {max X, max Y} (max {min X, min Y}).
• Definition: let X be a Bernoulli variable with parameter p (Pr[X=0]=p and Pr[X=1]=1-p). The bias of X is p-1/2.
• Claim – if X_1,…,X_n are independent Bernoulli variables with biases ε_1,…,ε_n, then X = X_1⊕…⊕X_n has bias 2^(n-1)·ε_1·…·ε_n
• Idea for reducing bias in a TRNG:
  • Sample X_1,…,X_n
  • Set X = X_1⊕…⊕X_n
  • Can only be better than each of X_1,…,X_n
Reducing bias (cont.)
• Example that XOR does not improve
• Heuristic for TRNG – X = h(X_1,…,X_n) for a cryptographic hash function h
PRG Attempts
• Attempt at a definition: a PRG is a deterministic algorithm that receives a random, short seed and stretches it into a long pad
• Attempt I:
  • x_0 = seed_1, a = seed_2, c = seed_3, p a public prime
  • x_i = a·x_{i-1} mod p, output_i = c·x_i mod p
• Attempt II:
  • x_0, a, b, c, d initialized from the seed, p a public prime
  • x_i = a·x_{i-1} + b mod p, output_i = c·x_i + d mod p
• Attempt III: k = 0, x_0 = seed, x_i = AES_k(x_{i-1}), output_i = x_i
Indistinguishable ensembles
• Let X_i be a random variable for i = 1, 2, …
• {X_i}_i is an ensemble of random variables
• We say that {X_i}_i and {Y_i}_i are two indistinguishable ensembles if for any random polynomial-time algorithm A, |Prob[A(X_n)=1] - Prob[A(Y_n)=1]| = neg(n)
• Example – let {U_n}_n denote the ensemble of uniform distributions on {0,1}^n; then {U_n} and {U_n \ {0}} are indistinguishable.
Pseudo-Random Generator
• Definition: an algorithm G with input s ∈ {0,1}^n and output G(s) ∈ {0,1}^(n^c), for some constant c. If s is uniform in {0,1}^n then G(s) is indistinguishable from a uniformly random string of length n^c.
• Theorem: pseudo-random generators exist if and only if one-way functions exist.
• We'll show a weaker (but more practical) construction from one-way permutations.
Hardcore bits
• Negligible function in n – asymptotically smaller than 1/n^c for any c.
• Asymptotic evaluation – loses practical significance for overly large numbers
• Let f: D → R and x ∈ D
• B: D → {0,1} is a hardcore bit for f(x) if for any random polynomial-time algorithm A, |Prob[A(f(x))=B(x)] - 1/2| = neg(n)
• Claim: any one-way function f(x) has a hardcore bit.
• Example: lsb and msb in discrete log
Hardcore bits & PRG
• Let f: {0,1}^n → {0,1}^n be a one-way permutation and B(x) be a hardcore bit for f(x)
• Claim: if x is chosen uniformly at random then f(x)||B(x) is indistinguishable from the uniform distribution on n+1 bits
• PRG:
  • s_0 = seed
  • s_j = f(s_{j-1})
  • Output B(s_0), B(s_1), …
The BBS PRG
• BBS – Blum, Blum, Shub
• Let p, q be two secret primes, p ≡ q ≡ 3 mod 4, and n = pq
• The seed is a random X_0 ∈ Z_n
• Compute X_i = (X_{i-1})^2 mod n
• Define O_i = lsb(X_i)
• BBS(x) = O_1, O_2, …
• Improvement – O_i is defined as the log log n lower bits of X_i
• Theorem – BBS is as secure as factoring
• The practical performance of BBS is relatively low – a modular multiplication per ~10 bits
Practical PRG constructions
• Cipher based
  • Key is initialized to the seed
  • Use a stream cipher
  • Example: AES with a fixed IV in OFB or CTR mode.
• X9.31 (with a TRNG as well)
  • K = seed_1, V_0 = seed_2
  • I = E_K(time)
  • R_i = E_K(I ⊕ V_{i-1})
  • V_i = E_K(R_i ⊕ I)
Practical PRG constructions
• Hash based
  • Hash1 to update the state
  • Hash2 for the output
• LFSR based
Random generator: TRNG+PRG
• A TRNG can supply truly random bits of uncertain quality
• A PRG can stretch a truly random seed
• Approach:
  • Sample a TRNG: X_1,…,X_n
  • Compute the seed: S = h(X_1,…,X_n)
  • Stretch the seed: PRG(S) = O_1, O_2, …
• Can this model be attacked?
• What happens if the PRG is BBS and the attacker obtains an intermediate state?
Requirements for randomness
• Pseudo-randomness
• Forward security
  • An internal state of the random generator does not reveal previous random outputs
• Backward security
  • Even after a complete compromise of the random generator state, secret random bits can be generated given enough new truly random bits
  • Requires a TRNG and state update
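As an added example (not part of the slides), the following Python answers the BBS question from the previous slide in terms of forward and backward security: a captured intermediate state lets anyone reproduce every future output bit with no secret, while stepping the state backwards needs the factorization of n, and only mixing a fresh TRNG sample into the state (the S = h(...) idea) makes the captured state useless for prediction. The toy primes p = 499, q = 547 are constructed for illustration and far too small for real use; the function names bbs_bits, previous_state, reseed and compromise_demo are my own.

```python
import hashlib
import secrets

# Toy Blum integer for illustration only (constructed): p and q are both 3 mod 4.
# Real BBS uses secret primes of many hundreds of bits; an n this small is trivially factored.
P, Q = 499, 547
N = P * Q


def bbs_bits(x, count, n=N):
    """Advance BBS from state x for `count` steps; return (output bits, final state)."""
    bits = []
    for _ in range(count):
        x = (x * x) % n          # X_i = X_{i-1}^2 mod n
        bits.append(x & 1)       # O_i = lsb(X_i)
    return bits, x


def previous_state(x, p=P, q=Q):
    """Invert one squaring step. This needs p and q (i.e. the factorization of n),
    which is why a leaked state does not reveal earlier outputs: forward security.
    For a Blum integer the quadratic-residue root of x is x^((p+1)/4) mod p combined
    with x^((q+1)/4) mod q by the CRT; exact when the earlier state was itself a residue."""
    rp = pow(x, (p + 1) // 4, p)
    rq = pow(x, (q + 1) // 4, q)
    n = p * q
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % n


def reseed(x, trng_sample, n=N):
    """Mix a fresh TRNG sample into the state with a hash (the slides' S = h(X_1..X_n) idea)."""
    data = x.to_bytes((n.bit_length() + 7) // 8, "big") + trng_sample
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def compromise_demo(seed, k=16, m=32):
    """The attacker captures X_k. Returns (future predicted without reseed,
    future predicted after the generator mixes in fresh TRNG bits)."""
    _, captured = bbs_bits(seed, k)
    attacker_guess, _ = bbs_bits(captured, m)      # squaring needs no secret: no backward security
    honest_plain, _ = bbs_bits(captured, m)
    fresh = secrets.token_bytes(16)                # stands in for a TRNG sample (constructed)
    honest_reseeded, _ = bbs_bits(reseed(captured, fresh), m)
    return attacker_guess == honest_plain, attacker_guess == honest_reseeded


if __name__ == "__main__":
    print(compromise_demo(12345))   # (True, False)
```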
State attacks
• Linux attack
  • 2006
  • Given an entropy pool, a previous entropy pool can be computed in time:
    • O(2^96), 7/16 of the time
    • O(2^64), 9/16 of the time
• Windows attack
  • 2007
  • Given the internal state, 128000 of the previous bits can be computed
  • O(2^23) time