Analysis, demands, and properties of pseudorandom number generators

Similar documents
Basic principles of pseudo-random number generators

T Cryptography and Data Security

T Cryptography and Data Security

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Computer Security: Principles and Practice

Random and Pseudorandom Bit Generators

Analysis of Cryptography and Pseudorandom Numbers

Computer Security 3/23/18

Public Key Cryptography and RSA

Network Security. Random Number Generation. Chapter 6. Network Security (WS 2003): 06 Random Number Generation 1 Dr.-Ing G.

Acronyms. International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector

Acronyms. International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector

Cryptography and Network Security Chapter 7

This chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest

Chapter 6 Random Number Generation

n-bit Output Feedback

Cryptography MIS

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Public Key Cryptography

RSA BSAFE Crypto-C Micro Edition Security Policy

Key Exchange. Secure Software Systems

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

PRNGs & DES. Luke Anderson. 16 th March University Of Sydney.

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

The Sources of Randomness in Smartphones with Symbian OS

Chapter 9 Public Key Cryptography. WANG YANG

Practical Aspects of Modern Cryptography

Study Guide to Mideterm Exam

Cryptography. Dr. Michael Schneider Chapter 10: Pseudorandom Bit Generators and Stream Ciphers

Internet Engineering Task Force (IETF) Request for Comments: 7192 Category: Standards Track April 2014 ISSN:

Cryptographic Concepts

Cryptography and Network Security

CSC/ECE 774 Advanced Network Security

CSC 774 Network Security

Overview. Public Key Algorithms I

The Application of Elliptic Curves Cryptography in Embedded Systems

Security. Communication security. System Security

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Blum-Blum-Shub cryptosystem and generator. Blum-Blum-Shub cryptosystem and generator

Information Security CS526

Introduction to Public-Key Cryptography

CS408 Cryptography & Internet Security

Channel Coding and Cryptography Part II: Introduction to Cryptography

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Route1 FIPS Cryptographic Module

Cryptography and Network Security Chapter 7. Fourth Edition by William Stallings

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

RSA. Public Key CryptoSystem

Cryptographic Systems

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 6 Introduction to Public-Key Cryptography

Encrypt Data (QC3ENCDT, Qc3EncryptData) API

Lecture 20 Public key Crypto. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller and Bailey s ECE 422

RSA BSAFE Crypto-J JSAFE and JCE Software Module Security Policy Level 2 Roles, Services and Authentication

Random number generation

Stream Ciphers An Overview

Elliptic Curve Public Key Cryptography

NIST Cryptographic Toolkit

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers

Internet Engineering Task Force (IETF) Request for Comments: 7518 Category: Standards Track May 2015 ISSN:

Public Key Encryption

Winter 2011 Josh Benaloh Brian LaMacchia

Understanding Cryptography by Christof Paar and Jan Pelzl. Chapter 9 Elliptic Curve Cryptography

Chapter 9. Public Key Cryptography, RSA And Key Management

Tuesday, January 17, 17. Crypto - mini lecture 1

ryptograi "ГС for Tom St Denis, Elliptic Semiconductor Inc. Simon Johnson and Author of the LibTom Project

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 6 Introduction to Public-Key Cryptography

Introduction to Cryptography. Vasil Slavov William Jewell College

Crypto Basics. Recent block cipher: AES Public Key Cryptography Public key exchange: Diffie-Hellmann Homework suggestion

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

Appendix A: Introduction to cryptographic algorithms and protocols

I.D. NUMBER SURNAME OTHER NAMES

Lecture 6 - Cryptography

Public-key encipherment concept

Cryptography. Summer Term 2010

CS 6324: Information Security More Info on Key Establishment: RSA, DH & QKD

UNCLASSIFIED INFORMATION TECHNOLOGY SECURITY GUIDANCE

Computer Security CS 526

Intel R Integrated Performance Primitives. Cryptography Guide. Andrzej Chrzȩszczyk Jakub Chrzȩszczyk

Chapter 3 Public Key Cryptography

Cryptographic Primitives A brief introduction. Ragesh Jaiswal CSE, IIT Delhi

Lecture 1 Applied Cryptography (Part 1)

Advanced Crypto. 2. Public key, private key and key exchange. Author: Prof Bill Buchanan

RSA BSAFE Crypto-J JSAFE and JCE Software Module 5.0 Security Policy Level 2 Roles, Authentication and Services

3 Symmetric Cryptography

RSA BSAFE Crypto-J JSAFE and JCE Software Module 5.0 Security Policy Level 1 Roles, Authentication and Services

Technological foundation

Cryptography BITS F463 S.K. Sahay

Intended status: Standards Track January 13, 2015 Expires: July 17, 2015

Internet Engineering Task Force (IETF) Request for Comments: 6160 Category: Standards Track April 2011 ISSN:

Advanced Security for Systems Engineering VO 09: Applied Cryptography

Public-Key Cryptanalysis

FIPS Non-Proprietary Security Policy. Level 1 Validation Version 1.2

Some Stuff About Crypto

Diffie-Hellman Protocol as a Symmetric Cryptosystem

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

Public-Key Encryption, Key Exchange, Digital Signatures CMSC 23200/33250, Autumn 2018, Lecture 7

Public Key Algorithms

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 11 Basic Cryptography

Transcription:

Analysis, demands, and properties of pseudorandom number generators Jan Krhovják Department of Computer Systems and Communications Faculty of Informatics, Masaryk University Brno, Czech Republic Jan Krhovják (FI MU) Santa s Crypto Get-Together 06 (Prague) 7. 12. 2006 1 / 12

Outline Pseudorandom number generators (PRNGs) Basic Information Random and pseudorandom data in cryptography Review of demands of common cryptographic schemes on pseudorandom data Cryptographic keys and initialization vectors Padding schemes and salting Cryptographic protocols The analysis of properties used in PRNGs Generating pseudorandom data in computer systems Basic categories and principles of PRNGs Conclusion & future research Jan Krhovják (FI MU) Santa s Crypto Get-Together 06 (Prague) 7. 12. 2006 2 / 12

Basic Information Random and pseudorandom data in cryptography Random data in cryptography Cryptographic keys, padding values, nonces, etc. Quality and unpredictability is critical Generating truly random data Based on nondeterministic physical phenomena Radioactive decay, thermal noise, etc. In deterministic environments extremely hard and slow Only a small amount of random data in a reasonable time Generating pseudorandom data Typically (in many computational environments) faster Generated by deterministic algorithm Short input (often called seed) truly random data Output computationally indistinguishable from truly random data Jan Krhovják (FI MU) Santa s Crypto Get-Together 06 (Prague) 7. 12. 2006 3 / 12

Basic Information Random and pseudorandom data in cryptography Random data in cryptography Cryptographic keys, padding values, nonces, etc. Quality and unpredictability is critical Generating truly random data Based on nondeterministic physical phenomena Radioactive decay, thermal noise, etc. In deterministic environments extremely hard and slow Only a small amount of random data in a reasonable time Generating pseudorandom data Typically (in many computational environments) faster Generated by deterministic algorithm Short input (often called seed) truly random data Output computationally indistinguishable from truly random data Jan Krhovják (FI MU) Santa s Crypto Get-Together 06 (Prague) 7. 12. 2006 3 / 12

Basic Information Random and pseudorandom data in cryptography Random data in cryptography Cryptographic keys, padding values, nonces, etc. Quality and unpredictability is critical Generating truly random data Based on nondeterministic physical phenomena Radioactive decay, thermal noise, etc. In deterministic environments extremely hard and slow Only a small amount of random data in a reasonable time Generating pseudorandom data Typically (in many computational environments) faster Generated by deterministic algorithm Short input (often called seed) truly random data Output computationally indistinguishable from truly random data Jan Krhovják (FI MU) Santa s Crypto Get-Together 06 (Prague) 7. 12. 2006 3 / 12

Basic Information Random and pseudorandom data in cryptography Random data in cryptography Cryptographic keys, padding values, nonces, etc. Quality and unpredictability is critical Generating truly random data Based on nondeterministic physical phenomena Radioactive decay, thermal noise, etc. In deterministic environments extremely hard and slow Only a small amount of random data in a reasonable time Generating pseudorandom data Typically (in many computational environments) faster Generated by deterministic algorithm Short input (often called seed) truly random data Output computationally indistinguishable from truly random data Jan Krhovják (FI MU) Santa s Crypto Get-Together 06 (Prague) 7. 12. 2006 3 / 12

Review of demands of common cryptographic schemes Cryptographic keys and initialization vectors I Symmetric cryptosystems (block & stream ciphers) Supported length of keys and initialization vectors is hardwired & their potential modification imply: Change of usage model (e.g., from DES to 3DES-2/3) Change of cipher itself (e.g., from CAST-128 to CAST-256) Block ciphers (requirements) Keys: mostly between 112 and 256 bits (e.g., 3DES-2, AES, Serpent) <80 bits (DES); 256 448 (Blowfish, MARS); 448< (RC5, RC6) Initialization vectors: same as blocksize (i.e., 64, 128, or 256 bits) Stream ciphers (very similar requirements) Keys: typically do not go beyond 256 bits (e.g., HC-256, Dragon-256) Initialization vectors: mostly comparable to the length of the used key Initialization vectors require only freshness (not secrecy) Jan Krhovják (FI MU) Santa s Crypto Get-Together 06 (Prague) 7. 12. 2006 4 / 12

Review of demands of common cryptographic schemes Cryptographic keys and initialization vectors I Symmetric cryptosystems (block & stream ciphers) Supported length of keys and initialization vectors is hardwired & their potential modification imply: Change of usage model (e.g., from DES to 3DES-2/3) Change of cipher itself (e.g., from CAST-128 to CAST-256) Block ciphers (requirements) Keys: mostly between 112 and 256 bits (e.g., 3DES-2, AES, Serpent) <80 bits (DES); 256 448 (Blowfish, MARS); 448< (RC5, RC6) Initialization vectors: same as blocksize (i.e., 64, 128, or 256 bits) Stream ciphers (very similar requirements) Keys: typically do not go beyond 256 bits (e.g., HC-256, Dragon-256) Initialization vectors: mostly comparable to the length of the used key Initialization vectors require only freshness (not secrecy) Jan Krhovják (FI MU) Santa s Crypto Get-Together 06 (Prague) 7. 12. 2006 4 / 12

Review of demands of common cryptographic schemes Cryptographic keys and initialization vectors I Symmetric cryptosystems (block & stream ciphers) Supported length of keys and initialization vectors is hardwired & their potential modification imply: Change of usage model (e.g., from DES to 3DES-2/3) Change of cipher itself (e.g., from CAST-128 to CAST-256) Block ciphers (requirements) Keys: mostly between 112 and 256 bits (e.g., 3DES-2, AES, Serpent) <80 bits (DES); 256 448 (Blowfish, MARS); 448< (RC5, RC6) Initialization vectors: same as blocksize (i.e., 64, 128, or 256 bits) Stream ciphers (very similar requirements) Keys: typically do not go beyond 256 bits (e.g., HC-256, Dragon-256) Initialization vectors: mostly comparable to the length of the used key Initialization vectors require only freshness (not secrecy) Jan Krhovják (FI MU) Santa s Crypto Get-Together 06 (Prague) 7. 12. 2006 4 / 12

Review of demands of common cryptographic schemes Cryptographic keys and initialization vectors I Symmetric cryptosystems (block & stream ciphers) Supported length of keys and initialization vectors is hardwired & their potential modification imply: Change of usage model (e.g., from DES to 3DES-2/3) Change of cipher itself (e.g., from CAST-128 to CAST-256) Block ciphers (requirements) Keys: mostly between 112 and 256 bits (e.g., 3DES-2, AES, Serpent) <80 bits (DES); 256 448 (Blowfish, MARS); 448< (RC5, RC6) Initialization vectors: same as blocksize (i.e., 64, 128, or 256 bits) Stream ciphers (very similar requirements) Keys: typically do not go beyond 256 bits (e.g., HC-256, Dragon-256) Initialization vectors: mostly comparable to the length of the used key Initialization vectors require only freshness (not secrecy) Jan Krhovják (FI MU) Santa s Crypto Get-Together 06 (Prague) 7. 12. 2006 4 / 12

Review of demands of common cryptographic schemes Cryptographic keys and initialization vectors II Asymmetric cryptosystems (in comparison with symmetric) Depend on the intractability of certain mathematical problems Their solution is not so time consuming as an exhaustive search of the key space => the need of several times larger keys Typically between 1024 and 8192 bits (or 160 and 512 bits for ECC) Easily parameterizable Key-length is restricted only by implementation Common asymmetric cryptosystems RSA: size of key is bit-length of its modulus n = pq DSA: size of key is bit-length of its prime modulus p ECDSA: size of key is bit-length of order n of the base point G (of the chosen elliptic curve E) Jan Krhovják (FI MU) Santa s Crypto Get-Together 06 (Prague) 7. 12. 2006 5 / 12

Review of demands of common cryptographic schemes Cryptographic keys and initialization vectors II Asymmetric cryptosystems (in comparison with symmetric) Depend on the intractability of certain mathematical problems Their solution is not so time consuming as an exhaustive search of the key space => the need of several times larger keys Typically between 1024 and 8192 bits (or 160 and 512 bits for ECC) Easily parameterizable Key-length is restricted only by implementation Common asymmetric cryptosystems RSA: size of key is bit-length of its modulus n = pq DSA: size of key is bit-length of its prime modulus p ECDSA: size of key is bit-length of order n of the base point G (of the chosen elliptic curve E) Jan Krhovják (FI MU) Santa s Crypto Get-Together 06 (Prague) 7. 12. 2006 5 / 12

Padding schemes and salting Review of demands of common cryptographic schemes Padding used to extend messages to required length of block (or integer multiple of block) Padding typically not required by stream ciphers Deterministic padding required by block ciphers (in the CBC mode) and cryptographic hash functions Randomized padding required by deterministic asymmetric cryptosystems (e.g., RSA) Padding schemes adapted for algorithm RSA (see PKCS #1) Encryption schemes: RSAES-OAEP and RSAES-PKCS1-v1 5 hlen bytes and k mlen 3 bytes of random data Signature scheme: RSASSA-PSS (and RSASSA-PKCS1-v1 5) hlen bytes (and 0 bytes) of random data Salting used commonly in the password-based cryptography Key derivation functions as PBKDF1/PBKDF2 (see PKCS #5) PBKDF1 requires 64 bits of salt; PBDF2 requires 8 bits of salt UNIX function crypt also uses up to 128 bits of salt Jan Krhovják (FI MU) Santa s Crypto Get-Together 06 (Prague) 7. 12. 2006 6 / 12

Padding schemes and salting Review of demands of common cryptographic schemes Padding used to extend messages to required length of block (or integer multiple of block) Padding typically not required by stream ciphers Deterministic padding required by block ciphers (in the CBC mode) and cryptographic hash functions Randomized padding required by deterministic asymmetric cryptosystems (e.g., RSA) Padding schemes adapted for algorithm RSA (see PKCS #1) Encryption schemes: RSAES-OAEP and RSAES-PKCS1-v1 5 hlen bytes and k mlen 3 bytes of random data Signature scheme: RSASSA-PSS (and RSASSA-PKCS1-v1 5) hlen bytes (and 0 bytes) of random data Salting used commonly in the password-based cryptography Key derivation functions as PBKDF1/PBKDF2 (see PKCS #5) PBKDF1 requires 64 bits of salt; PBDF2 requires 8 bits of salt UNIX function crypt also uses up to 128 bits of salt Jan Krhovják (FI MU) Santa s Crypto Get-Together 06 (Prague) 7. 12. 2006 6 / 12

Padding schemes and salting Review of demands of common cryptographic schemes Padding used to extend messages to required length of block (or integer multiple of block) Padding typically not required by stream ciphers Deterministic padding required by block ciphers (in the CBC mode) and cryptographic hash functions Randomized padding required by deterministic asymmetric cryptosystems (e.g., RSA) Padding schemes adapted for algorithm RSA (see PKCS #1) Encryption schemes: RSAES-OAEP and RSAES-PKCS1-v1 5 hlen bytes and k mlen 3 bytes of random data Signature scheme: RSASSA-PSS (and RSASSA-PKCS1-v1 5) hlen bytes (and 0 bytes) of random data Salting used commonly in the password-based cryptography Key derivation functions as PBKDF1/PBKDF2 (see PKCS #5) PBKDF1 requires 64 bits of salt; PBDF2 requires 8 bits of salt UNIX function crypt also uses up to 128 bits of salt Jan Krhovják (FI MU) Santa s Crypto Get-Together 06 (Prague) 7. 12. 2006 6 / 12

Cryptographic protocols Review of demands of common cryptographic schemes Focused on challenge-response protocols Authentication protocols: random data for random challenges (nonces) Key establishment protocols: random data for generating shared keys Authenticated key establishment protocols: their combination Common authentication protocols (e.g., ISO/IEC 9798) Random challenges are typically 64 (or better 128) bits long Some protocols use timestamps or sequence numbers instead of nonces Key establishment (key distribution & key agreement) protocols One party is involved in key generation process Requirements are dependent on the type of generated key Both (or more) parties is involved in key generation process Typically based on Diffie-Hellman exponential key exchange Modulus at least 1024 bits; Key(s) at least 160 bits Jan Krhovják (FI MU) Santa s Crypto Get-Together 06 (Prague) 7. 12. 2006 7 / 12

Cryptographic protocols Review of demands of common cryptographic schemes Focused on challenge-response protocols Authentication protocols: random data for random challenges (nonces) Key establishment protocols: random data for generating shared keys Authenticated key establishment protocols: their combination Common authentication protocols (e.g., ISO/IEC 9798) Random challenges are typically 64 (or better 128) bits long Some protocols use timestamps or sequence numbers instead of nonces Key establishment (key distribution & key agreement) protocols One party is involved in key generation process Requirements are dependent on the type of generated key Both (or more) parties is involved in key generation process Typically based on Diffie-Hellman exponential key exchange Modulus at least 1024 bits; Key(s) at least 160 bits Jan Krhovják (FI MU) Santa s Crypto Get-Together 06 (Prague) 7. 12. 2006 7 / 12

Cryptographic protocols Review of demands of common cryptographic schemes Focused on challenge-response protocols Authentication protocols: random data for random challenges (nonces) Key establishment protocols: random data for generating shared keys Authenticated key establishment protocols: their combination Common authentication protocols (e.g., ISO/IEC 9798) Random challenges are typically 64 (or better 128) bits long Some protocols use timestamps or sequence numbers instead of nonces Key establishment (key distribution & key agreement) protocols One party is involved in key generation process Requirements are dependent on the type of generated key Both (or more) parties is involved in key generation process Typically based on Diffie-Hellman exponential key exchange Modulus at least 1024 bits; Key(s) at least 160 bits Jan Krhovják (FI MU) Santa s Crypto Get-Together 06 (Prague) 7. 12. 2006 7 / 12

The analysis of properties used in PRNGs Generating pseudorandom data in computer systems PRNG is deterministic finite state machine => at any point of time it is in a certain internal state PRNG state is secret (PRNG output must be unpredictable) PRNG (whole) state is repeatedly updated (PRNG must produce different outputs) Secret state compromise may occur recovering is difficult Mixing data with small amounts of entropy to the secret state Problem is limited amount of entropy between two requests for pseudorandom data (solution is pooling) Frequent requests & brute force => new secret state Solution is pooling of incoming entropy to sufficient amount, and then to mix it to the secret state Basic types of PRNGs utilize Linear feedback shift register (LFSR), hard problems of number and complexity theory, typical cryptographic functions/primitives Jan Krhovják (FI MU) Santa s Crypto Get-Together 06 (Prague) 7. 12. 2006 8 / 12

The analysis of properties used in PRNGs Generating pseudorandom data in computer systems PRNG is deterministic finite state machine => at any point of time it is in a certain internal state PRNG state is secret (PRNG output must be unpredictable) PRNG (whole) state is repeatedly updated (PRNG must produce different outputs) Secret state compromise may occur recovering is difficult Mixing data with small amounts of entropy to the secret state Problem is limited amount of entropy between two requests for pseudorandom data (solution is pooling) Frequent requests & brute force => new secret state Solution is pooling of incoming entropy to sufficient amount, and then to mix it to the secret state Basic types of PRNGs utilize Linear feedback shift register (LFSR), hard problems of number and complexity theory, typical cryptographic functions/primitives Jan Krhovják (FI MU) Santa s Crypto Get-Together 06 (Prague) 7. 12. 2006 8 / 12

The analysis of properties used in PRNGs Generating pseudorandom data in computer systems PRNG is deterministic finite state machine => at any point of time it is in a certain internal state PRNG state is secret (PRNG output must be unpredictable) PRNG (whole) state is repeatedly updated (PRNG must produce different outputs) Secret state compromise may occur recovering is difficult Mixing data with small amounts of entropy to the secret state Problem is limited amount of entropy between two requests for pseudorandom data (solution is pooling) Frequent requests & brute force => new secret state Solution is pooling of incoming entropy to sufficient amount, and then to mix it to the secret state Basic types of PRNGs utilize Linear feedback shift register (LFSR), hard problems of number and complexity theory, typical cryptographic functions/primitives Jan Krhovják (FI MU) Santa s Crypto Get-Together 06 (Prague) 7. 12. 2006 8 / 12

Linear feedback shift register (LFSR) The analysis of properties used in PRNGs Finite number of possible states => repeating cycles Outputs of LFSRs are linear => easy cryptanalysis Improvement necessary for cryptographic purposes Non-linear combination of several LFSRs imply the need of well designed nonlinear function f Geffe generator: function f (x 1, x 2, x 3) = x 1x 2 x 2x 3 x 3 Summation generator: integer addition (over Z 2) Using one (or several) LFSR to clock another (or combination of more) LFSR Alternating step generator: LFSR 1 used to clock LFSR 2 and LFSR 3 Shrinking generator: LFSR 1 used to control output of LFSR 2 Jan Krhovják (FI MU) Santa s Crypto Get-Together 06 (Prague) 7. 12. 2006 9 / 12

Linear feedback shift register (LFSR) The analysis of properties used in PRNGs Finite number of possible states => repeating cycles Outputs of LFSRs are linear => easy cryptanalysis Improvement necessary for cryptographic purposes Non-linear combination of several LFSRs imply the need of well designed nonlinear function f Geffe generator: function f (x 1, x 2, x 3) = x 1x 2 x 2x 3 x 3 Summation generator: integer addition (over Z 2) Using one (or several) LFSR to clock another (or combination of more) LFSR Alternating step generator: LFSR 1 used to clock LFSR 2 and LFSR 3 Shrinking generator: LFSR 1 used to control output of LFSR 2 Jan Krhovják (FI MU) Santa s Crypto Get-Together 06 (Prague) 7. 12. 2006 9 / 12

The analysis of properties used in PRNGs Hard problems of number and complexity theory RSA PRNG is based on public-key cryptosystem RSA p, q primes; n = pq; Φ(n) = (p 1)(q 1); gcd(e, Φ(n)) = 1 Seed x 0 is selected from [2, n 2] For i from 1 to m do the following: x i = xi 1 e mod n; z i = lsb(x i ); i.e., z i is least significant bit of x i The output sequence of length m is z 1, z 2,... z m Security based on the intractability of RSA problem Blum Blum Shub PRNG on modular squaring Difference is that is used x i = xi 1 2 mod n Security based on the intractability of quadratic residuosity problem Generators based on discrete logarithm problem or Diffie-Hellman problem (with stronger DDH assumption) Jan Krhovják (FI MU) Santa s Crypto Get-Together 06 (Prague) 7. 12. 2006 10 / 12

The analysis of properties used in PRNGs Hard problems of number and complexity theory RSA PRNG is based on public-key cryptosystem RSA p, q primes; n = pq; Φ(n) = (p 1)(q 1); gcd(e, Φ(n)) = 1 Seed x 0 is selected from [2, n 2] For i from 1 to m do the following: x i = xi 1 e mod n; z i = lsb(x i ); i.e., z i is least significant bit of x i The output sequence of length m is z 1, z 2,... z m Security based on the intractability of RSA problem Blum Blum Shub PRNG on modular squaring Difference is that is used x i = xi 1 2 mod n Security based on the intractability of quadratic residuosity problem Generators based on discrete logarithm problem or Diffie-Hellman problem (with stronger DDH assumption) Jan Krhovják (FI MU) Santa s Crypto Get-Together 06 (Prague) 7. 12. 2006 10 / 12

The analysis of properties used in PRNGs Hard problems of number and complexity theory RSA PRNG is based on public-key cryptosystem RSA p, q primes; n = pq; Φ(n) = (p 1)(q 1); gcd(e, Φ(n)) = 1 Seed x 0 is selected from [2, n 2] For i from 1 to m do the following: x i = xi 1 e mod n; z i = lsb(x i ); i.e., z i is least significant bit of x i The output sequence of length m is z 1, z 2,... z m Security based on the intractability of RSA problem Blum Blum Shub PRNG on modular squaring Difference is that is used x i = xi 1 2 mod n Security based on the intractability of quadratic residuosity problem Generators based on discrete logarithm problem or Diffie-Hellman problem (with stronger DDH assumption) Jan Krhovják (FI MU) Santa s Crypto Get-Together 06 (Prague) 7. 12. 2006 10 / 12

The analysis of properties used in PRNGs PRNG based on cryptographic functions 3DES/AES ANSI X9.17/X9.31 is based on 64-bit 3DES-3 or 128-bit AES The key K is reserved only for the generator Seed is a 64/128-bit value V DT is a 64/128-bit representation of the date and time In each iteration is performed: I i = E K (DT ) R i = E K (I i V i ) V i+1 = E K (R i I i ) The output is pseudorandom string R i One from many existing modifications I i = E K (I i 1 DT ) This corresponds to encrypting DT in CBC mode (instead of in ECB) Jan Krhovják (FI MU) Santa s Crypto Get-Together 06 (Prague) 7. 12. 2006 11 / 12

The analysis of properties used in PRNGs PRNG based on cryptographic functions 3DES/AES ANSI X9.17/X9.31 is based on 64-bit 3DES-3 or 128-bit AES The key K is reserved only for the generator Seed is a 64/128-bit value V DT is a 64/128-bit representation of the date and time In each iteration is performed: I i = E K (DT ) R i = E K (I i V i ) V i+1 = E K (R i I i ) The output is pseudorandom string R i One from many existing modifications I i = E K (I i 1 DT ) This corresponds to encrypting DT in CBC mode (instead of in ECB) Jan Krhovják (FI MU) Santa s Crypto Get-Together 06 (Prague) 7. 12. 2006 11 / 12

Conclusion Pseudorandom number generators (PRNGs) Conclusion & future research We described demands of common cryptographic schemes (between hundreds and thousands of bits) Smaller amounts: symmetric cryptography Larger amounts: asymmetric cryptography Analysis of properties of common pseudorandom number generators, some of them are: Extremely fast (e.g., LFSR based PRNG) Extremely slow (e.g., cryptographically secure PRNG) Intended for particular purpose (e.g., ANSI X9.17/X9.31, FIPS-186) Designed for general purpose (e.g., Yarrow-160, Fortuna) Future research PRNGs in mobile computing environments (limited resources as CPU speed, memory, or energy) Jan Krhovják (FI MU) Santa s Crypto Get-Together 06 (Prague) 7. 12. 2006 12 / 12

Conclusion Pseudorandom number generators (PRNGs) Conclusion & future research We described demands of common cryptographic schemes (between hundreds and thousands of bits) Smaller amounts: symmetric cryptography Larger amounts: asymmetric cryptography Analysis of properties of common pseudorandom number generators, some of them are: Extremely fast (e.g., LFSR based PRNG) Extremely slow (e.g., cryptographically secure PRNG) Intended for particular purpose (e.g., ANSI X9.17/X9.31, FIPS-186) Designed for general purpose (e.g., Yarrow-160, Fortuna) Future research PRNGs in mobile computing environments (limited resources as CPU speed, memory, or energy) Jan Krhovják (FI MU) Santa s Crypto Get-Together 06 (Prague) 7. 12. 2006 12 / 12

Conclusion Pseudorandom number generators (PRNGs) Conclusion & future research We described demands of common cryptographic schemes (between hundreds and thousands of bits) Smaller amounts: symmetric cryptography Larger amounts: asymmetric cryptography Analysis of properties of common pseudorandom number generators, some of them are: Extremely fast (e.g., LFSR based PRNG) Extremely slow (e.g., cryptographically secure PRNG) Intended for particular purpose (e.g., ANSI X9.17/X9.31, FIPS-186) Designed for general purpose (e.g., Yarrow-160, Fortuna) Future research PRNGs in mobile computing environments (limited resources as CPU speed, memory, or energy) Jan Krhovják (FI MU) Santa s Crypto Get-Together 06 (Prague) 7. 12. 2006 12 / 12

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback