Chapter 6 Random Number Generation

Similar documents
Network Security. Random Number Generation. Chapter 6. Network Security (WS 2003): 06 Random Number Generation 1 Dr.-Ing G.

Random and Pseudorandom Bit Generators

Cryptography. Dr. Michael Schneider Chapter 10: Pseudorandom Bit Generators and Stream Ciphers

Cryptography. Summer Term 2010

Basic principles of pseudo-random number generators

Blum-Blum-Shub cryptosystem and generator. Blum-Blum-Shub cryptosystem and generator

Analysis, demands, and properties of pseudorandom number generators

Acronyms. International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector

T Cryptography and Data Security

T Cryptography and Data Security

Randomness in Cryptography

A Secured Key Generation Scheme Using Enhanced Entropy

APPENDIX D RANDOM AND PSEUDORANDOM NUMBER GENERATION

Dawn Song

Random number generation

Cryptographic Primitives A brief introduction. Ragesh Jaiswal CSE, IIT Delhi

CS408 Cryptography & Internet Security

George Landon Chao Shen Chengdong Li

A Mathematical Proof. Zero Knowledge Protocols. Interactive Proof System. Other Kinds of Proofs. When referring to a proof in logic we usually mean:

Zero Knowledge Protocols. c Eli Biham - May 3, Zero Knowledge Protocols (16)

Data Integrity & Authentication. Message Authentication Codes (MACs)

Data Integrity & Authentication. Message Authentication Codes (MACs)

Stream Ciphers. Çetin Kaya Koç Winter / 13

Cryptography and Network Security Chapter 7. Fourth Edition by William Stallings

Comparative Analysis of SLA-LFSR with Traditional Pseudo Random Number Generators

Study Guide for the Final Exam

Algorithmic number theory Cryptographic hardness assumptions. Table of contents

Topics. Key Generation. Applying Cryptography

Cryptographic protocols

You ve already read basics of simulation now I will be taking up method of simulation, that is Random Number Generation

The Sources of Randomness in Smartphones with Symbian OS

Security. Communication security. System Security

Stream Ciphers. Koç ( ucsb ccs 130h explore crypto fall / 13

Cryptography. Summer Term 2010

Cryptography and Network Security Chapter 7

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

CSC 482/582: Computer Security. Applying Cryptography

Stream Ciphers An Overview

Cryptographic Hash Functions. Rocky K. C. Chang, February 5, 2015

Information Security CS526

Algorithms (III) Yijia Chen Shanghai Jiaotong University

Algorithms (III) Yu Yu. Shanghai Jiaotong University

Pseudorandom Number Generation

Practical Aspects of Modern Cryptography

Computer Security: Principles and Practice

Random Number Generator Andy Chen

B) Symmetric Ciphers. B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers

Implementation of Modified Chaos- based Random Number Generator for Text Encryption

Cryptographic Hash Functions

UNIT 9A Randomness in Computation: Random Number Generators Principles of Computing, Carnegie Mellon University - CORTINA

Computational Methods. Randomness and Monte Carlo Methods

U-II BLOCK CIPHER ALGORITHMS

Pseudo-random number generators

Reproducibility in Stochastic Simulation

Random Number Generators

Monte Carlo Methods; Combinatorial Search

Computational Security, Stream and Block Cipher Functions

Analysis of Cryptography and Pseudorandom Numbers

Request for Comments: 1750 Category: Informational Cybercash J. Schiller MIT December 1994

Lecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422

CSCE 715: Network Systems Security

Combinatorial Search; Monte Carlo Methods

RSA. Public Key CryptoSystem

What is the Q in QRNG?

Introduction to Cryptography. Lecture 3

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Syrvey on block ciphers

UNIT 9A Randomness in Computation: Random Number Generators

Recommendation for Random Number Generation Using Deterministic Random Bit Generators

Lab 1: Cipher Fundamentals

Computer Networks. Network Security and Ethics. Week 14. College of Information Science and Engineering Ritsumeikan University

Algorithms (III) Yijia Chen Shanghai Jiaotong University

CSC/ECE 774 Advanced Network Security

MTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems

Lecture 4: Authentication and Hashing

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

This chapter gives an introduction to stream ciphers:

Lab 1: Cipher Fundamentals

Chapter 4: (0,1) Random Number Generation

COMS W4995 Introduction to Cryptography November 13, Lecture 21: Multiple Use Signature Schemes

Recurrent Neural Network Models for improved (Pseudo) Random Number Generation in computer security applications

Side-Channel Attack against RSA Key Generation Algorithms

Lecture 14 Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze. 1 A Note on Adaptively-Secure NIZK. 2 The Random Oracle Model

The Design and Analysis of a True Random Number Generator in a Field Programmable Gate Array. By Paul Kohlbrenner November 20, 2003

Multiple forgery attacks against Message Authentication Codes

Network Security. Chapter 4 Public Key Cryptography. Public Key Cryptography (4) Public Key Cryptography

ASYMMETRIC CRYPTOGRAPHY

COMP4109 : Applied Cryptography

Encryption I. An Introduction

CS 161 Computer Security

Lecture 4: Hashes and Message Digests,

CIT 480: Securing Computer Systems. Hashes and Random Numbers

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Dolphin DCI 1.2. FIPS Level 3 Validation. Non-Proprietary Security Policy. Version 1.0. DOL.TD DRM Page 1 Version 1.0 Doremi Cinema LLC

Lecture 3 Algorithms with numbers (cont.)

CS61B Lecture #32. Last modified: Sun Nov 5 19:32: CS61B: Lecture #32 1

Secure digital certificates with a blockchain protocol

Public Key Algorithms

CHAPTER 5 NEW ENCRYPTION SCHEME USING FINITE STATE MACHINE AND GENERATING FUNCTION

CS408 Cryptography & Internet Security

Transcription:

Chapter 6 Random Number Generation Requirements / application Pseudo-random bit generator Hardware and software solutions [NetSec/SysSec], WS 2007/2008 6.1

Requirements and Application Scenarios Security Key generation automatically generated keys must be secure against prediction or estimation Initialization vectors many encryption algorithms rely on an IV, thus must be random to prevent guessing Authentication security protocols relying on challenge-response exchanges require random numbers Further applications in cryptographic algorithms Other domains Probabilistic decisions if not random, sequences may be created in long-term applications leading to self-similar behavior Simulation techniques calculation of variables following a particular distribution [NetSec/SysSec], WS 2007/2008 6.2

Random Number Generation Hardware-based random bit generators are based on physical phenomena, as: elapsed time between emission of particles during radioactive decay, thermal noise from a semiconductor diode or resistor, frequency instability of a free running oscillator, the amount a metal insulator semiconductor capacitor is charged during a fixed period of time, air turbulence within a sealed disk drive which causes random fluctuations in disk drive sector read latencies, and sound from a microphone or video input from a camera A hardware-based random bit generator should ideally be enclosed in some tamper-resistant device and thus shielded from possible attackers [NetSec/SysSec], WS 2007/2008 6.3

Random Number Generation Software-based random bit generators, are based upon processes as: the system clock, elapsed time between keystrokes or mouse movement, content of input- / output buffers user input, and operating system values such as system load and network statistics Ideally, multiple sources of randomness should be mixed, e.g. by concatenating their values and computing a cryptographic hash value for the combined value, in order to avoid that an attacker might guess the random value If, for example, only the system clock is used as a random source, than an attacker might guess random-numbers obtained from that source of randomness if he knows about when they were generated [NetSec/SysSec], WS 2007/2008 6.4

Random Number Generation De-skewing: Consider a random generator that produces biased but uncorrelated bits, e.g. it produces 1 s with probability p 0.5 and 0 s with probability 1 - p, where p is unknown but fixed The following technique can be used to obtain a random sequence that is uncorrelated and unbiased: The output sequence of the generator is grouped into pairs of bits All pairs 00 and 11 are discarded For each pair 10 the unbiased generator produces a 1 and for each pair 01 it produces a 0 Another practical (although not provable) de-skewing technique is to pass sequences whose bits are correlated or biased through a cryptographic hash function such as MD-5 or SHA-1 [NetSec/SysSec], WS 2007/2008 6.5

Statistical Tests for Random Numbers The following tests allow to check, if a generated random or pseudorandom sequence inhibits certain statistical properties: Monobit Test: Are there equally many 1 s like 0 s? Serial Test (Two-Bit Test): Are there equally many 00-, 01-, 10-, 11-pairs? Runs Test: Are the numbers of runs (sequences containing only either 0 s or 1 s) of various lengths as expected for random numbers? Autocorrelation Test: Are there correlations between the sequence and (non-cyclic) shifted versions of it? Maurer s Universal Test: Can the sequence be compressed? The above descriptions just give the basic ideas of the tests. For a more detailed and mathematical treatment, please refer to sections 5.4.4 and 5.4.5 in [Men97a] [NetSec/SysSec], WS 2007/2008 6.6

Random and Pseudo-Random Number Generation Definition: A random bit generator is a device or algorithm, which outputs a sequence of statistically independent and unbiased binary digits. Remark: A random bit generator can be used to generate uniformly distributed random numbers, e.g. a random integer in the interval [0, n] can be obtained by generating a random bit sequence of length lg n + 1 and converting it into a number. If the resulting integer exceeds n it can be discarded and the process is repeated until an integer in the desired range has been generated. [NetSec/SysSec], WS 2007/2008 6.7

Random and Pseudo-Random Number Generation Definition: A pseudo-random bit generator (PRBG) is a deterministic algorithm which, given a truly random binary sequence of length k, outputs a binary sequence of length m >> k which appears to be random. The input to the PRBG is called the seed and the output is called a pseudo-random bit sequence. Remarks: The output of a PRBG is not random, in fact the number of possible output sequences of length m is at most all small fraction 2 k / 2 m, as the PRBG produces always the same output sequence for one (fixed) seed The motivation for using a PRBG is that it might be too expensive to produce true random numbers of length m, e.g. by coin flipping, so just a smaller amount of random bits is produced and then a pseudorandom bit sequence is produced out of the k truly random bits In order to gain confidence in the randomness of a pseudo-random sequence, statistical tests are conducted on the produced sequences [NetSec/SysSec], WS 2007/2008 6.8

Random and Pseudo-Random Number Generation Example: A linear congruential generator produces a pseudo-random sequence of numbers y 1, y 2,... According to the linear recurrence y i = a y i-1 + b mod q with a, b, q being parameters characterizing the PRBG Unfortunately, this generator is predictable even when a, b and q are unknown, and should, therefore, not be used for cryptographic purposes [NetSec/SysSec], WS 2007/2008 6.9

Random and Pseudo-Random Number Generation Security requirements of PRBGs for use in cryptography As a minimum security requirement the length k of the seed to a PRBG should be large enough to make brute-force search over all seeds infeasible for an attacker The output of a PRBG should be statistically indistinguishable from truly random sequences The output bits should be unpredictable for an attacker with limited resources, if he does not know the seed [NetSec/SysSec], WS 2007/2008 6.10

Random and Pseudo-Random Number Generation Definition: A PRBG is said to pass all polynomial-time statistical tests, if no polynomial-time algorithm can correctly distinguish between an output sequence of the generator and a truly random sequence of the same length with probability significantly greater than 0.5 Polynomial-time algorithm means, that the running time of the algorithm is bound by a polynomial in the length m of the sequence Definition: A PRBG is said to pass the next-bit test, if there is no polynomial-time algorithm which, on input of the first m bits of an output sequence s, can predict the (m + 1) st bit s m+1 of the output sequence with probability significantly greater than 0.5 Theorem (universality of the next-bit test): A PRBG passes the next-bit test it passes all polynomial-time statistical tests For the proof, please see section 12.2 in [Sti95a] [NetSec/SysSec], WS 2007/2008 6.11

Random and Pseudo-Random Number Generation Definition: A PRBG that passes the next-bit test possibly under some plausible but unproved mathematical assumption such as the intractability of the factoring problem for large integers is called a cryptographically secure pseudo-random bit generator (CSPRBG) [NetSec/SysSec], WS 2007/2008 6.12

Pseudo-Random Number Generation There are a number of algorithms, that use cryptographic hash functions or encryption algorithms for generation of cryptographically secure pseudo random numbers Although these schemes can not be proven to be secure, they seem sufficient for most practical situations One such approach is the ANSI X9.17 generator: Input: a random and secret 64-bit seed s, integer m, and 3-DES key K Output: m pseudo-random 64-bit strings y 1, y 2,... Y m 1.) q = E(K, Date_Time) 2.) For i from 1 to m do 2.1) x i = E(K, (q s) 2.2) s = E(K, (x i q) 3.) Return(x 1, x 2,... x m ) This method is a U.S. Federal Information Processing Standard (FIPS) approved method for pseudo-randomly generating keys and initialization vectors for use with DES [NetSec/SysSec], WS 2007/2008 6.13

Secure Pseudo-Random Number Generation The RSA-PRBG is a CSPRBG under the assumption that the RSA problem is intractable: Output: a pseudo-random bit sequence z 1, z 2,..., z k of length k 1.) Setup procedure: Generate two secret primes p, q suitable for use with RSA Compute n = p q and Φ = (p -1) (q -1) Select a random integer e such that 1 < e < Φ and gcd(e, Φ) = 1 2.) Select a random integer y 0 (the seed) such that y 0 [1, n] 3.) For i from 1 to k do 3.1) y i = (y i-1 ) e mod n 3.2) z i = the least significant bit of y i The efficiency of the generator can be slightly improved by taking the last j bits of every y i, with j = c lg(lg(n)) and c is a constant However, for a given bit-length m of n, a range of values for the constant c such that the algorithm still yields a CSPRBG has not yet been determined [NetSec/SysSec], WS 2007/2008 6.14

Secure Pseudo-Random Number Generation The Blum-Blum-Shub-PRBG (BBS) is a CSPRBG under the assumption that the integer factorization problem is intractable: Output: a pseudo-random bit sequence z 1, z 2,..., z k of length k 1.) Setup procedure: Generate two large secret and distinct primes p, q such that p, q are each congruent 3 modulo 4 and let n = p q 2.) Select a random integer s (the seed) such that s [1, n - 1] such that gcd(s, n) = 1 and let y 0 = s 2 mod n 3.) For i from 1 to k do 3.1) y i = (y i-1 ) 2 mod n 3.2) z i = the least significant bit of y i The efficiency of the generator can be improved using the same method as for the RSA generator with similar constraints on the constant c [NetSec/SysSec], WS 2007/2008 6.15

Summary (what do I need to know) Principles Random bit generator Pseudo-random bit generator Cryptographically secure pseudo-random bit generator Hardware solutions Examples Software solutions Examples [NetSec/SysSec], WS 2007/2008 6.16

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback