Evaluation Criteria for True (Physical) Random Number Generators Used in Cryptographic Applications Werner Schindler 1, Wolfgang Killmann 2 2 T-Systems.

Slides:



Advertisements
Similar presentations
ARCHITECTURES FOR ARTIFICIAL INTELLIGENCE SYSTEMS
Advertisements

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Random Number Generators for Cryptographic Applications (Part 2) Werner Schindler Federal Office for Information Security (BSI), Bonn Bonn, January 24,
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
An Introduction to Stream Ciphers Zahra Ahmadian Electrical Engineering Department Sahrif University of Technology
Generating Random Numbers
Random Number Generation. Random Number Generators Without random numbers, we cannot do Stochastic Simulation Most computer languages have a subroutine,
Sheng Xiao, Weibo Gong and Don Towsley,2010 Infocom.
CS457 – Introduction to Information Systems Security Cryptography 1b Elias Athanasopoulos
Quantum Spectrum Testing Ryan O’Donnell John Wright (CMU)
ISBN Chapter 3 Describing Syntax and Semantics.
Decision Making: An Introduction 1. 2 Decision Making Decision Making is a process of choosing among two or more alternative courses of action for the.
Daniel E. Holcomb, Wayne P. Burleson and Kevin Fu
1. Introduction Consistency of learning processes To explain when a learning machine that minimizes empirical risk can achieve a small value of actual.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
280 SYSTEM IDENTIFICATION The System Identification Problem is to estimate a model of a system based on input-output data. Basic Configuration continuous.
Software Metrics II Speaker: Jerry Gao Ph.D. San Jose State University URL: Sept., 2001.
Random Number Generators for Cryptographic Applications (Part 1) Werner Schindler Federal Office for Information Security (BSI), Bonn Bonn, January 17,
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
1 Analysis of the Linux Random Number Generator Zvi Gutterman, Benny Pinkas, and Tzachy Reinman.
Chapter 13: Audit Sampling Spring Overview of Sampling.
Session 6: Introduction to cryptanalysis part 1. Contents Problem definition Symmetric systems cryptanalysis Particularities of block ciphers cryptanalysis.
ISO 9001 Interpretation : Exclusions
Lecture 11 Implementation Issues – Part 2. Monte Carlo Simulation An alternative approach to valuing embedded options is simulation Underlying model “simulates”
Software Integration and Documenting
Pseudorandom Number Generators. Randomness and Security Many cryptographic protocols require the parties to generate random numbers. All the hashing algorithms.
Lecture 8 Digital Signatures. This lecture considers techniques designed to provide the digital counterpart to a handwritten signature. A digital signature.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 21 “Public-Key Cryptography.
Difference Two Groups 1. Content Experimental Research Methods: Prospective Randomization, Manipulation Control Research designs Validity Construct Internal.
Statistical Hypothesis Testing. Suppose you have a random variable X ( number of vehicle accidents in a year, stock market returns, time between el nino.
Cryptography and Network Security (CS435)
Block ciphers 2 Session 4. Contents Linear cryptanalysis Differential cryptanalysis 2/48.
Practices in Security Bruhadeshwar Bezawada. Key Management Set of techniques and procedures supporting the establishment and maintenance of keying relationships.
Marking Scheme ISM ISM Top-up. Project Contents Abstract, – A one page summary (max. 400 words) of the Intent, work undertaken. Introduction, – An overview.
CS555Spring 2012/Topic 51 Cryptography CS 555 Topic 5: Pseudorandomness and Stream Ciphers.
9th IMA Conference on Cryptography & Coding Dec 2003 More Detail for a Combined Timing and Power Attack against Implementations of RSA Werner Schindler.
Assessing Quality for Integration Based Data M. Denk, W. Grossmann Institute for Scientific Computing.
Towards Automated Security Proof for Symmetric Encryption Modes Martin Gagné Joint work with Reihaneh Safavi-Naini, Pascal Lafourcade and Yassine Lakhnech.
Chapter 7 Random-Number Generation
Information Security Lab. Dept. of Computer Engineering 182/203 PART I Symmetric Ciphers CHAPTER 7 Confidentiality Using Symmetric Encryption 7.1 Placement.
Stream Ciphers Making the one-time pad practical.
Channel Capacity.
Chapter 21 Public-Key Cryptography and Message Authentication.
FOURTH EUROPEAN QUALITY ASSURANCE FORUM "CREATIVITY AND DIVERSITY: CHALLENGES FOR QUALITY ASSURANCE BEYOND 2010", COPENHAGEN, NOVEMBER IV FORUM-
Following the submission of your CV and letter of application, the head of Human Resources has invited you to proceed to the second stage of the recruitment.
Palestine University Faculty of Information Technology IGGC Understanding Telecommunications Instructor: Dr. Eng. Mohammed Alhanjouri 2 nd Lecture:
Session 9 & 10. Definition of risk assessment and pre condition for risk assessment Establishment of clear, consistent agency objectives. Risk assessment.
A–Level Computing Project Introduction. Learning objectives Become familiar with the: Guidelines associated with choosing a project. Stages in project.
CHES 2002 Presented at the workshop CHES 2002, August 13-15, 2002, Redwood Shores, California, USA.
Based on Bruce Schneier Chapter 8: Key Management Dulal C Kar.
FDT Foil no 1 On Methodology from Domain to System Descriptions by Rolv Bræk NTNU Workshop on Philosophy and Applicablitiy of Formal Languages Geneve 15.
McGraw-Hill/Irwin © 2006 The McGraw-Hill Companies, Inc., All Rights Reserved. 1.
TM8104 IT Security EvaluationAutumn CC – Common Criteria (for IT Security Evaluation) The CC permits comparability between the results of independent.
Game-based composition for key exchange Cristina Brzuska, Marc Fischlin (University of Darmstadt) Nigel Smart, Bogdan Warinschi, Steve Williams (University.
PRNGs Pseudo-random number generation. Randomness and Cryptography Randomness and pseudo-randomness are useful in cryptography: –To generate random and.
The Theoretical Design
Reliability performance on language tests is also affected by factors other than communicative language ability. (1) test method facets They are systematic.
======!"§==Systems= Technical Guidance for CC Evaluation Wolfgang Killmann T-Systems GEI GmbH.
Quality Assurance in the Presence of Variability Kim Lauenroth, Andreas Metzger, Klaus Pohl Institute for Computer Science and Business Information Systems.
Lecture №4 METHODS OF RESEARCH. Method (Greek. methodos) - way of knowledge, the study of natural phenomena and social life. It is also a set of methods.
Wired Equivalent Privacy (WEP) Chris Overcash. Contents What is WEP? What is WEP? How is it implemented? How is it implemented? Why is it insecure? Why.
Real-life cryptography Pfeiffer Alain.  Types of PRNG‘s  History  General Structure  User space  Entropy types  Initialization process  Building.
Building Valid, Credible & Appropriately Detailed Simulation Models
Sampling and Sampling Distribution
Lecture 1.31 Criteria for optimal reception of radio signals.
Cryptography and Network Security Chapter 7
Department of Computer Science Abdul Wali Khan University Mardan
An overview of course assessment
A handbook on validation methodology. Metrics.
Presentation transcript:

Evaluation Criteria for True (Physical) Random Number Generators Used in Cryptographic Applications Werner Schindler 1, Wolfgang Killmann 2 2 T-Systems ISS GmbH Bonn, Germany 1 Bundesamt für Sicherheit in der Informationstechnik (BSI) Bonn, Germany

Random numbers in cryptographic applications - random session keys - RSA prime factors -... Examples: - zero-knowledge-proofs - random numbers for DSS - challenge-response-protocols - IV vectors

Random number generators - deterministic random number generators (DRNGs) (output completely determined by the seed) - true (physical) random number generators (TRNGs) - hybrid generators (refreshing their seed regularly; e.g. by exploiting user‘s interaction, mouse move- ment, key strokes or register values)

Requirements on random numbers R1: The random numbers should have good statistical properties The requirements on the used random numbers depend essentially on the intended application! R2: The knowledge of subsequences of random numbers shall not enable to compute pre- decessors or successors or to guess them with non-negligible probability.

TRNGs vs. DRNGs For sensitive applications requirement R2 is indispensable! DRNGs rely on computational complexity („practical security“) TRNGs: If the entropy per random number is suffi- ciently large this ensures theoretical security.

Objectives of a TRNG evaluation (I): at hand of Verification of the general suitability of the TRNG-design carefully investigated prototypes theoretical considerations and

TRNGs in operation: General problems and risks - total breakdown of the noise source - tolerances of components - aging effects

tot-test / startup test / online test testaim shall detect a total breakdown of the noise source very soon tot-test shall ensure the functionality of the TRNG at the start startup test shall detect non-tolerable weaknesses or deterioration of the quality of random numbers online test

Objectives of a TRNG evaluation (II): at hand of Verification of the suitability of the tot-, startup- and online test theoretical considerations

TRNG (schematic design) digitised analog signal (das-random numbers) internal r.n. algorithmic postprocessing (optional) noise source analogdigital external r.n. external interface buffer (optional)

Which random numbers should be tested? (I) Example: linear feedback shift register... das-r.n.internal r.n. worst case scenario: total breakdown of the noise sorce das-r.n.s : constant, i.e. entropy /bit = 0... but... internal r.n.s: good statistical properties!!!

Which random numbers should be tested? (II) Statistical blackbox tests applied on the internal random numbers will not detect a total breakdown of the noise source (unless the linear complexity profile is tested). The relevant property is the increase of entropy per random bit. Example (continued):

Entropy (I) Fundamental problems: - Entropy is a property of random variables but not of observed random numbers! - „general“ entropy estimators do not exist - Entropy cannot be measured as voltage etc. Consequences: - at least the distribution class of the underlying random variables has to be known General demand (-> R2): - Entropy / random bit should be sufficiently large

Entropy (II) The das-random numbers should be tested. Conclusion: das-random numbers: - may not be equidistributed - may be dependent on predecessors - but there should not be complicated algebraic long-term dependencies (-> math. model of the noise source)

ITSEC and CC ITSEC (Information Technology Security Evaluation Criteria) and CC (Common Criteria) - provide evaluation criteria which shall permit the comparability between independent security evaluations. - A product or system which has been successfully evaluated is awarded with an internationally recognized IT security certificate.

CC: Evaluation of Random Number Generators ITSEC, CC and the corresponding evaluation manuals do not specify any uniform evaluation criteria for random number generators! AIS 31: Functionality Classes and Evaluation Methodology for Physical Random Number Generators In the German evaluation and certification scheme the evaluation guidance document has been effective since September 2001

AIS 31 (I) - provides clear evaluation criteria for TRNGs - discusses positive and negative examples - no statistical blackbox tests for class P2 - distinguishes between two functionality classes P1 (for less sensitive applications as challenge-response mechanisms) P2 (for sensitive applications as key generation)

AIS 31 (II) - does not favour or exclude any reasonable TRNG design; if necessary, the applicant has give and to justify alternative criteria - mathematical-technical reference: W. Schindler, W. Killmann: A Proposal for: Functionality Classes and Evaluation Methodology for True (Physical) Random Number Generators

AIS 31: Alternative Criteria (I) P2-specific requirement P2.d)(vii): Digitised noise signal sequences meet particular criteria or pass statistical tests intended to rule out features such as multi-step dependencies Tests and evaluation rules are specified in sub-section P2.i) Aim of this requirement: to guarantee a minimum entropy limit for the das-random numbers and, consequently, for the internal random numbers.

AIS 31: Alternative Criteria (II) Case A): The das-random numbers do not meet these criteria. Using an appropriate (data-compressing) mathematical postprocessing the entropy of the internal r.n.s may yet be sufficiently large. The applicant has to give clear proof that the entropy of the internal random numbers is sufficiently large, taking into account the mathematical postprocessing on basis of the empirical properties of the digitized noise signal sequence.

AIS 31: Alternative Criteria (III) Case B): Due to construction of the TRNG there is no access to the das-random numbers possible. The applicant additionally has to give a comprehensible and plausible description of a mathematical model of the noise source and of the das random numbers (specifying a distribution class!).

AIS 31: Reference Implementation A reference implementation of the applied statistical tests will be put on the BSI website in September The AIS 31 has been well-tried in a number of product evaluations

for improvement of the AIS 31 are always welcome! Proposals and ideas

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.