Randomness.

Presentation on theme: "Randomness."— Presentation transcript:

1 Randomness

2 Is this a problem? Importance of randomness
Keys
Challenges
Random algorithms
Objective: uniform choice in a large domain
Implementation attempts
Time
Time as seed & PRG
Traffic
Memory contents

3 True RNG
Physical sources
Disk rotation
Sampling of unsynchronized clocks
Measuring noise in quiet channels
Human interaction
Problems
Typically, low entropy
Difficult to measure quality
XOR approach – Let X, Y be two independent samples of a TRNG; use X ⊕ Y

4 Reducing bias
Claim: the maximum (minimum) probability of an element in X ⊕ Y is smaller (greater) than min{max X, max Y} (max{min X, min Y}).
Definition: let X be a Bernoulli variable with parameter p (Pr[X=0] = p and Pr[X=1] = 1-p). The bias of X is p - 1/2.
Claim – if X_i is Bernoulli with bias ε_i, i = 1,…,n, then X = ⊕_i X_i has bias 2^(n-1) ∏_i ε_i
Idea for reducing bias in a TRNG: sample X_1,…,X_n and set X = ⊕_i X_i. This can only be better than each of X_1,…,X_n.
Notation: p_i = Pr[X⊕Y = i], q_i = Pr[X = i], r_i = Pr[Y = i].
Claim I: max{p_i} ≤ min{max{q_i}, max{r_i}}
Proof: let p_j = max{p_i}. Then p_j = Σ_i q_i r_{i⊕j} ≤ Σ_i max{q_i} r_{i⊕j} = max{q_i}, since Σ_i r_{i⊕j} = 1; the bound by max{r_i} follows symmetrically.
Claim II: the bias of X⊕Y, when X has bias ε and Y has bias δ, is 2εδ:
Pr[X⊕Y = 0] - 1/2 = Pr[X=0]Pr[Y=0] + Pr[X=1]Pr[Y=1] - 1/2 = (1/2+ε)(1/2+δ) + (1/2-ε)(1/2-δ) - 1/2 = 2εδ.
Prove the n-variable claim by induction.

5 Reducing bias (cont.)
Example that XOR does not improve
Heuristic for a TRNG – X = h(X_1,…,X_n) for a cryptographic hash function h
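As an added example (my own code, not from the slides), the following Python computes the exact bias of an XOR of independent biased bits and checks it against the slide's formula 2^(n-1) ∏_i ε_i. It goes one step beyond the slide's Bernoulli case by also computing p_j = Σ_i q_i r_{i⊕j} for X, Y over a larger domain {0,…,2^k-1}, the setting of Claim I. Every distribution in it is a constructed toy value, and the comments record the two situations from slide 5 in which XOR cannot help: a constant input and inputs that are not independent.

```python
from functools import reduce
from itertools import product

# Added example, not part of the lecture slides. All inputs are constructed toy distributions.

def bias(p0):
    """Bias of a Bernoulli bit with Pr[X=0] = p0, as defined on the slide: p0 - 1/2."""
    return p0 - 0.5

def xor_bit_prob0(p0s):
    """Exact Pr[X_1 xor ... xor X_n = 0] for independent bits with Pr[X_i=0] = p0s[i].
    Enumerates all 2^n outcomes, so it is a check for small n, not a generator."""
    prob0 = 0.0
    for bits in product((0, 1), repeat=len(p0s)):
        pr = 1.0
        for b, p0 in zip(bits, p0s):
            pr *= p0 if b == 0 else 1.0 - p0
        if reduce(lambda acc, b: acc ^ b, bits, 0) == 0:
            prob0 += pr
    return prob0

def xor_bias_exact(p0s):
    """Bias of the XOR computed from the exact distribution."""
    return bias(xor_bit_prob0(p0s))

def xor_bias_formula(p0s):
    """The slide's claim: the XOR of n independent bits with biases eps_i has bias 2^(n-1) * prod(eps_i)."""
    n = len(p0s)
    return 2 ** (n - 1) * reduce(lambda acc, p0: acc * bias(p0), p0s, 1.0)

def xor_distribution(q, r):
    """Distribution of X xor Y for independent X ~ q, Y ~ r on {0, ..., 2^k - 1}:
    p_j = sum_i q_i * r_{i xor j}, the notation of Claim I."""
    m = len(q)
    return [sum(q[i] * r[i ^ j] for i in range(m)) for j in range(m)]

def claim_I_holds(q, r):
    """max{p_i} <= min{max{q_i}, max{r_i}}: XOR never concentrates more than its better input."""
    p = xor_distribution(q, r)
    return max(p) <= min(max(q), max(r)) + 1e-12

# Two cases (slide 5) where XOR does not improve anything:
#  - one sample is constant (bias +-1/2): 2 * (1/2) * eps = eps, the other bias is unchanged;
#  - the samples are not independent, e.g. Y = X: then X xor Y = 0 always, and the
#    formula above does not apply because it assumes independence.
```

Calling `xor_bias_exact([0.6, 0.7])` and `xor_bias_formula([0.6, 0.7])` both give 0.04 = 2·0.1·0.2; with a constant first bit, `xor_bias_exact([1.0, 0.7])` is 0.2, the bias of the other input.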

6 PRG Attempts
Attempt at a definition: a PRG is a deterministic algorithm that receives a random, short seed and stretches it to a long pad
Attempt I: x_0 = seed_1, a = seed_2, c = seed_3, p a public prime; x_i = a·x_{i-1} mod p, output_i = c·x_i mod p
Attempt II: x_0, a, b, c, d initialized by the seed, p a public prime; x_i = a·x_{i-1} + b mod p, output_i = c·x_i + d mod p
Attempt III: k = 0, x_0 = seed, x_i = AES_k(x_{i-1}), output_i = x_i

7 Indistinguishable ensembles
Let X_i be a random variable for i = 1, 2, …; {X_i}_i is an ensemble of random variables
We say that {X_i}_i and {Y_i}_i are two indistinguishable ensembles if for any random polynomial time algorithm A, |Prob[A(X_n)=1] - Prob[A(Y_n)=1]| = neg(n)
Example – let {U_n}_n denote the ensemble of uniform distributions on {0,1}^n; then {U_n} and {U_n \ {0}} (uniform on {0,1}^n without the all-zero string) are indistinguishable.

8 Pseudo-Random Generator
Definition: an algorithm G with input s ∈ {0,1}^n and output G(s) ∈ {0,1}^(n^c), for some constant c. If s is uniform in {0,1}^n then G(s) is indistinguishable from a uniformly random string of length n^c.
Theorem: pseudo-random generators exist if and only if one-way functions exist.
We'll show a weaker (but more practical) construction from one-way permutations.

9 Hardcore bits
Negligible function in n – asymptotically smaller than 1/n^c for any c.
Asymptotic evaluation – loses practical significance for overly large numbers
Let f: {0,1}^n → R and x ∈ D. B(x): {0,1}^n → {0,1} is a hardcore bit for f(x) if for any random polynomial time algorithm A, |Prob[A(f(x)) = B(x)] - 1/2| = neg(n)
Claim: any one-way function f(x) has a hardcore bit.
Example: lsb and msb in discrete log

10 Hardcore bits & PRG
Let f: {0,1}^n → {0,1}^n be a one-way permutation and B(x) be a hardcore bit for f(x)
Claim: if x is chosen uniformly at random then f(x)||B(x) is indistinguishable from the uniform distribution on n+1 bits
PRG: s_0 = seed, s_j = f(s_{j-1}); output B(s_0), B(s_1), …
Lemma: if f(x)||B(x) is indistinguishable from the uniform distribution then f(x)||B(x) is indistinguishable from f(x)||(not B(x))
Proof (since f is a permutation, f(x)||b for uniform x and uniform b is exactly U_{n+1}):
Pr[D(f(x)||B(x)) = 1] - Pr[D(U_{n+1}) = 1]
 = Pr[D(f(x)||B(x)) = 1] - ½(Pr[D(f(x)||B(x)) = 1] + Pr[D(f(x)||(not B(x))) = 1])
 = ½(Pr[D(f(x)||B(x)) = 1] - Pr[D(f(x)||(not B(x))) = 1])
Proof of claim: assume that there is a distinguisher D. Given f(x), choose a random b and output b if D(f(x)||b) = 1, otherwise output 1-b.
Pr[output = B(x)] = Pr[b = B(x)]·Pr[D(f(x)||B(x)) = 1] + Pr[b = 1-B(x)]·Pr[D(f(x)||(not B(x))) = 0]
 = ½(Pr[D(f(x)||B(x)) = 1] + Pr[D(f(x)||(not B(x))) = 0])
 = ½(Pr[D(f(x)||B(x)) = 1] + 1 - Pr[D(f(x)||(not B(x))) = 1])
 = ½ + non-negligible
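As an added example, not part of the slides: the PRG above instantiated in Python with f(x) = g^x mod p, which permutes {1,…,p-1} when g generates Z_p^*, and the Blum–Micali predicate B(x) = 1 iff x ≤ (p-1)/2 (the msb-type bit mentioned on slide 9). The parameters p = 1019 and g = 2 are constructed toy values, far too small for any security; the block checks that g is a generator and that f really is a permutation before it produces bits.

```python
# Added example, not from the lecture slides. Toy parameters, constructed for illustration:
# p = 1019 is prime and p - 1 = 1018 = 2 * 509 with both factors prime.
P = 1019
G = 2
P_MINUS_1_FACTORS = (2, 509)

def is_generator(g, p, factors):
    """g generates Z_p^* iff g^((p-1)/q) != 1 mod p for every prime q dividing p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in factors)

def f(x, g=G, p=P):
    """One-way permutation candidate: f(x) = g^x mod p, viewed as a map on {1, ..., p-1}
    (g^(p-1) = 1, so x = p-1 maps to 1 and the other inputs map to the other elements)."""
    return pow(g, x, p)

def is_permutation(g=G, p=P):
    """Exhaustive check (fine for a toy p) that f is a bijection on {1, ..., p-1}."""
    return len({f(x, g, p) for x in range(1, p)}) == p - 1

def hardcore_bit(x, p=P):
    """B(x) = 1 iff x lies in the lower half of the exponent range (Blum-Micali's predicate)."""
    return 1 if x <= (p - 1) // 2 else 0

def blum_micali_bits(seed, k, g=G, p=P):
    """Slide 10 PRG: s_0 = seed, s_j = f(s_{j-1}); output B(s_0), ..., B(s_{k-1})."""
    s = seed % (p - 1) or p - 1      # keep the state inside the permutation's domain 1..p-1
    out = []
    for _ in range(k):
        out.append(hardcore_bit(s, p))
        s = f(s, g, p)
    return out

if __name__ == "__main__":
    assert is_generator(G, P, P_MINUS_1_FACTORS) and is_permutation()
    print(blum_micali_bits(7, 16))
```

With seed 7 the state sequence starts 7, 2^7 = 128, 2^128 mod 1019 = 821, so the first three output bits are 1, 1, 0.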

11 The BBS PRG
BBS – Blum, Blum, Shub
Let p, q be two secret primes with p ≡ q ≡ 3 mod 4, and n = pq
The seed is a random X_0 ∈ Z_n
Compute X_i = (X_{i-1})^2 mod n
Define O_i = lsb(X_i)
BBS(x) = O_1, O_2, …
Improvement – O_i is defined as the log log n lower bits of X_i
Theorem – BBS is as secure as factoring
The practical performance of BBS is relatively low – a modular multiplication per ~10 bits

12 Practical PRG constructions
Cipher based
Key is initialized to the seed
Use a stream cipher
Example: AES with a fixed IV in OFB or CTR mode.
X9.31 (with a TRNG as well)
K = seed_1, V_0 = seed_2
I = E_K(time)
R_i = E_K(I ⊕ V_{i-1})
V_i = E_K(R_i ⊕ I)

13 Practical PRG constructions
Hash based
Hash1 to update the state
Hash2 for output
LFSR based
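Added example (not the slides' code): the X9.31 update loop from slide 12 in Python. X9.31 specifies a block cipher for E_K; to keep this runnable without third-party packages, HMAC-SHA256 truncated to 16 bytes stands in as the keyed function E_K, so the output is structurally X9.31 but not compatible with a real X9.31 implementation. The key, V_0 and timestamps are constructed values.

```python
import hmac
import hashlib

# Added example, not from the lecture slides.
BLOCK = 16

def E(key, block):
    """Stand-in for the block cipher E_K: HMAC-SHA256 truncated to one 16-byte block."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor_bytes(a, b):
    """Bytewise XOR of two equal-length blocks."""
    return bytes(x ^ y for x, y in zip(a, b))

def time_block(t):
    """Encode an integer timestamp as one block (a constructed stand-in for the real 'time' input)."""
    return t.to_bytes(BLOCK, "big")

def x931_blocks(key, v0, timestamps):
    """Slide 12: I = E_K(time), R_i = E_K(I xor V_{i-1}), V_i = E_K(R_i xor I).
    Returns the output blocks R_1..R_m for the given timestamps, carrying V_i forward."""
    v = v0
    out = []
    for t in timestamps:
        i_blk = E(key, t)
        r = E(key, xor_bytes(i_blk, v))
        v = E(key, xor_bytes(r, i_blk))
        out.append(r)
    return out

if __name__ == "__main__":
    key, v0 = b"k" * BLOCK, b"v" * BLOCK          # constructed seed_1 and seed_2
    for r in x931_blocks(key, v0, [time_block(t) for t in (1, 2, 3)]):
        print(r.hex())
```

The point of the V_i feedback is that an output R_i alone does not give the next state: both K and V_i feed the next block.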

14 Random generator: TRNG+PRG
A TRNG can supply truly random bits of uncertain quality
A PRG can stretch a truly random seed
Approach:
Sample a TRNG: X_1,…,X_n
Compute the seed: S = h(X_1,…,X_n)
Stretch the seed: PRG(S) = O_1, O_2, …
Can this model be attacked?
What happens if the PRG is BBS and the attacker obtains an intermediate state?

15 Requirements for randomness
Pseudo-randomness
Forward security – an internal state of the random generator does not reveal previous random outputs
Backward security – even after complete compromise of the random generator state, secret random bits can be generated given enough new truly random bits
Requires a TRNG and an update
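Added example, not from the slides, covering BBS (slide 11), the intermediate-state question (slide 14) and the two requirements (slide 15), in Python with constructed toy primes p = 499, q = 547 (both ≡ 3 mod 4). It shows that X_i alone lets anyone compute every later output, that stepping the generator backwards uses the factorization (the trapdoor, which the state holder does not have), and how mixing fresh TRNG bits into the state through a hash, the slide-14 recipe S = h(…), is what recovers from a compromise. Squaring the seed to obtain X_0 is the usual way of starting inside the quadratic residues and is my choice here, not something the slide states.

```python
import hashlib

# Added example, not from the lecture slides. Toy primes for illustration only;
# real BBS uses primes of hundreds of digits.
P, Q = 499, 547              # both prime and both = 3 (mod 4)
N = P * Q                    # 272953

def bbs_seed_state(seed, n=N):
    """X_0 = seed^2 mod n: squaring puts X_0 in the quadratic residues, the set BBS walks on."""
    return (seed * seed) % n

def bbs_bits(x0, k, n=N):
    """O_1..O_k with X_i = X_{i-1}^2 mod n and O_i = lsb(X_i); returns (bits, X_k)."""
    x = x0
    out = []
    for _ in range(k):
        x = (x * x) % n
        out.append(x & 1)
    return out, x

def outputs_from_captured_state(x_i, k, n=N):
    """Slide 14: whoever learns X_i reproduces every later output by squaring forward.
    No trapdoor is needed, so BBS by itself offers nothing once the state has leaked."""
    return bbs_bits(x_i, k, n)[0]

def previous_state_with_trapdoor(x, p, q):
    """Slide 15, forward security: going backwards means taking the quadratic-residue square
    root of x mod pq, which needs the factorization. For a prime r = 3 (mod 4) a root of a
    residue x is x^((r+1)/4) mod r; the per-prime roots are combined with the CRT."""
    n = p * q
    roots = []
    for r in (p, q):
        y = pow(x, (r + 1) // 4, r)
        if pow(y, (r - 1) // 2, r) != 1:   # pick the root that is itself a residue mod r
            y = r - y
        roots.append(y)
    yp, yq = roots
    return (yp + p * (((yq - yp) * pow(p, -1, q)) % q)) % n

def reseed(x, fresh_trng_bytes, n=N):
    """Slide 15, backward security: hash new truly random bits together with the old state
    (S = h(...) from slide 14), then square so the new state is again a residue."""
    digest = hashlib.sha256(x.to_bytes(8, "big") + fresh_trng_bytes).digest()
    return (int.from_bytes(digest, "big") ** 2) % n

def in_bbs_state_set(x, p=P, q=Q):
    """True when x is a square mod both primes (0 included), i.e. a legitimate BBS state."""
    return all(pow(x % r, (r - 1) // 2, r) in (0, 1) for r in (p, q))

if __name__ == "__main__":
    x0 = bbs_seed_state(12345)                       # constructed seed
    bits, x5 = bbs_bits(x0, 5)
    print("outputs:", bits, "state X_5:", x5)
    print("from X_5 alone:", outputs_from_captured_state(x5, 10))
    print("X_4 via trapdoor:", previous_state_with_trapdoor(x5, P, Q))
    print("reseeded:", reseed(x5, b"constructed fresh entropy"))
```

Without the reseed, the holder of X_5 predicts the stream indefinitely; after `reseed` the new state depends on bytes that holder never saw, which is exactly the "given enough new truly random bits" condition on slide 15.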

16 Randomness in Linux

17 State attacks
Linux attack (2006)
Given an entropy pool, a previous entropy pool can be computed in time:
O(2^96), 7/16 of the time
O(2^64), 9/16 of the time
Windows attack (2007)
Given the internal state, of the previous bits can be computed in O(2^23) time
