design of secure trngs for cryptography past present and
play

Design of Secure TRNGs for Cryptography Past, Present, and Future - PowerPoint PPT Presentation

Dec 01, 2022 •393 likes •739 views

Sources Characterization Dedicated tests Conclusions Design of Secure TRNGs for Cryptography Past, Present, and Future Viktor F ISCHER Univ Lyon, UJM-Saint-Etienne, CNRS Laboratoire Hubert Curien UMR 5516 F-42023, SAINT-ETIENNE, France

  1. Sources Characterization Dedicated tests Conclusions Design of Secure TRNGs for Cryptography – Past, Present, and Future Viktor F ISCHER Univ Lyon, UJM-Saint-Etienne, CNRS Laboratoire Hubert Curien UMR 5516 F-42023, SAINT-ETIENNE, France fischer@univ-st-etienne.fr Workshop Wr0ng2017, Paris, April 2017 1/34 V. F ISCHER Design of Secure TRNGs for Cryptography – Past, Present, and Future

  2. Sources Characterization Dedicated tests Conclusions Random Numbers in Cryptography ◮ (True) Random Number Generator (RNG or TRNG) Physical function generating a sequence of random bits or symbols (e.g. groups of bits = numbers) ◮ RNG (or RBG, i.e. Random Bit Generator) Essential part of cryptographic systems ◮ Today’s cryptographic systems mostly implemented in logic devices (e.g. smart cards) ◮ Challenge: find and exploit analog sources of randomness in digital devices using a standard technology (avoid a full custom design) 2/34 V. F ISCHER Design of Secure TRNGs for Cryptography – Past, Present, and Future

  3. Sources Characterization Dedicated tests Conclusions Fair Tossing of Fair Coins ◮ Mathematical approach: Considered as an ideal TRNG Ten fair coins give entropy rate of ten bits per trial ◮ Physical approach: What (physically) means ‘fair tossing’ 1 and ‘fair coins’ ? What can be the frequency of trials ? 1 In fact, mechanical systems are perfectly predictable. Only initial conditions determine the entropy. 3/34 V. F ISCHER Design of Secure TRNGs for Cryptography – Past, Present, and Future

  4. Sources Characterization Dedicated tests Conclusions Tossing (Partially) Unfair Coins – Realistic TRNG In the context of oscillator based TRNG: Manipulable Fair Correlated Biased ◮ How much entropy per trial, if: One (independent) fair coin Four correlated coins Two biased coins Three manipulable coins ◮ Can the output be manipulable, if the ten coins’ values are bit-wise XORed to get just one output bit? 4/34 V. F ISCHER Design of Secure TRNGs for Cryptography – Past, Present, and Future

  5. Sources Characterization Dedicated tests Conclusions Tossing (Partially) Unfair Coins – Realistic TRNG In the context of oscillator based TRNG: ! ? ? Manipulable Fair Correlated Local thermal Local flicker noise Biased noise Global noises Sampling ◮ How much entropy per trial, if: One (independent) fair coin Four correlated coins Two biased coins Three manipulable coins ◮ Can the output be manipulable, if the ten coins’ values are bit-wise XORed to get just one output bit? 5/34 V. F ISCHER Design of Secure TRNGs for Cryptography – Past, Present, and Future

  6. Sources Characterization Dedicated tests Conclusions Conclusions Regarding Our Study Case ◮ Design of a TRNG is rather a physical than a mathematical project ◮ Physical parameters of the sources of randomness must be thoroughly evaluated: Characteristics of each exploited source of randomness Relationship between individual sources of randomness Distribution of output random values (bias) Correlation or even dependence between output values Manipulability Agility (spectrum) 6/34 V. F ISCHER Design of Secure TRNGs for Cryptography – Past, Present, and Future

  7. Sources Characterization Dedicated tests Conclusions Random Number Generation and Security ◮ Two main security requirements on RNGs: R1: Good statistical properties of the output bitstream R2: Output unpredictability ◮ Statistical properties can be easily evaluated using general purpose (black box) statistical tests ◮ Unpredictability is more difficult to assess In PRNGs guaranteed by the underlying algorithm – it must be computationally difficult to guess future and past random numbers Approved cryptographic algorithm should be used In TRNGs guaranteed by a sufficient entropy rate per generated random number Approved design approach should be used 7/34 V. F ISCHER Design of Secure TRNGs for Cryptography – Past, Present, and Future

  8. Sources Characterization Dedicated tests Conclusions Classical versus Modern TRNG Design Approach ◮ Recall – two main security requirements on TRNGs: R1: Good statistical properties of the output bitstream R2: Output unpredictability ◮ Security evaluation – classical approach: Assess both requirements using statistical tests – insufficient ◮ Modern (more stringent) ways of assessing security: Evaluate statistical parameters using statistical tests Evaluate entropy using an entropy estimator (stochastic model) Test online the source of entropy using dedicated statistical tests Objectives of the talk To discuss modern approaches in the TRNG design To illustrate the new methodology on a comprehensive example 8/34 V. F ISCHER Design of Secure TRNGs for Cryptography – Past, Present, and Future

  9. Sources Characterization Dedicated tests Conclusions Outline 1 Sources of randomness in logic devices 2 Characterization and quantification of sources of randomness 3 From quantification of the source of randomness to dedicated tests 4 Conclusions 9/34 V. F ISCHER Design of Secure TRNGs for Cryptography – Past, Present, and Future

  10. Sources Characterization Dedicated tests Conclusions Contemporary TRNG Design – Recommendations AIS 31 Internal random numbers Digital noise Algor. & Crypto source post-processing Raw binary signal output Entropy Embedded Alarm estimation point tests ◮ Digital noise source Should have as high entropy rate per bit as possible Should enable sufficient bit-rate Shouldn’t be manipulable (robustness) ◮ Post-processing (optional) Algorithmic – enhances statistics without reducing the entropy Cryptographic – for unpredictability when source of entropy fails ◮ Dedicated embedded tests Fast total failure test with low probability of false alarms Online tests detecting quickly and reliably intolerable weaknesses 10/34 V. F ISCHER Design of Secure TRNGs for Cryptography – Past, Present, and Future

  11. Sources Characterization Dedicated tests Conclusions Sources of Randomness in Logic Devices ◮ Commonly used sources related to some physical process, basically coming from electric noises Clock jitter : short-term variation of an event from its ideal position Metastability : ability of an unstable equilibrium electronic state to persist for an indefinite period in a digital system (rare) Oscillatory metastability : ability of a bi-stable circuit (e.g. an RS flip-flop) to oscillate for an indefinite period Initialization of flip-flops : initialization of a flip-flop (or a memory element) to a random state (after power-up or periodically) Chaos : stochastic behavior of a deterministic system which exhibits sensitive dependence on initial conditions 11/34 V. F ISCHER Design of Secure TRNGs for Cryptography – Past, Present, and Future

  12. Sources Characterization Dedicated tests Conclusions Sources of Randomness: Jittery Clock Signals ◮ Clock jitter – the most frequently used in logic devices ◮ The jitter in clock generators is caused by 1 Local noise sources Global noise sources Random sources (e.g. thermal and flicker noise) Local sources Deterministic sources (e.g. cross-talks) Clock jitter sources Random sources (e.g. random noise from EMI and power line) Global sources Deterministic sources (e.g. determ. signals from EMI and power) ◮ Sources in red are manipulable! ◮ The entropy must be estimated depending on the local non-manipulable sources (in green) 1 B. Valtchanov, A. Aubert, F . Bernard, and V. Fischer, Modeling and observing the jitter in ring oscillators implemented in FPGAs, DDECS 2008 12/34 V. F ISCHER Design of Secure TRNGs for Cryptography – Past, Present, and Future

  13. Sources Characterization Dedicated tests Conclusions Choice of the Source of Randomness ◮ The source of randomness must be clearly defined, well characterized and quantified ◮ With respect to the entropy harvesting method, it should serve as an input parameter of the stochastic model ◮ Problem #1: False entropy source E.g. while claiming to use metastability, the designer uses some other, uncharacterized source of entropy (electric noises) ◮ Problem #2: Entropy overestimation The effect of manipulable sources is not excluded from entropy estimation – the general purpose statistical tests are not able to exclude them! 13/34 V. F ISCHER Design of Secure TRNGs for Cryptography – Past, Present, and Future

  14. Sources Characterization Dedicated tests Conclusions Digitization of the Noise Signal ◮ Explicite Sampling of a noisy signal Counting of random events Time-to-digital conversion ◮ Hidden (or implicite) Conversion of analog electric noises to the timing jitter of the clock signal ◮ Sometimes it is difficult or even impossible to separate digitization from the post-processing ◮ If the digitization is hidden or if it is mixed with the post-processing, the raw random signal – difficult to determine 14/34 V. F ISCHER Design of Secure TRNGs for Cryptography – Past, Present, and Future

  15. Sources Characterization Dedicated tests Conclusions Outline 1 Sources of randomness in logic devices 2 Characterization and quantification of sources of randomness 3 From quantification of the source of randomness to dedicated tests 4 Conclusions 15/34 V. F ISCHER Design of Secure TRNGs for Cryptography – Past, Present, and Future

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Advanced Tools from Modern Cryptography Lecture 12 MPC: UC-secure OT UC-Secure OT UC-secure

Advanced Tools from Modern Cryptography Lecture 12 MPC: UC-secure OT UC-Secure OT UC-secure

Advanced Tools from Modern Cryptography Lecture 12 MPC: UC-secure OT UC-Secure OT UC-secure OT is impossible (even against PPT adversaries) in the plain model (i.e., without the help of another functionality) But possible from simple

527 views • 16 slides
20 Years of PaX PaX Team SSTIC 2012.06.06 20 Years of PaX About Past Present Future About

20 Years of PaX PaX Team SSTIC 2012.06.06 20 Years of PaX About Past Present Future About

About Past Present Future 20 Years of PaX PaX Team SSTIC 2012.06.06 20 Years of PaX About Past Present Future About Introduction Design Concepts Past Userland Present Kernel Self-Protection Toolchain Support Future Userland

803 views • 40 slides
VA Psychology Leadership Conference y gy p PAST PRESENT & FUTURE FOR VHA: PAST, PRESENT

VA Psychology Leadership Conference y gy p PAST PRESENT & FUTURE FOR VHA: PAST, PRESENT

VA Psychology Leadership Conference y gy p PAST PRESENT & FUTURE FOR VHA: PAST, PRESENT & FUTURE FOR VHA: THE REALIGNMENT IN CENTRAL OFFICE May 18, 2011 y , George W. Arana, MD Acting Assistant Deputy Under Secretary for Health g p

510 views • 32 slides
Australian Pretreatment Market Past and Present Design principles Approvals State

Australian Pretreatment Market Past and Present Design principles Approvals State

H ALGAN P TY L TD Kerry Hall August 2012 Australian Pretreatment Market Past and Present Design principles Approvals State Design Manufacturers Suitability Approvals in Australia are currently by state government bodies

378 views • 24 slides
1 Symmetric algorithm Public key algorithm Secret key public key and private key C 1 = E

1 Symmetric algorithm Public key algorithm Secret key public key and private key C 1 = E

Cryptography security Cryptography may be a component of a secure system Cryptographic Systems Adding cryptography may not make a Authentication & Communication system secure Protocols Paul Krzyzanowski Distributed Systems

753 views • 23 slides
Secure UHF Tags with Strong Cryptography Development of ISO/IEC 18000-63 Compatible Secure RFID

Secure UHF Tags with Strong Cryptography Development of ISO/IEC 18000-63 Compatible Secure RFID

Secure UHF Tags with Strong Cryptography Development of ISO/IEC 18000-63 Compatible Secure RFID Tags and Presentation of First Results Walter Hinz, Klaus Finkenzeller, Martin Seysen Barcelona, February 19 th , 2013 Agenda Motivation for

416 views • 26 slides
Applied Cryptography (Pt. 1) Engineering Secure Software Last Revised: October 13, 2020

Applied Cryptography (Pt. 1) Engineering Secure Software Last Revised: October 13, 2020

Applied Cryptography (Pt. 1) Engineering Secure Software Last Revised: October 13, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Networks, Cryptography, and You Most application developers Dont implement networking

333 views • 30 slides
CSCE 790 Secure Computer Systems Symmetric Cryptography Professor Qiang Zeng Spring 2020

CSCE 790 Secure Computer Systems Symmetric Cryptography Professor Qiang Zeng Spring 2020

CSCE 790 Secure Computer Systems Symmetric Cryptography Professor Qiang Zeng Spring 2020 Previous Class Classical Cryptography Frequency analysis Never use home-made cryptography Goals of Cryptography

527 views • 26 slides
Cryptography Crash Course Symmetric Key Cryptography School on Secure IoT, 2016 Dr. Ir. Jens

Cryptography Crash Course Symmetric Key Cryptography School on Secure IoT, 2016 Dr. Ir. Jens

Cryptography Crash Course Symmetric Key Cryptography School on Secure IoT, 2016 Dr. Ir. Jens Hermans KU Leuven/COSIC Cryptology: basic principles Eve Alice Bob CRYP CRYP Clear Clear %^C& %^C& TOB TOB @&^( @&^(

1.32k views • 119 slides
CUPA - RIO GRANDE CHAPTER ACA (PAST, PRESENT AND FUTURE) Agenda 1. ACA Foundations 2. Past -

CUPA - RIO GRANDE CHAPTER ACA (PAST, PRESENT AND FUTURE) Agenda 1. ACA Foundations 2. Past -

CUPA - RIO GRANDE CHAPTER ACA (PAST, PRESENT AND FUTURE) Agenda 1. ACA Foundations 2. Past - The Early Days 3. Present - Current State 4. Future Whats Next 5. Solutions ACA Compliance Tools 6. Question and Answer Jeff Taylor

373 views • 19 slides
The Past, Present and Future of Irish Agriculture Brendan Kearney The Past, Present and Future of

The Past, Present and Future of Irish Agriculture Brendan Kearney The Past, Present and Future of

The Past, Present and Future of Irish Agriculture Brendan Kearney The Past, Present and Future of Irish Agriculture Changing role in the economy Main policy developments and output/ income trends Changing structure and performance

852 views • 17 slides
Attacks on DNS Cryptography in DNS Secure design and coding for DNS D. J. Bernstein University

Attacks on DNS Cryptography in DNS Secure design and coding for DNS D. J. Bernstein University

Attacks on DNS Cryptography in DNS Secure design and coding for DNS D. J. Bernstein University of Illinois at Chicago http://cr.yp.to /talks.html#2009.03.02 /talks.html#2009.03.03 /talks.html#2009.03.04 1996: qmail 0.70. 1997: qmail 1.00.

1.04k views • 69 slides
Public-Key Cryptography Lecture 12 CCA Secure PKE Hybrid Encryption CCA Secure PKE In SKE, to get

Public-Key Cryptography Lecture 12 CCA Secure PKE Hybrid Encryption CCA Secure PKE In SKE, to get

Public-Key Cryptography Lecture 12 CCA Secure PKE Hybrid Encryption CCA Secure PKE In SKE, to get CCA security, we used a MAC Bob would accept only messages from Alice But in PKE, Bob wants to receive messages from Eve as well! But only if it is

336 views • 14 slides
Connecting YOU with the right customers. About Me Past SEO 2003 to Present Affiliate

Connecting YOU with the right customers. About Me Past SEO 2003 to Present Affiliate

| 2018 Connecting YOU with the right customers. About Me Past SEO 2003 to Present Affiliate Marketing 2002 - Present SEM / Ads 2003 to Present Current Jenga Digital LLC 2013 - Present Personal Born in

385 views • 20 slides
Who Controls the Past Controls the Future Who Controls the Present Controls the Past Nothing

Who Controls the Past Controls the Future Who Controls the Present Controls the Past Nothing

Who Controls the Past Controls the Future Who Controls the Present Controls the Past Nothing gives rest but the sincere search for truth. -Pascal Greetz from Room 101 Kenneth Geers 1984 # Nineteen Eighty-Four (Orwell) # Govt IW vs own

1.03k views • 77 slides
NTRU and Lattice-Based Crypto: Past, Present, and Future Joseph H. Silverman Brown University

NTRU and Lattice-Based Crypto: Past, Present, and Future Joseph H. Silverman Brown University

NTRU and Lattice-Based Crypto: Past, Present, and Future Joseph H. Silverman Brown University The Mathematics of Post-Quantum Cryptography DIMACS Center, Rutgers University January 1216, 2015 0 Some Definitions, Some Notation, and Some

1.02k views • 54 slides
Using Chains for what Theyre Good For Andrew Poelstra usingchainsfor@wpsoftware.net Scaling

Using Chains for what Theyre Good For Andrew Poelstra usingchainsfor@wpsoftware.net Scaling

Using Chains for what Theyre Good For Andrew Poelstra usingchainsfor@wpsoftware.net Scaling Bitcoin, November 5, 2017 1 / 14 On-Chain Smart Contracting Bitcoin (and Ethereum, etc.) uses a scripting language to describe smart contracts and

364 views • 14 slides
Byzantine agreement in the Clear Valerie King University of Victoria Victoria, Canada

Byzantine agreement in the Clear Valerie King University of Victoria Victoria, Canada

Byzantine agreement in the Clear Valerie King University of Victoria Victoria, Canada Byzantine Agreement 0 1 0 1 Start with initial bits; exchanges messages, then output same bit. If all start with the same bit, must output that bit

746 views • 61 slides
Vision 2020 Potential Economic Impact of IoT in 2025 $3.9 11.1 Trillion value of IoT SOURCE:

Vision 2020 Potential Economic Impact of IoT in 2025 $3.9 11.1 Trillion value of IoT SOURCE:

Vision 2020 Potential Economic Impact of IoT in 2025 $3.9 11.1 Trillion value of IoT SOURCE: Expert interviews; McKinsey Global Institute analysis SOURCE: McKinsey Global Institute analysis Vision 2020 IPv4/NAT IPv6 NCP 2 32 10 38 10 4 10

573 views • 19 slides
Counting by Coin Tossings Philippe Flajolet, INRIA, France http://algo.inria.fr/flajolet 1 From

Counting by Coin Tossings Philippe Flajolet, INRIA, France http://algo.inria.fr/flajolet 1 From

ASIAN04, Chiang Mai 2004 Counting by Coin Tossings Philippe Flajolet, INRIA, France http://algo.inria.fr/flajolet 1 From Estan-Varghese-Fisk: traces of attacks Need number of active connections in time slices. Incoming/Outgoing flows at

689 views • 43 slides
Digital Goods E-commerce and the Internet E-Commerce Today E-commerce: use of the Internet

Digital Goods E-commerce and the Internet E-Commerce Today E-commerce: use of the Internet

10/12/2012 E-Commerce: Digital Markets, Digital Goods E-commerce and the Internet E-Commerce Today E-commerce: use of the Internet and Web to transact business; digitally enabled transactions. Began in 1995 and grew exponentially;

715 views • 18 slides
Electronic Arts Inc. Q3 FY 2020 Results January 30, 2020 Safe Harbor Statement Please review

Electronic Arts Inc. Q3 FY 2020 Results January 30, 2020 Safe Harbor Statement Please review

Electronic Arts Inc. Q3 FY 2020 Results January 30, 2020 Safe Harbor Statement Please review our risk factors on Form 10-Q filed with the SEC. Some statements set forth in this document, including the information relating to EAs fiscal

464 views • 12 slides
Approximation and Mechanism Design Jason D. Hartline Northwestern University May 15, 2010

Approximation and Mechanism Design Jason D. Hartline Northwestern University May 15, 2010

Approximation and Mechanism Design Jason D. Hartline Northwestern University May 15, 2010 Game theory has a great advantage in explicitly analyzing the consequences of trading rules that presumably are really common knowledge, it is

1.38k views • 112 slides
Approximation in Mechanism Design Jason Hartline Northwestern University August 8 and 10, 2012

Approximation in Mechanism Design Jason Hartline Northwestern University August 8 and 10, 2012

Approximation in Mechanism Design Jason Hartline Northwestern University August 8 and 10, 2012 Manuscript available at: http://www.eecs.northwestern.edu/hartline/amd.pdf Goals for Mechanism Design Theory Mechanism Design: how can a social

1.61k views • 132 slides

More recommend