practical seed recovery for the pcg pseudo random number
play

Practical Seed-Recovery for the PCG Pseudo-Random Number Generator - PowerPoint PPT Presentation

Jul 23, 2023 •13 likes •533 views

Practical Seed-Recovery for the PCG Pseudo-Random Number Generator Charles Bouillaguet, Florette Martinez and Julia Sauvage November 2, 2020 Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 1 / 31 Introduction

  1. Practical Seed-Recovery for the PCG Pseudo-Random Number Generator Charles Bouillaguet, Florette Martinez and Julia Sauvage November 2, 2020 Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 1 / 31

  2. Introduction What? Cryptanalysis of the Permuted Congruential Generator (PCG). Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 2 / 31

  3. Why? Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 3 / 31

  4. Why? Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 4 / 31

  5. Why? Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 5 / 31

  6. Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 6 / 31

  7. Introduction What? Cryptanalysis of the Permuted Congruential Generator (PCG). Results Practical seed-recovery / prediction. How? "Guess-and-Determine" attack. Most expensive part : many small CVP problems. Actually done in ≤ 20 000 CPU-hours. Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 7 / 31

  8. Permuted Congruencial Generators (PCG) Conventional (non-crypto) pseudo-random generators Designed in 2014 by Melissa O’Neil PCG64 Internal state : 128-bit state and 128-bit increment 64-bit outputs 256-bit seed (or 128-bit with default increment) Default pseudo-random generator in NumPy 128 0 Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 8 / 31

  9. Permuted Congruencial Generators (PCG) Conventional (non-crypto) pseudo-random generators Designed in 2014 by Melissa O’Neil PCG64 Internal state : 128-bit state and 128-bit increment 64-bit outputs 256-bit seed (or 128-bit with default increment) Default pseudo-random generator in NumPy × a + c mod 2 128 128 128 S i + 1 S i 128 0 Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 8 / 31

  10. Permuted Congruencial Generators (PCG) Conventional (non-crypto) pseudo-random generators Designed in 2014 by Melissa O’Neil PCG64 Internal state : 128-bit state and 128-bit increment 64-bit outputs 256-bit seed (or 128-bit with default increment) Default pseudo-random generator in NumPy × a + c mod 2 128 128 128 S i + 1 S i 128 0 64 64 � Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 8 / 31

  11. Permuted Congruencial Generators (PCG) Conventional (non-crypto) pseudo-random generators Designed in 2014 by Melissa O’Neil PCG64 Internal state : 128-bit state and 128-bit increment 64-bit outputs 256-bit seed (or 128-bit with default increment) Default pseudo-random generator in NumPy × a + c mod 2 128 128 128 S i + 1 S i 128 122 0 64 64 � 6 r i ≫ 64 X i Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 8 / 31

  12. Attack Outline Guess some bits in a few successive states. Least-significant bits Rotations ⇒ Turn it into a (regular) truncated congruential generator . Reconstruct hidden information using lattice techniques. Discard bad guesses. Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 9 / 31

  13. Attack Outline Guess some bits in a few successive states. Least-significant bits Rotations ⇒ Turn it into a (regular) truncated congruential generator . Reconstruct hidden information using lattice techniques. Easy case ( c known): full state Hard case ( c unknown): only partial information Discard bad guesses. Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 9 / 31

  14. Easy Case: Known increment If the increment (c) is known ... ... Get rid of it! S ′ 0 ← S 0 S ′ 1 ← S 1 − c S ′ 2 ← S 2 − ( a + 1 ) c 3 ← S 3 − ( a 2 + a + 1 ) c S ′ . . . Yields S ′ : sequence of states with c = 0 → Geometric sequence . Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 10 / 31

  15. Attack Details 64 bits 64 bits S 0 S 1 S 2 Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 11 / 31

  16. Attack Details 6 ℓ bits r 0 w S 0 r 1 S 1 r 2 S 2 Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 11 / 31

  17. Attack Details 6 ℓ bits r 0 w S 0 × a + c mod 2 ℓ r 1 w 1 S 1 × a + c mod 2 ℓ r 2 w 2 S 2 Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 11 / 31

  18. Attack Details 6 ℓ bits r 0 w S 0 r 1 w 1 S 1 r 2 w 2 S 2 Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 11 / 31

  19. Attack Details 6 ℓ bits r 0 w S 0 ????????????????? r 1 w 1 S 1 ????????????????? r 2 w 2 S 2 ????????????????? ℓ bits 6 Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 11 / 31

  20. Attack Details ????????????????? ????????????????? ????????????????? ℓ bits 6 64 bits Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 11 / 31

  21. Remove the “Constant Component” ????????????????? T 0 − 0 × a mod 2 64 ????????????????? T 1 − c × a mod 2 64 ????????????????? T 2 ( a + 1 ) c − Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 12 / 31

  22. Truncated Linear Congruential Generators Internal state : 2 k -bit state. Multiplier a : known constant. Initial state: unknown 2 k -bit seed. × a mod 2 k k 0 T i discarded Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 13 / 31

  23. Reconstructing Truncated Geometric Sequences Sequence u i + 1 = a × u i mod 2 k . T = Truncated version (low-order bits unknown). L = lattice spawned by the rows of a 2 a n − 1   1 a . . . 2 k 0 0 0 . . .    2 k  0 0 . . . 0 u i     . . . . . . . . . . . . . . .   T i ????????? 2 k 0 0 0 . . . Main Idea u = ( u 0 , u 1 , . . . , u n − 1 ) belongs to the lattice L . T (truncated geometric series) is an approximation of u . ⇒ T is close to a point of L . ⇒ Closest point to T in L � u . Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 14 / 31

  24. Lattices and Basis reduction Lattice : subgroup of R n isomorphic to Z m Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 15 / 31

  25. Lattices and Basis reduction Lattice : subgroup of R n isomorphic to Z m Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 15 / 31

  26. CVP problem and Babai rounding Closest Vector Problem Standard NP-hard problem on lattices. Given arbitrary x ∈ Z n , find closest lattice point. Babai Rounding Algorithm Approximately solves CVP. H − 1 × x � � BabaiRounding ( x , L ) = H × round Where H is a “good” (LLL-reduced) basis of the lattice L . FAST (two matrix-vector products + rounding) Exponentially bad approximation (in the lattice dimension). → Often exact in small dimension though. Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 16 / 31

  27. Lattices and Basis reduction Lattice : subgroup of R n isomorphic to Z m Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 17 / 31

  28. Lattices and Basis reduction Lattice : subgroup of R n isomorphic to Z m Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 17 / 31

  29. Implementation (Easy case, known increment) Summary Observe 3 outputs X 0 , X 1 , X 2 (192 bits). Guess 37 bits: n = 3 successive rotations (6 bits each), ℓ = 19 least significant bits of S 0 , Solve 2 37 instances of CVP in dimension 3 (Babai Rounding). Reconstruct initial state, check outputs. Caveat Attack proved correct for ℓ = 20, works fine for ℓ = 19... Concretely... 25 CPU cycles per guess, 23 CPU-minutes in total. Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 18 / 31

  30. Issue with c unknown Summary so far (the Easy Case ) The increment (c) is known : Remove it, get truncated geometric sequence, CVP. Now the Hard Case The increment (c) is unknown : How to get truncated geometric sequence? (∆ S i + 1 = a × ∆ S i mod 2 128 ) . Use ∆ S i = S i + 1 − S i Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 19 / 31

  31. Issue with c unknown Summary so far (the Easy Case ) The increment (c) is known : Remove it, get truncated geometric sequence, CVP. Now the Hard Case The increment (c) is unknown : How to get truncated geometric sequence? (∆ S i + 1 = a × ∆ S i mod 2 128 ) . Use ∆ S i = S i + 1 − S i Same attack as before, but... Must guess one more rotation. Must guess least-significant bits of c . Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 19 / 31

  32. Attack Details S 0 S 1 S 2 S 3 S 4 Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 20 / 31

  33. Attack Details 6 ℓ bits r 0 w S 0 r 1 S 1 r 2 S 2 r 3 S 3 r 4 S 4 Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 20 / 31

  34. Attack Details 6 ℓ bits r 0 w S 0 × a + c mod 2 ℓ r 1 w 1 S 1 × a + c mod 2 ℓ r 2 w 2 S 2 × a + c mod 2 ℓ r 3 w 3 S 3 × a + c mod 2 ℓ r 4 w 4 S 4 Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 20 / 31

  35. Attack Details 6 ℓ bits r 0 w S 0 r 1 w 1 S 1 r 2 w 2 S 2 r 3 w 3 S 3 r 4 w 4 S 4 Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 20 / 31

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Random Numbers RANDOM VS PSEUDO RANDOM Truly Random numbers From Wolfram: A random number

Random Numbers RANDOM VS PSEUDO RANDOM Truly Random numbers From Wolfram: A random number

Random Numbers RANDOM VS PSEUDO RANDOM Truly Random numbers From Wolfram: A random number is a number chosen as if by chance from some specified distribution such that selection of a large set of these numbers reproduces the underlying

720 views • 12 slides
Random Numbers, Files, and Onwards Random Numbers Computers cannot produce truly random numbers.

Random Numbers, Files, and Onwards Random Numbers Computers cannot produce truly random numbers.

Random Numbers, Files, and Onwards Random Numbers Computers cannot produce truly random numbers. We make do with pseudo-random numbers, which are good enough. The pseudo-random generation algorithm is given a seed value. The same seed will always

331 views • 12 slides
PSEUDO-RANDOM FUNCTIONS We want to answer the question: What is a good block cipher? where

PSEUDO-RANDOM FUNCTIONS We want to answer the question: What is a good block cipher? where

Recall We studied security of function families (in particular, block ciphers) against key recovery. But we saw that security against key recovery is not su ffi cient to ensure that natural usages of a block cipher are secure. PSEUDO-RANDOM

268 views • 13 slides
Introduction to Pseudo-Random Number Generators Nicola Gigante December 21, 2016 Why random

Introduction to Pseudo-Random Number Generators Nicola Gigante December 21, 2016 Why random

Introduction to Pseudo-Random Number Generators Nicola Gigante December 21, 2016 Why random numbers? Lifes most important questions are, for the most part, nothing but probability problems. Pierre-Simon de Laplace 2 Why random numbers?

1.37k views • 63 slides
Introduction to Pseudo-Random Number Generators Nicola Gigante March 9, 2016 Why random

Introduction to Pseudo-Random Number Generators Nicola Gigante March 9, 2016 Why random

Introduction to Pseudo-Random Number Generators Nicola Gigante March 9, 2016 Why random numbers? Lifes most important questions are, for the most part, nothing but probability problems. Pierre-Simon de Laplace 2 Why random numbers?

684 views • 55 slides
ECEN 5022 Cryptography Pseudo Random Number Generators Peter Mathys University of Colorado

ECEN 5022 Cryptography Pseudo Random Number Generators Peter Mathys University of Colorado

Pseudo Random Number Generators ECEN 5022 Cryptography Pseudo Random Number Generators Peter Mathys University of Colorado Spring 2008 Peter Mathys ECEN 5022 Cryptography Pseudo Random Number Generators Random Number Generation Random

352 views • 14 slides
Draft History of Random Number Generators Seed x 0 , x i = f ( x i 1 ) , u i = g ( x i )

Draft History of Random Number Generators Seed x 0 , x i = f ( x i 1 ) , u i = g ( x i )

1 Draft History of Random Number Generators Seed x 0 , x i = f ( x i 1 ) , u i = g ( x i ) Pierre LEcuyer 2 Draft Once upon a time, ... 5000 years ago Dice, coins, and other devices were used long ago to make random selections

815 views • 50 slides
Links visited in class Lehmer Park-Miller pseudo-random numbers seed based on letter E scipy

Links visited in class Lehmer Park-Miller pseudo-random numbers seed based on letter E scipy

4.3 Statistical tests Links visited in class Lehmer Park-Miller pseudo-random numbers seed based on letter E scipy reference stats norm for vocabulary ppf (percent point function), pdf, cdf 1

741 views • 5 slides
Draft History of Random Number Generators Seed x 0 , x i = f ( x i 1 ) , u i = g ( x i )

Draft History of Random Number Generators Seed x 0 , x i = f ( x i 1 ) , u i = g ( x i )

1 Draft History of Random Number Generators Seed x 0 , x i = f ( x i 1 ) , u i = g ( x i ) Pierre LEcuyer Ecole Polytechnique, Palaiseau, D ec. 2017 2 Draft Once upon a time, ... 5000 years ago Dice, coins, and other devices

1.35k views • 85 slides
Determinism in Deep Learning (S9911) Duncan Riach, GTC 2019 1 RANDOMNESS Pseudo-random number

Determinism in Deep Learning (S9911) Duncan Riach, GTC 2019 1 RANDOMNESS Pseudo-random number

Determinism in Deep Learning (S9911) Duncan Riach, GTC 2019 1 RANDOMNESS Pseudo-random number generation Random mini-batching Stochastic gradient descent Data augmentation Regularization / generalization 2 DETERMINISM Elimination of truly

564 views • 52 slides
Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits

Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits

Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits Damien Vergnaud cole normale suprieure CHES September, 15th 2015 (with Aurlie Bauer) Damien Vergnaud (ENS) Key Recovery from Random

766 views • 48 slides
PSEUDO-RANDOM FUNCTIONS 1 / 65 Recall We studied security of a block cipher against key

PSEUDO-RANDOM FUNCTIONS 1 / 65 Recall We studied security of a block cipher against key

PSEUDO-RANDOM FUNCTIONS 1 / 65 Recall We studied security of a block cipher against key recovery. But we saw that security against key recovery is not sufficient to ensure that natural usages of a block cipher are secure. We want to answer the

920 views • 88 slides
Security of Pseudo-Random Number Generators With Input Damien Vergnaud cole normale

Security of Pseudo-Random Number Generators With Input Damien Vergnaud cole normale

Security of Pseudo-Random Number Generators With Input Damien Vergnaud cole normale suprieure INRIA PSL wr0ng April, 30th 2017 (with Yevgeniy Dodis, David Pointcheval, Sylvain Ruhault & Daniel Wichs) Damien Vergnaud (ENS)

694 views • 57 slides
Pseudo-random Functions Debdeep Mukhopadhyay IIT Kharagpur We have seen the construction of

Pseudo-random Functions Debdeep Mukhopadhyay IIT Kharagpur We have seen the construction of

Pseudo-random Functions Debdeep Mukhopadhyay IIT Kharagpur We have seen the construction of PRG (pseudo-random generators) being constructed from any one-way functions. Now we shall consider a related concept: Pseudo-random

829 views • 15 slides
Cryptographic Secure Pseudo-Random Bits Generation : The Blum-Blum-Shub Generator Pascal Junod

Cryptographic Secure Pseudo-Random Bits Generation : The Blum-Blum-Shub Generator Pascal Junod

Cryptographic Secure Pseudo-Random Bits Generation : The Blum-Blum-Shub Generator Pascal Junod August 1999 Contents 1 Introduction 3 2 Concept of Pseudo-Random Bit Generator 4 3 The Blum-Blum-Shub Generator 7 3.1 Some number-theoretic

481 views • 21 slides
Pseudo-Random Number Generators Functional Programming and Intelligent Algorithms Prof Hans Georg

Pseudo-Random Number Generators Functional Programming and Intelligent Algorithms Prof Hans Georg

Pseudo-Random Number Generators Functional Programming and Intelligent Algorithms Prof Hans Georg Schaathun Hgskolen i lesund 14th February 2017 1 Randomness 1. What is randomness? 2 Randomness 1. What is randomness? 2. How do we

590 views • 22 slides
Chapter 5 CSCE150A CSCE150A 5.1 Repetition in Programs Computer Science & Engineering 150A

Chapter 5 CSCE150A CSCE150A 5.1 Repetition in Programs Computer Science & Engineering 150A

Chapter 5 CSCE150A CSCE150A 5.1 Repetition in Programs Computer Science & Engineering 150A 5.2 Counting Loops and the While Statement Introduction Problem Solving Using Computers Introduction While Loop While Loop 5.3 Computing a Sum

287 views • 9 slides
Supporting Increment and Decrement Operations in Balancing Networks by W. Aiello, C. Busch, M.

Supporting Increment and Decrement Operations in Balancing Networks by W. Aiello, C. Busch, M.

Supporting Increment and Decrement Operations in Balancing Networks by W. Aiello, C. Busch, M. Herlihy, M. Mavronicolas, N. Shavit and D. Touitou Costas Busch Brown University 1 Balancing Networks Introduced by Aspnes, Herlihy and Shavit

486 views • 25 slides
Spark verification features Paul Jackson School of Informatics University of Edinburgh Formal

Spark verification features Paul Jackson School of Informatics University of Edinburgh Formal

Spark verification features Paul Jackson School of Informatics University of Edinburgh Formal Verification Spring 2018 Adding specification information to programs Verification concerns checking whether some model (or program) has desired

476 views • 22 slides
Single Static Assignment CSE 401 Section 10/10 Jack Eggleston, Aaron Johnston & Nate Yazdani

Single Static Assignment CSE 401 Section 10/10 Jack Eggleston, Aaron Johnston & Nate Yazdani

Single Static Assignment CSE 401 Section 10/10 Jack Eggleston, Aaron Johnston & Nate Yazdani Adapted from Laura Vonessons Wi17 Slides The Final Stretch You are here SUN MON TUE WED THU FRI SAT Report M501 Compiler Additions

559 views • 38 slides
Incremental Network Design Martin Savelsbergh Georgia Tech Aussois 2016 Collaborators

Incremental Network Design Martin Savelsbergh Georgia Tech Aussois 2016 Collaborators

Incremental Network Design Martin Savelsbergh Georgia Tech Aussois 2016 Collaborators Thomas Kalinowski University of Newcastle Dmytro Matsypura University of Sydney Outline Motivation Incremental Network Design with

646 views • 42 slides
1 Parallelism in Python The Problem with Shared State Python provides two mechanisms for

1 Parallelism in Python The Problem with Shared State Python provides two mechanisms for

Python Example of a MapReduce Application The mapper and reducer are both self contained Python programs Read from standard input and write to standard output ! Mapper Tell Unix: this is Python #!/usr/bin/env python3 The emit function

464 views • 3 slides
ARM Assembler Structure / Loops Structure / Loops p. 1/12 Loops Four parts to any loop

ARM Assembler Structure / Loops Structure / Loops p. 1/12 Loops Four parts to any loop

Systems Architecture ARM Assembler Structure / Loops Structure / Loops p. 1/12 Loops Four parts to any loop initialisation init i) body body ii) increment or inc iii) decrement dec exit condition

1k views • 61 slides
A linear lower bound for incrementing a space-optimal integer representation in the bit-probe

A linear lower bound for incrementing a space-optimal integer representation in the bit-probe

. . . . . . . . . . . . . . . A linear lower bound for incrementing a space-optimal integer representation in the bit-probe model Michael Raskin, raskin@mccme.ru LaBRI, Universit de Bordeaux July 13, 2017 Michael Raskin,

475 views • 43 slides

More recommend