randomness generation
play

Randomness generation Daniel J. Bernstein, Tanja Lange May 16, 2014 - PowerPoint PPT Presentation

Feb 20, 2023 •123 likes •392 views

Randomness generation Daniel J. Bernstein, Tanja Lange May 16, 2014 RDRAND: Just use it! David Johnston, 2012 (emphasis added): Thats exactly why we put the new random number generator in our processors. To solve the chronic problem of

  1. Randomness generation Daniel J. Bernstein, Tanja Lange May 16, 2014

  2. RDRAND: Just use it! David Johnston, 2012 (emphasis added): “That’s exactly why we put the new random number generator in our processors. To solve the chronic problem of security software systems lacking entropy. To provide secure random numbers even in VMs on blades. The rules of RNGs change when you have a 3Gbps source of entropy, which we do. You can over-engineer the downstream processing to ensure a reliable and sufficient supply under worst case assumptions. It’s not to solve ‘seeding’ issues. It provides both the entropy, the seeds and the PRNG in hardware. So you can replace the whole shebang and eliminate software PRNGs. Just use the output of the RDRAND instruction wherever you need a random number. ” Daniel J. Bernstein and Tanja Lange Randomness generation

  3. The developers are listening Daniel J. Bernstein and Tanja Lange Randomness generation

  4. But does RDRAND actually work? RTFM “Intel 64 and IA-32 Architectures Software Developer’s Manual”, Intel manual 325462, volume 1, page 7-24 (combined PDF page 177): “Under heavy load, with multiple cores executing RDRAND in parallel, it is possible, though unlikely, for the demand of random numbers by software processes/threads to exceed the rate at which the random number generator hardware can supply them. This will lead to the RDRAND instruction returning no data transitorily. The RDRAND instruction indicates the occurrence of this rare situation by clearing the CF flag. . . . It is recommended that software using the RDRAND instruction to get random numbers retry for a limited number of iterations while RDRAND returns CF=0 and complete when valid data is returned, indicated with CF=1. This will deal with transitory underflows.” Daniel J. Bernstein and Tanja Lange Randomness generation

  5. RTFM, continued #define SUCCESS 1 #define RETRY_LIMIT_EXCEEDED 0 #define RETRY_LIMIT 10 int get_random_64( unsigned __int 64 * arand) {int i; for (i = 0;i < RETRY_LIMIT;i++) { if(_rdrand64_step(arand) ) return SUCCESS; } return RETRY_LIMIT_EXCEEDED; } Daniel J. Bernstein and Tanja Lange Randomness generation

  6. Does the Intel code work? RTFM, continued “Runtime failures in the random number generator circuitry or statistically anomalous data occurring by chance will be detected by the self test hardware and flag the resulting data as being bad. In such extremely rare cases, the RDRAND instruction will return no data instead of bad data.” Intel’s DRNG Software Implementation Guide, Revision 1.1: “rare event that the DRNG fails during runtime”. No quantification of “rare”. Enter stay-dead state for one power-up out of every 10000? Enter stay-dead state at certain voltages? 2013 Bernstein–Chang–Cheng–Chou–Heninger–Lange–van Someren “Factoring RSA keys from certified smart cards: Coppersmith in the wild” exploited such rare failures. Daniel J. Bernstein and Tanja Lange Randomness generation

  7. RDRAND conclusion: unsafe at any speed If software keeps retrying: “busy loop”; software hangs. Daniel J. Bernstein and Tanja Lange Randomness generation

  8. RDRAND conclusion: unsafe at any speed If software keeps retrying: “busy loop”; software hangs. If software ignores EXCEEDED : software uses “bad data”. Daniel J. Bernstein and Tanja Lange Randomness generation

  9. RDRAND conclusion: unsafe at any speed If software keeps retrying: “busy loop”; software hangs. If software ignores EXCEEDED : software uses “bad data”. If software catches EXCEEDED : crypto dies. Daniel J. Bernstein and Tanja Lange Randomness generation

  10. RDRAND conclusion: unsafe at any speed If software keeps retrying: “busy loop”; software hangs. If software ignores EXCEEDED : software uses “bad data”. If software catches EXCEEDED : crypto dies. What’s the backup plan? Daniel J. Bernstein and Tanja Lange Randomness generation

  11. RDRAND conclusion: unsafe at any speed If software keeps retrying: “busy loop”; software hangs. If software ignores EXCEEDED : software uses “bad data”. If software catches EXCEEDED : crypto dies. What’s the backup plan? There is no backup plan! Daniel J. Bernstein and Tanja Lange Randomness generation

  12. RDRAND conclusion: unsafe at any speed If software keeps retrying: “busy loop”; software hangs. If software ignores EXCEEDED : software uses “bad data”. If software catches EXCEEDED : crypto dies. What’s the backup plan? There is no backup plan! Cryptography Research: using RDRAND directly in applications is easy but “the most prudent approach is always to combine any other available entropy sources to avoid having a single point of failure.” Daniel J. Bernstein and Tanja Lange Randomness generation

  13. RDRAND conclusion: unsafe at any speed If software keeps retrying: “busy loop”; software hangs. If software ignores EXCEEDED : software uses “bad data”. If software catches EXCEEDED : crypto dies. What’s the backup plan? There is no backup plan! Cryptography Research: using RDRAND directly in applications is easy but “the most prudent approach is always to combine any other available entropy sources to avoid having a single point of failure.” This is exactly what BSD’s /dev/urandom does. Daniel J. Bernstein and Tanja Lange Randomness generation

  14. Does RDRAND actually work properly? Daniel J. Bernstein and Tanja Lange Randomness generation

  15. Does RDRAND actually work properly? [7] D. J. Johnston, ”Mircoarchitecture Specification (MAS) for PP-DRNG,” Intel Corporation (unpublished), V1.4, 2009. [8] C. E. Dike, ”3 Gbps Binary RNG Entropy Source,” Intel Corporation (unpublished), 2011. [9] C. E. Dike and S. Gueron, ”Digital Symmetric Random Number Generator Mathematics,” Intel Corporation (unpublished), 2009. (References from “Analysis of Intel’s Ivy Bridge Digital Random Number Generator Prepared for Intel” by Mike Hamburg, Paul Kocher, and Mark E. Marson. Cryptography Research, Inc.) Daniel J. Bernstein and Tanja Lange Randomness generation

  16. Design (from CRI report) Daniel J. Bernstein and Tanja Lange Randomness generation

  17. Entropy Source (from CRI report) Daniel J. Bernstein and Tanja Lange Randomness generation

  18. Design (from CRI report) “It uses the counter mode CTR DRBG construction as defined in [2], with AES-128 as the block cipher.” Daniel J. Bernstein and Tanja Lange Randomness generation

  19. Intel assurances – David Johnston I’ve examined my own RNG with electron microscopes and picoprobes. So I and a number of test engineers know full well that the design hasn’t been subverted. For security critical systems, having multiple entropy sources is a good defense against a single source being subverted. But if an Intel processor were to be subverted, there are better things to attack, like the microcode or memory protection or caches. We put a lot of effort into keeping them secure, but as with any complex system it’s impossible to know that you’ve avoided all possible errors, so maintaining the security of platforms is an ongoing battle. [..] But the implication at the top of this thread is that we were leaned on by the government to undermine our own security features. I know for a fact that I was not leant on by anyone to do that. X9.82 took my contributions and NIST is taking about half my contributions, but maybe they’re slowly coming around to my way of thinking on online entropy testing. If I ultimately succeed in getting those specs to be sane, we better hope that I am sane. Daniel J. Bernstein and Tanja Lange Randomness generation

  20. Scary Paper of the Year: Stealthy Dopant-Level Hardware Trojans by Becker, Regazzoni, Paar, and Burleson, CHES 2013 Daniel J. Bernstein and Tanja Lange Randomness generation

  21. Linux use of RDRAND -rw-r--r-- H. Peter Anvin 2012-07-27 22:26 random.c: /* * In case the hash function has some recognizable output * pattern, we fold it in half. Thus, we always feed back * twice as much data as we output. */ hash.w[0] ^= hash.w[3]; hash.w[1] ^= hash.w[4]; hash.w[2] ^= rol32(hash.w[2], 16); /* * If we have a architectural hardware random number * generator, mix that in, too. */ for (i = 0; i < LONGS(EXTRACT_SIZE); i++) { unsigned long v; if (!arch_get_random_long(&v)) break; hash.l[i] ^= v; } memcpy(out, &hash, EXTRACT_SIZE); Daniel J. Bernstein and Tanja Lange memset(&hash, 0, sizeof(hash)); Randomness generation

  22. RDRAND backdoor proof of concept – Taylor Hornby “The way RDRAND is being used in kernels <= 3.12.3 allows it to cancel out the other entropy. See extract buf().” “if I make RDRAND return [EDX] ^ 0x41414141 , /dev/urandom output will be all ’A’ .” Full thread Daniel J. Bernstein and Tanja Lange Randomness generation

  23. Updated in Linux repository (Dec 2013) /* * If we have an architectural hardware random number * generator, use it for SHA’s initial vector */ sha_init(hash.w); for (i = 0; i < LONGS(20); i++) { unsigned long v; if (!arch_get_random_long(&v)) break; hash.l[i] = v; } /* Generate a hash across the pool, * 16 words (512 bits) at a time */ spin_lock_irqsave(&r->lock, flags); for (i = 0; i < r->poolinfo->poolwords; i += 16) sha_transform(hash.w, (__u8 *)(r->pool + i), workspace); Daniel J. Bernstein and Tanja Lange Randomness generation

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Randomness Some content taken from Silence on the Wire by Michal Zalewski Todays Agenda

Randomness Some content taken from Silence on the Wire by Michal Zalewski Todays Agenda

Randomness Some content taken from Silence on the Wire by Michal Zalewski Todays Agenda Randomness in Private Key Generation Randomness in Election (fraud) Randomness in Coin Flipping What is random? Chosen without method

693 views • 35 slides
Toward the Generation of Bell Certified Randomness Using Photons Alessandro Cer, Siddarth

Toward the Generation of Bell Certified Randomness Using Photons Alessandro Cer, Siddarth

Toward the Generation of Bell Certified Randomness Using Photons Alessandro Cer, Siddarth Koduru Josh, Chen Ming Chia, Jean-Daniel Bancal, Lana Sheridan, Valerio Scarani, Christian Kurtsiefer Quantum Optics Group 12/08/2013 Random is hard

473 views • 22 slides
the entropy generation rates of physical sources of randomness Joseph D. Hart 1,2,* , Thomas E.

the entropy generation rates of physical sources of randomness Joseph D. Hart 1,2,* , Thomas E.

The im impact of dig igitization on the entropy generation rates of physical sources of randomness Joseph D. Hart 1,2,* , Thomas E. Murphy 2,3 , Rajarshi Roy 2,3,4 , Gerry Baumgartner 5 1 Dept. of Physics 2 Institute for Research in Electronics

918 views • 33 slides
Firmware Insider Bluetooth Randomness is Mostly Random RANDOMNESS IS MY PASSION Jrn

Firmware Insider Bluetooth Randomness is Mostly Random RANDOMNESS IS MY PASSION Jrn

Firmware Insider Bluetooth Randomness is Mostly Random RANDOMNESS IS MY PASSION Jrn Tillmanns, Jiska Classen, Felix Rohrbach, Matthias Hollick Technische Universitt Darmstadt, Germany ??? 2 How to acquire randomness? A: 42 B: Random

562 views • 32 slides
Lecture 19 Randomness, Pseudo Randomness, and Confidentiality Stephen Checkoway University

Lecture 19 Randomness, Pseudo Randomness, and Confidentiality Stephen Checkoway University

Lecture 19 Randomness, Pseudo Randomness, and Confidentiality Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller and Baileys ECE 422 Randomness and Pseudorandomness Review Problem:

1.69k views • 33 slides
Randomness and analysis: a tutorial Part I: Randomness notions and almost everywhere theorems

Randomness and analysis: a tutorial Part I: Randomness notions and almost everywhere theorems

Randomness and analysis: a tutorial Part I: Randomness notions and almost everywhere theorems Andr e Nies CCC 2015, Kochel am See 1/1 Di ff erentiability Di ff erentiability of a function f at a real z means that the rate of change

1.19k views • 108 slides
15-251 Great Theoretical Ideas in Computer Science Lecture 21: Introduction to Randomness and

15-251 Great Theoretical Ideas in Computer Science Lecture 21: Introduction to Randomness and

15-251 Great Theoretical Ideas in Computer Science Lecture 21: Introduction to Randomness and Probability Theory Review April 4th, 2017 Randomness and the Universe Randomness and the Universe Does the universe have true randomness?

693 views • 52 slides
Randomness in Computing L ECTURE 1 Randomness in Computing Course information Verifying

Randomness in Computing L ECTURE 1 Randomness in Computing Course information Verifying

Randomness in Computing L ECTURE 1 Randomness in Computing Course information Verifying polynomial identities Probability Amplification Probability Review Sofya Raskhodnikova 1/21/2020 Sofya Raskhodnikova;Randomness in Computing

348 views • 21 slides
Counting Words: Non- Randomness Pre-Processing and Non-Randomness The End Marco Baroni &amp;

Counting Words: Non- Randomness Pre-Processing and Non-Randomness The End Marco Baroni &amp;

Pre-processing and non-randomness Baroni &amp; Evert Pre-Processing Counting Words: Non- Randomness Pre-Processing and Non-Randomness The End Marco Baroni &amp; Stefan Evert M alaga, 11 August 2006 Outline Pre-processing and

879 views • 55 slides
Physical Randomness Extractors Kai-Min Chung Academia Sinica, Taiwan Xiaodi Wu Yaoyun Shi

Physical Randomness Extractors Kai-Min Chung Academia Sinica, Taiwan Xiaodi Wu Yaoyun Shi

Physical Randomness Extractors Kai-Min Chung Academia Sinica, Taiwan Xiaodi Wu Yaoyun Shi MIT/UC Berkeley University of Michigan Presented in QIP14 as plenary talk (joint with [MS14]) 1 Randomness Randomness is a vital resource

391 views • 17 slides
From Quantum Computing Types of Physical . . . to Computers Quantum Processes . . . Randomness

From Quantum Computing Types of Physical . . . to Computers Quantum Processes . . . Randomness

We Need Faster . . . What Physical . . . How Can We Find . . . This Leads to . . . From Quantum Computing Types of Physical . . . to Computers Quantum Processes . . . Randomness in General of Generation Omega Completely Lawless . . .

383 views • 20 slides
Algorithmic randomness Cuny logic worshop Benoit Monin - LACL - Universit e Paris-Est Cr

Algorithmic randomness Cuny logic worshop Benoit Monin - LACL - Universit e Paris-Est Cr

Algorithmic randomness Beyond arithmetic Higher randomness ITTM and randomness Algorithmic randomness Cuny logic worshop Benoit Monin - LACL - Universit e Paris-Est Cr eteil 5 May 2017 Algorithmic randomness Beyond arithmetic Higher

771 views • 64 slides
Randomness in C 2 and Pluripotential Theory Randomness in C 2 and Pluripotential Theory Outline 1

Randomness in C 2 and Pluripotential Theory Randomness in C 2 and Pluripotential Theory Outline 1

Randomness in C 2 and Pluripotential Theory Randomness in C 2 and Pluripotential Theory Outline 1 Zeros of univariate random polynomials p : C C and potential theory; recent results of Bloom-Dauvergne 2 Random polynomials p : C 2 C and

585 views • 42 slides
Randomness Dependent Randomness Dependent Message Security g y Eleanor Birrell Kai

Randomness Dependent Randomness Dependent Message Security g y Eleanor Birrell Kai

Randomness Dependent Randomness Dependent Message Security g y Eleanor Birrell Kai Min Chung Rafael Pass Sidharth Telang Public key Encryption Public key Encryption Goal: l (pk,sk) Gen c = Enc(pk,m) E ( k ) Dec(sk,c) = m

638 views • 40 slides
CS 574: Randomized Algorithms Lecture 1. Introduction to Randomness August 25, 2015 Lecture 1.

CS 574: Randomized Algorithms Lecture 1. Introduction to Randomness August 25, 2015 Lecture 1.

Administrativia and Syllabus Why Randomness? Randomness in Computer Science CS 574: Randomized Algorithms Lecture 1. Introduction to Randomness August 25, 2015 Lecture 1. Introduction to Randomness CS 574: Randomized Algorithms

1.23k views • 61 slides
Chapter 7 Random-Number Generation Banks, Carson, Nelson &amp; Nicol Discrete-Event System

Chapter 7 Random-Number Generation Banks, Carson, Nelson &amp; Nicol Discrete-Event System

Chapter 7 Random-Number Generation Banks, Carson, Nelson &amp; Nicol Discrete-Event System Simulation Purpose &amp; Overview Discuss the generation of random numbers. Introduce the subsequent testing for randomness: Frequency test

440 views • 24 slides
ES-TRNG A High- throughput , Low-area T rue R andom N umber G enerator based on E dge S ampling

ES-TRNG A High- throughput , Low-area T rue R andom N umber G enerator based on E dge S ampling

ES-TRNG A High- throughput , Low-area T rue R andom N umber G enerator based on E dge S ampling Bohan Yang , Vladimir Roi , Milo Gruji Nele Mentens and Ingrid Verbauwhede COSIC, KU Leuven Generic TRNG Architecture Timing jitter

522 views • 16 slides
Serial and Parallel Random Number Generation Prof. Dr. Michael Mascagni Seminar f ur

Serial and Parallel Random Number Generation Prof. Dr. Michael Mascagni Seminar f ur

Serial and Parallel Random Number Generation Prof. Dr. Michael Mascagni Seminar f ur Angewandte Mathematik, ETH Z urich R aimistrasse 101, CH-8092 Z urich, Switzerland and Department of Computer Science &amp; School of

672 views • 35 slides
ECEN 5022 Cryptography Pseudo Random Number Generators Peter Mathys University of Colorado

ECEN 5022 Cryptography Pseudo Random Number Generators Peter Mathys University of Colorado

Pseudo Random Number Generators ECEN 5022 Cryptography Pseudo Random Number Generators Peter Mathys University of Colorado Spring 2008 Peter Mathys ECEN 5022 Cryptography Pseudo Random Number Generators Random Number Generation Random

352 views • 14 slides
Generation of non-uniform random numbers General method Function ran f () Theorem.- Let x be a

Generation of non-uniform random numbers General method Function ran f () Theorem.- Let x be a

Generation of non-uniform random numbers General method Function ran f () Theorem.- Let x be a r.v. with probability distribution func- tion F x ( x ) u = F x ( x ) is a r.v. uniformly distributed in the interval (0 , 1) ( U (0 ,

287 views • 25 slides
A Highly-Portable True Random Number Generator based on Coherent Sampling 2019 International

A Highly-Portable True Random Number Generator based on Coherent Sampling 2019 International

A Highly-Portable True Random Number Generator based on Coherent Sampling 2019 International Conference on Field-Programmable Logic and Applications Adriaan Peetermans, Vladimir Ro zi c and Ingrid Verbauwhede September 10, 2019 Random

370 views • 35 slides
MIPS Assembly (Random Numbers) 2 Lab Schedule Activities Assignments Due This Week Lab 10

MIPS Assembly (Random Numbers) 2 Lab Schedule Activities Assignments Due This Week Lab 10

Computer Systems and Networks ECPE 170 Jeff Shafer University of the Pacific MIPS Assembly (Random Numbers) 2 Lab Schedule Activities Assignments Due This Week Lab 10 Due by Apr 11 th 5:00am Lab work time MIPS

477 views • 5 slides
Random Numbers on GPUs W. B. Langdon Mathematical and Biological Sciences and Computing and

Random Numbers on GPUs W. B. Langdon Mathematical and Biological Sciences and Computing and

Random Numbers on GPUs W. B. Langdon Mathematical and Biological Sciences and Computing and Electronic Systems CIGPU 2008 Introduction Artificial Intelligence needs Randomisation Implementing randomisation is hard. GPU no native

618 views • 23 slides
Computational Expression Random Class, Math Class, Wrapper Classes Janyl Jumadinova 30

Computational Expression Random Class, Math Class, Wrapper Classes Janyl Jumadinova 30

Computational Expression Random Class, Math Class, Wrapper Classes Janyl Jumadinova 30 September, 2019 Janyl Jumadinova Computational Expression 30 September, 2019 1 / 8 Random Class The Random class is part of the java.util package It

415 views • 15 slides

More recommend