security of pseudo random number generators with input
play

Security of Pseudo-Random Number Generators With Input Damien - PowerPoint PPT Presentation

Sep 16, 2022 •109 likes •694 views

Security of Pseudo-Random Number Generators With Input Damien Vergnaud cole normale suprieure INRIA PSL wr0ng April, 30th 2017 (with Yevgeniy Dodis, David Pointcheval, Sylvain Ruhault & Daniel Wichs) Damien Vergnaud (ENS)

  1. Security of Pseudo-Random Number Generators With Input Damien Vergnaud École normale supérieure – INRIA – PSL wr0ng April, 30th 2017 (with Yevgeniy Dodis, David Pointcheval, Sylvain Ruhault & Daniel Wichs) Damien Vergnaud (ENS) Security of PRNG with Input April, 30th 2017 1 / 36

  2. About this Talk examine randomness generation for cryptography give ◮ security definitions ◮ a construction meeting the formalized requirements. analyze ◮ a previous construction proposed by Barak and Halevi in 2005 ◮ Linux random generators /dev/random and /dev/urandom Damien Vergnaud (ENS) Security of PRNG with Input April, 30th 2017 2 / 36

  3. Contents Pseudorandom Generators 1 Security Models 2 Barak-Halevi Security Model Dodis et al. Security Model On the Security of Barak-Halevi Construction A Provably Secure Construction 3 Linux PRNG /dev/random and /dev/urandom 4 Conclusion 5 Damien Vergnaud (ENS) Security of PRNG with Input April, 30th 2017 3 / 36

  4. True Random Number Generators Natural randomness in real world previous talks Find a regular but random event and monitor but, need special hardware to do this but, often slow but, problems of bias or uneven distribution Damien Vergnaud (ENS) Security of PRNG with Input April, 30th 2017 4 / 36

  5. True Random Number Generators Natural randomness in real world previous talks Find a regular but random event and monitor but, need special hardware to do this but, often slow but, problems of bias or uneven distribution Damien Vergnaud (ENS) Security of PRNG with Input April, 30th 2017 4 / 36

  6. Random Sources and Extractors What kinds of random sources are useful ? ◮ impredictable � must have sufficient entropy ◮ in cryptography: use min-entropy: H ∞ ( X ) = min {− log Pr [ X = x ] } $ x ← X Build deterministic extractor ? ◮ f : { 0 , 1 } n → { 0 , 1 } , s.t. for X over { 0 , 1 } n with H ∞ ( X ) ≥ n − 1, Pr [ f ( X ) = 0 ] = 1 / 2 ◮ cannot exist � Randomness extractors ◮ use a small family of functions ◮ parametrized by a seed ◮ in cryptography: public or private ? Damien Vergnaud (ENS) Security of PRNG with Input April, 30th 2017 5 / 36

  7. Random Sources and Extractors What kinds of random sources are useful ? ◮ impredictable � must have sufficient entropy ◮ in cryptography: use min-entropy: H ∞ ( X ) = min {− log Pr [ X = x ] } $ x ← X Build deterministic extractor ? ◮ f : { 0 , 1 } n → { 0 , 1 } , s.t. for X over { 0 , 1 } n with H ∞ ( X ) ≥ n − 1, Pr [ f ( X ) = 0 ] = 1 / 2 ◮ cannot exist � Randomness extractors ◮ use a small family of functions ◮ parametrized by a seed ◮ in cryptography: public or private ? Damien Vergnaud (ENS) Security of PRNG with Input April, 30th 2017 5 / 36

  8. Random Sources and Extractors What kinds of random sources are useful ? ◮ impredictable � must have sufficient entropy ◮ in cryptography: use min-entropy: H ∞ ( X ) = min {− log Pr [ X = x ] } $ x ← X Build deterministic extractor ? ◮ f : { 0 , 1 } n → { 0 , 1 } , s.t. for X over { 0 , 1 } n with H ∞ ( X ) ≥ n − 1, Pr [ f ( X ) = 0 ] = 1 / 2 ◮ cannot exist � Randomness extractors ◮ use a small family of functions ◮ parametrized by a seed ◮ in cryptography: public or private ? Damien Vergnaud (ENS) Security of PRNG with Input April, 30th 2017 5 / 36

  9. (Deterministic) Pseudorandom Number Generators 0110100100101001010110010 01100010111101001010101111110101111010000101110. . . output determined by a secret initial value output approximates the properties of random numbers fast and reproducible Damien Vergnaud (ENS) Security of PRNG with Input April, 30th 2017 6 / 36

  10. Security of a PRNG 0110001011110100101010111111010111101000010111. . . Damien Vergnaud (ENS) Security of PRNG with Input April, 30th 2017 7 / 36

  11. Security of a PRNG 0110001011110100101010111111010111101000010111. . . Damien Vergnaud (ENS) Security of PRNG with Input April, 30th 2017 7 / 36

  12. Security of a PRNG 0110001011110100101010111111010111101000010111. . . Damien Vergnaud (ENS) Security of PRNG with Input April, 30th 2017 7 / 36

  13. Security of a PRNG 0110001011110100101010111111010111101000010111. . . What if the key is compromised ? Damien Vergnaud (ENS) Security of PRNG with Input April, 30th 2017 7 / 36

  14. Pseudorandom Number Generators with Inputs 0110100100101001010110010 01100010111101001010101111110101111010000101110. . . Examples: ◮ Linux RNG : /dev/random , Yarrow, Fortuna, Havege, . . . Damien Vergnaud (ENS) Security of PRNG with Input April, 30th 2017 8 / 36

  15. Pseudorandom Number Generators with Inputs 0110100100101001010110010 01100010111101001010101111110101111010000101110. . . Examples: ◮ Linux RNG : /dev/random , Yarrow, Fortuna, Havege, . . . Damien Vergnaud (ENS) Security of PRNG with Input April, 30th 2017 8 / 36

  16. Expected Security Properties Resilience: output looks random w/o knowledge of internal state ◮ Unknown/Known/Chosen input attacks Security After State Compromise ◮ Forward security: � earlier output looks random with knowledge of current state ◮ Backward security: � future output looks random with knowledge of current state How to formalize these security notions ? Damien Vergnaud (ENS) Security of PRNG with Input April, 30th 2017 9 / 36

  17. Expected Security Properties Resilience: output looks random w/o knowledge of internal state ◮ Unknown/Known/Chosen input attacks Security After State Compromise ◮ Forward security: � earlier output looks random with knowledge of current state ◮ Backward security: � future output looks random with knowledge of current state How to formalize these security notions ? Damien Vergnaud (ENS) Security of PRNG with Input April, 30th 2017 9 / 36

  18. Expected Security Properties Resilience: output looks random w/o knowledge of internal state ◮ Unknown/Known/Chosen input attacks Security After State Compromise ◮ Forward security: � earlier output looks random with knowledge of current state ◮ Backward security: � future output looks random with knowledge of current state How to formalize these security notions ? Damien Vergnaud (ENS) Security of PRNG with Input April, 30th 2017 9 / 36

  19. Contents Pseudorandom Generators 1 Security Models 2 Barak-Halevi Security Model Dodis et al. Security Model On the Security of Barak-Halevi Construction A Provably Secure Construction 3 Linux PRNG /dev/random and /dev/urandom 4 Conclusion 5 Damien Vergnaud (ENS) Security of PRNG with Input April, 30th 2017 10 / 36

  20. Barak-Halevi Security Model (2005) G = ( refresh , next ) is a PRNG with input ◮ refresh ( S , I ) = S ′ ∈ { 0 , 1 } n . ◮ next ( S ) = ( S ′ , R ) ∈ { 0 , 1 } n × { 0 , 1 } ℓ Security notion: Robustness G 1 proc . good - refresh ( D ) proc . bad - refresh ( x ) proc . set - state ( S ′ ) proc . next - ror () $ x ← D S ← refresh ( S , x ) OUTPUT S ( R , S ′ ) ← next ( S ) S ← refresh ( S , x ) S ← S ′ S ← S ′ OUTPUT R G 2 proc . good - refresh ( D ) proc . bad - refresh ( x ) proc . set - state ( S ′ ) proc . next - ror () $ IF corrupt x ← D S ← refresh ( S , x ) ( R , S ′ ) ← next ( S ) S ← S ′ S ← refresh ( S , x ) OUTPUT S corrupt ← false IF corrupt ELSE $ ← { 0 , 1 } m OUTPUT R OUTPUT S ← S ′ ELSE $ corrupt ← true ← { 0 , 1 } ℓ OUTPUT Damien Vergnaud (ENS) Security of PRNG with Input April, 30th 2017 11 / 36

  21. Barak-Halevi Security Model (2005) G = ( refresh , next ) is a PRNG with input ◮ refresh ( S , I ) = S ′ ∈ { 0 , 1 } n . ◮ next ( S ) = ( S ′ , R ) ∈ { 0 , 1 } n × { 0 , 1 } ℓ Security notion: Robustness G 1 proc . good - refresh ( D ) proc . bad - refresh ( x ) proc . set - state ( S ′ ) proc . next - ror () $ x ← D S ← refresh ( S , x ) OUTPUT S ( R , S ′ ) ← next ( S ) S ← refresh ( S , x ) S ← S ′ S ← S ′ OUTPUT R G 2 proc . good - refresh ( D ) proc . bad - refresh ( x ) proc . set - state ( S ′ ) proc . next - ror () $ IF corrupt x ← D S ← refresh ( S , x ) ( R , S ′ ) ← next ( S ) S ← S ′ S ← refresh ( S , x ) OUTPUT S corrupt ← false IF corrupt ELSE $ ← { 0 , 1 } m OUTPUT R OUTPUT S ← S ′ ELSE $ corrupt ← true ← { 0 , 1 } ℓ OUTPUT Damien Vergnaud (ENS) Security of PRNG with Input April, 30th 2017 11 / 36

  22. Defects in Barak-Halevi Model Entropy accumulation null or high entropy inputs, but , entropy could be accumulated slowly in S . a PRNG should recover from state compromise (if the amount of accumulated entropy crosses some threshold) Need for a setup procedure deterministic randomness extractors do not exist! Two options: ◮ restrict the family of permitted high-entropy distributions. ◮ add a setup procedure which outputs some public parameters (used by next and refresh ) Damien Vergnaud (ENS) Security of PRNG with Input April, 30th 2017 12 / 36

  23. Defects in Barak-Halevi Model Entropy accumulation null or high entropy inputs, but , entropy could be accumulated slowly in S . a PRNG should recover from state compromise (if the amount of accumulated entropy crosses some threshold) Need for a setup procedure deterministic randomness extractors do not exist! Two options: ◮ restrict the family of permitted high-entropy distributions. ◮ add a setup procedure which outputs some public parameters (used by next and refresh ) Damien Vergnaud (ENS) Security of PRNG with Input April, 30th 2017 12 / 36

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

SoK: Security Models for Pseudo-Random Number Generators Sylvain Ruhault March 8 th , Tokyo, Fast

SoK: Security Models for Pseudo-Random Number Generators Sylvain Ruhault March 8 th , Tokyo, Fast

Motivation Standard PRNG Stateful PRNG PRNG with input Conclusion SoK: Security Models for Pseudo-Random Number Generators Sylvain Ruhault March 8 th , Tokyo, Fast Software Encryption 2017 1 / 18 Motivation Standard PRNG Stateful PRNG

266 views • 26 slides
ECEN 5022 Cryptography Pseudo Random Number Generators Peter Mathys University of Colorado

ECEN 5022 Cryptography Pseudo Random Number Generators Peter Mathys University of Colorado

Pseudo Random Number Generators ECEN 5022 Cryptography Pseudo Random Number Generators Peter Mathys University of Colorado Spring 2008 Peter Mathys ECEN 5022 Cryptography Pseudo Random Number Generators Random Number Generation Random

352 views • 14 slides
Introduction to Pseudo-Random Number Generators Nicola Gigante March 9, 2016 Why random

Introduction to Pseudo-Random Number Generators Nicola Gigante March 9, 2016 Why random

Introduction to Pseudo-Random Number Generators Nicola Gigante March 9, 2016 Why random numbers? Lifes most important questions are, for the most part, nothing but probability problems. Pierre-Simon de Laplace 2 Why random numbers?

684 views • 55 slides
Introduction to Pseudo-Random Number Generators Nicola Gigante December 21, 2016 Why random

Introduction to Pseudo-Random Number Generators Nicola Gigante December 21, 2016 Why random

Introduction to Pseudo-Random Number Generators Nicola Gigante December 21, 2016 Why random numbers? Lifes most important questions are, for the most part, nothing but probability problems. Pierre-Simon de Laplace 2 Why random numbers?

1.37k views • 63 slides
Pseudo-Random Number Generators Functional Programming and Intelligent Algorithms Prof Hans Georg

Pseudo-Random Number Generators Functional Programming and Intelligent Algorithms Prof Hans Georg

Pseudo-Random Number Generators Functional Programming and Intelligent Algorithms Prof Hans Georg Schaathun Hgskolen i lesund 14th February 2017 1 Randomness 1. What is randomness? 2 Randomness 1. What is randomness? 2. How do we

590 views • 22 slides
Random Numbers RANDOM VS PSEUDO RANDOM Truly Random numbers From Wolfram: A random number

Random Numbers RANDOM VS PSEUDO RANDOM Truly Random numbers From Wolfram: A random number

Random Numbers RANDOM VS PSEUDO RANDOM Truly Random numbers From Wolfram: A random number is a number chosen as if by chance from some specified distribution such that selection of a large set of these numbers reproduces the underlying

720 views • 12 slides
Pseudo-Random Generators Computer programming (e.g. randomized algorithm) Elementary and

Pseudo-Random Generators Computer programming (e.g. randomized algorithm) Elementary and

Why do we need random numbers? Simulation Sampling Numerical analysis Pseudo-Random Generators Computer programming (e.g. randomized algorithm) Elementary and critical element in many cryptographic protocols Usually:

157 views • 5 slides
Random numbers We have seen that in many applications we need random number generators For

Random numbers We have seen that in many applications we need random number generators For

Random numbers We have seen that in many applications we need random number generators For example we sue random number generator to obtain session keys; to avoid key guessing If an adversary sees a sequence of session keys He/she

426 views • 16 slides
Pseudo-random Functions Debdeep Mukhopadhyay IIT Kharagpur We have seen the construction of

Pseudo-random Functions Debdeep Mukhopadhyay IIT Kharagpur We have seen the construction of

Pseudo-random Functions Debdeep Mukhopadhyay IIT Kharagpur We have seen the construction of PRG (pseudo-random generators) being constructed from any one-way functions. Now we shall consider a related concept: Pseudo-random

829 views • 15 slides
Draft History of Random Number Generators Seed x 0 , x i = f ( x i 1 ) , u i = g ( x i )

Draft History of Random Number Generators Seed x 0 , x i = f ( x i 1 ) , u i = g ( x i )

1 Draft History of Random Number Generators Seed x 0 , x i = f ( x i 1 ) , u i = g ( x i ) Pierre LEcuyer 2 Draft Once upon a time, ... 5000 years ago Dice, coins, and other devices were used long ago to make random selections

815 views • 50 slides
Seeding Random Number Generators Jesse Walker Intel Corpora:on

Seeding Random Number Generators Jesse Walker Intel Corpora:on

Seeding Random Number Generators Jesse Walker Intel Corpora:on Intel Labs Circuits and System Research Security Research Lab 1 Agenda The problem

513 views • 13 slides
Draft History of Random Number Generators Seed x 0 , x i = f ( x i 1 ) , u i = g ( x i )

Draft History of Random Number Generators Seed x 0 , x i = f ( x i 1 ) , u i = g ( x i )

1 Draft History of Random Number Generators Seed x 0 , x i = f ( x i 1 ) , u i = g ( x i ) Pierre LEcuyer Ecole Polytechnique, Palaiseau, D ec. 2017 2 Draft Once upon a time, ... 5000 years ago Dice, coins, and other devices

1.35k views • 85 slides
PSEUDO-RANDOM FUNCTIONS We want to answer the question: What is a good block cipher? where

PSEUDO-RANDOM FUNCTIONS We want to answer the question: What is a good block cipher? where

Recall We studied security of function families (in particular, block ciphers) against key recovery. But we saw that security against key recovery is not su ffi cient to ensure that natural usages of a block cipher are secure. PSEUDO-RANDOM

268 views • 13 slides
Random number generators and random processes Eugeniy E. Mikhailov The College of William &

Random number generators and random processes Eugeniy E. Mikhailov The College of William &

Random number generators and random processes Eugeniy E. Mikhailov The College of William & Mary Lecture 11 Eugeniy Mikhailov (W&M) Practical Computing Lecture 11 1 / 11 Statistics and probability intro Mathematical and physical

551 views • 17 slides
Draft 1 On the Lattice Structure of MIXMAX Random Number Generators Pierre LEcuyer Joint

Draft 1 On the Lattice Structure of MIXMAX Random Number Generators Pierre LEcuyer Joint

Draft 1 On the Lattice Structure of MIXMAX Random Number Generators Pierre LEcuyer Joint work with Paul Wambergue, Erwan Bourceret, and Marc-Antoine Savard MCQMC, Rennes, July 2018 Draft 2 MIXMAX Generators [Akopov, Savvidy, et al.

508 views • 19 slides
Determinism in Deep Learning (S9911) Duncan Riach, GTC 2019 1 RANDOMNESS Pseudo-random number

Determinism in Deep Learning (S9911) Duncan Riach, GTC 2019 1 RANDOMNESS Pseudo-random number

Determinism in Deep Learning (S9911) Duncan Riach, GTC 2019 1 RANDOMNESS Pseudo-random number generation Random mini-batching Stochastic gradient descent Data augmentation Regularization / generalization 2 DETERMINISM Elimination of truly

564 views • 52 slides
Uniform Variate Generation Refs: Chapter 7 in Law, Pierre Lecuyer Tutorial, Winter Simulation

Uniform Variate Generation Refs: Chapter 7 in Law, Pierre Lecuyer Tutorial, Winter Simulation

Uniform Variate Generation Refs: Chapter 7 in Law, Pierre Lecuyer Tutorial, Winter Simulation Conference 2015 Peter J. Haas CS 590M: Simulation Spring Semester 2020 1 / 21 Pseudo-Random Numbers Overview Simple Congruential Generators

325 views • 21 slides
C Programming for Engineers Arrays & Pointers ICEN 360 Spring 2017 Prof. Dola Saha 1

C Programming for Engineers Arrays & Pointers ICEN 360 Spring 2017 Prof. Dola Saha 1

C Programming for Engineers Arrays & Pointers ICEN 360 Spring 2017 Prof. Dola Saha 1 Classroom Assignment Matrix Addition/Subtraction two matrices should have same number of rows and columns. Addition Subtraction

478 views • 30 slides
Using Blaise for Implementing a Complex Sampling Algorithm By Linda Gowen and Ed Dolbow, Westat

Using Blaise for Implementing a Complex Sampling Algorithm By Linda Gowen and Ed Dolbow, Westat

Using Blaise for Implementing a Complex Sampling Algorithm By Linda Gowen and Ed Dolbow, Westat Inc. Introduction A new in-person household survey using Blaise as the tool to perform computer aided interviewing (CAI), required a complicated

422 views • 13 slides
Simulation Simulation Modeling and Performance Analysis with Discrete-Event Simulation g y Dr.

Simulation Simulation Modeling and Performance Analysis with Discrete-Event Simulation g y Dr.

Computer Science, Informatik 4 Communication and Distributed Systems Simulation Simulation Modeling and Performance Analysis with Discrete-Event Simulation g y Dr. Mesut Gne Computer Science, Informatik 4 Communication and Distributed

744 views • 35 slides
Science II Arrays Li Xiong 1 Roadmap Basics of Array Number guessing and Binary Search

Science II Arrays Li Xiong 1 Roadmap Basics of Array Number guessing and Binary Search

CS 171: Introduction to Computer Science II Arrays Li Xiong 1 Roadmap Basics of Array Number guessing and Binary Search Hw1: Number guessing game Arraylist OO and inheritance Guess-a-Number Game I am asking you to guess

330 views • 16 slides
Adversarial Learning for Neural Dialogue Generation 1 , Will Monroe 1 , Tianlan Shi 1 , Jiwei Li

Adversarial Learning for Neural Dialogue Generation 1 , Will Monroe 1 , Tianlan Shi 1 , Jiwei Li

Adversarial Learning for Neural Dialogue Generation 1 , Will Monroe 1 , Tianlan Shi 1 , Jiwei Li 2 , Alan Ritter 3 , Dan Jurafsky 1 Sbastian Jean 1 Stanford University, 2 New York University, 3 Ohio State University Some slides/images taken

975 views • 59 slides
Vacuum fluctuations Secure heterodyne-based quantum random number quantum random number

Vacuum fluctuations Secure heterodyne-based quantum random number quantum random number

Vacuum fluctuations Secure heterodyne-based quantum random number quantum random number generator with non-iid generator at 17 Gbps samples Tobias Gehring et al. Marco Avesani et al. 1 The need for random numbers Alice quantum Rx laser

346 views • 32 slides
Cybersecurity for Future Presidents Homework for next week: Reading, Exercises Reading for next

Cybersecurity for Future Presidents Homework for next week: Reading, Exercises Reading for next

Any Questions? My office hours: About previous lecture? Wed. afternoon, 12-3pm, 442 About homework? RH About reading? Cybersecurity for Future Presidents Homework for next week: Reading, Exercises Reading for next week (for all):

339 views • 3 slides

More recommend