SoK: Security Models for Pseudo-Random Number Generators


SLIDE 1

Motivation Standard PRNG Stateful PRNG PRNG with input Conclusion

SoK: Security Models for Pseudo-Random Number Generators

Sylvain Ruhault March 8th, Tokyo, Fast Software Encryption 2017

1 / 18

SLIDE 2

Motivation

Papers about PRNG

FSE 96: Jenkins
FSE 98: Schneier et al.
Usenix 98: Gutman
EC02: Desai et al.
CT-RSA03: Bellare and Yee
ACSAC03: Viega
CHES03: Barak et al.
CCS05: Barak and Halevi
CCS10: Yu et al.
CCS13: Dodis et al.
C14: Dodis et al.
· · ·

SoK Paper

Unify the presentation of security models
Propose secure constructions based on AES

SLIDE 3

1. Standard PRNG
2. Stateful PRNG
3. PRNG with input

SLIDE 4

Standard PRNG

Diagram: S -> G -> R, with R = 0001010110101... (can an observer tell R from random?)

Security of G

Secret S
|R| > |S|
R is indistinguishable from random.

AES based construction

S ←$ {0, 1}^128
R = AES_S(1) || AES_S(2) || · · ·

SLIDE 5

Stateful PRNG

Standard: S -> G -> R
Stateful: key -> S0 -> next -> (S1, R1) -> next -> . . . -> next -> (S_qn, R_qn)

R0, R1, · · · shall be indistinguishable from random
S: internal state of the generator

SLIDE 8

State Compromise

key -> S0 -> next -> (S1, R1) -> next -> . . . -> next -> (S_qn, R_qn)

Forward Security

Past outputs are not compromised
Can be built upon a secure standard PRNG (BY03)

AES based construction

key:
  Require: ∅
  Ensure: S
  1: S ←$ {0, 1}^128
  2: return S

next:
  Require: S
  Ensure: S′, R
  1: S′ = AES_S(1)
  2: R = AES_S(2)
  3: return (S′, R)

SLIDE 9

State Compromise

key -> S0 -> next -> (S1, R1) -> next -> . . . -> next -> (S_qn, R_qn)

Forward Security

Past outputs are not compromised
Can be built upon a secure standard PRNG (BY03)

Backward Security?

"Next" outputs are not compromised?
New input shall be collected
Recovery mechanism

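The following is an added example (not code from the slides or from the paper) that contrasts the two state-compromise situations of slides 8 and 9 with two small Python generators. Variant A keeps the standard PRNG of slide 4 as a stateful generator by storing (S, i) and outputting AES_S(i); variant B is the slide-8 construction S′ = AES_S(1), R = AES_S(2). AES is replaced by an HMAC-SHA256 stand-in (prf) purely so the example runs with the standard library; the names prf, key_counter, next_counter, key_fwd, next_fwd, generate and demo are the example's own.

```python
import hashlib
import hmac
import os

BLOCK = 16  # 128-bit blocks, as in the slide's AES-based constructions


def prf(key: bytes, counter: int) -> bytes:
    """Stand-in for AES_key(counter): HMAC-SHA256 of the counter, truncated to one block.
    Assumption: it replaces AES only so that the example runs with the standard library."""
    return hmac.new(key, counter.to_bytes(BLOCK, "big"), hashlib.sha256).digest()[:BLOCK]


# --- Variant A: the slide-4 standard PRNG kept as a stateful generator (NOT forward secure).
# State = (S, i); R_i = PRF_S(i). The key S never changes, so it stays in the state.

def key_counter():
    return os.urandom(BLOCK), 0


def next_counter(state):
    S, i = state
    return (S, i + 1), prf(S, i + 1)


# --- Variant B: the slide-8 construction (forward secure, BY03).
# next: S' = PRF_S(1), R = PRF_S(2). The old S is discarded after every call.

def key_fwd():
    return os.urandom(BLOCK)


def next_fwd(S):
    return prf(S, 1), prf(S, 2)


def generate(next_fn, state, q):
    """Run q next calls; return (R_1..R_q, state after the q-th call)."""
    outputs = []
    for _ in range(q):
        state, R = next_fn(state)
        outputs.append(R)
    return outputs, state


def past_outputs_from_compromised_counter_state(state):
    """Attacker who learned (S, i) of variant A recomputes R_1..R_i directly."""
    S, i = state
    return [prf(S, j) for j in range(1, i + 1)]


def future_outputs_from_compromised_state(next_fn, state, q_more):
    """Attacker who learned the state of either variant predicts every later output
    until fresh input is mixed in: the backward-security gap of slide 9."""
    outputs, _ = generate(next_fn, state, q_more)
    return outputs


def demo():
    """Return booleans describing what a state compromise after 3 outputs reveals."""
    # Variant A: all past outputs are recovered from the compromised state.
    pastA, stateA = generate(next_counter, key_counter(), 3)
    recoveredA = past_outputs_from_compromised_counter_state(stateA)
    # Variant B: the compromised state S_3 = PRF_{S_2}(1); reaching R_3 = PRF_{S_2}(2)
    # would require inverting the PRF, so the attacker only gets the future stream.
    pastB, stateB = generate(next_fwd, key_fwd(), 3)
    futureB, _ = generate(next_fwd, stateB, 2)
    return {
        "counter_mode_past_recovered": recoveredA == pastA,
        "fwd_future_predictable": future_outputs_from_compromised_state(next_fwd, stateB, 2) == futureB,
        "fwd_state_is_not_a_past_output": stateB not in pastB,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the pair: both variants leak every future output once the state is known (hence slide 9's call for fresh input and a recovery mechanism), but only variant A also hands the attacker the past, because its state still contains the key that produced those outputs.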
SLIDE 10

PRNG with input

Diagram: inputs S, I -> G -> outputs S, R

SLIDE 12

PRNG with input

How to Manage Inputs?

Accumulation: entropy of each input shall be accumulated in the internal state
Extraction: entropy of the collected inputs shall be extracted to generate outputs
These operations are implicit in Fortuna, OpenSSL PRNG, /dev/random, NIST CTR_DRBG, ...

Definitions

Seeded extractors, accumulators
Requires independence between public seed and inputs
Potential vulnerability in NIST CTR_DRBG

SLIDE 13

Barak-Halevi Model (BH05)

PRNG with input Definition

Two operations:
  • input collection
  • output generation
where the operations are not synchronised

refresh: (S, I) -> S′
next:    S -> (S′, R)

SLIDE 15

Recovery in Barak-Halevi model

S -next-> (S, R) -next-> (S, R) -next-> (S, R) -next-> (S, R) -next-> · · ·
with refresh calls on inputs I interleaved between the next calls

AES based construction

setup:
  Require: r
  Ensure: X
  1: X ←$ {0, 1}^512
  2: return X

refresh:
  Require: X, I, S
  Ensure: S′
  1: U = [X · I]_128
  2: S′ = S ⊕ U
  3: return S′

next:
  Require: S
  Ensure: S′, R
  1: S′ = AES_S(1)
  2: R = AES_S(2)
  3: return (S′, R)

SLIDE 16

Security Analysis

AES based construction (the construction of slide 15)

|S| = 128
Involves a Seeded Extractor
At least one input shall have maximal entropy H∞(I) = 512
Requires a public random seed X of length 512 bits
Inputs shall be independent from X

SLIDE 17

Dodis et al. Model (DPR+13)

PRNG with input Definition

Triple of algorithms (setup, refresh, next):
  setup: seed generation algorithm
  refresh: entropy collecting algorithm, (S, I) -> S′
  next: output algorithm, S -> (R, S′)

setup -> seed
refresh: (seed, S, I) -> S′
next:    (seed, S) -> (S′, R)

SLIDE 18

Recovery in Dodis et al. Model

S -next-> (S, R) -next-> (S, R) -next-> (S, R) -next-> (S, R) -next-> · · ·
with refresh calls on inputs I interleaved between the next calls

entropy can be accumulated slowly in S
recovery: after accumulated entropy is OK

SLIDE 19

Recovery in Dodis et al. Model

AES based construction

setup:
  Require: ∅
  Ensure: X, X′
  1: X ←$ {0, 1}^1024
  2: X′ ←$ {0, 1}^1024
  3: return X, X′

refresh:
  Require: X, I, S
  Ensure: S′
  1: S′ = S · X + I
  2: return S′

next:
  Require: S, X′
  Ensure: S′, R
  1: U = [X′ · S]_256
  2: S′ = AES_U(1) || · · · || AES_U(8)
  3: R = AES_U(9)
  4: return (S′, R)

SLIDE 20

Security Analysis

AES based construction (the construction of slide 19)

|S| = 1024
Involves a Seeded Extractor and a Seeded Accumulator
Requires a public random (X, X′) of length 2048 bits
Inputs shall be independent from X
Extensions have been proposed for Leakage Security [CR14, ABPRV15]

SLIDE 22

Premature Next Attack, Dodis et al. (DSSW14)

S -next-> (S, R) -next-> (S, R) -next-> (S, R) -next-> (S, R) -next-> · · ·
with refresh calls on inputs I interleaved between the next calls

a next call can be done before recovery
Solution: S = [S1 · · · S_in · · · S_out · · · S_p], a scheduler selects S_in and S_out

refresh: (S_in, I) -> S′_in
next:    S_out -> (S′_out, R)
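To make the recovery notion of slides 18 to 20 and the premature-next attack of slides 21 and 22 concrete, here is an added Python simulation that is not part of the slides or of the paper. It keeps the setup/refresh/next shape of the Dodis et al. construction but swaps the field arithmetic and AES for HMAC-SHA256 stand-ins (so it runs with the standard library only); GAMMA (unknown bits per input), BUDGET (how many candidate states the attacker can afford to track, standing in for the entropy threshold γ*), the class StateTracker and the functions prf, setup, refresh, next_, run_schedule are all the example's own assumptions. The attacker has the model's powers: it knows the state after a compromise, the public seeds, all but GAMMA bits of each input, and every output.

```python
import hashlib
import hmac
import os
import random

BLOCK = 16         # 128-bit output blocks, as in the slide's AES-based constructions
GAMMA = 4          # constructed: each input carries GAMMA bits the attacker does not know
BUDGET = 2 ** 12   # constructed: how many candidate states the attacker can afford to track


def prf(key: bytes, counter: int) -> bytes:
    """Stand-in for AES_key(counter): HMAC-SHA256 truncated to one block (assumption: it
    replaces AES so that the example runs with the standard library only)."""
    return hmac.new(key, counter.to_bytes(BLOCK, "big"), hashlib.sha256).digest()[:BLOCK]


def setup():
    """setup: public seeds (X, X'); 256-bit stand-ins for the slide's 1024-bit seeds."""
    return os.urandom(32), os.urandom(32)


def refresh(X: bytes, S: bytes, I: bytes) -> bytes:
    """refresh: (S, I) -> S'. Stand-in for the seeded accumulator S' = S.X + I: a keyed
    hash under the public seed X (assumption; the slide uses field arithmetic)."""
    return hmac.new(X, S + I, hashlib.sha256).digest()


def next_(X2: bytes, S: bytes):
    """next: S -> (S', R). Stand-in for U = [X'.S]_256, S' = AES_U(1)||...||AES_U(8) and
    R = AES_U(9); the state here is 256 bits, so two PRF blocks rebuild it."""
    U = hmac.new(X2, S, hashlib.sha256).digest()
    return prf(U, 1) + prf(U, 2), prf(U, 3)


class StateTracker:
    """The attacker of the model: it obtained S (get-state), knows the public seeds and all
    but GAMMA bits of every input (D-refresh), and sees each output R (next-ror)."""

    def __init__(self, X, X2, S):
        self.X, self.X2 = X, X2
        self.cands = [S]           # candidate internal states; None once tracking is lost

    def saw_refresh(self, known_part: bytes):
        """Fork every candidate over the 2^GAMMA unknown values of the input."""
        if self.cands is None:
            return
        if len(self.cands) * 2 ** GAMMA > BUDGET:
            self.cands = None      # accumulated entropy exceeds the budget: recovery achieved
            return
        self.cands = [refresh(self.X, c, known_part + bytes([g]))
                      for c in self.cands for g in range(2 ** GAMMA)]

    def saw_next(self, R: bytes) -> bool:
        """Return True if some candidate state explains R (the attacker distinguishes the
        output from random), and keep only the candidates consistent with R."""
        if self.cands is None:
            return False
        survivors = [s for s, r in (next_(self.X2, c) for c in self.cands) if r == R]
        self.cands = survivors or None
        return bool(survivors)


def run_schedule(schedule: str, seed: int = 1):
    """Replay a refresh/next schedule after a state compromise ('R' = refresh with a fresh
    input, 'N' = next) and return, per next call, whether the output was predictable."""
    rng = random.Random(seed)     # constructed inputs; seeded only for reproducibility
    X, X2 = setup()
    S = os.urandom(32)
    adv = StateTracker(X, X2, S)  # the attacker starts with the full state
    verdicts = []
    for i, op in enumerate(schedule):
        if op == "R":
            known = b"sensor-" + i.to_bytes(4, "big")     # public part of the input
            secret = bytes([rng.randrange(2 ** GAMMA)])   # the GAMMA unknown bits
            S = refresh(X, S, known + secret)
            adv.saw_refresh(known)
        elif op == "N":
            S, R = next_(X2, S)
            verdicts.append(adv.saw_next(R))
    return verdicts


if __name__ == "__main__":
    print("premature next (R N R N R N):", run_schedule("RNRNRN"))  # every output predictable
    print("wait for 16 bits  (R R R R N):", run_schedule("RRRRN"))  # generator has recovered
```

With four unknown bits per input and a budget of 2^12 candidates, four refresh calls in a row accumulate more than the attacker can enumerate and the next output is unpredictable; but calling next after every refresh lets the attacker prune its 16 candidates back to one each time, so the accumulated entropy never grows past a single input. That is exactly why slide 22 splits the state into pools that a scheduler feeds and drains independently.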

SLIDE 23

Generalized Fortuna Construction (DSSW14)

G_i, i = 1, · · · , 32, based on AES

setup_G:
  Require: ∅
  Ensure: X, X′
  1: X ←$ {0, 1}^1024
  2: X′ ←$ {0, 1}^1024
  3: return X, X′

refresh_i:
  Require: X, I, S
  Ensure: S′
  1: S′ = S · X + I
  2: return S′

next_i:
  Require: S, X′
  Ensure: S′, R
  1: U = [X′ · S]_256
  2: S′ = AES_U(1) || · · · || AES_U(8)
  3: R = AES_U(9) || AES_U(10)
  4: return (S′, R)

AES based scheduler

Uses AES as a PRF: (in, out) ← SC(skey)

AES based construction

setup:
  Require: ∅
  Ensure: X, X′, skey
  1: X, X′ ← setup_G
  2: skey ←$ {0, 1}^128
  3: return X, X′, skey

refresh:
  Require: X, key, I, S
  Ensure: S′
  1: parse S as (S_ρ, (S_i)_{i=0}^{31})
  2: (in, out) ← SC(skey)
  3: S_in ← refresh_in(X, S_in, I)
  4: (S_out, R) ← next_out(X′, S_out)
  5: S_ρ ← S_ρ ⊕ R
  6: return S′ = (S_ρ, (S_i)_{i=0}^{31})

next:
  Require: S
  Ensure: S′, R
  1: parse S as (S_ρ, (S_i)_{i=0}^{31})
  2: S_ρ = AES_{S_ρ}(1) || AES_{S_ρ}(2)
  3: R = AES_{S_ρ}(3) || AES_{S_ρ}(4)
  4: return (S′, R)

SLIDE 24

Security Analysis

AES based construction (the construction of slide 23)

S = (S_ρ, (S_i)_{i=0}^{31}), |S| = 33024

Involves a Seeded Extractor, a Seeded Accumulator and a Scheduler
Requires a public random (X, X′) of length 2048 bits
Inputs shall be independent from X
Leakage Security shall be studied: SPOF: S_ρ, |S_ρ| = 256

SLIDE 25

Model and constructions analysis

Construction column: which of AES, Ext (seeded extractor), Acc (seeded accumulator), SC (scheduler) the construction uses. Operations columns: number of each operation in refresh and in next.

Ref.     | Definition                                                                 | Property        | Attacker Capabilities                                                                             | Construction      | Operations: refresh                     | Operations: next
BY03     | 1: S ← key; 2: (S′, R) ← next(S)                                           | FWD             | next-ror, get-state                                                                               | AES               |                                         | AES (2)
GMOPST14 | 1: S ← key; 2: (S′, R) ← next(S)                                           | LPR(f)          | next-ror, leaknext                                                                                | AES               |                                         | AES (3)
DHY02    | 1: (K, S) ← key; 2: (S′, R) ← next(S, K, I)                                | CIA / CSA / KKA | CIA: getinput, get-state, setinput; CSA: getinput, get-state, set-state; KKA: getinput, get-key   | AES, Ext          |                                         | + (3), × (2), AES (2)
BST03    | 1: seed ← setup; 2: R ← next(seed, I)                                      | RES(F)          | next-ror                                                                                          | Ext               |                                         | × (1), [ ] (1)
BH05     | 1: S′ ← refresh(S, I); 2: (S′, R) ← next(S)                                | ROB(F)          | good-refresh, bad-refresh, get-state, next-ror                                                    | AES, Ext          | × (1), [ ] (1), ⊕ (1)                   | AES (2)
DPRVW13  | 1: seed ← setup; 2: S′ ← refresh(seed, S, I); 3: (S′, R) ← next(seed, S)   | ROB(γ∗)         | D-refresh, set-state, get-state, next-ror                                                         | AES, Ext, Acc     | × (1), + (1)                            | × (1), [ ] (1), AES (9)
DSSW14   | 1: seed ← setup; 2: S′ ← refresh(seed, S, I); 3: (S′, R) ← next(seed, S)   | NROB(γ∗, β)     | D-refresh, set-state, get-state, next-ror                                                         | AES, Ext, Acc, SC | + (1), × (2), ⊕ (1), [ ] (2), AES (11)  | AES (4)

SLIDE 26

Conclusion

Contribution

Revisited the notions of Extractors and Accumulators
Unified the presentation of PRNG models
Proposed AES based constructions
Identified a potential vulnerability in NIST CTR_DRBG

Perspectives

Independence requirement?
Leakage security of the [DSSW14] construction?
Lightweight PRNG?
