evaluating entropy for true random number generators
play

Evaluating Entropy for True Random Number Generators orski 1 Maciej - PowerPoint PPT Presentation

Oct 19, 2023 •148 likes •655 views

Evaluating Entropy for True Random Number Generators orski 1 Maciej Sk IST Austria WR0NG 2017, 30th April, Paris 1 Supported by the European Research Council consolidator grant (682815-TOCNeT) Maciej Sk orski (IST Austria) Evaluating

  1. Evaluating Entropy for True Random Number Generators orski 1 Maciej Sk´ IST Austria WR0NG 2017, 30th April, Paris 1 Supported by the European Research Council consolidator grant (682815-TOCNeT) Maciej Sk´ orski (IST Austria) Evaluating Entropy for True Random Number Generators WR0NG 2017, 30th April, Paris 1 / 49

  2. True Random Number Generators 1 Design Sources Postprocessing Security evaluation 2 Methodology Statistical tests - caveats Hardware implementations - caveats Entropy Estimators Health tests Conclusion 3 References 4 Maciej Sk´ orski (IST Austria) Evaluating Entropy for True Random Number Generators WR0NG 2017, 30th April, Paris 2 / 49

  3. True Random Number Generators Plan True Random Number Generators 1 Design Sources Postprocessing Security evaluation 2 Methodology Statistical tests - caveats Hardware implementations - caveats Entropy Estimators Health tests Conclusion 3 References 4 Maciej Sk´ orski (IST Austria) Evaluating Entropy for True Random Number Generators WR0NG 2017, 30th April, Paris 3 / 49

  4. True Random Number Generators What is this talk about? overview of entropy estimation, in the context of TRNGs theoretical justification for some heuristics / explanation for subtle issues Maciej Sk´ orski (IST Austria) Evaluating Entropy for True Random Number Generators WR0NG 2017, 30th April, Paris 4 / 49

  5. True Random Number Generators Design Plan True Random Number Generators 1 Design Sources Postprocessing Security evaluation 2 Methodology Statistical tests - caveats Hardware implementations - caveats Entropy Estimators Health tests Conclusion 3 References 4 Maciej Sk´ orski (IST Austria) Evaluating Entropy for True Random Number Generators WR0NG 2017, 30th April, Paris 5 / 49

  6. True Random Number Generators Design True Random Number Generators digitalization pre-processor postprocessor output source (conditioner) (a) physical source generates noise (somewhat unpredictable) (b) noise converted to digital form (may introduce extra bias) (c) (little) preprocessing decreases bias (e.g. ignoring less variable bits) (d) postprocessing eliminates bias and dependencies (e.g. extractor) (e) output should be uniform Maciej Sk´ orski (IST Austria) Evaluating Entropy for True Random Number Generators WR0NG 2017, 30th April, Paris 6 / 49

  7. True Random Number Generators Design New paradigm: real-time monitoring failure tests health tests entropy estimation output tests digitalization postprocessor pre-processor output source (condtitioner) standards [KS11,TBKM16]: monitor the source and digitalized raw numbers sometimes one implements also online output tests [VRV12]. Real-time testing necessary Need to evaluate the whole construction, no black-box outputs tests! (a) biased functions may pass outputs tests (b) sources may be bit different outside of lab (environmental influences) Maciej Sk´ orski (IST Austria) Evaluating Entropy for True Random Number Generators WR0NG 2017, 30th April, Paris 7 / 49

  8. True Random Number Generators Design Theoretical framework weak source: entropy + assumptions to learn it from samples preprocessor: condenser postprocessor: extractor optionally: + hashing (extra masking) output: indistinguishable from random weak source + online entropy estimation + calibrating postprocessor ≈ TRNG Maciej Sk´ orski (IST Austria) Evaluating Entropy for True Random Number Generators WR0NG 2017, 30th April, Paris 8 / 49

  9. True Random Number Generators Design Evaluating security - criteria Standards for Random Number Generators Two popular and well documented (examples+justifications) recommendations AIS 31 - German Federal Office for Information Security (BSI) SP 800-90B - U.S. National Institute for Standards and Technology (NIST) Randomness tests Most popular: NIST, DieHard, DieHarder, TestU01 Maciej Sk´ orski (IST Austria) Evaluating Entropy for True Random Number Generators WR0NG 2017, 30th April, Paris 9 / 49

  10. True Random Number Generators Sources Plan True Random Number Generators 1 Design Sources Postprocessing Security evaluation 2 Methodology Statistical tests - caveats Hardware implementations - caveats Entropy Estimators Health tests Conclusion 3 References 4 Maciej Sk´ orski (IST Austria) Evaluating Entropy for True Random Number Generators WR0NG 2017, 30th April, Paris 10 / 49

  11. True Random Number Generators Sources Examples of sources Many proposals. Below examples with public (web) interfaces Radioactive decay [Wal] ( https://www.fourmilab.ch/hotbits/ ) Atmospheric noise [Haa] ( http://www.random.org/ ) Quantum vacuum fluctuations [SQCG] ( http://qrng.anu.edu.au ) Maciej Sk´ orski (IST Austria) Evaluating Entropy for True Random Number Generators WR0NG 2017, 30th April, Paris 11 / 49

  12. True Random Number Generators Sources Necessary properties of sources indistinguishability X = X 1 , X 2 , X m f ( X ) b 1 b 2 . . . b n ≈ raw bits random bits post-processing Theorem (Min-entropy in sources necessary [RW04]) If X ∈ { 0 , 1 } m is such that f ( X ) ≈ U n then X ≈ Y s.t. H ∞ ( Y ) � n where 1 H ∞ ( X ) = min x log P X ( x ) is the min-entropy of the source (also when conditioned on the randomness of f ). Can we use Shannon entropy? many papers estimate Shannon entropy in the context of TRNGs (easier) best available tests utilize Shannon entropy (compression techniques) standards put more emphasize on min-entropy only recently Maciej Sk´ orski (IST Austria) Evaluating Entropy for True Random Number Generators WR0NG 2017, 30th April, Paris 12 / 49

  13. True Random Number Generators Sources Shannon entropy is bad in one-shot regimes... Shannon entropy is a bad estimate even for (less restrictive) collision entropy 50 worst H 2 given H 40 H 2 (collision) 30 20 10 0 0 32 64 128 200 256 H (Shannon) Figure: Worst bounds on collision entropy when Shannon entropy is fixed (256 bits). Example Even with H ( X ) = 255 . 999 we could have only H 2 ( X ) = 35 . 7 . Construction: a heavy unit mass mixed with the uniform distribution. Maciej Sk´ orski (IST Austria) Evaluating Entropy for True Random Number Generators WR0NG 2017, 30th April, Paris 13 / 49

  14. True Random Number Generators Sources ... but ok for repeated experiments! Asymptotic Equiparition Property If the source produces X 1 , X 2 , X 3 . . . then for x ← X 1 , . . . , X n we have 1 P X n ( x ) = 1 1 nH ( X n ) + o (1) n log w.p. 1 − o (1) Under reasonable restrictions on the source (e.g. iid or stationarity and ergodicity). Essentially: almost all sequences are roughly equally likely. Shannon is asymptotically good We conclude that for n → ∞ nH ∞ ( X 1 , . . . , X n | E ) ≈ 1 1 nH ( X 1 , . . . , X n | E ) , Pr[ E ] = 1 − o (1) this demonstrates the entropy smoothing technique [RW04,HR11,STTV07,Kog13]. Maciej Sk´ orski (IST Austria) Evaluating Entropy for True Random Number Generators WR0NG 2017, 30th April, Paris 14 / 49

  15. True Random Number Generators Sources How big is the error? can quantify the convergence in the AEP (Holenstein, Renner [HR11]... ... much better when entropy per bit is high - relevant to TRNGs [Sko17] 8 6 min-entropy rate 4 2 new bound bound [HR11] 0 0 100 200 300 400 500 number of samples n Figure: (smooth) min-entropy per bit, independent 8 -bit samples with Shannon rate 0.997 per bit Maciej Sk´ orski (IST Austria) Evaluating Entropy for True Random Number Generators WR0NG 2017, 30th April, Paris 15 / 49

  16. True Random Number Generators Sources Sources - conclusion Shannon approximation min-entropy necessary for post-processing, but hard to estimate we have simple Shannon entropy estimators (compression techniques [Mau92]) under (practically reasonable) restrictions on the source, one can approximate by Shannon entropy; the justification is by entropy smoothing+AEP convergence even better in high-entropy regimes (relevant to TRNGs) What about Renyi entropy? One can also use collision entropy (between min-entropy and Shannon entropy), which is faster to estimate [AOST15] (at least for iid sources). Maciej Sk´ orski (IST Austria) Evaluating Entropy for True Random Number Generators WR0NG 2017, 30th April, Paris 16 / 49

  17. True Random Number Generators Postprocessing Plan True Random Number Generators 1 Design Sources Postprocessing Security evaluation 2 Methodology Statistical tests - caveats Hardware implementations - caveats Entropy Estimators Health tests Conclusion 3 References 4 Maciej Sk´ orski (IST Austria) Evaluating Entropy for True Random Number Generators WR0NG 2017, 30th April, Paris 17 / 49

  18. True Random Number Generators Postprocessing Instantiating Postprocessors ≈ ǫ U n Ext ( X ) X high min-entropy indistinguishable from random post-processing Here ≈ ǫ means ǫ -closeness in total variation (statistical distance). Implementing postprocessors Randomness extractors, like Teoplitz Matrices or the Trevisan extractor (implemented in quantum TRNGs [MXXTQ+13]). CBC-MAC (inside Intel’s IvyBridge; TRNG is part of hybrid design!) other cryptographic functions (e.g. early Intel RNGs used SHA-1) Maciej Sk´ orski (IST Austria) Evaluating Entropy for True Random Number Generators WR0NG 2017, 30th April, Paris 18 / 49

Recommend

Canary Numbers: Design for Light-weight Online Testability of True Random Number Generators

Canary Numbers: Design for Light-weight Online Testability of True Random Number Generators

Canary Numbers: Design for Light-weight Online Testability of True Random Number Generators Vladimir Roi, Bohan Yang, Nele Mentens and Ingrid Verbauwhede Acknowledgment This work is supported in part by the European Commission through the

348 views • 19 slides
Random numbers We have seen that in many applications we need random number generators For

Random numbers We have seen that in many applications we need random number generators For

Random numbers We have seen that in many applications we need random number generators For example we sue random number generator to obtain session keys; to avoid key guessing If an adversary sees a sequence of session keys He/she

426 views • 16 slides
The Frequency Injection Attack on Ring-Oscillator-Based True Random Number Generators A.

The Frequency Injection Attack on Ring-Oscillator-Based True Random Number Generators A.

The Frequency Injection Attack on Ring-Oscillator-Based True Random Number Generators A. Theodore Markettos and Simon Moore www.cl.cam.ac.uk/research/security Computer Laboratory A.T. Markettos and S. W. Moore, The Frequency Injection Attack

796 views • 30 slides
Analysis of the Linux Random Number Generator Patrick Lacharme, Andrea R ock, Vincent Stubel,

Analysis of the Linux Random Number Generator Patrick Lacharme, Andrea R ock, Vincent Stubel,

Analysis of the Linux Random Number Generator Patrick Lacharme, Andrea R ock, Vincent Stubel, Marion Videau October 23, 2009 - Rennes Outline Random Number Generators The Linux Random Number Generator Building Blocks Entropy Estimation

681 views • 55 slides
Draft History of Random Number Generators Seed x 0 , x i = f ( x i 1 ) , u i = g ( x i )

Draft History of Random Number Generators Seed x 0 , x i = f ( x i 1 ) , u i = g ( x i )

1 Draft History of Random Number Generators Seed x 0 , x i = f ( x i 1 ) , u i = g ( x i ) Pierre LEcuyer 2 Draft Once upon a time, ... 5000 years ago Dice, coins, and other devices were used long ago to make random selections

815 views • 50 slides
A Random Walk through CS70 bounds for computing whether you have an even number of 1s as true?

A Random Walk through CS70 bounds for computing whether you have an even number of 1s as true?

A Random Walk through CS70 bounds for computing whether you have an even number of 1s as true? Then Q true, then R true. If P not true, then both sides reduce CS70 Summer 2016 - Lecture 8B 4 Applications: Circuits Boolean logic encompasses a

336 views • 5 slides
Introduction to Pseudo-Random Number Generators Nicola Gigante December 21, 2016 Why random

Introduction to Pseudo-Random Number Generators Nicola Gigante December 21, 2016 Why random

Introduction to Pseudo-Random Number Generators Nicola Gigante December 21, 2016 Why random numbers? Lifes most important questions are, for the most part, nothing but probability problems. Pierre-Simon de Laplace 2 Why random numbers?

1.37k views • 63 slides
Introduction to Pseudo-Random Number Generators Nicola Gigante March 9, 2016 Why random

Introduction to Pseudo-Random Number Generators Nicola Gigante March 9, 2016 Why random

Introduction to Pseudo-Random Number Generators Nicola Gigante March 9, 2016 Why random numbers? Lifes most important questions are, for the most part, nothing but probability problems. Pierre-Simon de Laplace 2 Why random numbers?

684 views • 55 slides
ECEN 5022 Cryptography Pseudo Random Number Generators Peter Mathys University of Colorado

ECEN 5022 Cryptography Pseudo Random Number Generators Peter Mathys University of Colorado

Pseudo Random Number Generators ECEN 5022 Cryptography Pseudo Random Number Generators Peter Mathys University of Colorado Spring 2008 Peter Mathys ECEN 5022 Cryptography Pseudo Random Number Generators Random Number Generation Random

352 views • 14 slides
Draft History of Random Number Generators Seed x 0 , x i = f ( x i 1 ) , u i = g ( x i )

Draft History of Random Number Generators Seed x 0 , x i = f ( x i 1 ) , u i = g ( x i )

1 Draft History of Random Number Generators Seed x 0 , x i = f ( x i 1 ) , u i = g ( x i ) Pierre LEcuyer Ecole Polytechnique, Palaiseau, D ec. 2017 2 Draft Once upon a time, ... 5000 years ago Dice, coins, and other devices

1.35k views • 85 slides
Random number generators and random processes Eugeniy E. Mikhailov The College of William &

Random number generators and random processes Eugeniy E. Mikhailov The College of William &

Random number generators and random processes Eugeniy E. Mikhailov The College of William & Mary Lecture 11 Eugeniy Mikhailov (W&M) Practical Computing Lecture 11 1 / 11 Statistics and probability intro Mathematical and physical

551 views • 17 slides
Draft 1 On the Lattice Structure of MIXMAX Random Number Generators Pierre LEcuyer Joint

Draft 1 On the Lattice Structure of MIXMAX Random Number Generators Pierre LEcuyer Joint

Draft 1 On the Lattice Structure of MIXMAX Random Number Generators Pierre LEcuyer Joint work with Paul Wambergue, Erwan Bourceret, and Marc-Antoine Savard MCQMC, Rennes, July 2018 Draft 2 MIXMAX Generators [Akopov, Savvidy, et al.

508 views • 19 slides
A study of entropy transfers in the Linux Random Number Generator Th. Vuillemin, F . Goichon, G.

A study of entropy transfers in the Linux Random Number Generator Th. Vuillemin, F . Goichon, G.

A study of entropy transfers in the Linux Random Number Generator Th. Vuillemin, F . Goichon, G. Salagnac, C. Lauradoux 1 The need for random numbers Computers are built to be fully deterministic... ...but unpredictability is still required

483 views • 33 slides
Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of

Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of

Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of a discrete random variable. Properties: H(x) >= 0 Entropy Entropy Lesser the probability for an event, larger the entropy.

471 views • 21 slides
A Fast, Cheap, High-Entropy Source for IoT Devices Ben Lampert, Riad Wahby, Shane Leonard,Phil

A Fast, Cheap, High-Entropy Source for IoT Devices Ben Lampert, Riad Wahby, Shane Leonard,Phil

A Fast, Cheap, High-Entropy Source for IoT Devices Ben Lampert, Riad Wahby, Shane Leonard,Phil Levis Introduction - How do you evaluate random number generators (RNG) Entropy is a measure of an adversarial information on a sequence of bits given

797 views • 28 slides
AMath 483/583 Lecture 26 Outline: Monte Carlo methods Random number generators

AMath 483/583 Lecture 26 Outline: Monte Carlo methods Random number generators

AMath 483/583 Lecture 26 Outline: Monte Carlo methods Random number generators Monte Carlo integrators Random walk solution of Poisson problem R.J. LeVeque, University of Washington AMath 483/583, Lecture 26 Announcements

587 views • 41 slides
FPGA-based True Random Number Generation using Circuit

FPGA-based True Random Number Generation using Circuit

FPGA-based True Random Number Generation using Circuit Meta-stability with Adaptive Feedback Control Mehrdad Majzoobi 1 , Farinaz Koushanfar 1, and

243 views • 21 slides
Random Number Generators: Design Principles and Statistical Testing Pierre LEcuyer Mixmax

Random Number Generators: Design Principles and Statistical Testing Pierre LEcuyer Mixmax

1 Random Number Generators: Design Principles and Statistical Testing Pierre LEcuyer Mixmax Workshop, CERN, Geneva, July 2016 2 What do we want? Sequences of numbers that look random. 2 What do we want? Sequences of numbers that look

1.31k views • 128 slides
Security of Pseudo-Random Number Generators With Input Damien Vergnaud cole normale

Security of Pseudo-Random Number Generators With Input Damien Vergnaud cole normale

Security of Pseudo-Random Number Generators With Input Damien Vergnaud cole normale suprieure INRIA PSL wr0ng April, 30th 2017 (with Yevgeniy Dodis, David Pointcheval, Sylvain Ruhault & Daniel Wichs) Damien Vergnaud (ENS)

694 views • 57 slides
Seeding Random Number Generators Jesse Walker Intel Corpora:on

Seeding Random Number Generators Jesse Walker Intel Corpora:on

Seeding Random Number Generators Jesse Walker Intel Corpora:on Intel Labs Circuits and System Research Security Research Lab 1 Agenda The problem

513 views • 13 slides
Random Number Generators for Cryptography Design and Evaluation Viktor F ISCHER Laboratoire

Random Number Generators for Cryptography Design and Evaluation Viktor F ISCHER Laboratoire

TRNG Design TRNG Classes Conclusions Random Number Generators for Cryptography Design and Evaluation Viktor F ISCHER Laboratoire Hubert Curien, UMR 5516 CNRS Jean Monnet University, Member of University of Lyon Saint-Etienne, France

675 views • 52 slides
HAVEGE HArdware Volatile Entropy Gathering and Expansion Unpredictable random number generation

HAVEGE HArdware Volatile Entropy Gathering and Expansion Unpredictable random number generation

HAVEGE HArdware Volatile Entropy Gathering and Expansion Unpredictable random number generation at user level Andr Seznec Nicolas Sendrier Andr Seznec Caps Team IRISA/INRIA Unpredictable random numbers Unpredictable =

597 views • 48 slides
A Highly-Portable True Random Number Generator based on Coherent Sampling 2019 International

A Highly-Portable True Random Number Generator based on Coherent Sampling 2019 International

A Highly-Portable True Random Number Generator based on Coherent Sampling 2019 International Conference on Field-Programmable Logic and Applications Adriaan Peetermans, Vladimir Ro zi c and Ingrid Verbauwhede September 10, 2019 Random

370 views • 35 slides
CSCE 478/878 Lecture 5: Evaluating will misclassify an instance drawn at random accord-

CSCE 478/878 Lecture 5: Evaluating will misclassify an instance drawn at random accord-

Outline Two Definitions of Error Sample error vs. true error The true error of hypothesis h with respect to target function f and distribution D is the probability that h CSCE 478/878 Lecture 5: Evaluating will misclassify an instance

88 views • 5 slides

More recommend