practical seed recovery for the pcg pseudo random number
play

Practical Seed-Recovery for the PCG Pseudo-Random Number Generator - PowerPoint PPT Presentation

Jul 23, 2023 •13 likes •533 views

Practical Seed-Recovery for the PCG Pseudo-Random Number Generator Charles Bouillaguet, Florette Martinez and Julia Sauvage November 2, 2020 Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 1 / 31 Introduction

  1. Practical Seed-Recovery for the PCG Pseudo-Random Number Generator Charles Bouillaguet, Florette Martinez and Julia Sauvage November 2, 2020 Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 1 / 31

  2. Introduction What? Cryptanalysis of the Permuted Congruential Generator (PCG). Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 2 / 31

  3. Why? Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 3 / 31

  4. Why? Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 4 / 31

  5. Why? Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 5 / 31

  6. Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 6 / 31

  7. Introduction What? Cryptanalysis of the Permuted Congruential Generator (PCG). Results Practical seed-recovery / prediction. How? "Guess-and-Determine" attack. Most expensive part : many small CVP problems. Actually done in ≤ 20 000 CPU-hours. Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 7 / 31

  8. Permuted Congruencial Generators (PCG) Conventional (non-crypto) pseudo-random generators Designed in 2014 by Melissa O’Neil PCG64 Internal state : 128-bit state and 128-bit increment 64-bit outputs 256-bit seed (or 128-bit with default increment) Default pseudo-random generator in NumPy 128 0 Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 8 / 31

  9. Permuted Congruencial Generators (PCG) Conventional (non-crypto) pseudo-random generators Designed in 2014 by Melissa O’Neil PCG64 Internal state : 128-bit state and 128-bit increment 64-bit outputs 256-bit seed (or 128-bit with default increment) Default pseudo-random generator in NumPy × a + c mod 2 128 128 128 S i + 1 S i 128 0 Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 8 / 31

  10. Permuted Congruencial Generators (PCG) Conventional (non-crypto) pseudo-random generators Designed in 2014 by Melissa O’Neil PCG64 Internal state : 128-bit state and 128-bit increment 64-bit outputs 256-bit seed (or 128-bit with default increment) Default pseudo-random generator in NumPy × a + c mod 2 128 128 128 S i + 1 S i 128 0 64 64 � Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 8 / 31

  11. Permuted Congruencial Generators (PCG) Conventional (non-crypto) pseudo-random generators Designed in 2014 by Melissa O’Neil PCG64 Internal state : 128-bit state and 128-bit increment 64-bit outputs 256-bit seed (or 128-bit with default increment) Default pseudo-random generator in NumPy × a + c mod 2 128 128 128 S i + 1 S i 128 122 0 64 64 � 6 r i ≫ 64 X i Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 8 / 31

  12. Attack Outline Guess some bits in a few successive states. Least-significant bits Rotations ⇒ Turn it into a (regular) truncated congruential generator . Reconstruct hidden information using lattice techniques. Discard bad guesses. Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 9 / 31

  13. Attack Outline Guess some bits in a few successive states. Least-significant bits Rotations ⇒ Turn it into a (regular) truncated congruential generator . Reconstruct hidden information using lattice techniques. Easy case ( c known): full state Hard case ( c unknown): only partial information Discard bad guesses. Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 9 / 31

  14. Easy Case: Known increment If the increment (c) is known ... ... Get rid of it! S ′ 0 ← S 0 S ′ 1 ← S 1 − c S ′ 2 ← S 2 − ( a + 1 ) c 3 ← S 3 − ( a 2 + a + 1 ) c S ′ . . . Yields S ′ : sequence of states with c = 0 → Geometric sequence . Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 10 / 31

  15. Attack Details 64 bits 64 bits S 0 S 1 S 2 Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 11 / 31

  16. Attack Details 6 ℓ bits r 0 w S 0 r 1 S 1 r 2 S 2 Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 11 / 31

  17. Attack Details 6 ℓ bits r 0 w S 0 × a + c mod 2 ℓ r 1 w 1 S 1 × a + c mod 2 ℓ r 2 w 2 S 2 Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 11 / 31

  18. Attack Details 6 ℓ bits r 0 w S 0 r 1 w 1 S 1 r 2 w 2 S 2 Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 11 / 31

  19. Attack Details 6 ℓ bits r 0 w S 0 ????????????????? r 1 w 1 S 1 ????????????????? r 2 w 2 S 2 ????????????????? ℓ bits 6 Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 11 / 31

  20. Attack Details ????????????????? ????????????????? ????????????????? ℓ bits 6 64 bits Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 11 / 31

  21. Remove the “Constant Component” ????????????????? T 0 − 0 × a mod 2 64 ????????????????? T 1 − c × a mod 2 64 ????????????????? T 2 ( a + 1 ) c − Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 12 / 31

  22. Truncated Linear Congruential Generators Internal state : 2 k -bit state. Multiplier a : known constant. Initial state: unknown 2 k -bit seed. × a mod 2 k k 0 T i discarded Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 13 / 31

  23. Reconstructing Truncated Geometric Sequences Sequence u i + 1 = a × u i mod 2 k . T = Truncated version (low-order bits unknown). L = lattice spawned by the rows of a 2 a n − 1   1 a . . . 2 k 0 0 0 . . .    2 k  0 0 . . . 0 u i     . . . . . . . . . . . . . . .   T i ????????? 2 k 0 0 0 . . . Main Idea u = ( u 0 , u 1 , . . . , u n − 1 ) belongs to the lattice L . T (truncated geometric series) is an approximation of u . ⇒ T is close to a point of L . ⇒ Closest point to T in L � u . Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 14 / 31

  24. Lattices and Basis reduction Lattice : subgroup of R n isomorphic to Z m Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 15 / 31

  25. Lattices and Basis reduction Lattice : subgroup of R n isomorphic to Z m Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 15 / 31

  26. CVP problem and Babai rounding Closest Vector Problem Standard NP-hard problem on lattices. Given arbitrary x ∈ Z n , find closest lattice point. Babai Rounding Algorithm Approximately solves CVP. H − 1 × x � � BabaiRounding ( x , L ) = H × round Where H is a “good” (LLL-reduced) basis of the lattice L . FAST (two matrix-vector products + rounding) Exponentially bad approximation (in the lattice dimension). → Often exact in small dimension though. Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 16 / 31

  27. Lattices and Basis reduction Lattice : subgroup of R n isomorphic to Z m Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 17 / 31

  28. Lattices and Basis reduction Lattice : subgroup of R n isomorphic to Z m Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 17 / 31

  29. Implementation (Easy case, known increment) Summary Observe 3 outputs X 0 , X 1 , X 2 (192 bits). Guess 37 bits: n = 3 successive rotations (6 bits each), ℓ = 19 least significant bits of S 0 , Solve 2 37 instances of CVP in dimension 3 (Babai Rounding). Reconstruct initial state, check outputs. Caveat Attack proved correct for ℓ = 20, works fine for ℓ = 19... Concretely... 25 CPU cycles per guess, 23 CPU-minutes in total. Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 18 / 31

  30. Issue with c unknown Summary so far (the Easy Case ) The increment (c) is known : Remove it, get truncated geometric sequence, CVP. Now the Hard Case The increment (c) is unknown : How to get truncated geometric sequence? (∆ S i + 1 = a × ∆ S i mod 2 128 ) . Use ∆ S i = S i + 1 − S i Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 19 / 31

  31. Issue with c unknown Summary so far (the Easy Case ) The increment (c) is known : Remove it, get truncated geometric sequence, CVP. Now the Hard Case The increment (c) is unknown : How to get truncated geometric sequence? (∆ S i + 1 = a × ∆ S i mod 2 128 ) . Use ∆ S i = S i + 1 − S i Same attack as before, but... Must guess one more rotation. Must guess least-significant bits of c . Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 19 / 31

  32. Attack Details S 0 S 1 S 2 S 3 S 4 Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 20 / 31

  33. Attack Details 6 ℓ bits r 0 w S 0 r 1 S 1 r 2 S 2 r 3 S 3 r 4 S 4 Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 20 / 31

  34. Attack Details 6 ℓ bits r 0 w S 0 × a + c mod 2 ℓ r 1 w 1 S 1 × a + c mod 2 ℓ r 2 w 2 S 2 × a + c mod 2 ℓ r 3 w 3 S 3 × a + c mod 2 ℓ r 4 w 4 S 4 Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 20 / 31

  35. Attack Details 6 ℓ bits r 0 w S 0 r 1 w 1 S 1 r 2 w 2 S 2 r 3 w 3 S 3 r 4 w 4 S 4 Bouillaguet, Martinez, Sauvage (SU) Seed-Recovery for PCG November 2, 2020 20 / 31

Recommend

Random Numbers RANDOM VS PSEUDO RANDOM Truly Random numbers From Wolfram: A random number

Random Numbers RANDOM VS PSEUDO RANDOM Truly Random numbers From Wolfram: A random number

Random Numbers RANDOM VS PSEUDO RANDOM Truly Random numbers From Wolfram: A random number is a number chosen as if by chance from some specified distribution such that selection of a large set of these numbers reproduces the underlying

720 views • 12 slides
Random Numbers, Files, and Onwards Random Numbers Computers cannot produce truly random numbers.

Random Numbers, Files, and Onwards Random Numbers Computers cannot produce truly random numbers.

Random Numbers, Files, and Onwards Random Numbers Computers cannot produce truly random numbers. We make do with pseudo-random numbers, which are good enough. The pseudo-random generation algorithm is given a seed value. The same seed will always

331 views • 12 slides
PSEUDO-RANDOM FUNCTIONS We want to answer the question: What is a good block cipher? where

PSEUDO-RANDOM FUNCTIONS We want to answer the question: What is a good block cipher? where

Recall We studied security of function families (in particular, block ciphers) against key recovery. But we saw that security against key recovery is not su ffi cient to ensure that natural usages of a block cipher are secure. PSEUDO-RANDOM

268 views • 13 slides
Introduction to Pseudo-Random Number Generators Nicola Gigante December 21, 2016 Why random

Introduction to Pseudo-Random Number Generators Nicola Gigante December 21, 2016 Why random

Introduction to Pseudo-Random Number Generators Nicola Gigante December 21, 2016 Why random numbers? Lifes most important questions are, for the most part, nothing but probability problems. Pierre-Simon de Laplace 2 Why random numbers?

1.37k views • 63 slides
Introduction to Pseudo-Random Number Generators Nicola Gigante March 9, 2016 Why random

Introduction to Pseudo-Random Number Generators Nicola Gigante March 9, 2016 Why random

Introduction to Pseudo-Random Number Generators Nicola Gigante March 9, 2016 Why random numbers? Lifes most important questions are, for the most part, nothing but probability problems. Pierre-Simon de Laplace 2 Why random numbers?

684 views • 55 slides
ECEN 5022 Cryptography Pseudo Random Number Generators Peter Mathys University of Colorado

ECEN 5022 Cryptography Pseudo Random Number Generators Peter Mathys University of Colorado

Pseudo Random Number Generators ECEN 5022 Cryptography Pseudo Random Number Generators Peter Mathys University of Colorado Spring 2008 Peter Mathys ECEN 5022 Cryptography Pseudo Random Number Generators Random Number Generation Random

352 views • 14 slides
Draft History of Random Number Generators Seed x 0 , x i = f ( x i 1 ) , u i = g ( x i )

Draft History of Random Number Generators Seed x 0 , x i = f ( x i 1 ) , u i = g ( x i )

1 Draft History of Random Number Generators Seed x 0 , x i = f ( x i 1 ) , u i = g ( x i ) Pierre LEcuyer 2 Draft Once upon a time, ... 5000 years ago Dice, coins, and other devices were used long ago to make random selections

815 views • 50 slides
Links visited in class Lehmer Park-Miller pseudo-random numbers seed based on letter E scipy

Links visited in class Lehmer Park-Miller pseudo-random numbers seed based on letter E scipy

4.3 Statistical tests Links visited in class Lehmer Park-Miller pseudo-random numbers seed based on letter E scipy reference stats norm for vocabulary ppf (percent point function), pdf, cdf 1

741 views • 5 slides
Draft History of Random Number Generators Seed x 0 , x i = f ( x i 1 ) , u i = g ( x i )

Draft History of Random Number Generators Seed x 0 , x i = f ( x i 1 ) , u i = g ( x i )

1 Draft History of Random Number Generators Seed x 0 , x i = f ( x i 1 ) , u i = g ( x i ) Pierre LEcuyer Ecole Polytechnique, Palaiseau, D ec. 2017 2 Draft Once upon a time, ... 5000 years ago Dice, coins, and other devices

1.35k views • 85 slides
Determinism in Deep Learning (S9911) Duncan Riach, GTC 2019 1 RANDOMNESS Pseudo-random number

Determinism in Deep Learning (S9911) Duncan Riach, GTC 2019 1 RANDOMNESS Pseudo-random number

Determinism in Deep Learning (S9911) Duncan Riach, GTC 2019 1 RANDOMNESS Pseudo-random number generation Random mini-batching Stochastic gradient descent Data augmentation Regularization / generalization 2 DETERMINISM Elimination of truly

564 views • 52 slides
Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits

Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits

Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits Damien Vergnaud cole normale suprieure CHES September, 15th 2015 (with Aurlie Bauer) Damien Vergnaud (ENS) Key Recovery from Random

766 views • 48 slides
PSEUDO-RANDOM FUNCTIONS 1 / 65 Recall We studied security of a block cipher against key

PSEUDO-RANDOM FUNCTIONS 1 / 65 Recall We studied security of a block cipher against key

PSEUDO-RANDOM FUNCTIONS 1 / 65 Recall We studied security of a block cipher against key recovery. But we saw that security against key recovery is not sufficient to ensure that natural usages of a block cipher are secure. We want to answer the

920 views • 88 slides
Security of Pseudo-Random Number Generators With Input Damien Vergnaud cole normale

Security of Pseudo-Random Number Generators With Input Damien Vergnaud cole normale

Security of Pseudo-Random Number Generators With Input Damien Vergnaud cole normale suprieure INRIA PSL wr0ng April, 30th 2017 (with Yevgeniy Dodis, David Pointcheval, Sylvain Ruhault & Daniel Wichs) Damien Vergnaud (ENS)

694 views • 57 slides
Pseudo-random Functions Debdeep Mukhopadhyay IIT Kharagpur We have seen the construction of

Pseudo-random Functions Debdeep Mukhopadhyay IIT Kharagpur We have seen the construction of

Pseudo-random Functions Debdeep Mukhopadhyay IIT Kharagpur We have seen the construction of PRG (pseudo-random generators) being constructed from any one-way functions. Now we shall consider a related concept: Pseudo-random

829 views • 15 slides
Cryptographic Secure Pseudo-Random Bits Generation : The Blum-Blum-Shub Generator Pascal Junod

Cryptographic Secure Pseudo-Random Bits Generation : The Blum-Blum-Shub Generator Pascal Junod

Cryptographic Secure Pseudo-Random Bits Generation : The Blum-Blum-Shub Generator Pascal Junod August 1999 Contents 1 Introduction 3 2 Concept of Pseudo-Random Bit Generator 4 3 The Blum-Blum-Shub Generator 7 3.1 Some number-theoretic

481 views • 21 slides
Pseudo-Random Number Generators Functional Programming and Intelligent Algorithms Prof Hans Georg

Pseudo-Random Number Generators Functional Programming and Intelligent Algorithms Prof Hans Georg

Pseudo-Random Number Generators Functional Programming and Intelligent Algorithms Prof Hans Georg Schaathun Hgskolen i lesund 14th February 2017 1 Randomness 1. What is randomness? 2 Randomness 1. What is randomness? 2. How do we

590 views • 22 slides
SoK: Security Models for Pseudo-Random Number Generators Sylvain Ruhault March 8 th , Tokyo, Fast

SoK: Security Models for Pseudo-Random Number Generators Sylvain Ruhault March 8 th , Tokyo, Fast

Motivation Standard PRNG Stateful PRNG PRNG with input Conclusion SoK: Security Models for Pseudo-Random Number Generators Sylvain Ruhault March 8 th , Tokyo, Fast Software Encryption 2017 1 / 18 Motivation Standard PRNG Stateful PRNG

266 views • 26 slides
Pseudo-Random Generators Computer programming (e.g. randomized algorithm) Elementary and

Pseudo-Random Generators Computer programming (e.g. randomized algorithm) Elementary and

Why do we need random numbers? Simulation Sampling Numerical analysis Pseudo-Random Generators Computer programming (e.g. randomized algorithm) Elementary and critical element in many cryptographic protocols Usually:

157 views • 5 slides
Random number generators and random processes Eugeniy E. Mikhailov The College of William &

Random number generators and random processes Eugeniy E. Mikhailov The College of William &

Random number generators and random processes Eugeniy E. Mikhailov The College of William & Mary Lecture 11 Eugeniy Mikhailov (W&M) Practical Computing Lecture 11 1 / 11 Statistics and probability intro Mathematical and physical

551 views • 17 slides
Pseudo-random numbers: a line at a time mostly Nelson H. F.

Pseudo-random numbers: a line at a time mostly Nelson H. F.

of code Pseudo-random numbers: a line at a time mostly Nelson H. F. Beebe Research Professor University of Utah Department of Mathematics, 110 LCB 155 S 1400 E RM 233 Salt Lake City, UT 84112-0090 USA

1.07k views • 78 slides
Pseudo-random numbers: a line at a time mostly Nelson H. F.

Pseudo-random numbers: a line at a time mostly Nelson H. F.

of code Pseudo-random numbers: a line at a time mostly Nelson H. F. Beebe Research Professor University of Utah Department of Mathematics, 110 LCB 155 S 1400 E RM 233 Salt Lake City, UT 84112-0090, USA

693 views • 68 slides
Pseudo-random numbers: a line at a time mostly Nelson H. F.

Pseudo-random numbers: a line at a time mostly Nelson H. F.

of code Pseudo-random numbers: a line at a time mostly Nelson H. F. Beebe Research Professor University of Utah Department of Mathematics, 110 LCB 155 S 1400 E RM 233 Salt Lake City, UT 84112-0090 USA

837 views • 65 slides
Parallel generation of pseudo-random sequences Who?

Parallel generation of pseudo-random sequences Who?

Parallel generation of pseudo-random sequences Who? 1100001010100110001001100100111010010110110001100000 0100001100101000011010101110010011101000011000100110 111101101010111000011110 = ( Cedric Lauradoux ) 10

646 views • 35 slides
Practical Password Recovery on an Practical Password Recovery on an MD5 Challenge/Response such

Practical Password Recovery on an Practical Password Recovery on an MD5 Challenge/Response such

Practical Password Recovery on an Practical Password Recovery on an MD5 Challenge/Response such as MD5 Challenge/Response such as APOP * APOP * Yu Sasaki ( The University of Electro-Communications ) Go Yamamoto (NTT) Kazumaro Aoki (NTT)

436 views • 8 slides

More recommend