pseudorandom algorithms
play

Pseudorandom Algorithms Derek Soeder Christopher Abad - PowerPoint PPT Presentation

Dec 10, 2022 •276 likes •574 views

Black-Box Assessment of Pseudorandom Algorithms Derek Soeder Christopher Abad Gabriel Acevedo dsoeder@cylance.com cabad@cylance.com gacevedo@cylance.com Agenda About PRNGs PRNGs by Example Attack Methodology

  1. Black-Box Assessment of Pseudorandom Algorithms Derek Soeder Christopher Abad Gabriel Acevedo dsoeder@cylance.com cabad@cylance.com gacevedo@cylance.com

  2. Agenda • About PRNGs • PRNGs by Example • Attack Methodology • The Tool: Prangster • Demonstration

  3. Who we are Advanced Threat Protection ∙ Incident Response ∙ Special Projects ∙ Research Christopher Abad, Gabriel Acevedo, Derek Soeder Cylance Labs Division, Cylance, Inc. “The Science of Security”

  4. About PRNGs

  5. About PRNGs • Pseudorandom number generator • Deterministic, appears unpredictable • Designed for simplicity and performance • Not secure • Cryptographically secure random number generator (CSRNG) • Accumulates entropy • Designed for security

  6. About PRNGs Entropy Application Entropy Output source Seed Pseudorandom PRNG numbers State

  7. About PRNGs Seed State • Derived from “entropy” or • Internal state of PRNG supplied by application • Transformed for each • Initial internal state is pseudorandom number derived from it generated Some states might not map to a seed

  8. About PRNGs • Consuming pseudorandom numbers • Modular (“take -from- bottom”) • Multiplicative (“take -from- top”)

  9. About PRNGs • Modular (take-from-bottom) % Modulus % Limit % Output modulus / Discard divisor

  10. About PRNGs • Multiplicative (take-from-top) % Modulus ∙ Limit / Output divisor / Discard divisor

  11. About PRNGs Ordinal value Symbol • Pseudorandom number • One unit of pseudorandom from PRNG, processed by application output, usually a application byte or character • Used to select a symbol for • Mapping from numbers to pseudorandom output symbols is the “alphabet” • Size of alphabet = “limit”

  12. About PRNGs • Alphabet • Decided by application • Pseudorandom numbers to symbols via alphabet is a generalized but common pattern • Example: • abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789!@#$%^&*&*()-+_= • ‘ a ’ = 0, ‘ Z ’ = 51, ‘ * ’ = 69 or 71, ‘ = ’ = 77, etc.

  13. PRNGs by Example

  14. PRNGs by Example • Linear congruential generator (LCG) • Array-based • Miscellaneous

  15. PRNGs by Example • Linear congruential generator (LCG) • Next state: s i = (A ∙ s i-1 + C) % M • Output: x i = (s i / D) % R • A = multiplier C = increment M = modulus D = discard divisor R = output modulus (RAND_MAX + 1)

  16. PRNGs by Example • LCG examples: PRNG A C M D R MSVCRT 2 32 2 16 2 15 214013 2531011 2 16 2 32 Java 2 48 0x5DEECE66D 11 2 17 2 31 BSD libc 16807 0 2147483647 1 2147483647 VBScript 2 24 2 24 0xFD43FD 0xC39EC3 1 1.000 000 40014 0 2147483563 MSSQL/PHP 012 324 2147483563 40692 0 2147483399 788 164

  17. PRNGs by Example • Array-based • Array of N integers modulo M • Two indices with a fixed separation • a k = (a k ± a k+Sep ) % M a k+Sep = (a k+Sep ± a k ) % M • At most M N possible states, > possible seeds

  18. PRNGs by Example • Array-based examples: PRNG N Sep Index ± M D Operation .NET 55 21 +1 2147483647 1 a k = (a k - a k+Sep ) % M 2 32 glibc (3) 31 3 +1 2 a k+Sep = (a k + a k+Sep ) % M x = rotr(a k , 13) + a k+Sep 17 2 32 PureBasic 10 -1 1 a k = rotr(b k , 5) + b k+Sep 17 b k = x

  19. PRNGs by Example • Array-based exhibit recurrence relations • .NET: x i+55 = x i - x i+21 + error • glibc (3): x i+31 = x i + x i+28 + error • Error • Caused by interactions of “hidden” state • Stymies prediction • Can actually be useful

  20. PRNGs by Example • Miscellaneous • Google V8: “multiply -with- carry” • Next state: s i = 18273 ∙ (s i-1 % 2 16 ) + (s i-1 / 2 16 ) t i = 36969 ∙ (t i-1 % 2 16 ) + (t i-1 / 2 16 ) • Output: x i = (2 14 ∙ ( s i % 2 18 ) + (t i % 2 18 )) / 2 32 • Perl: uses platform’s libc rand() / (RAND_MAX + 1)

  21. Attack Methodology

  22. Attack Methodology • Identify pseudorandom output • Collect samples • Isolate truly pseudorandom portion • Determine complete alphabet • Detect biases if possible

  23. Attack Methodology • Recover seed from output • Guess PRNG if not known • Guess alphabet • Usually the most obvious arrangement • Use biases/error if available • Exploit • Forward/reverse prediction • Recover entropy

  24. The Tool: Prangster

  25. The Tool: Prangster • Why? • Functions • {Output, alphabet}  Seed(s) • {Seed, alphabet}  Next/previous output • {Seed, ± n}  Seed for n th next/previous state

  26. The Tool: Prangster • Benchmarks ABCDEFGHIJKLMNOP ABCDEFGH ABCDEFGHIJKLMNOP ABCDEFGHIJKLMNO PRNG Full naive brute-force from A..Z from A..Z P from A..Z BSD libc 26 seconds 1 second 1 second 1 second Java 96 days 20 minutes 2 seconds < 1 second MSVCRT 63 seconds < 1 second < 1 second 1 < second 19,856 years 145 seconds V8 < 1 second < 1 second 1 < second (Full state) (Half state)

  27. Demonstration

  28. Questions?

  29. Thank you! Derek Soeder Christopher Abad Gabriel Acevedo dsoeder@cylance.com cabad@cylance.com gacevedo@cylance.com

Recommend

Pseudorandom Objects and Generators Journes ALEA 2012 Lecture 1: Pseudorandom objects:

Pseudorandom Objects and Generators Journes ALEA 2012 Lecture 1: Pseudorandom objects:

Pseudorandom Objects and Generators Journes ALEA 2012 Lecture 1: Pseudorandom objects: examples and constructions David Xiao LIAFA CNRS, Universit Paris 7 Plan Today: examples of pseudorandom objects Expander graphs

403 views • 17 slides
Pseudorandom generators hard for propositional proof systems Markus Latte April 3 and 4, 2009

Pseudorandom generators hard for propositional proof systems Markus Latte April 3 and 4, 2009

Pseudorandom generators hard for propositional proof systems Markus Latte April 3 and 4, 2009 JASS09 Sankt Peterburg Pseudorandom Generators in Complexity Theory Informally, a pseudorandom generator is a (computable) function G n : { 0 , 1 }

624 views • 49 slides
Pseudorandom Objects and Generators Journes ALEA 2012 Lecture 2: Pseudorandomness in

Pseudorandom Objects and Generators Journes ALEA 2012 Lecture 2: Pseudorandomness in

Pseudorandom Objects and Generators Journes ALEA 2012 Lecture 2: Pseudorandomness in Algorithms and Complexity David Xiao LIAFA CNRS, Universit Paris 7 Example: Polynomial Identity Testing Given multi-variate polynomial p Z[x 1

259 views • 21 slides
On the Concrete Security of Goldreichs Pseudorandom Generator Geo ff roy Couteau - Aurlien

On the Concrete Security of Goldreichs Pseudorandom Generator Geo ff roy Couteau - Aurlien

On the Concrete Security of Goldreichs Pseudorandom Generator Geo ff roy Couteau - Aurlien Dupin - Pierrick Maux - Mlissa Rossi - Yann Rotella ASIACRYPT 2018/12/04 1 1 Goldreich Pseudorandom Generator (Goldreich TOCT 2000)

795 views • 64 slides
Pseudorandom States, No-Cloning Pseudorandom States, No-Cloning Theorems and Quantum Money

Pseudorandom States, No-Cloning Pseudorandom States, No-Cloning Theorems and Quantum Money

Pseudorandom States, No-Cloning Pseudorandom States, No-Cloning Theorems and Quantum Money Theorems and Quantum Money Zhengfeng Ji (UTS:QSI) QCrypt 2018, Shanghai 1 . 1 A Joint Work With A Joint Work With Yi-Kai Liu Fang Song (NIST and

257 views • 24 slides
An Algebraic Framework for Pseudorandom Functions and Applications to Related-Key Security Michel

An Algebraic Framework for Pseudorandom Functions and Applications to Related-Key Security Michel

An Algebraic Framework for Pseudorandom Functions and Applications to Related-Key Security Michel Abdalla, Fabrice Benhamouda, Alain Passelgue Pseudorandom functions [GGM86] - efficiently computable function : -

1.01k views • 56 slides
Pseudorandom generators from polarizing random walks Ka Kaave Ho Hossei eini (UC San Diego)

Pseudorandom generators from polarizing random walks Ka Kaave Ho Hossei eini (UC San Diego)

Pseudorandom generators from polarizing random walks Ka Kaave Ho Hossei eini (UC San Diego) Eshan Chattopadhyay (IAS Cornell) Pooya Hatami (UT Austin Ohio State) Shachar Lovett (UC San Diego) Outline Introduce Pseudorandom generators

1.41k views • 88 slides
Extractors and Pseudorandom Generators Luca Trevisan Columbia University Extractors and

Extractors and Pseudorandom Generators Luca Trevisan Columbia University Extractors and

Extractors and Pseudorandom Generators Luca Trevisan Columbia University Extractors and Pseudorandom Generators 1 Contents We present a new approach to construct extractors. Extractors transform a weakly random (realistic)

391 views • 27 slides
Symbolic Encryption with Pseudorandom Keys Daniele Micciancio (UCSD) Cryptographic Protocols

Symbolic Encryption with Pseudorandom Keys Daniele Micciancio (UCSD) Cryptographic Protocols

Symbolic Encryption with Pseudorandom Keys Daniele Micciancio (UCSD) Cryptographic Protocols Often make use of several basic crypto ops: (Enc) Encryption: E(k,m) (PRG) Pseudorandom generators: G(k) Protocol should be secure for

433 views • 24 slides
Load Balancing in Ceph: Load Balancing With Pseudorandom Placement Esteban Molina-Estolano,

Load Balancing in Ceph: Load Balancing With Pseudorandom Placement Esteban Molina-Estolano,

Load Balancing in Ceph: Load Balancing With Pseudorandom Placement Esteban Molina-Estolano, Carlos Maltzahn, Scott Brandt University of California, Santa Cruz The Load Balancing Problem Pseudorandom placement for distributed storage

513 views • 12 slides
Pseudorandom Functions and Lattices Abhishek Banerjee 1 Chris Peikert 1 Alon Rosen 2 1 Georgia Tech

Pseudorandom Functions and Lattices Abhishek Banerjee 1 Chris Peikert 1 Alon Rosen 2 1 Georgia Tech

Pseudorandom Functions and Lattices Abhishek Banerjee 1 Chris Peikert 1 Alon Rosen 2 1 Georgia Tech 2 IDC Herzliya Faces of Modern Cryptography 9 September 2011 1 / 14 2 / 14 Pseudorandom Functions [GGM84] A family F = { F s : { 0 , 1 }

1.03k views • 59 slides
Objectives Random Bit Generation Pseudorandom Bit Generation Statistical Tests

Objectives Random Bit Generation Pseudorandom Bit Generation Statistical Tests

Pseudorandomness Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Random Bit Generation Pseudorandom Bit Generation

379 views • 17 slides
Constrained Pseudorandom Functions for Unconstrained Inputs Apoorvaa Deshpande (Brown

Constrained Pseudorandom Functions for Unconstrained Inputs Apoorvaa Deshpande (Brown

Constrained Pseudorandom Functions for Unconstrained Inputs Apoorvaa Deshpande (Brown University) Venkata Koppula (University of Texas at Austin) Brent Waters (University of Texas at Austin) Pseudorandom Functions (Goldreich-Goldwasser-Micali

1.96k views • 97 slides
Teaching Labs on Pseudorandom Number Generation Elizabeth Patitsas University of Toronto &amp;

Teaching Labs on Pseudorandom Number Generation Elizabeth Patitsas University of Toronto &amp;

Introduction Lab Details Our Experience Conclusion Teaching Labs on Pseudorandom Number Generation Elizabeth Patitsas University of Toronto &amp; University of British Columbia July 5, 2012 Teaching Labs on Pseudorandom Number Generation

192 views • 16 slides
Pseudorandom fu functions in in alm lmost constant depth fr from lo low-noise LPN Yu Yu

Pseudorandom fu functions in in alm lmost constant depth fr from lo low-noise LPN Yu Yu

Pseudorandom fu functions in in alm lmost constant depth fr from lo low-noise LPN Yu Yu Cryptologic Research Center joint work with (John Steinberger) Outline Introduction to LPN Decisional and Computational LPN

416 views • 15 slides
Pseudorandom Number Generation Thanks once again to A. Joseph, D. Tygar, U. Vazirani, and D.

Pseudorandom Number Generation Thanks once again to A. Joseph, D. Tygar, U. Vazirani, and D.

Pseudorandom Number Generation Thanks once again to A. Joseph, D. Tygar, U. Vazirani, and D. Wagner at the University of California, Berkeley Fall 2012 CS 334: Computer Security 1 What Can Go Wrong? An example: This generates a 16

836 views • 35 slides
Part II: Pseudorandom Correlation Generators What are they? How can we build them? Re

Part II: Pseudorandom Correlation Generators What are they? How can we build them? Re

Part II: Pseudorandom Correlation Generators What are they? How can we build them? Re Recall: : Succinct Secure Computation from HSS x Exchange additive Eval C Share output shares y 0 w 0 = C(x,x) w + w 1 y 1 Eval C x

638 views • 44 slides
Effjcient Deterministjc and Non- Deterministjc Pseudorandom Number Generatjon Jie Li, Jianliang

Effjcient Deterministjc and Non- Deterministjc Pseudorandom Number Generatjon Jie Li, Jianliang

Effjcient Deterministjc and Non- Deterministjc Pseudorandom Number Generatjon Jie Li, Jianliang Zheng, Paula Whitlock Outline Introductjon MaD1 Algorithm A Building Block: MARC-bb Data Structure Key Scheduling

612 views • 26 slides
Traversing a n -cube without Balanced Hamiltonian Cycle to Generate Pseudorandom Numbers J.-F .

Traversing a n -cube without Balanced Hamiltonian Cycle to Generate Pseudorandom Numbers J.-F .

Traversing a n -cube without Balanced Hamiltonian Cycle to Generate Pseudorandom Numbers J.-F . Couchot, P .-C. Heam, C. Guyeux, Q. Wang, and J. M. Bahi FEMTO-ST Institute, University of Franche-Comt, France College of Automation, Guangdong

828 views • 24 slides
New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1

New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1

New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1 Georgia Institute of Technology CRYPTO 14 19 August 2014 Outline Introduction 1 Construction, Parameters and Efficiency 2 Proof of Security

886 views • 47 slides
Related-Key Security for Pseudorandom Functions Beyond the Linear Barrier Ala lain in Passel

Related-Key Security for Pseudorandom Functions Beyond the Linear Barrier Ala lain in Passel

Related-Key Security for Pseudorandom Functions Beyond the Linear Barrier Ala lain in Passel elgue Ecole normale suprieure Joint work with: Mich ichel l Abdalla la (ENS), Fabric ice Be Benhamouda (ENS), Ken enneth G. . Paterson

986 views • 61 slides
On the Exact Security of Message Authentication using Pseudorandom Functions Fast Software

On the Exact Security of Message Authentication using Pseudorandom Functions Fast Software

On the Exact Security of Message Authentication using Pseudorandom Functions Fast Software Encryption 17, Tokyo Ashwin Jha 1 , Avradip Mandal 2 , Mridul Nandi 1 1 Indian Statistical Institute, Kolkata, India 2 Fujitsu Laboratories of America,

751 views • 28 slides
Berkeley CS276 &amp; MIT 6.875 Pseudorandom Permutations and Symmetric Key Encryption Lecturer:

Berkeley CS276 &amp; MIT 6.875 Pseudorandom Permutations and Symmetric Key Encryption Lecturer:

Berkeley CS276 &amp; MIT 6.875 Pseudorandom Permutations and Symmetric Key Encryption Lecturer: Raluca Ada Popa Sept 15, 2020 Announcements Starting to record Psets grading policy: We count your best 5 out of 6 psets Total

728 views • 48 slides
Targeted Pseudorandom Generators, Simulation Advice Generators, and Derandomizing Logspace William

Targeted Pseudorandom Generators, Simulation Advice Generators, and Derandomizing Logspace William

Targeted Pseudorandom Generators, Simulation Advice Generators, and Derandomizing Logspace William M. Hoza 1 Chris Umans 2 October 10, 2016 Dagstuhl Seminar 16411 1 University of Texas at Austin 2 California Institute of Technology ?

1.67k views • 130 slides

More recommend