SoK: Security Models for Pseudo-Random Number Generators
Sylvain Ruhault
March 8th, Tokyo, Fast Software Encryption 2017
Outline: Motivation, Standard PRNG, Stateful PRNG, PRNG with input, Conclusion
(slide 1/18)
Motivation (slide 2/18)
Papers about PRNG:
  FSE 96: Jenkins
  FSE 98: Schneier et al.
  Usenix 98: Gutmann
  EC02: Desai et al.
  CT-RSA03: Bellare and Yee
  ACSAC03: Viega
  CHES03: Barak et al.
  CCS05: Barak and Halevi
  CCS10: Yu et al.
  CCS13: Dodis et al.
  C14: Dodis et al.
  ...
SoK paper (this presentation):
  Unify security models
  Propose secure constructions based on AES
Outline (slide 3/18)
  1. Standard PRNG
  2. Stateful PRNG
  3. PRNG with input
Standard PRNG (slide 4/18)
Diagram: S -> G -> R, output bits 0001010110101...; can R be told apart from random?
Security of G: R is indistinguishable from random.
AES based construction:
  Secret S ←$ {0,1}^128
  |R| > |S|
  R = AES_S(1) || AES_S(2) || ···
Stateful PRNG (slide 5/18)
Standard: S -> G -> R
Stateful: key -> S_0 -> next -> S_1 -> next -> ··· -> next -> S_{q_n}, each next call also emitting an output R_1, ..., R_{q_n}
R_0, R_1, ··· shall be indistinguishable from random.
S: internal state of the generator.
State Compromise (slide 6/18)
Diagram: key -> S_0 -> next -> S_1 -> next -> ··· -> next -> S_{q_n}, with outputs R_1, ..., R_{q_n}; one of the intermediate states is compromised.
Forward security: past outputs are not compromised. Can be built upon a secure standard PRNG (BY03).
AES based construction:
  key:
    Require: ∅
    Ensure: S
    1: S ←$ {0,1}^128
    2: return S
  next:
    Require: S
    Ensure: S', R
    1: S' = AES_S(1)
    2: R = AES_S(2)
    3: return (S', R)
Backward security? "Next" outputs are not compromised?
  -> New input shall be collected
  -> Recovery mechanism
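As an added illustration (this is example code, not the deck's own), the BY03-style forward-secure stateful PRNG of this slide in Go with AES-128: `key` samples S, `next` returns S' = AES_S(1) and R = AES_S(2), and `standardPRNG` is the underlying G, so one can check that a next call is exactly one two-block evaluation of G split into new state and output. The function names are this example's own. The last lines of `main` show the backward-security gap the slide raises: whoever holds S_q can compute R_{q+1} without any further input, which is why the following slides add input collection.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Added example, not the deck's code: the BY03-style forward-secure stateful
// PRNG of the slides with AES-128. The state S is a 128-bit key; next replaces
// it by AES_S(1) and outputs AES_S(2). Function names are this example's own.

const blockSize = 16

// aesBlock returns AES_key(ctr) with ctr encoded as a big-endian 128-bit integer.
func aesBlock(key []byte, ctr uint64) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	var in, out [blockSize]byte
	binary.BigEndian.PutUint64(in[8:], ctr)
	c.Encrypt(out[:], in[:])
	return out[:]
}

// standardPRNG is the stateless G of the slides: R = AES_S(1) || AES_S(2) || ...
func standardPRNG(s []byte, nBlocks int) []byte {
	out := make([]byte, 0, nBlocks*blockSize)
	for i := 1; i <= nBlocks; i++ {
		out = append(out, aesBlock(s, uint64(i))...)
	}
	return out
}

// key is the setup algorithm: S <-$ {0,1}^128.
func key() []byte {
	s := make([]byte, blockSize)
	if _, err := rand.Read(s); err != nil {
		panic(err)
	}
	return s
}

// next splits one two-block call of G into the successor state and the output.
// The old S is overwritten and cannot be recovered from S' = AES_S(1) without
// the key, which is exactly what forward security asks for.
func next(s []byte) (sNext, r []byte) {
	return aesBlock(s, 1), aesBlock(s, 2)
}

// run performs q next calls from S_0 and returns R_1..R_q plus the final state S_q.
func run(s0 []byte, q int) (outputs [][]byte, sq []byte) {
	s := s0
	for i := 0; i < q; i++ {
		var r []byte
		s, r = next(s)
		outputs = append(outputs, r)
	}
	return outputs, s
}

func main() {
	s0 := key()
	outputs, sq := run(s0, 3)
	for i, r := range outputs {
		fmt.Printf("R_%d = %s\n", i+1, hex.EncodeToString(r))
	}
	// Without fresh input, whoever learns S_q can compute R_4 themselves: the
	// construction is forward secure but not backward secure.
	_, r4 := next(sq)
	fmt.Printf("R_4 = %s (computable from S_q alone)\n", hex.EncodeToString(r4))
}
```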
PRNG with input (slide 7/18)
Diagram: input I -> G (internal state S) -> R
PRNG with input: How to Manage Inputs? (slide 7/18, continued)
Accumulation: entropy of each input shall be accumulated in the internal state.
Extraction: entropy of the collected inputs shall be extracted to generate outputs.
  -> these operations are implicit in Fortuna, OpenSSL PRNG, /dev/random, NIST CTR_DRBG, ...
Definitions: seeded extractors, accumulators.
Requires independence between public seed and inputs.
  -> Potential vulnerability in NIST CTR_DRBG
Barak-Halevi Model (BH05) (slide 8/18)
PRNG with input, definition: two operations
  input collection: refresh, (S, I) -> S'
  output generation: next, S -> (S', R)
Operations are not synchronised.
Recovery in Barak-Halevi model (slide 9/18)
Diagram: a run interleaving refresh calls (absorbing inputs I into S) and next calls (updating S and emitting outputs R).
AES based construction:
  setup:
    Require: r
    Ensure: X
    1: X ←$ {0,1}^512
    2: return X
  refresh:
    Require: X, I, S
    Ensure: S'
    1: U = [X · I]_128
    2: S' = S ⊕ U
    3: return S'
  next:
    Require: S
    Ensure: S', R
    1: S' = AES_S(1)
    2: R = AES_S(2)
    3: return (S', R)
Security Analysis (slide 10/18)
(AES based construction of the Barak-Halevi model, as on the previous slide)
|S| = 128
Involves a seeded extractor.
At least one input shall have maximal entropy: H∞(I) = 512.
Requires a public random seed X of length 512 bits.
Inputs shall be independent from X.
Dodis et al. Model (DPR+13) (slide 11/18)
PRNG with input, definition: triple of algorithms (setup, refresh, next)
  setup: seed generation algorithm
  refresh: entropy collecting algorithm, (S, I) -> S'
  next: output algorithm, S -> (R, S')
Diagram: seed produced by setup; input I -> refresh -> S'; S -> next -> (S', R)
Recovery in Dodis et al. Model (slide 12/18)
Diagram: a run interleaving refresh calls (absorbing inputs I into S) and next calls (updating S and emitting outputs R).
Entropy can be accumulated slowly in S.
Recovery: after accumulated entropy is OK.
AES based construction:
  setup:
    Require: ∅
    Ensure: X, X'
    1: X ←$ {0,1}^1024
    2: X' ←$ {0,1}^1024
    3: return X, X'
  refresh:
    Require: X, I, S
    Ensure: S'
    1: S' = S · X + I
    2: return S'
  next:
    Require: S, X'
    Ensure: S', R
    1: U = [X' · S]_256
    2: S' = AES_U(1) || ··· || AES_U(8)
    3: R = AES_U(9)
    4: return (S', R)
Security Analysis (slide 13/18)
(AES based construction of the Dodis et al. model, as on the previous slide)
|S| = 1024
Involves a seeded extractor and a seeded accumulator.
Requires a public random (X, X') of length 2048 bits.
Inputs shall be independent from X.
Extensions have been proposed for leakage security [CR14, ABPRV15].
Premature Next Attack, Dodis et al. (DSSW14) (slide 14/18)
Diagram: a run interleaving refresh calls (absorbing inputs I into S) and next calls (updating S and emitting outputs R).
A next call can be done before recovery.
Solution: S = [S_1 ··· S_in ··· S_out ··· S_p]; a scheduler selects S_in and S_out.
Diagram: input I -> refresh -> S_in (pool in); S_out (pool out) -> next -> R
Generalized Fortuna Construction (DSSW14) (slide 15/18)
Pools G_i, i = 1, ···, 32, based on AES:
  setup_G:
    Require: ∅
    Ensure: X, X'
    1: X ←$ {0,1}^1024
    2: X' ←$ {0,1}^1024
    3: return X, X'
  refresh_i:
    Require: X, I, S
    Ensure: S'
    1: S' = S · X + I
    2: return S'
  next_i:
    Require: S, X'
    Ensure: S', R
    1: U = [X' · S]_256
    2: S' = AES_U(1) || ··· || AES_U(8)
    3: R = AES_U(9) || AES_U(10)
    4: return (S', R)
AES based scheduler: uses AES as a PRF, (in, out) ← SC(skey).
AES based construction:
  setup:
    Require: ∅
    Ensure: X, X', skey
    1: X, X' ← setup_G
    2: skey ←$ {0,1}^128
    3: return X, X', skey
  refresh:
    Require: X, key, I, S
    Ensure: S'
    1: parse S as (S_ρ, (S_i)_{i=0}^{31})
    2: (in, out) ← SC(skey)
    3: S_in ← refresh_in(X, S_in, I)
    4: (S_out, R) ← next_out(X', S_out)
    5: S_ρ ← S_ρ ⊕ R
    6: return S' = (S_ρ, (S_i)_{i=0}^{31})
  next:
    Require: S
    Ensure: S', R
    1: parse S as (S_ρ, (S_i)_{i=0}^{31})
    2: S_ρ = AES_{S_ρ}(1) || AES_{S_ρ}(2)
    3: R = AES_{S_ρ}(3) || AES_{S_ρ}(4)
    4: return (S', R)
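As an added example (not the deck's code), the DPR+13 construction of slides 12-13 and the generalized Fortuna of slides 14-15 in Go, scaled down so that they run with the standard library alone. The scaling is this example's assumption, not the paper's: GF(2^128) with the GCM reduction polynomial x^128 + x^7 + x^2 + x + 1 stands in for GF(2^512)/GF(2^1024), so seeds, pool states, inputs, the register S_ρ and the extracted key U are all 128 bits, next uses AES-128, and the truncations [·]_128 and [·]_256 of the slides become trivial; the BH05 refresh of slide 9 is the same extractor [X · I] xored into S instead of the S · X + I accumulator. `gfMul`, `refreshG`, `nextG`, the `Fortuna` type and the field names are this example's own, and its scheduler SC(skey) is a plain AES-PRF evaluation over a round counter, a placeholder for the fixed scheduling rule of DSSW14 (which lets pools recover at different entropy rates).

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"math/big"
)

// Added example, not the deck's code: scaled-down instances of the slides' AES based
// constructions. Assumption (mine): GF(2^128) with the GCM polynomial replaces
// GF(2^512)/GF(2^1024), so seeds, states, inputs and extracted keys are 128 bits,
// next uses AES-128 and the truncations [.]_128 / [.]_256 of the slides become trivial.
//   DPR+13: refresh S' = S.X + I, next U = [X'.S];  DSSW14: pools + scheduler + register S_rho
const n, numPools = 128, 32 // field and state size in bits; pools G_i as on the slide
var reduction = new(big.Int).SetBit(big.NewInt(0x87), n, 1) // x^128 + x^7 + x^2 + x + 1

// gfMul: carry-less multiplication, then reduction modulo the irreducible polynomial.
func gfMul(a, b *big.Int) *big.Int {
	prod := new(big.Int)
	for i := 0; i < b.BitLen(); i++ {
		if b.Bit(i) == 1 {
			prod.Xor(prod, new(big.Int).Lsh(a, uint(i)))
		}
	}
	for prod.BitLen() > n { // degree >= n: cancel the leading term
		prod.Xor(prod, new(big.Int).Lsh(reduction, uint(prod.BitLen()-1-n)))
	}
	return prod
}

func toInt(b []byte) *big.Int   { return new(big.Int).SetBytes(b) }
func toBytes(x *big.Int) []byte { return x.FillBytes(make([]byte, n/8)) }

// aesBlock returns AES_key(ctr) with ctr as a big-endian 128-bit counter.
func aesBlock(key []byte, ctr uint64) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	var in, out [16]byte
	binary.BigEndian.PutUint64(in[8:], ctr)
	c.Encrypt(out[:], in[:])
	return out[:]
}

// refreshG (DPR+13): seeded accumulator S' = S.X + I; field addition is xor (inputs <= 16 bytes).
func refreshG(x, input, s []byte) []byte {
	acc := gfMul(toInt(s), toInt(x))
	return toBytes(acc.Xor(acc, toInt(input)))
}

// nextG (DPR+13): extract U = [X'.S], then one two-block call of the standard PRNG under U.
func nextG(xPrime, s []byte) (sNext, r []byte) {
	u := toBytes(gfMul(toInt(xPrime), toInt(s)))
	return aesBlock(u, 1), aesBlock(u, 2)
}

// Fortuna (DSSW14): numPools pools plus the register S_rho; zero values are the initial states.
type Fortuna struct {
	x, xPrime []byte // public seeds (X, X') shared by all pools
	skey      []byte // scheduler key
	round     uint64 // assumption: SC(skey) is AES_skey applied to this counter
	pools     [numPools][n / 8]byte
	rho       [n / 8]byte
}

// Refresh: steps 2-5 of the slide's refresh. The input lands in pool `in`; pool `out` is
// drained by next_out and its output is xored into the register. The PRF-based (in, out)
// choice is a stand-in for the fixed scheduling rule of DSSW14.
func (f *Fortuna) Refresh(input []byte) {
	blk := aesBlock(f.skey, f.round)
	f.round++
	in, out := int(blk[0])%numPools, int(blk[1])%numPools
	copy(f.pools[in][:], refreshG(f.x, input, f.pools[in][:]))
	s, r := nextG(f.xPrime, f.pools[out][:])
	copy(f.pools[out][:], s)
	for i := range r {
		f.rho[i] ^= r[i]
	}
}

// Next: the forward-secure PRNG on the register alone. Output drawn before the pools
// have recovered is only as good as S_rho, which is the premature-next point of the slides.
func (f *Fortuna) Next() []byte {
	rho, r := aesBlock(f.rho[:], 1), aesBlock(f.rho[:], 2)
	copy(f.rho[:], rho)
	return r
}

func main() {
	seed := make([]byte, 3*n/8) // X, X' and skey, sampled as setup / setup_G do
	if _, err := rand.Read(seed); err != nil {
		panic(err)
	}
	f := &Fortuna{x: seed[:16], xPrime: seed[16:32], skey: seed[32:]}
	f.Refresh([]byte("entropy event 01")) // constructed 16-byte input standing in for an entropy source
	fmt.Printf("%x\n", f.Next())
}
```

Two properties worth checking against the slides: with S = 0, a single refresh gives exactly I, and two refreshes give I_1 · X + I_2, so swapping the inputs changes the state whenever X is not 1, which is the accumulator behaviour the model relies on; and Next only ever touches S_ρ, so pools that have not yet been drained through next_out contribute nothing to the output, which is what the multi-pool design buys against a premature next.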