Lecture 17
Chapter 8
Random Bit Generation and
Stream Ciphers
© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
Outline
• Random Number and Pseudorandom Number
• True Random Number Generator (TRNG)
• Pseudorandom Number Generator (PRNG)/
Pseudorandom Function (PRF)
© 2020 Pearson Education, Inc.,
Hoboken, NJ. All rights reserved.
Generating Random
numbers
♦
♦
This is a surprisingly difficult task for a computer.
There are two main approaches:
–
Pseudorandom Number Generators
•
•
–
Typically an algorithm which actually produces a deterministic
set of numbers that appear to be random.
Can be based off block ciphers, because block ciphers tend to
produce quit random looking blocks.
True Random Number Generators
•
Typically uses something in the environment as a source of
randomness.
–
Perhaps keyboard/mouse movements, sound, hard drive activity etc.
Random Numbers
• A number of network security algorithms and
protocols based on cryptography make use of
random binary numbers:
• Key generation for block cipher
• Generation of a bit stream for symmetric
stream encryption
Randomness
There are two distinct
requirements for a
sequence of random
numbers:
Unpredictability
© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
Randomness
Two criteria are used to validate that
a sequence of numbers is random:
Uniform distribution
•The frequency of occurrence of ones and
zeros should be approximately equal
Independence
• No one subsequence in the sequence can be
inferred from the others
© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
Unpredictability
• With “true” random sequences each number is
statistically independent of other numbers →
unpredictable
• True random numbers limitations: inefficiency
• Therefore, it is more common to implement
algorithms that generate numbers that appear to
be random → pseudorandom number
• Care must be taken that an opponent not be able
to predict future elements of the sequence
based on earlier elements
© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
Pseudorandom Numbers
• Cryptographic applications typically make use
of algorithmic techniques for random number
generation
• These algorithms are deterministic and
therefore produce sequences of numbers that
are not statistically random
• If the algorithm is good, the resulting
sequences will pass many tests of randomness
and are referred to as pseudorandom numbers
© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
Contextspecific
Seed values
Source of
true
randomness
Seed
Conversion
to binary
Deterministic
algorithm
Deterministic
algorithm
Random
bit stream
Pseudorandom
bit stream
Pseudorandom
value
(a) TRNG
(b) PRNG
(c) PRF
TRNG = true random number generator
PRNG = pseudorandom number generator
PRF = pseudorandom function
Figure 8.1 Random and Pseudorandom Number Generators
© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
Entropy
♦
♦
You’ll see the word Entropy used a lot when
talking about random number generators
It’s a measure of how much randomness you might
have.
–
–
Computers are deterministic so they by default have 0
entropy.
Other sources can introduce entropy such as user clicks
with their mouse and keyboard.
True Random Number
Generator (TRNG)
• Takes as input a source that is effectively random
• The source is referred to as an entropy source and
is drawn from the physical environment of the
computer
• Includes things such as keystroke timing patterns,
disk electrical activity, mouse movements, and
instantaneous values of the system clock
• The source, or combination of sources, serve as
input to an algorithm that produces random binary
output
• The TRNG may simply involve conversion of an
analog source to a binary output
© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
First let’s talk about seeds
♦
Pseudorandom Number Generators require a seed.
–
♦
♦
♦
As the name implies it’s a starting place for the
algorithm. Different seeds will produce different strings
of random numbers from the pseudorandom generator.
Typically it’s a number that has to be carefully
chosen.
The seed must be a secret. If it can be guessed you
can calculate the next numbers in the sequence.
Often a True Random Number Generator is used to
pick the seed, which then feeds the Pseudorandom
generator.
Pseudorandom Number
Generator (PRNG)
• Takes as input a fixed value,
called the seed, and produces
a sequence of output bits
using a deterministic
algorithm
• Quite often the seed is
generated by a TRNG
• The output bit stream is
determined solely by the
input seed.
• An adversary who knows the
algorithm and the seed can
reproduce the entire bit
stream
© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
Two different forms of PRNG
Pseudorandom
number
generator (PRNG)
• An algorithm that is
used to produce an
open-ended
sequence of bits
• Application:
Generate key for a
symmetric stream
cipher
Pseudorandom
function (PRF)
• Used to produce a
pseudorandom
string of some fixed
length
• Applications:
symmetric
encryption keys and
nonces
PRNG Requirements
• If used for a cryptographic application, an
adversary who does not know the seed is
unable to determine the pseudorandom string
• The requirement for secrecy of PRN:
• Randomness
• Unpredictability
• Characteristics of the seed
© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
Randomness
• The generated bit stream needs to appear
random even though it is deterministic
• NIST SP 800-22 specifies that the tests should
seek to establish three characteristics:
• Uniformity: 1/2
• Scalability: subsequence
• Consistency: consistent with seed
© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
Goals
♦
♦
Ideally random number generators would be:
Random
–
♦
Scalability
–
♦
If you are picking 0’s and 1’s. Ideally your output should
on average give 50% of each.
Even if I look at a short or very long segment of your
output the above should still be true
Consistency
–
Regardless of the seed used to start the algorithm, the
output should remain random.
Unpredictability
• Two forms of unpredictability:
• Forward unpredictability
• If the seed is unknown, the next output bit in the
sequence should be unpredictable despite any
knowledge of previous bits in the sequence
• Backward unpredictability
• It should not be feasible to determine the seed
from knowledge of any generated values
• No correlation between a seed and any value
generated from that seed
• Each element of the sequence should appear to
be the outcome of an independent random
event with probability of 1/2
© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
Tests
♦
How to evaluate Randomness?
–
Frequency Test
•
–
Run test
•
•
–
The count of 0’s and 1’s in the output is pretty even.
A run is a string of the same bit (e.g. 11111 or 000)
There should be similar numbers of runs of 1’s and 0’s. Likewise
the average length of a run of 1’s should be similar to the
average length of runs of 0’s.
Maurer’s universal statistical test.
•
How far do you have to go to see a repeat of the same numbers.
Ideally far.
Seed Requirements
• The seed must be secure and unpredictable
• The seed itself must be a random or
pseudorandom number
• Typically, the seed is generated by TRNG
© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
Entropy
source
True random
number generator
(TRNG)
Seed
Pseudorandom
number generator
(PRNG)
Pseudorandom
bit stream
Figure 8.2 Generation of Seed Input to PRNG
© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
Linear Congruential Generator
• An algorithm that is parameterized with four numbers:
m the modulus
m>0
a
the multiplier
0 < a< m
c
the increment
0≤ c < m
X0 the starting value, or seed
0 ≤ X0 < m
• The sequence of random numbers {Xn} is obtained via the following
iterative equation:
Xn+1 = (aXn + c) mod m
• If m , a , c , and X0 are integers, then this technique will produce a
sequence of integers with each integer in the range 0 ≤ Xn < m
• The selection of values for a , c , and m is critical in developing a
good random number generator
© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
Linear Congruential Generator
• The sequence of random numbers {Xn} is obtained
via the following iterative equation:
Xn+1 = (aXn + c) mod m
• The selection of values for a , c , and m is critical in
developing a good random number generator
Sample selection rules if c <> 0
• a=c=1 is not a good selection.
then ensure that:
• a=7, c=0, m=32, X0=1?
GCD(m,c) = 1
• Sequence: {7, 17, 23, 1, 7, 17, 23, 1, 7, …} a-1 is divisible by all prime
factors of m
• Not satisfactory
a-1 is divisible by 4 if m is
divisible by 4
• m should be nearly equal to the maximum
representable nonnegative integer, such as 231.
© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
Linear Congruential Generator
• Vulnerable to attacks:
• The attacker has the knowledge of X0, X1, X2, X3
• X1 = (aX0 + c) mod m
• X2 = (aX1 + c) mod m
• X3 = (aX2 + c) mod m
• It is easy to calculate a, c and m.
• Improve:
• Restart the sequence after every N numbers using
the current clock value (mod m) as the new seed.
• Another way would be simply to add the current
clock value to each random number (mod m).
© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
Examples
♦
An example algorithm is:
–
–
–
X(n+1) = (aXn+c) mod (231 -1) [in here, where c = 0]
We’d start with a seed which fills in the first X. The subsequent
X’s are calculated.
A “good” value for a is 7^5 (picked by IBM) = 16807
Seed = 9182
First Number = 16807 x 9182 mod (2^31 -1)
154,321,874 mod 2,147,483,647 = 154,321,874
Second Number = 16807 x 154,321,874 mod 2,147,483,647
= 1,674,974,389
Another way to add “randomness” is to add the system clock
to this, or change the seed every few seconds.
♦
♦
♦
♦
The well known ZedX (ZX81) uses: m = 216+1, a = 75, c = 74
Gcc uses m = 231, a = 1103515245, c = 12345
MMIX m = 264, a = 6364136223846793005, c = 1442695040888963407
Blum Blum Shub (BBS)
Generator
• Has perhaps the strongest public proof of its
cryptographic strength of any purpose-built
algorithm
• Referred to as a cryptographically secure
pseudorandom bit generator (CSPRBG)
• The security of BBS is based on the difficulty of
factoring n
© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
Initialize
with seed s
Generate
x2 mod n
Select least
significant bit
[0, 1]
Figure 8.3 Blum Blum Shub Block Diagram
© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
Blum Blum Shub
Generator
♦
Pick 2 large prime numbers that yield 3 when mod 4.
–
–
–
–
–
E.g. p=1091 and q=1151
n=1091*1151 = 1,255,741
Pick a random s which is relatively prime to n (e.g. 285,202)
Calculate the first number s^2 mod n
In a loop you’ll calculate the next:
•
•
♦
PreviousNumber^2 mod n
Pick the last bit of this by doing mod 2.
Implemented Java code here:
–
https://repl.it/@EndaSullivan/Blum-Blum-Shub-Generator
Table 8.1 Example Operation of BBS Generator
i
Xi
Bi
i
Xi
Bi
0
1
2
3
4
20749
143135
177671
97048
89992
1
1
0
0
11
12
13
14
15
137922
123175
8630
114386
14863
0
1
0
0
1
5
6
7
8
9
174051
80649
45663
69442
186894
1
1
1
0
0
16
17
18
19
20
133015
106065
45870
137171
48060
1
1
0
1
0
10
177046
0
© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
PRNG Using Block Cipher Modes of
Operation
• Two approaches that use a block cipher to
build a PNRG have gained widespread
acceptance:
• CTR mode
• Recommended in NIST SP 800-90, ANSI standard
X.82, and RFC 4086
• OFB mode
• Recommended in X9.82 and RFC 4086
© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
Using a block cipher
♦
Since the output of a block cipher encryption looks
random why not just use it.
–
♦
You need to change the input text in a non predictable
way.
There are 2 commonly accepted solutions:
–
CTR (using the counter block cipher operation)
•
•
–
Start with a number. Encrypt it using AES with a key. The
output is your random bits.
Increment the number, go again, append result to previous
block.
OFB (using the output feedback block cipher operation)
•
Start with a random IV, encrypt it with your key, make the
ciphertext the next IV.
Other popular PseudoRand
generators
♦
ANSI X9.17 PseudoRandom
–
–
–
♦
Used in PGP and other things.
Uses Triple DES with 2 keys. They are the secret
As usual 3DES implies: Encrypt, Decrypt, Encrypt
CTR_DRBG
–
–
–
–
Implemented in most intel processors for random
number generations
Employes 3DES or AES
As name suggests uses CTR chaining.
Uses an entropy source often clock, keyboard etc.
Stream Ciphers (RC4)
♦
Given what we’ve just learned, you should realize
you could use a Pseudo Random Number
Generator (PRNG) as an encryption algorithm.
–
–
♦
Simply generate a very long “one time pad” and xor the
plaintext to it. The result is very secure cipher text.
To work, the user must know the PRNG algorithm, and
the seed.
RC4 was once a popular encryption method based
on this idea.
RC4
♦
Very simple to implement in software. Very fast,
was once a favored encryption scheme.
–
–
Used in WEP (original security protocol in 802.11 wireless
ethernet). Then in it’s successor WPA. It’s not use in
WPA2 which is what most people use today
Was used in SSL (original security protocol used by web
servers and web browsers. (No longer permitted after
2015).
Implementation step 1
A state array (S) is initialized with a key (either filled or
repeated)
For i = 0 to 255 do
S[i] =i;
T[i] = K[i mod keylen];
A permutation happens on the state array.
j=0
For i = 0 to 255 do
j=(j+S[i] + T[i]) mod 256;
Swap (S[i],S[j]);
♦
♦
Implementation step2
I, j = 0;
While (true)
i=(i+1) mod 256;
J = (j+S[i]) mod 256;
Swap (S[i], S[j]);
T = (S[i] + S[j]) mod 256;
K = S[t];
♦
This produces a stream of random bits, which you
can xor plaintext with.
RC4 strength
♦
♦
♦
Developed by RSA it was initially proprietary
The source code was leaked
It was great for a long time.
–
–
Eventually problems started to pop up, and the strength
of the algorithm started to wane.
In the end it was determined that RC4 can no longer be
used.
1
+
V
K
Encrypt
V
K
Encrypt
pseudorandom bits
pseudorandom bits
(a) CTR Mode
(b) OFB Mode
Figure 8.4 PRNG Mechanisms Based on Block Ciphers
© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
Table 8.2 Example Results for PRNG Using OFB
Output Block
Fraction of
One Bits
1786f4c7ff6e291dbdfdd90ec3453176
5e17b22b14677a4d66890f87565eae64
fd18284ac82251dfb3aa62c326cd46cc
c8e545198a758ef5dd86b41946389bd5
fe7bae0e23019542962e2c52d215a2e3
14fdf5ec99469598ae0379472803accd
6aeca972e5a3ef17bd1a1b775fc8b929
f7e97badf359d128f00d9b4ae323db64
0.57
0.51
0.47
0.50
0.47
0.49
0.57
0.55
© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
Fraction of Bits that
Match with
Preceding Block
—
0.52
0.54
0.44
0.48
0.52
0.48
0.45
Table 8.3 Example Results for PRNG Using CTR
Output Block
Fraction of
One Bits
1786f4c7ff6e291dbdfdd90ec3453176
60809669a3e092a01b463472fdcae420
d4e6e170b46b0573eedf88ee39bff33d
5f8fcfc5deca18ea246785d7fadc76f8
90e63ed27bb07868c753545bdd57ee28
0125856fdf4a17f747c7833695c52235
f4be2d179b0f2548fd748c8fc7c81990
1151fc48f90eebac658a3911515c3c66
0.57
0.41
0.59
0.59
0.53
0.50
0.51
0.47
© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
Fraction of Bits that
Match with
Preceding Block
—
0.41
0.45
0.52
0.52
0.47
0.48
0.45
True Random Number
Generators
Sources of true random numbers:
♦
–
–
–
♦
Sound/Video input (the static between radio stations is
the seed for random.com)
Speed of hard drives fluciates, if you measure that it’s a
source of random stuff
Move your mouse to produce random numbers.
Watching for patterns
–
You must be careful to pick things that don’t have
hidden patterns.
TRNG vs PRNG
♦
While TRNG are more random, they are less
efficient. Think of the radio waves, how many
numbers can you get out of that?
–
–
Instead TRNG are typically used as the seeds for PRNGs
which then generate bits that are very random.
This is a good tradeoff of speed and randomness.
Summary
• Explain the concepts of
randomness and
unpredictability with
respect to random
numbers
• Present an overview of
requirements for
pseudorandom
number generators
© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
• Understand the
differences among true
random number
generators,
pseudorandom
number generators,
and pseudorandom
functions
• Explain how a block
cipher can be used to
construct a
pseudorandom
number generator