
4.2. RANDOM NUMBER GENERATORS 31

32 CHAPTER 4. RANDOM NUMBERS, GENERATION AND TESTING

random number machines to generate tables of random numbers continued with the publishing of 1,000,000 digits by the Rand Corporation. Their generator could best be described as an electronic roulette wheel. The first version produced sequences with a statistical bias. The Rand Corporation had to optimize and fix their machine, but even after this the new sequences showed a slight statistical bias. However, the random sequences were deemed to be “good enough.”

Even though tables provided researchers with a larger selection of random numbers, this method still had its drawbacks. It required large amounts of memory, since each random number had to be preloaded into memory, and it took a long time to input the data. At this point RNG research branched into two paths: the algorithmic approach and the sampling of physical systems. The algorithmic approach looked into producing random numbers by using the computer’s arithmetic operations, and this led to the creation of deterministic random number generators, or pseudorandom number generators. Sampling of physical systems, however, looked at how to create statistically acceptable sequences from natural random sources. These random number generators are called “true” random number generators, since they are based on a truly random source.

Remark 4.2.1. A detailed timeline for random number machines can be found in [Rit02].

4.2.2 Properties of random number generators

When looking at a random number generator, how can one determine whether it is a source of random numbers? Four properties distinguish a random number generator from an ordinary number generator. The best way to illustrate these properties is to examine a simple random number generator. One of the most recognized and widely used RNGs is the coin toss, provided the coin is assumed to be “fair.”

By assigning “0” and “1” to the two sides of the coin, it can be used to generate a random binary sequence. The first property to notice is that the result of each toss is not affected in any way by the previous tosses. This means that if ten ones are tossed in a row, the probability of tossing an eleventh one is still 50%. This example illustrates the property of independence: previous results do not affect future results.

Random number generators can be designed to produce any range of values, or distribution. When analyzing the output of common RNGs, the values usually follow a uniform distribution, which means that every value in the specified range has an equal probability of occurring. The distribution does not need to be uniform; for some simulations a designer may wish to produce a random sequence following a normal or other distribution. For cryptographic applications it is important that the distribution is uniform. A nonuniform distribution lets an attacker concentrate on a smaller group of likely values when attacking the system.

There are physical and computational limits to the size of numbers that an RNG can create. These limitations impose a natural boundary on the RNG, and once it has reached these limits the RNG repeats its output. This defines the period of the RNG. A well designed RNG will only be bound by the hardware limits. If the RNG is designed without care, there can be multiple cycles that the RNG could fall into, depending on the seed, each shorter than the ideal period.

The size of the random sequences required depends on the application. Cryptographic applications require relatively small sequences, in the range of 1024 bits depending on the algorithm, whereas simulations require extremely large sequences. A good example is the Monte Carlo simulation, which may require random sequences up to a billion bits in length, or even more. Therefore, RNGs need to be very efficient and must generate numbers quickly.

The next sections examine the different properties of three classes of random number generators: pseudo, true, and cryptographic random number generators. Each has its own unique requirements and restrictions.

4.2.3 Types of random number generators

Pseudorandom number generators

As mentioned in the history of RNGs (cf. Subsection 4.2.1), the development of random number generators branched with the advent of computers. Researchers looked for methods to create large random sequences by using algorithms. Using such algorithms, they were able to produce sequences which mimic the properties of “true” random generators. Since they are created by a deterministic equation, they cannot be called “truly” random. This led to a new class of generators, called pseudorandom number generators (PRNGs).

Compared to true random number generators, PRNGs are easier to implement in both hardware and software, and they also produce large sequences very quickly. In [L’E98, L’E01], a PRNG is described as a structure of the form $(X, x_0, f, f_t, f_o, Z)$, where $X$ is the finite set of states with a probability distribution $\delta$ on it. The element $x_0 \in X$ is called the initial state or seed. Using the transition function $f_t$ and the output function $f_o$ as shown in Algorithm 1, a pseudorandom sequence $(z_0, \ldots, z_n)$ with $z_i \in Z$ can be generated, with $Z = [0, 1)$ as the output set.

Algorithm 1 A pseudorandom number generator.

INPUT: An integer $n$.
OUTPUT: A pseudorandom sequence $(z_0, \ldots, z_n)$ with $z_i \in Z$.
1. for $i = 0$ to $n$ do
2.     $x_{i+1} \leftarrow f_t(x_i)$
3.     $z_i \leftarrow f_o(x_i)$

The benefit of the PRNG is its ability to quickly produce large sequences of statistically random numbers. This is very important for running simulations whose input data may require millions or even billions of random values. Caution must be taken when using pseudorandom number generators for cryptographic applications. Attacks have been published that are able to recover the internal state (the “secret” generator values) of some types of pseudorandom generators from their output, which enables an attacker to reproduce the sequence exactly. Cryptographically secure RNGs are discussed later in Subsection 4.2.3.

Table 4.1: Characteristics of pseudo- and true random number generators.

    True RNG                   Pseudo-RNG
    Physical random source     Deterministic algorithm
    Slow                       Fast
    Hard to implement          Easy to implement

True random number generators

A computer algorithm can only create pseudorandom sequences. However, there exist a variety of phenomena related to a computation that are nondeterministic. Some examples are noise generated by a transistor, a dual oscillator, air turbulence in a hard drive, or capturing user input on the computer. Whatever the source of natural entropy, the data need to be digitized and converted into a working space, often a binary sequence. True random number generators provide a source of random numbers that is impossible to predict (nondeterministic), but at the cost of sequence generation speed. Therefore, these generators are generally suitable for cryptographic applications but unsuitable for simulations. Natural entropy is a good source of randomness, but care must still be taken to examine the sequence for other weaknesses: correlation or superposition of regular structures. To overcome these weaknesses, the digitized analogue signal is post-processed mathematically to mask such weaknesses. Table 4.1 shows the characteristics of both pseudo- and true random number generators.

Cryptographic random number generators

Cryptography has taken on a new importance as more personal and financial information is available in digital form. The strength of encrypted messages depends on many factors, one of which is the random number sequence used in key generation. Many people believe that the random number generator provided with their compiler or math package is good enough. However, research has shown that these are very insecure for cryptographic applications. An example of an insecure RNG is one where an attacker who knows the pseudorandom algorithm and has observed a generated sequence can use this information to calculate future values. With these values the attacker can calculate a secret key.

Cryptographic random number generators have an added property compared to other generators: they need to be unpredictable, given knowledge of the algorithm and previously generated bits.

These properties can be found in both pseudo- and true random number generators. Often the most efficient method of creating cryptographically secure random number sequences is to combine the two generator types.

4.2.4 Popular random number generators

This subsection describes three common random number generators, but there are many more available [NIS99b, APS96, And00, Knu97, Ent98]. Care must be taken to select the correct generator for the required application.

Linear congruential generator (LCG)

The Linear Congruential Generator (LCG) is a classic pseudorandom number generator and has been published in many journals and books [Knu97, Car94, Ent98]. The LCG can be fully described using the following formula:

$X_n = (aX_{n-1} + c) \bmod m$ (4.2)

with $a$ the multiplier, $c$ the increment and $m$ the modulus. Care has to be taken when selecting the constants, since it is very easy to create a poor random generator. This generator is so popular because it is simple to implement in both software and hardware once the constants have been selected. Another benefit of this algorithm is its low memory requirement, since only the last value and the constants are required to calculate a new value. Knuth [Knu97] dedicates a large portion of his chapter on LCGs to the selection of each constant.

Table 4.2 lists popular linear congruential generators. The constants used and the quality of the generator are shown along with the generator’s name. Two noteworthy LCGs are RANDU and the ANSI-C generator, which can still be found in many mathematical packages and compilers. Both generators have been extensively studied, and their quality was found to be very poor. Park and Miller [PM98] describe RANDU as:

“RANDU represents a flawed generator with no significant redeeming features. It does not have a full period and it has some distinctly non-random characteristics.”

As for the ANSI-C generator, it was found to be very nonrandom in its lower bits.
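The following is an added example, not code from the thesis, that puts the LCG of equation (4.2), the period property from Subsection 4.2.2, and the state-recovery attack alluded to in the PRNG and cryptographic-RNG discussions into runnable form. The RANDU and ANSI-C constants are those of Table 4.2; the small (a, c, m) values used to show short cycles, the window size in low_bits_period, and all function names are choices made for this example. The RANDU triple relation X[n+2] = 6·X[n+1] − 9·X[n] (mod 2^31) is a known property of its multiplier, not a claim taken from the page.

```python
# Added example, not from the thesis: a minimal LCG (eq. 4.2) with checks that
# expose the period, low-bit and predictability weaknesses discussed above.
# RANDU and ANSI-C constants follow Table 4.2; the toy (a, c, m) values used to
# illustrate short cycles are chosen here for illustration only.

ANSI_C = (1103515245, 12345, 1 << 31, 12345)   # (a, c, m, seed)
RANDU = (65539, 0, 1 << 31, 1)                 # RANDU needs an odd seed

def lcg(a, c, m, seed, n):
    """First n outputs X_1..X_n of X_n = (a*X_{n-1} + c) mod m, starting from X_0 = seed."""
    out, x = [], seed
    for _ in range(n):
        x = (a * x + c) % m
        out.append(x)
    return out

def period(a, c, m, seed):
    """Length of the cycle the generator falls into from `seed`.
    Stores every state seen, so it is meant for small m only."""
    seen, x, i = {}, seed, 0
    while x not in seen:
        seen[x] = i
        x = (a * x + c) % m
        i += 1
    return i - seen[x]

def low_bits_period(a, c, m, seed, k, window=256):
    """Smallest period of the k least-significant output bits, found by brute force
    over a window of outputs. When m is a power of two, the low k bits of an LCG
    form an LCG modulo 2^k on their own, so their period can never exceed 2^k."""
    mask = (1 << k) - 1
    s = [x & mask for x in lcg(a, c, m, seed, window)]
    for p in range(1, len(s)):
        if all(s[i] == s[i + p] for i in range(len(s) - p)):
            return p
    return None

def randu_relation_holds(seed=1, n=1000):
    """RANDU (a = 65539 = 2^16 + 3, c = 0, m = 2^31) satisfies
    X_{n+2} = 6*X_{n+1} - 9*X_n (mod 2^31) for every n, because a^2 = 6a - 9 (mod 2^31).
    Consecutive triples therefore lie on a few planes: one of the “distinctly
    non-random characteristics” Park and Miller refer to."""
    a, c, m, _ = RANDU
    x = lcg(a, c, m, seed, n)
    return all((6 * x[i + 1] - 9 * x[i]) % m == x[i + 2] for i in range(n - 2))

def recover_lcg(x1, x2, x3, m):
    """Recover (a, c) of an LCG with known modulus m from three consecutive outputs:
    a = (x3 - x2) * (x2 - x1)^-1 mod m,  c = x2 - a*x1 mod m.
    Returns None when (x2 - x1) is not invertible mod m (e.g. RANDU's odd-only outputs).
    This is the attack the text alludes to: once the state is known, every future
    value is predictable, so a plain LCG must never be used to derive keys."""
    try:
        inv = pow((x2 - x1) % m, -1, m)
    except ValueError:
        return None
    a = (x3 - x2) * inv % m
    c = (x2 - a * x1) % m
    return a, c

def demo_ansi_c_recovery():
    """Recover ANSI-C's constants from three outputs and predict the fourth.
    Returns (constants recovered correctly, fourth output predicted correctly)."""
    a0, c0, m, seed = ANSI_C
    x1, x2, x3, x4 = lcg(a0, c0, m, seed, 4)
    a, c = recover_lcg(x1, x2, x3, m)
    return (a, c) == (a0, c0), (a * x3 + c) % m == x4

if __name__ == "__main__":
    print("full-period toy LCG (a=5, c=1, m=16):", period(5, 1, 16, 0))
    print("poor toy LCG (a=3, c=0, m=16) cycle lengths from seeds 1, 2, 0:",
          [period(3, 0, 16, s) for s in (1, 2, 0)])
    print("RANDU triples satisfy X[n+2] = 6X[n+1] - 9X[n]:", randu_relation_holds())
    a, c, m, seed = ANSI_C
    print("ANSI-C low-bit periods for k = 1..4:",
          [low_bits_period(a, c, m, seed, k) for k in (1, 2, 3, 4)])
    print("ANSI-C (constants recovered, X4 predicted):", demo_ansi_c_recovery())
```

The toy generator with a = 3, c = 0, m = 16 shows the "multiple cycles" case from Subsection 4.2.2: seeds 1, 2 and 0 fall into cycles of length 4, 2 and 1, none of them anywhere near 16. The ANSI-C check shows why its lower bits are called nonrandom: bit 0 simply alternates, and the low k bits repeat every 2^k outputs regardless of the full period. The recovery step is the practical reason a statistically acceptable PRNG can still be cryptographically useless.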

Table 4.2: Popular LCGs.

    Generator                  a            c       m          seed    Good/Poor
    RANDU                      65539        0       2^31       --      Poor
    ANSI-C                     1103515245   12345   2^31       12345   Poor
    Minimum Standard [PM98]    16807        0       2^31 - 1   --      Good

Note: Generators are rated good or poor by how well they pass empirical tests.

Blum-Blum-Shub generator (computationally perfect PRNG)

The Blum-Blum-Shub (BBS) generator is an example of a class of provably secure random number generators. Its security rests on a complexity-theoretic assumption: that factoring the modulus (equivalently for this generator, deciding quadratic residuosity modulo it) is intractable, which in particular requires $P \neq NP$. The BBS generator was first published in 1986 by Blum et al. [BBS86], who showed that squaring modulo $m$, i.e. the recurrence

$X_{n+1} = X_n^2 \bmod m$ (4.3)

is very easy to compute in the forward direction, whereas the backward calculation, finding a square root modulo $m$ when $m$ is large and its factorization is unknown, is very difficult. The modulus is $m = p_1 p_2$, where $p_1$ and $p_2$ are large Blum primes, i.e. primes satisfying:

$p \equiv 3 \pmod{4}$, so that $-1$ is not a square modulo $p$.

The BBS generator is targeted towards cryptographic applications. It is not a permutation generator, which means the period of the generator is not necessarily $m - 1$; the period depends on the seed, which must be chosen coprime to $m$. This makes the BBS generator unsuitable for stochastic simulations.
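As an added example, not the thesis's own code, the toy generator below implements equation (4.3) with the tiny Blum primes 11 and 23 (chosen here for illustration; real deployments use primes of hundreds of digits) and shows the three points made above: the Blum-prime condition, the seed-dependent period well below m − 1, and the asymmetry between the easy forward step and the backward step, which becomes easy again only for whoever holds the factors of m. Function names and the choice of the least-significant bit as output are assumptions of this example.

```python
# Added example, not from the thesis: a toy Blum-Blum-Shub generator (eq. 4.3)
# with tiny Blum primes, plus the trapdoor that lets the holder of the
# factorisation of m run it backwards. Primes 11 and 23 are illustrative only.
from math import gcd

def is_prime(n):
    return n >= 2 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def is_blum_prime(p):
    """A Blum prime is a prime p with p = 3 (mod 4); then -1 is a non-square mod p."""
    return is_prime(p) and p % 4 == 3

def is_qr(a, p):
    """Euler's criterion: a (non-zero mod p) is a square modulo the odd prime p."""
    return pow(a % p, (p - 1) // 2, p) == 1

def bbs_states(seed, p, q, n):
    """x_0 = seed^2 mod m, x_{i+1} = x_i^2 mod m; returns x_0 .. x_{n-1}.
    The seed must be coprime to m = p*q, otherwise the sequence collapses."""
    m = p * q
    if not (is_blum_prime(p) and is_blum_prime(q)) or gcd(seed, m) != 1:
        raise ValueError("need two Blum primes and a seed coprime to m")
    x, states = seed * seed % m, []
    for _ in range(n):
        states.append(x)
        x = x * x % m
    return states

def bbs_bits(seed, p, q, n):
    """Output bit of each step: the least-significant bit of the state (the usual choice)."""
    return [x & 1 for x in bbs_states(seed, p, q, n)]

def state_period(seed, p, q):
    """Cycle length of the state sequence. Squaring permutes the quadratic residues
    modulo a Blum integer, so the sequence is purely periodic from x_0; the period
    depends on the seed and is generally far below m - 1."""
    m = p * q
    x0 = seed * seed % m
    x, i = x0 * x0 % m, 1
    while x != x0:
        x, i = x * x % m, i + 1
    return i

def previous_state(x, p, q):
    """Run eq. 4.3 backwards using the factorisation of m. For a Blum prime a square
    root of x mod p is x^((p+1)/4). Of the four roots mod m obtained by CRT exactly
    one is itself a quadratic residue; that one is the predecessor state. Without
    p and q this step is as hard as factoring m, which is the BBS security claim."""
    m = p * q
    rp, rq = pow(x, (p + 1) // 4, p), pow(x, (q + 1) // 4, q)
    for sp in (rp, p - rp):
        for sq in (rq, q - rq):
            r = (sp * q * pow(q, -1, p) + sq * p * pow(p, -1, q)) % m  # CRT
            if is_qr(r, p) and is_qr(r, q):
                return r
    raise ValueError("x is not a quadratic residue modulo m")

def backwards_matches(seed, p, q, n):
    """Check that previous_state() recovers x_i from x_{i+1} along the whole chain."""
    s = bbs_states(seed, p, q, n)
    return all(previous_state(s[i + 1], p, q) == s[i] for i in range(n - 1))

if __name__ == "__main__":
    print("first 8 output bits:", bbs_bits(3, 11, 23, 8))
    print("state period from seed 3 (m - 1 = 252):", state_period(3, 11, 23))
    print("chain reversible with the factors known:", backwards_matches(3, 11, 23, 20))
```

With m = 253 the state sequence from seed 3 has period 20, not 252, which is the "not a permutation generator" point; and previous_state() shows that the backward direction is only hard for someone without p and q, so the primes are the secret and must be generated and stored with the same care as a private key.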

Cryptographic RNG (hardware RNG)

All previous examples of random number generators used deterministic algorithms. These generators statistically behave like true RNGs but in fact are not. To count as a true random number generator, the source of bits needs to be nondeterministic, which is usually achieved by sampling a natural stochastic process. There are many sources of natural randomness, including radioactive decay, thermal noise, or the noise generated by a reverse-biased diode.

The problem with nondeterministic random sources is the possible presence of bias, meaning that ones or zeros occur more often than the other. A variety of methods have been developed to reduce the effect of bias. Common methods include XORing pairs of successive bits; the von Neumann algorithm [Dav00], which discards pairs of equal bits and emits one bit for each unequal pair, removing the bias of an independent source entirely at the cost of at least half the throughput; or XORing the nondeterministic bit stream with the output of a cryptographically secure random number generator (see Figure 4.1). The last method masks the bias but adds no entropy of its own, so the raw source must still be monitored.
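The three debiasing methods just named, as an added example that is not part of the thesis, run over a constructed biased bit stream so the effect of each is visible. The stream is a seeded software simulation of a raw hardware source with P(1) = 0.7 (a real source is neither seeded nor reproducible); function names are this example's own.

```python
# Added example, not from the thesis: three debiasing methods for a raw
# hardware bit stream, run over a constructed biased stream for comparison.
import random
import secrets

def biased_bits(n, p_one, seed=2024):
    """Constructed stand-in for a raw hardware source: independent bits with P(1) = p_one.
    Seeded so the example is reproducible; a real source would not be."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]

def ones_fraction(bits):
    """Empirical P(1); 0.5 for an unbiased stream."""
    return sum(bits) / len(bits)

def von_neumann(bits):
    """Von Neumann extractor: take non-overlapping pairs, emit 0 for (0,1) and 1 for (1,0),
    drop (0,0) and (1,1). For independent bits with constant bias the output is exactly
    unbiased, because P(0,1) = P(1,0); the price is discarding at least half the input."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(a)
    return out

def xor_pairs(bits):
    """XOR each pair of successive bits. P(1) goes from p to 2p(1 - p): the bias shrinks
    (0.7 -> 0.42 here) but does not vanish, so this is weaker than von Neumann."""
    return [bits[i] ^ bits[i + 1] for i in range(0, len(bits) - 1, 2)]

def whiten_with_csprng(bits):
    """XOR the raw stream with bits from a CSPRNG (the third method in the text).
    The result looks unbiased, but no entropy is added: the output is only as
    unpredictable as the better of the two inputs, so the raw source still needs testing."""
    return [b ^ secrets.randbits(1) for b in bits]

if __name__ == "__main__":
    raw = biased_bits(100_000, 0.7)
    print("raw            P(1) = %.3f, n = %d" % (ones_fraction(raw), len(raw)))
    vn = von_neumann(raw)
    print("von Neumann    P(1) = %.3f, n = %d" % (ones_fraction(vn), len(vn)))
    xp = xor_pairs(raw)
    print("XOR pairs      P(1) = %.3f, n = %d" % (ones_fraction(xp), len(xp)))
    wh = whiten_with_csprng(raw)
    print("XOR w/ CSPRNG  P(1) = %.3f, n = %d" % (ones_fraction(wh), len(wh)))
```

On the constructed stream the von Neumann output lands at P(1) ≈ 0.5 while keeping only about 21% of the bits (2·0.7·0.3 of the pairs), XOR-pairing halves the length and leaves a residual bias at about 0.42, and CSPRNG whitening keeps the full length at P(1) ≈ 0.5 without having removed any of the source's weakness. Note that von Neumann's guarantee depends on the bits being independent; a source with correlated bits (the "superposition of regular structures" mentioned earlier) needs a stronger extractor.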

Hardware random number generators tend to be slower than their pseudorandom counterparts. However, for cryptographic applications, which may need only a few thousand bits, this is usually not a factor. For applications that need many random digits, hardware random generators