
MASARYK UNIVERSITY, FACULTY OF INFORMATICS

Randomness extractors in mobile devices

MASTER'S THESIS

Filip Jurnečka

Brno, Spring 2010

Declaration

Hereby I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references and literature used or excerpted during the elaboration of this work are properly cited and listed in complete reference to the due source.

Brno, May 25, 2010 Filip Jurnečka

Advisor: RNDr. Jan Bouda, Ph.D.

Acknowledgement

I would like to thank my mother for her unyielding support and belief in me. I would also like to thank all of those who helped me to get through my studies.

Abstract

The objective of this thesis is to give an overview of the problematics of randomness extractors, with a focus on finding an extractor suitable for generating random numbers for cryptographic applications in mobile devices. Selected extractors, chosen according to their suitability for the given application, will be implemented on a mobile device on a platform chosen by the student.

Keywords

Evaluation hash, extractor, JavaME, mobile, pseudorandom, shift register hash, truly random, weak source.

Contents

Chapter outline
1 Introduction
1.1 Troubles with implementations of PRNGs
1.2 Usage of randomness
1.2.1 Deterministic vs randomized algorithms
1.2.2 Randomness in cryptography
2 Sources of randomness
2.1 Definitions
2.2 Weak random sources
3 Randomness extractors
3.1 Preliminaries
3.2 Definitions
3.3 Tradeoffs
3.3.1 Simulating BPP
3.3.2 Lower bounds
3.4 Applications of extractors
3.5 Overview of constructions
3.6 Extractors using hash functions
4 Randomness in mobile devices
4.1 Smart cards
4.2 Mobile phones
4.2.1 Categorization of mobile phone random sources
4.2.2 Analysis of available sources
4.3 Analysis of underlying platforms
4.3.1 Symbian platform
4.3.2 Blackberry OS
4.3.3 iPhone OS
4.3.4 Windows Mobile
4.3.5 Embedded Linux
4.3.6 Android
4.4 Argumentation for chosen source and platform
5 Construction and implementation
5.1 Device requirements
5.2 Processing data from camera
5.3 Implementation of shift register hash based extractor
5.4 Implementation of Evaluation Hash based extractor
6 Conclusion

Chapter outline

This thesis deals with the problem of acquiring close to uniformly distributed random data, especially in mobile phones. Since these devices gain in computational power and in range of usage, such data are required mainly for cryptographic purposes, in order to protect communication and these devices in general. However, manufacturers of these devices provide little to no support for third-party developers. Therefore, we decided to generate close to uniformly distributed random data in mobile devices using a randomness extractor. Although some constructions were described in several papers, we were unable to find any implementations and thus could not perform any statistical comparison of them. Therefore, we decided to implement two extractors based on the constructions described in [BMT+06] and [BKMS09].

In the first chapter, called Introduction, we briefly elaborate on the history of randomness, explain the initial motivation for randomness extractors, their basic meaning, and the alternative approach to generating random data via randomness generators. We enrich the introduction with a few examples of flaws in pseudo-random number generators. We stress the importance of randomness in computation and its most common usage. We provide an example of a problem and its solution using a deterministic algorithm and a randomized one, and discuss their effectiveness. For that purpose we also briefly introduce the complexity classes of randomized algorithms.

The second chapter, Sources of randomness, deals with sources of randomness and especially weak ones. Together with the third chapter, this part of the thesis extends the survey done by Shaltiel [Sha02]. It gives a comprehensive discussion of the history of weak sources examined for deterministic randomness extraction and lists the main applications of extractors as well as achievements in constructions.

The third chapter, Randomness extractors, discusses the mathematical background of randomness and its measurement, and brings the formal definition of an extractor as well as some related terms. Then we clarify what we want to achieve with an extractor and present an early construction of randomness extractors, achievements in the area, and their usage in practice.

In the fourth chapter, Randomness in mobile devices, we try to categorize today's mobile devices (smartphones) and discuss their options regarding sources of randomness. This chapter is mainly built on the dissertation thesis by Jan Krhovják [Krh09]. After that we discuss the platforms on which these devices stand and their usability for the implementation of randomness extractors together with random data acquisition.

The chapter Construction and implementation is critical for this thesis: it describes the process of harvesting randomness from the camera of a mobile phone and its implementation. Then it describes our two implemented extractors in detail. These are based on previous papers by the advisor of this thesis, Jan Bouda, and are intended for further use in mobile devices, since there are no freely accessible implementations of those extractors on the Internet.

The last chapter, Conclusion, presents possible future work in the area of this thesis topic and mentions some open problems regarding randomness extractors.

Chapter 1 Introduction

Randomness, although appearing throughout human history, was at first described only in connection with gambling¹. The first mathematical conceptions were given by , and Christiaan Huygens. The basic, slightly inaccurate, thought they came up with is that outcomes of random processes are equally likely. Nowadays we define randomness as a type of circumstance or event that is described by a probability distribution. Since then randomness as a scientific concept has taken its place in many scientific fields, mainly in physics and mathematics. Now randomness plays a crucial part in , modern evolutionary synthesis, computer communications, gambling industries etc.

Random data are necessary for all of the above, which leads to the question how to obtain them. One already well elaborated concept stands on sources of randomness and their further processing, e.g. via pseudo-random number generators (PRNG). Such sources might be anything you want, like coin flips, a ball in a roulette wheel or atmospheric noise (see chapter 2). When it is not simple to get an answer from the source, pseudo-random generators are used to produce additional randomness. They take the output of a source and transform the need for measurement of a physical phenomenon into algorithmic computation. Since close to uniformly distributed random numbers are difficult to get, using (pseudo-)random number generators is quite common. Another approach is to gather somewhat and transform it into closer to uniformly distributed random data. That is where randomness extractors come in. A randomness extractor is a function that takes in an arbitrary distribution and gives out almost uniformly distributed bits.

1. wrote a book about games of chance, Liber de ludo aleae ("On Casting the Die"). Written in the 1560s, but not published until 1663, it contains the first systematic treatment of probability, as well as a section on effective cheating methods.


1.1 Troubles with implementations of PRNGs

It is important to stress that modern PRNGs are generally very satisfactory. However, improper implementations giving very poor output are still often used.

• There is a famous weakness on the side of Microsoft in their implementation of the pseudo-random number generator for the popular web programming language PHP. See figure 1.1. A bitmap is an image represented by pixels. In this case, if the random generator returned 0, the pixel is black. As you can see, the output of this generator is highly correlated.

Figure 1.1: PHP rand() on Microsoft Windows

• A significant mistake in the PRNG implementation for the OpenSSL Federal Information Processing Standards (FIPS) Object Module v1.1.1 was reported by Geoff Lowe [Low07]. Due to a coding error in the FIPS self-test, the auto-seeding never takes place. That means that the PRNG key and seed which were used correspond with the last self-test. The FIPS PRNG gets additional seed data only from date-time information, so the generated random data is far more predictable than it should be, especially for the first few calls (see [Wea07]).

• The X9.17 PRNG does not properly recover from state compromise. That is, an attacker who compromises the X9.17 triple-DES key, K, can compromise the whole internal state of the PRNG from then on without much additional effort, as examined in [KSW+88] by Kelsey et al.

There are many more, like in an early version of Netscape SSL [GW96], Sun's MIDP Reference Implementation of SSL [SMH05] or the predictable random number generator in Debian's OpenSSL package [Bel08], which caused guessability of cryptographic material created on such systems. As you can see, they can have a critical impact on common computer usage.

1.2 Usage of randomness

Randomness was first examined in the context of gambling and keeps a lot of importance in the gambling industry. Basically, every game a casino offers has at least a slightly higher probability of winning on the casino's side. Take roulette, for instance. If you keep betting both red and black, neither you nor the casino ever lose. But the green zero means a direct win for the casino. Thus the chance is slightly in favor of the casino. And every game you can encounter in such a place works in a very similar way.

Randomness is also important in other areas of human society and interaction, e.g. in the arts, but it is most important in computer communication, cryptography, simulations and many other computer-performed tasks. In communication theory, randomness is seen as noise degrading transmitted data. In cryptography random numbers serve as generators of private keys, but are also often an integral part of the steps of cryptographic algorithms. A popular example is a scientific simulation of virus infections performed by David N. Levy from the University of Alabama at Birmingham, who reported that pseudo-random numbers² were not good enough for such a task.

1.2.1 Deterministic vs randomized algorithms

Deterministic algorithms follow the same execution path every time they are launched. On the other hand, randomized algorithms make decisions based on random data, and their paths and results might (or might not) differ on the same input. Remarkably, there are many problems for which randomized algorithms are better in both time and space complexity than the best known deterministic one. As a motivation you may consider the following problem.

2. The data were generated by the MacOS built-in linear congruential PRNG (see e.g. the definition in [JvOPCA01]).

Problem of finding 1 in an array

DEFINITION: an array of length n consists of the same number of 1s and 0s in arbitrary order. TASK: find an arbitrary index holding a 1.

Deterministic solution: we cannot guarantee fewer computational steps than $\frac{n}{2}$, because for each deterministic strategy there is a worst-case input array ordered in such a way that we would first read all 0s and only after that the wanted 1. Thus the complexity of any deterministic algorithm is $O(n)$.

Randomized solution: there is no input array that would always (for all possible random choices) result in the worst scenario for our strategy, because we always choose an index to test at random. The probability that we are forced to examine $\frac{n}{2} + 1$ elements before finding a 1 in any input is $2^{-\frac{n}{2}}$. Even though the complexity is still linear, the expected running time for arbitrary input is $\sum_{k=1}^{n-1} k \cdot \Pr[X = k]$, where X is the random variable denoting the number of needed comparisons.

COROLLARY: statistically, we will be significantly faster when using this simple randomized algorithm.

Complexity classes of randomized algorithms are defined as follows.

Definition 1.1. The expected running time of a randomized algorithm is an upper bound on the expected running time for each input (the expec- tation being over all outputs of the random number generator used by the algorithm), expressed as a function of the input size.

Definition 1.2. A language L ∈ RP (Randomized Polynomial-Time), BPP (Bounded-Error Probabilistic Polynomial-Time), or ZPP (Zero-Error Probabilistic Polynomial-Time) iff there exists a randomized M and random data y used for making decisions in M, with polynomial expected running time, such that:


Condition   Quantity to be bounded     RP       BPP      ZPP
x ∈ L       Pr_y[M(x, y) accepts]      ≥ 3/4    ≥ 3/4    = 1
x ∉ L       Pr_y[M(x, y) accepts]      = 0      ≤ 1/4    = 0

All values of 3/4 can be replaced by any value strictly greater than 1/2.

Table 1.1: Randomized complexity classes

Another often presented algorithm is the well-known Quicksort algorithm. While using its deterministic variant, the worst case always chooses the smallest element and the time complexity is $O(n^2)$. In the randomized version of this algorithm (choosing pivot elements uniformly at random), we provably achieve time complexity of $O(n \cdot \log n)$.

A rather frequent problem usually computed by randomized algorithms, although a deterministic one exists, is the problem of primality testing. The study of randomized algorithms was spurred by the discovery of a randomized primality test (i.e., determining whether a number is prime or composite) by Robert M. Solovay and Volker Strassen [MV77].

The deterministic approach has been improved from simple testing by dividing n by all prime numbers lower than $\sqrt{n}$, over the elliptic curve primality test with complexity $O(\log^6 n)$ relying on some still unproven statements of analytic number theory, to the most recent AKS primality test discovered by Agrawal, Kayal and Saxena in 2002 [AKS02]. The AKS algorithm ran in $O(\log^{12+\varepsilon} n)$ and was later improved to $O(\log^{6+\varepsilon} n)$, where n is the possibly prime number and ε is a small number. This algorithm is very elegant and in its idea quite simple, and the authors have received many awards for their achievement. Unfortunately, the AKS primality test is slower in practice than probabilistic tests and, although there are many implementations of the AKS test, probabilistic tests are used more often.

Probabilistic primality tests usually work in a three-step cycle.

1. Pick a random number r.

2. Execute some computation and check some equality (corresponding to the chosen test) involving r and the tested number n. If the equality does not hold, then n is a composite number, r is known as a witness for the compositeness, and the test stops.

3. Begin again from the first step until the required probability is achieved.


Such a test is e.g. Fermat primality test based on Fermat’s little theorem.

Theorem 1.3. Fermat's little theorem states that if p is prime and 1 ≤ r < p, then $r^{p-1} \equiv 1 \pmod{p}$.

The previous theorem gives us a direct approach to determining whether a number is composite or prime, which lies in BPP. Unfortunately, for so-called Carmichael numbers³ the test fails. The Solovay-Strassen primality testing algorithm was mostly important because it proved that the decision problem COMPOSITE (is the number n composite?) is in the complexity class RP, and it was of great historical importance in analyzing the security of the RSA algorithm. It was the predecessor of the Miller-Rabin test and is slightly less efficient than the latter. The Miller-Rabin primality test also belongs to BPP.
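The following is an added example, not code from the thesis: Fermat's test (Theorem 1.3) and the Miller-Rabin test plugged into the three-step cycle above, run against the Carmichael number 561 = 3 · 11 · 17 mentioned in footnote 3. The witness counting shows why the Fermat test fails on 561 (every base coprime to 561 is a liar) while Miller-Rabin still catches it; the seed is only there to make runs reproducible.

```python
# Added example, not from the thesis: Fermat's test (Theorem 1.3) and the
# Miller-Rabin test, plugged into the three-step cycle above, run against the
# Carmichael number 561 = 3 * 11 * 17 from footnote 3.
import random
from math import gcd


def fermat_witness(n, r):
    """True if r proves n composite under Fermat's test, i.e. r^(n-1) != 1 (mod n)."""
    return pow(r, n - 1, n) != 1


def miller_rabin_witness(n, r):
    """True if r proves n composite under the Miller-Rabin test.

    Write n - 1 = 2^s * d with d odd. For prime n the sequence
    r^d, r^(2d), ..., r^(2^(s-1) d) (mod n) must start with 1 or pass through
    n - 1; reaching 1 any other way exposes a nontrivial square root of 1.
    """
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    x = pow(r, d, n)
    if x == 1 or x == n - 1:
        return False
    for _ in range(s - 1):
        x = pow(x, 2, n)
        if x == n - 1:
            return False
    return True


def probable_prime(n, witness, rounds, seed=None):
    """Steps 1-3 of the cycle: pick r, look for a witness, repeat `rounds` times.

    Returns False on the first witness found, otherwise True (n is then a
    probable prime; how much that is worth depends on the witness test used).
    """
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    rng = random.Random(seed)  # seeded only so that runs are reproducible
    for _ in range(rounds):
        r = rng.randrange(2, n - 1)
        if witness(n, r):
            return False
    return True


def count_liars(n, witness):
    """Bases r in [1, n-1] coprime to n that the given test fails to flag."""
    return sum(1 for r in range(1, n) if gcd(r, n) == 1 and not witness(n, r))


if __name__ == "__main__":
    n = 561
    # Every base coprime to 561 satisfies Fermat's congruence, so only bases
    # sharing a factor with 561 ever act as Fermat witnesses.
    print("Fermat liars coprime to 561:", count_liars(n, fermat_witness), "of phi(561) = 320")
    print("Miller-Rabin liars coprime to 561:", count_liars(n, miller_rabin_witness))
    print("base 2 is a Fermat witness:", fermat_witness(n, 2))
    print("base 2 is a Miller-Rabin witness:", miller_rabin_witness(n, 2))
    print("Miller-Rabin verdict on 561 after 20 rounds:", probable_prime(n, miller_rabin_witness, 20, seed=1))
```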

1.2.2 Randomness in cryptography

It has already been mentioned that cryptography is one of the main areas where randomized data is critical. Randomness is of critical importance for the generation of private keys, so that they are unpredictable. Cryptographic algorithms often employ prime numbers; hence, randomized primality testing is of importance. These are mostly involved in asymmetric cryptography protocols such as RSA or ElGamal. But there are other algorithms and protocols in cryptography that could not exist without random data. For instance, salting is a rather often used principle.

Definition 1.4. A salt is a random bit sequence that is added to an encryption key or to a password in order to protect them from disclosure.

Typically, salt is used in operating systems for storing user passwords. Deterministic functions computing a secret key of a given length from a secret are called key derivation functions (KDF). A simple example of the use of such a salted password follows.

3. A Carmichael number is a composite integer satisfying the congruence $b^{n-1} \equiv 1 \pmod{n}$. A typical example is 561 = 3 · 11 · 17.

Algorithm: example (salted) KDF

SUMMARY: derives a key from a secret password and a plaintext salt.
INPUT: password p, salt s, positive integers c and l (the number of iterations of the hash function and the intended length of the keying material in bytes, respectively).
OUTPUT: derived key k.

1. Concatenate the password and the salt, then compute the initial hash value: $T_1 = \mathrm{Hash}(p \circ s)$.

2. Iterate the hash function: for i = 2 to c do $T_i = \mathrm{Hash}(T_{i-1})$ end for.

3. Output the first l bytes of $T_c$ as the derived key k.

The result of the previous algorithm is then stored in a password file together with the associated salt. When the user subsequently enters a password, the system looks up the corresponding salt and applies the previous algorithm to the entered password. Since the salt is given in plaintext, the difficulty of an exhaustive search on any particular user's password is unchanged by salting. However, salting increases the complexity of a dictionary attack⁴ against a large set of passwords concurrently, by requiring the dictionary to contain $2^t$ variations of each trial password. If the attacker had a precomputed hash table of a dictionary of possible keys, without the salting mechanism he would only need to find a collision. With the strengthening by salting such a table becomes useless, because

1. logging in with the colliding key is in vain, since the system salts the key and thus it becomes a completely different input giving a completely different hash, and

2. even if the attacker computes the table for one salt, he still must compute another one for each user with a different random salt.

Corollary 1.5. Salting passwords results in a significantly larger memory requirement for storing the encrypted dictionary and correspondingly more time for its computation.

Another example of a useful application of random numbers in cryptography is the Eksblowfish algorithm.

4. A brute-force type of attack against a password that tries only the possibilities that are most likely to succeed; it stores output values in a dictionary to look up a collision quickly.
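As an added example (not code from the thesis), the salted, iterated KDF above written out with SHA-256 standing in for the unspecified Hash, together with the password-file flow the text describes and a check that a precomputed table of unsalted keys no longer matches a salted entry. The salt length, iteration count and the use of the OS random source are assumptions for the example.

```python
# Added example, not from the thesis: the salted, iterated KDF from the
# algorithm above with SHA-256 standing in for the unspecified Hash, plus the
# password-file flow the text describes and why a precomputed table of
# unsalted keys stops working once salts are in play.
import hashlib
import hmac
import os


def salted_kdf(p: bytes, s: bytes, c: int, l: int) -> bytes:
    """Steps 1-3: T_1 = Hash(p || s), T_i = Hash(T_{i-1}) for i = 2..c, return T_c[:l]."""
    if c < 1 or not 1 <= l <= hashlib.sha256().digest_size:
        raise ValueError("c must be >= 1 and 1 <= l <= digest size")
    t = hashlib.sha256(p + s).digest()          # step 1: T_1 = Hash(p o s)
    for _ in range(2, c + 1):                   # step 2: T_i = Hash(T_{i-1})
        t = hashlib.sha256(t).digest()
    return t[:l]                                # step 3: first l bytes of T_c


def store_password(password: bytes, salt_bits: int = 128, c: int = 10000, l: int = 32) -> dict:
    """Password-file entry: the salt is kept in plaintext beside the derived key."""
    salt = os.urandom(salt_bits // 8)   # assumption: the OS random source stands in for a TRNG
    return {"salt": salt, "c": c, "l": l, "key": salted_kdf(password, salt, c, l)}


def verify_password(entry: dict, attempt: bytes) -> bool:
    """Look up the user's salt, rerun the algorithm on the attempt, compare the keys."""
    derived = salted_kdf(attempt, entry["salt"], entry["c"], entry["l"])
    return hmac.compare_digest(derived, entry["key"])


def unsalted_table(wordlist, c: int, l: int) -> dict:
    """Precomputed key -> word table built without salt (the dictionary of the text)."""
    return {salted_kdf(w, b"", c, l): w for w in wordlist}


def table_entries_needed(words: int, salt_bits: int) -> int:
    """With t salt bits the table must hold 2^t variants of each trial password."""
    return words * 2 ** salt_bits


if __name__ == "__main__":
    entry = store_password(b"letmein", c=50)
    print("correct password accepted:", verify_password(entry, b"letmein"))
    print("wrong password rejected:", not verify_password(entry, b"letmeout"))
    table = unsalted_table([b"letmein", b"password"], entry["c"], entry["l"])
    print("salted key found in unsalted table:", entry["key"] in table)
    print("table entries for 1000 words and 12 salt bits:", table_entries_needed(1000, 12))
```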


Eksblowfish is a cost-parameterizable salted block cipher currently used in some Unix/Linux systems. As the name might indicate, the cipher is based on the Blowfish cipher by Bruce Schneier [Sch94]. Eksblowfish takes as input a secret key, the required cost and a random salt. The resulting security depends on the key length, the allowed number of iterations of the main cycle and salt collisions. For further information about this cipher see the paper by Niels Provos and David Mazières [ND99].

Chapter 2 Sources of randomness

In this chapter we introduce the notion of a randomness source as well as a random number generator, an important cryptographic primitive, and then we survey a restricted set of weak random sources that were used and examined in order to generate unbiased random data.

2.1 Definitions

When computing any randomized algorithm, we need some source of ran- dom data. Formally, it is the source of randomness or equivalently source of . A little less formally, it is the random number generator.

Definition 2.1. A source of randomness is a finite sequence of random vari- ables.

Note that a source can be fully described by its probability distribution and thus also by a single random variable X.

Definition 2.2. A source is called weak if its distribution is not uniform.

Alternatively, a weak source is sometimes defined as a source with an unknown distribution. However, we will stick to the non-uniform version. When we want some random data, we ask for them to be generated. A random number generator is a device or algorithm which outputs a sequence of statistically independent and unbiased numbers. These devices can be divided into two categories: true random number generators and pseudo-random number generators.

Definition 2.3. A true random number generator (TRNG) is a device that extracts randomness from some unpredictable physical phenomena.

Such devices are usually based on microscopic phenomena such as:

• radioactive decay


• thermal and other types of noise

• the photoelectric effect

• or other quantum phenomena.

Definition 2.4. A pseudorandom number generator (PRNG) $G : \{0,1\}^k \to \{0,1\}^l$ is a deterministic polynomial time algorithm that takes a truly random string $x \in \{0,1\}^k$ and produces a longer string $G(x)$ of polynomial length $l > k$, such that the probability that any BPP algorithm correctly guesses the output of G without knowledge of x is $\frac{1}{2^k} + \varepsilon$ for some small ε. The input to the PRNG is called the seed, while the output of the PRNG is called a pseudorandom number sequence.

Usual classes of PRNGs include:

• linear congruential generators,

• lagged Fibonacci generators,

• linear feedback shift registers,

• generalized feedback shift registers and others.

Currently most popular algorithms are:

• Blum Blum Shub,

• Fortuna or

• Mersenne twister.

The basic difference between PRNGs and TRNGs is easy to understand if you compare generated random numbers to rolls of a die. Because PRNGs generate random numbers by using deterministic algorithms or precalculated lists, using one corresponds to someone rolling a die many times and writing down the results. Then whenever you ask for a die roll, you get the next number on the list. These numbers seem random, but they are in fact given. TRNGs work by making a computer actually roll the die, or, more specifically, use some other phenomenon that is easier for a computer to comprehend than a die roll is.

Unlike TRNGs, pseudorandom generators are efficient, which means they produce numbers very fast, since they only compute them. TRNGs, on the other hand, must perform some nontrivial physical task in order to produce a new random number, like sampling enough raw data from a peripheral device in order to extract some specific bit out of them. Such an action can take a long time. Take generating randomness from keyboard strokes, for instance. There is no way to generate a new bit when no one is typing. The same thing applies to other sources dependent on a user.


The third characteristic in which these two kinds of generators differ is the repetition of their output. While TRNGs do not suffer from this with probability close to 1, all PRNGs do (i.e., all PRNGs have a sequence that periodically repeats). However, modern PRNGs usually have a very long cycle before repeating themselves, thus making them acceptable for most situations which do not require true random numbers. The following two tables are taken from the popular web TRNG [RAN]. They sum up the key characteristics, differences and use scenarios of pseudo and true random number generators.

Characteristic   PRNG            TRNG
Efficiency       Excellent       Poor
Determinism      Deterministic   Nondeterministic
Periodicity      Periodic        Aperiodic

Table 2.1: characteristics comparison

Application                                            Most Suitable Generator
Lotteries and Draws                                    TRNG
Games and Gambling                                     TRNG
Random Sampling (e.g., drug screening)                 TRNG
Simulation and Modeling                                PRNG
Security (e.g., generation of data encryption keys)    TRNG
The Arts                                               Varies

Table 2.2: suitability of random number generators

2.2 Weak random sources

In computer science, and in cryptography especially, we usually need uniformly distributed random bits, which means a source of randomness producing 1 with probability $\frac{1}{2}$, independently of other bits. However, in limited devices, such as laptop computers or mobile devices, a TRNG might be inaccessible¹.

1. Although there are several web services gathering and offering true random data, the communication can be jeopardized.


Therefore, it is desirable to be able to extract a sequence of close to uniformly distributed random data from available sources of weak randomness. Once we are able to extract true randomness from weak sources, we can, e.g., efficiently simulate any BPP algorithm. The study of weak sources goes back to von Neumann [vN51], who showed how to generate unbiased bits using an independent coin with fixed bias. The algorithm goes as follows.

Algorithm: von Neumann's random bit generation

SUMMARY: given a biased coin, produces an unbiased bit.
INPUT: a biased coin C (a random variable) with Pr[C = 1] = δ, where 1 stands for heads and 0 for tails and δ is unknown.²
OUTPUT: an unbiased bit.

1. Toss the coin twice. Denote the result as φ ∈ {11, 10, 01, 00}.

2. If φ = 11 or φ = 00, discard the result and go to first step.

3. If φ = 10 output 1, and if φ = 01 output 0.

Obviously, the data rate of such a source depends purely on the bias.³ The study of the following special classes of weak sources was inspired by the desire to extract independent unbiased random data without the need for additional randomness. The first obvious source, as weighed by von Neumann, is a simple biased coin.
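The following is an added example, not code from the thesis: von Neumann's three-step algorithm run over a constructed δ-biased bit stream (the simple weak source of the coin above, with Pr[C = 1] = δ), together with the data rate the previous sentence refers to. The bias value, sample size and seed are chosen for the example only; the extractor itself never sees δ.

```python
# Added example, not from the thesis: von Neumann's algorithm applied to a
# constructed biased bit stream, plus the resulting data rate.
import random


def von_neumann_extract(bits):
    """Steps 1-3: pair up tosses, discard 00 and 11, map 10 -> 1 and 01 -> 0."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(a)   # pair 10 gives 1, pair 01 gives 0
    return out


def biased_bits(delta, n, seed):
    """Constructed source: each bit is 1 with probability δ, independently.

    δ is only known here to build the sample; the extractor never uses it.
    """
    rng = random.Random(seed)
    return [1 if rng.random() < delta else 0 for _ in range(n)]


def expected_yield(delta):
    """Expected output bits per input bit.

    A pair is 10 or 01 with probability 2δ(1-δ) and then yields one bit,
    so each input bit contributes δ(1-δ) output bits on average.
    """
    return delta * (1 - delta)


def empirical_bias(bits):
    """Fraction of ones in a bit list (NaN for an empty list)."""
    return sum(bits) / len(bits) if bits else float("nan")


if __name__ == "__main__":
    delta, n = 0.3, 200000
    src = biased_bits(delta, n, seed=7)
    out = von_neumann_extract(src)
    print(f"source bias:      {empirical_bias(src):.4f} (true δ = {delta})")
    print(f"output bias:      {empirical_bias(out):.4f} (target 0.5)")
    print(f"data rate:        {len(out) / len(src):.4f} (expected {expected_yield(delta):.4f})")
```

The rate line is the point of the preceding sentence: a coin with δ = 0.3 keeps only about a fifth of its tosses, and the yield falls further as δ moves away from 1/2.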

Definition 2.5. A simple weak source of bits is a source, that produces 0 with probability δ and 1 with probability 1 − δ. Formally,

Pr[X = 0] = δ, Pr[X = 1] = 1 − δ.

Definition 2.6. A Markov chain is a sequence of random variables $X_1, X_2, X_3, \dots$ with the Markov property, namely that, given the present state, the future and past states are independent. Formally, for all $x_1, \dots, x_{n+1}$

$\Pr[X_{n+1} = x \mid X_1 = x_1, X_2 = x_2, \dots, X_n = x_n] = \Pr[X_{n+1} = x \mid X_n = x_n]$.

2. Such sources are also referred to as δ-sources.

3. From this work also comes the famous quote "Anyone who considers arithmetical methods of producing random digits is, of course, in the state of sin."


Following von Neumann, Samuelson [Sam68] proposed that the initial position of the coin after the previous toss can affect the probability of the next toss.

Definition 2.7. A Samuelson source is a simple weak source with the first-order Markov property. Formally,

$\Pr[X_i = 0 \mid X_{i-1} = 0] = \gamma \neq \delta = \Pr[X_i = 1 \mid X_{i-1} = 0]$.

Later on, Elias [Eli72] generalized von Neumann's result and nearly achieved the entropy of the coin. He also generalized a 1968 result of Samuelson [Sam68] for the two-state binary Markov input. Blum [Blu84] considered sources generated by walks on a finite Markov chain with unknown structure and transition probabilities and, using Elias's previous result [Eli72], he was able to give an algorithm with polynomial expected running time, while reaching the entropy of the source in the limit. Blum's scheme is optimal in the sense of extracting perfectly unbiased bits. However, one may be satisfied with only almost unbiased bits. This was pointed out and studied by Santha and Vazirani [SV84] and is called the SV-model, semirandom source or unpredictable source, while their original name was quasi-random generator. The key property is that every bit is somewhat unpredictable given the previous bits (see definition 2.8).

Definition 2.8. Unpredictable sources are those sources that for every i, every $x_i \in \{0,1\}$ and some constant $\delta \le \frac{1}{2}$ satisfy

$\Pr[X_{i+1} = 0 \mid X_0 = x_0, \dots, X_i = x_i] \in [1/2 - \delta, 1/2 + \delta]$.

In 1988 Chor and Goldreich [CG88] followed the previous work and generalized the model for sources of weak randomness, originally called probability-bounded sources and now mostly referred to as block-wise sources (see definition 2.11). In order to specify these sources they also introduced the notion of an (l, b)-distributed variable.

Definition 2.9. Let l be a positive integer, and b > 0 a real number. Let X be a random variable assuming values in $\{0,1\}^l$. The random variable X is (l, b)-distributed if for every $\alpha \in \{0,1\}^l$ it holds that $\Pr[X = \alpha] \le 2^{-b}$.

Definition 2.10. Let $X_1, \dots, X_t$ be a sequence of random variables, each assuming values in $\{0,1\}^l$. The random variable $X_t$ is (l, b)-distributed given $X_1, \dots, X_{t-1}$ if for every $\alpha \in \{0,1\}^{(t-1) \cdot l}$ and $\beta \in \{0,1\}^l$,

$\Pr[X_t = \beta \mid X_1 \dots X_{t-1} = \alpha] \le 2^{-b}$.


Definition 2.11. A block-wise (l, b)-source is an infinite sequence of random variables $X_1, X_2, \dots$, each assuming values in $\{0,1\}^l$, such that for every t the random variable $X_t$ is (l, b)-distributed given $X_1, \dots, X_{t-1}$.

You can see that if we set l = 1, we get the unpredictable source. Chor and Goldreich also showed how to simulate any BPP algorithm using a single (l, b)-source. An interesting result that helped them to do that was their notion of flat sources.

Definition 2.12. A source X is (l, b)-flat if X is (l, b)-distributed and there exists a set $S \subset \{0,1\}^l$ of possible outcomes such that $\forall \alpha, \beta \in S$ it holds that

Pr[X = α] = Pr[X = β].

These are interesting because the worst-case behaviour of a function occurs on them. Namely, for every function $f : \{0,1\}^{2l} \to \{0,1\}^m$, every $\alpha \in \{0,1\}^m$ and independent random variables X, Y

$\sup_{X, Y \text{ are } (l,b)\text{-distributed}} \Pr[f(X,Y) = \alpha] = \max_{X, Y \text{ are } (l,b)\text{-flat}} \Pr[f(X,Y) = \alpha]$,

$\inf_{X, Y \text{ are } (l,b)\text{-distributed}} \Pr[f(X,Y) = \alpha] = \min_{X, Y \text{ are } (l,b)\text{-flat}} \Pr[f(X,Y) = \alpha]$.

Another approach to weak sources of randomness, from a purely mathematical point of view, was originally taken by Chor et al. [CGH+85]. They considered a source with some bits perfectly random and some bits controlled by an adversary. Such sources are called bit-fixing sources (see definition 2.13). Cohen and Wigderson [CW89] then considered several variations of bit-fixing sources and constructed corresponding extractors and dispersers.

Definition 2.13. A distribution X over $\{0,1\}^n$ is an (n, k) bit-fixing source if there exists a subset $S = \{i_1, \dots, i_k\} \subseteq \{1, \dots, n\}$ such that $X_{i_1}, X_{i_2}, \dots, X_{i_k}$ is uniformly distributed over $\{0,1\}^k$ and for every $i \notin S$, $X_i$ is constant.

There are two classes of bit-fixing sources. The oblivious bit-fixing sources choose bits to fix before the random bits are generated while the non-oblivious do so afterwards.

These two directions were later united under the model of δ-sources introduced by David Zuckerman [Zuc90]. Although originally defined as δ-sources, we will use alternative term k-sources to avoid conflicts with δ used in the names of other sources.


Definition 2.14. A k-source is asked only once for R bits, and the source outputs an R-bit string such that no string has probability more than $2^{-k \cdot R}$ of being output, for some fixed k > 0.

Indeed, consider the case of R = 1 and see that

• flat sources are a special case of k-sources, if $|S| \le 2^k$,

• if we take $k = \log \frac{1}{(1-\delta)n}$, we get the Santha-Vazirani sources, and

• with k random and independent bits together with n − k fixed bits over $\{0,1\}^n$ we get the oblivious bit-fixing sources.

Chapter 3 Randomness extractors

In this chapter we give formal definitions of randomness extractors, examine the possible uses of extractors and give an extended overview of current achievements in extractor constructions over the work done by Shaltiel [Sha02]. In the last part of this chapter we describe a general construction technique for randomness extractors. Here we describe the one based on Carter-Wegman universal classes of hash functions, as it is the one we are using.

Randomness extractors are essentially the computational post-processing part of a TRNG. They transform the truly random but non-uniformly distributed data obtained from the physical device into data closer to the uniform distribution. The generator output is therefore less predictable, i.e. less vulnerable to an adversary. Unlike PRNGs, extractors rely only on proven (mathematical) techniques.

3.1 Preliminaries

In order to measure the quality of the distribution produced by the physical device and its distance from the uniform distribution we need several definitions. From now on we denote the uniform distribution on $\{0,1\}^n$ by $U_n$.

Definition 3.1. Let P and Q be two distributions on the same sample space X. The statistical distance¹ between them is
$$\Delta(P,Q) \doteq \|P - Q\| = \max_{Y \subseteq X} |P(Y) - Q(Y)| = \frac{1}{2} \sum_{x \in X} |P(x) - Q(x)|.$$
We say that two distributions are ε-close if their statistical distance is at most ε. A distribution P on X is called ε-quasi-random (on X) if the

1. Statistical distance is often also called variation distance between distributions, $\frac{1}{2}L_1$-distance or $\frac{1}{2}$ taxicab distance.

statistical distance between P and the uniform distribution U on X is at most ε. The intuitive understanding is that any event in P happens in Q with the same probability ± ε. It is the most natural measure of distance for probability distributions since it is a metric. Indeed, it satisfies the following properties.

1. 0 ≤ ∆(P,Q) ≤ 1. The distance is minimized when P and Q are the same distribution and maximized when they have disjoint supports,

2. ∆(P,Q) = ∆(Q, P ),

3. the inequality holds: ∆(P,R) ≤ ∆(P,Q) + ∆(Q, R),

4. for any function f it holds ∆(f(P ), f(Q)) ≤ ∆(P,Q), and

5. $\Delta((P_1,P_2), (Q_1,Q_2)) \le \Delta(P_1,Q_1) + \Delta(P_2,Q_2)$, if $P_1$ and $P_2$ are independent and $Q_1$ and $Q_2$ are independent.

Next thing we need to measure is the amount of randomness within a distribution. From now on, unless stated otherwise, we consider the most general model of weak random sources, the k-sources by Zuckerman [Zuc90]. For this purpose we introduce the following three notions of entropy.

Definition 3.2. The Shannon entropy [Sha48] $H_S$ of a random variable X whose range is $\{0,1\}^n$ is defined as
$$H_S(X) = -\sum_{x \in \{0,1\}^n} \Pr[X = x] \log_b \Pr[X = x],$$
where the usual values of b are 2, Euler's number and 10. In computer science we generally compute with b = 2.

Simply put, Shannon’s entropy measures the average amount of ran- domness within a distribution.

Definition 3.3. The Renyi entropy [Ren60] $H_\alpha$ of a random variable X whose range is $\{0,1\}^n$ is defined as
$$H_\alpha(X) = \frac{1}{1-\alpha} \log_b \Bigl( \sum_{x \in \{0,1\}^n} \Pr[X = x]^\alpha \Bigr),$$
where α ≥ 0 is the order of the entropy.


This is, in fact, a generalization of Shannon's work. We will use the term Renyi's entropy² (without an explicit α) for the entropy of order α = 2. Shannon's entropy is then the one of order α = 1. This leads to the last obviously interesting entropy, the one of order α = ∞.

Definition 3.4. The min-entropy $H_\infty$ of a random variable X whose range is $\{0,1\}^n$ is defined as
$$H_\infty(X) = -\log_b \Bigl( \max_{x \in \{0,1\}^n} \Pr[X = x] \Bigr) = \min_{x \in \{0,1\}^n} \log_b \frac{1}{\Pr[X = x]}.$$
A distribution has min-entropy of at least m bits if no possible state has probability greater than $b^{-m}$. An obvious question arises: which variant of entropy measure should we use? They all have the following properties.

1. If X and Y are independent, then H((X,Y )) = H(X) + H(Y ).

2. 0 ≤ H(X) ≤ log |Supp(X)|. Then H(X) = 0, if X is constant and H(X) = log |Supp(X)|, if X is uniform on Supp(X).

3. For every deterministic function f, we have H(f(X)) ≤ H(X).

Moreover, it holds that $H_\infty(X) \le H_2(X) \le H_S(X)$ for any X. Consider a source X with $\Pr[X = 0^n] = 0.99$ and $\Pr[X = U_n] = 0.01$. Then $H_S(X) \ge 0.01n$, $H_2(X) \le \log\frac{1}{0.99^2} \approx 0.0087$ and $H_\infty(X) \le \log\frac{1}{0.99} \approx 0.0044$. Even though X has a relatively high Shannon entropy, using only one sample from X we cannot expect a string that is close to uniformly distributed, because with probability 99% we get a useless string of n zeros. The key difference between Shannon's entropy and min-entropy is that Shannon's entropy is meant to measure the quality of a distribution when we are allowed to gather multiple samples, whereas with min-entropy we care only about the worst case. That means that using Shannon's entropy we know the average randomness contained in a sample of the distribution. However, as first argued by Chor and Goldreich [CG88], it can be the case that with very low probability we get high randomness and with high probability we get almost no randomness at all. Then it can be shown that extracting randomness from a distribution which has low min-entropy is impossible. In the other direction, if randomness can be extracted from a

2. also called collision entropy

distribution X, then X is close to having high min-entropy. Because of that, Shannon's entropy is not a good measure when we need to extract randomness from a single random sample. Therefore, we have to settle for min-entropy.
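The three entropy measures and the statistical distance of Definition 3.1, computed for the 0.99/0.01 mixture source discussed above; this is an added example, not code from the thesis, and the function names are ours. The values 0.0087 and 0.0044 quoted above are base-10 logarithms, so the report takes the logarithm base as a parameter.

```python
import math
from typing import Dict

# A distribution maps an n-bit string (stored as an int) to its probability.
Distribution = Dict[int, float]


def uniform(n: int) -> Distribution:
    """U_n: the uniform distribution on {0,1}^n."""
    size = 1 << n
    return {x: 1.0 / size for x in range(size)}


def mixture_source(n: int, p_zero: float = 0.99) -> Distribution:
    """Constructed source from the text: the all-zero string with probability
    p_zero, otherwise a uniformly random n-bit string (probability 1 - p_zero)."""
    size = 1 << n
    dist = {x: (1.0 - p_zero) / size for x in range(size)}
    dist[0] += p_zero
    return dist


def statistical_distance(p: Distribution, q: Distribution) -> float:
    """Definition 3.1: Delta(P, Q) = 1/2 * sum_x |P(x) - Q(x)|."""
    support = set(p) | set(q)
    return 0.5 * sum(abs(p.get(x, 0.0) - q.get(x, 0.0)) for x in support)


def shannon_entropy(p: Distribution, base: float = 2.0) -> float:
    """Definition 3.2: H_S(X) = -sum_x Pr[X = x] log_b Pr[X = x]."""
    return -sum(px * math.log(px, base) for px in p.values() if px > 0.0)


def renyi_entropy(p: Distribution, alpha: float, base: float = 2.0) -> float:
    """Definition 3.3 for alpha != 1: H_alpha(X) = log_b(sum_x Pr[X = x]^alpha) / (1 - alpha).
    alpha = 2 is the collision entropy the text calls Renyi's entropy."""
    return math.log(sum(px ** alpha for px in p.values()), base) / (1.0 - alpha)


def min_entropy(p: Distribution, base: float = 2.0) -> float:
    """Definition 3.4: H_inf(X) = -log_b max_x Pr[X = x]."""
    return -math.log(max(p.values()), base)


def entropy_report(n: int, base: float = 2.0) -> Dict[str, float]:
    """All three measures for the 0.99/0.01 mixture source on n bits, together
    with its statistical distance from U_n (which stays close to 0.99 for any n)."""
    x = mixture_source(n)
    return {
        "shannon": shannon_entropy(x, base),
        "renyi2": renyi_entropy(x, 2.0, base),
        "min": min_entropy(x, base),
        "distance_from_uniform": statistical_distance(x, uniform(n)),
    }


if __name__ == "__main__":
    for name, value in entropy_report(8).items():
        print(f"{name:>22}: {value:.4f}")
```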

3.2 Definitions

Randomness extractors exist in both deterministic and randomized versions. Although the deterministic one would usually be preferable (no need for an ancillary truly random input), it was the randomized one that was first defined as an extractor by Nisan and Zuckerman [NZ96]³. The argument for the use of an additional random input, called the impossibility result [CG88], follows. We want to construct a function $E : \{0,1\}^n \to \{0,1\}$ extracting one random bit from an arbitrary distribution X over $\{0,1\}^n$ with $H_\infty \ge n - 1$. Now it is easy to see that every such function E has a set $S = \{x \mid E(x) = 0\}$ where $|S| \ge 2^{n-1}$. Thus a uniformly distributed X on S has $H_\infty \ge n - 1$ and at the same time E(X) = 0, which contradicts the premise that E extracts a random bit.

Definition 3.5. A (k, ε)-extractor is a function
$$E : \{0,1\}^n \times \{0,1\}^t \to \{0,1\}^m,$$
if for every distribution X on $\{0,1\}^n$ with $H_\infty(X) \ge k$ the distribution $E(X, U_t)$ is ε-close to $U_m$.

Although procedures to extract randomness deterministically have been examined since von Neumann [vN51], deterministic extractors were first defined in 2000 by Trevisan and Vadhan [TV00]. They pointed out that there are applications of randomness, such as probabilistic encryption [GM84], for which, in principle, it seems unavoidable to use randomness extractors without the additional random input. Because of the impossibility result stated above, it is clear that such a function does not exist for a general weak source. However, there are classes of weak random sources which enable such deterministic extraction.

Definition 3.6. A (k, ε)-deterministic extractor is a function
$$E : \{0,1\}^n \to \{0,1\}^m$$
if for every distribution X on $\{0,1\}^n$ with $H_\infty(X) \ge k$ it holds that $\Delta(E(X), U_m) \le \varepsilon$.

Another natural characteristic that can be required from a randomness extractor is that the output of the extractor should seem close to uniformly distributed even to someone who sees the random seed. Such a characteristic is very practical when the truly random data are very expensive and thus should be reused. An elegant way to enforce that is the condition that the output of the extractor concatenated with the random seed is still ε-close to the uniform distribution.

Definition 3.7. A (k, ε)-strong extractor is a function
$$E : \{0,1\}^n \times \{0,1\}^t \to \{0,1\}^m,$$
if for every distribution X on $\{0,1\}^n$ with $H_\infty(X) \ge k$ it holds that $\Delta(U_t \circ E(X, U_t), U_{t+m}) \le \varepsilon$. Furthermore, Reingold, Shaltiel and Wigderson [RSW00] showed that any extractor can be transformed into a strong extractor with essentially the same parameters.

3. Originally, [NZ96] defined the strong version of an extractor. The "non-strong" variant was given later by Ta-Shma in [TS96].

3.3 Tradeoffs

The standard optimization problem is the following. Given source length n, entropy threshold k and allowed error ε, we want to minimize the seed length t⁴ and maximize the output length m. Note: we say that an extractor is trivial if the output length is equal to or smaller than the seed length, m ≤ t.

3.3.1 Simulating BPP

Note that using randomness extractors we can effectively simulate any BPP algorithm A with input word x requiring m random bits with an extractor using only t ≪ m random bits. This is due to the fact that $\Pr[A(x, U_m) = A(x, E(y, U_t))] \le \varepsilon$ and therefore the majority of the answers of $A(x, E(y, r))$ for $r \in \{0,1\}^m$ yields the same result as with the original longer random seed within probability 2ε. Such an algorithm runs $O(2^t)$ executions of the extractor E and the original algorithm. Thus we want to achieve

4. The seed length can be reduced to zero for certain classes of weak sources using deterministic extractors, as mentioned above.


1. t = O(log n),

2. E computable in polynomial time,

3. $m = k^{\Omega(1)}$.

3.3.2 Lower bounds

In their original work, Nisan and Zuckerman [NZ96] proposed the following lower bound on the quality of any extractor.

Theorem 3.8. Suppose $E : \{0,1\}^n \times \{0,1\}^t \to \{0,1\}^m$ is a (k, ε)-extractor, where $k \le 1 - \frac{1}{n}$ and $\varepsilon < \frac{1}{2}$. Then $t \ge \max\bigl(\log \varepsilon^{-1} - 1,\ \log((1-k)n)\bigr)$ and $m < kn + 2$.

However, this bound was soon refined by Radhakrishnan and Ta-Shma [RTS00]. We keep the previous result mainly because it is still being used in some papers, e.g. [BKMS09], which is used for one of our constructions, and the reader might otherwise have trouble understanding where their results come from.

Theorem 3.9. Suppose $E : \{0,1\}^n \times \{0,1\}^t \to \{0,1\}^m$ is a (k, ε)-extractor, where $k \le 1 - \frac{1}{n}$ and $\varepsilon < \frac{1}{2}$. Then $t \ge \log(n - k) + 2\log\frac{1}{\varepsilon} - O(1)$ and $m \le t + k - 2\log\frac{1}{\varepsilon} + O(1)$.

3.4 Applications of extractors

Originally, randomness extractors were defined to simulate randomized algorithms given only weak sources of randomness. However, they are such a useful tool that they have been incorporated into many applications, sometimes not even connected to randomness. Some of them are listed below. Note that in all of the following works extractor constructions⁵ play a key role.

• Zuckerman [Zuc96] proved using randomness extractors that all of Karp's [Kar72] original NP-complete problems have a version that is hard to approximate. Using the same technique he also showed the hardness of approximation for MAX CLIQUE. He also addresses the same problem in [Zuc06].

• Zuckerman [Zuc97] presented the first efficient oblivious sampler using an improved extractor construction. This sampler can further deterministically amplify the success probability of a BPP algorithm.

5. Sometimes the weaker notion of dispersers suffices.


• Chen and Kao [CK97] proposed a general methodology for testing whether a polynomial with integer coefficients is identically zero.

• Goldreich and Zuckerman [GZ97] introduced a new, simpler proof that BPP ⊆ PH.

• Many constructions of pseudorandom number generators for space bounded probabilistic algorithms.

• Wigderson and Zuckerman [WZ99] gave a protocol for sorting and selecting rounds.

• Based on Trevisan's construction [Tre99] of an extractor out of a pseudorandom generator, Ta-Shma, Umans, and Zuckerman [TSUZ07] constructed explicit lossless condensers.

• Capalbo et al. [CRVW02] came up with randomness conductors, a notion which generalizes extractors, expanders, condensers and other similar objects. They also gave an explicit construction of constant degree lossless expanders.

• Gasarch et al. [GGK03] presented their ideas for parallel sorting in constant time.

• Dodis et al. [DORS08] provided the notion of fuzzy extractors for turning noisy information into cryptographic keys usable for any cryptographic application given biometric input.

• Ta-Shma and Zuckerman [TSZ04] showed equivalence between extractors and error correcting codes for highly noisy channels.

• Recently, Zuckerman et al. [KLRZ08] showed how to extract private randomness over a network with Byzantine faults for both theoretic and computational settings.

3.5 Overview of constructions

In the last two decades, a lot of attention has been paid to extractors and a lot of constructions have arisen. Given the five parameters of an extractor one can improve, many different optimization objectives have been pursued. We will consider only the two probably most important characteristics, the seed length t and the output length m, for some constant ε. Although there are

many intermediate improvements between the presented extractors, we restrict ourselves to those that are interesting or important for us. We remind the reader that the theoretical lower bounds for fixed ε are t = log(n − k) − O(1) and m = t + k + O(1).

• Even before the definition of extractors, Impagliazzo et al. [ILL89] presented an extractor-like construction for any k with seed length t = O(n) and output length m = k + d + O(1).

• Together with the definition, Nisan and Zuckerman [NZ96] gave a construction of an extractor with k = Ω(n), $t = O(\log^2 n)$ and m = Ω(k).

• Zuckerman and Srinivasan [SZ99] made a construction rather interesting for extremely small k. However, for any k, t = O(log n) and $m = \Omega\bigl(\frac{k^2 n}{\log k^{-1}}\bigr)$.

• Trevisan [Tre99] showed how to construct an extractor out of a pseudorandom generator for any k, $t = O\bigl(\frac{\log^2 n}{\log k}\bigr)$ and $m = k^{1-\delta}$.

• Reingold et al. [RVW00] gave the first construction, using their zig-zag product, for which $k > \frac{n}{2}$, $t = \log^{O(1)}(n - k)$ and m = k + d + O(1).

• Lu, Reingold, Vadhan and Wigderson [LRVW03] came in 2003 with the first explicit extractor simultaneously optimal up to constant factors in both seed length and output length. More precisely, for every n, k, their extractor uses a random seed of length t = O(log n) and m = (1 − α)k, where α is any positive constant.

• Barak, Impagliazzo and Wigderson [BIW04] gave the first deterministic extractor using a constant number of weak random sources.

• Shaltiel and Umans [SU05] introduced a simple algebraic construction yielding t = (1 + α) log n and $m = k/(\log n)^{O(1/\alpha)}$ for any k.

• After proving the equivalence between error-correcting codes and randomness extractors, Ta-Shma, Zuckerman and Safra [TSZS06] came up with several direct constructions out of Reed-Muller codes. We mention only the parameters of the last one, which for min-entropy k = Ω(n) are seed length t = log n + O(log log n) and output length m = Ω(k).

• Recently, Ta-Shma [TS09] has shown an extractor that is good even against quantum storage. He modified Trevisan's [Tre99] extractor to require only logarithmic seed length and gave the first such efficient extractor.

• The latest constructions at the time of writing this thesis were by Guruswami, Umans and Vadhan [GUV09]; although they are unable to handle the full range of ε, they gave a construction of randomness extractors that are optimal up to constant factors, while being much simpler than the previous construction of Lu et al. [LRVW03].

3.6 Extractors using hash functions

There is already a fair number of general construction techniques. The first universal technique was described in [ILL89] and is based on Carter-Wegman [CW79] universal classes of hash functions. Another approach is to transform a general source into a block-wise source, a technique described in [NZ96]. A way of converting certain pseudo-random generators into extractors has been described in [Tre99]. As already mentioned, in [TSZS01] the authors succeeded in constructing extractors directly from error-correcting codes. In this section we describe the construction technique of extractors based on Carter-Wegman universal classes of hash functions.

Definition 3.10. A class $H = \{h \mid h : \{0,1\}^n \to \{0,1\}^m\}$ of hash functions is universal₂ iff for every $x \ne y \in \{0,1\}^n$ there are exactly $|H|/2^m$ functions h such that h(x) = h(y).

To set the length of the output as close as possible to the lossless boundary (d + k) we can use the Leftover hash lemma, first stated in [ILL89].

Theorem 3.11. Let X be a random variable defined on the sample space $S = \{0,1\}^n$ with probability distribution p having min-entropy $H_\infty(p) \ge k$, and let $H = \{h \mid h : \{0,1\}^n \to \{0,1\}^{k-2e}\}$ be a universal₂ class of hash functions. Let $x \in_R \{0,1\}^n$ be randomly chosen from $\{0,1\}^n$ according to p and h be randomly and uniformly chosen from H. Then the distribution of (h, h(x)) is $2^{-e}$ close to the uniform distribution in the $L_1$ (trace) distance, i.e. application of a function randomly chosen from H is a $(k, 2^{-e})$ strong randomness extractor.

Since the parameters n, k and |H| are independent of the loss of 2e bits, we can approach the lossless boundary arbitrarily closely by increasing the length of the input n and its min-entropy. Prolonging the input might also seriously affect the computational complexity; however, that mostly depends on the hash function used.


Since truly random data in a mobile device are rather expensive, we will either reuse the ancillary input or use part of the output generated by the extractor as examined in [SZ99]. This again increases the distance between our output and a uniform distribution, but only by amount defined in the next theorem.

Theorem 3.12 ([SZ99]). Let $X_1, X_2, \dots, X_l$ be independent random variables defined on the sample space $S = \{0,1\}^n$ with a common probability distribution P having min-entropy $H_\infty(P) \ge k$, and let $H = \{h \mid h : \{0,1\}^n \to \{0,1\}^{k-2e}\}$ be a universal₂ class of hash functions. Let $x_i \in_R \{0,1\}^n$ be randomly chosen from $\{0,1\}^n$ according to $X_i$ and h be randomly and uniformly chosen from H. Then the distribution of $(h, h(x_1), \dots, h(x_l))$ is $l \cdot 2^{-e}$ close to the uniform distribution in the statistical distance, i.e. l repeated applications of a fixed function randomly chosen from H is a $(k, l \cdot 2^{-e})$ strong randomness extractor.

Definition 3.13. A class of hash functions is called ε-AXU (almost exclusive-or universal) if for all $x_1 \ne x_2$ and any n-bit string z, for a random h ∈ H,
$$\Pr[h(x_1) \oplus h(x_2) = z] \le \varepsilon,$$
where $\varepsilon \ge 2^{-l}$ is sufficiently small.

As it turns out, for most purposes all we need is an ε-AXU class of hash functions. For more details see e.g. [Kra94]. It was also noted in [SZ99] that any XOR-universal class of functions is universal₂ as well, and that it can be used to reduce the length of the seed.
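An added example of the construction described in this section (not the thesis's own implementation): a universal₂ class realized by Toeplitz-type matrices over GF(2), whose seed has n + m − 1 bits rather than the n·m bits of a fully random matrix (the seed saving the text attributes to XOR-universal classes), with output length m = k − 2e taken from Theorem 3.11 and one fixed h reused over many source samples as in Theorem 3.12. The biased-bit weak source, the parameters and all function names are constructed assumptions.

```python
import math
import random
from collections import Counter
from typing import List, Tuple


def min_entropy_biased_source(n: int, p: float) -> float:
    """H_inf of n independent bits, each equal to 1 with probability p: the most
    likely string has probability max(p, 1-p)^n (Definition 3.4, base 2)."""
    return -n * math.log2(max(p, 1.0 - p))


def output_length(k: float, e: int) -> int:
    """Theorem 3.11: hashing to k - 2e bits gives a (k, 2^-e) strong extractor."""
    return int(math.floor(k)) - 2 * e


def toeplitz_seed_length(n: int, m: int) -> int:
    """An m x n Toeplitz-type matrix over GF(2) is fixed by n + m - 1 seed bits."""
    return n + m - 1


def toeplitz_hash(seed: int, x: int, n: int, m: int) -> int:
    """h_T(x) = T * x over GF(2) with T[i][j] = seed bit (i + j).
    Up to reversing the order of the input bits this is a Toeplitz matrix. For
    x != y the m coordinates of T(x xor y) are linearly independent forms in the
    seed bits, so h(x) xor h(y) is uniform on {0,1}^m: the class is 2^-m-AXU and
    therefore universal_2 (Definition 3.10)."""
    mask = (1 << n) - 1
    out = 0
    for i in range(m):
        row = (seed >> i) & mask              # row i = seed bits i .. i+n-1
        parity = bin(row & x).count("1") & 1  # inner product modulo 2
        out = (out << 1) | parity
    return out


def sample_biased(rng: random.Random, n: int, p: float) -> int:
    """Constructed weak source: n independent bits, each 1 with probability p."""
    x = 0
    for _ in range(n):
        x = (x << 1) | (1 if rng.random() < p else 0)
    return x


def empirical_distance_from_uniform(values: List[int], m: int) -> float:
    """Delta(P, U_m) = 1/2 * sum_y |P(y) - 2^-m| with P estimated from samples."""
    counts = Counter(values)
    total = len(values)
    u = 1.0 / (1 << m)
    return 0.5 * sum(abs(counts.get(y, 0) / total - u) for y in range(1 << m))


def run_extraction(n: int = 40, p: float = 0.8, e: int = 3, samples: int = 20000,
                   rng_seed: int = 2010) -> Tuple[float, int, float, float]:
    """Pick one random h, apply the same h to `samples` independent source outputs
    (the seed reuse of Theorem 3.12) and compare the extracted bits, as well as
    the plainly truncated source bits, with the uniform distribution.
    Returns (k, m, distance of truncated bits, distance of extracted bits)."""
    rng = random.Random(rng_seed)               # deterministic for the experiment
    k = min_entropy_biased_source(n, p)
    m = output_length(k, e)
    seed = rng.getrandbits(toeplitz_seed_length(n, m))
    raw, extracted = [], []
    for _ in range(samples):
        x = sample_biased(rng, n, p)
        raw.append(x & ((1 << m) - 1))          # just keeping m source bits
        extracted.append(toeplitz_hash(seed, x, n, m))
    return (k, m,
            empirical_distance_from_uniform(raw, m),
            empirical_distance_from_uniform(extracted, m))


if __name__ == "__main__":
    k, m, d_raw, d_ext = run_extraction()
    print(f"k = {k:.2f} bits of min-entropy, m = {m} output bits, bound 2^-e = {2.0 ** -3}")
    print(f"distance from uniform: truncated source {d_raw:.3f}, extracted {d_ext:.3f}")
```

The truncated source bits stay far from uniform, while the hashed output lands well inside the $2^{-e}$ bound; raising e (fewer output bits) tightens the bound at the cost of output length, exactly the trade-off discussed after Theorem 3.11.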

Chapter 4   Randomness in mobile devices

In this chapter we discuss the use and sources of random data in mobile devices (such as mobile phones, cryptographic smart cards, etc.). Since truly random data can still be slightly correlated, the objective is to obtain close to uniformly distributed random data for further use in mobile devices. It is the lack of really good true random sources that urges the use of weak sources together with randomness extractors, which are examined in the first half of this chapter. In the second part, we give an analysis of the platforms of mobile phones as the main target of application of randomness extractors. A mobile device is a rather limited instrument. Generally, it contains little computational power and even fewer device parts capable of gathering some randomness. Unlike a general computer, mobile devices cannot gather much randomness from user input such as the exact timing of keystrokes or movements of the mouse. Therefore, other sources must be searched for.

4.1 Smart cards

In the case of smart cards¹ the statement above holds over the top. A smart card is any pocket-sized card with embedded integrated circuits. As such, it can compute some algorithms (some restricted set), gather input and deliver output using either a contact pad or RFID² induction technology requiring only proximity to the reader device in order to communicate. These cards are already used in banking, computer security, health care and some other areas. As such, it is of critical importance to use secure protocols and keys of high quality. However, there are already good solutions [BGL+03] to generating high quality random numbers (e.g. specialized integrated circuits). Therefore, for the rest of this chapter, we will only discuss mobile phones as the main target for implementing randomness extractors.

1. The automated chip card was invented by German rocket scientist Helmut Gröttrup and his colleague Jürgen Dethloff in 1968.
2. Radio-frequency identification (RFID) is the use of an object (typically referred to as an RFID tag) applied to or incorporated into a product, animal, or person for the purpose of identification and tracking using radio waves.

4.2 Mobile phones

Modern mobile phones are still not as versatile as computers, but they already carry a lot of responsibility, especially since they gained access to the Internet. That instantly resulted in public key communication protocols and other applications of random data. Mobile phones were not built with cryptographic functionality in mind. Therefore, they often lack a dedicated true random number generator. Furthermore, most of the details regarding the TRNGs implemented in mobile phones are kept as industrial secrets. Note that this is in direct opposition to Kerckhoffs' second principle, which states that the cryptosystem used should not need to be kept secret, in contrast to the key. The situation is similar to the smart card case; however, the application field of random numbers in mobile phones is significantly larger. Only few papers regarding this topic have been published.

4.2.1 Categorization of mobile phone random sources

We know that some sort of TRNG is usually present in a mobile phone (some integrated chip), but access to that TRNG is often restricted to system applications. Since we cannot easily plug in an add-on card as in a general computer, other ways of extracting randomness are examined. A typical solution is based on some weak sources of randomness (such as the current date and time, application ID, etc.) and further use of a pseudo-random number generator. This solution is unfortunately often insecure, as reviewed in section 1.1. Another approach, considered by this thesis, is to extract randomness from weak sources and then apply randomness extractors to acquire close to uniformly distributed random numbers. In the following text we briefly examine possible sources of randomness in a mobile phone.

These sources can be divided into three categories.

1. External sources - those that are directly influenced by holder of the mobile phone (typically microphone, keyboard, camera, etc.).


2. Internal sources - those that are without direct access for a remote user (typically the random number generator on the SIM card, memory access time, noise generated by the microphone, etc.).

3. Interactive sources - those that are highly influenced by the surrounding environment (typically signal strength, battery charge, network communication, etc.).

Obviously, all of these classes are more or less influenced by the environment. Unfortunately, the most secure ones (internal sources) are typically inaccessible not only to influence, but also to measure. Therefore, in the following text we will discuss mainly external and interactive sources.

4.2.2 Analysis of available sources

As computers gather randomness from user input (keyboard, mouse), so can mobile phones. In the case of the keyboard, there is a serious disadvantage: it can run dry when the user does not use the keyboard. In reality, the keyboard is far less used on a mobile phone than on a computer. Additionally, the keyboard on a mobile phone is smaller (contains fewer buttons), thus it yields less entropy.

In modern touch-screen mobile phones, we can use pointer movement as an entropy source. According to Canalys [Alt10], the majority of smartphones now have a touchscreen. This is a better source than the keyboard, since when the phone allows this control, it is far more frequently used than the keyboard and contains more entropy. It can gather not only the exact timing of events, but also the positioning of the pointer. However, it can run dry too, and the number of touch screen phones is still not high enough for wide usage as a source.

A basic input device in a mobile phone is the microphone. This could be a rather suitable source of randomness. Nearly all mobile phones and PDAs contain an electret microphone. The drawback lies in the small frequency response usually offered by these devices³. Although much better (in the sense of frequency response range) electret microphones have been developed, the goal of the microphone in a mobile phone is to capture the human voice. Therefore, the cheaper, less effective devices are generally used. A related problem is that manufacturers do not publish detailed specifications of these components. The microphone would be a good source of

3. The frequency response of such a device is usually around 100 Hz - 10 kHz.

randomness by collecting background noise if some advanced⁴ device were embedded into the mobile phone. Of course, this sort of input can be easily influenced by an adversary. Furthermore, digitized microphone input is slightly correlated.

Nowadays, mobile phones in most cases contain a digital camera capable of taking snapshots or videos, too. A digital camera is a rather great source of entropy, since each pixel of an image takes one of $2^{\text{color depth in bits}}$ possible values. To gather randomness means to gather some noise. By gathering noise using the camera we ideally mean acquiring an image with the lens closed. The problem is that some phones do not have a lens that can be closed, or do not allow taking pictures with the lens closed. The camera as a source has two main disadvantages. Firstly, the image captured by the camera is always post-processed before being programmatically available. Secondly, it can be influenced by a range of factors. The most significant seems to be direct illumination of the CCD/CMOS chip⁵, which almost always yields the maximum value for the overexposed pixels. More on this topic is discussed in [KSM07].

From the area of interactive sources, sources like battery charge and signal strength would be of interest. However, there are significant restraints in most of the APIs used in mobile phones, reducing the information about these readings to only a small number of possible values and thus yielding low entropy. Furthermore, these values (especially signal strength) can be easily influenced by an adversary (e.g. by taking the phone out of signal range).

Another type of interactive source is network monitoring. Modern mobile phones generally support the Internet or even other network connections. It is a great entropy source. It allows monitoring of the exact timing of events, data size, protocol and other values. But again, it is too vulnerable

4. That is, with a wider frequency response range.
5. A charge-coupled device (CCD) is a device for the movement of electrical charge, usually from within the device to an area where the charge can be manipulated, for example converted into a digital value. Often the device is integrated with an image sensor, such as a photoelectric device to produce the charge that is being read, thus making the CCD a major technology for digital imaging. Complementary metal-oxide-semiconductor (CMOS) is a technology for constructing integrated circuits. CMOS technology is used in microprocessors, microcontrollers, static RAM, and other digital logic circuits. CMOS technology is also used for a wide variety of analog circuits such as image sensors, data converters, and highly integrated transceivers for many types of communication.

to an attack. Also, it can run dry if no data are present in the network.

4.3 Analysis of underlying platforms

In this section we briefly examine mobile phone platforms for the development of our random number generator. We discuss both the range of possible target devices and their security model. There are many platforms a developer can choose for his application. They are mostly mutually incompatible, i.e. an application developed for one platform does not work on another. Therefore, it is important to choose the target platform carefully in order to maximize coverage of mobile phones. The first parameter one should look at is the market share of mobile phone manufacturers. According to Gartner [VMZ+10], the largest manufacturer, Nokia, still keeps its position, but all of the top five manufacturers are losing market share to Apple and other vendors, with their combined share dropping from 79.7% in 2008 to 75.3% in 2009.

Figure 4.1: Worldwide Mobile Terminal Sales to End Users in 2009

Second thing one should consider is the fact that advanced cryptographic applications requiring some random number generator are installed by a

user almost exclusively on mobile phones offering advanced PC-like capabilities, called smartphones. In fact, there is no standard definition of a smartphone. We will stick with the following definition. A smartphone is a phone that runs complete operating system software providing a standardized interface and platform for application developers. Obviously, a smartphone is the target device. Older mobile phones that cannot be counted as smartphones usually do not support third-party applications at all, or support only very limited platforms like Java ME⁶ with only basic libraries. Again, it is worth some effort to take a look at the market share of smartphone operating systems in order to choose the most suitable platform. There are currently about seven recognizable operating systems (further OS) on the market of mobile devices such as smartphones or PDAs. Table 4.3 excludes OS-independent platforms like Java ME and platforms in development like MeeGo, Bada OS and others.

Figure 4.2: Worldwide Smartphone Sales to End Users by Operating System

According to Gartner [VMZ+10], in 2010 we can expect a strong focus around operating systems, services and applications while hardware takes a back seat.

6. Java Platform, Micro Edition, or Java ME, is a Java platform designed for mobile devices and embedded systems.

4.3.1 Symbian platform

The Symbian platform is an open source OS maintained by the Symbian Foundation, based on Symbian OS from Symbian Ltd. and including software assets like the S60 platform and parts of the UIQ and MOAP(S) user interfaces. With 46.9%, it has the largest market share of all. It lags behind other mobile platforms in the relatively small but highly visible North American market. This matches the success of its largest shareholder and customer, Nokia, in all markets except Japan. Quoting Roberta Cozza, principal research analyst at Gartner, "Symbian had become uncompetitive in recent years, but its market share, particularly on Nokia devices, is still strong. If Symbian can use this momentum, it could return to positive growth." Currently, the most widely spread version is Symbian^2. At the time of writing this thesis, Symbian^3 is being completed. Symbian^4 has been announced for the last quarter of 2010. Symbian itself is written in its own dialect of C++, Symbian C++, which was designed for low-memory, low-power devices designed to run indefinitely. Devices based on the Symbian platform offer a choice of potential programming environments, including applications written in C, both Symbian C++ and Standard C++, Java ME, Python, Ruby, Flash Lite, .NET or Qt, as well as the alternative approach of using Web technologies. Each programming environment has its advantages and limitations. There is really rich documentation of both Symbian platform development itself and application development in all mentioned languages/environments on Symbian's wiki.

The security model of the Symbian platform is described in detail in an online article [Cor09]. We only cover the basic ideas presented and further discussed there. The approach to security is quite different from well-known operating systems such as Windows or Unix. The main concept is to control what a process can do rather than what a user can do. The main reasons for this are:

• The Symbian platform is by nature mono-user, which corresponds to mobile phones being single-user devices.

• The Symbian platform provides services through independent server processes. They run at all times and are not attached to a user session.


• The Symbian platform is aimed at devices used by a large public with no technology knowledge. When installing software, the user may not have the skills to decide what permissions to grant to an application. Furthermore, with always-connected devices, the consequences of a wrong or malevolent decision may impact a domain much larger than the device itself.

The countermeasures undertaken by Symbian in order to protect the system are summarized below.

• Trusted computing platform: the computing environment is segmented into a trusted computing base (architectural elements with full access to the device) and a trusted computing environment, which subdivides system capabilities so that restricted access to them can be granted.

• Process capabilities are access tokens corresponding to a permission to undertake a sensitive action or group of actions.

• Process identification provides a way of identifying a process, reducing the need to identify applications separately.

• Data caging creates a protected part of the file system which rogue applications are not able to access.

• The software installer has been changed substantially to support the process capability model and data caging. In addition, the software installer now conforms to an appropriate Public Key Infrastructure.

• Secure backup and restore is primarily concerned with the integrity of the backup, not with the confidentiality of any data that might be stored within it.

4.3.2 BlackBerry OS

Research in Motion's (RIM's) BlackBerry OS is currently the second most popular mobile OS with 16.6% market share. This is due to the communicator originally designed for the needs of business managers, which became very popular especially in North America. Unfortunately, BlackBerry is a platform for a single manufacturer's devices. The latest version is 5.0; version 6.0 is under development without a published release date.


RIM makes it mandatory for application developers to use Java as the programming language on BlackBerry. People tend to confuse this with the technology used to develop the operating system; the BlackBerry OS itself is developed in C++. More specifically, BlackBerry devices run RIM's own version of Java Platform, Micro Edition (Java ME), which includes additional APIs. This platform is very feature-rich and allows a lot of functionality to be built into applications. Partly because of the closed source nature of BlackBerry OS, the documentation, especially about the inner logic, is sometimes not as detailed as e.g. Symbian's. On the other hand, the application programming interface (API) is highly readable and easy to navigate thanks to the Javadoc format. There is a technical overview available online [Lim09] describing the security features that BlackBerry supports. BlackBerry is primarily concerned with the security of user data, i.e. the accent is put on encryption of saved user data and secure transmission of data. To honour this principle, RIM includes an extensive cryptographic library in its API. Critical importance is given to the problem of authenticating the user and to protecting lost, stolen or replaced BlackBerry devices. Control of BlackBerry devices using IT policy rules is also dealt with, but it is on a side track next to the previous issues.

4.3.3 iPhone OS

In 2007, Apple introduced its smartphone based on iPhone OS (also known as OS X iPhone, iPhone OS X, or Apple OS) and has been steadily gaining market share since. By the end of 2009, the smartphone OS market share of iPhone OS was 14.4%. Similarly to BlackBerry OS, iPhone OS is installed only on devices produced by one manufacturer. On the other hand, iPhone OS is installed on three different types of (mobile) devices: the obvious iPhone, the iPod Touch and the recently released iPad. Unfortunately, it is not clear from any market share analysis we found whether the figure of 14.4% includes these devices or not. The iPhone OS architecture is similar to the basic architecture found in Mac OS X. The latest version, 3.2, is for iPad only; the latest iPhone version is 3.1.3, but a beta version of 4.0 was released on April 8th and it should be compatible with all new generation devices.

The OS itself is written in Objective-C, an extension of ANSI C with mostly Smalltalk-derived features. It is also the only language acceptable for developing an application for iPhone OS, and the development tools are currently only available on Mac OS X 10.5. All third-party applications must be cleared by Apple before being hosted on the App Store, the sole distribution channel for iPhone devices. After a lot of time spent searching for the iPhone OS security architecture, we were forced to abandon the search for more detailed information. There is no (at least not publicly accessible) document specifying the iPhone OS security layer. The only articles we found on the official Apple developer web site about security architecture and concepts were mixed together with Mac OS X, making it difficult to tell apart the security concepts specific to iPhone OS. Furthermore, the vast majority of information on security concepts and architecture was in general terms and for all platforms. The only interesting iPhone OS-specific security concept we found was sandboxing, which is essentially the idea of minimal permissions for an application.

4.3.4 Windows Mobile

Windows Mobile is a compact mobile operating system developed by Microsoft and designed for use in smartphones and mobile devices. It is based on Windows Embedded Compact, a minimalistic operating system for mobile devices. Even though its market share is dropping, it is still widespread in Asia. This decline is to be stopped by the new version, Windows Phone 7. Unlike BlackBerry OS and iPhone OS, Windows Mobile is installed on multiple manufacturers' smartphones. There are several options for developers to choose from when deploying a mobile application: writing native code with Visual C++, writing managed code for the .NET Compact Framework (a subset of the .NET Framework), or server-side code that can be deployed using Internet Explorer Mobile or a mobile client on the user's device. It is also possible to deploy Java ME applications, which might require installation of a Java virtual machine (JVM) if none is already present. Finally, there is a Python port named PythonCE, too.

The Windows Mobile security model provides a lightweight solution for enforcing application permissions while allowing individual service providers to determine the security policy of the devices on their networks. Windows Mobile-based smartphones are available as one-tier and two-tier devices. A one-tier device distinguishes only between signed and unsigned applications: all signed applications run privileged on the device, and privileged applications can access every aspect of the device, including system APIs and protected registry keys. A two-tier device uses the application's signature to determine whether the application runs privileged or normal: if the application is signed with a certificate in the privileged certificate store, it runs privileged; if it is signed with a certificate in the normal certificate store, it runs normal.

4.3.5 Embedded Linux

A group of companies interested in the development of Linux products formed the Embedded Linux Consortium (ELC) in order to promote Linux and develop standards for the embedded computing markets. Standards are also developed for managing the power consumption of devices, designing user interfaces, and real-time operation of embedded Linux software. One of the results of this effort is the Embedded Linux Consortium Platform Specification (ELCPS). Linux-based mobile phones are produced by multiple manufacturers, mainly Motorola, Panasonic, NEC, Samsung and Nokia. Also, many other recognized platforms are in fact based on embedded Linux, e.g. Android, the Amazon Kindle or MontaVista. Third-party applications are supported in different ways by different distributions; only native C/C++ and Java ME are present in all of them. Usually, many other programming languages can be used to create such an application, but this is specific to each distribution. The security model also differs slightly between distributions, therefore we skip this part for this class of mobile OS.

4.3.6 Android

Android was developed by Google Inc. Android is an open source, Linux-derived platform backed by Google, along with major hardware and software developers (such as Intel, HTC, ARM and eBay, to name a few), which form the Open Handset Alliance.⁷ Although it is still a very new OS (initially released on October 21, 2008), it already has a significant market share, which is expected to grow rapidly.

7. The Open Handset Alliance is a group of 47 technology and mobile companies which have come together to accelerate innovation in mobile and offer consumers a richer, less expensive, and better mobile experience.


At launch, Java was the only officially supported programming language for building distributable third-party Android software. Later an Android Native Development Kit (NDK) was released, allowing developers to build Android software with C and C++. Android also takes advantage of the large number of existing Java ME applications thanks to MicroEmulator, a pure Java implementation of the Java ME APIs (application programming interfaces). Libraries written in C and other languages can be compiled to ARM native code and installed using the Android NDK. Such native libraries are loaded from Java code running under the Dalvik VM using the System.loadLibrary call, which is part of the standard Android Java classes. The Android platform provides a rich security model that allows developers to request the capabilities, or access, needed by their application and to define new capabilities that other applications can request. The Android user can choose to grant or deny an application's request for certain capabilities on the handset. A central design point of the Android security architecture is that no application, by default, has permission to perform any operations that would adversely impact other applications, the operating system, or the user. This includes reading or writing the user's private data (such as contacts or e-mails), reading or writing another application's files, performing network access, keeping the device awake, etc.

4.4 Argumentation for chosen source and platform

Almost all sources mentioned above, microphone and camera included, are more or less vulnerable to an adversary. Once the adversary gets control over the device, this cannot really be the decisive criterion, since any external environment can easily be simulated. As the microphone and the camera seem to be the sources with the highest entropy rate, we choose one of these. Since the camera provides a higher data rate than the microphone, and therefore potentially a higher entropy (and min-entropy) yield in the same time period, we choose the camera. Based on the quick survey of target devices in the previous text, we decided to implement our extractors (together with the data acquisition function) in Java ME, as it allows our final applications to be deployed on the largest number of today's mobile devices (even those not categorized as smartphones). This includes all of the top mobile operating systems except iPhone OS and some versions of Windows Mobile.


Another factor is the speed of computation. Java is usually just-in-time (JIT) compiled at runtime by the Java Virtual Machine, but may also be compiled ahead-of-time (AOT), just like C or C++. JIT compilation is the more common; the performance of JIT-compiled code is more or less equal to that of C or C++, while startup time and memory usage are worse than with C/C++. Even though C/C++ would be much faster for low-level camera access, these languages are used in smartphone OSs in many different mutations, which makes it hard to deploy one application in multiple environments. Finally, an object-oriented language such as Java is significantly easier to read, maintain and adjust than a structured language such as C.

Chapter 5 Construction and implementation

In this chapter we first describe the implementation of the function acquiring random data from the mobile phone's camera, and then we specify in detail the construction of the two selected extractor functions and their advantages. We are especially interested in the implementation details when using Java ME. The full source code is available on the enclosed CD as well as on the web page https://sourceforge.net/projects/mobrandextract.

5.1 Device requirements

Based on the selection of the programming language, some specifics are needed from the target device. Either it has to support Java ME directly (as most pre-smartphone mobile phones do) or it has to enable installation of a JVM¹ to run our application on². In addition, the device must implement Java Specification Requests (JSRs) 118 - Mobile Information Device Profile (MIDP 2.0), 139 - Connected Limited Device Configuration (CLDC 1.1) and 135 - Mobile Media API (MMAPI 1.2). These requirements are generally met by most devices that support Java ME at all. We are trying to give a very customizable implementation, therefore we strictly use only standard Java ME APIs. For use on devices of a specific platform, one is encouraged to improve the code with that platform's Java ME libraries, as they usually offer a significant computational speed advantage over the standard. This recommendation especially applies to hardware access, i.e. gathering data from the camera.

1. JVM stands for Java Virtual Machine; it is a virtual machine model for the execution of Java bytecode.
2. This is basically what is hidden behind "supporting Java ME directly".

5. CONSTRUCTION AND IMPLEMENTATION

5.2 Processing data from camera

We obtain data from the camera and process it by our function f cyclically until a sufficient amount of data for the extractor function is gathered. The role of the function f is to provide the extractor with data of high min-entropy, i.e. the data output by f should retain sufficient min-entropy even after an adversary tampers with the device.

The basic construction of a function that distills random bits from the camera follows the model of [BKMS09], see Figure 5.1. However, using only standard Java ME, we had to modify the function f slightly.

Figure 5.1: Data acquisition from camera source.

For our implementation tests we use a Nokia N73 device running Symbian OS; the performance of the algorithm is measured on this device. The first, most limiting issue is the impossibility of gathering data directly from the view finder. Even though the view finder is present in standard Java ME, the only way to acquire data from the camera is either to record a video or to capture a snapshot. There is no direct access to the data presented in the view finder in the standard APIs, although at least BlackBerry and Android do have one. Based on this fact we decided to take a picture with the camera using the VideoControl class:

    byte[] snap = ((VideoControl) vidc).getSnapshot(encoding);

This action takes the longest time in the entire application and thus is the main critical section. The average time of this action on the Nokia N73 is between 3 and 5 seconds. However, testing on different phones shows a big diversity in the time consumed by this action; for example, a Sony Ericsson K550i is able to capture an image within 1 to 2 seconds. Unfortunately, we cannot avoid the encoding of the image in standard Java ME. Therefore, we choose a lossless encoding, e.g. PNG or BMP.


By specification, the default encoding of an image in Java ME is PNG and thus it is the best choice for all mobile phones supporting MMAPI. Even though other encodings like RGB888 would be significantly better, because we could skip the next step, no tested device actually supported such encodings. PNGs come in a variety of flavours (e.g. direct colour model or indexed colour model). Therefore, we cannot really extract the data from snap directly, because we do not know the exact model implemented by an arbitrary device; moreover, snap contains a header and some ancillary information. Thus, for direct work with the image pixels we first have to create the image out of snap:

    Image image = Image.createImage(snap, 0, snap.length);

This is the second most time-consuming action in the entire application, taking approximately 500 to 900 ms. However, it can be avoided by using the previously mentioned RGB888 encoding or further knowledge of the layout of the given encoding. After we acquire the image, we can finally process it using our function f. For this purpose we implemented the class ImageProcessor, which we describe below. ImageProcessor has 4 constructors allowing the user to set up two properties, squareDimension and nonNeighborsTogether (see their function below). ImageProcessor also exposes a single method process, which deterministically computes the outcome for the given image. The method process also comes with an overload allowing an offset to be introduced in the pixels that are selected to form the output. The method process basically only calls 4 methods, where the result of the last one is the result of f:

    int[] rgbs = getPixels(imageOffset);
    byte[] columns = xorColumns(rgbs);
    byte[] nonNeighborColumns = xorNonNeighborColumns(columns);
    boolean[] result = xorEachByte(nonNeighborColumns);

The first method, getPixels, divides the image given in the constructor into squares of squareDimension × squareDimension pixels³ and returns the ARGB⁴ value of one pixel from each square. From each square the pixel is taken from a position that has both coordinates different from those used in each neighbouring square. For that, the following code is used, yielding the position of the pixel within the given square:

    int width = ((i + (2 * j)) + imageOffset) % squareDimension;
    int height = (((2 * i) + j) + imageOffset) % squareDimension;

The result of getPixels can be viewed as a new image of dimensions ⌊image.getWidth()/squareDimension⌋ × ⌊image.getHeight()/squareDimension⌋ without ancillary information. The values i and j are the current row (height) and column (width) of the pixel in the resulting image, respectively. This new image is then taken by the method xorColumns and the RGB values of all pixels in a column are XORed together. The alpha value is left out, because the ARGB values of the image returned by the Java ME method getRGB depend on the device's display capabilities: on devices that do not support alpha blending the alpha value will be 0xFF for opaque pixels and 0x00 for all other pixels, while on devices that support alpha blending the alpha channel values may be resampled to reflect the number of levels of semitransparency supported. Also, the method getRGB is slow⁵, so instead of grabbing each pixel's values by this method individually, we take all the pixels' RGB values at once and extract the selected pixels from that array. After each column is XORed into one byte, we XOR several non-neighbouring columns together using the method xorNonNeighborColumns. The number of columns XORed together is given by the property nonNeighborsTogether. Thus for 23 columns and nonNeighborsTogether = 3 we XOR together the columns (1, 8, 15, 22), (2, 9, 16, 23), (3, 10, 17), (4, 11, 18), (5, 12, 19), (6, 13, 20) and (7, 14, 21). Finally, using xorEachByte we XOR together the bits of each byte, resulting in one bit per byte.

3. In case the image width or height modulo squareDimension > 0, the leftover rows and columns are omitted.
4. RGB colour model with extra information, so-called alpha blending, in 0xAARRGGBB format.

Our implementation uses the default resolution of the image taken from the camera of 640 × 480 pixels (width times height), squareDimension = 5 and nonNeighborsTogether = 3. Therefore, after getPixels we get an image of resolution 128 × 96, i.e. 12288 pixels of 4-byte values. After xorColumns we get only 128 bytes. The xorNonNeighborColumns method transforms this amount of data into 42 bytes, which are then XORed into 42 bits. All the processing together with the snapshot takes approximately 5 to 6 seconds. To improve the independence of the selected pixels we increase the imageOffset parameter of the method getPixels for each image.

5. A Nokia-specific method, DirectGraphics.getPixels, can be a little faster.


A successful attack would require the capability of predicting and controlling all bits used to construct the outcome. That is especially difficult given that many specifics of CCD/CMOS sensor processing are kept secret, although this secrecy should not be relied upon as a security guarantee.
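The following is an added Python example written for this edit, not the thesis's Java ME ImageProcessor class, that reproduces the processing function f described in this section on a flat array of 0xAARRGGBB integers (the form in which Image.getRGB returns pixels). The names select_pixels, column_groups and distill are this example's own, and the camera frame is a constructed pseudo-random array standing in for a real snapshot. The column grouping rule it uses, stride ⌊columns / nonNeighborsTogether⌋, is the one inferred from the (1, 8, 15, 22), ... example above; with it the 128 columns of the default configuration yield 42 bytes and 42 bits.

```python
"""Distilling function f from Section 5.2 (getPixels -> xorColumns ->
xorNonNeighborColumns -> xorEachByte) in plain Python, operating on a flat
list of 0xAARRGGBB ints as Image.getRGB would return them."""
import random
from typing import List, Tuple


def select_pixels(argb: List[int], width: int, height: int,
                  square_dimension: int, image_offset: int = 0) -> Tuple[List[int], int, int]:
    """One pixel per square_dimension x square_dimension square. The in-square
    position (wx, hy) follows the thesis formulas, so neighbouring squares pick
    pixels that differ in both coordinates. Leftover rows/columns are dropped."""
    if square_dimension < 1 or len(argb) != width * height:
        raise ValueError("argb must hold exactly width*height pixels")
    cols, rows = width // square_dimension, height // square_dimension
    out = []
    for i in range(rows):            # i: row of the reduced image
        for j in range(cols):        # j: column of the reduced image
            wx = (i + 2 * j + image_offset) % square_dimension
            hy = (2 * i + j + image_offset) % square_dimension
            out.append(argb[(i * square_dimension + hy) * width + j * square_dimension + wx])
    return out, cols, rows


def xor_columns(rgbs: List[int], cols: int, rows: int) -> List[int]:
    """XOR the R, G and B bytes of every pixel in a column into one byte.
    The alpha byte is skipped because its value is device dependent."""
    result = []
    for j in range(cols):
        acc = 0
        for i in range(rows):
            p = rgbs[i * cols + j]
            acc ^= ((p >> 16) & 0xFF) ^ ((p >> 8) & 0xFF) ^ (p & 0xFF)
        result.append(acc)
    return result


def column_groups(num_columns: int, non_neighbors_together: int) -> List[List[int]]:
    """0-based column indices XORed together: stride g = num_columns // n,
    group k = {k,k+g,k+2g,...}. For 23 columns and n = 3 this gives the
    thesis's groups (1,8,15,22), (2,9,16,23), (3,10,17), ..., (7,14,21)."""
    if non_neighbors_together < 1 or num_columns < non_neighbors_together:
        raise ValueError("need at least non_neighbors_together columns")
    stride = num_columns // non_neighbors_together
    return [list(range(k, num_columns, stride)) for k in range(stride)]


def xor_non_neighbor_columns(columns: List[int], non_neighbors_together: int) -> List[int]:
    out = []
    for group in column_groups(len(columns), non_neighbors_together):
        acc = 0
        for idx in group:
            acc ^= columns[idx]
        out.append(acc)
    return out


def xor_each_byte(values: List[int]) -> List[int]:
    """Parity of each byte: one output bit per byte."""
    return [bin(v & 0xFF).count("1") & 1 for v in values]


def distill(argb: List[int], width: int, height: int, square_dimension: int = 5,
            non_neighbors_together: int = 3, image_offset: int = 0) -> List[int]:
    """The whole function f: 640x480 -> 128x96 pixels -> 128 bytes -> 42 bytes -> 42 bits."""
    rgbs, cols, rows = select_pixels(argb, width, height, square_dimension, image_offset)
    columns = xor_columns(rgbs, cols, rows)
    return xor_each_byte(xor_non_neighbor_columns(columns, non_neighbors_together))


def constructed_frame(width: int, height: int, seed: int = 1) -> List[int]:
    """Constructed stand-in for a camera snapshot (pseudo-random ARGB values);
    a real run would pass the output of Image.getRGB here instead."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(width * height)]


if __name__ == "__main__":
    frame = constructed_frame(640, 480)
    bits = distill(frame, 640, 480)
    print(len(bits), "bits:", "".join(map(str, bits)))
```

Increasing image_offset between frames, as the thesis does, changes which pixel each square contributes; with the constructed frame the selection for offset 1 differs from that for offset 0, and each call is otherwise deterministic in its input.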

5.3 Implementation of shift register hash based extractor

The Shift Register Hash was suggested by Impagliazzo and Zuckerman in [IZ89]. It is a good function for our purposes, because it is straightforward to build a universal₂ class of hash functions from it and it is very efficient to implement.

The definition of the Shift Register Hash follows. Let $r = r_1 r_2 \ldots r_n$ and $x = x_1 x_2 \ldots x_n$, with $x, r \in \{0,1\}^n$. Let $r \cdot x$ denote the scalar product of $r$ and $x$, i.e., $r \cdot x = 1$ iff the number of bit positions $i$, $1 \le i \le n$, where $r_i = x_i = 1$ is odd, and $r \cdot x = 0$ otherwise. For $1 \le l \le n$, let $r^{(l)}$ denote the left bit rotation of $r$ by $l$ positions, i.e., $r^{(l)} = r_{l+1} r_{l+2} \ldots r_n r_1 r_2 \ldots r_l$. We define the $m$-convolution of $r$ on $x$ as the bit string $r(x)_m = r \cdot x,\; r^{(1)} \cdot x,\; \ldots,\; r^{(m-1)} \cdot x$.

For the construction of a universal₂ class of hash functions, consider the following. Let $p$ be a prime such that 2 is a primitive root modulo $p$, and let $n = p - 1$. Let $C_{n,m} = \{h_r \mid r \in \{0,1\}^p\}$, where $h_r : \{0,1\}^n \to \{0,1\}^m$ and $h_r(y) = r(1 \circ y)_m$, with $\circ$ denoting the concatenation of bit strings (so that $1 \circ y$ has $p$ bits, like $r$). Then the class of functions $C_{n,m}$ is universal₂. This result is due to [IZ89].

We want the statistical distance of the output to the uniform distribution to be at most $\varepsilon \le 2^{-64}$. From Theorem 3.12 we get that for $l = 2^{20}$ repetitions we need to set $e \ge 84$ in order to achieve the required statistical distance. We set the default value of the prime with primitive root 2 to $p = 853$. As the exact min-entropy of our data acquiring function is not known⁶, for now we follow the previous results from [BKMS09] and assume a min-entropy of at least $\lg 2^{28} = 28$ bits per 32-bit sample. Then the output length of the extractor for an input of $852/32$ thirty-two bit samples is
$$m = k - 2e = \lfloor \lg(2^{28}) \cdot (852/32) - 168 \rfloor = \lfloor 577.5 \rfloor = 577.$$
Compare this result to the theoretical upper bound $m \le t + k - 2\log(1/\varepsilon) = 852 + \lg(2^{28}) - 2\lg(2^{64}) = 752$.

The implementation is straightforward. We implement the class ShiftRegisterHash with three properties. outputLength defines the number of output bits produced by one computation, i.e. the length of the outputLength-convolution. The parameter x stands for the weak source output and the parameter r is the initial random seed. After initializing the class, one has to fill the parameters x and r and call the method convolution, which performs the outputLength-convolution and returns the outcome:

    ShiftRegisterHash srh = new ShiftRegisterHash();
    srh.set_x(someParameter);
    srh.set_r(someOtherParameter);
    result = srh.convolution();

6. Determining the exact min-entropy is left as future work, possibly for another thesis.

For a better understanding of the usage of the class see Figure 5.2.

Figure 5.2: Work schema of ShiftRegisterHash class. [Diagram: the weak source input (WS) and the truly random input (TR) feed the convolution of the given hash length; labels "waiting output if repetitions ≤ l" and "compute new output if repetitions > l".]

For parametrisability of the function we also included several helper methods in the class. Mainly, it is

    boolean isPrimitiveRootModPrime(int prime, int possibleRoot);

This method verifies whether possibleRoot is a primitive root modulo prime. In our construction, possibleRoot should always equal 2. Furthermore, there is a method

    public int computeOutputLength(float minEntropy, int prime, int imageDataLength, int e);

together with an overload with an integer instead of a float as the first parameter, computing the output length m for the given parameters. The difference between these two methods is whether the user supplies the logarithm of the min-entropy already computed or not.


As already mentioned, the computation is very fast. That is due to the fact that the only operations performed are bit rotations and scalar products of bit strings, i.e. bitwise AND followed by addition modulo 2 (parity). Given this fact, we are only limited by our rate of data acquisition. Since we expect each frame to return 32 bits, we extract approximately 21 bits per frame with statistical distance at most $\varepsilon \le 2^{-64}$ from the uniform distribution.
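As an added example for this section (Python written for this edit, not the thesis's Java ME ShiftRegisterHash class), the following implements the $m$-convolution, the universal₂ construction $h_r(y) = r(1 \circ y)_m$ with $r \in \{0,1\}^p$, the primitive-root test behind isPrimitiveRootModPrime, and the output-length formula $m = \lfloor k - 2e \rfloor$ behind computeOutputLength. It also contains a brute-force universality check for a tiny prime, which is the example's own addition: for $p = 5$ (where 2 is a primitive root) and $m = 3$ it counts, over all $2^p$ seeds, how many seeds make two distinct inputs collide, and the count never exceeds $2^p / 2^m = 4$. Function names are this example's own; bit strings are represented as Python ints with $r_1$ as the most significant of the $n$ bits.

```python
"""Shift Register Hash of Impagliazzo and Zuckerman (Section 5.3) on Python
ints. A bit string r = r_1 ... r_n is an int whose most significant of n bits
is r_1, so the "left rotation" of the definition is a left rotation of the int."""
import math
from typing import List


def is_prime(n: int) -> bool:
    """Trial division; the primes used here (e.g. 853) are small."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def is_primitive_root_mod_prime(prime: int, possible_root: int) -> bool:
    """possible_root generates Z_p^* iff root^((p-1)/q) != 1 (mod p) for every
    prime factor q of p-1 (p-1 is factored by trial division)."""
    if not is_prime(prime):
        raise ValueError("prime must be a prime number")
    order, rest, factors, d = prime - 1, prime - 1, set(), 2
    while d * d <= rest:
        while rest % d == 0:
            factors.add(d)
            rest //= d
        d += 1
    if rest > 1:
        factors.add(rest)
    root = possible_root % prime
    return root != 0 and all(pow(root, order // q, prime) != 1 for q in factors)


def rotate_left(r: int, n: int, l: int) -> int:
    """r^(l): the n-bit string r rotated left by l positions."""
    l %= n
    mask = (1 << n) - 1
    return ((r << l) | (r >> (n - l))) & mask


def dot(r: int, x: int) -> int:
    """r . x: 1 iff the number of positions where both bits are 1 is odd."""
    return bin(r & x).count("1") & 1


def convolution(r: int, x: int, n: int, m: int) -> List[int]:
    """m-convolution r(x)_m = (r.x, r^(1).x, ..., r^(m-1).x) of n-bit strings."""
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    return [dot(rotate_left(r, n, l), x) for l in range(m)]


def shift_register_hash(r: int, y: int, prime: int, m: int) -> List[int]:
    """h_r(y) = r(1 o y)_m with n = p-1, r in {0,1}^p and y in {0,1}^n.
    The class {h_r} is universal_2 when 2 is a primitive root modulo p."""
    n = prime - 1
    if not is_primitive_root_mod_prime(prime, 2):
        raise ValueError("2 must be a primitive root modulo p")
    if not (0 <= r < (1 << prime) and 0 <= y < (1 << n)):
        raise ValueError("r must have p bits and y must have p-1 bits")
    return convolution(r, (1 << n) | y, prime, m)


def compute_output_length(min_entropy_per_sample: float, prime: int,
                          sample_bits: int, e: int) -> int:
    """m = floor(k - 2e), where k = (min-entropy per sample) * (p-1)/sample_bits
    is the min-entropy of a (p-1)-bit input built from sample_bits-bit samples."""
    k = min_entropy_per_sample * (prime - 1) / sample_bits
    return math.floor(k - 2 * e)


def max_collisions(prime: int, m: int) -> int:
    """Brute-force universality check for a tiny p: the largest number of seeds r
    for which two distinct inputs collide. universal_2 means at most 2^p / 2^m."""
    n = prime - 1
    worst = 0
    for y in range(1 << n):
        for y2 in range(y + 1, 1 << n):
            hits = sum(1 for r in range(1 << prime)
                       if shift_register_hash(r, y, prime, m) == shift_register_hash(r, y2, prime, m))
            worst = max(worst, hits)
    return worst


if __name__ == "__main__":
    print("2 is a primitive root mod 853:", is_primitive_root_mod_prime(853, 2))
    print("output length m for p=853, 28 bits per 32-bit sample, e=84:",
          compute_output_length(28, 853, 32, 84))
    print("worst-case collisions for p=5, m=3:", max_collisions(5, 3), "<=", 2 ** (5 - 3))
```

Because the convolution is linear in x, XORing two inputs XORs their hashes; this is also why the brute-force check only needs the difference of the two inputs to have a leading 0 and be nonzero for the bound to hold.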

5.4 Implementation of Evaluation Hash based extractor

The second extractor construction is based on the Evaluation Hash proposed by Shoup [Sho96] and then used in [BMT+06] for an authentication algorithm. We basically implement the algorithm described in [BMT+06], as there is no implementation publicly available and it has some interesting properties for a number of applications. These properties are:

• It is computationally efficient,

• the parameters can vary in a wide range, and

• it can start the computation before the whole input is known.

The definition of the Evaluation Hash follows. The evaluation hash views the input as a polynomial $M(t)$ of degree less than $n$ over $GF(2^l)$. The hash key is a random element $\alpha \in GF(2^l)$. The hash value is $M(\alpha)\cdot\alpha \in GF(2^l)$. This family of hash functions is $\varepsilon$-AXU with $\varepsilon \approx n/2^l$.

Again, we want to achieve a statistical distance of the output distribution from the uniform distribution of at most $\varepsilon \le 2^{-64}$, and therefore the parameter $l$ should be at least $l \ge 64$. In our implementation, we view $GF(2^l)$ as $GF(2)[x]/(f(x))$ for some irreducible polynomial $f(x)$ of degree $l$. Based on the fact that mobile phones generally use 16- or 32-bit architectures, we select $l$ as a multiple of 16. Furthermore, for efficiency it is suitable to select $f(x)$ in the form $f(x) = x^l + f_0(x)$, where $f_0(x)$ is some small polynomial. For example, let $l = 64$; then a suitable choice is $f(x) = x^{64} + x^4 + x^3 + x + 1$. In the class Helper we offer several preselected suitable irreducible polynomials for orders that are multiples of 32 up to 256. To compute the result of the evaluation hash for an input $M(t) \in GF(2^l)[t]$ at the point $\alpha$, we have to evaluate $M(t)$ at $t = \alpha$ and multiply the result by $\alpha$. We use Horner's rule:
$$M(t) = \sum_{i=0}^{n} m_i t^i,$$
$$M(\alpha)\cdot\alpha = \Big(\big(\cdots\big((m_n \alpha + m_{n-1})\alpha + m_{n-2}\big)\alpha + \cdots\big)\alpha + m_0\Big)\alpha \pmod{f(x)}.$$
Obviously, the critical section is the multiplication, since addition of two polynomials over $\mathbb{Z}_2$ modulo some primitive polynomial does not change the degree of the resulting polynomial and can be implemented as bitwise XOR. Next, we explain how to implement an efficient multiplication for our purposes. Because the only multiplications appearing in the evaluation of $M(t)$ are multiplications by the fixed $\alpha$, we can precompute two tables for all nontrivial multiplications (i.e. those whose result exceeds the polynomial degree $l$ before reduction). Performing a multiplication is then transformed into looking up the corresponding entries in these tables. We compute these tables upon the initialization of the class EvaluationHash:

    public EvaluationHash(int l, GaloisPolynomial primitivePolynomial, GaloisPolynomial hashKeyPolynomial);

Note that the class GaloisPolynomial is basically a wrapper around an array of boolean values representing the polynomial over GF(2), with several extension methods. We proceed with $l = 64$; where needed, we mention specifics for dealing with other values. Both tables in our application are stored in Vector instances, which implement a dynamic array of objects. This approach even lowers the space requirements in comparison to the originally proposed array of 16-bit entries, as most of these entries do not reach degree 15 in the represented polynomial. Furthermore, using this class instead of an array of 16-bit entries proves most useful when dealing with larger $l$ such as 256, where there is no suitable small $f_0(x)$ and thus the entries would be longer. The first table, Table1, stores the outcomes of

$$v(x) \mapsto v(x)\cdot x^{64} \bmod f(x)$$
for all polynomials $v(x)$ of degree less than 8. Thus in the worst case the table would have 16 bits for each of its 256 entries because of the special form of $f(x)$, i.e. a total of 512 bytes of memory. Note that thanks to the Vector class storing objects rather than arrays we can do better. The second table, Table2, stores the outcomes of
$$v(x) \mapsto v(x)\cdot a(x) \bmod f(x)$$
for all polynomials $v(x)$ of degree less than 8, where $\alpha \equiv a(x) \pmod{f(x)}$. It has 256 entries of up to $l$ bits, in the current scenario 64. Computing this table is the main critical section of this implementation, but it increases the throughput of the hash function approximately three times. Now we can use these two tables to evaluate the multiplication modulo $f(x)$ as follows. To compute the product $a(x)\cdot b(x)$, where $b(x) \in GF(2^{64})$, let us write $b(x) = \sum_{i=0}^{7} b_i(x)\, x^{8i}$, where each $b_i(x)$ is a polynomial of degree less than 8, and let $c(x) = 0$. Then do the following:
$$\text{for } i \leftarrow 7 \text{ down to } 0 \text{ do}\quad c(x) \leftarrow c(x)\cdot x^{8} + b_i(x)\cdot a(x) \pmod{f(x)}.$$
Here $c(x)\cdot x^8$ is reduced with Table1 (the 8 coefficients of $c(x)$ pushed past degree 63 form the $v(x)$ that is looked up) and $b_i(x)\cdot a(x)$ is looked up directly in Table2.

In the case of $l \ne 64$ it is only required to set the maximal value of $i$ to $l/8 - 1$. After initialization of the class EvaluationHash, the user has to call the method computeHornerScheme, which returns the hash output for a single polynomial, the input of $l$ bits in the form of a boolean array⁷:

    public boolean[] computeHornerScheme(GaloisPolynomial inputPolynomial) {
        GaloisPolynomial c = new GaloisPolynomial(new boolean[0]); // c(x) = 0
        GaloisPolynomial temp;
        boolean[] b_i = new boolean[EIGHT];
        boolean[] coefs = inputPolynomial.getCoefs(L);
        // process b(x) byte by byte, from b_{L/8-1}(x) down to b_0(x)
        for (int i = L / EIGHT - 1; i >= 0; i--) {
            System.arraycopy(coefs, i * EIGHT, b_i, 0, EIGHT);
            c = multiplyByX8(c);                                    // c(x) * x^8 mod f(x), via Table1
            temp = multiplySmallByAlpha(new GaloisPolynomial(b_i)); // b_i(x) * a(x) mod f(x), via Table2
            c = new GaloisPolynomial(sum(temp, c));                 // addition over GF(2) is XOR
        }
        return c.getCoefs(L);
    }

7. Even though the size of this primitive data type is not precisely defined in Java (a JVM typically stores a boolean in one byte), it represents exactly one bit. Additionally, this representation makes it much easier to work with the abstract polynomial.
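As an added, runnable illustration of this section (Python written for this edit, not the thesis's Java ME EvaluationHash class), the following builds the two tables for $f(x) = x^{64} + x^4 + x^3 + x + 1$, performs the byte-wise multiplication by the fixed key $\alpha$ through them exactly as in the loop above, and chains Horner steps so that blocks can be fed before the whole message is known, which is the third property listed for this hash. The key and message blocks are constructed values; the shift-and-add gf_mul_ref is included only as an independent reference against which the table-driven product is checked. Class and function names are this example's own.

```python
"""Evaluation hash over GF(2^l) from Section 5.4, with multiplication by the
fixed key alpha done through the two 256-entry tables. A polynomial over GF(2)
is an int whose bit i is the coefficient of x^i; f(x) = x^l + f0(x)."""
from typing import Iterable


def clmul(a: int, b: int) -> int:
    """Carry-less product a(x) * b(x) in GF(2)[x], without reduction."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def gf_mul_ref(a: int, b: int, l: int = 64, f0: int = 0x1B) -> int:
    """Reference shift-and-add multiplication modulo f(x) = x^l + f0(x)."""
    mask = (1 << l) - 1
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> l:                 # degree reached l: x^l = f0(x) mod f(x)
            a = (a & mask) ^ f0
    return r


class EvaluationHash:
    """h_alpha(M) = M(alpha) * alpha via Horner's rule. Blocks can be fed one at a
    time with update(), so hashing starts before the whole input is known."""

    def __init__(self, alpha: int, l: int = 64, f0: int = 0x1B):
        # default f(x) = x^64 + x^4 + x^3 + x + 1, i.e. f0 = 0b11011 = 0x1B
        if l % 8 or f0.bit_length() > l - 8:
            raise ValueError("l must be a multiple of 8 and f0 small enough for Table1")
        self.l, self.f0, self.mask = l, f0, (1 << l) - 1
        if not 0 <= alpha <= self.mask:
            raise ValueError("alpha must be an element of GF(2^l)")
        self.alpha = alpha
        # Table1: v(x) -> v(x) * x^l mod f(x) = v(x) * f0(x)      (deg v < 8)
        self.table1 = [clmul(v, f0) for v in range(256)]
        # Table2: v(x) -> v(x) * a(x) mod f(x), a(x) = alpha     (deg v < 8)
        self.table2 = [gf_mul_ref(v, alpha, l, f0) for v in range(256)]
        self.acc = 0

    def _mul_by_x8(self, c: int) -> int:
        """c(x) * x^8 mod f(x): the 8 coefficients pushed past degree l-1 form
        v(x); v(x) * x^l is folded back in through Table1."""
        high = (c >> (self.l - 8)) & 0xFF
        return ((c << 8) & self.mask) ^ self.table1[high]

    def mul_alpha(self, b: int) -> int:
        """b(x) * alpha mod f(x) with b = sum_i b_i(x) x^{8i}:
        for i = l/8-1 down to 0: c = c*x^8 + b_i(x)*a(x)  (mod f(x))."""
        c = 0
        for i in range(self.l // 8 - 1, -1, -1):
            b_i = (b >> (8 * i)) & 0xFF
            c = self._mul_by_x8(c) ^ self.table2[b_i]
        return c

    def update(self, block: int) -> "EvaluationHash":
        """Horner step acc = acc * alpha + m_i; blocks arrive highest coefficient first."""
        self.acc = self.mul_alpha(self.acc) ^ (block & self.mask)
        return self

    def digest(self) -> int:
        """M(alpha) * alpha for the blocks fed so far."""
        return self.mul_alpha(self.acc)

    def hash(self, blocks: Iterable[int]) -> int:
        """One-shot hash of [m_n, ..., m_0]."""
        self.acc = 0
        for block in blocks:
            self.update(block)
        return self.digest()


if __name__ == "__main__":
    # constructed key and message blocks, not values taken from the thesis
    eh = EvaluationHash(alpha=0x9E3779B97F4A7C15)
    print(hex(eh.hash([0xDEADBEEFCAFEBABE, 0x0F1E2D3C4B5A6978])))
```

Table1 entries never exceed 12 bits for this $f(x)$ (degree < 8 times degree 4), which is the "special form of f(x)" the thesis relies on; for a larger $l$ whose $f_0(x)$ is not small the entries grow, as the text notes for $l = 256$.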

Chapter 6 Conclusion

Possible future work includes several options. Mainly, there should be an evaluation of the min-entropy provided by our weak source; currently, we are generating data on which to perform the analysis. Following this, we could perform statistical tests of the quality of the implemented extractors. Furthermore, we could increase the number of implemented extractors in order to provide a comprehensive cryptographic library of these functions, similar to Bouncy Castle. From the theoretical point of view, there are still open problems, such as the construction of an extractor against quantum storage with logarithmic seed length and arbitrarily small polynomial error. However, that is a significantly more difficult task and is beyond our current expertise.

List of Tables

1.1 Randomized complexity classes ...... 9
2.1 Characteristics comparison ...... 15
2.2 Suitability of random number generators ...... 15

List of Figures

1.1 PHP rand() on Microsoft Windows ...... 6
4.1 Worldwide Mobile Terminal Sales to End Users in 2009 ...... 34
4.2 Worldwide Smartphone Sales to End Users by Operating System ...... 35
5.1 Data acquisition from camera source ...... 44
5.2 Work schema of ShiftRegisterHash class ...... 48

Bibliography

[AKS02] Manindra Agrawal, Neeraj Kayal, and Nitin Saxena. PRIMES is in P. Annals of Mathematics, 160(2):781–793, 2004.

[Alt10] Canalys. Majority of smart phones now have touch screens – Research also shows leading smart phone vendors have highest user loyalty. Press release, Canalys, Palo Alto, 2010.

[Bel08] Luciano Bello. OpenSSL predictable random number generator. Debian Security Advisory DSA-1571, 2008. Available from: http://www.debian.org/security/2008/dsa-1571 [cited 17.5.2010].

[BGL+03] Marco Bucci, Lucia Germani, Raimondo Luzzi, Alessandro Trifiletti, and Mario Varanonuovo. A High-Speed Oscillator-Based Truly Random Number Source for Cryptographic Applications on a Smart Card IC. IEEE Transactions on Computers, 52(4):403–409, 2003. doi:10.1109/TC.2003.1190581.

[BIW04] Boaz Barak, Russell Impagliazzo, and Avi Wigderson. Extracting Randomness Using Few Independent Sources. In FOCS '04: Proceedings of the 45th Annual IEEE Symposium on Foundations of Computer Science, pages 384–393, Washington, DC, USA, 2004. IEEE Computer Society. doi:10.1109/FOCS.2004.29.

[BKMS09] Jan Bouda, Jan Krhovjak, Vashek Matyas, and Petr Svenda. Towards True Random Number Generation in Mobile Environments. In NordSec '09: Proceedings of the 14th Nordic Conference on Secure IT Systems, pages 179–189, Berlin, Heidelberg, 2009. Springer-Verlag. doi:10.1007/978-3-642-04766-4_13.

[Blu84] M. Blum. Independent Unbiased Coin Flips From A Correlated Biased Source: A Finite State Markov Chain. In SFCS '84: Proceedings of the 25th Annual Symposium on Foundations of Computer Science, pages 425–433, Washington, DC, USA, 1984. IEEE Computer Society. doi:10.1109/SFCS.1984.715944.

[BMT+06] Jan Bouda, Oliver Maurhart, Thomas Themel, Stephan Jank, Philipp Pluch, and Rajagopal Nagarajan. Encryption and authentication in SECOQC. 2006.

[CG88] Benny Chor and Oded Goldreich. Unbiased bits from sources of weak randomness and probabilistic communication complexity. SIAM Journal on Computing, 17(2):230–261, 1988. doi:10.1137/0217015.

[CGH+85] Benny Chor, Oded Goldreich, Johan Håstad, Joel Friedman, Steven Rudich, and Roman Smolensky. The bit extraction problem or t-resilient functions. In SFCS '85: Proceedings of the 26th Annual Symposium on Foundations of Computer Science, pages 396–407, Washington, DC, USA, 1985. IEEE Computer Society. doi:10.1109/SFCS.1985.55.

[CK97] Zhi-Zhong Chen and Ming-Yang Kao. Reducing randomness via irrational numbers. In STOC '97: Proceedings of the twenty-ninth annual ACM symposium on Theory of computing, pages 200–209, New York, NY, USA, 1997. ACM. doi:10.1145/258533.258583.

[Cor09] Nokia Corporation. Symbian OS v9 Security Architecture, 2009. Available from: http://developer.symbian.org/main/documentation/reference/s%5E3/doc_source/guide/platsec/SGL.SM0007.013_Rev2.0_Symbian_OS_Security_Architecture._doc.html#common%2fdeveloperlibrary%2fdoc_source%2fDevGuides%2fplatsec%2fSGL%2eSM0007%2e013_Rev2%2e0_Symbian_OS_Security_Architecture%2edoc [cited 17.5.2010].

[CRVW02] Michael Capalbo, Omer Reingold, Salil Vadhan, and Avi Wigderson. Randomness conductors and constant-degree lossless expanders. In STOC '02: Proceedings of the thirty-fourth annual ACM symposium on Theory of computing, pages 659–668, New York, NY, USA, 2002. ACM. doi:10.1145/509907.510003.

[CW79] Larry Carter and Mark N. Wegman. Universal classes of hash functions. Journal of Computer and System Sciences, 18(2):143–154, 1979.

[CW89] A. Cohen and A. Wigderson. Dispersers, deterministic amplification, and weak random sources. In SFCS '89: Proceedings of the 30th Annual Symposium on Foundations of Computer Science, pages 14–19, Washington, DC, USA, 1989. IEEE Computer Society. doi:10.1109/SFCS.1989.63449.

[DORS08] Yevgeniy Dodis, Rafail Ostrovsky, Leonid Reyzin, and Adam Smith. Fuzzy extractors: How to generate strong keys from biometrics and other noisy data. SIAM Journal on Computing, 38(1):97–139, 2008. doi:10.1137/060651380.

[Eli72] Peter Elias. The efficient construction of an unbiased random sequence. The Annals of Mathematical Statistics, 43(3):865–870, 1972.

[GGK03] William Gasarch, Evan Golub, and Clyde Kruskal. Constant time parallel sorting: an empirical view. Journal of Computer and System Sciences, 67(1):63–91, 2003. doi:10.1016/S0022-0000(03)00040-0.

[GM84] Shafi Goldwasser and Silvio Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28(2):270–299, 1984. Available from: http://www.sciencedirect.com/science/article/B6WJ0-4B4RWB9-17/2/3926c7a6afdab2e2dda0b6fdead72b4e [cited 17.5.2010]. doi:10.1016/0022-0000(84)90070-9.

[GUV09] Venkatesan Guruswami, Christopher Umans, and Salil Vadhan. Unbalanced expanders and randomness extractors from Parvaresh–Vardy codes. Journal of the ACM, 56(4):1–34, 2009. doi:10.1145/1538902.1538904.

[GW96] Ian Goldberg and David Wagner. Randomness and the Netscape browser. Dr. Dobb's Journal, January 1996.

[GZ97] Oded Goldreich and David Zuckerman. Another proof that BPP ⊆ PH (and more). Electronic Colloquium on Computational Complexity (ECCC), 4(45), 1997.

[ILL89] R. Impagliazzo, L. A. Levin, and M. Luby. Pseudo-random generation from one-way functions. In STOC '89: Proceedings of the twenty-first annual ACM symposium on Theory of computing, pages 12–24, New York, NY, USA, 1989. ACM. doi:10.1145/73007.73009.

[IZ89] Russell Impagliazzo and David Zuckerman. How to recycle random bits. In Proceedings of the 30th IEEE Symposium on Foundations of Computer Science, pages 248–253, 1989.

[JvOPCA01] Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook of Applied Cryptography. CRC Press, United States of America, 2001.

[Kar72] R. Karp. Reducibility among combinatorial problems. In R. Miller and J. Thatcher, editors, Complexity of Computer Computations, pages 85–103. Plenum Press, 1972.

[KLRZ08] Yael Tauman Kalai, Xin Li, Anup Rao, and David Zuckerman. Network extractor protocols. In FOCS '08: Proceedings of the 49th Annual IEEE Symposium on Foundations of Computer Science, pages 654–663, Washington, DC, USA, 2008. IEEE Computer Society. doi:10.1109/FOCS.2008.73.

[Kra94] Hugo Krawczyk. LFSR-based Hashing and Authentication. In CRYPTO '94: Proceedings of the 14th Annual International Cryptology Conference on Advances in Cryptology, pages 129–139, London, UK, 1994. Springer-Verlag.

[Krh09] Jan Krhovják. Cryptographic random and pseudorandom data generators. PhD thesis, Faculty of Informatics, Masaryk University, Brno, 2009.

[KSM07] Jan Krhovjak, Petr Svenda, and Vaclav Matyas. The sources of randomness in mobile devices. In Proceedings of the 12th Nordic Workshop on Secure IT-systems, pages 73–84. Reykjavik University, 2007.

[KSW+88] John Kelsey, Bruce Schneier, David Wagner, and Chris Hall. Cryptanalytic attacks on pseudorandom number generators. In Fast Software Encryption, Fifth International Workshop (FSE '98), pages 168–188. Springer-Verlag, 1998.

[Lim09] Research In Motion Limited. BlackBerry Enterprise Solution, Version 5.0: Security Technical Overview. Technical report, Research In Motion Limited, 2009. Available from: http://docs.blackberry.com/en/admin/deliverables/7127/BB_Ent_Soln_Security_5_0_0_STO.pdf [cited 17.5.2010].

[Low07] G. Lowe. OpenSSL security advisory: OpenSSL FIPS Object Module vulnerabilities. Technical report, Secure Computing Corporation, 2007. Available from: http://www.openssl.org/news/secadv_20071129.txt [cited 17.5.2010].

[LRVW03] Chi-Jen Lu, Omer Reingold, Salil Vadhan, and Avi Wigderson. Extractors: optimal up to constant factors. In STOC '03: Proceedings of the thirty-fifth annual ACM symposium on Theory of computing, pages 602–611, New York, NY, USA, 2003. ACM. doi:10.1145/780542.780630.

[MV77] Robert M. Solovay and Volker Strassen. A fast Monte-Carlo test for primality. SIAM Journal on Computing, 6(1):84–85, 1977.

[ND99] Niels Provos and David Mazières. A future-adaptable password scheme. In Proceedings of the 1999 USENIX Annual Technical Conference, FREENIX Track, 1999.

[NZ96] Noam Nisan and David Zuckerman. Randomness is linear in space. Journal of Computer and System Sciences, 52(1):43–52, 1996. doi:10.1006/jcss.1996.0004.

[RAN] RANDOM.ORG. Available from: http://www.random.org/.

[Ren60] Alfréd Rényi. On measures of information and entropy. In Proceedings of the 4th Berkeley Symposium on Mathematics, Statistics and Probability, pages 547–561, 1960. Available from: http://digitalassets.lib.berkeley.edu/math/ucb/text/math_s4_v1_article-27.pdf [cited 17.5.2010].

[RSW00] O. Reingold, R. Shaltiel, and A. Wigderson. Extracting randomness via repeated condensing. In FOCS '00: Proceedings of the 41st Annual Symposium on Foundations of Computer Science, page 22, Washington, DC, USA, 2000. IEEE Computer Society.

[RTS00] Jaikumar Radhakrishnan and Amnon Ta-Shma. Bounds for dispersers, extractors, and depth-two superconcentrators. SIAM Journal on Discrete Mathematics, 13(1):2–24, 2000. doi:10.1137/S0895480197329508.

[RVW00] O. Reingold, S. Vadhan, and A. Wigderson. Entropy waves, the zig-zag graph product, and new constant-degree expanders and extractors. In FOCS '00: Proceedings of the 41st Annual Symposium on Foundations of Computer Science, page 3, Washington, DC, USA, 2000. IEEE Computer Society.

[Sam68] Paul A. Samuelson. Constructing an unbiased random sequence. Journal of the American Statistical Association, 63:1526–1527, 1968.

[Sch94] Bruce Schneier. Description of a new variable-length key, 64-bit block cipher (Blowfish). In Fast Software Encryption, Cambridge Security Workshop, pages 191–204, London, UK, 1994. Springer-Verlag.

[Sha48] Claude E. Shannon. A mathematical theory of communication. The Bell System Technical Journal, 27:379–423, 623–656, July and October 1948.

[Sha02] Ronen Shaltiel. Recent developments in explicit constructions of extractors. Bulletin of the EATCS, 77:67–95, 2002.

[Sho96] Victor Shoup. On Fast and Provably Secure Message Authentication Based on Universal Hashing. In CRYPTO '96: Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology, pages 313–328, London, UK, 1996. Springer-Verlag.

[SMH05] K. I. F. Simonsen, V. Moen, and K. J. Hole. Attack on Sun's MIDP reference implementation of SSL. In Proceedings of the 10th Nordic Workshop on Secure IT Systems, pages 96–103, 2005.

[SU05] Ronen Shaltiel and Christopher Umans. Simple extractors for all min-entropies and a new pseudorandom generator. Journal of the ACM, 52(2):172–216, 2005. doi:10.1145/1059513.1059516.

[SV84] M. Santha and U. V. Vazirani. Generating quasi-random sequences from slightly-random sources. In SFCS '84: Proceedings of the 25th Annual Symposium on Foundations of Computer Science, pages 434–440, Washington, DC, USA, 1984. IEEE Computer Society.

[SZ99] Aravind Srinivasan and David Zuckerman. Computing with very weak random sources. SIAM Journal on Computing, 28(4):1433–1459, 1999. doi:10.1137/S009753979630091X.

[Tre99] Luca Trevisan. Construction of extractors using pseudo-random generators. In STOC '99: Proceedings of the thirty-first annual ACM symposium on Theory of computing, pages 141–148, New York, NY, USA, 1999. ACM. doi:10.1145/301250.301289.

[TS96] Amnon Ta-Shma. On extracting randomness from weak random sources (extended abstract). In STOC '96: Proceedings of the twenty-eighth annual ACM symposium on Theory of computing, pages 276–285, New York, NY, USA, 1996. ACM. doi:10.1145/237814.237877.

[TS09] Amnon Ta-Shma. Short seed extractors against quantum storage. In STOC '09: Proceedings of the 41st annual ACM symposium on Theory of computing, pages 401–408, New York, NY, USA, 2009. ACM. doi:10.1145/1536414.1536470.

[TSUZ07] Amnon Ta-Shma, Christopher Umans, and David Zuckerman. Lossless condensers, unbalanced expanders, and extractors. Combinatorica, 27(2):213–240, 2007. doi:10.1007/s00493-007-0053-2.

[TSZ04] Amnon Ta-Shma and David Zuckerman. Extractor codes. IEEE Transactions on Information Theory, 50(12):3015–3025, 2004.

[TSZS01] A. Ta-Shma, D. Zuckerman, and S. Safra. Extractors from Reed–Muller codes. In FOCS '01: Proceedings of the 42nd IEEE Symposium on Foundations of Computer Science, page 638, Washington, DC, USA, 2001. IEEE Computer Society.

[TSZS06] Amnon Ta-Shma, David Zuckerman, and Shmuel Safra. Extractors from Reed–Muller codes. Journal of Computer and System Sciences, 72(5):786–812, 2006. doi:10.1016/j.jcss.2005.05.010.

[TV00] L. Trevisan and S. Vadhan. Extracting randomness from samplable distributions. In FOCS '00: Proceedings of the 41st Annual Symposium on Foundations of Computer Science, page 32, Washington, DC, USA, 2000. IEEE Computer Society.

[VMZ+10] Hugues J. De La Vergne, Carolina Milanesi, Annette Zimmermann, Roberta Cozza, Tuong Huy Nguyen, Anshul Gupta, and CK Lu. Competitive Landscape: Mobile Devices, Worldwide, 4Q09 and 2009. Technical report, Gartner, Inc., 2010.

[vN51] John von Neumann. Various techniques used in connection with random digits. Journal of Research of the National Bureau of Standards, Applied Mathematics Series, 12:36–38, 1951.

[Wea07] John Weathersby, 2007. Available from: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#733 [cited 17.5.2010].

[WZ99] Avi Wigderson and David Zuckerman. Expanders that beat the eigenvalue bound: Explicit construction and applications. Combinatorica, 19(1):125–138, 1999.

[Zuc90] David Zuckerman. General weak random sources. In SFCS '90: Proceedings of the 31st Annual Symposium on Foundations of Computer Science, pages 534–543 vol. 2, Washington, DC, USA, 1990. IEEE Computer Society. doi:10.1109/FSCS.1990.89574.

[Zuc96] David Zuckerman. On unapproximable versions of NP-complete problems. SIAM Journal on Computing, 25(6):1293–1304, 1996. doi:10.1137/S0097539794266407.

[Zuc97] David Zuckerman. Randomness-optimal oblivious sampling. Random Structures & Algorithms, 11(4):345–367, 1997. doi:10.1002/(SICI)1098-2418(199712)11:4<345::AID-RSA4>3.0.CO;2-Z.

[Zuc06] David Zuckerman. Linear degree extractors and the inapproximability of max clique and chromatic number. In STOC '06: Proceedings of the thirty-eighth annual ACM symposium on Theory of computing, pages 681–690, New York, NY, USA, 2006. ACM. doi:10.1145/1132516.1132612.