Thèse de Doctorat présentée à L’ÉCOLE POLYTECHNIQUE pour obtenir le titre de DOCTEUR EN SCIENCES Spécialité Informatique soutenue le 18 mai 2009 par Andrea Röck Quantifying Studies of (Pseudo) Random Number Generation for Cryptography. Jury Rapporteurs Thierry Berger Université de Limoges, France Andrew Klapper University of Kentucky, USA Directeur de Thèse Nicolas Sendrier INRIA Paris-Rocquencourt, équipe-projet SECRET, France Examinateurs Philippe Flajolet INRIA Paris-Rocquencourt, équipe-projet ALGORITHMS, France Peter Hellekalek Universität Salzburg, Austria Philippe Jacquet École Polytechnique, France Kaisa Nyberg Helsinki University of Technology, Finland Acknowledgement It would not have been possible to finish this PhD thesis without the help of many people. First, I would like to thank Prof. Peter Hellekalek for introducing me to the very rich topic of cryptography. Next, I express my gratitude towards Nicolas Sendrier for being my supervisor during my PhD at Inria Paris-Rocquencourt. He gave me an interesting topic to start, encouraged me to extend my research to the subject of stream ciphers and supported me in all my decisions. A special thanks also to Cédric Lauradoux who pushed me when it was necessary. I’m very grateful to Anne Canteaut, which had always an open ear for my questions about stream ciphers or any other topic. The valuable discussions with Philippe Flajolet about the analysis of random functions are greatly appreciated. Especially, I want to express my gratitude towards my two reviewers, Thierry Berger and Andrew Klapper, which gave me precious comments and remarks. I’m grateful to Kaisa Nyberg for joining my jury and for receiving me next year in Helsinki. I’m thankful to Philippe Jacquet for assisting in my jury. Especially, I own a lot to my parents Heinz and Elisabeth Röck and my sister Susanne Röck. They always supported me in my studies, my goings abroad, and any of my decisions. Without them, I would not be here. Also, I do not know what I would have done without the support of Yann. Every time when I was frustrated, desperate or just tired, he cheered me up and encouraged me to go on. I spend four great years at the project SECRET (formerly known as project CODES). A special thanks to all the people with which I could share the “buró uno”, the best of- fice of the world, just beside the coffee table: Cédric, Maria, Mathieu (which we adopt), Matthieu and Yann. I must not forget to mention Christelle. She is the soul of the project, the best secretary, and a very good friend of mine. Thank you. There are many people which passed at Inria and which contribute to the good atmosphere and the discussion at the coffee table. I will mention them in alphabetic order and I hope that I do not forget anyone. I’m grateful to all of them. Avishek Adhikari, Daniel Augot, Raghav Bhaskar, Bhaskar Biswas, Céline Blondeau, Anne Canteaut, Christophe Chabot, Pascale Charpin, Mathieu Cluzeau, Maxime Côte, Frédéric Didier, Cédric Faure, Matthieu Finiasz, Fabien Galand, Benoit Gérard, Christelle Guiziou, Vincent Herbert, Stéphane Jacob, Deepak Ku- mar Dalai, Yann Laigle-Chapuy, Cédric Lauradoux, Françoise Levy-dit-Vehel, Ayoub Ot- mani, Raphael Overbeck, Maria Naya Plasencia, Ludovic Perret, Sumanta Sarkar, Nicolas Sendrier, Jean-Pierre Tillich, Marion Videau, and Alexander Zeh. Once again I want to thank all the people that helped and supported me during my i PhD. It is due to them that I can say now: Ça, c’est fait. Contents Acknowledgementi 1 Introduction1 I General Notions5 2 Entropy7 2.1 Definition and Characteristics.........................7 3 Stream Cipher 13 3.1 Classification.................................. 13 3.1.1 One-Time Pad (Vernam Cipher).................... 14 3.1.2 Synchronous Stream Cipher...................... 15 3.1.3 Self-Synchronizing Stream Cipher................... 16 3.2 State of the Art................................. 17 II Studies of the HAVEGE Random Number Generator 19 4 Random Number Generators 21 4.1 Tests of Randomness.............................. 22 5 HAVEGE 23 5.1 Optimization Techniques of the Processor.................. 24 5.1.1 Functionality of HAVEGE ....................... 27 5.2 General Structure................................ 28 5.2.1 HAVEG ................................. 28 5.2.2 HAVEGE ................................ 28 5.3 Empirical Results................................ 30 5.4 Security..................................... 31 5.5 Conclusion.................................... 32 iii 6 Empirical Tests 35 6.1 Test Setup.................................... 35 6.2 Test Results................................... 36 6.2.1 Basic Data................................ 37 6.2.2 Auto Correlation............................ 40 6.2.3 Entropy................................. 42 6.2.4 Entropy of a Markov Chain...................... 43 6.3 Conclusion.................................... 48 III Study of a Specific Stream Cipher 51 7 The Dragon Stream Cipher 53 7.1 Introduction................................... 53 7.1.1 Inner State............................... 53 7.1.2 Key and IV Setup............................ 54 7.1.3 State Update.............................. 54 7.1.4 Function F ............................... 56 7.2 Published Distinguisher on Dragon ..................... 57 7.2.1 Statistical Distinguisher........................ 58 7.2.2 Linear Distinguisher.......................... 58 7.3 Some Properties of Dragon .......................... 61 7.3.1 Properties of G’s and H’s....................... 61 7.3.2 Relations among Words........................ 62 7.3.3 Bias of Different Equations....................... 62 7.3.4 Bias of Equations............................ 64 7.4 Conclusion.................................... 67 IV Random Functions 69 8 Characteristics of Random Functions 71 8.1 Approach to Analyze Random Functions................... 72 8.1.1 Use of Generating Function...................... 72 8.1.2 Singularity Analysis.......................... 75 8.2 Known Properties................................ 77 9 State Entropy of a Stream Cipher using a Random Function 81 9.1 Introduction................................... 81 9.2 Estimation of Entropy............................. 83 9.2.1 Previous Work............................. 83 9.2.2 New Entropy Estimation........................ 84 9.3 Collision Attacks................................ 94 9.3.1 States after k Iterations........................ 95 9.3.2 Including Intermediate States..................... 96 9.3.3 Improvement with Distinguished Points................ 97 9.4 Conclusion.................................... 99 V FCSRs 101 10 Introduction to FCSRs 103 10.1 Characteristics of LFSRs............................ 104 10.2 Characteristics of FCSRs............................ 107 10.3 Applications of FCSRs............................. 116 10.4 Extensions of FCSRs.............................. 122 10.4.1 d-FCSRs................................. 122 10.4.2 AFSR.................................. 124 11 Entropy of the Inner State of an FCSR in Galois Setup 127 11.1 Introduction................................... 127 11.2 Entropy after One Iteration.......................... 128 11.3 Final State Entropy............................... 130 11.3.1 Some Technical Terms......................... 131 11.3.2 Final Entropy Case by Case...................... 134 11.3.3 Complexity of the Computation.................... 136 11.4 Lower Bound of the Entropy.......................... 137 11.4.1 Basis of Induction............................ 137 11.4.2 Induction Step............................. 138 11.5 Bounds for the Sums.............................. 142 11.6 Conclusion.................................... 144 12 Parallel generation of `-sequences 145 12.1 Introduction................................... 145 12.2 Motivation.................................... 146 12.3 Sub-Sequences Generators and m-Sequences................. 148 12.4 Sub-Sequences Generators and `-Sequences.................. 150 12.5 Conclusion.................................... 158 Conclusion and Perspectives 159 Bibliography 176 Table of figures 178 List of algorithms 179 List of tables 181 Chapter 1 Introduction Random numbers are an important tool in cryptography. They are used to generate secret keys, to encrypt messages or to mask the content of certain protocols by combining the content with a random sequence. A (pseudo) Random Number Generator (RNG) produces “randomly looking” sequences from a short initial seed or from unpredictable events. We mean by randomly looking that an adversary is not able to distinguish the sequence from the outcome of independent and uniformly distributed random variables. Shannon’s entropy is one example of an indicator of how hard it is for an adversary to guess a value in the sequence (Chapter2). We consider RNGs in two different settings. The first one discusses a random number generator which produces sequences from parameters that we cannot control. Thus, we are not able to produce the same sequence twice. Such generators can be used to generate secret keys. However, we always must be careful whether the output of the generator does contain enough uncertainty/entropy. This was the problem in the random number generator of the Netscape browser used for the Secure Sockets Layer (SSL) protocol. The generator was seeded only from the time of the day, the process ID and the parent-process ID. These values do not contain enough uncertainty, which allows an attack on the protocol [GW96]. The second class of random number generators