Pseudorandom Number Generators for Cryptographic Applications

Diploma thesis for the attainment of the Magister degree at the Faculty of Natural Sciences of the Paris-Lodron-Universität Salzburg

Andrea Röck
Salzburg, March 2005

Abstract

Random numbers are a fundamental tool in many cryptographic applications like key generation, encryption, masking protocols, or internet gambling. We require generators which are able to produce large amounts of secure random numbers. Simple mathematical generators, like linear feedback shift registers (LFSRs), or hardware generators, like those based on radioactive decay, are not sufficient for these applications. In this thesis we discuss the properties and a classification of cryptographic random number generators (RNGs) and introduce five different examples of practical generators: /dev/random, Yarrow, BBS, AES, and HAVEGE. For a complete overview of this topic we also provide an introduction to three mathematical theories that are used in connection with random number generators. We focus our discussion on those theories that try to define the notion of randomness and address Shannon's entropy, Kolmogorov complexity and polynomial-time indistinguishability. In all three cases we study the relation between these theoretical notions and random number generators.

Acknowledgments

I would like to thank my supervisor, Peter Hellekalek, for his advice and encouragement during the development of my thesis and for finding time for me even in stressful moments. Especially, I express my gratitude towards him for always supporting my wish to visit foreign universities. I'm indebted to Nicolas Sendrier for welcoming me for one month in his research group at INRIA-Rocquencourt and for giving me the chance to get a deeper insight into the functionality of the HAVEGE generator. The help of Stefan Wegenkittl with patiently answering my questions about Markov chains is greatly appreciated.

I'm grateful to Peter Kritzer and Cédric Lauradoux for proofreading my thesis and for all their formal and textual advice which has been a great help during my writing process. Especially, I'm indebted to my parents Heinz and Elisabeth Röck, who always encouraged and supported me in my studies. In particular, I would like to thank my mother for many mathematical discussions which helped me to solve several tricky problems. Last but not least, I wish to express my gratitude towards my sister, Susanne, and all my friends and colleagues in Tyrol, Salzburg, and all over the world who accompanied me during my studies.

Contents

1 Introduction  1
  1.1 Outline and Summary  3

I Theoretical Background  5

2 Overview  7

3 Entropy  9
  3.1 Definition and Characteristics  9
  3.2 Entropy and RNGs  14
    3.2.1 RNG as Information Source  15
    3.2.2 External Input as Information Source  15
    3.2.3 Shifting of Entropy  15
    3.2.4 Entropy-Preserving Functions  15
  3.3 Estimation of Entropy  18
    3.3.1 Overlapping Serial Test  21
    3.3.2 Maurer's Universal Test  22
    3.3.3 Entropy and Cryptographic RNGs  23

4 Kolmogorov Complexity  25
  4.1 Definition and Characteristics  26
    4.1.1 Turing Machine (TM)  26
    4.1.2 Universal Turing Machine  28
    4.1.3 Complexity  29
    4.1.4 Incompressible Sequences  30
    4.1.5 Martin-Löf Test of Randomness  31
  4.2 Kolmogorov Complexity and Shannon's Entropy  34
  4.3 Computability of Kolmogorov Complexity  34
  4.4 Kolmogorov Complexity and Cryptographic RNGs  36

5 Polynomial-Time Indistinguishability  37
  5.1 Definitions and Characteristics  37
    5.1.1 Existence of Pseudorandom Generators  40
  5.2 Polynomial-time Statistical Tests and Randomness  40
  5.3 Polynomial-time and Efficiency  41
  5.4 Kolmogorov Complexity versus Computational Indistinguishability  41
  5.5 Pseudorandomness and Cryptographic PRNGs  42

6 Summary of Part I  43

II Practical Generators  45

7 A Selection of Cryptographic RNGs  47
  7.1 Three Categories  47
    7.1.1 Pseudorandom Number Generators  47
    7.1.2 Entropy Gathering Generators  49
    7.1.3 Hybrid Generators  51
  7.2 General Problems and Properties  51
  7.3 Description Scheme  53
    7.3.1 Case 1: Constant Transition Function  54
    7.3.2 Case 2: Input-Dependent Transition Function  55
    7.3.3 Cryptographic Strength  55

8 Attacks  57
  8.1 Direct Cryptanalytic Attacks  57
    8.1.1 Partial Precomputation Attack  58
    8.1.2 Timing Attack  59
  8.2 Input Based Attacks  59
    8.2.1 Chosen Input Attacks  59
    8.2.2 Known Input Attack  60
  8.3 State Compromise Extension Attacks  61
    8.3.1 Permanent Compromise Attack  62
    8.3.2 Backtracking Attack  62
    8.3.3 Integrative Guessing Attack  62
    8.3.4 Meet-In-The-Middle Attack  63

9 /dev/random  65
  9.1 General Structure  65
  9.2 State Space  67
  9.3 Transition Function  67
    9.3.1 Processing the Input  67
    9.3.2 Shifting the Information  69
    9.3.3 Mixing the Secondary Pool  71
    9.3.4 Input Space  71
  9.4 Output Function  71
  9.5 Security  72
  9.6 Empirical Results  73
  9.7 Portability  73
  9.8 Conclusion  74

10 Yarrow  75
  10.1 General Structure  75
  10.2 State Space  77
  10.3 Transition Function  78
    10.3.1 Entropy Gathering  78
    10.3.2 Reseed Control  79
    10.3.3 Reseed Mechanism  79
    10.3.4 Generator Gate  80
    10.3.5 Input Space  80
  10.4 Output Function  81
  10.5 Security  81
  10.6 Empirical Results  81
  10.7 Portability  82
  10.8 Conclusion  82

11 Blum-Blum-Shub Generator  83
  11.1 General Structure  83
  11.2 State Space  84
  11.3 Transition Function  85
  11.4 Output Function  85
  11.5 Security  86
  11.6 Empirical Results  86
  11.7 Portability  86
  11.8 Conclusion  86

12 AES  89
  12.1 General Structure  89
  12.2 State Space  91
  12.3 Transition Function  91
  12.4 Output Function (AES)  92
  12.5 Security  94
  12.6 Empirical Results  95
  12.7 Portability  96
  12.8 Conclusion  96

13 HAVEGE  99
  13.1 General Structure  100
    13.1.1 Optimization Techniques of the Processor  100
    13.1.2 Functionality of HAVEGE  103
    13.1.3 General Structure  104
  13.2 State Space  104
    13.2.1 Seed (HAVEG)  105
  13.3 Transition Function  106
    13.3.1 Input Space  106
  13.4 Output Function  107
  13.5 Empirical Results  107
  13.6 Security  108
  13.7 Portability  ..

Details

  • File Type: pdf
  • Content Language: English
  • File Pages: 131 pages
