1 / 29

Some Recent Results in Secure Pseudorandom Number Generation

11th Workshop on Elliptic Curve Cryptography 2007 Dublin/September 6, 2007. Some Recent Results in Secure Pseudorandom Number Generation. Berry Schoenmakers Joint work with Andrey Sidorenko and (partly) with Reza Rezaeian Farashahi Coding & Crypto group TU Eindhoven. Plan.

ryanbrown
Télécharger la présentation

Some Recent Results in Secure Pseudorandom Number Generation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. 11th Workshop on Elliptic Curve Cryptography 2007Dublin/September 6, 2007 Some Recent Results in Secure Pseudorandom Number Generation Berry Schoenmakers Joint work with Andrey Sidorenko and (partly) with Reza Rezaeian Farashahi Coding & Crypto group TU Eindhoven

  2. Plan • 1. Revisiting a basic problem: • Random bits  random numbers in a given interval. • 2. Concrete security of provably secure PRGs • Construction based on k-DDHI • Cryptanalysis Dual Elliptic Curve Generator • 3. New PRGs based on DDH • “Practically” tight reduction to DDH • Specific instances • QR(p): group of quadratic residues modulo p • Gq: arbitrary subgroup of Zp* • open problem: elliptic curve based one??

  3. Random numbers in [0,B), 2n-1<B<2n • Given a source of (uniform) random bits. • Two folklore algorithms for generating x  [0,B). Alg.1: pick x  {0,1}n, using n random bits, until x<B Alg.2: pick x{0,1}n+k, using n+k random bits; output x mod B • Properties: • Alg.1: perfectly uniform; but wastes up to n bits on average (worst case B = 2n-1 + 1); Las Vegas algorithm • Alg.2: statistical distanceΔ<1/2k; wastes k bits exactly

  4. Our algorithm • Generate random x  [0,B) bit by bit, starting from the most significant bit, comparing with most significant bits of B-1. • Algorithm: let xi be next random bit • if xi > (B-1)i, start all over “too large” • if xi = (B-1)i , continue with next bit “unsure” • if xi < (B-1)i , complete x with random bits and stop “home free” • Randomness complexity: n bits plus some waste. • Question: what’s the waste? • Recursive version • rand(B): • if B=1 thenreturn 0 else • repeat • x = ${0,1} + 2 × rand([(B+1)/2]); • until x<B; • return x coin flip

  5. Analysis of randomness complexity • 1st computing the exact probability distribution and then the expected value is cumbersome • We determine expected value Edirectly! • Example: S = Σi=0..∞ri: • S = Σi=0..∞ ri = 1 + Σi=0..∞ri+1=1+r S, so S = 1/(1-r) • Example: T = Σi=0..∞i ri: • T = Σi=0..∞ (1+i) ri+1= r S + r T, so T = r/(1-r)2 • By conditioning on the right event, this leads to: • E = n + 2n/BΣi=2..ni(1-(B-1)n-i)/2i< n + 3 • So, waste is bounded by a small constant! • Averaged over all B, waste is approx. 1.1 random bits

  6. Knuth-Yao 1976 • Minimize randomness complexity • Average wasted random bits for x  [0,B): •  0.58 random bits on average, over all B • < 1 random bits for worst case B • Actually, any probability distribution can be generated from random bits, with averagewaste < 2 bits (beyond entropy).

  7. Knuth-Yao B=5 0 1 2 0 1 3 4 2 3 4 … $ $ $ $ $

  8. Context of secure multiparty computation • In context of secure multiparty computation: • Generating “encrypted” random bits is expensive. • But, also comparing “encrypted” bits, arithmetic with “encrypted” bits, etc. • Our algorithm strikes a better balance than Knuth-Yao’s minimal waste algorithm (depending on the setting) • cheaper to make our algorithm oblivious “Data independent execution paths”

  9. Pseudorandom Generator (PRG) n truly random bits (seed) • Preferably M>>n and a fast PRG • Focus on provably secure PRGs • PRG is called provably secure if “breaking” the PRG is as hard as solving a presumably hard problem 10001010111001110101111010111101 Pseudorandom generator: deterministicalgorithm 1001101011011001010111101011110110101111101100010011101000101110101011101011000 M bits that “look random” (pseudorandom sequence)

  10. Provably secure PRGs Pseudorandom sequence for a truly random seed Distinguisher: running time at mostT “I think that you gave me a pseudorandom sequence” OR Truly random sequence of the same length If probability of successful guess <½ (1+ ε) the PRG is (T, ε)-secure

  11. Provably secure PRGs (cont.) • If T'/ε' ≈ T/ε, reduction is called tight • If T'/ε' >> T/ε, reduction is called not tight • If the reduction is tight, a desired security level can be achieved for a relatively low value of security parameter n (seed length) (T, ε)-distinguisher for a PRG: {0, 1}n → {0, 1}M (T', ε')-solver for a hard problem with security parameter n (e.g., DL problem in n-bit finite field) reduction

  12. Formal Security of PRGs (Yao 1982) • Ununiform distribution on {0, 1}n • UM uniform distribution on {0, 1}M • Pseudorandom generator PRG: {0,1}n→ {0, 1}M • Distinguisher D: {0,1}M→ {0, 1} • PRG is called (T, ε)-secure if for all T-time D | Pr[D(PRG(Un)) = 1] – Pr[D(UM) = 1] | < ε

  13. Typical PRG seed state1 state2 statei … … output1 output2 outputi State should remain secret, given all outputs !

  14. Blum-Micali PRG (1984) • Based on DL-problem in Zp* • Provably secure • Outputs just 1 bit per modular exponentiation • Let n = log2p. If this PRG is not (T, ε)-secure, then DL problem can be solved in time T' = 64 n3 (M/ε)4T with success probability ε' = ½ • T'/ε' >> T/ε, so reduction is not tight … seed x ←RZp* x ←gx x ←gx output [x < p/2] output [x < p/2]

  15. Blum-Micali PRG (cont.) polynomial in n subexponential in n • Blum-Micali PRG is (T, ε)-secure if 128 n3 (M/ε)4T < TDL(Zp*) • For M = 220, T/ε = 280,this PRG is (T, ε)-secure if n > 61000 • Large seed length n implies poor efficiency • due to far from tight reduction • We propose a PRG with a much better security reduction • based on the DDH assumption (stronger than DL assumption) • output of n bits (instead of 1 bit) per iteration

  16. k-DDHI based PRG • Universal hash function used as extractor • Good results • But assumption k-DDHI less standard • k-DDHI: distinguish … a ←RZq s0←g y ←R{0,1}l s1← s0a s2←s1a output extract(s1,y) output extract(s2,y)

  17. Dual Elliptic Curve PRG • Proposed by Barker and Kelsey in a NIST draft standard [BK05] • For prime p = 2256+ 2224 + 2192 + 296+1, let E(Fp) be an elliptic curve such that #E(Fp) is prime. Let P, Q ←RE(Fp) • Sequence siQ is indistinguishable from sequence of uniformly random points under DDH assumption and x-logarithm assumption [Brown 2006] • However, random bits are extracted from random points improperly so the PRG is insecure … seed s0←RFp s1←x(s0P) s2←x(s1P) output lsb240(x(s1Q)) output lsb240(x(s2Q))

  18. Distinguishing attack output lsb240(x(s1Q)) output lsb240(x(s2Q)) output lsb240(x(siQ)) … … • Point siQ is mapped to block lsb240(x(siQ)) • Blocks b←R {0, 1}240 have on average 216preimages • Blocks lsb240(x(R)) with R ←RE(Fp) have on average more than216 preimages • For each block bi count the number of points P s.t. bi = lsb240(x(P)) • If average number of preimages is above 216, decide that the sequence is pseudorandom; • Otherwise, decide that the sequence is “truly random” block b1 block b2 block bi

  19. Detailed analysis Note the shift by +1 frequency • We tested 330 outputs of Dual Elliptic Curve PRG • each output consisted of 4000 output blocks • Running time of the attack is about 3 hours on a 3GHz Linux machine with 1Gb of memory Fits normal distribution N(65537.0, 255.6) 216 = 65536 number of preimages

  20. Decisional Diffie-Hellman (DDH) problem • G=<g> is a multiplicative group of prime order q • Algorithm A solves the DDH problem in G with advantage ε iff for a random triple (a, b, r) | Pr(A(g, ga, gb,gab) = 1) – Pr(A(g, ga, gb, gr) = 1) | ≥ ε • For concrete analysis: • DDH problem is assumed to be as hard as the DL problem

  21. DDH generator (intuition) • Let a ← Zq be a fixed integer • Consider Doubleg,a(b) = (gb, gab) [NR97] • for b←R Zq the output is pseudorandom under DDH • “doubles” the input • Is Double a pseudorandom generator? • No! It produces pseudorandom group elements rather than pseudorandom bits • Converting group elements into bits is a non-trivial problem • Double cannot be iterated to produce as much randomness as required by the application

  22. DDH generator (construction) • rank is a bijection mapping elements of group G to numbers in Zq rank: G→ Zq • More generally, allow additional input/output number in Zl: rank: G× Zl→ Zq × Zl • Public parameters for DDH generator: x, y ←RG • Outputs log2 q bits per step • Seed length log2 q + 2 log2 l seed s ←RZq, rx, ry←RZl (s, rx) ←rank(xs, rx) (s, rx) ←rank(xs, rx) … (z, ry) ← rank(ys, ry) output z (z, ry) ←rank(ys, ry) output z

  23. Security of the DDH generator • DDH generator produces pseudorandom numbers in Zq • if q 2n then it produces pseudorandom bits directly • for arbitrary q, additional effort needed to convert numbers into bits (from integers in [0,q) to bits) Theorem. Assume that 0< (2n – q)/2n < δ. Then (T, ε)-distinguisher for the DDH generator implies a (T, nε/M –δ)-solver for the DDH problem in G • Proof is based on a hybrid argument • Hybrids Hj = (u1,u2,…,uj-1,output1,…,outputk-j+1) • A given 4-tuple (x,y,X,Y) is DDH tuple iff output ~ Hj

  24. PRG1: instance based on QR(p) • Safe prime p = 2q + 1, with q prime • G = QR(p), |G| = q • Consider the following bijection (Chevassut et al. 2005; Cramer-Shoup 2003, and … ?): rank: QR(p)  Zq with rank(x) = min(x, p-x) • Public parameters x, y ←RG • Extracts n bits per iteration (2 modular exponentiations) … seed s ←RZq s←rank(xs) s←rank(xs) outputrank(ys) outputrank(ys)

  25. PRG1 (cont.) • What seed length, n, guarantees security? • recall that for Blum-Micali PRG n > 61000 • PRG1 is (T, ε)-secure if 2MT/nε < TDL(QRp) • For M = 220, T/ε = 280,PRG1 is (T, ε)-secure if… n > 1600 • The seed length n is short because the reduction is (almost) tight • PRG1 is much more efficient than Blum-Micali PRG • PRG1 based on a stronger assumption (the DDH assumption) • Limitation: works only for specific subgroup of Zp*

  26. PRG2: instance based on any subgroup • G is a (prime) order q subgroup of Zp*, p – 1 = ql • tis an element of Zp* of order l, so tl = 1 • Let rank: G× Zl→ Zq × Zl be the following bijection: rank(x, r) = (xtrmod q, xtrdiv q) seed s ←RZq, rx, ry←RZl (s, rx) ←rank(xs, rx) (s, rx) ←rank(xs, rx) … (z, ry) ← rank(ys, ry) output z (zi, ry) ← rank(ys, ry) output z

  27. PRG by Jiang (2006) … seed (A0,A1)←RZq× Zq A2 ← grank(A0)rank(A1) A3 ← grank(A1)rank(A2) outputrank(grank(A2)) outputrank(grank(A3)) • Also, standard DDH assumption • Speed of the two generators is the same • Seed of our generator is twice as short as for Jiang’s generator • For most applications, the length of the seed is a critical issue • Our generator can be used with any prime order group such that the elements of the group can be “efficiently ranked” • Jiang’s generator is designed for a specific subgroup of Zp* for safe primesp

  28. Conclusions • DDH based PRGs • Showed a general constructions of PRGs based on DDH assumption • Specific instances of our DDH-based PRG are presented • subgroup of quadratic residues modulo prime p – seed length |p| • Jiang’s generator is an alternative in this case • arbitrary order q subgroup of Zp* -- seed length 2|p| -|q| • Open problem: how to use an elliptic curve group? • would result in considerably shorter seeds • maybe use Kaliski’s map from points on an elliptic curve (over Fq) and its quadratic twist to Z2q • Revisiting problems related to conversion/extraction of random bits, random numbers, random group elements, all in the context of secure multiparty computation leads to new approaches and solutions.

  29. Author’s address Berry Schoenmakers Coding and Crypto group Dept. of Mathematics and Computer Science Technical University of Eindhoven P.O. Box 513 5600 MB Eindhoven Netherlands berry@win.tue.nl http://www.win.tue.nl/~berry/

More Related