1. Field
The present invention relates to cryptography and more particularly to a secure generation of pseudo-random numbers in electronic devices.
2. Background
Generation of random numbers has many applications, including cryptographic uses (e.g., keys used for encryption and integrity protection, nonces used for security protocols, etc.) for example. A true random number is impossible to be predicted with probability higher than average. In the real world, it is extremely hard to obtain a perfect random number source.
A physical source, such as thermal noise from a circuit component, sometimes produces very good random output. However, a physical source is exposed to external interference, which can make the output bear a significant bias. Moreover, a physical source is limited in how quickly it can provide new entropy (randomness). Many applications cannot afford to wait a long time for random numbers. Additionally, hardware-dependent generators sometimes fail after an extended period of time and produce very bad random numbers in such cases.
A pseudo-random number generator (PRNG) is often employed that uses a deterministic algorithm to generate pseudo-random numbers. The PRNG can produce numbers at a very fast speed. Given a random input called a seed, a very long sequence of pseudo-random numbers can be generated deterministically. Without knowledge of this seed, it is infeasible or very hard to distinguish the generator from a random source. While there are many PRNGs available, most are not designed for security applications. Because PRNGs use deterministic algorithms, they are exposed to hacking, thereby weakening the security of the PRNG. For example, a linear congruential generator is widely used as a PRNG but can be broken after a short sequence of output is analyzed.
Cryptographic applications typically use “random” numbers for initialization vectors, keys, nonces, salts, etc. Generally, a cryptographically secure PRNG (CSPRNG) is seeded with unpredictable inputs in a secure way so that it is infeasible to distinguish its output from a sequence of random bits. As defined herein, a CSPRNG has all properties of a normal PRNG, and, in addition, at least two other properties. One of these properties, referred to as the “next bit test”, states that given a sequence of m bits generated from a generator, no feasible method can predict the (m+1)-th bit with probability significantly higher than one half. The second property, referred to a “malicious seeding resistance”, states that even if an attack can gain full or partial control of the inputs to the CSPRNG for a period of time, it is still infeasible to predict or reproduce any random output from the CSPRNG.
A pseudo-random number generation scheme is relatively straightforward in a CSPRNG. It can be, for example, a block cipher running in counter mode or output feedback mode, a stream cipher using a seed as cipher key, or a nested structure of hashing. A complicated part in CSPRNG design is how to seed and reseed the CSPRNG. Reseeding is a process used to update the sequential logic of a CSPRNG, which has been previously seeded, with a new seed. Such reseeding makes it more difficult to break a deterministic number generation algorithm.
There exist a number of standardized CSPRNG designs, such as FIPS 186-2, ANSI X9.17-1985 Appendix C, ANSI X9.31-1998 Appendix A.2.4, and ANSI X9.62-1998 Annex A.4. Unfortunately, many of these designs are not satisfactory under certain circumstances. For example, two design flaws of ANSI X9.17 PRNG have been identified by J. Kelsey et al. at Fast Software Encryption, 5th International Workshop Proceedings, Springer-Verlag, 1998.
Yarrow and Fortuna are two well-known CSPRNG designs. (See “Yarrow-160: Notes on the Design and Analysis of the Yarrow Cryptographic Pseudorandom Number Generator”, by J. Kelsey, B. Schneier, and N. Ferguson, Sixth Annual Workshop on Selected Areas in Cryptography, Springer Verlag, August 1999, and “Practical Cryptography”, by N. Ferguson and B. Schneier, published by Wiley in 2003.
Both Yarrow and Fortuna have reseeding controls with support from complicated schemes for entropy accumulation. Yarrow does not specify a concrete method to evaluate entropy for reseeding while Fortuna reseeds the system periodically when the fastest entropy pool source is ready. Both of them use block ciphers in counter mode for pseudo-random number generation and use hash algorithms extensively for reseeding. Use of block ciphers in counter mode and hash algorithms for reseeding is computationally expensive and time consuming.
Therefore, there is a need for a better, less complex and/or more efficient pseudo-random number generator.