Designing a Side Channel Resistant Random Number Generator

This paper describes the design of the random number generator (RNG) in the Caernarvon high assurance smart card operating system. Since it is used in the generation of cryptographic keys and other sensitive material, the RNG must meet a number of stringent security requirements: the random bits must be of good quality, i.e. they must be neither predictable nor biased. To this end, standards such as the German AIS 31 mandate that true random bits be continuously tested before use in sensitive applications such as key generation. A key issue in implementing this standard is that such testing before use in key generation greatly increases the attack surface for side-channel attacks. For example, template attacks can extract information about the random bits from even a single run, provided the same bits are used at many different points in the computation. Because of these potential risks, the Caernarvon operating system uses pseudo random number generators that are initially seeded with externally generated high quality random bits and then perturbed by bits from the true random number generator. We describe a PRNG design that yields high quality random bits while also ensuring that it is not susceptible to side-channel attacks, and we provide an informal argument for its effectiveness.
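The following is an added, simplified model of the architecture the abstract describes: a deterministic generator seeded once from externally supplied bits and perturbed by TRNG bits that have first passed a continuous health test, so that each tested TRNG block is consumed at exactly one point. It is illustrative code written for this page, not the Caernarvon implementation; the HMAC-SHA-256 construction, the simple health test and all names are assumptions.

```python
import hashlib
import hmac

# Illustrative model (not Caernarvon's code) of: external seed -> PRNG state,
# TRNG bits health-tested and then folded into the state exactly once.

def health_check(block: bytes, max_bias: int = 40) -> bool:
    """Constructed continuous test, far simpler than AIS 31's suite: reject a
    block that is all-identical (stuck source) or whose number of 1-bits
    strays more than max_bias from half of the bits."""
    if len(set(block)) == 1:
        return False
    ones = sum(bin(b).count("1") for b in block)
    return abs(ones - 4 * len(block)) <= max_bias

class PerturbedPRNG:
    """Deterministic generator seeded from external high-quality bits."""

    def __init__(self, external_seed: bytes):
        if len(external_seed) < 32:
            raise ValueError("external seed must supply at least 256 bits")
        self.key = hashlib.sha256(b"seed" + external_seed).digest()
        self.counter = 0

    def perturb(self, trng_block: bytes) -> bool:
        """Fold a tested TRNG block into the state once; the block is never
        emitted directly and is touched by only this one HMAC computation,
        which limits what a single-run side channel can learn about it."""
        if not health_check(trng_block):
            return False  # rejected block is discarded, state unchanged
        self.key = hmac.new(self.key, b"perturb" + trng_block, hashlib.sha256).digest()
        return True

    def random_bytes(self, n: int) -> bytes:
        """Produce n output bytes from the current state, then ratchet the
        state so earlier output cannot be recomputed from a later state."""
        out = b""
        while len(out) < n:
            out += hmac.new(self.key, self.counter.to_bytes(8, "big"), hashlib.sha256).digest()
            self.counter += 1
        self.key = hmac.new(self.key, b"ratchet", hashlib.sha256).digest()
        return out[:n]
```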