 We need random numbers for different purposes in security and cryptography for generating keys We often initialize algorithms with some initial value often some initial random value and An important thing is that the attacker Shouldn't be able to guess the value that we're using so therefore choosing a random value is important But we need our computer to generate that random value and our computer is Deterministic if follow some algorithm So we need that algorithm be such that it's very hard for the attacker to be able to guess what our random number will be Even though it does follow some algorithm and we distinguish between true random number generators and pseudo random number generators a true Generator uses some external source some measurements from the environment. So some noise some radiation levels vibration of components on on a computer and They are considered sources of randomness true randomness and they can be used to generate random numbers the problem being is that we need something to measure those sources and They don't generate many random numbers over a short period of time That is they don't generate many bits per second. We often needs for some applications to have many Thousands of bits of randomness to support our application so what we do is we have algorithms that take Some initial value some seed value and generate a sequence of bits which we Hope to be close to a true random sequence So we call a pseudo random sequence and the algorithm a pseudo random sequence number generator number generator PRNG There are different algorithms Some better than others We to introduce a simple one we went through LCG and we saw just with a simple equation a Multiplier times the previous value plus an increment mod by M We can generate we generate a short sequence in our case But it's an okay generator for generating a random sequence of numbers Sequence of random numbers as long as we choose the parameters correctly Okay, so people have done analysis of this generator and found that for certain values of a and a large modulus Which is prime turns out that it does generate a good sequence But there are others and that was one we chose just because it's easy to calculate another one Blum-blum-shub generator developed by mr. and mrs. Blum and mr. Shub and Slightly different, but the algorithm is not very complex You start with two large prime numbers P and Q. There's some conditions on what primes you can choose You multiply them together to get some value n Then you choose some random number s and That random number s must be relatively prime to n. What does relatively prime mean? We will see in the next topic on number theory, but it means the numbers the greatest common divisor of s and n should one We'll define that in the next topic But we choose some large We generate some large n if we have two large primes multiply them together We get a large n and then another random number smaller than an n and Then we follow this algorithm Our initial output so our outputs will be x our initial output s squared mod n So we're using mod similar to the LCG algorithm s squared mod n and then you continue forever to do these two steps you take The previous value X i minus 1 the previous value that we got x 0 Square mod n and you get the next value and you keep doing that and you just get a so you start with some random number s square it mod by n and You get the next value Square that mod by n the next value and just keep doing that so quite easy to calculate The last step B is that instead of using the number x that comes out They take the last bit of that number if you mod a number by two you get that last bit zero one and This is quite a simple algorithm. We will not go through an example. There's one on the next slide It's quite a simple algorithm that generates quite a good sequence of pseudo random numbers. I don't expect you remember That that algorithm we will not go through an example In class this one lists the values for different iterations that is some initial values p times q Two primes. They're not large primes 383 is a very small prime. We'll see in the next topic. We'll talk about large primes but for this example two primes multiplied together and choose some random s and you take S squared mod by n and you get twenty thousand seven hundred and forty nine You take that squared mod by n and you get the next number squared mod by n and you get these numbers the sequence that comes out is the last bit of those numbers if it's Odd it will be one if it's even it will be zero if you think of the last bit of that number in binary a zero or one So the sequence that comes out is one one zero zero one one one zero zero zero doesn't look very random there But that's just a coincidence here zero one zero zero and keeps going So this is an example of a different pseudo random number generator and is considered so people have analyzed the design and see if it's Generate sequences which Exhibit characteristics of true random number generators and they say yes, it does. It's a good one and quite simple There are others Yes, the bees in this case the random So the sequence we get is the values of the bits that come out. All right, so yes the random numbers are These are random numbers coming out but as a sequence we take just the last bit of each If you have just the last bit as Opposed to the actual number the number may give away some information about where we are in the sequence Okay, but the last bit if I see the last bit is zero Well, there's only two choices. We don't know whether If I know this sequence one one zero zero one one one as the attacker Can I work out those initial values if I could work out the initial values? Then I can know what the next value will be but if the attacker just knows the past values of the bits How do you work out what the next one will be? Well, you need to know the initial values So most of our pseudo random number generators go forever They generate as continuous sequence so we can keep going. Let's say This algorithm is implemented in software on our computer when we call the random function that Starts this algorithm. It produces Say eight bits we call it again It produces the next eight bits in the sequence as we call that Algorithm it grabs the next sequence of bits as for as long as we need That was the same with the LCG it generates a sequence Except it does Come back to the start. Remember. There's a period of that sequence So the the strength of this algorithm is That if the attacker just knows those bits for example, if they see that those 20 bits listed The attacker wants to know the 21st bit. What will it be zero one? Well, they have a 50% chance to guess but can they know for sure what it will be next and what will the next 10 bits be if they can This algorithm is insecure If they can predict the next value Then they'll know what value you choose as the next value So the security this scheme comes if you know those Past 20 bits it should be practically impossible for the attacker to work out the next bits And it's considered to be the case in this algorithm To get those next bits you actually need to know The previous value 48,060 But the attacker only knows the bits he doesn't know these numbers listed here the x values The person generating those bits knows that number they just square the number Mod by n which they also know The security actually depends upon how those initial values are chosen the prime numbers, but we will not Get to that until the next topic will talk about prime numbers and the role they play in other cryptographic algorithms There are others. There are other algorithms for generating pseudo random sequences and a Different approach is not to have your own algorithm That's just for generating random numbers, but to use something that we already know about which is encryption When we encrypt something our goal is to generate random ciphertext Okay, so the idea of encryption we take our structured plain text Encrypted such that the output cipher takes ciphertext appears random and That's a good encryption algorithm if that happens so because our ciphers that we've designed for encryption produce random outputs use them as random number generators and That's another approach There are different ways to take existing ciphers and use them as random number generators Here's two approaches The first so it doesn't matter what block cipher we have whether it's AES desk or something else It's a block cipher. It takes b bits in of plain text produces b bits out of ciphertext and it has a key coming in So one way we can generate a sequence of bits The encrypt rectangle here means apply our block cipher like AES It takes a secret key as input k is it the key that the user chooses and another initial value We'll denote the value the vector or value V here as input because our block cipher remember takes a key in a plain text All right, we're not encrypting plain text here. We're just encrypting this initial value V If encrypt was desk the key would be Effectively 56 bits and V would be 64 bits because it's 64 bit block cipher This is the counter mode of operation Similar to what you've seen in the the the last quiz Where we take some initial value that the user chooses Say I choose V and I choose K. I encrypt the initial value of V I get some cipher text that comes out and that cipher text should be random The idea of encryption plain text goes in random bits come out So we get the first sequence of random bits Then we use the same key encrypt again, but encrypt our value plus one We increment. This is the counter mode. So if the first value was 10,000 in decimal I Encrypt that I get some cipher text Then I encrypt 10,001 give some cipher text 10,002 get some cipher text and those Set of cipher text values is my sequence of bits We talk about a seed is the initial value of a random number generator in this case the seed is made up of two values the key and the initial value V So I must choose those to get started and then the algorithm just keeps going forever generating bits which considered pseudo random So this is good because we just reuse our existing ciphers We know that our existing ciphers have been analyzed a lot and considered Secure we know that they do produce random outputs. So they're very easy to use we have software and hardware implementations already so it's Practical to use existing cycles The picture on the right is just a different Way to do that. It's called the output feedback mode We encrypt our initial value using the key we take the cipher text and encrypt that With the same key take the cipher text, which is our output bits, but then encrypt that Our cipher text that comes out at the start is random and Then it becomes the input and if you encrypt a random input again, you get different output all the time Again, the seed is the combination of the key and that initial value V why use Why not use one of these versus a bbs blum blum shove? What's the difference? Assuming they both produce Equivalent pseudo random sequence of bits. What could be a difference between them? Why would I choose one not the other? What do we care about? Assuming they're both secure. What's our limitation? We care about performance. All right, so in security. They're a Key trade-off security versus performance or more generally convenience But often that comes down to it in terms of implementations performance. How fast it does something is a key thing These algorithms of blum blum shove are quite simple There's a square a mod and Grab some bits in hardware quite easy to implement Whereas if you recall back to to simplified desks the real desks There are many different operations that go we go through multiple rounds So that can be slower in hardware So using existing block ciphers is okay from a security perspective But sometimes can take time to generate compared to the other approaches But time here. We're talking about micro seconds. Maybe milliseconds difference is there's not a significant difference Depends upon your application. So we're just going through the different approaches for pseudo ren number generators use block ciphers is one way Have dedicated algorithms like the previous ones is another approach This is another one that uses block ciphers it was a standard ANSI Created creates a number of standards in the US and used to our side and this was a standard user Generating random numbers and I actually use triple desks. So it used a block cipher Just a different example It used triple desks three times So we'll see a block in the next slide and it has three encrypt blocks as triple desks in each of them It takes different inputs. It takes the current data time All right some timestamp. So when we do this operation, what's the current date and time? Some seed value which we chosen by the user and Some keys in this case. We use two keys k1 and k2. So it also chosen by the user it produces in one iteration 64 bits of Pseudo random bits as output and it generates the next value of the seed which will be used in the next iteration So we keep going using them that output. So this one is Designs specifically for triple desks Where's triple desks in this picture the EDE is triple desks One way that triple desks was designed was to do an encrypt with desks a Decrypt with desks and an encrypt with desks three desks operations triple desks and They use two keys as input k1 and k2. So K1 and k2 are fed into each of those three EDE blocks the inputs the date and timestamp Current date and time and some initial value V There are some operations to combine the output of the first encrypt with an X or Use it in a second encrypt and then we do a third encrypt. We get a The next value of our seed as output V and we also get some random bits out To get more random bits we take the next value of V and do it all again. We'll have a new timestamp It'll be some time later We'll have a new value of V the same key We keep using the same key and we'll encrypt those three times get another sequence of random bits and keep going So this is just a third example of Using our existing block ciphers to generate random numbers This one was widely used and still is used because it become a standard government use again The point isn't to remember these algorithms, but just to see some examples We're seeing we're using our normal encrypt block ciphers What other operation? This is X or exclusive or and as computer engineers, you know Exclusive exclusive or is a very easy to implement in hardware. Okay hardware can do an X or very easily It's a very basic operation so therefore it's very fast if we use X or and Exclusive or's we've seen in many of our Algorithms we've seen it in desk. There's a X or in different stages. We see it here Stream ciphers in the next few slides and others X or is common a common operation. It's a good thing to mix Things together if you want to take two values Especially in one of them's random You exclusive or them and the output will be random Okay, so that's a very useful operation and used In a number of cases it's fast and and very easy and Produce a secure output if used correctly so that's it on pseudo random number generators we have dedicated algorithms we just saw two examples lcg and bbs and We could also use existing block ciphers to Generate pseudo random numbers Any questions? Yes each Each EDE there are three EDE blocks is triple deaths Right, so there are three instances of triple deaths here or nine instances of deaths Triple deaths is just Single deaths three times the E means encrypt with deaths The D means decrypt with deaths So that was the way that triple deaths was designed encrypt encrypt encrypt with single deaths But using different keys k1 and k2 if death is slow, then this is nine times slower than deaths Okay, we need to do deaths nine times to do this so performance may be an issue and Performance in practice is mainly an issue the speed is mainly an issue if we need to generate random numbers quickly like we Sending data in real-time across the internet we generate the data from some source Someone speaking or there's some video and we want to encrypt it. We need a random number So we need to generate that random number quickly So that we can encrypt and send with small delay so with real-time data transfer That's when performance is is something to be considered And that's when maybe a dedicated random number generator is better than the block cipher ones. These are a bit slower But for your computer For generating random numbers for keys and so on any of them are okay What does your computer use if we go back to the principles we said Somewhere that our pseudo random number generator Take some initial value a seed But we don't want the attacker to know what the seed value is Because that is an initial parameter for our generator So it makes sense to generate that seed randomly so a common approach is to Have a true random number generator generate the seed and then use that to generate the pseudo random bit stream So the seed may be one say 64 bit or 128 bit value Which is used for a day for example Whereas the bit stream that comes out for that day may be millions or billions of bits so the idea is we Apply the true random number generator to generate a small sequence of bits and Use that small sequence to generate a large sequence of bits. So that's a practical application Where does my laptop get? The true random number generator Well, there are ways that computers will generate True random number generate true random numbers It depends on your operating system for example, what mine does it just in this picture It has different sources of true randomness When I hit keys on the keyboard The time when I hit them Not the second or the hour the second hour when I hit the keys may be quite predictable When I type a word there may be a one one second between each key But the millisecond or the microsecond when I hit that key is quite unpredictable and Consider a source of randomness Let's see if we show an example When I hit a key Note the time stamp will be given here. It's hard to see it scrolls very quickly But here's a time stamp where the last three numbers are the milliseconds. So if we zoom in The last three numbers are the milliseconds. Just wait. I'll hit a key the space bar So the last three numbers were eight three nine on the bottom most one 174 at the bottom of the screen near my mouse five seven nine six one seven four Hit it again five seven one Even if I type a b c d e f Every about half a second. I was hitting a key so that that's predictable, but the last three numbers eight eight eight three nine three four five and so on and Especially so they're in milliseconds if he went down to the microsecond level those numbers are effectively random All right, so it's hard for someone to predict what they will be So what my computer does is takes those values every time I hit a key records those values and Uses them as a source of true randomness Not just when I hit keys when I move the mouse as I move the mouse those numbers are changing and again When I move the mouse and do different things when I click those numbers the millisecond and microsecond are considered random The other thing that your computer does is disk operations. So when you Read files write files you do different operations on the disk Again the millisecond microsecond time stamps are effectively random and maybe hardware interrupts when different devices do things when my Wi-Fi wakes up when the screen does something and so on those are all combined together and Mixed together. How do we mix those values? What's a good way to mix things if I have two times like the time stamp in Microseconds of my keyboard was eight three nine and my mouse was seven four six To mix them together. We could exclusive all the values two random values Exclusive or together generate another random value. So that's one way to mix them all together and that those values From my operating systems perspective are called the the primary entropy pool, which is really a sequence of random bits Which are then used in the pseudo random number generators So then algorithms use those as seeds to generate more bits And other operating systems do similar things they use record the user activity and use that as a true random number source to see those values My computer treats the the random numbers as like a file when I read the file I can see those random bits It's a device on my computer the random device When I look at it It doesn't look very nice because it's all random, but if we convert to bits to binary. It's just random characters There are the random bits that come out and what's happening We may see over time We may get some more coming up Let's stop that so then to the last set of random bits that came out at this line 7e and My computer depending on what I do On my computer. I move my mouse around and press some keys elsewhere and a few more bits come out Because what's happening is my operating systems measuring what I do on the computer Mixing all of that together and producing a random sequence of bits coming out Here it's quite slow that is each line is Six by eight is 48 bits each line down the bottom is 48 bits and then not many Bits being generated Okay, so every few seconds another 48 bits are generated So the way that your computer generates those bits It's important to be aware of that because when you use this to generate a key You need to make sure that the key length that you can generate at that point in time is large enough Okay, here. It's quite slow Let's Finish on pseudo random number generators. So that was an example from my operating systems perspective The details of how they work is quite important, but we don't have Time for all of that The last topic here stream ciphers At the very one of our first lectures we distinguish between block ciphers and stream ciphers block ciphers encrypt Say 64 bits might maybe 128 bits at a time Stream ciphers encrypt one bit or one byte at a time And the general difference is that stream ciphers aim to be faster than block ciphers and stream ciphers are Quite simple in that they generate a random sequence of bits and Exclusive or the plain text with that sequence of bits So we see X or come up again There are different stream ciphers available, but their general design is shown on this slide We have some plain text and we talk about a stream of plain text that is when I'm talking If I have a mobile phone that I'm talking into that mobile phone Converts my voice the analog audio into bits and as I continue talking a stream of bits are generated to be sent across the mobile phone network If I want to encrypt my voice So in real time encrypt what I'm saying so that someone cannot intercept Then we think my voice is the input stream of plain text Continuous stream of bits as I talk and what the stream cipher does we have a key So the user chooses a secret key And that key is used to generate a sequence of bits, which is considered pseudo random So we use a pseudo random number generator or a byte generator Maybe generates numbers, but we usually generate a byte at a time Like the ones we've seen already And that generates some random bits or a random byte So be careful here the uppercase K is the secret key that the user chooses The lowest case K is called the key stream which or the the random bit stream That's the random bits that come out and To encrypt I X or my plain text with that random sequence of bits So say I talk I'm generating bits and every byte or every eight bits of plain text X or with every eight bits of the key stream K and the next eight bits of plain text are simply X or with the next random K Where the pseudo random byte generator just generates eight bits of randomness with the same key and we keep going X or And the output is the ciphertext We send the ciphertext across our network The receiver who must have the same key Takes and uses the same pseudo random number generator So with the same input and the same algorithm you get the same output so the same values of K and You X or K with the ciphertext C and the properties of exclusive or is that you'll get the plain text back if you X or the plain text with K and get C if you X or C with the same K You get P everyone remembers that from their basics of computer hardware properties of X or a reminder effectively what we're doing is the ciphertext is obtained by taking the plain text and X or with lowercase K The key let's say these are 8-bit values so if we use that same K and we Do C X or K What is C? Well, it's P X or K That is the encryption is this step take our plain text X or with the key. Sorry with the key stream We get ciphertext if we take that same ciphertext and X or with the same key stream lowercase K Then that's equivalent of P X or K X or K again What's K X or K? They cross they cancel each other out if K is zero K X or K if K zero zero X or zero Zero one X or one Zero, okay, so we get zero here. They cancel each other out effectively and it becomes C X or K These two disappear we left with P the plain text X or zero is simply the plain text so exclusive or encryption and Decryption we can use the same operation exclusive or This is the decrypt plain text X or the key stream We get the ciphertext to decrypt just X or that ciphertext with the same key stream It needs to be the same value and you'll get the original plain text and the good thing about X or it's very fast Okay, so as long as we can generate random bytes quickly Encryption is very fast here as I generate my plain text Gonna quickly X or with some random bits and get the ciphertext and send that and that's where the power or the the benefit of stream surface come in the speed and The idea of course is that K is random or pseudo random Know when I say random from now on often. I mean pseudo random. I will not distinguish so this should be random and if you Exclusive or some random set of bits with some structured set of bits some plain text the output should also appear random Because what X or does is just change those bits depending upon whether it's a matching 0 0 We get a 0 1 1 we get a 0 or if they're not matching then we get a 1 as output If one of those inputs K is random Then it's going to change the output bits Randomly so the ciphertext will be random as it comes out Even if the plain text is structured will get random ciphertext an example of that If we have plain text structured plain text eight bits structured, I just chose four bits of zero four bits of one and we X or with some random key and I'll try and choose randomly So this should be my random key. This is my structured plain text when we X or what do we get? Well our structured plain text Here we're going to get one This bit will change if it's different from the key stream bit and It will stay the same if it's the same and Because the key stream bits are random then The bits that will change in our plain text will be random Here we got a different one. So we end up with change value change so the property of X or is that with one value that's random as This one's structured Not random But with one value as random input the output would be random And that's what we want from encryption produce random ciphertext If you take it a couple of steps further, you'll see if you use this correctly X or is equivalent to the one-time pad The one-time pad is the only unconditionally secure Algorithm that we know of there's only one algorithm. We know which is perfect offers perfect security the one-time pad In fact the exclusive or Provides that capability it is a one-time pad However, the key must be used correctly That's a good exam question prove X or is a one-time pad So stream ciphers in general quite simple. We just need a random number generator Well, we've seen some in the previous slide some examples of random number generators the LCG BBS or we could actually use Block ciphers, but that doesn't make sense if we want to improve performance and There are other algorithms we can use there a widely used well no some Design issues first So this is in general with stream ciphers and also random number generators when we have a random number generator We said with LCG it produces a sequence and then it repeats So the length of that sequence before it repeats is called the period So we want it to have a very large period. So it doesn't repeat very often So that's a design Criteria when considering the algorithm and parameters the key stream or the output should be Appear to be truly random Should exhibit randomness and the key that we use as input must be large enough If someone can guess the initial key uppercase K, then they can generate the key stream So that Something to consider when we compare to block ciphers stream ciphers are usually easier to implement and as a consequence much faster to operate But if we reuse the key with a stream cipher Then it makes it easy for the attacker to break it Whereas with block ciphers by re we can reuse the key for as long as we like in theory As long as the attacker can't guess it but if we reuse the key with stream ciphers and end up encrypting this the same plain text multiple times with the same key and if the attacker discovers some known plain text ciphertext pairs It's quite easy for them to work out what the key is okay So a common way that stream ciphers work is that if we have a key Then it's changed on a regular basis So or another value say you combine a secret key with some initial value some time stamp such that changes on a regular basis The last one is just an example of a Common stream cipher. It's been around for a long time It is now considered to have some weaknesses and no longer recommended Rc4 Rc4 Developed Ron revest and remember the last name because it'll come up again He developed Rc4 and also some other ciphers will see and It's been used widely in web browsing. So when you connect to a website when it says HTTPS in The past that commonly used Rc4 to encrypt the data sent between your web browser and server so When you're downloading the web page from the web server to your browser the server Uses Rc or in the past at least used to use Rc4 to encrypt that web page It would X or with some random bit stream and send the the ciphertext you would decrypt and in Wi-Fi if you used what was a WEP in Wi-Fi today if you choose the secure mode the encryption. There's usually different options like WPA WPA2 and the older one was WEP WEP and that one used Rc4 But it had some weaknesses in in Wi-Fi encryption that meant it was no longer used It was very simple and efficient So it was widely used because of that it allowed for different key sizes There are some theoretical limitations and and if you use the keys in the wrong manner it's easy to break and Nowadays people recommend against it for web browsing and Wi-Fi. So web browsers over the last one or two years as Stop using Rc4 and mainly use AES and a few other ciphers AES is fast enough to almost match the speed of stream ciphers So that's one widely used stream cipher There are some slides that go through the algorithm which we will not do in this course this semester So if you want to see one Real stream cipher you can look through. It's not so hard to go through It's in about 10 or 15 lines of code to implement this and the lines of code simply are Some loops There's a mod operation Some additions and another mod a swap changing parts of memory Some more mods and additions so that the Operations are very basic from a computer's perspective and therefore very fast to implement and finally an XOR XOR the plain text with the key stream So that brings us to the end of random numbers We'll see that they use throughout some other topics as well We'll assume from now on that we can generate secure random numbers good random numbers but in practice some of the The Flaws in algorithms have been due to poor random number generators some of the The the hacks that say the NSA and others did which were released by Snowden and others were due to compromise random number generators one of them was that a random number generator which was widely used and standardized was Supposedly the NSA Created a back door into that so that they could Detect and predict what the random values will be coming output Whereas you didn't think they'll do that and therefore they could work out your key Random number generator design is complex, but very important Questions to finish this topic Any random questions Now's a good time We'll have a break soon We don't go through the algorithms in much depth LCG was a quick example Just the concepts