 So, well, without much ado, let's just cut right to the chase. So what is a PRNG? And we all know PRNG is a big red button, probably from Staples. So you press it once, you get an output. You do it again, you get another output, and a third time another output, and so on. So you get the idea. But what is common among these outputs is that we want the output to be uniform, independent, and fresh. But where does this randomness come from? And when we look at it inside this big red button, what we see is that this PRNG is actually a PRNG with input. And what are these inputs? These are entropy sources. Typically, these are interrupts. But they can also be system measures, such as temperature and timing. But what is the properties of these entropy sources? They are not uniform. They are not independent. They are not fresh. They come gradually, and they are adversarial. So the goal of this talk is to present a way in which we can take these inputs with these properties to produce output with the desired characteristics. But before we get caught in the details, let's actually take a step back and look at the bigger picture. Cryptography has given us a lot of primitives that sort of introduced in the ad hoc fashion. But over time, they have matured. But what is the state of the PRNG? It's rather primitive, as denoted by Golem here. But considering that the PRNG is sort of the bedrock of cryptography, we need randomness to generate keys. And so it's irrefutable that PRNGs are rather crucial. So the goal of this talk would be to put it into the next step, which is this. But when you actually take a step back and look at our PRNGs, they should be the easiest to deal with, because there's not multiple algorithms. There's no correctness. There's no consistency. So hopefully with our help, we will actually be able to take it next step and unlock the full potential of PRNG. So this is the tribute to all of the Lord of the Rings fans out here. But what about PRNG standardization in particular? I don't have time, but there's a lot of work. But it is rather ad hoc in fashion and rather immature. So the TLDR version is, if this works, is this. But clearly, operating systems have PRNGs. We know them. We use them. So what about those in particular? So that brings us to this slide. Affair transitions. OK. That is rather underwhelming. But the fact remains that these PRNGs was not built according to any standard. But the good ones seem to use cryptographic hash functions. We'll be revisiting this idea in greater detail. But once again, the TLDR summary is that this remote is meant to just tire my jokes. But yes, it works. But we are not entirely sure why. So this is the state of PRNG in practice. So let's look at PRNG theory. Well, that kind of got my joke. But anyway, the story is that PRNG theory is largely divorced from practice. There are existing theory, but they don't exactly analyze models in practice. So the goal of this talk would actually be to propose this movement towards looking at these constructions in practice from a theoretical vantage point. More formally, our focus is why do existing RNGs work? So we meandered off. So let's go back to where we started, which is a PRNG with input. Now let's take a simpler case of one output and where the entropy comes all at once. This is a case of a monolithic extractor. This is a simpler beast to tame. So with this setting, let's move on and look at replacing these pictures with variables because that's what mathematicians do. So we look at x, and we apply deterministic function, which is y, to produce the output y. And the goal of the adversity is to distinguish y from random. So what are the assumptions that we can make about x? So yes, thank you. That might mean yes. But the holiest grail would be to make the simplest assumption, which would be to say x has min entropy gamma, but does it necessarily translate to the output of an extract function on x being indistinguishable from random? Unfortunately, no. Because even if you assume that the extractor function just produces one bit of output, we can still sample x in such a way that it almost has full entropy. But the output as such is always 0. So this set up a lot of work, and a lot of workarounds was proposed around this impossibility result. The first such was to limit the class of sources. But once again, these did not deal with real practical sources, and the other solution was to weaken the security. Well, as cryptographers, you would rather not weaken security. So this inspired a whole bunch of research, the preferred solution became to use a seed, where the extract function, in addition to taking input x, also uses the seed s. But where does the seed come from? So it becomes a chicken and egg problem, because sometimes you need to use randomness to generate the seed, and in order to generate randomness from the seed, which comes first, which whether the chicken or the egg. But perhaps most importantly, the source needs to be independent of the seed, which is unrealistic for PRNGs. The reason is simple, because you're running a PRNG with seed, it's going to trigger a whole bunch of system interrupts, which would invariably end up becoming an entropy source. So it becomes a loop again. And the best known extractors tend to be information theoretic extractors, which catastrophically fail if source is not seed independent. So clearly, this is not very attractive for practitioners. But as we discussed earlier, we have that cryptographic hash functions were used. So the large part of our paper deals with looking at these RNGs in practice, but analyzing in idealized models. So let's go back or rather forward if it moves any minutes now. Yes. So we look at monolithic extraction from the random oracle setting, because we are looking at things in that idealized world. More formally, we look at our random oracle model extraction from oracle independent sources. Here, we have x, which is an arbitrary distribution. The goal of the adversary is the construction is simple. We apply a monolithic random oracle, g, on the input x. Now the adversary is allowed to query the oracle g. So clearly, we have the proof, which is the folklore proof, which says that unless the attacker actually ends up querying x in one of the queries it makes, the output is perfectly random. So this gets us the bound q times 2 to the negative gamma. But what is the caveat? The caveat is that from a practical standpoint, this is unrealistic. And from a theoretical standpoint, we have an exponential seed, which is an overkill. So the next logical step would be to look at oracle dependent sources, where the idea is to let the attacker choose with oracle access a high entropy input. So the setting is as before. It makes q queries. It provides the x. And the challenger responds with g of x or u. So what about the earlier assumption that we made when we said x has min entropy gamma, at least? Will that still work? Unfortunately, what this means is that for the outside world, x has gamma bits of entropy. It does not translate to x actually not knowing x. Sorry, the adversary not knowing x. More formally, the problem is that the attacker has to forget something. So how do we capture it? The condition would now, we can condition it on the state of the adversary just after it provides x, which gets us here. But well, everything is skipping ahead. But the problem here would be that we can use the random oracle as a source of entropy. What it means is that the attacker merely provides x as g of 0. So the state is null. But clearly, this is not a fix that we are happy with. So the next step, we can look at conditioning it in addition to sigma on g. Now, does it work? Unfortunately, no. Because we come up with a bigger problem, which is the extractor fixing attack. So in the next slide, we look at this attack in larger detail. So the setting is as before, but this is the attack. The attacker chooses x uniformly at random. It queries y is g of x. And it checks to see if y begins with 0. If not, it chooses x prime uniformly at random, thus querying to get y prime. And then it checks to see if y prime is 0. Now, at this point, it outputs, if it begins with 0, it outputs x prime as its guess. And it empties the state. OK, now let's look at the conditioning that we had before, which is that now x prime condition on sigma, which is empty. And g, it still has entropy. So clearly, this is not a good attack, because as such, the output has minimum entropy. So that brings us to the big question. Can we capture the belief that a cryptographic hash function, for example, a shout 2 or a shout 3, is a very good extractor without seed, and despite the extractor fixing attack, which we did. So let's go back and take a look at the greater detail. In particular, let's focus on the queries that the adversary makes. So it makes the following set of queries. So now let's look at conditioning on x prime with the set of queries L. So what does this, if you have slept or if you have not had woken up from the coffee, this is the biggest takeaway. So we condition on the set of queries L in addition to sigma. And once we condition L, we can actually lose g. So L is a random variable denoting the set of g queries up to when it outputs x. And now, even if it clears the entire state, does it satisfy the condition? Actually, it doesn't. So the attacker does not work. So voila, we actually came up with something. Or did we? So that brings us to, well, under Icon to Cut My Message, we actually came up with something that was fascinating. Because what does it mean to condition from queries? The intuition here is the entropy does not come from queries to Oracle. And we force entropy even if the attacker does not forget the queries. And it seems to realistically model existing entropy sources. For example, let's consider timing of introps. Clearly, as we discussed before, it can and does depend on the hash functions even in a non-adversarial manner. But so the higher order timing info might be easy to predict. But as of the lower order, it still appears centropic because the timing of the system is independent of the running of the hash function. So what we end up with is a larger pool of sources in addition to the standard model main entropy sources. But we actually now have many Oracle-dependent sources as well. So the biggest takeaway that we did was we conditioned on the set of queries that the adversary makes to the random Oracle. Now, what do we get using this principle in terms of a theorem for monolithic extraction? We actually get the g of x is secure extractor with error q times 2 to the negative gamma. Now, for those of you who remember, this is the same bound as for the auto-independent setting. But we have just shown it for a larger pool of sources. And the proof follows in a similar intuition as before where we cannot guess g of x with high probability. So are we done? So what are the implications when instantiating g? So when we look at an extractor that we get, it's a rich class of sources, including those coming from real entropy sources. But as we discussed, since we are dealing with it in an idealized setting, for these, it tends to be heuristic. So let's go back and look at online extraction. What is online extraction? It is when the inputs actually come in multiple blocks. So as denoted by x1 through Excel. And now, we want to produce an output. So this primitive uses a state s. So it absorbs the input using a refresh function. And it produces an output y finalize of x. So there are two functions here, refresh and finalize. And so what is essentially happening is that it iteratively absorbs the input. And then it finally produces output by calling the function finalize. Note that this is a fine-grained syntax, but the security definition is still the same. And replacing with a more robust pseudocode, as I mentioned, it iteratively absorbs and produces the output. So we now propose practical constructions. The first thing we have a Merkle-Damgard with a random compressing function f. The refresh function basically takes as input the previous state and the current input. And it produces the new state. The finalize function just outputs the state. We propose another construction. A variant of this was proven secure, but in the RO independent setting by the work of Dodis and others in 2004. The second construction we have is to instantiate the random compressing function, but with an ideal cipher instead. This is the basis by the ideal cipher. This is the Davis-Meier style construction that is used in SHA2. Remember that we were discussing SHA2, SHA3, and looking at using them. So the refresh function is as follows. Finalize Gehli outputs the same state. Then we come to Sponge, where it's sort of different because it's a completely different breed. Where the refresh function basically exhausts the input to only the first half of the state or first part of the state. And then finalize just outputs the first orbits of the state. The reason is simple, because if it outputs the entire state because we are using a random permutation pi, I can invert the query. So this is the third construction. And we can take Sponge to an extreme form, which is called this CBC construction. I'm sorry, a version of it was proved secure in the seated setting by Ghazi and Tesaro in 2016. I'm sorry, I just skipped across. But so let's look at CBC in particular. So we have this. So here the entire state is exorbed with the input. So this is the refresh function. And it is used in the CDR construction in SBA 890A. It is used by Intel RNG. It's proven secure in the Oracle independent setting by Dodes and others. So the question we have here is, is it secure in the Oracle dependent setting? We might be sort of naive to think it would be case. True, but we actually show an attack and it's a beautiful attack, wherein we say at each step of the process, we provide exactly one bit of entropy. So note that, so we toss the first step, the adversary tosses a coin and chooses between zero and one. The output after the first pi call is pi of zero or pi of one. Then for the second input, it chooses between zero and pi of zero exorbed with pi of one. Now the result of this exorbed operation, the input if I can, the result here, for those of you who can do some quick math, is actually the same state. So the output of the second pi call becomes either pi squared of zero or pi squared of one. And this process is repeatedly done. And after L steps, let's look at what has happened. It has absorbed L bits of entropy. But if you look at it, the state pi L of zero or pi raised to the L of one actually has only one bit of entropy in the output. So, and note that this is independent. This is true even when conditioned on the state and the attackers by queries. So clearly we have attack CBC and does that mean all of the other constructions crumble? What about the rest of them? We actually show that Merkle Damgot has a good online extractor in the random monocle model. We show that Merkle Damgot and an extension is seen. We can check our paper for extension to HMAC and HKDF. And we show Merkle Damgot with Davis Meyer as an online extractor in the ideal cypher model. We also show that the sponge is an online extractor in the random permutation model. And actually all of them are PRNGs with input, okay? So clearly we have attack CBC but all of the others we have shown to be secure. So this is the perfect segue to where we started the whole before we went down the rabbit hole. PRNGs with input, okay? So we replace online extractor but in this case we want multiple outputs. So we replace PRNG, we have multiple outputs Y, Y prime and so on and we replace the finalized function with next instead, okay? So we have multiple outputs Y, Y prime and so on. So this is our PRNG with input. Note that the calls can be made in any order so I can have refresh next, next, whatever be the case but it needs to handle state compromise. What does it mean? The adversary can set it to a state of its choice. What the adversary can also do is we practice plan to compromise the state at any given point of time. So this is captured in the robustness game but due to paucity of time I'm actually gonna just give you the high level view. We actually discussed, show it for adversarial sources, the robustness game is model. We also deal with both forward, backward security. We have it's seedless and we critically use the notion that we mentioned before where we conditioned on the set of queries that it has made and it's simpler than previous work. So these are our PRNG constructions. I don't have time but I'm just gonna give you one, a flavor of the Merkel dam guard with the random compressing function f. So the refresh is similar to what we saw before but the next actually does this wherein it takes the final state and it sets a new state to be f of zero comma s and it sets the new random bits to be f of one comma s and so on and so forth. And so on. Yes. I'm just gonna jump right to Shah because the sponge construction. This next is a modification proposed by Hutchinson in 2016 where the output Y is first, the first R bits becomes the output and then there's a pi call. Any minutes now, I feel like I'm a Harry Potter holding a wand but it doesn't work. But anyway, so the output of next is now, the seed is now exorbit the output of pi. This is done to ensure that we can't have inversion queries. So this is the sponge and I think I don't have time for the information theoretic PRNG so I'm just going to jump right to the summary. We provide, we just can discuss this offline but yes, so summary, what have we done? We have a new meaningful robustness notion for seedless PRNGs. It's a clean, oracle-dependent entropy condition for attackers which is restrictive and permissive. Restrictive enough to avoid impossibility but permissive enough to have a larger pool of sources and we have both the computational and IT version. We have a sensible way of arguing. The security of PRNGs that are widely used. We allow for seedless extraction in idealized models and we do have three PRNG constructions which we prove both computational and IT secure and we also show an attack on CVC to show us that does not succumb to entropy. So are we ahead? I think we are, or at least we are close to it. So hopefully this heads us on a path but then we unlock the demon of Sauron. So thank you. I'll take questions now. Ben, I have one please. Yeah. So I understand you had four presentations you considered and three of them were secure, like roughly saying. Like you had this, you had a secure construction based on McLeod-Dumgaard and one with Davis Maya and so on. Can you compare them with each other? So like you have three secure constructions. Which one is the best? Which other do they compare? Oh, so we did do an analysis wherein we considered the parameters. I don't remember the offline unfortunately but we actually discussed the parameter choices wherein we select different parameters. And but I'm not sure if I have an answer to the question which I would prefer. But yes, but the answer, the answer, non-answer because Shato and Shatri is widely used and Shatri is Shatri, it's after Shat two. So maybe I would recommend that. But once again, we do compare parameter choices but I don't have an answer to which I would which way I believe. Thank you. Is there any other question? I do not see any. Okay, thank you. Thank you so much.