SLIDE 1

KISS: A Bit Too Simple

Greg Rose

ggr@qualcomm.com

SLIDE 2

Outline

q KISS – random number generator q Subgenerators q Efficient attack q New KISS and attack q Conclusion

SLIDE 3

One approach to PRNG security

"A random number generator is like sex: When it's good, it's wonderful; And when it's bad, it's still pretty good." Add to that, in line with my recommendations on combination generators:

"And if it's bad, try a twosome or threesome."

  - George Marsaglia, quoting himself (1999)

SLIDE 4

KISS – a Pseudo-Random Number Generator

q “Keep it Simple Stupid” q Marsaglia and Zaman, Florida State U, 1993 q Marsaglia posts C version to sci.crypt, 1998/99, took off q Never said it was secure!

Ø Good thing, too… Ø But others seem to think it is. #define znew (z=36969*(z&65535)+(z>>16)) #define wnew (w=18000*(w&65535)+(w>>16)) #define MWC ((znew<<16)+wnew ) #define SHR3 (jsr^=(jsr<<17), jsr^=(jsr>>13), jsr^= (jsr<<5)) #define CONG (jcong=69069*jcong+1234567) #define KISS ((MWC^CONG)+SHR3)

SLIDE 5

KISS diagram

[Diagram: znew and wnew feed MWC; MWC, SHR3 and CONG are then combined into the KISS output.]

SLIDE 6

Multiply With Carry subgenerator

    #define znew (z=36969*(z&65535)+(z>>16))
    #define wnew (w=18000*(w&65535)+(w>>16))
    #define MWC  ((znew<<16)+wnew)

• znew and wnew
• 16 bits "random looking" (the low half), 32 bits of state (the high half holds the carry)
• Multiply the low 16 bits by a constant (36969 for znew, 18000 for wnew), add the carry from the previous multiplication
• Periods about 2^30.2 (znew) and 2^29.1 (wnew): two long cycles each
• Two bad values repeat forever: 0, and the modulus 2^16·c − 1 itself (0x9068FFFF for znew, 0x464FFFFF for wnew)
• Large states go into smaller ones: any 32-bit state above the modulus drops below it within an update or two
• Writing z = carry·2^16 + x, the update is f(z) = c·z mod (2^16·c − 1)
  ◦ the modulus is prime for the two constants shown
• znew only affects the high-order 16 bits of MWC; the low 16 bits of MWC are the low 16 bits of wnew.

SLIDE 7

Linear Congruential subgenerator

    #define CONG (jcong=69069*jcong+1234567)

• Well studied, period 2^32, single long cycle
• Low-order bits form smaller linear congruential generators: the low k bits depend only on the low k bits of the previous value, so they cycle with period 2^k
• In particular, the LSB goes "0101010101…"

SLIDE 8

3-Shift Register subgenerator

    #define SHR3 (jsr^=(jsr<<17), jsr^=(jsr>>13), jsr^=(jsr<<5))

• Linear over GF(2), but not an LFSR in the usual form
• Authors assumed a long period, but wrongly
• LSBs of the output form one of 64 LFSRs
• Periods range from 1 to 2^28.2 (not 2^32 − 1!)
• Can recover the initial state from 32 consecutive LSBs easily
  ◦ Binary matrix multiplication
• (It turns out that Marsaglia got the constants 13 and 17 back-to-front; subsequent versions of KISS get them right and the generator then has a full period.)

SLIDE 9

Attack idea

q Divide and Conquer

Ø Registers are updated independently of each other, then combined Ø So try to get rid of effects of one or more registers Ø One of them is already partly gone!

q Exploit weaknesses (eg. Linearity of SHR3, low order bits

  • f CONG)

q Guess and Determine

Ø Guess (that is, try all possibilities) for some values, then Ø Derive other values Ø Verify whether still consistent

SLIDE 10

What do we know at the start?

[Diagram: the KISS structure (wnew, znew, MWC, SHR3, CONG, KISS), with each register marked Determined, Now known or Guessed; at the start nothing is known.]

SLIDE 11

Guess wnew

Try every value the w register can hold on its cycles (about 18000·2^16 of them, see the work estimate below); the rest of the wnew sequence then follows from the guess.

SLIDE 12

Guess LSB of CONG (01010… or 10101…)

The LSB of CONG alternates (odd multiplier, odd increment), so only its phase is unknown: two guesses.

SLIDE 13

Determine LSB sequence from SHR3

KISS = (MWC ^ CONG) + SHR3, and the LSB of a sum is the XOR of the LSBs, so LSB(SHR3) = LSB(KISS) ^ LSB(wnew) ^ LSB(CONG). With wnew and the CONG phase guessed, the LSB of every SHR3 output is fixed.

SLIDE 14

Verify LSB sequence from SHR3 is LFSR

Every bit of a linear 32-bit register follows an LFSR of length at most 32, so Berlekamp-Massey on the derived LSBs must report linear complexity ≤ 32; a wrong guess of wnew or of the phase fails this with overwhelming probability. The surviving sequence also yields the full SHR3 state by solving 32 linear equations over GF(2).

SLIDE 15

Determine half of CONG

KISS − SHR3 (mod 2^32) = MWC ^ CONG, and the low 16 bits of MWC are the low 16 bits of wnew, so the low 16 bits of every CONG value are low16(KISS − SHR3) ^ low16(wnew).

SLIDE 16

Guess top half of CONG

2^16 possibilities. The low half already fixes the low half of every later CONG value, so the high half is all that remains unknown.

SLIDE 17

Determine low half of znew

With CONG known, MWC = (KISS − SHR3) ^ CONG is known; its high 16 bits are (low16(znew) + high16(wnew)) mod 2^16, which gives the low half of znew.

SLIDE 18

Determine high half of znew from low half

z_{n+1} = 36969·low16(z_n) + high16(z_n), so the low half of the next znew value gives high16(z_n) = (low16(z_{n+1}) − 36969·low16(z_n)) mod 2^16.

SLIDE 19

And verify…

Run the full generator from the candidate (znew, wnew, SHR3, CONG) state and compare with the remaining observed words; wrong guesses of the CONG high half fail here.

SLIDE 20

How much work?

q Dominated by trying, on average, 589,823,999 values for wnew q And for each one, using Berlekamp-Massey algorithm to check whether the candidate for SHR3 is LFSR

Ø Alternatively, can check parity equations.

q Few hours on laptop.

SLIDE 21

Newer KISS

q Sci.crypt 2011 posting by Marsaglia q Looking for longer and longer cycles q Period > 1040,000,000 q State is ridiculously large (222+3 32-bit words) q Again combines multiple components “for security”

S H R 3

+

C O N G b32MWC (222 words)

SLIDE 22

New KISS

    /* unsigned long is assumed to be 32 bits */
    static unsigned long Q[4194304], carry = 0;

    unsigned long b32MWC(void)
    {
        unsigned long t, x;
        static int j = 4194303;
        j = (j + 1) & 4194303;
        x = Q[j];
        t = (x << 28) + carry;
        carry = (x >> 4) - (t < x);
        return (Q[j] = t - x);
    }

    #define CNG  ( cng=69069*cng+13579 )
    #define XS   ( xs^=(xs<<13), xs^=(xs>>17), xs^=(xs<<5) )
    #define KISS ( b32MWC()+CNG+XS )

(Note 13 and 17 reversed from before.)

SLIDE 23

Complemented Multiply With Carry

q Large circular buffer with carry variable q Extremely long period q State values are used directly for output q Can be run backward q After one rotation through buffer, can check consistency easily (used in attack) q By itself has no cryptographic strength at all

Ø output is state

SLIDE 24

Attack on New KISS

q Simple divide and conquer q Guess state of CONG and SHR3 q Run generator forward slightly more than a full rotation

  • f b32MWC’s buffer

q If 3 outputs are mutually consistent, must have guessed correctly q Run backward to recover full initial state q Equivalent to 263 key setup operations

Ø But the key is huge, so is the key setup operation

SLIDE 25

Optimization of attack

q Only care about v0, v1, v2, and vR, vR+1, vR+2 q Can fast-forward the simple generators cong and SHR3 q Can maintain cong0, congR and step them forward to enumerate cycle, similarly SHR3 cycles. q Attack is now 263 basic operations, about 241 key setup

  • perations
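An added Python example (not from the talk) of the consistency check, the buffer recovery and the run-backward step described on the last three slides. The buffer length is a parameter so the demo can use a 16-word buffer in place of Marsaglia's 2^22 words; CNG is fast-forwarded with an affine jump-ahead, XS is simply stepped. The 2^64 enumeration of (CNG, XS) guesses is the part this demo does not perform: it checks that the true guess is accepted and wrong ones rejected, then recovers the initial buffer by inverting b32MWC. Seeds and buffer contents are constructed values.

```python
MASK32 = 0xFFFFFFFF
A = (1 << 28) - 1   # b32MWC is a lag-n multiply-with-carry: word' = A*word + carry (mod 2^32)

def cng_step(c):
    return (69069 * c + 13579) & MASK32

def xs_step(x):   # the corrected (13, 17, 5) three-shift register
    x ^= (x << 13) & MASK32
    x ^= x >> 17
    return x ^ ((x << 5) & MASK32)

def cng_jump(c, n):
    """CNG after n steps in O(log n): square the affine map c -> m*c + k
    (f(f(c)) = m^2*c + (m+1)*k) and apply the powers selected by the bits of n."""
    m, k = 69069, 13579
    while n:
        if n & 1:
            c = (m * c + k) & MASK32
        m, k = (m * m) & MASK32, ((m + 1) * k) & MASK32
        n >>= 1
    return c

class NewKISS:
    """Marsaglia's 2011 KISS with the buffer length a parameter (he used 2^22)."""
    def __init__(self, q, carry, cng, xs):
        self.q, self.carry, self.cng, self.xs = list(q), carry, cng, xs
        self.j = len(self.q) - 1

    def b32mwc(self):   # the C function, operation for operation
        self.j = (self.j + 1) % len(self.q)
        x = self.q[self.j]
        t = ((x << 28) + self.carry) & MASK32
        self.carry = ((x >> 4) - (1 if t < x else 0)) & MASK32
        self.q[self.j] = (t - x) & MASK32
        return self.q[self.j]

    def next(self):
        self.cng, self.xs = cng_step(self.cng), xs_step(self.xs)
        return (self.b32mwc() + self.cng + self.xs) & MASK32

def mwc_chain(v, n):
    """Outputs n, n+1, n+2 must be the updates of outputs 0, 1, 2 (each word is
    re-read after one rotation).  The first pair fixes the carry, the next two
    give 2 x 32 bits of check.  Returns the carry after output n+2, or None."""
    carry = (v[n] - A * v[0]) & MASK32          # v[n] == A*v[0] + carry (mod 2^32)
    if carry >= A:                              # a genuine carry is always below A
        return None
    for i in range(3):
        x = v[i]
        t = ((x << 28) + carry) & MASK32
        if (t - x) & MASK32 != v[n + i]:
            return None
        carry = ((x >> 4) - (1 if t < x else 0)) & MASK32
    return carry

def attack(K, n, cng0, xs0):
    """Guess (cng, xs) as used for output 0 and strip them from the n+3 observed
    words.  If the b32MWC words chain consistently the guess is right, and the
    buffer (the last n words) and carry after output n+2 follow directly."""
    xs_vals, x = [], xs0
    for _ in range(n + 3):
        xs_vals.append(x)
        x = xs_step(x)
    v = [(K[i] - cng_jump(cng0, i) - xs_vals[i]) & MASK32 for i in range(n + 3)]
    carry = mwc_chain(v, n)
    if carry is None:
        return None
    q = [0] * n
    for i in range(n + 3):
        q[i % n] = v[i]
    return q, carry

def run_backward(q, carry, last_j, steps):
    """Invert b32MWC: A*old + old_carry == new_carry*2^32 + new with old_carry < A,
    so the old word and carry are the quotient and remainder by A."""
    q, j = list(q), last_j
    for _ in range(steps):
        total = (carry << 32) | q[j]
        q[j], carry = total // A, total % A
        j = (j - 1) % len(q)
    return q, carry

if __name__ == "__main__":
    n = 16                                                     # 2^22 in the real generator
    q0 = [(0x9E3779B9 * (i + 1)) & MASK32 for i in range(n)]   # constructed seed buffer
    gen = NewKISS(q0, 0, 0x1234ABCD, 0xCAFEBABE)
    K = [gen.next() for _ in range(n + 3)]
    guess = (cng_step(0x1234ABCD), xs_step(0xCAFEBABE))        # the true (cng, xs) at output 0
    print("true guess accepted:", attack(K, n, *guess) == (gen.q, gen.carry))
    print("wrong guess rejected:", attack(K, n, guess[0] ^ 1, guess[1]) is None)
    print("initial buffer recovered:", run_backward(gen.q, gen.carry, 2, n + 3) == (q0, 0))
```

Only six words, v_0..v_2 and v_n..v_{n+2}, enter the consistency test, which is why the slide's optimisation needs just fast-forwarding of CONG and SHR3 to the far positions; with the real 2^22-word buffer the carry range check plus two 32-bit equalities leave a wrong 64-bit guess a chance of about 2^-68.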

SLIDE 26

Conclusion

q M & Z overestimated the period by about a factor of 10 q KISS is not secure q Need about 70 words of generated output (original KISS) q Can apply attack to unknown (but biased) plaintext

Ø Replace B-M step with fast correlation attack Ø Still surprisingly efficient

q Don’t use KISS if you need security!