JV Roig

DOI: https://doi.org/10.48550/arXiv.1804.02904

2018-04-09

Cryptography and Security

Abstract:Generating secure random numbers is vital to the security and privacy infrastructures we rely on today. Having a computer system generate a secure random number is not a trivial problem due to the deterministic nature of computer systems. Servers commonly deal with this problem through hardware-based random number generators, which can come in the form of expansion cards, dongles, or integrated into the CPU itself. With the explosion of network- and internet-connected devices, however, the problem of cryptography is no longer a server-centric problem; even small devices need a reliable source of randomness for cryptographic operations - for example, network devices and appliances like routers, switches and access points, as well as various Internet-of-Things (IoT) devices for security and remote management. This paper proposes a software solution based on side-channel measurements as a source of high-quality entropy (nicknamed "SideRand"), that can theoretically be applied to most platforms (large servers, appliances, even maker boards like RaspberryPi or Arduino), and generates a seed for a regular CSPRNG to enable proper cryptographic operations for security and privacy. This paper also proposes two criteria - openness and auditability - as essential requirements for confidence in any random generator for cryptographic use, and discusses how SideRand meets the two criteria (and how most hardware devices do not).

Wei Liu,Chengrong Wu,Haolin Jin,Shiyong Zhang

DOI: https://doi.org/10.1109/cits.2016.7546416

2016-01-01

Abstract:Web security is an important part of information security. This paper proposes a new web anti-attack method based on URL randomization. Adding a random field in the URL leads that the attackers cannot get desired URLs through sniffing and scanning the static URLs. In the section of theoretical analysis, we analyze the probability that the attackers construct the correct URLs. Finally, we implement a prototype of the method we come up with and use it to measure the overhead the method will bring. Experiment results shows that the overhead the method brings is very little and this method has the significance of practical application.

Ram Soorat,Madhuri K.,Ashok Vudayagiri

DOI: https://doi.org/10.48550/arXiv.1510.01234

2015-10-06

Abstract:One of the key requirement of many schemes is that of random numbers. Sequence of random numbers are used at several stages of a standard cryptographic protocol. A simple example is of a Vernam cipher, where a string of random numbers is added to massage string to generate the encrypted code. It is represented as $C=M \oplus K $ where $M$ is the message, $K$ is the key and $C$ is the ciphertext. It has been mathematically shown that this simple scheme is unbreakable is key K as long as M and is used only once. For a good cryptosystem, the security of the cryptosystem is not be based on keeping the algorithm secret but solely on keeping the key secret. The quality and unpredictability of secret data is critical to securing communication by modern cryptographic techniques. Generation of such data for cryptographic purposes typically requires an unpredictable physical source of random data. In this manuscript, we present studies of three different methods for producing random number. We have tested them by studying its frequency, correlation as well as using the test suit from NIST.

Computational Physics,Cryptography and Security,Instrumentation and Detectors

Zhi Guan,Zhen Cao,Xuan Zhao,Ruichuan Chen,Zhong Chen,Xianghao Nan

DOI: https://doi.org/10.1109/ICDCS.2008.24

2008-01-01

Abstract:The growing popularity of web applications in the last few years has led users to give the management of their data to online application providers, which will endanger the security and privacy of the users. In this paper, we present WebIBC, which integrates public key cryptography into web applications without any browser plugins. The public key of WebIBC is provided by identity based cryptography, eliminating the need of public key and certificate online retrieval; the private key is supplied by the fragment identifier of the URL inspired by BeamAuth. The implementation and performance evaluation demonstrate that WebIBC is secure and efficient both in theory and practice.

Subhajit Adhikari,Anirban Panja,Sunil Karforma

DOI: https://doi.org/10.1007/s11042-024-19093-z

IF: 2.577

2024-04-10

Multimedia Tools and Applications

Abstract:Pseudorandom numbers have several uses in cryptography, including digital signatures, one-time passwords, hashing, and encryption techniques. The randomness of pseudo random number generators improves significantly when dynamical systems such as chaos maps are used. The two-dimensional ikeda map is an excellent option for exhibiting this random behavior. In this study, the notion of a chaos based Ikeda map and the random number are used to create a pseudo random number sequence that achieves cryptographic-level security, which is referred to as the Ikeda-assisted Cryptographically Secure Pseudo Random Number Generator. Different statistical analyses demonstrate the effectiveness and strength of the random sequence in terms of less control parameters, less amount of generation time, high entropy value, almost zero value for auto correlation and correlation coefficient. Our random sequence demonstrates that it is resilient and cryptographically safe by passing all of the Diehard battery tests with the required value. Also, our method has qualified the majority of the test results of the randomness test recognized by the National Institute of Standards and Technology with the required value. This pseudo random number sequence can be used to generate a single password, as an initialization vector, a replacement or permutation step in a cryptosystem, or as a secret key in encryption methods for picture, text, audio, and video data.

computer science, information systems, theory & methods,engineering, electrical & electronic, software engineering

Peter Kietzmann,Thomas C. Schmidt,Matthias Wählisch

DOI: https://doi.org/10.1145/3453159

2021-07-15

Abstract:Random numbers are an essential input to many functions on the Internet of Things (IoT). Common use cases of randomness range from low-level packet transmission to advanced algorithms of artificial intelligence as well as security and trust, which heavily rely on unpredictable random sources. In the constrained IoT, though, unpredictable random sources are a challenging desire due to limited resources, deterministic real-time operations, and frequent lack of a user interface. In this paper, we revisit the generation of randomness from the perspective of an IoT operating system (OS) that needs to support general purpose or crypto-secure random numbers. We analyse the potential attack surface, derive common requirements, and discuss the potentials and shortcomings of current IoT OSs. A systematic evaluation of current IoT hardware components and popular software generators based on well-established test suits and on experiments for measuring performance give rise to a set of clear recommendations on how to build such a random subsystem and which generators to use.

Cryptography and Security

Yong Wang,Zhuo Liu,Leo Yu Zhang,Fabio Pareschi,Gianluca Setti,Guanrong Chen

DOI: https://doi.org/10.1109/tcyb.2021.3129808

IF: 11.8

2021-01-01

IEEE Transactions on Cybernetics

Abstract:Applying the chaos theory for secure digital communications is promising and it is well acknowledged that in such applications the underlying chaotic systems should be carefully chosen. However, the requirements imposed on the chaotic systems are usually heuristic, without theoretic guarantee for the resultant communication scheme. Among all the primitives for secure communications, it is well accepted that (pseudo) random numbers are most essential. Taking the well-studied 2-D coupled map lattice (2D CML) as an example, this article performs a theoretical study toward pseudorandom number generation with the 2D CML. In so doing, an analytical expression of the Lyapunov exponent (LE) spectrum of the 2D CML is first derived. Using the LEs, one can configure system parameters to ensure the 2D CML only exhibits complex dynamic behavior, and then collect pseudorandom numbers from the system orbits. Moreover, based on the observation that least significant bit distributes more evenly in the (pseudo) random distribution, an extraction algorithm E is developed with the property that when applied to the orbits of the 2D CML, it can squeeze uniform bits. In implementation, if fixed-point arithmetic is used in binary format with a precision of z bits after the radix point, E can ensure that the deviation of the squeezed bits is bounded by 2^-z . Further simulation results demonstrate that the new method not only guides the 2D CML model to exhibit complex dynamic behavior but also generates uniformly distributed independent bits with good efficiency. In particular, the squeezed pseudorandom bits can pass both NIST 800-22 and TestU01 test suites in various settings. This study thereby provides a theoretical basis for effectively applying the 2D CML to secure communications.

automation & control systems,computer science, cybernetics, artificial intelligence

Lei Wang,Wang Fu-Ping,Wang Zan-Ji

DOI: https://doi.org/10.7498/aps.55.3964

2006-01-01

Abstract:A novel pseudo-random number generator based on z-logistic map is proposed. The observed binary sequence of the chaotic orbit which is realized exactly under finite computing precision mostly retains the statistical characteristics and the randomness of the chaos-based information source which is defined on real domain, so the cryptographic properties of this novel chaos-based pseudo-random number generator (CPRNG) can be supported theoretically. Moreover, the period of this CPRNG is predicable and the weak keys can be excluded using a simple algorithm. This CPRNG overcomes the disadvantage of the traditional CPRNG whose existing weak keys are difficult to be excluded. Theoretical analysis and simulation results demonstrate that the cryptographic properties of the novel CPRNG are good, so it has potential application prospect in many areas including data encryption.

Volodymyr Maksymovych,Mariia Shabatura,Oleh Harasymchuk,Ruslan Shevchuk,Pawel Sawicki,Tomasz Zajac

DOI: https://doi.org/10.3390/s22249700

2022-12-11

Abstract:Random and pseudo-random number and bit sequence generators with a uniform distribution law are the most widespread and in demand in the market of pseudo-random generators. Depending on the specific field of application, the requirements for their implementation and the quality of the generator's output sequence change. In this article, we have optimized the structures of the classical additive Fibonacci generator and the modified additive Fibonacci generator when they work together. The ranges of initial settings of structural elements (seed) of these generators have been determined, which guarantee acceptable statistical characteristics of the output pseudo-random sequence, significantly expanding the scope of their possible application, including cybersecurity. When studying the statistical characteristics of the modified additive Fibonacci generator, it was found that they significantly depend on the signal from the output of the logic circuit entering the structure. It is proved that acceptable statistical characteristics of the modified additive Fibonacci generator, and the combined generator realized on its basis, are provided at odd values of the module of the recurrent equation describing the work of such generator. The output signal of the combined generator has acceptable characteristics for a wide range of values of the initial settings for the modified additive Fibonacci generator and the classic additive Fibonacci generator. Regarding the use of information security, it is worth noting the fact that for modern encryption and security programs, generators of random numbers and bit sequences and approaches to their construction are crucial and critical.

Zhi Guan,Hu Xiong,Suke Li,Zhong Chen

DOI: https://doi.org/10.1109/ISPA.2011.63

2011-01-01

Abstract:People's increasingly relying on web applications to manage their digital assets makes web authentication a critical security issue. As most websites today still authenticate a user with only username and password, the authentication credentials can be easily compromised in a vulnerable browsing environment without the owner's notice. Considering the browsing in mobile devices is more secure than personal computers, in this paper we explore the One-Time Password web application running inside mobile browsers as a second authentication factor for high value websites in hostile browsing environments. We discuss the security and efficiency of this authentication method from both theory and practice. An implementation with performance evaluation is also provided to prove our concept.

Wen Ming Liu,Lingyu Wang,Kui Ren,Mourad Debbabi

DOI: https://doi.org/10.1109/CloudCom.2013.96

2013-01-01

Abstract:While enjoying the convenience of Software as a Service (SaaS), users are also at an increased risk of privacy breaches. Recent studies show that a Web-based application may be inherently vulnerable to side-channel attacks which exploit unique packet sizes to identify sensitive user inputs from encrypted traffic. Existing solutions based on packet padding or packet-size rounding generally rely on the assumption that adversaries do not possess prior background knowledge about possible user inputs. In this paper, we propose a novel random ceiling padding approach whose results are resistant to such adversarial knowledge. Specifically, the approach injects randomness into the process of forming padding groups, such that an adversary armed with background knowledge would still face sufficient uncertainty in estimating user inputs. We formally present a generic scheme and discuss two concrete instantiations. We then confirm the correctness and performance of our approach through both theoretic analysis and experiments with two real world applications.

Yinzhi Cao,Zhichun Li,Vaibhav Rastogi,Yan Chen

DOI: https://doi.org/10.1145/1866307.1866387

2010-01-01

Abstract:Third-party JavaScript offers much more diversity to Web and its applications but also introduces new threats. Those scripts cannot he completely trusted and executed with the privileges given to host web sites. Due to incomplete virtualization and lack of tracking all the data flows, all the existing works in this area can secure only a subset of third-party JavaScript. At the same time, because of the existence of not so well documented browser quirks, attacks may be encoded in non standard HTML/JavaScript so that they can bypass existing approaches as these approaches will parse third party JavaScript twice, at both server and clint side.In this paper, we propose Virtual Browser, a completely virtualized environment within existing browsers for executing untrusted third-party code. We secure complete JavaScript, including all the hard-to-secure functions of JavaScript programs, such as with and eval. Since this approach parses scripts only once, there is no possibility of attacks being executed through browser quirks. We first completely isolate Virtual Browser from the native browser components and then introduce communication by adding data flows carefully examined for security.

Kamalika Bhattacharjee,Krishnendu Maity,Sukanta Das

DOI: https://doi.org/10.1016/j.cosrev.2022.100471

2018-11-03

Abstract:In today's world, several applications demand numbers which appear random but are generated by a background algorithm; that is, pseudo-random numbers. Since late $19^{th}$ century, researchers have been working on pseudo-random number generators (PRNGs). Several PRNGs continue to develop, each one demanding to be better than the previous ones. In this scenario, this paper targets to verify the claim of so-called good generators and rank the existing generators based on strong empirical tests in same platforms. To do this, the genre of PRNGs developed so far has been explored and classified into three groups -- linear congruential generator based, linear feedback shift register based and cellular automata based. From each group, well-known generators have been chosen for empirical testing. Two types of empirical testing has been done on each PRNG -- blind statistical tests with Diehard battery of tests, TestU01 library and NIST statistical test-suite and graphical tests (lattice test and space-time diagram test). Finally, the selected $29$ PRNGs are divided into $24$ groups and are ranked according to their overall performance in all empirical tests.

Cryptography and Security,Mathematical Software

Tong Zhou,Mingyan Yu,YIzheng Ye

DOI: https://doi.org/10.1109/mwscas.2006.381785

2006-01-01

Abstract:This paper presents a high-speed truly random number generator based on a simple chaotic map of the Bernoulli shift, which is extended to keep robustness in practical implementation. The design is realized by switched- current techniques that can make it be fully integrated in embedded cryptosystems. And a pipelined architecture post- processed by a SHA-1 hardware module is proposed to improve the throughput and the randomness statistical properties. The whole design is implemented in UMC 0.18 mum CMOS mixed signal process, and the statistical properties are investigated by post-simulations. The power consumption is low and the truly random output bit rate can get to 266 Mbit/s.

Jack West,Kyuin Lee,Suman Banerjee,Younghyun Kim,George K. Thiruvathukal,Neil Klingensmith

DOI: https://doi.org/10.48550/arXiv.2104.14618

2021-04-29

Cryptography and Security

Abstract:Context-based authentication is a method for transparently validating another device's legitimacy to join a network based on location. Devices can pair with one another by continuously harvesting environmental noise to generate a random key with no user involvement. However, there are gaps in our understanding of the theoretical limitations of environmental noise harvesting, making it difficult for researchers to build efficient algorithms for sampling environmental noise and distilling keys from that noise. This work explores the information-theoretic capacity of context-based authentication mechanisms to generate random bit strings from environmental noise sources with known properties. Using only mild assumptions about the source process's characteristics, we demonstrate that commonly-used bit extraction algorithms extract only about 10% of the available randomness from a source noise process. We present an efficient algorithm to improve the quality of keys generated by context-based methods and evaluate it on real key extraction hardware. Moonshine is a randomness distiller which is more efficient at extracting bits from an environmental entropy source than existing methods. Our techniques nearly double the quality of keys as measured by the NIST test suite, producing keys that can be used in real-world authentication scenarios.

Luca Baldanzi,Luca Crocetti,Francesco Falaschi,Matteo Bertolucci,Jacopo Belli,Luca Fanucci,Sergio Saponara

DOI: https://doi.org/10.3390/s20071869

2020-03-27

Abstract:In the context of growing the adoption of advanced sensors and systems for active vehicle safety and driver assistance, an increasingly important issue is the security of the information exchanged between the different sub-systems of the vehicle. Random number generation is crucial in modern encryption and security applications as it is a critical task from the point of view of the robustness of the security chain. Random numbers are in fact used to generate the encryption keys to be used for ciphers. Consequently, any weakness in the key generation process can potentially leak information that can be used to breach even the strongest cipher. This paper presents the architecture of a high performance Random Number Generator (RNG) IP-core, in particular a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG) IP-core, a digital hardware accelerator for random numbers generation which can be employed for cryptographically secure applications. The specifications used to develop the proposed project were derived from dedicated literature and standards. Subsequently, specific architecture optimizations were studied to achieve better timing performance and very high throughput values. The IP-core has been validated thanks to the official NIST Statistical Test Suite, in order to evaluate the degree of randomness of the numbers generated in output. Finally the CSPRNG IP-core has been characterized on relevant Field Programmable Gate Array (FPGA) and ASIC standard-cell technologies.

Jungwon Lim,Yonghwi Jin,Mansour Alharthi,Xiaokuan Zhang,Jinho Jung,Rajat Gupta,Kuilin Li,Daehee Jang,Taesoo Kim

DOI: https://doi.org/10.48550/arXiv.2112.15561

2022-01-01

Abstract:Web browsers are integral parts of everyone's daily life. They are commonly used for security-critical and privacy sensitive tasks, like banking transactions and checking medical records. Unfortunately, modern web browsers are too complex to be bug free (e.g., 25 million lines of code in Chrome), and their role as an interface to the cyberspace makes them an attractive target for attacks. Accordingly, web browsers naturally become an arena for demonstrating advanced exploitation techniques by attackers and state-of-the-art defenses by browser vendors. Web browsers, arguably, are the most exciting place to learn the latest security issues and techniques, but remain as a black art to most security researchers because of their fast-changing characteristics and complex code bases. To bridge this gap, this paper attempts to systematize the security landscape of modern web browsers by studying the popular classes of security bugs, their exploitation techniques, and deployed defenses. More specifically, we first introduce a unified architecture that faithfully represents the security design of four major web browsers. Second, we share insights from a 10-year longitudinal study on browser bugs. Third, we present a timeline and context of mitigation schemes and their effectiveness. Fourth, we share our lessons from a full-chain exploit used in 2020 Pwn2Own competition. and the implication of bug bounty programs to web browser security. We believe that the key takeaways from this systematization can shed light on how to advance the status quo of modern web browsers, and, importantly, how to create secure yet complex software in the future.

Cryptography and Security

Wenbo Zhao,Caochuan Ma

DOI: https://doi.org/10.3390/sym16020169

2024-02-01

Symmetry

Abstract:Chaotic maps have been widely studied in the field of cryptography for their complex dynamics. However, chaos-based cryptosystems have not been widely used in practice. One important reason is that the following requirements of practical engineering applications are not taken into account: computational complexity and difficulty of hardware implementation. In this paper, based on the demand for information security applications, we modify the local structure of the three-dimensional Intertwining Logistic chaotic map to improve the efficiency of software calculation and reduce the cost of hardware implementation while maintaining the complex dynamic behavior of the original map. To achieve the goal by reducing the number of floating point operations, we design a mechanism that can be decomposed into two processes. One process is that the input parameters value of the original system is fixed to 2k by Scale index analysis. The other process is that the transcendental function of the original system is replaced by a nonlinear polynomial. We named the new map as "Simple intertwining logistic". The basic chaotic dynamic behavior of the new system for controlling parameter is qualitatively analyzed by bifurcation diagram and Lyapunov exponent; the non-periodicity of the sequence generated by the new system is quantitatively evaluated by using Scale index technique based on continuous wavelet change. Fuzzy entropy (FuzzyEn) is used to evaluate the randomness of the new system in different finite precision digital systems. The analysis and evaluation results show that the optimized map could achieve the designed target. Then, a novel scheme for generating pseudo-random numbers is proposed based on new map. To ensure its usability in cryptographic applications, a series of analysis are carried out. They mainly include key space analysis, recurrence plots analysis, correlation analysis, information entropy, statistical complexity measure, and performance speed. The statistical properties of the proposed pseudo random number generator (PRNG) are tested with NIST SP800-22 and DIEHARD. The obtained results of analyzing and statistical software testing shows that, the proposed PRNG passed all these tests and have good randomness. In particular, the speed of generating random numbers is extremely rapid compared with existing chaotic PRNGs. Compared to the original chaotic map (using the same scheme of random number generation), the speed is increased by 1.5 times. Thus, the proposed PRNG can be used in the information security.

multidisciplinary sciences

H Liang,QH Liu,FS Bai

DOI: https://doi.org/10.1016/j.camwa.2004.05.012

IF: 3.218

2005-01-01

Computers & Mathematics with Applications

Abstract:A combined random number generator by Wichmann and Hill is studied in this note. Statistical and numerical computations show that a good initial value for this generator is not so easy to obtain, and hence the use of such generator seems dubious.

Ruinian Li,Yinhao Xiao,Cheng Zhang,Tianyi Song,Chunqiang Hu

DOI: https://doi.org/10.3934/mfc.2018015

2018-01-01

Mathematical Foundations of Computing

Abstract:Privacy in online applications has drawn tremendous attention in recent years. With the development of cloud-based applications, protecting users' privacy while guaranteeing the expected service from the server has become a significant issue. This paper surveyed the most popular cryptographic algorithms in privacy-preserving online applications to provide a tutorial-like introduction to researchers in this area. Particularly, this paper focuses on introduction to homomorphic encryption, secret sharing, secure multi-party computation and zero-knowledge proof.