Markus Dichtl

High-Speed True Random Number Generation with Logic Gates Only

It is shown that the amount of true randomness produced by the recently introduced Galois and Fibonacci ring oscillators can be evaluated experimentally by restarting the oscillators from the same initial conditions and by examining the time evolution of the standard deviation of the oscillating signals. The restart approach is also applied to classical ring oscillators and the results obtained demonstrate that the new oscillators can achieve orders of magnitude higher entropy rates. A theoretical explanation is also provided. The restart and continuous modes of operation and a novel sampling method almost doubling the entropy rate are proposed. Accordingly, the new oscillators appear to be by far more effective than other known solutions for random number generation with logic gates only.

Bad and good ways of post-processing biased physical random numbers

Algorithmic post-processing is used to overcome statistical deficiencies of physical random number generators. We show that the quasigroup based approach for post-processing random numbers described in [MGK05] is ineffective and very easy to attack. We also suggest new algorithms which extract considerably more entropy from their input than the known algorithms with an upper bound for the number of input bits needed before the next output is produced.

How to Predict the Output of a Hardware Random Number Generator

A hardware random number generator was described at CHES 2002 in [Tka03]. In this paper, we analyze its method of generating randomness and, as a consequence of the analysis, we describe how, in principle, an attack on the generator can be executed.

On Nonlinear Filter Generators

In this paper the bits in a linear feedback shift register are treated as if they were independent random variables. A necessary condition for filter functions which result in independent random output bits is given. An example shows that the sufficient condition given by Golic in [2] is not necessary.

A new method of black box power analysis and a fast algorithm for optimal key search

This paper suggests a new method of power analysis, similarity power analysis, which overcomes the numerics and complexity problems of the template attacks. Similarity power analysis learns characteristics of the device to attack in a profiling phase and is then able to determine a secret key from a single power trace. Similarity power analysis is a black box attack; it does not make any assumptions on the algorithm attacked or its implementation. Since similarity power analysis usually gives wrong results for a small number of key bits, it is supplemented with a new fast algorithm for optimal key search, which enables an attacker to try the keys with the highest probability of success first. Both similarity power analysis and the fast optimal key search algorithm were experimentally tried on DES.

Problems with the linear cryptanalysis of DES using more than one active S-box per round

Matsui introduced the concept of linear cryptanalysis. Originally only one active S-box per round was used. Later he and Biham proposed linear cryptanalysis with more than one active S-box per round. They combine equations with the Piling-up Lemma which requires independent random input variables. This requirement is not met for neighbouring S-boxes, because they share input bits. In this paper we study the error resulting from this application of the Piling-up Lemma. We give statistical evidence that the errors are severe. On the other hand we show that the Piling-up Lemma gives the correct probabilities for Matsuis Type II approximation.

Fish: A Fast Software Stream Cipher

This paper describes a fast software stream cipher called Fish based on the shrinking principle applied to the lagged Fibonacci generator (Fish — Fibonacci shrinking). It is designed to make full use of the 32 bit word length of popular processors. On an Intel 486 clocked with 33 MHz a data rate of 15 Mbit/s is achieved with a C implementation.

Linearity Properties of the SOBER-t32 Key Loading

In the course of the evaluation of the stream cipher SOBER- t32 submitted to NESSIE, a correlation between initial states has been found for related keys. With high probability some sums of bits of the initial state after key loading do not change their value when a bit of the key is inverted. This holds also for the loading of frame keys. It is shown that the required condition for the frame keys is met very naturally when using counters as frame keys. The linearity properties of the SOBER-t32 key loading are caused by non-optimal diffusion of the non-linear filter function of the cipher.