Yarrow algorithm

The Yarrow algorithm is a family of cryptographic pseudorandom number generators (PRNG) devised by John Kelsey, Bruce Schneier and Niels Ferguson. The Yarrow algorithm is explicitly unpatented, royalty-free and open source; no license is required to use it. Yarrow is incorporated in iOS[1] and Mac OS X for their /dev/random devices, as did FreeBSD in the past.[2]

An improved design from Ferguson and Schneier, Fortuna, is described in their book, Practical Cryptography, and FreeBSD has now moved to using this.[2]

Name

The name Yarrow reflects the use of the yarrow plant in the random generating process of I Ching divination. Since the Xia dynasty (c. 2070 to c. 1600 BCE), Chinese have used yarrow stalks for divination. Fortunetellers divide a set of 50 yarrow stalks into piles and use modulo arithmetic recursively to generate two bits of random information[3] that have a non-uniform distribution.

Principles

One of the most important principles of Yarrow is to make a PRNG that is better at resisting real-world attack. The former widely used designs such as ANSI X9.17, RASREF 2.0 PRNG, have loopholes that provide attackers opportunities under some circumstances. Some of them are not intentionally designed to face real-world attacks. Another principle of Yarrow is that system designers with little knowledge about how the PRNG works can incorporate it into their own real-world product fairly easily.

Design

Components

The design of Yarrow consists of four major components including an entropy accumulator, reseed mechanism, generation mechanism and reseed control.

Yarrow accumulates entropy into two pools: the fast pool, which provides frequent reseeds of the key to keep the duration of key compromises as short as possible; the slow pool, which provides rare but conservative reseeds of the key. This makes sure that the reseed is secured even when the entropy estimates are very optimistic.

The reseed mechanism connects the entropy accumulator to the generating mechanism. Reseeding from the fast pool uses the current key and the hash of all inputs to the fast pool since startup to generate a new key; reseeding from the slow pool behaves similarly, except it also uses the hash of all inputs to the slow pool to generate a new key. Both of the reseedings reset the entropy estimation of the fast pool to zero, but the last one also sets the estimation of the slow pool to zero. The reseeding mechanism updates the key constantly, so that even if the key of pool information is known to the attacker before the reseed, they will be unknown to the attacker after the reseed.

The reseed control component is leveraging between frequent reseeding, which is desirable but might allow iterative guessing attacks, and infrequent reseeding, which compromises more information for an attacker who has the key. Yarrow uses the fast pool to reseed whenever the source passes some threshold values, and uses the slow pool to reseed whenever at least two of its sources pass some other threshold value. The specific threshold values are mentioned in the Yarrow-160 section.

Design philosophy

Yarrow assumes that enough entropy can be accumulated to ensure that the PRNG is in an unpredictable state. The designers accumulate entropy in the purpose of keeping the ability to recover the PRNG even when the key is compromised. Similar design philosophy is taken by RSAREF, DSA and ANSI X9.17 PRNGs.

Yarrow-160

The Yarrow uses two important algorithms: a one-way hash function and a block cipher. The specific description and properties are listed in the table below.

Algorithms Properties What Yarrow-160 uses
Hash function h(x)
  • One-way
  • m-bit output size
  • collision intractable

Given M input values, the |M| selections of output values are uniformly distributed over m-bit values.

SHA1 hash function
Block cipher E()
  • Resistant to known-plaintext and chosen-plaintext attacks

High statistical performance of outputs when given highly patterned inputs.

Three-key triple-DES

Generation

Functions for generation mechanism

Yarrow-160 uses three-key triple-DES in counter mode to generate outputs. C is an n-bit counter value; K is the key. In order to generate the next output block, Yarrow follows the functions shown here.

Yarrow keeps count of the output block, because once the key is compromised, the leak of the old output before the compromised one can be stopped immediately. Once some system security parameter Pg is reached, the algorithm will generate k bits of PRNG output and use them as the new key. In Yarrow-160, the system security parameter is set to be 10, which means Pg = 10. The parameter is intentionally set to be low to minimize the number of outputs that can be backtracked.

Reseed

The reseed mechanism of Yarrow-160 uses SHA1 and triple-DES as the hash function and block cipher. The details steps are in the original paper.

Implementation of Yarrow-160

Yarrow-160 can be implemented in Java, and FreeBSD. The examples can be found in "An implementation of the Yarrow PRNG for FreeBSD"[4] by Mark R. V. Murray.

Pros and cons of Yarrow

Pros

Cons

References

  1. "iOS Security" (PDF). Apple.com. October 2012. Retrieved 2016-10-21.
  2. 1 2 "[base] Revision 284959". Svnweb.freebsd.org. Retrieved 18 October 2016.
  3. Schneier, Bruce. "Questions & Answers about Yarrow". Schneier on Security. Retrieved 2016-02-15. The fortuneteller would divide a set of 50 stalks into piles, then repeatedly use modulo arithmetic to generate two random bits.
  4. "An implementation of the Yarrow PRNG for FreeBSD". Retrieved 18 October 2016.
  5. "Fortuna Cryptographically Secure PRNG : AN0806 - Application Note" (PDF). Silabs.com. Retrieved 2016-10-21.
  6. citadel. "Fortuna – A Cryptographically Secure Pseudo Random Number Generator – CodeProject". Retrieved 18 October 2016.

External links

This article is issued from Wikipedia - version of the 10/28/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.