
I have been looking at an embedded microcontroller which has a cryptographic hardware engine (in particular the PIC32MZ family). These devices have what they advertise as a cryptographically secure PRNG, as well as a true random number generator.

The features of the random number generators are:

  • TRNG:
    • Up to 25 Mbps of random bits
    • Multi-Ring Oscillator based design
    • Built in Bias Corrector
  • PRNG:
    • LFSR-based
    • Up to 64-bit polynomial length
    • Programmable polynomial
    • TRNG can be the seed value

From what I've read about LFSR PRNG (in particular this answer) my understanding is that you only require 2*n bits to be able to determine the polynomial of the LFSR and hence all the random numbers that it generates.

If my understanding is correct, then only 128 bits (16 bytes) of random data are required before the random data is compromised - that is just enough for a single AES IV.

One way that I can imagine making the PRNG cryptographically secure is to reseed it after every 16 bytes using the TRNG - would this be secure?

Is it even possible to make a LFSR cryptographically secure?

Duncan Drennan

1 Answer


With a 64-bit known polynomial, future output of an LFSR can be trivially predicted from the last 64 bits output. Even if the 64-bit polynomial is unknown, the last 128 bits are enough, using the Berlekamp–Massey algorithm. Thus indeed, the LFSR-based PRNG in the hardware described in section 27 of the document linked to in the question, with some additional info here, is unusable as a CSPRNG, just like any pure LFSR PRNG is.

It is possible to make a passable CSPRNG by combining LFSRs. One very simple example is the Alternating Step Generator, proposed by C. G. Günther in Alternating step generators controlled by de Bruijn sequences (Eurocrypt 1987). One LFSR decides which of two other LFSRs is clocked, and the output is the XOR of these two LFSRs. The three LFSRs are customarily non-stationary, maximal length, and of distinct but comparable size. The ASG has no published attack (that I know) that can be interpreted as claiming an effort better than $O(2^{n/6})$, where $n$ is the total number of bits in the three LFSRs (assumed of about equal size); and in fact I'm not sure this attack beats this one, which I read as more like $O(2^{2\cdot n/9})$.

I can't however recommend the ASG, or any generator easily described as a combination of LFSRs, because we now have better constructs, with more conjectured security per bit, and easier software implementation, like Trivium.


Addition (updated): If the 64-bit seed is from a good TRNG; and the LFSR is maximal-length, that is with a primitive polynomial; and the LFSR is reseeded after 64 bits; then the 64-bit output of the LFSR is not worse (or much better) than the 64-bit output of the TRNG. It is actually easy to go from one 64-bit value to the other, with knowledge of the polynomial.

My understanding of the PIC32MZ PRNG is that it is more applicable to generating specific sequences defined using a prescribed LFSR, as might be desirable in some pre-existing protocols or applications (e.g. test sequences, CRC, or spread-spectrum radio), than it is as a CSPRNG.

fgrieu
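The point made in the answer (2n output bits pin down an n-bit LFSR, after which everything it emits is predictable), as an added, runnable example that is not code from the question, the answer, or the PIC32MZ vendor: a 16-bit LFSR with a constructed primitive polynomial and seed, Berlekamp–Massey recovering the polynomial from 32 bits, and the next 64 bits predicted from that.

```python
# Added example (not part of the question or the answer): a 16-bit Fibonacci
# LFSR, and the Berlekamp-Massey algorithm recovering its feedback polynomial
# from only 2*n = 32 output bits, after which every later bit is predictable.
# The polynomial and seed below are constructed for the demonstration.

def lfsr_stream(taps, seed, nbits):
    """Bits s_0..s_{n-1} are the seed; s_i = XOR of s_{i-j} for j in taps."""
    s = list(seed)
    while len(s) < nbits:
        s.append(sum(s[-j] for j in taps) & 1)
    return s[:nbits]

def berlekamp_massey(bits):
    """Return (c, L): connection polynomial c = [1, c_1, ..., c_L] over GF(2)
    and the linear complexity L, so that s_i = XOR_{j=1..L} c_j s_{i-j}."""
    n = len(bits)
    c = [1] + [0] * n          # current connection polynomial C(x)
    b = [1] + [0] * n          # polynomial before the last length change
    L, m = 0, -1               # linear complexity; index of last length change
    for i in range(n):
        d = bits[i]            # discrepancy between prediction and s_i
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d == 0:
            continue
        t = c[:]
        shift = i - m          # C(x) <- C(x) + x^shift * B(x)
        for j in range(n + 1 - shift):
            c[j + shift] ^= b[j]
        if 2 * L <= i:         # current length cannot explain s_i: grow it
            L, m, b = i + 1 - L, i, t
    return c[:L + 1], L

def predict(c, known, count):
    """Extend the sequence using the recovered polynomial and its last L bits."""
    L = len(c) - 1
    s = list(known[-L:])
    for _ in range(count):
        s.append(sum(c[j] & s[-j] for j in range(1, L + 1)) & 1)
    return s[L:]

def demo():
    taps = (16, 14, 13, 11)    # x^16 + x^14 + x^13 + x^11 + 1 (primitive)
    seed = [int(ch) for ch in format(0xACE1, "016b")]   # constructed seed
    stream = lfsr_stream(taps, seed, 32 + 64)
    c, L = berlekamp_massey(stream[:32])               # only 2*n bits seen
    recovered = tuple(sorted((j for j in range(1, L + 1) if c[j]), reverse=True))
    return L, recovered, predict(c, stream[:32], 64) == stream[32:]
```

`demo()` returns the recovered length, the recovered tap set, and whether the 64 predicted bits match the generator's actual output; the same reasoning with n = 64 is why 128 observed bits suffice for the PIC32MZ PRNG.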