Modification Attack Effects on PRNGs: Empirical Studies and Theoretical Proofs

Abstract: A random sequence is a critical component of a security system, so the generator that produces it must be guaranteed to be random and secure against attack. A modification attack is one possible attack on a random generator: it aims to make the generator malfunction or to bias its output sequences. Previous research showed that a 1-bit modification attack affects the randomness of AES-based PRNG outputs under advantage ε = 0.00001, as measured by a statistical distance test and an entropy difference test. In this paper we extend that research to four other PRNGs, namely Rabbit, Dragon, ANSI X9.17 and ANSI X9.31, under the same scenario with modification intensities of 1 to 3 bits per block. The experiments show that the attack already affects all four algorithms under advantage ε = 0.001 at an intensity of 3 bits per block; for PRNG ANSI X9.17 the effect is already significant at every intensity. Under advantage ε = 0.0001 the effect becomes more significant for all four algorithms at every intensity. This shows that PRNG ANSI X9.17 is weaker against the modification attack than the other three algorithms. From a theoretical approach based on the occurrence probability of an m-bit pattern in the sequence after the attack we obtain two results. First, the modification attack does not change the probability distribution of the m-bit patterns as long as the modified bits are balanced, so the randomness of the target sequence may still hold after the attack. Second, if the modified bits are not balanced, the probability distribution of the m-bit patterns becomes unbalanced after the attack, which may bias the randomness of the target sequence. From these two results we conclude that the modification attack can reduce the randomness of the output sequences of a random or pseudorandom generator.


Introduction
As mentioned in the abstract, a random sequence is very important in any security system based on cryptographic applications; the random (pseudorandom) generator has been called the heartbeat of a security system [2]. Random sequences also matter for other applications, such as packet transmission on a network, the online restart of cable TV after a crash, online access to e-tickets, and other applications that really depend on the randomness of a sequence [3]. It is therefore important that the random or pseudorandom generator used in these applications is secure against attack. Several works ([1], [2], [4], [5]) show that attacks can be mounted on a random number generator (RNG) or pseudorandom number generator (PRNG), with varying mechanisms and goals. One possible attack on an RNG/PRNG is the modification attack, which can be mounted as an environmental attack using a software or a hardware approach. Previous research [1] showed that a 1-bit modification attack affects the randomness of an AES-based PRNG in CFB, OFB, CTR and CBC modes under advantage ε = 0.00001; in CBC mode it already has an effect under ε = 0.0001, which indicates that the AES-based PRNG in CBC mode is weaker against this attack than the other modes. In this paper we extend the research to other PRNGs, namely the Rabbit stream cipher, the Dragon stream cipher, PRNG ANSI X9.17 and PRNG ANSI X9.31, so as to cover all categories of cryptosystems. We again apply the statistical distance test and the entropy difference test proposed in the first study [1].
To complete the picture of the modification attack's effects on PRNGs, we also take a theoretical approach, examining the occurrence probability of an m-bit pattern in the target sequence after the attack under the assumption that the target sequence is random before the attack. The experiments show that the attack becomes significant under advantage ε = 0.001 but only for 3-bit modification per block, except for ANSI X9.17, for which it holds at all three intensity levels. The effects are more significant under advantage ε = 0.0001 for all algorithms, and especially for ANSI X9.17, which is fully affected: 100% of its sequences can be distinguished under that value at every intensity level. This indicates that PRNG ANSI X9.17 is weaker against the attack than the other algorithms. From the theoretical proofs we obtain two conditions. First, the probability distribution of the m-bit patterns in the sequence after the attack remains balanced whenever the modified bits are balanced, i.e. after the attack each pattern still occurs with the same probability. Second, the probability distribution of the patterns after the attack is potentially damaged when the modified bits are not balanced: when the probability that a bit 0 is modified is greater than ½, bit 1 occurs more frequently than bit 0 after the attack (or vice versa), so the distribution of the patterns is no longer uniform. These two results lead us to conclude that the modification attack can reduce the randomness of PRNG outputs. The paper is organized in 4 chapters. Chapter I is the introduction, including the basic idea of the attack, our contributions and the open problem left for future research. Chapter II presents the preliminaries: background theory, methodology and related research. Chapter III contains the detailed experimental results and the theoretical proofs of the modification attack's effects, and the last chapter presents the conclusion.

Background Theories
Modern cryptography is concerned with constructing systems that are robust against any malicious attempt to make them malfunction [6]. In principle there are two kinds of attack on a cryptographic protocol: active and passive [7]. An attack on an RNG/PRNG can be active or passive, depending on its goal. According to [4], attacks on an RNG/PRNG fall into two classes: non-invasive and invasive. Non-invasive attacks rely on external influences that the attacker uses to disturb the RNG/PRNG, for example biasing the input/output bits by introducing spikes in the power supply, applying electromagnetic shocks to the chip, forcing temperature changes, and so on; in this kind of attack the attacker's time window is very limited. Invasive attacks need more resources from the attacker to mount successfully; they are more powerful and aim at permanent damage to the target RNG/PRNG. In [5] the attacks are divided into three classes: direct cryptanalytic attacks, input-based attacks, and state compromise extension attacks. These attacks start from the observation that an RNG/PRNG is designed to produce numbers indistinguishable from truly random numbers, and so they look for a way to distinguish the RNG/PRNG outputs from truly random numbers. Young and Yung [2] propose another attack on RNG/PRNGs: implanting a Trojan that manipulates the generator's functions to the attacker's advantage. The Trojan can be designed to leak critical information such as the key (e.g. the seed of the PRNG) to the attacker, to bias the output sequence, or even to masquerade as the legitimate generator.
The Trojan can be built as a "bug" planted in the system to carry out a task set by the attacker, or designed around a mathematical function that influences the statistical distribution of the output bits so that the generator becomes very sensitive to its entropy input. Based on the literature above, the attack can be mounted in traditional ways using any cryptanalytic method (brute force, functional cryptanalysis or side-channel/environmental attacks) and, interestingly, also subversively by planting a Trojan or spy chip during manufacturing. In this research the modification attack is treated as an environmental attack that in practice can be implemented in software or in hardware, for example as a Trojan. As mentioned above, to measure the attack's effect on the randomness of the target sequence we apply the statistical distance test and the entropy difference test as indistinguishability parameters between the sequence after the attack and the sequence before it. The statistical distance test uses the maximum statistical distance proposed by Wang [8], defined in (1).
The idea of using the statistical distance is inspired by earlier work such as [9], which uses the test to distinguish a modified PRNG algorithm from the original one. Let the occurrence probability of each m-bit pattern in the sequence be given; for the probability distribution D over the 2^m possible m-bit patterns, the entropy of D is defined as in (2) [10]. In this research the entropy measurement is carried out by determining the entropy difference between the probability distribution of the patterns in the sequence after the attack and that before the attack. Suppose X is the probability distribution of each pattern in the sequence before the attack and Y is the probability distribution of each pattern in the sequence after the attack. The entropy difference between X and Y, denoted ∆(X, Y), is defined as in (3). Because every probability is strictly positive, each logarithm term is well defined (this holds for Y as well), so (4) can be verified, and from (4) the property we rely on can be proved. On this basis we use the entropy difference as the parameter of the entropy difference test for measuring the effect of the modification attack.
Two definitions related to disjoint probability are needed. Definition 1 [11]: two events E and F are disjoint if there is no outcome common to both E and F, written E ∩ F = ∅.
Definition 2 [11]: E ∪ F is the collection of all outcomes in either E or F, so that for disjoint E and F the probability of E ∪ F is the sum of the probabilities of E and F, written P(E ∪ F) = P(E) + P(F).

Simulation Process of Modification Attack
The experiment is conducted under the same scenario as the previous research [1]: the modification attack is simulated at five levels of block modification, each with an intensity of 1 to 3 bits per block. The location of the modified bit is determined randomly from a random sequence by the rule dec[log₂ b], i.e. the next log₂ b bits of that sequence are read and converted to a decimal value, where b is the length of the block in bits. For example, with b = 32 bits each position in a block is determined by the next 5 bits of the random sequence converted to decimal. The bit at the position pointed to by this value is replaced by its complement. The attack simulation is illustrated in Figure 1. The main analysis is done under advantage ε = 0.001; for more detail it is extended to measurements under ε = 0.0001 as a comparison.

Theoretical Proofs of Modification Attack Effects
To obtain more information about the effect of the modification attack on the randomness of the bit sequences produced by PRNGs, we also give theoretical proofs using probability theory. Here the output sequence of the PRNG is assumed to be random, so that every pattern occurring in the sequence has the same probability; in other words, the probability distribution of the patterns in the random sequence is uniform [12]. The measurement determines the occurrence probability of an m-bit pattern after the attack, under the assumption that if the occurrence probability of any pattern changes, then the modification attack has an effect on the randomness of the sequence; otherwise it has no effect. The m-bit patterns are all possible bit strings of length m: for m = 1 there are two patterns, 0 and 1; for m = 2 there are four, 00, 01, 10 and 11; and so on. The proof is conducted in two cases: 1) the modified bits are balanced, meaning each pattern has the same probability, ≈ ½, of being modified; 2) the modified bits are not balanced, meaning one or more m-bit patterns are modified with a probability higher than the expected one. The notation used in this paper is: U_n, the target sequence from a PRNG; an m-bit pattern (indexed 1 … m) in the sequence before the attack; the m-bit pattern that is modified; and the corresponding m-bit pattern, marked with a prime, in the sequence after the attack.

Related Works
Becker et al. [13] showed that a hardware Trojan can be implemented as a subversive attack on a crypto device and evaluated its impact on the security of the target device. They demonstrated the attack by inserting Trojans into two designs: a digital post-processing block derived from Intel's cryptographically secure RNG design used in the Ivy Bridge processors, and a side-channel resistant S-box implementation.
In the first case the Trojan reduced the security of the random key sequence produced by the RNG from 128 bits to n bits, where n < 128 is chosen by the attacker. The RNG with the Trojan inserted still passed the built-in self-test (BIST) and the key sequence it produced still passed the NIST randomness test suite, so the user does not notice the attack. In the second case the Trojan succeeded in revealing the correct key with a correlation of up to 0.9971. They also showed that the side-channel resistance of the design with the Trojan and of the design without it are similar, so the user could not detect that the device had been attacked. The second related work is by Markettos and Moore [14], who implemented an injection attack on the RNG of a 2004 EMV payment card by injecting signals through the power supply. The attack succeeded in biasing the output sequence, which reduces the security of the RNG output used as the PIN in the payment application from 2^32 to 2^8. The idea behind these two attacks is similar to the modification attack proposed here: the modification attack can likewise be applied to an RNG/PRNG as a Trojan implemented in software or hardware. This paper does not describe the practical, technical implementation of the modification attack on an RNG/PRNG; instead it shows the possible impact of the attack through an empirical study based on simulation and through theoretical proofs based on the occurrence probability of each pattern in the sequence after the attack. Both the experimental results and the theoretical proofs show that the modification attack can reduce the randomness of the target sequence under certain circumstances, described in detail in the following chapter.

Experimental Results
The experimental results of the modification attack on the four algorithms Dragon, Rabbit, ANSI X9.17 and ANSI X9.31 under the statistical distance test with advantage ε = 0.001 are presented in Table 1. Table 2 shows that under the entropy difference test the modification attack also already affects the target sequences under ε = 0.001, but only at the 3-bit-per-block intensity for all algorithms except ANSI X9.17, which is affected at every intensity level. The effect on ANSI X9.17 under this test is less pronounced than under the statistical distance test, because the number of sequences exceeding the advantage value is much lower. Taken together, the two tests indicate that under advantage ε = 0.001 the modification attack has a small effect on Dragon, Rabbit and ANSI X9.31 but a very significant effect on ANSI X9.17; under this advantage value ANSI X9.17 is therefore relatively weaker against the modification attack than the other three algorithms.
If the advantage value is lowered to ε = 0.0001, the effect of the modification attack is more significant for all algorithms at every modification intensity, as shown in Table 3 and Table 4. From the two test results under advantage ε = 0.0001 it can be seen that the effects on all algorithms except ANSI X9.17 are quite similar at every intensity level, and that as the number of modified bits grows with the intensity, the number of sequences after the attack that can be distinguished from the original sequence grows as well. Compared with the test results on the AES-based PRNG from the previous research [1], the 1-bit modification attack did not affect the randomness of the AES-based PRNG under advantage ε = 0.001, nor under ε = 0.0001, in the statistical distance test; this holds for all modes and all variants, and the attack only affected the randomness of the sequences under advantage ε = 0.00001. In the entropy difference test on the AES-based PRNG, for all modes and all variants, the 1-bit modification attack likewise had no effect under advantage ε = 0.001. This also holds under ε = 0.0001 except for CBC mode, where for every variant only a small number (less than 8%) of the maximum entropy difference values exceeded ε = 0.0001, which can be neglected. This leads to the conclusion that the 1-bit modification attack has no effect on the AES-based PRNG for any variant or mode under ε = 0.001 or even ε = 0.0001, in contrast to its effect on the other four algorithms under the same advantage value, as presented in Table 4.
The comparison shows that the AES-based PRNG is stronger against the modification attack at the 1-bit intensity, while ANSI X9.17 is the weakest of the five algorithms against the attack at the same intensity. Based on the overall experimental results, we conclude that the modification attack has different effects on different RNGs/PRNGs; the important point is that, under a given advantage value, the attack can potentially damage the randomness of the RNG/PRNG output. To complete the results, the following chapter presents the theoretical proofs of the modification effect based on the occurrence probability of each pattern in the sequence.

Theoretical Approaches Results
Suppose there is a random sequence $U_n$ of length $n$ bits. Since the sequence is assumed to be random, bit 0 and bit 1 have the same probability of occurring in it. Let $U_0$ be the set of all 0-bits and $U_1$ the set of all 1-bits in $U_n$, so that $P(U_0) \approx P(U_1) \approx \tfrac{1}{2}$ and $|U_0| + |U_1| = n$. Suppose $s$ bits of $U_n$, with $s < n$, are modified into their complements.
Let the complemented bits be denoted $s'$, so that $n - s + s' = n$. The proof of the attack's effect is conducted in two scenarios: the modified bits are balanced, or they are not balanced, for each pattern. First, for the 1-bit pattern, the $s$ modified bits of $U_n$ may consist of some 0-bits and some 1-bits, of 0-bits only, or of 1-bits only. Let $s_0$ denote the 0-bits of $U_n$ that are modified into 1, which are denoted $s'_1$ after the modification; conversely, let $s_1$ denote the 1-bits of $U_n$ that are modified into 0, denoted $s'_0$ after the modification. Then $s'_1 = s_0$ and $s'_0 = s_1$, with $s'_0 + s'_1 = s_1 + s_0 = s$, and it can be verified that

$$
n - s + s' = (|U_0| + |U_1|) - (s_0 + s_1) + (s'_1 + s'_0) = (|U_0| - s_0 + s'_0) + (|U_1| - s_1 + s'_1) = n .
$$

In other words, the modification attack does not change the total number of bits in the sequence: after the attack there are $|U_0| - s_0 + s'_0$ zero bits and $|U_1| - s_1 + s'_1$ one bits.

Case 1. Suppose the probability that a 0-bit is modified equals the probability that a 1-bit is modified, so that $s_0 = s_1$. Then the occurrence probability of bit 0 in the sequence after the attack is

$$
P'(0) = \frac{|U_0| - s_0 + s'_0}{n} = \frac{|U_0| - s_0 + s_1}{n} = \frac{|U_0|}{n} \approx \tfrac{1}{2} \qquad (6)
$$

(note that $P(U_0) \approx P(U_1) \approx \tfrac{1}{2}$). Expression (6) also holds for bit 1, so the probability of bit 1 occurring after the attack is ½ as well.

Case 2. Suppose the probability that a 0-bit is modified differs from the probability that a 1-bit is modified. Write $P(s_0) = s_0 / s$ for the fraction of the modified bits that are 0-bits, and suppose first that it is larger than for bit 1, $P(s_0) \approx \tfrac{1}{2} + \delta$ for some $\delta > 0$, so that $s_0 > s_1$ (note that $P(s_1) = P(s'_0) = 1 - P(s_0) \approx \tfrac{1}{2} - \delta$). Then the occurrence probability of bit 0 after the attack is

$$
P'(0) = \frac{|U_0| - s_0 + s'_0}{n} = \frac{\tfrac{n}{2} - s\left(\tfrac{1}{2} + \delta\right) + s\left(\tfrac{1}{2} - \delta\right)}{n} = \tfrac{1}{2} - \frac{2 \delta s}{n} < \tfrac{1}{2} . \qquad (7)
$$

Thus from (7) the probability of bit 0 occurring after the attack is less than ½, which implies that bit 1 occurs with probability greater than ½. In the same way, if the probability that a 0-bit is modified is smaller than for bit 1, $P(s_0) \approx \tfrac{1}{2} - \delta$ so that $s_0 < s_1$, then

$$
P'(0) = \frac{\tfrac{n}{2} - s\left(\tfrac{1}{2} - \delta\right) + s\left(\tfrac{1}{2} + \delta\right)}{n} = \tfrac{1}{2} + \frac{2 \delta s}{n} > \tfrac{1}{2} . \qquad (8)
$$

From (7) and (8), the probabilities of bits 0 and 1 occurring after the attack are no longer balanced whenever the probabilities of each bit being modified are not the same, whereas from (6) they remain balanced when those probabilities are the same. Extending the 1-bit pattern to an $m$-bit pattern in the same way, the occurrence probability of an $m$-bit pattern after the modification attack can be generalized as follows. Write an $m$-bit pattern as $x = x_1 x_2 \dots x_m$ and its complement as $\bar{x}$; let $P(x)$ be the occurrence probability of $x$ in the target sequence before the attack (so $P(x) \approx 2^{-m}$), let $N = n/m$ be the number of patterns in the sequence, and let $P_{\mathrm{mod}}(x)$ be the probability that a modified pattern is an occurrence of $x$, which is then turned into $\bar{x}$, with $P_{\mathrm{mod}}(\bar{x})$ defined likewise. With $s$ modified patterns, the occurrence probability of $x$ after the attack is, term by term as in the 1-bit case,

$$
P'(x) = \frac{N P(x) - s\, P_{\mathrm{mod}}(x) + s\, P_{\mathrm{mod}}(\bar{x})}{N} .
$$

Case 1: if the probability of being modified is uniform over the $m$-bit patterns, $P_{\mathrm{mod}}(x) \approx 2^{-m}$ for every $x$ (for example ≈ ¼ when $m = 2$), then $P_{\mathrm{mod}}(x) = P_{\mathrm{mod}}(\bar{x})$, the two correction terms cancel and $P'(x) = P(x) \approx 2^{-m}$ for every pattern. Case 2: if the probability of being modified is not uniform, say $P_{\mathrm{mod}}(x) \approx 2^{-m} + \delta$ and $P_{\mathrm{mod}}(\bar{x}) \approx 2^{-m} - \delta$ with $\delta > 0$, then $P'(x) \approx 2^{-m} - 2 \delta s / N < 2^{-m}$, and symmetrically $P'(\bar{x}) \approx 2^{-m} + 2 \delta s / N > 2^{-m}$; the case $P_{\mathrm{mod}}(x) \approx 2^{-m} - \delta$ gives the opposite inequalities. From these theoretical proofs we conclude that the modification attack can destroy the randomness of a random sequence when the probability of each $m$-bit pattern being modified is not uniform. Conversely, the occurrence probability of each $m$-bit pattern after the attack remains uniform when the probability of each $m$-bit pattern being modified is uniform as well.
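The following is an added, runnable illustration of both the simulation procedure of the earlier chapter (bit positions taken from a random stream as the decimal value of the next log₂ b bits, 1 to 3 flips per block, then the statistical distance and entropy difference tests over m-bit patterns) and of the two cases of the proof above (balanced versus unbalanced modification of 0-bits and 1-bits). It is example code written for this page, not the authors' simulator. It assumes SHA-256 in counter mode as a stand-in for the PRNGs under test, a block length of 32 bits, m = 4 for the pattern tests, and constructed seeds; the biased_modification routine, which picks a chosen fraction of the flips among 0-bits, is this example's way of realizing "unbalanced" modification.

```python
"""Added example (not from the paper): simulate the bit-modification attack,
measure it with the paper's two tests, and check the theoretical P'(0)."""
import hashlib
import math
import random
from collections import Counter


def prng_bits(seed: bytes, nbits: int) -> list:
    """Stand-in generator (assumption): SHA-256 of (seed || counter), concatenated."""
    out, ctr = [], 0
    while len(out) < nbits:
        digest = hashlib.sha256(seed + ctr.to_bytes(8, "big")).digest()
        out.extend((byte >> i) & 1 for byte in digest for i in range(7, -1, -1))
        ctr += 1
    return out[:nbits]


def pattern_distribution(bits: list, m: int) -> dict:
    """Empirical probability of each m-bit pattern over non-overlapping windows."""
    counts = Counter(tuple(bits[i:i + m]) for i in range(0, len(bits) - m + 1, m))
    total = sum(counts.values())
    return {p: c / total for p, c in counts.items()}


def statistical_distance(p: dict, q: dict) -> float:
    """Maximum statistical distance max_x |P(x) - Q(x)| between two distributions."""
    return max(abs(p.get(x, 0.0) - q.get(x, 0.0)) for x in set(p) | set(q))


def entropy(p: dict) -> float:
    """Shannon entropy in bits of a distribution given as {pattern: probability}."""
    return -sum(v * math.log2(v) for v in p.values() if v > 0)


def entropy_difference(p: dict, q: dict) -> float:
    return abs(entropy(p) - entropy(q))


def modify_blocks(bits: list, block_len: int, intensity: int, position_bits: list) -> list:
    """Flip `intensity` bits in every block of `block_len` bits.  Each position is
    the decimal value of the next log2(block_len) bits of `position_bits`, i.e.
    the paper's dec[log2 b] location rule (two flips at the same position cancel,
    as they would in the paper's simulation)."""
    width = int(math.log2(block_len))
    assert 1 << width == block_len, "block length must be a power of two"
    out, pos_idx = list(bits), 0
    for start in range(0, len(bits) - block_len + 1, block_len):
        for _ in range(intensity):
            chunk = position_bits[pos_idx:pos_idx + width]
            pos_idx += width
            out[start + int("".join(map(str, chunk)), 2)] ^= 1
    return out


def run_experiment(n_bits: int = 2 ** 16, block_len: int = 32, m: int = 4) -> dict:
    """Return {intensity: (statistical distance, entropy difference)} for 1..3 bits/block."""
    original = prng_bits(b"constructed-seed", n_bits)            # constructed seed
    positions = prng_bits(b"constructed-position-seed", 3 * n_bits)
    p_before = pattern_distribution(original, m)
    results = {}
    for intensity in (1, 2, 3):
        p_after = pattern_distribution(modify_blocks(original, block_len, intensity, positions), m)
        results[intensity] = (statistical_distance(p_before, p_after),
                              entropy_difference(p_before, p_after))
    return results


def biased_modification(bits: list, s: int, p_zero: float, rng: random.Random) -> list:
    """Flip s bits, choosing a fraction p_zero of them among 0-bits and the rest
    among 1-bits.  p_zero = 1/2 is the paper's balanced case (s0 = s1)."""
    zeros = [i for i, b in enumerate(bits) if b == 0]
    ones = [i for i, b in enumerate(bits) if b == 1]
    s0 = round(s * p_zero)
    out = list(bits)
    for i in rng.sample(zeros, s0) + rng.sample(ones, s - s0):
        out[i] ^= 1
    return out


def predicted_p0(n0: int, n: int, s: int, p_zero: float) -> float:
    """The proof's P'(0) = (|U0| - s0 + s'0) / n with s0 = s*p_zero, s'0 = s1 = s*(1-p_zero)."""
    return (n0 - s * p_zero + s * (1 - p_zero)) / n


def theorem_check(n: int, s: int, p_zero: float, seed: int = 1) -> tuple:
    """Return (empirical P'(0) after a biased attack, P'(0) predicted by the proof)."""
    bits = prng_bits(b"constructed-theorem-seed", n)
    after = biased_modification(bits, s, p_zero, random.Random(seed))
    return after.count(0) / n, predicted_p0(bits.count(0), n, s, p_zero)


if __name__ == "__main__":
    for k, (sd, ed) in run_experiment().items():
        print(f"{k} bit(s)/block: max statistical distance={sd:.5f} entropy diff={ed:.5f}")
    for pz in (0.5, 0.75):
        emp, pred = theorem_check(4096, 1024, pz)
        print(f"p_zero={pz}: empirical P'(0)={emp:.4f} predicted={pred:.4f}")
```

With p_zero = 0.5 the number of 0-bits is unchanged (case 1); with p_zero = 0.75 the empirical P'(0) falls below ½ by exactly 2δs/n with δ = 0.25, matching (7). The tests only decide "affected" once the measured distance exceeds a chosen advantage ε, so the per-intensity values returned by run_experiment are what one would compare against ε = 0.001 or ε = 0.0001 over many sequences.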

Conclusion
From the empirical study based on the statistical distance test and the entropy difference test on several PRNGs, namely the AES-based PRNGs, Dragon, Rabbit, ANSI X9.17 and ANSI X9.31, we found that the modification attack can affect the randomness of the PRNG output sequences, but that the significance of the effect differs from algorithm to algorithm. From the theoretical proofs based on the occurrence probability of each m-bit pattern after the attack, the modification attack may destroy the randomness of a random sequence whenever the probability of each m-bit pattern being modified is not uniform; conversely, every m-bit pattern still occurs with the same probability after the attack if the probability of each pattern being modified is the same. Based on these two results, the modification attack may have a harmful impact on the randomness of the output of an RNG or PRNG. The related work in [13] and [14] shows that this kind of attack can be implemented in practice, since an adversary can carry out the modification attack as a Trojan in order to reduce the randomness of the RNG/PRNG output. Therefore the modification attack cannot be ignored and should be anticipated.