Seedless Fruit Is the Sweetest: Random Number Generation, Revisited

  • Conference paper
  • Advances in Cryptology – CRYPTO 2019 (CRYPTO 2019)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11692)

Abstract

The need for high-quality randomness in cryptography makes random-number generation one of its most fundamental tasks.

A recent important line of work (initiated by Dodis et al., CCS ’13) focuses on the notion of robustness for pseudorandom number generators (PRNGs) with inputs. These are primitives that use various sources to accumulate sufficient entropy into a state, from which pseudorandom bits are extracted. Robustness ensures that PRNGs remain secure even under state compromise and adversarial control of entropy sources. However, the achievability of robustness inherently depends on a seed, or, alternatively, on an ideal primitive (e.g., a random oracle), independent of the source of entropy. Both assumptions are problematic: seed generation requires randomness to start with, and it is arguable whether the seed or the ideal primitive can be kept independent of the source.

This paper resolves this dilemma by putting forward new notions of robustness which enable both (1) seedless PRNGs and (2) primitive-dependent adversarial sources of entropy. To bypass obvious impossibility results, we make a realistic compromise by requiring that the source produce sufficient entropy even given its evaluations of the underlying primitive. We also provide natural, practical, and provably secure constructions based on hash-function designs from compression functions, block ciphers, and permutations. Our constructions can be instantiated with minimal changes to industry-standard hash functions SHA-2 and SHA-3, or key derivation function HKDF, and can be downgraded to (online) seedless randomness extractors, which are of independent interest.

On the way we consider both a computational variant of robustness, where attackers only make a bounded number of queries to the ideal primitive, as well as a new information-theoretic variant, which dispenses with this assumption to a certain extent, at the price of requiring a high rate of injected weak randomness (as it is, e.g., plausible on Intel’s on-chip RNG). The latter notion enables applications such as everlasting security. Finally, we show that the CBC extractor, used by Intel’s on-chip RNG, is provably insecure in our model.

S. Coretti—Work done while at NYU. Supported by NSF grants 1314568 and 1619158.

Y. Dodis—Partially supported by gifts from VMware Labs, Facebook and Google, and NSF grants 1314568, 1619158, 1815546.

H. Karthikeyan—Supported by NSF grant 1619158.

S. Tessaro—Partially supported by NSF grants CNS-1553758 (CAREER), CNS-1719146, CNS-1528178, and IIS-1528041, and by a Sloan Research Fellowship.

Notes

  1. We do, however, later discuss an interesting approach suggested by [3].

  2. Or, in the non-uniform setting, “seed-dependent”.

  3. For example, the ability to compute a random preimage of a given element, which is known to imply one-way functions [31], allows the attacker to produce entropic inputs whose entropy is completely lost by the refresh procedure.

  4. In fact, if the length of G(X) is slightly less than \(\gamma ^*\), we can even let \(\mathcal A\) query all of G and use the leftover-hash lemma [30] to get information-theoretic security.

  5. Prior to our work, the above modeling of sources as being independent of the ideal primitive was the only way to overcome extractor-fixing attacks. Examples of this approach include [18, 36, 49] and many others. While these results are non-trivial due to the “non-monolithic” structure of their extractors G, none of these works models the setting where the source could depend on the ideal primitive.

  6. Of course, when we instantiate G with a real-world hash function, this is no longer the case, as we discuss below.

  7. Since we no longer need to hide the seed from the distribution sampler, forcing us to separate it from the attacker.

  8. Note that in the extraction game the definition of \(\mathcal L_1\) is the same in the real and the ideal worlds. For our future definitions of PRNGs, however, it will be important that the notion of legitimacy is defined in the ideal world (i.e., conditioned on \(b=1\)).

  9. Here, \(\pi ^i\) denotes the i-fold application of \(\pi \).

  10. To reduce notational clutter, the algorithms \(\mathsf {refresh}\) and \(\mathsf {next}\) of the PRNG constructions are not “branded” with the design name. There will be no ambiguity as to which construction is meant in any place in this paper.

  11. The integer arguments to the compression function are to be naturally mapped to \(\{0,1\}^{n}\).

  12. A (block) cipher is an efficiently computable and invertible permutation \(E(k,\cdot ): \{0,1\}^{n}\rightarrow \{0,1\}^{n}\) for every key \(k \in \{0,1\}^{n}\).

  13. The integer arguments to the cipher are to be naturally mapped to \(\{0,1\}^{n}\).

References

  1. Barak, B., Halevi, S.: A model and architecture for pseudo-random generation with applications to /dev/random. In: Atluri, V., Meadows, C., Juels, A. (eds.) ACM CCS 2005, Alexandria, Virginia, USA, 7–11 November 2005, pp. 203–212. ACM Press (2005)

  2. Barak, B., Impagliazzo, R., Wigderson, A.: Extracting randomness using few independent sources. In: 45th FOCS, Rome, Italy, 17–19 October 2004, pp. 384–393. IEEE Computer Society Press (2004)

  3. Barak, B., Shaltiel, R., Tromer, E.: True random number generators secure in a changing environment. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 166–180. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45238-6_14

  4. Barker, E., Kelsey, J.: NIST Special Publication 800-90A (A revision of SP 800-90) Recommendation for random number generation using deterministic random bit generators (2012). https://csrc.nist.gov/publications/detail/sp/800-90a/rev-1/final

  5. Barker, E., Kelsey, J.: Recommendation for random number generation using deterministic random bit generators. NIST Special Publication 800-90A (2012)

  6. Bellare, M., Hoang, V.T., Keelveedhi, S.: Instantiating random oracles via UCEs. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 398–415. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_23

  7. Bellare, M., Pietrzak, K., Rogaway, P.: Improved security analyses for CBC MACs. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 527–545. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_32

  8. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the indifferentiability of the sponge construction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_11

  9. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge-based pseudo-random number generators. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 33–47. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15031-9_3

  10. Blum, M.: Independent unbiased coin flips from a correlated biased source - a finite state Markov chain. Combinatorica 6(2), 97–108 (1986)

  11. Chattopadhyay, E., Zuckerman, D.: Explicit two-source extractors and resilient functions. In: Wichs, D., Mansour, Y. (eds.) 48th ACM STOC, Cambridge, MA, USA, 18–21 June 2016, pp. 670–683. ACM Press (2016)

  12. Checkoway, S., et al.: On the practical exploitability of Dual EC in TLS implementations. In: Proceedings of the 23rd USENIX Security Symposium, San Diego, CA, USA, 20–22 August 2014, pp. 319–335 (2014)

  13. Chen, S., Steinberger, J.: Tight security bounds for key-alternating ciphers. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 327–350. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_19

  14. Chor, B., Goldreich, O.: Unbiased bits from sources of weak randomness and probabilistic communication complexity (extended abstract). In: 26th FOCS, Portland, Oregon, 21–23 October 1985, pp. 429–442. IEEE Computer Society Press (1985)

  15. Chor, B., Goldreich, O.: Unbiased bits from sources of weak randomness and probabilistic communication complexity. SIAM J. Comput. 17(2), 230–261 (1988)

  16. Chor, B., Goldreich, O., Håstad, J., Friedman, J., Rudich, S., Smolensky, R.: The bit extraction problem of t-resilient functions (preliminary version). In: 26th FOCS, Portland, Oregon, 21–23 October 1985, pp. 396–407. IEEE Computer Society Press (1985)

  17. Coretti, S., Dodis, Y., Karthikeyan, H., Tessaro, S.: Seedless fruit is the sweetest: random number generation, revisited. Cryptology ePrint Archive, Report 2019/198 (2019). https://eprint.iacr.org/2019/198

  18. Dodis, Y., Gennaro, R., Håstad, J., Krawczyk, H., Rabin, T.: Randomness extraction and key derivation using the CBC, cascade and HMAC modes. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 494–510. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_30

  19. Dodis, Y., Pointcheval, D., Ruhault, S., Vergnaud, D., Wichs, D.: Security analysis of pseudo-random number generators with input: /dev/random is not robust. In: Sadeghi, A.-R., Gligor, V.D., Yung, M. (eds.) ACM CCS 2013, Berlin, Germany, 4–8 November 2013, pp. 647–658. ACM Press (2013)

  20. Dodis, Y., Ristenpart, T., Vadhan, S.: Randomness condensers for efficiently samplable, seed-dependent sources. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 618–635. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28914-9_35

  21. Dodis, Y., Shamir, A., Stephens-Davidowitz, N., Wichs, D.: How to eat your entropy and have it too – optimal recovery strategies for compromised RNGs. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part II. LNCS, vol. 8617, pp. 37–54. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44381-1_3

  22. Eastlake, D., Schiller, J., Crocker, S.: RFC 4086 - Randomness Requirements for Security, June 2005

  23. Ferguson, N.: Private communication (2013)

  24. Ferguson, N., Schneier, B.: Practical Cryptography, 1st edn. Wiley, New York (2003)

  25. Gaži, P., Pietrzak, K., Rybár, M.: The exact PRF-security of NMAC and HMAC. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 113–130. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_7

  26. Gaži, P., Tessaro, S.: Provably robust sponge-based PRNGs and KDFs. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016, Part I. LNCS, vol. 9665, pp. 87–116. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_4

  27. Harnik, D., Naor, M.: On everlasting security in the hybrid bounded storage model. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006, Part II. LNCS, vol. 4052, pp. 192–203. Springer, Heidelberg (2006). https://doi.org/10.1007/11787006_17

  28. Hutchinson, D.: A robust and sponge-like PRNG with improved efficiency. In: Avanzi, R., Heys, H. (eds.) SAC 2016. LNCS, vol. 10532, pp. 381–398. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-69453-5_21

  29. Hutchinson, D.: A robust and sponge-like PRNG with improved efficiency. Cryptology ePrint Archive, Report 2016/886 (2016). http://eprint.iacr.org/2016/886

  30. Impagliazzo, R., Levin, L.A., Luby, M.: Pseudo-random generation from one-way functions (extended abstracts). In: 21st ACM STOC, Seattle, WA, USA, 15–17 May 1989, pp. 12–24. ACM Press (1989)

  31. Impagliazzo, R., Luby, M.: One-way functions are essential for complexity based cryptography (extended abstract). In: 30th FOCS, Research Triangle Park, North Carolina, 30 October–1 November 1989, pp. 230–235. IEEE Computer Society Press (1989)

  32. Information technology - Security techniques - Random bit generation. ISO/IEC 18031:2011 (2011)

  33. Kamp, J., Rao, A., Vadhan, S.P., Zuckerman, D.: Deterministic extractors for small-space sources. J. Comput. Syst. Sci. 77(1), 191–220 (2011)

  34. Kelsey, J., Schneier, B., Ferguson, N.: Yarrow-160: notes on the design and analysis of the Yarrow cryptographic pseudorandom number generator. In: Heys, H., Adams, C. (eds.) SAC 1999. LNCS, vol. 1758, pp. 13–33. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-46513-8_2

  35. Killmann, W., Schindler, W.: A proposal for: functionality classes for random number generators. AIS 20/AIS 31 (2011)

  36. Krawczyk, H.: Cryptographic extraction and key derivation: the HKDF scheme. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 631–648. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_34

  37. Lichtenstein, D., Linial, N., Saks, M.E.: Some extremal problems arising from discrete control processes. Combinatorica 9(3), 269–287 (1989)

  38. John, M.: Intel digital random number generator (DRNG) software implementation guide (2014). https://software.intel.com/en-us/articles/intel-digital-random-number-generator-drng-software-implementation-guide

  39. Nisan, N., Zuckerman, D.: More deterministic simulation in logspace. In: Proceedings of the Twenty-Fifth Annual ACM Symposium on Theory of Computing, San Diego, CA, USA, 16–18 May 1993, pp. 235–244 (1993)

  40. Nisan, N., Zuckerman, D.: Randomness is linear in space. J. Comput. Syst. Sci. 52(1), 43–52 (1996)

  41. Patarin, J.: The “coefficients H” technique. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 328–345. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04159-4_21

  42. Schoenmakers, B., Sidorenko, A.: Cryptanalysis of the dual elliptic curve pseudorandom generator. Cryptology ePrint Archive, Report 2006/190 (2006). http://eprint.iacr.org/2006/190

  43. Shrimpton, T., Terashima, R.S.: A provable-security analysis of Intel’s Secure Key RNG. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part I. LNCS, vol. 9056, pp. 77–100. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_4

  44. Shumow, D., Ferguson, N.: On the possibility of a back door in the NIST SP800-90 Dual EC PRNG. CRYPTO Rump Session (2007)

  45. Soni, P., Tessaro, S.: Public-seed pseudorandom permutations. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part II. LNCS, vol. 10211, pp. 412–441. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_14

  46. Trevisan, L., Vadhan, S.P.: Extracting randomness from samplable distributions. In: 41st FOCS, Redondo Beach, CA, USA, 12–14 November 2000, pp. 32–42. IEEE Computer Society Press (2000)

  47. von Neumann, J.: Various techniques used in connection with random digits. In: Householder, A.S., Forsythe, G.E., Germond, H.H. (eds.) Monte Carlo Method. National Bureau of Standards Applied Mathematics Series, vol. 12, pp. 36–38. U.S. Government Printing Office, Washington, D.C. (1951)

  48. Wikipedia: /dev/random (2004). http://en.wikipedia.org/wiki//dev/random. Accessed 09 Feb 2014

  49. Woodage, J., Shumow, D.: An analysis of NIST SP 800-90A. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 151–180. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_6

Author information

Correspondence to Sandro Coretti or Yevgeniy Dodis.

Copyright information

© 2019 International Association for Cryptologic Research

Cite this paper

Coretti, S., Dodis, Y., Karthikeyan, H., Tessaro, S. (2019). Seedless Fruit Is the Sweetest: Random Number Generation, Revisited. In: Boldyreva, A., Micciancio, D. (eds) Advances in Cryptology – CRYPTO 2019. CRYPTO 2019. Lecture Notes in Computer Science(), vol 11692. Springer, Cham. https://doi.org/10.1007/978-3-030-26948-7_8

  • DOI: https://doi.org/10.1007/978-3-030-26948-7_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-26947-0

  • Online ISBN: 978-3-030-26948-7