, Volume 79, Issue 4, pp 1196–1232 | Cite as

How to Eat Your Entropy and Have it Too: Optimal Recovery Strategies for Compromised RNGs

  • Yevgeniy Dodis
  • Adi Shamir
  • Noah Stephens-DavidowitzEmail author
  • Daniel Wichs


Random number generators (RNGs) play a crucial role in many cryptographic schemes and protocols, but their security proof usually assumes that their internal state is initialized with truly random seeds and remains secret at all times. However, in many practical situations these are unrealistic assumptions: The seed is often gathered after a reset/reboot from low entropy external events such as the timing of manual key presses, and the state can be compromised at unknown points in time via side channels or penetration attacks. The usual remedy (used by all the major operating systems, including Windows, Linux, FreeBSD, MacOS, iOS, etc.) is to periodically replenish the internal state through an auxiliary input with additional randomness harvested from the environment. However, recovering from such attacks in a provably correct and computationally optimal way had remained an unsolved challenge so far.

In this paper we formalize the problem of designing an efficient recovery mechanism from state compromise, by considering it as an online optimization problem. If we knew the timing of the last compromise and the amount of entropy gathered since then, we could stop producing any outputs until the state becomes truly random again. However, our challenge is to recover within a time proportional to this optimal solution even in the hardest (and most realistic) case in which (a) we know nothing about the timing of the last state compromise, and the amount of new entropy injected since then into the state, and (b) any premature production of outputs leads to the total loss of all the added entropy used by the RNG, since the attacker can use brute force to enumerate all the possible low-entropy states. In other words, the challenge is to develop recovery mechanisms which are guaranteed to save the day as quickly as possible after a compromise we are not even aware of. The dilemma that we face is that any entropy used prematurely will be lost, and any entropy which is kept unused will delay the recovery.

After developing our formal definitional framework for RNGs with inputs, we show how to construct a nearly optimal RNG which is secure in our model. Our technique is inspired by the design of the Fortuna RNG (which is a heuristic RNG construction that is currently used by Windows and comes without any formal analysis), but we non-trivially adapt it to our much stronger adversarial setting. Along the way, our formal treatment of Fortuna enables us to improve its entropy efficiency by almost a factor of two, and to show that our improved construction is essentially tight, by proving a rigorous lower bound on the possible efficiency of any recovery mechanism in our very general model of the problem.


Random number generator RNG State compromise 


  1. 1.
    Barak, B., Halevi, S.: A model and architecture for pseudo-random generation with applications to /dev/random. In: Proceedings of the 12th ACM Conference on Computer and Communications Security, CCS ’05, ACM, pp. 203–212. New York, NY, USA (2005)Google Scholar
  2. 2.
    Barker, E., Kelsey, J.: Recommendation for Random Number Generation Using Deterministic Random Bit Generators. NIST Special Publication, Oakland (2012)CrossRefGoogle Scholar
  3. 3.
    Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay S. (ed.) Advances in Cryptology—EUROCRYPT. Lecture Notes in Computer Science, vol. 4004, pp. 409–426. Springer, Berlin, Heidelberg (2006)Google Scholar
  4. 4.
    CVE-2008-0166. Common vulnerabilities and exposures (2008)Google Scholar
  5. 5.
    Dodis, Y., Pointcheval, D., Ruhault, S., Vergniaud, D., Wichs, D.: Security analysis of pseudo-random number generators with input: /dev/random is not robust. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer Communications Security, CCS ’13, ACM, pp. 647–658. New York, NY, USA (2013)Google Scholar
  6. 6.
    Dorrendorf, L., Gutterman, Z., Pinkas, B.: Cryptanalysis of the random number generator of the windows operating system. IACR Cryptol. ePrint Arch. 2007, 419 (2007)Google Scholar
  7. 7.
    Eastlake, D., Schiller, J., Crocker, S.: Randomness Requirements for Security (2005).
  8. 8.
    Ferguson, N.: Private communication (2013)Google Scholar
  9. 9.
    Ferguson, N., Schneier, B.: Practical Cryptography, 1st edn. Wiley, New York (2003)zbMATHGoogle Scholar
  10. 10.
    Gutterman, Z., Pinkas, B., Reinman, T.: Analysis of the linux random number generator. In: Proceedings of the 2006 IEEE Symposium on Security and Privacy. SP ’06, IEEE Computer Society, pp. 371–385. Washington, DC, USA (2006)Google Scholar
  11. 11.
    Heninger, N., Durumeric, Z., Wustrow, E., Halderman, J.A.: Mining your Ps and Qs: detection of widespread weak keys in network devices. In: Proceedings of the 21st USENIX Security Symposium (2012)Google Scholar
  12. 12.
    Kelsey, J., Schneier, B., Ferguson, N.: Yarrow-160: notes on the design and analysis of the yarrow cryptographic pseudorandom number generator. In: Sixth Annual Workshop on Selected Areas in Cryptography, pp. 13–33. Springer (1999)Google Scholar
  13. 13.
    Kelsey, J., Schneier, B., Wagner, D., Hall, C.: Cryptanalytic attacks on pseudorandom number generators. In: Vaudenay S. (ed.) Fast Software Encryption. Lecture Notes in Computer Science, vol. 1372, pp. 168–188. Springer, Berlin, Heidelberg (1998)Google Scholar
  14. 14.
    Lacharme, P., Röck, A., Strubel, V., Videau, M.: The linux pseudorandom number generator revisited. IACR Cryptol. ePrint Arch. 2012, 251 (2012)Google Scholar
  15. 15.
    Lenstra, A.K., Hughes, J.P., Augier, M., Bos, J.W., Kleinjung, T., Wachter, C.: Public keys. In: Advances in cryptology–CRYPTO 2012. Lecture Notes in Computer Science, vol. 7417, pp. 626–642. Springer, Heidelberg (2012)Google Scholar
  16. 16.
    Nguyen, P.Q., Shparlinski, I.E.: The insecurity of the digital signature algorithm with partially known nonces. J. Cryptol. 15(3), 151–176 (2002)MathSciNetCrossRefzbMATHGoogle Scholar
  17. 17.
    Sahai, A., Vadhan, S.P.: A complete problem for statistical zero knowledge. J. ACM 50(2), 196–249 (2003)MathSciNetCrossRefzbMATHGoogle Scholar
  18. 18.
    Schinlder, W., Killmann, W.: Evaluation Criteria for True (Physical) Random Number Generators Used in Cryptographic Applications. In: Kaliski, B.S., Koç, Ç.K., Paar, C. (eds.) Cryptographic Hardware and Embedded Systems - CHES 2002: 4th International Workshop, Redwood Shores, CA, USA, August 13–15, 2002, Revised Papers, pp. 431–449. Springer, Berlin, Heidelberg (2003)Google Scholar
  19. 19.
    Wikipedia. /dev/random. (2004). Accessed 09 Feb 2014

Copyright information

© Springer Science+Business Media New York 2016

Authors and Affiliations

  • Yevgeniy Dodis
    • 1
  • Adi Shamir
    • 2
  • Noah Stephens-Davidowitz
    • 1
    Email author
  • Daniel Wichs
    • 3
  1. 1.Department of Computer ScienceNew York UniversityNew YorkUSA
  2. 2.Department of Computer Science and Applied MathematicsWeizmann InstituteRehovotIsrael
  3. 3.Department of Computer ScienceNortheastern UniversityBostonUSA

Personalised recommendations