Abstract
We study random number generators (RNGs) with input, RNGs that regularly update their internal state according to some auxiliary input with additional randomness harvested from the environment. We formalize the problem of designing an efficient recovery mechanism from complete state compromise in the presence of an active attacker. If we knew the timing of the last compromise and the amount of entropy gathered since then, we could stop producing any outputs until the state becomes truly random again. However, our challenge is to recover within a time proportional to this optimal solution even in the hardest (and most realistic) case in which (a) we know nothing about the timing of the last state compromise, and the amount of new entropy injected since then into the state, and (b) any premature production of outputs leads to the total loss of all the added entropy used by the RNG. In other words, the challenge is to develop recovery mechanisms which are guaranteed to save the day as quickly as possible after a compromise we are not even aware of. The dilemma is that any entropy used prematurely will be lost, and any entropy which is kept unused will delay the recovery.
After formally modeling RNGs with input, we show a nearly optimal construction that is secure in our very strong model. Our technique is inspired by the design of the Fortuna RNG (which is a heuristic RNG construction that is currently used by Windows and comes without any formal analysis), but we non-trivially adapt it to our much stronger adversarial setting. Along the way, our formal treatment of Fortuna enables us to improve its entropy efficiency by almost a factor of two, and to show that our improved construction is essentially tight, by proving a rigorous lower bound on the possible efficiency of any recovery mechanism in our very general model of the problem.
Chapter PDF
Similar content being viewed by others
References
Barak, B., Halevi, S.: A model and architecture for pseudo-random generation with applications to /dev/random. In: Proceedings of the 12th ACM Conference on Computer and Communications Security, CCS 2005, pp. 203–212. ACM, New York (2005)
Barker, E., Kelsey, J.: Recommendation for random number generation using deterministic random bit generators. NIST Special Publication 800-90A (2012)
Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006)
CVE-2008-0166. Common Vulnerabilities and Exposures (2008)
Dodis, Y., Pointcheval, D., Ruhault, S., Vergniaud, D., Wichs, D.: Security analysis of pseudo-random number generators with input: /dev/random is not robust. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer Communications Security, CCS 2013, pp. 647–658. ACM, New York (2013)
Dodis, Y., Shamir, A., Stephens-Davidowitz, N., Wichs, D.: How to eat your entropy and have it too – optimal recovery strategies for compromised rngs. Cryptology ePrint Archive, Report 2014/167 (2014), http://eprint.iacr.org/
Dorrendorf, L., Gutterman, Z., Pinkas, B.: Cryptanalysis of the random number generator of the windows operating system. IACR Cryptology ePrint Archive 2007, 419 (2007)
Eastlake, D., Schiller, J., Crocker, S.: RFC 4086 - Randomness Requirements for Security (June 2005)
Ferguson, N.: Private communication (2013)
Ferguson, N., Schneier, B.: Practical Cryptography, 1st edn. John Wiley & Sons, Inc., New York (2003)
Gutterman, Z., Pinkas, B., Reinman, T.: Analysis of the linux random number generator. In: Proceedings of the 2006 IEEE Symposium on Security and Privacy, SP 2006, pp. 371–385. IEEE Computer Society, Washington, DC (2006)
Heninger, N., Durumeric, Z., Wustrow, E., Halderman, J.A.: Mining your Ps and Qs: Detection of widespread weak keys in network devices. In: Proceedings of the 21st USENIX Security Symposium (August 2012)
Information technology - Security techniques - Random bit generation. ISO/IEC18031:2011 (2011)
Kelsey, J., Schneier, B., Ferguson, N.: Yarrow-160: Notes on the design and analysis of the yarrow cryptographic pseudorandom number generator. In: Heys, H.M., Adams, C.M. (eds.) SAC 1999. LNCS, vol. 1758, pp. 13–33. Springer, Heidelberg (2000)
Kelsey, J., Schneier, B., Wagner, D., Hall, C.: Cryptanalytic attacks on pseudorandom number generators. In: Vaudenay, S. (ed.) Fast Software Encryption, FSE 1998. LNCS, vol. 1372, pp. 168–188. Springer, Heidelberg (1998)
Killmann, W., Schindler, W.: A proposal for: Functionality classes for random number generators. AIS 20 / AIS31 (2011)
Lacharme, P., Röck, A., Strubel, V., Videau, M.: The linux pseudorandom number generator revisited. IACR Cryptology ePrint Archive 2012, 251 (2012)
Lenstra, A.K., Hughes, J.P., Augier, M., Bos, J.W., Kleinjung, T., Wachter, C.: Public keys. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 626–642. Springer, Heidelberg (2012)
Nguyen, Shparlinski: The insecurity of the digital signature algorithm with partially known nonces. Journal of Cryptology 15(3), 151–176 (2002)
Sahai, A., Vadhan, S.P.: A complete problem for statistical zero knowledge. J. ACM 50(2), 196–249 (2003)
Wikipedia. /dev/random (2004), http://en.wikipedia.org/wiki//dev/random (accessed February 09, 2014)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 International Association for Cryptologic Research
About this paper
Cite this paper
Dodis, Y., Shamir, A., Stephens-Davidowitz, N., Wichs, D. (2014). How to Eat Your Entropy and Have It Too – Optimal Recovery Strategies for Compromised RNGs. In: Garay, J.A., Gennaro, R. (eds) Advances in Cryptology – CRYPTO 2014. CRYPTO 2014. Lecture Notes in Computer Science, vol 8617. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-44381-1_3
Download citation
DOI: https://doi.org/10.1007/978-3-662-44381-1_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-44380-4
Online ISBN: 978-3-662-44381-1
eBook Packages: Computer ScienceComputer Science (R0)