International Cryptology Conference

CRYPTO 2014: Advances in Cryptology – CRYPTO 2014, pp. 37–54

How to Eat Your Entropy and Have It Too – Optimal Recovery Strategies for Compromised RNGs

  • Yevgeniy Dodis
  • Adi Shamir
  • Noah Stephens-Davidowitz
  • Daniel Wichs
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8617)


We study random number generators (RNGs) with input, RNGs that regularly update their internal state according to some auxiliary input with additional randomness harvested from the environment. We formalize the problem of designing an efficient recovery mechanism from complete state compromise in the presence of an active attacker. If we knew the timing of the last compromise and the amount of entropy gathered since then, we could stop producing any outputs until the state becomes truly random again. However, our challenge is to recover within a time proportional to this optimal solution even in the hardest (and most realistic) case in which (a) we know nothing about the timing of the last state compromise, and the amount of new entropy injected since then into the state, and (b) any premature production of outputs leads to the total loss of all the added entropy used by the RNG. In other words, the challenge is to develop recovery mechanisms which are guaranteed to save the day as quickly as possible after a compromise we are not even aware of. The dilemma is that any entropy used prematurely will be lost, and any entropy which is kept unused will delay the recovery.

After formally modeling RNGs with input, we show a nearly optimal construction that is secure in our very strong model. Our technique is inspired by the design of the Fortuna RNG (which is a heuristic RNG construction that is currently used by Windows and comes without any formal analysis), but we non-trivially adapt it to our much stronger adversarial setting. Along the way, our formal treatment of Fortuna enables us to improve its entropy efficiency by almost a factor of two, and to show that our improved construction is essentially tight, by proving a rigorous lower bound on the possible efficiency of any recovery mechanism in our very general model of the problem.
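The following toy simulation is an added illustration of the dilemma stated in the abstract, written for this page and not the authors' construction, proof or code: a scheduler that uses entropy as soon as it arrives never escapes a compromise at low rates, one that blindly waits is either too slow or still fails, while Fortuna's power-of-two pool schedule recovers for every rate within a bounded multiple of the oracle that knows the compromise time and the rate. The 128-bit threshold, the one-sample-per-pool-per-round model and the "premature reseed loses its entropy" rule are simplifying assumptions.

```python
"""Toy model of the recovery dilemma (added illustration; not the paper's
construction, proof or parameters).  A compromise happens just before round
1.  In every round each pool receives one fresh sample worth EPS bits (EPS is
unknown to the scheduler).  A reseed that drains pools holding at least GAMMA
fresh bits makes the state unpredictable again; a reseed with fewer bits is
assumed to be brute-forced, so the entropy it consumed is lost.  Entropy used
too early is wasted, entropy held back delays recovery."""
import math

GAMMA = 128   # fresh bits a single reseed must carry to escape the attacker
POOLS = 32    # Fortuna's pool count

def fortuna(t):
    # Fortuna schedule: pool i is drained on every 2**i-th reseed, so pool i
    # holds 2**i samples when it is used, whatever the (unknown) rate is.
    return [i for i in range(POOLS) if t % (2 ** i) == 0]

def greedy(t):
    # Use all entropy immediately; never holds anything back.
    return list(range(POOLS))

def fixed_wait(w):
    # Hold everything back for w rounds, then use it all.
    return lambda t: list(range(POOLS)) if t % w == 0 else []

def recovery_round(schedule, eps, max_rounds=10_000):
    """First round whose reseed carries >= GAMMA fresh bits, or None if the
    strategy never recovers within max_rounds."""
    pool_bits = [0.0] * POOLS
    for t in range(1, max_rounds + 1):
        for i in range(POOLS):
            pool_bits[i] += eps          # one sample per pool per round
        drained = schedule(t)
        if sum(pool_bits[i] for i in drained) >= GAMMA:
            return t
        for i in drained:                # premature reseed: entropy is lost
            pool_bits[i] = 0.0
    return None

def optimal_round(eps):
    """Rounds an oracle that knows the compromise time and eps would wait."""
    return math.ceil(GAMMA / (POOLS * eps))

if __name__ == "__main__":
    for eps in (8.0, 1.0, 0.125, 0.03125):     # constructed rates, bits/sample
        print(f"eps={eps:<8} optimal={optimal_round(eps):<4} "
              f"fortuna={recovery_round(fortuna, eps)} "
              f"greedy={recovery_round(greedy, eps)} "
              f"wait64={recovery_round(fixed_wait(64), eps)}")
```

At rate 1 bit per sample the oracle needs 4 rounds, Fortuna needs 128, and the greedy scheduler never recovers; at 1/32 bit per sample the fixed 64-round wait also fails forever while Fortuna still recovers at round 4096.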


Keywords: Random number generators; RNGs with input





Copyright information

© International Association for Cryptologic Research 2014

Authors and Affiliations

  • Yevgeniy Dodis (1)
  • Adi Shamir (2)
  • Noah Stephens-Davidowitz (1)
  • Daniel Wichs (3)

  1. Dept. of Computer Science, New York University, New York, USA
  2. Dept. of Computer Science and Applied Mathematics, Weizmann Institute, Rehovot, Israel
  3. Dept. of Computer Science, Northeastern University, Boston, USA
