How to Eat Your Entropy and Have It Too – Optimal Recovery Strategies for Compromised RNGs
We study random number generators (RNGs) with input, RNGs that regularly update their internal state according to some auxiliary input with additional randomness harvested from the environment. We formalize the problem of designing an efficient recovery mechanism from complete state compromise in the presence of an active attacker. If we knew the timing of the last compromise and the amount of entropy gathered since then, we could stop producing any outputs until the state becomes truly random again. However, our challenge is to recover within a time proportional to this optimal solution even in the hardest (and most realistic) case in which (a) we know nothing about the timing of the last state compromise, and the amount of new entropy injected since then into the state, and (b) any premature production of outputs leads to the total loss of all the added entropy used by the RNG. In other words, the challenge is to develop recovery mechanisms which are guaranteed to save the day as quickly as possible after a compromise we are not even aware of. The dilemma is that any entropy used prematurely will be lost, and any entropy which is kept unused will delay the recovery.
After formally modeling RNGs with input, we show a nearly optimal construction that is secure in our very strong model. Our technique is inspired by the design of the Fortuna RNG (which is a heuristic RNG construction that is currently used by Windows and comes without any formal analysis), but we non-trivially adapt it to our much stronger adversarial setting. Along the way, our formal treatment of Fortuna enables us to improve its entropy efficiency by almost a factor of two, and to show that our improved construction is essentially tight, by proving a rigorous lower bound on the possible efficiency of any recovery mechanism in our very general model of the problem.
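The dilemma stated in the abstract (entropy used too early is lost, entropy held back delays recovery) can be seen in a toy simulation. This is an added example, not the paper's construction or the authors' code; it assumes the classic Fortuna pool schedule (pool i drained every 2^i steps, round-robin deposits) and a crude entropy model in which any mix-in below the security threshold is brute-forced by the attacker and therefore wasted:

```python
import math
from typing import List, Optional

POOLS = 32  # pool count of the classic Fortuna design (assumed for this toy model)

def scheduled_pools(step: int, pools: int = POOLS) -> List[int]:
    """Classic Fortuna rule (assumed): pool i is drained at step t iff 2**i divides t,
    so pool 0 is used every step, pool 1 every second step, pool 2 every fourth, ..."""
    return [i for i in range(pools) if step % (1 << i) == 0]

def fortuna_recovery_time(rate: float, threshold: float, pools: int = POOLS,
                          max_steps: int = 1 << 20) -> Optional[int]:
    """Steps until the state is unpredictable again after a full compromise at step 0.

    Model of the abstract's dilemma: each step the environment delivers `rate` bits,
    deposited round-robin into one pool; the scheduled pools are then emptied into
    the state and an output is produced.  If the entropy mixed in is below
    `threshold` (the security level, in bits), the attacker can brute-force it from
    the output, so that entropy is lost and the state stays known.  The first
    mix-in of at least `threshold` bits ends the compromise.
    """
    contents = [0.0] * pools
    for step in range(1, max_steps + 1):
        contents[step % pools] += rate          # round-robin deposit
        used = scheduled_pools(step, pools)
        mixed = sum(contents[i] for i in used)
        for i in used:
            contents[i] = 0.0                   # drained: either used or lost
        if mixed >= threshold:
            return step
    return None  # still compromised within the simulated horizon

def naive_recovery_time(rate: float, threshold: float) -> Optional[int]:
    """Single pool, every bit used immediately: recovers only if one step's
    entropy already reaches the threshold; otherwise every bit is lost forever."""
    return 1 if rate >= threshold else None

def optimal_recovery_time(rate: float, threshold: float) -> int:
    """Idealised strategy that knows the compromise time and the entropy rate and
    simply withholds outputs until `threshold` bits have accumulated."""
    return math.ceil(threshold / rate)

if __name__ == "__main__":
    for rate in (1.0, 0.25):
        f, o = fortuna_recovery_time(rate, 100), optimal_recovery_time(rate, 100)
        print(f"rate={rate}: fortuna={f} optimal={o} ratio={f / o:.2f} "
              f"naive={naive_recovery_time(rate, 100)}")
```

The ratio between the pooled strategy's recovery time and the idealised one stays the same as the (unknown) entropy rate changes, which is the property the abstract describes as recovering within a time proportional to the optimal solution; the single-pool strategy never recovers at low rates.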
Keywords: Random number generators; RNGs with input
Dodis, Y., Shamir, A., Stephens-Davidowitz, N., Wichs, D.: How to eat your entropy and have it too – optimal recovery strategies for compromised RNGs. Cryptology ePrint Archive, Report 2014/167 (2014), http://eprint.iacr.org/