
Immunizing Backdoored PRGs

Conference paper, in: Theory of Cryptography (TCC 2023)

Abstract

A backdoored Pseudorandom Generator (PRG) is a PRG which looks pseudorandom to the outside world, but a saboteur can break PRG security by planting a backdoor into a seemingly honest choice of public parameters, pk, for the system. Backdoored PRGs became increasingly important due to revelations about NIST’s backdoored Dual EC PRG, and later results about its practical exploitability.

Motivated by this, at Eurocrypt’15 Dodis et al. [22] initiated the question of immunizing backdoored PRGs. A k-immunization scheme repeatedly applies a post-processing function to the outputs of k backdoored PRGs, to render any (unknown) backdoors provably useless. For \(k=1\), [22] showed that no deterministic immunization is possible, but then constructed a “seeded” 1-immunizer either in the random oracle model, or under strong non-falsifiable assumptions. As our first result, we show that no seeded 1-immunization scheme can be black-box reduced to any efficiently falsifiable assumption.

This motivates studying k-immunizers for \(k\ge 2\), which have the additional advantage of being deterministic (i.e., “seedless”). Indeed, prior work at CCS’17 [37] and CRYPTO’18 [8] gave supporting evidence that simple k-immunizers might exist, albeit in slightly different settings. Unfortunately, we show that the simple standard-model proposals of [8, 37] (including the XOR function [8]) provably do not work in our setting. On the positive side, we confirm the intuition of [37] that a (seedless) random oracle is a provably secure 2-immunizer. On the negative side, no (seedless) 2-immunization scheme can be black-box reduced to any efficiently falsifiable assumption, at least for a large class of natural 2-immunizers which includes all “cryptographic hash functions.”

In summary, our results show that k-immunizers occupy a peculiar place in the cryptographic world. While they likely exist, and can be made practical and efficient, it is unlikely one can reduce their security to a “clean” standard-model assumption.
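The following is an added example, not code from the paper or its authors, that makes the two immunizer shapes from the abstract concrete: a seeded 1-immunizer that hashes each output together with a seed the saboteur never sees, and a seedless 2-immunizer that hashes the i-th outputs of two independent PRGs together. To have something to immunize, it also constructs a toy stateful backdoored PRG (the class `BackdooredPRG`, the trapdoor recovery `saboteur_predict`, the 61-bit group `P`, `G` and all helper names are my own assumptions): the first raw output block carries a Diffie-Hellman share, so the holder of the saboteur's `sk` can recover the internal key from one observed block and predict everything that follows, while a user who knows only `pk` sees nothing unusual. The toy saboteur only tries the obvious strategy of treating immunized blocks as raw ones; it does not model the stronger strategies the paper uses to rule out XOR and the other standard-model combiners, so nothing here should be read as evidence for or against those.

```python
import hashlib
import secrets

# Constructed toy group: a 61-bit Mersenne prime. Far too small for real
# security; it only makes the pk/sk trapdoor relationship concrete.
P = (1 << 61) - 1
G = 3
BLOCK = 32  # bytes per PRG output block


def h(*parts: bytes) -> bytes:
    """Domain-separated SHA-256; stands in for the random oracle."""
    return hashlib.sha256(b"|".join(parts)).digest()


def saboteur_keygen():
    """The saboteur picks sk and publishes pk as the 'honest-looking' parameter."""
    sk = secrets.randbelow(P - 2) + 1
    return pow(G, sk, P), sk


class BackdooredPRG:
    """Toy stateful PRG (hypothetical construction). Outputs look random to a
    user who knows only pk. Block 1 carries a DH share g^e; every later block
    is a hash of the shared secret pk^e and a counter, so whoever knows sk can
    recover the whole state from the first raw output alone."""

    def __init__(self, pk: int, seed: bytes):
        e = int.from_bytes(h(b"eph", seed), "big") % (P - 2) + 1
        self.share = pow(G, e, P)
        self.key = h(b"key", str(pow(pk, e, P)).encode())  # internal state
        self.counter = 0

    def next(self) -> bytes:
        self.counter += 1
        if self.counter == 1:
            return self.share.to_bytes(8, "big") + h(b"pad", self.key)[: BLOCK - 8]
        return h(b"out", self.key, self.counter.to_bytes(4, "big"))


def saboteur_predict(sk: int, first_output: bytes, index: int) -> bytes:
    """Using sk and the first observed block, predict raw block `index` (>= 2)."""
    share = int.from_bytes(first_output[:8], "big")
    key = h(b"key", str(pow(share, sk, P)).encode())  # (g^e)^sk == (g^sk)^e
    return h(b"out", key, index.to_bytes(4, "big"))


def seeded_1_immunizer(seed: bytes, r: bytes) -> bytes:
    """Seeded 1-immunizer: hash each output with a seed kept from the saboteur."""
    return h(b"imm1", seed, r)


def seedless_2_immunizer(r1: bytes, r2: bytes) -> bytes:
    """Seedless 2-immunizer: hash the i-th outputs of two PRGs together."""
    return h(b"imm2", r1, r2)


def demo(n: int = 4) -> dict:
    """Run the saboteur against raw, 1-immunized and 2-immunized output streams."""
    pk, sk = saboteur_keygen()

    # Raw backdoored PRG: the saboteur predicts every block after the first.
    raw = BackdooredPRG(pk, secrets.token_bytes(32))
    raw_out = [raw.next() for _ in range(n)]
    raw_hit = all(saboteur_predict(sk, raw_out[0], i) == raw_out[i - 1]
                  for i in range(2, n + 1))

    # Seeded 1-immunization: the user keeps `seed` private, so the saboteur
    # never observes a raw block and the trapdoor has nothing to work on.
    seed = secrets.token_bytes(32)
    prg = BackdooredPRG(pk, secrets.token_bytes(32))
    imm1 = [seeded_1_immunizer(seed, prg.next()) for _ in range(n)]
    imm1_hit = any(saboteur_predict(sk, imm1[0], i) == imm1[i - 1]
                   for i in range(2, n + 1))

    # Seedless 2-immunization: two independently seeded backdoored PRGs whose
    # parameter sets the saboteur both controls; no seed is needed.
    pk2, sk2 = saboteur_keygen()
    a = BackdooredPRG(pk, secrets.token_bytes(32))
    b = BackdooredPRG(pk2, secrets.token_bytes(32))
    imm2 = [seedless_2_immunizer(a.next(), b.next()) for _ in range(n)]
    imm2_hit = any(saboteur_predict(s, imm2[0], i) == imm2[i - 1]
                   for s in (sk, sk2) for i in range(2, n + 1))

    return {"raw_predicted": raw_hit,
            "seeded_immunized_predicted": imm1_hit,
            "two_immunized_predicted": imm2_hit}


if __name__ == "__main__":
    print(demo())
```

The point the toy makes is the one footnote 2 of the paper stresses: the immunizer sees only PRG outputs, never the internal state, and yet it suffices that the saboteur also sees only post-processed outputs, because a hash modeled as a random oracle reveals nothing about the raw block that carried the trapdoor information.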

M. Ball—Supported in part by the Simons Foundation.

Y. Dodis—Research Supported by NSF grant CNS-2055578, and gifts from JP Morgan, Protocol Labs and Algorand Foundation.

E. Goldin—Partially supported by a National Science Foundation Graduate Research Fellowship.


Notes

  1. And instead thinking of the PRG as outputting pseudorandom elliptic curve points.

  2. Note that the immunizer only processes pseudorandom outputs and does not have access to the internal state (which is not necessarily available to a user). Indeed, if one has access to a random initial state, there is a trivial “immunizer” that ignores the given backdoored PRG, and instead uses the random state to bootstrap a different (non-backdoored) PRG.

  3. This assumption presumes that such C itself is not backdoored.

  4. Recall that, loosely speaking, an assumption is efficiently falsifiable if the falseness of the assumption can be verified (efficiently), given an appropriate witness.

  5. Note again that if the post-processing is not sufficiently “simple” (here this means statelessly processing outputs in an online manner), one can trivially bootstrap “honest” public parameters from many fresh PRG invocations.

  6. Drawing inspiration from 2-source extractors [18] to similarly overcome the impossibility of deterministic extraction from a single weak source of randomness.

  7. Under a widely believed cryptographic assumption mentioned shortly.

  8. In general, we conjecture that no such composition result is true under proper modeling of backdoored PRGs, such as the one in this work. For example, 2-immunization for stateless PRGs can be effectively instantiated with a sufficiently strong 2-source extractor. In contrast, our negative result (mentioned later in the Introduction) rules out such extractors as sufficient for stateful PRGs.

  9. Note, however, that their modeling does capture pseudorandom number generators (PRNGs) which accumulate entropy, albeit in a setting where one has rewinding access and the entropy sources are not too adversarial.

  10. In particular, the key piece of our proof that was missing in [36, 37] is contained in Lemma 8 of our paper. The important observation (adapted from the seeded 1-immunizer proof in [22]) is that the random oracle outputs reveal negligible information about its inputs, and so every PRG round can inductively be treated as the first round.

References

  1. Recommendation for random number generation using deterministic random bit generators. National Institute of Standards and Technology: Special Publication (2012). https://csrc.nist.gov/publications/PubsSPs.html#800-90A

  2. Alekhnovich, M.: More on average case vs approximation complexity. In: 44th FOCS, pp. 298–307. IEEE Computer Society Press (2003)

  3. Alekhnovich, M.: More on average case vs approximation complexity. Comput. Complex. 20(4), 755–786 (2011)

  4. Ateniese, G., Camenisch, J., Hohenberger, S., de Medeiros, B.: Practical group signatures without random oracles. Cryptology ePrint Archive, Report 2005/385 (2005). https://eprint.iacr.org/2005/385

  5. Ateniese, G., Francati, D., Magri, B., Venturi, D.: Immunization against complete subversion without random oracles. Theor. Comput. Sci. 859, 1–36 (2021)

  6. Ball, M., Dodis, Y., Goldin, E.: Immunizing backdoored PRGs. Cryptology ePrint Archive (2023). https://eprint.iacr.org

  7. Ballard, L., Green, M., de Medeiros, B., Monrose, F.: Correlation-resistant storage via keyword-searchable encryption. Cryptology ePrint Archive, Report 2005/417 (2005). https://eprint.iacr.org/2005/417

  8. Bauer, B., Farshim, P., Mazaheri, S.: Combiners for backdoored random oracles. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 272–302. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_10

  9. Bellare, M., Hoang, V.T., Keelveedhi, S.: Instantiating random oracles via UCEs. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 398–415. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_23

  10. Bellare, M., Paterson, K.G., Rogaway, P.: Security of symmetric encryption against mass surveillance. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 1–19. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_1

  11. Bellare, M., Yee, B.: Forward-security in private-key cryptography. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 1–18. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36563-X_1

  12. Bhattacharyya, R., Nandi, M., Raychaudhuri, A.: Crooked indifferentiability of enveloped XOR revisited. In: Adhikari, A., Küsters, R., Preneel, B. (eds.) INDOCRYPT 2021. LNCS, vol. 13143, pp. 73–92. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92518-5_4

  13. Blum, L., Blum, M., Shub, M.: A simple unpredictable pseudo-random number generator. SIAM J. Comput. 15(2), 364–383 (1986)

  14. Boneh, D., Venkatesan, R.: Breaking RSA may not be equivalent to factoring. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 59–71. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054117

  15. Chattopadhyay, A., Pitassi, T.: The story of set disjointness. SIGACT News 41(3), 59–85 (2010)

  16. Checkoway, S., et al.: A systematic analysis of the Juniper Dual EC incident. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS 2016, pp. 468–479. Association for Computing Machinery, New York (2016)

  17. Checkoway, S., et al.: On the practical exploitability of dual EC in TLS implementations. In: Fu, K., Jung, J. (eds.) USENIX Security 2014, pp. 319–335. USENIX Association (2014)

  18. Chor, B., Goldreich, O.: Unbiased bits from sources of weak randomness and probabilistic communication complexity (extended abstract). In: 26th FOCS, pp. 429–442. IEEE Computer Society Press (1985)

  19. Coretti, S., Dodis, Y., Guo, S., Steinberger, J.: Random oracles and non-uniformity. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 227–258. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_9

  20. Coretti, S., Dodis, Y., Karthikeyan, H., Tessaro, S.: Seedless fruit is the sweetest: random number generation, revisited. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 205–234. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_8

  21. Dodis, Y., Farshim, P., Mazaheri, S., Tessaro, S.: Towards defeating backdoored random oracles: indifferentiability with bounded adaptivity. In: Pass, R., Pietrzak, K. (eds.) TCC 2020. LNCS, vol. 12552, pp. 241–273. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64381-2_9

  22. Dodis, Y., Ganesh, C., Golovnev, A., Juels, A., Ristenpart, T.: A formal treatment of backdoored pseudorandom generators. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 101–126. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_5

  23. Dodis, Y., Guo, S., Katz, J.: Fixing cracks in the concrete: random oracles with auxiliary input, revisited. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 473–495. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_16

  24. Dodis, Y., Mironov, I., Stephens-Davidowitz, N.: Message transmission with reverse firewalls—secure communication on corrupted machines. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 341–372. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_13

  25. Dodis, Y., Vaikuntanathan, V., Wichs, D.: Extracting randomness from extractor-dependent sources. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 313–342. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_12

  26. Gentry, C., Wichs, D.: Separating succinct non-interactive arguments from all falsifiable assumptions. In: Fortnow, L., Vadhan, S.P. (eds.) 43rd ACM STOC, pp. 99–108. ACM Press (2011)

  27. Hopper, N.J., Langford, J., von Ahn, L.: Provably secure steganography. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 77–92. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_6

  28. Horel, T., Park, S., Richelson, S., Vaikuntanathan, V.: How to subvert backdoored encryption: Security against adversaries that decrypt all ciphertexts. In: Blum, A. (ed.) ITCS 2019, vol. 124, pp. 42:1–42:20. LIPIcs (2019)

  29. Juels, A., Guajardo, J.: RSA key generation with verifiable randomness. In: Naccache, D., Paillier, P. (eds.) PKC 2002. LNCS, vol. 2274, pp. 357–374. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45664-3_26

  30. Mironov, I., Stephens-Davidowitz, N.: Cryptographic Reverse Firewalls. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 657–686. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_22

  31. Nisan, N., Zuckerman, D.: Randomness is linear in space. J. Comput. Syst. Sci. 52(1), 43–52 (1996)

  32. Persiano, G., Phan, D.H., Yung, M.: Anamorphic encryption: private communication against a dictator. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022. LNCS, vol. 13276, pp. 34–63. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-07085-3_2

  33. Quach, W., Waters, B., Wichs, D.: Targeted lossy functions and applications. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12828, pp. 424–453. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84259-8_15

  34. Russell, A., Tang, Q., Yung, M., Zhou, H.S.: Cliptography: clipping the power of kleptographic attacks. Cryptology ePrint Archive, Report 2015/695 (2015). https://eprint.iacr.org/2015/695

  35. Russell, A., Tang, Q., Yung, M., Zhou, H.-S.: Cliptography: clipping the power of kleptographic attacks. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 34–64. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_2

  36. Russell, A., Tang, Q., Yung, M., Zhou, H.S.: Generic semantic security against a kleptographic adversary. Cryptology ePrint Archive, Paper 2016/530 (2016). https://eprint.iacr.org/2016/530

  37. Russell, A., Tang, Q., Yung, M., Zhou, H.S.: Generic semantic security against a kleptographic adversary. In: Thuraisingham, B.M., Evans, D., Malkin, T., Xu, D. (eds.) ACM CCS 2017, pp. 907–922. ACM Press (2017)

  38. Russell, A., Tang, Q., Yung, M., Zhou, H.-S.: Correcting subverted random oracles. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 241–271. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_9

  39. Shumow, D., Ferguson, N.: On the possibility of a back door in the NIST SP800-90 Dual EC PRNG. In: Proceedings of Crypto 2007 (2007). https://rump2007.cr.yp.to/15-shumow.pdf

  40. Simmons, G.J.: The prisoners’ problem and the subliminal channel. In: Chaum, D. (ed.) CRYPTO 1983, Plenum Press, New York, USA, pp. 51–67 (1983)

  41. Unruh, D.: Random oracles and auxiliary input. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 205–223. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_12

  42. Vazirani, U.V., Vazirani, V.V.: Trapdoor pseudo-random number generators, with applications to protocol design. In: 24th FOCS, pp. 23–30. IEEE Computer Society Press (1983)

  43. Vazirani, U.V., Vazirani, V.V.: Efficient and secure pseudo-random number generation (extended abstract). In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 193–202. Springer, Heidelberg (1985). https://doi.org/10.1007/3-540-39568-7_17

  44. Wichs, D.: Barriers in cryptography with weak, correlated and leaky sources. In: Kleinberg, R.D. (ed.) ITCS 2013, pp. 111–126. ACM (2013)

  45. Young, A., Yung, M.: The dark side of “Black-Box’’ cryptography or: should we trust capstone? In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 89–103. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_8

  46. Young, A., Yung, M.: Kleptography: using cryptography against cryptography. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 62–74. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_6

  47. Young, A., Yung, M.: Kleptography from standard assumptions and applications. In: Garay, J.A., De Prisco, R. (eds.) SCN 2010. LNCS, vol. 6280, pp. 271–290. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15317-4_18

Corresponding author

Correspondence to Marshall Ball.

Copyright information

© 2023 International Association for Cryptologic Research

Cite this paper

Ball, M., Dodis, Y., Goldin, E. (2023). Immunizing Backdoored PRGs. In: Rothblum, G., Wee, H. (eds) Theory of Cryptography. TCC 2023. Lecture Notes in Computer Science, vol 14371. Springer, Cham. https://doi.org/10.1007/978-3-031-48621-0_6

  • DOI: https://doi.org/10.1007/978-3-031-48621-0_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-48620-3

  • Online ISBN: 978-3-031-48621-0