Related Randomness Attacks for Public Key Encryption

Several recent and high-profile incidents give cause to believe that randomness failures of various kinds are endemic in deployed cryptographic systems. In the face of this, it behoves cryptographic researchers to develop methods to immunise --- to the extent that it is possible --- cryptographic schemes against such failures. This paper considers the practically-motivated situation where an adversary is able to force a public key encryption scheme to reuse random values, and functions of those values, in encryption computations involving adversarially chosen public keys and messages. It presents a security model appropriate to this situation, along with variants of this model. It also provides necessary conditions on the set of functions used in order to attain this security notation, and demonstrates that these conditions are also sufficient in the Random Oracle Model. Further standard model constructions achieving weaker security notions are also given, with these constructions having interesting connections to other primitives including: pseudo-random functions that are secure in the related key attack setting; Correlated Input Secure hash functions; and public key encryption schemes that are secure in the auxiliary input setting this being a special type of leakage resilience.

[1]  Eric Wustrow,et al.  Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices , 2012, USENIX Security Symposium.

[2]  Thomas Shrimpton,et al.  Deterministic Authenticated-Encryption: A Provable-Security Treatment of the Key-Wrap Problem , 2006, IACR Cryptol. ePrint Arch..

[3]  Stefan Lucks Ciphers Secure against Related-Key Attacks , 2004, FSE.

[4]  Hovav Shacham,et al.  Hedged Public-Key Encryption: How to Protect against Bad Randomness , 2009, ASIACRYPT.

[5]  Willi Meier,et al.  Fast software encryption : 11th International Workshop, FSE 2004, Delhi, India, February 5-7, 2004 : revised papers , 2004, FSE 2004.

[6]  Tanja Lange,et al.  Factoring RSA keys from certified smart cards: Coppersmith in the wild , 2013, IACR Cryptol. ePrint Arch..

[7]  Thomas Ristenpart,et al.  When Good Randomness Goes Bad: Virtual Machine Reset Vulnerabilities and Hedging Deployed Cryptography , 2010, NDSS.

[8]  Arjen K. Lenstra,et al.  Public Keys , 2012, CRYPTO.

[9]  Mihir Bellare,et al.  The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs , 2006, EUROCRYPT.

[10]  Phillip Rogaway,et al.  Nonce-Based Symmetric Encryption , 2004, FSE.

[11]  Dahlia Malkhi,et al.  Hold Your Sessions: An Attack on Java Session-Id Generation , 2005, CT-RSA.

[12]  Tatsuaki Okamoto,et al.  Secure Integration of Asymmetric and Symmetric Encryption Schemes , 1999, Journal of Cryptology.

[13]  Yael Tauman Kalai,et al.  Public-Key Encryption Schemes with Auxiliary Inputs , 2010, TCC.

[14]  Kenneth G. Paterson,et al.  RKA Security beyond the Linear Barrier: IBE, Encryption and Signatures , 2012, IACR Cryptol. ePrint Arch..

[15]  Hoeteck Wee Public Key Encryption against Related Key Attacks , 2012, Public Key Cryptography.

[16]  Rafail Ostrovsky,et al.  Circular-Secure Encryption from Decision Diffie-Hellman , 2008, CRYPTO.

[17]  Scott Yilek,et al.  Resettable Public-Key Encryption: How to Encrypt on a Virtual Machine , 2010, CT-RSA.

[18]  Ian Goldberg,et al.  Randomness and the Netscape browser , 1996 .

[19]  David Cash,et al.  Cryptography Secure Against Related-Key Attacks and Tampering , 2011, IACR Cryptol. ePrint Arch..

[20]  Benny Pinkas,et al.  Cryptanalysis of the random number generator of the Windows operating system , 2009, TSEC.

[21]  Moni Naor,et al.  Number-theoretic constructions of efficient pseudo-random functions , 1997, Proceedings 38th Annual Symposium on Foundations of Computer Science.

[22]  David Pointcheval,et al.  Security analysis of pseudo-random number generators with input: /dev/random is not robust , 2013, CCS.

[23]  Mihir Bellare,et al.  A Theoretical Treatment of Related-Key Attacks: RKA-PRPs, RKA-PRFs, and Applications , 2003, EUROCRYPT.

[24]  David Cash,et al.  Pseudorandom Functions and Permutations Provably Secure against Related-Key Attacks , 2010, CRYPTO.

[25]  Amit Sahai,et al.  On the (im)possibility of cryptography with imperfect randomness , 2004, 45th Annual IEEE Symposium on Foundations of Computer Science.

[26]  Mihir Bellare,et al.  Optimal Asymmetric Encryption , 1994, EUROCRYPT.

[27]  Jörg Schwenk,et al.  Randomly Failed! The State of Randomness in Current Java Implementations , 2013, CT-RSA.

[28]  Adam O'Neill,et al.  Correlated-Input Secure Hash Functions , 2011, TCC.

[29]  Benny Pinkas,et al.  Analysis of the Linux random number generator , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[30]  Jonathan Katz,et al.  How to Encrypt with a Malicious Random Number Generator , 2008, FSE.