How to Eat Your Entropy and Have It Too - Optimal Recovery Strategies for Compromised RNGs

We study random number generators (RNGs) with input, i.e., RNGs that regularly update their internal state according to some auxiliary input carrying additional randomness harvested from the environment. We formalize the problem of designing an efficient recovery mechanism from complete state compromise in the presence of an active attacker. If we knew the timing of the last compromise and the amount of entropy gathered since then, we could stop producing any outputs until the state becomes truly random again. Our challenge, however, is to recover within a time proportional to this optimal solution even in the hardest (and most realistic) case, in which (a) we know nothing about the timing of the last state compromise or the amount of new entropy injected into the state since then, and (b) any premature production of outputs leads to the total loss of all the added entropy used by the RNG. In other words, the challenge is to develop recovery mechanisms that are guaranteed to save the day as quickly as possible after a compromise we are not even aware of. The dilemma is that any entropy used prematurely will be lost, while any entropy kept unused will delay the recovery.
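The dilemma stated above can be made concrete with a toy model. The following is an added illustration, not the paper's construction: a hypothetical hash-based RNG with input (`ToyRng`), an honest run that refreshes with low-entropy inputs and emits an output every `per_output` refreshes, and an adversary who learned the state at compromise time and re-derives it from the outputs alone. With one output per refresh, each refresh's entropy is searched separately and lost immediately; with outputs withheld until several refreshes have accumulated, the search space grows exponentially in the number of accumulated refreshes.

```python
import hashlib
from itertools import product

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

class ToyRng:
    """Constructed toy RNG with input: refresh folds new entropy into the state,
    next_output derives an output and steps the state forward (not the paper's design)."""
    def __init__(self, state: bytes):
        self.state = state

    def refresh(self, entropy: bytes) -> None:
        self.state = h(b"refresh", self.state, entropy)

    def next_output(self) -> bytes:
        out = h(b"out", self.state)
        self.state = h(b"step", self.state)
        return out

def simulate(seed: bytes, secret_inputs, per_output: int):
    """Honest RNG: each input is a small integer (encoded in 2 bytes) carrying little
    entropy; one output is emitted every per_output refreshes. Returns (state, outputs)."""
    rng, outputs = ToyRng(seed), []
    for i, v in enumerate(secret_inputs, 1):
        rng.refresh(v.to_bytes(2, "big"))
        if i % per_output == 0:
            outputs.append(rng.next_output())
    return rng.state, outputs

def track_state(known_seed: bytes, outputs, bits: int, per_output: int):
    """Adversary who knew the state at compromise time re-synchronises it from the
    outputs by enumerating the `bits`-bit inputs between consecutive outputs.
    Returns (recovered_state, guesses_tried): guesses grow like 2**(bits*per_output)."""
    rng, guesses = ToyRng(known_seed), 0
    for observed in outputs:
        for guess in product(range(2 ** bits), repeat=per_output):
            guesses += 1
            trial = ToyRng(rng.state)
            for v in guess:
                trial.refresh(v.to_bytes(2, "big"))
            if trial.next_output() == observed:
                rng = trial  # re-synchronised: entropy added since the last output is lost
                break
        else:
            raise ValueError("accumulated entropy exceeds the search budget")
    return rng.state, guesses
```

Running `simulate` with four 4-bit inputs and `per_output=1` lets `track_state` recover the state with at most 4 * 16 guesses, whereas `per_output=4` forces up to 16 ** 4 guesses for the same total entropy.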
