A Formal Treatment of Backdoored Pseudorandom Generators

We provide a formal treatment of backdoored pseudorandom generators (PRGs). Here a saboteur chooses a PRG instance for which she knows a trapdoor that allows prediction of future (and possibly past) generator outputs. This topic was formally studied by Vazirani and Vazirani, but only in a limited form and not in the context of subverting cryptographic protocols. The latter has become increasingly important due to revelations about NIST’s backdoored Dual EC PRG and new results about its practical exploitability using a trapdoor.
