Abstract
The need for high-quality randomness in cryptography makes random-number generation one of its most fundamental tasks.
A recent important line of work (initiated by Dodis et al., CCS ’13) focuses on the notion of robustness for pseudorandom number generators (PRNGs) with inputs. These are primitives that use various sources to accumulate sufficient entropy into a state, from which pseudorandom bits are extracted. Robustness ensures that PRNGs remain secure even under state compromise and adversarial control of entropy sources. However, the achievability of robustness inherently depends on a seed, or, alternatively, on an ideal primitive (e.g., a random oracle), independent of the source of entropy. Both assumptions are problematic: seed generation requires randomness to start with, and it is arguable whether the seed or the ideal primitive can be kept independent of the source.
This paper resolves this dilemma by putting forward new notions of robustness which enable both (1) seedless PRNGs and (2) primitive-dependent adversarial sources of entropy. To bypass obvious impossibility results, we make a realistic compromise by requiring that the source produce sufficient entropy even given its evaluations of the underlying primitive. We also provide natural, practical, and provably secure constructions based on hash-function designs from compression functions, block ciphers, and permutations. Our constructions can be instantiated with minimal changes to industry-standard hash functions SHA-2 and SHA-3, or key derivation function HKDF, and can be downgraded to (online) seedless randomness extractors, which are of independent interest.
On the way we consider both a computational variant of robustness, where attackers only make a bounded number of queries to the ideal primitive, as well as a new information-theoretic variant, which dispenses with this assumption to a certain extent, at the price of requiring a high rate of injected weak randomness (as it is, e.g., plausible on Intel’s on-chip RNG). The latter notion enables applications such as everlasting security. Finally, we show that the CBC extractor, used by Intel’s on-chip RNG, is provably insecure in our model.
S. Coretti—Work done while at NYU. Supported by NSF grants 1314568 and 1619158.
Y. Dodis—Partially supported by gifts from VMware Labs, Facebook and Google, and NSF grants 1314568, 1619158, 1815546.
H. Karthikeyan—Supported by NSF grant 1619158.
S. Tessaro—Partially supported by NSF grants CNS-1553758 (CAREER), CNS-1719146, CNS-1528178, and IIS-1528041, and by a Sloan Research Fellowship.
Notes
1. We do, however, later discuss an interesting approach suggested by [3].
2. Or, in the non-uniform setting, “seed-dependent”.
3. For example, the ability to compute a random preimage of a given element, which is known to imply one-way functions [31], allows the attacker to produce entropic inputs whose entropy is completely lost by the refresh procedure.
4. In fact, if the length of G(X) is slightly less than \(\gamma ^*\), we can even let \(\mathcal A\) query all of G and use the leftover-hash lemma [30] to get information-theoretic security.
5. Prior to our work, the above modeling of sources as being independent of the ideal primitive was the only way to overcome extractor-fixing attacks. Examples of this approach include [18, 36, 49] and many others. While these results are non-trivial due to the “non-monolithic” structure of their extractors G, none of these works model the setting where the source could depend on the ideal primitive.
6. Of course, when we instantiate G with a real-world hash function, this is no longer the case, as we discuss below.
7. Since we no longer need to hide the seed from the distribution sampler, forcing us to separate it from the attacker.
8. Note, in the extraction game the definition of \(\mathcal L_1\) is the same in the real and the ideal worlds. For our future definitions of PRNGs, however, it will be important that the notion of legitimacy is defined in the ideal world (i.e., conditioned on \(b=1\)).
9. Here, \(\pi ^i\) denotes the i-fold application of \(\pi \).
10. To reduce notational clutter, the algorithms \(\mathsf {refresh}\) and \(\mathsf {next}\) of the PRNG constructions are not “branded” with the design name. There will be no ambiguity as to which construction is meant in any place in this paper.
11. The integer arguments to the compression function are to be naturally mapped to \(\{0,1\}^{n}\).
12. A (block) cipher is an efficiently computable and invertible permutation \(E(k,\cdot ): \{0,1\}^{n}\rightarrow \{0,1\}^{n}\) for every key \(k \in \{0,1\}^{n}\).
13. The integer arguments to the cipher are to be naturally mapped to \(\{0,1\}^{n}\).
References
Barak, B., Halevi, S.: A model and architecture for pseudo-random generation with applications to /dev/random. In: Atluri, V., Meadows, C., Juels, A. (eds.) ACM CCS 2005, Alexandria, Virginia, USA, 7–11 November 2005, pp. 203–212. ACM Press (2005)
Barak, B., Impagliazzo, R., Wigderson, A.: Extracting randomness using few independent sources. In: 45th FOCS, Rome, Italy, 17–19 October 2004, pp. 384–393. IEEE Computer Society Press (2004)
Barak, B., Shaltiel, R., Tromer, E.: True random number generators secure in a changing environment. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 166–180. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45238-6_14
Barker, E., Kelsey, J.: NIST Special Publication 800–90A (A revision of SP 800–90) Recommendation for random number generation using deterministic random bit generators (2012). https://csrc.nist.gov/publications/detail/sp/800-90a/rev-1/final
Barker, E., Kelsey, J.: Recommendation for random number generation using deterministic random bit generators. NIST Special Publication 800–90A (2012)
Bellare, M., Hoang, V.T., Keelveedhi, S.: Instantiating random oracles via UCEs. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 398–415. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_23
Bellare, M., Pietrzak, K., Rogaway, P.: Improved security analyses for CBC MACs. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 527–545. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_32
Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the indifferentiability of the sponge construction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_11
Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge-based pseudo-random number generators. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 33–47. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15031-9_3
Blum, M.: Independent unbiased coin flips from a correlated biased source: a finite state Markov chain. Combinatorica 6(2), 97–108 (1986)
Chattopadhyay, E., Zuckerman, D.: Explicit two-source extractors and resilient functions. In: Wichs, D., Mansour, Y. (eds.) 48th ACM STOC, Cambridge, MA, USA, 18–21 June 2016, pp. 670–683. ACM Press (2016)
Checkoway, S., et al.: On the practical exploitability of dual EC in TLS implementations. In: Proceedings of the 23rd USENIX Security Symposium, San Diego, CA, USA, 20–22 August 2014, pp. 319–335 (2014)
Chen, S., Steinberger, J.: Tight security bounds for key-alternating ciphers. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 327–350. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_19
Chor, B., Goldreich, O.: Unbiased bits from sources of weak randomness and probabilistic communication complexity (extended abstract). In: 26th FOCS, Portland, Oregon, 21–23 October 1985, pp. 429–442. IEEE Computer Society Press (1985)
Chor, B., Goldreich, O.: Unbiased bits from sources of weak randomness and probabilistic communication complexity. SIAM J. Comput. 17(2), 230–261 (1988)
Chor, B., Goldreich, O., Håstad, J., Friedman, J., Rudich, S., Smolensky, R.: The bit extraction problem of t-resilient functions (preliminary version). In: 26th FOCS, Portland, Oregon, 21–23 October 1985, pp. 396–407. IEEE Computer Society Press (1985)
Coretti, S., Dodis, Y., Karthikeyan, H., Tessaro, S.: Seedless fruit is the sweetest: random number generation, revisited. Cryptology ePrint Archive, Report 2019/198 (2019). https://eprint.iacr.org/2019/198
Dodis, Y., Gennaro, R., Håstad, J., Krawczyk, H., Rabin, T.: Randomness extraction and key derivation using the CBC, cascade and HMAC modes. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 494–510. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_30
Dodis, Y., Pointcheval, D., Ruhault, S., Vergnaud, D., Wichs, D.: Security analysis of pseudo-random number generators with input: /dev/random is not robust. In: Sadeghi, A.-R., Gligor, V.D., Yung, M. (eds.) ACM CCS 2013, Berlin, Germany, 4–8 November 2013, pp. 647–658. ACM Press (2013)
Dodis, Y., Ristenpart, T., Vadhan, S.: Randomness condensers for efficiently samplable, seed-dependent sources. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 618–635. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28914-9_35
Dodis, Y., Shamir, A., Stephens-Davidowitz, N., Wichs, D.: How to eat your entropy and have it too – optimal recovery strategies for compromised RNGs. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part II. LNCS, vol. 8617, pp. 37–54. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44381-1_3
Eastlake, D., Schiller, J., Crocker, S.: RFC 4086 - Randomness Requirements for Security, June 2005
Ferguson, N.: Private communication (2013)
Ferguson, N., Schneier, B.: Practical Cryptography, 1st edn. Wiley, New York (2003)
Gaži, P., Pietrzak, K., Rybár, M.: The exact PRF-security of NMAC and HMAC. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 113–130. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_7
Gaži, P., Tessaro, S.: Provably robust sponge-based PRNGs and KDFs. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016, Part I. LNCS, vol. 9665, pp. 87–116. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_4
Harnik, D., Naor, M.: On everlasting security in the hybrid bounded storage model. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006, Part II. LNCS, vol. 4052, pp. 192–203. Springer, Heidelberg (2006). https://doi.org/10.1007/11787006_17
Hutchinson, D.: A robust and sponge-like PRNG with improved efficiency. In: Avanzi, R., Heys, H. (eds.) SAC 2016. LNCS, vol. 10532, pp. 381–398. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-69453-5_21
Hutchinson, D.: A robust and sponge-like PRNG with improved efficiency. Cryptology ePrint Archive, Report 2016/886 (2016). http://eprint.iacr.org/2016/886
Impagliazzo, R., Levin, L.A., Luby, M.: Pseudo-random generation from one-way functions (extended abstracts). In: 21st ACM STOC, Seattle, WA, USA, 15–17 May 1989, pp. 12–24. ACM Press (1989)
Impagliazzo, R., Luby, M.: One-way functions are essential for complexity based cryptography (extended abstract). In: 30th FOCS, Research Triangle Park, North Carolina, 30 October–1 November 1989, pp. 230–235. IEEE Computer Society Press (1989)
Information technology - Security techniques - Random bit generation. ISO/IEC18031:2011 (2011)
Kamp, J., Rao, A., Vadhan, S.P., Zuckerman, D.: Deterministic extractors for small-space sources. J. Comput. Syst. Sci. 77(1), 191–220 (2011)
Kelsey, J., Schneier, B., Ferguson, N.: Yarrow-160: notes on the design and analysis of the yarrow cryptographic pseudorandom number generator. In: Heys, H., Adams, C. (eds.) SAC 1999. LNCS, vol. 1758, pp. 13–33. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-46513-8_2
Killmann, W., Schindler, W.: A proposal for: functionality classes for random number generators. AIS 20/AIS31 (2011)
Krawczyk, H.: Cryptographic extraction and key derivation: the HKDF scheme. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 631–648. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_34
Lichtenstein, D., Linial, N., Saks, M.E.: Some extremal problems arising from discrete control processes. Combinatorica 9(3), 269–287 (1989)
John, M.: Intel digital random number generator (DRNG) software implementation guide (2014). https://software.intel.com/en-us/articles/intel-digital-random-number-generator-drng-software-implementation-guide
Nisan, N., Zuckerman, D.: More deterministic simulation in logspace. In: Proceedings of the Twenty-Fifth Annual ACM Symposium on Theory of Computing, San Diego, CA, USA, 16–18 May 1993, pp. 235–244 (1993)
Nisan, N., Zuckerman, D.: Randomness is linear in space. J. Comput. Syst. Sci. 52(1), 43–52 (1996)
Patarin, J.: The “coefficients H” technique. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 328–345. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04159-4_21
Schoenmakers, B., Sidorenko, A.: Cryptanalysis of the dual elliptic curve pseudorandom generator. Cryptology ePrint Archive, Report 2006/190 (2006). http://eprint.iacr.org/2006/190
Shrimpton, T., Terashima, R.S.: A provable-security analysis of Intel’s secure key RNG. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part I. LNCS, vol. 9056, pp. 77–100. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_4
Shumow, D., Ferguson, N.: On the possibility of a back door in the NIST SP800-90 Dual EC PRNG. CRYPTO Rump Session (2007)
Soni, P., Tessaro, S.: Public-seed pseudorandom permutations. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part II. LNCS, vol. 10211, pp. 412–441. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_14
Trevisan, L., Vadhan, S.P.: Extracting randomness from samplable distributions. In: 41st FOCS, Redondo Beach, CA, USA, 12–14 November 2000, pp. 32–42. IEEE Computer Society Press (2000)
von Neumann, J.: Various techniques used in connection with random digits. In: Householder, A.S., Forsythe, G.E., Germond, H.H. (eds.) Monte Carlo Method. National Bureau of Standards Applied Mathematics Series, vol. 12, pp. 36–38. U.S. Government Printing Office, Washington, D.C. (1951)
Wikipedia: /dev/random (2004). http://en.wikipedia.org/wiki//dev/random. Accessed 09 Feb 2014
Woodage, J., Shumow, D.: An analysis of NIST SP 800-90A. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 151–180. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_6
© 2019 International Association for Cryptologic Research
Coretti, S., Dodis, Y., Karthikeyan, H., Tessaro, S. (2019). Seedless Fruit Is the Sweetest: Random Number Generation, Revisited. In: Boldyreva, A., Micciancio, D. (eds) Advances in Cryptology – CRYPTO 2019. CRYPTO 2019. Lecture Notes in Computer Science(), vol 11692. Springer, Cham. https://doi.org/10.1007/978-3-030-26948-7_8
DOI: https://doi.org/10.1007/978-3-030-26948-7_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-26947-0
Online ISBN: 978-3-030-26948-7