A formal treatment of backdoored pseudorandom generators

Yevgeniy Dodis, Chaya Ganesh, Alexander Golovnev, Ari Juels, Thomas Ristenpart

Research output: Chapter in Book/Report/Conference proceeding - Conference contribution

Abstract

We provide a formal treatment of backdoored pseudorandom generators (PRGs). Here a saboteur chooses a PRG instance for which she knows a trapdoor that allows prediction of future (and possibly past) generator outputs. This topic was formally studied by Vazirani and Vazirani, but only in a limited form and not in the context of subverting cryptographic protocols. The latter has become increasingly important due to revelations about NIST's backdoored Dual EC PRG and new results about its practical exploitability using a trapdoor. We show that backdoored PRGs are equivalent to public-key encryption schemes with pseudorandom ciphertexts. We use this equivalence to build backdoored PRGs that avoid a well-known drawback of the Dual EC PRG, namely biases in outputs that an attacker can exploit without the trapdoor. Our results also yield a number of new constructions and an explanatory framework for why there are no reported observations in the wild of backdoored PRGs using only symmetric primitives. We also investigate folklore suggestions for countermeasures to backdoored PRGs, which we call immunizers. We show that simply hashing PRG outputs is not an effective immunizer against an attacker that knows the hash function in use. Salting the hash, however, does yield a secure immunizer, a fact we prove using a surprisingly subtle proof in the random oracle model. We also give a proof in the standard model under the assumption that the hash function is a universal computational extractor (a recent notion introduced by Bellare, Tung, and Keelveedhi).

Original language: English (US)
Title of host publication: Advances in Cryptology – EUROCRYPT 2015 - 34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings
Publisher: Springer Verlag
Pages: 101-126
Number of pages: 26
Volume: 9056
ISBN (Print): 9783662467992
DOI: https://doi.org/10.1007/978-3-662-46800-5_5
State: Published - 2015
Event: 34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Eurocrypt 2015 - Sofia, Bulgaria
Duration: Apr 26 2015 to Apr 30 2015

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 9056
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Eurocrypt 2015
Country: Bulgaria
City: Sofia
Period: 4/26/15 to 4/30/15

ASJC Scopus subject areas

  • Computer Science(all)
  • Theoretical Computer Science

Cite this

Dodis, Y., Ganesh, C., Golovnev, A., Juels, A., & Ristenpart, T. (2015). A formal treatment of backdoored pseudorandom generators. In Advances in Cryptology – EUROCRYPT 2015 - 34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings (Vol. 9056, pp. 101-126). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 9056). Springer Verlag. https://doi.org/10.1007/978-3-662-46800-5_5
