How to eat your entropy and have it too - Optimal recovery strategies for compromised RNGs

Yevgeniy Dodis, Adi Shamir, Noah Stephens-Davidowitz, Daniel Wichs

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

We study random number generators (RNGs) with input, RNGs that regularly update their internal state according to some auxiliary input with additional randomness harvested from the environment. We formalize the problem of designing an efficient recovery mechanism from complete state compromise in the presence of an active attacker. If we knew the timing of the last compromise and the amount of entropy gathered since then, we could stop producing any outputs until the state becomes truly random again. However, our challenge is to recover within a time proportional to this optimal solution even in the hardest (and most realistic) case in which (a) we know nothing about the timing of the last state compromise, and the amount of new entropy injected since then into the state, and (b) any premature production of outputs leads to the total loss of all the added entropy used by the RNG. In other words, the challenge is to develop recovery mechanisms which are guaranteed to save the day as quickly as possible after a compromise we are not even aware of. The dilemma is that any entropy used prematurely will be lost, and any entropy which is kept unused will delay the recovery. After formally modeling RNGs with input, we show a nearly optimal construction that is secure in our very strong model. Our technique is inspired by the design of the Fortuna RNG (which is a heuristic RNG construction that is currently used by Windows and comes without any formal analysis), but we non-trivially adapt it to our much stronger adversarial setting. Along the way, our formal treatment of Fortuna enables us to improve its entropy efficiency by almost a factor of two, and to show that our improved construction is essentially tight, by proving a rigorous lower bound on the possible efficiency of any recovery mechanism in our very general model of the problem.

Original languageEnglish (US)
Title of host publicationAdvances in Cryptology, CRYPTO 2014 - 34th Annual Cryptology Conference, Proceedings
PublisherSpringer Verlag
Pages37-54
Number of pages18
EditionPART 2
ISBN (Print)9783662443804
DOIs
StatePublished - Jan 1 2014
Event34rd Annual International Cryptology Conference, CRYPTO 2014 - Santa Barbara, CA, United States
Duration: Aug 17 2014Aug 21 2014

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
NumberPART 2
Volume8617 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Other

Other34rd Annual International Cryptology Conference, CRYPTO 2014
CountryUnited States
CitySanta Barbara, CA
Period8/17/148/21/14

    Fingerprint

Keywords

  • RNGs with input
  • Random number generators

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)

Cite this

Dodis, Y., Shamir, A., Stephens-Davidowitz, N., & Wichs, D. (2014). How to eat your entropy and have it too - Optimal recovery strategies for compromised RNGs. In Advances in Cryptology, CRYPTO 2014 - 34th Annual Cryptology Conference, Proceedings (PART 2 ed., pp. 37-54). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 8617 LNCS, No. PART 2). Springer Verlag. https://doi.org/10.1007/978-3-662-44381-1_3