Security analysis of pseudo-random number generators with input

/dev/random is not robust

Yevgeniy Dodis, David Pointcheval, Sylvain Ruhault, Damien Vergniaud, Daniel Wichs

Research output: Chapter in Book/Report/Conference proceeding: Conference contribution

Abstract

A pseudo-random number generator (PRNG) is a deterministic algorithm that produces numbers whose distribution is indistinguishable from uniform. A formal security model for PRNGs with input was proposed in 2005 by Barak and Halevi (BH). This model involves an internal state that is refreshed with a (potentially biased) external random source, and a cryptographic function that outputs random numbers from the continually refreshed internal state. In this work we extend the BH model to also include a new security property capturing how it should accumulate the entropy of the input data into the internal state after state compromise. This property states that a good PRNG should be able to eventually recover from compromise even if the entropy is injected into the system at a very slow pace, and expresses the real-life expected behavior of existing PRNG designs. Unfortunately, we show that neither the model nor the specific PRNG construction proposed by BH meets this new property, despite meeting a weaker robustness notion introduced by BH. On the practical side, we give a precise assessment of the Linux PRNGs, /dev/random and /dev/urandom. In particular, we show attacks proving that these PRNGs are not robust according to our definition, due to vulnerabilities in their entropy estimator and their internal mixing function. Finally, we propose a simple PRNG construction that is provably robust in our new and stronger adversarial model, and we show that it is more efficient than the Linux PRNGs. We therefore recommend using this construction whenever a PRNG with input is used for cryptography.

Original language: English (US)
Title of host publication: CCS 2013 - Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security
Pages: 647-658
Number of pages: 12
DOIs: 10.1145/2508859.2516653
State: Published - 2013
Event: 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013 - Berlin, Germany
Duration: Nov 4 2013 to Nov 8 2013

Other

Other: 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013
Country: Germany
City: Berlin
Period: 11/4/13 to 11/8/13

Fingerprint

Entropy
Cryptography
Linux

Keywords

  • /dev/random
  • entropy
  • randomness
  • security models

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications

Cite this

Dodis, Y., Pointcheval, D., Ruhault, S., Vergniaud, D., & Wichs, D. (2013). Security analysis of pseudo-random number generators with input: /dev/random is not robust. In CCS 2013 - Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security (pp. 647-658) https://doi.org/10.1145/2508859.2516653

@inproceedings{1110c3de03b048758c21eb909037d597,
title = "Security analysis of pseudo-random number generators with input: /dev/random is not robust",
keywords = "/dev/random, entropy, randomness, security models",
author = "Yevgeniy Dodis and David Pointcheval and Sylvain Ruhault and Damien Vergniaud and Daniel Wichs",
year = "2013",
doi = "10.1145/2508859.2516653",
language = "English (US)",
isbn = "9781450324779",
pages = "647--658",
booktitle = "CCS 2013 - Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security",

}

TY - GEN

T1 - Security analysis of pseudo-random number generators with input

T2 - /dev/random is not robust

AU - Dodis, Yevgeniy

AU - Pointcheval, David

AU - Ruhault, Sylvain

AU - Vergniaud, Damien

AU - Wichs, Daniel

PY - 2013

Y1 - 2013


KW - /dev/random

KW - entropy

KW - randomness

KW - security models

UR - http://www.scopus.com/inward/record.url?scp=84889063937&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84889063937&partnerID=8YFLogxK

U2 - 10.1145/2508859.2516653

DO - 10.1145/2508859.2516653

M3 - Conference contribution

SN - 9781450324779

SP - 647

EP - 658

BT - CCS 2013 - Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security

ER -