Seedless Fruit Is the Sweetest: Random Number Generation, Revisited

Sandro Coretti, Yevgeniy Dodis, Harish Karthikeyan, Stefano Tessaro

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

Abstract

The need for high-quality randomness in cryptography makes random-number generation one of its most fundamental tasks. A recent important line of work (initiated by Dodis et al., CCS ’13) focuses on the notion of robustness for pseudorandom number generators (PRNGs) with inputs. These are primitives that use various sources to accumulate sufficient entropy into a state, from which pseudorandom bits are extracted. Robustness ensures that PRNGs remain secure even under state compromise and adversarial control of entropy sources. However, the achievability of robustness inherently depends on a seed, or, alternatively, on an ideal primitive (e.g., a random oracle), independent of the source of entropy. Both assumptions are problematic: seed generation requires randomness to start with, and it is arguable whether the seed or the ideal primitive can be kept independent of the source. This paper resolves this dilemma by putting forward new notions of robustness which enable both (1) seedless PRNGs and (2) primitive-dependent adversarial sources of entropy. To bypass obvious impossibility results, we make a realistic compromise by requiring that the source produce sufficient entropy even given its evaluations of the underlying primitive. We also provide natural, practical, and provably secure constructions based on hash-function designs from compression functions, block ciphers, and permutations. Our constructions can be instantiated with minimal changes to industry-standard hash functions SHA-2 and SHA-3, or key derivation function HKDF, and can be downgraded to (online) seedless randomness extractors, which are of independent interest. 
On the way we consider both a computational variant of robustness, where attackers only make a bounded number of queries to the ideal primitive, as well as a new information-theoretic variant, which dispenses with this assumption to a certain extent, at the price of requiring a high rate of injected weak randomness (as it is, e.g., plausible on Intel’s on-chip RNG). The latter notion enables applications such as everlasting security. Finally, we show that the CBC extractor, used by Intel’s on-chip RNG, is provably insecure in our model.

Original language: English (US)
Title of host publication: Advances in Cryptology – CRYPTO 2019 - 39th Annual International Cryptology Conference, Proceedings
Editors: Daniele Micciancio, Alexandra Boldyreva
Publisher: Springer-Verlag
Pages: 205-234
Number of pages: 30
ISBN (Print): 9783030269470
DOIs: https://doi.org/10.1007/978-3-030-26948-7_8
State: Published - Jan 1 2019
Event: 39th Annual International Cryptology Conference, CRYPTO 2019 - Santa Barbara, United States
Duration: Aug 18 2019 to Aug 22 2019

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 11692 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: 39th Annual International Cryptology Conference, CRYPTO 2019
Country: United States
City: Santa Barbara
Period: 8/18/19 to 8/22/19

Fingerprint

  • Random number generation
  • Random number Generation
  • Fruit
  • Fruits
  • Entropy
  • Primitive Ideal
  • Pseudorandom number Generator
  • Robustness
  • Seed
  • Hash functions
  • Randomness
  • Hash Function
  • Chip
  • Randomness Extractors
  • Sufficient
  • Compression Function
  • Block Ciphers
  • Extractor
  • Random Oracle
  • Dilemma

Keywords

  • Provable security
  • Pseudorandom number generation
  • Symmetric cryptography

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)

Cite this

Coretti, S., Dodis, Y., Karthikeyan, H., & Tessaro, S. (2019). Seedless Fruit Is the Sweetest: Random Number Generation, Revisited. In D. Micciancio, & A. Boldyreva (Eds.), Advances in Cryptology – CRYPTO 2019 - 39th Annual International Cryptology Conference, Proceedings (pp. 205-234). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 11692 LNCS). Springer-Verlag. https://doi.org/10.1007/978-3-030-26948-7_8

Seedless Fruit Is the Sweetest : Random Number Generation, Revisited. / Coretti, Sandro; Dodis, Yevgeniy; Karthikeyan, Harish; Tessaro, Stefano.

Advances in Cryptology – CRYPTO 2019 - 39th Annual International Cryptology Conference, Proceedings. ed. / Daniele Micciancio; Alexandra Boldyreva. Springer-Verlag, 2019. p. 205-234 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 11692 LNCS).


Coretti, S, Dodis, Y, Karthikeyan, H & Tessaro, S 2019, Seedless Fruit Is the Sweetest: Random Number Generation, Revisited. in D Micciancio & A Boldyreva (eds), Advances in Cryptology – CRYPTO 2019 - 39th Annual International Cryptology Conference, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 11692 LNCS, Springer-Verlag, pp. 205-234, 39th Annual International Cryptology Conference, CRYPTO 2019, Santa Barbara, United States, 8/18/19. https://doi.org/10.1007/978-3-030-26948-7_8
Coretti S, Dodis Y, Karthikeyan H, Tessaro S. Seedless Fruit Is the Sweetest: Random Number Generation, Revisited. In Micciancio D, Boldyreva A, editors, Advances in Cryptology – CRYPTO 2019 - 39th Annual International Cryptology Conference, Proceedings. Springer-Verlag. 2019. p. 205-234. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). https://doi.org/10.1007/978-3-030-26948-7_8
Coretti, Sandro ; Dodis, Yevgeniy ; Karthikeyan, Harish ; Tessaro, Stefano. / Seedless Fruit Is the Sweetest : Random Number Generation, Revisited. Advances in Cryptology – CRYPTO 2019 - 39th Annual International Cryptology Conference, Proceedings. editor / Daniele Micciancio ; Alexandra Boldyreva. Springer-Verlag, 2019. pp. 205-234 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).
@inproceedings{0909d653751d4712a2c85dadd82e006e,
title = "Seedless Fruit Is the Sweetest: Random Number Generation, Revisited",
abstract = "The need for high-quality randomness in cryptography makes random-number generation one of its most fundamental tasks. A recent important line of work (initiated by Dodis et al., CCS ’13) focuses on the notion of robustness for pseudorandom number generators (PRNGs) with inputs. These are primitives that use various sources to accumulate sufficient entropy into a state, from which pseudorandom bits are extracted. Robustness ensures that PRNGs remain secure even under state compromise and adversarial control of entropy sources. However, the achievability of robustness inherently depends on a seed, or, alternatively, on an ideal primitive (e.g., a random oracle), independent of the source of entropy. Both assumptions are problematic: seed generation requires randomness to start with, and it is arguable whether the seed or the ideal primitive can be kept independent of the source. This paper resolves this dilemma by putting forward new notions of robustness which enable both (1) seedless PRNGs and (2) primitive-dependent adversarial sources of entropy. To bypass obvious impossibility results, we make a realistic compromise by requiring that the source produce sufficient entropy even given its evaluations of the underlying primitive. We also provide natural, practical, and provably secure constructions based on hash-function designs from compression functions, block ciphers, and permutations. Our constructions can be instantiated with minimal changes to industry-standard hash functions SHA-2 and SHA-3, or key derivation function HKDF, and can be downgraded to (online) seedless randomness extractors, which are of independent interest. 
On the way we consider both a computational variant of robustness, where attackers only make a bounded number of queries to the ideal primitive, as well as a new information-theoretic variant, which dispenses with this assumption to a certain extent, at the price of requiring a high rate of injected weak randomness (as it is, e.g., plausible on Intel’s on-chip RNG). The latter notion enables applications such as everlasting security. Finally, we show that the CBC extractor, used by Intel’s on-chip RNG, is provably insecure in our model.",
keywords = "Provable security, Pseudorandom number generation, Symmetric cryptography",
author = "Sandro Coretti and Yevgeniy Dodis and Harish Karthikeyan and Stefano Tessaro",
year = "2019",
month = "1",
day = "1",
doi = "10.1007/978-3-030-26948-7_8",
language = "English (US)",
isbn = "9783030269470",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
publisher = "Springer-Verlag",
pages = "205--234",
editor = "Daniele Micciancio and Alexandra Boldyreva",
booktitle = "Advances in Cryptology – CRYPTO 2019 - 39th Annual International Cryptology Conference, Proceedings",

}

TY - GEN

T1 - Seedless Fruit Is the Sweetest

T2 - Random Number Generation, Revisited

AU - Coretti, Sandro

AU - Dodis, Yevgeniy

AU - Karthikeyan, Harish

AU - Tessaro, Stefano

PY - 2019/1/1

Y1 - 2019/1/1

N2 - The need for high-quality randomness in cryptography makes random-number generation one of its most fundamental tasks. A recent important line of work (initiated by Dodis et al., CCS ’13) focuses on the notion of robustness for pseudorandom number generators (PRNGs) with inputs. These are primitives that use various sources to accumulate sufficient entropy into a state, from which pseudorandom bits are extracted. Robustness ensures that PRNGs remain secure even under state compromise and adversarial control of entropy sources. However, the achievability of robustness inherently depends on a seed, or, alternatively, on an ideal primitive (e.g., a random oracle), independent of the source of entropy. Both assumptions are problematic: seed generation requires randomness to start with, and it is arguable whether the seed or the ideal primitive can be kept independent of the source. This paper resolves this dilemma by putting forward new notions of robustness which enable both (1) seedless PRNGs and (2) primitive-dependent adversarial sources of entropy. To bypass obvious impossibility results, we make a realistic compromise by requiring that the source produce sufficient entropy even given its evaluations of the underlying primitive. We also provide natural, practical, and provably secure constructions based on hash-function designs from compression functions, block ciphers, and permutations. Our constructions can be instantiated with minimal changes to industry-standard hash functions SHA-2 and SHA-3, or key derivation function HKDF, and can be downgraded to (online) seedless randomness extractors, which are of independent interest. 
On the way we consider both a computational variant of robustness, where attackers only make a bounded number of queries to the ideal primitive, as well as a new information-theoretic variant, which dispenses with this assumption to a certain extent, at the price of requiring a high rate of injected weak randomness (as it is, e.g., plausible on Intel’s on-chip RNG). The latter notion enables applications such as everlasting security. Finally, we show that the CBC extractor, used by Intel’s on-chip RNG, is provably insecure in our model.

AB - The need for high-quality randomness in cryptography makes random-number generation one of its most fundamental tasks. A recent important line of work (initiated by Dodis et al., CCS ’13) focuses on the notion of robustness for pseudorandom number generators (PRNGs) with inputs. These are primitives that use various sources to accumulate sufficient entropy into a state, from which pseudorandom bits are extracted. Robustness ensures that PRNGs remain secure even under state compromise and adversarial control of entropy sources. However, the achievability of robustness inherently depends on a seed, or, alternatively, on an ideal primitive (e.g., a random oracle), independent of the source of entropy. Both assumptions are problematic: seed generation requires randomness to start with, and it is arguable whether the seed or the ideal primitive can be kept independent of the source. This paper resolves this dilemma by putting forward new notions of robustness which enable both (1) seedless PRNGs and (2) primitive-dependent adversarial sources of entropy. To bypass obvious impossibility results, we make a realistic compromise by requiring that the source produce sufficient entropy even given its evaluations of the underlying primitive. We also provide natural, practical, and provably secure constructions based on hash-function designs from compression functions, block ciphers, and permutations. Our constructions can be instantiated with minimal changes to industry-standard hash functions SHA-2 and SHA-3, or key derivation function HKDF, and can be downgraded to (online) seedless randomness extractors, which are of independent interest. 
On the way we consider both a computational variant of robustness, where attackers only make a bounded number of queries to the ideal primitive, as well as a new information-theoretic variant, which dispenses with this assumption to a certain extent, at the price of requiring a high rate of injected weak randomness (as it is, e.g., plausible on Intel’s on-chip RNG). The latter notion enables applications such as everlasting security. Finally, we show that the CBC extractor, used by Intel’s on-chip RNG, is provably insecure in our model.

KW - Provable security

KW - Pseudorandom number generation

KW - Symmetric cryptography

UR - http://www.scopus.com/inward/record.url?scp=85071764459&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85071764459&partnerID=8YFLogxK

U2 - 10.1007/978-3-030-26948-7_8

DO - 10.1007/978-3-030-26948-7_8

M3 - Conference contribution

SN - 9783030269470

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 205

EP - 234

BT - Advances in Cryptology – CRYPTO 2019 - 39th Annual International Cryptology Conference, Proceedings

A2 - Micciancio, Daniele

A2 - Boldyreva, Alexandra

PB - Springer-Verlag

ER -