Journal of Computer and System Sciences
A complete problem for statistical zero knowledge
Journal of the ACM (JACM)
A Practice-Oriented Treatment of Pseudorandom Number Generators
EUROCRYPT '02 Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology
32-Bit Cyclic Redundancy Codes for Internet Applications
DSN '02 Proceedings of the 2002 International Conference on Dependable Systems and Networks
Cryptanalytic Attacks on Pseudorandom Number Generators
FSE '98 Proceedings of the 5th International Workshop on Fast Software Encryption
A model and architecture for pseudo-random generation with applications to /dev/random
Proceedings of the 12th ACM conference on Computer and communications security
A computational introduction to number theory and algebra
Analysis of the Linux Random Number Generator
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
The security of triple encryption and a framework for code-based game-playing proofs
EUROCRYPT'06 Proceedings of the 24th annual international conference on The Theory and Applications of Cryptographic Techniques
SP 800-90A. Recommendation for Random Number Generation Using Deterministic Random Bit Generators
Mining your Ps and Qs: detection of widespread weak keys in network devices
Security'12 Proceedings of the 21st USENIX conference on Security symposium
A pseudo-random number generator (PRNG) is a deterministic algorithm that produces numbers whose distribution is indistinguishable from uniform. A formal security model for PRNGs with input was proposed in 2005 by Barak and Halevi (BH). This model involves an internal state that is refreshed with a (potentially biased) external random source, and a cryptographic function that outputs random numbers from the continually refreshed internal state. In this work we extend the BH model with a new security property capturing how a PRNG should accumulate the entropy of the input data into its internal state after a state compromise. This property states that a good PRNG should eventually recover from compromise even if entropy is injected into the system at a very slow pace, and it expresses the behavior expected in practice from existing PRNG designs. Unfortunately, we show that neither the model nor the specific PRNG construction proposed by BH meets this new property, even though both satisfy the weaker robustness notion introduced by BH. On the practical side, we give a precise assessment of the Linux PRNGs, /dev/random and /dev/urandom. In particular, we show attacks proving that these PRNGs are not robust according to our definition, due to vulnerabilities in their entropy estimator and their internal mixing function. Finally, we propose a simple PRNG construction that is provably robust in our new and stronger adversarial model, and we show that it is more efficient than the Linux PRNGs. We therefore recommend using this construction whenever a PRNG with input is used for cryptography.