SoK: Security Models for Pseudo-Random Number Generators

Randomness plays an important role in multiple applications in cryptography. It is required in fundamental tasks such as key generation, masking and hiding values, nonces and initialization vectors generation. Pseudo-random number generators have been studied by numerous authors, either to propose clear security notions and associated constructions or to point out potential vulnerabilities. In this systematization of knowledge paper, we present the three notions of generators that have been successively formalized: standard generators, stateful generators and generators with input. For each notion, we present expected security properties, where adversaries have increasing capabilities (including access to partial information on the internal variables) and we propose secure and efficient constructions, all based on the block cipher AES. In our description of generators with input, we revisit the notions of accumulator and extractor and we point out that security crucially relies on the independence between the randomness source and the seeds of the accumulator and the extractor. To illustrate this requirement, we identify a potential vulnerability of the NIST standard CTR_DRBG

Randomness Concerns When Deploying Differential Privacy

The U.S. Census Bureau is using differential privacy (DP) to protect confidential respondent data collected for the 2020 Decennial Census of Population & Housing. The Census Bureau's DP system is implemented in the Disclosure Avoidance System (DAS) and requires a source of random numbers. We estimate that the 2020 Census will require roughly 90TB of random bytes to protect the person and household tables. Although there are critical differences between cryptography and DP, they have similar requirements for randomness. We review the history of random number generation on deterministic computers, including von Neumann's "middle-square" method, Mersenne Twister (MT19937) (previously the default NumPy random number generator, which we conclude is unacceptable for use in production privacy-preserving systems), and the Linux /dev/urandom device. We also review hardware random number generator schemes, including the use of so-called "Lava Lamps" and the Intel Secure Key RDRAND instruction. We finally present our plan for generating random bits in the Amazon Web Services (AWS) environment using AES-CTR-DRBG seeded by mixing bits from /dev/urandom and the Intel Secure Key RDSEED instruction, a compromise of our desire to rely on a trusted hardware implementation, the unease of our external reviewers in trusting a hardware-only implementation, and the need to generate so many random bits.Comment: 12 pages plus 2 pages bibliograph

Analyse de sécurité pour les générateurs de nombre pseudo-aléatoires

In cryptography, randomness plays an important role in multiple applications. It is required in fundamental tasks such as key generation and initialization vectors generation or in key exchange. The security of these cryptographic algorithms and protocols relies on a source of unbiased and uniform distributed random bits. Cryptography practitioners usually assume that parties have access to perfect randomness. However, quite often this assumption is not realizable in practice and random bits are generated by a Pseudo-Random Number Generator. When this is done, the security of the scheme depends of course in a crucial way on the quality of the (pseudo-)randomness generated. However, only few generators used in practice have been analyzed and therefore practitioners and end users cannot easily assess their real security level. We provide in this thesis security models for the assessment of pseudo-random number generators and we propose secure constructions. In particular, we propose a new definition of robustness and we extend it to capture memory attacks and side-channel attacks. On a practical side, we provide a security assessment of generators used in practice, embedded in system kernel (Linux /dev/random) and cryptographic libraries (OpenSSL and Java SecureRandom), and we prove that these generators contain potential vulnerabilities.La génération d’aléa joue un rôle fondamental en cryptographie et en sécurité. Des nombres aléatoires sont nécessaires pour la production de clés cryptographiques ou de vecteurs d’initialisation et permettent également d’assurer que des protocoles d’échange de clé atteignent un niveau de sécurité satisfaisant. Dans la pratique, les bits aléatoires sont générés par un processus de génération de nombre dit pseudo-aléatoire, et dans ce cas, la sécurité finale du système dépend de manière cruciale de la qualité des bits produits par le générateur. Malgré cela, les générateurs utilisés en pratique ne disposent pas ou peu d’analyse de sécurité permettant aux utilisateurs de connaître exactement leur niveau de fiabilité. Nous fournissons dans cette thèse des modèles de sécurité pour cette analyse et nous proposons des constructions prouvées sûres et efficaces qui répondront à des besoins de sécurité forts. Nous proposons notamment une nouvelle notion de robustesse et nous étendons cette propriété afin d’adresser les attaques sur la mémoire et les attaques par canaux cachés. Sur le plan pratique, nous effectuons une analyse de sécurité des générateurs utilisés dans la pratique, fournis de manière native dans les systèmes d’exploitation (/dev/random sur Linux) et dans les librairies cryptographiques (OpenSSL ou Java SecureRandom) et nous montrons que ces générateurs contiennent des vulnérabilités potentielles

SoK: Security Models for Pseudo-Random Number Generators

Randomness plays an important role in multiple applications in cryptography. It is required in fundamental tasks such as key generation, masking and hiding values, nonces and initialization vectors generation. Pseudo-random number generators have been studied by numerous authors, either to propose clear security notions and associated constructions or to point out potential vulnerabilities. In this systematization of knowledge paper, we present the three notions of generators that have been successively formalized: standard generators, stateful generators and generators with input. For each notion, we present expected security properties, where adversaries have increasing capabilities (including access to partial information on the internal variables) and we propose secure and efficient constructions, all based on the block cipher AES. In our description of generators with input, we revisit the notions of accumulator and extractor and we point out that security crucially relies on the independence between the randomness source and the seeds of the accumulator and the extractor. To illustrate this requirement, we identify a potential vulnerability of the NIST standard CTR_DRBG

French 2022 legislatives elections: a verifiability experiment

International audienceFor the 2022 legislative elections, France made use of Internet voting for a fraction of its voters, namely French voters from abroad. For the first time, France introduced the notion of verifiability and third party. We report here the role of the third party, its interaction with the ANSSI, what it meant in terms of verifiability, as well as its limitations

Security Analysis of Pseudo-Random Number Generators with Input: /dev/random is not Robust

Abstract. A pseudo-random number generator (PRNG) is a deterministic algorithm that produces numbers whose distribution is indistinguishable from uniform. A formal security model for PRNGs with input was proposed in 2005 by Barak and Halevi (BH). This model involves an internal state that is refreshed with a (potentially biased) external random source, and a cryptographic function that outputs random numbers from the continually internal state. In this work we extend the BH model to also include a new security property capturing how it should accumulate the entropy of the input data into the internal state after state compromise. This property states that a good PRNG should be able to eventually recover from compromise even if the entropy is injected into the system at a very slow pace, and expresses the real-life expected behavior of existing PRNG designs. Unfortunately, we show that neither the model nor the specific PRNG construction proposed by Barak and Halevi meet this new property, despite meeting a weaker robustness notion introduced by BH. From a practical side, we also give a precise assessment of the security of the two Linux PRNGs, /dev/random and /dev/urandom. In particular, we show several attacks proving that these PRNGs are not robust according to our definition, and do not accumulate entropy properly. These attacks are due to the vulnerabilities of the entropy estimator and the internal mixing function of the Linux PRNGs. These attacks against the Linux PRNG show that it does not satisfy the "robustness " notion of security, but it remains unclear if these attacks lead to actual exploitable vulnerabilities in practice. Finally, we propose a simple and very efficient PRNG construction that is provably robust in our new and stronger adversarial model. We therefore recommend to use this construction whenever a PRNG with input is used for cryptography

Robust Pseudo-Random Number Generators with Input Secure Against Side-Channel Attacks

International audienceA pseudo-random number generator (PRNG) is a deterministic algorithm that produces numbers whose distribution is indistinguishable from uniform. In this paper, we extend the formal model of PRNG with input defined by Dodis et al. at CCS 2013 to deal with partial leakage of sensitive information. The resulting security notion, termed leakage-resilient robust PRNG with input, encompasses all the previous notions, but also allows the adversary to continuously get some leakage on the manipulated data. Dodis et al. also proposed an efficient construction, based on simple operations in a finite field and a classical deterministic pseudo-random generator G. Here, we analyze this construction with respect to our new stronger security model, and prove that with a stronger G, it also resists leakage. We show that this stronger G can be obtained by tweaking some existing constructions based on AES. We also propose a new instantiation which may be better in specific cases. Eventually, we show that the resulting scheme remains quite efficient in spite of its new security properties. It can thus be recommended in contexts where side-channel resistance is required

Sonia Belaïd - Schémas symétriques prouvés sûrs contre les attaques par canaux auxiliaires: Journées Codage et Cryptographie 2014

Schémas symétriques prouvés sûrs contre les attaques par canaux auxiliaire