[Cryptography] The hypothetical random number generator backdoor

Phillip Hallam-Baker hallam at gmail.com
Sun Sep 22 20:09:09 EDT 2013

So we think there is 'some kind' of backdoor in a random number generator.
One question is how the EC math might make that possible. Another is how
might the door be opened.

I was thinking about this and it occurred to me that it is fairly easy to
get a public SSL server to provide a client with a session key - just ask
to start a session.

Which suggests that maybe the backdoor is of the form that if you know
nonce i, and the private key to the backdoor, that reduces the search space
for finding nonce i+1.

Or maybe there is some sort of scheme where you get a lot of nonces from
the random number generator, tens of thousands and that allows the seed to
be unearthed.

Either way, the question is how to stop this side channel attack. One
simple way would be to encrypt the nonces from the RNG under a secret key
generated in some other fashion.

nonce = E (R, k)

Or hashing the RNG output and XORing with it

nonce = r  XOR H (r)

Either way, there is an extra crypto system in the way that has to be
broken if a random number generator turns out to have some sort of
relationship between sequential outputs.

Website: http://hallambaker.com/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20130922/94b0a3be/attachment.html>

More information about the cryptography mailing list