[Cryptography] Dual_EC_DRBG backdoor: a proof of concept
Thierry Moreau
thierry.moreau at connotech.com
Thu Jan 2 22:16:25 EST 2014
Jon Callas wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Going back to Blum-Blum-Shub, look at the Wikipedia article on it at <http://en.wikipedia.org/wiki/Blum_Blum_Shub>. There are some interesting statements there, ...
>
> However, there is a proof reducing its security to the computational
> difficulty of the Quadratic residuosity problem. Since the only known
> way to solve that problem requires factoring the modulus, the
> difficulty of Integer factorization is generally regarded as
> providing security. When the primes are chosen appropriately, and
> O(log log M) lower-order bits of each xn are output, then in the limit
> as M grows large, distinguishing the output bits from random should be
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> at least as difficult as factoring M.
>
This is the only thing that the alluded BBS "backdoor" allows. In other
words, the backdoor allows one to write a custom-made statistical test
that the generator will fail. The backdoor does not allow the recovery
of the PRNG state from a fraction of the output sequence -- or at least
I never saw the slightest hint, speculation, or academic author
conjecture that this would be possible for any fraction less than 1.
>
> This is interesting because nowhere do they address the central engineering issue -- that a fixed p,q is not secure yet a variable one requires another RNG to seed the RNG.
>
Out of memory, the engineering issue is solved as follows:
(A) Generate a first BBS modulus and discard the prime factors P and Q.
(B) When provisioning a secure device, seed the first BBS with true
entropy, then generate a device-specific BBS modulus and discard prime
factors P' and Q'. Don't use the first BBS for any other purpose
starting with the same seed.
(C) In operations, occasionally re-seed the device-specific BBS as you
would do with any deterministic PRNG.
If you don't trust the software for the discard operation in (A) and
(B), then you shouldn't trust the software for any other crypto algorithm.
For bootstrap your confidence, you recursively perform (A)-(B)-(C) with
(C) being used for the next (A) in the recursion, until the "security
by management exhaustion" paradigm applies.
Have fun with crypto-grade PRNG selection and implementation design!
--
- Thierry Moreau
More information about the cryptography
mailing list