A Formal Treatment of Backdoored Pseudorandom Generators

  • Yevgeniy Dodis
  • Chaya Ganesh
  • Alexander Golovnev
  • Ari Juels
  • Thomas Ristenpart
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9056)


We provide a formal treatment of backdoored pseudorandom generators (PRGs). Here a saboteur chooses a PRG instance for which she knows a trapdoor that allows prediction of future (and possibly past) generator outputs. This topic was formally studied by Vazirani and Vazirani, but only in a limited form and not in the context of subverting cryptographic protocols. The latter has become increasingly important due to revelations about NIST’s backdoored Dual EC PRG and new results about its practical exploitability using a trapdoor.

We show that backdoored PRGs are equivalent to public-key encryption schemes with pseudorandom ciphertexts. We use this equivalence to build backdoored PRGs that avoid a well known drawback of the Dual EC PRG, namely biases in outputs that an attacker can exploit without the trapdoor. Our results also yield a number of new constructions and an explanatory framework for why there are no reported observations in the wild of backdoored PRGs using only symmetric primitives.

We also investigate folklore suggestions for countermeasures to backdoored PRGs, which we call immunizers. We show that simply hashing PRG outputs is not an effective immunizer against an attacker that knows the hash function in use. Salting the hash, however, does yield a secure immunizer, a fact we prove using a surprisingly subtle proof in the random oracle model. We also give a proof in the standard model under the assumption that the hash function is a universal computational extractor (a recent notion introduced by Bellare, Hoang, and Keelveedhi).
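The two results summarised above (backdoored PRGs from public-key encryption with pseudorandom ciphertexts, and the failure of an unsalted hash as an immunizer) can be seen concretely in a toy model. The Python below is an added illustration written for this page, not code from the paper. It assumes hashed ElGamal over the Mersenne prime 2^61 - 1 as a stand-in for a public-key scheme with pseudorandom ciphertexts (every group element is a 61-bit integer, so a ciphertext looks like a uniform string; the group is far too small and far too smooth to be secure), a backdoored generator that encrypts its own next state, a public hash immunizer `public_immunizer`, a salted variant `salted_immunizer`, and a saboteur's generator `LeakingPRG` that uses rejection sampling against the known hash to leak the encrypted seed one bit per output. All of these names, the hash-derived state update and the one-bit-per-output leak rate are choices made for this illustration rather than the paper's own constructions.

```python
"""Toy backdoored PRG from a public-key scheme with pseudorandom
ciphertexts, plus the rejection-sampling trick that defeats a public
(unsalted) hash immunizer.  Demo group only; nothing here is secure."""
import hashlib
import secrets

# Toy group: Z_p^* for the Mersenne prime p = 2^61 - 1.  Every element is a
# 61-bit integer, so a uniform group element is (bar two missing values) a
# uniform 61-bit string: the "pseudorandom ciphertext" property we need.
# p - 1 is very smooth, so discrete logs are easy here: demo only.
P = (1 << 61) - 1
BITS = 61
MASK = (1 << BITS) - 1

def _prime_factors(n):
    fs, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            fs.add(d)
            n //= d
        d += 1
    if n > 1:
        fs.add(n)
    return fs

# A generator of Z_p^*: g^((p-1)/q) != 1 for every prime q dividing p - 1.
_Q = _prime_factors(P - 1)
G = next(g for g in range(2, P) if all(pow(g, (P - 1) // q, P) != 1 for q in _Q))

def _h(*parts, n=BITS):
    """SHA-256 over the tagged parts, truncated to an n-bit integer."""
    d = hashlib.sha256(b"|".join(str(x).encode() for x in parts)).digest()
    return int.from_bytes(d, "big") >> (256 - n)

# Hashed ElGamal stand-in for a PKE with pseudorandom ciphertexts: both
# ciphertext halves are 61-bit values that look uniform without sk.
def keygen():
    x = secrets.randbelow(P - 2) + 1
    return pow(G, x, P), x                     # (pk, sk = the trapdoor)

def enc(pk, m, coins):
    r = coins % (P - 2) + 1
    return pow(G, r, P), m ^ _h("pad", pow(pk, r, P))

def dec(sk, ct):
    u, v = ct
    return v ^ _h("pad", pow(u, sk, P))

class BackdooredPRG:
    """Output i is Enc(pk, state_{i+1}) under coins derived from state_i.
    Without sk the outputs are pseudorandom; with sk, one output reveals
    the next state and hence every later output."""
    def __init__(self, pk, seed):
        self.pk, self.state = pk, seed & MASK

    def next(self):
        nxt = _h("state", self.state)
        out = enc(self.pk, nxt, _h("coins", self.state))
        self.state = nxt
        return out

def predict_from_one_output(pk, sk, observed, count):
    """Trapdoor holder: decrypt one observed output, replay the generator."""
    replica = BackdooredPRG(pk, dec(sk, observed))
    return [replica.next() for _ in range(count)]

# Folklore immunizer: hash every PRG output before use (assumed names).
def public_immunizer(r):
    return _h("immunize", r, n=64)

def salted_immunizer(salt, r):
    return _h("immunize", salt, r, n=64)

class LeakingPRG:
    """Saboteur's generator designed with knowledge of the public hash f.
    Each output r_i is picked by rejection sampling among honest-looking
    candidates so that the low bit of f(r_i) equals bit i of
    c = Enc(pk, seed).  Whoever sees only f(r_0), f(r_1), ... and holds sk
    reassembles c after 2*BITS outputs and decrypts the seed."""
    def __init__(self, pk, seed, f):
        self.seed, self.f, self.i = seed & MASK, f, 0
        u, v = enc(pk, self.seed, _h("coins", self.seed))
        self.leak = (u << BITS) | v            # 2*BITS bits to smuggle out

    def next(self):
        want = (self.leak >> self.i) & 1 if self.i < 2 * BITS else None
        j = 0                                   # ~2 candidates per output
        while True:
            r = _h("cand", self.seed, self.i, j)
            if want is None or self.f(r) & 1 == want:
                break
            j += 1
        self.i += 1
        return r

def recover_seed_from_immunized(sk, immunized):
    """Attacker reads one bit per immunized output, then decrypts."""
    c = sum((y & 1) << i for i, y in enumerate(immunized[:2 * BITS]))
    return dec(sk, (c >> BITS, c & MASK))
```

With sk, `predict_from_one_output` turns a single observed output into every later one, which is the equivalence direction from PKE to backdoored PRG. `LeakingPRG` shows why an unsalted hash does not help: because the generator was designed knowing f, it can afford about two candidates per output to steer the low bit of f(r_i), and the consumer who only ever publishes f(r_i) still leaks the encrypted seed. If the consumer instead applies `salted_immunizer` with a salt the generator never sees (the model assumed here), the steered bits no longer line up with the hash actually applied and `recover_seed_from_immunized` returns an unrelated value. The toy exhibits the failure mode only; the paper's positive results for salted hashing are proved in the random oracle model and under the UCE assumption, which this code does not exercise.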


  1. Albertini, A., Aumasson, J.P., Eichlseder, M., Mendel, F., Schläffer, M.: Malicious hashing: Eve’s variant of SHA-1. Cryptology ePrint Archive, Report 2014/694 (2014)
  2. Aranha, D.F., Fouque, P.A., Qian, C., Tibouchi, M., Zapalowicz, J.C.: Binary Elligator squared. Cryptology ePrint Archive, Report 2014/486 (2014)
  3. Backes, M., Cachin, C.: Public-key steganography with active attacks. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 210–226. Springer, Heidelberg (2005)
  4. Bellare, M., Hoang, V.T., Keelveedhi, S.: Instantiating random oracles via UCEs. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 398–415. Springer, Heidelberg (2013)
  5. Bellare, M., Paterson, K.G., Rogaway, P.: Security of symmetric encryption against mass surveillance. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 1–19. Springer, Heidelberg (2014)
  6. Benaloh, J.: Dense probabilistic encryption. In: Proceedings of the Workshop on Selected Areas of Cryptography, pp. 120–128 (1994)
  7. Bendel, M.: Hackers describe PS3 security as epic fail, gain unrestricted access.
  8. Bernstein, D.J., Chang, Y.-A., Cheng, C.-M., Chou, L.-P., Heninger, N., Lange, T., van Someren, N.: Factoring RSA keys from certified smart cards: Coppersmith in the wild. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part II. LNCS, vol. 8270, pp. 341–360. Springer, Heidelberg (2013)
  9. Bernstein, D.J., Hamburg, M., Krasnova, A., Lange, T.: Elligator: elliptic-curve points indistinguishable from uniform random strings. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 967–980. ACM (2013)
  10. Blum, L., Blum, M., Shub, M.: A simple unpredictable pseudo-random number generator. SIAM Journal on Computing 15(2), 364–383 (1986)
  11. Brown, D., Vanstone, S.: Elliptic curve random number generation (2007)
  12. Cachin, C.: An information-theoretic model for steganography. In: Aucsmith, D. (ed.) IH 1998. LNCS, vol. 1525, pp. 306–318. Springer, Heidelberg (1998)
  13. Checkoway, S., Fredrikson, M., Niederhagen, R., Green, M., Lange, T., Ristenpart, T., Bernstein, D.J., Maskiewicz, J., Shacham, H.: On the practical exploitability of Dual EC DRBG in TLS implementations. In: USENIX Security (2014)
  14. Everspaugh, A., Zhai, Y., Jellinek, R., Ristenpart, T., Swift, M.: Not-so-random numbers in virtualized Linux and the Whirlwind RNG. In: IEEE Symposium on Security and Privacy (2014)
  15. Goh, E.-J., Boneh, D., Pinkas, B., Golle, P.: The design and implementation of protocol-based hidden key recovery. In: Boyd, C., Mao, W. (eds.) ISC 2003. LNCS, vol. 2851, pp. 165–179. Springer, Heidelberg (2003)
  16. Goldberg, I., Wagner, D.: Randomness and the Netscape browser. Dr. Dobb’s Journal, pp. 66–71 (1996)
  17. Heninger, N., Durumeric, Z., Wustrow, E., Halderman, J.A.: Mining your Ps and Qs: detection of widespread weak keys in network devices. In: USENIX Security, pp. 205–220. USENIX (2012)
  18. Holenstein, T.: Key agreement from weak bit agreement. In: Proceedings of the Thirty-Seventh Annual ACM Symposium on Theory of Computing, pp. 664–673. ACM (2005)
  19. Hopper, N., von Ahn, L., Langford, J.: Provably secure steganography. IEEE Transactions on Computers 58(5), 662–676 (2009)
  20. Juels, A., Guajardo, J.: RSA key generation with verifiable randomness. In: Naccache, D., Paillier, P. (eds.) PKC 2002. LNCS, vol. 2274, pp. 357–374. Springer, Heidelberg (2002)
  21. Möller, B.: A public-key encryption scheme with pseudo-random ciphertexts. In: Samarati, P., Ryan, P.Y.A., Gollmann, D., Molva, R. (eds.) ESORICS 2004. LNCS, vol. 3193, pp. 335–351. Springer, Heidelberg (2004)
  22. Mowery, K., Wei, M., Kohlbrenner, D., Shacham, H., Swanson, S.: Welcome to the Entropics: boot-time entropy in embedded devices. In: IEEE Symposium on Security and Privacy, pp. 589–603. IEEE (2013)
  23. National Institute of Standards and Technology: Special Publication 800-90: Recommendation for random number generation using deterministic random bit generators (2012; first version June 2006, second version March 2007)
  24. Ristenpart, T., Yilek, S.: When good randomness goes bad: virtual machine reset vulnerabilities and hedging deployed cryptography. In: NDSS (2010)
  25. Schoenmakers, B., Sidorenko, A.: Cryptanalysis of the dual elliptic curve pseudorandom generator. Cryptology ePrint Archive, Report 2006/190 (2006)
  26. Shoup, V.: A proposal for an ISO standard for public key encryption (version 2.1). Cryptology ePrint Archive, Report 2001/112 (2001)
  27. Shumow, D., Ferguson, N.: On the possibility of a back door in the NIST SP800-90 Dual EC PRNG. In: Proc. CRYPTO 2007 rump session (2007)
  28. Simmons, G.J.: The prisoners’ problem and the subliminal channel. In: Advances in Cryptology (CRYPTO 1983), pp. 51–67. Springer (1984)
  29. Tibouchi, M.: Elligator squared: uniform points on elliptic curves of prime order as uniform random strings. Cryptology ePrint Archive, Report 2014/043 (2014)
  30. Vazirani, U.V., Vazirani, V.V.: Trapdoor pseudo-random number generators, with applications to protocol design. In: FOCS 1983, pp. 23–30 (1983)
  31. Vazirani, U.V., Vazirani, V.V.: Efficient and secure pseudo-random number generation. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 193–202. Springer, Heidelberg (1985)
  32. von Ahn, L., Hopper, N.J.: Public-key steganography. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 323–341. Springer, Heidelberg (2004)
  33. Yilek, S., Rescorla, E., Shacham, H., Enright, B., Savage, S.: When private keys are public: results from the 2008 Debian OpenSSL vulnerability. In: SIGCOMM Conference on Internet Measurement, pp. 15–27. ACM (2009)
  34. Young, A., Yung, M.: The dark side of “black-box” cryptography, or: should we trust Capstone? In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 89–103. Springer, Heidelberg (1996)
  35. Young, A., Yung, M.: Kleptography: using cryptography against cryptography. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 62–74. Springer, Heidelberg (1997)
  36. Young, A., Yung, M.: Kleptography from standard assumptions and applications. In: Garay, J.A., De Prisco, R. (eds.) SCN 2010. LNCS, vol. 6280, pp. 271–290. Springer, Heidelberg (2010)

Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  • Yevgeniy Dodis (1), corresponding author
  • Chaya Ganesh (1)
  • Alexander Golovnev (1)
  • Ari Juels (2)
  • Thomas Ristenpart (3)

  1. Department of Computer Science, New York University, New York, USA
  2. Jacobs Institute, Cornell Tech, New York, USA
  3. Department of Computer Sciences, University of Wisconsin, Madison, USA
