Abstract
Randomness is an essential resource for cryptography. For practical randomness generation, the security notion of pseudorandom generators (PRGs) intends to automatically preserve (computational) security of cryptosystems when used in implementation. Nevertheless, some opposite case such as in computational randomness extractors (Barak et al., CRYPTO 2011) is known (but not yet systematically studied so far) where the security can be lost even by applying secure PRGs. The present paper aims at pushing ahead the observation and understanding about such a phenomenon; we reveal such situations at layers of primitives and protocols as well, not just of building blocks like randomness extractors. We present three typical types of such cases: (1) adversaries can legally see the seed of the PRGs (including the case of randomness extractors); (2) the set of “bad” randomness may be not efficiently recognizable; (3) the formulation of a desired property implicitly involves non-uniform distinguishers for PRGs. We point out that the semi-honest security of multiparty computation also belongs to Type 1, while the correctness with negligible decryption error probability for public key encryption belongs to Types 2 and 3. We construct examples for each type where a secure PRG (against uniform distinguishers only, for Type 3) does not preserve the security/correctness of the original scheme; and discuss some countermeasures to avoid such an issue.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
“Performing key generation (using the randomness), encryption, and decryption and then checking if the result is correct” is in general not an efficient procedure, as the corresponding “bad” plaintext to be encrypted may be not efficiently samplable.
- 2.
The issue remains even if the PRG is secure against non-uniform distinguishers with advice. Although the set of “bad” randomness is fixed for each security parameter, this set may be too complicated to be included in the advice of polynomial length.
- 3.
Such so-called “immunization” methods had also been studied before, e.g., [13, 20, 23], but those methods remove the errors only partially. We note also that such methods did not concern the issue as in the paper and their motivations were different; e.g., preventing attacks that utilize decryption errors (e.g., [21]).
- 4.
For the security of PKE, the theory can be reasonably based on the uniform complexity treatment [14].
- 5.
The issue discussed here will disappear if there is no such gap.
- 6.
By an appropriate padding to the input, our convention here can be made consistent with a standard convention where an advice depends solely on the input length.
- 7.
One may think that the seed length of a PRG should satisfy \(\ell _{\mathrm {in}}(\lambda ) = \lambda \); but our seemingly generalized style is just for the sake of technical ease and our argument can indeed be translated into the more strict style where \(\ell _{\mathrm {in}}(\lambda ) = \lambda \) always holds.
- 8.
Some reader may feel strange because the two parties’ inputs in the protocol are very correlated and the protocol has no output. This is for the sake of simplifying the argument, and in fact our protocol can be converted into a more “natural” but complicated form. See Appendix A for the details.
- 9.
In fact, in order to let the internal randomness for \(\mathcal {S}\) be a bit sequence, we have to, and indeed we can, approximate (with exponentially small deviation from the ideal) the procedures in Lines 1, 2 and 9 by PPT algorithms with random bit sequences.
- 10.
The reason of restricting \(\mathcal {B}\) to be deterministic is that \(\mathcal {B}\) will be used as a component of the desired PRG and hence may not have its own internal randomness.
- 11.
The factorization is trivially easy if \(\mathcal {F}\) may be non-uniform, as \(\mathcal {B}\) is deterministic.
- 12.
Such a PRG can be obtained from a PRG with 1-bit stretch by a standard technique based on hybrid argument (cf. Construction 3.3.2 and Theorem 3.3.3 of [15]).
- 13.
As the security is not the central topic here, we just implicitly assume IND-CPA security for the PKE schemes in the following arguments.
- 14.
Again, such a PKE scheme can be obtained via a hybrid argument (cf. Sect. 5.2.5.3 of [16]) from a perfectly correct PKE scheme with 1-bit plaintexts.
- 15.
The technical constraint for \(\mathcal {R}\) that the seed length should be a strictly increasing function of \(\lambda \) can be ensured by adjusting the seed length of \(\mathcal {R}^{*}\).
- 16.
We assume that the PRG \(\overline{\mathcal {R}}\) satisfies the constraint \(\overline{\ell }_{\mathrm {in}}(\lambda ) = \ell _{\mathrm {in}}(\lambda ) + \ell _{\mathrm {in}}^{\dagger }(\lambda ) < \overline{\ell }_{\mathrm {out}}(\lambda ) = L(\lambda )\) for input/output lengths.
References
Asharov, G., Lindell, Y., Schneider, T., Zohner, M.: More efficient oblivious transfer and extensions for faster secure computation. In: 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013, Berlin, Germany, 4–8 November 2013, pp. 535–548 (2013)
Asharov, G., Lindell, Y., Schneider, T., Zohner, M.: More efficient oblivious transfer and extensions for faster secure computation. IACR Cryptology ePrint Archive 2013:552 (2013)
Barak, B., et al.: Leftover hash lemma, revisited. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 1–20. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_1
Bernstein, D.J., Lange, T.: Non-uniform cracks in the concrete: the power of free precomputation. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 321–340. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-42045-0_17
Bitansky, N., Vaikuntanathan, V.: A note on perfect correctness by derandomization. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 592–606. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_20
Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. J. ACM 51(4), 557–594 (2004)
De, A., Trevisan, L., Tulsiani, M.: Time space tradeoffs for attacks against one-way functions and PRGs. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 649–665. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_35
Degabriele, J.P., Paterson, K.G., Schuldt, J.C.N., Woodage, J.: Backdoors in pseudorandom number generators: possibility and impossibility results. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 403–432. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_15
Dodis, Y., Ganesh, C., Golovnev, A., Juels, A., Ristenpart, T.: A formal treatment of backdoored pseudorandom generators. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 101–126. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_5
Dodis, Y., Ong, S.J., Prabhakaran, M., Sahai, A.: On the (im)possibility of cryptography with imperfect randomness. In: 45th Symposium on Foundations of Computer Science (FOCS 2004), Rome, Italy, 17–19 October 2004, Proceedings, pp. 196–205 (2004)
Dodis, Y., Pointcheval, D., Ruhault, S., Vergnaud, D., Wichs, D.: Security analysis of pseudo-random number generators with input: /dev/random is not robust. In: 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013, Berlin, Germany, 4–8 November 2013, pp. 647–658 (2013)
Dodis, Y., Yao, Y.: Privacy with imperfect randomness. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 463–482. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_23
Dwork, C., Naor, M., Reingold, O.: Immunizing encryption schemes from decryption errors. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 342–360. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_21
Goldreich, O.: A uniform-complexity treatment of encryption and zero-knowledge. J. Cryptol. 6(1), 21–53 (1993). https://doi.org/10.1007/BF02620230
Goldreich, O.: The Foundations of Cryptography - volume 1, Basic Techniques. Cambridge University Press, New York (2001)
Goldreich, O.: The Foundations of Cryptography - Volume 2, Basic Applications. Cambridge University Press, New York (2004)
Hazay, C., Zarosim, H.: The feasibility of outsourced database search in the plain model. In: Zikas, V., De Prisco, R. (eds.) SCN 2016. LNCS, vol. 9841, pp. 313–332. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-44618-9_17
Hirose, S.: Secure block ciphers are not sufficient for one-way hash functions in the Preneel-Govaerts-Vandewalle model. In: Nyberg, K., Heys, H. (eds.) SAC 2002. LNCS, vol. 2595, pp. 339–352. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36492-7_22
Hoeffding, W.: Probability inequalities for sums of bounded random variables. J. Am. Stat. Assoc. 58(301), 13–30 (1963)
Holenstein, T., Renner, R.: One-way secret-key agreement and applications to circuit polarization and immunization of public-key encryption. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 478–493. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_29
Howgrave-Graham, N., et al.: The impact of decryption failures on the security of NTRU encryption. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 226–246. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_14
Hub’avcek, P., Wichs, D.: On the communication complexity of secure function evaluation with long output. In: Proceedings of the 2015 Conference on Innovations in Theoretical Computer Science, ITCS 2015, Rehovot, Israel, 11–13 January 2015, pp. 163–172 (2015)
Lin, H., Tessaro, S.: Amplification of chosen-ciphertext security. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 503–519. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_30
Nisan, N., Wigderson, A.: Hardness vs randomness. J. Comput. Syst. Sci. 49(2), 149–167 (1994)
Nuida, K.: How to use pseudorandom generators in unconditional security settings. In: Chow, S.S.M., Liu, J.K., Hui, L.C.K., Yiu, S.M. (eds.) ProvSec 2014. LNCS, vol. 8782, pp. 291–299. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-12475-9_20
Pietrzak, K., Skorski, M.: Non-uniform attacks against pseudoentropy. In: 44th International Colloquium on Automata, Languages, and Programming, ICALP 2017, Warsaw, Poland, pp. 39:1–39:13 (2017)
Shaltiel, R., Umans, C.: Simple extractors for all min-entropies and a new pseudo-random generator. In: 42nd Annual Symposium on Foundations of Computer Science, FOCS 2001, Las Vegas, Nevada, USA, 14–17 October 2001, pp. 648–657 (2001)
Acknowledgements
The author thanks all the members of a study group “Shin-Akarui-Angou-Benkyoukai”, in particular Shota Yamada, Tadanori Teruya, Kazumasa Shinagawa, Takashi Yamakawa, Takahiro Matsuda, Yusuke Sakai, Keita Emura, and Goichiro Hanaoka, for fruitful discussions. This work was supported by JST PRESTO Grant Number JPMJPR14E8, by JST CREST Grant Number JPMJCR14D6, and by JST CREST Grant Number JPMJCR19F6.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
A A “Natural” Variant of Algorithm 1
A A “Natural” Variant of Algorithm 1
Here we give a “natural” variant of 2PC protocol \(\pi _1\) defined in Sect. 3.2 (Algorithm 1) where the inputs for two parties are not correlated and the parties have outputs in the protocol. The modified protocol is given in Algorithm 9. Here \(\mathcal {F}_{\mathsf {EQ}}\) denotes an ideal functionality for two-party equality test, where the common output \(\beta = 1\) (respectively, \(\beta = 0\)) means that the two inputs are equal (respectively, not equal).
In the part of the protocol before executing \(\pi _1\), the two parties check if their inputs satisfy the required conditions in the original protocol \(\pi _1\). More precisely, first, the input (p, q) for \(\mathcal {P}_2\) in \(\pi _1\) should satisfy that \(p < q\), p and q are primes, and \(p \equiv q \equiv 3 \pmod {4}\). In the protocol here, \(\mathcal {P}_2\) first checks if these conditions hold, and if it fails then the protocol halts at this step. Secondly, assuming the conditions for \(\mathcal {P}_2\)’s input, the input N for \(\mathcal {P}_1\) should satisfy that \(N = pq\). This condition is checked by using \(\mathcal {F}_{\mathsf {EQ}}\), and if it fails then the protocol halts at this step. Once these conditions have been verified, the parties can execute the protocol \(\pi _1\) with the correct input pair. By focusing on the input pairs satisfying the conditions in \(\pi _1\), the protocol here inherits from \(\pi _1\) the property that the security will be lost by applying a certain secure PRG to the randomness for \(\mathcal {P}_1\).
For the security against \(\mathcal {P}_1\), if the output is \(\iota = 2\), then \(\mathcal {P}_1\) receives no message and hence the security holds trivially. If \(\iota = 1\), then \(\mathcal {P}_1\) just participates in the execution of \(\mathcal {F}_{\mathsf {EQ}}\) and obtains the output \(\beta = 0\), therefore the security follows from the security of \(\mathcal {F}_{\mathsf {EQ}}\). Finally, if \(\iota = 0\), then \(\mathcal {P}_1\) participates in the execution of \(\mathcal {F}_{\mathsf {EQ}}\) with output being always \(\beta = 1\) and also participates in \(\pi _1\), therefore the security also follows from the security of \(\mathcal {F}_{\mathsf {EQ}}\) and \(\pi _1\).
For the sake of completeness, we describe in Algorithm 10 a well-known implementation of \(\mathcal {F}_{\mathsf {EQ}}\) using the lifted-ElGamal cryptosystem. Here \(\boxplus \) and \(\boxdot \) denote the homomorphic addition and homomorphic scalar multiplication, respectively. We analyze the behavior of the protocol as follows:
-
If \(x_1 = x_2\), then the ciphertext c in the protocol is a random ciphertext of plaintext \(r (x_2 - r_1) = 0\) (note that the randomness in c has also been perfectly rerandomized, as a random ciphertext \(\mathsf {Enc}(0)\) was homomorphically added). Hence the protocol outputs the correct value \(\beta = 1\), and now the message received by \(\mathcal {P}_1\) is a random ciphertext \(\mathsf {Enc}(0)\) as mentioned above, which can be perfectly simulated.
-
If \(x_1 \ne x_2\), then \(x_2 - x_1 \in (\mathbb {F}_P)^{\times }\) by the property \(P > 2^{2\lambda + 1}\), while \(r \leftarrow _R (\mathbb {F}_P)^{\times }\). Therefore the plaintext \(r (x_2 - x_1)\) for c is also uniformly random over \((\mathbb {F}_P)^{\times }\) and hence the protocol outputs the correct value \(\beta = 0\) (note that, though \(r (x_2 - x_1)\) can be large and the lifted-ElGamal cryptosystem enables to efficiently decrypt small plaintexts only, the protocol just checks if the ciphertext c has plaintext 0 or not, which is still efficiently checkable). Moreover, in this case, the received message c is a random ciphertext for a uniformly random non-zero plaintext, which can be perfectly simulated.
Hence the correctness and the security (against \(\mathcal {P}_1\)) of the implemented \(\mathcal {F}_{\mathsf {EQ}}\) have been verified. In particular, the security against \(\mathcal {P}_1\) is information-theoretic. Therefore, as well as the original protocol \(\pi _1\), the variant of \(\pi _1\) given here also has information-theoretic security against \(\mathcal {P}_1\), as desired.
Rights and permissions
Copyright information
© 2021 International Association for Cryptologic Research
About this paper
Cite this paper
Nuida, K. (2021). Cryptographic Pseudorandom Generators Can Make Cryptosystems Problematic. In: Garay, J.A. (eds) Public-Key Cryptography – PKC 2021. PKC 2021. Lecture Notes in Computer Science(), vol 12711. Springer, Cham. https://doi.org/10.1007/978-3-030-75248-4_16
Download citation
DOI: https://doi.org/10.1007/978-3-030-75248-4_16
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-75247-7
Online ISBN: 978-3-030-75248-4
eBook Packages: Computer ScienceComputer Science (R0)