Use of PRNG's vulnerability for attacking a cryptographic system

user110019

6/22/24, 1:39 PM

I am investigating a PRNG which fails some of NIST tests (FFT, ApproximateEntropy and Serial). If such a generator is used in cryptography for any purpose, what consequences can it has? How this vulnerability affects its safety? What is possible attack?

I want to discuss implications.

1 + 0

statistical-test

pseudo-random-generator

nist

attack

Score:3

Crypto

fgrieu

6/22/24, 2:51 PM

a PRNG which fails some of NIST tests (FFT, ApproximateEntropy and Serial)

Assuming other tests pass, that fact taken in isolation has no practical consequence for most applications, which really are quite tolerant to generators with a slight defect unrelated to what the application does. That includes use for key generation (symmetric and asymmetric), password generation, challenge/nonce/UID generation in symmetric cryptography, and internal randomness generation in RSAES-OAEP, RSAES-PKCS1-v1_5, RSASSA-PSS, Schnorr signature. I'm not quite so confident for generation of the per-message secret in DSA and ECDSA signature, which are quite sensitive to some kinds of bias in attacks where adversaries can request many signatures and attempt to recover the private key.

However, that fact (tests fail) should be taken as an indication that something is wrong: If the tests are conducted properly, their failure shows that this generator does not use (properly implemented) cryptographic post-conditionning, something that a RNG safe to use for arbitrary cryptographic purposes should do.

Perhaps even more worryingly, it's likely attempted to determine if a RNG is safe to use for cryptographic purposes using a common but inappropriate method: testing it's output with a statistical test. That can only detect some defective RNGs. When it comes to building positive confidence, passing such tests successfully is only useful for entropy sources known to be unconditioned or with known and precisely analyzed conditioning. But for generators of unknown design, passing such tests successfully is not a robust indication that they are suitable for cryptographic purposes. Too many blind spots remain, including:

Does the generator have a weakness in it's post-conditioning?
Does the generator have a backdoor, like Dual_E8C_DRBG, which passes all NIST tests?
Does the generator tend to have the same output at each power-up, making it unsuitable in some very real-life scenarios?
Would a defect in the internal entropy source of the generator (due to build defect, aging, temperature, power supply characteristics, interference including fault attacks…) be detected and trigger a fail-safe mechanism?

† NIST tests are so stringent that most generators that pass them have some post-conditioning. And it's easy to accidentally make a post-conditioning vulnerable to attack, yet that pass the NIST tests with flying color even with a stuck entropy source.

+ 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Use of PRNG's vulnerability for attacking a cryptographic system

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.