2019
DOI: 10.1007/978-3-030-17656-3_6
An Analysis of NIST SP 800-90A

Cited by 17 publications (25 citation statements). References 21 publications.
“…We adapt previous work [58] on side-channel attacks on AES encryption to the PRG setting, and extend the work of Woodage and Shumow [87] to show how an attacker who observes CTR_DRBG's cache access patterns can recover the PRG state using about 2000 bytes of output. We then empirically demonstrate how a client connecting to a malicious TLS server can be coerced to provide enough PRG output that an attacker who concurrently observes the PRG's cache access patterns is capable of recovering the PRG state used during the TLS handshake.…”
Section: CTR_DRBG State Recovery (citation type: mentioning)
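The state-recovery step the excerpt above describes, as an added example that is not code from the cited paper, from Woodage and Shumow, or from this page: a minimal CTR_DRBG (AES-128, no derivation function, no reseed, no additional_input) following SP 800-90A Section 10.2.1, beside an attacker who is assumed to already hold the AES key in use. The cache side channel in the excerpt is what delivers that key and is not modelled here; the example only shows why key recovery is the whole game. Since every output block is AES_Key(V+i), one AES decryption of the first observed block yields V, the remaining observed blocks serve as a consistency check, and mirroring the victim's post-Generate Update predicts everything produced until the next reseed. The function names, the entropy input and the 40-byte observed output are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/hex"
	"errors"
)

// CTR_DRBG with AES-128 and no derivation function (SP 800-90A, Section 10.2.1).
const keyLen, blkLen, seedLen = 16, 16, 32 // AES-128 key, AES block, seedlen = keylen + blocklen

// ctrDRBG is the internal state (Key, V); the reseed counter is omitted because this example never reseeds.
type ctrDRBG struct {
	key [keyLen]byte
	v   [blkLen]byte
}

// incrementV computes V = (V + 1) mod 2^blocklen, big-endian.
func incrementV(v *[blkLen]byte) {
	for i := blkLen - 1; i >= 0; i-- {
		if v[i]++; v[i] != 0 {
			return
		}
	}
}

// nextBlock increments V and appends AES_Key(V) to temp; both Update and Generate loop on it.
func (d *ctrDRBG) nextBlock(temp []byte) []byte {
	c, _ := aes.NewCipher(d.key[:]) // cannot fail: the key is always 16 bytes
	incrementV(&d.v)
	var blk [blkLen]byte
	c.Encrypt(blk[:], d.v[:])
	return append(temp, blk[:]...)
}

// update is CTR_DRBG_Update (10.2.1.2): seedlen counter-mode bytes XOR provided_data become (Key, V).
func (d *ctrDRBG) update(providedData []byte) {
	var temp []byte
	for len(temp) < seedLen {
		temp = d.nextBlock(temp)
	}
	for i := 0; i < seedLen; i++ {
		temp[i] ^= providedData[i] // provided_data is always seedlen bytes in this example
	}
	copy(d.key[:], temp[:keyLen])
	copy(d.v[:], temp[keyLen:seedLen])
}

// instantiate is Instantiate without df (10.2.1.3.1), empty personalization: Key = V = 0, then Update(entropy_input).
func instantiate(entropyInput []byte) *ctrDRBG {
	d := &ctrDRBG{}
	d.update(entropyInput)
	return d
}

// generate is Generate without df and without additional_input (10.2.1.5.1).
func (d *ctrDRBG) generate(n int) []byte {
	var temp []byte
	for len(temp) < n {
		temp = d.nextBlock(temp)
	}
	// Backtracking resistance lives here: Key and V are overwritten with fresh AES_Key(V+i) blocks.
	d.update(make([]byte, seedLen))
	return temp[:n]
}

// recoverAndPredict plays the attacker. Assumed, and not taken from the cited paper: key is the AES key
// leaked via the cache side channel, observed is one complete Generate output, and no reseed intervenes.
func recoverAndPredict(key, observed []byte, nextLen int) ([]byte, error) {
	if len(key) != keyLen || len(observed) < blkLen {
		return nil, errors.New("need a 16-byte key and at least one full output block")
	}
	c, _ := aes.NewCipher(key)
	var d ctrDRBG
	copy(d.key[:], key)
	c.Decrypt(d.v[:], observed[:blkLen]) // block0 = AES_Key(V0+1), hence V0+1 = AES_Key^-1(block0)
	// Re-derive the rest of the observed call; a mismatch means a wrong key or a mid-call state change.
	expect := append([]byte(nil), observed[:blkLen]...)
	for len(expect) < len(observed) {
		expect = d.nextBlock(expect)
	}
	if !bytes.Equal(expect[:len(observed)], observed) {
		return nil, errors.New("observed output does not match the recovered state")
	}
	d.update(make([]byte, seedLen)) // mirror the victim's post-Generate Update
	return d.generate(nextLen), nil
}

// demo runs victim and attacker side by side and reports whether the prediction matched.
func demo() (bool, error) {
	// Constructed entropy_input for the example; a real instance draws it from an entropy source.
	entropy, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
	victim := instantiate(entropy)
	leakedKey := append([]byte(nil), victim.key[:]...) // the key in use during the observed call
	observed := victim.generate(40)                     // e.g. the randoms sent in a TLS handshake
	predicted, err := recoverAndPredict(leakedKey, observed, 32)
	if err != nil {
		return false, err
	}
	return bytes.Equal(predicted, victim.generate(32)), nil
}
```

The consistency check in recoverAndPredict is what a practitioner would add before trusting a recovered key: with a wrong key the decrypted V is garbage and the second block fails to match, so the attack cannot silently proceed on bad data. Note also why the attacker must capture the key before the call ends: the Update at the end of generate replaces Key and V, which is the mechanism behind the backtracking-resistance property discussed in the other citation statements on this page.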
“…Following [22,87], Woodage and Shumow [87] define three security properties for a PRG: robustness, backtracking resistance, and prediction resistance. Backtracking resistance is the property that if the generator is compromised at time t_1, an adversary remains unable to distinguish outputs generated prior to t_1 from random.…”
Section: A Pseudorandom Generators (citation type: mentioning)
“…The theoretical approach consists of searching for flaws by scrutinising the mathematical primitive definition. For instance, there are theoretical attacks [8,28] against PRGs proposed by NIST [4] based on specific differential cryptanalysis [6]. The empirical approach relies on defining a statistically significant number of experiments to provide enough confidence in the results, used to create a distinguisher.…”
Section: Introduction (citation type: mentioning)
“…Related work Other works propose to distinguish between random numbers generated with block ciphers [2,9,11,14,15,25,29], of which a vast majority extract features coming from the statistical tests proposed by NIST (NIST STS) [5] and use them as inputs of ML algorithms. While the documentation provided by the NIST does not provide any formal security analysis [13], Woodgate et al. [28] carry out an in-depth security review. Contrary to prior proposals, we apply MLCrypto to the DRBGs recommended by NIST [4], being able to statistically distinguish between two pairs of generators.…”
Section: Introduction (citation type: mentioning)