
The Linux Pseudorandom Number Generator Revisited - colinprince
http://eprint.iacr.org/2012/251
======
agf
A recent, related paper:
[https://cs.nyu.edu/~dodis/ps/rng.pdf](https://cs.nyu.edu/~dodis/ps/rng.pdf)

It doesn't appear to be mentioned in "The Linux Pseudorandom Number Generator
Revisited", which repeatedly refers to a 2006 paper as its precursor.

Security Analysis of Pseudo-Random Number Generators with Input: /dev/random
is not Robust

Abstract:

A pseudo-random number generator (PRNG) is a deterministic algorithm that
produces numbers whose distribution is indistinguishable from uniform. A
formal security model for PRNGs with input was proposed in 2005 by Barak and
Halevi (BH). This model involves an internal state that is refreshed with a
(potentially biased) external random source, and a cryptographic function that
outputs random numbers from the continually refreshed internal state. In this work we
extend the BH model to also include a new security property capturing how it
should accumulate the entropy of the input data into the internal state after
state compromise. This property states that a good PRNG should be able to
eventually recover from compromise even if the entropy is injected into the
system at a very slow pace, and expresses the real-life expected behavior of
existing PRNG designs. Unfortunately, we show that neither the model nor the
specific PRNG construction proposed by Barak and Halevi meet this new
property, despite meeting a weaker robustness notion introduced by BH. From a
practical side, we also give a precise assessment of the security of the two
Linux PRNGs, /dev/random and /dev/urandom. In particular, we show several
attacks proving that these PRNGs are not robust according to our definition,
and do not accumulate entropy properly. These attacks are due to the
vulnerabilities of the entropy estimator and the internal mixing function of
the Linux PRNGs. These attacks against the Linux PRNG show that it does not
satisfy the "robustness" notion of security, but it remains unclear if these
attacks lead to actual exploitable vulnerabilities in practice. Finally, we
propose a simple and very efficient PRNG construction that is provably robust
in our new and stronger adversarial model. We therefore recommend using this
construction whenever a PRNG with input is used for cryptography.

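A toy model of what the abstract calls a PRNG with input and of the "recover from compromise even if entropy arrives slowly" property, as an added example that is not code from either paper or from the Linux kernel. Everything in it is a constructed assumption: SHA-256 stands in for the cryptographic mixing/output function, the entropy source is a seeded one-bit-per-refresh trickle, the attacker is simply handed the initial state (the post-compromise setting), and nothing here models Linux's actual entropy estimator or mixing function. The first generator mixes each input straight into the state and answers output requests at any time; the second keeps inputs in a separate pool and folds the pool in only after a threshold number of inputs, a simplified accumulate-then-refresh idea rather than the paper's construction.

```python
"""Toy PRNG-with-input model: why outputting right after a low-entropy refresh
lets an attacker who once knew the state keep it forever, and why accumulating
inputs before refreshing restores recovery.  Added example; SHA-256, the one-bit
trickle and the known starting state are all constructed assumptions."""
import hashlib
import random


def H(tag: bytes, *parts: bytes) -> bytes:
    """Domain-separated SHA-256; stands in for the PRNG's cryptographic function."""
    return hashlib.sha256(tag + b"".join(parts)).digest()


class NaivePRNG:
    """Each input is mixed straight into the output state, and an output can be
    requested at any time, so every output confirms or refutes a guess of the
    most recent (low-entropy) input."""

    def __init__(self, state: bytes) -> None:
        self.state = state

    def refresh(self, inp: bytes) -> None:
        self.state = H(b"refresh", self.state, inp)

    def next(self) -> bytes:
        out = H(b"out", self.state)
        self.state = H(b"step", self.state)
        return out


class AccumulatingPRNG:
    """Inputs go to a separate pool that is folded into the output state only
    after `threshold` inputs; outputs in between depend on the old state alone."""

    def __init__(self, state: bytes, threshold: int) -> None:
        self.state = state
        self.threshold = threshold
        self.pool = b""
        self.count = 0

    def refresh(self, inp: bytes) -> None:
        self.pool = H(b"pool", self.pool, inp)
        self.count += 1
        if self.count == self.threshold:
            self.state = H(b"refresh", self.state, self.pool)
            self.pool, self.count = b"", 0

    def next(self) -> bytes:
        out = H(b"out", self.state)
        self.state = H(b"step", self.state)
        return out


def trickle_bits(seed: int, n: int) -> list:
    """Constructed entropy source: one fresh bit per refresh, seeded so runs repeat."""
    rng = random.Random(seed)
    return [bytes([rng.getrandbits(1)]) for _ in range(n)]


def attack_naive(seed: int, n_steps: int):
    """Attacker knows the compromised state and sees one output after each 1-bit
    refresh.  Returns (guesses made, whether the attacker predicts the next output)."""
    compromised = b"\x00" * 32
    victim = NaivePRNG(compromised)
    tracked = compromised
    guesses = 0
    for bit in trickle_bits(seed, n_steps):
        victim.refresh(bit)
        observed = victim.next()
        for cand in (b"\x00", b"\x01"):          # two guesses per step, never 2**n
            guesses += 1
            trial = NaivePRNG(tracked)
            trial.refresh(cand)
            if trial.next() == observed:
                tracked = trial.state             # still in sync with the victim
                break
    return guesses, NaivePRNG(tracked).next() == victim.next()


def attack_accumulating(seed: int, threshold: int):
    """Same attacker against the accumulating design.  Returns (outputs predicted
    before the fold, candidate pools enumerated, whether the fold was recovered)."""
    compromised = b"\x00" * 32
    victim = AccumulatingPRNG(compromised, threshold)
    mirror = AccumulatingPRNG(compromised, threshold)   # attacker's copy, no inputs
    bits = trickle_bits(seed, threshold)
    early_predicted = 0
    for bit in bits[:-1]:                    # state untouched: outputs still predictable
        victim.refresh(bit)
        if victim.next() == mirror.next():
            early_predicted += 1
    victim.refresh(bits[-1])                 # the pool is folded in here
    observed = victim.next()
    guesses = 0
    for cand in range(2 ** threshold):       # all `threshold` bits must be guessed at once
        guesses += 1
        trial = AccumulatingPRNG(mirror.state, threshold)
        for i in range(threshold):
            trial.refresh(bytes([(cand >> i) & 1]))
        if trial.next() == observed:
            return early_predicted, guesses, trial.next() == victim.next()
    return early_predicted, guesses, False


if __name__ == "__main__":
    print("naive, 64 one-bit refreshes:", attack_naive(1, 64))
    print("accumulating, threshold 12:", attack_accumulating(1, 12))
```

With the naive design the attacker spends at most two guesses per refresh and stays synchronised however long the trickle runs, so the generator never recovers from the compromise. With the accumulating design the attacker still predicts every output until the fold, but then has to enumerate 2**threshold candidate pools in one go; raising the threshold to a real security level is what turns slow entropy injection into an actual recovery.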
~~~
tveita
It doesn't mention it because this is from 2012
([http://eprint.iacr.org/2012/251](http://eprint.iacr.org/2012/251)) and the
paper you mentioned is from 2013.
([http://eprint.iacr.org/2013/338](http://eprint.iacr.org/2013/338))

Here's a comment from DJB regarding the 2013 paper:
[https://twitter.com/hashbreaker/status/342320351776231425](https://twitter.com/hashbreaker/status/342320351776231425)

> [http://eprint.iacr.org/2013/338](http://eprint.iacr.org/2013/338)
> advertises "provable security" while sacrificing actual security. Don't use
> it.

------
cpeterso
Why do most academic papers not include a publication date? Is this because
the paper might be republished in different journals or conference
proceedings? It's difficult to know whether you are reading a paper that is
recent or five years old.

