1

From Definition of CSPRNG, it has two characteristics

  1. It satisfies the next-bit test.
  2. It withstands 'state compromise extensions' - part of all of the state being compromised does not allow for reconstruction of the prior stream of random numbers.

The Design of CSPRNG can be based on

  1. Cryptographic Primitives
  2. Number Theory Problems
  3. Sepcial Designs like Yarrow, Fortuna etc

If CSPRNG is constructed out of AES/Twofish/Camellia in CTR Mode, does it satisfy 2nd characteristic? i.e Compromise of internal state will not lead to reconstruction of prior stream of random numbers?

If we consider state as Counter only, or Counter and IV only (excluding the key). Will it be a CSPRNG?

Will any CPA secure Block Cipher working in Counter mode made CSPRNG under the assumption that compromise of internal state only consists of compromise of Counter only or Counter and IV only (not the key).

crypt
  • 2,417
  • 17
  • 32

3 Answers3

2

If CSPRNG is constructed out of AES in CTR Mode, does it satisfy 2nd characteristic? i.e Compromise of internal state will not lead to reconstruction of prior stream of random numbers?

No, assuming you mean the CSPRNG is just AES in CTR, the state is simply the key and the IV, therefore compromise will allow trivial generation of both past and future outputs.

Exposure of just the key is also as bad, as you can decrypt the output using the key (in ECB mode) to recover the IV.

Richie Frame
  • 13,097
  • 1
  • 25
  • 42
  • Which is why in NIST.SP.800-90A, The counter mode cipher is rekeyed after each invocation of random bit generation. – DannyNiu Jun 02 '17 at 01:57
2

This is an incorrect definition of CSPRNG and is misleading for people on this website. Forward security is an additional property that may be desirable, but this is certainly not the standard notion. Thus, it is incorrect to even say things like "AES-CTR is not a CSPRNG under this definition". Rather, please be exact, and say "AES-CTR does not fulfill forward security".

Yehuda Lindell
  • 27,820
  • 1
  • 66
  • 83
1

Depends if you consider the key to be part of the inner state. If you do then no, otherwise yes. On the one hand it is certainly part of the data structures in memory, on the other hand it doesn't change during the execution. Generally however I think most cryptanalysts would consider the key part of the state. If the key is found when the state is compromised then the second criteria certainly isn't met.

AES-CTR can be directly compared to RC4 for this kind of problem; both are just stream ciphers in the answer of Poncho to the question you referenced. So in that regard the answer of Poncho as also valid for AES-CTR. That is: it all depends on which definition you use. If you consider both points of the definition valid - including the one about state compromise - then AES-CTR is certainly not a CSPRNG.

Maarten Bodewes
  • 92,551
  • 13
  • 161
  • 313
  • AES-CTR in itself also doesn't provide reseeding by itself, where additional entropy is mixed in with the state. Although this is obviously not a requirement in your list, AES-CTR by itself would not meet the definition in NIST SP 800-90a for DRBG's. – Maarten Bodewes Jun 01 '17 at 08:28
  • Can we consider DRBGs as CSPRNG or they are PRNG? – crypt Jun 01 '17 at 09:04
  • I'd rather ask the reverse question. I think you could consider DRBGs primitives that implement a CSPRNG. So if that's the case you can wonder if a certain CSPRNG is a DRBG. In that case reseeding is not a direct requirement of a CSPRNG and we would be back at the original definition used in your question. This is why I made this a comment rather than part of the answer. – Maarten Bodewes Jun 01 '17 at 09:10