1

From the definition of a CSPRNG, it has two characteristics:

  1. It satisfies the next-bit test.
  2. It withstands 'state compromise extensions': part or all of the state being compromised does not allow for reconstruction of the prior stream of random numbers.

I am looking for PRNGs which fail the 2nd characteristic. In fact they are PRNGs but not CSPRNGs.

crypt
  • Is there something missing from your question that requires more specificity? Otherwise aren't you just looking for all the common random number generators like LFSRs, XORShift, Twister..? – Paul Uszak Jun 01 '17 at 10:58
  • Every PRNG is not a CSPRNG (I think so; it may be wrong). – crypt Jun 01 '17 at 19:07

2 Answers

4

Item (2) is not part of the definition of a standard CSPRNG. If you look at where this definition was taken from in Wikipedia, this item refers to a "forward secure CSPRNG". So, this is a definition of forward security and not the standard notion.

Also, the next-bit test is one way of defining it, but certainly not the only way.

In any case, it is easy to construct a CSPRNG that is not forward secure; simply always store the initial state.

Yehuda Lindell
  • Please refer to the correct definition of CSPRNG and forward secure CSPRNG. – crypt Jun 01 '17 at 09:38
  • @Raza that might be tricky; they are cryptographically secure until they are not. Dual_EC_DRBG is now not a CSPRNG, but it was in 2006. – daniel Jun 01 '17 at 09:43
  • @daniel It still is, but a flawed one. In the same way, MD5 is a cryptographic hash algorithm, but a broken one. Whether or not something is cryptographically secure is dictated by the design of the algorithm, not the existence of attacks or lack thereof. Compare MD5's (unmet) design goals with something like Fletcher-128 which was never designed for collision resistance in the first place. – forest Jul 10 '18 at 23:09
  • @forest I like my words better. MD5 is not a good example as it is not a provably secure hash function, the secure word is the one I'm poking fun at. A locked door is secure, if it's kicked in it was secure, but it's not secure anymore. – daniel Jul 11 '18 at 12:34
  • 1
    @daniel Indeed, when we say that something is "secure" it is always only a conjecture (unless it doesn't rely on any assumption). Ideally, we can say that it is secure under a well-established assumption. However, EC_DRBG is still a secure PRG, under the DDH assumption, just one that can have a backdoor. This possibility is not ruled out by the definition. MD5 is indeed not secure, and in hindsight it never was; we just didn't know it back then. – Yehuda Lindell Jul 11 '18 at 15:33
  • @daniel Being secure and being a cryptographically secure function are different uses of the term secure. The former describes the lack of severe, practical attacks against the construction. The latter only describes the intents behind its design. – forest Jul 12 '18 at 02:26
  • @forest I don't agree, it's more the answer to secure against what, and I assume we mean secure against a computationally bounded attacker that has all public knowledge of the thing. I could intend to make a CSPRNG, but then later someone finds it just outputs a string of 7s. My intent alone does not make it secure. – daniel Jul 12 '18 at 13:55
  • In cryptography, being "secure" is not a subjective or vague notion; it is based on a well-formulated definition. An encryption scheme cannot be said to be "secure" or "insecure" without first defining the adversary; so a scheme can be CPA secure and not CCA secure and this additional qualification is essential. So, one could try to define a "backdoor-resilient secure PRG" and then you could argue that EC_DRBG is a secure PRG that is not backdoor-resilient. However, as long as we are just talking about it as a PRG, it is secure. This is mathematics (computer science) and not emotion. – Yehuda Lindell Jul 12 '18 at 17:25
  • @YehudaLindell Late to the party, I know, but I'm confused by your assertion that "EC_DRBG" is still "secure" in the technical sense you're using. Are you talking about something other than the once NIST-standardized Dual_EC_DRBG? Assuming not, there exists a polynomial-time algorithm that can distinguish the output of this PRNG from random with non-negligible probability. Whether or not anyone knows the algorithm is irrelevant. The backdoor is there; we just can't be sure how many people have the key that unlocks it (and, orthogonally, whether it was built intentionally or by a drunk carpenter). – jerry Mar 28 '19 at 15:32
  • More directly related to your answer, do you have a link to the reference you're asserting is the source of the Wikipedia definition? The currently accepted answer to the question the OP linked points to http://www.uobabylon.edu.iq/eprints/paper_1_17913_649.pdf as the source. It does seem to match nearly word for word. I don't see any references there to "forward secure" or "forward security", but do you know of a different version? Sadly that one is lacking in a number of respects. – jerry Mar 28 '19 at 15:52
1

The ChaCha cipher is definitely not forward secure: the only state modification is to increment a counter.

dhardy
  • While technically correct, ChaCha is not a CSPRNG by itself (it is a stream cipher), it can be a building block of a CSPRNG (e.g. the Linux kernel's CRNG which uses ChaCha20 and involves backtrack protection that makes it forward secure). – forest May 12 '18 at 08:55
  • The word 'ChaCha' can comfortably refer to (a) the pseudorandom function family sometimes specifically called the 'ChaCha core'; (b) the pseudorandom function family obtained by applying the ChaCha core to a sequence of consecutive inputs; and (c) the stream cipher that uses the ChaCha core on a sequence of consecutive inputs to generate a one-time pad with which to xor a message to encrypt it. Presumably @dhardy was referring to (b). – Squeamish Ossifrage May 12 '18 at 13:45