
I saw Martijn Grooten's talk on elliptic curves at BSides London this year, and it helped me understand how elliptic curve crypto works, especially in the case of Diffie-Hellman (ECDH). He also touched on the use of EC for random number generators (e.g. Dual_EC_DRBG) and why they can be flawed / backdoored.

This got me thinking: why do we even bother using EC for CSPRNGs? What drove us to even try? Surely block-cipher based CSPRNGs (e.g. AES-CTR) would be faster and more reliable, with no potential for "hidden number" backdoors? What is the key benefit that EC brings to the world of PRNGs, which outweighs their potential for weakness?

Polynomial

1 Answer


We, for the most part, don't bother with elliptic curve-based pseudorandom generators. DUAL_EC_DRBG was shoehorned into a NIST standard that also included a block cipher generator, CTR_DRBG, and two hash-based ones—Hash_DRBG and HMAC_DRBG—that are actually used in the field.

Number-theoretic generators, which include Blum-Blum-Shub, DUAL_EC_DRBG, and several others, tend to advertise provable security. What this means is that predicting the next bit reduces to solving a presumably hard problem, like integer factorization or the discrete logarithm problem. While this is appealing to mathematicians and theorists, this kind of generator tends to be very slow and hard to implement correctly, i.e., without leaking state information via a side-channel or buggy arithmetic.

Practitioners highly favor generators based on symmetric primitives that are much faster and easy to implement and reason about and—as a bonus—also happen to resist quantum computers, if those ever get built.

Samuel Neves