International Association for Cryptologic Research

International Association
for Cryptologic Research


Immunizing Backdoored PRGs

Marshall Ball , NYU
Yevgeniy Dodis , NYU
Eli Goldin , NYU
Search ePrint
Search Google
Presentation: Slides
Conference: TCC 2023
Abstract: A backdoored Pseudorandom Generator (PRG) is a PRG which looks pseudorandom to the outside world, but a saboteur can break PRG security by planting a backdoor into a seemingly honest choice of public parameters, pk, for the system. Backdoored PRGs became increas- ingly important due to revelations about NIST’s backdoored Dual EC PRG, and later results about its practical exploitability. Motivated by this, at Eurocrypt’15 Dodis et al. [20] initiated the ques- tion of immunizing backdoored PRGs. A k-immunization scheme repeat- edly applies a post-processing function to the output of k backdoored PRGs, to render any (unknown) backdoors provably useless. For k = 1, [20] showed that no deterministic immunization is possible, but then constructed “seeded” 1-immunizer either in the random oracle model, or under strong non-falsifiable assumptions. As our first result, we show that no seeded 1-immunization scheme can be black-box reduced to any efficiently falsifiable assumption. This motivates studying k-immunizers for k ≥ 2, which have an ad- ditional advantage of being deterministic (i.e., “seedless”). Indeed, prior work at CCS’17 [35] and CRYPTO’18 [7] gave supporting evidence that simple k-immunizers might exist, albeit in slightly different settings. Un- fortunately, we show that simple standard model proposals of [35,7] (including the XOR function [7]) provably do not work in our setting. On a positive, we confirm the intuition of [35] that a (seedless) random oracle is a provably secure 2-immunizer. On a negative, no (seedless) 2-immunization scheme can be black-box reduced to any efficiently falsi- fiable assumption, at least for a large class of natural 2-immunizers which includes all “cryptographic hash functions.” In summary, our results show that k-immunizers occupy a peculiar place in the cryptographic world. While they likely exist, and can be made practical and efficient, it is unlikely one can reduce their security to a “clean” standard-model assumption.
  title={Immunizing Backdoored PRGs},
  author={Marshall Ball and Yevgeniy Dodis and Eli Goldin},