Issue title: Special issue of selected papers of 17th Central EuropeanConference on Cryptology
Guest editors: Mieczysław Kula, Damian Niwiński and Jacek Pomykała
Article type: Research Article
Authors: Hanzlik, Lucjan [a] | Kluczniak, Kamil [b] | Kutyłowski, Mirosław [c]; [†]
Affiliations: [a] Stanford University and CISPA Helmholtz Center for Information Security, 353 Serra Mall, Stanford, CA 94305, USA. lucjan.hanzlik@stanford.edu | [b] CISPA Helmholtz Center for Information Security, Stuhlsatzenhaus 5, Saarland Informatics Campus, 66123 Saarbrücken, Germany. kamil.kluczniak@cispa.saarland | [c] Wrocław University of Science and Technology, Department of Computer Science, Faculty of Fundamental Problems of Technology, Wybrzeże Wyspiańskiego 27, 50-370 Wrocław, Poland. miroslaw.kutylowski@pwr.edu.pl
Correspondence: [†] Address for correspondence: Wrocław University of Science and Technology, Faculty of Fundamental Problems of Technology, Wybrzeże Wyspiańskiego 27, 50-370 Wrocław, Poland
Note: [*] This research has been supported by Polish National Science Centre grant OPUS, no. 2014/15/B/ST6/02837, and was done while all authors were affiliated with Wrocław University of Science and Technology.
Abstract: The security of many cryptographic protocols depends on the quality of the random elements generated in the course of the protocol execution. On the other hand, cryptographic devices implementing these protocols are designed under technical limitations, usability requirements and cost constraints. This frequently results in a black box solution. Unfortunately, black box random number generators may enable backdoors for stealing signing keys, breaking authentication protocols and breaking encrypted communication. In this paper we deal with this problem and extend our approach proposed at MYCRYPT’2016. The solution discussed generates random parameters so that: (a) the protocols are backwards compatible (a user gets additional data that can simply be ignored), (b) verification of randomness may be executed at any time without notice, so a device is forced to behave honestly, (c) the solution makes almost no intrusion into the existing protocols and is easy to implement, (d) the owner of a cryptographic device becomes secure against its designer and manufacturer, who may even be able to predict the output of the generator. In this paper we focus on the case in which the Diffie-Hellman protocol is executed with a generator that is itself secret; this case was not solved in our paper from MYCRYPT’2016. On the other hand, exactly this case occurs in the PACE protocol from the ICAO standard specifying electronic travel documents. For the sake of the proof we develop a framework of nested security games that aims to enable security proofs of modified protocols without redoing the proofs designed for their original versions.
Keywords: cryptographic device, pseudorandom number generator, backdoor, provable security, security game, PACE, Diffie-Hellman key exchange
DOI: 10.3233/FI-2019-1849
Journal: Fundamenta Informaticae, vol. 169, no. 4, pp. 295-330, 2019
Publisher: IOS Press