Bad Randomness: Protecting Against Cryptography's Perfect Crime

Bad randomness attacks are extremely stealthy and difficult to detect since there’s no way to definitively prove if a number is truly random

Key attack vectors include:

• Compromised random number generators (PRNGs)
• Malware that patches/modifies random number generation
• Certificate authority injection enabling man-in-the-middle attacks
• Monitoring cryptocurrency transactions for addresses created with weak randomness

Bad randomness vulnerabilities affect multiple critical systems:

• TLS/HTTPS encryption
• Bitcoin/cryptocurrency wallets
• Authentication systems
• Digital signatures (ECDSA)

Recommended protections include:

• Distributing random number generation across multiple parties (MPC)
• Deriving randomness deterministically from existing entropy when possible
• Protecting PRNG implementations from tampering
• Reducing unnecessary randomness requirements in protocols

Humans are poor sources of entropy and should not generate random values manually

Perfect forward secrecy (PFS) alone is insufficient protection if initial randomness is compromised

The stealthy nature of bad randomness attacks makes them “perfect crimes” - they are both lethal to security and virtually undetectable

Even a single bit of randomness leakage can compromise an entire cryptographic system

Bad randomness attackers actively monitor for vulnerable implementations to exploit in real-time

Protection requires both securing random number generators and architecting systems to be resilient against compromised randomness