2017 IEEE Second International Conference on Data Science in Cyberspace

New Pseudorandom Number Generators From Block Ciphers

Ping Zhang, Honggang Hu, Xianjun Hu, Xiaolong Yang
Key Laboratory of Electromagnetic Space Information, CAS
University of Science and Technology of China, Hefei, China, 230027
Email: [email protected], {zgp,hxj2012,yxl}@mail.ustc.edu.cn

978-1-5386-1600-0/17 $31.00 © 2017 IEEE, DOI 10.1109/DSC.2017.22

Abstract—This paper proposes two classes of new pseudorandom number generators from block ciphers, called HTR and HBC. They are provably secure in the PRG-CIA (pseudorandom generator against chosen-input attacks) sense, assuming that the underlying block cipher is a secure pseudorandom permutation (PRP). HTR is a parallel structure, while HBC is a cascade structure; therefore, the implementation efficiency of HTR is higher than that of HBC. Moreover, each recursion of HTR and HBC invokes the underlying block cipher only once, which gives better performance than the ANSI X9.17 PRNG (which invokes it twice) in software and hardware implementations. We test the randomness of the output sequences with the integrated software package provided by NIST and obtain a perfect result: they have good pseudorandomness.

Index Terms—Pseudorandom number generators, block ciphers, provable security, forward security, randomness test.

I. INTRODUCTION

Randomness is closely related to the security of various cryptographic applications and protocols. For example, the secret key in a symmetric encryption scheme, the private key in asymmetric encryption and digital signature schemes, session keys in network protocols, and challenges in authentication protocols must be generated in a random fashion. A random number generator (RNG) is a program that outputs a sequence of statistically independent and unbiased binary digits. However, RNGs such as hardware-based generators, software-based generators, and de-skewing are subject to influence by external factors, and generating enough randomness is very expensive. Therefore, most applications use pseudorandom number generators (PRNGs) to generate pseudorandom sequences. A pseudorandom number generator (PRNG) is a program that takes a short truly random seed as input and generates a long random-looking sequence. Pseudorandom sequences are defined as computationally indistinguishable from truly random sequences by efficient algorithms. Therefore, the output of a PRNG can replace a random sequence in any efficient application requiring such sequences. A one-way function can be used as the iterated function of a PRNG. Examples of suitable one-way functions include hash functions such as SHA-1, or block ciphers such as AES.

Yao [31] first presented the definition of pseudorandomness and obtained the result that pseudorandom sequences could be far from uniform. Following on, Goldwasser and Micali [18] presented the notion of computationally indistinguishable sequences and provided the hybrid method in 1984. The hybrid technique is one of the most important tools in the proofs of PRNGs. Yao [31] proved that the existence of any one-way permutation implies the existence of pseudorandom generators. Subsequently, Blum et al. provided some classic constructions of PRNGs, such as the Blum-Blum-Shub generator (BBS-Generator) [8] and the Blum-Micali generator (BM-Generator) [9]. They are provably secure under reasonable number-theoretic assumptions. Blum and Micali [9] presented the construction of the BM-Generator, which is based on the intractability of the discrete logarithm problem. Blum et al. [8] gave two instances of PRNGs: the $1/P$ generator (where $P$ is a prime) and the $x^2 \bmod N$ generator (where $N = P \cdot Q$ is a product of distinct primes). They are based on continued fractions and factoring, respectively.

There are two Federal Information Processing Standard (FIPS) recommended PRNGs, namely the ANSI X9.17 PRNG and the FIPS 186 PRNG. The ANSI X9.17 PRNG is based on the Data Encryption Standard (DES), the archetypal block cipher, and was applied in the banking standard. The FIPS 186 PRNG is based on a hash function (SHA-1) and was standardized for generating randomness in the Digital Signature Algorithm (DSA). There are some analyses of the ANSI X9.17 PRNG and the FIPS 186 PRNG. Desai et al. [12] studied both in 2002: they first provided a general security framework for PRNGs and then proved security in the CIA (chosen-input attack), CSA (chosen-state attack), and KKA (known-key attack) senses.

Gilbert [14] provided "one-block-to-many" modes of operation in 2003. In [14], Gilbert presented two new schemes constructed by slight modifications of the CTR and OFB modes, analyzed their security in the Luby-Rackoff security model, and obtained the result that these slight modifications of CTR and OFB are pseudorandom. In the last few years, as interest in PRNGs has grown, many papers on PRNGs have appeared. Bertoni et al. [6] proposed a sponge-based pseudorandom number generator in 2010 and presented its security analysis. Boldyreva and Kumar [7] put forward a new hash-function-based PRNG in 2012 and proved the security of their scheme if the underlying hash function is regular (worst-case regular) and collision-resistant. Yu [32] revisited the design of regular-one-way-function-based PRNGs and presented new constructions from known-regular and unknown-regular one-way functions in 2013. Shrimpton and Terashima [30] provided the first security analysis of the Intel Secure Key hardware RNG (ISK-RNG) and proved stronger forward-security bounds for the pseudorandom bits fetched by the RDRAND instruction. Gaži et al. [17] considered the problem of devising provably secure PRNGs with input based on the sponge paradigm in 2016. They proposed a new sponge-based seeded construction of a PRNG and proved that the sponge-based PRNG is robust and secure in the ideal permutation model. Recently, there has been related work such as [11] and [29]. Degabriele et al. [11] showed efficient constructions of backdoored PRNGs (BPRNGs) and proved that these BPRNGs are forward secure in the traditional sense for a PRNG. They then focused on backdoored PRNGs with input, provided a formal definition, and presented a construction of a BPRNG with input. Finally, they presented an impossibility result for BPRNGs. Ruhault [29] formalized three security models of PRNGs (standard PRNGs, stateful PRNGs, and PRNGs with input), showed the expected security properties, and proposed secure and efficient constructions for each security model.

There are six approaches to the design of PRNGs. The first approach is the direct design method, or generic PRNG design method: one directly uses an iterated one-way function (OWF) to design a PRNG. Research on this approach continues to this day, such as [16], [19], [10], [20], [32]. The second approach is based on hash functions, such as [7]. The third approach is based on block ciphers; a typical example is [12]. The fourth approach is based on permutations; examples include [6], [17]. The fifth approach is based on sequence ciphers, such as [25], [27]. The sixth approach is based on intractability assumptions, such as the discrete logarithm, factoring, syndrome decoding, etc.; examples include [8], [9], [13], [21], [24]. Our PRNGs are based on the third approach.

Our Contributions. In this paper, we present two classes of new PRNGs. One is based on a modified CTR mode, called HTR, and the other is based on a modified HPCBC mode, called HBC. We first set up a PRNG model and provide an attack model, PRG-CIA [12]. Then we prove that they are secure PRNGs in the PRG-CIA sense, assuming that the underlying block cipher is a secure pseudorandom permutation (PRP). Moreover, we analyze the forward security and backward security of HTR and HBC, and show that HTR is both forward secure and backward secure while HBC is only forward secure. HTR is a parallel structure, while HBC is a cascade structure; therefore, the implementation efficiency of HTR is higher than that of HBC. Moreover, each recursion of HTR and HBC invokes the underlying block cipher only once, which gives better performance than the ANSI X9.17 PRNG (which invokes it twice) in software and hardware implementations. We test the randomness of HTR and HBC with the integrated software package provided by NIST and obtain a perfect result: the sequences pass all 15 statistical tests suited for random or pseudorandom generators. That is to say, the sequences generated by HTR and HBC have good pseudorandomness. They can be used in secure cryptographic protocols, secure multiparty computations, secure encryption schemes, and many other settings.

Organization of This Paper. In Section II, we introduce some notation and basic definitions. In Section III, we present some basic security theories. New constructions and analyses of PRNGs are proposed in Section IV. In Section V, we present the security and efficiency analyses of our schemes. The pseudorandomness tests and their results are presented in Section VI. Finally, the paper ends with a conclusion.

II. PRELIMINARIES

Notations. The empty string is denoted as . Let $\{0,1\}^*$ be the set of all finite-length binary strings, including the empty string. If a finite string $x$ is a member of $\{0,1\}^*$, then $|x|$ stands for the length of $x$. For two finite strings $x, y$, let $x \| y$ or $xy$ denote their concatenation. Let $x \oplus y$ be the XOR of $x$ and $y$. If $X$ is a set, let $x \xleftarrow{\$} X$ be an element randomly chosen from $X$. Let $U_n$ denote a random variable uniformly distributed over $\{0,1\}^n$. Let $\mathbb{N}$ be the set of the natural numbers.

One-way Functions [15]. A function $f : \{0,1\}^* \to \{0,1\}^*$ is called one-way if the following two conditions hold:

1. Easy to compute: there exists a (deterministic) polynomial-time algorithm $A$ such that on input $x$, algorithm $A$ outputs $f(x)$ (i.e., $A(x) = f(x)$).

2. Hard to invert: for every probabilistic polynomial-time algorithm $D$, every positive polynomial $p(\cdot)$, and all sufficiently large $n$,
$$\Pr[D(f(U_n), 1^n) \in f^{-1}(f(U_n))] < 1/p(n). \quad (1)$$

Loosely speaking, a one-way function is a function that is easy to evaluate but hard to invert (in an average-case sense). Examples of suitable one-way functions include cryptographic hash functions and block ciphers.

Block Ciphers. In cryptography, a block cipher is a one-way and deterministic algorithm operating on fixed-length groups of bits, called blocks, with an unvarying transformation that is specified by a symmetric key. A block cipher is a map $E : \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$, where $\mathcal{K}$ is the key space and, for each $K \in \mathcal{K}$, $E(K, \cdot) = E_K(\cdot)$ is a permutation of $\{0,1\}^n$. Let $\mathrm{Rand}(n)$ be the set of all functions from $\{0,1\}^n$ to $\{0,1\}^n$; $\rho \xleftarrow{\$} \mathrm{Rand}(n)$ stands for a function $\rho(\cdot)$ randomly chosen from $\mathrm{Rand}(n)$. Let $\mathrm{Perm}(n)$ be the set of all permutations on $n$ bits; $\pi \xleftarrow{\$} \mathrm{Perm}(n)$ stands for a permutation $\pi(\cdot)$ randomly chosen from $\mathrm{Perm}(n)$.

Indistinguishability [15]. Let $X_n, Y_n$ denote two random variables distributed over $\{0,1\}^n$. Variant for sequences indexed by $\mathbb{N}$: two sequences $X = \{X_n\}_{n \in \mathbb{N}}$ and $Y = \{Y_n\}_{n \in \mathbb{N}}$ are indistinguishable in polynomial time if for every probabilistic polynomial-time algorithm $D$, every positive polynomial $p(\cdot)$, and all sufficiently large $n$,
$$|\Pr[D(X, 1^n) = 1] - \Pr[D(Y, 1^n) = 1]| < 1/p(n). \quad (2)$$

Pseudorandom Generators [15]. A pseudorandom generator is a deterministic polynomial-time algorithm $G$ satisfying the following two conditions:

1. Expansion: there exists a function $l : \mathbb{N} \to \mathbb{N}$ such that $l(n) > n$ for all $n \in \mathbb{N}$, and $|G(s)| = l(|s|)$ for all $s \in \{0,1\}^*$; the function $l$ is called the expansion factor of $G$.

2. Pseudorandomness: the sequence $\{G(U_n)\}_{n \in \mathbb{N}}$ is pseudorandom.

PRNG Model. A PRNG consists of two algorithms. One is a seed generation algorithm, which generates two outputs: a key $K$ and an initial state $S_0$. The other is a sequence generation algorithm. For cascade schemes, the sequence generation algorithm takes $K$ and the current state $S_{i-1}$ as inputs, and returns a PRNG output $R_i$ and the next state $S_i$, $i \geq 1$. For parallelizable schemes, the sequence generation algorithm first pre-computes all the inner states, then takes the states and the key as inputs, and returns the pseudorandom sequence $\{R_i\}_{i \in \mathbb{N}}$. We assume that there is a "good" entropy pool that provides the source of randomness; that is, $K$ and $S_0$ are generated from the entropy pool.

III. BASIC THEORIES OF SECURITY

Security is a relatively abstract concept; it depends on the ability of the adversary. In this paper, we consider indistinguishability security against chosen-input attacks (CIA), assuming that the underlying block cipher is a secure pseudorandom permutation (PRP).

PRF and PRP Assumptions. Pseudorandomness approximates randomness: the better the approximation, the better the pseudorandomness, and the better the pseudorandomness, the more secure the scheme. An adversary is a probabilistic algorithm with access to certain oracles for the cryptographic scheme. Let $A^{O} \Rightarrow 1$ be the event that an adversary $A$ outputs 1 after interacting with the oracle $O$. Let $E : \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$ be a block cipher. Let $A$ be a PRF-adversary (pseudorandom-function adversary) that has access to encryption oracles. Then the advantage of $A$ attacking $E$ is defined as
$$\mathrm{Adv}^{\mathrm{prf}}_{E}(A) = \left| \Pr[K \xleftarrow{\$} \mathcal{K} : A^{E_K(\cdot)} \Rightarrow 1] - \Pr[\rho \xleftarrow{\$} \mathrm{Rand}(n) : A^{\rho(\cdot)} \Rightarrow 1] \right|. \quad (3)$$

Let $A$ be a PRP-adversary (pseudorandom-permutation adversary) that has access to encryption oracles. Then the advantage of $A$ attacking $E$ is defined as
$$\mathrm{Adv}^{\mathrm{prp}}_{E}(A) = \left| \Pr[K \xleftarrow{\$} \mathcal{K} : A^{E_K(\cdot)} \Rightarrow 1] - \Pr[\pi \xleftarrow{\$} \mathrm{Perm}(n) : A^{\pi(\cdot)} \Rightarrow 1] \right|. \quad (4)$$

The probabilities are taken over the random coins used by the oracles and also over the internal coins of $A$, if any. If the advantage $\mathrm{Adv}^{\mathrm{prf}}_{E}$ (or $\mathrm{Adv}^{\mathrm{prp}}_{E}$) is negligible, the block cipher $E_K$ is a secure PRF (or PRP), i.e., it is indistinguishable from a random function (or a random permutation). If the resources used by all adversaries are at most $R$, we define the maximum advantage as
$$\mathrm{Adv}(R) = \max_{A} \mathrm{Adv}(A), \quad (5)$$
where the resources of interest include the time complexity $t$, the number of queries $q$, and the maximum query complexity $\sigma$.

AXU-Hash Function Family. Families of universal hash functions are widely applied in cryptographic schemes. Here we introduce a special class of universal hash function: the almost XOR universal hash (AXU-hash) function family.

Definition 1 (AXU-Hash Function Family [22]): Let $H$ be a set of hash functions $h : X \to \{0,1\}^n$. If the following two conditions hold:

1) for any element $x \in X$ and any element $y \in \{0,1\}^n$, $\Pr_{h}[h(x) = y] \leq \delta$;

2) for any two distinct elements $x, y \in X$ and any element $z \in \{0,1\}^n$, $\Pr_{h}[h(x) \oplus h(y) = z] \leq \varepsilon$;

then $H$ is called an $(\varepsilon, \delta)$-almost XOR universal (AXU) hash function family. Examples of AXU hash function families are as follows.

1. $H_1 = \{ h_a(x_1, x_2, \cdots, x_t) = a \cdot x_1 + a^2 \cdot x_2 + \cdots + a^t \cdot x_t \mid a \in GF(2^n)^*, x_i \in GF(2^n), 1 \leq i \leq t, (x_1, x_2, \cdots, x_t) \neq (0, 0, \cdots, 0) \}$. Then $H_1$ is a $(t/2^n, t/2^n)$-AXU hash function family from $\{0,1\}^{tn} \setminus \{0^{tn}\}$ to $\{0,1\}^n$.

2. $H_2 = \{ h_{a_1, a_2, \cdots, a_t}(x_1, x_2, \cdots, x_t) = a_1 \cdot x_1 + a_2 \cdot x_2 + \cdots + a_t \cdot x_t \mid a_i \in GF(2^n), x_i \in GF(2^n), 1 \leq i \leq t, (a_1, a_2, \cdots, a_t) \neq (0, 0, \cdots, 0), (x_1, x_2, \cdots, x_t) \neq (0, 0, \cdots, 0) \}$. Then $H_2$ is a $(1/2^n, 1/2^n)$-AXU hash function family from $\{0,1\}^{tn} \setminus \{0^{tn}\}$ to $\{0,1\}^n$.

PRNGs and PRG-CIA. We revisit the notion of a pseudorandom generator against chosen-input attacks (PRG-CIA), first presented in [12]. The input here means the initial seed. The key is typically required to be hidden for PRNGs constructed from block ciphers. Without loss of generality, we assume that an adversary does not make redundant queries. An adversary can choose any input to the sequence generation algorithm. If the adversary cannot distinguish the sequence generated by the algorithm from a truly random sequence, then the algorithm is secure in the PRG-CIA sense, and the component generating this sequence is called a pseudorandom number generator (PRNG). Formally, we define a real-or-random oracle $E_K(RR(\cdot, b))$, where $b \in \{0,1\}$, that takes an input $x$. If $b = 1$, it computes $R = E_K(x)$; otherwise it outputs a random string of the same length as $R$. The scheme is a PRNG in the PRG-CIA sense if no reasonable adversary can obtain a significant advantage in distinguishing the cases $b = 0$ and $b = 1$ given access to the oracle.

Definition 2: Let $E : \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$ be a block cipher. Let $A$ be an adversary that has access to the oracle $E_K(RR(\cdot, b))$, $K \in \mathcal{K}$. PRNGs $E_K : \{0,1\}^n \to \{0,1\}^{mn}$


$(m > 1)$ are based on $E$. Let $b \in \{0,1\}$. We consider the following experiment:

Experiment $\mathrm{Exp}^{\mathrm{prg\text{-}cia\text{-}b}}_{E_K, A}(k)$
    $(K, S_0) \leftarrow \mathcal{K}(k)$
    $b' \leftarrow A^{E_K(RR(S_0, b))}$
    return $b'$

We define the advantage of the adversary $A$ via
$$\mathrm{Adv}^{\mathrm{prg\text{-}cia}}_{E_K}(A) = \left| \Pr[\mathrm{Exp}^{\mathrm{prg\text{-}cia\text{-}1}}_{E_K, A} \Rightarrow 1] - \Pr[\mathrm{Exp}^{\mathrm{prg\text{-}cia\text{-}0}}_{E_K, A} \Rightarrow 1] \right| = \Pr[A^{E_K} \Rightarrow 1] - \Pr[A^{\$} \Rightarrow 1], \quad (6)$$
where $\$ : \{0,1\}^n \to \{0,1\}^{mn}$ $(m > 1)$ is a random function. For any integers $t, q$,
$$\mathrm{Adv}^{\mathrm{prg\text{-}cia}}_{E_K}(t, q) = \max_{A} \mathrm{Adv}^{\mathrm{prg\text{-}cia}}_{E_K}(A), \quad (7)$$
where the maximum is over all $A$ with time complexity $t$, each making at most $q$ queries to the $E_K(RR(\cdot, b))$ oracle.

Hybrid Technique [15]. The hybrid technique is a widely used tool in the theory of provable security. It is, in fact, a "reducibility argument" in which the computational indistinguishability of complex sequences is proved using the computational indistinguishability of basic sequences. Note that the actual reduction goes in the other direction: efficiently distinguishing the basic sequences is reduced to efficiently distinguishing the complex sequences.

IV. NEW CONSTRUCTIONS AND ANALYSES OF PRNGS

The design of most PRNGs is based on iterated functions. A one-way function can be used as the iterated function of a PRNG. Examples of suitable one-way functions include hash functions such as SHA-1, or block ciphers such as AES. We construct two new block-cipher-based PRNGs in this section. These PRNGs are proven secure in the PRG-CIA sense, assuming that the underlying block cipher is a secure pseudorandom permutation (PRP).

A. Analyses of HTR

Specific Construction. In this section, we present the construction of HTR, which is based on a modified CTR mode. Compared with the key-stream generation of CTR, HTR uses the function $E_K(x) \oplus x$ (see footnote 1) instead of the block cipher itself, where $x$ is an input. Let $E : \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$ be a block cipher. HTR consists of two algorithms. The seed generation algorithm generates two outputs: a key $K$ and an initial state $S_0 = IV$. The sequence generation algorithm takes $K$ and $S_0$ as inputs and produces the PRNG output: the pseudorandom sequence $(R_1 \| R_2 \| \cdots \| R_m)$. The construction of HTR is described in Fig. 1.

1 The Davies-Meyer (DM) construction is the easiest way to turn a block cipher into a keyed function. If the block cipher is a secure pseudorandom permutation (PRP), then the DM construction is a secure pseudorandom function (PRF).

Algorithm 1 HTR Algorithm
Input: an $n$-bit key $K$ and an initial state $S_0 = IV \xleftarrow{\$} \{0,1\}^n$
Output: pseudorandom sequence $(R_1 \| R_2 \| \cdots \| R_m)$
    for $i = 1$ to $m$
        $S_i \leftarrow h(E_K(S_0), i)$
        $R_i \leftarrow S_i \oplus E_K(S_i)$
    return $(R_1 \| R_2 \| \cdots \| R_m)$

Algorithm 1 is in fact a sequence generation algorithm. $h$ is a hash function randomly chosen from an AXU-hash function family $H$. In the randomness test experiment we use a simple instance of an AXU-hash function family, $H = \{ h_{K'}(E_K(S_0), i) = K' \cdot i \oplus E_K(S_0) \cdot i^2 \mid K' = E_K(0^n), (E_K(S_0), i) \neq (0, 0) \}$. We use a family of AXU-hash functions to generate all the iterated states, which makes HTR parallel. $S_i$ is an internal state, $1 \leq i \leq m$, which cannot be observed by the adversary. The adversary can choose any initial state $S_0$ to query Algorithm 1.

Security Result. The following theorem gives the security of HTR: if the underlying block cipher $E$ is a secure pseudorandom permutation (PRP), HTR is a provably secure scheme in the PRG-CIA sense.

Theorem 1 (Security in the PRG-CIA Sense): Let $A$ be an adversary against HTR, making $q$ oracle queries and obtaining at most $\sigma = q + mq$ blocks. Let $B$ be a PRP distinguisher against the pseudorandomness of $E : \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$. Suppose $H$ is an $(\varepsilon, \delta)$-AXU hash function family and $h \in H$; then
$$\mathrm{Adv}^{\mathrm{prg\text{-}cia}}_{HTR}(A) \leq \mathrm{Adv}^{\mathrm{prp}}_{E}(B) + \frac{\sigma^2 (\delta + \varepsilon)}{2} + \frac{q^2}{2^{n+1}}, \quad (8)$$
where the new adversary $B$ has an additional running time equal to the time needed to process the queries from $A$.

Proof: Let $K \xleftarrow{\$} \mathcal{K}$, $\pi \xleftarrow{\$} \mathrm{Perm}(n)$. By the definition of the advantage of an adversary, we have
$$\begin{aligned}
\mathrm{Adv}^{\mathrm{prg\text{-}cia}}_{HTR}(A) &= \Pr[A^{HTR} \Rightarrow 1] - \Pr[A^{\$} \Rightarrow 1] \\
&= \Pr[A^{HTR[E_K]} \Rightarrow 1] - \Pr[A^{HTR[\pi]} \Rightarrow 1] + \Pr[A^{HTR[\pi]} \Rightarrow 1] - \Pr[A^{\$} \Rightarrow 1] \\
&= \mathrm{Adv}^{\mathrm{prp}}_{E}(B) + \mathrm{Adv}^{\mathrm{prg\text{-}cia}}_{HTR[\pi]}(A), \quad (9)
\end{aligned}$$
where $\$ : \{0,1\}^n \to \{0,1\}^{mn}$, $m > 1$, is a random function, $B$ is a new adversary against the pseudorandomness of $E_K$, and $B$ uses $A$ as a subroutine and simulates the oracles for $A$. Since the underlying block cipher $E_K$ is a pseudorandom permutation (PRP), $\mathrm{Adv}^{\mathrm{prp}}_{E}(B)$ is negligible. Next we need to bound $\mathrm{Adv}^{\mathrm{prg\text{-}cia}}_{HTR[\pi]}(A)$. Let $G_0$ be an accurate simulation of the real world with $HTR[\pi]$, and let $G_1$ stand for the random world. Let $Good$ denote the event that the inputs $x$ to $\rho(x) = \pi(x) \oplus x$ are all distinct and the outputs of $\rho$ are all distinct, and let $Bad = \neg Good$. Let $\Pr_0[\circ]$ denote the probability of the event $\circ$ in $G_0$, and $\Pr_1[\circ]$ the probability of the event $\circ$ in $G_1$.
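The PRG-CIA real-or-random experiment of Definition 2 and the advantage of equations (6) and (7), written out as an empirical harness. This is an added Python example, not code from the paper: the two generators (a deliberately repeating one and a counter-style hash generator), the adversaries, and the use of SHA-256 in place of a block cipher are all constructed stand-ins, not HTR or HBC. The point it shows is what the definition measures: the adversary picks the input $S_0$ itself, sees either the real output or a uniform string of the same length, and its advantage is the gap between its acceptance rates in the two worlds.

```python
"""PRG-CIA real-or-random experiment (Definition 2, eqs. (6)-(7)) as an empirical harness.
All generators and adversaries here are constructed stand-ins for illustration."""
import hashlib
import os
import random

N_BYTES = 16  # block length n = 128 bits


def weak_gen(key: bytes, s0: bytes, m: int) -> bytes:
    """Constructed insecure generator: every output block is the same digest of (K, S_0)."""
    block = hashlib.sha256(key + s0).digest()[:N_BYTES]
    return block * m


def ctr_hash_gen(key: bytes, s0: bytes, m: int) -> bytes:
    """Constructed counter-style generator: R_i = H(K || S_0 || i), so blocks differ for distinct i."""
    return b"".join(
        hashlib.sha256(key + s0 + i.to_bytes(4, "big")).digest()[:N_BYTES]
        for i in range(1, m + 1)
    )


def rr_oracle(gen, key: bytes, b: int):
    """E_K(RR(., b)): with b = 1 return the real output R; with b = 0 return a uniform string of |R| bits."""
    def oracle(x: bytes, m: int) -> bytes:
        real = gen(key, x, m)
        return real if b == 1 else os.urandom(len(real))
    return oracle


def repeat_detector(oracle) -> int:
    """Adversary A: chooses S_0 itself (chosen input), asks for m = 4 blocks and outputs 1
    if any two blocks coincide, which a uniform 512-bit string almost never does."""
    out = oracle(b"\x00" * N_BYTES, 4)
    blocks = [out[i:i + N_BYTES] for i in range(0, len(out), N_BYTES)]
    return int(len(set(blocks)) < len(blocks))


def always_one(oracle) -> int:
    """Adversary that ignores the oracle; its advantage is 0 by construction."""
    return 1


def experiment(gen, adversary, b: int, rng: random.Random) -> int:
    """Exp^{prg-cia-b}_{E_K,A}(k): sample K, hand A the oracle, return A's guess b'."""
    key = rng.randbytes(N_BYTES)  # (K, S_0) <- K(k); here A supplies its own S_0
    return adversary(rr_oracle(gen, key, b))


def estimate_advantage(gen, adversary, trials: int, seed: int = 0) -> float:
    """Empirical Adv = Pr[Exp^{prg-cia-1} => 1] - Pr[Exp^{prg-cia-0} => 1], `trials` runs per world."""
    rng = random.Random(seed)
    ones = {0: 0, 1: 0}
    for b in (0, 1):
        for _ in range(trials):
            ones[b] += experiment(gen, adversary, b, rng)
    return (ones[1] - ones[0]) / trials


if __name__ == "__main__":
    for name, gen in (("weak", weak_gen), ("ctr-hash", ctr_hash_gen)):
        print(name, "vs repeat_detector:", estimate_advantage(gen, repeat_detector, 200))
```

Against the repeating generator the detector's advantage is essentially 1 (it accepts every real output and almost never a random one); against the counter-style generator, and for the trivial adversary, it is 0. Note that the oracle's random world is the only source of randomness the adversary ever sees, so this harness also illustrates why the advantage is defined over the adversary's coins as well as the oracle's.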


Fig. 1. The construction of HTR (figure not recoverable from extraction; only the label $S_0 = IV$ survives).
Specific Construction. Inspired by HTR, we present another scheme, HBC, in this section. HBC is constructed by modifying the HPCBC mode. HBC uses the function $E_K(x) \oplus x$ instead of the iterated block cipher $E_K$ (if $E_K$ were used in HBC directly, a cryptanalysis would be very easy to find), where $x$ is an input. Let $E : \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$. HBC consists of two algorithms. The seed generation algorithm generates two outputs: a key $K$ and an initial state $S_0 = IV$. The sequence generation algorithm takes $K$ and $S_0$ as inputs and produces the PRNG output: the pseudorandom sequence $(R_1 \| R_2 \| \cdots \| R_m)$. The construction of HBC is described in Fig. 2.

Algorithm 2 HBC Algorithm
Input: an $n$-bit key $K$ and an initial state $IV$
Output: pseudorandom sequence $(R_1 \| R_2 \| \cdots \| R_m)$
    $S_0 = IV \xleftarrow{\$} \{0,1\}^n$
    $R_0 \leftarrow E_K(S_0)$
    for $i = 1$ to $m$
        $S_i \leftarrow h(R_{i-1})$
        $R_i \leftarrow S_i \oplus E_K(S_i)$
    return $(R_1 \| R_2 \| \cdots \| R_m)$

Algorithm 2 is in fact a sequence generation algorithm. $h$ is a hash function randomly chosen from an AXU-hash function family $H$. In the randomness test experiment we use a simple instance of an AXU-hash function family, $H = \{ h_{K'}(x) = K' \cdot x \mid K' = E_K(0^n), K' \in GF(2^n), x \neq 0 \}$.

1 is a random function, $B$ is a new adversary against the pseudorandomness of $E_K$, and $B$ uses $A$ as a subroutine and simulates the oracles for $A$. Since the underlying block cipher $E_K$ is a pseudorandom permutation (PRP), $\mathrm{Adv}^{\mathrm{prp}}_{E}(B)$ is negligible. Next we need to bound $\mathrm{Adv}^{\mathrm{prg\text{-}cia}}_{HBC[\pi]}(A)$. Let $G_0$ be an accurate simulation of the real world with $HBC[\pi]$, and let $G_1$ stand for the random world. Let $Good$ denote the event that the inputs $x$ to $\rho(x) = \pi(x) \oplus x$ are all distinct and the outputs of $\rho$ are all distinct, and let $Bad = \neg Good$. Let $\Pr_0[\circ]$ denote the probability of the event $\circ$ in $G_0$, and $\Pr_1[\circ]$ the probability of the event $\circ$ in $G_1$. Then we have
$$\begin{aligned}
\mathrm{Adv}^{\mathrm{prg\text{-}cia}}_{HBC}(A) &= \Pr[A^{HBC} \Rightarrow 1] - \Pr[A^{\$} \Rightarrow 1] \\
&= \Pr[A^{HBC[E_K]} \Rightarrow 1] - \Pr[A^{HBC[\pi]} \Rightarrow 1] + \Pr[A^{HBC[\pi]} \Rightarrow 1] - \Pr[A^{\$} \Rightarrow 1] \\
&= \mathrm{Adv}^{\mathrm{prp}}_{E}(B) + \mathrm{Adv}^{\mathrm{prg\text{-}cia}}_{HBC[\pi]}(A), \quad (21)
\end{aligned}$$
$$\Pr[A^{HBC[\pi]} \Rightarrow 1] = \Pr_0[A^{G_0} \Rightarrow 1 \mid Good] \Pr_0[Good] + \Pr_0[A^{G_0} \Rightarrow 1 \mid Bad] \Pr_0[Bad], \quad (22)$$
and
$$\Pr[A^{\$} \Rightarrow 1] = \Pr_1[A^{G_1} \Rightarrow 1 \mid Good] \Pr_1[Good] + \Pr_1[A^{G_1} \Rightarrow 1 \mid Bad] \Pr_1[Bad]. \quad (23)$$

As the only difference between $G_0$ and $G_1$ is the underlying function, $\Pr_0[Bad] = \Pr_1[Bad]$. The output of $G_0$ in the $Good$ case is random, so $\Pr_0[A^{G_0} \Rightarrow 1 \mid Good] = \Pr_1[A^{G_1} \Rightarrow 1 \mid Good]$. Therefore, we have
$$\mathrm{Adv}^{\mathrm{prg\text{-}cia}}_{HBC[\pi]}(A) = \Pr[A^{HBC[\pi]} \Rightarrow 1] - \Pr[A^{\$} \Rightarrow 1] \leq \Pr_0[Bad]. \quad (24)$$

Fig. 2. The construction of HBC (figure not recoverable from extraction; only the label $S_0 = IV$ survives).
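Algorithms 1 and 2, with the two AXU-hash instances the paper uses in its randomness tests, as one runnable Python example. This is added code, not the authors' implementation: it assumes a 4-round Feistel network built from HMAC-SHA256 as the block cipher $E_K$ (a Luby-Rackoff stand-in chosen so the example needs only the standard library; the paper's tests use a real block cipher), the usual degree-128 reduction polynomial for $GF(2^{128})$, and a constructed key and seed. It also carries Definition 1 one step further than the paper's statement: `axu_parameters` exhaustively measures $(\varepsilon, \delta)$ of the family $H_2$ with $t = 1$ over the small field $GF(2^4)$, where the stated $(1/2^n, 1/2^n)$ bound can be checked by enumeration.

```python
"""HTR (Algorithm 1) and HBC (Algorithm 2) over a stand-in PRP, plus an exhaustive
(epsilon, delta) check of the AXU family H2 with t = 1 from Definition 1.
The Feistel cipher, key and seed below are assumptions of this example, not the paper's."""
import hashlib
import hmac

N = 128                          # block size n in bits
POLY128 = (1 << 128) | 0x87      # x^128 + x^7 + x^2 + x + 1, the usual GF(2^128) modulus
MASK64 = (1 << 64) - 1


def gf_mul(a: int, b: int, n: int = N, poly: int = POLY128) -> int:
    """Multiply a and b in GF(2^n) with the given degree-n reduction polynomial."""
    top = 1 << n
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & top:
            a ^= poly
    return r


def _round_fn(key: bytes, rnd: int, half: int) -> int:
    # Feistel round function: HMAC-SHA256 of (round index, 64-bit half), truncated to 64 bits.
    msg = bytes([rnd]) + half.to_bytes(8, "big")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:8], "big")


def prp_encrypt(key: bytes, x: int) -> int:
    """E_K(x): a 4-round Feistel (Luby-Rackoff) permutation on 128-bit blocks.
    Assumed stand-in for a real block cipher such as AES so the example runs offline."""
    left, right = x >> 64, x & MASK64
    for rnd in range(4):
        left, right = right, left ^ _round_fn(key, rnd, right)
    return (left << 64) | right


def davies_meyer(key: bytes, s: int) -> int:
    """S_i xor E_K(S_i): the keyed function both PRNGs apply to each internal state."""
    return s ^ prp_encrypt(key, s)


def htr(key: bytes, s0: int, m: int) -> list[int]:
    """Algorithm 1 (HTR). S_i = h(E_K(S_0), i) = K'*i xor E_K(S_0)*i^2 over GF(2^n), K' = E_K(0^n).
    Each S_i depends only on (E_K(S_0), i), so the loop body could run in parallel."""
    k_prime = prp_encrypt(key, 0)
    e_s0 = prp_encrypt(key, s0)
    out = []
    for i in range(1, m + 1):          # i >= 1, so (E_K(S_0), i) != (0, 0) always holds
        s_i = gf_mul(k_prime, i) ^ gf_mul(e_s0, gf_mul(i, i))
        out.append(davies_meyer(key, s_i))
    return out


def hbc(key: bytes, s0: int, m: int) -> list[int]:
    """Algorithm 2 (HBC). R_0 = E_K(S_0); S_i = h(R_{i-1}) = K'*R_{i-1}; R_i = S_i xor E_K(S_i).
    Each state depends on the previous output, so the chain is inherently sequential."""
    k_prime = prp_encrypt(key, 0)
    r = prp_encrypt(key, s0)
    out = []
    for _ in range(m):
        # h is defined for x != 0; R_{i-1} = 0 occurs with probability 2^-n and is not special-cased.
        s_i = gf_mul(k_prime, r)
        r = davies_meyer(key, s_i)
        out.append(r)
    return out


def axu_parameters(n: int, poly: int) -> tuple[float, float]:
    """Exhaustively measure (epsilon, delta) of H2 with t = 1, h_a(x) = a*x, x != 0, over GF(2^n).
    Definition 1: delta bounds Pr_a[h_a(x) = y]; epsilon bounds Pr_a[h_a(x) xor h_a(y) = z]."""
    q = 1 << n
    delta = max(
        sum(gf_mul(a, x, n, poly) == y for a in range(q)) / q
        for x in range(1, q) for y in range(q)
    )
    eps = max(
        sum(gf_mul(a, x, n, poly) ^ gf_mul(a, y, n, poly) == z for a in range(q)) / q
        for x in range(1, q) for y in range(1, q) if x != y for z in range(q)
    )
    return eps, delta


if __name__ == "__main__":
    key = bytes(range(16))                                # constructed demo key, not a secret
    seed = int.from_bytes(b"constructed-seed", "big")     # constructed 128-bit S_0
    for name, gen in (("HTR", htr), ("HBC", hbc)):
        print(name, [f"{r:032x}" for r in gen(key, seed, 3)])
    print("H2 (t=1) over GF(2^4) gives (eps, delta) =", axu_parameters(4, 0b10011))
```

Two properties worth checking when running it: both generators are prefix-consistent (asking for $m$ blocks and then truncating equals asking for fewer), which is what lets HTR be computed block-by-block in parallel while HBC must walk the chain; and over $GF(2^4)$ the exhaustive scan returns exactly $(1/16, 1/16)$, matching the $(1/2^n, 1/2^n)$ the paper states for $H_2$, because for $x \neq 0$ the equation $a \cdot x = y$ has exactly one solution $a$ in a field.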