Sponge-based PRNGs: A Provable Security Perspective. Stefano Tessaro (UCSB). Based on joint work with Peter Gaži (IST Austria). wr0ng, Paris, April 30, 2017
The Sponge Construction [BDPVA08]
• Input M ∈ {0,1}* is padded and split into r-bit blocks M_1, M_2, ..., M_L.
• State: n bits, initialized to 0, consisting of an outer r-bit part and an inner part of c = n - r bits.
• Absorbing: each block M_i is XORed into the outer r bits, then the (invertible) permutation π: n bits → n bits is applied.
• Output H(M): truncate the final state to r bits.
The Sponge Paradigm – Beyond hashing The sponge paradigm has been used to build: • Authenticated encryption schemes • Message-authentication codes / PRFs • PRNGs
Pseudorandom Number Generators
PRNG with input: weak randomness → entropy pool → pseudorandom bits.
• Few PRNGs come with security proofs: [Barak-Halevi, CCS'05], [Dodis-Pointcheval-Ruhault-Vergnaud-Wichs, CCS'13], [Shrimpton-Terashima, EC'15], [Dodis-Shamir-Stephens-Davidowitz-Wichs, CRYPTO'14].
• Real-world PRNGs are rarely designed with provable security in mind!
This talk, in a nutshell Discuss state of the art on sponge-based PRNGs , and challenges in their provable security! Talk based on: Peter Gaži and Stefano Tessaro. Provably Robust Sponge-Based PRNGs and KDFs. EUROCRYPT ‘16 Main take-home messages: 1. Sponge-based PRNGs are elegant designs . 2. Proper analysis of sponge-based PRNGs presents several technical challenges . 3. This will bring up some food-for-thought .
Roadmap of this talk 1. PRNGs: Sponge-based Instantiations 2. Provably-robust sponge-based PRNGs 3. Conclusions and open questions
PRNGs with Input [DPRVW13]
• setup() → seed
• refresh(seed, state, input) → new state
• next(seed, state) → (new state, output)
The state evolves through an arbitrary interleaving of refresh and next calls; every call takes the seed.
Desiderata – Pseudorandomness: the output bits of next are indistinguishable from truly random bits, provided enough entropy has been injected by the preceding refresh calls.
Desiderata – Forward secrecy: even if the attacker compromises the state, it cannot distinguish previous outputs from random! (Outputs produced before the compromise stay random; those produced right after it are possibly not.)
Desiderata – Backward secrecy: even if the attacker compromises the state, future output bits are pseudorandom again once enough entropy has been injected. (Outputs produced right after the compromise are possibly not random; those after sufficient refreshing are.)
Sponge-based PRNGs: Existing Proposal [BDPvA10]
• refresh: absorb the input into the state through π; next: output the outer r bits of the state, then apply π.
• Simple and elegant design + analysis in a simple model.
• Implemented, e.g., on microcontrollers [vHV14].
• Three main issues with the analysis, which we are aiming to resolve!
Problem 1: No Forward Secrecy
Let T be the state right after a next call (i.e., after its π-call). An attacker who compromises T can easily compute π^{-1}(T), read off the outer r bits of the previous state, and thereby distinguish the previous output from random!
• recognized in [BDPVA10]
• proposed patch: zeroing the upper (outer) bits after next; not analyzed
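The attack, and the effect of the zeroing patch, on a toy sponge. This is an added example written for this page, not code from the talk or from [BDPvA10]: the 32-bit state, the split r = 8 / c = 24, the 4-round Feistel permutation π and the exact placement of the output and the π-call inside next are assumptions chosen for illustration, not the parameters of any real design.

```python
# Added example (not from the talk or the [BDPvA10] paper): a toy sponge PRNG
# with a tiny invertible permutation, showing the forward-secrecy break of
# "output r bits, then apply pi" and why zeroing the upper r bits fixes it.
import os

N_BITS, R_BITS = 32, 8            # toy n = r + c; real sponges use e.g. n = 1600
C_BITS = N_BITS - R_BITS          # c = 24
LOWER_MASK = (1 << C_BITS) - 1    # selects the c-bit inner part of the state
MASK16 = 0xFFFF
ROUND_KEYS = (0x1234, 0xABCD, 0x5EED, 0x0F0F)   # public constants, no secrecy


def _f(x, k):
    """Feistel round function: add a constant, then xor with a rotation."""
    x = (x + k) & MASK16
    return x ^ (((x << 3) | (x >> 13)) & MASK16)


def pi(s):
    """Public n-bit permutation: 4-round Feistel on two 16-bit halves."""
    l, r = s >> 16, s & MASK16
    for k in ROUND_KEYS:
        l, r = r, l ^ _f(r, k)
    return (l << 16) | r


def pi_inv(s):
    """Inverse of pi: run the Feistel rounds backwards."""
    l, r = s >> 16, s & MASK16
    for k in reversed(ROUND_KEYS):
        l, r = r ^ _f(l, k), l
    return (l << 16) | r


def next_plain(state):
    """[BDPvA10]-style squeeze as read from the slide: output the outer r bits
    of the state, then apply pi.  Returns (new_state, output)."""
    out = state >> C_BITS
    return pi(state), out


def next_zeroing(state):
    """The patch mentioned on the slide: zero the outer r bits once the output
    has been taken, then apply pi.  Returns (new_state, output)."""
    out = state >> C_BITS
    return pi(state & LOWER_MASK), out


def attack(compromised_state):
    """Forward-secrecy attack: invert pi on the compromised state and read the
    outer r bits of the preimage, i.e. the previous output."""
    return pi_inv(compromised_state) >> C_BITS


def trial(trials=1000, rng=os.urandom):
    """Runs the attack against both next variants on uniformly random secret
    states.  Returns (hits_plain, hits_zeroing): how often the attacker's
    guess equals the real previous output."""
    hits_plain = hits_zeroing = 0
    for _ in range(trials):
        state = int.from_bytes(rng(4), "big")
        new_state, out = next_plain(state)
        hits_plain += attack(new_state) == out
        new_state, out = next_zeroing(state)
        hits_zeroing += attack(new_state) == out   # preimage has 0^r on top
    return hits_plain, hits_zeroing


if __name__ == "__main__":
    print(trial())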
Problem 2: No Seed Pseudorandomness: If inputs have sufficient entropy, then output should be uniform! 𝐽 & , 𝐽 * uniformly 𝐽 & 𝐽 * 𝑎 distributed such that first bit of 𝑎 equals 0. π π π Clearly, 𝑎 is not pseudorandom! refresh refresh next Yet, 𝐽 & , 𝐽 * has almost max entropy! [BDPVA10] did not have this issue, due to technical (only one bit loss) reasons in their proof … coming next ...
Problem 3: Modeling the Permutation π π π π π refresh refresh next refresh next Proofs for sponge-based construction rely on the random permutation model! I.e., 𝜌 is random + adversary has access to 𝜌 / 𝜌 %& Previous attack: Input distribution depends on 𝜌 !!! Existing proofs: Distribution is independent of 𝜌 !!!
Permutation-dependence and the seed: Why care? Typical argument: Real-world distributions behave nicely! Possible, but … it is not easy to characterize what “real-world distribution” means...
Roadmap of this talk 1. PRNGs: Sponge-based Instantiations 2. Provably-robust sponge-based PRNGs 3. Conclusions and open questions
Our goals Goal: Find a sponge-based PRNG with: • Forward secrecy + backward secrecy. • Pseudorandomness for all high-entropy sources – including those that may depend on the permutation.
SPRG: Our Proposal for Sponge-based PRNGs input seed output 0 π π π refresh next - setup : sample seed - refresh: input whitening using seed - next : upper-state zeroing, additional π -call
How to model security? Robustness notion [DPRVW13] adapted to the random permutation model. Main ideas: • The source of weak randomness is also adversarial. • Incorporates both forward and backward security within same security game! Distribution sampler D Attacker A - generates inputs to PRNG - knows the seed - legitimate: provides truthful - can compromise state entropy lower bounds - can trigger refresh - does not know seed! - can ask for a real-or-random challenge
Robust PRNGs [DPRVW13] D D D 𝐽 - 𝐽 & 𝑨 & , 𝛿 & 𝐽 * 𝑨 * , 𝛿 * 𝑨 - , 𝛿 - refresh refresh refresh next next seed seed seed seed seed 𝑍 𝑍 * & seed A A A A A Legitimate sampler: 𝐈 2 𝐽 3 𝐽 453 , 𝑨 & , 𝑨 * , . . , 𝑨 7 ≥ 𝛿 3 Here: 𝐈 2 𝑌 𝑍 = min > 𝐈 2 (𝑌|𝑍 = 𝑧)
Robust PRNGs [DPRVW13] ^ ∗ %_`a 𝐵, 𝐸 = 2 ⋅ Pr 𝑐 = 𝑐 h − 1 Adv Z[\] init: - 𝑡𝑓𝑓𝑒 ← 𝐭𝐟𝐮𝐯𝐪() - inital state ← IV - 𝑐 ← {0,1} refresh: 𝐽 3 , 𝛿 3 , 𝑨 3 ← 𝐸; 𝐬𝐟𝐠𝐬𝐟𝐭𝐢 𝑡𝑓𝑓𝑒, 𝐽 3 return ( 𝑨 3 , 𝛿 3 ) 𝑡𝑓𝑓𝑒 get-state: returns current state Compromise! set-state: sets current state A get-challenge: 𝑆 0 ← 𝐨𝐟𝐲𝐮(𝑡𝑓𝑓𝑒) ; 𝑆 1 ← $ b’ if ( ∑𝛿 4 ≥ 𝛿 ∗ since last compromise ) return 𝑆 𝑐 else return 𝑆 0
Extension to the Random Permutation Model Basic idea: Add permutation access for everyone! [Yes, even for D!] init: - 𝑡𝑓𝑓𝑒 ← 𝐭𝐟𝐮𝐯𝐪 𝝆 () - initial state ← IV refresh: - 𝑐 ← {0,1} 3 ← 𝐸 𝝆 ; 𝐬𝐟𝐠𝐬𝐟𝐭𝐢 𝝆 𝑡𝑓𝑓𝑒, 𝐽 𝐽 3 , 𝛿 3 , 𝑨 3 return ( 𝑨 3 , 𝛿 3 ) 𝑡𝑓𝑓𝑒 get-state: returns current state Compromise! set-state: sets current state 𝐵 𝝆 get-challenge: 𝑆 0 ← 𝐨𝐟𝐲𝐮 𝝆 (𝑡𝑓𝑓𝑒) ; 𝑆 1 ← $ b’ if ( ∑𝛿 4 ≥ 𝛿 ∗ since last compromise ) return 𝑆 𝑐 else return 𝑆 0
RPM Legitimate Samplers Catch: What does 𝐈 2 𝐽 3 𝐽 453 , 𝑨 & , 𝑨 * , . . , 𝑨 7 ≥ 𝛿 3 mean in the RPM? – 𝐽 3 may be unpredictable only for attackers with bounded queries to 𝝆 3 = 𝝆 7 (0 o ) – Example: 𝐽 Current definition of legitimate sampler: A somewhat-unsatisfactory monster!
Legitimate samplers 𝐈 2 𝐽 3 𝐽 453 , 𝑨 & , 𝑨 * , . . , 𝑨 7 ≥ 𝛿 3 “No adversary making 𝑟 q queries to 𝜌 should 3 with prob. better than 2 %^ r , be able to guess 𝐽 even given all 𝐽 4 for 𝑘 ≠ 𝑗 , 𝑨 & , … , 𝑨 7 , and all permutations queries made by 𝐸 , except those needed to compute 𝐽 3 ” “ 𝑟 q -legitimate sampler”
e.g., 𝑜 = 1600 , 𝑑 ≥ 1024 Main Theorem – Robustness input 𝑜 = 𝑠 + 𝑑 seed output 𝑠 bits 0 π π π 𝑑 bits refresh next Theorem. [Informal] ∀𝐸, 𝐵 making ≤ 𝑟 q queries, and 𝐵 making ≤ 𝑟 y real-or-random queries: ^ ∗ %_`a 𝐵, 𝐸 ≤ 𝑟 y ×(something small) Adv Z[\] ƒ As long as: 𝑟 q ≤ min{2 ^∗ , 2 „ , 2 _ }
Proof overview – Two Steps 𝜹 ∗ -recovering security 𝑍 vs seed A D D D 𝛿 7 , 𝑨 7 𝛿 & , 𝑨 & 𝛿 * , 𝑨 * 𝐽 7 𝐽 & 𝐽 * 𝑇 " refresh next refresh refresh ∑𝛿 4 ≥ 𝛿 ∗ seed seed seed seed preserving security If initialized with “good seed A 𝑍 state”, output of next is vs pseudorandom for 𝐽 * 𝐽 & adversarially chosen 𝐽 & , 𝐽 * , … refresh refresh next “good state” seed seed seed
Two key lemmas source material “Sponge extraction lemma” seed seed o u π π IV t Analysis of next 𝑎 0 _ π π 𝑇 𝑈 S next
Key Lemma– Sponge Extraction Key question: Can sponges act as good randomness extractors? 𝐽 & 𝐽 7 seed seed o u π π IV t E.g. 𝑡𝑓𝑓𝑒, 𝑝𝑣𝑢 ≈ (𝑡𝑓𝑓𝑒, $) if 𝐈 2 𝐽 & … 𝐽 7 ≥ 𝛿 ∗
It depends: One-round case e.g., imagine source samples 𝐽 𝐽 = 0||𝑋 seed where W is a uniform 𝑠 − 1 - bit string. Distinguisher 𝐸 𝑡𝑓𝑓𝑒, 𝑍 : 𝑍 IV π 𝑈 ← 𝜌 %& (𝑍) if 𝑈 1 ⊕ 𝐽𝑊 1 ⊕ 𝑡𝑓𝑓𝑒 1 = 0 then return 1 else return 𝟏 The attack was possible because we have been able to query 𝜌 %& 𝑍 … so what if we can’t?
It depends: One-round case Intuition: If 𝐸 𝑡𝑓𝑓𝑒, 𝑍 𝐽 cannot query 𝜌 %& (𝑍) , then needs to query 𝜌(𝐽𝑊 ⊕ seed 𝑡𝑓𝑓𝑒 ⊕ 𝐽) on all possible 𝐽 ’s! 𝑍 IV π Work needed to distinguish: 2 𝐈 • (–) = 2 _%& queries to 𝜌 ! Main observation: Restriction that 𝜌 %& (𝑍) is never queried is valid in applications where 𝑍 is used as a secret key!
Recommend
More recommend