On some properties of PRNGs based on block ciphers in counter mode

Transcription

1 On some properties of PRNGs based on block ciphers in counter mode Alexey Urivskiy, Andrey Rybkin, Mikhail Borodin JSC InfoTeCS, Moscow, Russia 2016

2 Pseudo Random Number Generators G: 0,1 m 0,1 M for M m Typical assumptions for a cryptographic PRNG: G is efficiently computable the seed is uniformly distributed on 0,1 m G is random-like : no polynomial statistical test can distinguish G from a truly random generator with uniform distribution (informally)

3 Pseudo Random = Unpredictable Predictability problem: predict the next output bit for G with probability better than ½ if all previously output bits are known Next-bit test: G passes the test if the next bit cannot be predicted by any polynomial predictor. Theorem [Yao 82] : if G passes the next-bit test it will pass any polynomial statistical test.

4 PRNGs based on block ciphers G1 E(K, T) block cipher K V k key T V n message G1: for i=0 to M do count IV + i mod 2 n a i E K, count Consider the case M < N = 2 n.

5 PRNGs based on block ciphers G1 G1 is highly appreciated and widely used ISO/IEC CTR_DRBG. However, if G1 has output a symbol, it will never output it again For M~ N due to the birthday paradox becomes distinguishable from a truly random uniform generator.

6 PRNGs based on block ciphers G2 G2: for i = 0 to M do count IV + i mod 2 n a i E K, count E 1 K, count + 1

7 PRNGs based on block ciphers G2 IV K +1 E(K, T) E 1 (K, T + 1)

8 PRNGs based on block ciphers G2 G2: for i = 0 to M do count IV + i mod 2 n a i E K, count E 1 K, count + 1 Will a second cipher help? and how?

9 Idealized model for PRNGs Assumption 1: encryption (decryption) procedure of an n-bit block cipher with a random key is a random permutation on V n n -2 2 n -1 σ(0) σ(1) σ(2) σ(2 n -2) σ(2 n -1) Typical to cryptanalysis: a good block cipher with a random key must be indistinguishable from a random permutation.

10 Idealized model for PRNGs Assumption 2: encryption and decryption procedures of a block cipher with the same random key are independent so they are the two random and independent permutations on V n. G1I: E K, T σ T G2I: E K, T E 1 K, T + 1 σ 1 T σ 2 (T + 1)

11 Does IV matter? σ (i) = σ( i + IV mod 2 n ) Another choice of IV leads to a different σ given σ, however from the same set: IV = 0 G1I: E K, T σ T G2I: E K, T E 1 K, T + 1 σ 1 T σ 2 (T)

12 Output sequences G1I: a 0, a 1, a 2,, a N 2, a N 1 N N 1 N = N! N 1 G2I: σ i = 0 i V n i=0 a i = σ 1 i σ 2 i = 0 i V n a 0, a 1, a 2,, a N 2, a N 1 N N N N 1 N N 1

13 Theorem (Hall 52). For any sequence a 0, a 1,, a N 1, a i V n, i = 0,1,, 2 n 1, satisfying the condition N 1 i=0 a i = 0 there exists at least one pair of permutations σ 1, σ 2 on V n such that a i = σ 1 i σ 2 i. a 0, Output sequences a 1, a 2,, a N 2, a N 1 N N N N 1 = N N 1

14 Output sequences: summary Type Number (of length N ) G1I σ count all elements are different N! G2I σ 1 count σ 2 (count) any fixed N 1 elements are arbitrary N N 1 N! N N 1 = 2πN NN e N N = N ln N e 2πN NN

15 Equivalent representation for G2I N N N N 3 M = N 4 N 1 N 1 N 2 N 3 N 4 0

16 Equivalent representation for G2I Definition. A sequence of pairs of indices i 0, j 0, i 1, j 1,, (i N 1, j N 1 ), i l, j l {0,1,, N 1}, i k i t, j k j t for any t k is called a trajectory on M. Definition. The sequence M i 0, j 0, M i 1, j 1,, M(i N 1, j N 1 ) is called the output of the trajectory i 0, j 0, i 1, j 1,, (i N 1, j N 1 )

17 Equivalent representation for G2I Proposition. Between the set of ordered pairs of permutations on V n and the set of trajectories on matrix M a one-to-one correspondence can be defined so that the sum of the pair of permutations will coincide with the output of the corresponding trajectory. Corollary. The generation process is: the s-th output symbol a s is chosen randomly from M. After that the row and the column containing a s are struck out from M.

18 Equivalent representation for G2I N N 2 M = N N 4 N 1 N 2 N 3 N 4 0

19 Equivalent representation for G2I N N 2 M = N N 4 N 1 N 2 N 3 N 4 0 a 0 = 3 2,1,

20 Equivalent representation for G2I N N 2 M = N N 4 N 1 N 2 N 3 N 4 0 a 0 = 3 2,1,

21 Equivalent representation for G2I N N 2 M = N N 4 N 1 N 2 N 3 N 4 0 a 0 = 3, a 1 = 2 2,1, (1,3)

22 Equivalent representation for G2I N N 2 M = N N 4 N 1 N 2 N 3 N 4 0 a 0 = 3, a 1 = 2 2,1, (1,3)

23 Equivalent representation for G2I N N 2 M = N N 4 N 1 N 2 N 3 N 4 0 a 0 = 3, a 1 = 2, a 2 = N 3 2,1, (1,3), (N-1,2)

24 Equivalent representation for G2I N N 2 M = N N 4 N 1 N 2 N 3 N 4 0 a 0 = 3, a 1 = 2, a 2 = N 3 2,1, (1,3), (N-1,2)

25 Conditional probability Conditional probability P a s a s 1, a s 2,, a 0 is the probability for a generator to output a s provided a s 1, a s 2,, a 0 were output before. To estimate P a s a s 1, a s 2,, a 0 for G2I it suffices to estimate how many a s are left in M after s rows and columns were struck out.

26 Conditional probability G1I P a s a s 1, a s 2,, a 0 = 0, if a s {a s 1, a s 2,, a 0 }; 1, otherwise. N s G2I P 1 = N 2s N s 2 P a s a s 1, a s 2,, a 0 N s N s 2 = P 2 P 1 < 1 N < P 2

27 Conditional probability: summary Lower bound Number of symbols Upper bound Number of symbols G1I σ count 0 G2I σ 1 count σ 2 (count) N 2s N s 2 Ideal s N s N 1 N s 1 N s N s s N 1 N 1 N

28 Thank you! Questions?