Provably Robust Sponge-Based PRNGs and KDFs

We study the problem of devising provably secure PRNGs with input based on the sponge paradigm. Such constructions are very appealing, as efficient software/hardware implementations of SHA-3 can easily be translated into a PRNG in a nearly black-box way. The only existing sponge-based construction, proposed by Bertoni et al. (CHES 2010), fails to achieve the security notion of robustness recently considered by Dodis et al. (CCS 2013), for two reasons: (1) the construction is deterministic, and thus there are high-entropy input distributions on which it fails to extract random bits; and (2) the construction is not forward secure, and the solutions proposed to restore forward security have not been rigorously analyzed. We propose a seeded variant of Bertoni et al.'s PRNG with input which we prove secure in the sense of robustness, delivering in particular concrete security bounds. On the way, we make what we believe to be an important conceptual contribution: we develop a variant of the security framework of Dodis et al. tailored to the ideal permutation model, which captures PRNG security in settings where the weakly random inputs are provided by a large class of possible adversarial samplers that are also allowed to query the random permutation. As a further application of our techniques, we also present an efficient sponge-based key-derivation function which can be instantiated from SHA-3 in a black-box fashion, and which we also prove secure when fed with samples from permutation-dependent distributions.
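To make the absorb/squeeze structure the abstract refers to concrete, here is an added toy sponge PRNG with input in Python. It is not the paper's construction: the seeding rule (XOR a public seed into every absorbed block), the forward-security step (overwrite the outer part before permuting) and the 16-byte ARX permutation standing in for Keccak-f are all assumptions chosen for illustration.

```python
MASK64 = (1 << 64) - 1
RATE, CAP = 8, 8   # toy 8-byte rate / 8-byte capacity; real sponges use far larger states


def _rotl(x: int, r: int) -> int:
    return ((x << r) | (x >> (64 - r))) & MASK64


def toy_perm(state: bytes) -> bytes:
    """Toy 16-byte ARX permutation standing in for Keccak-f (illustration only)."""
    a = int.from_bytes(state[:8], "little")
    b = int.from_bytes(state[8:], "little")
    for i in range(8):  # every step is invertible, so the map is a permutation
        a = (a + b) & MASK64
        b = _rotl(b, 13) ^ a
        a = _rotl(a, 32)
        b = (b + a) & MASK64
        a = _rotl(a, 17) ^ b ^ i
    return a.to_bytes(8, "little") + b.to_bytes(8, "little")


def _xor(x: bytes, y: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(x, y))


class SeededSpongePRNG:
    """Sponge PRNG with input. refresh() absorbs weakly random input blocks XORed
    with a public seed (assumed seeding rule); next() squeezes output blocks and
    overwrites the outer part before each permutation call so that a later state
    compromise cannot be rolled back to recover earlier outputs."""

    def __init__(self, seed: bytes):
        if len(seed) != RATE:
            raise ValueError("seed must be one rate-sized block")
        self.seed = seed
        self.state = bytes(RATE + CAP)  # all-zero initial state; caller must refresh()

    def refresh(self, entropy: bytes) -> None:
        # pad 0x80 00..00 up to a block boundary, then absorb block by block
        padded = entropy + b"\x80" + bytes((-len(entropy) - 1) % RATE)
        for i in range(0, len(padded), RATE):
            block = _xor(padded[i:i + RATE], self.seed)
            self.state = toy_perm(_xor(self.state[:RATE], block) + self.state[RATE:])

    def next(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            out += self.state[:RATE]                         # emit the outer part
            # forward security: zero the outer part (the block just emitted) before
            # permuting, so the new state no longer determines that output
            self.state = toy_perm(bytes(RATE) + self.state[RATE:])
        return out[:n]
```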

[1] John P. Steinberger et al. Tight security bounds for multiple encryption, 2014, IACR Cryptol. ePrint Arch.

[2] Shai Halevi et al. A model and architecture for pseudo-random generation with applications to /dev/random, 2005, CCS '05.

[3] Yevgeniy Dodis et al. Randomness Condensers for Efficiently Samplable, Seed-Dependent Sources, 2012, TCC.

[4] Hugo Krawczyk et al. Leftover Hash Lemma, Revisited, 2011, IACR Cryptol. ePrint Arch.

[5] Jacques Patarin et al. The "Coefficients H" Technique, 2009, Selected Areas in Cryptography.

[6] David Pointcheval et al. Security analysis of pseudo-random number generators with input: /dev/random is not robust, 2013, CCS.

[7] Arno Mittelbach. Salvaging Indifferentiability in a Multi-stage Setting, 2013, IACR Cryptol. ePrint Arch.

[8] Ingrid Verbauwhede et al. Software only, extremely compact, Keccak-based secure PRNG on ARM Cortex-M, 2014, 51st ACM/EDAC/IEEE Design Automation Conference (DAC).

[9] Guido Bertoni et al. Sponge-Based Pseudo-Random Number Generators, 2010, CHES.

[10] Elaine B. Barker et al. Recommendation for Random Number Generation Using Deterministic Random Bit Generators, 2007.

[11] Thomas Shrimpton et al. A Provable-Security Analysis of Intel's Secure Key RNG, 2015, EUROCRYPT.

[12] Hugo Krawczyk et al. Randomness Extraction and Key Derivation Using the CBC, Cascade and HMAC Modes, 2004, CRYPTO.

[13] Hovav Shacham et al. Careful with Composition: Limitations of the Indifferentiability Framework, 2011, EUROCRYPT.

[14] Bart Mennink et al. Security of Full-State Keyed and Duplex Sponge: Applications to Authenticated Encryption, 2015, IACR Cryptol. ePrint Arch.

[15] Kenneth G. Paterson et al. On Cipher-Dependent Related-Key Attacks in the Ideal-Cipher Model, 2011, IACR Cryptol. ePrint Arch.

[16] Adi Shamir et al. How to Eat Your Entropy and Have it Too: Optimal Recovery Strategies for Compromised RNGs, 2017, Algorithmica.

[17] Donald E. Eastlake et al. Randomness Requirements for Security, 2005, RFC.

[18] Hugo Krawczyk et al. Cryptographic Extraction and Key Derivation: The HKDF Scheme, 2010, IACR Cryptol. ePrint Arch.

[19] John P. Steinberger et al. Tight Security Bounds for Key-Alternating Ciphers, 2014, EUROCRYPT.

[20] Stefano Tessaro et al. The Exact PRF Security of Truncation: Tight Bounds for Keyed Sponges and Truncated CBC, 2015, CRYPTO.

[21] Mihir Bellare et al. The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs, 2006, EUROCRYPT.

[22] Ueli Maurer et al. Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology, 2004, TCC.

[23] David Evans et al. Reverse-Engineering a Cryptographic RFID Tag, 2008, USENIX Security Symposium.

[24] Benny Pinkas et al. Cryptanalysis of the Windows random number generator, 2007, CCS '07.

[25] John Kelsey et al. Recommendation for Random Number Generation Using Deterministic Random Bit Generators, 2014.

[26] Bart Mennink et al. Security of Keyed Sponge Constructions Using a Modular Proof Approach, 2015, FSE.

[27] Guido Bertoni et al. On the Indifferentiability of the Sponge Construction, 2008, EUROCRYPT.

[28] Bruce Schneier et al. Cryptanalytic Attacks on Pseudorandom Number Generators, 1998, FSE.

[29] Anand Desai et al. A Practice-Oriented Treatment of Pseudorandom Number Generators, 2002, EUROCRYPT.