How to Extract and Expand Randomness: A Summary and Explanation of Existing Results

We examine the use of randomness extraction and expansion in key agreement (KA) protocols to generate uniformly random keys in the standard model. Although existing works provide the basic theorems necessary, they lack details or examples of appropriate cryptographic primitives and/or parameter sizes. This has led to the large amount of min-entropy needed in the (non-uniform) shared secret being overlooked in proposals and efficiency comparisons of KA protocols. We therefore summarize existing work in the area and examine the security levels achieved with the use of various extractors and expanders for particular parameter sizes. The tables presented herein show that the shared secret needs a min-entropy of at least 292 bits (and even more with more realistic assumptions) to achieve an overall security level of 80 bits using the extractors and expanders we consider. The tables may be used to find the min-entropy required for various security levels and assumptions. We also find that when using the short exponent theorems of Gennaro et al., the short exponents may need to be much longer than they suggested.
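The extract-then-expand pattern the abstract refers to, as an added illustration that is not code from the paper: the extraction step condenses a non-uniform shared secret into a short pseudorandom key with HMAC (the HMAC-as-extractor line of work the abstract summarizes), and the expansion step stretches that key into as much key material as the protocol needs. The concrete construction used here is HKDF from RFC 5869, chosen as a well-specified instance of the pattern; the paper's own tables and parameter choices are not reproduced. The `extractable_bits` function is a generic leftover-hash-lemma budget for a universal-hash extractor (output length at most `k - 2*s` bits for min-entropy `k` and statistical distance `2^-s`), included only to show why the shared secret needs far more min-entropy than the key it yields; it is a standard bound, not the paper's figures, and its arithmetic does not claim to reproduce the 292-bit result.

```python
import hmac
import hashlib

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def extract(salt: bytes, ikm: bytes) -> bytes:
    """Extraction step (HKDF-Extract, RFC 5869): condense the non-uniform
    shared secret `ikm` into a fixed-length pseudorandom key by running
    HMAC keyed with a public, non-secret salt.  An empty salt is replaced
    by a string of HASH_LEN zero bytes, as the RFC specifies."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def expand(prk: bytes, info: bytes, length: int) -> bytes:
    """Expansion step (HKDF-Expand): stretch the pseudorandom key `prk`
    into `length` bytes of key material using HMAC as a PRF in feedback
    mode, with `info` binding the output to its context (protocol, roles,
    transcript).  RFC 5869 caps the output at 255 hash blocks."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long for this hash")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_key(shared_secret: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """Full extract-then-expand key derivation for a KA protocol."""
    return expand(extract(salt, shared_secret), info, length)


def extractable_bits(min_entropy_bits: int, security_bits: int) -> int:
    """Leftover-hash-lemma budget for a universal-hash extractor: with a
    shared secret of min-entropy k, keeping the output within statistical
    distance 2^-s of uniform allows at most k - 2*s output bits.  This is
    the generic information-theoretic bound, not the paper's tables."""
    return max(0, min_entropy_bits - 2 * security_bits)


if __name__ == "__main__":
    # Constructed sample input (RFC 5869 test case 1 values), not a real session secret.
    secret = b"\x0b" * 22
    salt = bytes(range(0x00, 0x0d))
    info = bytes(range(0xf0, 0xfa))
    print(derive_key(secret, salt, info, 42).hex())
    # A 128-bit key at 2^-80 statistical distance needs 128 + 160 = 288 bits
    # of min-entropy under this bound; 292 bits leaves only 132 usable bits.
    print(extractable_bits(292, 80))
```

The point for protocol designers is in the last two lines of the main block: under the generic bound, a shared secret with 292 bits of min-entropy yields only 132 bits of near-uniform key material at the 80-bit level, which is why the abstract warns that efficiency comparisons which size the Diffie-Hellman secret by the key length alone understate the cost.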

[1] Oded Goldreich. Foundations of Cryptography: Index. 2001.

[2] Oded Goldreich. Foundations of Cryptography: Volume 1. 2006.

[3] Oded Goldreich et al. Foundations of Cryptography: List of Figures. 2001.

[4] Mihir Bellare et al. The Security of the Cipher Block Chaining Message Authentication Code. J. Comput. Syst. Sci., 2000.

[5] Olivier Chevassut et al. The Twist-AUgmented Technique for Key Exchange. Public Key Cryptography, 2006.

[6] Chris J. Mitchell et al. New CBC-MAC Forgery Attacks. ACISP, 2001.

[7] Sarvar Patel et al. An Efficient Discrete Log Pseudo Random Generator. CRYPTO, 1998.

[8] Alfred Menezes et al. Handbook of Applied Cryptography. 2018.

[9] Paul C. van Oorschot et al. On Diffie-Hellman Key Agreement with Short Exponents. EUROCRYPT, 1996.

[10] Tim Dierks et al. The Transport Layer Security (TLS) Protocol Version 1.2. 2008.

[11] Vijay V. Vazirani et al. Efficient and Secure Pseudo-Random Number Generation. CRYPTO, 1984.

[12] James H. Burrows et al. Secure Hash Standard. 1995.

[13] Bart Preneel et al. On the Security of Iterated Message Authentication Codes. IEEE Trans. Inf. Theory, 1999.

[14] Ronald L. Rivest et al. The MD5 Message-Digest Algorithm. RFC, 1992.

[15] Bart Preneel et al. Software Performance of Universal Hash Functions. EUROCRYPT, 1999.

[16] William Millan et al. 3C: A Provably Secure Pseudorandom Function and Message Authentication Code. A New Mode of Operation for Cryptographic Hash Function. IACR Cryptol. ePrint Arch., 2005.

[17] David Pointcheval et al. HMAC is a randomness extractor and applications to TLS. ASIACCS '08, 2008.

[18] Berry Schoenmakers et al. Concrete Security of the Blum-Blum-Shub Pseudorandom Generator. IMACC, 2005.

[19] Yevgeniy Dodis et al. Exposure-resilient cryptography. 2000.

[20] Dirk Fox et al. Advanced Encryption Standard (AES). Datenschutz und Datensicherheit, 1999.

[21] Noam Nisan et al. The computational complexity of universal hashing. STOC '90, 1990.

[22] Manuel Blum et al. A Simple Unpredictable Pseudo-Random Number Generator. SIAM J. Comput., 1986.

[23] Bart Preneel et al. RIPEMD-160: A Strengthened Version of RIPEMD. FSE, 1996.

[24] Jacques Stern et al. Hardness of Distinguishing the MSB or LSB of Secret Keys in Diffie-Hellman Schemes. ICALP, 2006.

[25] Hugo Krawczyk et al. Secure Hashed Diffie-Hellman over Non-DDH Groups. EUROCRYPT, 2004.

[26] Hugo Krawczyk et al. Pseudorandom functions revisited: the cascade construction and its concrete security. Proceedings of 37th Conference on Foundations of Computer Science, 1996.

[27] Hugo Krawczyk et al. Randomness Extraction and Key Derivation Using the CBC, Cascade and HMAC Modes. CRYPTO, 2004.

[28] Eric Rescorla et al. The Transport Layer Security (TLS) Protocol Version 1.2. RFC, 2008.

[29] Simon Heron et al. Encryption: Advanced Encryption Standard (AES). 2009.

[30] Victor Shoup et al. A computational introduction to number theory and algebra. 2005.

[31] Oded Goldreich et al. Foundations of Cryptography: Basic Tools. 2000.