1 Introduction

1.1 Deterministic random bit generators

In modern cryptography, generating secure and unpredictable random numbers plays a pivotal role in protecting sensitive information and ensuring the integrity of various systems. Deterministic random bit generators (DRBGs), or pseudorandom number generators (PRNGs) have emerged as a fundamental tool for producing random-like sequences of numbers, crucial for cryptographic algorithms, simulations, and many other applications. Unlike truly random numbers that are inherently unpredictable, DRBGs utilize deterministic algorithms to generate sequences that exhibit statistical randomness.

1.2 ISO DRBG standards

The ISO (International Organization for Standardization) DRBG standards [13], specified in ISO/IEC 18031, provide guidelines for the design and implementation of PRNGs for cryptography, encompassing four schemes: \(\textsf{HASH}\text {-}\textsf{DRBG}\), \(\textsf{HMAC}\text {-}\textsf{DRBG}\), \(\textsf{CTR}\text {-}\textsf{DRBG}\), and \(\textsf{OFB}\text {-}\textsf{DRBG}\). These standards define security strength levels and mechanisms to mitigate various types of attacks such as prediction and backtracking. However, while security analyses have been conducted for the former three algorithms, there is currently no specific security analysis available for the \(\textsf{OFB}\)-\(\textsf{DRBG}\) algorithm within the ISO DRBG standards. This absence of a security analysis for \(\textsf{OFB}\)-\(\textsf{DRBG}\) raises the importance of further research and evaluation to assess its robustness and resistance to potential attacks.

1.3 Importance of security proof of DRBG

The representative example showing the importance of security analysis of DRBGs is \(\textsf{DualEC}\)-\(\textsf{DRBG}\). NIST Special Publication 800-90A, which provides recommendations for random number generation using deterministic random bit generators (NIST SP 800-90A) [2], had included the \(\textsf{DualEC}\)-\(\textsf{DRBG}\) algorithm in its initial version. However, \(\textsf{DualEC}\)-\(\textsf{DRBG}\) was long suspected of containing a backdoor inserted by the NSA [6, 8, 18, 21], and it was finally withdrawn from NIST SP 800-90A in 2014. Moreover, attacks against real-world PRNGs are constantly being attempted [3, 10, 16, 24]. Given this background, it is crucial to conduct thorough analyses of DRBG standards in order to ensure their security and reliability.

1.4 Prior works

The line of research in the provable security of DRBG focuses on developing rigorous mathematical proofs and analysis to establish the security properties of these cryptographic primitives [17]. There have been several attempts to prove DRBG standards [7, 11, 20, 23], but they did not consider scenarios where the state can be compromised or updated by an adversary. To address this, Dodis et al. introduced a new formal security notion of robustness for DRBGs that captures both forward and backward security [9] by introducing the notion of a distribution sampler that produces inputs with high entropy which is available to an adversary. Woodage and Shumow subsequently proved the robustness of \(\textsf{HASH}\)-\(\textsf{DRBG}\) and \(\textsf{HMAC}\)-\(\textsf{DRBG}\) [22]. Later, Hoang and Shen proved the security of \(\textsf{CTR}\)-\(\textsf{DRBG}\) [12].

1.5 Contribution

In this paper, we prove the security of \(\textsf{OFB}\)-\(\textsf{DRBG}\) for the first time. This construction is pictorially represented in Fig. 1, while it will be formally defined in Sect. 3. The security proof follows the robustness security framework used to analyze NIST DRBG standards [12, 22]. Within this framework, we prove that \(\textsf{OFB}\)-\(\textsf{DRBG}\) is secure up to \(O(2^{\min \left\{ \frac{\lambda }{3}, \frac{n}{2} \right\} })\) oracle queries including ideal cipher queries, where \(\lambda \) is a lower bound of the min-entropy of I and n is the size of the underlying block cipher. Table 1 compares \(\textsf{OFB}\text {-}\textsf{DRBG}\) with the NIST DRBG standards.

Fig. 1 \(\textsf{OFB}\text {-}\textsf{DRBG}\) construction based on a k-bit key and n-bit input, where I is an entropy input

Table 1 Comparison of \(\textsf{OFB}\text {-}\textsf{DRBG}\) with other DRBG standards

In order to prove the robustness security of \(\textsf{OFB}\text {-}\textsf{DRBG}\), we introduce an ideal world and transform the robustness game of \(\textsf{OFB}\text {-}\textsf{DRBG}\) into an indistinguishability game. Then, we employ the H-coefficient technique to upper bound the distinguishing advantage. Our security proof takes an approach similar to that for \(\textsf{CTR}\text {-}\textsf{DRBG}\), as the two constructions share a design rationale: each consists of a compression function and an extendable output function. On the other hand, the security proof is rather modular and independent of any particular property of the underlying XOF. We therefore believe that using a beyond-birthday-bound (BBB) secure XOF such as \(\textsf{XORP}[w]\) [5] might lead to a new DRBG design with that stronger security. This problem is left as an interesting topic for further research.

2 Preliminaries

2.1 Notation

We write \(0^n\) to denote the n-bit string of all zeros. Given a non-empty finite set \(\mathcal {X}\), \(x\leftarrow _\$\mathcal {X}\) denotes that x is chosen uniformly at random from \(\mathcal {X}\). For a set \(\mathcal {X}\), \(\left| {\mathcal {X}} \right| \) denotes the number of elements in \(\mathcal {X}\). The set of all permutations of \(\{0,1\}^n\) is denoted \(\textsf{Perm}(n)\). For a keyed function \(F: \mathcal {K}\times \mathcal {X}\rightarrow \mathcal {Y}\) with key space \(\mathcal {K}\) and non-empty sets \(\mathcal {X}\) and \(\mathcal {Y}\), we will write \(F_K(\cdot )\) to denote \(F(K, \cdot )\) for \(K \in \mathcal {K}\). Let \(S = \{ a_1, \dots , a_s \}\). Then, we write \(S \oplus x\) to denote \(\{ a_1 \oplus x, \dots , a_s \oplus x\}\).

For a (binary) string x, \(\left| {x} \right| \) denotes the length of x. The empty string is denoted \(\varepsilon \), where \(\left| {\varepsilon } \right| =0\). For an \(\ell \)-bit string x, and m and n such that \(1\le m\le n\le \ell \), x[m : n] denotes the \((n-m+1)\)-bit string from the m-th bit to the n-th bit of x, and \(x[m: \cdot ]\) denotes the \((\ell - m + 1)\)-bit string from the m-th bit to the last bit of x. When \(M=M_1\mathbin {\Vert }\dots \mathbin {\Vert }M_w\) where \(\left| {M_i} \right| =t\) for \(1\le i\le w-1\) and \(0 < \left| {M_w} \right| \le t\), we write \((M_1,\dots ,M_w)\overset{t}{\longleftarrow }M\). For an integer \(0 \le i < 2^s\), \(\langle i\rangle _s\) denotes the s-bit representation of i. For a real number t, \(\lceil t\rceil \) is the smallest integer greater than or equal to t.

2.2 Conditional min-entropy

For two random variables X and Y, the (average-case) conditional min-entropy of X given Y is defined as

$$\begin{aligned} H_{\infty }(X|Y)=-\log \left( \sum _y \Pr [Y=y]\cdot \max _x \Pr [X=x|Y=y] \right) . \end{aligned}$$

Block ciphers. A block cipher, modeled as an ideal cipher, is a keyed function \(E:\mathcal {K}\times \{0,1\}^n\rightarrow \{0,1\}^n\) where for a fixed key \(K\in \mathcal {K}\), \(E_K(\cdot )\) is a random permutation that is uniformly chosen from \(\textsf{Perm}(n)\). For the rest of the paper, we let \(\Pi (k,n)\) denote the set of all n-bit block ciphers using k-bit keys.

2.3 Deterministic random bit generator

From [9, 19], a DRBG (deterministic random bit generator) is a triple of algorithms \(\mathcal {G}= (\textsf{setup},\textsf{refresh},\textsf{next})\) where:

  • \(\textsf{setup}\): an algorithm that outputs initial state S from seed \(\textsf{seed}\) and input I.

  • \(\textsf{refresh}\): a deterministic algorithm that, given \(\textsf{seed}\), a state S and an input I, outputs a new state \(S'\).

  • \(\textsf{next}\): a deterministic algorithm that, given \(\textsf{seed}\) and a state S, outputs a new state \(S'\) and random bits R.

2.4 \(\delta \)-Almost universal hashing

A (keyed) hash function \(H: \mathcal {L}\times \mathcal {X}\rightarrow \mathcal {Y}\) is called \(\delta \)-almost universal (\(\delta \)-AU) if for any distinct \(X, X' \in \mathcal {X}\),

$$\begin{aligned} \textsf{Pr}{ \left[ L \leftarrow _\$\mathcal {L}: H_L(X) = H_L(X') \right] } \le \delta . \end{aligned}$$

3 Robustness of \(\mathsf {OFB\text {-}DRBG}\)

3.1 \(\textsf{OFB}\)-\(\textsf{DRBG}\) Construction

Before defining the \(\textsf{OFB}\)-\(\textsf{DRBG}\) construction, we define the components of \(\textsf{OFB}\)-\(\textsf{DRBG}\): \(\textsf{CBCMAC}\), \(\textsf{CBC}\), \(\textsf{CtE}\), and \(\textsf{OFB}\).

Algorithm 1 \(\textsf{CtE}\) and \(\textsf{OFB}\) Construction

For the function \(\textsf{Condense}\), let \(\textsf{pad}: \{0, 1\}^* \rightarrow (\{0, 1\}^n)^*\) be the function that first appends the byte 0x08 and then appends 0s until the length of the input is a multiple of n. Let \(\pi : \{0,1\}^n \rightarrow \{0,1\}^n\) be a permutation. Then, for an initial vector \(IV\in \{0,1\}^n\) and a message \((M_1,\dots , M_w)\overset{n}{\longleftarrow }M\), we define \(\textsf{CBCMAC}\) recursively as follows.

$$\begin{aligned} \textsf{CBCMAC}^{IV}[\pi ](M)=\textsf{CBCMAC}^{\pi (IV\oplus M_1)}[\pi ](M_2\mathbin {\Vert }\cdots \mathbin {\Vert }M_w) \end{aligned}$$

where \(\textsf{CBCMAC}^{IV}[\pi ](\varepsilon )=IV\).

Let \(E:\{0,1\}^k\times \{0,1\}^n\rightarrow \{0,1\}^n\) be a block cipher. For a key \(K\in \{0,1\}^k\) and an initial vector IV and message \((M_1,\dots , M_w)\overset{n}{\longleftarrow }M\), we can define \(\textsf{CBC}\) as follows.

$$\begin{aligned} \textsf{CBC}^{IV}_K[E](M)=\textsf{CBCMAC}^{IV}[E_K](M_1)\mathbin {\Vert }\cdots \mathbin {\Vert }\textsf{CBCMAC}^{IV}[E_K](M_1\mathbin {\Vert }\cdots \mathbin {\Vert }M_w). \end{aligned}$$
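The two definitions above are easy to misread (the output of \(\textsf{CBC}\) is the concatenation of the CBCMACs of every prefix, i.e. ordinary CBC encryption output). The following is an added example written for this page, not code from the paper: it implements \(\textsf{pad}\), \(\textsf{CBCMAC}\) and \(\textsf{CBC}\) literally from the definitions, with a 16-bit block size and a seeded random permutation standing in for one fixed-key instance \(E_K\) of the ideal cipher (both are assumptions chosen so the code runs offline), and checks that the one-pass CBC computation agrees with the prefix-MAC definition.

```python
import random

N_BITS = 16                       # toy block size n; a real instantiation would use n = 128
N_BYTES = N_BITS // 8


def random_permutation(seed, n_bits=N_BITS):
    """One uniformly sampled permutation of {0,1}^n, i.e. E_K for one fixed key
    of an ideal cipher (the toy stand-in assumed in this example)."""
    table = list(range(1 << n_bits))
    random.Random(seed).shuffle(table)
    return lambda x: table[x]


def pad(msg: bytes, n_bits=N_BITS) -> bytes:
    """pad from Sect. 3.1: append the byte 0x08, then zero bytes until the
    length is a multiple of n bits."""
    out = msg + b"\x08"
    return out + b"\x00" * (-len(out) % (n_bits // 8))


def split_blocks(msg: bytes, n_bytes=N_BYTES):
    """(M_1, ..., M_w) <-n- M for a full-block message, as n-bit integers."""
    if len(msg) % n_bytes:
        raise ValueError("CBCMAC/CBC are defined on full-block messages; pad first")
    return [int.from_bytes(msg[i:i + n_bytes], "big") for i in range(0, len(msg), n_bytes)]


def cbcmac(perm, iv: int, blocks) -> int:
    """CBCMAC^IV[pi](M) = CBCMAC^{pi(IV xor M_1)}[pi](M_2 || ... || M_w),
    with CBCMAC^IV[pi](empty) = IV, exactly as in the recursive definition."""
    if not blocks:
        return iv
    return cbcmac(perm, perm(iv ^ blocks[0]), blocks[1:])


def cbc(perm, iv: int, blocks):
    """CBC^IV_K[E](M) = CBCMAC^IV[E_K](M_1) || ... || CBCMAC^IV[E_K](M_1 || ... || M_w).
    Each output block is the CBCMAC of a prefix, so the whole list is computed in
    one pass that keeps the running chaining value (ordinary CBC encryption)."""
    out, chain = [], iv
    for m in blocks:
        chain = perm(chain ^ m)
        out.append(chain)
    return out


def cbc_matches_prefix_macs(perm, iv: int, blocks) -> bool:
    """Sanity check: the i-th CBC block equals the CBCMAC of the first i message blocks."""
    return cbc(perm, iv, blocks) == [cbcmac(perm, iv, blocks[:i]) for i in range(1, len(blocks) + 1)]


if __name__ == "__main__":
    E_K = random_permutation(seed=7)                          # constructed: one key of the toy cipher
    M = split_blocks(pad(b"constructed entropy input"))        # constructed sample input
    print("blocks:", len(M), "CBCMAC:", hex(cbcmac(E_K, 0, M)),
          "CBC consistent with prefix MACs:", cbc_matches_prefix_macs(E_K, 0, M))
```

Because \(E_K\) is a permutation, the last block of \(\textsf{CBC}\) is exactly \(\textsf{CBCMAC}\) of the whole message; the point of the \(\textsf{CBC}\) definition is that \(\textsf{CtE}\) can reuse all intermediate chaining values rather than only the final one.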

3.2 Condense-then-encrypt

In the ISO standard [13], block cipher-based DRBGs can absorb entropy either from freeform input strings with at least a specified amount of entropy, or from full-entropy strings of specified lengths. To use freeform input strings with some entropy, we need a derivation function called \(\mathsf {Block\_Cipher\_df}\), which extracts entropy from strings. In 2019, Woodage and Shumow [22] showed that \(\mathsf {CTR\text {-}DRBG}\) without \(\mathsf {Block\_Cipher\_df}\) is vulnerable to an attacker who can conduct a side-channel attack to leak partial state during the \(\textsf{next}\) call. Because \(\mathsf {OFB\text {-}DRBG}\) has a structure similar to \(\mathsf {CTR\text {-}DRBG}\), \(\mathsf {OFB\text {-}DRBG}\) can be attacked similarly. Hence, we only consider \(\mathsf {OFB\text {-}DRBG}\) using \(\mathsf {Block\_Cipher\_df}\) in this paper. This setting is also used to analyze \(\mathsf {CTR\text {-}DRBG}\) in [12], where \(\mathsf {Block\_Cipher\_df}\) is named Condense-then-Encrypt (\(\textsf{CtE}\)). As \(\mathsf {OFB\text {-}DRBG}\) uses the same \(\textsf{CtE}\) as its \(\mathsf {Block\_Cipher\_df}\), we use the same name \(\textsf{CtE}\).

From the former constructions, we define \(\textsf{CtE}\) and \(\textsf{OFB}\) in Algorithm 1 and we also define \(\textsf{OFB}\)-\(\textsf{DRBG}\) construction in Algorithm 2. Note that \(\textsf{OFB}\)-\(\textsf{DRBG}\) consists of three components: \(\textsf{setup}\), \(\textsf{refresh}\) and \(\textsf{next}\) (see Fig. 1).

Algorithm 2 \(\mathsf {OFB\text {-}DRBG}\)

3.3 Distribution sampler

A distribution sampler \(\mathcal {D}\) is a stateful, probabilistic algorithm introduced to model the extraction and estimation of system entropy. Given a current state s, it outputs a tuple \((s', I,\gamma ,z)\) in which \(s'\) is an updated state, I is the next randomness input for the DRBG, \(\gamma \) is a real number (the entropy estimate for I), and z is some side information about I. Let p be an upper bound on the number of calls to \(\mathcal {D}\) and let \((s_i,I_i,\gamma _i,z_i)\) be the i-th output of \(\mathcal {D}\) for every \(i\in \{1,\ldots ,p\}\). For each \(i\le p\), let

$$\begin{aligned} \mathcal {I}_{p,i}=\left( I_1,\ldots ,I_{i-1},I_{i+1},\ldots ,I_p,\gamma _1,\ldots ,\gamma _p,z_1,\ldots ,z_p\right) . \end{aligned}$$

Then \(\mathcal {D}\) is legitimate if \(H_{\infty }(I_i \mid \mathcal {I}_{p,i})\ge \gamma _i\) for every \(i\in \{1,\ldots ,p\}\). A legitimate sampler is \(\lambda \)-simple if \(\gamma _i\ge \lambda \) for every i.
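The legitimacy condition is subtle: each \(I_i\) is conditioned on all the other inputs, not only on its own side information \(z_i\). The following added example (written for this page, not the paper's code) computes the average-case conditional min-entropy of Sect. 2.2 for a finite joint distribution and runs the legitimacy and \(\lambda \)-simplicity checks of this section on two constructed toy samplers with \(p=2\): one whose two inputs are independent, and one whose second input is derived from the first, so that its claimed \(\gamma _1\) is not actually achieved once \(I_2\) is known. Both samplers, their entropy claims and the 4-bit input size are constructed here for illustration.

```python
import math
from collections import defaultdict
from itertools import product


def cond_min_entropy(joint):
    """H_inf(X|Y) = -log2( sum_y Pr[Y=y] * max_x Pr[X=x|Y=y] ) for a joint pmf
    given as {(x, y): Pr[X=x, Y=y]}.  Since Pr[Y=y] * Pr[X=x|Y=y] = Pr[X=x, Y=y],
    the inner term is just the largest joint probability for each y."""
    best = defaultdict(float)
    for (x, y), p in joint.items():
        best[y] = max(best[y], p)
    return -math.log2(sum(best.values()))


def is_legitimate(joint, gammas):
    """Legitimacy check of Sect. 3.3: H_inf(I_i | I_{p,i}) >= gamma_i for every i,
    where I_{p,i} = (all other I_j, gamma_1..gamma_p, z_1..z_p).
    joint: {(I_1, ..., I_p, z_1, ..., z_p): probability}.  Returns (verdict, entropies)."""
    p = len(gammas)
    entropies = []
    for i in range(p):
        marg = defaultdict(float)
        for key, pr in joint.items():
            inputs, sides = key[:p], key[p:]
            others = tuple(inputs[j] for j in range(p) if j != i)
            marg[(inputs[i], (others, tuple(gammas), sides))] += pr
        entropies.append(cond_min_entropy(marg))
    return all(h >= g - 1e-9 for h, g in zip(entropies, gammas)), entropies


def is_simple(gammas, lam):
    """A legitimate sampler is lambda-simple if every gamma_i >= lambda."""
    return all(g >= lam for g in gammas)


def independent_sampler():
    """Constructed 2-call sampler: I_1, I_2 independent uniform 4-bit values,
    each z_i leaks the top bit of I_i.  Claims gamma = (3, 3)."""
    joint = {}
    for i1, i2 in product(range(16), range(16)):
        joint[(i1, i2, i1 >> 3, i2 >> 3)] = 1 / 256
    return joint, (3, 3)


def correlated_sampler():
    """Constructed 2-call sampler with the same marginal for I_1 but I_2 = I_1 xor u
    for a uniform 2-bit u and no side information on I_2.  It claims gamma = (3, 2),
    yet conditioning I_1 on I_2 leaves only 2 bits, so the claim for I_1 is wrong."""
    joint = defaultdict(float)
    for i1, u in product(range(16), range(4)):
        joint[(i1, i1 ^ u, i1 >> 3, None)] += 1 / 64
    return dict(joint), (3, 2)


if __name__ == "__main__":
    for name, (joint, gammas) in [("independent", independent_sampler()),
                                  ("correlated", correlated_sampler())]:
        ok, hs = is_legitimate(joint, gammas)
        print(f"{name}: H_inf = {hs}, claimed gammas = {gammas}, legitimate = {ok}")
```

The correlated sampler is the case the definition is designed to catch: judged per input in isolation it looks fine (each \(I_i\) has at least 2 bits of entropy), but the adversary in the robustness game sees the other inputs, and an entropy estimate that ignores that dependence would overstate what the DRBG actually absorbs.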

3.4 Robustness of \(\textsf{OFB}\)-\(\textsf{DRBG}\)

Let \(\mathcal {G}\) be \(\textsf{OFB}\)-\(\textsf{DRBG}\). Then, with a real number \(\lambda \), flag set \(\mathcal {F}\) where \(\left| {\mathcal {F}} \right| =2\), an adversary \(\mathcal {A}\) and a legitimate distribution sampler \(\mathcal {D}\), the robustness game is defined as follows.

  1. \(b\leftarrow _\$\mathcal {F}\).

  2. Get oracles \(\textrm{INIT}(),\textrm{REF}(),\textrm{ROR}(),\textrm{GET}(),\textrm{SET}()\) from \(\textbf{S}_b\).

  3. Run \(\textrm{INIT}()\) and give \(\mathcal {A}\) the return values \((E,\gamma ,z)\).

  4. \(\mathcal {A}\) makes queries \(E(K,M),E^{-1}(K,C),\textrm{REF}(),\textrm{ROR}(\ell ),\textrm{GET}(),\textrm{SET}(S')\) and gets the responses.

  5. After the querying phase, \(\mathcal {A}\) outputs a flag \(b'\). If \(b'=b\), \(\mathcal {A}\) wins.

For the ideal world (resp. the real world) denoted \(\textbf{S}_0\) (resp. \(\textbf{S}_1\)), the oracles are defined in Algorithm 3 (resp. Algorithm 4).

Algorithm 3 Ideal world \(\textbf{S}_{0}\) Oracles

Algorithm 4 Real world \(\textbf{S}_{1}\) Oracles

The rationale for each oracle is as follows.

  • \(\textrm{REF}()\) and \(\textrm{ROR}(\ell )\) are the basic DRBG functions used to generate random numbers.

  • Because the block cipher is picked by \(\textrm{INIT}()\), the adversary can access the block cipher and query \(E(K, M)\) and \(E^{-1}(K, C)\). The block cipher is picked at random so that \(\mathcal {A}\) can access it while \(\mathcal {D}\) remains independent of it. This is called an extension for ideal models and is also used in prior works [4, 12, 22].

  • Robustness covers the security of the bits output before a state leakage (forward security) and the security of the bits output after enough entropy has been accumulated, even if the state has been manipulated (backward security). \(\textrm{GET}()\) simulates state leakage and \(\textrm{SET}(S')\) simulates state manipulation.

For \(\mathcal {F}=\{a,b\}\), let

$$\begin{aligned} \textbf{Adv}^{\textrm{rob}}_{\{a,b\}}(\mathcal {A},\mathcal {D})=\left| {\Pr \left[ 1\leftarrow \mathcal {A}^{\textbf{S}_a}\right] -\Pr \left[ 1\leftarrow \mathcal {A}^{\textbf{S}_b}\right] } \right| . \end{aligned}$$

Then we can claim the robustness of \(\textsf{OFB}\)-\(\textsf{DRBG}\) by Theorem 1.

Theorem 1

Let \(E: \{0, 1\}^k \times \{0, 1\}^n \rightarrow \{0, 1\}^n\) be a block cipher. Let \(\mathcal {G}\) denote \(\mathsf {OFB\text {-}DRBG}[E]\) as defined in Algorithm 2. Suppose that a distribution sampler \(\mathcal {D}\) is \(\lambda \)-simple. Let \(\mathcal {A}\) be an adversary against \(\mathcal {G}\) who can make at most \(q_c\) queries to oracles \(\textrm{GET}\), \(\textrm{SET}\), \(\textrm{REF}\), \(\textrm{ROR}\), \(q_p\) queries to the block cipher oracle and \(q_I\) queries to \(\textrm{REF}\). Let L be the overall block length of the random entropy inputs from \(\mathcal {D}\) and let \(\ell _{max}\) be the maximum block length of the single entropy input. Let B be the overall block length of the \(\textsf{OFB}\) call outputs and let \(b_{max}\) be the maximum block length of the single \(\textsf{OFB}\) call output. Then for \(q=q_p + q_c + q_I + 4\), one has

$$\begin{aligned} \textbf{Adv}^{\textrm{rob}}_{\{0,1\}}(\mathcal {A}, \mathcal {D})&\le {} \frac{2b_{max}B}{2^n} + \frac{2 q_c \cdot q}{2^k} + \frac{2q_I \cdot q}{2^n} + \frac{2q_I \sqrt{q}}{2^{\lambda / 2}} \\&\quad + \frac{ 16(L +2q_I)\sqrt{q(\ell _{max} + 2)}}{2^n}. \end{aligned}$$
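As an added worked reading of this bound (it is not part of the original text, and the growth assumptions are ours), suppose every query count is at most q, so \(q_c, q_I \le q\), and that \(b_{max}\) and \(\ell _{max}\) are constants, so that \(B = O(q)\) and \(L = O(q)\). The five terms of Theorem 1 are then dominated as follows:

$$\begin{aligned} \frac{2b_{max}B}{2^n} = O\!\left( \frac{q}{2^n} \right) , \quad \frac{2 q_c \cdot q}{2^k} = O\!\left( \frac{q^2}{2^k} \right) , \quad \frac{2q_I \cdot q}{2^n} = O\!\left( \frac{q^2}{2^n} \right) , \quad \frac{2q_I \sqrt{q}}{2^{\lambda / 2}} = O\!\left( \frac{q^{3/2}}{2^{\lambda / 2}} \right) , \quad \frac{16(L+2q_I)\sqrt{q(\ell _{max}+2)}}{2^n} = O\!\left( \frac{q^{3/2}}{2^n} \right) . \end{aligned}$$

These terms stay below a constant as long as \(q \le 2^{n}\), \(q \le 2^{k/2}\), \(q \le 2^{n/2}\), \(q \le 2^{\lambda /3}\) and \(q \le 2^{2n/3}\), respectively. With \(k \ge n\) as in Lemma 3, \(2^{k/2} \ge 2^{n/2}\), and \(2^{2n/3} \ge 2^{n/2}\) always, so the binding constraints are \(q \le 2^{n/2}\) and \(q \le 2^{\lambda /3}\). This is the \(O(2^{\min \{\lambda /3,\, n/2\}})\) query bound stated in Sect. 1.5; in particular the entropy term, not the block size, is the limiting factor whenever \(\lambda < 3n/2\).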

4 Unpredictability of \(\textsf{CtE}\)

In [12], Hoang and Shen provided useful lemmas for proving the unpredictability bound of \(\textsf{CtE}\). In this section, we review those lemmas, as they are also needed to prove the security of \(\mathsf {OFB\text {-}DRBG}\); their proofs can be found in [12]. Following their proofs, we model \(\textsf{CtE}\) as a good randomness condenser [15]. The security of a randomness condenser is defined by the winning probability of the game described in Algorithm 5. Let a condenser \(\textsf{Cond}: \textsf{Seed} \times \{0, 1\}^* \rightarrow \{0, 1\}^n\) be a deterministic hash. We model \(\textsf{Cond}\) as depending on an ideal cipher \(\Pi \); the input \(seed \in \textsf{Seed}\) of \(\textsf{Cond}\) is then the entire encoding of \(\Pi \), which is given to the adversary for free. Let \(\mathcal {D}\) be a \(\lambda \)-source that outputs a random input I and side information z such that \(H_{\infty } (I \mid z) \ge \lambda \). We model \(\mathcal {D}\) as independent of \(\Pi \). For a guessing-game adversary \(\mathcal {A}\) against \(\textsf{Cond}\) on the source \(\mathcal {D}\), its advantage is defined as follows

$$\begin{aligned} \textbf{Adv}^{guess}_{\textsf{Cond}} (\mathcal {A}, \mathcal {D}) = \Pr \left[ \mathcal {G}^{guess}_{\textsf{Cond}} (\mathcal {A}, \mathcal {D}) \right] . \end{aligned}$$

Algorithm 5 A Guessing Game \(\mathcal {G}_{\textsf{Cond}}^{guess}(\mathcal {A}, \mathcal {D})\)

To upper bound the guessing advantage, we use the following lemma, which is called the generalized leftover hash lemma [1].

Lemma 1

[1] (Generalized leftover hash lemma) Let \(\mathcal {D}\) be a \(\lambda \)-source whose random input I has at most \(\ell \) blocks. Let \(\textsf{Cond}: \textsf{Seed} \times \textsf{Dom} \rightarrow \{0, 1\}^n\) be a \(\frac{\delta (\ell )}{2^n}\)-AU hash function where \(\textsf{Dom}\) is a set of strings of at most \(\ell \) blocks, and let \(\lambda > 0\) be a real number. For any adversary \(\mathcal {A}\) making at most q guesses,

$$\begin{aligned} \textbf{Adv}^{guess}_{\textsf{Cond}}(\mathcal {A},\mathcal {D}) \le \frac{q}{2^n} + \sqrt{\frac{q}{2^\lambda } + \frac{q(\delta (\ell ) -1)}{2^n}}. \end{aligned}$$

To use the generalized leftover hash lemma, we need to compute \(\delta (\ell )\) for \(\textsf{CtE}\). To compute the almost universality of \(\textsf{CtE}\), we need the multi-collision bound of \(\textsf{CBCMAC}\), which is used inside \(\textsf{CtE}\).

Lemma 2

[12] Let \(n\ge 32\) be an integer. Let \(M_1, M_2, M_1', M_2'\) be distinct, non-empty, full-block messages such that the following two conditions hold:

  1. \(M_1\) and \(M_1'\) have the same first block, and \(M_2\) and \(M_2'\) have the same first block, but these two blocks are different.

  2. The block length of each message is at most \(\ell \) where \(4 \le \ell \le 2^{n/3 -4}\).

Then for a truly random permutation \(\pi \leftarrow _\$\textsf{Perm}(n)\), the probability that both \(\textsf{CBCMAC}[\pi ](M_1) = \textsf{CBCMAC}[\pi ](M_1')\) and \(\textsf{CBCMAC}[\pi ](M_2)=\textsf{CBCMAC}[\pi ](M_2')\) hold is at most \(64 \ell ^3 / 2^{2n}\).

Then, by using Lemma 2, we can compute \(\delta (\ell )\) for \(\textsf{CtE}\) as follows.

Lemma 3

[12] Let \(n \ge 32\) and \(k \in \{n,n+1,\cdots ,2n\} \subset \mathbb {Z}\). Let \(E: \{0, 1\}^k \times \{0, 1\}^n \rightarrow \{0, 1\}^n\) be an ideal cipher. Let \(I \ne I'\) be input strings of at most \(\ell \) blocks, where \(\ell +2 \le 2^{n/3 -4}\). Then for \(\textsf{CtE}[E,n]\) (as described in Algorithm 1), one has

$$\begin{aligned} \Pr \left[ \textsf{CtE}[E,n](I)=\textsf{CtE}[E,n](I') \right] \le \frac{1}{2^n} + \frac{64(\ell +2)^3}{2^{2n}} \end{aligned}$$

where the randomness comes from the choices of E.

Finally, we can apply the generalized leftover hash lemma with the \(\delta (\ell )\) computed in Lemma 3 as follows.

Lemma 4

[12] Let \(n \ge 32\) and \(k \in \{n,n+1,\ldots ,2n\} \subset \mathbb {Z}\). Let \(E: \{0, 1\}^k \times \{0, 1\}^n \rightarrow \{0, 1\}^n\) be an ideal cipher. Suppose that \(\mathcal {D}\) is \(\lambda \)-source, independent of E, and returns a random input I with at most \(\ell \) blocks. For any adversary \(\mathcal {A}\) against \(\textsf{CtE}[E,n]\) (as described in Algorithm 1) making at most q guesses, one has

$$\begin{aligned} \textbf{Adv}^{guess}_{\textsf{CtE}[E,n]}(\mathcal {A},\mathcal {D}) \le \frac{q}{2^n} + \frac{\sqrt{q}}{2^{\lambda / 2}} + \frac{ 8\sqrt{q (\ell +2)^3}}{2^n}. \end{aligned}$$

5 Proof of Theorem 1

Before we prove the security of \(\textsf{OFB}\)-\(\textsf{DRBG}\), we briefly compare our analysis with \(\textsf{CTR}\text {-}\textsf{DRBG}\), and give a proof overview.

5.1 Comparison with \(\textsf{CTR}\text {-}\textsf{DRBG}\)

Both \(\textsf{CTR}\text {-}\textsf{DRBG}\) and \(\textsf{OFB}\text {-}\textsf{DRBG}\) are based on a compression function and an extendable output function; they use the same compression function \(\textsf{CtE}\) but different extendable output functions, \(\textsf{CTR}\) and \(\textsf{OFB}\) respectively. So, their security proofs are similar: some bad events are defined from key collisions and the other bad events come from the underlying extendable output function. The key is generated by \(\textsf{CtE}\), so the analysis of the bad events from key collisions is the same for both DRBGs. On the other hand, the bad events from the extendable output functions have to be analyzed carefully. In our proof, we define a bad event on the \(\textsf{OFB}\) extendable output function, namely \(\textsf{bad}_2\), and upper bound its probability.

5.2 Proof overview

Our security proof can be outlined as follows:

  1. Firstly, we transform the attack on the robustness of \(\textsf{OFB}\)-\(\textsf{DRBG}\) into a distinguishing game between the ideal world and the real world. In order to upper bound the distinguishing advantage more simply, we introduce a hybrid world. The security proof is then reduced to upper bounding the distinguishing advantage between the real world and the hybrid world. In the hybrid world, the state S is updated randomly when \(c \ge \lambda \) in the \(\textsf{refresh}\) and \(\textsf{next}\) procedures, which makes the security proof easier.

  2. The advantage between the real world and the hybrid world is upper bounded by the H-coefficient technique. In particular, we define two bad events, namely \(\textsf{bad}_1\) and \(\textsf{bad}_2\). Excluding \(\textsf{bad}_1\) ensures that all the keys are distinct when sufficient entropy is accumulated, which means that all \(\textsf{refresh}\) and \(\textsf{next}\) calls are independent. On the other hand, without \(\textsf{bad}_2\), no collision happens for \(\textsf{next}\) queries.

  3. The unpredictability of \(\textsf{CtE}\), as proven in the previous section, will be used to upper bound the probability of \(\textsf{bad}_1\). The inability of the distribution sampler to access the block cipher, together with the unpredictability of \(\textsf{CtE}\), can be used to upper bound the probability of \(\textsf{bad}_1\).

5.3 Hybrid world

In order to prove Theorem 1, we introduce the hybrid world for \(\textsf{OFB}\)-\(\textsf{DRBG}\) mentioned in the proof overview. We first define \(\textsf{hOFB}\) and \(\mathsf {hOFB\text {-}DRBG}\) as described in Algorithm 6.

Algorithm 6 \(\textsf{hOFB}\) construction and \(\mathsf {hOFB\text {-}DRBG}\)

The \(\textsf{hOFB}\) construction additionally gets system entropy threshold \(\lambda \) and accumulated entropy c. If \(c<\lambda \), then \(\textsf{hOFB}\) executes the same computation as \(\textsf{OFB}\), but if accumulated entropy is sufficient, it outputs truly random bits. From the \(\textsf{hOFB}\) construction, one can build \(\textsf{setup}_{\textsf{h}},\textsf{refresh}_{\textsf{h}},\textsf{next}_{\textsf{h}}\) procedures for \(\mathsf {hOFB\text {-}DRBG}\). With procedures for \(\mathsf {hOFB\text {-}DRBG}\), one can build hybrid world \(\textbf{S}_h\) as described in Algorithm 7.

In the hybrid world, \(\textsf{setup}_\textsf{h}\), \(\textsf{refresh}_\textsf{h}\) and \(\textsf{next}_\textsf{h}\) are based on \(\textsf{hOFB}\), so the state, and in particular the key, of \(\mathsf {hOFB\text {-}DRBG}\) is random as long as \(c \ge \lambda \). Therefore, we can assume that if \(c \ge \lambda \), then the key is independent of the subsequent operations of \(\mathsf {hOFB\text {-}DRBG}\). Using this independence, we can prove Theorem 1. We begin with Lemmas 5 and 6.

Algorithm 7 Hybrid world \(\textbf{S}_{h}\) Oracles

Lemma 5

Let \(\mathcal {A}\) and \(\mathcal {D}\) be an adversary and a distribution sampler introduced in Theorem 1, respectively. Then there exists an adversary \(\mathcal {A}'\) distinguishing \(\textbf{S}_1\) and \(\textbf{S}_h\) under the same restriction on the queries as \(\mathcal {A}\), that satisfies

$$\begin{aligned} \textbf{Adv}^{\textrm{rob}}_{\{0,1\}}(\mathcal {A}, \mathcal {D})\le 2\textbf{Adv}^{\textrm{rob}}_{\{h,1\}}(\mathcal {A}', \mathcal {D}). \end{aligned}$$

Proof

By the triangle inequality, we have

$$\begin{aligned} \textbf{Adv}^{\textrm{rob}}_{\{0,1\}}(\mathcal {A}, \mathcal {D})&\le \left| {\Pr [1\leftarrow A^{\textbf{S}_0}]-\Pr [1\leftarrow A^{\textbf{S}_1}]} \right| \\&\le \left| {\Pr [1\leftarrow A^{\textbf{S}_0}]-\Pr [1\leftarrow A^{\textbf{S}_h}]} \right| +\left| {\Pr [1\leftarrow A^{\textbf{S}_h}]-\Pr [1\leftarrow A^{\textbf{S}_1}]} \right| \\&\le \textbf{Adv}^{\textrm{rob}}_{\{0,h\}}(\mathcal {B}, \mathcal {D})+\textbf{Adv}^{\textrm{rob}}_{\{h,1\}}(\mathcal {A}', \mathcal {D}), \end{aligned}$$

where \(\mathcal {B}\) aims to distinguish \(\textbf{S}_0\) and \(\textbf{S}_h\) under the same restriction. For any adversary that aims to distinguish \(\textbf{S}_0\) and \(\textbf{S}_h\), one can build an adversary that aims to distinguish \(\textbf{S}_1\) and \(\textbf{S}_h\) by replacing the response to \(\textrm{ROR}(\ell )\) with an \(\ell \)-bit random string whenever the accumulated entropy satisfies \(c \ge \lambda \). Therefore, there always exists an adversary that satisfies

$$\begin{aligned} \textbf{Adv}^{\textrm{rob}}_{\{0,h\}}(\mathcal {B}, \mathcal {D})\le \textbf{Adv}^{\textrm{rob}}_{\{h,1\}}(\mathcal {A}', \mathcal {D}) \end{aligned}$$

under the same restriction. \(\square \)

Lemma 6

Let \(E: \{0, 1\}^k \times \{0, 1\}^n \rightarrow \{0, 1\}^n\) be a block cipher. Let \(\mathcal {G}\) denote \(\mathsf {OFB\text {-}DRBG}[E]\) as defined in Algorithm 2. Suppose that a distribution sampler \(\mathcal {D}\) is \(\lambda \)-simple. Let \(\mathcal {A}\) be an adversary against \(\mathcal {G}\) who can make at most \(q_c\) queries to oracles \(\textrm{GET}, \textrm{SET}, \textrm{REF}, \textrm{ROR}\), \(q_p\) queries to the block cipher oracle and \(q_I\) queries to \(\textrm{REF}\). Let L be the overall block length of the random entropy inputs from \(\mathcal {D}\) and let \(\ell _{max}\) be the maximum block length of the single entropy input. Let B be the overall block length of the \(\textsf{OFB}\) call outputs and let \(b_{max}\) be the maximum block length of the single \(\textsf{OFB}\) call output. Then for \(q=q_p + q_c + q_I + 4\), one has

$$\begin{aligned} \textbf{Adv}^{\textrm{rob}}_{\{h,1\}}(\mathcal {A}, \mathcal {D})&\le \frac{b_{max}B}{2^n} + \frac{q_c \cdot q}{2^k} + \frac{q_I \cdot q}{2^n} + \frac{q_I \sqrt{q}}{2^{\lambda / 2}} + \frac{ 8(L +2q_I)\sqrt{q(\ell _{max} + 2)}}{2^n}. \end{aligned}$$

5.4 Transcript for the distinguishing game

Before proving Lemma 6, let \(\ell \) be the output length of \(\textrm{ROR}\) chosen by the attacker. For convenience, we assume that \(\ell \) is a multiple of n. After the querying phase, \(\mathcal {A}\) has the responses to the \(\textrm{GET}, \textrm{SET}, \textrm{REF}\) and \(\textrm{ROR}\) queries and the block cipher oracle queries, and the outputs of \(\textrm{INIT}\). We also assume that, after the query phase, the adversary obtains the state S of every query, all distribution sampler outputs I, and \(\textsf{CtE}[E,n\cdot \lceil k/n\rceil +n](I)\). Also, for all \(\textrm{REF}()\) and \(\textrm{ROR}(\ell )\) queries with accumulated entropy \(c\ge \lambda \), the adversary additionally obtains, after it finishes querying, the \((n\cdot \lceil k/n\rceil - k)\)-bit value T, which is the block cipher output discarded when updating the \((k+n)\)-bit state in \(\textbf{S}_{1}\), or a random bit string picked uniformly from \(\{0,1\}^{n\cdot \lceil k/n\rceil -k}\) in \(\textbf{S}_{h}\). Then, the transcript can be transformed to

$$\begin{aligned} \tau =(\mathcal {Q}_P,\mathcal {Q}_\lambda ,\mathcal {Q}_S,\mathcal {Q}_I, \mathcal {R}), \end{aligned}$$

where,

  • \(\mathcal {Q}_P\) is a tuple of ideal cipher queries, i.e., \((J,u,v)\in \mathcal {Q}_P\) if and only if \(E_J(u) = v\).

  • \(\mathcal {Q}_\lambda \) is a tuple of the \(\textrm{REF}\) or \(\textrm{ROR}\) queries that were made with accumulated entropy \(c \ge \lambda \). The elements of \(\mathcal {Q}_\lambda \) are triples \((K, X, r)\), created as follows.

    • \(K \mathbin {\Vert }V = S_0\) where \(S_0\) is a start state.

    • For \(\textrm{ROR}(\ell )\), with \(S_0\), output \((R,S_1)\) and additional information T,

      $$\begin{aligned} X=V\mathbin {\Vert }R\mathbin {\Vert }T \mathbin {\Vert }S_1. \end{aligned}$$

      X is the concatenation of an input V and outputs of the block cipher E in the real world, or randomly generated values when it is in the hybrid world.

    • For \(\textrm{REF}()\), with \(S_0\), output \(S_1\), additional information T and entropy input I,

      $$\begin{aligned} X= V \mathbin {\Vert }\left( (S_1\mathbin {\Vert }T)\oplus \textsf{CtE}[E,n\cdot \lceil k/n\rceil +n](I) \right) . \end{aligned}$$

      X is the concatenation of an input V and outputs of the block cipher E in the real world, or randomly generated values when it is in the hybrid world.

    • r is the accumulated entropy when the key K is generated. \(\mathcal {Q}_\lambda \) only contains a tuple of \(\textrm{REF}\) or \(\textrm{ROR}\) queries that is queried with the accumulated entropy \(c \ge \lambda \). But the key K is generated before the \(\textrm{REF}\) or \(\textrm{ROR}\) queries. Hence, the accumulated entropy c can be smaller than \(\lambda \) when K is generated. So, we define r in such a way that it stores the accumulated entropy c when K is generated.

  • \(\mathcal {Q}_S\) is a tuple of all states S of \(\mathsf {OFB\text {-}DRBG}\) when \(c < \lambda \).

  • \(\mathcal {Q}_I\) is a tuple of \((I,\textsf{CtE}[E,n\cdot \lceil k/n\rceil +n](I),\sigma , \gamma , z)\) where \(\sigma \) is a next state of the \(\mathcal {D}\), \(\gamma \) is an estimated entropy of I and z is a side information of I.

  • \(\mathcal {R}\) is a tuple of R that is the output of \(\textrm{ROR}(\ell )\) when \(c < \lambda \).

5.5 H-coefficient technique

In order to upper bound the advantage of the adversary, we will partition the set of attainable transcripts \(\Gamma \) into a set of “good” transcripts \(\Gamma _{\textsf{good}}\), such that the probabilities of obtaining a transcript \(\tau \in \Gamma _{\textsf{good}}\) are close in \(\textbf{S}_{1}\) and \(\textbf{S}_{h}\), and a set \(\Gamma _{\textsf{bad}}\) of “bad” transcripts, such that the probability of obtaining any \(\tau \in \Gamma _{\textsf{bad}}\) is small in \(\textbf{S}_{h}\). For any event \(\mathcal {E}\) and \(b\in \{h,1\}\), we define \(\Pr _{\textbf{S}_b}[\mathcal {E}]\) as the probability that \(\mathcal {E}\) happens when the world is \(\textbf{S}_b\).

Lemma 7

(H-coefficient technique [14]) Fix an adversary \(\mathcal {A}\). Let \(\Gamma =\Gamma _{\textsf{good}}\sqcup \Gamma _{\textsf{bad}}\) be a partition of the set of attainable transcripts. Assume that there exists \(\varepsilon _1\) such that for any \(\tau \in \Gamma _{\textsf{good}}\),

$$\begin{aligned} \frac{\textrm{Pr}_{\textbf{S}_{1}}[\tau ]}{\textrm{Pr}_{\textbf{S}_{h}}[\tau ]}\ge 1-\varepsilon _1, \end{aligned}$$

and that there exists \(\varepsilon _2\) such that \(\textrm{Pr}_{\textbf{S}_{h}}[\Gamma _{\textsf{bad}}]\le \varepsilon _2\). Then one has

$$\begin{aligned} \textbf{Adv}^{\textrm{rob}}_{\{h,1\}}(\mathcal {A})\le \varepsilon _1+\varepsilon _2. \end{aligned}$$

5.6 Bad transcripts

A transcript is called \(\textsf{bad}\) if one of the following conditions holds:

  • \(\textsf{bad}_1 \Leftrightarrow \) There exists \((K, \cdot , \cdot ) \in \mathcal {Q}_\lambda \) such that one of the following holds:

    • \(\textsf{bad}_{1,1}\): there also exists \((K, \cdot , \cdot ) \in \mathcal {Q}_P\);

    • \(\textsf{bad}_{1,2}\): there also exists a distinct element \((K', \cdot , \cdot ) \in \mathcal {Q}_\lambda \) where \(K = K'\);

    • \(\textsf{bad}_{1,3}\): there also exists \(K \mathbin {\Vert }\cdot \in \mathcal {Q}_S\);

    • \(\textsf{bad}_{1,4}\): \(K = K_0\) where \(K_0\) is the constant key for \(\textsf{CBCMAC}\);

    • \(\textsf{bad}_{1,5}\): there also exists \((I, \cdot , \cdot , \cdot , \cdot ) \in \mathcal {Q}_I\) such that \(K = \textsf{Condense}[E](I)[1:k]\).

  • \(\textsf{bad}_2 \Leftrightarrow \) There exists a \((K, X, r) \in \mathcal {Q}_\lambda \) such that \(X_i = X_j\) for \(i \ne j\) where \((X_1, \dots , X_{|X|/n}) \overset{n}{\longleftarrow }\ X\).

In our case, \(\textsf{bad}_1\) is defined to simplify the calculation of \(\varepsilon _1\). By defining \(\textsf{bad}_1\), we can safely say that in \(\Gamma _{\textsf{good}}\) every key used in \(\mathcal {Q}_\lambda \) is used only once. In the ideal cipher model, two distinct keys yield two independent random permutations. Hence, we can simplify the calculation of \(\varepsilon _1\) based on the ideal cipher E in the real world. \(\textsf{bad}_2\) is an undesirable event: if it happens, the attacker can distinguish the two worlds with high probability. For \(i \ne j\), if \(X_i = X_j\) and \(X_{i-1} \ne X_{j-1}\), then the attacker immediately concludes that it is in the hybrid world: in the real world, \(X_{i-1}\) (resp. \(X_{j-1}\)) is the input of E that yields \(X_i\) (resp. \(X_j\)), so \(X_i = X_j\) implies \(X_{i-1} = X_{j-1}\). Likewise, for \(i \ne j\), if \(X_i = X_j\) and \(X_{i+1} \ne X_{j+1}\), then the attacker knows that it is in the hybrid world. We therefore define \(\textsf{bad}_2\) as the event that there exists \((K, X, r) \in \mathcal {Q}_\lambda \) such that \(X_i = X_j\) for some \(i \ne j\). In this way, we exclude all the undesirable events.

Note that in the H-coefficient technique, we only need to analyze the probability of the \(\textsf{bad}\) cases in \(\textbf{S}_{h}\). Let \(\mathcal {K}_\lambda \) be the set of keys in \(\mathcal {Q}_\lambda \); in other words, \(K \in \mathcal {K}_\lambda \) if and only if \((K, \cdot , \cdot ) \in \mathcal {Q}_\lambda \). Similarly, let \(\mathcal {K}_P\) be the set of keys in \(\mathcal {Q}_P\) and \(\mathcal {K}_S\) the set of keys in \(\mathcal {Q}_S\). Let \(\mathcal {K}_C:= \{ \textsf{Condense}[E](I)[1:k]: (I,\cdot ,\cdot ,\cdot ,\cdot ) \in \mathcal {Q}_I \}\). \(\mathcal {K}_\lambda \) is divided into \(\mathcal {K}_{R}\) and \(\mathcal {K}_{I}\), where

  • \(\mathcal {K}_{R}\) is the set of keys that are generated uniformly at random. For \((K, \cdot , r) \in \mathcal {Q}_\lambda \), if \(r \ge \lambda \) then \(K \in \mathcal {K}_R\).

  • \(\mathcal {K}_{I}\) is the set of keys K such that K is generated by

    $$\begin{aligned} K \leftarrow \textsf{OFB}^{V'}_{K'}[E](\textsf{CtE}[E,k](I)) \end{aligned}$$

    for a random entropy input I from the distribution sampler \(\mathcal {D}\) and the previous state \(K' \mathbin {\Vert }V'\). For \((K, \cdot , r) \in \mathcal {Q}_\lambda \), if \(r < \lambda \) then \(K \in \mathcal {K}_I\).

5.7 Probability of \(\textsf{bad}_1\)

The adversary can make at most \(q_p\) ideal cipher queries, at most \(q_c\) queries to the robustness oracles \(\textrm{REF}, \textrm{ROR}, \textrm{GET}\) and \(\textrm{SET}\) and at most \(q_I\) queries to the \(\textrm{REF}\) oracle.

  • Suppose \(K \in \mathcal {K}_R\). In other words, K is generated uniformly at random. Considering \(\textsf{bad}_{1,1}\), at most \(q_p\) keys can exist in \(\mathcal {K}_P\). Considering \(\textsf{bad}_{1,2}\) and \(\textsf{bad}_{1,3}\), at most \(q_c + 2\) keys can exist in \(\mathcal {K}_\lambda \cup \mathcal {K}_S\). Because \(q_c\) is the number of \(\textrm{REF}, \textrm{ROR}, \textrm{GET}\) and \(\textrm{SET}\) calls, we upper bound the number of keys used as \(q_c + 2\) considering initial state \(0^k \mathbin {\Vert }0^n\) and a state after \(\textrm{INIT}\) call. Considering \(\textsf{bad}_{1,4}\), we only need to consider a constant key \(K_0\). Considering \(\textsf{bad}_{1,5}\), at most \(q_I + 1\) keys can exist in \(\mathcal {K}_C\), because only two oracles \(\textrm{REF}\) and \(\textrm{INIT}\) use the \(\textsf{CtE}\) as a subroutine. Note that we denote \(q = q_p + q_c + q_I +4\). For any \((K, \cdot , \cdot ) \in \mathcal {Q}_{\lambda }\), the probability that \(\textsf{bad}_1\) occurs is at most \(\frac{q}{2^k}\). Since there are at most \(q_c\) elements in \(\mathcal {Q}_{\lambda }\), the probability that \(\textsf{bad}_1\) occurs is upper bounded by

    $$\begin{aligned} \frac{q_c \cdot q}{2^k}. \end{aligned}$$
    (1)
  • Suppose \(K \in \mathcal {K}_I\), i.e.,

    $$\begin{aligned} K = \textsf{OFB}^{V'}_{K'}[E](\textsf{CtE}[E,k](I)) \end{aligned}$$

    for an entropy input I and previous state \((K', V')\). We fix \(U:= (K, X, r) \in \mathcal {Q}_\lambda \). Let \(\ell _U\) be the block length of the entropy input I. Considering \(\textsf{bad}_{1,1}\), we define \(\textsf{Coll}_U^1\) as the event that \(K \in \mathcal {K}_P\). Considering \(\textsf{bad}_{1,2}\), let \(\mathcal {K}_2:= \{K': (K', \cdot , \cdot ) \in \mathcal {Q}_\lambda \backslash \{U\}\}\); we define \(\textsf{Coll}_U^2\) as the event that \(K \in \mathcal {K}_2\). Considering \(\textsf{bad}_{1,3}\), we define \(\textsf{Coll}_U^3\) as the event that \(K \in \mathcal {K}_S\). Considering \(\textsf{bad}_{1,4}\), we define \(\textsf{Coll}_U^4\) as the event that \(K=K_0\). Considering \(\textsf{bad}_{1,5}\), we define \(\textsf{Coll}_U^5\) as the event that \(K \in \mathcal {K}_C\). Note that if \(K \in \mathcal {K}_{I}\), then \(\textbf{S}_{h}\) returns a uniformly random output instead of the real \(\textsf{OFB}\) output. Therefore, the adversary cannot obtain any information about K after this query. Hence, to learn anything about K, the attacker needs to somehow guess \(\textsf{CtE}[E,k](I)\) and \(E(K', V')\). We give \(Z = E(K', V')\) to the adversary for free. Note that \(\textsf{CtE}[E,n](I) = K \oplus Z\) and \(k \ge n\). Therefore, we can reduce the above events to a guessing game on the n-bit prefix of \(\textsf{CtE}\), as follows. For simplicity, we denote \({\overline{\mathcal {K}}}:= \mathcal {K}_P \cup \mathcal {K}_2\cup \mathcal {K}_S \cup \{ K_0\} \cup \mathcal {K}_C\). Then,

    $$\begin{aligned} \textrm{Pr}_{\textbf{S}_{h}}\left[ \textsf{Coll}_U^1 \vee \textsf{Coll}_U^2 \vee \textsf{Coll}_U^3 \vee \textsf{Coll}_U^4 \vee \textsf{Coll}_U^5 \right]&= \textrm{Pr}_{\textbf{S}_{h}}\left[ K \in {\overline{\mathcal {K}}} \right] \nonumber \\&\le \textsf{Pr} \left[ \textsf{CtE}[E,n] \in {\overline{\mathcal {K}}} \oplus Z \right] . \end{aligned}$$
    (2)

    The adversary only has side information z, an estimated entropy \(\gamma \) of I, and some information on the block cipher E. We assumed that \(\mathcal {D}\) is independent of the ideal cipher, i.e., the information of E does not affect the min-entropy of I. So, the probability that \(\textsf{Coll}_U^1 \vee \textsf{Coll}_U^2 \vee \textsf{Coll}_U^3 \vee \textsf{Coll}_U^4 \vee \textsf{Coll}_U^5\) occurs is upper bounded by the probability of winning the \(\textsf{CtE}\) guessing game with the adversary who can guess at most q times. Since we modeled \(\mathcal {D}\) as \(\lambda \)-simple, the min-entropy of I is greater than or equal to \(\lambda \). By Lemma 4, the following holds

    $$\begin{aligned} \textsf{Pr} \left[ \textsf{CtE}[E,n] \in {\overline{\mathcal {K}}} \oplus Z \right]&\le \frac{q}{2^n} + \frac{\sqrt{q}}{2^{\lambda / 2}} + \frac{ 8\sqrt{q(\ell _U + 2)^3}}{2^n} \nonumber \\&\le \frac{q}{2^n} + \frac{\sqrt{q}}{2^{\lambda / 2}} + \frac{ 8(\ell _U +2)\sqrt{q(\ell _{max} + 2)}}{2^n} \end{aligned}$$
    (3)

    since \(\ell _U \le \ell _{max}\).

By (1), (2) and (3),

$$\begin{aligned} \textrm{Pr}_{\textbf{S}_{h}}\left[ \textsf{bad}_1 \right]&\le \frac{q_c \cdot q}{2^k} + \textrm{Pr}_{\textbf{S}_{h}}\left[ \bigvee _{U \in \mathcal {Q}_\lambda } \left( \textsf{Coll}_U^1 \vee \textsf{Coll}_U^2 \vee \textsf{Coll}_U^3 \vee \textsf{Coll}_U^4 \vee \textsf{Coll}_U^5\right) \right] \nonumber \\&\le \frac{q_c \cdot q}{2^k} + \frac{q_I \cdot q}{2^n} + \frac{q_I \sqrt{q}}{2^{\lambda / 2}} + \frac{ 8(L +2q_I)\sqrt{q(\ell _{max} + 2)}}{2^n} \end{aligned}$$
(4)

since \(\left| {\mathcal {K}_{I}} \right| \le q_{I}\) and \(\sum _{U \in \mathcal {Q}_{\lambda }} \ell _U \le L\).

5.8 Probability of \(\textsf{bad}_2\)

Assume that \(\mathcal {Q}_\lambda \) is generated by C calls of \(\textsf{OFB}\). Let \(X_1,\ldots , X_C\) be the corresponding \(\textsf{OFB}\) outputs, and let \(b_1,\ldots , b_C\) be the block lengths of \(X_1,\dots , X_C\). For \(j=1,\dots ,C\), we decompose \(X_j\) as \((x_1, \ldots , x_{b_j}) \overset{n}{\longleftarrow }\ X_j\). We define \(\textsf{Coll}_j\) as the event that there exist two distinct indices \(u \ne u' \in \{1,\dots ,b_j\}\) such that \(x_u = x_{u'}\). Because we are considering \(\mathcal {Q}_\lambda \) in \(\textbf{S}_{h}\), \(X_j\) is picked uniformly at random. Then, the following holds

$$\begin{aligned} \textrm{Pr}_{\textbf{S}_{h}}\left[ \textsf{Coll}_j \right] \le \frac{b_j^2}{2^n}. \end{aligned}$$

Then, by union bound,

$$\begin{aligned} \textrm{Pr}_{\textbf{S}_{h}}\left[ \textsf{bad}_2 \right]&\le \sum _{j=1}^{C} \textrm{Pr}_{\textbf{S}_{h}}\left[ \textsf{Coll}_j \right] \le \sum _{j=1}^{C} \frac{b_{max}b_j}{2^n} \le \frac{b_{max}B}{2^n}. \end{aligned}$$
(5)

Finally, by (4) and (5), we have

$$\begin{aligned} \textrm{Pr}_{\textbf{S}_{h}}\left[ \textsf{bad}\right] \le \frac{b_{max}B}{2^n} + \frac{q_c \cdot q}{2^k} + \frac{q_I \cdot q}{2^n} + \frac{q_I \sqrt{q}}{2^{\lambda / 2}} + \frac{ 8(L +2q_I)\sqrt{q(\ell _{max} + 2)}}{2^n}. \end{aligned}$$
(6)
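The two structural checks granted to the attacker in the \(\textsf{bad}_2\) discussion of Sect. 5.6 (a repeated output block whose neighbours disagree) and the collision frequency bounded in this section, simulated over a toy n-bit random permutation standing in for the ideal cipher. This is an added example, not code from the paper; the function names, n = 8 and the sample transcripts are constructed.

```python
import random

def random_permutation(n, seed):
    """Toy stand-in for the ideal cipher E_K on n-bit blocks (constructed)."""
    perm = list(range(1 << n))
    random.Random(seed).shuffle(perm)
    return perm

def ofb_keystream(perm, v, blocks):
    """Real world S_1: X_1 = E_K(V), X_i = E_K(X_{i-1}); perm plays E_K."""
    out, x = [], v
    for _ in range(blocks):
        x = perm[x]
        out.append(x)
    return out

def bad2(blocks):
    """bad_2 on one transcript entry X: some X_i = X_j with i != j."""
    return len(set(blocks)) < len(blocks)

def ofb_consistent(blocks):
    """Check a real OFB keystream always passes: a repeat X_i = X_j forces
    X_{i+1} = X_{j+1} (E_K is a function) and X_{i-1} = X_{j-1} (E_K is a
    permutation). A failure identifies the hybrid world S_h."""
    seen = {}
    for i, x in enumerate(blocks):
        if x not in seen:
            seen[x] = i
            continue
        j = seen[x]
        if i + 1 < len(blocks) and blocks[i + 1] != blocks[j + 1]:
            return False
        if j > 0 and blocks[i - 1] != blocks[j - 1]:
            return False
    return True

def estimate_bad2(n, b, trials, seed):
    """Hybrid world S_h: X_j is b uniform n-bit blocks. Return the observed
    frequency of Coll_j, to compare with the bound b^2 / 2^n."""
    rng = random.Random(seed)
    hits = sum(bad2([rng.randrange(1 << n) for _ in range(b)]) for _ in range(trials))
    return hits / trials

if __name__ == "__main__":
    n = 8
    real = ofb_keystream(random_permutation(n, seed=1), v=0, blocks=300)
    print("real OFB: bad2 =", bad2(real), "consistent =", ofb_consistent(real))
    hybrid = [5, 9, 5, 7]  # constructed S_h transcript: X_1 = X_3 but X_2 != X_4
    print("hybrid: bad2 =", bad2(hybrid), "consistent =", ofb_consistent(hybrid))
    print("Pr[Coll_j] estimate:", estimate_bad2(n, b=4, trials=4000, seed=7), "bound:", 16 / 256)
```

A real keystream of 300 blocks on a 256-element permutation necessarily cycles, so \(\textsf{bad}_2\) also occurs in \(\textbf{S}_{1}\), but there it never fails the consistency check.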

5.9 Good transcripts

Fix a good transcript \(\tau \). In the real world \(\textbf{S}_{1}\), the following holds

$$\begin{aligned} \textrm{Pr}_{\textbf{S}_{1}}\left[ \tau \right]&= \textrm{Pr}_{\textbf{S}_{1}}\left[ \mathcal {Q}_P \wedge \mathcal {Q}_I \wedge \mathcal {Q}_\lambda \wedge \mathcal {Q}_S \wedge \mathcal {R}\right] \\&= \textrm{Pr}_{\textbf{S}_{1}}\left[ \mathcal {Q}_P \wedge \mathcal {Q}_I \right] \cdot \textrm{Pr}_{\textbf{S}_{1}}\left[ \mathcal {Q}_\lambda \mid \mathcal {Q}_P \wedge \mathcal {Q}_I \right] \cdot \textrm{Pr}_{\textbf{S}_{1}}\left[ \mathcal {Q}_S \wedge \mathcal {R}\mid \mathcal {Q}_P \wedge \mathcal {Q}_I \wedge \mathcal {Q}_\lambda \right] . \end{aligned}$$

Because \(\tau \in \Gamma _{\textsf{good}}\), the keys used in \(\mathcal {Q}_\lambda \) are different from the keys in \(\mathcal {Q}_P\), \(\mathcal {Q}_S\) and \(\mathcal {Q}_I\). Note that the key used to generate \(\mathcal {R}\) is contained in \(\mathcal {Q}_S\). Hence, the following holds

$$\begin{aligned} \textrm{Pr}_{\textbf{S}_{1}}\left[ \mathcal {Q}_\lambda \mid \mathcal {Q}_P \wedge \mathcal {Q}_I \right] = \prod _{(K,X,r) \in \mathcal {Q}_\lambda }\frac{1}{2^n (2^n-1) \cdots \left( 2^n - \frac{|X|}{n} + 2\right) }. \end{aligned}$$

In the hybrid world \(\textbf{S}_{h}\), the following holds

$$\begin{aligned} \textrm{Pr}_{\textbf{S}_{h}}\left[ \tau \right]&=\textrm{Pr}_{\textbf{S}_{h}}\left[ \mathcal {Q}_P \wedge \mathcal {Q}_I \wedge \mathcal {Q}_\lambda \wedge \mathcal {Q}_S \wedge \mathcal {R}\right] \\&= \textrm{Pr}_{\textbf{S}_{h}}\left[ \mathcal {Q}_P \wedge \mathcal {Q}_I \right] \cdot \textrm{Pr}_{\textbf{S}_{h}}\left[ \mathcal {Q}_\lambda \mid \mathcal {Q}_P \wedge \mathcal {Q}_I \right] \cdot \textrm{Pr}_{\textbf{S}_{h}}\left[ \mathcal {Q}_S \wedge \mathcal {R}\mid \mathcal {Q}_P \wedge \mathcal {Q}_I \wedge \mathcal {Q}_\lambda \right] . \end{aligned}$$

Because \(\tau \in \Gamma _{\textsf{good}}\), the keys used in \(\mathcal {Q}_\lambda \) are different from the keys in \(\mathcal {Q}_P\), \(\mathcal {Q}_S\) and \(\mathcal {Q}_I\). Then the following holds in the hybrid world \(\textbf{S}_{h}\)

$$\begin{aligned} \textrm{Pr}_{\textbf{S}_{h}}\left[ \mathcal {Q}_\lambda \mid \mathcal {Q}_P \wedge \mathcal {Q}_I \right] = \prod _{(K,X,r) \in \mathcal {Q}_\lambda } \frac{1}{(2^n)^{\frac{|X|}{n} - 1}}. \end{aligned}$$

The ideal cipher and the distribution sampler \(\mathcal {D}\) operate identically in both worlds. Also, conditioned on \(\mathcal {Q}_P \wedge \mathcal {Q}_I \wedge \mathcal {Q}_\lambda \), the randomness in \(\mathcal {Q}_S \wedge \mathcal {R}\) depends only on the block cipher calls in both worlds. Hence, the following hold

$$\begin{aligned}&\textrm{Pr}_{\textbf{S}_{1}}[\mathcal {Q}_P \wedge \mathcal {Q}_I] = \textrm{Pr}_{\textbf{S}_{h}}[\mathcal {Q}_P \wedge \mathcal {Q}_I] \end{aligned}$$

and

$$\begin{aligned} \textrm{Pr}_{\textbf{S}_{1}}\left[ \mathcal {Q}_S \wedge \mathcal {R}\mid \mathcal {Q}_P \wedge \mathcal {Q}_I \wedge \mathcal {Q}_\lambda \right] = \textrm{Pr}_{\textbf{S}_{h}}\left[ \mathcal {Q}_S \wedge \mathcal {R}\mid \mathcal {Q}_P \wedge \mathcal {Q}_I \wedge \mathcal {Q}_\lambda \right] . \end{aligned}$$

Therefore,

$$\begin{aligned} \frac{\textrm{Pr}_{\textbf{S}_{1}}\left[ \tau \right] }{\textrm{Pr}_{\textbf{S}_{h}}\left[ \tau \right] } = \frac{\textrm{Pr}_{\textbf{S}_{1}}\left[ \mathcal {Q}_\lambda \mid \mathcal {Q}_P \wedge \mathcal {Q}_I \right] }{\textrm{Pr}_{\textbf{S}_{h}}\left[ \mathcal {Q}_\lambda \mid \mathcal {Q}_P \wedge \mathcal {Q}_I \right] } \ge 1. \end{aligned}$$
(7)
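The inequality in (7) follows factor by factor from the two products above. Writing \(m := |X|/n\) for one entry \((K,X,r) \in \mathcal {Q}_\lambda \), the added derivation below (not part of the original text) expands the per-entry ratio of the hybrid-world term to the real-world term:

$$\begin{aligned} \frac{(2^n)^{m-1}}{2^n (2^n-1) \cdots \left( 2^n - m + 2\right) } = \prod _{i=0}^{m-2} \frac{2^n}{2^n - i} \ge 1, \end{aligned}$$

since every factor has numerator \(2^n \ge 2^n - i\); all \(m-1\) factors are positive because \(\tau \notin \textsf{bad}_2\) forces the blocks of X to be distinct, so \(m \le 2^n\). The product over all entries of \(\mathcal {Q}_\lambda \) is then also at least 1.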

Finally, by (6) and (7) and using Lemma 7, we obtain

$$\begin{aligned} \textbf{Adv}^{\textrm{rob}}_{\{h,1\}}(\mathcal {A}, \mathcal {D})&\le \frac{b_{max}B}{2^n} + \frac{q_c \cdot q}{2^k} + \frac{q_I \cdot q}{2^n} + \frac{q_I \sqrt{q}}{2^{\lambda / 2}} + \frac{ 8(L +2q_I)\sqrt{q(\ell _{max} + 2)}}{2^n}. \end{aligned}$$