Abstract
Good randomness is needed for most cryptographic applications. In practice, pseudo-random number generators (PRNGs) are employed. \(\texttt {CTR\_DRBG}\) is a popular choice and among the PRNGs recommended by NIST. It is defined for use with primitives like AES or TDEA, which are not always suited for lightweight applications.
In this work we propose \(\texttt{FCRNG}\), a new PRNG, similar to \(\texttt {CTR\_DRBG}\), that is optimized for the lightweight setting (e.g. the Internet of Things). Our \(\texttt{FCRNG}\) construction utilizes the expanding and tweakable forkcipher primitive instantiated with \(\textsf{ForkSkinny}\), which was introduced by Andreeva et al. at ASIACRYPT 2019. \(\texttt{FCRNG}\) employs internally a forkcipher-based counter-style mode \(\mathsf {\texttt {FCTR}}\). We propose two \(\mathsf {\texttt {FCTR}}\) variants: \(\texttt {FCTR\hbox {-}c}\) for optimized speed and \(\texttt {FCTR\hbox {-}T}\) for optimized security. We then show that \(\texttt{FCRNG}\) with \(\textsf{ForkSkinny}\) can be 33% faster than \(\texttt {CTR\_DRBG}\) instantiated with the AES blockcipher. \(\texttt{FCRNG}\) also achieves a better security bound in the robustness security game, first introduced by Dodis et al. at CCS’13 and now the standard security goal for PRNGs. Contrary to the CRYPTO 2020 security bound by Hoang and Shen established for \(\texttt {CTR\_DRBG}\), the security of our construction with \(\texttt {FCTR\hbox {-}T}\) degrades neither with the length of the random inputs nor with the amount of requested output pseudorandom bits. \(\texttt{FCRNG}\) passes all tests of the NIST test suite for pseudorandom number generators.
Notes
1. Cohney et al. [12] noted that 67.8% of all certified implementations from NIST’s Cryptographic Module Validation Program (CMVP) in 2019 supported \(\texttt {CTR\_DRBG}\), making it the most popular design among these certifications.
2. We look at the \(\textsf{SKINNY}\) instance with the same blocksize and tweakey size, since we want the round function in both cases to operate on the same input sizes.
References
1. Andreeva, E., Bhati, A.S., Preneel, B., Vizár, D.: 1, 2, 3, fork: counter mode variants based on a generalized forkcipher. IACR Trans. Symm. Cryptol. 2021(3), 1–35 (2021). https://doi.org/10.46586/tosc.v2021.i3.1-35
2. Andreeva, E., Lallemand, V., Purnal, A., Reyhanitabar, R., Roy, A., Vizár, D.: Forkcipher: a new primitive for authenticated encryption of very short messages. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11922, pp. 153–182. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34621-8_6
3. Andreeva, E., Reyhanitabar, R., Varici, K., Vizár, D.: Forking a blockcipher for authenticated encryption of very short messages. Cryptology ePrint Archive, Report 2018/916 (2018). https://eprint.iacr.org/2018/916
4. Ankele, R., et al.: Related-key impossible-differential attack on reduced-round SKINNY. In: Gollmann, D., Miyaji, A., Kikuchi, H. (eds.) ACNS 2017. LNCS, vol. 10355, pp. 208–228. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-61204-1_11
5. Ankele, R., Kölbl, S.: Mind the gap: a closer look at the security of block ciphers against differential cryptanalysis. In: Cid, C., Jacobson Jr., M. (eds.) SAC 2018. LNCS, vol. 11349, pp. 163–190. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-10970-7_8
6. Barak, B., et al.: Leftover hash lemma, revisited. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 1–20. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_1
7. Barak, B., Halevi, S.: A model and architecture for pseudo-random generation with applications to /dev/random. In: Atluri, V., Meadows, C., Juels, A. (eds.) ACM CCS 2005, pp. 203–212. ACM Press, Alexandria, Virginia, USA (7–11 November 2005). https://doi.org/10.1145/1102120.1102148
8. Beierle, C., et al.: The SKINNY family of block ciphers and its low-latency variant MANTIS. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 123–153. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_5
9. Blum, L., Blum, M., Shub, M.: A simple unpredictable pseudo-random number generator. SIAM J. Comput. 15(2), 364–383 (1986)
10. Bogdanov, A., et al.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74735-2_31
11. Chen, S., Steinberger, J.: Tight security bounds for key-alternating ciphers. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 327–350. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_19
12. Cohney, S., et al.: Pseudorandom black swans: cache attacks on CTR_DRBG. In: 2020 IEEE Symposium on Security and Privacy (SP), pp. 1241–1258. IEEE (2020)
13. Desai, A., Hevia, A., Yin, Y.L.: A practice-oriented treatment of pseudorandom number generators. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 368–383. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_24
14. Dodis, Y., Pointcheval, D., Ruhault, S., Vergnaud, D., Wichs, D.: Security analysis of pseudo-random number generators with input: /dev/random is not robust. In: Sadeghi, A.R., Gligor, V.D., Yung, M. (eds.) ACM CCS 2013, pp. 647–658. ACM Press, Berlin, Germany (4–8 November 2013). https://doi.org/10.1145/2508859.2516653
15. Goldberg, I., Wagner, D.: Randomness and the Netscape browser. Dr. Dobb’s Journal 21(1), 66–71 (1996)
16. Guo, J., Peyrin, T., Poschmann, A., Robshaw, M.J.B.: The LED block cipher. In: Preneel and Takagi [23], pp. 326–341. https://doi.org/10.1007/978-3-642-23951-9_22
17. Hoang, V.T., Shen, Y.: Security analysis of NIST CTR-DRBG. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12170, pp. 218–247. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56784-2_8
18. Hoang, V.T., Tessaro, S.: Key-alternating ciphers and key-length extension: exact bounds and multi-user security. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 3–32. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_1
19. kokke: TinyAES. https://github.com/kokke/tiny-AES-c. Accessed 22 June 2022
20. NIST: NIST SP 800-22: Documentation and Software. https://csrc.nist.gov/projects/random-bit-generation/documentation-and-software. Accessed 23 Nov 2022
21. Patarin, J.: The “Coefficients H” technique. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 328–345. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04159-4_21
22. Pohle, E.: ForkSkinny-C. https://github.com/ErikP0/forkskinny-c. Accessed 08 Sept 2022
23. Preneel, B., Takagi, T. (eds.): CHES 2011. LNCS, vol. 6917. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23951-9
24. Raz, R., Reingold, O.: On recycling the randomness of states in space bounded computation. In: 31st ACM STOC, pp. 159–168. ACM Press, Atlanta, GA, USA (1–4 May 1999). https://doi.org/10.1145/301250.301294
25. Sadeghi, S., Mohammadi, T., Bagheri, N.: Cryptanalysis of reduced round SKINNY block cipher. IACR Trans. Symm. Cryptol. 2018(3), 124–162 (2018). https://doi.org/10.13154/tosc.v2018.i3.124-162
26. Santha, M., Vazirani, U.V.: Generating quasi-random sequences from slightly-random sources (extended abstract). In: 25th FOCS, pp. 434–440. IEEE Computer Society Press, Singer Island, Florida (24–26 October 1984). https://doi.org/10.1109/SFCS.1984.715945
27. Shibutani, K., Isobe, T., Hiwatari, H., Mitsuda, A., Akishita, T., Shirai, T.: Piccolo: an ultra-lightweight blockcipher. In: Preneel and Takagi [23], pp. 342–357. https://doi.org/10.1007/978-3-642-23951-9_23
28. Tolba, M., Abdelkhalek, A., Youssef, A.M.: Impossible differential cryptanalysis of reduced-round SKINNY. In: Joye, M., Nitaj, A. (eds.) AFRICACRYPT 2017. LNCS, vol. 10239, pp. 117–134. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-57339-7_7
29. Weatherley, R.: Skinny-C. https://github.com/rweather/skinny-c. Accessed 22 June 2022
30. Woodage, J., Shumow, D.: An analysis of NIST SP 800-90A. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 151–180. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_6
31. Zhang, P., Zhang, W.: Differential cryptanalysis on block cipher SKINNY with MILP program. Security and Communication Networks 2018 (2018)
32. Zhang, W., Rijmen, V.: Division cryptanalysis of block ciphers with a binary diffusion layer. IET Inf. Secur. 13(2), 87–95 (2019)
A Security of \(\textsf{FCTRCond}\)
Algorithm Related Notation. Let \(\textsf{FCTRCond} ^*\) denote the algorithm that runs \(\textsf{FCTRCond}\) (as defined in Fig. 4) but returns only the first block, i.e. \(\textsf{FCTRCond} ^*(I) := \textsf{FCTRCond} (I)[1:n]\). Let \(M = \textsf{pad}^*(I_1)\) and \(M' = \textsf{pad}^*(I_2)\). Following the second line of \(\textsf{FCTRCond}\), let \(M_1, ..., M_a\) and \(M'_1, ..., M'_b\) be the result of splitting M and \(M'\), respectively, into blocks of length \(k+n+v\). Let B and \(B'\) be the outputs of \(\textsf{FCTRCond} ^*(I_1)\) and \(\textsf{FCTRCond} ^*(I_2)\), respectively. For all \(i \in \{{1, ..., a}\}\), let \(X_i := F^{W,b}_{K}(V)[1:n]\) with \(K \leftarrow M_i[1 : k], V \leftarrow M_i[k+1 : k+n], W \leftarrow 1\ ||\ [i]_{t-v-1}\ ||\ M_i[k+n+1 : k+n+v]\) (i.e. \(X_i\) is the i-th XOR-summand of B). We define \(Y_i\) accordingly: for all \(i \in \{{1, ..., b}\}\), let \(Y_i := F^{W,b}_{K}(V)[1:n]\) with \(K \leftarrow M'_i[1 : k], V \leftarrow M'_i[k+1 : k+n], W \leftarrow 1\ ||\ [i]_{t-v-1}\ ||\ M'_i[k+n+1 : k+n+v]\).
Simplifications. For the proofs in this section we only consider the case \(a = b\) (i.e. M and \(M'\) have the same length), as stated in the following lemmas. The final goal is to give an upper bound on \(\Pr [B = B']\). For any i, if \(M_i = M'_i\) then \(X_i = Y_i\), so these two summands cancel in \(B \oplus B'\), have no influence on \(\Pr [B = B']\), and can be removed. Since \(I_1 \ne I_2\), there is at least one index u with \(M_u \ne M'_u\). Hence, without loss of generality, we always assume that \(M_i \ne M'_i\) for all \(i, 1 \le i \le a\) (with a now counting only the differing blocks).
Probability Theory. For a proper probability theoretic treatment, we define the event space \(\varOmega = \{{(x_1, ..., x_a, y_1, ..., y_a) | \forall i: x_i, y_i \in \{0,1\}^n }\} \). In the tuple, the bitstring \(x_i\) should relate to the value of the random variable \(X_i\) (for \(y_i, Y_i\) accordingly).
Lemmas. As mentioned we assume that \(M_i \ne M'_i\) for all \(i, 1 \le i \le a\). Observe that the difference might either (a) cause a difference in the tweak or key portion of the F-call of \(X_i\) and \(Y_i\), i.e. a difference in W or K, or (b) cause no difference in the tweak or key portion. In case (b) the difference must lie in the message portion V.
Lemma 5
For any \(i \in \{{1, ..., a}\}\) and any \(x,y \in \{0,1\}^n\) with \(x \ne y\): if \(M_i \ne M'_i\), then
Proof
In case (a), \(X_i\) and \(Y_i\) were produced with different keys or different tweaks, so in the ideal forkcipher model they are independent and each uniformly distributed over \(\{0,1\}^n\). Hence every pair of values has probability \( \frac{1}{2^n} \frac{1}{2^n}\). In case (b), the F-calls were performed with the same key and tweak but with different messages V. Since F with a fixed key and tweak is a permutation on each output branch, the outputs must differ, so there are in total \(2^n (2^n - 1)\) possible values for the pair \((X_i, Y_i)\), each of which has the same probability. \(\square \)
Lemma 6
For all \(a', 1 \le a' \le a\), let \(B_{a'} = X_1 \oplus ... \oplus X_{a'}\) and \(B'_{a'} = Y_1 \oplus ... \oplus Y_{a'}\). If \(M_i \ne M'_i\) for all \(i \in \{{1, ..., a}\}\), then
Proof
We will use induction on the number \(a'\).
Induction base (\(a' = 1\)). We need to show that
Let d be arbitrary but fixed.
We use Lemma 5 to bound \(\Pr [X_1 = x, Y_1 = x \oplus d]\). In either case (a) or (b), \(\Pr [X_1 = x, Y_1 = x \oplus d] \le \frac{1}{2^n} \frac{1}{2^n - 1}\).
Induction step. We assume as the induction hypothesis that
We need to prove that for \(B_{a' + 1} \oplus B'_{a' + 1}\) the statement holds as well. Let \(d \in \{0,1\}^n\) be arbitrary but fixed. Let \(E_{x,y}\) be a shorthand for the event \((X_{a' + 1} = x, Y_{a' + 1} = y)\).
\(\square \)
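The displayed bound of Lemma 6 and the chain of (in)equalities of its proof are not reproduced on this page. The following derivation is an added worked example, not text from the paper as printed here; it carries the induction through in the notation defined above, under the assumption (ours, not stated on the page) that the bound being proved is \(\Pr [B_{a'} \oplus B'_{a'} = d] \le \frac{1}{2^n - 1}\) for every \(d \in \{0,1\}^n\), which is exactly what the base case on the page yields.

Base case (\(a' = 1\)). For fixed d, summing the bound from the proof over the \(2^n\) values of x gives
\[
\Pr [B_1 \oplus B'_1 = d] \;=\; \sum_{x \in \{0,1\}^n} \Pr [X_1 = x,\, Y_1 = x \oplus d] \;\le\; 2^n \cdot \frac{1}{2^n} \cdot \frac{1}{2^n - 1} \;=\; \frac{1}{2^n - 1}.
\]

Induction step. The tweak W of the i-th F-call contains the block index \([i]_{t-v-1}\), so in the ideal forkcipher model the pair \((X_{a'+1}, Y_{a'+1})\) is independent of \((X_1, ..., X_{a'}, Y_1, ..., Y_{a'})\), and hence of \(B_{a'} \oplus B'_{a'}\). Since \(B_{a'+1} \oplus B'_{a'+1} = (B_{a'} \oplus B'_{a'}) \oplus X_{a'+1} \oplus Y_{a'+1}\), conditioning on \(E_{x,y}\) and applying the induction hypothesis to the shifted difference \(d \oplus x \oplus y\) gives
\[
\Pr [B_{a'+1} \oplus B'_{a'+1} = d]
\;=\; \sum_{x, y \in \{0,1\}^n} \Pr [E_{x,y}] \cdot \Pr [B_{a'} \oplus B'_{a'} = d \oplus x \oplus y]
\;\le\; \sum_{x, y \in \{0,1\}^n} \Pr [E_{x,y}] \cdot \frac{1}{2^n - 1}
\;=\; \frac{1}{2^n - 1},
\]
using \(\sum_{x,y} \Pr [E_{x,y}] = 1\). Taking \(a' = a\) and \(d = 0^n\) then yields \(\Pr [B = B'] \le \frac{1}{2^n - 1}\), the collision bound the Simplifications paragraph set out to establish (again under the assumed form of the lemma).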
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Andreeva, E., Weninger, A. (2023). A Forkcipher-Based Pseudo-Random Number Generator. In: Tibouchi, M., Wang, X. (eds) Applied Cryptography and Network Security. ACNS 2023. Lecture Notes in Computer Science, vol 13906. Springer, Cham. https://doi.org/10.1007/978-3-031-33491-7_1
DOI: https://doi.org/10.1007/978-3-031-33491-7_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-33490-0
Online ISBN: 978-3-031-33491-7
eBook Packages: Computer Science, Computer Science (R0)