A Forkcipher-Based Pseudo-Random Number Generator

Abstract

Good randomness is needed for most cryptographic applications. In practice pseudo-random number generators (PRNGs) are employed. \(\texttt {CTR\_DRBG}\) is a popular choice and among the recommended PRNGs by NIST. It is defined for use with primitives like AES or TDEA, which are not always suited for lightweight applications.

In this work we propose \(\texttt{FCRNG}\), a new PRNG, similar to \(\texttt {CTR\_DRBG}\), that is optimized for the lightweight setting (e.g. the Internet of Things). Our \(\texttt{FCRNG}\) construction utilizes the expanding and tweakable forkcipher primitive instantiated with \(\textsf{ForkSkinny}\), which was introduced by Andreeva et al. at ASIACRYPT 2019. \(\texttt{FCRNG}\) employs internally a forkcipher-based counter-style mode \(\mathsf {\texttt {FCTR}}\). We propose two \(\mathsf {\texttt {FCTR}}\) variants: \(\texttt {FCTR\hbox {-}c}\) for optimized speed and \(\texttt {FCTR\hbox {-}T}\) for optimized security. We then show that \(\texttt{FCRNG}\) with \(\textsf{ForkSkinny}\) can be 33% faster than \(\texttt {CTR\_DRBG}\) when instantiated with the AES blockcipher. \(\texttt{FCRNG}\) achieves also a better security bound in the robustness security game - first introduced by Dodis et al. at CCS’13 and now the standard security goal for PRNGs. Contrary to the CRYPTO 2020 security bound by Hoang and Shen established for \(\texttt {CTR\_DRBG}\), the security of our construction with \(\texttt {FCTR\hbox {-}T}\) does not degrade with the length of the random inputs, nor the amount of requested output pseudorandom bits. \(\texttt{FCRNG}\) passes all tests of the NIST test suite for pseudorandom number generators.

A Security of \(\textsf{FCTRCond}\)

Algorithm Related Notation. Let \(\textsf{FCTRCond} ^*\) denote the algorithm that runs \(\textsf{FCTRCond}\) (as defined in Fig. 4) but only returns the first block, i.e. \(\textsf{FCTRCond} ^*(I) := \textsf{FCTRCond} (I)[1:n]\). Let \(M = \textsf{pad}^*(I_1)\), \(M' = \textsf{pad}^*(I_2)\). According to the second line of \(\textsf{FCTRCond}\), let \(M_1, ..., M_a\) and \(M'_1, ..., M'_b\) be the result of splitting M and \(M'\), respectively, into blocks of length \(k+n+v\). Let B, \(B'\) be the output of \(\textsf{FCTRCond} ^*(I_1)\) and \(\textsf{FCTRCond} ^*(I_2)\), respectively. For all \(i \in \{{1, ..., a}\}\), let \(X_i := F^{W,b}_{K}(V)[1:n]\) with \(K \leftarrow M_i[1 : k], V \leftarrow M_i[k+1 : k+n], W \leftarrow 1\ ||\ [i]_{t-v-1}\ ||\ M_i[k+n+1 : k+n+v]\) (i.e. X is the i-th XOR-summand of B). We define \(Y_i\) accordingly: For all \(i \in \{{1, ..., b}\}\), let \(Y_i := F^{W,b}_{K}(V)[1:n]\) with \(K \leftarrow M'_i[1 : k], V \leftarrow M'_i[k+1 : k+n], W \leftarrow 1\ ||\ [i]_{t-v-1}\ ||\ M'_i[k+n+1 : k+n+v]\).

Simplifications. For the proofs in this section, we will only consider the case where \(a = b\) (i.e. M and \(M'\) have the same length), as is stated in the following lemmas. The final goal is to give an upper bound on \(\Pr [B = B']\). For any i, if \(M_i = M'_i\) then \(X_i = Y_i\), which means that \(X_i, Y_i\) have no influence on \(\Pr [B = B']\), and could be removed. Since \(I_1 \ne I_2\), there will be at least one index u at which \(M_u \ne M'_u\). Hence, without loss of generality, we will always assume that \(M_i \ne M'_i\) for all \(i, 1 \le i \le a\).

Probability Theory. For a proper probability theoretic treatment, we define the event space \(\varOmega = \{{(x_1, ..., x_a, y_1, ..., y_a) | \forall i: x_i, y_i \in \{0,1\}^n }\} \). In the tuple, the bitstring \(x_i\) should relate to the value of the random variable \(X_i\) (for \(y_i, Y_i\) accordingly).

Lemmas. As mentioned we assume that \(M_i \ne M'_i\) for all \(i, 1 \le i \le a\). Observe that the difference might either (a) cause a difference in the tweak or key portion of the F-call of \(X_i\) and \(Y_i\), i.e. a difference in W or K, or (b) cause no difference in the tweak or key portion. In case (b) the difference must lie in the message portion V.

Lemma 5

For any \(i \in \{{1, ..., a}\}\) and any \(x,y \in \{0,1\}^n, x \ne y\), If \(M_i \ne M'_i\) then

$$\begin{aligned} \Pr [X_i = Y_i = x] = {\left\{ \begin{array}{ll} \frac{1}{2^n} \frac{1}{2^n} &{} \text {if case (a) applies} \\ 0 &{} \text {else (i.e. case (b) applies)} \end{array}\right. } \end{aligned}$$

(6)

$$\begin{aligned} \Pr [X_i = x, Y_i = y] = {\left\{ \begin{array}{ll} \frac{1}{2^n} \frac{1}{2^n} &{} \text {if case (a) applies} \\ \frac{1}{2^n} \frac{1}{2^n - 1} &{} \text {else (i.e. case (b) applies)} \end{array}\right. } \end{aligned}$$

(7)

Proof

In case (a), \(X_i\) and \(Y_i\) were produced using different keys or tweaks, which means they are independent in the ideal forkcipher model. Hence the probability of any pair of values is \( \frac{1}{2^n} \frac{1}{2^n}\). On the other hand in case (b), the F-calls were performed with the same tweak and key, but with different messages. Hence the outputs must be different, and there are in total \(2^n (2^n - 1)\) possible values for the pair \((X_i, Y_i)\), each of which have the same probability.   \(\square \)

Lemma 6

For all \(a', 1 \le a' \le a\), let \(B_{a'} = X_1 \oplus ... \oplus X_{a'}\), \(B'_{a'} = Y_1 \oplus ... \oplus Y_{a'}\). If \(M_i \ne M'_i\), for all \(i \in \{{1, ..., a}\}\), then

$$ \forall a', 1 \le a' \le a, \forall d \in \{0,1\}^n: \Pr [B_{a'} \oplus B'_{a'} = d] \le \frac{1}{2^n - 1} $$

Proof

We will use induction on the number \(a'\).

Induction base (\(a' = 1\)). We need to show that

$$ \forall d \in \{0,1\}^n: \Pr [X_1 \oplus Y_1 = d] \le \frac{1}{2^n - 1} $$

Let d be arbitrary but fixed.

$$ \Pr [X_1 \oplus Y_1 = d] = \sum _{x \in \{0,1\}^n} \Pr [X_1 = x, Y_1 = x \oplus d] $$

We can use Lemma 5 to bound the probability of \(\Pr [X_1 = x, Y_1 = x \oplus d]\). In any case, \(\Pr [X_1 = x, Y_1 = x \oplus d] \le \frac{1}{2^n} \frac{1}{2^n - 1}\).

$$ \Pr [X_1 \oplus Y_1 = d] \le \sum _{x \in \{0,1\}^n} \frac{1}{2^n} \frac{1}{2^n - 1} = \frac{1}{2^n - 1} $$

Induction step. We assume as the induction hypothesis that

$$ \forall d \in \{0,1\}^n: \Pr [B_{a'} \oplus B'_{a'} = d] \le \frac{1}{2^n - 1} $$

We need to prove that for \(B_{a' + 1} \oplus B'_{a' + 1}\) the statement holds as well. Let \(d \in \{0,1\}^n\) be arbitrary but fixed. Let \(E_{x,y}\) be a shorthand for the event \((X_{a' + 1} = x, Y_{a' + 1} = y)\).

$$\begin{aligned}&\Pr [B_{a' + 1} \oplus B'_{a' + 1} = d]&\\ =&\sum _{x,y \in \{0,1\}^n} \Pr [B_{a' + 1} \oplus B'_{a' + 1} = d\ |\ E_{x,y}] \cdot \Pr [E_{x,y}]&\\ =&\sum _{x,y \in \{0,1\}^n} \Pr [B_{a'} \oplus B'_{a'} = d \oplus x \oplus y] \cdot \Pr [E_{x,y}]&\\ =&\sum _{x,y \in \{0,1\}^n} \frac{1}{2^n - 1} \cdot \Pr [E_{x,y}]&\\ =&\frac{1}{2^n - 1} \sum _{x,y \in \{0,1\}^n} \Pr [E_{x,y}]&\\ =&\frac{1}{2^n - 1}&\\ \end{aligned}$$

   \(\square \)