A Practice-Oriented Treatment of Pseudorandom Number Generators

Desai, Anand; Hevia, Alejandro; Yin, Yiqun Lisa

doi:10.1007/3-540-46035-7_24

Cited by 34 publications

(32 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…These algorithms consume random coins which are typically generated by pseudo-random number generators (PRNGs). Practical PRNGs, such as ANSI X9.17 PRNG and FIPS 186 PRNG, can generate bit-strings which are computationally indistinguishable from truly random strings provided that the seeds of the PRNGs are fresh and truly random [17]. In practice (e.g.…”

Section: Introductionmentioning

confidence: 99%

Authenticated Key Exchange under Bad Randomness

Yang

Duan

Wong

et al. 2012

Financial Cryptography and Data Security

View full text Add to dashboard Cite

Abstract. We initiate the formal study on authenticated key exchange (AKE) under bad randomness. This could happen when (1) an adversary compromises the randomness source and hence directly controls the randomness of each AKE session; and (2) the randomness repeats in different AKE sessions due to reset attacks. We construct two formal security models, Reset-1 and Reset-2, to capture these two bad randomness situations respectively, and investigate the security of some widely used AKE protocols in these models by showing that they become insecure when the adversary is able to manipulate the randomness. On the positive side, we propose simple but generic methods to make AKE protocols secure in Reset-1 and Reset-2 models. The methods work in a modular way: first, we strengthen a widely used AKE protocol to achieve Reset-2 security, then we show how to transform any Reset-2 secure AKE protocol to a new one which also satisfies Reset-1 security.

show abstract

Section: Introductionmentioning

confidence: 99%

Authenticated Key Exchange under Bad Randomness

Yang

Duan

Wong

et al. 2012

Financial Cryptography and Data Security

View full text Add to dashboard Cite

show abstract

“…It is worth noticing that the construction of the above modified OFB mode operation is identical to the one of the ANSI X9.17 PRG mode of operation introduced by Desai et al in [DHY02], so that the pseudorandomness proof (related the associated expansion function) provided in Section 5 is to some extent complementary to the pseudorandomness proof (related to the the associated state transition function) established in [DHY02]. The modified OFB mode of operation is also similar to the keystream generation mode of operation of the KASUMI blockcipher used in the UMTS encryption function f8 [Ka00], up to the fact that in the f8 mode, two additional precautions are taken: the key used in the prewhitening computation differs from the one in the rest of the computations, and in order to prevent collisions between two output blocks from resulting in short cycles in the produced keystream sequence, a mixture of the OFB and counter techniques is applied.…”

Section: Modified Ofb Constructionmentioning

confidence: 96%

“…However, the security model considered in [DHY02] is quite distinct (and somewhat complementary): we consider the pseudorandomness properties of the one to t blocks expansion function resulting from the considered mode of operation, whereas [DHY02] models a PRG mode of operation as the iteration a "smaller" keyed state transition and keystream output function, and consider the pseudorandomness properties of such state transition functions. -in [HN00], Hastad and Näslund propose a pseudorandom numbers generator named BMGL.…”

Section: Introductionmentioning

confidence: 99%

The Security of ”One-Block-to-Many” Modes of Operation

Gilbert

2003

Fast Software Encryption

View full text Add to dashboard Cite

Abstract. In this paper, we investigate the security, in the Luby-Rackoff security paradigm, of blockcipher modes of operation allowing to expand a one-block input into a longer t-block output under the control of a secret key K. Such "one-block-to-many" modes of operation are of frequent use in cryptology. They can be used for stream cipher encryption purposes, and for authentication and key distribution purposes in contexts such as mobile communications. We show that although the expansion functions resulting from modes of operation of blockciphers such as the counter mode or the output feedback mode are not pseudorandom, slight modifications of these two modes provide pseudorandom expansion functions. The main result of this paper is a detailed proof, in the Luby-Rackoff security model, that the expansion function used in the construction of the third generation mobile (UMTS) example authentication and key agreement algorithm MILENAGE is pseudorandom.

show abstract

“…BMY-PRG is the most efficient known construction, whose security relies on a reasonable assumption. Practical standardized PRGs based on block-ciphers and hash functions (a hash function is a function whose range is smaller than the domain, also referred to as a compression function) [FIPS94], though much more efficient, rely on a rather strong and not well-studied assumption (in the theoretical cryptography community) that the underlying function is a PRF [DHY02], and thus are not a focus of this work. In this paper, we investigate a question of finding an efficient hash-function-based PRG, whose security relies on collision-resistance, a very well-studied and widely-used property of a hash function.…”

Section: Introduction 1motivationmentioning

confidence: 99%

A New Pseudorandom Generator from Collision-Resistant Hash Functions

Boldyreva

Kumar

2012

Lecture Notes in Computer Science

View full text Add to dashboard Cite

We present a new hash-function-based pseudorandom generator (PRG). Our PRG is reminiscent of the classical constructions iterating a function on a random seed and extracting Goldreich-Levin hardcore bits at each iteration step. The latest PRG of this type that relies on reasonable assumptions (regularity and one-wayness) is due to Haitner et al. In addition to a regular one-way function, each iteration in their "randomized iterate" scheme uses a new pairwise-independent function, whose descriptions are part of the seed of the PRG. Our construction does not use pairwise-independent functions and is thus more efficient, requiring less computation and a significantly shorter seed. Our scheme's security relies on the standard notions of collision-resistance and regularity of the underlying hash function, where the collisionresistance is required to be exponential. In particular, any polynomial-time adversary should have less than 2 −n/2 probability of finding collisions, where n is the output size of the hash function. We later show how to relax the regularity assumption by introducing a new notion that we call worst-case regularity, which lower bounds the size of primages of different elements from the range (while the common regularity assumption requires all such sets to be of equal size). Unlike previous results, we provide a concrete security statement.

show abstract

A Practice-Oriented Treatment of Pseudorandom Number Generators

Cited by 34 publications

References 20 publications

Authenticated Key Exchange under Bad Randomness

Authenticated Key Exchange under Bad Randomness

The Security of ”One-Block-to-Many” Modes of Operation

A New Pseudorandom Generator from Collision-Resistant Hash Functions

Contact Info

Product

Resources

About