
Cryptographically Strong Pseudorandom Functions and Their Applications
陳昱升, Master's thesis, Department of Computer Science, National Chung Hsing University (中興大學), June 2006


Page 1

Title slide: thesis title, author, department, university and date as given above.

Page 2

Outline

• Introduction
  – Randomness and Pseudorandomness
  – Pseudorandom Bit Generator (PRBG)
  – Pseudorandom Function (PRF)

• The GGM construction of PRFs from PRBGs

• Performance Improvement for the GGM Construction of PRFs

• Applications
  – Previous work
  – An RFID protocol for identifying merchandise

Page 3

Introduction

Page 4

Introduction

Randomness

• Randomness
  – a concept based on equality of probability: every outcome is equally likely.

• Applications of randomness
  – scientific experiments
  – the one-time pad

• Generating randomness is not easy
  – hardware sources
  – programs
  – there is no way to prove that their output is random.

Page 5

Introduction

Pseudorandomness

• Pseudorandomness (our goal)
  – cannot be efficiently distinguished from true randomness by any adversary.

• Pseudorandom Bit Generator (PRBG)
  – keeping the input (a random seed) to a PRBG secret, the PRBG's output is pseudorandom.

• Pseudorandom Function (PRF)
  – keeping the (random) key of a PRF secret, the PRF's input-output behaviour is pseudorandom.

Page 6

Illustrations

• Pseudorandom Bit Generator (PRBG): from a secret seed x, the generator produces a long bit string (e.g. 01001100111110100100010…) that is computationally indistinguishable from a truly random string.

• Random function: on query x, a random function returns a random value f(x).

• Pseudorandom function (PRF): on query x it returns f(x); its input-output behaviour is computationally indistinguishable from that of a random function.

Page 7

The GGM construction of PRFs

• The GGM (Goldreich, Goldwasser, Micali) construction of PRFs
  – a generic method using PRBGs as building blocks.

• Let $G: \{0,1\}^k \to \{0,1\}^{2k}$ be a PRBG.
  – $G(x) = b_1 b_2 \cdots b_k\, b_{k+1} \cdots b_{2k}$
  – $G_0(x) = b_1 b_2 \cdots b_k$
  – $G_1(x) = b_{k+1} b_{k+2} \cdots b_{2k}$

Page 8

The GGM construction (conti.)

• Construct a PRF $f_x$ in the following way
  – $x \in \{0,1\}^k$ is a randomly chosen key.
  – if $\alpha = \alpha_1 \alpha_2 \cdots \alpha_k \in \{0,1\}^k$ is a query to $f_x$, then

$$f_x(\alpha) = G_{\alpha_k}\big(\cdots G_{\alpha_2}\big(G_{\alpha_1}(x)\big)\cdots\big).$$

Page 9

Figure: the binary tree of the GGM construction; the query $\alpha = \alpha_1 \cdots \alpha_k$ selects the path $G_{\alpha_1}, G_{\alpha_2}, \ldots, G_{\alpha_k}$ from the key x at the root down to the leaf $f_x(\alpha)$.

Page 10

Other PRFs

• PRFs from pseudorandom synthesizers.

• PRFs based on the DDH assumption and the factoring assumption.

• PRFs based on the factoring assumption.

Page 11

Performance Improvement for the GGM Construction of PRFs

Page 12

Performance Analysis of the GGM construction

• At the (i−1)-th iteration, we compute $G_0(x)$ if $\alpha_i = 0$ and $G_1(x)$ if $\alpha_i = 1$.

• Denote by $T_0$ and $T_1$ the cost of generating $G_0(x)$ and $G_1(x)$, respectively.

• Assume that G generates pseudorandom bits sequentially, so that the second k-bit half cannot be obtained without generating the first. Then $T_1$ is about twice $T_0$.

• Then the expected cost of evaluating the PRF is

$$E[T_f] = \sum_{i=1}^{k} E[T_i] = \sum_{i=1}^{k}\Big(\tfrac12 T_0 + \tfrac12 T_1\Big) = \sum_{i=1}^{k}\Big(\tfrac12 T_0 + \tfrac12 \cdot 2T_0\Big) = \tfrac32\, k\, T_0 .$$

Page 13

The Variant of the GGM Construction

• Consider processing c bits per iteration, for some constant integer c. This gives a $2^c$-ary tree construction.

• PRBG $G: \{0,1\}^k \to \{0,1\}^{2^c k}$ with $G(x) = b_1 b_2 \cdots b_{2^c k}$; for $j \in \{0,1\}^c$, $G_j(x)$ denotes the j-th k-bit block of $G(x)$ (so for c = 1 these are the $G_0, G_1$ above).

• $x \in \{0,1\}^k$ is a randomly chosen key.

• Define the function $f^c_x : \{0,1\}^k \to \{0,1\}^k$ as

$$f^c_x(\alpha) = G_{\alpha_{k-c+1}\cdots\alpha_k}\Big(\cdots G_{\alpha_{c+1}\cdots\alpha_{2c}}\Big(G_{\alpha_1\cdots\alpha_c}(x)\Big)\cdots\Big), \qquad \alpha = \alpha_1 \alpha_2 \cdots \alpha_k .$$


Page 15

$f^c_x$ is a PRF

• Prove by contradiction.

• Suppose that there exists a PPT distinguisher $A_F$ that can distinguish $f^c_x$ from a random function with probability 1/Q(k), where Q(k) is a polynomial.

• Then use $A_F$ to construct another PPT $A_G$ that distinguishes the output of the underlying PRBG G from random with probability at least $c/(k\,Q(k))$: a hybrid argument over the k/c levels of the tree spreads the total gap 1/Q(k) over k/c adjacent hybrids, so some pair differs by at least $c/(k\,Q(k))$. This is non-negligible, whereas G's distinguishing probability should be negligible. Contradiction.

• Therefore any choice of c = O(log k) still makes the functions pseudorandom (we must ensure that the length $2^c k$ of G's output remains polynomial in k).

Page 16

Figure 4 Illustration of using AF to construct AG

Page 17

Performance Analysis of the Variant

• For c = 2, we have

$$E[T_{f^2}] = \sum_{i=1}^{k/2} E[T_i] = \frac{k}{2}\Big(\tfrac14 T_0 + \tfrac14 \cdot 2T_0 + \tfrac14 \cdot 3T_0 + \tfrac14 \cdot 4T_0\Big) = \tfrac54\, k\, T_0 < \tfrac32\, k\, T_0 = E[T_f].$$

• In general, we have

$$E[T_{f^c}] = \sum_{i=1}^{k/c} E[T_i] = \frac{k}{c} \cdot \frac{1}{2^c}\Big(T_0 + 2T_0 + \cdots + 2^c T_0\Big) = \frac{2^c + 1}{2c}\, k\, T_0 .$$

• It can be verified that $E[T_{f^c}] > E[T_{f^2}]$ if c > 2 (for c = 3 the factor is already 9/6 = 3/2, and it grows with c).

• That is, the performance of the 4-ary-tree construction is optimal among all similar tree constructions.
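The following Python is an added example, not code from the thesis: it implements the GGM construction of page 8, the 2^c-ary variant $f^c_x$ of page 13, and the expected-cost formula above, for general c rather than only c = 1 and c = 2. Assumptions: k = 128; the PRBG G is simulated with SHA-256 in counter mode; and every k-bit block is charged as if G produced its output sequentially, so reaching block j costs j+1 block computations (the $T_1 \approx 2T_0$ model of page 12). The names `ggm_variant`, `expected_cost` and `average_cost` are this example's own.

```python
import hashlib
import random

K_BYTES = 16  # k = 128 bits: seed, key and block size assumed for this example


def prbg_blocks(seed: bytes, n_blocks: int):
    """Stand-in for the PRBG G: {0,1}^k -> {0,1}^(2^c k), yielding k-bit blocks in order.
    SHA-256 in counter mode is an assumption, not a proof-grade PRBG. Callers that
    need block j must consume blocks 0..j, which is how the sequential cost model
    of the slides (T_1 ~ 2 T_0) is charged here."""
    for j in range(n_blocks):
        yield hashlib.sha256(seed + j.to_bytes(4, "big")).digest()[:K_BYTES]


def g_block(seed: bytes, j: int):
    """G_j(seed): the j-th k-bit block of G(seed). Returns (block, cost) with cost = j + 1."""
    block, cost = None, 0
    for block in prbg_blocks(seed, j + 1):
        cost += 1
    return block, cost


def query_bits(alpha: bytes):
    """The query alpha as a list of bits alpha_1 .. alpha_k, most significant bit first."""
    return [(byte >> (7 - i)) & 1 for byte in alpha for i in range(8)]


def ggm_variant(key: bytes, alpha: bytes, c: int = 1):
    """f^c_x(alpha): consume c query bits per level of a 2^c-ary tree.
    c = 1 is the original GGM PRF G_{alpha_k}(... G_{alpha_1}(x) ...).
    Returns (value, cost), where cost counts k-bit blocks generated."""
    bits = query_bits(alpha)
    if len(bits) % c:
        raise ValueError("query length must be a multiple of c")
    cur, total = key, 0
    for i in range(0, len(bits), c):
        # the c-bit chunk alpha_{i+1} .. alpha_{i+c}, read as an integer, selects the block
        j = int("".join(map(str, bits[i:i + c])), 2)
        cur, cost = g_block(cur, j)
        total += cost
    return cur, total


def expected_cost(c: int, k: int = 8 * K_BYTES, t0: float = 1.0) -> float:
    """E[T_{f^c}] = (2^c + 1) / (2c) * k * T_0, the slides' expected sequential cost."""
    return (2 ** c + 1) / (2 * c) * k * t0


def average_cost(c: int, trials: int = 200, seed: int = 1) -> float:
    """Empirical mean cost over random queries under the same cost model (constructed inputs)."""
    rng = random.Random(seed)
    key = bytes(rng.getrandbits(8) for _ in range(K_BYTES))
    total = 0
    for _ in range(trials):
        alpha = bytes(rng.getrandbits(8) for _ in range(K_BYTES))
        total += ggm_variant(key, alpha, c)[1]
    return total / trials


if __name__ == "__main__":
    for c in (1, 2, 4):  # c must divide k = 128 in this example
        print(f"c={c}: expected {expected_cost(c):.1f} blocks, measured {average_cost(c):.1f}")
```

Running the script shows the 4-ary tree (c = 2) beating the binary tree by the predicted 5/4 versus 3/2 factor, and c = 4 already costing more than both; the cost accounting is what changes between the slides' two models, not the tree walk itself.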

Page 18

Analysis of the Variant (Conti.)

• The previous analysis assumes that the underlying PRBG G generates pseudorandom bits sequentially.

• If instead G allows random access to any k-bit block of its output at the same cost $T_0$, then $T_{f^c} = (k/c)\, T_0$.

• At most, by choosing c = log k, we can shorten the depth of the tree to k/log k. Then $T_{f^{\log k}} = (k/\log k)\, T_0$.

Page 19

Summary

• We have given analysis and improvements for the GGM construction:
  – the 4-ary-tree (c = 2) construction has the best performance on average if G generates bits sequentially:
    $E[T_{f^2}] = \tfrac54\, k\, T_0 < \tfrac32\, k\, T_0 = E[T_f]$
  – the k-ary-tree (c = log k) construction if G allows random access with the same cost:
    $T_{f^{\log k}} = (k/\log k)\, T_0 < k\, T_0 = T_f$

Page 20

Applications of PRFs

Page 21

Previous Work

• Checking the correctness of memory
  – check the correctness of a large unreliable memory, given only a small reliable memory.
• Pseudorandom permutations
  – basic primitives in block ciphers.
• Storageless distribution of users' secrets
  – assign $(U, f_x(U))$ to user U.
• Message authentication
  – message m is sent with a short tag $f_s(m)$.
• Identification
  – a group shares a common secret s; members identify each other through a challenge r and the response $f_s(r)$.

Page 22

A RFID protocol for identifying merchandise

• Our goal: an ideal RFID protocol that
  – protects against tag cloning attacks
  – resists malicious tracing
  – is efficient:
    • the server can quickly identify tags
    • the communication cost is low.

Figure: tags communicate with a reader, which is connected to the back-end server and its database.

Page 23

The difficulty of designing an ideal RFID protocol

• To resist cloning attacks or malicious tracing
  – a tag's reply should not be constant.

• But a floating identifier causes a performance problem at the server
  – the server may need to maintain a sorted lookup table.

• To resist DoS attacks
  – to prevent desynchronization attacks, the tag may need to authenticate the reader.

Page 24

A general challenge-response RFID protocol

in order to mutually authenticate…

Page 25

Our proposal

• Main idea
  – A mutual authentication protocol is usually needed to fulfil the security requirements. Such a protocol needs at least four transmissions per identification.
  – To break through this bottleneck, we divide the life of a product into three phases:
    • (Ⅰ) Warehouse phase
    • (Ⅱ) Transfer phase
    • (Ⅲ) Housekeeping phase

Page 26

The three phases

• Warehouse phase
  – A product is in this phase before it is sold.
    • Needs protection against tag counterfeiting.
    • Does not need protection against malicious tracing.

• Transfer phase
  – The seller sells the product to the customer.

• Housekeeping phase
  – The customer owns and keeps the product.
    • Needs protection against malicious tracing.
    • Does not need protection against tag counterfeiting.
    • Server performance matters less, because the customer has fewer tags to identify.

Page 27

The proposed protocol: initial setting

• Each tag has a PRF $f : K \times D \to D$ and needs a small amount of memory:

• Choices of PRFs: SHA, MD5, DES, AES. (A hash function such as SHA or MD5 must be keyed, e.g. as HMAC, to serve as a PRF; MD5 and DES are no longer considered adequate choices.)

Value   | ID_i                                 | K_i                                        | S_i                   | M_i
Type    | Read-only                            | Read-only                                  | Rewritable            | Write-once read-many
Purpose | the unique identification of the tag | the key of the PRF f                       | depends on the phase  | separates the phases
Size    | about log N bits for N tags          | 128 bits (adjust to the security strength) | the same as K_i       | 1 bit

Page 28

The proposed protocol (Ⅰ): Warehouse phase

• The server can quickly identify the tag (by its $ID_i$).

• $f_{K_i}(x)$, the tag's response to the reader's challenge x, is used against tag cloning.

Page 29

The proposed protocol (Ⅱ): Transfer phase

• The reader first obtains the value $S_i$ of the tag from the back-end server and sends it to the tag.

• The tag compares the received value with its own $S_i$. If they are the same, it sets $M_i$ to 0 and updates $S_i$ to $f_{K_i}(S_i)$.

• The seller tells the buyer $K_i$ as a secret.

Page 30

The proposed protocol (Ⅲ): Housekeeping phase

• The tag replies $(S_i, y = f_{K_i}(S_i))$ and updates $S_i$ to $y$.

• To identify the tag, the server finds a key $K_i$ in its database which satisfies $y = f_{K_i}(S_i)$.
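An added example, not the thesis's code, walking one tag through the three phases of pages 27 to 30 with both sides' messages. Assumptions: the PRF f is HMAC-SHA256 truncated to 128 bits (the slides leave the choice open); $M_i = 1$ encodes the warehouse phase and $M_i = 0$ the housekeeping phase; the reader is folded into the `Server` calls; and the class and function names are this example's own.

```python
import hashlib
import hmac
import os

D_BYTES = 16  # |D| = 2^128: the 128-bit key and state width from the slides' table


def f(key: bytes, x: bytes) -> bytes:
    """The tag's PRF f: K x D -> D. HMAC-SHA256 truncated to 128 bits is this
    example's choice, not the thesis's (the slides list SHA, MD5, DES, AES)."""
    return hmac.new(key, x, hashlib.sha256).digest()[:D_BYTES]


class Tag:
    """Tag memory: ID_i (read-only), K_i (read-only), S_i (rewritable), M_i (write-once).
    M_i = 1 means warehouse phase, M_i = 0 housekeeping phase (encoding assumed)."""

    def __init__(self, tag_id: int, key: bytes, s: bytes):
        self.id, self.key, self.s, self.m = tag_id, key, s, 1

    def respond(self, challenge: bytes):
        if self.m == 1:                                   # Warehouse phase (I)
            return ("warehouse", self.id, f(self.key, challenge))
        y = f(self.key, self.s)                           # Housekeeping phase (III)
        reply = ("housekeeping", self.s, y)               # floating identifier S_i plus y
        self.s = y                                        # S_i <- f_{K_i}(S_i)
        return reply

    def transfer(self, s_from_reader: bytes) -> bool:
        """Transfer phase (II): accept only if the reader presents the current S_i."""
        if self.m == 1 and hmac.compare_digest(s_from_reader, self.s):
            self.m = 0
            self.s = f(self.key, self.s)
            return True
        return False


class Server:
    """Back-end database: ID_i -> [K_i, S_i]."""

    def __init__(self):
        self.db = {}

    def enroll(self, tag_id: int) -> Tag:
        key, s = os.urandom(D_BYTES), os.urandom(D_BYTES)
        self.db[tag_id] = [key, s]
        return Tag(tag_id, key, s)

    def identify(self, challenge, reply):
        phase, a, y = reply
        if phase == "warehouse":                          # direct lookup by ID_i, then check f_{K_i}(x)
            rec = self.db.get(a)
            return a if rec and hmac.compare_digest(y, f(rec[0], challenge)) else None
        for tag_id, rec in self.db.items():               # search for K_i with y == f_{K_i}(S_i)
            if hmac.compare_digest(y, f(rec[0], a)):
                rec[1] = y                                # keep the server's copy of S_i current
                return tag_id
        return None


def run_lifecycle() -> dict:
    """Walk one tag through the three phases with constructed challenges; returns the checks."""
    seller = Server()
    tag = seller.enroll(42)
    x = bytes(range(D_BYTES))                             # constructed reader challenge
    out = {"warehouse_ok": seller.identify(x, tag.respond(x)) == 42}
    clone = Tag(42, bytes(D_BYTES), tag.s)                # a counterfeit knowing ID_i but not K_i
    out["clone_rejected"] = seller.identify(x, clone.respond(x)) is None
    out["bad_transfer_rejected"] = not tag.transfer(bytes(D_BYTES))
    out["transfer_ok"] = tag.transfer(seller.db[42][1])  # reader relays S_i from the server
    buyer = Server()
    buyer.db[42] = [seller.db[42][0], None]               # the seller tells the buyer K_i
    r1, r2 = tag.respond(b""), tag.respond(b"")           # no challenge needed in phase III
    out["identifier_floats"] = r1[1] != r2[1]
    out["housekeeping_ok"] = buyer.identify(None, r1) == 42 and buyer.identify(None, r2) == 42
    return out


if __name__ == "__main__":
    print(run_lifecycle())
```

Note that the buyer's server never has to stay in step with the tag: every housekeeping reply carries the $S_i$ it was computed from, so a lost reply cannot desynchronize the two sides, which is the DoS property claimed on page 32.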

Page 31

Security Analysis

• Tag counterfeiting
  – In the Warehouse phase, an adversary may collect a set $U = \{(x, y = f_{K_i}(x))\}$ of challenge-response pairs with $|U| = t$.
  – For a new challenge x', the probability that the adversary A forges the correct y' is

$$\Pr[A(x') = y'] = \Pr[A(x') = y' \mid x' \in U]\,\Pr[x' \in U] + \Pr[A(x') = y' \mid x' \notin U]\,\Pr[x' \notin U] = 1 \cdot \frac{t}{|D|} + \frac{1}{|D|}\Big(1 - \frac{t}{|D|}\Big) = \frac{(t+1)|D| - t}{|D|^2} \approx \frac{t+1}{|D|},$$

  which for $|D| = 2^{128}$ and the small t an adversary can collect is on the order of $1/2^{128}$ (off U, $f_{K_i}$ behaves like a random function, so A can only guess).

• Eavesdropping
  – A tag's $ID_i$ can be eavesdropped, but $ID_i$ does not reveal any information about the product.

Page 32

Security Analysis (conti.)

• Malicious tracing
  – In the Housekeeping phase, a tag replies $(S_i, y = f_{K_i}(S_i))$ and updates $S_i$.
  – $S_i$ can be used to trace the tag only if $S_i$ repeats.
  – For a random function f, the sequence $f(x), f(f(x)), f(f(f(x))), \ldots$ is expected to first repeat at about the $|D|^{1/2}$-th term (the rho length).
  – In our protocol, $S_i$ is therefore expected to repeat only after about $|D|^{1/2}$ rounds, i.e. roughly $2^{63}$ to $2^{64}$ rounds for $|D| = 2^{128}$ (the expected tail before the cycle is $\sqrt{\pi |D|/8} \approx 2^{63.3}$).

• DoS attack
  – No desynchronization attack: the tag sends its current $S_i$ with every reply, so the server never has to keep $S_i$ in step with the tag.
  – $S_i$ will not be quickly exhausted.
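The rho-length claim above is easy to check experimentally on a domain small enough to exhaust. The following is an added example, not the thesis's code: it iterates $S_i \leftarrow f_{K_i}(S_i)$ on a deliberately tiny domain ($|D| = 2^{16}$ instead of $2^{128}$), counts the rounds until the first repeat, and compares the average over many keys with the random-mapping prediction $\sqrt{\pi |D| / 2} \approx 1.25\,|D|^{1/2}$ (tail plus cycle). The PRF is HMAC-SHA256 truncated to 16 bits and the per-trial keys are derived from a fixed label; both are this example's assumptions.

```python
import hashlib
import hmac
import math

D_BITS = 16  # a tiny |D| = 2^16 so the rho length is measurable; the protocol uses 128 bits


def f_small(key: bytes, s: bytes) -> bytes:
    """The tag's PRF truncated to D_BITS (HMAC-SHA256 stand-in, an assumption of this example)."""
    return hmac.new(key, s, hashlib.sha256).digest()[:D_BITS // 8]


def rho_length(key: bytes, s0: bytes) -> int:
    """Rounds of S <- f_K(S), starting from s0, until a value appears for the second time.
    This is tail + cycle of the rho traced by the floating identifier."""
    seen = set()
    s, rounds = s0, 0
    while s not in seen:
        seen.add(s)
        s = f_small(key, s)
        rounds += 1
    return rounds


def average_rho_length(trials: int = 100, label: bytes = b"rfid-rho-demo") -> float:
    """Mean rho length over `trials` keys derived deterministically from `label` (constructed)."""
    total = 0
    for i in range(trials):
        key = hashlib.sha256(label + i.to_bytes(4, "big")).digest()
        s0 = hashlib.sha256(b"s0" + key).digest()[:D_BITS // 8]
        total += rho_length(key, s0)
    return total / trials


def predicted_rho_length(d_bits: int = D_BITS) -> float:
    """sqrt(pi |D| / 2): expected rounds before a random mapping on |D| points repeats."""
    return math.sqrt(math.pi * 2 ** d_bits / 2)


if __name__ == "__main__":
    print(f"measured {average_rho_length():.1f} rounds, predicted {predicted_rho_length():.1f}")
```

With $|D| = 2^{16}$ the measured average lands near the predicted 321 rounds, i.e. about $1.25 \cdot 2^{8}$; the same scaling at $|D| = 2^{128}$ gives the $2^{63}$ to $2^{64}$ rounds quoted above, far beyond what a tracer could observe.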

Page 33

Efficiency analysis

• In the Warehouse phase
  – the server can quickly identify the tag by $ID_i$.

• In the Housekeeping phase
  – a tag replies with a floating identifier, so the server needs to do a search. But we assume the customer has no more than a few thousand tags.

• Each phase can be done in only one round
  – better than a mutual authentication protocol.

Page 34

Conclusion

• We give analysis and improvements for the GGM construction of PRFs from PRBGs:
  – the 4-ary-tree (c = 2) construction if G generates bits sequentially.
  – the k-ary-tree (c = log k) construction if G allows random access with the same cost.

• We propose an RFID protocol for identifying merchandise that
  – resists tag cloning attacks
  – resists malicious tracing
  – is efficient.

Page 35

Thanks!