Cryptographically Strong Pseudorandom Functions and Their Applications
陳昱升, Master's Thesis, Department of Computer Science, National Chung Hsing University (中興大學 資訊科學系)
June 2006
Outline
• Introduction
– Randomness and Pseudorandomness
– Pseudorandom Bit Generator (PRBG)
– Pseudorandom Function (PRF)
• The GGM construction of PRFs from PRBGs
• Performance Improvement for the GGM Construction of PRFs
• Applications
– Previous work
– A RFID protocol for identifying merchandise
Introduction
Introduction
Randomness
• Randomness
– a concept based on the equal probability of outcomes.
• Applications of randomness
– scientific experiments
– the one-time pad system
• Generating randomness is not easy
– hardware sources
– programs
– there is no way to prove the randomness of their output
Introduction
Pseudorandomness
• Pseudorandomness: our goal
– cannot be efficiently distinguished from true randomness by any adversary.
• Pseudorandom Bit Generator (PRBG)
– Keeping the input (random seed) to a PRBG secret, the PRBG's output is pseudorandom.
• Pseudorandom Function (PRF)
– Keeping the (random) key of a PRF secret, the PRF's input-output behavior is pseudorandom.
Illustrations
• Pseudorandom Bit Generator (PRBG): from a secret seed x it produces a long bit string 01001100111110100100010… that is computationally indistinguishable from a truly random string.
• Random function: on query x, a random function returns a random value f(x).
• Pseudorandom function (PRF): on query x it returns f(x); its input-output behavior is computationally indistinguishable from that of a random function.
The GGM construction of PRFs
• The GGM (Goldreich, Goldwasser, Micali) construction of PRFs
– a generic method using PRBGs as building blocks.
• Let $G: \{0,1\}^k \to \{0,1\}^{2k}$ be a PRBG.
– $G(x) = b_1 b_2 \ldots b_k b_{k+1} \ldots b_{2k}$
– $G_0(x) = b_1 b_2 \ldots b_k$
– $G_1(x) = b_{k+1} b_{k+2} \ldots b_{2k}$
The GGM construction (conti.)
• Construct a PRF $f_x$ in the following way
– $x \in \{0,1\}^k$ is a randomly chosen key.
– if $\alpha = \alpha_1 \alpha_2 \ldots \alpha_k \in \{0,1\}^k$ is a query to $f_x$, then
$$f_x(\alpha) = G_{\alpha_k}\Big(\cdots G_{\alpha_2}\big(G_{\alpha_1}(x)\big)\cdots\Big).$$
• Evaluating $f_x$ thus walks a binary tree of depth k from the root x, taking the left child ($G_0$) or the right child ($G_1$) according to each bit of $\alpha$; the k-bit leaf reached is the output.
Other PRFs
• PRFs from pseudorandom synthesizers.
• PRFs based on the DDH assumption.
• PRFs based on the factoring assumption.
Performance Improvement for the GGM Construction of PRFs
Performance Analysis of the GGM construction
• At the step that processes bit $\alpha_i$, we compute $G_0(x)$ if $\alpha_i = 0$ and $G_1(x)$ if $\alpha_i = 1$.
• Denote by $T_0$ and $T_1$ the cost of generating $G_0(x)$ and $G_1(x)$, respectively.
• Assume that G generates its pseudorandom bits sequentially. Then $T_1$ is about twice $T_0$, because the second half of G(x) cannot be produced without first producing the first half.
• Then, with $T_i$ the cost of the i-th step, the expected cost of evaluating the PRF on a uniformly random query is
$$E[T_f] = \sum_{i=1}^{k} E[T_i] = \sum_{i=1}^{k}\left(\tfrac{1}{2}T_0 + \tfrac{1}{2}T_1\right) = k\left(\tfrac{1}{2}T_0 + \tfrac{1}{2}\cdot 2T_0\right) = \tfrac{3}{2}\,k\,T_0 .$$
The Variant of the GGM Construction
• Consider processing c bits per iteration. We obtain a $2^c$-ary-tree construction for some constant integer c (with c dividing k, so that there are k/c iterations).
• PRBG $G: \{0,1\}^k \to \{0,1\}^{2^c k}$, $G(x) = b_1 b_2 \ldots b_{2^c k}$; for a c-bit string $\beta$, let $G_\beta(x)$ denote the $\beta$-th k-bit block of $G(x)$, reading $\beta$ as an integer in $[0, 2^c)$.
• x is a randomly chosen key.
• Define the function $f^c_x: I^k \to I^k$ (where $I = \{0,1\}$) as
$$f^c_x(\alpha_1 \alpha_2 \ldots \alpha_k) = G_{\alpha_{k-c+1}\ldots\alpha_k}\Big(\cdots G_{\alpha_{c+1}\ldots\alpha_{2c}}\big(G_{\alpha_1\ldots\alpha_c}(x)\big)\cdots\Big).$$
$f^c_x$ is a PRF
• Prove by contradiction.
• Suppose that there exists a PPT $A_F$ that can distinguish $f^c_x$ from a random function with probability 1/Q(k), where Q(k) is a polynomial.
• Then use $A_F$ to construct another PPT $A_G$ that can distinguish the output of the underlying PRBG G from a truly random string with probability at least $\frac{c}{k\,Q(k)}$ (a hybrid argument over the k/c levels of the tree), which is non-negligible, whereas it should be negligible. Contradiction.
• Therefore, any choice of c = O(log k) still makes the functions pseudorandom (because we must ensure that the length $2^c k$ of G's output is polynomial in k).
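The hybrid argument behind the bound $\frac{c}{k\,Q(k)}$, written out here as an added derivation in the slide's own symbols ($A_F$, $A_G$, Q(k), the k/c levels of the tree); the hybrid oracles $H_j$ and the probabilities $p_j$ are this note's notation, not the slide's.

For $0 \le j \le k/c$ let $H_j$ be the oracle that answers a query $\alpha$ by labelling every tree node at depth at most j with an independent truly random k-bit string and computing all deeper nodes with G, so that $H_0 = f^c_x$ (only the root x is random) and $H_{k/c}$ is a random function (every leaf is random). Writing $p_j = \Pr[A_F^{H_j} = 1]$,
$$\frac{1}{Q(k)} \le \left|p_0 - p_{k/c}\right| \le \sum_{j=1}^{k/c} \left|p_{j-1} - p_j\right|,$$
so for some level $j^\ast$,
$$\left|p_{j^\ast-1} - p_{j^\ast}\right| \ge \frac{1}{Q(k)} \cdot \frac{c}{k} = \frac{c}{k\,Q(k)} .$$
$A_G$ chooses j uniformly from $1, \ldots, k/c$, labels the depth-$(j-1)$ nodes that $A_F$ touches with random strings, and uses its challenge $z \in \{0,1\}^{2^c k}$ (either $G(s)$ for a random seed s, or a uniform string) as the $2^c$ child blocks of such a node: if $z = G(s)$ the simulated oracle is $H_{j-1}$, if z is uniform it is $H_j$. Outputting $A_F$'s answer gives $A_G$ an advantage of $\frac{c}{k}\sum_j |p_{j-1} - p_j| \ge \frac{c}{k\,Q(k)}$ on average over j. (When $A_F$ touches several depth-$(j-1)$ nodes, $A_G$ needs one challenge string per node; a further standard hybrid over those strings reduces this to the single-string case at the cost of a polynomial factor in the number of queries.)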
Figure 4: Illustration of using $A_F$ to construct $A_G$.
Performance Analysis of the Variant
• For c = 2, we have
$$E[T_{f^2}] = \sum_{i=1}^{k/2} E[T_i] = \sum_{i=1}^{k/2}\left(\tfrac{1}{4}T_0 + \tfrac{1}{4}\cdot 2T_0 + \tfrac{1}{4}\cdot 3T_0 + \tfrac{1}{4}\cdot 4T_0\right) = \tfrac{5}{4}\,k\,T_0 < \tfrac{3}{2}\,k\,T_0 = E[T_f].$$
• In general, we have
$$E[T_{f^c}] = \sum_{i=1}^{k/c} E[T_i] = \sum_{i=1}^{k/c} \frac{1}{2^c}\left(T_0 + 2T_0 + \cdots + 2^c T_0\right) = \frac{k}{c}\cdot\frac{2^c + 1}{2}\,T_0 = \frac{2^c + 1}{2c}\,k\,T_0 .$$
• It can be verified that $E[T_{f^c}] > E[T_{f^2}]$ if c > 2.
• That is, the performance of the 4-ary-tree construction is optimal among all similar tree constructions.
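The generalized construction $f^c_x$ defined above (c = 1 being the original GGM PRF) and the sequential cost model used in the analysis, as an added runnable example that is not part of the thesis. The PRBG block $G_j(x)$ is instantiated with SHA-256 (an assumption made only so the example is self-contained; the thesis does not fix a PRBG). Because a hash-based G is random-access, the sequential cost is not measured but modelled: generating block j is charged (j+1) $T_0$, since blocks 0..j must be produced first. The exhaustive average is then compared against the closed form $\frac{2^c+1}{2c} k T_0$, and the optimal c is located.

```python
import hashlib
from itertools import product

K_BYTES = 16  # k = 128 bits (assumption for the example)


def prbg_block(x: bytes, j: int) -> bytes:
    """The j-th k-bit block G_j(x) of a PRBG G: {0,1}^k -> {0,1}^(2^c k).
    Instantiated as SHA-256(x || j) truncated to k bits (an assumption; any PRBG works)."""
    return hashlib.sha256(x + j.to_bytes(2, "big")).digest()[:K_BYTES]


def ggm_eval(key: bytes, alpha: str, c: int = 1, sequential: bool = True):
    """Evaluate f^c_key(alpha) by walking the 2^c-ary GGM tree; c=1 is the original GGM PRF.
    alpha is a k-bit string and c must divide k. Returns (value, cost), where cost counts
    k-bit blocks charged under the cost model: sequential generation charges j+1 blocks for
    G_j (blocks 0..j must be produced), random access charges 1 block for any G_j."""
    if len(alpha) % c:
        raise ValueError("c must divide the input length")
    x, cost = key, 0
    for i in range(0, len(alpha), c):
        j = int(alpha[i:i + c], 2)  # the next c bits pick one of the 2^c children
        x = prbg_block(x, j)
        cost += j + 1 if sequential else 1
    return x, cost


def expected_cost(k: int, c: int) -> float:
    """E[T_{f^c}] in units of T0 for a uniform input: k/c steps, each averaging
    (1 + 2 + ... + 2^c) / 2^c = (2^c + 1) / 2 blocks."""
    return (2 ** c + 1) * k / (2 * c)


def average_cost_exhaustive(k: int, c: int, sequential: bool = True) -> float:
    """Average the modelled cost over all 2^k inputs (small k only) to check expected_cost."""
    key = bytes(K_BYTES)
    total = sum(ggm_eval(key, "".join(bits), c, sequential)[1]
                for bits in product("01", repeat=k))
    return total / 2 ** k


def best_branching(k: int, max_c: int = 8) -> int:
    """The c in 1..max_c minimising E[T_{f^c}] under the sequential model (the slides claim 2)."""
    return min(range(1, max_c + 1), key=lambda c: expected_cost(k, c))


if __name__ == "__main__":
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed key
    alpha = format(0xDEADBEEF, "032b") * 4  # constructed 128-bit query
    for c in (1, 2, 4, 8):
        value, cost = ggm_eval(key, alpha, c)
        print(f"c={c}: f^c(alpha)={value.hex()} cost={cost} T0  E[T]={expected_cost(128, c)} T0")
    print("best c under the sequential model:", best_branching(128))
```

For k = 128 the closed form gives 192, 160 and 192 $T_0$ for c = 1, 2, 3, reproducing the 3/2 and 5/4 factors above; note that different values of c give different functions of the same key, so outputs across c are not comparable, only their costs are.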
Analysis of the Variant (conti.)
• The previous analysis assumes that the underlying PRBG G generates its pseudorandom bits sequentially.
• If instead G allows random access to any k-bit block of its output at the same cost $T_0$, then every iteration costs $T_0$ whichever child is taken, and
$$T_{f^c} = \tfrac{k}{c}\,T_0 .$$
• At most, by choosing $c = \log k$ (which keeps G's output length $2^c k = k^2$ polynomial), we can shorten the depth of the tree to $k/\log k$. Then
$$T_{f^{\log k}} = \tfrac{k}{\log k}\,T_0 .$$
Summary
• We have given analysis and improvements for the GGM construction:
– the 4-ary-tree (c = 2) construction has the best performance on average if G generates bits sequentially:
$$E[T_{f^2}] = \tfrac{5}{4}\,k\,T_0 < \tfrac{3}{2}\,k\,T_0 = E[T_f];$$
– the k-ary-tree (c = log k) construction if G allows random access with the same cost:
$$T_{f^{\log k}} = \tfrac{k}{\log k}\,T_0 < k\,T_0 = T_f .$$
Applications of PRFs
Previous Work
• Checking the correctness of memory
– check the correctness of a large unreliable memory, given only a small reliable memory.
• Pseudorandom permutations
– basic primitives in block ciphers.
• Storageless distribution of users' secrets
– assign $(U, f_x(U))$ to user U.
• Message authentication
– message m with a short tag $f_s(m)$.
• Identification
– A group shares a common secret s. Members can identify each other through a challenge r and the response $f_s(r)$.
A RFID protocol for identifying merchandise
• Our goal: an ideal RFID protocol
– protect against tag cloning attacks
– resist malicious tracing
– efficiency of the protocol
• the server can quickly identify tags
• the communication cost is low.
Figure: tags communicate with a reader, which is connected to the server and its database.
The difficulty of designing an ideal RFID protocol
• To resist cloning attacks or malicious tracing
– a tag's reply should not be constant.
• But a floating identifier causes a performance problem at the server
– the server may need to maintain a sorting table.
• To resist DoS attacks
– to prevent desynchronization attacks, the tag may need to authenticate the reader.
A general challenge-response RFID protocol
in order to mutually authenticate…
Our proposal
• Main idea
– A mutual authentication protocol is usually needed to fulfill the security requirements. Such a protocol needs at least 4 transmissions per identification.
– To break through this bottleneck, we divide the life of a product into three phases.
• (Ⅰ) Warehouse phase
• (Ⅱ) Transfer phase
• (Ⅲ) Housekeeping phase
The three phases
• Warehouse phase
– A product is in this phase before it is sold.
• Needs to resist tag counterfeiting.
• Does not need to resist malicious tracing.
• Transfer phase
– The seller sells the product to the customer.
• Housekeeping phase
– The customer owns and keeps the product.
• Needs to resist malicious tracing.
• Does not need to resist tag counterfeiting.
• Server performance is less of a concern because the customer has fewer tags to identify.
The proposed protocol: Initial Setting
• Each tag has a PRF $f: K \times D \to D$ and needs a small amount of memory:
• Choices of PRFs: SHA, MD5, DES, AES (a hash function must be used in a keyed mode, e.g. HMAC, to serve as a PRF, and MD5 is no longer a sound choice).

Value   | $ID_i$                                      | $K_i$                                        | $S_i$                 | $M_i$
Type    | Read-Only                                   | Rewritable                                   | Rewritable            | Write-Once Read-Many
Purpose | The unique identification value of a tag    | The key of the PRF f                         | Depends on the phase  | Separates the different phases
Size    | N tags would need about log N bits          | 128 bits (adjust to the strength of security) | the same as $K_i$     | 1 bit
The proposed protocol (Ⅰ) Warehouse phase
• The reader sends a challenge x; the tag replies with its $ID_i$ and $f_{K_i}(x)$.
• The server can quickly identify the tag: it looks up $K_i$ by $ID_i$ and verifies the response.
• $f_{K_i}(x)$ is used to protect against tag cloning: without $K_i$, a copied tag cannot answer a fresh challenge.
The proposed protocol (Ⅱ) Transfer phase
• The reader first obtains the tag's value $S_i$ from the backend server and sends $f_{K_i}(S_i)$ to the tag.
• The tag compares the received value with its own $f_{K_i}(S_i)$. If they are the same, it sets $M_i$ to 0 and updates $S_i$ to $f_{K_i}(S_i)$.
• The seller tells the buyer $K_i$ as a secret.
The proposed protocol (Ⅲ) Housekeeping phase
• The tag replies with $(S_i,\ y = f_{K_i}(S_i))$ and then updates $S_i$ to $f_{K_i}(y)$.
• To identify the tag, the server finds a key $K_i$ in its database which satisfies $y = f_{K_i}(S_i)$.
Security Analysis
• Tag counterfeiting
– In the Warehouse phase, an adversary may collect a set $U = \{(x, y = f_{K_i}(x))\}$ of observed challenge-response pairs with |U| = t.
– For a new challenge x' drawn from D, the probability that the adversary A forges the correct y' is
$$\Pr[A(x') = y'] = \Pr[A(x') = y' \mid x' \in U]\Pr[x' \in U] + \Pr[A(x') = y' \mid x' \notin U]\Pr[x' \notin U] = 1 \cdot \frac{t}{|D|} + \frac{1}{|D| - t} \cdot \frac{|D| - t}{|D|} = \frac{t + 1}{|D|} = \frac{t + 1}{2^{128}} .$$
• Eavesdropping
– A tag's $ID_i$ can be eavesdropped. But $ID_i$ does not reveal any information about the product.
Security Analysis (conti.)
• Malicious tracing
– In the Housekeeping phase, a tag replies $(S_i, y = f_{K_i}(S_i))$ and updates $S_i$.
– $S_i$ can be used to trace the tag only if an $S_i$ value repeats.
– For a random function f, the series f(x), f(f(x)), f(f(f(x))), … is expected to repeat only after about $|D|^{1/2}$ terms (the rho length).
– In our protocol, $S_i$ is therefore expected to repeat only after about $\sqrt{|D|}$ rounds, i.e. around the $2^{63}$-th round for a 128-bit $S_i$.
• DoS attack
– No desynchronization attack: the server identifies the tag from $(S_i, y)$ using $K_i$ alone, so it keeps no counter that must stay in step with the tag.
– $S_i$ will not be quickly exhausted.
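A simulation of the three-phase protocol above and of the rho-length claim, added here as an example that is not part of the thesis. The PRF $f_K$ is instantiated as HMAC-SHA256 truncated to 128 bits (an assumption; the slides only list SHA, MD5, DES and AES as candidates), the tag identifier, keys, seed and challenge are constructed values, and the seller's and buyer's backends are modelled as two `Server` instances. `run_protocol` walks one tag through warehouse identification (including a cloned tag that lacks $K_i$), the transfer handshake (including a reader that does not know $K_i$) and two housekeeping rounds; `rounds_until_repeat` shrinks D to a toy size so the expected repeat period of the $S_i$ sequence can actually be observed.

```python
import hashlib
import hmac

D_BYTES = 16  # |D| = 2^128: K_i and S_i are 128 bits, as in the memory table above


def f(key: bytes, x: bytes, out_len: int = D_BYTES) -> bytes:
    """The tag's PRF f: K x D -> D, instantiated here as truncated HMAC-SHA256 (an assumption)."""
    return hmac.new(key, x, hashlib.sha256).digest()[:out_len]


class Tag:
    """Tag memory: read-only ID_i, key K_i, state S_i and the phase bit M_i (1 = warehouse, 0 = sold)."""

    def __init__(self, tag_id: int, key: bytes, s0: bytes):
        self.id, self.key, self.s, self.m = tag_id, key, s0, 1

    def respond(self, challenge: bytes) -> tuple:
        if self.m == 1:  # (I) warehouse: constant ID_i plus f_{K_i}(x) against cloning
            return ("warehouse", self.id, f(self.key, challenge))
        y = f(self.key, self.s)  # (III) housekeeping: floating identifier (S_i, y)
        reply = ("housekeeping", self.s, y)
        self.s = f(self.key, y)  # advance S_i <- f_{K_i}(y) so consecutive replies are unlinkable
        return reply

    def transfer(self, proof: bytes) -> bool:
        """(II) transfer: accept only a reader that proves knowledge of K_i with f_{K_i}(S_i)."""
        expected = f(self.key, self.s)
        if not hmac.compare_digest(proof, expected):
            return False
        self.m, self.s = 0, expected
        return True


class Server:
    """Backend database ID_i -> (K_i, S_i)."""

    def __init__(self):
        self.db = {}

    def register(self, tag_id: int, key: bytes, s0: bytes) -> None:
        self.db[tag_id] = (key, s0)

    def transfer_proof(self, tag_id: int) -> bytes:
        key, s = self.db[tag_id]
        return f(key, s)

    def identify(self, challenge: bytes, reply: tuple):
        if reply[0] == "warehouse":  # O(1) lookup by ID_i, then verify the response
            _, tag_id, y = reply
            rec = self.db.get(tag_id)
            return tag_id if rec and hmac.compare_digest(y, f(rec[0], challenge)) else None
        _, s, y = reply  # linear search: find the K_i with y == f_{K_i}(S_i)
        for tag_id, (key, _) in self.db.items():
            if hmac.compare_digest(y, f(key, s)):
                return tag_id
        return None


def run_protocol(seed: bytes = b"constructed-seed") -> dict:
    """Walk one tag through the three phases; returns checkable facts about each step."""
    key = hashlib.sha256(seed + b"key").digest()[:D_BYTES]   # constructed K_i
    s0 = hashlib.sha256(seed + b"s0").digest()[:D_BYTES]     # constructed initial S_i
    x = hashlib.sha256(seed + b"challenge").digest()[:D_BYTES]  # constructed reader challenge
    tag, seller, buyer = Tag(7, key, s0), Server(), Server()
    seller.register(7, key, s0)
    clone = Tag(7, bytes(D_BYTES), s0)  # knows ID_i and S_i but not K_i
    out = {
        "warehouse_ok": seller.identify(x, tag.respond(x)) == 7,
        "clone_rejected": seller.identify(x, clone.respond(x)) is None,
        "transfer_accepted_without_key": tag.transfer(bytes(D_BYTES)),
        "transfer_ok": tag.transfer(seller.transfer_proof(7)),
    }
    buyer.register(7, key, tag.s)  # the seller hands K_i to the buyer as a secret
    r1, r2 = tag.respond(x), tag.respond(x)
    out["housekeeping_ok"] = buyer.identify(x, r1) == 7 and buyer.identify(x, r2) == 7
    out["replies_differ"] = r1[1] != r2[1] and r1[2] != r2[2]
    out["phase_bit"] = tag.m
    return out


def rounds_until_repeat(key: bytes, s0: bytes, bits: int) -> int:
    """Toy-domain check of the rho-length claim: shrink D to 2^bits and count housekeeping
    rounds (S <- f(f(S))) until some S_i value recurs; expect on the order of sqrt(|D|)."""
    n = bits // 8
    seen, s, rounds = set(), s0[:n], 0
    while s not in seen:
        seen.add(s)
        s = f(key, f(key, s, n), n)
        rounds += 1
    return rounds
```

The warehouse reply carries the constant $ID_i$, so it is traceable but cheap to resolve; after the transfer the tag never sends $ID_i$ again and the buyer's server must try every key it holds, which is the search cost the efficiency analysis accepts for a household-sized set of tags. With a 16-bit toy domain the repeat shows up after a few hundred rounds, consistent with the $\sqrt{|D|}$ estimate that gives around $2^{63}$ rounds at 128 bits.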
Efficiency analysis
• In the Warehouse phase, the server can quickly identify the tag by $ID_i$.
• In the Housekeeping phase, a tag replies with a floating identifier, so the server needs to search over its keys. But we assume a customer's tags number no more than thousands.
• Each phase can be completed in only 1 round, better than a mutual authentication protocol.
Conclusion
• We give analysis and improvements for the GGM construction of PRFs from PRBGs.
– the 4-ary-tree (c = 2) construction if G generates bits sequentially.
– the k-ary-tree (c = log k) if G allows random access with the same cost.
• We propose a RFID protocol for identifying merchandise.
– Against tag cloning attacks
– Against malicious tracing
– Efficient
Thanks!