Security Analysis of DRBG Using HMAC in NIST SP 800-90



Similar documents
The NIST SP A Deterministic Random Bit Generator Validation System (DRBGVS)

Network Security. Chapter 6 Random Number Generation

C O M P U T E R S E C U R I T Y

Yale University Department of Computer Science

Comparison of CBC MAC Variants and Comments on NIST s Consultation Paper

Recommendation for Applications Using Approved Hash Algorithms

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

MACs Message authentication and integrity. Table of contents

On the Security of CTR + CBC-MAC

Lecture 9 - Message Authentication Codes

Randomized Hashing for Digital Signatures

Network Security. Chapter 6 Random Number Generation. Prof. Dr.-Ing. Georg Carle

Lecture 5 - CPA security, Pseudorandom functions

Improved Online/Offline Signature Schemes

Victor Shoup Avi Rubin. Abstract

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Provable-Security Analysis of Authenticated Encryption in Kerberos

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Non-Black-Box Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring

International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013

Recommendation for Cryptographic Key Generation

Authentication requirement Authentication function MAC Hash function Security of

1 Message Authentication

The Misuse of RC4 in Microsoft Word and Excel

Computational Soundness of Symbolic Security and Implicit Complexity

ARCHIVED PUBLICATION

Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths

Concrete Security of the Blum-Blum-Shub Pseudorandom Generator

Digital Signature Standard (DSS)

The Keyed-Hash Message Authentication Code (HMAC)

1 Construction of CCA-secure encryption

Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised)

A Factoring and Discrete Logarithm based Cryptosystem

Security Analysis for Order Preserving Encryption Schemes

Identity-Based Encryption from the Weil Pairing

Length extension attack on narrow-pipe SHA-3 candidates

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

Ch.9 Cryptography. The Graduate Center, CUNY.! CSc Theoretical Computer Science Konstantinos Vamvourellis

Capture Resilient ElGamal Signature Protocols

A New Generic Digital Signature Algorithm

Computer Security: Principles and Practice

Security Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012

New Efficient Searchable Encryption Schemes from Bilinear Pairings

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

CMSS An Improved Merkle Signature Scheme

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)

Lecture 13: Message Authentication Codes

Cryptographic Hash Functions Message Authentication Digital Signatures

ETSI TS V1.2.1 ( )

A novel deniable authentication protocol using generalized ElGamal signature scheme

A New and Efficient Signature on Commitment Values

An Approach to Shorten Digital Signature Length

CUNSHENG DING HKUST, Hong Kong. Computer Security. Computer Security. Cunsheng DING, HKUST COMP4631

Algorithms and Parameters for Secure Electronic Signatures V.1.44 DRAFT May 4 th., 2001

Efficient Unlinkable Secret Handshakes for Anonymous Communications

Information Theory and Coding Prof. S. N. Merchant Department of Electrical Engineering Indian Institute of Technology, Bombay

GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte. Yehuda Lindell Bar-Ilan University

Message Authentication Code

MTAT Cryptology II. Digital Signatures. Sven Laur University of Tartu

One-Way Encryption and Message Authentication

Security Arguments for Digital Signatures and Blind Signatures

CS 393 Network Security. Nasir Memon Polytechnic University Module 11 Secure

SkyRecon Cryptographic Module (SCM)

Message Authentication Codes 133

Talk announcement please consider attending!

SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES

SD12 REPLACES: N19780

National Security Agency Perspective on Key Management

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

EXAM questions for the course TTM Information Security May Part 1

Stronger Security Bounds for OMAC, TMAC and XCBC

Introduction. Digital Signature

Advanced Cryptography

Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives

Chapter 3. Network Domain Security

Simulation-Based Security with Inexhaustible Interactive Turing Machines

HASH CODE BASED SECURITY IN CLOUD COMPUTING

Implementation of Elliptic Curve Digital Signature Algorithm

shmqv: An Efficient Key Exchange Protocol for Power-limited Devices

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Notes from Week 1: Algorithms for sequential prediction

NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES

An Improved Authentication Protocol for Session Initiation Protocol Using Smart Card and Elliptic Curve Cryptography

Hash-based Digital Signature Schemes

Developing and Investigation of a New Technique Combining Message Authentication and Encryption

Elliptic Curve Hash (and Sign)

Transcription:

Security Analysis of DRBG Using MAC in NIST SP 800-90 Shoichi irose Graduate School of Engineering, University of Fukui hrs shch@u-fukui.ac.jp Abstract. MAC DRBG is a deterministic random bit generator using MAC specified in NIST SP 800-90. The document claims that MAC DRBG is a pseudorandom bit generator if MAC is a pseudorandom function. owever, no proof is given in the document. This article provides a security analysis of MAC DRBG and confirms the claim. ey words: NIST SP 800-90, pseudorandom bit generator, MAC, pseudorandom function 1 Introduction Background. Random bits are indispensable to every cryptographic application. owever, it is not easy to prepare sufficient amount of truly random bits in general. Thus, most applications use a cryptographic mechanism that is called a pseudorandom bit generator (PRBG). It stretches a short sequence of random bits to a long sequence of bits that are indistinguishable from truly random bits in practice. MAC DRBG is a deterministic random bit generator (DRBG) specified in NIST SP 800-90 [3]. It is claimed in NIST SP 800-90 that MAC DRBG is a PRBG if MAC is a pseudorandom function (PRF). owever, no proof is made public as far as the authors know. Contribution. This article presents a security analysis of MAC DRBG. The result supports the claim in NIST SP 800-90 mentioned above. This article does not provide new techniques and just uses well-known ones in the analysis. In spite of this fact, the contribution of this paper is still important since MAC DRBG is expected to be widely used in practice. MAC DRBG consists of three algorithms. They are instantiate, reseed and generate algorithms. The instantiate/reseed algorithm is used to produce/refresh a secret key. The generate algorithm produces a binary sequence from a secret key given by the instantiate or reseed algorithms. This article gives a proof for the pseudorandomness of MAC DRBG on the assumption that the instantiate and reseed algorithms are ideal. Namely, a secret key given to the generate algorithm is selected uniformly at random by each of them.

2 S. irose Related Work. NIST SP 800-90 specifies four DRBG mechanisms: ash DRBG, MAC DRBG, CTR DRBG and Dual EC DRBG. ash DRBG and MAC DRBG are based on hash functions. CTR DRBG uses a block cipher in the counter mode. Dual EC DRBG is based on the elliptic curve discrete logarithm problem. A security analysis of these DRBGs was presented in [9]. owever, the discussion was quite informal. A security analysis of CTR DRBG was also presented in [7]. Brown and Gjøsteen [6] provided a detailed security analysis of Dual EC DRBG. There also exist some other approved DRBGs in ANSI X.9.31 [2], ANSI X.9.62-1998 [1] and FIPS PUB 186-2 [11]. The security of these algorithms was discussed in [8] and [10]. MAC was proposed by Bellare, Canetti and rawczyk [5]. It was proved to be a PRF on the assumption that the compression function of the underlying iterated hash function is a PRF with two keying strategies[4]. Actually, MAC is used as a PRF in many cryptographic schemes. Organization. This article is organized as follows. Definitions of a pseudorandom bit generator and a pseudorandom function are given in Sect. 2. A description of MAC DRBG is presented in Sect. 3. Results on security analysis of MAC DRBG are shown in Sect. 4. Concluding remarks are given in Sect. 5. 2 Preliminaries Let a $ A represent that an element a is selected uniformly at random from a set A. 2.1 A Pseudorandom Bit Generator Let G be a function such that G : {0, 1} n {0, 1} l. Let D be a probabilistic algorithm which outputs 0 or 1 for a given input in {0, 1} l. The goal of D is to tell whether a given input is G(k) for k selected uniformly at random or it is selected uniformly at random. The advantage of D against G is defined as follows: Pr[D(G(k)) G (D) = $ = 1 k {0, 1} n ] Pr[D(s) = 1 s $ {0, 1} l ], where the probabilities are taken over the coin tosses by D and the uniform distributions on {0, 1} n or {0, 1} l. G is called a pseudorandom bit generator (PRBG) if l > n and G (D) is negligible for any efficient D. 2.2 A Pseudorandom Function Let be a keyed function such that : D R, where is a key space, D is a domain, and R is a range. (k, ) is denoted by k ( ). Let A be a probabilistic algorithm which has oracle access to a function from D to R. The goal of A is to tell whether the oracle is k for k selected uniformly at random or it is a

Security Analysis of DRBG Using MAC in NIST SP 800-90 3 function selected uniformly at random. A first asks elements in D and obtains the corresponding elements in R with respect to the function, and then outputs 0 or 1. A makes the queries adaptively: A makes a new query after receiving an answer to the current query. Let F be the set of all functions from D to R. The advantage of A for is defined as follows: Adv prf Pr[A (A) = k = 1 k $ ] Pr[A ρ = 1 ρ $ F ], where the probabilities are taken over the coin tosses by A and the uniform distributions on or F. is called a pseudorandom function (PRF) if Adv prf (A) is negligible for any efficient A. 3 MAC DRBG MAC DRBG is a DRBG using MAC in NIST SP 800-90 [3]. It consists of three algorithms: an instantiate algorithm, a reseed algorithm and a generate algorithm. The instantiate algorithm is used to produce a secret key. The reseed algorithm is used to refresh it. These algorithms are out of the scope of the article. They also use MAC to produce the secret keys. owever, the security of the outputs is not based on the secrecy and randomness of the keys given to MAC but the data given to MAC via message input. From this viewpoint, we may say that they abuse MAC. We only assume that the keys produced by the instantiate and reseed algorithms are ideal. Namely, we assume that a secret key given to the generate algorithm is selected uniformly at random. The generate algorithm produces a binary sequence for a given secret key. A description of this algorithm is given in the following part. The instantiate and reseed algorithms are given in Appendix A for reference. Notation. MAC is simply denoted by. Let n denote the output length of. Let null denote an empty sequence. Concatenation of binary sequences x and y is denoted by x y. The symbol is sometimes omitted. 3.1 Internal State The internal state of MAC DRBG includes {0, 1} n, {0, 1} n, and a reseed counter d 1. and are assumed to be secret. The reseed counter d is an integer variable indicating the number of requests for pseudorandom bits since instantiation or reseeding. 3.2 The Function Update The function Update is used in the generate algorithm to produce a secret key (, ) for the next invocation of the generate algorithm. It is described as follows.

4 S. irose Update(,, adin): 1. = (, 0x00 adin) 2. = (, ) 3. If adin = null, then return (, ) 4. = (, 0x01 adin) 5. = (, ) 6. Return (, ) adin is an optional additional input. Update is shown in Fig. 1. 0x00 (a) If adin is an empty sequence 0x00 adin 0x01 adin (b) If adin is not an empty sequence Fig. 1. The function Update 3.3 The Algorithm Generate The generate algorithm Generate produces a binary sequence s for given secret (, ) and an optional additional input adin. It is described as follows.

Security Analysis of DRBG Using MAC in NIST SP 800-90 5 Generate(,, adin): 1. If d > w, then return an indication that a reseed is required. 2. (, ) = Update(,, adin) if adin null 3. tmp = null 4. While tmp < l do: (a) = (, ) (b) tmp = tmp 5. s = the leftmost l bits of tmp 6. (, ) = Update(,, adin) 7. d = d + 1 8. Return s and (, ) The maximum sizes of parameters are given in Table 1. w is called a reseed interval. It represents the total number of requests for pseudorandom bits between reseeding. If adin is not supported, then the step 6 is executed with adin = null. Generate is given in Fig. 2. null Update adin s (a) If adin is not given or not supported Update Update s (b) If adin is given Fig. 2. The algorithm Generate. The update of the reseed counter d is omitted.

6 S. irose Table 1. The maximum sizes of parameters parameter maximum size adin 2 35 bits l 2 19 bits w 2 48 4 Security Analysis For simplicity, we assume that l is a multiple of n. Thus, the output length of Generate is l+2n. We analyze the security of a generator G : {0, 1} 2n {0, 1} wl defined as follows: G(, ): 1. ( 0, 0 ) = (, ) 2. s = null 3. for i = 1 to w do (a) (s i, i, i ) = Generate( i 1, i 1, adin i 1 ) (b) s = s s i (c) Return s We make adin i implicit in the notation of G(, ), because the analysis given in the remaining parts does not depend on the value of adin i. It depends only on whether adin i = null or not. 4.1 If adin = null First, notice that we cannot prove the pseudorandomness of G directly from that of Generate. Generate is not a PRBG if adin = null. Let q = l/n and Generate(, ) = s 1 s 2 s q, where s j {0, 1} n for 1 j q. Then, = (s q ). Thus, it is easy to distinguish s 1 s 2 s q from a truly random sequence of length l + 2n. We introduce two generators G 01 and G 02. G 01 : {0, 1} 2n {0, 1} l+2n is described as follows: G 01 (, ): 1. s = 2. tmp = null 3. While tmp < l do: (a) = (, ) (b) tmp = tmp 4. s = s tmp 5. = (, 0x00) 6. s = s 7. Return s

Security Analysis of DRBG Using MAC in NIST SP 800-90 7 G 02 : {0, 1} 2n {0, 1} l+3n is described as follows: G 02 (, ) : 1. s = 2. = (, ) 3. s = s G 01 (, ) 4. Return s The only difference between G 01 and G 02 is that G 02 calls MAC more than G 01 by one time. Let G 0 : {0, 1} 2n {0, 1} w(l+n)+n be a generator which, for a given (, ), produces a sequence { s 1 0 s 1 1 s 1 q+1 if w = 1 s 1 0s 1 1 s 1 q 1 s 2 1s 2 0 s 2 q 1 s w 1 1 sw 1 0 s w 1 q 1 sw 1s w 0 s w q+1 if w 2, where 1. s i j {0, 1}n, 2. s 1 0s 1 1 s 1 q+1 = G 01 (, ), and 3. s i 1s i 0s i 1 s i q+1 = G 02 (s i 1 q+1, si 1 q ) for 2 i w. A diagram of G 0 is given in Fig. 3. Notice that G(, ) is a part of G 0 (, ). It is obvious if w = 1. For w 2, G(, ) = s 1 1s 1 2 s 1 q 1 s 2 1s 2 1s 2 2 s 2 q 1 s 1 w 1 sw 1 1 s w 1 2 s w 1 q 1 sw 1s w 1 s w 2 s w q = s 1 1s 1 2 s 1 q s 2 1s 2 2 s 2 q s w 1 1 s2 w 1 s w 1 q s w 1 s w 2 s w q, where s i+1 1 = si q for 1 i w 1. Thus, G is a PRBG if G 0 is a PRBG. We will discuss the security of G 0 in the remaining part. c c G 01 G 02 G 02 G 02............ Fig. 3. A diagram of the generator G 0. c represents the concatenation with 0x00. The Update functions are surrounded by dashed rectangles. We first show that both G 01 and G 02 are PRBGs if MAC is a PRF. For an algorithm A, let t A be the running time of A.

8 S. irose Lemma 1. Let D be a distinguisher for G 01 which runs in t D. Then, there exists an adversary A for MAC such that G 01 (D) Adv prf q(q 1) MAC (A) + 2 n+1. A runs in t D + O(l) and asks at most q + 1 queries. Proof. Let F,n be the set of all functions from {0, 1} to {0, 1} n. Let Ĝ01(ρ, ) be a generator obtained from G 01 by replacing MAC with a function ρ F,n. Let Then, P 0 = Pr[D(s) = 1 (, ) $ {0, 1} 2n s G 01 (, )], P 1 = Pr[D(s) = 1 ρ $ F,n $ {0, 1} n s Ĝ01(ρ, )], P 2 = Pr[D(s) = 1 s $ {0, 1} l+2n ]. G (D) = P 0 P 2 P 0 P 1 + P 1 P 2. Let Ĝ01(ρ, ) = ŝ 0 ŝ 1 ŝ q+1, where ŝ j {0, 1} n for 0 j q + 1. If ρ $ F,n, then Ĝ01(ρ, ) and a random sequence of length l + 2 n is completely indistinguishable as far as ŝ j1 ŝ j2 for every j 1 and j 2 such that 0 j 1 < j 2 q 1. Notice that ŝ j ŝ q 0x00 for every 0 j q 1. Thus, P 1 P 2 q(q 1) 2 n+1. On the other hand, for P 0 P 1, it is easy to see that we can construct an adversary A for MAC, using D as a subroutine, such that Adv prf MAC (A) P 0 P 1, where A runs in t D + O(l) and asks at most q + 1 queries. Lemma 2. Let D be a distinguisher for G 02 which runs in t D. Then, there exists an adversary A such that G 02 (D) Adv prf q(q + 1) MAC (A) + 2 n+1. A runs in t D + O(l) and asks at most q + 2 queries. Proof. The proof is similar to that of Lemma 1. For w 2, let G (w 1) 02 be a generator which calls G 02 (w 1) times successively. Namely, G (w 1) 02 (s 1 q+1, s 1 q) = s 2 1s 2 0 s 2 q 1 s w 1 1 sw 1 0 s w 1 q 1 sw 1s w 0 s w q+1.

Security Analysis of DRBG Using MAC in NIST SP 800-90 9 Lemma 3. Let D be a distinguisher for G (w 1) 02 which runs in t D. Then, there exists a distinguisher D of G 02 such that G (w 1) 02 D runs in t D + (w 2) t G02 + O(wl). (D) (w 1) G 02 (D ). Proof. For a given input s {0, 1} l+3n, the distinguisher D behaves as follows: 1. Select 2 r w uniformly at random. 2. If r 3, then select s 2 1s 2 0 s 2 q 1,..., s r 1 1 sr 1 0 s r 1 q 1 uniformly at random. 3. Let s r 1s r 0 s r q+1 = s. 4. If r < w, s i 1s i 0 s i q+1 = G 02 (s i 1 q ) for r + 1 i w. 5. Call D with s = s 2 1s 2 0 s 2 q 1 s w 1 1 6. Output D s output. Then, q+1, si 1 sw 1 0 s w 1 q 1 sw 1s w 0 s w q+1. G 02 (D ) = Pr[D (G 02 (, )) = 1 (, ) $ {0, 1} 2n ] Pr[D (s) = 1 s $ {0, 1} l+3n ] = Pr[D(s) = 1 (, ) $ {0, 1} 2n s G 02 (, )] Pr[D(s) = 1 s $ {0, 1} l+3n ]. Pr[D(s) = 1 (, ) $ {0, 1} 2n s G 02 (, )] w = Pr[r = u D(s) = 1 (, ) $ {0, 1} 2n s G 02 (, )] = u=2 w u=2 Pr[D(s) = 1 (, ) $ {0, 1} 2n s G 02 (, ) r = u] w 1 = Pr[D(s) = 1 (, ) $ {0, 1} 2n s G (w 1) 02 (, )] + w 1 w Pr[D(s) = 1 (, ) $ {0, 1} 2n s G 02 (, ) r = u] w 1 u=3. Pr[D(s) = 1 s $ {0, 1} l+3n ] = w 1 u=2 Pr[D(s) = 1 s $ {0, 1} l+3n r = u] w 1 + Pr[D(s) = 1 s $ {0, 1} (w 1)(l+n)+2n ] w 1.

10 S. irose There may exist a better distinguisher for G 02 than D with the same running time. Thus, we have G 02 (D ) 1 w 1 Advprbg G (w 1) 02 (D). The running time of D is at most t D + (w 2) t G02 + O(wl). Lemma 4. Let D be a distinguisher for G 0 which runs in t D. Then, there exist distinguishers D for G 01 and D for G (w 1) 02 such that D runs in t D + t G (w 1) 02 Proof. Let G 0 (D) G 01 (D ) + G (w 1) 02 (D ). + O(wl), and D runs in t D + O(wl). P 0 = Pr[D(s) = 1 (, ) $ {0, 1} 2n s G 0 (, )], P 1 = Pr[D(s) = 1 s 1 0 s 1 q+1 P 2 = Pr[D(s) = 1 s $ {0, 1} w(l+n)+n ]. Then, there exist D and D such that $ {0, 1} l+2n s s 1 0 s 1 q 1 G (w 1) 02 (s 1 q+1, s 1 q)], G 0 (D) = P 0 P 2 P 0 P 1 + P 1 P 2 The running time of D is t D + t (w 1) G 02 t D + O(wl). G 01 (D ) + G (w 1) 02 (D ). + O(wl). The running time of D is The following theorem directly follows from Lemmas 1, 2, 3 and 4. It implies that G 0 is a PRBG if MAC is a PRF. Theorem 1. Let D be a distinguisher for G 0 which runs in t D. Then, there exists an adversary A for MAC such that G 0 (D) w Adv prf wq(q + 1) MAC (A) + 2 n+1. A runs in t D + w(q + 2) t MAC + O(wl) and asks at most q + 2 queries, where the length of each query is at most n + 8. Remark 1. Suppose that SA-1 is the underlying hash function of MAC. Then, n = 160. Suppose that w = 2 48 and l = 2 11 160 ( 2 19 ). Then, G 0 (D) 2 48 Adv prf MAC (A) + 1 2 90, where A runs in time t D +2 60 t MAC +O(2 66.3 ) and makes at most 2050 queries. The big-o notation is abused here. O(2 66.3 ) is upper bounded by c 2 66.3 for some positive constant c.

Security Analysis of DRBG Using MAC in NIST SP 800-90 11 Remark 2. Suppose that SA-256 is the underlying hash function of MAC. Then, n = 256. Suppose that w = 2 48 and l = 2 19. Then, G 0 (D) 2 48 Adv prf MAC (A) + 1 2 186, where A runs in time t D + 2 60 t MAC + O(2 67 ) and makes at most 2050 queries. 4.2 If adin null If adin null, then the analysis is similar but tedious. We first define several generators. Let g 10 : {0, 1} 2n {0, 1} 2n be a generator such that g 10 (, ) = (, 0x00 adin). Let g 11 : {0, 1} 2n {0, 1} 3n be a generator such that g 11 (, ) = s, where s is obtained as follows: 1. 1 = (, ) 2. 2 = (, 1 0x01 adin) 3. s = 1 2 Let g 12 : {0, 1} 2n {0, 1} 3n be a generator such that g 12 (, ) = s, where s is obtained as follows: 1. 1 = (, ) 2. 2 = (, 1 0x00 adin) 3. s = 1 2 The generators g 10, g 11 and g 12 are depicted in Fig. 4. Let G 10 : {0, 1} 2n {0, 1} l+3n be a generator equivalent to G 02 defined in the previous subsection. c0 c1 c0 g 10 g 11 g 12 Fig. 4. A diagram of the generators g 10, g 11 and g 12. The Update functions are surrounded by dashed rectangles. c0 represents the concatenation with 0x00 adin, and c1 represents the concatenation with 0x01 adin. Using the generators defined above, we further define two generators G 11 and G 12. G 11 : {0, 1} 2n {0, 1} l+4n is described as follows: G 11 (, ) = s 2 s 1 s q+1, where

12 S. irose 1. 1 1 = g 10 (, ) 2. s 2 2 2 = g 11 ( 1, 1 ) 3. s 1 s 0 s q s q+1 = G 10 ( 2, 2 ) G 12 : {0, 1} 2n {0, 1} l+6n is described as follows: G 12 (, ) = s 4 s 3 s q+1, where 1. s 4 1 1 = g 11 (, ) 2. s 3 2 2 = g 12 ( 1, 1 ) 3. s 2 3 3 = g 11 ( 2, 2 ) 4. s 1 s 0 s q s q+1 = G 10 ( 3, 3 ) Now, we are ready to discuss the pseudorandomness of G(, ). Let G 1 : {0, 1} 2n {0, 1} w(l+4n) be a generator which, for a given (, ), produces a sequence where { s 1 2 s 1 1 s 1 q+1 if w = 1 s 1 2s 1 1 s 1 q 1 s 2 4 s 2 q 1 s 4 w 1 s w 1 q 1 sw 4 s w q+1 if w 2, 1. s i j {0, 1}n, 2. s 1 2s 1 1 s 1 q+1 = G 11 (, ), and 3. s i 4 s i q+1 = G 12 (sq+1 i 1, si 1 q ) for 2 i w. Notice that G(, ) is a part of G 1 (, ). It is easy to see if w = 1. For w 2, G(, ) = s 1 1s 1 2 s 1 q 1 s 2 4s 2 1s 2 2 s 2 q 1 s w 1 4 sw 1 1 s w 1 2 s w 1 q 1 sw 4s w 1 s w 2 s w q+1 = s 1 1s 1 2 s 1 q s 2 1s 2 2 s 2 q s w 1 1 s w 1 2 s w 1 q s w 1 s w 2 s w q, where s i+1 4 = si q for 1 i w 1. Thus, we discuss the pseudorandomness of G 1 in the remaining part. We only present the results since the proofs are similar. Lemma 5. Let D be a distinguisher for g 10 which runs in t D. Then, there exists an adversary A for MAC such that A runs in t D + O(n) and asks 1 query. g 10 (D) Adv prf MAC (A). Lemma 6. Let g be g 11 or g 12. Let D be a distinguisher for g which runs in t D. Then, there exists an adversary A for MAC such that g (D) Adv prf MAC (A). A runs in t D + O(n) and asks at most 2 queries.

Security Analysis of DRBG Using MAC in NIST SP 800-90 13 Lemma 7. Let D be a distinguisher for G 11 which runs in t D. Then, there exist D 0, D 1 and D such that g 10 G 11 (D) (D 0 ) + g 11 (D 1 ) + G 10 (D ). D 0 runs in t D + t g11 + t G10 + O(n). D 1 runs in t D + t G10 + O(n). D runs in t D + O(n). Lemma 8. Let D be a distinguisher for G 12 which runs in t D. Then, there exist D 1, D 2 and D such that g 11 G 12 (D) 2 (D 1 ) + g 12 (D 2 ) + G 10 (D ). D 1 runs in t D + t g11 + t g12 + t G10 + O(n). D 2 runs in t D + t g11 + t G10 + O(n). D runs in t D + O(n). The following theorem directly follows from Lemmas 5, 6, 7 and 8. It implies that G 1 is a PRBG if MAC is a pseudorandom function. Theorem 2. Let D be a distinguisher for G 1 which runs in t D. Then, there exist adversaries A 1 and A 2 such that G 1 (D) w Adv prf MAC (A 1) + 3 w Adv prf MAC (A wq(q 1) 2) + 2 n+1. A 1 runs in t D + w(q + 8) t MAC + O(wl) and asks at most q + 1 queries, and A 2 runs in t D + (w + 1)(q + 8) t MAC + O(wl) and asks at most 2 queries. 5 Conclusion We have shown that the binary sequence generation algorithm of MAC DRBG is a PRBG if MAC is a PRF. Future work includes analysis of the instantiate and reseed algorithms of MAC DRBG. Acknowledgements The author would like to thank anonymous reviewers for their valuable comments. This research was supported in part by the National Institute of Information and Communications Technology, Japan. References 1. American National Standards Institute. Public key cryptography for the financial services industry: The elliptic curve digital signature algorithm (ECDSA). ANSI X9.62-1998 (1998) 2. American National Standards Institute. Digital signatures using reversible public key cryptography for the financial services industry (rdsa). ANSI X9.31-1998 (1998)

14 S. irose 3. Barker, E., elsey, J.: Recommendation for random number generation using deterministic random bit generators (revised). NIST Special Publication 800-90 (2007) 4. Bellare, M.: New proofs for NMAC and MAC: Security without collisionresistance. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 602 619. Springer (2006). The full version is Cryptology eprint Archive: Report 2006/043 at http://eprint.iacr.org/. 5. Bellare, M., Canetti, R., rawczyk,.: eying hash functions for message authentication. In: oblitz, N. (ed.) CRYPTO 96. LNCS, vol. 1109, pp. 1 15. Springer (1996) 6. Brown, D.R., Gjøsteen,.: A security analysis of the NIST SP 800-90 elliptic curve random number generator. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 466 481. Springer (2007) 7. Campagna, M.J.: Security bounds for the NIST codebook-based deterministic random bit generator. Cryptology eprint Archive: Report 2006/379, http://eprint. iacr.org/ 8. Desai, A., evia, A., Yin, Y.L.: A practice-oriented treatment of pseudorandom number generators. In: nudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 368 383. Springer (2002) 9. an, W.: Analysis of underlying assumptions in NIST DRBGs. Cryptology eprint Archive: Report 2007/345, http://eprint.iacr.org/ 10. elsey, J., Schneier, B., Wagner, D., all, C.: Cryptanalytic attacks on pseudorandom number generators. In: audenay, S. (ed.) FSE 98. LNCS, vol. 1372, pp. 168 188. Springer (1998) 11. U.S. Department of Commerce/National Institute of Standards and Technology. Digital signature standard (DSS). Federal Information Processing Standards Publication 186-2 (+Change Notice) (2000) A The Instantiate and Reseed Algorithms of MAC DRBG The internal state of MAC DRBG includes {0, 1} n, {0, 1} n, and a reseed counter d. data is the entropy source. adin is an optional additional input. The Instantiate Algorithm. The instantiate algorithm Instantiate is described as follows: Instantiate(data, nonce, adin): 1. seed = data nonce adin 2. = 0x0000 00 3. = 0x0101 01 4. (, ) = Update(seed,, ) 5. d = 1 6. Return (, ) and d. If adin is not supported, then the first step of the procedure is replaced by seed = data nonce.

Security Analysis of DRBG Using MAC in NIST SP 800-90 15 The Reseed Algorithm. The reseed algorithm Reseed is described as follows: Reseed(,, d, data, adin): 1. seed = data adin 2. (, ) = Update(seed,, ) 3. d = 1 4. Return (, ) and d. The input (, ) to Reseed is given by the latest Generate. If adin is not supported, then the first step of the procedure is replaced by seed = data.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information