1 Cryptographically Strong Pseudorandom Functions and Their Applications 陳昱升 碩士學位論文 中興大學 資訊科學系 2006 年 6 月.

Presentation transcript:


2 Outline
Introduction
 – Randomness and Pseudorandomness
 – Pseudorandom Bit Generator (PRBG)
 – Pseudorandom Function (PRF)
The GGM construction of PRFs from PRBGs
Performance Improvement for the GGM Construction of PRFs
Applications
 – Previous work
 – An RFID protocol for identifying merchandise

3 Introduction

4 Introduction: Randomness
Randomness – a concept of the equality of probability (every outcome is equally likely).
Applications of randomness – scientific experiments; the one-time pad system.
Generating randomness is not easy – whether by hardware or by a program, there is no way to prove the randomness of the output.

5 Introduction: Pseudorandomness
Pseudorandomness – our goal: output that cannot be efficiently distinguished from true randomness by any adversary.
Pseudorandom Bit Generator (PRBG) – keeping the input (a random seed) to a PRBG secret, the PRBG's output is pseudorandom.
Pseudorandom Function (PRF) – keeping the (random) key of a PRF secret, the PRF's input-output behavior is pseudorandom.

6 Illustrations
Pseudorandom Bit Generator (PRBG): a secret seed x is expanded to a long string that is computationally indistinguishable from a truly random string.
Random function: on query x, a random function returns a random value f(x).
Pseudorandom function (PRF): on query x, returns f(x); its input-output behavior is computationally indistinguishable from that of a random function.

7 The GGM construction of PRFs
The GGM (Goldreich, Goldwasser, Micali) construction of PRFs – a generic method using PRBGs as building blocks.
Let G: {0,1}^k → {0,1}^{2k} be a PRBG.
 – G(x) = b_1 b_2 … b_k b_{k+1} … b_{2k}
 – G_0(x) = b_1 b_2 … b_k
 – G_1(x) = b_{k+1} b_{k+2} … b_{2k}

8 The GGM construction (cont.)
Construct a PRF f_k in the following way:
 – is a randomly chosen key.
 – if is a query to f_x, then

9 α

10 Other PRFs
PRFs from pseudorandom synthesizers.
PRFs based on the DDH assumption and the factoring assumption.
PRFs based on the factoring assumption.

11 Performance Improvement for the GGM Construction of PRFs

12 Performance Analysis of the GGM construction
At the (i−1)-th iteration, we compute G_0(x) if α_i = 0 and G_1(x) if α_i = 1.
Denote by T_0 and T_1 the cost of generating G_0(x) and G_1(x), respectively.
Assume that G generates pseudorandom bits sequentially. Then T_1 is about twice T_0.
Then the expected cost of evaluating the PRF is

13 The Variant of the GGM Construction
Consider processing c bits per iteration. We have a 2^c-ary tree construction for some constant integer c.
PRBG G; x is a randomly chosen key.
Define the function as
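The binary GGM construction of slides 7 and 8 and its 2^c-ary variant, written out as an added example (this is not code from the thesis). The only ingredient the slides require is a length-expanding PRBG G; here HMAC-SHA256 in counter mode stands in for G, which is an assumption of this example, as are all the function and parameter names. G_j(x) denotes the j-th k-bit block of G(x), so c = 1 gives the original G_0/G_1 and larger c gives the 2^c-ary tree whose depth is k/c instead of k.

```python
import hashlib
import hmac

K = 16  # k = 128 bits: seed and key length in bytes (constructed parameter)


def prbg(x: bytes, out_len: int) -> bytes:
    """Length-expanding PRBG stand-in: G(x) = H_x(0) || H_x(1) || ... truncated to out_len.
    HMAC-SHA256 in counter mode is an assumption of this example; the slides only
    require some PRBG G: {0,1}^k -> {0,1}^(2^c * k)."""
    out = b""
    ctr = 0
    while len(out) < out_len:
        out += hmac.new(x, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:out_len]


def g_block(x: bytes, j: int, c: int) -> bytes:
    """G_j(x): the j-th k-bit block of G(x) when G outputs 2^c blocks.
    With c = 1 this is exactly G_0(x) (first half) and G_1(x) (second half)."""
    assert 0 <= j < 2 ** c
    full = prbg(x, (2 ** c) * K)
    return full[j * K:(j + 1) * K]


def ggm_prf(x: bytes, alpha: bytes) -> bytes:
    """Binary GGM PRF f_x(alpha): walk the bits of alpha from the root seed x,
    replacing the current seed by G_0(seed) on a 0 bit and G_1(seed) on a 1 bit."""
    seed = x
    for byte in alpha:
        for bit_pos in range(7, -1, -1):
            bit = (byte >> bit_pos) & 1
            seed = g_block(seed, bit, 1)
    return seed


def ggm_prf_variant(x: bytes, alpha: bytes, c: int) -> bytes:
    """2^c-ary variant: consume c bits of alpha per iteration, so the tree depth
    drops from k to k/c. Requires c to divide the bit length of alpha."""
    bits = "".join(f"{b:08b}" for b in alpha)
    assert len(bits) % c == 0
    seed = x
    for i in range(0, len(bits), c):
        j = int(bits[i:i + c], 2)          # the next c bits select one of 2^c children
        seed = g_block(seed, j, c)
    return seed


def tree_depth(alpha: bytes, c: int) -> int:
    """Number of PRBG evaluations (tree depth) for a query of len(alpha) bytes."""
    return len(alpha) * 8 // c


if __name__ == "__main__":
    key = bytes(range(K))               # constructed key
    query = b"\xa5" * K                 # constructed 128-bit query
    print("binary GGM :", ggm_prf(key, query).hex(), "depth", tree_depth(query, 1))
    print("4-ary GGM  :", ggm_prf_variant(key, query, 2).hex(), "depth", tree_depth(query, 2))
```

With c = 1 the variant reproduces the binary construction bit for bit; with c = 2 it evaluates a different (but equally pseudorandom) function using half as many PRBG calls, each of which now has to produce a 4k-bit output.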


15 is a PRF
Prove by contradiction. Suppose that there exists a PPT A_F that can distinguish from a random function with probability 1/Q(k), where Q(k) is a polynomial. Then use A_F to construct another PPT A_G that can distinguish the underlying PRBG with probability at least, which should be negligible. Contradiction.
Therefore any choice of c = O(log k) still makes the functions pseudorandom (because we must ensure that the length 2^c · k of G's output is polynomial in k).

16 Figure 4: Illustration of using A_F to construct A_G

17 Performance Analysis of the Variant
For c = 2, we have
In general, we have
It can be verified that if c > 2.
That is, the performance of the 4-ary tree construction is optimal among all similar tree constructions.

18 Analysis of the Variant (cont.)
The previous analysis assumes that the underlying PRBG G generates pseudorandom bits sequentially.
If the underlying PRBG G allows random access to any k-bit pseudorandom block at the same cost T_0, then
At most, by choosing c = log k, we can shorten the depth of the tree to k/log k. Then
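The cost comparison of slides 12, 17 and 18 carried through numerically, as an added example rather than the thesis' own formulas. It takes only what the slides state: when G emits bits sequentially, the j-th k-bit block of G(x) costs (j+1)·T_0 (so T_1 = 2·T_0), a query's c-bit chunks are uniform, and a 2^c-ary tree has k/c levels; when G offers random access, every block costs T_0. The expected-cost expression below is derived here from those assumptions, and the function names are this example's own.

```python
from fractions import Fraction


def expected_cost_sequential(k: int, c: int) -> Fraction:
    """Expected cost, in units of T_0, of one PRF evaluation with a 2^c-ary tree
    when G generates bits sequentially.
    Per level: block j in {0,...,2^c-1} costs (j+1)*T_0 and j is uniform, so the
    mean is (2^c + 1)/2 * T_0; there are k/c levels.  (Cost model derived here
    from the slides' assumption T_1 = 2*T_0, not quoted from the thesis.)"""
    blocks = 2 ** c
    per_level = Fraction(sum(j + 1 for j in range(blocks)), blocks)  # (2^c + 1) / 2
    return Fraction(k, c) * per_level


def expected_cost_random_access(k: int, c: int) -> Fraction:
    """If any k-bit block of G(x) can be produced at the same cost T_0, each of the
    k/c levels costs exactly T_0."""
    return Fraction(k, c)


def best_c_sequential(k: int, max_c: int) -> int:
    """The c in 1..max_c with the smallest expected sequential cost."""
    return min(range(1, max_c + 1), key=lambda c: expected_cost_sequential(k, c))


def cost_table(k: int, max_c: int):
    """(c, sequential cost, random-access cost) rows, for inspection."""
    return [(c, expected_cost_sequential(k, c), expected_cost_random_access(k, c))
            for c in range(1, max_c + 1)]


if __name__ == "__main__":
    k = 128                              # constructed security parameter
    for c, seq, ra in cost_table(k, 7):  # c = 7 = log2(128) gives the k-ary tree
        print(f"c={c}: sequential {float(seq):7.1f} T0   random access {float(ra):6.2f} T0")
    print("best c with sequential G:", best_c_sequential(k, 7))
```

For k = 128 the sequential costs are 192, 160, 192, 272, … T_0 for c = 1, 2, 3, 4, …, so the 4-ary tree (c = 2) is the minimum, exactly as slide 17 claims; the binary tree's 1.5k·T_0 is the slide-12 figure. With random access the cost is simply k/c and keeps falling until c = log k, which is slide 18's k/log k.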

19 Summary
We have given analysis and improvements for the GGM construction:
 – the 4-ary tree (c = 2) construction has the best performance on average if G generates bits sequentially;
 – the k-ary tree (c = log k) construction is best if G allows random access at the same cost.

20 Applications of PRFs

21 Previous Work
Checking the correctness of memory – check the correctness of a large unreliable memory, given only a small reliable memory.
Pseudorandom permutations – basic primitives in block ciphers.
Storageless distribution of users' secrets – assign (U, f_x(U)) to user U.
Message authentication – a message m is sent with a short tag f_s(m).
Identification – a group shares a common secret s; members can identify each other through a challenge r and the response f_s(r).

22 An RFID protocol for identifying merchandise
Our goal – an ideal RFID protocol that
 – protects against tag cloning attacks,
 – resists malicious tracing,
 – is efficient: the server can quickly identify tags and the communication cost is low.
(Figure: tag, reader, server and database.)

23 The difficulty of designing an ideal RFID protocol
To resist cloning attacks or malicious tracing – a tag's reply should not be constant. But a floating identifier for a tag causes a performance problem at the server – the server may need to maintain a sorted table.
To resist DoS attacks – to prevent desynchronization attacks, the tag may need to authenticate the reader.

24 A general challenge-response RFID protocol in order to mutually authenticate…

25 Our proposal
Main idea:
 – A mutual authentication protocol is usually needed to fulfill the security requirements. Such a protocol needs at least four transmissions per identification.
 – To break through this bottleneck, we divide the life of a product into three phases: (Ⅰ) the warehouse phase, (Ⅱ) the transfer phase, (Ⅲ) the housekeeping phase.

26 The three phases
Warehouse phase – a product is in this phase before it is sold. It needs to resist tag counterfeiting; it does not need to resist malicious tracing.
Transfer phase – the seller sells the product to the customer.
Housekeeping phase – the customer owns and keeps the product. It needs to resist malicious tracing; it does not need to resist tag counterfeiting. Server performance is less of a concern because the customer has fewer tags to identify.

27 The proposed protocol: Initial Setting
Each tag has a PRF and needs a small amount of memory. Choices of PRFs: SHA, MD5, DES, AES.
Tag memory:
 – ID_i (read-only): the unique identification value of the tag. Size: N tags need about log N bits.
 – K_i (read-only): the key of the PRF f. Size: 128 bits (adjusted to the desired security strength).
 – S_i (rewritable): its meaning depends on the phase. Size: the same as K_i.
 – M_i (write-once read-many): separates the phases. Size: 1 bit.

28 The proposed protocol (Ⅰ) Warehouse phase
The server can quickly identify the tag. is used to resist tag cloning.

29 The proposed protocol (Ⅱ) Transfer phase
The reader first obtains the value S_i of the tag from the backend server and sends it to the tag. The tag compares the received S_i with its own S_i. If they are the same, it sets M_i to 0 and updates S_i. The seller tells the buyer K_i as a secret.

30 The proposed protocol (Ⅲ) Housekeeping phase
To identify the tag, the server finds a key K_i in its database which satisfies y = f_{K_i}(S_i).
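The three phases of slides 27 to 30 as a runnable model, added here as an example; it is not the thesis' implementation. The slides leave some details out, so this example makes the following assumptions and labels them in the code: the PRF f_K is HMAC-SHA256 truncated to 128 bits (the slides list SHA, MD5, DES and AES as candidates); M_i = 1 encodes the warehouse phase and 0 the housekeeping phase; in the warehouse phase the tag answers a reader challenge x with (ID_i, f_{K_i}(x)), which is the message form slide 31's security analysis refers to; after a successful transfer S_i is advanced by one PRF application, the same rule the housekeeping phase uses. All class and function names are this example's own.

```python
import hashlib
import hmac
import os


def prf(key: bytes, msg: bytes) -> bytes:
    """f_K(m): HMAC-SHA256 truncated to 128 bits stands in for the slides' PRF (assumption)."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]


class Tag:
    """Tag memory of slide 27: ID_i (read-only), K_i (read-only), S_i (rewritable), M_i (1 bit)."""

    def __init__(self, tag_id: bytes, key: bytes, s: bytes):
        self.tag_id, self.key, self.s = tag_id, key, s
        self.m = 1  # M_i = 1: warehouse phase (encoding assumed by this example)

    def respond(self, challenge: bytes):
        if self.m == 1:
            # Warehouse phase: static ID_i for a fast lookup, plus a keyed answer to the
            # challenge so that a cloned tag without K_i cannot answer (slide 28/31).
            return ("warehouse", self.tag_id, prf(self.key, challenge))
        # Housekeeping phase: floating identifier (S_i, f_Ki(S_i)), then S_i advances,
        # giving the iterated sequence f(x), f(f(x)), ... of slide 32.
        y = prf(self.key, self.s)
        reply = ("housekeeping", self.s, y)
        self.s = y
        return reply

    def transfer(self, s_from_reader: bytes) -> bool:
        """Transfer phase (slide 29): only a reader that obtained S_i from the backend
        can switch the tag into the housekeeping phase."""
        if not hmac.compare_digest(s_from_reader, self.s):
            return False
        self.m = 0
        self.s = prf(self.key, self.s)  # update rule after transfer: assumption of this example
        return True


class Server:
    def __init__(self):
        self.db = {}  # ID_i -> (K_i, S_i)

    def enroll(self, tag_id: bytes, key: bytes, s: bytes) -> None:
        self.db[tag_id] = (key, s)

    def identify(self, challenge: bytes, reply):
        phase, a, y = reply
        if phase == "warehouse":
            rec = self.db.get(a)  # direct lookup by ID_i (slide 33)
            if rec is not None and hmac.compare_digest(prf(rec[0], challenge), y):
                return a
            return None
        # Housekeeping: search for a key with y = f_K(S_i) (slide 30). The server never
        # has to track the tag's current S_i, so there is no state to desynchronize.
        for tag_id, (key, _) in self.db.items():
            if hmac.compare_digest(prf(key, a), y):
                return tag_id
        return None


def run_lifecycle():
    """Drive one tag through all three phases; returns a tuple of outcome flags."""
    server = Server()
    tag_id, key, s0 = b"ID-0001", os.urandom(16), os.urandom(16)  # constructed tag
    tag = Tag(tag_id, key, s0)
    server.enroll(tag_id, key, s0)

    x = os.urandom(16)                                   # reader challenge
    identified_in_warehouse = server.identify(x, tag.respond(x)) == tag_id
    forged_rejected = server.identify(x, ("warehouse", tag_id, prf(os.urandom(16), x))) is None
    wrong_reader_rejected = not tag.transfer(os.urandom(16))
    transferred = tag.transfer(server.db[tag_id][1])     # reader fetched S_i from the backend
    r1, r2 = tag.respond(b""), tag.respond(b"")
    identified_at_home = (server.identify(b"", r1) == tag_id
                          and server.identify(b"", r2) == tag_id)
    identifier_floats = r1[1] != r2[1]
    return (identified_in_warehouse, forged_rejected, wrong_reader_rejected,
            transferred, identified_at_home, identifier_floats)


if __name__ == "__main__":
    print(run_lifecycle())
```

Note how the server checks a housekeeping reply against the S_i the tag sent rather than against a stored copy; that is what makes each phase a single round and removes the synchronization state a desynchronization attack would target.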

31 Security Analysis
Tag counterfeiting
 – In the warehouse phase, an adversary may collect a set U = {(x, y = f_{K_i}(x))} with |U| = t.
 – For a new challenge x', the probability of forging y' is
Eavesdropping
 – A tag's ID_i can be eavesdropped, but ID_i does not reveal any information about the product.

32 Security Analysis (cont.)
Malicious tracing
 – In the housekeeping phase, a tag replies (S_i, y = f_{K_i}(S_i)) and updates S_i.
 – S_i can be used to trace the tag only if S_i repeats.
 – For a random function f, the series f(x), f(f(x)), f(f(f(x))), … is expected to repeat at the
 – In our protocol, S_i is expected to repeat at about the 2^{|D|/2}-th round.
DoS attack
 – No desynchronization attack.
 – S_i will not be quickly exhausted.
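The tracing bound on slide 32 checked by simulation, as an added example (not from the thesis). The housekeeping tag emits the sequence S, f_K(S), f_K(f_K(S)), … and is traceable only once a value recurs; for a random mapping on N = 2^{|D|} points the first repeat is expected after about sqrt(πN/2) ≈ 2^{|D|/2} steps. The example shrinks the domain to 16 bits so the repeat is observable, using truncated HMAC-SHA256 as the PRF; both the toy domain size and the PRF choice are assumptions of this example, and so are the function names.

```python
import hashlib
import hmac
import math

DOMAIN_BITS = 16  # toy |D| so that the repeat can be observed (constructed parameter)


def toy_prf(key: bytes, s: int) -> int:
    """f_K restricted to a 16-bit domain: truncated HMAC-SHA256 (stand-in, assumption)."""
    digest = hmac.new(key, s.to_bytes(2, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest[:2], "big")


def rounds_until_repeat(key: bytes, s0: int) -> int:
    """Iterate S <- f_K(S) exactly as the housekeeping tag does and return the
    round number at which an earlier S_i value shows up again. Every reply
    emitted before that round carried a pairwise-distinct identifier."""
    seen = {s0}
    s = s0
    rounds = 0
    while True:
        s = toy_prf(key, s)
        rounds += 1
        if s in seen:
            return rounds
        seen.add(s)


def average_rounds(trials: int) -> float:
    """Mean number of rounds before the first repeat over several constructed keys."""
    total = 0
    for t in range(trials):
        key = t.to_bytes(4, "big")  # constructed, distinct per trial
        total += rounds_until_repeat(key, 0)
    return total / trials


def birthday_estimate(domain_bits: int) -> float:
    """Expected rho length of a random mapping on 2^domain_bits points: sqrt(pi*N/2)."""
    return math.sqrt(math.pi * 2 ** domain_bits / 2)


if __name__ == "__main__":
    print("observed mean rounds before repeat:", average_rounds(40))
    print("birthday estimate for |D| =", DOMAIN_BITS, ":", round(birthday_estimate(DOMAIN_BITS), 1))
    print("2^(|D|/2) =", 2 ** (DOMAIN_BITS // 2))
```

For |D| = 16 the estimate is about 321 rounds against 2^8 = 256, which is why the slide states the bound as 2^{|D|/2}; with a real 128-bit S_i the same argument puts the first repeat around 2^64 rounds, far beyond the lifetime of a tag.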

33 Efficiency analysis
In the warehouse phase – the server can quickly identify the tag by ID_i.
In the housekeeping phase – a tag replies with a floating identifier, so the server needs to do a search; but we assume the customer's tags number at most a few thousand.
Each phase can be done in only one round – better than a mutual authentication protocol.

34 Conclusion
We give analysis and improvements for the GGM construction of PRFs from PRBGs:
 – the 4-ary tree (c = 2) construction if G generates bits sequentially;
 – the k-ary tree (c = log k) construction if G allows random access at the same cost.
We propose an RFID protocol for identifying merchandise that is
 – secure against tag cloning attacks,
 – secure against malicious tracing,
 – efficient.

35 Thanks!