Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Cryptographically Strong Pseudorandom Functions and Their Applications 陳昱升 碩士學位論文 中興大學 資訊科學系 2006 年 6 月.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Cryptographically Strong Pseudorandom Functions and Their Applications 陳昱升 碩士學位論文 中興大學 資訊科學系 2006 年 6 月."— Presentation transcript:

1 1 Cryptographically Strong Pseudorandom Functions and Their Applications 陳昱升 碩士學位論文 中興大學 資訊科學系 2006 年 6 月

2 2 Outline Introduction –Randomness and Pseudorandomness –Pseudorandom Bit Generator (PRBG) –Pseudorandom Function (PRF) The GGM construction of PRFs from PRBGs Performance Improvement for the GGM Construction of PRFs Applications –Previous work –A RFID protocol for identifying merchandise

3 3 Introduction

4 4 Introduction Randomness Randomness –a concept of the equality of probability. Application of Randomness –scientific experiments –one-time pad system Generate randomness – Not easy –hardware –program –no way to prove their randomness

5 5 Introduction Pseudorandomness Pseudorandomness – our goal –Will not be efficiently distinguished from randomness by any adversary. Pseudorandom Bit Generator (PRBG) –Keeping the input (random seed) to a PRBG secret, the PRBG’s output is pseudorandom. Pseudorandom Function (PRF) –Keeping the key (random) of a PRF secret, the PRF’s behavior is pseudorandom.

6 6 Pseudoranom Bit Generator (PRBG) x (secret seed) 01001100111110100100010…… truly random string Random function x f(x) On query x, a random function returns a random value. Pseudorandom function (PRF) x f(x) Pseudorandom function: Input-output behavior is computationally indistinguishable from that of a random function. Computationally Indistinguishable! Illustrations

7 7 The GGM construction of PRFs The GGM (Goldreich Goldwasser Micali) construction of PRFs –a generic method using PRBGs as build blocks. Let G: {0,1} k →{0,1} 2k be a PRBG. –G(x)=b 1 b 2 …b k b k+1 …b 2k –G 0 (x)=b 1 b 2 …b k –G 1 (x)=b k+1 b k+2 …b 2k

8 8 The GGM construction (conti.) Construct a PRF f k in the following way – is a randomly chosen key. –if is a query to f x, then

9 9 α

10 10 Other PRFs PRFs from Pseudorandom Synthesizers. PRFs based on DDH-assumption and Factoring assumption. PRFs based on Factoring assumption.

11 11 Performance Improvement for the GGM Construction of PRFs

12 12 Performance Analysis of the GGM construction At the (i-1)-th iteration, we compute G 0 (x) if α i =0 and compute G 1 (x) if α i =1. Denote T 0 and T 1 as the cost of generating G 0 (x) and G 1 (x), respectively. Assume that G generates pseudorandom bits sequentially. Then T 1 is about twice T 0. Then, the expected cost of evaluating the PRF is

13 13 The Variant of the GGM Construction Consider processing c bits per iteration. We have a 2 c -ary-tree construction for some constant integer c. PRBG x is a randomly chosen key. Define the functionas

14 14

15 15 is a PRF Prove by contradiction. Suppose that there exists a PPT A F that can distinguish from a random function with probability 1/Q(k), where Q(k) is a polynomial. Then use A F to construct another PPT A G that can distinguish the underlying PRBG with probability at least, which should be negligible. Contradiction. Therefore, any choice of c=O(logk) can still make the functions pseudorandom. (Because we must ensure that the length of G’s output 2 c k is a polynomial).

16 16 Figure 4 Illustration of using A F to construct A G

17 17 Performance Analysis of the Variant For c=2, we have In general, we have It can be verified that if c > 2. That is, the performance of the 4-ary-tree construction is optimal among all similar tree constructions.

18 18 Analysis of the Variant (Conti.) The previous analysis assumes that the underlying PRBG G generates pseudorandom bits sequentially. If the underlying PRBG G allows random access to any k-bit pseudorandom string with the same cost T 0. Then At most, by choosing c=logk we can shorten the depth of the tree to k/logk. Then

19 19 Summary We have given analysis and improvements for the GGM construction: –the 4-ary-tree (c=2) construction has the best performance on average if G generates bits sequentially. –the k-ary-tree (c=logk) construction if G allows random access with the same cost.

20 20 Applications of PRFs

21 21 Previous Work Checking the correctness of memory –Check the correctness of a large unreliable memory, given only a small reliable memory. Pseudo-Random Permutation –basic primitives in block ciphers. Storageless distribution of users’ secrets –assign (U,f x (U)) to user U. Message authentication –message m with a short tag f s (m). Identification –A group shares a common secret s. Members can identify each other through challenge r and response f s (r).

22 22 A RFID protocol for identifying merchandise Our goal – an ideal RFID protocol –protect against tag cloning attacks –resist against malicious tracing –efficiency of the protocol the server can quickly identify tags the communication cost is low. tag Server Reader tag Database

23 23 The difficulty of designing an ideal RFID protocol To be against cloning attacks or malicious tracing –a tag’s reply should not be constant. But a floating identifier of a tag causes the performance problem in the server –the server may need to maintain a sorting table. To be against DoS attack –To prevent the desynchronization attack, the tag may need to authenticate the reader.

24 24 A general challenge-response RFID protocol in order to mutually authenticate…

25 25 Our proposal Main idea –A mutual authentication protocol is usually needed to fulfill the security requirements. Such a protocol needs at least 4 times of transmission each identification. –To breakthrough the bottleneck, we divide the situation of a product into three phases. ( Ⅰ ) Warehouse phase ( Ⅱ ) Transfer phase ( Ⅲ ) Housekeeping phase

26 26 The three phases Warehouse phase –A product is in this phase before it is sold. Need to be against tag counterfeiting. Not need to be against malicious tracing. Transfer phase –The seller sells the product to the customer. Housekeeping phase –The customer owns and keeps the product. Need to be against malicious tracing. Not need to be against tag counterfeiting. The performance on the server is less concerned because the customer has less tags to identify.

27 27 The proposed protocol Initial Setting Each tag has a PRF and needs a small amount of memory: Choices of PRFs: SHA, MD5, DES, AES TypeRead-OnlyRewritable Write-Once Read-Many Value ID i KiKi SiSi MiMi Purpose The unique identification value of a tag The key of the PRF f Depend on the phase Separate different phase Size N tags would need about logN bits. 128 bits (adjust to the strength of security) the same as K i 1 bit

28 28 The proposed protocol ( Ⅰ ) Warehouse phase The server can quickly identify the tag. is used to be against tag cloning.

29 29 The proposed protocol ( Ⅱ ) Transfer phase The reader first obtains the value S i of the tag from the backend server and sends to the tag. The tag compares S i with its S i. If they are the same, set M i to 0 and update S i to. The seller tells the buyer K i as a secret.

30 30 To identify the tag, the server finds a key K i in its database which satisfies y=f Ki (S i ). The proposed protocol ( Ⅲ ) Housekeeping phase.

31 31 Security Analysis Tag counterfeiting –In Warehouse phase, an adversary may collect a set U={ (x,y=f Ki (x)) } with |U|=t. –For a new challenge x’, the probability to forge y’ Eavesdropping –A tag’s ID i can be eavesdropped. But ID i does not reveal any information about the product.

32 32 Security Analysis (conti.) Malicious tracing –In Housekeeping phase, a tag replies (S i,y=f Ki (S i )) and updates S i. –S i can be used to traced only if S i repeats. –For a random function f, the series f(x), f(f(x)), f(f(f(x))), … is expected to repeat at the –In our protocol, S i is expected to repeat at the 2 |D|/2, i.e. 2 63 -th round. DoS attack –No desynchronization attack. –S i will not be quickly exhausted.

33 33 Efficiency analysis In Warehouse phase –the server can quick identify the tag by ID i. In Housekeeping phase –a tag replies a floating identifier. The server needs to do a search. But we assume the customer’s tags are no more than thousands. Each phase can be done in only 1 round –better than a mutual authentication protocol.

34 34 Conclusion We give analysis and improvements for the GGM construction of PRFs from PRBGs. We give analysis and improvements for the GGM construction of PRFs from PRBGs. –the 4-ary-tree (c=2) construction if G generates bits sequentially. –the k-ary-tree (c=logk) if G allows random access with the same cost. We propose a RFID protocol for identifying merchandise. We propose a RFID protocol for identifying merchandise. –Against tag cloning attacks –Against malicious tracing –Efficient

35 35 Thanks!

Download ppt "1 Cryptographically Strong Pseudorandom Functions and Their Applications 陳昱升 碩士學位論文 中興大學 資訊科學系 2006 年 6 月."

Similar presentations

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.

Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.
Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Sheng Xiao, Weibo Gong and Don Towsley,2010 Infocom.

Sheng Xiao, Weibo Gong and Don Towsley,2010 Infocom.
Serverless Search and Authentication Protocols for RFID Chiu C. Tan, Bo Sheng and Qun Li Department of Computer Science College of William and Mary.

Serverless Search and Authentication Protocols for RFID Chiu C. Tan, Bo Sheng and Qun Li Department of Computer Science College of William and Mary.
Foundations of Cryptography Lecture 12 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 12 Lecturer: Moni Naor.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel:03-5742968, Fax : 886-3-572-3694.

1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel: , Fax :
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
On The Cryptographic Applications of Random Functions Oded Goldreich Shafi Goldwasser Silvio Micali Advances in Cryptology-CRYPTO ‘ 84 報告人 : 陳昱升.

On The Cryptographic Applications of Random Functions Oded Goldreich Shafi Goldwasser Silvio Micali Advances in Cryptology-CRYPTO ‘ 84 報告人 : 陳昱升.
Security and Privacy Aspects of Low-Cost Radio Frequency Identification Systems Stephen A. Weis, Sanjay E. Sarma, Ronald L. Rivest and Daniel W. Engels.

Security and Privacy Aspects of Low-Cost Radio Frequency Identification Systems Stephen A. Weis, Sanjay E. Sarma, Ronald L. Rivest and Daniel W. Engels.
Hellman’s TMTO 1 Hellman’s TMTO Attack. Hellman’s TMTO 2 Popcnt  Before we consider Hellman’s attack, consider simpler Time-Memory Trade-Off  “Population.

Hellman’s TMTO 1 Hellman’s TMTO Attack. Hellman’s TMTO 2 Popcnt  Before we consider Hellman’s attack, consider simpler Time-Memory Trade-Off  “Population.
1 Secure Indexes Author : Eu-Jin Goh Presented by Yi Cheng Lin.

1 Secure Indexes Author : Eu-Jin Goh Presented by Yi Cheng Lin.
YA-TRAP: Yet Another Trivial RFID Authentication Protocol Gene Tsudik International Conference on Pervasive Computing and Communications, PerCom 2006.

YA-TRAP: Yet Another Trivial RFID Authentication Protocol Gene Tsudik International Conference on Pervasive Computing and Communications, PerCom 2006.
Lecturer: Moni Naor Foundations of Cryptography Lecture 9: Pseudo-Random Functions and Permutations.

Lecturer: Moni Naor Foundations of Cryptography Lecture 9: Pseudo-Random Functions and Permutations.

Similar presentations

Ads by Google