Cryptographically Strong Pseudorandom Functions and Their Applications
陳昱升, Master's thesis
Department of Computer Science, National Chung Hsing University
June 2006
Outline
• Introduction
  – Randomness and Pseudorandomness
  – Pseudorandom Bit Generator (PRBG)
  – Pseudorandom Function (PRF)
• The GGM construction of PRFs from PRBGs
• Performance Improvement for the GGM Construction of PRFs
• Applications
  – Previous work
  – An RFID protocol for identifying merchandise
Introduction
Introduction
Randomness
• Randomness – the notion that every outcome is equally probable.
• Applications of randomness
  – scientific experiments
  – the one-time pad system
• Generating randomness – not easy
  – hardware sources
  – programs
  – but there is no way to prove that their output is truly random.
Introduction
Pseudorandomness
• Pseudorandomness – our goal
  – Cannot be efficiently distinguished from randomness by any adversary.
• Pseudorandom Bit Generator (PRBG)
  – Keeping the input (a random seed) of a PRBG secret, the PRBG's output is pseudorandom.
• Pseudorandom Function (PRF)
  – Keeping the (random) key of a PRF secret, the PRF's input-output behavior is pseudorandom.
Illustrations
• Pseudorandom Bit Generator (PRBG): from a secret seed x it outputs a long bit string (e.g. 01001100111110100100010…) that is computationally indistinguishable from a truly random string.
• Random function: on query x it returns a random value f(x).
• Pseudorandom function (PRF): on query x it returns f(x); its input-output behavior is computationally indistinguishable from that of a random function.
The GGM construction of PRFs
• The GGM (Goldreich, Goldwasser, Micali) construction of PRFs – a generic method using PRBGs as building blocks.
• Let G: {0,1}^k → {0,1}^{2k} be a PRBG that doubles the length of its input.
  – G(x) = b_1 b_2 … b_k b_{k+1} … b_{2k}
  – G_0(x) = b_1 b_2 … b_k (the first half of the output)
  – G_1(x) = b_{k+1} b_{k+2} … b_{2k} (the second half of the output)
The GGM construction (conti.)
• Construct a PRF f_x in the following way
  – x ∈ {0,1}^k is a randomly chosen key.
  – If α = α_1 α_2 … α_k ∈ {0,1}^k is a query to f_x, then
$$f_x(\alpha) = G_{\alpha_k}\Big(\cdots G_{\alpha_2}\big(G_{\alpha_1}(x)\big)\cdots\Big),$$
  i.e. f_x(α) is the leaf reached by walking a depth-k binary tree from the root x, taking the left child (G_0) or the right child (G_1) according to each bit of α.
Other PRFs
• PRFs from pseudorandom synthesizers.
• PRFs based on the DDH assumption and on the factoring assumption.
• PRFs based on the factoring assumption.
Performance Improvement for the GGM Construction of PRFs
Performance Analysis of the GGM construction
• At the i-th iteration (i = 1, …, k), we compute G_0(x) if α_i = 0 and G_1(x) if α_i = 1.
• Denote by T_0 and T_1 the cost of generating G_0(x) and G_1(x), respectively.
• Assume that G generates its pseudorandom bits sequentially. Then producing G_1(x) requires producing G_0(x) first, so T_1 is about twice T_0.
• Then, for a uniformly random query α, the expected cost of evaluating the PRF is
$$E[T_f] = \sum_{i=1}^{k} E[T_i] = \sum_{i=1}^{k}\Big(\tfrac12 T_0 + \tfrac12 T_1\Big) = k\Big(\tfrac12 T_0 + \tfrac12\cdot 2T_0\Big) = \tfrac32\, k\, T_0 .$$
The Variant of the GGM Construction
• Consider processing c bits per iteration. We then have a 2^c-ary-tree construction for some constant integer c.
• PRBG G: {0,1}^k → {0,1}^{2^c k}, G(x) = b_1 b_2 … b_{2^c k}; for j ∈ {0,1}^c, let G_j(x) denote the j-th k-bit block of G(x).
• x ∈ {0,1}^k is a randomly chosen key.
• Define the function f_x^c : I_k → I_k (where I_k = {0,1}^k and c divides k) as
$$f^{c}_{x}(\alpha)=G_{\alpha_{k-c+1}\cdots\alpha_{k}}\Big(\cdots G_{\alpha_{c+1}\cdots\alpha_{2c}}\big(G_{\alpha_{1}\cdots\alpha_{c}}(x)\big)\cdots\Big),\qquad \alpha=\alpha_1\alpha_2\cdots\alpha_k .$$
f_x^c is a PRF
• Prove by contradiction.
• Suppose that there exists a PPT A_F that can distinguish f_x^c from a random function with probability 1/Q(k), where Q(k) is a polynomial.
• Then use A_F to construct another PPT A_G that can distinguish the output of the underlying PRBG from random with probability at least c/(k·Q(k)) (a hybrid argument over the k/c levels of the tree), which should be negligible. Contradiction.
• Therefore, any choice of c = O(log k) still makes the functions pseudorandom (because the length 2^c k of G's output must be a polynomial in k).
Figure 4: Illustration of using A_F to construct A_G.
Performance Analysis of the Variant
• For c = 2, each level picks one of four k-bit blocks of G(x); with a sequential G the j-th block (j = 0, …, 3) costs (j+1)T_0, so over the k/2 levels
$$E[T_{f^2}] = \sum_{i=1}^{k/2} E[T_i] = \frac{k}{2}\Big(\tfrac14 T_0 + \tfrac14\cdot 2T_0 + \tfrac14\cdot 3T_0 + \tfrac14\cdot 4T_0\Big) = \tfrac54\, k\, T_0 < \tfrac32\, k\, T_0 = E[T_f] .$$
• In general, we have
$$E[T_{f^c}] = \sum_{i=1}^{k/c} \frac{1}{2^c}\big(T_0 + 2T_0 + \cdots + 2^c T_0\big) = \frac{k}{c}\cdot\frac{2^c+1}{2}\,T_0 = \frac{2^c+1}{2c}\, k\, T_0 .$$
• It can be verified that E[T_{f^c}] > E[T_{f^2}] if c > 2 (and for c = 1 the cost is E[T_f] = (3/2)kT_0 > (5/4)kT_0).
• That is, the performance of the 4-ary-tree construction is optimal among all similar tree constructions.
Analysis of the Variant (conti.)
• The previous analysis assumes that the underlying PRBG G generates pseudorandom bits sequentially.
• If instead G allows random access to any k-bit block of its output at the same cost T_0, then every level costs T_0 and
$$T_{f^c} = T_0\cdot\frac{k}{c} .$$
• At most, by choosing c = log k, we can shorten the depth of the tree to k/log k. Then
$$T_{f^{\log k}} = T_0\cdot\frac{k}{\log k} .$$
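The 2^c-ary GGM construction defined above, together with the cost model of the performance analysis, as an added Python example; it is not code from the thesis. The PRBG G is a stand-in of this example's own choosing (block j of G(x) is HMAC-SHA256 keyed with x over the counter j, so any block is available directly at the same cost, the "random access" case); a sequential PRBG is modelled only in the cost counter. The key length k = 256 and the names ggm_prf, prbg_block, expected_cost_sequential and best_arity are this example's choices.

```python
import hmac
import hashlib

K_BITS = 256   # k: seed/key length and block length in bits (this example's choice)


def prbg_block(x: bytes, j: int) -> bytes:
    """G_j(x): the j-th k-bit block of the PRBG output G(x), j in [0, 2^c).

    Stand-in PRBG (an assumption of this example, not the G of the thesis):
    block j is HMAC-SHA256(x, j), so every block is computed directly at the
    same cost T0, i.e. the random-access PRBG of the analysis.
    """
    return hmac.new(x, j.to_bytes(4, "big"), hashlib.sha256).digest()


def ggm_prf(x: bytes, alpha: bytes, c: int = 1, sequential: bool = False) -> tuple[bytes, int]:
    """Evaluate f_x^c(alpha) by walking a 2^c-ary GGM tree (c = 1 is plain GGM).

    Returns (value, cost) with cost in units of T0: a random-access PRBG costs 1
    per level; a sequential PRBG (sequential=True) must emit blocks 0..j to
    reach block j, so that level costs j + 1.
    """
    k = len(alpha) * 8
    if len(x) * 8 != K_BITS or k != K_BITS:
        raise ValueError("seed and query must both be k bits")
    if k % c != 0:
        raise ValueError("c must divide k")
    bits = int.from_bytes(alpha, "big")
    cur, cost = x, 0
    for level in range(k // c):
        # chunk alpha_{level*c+1} ... alpha_{level*c+c}; alpha_1 is the most significant bit
        shift = k - c * (level + 1)
        j = (bits >> shift) & ((1 << c) - 1)
        cur = prbg_block(cur, j)
        cost += (j + 1) if sequential else 1
    return cur, cost


def expected_cost_sequential(c: int, k: int = K_BITS) -> float:
    """E[T_{f^c}] / T0 = (2^c + 1) / (2c) * k: the average over uniform alpha for a sequential G."""
    return (2 ** c + 1) / (2 * c) * k


def best_arity(k: int = K_BITS) -> int:
    """The c in 1..8 that minimises the expected sequential cost (the thesis shows c = 2)."""
    return min(range(1, 9), key=lambda c: expected_cost_sequential(c, k))


if __name__ == "__main__":
    seed, query = bytes(32), b"\xff" * 32
    for c in (1, 2, 8):
        value, cost = ggm_prf(seed, query, c, sequential=True)
        print(c, value.hex()[:16], cost, expected_cost_sequential(c))
    print("best c for a sequential PRBG:", best_arity())
```

With k = 256 the depth is 256 for c = 1, 128 for c = 2 and 32 for c = log k = 8; for the all-ones query the sequential cost at c = 2 is the worst case 4 T_0 per level, while the average over random queries is the (5/4)kT_0 of the analysis.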
Summary
• We have given analysis and improvements for the GGM construction:
  – the 4-ary-tree (c = 2) construction has the best performance on average if G generates bits sequentially:
$$E[T_{f^2}] = \tfrac54\, k\, T_0 < \tfrac32\, k\, T_0 = E[T_f] ;$$
  – the k-ary-tree (c = log k) construction if G allows random access with the same cost:
$$T_{f^{\log k}} = T_0\cdot\frac{k}{\log k} < T_0\, k = T_f .$$
Applications of PRFs
Previous Work
• Checking the correctness of memory
  – check the correctness of a large unreliable memory, given only a small reliable memory.
• Pseudorandom permutations
  – basic primitives in block ciphers.
• Storageless distribution of users' secrets
  – assign (U, f_x(U)) to user U.
• Message authentication
  – message m is sent with a short tag f_s(m).
• Identification
  – A group shares a common secret s. Members can identify each other through a challenge r and the response f_s(r).
An RFID protocol for identifying merchandise
• Our goal – an ideal RFID protocol
  – protect against tag cloning attacks
  – resist malicious tracing
  – efficiency of the protocol
    • the server can quickly identify tags
    • the communication cost is low.
(Figure: tags communicate with a reader, which is connected to the back-end server and its database.)
The difficulty of designing an ideal RFID protocol
• To resist cloning attacks or malicious tracing
  – a tag's reply should not be constant.
• But a floating identifier causes a performance problem on the server
  – the server may need to maintain a sorting table.
• To resist DoS attacks
  – to prevent desynchronization attacks, the tag may need to authenticate the reader.
A general challenge-response RFID protocol
in order to mutually authenticate…
Our proposal
• Main idea
  – A mutual authentication protocol is usually needed to fulfill the security requirements. Such a protocol needs at least four message transmissions per identification.
  – To break through this bottleneck, we divide the life of a product into three phases.
    • (Ⅰ) Warehouse phase
    • (Ⅱ) Transfer phase
    • (Ⅲ) Housekeeping phase
The three phases
• Warehouse phase
  – A product is in this phase before it is sold.
    • Needs to resist tag counterfeiting.
    • Does not need to resist malicious tracing.
• Transfer phase
  – The seller sells the product to the customer.
• Housekeeping phase
  – The customer owns and keeps the product.
    • Needs to resist malicious tracing.
    • Does not need to resist tag counterfeiting.
    • Server performance matters less, because the customer has fewer tags to identify.
The proposed protocol: Initial Setting
• Each tag has a PRF f: K × D → D and needs a small amount of memory:
  – ID_i (read-only): the unique identification value of the tag; N tags need about log N bits.
  – K_i (read-only): the key of the PRF f; 128 bits (adjusted to the desired strength of security).
  – S_i (rewritable): its meaning depends on the phase; the same size as K_i.
  – M_i (write-once read-many): separates the different phases; 1 bit.
• Choices of PRFs: SHA, MD5, DES, AES (a hash function is used in keyed mode, e.g. HMAC; MD5 is no longer considered a suitable choice).
The proposed protocol (Ⅰ): Warehouse phase
• The reader sends a challenge x; the tag replies with ID_i and y = f_{K_i}(x).
• The server looks up K_i by ID_i and can therefore quickly identify the tag.
• f_{K_i}(x) is used to resist tag cloning.
The proposed protocol (Ⅱ): Transfer phase
• The reader first obtains the tag's value S_i from the back-end server and sends it to the tag.
• The tag compares the received value with its own S_i. If they are the same, it sets M_i to 0 and updates S_i to f_{K_i}(S_i).
• The seller tells the buyer K_i as a secret.
The proposed protocol (Ⅲ): Housekeeping phase
• The tag replies with (S_i, y = f_{K_i}(S_i)) and then updates S_i to f_{K_i}(y).
• To identify the tag, the server finds a key K_i in its database which satisfies y = f_{K_i}(S_i).
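The three phases as one added Python simulation of both sides of the exchange; this is example code, not the thesis's own implementation. Assumptions of this example: f is HMAC-SHA256 truncated to 128 bits (the thesis lists SHA, MD5, DES and AES as candidates); the warehouse-phase message flow (reader sends a challenge x, tag answers with ID_i and f_{K_i}(x)) is taken from the security and efficiency analysis; M_i = 1 means warehouse phase and M_i = 0 housekeeping phase; the reader is merged into the server; and the names Tag, Server and demo are this example's own. The demo also shows why a recorded (x, y) pair does not let a clone answer a fresh challenge.

```python
import hmac
import hashlib
import os


def prf(key: bytes, x: bytes) -> bytes:
    """f_K(x): the tag's PRF, instantiated here as HMAC-SHA256 truncated to 128 bits."""
    return hmac.new(key, x, hashlib.sha256).digest()[:16]


class Tag:
    """Tag memory: ID_i and K_i read-only, S_i rewritable, M_i a one-bit phase flag."""

    def __init__(self, tag_id: int, key: bytes, s: bytes):
        self.ID, self.K, self.S = tag_id, key, s
        self.M = 1   # 1 = warehouse phase, 0 = housekeeping phase (this example's encoding)

    def respond(self, challenge: bytes = b"") -> tuple:
        if self.M == 1:                       # (I) warehouse: answer the reader's challenge x
            return ("W", self.ID, prf(self.K, challenge))
        y = prf(self.K, self.S)               # (III) housekeeping: floating identifier (S_i, f_K(S_i))
        reply = ("H", self.S, y)
        self.S = prf(self.K, y)               # then S_i <- f_K(y)
        return reply

    def transfer(self, s_from_reader: bytes) -> bool:
        """(II) transfer: accept only if the relayed S_i matches, then flip M_i and advance S_i."""
        if not hmac.compare_digest(s_from_reader, self.S):
            return False
        self.M = 0
        self.S = prf(self.K, self.S)
        return True


class Server:
    """Back-end database ID_i -> [K_i, S_i]; the reader is merged into the server here."""

    def __init__(self):
        self.db: dict = {}

    def enroll(self, tag_id: int) -> Tag:
        k, s = os.urandom(16), os.urandom(16)
        self.db[tag_id] = [k, s]
        return Tag(tag_id, k, s)

    def identify_warehouse(self, challenge: bytes, reply: tuple):
        kind, tag_id, y = reply
        if kind != "W" or tag_id not in self.db:
            return None
        k, _ = self.db[tag_id]                # direct lookup by ID_i: fast
        return tag_id if hmac.compare_digest(y, prf(k, challenge)) else None

    def transfer(self, tag: Tag) -> bool:
        k, s = self.db[tag.ID]
        if not tag.transfer(s):               # reader relays the stored S_i to the tag
            return False
        self.db[tag.ID][1] = prf(k, s)        # keep the server's copy of S_i in step
        return True

    def identify_housekeeping(self, reply: tuple):
        kind, s, y = reply
        if kind != "H":
            return None
        for tag_id, (k, _) in self.db.items():   # linear search over the customer's few tags
            if hmac.compare_digest(y, prf(k, s)):
                self.db[tag_id][1] = prf(k, y)
                return tag_id
        return None


def demo(tag_id: int = 7) -> dict:
    """Run one tag through the three phases plus a replay-based cloning attempt."""
    seller = Server()
    tag = seller.enroll(tag_id)
    x = os.urandom(16)                        # (I) fresh challenge from the reader
    reply = tag.respond(x)
    warehouse_id = seller.identify_warehouse(x, reply)
    x2 = os.urandom(16)                       # a clone replays the recorded y to a new challenge
    replay_ok = seller.identify_warehouse(x2, reply) is not None
    transfer_ok = seller.transfer(tag)        # (II)
    customer = Server()
    customer.db[tag_id] = list(seller.db[tag_id])   # seller hands K_i to the buyer out of band
    replies = [tag.respond(), tag.respond()]  # (III) two rounds at the customer's reader
    ids = [customer.identify_housekeeping(r) for r in replies]
    return {"warehouse_id": warehouse_id, "replay_ok": replay_ok,
            "transfer_ok": transfer_ok, "housekeeping_ids": ids,
            "s_values_distinct": replies[0][1] != replies[1][1]}


if __name__ == "__main__":
    print(demo())
```

Each phase is a single round: in the warehouse the server verifies one PRF value after a direct lookup by ID_i, and in housekeeping it tries each stored key against the (S_i, y) pair the tag sent, so no server-side counter has to stay synchronized with the tag.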
Security Analysis
• Tag counterfeiting
  – In the Warehouse phase, an adversary may collect a set U = {(x, y = f_{K_i}(x))} with |U| = t.
  – For a new, uniformly random challenge x' ∈ D, the probability that the adversary A forges the correct y' is
$$\begin{aligned}
\Pr[A(x')=y'] &= \Pr[A(x')=y' \mid x'\in U]\cdot\Pr[x'\in U] + \Pr[A(x')=y' \mid x'\notin U]\cdot\Pr[x'\notin U] \\
&= 1\cdot\frac{t}{|D|} + \frac{1}{|D|}\cdot\frac{|D|-t}{|D|} \;\le\; \frac{t+1}{|D|} = \frac{t+1}{2^{128}} .
\end{aligned}$$
• Eavesdropping
  – A tag's ID_i can be eavesdropped. But ID_i does not reveal any information about the product.
Security Analysis (conti.)
• Malicious tracing
  – In the Housekeeping phase, a tag replies (S_i, y = f_{K_i}(S_i)) and updates S_i.
  – S_i can be used for tracing only if S_i repeats.
  – For a random function f, the series f(x), f(f(x)), f(f(f(x))), … is expected to start repeating after about |D|^{1/2} steps (the rho length).
  – In our protocol |D| = 2^{128}, so S_i is expected to repeat only after on the order of 2^{64} applications of f, i.e. about the 2^{63}-th round, since each round applies f twice.
• DoS attack
  – No desynchronization attack: the server identifies the tag from the (S_i, y) pair the tag itself sends, so it keeps no counter that an interrupted round could desynchronize.
  – S_i will not be quickly exhausted.
Efficiency analysis
• In the Warehouse phase
  – the server can quickly identify the tag by ID_i.
• In the Housekeeping phase
  – a tag replies with a floating identifier, so the server needs to do a search. But we assume the customer's tags number at most a few thousand.
• Each phase can be done in only one round
  – better than a mutual authentication protocol.
Conclusion
• We give analysis and improvements for the GGM construction of PRFs from PRBGs.
  – the 4-ary-tree (c = 2) construction if G generates bits sequentially.
  – the k-ary-tree (c = log k) construction if G allows random access with the same cost.
• We propose an RFID protocol for identifying merchandise.
  – Against tag cloning attacks
  – Against malicious tracing
  – Efficient
Thanks!