Cryptographically secure pseudorandom number generator

A cryptographically secure pseudorandom number generator (CSPRNG) or cryptographic pseudorandom number generator (CPRNG) is a pseudorandom number generator (PRNG) with properties that make it suitable for use in cryptography. It is also loosely known as a cryptographic random number generator (CRNG). Background Most cryptographic applications require random numbers, for example:

key generation
nonces
salts in certain signature schemes, including ECDSA, RSASSA-PSS

The "quality" of the randomness required for these applications varies. For example, creating a nonce in some protocols needs only uniqueness. On the other hand, the generation of a master key requires a higher quality, such as more entropy. And in the case of one-time pads, the information-theoretic guarantee of perfect secrecy only holds if the key material comes from a true random source with high entropy, and thus any kind of pseudorandom number generator is insufficient. Ideally, the generation of ran

Privacy Analysis of Forward and Backward Untraceable RFID Authentication Schemes

Khaled Ouafi

In this paper, we analyze the first known provably secure Radio Frequency Identification (RFID) authentication schemes that are designed to provide forward untraceability and backward untraceability: the L-K and S-M schemes. We show how to trace tags in the L-K scheme without needing to corrupt tags. We also show that if a standard cryptographic pseudorandom bit generator (PRBG) is used in the S-M scheme, then the scheme may fail to provide forward untraceability and backward untraceability. To achieve the desired untraceability features, we show that the S-M scheme can use a robust PRBG which provides forward security and backward security. We also note that the backward security is stronger than necessary for the backward untraceability of the S-M scheme.

Springer Verlag2011

Forgery-Resilience for Digital Signature Schemes

Atefeh Mashatan, Khaled Ouafi

We introduce the notion of forgery-resilience for digital signature schemes, a new paradigm for digital signature schemes exhibiting desirable legislative properties. It evolves around the idea that, for any message, there can only be a unique valid signature, and exponentially many acceptable signatures, all but one of them being spurious. This primitive enables a judge to verify whether an alleged forged signature is indeed a forgery. In particular, the scheme considers an adversary who has access to a signing oracle and an oracle that solves a “hard” problem, and who tries to produce a signature that appears to be acceptable from a verifier’s point of view. However, a judge can tell apart such a spurious signature from a signature that is produced by an honest signer. This property is referred to as validatibility. Moreover, the scheme provides undeniability against malicious signers who try to fabricate spurious signatures and deny them later by showing that they are not valid. Last but not least, trustability refers to the inability of a malicious judge trying to forge a valid signature. This notion for signature schemes improves upon the notion of fail-stop signatures in different ways. For example, it is possible to sign more than one messages with forgery-resilient signatures and once a forgery is found, the credibility of a previously signed signature is not under question. A concrete instance of a forgery-resilient signature scheme is constructed based on the hardness of extracting roots of higher residues, which we show to be equivalent to the factoring assumption. In particular, using collision-free accumulators, we present a tight reduction from malicious signers to adversaries against the factoring problem. Meanwhile, a secure pseudorandom function ensures that no polynomially-bounded cheating verifier, who can still solve hard problems, is able to forge valid signatures. Security against malicious judges is based on the RSA assumption.

2012

OMD: A Compression Function Mode of Operation for Authenticated Encryption

Reza Reyhanitabar, Serge Vaudenay, Damian Vizár

We propose the Offset Merkle-Damgård (OMD) scheme, a mode of operation to use a compression function for building a nonce-based authenticated encryption with associated data. In OMD, the parts responsible for privacy and authenticity are tightly coupled to minimize the total number of compression function calls: for processing a message of l blocks and associated data of a blocks, OMD needs l+a+2 calls to the compression function (plus a single call during the whole lifetime of the key). OMD is provably secure based on the standard pseudorandom function (PRF) property of the compression function. Instantiations of OMD using the compression functions of SHA-256 and SHA-512, called OMD-SHA256 and OMD-SHA512, respectively, provide much higher quantitative level of security compared to the AES-based schemes. OMD-SHA256 can benefit from the new Intel SHA Extensions on next-generation processors.

Springer International Publishing2014

Forgery-Resilience for Digital Signature Schemes

Atefeh Mashatan, Khaled Ouafi

2012