Randomized Stopping Times and Provably Secure Pseudorandom Permutation Generators

Abstract

Conventionally, key-scheduling algorithm (KSA) of a cryptographic scheme runs for predefined number of steps. We suggest a different approach by utilization of randomized stopping rules to generate permutations which are indistinguishable from uniform ones. We explain that if the stopping time of such a shuffle is a Strong Stationary Time and bits of the secret key are not reused then these algorithms are immune against timing attacks.

We also revisit the well known paper of Mironov [15] which analyses a card shuffle which models KSA of RC4. Mironov states that expected time till reaching uniform distribution is \(2n H_n - n\) while we prove that \(n H_n+ n\) steps are enough (by finding a new strong stationary time for the shuffle).

Nevertheless, both cases require \(O(n \log ^2 n)\) bits of randomness while one can replace the shuffle used in RC4 (and in Spritz) with a better shuffle which is optimal and needs only \(O(n \log n)\) bits.

Authors were supported by Polish National Science Centre contract number DEC-2013/10/E/ST1/00359.

Appendices

Appendix

A Sign Distinguisher Advantage

Fig. 3.

The advantage (\(\epsilon \)) of Sign distinguisher of RC4 after discarding initial k bytes.

B Detailed Proof of Lemma 3

Proof

Define \(T_k\) to be the first time when k cards are marked (thus \(T\equiv T_n\)). Let \(d=\lceil (n-1)/2\rceil \). Then \(T_d\) is the running time of the first phase and \(\left( T_n - T_d\right) \) is the running time of the second phase. Denote \(Y_k := T_{k+1}-T_k\).

Assume that there are \(k<d\) marked cards at a certain step. Then the new card will be marked in next step if we choose two unmarked cards what happens with probability:

$$p_a(k)= {(n-k)^2\over n^2}.$$

Thus \(Y_k\) is a geometric random variable with parameter \(p_a(k)\) and

$$ \begin{array}{lllllllll} E[T_d] &{} = &{} \displaystyle \sum _{k=0}^{d-1} E[Y_k] = \sum _{k=0}^{d-1} {1\over p_a(k)}=\sum _{k=0}^{d-1} {n^2\over (n-k)^2} = n^2 \sum _{k=n-d+1}^n{1\over k^2} \\[14pt] &{} = &{}\displaystyle n^2\left( H_n^{(2)}-H_{n-d}^{(2)}\right) = n^2 \left( \frac{1}{n} + O\left( \frac{1}{n^2}\right) \right) = n + O(1). \end{array} $$

Now assume that there are \(k\ge d\) cards marked at a certain step. Then, the new card will be marked in next step with probability:

$$p_b(k)= {(n-k)(k+1)\over n^2}$$

and \(Y_k\) is a geometric random variable with parameter \(p_a(k)\). Thus:

$$ \begin{array}{lllllllll} E[T_n-T_d] &{} = &{} \displaystyle \sum _{k=0}^{d-1} E[Y_k] = \sum _{k=d}^{n-1} {1\over p_b(k)}=\sum _{k=d}^{n-1} {n^2\over (n-k)(k+1)} \\ &{} = &{} \displaystyle {n^2 \over n+1} \sum _{k=d}^{n-1} \left( {1\over n-k} + {1\over k+1}\right) = {n^2 \over n+1} \left( {\sum _{k=1}^{n-d} \frac{1}{k}} + {\sum _{k=d+1}^{n} \frac{1}{k}} \right) \\ &{} = &{} \displaystyle {n^2\over n+1} \left( H_{n-d} + H_n - H_d \right) = {n^2\over n+1} H_n + {n^2\over n+1} \left( H_{n-d} - H_d \right) \\ &{} = &{} nH_n - \frac{n}{n+1}H_n + {n^2\over n+1} \left( H_{n-d} - H_d \right) = nH_n + O(H_n) + O(1) = nH_n + O(H_n). \end{array} $$

For variance we have:

$$ \begin{array}{lllllllll} Var[T_d] &{} = &{} \displaystyle \sum _{k=0}^{d-1} Var[Y_k] = \sum _{k=0}^{d-1} \frac{1-p_a(k)}{\left( p_a(k)\right) ^2} = \sum _{k=0}^{d-1} \frac{1-\frac{(n-k)^2}{n^2}}{\left( \frac{(n-k)^2}{n^2}\right) ^2} \approx \int _{0}^{\frac{n}{2}} \frac{1-\frac{(n-x)^2}{n^2}}{\left( \frac{(n-x)^2}{n^2}\right) ^2} dx = \frac{4}{3} n. \\[24pt] Var[T_n-T_d] &{}=&{} \displaystyle \sum _{k=d}^{n-1} Var[Y_k] = \sum _{k=d}^{n-1} \frac{1-p_b(k)}{\left( p_b(k)\right) ^2} = \sum _{k=d}^{n-1} \frac{1 - \frac{(n-k)(k+1)}{n^2}}{\frac{(n-k)^2 (k+1)^2}{n^4}} \\[24pt] &{} = &{} \displaystyle n^2 \sum _{k=d}^{n-1} \frac{n(n-1)+k(1-n)+k^2}{(n-k)^2 (k+1)^2} \approx n^2 \cdot \frac{1}{2} \sum _{k=0}^{n-1} \frac{n(n-1)+k(1-n)+k^2}{(n-k)^2 (k+1)^2} \\[24pt] &{} \approx &{} \displaystyle \frac{n^2}{2} \left[ \left( \frac{2}{n} - \frac{4}{n^2} \right) H_n + 3 H_n^{(2)} \right] \sim \frac{\pi ^2}{4}n^2. \\ \end{array} $$

Finally

$$Var[T_n] = Var[T_d]+Var[T_n-T_d] \sim \frac{\pi ^2}{4}n^2. $$

\(\square \)

C Experimental Results

The expected running time of \({\textsf {KSA}}^{**}_\texttt {RTRT}\) (i.e., with Random-to-Random Transpositions shuffling) is known:

• with ST=StoppingRuleKLZ it is \(n(H_n+1)\)

• with stopping rule used in [15] it is \(2n H_n-n\)

For both stopping rules applied to Cyclic-to-Random Transpositions no precise results on expected running times are known. Instead we estimated them via simulations, simply running 10.000 of them. The results are given in Fig. 4.

Fig. 4.

Simulations’ results for Mironov’s and StoppingRuleKLZ stopping rules.

Fig. 5.

Example run of top-to-random shuffle with “reused randomness” which is taken from the key K of the length equal to three 8-value bytes (9-bits). Let us assume that the running time of SST was exactly 8. Conditioning on the number of steps one can figure out that the first word of the key must be equal to 111 while the second part \(K[2] \in \{110, 111\}\) with the same probability. Finally \(K[3] \in \{101, 110, 111\}\) and for the step i: \(K[i] = K[i \bmod 3]\). So now, instead of possible \(2^9 = 512\) permutations which can be generated from 9 bits of key, only 6 are possible (based on the fact that SST has stopped exactly after 8 steps).

D Timing-Attacks and \({\textsf {KSA}}^{**}\)

Example 1

(Top to random shuffle T2R – timing attack – re-used randomness). Consider algorithm \({\textsf {KSA}}^{**}_\texttt {T2R,ST}\) with shuffling procedure corresponding to Top-To-Random card shuffling (put the card S[1] which is currently on top to the position j defined by the randomness in the current round) and following stopping time ST:

• before the start of the algorithm, mark the last card (i.e., the card n is marked¹),

• stop one step after the marked card reaches the top of the deck.

The sample execution of the algorithm is given in Fig. 5.

Example 2

(Top-to-random – timing attack – fresh randomness). Let us now consider a very similar situation with one important difference. Now no portion of the key is re-used. An example run of the algorithm is presented on the Fig. 6. Based on the knowledge on the number of performed steps, one can learn some information about the secret key (i.e., \(K[1] = 000\), K[2] is either 110 or 111) but still no adversary can learn anything about the resulting permutation because any information is generated with exactly the same probability.

Fig. 6.

Example run of top-to-random shuffle with “fresh randomness” taken from the key K of the length equal to 8 8-value bytes (24-bits). Conditioning on the number of steps of the SST (in this case 8) one can find out that: out of the possible \(2^{24}\) keys only (exactly) 8! keys are possible (due to the fact that SST stopped after 8 steps) and every of 8! permutations are possible (based on the fact that SST has stopped exactly after 8 steps) – moreover each permutation with exactly the same probability. SST leaks bits of the key i.e., \(K[1] = 111\) but does not leak any information about the produced permutation.

E Spritz Definition

Fig. 7.

Building blocks of Spritz