Abstract
Conventionally, the key-scheduling algorithm (KSA) of a cryptographic scheme runs for a predefined number of steps. We suggest a different approach: using randomized stopping rules to generate permutations which are indistinguishable from uniform ones. We explain that if the stopping time of such a shuffle is a Strong Stationary Time and bits of the secret key are not reused, then these algorithms are immune to timing attacks.
We also revisit the well-known paper of Mironov [15], which analyses a card shuffle that models the KSA of RC4. Mironov states that the expected time until the uniform distribution is reached is \(2n H_n - n\), while we prove that \(n H_n + n\) steps are enough (by finding a new strong stationary time for the shuffle).
Nevertheless, both cases require \(O(n \log^2 n)\) bits of randomness, while one can replace the shuffle used in RC4 (and in Spritz) with a better shuffle which is optimal and needs only \(O(n \log n)\) bits.
Authors were supported by Polish National Science Centre contract number DEC-2013/10/E/ST1/00359.
Notes
1. It is known [2] that the optimal SST for top-to-random initially marks the second card from the bottom.
References
Albrecht, M.R., Paterson, K.G.: Lucky microseconds: a timing attack on Amazon’s s2n implementation of TLS. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 622–643. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49890-3_24
Aldous, D., Diaconis, P.: Shuffling cards and stopping times. Am. Math. Mon. 93(5), 333–348 (1986)
Aldous, D., Diaconis, P.: Strong uniform times and finite random walks. Adv. Appl. Math. 8, 69–97 (1987)
AlFardan, N., Bernstein, D.J., Paterson, K.G., Poettering, B., Schuldt, J.C.N.: On the security of RC4 in TLS. In: Presented as Part of the 22nd USENIX Security Symposium (USENIX Security 13), Washington, D.C., pp. 305–320. USENIX (2013)
Ankele, R., Kölbl, S., Rechberger, C.: State-recovery analysis of spritz. In: Lauter, K., Rodríguez-Henríquez, F. (eds.) LATINCRYPT 2015. LNCS, vol. 9230, pp. 204–221. Springer, Cham (2015). doi:10.1007/978-3-319-22174-8_12
Banik, S., Isobe, T.: Cryptanalysis of the full spritz stream cipher. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 63–77. Springer, Heidelberg (2016). doi:10.1007/978-3-662-52993-5_4
Diaconis, P., Shahshahani, M.: Generating a random permutation with random transpositions. Zeitschrift fur Wahrscheinlichkeitstheorie und Verwandte Gebiete 57(2), 159–179 (1981)
Fill, J.A.: An interruptible algorithm for perfect sampling via Markov chains. Ann. Appl. Probab. 8(1), 131–162 (1998)
Fluhrer, S., Mantin, I., Shamir, A.: Weaknesses in the key scheduling algorithm of RC4. In: Vaudenay, S., Youssef, A.M. (eds.) SAC 2001. LNCS, vol. 2259, pp. 1–24. Springer, Heidelberg (2001). doi:10.1007/3-540-45537-X_1
Fluhrer, S.R., McGrew, D.A.: Statistical analysis of the alleged RC4 keystream generator. In: Goos, G., Hartmanis, J., Leeuwen, J., Schneier, B. (eds.) FSE 2000. LNCS, vol. 1978, pp. 19–30. Springer, Heidelberg (2001). doi:10.1007/3-540-44706-7_2
Ge, Q., Yarom, Y., Cock, D., Heiser, G.: A Survey of Microarchitectural Timing Attacks and Countermeasures on Contemporary Hardware. IACR Eprint (2016)
Golić, J.D.: Linear statistical weakness of alleged RC4 keystream generator. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 226–238. Springer, Heidelberg (1997). doi:10.1007/3-540-69053-0_16
Mantin, I., Shamir, A.: A practical attack on broadcast RC4. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 152–164. Springer, Heidelberg (2002). doi:10.1007/3-540-45473-X_13
Matthews, P.: A strong uniform time for random transpositions. J. Theoret. Probab. 1(4), 411–423 (1988)
Mironov, I.: (Not so) random shuffles of RC4. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 304–319. Springer, Heidelberg (2002). doi:10.1007/3-540-45708-9_20
Mossel, E., Peres, Y., Sinclair, A.: Shuffling by semi-random transpositions. In: Foundations of Computer Science, pp. 572–581 (2004)
Naor, M., Reingold, O.: On the construction of pseudo-random permutations. In: Proceedings of the Twenty-Ninth Annual ACM Symposium on Theory of Computing - STOC 1997, pp. 189–199. ACM Press, New York (1997)
Pereida García, C., Brumley, B.B., Yarom, Y.: Make sure DSA signing exponentiations really are constant-time
Propp, J.G., Wilson, D.B.: Exact sampling with coupled Markov chains and applications to statistical mechanics. Random Struct. Algorithms 9, 223–252 (1996)
Schuldt, J.C.N., Rivest, R.L.: Spritz–a spongy RC4-like stream cipher and hash function (2014)
Paul, S., Preneel, B.: A new weakness in the RC4 keystream generator and an approach to improve the security of the cipher. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 245–259. Springer, Heidelberg (2004). doi:10.1007/978-3-540-25937-4_16
Standaert, F.-X., Pereira, O., Yu, Y., Quisquater, J.-J., Yung, M., Oswald, E.: Leakage resilient cryptography in practice. In: Sadeghi, A.-R., Naccache, D. (eds.) Towards Hardware-Intrinsic Security, pp. 99–134. Springer, Heidelberg (2010). doi:10.1007/978-3-642-14452-3_5
Maitra, S., Paul, G.: Analysis of RC4 and proposal of additional layers for better security margin. In: Chowdhury, D.R., Rijmen, V., Das, A. (eds.) INDOCRYPT 2008. LNCS, vol. 5365, pp. 27–39. Springer, Heidelberg (2008). doi:10.1007/978-3-540-89754-5_3
Yarom, Y., Genkin, D., Heninger, N.: CacheBleed: a timing attack on OpenSSL constant time RSA. CHES (2016)
Zoltak, B.: VMPC one-way function and stream cipher. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 210–225. Springer, Heidelberg (2004). doi:10.1007/978-3-540-25937-4_14
Appendices
A Sign Distinguisher Advantage
B Detailed Proof of Lemma 3
Proof
Define \(T_k\) to be the first time when k cards are marked (thus \(T\equiv T_n\)). Let \(d=\lceil (n-1)/2\rceil \). Then \(T_d\) is the running time of the first phase and \(\left( T_n - T_d\right) \) is the running time of the second phase. Denote \(Y_k := T_{k+1}-T_k\).
Assume that there are \(k<d\) marked cards at a certain step. Then a new card will be marked in the next step if we choose two unmarked cards, which happens with probability:
Thus \(Y_k\) is a geometric random variable with parameter \(p_a(k)\) and
Now assume that there are \(k\ge d\) cards marked at a certain step. Then a new card will be marked in the next step with probability:
and \(Y_k\) is a geometric random variable with parameter \(p_a(k)\). Thus:
For variance we have:
Finally
\(\square \)
C Experimental Results
The expected running time of \({\textsf {KSA}}^{**}_\texttt {RTRT}\) (i.e., with Random-to-Random Transpositions shuffling) is known:
- with ST=StoppingRuleKLZ it is \(n(H_n+1)\)
- with the stopping rule used in [15] it is \(2n H_n-n\)
For both stopping rules applied to Cyclic-to-Random Transpositions no precise results on expected running times are known. Instead we estimated them via simulations, simply running 10.000 of them. The results are given in Fig. 4.
D Timing-Attacks and \({\textsf {KSA}}^{**}\)
Example 1
(Top-to-random shuffle T2R – timing attack – re-used randomness). Consider the algorithm \({\textsf {KSA}}^{**}_\texttt {T2R,ST}\) with a shuffling procedure corresponding to Top-To-Random card shuffling (put the card S[1], which is currently on top, at the position j defined by the randomness in the current round) and the following stopping time ST:
- before the start of the algorithm, mark the last card (i.e., the card n is marked; see Note 1),
- stop one step after the marked card reaches the top of the deck.
The sample execution of the algorithm is given in Fig. 5.
Example 2
(Top-to-random – timing attack – fresh randomness). Let us now consider a very similar situation with one important difference: no portion of the key is re-used. An example run of the algorithm is presented in Fig. 6. Based on knowledge of the number of performed steps, one can learn some information about the secret key (i.e., \(K[1] = 000\), K[2] is either 110 or 111), but still no adversary can learn anything about the resulting permutation because any information is generated with exactly the same probability.
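The property behind Example 2 can be checked exactly on a small deck. The following is an added example, not code from the paper: it computes the joint distribution of the step count T and the final deck for the top-to-random shuffle with the stopping rule of Example 1, assuming a fresh uniform position j at every step and 0-based positions (function names are illustrative).

```python
from collections import defaultdict
from fractions import Fraction
from itertools import permutations
from math import factorial

def top_to_random(deck, j):
    """Move the top card to 0-based position j; the other cards keep their order."""
    rest = deck[1:]
    return rest[:j] + (deck[0],) + rest[j:]

def stopped_distribution(n, max_steps):
    """Exact joint law P(T = t, deck = sigma) for all t <= max_steps.

    Stopping rule of Example 1: card n starts at the bottom and is marked;
    the run stops one step after the marked card reaches the top.
    Assumption: every step draws a fresh, uniform j (no key bits re-used).
    """
    live = {tuple(range(1, n + 1)): Fraction(1)}  # runs that have not stopped yet
    joint = {}                                    # joint[t][sigma] = probability
    for t in range(1, max_steps + 1):
        still_running = defaultdict(Fraction)
        for deck, p in live.items():
            if deck[0] == n:                      # marked card on top: last step
                target = joint.setdefault(t, defaultdict(Fraction))
            else:
                target = still_running
            for j in range(n):
                target[top_to_random(deck, j)] += p / n
        live = still_running
    return joint

def is_strong_stationary(n, max_steps):
    """True if, for every observed step count t, all n! decks are equally likely."""
    joint = stopped_distribution(n, max_steps)
    decks = list(permutations(range(1, n + 1)))
    for dist in joint.values():
        p_t = sum(dist.values())                  # P(T = t)
        if any(dist.get(s, 0) != p_t / factorial(n) for s in decks):
            return False
    return bool(joint)

if __name__ == "__main__":
    n = 4
    for t, dist in sorted(stopped_distribution(n, 8).items()):
        print(f"T={t}: P(T=t)={sum(dist.values())}, distinct decks={len(dist)}")
    print("uniform given every T:", is_strong_stationary(n, 8))
```

Because the arithmetic uses exact fractions, the check is an equality test rather than a statistical estimate: conditioning on any observed running time leaves every permutation with probability exactly 1/n!.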
E Spritz Definition
© 2017 Springer International Publishing AG
Cite this paper
Kulis, M., Lorek, P., Zagorski, F. (2017). Randomized Stopping Times and Provably Secure Pseudorandom Permutation Generators. In: Phan, RW., Yung, M. (eds) Paradigms in Cryptology – Mycrypt 2016. Malicious and Exploratory Cryptology. Mycrypt 2016. Lecture Notes in Computer Science(), vol 10311. Springer, Cham. https://doi.org/10.1007/978-3-319-61273-7_8
DOI: https://doi.org/10.1007/978-3-319-61273-7_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-61272-0
Online ISBN: 978-3-319-61273-7
eBook Packages: Computer Science (R0)