Keywords

1 Introduction

Randomness is an essential ingredient in almost every area of cryptography; yet in the literature, randomness is often sampled uniformly at random with little thought on how quickly this amount of “good” randomness can be generated in practice. The need for high quality randomness delivered quickly has spawned work on the various key aspects of a PRNG, such as the ability to produce randomness at a fast and reliable rate, and protection against adversaries who may be able to compromise parts of the generator’s state or the environment in which it draws entropy. In practice, many generators in active use have not received valid security analysis, and, on the opposite side of the fence, many designs are created in a theoretical setting without the full scope of desirable properties for a PRNG in mind and as result, are impractical for active use.

Sponges. The sponge design is very simple and yet very powerful; it benefits from a large amount of analysis due to the success of Keccak [6] in the SHA3 competition in 2012. The design requires an n-bit state with a rate r and capacity c such that \(n=r+c\); the r bits of the state \(s_{}\) are known as the outer state, written \(\overline{s}_{}\) while the c bits are known as the inner state \(\widehat{s}_{}\). The design initialises with an initial state of the zero state, and a random permutation \(\pi \). The sponge has two algorithms; Absorb and Squeeze.

Previous constructions. The sponge-based PRNG construction first suggested by Bertoni et al. in [8] utilises a random permutation and relies on the sponge indifferentiability proof of [7] for security. This analysis, though useful, does not consider security in terms of a security model for PRNGs. More recently, work by Gaži and Tessaro has improved upon this design and security claims, but still requires multiple additional calls to the permutation to ensure forward security, along with several additional strings to give a seeded design.

Ideal permutation model. We prove all of our security claims in the ideal permutation model where \(\pi \) is a public, random permutation picked at the beginning of any game. Any party has access to the permutation and may make forward and backward queries. We denote by \(\mathcal {A}_{\mathsf {}}^{\pi }\) an adversary with oracle access to \(\pi \overset{\$}{\leftarrow }\mathcal {P}_n\) with \(\mathcal {P}_n\) being the space of all permutations on n-bit strings. We say that \(\mathcal {A}_{\mathsf {}}^\pi \) is a \(q_\pi \)-query adversary if it makes at most \(q_\pi \) queries \(\pi \).

PRNG security models. The development of security models for PRNGs has been slow due to a complex combination of security goals and the difficulty in accurately capturing the environment both the PRNG and the associated adversary are working in. Security models for PRNGs include work by Barak and Halevi [2], from 2005, a brilliantly simple model that introduced a very strong notion of Robustness.

This model was later improved upon in successive work by Dodis et al. [10], which initially aims to address the situation where a PRNG accumulates entropy at a slow rate, and is at risk of “prematurely” being called before enough entropy has been gathered.

The model was then further improved in [11], which introduced the idea of a scheduler, inspired by the design of the Fortuna PRNG [12] which aimed at a design to improve the recovery time of a compromised PRNG. We will not be considering a scheduler in this paper and will keep to the definitions of [10]; however, the idea of a scheduler is an interesting prospect in terms of possibly replacing the need for \(\mathsf {seed} \) described below.

Seedless design. More recently, work done concurrently to the first draft of this paper, by Gaži and Tessaro [13], concentrates on the importance of a “seeded” design when using a public ideal permutation. The authors argue that a publicly available permutation allows an adversary to generate PRNG inputs dependent on the permutation. These “bad” distributions can output high entropy inputs but result in a predictable bit of the state, and thus result in a non-negligible advantage for the adversary. The authors of this work ensure their implementation is seeded by requiring a small number \((s=2\) or 3) of r-bit strings that are used as additional inputs to prevent this attack.

We note that this adds to the initial entropy requirements of the PRNG, which can already be one of the most restrictive and problematic situations for a PRNG. Another addition is the need for a counter to be kept; this is absorbed into the refresh procedure but should be an additional part of the state. Fortunately due to work in [15], this would not affect security. Alternatively, this could merely be an identifier of the system on which the PRNG is implemented, along with the current time of the system clock, which could be hashed to provide the seed, though in the security games the seed is chosen uniformly at random. Our design is aimed at being practical and efficient; in a practical scenario the distribution sampler or entropy accumulation mechanism is not so easily influenced and discovering these “bad” distributions is very difficult when good, studied entropy sources are used.

We include the option of a seed so that robustness can be achieved, but we question the necessity of the seed in a practical scenario; this can be likened to many PRNGs made for practical use having the option of a “personalisation” string [16], but note that this is often not used or even implemented. In practical implementations the PRNG does not have direct access to a noise source, but rather an entropy source that has been studied and provides a minimum entropy estimate, along with post processing and health checking [3, 4].

Notation. In this paper we denote by \(s_{i}\) the ith \(n-\)bit state of a generator. In the context of sponges we work with an \(n-\)bit state \(s_{i}\) which is split into an inner state of c-bits, denoted by \(\widehat{s}_{i}\). The rest of the state is called the outer state, of r-bits and is denoted \(\overline{s}_{i}\). Thus, the state can be given as \(s_{i}=(\overline{s}_{i}\Vert \widehat{s}_{i})\) where \(\Vert \) is the usual concatenation of strings. The construction defined in this paper utilises a public, random permutation \(\pi \) from the set \(\mathcal {P}_n\) of all permutations on n-bits. We use \(x\overset{\$}{\leftarrow }X\) to denote an element x of a set X chosen uniformly at random. We denote by \(\mathrm {I}_{i}\) the ith r-bit input string, used to refresh the state of a generator. We denote by \(r_{i}\) the ith output of a generator. These counters are in fact dependent on the state counter, so rather than the i-th output, we refer to the output associated with state i.

Contributions. We put forward an improved sponge-like PRNG design which we prove is robust in the updated security model. The recent work by Gaži and Tessaro updated the security of the sponge-based PRNG design of Bertoni et al. but did not seek to improve the design of the next procedure. We improve the design of the next function to ensure our design is more efficient, making a single call to the permutation \(\pi \), compared with \(1+t\) calls; resulting in a design better suited for practical application, especially those that restrict the number of calls to \(\pi \). Since the p.forget procedure of the previous generator calls the permutation \(1+t\) times, with zeroing, it presents the problem of increased collisions in the state, something that is avoided by our design and thus our bound is mainly limited by the collision factor associated with the refresh procedure. This potentially makes our generator comparatively more secure when first initialised on a random initial state and before any refreshes have been made. Below are the two main components of the new design Reverie.

  • \(\textsf {Reverie}.\textsf {refresh} ^\pi (s_{i},\mathrm {I}_{},\mathsf {seed},j) = \pi ((\overline{s}_{i}\oplus \mathrm {I}_{} \oplus \mathsf {seed} _j)\Vert \widehat{s}_{i}) = s_{i+1}, j = j+1\mod s\),

  • \(\textsf {Reverie}.\textsf {next} ^\pi (s_{i})= (\pi (s_{i}) \oplus (0^r\Vert \widehat{s}_{i}),\overline{s}_{i})=(s_{i+1},r_{i+1})\).

The security notion of interest in this paper is the strongest security notion, “robustness” which, informally, refers to an adversary working in time t, with access to a distribution sampler \(\mathcal {D}\) that outputs refresh material used to update the state of the generator.

The adversary is allowed up to \(q_\mathcal {D}\) outputs from the distribution sampler \(\mathcal {D}\), these strings are required to have a minimum entropy when being used to refresh the generator from a compromised state. The adversary also has access to two algorithms get-next and next-ror which give the adversary output from the generator or random. The adversary is allowed up to \(q_R\) queries between these two algorithms.

Lastly, the adversary has up to \(q_S\) queries to set-state and get-state which give the adversary the current state of the generator and in the case of the former, allow it to set the state. In addition, the generator is said to be “uncompromised” if the current state has minimum entropy \(\ge \gamma ^*\) for some value \(\gamma ^*\). We say a generator is \(((t,q_\mathcal {D}, q_R, q_S), \gamma ^*, \epsilon )\) robust where \(\epsilon \) is the maximum advantage of any adversary playing the robustness game.

The design can be seen in Fig. 2 for further clarity. Although this design departs slightly from the sponge design, it can still be captured by the more generalised structure of the parazoa as defined in [1], and, given access to the underlying permutation function, easily implemented.

Organisation. This paper is organised into preliminaries in Sects. 2 and 3, followed by the description of the new generator in Sect. 4, the security analysis of the generator in Sect. 5 and finally a discussion of results in Sect. 6.

2 Preliminary Definitions

This section aims to provide a background on all the necessities of pseudo-random number generators (PRNG), the ideal permutation model, along with an introduction to Patarin’s H-coefficient technique.

2.1 Probabilities and Further Notation

Definition 1

The statistical distance between two discrete random variables X and Y over the set \(\mathcal {X}\) is denoted

$$\begin{aligned} \mathsf {SD}(X,Y)=\frac{1}{2}\sum \limits _{x\in \mathcal {X}}\left| \mathrm {Pr}\left[ X=x\right] -\mathrm {Pr}\left[ Y=x\right] \right| . \end{aligned}$$

Definition 2

The minimum entropy of a random variable X is defined as \(H_{\infty }(X)= \mathsf {min}_{x\overset{\$}{\leftarrow }X}\{-\log (\mathrm {Pr}\left[ X=x\right] )\}\).

Definition 3

For the purposes used in this paper, a source \(S^\pi \) is defined as an input-less randomised oracle which makes queries to \(\pi \) and outputs a string. The range of the source is denoted [S] and is the set of all values the source outputs with positive probability, taken over the choice of \(\pi \) and the internal randomness of S.

We use the usual game-based formalism from [5]; for a game \(\mathsf {G}\), \(\mathsf {G}(\mathcal {A}_{\mathsf {}})\Rightarrow 1\) denotes the event that an adversary \(\mathcal {A}_{\mathsf {}}\) playing the game \(\mathsf {G}\), results in the game outputting 1, while \(\mathsf {G}(\mathcal {A}_{\mathsf {}})\rightarrow 1\) denotes the event that the \(\mathcal {A}_{\mathsf {}}\) playing the game \(\mathsf {G}\) outputs 1.

2.2 PRGs and PRNGs

In this document a PRG will refer to a pseudo-random number generator without input, while PRNG will refer to a pseudo-random number generator with input and in the form described in Definition 4.

Definition 4

(PRNG from [10]). A PRNG with input is a triple of algorithms \(G = (\textsf {setup}, \textsf {refresh}, \textsf {next})\) and a triple \((n,\ell , p) \in \mathbb {N}^3\) where: n is the state length, \(\ell \) is the output length, p is the input length of G and

  • \(\textsf {setup} \): is a probabilistic algorithm that outputs some public parameters \(\mathsf {seed} \) for the generator.

  • \(\textsf {refresh} \): is a deterministic algorithm that, given \(\mathsf {seed} \), a state \(s_{i}\in \{0,1\}^n\) and an input \(\mathrm {I}_{}\in \{0,1\}^p\), outputs a new state \(s_{i+1} := \textsf {refresh} (s_{i}, \mathrm {I}_{}, \mathsf {seed} \))

  • \(\textsf {next} \): is a deterministic algorithm that, given \(\mathsf {seed} \) and a state \(s_{i} \in \{0,1\}^n\), outputs a pair \((s_{i+1},r_{i+1}) = \textsf {next} (\mathsf {seed}, s_{i})\), where \(s_{i+1}\) is the new state and \(r_{i+1} \in \{0,1\}^\ell \) is the output. We write \(\textsf {next} (s_{i})\) and omit \(\mathsf {seed} \) for clarity.

Definition 5

(Originally of [10] but as amended in [13]). A Q-distribution sampler is a randomised stateful oracle algorithm \(\mathcal {D}\) which operates as follows:

  • It takes a state \(\sigma _i\), with initial state \(\sigma _0 = \perp \).

  • \(\mathcal {D}^\pi (\sigma _i)\) outputs a tuple \((\sigma _i,\mathcal {S}_i,\gamma _i, z_i)\), where

    • \(\sigma _i\) is the new state of \(\mathcal {D}^\pi \).

    • \(\mathcal {S}_i\) is a source with range \([\mathcal {S}_{i}]\subseteq \{0,1\}^\ell _i\) for some \(\ell _i\ge 1\).

    • \(\gamma _i\) is an entropy estimation for \(\mathcal {S}_{i}\) which will be discussed further below.

    • \(z_i\) is the leakage and/or auxiliary information about \(\mathcal {S}_{i}\).

  • When run \(q_{\mathcal {D}}\) times, the number of queries to the permutation \(\pi \) made by \(\mathcal {D}^\pi \) and \(\mathcal {S}_{1},\dots ,\mathcal {S}_{q_{\mathcal {D}}}\) is at most \(Q(q_{\mathcal {D}})\).

For simplicity, \((\sigma _i,\mathrm {I}_{i},\gamma _i,r_{i})\overset{\$}{\leftarrow }\mathcal {D}^\pi (\sigma _{i-1})\) is written as the overall process of running \(\mathcal {D}\) and the generated source \(\mathcal {S}_i\). Next, we note the requirement for some restriction on distribution samplers, namely we require the following:

Definition 6

A distribution sampler \(\mathcal {D}\) as defined above in Definition 5 is \((q_{\mathcal {D}},q_\pi )\)-legitimate, if, for every adversary \(\mathcal {A}_{\mathsf {}}\) making \(q_\pi \) queries, every \(i^*\in [q_{\mathcal {D}}]\), and for any possible values \(\left( \mathrm {I}_{j}\right) _{j\ne i^*}, (\gamma _1,z_1),\dots ,(\gamma _{q_{\mathcal {D}}},z_{q_{\mathcal {D}}}), V_{\mathcal {A}_{\mathsf {}}},Q_{\mathcal {D}}\) potentially output by the game \(\mathsf {GLEG}_{q_{\mathcal {D}},i^*}(\mathcal {A}_{\mathsf {}},\mathcal {D})\) with positive probability,

$$\begin{aligned} \mathrm {Pr}\left[ \mathrm {I}_{i^*}=x\mid \left( \mathrm {I}_{j}\right) _{j\ne i^*},(\gamma _1,z_1),\dots ,(\gamma _{q_{\mathcal {D}}},z_{q_{\mathcal {D}}}), V_{\mathcal {A}_{\mathsf {}}},Q_{\mathcal {D}}\right] \le 2^{-\gamma _{i^*}}, \end{aligned}$$

for all \(x\in \{0,1\}^{\ell _{i^*}}\), where the probability is conditioned on these particular values being output by the game. The game \(\mathsf {GLEG}_{q_{\mathcal {D}},i^*}(\mathcal {A}_{\mathsf {}},\mathcal {D})\), is defined in full in [13, Definition 3, p. 10] and presented in Appendix A, but informally, the challenger samples a permutation \(\pi \), \(\mathcal {D}^\pi \) is run \(q_{\mathcal {D}}\) times and the adversary \(\mathcal {A}_{\mathsf {}}\) is run on all of the output from \(\mathcal {D}^\pi \), apart from that of \(\mathcal {S}_i\) and its associated queries. \(V_{\mathcal {A}_{\mathsf {}}}\) is the adversary’s final output, while \(Q_\mathcal {D}\) is the input-output pairs of permutation queries made by \(\mathcal {D}\).

2.3 The Ideal Permutation Model (IPM)

An implementation of a sponge-based PRNG would involve a publicly available permutation; hence, our analysis is done in the ideal permutation model. Formally, each party has oracle access to a public, random permutation \(\pi \overset{\$}{\leftarrow }\mathcal {P}_n\), chosen by the challenger at the beginning of a game. The permutation can be queried as both \(\pi \) and \(\pi ^{-1}\) but for simplicity, we write that an algorithm or entity, such as an adversary \(\mathcal {A}_{\mathsf {}}\), has access to \(\pi \) by \(\mathcal {A}_{\mathsf {}}^\pi \). We make use of the following, which denotes the advantage of an adversary \(\mathcal {A}_{\mathsf {}}\) with oracle access to \(\pi \) in distinguishing between the distributions \(D_0, D_1\) that also have access to \(\pi \):

$$\begin{aligned} \mathsf {Adv}_{\mathsf {\mathcal {A}_{\mathsf {}}}}^{\mathsf {\mathsf {dist}}}(D_0,D_1)=\left| \mathrm {Pr}\left[ X\overset{\$}{\leftarrow }D_0^\pi :\mathcal {A}_{\mathsf {}}^\pi (X)\Rightarrow 1\right] -\mathrm {Pr}\left[ X\overset{\$}{\leftarrow }D_1^\pi : \mathcal {A}_{\mathsf {}}^\pi (X)\Rightarrow 1\right] \right| , \end{aligned}$$

with \(\mathcal {A}_{\mathsf {}}\) being called a \(q_\pi \)-query adversary if it asks at most \(q_\pi \) queries to \(\pi \).

2.4 Patarin’s H-Coefficient Technique

This section gives a brief introduction to Patarin’s H-coefficient technique with a focus on functionality. Influenced by [9] and initially defined in [14], the H-coefficient technique is applied by splitting the “transcripts” of a game into two or more distinct sets; calculating the probability of the real or ideal world outputting transcripts in a particular set yields a close bound for the statistical distance of the real and ideal world.

A high level overview is that of a q-query information theoretic adversary \(\mathcal {A}_{\mathsf {}}\) which can be assumed to be deterministic, making no redundant queries without loss of generality, interacting with an oracle \(\omega \) representing either the real world or ideal world. The interaction \(\mathcal {A}_{\mathsf {}}\) has with this oracle \(\omega \) is represented in a transcript \(\tau \) which includes a list of queries and their answers given by \(\omega \).

Let \(\omega \) be an oracle that serves as the way the adversary \(\mathcal {A}_{\mathsf {}}\) interacts with the challenger in the chosen world. Let \(\varOmega _X\) refer to the probability space of all real world oracles with the uniform probability distribution, and similarly \(\varOmega _Y\) is the probability space of all ideal world oracles again with the uniform distribution.

Let \(\mathcal {T}\) be the set of all transcripts, with \(\tau \in \mathcal {T}\) an individual transcript that describes, in full, the interactions and final output between the adversary \(\mathcal {A}_{\mathsf {}}\) and the oracle she interacts with.

Further, the random variables X and Y are defined over the probability spaces respectively, where \(X(\omega ) = \tau \) refers to running \(\mathcal {A}_{\mathsf {}}\) on oracle \(\omega \) for \(\omega \in \varOmega _X\), which in turn produces the transcript \(\tau \).

For simplicity we will only consider two sets; good and bad transcripts, which are denoted \(\mathcal {T}_G\) and \(\mathcal {T}_B\) respectively. Defining this split is integral to the proof since the H-coefficient technique allows bounding the statistical distance of the random variables X and Y in the following way: suppose \(\exists \epsilon \in [0,1]\), such that \(\forall \tau \in \mathcal {T}_G, \text { with }\mathrm {Pr}\left[ Y=\tau \right] >0\),

$$\begin{aligned} \frac{\mathrm {Pr}\left[ X=\tau \right] }{\mathrm {Pr}\left[ Y=\tau \right] } \ge 1 - \epsilon . \end{aligned}$$

Finally,

Theorem 1

(H-coefficient). Let \(X, Y, \mathcal {T}_G, \mathcal {T}_B, \tau ,\epsilon \) be as above, then,

$$\begin{aligned} \mathsf {SD}(X,Y)\le \epsilon + \mathrm {Pr}\left[ Y\in \mathcal {T}_B\right] . \end{aligned}$$

3 Security Notions

This section defines the notion of robustness originally from [10], but augmented as in [13] to allow for the publicly available random permutation. Robustness is the strongest security notion of the security model. We also include definitions of two weaker notions of security; preserving and recovering security, which together imply that a PRNG fulfils the requirements of robustness.

As per the definitions of [10], a minimal “fresh” entropy in the PRNG system when security should be expected. Minimising \(\gamma ^*\) corresponds to a stronger security guarantee.

An adversary is modelled using a pair \((\mathcal {A}_{\mathsf {}},\mathcal {D})\) where \(\mathcal {A}_{\mathsf {}}\) is the actual \(q_\pi \)-query adversary and \(\mathcal {D}\) is a \((q_{\mathcal {D}},q_\pi )\)-legitimate distribution sampler. The adversary \(\mathcal {A}_{\mathsf {}}\)’s goal is to determine a challenge bit b picked during the initialise procedure, this procedure also returns \(\mathsf {seed} \) to the adversary.

Definition 7

A PRNG with input G, is called \(((q_\pi ,q_{\mathcal {D}}, q_R, q_S), \gamma ^*, \epsilon _{\mathsf {rob}})\)-robust \((\mathsf {ROB}_{G}^{\gamma ^*})\) if for any adversary \(\mathcal {A}_{\mathsf {}}\) making at most \(q_\pi \) queries to \(\pi ^{\pm }\), making at most \(q_{\mathcal {D}}\) calls to \(\mathcal {D}\textsf {-refresh}\), \(q_R\) calls to Next-ror/Get-next and \(q_S\) calls to Get-state/Set-state and any legitimate distribution sampler \(\mathcal {D}\), the advantage of any adversary in the robustness game is at most \(\epsilon _{\mathsf {rob}}\) which is defined below.

The adversary \(\mathcal {A}_{\mathsf {}}\) has access to a subset of the following oracles, dependent on the security game that it’s playing; the full set is available in \(\mathsf {ROB}_{G}^{\gamma ^*}(\mathcal {A}_{\mathsf {,}}\mathcal {D})\). We say that an adversarial pair \((\mathcal {A}_{\mathsf {}},\mathcal {D})\) playing the robustness game as described below in Sect. 3 for a PRNG G have advantage

$$\begin{aligned} \mathsf {Adv}_{\mathsf {G}}^{\mathsf {\gamma ^*-\mathsf {ROB}}}(\mathcal {A}_{\mathsf {}},\mathcal {D}):= \left| 2\mathrm {Pr}\left[ \mathsf {ROB}_{G}^{\gamma ^*}(\mathcal {A}_{\mathsf {}},\mathcal {D})\Rightarrow 1\right] -1\right| \le \epsilon _{\mathsf {rob}}. \end{aligned}$$

Next, we define two further security notions: preserving security and recovering security. If a PRNG satisfies both these notions, then by Theorem 1 of [10] (with updated version from [13]) the generator in question satisfies the robustness security notion under the corresponding parameters. Next we define preserving and recovering security (Fig. 1).

Fig. 1.
figure 1

\(\mathsf {ROB}_{G}^{\gamma ^*}(\mathcal {A}_{\mathsf {,}}\mathcal {D})\)

Full size image

3.1 Preserving Security

Informally, preserving security states that if the state of a generator starts uncompromised, is refreshed using compromised input, then the next output and resulting state are still indistinguishable from random.

Definition 8

A PRNG with input is said to have \((q_\pi , \epsilon _{\mathsf {pres}})\)-preserving security if the advantage of any adversary \(\mathcal {A}_{\mathsf {}}\) making at most \(q_\pi \) queries to \(\pi ^{\pm }\) in the following game is at most \(\epsilon _{\mathsf {pres}}\), where the advantage is defined to be

$$\begin{aligned} \mathsf {Adv}_{\mathsf {G}}^{\mathsf {\mathsf {PRES}}}(\mathcal {A}_{\mathsf {}}):= \left| 2\mathrm {Pr}\left[ \mathsf {PRES}_{G}(\mathcal {A}_{\mathsf {}})\Rightarrow 1\right] -1\right| \le \epsilon _{\mathsf {pres}}. \end{aligned}$$
figure a

3.2 Recovering Security

Informally, recovering security implies that if a PRNG is compromised, inserting enough random entropy to refresh the internal state will ensure that the next output and state will be indistinguishable from random.

Definition 9

A PRNG with input has \((q_\pi , q_{\mathcal {D}}, \gamma ^*, \epsilon _{\mathsf {rec}})\)-recovering security if the advantage of any adversary \(\mathcal {A}_{\mathsf {}}\) making at most \(q_{\mathcal {D}}\) queries to \(\pi ^{\pm }\) and distribution sampler \(\mathcal {D}\), making at most \(Q(q_{\mathcal {D}})\) queries to \(\pi ^{\pm }\), in the following game with \(\gamma ^*>0\) is at most \(\epsilon _{\mathsf {rec}}\) where advantage is defined as

$$\begin{aligned} \mathsf {Adv}_{\mathsf {G}}^{\mathsf {(\gamma ^*,q_{\mathcal {D}})-\mathsf {rec}}}(\mathcal {A}_{\mathsf {}},\mathcal {D}):=\left| 2\mathrm {Pr}\left[ \mathsf {REC}_{G}^{(\gamma ^*,q_{\mathcal {D}})}\Rightarrow 1\right] -1\right| \le \epsilon _{\mathsf {rec}}. \end{aligned}$$
figure b

4 Improved Construction

The following algorithms describe Reverie, a sponge-like PRNG with forward security that does not require additional calls to the underlying public permutation. Let \(s,r,c\ge 1\) and \(c:=n-r,\ell =p=r\), together with \(\pi \overset{\$}{\leftarrow }\mathcal {P}_n\), then \(\mathsf {Rev}_{s,n,r}^{\pi }:=(\textsf {Reverie}.\textsf {setup} ^\pi ,\textsf {Reverie}.\textsf {refresh} ^\pi ,\textsf {Reverie}.\textsf {next} ^\pi )\) for:

figure c
Fig. 2.
figure 2

Reverie.

Full size image

5 Security of Reverie

This section consists of the security proofs of Reverie; the approach is to analyse the security of the \(\textsf {next} \) function, and then focus on the preserving and recovering security games, making use of the previous result.

Theorem 2

For \(\textsf {Reverie} =\mathsf {Rev}_{s,n,r}^{\pi }\) as defined above, let \(\gamma ^*>0\), let \(\mathcal {D}\) be a \((q_{\mathcal {D}},q_\pi )\)-legitimate distribution sampler, let \(\overline{q}_\pi := q_\pi + Q(q_{\mathcal {D}})\) and \(\widehat{q}:=\overline{q}_\pi + q_{R}+q_{\mathcal {D}}d\). Then \(\mathsf {Rev}_{s,n,r}^{\pi }\) is \(((q_\pi ,q_{\mathcal {D}},q_{R},q_{S}),\gamma ^*,\epsilon _{\mathsf {rob}})\)-robust, for \(\epsilon _{\mathsf {rob}}\) as below:

$$\begin{aligned} \mathsf {Adv}_{\mathsf {\mathsf {Rev}_{s,n,r}^{\pi }}}^{\mathsf {\gamma ^*\mathsf {-rob}}}(\mathcal {A}_{\mathsf {}},\mathcal {D})\le q_R\cdot \bigg (&\frac{\overline{q}_\pi +1}{2^{\gamma ^*}}+\frac{Q(q_{\mathcal {D}})}{2^{sr}}+\frac{7(\widehat{q}^2+1)+29\widehat{q}}{2^{c-1}}\\&+\frac{(2d^2+3)\widehat{q}+d(3d+2d)}{2^n}\bigg ). \end{aligned}$$

Proof

The theorem is the result of the preserving and recovering security bounds in Lemmas 2 and 3 respectively, combined by [13, Theorem 4].

Lemma 1

(Security of the \(\textsf {next} \) function ). Let \(U_x\) is the uniform distribution over x-bit strings, let \(\textsf {next} \) be as defined in Sect. 4, let \(s_{0}\overset{\$}{\leftarrow }\{0,1\}^n\), then for any \(q_\pi \)-query adversary \(\mathcal {A}_{\mathsf {}}\),

$$\begin{aligned} \epsilon _{\mathsf {next}}(q_\pi ):=\mathsf {Adv}_{\mathsf {\mathcal {A}_{\mathsf {}}}}^{\mathsf {\mathsf {dist}}}(\textsf {next} (U_n),(U_n,U_r))&\le \left( 2-\frac{1}{2^r}\right) \frac{q_\pi }{2^{c-1}} + \frac{3q_\pi }{2^{c-1}}\\&=\left( 5-\frac{1}{2^r}\right) \frac{q_\pi }{2^{c-1}}. \end{aligned}$$

Proof outline. Distinguishing between \(\textsf {next} (s_{0})\) and random output \((S,T)\overset{\$}{\leftarrow }\{0,1\}^n \times \{0,1\}^r\) naively, it seems like the adversary’s only option is to guess the inner state of the secret initial state, by either a direct forward query to \(\pi \) or by an indirect guess that would reveal a candidate for this inner state through a query to \(\pi ^{-1}\).

The proof, given in Appendix B proves that this is in fact the optimal strategy. Since there are two parts to the challenge, the logical approach is to split the proof into first proving that one part of the challenge can be replaced with random, before approaching the remaining part of the challenge.

We note that unlike [13], the next function requires a uniformly random state; the difference is made up for in a game jump in the proof, but allows us to avoid an additional call to \(\pi \), as is required in [13]. This step can be reinstated at the cost of a single additional call to \(\pi \).

5.1 Preserving Security

Now that we have this tool, we can prove the following:

Lemma 2

Given Reverie as defined in Sect. 4, and with \(\epsilon _{\mathsf {next}}\) as above, then for every \(q_\pi \)-query adversary \(\mathcal {A}_{\mathsf {}}\) playing the preserving security game defined in Definition 8 with \(d\) adversarial refresh inputs, we have

$$\begin{aligned} \mathsf {Adv}_{\mathsf {\mathcal {A}_{\mathsf {}}}}^{\mathsf {\mathsf {pres}}}(\textsf {Reverie} [\pi ])&\le \epsilon _{\mathsf {next}}(q_\pi ) + \frac{q_\pi '+d}{2^n}+\frac{(d+1)(2q_\pi '+d)}{2^n}\\&\le \frac{5q_\pi }{2^{c-1}}+\frac{(2d+3)q_\pi +d(d+2)}{2^{n}}. \end{aligned}$$

Proof outline. The proof relies on proving that for a random secret initial state \(s_{0}\), the resulting state \(s_{d}\) will look random and thus, by our previous analysis of the \(\textsf {next} \) function, the challenge output will also be random. The complete proof can be found in the full version of the paper.

5.2 Recovering Security

Thanks to the impressive result of [13] the proof of recovering security can be expressed as an adaptation of their result; using the sponge as an extractor, and the security of the \(\textsf {next} \) function. To formalise this:

Lemma 3

Let \(q_\pi , \overline{q}_\pi :=q_\pi + Q(q_{\mathcal {D}}), r,s,c\) be as in Sect. 4. Let \(\epsilon _{\mathsf {ext}}(q_\pi ,q_{\mathcal {D}})\) be as described in [13, Sect. 5.3] and similarly let \(\epsilon _{\mathsf {next}}(\overline{q}_\pi )\) be the bound as in Lemma 1 as a function of \(\overline{q}_\pi \); both with nrc as previously described. Given Reverie, also as in Sect. 4, \(\gamma ^*>0, q_{\mathcal {D}}\ge 0, \mathcal {A}_{\mathsf {}}\), a \(q_\pi \)-query adversary against recovering security, and \(\mathcal {D}\), a \((q_{\mathcal {D}},q_\pi )\)-legitimate distribution sampler as defined in Definition 5. Then,

$$\begin{aligned}&\mathsf {Adv}_{\mathsf {\mathsf {Rev}_{s,n,r}^{\pi }}}^{\mathsf {(\gamma ^*,q_\pi )-\mathsf {rec}}}(\mathcal {A}_{\mathsf {}},\mathcal {D})\le \epsilon _{\mathsf {ext}}(q_\pi + 1,q_{\mathcal {D}}) + 2\epsilon _{\mathsf {next}}(\overline{q}_\pi ) + \frac{q_\pi }{2^{n-1}}\\&\le \frac{\overline{q}_\pi +1}{2^{\gamma ^*}}+\frac{Q(q_{\mathcal {D}})}{2^{sr}}+\frac{7(\overline{q}_\pi ^2+1)+24\overline{q}_\pi }{2^{c-1}}+\frac{(\overline{q}_\pi +1)d+d^2+q_\pi -2\overline{q}_\pi }{2^{n-1}}. \end{aligned}$$

Proof outline. The strategy of the proof is to use the extractor properties of the sponge to replace the resulting state with a random state; following this the output of \(\textsf {next} \) will be random by the arguments of Lemma 1. The complete proof can be found in the full version of the paper.

6 Conclusion

We have presented an updated construction, Reverie, for a sponge-like PRNG. The construction incorporates an effective and efficient forward-security mechanism and we have provided proofs of both preserving and recovering security in the chosen security model. Our design makes a single call to the permutation on every invocation of \(\textsf {Reverie}.\textsf {next} \), while the comparable generators make \(1+t\) calls. Our design choice ensures the underlying permutation is called far fewer times. Thus, the loss of security from collisions is reduced when compared to the relevant bounds of other designs.

The main limiting factor of the bound relates to the recovering security bound; and more precisely the extraction bound. This begs the question: can this bound be improved? This is briefly discussed in [13] in the present setting, but we would also like to consider other, possibly similar mechanisms that may present a better security bound; for instance, would a full state refresh yield a better bound? A full state refresh however, enables in practise an adversary to more easily affect or even set the state of the generator.