Secure and efficient random functions with variable-length output
Introduction
Random numbers are used widely in computers and networks for a variety of purposes. For example, a large number of scientific experiments and simulations need good random numbers to satisfy various requirements, such as creating randomized connections, choosing parameter values randomly, and injecting noise into network simulations (Shin and Weiss, 2010, Wu et al., 2009). The random number generators are also extremely useful in the game programming, in which randomness makes less deterministic for all players and therefore harder to defeat under simple patterns and more replayable (Peretz et al., 2011). Moreover, computer security requires some levels of encryption to be applied to various kinds of data, including secure Web transactions (Jalal and King, 2011), secure transmission technology (EDGE, Bluetooth, WiFi, WiMAX, etc.) (Pering and Want, 2012), or SSH (Gont and Bellovin, 2012). In addition, the random numbers are widely used in various applications, e.g., virus feature match, data comparison, and message lookup, so that a random number generator has already been a necessary function and module in the modern computer systems.
In general, cryptographic primitives, such as Hash function, message authentication code (MAC), and pseudorandom generator (PRG), have been widely used as the cornerstones of various random number generators (Lin et al., 2011, Huang et al., 2013). These functions are collectively called random function because a common feature among them is that their outputs are pseudorandom. In the cryptography, a random function is essentially a one-way function, which is easy to compute on any inputs, but hard to invert when given an output value. Typically, an efficient random function should satisfy some desirable properties, such as randomness, security, efficiency, to meet the requirements of various applications.
Motivation: Smart mobile devices (iPad, iPhone, Android, Blackberry) have experimented exponential growth over the last several years and there are currently around 1.2 billion users worldwide.1 The explosive growth of wireless systems coupled with the proliferation of laptop and palmtop computers indicates a bright future for wireless networks. Many new applications, including wireless sensor networks, smart homes and appliances, and remote tele-medicine, are emerging from research ideas to concrete systems with the help of wireless networks.
Unfortunately, a wireless network is susceptible to security attacks because of its openness of transmission media. Mobile network security has become a major concern to mobile clients throughout the world. In order to solve this issue, more and more cryptographic techniques have been used to enhance the security of these mobile devices, such as signature, encryption, and identification. Especially, some cryptographic random functions, like Hash, MAC, PRF, have been widely employed in a variety of applications and services (Shamir, 2008), including warehouse inventory control, public transportation passes, anti-counterfeiting tags for medicines, and secure identification.
In general, these cryptographic primitives are computed frequently on inputs which are often thousands of bytes long. Moreover, computing and verifying primitives are typically done in software, and may be done on relatively weak platforms with limited energy, such as, wireless sensor, bluetooth, and wearable computing. Additionally, the computations must be done in real time. Therefore, developing techniques for optimizing these cryptographic primitives while retaining an appropriate level of security is crucial to improve the performance of mobile devices.
More importantly, there exist too many algorithms (or standards) that can be used to implement these primitives. For example, general hash algorithms have FNV (Fowler et al., 1988), RIPEMD-160, MD5, SHA-1 (Sasaki and Aoki, 2009), SHA-2, HMAC (Bellare et al., 1996, Bellare et al., 2000), Lookup3, Spooky, JSHash (Jenkins, 2009), and Murmur (Appleby, 2011). This often leads to a large number of different algorithms stored in the system, a waste of limited storage space, and even the confusion. Therefore, it is necessary to provide a common method to unify a variety of primitives into a family of cryptographic functions (Etzel et al., 1999) with variable-length output. So that we can use a common core algorithm to construct various cryptographic functions. In addition, special hardware or optimized software based on such a core algorithm can be designed to further improve the system performance. In brief, several goals desired in this paper have been found to be of great practical value, such as:
- •
To construct a family of random functions, including Hash, MAC, PRG, based on a common and light weight core algorithm.
- •
To implement a random function with variable-length output according to different requirements in various applications.
- •
To provide several significant properties, such as easy to understand and implement, provable security, parallelizability, and high performance of software and hardware.
Fortunately, a newly developed cryptographic technique, hidden number problem (HNP) on the lattice theory, provides us with a powerful tool for constructing such a family of random functions. For instance, it is well-known that the Square (Blum Blum Shub) hash algorithm, is provably secure, based on the difficulty of the quadratic residue problem (QRP). But only lower-order bits (Blum et al., 1986 (is considered as random in the output of QRP modulo a composite N, e.g., for a 1024-bit N, we can get a 10-bit random output. Especially, a recent survey from HNP showed that bits still remains random (Boneh and Venkatesan, 1997, Kiltz, 2001). This means that we can get about 341-bit random output. Therefore, HNP should be an effective optimization technique to develop an efficient, provably secure, variable-length random function.
Contribution: In this paper, we focus on the construction of a family of random functions with a common, secure and efficient core algorithm. We first present a new hash scheme (called SqHash) based on a specially truncated function (most significant bits, MSB) of Square Hash function. This scheme can provide additional security for the inputted secret based on the assumption of hidden number problem. We also improve the performance of SqHash by using “circular convolution” which makes variable-length output possible. Furthermore, we present a new MAC scheme (called SqMAC) and a new PRG scheme (called SqPRG) based on the same core algorithm. We also prove that the security of these constructions based on the privacy property in the hidden number problem and the Hard-core unpredication of one-way function. Our experiment results show that these schemes have better performance under different input and output lengths. We also perform 4 types of statistical tests for randomness. The experiments indicate that our construction has good average-case randomness than SHA-2 and the original Square algorithm. The proposed schemes as well as their respective performance and security parameters are summarized in Table 1.
The remainder of this paper is organized as follows. In 2 Related work, 3 Background and preliminaries, we review some preliminary background. In 4 Construction of Hash function, 5 Construction of MAC function, 6 Construction of pseudorandom generator, we present the new Hash, MAC and PRG constructions. In 7 Security analysis, 8 Improved algorithms, 9 Statistical tests, we analyze the security and performance features of our schemes and the improved schemes. Section 10 concludes the paper.
Section snippets
Related work
Hash function is one of the most basic forms of random function. It is related to (and often confused with) checksum, fingerprint, randomization function, and so on. Generally, hash functions can be divided into two main categories: non-cryptographic hash functions and cryptographic hash functions. The former neglects cryptographic security, so it is not cryptographically strong, but it offers these benefits: (1) it is extremely simple; (2) it is performed on bitwise and bit shift operations;
Background and preliminaries
When creating cryptographic systems, designers use cryptographic primitives as their most basic building blocks. These primitives are similar in some ways to programming languages, in which a designer will use one of already established components (e.g., DLL, OCX) to program in. The basic primitives, such as cryptographic Hash function, message authentication codes (MACs), pseudorandom generator (PRG), and verifiable random function (VRF), are widely used in various computer and network
Square Hash and its shortcomings
A cryptographic hash function is a function that takes an arbitrary block of data and returns a fixed-size bit string. A square hash function (Etzel et al., 1999) is a cryptographic hash function with for an enough large N, where it is hard to factorize N. Definition 2 Basic Construction The SQH family of hash functions from to is defined as: where the functions f are defined as where, and .
The security of this construction is based on the quadratic
Construction of MAC function
Message authentication code (MAC), sometimes called keyed (cryptographic) hash function, specifies that an authenticated tag between two parties that share a secret key in order to validate message transmitted between these parties. The MAC value protects a message׳s data integrity and its authenticity by allowing verifiers (who also possess the secret key) to detect any changes in the message content. Typically, MACs are built from hash functions. Based on square function, we define the square
Construction of pseudorandom generator
A pseudorandom generator, abbreviated as PRG, is an efficiently computable function which generates a sequence of that approximates the properties of random string. Strictly speaking, no efficient algorithm can distinguish this sequence from a random sequence with significant advantage. Although there exists some practical PRG algorithms, such as, linear congruential generators (LCG), lagged Fibonacci generators (LFG), and linear feedback shift registers (LFSR), we present a fast PRG
Security analysis of SqHash functions
The SQH function f(m) is a cryptographic hash function with preimage resistance and collision resistance (Ouafi and Vaudenay, 2009). The latter property also means that this function is second-preimage resistant. The preimage resistance stems from the fact that Square function is a trap-door one-way function in that given y, without (p,q), to find x such that is as hard as factoring N. Based on these previous work, we provide a brief analysis of security of SqHash function.
Improved algorithms
We use two different approaches (i.e., the truncated function and circular convolution) to improve the performance of all proposed schemes. Usually, long-size cryptographic algorithms are not suitable for providing security on wireless devices due to their limited computation and communication capabilities. In a cryptosystem, key length is usually much longer than the “word size” of mobile devices, typically 16 or 32 bits. Using short ALU to deal with long data often leads to more complex
Statistical tests
The security proofs have shown that our schemes are able to resist some common attacks, but this does not mean that they have excellent properties to meet the requirements of various applications. To end it, a set of statistical tests for randomness are described in this section. In our statistical tests, the performance of our schemes and SHA-2 functions is measured by several valuation tools written in Mathematica 7 and VC 2005. These tools are run on a IBM desktop PC (2.0 GHz and 2 GB RAM)
Conclusions
In this paper, we prompt the idea of constructing various basic cryptographic primitives (such as hash, MAC, and PRG) from a common core algorithm to simplify the management and improve the efficiency of current cryptographic implementation practices on mobile devices. For this purpose, we present the design of a family of cryptographic primitives based on the common core squaring operation. Our design takes advantage of the practical construction in ALU hardware, such as parallel processing
Acknowledgements
We are indebted to anonymous reviewers for their valuable suggestions. This work was presented in part at the Global Communications Conference (GLOBECOM), Anaheim, CA, USA, 2012. This work was supported by the National 973 Program (Grant No. 2013CB329605) and the National Natural Science Foundation of China (Grant Nos. 61170264 and No. 61370187).
References (33)
- et al.
The security of the cipher block chaining message authentication code
J Comput Syst Sci
(2000) - et al.
Fast and deterministic hash table lookup using discriminative bloom filters
J Netw Comput Appl
(2013) - et al.
Efficient vehicle ownership identification scheme based on triple-trapdoor chameleon hash function
J Netw Comput Appl
(2011) - et al.
Resilient and efficient load balancing in distributed hash tables
J Netw Comput Appl
(2009) - Appleby A. Murmur hash. 2011....
- et al.
Keying hash functions for message authentication
- et al.
Quada practical stream cipher with provable security
- et al.
A simple unpredictable pseudo-random number generator
SIAM J Comput
(1986) - et al.
The modular inversion hidden number problem
- et al.
Rounding in lattices and its cryptographic applications