{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,2,21]],"date-time":"2025-02-21T07:22:37Z","timestamp":1740122557521,"version":"3.37.3"},"reference-count":24,"publisher":"Springer Science and Business Media LLC","issue":"11","license":[{"start":{"date-parts":[[2024,6,27]],"date-time":"2024-06-27T00:00:00Z","timestamp":1719446400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2024,6,27]],"date-time":"2024-06-27T00:00:00Z","timestamp":1719446400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"name":"Institute of Information & communications Technology Planning & Evaluatio","award":["2022-0-01047"],"award-info":[{"award-number":["2022-0-01047"]}]},{"name":"Korea Advanced Institute of Science and Technology"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Des. Codes Cryptogr."],"published-print":{"date-parts":[[2024,11]]},"abstract":"Abstract<\/jats:title>Deterministic random bit generators (DRBGs) are essential tools in modern cryptography for generating secure and unpredictable random numbers. The ISO DRBG standards provide guidelines for designing and implementing DRBGs, including four algorithms: $$\\textsf{HASH}\\text {-}\\textsf{DRBG}$$<\/jats:tex-math>\n \n HASH<\/mml:mi>\n -<\/mml:mtext>\n DRBG<\/mml:mi>\n <\/mml:mrow>\n <\/mml:math><\/jats:alternatives><\/jats:inline-formula>, $$\\textsf{HMAC}\\text {-}\\textsf{DRBG}$$<\/jats:tex-math>\n \n HMAC<\/mml:mi>\n -<\/mml:mtext>\n DRBG<\/mml:mi>\n <\/mml:mrow>\n <\/mml:math><\/jats:alternatives><\/jats:inline-formula>, $$\\textsf{CTR}\\text {-}\\textsf{DRBG}$$<\/jats:tex-math>\n \n CTR<\/mml:mi>\n -<\/mml:mtext>\n DRBG<\/mml:mi>\n <\/mml:mrow>\n <\/mml:math><\/jats:alternatives><\/jats:inline-formula>, and $$\\textsf{OFB}\\text {-}\\textsf{DRBG}$$<\/jats:tex-math>\n \n OFB<\/mml:mi>\n -<\/mml:mtext>\n DRBG<\/mml:mi>\n <\/mml:mrow>\n <\/mml:math><\/jats:alternatives><\/jats:inline-formula>. While security analyses have been conducted for the former three algorithms, there is a lack of specific security analysis for the $$\\textsf{OFB}$$<\/jats:tex-math>\n OFB<\/mml:mi>\n <\/mml:math><\/jats:alternatives><\/jats:inline-formula>-$$\\textsf{DRBG}$$<\/jats:tex-math>\n DRBG<\/mml:mi>\n <\/mml:math><\/jats:alternatives><\/jats:inline-formula> algorithm. We prove its security in the robustness security framework that has been used to analyze $$\\mathsf {CTR\\text {-}DRBG}$$<\/jats:tex-math>\n \n CTR<\/mml:mi>\n -<\/mml:mtext>\n DRBG<\/mml:mi>\n <\/mml:mrow>\n <\/mml:math><\/jats:alternatives><\/jats:inline-formula> by Hoang and Shen at Crypto\u00a02020. More precisely, we prove that $$\\textsf{OFB}$$<\/jats:tex-math>\n OFB<\/mml:mi>\n <\/mml:math><\/jats:alternatives><\/jats:inline-formula>-$$\\textsf{DRBG}$$<\/jats:tex-math>\n DRBG<\/mml:mi>\n <\/mml:math><\/jats:alternatives><\/jats:inline-formula> provides $$O(\\min \\left\\{ \\frac{\\lambda }{3}, \\frac{n}{2} \\right\\} )$$<\/jats:tex-math>\n \n O<\/mml:mi>\n (<\/mml:mo>\n min<\/mml:mo>\n \n \n \u03bb<\/mml:mi>\n 3<\/mml:mn>\n <\/mml:mfrac>\n ,<\/mml:mo>\n \n n<\/mml:mi>\n 2<\/mml:mn>\n <\/mml:mfrac>\n <\/mml:mfenced>\n )<\/mml:mo>\n <\/mml:mrow>\n <\/mml:math><\/jats:alternatives><\/jats:inline-formula>-bit security, including ideal cipher queries, where $$\\lambda $$<\/jats:tex-math>\n \u03bb<\/mml:mi>\n <\/mml:math><\/jats:alternatives><\/jats:inline-formula> and n<\/jats:italic> denote the lower bound of min-entropy and the size of the underlying block cipher, respectively. The proof strategy is to transform the robustness game of $$\\textsf{OFB}$$<\/jats:tex-math>\n OFB<\/mml:mi>\n <\/mml:math><\/jats:alternatives><\/jats:inline-formula>-$$\\textsf{DRBG}$$<\/jats:tex-math>\n DRBG<\/mml:mi>\n <\/mml:math><\/jats:alternatives><\/jats:inline-formula> into an indistinguishability game and then apply the H-coefficient technique to upper bound the distinguishing advantage.<\/jats:p>","DOI":"10.1007\/s10623-024-01449-z","type":"journal-article","created":{"date-parts":[[2024,6,27]],"date-time":"2024-06-27T16:19:44Z","timestamp":1719505184000},"page":"3515-3532","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Security analysis of the ISO standard $$\\textsf{OFB}$$-$$\\textsf{DRBG}$$"],"prefix":"10.1007","volume":"92","author":[{"given":"Woohyuk","family":"Chung","sequence":"first","affiliation":[]},{"given":"Hwigyeom","family":"Kim","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5471-9350","authenticated-orcid":false,"given":"Jooyoung","family":"Lee","sequence":"additional","affiliation":[]},{"given":"Yeongmin","family":"Lee","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2024,6,27]]},"reference":[{"key":"1449_CR1","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/978-3-642-22792-9_1","volume-title":"Advances in Cryptology-CRYPTO 2011","author":"B Barak","year":"2011","unstructured":"Barak B., Dodis Y., Krawczyk H., Pereira O., Pietrzak K., Standaert F.-X., Yu Y.: Leftover hash lemma, revisited. In: Rogaway P. (ed.) Advances in Cryptology-CRYPTO 2011, vol. 6841, pp. 1\u201320. Springer, Berlin (2011)."},{"key":"1449_CR2","doi-asserted-by":"publisher","DOI":"10.6028\/NIST.SP.800-90Ar1","volume-title":"Recommendation for Random Number Generation Using Deterministic Random Bit Generators","author":"E Barker","year":"2015","unstructured":"Barker E., Kelsey J.: Recommendation for Random Number Generation Using Deterministic Random Bit Generators. Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg (2015) https:\/\/doi.org\/10.6028\/NIST.SP.800-90Ar1."},{"key":"1449_CR3","unstructured":"Bernstein D.J., et al.: Factoring RSA keys from certified smart cards: Coppersmith in the wild. Advances in Cryptology-ASIACRYPT 2013: 19th International Conference on the Theory and Application of Cryptology and Information Security, Bengaluru, India, December 1\u20135, 2013, Proceedings, Part II 19. Springer Berlin Heidelberg, (2013)."},{"key":"1449_CR4","first-page":"33","volume":"6225","author":"G Bertoni","year":"2010","unstructured":"Bertoni G., Daemen J., Peeters M., Van Assche G.: Sponge-based pseudo-random number generators. CHES 6225, 33\u201347 (2010).","journal-title":"CHES"},{"key":"1449_CR5","doi-asserted-by":"publisher","first-page":"314","DOI":"10.46586\/tosc.v2018.i1.314-335","volume":"2018","author":"S Bhattacharya","year":"2018","unstructured":"Bhattacharya S., Nandi M.: Revisiting variable output length XOR pseudorandom function. IACR Trans. Symmetric Cryptol. 2018, 314\u2013335 (2018).","journal-title":"IACR Trans. Symmetric Cryptol."},{"key":"1449_CR6","unstructured":"Brown D.R.: Conjectured security of the ANSI-NIST elliptic curve RNG. Cryptology ePrint Archive (2006)."},{"key":"1449_CR7","unstructured":"Campagna M.J.: Security bounds for the NIST codebook-based deterministic random bit generator. Cryptology ePrint Archive, Paper 2006\/379. https:\/\/eprint.iacr.org\/2006\/379 (2006)."},{"key":"1449_CR8","unstructured":"Checkoway S., Niederhagen R., Everspaugh A., Green M., Lange T., Ristenpart T., Bernstein D.J., Maskiewicz J., Shacham H., Fredrikson M.: On the practical exploitability of dual EC in TLS implementations. In: 23rd USENIX Security Symposium (USENIX Security 14), pp. 319\u2013335 (2014)."},{"key":"1449_CR9","doi-asserted-by":"crossref","unstructured":"Dodis Y., Pointcheval D., Ruhault S., Vergniaud D., Wichs D.: Security analysis of pseudo-random number generators with input: \/dev\/random is not robust. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 647\u2013658. Association for Computing Machinery, New York, NY, USA (2013).","DOI":"10.1145\/2508859.2516653"},{"key":"1449_CR10","unstructured":"Heninger N., et al.: Mining your Ps and Qs: Detection of widespread weak keys in network devices. Presented as part of the 21st USENIX Security Symposium (USENIX Security 12). (2012)."},{"key":"1449_CR11","doi-asserted-by":"publisher","first-page":"278","DOI":"10.1007\/978-3-642-00306-6_21","volume-title":"Information Security Applications","author":"S Hirose","year":"2009","unstructured":"Hirose S.: Security analysis of DRBG using HMAC in NIST SP 800\u201390. In: Chung K.-I., Sohn K., Yung M. (eds.) Information Security Applications, vol. 5379, pp. 278\u2013291. Springer, Berlin (2009)."},{"key":"1449_CR12","doi-asserted-by":"publisher","first-page":"218","DOI":"10.1007\/978-3-030-56784-2_8","volume-title":"Advances in Cryptology-CRYPTO 2020","author":"VT Hoang","year":"2020","unstructured":"Hoang V.T., Shen Y.: Security analysis of NIST CTR-DRBG. In: Micciancio D., Ristenpart T. (eds.) Advances in Cryptology-CRYPTO 2020, vol. 12170, pp. 218\u2013247. Springer, Cham (2020)."},{"key":"1449_CR13","unstructured":"International Organization for Standardization: Information technology\u2014Security techniques\u2014Random bit generation (ISO Standard No. 18031:2011). Technical report (2011)."},{"key":"1449_CR14","doi-asserted-by":"publisher","first-page":"328","DOI":"10.1007\/978-3-642-04159-4_21","volume-title":"Selected Areas in Cryptography","author":"J Patarin","year":"2009","unstructured":"Patarin J.: The \u201cCoefficients H\u2019\u2019 technique. In: Avanzi R.M., Keliher L., Sica F. (eds.) Selected Areas in Cryptography, vol. 5381, pp. 328\u2013345. Springer, Berlin (2009)."},{"key":"1449_CR15","doi-asserted-by":"crossref","unstructured":"Raz R., Reingold O.: On recycling the randomness of states in space bounded computation. In: Proceedings of the Thirty-First Annual ACM Symposium on Theory of Computing, pp. 159\u2013168. Association for Computing Machinery, New York, NY, USA (1999).","DOI":"10.1145\/301250.301294"},{"key":"1449_CR16","unstructured":"Ristenpart T., Yilek S.: When Good Randomness Goes Bad: Virtual Machine Reset Vulnerabilities and Hedging Deployed Cryptography. NDSS (2010)."},{"issue":"1","key":"1449_CR17","doi-asserted-by":"publisher","first-page":"506","DOI":"10.13154\/tosc.v2017.i1.506-544","volume":"2017","author":"S Ruhault","year":"2017","unstructured":"Ruhault S.: SoK: security models for pseudo-random number generators. IACR Trans. Symm. Cryptol. 2017(1), 506\u2013544 (2017). https:\/\/doi.org\/10.13154\/tosc.v2017.i1.506-544.","journal-title":"IACR Trans. Symm. Cryptol."},{"key":"1449_CR18","unstructured":"Schoenmakers B., Sidorenko A.: Cryptanalysis of the dual elliptic curve pseudorandom generator. Cryptology ePrint Archive (2006)."},{"key":"1449_CR19","doi-asserted-by":"publisher","first-page":"77","DOI":"10.1007\/978-3-662-46800-5_4","volume-title":"Advances in Cryptology\u2014EUROCRYPT 2015","author":"T Shrimpton","year":"2015","unstructured":"Shrimpton T., Terashima R.S.: A provable-security analysis of intel\u2019s secure key RNG. In: Oswald E., Fischlin M. (eds.) Advances in Cryptology\u2014EUROCRYPT 2015, vol. 9056, pp. 77\u2013100. Springer, Berlin (2015)."},{"key":"1449_CR20","doi-asserted-by":"publisher","first-page":"429","DOI":"10.1007\/978-3-662-53887-6_16","volume-title":"Advances in Cryptology\u2014ASIACRYPT 2016","author":"T Shrimpton","year":"2016","unstructured":"Shrimpton T., Terashima R.S.: Salvaging weak security bounds for blockcipher based constructions. In: Cheon J.H., Takagi T. (eds.) Advances in Cryptology\u2014ASIACRYPT 2016, vol. 10031, pp. 429\u2013454. Springer, Berlin (2016)."},{"key":"1449_CR21","unstructured":"Shumow D., Ferguson N.: On the possibility of a back door in the NIST SP800-90 Dual Ec Prng. In: Proc. Crypto, vol. 7 (2007)."},{"key":"1449_CR22","doi-asserted-by":"publisher","first-page":"151","DOI":"10.1007\/978-3-030-17656-3_6","volume-title":"Advances in Cryptology-EUROCRYPT 2019","author":"J Woodage","year":"2019","unstructured":"Woodage J., Shumow D.: An Analysis of NIST SP 800\u201390A. In: Ishai Y., Rijmen V. (eds.) Advances in Cryptology-EUROCRYPT 2019, vol. 11477, pp. 151\u2013180. Springer, Cham (2019)."},{"key":"1449_CR23","doi-asserted-by":"crossref","unstructured":"Ye K.Q., Green M., Sanguansin N., Beringer L., Petcher A., Appel A.W.: Verified correctness and security of MbedTLS HMAC-DRBG. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 2007\u20132020. Association for Computing Machinery, New York, NY, USA (2017).","DOI":"10.1145\/3133956.3133974"},{"key":"1449_CR24","doi-asserted-by":"crossref","unstructured":"Yilek S., et al.: When private keys are public: Results from the 2008 Debian OpenSSL vulnerability. Proceedings of the 9th ACM SIGCOMM Conference on Internet Measurement. (2009).","DOI":"10.1145\/1644893.1644896"}],"container-title":["Designs, Codes and Cryptography"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10623-024-01449-z.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10623-024-01449-z\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10623-024-01449-z.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,9,29]],"date-time":"2024-09-29T18:02:47Z","timestamp":1727632967000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10623-024-01449-z"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,6,27]]},"references-count":24,"journal-issue":{"issue":"11","published-print":{"date-parts":[[2024,11]]}},"alternative-id":["1449"],"URL":"https:\/\/doi.org\/10.1007\/s10623-024-01449-z","relation":{},"ISSN":["0925-1022","1573-7586"],"issn-type":[{"type":"print","value":"0925-1022"},{"type":"electronic","value":"1573-7586"}],"subject":[],"published":{"date-parts":[[2024,6,27]]},"assertion":[{"value":"8 June 2023","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"9 January 2024","order":2,"name":"revised","label":"Revised","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"19 June 2024","order":3,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"27 June 2024","order":4,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}}]}}