Title: A TPRF-based pseudo-random number generator
Authors: Elena Andreeva, Andreas Weninger
Journal: Journal of Surveillance, Security and Safety, volume 31 1
Publication type: Journal Article
Publication date: 2024-01-28
DOI: 10.20517/jsss.2023.45 (https://doi.org/10.20517/jsss.2023.45)
Citations: 0
Abstract
Most cryptographic applications use randomness that is generated by pseudo-random number generators (PRNGs). A popular practical PRNG choice is the NIST-standardized $\mathrm{CTR\_DRBG}$. In their recent ACNS 2023 publication, Andreeva and Weninger proposed a new, more efficient and more secure PRNG called $\mathtt{FCRNG}$. $\mathtt{FCRNG}$ is based on $\mathrm{CTR\_DRBG}$ and uses the $n$-to-$2n$ forkcipher expanding primitive ForkSkinny as a building block. In this work, we construct a new PRNG, BKRNG, which is based on $\mathtt{FCRNG}$ and employs the novel $n$-to-$8n$ expanding primitive Butterknife. Butterknife is based on the Deoxys tweakable blockcipher (and thus on AES) and realizes a tweakable expanding pseudo-random function. While both blockciphers and forkciphers are invertible primitives, tweakable expanding pseudo-random functions are not. This functional simplification yields security benefits for BKRNG in the robustness security game, the standard security goal for a PRNG. In contrast to the security bound of $\mathrm{CTR\_DRBG}$, we show that the security of our BKRNG construction degrades neither with the length of the random inputs nor with the number of requested output pseudo-random bits. We also empirically test the BKRNG output with the NIST PRNG statistical test suite and the TestU01 suite.
Furthermore, we show that the $n$-to-$8n$ multi-branch expanding nature of Butterknife contributes a significant speed-up to BKRNG compared to $\mathtt{FCRNG}$. More concretely, producing random bits with BKRNG is 30.0% faster than $\mathtt{FCRNG}$ and 49.2% faster than $\mathrm{CTR\_DRBG}$.
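The abstract contrasts invertible primitives (blockciphers, forkciphers) with a non-invertible expanding PRF and states that the $\mathrm{CTR\_DRBG}$ bound degrades with the number of requested output bits. One mechanism behind that degradation is the PRP/PRF switching term: a block cipher under one key is a permutation, so counter mode never emits a repeated block, whereas a truly random function does, and a distinguisher that simply counts output collisions gains advantage roughly $q(q-1)/2^{n+1}$ after $q$ blocks. The Go program below is an added illustration written for this page, not code from the paper or from the BKRNG/Butterknife implementation; it uses constructed 16-bit toy tables (a shuffled table for the permutation, an independently sampled table for the function) so that the collision gap is visible in a second, and the `switchingBound` helper is an assumed name for the standard switching-lemma term.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
)

// Domain size of the constructed toy primitive: 16-bit blocks.
const toyBits = 16
const toyDomain = 1 << toyBits

// toyPermutation models a block cipher under one fixed key: a bijection on
// toyDomain, built as a shuffled lookup table (a constructed toy, not a real
// cipher) so that collision statistics can be computed quickly.
func toyPermutation(seed int64) []int {
	return rand.New(rand.NewSource(seed)).Perm(toyDomain)
}

// toyRandomFunction models a non-invertible random function: every output is
// drawn independently, so repeated output blocks are possible.
func toyRandomFunction(seed int64) []int {
	r := rand.New(rand.NewSource(seed))
	t := make([]int, toyDomain)
	for i := range t {
		t[i] = r.Intn(toyDomain)
	}
	return t
}

// countCollisions feeds q distinct counter values 0..q-1 (as CTR mode does)
// through table and counts how many output blocks repeat an earlier one.
func countCollisions(table []int, q int) int {
	seen := make(map[int]bool, q)
	collisions := 0
	for ctr := 0; ctr < q; ctr++ {
		out := table[ctr]
		if seen[out] {
			collisions++
		}
		seen[out] = true
	}
	return collisions
}

// expectedCollisions is the birthday estimate q(q-1)/(2N) for q outputs of a
// random function over a domain of size N.
func expectedCollisions(q, domain int) float64 {
	return float64(q) * float64(q-1) / (2 * float64(domain))
}

// switchingBound is the PRP/PRF switching-lemma term q(q-1)/2^(n+1): the
// distinguishing advantage available after q n-bit output blocks produced in
// counter mode under a single key.
func switchingBound(q float64, nBits int) float64 {
	return q * (q - 1) / math.Pow(2, float64(nBits+1))
}

// distinguish is the collision distinguisher: it answers "permutation"
// exactly when no output block repeats within q queries.
func distinguish(table []int, q int) string {
	if countCollisions(table, q) == 0 {
		return "permutation"
	}
	return "function"
}

func main() {
	const q = 4096
	perm := toyPermutation(1)
	fn := toyRandomFunction(1)
	fmt.Printf("q=%d, domain=2^%d\n", q, toyBits)
	fmt.Printf("permutation: %d collisions -> %s\n",
		countCollisions(perm, q), distinguish(perm, q))
	fmt.Printf("random fn:   %d collisions (expected ~%.1f) -> %s\n",
		countCollisions(fn, q), expectedCollisions(q, toyDomain), distinguish(fn, q))
	// For a 128-bit block cipher the same term is negligible per request but
	// grows quadratically with the total number of blocks requested.
	fmt.Printf("switching bound, n=128, q=2^32 blocks: %.3g\n",
		switchingBound(math.Pow(2, 32), 128))
}
```

The toy domain is what makes the effect visible; for AES the term only matters once the number of output blocks under one key approaches $2^{64}$, which is why the $\mathrm{CTR\_DRBG}$ bound carries the requested output length, while a generator built on a non-invertible expanding PRF has no such collision-free signature to leak.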