A Time-Success Ratio Analysis of wPRF-based Leakage-Resilient Stream Ciphers
Maciej Skorski

TL;DR
This paper analyzes the security bounds of leakage-resilient stream ciphers based on weak pseudorandom functions, compares different proofs quantitatively, and highlights gaps in current security guarantees when using standard primitives.
Contribution
It provides a comprehensive comparison of existing security bounds and revisits proof techniques to assess their practical security implications.
Findings
Identifies a flaw in the recent security analysis of the EUROCRYPT'09 stream cipher.
Demonstrates that current proofs do not guarantee security when instantiated with standard primitives.
Introduces a time-success ratio analysis to compare security bounds on a common scale.
Abstract
Weak pseudorandom functions (wPRFs) have found an important application as the main building block of leakage-resilient stream ciphers (EUROCRYPT'09). Several security bounds, based on different techniques, have been given for these stream ciphers. The security loss in these reduction-based proofs is always polynomial, but it has not been studied in detail. The aim of this paper is twofold. First, we present a clear comparison of the quantitatively different security bounds in the literature. Second, we revisit the current proof techniques and answer the natural question of how far we are from meaningful and provable security guarantees when instantiating weak PRFs with standard primitives (block ciphers or hash functions). In particular, we demonstrate a flaw in the recent (TCC'14) analysis of the EUROCRYPT'09 stream cipher, which means that we still don't know whether it offers provable security when instantiated…
Taxonomy
Topics: Cryptographic Implementations and Security · Chaos-based Image/Signal Encryption · Physical Unclonable Functions (PUFs) and Hardware Security
