A Robust and Sponge-Like PRNG with Improved Efficiency

Ever since Keccak won the SHA3 competition, sponge-basedconstructions are being suggested for many different applications, in-cluding pseudo-random number generators (PRNGs). Sponges are verydesirable, being well studied, increasingly efficient to implement and sim-plistic in their design. The initial construction of a sponge-based PRNG(Bertoni et al. CHES 2010) based its security on the well known spongeindifferentiability proof in the random permutation model and providedno forward security. Since then, another improved sponge-based PRNG has been put forwardby Gaži and Tessaro (Eurocrypt 2016) who point out the necessity for apublic seed to prevent an adversarial sampler from gaining non-negligibleadvantage. The authors further update the security model of Dodis etal. (CCS 2013) to accommodate a public random permutation, modelledin the ideal cipher model, and how this affects the notions of security. In this paper we introduce Reverie, an improved and practical, sponge-like pseudo-random number generator together with a formal securityanalysis in the PRNG with input security model of Dodis et al. with themodifications of the Gaži and Tessaro paper. We prove that Reverie is robust when used with a public random per-mutation; robustness is the strongest notion of security in the chosensecurity model. Robustness is proved by establishing two weaker notionsof security, preserving and recovering security, which together, can beshown to imply the robustness result. The proofs utilise the H-coefficienttechnique that has found recent popularity in this area; providing a veryuseful tool for proving the generator meets the necessary security notions.