Security analysis of the ISO standard OFB-DRBG

Abstract

Deterministic Random Bit Generators (DRBGs) are essential tools in modern cryptography for generating secure and unpredictable random numbers. The ISO DRBG standards provide guidelines for designing and implementing DRBGs, including four algorithms: $\mathsf{HASH}\text{-}\mathsf{DRBG}$, $\mathsf{HMAC}\text{-}\mathsf{DRBG}$, $\mathsf{CTR}\text{-}\mathsf{DRBG}$, and $\mathsf{OFB}\text{-}\mathsf{DRBG}$. While security analyses have been conducted for the former three algorithms, there is a lack of specific security analysis for the $\mathsf{OFB}$-$\mathsf{DRBG}$ algorithm. We prove its security in the robustness security framework that has been used to analyze $\mathsf{CTR}\text{-}\mathsf{DRBG}$ by Hoang and Shen at Crypto 2020. More precisely, we proves that $\mathsf{OFB}$-$\mathsf{DRBG}$ provides $O(\min\left\{ \frac{\lambda}{3}, \frac{n}{2} \right\})$-bit security, including ideal cipher queries, where $\lambda$ and $n$ denote the lower bound of min-entropy and the size of the underlying block cipher, respectively. The proof strategy is to transform the robustness game of $\mathsf{OFB}$-$\mathsf{DRBG}$ into an indistinguishability game and then apply the H-coefficient technique to upper bound the distinguishing advantage.