A preliminary version of this paper appears in the proceedings of Eurocrypt 2016.

This is the full

version.

Nonce-Based Cryptography: Retaining Security when

Randomness Fails

Mihir Bellare1 Björn Tackmann2

March 2016

Abstract
We take nonce-based cryptography beyond symmetric encryption, developing it as a broad
and practical way to mitigate damage caused by failures in randomness, whether inadvertent
(bugs) or malicious (subversion). We focus on definitions and constructions for nonce-based
public-key encryption and briefly treat nonce-based signatures. We introduce and construct
hedged extractors as a general tool in this domain. Our nonce-based PKE scheme guarantees
that if the adversary wants to violate IND-CCA security then it must do both of the following:
(1) fully compromise the RNG (2) penetrate the sender system to exfiltrate a seed used by the
sender.

1
Department of Computer Science & Engineering, University of California San Diego, 9500 Gilman Drive, La
Jolla, California 92093, USA. Email: [email protected]. URL: http://cseweb.ucsd.edu/~mihir/. Supported in
part by NSF grants CNS-1526801 and CNS-1228890, ERC Project ERCC FP7/615074 and a gift from Microsoft.
2
Department of Computer Science & Engineering, University of California San Diego, 9500 Gilman Drive,
La Jolla, California 92093, USA. Email: [email protected]. URL: http://cseweb.ucsd.edu/~btackmann.
Supported in part by the Swiss National Science Foundation (SNF) via Fellowship No. P2EZP2_155566 and NSF
grant CNS-1228890.

1
Contents
1 Introduction 3

2 Notation and standard definitions 7

3 Hedged Extractors 8

4 Nonce-based public-key encryption 15

5 Nonce-based signatures 21

References 25

2
1 Introduction
An old security adage says there is no point putting strong locks on the door if you leave the
window open. The lock here is modern public-key encryption, proven to meet the strong IND-CCA
goal. The window is the assumption made in these proofs that, at every encryption, the encryptor
has access to perfect, fresh (independent from prior) randomness. To allow encryption to fulfill in
practice the promise it makes in theory, we must close the window. This paper develops nonce-
based public-key encryption as a practical way to do this. It goes on to develop nonce-based digital
signatures.
Randomness. That randomness failures occur and lead to cryptographic failures is by now very
well known and does not need to be belabored. The news of interest is perhaps that it is getting
worse. Let us explain. There are two sources of randomness failures. The first, which has been
with us a while and is not going away, is bugs. A good example is the Debian Linux vulnerability
present from September 2006 to May 2008 where a programmer removed some lines of code from
the OpenSSL source, resulting in there being only 15 bits of entropy in the seed for the PRNG [1].
HDWH [24] finds cryptographic vulnerabilities in a significant fraction of TLS and SSH servers due
to what they call “malfunctioning RNGs.” And the list goes on. The second source of randomness
failures, which may have been with us for a while but of which we have learned only recently due
to the mass-surveillance revelations, is subversion, the deliberate and targeted attempt to weaken
randomness. At the South by South West (SXSW) 2014 conference, Snowden said “we know that
the encryption algorithms we are using today work ... it is the random number generators that are
attacked as opposed to the encryption algorithms themselves.” The prime example here is Dual
EC, a RNG the NSA designed to have a backdoor and then pushed into standards and adoption.
The ability to compromise security in practice via the backdoor has been demonstrated in [16].
Prior work. The basic definitions of security for public-key encryption (PKE), namely IND-
CPA [23] and IND-CCA [7, 18], provide no guarantees if the randomness is bad. There is a long
line of work giving new definitions of security that do provide such guarantees, and building PKE
schemes to meet these definitions.
The simplest way to avoid vulnerabilities due to poor randomness is to not use randomness
at all. Deterministic PKE [4, 14, 8, 21] however only provides security when the messages have
high min-entropy. This limits utility (for example, we may want to encrypt votes, which have low
min-entropy) and, although in a different context, CGPR [15] show that in practice the entropy of
“real” data is often quite low. Hedged PKE [5, 9, 33] extends Deterministic PKE to provide privacy
as long as the message and randomness together have sufficient min-entropy. This is a significant
benefit and we recommend that one use Hedged PKE whenever possible. But the limitations
remain. Since messages regularly do not in fact have entropy [15], and the “randomness” can be
entirely predictable (this happened both with the Debian Linux bug and the Dual EC subversion),
the message and randomness together still may not have enough entropy for hedged encryption
to provide security. A further limitation of both Deterministic and Hedged PKE is that security
is only provided for messages that do not depend on the public key. (This second limitation can
be partially addressed but at some cost [32].) Yilek [38] defines and achieves security against
randomness-reset attacks, where the randomness is perfect but the adversary can force its re-use
across different encryptions. This is useful in the context of virtual machine resets but not more
broadly. PSS [30] introduce related-randomness attacks, where encryption is under adversary-
specified functions of some initial uniform randomness. However, negative results they provide
show that for many functions one cannot achieve security.
In summary, all these notions have some limitations and the practical benefit they provide is

3
not clear. Most importantly, these were all designed in the older mindset of RNG failures due to
bugs and can break down severely when the RNG is subverted. The latter is the new reality against
which we need to defend.
Nonces. Rogaway [34, 35] introduced nonce-based symmetric-key encryption, where the encryp-
tion algorithm is deterministic, taking the shared key, message and a quantity called a nonce.
Security is provided as long as the nonce does not repeat. The notion was strengthened by Rog-
away and Shrimpton (RS) [36]. Rogaway suggests that packet sequence numbers may play the role
of the nonce. Motivations he provides include reducing implementor error and achieving stronger
notions of security. We suggest that nonces can be used much more broadly and are a good defense
against poor randomness. The goal we pursue in depth is nonce-based PKE.
The obvious extension fails. Towards this we begin by noting that a direct extension of
nonce-based symmetric-key encryption as defined in [34, 35, 36] to the public-key setting does not
work. Such an extension would have the encryption algorithm E be deterministic, taking input
the encryption key ek, message m and a nonce n to return the ciphertext C = E(ek, m, n). The
privacy game would give the adversary an oracle that takes messages m0 , m1 and a nonce n (in
the definitions of [34, 35, 36], nonces are adversarially chosen subject to not repeating) to return
C = E(ek, mb , n), where b is a challenge bit chosen at random by the game. Security would require
that the adversary has little advantage in guessing b. But such security would not be achieved
because in the public-key setting the adversary has ek and can itself encrypt. Thus it could query
its oracle with any m0 , m1 , n of its choice to get back ciphertext C = E(ek, mb , n), and itself
compute C0 = E(ek, m0 , n). If C = C0 it knows that the challenge b is 0, else it is 1.
Nonce-based PKE. We define a nonce-based PKE scheme NPE as follows. The receiver runs
key-generation algorithm NPE.Kg as usual to get an encryption key ek and decryption key dk. Not
as usual, the sender begins by locally running a seed generation algorithm NPE.sKg to get a seed xk.
The encryption algorithm NPE.Enc is deterministic, taking in addition to the usual ek and message
m, two new inputs, a nonce n and the seed xk, and returning ciphertext C = NPE.Enc(ek, xk, m, n).
Decryption is unchanged, taking dk and a ciphertext C to return a message. The receiver does
not need to know the seed, and the keys and seed are entirely independent. The sender can either
re-use the same seed across multiple encryptions, or generate a fresh one at every encryption, or
anything in between, and the receiver will be oblivious to all of this.
Security is captured via two games and corresponding requirements. Nonce-based privacy One
(NBP1) asks that IND-CCA privacy be maintained as long as message-nonce pairs do not repeat.
That is, the only way security fails is if, for the same message, a nonce is re-used. This is a very
strong guarantee. However there is one caveat, namely this holds when the seed is kept private
from the adversary. Nonce-based privacy Two (NBP2) addresses the possibility that the adversary
compromises the sender’s system and obtains the seed. Even in this case, it guarantees IND-CCA
privacy as long as nonces are unpredictable to the adversary. The formalizations are in terms of a
stateful nonce generator NG that takes an adversary specified input η to return the next nonce, so
that nonces are (indirectly) under adversary control.
In practice we would expect a combination of a variety of things to be used as the nonce, for
example the current time (this does not repeat) and prior ciphertexts, but, also, randomness from
the system RNG, since, for NBP2, nonce unpredictability is required. (This is a departure from
the symmetric setting.) However guarantees in the face of poor randomness are much better than
before, as we now explain.
What this buys us. Intuitively our definitions are saying the following. Consider two cases. The
expected and good case is that the sender seed stays private. In this case we get IND-CCA privacy

4
regardless of the quality of the randomness, the only requirement being that message-nonce pairs do
not repeat. The latter is a mild condition, such repetition being unlikely with reasonable nonces,
even simply using the date and time as the nonce. The other case is that the sender’s system is
compromised and the seed is exposed. In this case, we are effectively in the setting of standard
PKE and we cannot deterministically provide IND-CCA. We guarantee that we do no worse than
standard PKE, meaning we provide IND-CCA as long as the randomness (here part of the nonce)
is good. But in fact we do better, since the requirement on nonces is only unpredictability. This
means that we are safe even if the outputs of the RNG are correlated and structured, as long as
they remain unpredictable.
Put another way, if a subvertor wanted to compromise privacy, it would not suffice to compro-
mise the RNG. They would have to also break in to the sender’s system, find the seed, and exfiltrate
it. Frequent rotation of seeds (which has effectively no cost) makes this even harder. This ups the
ante. Now, it is true that with the NSA’s capabilities in malware, we should not under-estimate
their ability to penetrate a target sender. But this would have to be done on per-sender basis,
making mass surveillance harder.
Hedged extractors and our scheme. It is easy to achieve either of NBP1 or NBP2 in isolation.
We can get an NBP1 nonce-based PKE scheme by encrypting under a conventional (randomized)
IND-CCA PKE scheme with the coins set to the result of a PRF keyed by the sender seed and
applied to the message and nonce, but there is no reason this scheme would also be NBP2 secure.
We can get an NBP2 nonce-based PKE scheme by encrypting under the conventional IND-CCA
PKE scheme with the coins set to the result of an extractor keyed by the seed and applied to
the (message and) nonce, but there is no reason this scheme would also be NBP1 secure. To
simultaneously get both properties, we introduce and use hedged extractors.
A hedged extractor HE takes a seed (also called a key) xk, a message m and a nonce n to
deterministically return a string r = HE(xk, (m, n)). It has two properties: (1) It is a PRF,
meaning if xk is random and hidden then the outputs look random even to an adversary that picks
m, n, and (2) it is an extractor, meaning if xk is random but known, then r looks random if (m, n)
is unpredictable (meaning, has enough min-entropy). Again, achieving either goal in isolation is
trivial. The task is to achieve them simultaneously, in the same construction. We give two solutions,
one in the ROM, the other in the standard model. The first is easy but practical, and likely to
be what we would use, namely to simply apply the RO to xk, (m, n). The second combines a
PRF with a strong randomness extractor via XOR. The ROM solution delivers optimal security,
the standard-model one a bit less due to the inherent limitations of strong randomness extractors,
namely that they are only guaranteed to work for seed-independent inputs that retain min-entropy
even conditioned on prior inputs.
Our nonce-based PKE scheme is then simply defined via the same paradigm as for the in-
isolation cases, namely we encrypt under a conventional (randomized) IND-CCA PKE scheme
with the coins set to the result of a hedged extractor keyed by the sender seed and applied to the
message and nonce. Both NBP1 and NBP2 security are proven for this scheme assuming IND-CCA
of the conventional scheme and security of the hedged extractor.
Discussion and pragmatics. We can view nonce-based cryptography as moving the traditional
abstraction boundary between cryptography and system RNGs closer to the cryptography. The
view is that, in the presence of bad RNGs, a safer and better architecture is that the cryptography
take on as large a share of the burden of providing security as possible, in other words, rely on its
environment as little as possible. Our suggestion here is that the environment is relied on only to
produce nonces with relatively weak requirements. This view is in some ways the opposite of that
represented by work that aims to strengthen RNGs against failure or subversion [19]. In practice

5
the two can co-exist and their combined presence will increase security.
Our nonce-based encryption scheme is simple and modular, a way to transform any given
conventional IND-CCA scheme into an NBP1+NBP2 secure nonce-based scheme. With a practical
choice of hedged extractor such as our ROM one, we retain the efficiency attributes of the initial
PKE scheme. In our scheme, decryption is unchanged. The decryptor does not need to change
its software or even know that nonces are being used. These attributes make it easier to deploy
nonce-based PKE as a practical defense against poor randomness.
In the above-discussed prior work aimed at increasing resistance of PKE to randomness failures,
the model was unchanged in the sense that the object whose security was being considered continued
in syntax to be a classical public-key encryption scheme as per [23]. Nonce-based encryption is a
new model (because the sender has a seed) and a new syntax (there is a seed generation algorithm
and the encryption algorithm is different). It is these changes, and in particular not just the nonce,
but the combination of nonce and seed, that are a game changer and result in significantly better
guarantees against poor randomness compared to prior work.
Picking a seed, like picking a key, does require (good) randomness. The viewpoint here, as in all
the prior work discussed above, is that there is a difference between static and dynamic randomness
usage. We assume good randomness for key generation because effort can be invested in it. Current
key-generation software often has the user generate coins by waving their mouse around. Good
seed generation would require similar effort, but one would expect to use a seed for some time so
this effort is not frequent. This is flexible. If a seed is lost due to a system reboot, or compromised,
the user can elect to make the effort to pick a new one. If you are encrypting from multiple systems
(your desktop, laptop and phone) each can have its own, independently chosen seed.
Nonce-based signatures and beyond. We define nonce-based signatures, where the signing
algorithm is deterministic, and takes not only the signing key and message, but also a seed and
nonce. We require that (1) if the seed remains hidden then we have regular security (unforgeability)
regardless of how nonces are generated, and (2) if the seed is exposed, then we have security as
long as the nonces were unpredictable. Section 5 formalizes this and shows how to convert any
signature scheme into a nonce-based one with these security properties using a hedged extractor.
Due to their speed and short signature sizes, the most attractive signature schemes for practice
are elliptic-curve versions of DSA, El Gamal and Schnorr [37]. However, they are randomized, and
fail spectacularly when the randomness is bad. Discussions on the cfrg forum show overwhelming
support for making these schemes deterministic. This is easily done, by deriving the coins either
as a PRF, keyed by a seed that is part of the secret key and applied to the message, or as a
RO applied to the secret key and message [29, 26, 11, 31], and the popular Ed25519 signature
scheme of [13] already embodies this. Making a scheme nonce-based complements this traditional
de-randomization, retaining the benefits of deterministic signing while adding further ones. See
Section 5 for more extensive background and discussion.
Nonces in combination with seeds can similarly be used in many other areas of cryptography
to provide resilience in the face of poor randomness or even provide other gains. Our work aims to
be illustrative rather than exhaustive.
Related work. BKS [10] introduce stateful PKE. Here also the sender can maintain a seed.
They show that this leads to significant efficiency gains. Their schemes are however randomized,
and there are no nonces. An interesting direction for future work is to combine their methods with
ours to get similar efficiency gains for nonce-based PKE.
Krawczyk [28] proposes the use of HMAC as an extractor. Interestingly, HMAC exhibits a
duality property that is similar to our hedged extractors: it is a PRF if its seed is random and
secret [6, 3, 22] and a computational extractor, in the ROM, if its seed is public or even constant [20].

6
The notion of computational extractor used by Krawczyk [28] is, however, weaker than ours. It
is defined for only a single extraction and the distribution of the inputs cannot be influenced by
the adversary. Understanding whether HMAC can be seen as a hedged extractor according to our
definitions is an interesting open question.
Rogaway [35] discusses nonces as “surfacing the IV.” As motivation, he says that when IVs are
implicit, implementors and even books get things wrong. He says that often nonces are readily
available, for example packet sequence numbers. He does not seem to explicitly mention robustness
in the face of randomness failure as a goal in the symmetric case. Intriguingly, in the final section
of the paper, he goes on to say: “ ... it makes just as much sense to consider nonce-based public-
key encryption schemes as it does to consider nonce-based symmetric encryption schemes. This
provides an approach to effectively weakening the requirement for randomness on the sender.” Our
work has pursued this suggestion. It is surprising that this waited 12 years.

2 Notation and standard definitions

Notation. We let ε denote the empty string. If X is a finite set, we let x ←$ X denote picking an
element of X uniformly at random and assigning it to x. Algorithms may be randomized unless
otherwise indicated. Running time is worst case. If A is an algorithm, we let y ← A(x1 , . . . ; r)
denote running A with random coins r on inputs x1 , . . . and assigning the output to y. We let
y ←$ A(x1 , . . .) be the result of picking r at random and letting y ← A(x1 , . . . ; r). We let [A(x1 , . . .)]
denote the set of all possible outputs of A when invoked with inputs x1 , . . .. We use the code based
game playing framework of [12]. (See Fig. 1 for an example.) By Pr[G] we denote the event that
the execution of game G results in the game returning true. Random oracles are variable output
length, represented by a game procedure RO that takes x, l and returns a random string of length l.
The min-entropy of a random variable X over X is defined as H∞ (X) = − log(maxx∈X (Pr[X = x])).
Function families. A family of functions F: F.Keys×F.Dom → F.Rng is a two-argument function
that takes a key K in the key space F.Keys, an input x in the domain F.Dom and returns an output
F(K, x) in the range F.Rng. In the ROM, F takes an oracle RO.
Pseudo-random functions. The security of F as a PRF is defined via game Gprf F (A) that is
associated to adversary A and shown in Fig. 1. Intuitively, the game requires the adversary to
distinguish between F with a uniformly random key and a uniformly random function F.Dom →
F.Rng. Here F could have access to a RO and thus the game is in the ROM. Tables S, T are assumed
initially ⊥ everywhere. The advantage of A is defined as Advprf prf
F (A) = 2 Pr[GF (A)] − 1.
Public-key encryption. A public-key encryption scheme PE specifies the following. Receiver
key-generation algorithm PE.Kg returns an encryption key ek and associated decryption key dk.
Encryption algorithm PE.Enc takes ek and message m ∈ {0, 1}∗ to return a ciphertext c. Determin-
istic decryption algorithm PE.Dec takes ek, dk and ciphertext c to return a value in {0, 1}∗ ∪ {⊥},
and we require standard decryption correctness. The advantage of an adversary A in breaking
ind ind
the IND-CCA security of PE is defined as Advind PE (A) = 2 Pr[GPE (A)] − 1 for the game GPE (A)
described in Fig. 1. This represents a conventional (not nonce-based) scheme, and thus PE.Enc is
randomized. We will use such schemes as base schemes and we will need to surface their coins,
writing c ← PE.Enc(ek, m; r) to mean that PE.Enc is run with coins r to deterministically return
c. The length of the coins is denoted PE.rl.
Digital signatures. A digital signature scheme DS specifies the following. Signer key-generation
algorithm DS.Kg returns a signature key sk and a verification key vk. Signing algorithm DS.Sig
takes sk and message m ∈ {0, 1}∗ to return a signature s ∈ {0, 1}DS.ol . Verification algorithm

7
 Game Gprf
F (A) Game Gind
PE (A) Game Guf
DS (A)
fk ←$ F.Keys (ek, dk) ←$ PE.Kg (sk, vk) ←$ DS.Kg
c ←$ {0, 1} b ←$ {0, 1} ; C ← ∅ M ←∅
c0 ←$ AFn,RO b0 ←$ AENC,DEC (ek) (m, s) ←$ ASIG (vk)
Return (c = c0 ) Return (b = b0 ) v ← (DS.Ver(vk, m, s) = 1)
Fn(x) ENC(m0 , m1 ) Return (v ∧ (m 6∈ M ))
If (c = 1) then If (|m0 | =
6 |m1 |) then return ⊥ SIG(m)
S[x] ← FRO (fk, x) c ←$ PE.Enc(ek, mb ) s ← DS.Sig(sk, m)
Else C ← C ∪ {c} M ← M ∪ {m}
If S[x] = ⊥ then Return c Return s
S[x] ←$ F.Rng DEC(c)
Return S[x]
If (c ∈ C) then return ⊥
RO(x, l) m ← PE.Dec(ek, dk, c)
If T [x, l] = ⊥ then Return m
T [x, l] ←$ {0, 1}l
Return T [x, l]

Figure 1: Games for defining PRF security of a function family F, standard IND-CCA
security of a standard PKE scheme PE and EUF-CMA security of a signature scheme
DS.

DS.Ver takes vk, message m ∈ {0, 1}∗ , and signature s ∈ {0, 1}DS.ol , to return a bit b ∈ {0, 1}. The
advantage of an adversary A in breaking the EUF-CMA security of DS is defined as Advuf DS (A) =
Pr[Guf
DS (A)] for the game G uf
DS (A) described in Fig. 1. Again we may need to surface the coins
r ∈ {0, 1} DS.rl of DS.Sig, writing s ← DS.Sig(sk, m; r).

3 Hedged Extractors
Our nonce-based schemes work simply by supplying coins to a base scheme via a hedged extractor
keyed by the sender seed. This primitive, that we introduce and build here, is a function family
that has two security properties. The first is that it is a PRF. The second, which we define and
call ror (real or random) security, formalizes randomness of outputs when the key (seed) is known.
Clearly this can only be achieved with some restrictions, and the type of ror security achieved will
vary across constructions, from the “best possible” achieved by our ROM construction to a weaker,
but we think still meaningful, version for our standard model construction. To make the goals
precise we first introduce the notion of a nonce generator.
Nonce generators. A nonce generator is an algorithm NG that, on input a nonce selector η
and a current state St, returns a nonce n, belonging to the range set NG.Rng ⊆ {0, 1}∗ of NG,
together with an updated state, written (n, St) ←$ NG(η, St). We say the generator has nonce
length NG.nl ∈ N if NG.Rng = {0, 1}NG.nl . Let P be an adversary called a predictor and consider
game Gpred
NG (P) of Fig. 2. Let

Advpred pred
NG (P) = Pr[GNG (P)] and Advpred pred
NG (q1 , q2 ) = max AdvNG (P) ,
P

where the maximum is over all P making at most q1 ∈ N queries to GEN and q2 ∈ {0, 1} queries to

8
 Game Gpred
NG (P) Game Gror
HE,NG (G)
St ← ε ; s ← 0 ; N ← ∅ St ← ε ; xk ←$ HE.Keys ; c ←$ {0, 1} ; s ← 0
n ←$ P GEN,EXPOSE c0 ←$ G RoR,EXPOSE,RO (xk)
Return ((n ∈ N ) OR coll) Return (c = c0 )
GEN(η) RoR(m, η)
If s = 1 then return ⊥ If s = 1 then return ⊥
(n, St) ←$ NG(η, St) (n, St) ←$ NG(η, St)
If (n ∈ N ) then coll ← true If (c = 1) then r ← HERO (xk, (m, n))
N ← N ∪ {n} Else r ←$ HE.Rng
EXPOSE Return r

s←1 EXPOSE
Return St s ← 1 ; Return St
RO(x, l)
If T [x, l] = ⊥ then T [x, l] ←$ {0, 1}l
Return T [x, l]

Figure 2: Games for defining predictability of the nonce generator NG and real or
random security of function family HE.

EXPOSE. Now let us explain. A call to GEN generates the next nonce in the sequence, returning
nothing to the adversary, The adversary can influence the choice of nonces through its choice of
the selector η. The EXPOSE oracle allows to additionally get access to the state of the nonce
generator. To win, the adversary needs to guess some generated nonce or create a collision between
generated nonces.
Nonce generators represent another departure from nonce-based symmetric encryption. In the
latter the adversary picks the nonce, but we saw in Section 1 that this does not work in the public-
key setting. Instead, we model the process of a sender picking a nonce via a nonce generator.
In discussions, we refer to NG as weakly unpredictable if it is unpredictable for adversaries
making no EXPOSE query, meaning Advpred NG (q1 , 0) is “small” for “practical” values of q1 , and
strongly unpredictable if it is unpredictable even for adversaries making an EXPOSE query, mean-
ing Advpred
NG (q1 , 1) is “small” for “practical” values of q1 . If NG is strongly unpredictable it is also
weakly unpredictable, but not necessarily vice versa. That is, the class of weakly unpredictable
nonce generators is larger than the class of strongly unpredictable nonce generators.
Real or random security. Let HE: HE.Keys × HE.Dom → HE.Rng be an oracle family of
functions (this means it may have access to a random oracle). The first input is referred to as the
“key” or the “seed.” The domain has the form HE.Dom = {0, 1}∗ × HE.NS, so that an input is
a pair of strings, the first referred to as the “message” and the second as the “nonce,” the latter
drawn from a nonce space HE.NS associated to HE. Consider game Gror HE,NG (G) of Fig. 2 associated
to HE, nonce generator NG and an adversary G. The number of queries to EXPOSE is either 0 or
1, and the number to other oracles is arbitrary. Let
Advror ror
HE,NG (G) = 2 Pr[GHE,NG (G)] − 1 .

Note that here the adversary is given the key (seed) xk as input, unlike in the PRF notion, modeling
exposure of the sender seed. Security asks that outputs of HE(xk, (·, ·)), for adversary-chosen

9
messages and nonces from the nonce generator, are indistinguishable from random. Clearly, this
will be possible only with certain restrictions, which will emerge when we discuss our constructions
below.
In game Gror
HE,NG (G), we say that adversary G is agnostic if its RoR queries do not depend on the
seed xk. More formally, there exists a pair (G1 , G2 ) of algorithms such that G RoR,EXPOSE,RO (xk)
does the following:
St ←$ G1RoR,EXPOSE,RO (ε) ; c0 ← G2EXPOSE,RO (xk, St) ; Return c0 .
This represents one of the restrictions we will impose to achieve ror security in the standard model.
Hedged extractors. A hedged extractor HE: HE.Keys × HE.Dom → HE.Rng is an oracle fam-
ily of functions as above where the goal is that (1) HE is a PRF, meaning Advprf HE (A) is low for
any adversary A of practical resources, and also (2) Advror HE,NG (G) is small for some class of nonce
generators NG and some class of ror adversaries G, both specified via results for individual hedged
extractors. We give a ROM construction and standard model one. Both achieve PRF security,
but differ in the type of ror security achieved. The ROM construction achieves ror security for
unpredictable nonce generators (both weak and strong) and for all ror adversaries. This is “best
possible” because the unpredictability assumption is easily seen to be necessary. The standard
model construction achieves ror security for strongly unpredictable generators and agnostic ror
adversaries. These restrictions reflect limitations of the randomness extractors that are our under-
lying tool. The restriction to agnostic adversaries reflects that randomness extractors only work
on seed-independent distributions, and the strong unpredictability requirement on the generator
reflects that when extracting from a sequence of inputs, one needs not only that each has some
min-entropy, but that it does even given the others.
ROM hedged extractor. We start by giving a simple and efficient construction HE1 of a
hedged extractor in the ROM. Let ` be a desired number of output bits for the extractor, and k
a desired seed (key) length. Associated to `, k is the hedged extractor HE = HE1[`, k]: {0, 1}k ×
({0, 1}∗ × {0, 1}∗ ) → {0, 1}` defined by
HERO (xk, x) = RO((xk, x), `) .
Here HE.Keys = {0, 1}k , HE.Dom = {0, 1}∗ × HE.NS with HE.NS = {0, 1}∗ , and HE.Rng = {0, 1}` .
The following lemma states that this construction achieves PRF security and also achieves real
or random security assuming only that the nonce generator is unpredictable. Note the latter only
requires each nonce to individually be unpredictable, but nonces may be arbitrarily correlated, and
it could be that given n1 one can easily predict n2 . But the extractor works nonetheless.

Lemma 3.1 Let `, k ≥ 1 be integers and let HE = HE1[`, k] be the ROM function family associated
to ` and k as above.
1. If A is an adversary making q2 queries to its RO oracle, then
q2
Advprf
HE (A) ≤ k . (1)
2
2. Let NG be a nonce generator. If G is an adversary making q1 queries to its RoR oracle, q2
queries to its RO oracle, and q3 ∈ {0, 1} queries to its EXPOSE oracle, then
pred
Advror
HE,NG (G) ≤ q2 · AdvNG (q1 , q3 ) . (2)

Note that in the 2nd case, the reduction preserves the number of EXPOSE queries, meaning the
number reflected by q3 is the number made by G. This is the best one could hope for.

10
 Game G0 / G1
xk ←$ {0, 1}k ; c0 ←$ AFn,RO ; Return (c0 = 1)
Fn(w)
If S[w] = ⊥ then S[w] ←$ {0, 1}` ; Return S[w]
RO(w, l)
If T [w, l] = ⊥ then
T [w, l] ←$ {0, 1}l ; (u, x) ← w
If ((u = xk) and (l = `)) then
If (S[w] = ⊥) then S[w] ←$ {0, 1}`
bad ← true ; T [w, l] ← S[w]
Return T [w, l]

Game G2 / G3 Adversary P GEN,EXPOSE

St ← ε ; xk ←$ {0, 1}k ; S ← ∅ xk ←$ {0, 1}k ; i ← 0
c0 ←$ G RoR,EXPOSE,RO (xk) ; Return (c0 = 1) g ←$ {1, . . . , q2 }
RoR(m, η) c0 ←$ G RoR,EXPOSE,RO (xk)
Return ng
If s = 1 then return ⊥
(n, St) ←$ NG(η, St) RoR(m, η)
r ← R[m, n] ; R[m, n] ←$ {0, 1}` If s = 1 then return ⊥
If ((m, n) ∈ S) then bad ← true ; R[m, n] ← r GEN(η)
If (T [(xk, (m, n)), `] 6= ⊥) then r ←$ {0, 1}`
bad ← true ; R[m, n] ← T [(xk, (m, n)), `] Return r
S ← S ∪ {(m, n)} EXPOSE
Return R[m, n]
s←1
EXPOSE St ← EXPOSE
s←1 Return St
Return St RO(w, l)
RO(w, l) If (T [w, l] = ⊥) then
If (T [w, l] = ⊥) then T [w, l] ←$ {0, 1}l
T [w, l] ←$ {0, 1}l ; (u, x) ← w ; (m, n) ← x (u, x) ← w ; (m, n) ← x
If ((u = xk) and (l = `) and ((m, n) ∈ S)) then i ← i + 1 ; ni ← n
bad ← true ; T [w, l] ← R[m, n] Return T [w, l]
Return T [w, l]

Figure 3: Games and adversary for proof of Lemma 3.1.

Proof of Lemma 3.1: For the proof of Equation (1), consider the games G0 , G1 of Fig. 3, where
G1 contains the boxed code and G0 does not. Letting c denote the challenge bit in game Gprf
HE (A),
the following, justified below, establishes Equation (1):
 
Advprf prf prf
HE (A) = Pr[ GHE (A) | c = 1 ] − 1 − Pr[ GHE (A) | c = 0 ] (3)

= Pr[G1 ] − Pr[G0 ] (4)

11
 ≤ Pr[G0 sets bad] (5)
q2
≤ k . (6)
2
Equation (3) is a standard re-formulation of the definition of the advantage. In game G0 , replies to
queries to the Fn and RO oracles are independently distributed, so that it is equivalent to the c = 0
case of game Gprf
HE (A), up to the flipping of the outcomes from true to false. In game G1 , the replies
to Fn queries are given by HERO , making it equivalent to the c = 1 case of game Gprf HE (A). This
justifies Equation (4). Games G0 , G1 are identical until bad (differ only in statements following the
setting of bad to true), so the Fundamental Lemma of Game Playing [12] justifies Equation (5). In
game G0 , replies to all oracle queries are random and independent of xk so the probability that the
latter is queried as part of an RO query is at most the quantity of Equation (6).
For Equation (2), consider the games G2 , G3 of Fig. 3, where G3 contains the boxed code and G2
does not. Let predictor adversary P be as specified in Fig. 3. Letting c denote the challenge bit in
game Gror
HE,NG (G), the following, justified below, establishes Equation (2):
 
Advror ror ror
HE,NG (G) = Pr[ GHE,NG (G) | c = 1 ] − 1 − Pr[ GHE,NG (G) | c = 0 ] (7)

= Pr[G3 ] − Pr[G2 ] (8)

≤ Pr[G2 sets bad] (9)

≤ q2 · Advpred
NG (G) (10)

≤ q2 · Advpred
NG (q1 , q3 ) . (11)
Equation (7) is a standard re-formulation of the definition of the advantage. In game G2 , replies
to queries to the RoR and RO oracles are independently distributed, so that it is equivalent to
the c = 0 case of game Gror HE,NG (G), up to the flipping of the outcomes from true to false. In game
G3 , the replies to RoR queries are given by HERO , making it equivalent to the c = 1 case of game
Gror
HE,NG (G). This justifies Equation (8). Games G2 , G3 are identical until bad, so the Fundamental
Lemma of Game Playing [12] justifies Equation (9). In game G2 , replies to all oracle queries are
random and independent, so adversary P can simulate the oracles of adversary G directly. Its
output is a random one of the nonces in a RO-query of G, whence Equation (10). Equation (11) is
because P makes q1 calls to its GEN oracle and q3 queries to its EXPOSE oracle.

Standard-model hedged extractor. Next we give a standard-model hedged extractor based

on a PRF F and an almost-XOR-universal hash function H. We use the latter essentially as a
strong extractor. The construction is simple: the PRF is evaluated on the message and nonce,
and the hash function is evaluated only on the nonce. The results are combined via a simple XOR
operation. The intuition behind this is that as long as at least one of the outputs generated by the
two schemes is random, then the result is also random. PRF security of the hedged extractor is
proved assuming only on the assumed PRF security of F. Real-or-random security of the hedged
extractor is shown for a restricted class of nonce generators NG and adversaries G. Namely NG
must retain unpredictability even in the presence of an EXPOSE query revealing the state, and
G’s RoR queries must not depend on the seed. These restrictions reflect inherent limitations of
strong extractors.
We start with some definitions. For  ∈ [0, 1], function family H is -almost XOR-universal [27]
if H.Rng = {0, 1}` for some ` ∈ N and, for all distinct x, y ∈ H.Dom and all s ∈ {0, 1}` , we have
Pr[H(hk, x) ⊕ H(hk, y) = s : hk ←$ H.Keys] ≤ .

12
Our standard model construction is as follows. Let ` be a desired number of output bits for the
extractor. Let F: F.Keys × ({0, 1}∗ × {0, 1}∗ ) → {0, 1}` be a function family assumed to be a PRF,
and let H: H.Keys × H.Dom → {0, 1}` be an almost-XOR-universal hash function with H.Dom ⊆
{0, 1}∗ . We associate to `, F, H the standard-model hedged extractor HE = HE2[F, H]: (F.Keys ×
H.Keys) × ({0, 1}∗ × H.Dom) → {0, 1}` defined by
Algorithm HE(xk, (x, y))
(hk, fk) ← xk ; z1 ← H(hk, y) ; z2 ← F(fk, (x, y)) ; Return z1 ⊕ z2
Here HE.Keys = F.Keys × H.Keys, HE.Dom = {0, 1}∗ × HE.NS with HE.NS = H.Dom, and HE.Rng =
{0, 1}` . The following says this hedged extractor achieves PRF security and restricted real-or-
random security.

Lemma 3.2 Let ` ≥ 1 be an integer. Let F: F.Keys × ({0, 1}∗ × {0, 1}∗ ) → {0, 1}` be a function
family. Let H: H.Keys × H.Dom → {0, 1}` be a (1 + γ) · 2−` -almost-XOR-universal hash function.
Let HE = HE2[F, H] be the function family associated to `, F and H as above.
1. If A is an adversary making q queries to its Fn oracle then there is an adversary B (described
in the proof) such that

Advprf prf
HE (A) ≤ AdvF (B) . (12)
Adversary B also makes q queries to its Fn oracle and has running time that of A plus the
time for q computations of H.
2. Let NG be a nonce generator that produces outputs in the set H.Dom. If G is an agnostic
adversary making q queries to its RoR oracle and Advpred −k
NG (q, 1) ≤ 2 , then
s
q 2`
Advror
HE,NG (G) ≤ γ+ . (13)
2 2k

To prove this we first need some more definitions. Recall that for  ∈ [0, 1], a function family H
is -almost universal if Pr[H(hk, x) = H(hk, y) : hk ←$ H.Keys] ≤  for all distinct x, y ∈ H.Dom.
For a function family H with H.Dom = {0, 1}∗ × {0, 1}∗ , we say that H is -almost universal
in the second input component if for all x1 , y1 ∈ {0, 1}∗ and all x2 , y2 ∈ {0, 1}∗ with x2 6= y2 ,
Pr[H(hk, (x1 , x2 )) = H(hk, (y1 , y2 )) : hk ←$ H.Keys] ≤ . For k ∈ N and  ∈ [0, 1], a (k, )-strong
extractor SE is a (standard model) family of functions such that AdvrorE,NG (1, 0, 1) ≤  for all NG with
pred −k
AdvNG (1, 1) ≤ 2 . This is a re-formulation of the standard requirement that is clearly equivalent
to it. The Leftover Hash Lemma, a celebrated result by Impagliazzo, Levin, and Luby [25], states
that an almost universal hash function is a strong extractor:
Lemma 3.3 (Leftover Hash Lemma) Let γ, k > 0. Let H be an (1 + γ)/|H.Rng|-almost univer-
sal hash function family. Then H is an (k, )-strong extractor where
s
1 |H.Rng|
= γ+ .
2 2k
The original result is stated in a different formalism and a slightly more restricted form, but it
generalizes to the form stated here. (The formulation of the bounds comes from [2].)
Since we use the nonce that is used in the hash function H also outside of it, namely in the
evaluation of the PRF F, we cannot immediately apply the leftover-hash lemma. However, we show
that if the function H is almost XOR-universal, then the hedged extractor HE obtained by XORing
the output of F to the output of H is almost universal and therefore serves as a strong extractor.

13
Lemma 3.4 Let H : H.Keys × H.Dom → {0, 1}` be an -almost-XOR-universal hash function. Let
F : F.Keys × ({0, 1}∗ × {0, 1}∗ ) → {0, 1}` a function family and H.Dom ⊆ {0, 1}∗ . Then, for each
m ∈ {0, 1}∗ , HE(·, (m, ·)) as defined above is -almost-universal.

Proof: For all n, n0 ∈ H.Dom with n 6= n0 :

Pr HE(xk, (m, n)) = HE(xk, (m, n0 )) : xk ←$ HE.Keys
 

h
= Pr H(hk, n) ⊕ F(fk, (m, n)) = H(hk, n0 ) ⊕ F(fk, (m, n0 ))
i
: (hk, fk) ←$ H.Keys × F.Keys
h
≤ max Pr H(hk, n) ⊕ H(hk, n0 ) = F(fk, (m, n)) ⊕ F(fk, (m, n0 ))
fk∈F.Keys
i
: hk ←$ H.Keys ≤ ,

since for each fk ∈ F.Keys the term F(fk, (m, n)) ⊕ F(fk, (m, n0 )) describes a fixed value s ∈ {0, 1}`
and H is -almost XOR-universal.
A strong extractor will only guarantee the outputs to be random and independent of the seed
if the inputs to the extractor, that is the nonces, do not depend on the seed. Once the seed is
exposed to the adversary, no guarantee on further outputs can be given. Therefore, for the game
Gror
HE,NG (G) we restrict our attention to agnostic adversaries G.
The proof uses a hybrid argument for the extraction from multiple values akin to the one in
the adaptive Leftover Hash Lemma of Bellare et al. [5, Lemma A.1], which in turn is based on the
work of Zuckerman [39]. (A tighter bound for extraction from block sources is given by Chung
and Vadhan [17].) The difference is that the nonces from which we extract are obtained from a
stateful nonce generator instead of sampled independently from adversarially-chosen distributions;
the argument follows along the same lines.
Proof of Lemma 3.2: We first prove Equation (12). Adversary B starts by choosing a seed
hk ←$ H.Keys uniformly at random. It then uses the assumed adversary A, and whenever A makes
a query Fn(x, y), then B first computes z1 ← H(hk, y) and then makes a query z2 ← Fn(x, y), and
returns z1 ⊕ z2 . Finally, B provides the same output as A. The view of A has the same distribution
in Gprf prf
HE (A) and in GF (B), and therefore the distribution of the output is also the same. This
implies Equation (12).
We prove Equation (13) using a hybrid argument similarly to Zuckerman [39, Lemma 6]. The
hybrid argument involves a game G as specified in Fig. 4 and adversaries G1 , . . . , Gq that each
query the oracle RoR only once. This is achieved by having Gi answer the ith query of G by
using the RoR oracle, by using for all previous queries uniformly random values and computing all
subsequent values by evaluating HE. In more detail, for all queries j = 1, . . . , i − 1, the adversary Gi
will call its GEN(η) oracle and then sample a value from HE.Rng = {0, 1}` uniformly at random.
For the ith query, the adversary Gi will call RoR(m, η) and obtain the output r, as well as the
nonce generator’s state St through a subsequent EXPOSE query. The answer to G will be r in this
case. For all queries j = i + 1, . . . , q, adversary Gi will compute the nonce via (nj , St) ← NG(η, St)
and the output as HE(xk, (m, nj )). The adversary uses the seed xk only after the challenge query,
and we can therefore specify it as a pair Gi = (Gi,prep , Gi,chal ) as described in Fig. 4.
To conclude the hybrid argument, we first observe that the view of G in Gror HE,NG (G) with c = 1 is
the same as its view in G(G1 ) with c = 1. Subsequently, for each i = 1, . . . , q − 1, the view of G in

14
 Game G(G)
St ← ε ; xk ←$ HE.Keys ; c ←$ {0, 1} ; s ← 0
St G ←$ Gprep
GEN

0 RoR,EXPOSE
c ←$ Gchal (St G , xk)
Return (c = c0 )
RoR(m, η)
If s = 1 then return ⊥
(n, St) ←$ NG(η, St)
If (c = 1) then r ← HERO (xk, (m, n))
Else r ←$ HE.Rng
Return r
GEN(η)
(n, St) ←$ NG(η, St)
EXPOSE
s←1
Return St

Figure 4: Hybrid game as needed in the proof of Lemma 3.2.

G(Gi ) with c = 0 is the same as in G(Gi+1 ) with c = 1. Finally, the view of G in G(Gq ) with c = 0
is the same as in Gror
HE,NG (G) with c = 0.

We still have to bound the advantage of adversary Gi . By Lemma 3.4, we know that for any
m ∈ {0, 1}∗ , HE(·, (m, ·)) is p
(1 + γ)/2` -almost universal and therefore by Lemma 3.3 a (k, )-
strong extractor for  = 1/2 γ + 2`−k . Fix i, then Gi,prep makes i − 1 queries to its GEN or-
acle. We can therefore define a nonce generator RG(Gi,guess , NG) as follows: Set St ← ε and
execute (n, St G ) ←$ Gi,guess
GEN with the oracle as defined in the game. Compute a random x via

(x, St) ←$ NG(η, St) and output a pair (x, (St, St G )).
This implies that Advpred pred
RG(Gi,prep ,NG) (1, 1) ≤ AdvNG (i, 1), since otherwise Gi,prep could be used in the
statement against the assumption on NG. But now we can view Gi,chal as an adversary against H in
the Gror ror
H,RG(Gi,prep ,NG) game, and 2 Pr [HYBHE,NG (Gi )] − 1 ≤ AdvH,RG(Gi,prep ,NG) (Gi,chal ) ≤ . We obtain
a factor q through the hybrid argument; this completes the proof.

4 Nonce-based public-key encryption

In this section we define nonce-based public-key encryption, giving first a syntax and then two
security goals, NBP1 and NPB2. We give a construction, simultaneously meeting both goals,
based on a hedged extractor. Instantiating the latter via our constructions of Section 3 yields
concrete nonce-based PKE schemes, one in the ROM and the other in the standard model.
Syntax. A nonce-based public-key encryption scheme NPE specifies the following. Receiver key-
generation algorithm NPE.Kg returns an encryption key ek and associated decryption key dk.
Sender seed-generation algorithm NPE.sKg returns a seed xk. Encryption algorithm NPE.Enc
takes ek, xk, message m ∈ {0, 1}∗ and nonce n from nonce set NPE.NS to return a ciphertext
c. This algorithm is deterministic. Decryption algorithm NPE.Dec (also deterministic) takes
ek, dk and ciphertext c to return a value in {0, 1}∗ ∪ {⊥}. The scheme NPE is correct if for

15
 Game Gnbp1
NPE,NG (A) Game Gnbp2
NPE,NG (A)
(ek, dk) ←$ NPE.Kg ; xk ←$ NPE.sKg (ek, dk) ←$ NPE.Kg
b ←$ {0, 1} ; St ← ε ; C, S0 , S1 ← ∅ xk ←$ NPE.sKg
b0 ←$ AENC,DEC,RO (ek) b ←$ {0, 1} ; St ← ε ; C ← ∅
Return (b = b0 ) b0 ←$ AENC,DEC,RO (ek, xk)
ENC(m0 , m1 , η) Return (b = b0 )

If (|m0 | =
6 |m1 |) then return ⊥ ENC(m0 , m1 , η)
(n, St) ←$ NG(η, St) If (|m0 | =
6 |m1 |) then return ⊥
If ((m0 , n) ∈ S0 ) then return ⊥ (n, St) ←$ NG(η, St)
If ((m1 , n) ∈ S1 ) then return ⊥ c ← NPE.EncRO (ek, xk, mb , n)
S0 ← S0 ∪ {(m0 , n)} C ← C ∪ {c}
S1 ← S1 ∪ {(m1 , n)} Return c
c ← NPE.EncRO (ek, xk, mb , n) DEC(c)
C ← C ∪ {c}
If (c ∈ C) then return ⊥
Return c
m ← NPE.DecRO (ek, dk, c)
DEC(c) Return m
If (c ∈ C) then m ← ⊥ RO(x, l)
Else m ← NPE.DecRO (ek, dk, c)
If T [x, l] = ⊥ then T [x, l] ←$ {0, 1}l
Return m
Return T [x, l]
RO(x, l)
If T [x, l] = ⊥ then T [x, l] ←$ {0, 1}l
Return T [x, l]

Figure 5: Games for security goals for nonce-based asymmetric encryption scheme NPE.
Both are relative to nonce generator NG.

all (ek, dk) ∈ [NPE.Kg], all xk ∈ [NPE.sKg], all m ∈ {0, 1}∗ and all n ∈ NPE.NS we have
NPE.Dec(ek, dk, NPE.Enc(ek, xk, m, n)) = m.
The receiver key-generation algorithm has the same role as in a randomized PKE scheme. The
sender seed-generation algorithm is a new element of nonce-based PKE schemes. Encryption is
changed to take a nonce rather than randomness and, importantly, is now deterministic. Decryp-
tion is as in a standard PKE scheme. Unlike symmetric nonce-based encryption, the decryption
algorithm is not given the nonce.
Nonce-based encryption is a sender-side hardening and can be added to an existing encryption
scheme in such a way that the receiver is oblivious to its presence and the receiver implementation
needs no changes.

Security definitions. Let NPE be a nonce-based PKE scheme. Let NG be a nonce generator
returning nonces in NPE.NS. We associate to NPE, NG and adversary A the games of Fig. 5. We
define the advantages of A in these games via
Advnbp1 nbp1
NPE,NG (A) = 2 Pr[GNPE,NG (A)] − 1

16
 Algorithm NPE.Kg Algorithm NPE.EncRO (ek, xk, m, n)
(ek, dk) ←$ PE.Kg r ← HERO (xk, (m, n))
Return (ek, dk) c ← PE.Enc(ek, m; r)
Return c
Algorithm NPE.sKg Algorithm NPE.Dec(ek, dk, c)
xk ←$ HE.Keys m ← PE.Dec(ek, dk, c)
Return xk Return m

Figure 6: The nonce-based public-key encryption scheme NPE, based on probabilistic

public-key encryption scheme PE and hedged extractor HE. The nonce space is the
same as for the hedged extractor.

and
Advnbp2 nbp2
NPE,NG (A) = 2 Pr[GNPE,NG (A)] − 1 ,

respectively. The games are described in the ROM; standard-model definitions are derived by
considering only schemes and adversaries that do not query the RO oracle. The notation “nbp”
stands for “nonce-based privacy.” We proceed to discuss the definitions.
Game Gnbp1
NPE,NG (A) formalizes security in the case where the sender’s seed is not exposed, cap-
tured in the formalism by the fact that the adversary is not given the seed as input, while game
Gnbp2
NPE,NG (A) formalizes security in the case where the sender’s seed is exposed, formalized by its
being given to the adversary as input. Both ask for indistinguishability-style security under a
chosen-ciphertext attack. In Gnbp1NPE,NG (A), the natural restriction that one would consider is to
ask that nonces not repeat. The restriction we make is weaker, resulting in a stronger security
condition, namely that message-nonce pairs may not repeat. (Thus, security is provided even if
a nonce repeats, as long as the message is different.) We will achieve this notion for any nonce
generator, meaning we get very good privacy with minimal restrictions on nonces. In Gnbp2 NPE,NG (A),
no restriction is made, so a priori the notion is stronger, but we will achieve it only if the hedged
extractor is ror-secure, which will be further reduced to unpredictability of the nonce generator.
Thus, in this case, security requires unpredictable nonces.
In game Gnbp2
NPE,NG (A), we say that adversary A is agnostic if its ENC, DEC queries do not
depend on the seed xk. More formally, there exists a pair (A1 , A2 ) of algorithms such that
AENC,DEC,RO (ek, xk) does the following:
St ←$ AENC,DEC,RO
1 (ek) ; c0 ← ARO 0
2 (xk, St) ; Return c .

Scheme. We specify a scheme NPE that achieves both the NPB1 and NPB2 security notions
simultaneously, that is, it guarantees security if either the sender’s state remains secret and as long
as the message-nonce pairs are unique, or even if the sender’s state is leaked to the adversary as
long as the nonces are sufficiently unpredictable. The construction is actually a transform R2NPE
that takes a base, randomized PKE scheme PE and a hedged extractor HE to return a nonce-based
PKE scheme NPE = R2NPE[PE, HE] whose algorithms are described in Fig. 6. The nonce space is
that of the hedged extractor, i.e. NPE.NS = HE.NS. The construction requires that the randomness
provided by HE is sufficient, i.e., PE.rl = HE.ol.
We first prove that the scheme achieves NBP1-security, that is, it is secure as a nonce-based
scheme as long as the sender’s seed remains secret. The theorem bounds the adversaries advantage

17
by advantages of other, related adversaries against the underlying probabilistic public-key scheme
and the PRF-property of the hedged extractor HE. For the constructions described in Section 3,
the latter advantage is then bounded by Lemmas 3.1 (for the ROM construction) and 3.2 (for the
standard-model construction), respectively.

Theorem 4.1 Let PE be a (standard, randomized) public-key encryption scheme. Let HE be a

hedged extractor. Let nonce-based public-key encryption scheme NPE = R2NPE[PE, HE] be asso-
ciated to them as above. Let NG be a nonce generator. Let A be an adversary making at most q1
queries to its ENC oracle, q2 queries to its DEC oracle, and q3 queries to its RO oracle. Then
the proof specifies adversaries B and G such that
Advnbp1 prf ind
NPE,NG (A) ≤ 2AdvHE (G) + AdvPE (B) , (14)
where adversary B makes at most q1 queries to its ENC oracle and q2 queries to its DEC oracle; in
terms of computation it evaluates NG for q1 times and manages an array of generated ciphertexts.
Adversary G makes at most q1 queries to its Fn oracle and q3 queries to its RO oracle; it generates
keys for PE and compute q1 encryptions and q2 decryptions in addition to the computation of A.

Proof: Adversary B obtains ek and starts by setting St ← ε, S0 ← ∅, and S1 ← ∅. Adversary B

then runs adversary A internally on input ek. For queries ENC(m0 , m1 , η), adversary B computes
(n, St) ←$ NG(η, St), checks whether (m0 , n) ∈ S0 or (m1 , n) ∈ S1 , and returns ⊥ in that case.
Otherwise, it queries its own oracle ENC(m0 , m1 ) and returns the result to A. Queries DEC(c)
are answered using the respective oracles in the game, and potential queries RO(x, l) are answered
by emulating a random oracle via lazy sampling as also described in the game.
For each d ∈ {0, 1}, adversary Gd against the PRF initializes St ← ε, S0 ← ∅, and S1 ← ∅ as
B and generates a key pair (ek, dk) ←$ PE.Kg. Adversary Gd then runs adversary A on input ek.
Upon a query ENC(m0 , m1 , η) from A, adversary Gd computes (n, St) ←$ NG(η, St), checks whether
(m0 , n) ∈ S0 or (m1 , nonce) ∈ S1 , and returns ⊥ in that case. Gd gets r from its oracle Fn(md , n),
computes c ← PE.Enc(ek, md ; r) and returns c. Queries DEC(c) are answered by computing
m ← PE.Dec(ek, dk, c) and returning m. Potential queries RO(x, l) are referred to the random
oracle provided in the game. When A provides its output b0 , then Gd outputs b0 ⊕ d.
We define a hybrid game G in which all computations are performed as before, except that in the
encryption with a new pair of message mb and nonce n a fresh random string r ← {0, 1}` is used.
The difference with the game Gnbp1
NPE,NG (A) can be highlighted as described in game G in Fig. 7

The view of A in G is exactly the same as in Gind

PE (B). Furthermore, we observe that

2 Pr[Gprf nbp1
HE (G0 )] = Pr[GNPE,NG (A)|b = 0] − Pr[G|b = 0] + 1,

the reason is that if the bit b = 0 is chosen in GprfHE (G0 ), then the view of A is exactly as in G
with b = 0; all ciphertexts are encryptions of m0 with fresh randomness. Analogously, if b = 1
is chosen in Gprf nbp1
HE (G0 ), then the view of A is exactly as in GNPE,NG (A) with b = 0; all ciphertexts
are encryptions of m0 with randomness computed via NG and HE from the message m0 and the
input η, but in this case G0 outputs the “wrong” bit. In the same sense,
2 Pr[Gprf nbp1
HE (G1 )] = Pr[GNPE,NG (A)|b = 1] − Pr[G|b = 1] + 1,

since if the bit b is chosen as b = 0 in Gprf

HE (G0 ), then the view of A is exactly as in G with b = 1;
all ciphertexts are encryptions of m1 with fresh randomness. This is the reason for G1 to invert the

18
 Game G Game H
.. ..
. .
S1 ← S1 ∪ {(m1 , n)} (n, St) ←$ NG(η, St)
c ← NPE.EncRO (ek, xk, mb , n) c ← NPE.EncRO (ek, xk, mb , n)
r ←$ {0, 1}` r ←$ {0, 1}`
c ← PE.Enc(ek, mb ; r) c ← PE.Enc(ek, mb ; r)
C ← C ∪ {c} C ← C ∪ {c}
Return c Return c
.. ..
. .

Figure 7: Intermediate games used in the proofs of Theorem 4.1 (left) and Theorem 4.2
(right).

output of A. Overall, we obtain

Advnbp1 nbp1 nbp1
NPE,NG (A) = Pr[GNPE,NG (A)|b = 0] + Pr[GNPE,NG (A)|b = 1] − 1

= Pr[Gnbp1
NPE,NG (A)|b = 0] − Pr[G|b = 0]

+ Pr[Gnbp1
NPE,NG (A)|b = 1] − Pr[G|b = 1] + 2 Pr[G] − 1
nbp1
≤ 2 Pr[Gprf prf
HE (G0 )] − 1 + 2 Pr[GHE (G1 )] − 1 + AdvPE (B)

= Advprf prf nbp1

HE (G0 ) + AdvHE (G1 ) + AdvPE (B).

The proof concludes by defining G as choosing G0 or G2 with probability 1/2 each.

The property of a hedged extractor to serve simultaneously as extractor and as a PRF implies that
the scheme described above is also secure even if the sender’s seed leaks, as long as the nonces are
sufficiently unpredictable. The reduction in the theorem below preserves agnosticity, meaning if
A is agnostic, so is G. This allows us to draw conclusions based on Lemma 3.2 in the case of the
standard-model hedged extractor.

Theorem 4.2 Let PE be a (standard, randomized) public-key encryption scheme. Let HE be a

hedged extractor. Let nonce-based public-key encryption scheme NPE = R2NPE[PE, HE] be asso-
ciated to them as above. Let NG be a nonce generator. Let A be an adversary making at most q1
queries to its ENC oracle, q2 queries to its DEC oracle, and q3 queries to its RO oracle. Then
the proof specifies adversaries B and G such that
Advnbp2 ror ind
NPE,NG (A) ≤ 2AdvHE,NG (G) + AdvPE (B) , (15)
where adversary B makes at most q1 queries to its ENC oracle and q2 queries to its DEC oracle,
and emulates a random oracle for q3 queries. Adversary G makes at most q1 queries to its RoR
oracle and q3 queries to its RO oracle; it generates keys for PE and computes q1 encryptions and
q2 decryptions in addition to the computation of A. Furthermore, if A is agnostic, then G is also
agnostic.

Proof: The proof follows the same ideas as the one for Theorem 4.1. Adversary B against the
underlying public-key encryption scheme PE behaves as follows. It obtains an encryption key ek

19
as an input and generates a seed xk ←$ HE.Keys, and then runs adversary A on input (ek, xk).
Upon a query ENC(m0 , m1 , η) by A, adversary B queries its oracle ENC(m0 , m1 ) and returns the
result to A. Queries DEC(c) are answered by making the same query to its own oracle; the queries
RO(x, l) are answered by emulating a random oracle via lazy sampling. Adversary B outputs the
same output bit as A.
For each d ∈ {0, 1}, adversary Gd against the extractor behaves as follows. It obtains an extrac-
tor seed xk ∈ HE.Keys, generates a key pair (ek, dk) ←$ PE.Kg, and then runs adversary A on
input (ek, xk). Upon a query ENC(m0 , m1 , η) from A, adversary Gd calls RoR(md , η) to obtain
a random string r. It then computes c ← PE.Enc(ek, md ; r) and returns c. Queries DEC(c) are
answered by computing m ← PE.Dec(ek, dk, c) and returning m. Potential queries RO(x, l) are
referred to the random oracle provided in the game. When A provides its output b0 , then Gd outputs
b0 ⊕ d. Note that Gd uses the seed only through A, and if A uses it only after all encryption queries,
then Gd uses it only after all RoR queries. Thus, if A is agnostic, then Gd is also agnostic.
We define a hybrid game H in which all computations are performed as before, except that in the
encryption a fresh random string r ← {0, 1}` is used; the difference with the game Gnbp2
NPE,NG (A) is
highlighted by the boxed code in Fig. 7.
The view of A in H is exactly the same as in Gnbp2
PE (B). Furthermore, we observe that
nbp2
2 Pr[Gror
HE,NG (G0 )] = Pr[GNPE,NG (A)|b = 0] − Pr[H|b = 0] + 1,

the reason is that if the bit b = 0 is chosen in Gror

HE,NG (G0 ), then the view of A is exactly as in H
with b = 0; all ciphertexts are encryptions of m0 with fresh randomness. Analogously, if b = 1 is
nbp2
chosen in Gror
HE,NG (G0 ), then the view of A is exactly as in GNPE,NG (A) with b = 0; all ciphertexts
are encryptions of m0 with randomness computed via HE and NG from the message m0 and the
input η, but in this case G0 outputs the “wrong” bit. In the same sense,
nbp2
2 Pr[Gror
HE,NG (G1 )] = Pr[GNPE,NG (A)|b = 1] − Pr[H|b = 1] + 1,

since if the bit b is chosen as b = 0 in Gror

HE,NG (G0 ), then the view of A is exactly as in H with b = 1;
all ciphertexts are encryptions of m1 with fresh randomness. This is the reason for G1 to invert the
output of A. The final computation follows exactly as in Theorem 4.1.

Settings with multiple senders and multiple receivers. The security properties defined
above take into account only a single sender and a single receiver. Realistic settings, however,
involve multiple senders and multiple receivers. This means that, on the one hand, encryptions
toward the same receivers will be made with respect to different sender seeds. On the other hand,
senders will use the same seed to generate randomness for encryptions toward different receivers.
To achieve security in these settings, we extend the games Gnbp2 nbp1
NPE,NG (A) and GNPE,NG (A) by the
following oracle:

ENC2(ek, m, η)
(n, St) ←$ NG(η, St)
c ← NPE.Enc(ek, xk, m, n)
Return c

The scheme discussed above can easily be shown to achieve the correspondingly modified games;
the hedged extractor provides uniform and independent randomness for each encryption.
Extending this game to multiple senders and multiple receives is done by generating multiple
sets of keys and seeds in the game and extending the oracles with arguments to select the desired

20
sender and/or receiver of the messages to be processed. The proof then follows by two hybrid
arguments, one for reducing the number of senders, and one for reducing the number of receivers.
The oracle ENC2 is required in the step to reduce the number of receivers to simulate encryptions
toward the receivers not captured in the game.

5 Nonce-based signatures
In this section we define and construct nonce-based digital signature schemes.
Background. Eliminating randomness in signing is not new and is easily done. A simple way to
convert a given randomized EUF-CMA digital signature scheme DS into a deterministic one is as
follows. Let F be a PRF. The key-generation algorithm lets (sk, vk) ←$ DS.Kg and fk ←$ F.Keys,
and stores the pair (fk, sk) as the secret signing key of the new scheme. A signature on a message
m ∈ {0, 1}∗ is then computed by first evaluating r ← F(fk, m) and then s ← DS.Sig(sk, m; r). This
method goes back to MNPV [29] and it is easy to show that it works, meaning the constructed,
deterministic signature scheme retains the EUF-CMA security of the starting randomized one
assuming F is a PRF.
The above solution, however, changes the secret key, which is not always desirable. For example
it may be a problem to retrofit deployed schemes with the modification, or if the same signature
key is used by multiple applications and the format cannot easily be changed. A folklore solution
is to leave the keys unchanged and obtain the coins r via a random oracle applied to the existing
secret key sk and the message. In the case that DS is ECDSA, this was proven to work by KM [26].
It was proven to work in general (meaning, for any base EUF-CMA scheme) by BPS [11]. Such de-
randomization is used in the Ed25519 signature scheme [13] and is specified for DSA and ECDSA
in an RFC by Pornin [31].
Nonce-based signatures. In our model, the signer has a secret key as well as a seed. Signing
uses both these and a nonce, and is deterministic. If the seed (and secret key) are kept private,
we get the usual EUF-CMA level of security, regardless of how nonces are generated. So far this
is providing the same security as deterministic signature schemes. The added condition is that if
the seed is exposed (but the secret key isn’t) then we still retain security as long as the nonces are
unpredictable.
The secret key and seed are held by the same entity, namely the signer. So one may ask how
it could be that the seed is exposed but the secret key isn’t. That is, either the system is secure,
in which case both are secure, or not, in which case both are exposed. If so, indeed, nonce-based
signatures do not provide anything over and above classical deterministic signatures. However,
we can imagine settings where the level of security for the secret key and seed are different. For
example the secret key may be already stored in hardware, and the seed not. The seed may be
stored at a different place than the signature scheme’s secret key, and it may be re-generated at any
frequency that seems appropriate for the application (ranging from never, at fixed time intervals,
at every system reboot, or at every signature operation). Being a signer-only modification of the
signature generation, a user may also use different seeds on different machines, or use the modified
scheme with the standard probabilistic one.
The scheme we propose is again based on hedged extractors.
Definitions. A nonce-based signature scheme NDS specifies the following. Signer key-generation
algorithm NDS.Kg returns a signature key sk, a verification key vk, and a seed xk. Deterministic
signature algorithm NDS.Sig takes sk, xk, message m ∈ {0, 1}∗ , and nonce n from nonce set
NDS.NS, to return a signature s ∈ {0, 1}NDS.ol . Deterministic verification algorithm NDS.Ver takes

21
 Game Gnbuf1 nbuf2
NDS,NG (A) / Game GNDS,NG (A) Algorithm NDS.Kg
(sk, vk, xk) ←$ NDS.Kg xk ←$ HE.Keys
St ← ε ; M ← ∅ (sk, vk) ←$ DS.Kg
(m, s) ←$ ASIG,RO ( vk , xk ) Return (sk, vk, xk)
v ← NDS.Ver(vk, m, s)
Return ((v = 1) ∧ (m ∈/ M )) Algorithm NDS.SigRO (sk, xk, m, n)
SIG(m, η) r ← HERO (xk, (m, n))
c ← DS.Sig(sk, m; r)
(n, St) ←$ NG(η, St)
Return c
s ← NDS.Sig(sk, xk, m, n)
M ← M ∪ {m}
Algorithm NDS.VerRO (vk, m, c)
Return s
b ← DS.Ver(vk, m, c)
RO(x, l)
Return b
If T [x, l] = ⊥ then T [x, l] ←$ {0, 1}l
Return T [x, l]

Figure 8: Games for security goals for nonce-based digital scheme NDS relative to nonce-
generator NG, and our nonce-based digital signature scheme.

vk, message m ∈ {0, 1}∗ , and candidate signature s ∈ {0, 1}NDS.ol , to return a bit b ∈ {0, 1}. The
scheme NDS is correct if for all (sk, vk, xk) ∈ [NDS.Kg], all m ∈ {0, 1}∗ and n ∈ NDS.NS, the
verification of true signatures succeeds: NDS.Ver(vk, m, NDS.Sig(sk, xk, m, n)) = 1.
To formalize security, we consider the games Gnbuf1 nbuf2
NDS,NG (A) and GNDS,NG (A) in Fig. 8 associated to
nonce-based signature scheme NDS, nonce generator NG returning nonces in NDS.NS, and adversary
A, where the second game includes the boxed code and the first does not. We let
Advnbuf1 nbuf1
NDS,NG (A) = Pr[GNDS,NG (A)] , and

Advnbuf2 nbuf2
NDS,NG (A) = Pr[GNDS,NG (A)] .

As usual the games are described in the ROM, with standard-model definitions are derived by
considering only schemes and adversaries that do not query the RO oracle. The difference between
the games is tiny, and in just one line of the code, namely that in the second game, the adversary gets
the seed xk as an additional input. The first game captures the case that the seed is not exposed,
and we will guarantee security for any nonce generator. The second game captures the case that
the seed is exposed, in which case we will provide security for unpredictable nonce generators.
Regular signature schemes can be viewed as a special case of nonce-based ones where the seed xk
is defined to be the empty string and security is measured relative only to the nonce generator that
always returns a uniformly random string.
In game Advnbuf2
NDS,NG (A), we say that adversary A is agnostic if its SIG queries do not depend
on the seed xk. More formally, there exists a pair (A1 , A2 ) of algorithms such that ASIG,RO (vk, xk)
does the following:
St ←$ ASIG,RO
1 (vk) ; (m, s) ← ARO
2 (xk, St) ; Return (m, s) .

Scheme. We specify a transform R2NDS that takes a (standard, randomized) signature scheme
DS and a hedged extractor HE and returns the nonce-based signature scheme NDS = R2NDS[DS, HE]

22
whose algorithms are described in Fig. 8. The nonce space is the same as for the hedged extractor,
i.e. NDS.NS = HE.NS. The length of the signatures is preserved, NDS.ol = DS.ol. The construction
requires that HE provides sufficient randomness, i.e., DS.rl = HE.ol.
We first show that the described scheme NDS is indeed secure according to the game Gnbuf1
NDS,NG (A),
that is, in case the seed is not exposed. In this case and if the hedged extractor is a good pseudo-
random function, we achieve the same security guarantees as achieved by the original scheme if
proper randomness is used.

Theorem 5.1 Let DS be a (standard, randomized) digital-signature scheme. Let HE be a hedged

extractor. Let nonce-based digital signature scheme NDS = R2NDS[DS, HE] be associated to them
as above. Let NG be a nonce generator. Let A be an adversary making at most q1 queries to its
SIG oracle and q2 queries to its RO oracle. Then the proof specifies adversaries B and G such that
prf
Advnbuf1 uf
NDS,NG (A) ≤ AdvHE (G) + AdvDS (B) , (16)
where adversary B makes at most q1 queries to its SIG oracle; besides emulating a Random Oracle
it performs almost the same computation as A. Adversary G makes at most q1 queries to its RoR
oracle and q2 queries to its RO oracle; in terms of computation it generates a key pair for DS and
computes q1 signatures.

Proof: Adversary B against DS behaves as follows. When started with input vk, it executes A(vk).
Upon a query SIG(m, η) from A, adversary B queries SIG(m), obtaining a signature s, and returns
s to A. Queries to the oracle RO are exactly as in the game, that is, by lazy sampling of a random
function.
Adversary G against the hedged extractor behaves as follows. It initially generates a key pair
(sk, vk) ←$ DS.Kg, and then runs adversary A on input vk. Upon a query SIG(m, η) from A,
adversary G calls Fn(m, η) to obtain a random string r. It then computes s ← DS.Sig(sk, m; r)
and returns s. Potential queries RO(x, l) are referred to the random oracle provided in the game.
When A provides its output (m, s), then G outputs the result of DS.Ver(vk, m, s) = 1.
We define a hybrid game G that is defined almost identically with Gnbuf1NDS,NG (A), with the only
difference that the randomness used in SIG queries is uniformly random instead of derived via the
hedged extractor. The difference with the game Gnbuf1
NDS,NG (A) is highlighted in Fig. 9.

The view of A in G is the same as in Guf

DS (B); in both cases the signatures are computed with fresh
randomness.
We observe that
2 Pr[Gprf prf prf
HE (G)] = Pr[GHE (G)|b = 1] + Pr[GHE (G)|b = 0]

= Pr[Gprf prf
HE (G)|b = 1] + 1 − Pr[¬GHE (G)|b = 0]

= Pr[Gnbuf1 uf
NDS,NG (A)] + 1 − Pr[GDS (B)],

the reason is that if the bit b is chosen as b = 0 in Gprf HE (G), then the view of A is exactly as in
Guf
DS (B); all signatures are generated using fresh randomness. Analogously, if b is chosen as b = 1
in Gprf
HE (G), then the view of A is exactly as in G nbuf1
NDS,NG (A) with b = 0; all signatures are generated
with randomness computed via HE and NG from the message m and the input η. For b = 1 the
probability of G guessing correctly is the same as the probability of A forging the signature, but
for b = 0 the probability of G guessing correctly is the same as the probability of A not forging a

23
 Game G Game H
.. ..
. .
SIG(m, η) SIG(m, η)
(n, St) ←$ NG(η, St) (n, St) ←$ NG(η, St)
s ← NDS.Sig(sk, xk, m, n) s ← NDS.Sig(sk, xk, m, n)
r ←$ {0, 1}` r ←$ {0, 1}`
s ← DS.Sig(sk, m; r) s ← DS.Sig(sk, m; r)
M ← M ∪ {m} M ← M ∪ {m}
Return s Return s
.. ..
. .

Figure 9: Intermediate games used in the proofs of Theorem 5.1 (left) and Theorem 5.2
(right).

signature. The above equation implies

Advprf nbuf1 uf
HE (G) = AdvNDS,NG (A) − AdvDS (B)

and therefore the inequality claimed in the theorem statement.

The second statement concerns the security in the sense of Gnbuf2 NDS,NG (A), that is, the signatures
are indeed secure even if the seed is exposed, as long as the nonces contain a sufficient amount of
min-entropy. For the scheme based on our standard-model hedged extractor, we again restrict the
statement to agnostic adversaries A. The scheme based on our ROM-based hedged extractor is
again secure against all (i.e., not necessarily agnostic) adversaries.
Theorem 5.2 Let DS be a (standard, randomized) digital-signature scheme. Let HE be a hedged
extractor. Let nonce-based digital signature scheme NDS = R2NDS[DS, HE] be associated to them
as above. Let NG be a nonce generator. Let A be an adversary making at most q1 queries to its
SIG oracle and q2 queries to its RO oracle. Then the proof specifies adversaries B and G such that
Advnbuf2 ror uf
NDS,NG (A) ≤ AdvHE,NG (G) + AdvDS (B) , (17)
where adversary B makes at most q1 queries to its SIG oracle; besides emulating a Random Oracle
it performs almost the same computation as A. Adversary G makes at most q1 queries to its RoR
oracle and q2 queries to its RO oracle; in terms of computation it generates a key pair for DS and
computes q1 signatures. Furthermore, if A is agnostic, then G is also agnostic.

Proof: Adversary B against DS behaves as follows. When started with input vk, it samples
xk ←$ HE.Keys and executes A(vk, xk). Upon a query SIG(m, η) from A, adversary B queries
SIG(m), obtaining a signature s, and returns s to A. Queries to the oracle RO are exactly as in
the game, that is, by lazy sampling of a random function.
Adversary G against the hedged extractor behaves as follows. It obtains a seed xk ∈ HE.Keys
and generates a key pair (sk, vk) ←$ DS.Kg, and then runs adversary A on input (vk, xk). Upon
a query SIG(m, η) from A, adversary G calls RoR(m, η) to obtain a random string r. It then
computes s ← DS.Sig(sk, m; r) and returns s. Potential queries RO(x, l) are referred to the random
oracle provided in the game. When A provides its output (m, s), then G outputs the result of
DS.Ver(vk, m, s) = 1.

24
We define a hybrid game H that is defined almost identically with Gnbuf2NDS,NG (A), with the only
difference that the randomness used in SIG queries is uniformly random instead of derived via the
hedged extractor. The difference with the game Gnbuf2
NDS,NG (A) is highlighted in Fig. 9.

The view of A in H is the same as in Guf

DS (B); in both cases the signatures are computed with fresh
randomness. The remainder of the proof follows almost exactly as in Theorem 5.1.

Acknowledgments
We thank the anonymous reviewers at EUROCRYPT for their helpful and detailed comments.

References
[1] OpenSSL predictable random number generator. Debian security advisory, May 2008. Available at
http://www.debian.org/security/2008/dsa-1571. 3
[2] B. Barak, Y. Dodis, H. Krawczyk, O. Pereira, K. Pietrzak, F.-X. Standaert, and Y. Yu. Leftover hash
lemma, revisited. In P. Rogaway, editor, CRYPTO 2011, volume 6841 of LNCS, pages 1–20. Springer,
Heidelberg, Aug. 2011. 13
[3] M. Bellare. New proofs for NMAC and HMAC: Security without collision-resistance. In C. Dwork,
editor, CRYPTO 2006, volume 4117 of LNCS, pages 602–619. Springer, Heidelberg, Aug. 2006. 6
[4] M. Bellare, A. Boldyreva, and A. O’Neill. Deterministic and efficiently searchable encryption. In
A. Menezes, editor, CRYPTO 2007, volume 4622 of LNCS, pages 535–552. Springer, Heidelberg, Aug.
2007. 3
[5] M. Bellare, Z. Brakerski, M. Naor, T. Ristenpart, G. Segev, H. Shacham, and S. Yilek. Hedged public-
key encryption: How to protect against bad randomness. In M. Matsui, editor, ASIACRYPT 2009,
volume 5912 of LNCS, pages 232–249. Springer, Heidelberg, Dec. 2009. 3, 14
[6] M. Bellare, R. Canetti, and H. Krawczyk. Keying hash functions for message authentication. In
N. Koblitz, editor, CRYPTO’96, volume 1109 of LNCS, pages 1–15. Springer, Heidelberg, Aug. 1996. 6
[7] M. Bellare, A. Desai, D. Pointcheval, and P. Rogaway. Relations among notions of security for public-
key encryption schemes. In H. Krawczyk, editor, CRYPTO’98, volume 1462 of LNCS, pages 26–45.
Springer, Heidelberg, Aug. 1998. 3
[8] M. Bellare, M. Fischlin, A. O’Neill, and T. Ristenpart. Deterministic encryption: Definitional equiva-
lences and constructions without random oracles. In D. Wagner, editor, CRYPTO 2008, volume 5157
of LNCS, pages 360–378. Springer, Heidelberg, Aug. 2008. 3
[9] M. Bellare and V. T. Hoang. Resisting randomness subversion: Fast deterministic and hedged public-
key encryption in the standard model. In E. Oswald and M. Fischlin, editors, EUROCRYPT 2015, Part
II, volume 9057 of LNCS, pages 627–656. Springer, Heidelberg, Apr. 2015. 3
[10] M. Bellare, T. Kohno, and V. Shoup. Stateful public-key cryptosystems: How to encrypt with one
160-bit exponentiation. In A. Juels, R. N. Wright, and S. Vimercati, editors, ACM CCS 06, pages
380–389. ACM Press, Oct. / Nov. 2006. 6
[11] M. Bellare, B. Poettering, and D. Stebila. From identification to signatures, tightly: A framework and
generic transforms. Cryptology ePrint Archive, Report 2015/1157, 2015. http://eprint.iacr.org/
2015/1157. 6, 21
[12] M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-
playing proofs. In S. Vaudenay, editor, EUROCRYPT 2006, volume 4004 of LNCS, pages 409–426.
Springer, Heidelberg, May / June 2006. 7, 12

25
[13] D. J. Bernstein, N. Duif, T. Lange, P. Schwabe, and B.-Y. Yang. High-speed high-security signatures.
In B. Preneel and T. Takagi, editors, CHES 2011, volume 6917 of LNCS, pages 124–142. Springer,
Heidelberg, Sept. / Oct. 2011. 6, 21
[14] A. Boldyreva, S. Fehr, and A. O’Neill. On notions of security for deterministic encryption, and efficient
constructions without random oracles. In D. Wagner, editor, CRYPTO 2008, volume 5157 of LNCS,
pages 335–359. Springer, Heidelberg, Aug. 2008. 3
[15] D. Cash, P. Grubbs, J. Perry, and T. Ristenpart. Leakage-abuse attacks against searchable encryption.
In I. Ray, N. Li, and C. Kruegel:, editors, ACM CCS 15, pages 668–679. ACM Press, Oct. 2015. 3
[16] S. Checkoway, M. Fredrikson, R. Niederhagen, A. Everspaugh, M. Green, T. Lange, T. Ristenpart,
D. J. Bernstein, J. Maskiewicz, and H. Shacham. On the practical exploitability of dual ec in tls
implementations. In USENIX Security, volume 1, 2014. 3
[17] K. Chung and S. Vadhan. Tight bounds for hashing block sources. In A. Goel, K. Jansen, J. Rolim, and
R. Rubinfeld, editors, Approximation, Randomization and Combinatorial Optimization, volume 5171 of
LNCS, pages 357–370, Heidelberg, 2008. Springer. 14
[18] R. Cramer and V. Shoup. A practical public key cryptosystem provably secure against adaptive chosen
ciphertext attack. In H. Krawczyk, editor, CRYPTO’98, volume 1462 of LNCS, pages 13–25. Springer,
Heidelberg, Aug. 1998. 3
[19] Y. Dodis, C. Ganesh, A. Golovnev, A. Juels, and T. Ristenpart. A formal treatment of backdoored
pseudorandom generators. In E. Oswald and M. Fischlin, editors, EUROCRYPT 2015, Part I, volume
9056 of LNCS, pages 101–126. Springer, Heidelberg, Apr. 2015. 5
[20] Y. Dodis, R. Gennaro, J. Håstad, H. Krawczyk, and T. Rabin. Randomness extraction and key deriva-
tion using the CBC, cascade and HMAC modes. In M. Franklin, editor, CRYPTO 2004, volume 3152
of LNCS, pages 494–510. Springer, Heidelberg, Aug. 2004. 6
[21] B. Fuller, A. O’Neill, and L. Reyzin. A unified approach to deterministic encryption: New constructions
and a connection to computational entropy. In R. Cramer, editor, TCC 2012, volume 7194 of LNCS,
pages 582–599. Springer, Heidelberg, Mar. 2012. 3
[22] P. Gaži, K. Pietrzak, and M. Rybár. The exact PRF-security of NMAC and HMAC. In J. A. Garay
and R. Gennaro, editors, CRYPTO 2014, Part I, volume 8616 of LNCS, pages 113–130. Springer,
Heidelberg, Aug. 2014. 6
[23] S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences,
28(2):270–299, 1984. 3, 6
[24] N. Heninger, Z. Durumeric, E. Wustrow, and J. A. Halderman. Mining your ps and qs: Detection of
widespread weak keys in network devices. In USENIX Security Symposium, pages 205–220, 2012. 3
[25] R. Impagliazzo, L. A. Levin, and M. Luby. Pseudo-random generation from one-way functions (extended
abstracts). In 21st ACM STOC, pages 12–24. ACM Press, May 1989. 13
[26] N. Koblitz and A. Menezes. The random oracle model: A twenty-year retrospective. Cryptology ePrint
Archive, Report 2015/140, 2015. http://eprint.iacr.org/2015/140. 6, 21
[27] H. Krawczyk. LFSR-based hashing and authentication. In Y. Desmedt, editor, CRYPTO’94, volume
839 of LNCS, pages 129–139. Springer, Heidelberg, Aug. 1994. 12
[28] H. Krawczyk. Cryptographic extraction and key derivation: The HKDF scheme. In T. Rabin, editor,
CRYPTO 2010, volume 6223 of LNCS, pages 631–648. Springer, Heidelberg, Aug. 2010. 6, 7
[29] D. M’Raïhi, D. Naccache, D. Pointcheval, and S. Vaudenay. Computational alternatives to random
number generators. In S. E. Tavares and H. Meijer, editors, SAC 1998, volume 1556 of LNCS, pages
72–80. Springer, Heidelberg, Aug. 1999. 6, 21
[30] K. G. Paterson, J. C. N. Schuldt, and D. L. Sibborn. Related randomness attacks for public key encryp-
tion. In H. Krawczyk, editor, PKC 2014, volume 8383 of LNCS, pages 465–482. Springer, Heidelberg,
Mar. 2014. 3

26
[31] T. Pornin. Deterministic usage of the digital signature algorithm (DSA) and elliptic curve digital
signature algorithm (ECDSA). IETF RFC 6979, 2013. 6, 21
[32] A. Raghunathan, G. Segev, and S. P. Vadhan. Deterministic public-key encryption for adaptively chosen
plaintext distributions. In T. Johansson and P. Q. Nguyen, editors, EUROCRYPT 2013, volume 7881
of LNCS, pages 93–110. Springer, Heidelberg, May 2013. 3
[33] T. Ristenpart and S. Yilek. When good randomness goes bad: Virtual machine reset vulnerabilities
and hedging deployed cryptography. In NDSS 2010. The Internet Society, Feb. / Mar. 2010. 3
[34] P. Rogaway. Authenticated-encryption with associated-data. In V. Atluri, editor, ACM CCS 02, pages
98–107. ACM Press, Nov. 2002. 4
[35] P. Rogaway. Nonce-based symmetric encryption. In B. K. Roy and W. Meier, editors, FSE 2004, volume
3017 of LNCS, pages 348–359. Springer, Heidelberg, Feb. 2004. 4, 7
[36] P. Rogaway and T. Shrimpton. A provable-security treatment of the key-wrap problem. In S. Vaudenay,
editor, EUROCRYPT 2006, volume 4004 of LNCS, pages 373–390. Springer, Heidelberg, May / June
2006. 4
[37] C.-P. Schnorr. Efficient signature generation by smart cards. Journal of Cryptology, 4(3):161–174, 1991.
6
[38] S. Yilek. Resettable public-key encryption: How to encrypt on a virtual machine. In J. Pieprzyk, editor,
CT-RSA 2010, volume 5985 of LNCS, pages 41–56. Springer, Heidelberg, Mar. 2010. 3
[39] D. Zuckerman. Simulating BPP using a general weak random source. In 32nd FOCS, pages 79–89.
IEEE Computer Society Press, Oct. 1991. 14

27