Best Effort and Practice Activation Codes
Activation Codes are used in many different digital services and known by many different names including voucher, e-coupon and discount code. In this paper we focus on a specific class of ACs that are short, human-readable, fixed-length and represent…
Authors: Gerhard de Koning Gans, Eric R. Verheul
Gerhard de Koning Gans (1) and Eric R. Verheul (1, 2)

(1) Institute for Computing and Information Sciences, Radboud University Nijmegen, P.O. Box 9010, 6500 GL Nijmegen, The Netherlands, {gkoningg,eric.verheul}@cs.ru.nl
(2) PricewaterhouseCoopers Advisory, P.O. Box 22735, 1100 DE Amsterdam, The Netherlands, eric.verheul@nl.pwc.com

Abstract. Activation Codes are used in many different digital services and known by many different names including voucher, e-coupon and discount code. In this paper we focus on a specific class of ACs that are short, human-readable, fixed-length and represent value. Even though this class of codes is extensively used there are no general guidelines for the design of Activation Code schemes. We discuss different methods that are used in practice and propose BEPAC, a new Activation Code scheme that provides both authenticity and confidentiality. The small message space of activation codes introduces some problems that are illustrated by an adaptive chosen-plaintext attack (CPA-2) on a general 3-round Feistel network of size 2^(2n). This attack recovers the complete permutation from at most 2^(n+2) plaintext-ciphertext pairs. For this reason, BEPAC is designed in such a way that authenticity and confidentiality are independent properties, i.e. loss of confidentiality does not imply loss of authenticity.

Keywords: activation code, e-coupon, voucher, Feistel network, small domain encryption, financial cryptography.

1 Introduction

This paper introduces Activation Codes (ACs) as a generic term for codes that are used in many different digital services. They are known by many different names including voucher, e-coupon and discount code. The common properties of these codes are that they need to be short, human-readable, have a fixed length and can be traded for economic benefit.
There are schemes [4, 5, 8] that include all kinds of property information in the code itself or include digital signatures [14, 12]. This makes the codes unsuitable for manual entry and thus for printing on products, labels or receipts. The focus of this paper is on ACs that can be printed and manually entered such as the AC that is printed on a receipt in Figure 1. In this case the customer can enter the AC 'TY5FJAHB' on a website to receive some product. We propose a scheme called BEPAC to generate and verify this class of ACs. BEPAC is an acronym for Best Effort and Practice Activation Codes. Here 'best practice' covers the use of a keyed hash function to satisfy authenticity and 'best effort' covers the use of a Feistel network to satisfy confidentiality.

Fig. 1: Activation Code

Security plays an important role in the design of an AC system because of the economic value it represents. A system breach could result in big financial losses. Nevertheless, to the best of our knowledge, there are no guidelines on the design of secure AC systems that consider the previously mentioned properties. Despite the lack of general guidelines for good practice, ACs are extensively used. This underlines the need for a proper AC scheme that relies on elementary, well-studied, cryptographic primitives to provide authenticity and confidentiality. First, we discuss some examples that illustrate the need for a scheme that provides both confidentiality and authenticity. Then, we give a general definition of an AC scheme and use it as a reference throughout this paper.

Our Contribution. This paper addresses some known methods that are used to generate ACs and proposes BEPAC, an AC scheme that combines best effort with best practice.
BEPAC is based on well-studied cryptographic primitives to guarantee unique and authentic codes that provide a satisfactory level of confidentiality. Confidentiality is obtained by a Feistel construction. The Feistel construction has weak theoretical bounds when it is used on a small domain, therefore we do not rely on it for authenticity. We use the work of Black and Rogaway [3] on small domain encryption and make some small changes to achieve confidentiality. A practical attack on a general 3-round Feistel network is presented to demonstrate the weak bounds of the Feistel construction. For authenticity, we solely rely on a keyed-hash message authentication code (HMAC) of the serial number, where the size of this HMAC determines the probability of successfully guessing a valid AC. This separated design allows a separate analysis of both confidentiality and authenticity. An advantage of this approach is that authenticity is not automatically compromised when confidentiality is broken. Finally, a BEPAC solution fits on a smart card and therefore allows AC generation and clearance to be performed in a controlled environment.

Related Work. Black and Rogaway [3] propose the Generalized Feistel Cipher (GFC) as a solution to small domain encryption. This elegant solution can be used to construct a permutation on any finite domain. In the BEPAC scheme we use their method in a slightly adapted way and solely to provide confidentiality. Black and Rogaway provide an adapted proof of Luby [15] to prove secrecy of a 3-round Feistel network. However, in their example configuration, the single DES round function does not give the 3 × 56-bit security since single DES can be broken by exhaustive key search [25].
Moreover, in this setting it can be broken round by round which actually means that we have 58-bit security. Bellare et al. [2] propose 128-bit AES as a pseudo-random function which drastically increases the effort needed to break one round of the Feistel network by brute-force. However, the adaptive chosen-plaintext attack (CPA-2) on a 3-round Feistel network presented in this paper shows that the key length of the pseudo-random function used in each round does not have any influence on the attack complexity. Research on Feistel networks [22, 20, 19, 15, 13, 21] has resulted in theoretical security bounds. Feistel constructions of six or more rounds are secure against adaptive chosen plaintext and chosen ciphertext attacks (CPCA-2) when the number of queries m ≪ 2^n, see [22, 13]. There is more related literature on the design of ACs, but to the best of our knowledge there are no proposals for the class of AC schemes that we discuss in this paper. Blundo et al. [4, 5, 8] introduce an e-coupon which is 420 bytes in size. This scheme uses a message authentication code (MAC) over some characterizing data like the identity of the manufacturer, name of the promoted product, expiry date etc. The resulting e-coupons contain valuable information but are too large to be entered manually by a user. In the work of Kumar et al. [14] and Jakobssen et al. [12] a coupon is basically a digital signature which also means that they describe relatively large e-coupons. Chang et al. [6] recognize the problem of efficiency and describe a scheme that is more suitable for mobile phones that have less processing power. On the one hand, they circumvent the use of public key cryptography which reduces the computational complexity, but on the other hand, their scheme describes relatively long codes.
None of the schemes described previously satisfy the requirement of short codes that can be entered manually. Matsuyama and Fujimura [17] describe a digital ticket management scheme that allows users to trade tickets. The authors discuss an account based and a smart card based approach and try to treat different ticket types that are solely electronically circulated. This is in contrast with BEPAC which focuses on codes that can easily be printed on product wrappings. Our intention is not to define a trading system where ACs can be transferred from one person to another. Such contextual requirements are defined in RFC 3506 as Voucher Trading Systems (VTS). Terada et al. [28] come with a copy protection mechanism for a VTS and use public key cryptography. This makes the vouchers only suitable for electronic circulation. Furthermore, RFC 3506 and [17] do not discuss methods on how to generate these vouchers securely. We propose the BEPAC scheme in order to fill this gap.

2 AC Scheme Selection

This section first discusses some examples of AC systems. Then, two different approaches to set up an AC scheme are discussed and their main drawbacks are visited. After this, the Generalized Feistel Cipher of [3] is introduced in Section 2.1 which has some useful concepts that we use in our scheme. The focus of an AC scheme design lies on scalability, cost-efficiency and off-line use. Finally, forgery of ACs should be hard: an adversary is only able to forge ACs with a very small predefined probability.

Examples of Activation Codes. First, we discuss some examples of ACs in real life. A good first example is the scratch prepaid card that is used in the telecommunication industry. To use a prepaid card, the customer needs to remove some foil and reveals a code that can be used to obtain mobile phone credits.
Then we have the e-coupon which is a widely used replacement for the conventional paper coupon. An e-coupon represents value and is used to give financial discount or rebate at the checkout of a web shop. The last example is a one-time password that gives access to on-line content. This content should only be accessible to authenticated people who possess this unique password; think of sneak previews of new material or software distribution. All the aforementioned examples use unique codes that should be easy to handle, that is, people should be able to manually copy ACs without much effort. At the same time, it should be impossible for an adversary to use an AC more than once or autonomously generate a new valid AC. Altogether, ACs are unique codes that have to guarantee authenticity. An AC system provides authenticity when an adversary is not able to forge ACs. It is a misconception that authenticity alone is enough for an AC scheme. In the end, most AC systems are used in a competitive environment. When vendor A starts a campaign where ACs are used to promote a product and provide it for free to customers, then it is not desirable that vendor B finds out details about this campaign like the number of released ACs. Other sensitive details might be the value that different ACs represent or the expiry date of ACs. It is for this reason that we need confidentiality, which means that an adversary is not able to recognize patterns or extract any information from a released AC. Many systems use codes that need to provide the properties discussed above. In this paper we refer to all these codes as ACs. By an AC scheme S we indicate a tuple (A, N, P, λ) where A is the size of the used alphabet, N is the number of desired ACs, P determines the probability 1/P of an adversary guessing an AC and λ is the length of the ACs.
Database Approach. The database approach is very straightforward and consists of a database that contains all the released ACs and their current status. The generation of new AC entries is done by a pseudo-random function. When a customer redeems an AC, its status is set to 'used'. An advantage of the database approach is that the randomness of the ACs is directly related to the randomness of the pseudo-random generator. So, it is important to select a good pseudo-random generator, e.g. a FIPS certified one. On the other hand, the protection of this valuable data is still a problem. For instance, if an attacker manages to add entries to the database or is able to change the record status to 'unused', it will be hard to detect this fraud in time. Also, it is necessary to check any new AC against all existing entries since there might be a collision. As a consequence, access to the complete set of ACs is needed on generation of new ACs.

Block Cipher Approach. Another approach is to use a block cipher that gives a random permutation F: {0,1}^n → {0,1}^n from serial numbers to ACs. The provider maintains a counter i to keep track of the number of generated ACs. This way the authenticity of a serial number can be checked since only ACs that decrypt to a serial < i are valid. A disadvantage of this method is the size of the resulting AC which is 128 bits for AES and 64 bits for 3DES. For AES, this results in a string of about 21 characters when we use numbers, upper- and lower case characters in our alphabet. For 3DES, this is about 11 characters. Smaller block ciphers do exist, like Katan [10] which is 32 bits, but are not very well-studied. Furthermore, block ciphers force ACs to have a length that is a multiple of the block size b.
An alternative could be the concept of elastic block ciphers [9] which is an extended scheme where variable message sizes are allowed as input. Moreover, this scheme uses well-studied block ciphers. Still, the minimal size of a plaintext message is the block size b of the incorporated block cipher. So, this does not give any advantage and is still too large for our target, which is roughly 20 to 50-bit codes.

2.1 Small Domain Ciphers

Black and Rogaway introduce the Generalized Feistel Cipher (GFC) in [3]. The GFC is designed to allow the construction of arbitrary domain ciphers. Here, arbitrary domain means a domain space that is not necessarily {0,1}^n. For ACs we want to use a small domain cipher where the domain size can be customized to a certain extent, therefore we look into the proposed method in [3]. Before we describe the Generalized Feistel Cipher, we briefly visit the basic Feistel construction.

Fig. 2: Feistel

Feistel Network. A Feistel network [16] is a permutation that takes an input x of size 2n, then performs a number of rounds r with round functions f_1, ..., f_r, and finally delivers an output y of size 2n. The input is split into two blocks ⟨L, R⟩ ∈ {0,1}^(2×n). As shown in Figure 2, every right block is input to a round function f_i. The output of this function is combined with the left block and becomes the new right block, e.g. L' = f_1(R) + L for GFC. The original right block becomes the new left block. For the ease of decryption the last output blocks are swapped in case of an odd number of rounds (which is the case in Fig. 2).

Generalized Feistel Cipher. The GFC of Black and Rogaway [3] was introduced to handle flexible domain sizes. Take for example an encryption E: 5^14 → 5^14, which is not a domain that is captured by standard block cipher algorithms.
The BEPAC scheme borrows some of the ideas of GFC to be able to construct arbitrarily sized AC configurations. In GFC the left and right block of the Feistel network are "similarly sized" which means that their domain size may deviate a little. For the particular case of ACs we have looser restrictions on the arbitrariness of our domain and we can increase the guessing probability 1/P to influence the domain size. As a consequence, the system parameters of BEPAC can be chosen such that the left and right block are equally sized. An obvious way to use the Feistel network is to create a pseudo-random permutation F: K × M → M where K and M are the key space and message space respectively. To generate ACs, we take as plaintext an index i and use the resulting ciphertext as AC α. In order to check α the provider keeps track of the last index i and considers a given α valid when F^(−1)(α) ≤ i. This construction guarantees:

1. Collision-freeness, since F is a permutation.
2. Valid serial numbers cannot be predicted, since F is a pseudo-random permutation.

As Black and Rogaway already conclude in [3] the Generalized Feistel Cipher has weak security bounds when used in applications where the message space is roughly from k = 2^30 up to k = 2^60. This suggests that our second argument might not be that strong. Also, the serial i is kept secret and one might argue that this presumes unforgeability. However, the way i is embedded allows an adversary to make useful assumptions about i since the ACs are generated using consecutive numbers. In the GFC, the left block L and right block R are initiated as follows:

    L = i mod 2^n,    R = ⌊i / 2^n⌋

Here, L represents the least significant bits of i, and the successor of every i always causes a change in L.
On the contrary, when i is sequentially incremented, the value of R changes only once every 2^n times. This way, the first 2^n ACs are generated with R = 0, the second 2^n ACs with R = 1, etc. The problems that this little example already points out are further explained in the next section.

3 Feistel Permutation Recovery using CPA-2

In this section we present a practical attack on a three-round Feistel construction in order to illustrate the problem of choosing a small number of rounds and using a serial embedding as suggested by Black and Rogaway [3].

Theorem 1. Consider a three-round 2n-bit Feistel construction. Then there exists an algorithm that needs at most 2^(n+2) adaptive chosen plain-/ciphertext pairs to compute any ciphertext from any plaintext and vice versa without knowledge of the secret round keys and regardless of the used key length.

Proof. The two ciphertext blocks are defined in terms of the plaintext blocks as follows:

    R'  = f_2(f_1(R) + L) + R
    L'' = f_3(f_2(f_1(R) + L) + R) + f_1(R) + L = f_3(R') + f_1(R) + L        (1)

Note that L'' uses R' as input to f_3(·). With L_i we denote L = i and similarly R_j denotes R = j. The notation R'(i,j) means the value of R' when L_i and R_j are used as input blocks. We first observe that several triples (f_1, f_2, f_3) lead to the same permutation and show that it is always possible to find the triple with f_1(0) = 0. To this end, if we replace the triple (f_1, f_2, f_3) with the triple (f'_1, f'_2, f'_3) defined by Equation (2), this leads to the same permutation (Equation (1)) with the desired property that f'_1(0) = 0.

    f'_1(x) = f_1(x) − f_1(0),    f'_2(x) = f_2(x + f_1(0)),    f'_3(x) = f_3(x) + f_1(0)        (2)

So, without loss of generality we may assume that f_1(0) = 0.
Next, we describe a method to find a triple (f_1, f_2, f_3) with f_1(0) = 0. First, we determine f_2, then f_1 and finally f_3. By Equation (1) we get f_2:

    f_2(f_1(R_0) + L_i) = R'(i,0) − R_0 = R'(i,0)   ⇒   f_2(L_i) = R'(i,0)        (3)

Now, to find f_1 observe that f_1(j) is a solution for x in the equation f_2(x) = R'(0,j) − R_j. However, this equation does not always have one unique solution since f_2 is a pseudo-random function. In case of multiple solutions we compare the output of successive (w.r.t. x) function inputs with the values for f_2(x + i) that were found using Equation (3). Then, the correct x is the unique solution to:

    f_2(x + i) = R'(i,j) − R_j    for i = 0, ..., m        (4)

Sometimes m = 0 already gives a unique solution. At the end of this section we show that with very high probability m = 1 defines a unique solution. We find:

    f_1(j) = x        (5)

When f_1 and f_2 are both determined, L and R can be chosen such that every value for R' ∈ {0, ..., 2^n − 1} is visited. Since R' functions as direct input to f_3 it is possible to find all input-output pairs for f_3. To visit every possible input value z = 0, ..., 2^n − 1 find a pair L_i, R_j such that R'(i,j) = z. First, find an index x such that f_2(x) = z − R_j. If such an x does not exist choose a different value for R_j. There is always a solution for x since R_j covers the whole domain of f_2. Second, derive L_i:

    f_2(f_1(R_j) + L_i) = f_2(x)   ⇒   L_i = x − f_1(R_j)        (6)

Note that the determination of L_i and R_j does not need any intermediate queries since it is completely determined by f_1 and f_2.
Next, we query the system with L_i and R_j and use Equations (3) and (5) to compute f_3 as follows:

    f_3(x) = L''(i,j) − f_1(R_j) − L_i        (7)

This completes the solution for a triple (f_1, f_2, f_3) that results in the same permutation as the Feistel construction under attack.

Number of Queries. The determination of f_2 is given by Equation (1) and costs 2^n queries. The determination of f_1 is given by Equation (4). The probability p that there exists an x' ≠ x for a preselected x such that

    (f_2(x) = f_2(x'))  ∧  ⋀_{i=1,...,m} f_2(x + i) = f_2(x' + i)        (8)

can be split into two parts. First, we have the probability p_1 that there is a collision f_2(x) = f_2(x') with x ≠ x'. Then, the second probability p_2 covers cases where a preselected position f_2(x + i) has the same value as some other preselected position f_2(x' + i). We take k = 2^n and the two probabilities are then given by p_1 = 1 − ((k − 1)/k)^(k − 1) and p_2 = 1/k. Now, p = p_1 · p_2^m because we need to multiply by p_2 for every other successive match. To conclude, the probability that there is an x' ≠ x for a Feistel construction of size 2·k and with m successive queries, i.e. the probability that there is no unique solution x to Equation (4), is the probability

    p = 1/k^m − (1/k^m) · ((k − 1)/k)^(k − 1)        (9)

So, p < 1/k^m and depending on the size k, m = 1 already gives p close to zero. In practice one might sometimes need an additional query (m = 2) or only one query (m = 0), but on average m = 1. This means that the cost for determination of f_1 is 2 · 2^n queries on average. Then, the determination of f_3 is given by Equation (7) and costs at most 2^n queries. As a result, the determination of (f_1, f_2, f_3) has an upper bound of 2^(n+2) queries.

4 BEPAC Scheme

In this section we propose our Activation Code Scheme called BEPAC.
Its primary objective is to ensure authenticity and its secondary objective is to provide confidentiality. Confidentiality is satisfied up to the security bounds given by Black and Rogaway in [3]. In the BEPAC scheme, loss of confidentiality does not affect the authenticity property. The authenticity is achieved in an obvious way by the use of an HMAC which is a keyed hash function. We take the truncated HMAC h of a sequence number i and concatenate it to i itself. For this concatenation we use an embedding m like the one used by Black and Rogaway in [3] and Spies in [2]. We rely on the strength of the underlying hash function which covers the best practice part of our solution: ACs are not forgeable. The length of an HMAC is usually too long for the ease of use that is demanded for ACs. Therefore we introduce the probability 1/P that puts a lower bound on the success rate of guessing correct ACs. We use this parameter to limit the length of the codes, i.e. P determines the size of the HMAC. A lower success probability for an adversary is achieved by concatenating a bigger part of the HMAC and thus results in a longer AC. Our solution differs from encryption schemes for small domains [3, 18] in the sense that we make a clear separation between the part that provides authenticity and the part that provides confidentiality. The latter is added as an additional operation on the embedding m. We use a balanced Feistel construction as proposed in [3] to create the necessary confusion and diffusion. This separation between authenticity and confidentiality is really different from an approach where the sequence number i is directly fed into a Feistel construction and when it solely depends on this construction for its authenticity.
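The recovery procedure of Theorem 1 on a toy instance, as an added example that is not part of the paper: a three-round construction with constructed random round functions on Z_k × Z_k is queried adaptively, an equivalent triple (f_1, f_2, f_3) with f_1(0) = 0 is rebuilt following Equations (3) to (7), and the result is compared against every input while the number of distinct queries is checked against the 2^(n+2) bound.

```python
import random

def feistel3(k, f1, f2, f3):
    """Three-round balanced Feistel on Z_k x Z_k with the GFC round
    (L, R) -> (R, (L + f(R)) mod k). Returns (L'', R') as in Eq. (1):
    R' = f2(f1(R) + L) + R and L'' = f3(R') + f1(R) + L."""
    def encrypt(L, R):
        for f in (f1, f2, f3):
            L, R = R, (L + f(R)) % k
        return R, L            # after three swaps the state is (R', L'')
    return encrypt

def recover(k, oracle):
    """Rebuild an equivalent (f1, f2, f3) from adaptive chosen queries.
    Returns the three tables and the number of distinct oracle calls."""
    cache = {}
    def query(L, R):
        if (L, R) not in cache:
            cache[(L, R)] = oracle(L, R)
        return cache[(L, R)]
    # Eq. (3): with f1(0) = 0 (w.l.o.g. by Eq. (2)), f2(i) = R'(i, 0).
    f2 = [query(i, 0)[1] for i in range(k)]
    # Eq. (4)/(5): f1(j) is the x with f2(x + i) = R'(i, j) - R_j for
    # i = 0..m; one more successive query is spent only while x is ambiguous.
    f1 = [0] * k
    for j in range(1, k):
        cands = list(range(k))
        i = 0
        while len(cands) > 1 and i < k:
            target = (query(i, j)[1] - j) % k
            cands = [x for x in cands if f2[(x + i) % k] == target]
            i += 1
        f1[j] = cands[0]
    # Eq. (7): every cached query whose R' equals z already gives f3(z).
    f3 = [None] * k
    for (L, R), (Lpp, Rp) in cache.items():
        f3[Rp] = (Lpp - f1[R] - L) % k
    # Eq. (6): for the remaining z choose R_j and x with f2(x) = z - R_j,
    # set L_i = x - f1(R_j), and query once; no intermediate queries needed.
    for z in range(k):
        if f3[z] is not None:
            continue
        for Rj in range(k):
            xs = [x for x in range(k) if f2[x] == (z - Rj) % k]
            if xs:
                break
        Li = (xs[0] - f1[Rj]) % k
        Lpp, Rp = query(Li, Rj)
        f3[z] = (Lpp - f1[Rj] - Li) % k
    return f1, f2, f3, len(cache)

def demo(n=6, seed=2024):
    """Toy instance with k = 2^n and constructed random (secret) round tables.
    Returns (recovered triple reproduces every ciphertext, queries used, 2^(n+2))."""
    k = 1 << n
    rng = random.Random(seed)
    secret = [[rng.randrange(k) for _ in range(k)] for _ in range(3)]
    oracle = feistel3(k, secret[0].__getitem__, secret[1].__getitem__,
                      secret[2].__getitem__)
    f1, f2, f3, queries = recover(k, oracle)
    clone = feistel3(k, f1.__getitem__, f2.__getitem__, f3.__getitem__)
    same = all(clone(L, R) == oracle(L, R) for L in range(k) for R in range(k))
    return same, queries, 4 * k

if __name__ == "__main__":
    print(demo())
```

Because the cache reuses the f_2 and f_1 queries when tabulating f_3, the observed count usually sits near 3 · 2^n, inside the paper's 2^(n+2) bound.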
The attack in Section 3 demonstrates that we cannot rely on a Feistel construction for authenticity when it is used on a small domain. These results form the basis of our design decision.

4.1 AC Scheme Setup

[Fig. 3: BEPAC Scheme. The serial i and h are fed into the Feistel network, which outputs the cryptogram c; c and h' form the activation code α. With s = HMAC(i) mod P: when the length is even, h = s; when the length is odd, h = ⌊s / A⌋ and h' = s mod A.]

The BEPAC scheme setup is a construction (see Fig. 3) where an embedding m of an index i and a part of HMAC(i) are fed into a Feistel network. Since this is a balanced Feistel network, m needs to be divided into two equally sized blocks. When this is not possible a small part h' of HMAC(i) bypasses the Feistel network and is embedded together with the cryptogram c from the Feistel network to form AC α. The BEPAC scheme S is a tuple (A, N, P, λ, ω) where A is the size of the alphabet, λ + ω is the length of the ACs where λ is always even and ω is either 0 or 1. Then, N is the number of ACs and P determines the probability 1/P of obtaining a valid AC by a random guess, e.g. P = 10,000. We assume A < P.

Definition 1 (Valid AC Scheme). An AC scheme S = (A, N, P, λ, ω) is valid when A^λ > N × P × A^(−ω) holds and λ is even.

A valid AC scheme S can be obtained as follows:

(a) The user chooses the alphabet size A, desired number of ACs N and some minimal guess probability 1/P.
(b) Now the minimal length λ is calculated such that A^λ ≥ N × P by taking λ = ⌈log_A(N × P)⌉.
(c) |A^λ − N × P| is minimized by taking P = ⌊A^λ / N⌋.
(d) The length λ can be either odd or even:
    – When λ = 2k + 1 and A < P then we adjust P such that A is a divisor of P. As a consequence, we might have a larger number of ACs N.
        P = P − (P mod A),    N = ⌊A^λ / P⌋
      After these operations we obtain the system S = (A, N, P, λ − 1, 1).
    – When λ = 2k we obtain the system S = (A, N, P, λ, 0).
(e) The process is repeated from step (a) when no valid system S is found.

4.2 Generation

This section describes the generation of new ACs once a valid AC scheme is configured. Algorithm 1 contains the pseudocode for AC generation. The plaintext is an embedding m of a part of HMAC(i) and i itself. In case of an odd AC length (ω = 1) a small part h' of HMAC(i) is excluded from this embedding. The part of HMAC(i) that is used in m is determined by P.

    s = HMAC(i) mod P,    h = ⌊s × A^(−ω)⌋,    h' = s mod A,    m = h × N + i

The balanced Feistel construction is defined with:

    k = A^(λ/2),    L = m mod k,    R = ⌊m / k⌋

L and R are input blocks with size k of a balanced Feistel network. We denote the output blocks after r rounds by L⋆ and R⋆. When the number of rounds r is even the cryptogram c is given by:

    c = R⋆ × k + L⋆

When r is odd, the left and right block are swapped and the cryptogram c is given by:

    c = L⋆ × k + R⋆

This difference between odd and even is there to allow the same construction for encoding and decoding. Finally, the activation code α is given by:

    α = c × A^ω + ω h'

4.3 Verification

This section describes the verification of previously generated ACs for a valid AC scheme. Algorithm 2 contains the pseudocode for AC verification. Given an AC α and an AC scheme S the validity can be checked as follows. First compute c and h' from α:

    c = ⌊α / A^ω⌋,    h' = α mod A^ω

The balanced Feistel construction is defined with input block size k = A^(λ/2). Now, the input blocks L and R are obtained from c as follows:

    L = c mod k,    R = ⌊c / k⌋

L and R are input blocks with size k of a balanced Feistel network. We denote the output blocks after r rounds by L⋆ and R⋆. In this case we want to decrypt and therefore use the round keys in reverse order.
When the number of rounds r is even the plaintext m is given by:

    m = R⋆ × k + L⋆

When r is odd, the left and right block are swapped and the plaintext m is given by:

    m = L⋆ × k + R⋆

Now, we are able to obtain the partial HMAC h and index i from m by:

    h = ⌊m / N⌋,    i = m mod N

We calculate the partial HMAC h_t and h'_t like in the encoding, but now we use the recovered index i. Finally, we say that α is a valid AC iff h_t = h and ω h'_t = ω h'.

Algorithm 1 Generate(i)
    k ← A^(λ/2)
    s ← HMAC(i) mod P
    h ← ⌊s × A^(−ω)⌋
    h' ← s mod A
    m ← h × N + i
    L ← m mod k; R ← ⌊m / k⌋
    for j ← 1 to r do
        tmp ← (L + f_j(R)) mod k
        L ← R; R ← tmp
    end for
    if r is odd then
        c ← L × k + R
    else
        c ← R × k + L
    end if
    α ← c × A^ω + ω h'

Algorithm 2 Verify(α)
    k ← A^(λ/2)
    c ← ⌊α / A^ω⌋; h' ← α mod A^ω
    L ← c mod k; R ← ⌊c / k⌋
    for j ← r down to 1 do
        tmp ← (L − f_j(R)) mod k        (the inverse round subtracts f_j, since the forward round adds it)
        L ← R; R ← tmp
    end for
    if r is odd then
        m ← L × k + R
    else
        m ← R × k + L
    end if
    h ← ⌊m / N⌋; i ← m mod N
    s ← HMAC(i) mod P
    h_t ← ⌊s × A^(−ω)⌋
    h'_t ← s mod A
    if h_t = h and ω h'_t = ω h' then
        Valid
    else
        Invalid
    end if

5 Example Application: Smart Card

In this section we want to give an example of an Activation Code System (ACS). In an ACS there are a few things that need to be managed: the index i of the latest generated AC and the ACs that have been used so far. Since this information is highly valuable and represents financial value it must be well protected. Think of an application where the ACs are printed on prepaid cards covered by some scratch-off material. The production of these cards is a very secured and well-defined process to ensure that activation codes are kept secret during manufacturing. These cards need to have all kinds of physical properties, e.g. the AC should not be readable when the card is partly peeled off from the back.
This can be achieved by printing a random pattern on top of the scratch-off foil. At some point there is a very critical task to be executed when the ACs need to be delivered to the manufacturer. An obvious method to do this is to encrypt the list of ACs with a secret key. Later on in the process, this list of randomly generated codes needs to be maintained by the vendor who sells the scratch cards. This induces a big security threat since leakage of this list or unauthorized modification results in financial loss. Especially when it directly relates to the core business like in the telecommunications industry. The use of a secure application module (SAM) significantly reduces this risk. A SAM is typically a tamper-resistant device, often a smart card, which is in most cases extensively tested and certified in accordance to a standard, e.g. the Common Criteria (footnote 3). The elegance of the solution presented in this paper is that it can be implemented using smart cards. The supplier determines the probability P, number of codes N, size of character set A and the key K to be used.

Table 1: BEPAC Configurations. The left columns give the desired N and P; for each alphabet size A the resulting N, P (written in full), code length l and the corresponding number of bits are shown.

  Desired          A = 8                         A = 20                       A = 31
  N      P         N           P      l  Bits    N           P      l  Bits    N           P      l  Bits
  10^1   10^3      10          26214  6  18      10          16000  4  18      10          92352  4  20
  10^2   10^3      100         20968  7  21      100         32000  5  22      100         286285 5  25
  10^3   10^3      1000        16777  8  24      1000        64000  6  26      1000        28613  5  25
  10^4   10^3      10004       13416  9  27      10000       128000 7  31      10000       88750  6  30
  10^5   10^3      100003      10737  10 30      100000      12800  7  31      100000      275125 7  35
  10^6   10^3      1000006     68719  12 36      1000000     25600  8  35      1000567     27497  7  35
  10^7   10^3      10001379    54968  13 39      10000000    51200  9  39      10000012    85289  8  40
  10^8   10^3      100001057   43980  14 42      100000000   102400 10 44      100010675   264368 9  45
  10^9   10^3      1000010575  35184  15 45      1000000000  10240  10 44      1001045818  26412  9  45
Footnote 3: http://www.commoncriteriaportal.org

An obvious approach is to use two smart cards since the production and clearance of activation codes are very likely to happen at two different locations. Both smart cards are initialized using the same AC scheme S and the same key K. From that moment on the first one only gives out up to N new activation codes. The second one is used at the clearance house to verify and keep track of traded activation codes. This can be done by a sequence of bits where the i-th bit determines whether the i-th activation code has been cleared. For 1.000.000 activation codes approximately 122 kB of storage is needed. This fits on a SmartMX card [27] which is available with 144 kB of EEPROM. Of course, multiple cards can be used if more ACs are needed.

6 Analysis

In this section we discuss the system parameters of BEPAC and decide on some minimal bounds and algorithms. We tested a 6-round BEPAC scheme for obvious flaws using the NIST random number test [26]. This test implementation also delivered the numbers in Table 1, which give a good indication of the length l of the codes for different AC scheme configurations. In the left column the desired values are given for the number of codes N and the guessing probability P. We tested these different numbers for three different alphabet sizes A.

Number of Rounds
We found good arguments to set the minimum number of rounds to six for the BEPAC scheme. The literature shows that Feistel constructions of six or more rounds are secure against adaptive chosen plaintext and chosen ciphertext attacks (CPCA-2) when the number of queries m ≪ 2^n, see [22, 13]. Patarin [21] shows that an adversary needs at least 2^(3n/4) encryptions to distinguish a six-round Feistel construction from a random permutation.
A six-round Feistel network sufficiently covers the risk of leaking serial number information, but this is of course a minimum.

Key Derivation
In the BEPAC scheme we need different round keys for every Feistel round and another different key for the calculation of the HMAC on the serial. We propose to derive these keys from an initial randomly chosen key [1] by a key derivation function (KDF). There are several definitions available for KDFs and we propose to use KDF1, which is defined in ISO 18033-2 [11]. Recommendations for KDFs and their construction can also be found in [7]. The first key that is derived is used as the key in the HMAC calculation of h and h′ (Section 4). After this the round keys for the Feistel construction are successively derived.

Pseudo-random Functions
Furthermore, we need to decide on the pseudo-random functions (PRFs) that are used as round functions of the Feistel network. The pseudo-randomness of the permutation defined by a Feistel network depends on the chosen PRF in each round [15]. It is straightforward to use a cryptographic hash function since we already need a hash function for the HMAC [24] calculation and it keeps our AC scheme simple.

Hash Function
In the end, the BEPAC scheme is solely based on a single cryptographic hash function. We follow the secure hash standard FIPS 180-3 [23] and propose to use an approved hash function like SHA-256.

7 Conclusions

In this paper we have introduced activation codes (ACs), short codes of fixed length that represent value. These ACs should be scalable, cost efficient and forgery resistant. In the literature, several solutions [4, 5, 8, 14, 12, 6, 17, 28] handle digital coupons or tickets that are somehow reminiscent of our notion of ACs.
The difference is that most solutions use public key cryptography or other means that result in lengthy codes. In fact, these solutions come closer to some extended notion of digital cash and are not meant to give a solution for the generation of ACs. To the best of our knowledge there is no scheme that focuses on the class of ACs described in this paper (roughly think of 20 to 50-bit codes). Our proposed AC scheme for this class satisfies authenticity and confidentiality in such a way that when confidentiality is compromised it does not automatically break authenticity, and vice versa. In order to allow a relatively small and arbitrary message space for our AC scheme we use some of the ideas of Black and Rogaway [3] in their Generalized Feistel Cipher to satisfy the confidentiality in our scheme. Several studies [22, 20, 19, 15, 13, 21] show that the security bounds of Feistel constructions are not strong enough and thus make the use of Feistel constructions in small domains questionable. To illustrate this, we have demonstrated that CPA-2 allows an adversary to recover the complete permutation from only 2^(n+2) plaintext-ciphertext pairs. Still, the Feistel construction is suitable for the purpose of confidentiality in our AC scheme. Since confidentiality is a secondary goal, it relaxes the demands on the security bounds. Furthermore, in BEPAC the plaintext cannot be predicted, which counters the attacks from the literature. And most important of all, a Feistel construction defines a permutation on the AC domain, which means in practice that we do not have to store any additional data in order to remember which ACs are already published and which are not. To conclude, we found satisfactory system parameters for the minimum number of Feistel rounds and we defined a method to do the key derivation for the round keys.
Furthermore, we suggested a specific pseudo-random function (PRF) and hash function for concrete implementations. Finally, we have implemented the BEPAC scheme (footnote 4) and performed some statistical tests using the NIST Random Number Test [26]. This test did not reveal any obvious flaws. It might be interesting for future work to create a smart card implementation of BEPAC as suggested in Section 5.

Footnote 4: http://www.cs.ru.nl/~gkoningg/bepac

References

1. E. Barker and J. Kelsey. Recommendation for Random Number Generation Using Deterministic Random Bit Generators (revised). NIST Special Publication, 800:90, 2007.
2. M. Bellare, P. Rogaway, and T. Spies. Format-Preserving Feistel-Based Encryption Mode. http://csrc.nist.gov/groups/ST/toolkit/BCM/modes_development.html, November 2009.
3. J. Black and P. Rogaway. Ciphers with Arbitrary Finite Domains. Topics in Cryptology–CT-RSA 2002, pages 185–203, 2002.
4. C. Blundo, S. Cimato, and A. De Bonis. A Lightweight Protocol for the Generation and Distribution of Secure E-Coupons. In WWW '02: Proceedings of the 11th International Conference on World Wide Web, pages 542–552, New York, NY, USA, 2002. ACM.
5. C. Blundo, S. Cimato, and A. De Bonis. Secure E-Coupons. Electronic Commerce Research, 5(1):117–139, 2005.
6. C.C. Chang, C.C. Wu, and I.C. Lin. A Secure E-coupon System for Mobile Users. International Journal of Computer Science and Network Security, 6(1):273, 2006.
7. L. Chen. Recommendation for Key Derivation Using Pseudorandom Functions. NIST Special Publication, 800:108, 2009.
8. S. Cimato and A. De Bonis. Online Advertising: Secure E-Coupons. Theoretical Computer Science, pages 370–383.
9. D. Cook, A. Keromytis, and M. Yung. Elastic Block Ciphers: The Basic Design. In Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security, pages 350–352. ACM, 2007.
10. C. De Cannière, O. Dunkelman, and M. Knežević. KATAN and KTANTAN – A Family of Small and Efficient Hardware-Oriented Block Ciphers. Cryptographic Hardware and Embedded Systems–CHES 2009, pages 272–288, 2009.
11. ISO/IEC 18033-2:2006. Information Technology – Security Techniques – Encryption Algorithms – Part 2: Asymmetric Ciphers, 2006.
12. M. Jakobsson, P.D. MacKenzie, and J.P. Stern. Secure and Lightweight Advertising on the Web. Computer Networks: The International Journal of Computer and Telecommunications Networking, 31(11):1101–1110, 1999.
13. L.R. Knudsen. The Security of Feistel Ciphers with Six Rounds or Less. Journal of Cryptology, 15(3):207–222, 2008.
14. M. Kumar, A. Rangachari, A. Jhingran, and R. Mohan. Sales Promotions on the Internet. 3rd USENIX Workshop on Electronic Commerce, pages 167–176, 1998.
15. M. Luby. Pseudorandomness and Cryptographic Applications. Princeton University Press, 1996.
16. Michael Luby and Charles Rackoff. How to Construct Pseudorandom Permutations from Pseudorandom Functions. SIAM J. Comput., 17(2):373–386, 1988.
17. K. Matsuyama and K. Fujimura. Distributed Digital-Ticket Management for Rights Trading System. In Proceedings of the 1st ACM Conference on Electronic Commerce, page 118. ACM, 1999.
18. B. Morris, P. Rogaway, and T. Stegers. How to Encipher Messages on a Small Domain. In Proceedings of the 29th Annual International Cryptology Conference on Advances in Cryptology, page 302. Springer, 2009.
19. M. Naor and O. Reingold. On the Construction of Pseudorandom Permutations: Luby-Rackoff Revisited. Journal of Cryptology, 12(1):29–66, 1999.
20. J. Patarin. New Results on Pseudorandom Permutation Generators Based on the DES Scheme. In Advances in Cryptology–CRYPTO, volume 91, pages 301–312.
21. J. Patarin. About Feistel Schemes with Six (or More) Rounds. Lecture Notes in Computer Science, 1372:103–121, 1998.
22. J. Patarin. Security of Random Feistel Schemes with 5 or More Rounds. Lecture Notes in Computer Science, pages 106–122, 2004.
23. FIPS PUB. FIPS 180-3: Secure Hash Standard (SHS). Federal Information Processing Standards Publication, 2008.
24. FIPS PUB. FIPS 198: Keyed-Hash Message Authentication Code (HMAC). Federal Information Processing Standards Publication, 198.
25. J.J. Quisquater and F.X. Standaert. Exhaustive Key Search of the DES: Updates and Refinements. Special-Purpose Hardware for Attacking Cryptographic Systems, 2005.
26. A. Rukhin, J. Soto, J. Nechvatal, M. Smid, E. Barker, S. Leigh, M. Levenson, M. Vangel, D. Banks, A. Heckert, et al. A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications. NIST, 2000.
27. NXP Semiconductors. P5Cx012/02x/40/73/80/144 Family: Secure Dual Interface and Contact PKI Smart Card Controller. NXP, June 2010.
28. M. Terada, M. Hanadate, and K. Fujimura. Copy Prevention Scheme for Rights Trading Infrastructure. In Smart Card Research and Advanced Applications: IFIP TC8/WG8, page 51. Springer, 2000.