On the Construction of PseudoRandom Permutations

LubyRacko Revisited

y

Moni Naor Omer Reingold

Abstract

Luby and Racko showed a metho d for constructing a pseudorandom p ermutation from

a pseudorandom function The metho d is based on comp osing four or three for weakened se

curity so called Feistel p ermutations each of which requires the evaluation of a pseudorandom

function We reduce somewhat the complexity of the construction and simplify its pro of of security

by showing that two Feistel p ermutations are sucient together with initial and nal pairwise in

dep endent p ermutations The revised construction and pro of provide a framework in which similar

constructions may b e brought up and their security can b e easily proved We demonstrate this by

presenting some additional adjustments of the construction that achieve the following

Reduce the success probability of the adversary

Provide a construction of pseudorandom p ermutations with large inputlength using pseudo

random functions with smal l inputlength

Incumbent of the Morris and Rose Goldman Career Development Chair Dept of Applied Mathematics and

Computer Science Weizmann Institute of Science Rehovot Israel Research supp orted by grant no

from the Israel Science Foundation administered by the Israeli Academy of Sciences and by BSF grant no

Email naorwisdomweizmannacil

y

Dept of Applied Mathematics and Computer Science Weizmann Institute of Science Rehovot Israel

Part of this research was supp orted by a Clore Scholars award Email reingoldwisd omweizmannacil

Introduction

Pseudorandom p ermutations which were introduced by Luby and Racko formalize the well

established cryptographic notion of blo ck ciphers Blo ck ciphers are privatekey encryption schemes

such that the encryption of every plaintextblock is a single ciphertextblo ck of the same length

Therefore we can think of the private key as determining a p ermutation on strings of the length of

the blo ck A highly inuential example of a blo ck cipher is the Data Encryption Standard DES

The advantage of blo ck ciphers compared with using pseudorandom functions for private

key encryption is that the plaintext and ciphertext are of the same length This prop erty saves

on memory and prevents wasting communication bandwidth Furthermore it enables the easy

incorp oration of the encryption scheme into existing proto cols or hardware comp onents

Luby and Racko dened the security of pseudorandom p ermutations in analogy to the dierent

attacks considered in the context of blo ck ciphers

Pseudorandom p ermutations can b e interpreted as blo ck ciphers that are secure against an

adaptive chosenplaintext attack Informally this means that an ecient adversary with

access to the encryptions of messages of its choice cannot tell apart those encryptions from

the values of a truly random p ermutation

Strong pseudorandom p ermutations can b e interpreted as blo ck ciphers that are secure

against an adaptive chosen plaintext and ciphertext attack Here the adversary has the

additional p ower to ask for the decryption of ciphertexts of its choice

Pseudorandom p ermutations are closely related b oth in denition and in their construction

to the earlier concept of pseudorandom functions which was dened by Goldreich Goldwasser and

Micali These are eciently samplable and computable functions that are indistinguishabl e

from random functions under all ecient blackbox attacks see Section for a formal denition

Pseudorandom functions play a ma jor role in privatekey cryptography and have many additional

applications for some of these applications see

Luby and Racko provided a construction of strong pseudorandom p ermutations LR

Construction which was motivated by the structure of DES The basic building blo ck is the so

called Feistel p ermutation based on a pseudorandom function dened by the key Their construc

tion consists of four rounds of Feistel p ermutations or three rounds for pseudorandom p ermuta

tions each round involves an application of a dierent pseudorandom function see Figure a for

an illustration The LRConstructions main source of attraction is most probably its elegance

Goldreich Goldwasser and Micali showed a construction of pseudorandom functions from

pseudorandom generators Thus the construction of pseudorandom p ermutations reduces

to the construction of pseudorandom generators Recently a dierent construction of pseudo

random functions was introduced by Naor and Reingold this is a parallel construction based

on a new primitive called a pseudorandom synthesizer that in particular can b e constructed from

any trap do or p ermutation This implies a parallel construction of pseudorandom p ermutations

Nevertheless all known constructions of pseudorandom functions involve nontrivial though of

course p olynomialtime computation so it makes sense to attempt to minimize the number of

invocations of pseudorandom functions

def

n n n

A Feistel p ermutation for a function f f g f g is a p ermutation on f g dened by D L R

f

R L f R where jLj jRj n Each of the rounds of DES involves a Feistel p ermutation of a function

determined by the key bits

Alongside cryptographic pseudorandomness the last two decades saw the development of the

notion of limited indep endence in various setting and formulations For a

family of functions F to have some sort of limited indep endenc e means that if we consider the

value of a function f chosen uniformly at random from F at each p oint as a random variable

in the probability space dened by choosing f then these random variables p ossess the promised

n

indep endence prop erty Thus a family of p ermutations on f g is pairwise indep endent if for

n

all x y the values of f x and f y are uniformly distributed over strings a b f g such

that a b Functions of limited indep endenc e are typically much simpler to construct and easier

to compute than cryptographic pseudorandom functions

New Results and Organization

The goal of this pap er is to provide a b etter understanding of the LRConstruction and as a result

improve the construction in several resp ects Our main observation is that the dierent rounds of

the LRConstruction serve signicantly dierent roles We show that the rst and last rounds can

b e replaced by pairwise indep endent p ermutations and use this in order to

Simplify the pro of of security of the construction esp ecially in the case of strong pseudo

random p ermutations and provide a framework for proving the security of similar construc

tions

Derive generalizations of the construction that are of practical and theoretical interest The

pro of of security for each one of the constructions is practically free of charge given the

framework

Achieve an improvement in the computational complexity of the pseudorandom p ermuta

tions two applications of a pseudorandom function on n bits suce for computing the value

of a pseudorandom p ermutation on n bits at a given p oint vs four applications in the

original LRConstruction This implies that the reduction is optimal

As discussed in Section the new construction is in fact a generalization of the original LR

Construction Thus the pro of of security Theorem also applies to the original construction

The following is a brief and informal description of the pap ers main results and organization

Section Reviews the notation and the denitions regarding pseudorandomness and k wise in

dep endence

Section Presents the main construction and proves its security pairwise indep endent p ermu

tations can replace the rst and fourth rounds of the LRConstruction see Figure b for an

illustration

Section Highlights the highlevel structure of the pro of of security which provides a framework

that enables us to relax and generalize the main construction

Section Shows how the main construction can b e relaxed by

Using a single pseudorandom function instead of two and

Using weaker and more ecient p ermutations or functions instead of the pairwise

indep endent p ermutations

Section Provides a simple generalization of the main construction using t rounds of gener

alized Feistel p ermutations instead of two the success probability of the distinguisher is

m m t

reduced from approximately to approximately where the p ermutation is on

t

bits and the distinguisher makes at most m queries see Figure for an illustration

Section Provides a second generalization of the main construction Instead of applying Feistel

p ermutations on the entire outputs of the rst and second rounds Feistel p ermutations can b e

separately applied on each one of their subblo cks This is a construction of a strong pseudo

random p ermutation on many blo cks using pseudorandom functions on a single blo ck see

Figure for an illustration

Section Analyzes the dierent constructions of the pap er as constructions of k wise dep endent

p ermutations

Section Suggests directions for further research

Related Work

The LRConstruction inspired a considerable amount of research We try to refer to the more

relevant to this pap er part of these directions

Several alternative pro ofs of the LRConstruction were presented over the years Maurer

gives a pro of of the threeround construction His pro of concentrates on the nonadaptive case

ie when the distinguisher has to sp ecify all its queries in advance A p oint worth noticing is

that indistinguishabi l ity under nonadaptive attacks do es not necessarily imply indistinguishabil i ty

under adaptive attacks For example a random involution an involution is a p ermutation which is

the inverse of itself and a random p ermutation are indistinguishable under nonadaptive attacks

and can b e distinguished using a very simple adaptive attack A dierent approach toward the

pro of was describ ed by Patarin this is the only published pro of we are aware of for the

LRConstruction of strong pseudorandom p ermutations another pro of was given by Koren

Other pap ers consider the security of p ossible variants of the construction A signicant p ortion

of this research deals with the construction of pseudorandom p ermutations and strong pseudo

random p ermutations from a single pseudorandom function This line of work is describ ed in

Section

Lucks shows that a hash function can replace the pseudorandom function in the rst round

of the threeround LRConstruction His pro of is based on and is motivated by his suggestion

to use the LRConstruction when the input is divided into two unequal parts Lucks left op en the

question of the construction of strong pseudorandom p ermutations

Somewhat dierent questions were considered by Even and Mansour and by Kilian and

Rogaway Lo osely sp eaking the former construct several pseudorandom p ermutations from

a single one while the latter show how to make exhaustive keysearch attacks more dicult The

construction itself amounts in b oth cases to XORing the input of the pseudorandom p ermutation

with a random key and XORing the output of the p ermutation with a second random key

The background and related work concerning other relevant issues are discussed in the appro

priate sections Denitions and constructions of ecient hash functions in Section reducing

the distinguishing probability in Section and the construction of pseudorandom p ermutations

or functions with large inputlength from pseudorandom p ermutations or functions with small

inputlength in Section

An even more striking example is obtained by comparing a random p ermutation P that satises P P

with a truly random p ermutation

Preliminaries

In this section the concepts of pseudorandom functions and pseudorandom p ermutations are

briey reviewed A more thorough and formal treatment can b e found in

Notation

n

I denotes the set of all nbit strings f g

n

F denotes the set of all I I functions and P denotes the set of all such p ermutations

n n n n

P F

n n

Let x and y b e two bit strings of equal length then x y denotes their bitbybit exclusiveor

For any f g F denote by f g their comp osition ie f g x f g x

n

For x I denote by x the rst left n bits of x and by x the last right n bits of x

n

j j

L R

Denition Feistel Permutations For any function f F let D P be the permu

n f n

def

tation dened by D L R R L f R where jLj jRj n

f

Notice that Feistel p ermutations are as easy to invert as they are to compute since the in

L R D for L R R f L L that is D verse p ermutation satises D

f

f f

def

L R R L Therefore the LRConstruction and its dierent variants which are intro

duced in Sections are easy to invert

PseudoRandomness

Pseudorandomness is fundamental to cryptography and indeed essential in order to p erform such

tasks as encryption authentication and identication Lo osely sp eaking pseudorandom distribu

tions cannot b e eciently distinguished from the truly random distributions usually random here

means uniform However the pseudorandom distributions have substantially smaller entropy

than the truly random distributions and are eciently samplable

Overview of PseudoRandom Primitives

In the case of pseudorandom bit generators which were introduced by Blum and Micali

and Yao the pseudorandom distribution is of bitsequences The distribution is eciently

sampled using a relatively small truly random bitsequence the seed Hastad Impagliazzo Levin

and Luby showed how to construct a pseudorandom generator from any oneway function

informally a function is oneway if it is easy to compute its value but hard to invert it

Pseudorandom function ensembles PFE which were introduced by Goldreich Gold

wasser and Micali are distributions of functions These distributions are indistinguishabl e from

the uniform distribution under all p olynomiallyb ounded blackbox attacks ie the distinguisher

can only access the function by sp ecifying inputs and getting the value of the function on these

inputs Goldreich Goldwasser and Micali provided a construction of such functions based on the

existence of pseudorandom generators

D stands for DESlike another common term for these p ermutations

Luby and Racko dene pseudorandom p ermutation ensembles PPE to b e dis

tributions of p ermutations that are indistinguishabl e from the uniform distribution to an ecient

observer that again has access to the value of the p ermutation at p oints of its choice In addi

tion they consider a stronger notion of pseudorandomness which they call super pseudorandom

permutation generators Here the distinguisher can also access the inverse p ermutation at p oints

of its choice Following we use the term strong pseudorandom p ermutation ensembles

SPPE instead

Luby and Racko provided a simple construction of PPE and SPPE LRConstruction which

is the fo cus of this work Their construction is based on a basic comp ound of the structure of

DES namely the comp ositions of several Feistelpermutations Their design of the PPE resp

SPPE is D D D resp D D D D where all f s are indep endent pseudorandom

f f f f f f f i

functions and D as in Denition see Figure a for an illustration

f

i

Denitions

A function ensemble is a sequence H fH g such that H is a distribution over F H is

n nN n n

the uniform function ensemble if H is uniformly distributed over F A permutation ensemble is

n n

a sequence H fH g such that H is a distribution over P H is the uniform permutation

n nN n n

ensemble if H is uniformly distributed over P

n n

A function ensemble or a p ermutation ensemble H fH g is eciently computable if the

n nN

distribution H can b e sampled eciently and the functions in H can b e computed eciently Ie

n n

there exist probabilistic p olynomialtime Turingmachines I and V and a mapping from strings

n

to functions such that I and H are identically distributed and V i x ix so

n

n

in fact H V I

n

We would like to consider eciently computable function or p ermutation ensembles that

cannot b e eciently distinguished from the uniform ensemble In our setting the distinguisher is

an oracle machine that can make queries to a length preserving function or functions and outputs

n

a single bit We assume that on input the oracle machine makes only nbit long queries n

also serves as the security parameter An oracle machine has an interpretation b oth under the

uniform complexity mo del and under the nonuniform mo del In the former it is interpreted as

a Turingmachine with a sp ecial oracletap e in this case ecient means probabilistic p olynomial

time and in the latter as a circuitfamily with sp ecial oraclegates in this case ecient means

p olynomialsize The discussion of this pap er is indep endent of the chosen interpretation

Let M b e an oracle machine let f b e a function in F and H a distribution over F Denote

n n n

f n

the distribution of M s output when its queries are answered by f and denote by by M

n f n H

n

the distribution M where f is distributed according to H We would also like to M

n

consider oracle machines with access b oth to a p ermutation and to its inverse Let M b e such a

f f n

machine let f b e a p ermutation in P and H a distribution over P Denote by M the

n n n

n H H

n

n

distribution of M s output when its queries are answered by f and f and denote by M

f f n

the distribution M where f is distributed according to H

n

Denition advantage Let M be an oracle machine and let H fH g and H

n nN

fH g be two function or permutation ensembles We call the function

n nN

H n H n

n n

PrM PrM

the advantage M achieves in distinguishing between H and H

Let M be an oracle machine and let H fH g and H fH g be two permutation

n nN n nN

ensembles We call the function

n n H H H H

n n

n n

PrM PrM

the advantage M achieves in distinguishing between hH H i and hH H i

Denition distinguish We say that M distinguishes between H and H resp hH H i

and hH H i for n if for innitely many ns the advantage M achieves in distinguishing

between H and H resp hH H i and hH H i is at least n

Denition negligible functions A function h N N is negligible if for every constant

c and al l suciently large ns

hn

c

n

Denition PFE Let H fH g be an eciently computable function ensemble and let

n nN

R fR g be the uniform function ensemble H is a pseudorandom function ensemble if

n nN

for every ecient oraclemachine M the advantage M has in distinguishing between H and R is

negligible

Denition PPE Let H fH g be an eciently computable p ermutation ensemble and

n nN

let R fR g be the uniform permutation ensemble H is a pseudorandom p ermutation en

n nN

semble if for every ecient oraclemachine M the advantage M has in distinguishing between H

and R is negligible

Denition SPPE Let H fH g be an eciently computable permutation ensemble and

n nN

let R fR g be the uniform permutation ensemble H is a strong pseudorandom p ermutation

n nN

ensemble if for every ecient oraclemachine M the advantage M has in distinguishing between

hH H i and hR R i is negligible

Remark We use the phrase f is a pseudorandom function as an abbreviation for f is

distributed according to a pseudorandom function ensemble and similarly for f is a pseudo

random permutation and f is a strong pseudorandom permutation

kWise Indep endent Functions and Permutations

The notions of kwise indep endent functions and kwise almost indep endent functions

under several dierent formulations play a ma jor role in contemporary computer

science These are distributions of functions such that their value on any given k inputs is uniformly

or almost uniformly distributed Several constructions of such functions and a large variety of

applications were suggested over the years

We briey review the denitions of k wise indep endenc e and k wise dep endence The de

nitions of pairwise indep endenc e and pairwise dep endence can b e derived by taking k

Denition Let D and D be two distributions dened over the variation distance between

D and D is

X

kD D k jD D j

Denition Let A and B be two sets k an integer k jAj and F a

distribution of A B functions

Let x x x be k dierent members of A consider the fol lowing two distributions

k

hf x f x f x i where f is distributed according to F

k

k

The uniform distribution over B

F is k wise independent if for al l x x x the two distributions are identical F is k wise

k

dependent if for al l x x x the two distributions are of variation distance at most

k

These denitions are naturally extended to p ermutations

Denition Let A be a set k an integer k jAj and F a distribution of

permutations over A

Let x x x be k dierent members of A consider the fol lowing two distributions

k

hf x f x f x i where f is distributed according to F

k

The uniform distribution over sequences of k dierent elements of A

F is k wise independent if for al l x x x the two distributions are identical F is k wise

k

dependent if for al l x x x the two distributions are of variation distance at most

k

The connection of this pap er to k wise indep endenc e is bidirectional as describ ed in the following

two paragraphs

As shown in Section pairwise indep endent p ermutations can replace the rst and fourth

def

rounds of the LRConstruction Let A b e a nite eld then the p ermutation f x a x b

ab

where a b A are uniformly distributed is pairwise indep endent Thus there are pair

n

wise indep endent p ermutations over I the p ermutations f with op erations over GF In

n ab

Section it is shown that we can use even more ecient functions and p ermutations in our

construction In particular we consider the concept of AXU functions

In contrast with the case of pairwise indep endent p ermutations we are not aware of any go o d

constructions of k wise dep endent p ermutations for general k and The dierent variants of the

LRConstruction oer a partial solution to this problem partial b ecause of the b ounded values

of that can b e achieved For example using k wise dep endent functions on n bits instead of

pseudorandom functions in the original LRConstruction yields a k wise dep endent p ermutation

n

on n bits for O k In Section we analyze the dierent constructions of this pap er

as constructions of k wise dep endent p ermutations

Construction of PPE and SPPE

Intuition

As mentioned in the introduction a principle observation of this pap er is that the dierent rounds of

the LRConstruction serve signicantly dierent roles To illustrate this p oint consider two rounds

of the construction Namely E D D where f f F are two indep endently chosen

f f n

pseudorandom functions It is not hard to verify that E is computationally indistinguishabl e

m

from a random p ermutation to any ecient algorithm that has access to pairs fhx E x ig

i i

i

m

where the sequence fx g is uniformly distributed The intuition is as follows Note that it is

i

i L 0 R0 Input

f1 h1

LR1 1 L 0 R0

f2 f1

LRLR2 2 1 1

f3 f2

LR3 3 LR2 2

f 4 -1 h2

LR4 4 Output

(a) (b)

Figure Constructions of SPPE a The original LRConstruction b The revised Construction

In a and b i L R and R L f R In b hL R i h I nput and

i i i i i i

hL R i O utput h

enough to prove the pseudorandomness of E when f and f are truly random functions instead

of pseudorandom Let L R x and L R E x by the denition of E we get that

i i

i i i i

m

L L f R and R R f L Since the sequence fx g is uniformly distributed we

i

i i i i i i i

m

R R for all i j Conditioned on have that with go o d probability b etter than

n

i j

m m

this event the sequence fL g is uniformly distributed and indep endent of the sequence fx g

i

i i i

since f is random We now have that with go o d probability L L for all i j Conditioned

i j

m m

on this event the sequence fR g is uniformly distributed and indep endent of b oth fL g and

i i i i

m m

fx g Notice that this argument still works if the sequence fx g is only pairwise indep endent

i i

i i

Nevertheless as Luby and Racko showed E can b e easily distinguished from a random p ermu

tation by an algorithm that gets to see the value of E or E on inputs of its choice The reason is

that for any values L L and R such that L L we have that E L R E L R L L

j j

L L

n

In contrast for a truly random p ermutation the probability of this event is This is the reason

that the LRConstruction includes three or four rounds

If we think of the second and third rounds of the LRConstruction as the p ermutation E

then the discussion ab ove implies that the role of the rst and fourth rounds is to prevent the

distinguisher from directly choosing the inputs of E and E We show that this goal can also

b e achieved with combinatorial constructions eg pairwise indep endent p ermutations rather

than cryptographic ie pseudorandom functions In particular the LRConstruction remains

secure when the rst and fourth rounds are replaced with pairwise indep endent p ermutations see

Figure for an illustration

Construction and Main Result

Denition For any f f F and h h P dene

n n

def

W h f f D D h

f f

and

def

h D D S h f f h h

f f

Theorem Let h h P be pairwise independent permutations similarly to Remark

n

this is an abbreviation for distributed according to a pairwise independent permutation ensemble

and let f f F be pseudorandom functions h h f and f are independently chosen Then

n

W W h f f is a pseudorandom permutation and S S h f f h is a strong pseudo

random permutation W and S as in Denition

Furthermore assume that no ecient oraclemachine that makes at most m mn queries

distinguishes between the pseudorandom functions and random functions for n see Def

inition Then no ecient oraclemachine that makes at most m queries to W resp S and

m m

S distinguishes W resp S from a random permutation for

n

n

Remark The conditions of Theorem are meant to simplify the exposition of the theorem

and of its proof These conditions can be relaxed as discussed in Section The main points are

the fol lowing

A single pseudorandom function f can replace both f and f

h and h may obey weaker requirements than pairwise independence For example it is

enough that for every x y

n n

Prh x h y and Prh x h y

j j j j

R R L L

Pro of of Security

We now prove the security of the SPPEconstruction the pro of of security for the PPEconstruction

is very similar and in fact a bit simpler As with the original LRConstruction the main task

is to prove that the p ermutations are pseudorandom when f and f are truly random instead of

pseudorandom

Theorem Let h h P be pairwise independent permutations and let f f F be

n n

random functions Dene S S h f f h as in Denition and let R P be a random

n

permutation Then for any oracle machine M not necessarily an ecient one that makes at

most m queries

m m

n n RR SS

PrM PrM

n n

Theorem follows easily from Theorem see a pro ofsketch in the sequel In order to

prove Theorem we introduce additional notation

Let G denote the p ermutation that is accessible to the machine M G is either S or R There

are two types of queries M can make either x which denotes the query what is Gx or

th

y which denotes the query what is G y For the i query M makes dene the query

answer pair hx y i I I where either M s query was x and the answer it got was

i i n n i

y or M s query was y and the answer it got was x We assume that M makes exactly m

i i i

queries and refer to the sequence fhx y i hx y ig of all these pairs as the transcript of M s

m m

computation

Notice that no limitations were imp osed on the computational p ower of M Therefore M can

b e assumed to b e deterministic we can always x the random tap e that maximizes the advantage

th

M achieves This assumption implies that for every i m the i query of M is fully

determined by the rst i queryanswer pairs Thus for every i it can b e determined from

th

the transcript whether the i query was x or y We also get that M s output is a

i i

th

deterministic function of its transcript Denote by C fhx y i hx y ig the i query of

M i i

M as a function of the previous queryanswer pairs and denote by C fhx y i hx y ig the

M m m

output of M as a function of its transcript

Denition Let be a sequence fhx y i hx y ig where for i m we have that

m m

hx y i I I Then is a p ossible M transcript if for every i m

i i n n

C fhx y i hx y ig f x y g

M i i i i

Let us consider yet another distribution on the answers to M s queries which in turn induces

another distribution on the p ossible M transcripts Consider a random pro cess R that on the ith

query of M answers as follows

th

If M s query is x and for some j i the j queryanswer pair is hx y i then Rs

answer is y for an arbitrary such queryanswer pair hx y i

th

If M s query is y and for some j i the j queryanswer pair is hx y i then Rs

answer is x for an arbitrary such queryanswer pair hx y i

If neither nor holds then Rs answer is a uniformly chosen nbit string

It is p ossible that R provides answers that are not consistent with any p ermutation

Denition Let fhx y i hx y ig be any possible M transcript is inconsistent if

m m

for some j i m the corresponding queryanswer pairs satisfy x x and y y or y y

i j i j i j

and x x Otherwise is consistent

i j

We rst show in Prop osition that the advantage M might have in distinguishing b etween

the pro cess R and the random p ermutation R is small The reason is that as long as R answers

consistently which happ ens with go o d probability it b ehaves exactly as a random p ermutation

In order to formalize this we consider the dierent distributions on the transcript of M induced

by the dierent distributions on the answers it gets

Denition Let T T and T be the random variables such that T is the transcript of M

S R S

R

when its queries are answered by S T is the transcript of M when its queries are answered by R

R

and T is the transcript of M when its queries are answered by R

R

SS n

Notice that by these denitions and by our assumptions M C T are the same

M S

RR n

random variables and M C T

M R

Prop osition

m

PrC T C T Pr

M R M

R

n

R

R

Pro of For any p ossible and consistent M transcript we have that

n

is consistent j T PrT PrT

R

R R

n

R

m

R

b eing consistent is exactly the distribution of conditioned on T Therefore the distribution of T

R R

is inconsistent if for some is inconsistent is small T T Furthermore the probability that T

R

R R

j i m the corresp onding queryanswer pairs satisfy x x and y y or y y and

i j i j i j

n

x x For a given i and j this event happ ens with probability at most Hence

i j

m m

n

is inconsistent T Pr

R

n

R

The prop osition follows

PrC T PrC T

M R M

R

R

R

PrC T j T is consistent PrC T PrT is consistent

M M R

R R R

R

R R

C T j T is inconsistent PrC T Pr T is inconsistent Pr

M M R

R R R

R

R R

PrT is inconsistent

R

R

m

n

2

It remains to b ound the advantage M might have in distinguishing b etween T and T The

S

R

intuition is that for every p ossible and consistent M transcript unless some bad and rare

event on the choice of h and h as in the denition of S happ ens the probability that T is

S

exactly the same as the probability that T We now formally dene this event Denition

R

and b ound its probability Prop osition

Convention For any possible M transcript fhx y i hx y ig we can assume here

m m

after that if is consistent then for i j both x x and y y this means that M never asks

i j i j

a query if its answer is determined by a previous queryanswer pair

Denition For every specic choice of pairwise independent permutations h h P in

n

the denition of S dene BADh h to be the set of al l possible and consistent M transcripts

fhx y i hx y ig satisfying

m m

i j m such that h x h x or h y h y

i j i j

j j j j

R R L L

Prop osition Let h h P be pairwise independent permutations then for any possible and

n

consistent M transcript fhx y i hx y ig we have that

m m

m

Pr BADh h

n

h h

Pro of By denition BADh h if there exist i j m such that either h x

i

j

R

h x h x and h x or h y h y For any given i and j b oth Pr

i j j i j h

j j j j j

R R R L L

n

are smaller than since h and h are pairwise indep endent There h y h y Pr

j i h

j j

L L

fore

m m

n

Pr BADh h

n

h h

2

The key lemma for proving Theorem is

Lemma Let fhx y i hx y ig be any possible and consistent M transcript then

m m

PrT j BADh h PrT

S

R

S

R

Pro of Since is a p ossible M transcript we have that for all i m

C fhx y i hx y ig f x y g

M i i i i

th

i for all i m the i answer R gives is y in the case that Therefore T

i

R

th

C fhx y i hx y ig x and otherwise its i answer is x Assume that R answered

M i i i i

correctly ie y or x as ab ove for each one of the rst i queries Then by Convention

i i

th

and the denition of R its i answer is an indep endent and uniform nbit string Therefore

nm

Pr T

R

R

Since is a p ossible M transcript we have that T i for all i m y S x

S i i

Consider any sp ecic choice of p ermutations h and h for which S S h f f h such that

BADh h Let L R h x and L R h y By the denition of S we get that

i i

i i i i

L L and f L R R y S x f R

i i

i i i i i i

For every i j m b oth R R and L L otherwise BADh h Therefore

i j i j

since f and f are random we have that for every choice of h and h such that BADh h

nm

the probability that T is exactly We can conclude

S

nm

PrT j BADh h

S

S

which complete the pro of of the lemma 2

Pro of of Theorem Let b e the set of all p ossible and consistent M transcripts such

that M

PrC T Pr C T

M S M

R

S

R

X

PrT is inconsistent PrT PrT

S

R R

S

R R

X

PrT j BADh h PrT Pr BADh h

S

R

S

h h

R

X

PrT j BADh h PrT Pr BADh h

S

R

S

h h

R

Pr T is inconsistent

R

R

We already showed in the pro of of Prop osition that the value of Expression is smaller than

m

by Lemma we get that the value of Expression is Therefore it remains to b ound

n

the value of Expression Assume without loss of generality that

X

PrT j BADh h Pr BADh h

S

S

h h

X

Pr BADh h PrT

R

h h

R

then using Prop osition we get that

X

Pr BADh h PrT j BADh h PrT

S

R

h h S

R

X

Pr BADh h PrT

R

h h

R

max Pr BADh h

h h

m

n

Thus we can conclude that

m m

PrC T Pr C T

M S M

R

n n

S

R

Using Prop osition we complete the pro of

n n RR SS

PrM PrM

R S

PrC T PrC T

M S M R

S R

PrC T Pr C T Pr C T PrC T

M S M M M R

R R

S R

R R

m m

n n

2

Given Theorem the pro of of Theorem is essentially the same as the corresp onding pro of

of the original LRConstruction the pro of of Theorem of given their main Lemma The

pro ofidea is the following Dene three distributions

S S h f f h where h h P are pairwise indep endent and f f F are

n n

pseudorandom functions

S S h g f h where h h P are pairwise indep endent f F a pseudorandom

n n

function and g F a random function

n

S S h g g h where h h P are pairwise indep endent and g g F are

n n

random functions

It is enough to show that for every oracle machine for all but nite number of ns

S S n S S n

n PrM PrM

S S n S S n

PrM PrM n

If or do not hold then we can construct an ecient oraclemachine M that distinguishes

the pseudorandom functions from the random functions in contradiction to the assumption As

sume for example that for innitely many ns

n n S S S S

n PrM PrM

n

The oraclemachine M on input and with access to a function O F rst samples pairwise

n

indep endent p ermutations h h P and a pseudorandom function f F M then invokes

n n

n

M with input and answers its queries with the values of S and S for S S h O f h

When M halts so do es M and it outputs whatever was the output of M Notice that if O is a

pseudorandom function then the distribution of S is S whereas if O is a truly random function

then the distribution of S is S This is the reason that M distinguishes a pseudorandom function

from a random one with advantage greater than n Similar hybridarguments apply to all other

constructions of this pap er

The Framework

As we shall see in Sections the construction of Section can b e relaxed and generalized in

several ways The dierent pseudorandom p ermutations obtained share a similar structure and

almost identical pro of of security In this section we examine the pro of of Theorem in a more

abstract manner Our goal is to establish a framework for proving almost all the constructions

of this pap er and to suggest a way for designing and proving additional constructions

Our framework deals with constructions of a pseudorandom p ermutation S on bits which is

the comp osition of three p ermutations S h E h see Figure for an illustration In

are lightweight and E is where most of the work is done E is constructed general h and h

from pseudorandom functions and for the purp ose of the analysis we assume as in Theorem

that these functions are truly random In Section for example n h and h are chosen as

pairwise indep endent p ermutations and E D D for random f f F

f f n

The framework starts with E which may b e easily distinguished from a truly random p ermuta

tion and transforms it via h and h into a pseudorandom p ermutation The prop erty E should

have is that for almost every sequence fhx y i hx y ig the probability that i y E x

m m i i

is close to what we have for a truly random p ermutation Input

h1

E

-1 h2

Output

Figure The highlevel structure of the dierent constructions of SPPE

m

Denition A sequence fhx y i hx y ig is E Go o d if Pr i y E x

m m E i i

We assume that apart from some rare sequences all others are E Go o d Lo osely sp eaking the

role of h and h is to ensure that under any adaptive chosen plaintext and ciphertext attack on

S the inputs and outputs of E form an E Go o d sequence with a very high probability

For the exact prop erties needed from the distributions on h h and E we shall try to follow

the statement and pro of of Theorem The goal is to show that S is indistinguishabl e from a

truly random p ermutation R on bits Sp ecically that for some small whose choice will b e

explained hereafter for any oracle machine M not necessarily an ecient one that makes at

most m queries

m

RR SS

PrM PrM

Let the notions of queryanswer pair a transcript the function C a p ossible M transcript the

M

b e random pro cess R a consistent transcript and the dierent random variables T T and T

S R

R

is as in the pro of of Theorem Prop osition saying that the distance b etween T and T

R

R

m

b ounded by the probability that T is inconsistent and that this probability is b ounded by

R

still holds The heart of applying the framework is in sp ecifying the bad M transcripts for given

h and h This set BAD h h replaces BADh h in Denition and in the rest of the

E

pro of It contains p ossible and consistent M transcripts and should have the prop erty that any

fhx y i hx y ig not in BAD h h satises that fhh x h y i hh x h y ig

m m E m m

is E Go o d Note that Denition is indeed a sp ecial case of the ab ove and also that by this

prop erty

m

PrT j BAD h h

S E

S

This implies that Lemma where BADh h is replaced with BAD h h is true

E

Lemma Let fhx y i hx y ig be any possible and consistent M transcript then

m m

PrT j BAD h h Pr T

S E

R

S

R

For BAD h h to b e useful we must have that

E

Pr BAD h h

E

h h

and this substitutes Prop osition This is the only place in the pro of where we use the denition

of and the denition of the distributions of h and h As demonstrated in Sections there

is actually a tradeo b etween reducing the requirements from h and h and having a somewhat

larger value of Applying and Lemma as in the pro of of Theorem we conclude

Theorem Let h h E be distributed over permutations in P let S h E h and let

R P be a random permutation Suppose that BAD h h is as above and satises Then

E

for any oracle machine M not necessarily an ecient one that makes at most m queries

m

RR SS

PrM PrM

To summarize the ma jor p oint in proving the security of the dierent constructions is to dene

the set BAD h h such that for any p ossible and consistent M transcript b oth Pr T

E S S

m

j BAD h h and Pr BAD h h for the sp ecic in the claim

E h h E

we are proving This suggests that the critical step for designing a pseudorandom p ermutation

using the framework describ ed in this section is to come up with a p ermutation E such that the

set of E Go o d sequences is large enough and nice enough Note that to meet this end one can

use dierent or more general denitions of an E Go o d sequence with only minor changes to the

pro of as is the case for the p ermutation S in Section

Relaxing the Construction

PPE and SPPE with a Single PseudoRandom Function

Since Luby and Racko introduced their construction a considerable amount of research

was fo cused on the following question Can we obtain a similar construction

of PPE or SPPE such that every p ermutation will b e constructed from a single pseudorandom

function

Apparently this line of research originated in the work of Schnorr Schnorr considered the

LRConstruction where the functions used are truly random as a pseudorandom generator that is

secure if not to o many bits are accessible The security of Schnorrs generator do es not dep end on

any unproven assumption This notion of lo calrandomness is further treated in Since the

key of a random function is huge it makes sense to minimize the number of functions and indeed

Schnorr suggested D D D as pseudorandom the suggested p ermutation was later shown to

f f f

b e distinguishable from random

Following is an informal description of some of these results Let f F b e a random function

n

then

is not pseudorandom D D For all i j k the p ermutation D

j i

k

f f

f

is not strongly pseudorandom D D D For all i j k the p ermutation D

j i

k

f f f f

D D D is pseudorandom D

f f f

f

D D D D D D is strongly pseudorandom where I F is the identity function

f I f I n

f f

D D D is pseudorandom and D D D D is strongly pseudorandom

f f f f f f f f f

where is for example a rotation of one bit

A critique which has b een voiced often is that using only one pseudorandom function do es not

seem to o signicant A pseudorandom function on n bits can replace pseudorandom functions

on n bits or alternatively a small key can b e used to pseudorandomly generate a larger key It

should also b e noticed that the new constructions require additional invocations of the pseudo

random functions which imply an increase in the computation time Furthermore these results

involve detailed and nontrivial pro ofs to a p oint where some pap ers claim to nd inaccuracies in

others

The adjustment of the LRConstruction we suggest in Section can easily b e converted into

a construction of PPE and SPPE from a single pseudorandom function Simply replace b oth

pseudorandom functions f and f with a single pseudorandom function f This solution

do es not suer from the drawbacks of the previous ones The construction and the pro of remain as

simple as b efore and the pseudorandom function is only invoked twice at each computation of the

p ermutation The additional keylength for the pairwise indep endent functions h and h is not

substantial esp ecially compared to the length of a truly random function Consider for example

the construction of SPPE when we use a truly random function f

Theorem Let h h P be pairwise independent permutations and let f F be a random

n n

function Dene S S h f f h as in Denition and let R P be a random permutation

n

Then for any oracle machine M not necessarily an ecient one that makes at most m queries

m m

n n RR SS

PrM PrM

n n

The pro of follows the framework describ ed in Section The set BADh h Denition

is replaced with the set BAD h h dened to b e

The set of al l possible and consistent M transcripts fhx y i hx y ig sat

m m

or h x isfying that there exist i j m such that either h x

j i

j j

R R

h y h y as before or there exist i j m such that h x h y

i j i j

j j j j

L L R L

In order to apply Theorem it is enough to note that by this denition we get that for any

nm

p ossible and consistent M transcripts b oth Pr T j BAD h h hence it

S S

m

is a prop er denition according to the framework and Pr BAD h h

n

h h

Relaxing the PairWise Indep endence Requirement

One might interpret the construction of Section in the following way given the task of construct

ing ecient pseudorandom p ermutations it is enough to concentrate on the ecient construction

of pseudorandom functions The assumption that supp orts such a claim is that the computation

of pseudorandom functions is much more exp ensive than the computation of pairwise indep en

dent p ermutations Therefore computing the value of the pseudorandom p ermutation that is

constructed in Section on any input of n bits is essentially equivalent to two invocations of a

pseudorandom function with nbit inputs In this section we show that we can use even weaker

p ermutations instead of the pairwise indep endent ones resulting in an even more ecient con

struction of pseudorandom p ermutations

As mentioned in Section the only place in Section we use the fact that h and h are pair

wise indep endent p ermutations is in the pro of of Prop osition In fact the exact requirement

on h and h we use is that for every x y

n n

Pr h x h y and Pr h x h y

j j j j

R R L L

h h

n n

Furthermore we can replace with any and still get a construction of pseudorandom

p ermutations with somewhat larger distinguishing probability Consider for example the revised

statement of Theorem

Theorem Let H and H be distributions of permutations in P such that for every pair of

n

nbit strings x y

Pr h x h y and Pr h x h y

j j j j

R R L L

h H h H

Let h be distributed according to H h distributed according to H and let f f F be random

n

functions Dene S S h f f h as in Denition and let R P be a random permu

n

tation Then for any oracle machine M not necessarily an ecient one that makes at most m

queries

m

n n RR SS

m PrM PrM

n

The pro of follows the framework describ ed in Section This time the denition of BADh h

stays unchanged and in order to apply Theorem we only need to note that for any p ossible

and consistent M transcript Pr BADh h m

h h

The conditions on H and H in Theorem are somewhat nonstandard since the requirements

are on half the bits of the output Nevertheless these conditions are satised by more traditional

requirements on functionfamilies In particular one can use the concept of AXU functions

Denition A distribution on I I functions or permutations H is AXU if for every

n n

x y and every z x y z I

n

Pr hx hy z

hH

This concept was originally dened by Carter and Wegman We use the terminology of Rogaway

It is easy to verify that the conditions on H and H in Theorem are satised if b oth H

n n

and H are AXU Such a distribution of p ermutations over I for

n

def

n

is h x a x where a is uniform in I n fg and the multiplication is in GF

a n

Another way to construct H and H is by using Feistel permutations with AXU functions

Let H b e a distribution of AXU functions on n bits strings then we can dene H to b e fD g

h hH

g The reason is that for every two dierent nbit strings x L R and and H to b e fD

hH

h

y L R and every function h F we have by denition that

n

D x D y hR hR L L

h h

j j

R R

If R R then L L and therefore D x D y otherwise by the denition of AXU

h h

j j

R R

functions

Pr D x D y Pr hR hR L L

h h

j j

R R

hH hH

Thus H satises its requirement and similarly for H

By using Feistel p ermutations to construct H and H we get the original LRConstruction as

n

a sp ecial case since a random function is in particular AXU Thus the pro of of security in

Section also holds for the original LRConstruction The idea of using AXU functions instead

of pseudorandom functions for the rst round of the LRConstruction was previously suggested

by Lucks

Another advantage of this approach is that it allows us to use many ecient constructions of

n

function families An example of ecient AXU functions are Vaziranis shiftfamily A

th

key of such a function is a uniformly chosen string a I and the j bit of f x j n

n a

P

n

is dened to b e x a mo d

i j i

i

A substantial amount of research deals with the construction of ecient

hash functions This line of work contains constructions that ob ey weaker denitions on function

families than pairwise indep endence and in particular contains constructions of AXU functions

Unfortunately these functions were designed to b e esp ecially ecient when their output is substan

tially smaller than their input since they were mainly brought up in the context of authentication

which is not true in our case but is relevant in Section An additional ob jective is to reduce the

size of the family of hash functions eg In our setting the purp ose of this is to reduce

the keylength of the pseudorandom p ermutations

Reducing the Distinguishing Probability

There are various circumstances where it is desirable to have a pseudorandom p ermutation on rela

tively few bits say This is esp ecially true when we want to minimize the size of the hardware

circuit that implements the p ermutation or the communication bandwidth with the hardware or

software comp onent that computes the p ermutation

Let F b e a pseudorandom p ermutation on bits note that n in Section constructed

from truly random functions on bits using the LRConstruction As shown by Patarin F

can b e distinguished with constant probability from a random p ermutation using O queries

which means that the analysis of the LRConstruction where the distinguishin g probability for

m

m queries is O is tight Therefore the LRConstruction on bits can only b e used if is

large enough to b ound the number of queries in the attack on the blo ck cipher

In this section a simple generalization of the construction of Section is presented Using this

construction the adversarys probability of distinguishing b etween the pseudorandom and random

m t

for every integer t for t we get p ermutations can b e reduced to roughly

t

the original construction To achieve this security t p ermutations are comp osed The initial

and nal are pairwise indep endent p ermutations the rest are generalized Feistel p ermutations

dened by I I random or pseudorandom functions see Figure for an illustration

t t

Patarin shows that if we take six rounds of the LRConstruction instead of three or four

then the resulting p ermutation cannot b e distinguished from a random p ermutation with advantage

m

b etter than improving This means that distinguishing the sixround construction from a

truly random p ermutation with constant probability requires at least queries The b ound

t

we achieve in this section is b etter for any t Note that our construction

uses pseudorandom functions with larger inputlength which might b e a disadvantage for some

applications

In order to describ e our generalized constructions we rst extend Feistel p ermutations to deal

with the case where the underlying functions have arbitrary input and output lengths instead of Input

h1

FFF1 2 3

f1

F2 F3 L 1

f2

FL3 1 L 2

f3

L 1 L 2 L 3

-1 h2

Output

Figure Construction of strong pseudorandom p ermutations with reduced distinguishing proba

bility using t rounds here t Recall f I I here f I I

i i

t t

lengthpreserving functions as in Denition We note that using such unbalanced Feistel

p ermutations was previously suggested in

Denition Generalized Feistel Permutations For any two positive integers s and

I let s and let D P be the permutation dened by and any function f I

s f

def

D L R R L f R where jLj s and jRj

f

We can now dene the revised construction and consider its security These are simple gener

alizations of the construction in Section and of its pro of of security

Denition t Round Construction For any integers t let s and r be integers

such that s t r where r t For any h h P f f f I I and

r s s

f f I I dene

r t s s

def

W h f f f D D D h

t f f f

t

t

and

def

D S h f f f h h h D D

f t f f

t

t

We get the construction of Denition by choosing t s and r

Theorem Let W and S be as in Denition where h h are pairwise independent

permutations and f f f are pseudorandom functions t is al lowed to be a function of h

t

h and f f f are independently chosen Then W is a pseudorandom permutation and S a

t

strong pseudorandom permutation

Furthermore assume that no ecient oraclemachine that makes at most m m queries

distinguishes between the pseudorandom functions and random functions for n Then no

ecient oraclemachine that makes at most m queries to W resp S and S distinguishes W

t m m

resp S from a random permutation for t

dte

In case the middle functions are truly random this reduces to

Theorem Let S be as in Denition where h and h are pairwise independent permuta

tions and f f f are random functions and let R P be a random permutation Then for

t

any oracle machine M not necessarily an ecient one that makes at most m queries

m t m

RR SS

PrM PrM

dte

The pro of of Theorem follows the framework describ ed in Section Assume for simplicity

that s t the set BADh h Denition is replaced with the set BAD h h dened to

b e

The set of al l possible and consistent M transcripts fhx y i hx y ig sat

m m

isfying that there exist i j m and k t such that

k t k k t k

F F L L F F L L

i i j j

i i j j

t t

F where F F F h x and L L L h y F

i i

i i i i i i i i

t t

F L L L s

i i i i

This guarantees that for any p ossible and consistent M transcript we have that Pr T

S S

m

j BAD h h and hence it is a prop er denition according to the framework

The reason is that under the notation ab ove

k t k k k

i y S x i m k t f F F L L F L

i i k

i i i i

i i

Therefore given any sp ecic choice of h and h in the denition of S such that BAD h h

s

the event T is comp osed of m t indep endent events each of which has probability to

S

happ en In order to apply Theorem it remains to note that for any such we have that

m m t

dte

Pr BAD h h t

dte

h h

Remark The construction of this section achieves a substantial improvement in security over

the construction in Section even for a smal l constant t that is with a few additional

applications of the pseudorandom functions Nevertheless it might be useful for some applications

to take a larger value of t Choosing t reduces the advantage the distinguisher may achieve to

m

roughly

SPPE on Many Blo cks Using PFE or PPE on a Single Blo ck

Consider the application of pseudorandom p ermutations to encryption ie using f M in order

to encrypt a message M where f is a pseudorandom p ermutation Assume also that we want

to use DES for this purp ose We now have the following problem while DES works on xed and

relatively small length strings we need a p ermutation on jM jbit long strings where the length of

the message jM j may b e large and may vary b etween dierent messages

This problem is not restricted to the usage of DES though the fact that DES was designed

for hardware implementation contributes to it Usually a direct construction of pseudorandom

p ermutations or pseudorandom functions if we want to employ the LRConstruction with large

inputlength is exp ensive Therefore we would like a way to construct pseudorandom p ermutations

or functions on many blocks from pseudorandom p ermutations or functions on a single block

Several such constructions were suggested in the context of DES see eg for the dierent

mo des of op eration for DES The simplest known as the electronic co deb o ok mo de ECBmo de

is to divide the input into subblo cks and to apply the pseudorandom p ermutation on each sub

blo ck separately This solution suers from the obvious drawback that every subblo ck of output

solely dep ends on a single subblo ck of input and in particular the p ermutation on the complete

input is not pseudorandom This may leak information ab out the message b eing encrypted see

further discussion in Section

In this section we consider a generalization of the construction of Section that uses pseudo

random functions or p ermutations on a single blo ck to construct strong pseudorandom p ermu

tations on many blo cks The idea is as follows apply a pairwise indep endent p ermutation on the

entire input divide the value you get into subblo cks and apply two rounds of Feistelpermutations

or one round of a pseudorandom p ermutation on each subblo ck separately nally apply a second

pairwise indep endent p ermutation on the entire value you get see Figure for an illustration

This solution resembles the ECBmo de it is almost as simple and it is highly suitable for

parallel implementation Contrary to the ECBmo de this construction do es give a pseudorandom

p ermutation on the entire message though the security parameter is still relative to the length of

a subblo ck Input

h1

f1 f1 f1

f2 f2 f2

-1 h2

Output

Figure Construction of a strong pseudorandom p ermutation on many six in this case blo cks

from a pseudorandom function on a single blo ck

For simplicity we only describ e the construction using truly random functions or a truly

random p ermutation The analysis of the construction when pseudorandom functions are used

follows easily In addition we restrict our attention to the construction of strong pseudorandom

p ermutations

b

Denition For any two integers b and s for any function g F let g F be the function

s bs

dened by

def

b

g x x x g x g x g x

b b

For any f f F and h h P dene

n nb

def

b b

h D D S h f f h h

f f

For any p P and h h P dene

n nb

def

b

S h p h h p h

Theorem Let h h P be pairwise independent permutations let f f F be random

nb n

functions and p P a random permutation Dene S S h f f h and S S h p h as

n

in Denition and let R P be a random permutation Then for any oracle machine M

nb

not necessarily an ecient one that makes at most m queries

m b m

nb nb RR SS

PrM PrM

n nb

and

m b

nb nb RR S S

PrM PrM

n

The pro of of Theorem for S follows the framework describ ed in Section The set BADh h

Denition is replaced with the set BAD h h dened to b e

The set of al l possible and consistent M transcripts fhx y i hx y ig such

m m

j

g or there are two equal val that either there are two equal values in fF

im j b

i

j

b b

L L h x and L F F ues in fL g where F

i im j b

i i i i i i

i

b b

L n L F L F h y F

i

i i i i i i

This guarantees that for any p ossible and consistent M transcript we have that

nbm

PrT j BAD h h

S

S

and hence it is a prop er denition according to the framework The reason is that under the

notation ab ove

j j j j j j

i y S x i m j b f F F L and f L F L

i i

i i i i i i

Therefore given any sp ecic choice of h and h in the denition of S such that BAD h h

n

the event T is comp osed of m b indep endent events each of which has probability to

S

happ en In order to apply Theorem it remains to note that for any such we have that

m b m b

n

Pr BAD h h

n

h h

The pro of of Theorem for S slightly deviates from the framework describ ed in Section

providing yet another evidence to the claim that nob o dy is p erfect The set BADh h

Denition is replaced with the set BAD h h dened to b e

The set of al l possible and consistent M transcripts fhx y i hx y ig such

m m

j

that either there are two equal values in fF g or there are two equal values

im j b

i

j

b b

in fL g where F F F h x and L L L h y

im j b i i

i i i i i i

i

b b

F F F L L L n

i i i i i i

Now we have that for any p ossible and consistent M transcript

m b m b

n

Pr BAD h h

n

h h

but now for any such

n

Pr T j BAD h h

S

n

m b

S

nbm

instead of as required by the framework However the dierence in probabilities is

rather small which result in only a minor deviation from the pro of of Theorem

Relaxing the Construction

As in Section we would like to reduce the requirements from h and h in Theorem Our

main motivation in doing so is to decrease the keylength of the pseudorandom p ermutations We

would like the keylength to b e of order n the length of the small subblo cks and not of order

nb the length of the complete input in some cases we may allow a small dep endence on b

We sketch a way to redene the distributions on h and h in the denition of S almost the

same ideas apply to the denition of S The requirement these distributions have to ob ey is that

BAD h h is small for any p ossible and consistent M transcript we have that Pr

h h

We use the following notation For any n bbit string z z z z such that j jz j n

b j

th

the substring z the i substring of z The requirement ab ove and for all i b denote by z

i

j

i

can b e achieved by sampling h and h according to a p ermutation distribution H such that for

n

some small we have that

For any n bbit string x i j b Pr hx hx and

hH

j j

i j

hx For any n bbit strings x x i j b Pr hx

hH

j j

j i

We start by dening a p ermutation distribution H that almost achieves this A p ermutation

h h sampled from H is dened by two AXU functions u I I and u I

n n

dlog be

u u

I see denition of AXU functions in Section For any z z z z such that

n b

j jz j n

j

def

z z u z u z u z u z u z u b z u b h

b b b b b

u u

It is not hard to verify that

h x h x and For any n bbit string x i j b Pr

h H

j j

i j

For any n bbit strings x x such that x x and for all i j b

j

b j

b

h x h x Pr

h H

j j

i j

In order to eliminate the additional requirement in that x x we dene the p ermutation

j

b j

b

distribution H such that a p ermutation h sampled from H is dened to b e h D see Denition

g

where h is sampled according to H and g I I is a AXU function Using and

n

nb

and the fact that for any n bbit strings x x

PrD x D x

g g

j j

b b

g

we get that H satises and for

Notice that the computation of a function h H is essentially equivalent to one computation

of an AXU function g I I and a few additional XOR op erations p er blo ck Using

n

nb

ecient constructions of AXU functions we get an ecient function h

m

AXU functions from m bits to bits with keybits Krawczyk shows a construction of

Using these functions we can achieve the desired goal of reducing the keylength of h to On bits

Related Work

The construction presented in this section is certainly not the only solution to the problem at hand

We refer in brief to some additional solutions

As mentioned ab ove DES mo des of op eration were suggested as a way of encrypting long mes

sages However none of these mo des constitutes a construction of a pseudorandom p ermutation

Note that when the encryption of a message M is f M for a pseudorandom p ermutation f then

the only information that is leaked on M is whether or not M is equal to a previously encrypted

message This is not true for DES mo des of op eration For instance when using the cipher blo ck

chaining mo de CBCmo de the encryptions of two messages with identical prex will also have an

identical prex The ECBmo de leaks even more information the existence of two identical sub

blo cks in two dierent encrypted messages or in a single message The reason that the ECBmo de

leaks so much information is that every ciphertextblo ck solely dep ends on a single plaintextblock

Our construction implies that only very little and noncryptographic diusion the p ermutations

h and h is required in order to overcome this aw of the ECBmo de

Bellare and Rogaway show how to convert the CBCmo de in order to construct a pseudo

random p ermutation with large inputlength this is the only place we are aware of that explicitly

refers to the problem The amount of work in their construction is comparable with two appli

cations of the original CBCmo de approximately twice the work of our construction assuming

that h and h are relatively ecient The security of this construction is of similar order to the

security of our construction In contrast to our construction as well as is sequential in

nature

A dierent approach is to dene a lengthpreserving pseudorandom function F on bits using a

lengthpreserving pseudorandom function F on bits where and then to apply our version

of the LRConstruction using F in order to get a pseudorandom permutation on bits The

function F can b e dened to b e G F h where h is a pairwise indep endent hash function from

bits to bits and G a pseudorandom bit generator from bits to bits This idea may b e

attributed in part to Carter and Wegman Anderson and Biham and Lucks show how

to directly apply similar ideas into the LRConstruction A comparison b etween this approach

and our construction relies on the sp ecic parameters of the dierent primitives that are used

In particular the parameters of the pseudorandom function F vs the pseudorandom generator

However as shown by Bellare et al the CBCmo de do es dene a construction of a pseudorandom function

with small output length A somewhat related solution to this problem is the so called cascade construction that is

considered by Bellare et al

G For instance for this approach to b e more ecient than our construction we need that one

application of G would b e more ecient than de applications of F

Reducing the Distinguishing Probability

All the constructions of a pseudorandom p ermutation on many blo cks from a pseudorandom

function or p ermutation on a single blo ck that are describ ed in this subsection including ours

have the following weakness If the length of a single blo ck is to o small eg bits then the

pseudorandom p ermutation on many blo cks is very weak even when the original pseudorandom

function or p ermutation is very secure eg completely random In the following few paragraphs

we discuss this problem and a way to overcome it

Consider the p ermutation S S h f f h as in Denition where h h P are

nb

pairwise indep endent p ermutations and f f F are random functions Our analysis of the

n

n

security of S Theorem fails when the number of queries that the adversary makes is b

n

in fact this analysis is tight Having b large enough forces a signicant restriction on n

Therefore a natural question is whether we can improve the security of the construction A sim

ple InformationTheoretic argument implies that all such constructions can b e distinguished from

n n

random using O b queries This follows from the fact that with O b queries the adversary

gets much more bits than the length of the p ermutations secretkey Hence the distribution of the

answers to these queries is statistically very dierent from uniform which allows an allp owerful

adversary to distinguish the p ermutation from random

In order to match this b ound we rst note that the somewhat high distinguishing probability of

S is due to its vulnerability to a birthdayattack on the length of a single blo ck An adversary that

n

makes b uniformly chosen queries to S will force a collision in the inputs to f or f with a

constant probability Such a collision fails our analysis and can indeed b e used to distinguish S from

uniform The solution lies in the following observation The problem of foiling birthdayattacks

when constructing a pseudorandom p ermutation on many blo cks can b e reduced to the problem

of foiling birthdayattacks when constructing a pseudorandom function or p ermutation on two

blo cks We demonstrate this using the Aiello and Venkatesan construction of pseudorandom

functions

Let f and f b e two indep endent copies of the pseudorandom functions on n bits we get

when using truly random functions on n bits in the construction of Aiello and Venkatesan By

n

distinguishing each f from a truly random function with constant probability requires

i

queries Let h and h P b e pairwise indep endent p ermutations and let the p ermutation

nb

S S h f f h b e as in Theorem for the parameters n n and b b We now get

n

that distinguishing S from random with constant probability requires O b queries which is

optimal

Constructions of k Wise Dep endent Permutations

In this section we summarize the connection b etween the various constructions of this pap er and

the task of obtaining k wise dep endent p ermutations As mentioned in Section Schnorr

suggested using the LRConstruction with truly random functions in order to get a pseudo

random generator that is secure as long as not to o many bits of its output are accessible to the

adversary This idea is further treated by Maurer and Massey Maurer suggested to

replace the truly random functions with what he calls lo cally random or almost random functions

In the terminology of k wise indep endence these ideas can b e interpreted as a way of using the

LRConstruction in order to obtain k wise dep endent p ermutations from k wise dep endent

functions as long as k is not to o large Theorem in implies that

when k wise dependent functions are used instead of pseudorandom functions in the

n

LRConstruction the result is a k wise dependent permutations for O k

Similar observations apply to the dierent constructions of our pap er as discussed in this section

Corollary to Theorem Let h h P be pairwise independent permutations and let

n

f f F be k wise dependent functions Then S S h f f h as in Denition is a

n

k wise dependent permutation for

k k

def

n n

Pro of Let S S P have the following distributions

n

S S h g f h where h h P are pairwise indep endent f F a k wise

n n

dep endent function and g F a truly random function

n

S S h g g h where h h P are pairwise indep endent and g g F are truly

n n

random functions

and let R P b e a truly random p ermutation It is enough to show that for every k strings of

n

nbits x x x we have

k

k hS x S x S x i hS x S x S x i k

k k

k hS x S x S x i hS x S x S x i k

k k

k k

k hS x S x S x i hRx Rx Rx i k

n

n k k

th

The reason holds is that if we dene an oracle machine M such that its i query is always

x and such that

i

C fhx y i hx y i hx y ig

M k k

PrhS x S x i hy y i PrhRx Rx i hy y i

k k k k

we get by the denition of variation distance and from Theorem that

k hS x S x S x i hRx Rx Rx i k

k k

n n RR S S

PrM PrM

k k

n n

and hold by the denition of k wise dep endent functions For example if

k hS x S x S x i hS x S x S x i k

k k

then we can x h h P and f F in the denition of b oth S and S such that the inequality

n n

still holds This denes k strings of nbits z z z not necessarily all dierent and a function

k

V for which

hS x S x S x i V hf z f z f z i and

k k

hS x S x S x i V hg z g z g z i

k k

We get a contradiction since for any function V

kV hf z f z f z i V hg z g z g z ik

k k

khf z f z f z i hg z g z g z ik

k k

2

In a similar way we get the following two Corollaries from the constructions of Sections

Corollary to Theorem Let S be as in Denition where h and h are pairwise

independent permutations and f f f are k wise dependent functions Then S is a k wise

t

dependent permutation for

k k t

def

t

dte

Corollary to Theorem Let h h P be pairwise independent permutations let

nb

f f F be b k wise dependent functions and let p P be a b k wise dependent

n n

permutation Dene S S h f f h and S S h p h as in Denition Then S is a

k wise dependent permutation for

k k b

def

n nb

and S is a k wise dependent permutation for

k b

def

n

By taking t in Corollary we get a simple construction of a k wise dep endent p ermu

k

tation on bits for as close to as we wish This construction requires applications of

k wise dep endent functions from bits to a single bit An interesting question is to nd a

simple construction of k wise dep endent p ermutations for an arbitrarily smal l and an arbitrary

k

An old prop osal by the rst author see page is to apply a card shuing pro cedure

that requires only few rounds and is oblivious in the sense that the lo cation of a card after each

round dep ends on a few random decisions The sp ecic card shuing for which this idea is describ ed

in was suggested by Aldous and Diaconis Unfortunately to the b est of our knowledge this

pro cedure was never proven to give with few rounds an almost uniform ordering of the cards

Nevertheless we briey describ e it in order to demonstrate the concept of an oblivious card shuing

and the way that such a pro cedure can b e used to construct a k wise dep endent p ermutation

Finally we describ e the main idea in the denition of another oblivious card shuing for which we

can prove that only few rounds are needed

Each round shue in a card shuing pro cedure is a p ermutation on the lo cations of the N

def

cards of a deck ie a p ermutation on the set N f N g In the case of the Aldous and

Diaconis card shuing each such p ermutation is dened by a uniformly chosen N bit string

r r r r Denote this p ermutation by then

r

N

i i i N i if r

r r i

i N

i i i N i otherwise

r r

Ie the cards at lo cations i and i N move to lo cations i and i and their internal order

is uniformlychosen indep endently of all other choices Note that x evaluating x or x

r

r

requires the knowledge of a single bit of r and therefore this card shuing is indeed oblivious

def

s

s

Consider s rounds of the card shuing describ ed ab ove s s

r

r r r r

s s

where fr r g are uniformlydistributed and indep endent of each other If is of statisti

cal distance at most from a uniform p ermutation then we can construct a k wise dep endent

s s

p ermutation for as follows simply take the p ermutation to b e s rounds

s

s

s where the s N bits of fr r g are the outputs of a k swise

r

r r

s

dependent Binaryfunction f Evaluating or its inverse at a given p oint consists of s invoca

s

tions of f Therefore an interesting problem is to show that is of exp onentiallysmall statistical

distance from a uniform p ermutation for a small value of s In it is conjectured that this can

b e shown for s O log N While this conjecture is to the b est of our knowledge still op en we

can show a dierent card shuing pro cedure for which it can b e proven that O log N rounds

are sucient This card shuing is dened in a recursive manner Split the deck into two halves

lo cations f N g and lo cations fN N g apply the card shuing recursively on each

half of the deck and merge the two now shued halves in an almost uniform way A p ermutation

M on N is a merge if for every i and j such that i j N or N i j N

we have that M i M j An oblivious in the same meaning as ab ove merging pro cedure can

also b e dened recursively but since the construction is rather cumbersome we omit its description

This direction may b ecome attractive given an ecient and simple merging pro cedure

A dierent direction to solving the problem of constructing k wise dep endent p ermutations

is to try and generalize the algebraic construction of pairwise indep endent p ermutations Leonard

Schulman private communication suggested such a generalization that yields wise indep endent

p ermutations Hes suggestion is to use sharply transitive p ermutation groups A p ermutation

group over the set n f ng is a subgroup of the symmetric group S A p ermutation group

n

G over n is k transitive if for every two k tuples fa a g and fb b g of distinct elements

k k

of n there exist a p ermutation G such that i k a b A p ermutation group

i i

G over n is sharply k transitive if for every two such tuples there exists exactly one p ermutation

G such that i k a b A sharply k transitive p ermutation group is in particular

i i

k wise indep endent and indeed the algebraic construction of pairwise indep endent p ermutations

use a sharply transitive p ermutation group containing all the linear p ermutations Schulman

suggested to use the fact that there are known constructions of sharply transitive p ermutation

groups However this approach cannot b e generalized to larger values of k from the classication

of nite simple groups it follows that for k there are no k transitive groups over n other than

the symmetric group S and the alternating group A and there are only few such groups for k

n n

and k see One should b e careful not to interpret this as implying that for k there

are no ecient algebraic constructions of k wise indep endent p ermutations It is however justied

to deduce that for k any small family of k wise indep endent p ermutations is not a p ermutation

group ie is not closed under comp osition and inverse

Conclusion and Further Work

The constructions describ ed in Sections are optimal in their cryptographic work in the sense

that the total number of bits on which the cryptographic functions are applied on is exactly the

number of bits in the input Therefore it seems that in order to achieve the goal of constructing

ecient blo ckciphers it is sucient to concentrate on the construction of ecient pseudorandom

functions The depth of the constructions on the other hand is twice the depth of the cryptographic

functions It is an interesting question whether there can b e a construction of similar depth The

goal of reducing the depth is even more signicant in the case of the t round construction in

Section A dierent question is nding a simple construction of k wise dep endent p ermutations

for an arbitrarily smal l and an arbitrary k This question is discussed in Section

Acknowledgments

We thank Ran Canetti Oded Goldreich Jo e Kilian Kobbi Nissim and Benny Pinkas for many

helpful discussions and for their diligent reading of the pap er We thank the anonymous referees for

their many helpful comments It is dicult to overestimate Odeds contribution to the presentation

of this pap er

References

W Aiello and R Venkatesan Foiling Birthday Attacks in LengthDoubling Transformations Advances in

Cryptology EUROCRYPT Lecture Notes in Computer Science SpringerVerlag pp

D Aldous and P Diaconis Strong uniform times and nite random walks Advances in Applied Mathe

matics vol pp

N Alon L Babai and A Itai A fast and simple randomized parallel algorithm for the maximal inde

p endent set problem J Algorithms vol pp

N Alon O Goldreich J Hastad and R Peralta Simple constructions for almost k wise indep endent

random variables Random Structures and Algorithms vol pp

R Anderson and E Biham Two practical and provably secure blo ck ciphers BEAR and LION Proc

Fast Software Encryption Lecture Notes in Computer Science vol SpringerVerlag pp

M Bellare R Canetti and H Krawczyk Pseudorandom functions revisited the cascade construction

Proc th IEEE Symp on Foundations of Computer Science pp

M Bellare O Goldreich and S Goldwasser Incremental cryptography the case of hashing and signing

Advances in Cryptology CRYPTO Lecture Notes in Computer Science vol SpringerVerlag

pp

M Bellare J Kilian and P Rogaway The security of cipher blo ck chaining Advances in Cryptology

CRYPTO Lecture Notes in Computer Science vol SpringerVerlag pp

M Bellare and P Rogaway Blo ck cipher mo de of op eration for secure lengthpreserving encryption

manuscript in preparation

M Blum and S Micali How to generate cryptographically strong sequence of pseudorandom bits

SIAM J Comput vol pp

G Brassard Mo dern cryptology Lecture Notes in Computer Science vol SpringerVerlag

P J Cameron Finite p ermutation groups and nite simple groups Bul l London Math Soc vol

pp

L Carter and M Wegman Universal hash functions J of Computer and System Sciences vol

pp

B Chor and O Goldreich On the p ower of twopoint based sampling J Complexity vol

pp

S Even and Y Mansour A construction of a cipher from a single pseudorandom p ermutation To

app ear in J of Cryptology Preliminary version in Advances in Cryptology ASIACRYPT Lecture

Notes in Computer Science SpringerVerlag

O Goldreich Foundations of cryptography fragments of a b o ok Electronic publica

tion httpwwwecccunitrierdeecccinfoECCCBooksecccb o okshtml Electronic Collo quium on

Computational Complexity

O Goldreich S Goldwasser and S Micali How to construct random functions J of the ACM vol

pp

O Goldreich S Goldwasser and S Micali On the cryptographic applications of random functions

Advances in Cryptology CRYPTO Lecture Notes in Computer Science vol SpringerVerlag

pp

O Goldreich and A Wigderson Tiny families of functions with random prop erties a qualitysize

tradeo for hashing Proc th ACM Symp on Theory of Computing pp

S Halevi and H Krawczyk MMH message authentication in software in the Gbitsecond rates Proc

Fast Software Encryption Lecture Notes in Computer Science SpringerVerlag

J Hastad R Impagliazzo L A Levin and M Luby Construction of a pseudorandom generator from

any oneway function To app ear in SIAM J Comput Preliminary versions by Impagliazzo et al in st

STOC and Hastad in nd STOC

J Kilian and P Rogaway How to protect DES against exhaustive key search Advances in Cryptology

CRYPTO pp

T Koren On the construction of pseudorandom block ciphers MSc Thesis in Hebrew CS Dept

Technion Israel May

H Krawczyk LFSRbased hashing and authentication Advances in Cryptology CRYPTO Lecture

Notes in Computer Science vol SpringerVerlag pp

M Luby A simple parallel algorithm for the maximal indep endent set problem SIAM J Comput

vol pp

M Luby Pseudorandomness and applications Princeton University Press

M Luby and C Racko How to construct pseudorandom p ermutations and pseudorandom functions

SIAM J Comput vol pp

S Lucks Faster LubyRacko ciphers Proc Fast Software Encryption Lecture Notes in Computer

Science vol SpringerVerlag pp

U M Maurer A simplied and generalized treatment of LubyRacko pseudorandom p ermutation

generators Advances in Cryptology EUROCRYPT Lecture Notes in Computer Science Springer

Verlag pp

U M Maurer and J L Massey Lo cal randomness in pseudorandom sequences J of Cryptology

vol SpringerVerlag pp

J Naor and M Naor Smallbias probability spaces ecient constructions and applications SIAM J

Comput vol pp

M Naor and O Reingold Synthesizers and their application to the parallel construction of pseudo

random functions Proc th IEEE Symp on Foundations of Computer Science pp

National Bureau of Standards Data encryption standard Federal Information Processing Standard

US Department of Commerce FIPS PUB Washington DC

Y Ohnishi A study on data security Master Thesis in Japanese Tohuku University Japan

J Patarin Pseudorandom p ermutations based on the DES scheme Proc of EUROCODE Lecture

Notes in Computer Science SpringerVerlag pp

J Patarin New results on pseudorandom p ermutation generators based on the DES scheme Advances

in Cryptology CRYPTO Lecture Notes in Computer Science SpringerVerlag pp

J Patarin How to construct pseudorandom and sup er pseudorandom p ermutations from one single

pseudorandom function Advances in Cryptology EUROCRYPT Lecture Notes in Computer Sci

ence SpringerVerlag pp

J Patarin Improved security b ounds for pseudorandom p ermutations To app ear in th ACM Con

ference on Computer and Communications Security

J Pieprzyk How to construct pseudorandom p ermutations from single pseudorandom functions Ad

vances in Cryptology EUROCRYPT Lecture Notes in Computer Science vol SpringerVerlag

pp

D J S Robinson A course in the theory of groups nd ed New York SpringerVerlag

P Rogaway Bucket hashing and its application to fast message authentication Advances in Cryptology

CRYPTO Lecture Notes in Computer Science vol SpringerVerlag pp

S Rudich Limits on the provable consequences of oneway functions PhD Thesis U C Berkeley

R A Ruepp el On the security of Schnorrs pseudo random generator Advances in Cryptology EU

ROCRYPT Lecture Notes in Computer Science SpringerVerlag pp

B Sadeghiyan and J Pieprzyk On necessary and sucient conditions for the construction of su

p er pseudorandom p ermutations Abstracts of ASIACRYPT Lecture Notes in Computer Science

SpringerVerlag pp

B Sadeghiyan and J Pieprzyk A construction for sup er pseudorandom p ermutations from a single

pseudorandom function Advances in Cryptology EUROCRYPT Lecture Notes in Computer Sci

ence SpringerVerlag pp

B Schneier and J Kelsey Unbalanced Feistel networks and blo ck cipher design Proc Fast Software

Encryption Lecture Notes in Computer Science vol SpringerVerlag pp

C P Schnorr On the construction of random number generators and random function generators

Advances in Cryptology EUROCRYPT Lecture Notes in Computer Science vol Springer

Verlag pp

D Stinson Universal hashing and authentication co des Designs Codes and Cryptography vol

pp

U V Vazirani Randomness adversaries and computation PhD Thesis U C Berkeley

M Wegman and L Carter New hash functions and their use in authentication and set equality J of

Computer and System Sciences vol pp

A C Yao Theory and applications of trap do or functions Proc rd IEEE Symp on Foundations of

Computer Science pp

Y Zheng T Matsumoto and H Imai Imp ossibility and optimality results on constructing pseudoran

dom p ermutations Advances in Cryptology EUROCRYPT Lecture Notes in Computer Science

vol SpringerVerlag pp