Beyond-birthday secure domain-preserving PRFs from a single permutation

  • Chun Guo
  • Yaobin Shen
  • Lei Wang
  • Dawu Gu


This paper revisits the fundamental cryptographic problem of building pseudorandom functions (PRFs) from pseudorandom permutations (PRPs). We prove that SUMPIP, i.e. \(P \oplus P^{-1}\), the sum of a PRP and its inverse, and EDMDSP, the single-permutation variant of the “dual” of the Encrypted Davies–Meyer scheme introduced by Mennink and Neves (CRYPTO 2017), are secure PRFs up to \(2^{2n/3}/n\) adversarial queries. To the best of our knowledge, SUMPIP is the first parallelizable, single-permutation-based, domain-preserving, beyond-birthday-secure PRP-to-PRF conversion method.
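The two constructions named in the abstract, as an added toy model that is not code from the paper or its authors. It builds a constructed random permutation on 8-bit strings (standing in for a block cipher under a fixed key), evaluates SUMPIP(x) = P(x) ⊕ P^{-1}(x) from the abstract, and evaluates EDMDSP under the assumption that it is the dual-EDM formula P2(P1(x)) ⊕ P1(x) of Mennink and Neves with both permutations set to the same P; the abstract itself does not spell that formula out. The collision counter is the classic PRP-versus-PRF distinguishing statistic (a permutation never collides on distinct inputs, a random function does), and the last helper compares, in log2, the birthday bound at which a bare PRP is distinguishable with the abstract's 2^{2n/3}/n bound for the two constructions.

```python
# Toy model of the SUMPIP and EDMDSP PRP-to-PRF conversions (added example,
# not the paper's code).  Everything runs over a constructed 8-bit permutation.
import math
import random
from typing import Callable, Dict, List, Tuple

N_BITS = 8                      # toy block size; the real setting is n = 128
DOMAIN = 1 << N_BITS            # 256 inputs, so the whole domain can be enumerated


def make_permutation(seed: int, n_bits: int = N_BITS) -> Tuple[List[int], List[int]]:
    """Return (P, P_inv) as lookup tables for a constructed random permutation.
    Seeded so that runs are repeatable; stands in for a keyed block cipher."""
    rng = random.Random(seed)
    table = list(range(1 << n_bits))
    rng.shuffle(table)
    inv = [0] * len(table)
    for x, y in enumerate(table):
        inv[y] = x
    return table, inv


def sumpip(P: List[int], P_inv: List[int], x: int) -> int:
    """SUMPIP(x) = P(x) xor P^{-1}(x), as defined in the abstract.  The two
    permutation calls are independent (parallelizable) and input and output
    are both n bits (domain-preserving)."""
    return P[x] ^ P_inv[x]


def edmdsp(P: List[int], x: int) -> int:
    """EDMDSP(x) = P(P(x)) xor P(x).  Assumption: dual-EDM formula
    P2(P1(x)) xor P1(x) with P1 = P2 = P; not stated on the page."""
    y = P[x]
    return P[y] ^ y


def count_output_collisions(f: Callable[[int], int], domain: int = DOMAIN) -> int:
    """Number of unordered pairs x != x' with f(x) == f(x') over the domain.
    A permutation always gives 0; a random function on 2**n points gives about
    2**n / 2.  This is the standard PRP-vs-PRF distinguishing statistic."""
    seen: Dict[int, int] = {}
    for x in range(domain):
        y = f(x)
        seen[y] = seen.get(y, 0) + 1
    return sum(c * (c - 1) // 2 for c in seen.values())


def log2_query_bounds(n: int) -> Tuple[float, float]:
    """log2 of query counts: the birthday bound 2**(n/2) at which a bare PRP
    stops looking like a PRF, and the abstract's 2**(2n/3)/n bound for
    SUMPIP and EDMDSP."""
    return n / 2, 2 * n / 3 - math.log2(n)


def demo(seed: int = 2018) -> Dict[str, int]:
    """Collision counts for the bare PRP and for the two conversions."""
    P, P_inv = make_permutation(seed)
    assert all(P_inv[P[x]] == x for x in range(DOMAIN))   # inverse table sanity check
    return {
        "prp": count_output_collisions(lambda x: P[x]),
        "sumpip": count_output_collisions(lambda x: sumpip(P, P_inv, x)),
        "edmdsp": count_output_collisions(lambda x: edmdsp(P, x)),
    }


if __name__ == "__main__":
    print(demo())                 # prp is 0; sumpip and edmdsp are positive
    print("log2 query bounds for n = 128 (birthday, 2^(2n/3)/n):", log2_query_bounds(128))
```

For n = 128 the helper returns 64 for the birthday bound and about 78.3 for the abstract's bound, which is the "beyond-birthday" gap the paper is about; the toy collision counts only illustrate that the conversions behave like functions rather than permutations, not the bound itself.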


Keywords

PRP-to-PRF · Beyond birthday bound · Domain preserving

Mathematics Subject Classification

94A60 · 68P25



We thank the reviewers of EUROCRYPT & CRYPTO 2018 for invaluable comments. Chun Guo is a postdoc in ICTEAM/ELEN/Crypto Group, Université Catholique de Louvain, and his work is funded in part by the ERC project 724725 (acronym SWORD). Many thanks to François-Xavier Standaert for the invaluable support. Yaobin Shen, Lei Wang and Dawu Gu are supported by National Natural Science Foundation of China (61602302, 61472250, 61672347), Natural Science Foundation of Shanghai (16ZR1416400), Shanghai Excellent Academic Leader Funds (16XD1401300), 13th five-year National Development Fund of Cryptography (MMJJ20170114).


  1. Babai L.: The Fourier transform and equations over finite Abelian groups: an introduction to the method of trigonometric sums (lecture notes), Version 1.3, Section 4.
  2. Bellare M., Impagliazzo R.: A tool for obtaining tighter security analyses of pseudorandom function based constructions, with applications to PRP to PRF conversion. Cryptology ePrint Archive, Report 1999/024 (1999).
  3. Bellare M., Desai A., Jokipii E., Rogaway P.: A concrete security treatment of symmetric encryption. In: Proceedings, 38th Annual Symposium on Foundations of Computer Science, pp. 394–403. IEEE (1997).
  4. Bellare M., Krovetz T., Rogaway P.: Luby–Rackoff backwards: increasing security by making block ciphers non-invertible. In: Nyberg K. (ed.) Advances in Cryptology-EUROCRYPT’98, LNCS, vol. 1403, pp. 266–280. Springer, Berlin (1998).
  5. Bellare M., Kilian J., Rogaway P.: The security of the cipher block chaining message authentication code. J. Comput. Syst. Sci. 61(3), 362–399 (2000).
  6. Bellare M., Rogaway P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay S. (ed.) Advances in Cryptology-EUROCRYPT 2006, LNCS, vol. 4004, pp. 409–426. Springer, Berlin (2006).
  7. Bhattacharya S., Nandi M.: Full indifferentiable security of the XOR of two or more random permutations using the \(\chi ^2\) method. In: EUROCRYPT 2018, Part I, pp. 387–412 (2018).
  8. Bogdanov A., Knudsen L.R., Leander G., Paar C., Poschmann A., Robshaw M.J.B., Seurin Y., Vikkelsoe C.: PRESENT: an ultra-lightweight block cipher. In: Paillier P., Verbauwhede I. (eds.) Cryptographic Hardware and Embedded Systems-CHES 2007, LNCS, vol. 4727, pp. 450–466. Springer, Berlin (2007).
  9. Borghoff J., Canteaut A., Güneysu T., Kavun E., Knezevic M., Knudsen L.R., Leander G., Nikov V., Paar C., Rechberger C., Rombouts P., Thomsen S., Yalçın T.: PRINCE-a low-latency block cipher for pervasive computing applications. In: Wang X., Sako K. (eds.) Advances in Cryptology-ASIACRYPT 2012, LNCS, vol. 7658, pp. 208–225. Springer, Berlin (2012).
  10. Chen S., Steinberger J.: Tight security bounds for key-alternating ciphers. In: Nguyen P.Q., Oswald E. (eds.) Advances in Cryptology-EUROCRYPT 2014, LNCS, vol. 8441, pp. 327–350. Springer, Berlin (2014).
  11. Chen S., Lampe R., Lee J., Seurin Y., Steinberger J.: Minimizing the two-round Even–Mansour cipher. In: Garay J.A., Gennaro R. (eds.) Advances in Cryptology-CRYPTO 2014, Part I, LNCS, vol. 8616, pp. 39–56. Springer, Berlin (2014).
  12. Cogliati B., Seurin Y.: Beyond-birthday-bound security for tweakable Even–Mansour ciphers with linear tweak and key mixing. In: Iwata T., Cheon J.H. (eds.) Advances in Cryptology-ASIACRYPT 2015, Part II, LNCS, vol. 9453, pp. 134–158. Springer, Berlin (2015).
  13. Cogliati B., Seurin Y.: EWCDM: an efficient, beyond-birthday secure, nonce-misuse resistant MAC. In: Robshaw M., Katz J. (eds.) Advances in Cryptology-CRYPTO 2016, Part I, LNCS, vol. 9814, pp. 121–149. Springer, Berlin (2016).
  14. Cogliati B., Seurin Y.: Analysis of the single-permutation encrypted Davies–Meyer construction. Des. Codes Cryptogr. (2018).
  15. Cogliati B., Lampe R., Patarin J.: The indistinguishability of the XOR of \(k\) permutations. In: Cid C., Rechberger C. (eds.) FSE 2014, LNCS, vol. 8540, pp. 285–302. Springer, Berlin (2014).
  16. Dai W., Hoang V.T., Tessaro S.: Information-theoretic indistinguishability via the chi-squared method. In: Katz J., Shacham H. (eds.) CRYPTO 2017, Part III, LNCS, vol. 10403, pp. 497–523. Springer, Berlin (2017).
  17. Dodis Y., Pietrzak K., Puniya P.: A new mode of operation for block ciphers and length-preserving MACs. In: Smart N. (ed.) Advances in Cryptology-EUROCRYPT 2008, LNCS, vol. 4965, pp. 198–219. Springer, Berlin (2008).
  18. Dodis Y., Reyzin L., Rivest R.L., Shen E.: Indifferentiability of permutation-based compression functions and tree-based modes of operation, with applications to MD6. In: Dunkelman O. (ed.) Fast Software Encryption-FSE 2009, LNCS, vol. 5665, pp. 104–121. Springer, Berlin (2009).
  19. Dziembowski S., Pietrzak K.: Leakage-resilient cryptography. In: 49th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2008, 25–28 October, 2008, Philadelphia, PA, pp. 293–302 (2008).
  20. Gilboa S., Gueron S.: The advantage of truncated permutations (2012). arXiv:1610.02518.
  21. Hall C., Wagner D., Kelsey J., Schneier B.: Building PRFs from PRPs. In: Krawczyk H. (ed.) Advances in Cryptology-CRYPTO’98, LNCS, vol. 1462, pp. 370–389. Springer, Berlin (1998).
  22. Hoang V.T., Tessaro S.: Key-alternating ciphers and key-length extension: exact bounds and multi-user security. In: Robshaw M., Katz J. (eds.) Advances in Cryptology-CRYPTO 2016, Part I, LNCS, vol. 9814, pp. 3–32. Springer, Berlin (2016).
  23. Kiltz E., Pietrzak K., Szegedy M.: Digital signatures with minimal overhead from indifferentiable random invertible functions. In: Canetti R., Garay J.A. (eds.) Advances in Cryptology-CRYPTO 2013, LNCS, vol. 8042, pp. 571–588. Springer, Berlin (2013).
  24. Luby M., Rackoff C.: Pseudo-random permutation generators and cryptographic composition. In: Proceedings of the Eighteenth Annual ACM Symposium on Theory of Computing, STOC’86, ACM, New York, NY, pp. 356–363 (1986).
  25. Lucks S.: The sum of PRPs is a secure PRF. In: Preneel B. (ed.) EUROCRYPT 2000, LNCS, vol. 1807, pp. 470–484. Springer, Berlin (2000).
  26. Mandal A., Patarin J., Nachef V.: Indifferentiability beyond the birthday bound for the XOR of two public random permutations. In: Gong G., Gupta K.C. (eds.) Progress in Cryptology-INDOCRYPT 2010, LNCS, vol. 6498, pp. 69–81. Springer, Berlin Heidelberg (2010).
  27. Maurer U., Pietrzak K.: The security of many-round Luby–Rackoff pseudo-random permutations. In: Biham E. (ed.) Advances in Cryptology-EUROCRYPT 2003, LNCS, vol. 2656, pp. 544–561. Springer, Berlin (2003).
  28. Maurer U., Renner R., Holenstein C.: Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology. In: Naor M. (ed.) TCC 2004, LNCS, vol. 2951, pp. 21–39. Springer, Berlin (2004).
  29. Mennink B., Neves S.: Encrypted Davies–Meyer and its dual: towards optimal security using mirror theory. In: Katz J., Shacham H. (eds.) Advances in Cryptology-CRYPTO 2017, Part III, LNCS, vol. 10403, pp. 556–583. Springer, Berlin (2017).
  30. Mennink B., Neves S.: Optimal PRFs from blockcipher designs. IACR Trans. Symmetric Cryptol. 2017(3), 228–252 (2017).
  31. Mennink B., Preneel B.: Hash functions based on three permutations: a generic security analysis. In: Safavi-Naini R., Canetti R. (eds.) Advances in Cryptology-CRYPTO 2012, LNCS, vol. 7417, pp. 330–347. Springer, Berlin (2012).
  32. Mennink B., Preneel B.: On the XOR of multiple random permutations. In: Malkin T., Kolesnikov V., Lewko A.B., Polychronakis M. (eds.) ACNS 2015, LNCS, vol. 9092, pp. 619–634. Springer, Berlin (2015).
  33. Patarin J.: Security of random Feistel schemes with 5 or more rounds. In: Franklin M. (ed.) Advances in Cryptology-CRYPTO 2004, LNCS, vol. 3152, pp. 106–122. Springer, Berlin (2004).
  34. Patarin J.: A proof of security in \(O(2^n)\) for the XOR of two random permutations. In: Safavi-Naini R. (ed.) Information Theoretic Security-ICITS 2008, LNCS, vol. 5155, pp. 232–248. Springer, Berlin (2008).
  35. Patarin J.: The “Coefficients H” technique. In: Avanzi R.M., Keliher L., Sica F. (eds.) Selected Areas in Cryptography-SAC 2008, LNCS, vol. 5381, pp. 328–345. Springer, Berlin (2009).
  36. Patarin J.: Introduction to mirror theory: analysis of systems of linear equalities and linear non equalities for cryptography. Cryptology ePrint Archive, Report 2010/287 (2010).
  37. Patarin J.: Security in \(O(2^n)\) for the XOR of two random permutations. Proof with the standard H technique. Cryptology ePrint Archive, Report 2013/368 (2013).
  38. Steinberger J.: The sum-capture problem for Abelian groups (2014). arXiv:1309.5582.

Copyright information

© Springer Science+Business Media, LLC, part of Springer Nature 2018

Authors and Affiliations

  1. ICTEAM/ELEN/Crypto Group, Université Catholique de Louvain, Louvain, Belgium
  2. Shanghai Jiao Tong University, Shanghai, China
  3. Westone Cryptologic Research Center, Beijing, China
