Abstract
We will present two new and simple theorems that show that when we compose permutation generators with independent keys, the “quality” of CCA security increases. These theorems (Theorems 2 and 5 of this paper) are written in terms of H-coefficients (which are nothing else, up to some normalization factors, than transition probabilities). Then we will use these theorems on the classical analysis of Random Feistel Schemes (i.e. Luby-Rackoff constructions) and we will compare the results with the coupling technique. Finally, we will show an interesting difference between 5-round and 6-round Random Feistel Schemes. With 5 rounds on 2n bits \(\rightarrow 2n\) bits, when the number q of queries satisfies \(\sqrt{2^n} \ll q \ll 2^n\), we have some “holes” in the H-coefficient values, i.e. some H values are much smaller than the average value of H. This property for 5 rounds does not exist any more on 6 rounds.
References
Chen, S., Steinberger, J.: Tight security bounds for key-alternating ciphers. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 327–350. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_19
Cogliati, B., Patarin, J., Seurin, Y.: Security amplification for the composition of block ciphers: simpler proofs and new results. In: Joux, A., Youssef, A. (eds.) SAC 2014. LNCS, vol. 8781, pp. 129–146. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13051-4_8
Hoang, V.T., Rogaway, P.: On generalized Feistel networks. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 613–630. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_33
Hoang, V.T., Tessaro, S.: Key-alternating ciphers and key-length extension: exact bounds and multi-user security. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 3–32. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_1
Lampe, R., Patarin, J., Seurin, Y.: An asymptotically tight security analysis of the iterated Even-Mansour cipher. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 278–295. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_18
Lampe, R., Seurin, Y.: Tweakable blockciphers with asymptotically optimal security. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 133–151. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43933-3_8
Lampe, R., Seurin, Y.: Security analysis of key-alternating Feistel ciphers. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 243–264. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46706-0_13
Luby, M., Rackoff, C.: How to construct pseudo-random permutations from pseudo-random functions. SIAM J. Comput. 17, 373–386 (1988)
Maurer, U.: Indistinguishability of random systems. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 110–132. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_8
Maurer, U., Pietrzak, K.: The security of many-round Luby-Rackoff pseudo-random permutations. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 544–561. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_34
Maurer, U., Pietrzak, K.: Composition of random systems: when two weak make one strong. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 410–427. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24638-1_23
Maurer, U., Pietrzak, K., Renner, R.: Indistinguishability amplification. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 130–149. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_8
Mironov, I.: (Not so) random shuffles of RC4. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 304–319. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_20
Morris, B., Rogaway, P., Stegers, T.: How to encipher messages on a small domain. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 286–302. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_17
Myers, S.: Black-box composition does not imply adaptive security. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 189–206. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_12
Patarin, J.: Étude des Générateurs de Permutations Pseudo-aléatoires basés sur le schéma du D.E.S., Ph.D., November 1991
Patarin, J.: The “coefficients H” technique. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 328–345. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04159-4_21
Patarin, J.: Security of balanced and unbalanced Feistel schemes with linear non equalities. Cryptology ePrint Archive: Report 2010/293 (2010)
Pietrzak, K.: Composition does not imply adaptive security. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 55–65. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_4
Tessaro, S.: Security amplification for the cascade of arbitrarily weak PRPs: tight bounds via the interactive hardcore lemma. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 37–54. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19571-6_3
Appendices
A An Exact Formula for the H-coefficient for \(\varPsi ^k, 1 \le k \le 5\)
The aim of this Appendix A is to prove Theorem 16, i.e. to obtain an exact formula H for \(\varPsi ^5\). (A similar formula was already mentioned in [18]). We will need this Theorem 16 in Appendix B.
Definition of \(\varPsi ^k\)
We recall the definition of the balanced Feistel Schemes, i.e. the classical Feistel schemes. Let \(\mathcal {P}_{2n}\) be the set of all permutations from \(\{0,1\}^{2n}\) to \(\{0,1\}^{2n}\). Let \(\mathcal {F}_n\) be the set of all functions from \(\{0,1\}^n\) to \(\{0,1\}^n\). Let L, R, S and T be four n-bit strings in \(\{0,1\}^n\). Let \(\varPsi (f_1)\) denote the permutation of \(\mathcal {P}_{2n}\) such that:
More generally, if \(f_1, f_2, \ldots , f_k\) are k functions of \(\mathcal {F}_n\), let \(\varPsi ^k(f_1, \ldots , f_k)\) denote the permutation of \(\mathcal {P}_{2n}\) such that:
The permutation \(\varPsi ^k(f_1,\ldots ,f_k)\) is called a ‘balanced Feistel scheme with k rounds’ or shortly \(\varPsi ^k\). When \(f_1,\ldots ,f_k\) are randomly and independently chosen in \(\mathcal {F}_n\), then \(\varPsi ^k(f_1,\ldots ,f_k)\) is called a ‘random Feistel scheme with k rounds’ or a ‘Luby-Rackoff construction with k rounds’.
Definition 3
Definition of H for \(\varPsi ^k\)
When \([L_{i},R_{i}],[S_{i},T_{i}], 1 \le i \le q\), is a given sequence of 2q values of \(\{0,1\}^{2n}\), we will denote by \(H_k(L,R,S,T)\), or in short by \(H_k\), or simply by H, the number of k-tuples of functions \((f_1,\ldots ,f_k)\) of \(\mathcal {F}_n ^k\) such that:
We will analyse the properties of these H values in order to obtain our security results.
Let \([L_{i},R_{i}],[S_{i},T_{i}], 1 \le i \le q\), be a given sequence of 2q values of \(\{0,1\}^{2n}\). Let r be the number of independent equalities \(R_i =R_j\), \(i \ne j\), and let s be the number of independent equalities \(S_i =S_j\), \(i \ne j\).
Theorem 12
The exact formula for \(H_1\) (i.e. for \(\varPsi ^1\)) is:
where (C) is this set of conditions:
-
1.
\(\forall i, \, 1 \le i \le q, \, R_i=S_i\)
-
2.
\(\forall i,j \, 1 \le i \le q, \, 1 \le j \le q, \, R_i=R_j \Rightarrow T_i \oplus L_i = T_j\oplus L_j\).
Proof
For one round, we have \(\varPsi ^1 ([L_i,R_i])= [S_i,T_i] \Leftrightarrow S_i=R_i\) and \(T_i = L_i \oplus f_1(R_i)\). Therefore, if (C) is not satisfied, \(H_1=0\). Now if (C) is satisfied, then \(f_1\) is fixed on exactly \(q-r\) points by \(f_1(R_i)= T_i \oplus L_i\) and is free on the remaining \(2^n-(q-r)\) points, so \(H_1 = 2^{nr}\frac{\vert \mathcal {F}_n \vert }{2^{nq}}\), and we obtain Theorem 12 as claimed.
\(\square \)
Theorem 13
The exact formula for \(H_2\) (i.e. for \(\varPsi ^2\)) is:
where (C) is this set of conditions:
-
1.
\(\forall i,j \, 1 \le i \le q, \, 1 \le j \le q, \, R_i=R_j \Rightarrow L_i \oplus L_j = S_i\oplus S_j\)
-
2.
\(\forall i,j \, 1 \le i \le q, \, 1 \le j \le q, \, S_i=S_j \Rightarrow R_i \oplus R_j = T_i\oplus T_j\).
Proof
For two rounds we have \(\varPsi ^2 ([L_i,R_i])= [S_i,T_i] \Leftrightarrow S_i= L_i \oplus f_1(R_i)\) and \(T_i = R_i \oplus f_2(S_i)\). Therefore, if (C) is not satisfied, \(H_2=0\). Now if (C) is satisfied, then \((f_1,f_2)\) is fixed on exactly \(2q-r-s\) points (\(f_1\) on \(q-r\) points, \(f_2\) on \(q-s\) points), so \(H_2 = 2^{n(r+s)}\frac{\vert \mathcal {F}_n \vert ^2}{2^{2nq}}\), and we obtain Theorem 13 as claimed. \(\square \)
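As an added worked example (this is not code from the paper), the following Python brute-forces \(H_1\) and \(H_2\) for n = 2 by enumerating all 256 functions of \(\mathcal {F}_2\) (and all 65536 pairs for two rounds), and compares the counts with the closed forms of Theorems 12 and 13 together with their conditions (C). The choice n = 2, the lookup-table encoding of functions and the four query sets are constructed here; the query sets have pairwise distinct inputs and pairwise distinct outputs as the definition of H requires.

```python
"""Added example: brute-force check of Theorems 12 and 13 for n = 2.

Not code from the paper; n, the query sets and the encoding of the
round functions as lookup tuples are constructed for this example.
"""
from itertools import product

N = 2                          # block halves of n = 2 bits, so 2n = 4-bit inputs
# F_n = all functions {0,1}^n -> {0,1}^n, each stored as a lookup tuple of length 2^n.
F_N = list(product(range(1 << N), repeat=1 << N))   # |F_n| = (2^n)^(2^n) = 256


def feistel(fs, L, R):
    """Psi^k(f_1, ..., f_k)([L, R]) -> [S, T]: one balanced round per function."""
    for f in fs:
        L, R = R, L ^ f[R]      # [L, R] -> [R, L xor f(R)]
    return L, R


def h_bruteforce(k, queries):
    """H_k(L, R, S, T): number of k-tuples (f_1..f_k) sending every [L_i,R_i] to [S_i,T_i]."""
    return sum(
        all(feistel(fs, L, R) == (S, T) for (L, R, S, T) in queries)
        for fs in product(F_N, repeat=k)
    )


def independent_equalities(values):
    """r (resp. s) of the paper: independent equalities R_i = R_j, i.e. q minus #distinct values."""
    return len(values) - len(set(values))


def h1_formula(queries):
    """Theorem 12: H_1 = 2^{n r} |F_n| / 2^{n q} when (C) holds, else 0."""
    q = len(queries)
    for (Li, Ri, Si, Ti) in queries:
        if Ri != Si:                                   # condition 1
            return 0
    for (Li, Ri, Si, Ti) in queries:
        for (Lj, Rj, Sj, Tj) in queries:
            if Ri == Rj and (Ti ^ Li) != (Tj ^ Lj):    # condition 2
                return 0
    r = independent_equalities([R for (_, R, _, _) in queries])
    return (1 << (N * r)) * len(F_N) // (1 << (N * q))


def h2_formula(queries):
    """Theorem 13: H_2 = 2^{n (r + s)} |F_n|^2 / 2^{2 n q} when (C) holds, else 0."""
    q = len(queries)
    for (Li, Ri, Si, Ti) in queries:
        for (Lj, Rj, Sj, Tj) in queries:
            if Ri == Rj and (Li ^ Lj) != (Si ^ Sj):    # condition 1
                return 0
            if Si == Sj and (Ri ^ Rj) != (Ti ^ Tj):    # condition 2
                return 0
    r = independent_equalities([R for (_, R, _, _) in queries])
    s = independent_equalities([S for (_, _, S, _) in queries])
    return (1 << (N * (r + s))) * len(F_N) ** 2 // (1 << (2 * N * q))


# Constructed query sets (L_i, R_i, S_i, T_i); inputs and outputs pairwise distinct.
Q1_OK = [(1, 2, 2, 2), (3, 2, 2, 0), (0, 0, 0, 1)]    # (C) of Theorem 12 holds, r = 1
Q1_BAD = [(1, 2, 2, 2), (3, 2, 2, 1)]                # R_1 = R_2 but T xor L differs
Q2_S0 = [(1, 2, 2, 2), (3, 2, 0, 1), (0, 0, 1, 2)]    # (C) of Theorem 13 holds, r = 1, s = 0
Q2_S1 = [(1, 2, 2, 3), (3, 2, 0, 2), (0, 0, 2, 1)]    # (C) of Theorem 13 holds, r = 1, s = 1

if __name__ == "__main__":
    cases = [("Q1_OK", 1, Q1_OK, h1_formula), ("Q1_BAD", 1, Q1_BAD, h1_formula),
             ("Q2_S0", 2, Q2_S0, h2_formula), ("Q2_S1", 2, Q2_S1, h2_formula)]
    for name, k, qs, formula in cases:
        print(name, "brute force:", h_bruteforce(k, qs), "formula:", formula(qs))
```

For `Q1_OK` the single round function is pinned on the two distinct R values and free on the other two points, which is the \(2^{n(2^n-(q-r))} = 16\) tuples both methods report; `Q1_BAD` violates condition 2 of Theorem 12 and both methods give 0. The same enumeration extended to three rounds is already \(256^3\) tuples, which is why the paper counts through the intermediate values X, Y, Z (frameworks) instead of over the functions.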
Definition 4
(Framework for \(\varPsi ^3\))
For 3 rounds, \(\varPsi ^3\), we define a “framework” as a set of equations \(X_i=X_j\). We will say that two frameworks are equal if they imply exactly the same set of equations in X.
Theorem 14
The exact formula for \(H_3\) (i.e. for \(\varPsi ^3\)) is:
where:
-
x is the number of independent equalities \(X_i=X_j\) for a framework \(\mathcal {F}\).
-
\( (F1): X_i=X_j\) is in \(\mathcal {F} \Rightarrow S_i \oplus S_j = R_i \oplus R_j\)
$$ (C_1): \left\{ \begin{array}{l} R_i=R_j\Rightarrow X_i\oplus X_j=L_i\oplus L_j \\ S_i=S_j\Rightarrow X_i\oplus X_j=T_i\oplus T_j \\ \text{The only equations } X_i=X_j,\ i<j, \text{ are exactly those implied by } \mathcal {F}. \end{array} \right. $$
Proof
We write \(\varPsi ^3= \varPsi \circ \varPsi ^2\) with \(\varPsi ^2([L_i,R_i])=[X_i,S_i]\) and \(\varPsi ([X_i,S_i])=[S_i,T_i]\). For \(\varPsi ^2\), Theorem 13 gives \(2^{n(r+x)}\frac{\vert \mathcal {F}_n \vert ^2}{2^{2nq}}\) solutions when (C1) is satisfied. For \(\varPsi \), Theorem 12 gives \(2^{ns}\frac{\vert \mathcal {F}_n \vert }{2^{nq}}\) solutions when (C1) is satisfied. Summing over the frameworks \(\mathcal {F}\) and over the X values satisfying (C1), we obtain Theorem 14 as claimed. \(\square \)
Definition 5
(Framework for \(\varPsi ^4\))
For 4 rounds, \(\varPsi ^4\), let us define a “framework” as a set of equations \(X_i=X_j\) or \(Y_i=Y_j\). We will say that two frameworks are equal if they imply exactly the same set of equalities in X and Y. For a framework \(\mathcal {F}\), we denote by x the number of independent equalities \(X_i=X_j\), and by y the number of independent equalities \(Y_i=Y_j\).
Theorem 15
The exact formula for \(H_4\) (i.e. for \(\varPsi ^4\)) is:
where
Proof
We write \(\varPsi ^4= \varPsi \circ \varPsi ^3\) with \(\varPsi ^3([L_i,R_i])=[Y_i,S_i]\) and \(\varPsi ([Y_i,S_i])=[S_i,T_i]\), and we sum over all possible Y. Then from Theorems 12 and 14, we obtain Theorem 15. \(\square \)
Definition 6
(Framework for \(\varPsi ^5\))
For 5 rounds, \(\varPsi ^5\), a “framework” is a set of equations \(X_i=X_j\) or \(Y_i=Y_j\), or \(Z_i=Z_j\). We will say that two frameworks are equal if they imply exactly the same set of equalities in X, Y and Z. For a framework \(\mathcal {F}\), we denote by x the number of independent equalities \(X_i=X_j\), by y the number of independent equalities \(Y_i=Y_j\), and by z the number of independent equalities \(Z_i=Z_j\).
Theorem 16
The exact formula for \(H_5\) (i.e. for \(\varPsi ^5\)) is:
where
Proof
We write \(\varPsi ^5= \varPsi \circ \varPsi ^4\) with \(\varPsi ^4([L_i,R_i])=[Z_i,S_i]\) and \(\varPsi ([Z_i,S_i])=[S_i,T_i]\), and we sum over all possible Z. Then from Theorems 12 and 15, we obtain Theorem 16. \(\square \)
B “Holes” on \(\varPsi ^5\) when \( \sqrt{2^n} \ll q \ll 2^n\)
We will present here a “structural” difference between \(\varPsi ^5\) and \(\varPsi ^6\): in \(\varPsi ^5\), we have “holes” when \( \sqrt{2^n} \ll q \ll 2^n\) (but not in \(\varPsi ^6\): cf. Theorem 8).
5 Rounds
For \(\varPsi ^5\), with \(q \simeq \sqrt{2^n}\), we can choose all the \(R_i\) with the same value, all the \(S_i\) with the same value, and the property: \(\forall i,j, \; 1 \le i \le q, \; 1 \le j \le q, \; i \ne j\), \(T_i \oplus T_j \ne L_i \oplus L_j\). For example, the first \(\frac{n}{2}\) bits of the \(L_i\) values are always 0 and the last \(\frac{n}{2}\) bits of the \(T_i\) values are always 0 (then \(L_i \oplus L_j\) is non-zero only on its last \(\frac{n}{2}\) bits and \(T_i \oplus T_j\) only on its first \(\frac{n}{2}\) bits, so they can be equal only when \(i=j\)). Since all the \(R_i\) values are equal, all the \(L_i\) values are pairwise distinct (because we want pairwise distinct \([L_i,R_i]\)) and all the \(X_i\) values are pairwise distinct (because \(R_i=R_j \Rightarrow X_i \oplus X_j= L_i \oplus L_j\)). Similarly, since all the \(S_i\) values are equal, all the \(T_i\) values are pairwise distinct (because we want pairwise distinct \([S_i,T_i]\)) and all the \(Z_i\) values are pairwise distinct (because \(S_i=S_j \Rightarrow Z_i \oplus Z_j = T_i \oplus T_j\)). Moreover, all the \(Y_i\) values are also pairwise distinct, because \(Y_i=Y_j \Rightarrow X_i \oplus X_j = Z_i \oplus Z_j \Rightarrow L_i \oplus L_j = T_i \oplus T_j\), but we always have \(L_i \oplus L_j \ne T_i \oplus T_j\) for \(i \ne j\).
We know (cf. Appendix A, Theorem 16) that the exact formula for H is:
Here we have only one framework (all the \(X_i\) pairwise distinct, all the \(Y_i\) pairwise distinct, all the \(Z_i\) pairwise distinct) with \(r=q-1\), \(s=q-1\), \(x=y=z=0\), [Number of \(X_i\) satisfying \((C1)]=2^n\) (since all the \(R_i\) are equal, the \(X_i\) are determined by \(X_1\)), [Number of \(Z_i\) satisfying \((C1)]=2^n\) (similarly, determined by \(Z_1\)), and [Number of \(Y_i\) satisfying \((C2)]=2^n(2^n-1)\ldots (2^n -q+1)\). We obtain:
when \(q\ll \sqrt{2^n}\). However \(\tilde{H_5}= \frac{\vert \mathcal {F}_n \vert ^5}{2^{2n}(2^{2n}-1)\ldots (2^{2n} -q+1)} \simeq \frac{\vert \mathcal {F}_n \vert ^5}{2^{2nq}}\) (the average of H over the q-tuples of pairwise distinct outputs in \(\{0,1\}^{2n}\)). Therefore here we have \(H_5 \ll \tilde{H_5}\), i.e. a “hole” of length \(\sqrt{2^n}\).
This result is not in contradiction with the fact that \(\varPsi ^5\) is CCA secure when \(q\ll 2^n\), because it is not possible in a CCA attack with q queries to obtain \(R_1=R_2= \ldots =R_m\) and \(S_1=S_2= \ldots =S_m\) with \(m \simeq \sqrt{2^n}\).
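As an added example (not code from the paper), the following Python builds the Appendix B query set for a chosen even n (all \(R_i\) equal, all \(S_i\) equal, \(L_i\) zero on its first n/2 bits, \(T_i\) zero on its last n/2 bits), checks the pairwise property \(T_i \oplus T_j \ne L_i \oplus L_j\), and evaluates \(\log_2 (H_5 / \tilde{H_5})\) from the counts stated above (\(r=s=q-1\), \(x=y=z=0\), \(2^n\) choices for X, \(2^n\) for Z, \(2^n(2^n-1)\ldots(2^n-q+1)\) for Y). Two things are assumptions of this example rather than text of the page: that the per-round counting visible in the proofs of Theorems 12 to 14 (each \(f_j\) fixed on q minus the independent equalities among its inputs) carries through to five rounds, which is how the counts are turned into \(H_5 = 2^n(2^n-1)\ldots(2^n-q+1)\,\vert \mathcal {F}_n \vert ^5 / 2^{3nq}\); and that the ratio function is meaningful for any q for which a query set with those counts exists, while the bit-split pattern implemented here only provides q up to \(2^{n/2}\).

```python
"""Added example: the Appendix B query set and the size of the 5-round "hole".

Not code from the paper.  The ratio H_5 / H~_5 is computed from the counts
stated in Appendix B; the per-round counting rule (assumption, see lead-in)
gives H_5 = (2^n)_q |F_n|^5 / 2^{3nq} and H~_5 = |F_n|^5 / (2^{2n})_q, where
(N)_q = N (N-1) ... (N-q+1).  |F_n|^5 cancels in the ratio.
"""
import math


def hole_queries(n, q):
    """Constructed (L_i, R_i, S_i, T_i): all R_i = 0, all S_i = 0, L_i zero on its
    first n/2 bits (L_i = i) and T_i zero on its last n/2 bits (T_i = i << n/2)."""
    assert n % 2 == 0 and 1 <= q <= 1 << (n // 2), "pattern only provides q <= 2^(n/2)"
    half = n // 2
    return [(i, 0, 0, i << half) for i in range(q)]


def pairwise_property_holds(queries):
    """True iff T_i xor T_j != L_i xor L_j for all i != j (forces the Y_i pairwise distinct)."""
    for i, (Li, _Ri, _Si, Ti) in enumerate(queries):
        for j, (Lj, _Rj, _Sj, Tj) in enumerate(queries):
            if i != j and (Ti ^ Tj) == (Li ^ Lj):
                return False
    return True


def equality_counts(queries):
    """(r, s) of the paper: q minus the number of distinct R_i, resp. S_i."""
    q = len(queries)
    r = q - len({R for (_, R, _, _) in queries})
    s = q - len({S for (_, _, S, _) in queries})
    return r, s


def log2_falling(big_n, q):
    """log2 of big_n (big_n - 1) ... (big_n - q + 1), summed term by term to stay exact-ish."""
    return sum(math.log2(big_n - i) for i in range(q))


def log2_hole_ratio(n, q):
    """log2(H_5 / H~_5) for a query set with r = s = q-1 and X, Y, Z pairwise distinct.

    log2 H_5  = n + n + log2 (2^n)_q + n(r + s) + 5 log2|F_n| - 5nq
              = log2 (2^n)_q + 5 log2|F_n| - 3nq          (with r = s = q-1)
    log2 H~_5 = 5 log2|F_n| - log2 (2^{2n})_q
    """
    return log2_falling(1 << n, q) + log2_falling(1 << (2 * n), q) - 3 * n * q


if __name__ == "__main__":
    n = 16
    root = 1 << (n // 2)                      # sqrt(2^n) = 256
    qs = hole_queries(n, root)
    print("pairwise property holds:", pairwise_property_holds(qs), "(r, s) =", equality_counts(qs))
    # q below, at and above sqrt(2^n); the last value exceeds what the bit-split
    # pattern can realise and only evaluates the ratio the counts would give.
    for q in (root // 8, root, root * 8):
        print(f"n={n} q={q:5d}: log2(H_5 / H~_5) = {log2_hole_ratio(n, q):8.2f}")
```

The ratio is exactly 0 for q = 1 and stays near 0 while \(q \ll \sqrt{2^n}\); the falling factorial \(2^n(2^n-1)\ldots(2^n-q+1)\) is what separates \(H_5\) from \(2^{nq}\), and its relative size is about \(e^{-q^2/2^{n+1}}\), so once q passes \(\sqrt{2^n}\) the value of \(H_5\) drops exponentially below \(\tilde{H_5}\), which is the "hole" of Appendix B.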
© 2018 Springer International Publishing AG, part of Springer Nature
Patarin, J. (2018). Two Simple Composition Theorems with H-coefficients. In: Joux, A., Nitaj, A., Rachidi, T. (eds) Progress in Cryptology – AFRICACRYPT 2018. AFRICACRYPT 2018. Lecture Notes in Computer Science, vol. 10831. Springer, Cham. https://doi.org/10.1007/978-3-319-89339-6_5
DOI: https://doi.org/10.1007/978-3-319-89339-6_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-89338-9
Online ISBN: 978-3-319-89339-6