Two Simple Composition Theorems with H-coefficients

Abstract

We will present two new and simple theorems that show that when we compose permutation generators with independent keys, then the “quality” of CCA security increases. These theorems (Theorems 2 and 5 of this paper) are written in terms of H-coefficients (which are nothing else, up to some normalization factors, than transition probabilities). Then we will use these theorems on the classical analysis of Random Feistel Schemes (i.e. Luby-Rackoff constructions) and we will compare the results with the coupling technique. Finally, we will show an interesting difference between 5 and 6 Random Feistel Schemes. With 5 rounds on 2n bits \(\rightarrow 2n\) bits, when the number of q queries satisfies \(\sqrt{2^n} \ll q \ll 2^n\), we have some “holes” in the H-coefficient values, i.e. some H values are much smaller than the average value of H. This property for 5 rounds does not exist any more on 6 rounds.

Appendices

A An Exact Formula for the H-coefficient for \(\varPsi ^k, 1 \le k \le 5\)

The aim of this Appendix A is to prove Theorem 16, i.e. to obtain an exact formula H for \(\varPsi ^5\). (A similar formula was already mentioned in [18]). We will need this Theorem 16 in Appendix B.

Definition of \(\varPsi ^k\)

We recall the definition of the balanced Feistel Schemes, i.e. the classical Feistel schemes. Let \(\mathcal {P}_{2n}\) be the set of all permutations from \(\{0,1\}^{2n}\) to \(\{0,1\}^{2n}\). Let \(\mathcal {F}_n\) be the set of all functions from \(\{0,1\}^n\) to \(\{0,1\}^n\). Let L, R, S and T be four n-bit strings in \(\{0,1\}^n\). Let \(\varPsi (f_1)\) denotes the permutation of \(\mathcal {P}_{2n}\) such that:

$$ \varPsi (f_1)[L,R] = [S,T] ~{\mathop {\Leftrightarrow }\limits ^{{\mathrm {def}}}}~ \left\{ \begin{array}{l} S=R\\ T=L \oplus f_1(R)\\ \end{array} \right. $$

More generally if \(f_1, f_2, \ldots , f_k\) are k functions of \(\mathcal {F}_n\), let \(\varPsi ^k(f_1, \ldots , f_k)\) denotes the permutation of \(\mathcal {P}_{2n}\) such that:

$$\begin{aligned} \varPsi ^k(f_1, \ldots , f_k) = \varPsi (f_k) \circ \cdots \circ \varPsi (f_2) \circ \varPsi (f_1). \end{aligned}$$

The permutation \(\varPsi ^k(f_1,\ldots ,f_k)\) is called a ‘balanced Feistel scheme with k rounds’ or shortly \(\varPsi ^k\). When \(f_1,\ldots ,f_k\) are randomly and independently chosen in \(\mathcal {F}_n\), then \(\varPsi ^k(f_1,\ldots ,f_k)\) is called a ‘random Feistel scheme with k rounds’ or a ‘Luby-Rackoff construction with k rounds’.

Definition 3

Definition of H for \(\varPsi ^k\)

When \([L_{i},R_{i}],[S_{i},T_{i}], 1 \le i \le q\), is a given sequence of 2q values of \(\{0,1\}^{2n}\), we will denote by \(H_k(L,R,S,T)\) or in short by \(H_k\), or simply by H, the number of k-tuples of functions \((f_1,\ldots f_k)\) of \(F_n ^k\) such that:

$$ \forall i,\ 1\le i \le q,\ \varPsi ^k(f_1,\ldots ,f_k)[L_i,R_i] =[S_i,T_i]. $$

We will analyse the properties of these H values in order to obtain our security results.

Let \([L_{i},R_{i}],[S_{i},T_{i}], 1 \le i \le q\), be a given sequence of 2q values of \(\{0,1\}^{2n}\). Let r be the number of independent equalities \(R_i =R_j\), \(i \ne j\), and let s be the number of independent equalities \(S_i =S_j\), \(i \ne j\).

Theorem 12

The exact formula for \(H_1\) (i.e. for \(\varPsi ^1\)) is:

$$\begin{aligned} H_1&= 0\ {if }\ (C)\ {is\ not\ satisfied },\\ H_1&= \frac{\vert \mathcal {F}_n \vert }{2^{nq}}\cdot 2^{nr}\ {if}\ (C)\ {is\ satisfied },\\ \end{aligned}$$

where (C) is this set of conditions:

1. 1.

   \(\forall i, \, 1 \le i \le q, \, R_i=S_i\)

2. 2.

   \(\forall i,j \, 1 \le i \le q, \, 1 \le j \le q, \, R_i=R_j \Rightarrow T_i \oplus L_i = T_j\oplus L_j\).

Proof

For one round, we have \(\varPsi ^1 ([L_i,R_i])= [S_i,Y_i] \Leftrightarrow S_i=R_i\) and \(T_i = L_i \oplus f_1(R_i)\). Therefore, if (C) is not satisfied, \(H_1=0\). Now if (C) is satisfied, then \(f_1\) is fixed on exactly \(q-r\) points by \(f_1(R_i)= T_i \oplus L_i\), and we obtain Theorem 12 as claimed.

   \(\square \)

Theorem 13

The exact formula for \(H_2\) (i.e. for \(\varPsi ^2\)) is:

$$\begin{aligned} H_2&= 0 \ {if}\ (C)\ {is\ not\ satisfied },\\ H_2&= \frac{\vert \mathcal {F}_n \vert ^2}{2^{2nq}}\cdot 2^{n(r+s)}\ { if }\ (C)\ {is\ satisfied }, \end{aligned}$$

where (C) is this set of conditions:

1. 1.

   \(\forall i,j \, 1 \le i \le q, \, 1 \le j \le q, \, R_i=R_j \Rightarrow L_i \oplus L_j = S_i\oplus S_j\)

2. 2.

   \(\forall i,j \, 1 \le i \le q, \, 1 \le j \le q, \, S_i=S_j \Rightarrow R_i \oplus R_j = T_i\oplus T_j\).

Proof

For two rounds we have \(\psi ^2 ([L_i,R_i])= [S_i,T_i] \Leftrightarrow S_i= L_i \oplus f_1(R_i)\) and \(T_i = R_i \oplus f_2(S_i)\). Therefore if (C) is not satisfied, \(H_2=0\). Now if (C) is satisfied then \((f_1,f_2)\) is fixed on exactly \(2q-r-s\) points, and we obtain Theorem 13 as claimed.    \(\square \)

Definition 4

(Framework for \(\varPsi ^3\))

For 3 rounds, \(\varPsi ^3\), we define a “framework” as a set of equations \(X_i=X_j\). We will say that two frameworks are equal if they imply exactly the same set of equations in X.

Theorem 14

The exact formula for \(H_3\) (i.e. for \(\varPsi ^3\)) is:

$$ H_3 = \frac{\vert \mathcal {F}_n \vert ^3 \cdot 2^{n(r+s)}}{2^{3nq}} \sum _{{{ all\ frameworks }}\ \mathcal F \atop \ {{ that\ satisfy }}\ (F1)} 2^{nx} [{{ Number\ of }}\ X_i\ {{ satisfying }}\ (C1)] $$

where:

• x is the number of independent equalities \(X_i=X_j\) for a framework \(\mathcal {F}\).

• \( (F1): X_i=X_j\) is in \(\mathcal {F} \Rightarrow S_i \oplus S_j = R_i \oplus R_j\)

  $$ (C_1): \left\{ \begin{array}{l} R_i=R_j\Rightarrow X_i\oplus X_j=L_i\oplus L_j \\ S_i=S_j\Rightarrow X_i\oplus X_j=T_i\oplus T_j \\ {The\ only\ equations}\ X_i=X_j, i<j,\ {are\ exactly\ those\ implied\ by \ } \mathcal {F}. \end{array} \right. $$

Proof

We write \(\varPsi ^3= \varPsi \circ \varPsi ^2\) with \(\varPsi ^2([L_i,R_i])=[X_i,S_i]\) and \(\varPsi ([X_i,S_i])=[S_i,T_i]\). For \(\varPsi ^2\), we obtain from Theorem 13, \(2^{n(r+x)}\frac{\vert \mathcal {F}_n \vert ^2}{2^{2nq}}\) solutions when (C1) is satisfied. For \(\varPsi \), we obtain from Theorem 12, \(2^{ns}\frac{\vert \mathcal {F}_n \vert }{2^{nq}}\) solutions when (C1) is satisfied. Thus, we obtain Theorem 14 as claimed.    \(\square \)

Definition 5

(Framework for \(\varPsi ^4\))

For 4 rounds, \(\varPsi ^4\), let us define a “framework” as a set of equations \(X_i=X_j\) or \(Y_i=Y_j\). We will say that two frameworks are equal if they imply exactly the same set of equalities in X and Y. For a framework \(\mathcal {F}\), we denote by x the number of independent equalities \(X_i=X_j\), and by y the number of independent equalities \(Y_i=Y_j\).

Theorem 15

The exact formula for \(H_4\) (i.e. for \(\varPsi ^4\)) is:

$$\begin{aligned} H_4 = \frac{\vert \mathcal {F}_n \vert ^4 \cdot 2^{n(r+s)}}{2^{4nq}}&\sum _{{{ all\ frameworks }}\ \mathcal F} 2^{n(x+y)} [{{ Number\ of }}\ X_i\ {{ satisfying }}\ (C1)] \\&\cdot [{{ Number\ of }}\ Y_i \ {{ satisfying }}\ (C2)] \end{aligned}$$

where

$$(C_1): \left\{ \begin{array}{l} R_i=R_j\Rightarrow X_i\oplus X_j=L_i\oplus L_j \\ Y_i=Y_j{ is in }\mathcal {F}\Rightarrow X_i\oplus X_j=S_i\oplus S_j \\ {{The\ only\ equations }}\ X_i=X_j, i<j,\ {{ are\ exactly\ those\ implied\ by }}\ \mathcal {F}. \end{array} \right. $$

$$(C_2): \left\{ \begin{array}{l} S_i=S_j\Rightarrow Y_i\oplus Y_j=T_i\oplus T_j \\ X_i=X_j\ { is\ in }\ \mathcal {F}\Rightarrow Y_i\oplus Y_j=R_i\oplus R_j \\ {The\ only\ equations }\ Y_i=Y_j, i<j,\ { are\ exactly\ those\ implied\ by }\ \mathcal {F}. \end{array} \right. $$

Proof

We write \(\psi ^4= \varPsi \circ \varPsi ^3\) with \(\varPsi ^3([L_i,R_i])=[Y_i,S_i]\) and \(\varPsi ([Y_i,S_i])=[S_i,T_i]\), and we sum over all possible Y. Then from Theorems 12 and 14, we obtain Theorem 15.    \(\square \)

Definition 6

(Framework for \(\varPsi ^5\))

For 5 rounds, \(\varPsi ^5\), a “framework” is a set of equations \(X_i=X_j\) or \(Y_i=Y_j\), or \(Z_i=Z_j\). We will say that two frameworks are equal if they imply exactly the same set of equalities in X, Y and Z. For a framework \(\mathcal {F}\), we denote by x the number of independent equalities \(X_i=X_j\), by y the number of independent equalities \(Y_i=Y_j\), and by z the number of independent equalities \(Z_i=Z_j\).

Theorem 16

The exact formula for \(H_5\) (i.e. for \(\varPsi ^5\)) is:

$$\begin{aligned} H_5 = \frac{\vert \mathcal {F}_n \vert ^5 \cdot 2^{n(r+s)}}{2^{5nq}}&\sum _{{{ all\ frameworks }}\ \mathcal F} 2^{n(x+y+z)} [{{ Number\ of }}\ X_i, Z_i\ {{ satisfying }}\ (C1)] \\&\cdot [{{ Number\ of }}\ Y_i\ {{ satisfying }}\ (C2)] \end{aligned}$$

where

$$(C_1): \left\{ \begin{array}{l} R_i=R_j\Rightarrow X_i\oplus X_j=L_i\oplus L_j \\ Y_i=Y_j\ {{ is\ in }}\ \mathcal {F}\Rightarrow X_i\oplus X_j=Z_i\oplus Z_j \\ S_i=S_j \Rightarrow Z_i\oplus Z_j=T_i\oplus T_j \\ {{The\ only\ equations }}\ X_i=X_j, i<j,\ {{ are\ exactly\ those\ implied\ by }}\ \mathcal {F}.\\ {{The\ only\ equations }}\ Z_i=Z_j, i<j,\ {{ are\ exactly\ those\ implied\ by }}\ \mathcal {F}.\\ \end{array} \right. $$

$$(C_2): \left\{ \begin{array}{l} X_i=X_j\ {{ is\ in }}\ \mathcal {F} \Rightarrow Y_i \oplus Y_j=R_i\oplus R_j \\ Z_i=Z_j\ {{ is\ in\ }}\ \mathcal {F}\Rightarrow Y_i\oplus Y_j=S_i\oplus S_j \\ {{The\ only\ equations }}\ Y_i=Y_j, i<j,\ {{ are\ exactly\ those\ implied\ by }}\ \mathcal {F}. \end{array} \right. $$

Proof

We write \(\varPsi ^5= \varPsi \circ \varPsi ^4\) with \(\varPsi ^4([L_i,R_i])=[Z_i,S_i]\) and \(\varPsi ([Z_i,S_i])=[S_i,T_i]\), and we sum over all possible Z. Then from Theorems 12 and 15, we obtain Theorem 16.    \(\square \)

B “Holes” on \(\varPsi ^5\) when \( \sqrt{2^n} \ll q \ll 2^n\)

We will present here a “structural” difference between \(\varPsi ^5\) and \(\varPsi ^6\): in \(\varPsi ^5\), we have “holes” when \( \sqrt{2^n} \ll q \ll 2^n\) (but not in \(\varPsi ^6\): cf. Theorem 8).

5 Rounds

For \(\varPsi ^5\), with \(q \simeq \sqrt{2^n}\), we can choose all the \(R_i\) with the same value, all the \(S_i\) with the same value and the property: \(\forall i,j, \; 1 \le i \le q, \; 1 \le j \le q\), \(T_i \oplus T_j \ne L_i \oplus L_j\). For example, the first \(\frac{n}{2}\) bits of the \(L_i\) values are always 0 and the last \(\frac{n}{2}\) bits of the \(T_i\) values are always 0. Since all the \(R_i\) values are equal, then all the \(L_i\) values are pairwise distinct (because we want pairwise distinct \([L_i,R_i]\)) and all the \(X_i\) values are pairwise distinct (because \(R_i=R_j \Rightarrow X_i \oplus X_j= L_i \oplus L_j\). Similarly, since all the \(S_i\) values are equal, then all the \(T_i\) values are distinct (because we want pairwise distinct \([S_i,T_i]\)) and all the \(Z_i\) values are pairwise distinct (because \(S_i=S_j \Rightarrow Z_i \oplus Z_j = T_i \oplus T_j\)). Moreover all the \(Y_i\) values are also pairwise distinct, because \(Y_i=Y_j \Rightarrow X_i \oplus X_j = Z_i \oplus Z_j \Rightarrow L_i \oplus L_j = T_i \oplus T_j\), but we always have: \(L_i \oplus L_j \ne T_i \oplus T_j\).

We know (cf. Appendix A, Theorem 16) that the exact formula for H is:

$$\begin{aligned} H_5 = \frac{\vert \mathcal {F}_n \vert ^5 \cdot 2^{n(r+s)}}{2^{5nq}}&\sum _{{{ all\ frameworks\ }}\ \mathcal F} 2^{n(x+y+z)} [{{ Number\ of }}\ X_i, Z_i\ {{ satisfying }}\ (C1)]\\&\cdot [{{ Number\ of }}\ Y_i\ {{ satisfying }}\ (C2)]. \end{aligned}$$

Here we have only one framework (all the \(X_i\) are pairwise distinct, \(Y_i\) pairwise distinct, \(Z_i\) pairwise distinct) with \(r=q-1, s=q-1\), \(x=y=z=0\), [Number of \(X_i\) satisfying \((C1)]=2^n\), [Number of \(Z_i\) satisfying \((C1)]=2^n\), and [Number of \(Y_i\) satisfying \((C2)]=2^n(2^n-1)\ldots (2^n -q+1)\). we obtain:

$$ H_5 = \frac{\vert \mathcal {F}_n \vert ^5}{2^{2nq}} \cdot \left( 1- \frac{1}{2^n}\right) \left( 1- \frac{2}{2^n}\right) \ldots \left( 1- \frac{q-1}{2^n}\right) \ll \frac{\vert F_n \vert ^5}{2^{2nq}} $$

when \(q\ll \sqrt{2^n}\). However \(\tilde{H_5}= \frac{\vert \mathcal {F}_n \vert ^5}{(2^n)(2^n-1)\ldots (2^n -q+1)} \simeq \frac{\vert \mathcal {F}_n \vert ^5}{2^{2nq}}\). Therefore here we have \(H_5 \ll \tilde{H_5}\), i.e. a “hole” of length \(\sqrt{2^n}\).

This result is not in contradiction with the act that \(\varPsi ^5\) is CCA secure when \(q\ll 2^n\) because it is not possible in a CCA attack with q queries to obtain \(R_1=R_2= \ldots =R_m\) and \(S_1=S_2= \ldots =S_m\) with \(m \simeq \sqrt{2^n}\).