Abstract
This paper takes a new step towards closing the troubling gap between pseudorandom functions (PRF) and their popular, bounded-input-length counterparts. This gap is both quantitative, because these counterparts are more efficient than PRF in various ways, and methodological, because these counterparts usually fit in the substitution-permutation network paradigm (SPN) which has not been used to construct PRF.
We give several candidate PRF \(\mathcal {F}_i\) that are inspired by the SPN paradigm. This paradigm involves a “substitution function” (S-box). Our main candidates are:
\(\mathcal {F}_1 : \{0, 1\}^n \rightarrow \{0, 1\}^n\) is an SPN whose S-box is a random function on b bits given as part of the seed. We prove unconditionally that \(\mathcal {F}_1\) resists attacks that run in time \(\le 2^{\epsilon b}\). Setting \(b = \omega (\lg n)\) we obtain an inefficient PRF, which however seems to be the first such construction using the SPN paradigm.
\(\mathcal {F}_2 : \{0, 1\}^n \rightarrow \{0, 1\}^n\) is an SPN where the S-box is (patched) field inversion, a common choice in practical constructions. \(\mathcal {F}_2\) is computable with Boolean circuits of size \(n \cdot \log ^{O(1)} n\), and in particular with seed length \(n \cdot \log ^{O(1)} n\). We prove that this candidate has exponential security \(2^{\Omega (n)}\) against linear and differential cryptanalysis.
\(\mathcal {F}_3 : \{0, 1\}^n \rightarrow \{0, 1\}\) is a non-standard variant on the SPN paradigm, where “states” grow in length. \(\mathcal {F}_3\) is computable with size \(n^{1+\epsilon }\), for any \(\epsilon > 0\), in the restricted circuit class \(\mathrm {TC}^0\) of unbounded fan-in majority circuits of constant-depth. We prove that \(\mathcal {F}_3\) is almost 3-wise independent.
\(\mathcal {F}_4 : \{0, 1\}^n \rightarrow \{0, 1\}\) uses an extreme setting of the SPN parameters (one round, one S-box, no diffusion matrix). The S-box is again (patched) field inversion. We prove that this candidate fools all parity tests that look at \(\le 2^{0.9n}\) outputs.
Assuming the security of our candidates, our work also narrows the gap between the “Natural Proofs barrier” [Razborov & Rudich; JCSS ’97] and existing lower bounds, in three models: unbounded-depth circuits, \(\mathrm {TC}^0\) circuits, and Turing machines. In particular, the efficiency of the circuits computing \(\mathcal {F}_3\) is related to a result by Allender and Koucky [JACM ’10] who show that a lower bound for such circuits would imply a lower bound for \(\mathrm {TC}^0\).
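An added illustration, not code from the paper, of the S-box that \(\mathcal {F}_2\) and \(\mathcal {F}_4\) share: patched field inversion, together with the two S-box statistics (largest difference-distribution entry and largest Walsh coefficient) on which bounds against differential and linear cryptanalysis rest. It assumes b = 8 and the AES reduction polynomial, neither of which the abstract fixes.

```python
POLY, B = 0x11B, 8      # assumption: AES polynomial x^8+x^4+x^3+x+1, b = 8
SIZE = 1 << B
def gf_mul(a, b):
    """Shift-and-add multiplication in GF(2^B) modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & SIZE:
            a ^= POLY
        b >>= 1
    return r

def patched_inverse(x):
    """x^(-1) in GF(2^B) computed as x^(2^B - 2); the 'patch' maps 0 to 0."""
    r, base, e = 1, x, SIZE - 2
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r

SBOX = [patched_inverse(x) for x in range(SIZE)]   # the S-box lookup table
def differential_uniformity(sbox):
    """Largest DDT entry over nonzero input differences; the best one-round
    differential then holds with probability entry / 2^B."""
    best = 0
    for dx in range(1, SIZE):
        counts = [0] * SIZE
        for x in range(SIZE):
            counts[sbox[x] ^ sbox[x ^ dx]] += 1
        best = max(best, max(counts))
    return best

def max_walsh(sbox):
    """Largest |sum_x (-1)^(<a,x> xor <b,S(x)>)| over nonzero output masks b,
    via a Walsh-Hadamard transform over a; best linear bias is value/2^(B+1)."""
    best = 0
    for bm in range(1, SIZE):
        f = [1 - 2 * (bin(bm & sbox[x]).count("1") & 1) for x in range(SIZE)]
        h = 1
        while h < SIZE:                              # in-place butterflies
            for i in range(0, SIZE, 2 * h):
                for j in range(i, i + h):
                    f[j], f[j + h] = f[j] + f[j + h], f[j] - f[j + h]
            h *= 2
        best = max(best, max(abs(v) for v in f))
    return best
```

For this S-box the largest DDT entry is 4 (one-round differential probability 2^-6) and the largest Walsh coefficient is 32 (linear bias 2^-4), as Nyberg's result on inversion in fields of even degree predicts; a random b-bit S-box of the kind \(\mathcal {F}_1\) draws from the seed typically scores worse on both.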
Supported by NSF grant CCF-0845003.
References
Aaronson, S., Wigderson, A.: Algebrization: a new barrier in complexity theory. In: 40th ACM Symp. on the Theory of Computing, STOC, pp. 731–740 (2008)
Allender, E., Koucký, M.: Amplifying lower bounds by means of self-reducibility. J. of the ACM 57(3) (2010)
Alon, N., Goldreich, O., Håstad, J., Peralta, R.: Simple constructions of almost \(k\)-wise independent random variables. Random Structures & Algorithms 3(3), 289–304 (1992)
Baker, T., Gill, J., Solovay, R.: Relativizations of the P=? NP question. SIAM J. Comput. 4(4), 431–442 (1975)
Bazzi, L.M.J.: Polylogarithmic independence can fool DNF formulas. SIAM J. Comput. 38(6), 2220–2272 (2009)
Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. Journal of Cryptology 4(1), 3–72 (1991)
Braverman, M.: Poly-logarithmic independence fools \(AC^0\) circuits. In: 24th IEEE Conf. on Computational Complexity, CCC. IEEE (2009)
Brodsky, A., Hoory, S.: Simple permutations mix even better. Random Struct. Algorithms 32(3), 274–289 (2008)
Cho, H.-S., Sung, S.H., Kwon, D., Lee, J.-K., Song, J.H., Lim, J.: New Method for Bounding the Maximum Differential Probability for SPNs and ARIA. In: Park, C., Chee, S. (eds.) ICISC 2004. LNCS, vol. 3506, pp. 21–32. Springer, Heidelberg (2005)
Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Springer (2002)
Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. J. Cryptology 10(3), 151–162 (1997)
Gao, S., von zur Gathen, J., Panario, D., Shoup, V.: Algorithms for exponentiation in finite fields. J. Symb. Comput. 29(6), 879–889 (2000)
Gauravaram, P., Knudsen, L.R., Matusiewicz, K., Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.S.: Grøstl: a SHA-3 candidate (2011), http://www.groestl.info
Gentry, C., Ramzan, Z.: Eliminating Random Permutation Oracles in the Even-Mansour Cipher. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 32–47. Springer, Heidelberg (2004)
Gerasoulis, A.: A fast algorithm for the multiplication of generalized Hilbert matrices with vectors. Mathematics of Computation 50, 179–188 (1988)
Goldreich, O.: Foundations of Cryptography: Volume 1, Basic Tools. Cambridge University Press (2001)
Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. of the ACM 33(4), 792–807 (1986)
Goldreich, O., Levin, L.: A hard-core predicate for all one-way functions. In: 21st ACM Symp. on the Theory of Computing, STOC, pp. 25–32 (1989)
Gowers, W.: An almost \(m\)-wise independent random permutation of the cube. Combinatorics, Probability and Computing 5(2), 119–130 (1996)
Haitner, I., Reingold, O., Vadhan, S.P.: Efficiency improvements in constructing pseudorandom generators from one-way functions. In: 42nd ACM Symp. on the Theory of Computing, STOC, pp. 437–446 (2010)
Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)
Healy, A., Viola, E.: Constant-Depth Circuits for Arithmetic in Finite Fields of Characteristic Two. In: Durand, B., Thomas, W. (eds.) STACS 2006. LNCS, vol. 3884, pp. 672–683. Springer, Heidelberg (2006)
Hesse, W., Allender, E., Barrington, D.A.M.: Uniform constant-depth threshold circuits for division and iterated multiplication. J. Comput. System Sci. 65(4), 695–716 (2002); Special issue on complexity, 2001 (Chicago, IL)
Hoory, S., Magen, A., Myers, S., Rackoff, C.: Simple permutations mix well. Theor. Comput. Sci. 348(2-3), 251–261 (2005)
Jakobsen, T., Knudsen, L.: Attacks on block ciphers of low algebraic degree. Journal of Cryptology 14, 197–210 (2001)
Kang, J.S., Hong, S., Lee, S., Yi, O., Park, C., Lim, J.: Practical and provable security against differential and linear cryptanalysis for substitution-permutation networks. ETRI Journal 23(4), 158–167 (2001)
Keliher, L., Meijer, H., Tavares, S.: New Method for Upper Bounding the Maximum Average Linear Hull Probability for SPNs. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 420–436. Springer, Heidelberg (2001)
Knudsen, L.R.: Truncated and Higher Order Differentials. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1995)
Kopparty, S.: On the complexity of powering in finite fields. In: ACM Symp. on the Theory of Computing, STOC (2011)
Kushilevitz, E., Nisan, N.: Communication complexity. Cambridge University Press (1997)
Luby, M., Rackoff, C.: How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Comput. 17(2), 373–386 (1988)
Matsui, M.: Linear Cryptanalysis Method for DES Cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994)
Naor, J., Naor, M.: Small-bias probability spaces: efficient constructions and applications. SIAM J. Comput. 22(4), 838–856 (1993)
Naor, M., Reingold, O.: On the construction of pseudorandom permutations: Luby-Rackoff revisited. J. Cryptology 12(1), 29–66 (1999)
Naor, M., Reingold, O.: Number-theoretic constructions of efficient pseudo-random functions. J. of the ACM 51(2), 231–262 (2004)
Nyberg, K.: Differentially Uniform Mappings for Cryptography. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 55–64. Springer, Heidelberg (1994)
Pieprzyk, J.: On bent permutations. In: Proceedings of the International Conference on Finite Fields, Coding Theory, and Advances in Communications and Computing, Las Vegas (August 1991)
Ramzan, Z., Reyzin, L.: On the Round Security of Symmetric-Key Cryptographic Primitives. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 376–393. Springer, Heidelberg (2000)
Razborov, A., Rudich, S.: Natural proofs. J. of Computer and System Sciences 55(1), 24–35 (1997)
Razborov, A.A.: A simple proof of Bazzi’s theorem. ACM Transactions on Computation Theory (TOCT) 1(1) (2009)
Roth, R.M., Seroussi, G.: On generator matrices of MDS codes. IEEE Transactions on Information Theory 31, 826–830 (1985)
Shannon, C.: Communication theory of secrecy systems. Bell Systems Technical Journal 28(4), 656–715 (1949)
Vadhan, S.P., Zheng, C.J.: Characterizing pseudoentropy and simplifying pseudorandom generator constructions. In: ACM Symp. on the Theory of Computing, STOC (2012)
Williams, R.: Non-uniform ACC lower bounds. In: IEEE Conf. on Computational Complexity, CCC (2011)
Wu, H.: The hash function JH (2011), http://www3.ntu.edu.sg/home/wuhj/research/jh/index.html
Copyright information
© 2012 International Association for Cryptologic Research
Cite this paper
Miles, E., Viola, E. (2012). Substitution-Permutation Networks, Pseudorandom Functions, and Natural Proofs. In: Safavi-Naini, R., Canetti, R. (eds) Advances in Cryptology – CRYPTO 2012. CRYPTO 2012. Lecture Notes in Computer Science, vol 7417. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-32009-5_5
DOI: https://doi.org/10.1007/978-3-642-32009-5_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-32008-8
Online ISBN: 978-3-642-32009-5