Abstract
Given \(k\) independent pseudorandom permutations \(f_1,\ldots ,f_k\) over \(\{0,1\}^n\), it is natural to define a pseudorandom function by XORing the permutations: \(f_1\oplus \ldots \oplus f_k\). In [9] Stefan Lucks studied the security of this PRF. In this paper we improve the security bounds of [9] by using different proof techniques.
Keywords
- Pseudorandom functions
- Pseudorandom permutations
- Security beyond the birthday bound
- Luby-Rackoff backwards
1 Introduction
Much research has dealt with constructing cryptographic primitives from other ones: Levin [6] obtained “pseudorandom bit generators” from “one-way functions”, then Goldreich, Goldwasser and Micali [4] constructed pseudorandom functions (PRFs) from “pseudorandom bit generators”. In [1], Aiello and Venkatesan studied how to construct PRFs from smaller PRFs. Luby and Rackoff [7] dealt with the problem of getting pseudorandom permutations (PRPs) from PRFs; further work about their construction can be found in [8, 11]. Our article focuses on the reverse problem of converting PRPs into PRFs, named “Luby-Rackoff backwards”, which was first considered in [3]. This problem is trivial in an asymptotic polynomial versus non-polynomial security model (since a PRP is then a PRF), but not if we are interested in achieving tighter and concrete security bounds. More precisely, the loss of security when regarding a PRP as a PRF comes from the “birthday attack”, which can distinguish a random permutation from a random function of \(n\) bits to \(n\) bits in \(2^{\frac{n}{2}}\) operations and \(2^{\frac{n}{2}}\) queries. Therefore different ways to build PRFs from PRPs with security above \(2^\frac{n}{2}\), while performing very few computations, have been suggested (see [2, 3, 5, 9]). One of the simplest ways is to XOR \(k\) independent pseudorandom permutations with \(k \ge 2\). In [9] (Theorem 2, p.474) Stefan Lucks proved, with a simple proof, that the XOR of \(k\) independent PRPs gives a PRF with security at least in \(\mathcal {O}\left( 2^{\frac{k}{k+1} n}\right) \). In [2, 12] difficult analyses of \(k=2\) are given, with proofs that the security is good when the number of queries is lower than \(\mathcal {O}\left( \frac{2^n}{n^{2/3}}\right) \) or \(\mathcal {O}\left( 2^n\right) \). For \(k\ge 3\) there is a significant gap between the proven security of [9] and the best attacks of [13].
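The birthday gap described above can be observed directly on a toy block size. The following simulation is an added example (not code from the paper): it runs the collision distinguisher against a single random permutation, the XOR of \(k\) random permutations and a truly random function, for constructed parameters \(n=12\), \(q=128\) and 200 trials.

```python
"""Added example (not from the paper): a birthday-collision distinguisher run
against a single random permutation, the XOR of k random permutations and a
truly random function, for a toy block size n so it runs offline in seconds.

A PRP used directly as a PRF is detected after about 2^(n/2) queries because
its outputs never collide; f_1 xor ... xor f_k (k >= 2) collides about as
often as a random function. All parameters (n, q, trials) are constructed.
"""
import math
import random
from typing import Callable, List

Oracle = Callable[[int], int]


def random_permutation(n: int, rng: random.Random) -> List[int]:
    """Uniformly random element of B_n, stored as a lookup table."""
    table = list(range(1 << n))
    rng.shuffle(table)
    return table


def xor_of_permutations(k: int, n: int, rng: random.Random) -> Oracle:
    """Oracle for f_1 xor ... xor f_k with k independent permutations of I_n.
    k == 1 is the 'PRP used directly as a PRF' case."""
    perms = [random_permutation(n, rng) for _ in range(k)]

    def oracle(x: int) -> int:
        out = 0
        for p in perms:
            out ^= p[x]
        return out

    return oracle


def random_function(n: int, rng: random.Random) -> Oracle:
    """Lazily sampled random element of F_n, the ideal object the paper compares against."""
    table = {}

    def oracle(x: int) -> int:
        if x not in table:
            table[x] = rng.randrange(1 << n)
        return table[x]

    return oracle


def has_output_collision(oracle: Oracle, n: int, q: int, rng: random.Random) -> bool:
    """Birthday distinguisher: query q distinct inputs and report whether two outputs agree.
    A permutation can never trigger this; a random function does with probability
    about 1 - exp(-q^2 / 2^(n+1))."""
    inputs = rng.sample(range(1 << n), q)  # pairwise distinct queries, as in J_n^q
    seen = set()
    for x in inputs:
        y = oracle(x)
        if y in seen:
            return True
        seen.add(y)
    return False


def collision_rate(make_oracle: Callable[[random.Random], Oracle],
                   n: int, q: int, trials: int, seed: int = 1) -> float:
    """Fraction of independent trials in which the distinguisher sees a collision."""
    rng = random.Random(seed)
    hits = sum(has_output_collision(make_oracle(rng), n, q, rng) for _ in range(trials))
    return hits / trials


def birthday_estimate(n: int, q: int) -> float:
    """Standard approximation of the collision probability for a random function."""
    return 1.0 - math.exp(-q * q / (2.0 * (1 << n)))


if __name__ == "__main__":
    n, q, trials = 12, 128, 200  # q^2 / 2^(n+1) = 2, so roughly 86% of random functions collide
    print(f"birthday estimate for a random function: {birthday_estimate(n, q):.3f}")
    print("single permutation :", collision_rate(lambda r: xor_of_permutations(1, n, r), n, q, trials))
    print("xor of 2 perms     :", collision_rate(lambda r: xor_of_permutations(2, n, r), n, q, trials))
    print("xor of 3 perms     :", collision_rate(lambda r: xor_of_permutations(3, n, r), n, q, trials))
    print("random function    :", collision_rate(lambda r: random_function(n, r), n, q, trials))
```

The single permutation is identified with certainty (rate 0) while the XOR constructions track the random-function rate, which is exactly the property the bounds in this paper quantify for larger \(q\).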
In this paper we reduce this gap by improving the proven security for the XOR of \(k\) permutations, \(k \ge 3\). Constructions with \(k \ge 3\) instead of \(k=2\) are interesting for various reasons. First, our proofs are much simpler than the proofs of [2, 12]. Second, in many cryptographic applications the block size \(n\) cannot be chosen by the designer of the algorithm since it is imposed by the application; it is then useful to have another parameter that decreases the proven advantage of any adversary to a value as small as desired, with a simple construction. Our proof technique is based on the “coefficient \(H\) technique” of Patarin (cf. [14]). However, we only use its first steps (and not all the refinements) in order to keep the proofs very simple while still obtaining better security results than previously known; tighter bounds could be achieved with the full technique, but at the cost of more computations (as in [15]).
Related Problems. In [10] the security of the XOR of two public permutations is studied (i.e. indifferentiability instead of indistinguishability).
Organisation of the Paper. Section 2 presents the notations and basic definitions used in this paper. In Sects. 3 and 4, two security bounds are shown with different techniques (respectively the “\(H_\sigma \) coefficient” technique and the “\(H\) coefficient” technique). Both results are then compared to the one from [9] in the last section.
2 Preliminaries
We denote by \(I_n\) the set of \(n\)-bit strings and by \(J_n^q\) the subset of \(I_n^q\) of values \((x_i)_{1\le i\le q}\) satisfying \(x_i\ne x_j\) for all \(i\ne j\). We denote by \(F_n\) the set of functions from \(I_n\) to \(I_n\) and by \(B_n\) the set of permutations of \(I_n\). The notation \(x \in _R E\) stands for “\(x\) is chosen uniformly at random in \(E\)”.
An adversary \(A\) trying to distinguish \(f_1\oplus \ldots \oplus f_k\), where \(f_i \in _R B_n\) for each \(i \in \{1,\ldots ,k\}\), from a random function \(F \in _R F_n\) is given access to an oracle \(Q\). This oracle simulates either \(F\) or \(f_1 \oplus \ldots \oplus f_k\). \(A\) chooses inputs \(x \in \{0,1\}^n\); then \(Q\) responds \(Q(x) \in \{0,1\}^n\). After at most \(q\) queries, \(A\) outputs \(A(Q) \in \{0,1\}\). \(A(Q)\) is then seen as a random variable over \(\{0,1\}\). This is an adaptive chosen plaintext attack (\({\mathrm {cpa}}\)). To measure the pseudorandomness of the XOR of \(k\) permutations one must evaluate the advantage \( {\mathbf{Adv }}_{A,f_1 \oplus \ldots \oplus f_k}^{\mathrm {cpa}}\) of an adversary \(A\), which is defined as
We write \( {\mathbf{Adv }}_{f_1 \oplus \ldots \oplus f_k}^{\mathrm {cpa}}\) for the maximal advantage any adversary can get when trying to distinguish the XOR of \(k\) random permutations from a random function.
3 Security Bound from the \(H_\sigma \) Technique
3.1 Linking the Advantage to a Combinatorial Problem
Let \(k \ge 2\). We use Theorem 3 from [14]:
Theorem 1
Let \(\alpha ,\beta \in \mathbb {R}^+\) and \(q \in \mathbb {N}\setminus \{0\}\). Let \(E\) be a subset of \(I_n^q\) such that \(|E| \ge (1-\beta )2^{nq}\). Suppose that, for each sequence \((a_i)_{1\le i \le q}, (b_i)_{1\le i \le q}\in J_n^q\), with \((b_i)_{1\le i \le q} \in E\):
with \(H(a,b)\) the number of \((f_1,\ldots ,f_k)\in B_n^k\) such that:
Then:
For every \(b\in J_n^q\), let \(h_{q}(b)\) be the number of sequences \(x^1,x^2,\ldots ,x^{k-1}\in J_n^q\) such that \(x^1\oplus \ldots \oplus x^{k-1}\oplus b\in J_n^q\) then
Lemma 1
For all \(a,b\in J_n^q\):
Proof
The number \(H(a,b)\) can be seen as the sum, over the sequences \(x^1,x^2,\ldots ,\) \(x^{k-1}\in J_n^q\) such that \(x^1\oplus \ldots \oplus x^{k-1}\oplus b\in J_n^q\), of the number of \(f_1,\ldots ,f_k\in B_n\) satisfying the equations \(f_j(a_i)=x_i^j\) for all \(j\le k-1, i\le q\) and \(f_k(a_i)=x_i^1\oplus \ldots \oplus x_i^{k-1}\oplus b_i\) for all \(i\le q\). Then, for each choice of \(x^1,\ldots ,x^{k-1}\), each \(f_j\) is a uniformly random permutation fixed on \(q\) points, so \(H(a,b)=h_{q}(b) \left( \frac{|B_n|}{ 2^n\times \cdots \times (2^n-q+1)}\right) ^k\), which also shows that \(H(a,b)\) does not depend on \(a\). \(\square \)
We now view \(h_q\) as a random variable over \(b\in _R I^q_n\). The security of the XOR of \(k\) permutations is closely related to the variance and the expectation of this random variable:
Lemma 2
The advantage satisfies:
Proof
For all \(a\), we define \(H(a)\) as the random variable over \(b\) equal to \(H(a,b)\). The Bienaymé-Chebyshev inequality yields:
Taking \(\epsilon =\alpha {{\mathbb {E}}\left[ H(a)\right] }\):
Then
Thus, defining \(E=\{ (b_i)_{1\le i \le q} | H(a,b)\ge (1-\alpha ) {{\mathbb {E}}\left[ H(a)\right] }\}\), Theorem 1 yields:
Then, with \(\alpha =\left( \frac{{{\mathbb {V}}\left[ H(a)\right] }}{{{\mathbb {E}}\left[ H(a)\right] }^2} \right) ^{1/3}\):
\(\square \)
Lemma 3
The mean of \(h_q\) satisfies:
Proof
This result generalizes a theorem found in [12]. We define \(\delta _x\), with \(x=(x^1,\ldots ,x^{k-1})\in (J_n^q)^{k-1}\), as the random variable over \(b\) such that \(\delta _x=1\) if \(x^1,\ldots ,\) \(x^{k-1}, b\oplus x^1\oplus \cdots \oplus x^{k-1}\in J_n^q\) and \(\delta _x=0\) otherwise. It is clear that \(h_q=\sum \limits _{x \in (J_n^q)^{k-1}}\delta _x\), hence
\(\square \)
We now focus on the variance of \(h_q\).
3.2 Study of \({{\mathbb {V}}\left[ h_q\right] }\)
We denote by \(\lambda _q\) the number of sequences \(g^1,\ldots ,g^{2k}\in J_n^q\) such that \(g^1\oplus \cdots \oplus g^{2k}=0\). These conditions will be referred to as the \(\lambda _q\) conditions. These are \(2k\) sequences of \(q\) pairwise distinct elements and \(q\) equations, so we could expect \(\lambda _q\) to be close to
We see in the next lemma that the problem of knowing how close \(\lambda _q\) is to \(U_q\) is at the core of the computation of the advantage.
Lemma 4
The advantage satisfies:
Proof
We know that \(h_q=\sum _x \delta _x\) with the sum being over \(x\in (J_n^q)^{k-1}\), so the linearity of the expected value operator yields:
the sum being over \(x,x'\in (J_n^q)^{k-1}\). Then:
We know that \(\delta _x(b)\delta _{x'}(b)\), with \(x,x'\in (J_n^q)^{k-1}\), equals \(1\) if and only if \(b\oplus x^1\oplus \cdots \oplus x^{k-1}\in J_n^q\) and \(b\oplus x'^1\oplus \cdots \oplus x'^{k-1}\in J_n^q\). If we change variables like this: \(g^i:=x^i\) and \(g^{i+k-1}:=x'^i\) for all \(1\le i\le k-1\) and \(g^{2k-1}:=b\oplus x^1\oplus \cdots \oplus x^{k-1}, g^{2k}:=b\oplus x'^1\oplus \cdots \oplus x'^{k-1}\), we see that \(\sum _{b,x,x'}\delta _x(b)\delta _{x'}(b)\) is equal to \(\lambda _q\). Then:
Moreover, using Lemma 2:
\(\square \)
The strategy we follow is to evaluate recursively, more and more accurately, the coefficients \(\lambda _\alpha \) for \(1 \le \alpha \le q\).
3.3 First Evaluation of \(\lambda _\alpha \)
By definition, \(\lambda _{\alpha +1}\) is the number of tuples \(g^1,\ldots ,g^{2k}\in J_n^{\alpha +1}\) such that:
1. the \(\lambda _\alpha \) conditions hold,
2. for all \(1 \le j \le 2k\), \(g^j_{\alpha +1} \not \in \{g^j_i, 1 \le i \le \alpha \}\),
3. \(g_{\alpha +1}^1\oplus \cdots \oplus g_{\alpha +1}^{2k}=0.\quad (E_{\alpha +1})\)
Hence there are \(2k\alpha \) equations that must not hold. For \(1\le i \le 2k\alpha \), we denote by \(\beta _i\) the \(i\)-th such equation. Let \(B_i\) be the set of tuples \((g^1,\ldots ,g^{2k})\) which satisfy the \(\lambda _\alpha \) conditions, the equation \((E_{\alpha +1})\) and the equation \(\beta _i\), for \(1\le i \le 2k\alpha \). Then:
Using the inclusion-exclusion principle:
When more than \(2k+1\) equations \(\beta _i\) are considered, at least two of them use the same variable, for example \(g^1_{\alpha +1}=g^1_1\) and \(g^1_{\alpha +1}=g^1_2\), which is impossible according to the \(\lambda _{\alpha }\) conditions. Thus:
Now, we study every kind of intersection.
- \(1\) equation: the \(\beta _i\) equation fixes the value of one new variable, whereas the others are free, so:
and there exist \(2k\alpha \) such sets.
- \(l\) equations (\(2\le l \le 2k-1\)): such an intersection is non-empty if every equation \(\beta _i\) uses a different new variable. In this case, \(l\) new variables are fixed and the others remain free. Thus,
and there are \(\left( \begin{array}{c} 2k \\ l \end{array}\right) \alpha ^k\) such non-empty intersections.
- \(2k\) equations: as before, such a set is non-empty if every equation \(\beta _i\) uses a different new variable. In this case, the set \(B_{i_1}\cap \ldots \cap B_{i_{2k}}\) is composed of tuples such that \(g_{\alpha +1}^1=g_{i_1}^1,\ldots ,g_{\alpha +1}^{2k}=g_{i_{2k}}^{2k}\), and the equation \((E_{\alpha +1})\) implies that:
We denote this equation by \(X\) and set \(\lambda '_\alpha (X)=|B_{i_1}\cap \ldots \cap B_{i_{2k}}|\). There are three possible cases:
- If the \(2k\) indices in \(X\) are equal, then \(X\) is always true. There are \(\alpha \) possibilities and \(\lambda '_{\alpha }(X)=\lambda _\alpha \).
- If \(2k-1\) indices are equal and the last one is different, then \(\lambda '_{\alpha }(X)=0\) since \(X\) contradicts the \(\lambda _\alpha \) conditions. There are \(2k\alpha (\alpha -1)\) possibilities.
- We denote by \(S\) the set of equations \(X\) that are not of the previous types, and we set \(\lambda '_\alpha =\max _{X\in S} \lambda '_\alpha (X)\).
Hence, thanks to (2), one has:
We denote \(\epsilon _\alpha =\frac{2^n \lambda '_\alpha }{\lambda _\alpha }-1\), so:
3.4 Relation Between the Advantage and \(\epsilon _\alpha \)
Lemma 5
For every \(m\ge 1\), the advantage satisfies:
Proof
We know that
and the result of the previous section yields:
Since \(U_1=\lambda _1=2^{(2k-1)n}\):
And Lemma 4 ends the proof. \(\square \)
3.5 First Approximation of \(\epsilon _\alpha \)
Before evaluating \(\epsilon _\alpha \), we need a technical lemma:
Lemma 6
For every \(\alpha \in \{2,\ldots ,m\}\), one has:
Proof
We consider \(g^1,\ldots ,g^{2k}\in J_n^{\alpha }\) satisfying the \(\lambda _{\alpha -1}\) conditions. To satisfy the \(\lambda _{\alpha }\) conditions, there are \((2^n-(\alpha -1))\) possibilities for each of \(g^1_{\alpha },\ldots ,g^{2k-2}_{\alpha }\), and there are \(2(\alpha -1)\) non-equalities left: \(g^{2k-1}_{\alpha }\ne g^{2k-1}_i\) and \(g^{2k}_{\alpha }\ne g^{2k}_i\) for all \(i\le \alpha -1\). Since \(g^{2k}_{\alpha }=g^1_{\alpha }\oplus \cdots \oplus g^{2k-1}_{\alpha }\), these \(2(\alpha -1)\) non-equalities can be seen as constraints on \(g^{2k-1}_{\alpha }\). So there are between \(2^n-2(\alpha -1)\) and \(2^n-(\alpha -1)\) possible choices for \(g^{2k-1}_{\alpha }\) and \(1\) choice for \(g^{2k}_{\alpha }\). Then:
which is equivalent to:
Since the left-hand term is greater than \(1-\frac{2k\alpha }{2^n}\) and the right-hand term is less than \(1\), this ends the proof. \(\square \)
Lemma 7
Every value \(\lambda '_{\alpha }(X)\) with \(X\in S\) satisfies:
Proof
We now express \(\lambda '_{\alpha }\) in terms of \(\lambda _{\alpha -1}\). Without loss of generality, we suppose that \(X\) involves \(g^1_{\alpha }\); otherwise we can simply reorder the variables. Let \(i\) be any index such that \(g^i_{\alpha }\) is not involved in \(X\) (this is possible since \(X\in S\)). Let \(g^1,\ldots ,g^{2k}\in J_n^{\alpha }\) be such that the \(\lambda _{\alpha -1}\) conditions are satisfied. We now count \(\lambda '_\alpha (X)\). There are at most \(2^n-(\alpha -1)\) possible choices for each \(g^j_\alpha \), \(j\ne 1,i\). Once these choices are made, two variables are left: \(g^1_\alpha \) and \(g^i_\alpha \). Since \(g^i_\alpha \) is not involved in \(X\), there is at most one possible choice for \(g^1_\alpha \), and then at most one possible choice for \(g^i_\alpha \) using the equation \(g^1_\alpha \oplus \cdots \oplus g^{2k}_\alpha =0\). Then:
Applying Lemma 6, one finds that:
Since \(2^n-\alpha -1\le 2^n\) and \(\frac{1}{1-\frac{2k\alpha }{2^n}}= 1+\frac{2k\alpha }{\left( 1-\frac{2k\alpha }{2^n}\right) 2^n}\), this ends the proof. \(\square \)
Remark: these two technical lemmas formalize the intuition that, when one equation is added to the system, one degree of freedom is lost, which divides the number of possible solutions by roughly \(2^n\).
Finally
First notice that if \(q \le \frac{2^n}{2k}\), then \(-2k \alpha ^2+\alpha (2^n)\ge 0\). Then, from Lemma 5,
If \(q \le \frac{2^n}{2k}\), all the terms of the product are greater than 1 and
Thus we have proven that:
Theorem 2
(Upper Bound of the Advantage Using \(H_\sigma \)). The maximal advantage an adversary can get using \(q\) queries, with \(q \le \frac{2^n}{2k}\), satisfies:
Notice that
Since \(k \ge 3\) and \(q \le 2^n\), the first term is negligible compared to 1. Moreover, when \(q^{2k+2} \ll 2^{(2k+1)n}\), \( {\mathbf{Adv }}_{f_1\oplus \ldots \oplus f_k}^{\mathrm {cpa}}\ll 1\). Hence we have proven that the XOR of \(k\) permutations is secure as long as \(q\ll 2^{\frac{2k+1}{2k+2}n}\) with this first technique.
4 Security Bound from the Standard \(H\) Technique
We now use the “standard \(H\) technique”, i.e. proofs based on the general result (Corollary 8) below. In this section, \(\mathbb {E}[h_q]\) is written \(\tilde{h}_q\) to lighten the notation.
Corollary 8
Let \(\alpha >0\). If, for every sequence \(b=(b_i)_{1 \le i \le q} \in I_n^q\)
then
Proof
This result comes immediately from Theorem 1 with \(\beta =0\) and Lemmas 1 and 3. \(\square \)
4.1 First Approximation
Let us study \(\frac{h_{\alpha }}{\tilde{h}_\alpha }\).
One has:
We now evaluate \(h_{\alpha +1}\) from \(h_\alpha \). From the definition of \(h_\alpha \) (see Sect. 3.1), we see that \(h_{\alpha +1}\) is the number of sequences \((P_i^j)_{1\le i \le m, 1 \le j \le k}\) such that:
- the \(h_\alpha \) conditions hold;
- \(P^1_{\alpha +1} \oplus \ldots \oplus P^k_{\alpha +1} = b_{\alpha +1}\); this equation will be called \(X\);
- \(P^j_{\alpha +1}\ne P^j_{i}\) for every \(1\le i \le \alpha \), \(1 \le j \le k\).
Let \(\beta _i\), \(1 \le i \le k\alpha \), be the \(k\alpha \) equations which must be false. For \(1\le i \le k\alpha \), let \(B_i\) be the set of the \(\left( P^j_i\right) _{1\le i \le \alpha +1, 1\le j \le k}\) for which the \(h_\alpha \) conditions and the equation \(\beta _i\) hold.
From the inclusion-exclusion principle, we get:
When \(k+1\) sets are intersected, at least two equations use the same variable \(P^j_{\alpha +1}\), which contradicts the \(h_\alpha \) conditions. Thus,
We study the number of possible messages as a function of the number of sets in the intersection.
- \(l\) equations, \(1\le l \le k-1\): if we want \(|B_{i_1}\cap \ldots \cap B_{i_l}| \ne 0\), every new \(\beta _i\) equation should bring a new variable \(P^j_{\alpha +1}\). In this case, \(X\) and the \(\beta _i\) fix \(l+1\) variables and the remaining ones are free, so \(|B_{i_1}\cap \ldots \cap B_{i_l}|=2^{(k-l-1)n}h_{\alpha }\) and
- \(k\) equations: as above, in order to have \(|B_{i_1}\cap \ldots \cap B_{i_k}| \ne 0\), there must be an equation in every new variable:
So the condition \(P^1_{\alpha +1} \oplus \ldots \oplus P^k_{\alpha +1} = b_{\alpha +1}\) becomes:
Let \(h'_{\alpha }(b_1,\ldots ,b_{\alpha +1})(i_1,\ldots ,i_k)\), or simply \(h'_{\alpha }(i_1,\ldots ,i_k)\), be the number of \((P^j_i)_{1 \le i \le \alpha , 1 \le j \le k} \in I_n^{k\alpha }\) such that:
- the conditions \(h_{\alpha }\) hold,
- \(P^1_{i_1} \oplus \ldots \oplus P^k_{i_k} = b_{\alpha +1}.\)
Let \(Y(i_1,\ldots ,i_k)\) be this equality. Thus
From (4), we have:
Remark: if \(k\) is even, one has:
So
As \(h_1=\tilde{h}_1=2^{(k-1)n}\),
Then, using Corollary 8,
The upper bound we get in this case is of the same order of magnitude as the one from [9]. If we study \(h'_{\alpha }\) more closely, we get a better inequality.
4.2 Second Approximation
In this section, we suppose that \(k\ge 3\).
Let \(M=\{i,\, 1 \le i \le \alpha , \, b_i = b_{\alpha +1}\}\). If \(i\in M\), we have \(h'_{\alpha }(i,\ldots ,i)=h_\alpha \) and if \(i\not \in M\), \(h'_{\alpha }(i,\ldots ,i)=0\). Furthermore, in order to be compatible with \(h_\alpha \), if \(i\in M\), for each \(1 \le j \le \alpha \), \(i \ne j\), \(h'_\alpha (j,i,\ldots ,i)=h'_\alpha (i,j,\ldots ,i)=\ldots = h'_\alpha (i,\ldots ,i,j)=0\). Let \(I\) be the set of the tuples that do not satisfy these requirements. Then \(|I|=\alpha ^{k}-\alpha - k|M|(\alpha -1)\). By applying (5), one gets:
We now need a technical lemma:
Lemma 9
If \(i=(i_1,\ldots ,i_k)\in I\),
Proof
Without loss of generality, we can suppose that \(i_1=\alpha \) and \(i_2=\alpha -1\) (since we can reorder the queries). Let us evaluate \(h'_\alpha \) and \(h_\alpha \) from \(h_{\alpha -2}\). To get \(h_{\alpha }\) from \(h_{\alpha -2}\), we have \(2k\) new variables \(P^j_{\alpha -1}\) and \(P^j_{\alpha }\), \(1\le j \le k\), such that:
- \(P^1_{\alpha } \oplus \ldots \oplus P^k_{\alpha } = b_{\alpha }\),
- \(P^1_{\alpha -1} \oplus \ldots \oplus P^k_{\alpha -1} = b_{\alpha -1}\),
- \(\forall j,\, 1\le j \le k,\, \forall i,\, 1 \le i \le \alpha -2,\, P^j_{\alpha -1}\ne P^j_i,\)
- \(\forall j,\, 1\le j \le k,\, \forall i,\, 1 \le i \le \alpha -1,\, P^j_{\alpha }\ne P^j_i.\)
We decide that the first equation fixes \(P^1_{\alpha -1}\) and the second one \(P^1_{\alpha }\). For \(j\ge 3\), there are respectively \(2^n-(\alpha -2)\) and \(2^n-(\alpha -1)\) possibilities for \(P^j_{\alpha -1}\) and \(P^j_{\alpha }\). Once these messages have been chosen, only \(P^2_{\alpha -1}\) and \(P^2_{\alpha }\) remain, and they must satisfy:
- \(P^2_{\alpha -1} \ne P^2_i,\, 1\le i \le \alpha -2\),
- \(P^2_{\alpha -1} \ne P^1_{i}\oplus b_{\alpha -1}\oplus P^3_{\alpha -1} \oplus \ldots \oplus P^k_{\alpha -1},\, 1\le i \le \alpha -2\),
- \(P^2_{\alpha } \ne P^2_i,\, 1\le i \le \alpha -1\),
- \(P^2_{\alpha } \ne P^1_{i}\oplus b_{\alpha }\oplus P^3_{\alpha } \oplus \ldots \oplus P^k_{\alpha },\, 1\le i \le \alpha -1\).
There are between \(2^n-2(\alpha -2)\) and \(2^n-(\alpha -2)\) choices for \(P^2_{\alpha -1}\), and between \(2^n-2(\alpha -1)\) and \(2^n-(\alpha -1)\) for \(P^2_{\alpha }\). Thus
In order to go from \(h_{\alpha -2}\) to \(h'_{\alpha }\), we also have \(2k\) new variables \(P^j_{\alpha -1}\) and \(P^j_{\alpha }\), \(1\le j \le k\), such that:
- \(P^1_{\alpha -1} \oplus \ldots \oplus P^k_{\alpha -1} = b_{\alpha -1}\),
- \(P^1_\alpha =b_{\alpha +1} \oplus P^2_{\alpha -1}\oplus P^3_{i_3} \oplus \ldots \oplus P^k_{i_k},\)
- \(P^1_{\alpha } \oplus \ldots \oplus P^k_{\alpha } = b_{\alpha }\),
- \(\forall j,\, 1\le j \le k,\, \forall i,\, 1 \le i \le \alpha -2,\, P^j_{\alpha -1}\ne P^j_i,\)
- \(\forall j,\, 1\le j \le k,\, \forall i,\, 1 \le i \le \alpha -1,\, P^j_{\alpha }\ne P^j_i.\)
For \(j \ge 4\), there are respectively \(2^n-(\alpha -2)\) and \(2^n-(\alpha -1)\) possibilities for \(P^j_{\alpha -1}\) and \(P^j_{\alpha }\). From these three equalities, we can fix the following variables:
1. \(P^1_{\alpha -1}=b_{\alpha -1} \oplus P^2_{\alpha -1}\oplus \ldots \oplus P^k_{\alpha -1}\),
2. \(P^1_\alpha =b_{\alpha +1} \oplus P^2_{\alpha -1} \oplus P^3_{i_3} \oplus \ldots \oplus P^k_{i_k},\)
3. \(P^2_{\alpha }=(b_{\alpha +1}\oplus b_\alpha )\oplus P^2_{\alpha -1} \oplus (P^3_{i_3}\oplus P^3_\alpha )\oplus \ldots \oplus (P^k_{i_k}\oplus P^k_\alpha )\).
Then
- the condition \(\forall i, 1\le i \le \alpha -2, P^1_{\alpha -1} \ne P^1_i\) becomes:
$$ \forall i, 1\le i \le \alpha -2, P^2_{\alpha -1}\ne P^1_i \oplus b_{\alpha -1} \oplus P^3_{\alpha -1}\oplus \ldots \oplus P^k_{\alpha -1}, $$
- the condition \(\forall i, 1\le i \le \alpha -1, P^1_{\alpha }\ne P^1_i\) becomes:
$$ \forall i, 1\le i \le \alpha -1, P^2_{\alpha -1}\ne b_{\alpha +1} \oplus P^1_i \oplus P^3_{i_3} \oplus \ldots \oplus P^k_{i_k}, $$
- the condition \(\forall i, 1\le i \le \alpha -2, P^2_{\alpha }\ne P^2_i\) becomes:
$$ \forall i, 1\le i \le \alpha -2,\, P^2_{\alpha -1} \ne (b_{\alpha +1} \oplus b_\alpha )\oplus P^2_{i}\oplus (P^3_{i_3}\oplus P^3_\alpha )\oplus \ldots \oplus (P^k_{i_k}\oplus P^k_\alpha ). $$
For \(P^2_\alpha \ne P^2_{\alpha -1}\), there are two cases. If \(i_3=\ldots =i_k=\alpha \), then since \((i_1,\ldots ,i_k)\in I\) we have \(b_{\alpha +1}\ne b_\alpha \), and this non-equality automatically holds. Otherwise, there is an index \(3 \le j \le k\) such that \(i_j \ne \alpha \), say \(j=3\). Then \(P^2_\alpha \ne P^2_{\alpha -1}\) becomes:
Thus, once the other messages have been chosen, there are between \(2^n-\alpha \) and \(2^n-(\alpha -1)\) possibilities for \(P^3_\alpha \), \(2^n-(\alpha -2)\) possibilities for \(P^3_{\alpha -1}\), and finally between \(2^n-(4\alpha -7)\) and \(2^n-(\alpha -2)\) possibilities for \(P^2_{\alpha -1}\). Then
From (7) and (9) we deduce the following inequalities, which give the result we want:
\(\square \)
Remark: if we suppose \(\alpha < \frac{2^n}{12}\), we get
One has:
where
Lemma 10
If \(q < \frac{2^n}{12}\),
Proof
We have to study \(A_\alpha \) according to the parity of \(k\).
- \(k\) even:
- \(k\) odd:
So, in both cases,
\(\square \)
From this lemma and (12),
Since \(h_1=\tilde{h}_1\), we get:
Thus, with Corollary 8, we have proven that, when \(q < \frac{2^n}{12}\):
Hence we get the following result:
Theorem 3
(Upper Bound for the Advantage with the Standard \(H\) Technique). Let \(k\ge 3\) and \(q < \frac{2^n}{12}\). The advantage to distinguish, with \(q\) queries, the XOR of \(k\) bijections from a function \(f \in _R F_n\) satisfies:
Since \(k\ge 3\), the first term is negligible when \(q \ll 2^n\). This theorem shows that the XOR of \(k\) bijections is indistinguishable when \(q \ll 2^{\frac{k+1}{k+2}n}\). This upper bound on \(q\) is worse than the previous one, but when \(q \ll 2^{\frac{k+2}{k+4}n}\) (i.e. for small values of \(q\)) this new upper bound on the advantage is actually better.
5 Conclusion
This table gathers our results and the previous one from S. Lucks in [9], with orders of magnitude for these bounds beyond the birthday bound (Tables 1, 2 and 3):
The upper bound we got with the coefficients \(H\) technique is smaller than the one from [9] by a factor \(\frac{q}{2^n}\). The one we proved with the coefficients \(H_\sigma \) technique gives \( {\mathbf{Adv }}_{f_1\oplus \ldots \oplus f_k}^{\mathrm {cpa}}\ll 1\) when \(q \ll 2^{\frac{2k+1}{2k+2}n}\), instead of \(q \ll 2^{\frac{k}{k+1}n}\) for [9]. For example, with \(k=3\) we have proven that \( {\mathbf{Adv }}_{f_1\oplus \ldots \oplus f_k}^{\mathrm {cpa}}\ll 1\) when \(q \ll 2^{\frac{7}{8}n}\) instead of \(q \ll 2^{\frac{3}{4}n}\). However, when \(q\) is fixed and \(k\) increases, the upper bound from the \(H\) technique becomes better than the one from \(H_\sigma \). This graph shows the evolution of the order of magnitude of these three upper bounds as a function of the logarithm of \(q\), with \(k=5\) and \(n=40\):
Here is a more accurate view of the region where the curves from \(H\) and \(H_\sigma \) intersect:
This illustrates that, depending on the value of \(q\), our best bound can be the one from Sect. 3 or the one from Sect. 4. Moreover, the curve from [9] does not appear in this second graph because its values were much higher than ours (around \(6\cdot 10^{-4}\) whereas the bounds from this article are around \(4\cdot 10^{-7}\) in this graph). This shows why the two techniques studied in this paper are both useful.
References
Aiello, W., Venkatesan, R.: Foiling birthday attacks in length-doubling transformations. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 307–320. Springer, Heidelberg (1996)
Bellare, M., Impagliazzo, R.: A Tool for Obtaining Tighter Security Analyses of Pseudorandom Function Based Constructions, with Applications to PRP to PRF Conversion. ePrint Archive 1999/024: Listing for 1999 (1999)
Bellare, M., Krovetz, T., Rogaway, P.: Luby-Rackoff backwards: increasing security by making block ciphers non-invertible. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 266–280. Springer, Heidelberg (1998)
Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. ACM 33(4), 792–807 (1986)
Hall, C., Wagner, D., Kelsey, J., Schneier, B.: Building PRFs from PRPs. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, p. 370. Springer, Heidelberg (1998)
Levin, L.: One way functions and pseudorandom generators. Combinatorica 7(4), 357–363 (1987)
Luby, M., Rackoff, C.: How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Comput. 17(2), 373–386 (1988)
Lucks, S.: Faster Luby-Rackoff ciphers. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 189–203. Springer, Heidelberg (1996)
Lucks, S.: The sum of PRPs is a secure PRF. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 470–484. Springer, Heidelberg (2000)
Mandal, A., Patarin, J., Nachef, V.: Indifferentiability beyond the birthday bound for the XOR of two public random permutations. In: Gong, G., Gupta, K.C. (eds.) INDOCRYPT 2010. LNCS, vol. 6498, pp. 69–81. Springer, Heidelberg (2010)
Naor, M., Reingold, O.: On the construction of pseudo-random permutations: Luby-Rackoff revisited. J. Cryptol. 12(1), 29–66 (1999)
Patarin, J.: A proof of security in \(O(2^n)\) for the XOR of two random permutation. In: Safavi-Naini, R. (ed.) ICITS 2008. LNCS, vol. 5155, pp. 232–248. Springer, Heidelberg (2008)
Patarin, J.: Generic Attacks for the XOR of \(k\) Random Permutations. Available on eprint (2008)
Patarin, J.: The “coefficients H” technique. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 328–345. Springer, Heidelberg (2009)
Patarin, J.: Security in \(O(2^n)\) for the XOR of Two Random Permutations - Proof with the standard \(H\) technique - Available on eprint (2013)
© 2015 International Association for Cryptologic Research
Cogliati, B., Lampe, R., Patarin, J. (2015). The Indistinguishability of the XOR of \(k\) Permutations. In: Cid, C., Rechberger, C. (eds) Fast Software Encryption. FSE 2014. Lecture Notes in Computer Science(), vol 8540. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-46706-0_15
DOI: https://doi.org/10.1007/978-3-662-46706-0_15
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-46705-3
Online ISBN: 978-3-662-46706-0