
An extended abstract appears in Advances in Cryptology - Eurocrypt 98 Proceedings, Lecture Notes in Computer Science Vol. 1403, K. Nyberg ed., Springer-Verlag. This is the full version.

Luby-Rackoff Backwards: Increasing Security by Making Block Ciphers Non-Invertible

Mihir Bellare*   Ted Krovetz†   Phillip Rogaway†

October 17, 1998

Abstract

We argue that the invertibility of a block cipher can reduce the security of schemes that use it, and a better starting point for scheme design is the non-invertible analog of a block cipher, that is, a pseudorandom function (PRF). Since a block cipher may be viewed as a pseudorandom permutation, we are led to investigate the reverse of the problem studied by Luby and Rackoff, and ask: "how can one transform a PRP into a PRF in as security-preserving a way as possible?" The solution we propose is data-dependent re-keying. As an illustrative special case, let : $\{0,1\}^n$ $\{0,1\}^n \to \{0,1\}^n$ be the block cipher. Then we can construct the PRF from the PRP by setting (k, x) = ((k, x), x). We generalize this to allow for arbitrary block and key lengths, and to improve efficiency. We prove strong quantitative bounds on the value of data-dependent re-keying in the Shannon model of an ideal cipher, and take some initial steps towards an analysis in the standard model.

Keywords: Birthday attacks, block ciphers, pseudorandom functions, symmetric encryption.

* Dept. of Computer Science & Engineering, Mail Code 0114, University of California at San Diego, 9500 Gilman Drive, La Jolla, CA 92093, USA. E-mail: mihir@cs.ucsd.edu. Web page: http://www-cse.ucsd.edu/users/mihir. Supported in part by NSF CAREER Award CCR and a 1996 Packard Foundation Fellowship in Science and Engineering.

† Dept. of Computer Science, Engineering II Bldg., University of California at Davis, Davis, CA 95616, USA. E-mail: {krovetz,rogaway}@cs.ucdavis.edu. Web page: http:// Supported in part by NSF CAREER Award CCR and a MICRO grant from RSA Data Security, Inc.

Contents

1 Introduction
2 The Problem
    Invertibility can hurt when using block ciphers: An example
    PRPs, PRFs, and their relation to block ciphers
    Luby-Rackoff backwards
    History and related work
The n Construction
4 Definitions
    Complexity theoretic model
    Ideal block cipher model
Security of the n Construction
    Security in the complexity theoretic model
    Security in the ideal block cipher model
    Attacks / Lower bounds
Proof of Theorem
Proof of Theorem
    Lemmas
    Proof of Theorem 5.2, Part
    Proof of Theorem 5.2, Part
Analysis of attacks
    Proof of Proposition
    Proof of Proposition
References

1 Introduction

This paper describes a transformation turning a "pseudorandom permutation" (PRP) into a "pseudorandom function" (PRF) using "data-dependent re-keying." It can be applied to a block cipher to increase the block cipher's security in certain ways, and, in particular, the method leads to block cipher based message encryption and authentication techniques which are approximately as efficient as ones in current use, but have better security.

In Section 2 we explain our (at first paradoxical sounding) thesis: that invertibility of a block cipher can be a liability, not an asset, when it comes to the security of schemes that use the cipher. We will then explain what are PRFs and PRPs, how the former are a better starting point for constructions but the latter a better model for block ciphers, and how all this leads us to consider the problem of transforming PRPs into PRFs in a security-preserving way.

In Section 3 we describe our way to do the PRP to PRF transformation. We call our transform n d, where d is a parameter on which the construction depends. (The impatient reader can jump to Section 3 to see how n d works. It is very simple.) Our main result is an analysis¹ in the Shannon model which shows that if the block cipher is ideal then its transform under n d is close to an ideal random function. The provided bounds are strong, showing the transform is close to security preserving.

The interpretation of the above is that the n d transform gives good security against "generic" attacks. To gauge its strength against cryptanalytic attacks we also analyze it in the standard complexity theoretic or "reductionist" framework. We do succeed in providing a reduction, but the quality of the bounds is not as good as in the Shannon model, and thus we view these results as preliminary, hopefully to be improved.

The results are presented, discussed, and displayed graphically in Section 5. Just before that, in Section 4, we provide the precise definitions of the security notions, but these can be skipped at first reading, or skipped entirely by an expert. The rest of the paper is devoted to proofs.

2 The Problem

We begin with a simple example, then relate these issues to PRFs and PRPs, then describe the problem that results, and conclude with a discussion of related work.

2.1 Invertibility can hurt when using block ciphers: An example

A block cipher is a function : $\{0,1\}$ $\{0,1\}^n \to \{0,1\}^n$ which transforms an n-bit message block x into an n-bit string y under the control of a -bit key k: y = (k, x). The function is invertible in the sense that for each key the map k def= (k, ) is a permutation of $\{0,1\}^n$, and knowledge of k permits computation of ^{-1} k. Concrete examples are DES, triple-DES and RC5.

Message encryption is done by using the block cipher in some mode of operation, such as "CBC." Using even a very "good" block cipher (say triple-DES, or even an ideal cipher), CBC encryption becomes insecure once $2^{n/2}$ blocks have been encrypted, in the sense that at this point partial information about the message begins to leak², due to birthday attacks.³ Furthermore, this is true for many other common modes of operation, too. Thus direct use of a 64-bit block size block cipher usually enables one to safely encrypt no more than $2^{32}$ blocks, which is quite small.

We stress that these attacks arise because the cipher is a permutation, and their cost depends only on the block length, not the key length or the security of the block cipher. So the attacks are just as effective for triple-DES, or even an ideal block cipher, as they are for DES. In summary, block cipher based schemes are often subject to birthday attacks arising from the very nature of block ciphers as permutations.

So how can we safely encrypt more than $2^{n/2}$ blocks? One answer is to use a slightly different type of primitive in an appropriate mode of operation: specifically, a "pseudorandom function" (PRF) in CTR (counter) mode, as discussed in [4, 11] and explained further below. This way to encrypt is easy and has no extra overhead if a PRF of cost comparable to the block cipher is available.

The above is only one example of an issue that arises in many places: that the permutivity of a block cipher can hinder the security of schemes which use it. To effectively address this we need to explain what are PRFs and PRPs and how they relate to block ciphers.

2.2 PRPs, PRFs, and their relation to block ciphers

Let us first back up and look at how the security of a block cipher is best captured.

Security of a block cipher: PRPs. It is natural to view a real block cipher as constructed to "approximate", as closely as possible, an ideal block cipher (that is, a random permutation) in the sense that if you don't know the key k and only see input/output examples of k then these should appear like input/output examples of a random permutation. The quality of a given block cipher as a PRP (pseudorandom permutation) is thus captured by a function $\mathrm{Sec}^{\mathrm{prp}}(q, t)$ which returns the maximum "advantage" that one can obtain in distinguishing k from a random permutation if you see q input/output examples and are allowed further computational resources bounded by t. (In the complexity-theoretic model, t will bound computing time; in the information-theoretic model, t will bound the number of known (k, x, k (x)) values. The advantage is a number between 0 and 1 given as the difference of two probabilities: the probability that the adversary outputs 1 given a random function k from, and the probability that the adversary outputs 1 given a random permutation. See Section 4 for more details.)

Each specific cipher (eg. DES) will have such an associated security function, which depends on (and to a large extent comprises) its cryptanalytic strength. Of course we won't know for sure what is this function, but we can work with what we know from cryptanalytic results. For example, if the linear cryptanalysis of [13] is the best attack on DES, we might assume $\mathrm{Sec}^{\mathrm{prp}}_{\mathrm{DES}}(q, t)$ stays small (close to 0) until q, t reaches around

From now on, "block cipher" and "PRP" are synonymous, from the security point of view.

Ciphers without invertibility: PRFs. Like a block cipher, a pseudorandom function (PRF) is a map : $\{0,1\}$ $\{0,1\}^n \to \{0,1\}^n$, but now k def= (k, ) is not required to be invertible. The required security property is to approximate, as closely as possible, a random function. The quality of a given function is captured by $\mathrm{Sec}^{\mathrm{prf}}(q, t)$ which returns the maximum "advantage" that one can obtain in distinguishing k from a random function if you see q input-output examples and are allowed computational resources t. (This advantage is the difference between probability that the adversary outputs 1 given a random function k from and the probability that the adversary outputs 1 given a random function. See Section 4 for more details.)

¹ All analyses in this paper are concrete and quantitative, meaning providing explicit, non-asymptotic bounds on the success probability of an adversary as a function of its resources.

² A good encryption scheme is much more than one that prevents key recovery from a ciphertext: it should have the property that even partial information about the plaintext is not revealed [9, 4].

³ The attacks are well known. See [4] for an analysis of their effectiveness relative to formal notions of security for encryption.

The example revisited. Counter mode encryption with a PRF means that to encrypt an m-block plaintext M = $x_1 \cdots x_m$, send

( ctr; k (ctr + 1i)x 1 k k k (ctr + mi)x m )

where ii is the binary encoding of i into n bits, " k " denotes concatenation, and where you increment ctr by m after doing each encryption. (Notice that to decrypt you need only apply k, so that you don't need this function to be invertible.) Counter-mode encryption with a good PRF is pretty much "ideal encryption": it is shown in [4] that an adversary's chance of obtaining partial information about some plaintext, after q blocks have been encrypted, is at most $\mathrm{Sec}^{\mathrm{prf}}(q, t)$, the strength of as a PRF. In particular if we had a PRF with the same numerical security as DES but as a PRF not a PRP, namely $\mathrm{Sec}^{\mathrm{prf}}(q, t)$ $\mathrm{Sec}^{\mathrm{prp}}_{\mathrm{DES}}(q, t)$, then we could encrypt nearly $2^{43}$ blocks, well above the birthday bound.

In contrast, when we use a block cipher (PRP) directly in CBC (or CTR) mode, we are not able to recoup all of the cryptographic strength captured by its $\mathrm{Sec}^{\mathrm{prp}}$ value, because at $q = 2^{n/2}$ (which is $q = 2^{32}$ for DES) birthday attacks kill the encryption scheme.

The conclusion can be put like this: to get quantitatively good security, what is most useful and convenient about is that $\mathrm{Sec}^{\mathrm{prf}}(q, t)$ be small, not $\mathrm{Sec}^{\mathrm{prp}}(q, t)$. To make the former as low as possible the family must not be a family of permutations, since no family of permutation will have a good value of $\mathrm{Sec}^{\mathrm{prf}}(q, t)$ if q $2^{n/2}$. This is because of birthday attacks: if is a family of permutations then the adversary A(q) who guesses "random function" if and only if she sees a collision in the answers returned from q distinct but otherwise arbitrary queries already accrues advantage of about 1/e if $q = 2^{n/2}$. The adversary's advantage then goes quickly to 1 with q 2 n=

Luby-Rackoff backwards

The above is part of an emerging view or understanding, emanating from works like [4, 5, 6, 20], that when it comes to designing higher-level primitives (like encryption schemes or MACs) a PRF is a better tool than a PRP, from two points of view: it permits easier and more effective analysis of the designed scheme, and the resulting schemes have a greater proven quantitative security. This leads us to suggest that for the purpose of protocol design, what we really want are PRFs, not block ciphers (PRPs).

So the question is how to get PRF families of high security and low cost. One possibility is to make these directly, in the same way we make block ciphers now. We suggest that this indeed be kept in mind for the future, but at the moment is not a very pragmatic view, for two reasons. First, we have lots of (good) block ciphers available, and we want to use them well. Second, permutivity may be important to the design process of block ciphers; for example, using the round structure of a Feistel-network gives rise to a permutation.⁴

We propose instead to transform PRPs into PRFs. That is, starting with a good PRP (realized by a block cipher), convert it into a good PRF. This is effectively the reverse of the problem considered by Luby and Rackoff [12], who wanted to turn PRFs into PRPs.

A crucial issue is to make transformations that are as "security preserving" as possible. We want $\mathrm{Sec}^{\mathrm{prf}}(q, t)$ to remain low even for q $2^{n/2}$. Ideally, $\mathrm{Sec}^{\mathrm{prf}}(q, t)$ would be close to $\mathrm{Sec}^{\mathrm{prp}}(q, t)$.

Let us now discuss some related work. Following that we present our construction.

⁴ Another possibility is to make sure that the block size n is large enough (n 128) that attacks of complexity $2^{n/2}$ are irrelevant. This too is a good idea, but the construction we give has merit which goes beyond the birthday attacks which we have been using to motivate this problem.

2.4 History and related work

Our construction is related to the cascade construction of [3].

The notion of a PRF was first defined in the polynomial-time framework by Goldreich, Goldwasser and Micali [8]. A concrete security treatment of PRFs, together with the idea that concretely defined PRFs/PRPs can be used to model block ciphers, originates with [6]. Luby and Rackoff use the term PRP to refer to a family of permutations that is a PRF family in the sense of [8]. Our notion is different in that we measure the advantage relative to random permutations, not functions. This makes no difference in the polynomial-time framework, but in the concrete-security framework the difference is crucial; indeed, if concrete security is ignored, the problem we are considering does not exist. The ideal block cipher model we use for some of our results is that of [19], used also in [7, 10].

There are many natural ways to try to do the PRP-to-PRF conversion. One of the first to come to mind is to define k (x) = x k (x). This construction is of value in some contexts, but not in ours. For if you are given an oracle for this k () you effectively have an oracle for k (): for any query x you can compute k (x) as x k (x). So k will resemble a random function no more than k does.

There are many natural alternatives to the n d transformation. For example, truncate k (x), defining k (x) to be some appropriate-length prefix of k (x). This scheme was partially analyzed by [2]. Another natural method is k1 k 2 (x) = k1 (x) k2 (x). This has not been analyzed.

Aiello and Venkatesan [1] give a general construction for turning a PRF : $\{0,1\}$ $\{0,1\}^n \to \{0,1\}^n$ into a PRF : $\{0,1\}$ 6 $\{0,1\}^{2n} \to \{0,1\}^{2n}$. But this is a different problem. Although they too want to circumvent some birthday attacks, their starting point is a random function (not a permutation) and the problem is to double the number of bits the function can take as input. They are bound by the original security of the starting function as a PRF: birthday attacks are only prevented in the sense that the construction does not induce such attacks itself. So if a block cipher is the starting point, it is viewed as a PRF, meaning the security is only $2^{n/2}$. There is no notion of modeling a cipher as a random permutation. In contrast, we go above the original birthday threshold, to a security close to $2^n$. Our construction is also more efficient, and it yields a map of the same key size and block length as the original one.

In constructing a Wegman-Carter message authentication code (MAC) [21] one needs to symmetrically encrypt the universal-hash of each message M. If a PRP is in hand for doing the encryption, one could define MAC k1,k2 (M) = (ctr, k2 (ctr) k1 (M)), but the security would degrade by ($q^2 2^{-n}$) compared to using a PRF. (Here q is the number of MACed messages.) Shoup [20] describes an alternative with better exact security. Our methods allow the simpler and more general (ctr, k2 (ctr) k1 (M)), where is the result of PRP-to-PRF conversion starting from.

As we explained, Luby and Rackoff consider the complementary problem of turning a PRF into a block cipher [12]. Luby and Rackoff spawned much further work, including [14, 15, 16, 17, 22], and our work shares their emphasis on concrete bounds, efficiency, and tight reductions.

3 The n Construction

We have described in Section 2.4 some simple suggestions that don't work and some related constructions. Now we present our solution. We let : $\{0,1\}$ $\{0,1\}^n \to \{0,1\}^n$ be the given block cipher (PRP). The values n and vary across real block ciphers; for example, for DES we have = 56 and n = 64; for (two-key) triple DES we have = 112 and n = 64. We want to handle all these cases.

Accordingly, our construction depends on the relative values of and n. It also depends on a parameter d, where 0 d < n.

Simple Case. The simplest case of our construction is when the given PRP has the property that = n, and we choose d = 0. One then defines = n 0 by (k, x) = ((k, x), x). That is, k (x) = k'(x), where k' = k (x). We call this "data-dependent re-keying" since we are applying to x, but using the data-dependent "derived key" k' = k (x). The cost of computing is twice the cost of computing, in the sense that there are two applications of for each application of. The general construction includes a provision aimed at reducing this overhead.

The General Case. Let 0 d < n be given. If x' is an n-bit string, let x' d denote x' shifted to the right by d positions, with 0-bits filling the vacated positions. If k' is a string of length ℓ, let [k'] 1..i be the string consisting of the first i bits of k' (for 1 i ℓ). Set j = ⌈ /n⌉. The function = n d takes a j-bit key k 1 k j and an n-bit input x to return an n-bit output y as follows:

    function (k 1 k j ; x)
    begin
        x' x d                          // Shift away low d bits
        k' (k 1 ; x') k k (k j ; x')    // Construct the "extended" derived key
        k [k'] 1..                      // We only need bits of derived key
        y (k; x)                        // Use derived key on the input
        return y
    end

We call x' the group selector and k the derived key. The j applications of k i are to deal with the possibility that > n, and the truncating of k' to bits is to handle the possibility that the key length might not be a multiple of the block length n. (More strange is the discarding of bits from the x, namely the x d. This is for efficiency, as we will explain below.)

As an example, if = DES, so that = 56 and n = 64, we would have j = 1, so the key of is just a 56-bit DES key k 1, the derived key k' is the first 56 bits of DES k1 (x'), and the output is DES k'(x). If is TDES (two-key triple-DES), so that = 112 and n = 64, we would have j = 2, so the key for is a pair k 1 k 2 of TDES keys, the derived key k' is the first 112 bits of TDES k1 (x') TDES k2 (x'), and the output is TDES k'(x).

Notice that for fixed k 1 k j, if two n-bit strings determine the same group selector then they generate the same derived key, and this happens if the two strings agree in the first n − d bits. Accordingly, we cluster together all points that have the same group selector into what we call a common key group. Thus there are a total of $2^{n-d}$ common key groups. For any ∈ $\{0,1\}^{n-d}$ we define ckg = { x : [x] 1..n−d = } as the -th common key group. Identifying strings with integers in the natural way, the i-th common key group consists of the integers $(i-1)2^d, \ldots, i2^d - 1$.

Efficiency. Recall that the nominal way to encrypt using = n d involves applying to a single key k and successive ctr-values. By dropping the least significant d bits of this counter, one needs to recompute k' only once every $2^d$ invocations of. Of course an implementation would need to record the last derived key and refrain from re-computing it. Doing this makes the amortized cost to compute just $(1 + j2^{-d})$ times the cost of computing. For many ciphers this is an underestimate because of additional cost associated to changing the key. In fact, the cost of changing the key for some block ciphers is high, which is why we don't want to do it very often.

Variations. How exactly one drops bits of x is not so important. For example, instead of shifting to the right one could zero-out the least significant d bits. This makes no difference in the analysis.
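The general construction with bit dropping and derived-key caching, together with the collision test from Section 2.2 and counter mode, can be tried on a toy cipher. This is an added example, not code from the paper: `toy_cipher` (a 16-bit Feistel network built on SHA-256 with 24-bit keys), the class and function names, the sample keys, and the use of XOR to combine keystream and plaintext in counter mode are all assumptions made for the demonstration.

```python
import hashlib

BLOCK_BITS = 16                      # n: toy block length (constructed for the demo)
KEY_BITS = 24                        # cipher key length, deliberately not a multiple of n
ROUNDS = 8
J = -(-KEY_BITS // BLOCK_BITS)       # ceil(KEY_BITS / BLOCK_BITS) = 2 cipher keys in the outer key


def toy_cipher(key, x):
    """Hypothetical stand-in block cipher: an 8-round Feistel network on 16-bit
    blocks keyed by a 24-bit integer. A permutation for every key, but not secure."""
    left, right = x >> 8, x & 0xFF
    for rnd in range(ROUNDS):
        digest = hashlib.sha256(bytes([rnd, right]) + key.to_bytes(3, "big")).digest()
        left, right = right, left ^ digest[0]
    return (left << 8) | right


class Rekeyed:
    """Data-dependent re-keying with d dropped bits, caching the last derived key."""

    def __init__(self, keys, d):
        if len(keys) != J or not 0 <= d < BLOCK_BITS:
            raise ValueError("need J cipher keys and 0 <= d < n")
        self.keys, self.d = tuple(keys), d
        self.cached_selector = None
        self.cached_key = None
        self.cipher_calls = 0        # counts toy_cipher invocations for the cost check

    def _derive(self, selector):
        extended = 0
        for k in self.keys:          # one cipher call per outer key on the group selector
            extended = (extended << BLOCK_BITS) | toy_cipher(k, selector)
            self.cipher_calls += 1
        return extended >> (J * BLOCK_BITS - KEY_BITS)   # keep the first KEY_BITS bits

    def __call__(self, x):
        selector = x >> self.d       # shift away the low d bits
        if selector != self.cached_selector:
            self.cached_selector = selector
            self.cached_key = self._derive(selector)
        self.cipher_calls += 1
        return toy_cipher(self.cached_key, x)   # derived key applied to the full input


def repeated_outputs(fn, q):
    """Query the inputs 0..q-1 and count answers that repeat an earlier answer."""
    seen, repeats = set(), 0
    for x in range(q):
        y = fn(x)
        repeats += y in seen
        seen.add(y)
    return repeats


def birthday_guess(fn, q):
    """The collision test from the text: any repeated answer means 'random function'."""
    return "random function" if repeated_outputs(fn, q) else "permutation"


def ctr_xor(fn, ctr, blocks):
    """Counter mode: block i is XORed with fn(ctr + i). Decryption is the same
    call, so fn never has to be inverted."""
    mask = (1 << BLOCK_BITS) - 1
    return [b ^ fn((ctr + i) & mask) for i, b in enumerate(blocks, start=1)]


if __name__ == "__main__":
    q = 2048                                         # well past 2^(n/2) = 256 queries
    print("raw cipher :", birthday_guess(lambda x: toy_cipher(0x1A2B3C, x), q))
    f = Rekeyed((0x1A2B3C, 0x4D5E6F), d=4)
    print("re-keyed   :", birthday_guess(f, q))
    print("cipher calls per output:", f.cipher_calls / q)   # 1 + J * 2**-d = 1.125
```

Inputs in the same common key group share a derived key, so the re-keyed function is still a permutation inside each group of 2^d inputs; the repeated answers come from inputs in different groups.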

We have constructed = n d to be a map : $\{0,1\}$ j $\{0,1\}^n \to \{0,1\}^n$. If one prefers, let k (x) = k'(x) where k' is the first bits of k1 (x d) k k kj (x d) and k i is defined as k (ii). Now uses a -bit key, just like. The analysis of lifts to with just a tiny loss in quantitative security.

4 Definitions

Here we give the more precise definitions of security in the two models in which we will be analyzing our construction, namely the (standard) "complexity theoretic" model and the Shannon model. Recall that in Section 2 we discussed the security of and by way of functions $\mathrm{Sec}^{\mathrm{prf}}(q, t)$ and $\mathrm{Sec}^{\mathrm{prp}}(q, t)$. Their meaning changes according to the model in a simple way:

    In the complexity theoretic model they are $\mathrm{CSec}^{\mathrm{prf}}(q, t)$ and $\mathrm{CSec}^{\mathrm{prp}}(q, t)$, respectively, these quantities being defined in Section 4.1 below, and

    In the ideal cipher model, they are $\mathrm{ISec}^{\mathrm{prf}}(q, t)$ and $\mathrm{ISec}^{\mathrm{prp}}_{,n}(q, t)$, respectively, these quantities being defined in Section 4.2 below, where refers to the transformation that takes into. (In our case, = n d.)

Preliminaries. If S is a probability space then g S denotes the operation of selecting g at random according to the distribution specified by S. If S is a set it is viewed as endowed with the uniform distribution, so that g S means that g is selected uniformly at random from set S. If y is not a set then g y is a simple assignment statement, assigning g the value y. (It is thus equivalent to g {y}.)

Let Perm n denote the set of all permutations : $\{0,1\}^n \to \{0,1\}^n$. Let Rand n denote the set of all functions : $\{0,1\}^n \to \{0,1\}^n$. Let BC ,n be the set of all maps : $\{0,1\}$ $\{0,1\}^n \to \{0,1\}^n$ such that (k, ) ∈ Perm n for all k ∈ $\{0,1\}$. Let R ,n be the set of all maps R : $\{0,1\}$ $\{0,1\}^n \to \{0,1\}^n$.

A family of functions with key length and block length n is a map G : $\{0,1\}$ $\{0,1\}^n \to \{0,1\}^n$, that is, G ∈ R ,n. Each -bit key k specifies the map $G_k$ def= G(k, ) ∈ Rand n. This map is not necessarily a permutation. If $G_k$ is a permutation for each k ∈ $\{0,1\}$ (ie., G ∈ BC ,n) then we call G a family of permutations, or a block cipher. We view G as a probability space over Rand n given by choosing functions via a uniform choice of the underlying key; that is, g G is the same as k $\{0,1\}$ ; g $G_k$.

Given a block cipher, the block cipher ^{-1} : $\{0,1\}$ $\{0,1\}^n \to \{0,1\}^n$ is defined by ^{-1}(k, y) being the unique point x such that (k, x) = y. We interchangeably write ^{-1} k (y) and ^{-1}(k, y).

An adversary is an algorithm A with access to some number of oracles. Oracles are denoted as superscripts to A, as in A ;,1 ;. An oracle responds to its query in unit time.

4.1 Complexity theoretic model

We will have two measures of security: the strength of G as a PRF and the strength of G as a PRP. We follow [6] in the manner in which the basic notion of [8] is "concretized."

First, we need the concept of advantage, which for emphasis we call the "computational advantage" and write CAdv. Let D be an algorithm (a "distinguisher") taking an oracle for a function g, and let $G_1, G_2$ be two families of functions with the same block length. We define

    CAdv G1,G2 (D) = Pr[ g G 1 : D^g = 1 ] − Pr[ g G 2 : D^g = 1 ].

Now, suppose is a family of functions, and is a family of permutations. We let

    CAdv prf (D) = CAdv ,Rand n (D)
    CAdv prp (D) = CAdv ,Perm n (D)
    CSec prf (q, t) = max_D { CAdv prf (D) }
    CSec prp (q, t) = max_D { CAdv prp (D) }

Here the first quantity measures the advantage D has in distinguishing random members of (resp. ) from truly random functions (resp. permutations) of the same block length. The second quantity is the maximum advantage attainable using some amount of resources, in this case the number q of oracle queries and the running time t. For simplicity, when we speak of an adversary's time we mean the adversary's actual running time plus the size of the encoding of the adversary (relative to some fixed encoding scheme), so we have a single parameter t to capture time plus description size. The maximum here is over all distinguishers D that make up to q oracle queries and have running time bounded by t.

4.2 Ideal block cipher model

The Shannon model [19] treats as a random block cipher. This means that each k is taken to be random permutation on n-bit strings. Let be some operator on which returns a new family of functions, and say the new family has key length but the block length is still n. (For us, = n d and = j where j = ⌈ /n⌉.) As modeled by [7], the adversary that attacks is given oracles for ( , ) and ^{-1}( , ) as well as an oracle f where either f() = (k, ) for = and k a randomly chosen key in $\{0,1\}$, or else f() = (), for a random function : $\{0,1\}^n \to \{0,1\}^n$. We investigate the adversary's advantage in determining what type of oracle f is. This is defined as:

    IAdv prf (A) = Pr[ BC ,n ; k {0,1} ; f () k : A ;,1 ;f = 1 ] − Pr[ BC ,n ; f Rand n : A ;,1 ;f = 1 ].

The advantage A gains depends, in part, on the number of queries q she asks of f and the total number of queries t she asks of and ^{-1}. We are interested in

    ISec prf (q, t) = max_A { IAdv prf (A) },

the maximum being over all adversaries that make up to q queries to the f oracle and up to t queries to the and ^{-1} oracles.

This is an information-theoretic setting: the adversary has unlimited computational power. If we think of as a concrete block cipher, and not an idealized one, then attacks in this model correspond to attacks in which the adversary exploits no characteristics specific to the block cipher, only "generic" features of the construction we are analyzing. Thus, security guarantees from results in this model are weaker than those from results in the model above, yet they do have some meaning. We use the Shannon model when technical difficulties prevent us from getting bounds as good as we would like in the complexity theoretic model.

Note. The goal will be to upper bound ISec prf (q, t) as a function of t, q, , n. As such we don't really need any notion of ISec prp ,n (q, t), the security of the block cipher, because the latter is assumed ideal, but there are two reasons to define it anyway. First, to maintain a uniform security treatment across the models, and in particular be consistent with Section 2; second, because it is indeed the quantity with which we wish to compare ISec prf (q, t). We define ISec prp ,n (q, t) as the maximum, over all adversaries A of the specified resources, of the quantity

    Pr[ BC ,n ; k {0,1} ; f k : A ;,1 ;f = 1 ] − Pr[ BC ,n ; f Perm n : A ;,1 ;f = 1 ].

Notice that this quantity is not zero. For q > 1 and large n we would expect it to be about t 2,, corresponding to an exhaustive key search attack.

5 Security of the n Construction

We summarize both proven security guarantees and attacks that indicate the tightness of the bounds in them.

5.1 Security in the complexity theoretic model

Here we refer to the notions of security of Section 4.1. We assume is a PRP family and show our construction is a PRF family, via a reduction. We do this only for the case where the key length, , is identical to the block length, n, and we drop no bits, namely d = 0.

Theorem 5.1 Let = n be a positive integer and let : $\{0,1\}$ $\{0,1\}^n \to \{0,1\}^n$ be a family of permutations whose security as a PRP family is described by security function CSec prp. Let : $\{0,1\}$ $\{0,1\}^n \to \{0,1\}^n$ be our construction for the case of no bit dropping, namely = n 0. Its security as a PRF is described by function CSec prf which for any number of queries q $2^n/2$ and time t can be bounded as follows:

    CSec prf (q, t)  CSec prp (q, t') + q CSec prp (3, t') + $q^2 / 2^{2n}$

where t' = t + O(q) ( + n + Time ).

Proof: See Section 6.

The bound here looks good at first glance. The first term, namely CSec prp (q, t'), is saying the security of as a PRF is related to that of as a PRP for essentially the same resources: we can't ask better. The last term, namely $q^2/2^{2n}$, is negligible. What about the middle term, namely q CSec prp (3, t')? Intuitively, CSec prp (3, t') is small: what can you do in three queries? This view is deceptive because one should not forget the time t'. One can spend it in exhaustive key search, and thus CSec prp (3, t') can be (t' 2, ). But (dropping constants) this is at least q2,, so the second term in our bound looks like q 2 2,. Since = n this is $q^2 2^{-n}$. So these bounds are not proof that the security of goes beyond the birthday bound.

It would be nice to improve the above result. However, even the proof of the above is not exactly trivial, and this is one reason we include the result in this paper: we hope its ideas are food for thought towards an extension. As far as we can tell, the difficulties in extending the above result are technical rather than arising from any weakness in the construction. (We could be wrong.)

Is there any other way we can give some meaningful evidence of the strength of the construction? We do this by analyzing it in the Shannon model.

5.2 Security in the ideal block cipher model

The theorem below looks at the most general version of the = n d construction, when the number d of bits dropped is arbitrary and no restrictions are made on , n, in the model of Section 4.2,

where is an ideal cipher. We obtain very strong results, showing security not only beyond the birthday bound, but nearly as good as one could hope for.

[Plot: Advantage versus lg Q; curves "k = 128, d = 8, n = 64" and "Birthday Bound, n = 64".]

Figure 1: Right curve: Illustrating Theorem 5.2, our upper bound on the adversary's advantage in distinguishing = n d from a random function, assuming n = 64, = 128, and d = 8. Here is a random permutation and the horizontal axis Q = max(q, t) is the maximum of the number of consecutive f-queries and the total number of , ^{-1} queries. Left curve: The birthday bound for the same choice of parameters.

As we noted in Section 2, an important mode of operation for our construction will be when the values to which k1 ... k j are being applied are successive counter values. Indeed, the bit dropping is done precisely to have maximum efficiency in this mode: as explained in Section 3, in this case, the amortized cost of computing is just $(1 + j/2^d)$ times that of computing, a negligible overhead. Accordingly, this is the case to which the following security analysis pertains. (Though later analyses are more general.)

Theorem 5.2 Let n, be positive integers and d, q, t, t̂ be non-negative integers with 0 d < n and let = n d. Let A be an adversary with three oracles, ( , ), ^{-1}( , ), and f(), who asks the numbers 0, ..., q − 1 of its f-oracle (so that these refer to q̂ = ⌈$q2^{-d}$⌉ common key groups), and asks at most t total queries of its - and ^{-1}-oracles, these referring to no more than t̂ common key groups. Let j = ⌈ /n⌉. Then

    IAdv prf (A) ^q 5 + ^t 2,4 + j 2 +2j ^q + tj + t 2, +^q2 2d,n+3 + t^t2 d,n,+2 :

Proof: See Section 7.

The first term bounding IAdv prf (A) remains low until q 24=5 or t 2 4=5. We speculate that these conditions can be further improved to 2 (1,) (and they are already very small in their current form), so a reasonable summary of IAdv prf (A) is to say that the construction is good until q min{2 , $2^{n-d}$} or t min{2 , 2 (n+)/2 }.

In Figure 1 we illustrate our bound for the case of a block cipher with parameters n = 64, = 128, and dropping d = 8 bits. The bound indicates that one must ask about $2^{55}$ queries before one can hope to distinguish k from a random function with advantage 1/e. (This 1/e-convention is a convenient way to summarize security.) For comparison, if you let = you get the usual birthday-attack curve, which indicates that it takes but $2^{32}$ queries before an adversary can get like advantage at distinguishing k from a random function.

12 1 0.8 k = 128, d = 0, n = 64 k = 64, d = 0, n = 64 k = 56, d = 0, n = k = 64, d = 0, n = 64 k = 64, d = 4, n = 64 k = 64, d = 8, n = 64 k = 64, d = 12, n = 64 k = 64, d = 16, n = 64 Advantage Advantage lg Q lg Q igure 2: Varying te parameters of Teorem 5.2 our upper bound on te adversary's advantage in distinguising = n d from a random function, wit te orizontal axis Q = max(q; t) as in te previous gure. Left: Varying key lengt. Rigt: Varying bits dropped d. or bot pictures n =64. In igure 2 we illustrate our bound by sowing te eect on advantage of canging eiter te key lengt (left-and plot) or te value of d (rigt-and plot). We assume a block size of n =64 bits. Te adversary's maximum advantage decreases wit increasing key lengt, but tis eect soon saturates. Te construction as worse demonstrated security for larger values of d, but te eect is not tat dramatic, and tere is little reason to select a very large value of d, anyway. It is important to understand te dierence between te results ere and tose of Section 5.1. Te \type" of security guarantee is better in te latter, since we are saying tat security in te sense of a PRP (using te standard notion of a PRP) translates into security in te sense of a PR (using te standard notion of a PR). Te results ere are only about ideal cipers, wic only guarantees security against generic attacks. Yet, generic attacks are an important and easy to mount class of attacks, and a proof of security against tem, especially wit suc strong bounds, is certainly meaningful. ventually we ope strong results will emerge in te oter model (as well as for oter PRP-to-PR constructions). 5.3 Attacks / Lower bounds In Propositions 5.3 and 5.4 we present te best attacks tat we know on our construction. Tese translate into lower bounds on te security of n d. We present two adversaries: one wic becomes successful wen q 2 n,d, and one wic becomes successful wen t 2. 
This is done in the Shannon model, but in this case (of attacks) this is not a restriction; if we can attack ideal ciphers we can certainly attack real ones. Thus, the results here should be viewed as complementing Theorem 5.2, telling us how close to tight is the analysis in the latter.

Proposition 5.3 Let n; be positive integers and d, q non-negative integers with 0 d < n, and let = n d. Then there is an adversary CS which asks at most q queries of an f oracle, no queries of the or $^{-1}$ oracles, and achieves advantage IAdv prf (CS) $1 - e^{-\lfloor q 2^{-d} \rfloor (2^d - 1) 2^{d-n-1}}$.

Proof: See Section

[Figure 3: plot of Advantage against lg Q, showing the Upper Bound and the Lower Bound for k = 64, d = 7, n = 64.]

Figure 3: With typical parameters our bounds are tight. Illustrating Propositions 5.3 and 5.4 and Theorem 5.2 for n = 64, = 64, d = 7. The horizontal axis Q is the same as in the previous figures.

Proposition 5.4 Let n; be positive integers and t, d, c be non-negative integers with 0 d < n, let = n d, and let j = d=ne. Then there is an adversary KS which asks c queries of her f oracle, t queries of her oracle, and achieves advantage IAdv prf (KS ) = minf1; bt=(cj + c)c2,j g,t2,cn.

Proof: See Section 5.3.

The first lower bound is around $1 - e^{-q 2^{d-n-1}}$, while the second one is around t2,j. These become significant when q $2^{n-d}$ or t 2 j. The point of giving these lower bounds is to see how tight is Theorem 5.2. As Figure 3 illustrates, the bounds are quite close for realistic parameters. On the same plot we graph our upper and lower bound for = 56, n = 64, and d = 7. The curves almost coincide.

6 Proof of Theorem 5.1

Refer to Section 5.1 for the theorem statement and to Section 4.1 for the definitions of security. We now provide the proof. Since the oracles we provide our adversaries are deterministic, we assume throughout and without loss of generality that no adversary ever repeats an oracle query. By Time we mean the worst-case amount of time required to calculate function in our underlying (fixed) model of computation.

We use the notion of multi-oracles as in [3], to provide a framework in which to reason about intermediate constructions that arise in our analysis. A multi-oracle is simply a sequence of oracles, with some rules as to how queries to the multi-oracle are answered by the individual oracles. In our setting, an adversary making q queries will be provided with a multi-oracle consisting of q functions, $f_1, \ldots, f_q$, each mapping n bits to n bits. The adversary's j-th query to the multi-oracle will be answered by $f_j$, for $j = 1, \ldots, q$. (That is, if the j-th query to is $x_j$ then the response is $f_j(x_j)$.)
Note that in this game it is not possible to ask two queries of a single oracle, nor to ask queries in some different order: the adversary is effectively restricted to sequentially querying

$f_1, \ldots, f_q$ in that order, with exactly one query to each function. Furthermore, all queries $x_1, \ldots, x_q$ are distinct strings.

We will consider various possible multi-oracles. The first, represented pictorially, is

(0) : k k ;

where k {0, 1} is a random key and there is a total of q instances of k above. Next come two classes, or types, of multi-oracles, and in each type there are q + 1 different multi-oracles, so that we have (s, i) for i = 0, ..., q and s = 1, 2. We typically want to visualize and compare the i-th members of each class. These are represented pictorially below. In each case i+1 ;:::; q Perm n are randomly and independently chosen permutations, and $k_1, \ldots, k_{i-1}$ are random, distinct -bit keys.

(1;i) : k1 ki,1 ki i+1 q k i f0; 1g,fk 1 ;:::;k i,1 g
(2;i) : k1 ki,1 i i+1 q i Perm n

In other words, in (1, i), the i-th oracle is encryption under a key $k_i$ distinct from those of the previous oracles. In (2, i) the i-th oracle is a random permutation independent of anything else. Observe that (1, i) = (2, i − 1) for i = 1, ..., q; this is something we will use later.

Now, for s = 0, 1, 2 and i = 0, ..., q we let ω(s, i) = Pr[ A (s,i) = 1 ] and ω(0) = Pr[ A (0) = 1 ] be the probability that A outputs 1 in the game where it is provided with the corresponding multi-oracle, the probability being over the choice of the multi-oracle as discussed above, and over the coins of A, if any. We now claim that

ω(0) = Pr[ k {0, 1} ; g k : A^g = 1 ]
ω(1, 0) = Pr[ g Rand_n : A^g = 1 ].

The first equality follows from the definition of (0). For the second, observe that (1, 0) consists of q random, independent permutations, 1 ;:::; q. The adversary is making exactly one query to each of these, so the responses are independently and uniformly distributed over $\{0,1\}^n$. Thus the equality is true.

Thus our goal is to bound ω(0) − ω(1, 0). We will do so by comparing both to ω(1, q). The proofs of the following lemmas appear later.

Lemma 6.1 ω(0) − ω(1, q) CSec prp (q, t′).

Lemma 6.2 ω(1, q) − ω(1, 0) q CSec prp (3, t′)+ q2 2.
2n

Now we can write

ω(0) − ω(1, 0) = [ω(0) − ω(1, q)] + [ω(1, q) − ω(1, 0)]

and then apply the two lemmas above to obtain the bound in the theorem. So to complete the proof of the theorem we need to prove the two lemmas. The first is quite straightforward; the second will take work.

Proof of Lemma 6.1: We bound the quantity in question via the advantage of a distinguisher D (for versus Perm_n) that we will construct below. It gets an oracle for a function g which is either k for a random k or is Perm_n and wants to tell which. It uses A as a subroutine and will respond to oracle queries in such a way that A is working with multi-oracle g ; g ;:::; g. The code for D is as follows:

Algorithm $D^g$
  Run A, replying to the j-th oracle query $x_j$ of A by g(xj )(x j )
  Output whatever A outputs and halt

We now claim that

Pr[ k {0, 1} ; g k : D^g = 1 ] = ω(0)
Pr[ g Perm_n : D^g = 1 ] = ω(1, q).

The first is clear. For the second, note the sequence of auxiliary keys used to answer the queries when g Perm_n will be outputs of g on distinct points, hence random, distinct keys, which matches the definition of (1, q). Now, note that D makes q oracle queries and has a running time bounded by that of A plus q Time plus overhead, making it at most t′. Thus, we know that its advantage is at most CSec prp (q, t′).

Proof of Lemma 6.2: We bound the quantity in question via the advantage of a distinguisher D (for versus Perm_n) that we will construct below. It gets an oracle for a function g which is either k for a random k or is Perm_n and wants to tell which. It uses A as a subroutine. Before specifying the code and analysis let us try to give an idea of the issues.

D will try to respond to oracle queries of A in such a way that A is working with multi-oracle

k1 ki,1 g i+1 q (1)

where $k_1, \ldots, k_{i-1}$ are random but distinct keys, and i+1 ;:::; q are random, independent permutations. D can "simulate" the first k − 1 oracles by choosing random but distinct keys $k_1, \ldots, k_{i-1}$ and responding to a query to the j-th oracle ($j = 1, \ldots, i-1$) via kj (). Simulation of the (i+1)-th to q-th oracles is even easier: since each is called exactly once, D can just return a random number in response to each query.

Now, we would like that if g k for a random k then the oracle provided to A in the simulation looks like (1, i), and if g for a random permutation then it looks like (2, i). However, neither of these wishes is easily realizable. Consider the first, namely the case where g = k for a random k. For the oracle provided to A in the simulation to be (1, i) it must be that $k \notin \{k_1, \ldots, k_{i-1}\}$. Although this happens with some probability, namely 1, (i, 1)=2, D does not know whether or not this happens.
(And we can't just neglect this, because then it turns out the bound would not be of good quality.) Therefore the idea is to have D try to figure this out: it will run a certain test whose purpose is to accept if $k \in \{k_1, \ldots, k_{i-1}\}$ and reject otherwise. The test is to compute g on m values, where m is some parameter whose value influences the analysis, and compare this to kj evaluated on the same values, for $j = 1, \ldots, i-1$. Now the problem is that this test might accept even though k is not in fact one of $k_1, \ldots, k_{i-1}$, and the analysis must take that into account.

Let us now specify the code. We will then give the analysis. Below, m > 0 is an integer parameter whose value we will specify later and $\langle l \rangle$ is the n-bit binary representation of integer l.

Algorithm $D^g$
  Let i {1, ..., q}
  Let $k_1, \ldots, k_{i-1}$ be random but distinct -bit strings
  Let $r_{i+1}, \ldots, r_q$ $\{0,1\}^n$

  For l = 0 to m − 1 do $y_l$ g($\langle l \rangle$) end for
  j 1
  While (j i − 1) do
    If [ kj ($\langle 0 \rangle$) = $y_0$ and ... and kj ($\langle m-1 \rangle$) = $y_{m-1}$ ] then return 1 (and halt)
    j j + 1
  end while
  Run A, replying to the j-th oracle query $x_j$ of A as follows:
    if j < i then reply by kj ($x_j$)
    if j = i then reply by g($x_j$)
    if j > i then reply by $r_j$
  Return whatever A outputs (and halt)

We refer to [ kj ($\langle 0 \rangle$) = $y_0$ and ... and kj ($\langle m-1 \rangle$) = $y_{m-1}$ ] as the "equality test for key $k_j$".

For the analysis, let

(1) = Pr[ k {0, 1} ; g k : D^g = 1 ]
(0) = Pr[ g Perm_n : D^g = 1 ].

We now claim a certain lower bound on (1) which will be justified below:

(1) 1 q 1 q qx i=1 qx i=1 1, i, 1!(1;i)+ i, 1 (2) 2 2!(1;i) : (3)

The second inequality is just arithmetic, but we do have to justify the first. In particular, it would appear that we have not accounted for the equality test at all, but in fact we have.

Equation (2) is justified like this. With probability (i, 1)=2 it will be the case that $k \in \{k_1, \ldots, k_{i-1}\}$. (The probability is exactly this because $k_1, \ldots, k_{i-1}$ are distinct.) In this case, the appropriate equality test (namely the one for $k_j$ where $k_j = k$) is sure to return true and D will certainly output 1. This accounts for the second term in Equation (2). Now, with probability 1, (i, 1)=2, $k \notin \{k_1, \ldots, k_{i-1}\}$. In this case, we would like to have the equality tests fail so that we are providing A with the multi-oracle of Equation (1). If this would happen, we would have Equation (2) with an equality, not an inequality. But some test may succeed. In fact for any key $k \notin \{k_1, \ldots, k_{i-1}\}$ there is a certain probability p(k) that the test succeeds, and this means that each key reaches the simulation part of the code with a different probability. However, the key observation is that if the test succeeds in these bad cases, D will output 1. So the overall probability of outputting one cannot decrease relative to the case where the tests do not succeed, so what we have written is indeed a lower bound.

Now, we upper bound (0) as follows:

(0) 1 q qx i=1! m,1 Y 1!(2;i)+(i, 1) 2 n, l l=0 (4)

" 1 q qx i=1!(1;i, 1) # + q, : (5) 2 n 2 (m,1)(n,1)

Equation (4) is justified by observing that the chance of an equality test for a particular key $k_j$ succeeding when g is a random permutation is at most the product above, and there are i − 1 keys tested. On the other hand, the probability of reaching the simulation is certainly only decreased, so the probability of D outputting 1 via A can't exceed ω(2, i). To get Equation (5) we are first using the observation made above that (2, i) is just (1, i − 1). On the other hand we are simplifying the second term, using our assumption that q $2^{n-1}$.

We can now lower bound the difference (namely the advantage of D):

CAdv prp (D) = (1), (0) " 1 qx q = 1 q i=1!(1;i),!(1;i, 1) #, q, 1 2 n (m,1)(n,1) [!(1;q),!(1; 0)], q, 1 2 n (m,1)(n,1) :

The simplification came about because the sum "telescoped". Now, multiply both sides of the above by q and transpose terms to get

!(1;q),!(1; 0) q CAdv prp, 1) 1 (D)+q(q 2 n+1 2 : (m,1)(n,1)

The second term can be made arbitrarily small by increasing the parameter m. Let us decide to set m = 2. Now, notice that D makes m + 1 = 3 queries to its oracle g, and its running time is bounded by t′, so that CAdv prp (D) CSec prp (m, t′). Thus we conclude that

!(1;q),!(1; 0) q CSec prp (3;t0 )+ q2 2 : 2n

This completes the proof of Lemma

Proof of Theorem 5.2

Refer to Section 5.1 for the theorem statement. We now provide the proof. Since the oracles we provide our adversaries are deterministic, we assume throughout and without loss of generality that no adversary ever repeats an oracle query.

Sometimes we regard a block cipher as a two-dimensional table with 2 rows and $2^n$ columns, where (k, x) is the value in the cell of the k-th row and x-th column. Given a partial function f from (a subset of) $\{0,1\}^n$ to (a subset of) $\{0,1\}^n$, we denote the domain and range of f (the points where f has been defined and the values those domain points map to) by Dom(f) and Range(f), respectively. Define Dom(f) = $\{0,1\}^n$ − Dom(f) and Range(f) = $\{0,1\}^n$ − Range(f).
When an oracle's algorithm is specified in pseudo-code having a Boolean variable $bad_i$, $BAD_i$ is the event that flag $bad_i$ is set true and is the first such bad flag to be set by the algorithm.

7.1 Lemmas

The proofs in this section use two lemmas which are independent of the rest of the section. We give them here. The first lemma bounds the ability of an adversary to distinguish the output from two nearly identical programs. When we write two algorithms which simulate two oracles, we specify the algorithms to be syntactically identical for as much of their specification as possible. Where their specifications diverge, a flag is set, and we bound the advantage of an adversary based on her ability to set one of these flags. See Figures 4 and 5 for examples. The basis for this approach is founded on Lemma 7.1. The second standard lemma gives upper and lower bounds for the birthday phenomena in Lemma 7.3.

Distinguishing Nearly Identical Programs. Consider an adversary A and her oracle f, and assume A is defined to output either 0 or 1. Say that f is set to either program $P_1$ or $P_2$, and that the advantage A has in distinguishing which is the case is $\mathrm{Adv}_A = \Pr_1[A = 1] - \Pr_2[A = 1]$. Now consider the case where $P_1$ and $P_2$ are syntactically identical except for some if-guarded instructions in $P_2$ which, if executed, set a boolean flag bad. Let BAD be the event in $P_2$ that bad is set.

Lemma 7.1 $\mathrm{Adv}_A \le \Pr_2[\mathrm{BAD}]$.

Proof: Let C be the set of all infinite strings representing the coins used in the experiment. Classify the elements of C into four non-overlapping sets, C 12, C12, C 1 2 and C12, where the elements of C 12 cause ($A^{P_1} = 1 \wedge A^{P_2} = 1$), and the elements of C12 cause ($A^{P_1} = 0 \wedge A^{P_2} = 1$), etc. Then,

Adv A = Pr C [AP 1 = jc 12j + jc 1 2j jcj = jc 12j,jC12j jcj jc 12j + jc12j jcj = Pr C [AP 1 6= AP 2 ] Pr 2 [BAD] =1], Pr C [AP 2 =1], jc 12j + jc12j jcj

To see the last step, if a set of coins does not cause the bad flag to be marked, then only shared code is executed, and $P_1$ and $P_2$ have identical output. Therefore, A can only have advantage on the coins selected which set bad.
Corollary 7.2 If $P_1$ and $P_2$ are identical except for some if-guarded instructions in $P_1$ which if executed set $bad_1$ and some if-guarded instructions in $P_2$ which if executed set $bad_2$, then $\mathrm{Adv}_A \le \Pr_1[\mathrm{BAD}_1] + \Pr_2[\mathrm{BAD}_2]$.

Proof: Let program $P_3$ be identical to the common parts of $P_1$ and $P_2$. Then,

$\Pr_1[A = 1] - \Pr_2[A = 1] \le (\Pr_1[A = 1] - \Pr_3[A = 1]) + (\Pr_3[A = 1] - \Pr_2[A = 1]) \le \Pr_1[\mathrm{BAD}_1] + \Pr_2[\mathrm{BAD}_2]$

Lemma 7.3 [Birthday Phenomenon] Given n balls tossed independently and randomly into m bins, the probability that at least one bin has more than one ball, C(n, m), satisfies $1 - e^{-n(n-1)/2m} \le C(n, m) \le n^2/2m$.

7.2 Proof of Theorem 5.2, Part 1

In the ideal model the adversary has access to,,1, and (n d )(k; ) oracles. However, we initially envision an adversary with access only to the last of these. Later we correct for this simplifying assumption. Modularizing the proof in this way makes this already-complex argument easier to follow.

Lemma 7.4 Let n; be positive integers and d, $\hat{q}$ be non-negative integers. Let j = d=ne. Let A be an adversary with a single oracle, f, and suppose A asks f queries referring to no more than $\hat{q}$ common key groups. Then

Adv 1 A def = i Pr BC ;n ; k f0; 1g j ;f() def = n d (k; ) :A f =1, Pr [ Rand n : A =1] j 2 2,,1 + ^q ,4 +^q2 2d,n+3 +^qj2, :

Note that if an adversary is restricted to referring to no more than $\hat{q}$ common key groups, implicitly she is restricted to no more than $\hat{q} 2^d$ total queries.

Proof: To prove the bound we devise an algorithm to simulate an oracle for the adversary. Actually, there are two algorithms developed. Both are indicated in Figure 4, the difference being whether or not we set the flag Game2. We call "Game 1" the result of running the specified algorithm with the flag Game2 set to false, and we call "Game 2" the result of running the specified algorithm with the flag Game2 set to true. The idea of these games is to simulate one of two experiments (the exact two experiments used in the definition of Adv 1 A) and to structure these simulations so that they are "identical" until this can be maintained no longer. Game 1 simulates the experiment used to define the second addend of the adversary's advantage. Game 2 simulates the experiment used to define the first addend of the adversary's advantage. When Games 1 and 2 "diverge," a flag will be set. Bounding the probability that any of the game's flags get set will serve to bound Adv 1 A.
Let p 2 =Pr BC ;n ; k f0; 1g j ;f() def = n d (k; ) :A f =1 denote the first addend of the adversary's advantage in Lemma 7.4. Similarly, let p 1 = Pr [ Rand n : A =1] denote the second addend. Let $\Pr_i[\cdot]$ denote the probability of event with respect to the probability space induced by Game i. Our definitions of an oracle in Game 1 and Game 2 (Figure 4) make the following clear.

Claim 7.5 Pr 1 A =1 = p 1.

Claim 7.6 Pr 2 A =1 = p 2.

To bound $|p_1 - p_2|$ we bound an adversary's advantage in differentiating between Game 1 and Game 2. The following claim is a direct result of Lemma


More information

Exercises for numerical differentiation. Øyvind Ryan

Exercises for numerical differentiation. Øyvind Ryan Exercises for numerical differentiation Øyvind Ryan February 25, 2013 1. Mark eac of te following statements as true or false. a. Wen we use te approximation f (a) (f (a +) f (a))/ on a computer, we can

More information

Notes on wavefunctions II: momentum wavefunctions

Notes on wavefunctions II: momentum wavefunctions Notes on wavefunctions II: momentum wavefunctions and uncertainty Te state of a particle at any time is described by a wavefunction ψ(x). Tese wavefunction must cange wit time, since we know tat particles

More information

REVIEW LAB ANSWER KEY

REVIEW LAB ANSWER KEY REVIEW LAB ANSWER KEY. Witout using SN, find te derivative of eac of te following (you do not need to simplify your answers): a. f x 3x 3 5x x 6 f x 3 3x 5 x 0 b. g x 4 x x x notice te trick ere! x x g

More information

Polynomials 3: Powers of x 0 + h

Polynomials 3: Powers of x 0 + h near small binomial Capter 17 Polynomials 3: Powers of + Wile it is easy to compute wit powers of a counting-numerator, it is a lot more difficult to compute wit powers of a decimal-numerator. EXAMPLE

More information

LIMITATIONS OF EULER S METHOD FOR NUMERICAL INTEGRATION

LIMITATIONS OF EULER S METHOD FOR NUMERICAL INTEGRATION LIMITATIONS OF EULER S METHOD FOR NUMERICAL INTEGRATION LAURA EVANS.. Introduction Not all differential equations can be explicitly solved for y. Tis can be problematic if we need to know te value of y

More information

Numerical Differentiation

Numerical Differentiation Numerical Differentiation Finite Difference Formulas for te first derivative (Using Taylor Expansion tecnique) (section 8.3.) Suppose tat f() = g() is a function of te variable, and tat as 0 te function

More information

Enhanced Target Collision Resistant Hash Functions Revisited

Enhanced Target Collision Resistant Hash Functions Revisited Enanced Target Collision Resistant Has Functions Revisited Moammad Reza Reyanitabar, Willy Susilo, and Yi Mu Centre for Computer and Information Security Researc, Scool of Computer Science and Software

More information

Sin, Cos and All That

Sin, Cos and All That Sin, Cos and All Tat James K. Peterson Department of Biological Sciences and Department of Matematical Sciences Clemson University Marc 9, 2017 Outline Sin, Cos and all tat! A New Power Rule Derivatives

More information

Some Review Problems for First Midterm Mathematics 1300, Calculus 1

Some Review Problems for First Midterm Mathematics 1300, Calculus 1 Some Review Problems for First Midterm Matematics 00, Calculus. Consider te trigonometric function f(t) wose grap is sown below. Write down a possible formula for f(t). Tis function appears to be an odd,

More information

How to Find the Derivative of a Function: Calculus 1

How to Find the Derivative of a Function: Calculus 1 Introduction How to Find te Derivative of a Function: Calculus 1 Calculus is not an easy matematics course Te fact tat you ave enrolled in suc a difficult subject indicates tat you are interested in te

More information

Yishay Mansour. AT&T Labs and Tel-Aviv University. design special-purpose planning algorithms that exploit. this structure.

Yishay Mansour. AT&T Labs and Tel-Aviv University. design special-purpose planning algorithms that exploit. this structure. A Sparse Sampling Algoritm for Near-Optimal Planning in Large Markov Decision Processes Micael Kearns AT&T Labs mkearns@researc.att.com Yisay Mansour AT&T Labs and Tel-Aviv University mansour@researc.att.com

More information

Continuity and Differentiability

Continuity and Differentiability Continuity and Dierentiability Tis capter requires a good understanding o its. Te concepts o continuity and dierentiability are more or less obvious etensions o te concept o its. Section - INTRODUCTION

More information

Combining functions: algebraic methods

Combining functions: algebraic methods Combining functions: algebraic metods Functions can be added, subtracted, multiplied, divided, and raised to a power, just like numbers or algebra expressions. If f(x) = x 2 and g(x) = x + 2, clearly f(x)

More information

Practice Problem Solutions: Exam 1

Practice Problem Solutions: Exam 1 Practice Problem Solutions: Exam 1 1. (a) Algebraic Solution: Te largest term in te numerator is 3x 2, wile te largest term in te denominator is 5x 2 3x 2 + 5. Tus lim x 5x 2 2x 3x 2 x 5x 2 = 3 5 Numerical

More information

0.1 Differentiation Rules

0.1 Differentiation Rules 0.1 Differentiation Rules From our previous work we ve seen tat it can be quite a task to calculate te erivative of an arbitrary function. Just working wit a secon-orer polynomial tings get pretty complicate

More information

Financial Econometrics Prof. Massimo Guidolin

Financial Econometrics Prof. Massimo Guidolin CLEFIN A.A. 2010/2011 Financial Econometrics Prof. Massimo Guidolin A Quick Review of Basic Estimation Metods 1. Were te OLS World Ends... Consider two time series 1: = { 1 2 } and 1: = { 1 2 }. At tis

More information

Excursions in Computing Science: Week v Milli-micro-nano-..math Part II

Excursions in Computing Science: Week v Milli-micro-nano-..math Part II Excursions in Computing Science: Week v Milli-micro-nano-..mat Part II T. H. Merrett McGill University, Montreal, Canada June, 5 I. Prefatory Notes. Cube root of 8. Almost every calculator as a square-root

More information

Introduction to Machine Learning. Recitation 8. w 2, b 2. w 1, b 1. z 0 z 1. The function we want to minimize is the loss over all examples: f =

Introduction to Machine Learning. Recitation 8. w 2, b 2. w 1, b 1. z 0 z 1. The function we want to minimize is the loss over all examples: f = Introduction to Macine Learning Lecturer: Regev Scweiger Recitation 8 Fall Semester Scribe: Regev Scweiger 8.1 Backpropagation We will develop and review te backpropagation algoritm for neural networks.

More information

2.3 More Differentiation Patterns

2.3 More Differentiation Patterns 144 te derivative 2.3 More Differentiation Patterns Polynomials are very useful, but tey are not te only functions we need. Tis section uses te ideas of te two previous sections to develop tecniques for

More information

Name: Answer Key No calculators. Show your work! 1. (21 points) All answers should either be,, a (finite) real number, or DNE ( does not exist ).

Name: Answer Key No calculators. Show your work! 1. (21 points) All answers should either be,, a (finite) real number, or DNE ( does not exist ). Mat - Final Exam August 3 rd, Name: Answer Key No calculators. Sow your work!. points) All answers sould eiter be,, a finite) real number, or DNE does not exist ). a) Use te grap of te function to evaluate

More information

Quantum Mechanics Chapter 1.5: An illustration using measurements of particle spin.

Quantum Mechanics Chapter 1.5: An illustration using measurements of particle spin. I Introduction. Quantum Mecanics Capter.5: An illustration using measurements of particle spin. Quantum mecanics is a teory of pysics tat as been very successful in explaining and predicting many pysical

More information

Math 102 TEST CHAPTERS 3 & 4 Solutions & Comments Fall 2006

Math 102 TEST CHAPTERS 3 & 4 Solutions & Comments Fall 2006 Mat 102 TEST CHAPTERS 3 & 4 Solutions & Comments Fall 2006 f(x+) f(x) 10 1. For f(x) = x 2 + 2x 5, find ))))))))) and simplify completely. NOTE: **f(x+) is NOT f(x)+! f(x+) f(x) (x+) 2 + 2(x+) 5 ( x 2

More information

5.1 We will begin this section with the definition of a rational expression. We

5.1 We will begin this section with the definition of a rational expression. We Basic Properties and Reducing to Lowest Terms 5.1 We will begin tis section wit te definition of a rational epression. We will ten state te two basic properties associated wit rational epressions and go

More information

Chapter 5 FINITE DIFFERENCE METHOD (FDM)

Chapter 5 FINITE DIFFERENCE METHOD (FDM) MEE7 Computer Modeling Tecniques in Engineering Capter 5 FINITE DIFFERENCE METHOD (FDM) 5. Introduction to FDM Te finite difference tecniques are based upon approximations wic permit replacing differential

More information

Section 3: The Derivative Definition of the Derivative

Section 3: The Derivative Definition of the Derivative Capter 2 Te Derivative Business Calculus 85 Section 3: Te Derivative Definition of te Derivative Returning to te tangent slope problem from te first section, let's look at te problem of finding te slope

More information

Taylor Series and the Mean Value Theorem of Derivatives

Taylor Series and the Mean Value Theorem of Derivatives 1 - Taylor Series and te Mean Value Teorem o Derivatives Te numerical solution o engineering and scientiic problems described by matematical models oten requires solving dierential equations. Dierential

More information

Lecture 21. Numerical differentiation. f ( x+h) f ( x) h h

Lecture 21. Numerical differentiation. f ( x+h) f ( x) h h Lecture Numerical differentiation Introduction We can analytically calculate te derivative of any elementary function, so tere migt seem to be no motivation for calculating derivatives numerically. However

More information

(a) At what number x = a does f have a removable discontinuity? What value f(a) should be assigned to f at x = a in order to make f continuous at a?

(a) At what number x = a does f have a removable discontinuity? What value f(a) should be assigned to f at x = a in order to make f continuous at a? Solutions to Test 1 Fall 016 1pt 1. Te grap of a function f(x) is sown at rigt below. Part I. State te value of eac limit. If a limit is infinite, state weter it is or. If a limit does not exist (but is

More information

Derivatives of trigonometric functions

Derivatives of trigonometric functions Derivatives of trigonometric functions 2 October 207 Introuction Toay we will ten iscuss te erivates of te si stanar trigonometric functions. Of tese, te most important are sine an cosine; te erivatives

More information

Chapter 2 Ising Model for Ferromagnetism

Chapter 2 Ising Model for Ferromagnetism Capter Ising Model for Ferromagnetism Abstract Tis capter presents te Ising model for ferromagnetism, wic is a standard simple model of a pase transition. Using te approximation of mean-field teory, te

More information

The Indistinguishability of the XOR of k permutations

The Indistinguishability of the XOR of k permutations The Indistinguishability of the XOR of k permutations Benoit Cogliati, Rodolphe Lampe, Jacques Patarin University of Versailles, France Abstract. Given k independent pseudorandom permutations f 1,...,

More information

Explicit Interleavers for a Repeat Accumulate Accumulate (RAA) code construction

Explicit Interleavers for a Repeat Accumulate Accumulate (RAA) code construction Eplicit Interleavers for a Repeat Accumulate Accumulate RAA code construction Venkatesan Gurusami Computer Science and Engineering University of Wasington Seattle, WA 98195, USA Email: venkat@csasingtonedu

More information

CHAPTER (A) When x = 2, y = 6, so f( 2) = 6. (B) When y = 4, x can equal 6, 2, or 4.

CHAPTER (A) When x = 2, y = 6, so f( 2) = 6. (B) When y = 4, x can equal 6, 2, or 4. SECTION 3-1 101 CHAPTER 3 Section 3-1 1. No. A correspondence between two sets is a function only if eactly one element of te second set corresponds to eac element of te first set. 3. Te domain of a function

More information

Math 2921, spring, 2004 Notes, Part 3. April 2 version, changes from March 31 version starting on page 27.. Maps and di erential equations

Math 2921, spring, 2004 Notes, Part 3. April 2 version, changes from March 31 version starting on page 27.. Maps and di erential equations Mat 9, spring, 4 Notes, Part 3. April version, canges from Marc 3 version starting on page 7.. Maps and di erential equations Horsesoe maps and di erential equations Tere are two main tecniques for detecting

More information

3.4 Worksheet: Proof of the Chain Rule NAME

3.4 Worksheet: Proof of the Chain Rule NAME Mat 1170 3.4 Workseet: Proof of te Cain Rule NAME Te Cain Rule So far we are able to differentiate all types of functions. For example: polynomials, rational, root, and trigonometric functions. We are

More information

Math 312 Lecture Notes Modeling

Math 312 Lecture Notes Modeling Mat 3 Lecture Notes Modeling Warren Weckesser Department of Matematics Colgate University 5 7 January 006 Classifying Matematical Models An Example We consider te following scenario. During a storm, a

More information

A = h w (1) Error Analysis Physics 141

A = h w (1) Error Analysis Physics 141 Introduction In all brances of pysical science and engineering one deals constantly wit numbers wic results more or less directly from experimental observations. Experimental observations always ave inaccuracies.

More information

CS522 - Partial Di erential Equations

CS522 - Partial Di erential Equations CS5 - Partial Di erential Equations Tibor Jánosi April 5, 5 Numerical Di erentiation In principle, di erentiation is a simple operation. Indeed, given a function speci ed as a closed-form formula, its

More information

MAT244 - Ordinary Di erential Equations - Summer 2016 Assignment 2 Due: July 20, 2016

MAT244 - Ordinary Di erential Equations - Summer 2016 Assignment 2 Due: July 20, 2016 MAT244 - Ordinary Di erential Equations - Summer 206 Assignment 2 Due: July 20, 206 Full Name: Student #: Last First Indicate wic Tutorial Section you attend by filling in te appropriate circle: Tut 0

More information

HMAC is a Randomness Extractor and Applications to TLS

HMAC is a Randomness Extractor and Applications to TLS MAC is a Randomness Extractor and Applications to TLS Pierre-Alain Fouue ENS CNRS INRIA Paris, France fouue@diensfr David Pointceval CNRS ENS INRIA Paris, France pointceval@diensfr Sébastien Zimmer ENS

More information

3.1 Extreme Values of a Function

3.1 Extreme Values of a Function .1 Etreme Values of a Function Section.1 Notes Page 1 One application of te derivative is finding minimum and maimum values off a grap. In precalculus we were only able to do tis wit quadratics by find

More information

The Complexity of Computing the MCD-Estimator

The Complexity of Computing the MCD-Estimator Te Complexity of Computing te MCD-Estimator Torsten Bernolt Lerstul Informatik 2 Universität Dortmund, Germany torstenbernolt@uni-dortmundde Paul Fiscer IMM, Danisc Tecnical University Kongens Lyngby,

More information

Quaternion Dynamics, Part 1 Functions, Derivatives, and Integrals. Gary D. Simpson. rev 01 Aug 08, 2016.

Quaternion Dynamics, Part 1 Functions, Derivatives, and Integrals. Gary D. Simpson. rev 01 Aug 08, 2016. Quaternion Dynamics, Part 1 Functions, Derivatives, and Integrals Gary D. Simpson gsim1887@aol.com rev 1 Aug 8, 216 Summary Definitions are presented for "quaternion functions" of a quaternion. Polynomial

More information

ch (for some fixed positive number c) reaching c

ch (for some fixed positive number c) reaching c GSTF Journal of Matematics Statistics and Operations Researc (JMSOR) Vol. No. September 05 DOI 0.60/s4086-05-000-z Nonlinear Piecewise-defined Difference Equations wit Reciprocal and Cubic Terms Ramadan

More information

Polynomial Interpolation

Polynomial Interpolation Capter 4 Polynomial Interpolation In tis capter, we consider te important problem of approximatinga function fx, wose values at a set of distinct points x, x, x,, x n are known, by a polynomial P x suc

More information

Section 2: The Derivative Definition of the Derivative

Section 2: The Derivative Definition of the Derivative Capter 2 Te Derivative Applied Calculus 80 Section 2: Te Derivative Definition of te Derivative Suppose we drop a tomato from te top of a 00 foot building and time its fall. Time (sec) Heigt (ft) 0.0 00

More information

Homework 1 Due: Wednesday, September 28, 2016

Homework 1 Due: Wednesday, September 28, 2016 0-704 Information Processing and Learning Fall 06 Homework Due: Wednesday, September 8, 06 Notes: For positive integers k, [k] := {,..., k} denotes te set of te first k positive integers. Wen p and Y q

More information

arxiv: v3 [cs.ds] 4 Aug 2017

arxiv: v3 [cs.ds] 4 Aug 2017 Non-preemptive Sceduling in a Smart Grid Model and its Implications on Macine Minimization Fu-Hong Liu 1, Hsiang-Hsuan Liu 1,2, and Prudence W.H. Wong 2 1 Department of Computer Science, National Tsing

More information

Differentiation Rules c 2002 Donald Kreider and Dwight Lahr

Differentiation Rules c 2002 Donald Kreider and Dwight Lahr Dierentiation Rules c 00 Donal Kreier an Dwigt Lar Te Power Rule is an example o a ierentiation rule. For unctions o te orm x r, were r is a constant real number, we can simply write own te erivative rater

More information

The Laplace equation, cylindrically or spherically symmetric case

The Laplace equation, cylindrically or spherically symmetric case Numerisce Metoden II, 7 4, und Übungen, 7 5 Course Notes, Summer Term 7 Some material and exercises Te Laplace equation, cylindrically or sperically symmetric case Electric and gravitational potential,

More information