The Indistinguishability of the XOR of k permutations

Similar documents
Benes and Butterfly schemes revisited

Security of Random Feistel Schemes with 5 or more Rounds

The Sum of PRPs is a Secure PRF

Chapter 2 Balanced Feistel Ciphers, First Properties

A Pseudo-Random Encryption Mode

The Pseudorandomness of Elastic Block Ciphers

A Domain Extender for the Ideal Cipher

From Non-Adaptive to Adaptive Pseudorandom Functions

On the Round Security of Symmetric-Key Cryptographic Primitives

Distinguishing a truncated random permutation from a random function

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)

The Relation Between CENC and NEMO

CPA-Security. Definition: A private-key encryption scheme

A Generic Method to Design Modes of Operation Beyond the Birthday Bound

The Random Oracle Model and the Ideal Cipher Model are Equivalent

On the Construction of Pseudo-Random Permutations: Luby-Rackoff Revisited

arxiv: v1 [cs.cr] 16 Dec 2014

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

The Random Oracle Model and the Ideal Cipher Model are Equivalent

Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan

Security Analysis of Key-Alternating Feistel Ciphers

Provable Security in Symmetric Key Cryptography

A Note on Quantum-Secure PRPs

CTR mode of operation

Cascade Encryption Revisited

EME : extending EME to handle arbitrary-length messages with associated data

Block Ciphers/Pseudorandom Permutations

From Unpredictability to Indistinguishability: A Simple. Construction of Pseudo-Random Functions from MACs. Preliminary Version.

The Random Oracle Model and the Ideal Cipher Model Are Equivalent

Black-Box Composition Does Not Imply Adaptive Security

Foundation of Cryptography, Lecture 4 Pseudorandom Functions

Improved security analysis of OMAC

Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding

Eliminating Random Permutation Oracles in the Even-Mansour Cipher

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

Characterization of EME with Linear Mixing

Short Exponent Diffie-Hellman Problems

Computer Science Dept.

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network

Computer Science A Cryptography and Data Security. Claude Crépeau

Semantic Security of RSA. Semantic Security

From Unpredictability to Indistinguishability: A Simple Construction of Pseudo-Random Functions from MACs

Public Key Cryptography

4-3 A Survey on Oblivious Transfer Protocols

Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding

Building PRFs from PRPs

Efficient Amplification of the Security of Weak Pseudo-Random Function Generators

III. Pseudorandom functions & encryption

1 Cryptographic hash functions

Black-Box Composition Does Not Imply Adaptive Security

Constructing Variable-Length PRPs and SPRPs from Fixed-Length PRPs

How many rounds can Random Selection handle?

The Generalized Randomized Iterate and its Application to New Efficient Constructions of UOWHFs from Regular One-Way Functions

State Recovery Attacks on Pseudorandom Generators

Revisiting Variable Output Length XOR Pseudorandom Function

A Composition Theorem for Universal One-Way Hash Functions

KFC - The Krazy Feistel Cipher

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

A Note on Negligible Functions

From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes

On Generalized Feistel Networks

On Pseudo Randomness from Block Ciphers

Pseudorandom Generators

A New Paradigm of Hybrid Encryption Scheme

Domain Extension of Public Random Functions: Beyond the Birthday Barrier

Cryptanalysis of Tweaked Versions of SMASH and Reparation

COS598D Lecture 3 Pseudorandom generators from one-way functions

Building Secure Block Ciphers on Generic Attacks Assumptions

Towards Provable Security of Substitution-Permutation Encryption Networks

1 Cryptographic hash functions

Secret-key Cryptography from Ideal Primitives: A Systematic Overview

Indistinguishability and Pseudo-Randomness

CBC MAC for Real-Time Data Sources. Abstract. The Cipher Block Chaining (CBC) Message Authentication Code (MAC) is an

Building Secure Block Ciphers on Generic Attacks Assumptions

Lecture 3: Interactive Proofs and Zero-Knowledge

Symmetric Encryption

On Pseudorandomness w.r.t Deterministic Observers

Adaptive Preimage Resistance Analysis Revisited: Requirements, Subtleties and Implications

On Generalized Feistel Networks

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography

Efficient and Optimally Secure Key-Length Extension for Block Ciphers via Randomized Cascading

Security of Permutation-based Compression Function lp231

A Unified Method for Improving PRF Bounds for a Class of Blockcipher based MACs

Equivalence between Semantic Security and Indistinguishability against Chosen Ciphertext Attacks

A survey on quantum-secure cryptographic systems

Pseudorandom functions and permutations

Lecture 10 - MAC s continued, hash & MAC

Yale University Department of Computer Science

A Generalization of PGV-Hash Functions and Security Analysis in Black-Box Model

Reset Indifferentiability and its Consequences

Bootstrapping Obfuscators via Fast Pseudorandom Functions

Feistel Networks made Public, and Applications

A Theoretical Treatment of Related-Key Attacks: RKA-PRPs, RKA-PRFs, and Applications

On the Relation Between the Ideal Cipher and the Random Oracle Models

Adaptive Security of Compositions

Online Ciphers and the Hash-CBC Construction

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)

A short proof of the unpredictability of cipher block chaining

Improving Upon the TET Mode of Operation

Transcription:

The Indistinguishability of the XOR of k permutations Benoit Cogliati, Rodolphe Lampe, Jacques Patarin University of Versailles, France Abstract. Given k independent pseudorandom permutations f 1,..., f k over {0, 1} n, it is natural to define a pseudorandom function by XORing the permutations: f 1... f k. In [9] Stefan Lucks studied the security of this PRF. In this paper we improve the security bounds of [9] by using different proof techniques. Keywords: Pseudorandom functions, pseudorandom permutations, security beyond the birthday bound, Luby-Rackoff backwards. 1 Introduction Much research dealt with constructing cryptographic operations from other ones: Levin [6] got pseudorandom bit generators from one-way functions, then Goldreich, Goldwasser and Micali [4] constructed pseudorandom functions PRFs) from pseudorandom bit generators. In [1], Aiello and Venkatesan studied how to construct PRFs from smaller PRFs. Luby and Rackoff [7] dealt with the problem of getting pseudorandom permutations PRPs) from PRFs; further work about their construction can be found in [8, 11]. Our article focuses on the reverse problem of converting PRPs into PRFs named Luby-Rackoff backwards which was first considered in [3]. This problem is obvious if we are interested in an asymptotical polynomial versus non polynomial security model since a PRP is then a PRF), but not if we are interested in achieving more optimal and concrete security bounds. More precisely, the loss of security when regarding a PRP as a PRF comes from the birthday attack which can distinguish a random permutation from a random function of n bits to n bits in n operations and n queries. Therefore different ways to build PRF from PRP with a security above n and by performing very few computations have been suggested see [, 3, 5, 9]). One of the simplest way is to XOR k independent pseudorandom permutations with k. In [9] Theorem p.474) Stefan Lucks proved, with a simple proof, that the XOR of k independant PRPs gives a PRF with security at least in O k k+1 n ). In [] and [1] difficult analyses of k = are given, with proofs that the security is good when the number of queries is lower than O ) n n or O n ). For k 3 there is a significant gap between the /3 proven security of [9] and the best attacks of [13]. In this paper we reduce this gap by improving the proven security for the XOR of k permutations, k 3. Constructions with k 3 instead of k =

are interesting for various reasons. First, our proofs are much simpler than the proofs of [] and [1]. Second, in many cryptographic applications the size n of the blocks cannot be chosen by the designer of the algorithm since it is imposed by the application. Then it is interesting to have another parameter to decrease the proven advantage of any adversary to a value as small as wanted with a simple construction. Our proof technique is based on the coefficient H technique of Patarin cf [14]). However we only use the first steps and not all the refinements) in order to keep very simple proofs with still better security results than previously known; we could achieve tighter bounds by using the full technique, but it would require more computations such as [15]). Related problems. In [10] the security of the XOR of two public permutations are studied i.e. indifferentiability instead of indistinguishability). Organisation of the paper. Section presents the notations and basic definitions that are used in this paper. In section 3 and 4, two security bounds are shown with different techniques respectively the H σ coefficient technique and the H coefficient technique). Then both these results are compared to the one from [9] in the last section. Preliminaries We denote I n the set of n bits strings and Jn q the subset of In q of values x i ) 1 i q satisfying x i x j, i j. We denote F n the set of functions from I n to I n and B n the set of permutations of I n. The notation x R E stands for x is chosen randomly with a uniform distribution in E. An adversary A trying to distinguish between f 1... f k, where f i R B n for each i {1,..., k}, from a random function F R F n is considered to have access to an oracle Q. This oracle either simulates F or f 1... f k. A chooses inputs x {0, 1} n ; then Q responds Qx) {0, 1} n. After at most q queries, A outputs AQ) {0, 1}. AQ) is then seen as a random variable over {0, 1}. This is an adaptative chosen plaintext attack cpa). To measure the pseudorandomness of the XOR of k permutations one must evaluate the advantage A, of an adversary A which is defined as A, = P r[af 1... f k ) = 1] P r[af ) = 1]. We write for the maximal advantage any adversary can get when trying to distinguish the XOR of k random permutations from a random function. 3 Security Bound from the H σ technique 3.1 Linking the advantage to a combinatorial problem Let k. We use theorem 3 from [14] :

Theorem 1. Let α, β R + and q N \ {0}. Let E be a subset of I q n such that E 1 β) nq. Suppose that, for each sequence a i ) 1 i q, b i ) 1 i q J q n, with b i ) 1 i q E: Ha, b) 1 α) B n k nq, with Ha, b) the number of f 1,..., f k ) B k n such that : i, 1 i q, f 1... f k )a i ) = b i. Then: α + β. For every b J q n, let h q b) be the number of sequences x 1, x,..., x k 1 J q n such that x 1... x k 1 b J q n then Lemma 1 For all a, b J q n: B n k Ha, b) = h q b) n n q + 1) ) k. Proof. The number Ha, b) can be seen as the sum, over the sequences x 1, x,..., x k 1 Jn q such that x 1... x k 1 b Jn, q of the number of f 1,..., f k B n satisfying the equations f j a i ) = x j i for all j k 1, i q and f ka i ) = x 1 i... x k 1 i b i, i q. Then, for each choices of x 1,..., x k 1, each f j is a uniformly B random permutation fixed on q points so Ha, b) = h q b) n which also shows that Ha, b) does not depend of a. n n q+1)) k, We now see h q as a random variable over b R I q n. The security of the XOR of k permutations is closely related to the variance and the expectancy of this random variable: Lemma The advantage satisfies: ) 1/3 V [h q ] E [h q ]. 1) Proof. For all a, we define Ha) the random variable over b equal to Ha, b). The Bienayme-Chebyshev s inequality yields: Taking ɛ = αe [Ha)]: ɛ > 0, Pr [ Ha) E [Ha)] ɛ] 1 V [Ha)] ɛ. α > 0, Pr [ Ha) E [Ha)] αe [Ha)]] 1 3 V [Ha)] α E [Ha)].

Then α > 0, Pr [Ha) 1 α)e [Ha)]] 1 V [Ha)] α E [Ha)]. Thus, defining E = {b i ) 1 i q Ha, b) 1 α)e [Ha)]}, theorem 1 yields : Then, with α = α > 0, α + V [Ha)] α E [Ha)]. V[Ha)] E[Ha)] ) 1/3: V [Ha)] E [Ha)] ) 1/3 = ) 1/3 V [h q ] E [h q ]. Lemma 3 The mean of h q satisfies: E [h q ] = [ n n 1)... n q + 1) ] k nq. Proof. This result generalizes a theorem found in [1]. We define δ x, with x = x 1,..., x k 1 ) Jn) q k 1, a random variable over b such that δ x = 1 if x 1,..., x k 1, b x 1 x k 1 Jn q and δ x = 0 otherwise. It s clear that h q = δ x, then x Jn) q k 1 E [h q ] = E [δ x ] x Jn) q k 1 = [ the bi x 1 i... x k 1 i are pairwise distinct ] x J q n) k 1 Pr = n n 1)... n q + 1) nq x Jn) q k 1 = Jn q k 1 n n 1)... n q + 1) [ nq n n 1)... n q + 1) ] k = nq. We now focus on the variance of h q. 3. Study of V [h q ] We denote λ q the number of sequences g 1,..., g k J q n such that g 1 g k = 0. These conditions will be referred to as the λ q conditions. This is k sequences 4

of q pairwise distinct elements and q equations so, we could expect λ q to be close to U q := n n 1) n q + 1)) k nq. We see in the next lemma that the problem of knowing how close λ q is from U q is at the core of the computation of the advantage. Lemma 4 The advantage satisfies: ) 1/3 λq 1. U q Proof. We know that h q = x δ x with the sum being over x J q n) k 1, so the linearity of the expected value operator yields: ) V [h q ] = E δ x E [h q ] x ) ) = E δ x δ x E [h q ] + E [h q ] x x [ ) )] [ ] = E δ x δ x E δ x E [h q ] + E [h q ] x x = E δ x δ x E [h q ], x,x x the sum being over x, x J q n) k 1. Then: E δ x δ x = 1 nq δ x b)δ x b). x,x b,x,x We know that δ x b)δ x b), with x, x J q n) k 1, equals 1 if and only if b x 1 x k 1 J q n and b x 1 x k 1 J q n. If we change variables like this: g i := x i and g i+k 1 := x i for all 1 i k 1 and g k 1 := b x 1 x k 1, g k := b x 1 x k 1, we see that b,x,x δ xb)δ x b) is equal to λ q. Then: V [h q ] = λ q nq E [h q] = λ q U q nq since E [h q ] = U q nq. 5

Moreover, using lemma : V [h q ] E [h q ] λq U q U q ) 1/3 ) 1/3 ) 1/3 λq 1. U q The strategy we follow is to evaluate recursively, more and more accurately, the coefficients λ α for 1 α q. 3.3 First evaluation of λ α By definition, λ α+1 is the number of tuples g 1,..., g k J α+1 n such that : 1. the λ α conditions hold,. for all 1 j k, g j α+1 {gj i, 1 i α}, 3. g 1 α+1 g k α+1 = 0. E α+1 ) Hence there are kα equations that should not be verified. For 1 i kα, we denote β i the i-th such equation. Let B i be the set of tuples g 1,..., g k ) which satisfy the λ α conditions, the equation E α+1 ) and the equation β i, for 1 i kα. Then: kα λ α+1 = k 1)n λ α B i. Using the inclusion-exclusion principle: kα λ α+1 = k 1)n λ α + 1) l l=1 i=1 i 1<...<i l B i1... B il. When more than k + 1 equations β i are considered, at least two of them use the same variable, for example g 1 α+1 = g 1 1 and g 1 α+1 = g 1, which is impossible according to the λ α conditions. Thus: λ α+1 = k 1)n λ α + k l=1 1) l Now, we study every kind of intersection. 1 equation : i 1<...<i l B i1... B il. ) 6

The β i equation fixes the value of one new variable, whereas the others are free, so: B i = k )n λ α and there exists kα such sets. l equations l k 1) : Such an intersection is non-empty if every equation β i uses a different new variable. In this case, l new variables are fixed and the others remain free. Thus, B i1... B il = k 1 l)n λ α ) k and there are α l k such non-empty intersections. k equations : Like before, such a set is non-empty if every equation β i uses a different new variable. In this case, the set B i1... B ik is composed of tuples such that gα+1 1 = gi 1 1,..., gα+1 k = gi k k and the equation E α+1 ) implies that: g 1 i 1 g k i k = 0. We denote X this equation and λ αx) the size of B i1... B ik. There are 3 possible cases: If the k indexes in X are equal then X is always true. There are α possibilities and λ αx) = λ α. If k 1 indexes are equal and the last is different, then λ αx) = 0 since X is in contradiction with λ α. There are kαα 1) possibilities. We denote S the set of equations X that are not of the previous types. We denote λ α = max S λ αx). Hence, thanks to ), one has: λ α+1 = k 1)n λ α kαλ α + = kn kα n + k 1 l= k 1 l= k l k l ) 1) l α l k 1 l)n λ α + X ) 1) l α l k l)n ) n α) k α k + n α ) λ α n + α k α kαα 1) ) λ α We denote ɛ α = n λ α λ α n λ α+1 λ α 1, so: λ αx) λ α n + αλ α + λ αx) X S n α) k α k + n α + n λ α λ α α k α kαα 1)) n α) k + n α α kαα 1) + ɛ α α k α kαα 1)) n α) k kα + α n + k 1) + ɛ α α k kα + αk 1)) 7

3.4 Relation between the advantage and ɛ α Lemma 5 For every m 1, the advantage satisfies: m 1 α=1 1 + kα + α n + k 1) + ɛ α α k kα ) 1/3 + αk 1)) n α) k 1). Proof. We know that n U α+1 = n α) k, U α and the result of the previous section yields: λ α+1 U α+1 λ α U α λ α U α n α) k kα + α n + k 1) + ɛ α α k kα ) + αk 1)) n α) k 1 + kα + α n + k 1) + ɛ α α k kα + αk 1)) n α) k Since U 1 = λ 1 = k 1)n : λ m U m m 1 α=1 1 + kα + α n + k 1) + ɛ α α k kα ) + αk 1)) n α) k And Lemma 4 ends the proof. ) 3.5 First approximation of ɛ α Before evaluating ɛ α, we need a technical lemma: Lemma 6 For every α {,..., m}, one has: 1 kα n λ α k 1)n λ α 1 1. 3) Proof. We consider g 1,..., g k Jn α satisfying the conditions λ α 1. To satisfy the conditions λ α, there are n α 1)) possibilities for each gα, 1..., gα k and there are α 1) non-equalities left: gα k 1 g k 1 i and gα k gi k for all i α 1. Since g k α equations on g k 1 α choices for g k 1 α = gα 1 gα k 1, one sees these α 1) non-equalities as. So, there are between n α 1) and n α 1) possible and 1 choice for gα k. Then: λ α 1 n α 1)) k n α 1)) λ α λ α 1 n α 1)) k 1 which is equivalent to: 1 α 1 n ) k 1 ) α 1) n λ α 1 α 1 ) k 1 k 1)n λ α 1 n. Since the left term is bigger than 1 kα and the right term is inferior to 1, it n ends the proof. 8

Lemma 7 Every value λ αx) with X S satisfies : n λ αx) kα 1 + ) λ α 1 kα. n n Proof. We now express λ α in terms of λ α 1. Without loss of generality, we suppose that X involves gα, 1 otherwise we can just reorder the variables. Let i be any index such that gα i is not involved in X this is possible since X S). Let g 1,..., g k Jn α such that the λ α 1 conditions are satisfied. We now count λ αx). There are at most n α 1) possible choices for each gα, j j 1, i. After we made these choices, there are two variables left: gα 1 and gα. i Since gα i is not involved in X, there is only, at most, one possible choice for gα 1 and there is, at most, one possible choice for gα i using the equation gα 1 gα k = 0. Then: λ αx) n α 1)) k λ α 1. Applying lemma 6, one finds that: ) λ αx) n α 1)) k 1 λ α 1 kα k 1)n n Since n α 1 n 1 kα and = 1 +, this ends the proof. 1 kα n 1 kα n )n Remark: These two technical lemmas formalize the intuition that, when one equation is added to the system, one degree of freedom is lost and this divides the number of possible solutions by around n. Finally kα ɛ α ) 1 kα. n n First notice that if q n k, kα + α n ) 0. Then, from lemma 5, q 1 α=1 1 + kα + α n + k 1) + ɛ α α k kα ) 1/3 + αk 1)) n α) k 1). If q n k, all the terms of the product are greater than 1 and q 1 α=1 q 1 α=1 ) 1 + kα + α n + k 1) n α) k + kα αk kα + αk 1)) ) 1 1 kα n n n α) k ) ) 1/3 α n 1 + n α) k + kα ) k+1 1 1 kα n n n α) k q 1 n + n q) k + kq k+1 1 kq n n q) k Thus we have proven that : n ) q 1 1/3. ) 1/3 9

Theorem Upper bound of the advantage using H σ ). The maximal advantage an adversary can get using q queries, with q n k verifies: Notice that q 1 n + n q) k + kq k+1 1 kq n n q) k n ) q 1 ) 1/3 q kqk+ k 1)n 1 q + ) k k+1)n 1 6kq. n ) n Since k 3 and q n, the first term is negligible in front of 1. Moreover, when q k+ k+1)n, 1. Hence we have proven that the XOR of k permutations is safe as long as q k+1 k+ n with this first technique. 1/3. 4 Security bound from the standard H technique We now use the standard H technique, i.e. proofs from the general result the corollary 8) below. In this section, E[h q ] is noted h q to lighten the notations. Corollary 8 Let α > 0. If, for every sequence b = b i ) 1 i q I q n h q b) 1 α) h q, then α. Proof. This result comes immediately from theorem 1 with β = 0 and lemmas 1 and 3. 4.1 First approximation Let us study hα h α. One has: h α+1 = h α n α) k n. We now evaluate h α+1 from h α. From the definition of h α see section 3.1), we see that h α+1 is the number of sequence P j i ) 1 i m,1 j k such that: the h α conditions hold ; P 1 α+1... P k α+1 = b α+1, this equation will be called X ; P j α+1 P j i for every 1 i α, 1 j k. 10

Let β i, 1 kα be the kα ) equations which should be false. Let, for 1 i kα, B i be the set of the P j i for which the h α conditions and the 1 i α+1,1 j k equation β i hold. From the inclusion-exclusion principle, we get: h α+1 = k 1)n h α kα i=1 B i = k 1)n h α + 1) l 1 l kα i 1<...<i l B i1... B il. When k + 1 sets are intersected, at least two equations will use the same P j α+1 variable, which is in contradiction with h α. Thus, h α+1 = k 1)n h α + 1) l B i1... B il. 4) i 1<...<i l 1 l k We study the number of possible messages in function of the number of sets in the intersection. l equations, 1 l k 1: If we want B i1... B il 0, every new β i equation should bring a new variable P j α+1. In this case, X and β i fix l + 1 variables, the remaining ones are free, so B i1... B il = k l 1)n h α and ) k B i1... B il = α l k l 1)n h l α i 1<...<i l k equations: As well as above, in order to have B i1... B ik 0, there must be an equation in every new variable: P j α+1 = P j i j, 1 j k. So the condition P 1 α+1... P k α+1 = b α+1 becomes: P 1 i 1... P k i k = b α+1. Let h αb 1,..., b α+1 )i 1,..., i k ) or h αi 1,..., i k ) the number of P j i ) 1 i α,1 j k such that: I kα n the conditions h α hold, P 1 i 1... P k i k = b α+1. Let Y i 1,..., i k ) be this equality. Thus i 1<...<i k B i1... B ik = From 4), we have: 1 i 1,...,i k α h α+1 = n α) k 1) k α k n h α + 1) k h αi 1,..., i k ). 1 i 1,...,i k α h αi 1,..., i k ). 5) 11

Remark: if k is even, one has: n α) k α k ) h α+1 h α n. So h α+1 h α α k ) 1 h α+1 h α n α) k. As h 1 = h 1 = k 1)n, q k ) q h q h q 1 n q) k ) h q 1 qk+1 n q) k Then, using corollary 8, qk+1 n q) k. The upper bound we get in this case is in the same order of magnitude as the one from [9]. If we study more closely h α, we will get a better inequality. 4. Second approximation In this section, we suppose that k 3. Let M = {i, 1 i α, b i = b α+1 }. If i M, we have h αi,..., i) = h α and if i M, h αi,..., i) = 0. Furthermore, in order to be compatible with h α, if i M, for each 1 j α, i j, h αj, i,..., i) = h αi, j,..., i) =... = h αi,..., i, j) = 0. Let I be the set of the tuples that do not satisfy these requirements. Then I = α k α k M α 1). By applying 5), one gets: h α+1 = n α) k 1) k α k + 1) k n M n h α + 1) k We now need a technical lemma: Lemma 9 If i = i 1,..., i k ) I, 1 i 1,...,i k ) I 3α n α)1 α ) n h αi 1,..., i k ) 1 h n α 1 3α. n h αi 1,..., i k ). Proof. Without loss of generality, we can suppose that i 1 = α and i = α 1 because we can reorder the queries). Let us evaluate h α and h α from h α. To get h α from h α, we have k new variables P j α 1 and P j α, 1 j k, such that: 6) 1

P 1 α... P k α = b α, P 1 α 1... P k α 1 = b α 1, j, 1 j k, i, 1 i α, P j α 1 P j i, j, 1 j k, i, 1 i α 1, P j α P j i. We decide that the first equation will fix P 1 α 1 and the next one P 1 α. For j 3, we have respectively n α ) and n α 1) possibilities for P j α 1 and P j α. When these messages have been chosen, only P α 1 and P α remain, and they must satisfy: P α 1 P i, 1 i α, P α 1 P 1 i b α 1 P 3 α 1... P k α 1, 1 i α, P α P i, 1 i α 1, P α P 1 i b α P 3 α... P k α, 1 i α 1. There are for P α 1 between n α ) and n α ) choices and for P α 1 between n α 1) and n α 1). Thus n α )) k n α 1)) k n α )) n α 1)) hα h α,7) h α h α n α )) k 1 n α 1)) k 1. 8) In order to go from h α to h α, we also have k new variables P j α 1 and P j α, 1 j k, such that: P 1 α 1... P k α 1 = b α 1, P 1 α = b α+1 P α 1 P 3 i 3... P k i k, P 1 α... P k α = b α, j, 1 j k, i, 1 i α, P j α 1 P j i, j, 1 j k, i, 1 i α 1, P j α P j i. We have, for j 4, respectively n α ) and n α 1) possibilities for P j α 1 and P j α. From these 3 equalities, we can fix the following variables: 1. P 1 α 1 = b α 1 P α 1... P k α 1,. P 1 α = b α+1 P α 1 P 3 i 3... P k i k, 3. P α = b α+1 b α ) P α 1 P 3 i 3 P 3 α)... P k i k P k α). Then the condition i, 1 i α, P 1 α 1 P 1 i becomes: i, 1 i α, P α 1 P 1 i b α 1 P 3 α 1... P k α 1, i, 1 i α 1, P 1 α P 1 i becomes: i, 1 i α 1, P α 1 b α+1 P 1 i P 3 i 3... P k i k, i, 1 i α, P α P 1 i becomes: 13

i, 1 i α, P α 1 b α+1 b α ) P i P 3 i 3 P 3 α)... P k i k P k α) For P α P α 1, there are two cases. If i 3 =... = i k = α, since i 1,..., i k ) I, we have b α+1 b α and this non-equality is automatically verified. Else, this means that there is an index 3 j k such that i j α, e.g. j = 3. Then P α P α 1 becomes : P 3 α b α+1 b α ) P 3 i 3... P k i k P k α). Thus, after the other messages have been chosen, there are between n α and n α 1) possibilities for P 3 α, n α ) possibilities for P 3 α 1 and finally between n 4α 7) and n α ) possibilities for P α 1. Then n α )) k n α 1)) k 3 n α) n 4α 7)) h α h α 9) n α )) k 1 n α 1)) k h α h α. 10) From 7,9 we can deduce the following inequalities that allow us to get the result we want: n h α h α n n 4α+7) n α) n α )) n α 1)), n h α h α n n α ) n α )) n α 1)). Remark: if we suppose α < n 1, we get One has: h α+1 h α+1 = h α h α 0 < 1 1α n n h αi 1,..., i k ) h α 1 + 3α n 3α. 11) 1 + 1)k+1 α k n α) k + 1)k n M n h α h α n α) k + 1)k n α) k 1) = h α h α 1 A α ) 13) where A α := 1)k α k n α) k n M 1)k n α) k 1)k n h α h α n α) k. Lemma 10 If q < n 1, A α k.n α n α) k + 1 α k+1 n 3α) n α) k. 14

Proof. We have to study A α according to the parity of k. k even: A α α k n α) k n M n α) k αk α k M α 1))1 1α n α) k n ) n 1α M α + k M α 1))1 ) α k+1 n + n α) k n α) k + 1 n n α) k k.α n α) k + 1 α k+1 n n α) k k odd: α k A α n α) k + n M n α) k + αk α k M α 1))1 + 3α n α) k So, in both cases, n 3α M α + k M α 1))1 + n α) k n α n α) k + 3α k+1 n α) k n 3α) A α n 3α ) n α) k + n 3α ) 3α k+1 n α) k n 3α) k.n α n α) k + 1 α k+1 n 3α) n α) k, From this lemma and 1, Since h 1 = h 1, we get: h α+1 h α 1 k.n α h α+1 h α n α) k 1 α k+1 ) n 3α) n α) k. h q 1 kn q h q n q) k 1 q k+1 ) q n 3q) n q) k 1 kq. n n q) k 1 q k+ n 3q) n q) k. 15

Thus, with corollary 8, we have proven that, when q < n 1 : kq. n n q) k + 1 q k+ n 3q) n q) k 14) Hence we get the following result: kq qk+ k 1)n 1 k q + 1 ) k+1)n 1 k + 3) q n ). 15) n Theorem 3 upper bound for the advantage with the standard H technique). Let k 3 and q < n 1. The advantage to distinguish, with q queries, the XOR of k bijections from a fonction f R F n satisfies: kq qk+ k 1)n 1 k q + 1 ) k+1)n 1 k + 3) q n ). n Since k 3, the first term is negligible when q n. This theorem shows that the XOR of k bijections is indistinguishable when q k+1 k+ n. This upper bound on q is worse than the previous one, but if q k+ k+4 n i.e. for small values of q) this new upper bound on the advantage is actually better. 5 Conclusion This table regroups our results and the previous one from S. Lucks in [9], with order of magnitudes for these bounds beyond the birthday bound : technique upper bound for f 1... f k S. Lucks kn 1) i k H H σ kq k 1)n 1 k q q k 1)n 1 q 0 i<q + 1 k+ q n ) k+1)n 1 k+3) q n ) + k+ kq n ) k k+1)n 1 6kq n ) order of magnitude ) q O k+1 kn 1) ) q O k+ ) k+1)n 1/3 ) ) 1/3 O k qk+ k+1)n Table 1. Comparison of the bounds on the advantage from 3 techniques The upper bound we got with the coefficients H technique is smaller than the one from [9] by a factor q. The one we proved with the coefficients H n σ technique allows us to have 1 when q k+1 k+ n instead of q k k+1 n for [9]. For example with k = 3 we have proven that 1 when q 7 8 n instead of q 3 4 n. However, when q is fixed and k increases, the upper bound from the H technique becomes better than the one from H σ. This graph shows the evolution of the order of magnitude of 16

these three upper bounds in function of the logarithm of q, with k = 5 and n = 40: Table. Upper bound plotted versus the logarithm of q Here is a more accurate view of the region where the curves from H and H σ intersect: Table 3. Upper bound plotted versus the logarithm of q : comparison between H and H σ This illustrates that, depending on the value of q, our best bound can be the one from section 3 or the one from section 4. Moreover, the curve from [9] does not appear in this second graph because its values were much higher than ours around 6 10 4 whereas the bounds from this article are around 4 10 7 in 17

this graph). This shows why the two techniques studied in this paper are both useful. References [1] W. Aiello and R. Venkatesan. Foiling Birthday Attacks in Length Doubling Transformations. In Advances in cryptology - EUROCRYPT 96, pages 307 30. Springer-Verlag, 1996. [] M. Bellare and R. Impagliazzo. A Tool for Obtaining Tighter Security Analyses of Pseudorandom Function Based Constructions, with Applications to PRP to PRF Conversion. eprint Archive 1999/04: Listing for 1999, 1999. [3] M. Bellare, T. Krovetz, and P. Rogaway. Luby-Rackoff Backwards: Increasing Security by Making Block Ciphers Non-invertible. In K. Nyberg, editor, Advances in cryptology - EUROCRYPT 1998, pages 66 80. Springer-Verlag, 1998. [4] O. Goldreich, S. Goldwasser, and S. Micali. How to Construct Random Functions. Journal of the ACM, 334):79 807, 1986. [5] C. Hall, D. Wagner, J. Kelsey, and B. Schneier. Building PRFs from PRPs. In H. Krawcyk, editor, Advances in cryptology - CRYPTO 1998, pages 370 389. Springer-Verlag, 1998. [6] L. Levin. One Way Functions and Pseudorandom Generators. Combinatorica, 74):357 363, 1987. [7] M. Luby and C. Rackoff. How to Construct Pseudorandom Permutations from Pseudorandom Functions. SIAM J. Comput., 17):373 386, 1988. [8] S. Lucks. Faster Luby-Rackoff Ciphers. In Fast Software Encryption 1996, pages 189 05. Springer-Verlag, 1996. [9] S. Lucks. The Sum of PRPs Is a Secure PRF. In B. Preneel, editor, Advances in Cryptology - EUROCRYPT 000, pages 470 484. Springer-Verlag, 000. [10] A. Mandal, V. Nachef, and J. Patarin. Indifferentiability beyond the Birthday Bound for the Xor of Two Public Random Permutations. In Progress in Cryptology - INDOCRYPT 010, pages 69 81, 010. [11] M. Naor and O. Reingold. On the Construction of Pseudo-Random Permutations: Luby-Rackoff Revisited. Journal of Cryptology, 11):9 66, 1999. [1] J. Patarin. A Proof of Security in O n ) for the Xor of Two Random Permutation. In R. Safavi-Naini, editor, ICITS 008, pages 38 345. Springer-Verlag, 008. [13] J. Patarin. Generic Attacks for the Xor of k Random Permutations. Available on eprint, 008. [14] J. Patarin. The "coefficients H" Technique. In Selected Areas in Cryptography 008, pages 38 345. Springer-Verlag, 008. [15] J. Patarin. Security in O n ) for the Xor of Two Random Permutations - Proof with the standard H technique -. Available on eprint, 013. 18

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback