Cryptography - Pseudo-Random Permutations

These are used to model block ciphers. The ideal block cipher is a collection $E = {π_{1}, . . ., π_{2^{s}}}$ of random permutations $π_{i} : {0,1}^{n} \to {0,1}^{n}$ , and encryption is described by $C = π_{k} (M)$ , where $k$ is the shared key in ${{1,...,2}^{s}}$ , and decryption is $M = π_{k}^{- 1} (C)$ . Of course this is impossible to achieve in practice, so we use pseudo random permutations. We adopt the Luby-Rackoff definition ['88].

$π : {0,1}^{n} \times {0,1}^{s} \to {0,1}^{n}$ is a $(t, ε, q)$ -PRP if

For any $K \in {0,1}^{s}$ , $π_{k}$ is a one-to-one function from ${0,1}^{n}$ to ${0,1}^{n}$ .
For any $K \in {0,1}^{s}$ , there is an "efficient" algorithm to evaluate $π_{K} (x)$ .
For any $t$ -time algorithm $A$ we have
$∣ \Pr_{K \leftarrow {0,1}^{s}} [A^{π_{K}}] - \Pr_{σ \leftarrow 𝒫} [A^{σ}] ∣ < ε$
where $A$ makes $q$ oracle queries and $𝒫 = {π : {0,1}^{n} \to {0,1}^{n}, π$ a permutation $}$ is the set of all permutations on ${0,1}^{n}$ .

In other words, under a chosen plaintext attack, $π_{K}$ cannot be distinguished from a random permutation. But the definition does not cater for chosen ciphertext attacks, which inspires the following:

$π : {0,1}^{n} \times {0,1}^{s} \to {0,1}^{n}$ is a $(t, ε, q)$ -SPRP (Strong PRP) if

For any $K \in {0,1}^{s}$ , $π_{k}$ is a one-to-one function from ${0,1}^{n}$ to ${0,1}^{n}$ .
For any $K \in {0,1}^{s}$ , there is an "efficient" algorithm to evaluate $π_{K} (x)$ and $π_{K}^{- 1} (x)$ .
For any $t$ -time algorithm $A$ we have
$∣ \Pr_{K \leftarrow {0,1}^{s}} [A^{π_{K}, π_{K}^{- 1}}] - \Pr_{σ \leftarrow 𝒫} [A^{σ, σ^{- 1}}] ∣ < ε$
where $A$ makes $q$ oracle queries.

Suppose DES is a $(t, ε, q)$ -PRP. Recall it acts as a permutation on 64 bits at a time. Using DES, can we build a PRP that acts on blocks twice as large, i.e. $π : {0,1}^{128} \times {0,1}^{56} \to {0,1}^{128}$ ? In general, can we construct large SPRP's from smaller ones?

Luby-Rackoff Construction

We show how to construct a PRP from a PRF. Recall that given $L, R \in {0,1}^{n}$ and $f : {0,1}^{n} \to {0,1}^{n}$ , the Feistel permutation is $D_{f} (L ∣ ∣ R) = R ∣ ∣ L \oplus f (R)$ . It is clear that $D_{f} : {0,1}^{2 n} \to {0,1}^{2 n}$ is a permutation.

Theorem: [LR] If $f : {0,1}^{n} \times {0,1}^{s} \to {0,1}^{n}$ is a $(t, ε, q)$ -PRF then

$E_{K_{1}, K_{2}, K_{3}}^{LR} = D_{F_{K_{1}}} (D_{F_{K_{2}}} (D_{F_{K_{3}}}))$ is a $(T, ε + q^{2} / 2^{n}, q)$ -PRP.
$E_{K_{1}, K_{2}, K_{3}, K_{4}}^{LR} = D_{F_{K_{1}}} (D_{F_{K_{2}}} (D_{F_{K_{3}}} (D_{F_{K_{4}}})))$ is a $(T, ε + q^{2} / 2^{n}, q)$ -SPRP.

We cannot get away with fewer rounds. A permutation $E$ constructed using only a two-round Feistel network cannot be a PRP, for if we let $E (L, R) = (L', R')$ , we would have $E (L \oplus T, R) = (L' \oplus T, R')$ , which happens with very low probability for a random permutation.

Similarly, three-round Feistel does not produce SPRP's. [Exercise]

However, note that with two-round Feistel, $E = D_{f_{1}} (D_{f_{2}})$ cannot be distinguished from a random permutation ${0,1}^{2 n} \to {0,1}^{2 n}$ under a known (random) plaintext attack and ciphertext attack, that is, if we are given ${(x_{1}, E (x_{1})), . . ., (x_{q}, E (x_{q}))}$ for random $x_{1}, . . ., x_{q}$ . This observation inspires the following:

Define condition (*) as follows: for all $i \neq j, x_{i} ∣_{R} \neq x_{j} ∣_{R}$ , and $E (x_{i}) ∣_{L} \neq E (x_{j}) ∣_{L}$ . (This condition does not hold for the attack on two-round Feistel.)

It turns out that when (*) holds, ${(x_{1}, E (x_{1}), . . ., (x_{q}, E (x_{q})}$ is from the same distribution as $q$ input/output pairs of a random permutation.

In the Luby-Rackoff construction, the role of $D_{f_{1}}, D_{f_{4}}$ is to ensure condition (*) holds for $D_{f_{2}} (D_{f_{3}})$ . In fact, there is a better way of making sure the condition holds [NR'98]: replace $D_{f_{1}}, D_{f_{4}}$ by pairwise independent permutations:

Definition: $H = {h_{λ} : A \to A}_{λ \in Λ}$ is a family of pairwise independent permutations if $h_{λ}$ is a permutation for any $λ \in Λ$ and for all $α \neq β \in A$ , we have

\Pr_{h \leftarrow H} [h (x) = α \land h (y) = β] = \frac{1}{∣ A ∣} \frac{1}{∣ A ∣ - 1}

An example of such a family is

H = {h_{a, b} (x) = ax + b mod p}_{a \in 𝔽_{p}^{*}, b \in 𝔽_{p}^{*}}, h_{a, b} : 𝔽_{p} \to 𝔽_{p}, ∣ H ∣ = p (p - 1)

is such a family.

Now suppose $f : {0,1}^{n} \times {0,1}^{s} \to {0,1}^{n}$ , and $H = {h_{λ} : {0,1}^{2 n} \to {0,1}^{2 n}}_{λ \in Λ}$ . For $M \in {0,1}^{2 n}$ , define

E_{λ_{1}, λ_{2}, K_{1}, K_{2}}^{NR} (M) = h_{λ_{1}} (D_{f_{K_{1}}} (D_{f_{K_{2}}} (h_{λ_{2}} (M))))

Theorem: If $H$ is a family of pairwise independent permutations and $f$ is a $(t, ε, q)$ -PRF then $E^{NR}$ is a $(t,2 ε + q^{2} / 2^{n} + q^{2} / 2^{n + 1}, q)$ -SPRP for any $q > 0$ .

So it is secure as long as $q ≪ 2^{n / 2}$ . For example, with DES, $n = 32$ , so $q ≪ 2^{16}$ , which is useless. (In contrast, AES has blocksizes of 128, 192 and 256 bits.)

Proof: Let $𝒫_{2 n} = {{0,1}^{2 n} \to {0,1}^{2 n}$ permutaitons $}$ , and write $E$ for $E^{NR}$ . We use a hybrid argument. For all $t$ -time $A$ ,

\begin{matrix} ∣ \Pr_{K_{1}, K_{2} \leftarrow {0,1}^{s}, λ_{1}, λ_{2} \leftarrow Λ} [A^{E_{K_{1}, K_{2}, λ_{1}, λ_{2}}, E^{- 1}}] - \Pr_{σ \leftarrow 𝒫_{2 n}} [A^{σ, σ^{- 1}}] ∣ \\ \leq & ∣ \Pr_{K_{1}, K_{2} \leftarrow {0,1}^{s}, λ_{1}, λ_{2} \leftarrow Λ} [A^{E_{K_{1}, K_{2}, λ_{1}, λ_{2}}, E^{- 1}}] - \Pr_{f_{1}, f_{2} \leftarrow ℱ_{n}, λ_{1}, λ_{2} \leftarrow Λ} [A^{E_{1}, E_{1}^{- 1}}] ∣ \\ + & ∣ \Pr_{f_{1}, f_{2} \leftarrow ℱ_{n}, λ_{1}, λ_{2} \leftarrow Λ} [A^{E_{1}, E_{1}^{- 1}}] - \Pr [A^{{RR}^{- 1}, ({RR}^{- 1})^{- 1}}] ∣ \\ + & ∣ \Pr [A^{{RR}^{- 1}, ({RR}^{- 1})^{- 1}}] - \Pr_{σ \leftarrow 𝒫_{2 n}} [A^{σ, σ^{- 1}}] ∣ \end{matrix}

(let us call the three quantities $(1)$ , $(2)$ and $(3)$ ) where $E_{1}^{λ_{1}, λ_{2}, f_{1}, f_{2}} = h_{λ_{1}} (D_{f_{1}} (D_{f_{2}} (h_{λ_{2}})))$ (that is, we replace the PRF's with random functions) and when $A$ queries ${RR}^{- 1}$ and $({RR}^{- 1})^{- 1}$ , consistent random values are returned (i.e. consistent with previous values). [Hence it is not necessarily a permutation.]

It can be shown that $(1) \leq 2 ε$ , using the definition of PRF. It can also be shown that $(3) \leq q^{2} / 2^{2 n + 1}$ using an information theoretic argument based on the birthday paradox. Lastly, $(2) \leq q^{2} / 2^{n}$ , by using the fact that condition (*) holds.

The story so far:

one-way function \Rightarrow PRNG (BM) \Rightarrow PRF (GGM) \Rightarrow PRP (LR)

As for the converses, from the first assignment, we know that $PRF \Rightarrow PRNG \Rightarrow one-way functions$ . We would like to know if $PRP \Rightarrow PRF$ . This is of practical interest because we would like to take off-the-shelf PRP's such as DES or AES and use them as PRF's (e.g. for MAC's).

If we simply use a PRP as a PRF: from above, a $(t, ε, q)$ -SPRP on ${0,1}^{n}$ is only a $(t, ε + q^{2} / 2^{n + 1}, q)$ -PRF (insecure for $q \approx 2^{n / 2}$ ).

Another method[BI'99]: Let $π : {0,1}^{n} \times {0,1}^{s} \to {0,1}^{n}$ be a $(t, ε, q)$ -PRP. Define $F_{K_{1}, K_{2}} (x) = π_{K_{1}} (x) \oplus π_{K_{2}} (x)$ . Then $F_{K_{1}, K_{2}}$ is a $(t, ε + q / 2^{n} + (q / 2^{n})^{3 / 2} n, 2 q)$ -PRF. (i.e. secure until $q \approx 2^{n} / n^{2 / 3}$ ).

Yet another method[BI'99]: Define $F_{K} (x) = π_{K} (x) ∣_{1 . . . m}$ for some $m \leq n$ . Then $F_{K}$ is a $(t, ε + q 2^{m / 2} / 2^{n}, q)$ -PRF for any $q < 2^{m}$ . For example, for $m = (2 / 3) n$ , we need $q ≪ 2^{2 n / 3}$ for security.

Now we have a good way of doubling the blocksize of DES. If try to use DES directy in the LR construction we have weak bounds. Instead, we shoould use ${DES}_{K_{1}} \oplus {DES}_{K_{2}}$ .