Abstract
This article takes a new step towards closing the gap between pseudorandom functions (PRF) and their popular, bounded-input-length counterparts. This gap is both quantitative, because these counterparts are more efficient than PRF in various ways, and methodological, because these counterparts usually fit in the substitution-permutation network paradigm (SPN), which has not been used to construct PRF.
We give several candidate PRF Fi that are inspired by the SPN paradigm. Most of our candidates are more efficient than previous ones. Our main candidates are as follows.
—F1 : {0,1}n → {0,1}n is an SPN whose S-box is a random function on b bits given as part of the seed. We prove that F1 resists attacks that run in time ≤ 2ϵb.
—F2 : {0,1}n → {0,1}n is an SPN where the S-box is (patched) field inversion, a common choice in practical constructions. We show that F2 is computable with boolean circuits of size n ⋅ logO(1) n and that it has exponential security 2Ω(n) against linear and differential cryptanalysis.
—F3 : {0,1}n → {0,1} is a nonstandard variant on the SPN paradigm, where “states” grow in length. We show that F3 is computable with TC0 circuits of size n1 + ϵ, for any ϵ > 0, and that it is almost 3-wise independent.
—F4 : {0,1}n → {0,1} uses an extreme setting of the SPN parameters (one round, one S-box, no diffusion matrix). The S-box is again (patched) field inversion. We show that F4 is computable by circuits of size n ⋅ logO(1) n and that it fools all parity tests on ≤20.9n outputs.
Assuming the security of our candidates, our work narrows the gap between the Natural Proofs barrier and existing lower bounds in three models: circuits, TC0 circuits, and Turing machines.
- Scott Aaronson and Avi Wigderson. 2009. Algebrization: A new barrier in complexity theory. ACM Trans. Comput. Theory 1, 1 (2009) Article 2. DOI=http://dx.doi.org/10.1145/1490270.1490272 Google ScholarDigital Library
- Adi Akavia, Andrej Bogdanov, Siyao Guo, Akshay Kamath, and Alon Rosen. 2014. Candidate weak pseudorandom functions in AC0 ˆ MOD2. In Proceedings of the 5th Conference on Innovations in Theoretical Computer Science (ITCS'14). ACM, New York, NY, 251--260. DOI=http://dx.doi.org/10.1145/2554797.2554821 Google ScholarDigital Library
- Eric Allender and Michal Koucký. 2010. Amplifying lower bounds by means of self-reducibility. J. ACM 57, 3, (2010) Article 14. DOI=http://dx.doi.org/10.1145/1706591.1706594 Google ScholarDigital Library
- Noga Alon, Oded Goldreich, Johan Håastad, and René Peralta. 1992. Simple constructions of almost k-wise independent random variables. Random Struct. Algorith. 3, 3 (1992), 289--304. DOI=http://dx.doi.org/10.1002/rsa.3240030308 Google ScholarDigital Library
- Noga Alon, Oded Goldreich, and Yishay Mansour. 2003. Almost k-wise independence versus k-wise independence. Inf. Process. Lett. 88, 3 (2003), 107--110. DOI=http://dx.doi.org/10.1016/S0020-0190(03)00359-4 Google ScholarDigital Library
- Theodore Baker, John Gill, and Robert Solovay. 1975. Relativizations of the P=?NP question. SIAM J. Comput. 4, 4 (1975), 431--442. DOI=http://dx.doi.org/10.1137/0204037Google ScholarDigital Library
- Abhishek Banerjee and Chris Peikert. 2014. New and improved key-homomorphic pseudorandom functions. In Proceedings of the 34th Annual Cryptology Conference (CRYPTO), Part I. 353--370. DOI=http://dx.doi.org/10.1007/978-3-662-44371-2_20Google ScholarCross Ref
- Abhishek Banerjee, Chris Peikert, and Alon Rosen. 2012. Pseudorandom functions and lattices. In Proceedings of the 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT). 719--737. DOI=http://dx.doi.org/10.1007/978-3-642-29011-4_42 Google ScholarDigital Library
- Louay M. J. Bazzi. 2009. Polylogarithmic independence can fool DNF formulas. SIAM J. Comput. 38, 6 (2009), 2220--2272. DOI=http://dx.doi.org/10.1137/070691954 Google ScholarDigital Library
- Mihir Bellare, Joe Kilian, and Phillip Rogaway. 2000. The security of the cipher block chaining message authentication code. J. Comput. Syst. Sci. 61, 3 (Dec. 2000), 362--399. DOI=http://dx.doi.org/10.1006/jcss.1999.1694 Google ScholarDigital Library
- E. Biham and A. Shamir. 1991. Differential cryptanalysis of DES-like cryptosystems. J. Cryptol. 4, 1 (1991), 3--72. DOI=http://10.1007/BF00630563 Google ScholarDigital Library
- Mark Braverman. 2009. Poly-logarithmic independence fools AC0 circuits. In Proceedings of the 24th Annual IEEE Conference on Computational Complexity (CCC'09). IEEE Computer Society, 3--8. http://dx.doi.org/10.1109/CCC.2009.35 Google ScholarDigital Library
- Alex Brodsky and Shlomo Hoory. 2008. Simple permutations mix even better. Random Struct. Algorith. 32, 3 (May 2008), 274--289. DOI=http://dx.doi.org/10.1002/rsa.v32:3 Google ScholarDigital Library
- Hong-Su Cho, Soo Hak Sung, Daesung Kwon, Jung-Keun Lee, Jung Hwan Song, and Jongin Lim. 2004. New method for bounding the maximum differential probability for SPNs and ARIA. In Proceedings of the 7th International Conference on Information Security and Cryptology (ICISC'04), Choon-sik Park and Seongtaek Chee (Eds.), Springer-Verlag, Berlin, Heidelberg, 21--32. DOI=http://dx.doi.org/10.1007/11496618_4 Google ScholarDigital Library
- Joan Daemen. 1995. Cipher and hash function design strategies based on linear and differential cryptanalysis. Ph.D. Dissertation, K.U. Leuven, Leuven, Flanders, Belgium.Google Scholar
- Joan Daemen and Vincent Rijmen. 2002. The Design of Rijndael: AES - The Advanced Encryption Standard. Springer Verlag, New York, Inc., Secaucus, NJ. Google ScholarDigital Library
- Shimon Even and Yishay Mansour. 1997. A construction of a cipher from a single pseudorandom permutation. J. Cryptol. 10, 3 (June 1997), 151--162. DOI=http://dx.doi.org/10.1007/s001459900025 Google ScholarDigital Library
- Anna Gál, Kristoffer Arnsfelt Hansen, Michal Koucký, Pavel Pudlák, and Emanuele Viola. 2013. Tight bounds on computing error-correcting codes by bounded-depth circuits with arbitrary gates. IEEE Trans. Inform. Theory 59, 10 (2013), 6611--6627. DOI=http://dx.doi.org/10.1109/TIT.2013.2270275 Google ScholarDigital Library
- Shuhong Gao, Joachim von zur Gathen, Daniel Panario, and Victor Shoup. 2000. Algorithms for exponentiation in finite fields. J. Symb. Comput. 29, 6 (June 2000), 879--889. DOI=http://dx.doi.org/10.1006/jsco.1999.0309 Google ScholarDigital Library
- Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, and Søren S. Thomsen. 2011. Grøstl: A SHA-3 candidate. http://www.groestl.info.Google Scholar
- Craig Gentry and Zulfikar Ramzan. 2004. Eliminating random permutation oracles in the Even-Mansour Cipher. In Proceedings of the 10th International Conference on the Theory and Application of Cryptology and Information security (ASIACRYPT). 32--47. DOI=http://dx.doi.org/10.1007/978-3-540-30539-2_3Google ScholarCross Ref
- A. Gerasoulis. 1988. A fast algorithm for the multiplication of generalized Hilbert matrices with vectors. Math. Comp. 50 (1988), 179--188. DOI=http://dx.doi.org/10.1090/S0025-5718-1988-0917825-9Google ScholarCross Ref
- Oded Goldreich. 2001. Foundations of Cryptography: Volume 1. Cambridge University Press, New York, NY. Google ScholarDigital Library
- Oded Goldreich, Shafi Goldwasser, and Silvio Micali. 1986. How to construct random functions. J. ACM 33, 4 (August 1986), 792--807. DOI=http://dx.doi.org/10.1145/6490.6503 Google ScholarDigital Library
- Oded Goldreich and Leonid Levin. 1989. A hard-core predicate for all one-way functions. In Proceedings of the 21st annual ACM Symposium on Theory of Computing (STOC'89), D. S. Johnson (Ed.), ACM, New York, NY, 25--32. DOI=http://dx.doi.org/10.1145/73007.73010 Google ScholarDigital Library
- W. T. Gowers. 1996. An almost m-wise independent random permutation of the cube. Combinatorics, Probab. Comput. 5, 2 (1996), 119--130. DOI=http://dx.doi.org/10.1017/S0963548300001917Google ScholarCross Ref
- Iftach Haitner, Omer Reingold, and Salil P. Vadhan. 2010. Efficiency improvements in constructing pseudorandom generators from one-way functions. In Proceedings of the ACM Symposium on Theory of Computing (STOC'10). ACM, New York, NY, 437--446. DOI=http://dx.doi.org/10.1145/1806689.1806750 Google ScholarDigital Library
- Johan Håstad, Russell Impagliazzo, Leonid A. Levin, and Michael Luby. 1999. A pseudorandom generator from any one-way function. SIAM J. Comput. 28, 4 (March 1999), 1364--1396. DOI=http://dx.doi.org/10.1137/S0097539793244708 Google ScholarDigital Library
- Alexander Healy and Emanuele Viola. 2006. Constant-depth circuits for arithmetic in finite fields of characteristic two. In Proceedings of the 23rd Annual Conference on Theoretical Aspects of Computer Science (STACS'06). Bruno Durand and Wolfgang Thomas (Eds.), Springer-Verlag, Berlin, Heidelberg, 672--683. DOI=http://dx.doi.org/10.1007/11672142_55 Google ScholarDigital Library
- William Hesse, Eric Allender, and David A. Mix Barrington. 2002. Uniform constant-depth threshold circuits for division and iterated multiplication. J. Comput. Syst. Sci. 65, 4 (December 2002), 695--716. DOI=http://dx.doi.org/10.1016/S0022-0000(02)00025-9 Google ScholarDigital Library
- Shlomo Hoory, Avner Magen, Steven Myers, and Charles Rackoff. 2005. Simple permutations mix well. Theor. Comput. Sci. 348, 2 (December 2005), 251--261. DOI=http://dx.doi.org/10.1016/j.tcs.2005.09.016 Google ScholarDigital Library
- T. Jakobsen and L. R. Knudsen. 2001. Attacks on block ciphers of low algebraic degree. J. Cryptol. 14, 3 (January 2001), 197--210. DOI=http://dx.doi.org/10.1007/s00145-001-0003-x Google ScholarDigital Library
- Ju-Sung Kang, Seokhie Hong, Sangjin Lee, Okyeon Yi, Choonsik Park, and Jongin Lim. 2001. Practical and provable security against differential and linear cryptanalysis for substitution-permutation networks. ETRI J. 23, 4 (Dec. 2001), 158--167. DOI=http://dx.doi.org/10.4218/etrij.01.0101.0402Google ScholarCross Ref
- Liam Keliher, Henk Meijer, and Stafford E. Tavares. 2001. New method for upper bounding the maximum average linear hull probability for SPNs. In Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques: Advances in Cryptology (EUROCRYPT'01). Birgit Pfitzmann (Ed.), Springer-Verlag, London, 420--436. Google ScholarDigital Library
- Lars R. Knudsen. 1994. Truncated and higher order differentials. In Proceedings of the 2nd Internatinal Workshop on Fast Software Encryption (FSE). 196--211. DOI=http://dx.doi.org/10.1007/3-540-60590-8_16Google Scholar
- Swastik Kopparty. 2011. On the complexity of powering in finite fields. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing (STOC'11). ACM, New York, NY, 489--498. DOI=http://dx.doi.org/10.1145/1993636.1993702 Google ScholarDigital Library
- Eyal Kushilevitz and Noam Nisan. 1997. Communication Complexity. Cambridge University Press, New York, NY. Google ScholarDigital Library
- Michael Luby and Charles Rackoff. 1988. How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Comput. 17, 2 (April 1988), 373--386. DOI=http://dx.doi.org/10.1137/0217022 Google ScholarDigital Library
- M. Matsui. 1994. Linear cryptanalysis method for DES cipher. In Proceedings of the Workshop on the Theory and Application of Cryptographic Techniques on Advances in Cryptology (EUROCRYPT'93), Tor Helleseth (Ed.). Springer-Verlag New York, Inc., Secaucus, NJ, 386--397. Google ScholarDigital Library
- Eric Miles and Emanuele Viola. 2012. Substitution-permutation networks, pseudorandom functions, and natural proofs. In Proceedings of the 32nd Annual Cryptology Conference (CRYPTO). 68--85. DOI=http://dx.doi.org/10.1007/978-3-642-32009-5_5Google ScholarDigital Library
- Joseph Naor and Moni Naor. 1993. Small-bias probability spaces: Efficient constructions and applications. SIAM J. Comput. 22, 4 (August 1993), 838--856. DOI=http://dx.doi.org/10.1137/0222053 Google ScholarDigital Library
- Moni Naor and Omer Reingold. 1999. On the construction of pseudorandom permutations: Luby-Rackoff revisited. J. Cryptol. 12, 1 (January 1999), 29--66. DOI=http://dx.doi.org/10.1007/PL00003817 Google ScholarDigital Library
- Moni Naor and Omer Reingold. 2004. Number-theoretic constructions of efficient pseudo-random functions. J. ACM 51, 2 (March 2004), 231--262. DOI=http://dx.doi.org/10.1145/972639.972643 Google ScholarDigital Library
- Moni Naor, Omer Reingold, and Alon Rosen. 2002. Pseudorandom functions and factoring. SIAM J. Comput. 31, 5 (May 2002), 1383--1404. DOI=http://dx.doi.org/10.1137/S0097539701389257 Google ScholarDigital Library
- Kaisa Nyberg. 1993. Differentially uniform mappings for cryptography. In Proceedings of the Workshop on the Theory and Application of Cryptographic Techniques on Advances in Cryptology (EUROCRYPT'93). Tor Helleseth (Ed.), Springer-Verlag New York, Inc., Secaucus, NJ, 55--64. Google ScholarDigital Library
- Josef Pieprzyk. 1991. On bent permutations. In Proceedings of the International Conference on Finite Fields, Coding Theory, and Advances in Communications and Computing. Lecture Notes in Pure and Applied Math, Vol. 141. Marcel Dekker, Inc.Google Scholar
- Zulfikar Ramzan and Leonid Reyzin. 2000. On the round security of symmetric-key cryptographic primitives. In Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO'00), Mihir Bellare (Ed.)., Springer-Verlag, London, 376--393. Google ScholarDigital Library
- Alexander Razborov and Steven Rudich. 1997. Natural proofs. J. Comput. Syst. Sci. 55, 1 (August 1997), 24--35. DOI=http://dx.doi.org/10.1006/jcss.1997.1494 Google ScholarDigital Library
- Alexander A. Razborov. 2009. A simple proof of Bazzi's theorem. ACM Trans. Comput. Theory 1, 1 (February 2009). Article 3. DOI=http://dx.doi.org/10.1145/1490270.1490273 Google ScholarDigital Library
- Ron M. Roth and Gadiel Seroussi. 1985. On generator matrices of MDS codes. IEEE Trans. Inf. Theor. 31, 6 (November 1985), 826--830. DOI=http://dx.doi.org/10.1109/TIT.1985.1057113 Google ScholarDigital Library
- Claude Shannon. 1949. Communication theory of secrecy systems. Bell Syst. Tech. J. 28, 4 (1949), 656--715. DOI=http://dx.doi.org/10.1002/j.1538-7305.1949.tb00928.xGoogle ScholarCross Ref
- Salil P. Vadhan and Colin Jia Zheng. 2012. Characterizing pseudoentropy and simplifying pseudorandom generator constructions. In Proceedings of the 44th Annual ACM Symposium on Theory of Computing (STOC'12). ACM, New York, NY, 817--836. DOI=http://dx.doi.org/10.1145/2213977.2214051 Google ScholarDigital Library
- Joachim von zur Gathen and Jürgen Gerhard. 2003. Modern Computer Algebra (2nd ed.). Cambridge University Press, New York, NY. Google ScholarDigital Library
- Ryan Williams. 2011. Non-uniform ACC circuit lower bounds. In Proceedings of the IEEE Conference on Computational Complexity (CCC). 115--125. DOI=http://dx.doi.org/10.1109/CCC.2011.36 Google ScholarDigital Library
- Hongjun Wu. 2011. The hash function JH. http://www3.ntu.edu.sg/home/wuhj/research/jh/index.html.Google Scholar
Index Terms
- Substitution-Permutation Networks, Pseudorandom Functions, and Natural Proofs
Recommendations
Substitution-permutation networks resistant to differential and linear cryptanalysis
In this paper we examine a class of product ciphers referred to as substitution-permutation networks. We investigate the resistance of these cryptographic networks to two important attacks: differential cryptanalysis and linear cryptanalysis. In ...
Substitution-Permutation Networks, Pseudorandom Functions, and Natural Proofs
Proceedings of the 32nd Annual Cryptology Conference on Advances in Cryptology --- CRYPTO 2012 - Volume 7417This paper takes a new step towards closing the troubling gap between pseudorandom functions PRF and their popular, bounded-input-length counterparts. This gap is both quantitative, because these counterparts are more efficient than PRF in various ways, ...
Comments