2014 | OriginalPaper | Chapter
XLS is Not a Strong Pseudorandom Permutation
Author : Mridul Nandi
Published in: Advances in Cryptology – ASIACRYPT 2014
Publisher: Springer Berlin Heidelberg
In FSE 2007, Ristenpart and Rogaway described a generic method, XLS, to construct a length-preserving strong pseudorandom permutation (SPRP) over bit-strings of length at least n. It requires a length-preserving permutation $\mathcal{E}$ over all bit-strings whose length is a multiple of n and a blockcipher E with block size n. The SPRP security of XLS was proved under the SPRP assumptions on both $\mathcal{E}$ and E. In this paper we disprove that claim by demonstrating an SPRP distinguisher for XLS which makes only three queries and has distinguishing advantage about 1/2. XLS uses a multi-permutation linear function called mix2. In this paper, we also show that if we replace mix2 by any invertible linear function, the construction XLS still remains insecure. Thus the mode has an inherent weakness.
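The abstract distinguishes mix2, a linear multi-permutation, from arbitrary invertible linear functions. The following Python example is added here and is not code from the paper or from the XLS authors; mix2 itself is not reproduced, because the abstract does not define it. It brute-force checks, on a toy 8-bit word width, whether a mixing function on a pair of words (A, B) -> (A', B') is a permutation and whether it is a (2,2)-multi-permutation, i.e. whether any two of the four values A, B, A', B' determine the other two. The three mixing functions and the width N = 8 are constructed for illustration only; the GF(2^8) doubling uses the AES reduction polynomial.

```python
from itertools import combinations
from typing import Callable, Dict, Tuple

N = 8                       # toy word width in bits (assumption, not the paper's n)
MASK = (1 << N) - 1

Pair = Tuple[int, int]
Mix = Callable[[int, int], Pair]


def rot1(x: int) -> int:
    """Rotate an N-bit word left by one bit."""
    return ((x << 1) | (x >> (N - 1))) & MASK


def xtime(x: int) -> int:
    """Multiply by x in GF(2^8) using the AES polynomial x^8+x^4+x^3+x+1."""
    x <<= 1
    if x & 0x100:
        x ^= 0x11B
    return x & MASK


# Three constructed mixing functions (not mix2 from XLS):
def mix_swap_xor(a: int, b: int) -> Pair:
    """Invertible, but B' = A leaks nothing about B: not a multi-permutation."""
    return (a ^ b, a)


def mix_rot(a: int, b: int) -> Pair:
    """Linear but not even invertible: (1..1, 1..1) collides with (0, 0)."""
    return (a ^ rot1(b), rot1(a) ^ b)


def mix_field(a: int, b: int) -> Pair:
    """[[1,1],[1,2]] over GF(2^8): all entries and the determinant (3) are
    nonzero, which makes it a (2,2)-multi-permutation."""
    return (a ^ b, a ^ xtime(b))


def _all_tuples(mix: Mix):
    """Every (A, B, A', B') tuple of the map over the whole domain."""
    out = []
    for a in range(1 << N):
        for b in range(1 << N):
            ap, bp = mix(a, b)
            out.append((a, b, ap, bp))
    return out


def is_permutation(mix: Mix) -> bool:
    """True iff (A, B) -> (A', B') is a bijection on the full domain."""
    seen = {(t[2], t[3]) for t in _all_tuples(mix)}
    return len(seen) == 1 << (2 * N)


def multipermutation_report(mix: Mix) -> Dict[Tuple[str, str], bool]:
    """For each choice of two coordinates out of (A, B, A', B'), report
    whether that pair determines the whole tuple (i.e. the projection is
    injective). All six True means the map is a (2,2)-multi-permutation."""
    names = ("A", "B", "A'", "B'")
    tuples = _all_tuples(mix)
    report = {}
    for i, j in combinations(range(4), 2):
        seen = {(t[i], t[j]) for t in tuples}
        report[(names[i], names[j])] = len(seen) == len(tuples)
    return report


def is_multipermutation(mix: Mix) -> bool:
    return all(multipermutation_report(mix).values())


if __name__ == "__main__":
    for name, mix in (("swap_xor", mix_swap_xor),
                      ("rot", mix_rot),
                      ("field", mix_field)):
        print(name, "permutation:", is_permutation(mix),
              "multi-permutation:", is_multipermutation(mix))
        for pair, ok in multipermutation_report(mix).items():
            print("   ", pair, "determines the rest:", ok)
```

Running the script shows that invertibility and the multi-permutation property are different things: mix_swap_xor is a permutation but fails on the pair (A, B'), mix_rot fails only on (A', B') because it is not injective at all, and mix_field passes every check.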