Abstract
This article takes a new step towards closing the gap between pseudorandom functions (PRF) and their popular, bounded-input-length counterparts. This gap is both quantitative, because these counterparts are more efficient than PRF in various ways, and methodological, because these counterparts usually fit in the substitution-permutation network paradigm (SPN), which has not been used to construct PRF.
We give several candidate PRF Fi that are inspired by the SPN paradigm. Most of our candidates are more efficient than previous ones. Our main candidates are as follows.
—F1 : {0,1}n → {0,1}n is an SPN whose S-box is a random function on b bits given as part of the seed. We prove that F1 resists attacks that run in time ≤ 2ϵb.
—F2 : {0,1}n → {0,1}n is an SPN where the S-box is (patched) field inversion, a common choice in practical constructions. We show that F2 is computable with boolean circuits of size n ⋅ logO(1) n and that it has exponential security 2Ω(n) against linear and differential cryptanalysis.
—F3 : {0,1}n → {0,1} is a nonstandard variant on the SPN paradigm, where “states” grow in length. We show that F3 is computable with TC0 circuits of size n1 + ϵ, for any ϵ > 0, and that it is almost 3-wise independent.
—F4 : {0,1}n → {0,1} uses an extreme setting of the SPN parameters (one round, one S-box, no diffusion matrix). The S-box is again (patched) field inversion. We show that F4 is computable by circuits of size n ⋅ logO(1) n and that it fools all parity tests on ≤20.9n outputs.
Assuming the security of our candidates, our work narrows the gap between the Natural Proofs barrier and existing lower bounds in three models: circuits, TC0 circuits, and Turing machines.
- Scott Aaronson and Avi Wigderson. 2009. Algebrization: A new barrier in complexity theory. ACM Trans. Comput. Theory 1, 1 (2009) Article 2. DOI=http://dx.doi.org/10.1145/1490270.1490272 Google Scholar
Digital Library
- Adi Akavia, Andrej Bogdanov, Siyao Guo, Akshay Kamath, and Alon Rosen. 2014. Candidate weak pseudorandom functions in AC0 ˆ MOD2. In Proceedings of the 5th Conference on Innovations in Theoretical Computer Science (ITCS'14). ACM, New York, NY, 251--260. DOI=http://dx.doi.org/10.1145/2554797.2554821 Google Scholar
Digital Library
- Eric Allender and Michal Koucký. 2010. Amplifying lower bounds by means of self-reducibility. J. ACM 57, 3, (2010) Article 14. DOI=http://dx.doi.org/10.1145/1706591.1706594 Google Scholar
Digital Library
- Noga Alon, Oded Goldreich, Johan Håastad, and René Peralta. 1992. Simple constructions of almost k-wise independent random variables. Random Struct. Algorith. 3, 3 (1992), 289--304. DOI=http://dx.doi.org/10.1002/rsa.3240030308 Google Scholar
Digital Library
- Noga Alon, Oded Goldreich, and Yishay Mansour. 2003. Almost k-wise independence versus k-wise independence. Inf. Process. Lett. 88, 3 (2003), 107--110. DOI=http://dx.doi.org/10.1016/S0020-0190(03)00359-4 Google Scholar
Digital Library
- Theodore Baker, John Gill, and Robert Solovay. 1975. Relativizations of the P=?NP question. SIAM J. Comput. 4, 4 (1975), 431--442. DOI=http://dx.doi.org/10.1137/0204037Google Scholar
Digital Library
- Abhishek Banerjee and Chris Peikert. 2014. New and improved key-homomorphic pseudorandom functions. In Proceedings of the 34th Annual Cryptology Conference (CRYPTO), Part I. 353--370. DOI=http://dx.doi.org/10.1007/978-3-662-44371-2_20Google Scholar
Cross Ref
- Abhishek Banerjee, Chris Peikert, and Alon Rosen. 2012. Pseudorandom functions and lattices. In Proceedings of the 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT). 719--737. DOI=http://dx.doi.org/10.1007/978-3-642-29011-4_42 Google Scholar
Digital Library
- Louay M. J. Bazzi. 2009. Polylogarithmic independence can fool DNF formulas. SIAM J. Comput. 38, 6 (2009), 2220--2272. DOI=http://dx.doi.org/10.1137/070691954 Google Scholar
Digital Library
- Mihir Bellare, Joe Kilian, and Phillip Rogaway. 2000. The security of the cipher block chaining message authentication code. J. Comput. Syst. Sci. 61, 3 (Dec. 2000), 362--399. DOI=http://dx.doi.org/10.1006/jcss.1999.1694 Google Scholar
Digital Library
- E. Biham and A. Shamir. 1991. Differential cryptanalysis of DES-like cryptosystems. J. Cryptol. 4, 1 (1991), 3--72. DOI=http://10.1007/BF00630563 Google Scholar
Digital Library
- Mark Braverman. 2009. Poly-logarithmic independence fools AC0 circuits. In Proceedings of the 24th Annual IEEE Conference on Computational Complexity (CCC'09). IEEE Computer Society, 3--8. http://dx.doi.org/10.1109/CCC.2009.35 Google Scholar
Digital Library
- Alex Brodsky and Shlomo Hoory. 2008. Simple permutations mix even better. Random Struct. Algorith. 32, 3 (May 2008), 274--289. DOI=http://dx.doi.org/10.1002/rsa.v32:3 Google Scholar
Digital Library
- Hong-Su Cho, Soo Hak Sung, Daesung Kwon, Jung-Keun Lee, Jung Hwan Song, and Jongin Lim. 2004. New method for bounding the maximum differential probability for SPNs and ARIA. In Proceedings of the 7th International Conference on Information Security and Cryptology (ICISC'04), Choon-sik Park and Seongtaek Chee (Eds.), Springer-Verlag, Berlin, Heidelberg, 21--32. DOI=http://dx.doi.org/10.1007/11496618_4 Google Scholar
Digital Library
- Joan Daemen. 1995. Cipher and hash function design strategies based on linear and differential cryptanalysis. Ph.D. Dissertation, K.U. Leuven, Leuven, Flanders, Belgium.Google Scholar
- Joan Daemen and Vincent Rijmen. 2002. The Design of Rijndael: AES - The Advanced Encryption Standard. Springer Verlag, New York, Inc., Secaucus, NJ. Google Scholar
Digital Library
- Shimon Even and Yishay Mansour. 1997. A construction of a cipher from a single pseudorandom permutation. J. Cryptol. 10, 3 (June 1997), 151--162. DOI=http://dx.doi.org/10.1007/s001459900025 Google Scholar
Digital Library
- Anna Gál, Kristoffer Arnsfelt Hansen, Michal Koucký, Pavel Pudlák, and Emanuele Viola. 2013. Tight bounds on computing error-correcting codes by bounded-depth circuits with arbitrary gates. IEEE Trans. Inform. Theory 59, 10 (2013), 6611--6627. DOI=http://dx.doi.org/10.1109/TIT.2013.2270275 Google Scholar
Digital Library
- Shuhong Gao, Joachim von zur Gathen, Daniel Panario, and Victor Shoup. 2000. Algorithms for exponentiation in finite fields. J. Symb. Comput. 29, 6 (June 2000), 879--889. DOI=http://dx.doi.org/10.1006/jsco.1999.0309 Google Scholar
Digital Library
- Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel, Christian Rechberger, Martin Schläffer, and Søren S. Thomsen. 2011. Grøstl: A SHA-3 candidate. http://www.groestl.info.Google Scholar
- Craig Gentry and Zulfikar Ramzan. 2004. Eliminating random permutation oracles in the Even-Mansour Cipher. In Proceedings of the 10th International Conference on the Theory and Application of Cryptology and Information security (ASIACRYPT). 32--47. DOI=http://dx.doi.org/10.1007/978-3-540-30539-2_3Google Scholar
Cross Ref
- A. Gerasoulis. 1988. A fast algorithm for the multiplication of generalized Hilbert matrices with vectors. Math. Comp. 50 (1988), 179--188. DOI=http://dx.doi.org/10.1090/S0025-5718-1988-0917825-9Google Scholar
Cross Ref
- Oded Goldreich. 2001. Foundations of Cryptography: Volume 1. Cambridge University Press, New York, NY. Google Scholar
Digital Library
- Oded Goldreich, Shafi Goldwasser, and Silvio Micali. 1986. How to construct random functions. J. ACM 33, 4 (August 1986), 792--807. DOI=http://dx.doi.org/10.1145/6490.6503 Google Scholar
Digital Library
- Oded Goldreich and Leonid Levin. 1989. A hard-core predicate for all one-way functions. In Proceedings of the 21st annual ACM Symposium on Theory of Computing (STOC'89), D. S. Johnson (Ed.), ACM, New York, NY, 25--32. DOI=http://dx.doi.org/10.1145/73007.73010 Google Scholar
Digital Library
- W. T. Gowers. 1996. An almost m-wise independent random permutation of the cube. Combinatorics, Probab. Comput. 5, 2 (1996), 119--130. DOI=http://dx.doi.org/10.1017/S0963548300001917Google Scholar
Cross Ref
- Iftach Haitner, Omer Reingold, and Salil P. Vadhan. 2010. Efficiency improvements in constructing pseudorandom generators from one-way functions. In Proceedings of the ACM Symposium on Theory of Computing (STOC'10). ACM, New York, NY, 437--446. DOI=http://dx.doi.org/10.1145/1806689.1806750 Google Scholar
Digital Library
- Johan Håstad, Russell Impagliazzo, Leonid A. Levin, and Michael Luby. 1999. A pseudorandom generator from any one-way function. SIAM J. Comput. 28, 4 (March 1999), 1364--1396. DOI=http://dx.doi.org/10.1137/S0097539793244708 Google Scholar
Digital Library
- Alexander Healy and Emanuele Viola. 2006. Constant-depth circuits for arithmetic in finite fields of characteristic two. In Proceedings of the 23rd Annual Conference on Theoretical Aspects of Computer Science (STACS'06). Bruno Durand and Wolfgang Thomas (Eds.), Springer-Verlag, Berlin, Heidelberg, 672--683. DOI=http://dx.doi.org/10.1007/11672142_55 Google Scholar
Digital Library
- William Hesse, Eric Allender, and David A. Mix Barrington. 2002. Uniform constant-depth threshold circuits for division and iterated multiplication. J. Comput. Syst. Sci. 65, 4 (December 2002), 695--716. DOI=http://dx.doi.org/10.1016/S0022-0000(02)00025-9 Google Scholar
Digital Library
- Shlomo Hoory, Avner Magen, Steven Myers, and Charles Rackoff. 2005. Simple permutations mix well. Theor. Comput. Sci. 348, 2 (December 2005), 251--261. DOI=http://dx.doi.org/10.1016/j.tcs.2005.09.016 Google Scholar
Digital Library
- T. Jakobsen and L. R. Knudsen. 2001. Attacks on block ciphers of low algebraic degree. J. Cryptol. 14, 3 (January 2001), 197--210. DOI=http://dx.doi.org/10.1007/s00145-001-0003-x Google Scholar
Digital Library
- Ju-Sung Kang, Seokhie Hong, Sangjin Lee, Okyeon Yi, Choonsik Park, and Jongin Lim. 2001. Practical and provable security against differential and linear cryptanalysis for substitution-permutation networks. ETRI J. 23, 4 (Dec. 2001), 158--167. DOI=http://dx.doi.org/10.4218/etrij.01.0101.0402Google Scholar
Cross Ref
- Liam Keliher, Henk Meijer, and Stafford E. Tavares. 2001. New method for upper bounding the maximum average linear hull probability for SPNs. In Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques: Advances in Cryptology (EUROCRYPT'01). Birgit Pfitzmann (Ed.), Springer-Verlag, London, 420--436. Google Scholar
Digital Library
- Lars R. Knudsen. 1994. Truncated and higher order differentials. In Proceedings of the 2nd Internatinal Workshop on Fast Software Encryption (FSE). 196--211. DOI=http://dx.doi.org/10.1007/3-540-60590-8_16Google Scholar
- Swastik Kopparty. 2011. On the complexity of powering in finite fields. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing (STOC'11). ACM, New York, NY, 489--498. DOI=http://dx.doi.org/10.1145/1993636.1993702 Google Scholar
Digital Library
- Eyal Kushilevitz and Noam Nisan. 1997. Communication Complexity. Cambridge University Press, New York, NY. Google Scholar
Digital Library
- Michael Luby and Charles Rackoff. 1988. How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Comput. 17, 2 (April 1988), 373--386. DOI=http://dx.doi.org/10.1137/0217022 Google Scholar
Digital Library
- M. Matsui. 1994. Linear cryptanalysis method for DES cipher. In Proceedings of the Workshop on the Theory and Application of Cryptographic Techniques on Advances in Cryptology (EUROCRYPT'93), Tor Helleseth (Ed.). Springer-Verlag New York, Inc., Secaucus, NJ, 386--397. Google Scholar
Digital Library
- Eric Miles and Emanuele Viola. 2012. Substitution-permutation networks, pseudorandom functions, and natural proofs. In Proceedings of the 32nd Annual Cryptology Conference (CRYPTO). 68--85. DOI=http://dx.doi.org/10.1007/978-3-642-32009-5_5Google Scholar
Digital Library
- Joseph Naor and Moni Naor. 1993. Small-bias probability spaces: Efficient constructions and applications. SIAM J. Comput. 22, 4 (August 1993), 838--856. DOI=http://dx.doi.org/10.1137/0222053 Google Scholar
Digital Library
- Moni Naor and Omer Reingold. 1999. On the construction of pseudorandom permutations: Luby-Rackoff revisited. J. Cryptol. 12, 1 (January 1999), 29--66. DOI=http://dx.doi.org/10.1007/PL00003817 Google Scholar
Digital Library
- Moni Naor and Omer Reingold. 2004. Number-theoretic constructions of efficient pseudo-random functions. J. ACM 51, 2 (March 2004), 231--262. DOI=http://dx.doi.org/10.1145/972639.972643 Google Scholar
Digital Library
- Moni Naor, Omer Reingold, and Alon Rosen. 2002. Pseudorandom functions and factoring. SIAM J. Comput. 31, 5 (May 2002), 1383--1404. DOI=http://dx.doi.org/10.1137/S0097539701389257 Google Scholar
Digital Library
- Kaisa Nyberg. 1993. Differentially uniform mappings for cryptography. In Proceedings of the Workshop on the Theory and Application of Cryptographic Techniques on Advances in Cryptology (EUROCRYPT'93). Tor Helleseth (Ed.), Springer-Verlag New York, Inc., Secaucus, NJ, 55--64. Google Scholar
Digital Library
- Josef Pieprzyk. 1991. On bent permutations. In Proceedings of the International Conference on Finite Fields, Coding Theory, and Advances in Communications and Computing. Lecture Notes in Pure and Applied Math, Vol. 141. Marcel Dekker, Inc.Google Scholar
- Zulfikar Ramzan and Leonid Reyzin. 2000. On the round security of symmetric-key cryptographic primitives. In Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO'00), Mihir Bellare (Ed.)., Springer-Verlag, London, 376--393. Google Scholar
Digital Library
- Alexander Razborov and Steven Rudich. 1997. Natural proofs. J. Comput. Syst. Sci. 55, 1 (August 1997), 24--35. DOI=http://dx.doi.org/10.1006/jcss.1997.1494 Google Scholar
Digital Library
- Alexander A. Razborov. 2009. A simple proof of Bazzi's theorem. ACM Trans. Comput. Theory 1, 1 (February 2009). Article 3. DOI=http://dx.doi.org/10.1145/1490270.1490273 Google Scholar
Digital Library
- Ron M. Roth and Gadiel Seroussi. 1985. On generator matrices of MDS codes. IEEE Trans. Inf. Theor. 31, 6 (November 1985), 826--830. DOI=http://dx.doi.org/10.1109/TIT.1985.1057113 Google Scholar
Digital Library
- Claude Shannon. 1949. Communication theory of secrecy systems. Bell Syst. Tech. J. 28, 4 (1949), 656--715. DOI=http://dx.doi.org/10.1002/j.1538-7305.1949.tb00928.xGoogle Scholar
Cross Ref
- Salil P. Vadhan and Colin Jia Zheng. 2012. Characterizing pseudoentropy and simplifying pseudorandom generator constructions. In Proceedings of the 44th Annual ACM Symposium on Theory of Computing (STOC'12). ACM, New York, NY, 817--836. DOI=http://dx.doi.org/10.1145/2213977.2214051 Google Scholar
Digital Library
- Joachim von zur Gathen and Jürgen Gerhard. 2003. Modern Computer Algebra (2nd ed.). Cambridge University Press, New York, NY. Google Scholar
Digital Library
- Ryan Williams. 2011. Non-uniform ACC circuit lower bounds. In Proceedings of the IEEE Conference on Computational Complexity (CCC). 115--125. DOI=http://dx.doi.org/10.1109/CCC.2011.36 Google Scholar
Digital Library
- Hongjun Wu. 2011. The hash function JH. http://www3.ntu.edu.sg/home/wuhj/research/jh/index.html.Google Scholar
Index Terms
Substitution-Permutation Networks, Pseudorandom Functions, and Natural Proofs
Recommendations
Substitution-Permutation Networks, Pseudorandom Functions, and Natural Proofs
Proceedings of the 32nd Annual Cryptology Conference on Advances in Cryptology --- CRYPTO 2012 - Volume 7417This paper takes a new step towards closing the troubling gap between pseudorandom functions PRF and their popular, bounded-input-length counterparts. This gap is both quantitative, because these counterparts are more efficient than PRF in various ways, ...
Hardness amplification proofs require majority
STOC '08: Proceedings of the fortieth annual ACM symposium on Theory of computingHardness amplification is the fundamental task of converting a δ-hard function f : (0, 1)n -> (0, 1) into a (1/2-ε)-hard function Amp(f), where f is γ-hard if small circuits fail to compute f on at least a γ fraction of the inputs. Typically, ε,δ are ...
Substitution-permutation networks resistant to differential and linear cryptanalysis
In this paper we examine a class of product ciphers referred to as substitution-permutation networks. We investigate the resistance of these cryptographic networks to two important attacks: differential cryptanalysis and linear cryptanalysis. In ...






Comments