Analysis of the single-permutation encrypted Davies–Meyer construction

We consider the so-called Encrypted Davies–Meyer (EDM) construction, which turns a permutation $P$ on $\{0,1\}^n$ into a function from $\{0,1\}^n$ to $\{0,1\}^n$ defined as $P(P(x) \oplus x)$. A similar construction using two independent permutations, namely $P'(P(x) \oplus x)$, was previously analyzed by Cogliati and Seurin (Advances in cryptology—CRYPTO 2016 (Proceedings, Part I). LNCS, vol 9814, pp. 121–149, 2016), who showed that when $P$ and $P'$ are secret and random, any black-box adversary needs at least roughly $2^{2n/3}$ queries to distinguish the construction from a uniformly random function from $\{0,1\}^n$ to $\{0,1\}^n$. In this paper, we focus on the single-permutation variant of the construction. Our main result is that the PRF-security of the single-permutation EDM construction is also (at least) roughly $2^{2n/3}$, in the sense that any black-box adversary needs at least this number of queries to distinguish the construction from a uniformly random function. This yields the first PRP-to-PRF conversion method which uses a single permutation, does not shrink the original domain nor range of the permutation, and provides security beyond the birthday bound.
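As an added illustration (this code is not from the paper), the following Python implements both the single-permutation EDM construction and the two-permutation variant of Cogliati and Seurin over a small constructed random permutation, and enumerates the whole domain to show the PRP-to-PRF conversion concretely: $P$ is a bijection, while $x \mapsto P(P(x) \oplus x)$ stays on the same domain and range but is a non-injective function. The permutation size `n` and seed are assumptions chosen so the table can be enumerated.

```python
import random


def random_permutation(n: int, seed: int) -> list[int]:
    """Constructed stand-in for a secret random permutation P on {0,1}^n.

    n is kept small so that the whole domain can be enumerated; a real
    instantiation would use a block cipher under a secret key.
    """
    rng = random.Random(seed)
    table = list(range(1 << n))
    rng.shuffle(table)
    return table


def edm(p: list[int], x: int) -> int:
    """Single-permutation EDM: x -> P(P(x) xor x)."""
    return p[p[x] ^ x]


def edm2(p: list[int], p2: list[int], x: int) -> int:
    """Two-permutation variant (Cogliati-Seurin): x -> P'(P(x) xor x)."""
    return p2[p[x] ^ x]


def collision_count(outputs: list[int]) -> int:
    """Domain points whose image was already hit; 0 exactly for a bijection."""
    return len(outputs) - len(set(outputs))


def image_stats(n: int, seed: int) -> dict[str, int]:
    """Enumerate P, EDM and the two-permutation variant on all of {0,1}^n.

    Returns collision counts and the maximum output, which checks that
    neither construction leaves the n-bit range of P.
    """
    p = random_permutation(n, seed)
    p2 = random_permutation(n, seed + 1)   # independent second permutation
    domain = range(1 << n)
    edm_out = [edm(p, x) for x in domain]
    edm2_out = [edm2(p, p2, x) for x in domain]
    return {
        "perm_collisions": collision_count(p),
        "edm_collisions": collision_count(edm_out),
        "edm2_collisions": collision_count(edm2_out),
        "max_output": max(edm_out + edm2_out),
    }


if __name__ == "__main__":
    print(image_stats(n=8, seed=1))
```

A PRP is trivially distinguishable from a random function once a collision is observed (a permutation never collides); the enumeration shows EDM removes that distinguisher by producing collisions at roughly the rate of a random function.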

[1] Silvio Micali et al. How to construct random functions, 1986, JACM.

[2] Mihir Bellare et al. A concrete security treatment of symmetric encryption, 1997, Proceedings 38th Annual Symposium on Foundations of Computer Science.

[3] John P. Steinberger et al. Counting solutions to additive equations in random sets, 2013, arXiv.

[4] Benoit Cogliati et al. The Indistinguishability of the XOR of k Permutations, 2014, FSE.

[5] Mihir Bellare et al. The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs, 2006, EUROCRYPT.

[6] Daniel J. Bernstein et al. Stronger Security Bounds for Wegman-Carter-Shoup Authenticators, 2005, EUROCRYPT.

[7] Jacques Patarin et al. The "Coefficients H" Technique, 2009, Selected Areas in Cryptography.

[8] Bruce Schneier et al. Building PRFs from PRPs, 1998, CRYPTO.

[9] Bart Preneel et al. On the XOR of Multiple Random Permutations, 2015, ACNS.

[10] Jacques Patarin. Pseudorandom Permutations Based on the D.E.S. Scheme, 1990, ESORICS.

[11] Jacques Patarin et al. A Proof of Security in O(2^n) for the Xor of Two Random Permutations, 2008, ICITS.

[12] Stefan Lucks et al. The Sum of PRPs Is a Secure PRF, 2000, EUROCRYPT.

[13] Mihir Bellare et al. A tool for obtaining tighter security analyses of pseudorandom function based constructions, with applications to PRP to PRF conversion, 1999, IACR Cryptol. ePrint Arch.

[14] Bart Mennink et al. Encrypted Davies-Meyer and Its Dual: Towards Optimal Security Using Mirror Theory, 2017, CRYPTO.

[15] Silvio Micali et al. How to construct random functions, 1986, JACM.

[16] Stefano Tessaro et al. Information-Theoretic Indistinguishability via the Chi-Squared Method, 2017, CRYPTO.

[17] Mihir Bellare et al. Luby-Rackoff Backwards: Increasing Security by Making Block Ciphers Non-invertible, 1998, EUROCRYPT.

[18] Brice Minaud et al. The Iterated Random Permutation Problem with Applications to Cascade Encryption, 2015, CRYPTO.

[19] Victor Shoup et al. On Fast and Provably Secure Message Authentication Based on Universal Hashing, 1996, CRYPTO.

[20] John P. Steinberger et al. Minimizing the Two-Round Even–Mansour Cipher, 2014, Journal of Cryptology.

[21] Jacques Patarin et al. Introduction to Mirror Theory: Analysis of Systems of Linear Equalities and Linear Non Equalities for Cryptography, 2010, IACR Cryptol. ePrint Arch.

[22] Shay Gueron et al. How Many Queries are Needed to Distinguish a Truncated Random Permutation from a Random Function?, 2014, Journal of Cryptology.

[23] Valérie Nachef et al. Indifferentiability beyond the Birthday Bound for the Xor of Two Public Random Permutations, 2010, INDOCRYPT.

[24] Benoit Cogliati et al. EWCDM: An Efficient, Beyond-Birthday Secure, Nonce-Misuse Resistant MAC, 2016, CRYPTO.

[25] Mridul Nandi et al. A note on the chi-square method: A tool for proving cryptographic security, 2018, Cryptography and Communications.

[26] Jacques Patarin et al. Security in O(2^n) for the Xor of Two Random Permutations - Proof with the standard H technique, 2013, IACR Cryptol. ePrint Arch.

[27] John P. Steinberger et al. Tight Security Bounds for Key-Alternating Ciphers, 2014, EUROCRYPT.

[28] Michael Luby et al. How to Construct Pseudo-Random Permutations from Pseudo-Random Functions (Abstract), 1986, CRYPTO.

[29] Larry Carter et al. New Hash Functions and Their Use in Authentication and Set Equality, 1981, J. Comput. Syst. Sci.

[30] Harald Niederreiter et al. Probability and computing: randomized algorithms and probabilistic analysis, 2006, Math. Comput.