A Proof of Security in O(2^n) for the Xor of Two Random Permutations

Xoring two permutations is a very simple way to construct pseudorandom functions from pseudorandom permutations. The aim of this paper is to get precise security results for this construction. Since this construction has many applications in cryptography (see [2,3,4,6] for example), the problem is interesting both from a theoretical and from a practical point of view. In [6], it was proved that Xoring two random permutations gives a secure pseudorandom function if $m \ll 2^{\frac{2n}{3}}$. By "secure" we mean here that the scheme will resist all adaptive chosen plaintext attacks limited to $m$ queries (even with unlimited computing power). More generally, in [6] it is also proved that with the Xor of $k$ permutations, instead of 2, we have security when $m \ll 2^{\frac{kn}{k+1}}$. In this paper we will prove that for $k = 2$ we in fact already have security when $m \ll O(2^n)$. We therefore obtain a proof of a result similar to the one claimed in [2] (security when $m \ll O(2^n / n^{2/3})$). Moreover, our proof is very different from the proof strategy suggested in [2] (we do not use the Azuma inequality or Chernoff bounds, for example), and we obtain precise and explicit $O$ functions. Another interesting point of our proof is that it shows that this (cryptographic) security problem is directly related to a purely combinatorial problem that is very simple to describe. An extended version of this paper can be obtained on eprint [8].
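The construction the abstract discusses, as an added example that is not code from the paper: two random permutations on $n$ bits are modelled as shuffled lookup tables for a toy block size, the pseudorandom function is $f(x) = P_1(x) \oplus P_2(x)$, and a collision-counting distinguisher shows the basic reason for Xoring. A single permutation never repeats an output, so a lone PRP is told apart from a random function once roughly $2^{n/2}$ distinct queries have been made (the birthday bound), whereas the Xor of two permutations does produce output collisions, like a random function. The block size `N_BITS`, the fixed seed and the helper names are assumptions for the demonstration; the code does not reproduce the paper's bound, only the construction and the distinguishing experiment it is designed to survive.

```python
import random
from typing import Callable, List, Optional, Tuple

N_BITS = 8              # toy value of the paper's n; a real block size would be 64 or 128
DOMAIN = 1 << N_BITS    # number of n-bit strings, 2^n = 256 here


def random_permutation(rng: random.Random) -> List[int]:
    """A uniformly random permutation of {0, ..., 2^n - 1} as a lookup table.

    Stand-in for one of the random permutations P1, P2 of the abstract.
    """
    table = list(range(DOMAIN))
    rng.shuffle(table)
    return table


def xor_of_two_permutations(p1: List[int], p2: List[int]) -> Callable[[int], int]:
    """The construction under study: f(x) = P1(x) XOR P2(x)."""
    return lambda x: p1[x] ^ p2[x]


def first_collision(oracle: Callable[[int], int], m: int) -> Optional[int]:
    """Query the oracle on m distinct points (0 .. m-1) and return the index of the
    query whose output repeats an earlier one, or None if all m outputs differ."""
    seen = {}
    for i in range(m):
        y = oracle(i)
        if y in seen:
            return i
        seen[y] = i
    return None


def collision_distinguisher(oracle: Callable[[int], int], m: int) -> str:
    """Verdict of the birthday distinguisher after m chosen-plaintext queries.

    A random permutation can never collide, so "permutation" is certain for a
    lone PRP; a random function (and the Xor of two permutations) collides
    with overwhelming probability once m is well beyond 2^(n/2).
    """
    return "permutation" if first_collision(oracle, m) is None else "not a permutation"


def sample_instance(seed: int) -> Tuple[List[int], List[int], Callable[[int], int]]:
    """Build P1, P2 and f = P1 XOR P2 from a fixed seed (constructed demo data)."""
    rng = random.Random(seed)
    p1 = random_permutation(rng)
    p2 = random_permutation(rng)
    return p1, p2, xor_of_two_permutations(p1, p2)


if __name__ == "__main__":
    p1, p2, f = sample_instance(2024)
    m = DOMAIN  # query the whole toy domain; far beyond the birthday bound 2^(n/2) = 16
    print("P1 alone  :", collision_distinguisher(lambda x: p1[x], m))
    print("P1 xor P2 :", collision_distinguisher(f, m))
    print("first repeated output of P1 xor P2 at query", first_collision(f, m))
```

With `N_BITS = 8` the whole domain is queried, which is deliberately far past the birthday bound so the contrast is stark: the single permutation reports no collision after all 256 queries, while the Xor construction repeats an output early on. The paper's contribution is the quantitative statement that, for the Xor of two permutations, no adaptive distinguisher at all succeeds until $m$ approaches $O(2^n)$, which this experiment illustrates but does not prove.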

[1] Stefan Lucks et al. The Sum of PRPs Is a Secure PRF. EUROCRYPT 2000.

[2] Ueli Maurer et al. The Security of Many-Round Luby-Rackoff Pseudo-Random Permutations. EUROCRYPT 2003.

[3] Jacques Patarin et al. The "Coefficients H" Technique. Selected Areas in Cryptography 2009.

[4] Kenneth Rogers et al. A combinatorial problem in Abelian groups. Mathematical Proceedings of the Cambridge Philosophical Society, 1963.

[5] Bruce Rothschild et al. Marshall Hall, Jr. 1982.

[6] Mihir Bellare et al. Luby-Rackoff Backwards: Increasing Security by Making Block Ciphers Non-invertible. EUROCRYPT 1998.

[7] Ramarathnam Venkatesan et al. Foiling Birthday Attacks in Length-Doubling Transformations - Benes: A Non-Reversible Alternative to Feistel. EUROCRYPT 1996.

[8] Bruce Schneier et al. Building PRFs from PRPs. CRYPTO 1998.

[9] Jacques Patarin et al. On Linear Systems of Equations with Distinct Variables and Small Block Size. ICISC 2005.

[10] Jacques Patarin et al. Luby-Rackoff: 7 Rounds Are Enough for 2^{n(1-epsilon)} Security. CRYPTO 2003.

[11] 陈永武. α. 1995.

[12] Roger C. Lyndon et al. Problems in Combinatorial Group Theory. 1987.

[13] Mihir Bellare et al. A tool for obtaining tighter security analyses of pseudorandom function based constructions, with applications to PRP to PRF conversion. IACR Cryptology ePrint Archive, 1999.

[14] Jacques Patarin. Etude des generateurs de permutations pseudo-aleatoires bases sur le schema du D.E.S. 1991.

[15] Jacques Patarin. Luby-Rackoff: 7 rounds are enough for 2^{n(1-ε)} security. 2003.