Substitution-Permutation Networks, Pseudorandom Functions, and Natural Proofs

This article takes a new step towards closing the gap between pseudorandom functions (PRFs) and their popular, bounded-input-length counterparts. This gap is both quantitative, because these counterparts are more efficient than PRFs in various ways, and methodological, because these counterparts usually fit in the substitution-permutation network (SPN) paradigm, which has not been used to construct PRFs. We give several candidate PRFs F_i that are inspired by the SPN paradigm. Most of our candidates are more efficient than previous ones. Our main candidates are as follows.

— F_1 : {0,1}^n → {0,1}^n is an SPN whose S-box is a random function on b bits given as part of the seed. We prove that F_1 resists attacks that run in time ≤ 2^{εb}.

— F_2 : {0,1}^n → {0,1}^n is an SPN where the S-box is (patched) field inversion, a common choice in practical constructions. We show that F_2 is computable with boolean circuits of size n · log^{O(1)} n and that it has exponential security 2^{Ω(n)} against linear and differential cryptanalysis.

— F_3 : {0,1}^n → {0,1} is a nonstandard variant on the SPN paradigm, where "states" grow in length. We show that F_3 is computable with TC^0 circuits of size n^{1+ε}, for any ε > 0, and that it is almost 3-wise independent.

— F_4 : {0,1}^n → {0,1} uses an extreme setting of the SPN parameters (one round, one S-box, no diffusion matrix). The S-box is again (patched) field inversion. We show that F_4 is computable by circuits of size n · log^{O(1)} n and that it fools all parity tests on ≤ 2^{0.9n} outputs.

Assuming the security of our candidates, our work narrows the gap between the Natural Proofs barrier and existing lower bounds in three models: circuits, TC^0 circuits, and Turing machines.
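As an added example (not code from the paper or its authors), here is a toy SPN in the style of F_2: round-key XOR, the patched field-inversion S-box on b = 8 bits, and a circulant MDS diffusion layer; the 32-bit block, the AES representation of GF(2^8) and the [2,3,1,1] matrix are assumptions. It also computes the S-box's differential uniformity, the quantity that bounds the best single-S-box differential characteristic.

```python
# Added example: a toy F_2-style SPN over GF(2^8). Assumptions (not from the
# paper): AES reduction polynomial, [2,3,1,1] circulant MDS matrix, 4-byte state.
POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1

def gf_mul(a, b):
    """Multiply two GF(2^8) elements modulo POLY (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r

def gf_inv_patched(x):
    """Patched inversion x -> x^254: the inverse for x != 0, and 0 for x = 0."""
    r, base, e = 1, x, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base, e = gf_mul(base, base), e >> 1
    return r

SBOX = [gf_inv_patched(x) for x in range(256)]  # the b = 8 bit S-box of F_2

def differential_uniformity(sbox):
    """Max over nonzero input diff a and any output diff d of #{x: S(x^a)^S(x) = d}."""
    best = 0
    for a in range(1, 256):
        counts = [0] * 256
        for x in range(256):
            counts[sbox[x ^ a] ^ sbox[x]] += 1
        best = max(best, max(counts))
    return best

def mix(state):
    """Diffusion layer: circulant MDS matrix [2,3,1,1] over GF(2^8)."""
    c = [2, 3, 1, 1]
    return [gf_mul(c[0], state[i]) ^ gf_mul(c[1], state[(i + 1) % 4])
            ^ gf_mul(c[2], state[(i + 2) % 4]) ^ gf_mul(c[3], state[(i + 3) % 4])
            for i in range(4)]

def spn(block, round_keys, sbox=SBOX):
    """One round per round key: key XOR, S-box per byte, diffusion.
    A seeded random table passed as sbox gives the F_1-style variant."""
    state = list(block)
    for rk in round_keys:
        state = mix([sbox[s ^ k] for s, k in zip(state, rk)])
    return bytes(state)
```

The differential uniformity of patched inversion over GF(2^8) comes out as 4, so no single-S-box differential holds with probability above 4/256.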
