Full Indifferentiable Security of the Xor of Two or More Random Permutations Using the χ2 Method

The construction \(\mathsf {XORP}\) (the bitwise xor of the outputs of two independent n-bit random permutations) has gained broad attention over the last two decades because of its high security. Very recently, Dai et al. (CRYPTO'17), using a method they term the Chi-squared method (\(\chi ^2\) method), showed n-bit security of \(\mathsf {XORP}\) when the underlying random permutations are kept secret from the adversary. In this work, we consider the case where the underlying random permutations are publicly available to the adversary. The best known security of \(\mathsf {XORP}\) in this security game (indifferentiability) is \(\frac{2n}{3}\) bits, due to Mennink et al. (ACNS'15). Later, Lee (IEEE-IT'17) proved a better \(\frac{(k-1)n}{k}\)-bit bound for the general construction \(\mathsf {XORP}[k]\), which returns the xor of k (\(\ge 2\)) independent random permutations; however, that bound was shown only for even k. In this paper, we improve all these known bounds and prove full, i.e., n-bit, indifferentiable security of \(\mathsf {XORP}\) as well as of \(\mathsf {XORP}[k]\) for any k. Our main result is the n-bit security of \(\mathsf {XORP}\), which we prove using the \(\chi ^2\) method.
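The following toy model makes the construction in the abstract concrete and shows why "n-bit security" is the best one can hope for. It is an added example and not code from the paper: it instantiates \(\mathsf {XORP}[k]\) over a small n with seeded lookup-table "random permutations" (an information-theoretic toy, not a cryptographic implementation), counts output collisions (a single permutation never collides, which is the birthday-bound distinguisher that \(\mathsf {XORP}\) is meant to remove), and runs the well-known full-domain distinguisher: for n ≥ 2 every permutation's outputs xor to 0, so the outputs of \(\mathsf {XORP}[k]\) over all \(2^n\) inputs xor to 0, whereas a random function passes that test with probability only \(2^{-n}\). That attack costs exactly \(2^n\) queries, which is why the bound proved in the paper cannot be improved further. The function names (`xorp`, `count_collisions`, `looks_like_xorp`, `demo`) and the seeds are my own choices.

```python
"""Toy model of XORP[k] over n-bit strings (added example, not the paper's code).

Assumption: n is small enough that the whole domain {0,1}^n can be enumerated,
and the "random permutations" are shuffled tables from a seeded PRNG.
"""
import random
from collections import Counter


def random_permutation(n, rng):
    """A uniformly random permutation of {0,1}^n as a lookup table."""
    table = list(range(1 << n))
    rng.shuffle(table)
    return table


def random_function(n, rng):
    """A uniformly random function {0,1}^n -> {0,1}^n as a lookup table."""
    return [rng.randrange(1 << n) for _ in range(1 << n)]


def xorp(perms):
    """XORP[k]: x -> P_1(x) xor ... xor P_k(x); k = 2 is plain XORP."""
    def f(x):
        out = 0
        for p in perms:
            out ^= p[x]
        return out
    return f


def count_collisions(f, n):
    """Number of unordered input pairs with equal output over the full domain.

    A permutation never collides, while a random function on 2^n inputs has
    about 2^n / 2 colliding pairs in expectation: this is the classic way to
    tell a PRP from a PRF after roughly 2^(n/2) queries (the birthday bound).
    """
    counts = Counter(f(x) for x in range(1 << n))
    return sum(c * (c - 1) // 2 for c in counts.values())


def xor_of_all_outputs(f, n):
    """XOR of f(x) over every x in {0,1}^n."""
    acc = 0
    for x in range(1 << n):
        acc ^= f(x)
    return acc


def looks_like_xorp(f, n):
    """Full-domain distinguisher using exactly 2^n queries.

    For any permutation P of {0,1}^n with n >= 2, XOR_x P(x) = XOR_y y = 0,
    hence XOR_x XORP[k](x) = 0 for every k. A random function passes this
    test only with probability 2^-n, so no bound better than n bits exists.
    """
    return n >= 2 and xor_of_all_outputs(f, n) == 0


def demo(n=8, k=2, seed=2017):
    """Constructed, seeded sample instance: one permutation, XORP[k], one PRF."""
    rng = random.Random(seed)
    perms = [random_permutation(n, rng) for _ in range(k)]
    F = xorp(perms)
    R = random_function(n, rng)
    return {
        "perm_collisions": count_collisions(lambda x: perms[0][x], n),
        "xorp_collisions": count_collisions(F, n),
        "rf_collisions": count_collisions(lambda x: R[x], n),
        "xorp_passes_full_domain_test": looks_like_xorp(F, n),
        "rf_passes_full_domain_test": looks_like_xorp(lambda x: R[x], n),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the two sides of the story: the lone permutation reports zero collisions (distinguishable from a random function at the birthday bound), XORP reports a collision count in the same range as the random function, and only XORP passes the full-domain xor test. Note that in the indifferentiability setting of the paper the adversary may also query the permutations themselves, which is exactly what makes the \(\mathsf {XORP}\) analysis harder than the secret-permutation case.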

[1] Mridul Nandi et al. Revisiting Variable Output Length XOR Pseudorandom Function. IACR Trans. Symmetric Cryptol., 2018.

[2] Benoit Cogliati et al. The Indistinguishability of the XOR of k Permutations. FSE, 2014.

[3] Ueli Maurer et al. Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology. TCC, 2004.

[4] Guido Bertoni et al. On the Indifferentiability of the Sponge Construction. EUROCRYPT, 2008.

[5] A. J. Stam. Distance between sampling with and without replacement. 1978.

[6] Jacques Patarin et al. Introduction to Mirror Theory: Analysis of Systems of Linear Equalities and Linear Non Equalities for Cryptography. IACR Cryptol. ePrint Arch., 2010.

[7] Florian Mendel et al. Symmetric Cryptography. 2009.

[8] Jooyoung Lee et al. Indifferentiability of the Sum of Random Permutations Toward Optimal Security. IEEE Transactions on Information Theory, 2017.

[9] Michael Luby et al. How to Construct Pseudo-Random Permutations from Pseudo-Random Functions (Abstract). CRYPTO, 1986.

[10] Jacques Patarin et al. The "Coefficients H" Technique. Selected Areas in Cryptography, 2009.

[11] Bart Preneel et al. On the XOR of Multiple Random Permutations. ACNS, 2015.

[12] Shay Gueron et al. The Advantage of Truncated Permutations. CSCML, 2016.

[13] Shay Gueron et al. How Many Queries are Needed to Distinguish a Truncated Random Permutation from a Random Function? Journal of Cryptology, 2014.

[14] Kan Yasuda et al. A New Variant of PMAC: Beyond the Birthday Bound. CRYPTO, 2011.

[15] Guido Bertoni et al. Duplexing the sponge: single-pass authenticated encryption and other applications. IACR Cryptol. ePrint Arch., 2011.

[16] Kazuhiko Minematsu et al. ZMAC: A Fast Tweakable Block Cipher Mode for Highly Secure Message Authentication. 2017.

[17] Mihir Bellare et al. Luby-Rackoff Backwards: Increasing Security by Making Block Ciphers Non-invertible. EUROCRYPT, 1998.

[18] Benoit Cogliati et al. EWCDM: An Efficient, Beyond-Birthday Secure, Nonce-Misuse Resistant MAC. CRYPTO, 2016.

[19] Hongjun Wu et al. The Hash Function JH. 2009.

[20] Mridul Nandi et al. Security Analysis of the Mode of JH Hash Function. FSE, 2010.

[21] Mihir Bellare et al. A tool for obtaining tighter security analyses of pseudorandom function based constructions, with applications to PRP to PRF conversion. IACR Cryptol. ePrint Arch., 1999.

[22] Bart Mennink et al. Encrypted Davies-Meyer and Its Dual: Towards Optimal Security Using Mirror Theory. CRYPTO, 2017.

[23] Tetsu Iwata et al. New Blockcipher Modes of Operation with Beyond the Birthday Bound Security. FSE, 2006.

[24] Jacques Patarin et al. A Proof of Security in O(2^n) for the Xor of Two Random Permutations. ICITS, 2008.

[25] Stefan Lucks et al. The Sum of PRPs Is a Secure PRF. EUROCRYPT, 2000.

[26] Stefano Tessaro et al. Information-Theoretic Indistinguishability via the Chi-Squared Method. CRYPTO, 2017.

[27] Bart Mennink et al. CENC is Optimally Secure. IACR Cryptol. ePrint Arch., 2016.

[28] Bart Preneel et al. On the Indifferentiability of the Grøstl Hash Function. SCN, 2010.

[29] Valérie Nachef et al. Indifferentiability beyond the Birthday Bound for the Xor of Two Public Random Permutations. INDOCRYPT, 2010.

[30] Serge Vaudenay et al. Decorrelation: A Theory for Block Cipher Security. Journal of Cryptology, 2003.