Luby-Rackoff Ciphers from Weak Round Functions?

(1)

Luby-Rackoff Ciphers from

Weak Round Functions?

(full version)

Ueli Maurer1_{, Yvonne Anne Oswald}1_, Krzysztof Pietrzak2, ?_{, and Johan Sj¨}_odin1, ??

1

Department of Computer Science, ETH Zurich, CH-8092 Zurich, Switzerland

{maurer,sjoedin}@inf.ethz.ch, [email protected] 2

D´epartement d’informatique, Ecole Normale Sup´erieure, Paris, France [email protected]

Abstract. The Feistel-network is a popular structure underlying many block-ciphers where the cipher is constructed from many simpler rounds, each defined by some function which is derived from the secret key. Luby and Rackoff showed that the three-round Feistel-network – each round instantiated with a pseudorandom function secure against adap-tive chosen plaintext attacks (CPA) – is a CPA secure pseudorandom permutation, thus giving some confidence in the soundness of using a Feistel-network to design block-ciphers.

But the round functions used in actual block-ciphers are – for efficiency reasons – far from being pseudorandom. We investigate the security of the Feistel-network againstCPA distinguishers when the only secu-rity guarantee we have for the round functions is that they are secure against non-adaptive chosen plaintext attacks (nCPA). We show that in the information-theoretic setting, four rounds with nCPAsecure round functions are sufficient (and necessary) to get aCPAsecure permutation. Unfortunately, this result does not translate into the more interesting pseudorandom setting. In fact, under the so-called Inverse Decisional Diffie-Hellman assumption the Feistel-network with four rounds, each instantiated with a nCPA secure pseudorandom function, is in general not aCPAsecure pseudorandom permutation.

We also consider other relaxations of the Luby-Rackoff construction and prove their (in)security against different classes of attacks.

?_{Most of this work was done while the author was a PhD student at ETH where}

he was supported by the Swiss National Science Foundation, project No. 200020-103847/1. Currently the author is partially supported by the Commission of the European Communities through the IST program under contract IST-2002-507932 ECRYPT.

??_{This work was partially supported by the Zurich Information Security Center. It}

(2)

1 Introduction

Feistel-network.The Feistel-network is a popular design approach for block-ciphers where the cipher over {0,1}2n _{is constructed by cascading simpler}

per-mutations, each constructed from a round function f : {0,1}n _{→ {}_0,₁_}n_{. The}

secret key of the cipher is only used to choose the particular round functions.

Luby-Rackoff Ciphers. In their celebrated paper [LR86] Luby and Rackoff prove that the three-round Feistel-network is an adaptive chosen plaintext (CPA) secure block-cipher – i.e. a pseudorandom permutation (PRP) – if each round is instantiated with an independent CPA secure pseudorandom function (PRF), and with one extra round even adaptive chosen ciphertext (CCA) security is achieved. Besides reducing PRPs to PRFs, this result also gives some confidence in the soundness of using a Feistel-network to design block-ciphers. But unlike in the Luby-Rackoff ciphers, in most block-ciphers based on Feistel-networks the round functions are not independent (in order to keep the secret key short) and also far from being pseudorandom (for efficiency reasons). Instead, the number of rounds is much larger than four (which was sufficient for the Luby-Rackoff constructions).

In order to achieve more efficient constructions of PRPs from PRFs, many researchers have investigated the security of weakened versions of the Luby-Rackoff ciphers. Several variations of the ciphers were proven to be pseudoran-dom where for example the round functions were not required to be independent [Pie90], some round functions were replaced by weaker primitives than PRFs [Luc96,NR99] or the distinguisher was given direct oracle access to some of the round functions [RR00]. These results further fortify the confidence in using Feistel-networks to design block ciphers.

All these relaxed constructions need at least some of the round functions to be CPA secure PRFs in order to get a CPA secure PRP. In this paper, we investigate for the first time – to the best of our knowledge – the CPA secu-rity of the permutation one gets by a Feistel-network where none of the round functions is guaranteed to beCPAsecure. In particular, we investigate the secu-rity of the Feistel-network where each round is instantiated with anon-adaptive

chosen plaintext (nCPA) secure round function. AlthoughnCPA security is still a strong requirement, this was the weakest natural class of attacks we could imagine which does not make the Feistel-network trivially insecure againstCPA

attackers. For example round functions which are only secure against known-plaintext attacks (KPA), i.e. look random on random inputs, are too weak.1

(3)

tion (URF) by any efficient adversary. Pseudorandom permutations (PRP) are defined analogously. As usual in cryptography, an adversary is efficient if he is in P/poly, i.e. in non-uniform polynomial time (but almost all our results also hold when considering uniform adversaries; the only exception is addressed in Footnote 13). Aquasirandom function (QRF) (similarly for a quasirandom per-mutation (QRP)) is defined similar to apseudorandom one but where one does not require the distinguisher or the function to be efficient, only the number of queries the distinguisher is allowed to make is bounded. Quasirandomness can be seen as an extension of the concept of statistically close distributions to systems which can be queried interactively.

In order to prove that some system – which is built frompseudorandom com-ponents – is pseudorandom itself, it is often enough to prove it to bequasirandom

when the components are replaced by the corresponding ideal systems. In par-ticular, to prove the security of the original three-round Luby-Rackoff cipher it is enough to prove – the purely information-theoretic result – that the network instantiated with URFs is aCPAsecure QRP. It then immediately follows that the construction is aCPAsecure PRP when the URFs are replaced byCPA se-cure PRFs, since if it was not aCPAsecure PRP, we could use the distinguisher for it to build a distinguisher for the CPAsecure PRF (via a standard hybrid argument). Similarly one can easily show that if the round functions are only

nCPA or only KPA secure PRFs, the construction is a secure PRF, but only against the class of attacksnCCA(hence alsonCPA) andKPA, respectively.

2 Contributions

Our results and related work are summarized in Fig. 2 on page 5.

(In)secure Relaxations of the Three-Round Luby-Rackoff Cipher.

In the pseudo- and quasirandom setting, the three-round Feistel-network is – as mentioned above –ATK∈ {CPA,nCPA,KPA}secure, when the round functions areATK-secure. Moreover it is known that one can replace the first round with a pairwise independent permutation [Luc96,NR99].2 _{We further relax this by} showing that the function in the last round only needs to be secure against known plaintext attacks (KPA). This resolves an open question posed by Minematsu and Tsunoo in [MT05]. Furthermore, forATK =KPA we show that the first round is not necessary – as opposed to when ATK ∈ {CPA,nCPA} – and that it is sufficient to instantiate the (two) round functions with a single instantiation of aKPAsecure function.

But the second round seems to be the crucial one forATK ∈ {CPA,nCPA}. We show that for constructing a CPA secure permutation – i.e. PRP or QRP depending on the setting – one cannot in general instantiate the second round with a function which is only nCPA secure by constructing a counter-example,

2

(4)

i.e. anCPA secure function such that the three-round Feistel-network with this function in the second, and any random functions in the first and third round can easily be distinguished from a uniformly random permutation (URP) with only three adaptively chosen queries. Similarly, if one instantiates the second round with aKPAsecure function, then the construction will in general not even benCPA secure.

Four Rounds with non-adaptive Round Functions. As a consequence, three rounds withnCPAsecure round functions are not enough to getCPA secu-rity. On the positive side, we show that one extranCPAsecure round is sufficient (and necessary) in the quasirandom setting. Note that for the translation of a security proof from quasi- to pseudorandom systems – as described at the end of the previous section – it is crucial that we can construct a distinguisher for the components from a distinguisher for the whole system. But here the com-ponents have a weaker security guarantee (i.e. nCPA) than what we prove for the whole system (i.e.CPA). So even when we have aCPAdistinguisher for the four-round Feistel-network, we cannot construct a nCPA distinguisher for any round function. This is not just a shortcoming of the used approach, but indeed, in the pseudorandom setting the situation is different: we show that here four rounds are not enough to get CPAsecurity. To show this we construct a nCPA

secure PRF, such that the four-round Feistel-network with such round functions can easily be distinguished from URP with only three adaptive queries.

This phenomenon – i.e. that some construction implies adaptive security for quasirandom but not for pseudorandom systems – has already been proven [MP04,MPR06,Pie05] for two simple constructions: the sequential composition f .g(.)def=g(f(.)) and the parallel compositionf ?g(.)def=f(.)?g(.) (where?stands for any group operation). The security proofs from [MP04] in the quasirandom setting crucially use the fact that the sequential composition of two permutations is a URPs whenever at least one of the permutations is a URP, similarly the par-allel composition of two functions is a URF whenever one of the components is a URF. The Feistel-network does not have this nice property of being ideal when-ever one of the components is ideal, and we have to work harder here (using a more general approach from [MPR06]). Our counter-example for the pseudoran-dom setting – i.e. a four-round Feistel-network withnCPAsecure PRFs as round functions that is not aCPAsecure PRP – is similar to the counter-examples for sequential and parallel composition shown in [Pie05,Ple05]. In [Ple05], it is shown that the sequential composition of arbitrarily manynCPA secure PRFs will not be a CPA secure PRF in general, whereas for the parallel composition only a counter-example with two components is known [Pie05]. For the Feistel-network we also could only find a counter-example for four rounds. So we cannot rule out the possibility that five or more rounds imply adaptive security. However, if this was the case, then it seems likely that – like for sequential composition [Mye04] – there is no black-box proof for this fact.3

3

Myers [Mye04] constructs an oracle relative to which there exist PRPs that are

(5)

Construction Quasirandom Pseudorandom Reference

ψ[RRR] CPA, nCCA,¬CCA [LR86,Mau02] H . ψ[RR] CPA,¬nCCA [Luc96,NR99]

H . ψ[RK] CPA, ¬nCCA §4

ψ[RN R] ¬CPA §5

ψ[N N N N] CPA ¬CPA(under IDDH) §6 and§7

ψ[RRRR] CCA [LR86,Mau02]

H . ψ[RR]. H−1

CCA [Luc96,NR99]

ψ[N N N N N] CCA ? §8

ψ[RR] KPA, ¬nCPA [MT05]

ψ[K2_]

KPA, ¬nCPA §4

ψ[N N N] nCCA, ¬CPA §4

H . ψ[N K] nCPA, ¬nCCA §4

ψ[RKR] ¬nCPA §5

Fig. 1.Security of the Feistel-networkψwith various security guarantees on the round functions. Here ψ[f1· · ·fk](·) denotes thek-round Feistel-network withfi in thei’th

round, andψ[f2_]def

=ψ[f f] – i.e. the same functionf in both rounds. Each occurrence ofR,N, andKstands for an independentCPA,nCPA, andKPAsecure function (i.e. a PRF or a QRF depending on the setting) respectively. The same holds forHwhich is any “lightweight” permutation from which we only require that the collision probability be small on the left half of the output, an almost pairwise independent permutation or a Feistel round instantiated with an almost XOR-universal function is thus sufficient. The results in gray are implied by other results in the table.

What about CCA Security? While it seems unlikely in the pseudorandom setting to achieve CPA security (and hence also CCA security) of the Feistel-network with nCPA secure round functions, we show that (even) CCA security can be achieved in the quasirandom setting. In particular, we show that the five-round Feistel-network withnCPA secure QRFs is aCCAsecure QRP.

Unconditional vs. Conditional Counter-examples. The counter-example showing that the three-round Feistel-network with anCPAsecure PRFFin the second round is not adaptively secure is unconditional4_{and black-box; with this} we mean that we can construct F starting from any (nCPA secure) PRF via a The idea behind this oracle is quite general, and we see no reason (besides being technically challenging) why one should not be able to construct a similar oracle for the Feistel-network, and thus also rule out a black-box proof for showing that the Feistel-network withnCPAsecure PRFs as round functions is aCPAsecure PRP. 4

(6)

reduction which uses this PRF only as a black-box.5_{As four rounds are enough} to get adaptive security for quasirandom systems, there cannot be a black-box counter-example (like for three rounds) for the four (or more) round case. Thus it is not surprising that our counter-example for four rounds is not unconditional. It relies on the so-called Inverse Decisional Diffie-Hellman assumption. The fact that there is no black-box counter-example can be used to show that there is in some sense no “generic” adversary which breaks the adaptive security of the four-round Feistel-network with non-adaptive round functions. What “generic” actually means will not be the topic of this paper, but see Sect. 4 from [Pie06] for the corresponding statement for sequential composition.

3 Basic Definitions and Random Systems

We use capital calligraphic letters likeX to denote sets, capital letters likeX to denote random variables and small letters likexdenote concrete values. To save on notation we writeXi_{for (X1, X2, . . . , X}

i).

For x ∈ {0,1}2n _{we denote with}

Lx and Rx the left and right half of x

respectively, sox=LxkRx. Similarly for any functionf with range{0,1}2n, we

denote withLf (Rf) the function one gets by ignoring the right (left) half of the

output off. For two functionsf(.) andg(.) we denote withf . g(.)def

=g(f(.)) the sequential composition of f and g.6 _{For a (randomized) function} _f _{we denote} withcollk(f) the collision probability of any fixedk-tuple of distinct inputs, i.e.

collk(f) = max x1,...,xk

P(∃i, j; 1≤i < j ≤k:f(xi) =f(xj)).

If f denotes a uniform random function with range {0,1}n_{, then} _coll k(f) ≤

k2_/2n+1_{, this is called the} _{birthday bound} _{which we will use quite often.}

Definition 1 (Feistel-network) The (one-round) Feistel-network ψ[f] : {0,1}2n_{→ {}_0,₁_}2n _{is a permutation based on a function} _f _:_{_0,₁_}n_{→ {}_0,₁_}n_,

and is defined as follows

ψ[f](x)def

= (f(Lx)⊕Rx)kLx.

Withψ[f1· · ·fk]

def

=ψ[f1].ψ[f2].· · ·.ψ[fk]we denote thek-round Feistel-network

based on (randomized) round functions f1, . . . , fk, here the randomness used by

any function is always assumed to be independent of the randomness of the other round functions. Thek round Feistel-network where the same instantiation of a function f is used for all rounds is denoted byψ[fk_]def

=ψ[f· · ·f | {z }

k times ].

5

We buildFfrom a pseudorandom involution (PRI), how to construct a PRI from a PRP (via a black-box reduction) has been shown in [NR02].

(7)

Random Systems:Many results from this paper are stated and proven in the random systems framework of [Mau02]. Arandom systemis a system which takes inputsX1, X2, . . .and generates, for each new inputXi, an outputYi which

de-pends probabilistically on the inputs and outputs seen so far. We define random systems in terms of the distribution of the outputsYiconditioned onXiYi−1(i.e.

the actual queryXi and all previous input/output pairsX1Y1, . . . , Xi−1Yi−1).

Definition 2 (Random systems) An(X,Y)-random systemFis a sequence of conditional probability distributions PF

Yi|XiYi−1 for i≥1. Here we denote by PF

Yi|XiYi−1(yi, x

i_{, y}i−1₎ _{the probability that} _F _{will output} _y

i on input xi

condi-tioned on the fact that Fdid outputyj on inputxj for j= 1, . . . , i−1.

As special classes of random systems we will considerrandom functions (which are exactly the stateless random systems) andrandom permutations.

Definition 3 (Random functions and permutations) A random function X → Y (random permutationonX) is a random variable which takes as values functionsX → Y (permutations onX).

Auniform random function (URF) R:X → Y (A uniform random permu-tation (URP) PonX) is a random function with uniform distribution over all functions from X toY (permutations onX). Throughout, the symbolsRandP

are used for the systems defined above (X,Y to be understood).

Indistinguishability of random systems.The distinguishing advantage of a computationally unbounded distinguisher for two random variablesAandBis simply the statistical distance ofAandB. It is more intricate to define what we mean by the indistinguishability of random systems as here one must specify how the systems can be accessed. For this we define the concept of a distinguisher. Definition 4 A (Y,X)-distinguisher is a (Y,X)-random system which is one query ahead; i.e. it is defined by PD

Xi|Yi−1Xi−1 instead of P

D

Xi|YiXi−1 for all i. In particular the first outputPD

X1 is defined before Dis fed with any input.

We can now consider the random experiment where a (Y,X)-distinguisher queries a (X,Y)-random system

Definition 5 With D♦F we denote the random experiment where a distin-guisher Dinteractively queries a compatible random system F.

We divide distinguishers into classes by posing restrictions on how the distin-guisher can access its inputs and produce its queries. In particular the following attacks will be of interest to us:

– CPA: Adaptively Chosen Plaintext Attack; here the adversary can choose thei’th query after receiving the (i−1)’th output.

– nCPA: Non-Adaptively Chosen Plaintext Attack; here the distinguisher must choose all queries in advance.

(8)

If F is a permutation, its inverse F−1 _{is well-defined and we can consider the} attacks

– CCA: Adaptively Chosen Ciphertext Attack – nCCA: Non-Adaptively Chosen Ciphertext Attack

which are defined like aCPAandnCPA, respectively, but where the attacker can additionally make queries from the inverse direction.

Definition 6 For k≥1, the two random experimentsD♦FandD♦G define a distribution overXk_{× Y}k_{. The} _advantage_of_D_after_k_{queries in distinguishing}

F fromG, denoted ∆D

k(F,G), is the statistical difference between those

distri-butions7

∆D

k(F,G)

def = 1

2 X

Xk_×Yk

PD_X♦k_YFk−P

D♦G

Xk_Yk

. (1)

The advantage of the bestATK-distinguisher makingkqueries for FandG is

∆ATK k (F,G)

def

= max

ATK−distinguisher D∆ D

k(F,G).

Informally, a family of random functions indexed by a security parameter (γ∈N₎ is ATK-secure QRF, if for any polynomial p(.) the distinguishing advantage ∆ATK

p(γ)(F,R) is negligible (inγ). QRPs are defined similarly but usingPinstead of R, and where we additionally require that F (for any value of the security parameter) is a permutation.

Pseudorandomness.We denote withAdvATKt,k (F,G) the distinguishing

advan-tage of the best oracle circuit for random systems F and G where the circuit must be of size at mosttand make at mostkATK-queries to its oracle. SoAdv is defined similarly to ∆ but with an additional restriction on the size of the distinguisher. In particularAdvATK∞,k(F,G) =∆ATKk (F,G).

Informally, a family of keyed functions F indexed by a security parame-ter γ ∈N _{is an} ATK-secure pseudorandom function (PRF) if F (with security parameterγ) can be computed in uniform polynomial (inγ) time, and for any polynomialp(.) the distinguishing advantageAdvATKp(γ),p(γ)(F,R) is negligible in γ (for a key chosen uniformly at random). Pseudorandom permutations (PRP) are defined similarly but usingPinstead ofR, and where we additionally require that F(for any value of the security parameter and key) is a permutation.

We usually use sans-serif fonts like F to denote systems which can be effi-ciently computed (in particular pseudorandom systems), and bold fonts like F to denote quasirandom and ideal systems.

7

This definition has a natural interpretation in the random experiment where we first toss a uniform random coinC ∈ {0,1}. Then we letD(which has no a priori information onC) makekqueries to a systemHwhereH≡FifC= 0 andH≡G ifC= 1. Here the expected probability that an optimal guess onCbased on thek inputs and outputs ofHwill be correct is 1/2 +∆D

(9)

4 Relaxations of the Three-Round Luby-Rackoff Cipher

Let us first state some results for the three-round Feistel-network.

Proposition 1 For any (ATK,ATK0)∈ {(CPA,CPA),(nCCA,nCPA),(KPA,KPA)}

and random functionF

∆ATK

k (ψ2n[FFF],P)≤3·∆ATK

0

k (F,R) + 2·

k2

2n+1. (2)

The analogous statement also holds in the computational case – i.e. for any efficient random functionF

AdvATKt,k (ψ2n[FFF],P)≤3·AdvATK

0

t0_,k (F,R) + 2· k2

2n+1, (3)

where t0 ₌_poly_{(t, k)} _{for some polynomial} _poly _{which accounts for the overhead}

implied by the reduction we make.

The classical result of Luby and Rackoff [LR86], states that the Feistel-network with three independent PRF rounds is aCPAsecure PRP – i.e (3) for (ATK,ATK0) = (CPA,CPA).

Luby and Rackoff proved this result directly. One gets a simpler proof by first showing that the three-round Feistel-network with URFsRis aCPAsecure QRP as this is a purely information-theoretic statement. In particular it was shown in [Mau02] that8

∆CPA

k (ψ2n[RRR],P)≤2·

k2

2n+1. (4)

This bound also holds for nCCA distinguishers (as we show in Appendix B). These results directly imply Proposition 1 by a standard hybrid argument.9

Lucks showed [Luc96] (see also [NR99]) that the first round in the three-round Luby-Rackoff cipher can be replaced with a much weaker primitive which only must provide some guarantee on the collision probability on the left half of the output (for any two fixed inputs). In particular, an almost pairwise independent permutation or a Feistel-round with an almost XOR-universal function will do. 8 _{This bound has been improved – using larger number of rounds – in a series of} papers. The latest [Pat04] by Patarin claims (optimal) security up tok2n(and not justk2n/2

) queries, using five rounds (five rounds are also necessary to get such optimal security).

9

The argument goes as follows for pseudorandom systems: let (ATK,ATK0₎ _∈

{(CPA,CPA),(nCCA,nCPA),(KPA,KPA)} and suppose there is an efficient ATK -distinguisherAforψ2n[FFF] andP. Then by (4) thisAwill also distinguishψ2n[FFF]

from ψ2n[RRR]. Consider the hybrids H0 = ψ2n[FFF], H1 =ψ2n[RFF], . . . , H3 = ψ2n[RRR]. By the triangle inequality there is an 0≤i≤2 (sayi= 1) such thatA

can distinguishHifromHi+1. Now, the distinguisher which – with access to an oracle G(implementing eitherForR) – simulatesA♦ψ2n[RGF] and outputs the output of

Ais an efficientATK0_{-distinguisher for}_F_{with the same advantage as}_A_{’s advantage}

(10)

Proposition 2 For any ATK ∈ {CPA,nCPA,KPA}, any random functions F,

G, and any permutationH

∆ATKk (H. ψ2n[FG],P)≤∆ATKk (F,R)+2·∆KPAk (G,R)+collk(LH)+k

2

2n. (5)

The analogous statement also holds in the computational case: for any ATK∈ {CPA,nCPA,KPA}, any efficient random functions F,G, and any efficient per-mutation H

AdvATKt,k (H. ψ2n[FG],P) (6)

≤AdvATKt0_,k(F,R) +Adv_tKPA0_,k(G,R) +coll_k(_LH) + k2 2n+1,

wheret0 ₌_t+_poly_{(n, k)}_{for some polynomial}_poly_{which accounts for the overhead}

implied by the reduction we make.

Let us stress that (6) doesnot directly follow from (5).10 The proof of Proposi-tion 2 is given in Appendix C.

We relax the construction further forATK=KPAby showing that the first round can be removed completely (as opposed to whenATK∈ {CPA,nCPA}11_). Moreover, the round functions can be replaced by a single instantiation of a

KPAsecure function. Note that if one in addition interchange the left and the right part of the output, the resulting construction is an involution, i.e. has the structural property of being self inverse. This result also generalizes Lemma 2.2 of [MT05] which states that the two round Feistel-network withCPAsecure PRFs is aKPAsecure PRP.

Proposition 3 For any random function F

∆KPA

k (ψ2n[F2],P)≤∆KPA2k (F,R) + 4·

k2

2n+1. (7)

The analogous statement also holds in the computational case: for any (in par-ticular efficient) random functionF

AdvKPA_t,k (ψ2n[F2],P)≤AdvKPAt0_,₂_k(F,R) + 4· k2

2n+1, (8)

wheret0 =t+poly(n, k)for some polynomialpolywhich accounts for the overhead implied by the reduction we make.

The proof is given in Appendix C. Note that unlike in the previous propositions, here we do not require the round functionFto be efficient in the computational case (the reason is that in the proof we do not need the distinguisher to simulate any round function).

10_{The reason why a reduction – like the simple argument to show that Proposition 1} follows from (4) – fails here, is that theKPAsecurity guarantee for one of the com-ponents is weaker than theCPAsecurity for the whole construction. But fortunately theproof of (5) is such that it easily translates to the pseudorandom setting. 11

ψ2n[RR] can be distinguish fromPwith two non-adaptively chosen queries: query

0n_k₀n_7→L_y_kR_y_{and 0}n_k₁n_7→L_y0_kR_y0_{, and output 1 if}

(11)

5 The Second Round is Crucial

In the previous section we have seen that in the classical three-round Luby-Rackoff cipher the first and third round function need not beCPAsecure. In this section we will see that the security requirements for the second round cannot be relaxed. We only give proof sketches for the propositions of this section.

The following proposition states that to achieveCPAsecurity in general it is not sufficient that the second round function isnCPAsecure. There exists anCPA

secure function, such that the three-round Feistel-network with this function in the second, and any random functions in the first and third round, is not CPA

secure.

Proposition 4 There exists a random function F such that for any random functionsG andG0 _{(in particular for} _G₌_R_and_G0₌_R₎

∆nCPAk (F,R)≤

k2

2n−1 and ∆

CPA

2 (ψ2n[GFG0],P)≥1−2−n+1.

The analogous statement also holds in the computational case: (informal) there is a nCPAsecure PRFF such thatψ2n[GFG0]is not aCPAsecure PRP for any

(not necessarily efficient) functionsG andG0_.

Proof. Let us first consider the quasirandom statement. Let I be a uniform random involution, i.e.I(I(x)) =xfor allx. Now,Fis simply defined asF(x) = x⊕I(x), note that thisFsatisfiesF(x) =F(x⊕F(x)) for all x.

The nCPA security of F (which is simply the nCPA security of I) can be bounded as stated in the proposition by standard techniques (see Appendix C). Furthermore,ψ2n[GFG0] can easily be distinguished fromPwith two adaptively

chosen queries as follows. After a first query 0n_k₀n_{, the output}

LYkZ contains

the outputZ of the internal functionF. Now make a second query 0n_k_Z_{. If the}

(unknown) input toFin the first query was some valueV, then in this query it will beV⊕Z, and asFsatisfiesF(V) =F(V⊕F(V)) =F(V⊕Z), the output of Fwill again beZ, and the overall output will be (LY ⊕Z)kZ. The proposition

follows as the output ofP will satisfy such a relation with probability at most 1

2n+

2n₋₁

22n₋₁ ≤2−n+1.

The corresponding statement for the pseudorandom setting is proven almost identically. The only difference is that we need to use aCPAsecure pseudorandom involution I instead of the uniform random involutionI. It is shown in [NR02] how to construct a pseudorandom involution from anyCPAsecure PRF. ut The next proposition states that the network will in general not (even) be

nCPA secure when the second round function is only secure againstKPAs. Proposition 5 There exists a random function F such that for any random functionsG andG0

∆KPAk (F,R)≤

k2

2n+1, and ∆

nCPA

(12)

The analogous statement also holds in the computational case: (informal) there is aKPAsecure PRFF such thatψ2n[GFG0] is not anCPAsecure PRP for any

(not necessarily efficient) functionsG andG0.

Proof. Let us first consider the statement in the quasirandom setting. Let F be a URF which ignores the first input bit, i.e. for all x ∈ {0,1}n−1 _{we have} F(0kx) = F(1kx). The KPA security of F follows from the fact that F looks completely random unless we happen to query two queries of the form 0kxand 1kx. By the birthday bound the probability that this happens afterkqueries is at most k2

2n+1 (see Appendix C). Furthermore,ψ2n[GFG0] can be distinguished

from P with two non-adaptively chosen queries. For instance on input 0n_k₀n

and 0n_k₍₁_k₀n−1_{), the right half of the output will be identical. However, for} _P this only happens with probability at most ₂22nn−₋1₁ ≤2−n.

The corresponding statement in the pseudorandom setting is proven exactly as above, except that we have to use a PRFFinstead of F. ut

6 Four

nCPA

_{Secure Rounds, the Quasirandom Case}

In this section we will show that the four-round Feistel-network withnCPAsecure QRFs is aCPAsecure QRP. This is also the best possible as in Sect. 5 we showed that four rounds are also necessary. The theorem is even stronger as the third and fourth round function must only beKPAsecure QRFs.

Theorem 1 For any random functions FandG

∆CPA

k (ψ2n[FFGG],P)≤3· ∆knCPA(F,R) +∆KPAk (G,R)

+ k

2

2n−2. To prove this theorem we use Theorem 2 from [MPR06] which, for the special case of the four-round Feistel-network, is given as Proposition 6 below. The proposition bounds the security of a composition against a “strong” attacker

sATK (in particular CPA) in terms of the security of the components against “weak” attackerswATKi (in particularnCPAorKPA).

The proposition uses the concept of conditions defined for random systems as defined in Appendix A, for now we only give an informal definition: WithFA_we

denote the random system F, but which additionally defines an internal binary random variable after each query (called a condition). Let Ai ∈ {0,1} denote

the condition after thei’th query. We setA0= 0 and require the condition to be monotone which means thatAi = 1⇒Ai+1= 1 (i.e. when the condition failed, it will never hold again). Letai denote the eventAi= 1, then with

νATK₍_FA_{, a} k)

def

= max

ATK−distinguisherDP D♦FA

ak , (9)

(13)

Proposition 6 If for any({0,1}n_,_{_0,₁_}n₎_{-random system with a condition}_FA

νsATK_(ψ2

n[FARRR], ak)≤νwATK1(FA, ak) +α1 (10)

νsATK(ψ2n[RFARR], ak)≤νwATK2(FA, ak) +α2 (11)

νsATK(ψ2n[RRFAR], ak)≤νwATK3(FA, ak) +α3 (12)

νsATK_(ψ2

n[RRRFA], ak)≤νwATK4(FA, ak) +α4 (13)

for some attacks wATK1, wATK2, wATK3, wATK4, sATK and some α1, α2, α3, α4≥0, then for anyF1,F2,F3,F4

∆sATKk (ψ2n[F1F2F3F4], ψ2n[RRRR])≤

4 X

i=1

(∆wATKi_k (Fi,R) +αi).

To apply this proposition we must show that equations (10), (11), (12) and (13) hold for some attackwATKi andαi fori= 1,2,3,4.

In Appendix D we prove the following claim, from which Theorem 1 now follows.

Claim 1 Equation (10) - (13) are satisfied for any random function with a conditionFA_, _sATK₌_{CPA, and}

wATKi, αi

=

                  

nCPA, 2· k2

2n+1

if i= 1

nCPA, 2·₂nk+12 +∆nCPAk (F,R)

if i= 2

KPA, 2· k2

2n+1 +∆KPA_k (F,R)

if i= 3

KPA, 2· k2

2n+1

if i= 4.

7 Four

nCPA

_{Secure Rounds, the Pseudorandom Case}

In this section we again investigate theCPA security of the four-round Feistel-network with nCPA secure round functions, but this time for pseudorandom

systems. We show that here the situation is dramatically different from the quasirandom setting by constructing a nCPAsecure PRF where the four-round Feistel-network with this PRF as round function is notCPAsecure.

This PRF is defined over some group (of prime order), and to prove the

nCPA security we assume that the so-called inverse decisional Diffie-Hellman

(IDDH) is hard in this group. Informally, the IDDH assumption requires that for a generatorg and random x, y it is hard do distinguish the triple (g, gx_{, g}y₎

from (g, gx_{, g}x−1_).

(14)

This theorem follows from Lemma 1 below which states that there exist nCPA

secure PRFsF1,F2,F3such that the left half of the three round Feistel-network

Lψ2n[F1F2F3] is not aCPAsecure PRF. This implies that alsoψ2n[F1F2F3G] is not a CPA secure PRP for any G (and thus proves Theorem 2) as follows. By the so-called PRF/PRP Switching Lemma anyCPAsecure PRPPis also aCPA

secure PRF. Clearly, then alsoLPmust be aCPAsecure PRF. Now, by Lemma 1 Lψ2n[F1F2F3] =Lψ2n[F1F2F3G] is not a CPAsecure PRF, soψ2n[F1F2F3G] can-not be aCPAsecure PRP.12

Lemma 1 Under the IDDH-assumption there existnCPAsecure PRFsF1,F2,F3

such that Lψ2n[F1F2F3] is not a CPA secure PRF: it can be distinguished

effi-ciently from a URF with only three (adaptive) queries with high probability.

Outline For this Section. In §7.1 we give a more formal definition of the IDDH assumption. Then, in§7.2 we first show the construction from [Ple05] of anCPAsecure PRF whose sequential composition will not beCPAsecure. This extremely simple and intuitive construction is the basis for the (more involved) counter-example for the Feistel-network (i.e. Lemma 1) given in§7.3.

7.1 The Non-uniform IDDH Assumption

Below we define the IDDH assumption which is similar (and easily seen to im-ply) the well known decisional Diffie-Hellman assumption. Throughout, we will work with hardness assumptions in a non-uniform model of computation (i.e. we require hardness against polynomial size circuit families and not just any fixed Turing machine).13

LetGdenote an efficiently computable family of groups indexed by a security parametern∈N_{. By efficiently computable we mean that one can efficiently (i.e.} in time polynomial in n) sample a group (together with a generator) from the family, and efficiently compute the group operations therein. Abusing notation we denote with (G, g) =G(n) any group/generator pair for security parametern. The IDDH assumption is hard in G if for (G, g) = G(n) polynomial size circuits have negligible advantage guessing whether for a given triple (g, gx_{, g}y₎

they is random or computed asy=x−1_{, more formally} 12_{The lemma talks about three different}

Fi’s (and in the proof we really construct a different Fi for every round), but the theorem is stated for a single F. This does not really make a difference. For example this singleFcan be defined as behaving likeFiwith probability 1/3 fori∈ {1,2,3}. Then with constant probability 3−3 _the ψ2n[FFF] behaves likeψ2n[F1F2F3].

(15)

Definition 7 (non-uniform IDDH) For a groupGand a generatorg of G

AdvIDDH_s (G, g)def = max

C,|C|≤s

Prx

h

C(g, gx_{, g}x−1

) =truei−Pr

x,y[C(g, g

x_{, g}y_{) =}_true]

,

where the probability is over the random choice ofx, y∈[1, . . . ,|G|]. We say that IDDH is hard inG if for any polynomial p(.)

AdvIDDHp(n) (G(n)) =negl(n).

7.2 Counter-example for Sequential Composition from [Ple05]

In this section we construct a simple PRFF, but where the sequential composi-tion of (arbitrary many) suchF (with independent keys) is notCPAsecure.

Fis based on some prime order cyclic group (G, g) =G(n) where the IDDH problem is hard and where the elements of the group can be efficiently and densely encoded into{0,1}n _{(with dense we mean that all but a negligible}

frac-tion of the strings should correspond to an element of the group).14For example we can letGbe a subgroup of prime orderqofZ∗

p, wherepis a safe prime (i.e.

2q+ 1) and q is close to 2n _{([Dam04] describes how to embed such a} _G _into

{0,1}n_).

Let [.] :G(n)→ {0,1}n _{denote an (efficient) embedding of}_G _{into bitstrings}

(to save on notation we let [a, b] denote the concatenation of [a] and [b]). Let

R : K × {0,1}4n _→ _Z4

q be any nCPA secure PRF. Now consider the following

definition of a nCPA secure PRF F : {0,1}4n _{→ {}_0,₁_}4n _{with secret key (κ} _∈

K, x∈Z∗_q_).

The first thing F does on input (α, β, γ, δ) ∈ {0,1}4n _{is to generate some}

pseudorandom values usingR, i.e.

(r1, r2, r3, r4)←R(κ, α, β, γ, δ). (14) Further, if there exists (a, b, c, d)∈G4 _s.t._α_{= [a], β}_{= [b], γ} _{= [c], δ}_{= [d] then}_F outputs (herex−1 _{is the inverse of}_x _in_Z∗

q)

F([a, b, c, d])→([axr1_{, b}r1_{, c}x−1r2_{, d}r2_]), ₍₁₅₎ withr1, r2 generated as in (14). On the remaining inputs (which are a negligible fraction of{0,1}4n₎_F_{outputs just the pseudorandom values [g}r1_{, g}r2_{, g}r3_{, g}r4_].

Now consider the cascadeF0.F00.F000 of three independent F’s (with corre-sponding keys (x1, κ1), (x2, κ2), and (x3, κ3)). Make a first query [g, g, g, g]

F0.F00.F000([g, g, g, g])→[gx1x2x3r_{, g}r_{, g}x−11 x −1 2 x

−1 3 r

0 , gr0_].

14

For this construction we actually do not need this embedding, we could define F

(16)

Then the output will have the formgx1x2x3r_{, g}r_{, g}x −1 1 x

−1 2 x

−1 3 r

0 , gr0

for somer, r0_.

Now exchange the right and the left half of this output and use it as the second query

F0.F00.F000([gx−11 x −1 2 x

−1 3 r

0

, gr0, gx1x2x3r_{, g}r_])_→_[gr00_{, g}r00_{, g}r000_{, g}r000_] so the output is of the form [u, u, v, v] for someu, vand thus can be distinguished from random. ThereforeF0_._F00_._F000 _{is not a}_CPA_{secure PRF. This proves that}

the sequential composition of nCPA secure PRFs does not yield a CPA secure function in general. Note that this distinguishing attack works for any number of rounds, not just three. The following lemma states thatF is annCPA secure PRF if IDDH is hard inG,Ris anCPAsecure PRF and the encoding [.] is dense (as then (2n_{− |}_G_|_)/2n _{is negligible).}

Lemma 2 For F over (G, g) =G(n)we have

AdvnCPAk,s (F,R)≤6·k·AdvsIDDH0 (G, g) +AdvnCPA_k,s0 (R,R) + 4·k·

2n_{− |}_G_|

2n , (16)

wheres0 ₌_s₊_poly_{(k, n)}_{for some polynomial} _poly_{which accounts for the}

over-head implied by the reduction we make.

Proof. The Lemma follows from the Lemmata 3 and 4 below. ut

Instead of proving this lemma directly, we consider a functioneFR0

:Z_|G|_×_G4_→ G4 _{(defined below) which will be easier to analyze.}_e_FR0

is defined almost likeF

but with two differences. First, the PRFRused byFis replaced by a uniformly random functionR0_{, and second we do not embed the output of}_e_FR0

into{0,1}n

as inF(using the embedding [.]). We defineFeR0

, with keyx∈Z|G|and oracle access toR0:G4→Z|G|2 as

e

FR0

(x, a, b, c, d)→(axr, br, cx−1r0, dr0) where R0(a, b, c, d)→(r, r0).

By the following lemma, distinguishingeFR0

from a URF is basically as hard as distinguishingF.

Lemma 3 For URFs R:G4 _→_G4_, _R0 _:_G4_→_Z2

|G|, R00:{0,1}4n → {0,1}4n

andRfrom the definition of F,

AdvnCPAk,s (F,R00)≤AdvnCPAk,s0 (eF

R0

,R) +AdvnCPAk,s0 (R,R0) + 4·k·

2n_{− |}_G_|

2n ,

wheres0 ₌_s₊_poly_{(k, n)}_{for some polynomial} _poly_{which accounts for the}

over-head implied by the reduction we make.

Proof. LetFR0

beF, but where one uses the URFR0 _{instead of}_R_{. Then}

AdvnCPA_k,s (F,R00₎_≤_AdvnCPA k,s (F

R0

(17)

FR0

only differs fromeFR0

by the use of the embedding [.], as for a randomx∈G, [x] is|G|/2n _{close to uniform we further get}

AdvnCPA_k,s (FR0,R00₎_≤_AdvnCPA k,s0 (eF

R0

,R) + 4·k· 2

n_{− |}_G_|

2n .

u t

We will now bound the indistinguishability of eFR0

from random in terms of the hardness of the IDDH problem.

Lemma 4

AdvnCPAk,s (eF

R0

,R)≤6·k·AdvIDDHs+poly(k,n)(G, g).

Proof. First we observe that for any nCPA and non-uniform distinguishers C, there is a distinguisherC0 _with15 _|_C0_{| ≤ |}_C_|₊_O(k_·_log(_|_G_|_{)) =}_|_C_|₊_poly_{(k, n)}

which behaves exactly as C, but which additionally “knows” all the discrete logarithms to basis g of its inputs, i.e. when C0 _{makes a query (a1, a2, a3, a4)}

whereai=gzi, then thez1, . . . , z4are somehow hardwired into C0.16

The task of our distinguisherC0 _{is to distinguish}_k_{quadruples with uniform}

distribution overG4 _from_k _{quadruples of the form}

(axr1 , ar2, ax −1_r0 3 , ar

0

4) = (gz1xr, gz2r, gz3x −1_r0

, gz4r0_). ₍₁₇₎

where (a1, . . . , a4) is a query chosen (non-adaptively) byC0 _and_{x, r, r}0 _are

uni-formly random (note thatx, which is part of the key of eFR0

, is the same for all k quadruples, but ther, r0 _{are independently generated by}_R0 _{for each of the}_k

quadruples). As we do assume thatC0 _{knows the}_{z1, . . . , z4, this is equivalent}17 to distinguish

(gxr_{, g}r_{, g}x−1r0_{, g}r0_{) from (g}r_{, g}r0_{, g}r00_{, g}r000_), ₍₁₈₎

wherex andr, r0_{, r}00_{, r}000 _{are uniformly random.}

We make the task forC0 _{even simpler and additionally provide}_gx_and_gx−1 , i.e.C0 _{must distinguish}

(gx, gx−1, gxr, gr, gx−1r0, gr0) from (gx, gx−1, gr, gr0, gr00, gr000). (19) 15

As we require that group operations can be done in time polynomial inn, the rep-resentation of elements of|G|— which is at least log(|G|) bits long — must also be polynomial (as otherwise one could not even read an element in polynomial time). 16_{This observation may seem silly, but this “knowledge” seems necessary in the}

fol-lowing reduction. This is also the reason why we can only prove this lemma in the non-uniform setting.

17

(18)

Clearly the task given by (19) is at most as difficult as (18) as one can always ignore the first two elements. We call the corresponding problem EDDH, i.e.

AdvEDDHs (G, g) = max C,|C|≤s

x,r,rPr0

h

C(gx, gx−1, gxr, gr, gx−1r0, gr0) =truei−

Pr

x,r,r0_,r00_,r000 h

C(gx, gx−1, gr, gr0, gr00, gr000) =truei .

Thus distinguishing eFR0

fromRis at most as hard as distinguishing (gx_{, g}x−1_{, g}xr1_{, g}r1_{, g}x−1r01, gr

0

1), . . . ,(gx, gx −1

, gxrk_{, g}rk_{, g}x−1r

0

k, gr

0

k) (20)

from

(gx_{, g}x−1_{, g}r1_{, g}r01, gr 00 1, gr

000

1 ), . . . ,(gx, gx −1

, grk_{, g}r

0

k, gr

00

k, gr

000

k), (21)

where x and all the ri, . . . , r000i are uniformly random. We can use a hybrid

argument to bound this distinguishing advantage in terms of the hardness of the EDDH problem. LetHi denote thei’th hybrid given by

(gx_{, g}x−1

, gxr1_{, g}r1_{, g}x−1r01, gr 0 1) ..

. (gx_{, g}x−1

, gxri_{, g}ri_{, g}x

−1_r0

i, gr

0

i)

(gx_{, g}x−1_{, g}ri+1_{, g}r0i+1, gr 00

i+1, gr 000

i+1) ..

. (gx_{, g}x−1

, grk_{, g}r0k, gr

00

k, gr

000

k ).

Note that the distribution (21) is justH0 and the distribution (20) isHk. Thus

there is aj such thatC0 _{can distinguish}_H

j−1 fromHj with advantage at least

/k. Now consider the following distinguisherC00_{for EDDH: on input (a1, . . . , a6)}

(which always satisfiesa1=gx_and_a2₌_gx−1

for a randomx)C00_{generates the}

distribution

(gx_{, g}x−1

, gxr1_{, g}r1_{, g}x−1r01, gr 0 1) ..

.

(gx_{, g}x−1_{, g}xrj−1_{, g}rj−1_{, g}x−1r0j−1, gr 0

j−1) (gx_{, g}x−1

, a3, a4, a5, a6)

(gx_{, g}x−1

, grj+1_{, g}r 0

j+1, gr 00

j+1, gr 000

j+1) ..

. (gx_{, g}x−1_{, g}rk_{, g}r0k, gr

00

k, gr

000

k )

and runs C0 _{on this input.}18 _{As the above distribution is equivalent to} _H

j if

(a1, . . . , a6) is of the form as shown by the left side of (19), andHj−1 if it’s of 18

Note thatC00 _{really can efficiently sample this distribution as it knows}_gx_and_gx−1

(19)

the form on the right side of (19), we conclude thatC00_{has the same advantage}

/k for EDDH asC0 _{had in distinguishing}_H

j−1from Hj, so

AdvnCPAk,s (eF

R0

,R)≤k·AdvEDDHs+poly(k,n)(G, g).

To conclude the proof of the lemma, we must now reduce IDDH to EDDH Claim 2

AdvEDDHs (G, g)≤6·AdvIDDHs0 (G, g),

wheres0 =s+poly(k, n)for some polynomial polywhich accounts for the over-head implied by the reduction we make.

Proof. First we show that EDDH is equivalent to deciding whether z = xy or z = r in the tuple (g, gx−1

, gx_{, g}y_{, g}z_{), referred to as DDH- (up to a factor}

of 2). Reducing EDDH to DDH- is trivial, as we can ignore the unnecessary components from an EDDH tuple. For the reverse direction, we examine the following distributions:

H0= (g, gx−1_{, g}x_{, g}y_{, g}xy_{, g}y0_{, g}x−1y0₎

H1= (g, gx−1

, gx_{, g}y_{, g}c_{, g}y0_{, g}c0₎

H2= (g, gx−1, gx, gy, gr, gy0, gr0),

where x, y, y0_{, r, r}0 _{are chosen uniformly at random and with probability 1/2}

(c=xy∧c0 ₌_r0_{). In the other half of the cases (c}₌_r_∧_c0 ₌_x−1_y0_{). Let}_AdvA,B s

denote the maximum advantage – over any circuit of sizes– for distinguishing the distributionsAandB. We can write

AdvEDDHs (G, g)≤AdvHs0,H2 (22)

≤AdvH0,H1

s +Adv

H1,H2

s (23)

≤2·AdvDDH−s0 (G, g). (24) Step (23) follows by applying the triangle inequality. Given a distinguisher D0,1, that is able to distinguish between H0 and H1, we can build a

distin-guisher for DDH. To decide for a tuple (g, ga−1

, ga_{, g}b_{, g}c_{) if}_c ₌_ab _or_c ₌_{r, it}

first generatesgr_{, g}a−1_r

. Then with probability 1/2 it returns the answer D0,1 gives to the input (g, ga−1

, ga_{, g}b_{, g}c_{, g}r_{, g}a−1_r

) and otherwiseD0,1’s response to

(g, ga_{, g}a−1_{, g}r_{, g}a−1r_{, g}b_{, g}c_,_{). Hence} _AdvH0,H1

s ≤ Adv

DDH−

s0 (G, g). An analo-gous argument can be used to tellD1 andD2 apart and therefore (24) follows.

In our next step we bound the distinguishing advantage of DDH- by demon-strating that

AdvDDH−s (G, g)≤AdvDDHs0 (G, g) + 2·AdvIDDH_s0 (G, g). (25) Consider the following distributions

D0= (g, ga−1_{, g}a_{, g}b_{, g}ab₎

H0= (g, gr, ga, gb, gab) H1= (g, gr_{, g}a_{, g}b_{, g}c₎

D1= (g, ga−1

(20)

We want to bound the distinguishing advantage ofD0 andD1. To this pur-pose we use the triangle inequality

AdvDDH−_s (G, g) =AdvD0,D1

s

≤AdvD0,H0

s +AdvHs0,H1+AdvHs1,D1. (26)

When distinguishingH0fromH1, we have to solve a plain DDH problem, as gr_{carries no information on}_a_and_{b. Hence}

AdvH0,H1

s ≤Adv

DDH

s0 (G, g). (27)

Moreovergb_{, g}c _{do not help distinguishing}_H1 _from_{D1, and thus}

AdvH1,D1

s ≤Adv

IDDH

s0 (G, g). (28)

We encounter a similar situation comparing the first two distributions. Since gb_{, g}ab _{can be generated easily when knowing}_ga_{, it follows that}

AdvD0,H0

s ≤Adv

IDDH

s0 (G, g). (29)

Combining equations (26) – (29) proves (25). Equations (22) – (25) conclude

the proof of the claim. 4

u t

7.3 Proof of Lemma 1

The Feistel-network can be seen as a sequential composition of the round func-tions, but where one additionally XORs the input to thei’th round function to the output of the (i+ 1)’th round function. So it is not surprising that we can use Fi’s similar to theF from the previous section to prove Lemma 1. But the

F1,F2, andF3 (from the statement of the lemma) are a bit more complicated as we have to “work around” this additional XORs. LikeF, each Fi has aκi ∈ K

as part of its secret key. MoreoverF1 has ax ∈Z∗q and s, t∈ {0,1}n, F2 has a y ∈ Z∗

q, and F3 az ∈Z∗q as keys. On input (α, β, γ, δ) = [a, b, c, d] the Fi’s are

defined as (with theri’s generated as in (14))

F1([a, b, c, d])→       

[gxr1_{, g}r1_{], s, t} _{if [a, b, c, d] = [0,}_0,_0,_0];

[0,0,0,0] elseifc=dx_;

[gxr1_{, g}r1_,_([γ_⊕_s]−1₎x−1r2_,_([δ_⊕_t]−1₎r2_{] elseif [a, b] = [0,}_0]; [gr1_{, g}r2_{, g}r3_{, g}r4_] _otherwise.

F2([a, b, c, d])→ [cy−1r1_{, d}r1_{, a}yr2_{, b}r2_]

F3([a, b, c, d])→

_[0,_0,_0,_0] _if_bz₌_a;

[az−1r1_{, b}r1_{, c}zr2_{, d}r2_] _otherwise.

Proof (of Lemma 1). The lemma follows from Claim 3 and 4 below. ut Claim 3 One can distinguish Lψ2n[F1F2F3] from a URF with three adaptively

(21)

LQ1 : [0,0,0,0] RQ1 : [0,0,0,0] R2

1 : [gxr 0 1_{, g}r

0 1_]_{, s, t} R3

1 :∗,∗,[gxyr 0 2_{, g}r

0 2_] O1 :∗,∗,[gxyzr

0

3_]_⊕_s,_[_gr 0 3_]_⊕_t

LQ2 : [0,0],[gxyzr 0

3_]_⊕_s,_[_gr 0

3_]_⊕_t _R_Q₂ _{: [0}_,₀_,₀_,_0] R2

2 : [gxr 0 4_{, g}r

0 4_{, g}yzr

0 5_{, g}r

0 5_] R3

2 : [gzr 0 6_{, g}r

0 6_]_,_∗_,_∗ O2 : [gxr

0 4_{, g}r

0 4_{, g}yzr

0 5_{, g}r

0 5_]

LQ3 : [0,0, gxr 0 4_{, g}r

0

4_] _R_Q₃ _{: [0}_,₀_{, g}yzr 0 5_{, g}r

0 5_] R2

3 : [0,0, gyzr 0 5_{, g}r05_] R3

3 : [gzr 0 7_{, g}r

0 7_]_,_∗_,_∗ O3 : [0,0, gyzr

0 5_{, g}r

0 5_]

LQi RQi

F

1 ⊕

R2

i

F

2 ⊕

R3

i

F

3 ⊕

Oi

Fig. 2.An adaptive three query distinguishing attack forLψ2n[F1F2F3].

Proof (sketch).In Fig. 2 we demonstrate an adaptive three query distinguishing attack onLψ2n[F1F2F3]. In the figure, values which are not relevant for the attack are denoted by∗. Allr0

ivalues are random, but not necessarily equal to a random

value generated by a round function (i.e. as in (14)).19_{To see that this is a legal} attack note that every query Qi can be computed from the previous output

Oi−1. That the values will really have the form as described in the attack can

be verified from the definition of theFi’s.20 Since the third output starts with

[0,0] it can be distinguished from a random output with high probability. ut

Claim 4 F1,F2, andF3 are nCPAsecure PRFs if IDDH is hard in G.

Proof (sketch). The nCPA security of the Fi’s follows from the nCPA security

of F from the previous section as stated in Lemma 2:F2 is exactly F, so there is nothing else to prove here. The function F3 behaves exactly as F unless it is queried on an input [a, b, c, d] which satisfies bz ₌ _a _{for a random} _{z. The}

probability that this happens on any (non-adaptive) query is just |G|−1 _(and thus exponentially small even after taking the union bound over all polynomially many queries).

To prove thatF1 is non-adaptively secure, we show how to turn any distin-guisherDforF1into one forF3 whose distinguishing advantage differs only by a negligible amount. First, below we completely ignore the cases wherec=dx_for

19_{For instance,}_r0

1 is the first random value generated byF1 and r02 is the product of r0

1 and the second random value generated byF2.

20_{Actually, there is an exponentially small probability that the values will not have} that form, namely when the input to some round function “by chance” satisfies a condition that is checked. E.g. whenR3

(22)

F1and a=bz forF3 as they only happen with exponentially small probability. Further, as whenever [a, b] 6= [0,0] the output of F1 is pseudorandom, we can assume that the non-adaptive distinguisherD forF1 only makes queries where [a, b] = [0,0].

Now consider the following distinguisherD0 _for_F_{3. First}_D0 _{picks some}

uni-formly randoms, t∈ {0,1}n_._D0 _{basically simulates}_D_{, but when the query was}

[0,0,0,0] then the right half of the output is replaced with s, t. On all other queries (chosen byD) of the form [0,0], γ, δ, D0 invokes the system at hand by [0,0], γ⊕s, δ⊕t. FinallyD0 outputs the decision bit of the simulatedD.

If the system queried byD0 isF3 (with secret keyx) then the output distri-bution that the simulated Dgets to see is exactly as if it was generated byF1 (with secret keyx, s, t). Also note that when the system queried byD0 is a URF, then also the output thatD sees is uniformly random. Thus the distinguishing advantage ofD0forF1(from a URF) is the same as the advantage ofDforF3. ut

8 Some Remarks on

CCA

_Security

We have shown that the four-round Feistel-network with nCPA secure round functions is CPA secure in the information-theoretic, but in general not in the computational setting. A natural question to ask is how many rounds are nec-essary/not sufficient to achieveCCAsecurity.

In order to get aCCAsecure QRP, it is enough – by the following statement (taken from [MPR06]) – to cascade twonCPAsecure QRPs (the second in inverse direction)

∆CCAk (F.G−1,P)≤∆nCPAk (F,P) +∆nCPAk (G,P).

With this and Proposition 1 we directly get that six rounds with nCPA secure QRFs give aCCAsecure QRP, i.e.

∆CCA

k (ψ2n[FFFFFF],P)≤6·∆nCPAk (F,R) +

k2 2n−1.

So six nCPA secure round functions are sufficient to get CCA security, and by Proposition 4 we know that at least four rounds are necessary. Next we show that the five-round Feistel-network withnCPAsecure QRFs is aCCAsecure QRP. The theorem, which is proved in Appendix E, is stated even more generally. Theorem 3 For any random functions FandG

∆CCAk (ψ2n[FFGFF],P)≤8·∆knCPA(F,R) + 2·∆KPAk (G,R) + 12·

k2 2n+1. It remains an open question whether four rounds are sufficient.

(23)

References

[Dam04] Ivan Damg˚ard. Discrete log based cryptosystems, 2004. Manuscript, www.daimi.au.dk/ivan/DL.pdf.

[GGM86] Oded Goldreich, Shafi Goldwasser, and Silvio Micali. How to construct random functions. J. ACM, 33(4):792–807, 1986.

[HILL99] Johan H˚astad, Russell Impagliazzo, Leonid A. Levin, and Michael Luby. A pseudorandom generator from any one-way function. SIAM J. Comput., 28(4):1364–1396, 1999.

[LR86] Michael Luby and Charles Rackoff. Pseudo-random permutation genera-tors and cryptographic composition. InProc, 18th ACM Symposium on the Theory of Computing (STOC), pages 356–363, 1986.

[Luc96] Stefan Lucks. Faster Luby-Rackoff ciphers. In Fast Software Encryption, volume 3557 ofLNCS, pages 189–203. Springer-Verlag, 1996.

[Mau02] Ueli Maurer. Indistinguishability of random systems. InAdvances in Cryp-tology — EUROCRYPT ’02, volume 2332 ofLNCS, pages 110–132. Springer-Verlag, 2002.

[MOPS06] Ueli Maurer, Yvonne-Anne Oswald, Krzysztof Pietrzak, and Johan Sj¨odin. Luby-Rackoff Ciphers from Weak Round Functions. InAdvances in Cryptol-ogy — EUROCRYPT ’06, volume 4004 ofLNCS, pages 391–408. Springer-Verlag, 2006.

[MP04] Ueli Maurer and Krzysztof Pietrzak. Composition of random systems: When two weak make one strong. InTheory of Cryptograpy — TCC ’04, volume 2951 of LNCS, pages 410–427. Springer-Verlag, 2004.

[MPR06] Ueli Maurer, Krzysztof Pietrzak, and Renato Renner. Indistinguishability amplification, 2006. Manuscript.

[MT05] Kazuhiko Minematsu and Yukiyasu Tsunoo. Hybrid symmetric encryp-tion using known-plaintext attack-secure components. InICISC ’05,LNCS. Springer-Verlag, 2005.

[Mye04] Steven Myers. Black-box composition does not imply adaptive security. In Advances in Cryptology — EUROCRYPT ’04, volume 3027 ofLNCS, pages 189–206. Springer-Verlag, 2004.

[NR99] Moni Naor and Omer Reingold. On the construction of pseudorandom per-mutations: Luby-Rackoff revisited. J. Cryptology, 12(1):29–66, 1999. [NR02] Moni Naor and Omer Reingold. Constructing pseudo-random permutations

with a prescribed structure. J. Cryptology, 15(2):97–102, 2002.

[Pat04] Jacques Patarin. Security of random feistel schemes with 5 or more rounds. In Advances of Cryptology — CRYPTO ’04, volume 3152 of LNCS, pages 106–122. Springer-Verlag, 2004.

[Pie90] Josef Pieprzyk. How to construct pseudorandom permutations from single pseudorandom functions. InAdvances in Cryptology — EUROCRYPT ’90, volume 537 ofLNCS, pages 140–150. Springer-Verlag, 1990.

[Pie05] Krzysztof Pietrzak. Composition does not imply adaptive security. In Ad-vances in Cryptology — CRYPTO ’05, volume 3621 ofLNCS, pages 55–65. Springer-Verlag, 2005.

[Pie06] Krzysztof Pietrzak. Composition implies adaptive security in minicrypt. In Advances in Cryptology — EUROCRYPT ’06, volume 4004 ofLNCS, pages 328–338. Springer-Verlag, 2006.

(24)

[RR00] Zulfikar Ramzan and Leonid Reyzin. On the round security of symmetric-key cryptographic primitives. In Advances in Cryptology — CRYPTO ’00, volume 1880 ofLNCS, pages 376–393. Springer-Verlag, 2000.

A

Monotone Conditions for Random Systems

Monotone Conditions for Random Systems.We now define the concept ofmonotone conditions for random systems and show how they can be used to prove bounds on the indistinguishability of random systems.

A monotone conditionAfor a (X,Y)-random systemFis an event sequence A1, A2, . . ., whereAi∈ {ai, ai}. Hereai(ai) denotes the event that the condition

is satisfied (failed) after thei-th query toFhas been processed. Monotone means that if the condition failed, it will never hold again (i.e.ai⇒ai+1). So the event

ai immediately impliesaj for allj > i.

We denote a (X,Y)-random system Fwith a monotone condition AasFA_,

and model the monotone condition by an extra binary output of the systemAi

(whereAi= 0 indicates the eventaiandAi= 1 the eventai). As this outputAi

is never used as an input to a distinguisher or another system, it is convenient to think ofFA_{as of}_F_{with a lamp. This lamp is initially off (A0}_{= 0), but may}

turn on at some point to indicate that the condition failed, i.e. the lamp is on after thei’th query iffAi= 1.

Definition 8 A(X,Y)-random systemFwith a monotone conditionA, denoted

FA_{, is the same random system but with an additional monotone binary variable}

sequenceA1, A2, . . .defined on it. The value ofAi∈ {0,1}is determined after the

i’th query. Monotone means FA _{is given by the infinite sequence of conditional}

probability distributionsPF

AiYi|XiYi−1Ai−1 for i≥1(or equivalently byP

F

AiYi|Xi for i≥1).Ai= 0 means that the condition holds after thei’th query, this event

is denoted byai, the eventAi = 1is denoted with ai.

LetF and G be random systems and A be a condition defined for F. We define three relations for random systems with conditions

FA≡GB ⇐⇒ ∀i≥1 :PF

aiYi|Xi =P

G

biYi|Xi

F|A ≡G ⇐⇒ ∀i≥1 :PF

Yi_|Xi_a_i =P

G

Yi_|Xi

FA_G _{⇐⇒ ∀}_i_≥_{1 :}_PF

aiYi|Xi≤P

G

Yi_|Xi.

It is not hard to see thatF|A ≡G impliesFA_G _{but not vice versa.}

Propo-sition 7 below states that if FA_G_{, then distinguishing}_F _from _G _{is at least}

(25)

Definition 9 For a random systemF with a conditionAwe denote with

νD

(FA, ak)

def

=PD_a_k♦FA (30)

the probability that the distinguisher D can make A fail with k queries. The probability of the best ATK-distinguisher is denoted by

νATK₍_FA_{, a} k)

def

= max

ATK−distinguisher DP D♦FA

ak . (31)

Proposition 7 If FA _G _{(which is implied by}_{F|A ≡}_G _or_FA _≡_GB_{) then}

for any distinguisher D

∆D

k(F,G)≤ν

D

(FA_{, a} k),

and if FA_≡_GB

νD(FA, ak) =ν

D

(GB, bk).

By this proposition we can bound ∆ATK

k (F,G) by first finding a condition A

for F which satisfies FA G and then trying to prove an upper bound on νATK₍_FA_{, a}

k).

The next proposition states that ifF|Ais itself a random system, then adap-tivity is of no use when one want to make Afail. We will use this proposition many times as dealing with non-adaptive distinguishers is usually much easier than to handle adaptive ones.

Proposition 8 For any i ∈ N_{, if for a random system} _F _{with a condition} _A

there exists a random systemG such that F|A ≡G, i.e. for alli≥1

PF_Yi_|Xi_a i≡P

G

Yi_|Xi, (32)

then adaptivity does not help in provokingai, i.e.

νCPA(FA, ai) =νnCPA(FA, ai). (33)

In the sequel we make use of a random system called beacon, denoted byB.

Definition 10 (Beacon) An X → Y-beaconB is a random system for which

(26)

Note thatR|A ≡B, ifAdenotes the condition that the inputs to the URF Rare distinct. Hence, by Proposition 7 it follows that

∆KPA

k (F,B)−∆KPAk (F,R) tri. ineq.

≤ ∆KPA k (R,B)

P rop.7

≤ νKPA₍_R_{, a} k)

b-bound

≤ k

2

2n+1.(34) In the sequel we will frequently make use the following two arguments:

(i) Consider a monotone condition A, defined forE(·). Then it follows (which we show below) that

νATK(EA(F), ak)−νATK(EA(G), ak)≤∆ATKk (EA(G),EA(F)). (35)

Consider theATK-distinguisherD for which it holds that

νD₍_EA₍_F_{), a}

k) =νATK(EA(F), ak),

and the distinguisherD0 _{that simply runs}_D _{and outputs 1 if}_a

k is provoked

and else 0. Clearly, D0 _{distinguishes} _EA₍_G_{) from} _EA₍_F_{) with advantage}

νD₍_EA₍_F_{), a}

k)−νD(EA(G), ak), from which (35) follows.

(ii)Suppose there is anATK-distinguisherDforE(F) andE(G), from which we can construct a distinguisherD E(·) forFandG.

LetATK0={D E(·)|D∈ATK}, for some random systemE(·). Letk0₌_c_·_k

wherec is the number of invocations that E(E) makes to its component E on every invocation. Then it holds that

∆ATKk (E(F),E(G))≤∆ATK

0

k0 (F,G) and

νATK(E(FA), ak)≤νATK

0

(FA, ak0).

B

Original Luby-Rackoff under

nCCA

In this section we show that

∆nCCAk (ψ2n[RRR],P)≤2·

k2 2n+1. LetQ→

i andO→i denote the set of queries and outputs in the forward direction

(afteriqueries), respectively. Similarly, letQ←

i andO←i denote the queries and

(27)

– Letc↔

i denote the event that the input to the second round function are all

distinct (afteriqueries). – Let c→

i denote the event that there exist distinct x, x0 ∈ O→i or (x, x0) ∈

O→

i ×Q←i such thatLx=Lx0.

– Let c←

i denote the event that there exist distinct x, x0 ∈ O←i or (x, x0) ∈

O←

i ×Q→i such thatLx=Lx0.

It holds thatψ2n[RC

←

RC↔_RC→_]_≡_ψ2 n[RC

←

BC↔_RC→_]_P_.

∆nCCA

k (ψ2n[RRR],P) P rop.7

≤ νnCCA(ψ2n[RC

←

BC↔RC→], c←k ∨c↔k ∨c→k ) union bound

≤ νnCCA(ψ2n[RC

←

BR], c←k ) +

νnCCA_(ψ2

n[RBRC

→

], c→_k ) + νnCCA(ψ2n[RBC

↔ R], c↔k ) union bound

≤ |Q

← k |2

2n+1 +|Q

← k | ·

|O→ k |

2n+1 + |Q→

k |2

2n+1 +|Q

→ k | ·

|O← k |

2n+1 + (|Q→

k |+|Q←k |)2

2n+1

≤ 2· k

2

2n+1,

where the last inequality follows from the fact that|Q←_|₊_|_Q→_{| ≤}_k.

C

Proof of Propositions 2 - 5

Without loss of generality (since we are dealing with stateless systems) we as-sume that the distinguisher only makes distinct queries. Let C (C0_{) denote a}

monotone condition for any function defined by lettingci (c0i) denote the event

that the firstiinputs of the function are distinct.

Proof (of Proposition 2).LetAdenote a monotone condition for any function defined by lettingai denote the event that the firstioutputs of the function are