The Iterated Random Permutation Problem with Applications to Cascade Encryption

(1)

The Iterated Random Permutation Problem

with Applications to Cascade Encryption

?

Brice Minaud and Yannick Seurin

ANSSI, Paris, France

Abstract. We introduce and study the iterated random permutation problem, which asks how hard it is to distinguish, in a black-box way, the r-th power of a random permutation from a uniformly random permutation of a set of sizeN. We show that this requiresΩ(N) queries (even for a two-sided, adaptive adversary). As a direct application of this result, we show that cascading a block cipher with the same key cannot degrade its security (as a pseudorandom permutation) more than negligibly.

Keywords: iterated random permutation problem, block cipher, pseudorandom permutation, cascade encryption

1 Introduction

A Simple Question. Assume that, as a cautious and slightly paranoid cryptog-rapher, you are not at ease with usingAES(say, with 256-bit keys) as is. Instead, you define the block ciphermyAESas

myAES(k, x)def= AES(k,AES(k, x)),

that is, you encipher the plaintext xtwice with the same key k, hoping that this will increase security. After all, this seems like a cheap, “black-box” way of doubling the number of rounds ofAES-256, and it is heuristically well established that increasing the number of rounds of a cipher improves its resistance to various attacks. Another motivation is some contexts could be to slow down brute force attacks.1_{How can you be sure that the security of your new custom block cipher}

does not suddenly collapse, becomingmuch worse than the security ofAES-256? This seems quite implausible, but can we hope toformally prove that this cannot

happen?

? c

IACR 2015. This article is the final version submitted by the authors to the IACR and to Springer-Verlag in June 2015, which appears in the proceedings of CRYPTO 2015.

(2)

Cascade Encryption. This question is obviously related to what is called

cascade encryption(ormultiple encryption), i.e., self-composition of a block cipher. Given a block cipherE, the cascade of lengthrassociated with E encrypts a message xas

Ek01,...,kr(x)

def

= (Ekr◦ · · · ◦Ek1)(x).

Cascade encryption has been extensively studied in the setting where the keys (k1, . . . , kr) for the r calls to the underlying block cipher E are independent:

there are results in the computational setting [LR86, Mye99, MT09, Tes11], in the information-theoretic setting (where only computationally unbounded adversaries are considered) [Vau98,Vau99,Vau03,MP04,MPR07,CPS14], and in the ideal cipher model (in the context of key-length extension) [ABCV98,

BR06,GM09,Lee13,DLMS14]. In particular, it is known that cascading a given block cipher with independent keys is security-amplifying: if E is a (q, t, ε )-pseudorandom permutation2_{(PRP), then the}_r_{-fold cascade with independent}

keys for thercalls toE is a (q0, t0, rεr)-PRP [Tes11], withq0 'qandt0 't. In the information-theoretic setting, the following slightly weaker result has been shown: ifE is a (q, ε)-PRP, then ther-fold cascade ofE with independent keys is a (q,2r−1εr)-PRP [Vau98,Vau99].

On the other hand, virtually nothing is known regarding the security of cascade encryption when the keys used for each call to the underlying block cipher arenot

independent.3 _{Not only is it not known whether this might amplify security (and}

indeed, proving even a tiny security amplification result for cascade encryption without increasing the total key-length would be a major breakthrough), but there is absolutely no guarantee that this might not in some cases dramatically

deteriorate security.

Our Result. In this short paper, we prove thatcascading a block cipher with

the same key cannot degrade its security beyond negligible. By security, we mean

the standard notion of (strong) pseudorandomness, defined as follows.

Definition 1 (Strong Pseudorandom Permutation (SPRP)).Let E be a

block cipher with key spaceK and message spaceS, andPerm(S)be the set of all

permutations ofS. Let Dbe a distinguisher with oracle access to a permutation

and its inverse, and returning a single bit. The SPRP-advantage of DagainstE

2

A block cipherE= (Ek)k∈K with key spaceK is a (q, t, ε)-PRP if any adversary making at mostq oracle queries and running in time at mosttcan distinguishEk (for a random keyk) from a uniformly random permutation with advantage at most

ε. See also Definition1below. 3

(3)

is defined as

Advsprp_E (D) =

Pr

h

P ←$Perm(S) :DP,P −1

= 1i

−Prhk←$K:DEk,(Ek) −1

= 1i .

For integers qandt, the SPRP-advantage ofE is defined as

Advsprp_E (q, t) = max

D Adv

sprp

E (D),

where the maximum is taken over all distinguishers making at most q oracle

queries and running in time at mostt.E is a(q, t, ε)-SPRP if Advsprp_E (q, t)≤ε.

A block cipher is deemed secure if its SPRP-advantage is “small” for all “reasonable” parametersqandt. We show the following.

Theorem 1. LetE be a block cipher with message space of sizeN, and r >0

be an integer. Let Er _{be the block cipher obtained by}_r_{-fold self-composition of}_E

with the same key. (Note thatE and Er _{have the same message and key spaces.)}

Then

Advsprp_Er (q, t)≤Adv

sprp

E (rq, t

0_{) +}(2r+ 1)q

N ,

with t0=O(t).

Hence, cascade encryption with the same key does not hurt security beyond negligible, or, to phrase it more positively, it can only improve the security of a given PRP. Theorem1 follows straightforwardly from a purely information-theoretic result that we now expose in details.

The Iterated Random Permutation Problem. Let S be a set of size

N >0, and letPerm(S) be the group of all permutations ofS. For a permutation

P ∈Perm(S) and an integerr≥1, we denotePr ther-fold self-composition of

P. Consider an adversary (later called distinguisher)Dhaving two-sided oracle access to an element P ∈ Perm(S): it can either query P(x) and receive the corresponding imagey, or queryP−1₍_y_{) and receive the corresponding antecedent}

x. We assume thatDmakes at mostq(adaptive queries) before outputting a bit

b. Theiterated random permutation problem asks how many queriesqneedsD

to distinguish with a noticeable probability the following two situations:

1. a permutationP is drawn at random fromPerm(S), andDis given oracle access toP andP−1;

2. a permutationP is drawn at random fromPerm(S), andDis given oracle access toPr_{and (}_Pr₎−1_.

In other words, defining the advantage ofDfor the iterated random permutation problem as

AdvP,Pr(D) =

Pr

h

P ←$Perm(S) :DP,P−1 = 1i

−PrhP ←$Perm(S) :DP

r_,₍_Pr₎−1 = 1i

(4)

and the best advantage atqqueries as

AdvP,Pr(q) = max

D AdvP,Pr(D),

where the maximum is taken over all distinguishers making at mostqqueries, we ask howqmust grow withN forAdvP,Pr(q) to be constant, sayAdv_P,Pr(q)≥ 1/2. We show that this requiresq=Ω(N/r). More precisely, we have the following theorem.

Theorem 2. For any integerq, one has

AdvP,Pr(q)≤

(2r+ 1)q

N .

This theorem is proved in Section2. Theorem1follows from Theorem2by a simple hybrid argument that we give for completeness.

Proof of Theorem 1. LetDbe a distinguisher against the strong

pseudorandom-ness ofEr_{making at most}_q _{oracle queries and running in time at most}_t_{. By}

definition,

Advsprp_Er (D) =

Pr

h

P ←$Perm(S) :DP,P −1

= 1i

−Prhk←$K:D(Ek)

r_,₍₍_E

k)r)−1 _{= 1}i

≤AdvP,Pr(D) +Adv_Pr_,Er(D)

≤(2r+ 1)q

N +AdvPr,Er(D),

where the last inequality follows from Theorem2and where

AdvPr_,Er(D) =

Pr

h

P←$Perm(S) :DPr,(Pr)−1_{= 1}i

−Prhk←$K:D(Ek)r,((Ek)r)−1 _{= 1}i .

Consider the following distinguisherD0 _{against the strong pseudorandomness of}

E. It has oracle access to some permutation oracle O(which is either a random permutation P or Ek for a random key k) and works as follows: it runs D,

answering each oracle query of Dby querying its own oraclertimes to return

Or(x) for a direct query or (Or)−1(y) for an inverse query, and outputting the same decision as D. Clearly, the SPRP-advantage of D0 _against _E _{is exactly}

AdvPr_,Er(D), and D0 makes at most rq queries and runs in time t0 = O(t). Hence

AdvPr_,Er(D)≤Advsprp_E (rq, t0),

(5)

Remark 1. It can be noted in the proof above that even whenDis non-adaptive (i.e.,Dchooses all its queries at the beginning of the security experiment and issues them all at once),D0 _{seems to inherently have to query its oracle adaptively.}

And indeed, Theorem1does not extend to the non-adaptive variant of (strong) pseudorandomness. This can be seen from the following simple example: Consider a (single-key) Even-Mansour cipher [EM97], defined byEk(x) =k⊕P(k⊕x),

whereP is a public (efficiently computable and invertible) permutation. Assume that P is an involution (i.e., P2 _{is the identity). Then, the block cipher} _E2

obtained by composingEtwice with the same key is highly insecure (even against non-adaptive adversaries making one single query) since it is equal to the identity for any key. On the other hand, modelingP as a public random involution oracle, it can be shown [DKS12] thatE is secure against non-adaptive distinguishers making at most q= 2n/2 encryption/decryption queries and evaluatingP on at mostt= 2n/2 values.4This shows that, unlike what Theorem 1ensures for adaptive security, cascading with the same key can completely ruin security against non-adaptive distinguishers.

We also exhibit a distinguisher whose advantage matches the upper bound of Theorem 2(up to some constant term which depends onr), establishing the following lower bound.

Theorem 3. Forq≤N/r, one has

AdvP,Pr(q)≥

q

2N − r N.

The adversary that we use to arrive at Theorem3simply picks a random messagex∈S and travels along the cycle on which this point lies, hoping to cycle back tox. Details of the analysis can be found in Section3. A different attack, based on the search of a fixed point, has been analyzed by Courtoiset al.[BAC12].

Perspectives. A natural question is whether it is possible to prove any kind of security amplification for cascade encryption with non-independent keys, which in its full generality would take the form

E_k0(x) = (Efr(k)◦ · · · ◦Ef1(k))(x),

where thefi’s are permutations of the key space ofE.5However, in the particular

scenario where the same key is reused (i.e., all fi’s are equal to the identity),

this clearly requires additional assumptions on the underlying block cipherE, as indicated (again) by the simple example of a single-key Even-Mansour cipher

4

But note thatEcan be distinguished from random by anadaptiveadversary making two queries; namely, denotingOthe adversary’s oracle, it queriesy:=O(x),y0:= O(y), and checks whethery0=x.

(6)

Ek(x) =k⊕P(k⊕x), whereP is a public (efficiently computable and invertible)

permutation. There is a generic6_{attack on any block cipher of this class requiring}

q= 2n/2 _{queries to the encryption/decryption oracle and} _t_{= 2}n/2 _evaluations

of the inner permutationP [Dae91,DKS12]. Note that for anyr >1, ther-fold cascade with the same key Er _{is again a one-round single-key Even-Mansour}

cipher, with inner permutationPr_{, so that it can be generically attacked with}

q= 2n/2 _{queries to the encryption/decryption oracle and}_t₌_r₂n/2 _evaluations

ofP. Hence, under the assumption thatP is such that the best attack againstE

is the generic one, composition with the same key does not amplify the security of such a block cipher. The same argument applies if thefi’s are of the form

fi(k) = k⊕ci for public constants ci. Indeed, this yields again a one-round

single-key Even-Mansour cipher with inner permutation

P0(x) =cr⊕P(cr⊕cr−1⊕P(cr−1⊕ · · · ⊕c1⊕P(c1⊕x)· · ·)).

Besides, slide attacks [BW99] show that iterating a truly weak cipher cannot make it arbitrarily strong, independently of the number of iterations. For instance, in the information-theoretic setting, ifE is so weak that it can be distinguished from random using a single plaintext/ciphertext pair with advantage 1−2n/2_,

then Er can be distinguished from random using 2n/2 queries with constant probability of success, regardless of the value ofr.7

We leave open the problem whether it is possible to find assumptions on the block cipherE(e.g. resistance to related-key attacks, resistance to key-dependent messages attacks, etc.) sufficient to prove that cascading with non-independent keys is security amplifying.

2 Proof of the Main Result

In this section, we prove Theorem2. We rely on the game-playing framework, and we assume some familiarity of the reader with this technique (see [Sho04,BR06] for more details).

In all the following, given a non-empty setS, we denote Card(S) the number of elements inS. Let Cycl(S) denote the set of cyclic permutationsofS, i.e., the subset ofPerm(S) consisting of permutations with a single cycle. Overall, we will consider the following four games:

6 _{In this context, an attack is said to be generic if it only uses the inner permutation} P as a black-box.

7

(7)

– G_P, which gives access toP andP−1 _for_P_←

$Perm(S);

– G_Pr, which gives access toPrand (Pr)−1 forP ←$Perm(S);

– G_C, which gives access toC andC−1 forC←$Cycl(S);

– G_Cr, which gives access toCr_{and (}_Cr₎−1_for_C_←

$Cycl(S).

Each game provides two interfaces to the distinguisher, denotedQandQ−1, for querying the underlying permutation respectively in the direct and inverse direction. For example, the formal definition ofG_P is:

1 GameG_P: 2 Initialization: 3 P←_$Perm(S) 4 procedureQ(x): 5 returnP(x)

6 procedure Q−1(y): 7 returnP−1(y)

For any gamesG,H, we writeAdvG,H(q) to denote the maximal advantage

attainable by distinguishers betweenGandHwithinq queries. We say that two gamesGandHareequivalent (withinqqueries) ifAdvG,H(q) = 0. Our goal is

to bound AdvG

P,GPr(q). The layout of the proof is summarized by the following picture:

G_P

G_C G_Cr

G_Pr

Adv≤q/N Lemma1 Lemma2 Adv≤rq/N

Adv≤rq/N

Lemma3

Lemma 1.

AdvG

P,GC(q)≤

q N.

Proof. We start with some useful definitions. Apartial permutation graph(V, E)

of sizeN is a directed graph (with loops allowed) with set of verticesV of sizeN

and set of edgesE⊂V2, where each vertex has out- and in-degree 0 or 1. Given a partial permutation graph (V, E) containing no cycles and a vertexz∈V, the

sourceofz, denotedSo(z), is the uniquex∈V with in-degree 0 such that there

is a path fromxto z(with the convention that So(z) =zifz has in-degree 0), and the sink of z, denoted Si(z), is the unique y ∈ V with out-degree 0 such that there is a path from z to y (with the convention that Si(z) =z ifz has out-degree 0). The existence and uniqueness of So(z) andSi(z) when (V, E) is acyclic are straightforward to prove.

We considerlazily sampledversions ofG_PandG_C. To describe the lazy sampling procedure, we assume thatG_Pinternally maintains a partial permutation graph over V =S (with initially no edge). This graph represents the current state of the sampling process. We letE⊂S2_{denote the (time-dependent) set of edges}

(8)

the set of vertices with in-degree 1, these two sets being time-dependent as well. Slightly abusing notation, for x∈ X, we denote E(x) the unique y ∈ S such that (x, y)∈E, and fory∈Y, we denote E−1₍_y_{) the unique}_x_∈_S _{such that}

(x, y)∈E. The lazy sampled version ofG_P is as follows:

1 GameGlazy_P : 2 Variables:

3 Set of edgesE, initially empty 4 procedureQ(x):

5 if x /∈X then

6 y←_$S\Y

7 E:=E∪ {(x, y)} 8 returnE(x)

9 procedure Q−1(y): 10 if y /∈Y then

11 x←_$S\X

12 E:=E∪ {(x, y)} 13 returnE−1(y)

Claim. G_P andGlazy_P are equivalent (for any numberqof queries).

Proof. This is a folklore result (see e.g. [BR06, Section 7.4]). Proving it amounts

to showing, with the previous notation, that if P ←$ Perm(S) agrees with

a partial permutation graph (S, E), for x ∈ S \X, then P(x) is uniformly distributed overS\Y. Equivalently, for anyx, x1, . . . , xn pairwise distinct inS,

andyA, yB, y1, . . . , yn pairwise distinct inS, we have

Card{P ∈Perm(S) :P(x) =yA, P(x1) =y1, . . . , P(xn) =yn}

= Card{P ∈Perm(S) :P(x) =yB, P(x1) =y1, . . . , P(xn) =yn}.

To see this, observe that left-hand side composition with transposition (yAyB) is

a bijection between the two sets. The reasoning for an inverse query is similar.

Similarly, the lazy version ofG_Cis:

1 GameG

lazy C :

2 Variables:

3 Set of edgesE, initially empty 4 procedureQ(x):

5 if x /∈X then

6 y←_$S\(Y ∪ {So(x)}) 7 E:=E∪ {(x, y)} 8 returnE(x)

11 x←_$S\(X∪ {Si(y)}) 12 E:=E∪ {(x, y)} 13 returnE−1(y)

Claim. G_C andGlazy_C are equivalent (for any numberqof queries).

Proof. Here, we must show that for any partial permutation graph (S, E)

con-taining no cycle, with the previous notation and letting X = {x1, . . . , xn},

Y ={y1, . . . , yn},x∈S\X andyA, yB ∈S\(Y ∪ {So(x)}), we have

Card{C∈Cycl(S) :C(x) =yA, C(x1) =y1, . . . , C(xn) =yn}

(9)

Once again, we prove this equality by building a bijection between the two sets. This bijection is: C 7→ (yAyB)◦C◦(Si(yA)Si(yB)), where (a b) denotes the

transposition swapping a andb. If C is seen as a cyclic graph, this bijection swaps the position of the longest chain starting fromyAinE with the longest

chain starting fromyB. Thus it preserves the cyclic structure and is an involutive

bijection between the two sets considered. The reasoning for an inverse query is

similar.

From the lazy sampling versions of the games, it becomes apparent that Glazy_C andGlazy_P are identical, unless the event [Q(x) =So(x) or Q−1₍_y_{) =}_Si(_y_)]

happens for some query inGlazy_P . More precisely, we can rewriteGlazy_C using a flag badas follows:

1 GameGlazy2_C : 2 Variables:

3 Set of edgesE, initially empty 4 bad←false

5 procedureQ(x): 6 if x /∈X then

7 y←$S\Y

8 if y=So(x)then

9 bad←true

10 y ←_$S\(Y ∪ {So(x)}) 11 E:=E∪ {(x, y)}

12 returnE(x)

15 x←$S\X

16 if x=Si(y)then 17 bad←true

18 x←_$S\(X∪ {Si(y)}) 19 E:=E∪ {(x, y)}

20 returnE−1(y)

Clearly,Glazy_C andGlazy2_C are equivalent (this technique is called resampling, see [BR06, Section 7.2]). Moreover, Glazy_P andGlazy2_C are syntactically identical unlessbadis set totrue. By the fundamental lemma of game-playing (see [BR06, Lemma 2]), one has

Adv_Glazy P ,G

lazy2 C

(q)≤max

D Pr

h

Dsetsbadtotruein Glazy2_C i,

where the maximum is taken over all distinguishers making at mostq queries. For any distinguisherD, the probability thatbadis set totrueat thei-th query ofDinGlazy2_C is exactly 1/(N−i). Hence, we finally obtain

AdvG

P,GC(q) =AdvG_Plazy,Glazy2_C (q)≤1−

q−1 Y

i=0

1− 1

N−i

= q

N.

Lemma 2.

AdvG

Pr,GCr(q)≤

rq N.

Proof. Any distinguisher betweenPr_and_Cr_{can be used to distinguish between}

(10)

the distinguisher D0 _{with oracle access to some permutation oracle} _O _(which

is either P orC) working as follows: it runs D, answering each oracle query of Dby querying its own oracle r times to returnOr₍_x_{) for a direct query or}

(Or₎−1₍_y_{) for an inverse query, and outputting the same decision as}_D_{. Clearly,}

the advantage ofD0 _{in distinguishing}_G

P andGCis equal to the advantage of D

in distinguishing G_Pr andG_Cr, andD0 makes at mostrq queries ifD makes at mostqqueries. Hence, by Lemma1,

AdvG

Pr,GCr(q)≤AdvGP,GC(rq)≤

rq N.

Lemma 3.

AdvG

C,GCr(q)≤

rq N.

Proof. Letd= gcd(N, r). The key observation is thatG_Cris equivalent to querying a random permutation withdcycles of equal length.8_{This follows from the fact}

that the mapping C 7→ Cr _sends _Cycl(_S_{) onto the set of permutations with}

exactlydcycles of the same length, and that each such permutation has the same number of preimages inCycl(S) under this mapping (the interested reader can refer to AppendixA where we prove this claim). In particular, ifd= 1 (when

N andrare coprime), the gamesG_C andG_Cr are identical and we are done. If

d >1, we need to upper bound the advantage of an adversary distinguishing between a random permutation with a single cycle, and a random permutation withdcycles of equal length.

We now describe a new gameG∗

Cr, which we claim is an equivalent description

ofG_Cr.

1 GameG∗_Cr: 2 Initialization: 3 C←$Cycl(S) 4 s0←$S

5 fori < d,si =CN/d(si−1)

6 procedureQ(x):

7 if x=si forsome ithen

8 returnC(s₍_i₋_{1) mod}_d) 9 else

10 returnC(x)

11 procedure Q−1(y):

12 if y=C(si)forsome ithen

13 returns₍_i_{+1) mod}_d 14 else

15 returnC−1(y) Intuitively,G∗_Cr may be pictured as shown on Fig.1.

We show in AppendixAthat the sampling process underlying gameG∗_Cr is also equivalent to sampling a random permutation withdcycles of equal length. Meanwhile, we define the gameG∗_C as being identical toG∗_Cr, except queriesQ(x) (resp. Q−1₍_y_{)) simply return}_C₍_x_{) (resp.}_C−1₍_y_{)): the}_s

i’s play no special role.

This corresponds to step 2 in the picture above. The point is thatG∗_C is clearly an equivalent description ofG_C (since proceduresQandQ−1_{are syntactically}

8

(11)

s0

s1

s2

s0

s1

s2 1. Pick a random cycle. 2. Pick a random point

s0. Split intodequal chains.

3. Redirect thesi’s to formdcycles.

Fig. 1.Representation of the gameG∗Cr.

the same in both games), whileG∗_Cr is an equivalent description ofG_Cr (indeed, by the two claims proved in AppendixA, they are both equivalent to querying a random permutation with dcycles of lengthN/d).

ThusAdvG_C,G_Cr(q) =AdvG∗

C,G

∗

Cr(q). The following claim completes the proof.

Claim.

AdvG∗

C,G

∗

Cr(q)≤

dq N.

Proof. The only difference betweenG∗_C andG∗_Cr occurs whenQ(si) is queried for

somei(orQ−1₍_C₍_s

i)) for backward queries). SoAdvG_C,G_Cr(q) is upper bounded

by the advantage of an adversary playing the following game: she queries G∗_C, and wins iff one of the queries is ansi (orC(si) for a backward query). We now

prove that the advantage of such an adversary is at mostdq/N.

To show this, we give extra information to the adversary: we grant her full knowledge of the cycle C before queries begin. Clearly this can only increase her advantage. The point is that queries no longer provide any new information. Thus the game becomes equivalent to the adversary simply trying to guess one of thesi’s withinq tries.

Notice that the position of thesi’s in the cycleCis essentially defined modulo

a=N/d. Guessing the position of one of thesi’s in the cycle amounts to guessing

a value modulo a. Thus the game is equivalent to guessing a value among a

possibilities, withinqtries. The advantage of an adversary in this game is:

1−

q−1 Y

i=0

1− 1

a−i

= 1−a−q

a = 1−

N−dq

N =

dq N.

By the previous reasoning, this is an upper bound forAdvG∗

C,G

∗

Cr(q). Thus, we have

AdvG

C,GCr(q) =AdvG

∗

C,G

∗

Cr(q)≤

dq N ≤

(12)

The proof of Theorem2 is now complete. Combining Lemmas1,2, and3, we obtain

AdvG

P,GPr(q)≤AdvGP,GC(q) +AdvGC,GCr(q) +AdvGCr,GPr(q)≤

(2r+ 1)q

N .

3 A Matching Attack

In this section, we describe a simple attack matching the bound in Theorem2

within a constant factor, when the number of iterationsris constant. Our attack uses the following distinguisherDcyclebetweenG_PandG_Pr. It makesqqueries to the interface Q(corresponding toP in G_P andPr inG_Pr), ignoringQ−1.

1 DistinguisherDQ_cycle(q) 2 s0←$S

3 for iin {0, . . . , q−1}: 4 si+1←Q(si)

5 end for

6 if all s_i’s are distinct 7 return0

8 else

9 return1

Thus, DQ

cycle returns 1 iff the point s0 ←$ S belongs to a cycle of length

at most q. We have the following result (from which Theorem 3 is a direct application).

Lemma 4. Assumeq≤N/r. Then

C(r)q

N − r

N ≤AdvGP,GPr(Dcycle)≤C(r)

q N +

r

N withC(r) =

X

d|r

φ(d)

d −1

where d|r denotes “d divides r”, and φ is Euler’s totient function. Moreover

C(r)≥1/2forr≥2.

Proof. By definition:

AdvG

P,GPr(Dcycle) =

Pr

h

P ←$Perm(S) :DP

r

cycle= 1 i

−PrP ←$Perm(S) :DcycleP = 1

.

We now set out to compute these two probabilities.

If we pick a random point in a random permutation onN points, and look at the length of the cycle it belongs to, all lengths 1≤k≤N are equally probable. This is a standard result. It can be shown, for instance, usingGlazy_P : if we choose

(13)

create a cycle, then the probability that the next query does is exactly 1/(N−i). Thus, the probability thats0 belongs to a cycle of lengthkis precisely

k−1 Y

i=0

1− 1

N−i

· 1

N−k =

1

N.

As a consequence, one has

Pr

P ←$Perm(S) :DPcycle(q) = 1

= q

N.

We now turn to the case whereDcycle interacts withPr instead ofP. We let

pdef= Pr[P ←$Perm(S) :DcyclePr (q) = 1].

First, we recall two classic equalities regarding the totient function:

X

d|n

φ(d) =n (1) φ(n) =n Y

p|n,p∈P

1−1

p

(2)

where P is the set of prime numbers. Now let k be the length of the cycle containings0. In Pr this cycle is broken up intod= gcd(k, r) cycles of length

k/d. HenceDcycle(q) detects a cycle iffq≥k/d. Since all lengthsk are equally probable, we have

p= 1

NCard

k≤N:q≥ k

gcd(k, r)

= 1

NCard{k≤N :∃d|r,gcd(k, r) =dandk≤dq}

= 1

NCard{k:∃d|r,gcd(k, r/d) = 1 andk≤min(q, N/d)} withk←k/d

= 1

NCard{k:∃d|r,gcd(k, r/d) = 1 andk≤q} usingq≤N/r

= 1

N

X

d|r

Card{k: gcd(k, d) = 1 and k≤q}sinced7→r/dis 1-to-1 over d|r

≥ 1

N

X

d|r

Cardnk: gcd(k, d) = 1 and k≤djq d

ko

= 1

N

X

d|r

φ(d)jq

d

k

≥ 1

N

X

d|r

φ(d)q

d−1

= q

N

X

d|r

φ(d)

d −

r

(14)

One can upper bound p in a very similar manner, and we obtain the main inequality.

Finally, we show thatC(r)≥1/2 for r≥2. In fact it holds that for all r,

C(r)≥1−1/r. To see this, observe that ifr >2 is not prime, we have:

C(r) =X

d|r

φ(d)

d −1

= φ(1) 1 +

X

d|r,1<d<r

φ(d)

d +

Y

p|r,p∈P

1−1

p

−1 by (2)

≥ X

d|r,1<d<r

φ(d)

d +

1− X

p|r,p∈P

1

p

by the union bound

≥1 since{p∈_P:p|r} ⊆ {1< d < r:d|r}.

On the other hand, ifr is prime then C(r) = 1−1/r, hence this is the lower bound.

Corollary 1. For constant r, the best distinguisher between G_P and G_Pr has

advantageΘ(q/N)asN → ∞ andq≤N is any function ofN.

Proof. Theorem2shows that the advantage isO(q/N). Theorem3shows that

it isΩ(q/N) if q≤N/r. On the other hand if q > N/r, as the advantage can only increase withq, it is at leastC(r)N/r_N +o(1)≥ 1

2r+o(1) =Ω(1) =Ω(q/N).

Hence overall the advantage isΘ(q/N).

For concreteness, ifr= 2, Theorem3 exhibits a distinguisher with advantage 0.5q/N (under the assumptionq < N/2), while the main theorem upper bounds the advantage of any such distinguisher by 5q/N. Note that ifr is not constant, the behavior is more complex; informally, only cycles whose length is not coprime withrare affected by the transformationP 7→Pr_{. In particular, if} _r_{is prime}

andr > N, P 7→Pr _{is a permutation of} _Perm(_S_{) and} _G

P is indistinguishable

fromG_Pr.

The problem of finding a tight bound for variabler is interesting from a purely theoretical standpoint, although we do not know of a situation where such a result would be applicable.

References

[ABCV98] William Aiello, Mihir Bellare, Giovanni Di Crescenzo, and Ramarathnam Venkatesan. Security Amplification by Composition: The Case of Doubly-Iterated, Ideal Ciphers. In Hugo Krawczyk, editor,Advances in Cryptology - CRYPTO ’98, volume 1462 ofLNCS, pages 390–407. Springer, 1998. [BAC12] Gregory V. Bard, Shaun Van Ault, and Nicolas T. Courtois. Statistics of

(15)

[BR06] Mihir Bellare and Phillip Rogaway. The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs. In Serge Vaudenay, editor, Advances in Cryptology - EUROCRYPT 2006, volume 4004 of LNCS, pages 409–426. Springer, 2006. Full version available at http: //eprint.iacr.org/2004/331.

[BW99] Alex Biryukov and David Wagner. Slide Attacks. In Lars R. Knudsen, editor,Fast Software Encryption - FSE ’99, volume 1636 ofLNCS, pages 245–259. Springer, 1999.

[CPS14] Benoit Cogliati, Jacques Patarin, and Yannick Seurin. Security Ampli-fication for the Composition of Block Ciphers: Simpler Proofs and New Results. In Antoine Joux and Amr M. Youssef, editors,Selected Areas in Cryptography - SAC 2014, volume 8781 ofLNCS, pages 129–146. Springer, 2014.

[Dae91] Joan Daemen. Limitations of the Even-Mansour Construction. In Hideki Imai, Ronald L. Rivest, and Tsutomu Matsumoto, editors,Advances in Cryptology - ASIACRYPT ’91, volume 739 of LNCS, pages 495–498. Springer, 1991.

[DKS12] Orr Dunkelman, Nathan Keller, and Adi Shamir. Minimalism in Cryptog-raphy: The Even-Mansour Scheme Revisited. In David Pointcheval and Thomas Johansson, editors,Advances in Cryptology - EUROCRYPT 2012, volume 7237 ofLNCS, pages 336–354. Springer, 2012.

[DLMS14] Yuanxi Dai, Jooyoung Lee, Bart Mennink, and John P. Steinberger. The Security of Multiple Encryption in the Ideal Cipher Model. In Juan A. Garay and Rosario Gennaro, editors,Advances in Cryptology - CRYPTO 2014 (Proceedings, Part I), volume 8616 ofLNCS, pages 20–38. Springer, 2014.

[EM97] Shimon Even and Yishay Mansour. A Construction of a Cipher from a Single Pseudorandom Permutation. Journal of Cryptology, 10(3):151–162, 1997.

[GM09] Peter Gazi and Ueli M. Maurer. Cascade Encryption Revisited. In Mitsuru Matsui, editor,Advances in Cryptology - ASIACRYPT 2009, volume 5912 ofLNCS, pages 37–51. Springer, 2009.

[Lee13] Jooyoung Lee. Towards Key-Length Extension with Optimal Security: Cascade Encryption and Xor-cascade Encryption. In Thomas Johansson and Phong Q. Nguyen, editors,Advances in Cryptology - EUROCRYPT 2013, volume 7881 ofLNCS, pages 405–425. Springer, 2013.

[LR86] Michael Luby and Charles Rackoff. Pseudo-random Permutation Generators and Cryptographic Composition. InSymposium on Theory of Computing -STOC ’86, pages 356–363. ACM, 1986.

[MM93] Ueli M. Maurer and James L. Massey. Cascade Ciphers: The Importance of Being First. 6(1):55–61, 1993.

[MP04] Ueli M. Maurer and Krzysztof Pietrzak. Composition of Random Systems: When Two Weak Make One Strong. In Moni Naor, editor, Theory of Cryptography Conference - TCC 2004, volume 2951 ofLNCS, pages 410– 427. Springer, 2004.

(16)

[MT09] Ueli M. Maurer and Stefano Tessaro. Computational Indistinguishability Amplification: Tight Product Theorems for System Composition. In Shai Halevi, editor,Advances in Cryptology - CRYPTO 2009, volume 5677 of LNCS, pages 355–373. Springer, 2009.

[Mye99] Steven Myers. On the Development of Block-Ciphers and Pseudo-Random Function Generators Using the Composition and XOR Operators. PhD thesis, University of Toronto, 1999.

[Sha49] Claude Shannon. Communication Theory of Secrecy Systems. Bell System Technical Journal, 28(4):656–715, 1949.

[Sho04] Victor Shoup. Sequences of Games: A Tool for Taming Complexity in Security Proofs. IACR ePrint Archive, Report 2004/332, 2004. Available athttp://eprint.iacr.org/2004/332.pdf.

[Tes11] Stefano Tessaro. Security Amplification for the Cascade of Arbitrarily Weak PRPs: Tight Bounds via the Interactive Hardcore Lemma. In Yuval Ishai, editor,Theory of Cryptography - TCC 2011, volume 6597 ofLNCS, pages 37–54. Springer, 2011.

[Vau98] Serge Vaudenay. Provable Security for Block Ciphers by Decorrelation. In Michel Morvan, Christoph Meinel, and Daniel Krob, editors,Symposium on Theoretical Aspects of Computer Science, STACS 98, volume 1373 of LNCS, pages 249–275. Springer, 1998.

[Vau99] Serge Vaudenay. Adaptive-Attack Norm for Decorrelation and Super-Pseudorandomness. In Howard M. Heys and Carlisle M. Adams, editors, Selected Areas in Cryptography - SAC ’99, volume 1758 ofLNCS, pages 49–61. Springer, 1999.

[Vau03] Serge Vaudenay. Decorrelation: A Theory for Block Cipher Security.Journal of Cryptology, 16(4):249–286, 2003.

A

Omitted Proofs

We prove here two claims that we used in the proof of Lemma 3. We denote Cycl_d(S) the set of permutations ofS with exactlydcycles of lengthN/d(note that Cycl(S) =Cycl₁(S)).

Claim. LetS be a set of sizeN,r≥1 be an integer, and d= gcd(N, r). Letφ

be the mapping

φ:Cycl(S)→Perm(S)

P 7→Pr.

Thenφ(Cycl(S)) =Cycl_d(S) and all permutations inCycl_d(S) have exactly the same number of preimages byφ.

Proof. First, we show that for anyC∈Cycl(S),φ(C)∈Cycl_d(S). Leta=N/d. Denote

C= (x1 x2 · · · xN).

Then it is easy to see thatCr_{is the product of} _d_{disjoint cycles}_C

i, 1≤i≤d,

with

(17)

ForA∈Cycl_d(S), we denoteφ−1₍_A_{) the set of preimages of}_A_by _φ_{. We now}

show that for anyA, B∈Cycl_d(S), |φ−1₍_A₎_|₌_|_φ−1₍_B₎_|_{. For}_P _∈_Perm(_S_{), we}

denote fP the conjugation by P, namely fP(Q) = P◦Q◦P−1. SinceA and

B have the same cycle structure, they belong to the same conjugacy class, i.e., there exists a permutation P such thatfP(A) =B. Hence, for anyC∈φ−1(A),

fP(C)∈Cycl(S) since conjugation preserves the cycle structure, and one has

fP(C)r= (P◦C◦P−1)r=P◦Cr◦P−1=P◦A◦P−1=B.

This implies thatfP(φ−1(A))⊆φ−1(B), and hence|φ−1(A)| ≤ |φ−1(B)| since

fP is one-to-one. By symmetry, |φ−1(A)|=|φ−1(B)|.

Claim. Let ψdenote the mapping which sends a pair (C, s0)∈Cycl(S)×S to

the permutation defined by gameG∗_Cr. Thenψ(Cycl(S)×S) =Cycl_d(S) and all permutations inCycl_d(S) have exactly the same number of preimages byψ.

Proof. The fact that ψ(C, s0)∈Cycld(S) for any (C, s0)∈Cycl(S)×S is clear.

We now show that for any A, B ∈ Cycl_d(S), |ψ−1₍_A₎_| ₌ _|_ψ−1₍_B₎_|_{. As in the}

previous claim, there exists a permutation P such that fP(A) =B. We show

that for any (C, s0)∈ψ−1(A), (fP(C), P(s0))∈ψ−1(B). First,fP(C)∈Cycl(S)

since conjugation preserves the cycle structure. For i < d, let si=CiN/d(s0). By

definition ofψ,A(si) =C(s(i−1) modd) andA(x) =C(x) forx /∈ {s0, . . . , sd−1}.

Lets0₀=P(s0) and fori < d,s0i =fP(C)iN/d(s00) =P(si). Then

ψ(fP(C), P(s0))(si0) =fP(C)(s0(i−1) modd)

=P◦C(s(i−1) modd) =P◦A(si) =fP(A)(s0i) =B(s

0

i),

and forx /∈ {s0₀, . . . , s0_d₋₁}, sinceP−1₍_x₎_{∈ {}_/ _s

0, . . . , sd−1}, one has

ψ(fP(C), P(s0))(x) =fP(C)(x) =P◦C◦P−1(x) =P◦A◦P−1(x) =B(x),

which shows thatψ(fP(C), P(s0)) =B. Hence, the image ofψ−1(A) by the