How to construct random functions
Journal of the ACM (JACM)
How to construct pseudorandom permutations from pseudorandom functions
SIAM Journal on Computing - Special issue on cryptography
Impossibility and optimality results on constructing pseudorandom permutations (extended abstract)
EUROCRYPT '89 Proceedings of the workshop on the theory and application of cryptographic techniques on Advances in cryptology
How to construct pseudorandom permutations from single pseudorandom functions
EUROCRYPT '90 Proceedings of the workshop on the theory and application of cryptographic techniques on Advances in cryptology
Indistinguishability of Random Systems
EUROCRYPT '02 Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology
Proceedings of the Third International Workshop on Fast Software Encryption
EUROCRYPT'96 Proceedings of the 15th annual international conference on Theory and application of cryptographic techniques
Feistel Networks Made Public, and Applications
EUROCRYPT '07 Proceedings of the 26th annual international conference on Advances in Cryptology
A proof of security in O(2^n) for the Benes scheme
AFRICACRYPT'08 Proceedings of the Cryptology in Africa 1st international conference on Progress in cryptology
On generalized Feistel networks
CRYPTO'10 Proceedings of the 30th annual conference on Advances in cryptology
Generic attacks on misty schemes
LATINCRYPT'10 Proceedings of the First international conference on Progress in cryptology: cryptology and information security in Latin America
On Lai-Massey and quasi-Feistel ciphers
Designs, Codes and Cryptography
Domain extension for MACs beyond the birthday barrier
EUROCRYPT'11 Proceedings of the 30th Annual international conference on Theory and applications of cryptographic techniques: advances in cryptology
Derandomized constructions of k-wise (almost) independent permutations
APPROX'05/RANDOM'05 Proceedings of the 8th international workshop on Approximation, Randomization and Combinatorial Optimization Problems, and Proceedings of the 9th international conference on Randomization and Computation: algorithms and techniques
Security analysis of the GF-NLFSR structure and four-cell block cipher
ICICS'09 Proceedings of the 11th international conference on Information and Communications Security
Proving the security of AES substitution-permutation network
SAC'05 Proceedings of the 12th international conference on Selected Areas in Cryptography
Benes and butterfly schemes revisited
ICISC'05 Proceedings of the 8th international conference on Information Security and Cryptology
On linear systems of equations with distinct variables and small block size
ICISC'05 Proceedings of the 8th international conference on Information Security and Cryptology
Building blockcipher from tweakable blockcipher: extending FSE 2009 proposal
IMACC'11 Proceedings of the 13th IMA international conference on Cryptography and Coding
Understanding adaptivity: random systems revisited
ASIACRYPT'12 Proceedings of the 18th international conference on The Theory and Application of Cryptology and Information Security
Generic attacks for the Xor of k random permutations
ACNS'13 Proceedings of the 11th international conference on Applied Cryptography and Network Security
Luby and Rackoff showed how to construct a (super-)pseudo-random permutation {0,1}^{2n} → {0,1}^{2n} from some number r of pseudo-random functions {0,1}^n → {0,1}^n. Their construction, motivated by DES, consists of a cascade of r Feistel permutations. A Feistel permutation for a pseudo-random function f is defined as (L,R) → (R, L ⊕ f(R)), where L and R are the left and right halves of the input and ⊕ denotes bitwise XOR or, in this paper, any other group operation on {0,1}^n. The only non-trivial step of the security proof consists of proving that the cascade of r Feistel permutations with independent uniform random functions {0,1}^n → {0,1}^n, denoted Ψ_{2n}^r, is indistinguishable from a uniform random permutation {0,1}^{2n} → {0,1}^{2n} by any computationally unbounded adaptive distinguisher making at most O(2^{cn}) combined chosen plaintext/ciphertext queries for any c < α. Luby and Rackoff proved α = 1/2 for r = 4. A natural problem, proposed by Pieprzyk, is to improve on α for larger r. The best known result, α = 3/4 for r = 6, is due to Patarin. In this paper we prove α = 1 - O(1/r), i.e., the trivial upper bound α = 1 can be approached. The proof uses some new techniques that can be of independent interest.
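As an added illustration (not code from the paper), the cascade Ψ_{2n}^r built from lazily sampled uniform random round functions, its inverse, an exhaustive bijection check for small n, and the two-query relation that separates the 2-round cascade from a uniform random permutation; all function names are my own.

```python
import secrets

# Added example (not the paper's code): the r-round Feistel cascade Psi_{2n}^r
# over independent uniform random functions {0,1}^n -> {0,1}^n, its inverse,
# and two small checks: Psi is a bijection on {0,1}^{2n}, and two rounds are
# trivially distinguishable, which is why the proofs start at r >= 3.

class RandomFunction:
    """Uniform random function {0,1}^n -> {0,1}^n, sampled lazily per input."""
    def __init__(self, n, randbits=secrets.randbits):
        self.n, self.randbits, self.table = n, randbits, {}

    def __call__(self, x):
        if x not in self.table:
            self.table[x] = self.randbits(self.n)
        return self.table[x]

def feistel(L, R, f):
    """One Feistel permutation (L, R) -> (R, L xor f(R))."""
    return R, L ^ f(R)

def feistel_inv(L2, R2, f):
    """Undo feistel: (R, L xor f(R)) -> (L, R), since L = R2 xor f(L2)."""
    return R2 ^ f(L2), L2

def psi(x, fs, n):
    """Cascade of len(fs) Feistel rounds on a 2n-bit integer x = L || R."""
    L, R = x >> n, x & ((1 << n) - 1)
    for f in fs:
        L, R = feistel(L, R, f)
    return (L << n) | R

def psi_inv(y, fs, n):
    """Inverse cascade: apply the inverse rounds in reverse order."""
    L, R = y >> n, y & ((1 << n) - 1)
    for f in reversed(fs):
        L, R = feistel_inv(L, R, f)
    return (L << n) | R

def is_permutation(fs, n):
    """Exhaustive bijection check on {0,1}^{2n}; only feasible for small n."""
    return len({psi(x, fs, n) for x in range(1 << (2 * n))}) == 1 << (2 * n)

def two_round_leak(fs, n, L=0, L2=1, R=2):
    """For r = 2 the left output halves of (L, R) and (L2, R) are L xor f1(R)
    and L2 xor f1(R), so they XOR to L xor L2; a uniform random permutation
    satisfies this relation only with probability about 2^-n."""
    a = psi((L << n) | R, fs, n) >> n
    b = psi((L2 << n) | R, fs, n) >> n
    return (a ^ b) == (L ^ L2)
```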