# Substitution-Permutation Networks, Pseudorandom Functions, and Natural Proofs

Conference paper

DOI: 10.1007/978-3-642-32009-5_5

Part of the Lecture Notes in Computer Science book series (LNCS, volume 7417)
Cite this paper as:
Miles E., Viola E. (2012) Substitution-Permutation Networks, Pseudorandom Functions, and Natural Proofs. In: Safavi-Naini R., Canetti R. (eds) Advances in Cryptology – CRYPTO 2012. Lecture Notes in Computer Science, vol 7417. Springer, Berlin, Heidelberg

## Abstract

This paper takes a new step towards closing the troubling gap between pseudorandom functions (PRF) and their popular, bounded-input-length counterparts. This gap is both quantitative, because these counterparts are more efficient than PRF in various ways, and methodological, because these counterparts usually fit in the substitution-permutation network paradigm (SPN) which has not been used to construct PRF.

We give several candidate PRF $$\mathcal {F}_i$$ that are inspired by the SPN paradigm. This paradigm involves a “substitution function” (S-box). Our main candidates are:

$$\mathcal {F}_1 : \{0, 1\}^n \rightarrow \{0, 1\}^n$$ is an SPN whose S-box is a random function on b bits given as part of the seed. We prove unconditionally that $$\mathcal {F}_1$$ resists attacks that run in time $$\le 2^{\epsilon b}$$. Setting $$b = \omega (\lg n)$$ we obtain an inefficient PRF, which however seems to be the first such construction using the SPN paradigm.

$$\mathcal {F}_2 : \{0, 1\}^n \rightarrow \{0, 1\}^n$$ is an SPN where the S-box is (patched) field inversion, a common choice in practical constructions. $$\mathcal {F}_2$$ is computable with Boolean circuits of size $$n \cdot \log ^{O(1)} n$$, and in particular with seed length $$n \cdot \log ^{O(1)} n$$. We prove that this candidate has exponential security $$2^{\Omega (n)}$$ against linear and differential cryptanalysis.

$$\mathcal {F}_3 : \{0, 1\}^n \rightarrow \{0, 1\}$$ is a non-standard variant on the SPN paradigm, where “states” grow in length. $$\mathcal {F}_3$$ is computable with size $$n^{1+\epsilon }$$, for any $$\epsilon > 0$$, in the restricted circuit class $$\mathrm {TC}^0$$ of unbounded fan-in majority circuits of constant-depth. We prove that $$\mathcal {F}_3$$ is almost 3-wise independent.

$$\mathcal {F}_4 : \{0, 1\}^n \rightarrow \{0, 1\}$$ uses an extreme setting of the SPN parameters (one round, one S-box, no diffusion matrix). The S-box is again (patched) field inversion. We prove that this candidate fools all parity tests that look at $$\le 2^{0.9n}$$ outputs.
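To make the SPN paradigm behind $$\mathcal {F}_1$$ and $$\mathcal {F}_2$$ concrete, the following toy network is an added example and is not the construction from this paper. It builds an n-bit SPN from b-bit S-boxes and lets the S-box be either a seed-derived random function (the $$\mathcal {F}_1$$ idea) or patched field inversion (the $$\mathcal {F}_2$$ idea, here in $$\mathrm{GF}(2^8)$$ with the AES reduction polynomial). The round count, the key schedule, and the use of a seeded bit permutation as the diffusion layer are assumptions chosen for illustration; the paper's actual diffusion matrix, rounds, and seed layout are not reproduced.

```python
import random

# Toy substitution-permutation network (added example; not the paper's construction).
# Assumptions: a seeded bit permutation stands in for the diffusion matrix, round
# keys come from a toy seed-derived schedule, and the number of rounds is arbitrary.

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the reduction polynomial used by AES


def gf_mul(a, b, bits=8, poly=AES_POLY):
    """Multiply a and b in GF(2^bits) modulo poly (schoolbook shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> bits:
            a ^= poly
    return r


def gf_inv_patched(x, bits=8, poly=AES_POLY):
    """Patched field inversion: x^-1 in GF(2^bits), with 0 mapped to 0."""
    if x == 0:
        return 0
    # In the multiplicative group of order 2^bits - 1, x^(2^bits - 2) = x^-1.
    result, base, e = 1, x, (1 << bits) - 2
    while e:
        if e & 1:
            result = gf_mul(result, base, bits, poly)
        base = gf_mul(base, base, bits, poly)
        e >>= 1
    return result


def inversion_sbox(bits=8, poly=AES_POLY):
    """S-box table for patched field inversion (the F_2-style choice)."""
    return [gf_inv_patched(x, bits, poly) for x in range(1 << bits)]


def random_sbox(seed, bits):
    """S-box table for a random function on `bits` bits derived from the seed
    (the F_1-style choice: a random function, not necessarily a permutation)."""
    rng = random.Random(f"sbox-{seed}")
    return [rng.randrange(1 << bits) for _ in range(1 << bits)]


def make_spn(n, b, sbox, seed, rounds=4):
    """Return an n-bit SPN f(x) built from b-bit S-boxes.

    Each round XORs a round key, applies the S-box to every b-bit chunk, then
    applies a fixed bit permutation; a final key XOR finishes the network.
    The round keys and the permutation are derived from `seed` by a toy key
    schedule (an assumption of this example, not the paper's seed layout).
    """
    assert n % b == 0, "state length must be a multiple of the S-box width"
    rng = random.Random(f"spn-{seed}")
    round_keys = [rng.getrandbits(n) for _ in range(rounds + 1)]
    perm = rng.sample(range(n), n)  # perm[i] is the destination of bit i
    chunk_mask = (1 << b) - 1
    state_mask = (1 << n) - 1

    def sub_layer(state):
        out = 0
        for i in range(n // b):
            out |= sbox[(state >> (i * b)) & chunk_mask] << (i * b)
        return out

    def perm_layer(state):
        out = 0
        for i in range(n):
            if (state >> i) & 1:
                out |= 1 << perm[i]
        return out

    def f(x):
        state = x & state_mask
        for k in round_keys[:-1]:
            state = perm_layer(sub_layer(state ^ k))
        return state ^ round_keys[-1]

    return f


if __name__ == "__main__":
    f2 = make_spn(n=32, b=8, sbox=inversion_sbox(8), seed=7)
    f1 = make_spn(n=16, b=4, sbox=random_sbox(seed=3, bits=4), seed=7)
    print(hex(f2(0xDEADBEEF)), hex(f1(0xBEEF)))
```

With the inversion S-box every layer is a bijection, so the whole network is a permutation of the n-bit state; with a random-function S-box it generally is not, which is fine for a PRF candidate but not for a block cipher. Either way the S-box width b governs the table size, which is why the abstract's $$\mathcal {F}_1$$ needs $$b = \omega (\lg n)$$ to keep the seed large enough while still being inefficient to enumerate.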

Assuming the security of our candidates, our work also narrows the gap between the “Natural Proofs barrier” [Razborov & Rudich; JCSS ’97] and existing lower bounds, in three models: unbounded-depth circuits, $$\mathrm {TC}^0$$ circuits, and Turing machines. In particular, the efficiency of the circuits computing $$\mathcal {F}_3$$ is related to a result by Allender and Koucky [JACM ’10] who show that a lower bound for such circuits would imply a lower bound for $$\mathrm {TC}^0$$.


## Copyright information

© International Association for Cryptologic Research 2012

## Authors and Affiliations

1. Northeastern University, Boston, USA