Beyond-birthday secure domain-preserving PRFs from a single permutation

Published in: Designs, Codes and Cryptography

Abstract

This paper revisits the fundamental cryptographic problem of building pseudorandom functions (PRFs) from pseudorandom permutations (PRPs). We prove that SUMPIP, i.e. \(P \oplus P^{-1}\), the sum of a PRP and its inverse, and EDMDSP, the single-permutation variant of the “dual” of the Encrypted Davies–Meyer scheme introduced by Mennink and Neves (CRYPTO 2017), are secure PRFs up to \(2^{2n/3}/n\) adversarial queries. To the best of our knowledge, SUMPIP is the first parallelizable, single-permutation-based, domain-preserving, beyond-birthday secure PRP-to-PRF conversion method.

Figures: Fig. 1, Fig. 2, Fig. 3 (not included in this extract).

Notes

  1. Probabilistic distinguishers can be derandomized with the optimal random coins.

  2. Note that unlike the action of picking t pairs of indices in Sect. 3.2, here for the quantity t the involved 2t indices do not need to be completely distinct.

References

  1. Babai L.: The Fourier transform and equations over finite Abelian groups: an introduction to the method of trigonometric sums (lecture notes), Version 1.3, Section 4. http://people.cs.uchicago.edu/laci/reu02/fourier.pdf.

  2. Bellare M., Impagliazzo R.: A tool for obtaining tighter security analyses of pseudorandom function based constructions, with applications to PRP to PRF conversion. Cryptology ePrint Archive, Report 1999/024 (1999).

  3. Bellare M., Desai A., Jokipii E., Rogaway P.: A concrete security treatment of symmetric encryption. In: Proceedings, 38th Annual Symposium on Foundations of Computer Science, pp. 394–403. IEEE (1997).

  4. Bellare M., Krovetz T., Rogaway P.: Luby–Rackoff backwards: increasing security by making block ciphers non-invertible. In: Nyberg K. (ed.) Advances in Cryptology-EUROCRYPT’98, LNCS, vol. 1403, pp. 266–280. Springer, Berlin (1998).

  5. Bellare M., Kilian J., Rogaway P.: The security of the cipher block chaining message authentication code. J. Comput. Syst. Sci. 61(3), 362–399 (2000).

  6. Bellare M., Rogaway P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay S. (ed.) Advances in Cryptology-EUROCRYPT 2006, LNCS, vol. 4004, pp. 409–426. Springer, Berlin (2006).

  7. Bhattacharya S., Nandi M.: Full Indifferentiable Security of the XOR of two or more random permutations using the \(\chi ^2\) method. In: EUROCRYPT 2018, Part I, pp. 387–412 (2018).

  8. Bogdanov A., Knudsen L.R., Leander G., Paar C., Poschmann A., Robshaw M.J.B., Seurin Y., Vikkelsoe C.: PRESENT: an ultra-lightweight block cipher. In: Paillier P., Verbauwhede I. (eds.) Cryptographic Hardware and Embedded Systems-CHES 2007, LNCS, vol. 4727, pp. 450–466. Springer, Berlin (2007).

  9. Borghoff J., Canteaut A., Güneysu T., Kavun E., Knezevic M., Knudsen L.R., Leander G., Nikov V., Paar C., Rechberger C., Rombouts P., Thomsen S., Yalçın T.: PRINCE: a low-latency block cipher for pervasive computing applications. In: Wang X., Sako K. (eds.) Advances in Cryptology-ASIACRYPT 2012, LNCS, vol. 7658, pp. 208–225. Springer, Berlin (2012).

  10. Chen S., Steinberger J.: Tight security bounds for key-alternating ciphers. In: Nguyen P.Q., Oswald E. (eds.) Advances in Cryptology-EUROCRYPT 2014, LNCS, vol. 8441, pp. 327–350. Springer, Berlin (2014).

  11. Chen S., Lampe R., Lee J., Seurin Y., Steinberger J.: Minimizing the two-round Even–Mansour cipher. In: Garay J.A., Gennaro R. (eds.) Advances in Cryptology-CRYPTO 2014, Part I, LNCS, vol. 8616, pp. 39–56. Springer, Berlin (2014).

  12. Cogliati B., Seurin Y.: Beyond-birthday-bound security for tweakable Even–Mansour ciphers with linear tweak and key mixing. In: Iwata T., Cheon J.H. (eds.) Advances in Cryptology-ASIACRYPT 2015, Part II, LNCS, vol. 9453, pp. 134–158. Springer, Berlin (2015).

  13. Cogliati B., Seurin Y.: EWCDM: an efficient, beyond-birthday secure, nonce-misuse resistant MAC. In: Robshaw M., Katz J. (eds.) Advances in Cryptology-CRYPTO 2016, Part I, LNCS, vol. 9814, pp. 121–149. Springer, Berlin (2016).

  14. Cogliati B., Seurin Y.: Analysis of the single-permutation encrypted Davies–Meyer construction. Des. Codes Cryptogr. (2018). https://doi.org/10.1007/s10623-018-0470-9.

  15. Cogliati B., Lampe R., Patarin J.: The indistinguishability of the XOR of \(k\) permutations. In: Cid C., Rechberger C. (eds.) FSE 2014, LNCS, vol. 8540, pp. 285–302. Springer, Berlin (2014).

  16. Dai W., Hoang V.T., Tessaro S.: Information-theoretic indistinguishability via the chi-squared method. In: Katz J., Shacham H. (eds.) CRYPTO 2017, Part III, LNCS, vol. 10403, pp. 497–523. Springer, Berlin (2017).

  17. Dodis Y., Pietrzak K., Puniya P.: A new mode of operation for block ciphers and length-preserving MACs. In: Smart N. (ed.) Advances in Cryptology-EUROCRYPT 2008, LNCS, vol. 4965, pp. 198–219. Springer, Berlin (2008).

  18. Dodis Y., Reyzin L., Rivest R.L., Shen E.: Indifferentiability of permutation-based compression functions and tree-based modes of operation, with applications to MD6. In: Dunkelman O. (ed.) Fast Software Encryption-FSE 2009, LNCS, vol. 5665, pp. 104–121. Springer, Berlin (2009).

  19. Dziembowski S., Pietrzak K.: Leakage-resilient cryptography. In: 49th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2008, 25–28 October, 2008, Philadelphia, PA, pp. 293–302 (2008). https://doi.org/10.1109/FOCS.2008.56.

  20. Gilboa S., Gueron S.: The Advantage of Truncated Permutations (2012). arXiv:1610.02518.

  21. Hall C., Wagner D., Kelsey J., Schneier B.: Building PRFs from PRPs. In: Krawczyk H. (ed.) Advances in Cryptology-CRYPTO’98, LNCS, vol. 1462, pp. 370–389. Springer, Berlin (1998).

  22. Hoang V.T., Tessaro S.: Key-alternating ciphers and key-length extension: exact bounds and multi-user security. In: Robshaw M., Katz J. (eds.) Advances in Cryptology-CRYPTO 2016, Part I, LNCS, vol. 9814, pp. 3–32. Springer, Berlin (2016).

  23. Kiltz E., Pietrzak K., Szegedy M.: Digital signatures with minimal overhead from indifferentiable random invertible functions. In: Canetti R., Garay J.A. (eds.) Advances in Cryptology-CRYPTO 2013, LNCS, vol. 8042, pp. 571–588. Springer, Berlin (2013).

  24. Luby M., Rackoff C.: Pseudo-random permutation generators and cryptographic composition. In: Proceedings of the Eighteenth Annual ACM Symposium on Theory of Computing, STOC’86, ACM, New York, NY, pp. 356–363 (1986).

  25. Lucks S.: The sum of PRPs is a secure PRF. In: Preneel B. (ed.) EUROCRYPT 2000, LNCS, vol. 1807, pp. 470–484. Springer, Berlin (2000).

  26. Mandal A., Patarin J., Nachef V.: Indifferentiability beyond the birthday bound for the XOR of two public random permutations. In: Gong G., Gupta K.C. (eds.) Progress in Cryptology-INDOCRYPT 2010, LNCS, vol. 6498, pp. 69–81. Springer, Berlin Heidelberg (2010).

  27. Maurer U., Pietrzak K.: The security of many-round Luby–Rackoff pseudo-random permutations. In: Biham E. (ed.) Advances in Cryptology-EUROCRYPT 2003, LNCS, vol. 2656, pp. 544–561. Springer, Berlin (2003).

  28. Maurer U., Renner R., Holenstein C.: Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology. In: Naor M. (ed.) TCC 2004, LNCS, vol. 2951, pp. 21–39. Springer, Berlin (2004).

  29. Mennink B., Neves S.: Encrypted Davies–Meyer and its dual: towards optimal security using mirror theory. In: Katz J., Shacham H. (eds.) Advances in Cryptology-CRYPTO 2017, Part III, LNCS, vol. 10403, pp. 556–583. Springer, Berlin (2017).

  30. Mennink B., Neves S.: Optimal PRFs from blockcipher designs. IACR Trans. Symmetric Cryptol. 2017(3), 228–252 (2017). https://doi.org/10.13154/tosc.v2017.i3.228-252.

  31. Mennink B., Preneel B.: Hash functions based on three permutations: a generic security analysis. In: Safavi-Naini R., Canetti R. (eds.) Advances in Cryptology-CRYPTO 2012, LNCS, vol. 7417, pp. 330–347. Springer, Berlin (2012).

  32. Mennink B., Preneel B.: On the XOR of multiple random permutations. In: Malkin T., Kolesnikov V., Lewko A.B., Polychronakis M. (eds.) ACNS 2015, LNCS, vol. 9092, pp. 619–634. Springer, Berlin (2015).

  33. Patarin J.: Security of random Feistel schemes with 5 or more rounds. In: Franklin M. (ed.) Advances in Cryptology-CRYPTO 2004, LNCS, vol. 3152, pp. 106–122. Springer, Berlin (2004).

  34. Patarin J.: A proof of security in \(O(2^n)\) for the XOR of two random permutations. In: Safavi-Naini R. (ed.) Information Theoretic Security-ICITS 2008, LNCS, vol. 5155, pp. 232–248. Springer, Berlin (2008).

  35. Patarin J.: The “Coefficients H” technique. In: Avanzi R.M., Keliher L., Sica F. (eds.) Selected Areas in Cryptography-SAC 2008, LNCS, vol. 5381, pp. 328–345. Springer, Berlin (2009).

  36. Patarin J.: Introduction to mirror theory: analysis of systems of linear equalities and linear non equalities for cryptography. Cryptology ePrint Archive, Report 2010/287 (2010).

  37. Patarin J.: Security in \(O(2^n)\) for the XOR of two random permutations. Proof with the standard H technique. Cryptology ePrint Archive, Report 2013/368 (2013).

  38. Steinberger J.: The sum-capture problem for Abelian groups. (2014). arXiv:1309.5582.

Acknowledgements

We thank the reviewers of EUROCRYPT & CRYPTO 2018 for invaluable comments. Chun Guo is a postdoc in ICTEAM/ELEN/Crypto Group, Université Catholique de Louvain, and his work is funded in part by the ERC project 724725 (acronym SWORD). Many thanks to François-Xavier Standaert for the invaluable support. Yaobin Shen, Lei Wang and Dawu Gu are supported by National Natural Science Foundation of China (61602302, 61472250, 61672347), Natural Science Foundation of Shanghai (16ZR1416400), Shanghai Excellent Academic Leader Funds (16XD1401300), 13th five-year National Development Fund of Cryptography (MMJJ20170114).

Author information

Corresponding author

Correspondence to Lei Wang.

Additional information

Communicated by A. Winterhof.

Appendix A: Our alternative proof for EDMSP

In this section we present our security analysis of EDMSP.

Theorem 3

For any distinguisher D making at most q queries with \(q\ll N/6\), we have

$$\begin{aligned} {\mathbf {Adv}}^\mathrm {prf}_{\textsf {EDMSP}}(D)\le \frac{(24+8\sqrt{3n})q^{3/2}}{N} +\frac{8q}{N} + \frac{48q^3}{N^2} +\frac{2}{N}. \end{aligned}$$

The proof for this scheme is more complicated, since the evaluations of two distinct inputs may collide after the “first round”, i.e., \(P(x)\oplus x=P(x')\oplus x'\). It can be seen that two queries \((x,z)\) and \((x',z')\) in \(\tau \) form such a “colliding” pair if and only if the corresponding outputs collide, i.e. \(z=z'\). To simplify the analysis, we treat such “colliding” queries separately.

In detail, for an attainable transcript \(\tau =\{(x_1,z_1),(x_2,z_2),\ldots ,(x_q,z_q)\}\), define a set

and let \(\tau _2=\tau \backslash \tau _1\). Further define three sets

and let \(\mu =|{\mathcal {S}}{\mathcal {C}}{\mathcal {S}}|\). Then the bad transcripts are defined in the next subsection.

A.1 Bad transcript

Definition 3

(Bad transcripts for \(\textsf {EDMSP}\)) If one of the following conditions is fulfilled, we say an attainable transcript \(\tau =((x_1,z_1),(x_2,z_2),\ldots ,(x_q,z_q))\) is bad:

  • (B-1) there exist three distinct indices \(i,j,k\in \{1,\ldots ,q\}\) such that \(z_i=z_j=z_k\);

  • (B-2) \(\mu \ge {q^3}/{N}+q^{3/2}\sqrt{3n}\);

  • (B-3) \(|\tau _1|\ge \sqrt{q}\).

Otherwise we say that \(\tau \) is good. Denote by \({\mathcal {T}} _{\mathrm {bad}}\), resp. \({\mathcal {T}} _{\mathrm {good}}\) the set of bad, resp. good transcripts.
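As an added illustration (not code from the paper), the two constructions from the abstract and the transcript bookkeeping of this appendix on a constructed toy domain: SUMPIP(x) = P(x) ⊕ P⁻¹(x), EDMSP(x) = P(P(x) ⊕ x), the observation that two queries collide after the first round iff their outputs collide, the split into τ₁/τ₂, and conditions (B-1) and (B-3) of Definition 3 together with the 3λ equations induced by τ₁ in Sect. A.2.1. Condition (B-2) is not evaluated because the set \({\mathcal {S}}{\mathcal {C}}{\mathcal {S}}\) is not defined in this extract; the function names and the toy parameters (n = 8, 24 queries) are assumptions.

```python
import math
import random
from collections import Counter
from itertools import combinations

def random_permutation(n, seed=1):
    """Uniformly random permutation of {0,...,2^n-1} as a lookup table (our
    stand-in for the ideal permutation P of the information-theoretic model)."""
    table = list(range(1 << n))
    random.Random(seed).shuffle(table)
    return table

def invert(P):
    """Inverse table: Pinv[P[x]] == x for every x."""
    Pinv = [0] * len(P)
    for x, y in enumerate(P):
        Pinv[y] = x
    return Pinv

def sumpip(P, Pinv, x):
    """SUMPIP(x) = P(x) xor P^{-1}(x): n bits to n bits, one permutation,
    two independent (parallelisable) calls."""
    return P[x] ^ Pinv[x]

def edmsp(P, x):
    """EDMSP(x) = P(P(x) xor x): first round y = P(x) xor x, then z = P(y)."""
    return P[P[x] ^ x]

def is_permutation(outputs):
    """True iff N outputs on the domain {0,...,N-1} form a bijection."""
    return sorted(outputs) == list(range(len(outputs)))

def edmsp_transcript(P, xs):
    """Transcript tau = ((x_1,z_1),...,(x_q,z_q)) for distinct queries xs."""
    if len(set(xs)) != len(xs):
        raise ValueError("a distinguisher never repeats a query")
    return [(x, edmsp(P, x)) for x in xs]

def split_transcript(tau):
    """tau_1 = 'colliding' queries (output shared with another query), tau_2 = rest."""
    counts = Counter(z for _, z in tau)
    tau1 = [(x, z) for x, z in tau if counts[z] >= 2]
    tau2 = [(x, z) for x, z in tau if counts[z] == 1]
    return tau1, tau2

def first_round_collisions_match_output_collisions(P, tau):
    """Appendix observation: P(x)^x == P(x')^x' iff z == z'. Holds because
    z = P(y) and P is injective."""
    return all(((P[x] ^ x) == (P[x2] ^ x2)) == (z == z2)
               for (x, z), (x2, z2) in combinations(tau, 2))

def classify_transcript(tau):
    """Conditions (B-1) and (B-3) of Definition 3. (B-2) needs mu = |SCS|, whose
    defining set is not part of this extract, so it is not evaluated here."""
    q = len(tau)
    counts = Counter(z for _, z in tau)
    tau1, _ = split_transcript(tau)
    b1 = any(c >= 3 for c in counts.values())   # z_i = z_j = z_k
    b3 = len(tau1) >= math.sqrt(q)              # |tau_1| >= sqrt(q)
    return {"B-1": b1, "B-3": b3, "bad": b1 or b3, "tau1_size": len(tau1)}

def induced_equations(P, tau1):
    """Per colliding pair (x,z),(x',z) of a good tau_1 (Sect. A.2.1): the three
    equations P(x)=x^y, P(x')=x'^y, P(y)=z with y = P(x)^x. Returns the
    (input, output) list and whether P satisfies every equation."""
    by_z = {}
    for x, z in tau1:
        by_z.setdefault(z, []).append(x)
    eqs = []
    for z, xs in by_z.items():
        if len(xs) != 2:
            raise ValueError("(B-1) holds: a good tau_1 has exactly two x per z")
        y = P[xs[0]] ^ xs[0]
        eqs += [(xs[0], xs[0] ^ y), (xs[1], xs[1] ^ y), (y, z)]
    return eqs, all(P[a] == b for a, b in eqs)

if __name__ == "__main__":                      # constructed toy run, n = 8
    P = random_permutation(8, seed=7)
    Pinv = invert(P)
    print("SUMPIP bijective?", is_permutation([sumpip(P, Pinv, x) for x in range(256)]))
    tau = edmsp_transcript(P, random.Random(3).sample(range(256), 24))
    print(classify_transcript(tau), first_round_collisions_match_output_collisions(P, tau))
```

On the toy instance SUMPIP is (with overwhelming probability) not a bijection, which is exactly the PRP-to-PRF effect the paper is after, while EDMSP transcripts split into colliding pairs whose count must be even whenever (B-1) fails.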

Clearly, \(\Pr [\text {(B-1)}]\le \left( {\begin{array}{c}q\\ 3\end{array}}\right) \cdot \frac{1}{N^2}\le \frac{q^3}{N^2}\). On the other hand, \(\Pr [\text {(B-2)}]\le \frac{2}{N}\) immediately follows from Lemma 2. Finally, for (B-3), we have at most \(\left( {\begin{array}{c}q\\ 2\end{array}}\right) \le q^2/2\) pairs \(((x_i,z_i),(x_j,z_j))\) of distinct records in \(\tau \). We note that \(\Pr [\lambda \ge \sqrt{q}]\) does not exceed the probability that the number of pairs \(((x_i,z_i),(x_j,z_j))\) with \(z_i=z_j\) exceeds \(\sqrt{q}/2\). For each such \((x_i,z_i)\) and \((x_j,z_j)\), we have \(\Pr [z_i=z_j]=1/N\), thus \(\Pr [\text {(B-3)}]=\Pr [|\tau _1|\ge \sqrt{q}]\le \frac{q^2/2}{N\sqrt{q}/2}={q^{3/2}}/{N}\) by Markov’s inequality, and

$$\begin{aligned} \Pr [\tau \in {\mathcal {T}} _{\mathrm {bad}}]\le \frac{q^3}{N^2}+\frac{2}{N}+\frac{q^{3/2}}{N}. \end{aligned}$$

We then proceed to lower bound \(\Pr [T_{\mathrm {re}}=\tau ]\) for a good \(\tau \).

A.2 Ratio for good transcripts

We lower bound the number of random permutations P such that \(\textsf {EDMSP}^{P}(x_i)=z_i\) for \(i=1,\ldots ,q\). We first consider the queries in \(\tau _1\).

A.2.1 Analyzing \(\tau _1\)

We note that for a good transcript \(\tau \), \(|\tau _1|\) is necessarily even, as otherwise (B-1) is fulfilled. Therefore, we can let \(\lambda =|\tau _1|/2\), rename the subscripts, and write

$$\begin{aligned} \tau _1=((x_1,z_1),(x_1',z_1),\ldots ,(x_{\lambda },z_{\lambda }),(x_{\lambda }',z_{\lambda })). \end{aligned}$$

For the \(2\lambda \) queries in \(\tau _1\), we lower bound the number of sequences of distinct intermediate values \({\mathbf {Y}}=(y_1,y_2,\ldots ,y_{\lambda })\) such that each pair \(\textsf {EDMSP}^{P}(x_l)=z_l\) and \(\textsf {EDMSP}^{P}(x_l')=z_l\) for \(l=1,\ldots ,\lambda \) is equivalent to \(3\lambda \) distinct equations \(P(x_l)=x_l\oplus y_l\), \(P(x_l')=x_l'\oplus y_l\), and \(P(y_l)=z_l\), cf. the notations in Fig. 1 (right). Formally, we lower bound the number \(N_Y\) of \({\mathbf {Y}}\) that satisfy:

  (i) for any \(1\le l\le \lambda \), \(y_l\notin \mathcal {X}\), \(x_l\oplus y_l\notin \mathcal {Z}\), and \(x_l'\oplus y_l\notin \mathcal {Z}\);

  (ii) \(y_1,\ldots ,y_{\lambda }\) are distinct, and the \(2\lambda \) values \(x_1\oplus y_1\), \(x_1'\oplus y_1\), \(\ldots \), \(x_{\lambda }\oplus y_{\lambda }\), \(x_{\lambda }'\oplus y_{\lambda }\) are distinct.

By this,

  • there are at least \(N-|\mathcal {X}|-2|\mathcal {Z}|=N-3q+2\lambda \) choices for \(y_1\), since \(y_1\notin \mathcal {X}\) and \(y_1\oplus x_1\notin \mathcal {Z}\) and \(y_1\oplus x_1'\notin \mathcal {Z}\);

  • once \(y_1\) is fixed, there are at least \(N-|\mathcal {X}|-2|\mathcal {Z}|-1-4\cdot 1=N-3q+2\lambda -5\) choices for \(y_2\), since \(y_2\ne y_1\), and since \(x_2\oplus y_2\) and \(x_2'\oplus y_2\) should be different from \(x_1\oplus y_1\) and \(x_1'\oplus y_1\);

  • once \(y_1,\ldots ,y_l\) are fixed, there are at least \(N-|\mathcal {X}|-2|\mathcal {Z}|-l-4l=N-3q+2\lambda -5l\) choices for \(y_{l+1}\), since \(y_{l+1}\ne y_1,\ldots ,y_l\), and since both \(x_{l+1}\oplus y_{l+1}\) and \(x_{l+1}'\oplus y_{l+1}\) should avoid 2l values (i.e. \(x_1\oplus y_1,x_1'\oplus y_1,\ldots ,x_l\oplus y_l,x_l'\oplus y_l\)).

Therefore,

$$\begin{aligned} N_Y\ge \prod _{l=0}^{\lambda -1}(N-3q+2\lambda -5l). \end{aligned}$$

It’s not hard to see that given such a good \({\mathbf {Y}}\), the event \(\textsf {EDMSP}^{P}(x_l)=z_l\) for \(l=1,\ldots ,\lambda \) is indeed equivalent to the desired \(3\lambda \) equations. By these,

$$\begin{aligned} \Pr [P\xleftarrow {\$}\mathcal {P}(n):\textsf {EDMSP} ^P\vdash \tau _1]\ge \frac{N_Y}{(N)_{3\lambda }}. \end{aligned}$$

We then proceed to derive the lower bound for \(\Pr [P\xleftarrow {\$}\mathcal {P}(n):\textsf {EDMSP} ^P\vdash \tau _2\mid \textsf {EDMSP} ^P\vdash \tau _1]\). To this end, we fix a good sequence \({\mathbf {Y}}\) as described, assume that a randomly picked P satisfies the \(3\lambda \) induced equations, and analyze the queries in \(\tau _2\).

A.2.2 Analyzing \(\tau _2\)

We rename the subscripts and write

$$\begin{aligned} \tau _2=\{(x_{2\lambda +1},z_{2\lambda +1}),(x_{2\lambda +2},z_{2\lambda +2}),\ldots ,(x_q,z_q) \}. \end{aligned}$$

We lower bound the number of P’s that satisfy \(\textsf {EDMSP}^{P}(x_i)=z_i\) for \(i=2\lambda +1,\ldots ,q\). To this end, for a fixed \(t\in \{0,\ldots ,\frac{q-2\lambda }{2}\}\), we bound the number of permutations P such that

$$\begin{aligned} \textsf {tf} (P,\tau _2)=t,\text { and }\textsf {EDMSP} ^{P}(x_l)=z_l\text { for }l=1,\ldots ,q, \end{aligned}$$

where

Note that this function slightly deviates from the tf functions used in Sects. 3 and 4.

In detail, we sequentially choose t pairs of indices \((i_1,j_1),(i_2,j_2),\ldots ,(i_t,j_t)\) from \(\{2\lambda +1,\ldots ,q\}\), such that each pair determines three equations on P, i.e., \(P(x_{i_l})=x_{i_l}\oplus x_{j_l}\), \(P(x_{j_l})=z_{i_l}\), and \(P(x_{j_l}\oplus z_{i_l})=z_{j_l}\) for \(l=1,\ldots ,t\). In order to make these equations “good”, that is, consistent with a permutation and not determining any other unfixed input-output pattern on P, we consider the sequences of indices that satisfy:

  (i) the 2t indices are distinct;

  (ii) for \(1\le l\le t\), it holds that \(x_{i_l}\oplus x_{j_l}\notin \mathcal {Z}\) and \(x_{j_l}\oplus z_{i_l}\notin \mathcal {X}\);

  (iii) for \(1\le l\le t\) and \(1\le \alpha \le \lambda \), it holds that \(x_{i_l}\oplus x_{j_l}\ne x_{\alpha }\oplus y_{\alpha }\), \(x_{i_l}\oplus x_{j_l} \ne x_{\alpha }'\oplus y_{\alpha }\) and \(x_{j_l}\oplus z_{i_l}\ne y_{\alpha }\), where \((x_\alpha , z_{\alpha }), (x'_{\alpha }, z_{\alpha }) \in \tau _1\) and \(y_\alpha \in {\mathbf {Y}}\) is their corresponding intermediate value;

  (iv) the t values \(x_{i_1}\oplus x_{j_1},\ldots ,x_{i_t}\oplus x_{j_t}\) are distinct, and the t values \(x_{j_1}\oplus z_{i_1},\ldots ,x_{j_t}\oplus z_{i_t}\) are distinct.

We note that \(x_{i_l}\oplus x_{j_l}\in \mathcal {Z}\) implies \((i_l,j_l)\in {\mathcal {B}}{\mathcal {S}}_1\), where

Whereas \(x_{j_l}\oplus z_{i_l}\in \mathcal {X}\) implies \((i_l,j_l)\in {\mathcal {B}}{\mathcal {S}}_2\) for

By this and \(|{\mathcal {B}}{\mathcal {S}}_1|,|{\mathcal {B}}{\mathcal {S}}_2|\le |{\mathcal {S}}{\mathcal {C}}{\mathcal {S}}|=\mu \), we have:

  • there are at least \(q-2\lambda \) choices for \(i_1\) and \(q-2\lambda -1\) choices for \(j_1\). However, among these \((q-2\lambda )(q-2\lambda -1)\) choices, there are at most \(2\mu \) bad ones that would violate the required condition (ii). Moreover, in a similar vein as the corresponding reasoning in Sect. 3.2, condition (iii) would exclude at most \(3\lambda q\) choices in total. Therefore, there are at least \((q-2\lambda )(q-2\lambda -1)-2\mu -3\lambda q\) choices for \((i_1,j_1)\);

  • For \(i_2\) and \(j_2\),

    • condition (ii) accounts for subtracting at most \(2\mu \) choices,

    • condition (iii) accounts for subtracting at most \(3\lambda q\) choices, and

    • condition (iv) accounts for subtracting at most 2q choices.

    Therefore, there are at least \((q-2\lambda -2)(q-2\lambda -3)-2\mu -3\lambda q-2q\) choices for \((i_2,j_2)\);

  • \(\ldots \)

  • once \((i_1,j_1),\ldots ,(i_l,j_l)\) are fixed, to ensure distinctness, there are at least \((q-2\lambda -2l)(q-2\lambda -2l-1)-2\mu -3\lambda q-2lq\) choices for \((i_{l+1},j_{l+1})\).

It is not hard to see that, given such a sequence of good indices \((i_1,j_1),\ldots ,(i_t,j_t)\), the 3t equations \(P(x_{i_l})=x_{i_l}\oplus x_{j_l}\), \(P(x_{j_l})=z_{i_l}\), and \(P(x_{j_l} \oplus z_{i_l})=z_{j_l}\) for \(l=1,\ldots ,t\) are new and distinct. Having the redundant possibilities excluded, the number \(N_I\) of such 3t equations is thus at least

$$\begin{aligned} N_I\ge \frac{\prod _{l=0}^{t-1}\bigg ((q-2\lambda -2l)(q-2\lambda -2l-1)-2\mu -3\lambda q-2lq\bigg )}{t!}. \end{aligned}$$

Finally, given a good choice \({\mathbf {Y}}\) and a good set of indices \(\{(i_1,j_1),\ldots ,(i_t,j_t)\}\), we choose a sequence of \(q-2\lambda -2t\) distinct intermediate values for the remaining \(q-2\lambda -2t\) queries in \(\tau _2\). For convenience, we rename the subscripts and write

$$\begin{aligned} \Big \{(x_{2\lambda +2t+1},z_{2\lambda +2t+1}),(x_{2\lambda +2t+2},z_{2\lambda +2t+2}),\ldots ,(x_q,z_q)\Big \} \end{aligned}$$

for these queries, and denote the newly chosen sequence by

$$\begin{aligned} {\mathbf {Y}}'=(y_{2\lambda +2t+1},y_{2\lambda +2t+2},\ldots ,y_q). \end{aligned}$$

We bound the number \(N_Y'\) of \({\mathbf {Y}}'\) that satisfy (some requirements slightly resembling those on \({\mathbf {Y}}\)):

  (i) for any \(2\lambda +2t+1\le l\le q\), \(y_l\notin \mathcal {X}\), and \(x_l\oplus y_l\notin \mathcal {Z}\);

  (ii) \(y_{2\lambda +2t+1},\ldots ,y_q\) are distinct; and \(x_{2\lambda +2t+1}\oplus y_{2\lambda +2t+1}\), \(\ldots \), \(x_q\oplus y_q\) are distinct;

  (iii) for any \(2\lambda +2t+1\le l\le q\),

    • there does not exist \(1\le j\le \lambda \) in \(\tau _1\) such that \(y_l=y_j\) or \(x_l\oplus y_l=x_j\oplus y_j\) or \(x_l\oplus y_l=x_j'\oplus y_j\) (\(y_j\) is given by \({\mathbf {Y}}\));

    • there does not exist a pair of indices \((\alpha ,\beta )\) (selected in the previous phase of the t pairs in \(\tau _2\)) such that either \(y_l=x_{\beta }\oplus z_{\alpha }\) or \(x_l\oplus y_l=x_{\alpha }\oplus x_{\beta }\).

Following the reasoning for \(\tau _1\), it’s not hard to see

$$\begin{aligned} N_Y'\ge \prod _{l=0}^{q-2t-2\lambda -1}\bigg (N-2(q+\lambda +t+l)\bigg ). \end{aligned}$$

It can be seen that given a good choice of \({\mathbf {Y}}\), a good choice of a set of 2t indices, and a good choice of \({\mathbf {Y}}'\), the event \(T_{\mathrm {re}}=\tau \) is equivalent to P satisfying \(3\lambda +3t+2(q-2t-2\lambda )=2q-t-\lambda \) equations. Therefore,

$$\begin{aligned} \Pr [P\xleftarrow {\$}\mathcal {P}(n):\textsf {EDMSP} ^P\vdash \tau \mid \textsf {tf} (P,\tau _2)=t] \ge \frac{N_I\cdot N_Y'}{(N-3\lambda )_{2q-4\lambda -t}}. \end{aligned}$$

A.3 Expectation for t, and the final bound

Since \(|\tau _1|=2\lambda \), it can be seen

$$\begin{aligned} \Pr [P\xleftarrow {\$}\mathcal {P}(n):\textsf {tf} (P,\tau _2)=t]&=\frac{(q-2\lambda )_t(q-2\lambda )_t(N-q+2\lambda )_{q-2\lambda -t}}{t!(N)_{q-2\lambda }} \\&=\textsf {Hyp}_{N,q-2\lambda ,q-2\lambda }(t). \end{aligned}$$

Therefore, we have

$$\begin{aligned}&\textsf {p}_t = \Pr [P\xleftarrow {\$}\mathcal {P}(n):\textsf {EDMSP} ^P\vdash \tau \mid \textsf {tf} (P,\tau _2)=t] \\&\quad \ge \prod _{l=0}^{\lambda -1}(N-3q+2\lambda -5l) \cdot \underbrace{\frac{\prod _{l=0}^{t-1}\bigg ((q-2\lambda -2l)(q-2\lambda -2l-1)-2\mu -3\lambda q-2lq\bigg )}{(q-2\lambda )_t(q-2\lambda )_t}}_{B} \\&\qquad \cdot \frac{\prod _{l=0}^{q-2t-2\lambda -1}\bigg (N-2(q+\lambda +t+l)\bigg )}{(N)_{2q-\lambda -t}} \cdot \frac{(N)_{q-2\lambda }\cdot N^q}{(N-q+2\lambda )_{q-2\lambda -t}} \end{aligned}$$

We tidy the terms for clarity:

$$\begin{aligned} \frac{(N)_{q-2\lambda }\cdot N^q}{(N)_{2q-\lambda -t}(N-q+2\lambda )_{q-2\lambda -t}} =&\frac{N^{q-2\lambda -2t}N^{2\lambda +2t}}{(N-q+2\lambda )_{q+\lambda -t}(N-q+2\lambda )_{q-2\lambda -t}} \\ =&\frac{N^{q-2\lambda -2t}N^{2\lambda +2t}}{((N-q+2\lambda )_{q-2\lambda -t})^2(N-2q+4\lambda +t)_{3\lambda }} \\ \ge&\frac{N^{q-2\lambda -2t}}{((N-q+2\lambda )_{q-2\lambda -2t})^2(N-2q+2\lambda +t)_{\lambda }} . \end{aligned}$$

By this,

$$\begin{aligned} \textsf {p}_t \ge \underbrace{\frac{\prod _{l=0}^{\lambda -1}(N-3q+2\lambda -5l)}{(N-2q+2\lambda +t)_{\lambda }}}_{A} \cdot B \cdot \underbrace{\prod _{l=0}^{q-2t-2\lambda -1}\frac{(N-2(q+\lambda +t+l))N}{(N-q+2\lambda -l)^2}}_{C}. \end{aligned}$$

We next bound the three involved terms A, B, and C in turn. First, for any \(0\le t\le \frac{q-2\lambda }{2}\), we have

$$\begin{aligned} A=\prod _{l=0}^{\lambda -1}\bigg (1 - \frac{q+4l+t}{N-2q+2\lambda -l}\bigg ) \ge 1 - \frac{q\lambda +2\lambda ^2+t\lambda }{N-2q+\lambda }, \end{aligned}$$

Further using \(\lambda =|\tau _1|/2\le \sqrt{q}/2\) (since \(\tau \) is good) and \(N-2q+\lambda \ge N-2q\gg N/2\) when \(2q\ll N/2\), we have

$$\begin{aligned} A\ge 1 - \frac{q^{3/2}+q+t\sqrt{q}}{N} . \end{aligned}$$

Moreover,

$$\begin{aligned} B =&\prod _{l=0}^{t-1}\frac{((q-2\lambda -2l)(q-2\lambda -2l-1)-2\mu -3\lambda q-2ql)}{(q-2\lambda -l)^2} \\ =&\prod _{l=0}^{t-1}\bigg (1-\frac{l}{q-2\lambda -l}-\frac{l+1}{q-2\lambda -l}-\frac{2\mu +3\lambda q+2ql}{(q-2\lambda -l)^2}\bigg ) \\ \ge&\,1 - \bigg (\frac{2t^2+t}{q-2\lambda }+\frac{8\mu t+12\lambda qt+4qt^2}{(q-2\lambda )^2}\bigg ) \ge 1 - \bigg (\frac{2t^2+t}{q-2\lambda }+\frac{8\mu t+6q^{3/2}t+4qt^2}{(q-2\lambda )^2}\bigg ) . \end{aligned}$$

For the last term, we have

$$\begin{aligned} C \ge&\prod _{l=0}^{q-2t-2\lambda -1} \Bigg ( 1 - \frac{4N\lambda +2Nt+(q-2\lambda +l)^2}{(N-q+2\lambda -l)^2} \Bigg ) \\ \ge&\, 1 - \bigg (\frac{16\lambda q}{N} + \frac{8tq}{N} + \frac{16(q-t-2\lambda )^3}{N^2} \bigg ) \ge 1 - \bigg (\frac{16q^{3/2}+8tq}{N} + \frac{16q^3}{N^2} \bigg ). \end{aligned}$$

Therefore, we have

$$\begin{aligned} \textsf {p}_t \ge 1- \underbrace{\bigg (\frac{17q^{3/2}+q+9tq}{N}+ \frac{2t^2+t}{q-2\lambda }+\frac{8\mu t+6q^{3/2}t+4qt^2}{(q-2\lambda )^2} + \frac{16q^3}{N^2} \bigg )}_{\epsilon _1(t)}. \end{aligned}$$

Following the same line as Sect. 3.3, it can be shown

$$\begin{aligned} {\mathbb {E}}_{P}[\textsf {tf} (P,\tau _2)]={\mathbb {E}}_{P}\Big [\sum _{i=1}^{q}t_i\Big ]=\frac{(q-2\lambda )^2}{N} \end{aligned}$$

and

$$\begin{aligned} {\mathbb {E}}_{P}[(\textsf {tf} (P,\tau _2))^2] =\frac{(q-2\lambda )^2}{N}+\frac{(q-2\lambda )^2(q-2\lambda -1)^2}{N(N-1)}\le \frac{(q-2\lambda )^2}{N}+\frac{(q-2\lambda )^4}{N^2}. \end{aligned}$$

Furthermore, the mean of the hypergeometric distribution \(\textsf {Hyp}_{N,q-2\lambda ,q-2\lambda }\) is \(\frac{(q-2\lambda )^2}{N}\); using the assumption that \(q\le N/3\), we thus have

Gathering the above, and using \(q-2\lambda \le q\), we obtain

Gathering this ratio and the upper bound on \(\Pr [\tau \in {\mathcal {T}} _{\mathrm {bad}}]\) ultimately yields

$$\begin{aligned} \frac{(24+8\sqrt{3n})q^{3/2}}{N} +\frac{8q}{N} + \frac{48q^3}{N^2} +\frac{2}{N}. \end{aligned}$$

Cite this article

Guo, C., Shen, Y., Wang, L. et al. Beyond-birthday secure domain-preserving PRFs from a single permutation. Des. Codes Cryptogr. 87, 1297–1322 (2019). https://doi.org/10.1007/s10623-018-0528-8