Abstract
This paper revisits the fundamental cryptographic problem of building pseudorandom functions (PRFs) from pseudorandom permutations (PRPs). We prove that SUMPIP, i.e. \(P \oplus P^{-1}\), the sum of a PRP and its inverse, and EDMDSP, the single-permutation variant of the “dual” of the Encrypted Davies–Meyer scheme introduced by Mennink and Neves (CRYPTO 2017), are secure PRFs up to \(2^{2n/3}/n\) adversarial queries. To the best of our knowledge, SUMPIP is the first parallelizable, single-permutation-based, domain-preserving, beyond-birthday secure PRP-to-PRF conversion method.
Notes
Probabilistic distinguishers can be derandomized with the optimal random coins.
Note that unlike the action of picking t pairs of indices in Sect. 3.2, here for the quantity t the involved 2t indices do not need to be completely distinct.
References
Babai L.: The Fourier transform and equations over finite Abelian groups: an introduction to the method of trigonometric sums (lecture notes), Version 1.3, Section 4. http://people.cs.uchicago.edu/laci/reu02/fourier.pdf.
Bellare M., Impagliazzo R.: A tool for obtaining tighter security analyses of pseudorandom function based constructions, with applications to PRP to PRF conversion. Cryptology ePrint Archive, Report 1999/024 (1999).
Bellare M., Desai A., Jokipii E., Rogaway P.: A concrete security treatment of symmetric encryption. In: Proceedings, 38th Annual Symposium on Foundations of Computer Science, pp. 394–403. IEEE (1997).
Bellare M., Krovetz T., Rogaway P.: Luby–Rackoff backwards: increasing security by making block ciphers non-invertible. In: Nyberg K. (ed.) Advances in Cryptology-EUROCRYPT’98, LNCS, vol. 1403, pp. 266–280. Springer, Berlin (1998).
Bellare M., Kilian J., Rogaway P.: The security of the cipher block chaining message authentication code. J. Comput. Syst. Sci. 61(3), 362–399 (2000).
Bellare M., Rogaway P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay S. (ed.) Advances in Cryptology-EUROCRYPT 2006, LNCS, vol. 4004, pp. 409–426. Springer, Berlin (2006).
Bhattacharya S., Nandi M.: Full indifferentiable security of the XOR of two or more random permutations using the \(\chi ^2\) method. In: EUROCRYPT 2018, Part I, pp. 387–412 (2018).
Bogdanov A., Knudsen L.R., Leander G., Paar C., Poschmann A., Robshaw M.J.B., Seurin Y., Vikkelsoe C.: PRESENT: an ultra-lightweight block cipher. In: Paillier P., Verbauwhede I. (eds.) Cryptographic Hardware and Embedded Systems-CHES 2007, LNCS, vol. 4727, pp. 450–466. Springer, Berlin (2007).
Borghoff J., Canteaut A., Güneysu T., Kavun E., Knezevic M., Knudsen L.R., Leander G., Nikov V., Paar C., Rechberger C., Rombouts P., Thomsen S., Yalçın T.: PRINCE-a low-latency block cipher for pervasive computing applications. In: Wang X., Sako K. (eds.) Advances in Cryptology-ASIACRYPT 2012, LNCS, vol. 7658, pp. 208–225. Springer, Berlin (2012).
Chen S., Steinberger J.: Tight security bounds for key-alternating ciphers. In: Nguyen P.Q., Oswald E. (eds.) Advances in Cryptology-EUROCRYPT 2014, LNCS, vol. 8441, pp. 327–350. Springer, Berlin (2014).
Chen S., Lampe R., Lee J., Seurin Y., Steinberger J.: Minimizing the two-round Even–Mansour cipher. In: Garay J.A., Gennaro R. (eds.) Advances in Cryptology-CRYPTO 2014, Part I, LNCS, vol. 8616, pp. 39–56. Springer, Berlin (2014).
Cogliati B., Seurin Y.: Beyond-birthday-bound security for tweakable Even–Mansour ciphers with linear tweak and key mixing. In: Iwata T., Cheon J.H. (eds.) Advances in Cryptology-ASIACRYPT 2015, Part II, LNCS, vol. 9453, pp. 134–158. Springer, Berlin (2015).
Cogliati B., Seurin Y.: EWCDM: an efficient, beyond-birthday secure, nonce-misuse resistant MAC. In: Robshaw M., Katz J. (eds.) Advances in Cryptology-CRYPTO 2016, Part I, LNCS, vol. 9814, pp. 121–149. Springer, Berlin (2016).
Cogliati B., Seurin Y.: Analysis of the single-permutation encrypted Davies–Meyer construction. Des. Codes Cryptogr. (2018). https://doi.org/10.1007/s10623-018-0470-9.
Cogliati B., Lampe R., Patarin J.: The indistinguishability of the XOR of \(k\) permutations. In: Cid C., Rechberger C. (eds.) FSE 2014, LNCS, vol. 8540, pp. 285–302. Springer, Berlin (2014).
Dai W., Hoang V.T., Tessaro S.: Information-theoretic indistinguishability via the chi-squared method. In: Katz J., Shacham H. (eds.) CRYPTO 2017, Part III, LNCS, vol. 10403, pp. 497–523. Springer, Berlin (2017).
Dodis Y., Pietrzak K., Puniya P.: A new mode of operation for block ciphers and length-preserving MACs. In: Smart N. (ed.) Advances in Cryptology-EUROCRYPT 2008, LNCS, vol. 4965, pp. 198–219. Springer, Berlin (2008).
Dodis Y., Reyzin L., Rivest R.L., Shen E.: Indifferentiability of permutation-based compression functions and tree-based modes of operation, with applications to MD6. In: Dunkelman O. (ed.) Fast Software Encryption-FSE 2009, LNCS, vol. 5665, pp. 104–121. Springer, Berlin (2009).
Dziembowski S., Pietrzak K.: Leakage-resilient cryptography. In: 49th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2008, 25–28 October, 2008, Philadelphia, PA, pp. 293–302 (2008). https://doi.org/10.1109/FOCS.2008.56.
Gilboa S., Gueron S.: The Advantage of Truncated Permutations (2012). arXiv:1610.02518.
Hall C., Wagner D., Kelsey J., Schneier B.: Building PRFs from PRPs. In: Krawczyk H. (ed.) Advances in Cryptology-CRYPTO’98, LNCS, vol. 1462, pp. 370–389. Springer, Berlin (1998).
Hoang V.T., Tessaro S.: Key-alternating ciphers and key-length extension: exact bounds and multi-user security. In: Robshaw M., Katz J. (eds.) Advances in Cryptology-CRYPTO 2016, Part I, LNCS, vol. 9814, pp. 3–32. Springer, Berlin (2016).
Kiltz E., Pietrzak K., Szegedy M.: Digital signatures with minimal overhead from indifferentiable random invertible functions. In: Canetti R., Garay J.A. (eds.) Advances in Cryptology-CRYPTO 2013, LNCS, vol. 8042, pp. 571–588. Springer, Berlin (2013).
Luby M., Rackoff C.: Pseudo-random permutation generators and cryptographic composition. In: Proceedings of the Eighteenth Annual ACM Symposium on Theory of Computing, STOC’86, ACM, New York, NY, pp. 356–363 (1986).
Lucks S.: The sum of PRPs is a secure PRF. In: Preneel B. (ed.) EUROCRYPT 2000, LNCS, vol. 1807, pp. 470–484. Springer, Berlin (2000).
Mandal A., Patarin J., Nachef V.: Indifferentiability beyond the birthday bound for the XOR of two public random permutations. In: Gong G., Gupta K.C. (eds.) Progress in Cryptology-INDOCRYPT 2010, LNCS, vol. 6498, pp. 69–81. Springer, Berlin (2010).
Maurer U., Pietrzak K.: The security of many-round Luby–Rackoff pseudo-random permutations. In: Biham E. (ed.) Advances in Cryptology-EUROCRYPT 2003, LNCS, vol. 2656, pp. 544–561. Springer, Berlin (2003).
Maurer U., Renner R., Holenstein C.: Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology. In: Naor M. (ed.) TCC 2004, LNCS, vol. 2951, pp. 21–39. Springer, Berlin (2004).
Mennink B., Neves S.: Encrypted Davies–Meyer and its dual: towards optimal security using mirror theory. In: Katz J., Shacham H. (eds.) Advances in Cryptology-CRYPTO 2017, Part III, LNCS, vol. 10403, pp. 556–583. Springer, Berlin (2017).
Mennink B., Neves S.: Optimal PRFs from blockcipher designs. IACR Trans. Symmetric Cryptol. 2017(3), 228–252 (2017). https://doi.org/10.13154/tosc.v2017.i3.228-252.
Mennink B., Preneel B.: Hash functions based on three permutations: a generic security analysis. In: Safavi-Naini R., Canetti R. (eds.) Advances in Cryptology-CRYPTO 2012, LNCS, vol. 7417, pp. 330–347. Springer, Berlin (2012).
Mennink B., Preneel B.: On the XOR of multiple random permutations. In: Malkin T., Kolesnikov V., Lewko A.B., Polychronakis M. (eds.) ACNS 2015, LNCS, vol. 9092, pp. 619–634. Springer, Berlin (2015).
Patarin J.: Security of random Feistel schemes with 5 or more rounds. In: Franklin M. (ed.) Advances in Cryptology-CRYPTO 2004, LNCS, vol. 3152, pp. 106–122. Springer, Berlin (2004).
Patarin J.: A proof of security in \(O(2^n)\) for the XOR of two random permutations. In: Safavi-Naini R. (ed.) Information Theoretic Security-ICITS 2008, LNCS, vol. 5155, pp. 232–248. Springer, Berlin (2008).
Patarin J.: The “Coefficients H” technique. In: Avanzi R.M., Keliher L., Sica F. (eds.) Selected Areas in Cryptography-SAC 2008, LNCS, vol. 5381, pp. 328–345. Springer, Berlin (2009).
Patarin J.: Introduction to mirror theory: analysis of systems of linear equalities and linear non equalities for cryptography. Cryptology ePrint Archive, Report 2010/287 (2010).
Patarin J.: Security in \(O(2^n)\) for the XOR of two random permutations. Proof with the standard H technique. Cryptology ePrint Archive, Report 2013/368 (2013).
Steinberger J.: The sum-capture problem for Abelian groups. (2014). arXiv:1309.5582.
Acknowledgements
We thank the reviewers of EUROCRYPT & CRYPTO 2018 for invaluable comments. Chun Guo is a postdoc in ICTEAM/ELEN/Crypto Group, Université Catholique de Louvain, and his work is funded in part by the ERC project 724725 (acronym SWORD). Many thanks to François-Xavier Standaert for the invaluable support. Yaobin Shen, Lei Wang and Dawu Gu are supported by National Natural Science Foundation of China (61602302, 61472250, 61672347), Natural Science Foundation of Shanghai (16ZR1416400), Shanghai Excellent Academic Leader Funds (16XD1401300), 13th five-year National Development Fund of Cryptography (MMJJ20170114).
Communicated by A. Winterhof.
Appendix A: Our alternative proof for EDMSP
In this section we present our security analysis of EDMSP.
Theorem 3
For any distinguisher D making at most q queries with \(q\ll N/6\), we have
The proof for this scheme is more complicated, since the evaluations of two distinct inputs may collide after the “first round”, i.e., \(P(x)\oplus x=P(x')\oplus x'\). It can be seen that two queries (x, z) and \((x',z')\) in \(\tau \) form such a “colliding” pair if and only if the corresponding outputs collide, i.e. \(z=z'\). To simplify the analysis, we treat such “colliding” queries separately.
In detail, for an attainable transcript \(\tau =\{(x_1,z_1),(x_2,z_2),\ldots ,(x_q,z_q)\}\), define a set
and let \(\tau _2=\tau \backslash \tau _1\). Further define three sets
and let \(\mu =|{\mathcal {S}}{\mathcal {C}}{\mathcal {S}}|\). Then the bad transcripts are defined in the next subsection.
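The following is an added illustration, not code from the paper: it implements the two constructions from the abstract (SUMPIP \(= P\oplus P^{-1}\) and EDMSP \(= P(P(x)\oplus x)\)) over a toy permutation table and performs the \(\tau _1/\tau _2\) split of a transcript described above, checking that two records collide on \(z\) exactly when they collide on the first-round value \(P(x)\oplus x\). The toy block size \(n=8\), the seed and the number of queries are constructed sample values.

```python
import random
from collections import defaultdict


def invert(P):
    """Inverse lookup table of a permutation given as a list."""
    P_inv = [0] * len(P)
    for x, y in enumerate(P):
        P_inv[y] = x
    return P_inv


def random_permutation(n, seed=None):
    """Uniform random permutation of {0,...,2^n-1} and its inverse, as tables."""
    table = list(range(1 << n))
    random.Random(seed).shuffle(table)
    return table, invert(table)


def sumpip(P, P_inv, x):
    """SUMPIP(x) = P(x) xor P^{-1}(x): the sum of a permutation and its inverse."""
    return P[x] ^ P_inv[x]


def edmsp(P, x):
    """EDMSP(x) = P(P(x) xor x): first-round value y = P(x) xor x, output z = P(y)."""
    y = P[x] ^ x
    return P[y]


def split_transcript(P, xs):
    """Query EDMSP on the distinct inputs xs; return the transcript tau and its split
    into tau_1 (records whose z is shared with another record) and tau_2 (the rest)."""
    tau = [(x, edmsp(P, x)) for x in xs]
    count = defaultdict(int)
    for _, z in tau:
        count[z] += 1
    tau1 = [(x, z) for x, z in tau if count[z] > 1]
    tau2 = [(x, z) for x, z in tau if count[z] == 1]
    return tau, tau1, tau2


def has_triple_collision(tau):
    """Bad condition (B-1): some output value z occurs in three or more records."""
    count = defaultdict(int)
    for _, z in tau:
        count[z] += 1
    return any(c >= 3 for c in count.values())


def colliding_pairs_match(P, tau):
    """The observation behind the split: two records collide on z exactly when they
    collide on the first-round value P(x) xor x, because P is a bijection."""
    for a in range(len(tau)):
        for b in range(a + 1, len(tau)):
            (x, z), (x2, z2) = tau[a], tau[b]
            if ((P[x] ^ x) == (P[x2] ^ x2)) != (z == z2):
                return False
    return True


if __name__ == "__main__":
    P, P_inv = random_permutation(8, seed=2018)       # constructed: n = 8, N = 256
    tau, tau1, tau2 = split_transcript(P, range(32))  # constructed: q = 32 queries
    print("|tau_1| =", len(tau1), "|tau_2| =", len(tau2),
          "(B-1) bad:", has_triple_collision(tau),
          "collide iff first-round collide:", colliding_pairs_match(P, tau))
    print("SUMPIP(0..3):", [sumpip(P, P_inv, x) for x in range(4)])
```

When (B-1) does not hold, every shared \(z\) appears in exactly two records, which is why \(|\tau _1|\) is even for a good transcript.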
A.1 Bad transcript
Definition 3
(Bad transcripts for \(\textsf {EDMSP}\)) If one of the following conditions is fulfilled, we say an attainable transcript \(\tau =((x_1,z_1),(x_2,z_2),\ldots ,(x_q,z_q))\) is bad:
- (B-1) there exist three distinct indices \(i,j,k\in \{1,\ldots ,q\}\) such that \(z_i=z_j=z_k\);
- (B-2) \(\mu \ge {q^3}/{N}+q^{3/2}\sqrt{3n}\);
- (B-3) \(|\tau _1|\ge \sqrt{q}\).
Otherwise we say that \(\tau \) is good. Denote by \({\mathcal {T}} _{\mathrm {bad}}\), resp. \({\mathcal {T}} _{\mathrm {good}}\) the set of bad, resp. good transcripts.
Clearly, \(\Pr [\text {(B-1)}]\le \left( {\begin{array}{c}q\\ 3\end{array}}\right) \cdot \frac{1}{N^2}\le \frac{q^3}{N^2}\). On the other hand, \(\Pr [\text {(B-2)}]\le \frac{2}{N}\) immediately follows from Lemma 2. Finally, for (B-3), we have at most \(\left( {\begin{array}{c}q\\ 2\end{array}}\right) \le q^2/2\) pairs \(((x_i,z_i),(x_j,z_j))\) of distinct records in \(\tau \). We note that \(\Pr [|\tau _1|\ge \sqrt{q}]\) does not exceed the probability that the number of pairs \(((x_i,z_i),(x_j,z_j))\) with \(z_i=z_j\) is at least \(\sqrt{q}/2\). For each such \((x_i,z_i)\) and \((x_j,z_j)\), we have \(\Pr [z_i=z_j]=1/N\), thus \(\Pr [\text {(B-3)}]=\Pr [|\tau _1|\ge \sqrt{q}]\le \frac{q^2/2}{N\sqrt{q}/2}={q^{3/2}}/{N}\) by Markov’s inequality, and
We then proceed to lower bound \(\Pr [T_{\mathrm {re}}=\tau ]\) for a good \(\tau \).
A.2 Ratio for good transcripts
We lower bound the number of random permutations P such that \(\textsf {EDMSP}^{P}(x_i)=z_i\) for \(i=1,\ldots ,q\). We first consider the queries in \(\tau _1\).
A.2.1 Analyzing \(\tau _1\)
We note that for a good transcript \(\tau \), \(|\tau _1|\) is necessarily even, as otherwise (B-1) is fulfilled. Therefore, we can let \(\lambda =|\tau _1|/2\), rename the subscripts and write
For the \(2\lambda \) queries in \(\tau _1\), we lower bound the number of sequences of distinct intermediate values \({\mathbf {Y}}=(y_1,y_2,\ldots ,y_{\lambda })\) such that the pairs of events \(\textsf {EDMSP}^{P}(x_l)=z_l\) and \(\textsf {EDMSP}^{P}(x_l')=z_l\) for \(l=1,\ldots ,\lambda \) are equivalent to the \(3\lambda \) distinct equations \(P(x_l)=x_l\oplus y_l\), \(P(x_l')=x_l'\oplus y_l\), and \(P(y_l)=z_l\), cf. the notations in Fig. 1 (right). Formally, we lower bound the number \(N_Y\) of \({\mathbf {Y}}\) that satisfy:
- (i) for any \(1\le l\le \lambda \), \(y_l\notin \mathcal {X}\), \(x_l\oplus y_l\notin \mathcal {Z}\), and \(x_l'\oplus y_l\notin \mathcal {Z}\);
- (ii) \(y_1,\ldots ,y_{\lambda }\) are distinct, and the \(2\lambda \) values \(x_1\oplus y_1\), \(x_1'\oplus y_1\), \(\ldots \), \(x_{\lambda }\oplus y_{\lambda }\), \(x_{\lambda }'\oplus y_{\lambda }\) are distinct.
By this,
- there are at least \(N-|\mathcal {X}|-2|\mathcal {Z}|=N-3q+2\lambda \) choices for \(y_1\), since \(y_1\notin \mathcal {X}\) and \(y_1\oplus x_1\notin \mathcal {Z}\) and \(y_1\oplus x_1'\notin \mathcal {Z}\);
- once \(y_1\) is fixed, there are at least \(N-|\mathcal {X}|-2|\mathcal {Z}|-1-4\cdot 1=N-3q+2\lambda -5\) choices for \(y_2\), since \(y_2\ne y_1\), and since \(x_2\oplus y_2\) and \(x_2'\oplus y_2\) should be different from \(x_1\oplus y_1\) and \(x_1'\oplus y_1\);
- once \(y_1,\ldots ,y_l\) are fixed, there are at least \(N-|\mathcal {X}|-2|\mathcal {Z}|-l-4l=N-3q+2\lambda -5l\) choices for \(y_{l+1}\), since \(y_{l+1}\ne y_1,\ldots ,y_l\), and since both \(x_{l+1}\oplus y_{l+1}\) and \(x_{l+1}'\oplus y_{l+1}\) should avoid 2l values (i.e. \(x_1\oplus y_1,x_1'\oplus y_1,\ldots ,x_l\oplus y_l,x_l'\oplus y_l\)).
Therefore,
It’s not hard to see that given such a good \({\mathbf {Y}}\), the event \(\textsf {EDMSP}^{P}(x_l)=z_l\) for \(l=1,\ldots ,\lambda \) is indeed equivalent to the desired \(3\lambda \) equations. By these,
We then proceed to derive the lower bound for \(\Pr [P\xleftarrow {\$}\mathcal {P}(n):\textsf {EDMSP} ^P\vdash \tau _2\mid \textsf {EDMSP} ^P\vdash \tau _1]\). To this end, we fix a good sequence \({\mathbf {Y}}\) as described, assume that a randomly picked P satisfies the \(3\lambda \) induced equations, and analyze the queries in \(\tau _2\).
A.2.2 Analyzing \(\tau _2\)
We rename the subscripts and write
We lower bound the number of P’s that satisfy \(\textsf {EDMSP}^{P}(x_i)=z_i\) for \(i=2\lambda +1,\ldots ,q\). To this end, for a fixed \(t\in \{0,\ldots ,\frac{q-2\lambda }{2}\}\), we bound the number of permutations P such that
where
Note that this function slightly deviates from the tf functions used in Sects. 3 and 4.
In detail, we sequentially choose t pairs of indices \((i_1,j_1),(i_2,j_2),\ldots ,(i_t,j_t)\) from \(2\lambda +1,\ldots ,q\), such that each pair of them determines three equations on P, i.e., \(P(x_{i_l})=x_{i_l}\oplus x_{j_l}\), \(P(x_{j_l})=z_{i_l}\), and \(P(x_{j_l}\oplus z_{i_l})=z_{j_l}\) for \(l=1,\ldots ,t\). In order to make these equations “good”, that is, consistent with a permutation and not determining any other unfixed input-output patterns on P, we consider the sequences of indices that satisfy:
- (i) the 2t indices are distinct;
- (ii) for \(1\le l\le t\), it holds \(x_{i_l}\oplus x_{j_l}\notin \mathcal {Z}\) and \(x_{j_l}\oplus z_{i_l}\notin \mathcal {X}\);
- (iii) for \(1\le l\le t\) and \(1\le \alpha \le \lambda \), it holds \(x_{i_l}\oplus x_{j_l}\ne x_{\alpha }\oplus y_{\alpha }\), \(x_{i_l}\oplus x_{j_l} \ne x_{\alpha }'\oplus y_{\alpha }\) and \(x_{j_l}\oplus z_{i_l}\ne y_{\alpha }\), where \((x_\alpha , z_{\alpha }), (x'_{\alpha }, z_{\alpha }) \in \tau _1\) and \(y_\alpha \in {\mathbf {Y}}\) is their corresponding intermediate value;
- (iv) the t values \(x_{i_1}\oplus x_{j_1},\ldots ,x_{i_t}\oplus x_{j_t}\) are distinct; the t values \(x_{j_1}\oplus z_{i_1},\ldots ,x_{j_t}\oplus z_{i_t}\) are distinct.
We note that \(x_{i_l}\oplus x_{j_l}\in \mathcal {Z}\) implies \((i_l,j_l)\in {\mathcal {B}}{\mathcal {S}}_1\), where
Whereas \(x_{j_l}\oplus z_{i_l}\in \mathcal {X}\) implies \((i_l,j_l)\in {\mathcal {B}}{\mathcal {S}}_2\) for
By this and \(|{\mathcal {B}}{\mathcal {S}}_1|,|{\mathcal {B}}{\mathcal {S}}_2|\le |{\mathcal {S}}{\mathcal {C}}{\mathcal {S}}|=\mu \), we have:
- there are at least \(q-2\lambda \) choices for \(i_1\) and \(q-2\lambda -1\) choices for \(j_1\). However, among these \((q-2\lambda )(q-2\lambda -1)\) choices, there are at most \(2\mu \) bad ones that would violate the required condition (ii). Moreover, in a similar vein to the corresponding reasoning in Sect. 3.2, condition (iii) would exclude at most \(3\lambda q\) choices in total. Therefore, there are at least \((q-2\lambda )(q-2\lambda -1)-2\mu -3\lambda q\) choices for \((i_1,j_1)\);
- for \(i_2\) and \(j_2\),
  - condition (ii) excludes at most \(2\mu \) choices,
  - condition (iii) excludes at most \(3\lambda q\) choices, and
  - condition (iv) excludes at most 2q choices.
  Therefore, there are at least \((q-2\lambda -2)(q-2\lambda -3)-2\mu -3\lambda q-2q\) choices for \((i_2,j_2)\);
- \(\ldots \)
- once \((i_1,j_1),\ldots ,(i_l,j_l)\) are fixed, to ensure distinctness, there are at least \((q-2\lambda -2l)(q-2\lambda -2l-1)-2\mu -3\lambda q-2lq\) choices for \((i_{l+1},j_{l+1})\).
It’s not hard to see that given such a sequence of good indices \((i_1,j_1),\ldots ,(i_t,j_t)\), for \(l=1,\ldots ,t\), the 3t equations \(P(x_{i_l})=x_{i_l}\oplus x_{j_l}\), \(P(x_{j_l})=z_{i_l}\), and \(P(x_{j_l} \oplus z_{i_l})=z_{j_l}\) would be new and distinct ones. Having the redundant possibilities excluded, the number \(N_I\) of such 3t equations is thus at least
Finally, given a good choice \({\mathbf {Y}}\) and a good set of indices \(\{(i_1,j_1),\ldots ,(i_t,j_t)\}\), we choose a sequence of \(q-2\lambda -2t\) distinct intermediate values for the remaining \(q-2\lambda -2t\) queries in \(\tau _2\). For convenience, we rename the subscripts and write
for these queries, and denote the newly chosen sequence by
We bound the number \(N_Y'\) of \({\mathbf {Y}}'\) that satisfy the following requirements (which slightly resemble those on \({\mathbf {Y}}\)):
- (i) for any \(2\lambda +2t+1\le l\le q\), \(y_l\notin \mathcal {X}\), and \(x_l\oplus y_l\notin \mathcal {Z}\);
- (ii) \(y_{2\lambda +2t+1},\ldots ,y_q\) are distinct; and \(x_{2\lambda +2t+1}\oplus y_{2\lambda +2t+1}\), \(\ldots \), \(x_q\oplus y_q\) are distinct;
- (iii) for any \(2\lambda +2t+1\le l\le q\),
  - there does not exist \(1\le j\le \lambda \) in \(\tau _1\) such that \(y_l=y_j\) or \(x_l\oplus y_l=x_j\oplus y_j\) or \(x_l\oplus y_l=x_j'\oplus y_j\) (\(y_j\) is given by \({\mathbf {Y}}\));
  - there does not exist a pair of indices \((\alpha ,\beta )\) (selected in the previous phase of the t pairs in \(\tau _2\)) such that either \(y_l=x_{\beta }\oplus z_{\alpha }\) or \(x_l\oplus y_l=x_{\alpha }\oplus x_{\beta }\).
Following the reasoning for \(\tau _1\), it’s not hard to see
It can be seen that given a good choice of \({\mathbf {Y}}\), a good choice of a set of 2t indices, and a good choice of \({\mathbf {Y}}'\), the event \(T_{\mathrm {re}}=\tau \) is equivalent to P satisfying \(3\lambda +3t+2(q-2t-2\lambda )=2q-t-\lambda \) equations. Therefore,
A.3 Expectation for t, and the final bound
Since \(|\tau _1|=2\lambda \), it can be seen
Therefore, we have
We tidy the terms for clearness:
By this,
We next bound the three involved terms A, B, and C in turn. First, for any \(0\le t\le \frac{q-2\lambda }{2}\), we have
Further using \(\lambda =|\tau _1|/2\le \sqrt{q}/2\) (since \(\tau \) is good) and \(N-2q+\lambda \ge N-2q\gg N/2\) when \(2q\ll N/2\), we have
Moreover,
For the last term, we have
Therefore, we have
Following the same line as Sect. 3.3, it can be shown
and
Furthermore, the mean of the hypergeometric distribution \(\textsf {Hyp}_{N,q-2\lambda ,q-2\lambda }\) is \(\frac{(q-2\lambda )^2}{N}\); using the assumption that \(q\le N/3\), we thus have
Gathering the above, and using \(q-2\lambda \le q\), we obtain
Gathering this ratio and the upper bound on \(\Pr [\tau \in {\mathcal {T}} _{\mathrm {bad}}]\) ultimately yields
Cite this article
Guo, C., Shen, Y., Wang, L. et al. Beyond-birthday secure domain-preserving PRFs from a single permutation. Des. Codes Cryptogr. 87, 1297–1322 (2019). https://doi.org/10.1007/s10623-018-0528-8