On the Optimality of Non-Linear Computations of Length-Preserving Encryption Schemes

Abstract

It is well known that three and four rounds of balanced Feistel cipher or Luby-Rackoff (LR) encryption for two blocks messages are pseudorandom permutation (PRP) and strong pseudorandom permutation (SPRP) respectively. A block is n-bit long for some positive integer n and a (possibly keyed) block-function is a nonlinear function mapping all blocks to themselves, e.g. blockcipher. XLS (eXtended Latin Square) encryption defined over two block inputs with three blockcipher calls was claimed to be SPRP. However, later Nandi showed that it is not a SPRP. Motivating with these observations, we consider the following questions in this paper: What is the minimum number of invocations of block-functions required to achieve PRP or SPRP security over \(\ell \) blocks inputs? To answer this question, we consider all those length-preserving encryption schemes, called linear encryption mode, for which only nonlinear operations are block-functions. Here, we prove the following results for these encryption schemes:

1. 1.

   At least \(2\ell \) (or \(2\ell -1\)) invocations of block-functions are required to achieve SPRP (or PRP respectively). These bounds are also tight.

2. 2.

   To achieve the above bound for PRP over \(\ell > 1\) blocks, either we need at least two keys or it can not be inverse-free (i.e., need to apply the inverses of block-functions in the decryption). In particular, we show that a single-keyed inverse-free PRP needs \(2\ell \) invocations of block functions.

3. 3.

   We show that 3-round LR using a single-keyed pseudorandom function (PRF) is PRP if we xor a block of input by a masking key.

1 Introduction

Block function. For all symmetric key algorithms, domains (sometimes, also ranges) are desired to be sets of bit-strings of variable sizes. However, almost all known methodologies, known as modes, use one or more (usually keyed) functions defined over small and fixed lengths (e.g., blockcipher, compression function, permutations in sponge constructions etc.) in a black-box manner. We call a function from \(I_n := \{0,1\}^n\) (elements of the set are called blocks) to itself a block function. Throughout the paper we fix a positive integer n. A keyed blockcipher is a popular example of block function. Multiplying (as a field multiplication over \(I_n\)) an element by a secret key K can also be considered to be a block function as it maps a block input x to \(K \cdot x \in I_n\). Outputs of a streamcipher with one block seed, can also be viewed as a sequence of execution of different block functions. In fact, any function mapping one block to multiple blocks can be viewed as a sequence of executions of block functions. Whereas, a function mapping multiple blocks to a single block can not be in general expressed through block functions. For example, compression function, or mapping (x, y) to \((x+K) \cdot (y+ K)\) (known as pseudo dot-product) are not examples of block functions as they take more than one block as an input.

Length-Preserving Encryption. An encryption algorithm is called length-preserving if the the number of blocks in a plaintext and its corresponding ciphertext are same. A length-preserving encryption is called an enciphering scheme. In addition with the theoretical interest, an enciphering scheme has some practical applications. Among others, a popular application is disk-sector encryption addressed by the “IEEE Security in Storage” Work Group P1619. An enciphering scheme is said to be (S)PRP or (strong) pseudorandom permutation [34, 35] if it is secure against adversaries making only plaintext queries (or both plaintext, ciphertext queries respectively). The building block keyed block function is assumed to be PRP or PRF (pseudorandom function [12]).

Linear Mode. In this paper we consider a wide class of enciphering schemes and pseudorandom functions based on linear mode. Informally, a linear mode (LM) is defined by an oracle algorithm which interacts with block functions (usually keyed) as oracles such that all inputs of the block functions are computed through some public linear functions (determined in the design) of the previous obtained responses. Finally, the output is also computed through a public linear function of all responses of block functions and the input.

This class is indeed a wide class of encryption algorithms. Most of the known symmetric key encryptions, e.g., Luby-Rackoff (LR) [23, 28], Feistel type Encryption Schemes [6, 17] CMC [15], EME [13, 16] HCTR [9, 51], TET [14], HEH [47] etc. are some examples of enciphering schemes based on linear mode. Almost all pseudorandom functions (e.g., CBC-MAC [5], PMAC [8], TMAC [22], OMAC [18], DAG-based constructions [20], a sub-class of affine domain extension or ADE [29] etc.) are also based on linear mode. Thus, the linear mode based keyed construction includes a wide class of symmetric key algorithms.

1.1 Brief Literature Survey

Now we briefly revisit the related results. Feistel structure is used to define different blockciphers e.g., Lucifer [50], DES etc. Later, Luby-Rackoff provides the PRP and SPRP security analysis of this type of ciphers and since then it is also popularly known as Luby-Rackoff (LR) cipher. In particular it was shown that three and four round LR cipher are PRP and SPRP secure respectively. Each round invokes exactly one block function. There are many results known for security analysis of different rounds of LR and for different forms of Feistel structures [6, 28, 39, 40, 48]. Many results are known for reducing the key-sizes (i.e. reusing the round keys [37, 38, 42, 46]). Nandi [28] has characterized that all secure LR encryption schemes must have non-palindrome key-scheduling algorithms. Thus, we cannot use one single key.

XLS [43] is proposed to construct a generic encryption scheme which takes incomplete message blocks given that an encryption which can take complete message blocks. A particular instantiation of XLS invokes three block functions and claimed to be SPRP secure. However, the result is shown to be wrong [31] and some of implications (e.g., COPA [2] which uses XLS) are shown very recently [32]. Among all linear mode based length-preserving SPRP, the CMC and four-round Luby-Rackoff require only \(2\ell \) calls for encrypting \(\ell \) blocks and others requires more (e.g., EME requires \(2\ell + 1\) calls etc.). Understanding optimality of SPRP and PRP, in terms of the number of blockcipher or block function calls, is our main motivation of this paper.

A class of authenticated encryption modes linear over the field was proposed by Jutla [21]. This class is more restricted than our linear mode as the linearity is considered over \(I_n\) instead of binary. In other words, only linear operation is bit-wise xor (without having any rotation or permutation of bit positions, multiplying by primitive element etc.). Jutla had shown that the number of invocations of blockcipher calls plus the number of masking keys should be about \(\ell + O(\log _2 \ell )\).

1.2 Our Contribution

(1) Optimality in PRP and SPRP. Lear Bahack in his submission of the design called Julius [1] stated that \(2\ell -1\) blockcipher encryptions are required for achieving “simple linear mode” PRP over \(\ell \) blocks. However, their result is still unpublished and so formalizing the issue and proving such a statement is yet to know. Moreover, no such claim is known for SPRP security. In this paper we provide a formal definition of linear mode in Sect. 3. In Sect. 4, we formally show that a linear mode based length-preserving PRP (or SPRP) over \(\ell \) blocks must invoke block functions at least \(2\ell -1\) (or respectively, \(2\ell \)) times. This justifies why XLS or three rounds of Luby-Rackoff are not SPRP. This bound is tight as three and four-rounds LR, CMC (for arbitrary block messages) etc. achieve these bounds.

(2) Optimality in Single-key Inverse-Free PRP. Inverse-free encryptions [6, 17, 19, 23] like LR cipher are useful in terms of implementation as we do not need to implement the inverse of the building-block for the combined implementation of encryption and decryption. In Sect. 5, we show that any linear-mode based inverse-free single key length-preserving PRP over \(\ell \) blocks requires at least \(2\ell \) invocations (which is actually same for SPRP constructions). This shows that PRP and SPRP becomes equally costly for single-keyed inverse-free encryptions. Although all distinguishers of our paper are differential distinguishers, the PRP distinguisher for an inverse-free single key construction is different from the above SPRP attacks.

(3) Three-Round Single-PRF Based LR with a Masking is PRP. The above observation says that to achieve inverse-free double-block PRP with three invocations, we can use two independent PRF (e.g., the constructions in [28] are such examples). Two independent keyed PRF may be more costly than one keyed PRF due to key-scheduling or key set-up algorithms [10, 44]. In the later part of the Sect. 5, we show that the single PRF based three round LR is indeed PRP if we simply mask one block of the input by a masking key.

Significance. Our above two distinguishing attacks provide a limitation on the performance of a (inverse-free) length-preserving encryption or pseudorandom function or permutation. This applies to a wide class of encryption algorithms including online encryption, authenticated encryption (without any nonce) etc. and so it has impact on designs and analysis in symmetric key cryptography.

Novelty of The Attack Idea. In [30] the minimum number of multiplications required to achieve \(\varDelta \) universal hash has been proposed. Like all other differential attacks (where zero differences are exploited), our PRP distinguisher and the \(\varDelta \)U attack from [30] basically finds zero differences in the input of non-linear functions for some executions. Basic intuition of our SPRP distinguishing attack is also similar to that of the distinguishing attack of XLS. However, to make all these applicable for general constructions, we need to find an appropriate difference in queries. For this, we adopt methodologies from linear algebra. The PRP distinguisher for single keyed inverse-free construction also exploits zero differential propagation. However, to achieve zero differential in one more block than expected (for a PRP distinguisher) is the tricky part of the attack. This essentially allows to achieve a PRP distinguisher even if we invoke one extra block function compared to usual PRP construction.

2 Preliminaries

A block matrix is a binary square matrix of size n. Let \(\mathbb {M}_n(a,b)\) denote the set of all partitioned matrices \(E_{a \times b}\) (of size \(a \times b\) as a block partitioned matrix and of size \(an \times bn\) as a binary matrix) whose \((i, j)^{\mathrm {th}}\) entry, denoted E[i, j], is a block-matrix for all \(i \in [1..a] = \{1, \ldots , a\}\) and \(j \in [1..b]\). The transpose of E, denoted \(E^{tr}\), is applied as a binary matrix. Thus, \(E^{tr}[i,j] = E[j, i]^{tr}\). Conventionally, any matrix \(E_{a \times b}\) is written as the following block-wise partition matrices

$$\begin{aligned} E = \begin{pmatrix} E[1,1] &{} E[1,2] &{} \cdots &{} E[1, b] \\ E[2,1] &{} E[2,2] &{} \cdots &{} E[2, b] \\ \vdots &{} \vdots &{} \vdots &{} \vdots \\ E[a,1] &{} E[a,2] &{} \cdots &{} E[a, b] \end{pmatrix} := \begin{pmatrix} E[1,*] \\ E[2,*] \\ \vdots \\ E[a,*] \end{pmatrix} := \begin{pmatrix} E[*,1]&E[*,2]&\cdots&E[*, b] \end{pmatrix} \end{aligned}$$

where \(E[i, *]\) and \(E[*, j]\) denote \(i^{\mathrm {th}}\) block-row and \(j^{\mathrm {th}}\) block-column respectively. For \(1 \le i \le j \le a\), we also write \(E[i..j~;~ *]\) to mean the sub-matrix consisting of all rows in between i and j. We simply write \(E[..j~;~*]\) or \(E[i..~;~*]\) to denote \(E[1..j~;~ *]\) and \(E[i..a~;~ *]\) respectively. Similar notation for columns are defined.

Definition 1

A (square) matrix \(E \in \mathbb {M}_n(a, a)\) is called (block-wise) strictly lower triangular if for all \(1 \le i \le j \le a\), \(E[i,j] = \mathbf {0}\) (zero matrix).

For all \(x = (x_1, \ldots , x_a) \in I_n^a\), we define a linear function mapping a blocks to b blocks as \(E \cdot x = (y_1, \ldots , y_b)\). Here, we consider x and y as binary column vectors (we follow this convention which should be understood from the context). So the block matrix E[i, j] represents the contribution of \(x_j\) to define \(y_i\). More formally,

$$y_i = E[i,1] \cdot x_1 + E[i,2] \cdot x_2 + \cdots + E[i,a] \cdot x_a,~~ 1 \le i \le b.$$

If E is a strictly lower triangular matrix then \(y_i\) is clearly functionally independent of \(x_i, \ldots , x_{a}\), \(1 \le i \le a\). So if we associate \(y_i\) uniquely to each \(x_i\) (e.g., \(y_i =\rho (x_i)\) for some function \(\rho \)) then the choice of the vectors x and y satisfying \(E \cdot x =y\) becomes unique. This observation is useful while we define intermediate inputs and outputs of a black-box based construction.

2.1 Useful Properties of Matrices

It is well known that the maximum number of linearly independent (binary) rows and columns of a matrix \(A \in \mathbb {M}_n(s, t)\) are same and this number is called rank of the matrix, denoted \(\mathrm {rank}(A)\). So clearly we have \(\mathrm {rank}(A) \le \min \{ns, nt\}\). By using Gaussian elimination method, denoted \(x = \textsf {solve}(A, b)\), we can solve for some x (not necessarily unique) of the system of solvable linear equations \(A \cdot x = b\). By convention, whenever a non-zero solution exists it returns a non-zero solution. Note that if \(w^{tr} = \textsf {solve}(A^{tr}, b^{tr})\) then \(w \cdot A = b\) (by applying transpose). The following results are straightforward and so we skip the proofs.

Lemma 1

Let \(A \in \mathbb {M}_n(s, t)\) and \(r := \mathrm {rank}(A)\).

(1) If \(r < ns\) (i.e. presence of row-dependency) then \(\textsf {solve}(A^{tr}, 0)\) returns a non-zero solution.

(2) Similarly for \(r < nt\) (i.e. presence of column-dependency) \(\textsf {solve}(A, 0)\) returns a non-zero solution.

(3) Finally, let \(r = nt\) (i.e., full column rank) and \(b := A \cdot w\). Then, \(\textsf {solve}(A, b) = w\) (i.e., w is also the unique solution).

Lemma 2

Suppose \(A \in \mathbb {M}_n(s, s)\) is a non-singular matrix, i.e., rank(A) \(= ns\). Let \(t < s\) and

$$\begin{aligned} B = \begin{pmatrix} A[..t,*] &{} \mathbf {0} \\ \mathbf {0} &{} A[..t,*] \\ A[t+1..,*] &{} A[t+1..,*] \\ \end{pmatrix} \end{aligned}$$

where \(\mathbf {0}\) denotes the zero matrix of appropriate size. Then, \(\mathrm {rank}(B) = n(s+t)\) (i.e., full row-rank).

2.2 Security Definitions and Notation

In this section we quickly recall the security definitions of fixed length keyed constructions. One can also extend the definitions for variable length constructions.

PRF. We call an oracle algorithm \(\mathcal {A}\) (t, q)-algorithm if it makes at most q queries and runs in time t. Let \(\mathcal {K}\) be a key-space and \(f: \mathcal {K} \times I_n^a \rightarrow I_n^b\) be a (keyed) function. We say that f is \((q, t, \epsilon )\)-PRF if for any (t, q)-algorithm \(\mathcal {A}\) the prf-distinguishing advantage

$$\begin{aligned} \mathbf {Adv}^{\mathrm {prf}}_{f}(\mathcal {A}):= |\textsf {Pr}[\mathcal {A}^{f_K} = 1; K \mathop {\leftarrow }\limits ^{\$}\mathcal {K}] - \textsf {Pr}[\mathcal {A}^{g} = 1; g \mathop {\leftarrow }\limits ^{\$}\mathrm {Func}(a,b)]| \end{aligned}$$

is at most \(\epsilon \) where \(\mathrm {Func}(a,b)\) denotes the set of all functions from \(I_n^a\) to \(I_n^b\). We call randomly chosen g to be the (uniform) random function.

Notation. For notational simplicity, we skip the time parameter t which is irrelevant in this paper. We also simply write \(\mathrm {Func}:= \mathrm {Func}(1,1)\) and \(\mathrm {Perm}\) to mean the set of all functions and permutations over \(I_n\).

(S)PRP. A keyed permutation g over \(I_n^a\) is a function \(g: \mathcal {K} \times I_n^a \rightarrow I_n^a\) such that for all key \(k \in \mathcal {K}\), \(g_k := g(K, \cdot ) \in \mathrm {Perm}(a)\) (the set of all permutations over \(I_n^a\)). We denote the uniformly chosen permutation by \(\varPi _a\) and call uniform random permutation. A keyed permutation g is called \((q, \epsilon )\)-PRP if for any q-algorithm \(\mathcal {A}\) the prp-distinguishing advantage

$$\begin{aligned} \mathbf {Adv}^{\mathrm {prp}}_{g}(\mathcal {A}):= |\textsf {Pr}[\mathcal {A}^{g_K(\cdot )} = 1; K \mathop {\leftarrow }\limits ^{\$}\mathcal {K}] - \textsf {Pr}[\mathcal {A}^{\varPi _a} = 1]| \end{aligned}$$

is at most \(\epsilon \). By PRF-PRP switching lemma [4, 49], it is well known that \(|\mathbf {Adv}^{\mathrm {prf}}_{f}(\mathcal {A}) - \mathbf {Adv}^{\mathrm {prp}}_{f}(\mathcal {A})| \le {q \atopwithdelims ()2} 2^{-n}\). We define the sprp-distinguishing advantage

$$\begin{aligned} \mathbf {Adv}^{\mathrm {sprp}}_{f}(\mathcal {A}):= |\textsf {Pr}[\mathcal {A}^{f_K, f_K^{-1}} = 1; K \mathop {\leftarrow }\limits ^{\$}\mathcal {K}] - \textsf {Pr}[\mathcal {A}^{\varPi _a, \varPi _a^{-1}} = 1]| \end{aligned}$$

and \((q, \epsilon )\)-SPRP.

2.3 Tools for Proving Security

Given a q-algorithm \(\mathcal {A}\) interacting with an oracle \(\mathcal {O}\) we denote the transcript \(\tau (\mathcal {A}^{\mathcal {O}})\) by the random vector \(((X_1, Y_1), \ldots , (X_q, Y_q))\) where \(X_i \in I_n^a\) and \(Y_i \in I_n^b\) are the \(i^{\mathrm {th}}\) query made by and response obtained by \(\mathcal {A}\) respectively. The following theorem, known as coefficient-H technique [36, 41] is very useful to show a construction is PRP or SPRP. It has also been adapted in [7, 25]

Theorem 1

(Coefficient-H Technique). Let \(f: \mathcal {K} \times I_n^a \rightarrow I_n^b\) be a keyed function and \(\mathcal {V}_{\mathrm {bad}} \subseteq (I_n^a \times I_n^b)^q\). Suppose

1. 1.

   for all q-algorithm \(\mathcal {B}\), \(\textsf {Pr}[\tau (\mathcal {B}^{\varGamma _{a,b}}) \in \mathcal {V}_{\mathrm {bad}}] \le \epsilon _1\) and

2. 2.

   for all \(\tau =((x_1, y_1), \ldots , (x_q, y_q)) \not \in \mathcal {V}_{\mathrm {bad}}\),

   $$\textsf {Pr}[f_K(x_1) = y_1, \ldots , f_K(x_q) = y_q; K \mathop {\leftarrow }\limits ^{\$}\mathcal {K}] \ge (1 - \epsilon _2) \times 2^{-nbq}.$$

Then, for all q-algorithm \(\mathcal {A}\), \(\mathbf {Adv}^{\mathrm {prf}}_{f}(\mathcal {A}) \le \epsilon _1 + \epsilon _2\).

3 Linear Mode

3.1 Linear Query and Mode

A block matrix \(U \in \mathbb {M}_n(\ell , a+ \ell )\) is called \((a,\ell )\)-query function if \(U[*~;~ a+1..]\) is block-wise strictly lower triangular. Here \(\ell \) represents the number of queries and a represents the number of blocks in the input. For any such query function, an input \(X \in I_n^a\), (and a tuple of \(\ell \) functions \(\tilde{\rho } = (\rho _1, \ldots , \rho _\ell )\) over \(I_n\)), we can uniquely define or associate u and v, called intermediate input and output vector respectively, satisfying (1) \(U \cdot {X \atopwithdelims ()v} = u\) and (2) \(\tilde{\rho }(u) := (\rho _1(u_1), \ldots , \rho _\ell (u_\ell )) = v\). This can be easily shown by recursive definitions of \(u_i\)’s and \(v_i\)’s. More precisely, \(u_i\) is uniquely determined by \(v_1, \ldots , v_{i-1}\) and X (through the linear function) and \(v_i\) is uniquely determined by \(u_i\) through \(\rho _i\), for all \(1 \le i \le \ell \). Informally, a \((a, b, \ell )\)-linear mode is a mode which takes a blocks input and returns b blocks output based on executing block functions building blocks (see Fig. 1 for an illustration of a linear mode). Formally, \((a, b, \ell )\)-linear mode is defined by a block matrix \(E \in \mathbb {M}_n(\ell +b, \ell +a)\) where \(E[1..\ell ~;~ *]\) is a \((a, \ell )\)-query function. For any \(\ell \)-tuple of functions \(\tilde{\rho } \in \mathrm {Func}^{\ell }\), the corresponding linear-mode function \(E^{\tilde{\rho }}: I_n^a \rightarrow I_n^b\) is defined as \(E^{\tilde{\rho }}(X) = Y\) where

$$\begin{aligned} E \cdot \begin{pmatrix} X \\ v \end{pmatrix} = \begin{pmatrix} u \\ Y \end{pmatrix} ,~~~ \tilde{\rho }(u) = v. \end{aligned}$$

Fig. 1.

Linear Mode: Here \(U[i, *]\) means the \(i^{\mathrm {th}}\) block row which maps \((X, v_1, \ldots , v_{i-1}, 0^{\ell -i+1})\) to \(u_i\). Finally, \(U[\ell +1..~;~*]\) maps the input X and intermediate output vector v to the output Y consisiting of b blocks.

So v is the intermediate output vector associated to the input X and the final output \(Y:= E[\ell +1..~;~*] \cdot {X \atopwithdelims ()v}\), a linear function of v and X. Now we state a useful differential property of linear mode. Note that the functions of \(\tilde{\rho }\) are non-linear and would be secret for the adversaries. So to obtain any information about the intermediate input and output, we only can equate intermediate outputs whenever two inputs collide for same function. Given any vectors \(x, x'\) of same size, we write \(\varDelta x\) to mean \(x \oplus x'\) and \(\varDelta _{a.b} x\) to mean \((x_a \oplus x'_a, \ldots , x_b \oplus x'_b)\). We simply write \(\varDelta _t x\) to mean \(\varDelta _{1..t} x\) (the first t elements of \(\varDelta x\)) (Fig. 2).

Fig. 2.

Differential patterm of the linear mode: we choose \(\varDelta X\) such that the first t input differences of the \(\rho \) functions are zero. So the final difference \(\varDelta Y\) can be expressed as the linear function of the rest of the differences \(\varDelta v_{t+1..}\) and \(\varDelta X\).

Lemma 3

Suppose \(E[..t~;~*] \cdot X = E[..t~;~ *] \cdot X'\) (i.e., \(E[..t~;~*] \cdot \varDelta X= 0\)). Let \(E^{\tilde{\rho }}(X) = Y\), \(E^{\tilde{\rho }}(X') = Y'\). Let \(v, v'\) and \(u, u'\) denote intermediate outputs and inputs respectively associated with X and \(X'\) (for the function tuple \(\tilde{\rho }\)) respectively. Then, \(\varDelta _t u = \varDelta _t v = 0^t\) and

$$\varDelta Y = E[\ell +1..~;~..a] \cdot \varDelta X + E[\ell +1..~;~a+t+1..] \cdot \varDelta v_{t+1..}.$$

Proof

Due to choice of X and \(X'\), by induction one can show that \((u_1, v_1) = (u'_1, v'_1), \ldots (u_t, v_t) = (u'_t, v'_t)\) where u and \(u'\) denote the intermediate inputs associated with X and \(X'\) respectively (for the function tuple \(\tilde{\rho }\)). In other words, \(\varDelta _t u = \varDelta _t v = 0^t\). Now, \(Y = E[\ell +1..~;~a+1..] \cdot v + E[\ell +1..~;~..a] \cdot X\) and similarly \(Y' = E[\ell +1..~;~a+1..] \cdot v' + E[\ell +1..~;~..a] \cdot X'\). The result is followed after we add these two equations and using that \(\varDelta _t v = 0^t\).    \(\square \)

3.2 Keyed Constructions Based on Linear Mode

Keyed Linear Mode. Let \(\mathcal {F} = \mathcal {F}_1 \times \cdots \times \mathcal {F}_f\) and k be a non-negative integer where \(\mathcal {F}_i \subseteq \mathrm {Func}\). A key-space \(\mathcal {K}\) for any keyed function is of the form \(I_n^k \times \mathcal {F}\). We call \(\mathcal {F}\) the function-key space and \(I_n^k\) masking-key space. Any function g is also written as \(g^{+1}\).

Definition 2

Let \(\mu : [1..\ell ] \rightarrow [1..f]\), called key-assignment function, \(\alpha := (\alpha _1, \ldots , \alpha _{\ell }) \in \{+1, -1\}^{\ell }\), called inverse-assignment tuple. For any function-key \(\rho = (\rho _1, \ldots , \rho _f) \in \mathcal {F}\), we define \(\rho _\mu ^{\alpha } := (\rho _{\mu _1}^{\alpha _1}, \ldots , \rho _{\mu _\ell }^{\alpha _\ell })\). We denote the set of all functions \(\rho _\mu ^{\alpha }\) by \(\mathcal {F}_{\mu }^{\alpha }\).

Here we implicitly assume that whenever \(\alpha _i = -1\), \(\rho _{\mu _i}\) is a permutation. If \(\alpha = 1^{\ell }\), we simply skip the notation \(\alpha \). In general, the presence of inverse call of building blocks may be required when we consider decryption of keyed function. For the encryption, or a keyed function where decryption is not defined, w.l.o.g. we may assume that \(\alpha = 1^{\ell }\).

Definition 3

A (k, a, b) keyed linear mode with key-space \(\mathcal {K}\), key-assignment function \(\mu \), is a \((a+k, b, \ell )\) linear mode E. For each key \(\kappa := (L, \rho ) \in \mathcal {K} := I_n^k \times \mathcal {F}\), we define a keyed function \(E_{\kappa }(P) := E^{\rho _{\mu }}(L, P)\).

Keyed linear mode E is actually a linear mode with a part of the input is the masking key and function tuples are also derived by reusing some keyed block functions.

Fig. 3.

The simplified structure of PMAC. The input is \((p_1, \ldots , p_a)\) and the output is \(c_1\).

Example 1

Consider the simple variant of PMAC [8, 45] defined over \(I_n^a\) (see Fig. 3 above). Let \((p_1, \ldots , p_a)\) be the input.

$$1 \le i \le a-1, u_i = p_i \text{ and } u_a = p_a \oplus (\bigoplus _{i=1}^{a-1} v_i).$$

Finally the output is defined as \(c_1 = v_a\). Here \(\ell = a\) and \(b = 1\). There is no masking key, i.e. \(k = 0\) and \(f = a\) (all function-keys are independently chosen). The key-assignment function \(\mu \) is an identity function.

In a single function-key version of PMAC (with independent masking key), we have \(f = 1 = k\). The \(u_i = \alpha ^{i} \cdot L \oplus p_i\) for \( 1 \le i < a\) and \(u_a = p_a \oplus (\bigoplus _{i=1}^{a-1} v_i) \oplus L\). Here the key-assignment function maps all indices to the key-index 1 (as there is only one choice of key).

Affine Domain Extension or ADE [29]. As defined in [29], affine domain extension over \(I_n^a\) is nothing but a \((a, 1, \ell )\)-linear mode keyed function \(\mathbf {E}\) such that the key-space is \(\mathcal {K} = \mathcal {F} \subseteq \mathrm {Func}\), i.e., \(f = 1\) (single function-key) and \(k = 0\) (no masking key). Moreover, the final output is the response of the last oracle call, i.e. \(v_{\ell }\). Like PMAC, the key-assignment function for ADE maps all indices to the key-index 1. One can consider an injective padding rule and sequence of such constructions indexed by a to incorporate variable length inputs. CBC-MAC [5], PMAC [8, 24, 33], TMAC [22], OMAC [18, 27], DAG-based constructions [20] etc. are some examples of ADE.

Length Preserving Linear Encryption Mode. A keyed linear mode E is called length-preserving (LP) encryption if \(E_{\kappa }\) is encryption scheme and \(a = b\). In addition to these, we also assume that its decryption algorithm D is also a keyed linear mode which is indeed true for all known linear encryption modes. We first see an example below.

Example 2

As an example, consider Luby-Rackoff (LR) keyed function with three rounds using two random functions \(\rho _1, \rho _2\), i.e. \(f =2\), \(a = b = 2\) and \(\ell = 3\) (three invocations of the underlying block functions). Consider the key-assignment function \(\pi \) with \(\pi _1 = 1, \pi _2 = 1\) and \(\pi _3 =2\). So the function tuple after applying the key-assignment is \((\rho _1, \rho _1, \rho _2)\). As there is no masking key, we have \(k = 0\). So the key-space is \(\mathrm {Func}^2\). Given \((p_1, p_2) \in I_n^2\) we define

$$\begin{aligned} u_1 := p_1, v_1 = \rho _1(u_1), u_2 = v_1 + p_2, v_2 = \rho _1(u_2), u_3 = v_2 + p_1, v_3 = \rho _2(u_3). \end{aligned}$$

Finally, the output is \((c_1, c_2)\) where \(c_1 := u_3\) and \(c_2 = v_3 + u_2\). This is clearly decryptable. Consider \(u_i\)’s, \(v_i\)’s and \(p_i\)’s as variables. The ciphertext provides two linear functions of these variables, namely \(u_3\) and \(v_3 + u_2\). So \(u_3\) is in the span. As \(u_3\) is in the span, \(v_3\) is also computable. Thus \(u_2\) is in the span of the extended ciphertext including \(v_3\). Again \(v_2\) is computable and hence \(u_1 := p_1\) is in the extended span. Finally, \(p_2\) is in the span after including \(v_1\). So we see that that decryption algorithm is also linear mode (Fig. 4).

Fig. 4.

LR with three round.

Decryption Algorithm of a Keyed Linear Encryption Mode. From the above example, it is clear that the intermediate input outputs for the building blocks would be same if we encrypt and then decrypt as we do in the correctness condition: \(D_{\kappa }(E_{\kappa }(P)) = P\). Informally, if some input-output does not arise in the decryption then either this input-output is redundant in the encryption computation or the correctness condition does not hold (due to randomness of the output which has influence in the encryption but is not used in the decryption). We now describe the details of a length preserving linear encryption mode for which all invocations of block function calls are not redundant.

Definition 4

(Reordering of Vectors). Let \(\alpha := (\alpha _1, \ldots , \alpha _{\ell }) \in \{1, -1\}^{\ell }\), and \(\beta = (\beta _1, \ldots , \beta _{\ell })\) be a permutation over \([1.. \ell ]\). A pair of vectors \((w, z) \in I_n^{2\ell }\) is \((a, \beta )\)-reordering of a pair of vectors \((u, v) \in I_n^{2\ell }\) if

$$\begin{aligned} (w_i, z_i) = {\left\{ \begin{array}{ll} (u_{\beta _i}, v_{\beta _i}) &{} \text{ if } \alpha _i = 1, \\ (v_{\beta _i}, u_{\beta _i}) &{} \text{ if } \alpha _i = -1. \end{array}\right. } \end{aligned}$$

Definition 5

A \((k + a, a, \ell )\)-linear mode E is called linear-mode length-preserving encryption with key-space \(\mathcal {K} := I_n^k \times \mathcal {F}\) and key-assignment \(\pi \) if the corresponding decryption algorithm D is also a \((k + a, a, \ell )\)-linear mode with (1) an inverse assignment-tuple \(\alpha := (\alpha _1, \ldots , \alpha _{\ell }) \in \{1, -1\}^{\ell }\) and (2) key-assignment \(\pi ' := \pi \circ \beta \) where \(\beta = (\beta _1, \ldots , \beta _{\ell })\) is a permutation over \([1.. \ell ]\). Moreover, \(\forall P \in I_n^a, L \in I_n^k, \rho = (\rho _1, \ldots , \rho _f) \in \mathcal {F}\),

$$\begin{aligned} E \cdot \begin{pmatrix} L \\ P\\ v \end{pmatrix} = \begin{pmatrix} u \\ C \end{pmatrix} , \rho _{\pi _1}(u_1) = v_1, \ldots \rho _{\pi _{\ell }}(u_{\ell }) = v_{\ell }~if~and~only~if \end{aligned}$$

$$\begin{aligned} D \cdot \begin{pmatrix} L \\ C \\ z \\ \end{pmatrix} = \begin{pmatrix} w \\ P \end{pmatrix} , \rho _{\pi '_1}^{\alpha _1}(w_1) = z_1, \ldots , \rho _{\pi '_\ell }^{\alpha _\ell }(w_\ell ) = z_\ell \end{aligned}$$

where (w, z) is \((a, \beta )\)-reordering of (u, v).

The above definition implies that correctness condition of an encryption \(D^{\rho _{\pi '}^{\alpha }}(L, E^{\rho }(L, P)) = P\). In addition with the correctness condition, the intermediate inputs and outputs for both encryption and decryption are simply reordered. In Example 2 (given above), we have \(a = b = f =2\), \(\ell = 3\). For the decryption algorithm, we execute the function in the reverse order and so we set \(\beta _1 = 3, \beta _2 = 2, \beta _1 = 3\). So the key-assignment function for the decryption is \(\pi '_1 = 2, \pi '_2 = 2, \pi '_3 =1\). We do not need to apply inverse for the decryption (it is called inverse-free) and so inverse-assignment tuple is \(1^3\). So if \((u_1, v_1), (u_2, v_2)\) and \((u_3, v_3)\) are the intermediate input-output pairs for encryption then \((u_2, v_3), (u_2, v_2)\) and \((u_1, v_1)\) (reordering of the previous pairs) are the intermediate input-output pairs for decryption.

Examples. EME [16], ELmE [11], AEZ [1], CMC [15] (these follow Encrypt-Mix-Encrypt paradigm), Luby-Rackoff with \(a = b = 2\), unbalanced Feistel [17, 48] etc. are some examples of length-preserving linear mode encryptions. HCBC1, HCBC2 [3], Modified-HCBC’s, ELmD [1], MCBC [26], COPE [2] etc. are some examples of online computable length-preserving encryptions based on linear mode.

4 PRP and SPRP Distinguishing Attacks

Consider a length-preserving encryption scheme based on \((k+a, a, \ell )\) linear mode E. Now we show two main results in this section. Namely, we provide PRP and SPRP distinguishing attacks on the encryption scheme if \(\ell \le 2a -2\). and \(\ell \le 2a -1\) respectively. Thus, it gives lower bound on the number of invocations of building blocks for achieving PRP and SPRP security.

4.1 PRP Distinguishing Attack on E with \(\ell = 2a-2\)

Let us assume \(\ell = 2a-2\). The attack can be trivially extended to all those constructions with \(\ell < 2a-2\). We recall that \(E^{\tilde{\rho }}_L(P) = C\) if and only if

$$\begin{aligned} E \cdot \begin{pmatrix} L \\ P \\ v \end{pmatrix} = \begin{pmatrix} u \\ C \end{pmatrix} ,~~ \tilde{\rho }(u) = v. \end{aligned}$$

Distinguisher \(D_{prp}\) against \((k+a, a, 2a-2)\) -Linear mode E.

1. 1.

   step-1 (finding a suitable difference in a pair of plaintext queries): Let \(d \in I_n^a\) be the non-zero solution of \(\textsf {solve}(E[..a-1~;~ k+1..k+a], 0)\), i.e. \(E[..a-1~; k+1..k+a] \cdot d = 0\). Such a non-zero solution exists as the number of columns is more than that of rows (see lemma 1).

2. 2.

   step-2 (make the queries with the difference obtained in step-1): Now the distinguisher makes two queries \(0^a\) and d and obtains corresponding responses \(c = E^{\tilde{\rho }}_L(0)\) and \(c' = E^{\tilde{\rho }}_L(d)\). Let

   $$u_1, v_1, \ldots , u_{2a-2}, v_{2a-2}, \text{ and } u'_1, v'_1, \ldots , u'_{2a-2}, v'_{2a-2}$$

   denote the intermediate inputs outputs for the two queries respectively. By lemma 2, we have \(1 \le i \le a-1\), \(u_i = u'_i, v_i = v'_i\) and

   $$\begin{aligned} \varDelta c = E[2a-1..~;~k+1..(a+k)] \cdot d + E[2a-1..~;~ 2a+k..] \cdot \varDelta v_{a..} \end{aligned}$$

   while it is interacting with the keyed construction.

3. 3.

   step-3 (find a nullifier of unknown intermediate values): As the matrix \(E[2a-1..~;~2a+k..]\) is \(a \times (a-1)\) matrix, we find a non-zero binary vector \(w \in \{0,1\}^{na}\) such that \(w \cdot E[2a-1..~;~ 2a+k..] = 0\). In particular, \(w = \textsf {solve}(E[2a-1..~;~ 2a+k..]^{\mathrm {tr}}, 0)\).

4. 4.

   step-4 (the distinguisher event): If \(w \cdot \varDelta c = w \cdot E[2a-1..~;~k+1..(a+k)] \cdot d\) then it returns 1 (decision for the keyed construction), else returns 0 (decision for uniform random permutation).

The distinguishing advantage of the above distinguisher D is at least 1 / 2 since for a random permutation \(w \cdot \varDelta c = w \cdot E[2a-1..~;~k+1..(a+k)] \cdot d\) with probability 1 / 2 whereas we have seen this holds with probability one for the keyed construction. When \(a = 2\), we know that LR with three rounds is PRP. This shows the bound is tight at least for \(a = 2\).

A Generalized Distinguisher \(D_{prp}^{gen}\) Against \((k+a, a, \ell )\) -Linear Mode E. Now we define a distinguisher against \((k+a, a, \ell )\)-linear mode E assuming certain singularities in the sub-matrices.

Assumption: Suppose there exists an integer t such that

1. 1.

   \(\mathrm {rank}(E[..t~;~..a]) < na\) and

2. 2.

   \(\mathrm {rank}(E[\ell +1..~;~ a+k+t+1..]) < na\).

Note the above assumption always holds for \(t = a-1\) when \(\ell \le 2a-2\). However, if \(\ell \ge 2a-1\), the both conditions not necessarily hold. Whenever the assumptions hold, we have the following similar distinguisher as mentioned before. This distinguisher would be used later on while describing SPRP distinguishers.

Distinguisher \(D_{prp}^{gen}\) Against \((k+a, a, \ell )\) -linear Mode E.

1. 1.

   step-1. Due to the assumptions, we can find d and w such that \(E[..t~;~ ..a]) \cdot d = 0\) and \(w \cdot E[\ell +1..~;~ a+k+t+1..] = 0\).

2. 2.

   step-2. Then we make two queries 0 and d and obtain responses c and \(c'\).

3. 3.

   step-3. The distinguisher returns 1 if \(w \cdot \varDelta c = w \cdot E[\ell +1..~;~k+1..(a+k)] \cdot d\), else 0.

4.2 SPRP Distinguishing Attack on E with \(\ell = 2a-1\)

Now we show that if \(\ell < 2a\) then we have a SPRP distinguisher. In other words, 2a many invocations is minimum to achieve SPRP and which is tight as it is achieved in CMC. The basic intuition of our attack is similar to that of XLS. However, to complete the attack for any linear-mode encryption we need to carefully set the queries and distinguishing event. Consider a length-preserving \((k,a,2a-1)\)-encryption scheme based on \((k+a, a, 2a-1)\)-linear mode E. Let us denote the \((k+a, a, 2a-1)\)-linear mode for its decryption by D. We describe three distinguishers depending on cases.

Case 1: Rank( E [2 a.. ; 2 a + k.. ]) \(<\) na. In this case, the two assumptions, mentioned above, hold for \(t = a-1\). So we can run the PRP-distinguisher \(D_{prp}^{gen}\).

Case 2: Rank( D [ ..a ; k + 1 ..k + a ]) \(<\) na. In this case, the two assumptions also hold for \(t = a\) for the decryption function. So we run our general PRP distinguisher \(D_{prp}^{gen}\) applied to the decryption function.

Case 3: Rank( D [ ..a ; k + 1 ..k + a ]) = na, rank( E [2 a.. ; 2 a + k.. ]) = na.

Here we describe a SPRP distinguisher. Briefly, it works as follows. It first makes two queries as in step-2 (the first \(a-1\) intermediate input and outputs are identical for two encryption queries). Using the invertible property we can actually obtain all the differences of intermediate values. As the computation of decryption algorithm must use same internal input and outputs of the building blocks, we also know the differences of intermediate inputs and outputs if we decrypt the first two encryption queries. Now we find another decryption query for which the first a intermediate input and output differences with one of the first two queries are fixed. So we can nullify the unknown \(a-1\) differences and obtain a distinguishing event. The details are described below.

Distinguisher \(D_{sprp}\) Against \((k+a, a, 2a-1)\) -Linear Mode E.

1. 1.

   step-1 (make two queries with a certain difference, same as PRP distinguisher): Let \(d \in I_n^a\) be the non-zero solution of \(\textsf {solve}(E[..a-1~;~k+1..k+a], 0)\), i.e. \(E[..a-1~;~ k+1..k+a] \cdot d = 0\). It makes two queries \(0^a\) and d and obtains corresponding responses \(c = E^{\tilde{\rho }}_L(0)\) and \(c' = E^{\tilde{\rho }}_L(d)\). Let \(u_1, v_1, \ldots , u_{2a-1}, v_{2a-1}\) and \(u'_1, v'_1, \ldots , u'_{2a-1}, v'_{2a-1}\) denote the intermediate inputs outputs for the two queries respectively. By lemm 3, we have \(1 \le i \le a-1\), \(u_i = u'_i, v_i = v'_i\) and

   $$\begin{aligned} \varDelta c = E[2a-1..~;~k+1..(a+k)] \cdot d + E[2a..~;~ 2a+k..] \cdot \varDelta v_{a..} \end{aligned}$$

   while it is interacting with the keyed construction.

2. 2.

   step-2 (solve for \(\varDelta u\), \(\varDelta v\)): Using the invertible property of \(E[2a..~;~ 2a+k..]\), we can actually solve \(\varDelta v_{a..}\) and hence \(\varDelta u_{a..}\). Thus, we know \(\varDelta u\) and \(\varDelta v\). Suppose we make two (redundant) decryption queries c and \(c'\) (whose responses must be 0 and d) and let \(w_1, z_1, \ldots , w_{2a-1}, z_{2a-1}\) and \(w'_1, z'_1, \ldots , w'_{2a-1}, z'_{2a-1}\) denote the intermediate inputs outputs for the two queries respectively. Then by the definition of decryption algorithm we also know \(\varDelta w\), \(\varDelta z\) which are nothing but \((\beta , \pi )\)-reordering of \((\varDelta u, \varDelta v)\).

3. 3.

   step-3 (find a difference for the final decryption query): Now we find a difference \(d'\) such that

   $$D[..a~;~k+1..k+a+1] \cdot {d' \atopwithdelims ()\varDelta z_1} = {\varDelta w_1 \atopwithdelims ()0^{a-1}}.$$

   We can solve for a non-zero \(d'\). This can be solved assuming that \(\varDelta w_1\ne 0\) (see the remark below). Note that the matrix \(D[..a~;~k+1..k+a]\) is invertible. Now we make two decryption queries \(\bar{c}\) and \(\bar{c}' = \bar{c} + d'\). While we set two queries we should ensure that none of these have been obtained in the first two encryption queries (these are also called non-pointless or non-trivial queries). Let \(\bar{w}_1, \bar{z}_1, \ldots , \bar{w}_{2a-1}, \bar{z}_{2a-1}\) \(\bar{w}'_1, \bar{z}'_1, \ldots , \bar{w}'_{2a-1}, \bar{z}'_{2a-1}\) denote the intermediate inputs outputs for these two queries respectively and let \(\bar{p}\) and \(\bar{p}'\) denote the corresponding responses. By choice of \(d'\) we know that \(\bar{z}_{1} = \bar{z}'_1\) and \(\varDelta \bar{z}_{2..a} = 0^{a-1}\).

4. 4.

   step-4 (find a nullifier of unknown intermediate values, same as PRP distinguisher): As \(D[2a..~;~2a+k..]\) is \(a \times (a-1)\) matrix, we find a non-zero binary vector \(w \in \{0,1\}^{nb}\) such that \(w \cdot D[2a-1.., 2a+k..] = 0\).

5. 5.

   step-5 (the distinguisher event): If \(w \cdot (\bar{p} \oplus \bar{p}') = w \cdot D[2a-1..~;~k+1..(a+k)] \cdot d'\) then it returns 1 (decision for the keyed construction), else returns 0 (decision for uniform random permutation).

Remark 1

In the above attack we assume that \(\varDelta w_1 \ne 0\) since otherwise we do not get a non-zero \(d'\). Note that \(\varDelta w_1\) can be written as a function of c and \(c'\). So for a random permutation, a function of c and \(c'\) become zero has low probability. So we may assume that the \(\varDelta w_1 \ne 0\).

5 Security Analysis of Inverse-Free Single Key Construction

5.1 PRP Attack of Single-Key Inverse-Free Constructions Without Masking

In the last section, we have seen that to obtain PRP, we need at least \(2a-1\) invocations and this is tight as three rounds of LR achieves this bound. Note that the three calls of the building block can not have same key. In [28], it is also shown that three rounds of LR-type rounds with same key building block can not be PRP. However, their result is applicable to a specific form of encryption schemes. Now, we generalize this result and show that any inverse-free single function-key (and no masking key) PRP requires at least 2a calls. In [28], there is a construction of inverse-free SPRP over two blocks invoking underlying function (single keyed) four times. So the bound is tight. Interestingly, the cost of PRP and SPRP become same when we want inverse-free single function-key constructions.

Consider a length-preserving encryption scheme based on \((a, a, 2a-1)\)-linear mode E. Let us denote the \((a, a, 2a-1)\)-linear mode for its decryption by D. Since it is inverse-free the inverse-assignment for the decryption is \(\beta = (1, 1, \ldots , 1)\). As it is based on single function-key, the key-assignment is a constant function, i.e., \(\pi _i = \pi '_i =1\). However, there exists a permutation \(\beta \) over \([1..2a-1]\). such that w and z are \(\pi \)-reordering of u and v respectively where u, v denote the intermediate input and output, respectively for \(E^{\rho }(P) = C\) and similarly w, z for \(D^{\rho }(C) = P\). We first briefly describe how we can construct a PRP-distinguisher (as like SPRP). The attack is similar to SPRP but we can not make decryption queries. We see how we can manage even if we are not allowed to make decryption queries.

We make two encryption queries such that \(\varDelta _{a-1} u = \varDelta _{a-1} v = 0^{a-1}\). This is possible as we have a many plaintext blocks. Assuming some invertible property, we can find out the whole differences \(\varDelta u\) and \(\varDelta v\) for these two queries. For these two queries, if we look at the decryption computation then the first inputs, say \(w_1, w'_1\) and their corresponding output differences \(\varDelta z_1\) (not the exact outputs) for both decryption are known (as there is no masking key). So now we make two encryption queries with the the following restrictions on intermediate values \(\overline{u}, \overline{v}, \overline{u}'\) and \(\overline{v}'\): \(\overline{u}_1 = w_1, \overline{u}'_1 = w'_1\), \(\varDelta _{2..a}\overline{u} = \varDelta _{2..a}\overline{u}'\), \(\varDelta _{2..a}\overline{v} = \varDelta _{2..a}\overline{v}'\). As we have obtained differences for the first a inputs in a determined manner, we can nullify the remaining \(a-1\) intermediate differences and obtain a distinguishing event. The more details of the attack is given below depending on different cases. Note that the matrix \(E \in \mathbb {M}_n(3a-1, 3a-1)\).

Distinguisher \(D_{prp}\) Against \((a, a, 2a-1)\) -Linear-Mode E (with Corresponding Decryption Mode D.

Case 1: Rank( E [2 a.. ; 2 a.. ]) \(<\) na. In this case, the two assumptions, mentioned before, hold for \(t = a-1\). So we have our general PRP distinguisher.

Case 2: Rank( E [1.. a ; ..a ]) \(<\) na. In this case, the two assumptions also hold for \(t = a\). So we have our general PRP distinguisher.

Case 3: Rank( E [1.. a ; ..a ]) \(=\) na., rank( E [2 a.. ; 2 a.. ]) \(=\) na. Here we describe a PRP distinguisher which works similar to SPRP distinguisher and as described above.

1. 1.

   step-1 (make two queries with a certain difference, same as PRP distinguisher): Let \(d \in I_n^a\) be the non-zero solution of \(\textsf {solve}(E[..a-1~;~ ..a], 0)\), i.e. \(E[..a-1~;~ ..a] \cdot d = 0\). It makes two queries \(0^a\) and d and obtains corresponding responses \(c = E^{\rho }(0)\) and \(c' = E^{\rho }(d)\). Let \(u_1, v_1, \ldots , u_{2a-1}, v_{2a-1}\) and \(u'_1, v'_1, \ldots , u'_{2a-1}, v'_{2a-1}\) denote the intermediate inputs outputs for the two queries respectively. By lemma 3, we have \(1 \le i \le a-1\), \(u_i = u'_i, v_i = v'_i\) and

   $$\begin{aligned} \varDelta c = E[2a..~;~..a] \cdot d + E[2a..~;~ 2a..] \cdot \varDelta v_{a..} \end{aligned}$$

   while it is interacting with the keyed construction.

2. 2.

   step-2 (solve for \(\varDelta u\), \(\varDelta v\)): Using the invertible property of E[2a.. ;   2a..], we can actually solve \(\varDelta v_{a..}\) and hence \(\varDelta u_{a..}\). Thus, we know \(\varDelta u\) and \(\varDelta v\). Now note that the first input of decryption D is only based on c and \(c'\). Let \(\beta \) be the permutation corresponding to the reordering of intermediate input outputs for decryption. So the values of \(u_{\beta _1}\) and \(u'_{\beta _1}\) are known (as they depend only on c and \(c'\) due to no masking keys and inverse-free property). Moreover, we know \(\varDelta v_{\beta _1}\). Here we assume the difference \(\varDelta u_{\beta _1}\) is non-zero, otherwise, we can have a different distinguishing event as zero difference can occur with low probability for random permutation.

3. 3.

   step-3 (find a difference for two more encryption queries): Now we find a solution p and \(p'\) such that

   $$ \begin{pmatrix} E[1,*] &{} \mathbf {0} \\ \mathbf {0} &{} E[1,*] \\ E[2..a,*] &{} E[2..a, *] \end{pmatrix} \cdot \begin{pmatrix} p \\ p' \end{pmatrix} = \begin{pmatrix} u_{\beta _1} \\ u'_{\beta _1} \\ \mathbf {0} \end{pmatrix} . $$

   This can be solved as it has full column rank (see Lemma 2). Now we make two encryption queries p and \(p'\) and obtain outputs \(\overline{c}\) and \(\overline{c}'\). Let \(\overline{u}, \overline{v}, \overline{u}'\) and \(\overline{v}'\) be the intermediate inputs and outputs for these two queries respectively. So \(\overline{u}_1 = u_{\beta _1}, \overline{u}'_1 = u'_{\beta _1}\), \(\varDelta \overline{v}_1 = \varDelta v_{\beta _1}\) and \(\varDelta _{2..a}\overline{u} = \varDelta _{2..a}\overline{v} = 0^{a-1}\). Thus, the a block output difference \(\varDelta \overline{c}\) depends only on the \(a-1\) blocks of the intermediate output difference \(\varDelta \overline{v}_{a+1..}\).

4. 4.

   step-4 (find a nullifier of unknown intermediate values, same as PRP distinguisher): As \(E[2a..~;~ 2a+1..]\) is \(a \times (a-1)\) matrix, we find a non-zero binary vector \(w \in \{0,1\}^{nb}\) such that \(w \cdot E[2a.., 2a+1..] = 0\).

5. 5.

   step-5 (the distinguisher event): If \(w \cdot (p \oplus d) = w \cdot D[2a..~;~..a] \cdot d'\) then it returns 1 (decision for the keyed construction), else returns 0 (decision for uniform random permutation).

5.2 PRP Security of Single-Key Luby-Rackoff with Masking

Define one round Luby-Rackoff \(\textsf {LR}^f(a, b) = (b \oplus f(a), a)\) where \(a, b \in I_n\) and \(f \in \mathrm {Func}(a, a)\). In [28] it was shown that three rounds of some variants LR rounds with single function key is not PRP secure. In last section we have also generalized and showed that any encryption making three calls over two blocks input with key space \(\mathcal {K} = \mathcal {F} = \mathrm {Func}(a)\) is not PRP secure. However, we now show that a simple variant of LR with a masking key becomes PRP secure.

Definition 6

For any \(f \in \mathrm {Func}(a)\), \(L \in I_n\), we define (see the Fig. 5 below)

$$\textsf {LR}^{f,3}_L(a, b) = \textsf {LR}^{f}(\textsf {LR}^{f}(\textsf {LR}^{f}(a + L, b))).$$

Fig. 5.

LR-three rounds single function-key and one masking key.

Now we show that the above construction with key-space \(\mathcal {K} = I_n \times \mathrm {Func}\) is PRP. Note that we have constant key-assignment (i.e., we reuse the PRF for all invocations) and also inverse assignment tuple is \(1^3\). Let f denote the uniform random function on \(I_n\). Given a tuple of elements \(c = (c_1, \ldots , c_t)\) we say that the event \(\textsf {coll}(c)\) holds if there exists \(i \ne j\) such that \(c_i = c_j\). We define

$$\begin{aligned} \mathcal {V}_{bad} = \{((a_1, b_1, c_1, d_1), \ldots (a_q, b_q, c_q, d_q)) \in I_n^{4q}: \textsf {coll}(c)\}. \end{aligned}$$

It is easy to see that for random function \(\varGamma _2\) and a q-algorithm \(\mathcal {A}\),

$$\textsf {Pr}[\tau (\mathcal {A}^{\varGamma _2}) \in \mathcal {V}_{bad}] \le {q \atopwithdelims ()2} 2^{-n}.$$

Now we show the high interpolation probability of the variant of 3 round LR construction.

Proposition 1

For all \(\tau = ((a_1, b_1, c_1, d_1), \ldots (a_q, b_q, c_q, d_q)) \not \in \mathcal {V}_{bad}\), we have

$$\begin{aligned} \textsf {Pr}[\tau ] := \textsf {Pr}[\textsf {LR}^{f,3}_L(a_i, b_i) = (c_i, d_i), 1 \le i \le q] \ge (1 - \epsilon ) 2^{-2nq} \end{aligned}$$

where \(\epsilon = \frac{7q^2}{2^{n+1}}\).

Proof

We say that a tuple \((L_0, (x_i)_{1 \le i \le q})\) is admissible if

1. 1.

   \(L_0 \not \in \{a_i + c_j; 1 \le i, j \le q \} \cup \{a_i + x_j; 1 \le i , j \le q\}\),

2. 2.

   \(x_i\)’s are distinct and \(x_i \ne c_j\), \(1 \le i, j \le q\) and

3. 3.

   whenever \(a_i = a_j\), we have \(x_i + x_j = b_i + b_j\).

Let \(\mathcal {A}\) denote the set of admissible tuples. Let \(q_1\) be the number of distinct \(a_i\)’s. The number of \((L_0, x = (x_1, \ldots , x_q))\), denoted \(N_{1,3}\), satisfying only (1) and (3) is at least \((2^n - 2q^2)\times 2^{nq_1}\). So the number of admissible tuple is at least

$$(2^n - 2q^2)\times 2^{nq_1} - (2^n - 2q^2) \times 2^{n(q_1-1)} 3q^2/2.$$

We mainly subtract the number of tuples satisfying (1) and (3) and not satisfying (2) from \(N_{1,3}\). So the number of admissible tuple is at least \(2^{n(q_1+1)}(1 - \epsilon )\) where \(\epsilon = \frac{7q^2}{2^{n+1}}\).

Now, for any \(\tau = ((a_1, b_1, c_1, d_1), \ldots (a_q, b_q, c_q, d_q)) \not \in \mathcal {V}_{bad}\) we have

$$\textsf {Pr}[\tau ] \ge \sum _{(L_0, x) \in \mathcal {A}} \textsf {Pr}[\tau , X_i = x_i, L = L_0] = \sum _{(L_0, x) \in \mathcal {A}} 2^{-n(q_1+2q+1)}.$$

By using the lower bound of the number of admissible tuples we have

$$\begin{aligned} \textsf {Pr}[\textsf {LR}^{f,3}_L(a_i, b_i) = (c_i, d_i), 1 \le i \le q] \ge (1 - \frac{7q^2}{2^{n+1}}) 2^{-2nq}. \end{aligned}$$

   \(\square \)

Theorem 2

For any q-adversary, the PRP advantage \(\mathbf {Adv}_{\textsf {LR}^{f,3}_L}^{\mathrm {prp}}\) against \(\textsf {LR}^{f,3}_L\) is at most \(\frac{4q^2}{2^{n}}\).

Proof

Armed with the above result and using Coefficient-H technique the theorem follows.   \(\square \)

6 Conclusion

In this paper, we justify formally why we do not have any length-preserving PRP constructions more efficient than LR three rounds and length-preserving SPRP constructions more efficient than CMC or four round LR (in terms of the number of building block calls). We note that this optimality holds for all linear modes. We show that any such linear mode based constructions over \(\ell \) blocks requires at leat \(2\ell -1\) blockcipher calls against chosen plaintext adversaries and at least \(2\ell \) blockcipher calls against chosen plaintext-ciphertext adversaries. This bounds are clearly tight as we know some constructions achieving the bound. Then we look into inverse-free single-key PRP constructions. Nandi has shown that three blockcipher call is no longer sufficient for LR-type constructions over two blocks (note that three call is sufficient using two independent PRF). We extend this result and show that any \(\ell \)-block single-key inverse-free PRP must require \(2\ell \) calls like SPRP constructions. However, if we are allowed to use one masking key then we can have inverse-free PRP construction invoking only three blockcipher calls. We actually show that the three round LR using same keyed PRF is PRP if we mask a plaintext block by a masking key.