Substitution-Permutation Networks, Pseudorandom Functions, and Natural Proofs

Part of the Lecture Notes in Computer Science book series (LNCS, volume 7417)


This paper takes a new step towards closing the troubling gap between pseudorandom functions (PRF) and their popular, bounded-input-length counterparts such as block ciphers. This gap is both quantitative, because these counterparts are more efficient than PRF in various ways, and methodological, because these counterparts usually fit in the substitution-permutation network (SPN) paradigm, which has not previously been used to construct PRF.

We give several candidate PRF \(\mathcal {F}_i\) that are inspired by the SPN paradigm. In this paradigm each round applies a layer of small “substitution functions” (S-boxes) to the state, followed by a linear diffusion layer. Our main candidates are:

\(\mathcal {F}_1 : \{0, 1\}^n \rightarrow \{0, 1\}^n\) is an SPN whose S-box is a random function on b bits given as part of the seed. We prove unconditionally that \(\mathcal {F}_1\) resists attacks that run in time \(\le 2^{\epsilon b}\). Setting \(b = \omega (\lg n)\) we obtain an inefficient PRF, which however seems to be the first such construction using the SPN paradigm.

\(\mathcal {F}_2 : \{0, 1\}^n \rightarrow \{0, 1\}^n\) is an SPN where the S-box is (patched) field inversion, a common choice in practical constructions. \(\mathcal {F}_2\) is computable with Boolean circuits of size \(n \cdot \log ^{O(1)} n\), and in particular with seed length \(n \cdot \log ^{O(1)} n\). We prove that this candidate has exponential security \(2^{\Omega (n)}\) against linear and differential cryptanalysis.

\(\mathcal {F}_3 : \{0, 1\}^n \rightarrow \{0, 1\}\) is a non-standard variant on the SPN paradigm, where “states” grow in length. \(\mathcal {F}_3\) is computable with size \(n^{1+\epsilon }\), for any \(\epsilon > 0\), in the restricted circuit class \(\mathrm {TC}^0\) of constant-depth circuits with unbounded fan-in majority gates. We prove that \(\mathcal {F}_3\) is almost 3-wise independent.

\(\mathcal {F}_4 : \{0, 1\}^n \rightarrow \{0, 1\}\) uses an extreme setting of the SPN parameters (one round, one S-box, no diffusion matrix). The S-box is again (patched) field inversion. We prove that this candidate fools all parity tests that look at \(\le 2^{0.9n}\) outputs.
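The following is an added illustration, not code from the paper: one round of a toy SPN whose S-box is patched field inversion (the S-box of \(\mathcal {F}_2\) and \(\mathcal {F}_4\)), together with the two S-box measurements that resistance to differential and linear cryptanalysis rests on, namely the differential uniformity (Nyberg) and the maximum linear bias (Matsui). All concrete parameters are assumptions chosen for illustration: the field is \(\mathrm{GF}(2^8)\) with the AES reduction polynomial, the state is four bytes, and the diffusion layer is the AES MixColumns matrix; the paper's candidates use other field sizes and diffusion matrices.

```python
"""Toy SPN round with a patched-inversion S-box, plus S-box checks.

Added illustration, not the paper's construction. Assumed parameters:
GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1, a 4-byte state,
and the AES MixColumns matrix as diffusion layer.
"""
from typing import List

POLY = 0x11B   # AES reduction polynomial (assumption)
N = 256        # field size 2^8


def gf_mul(a: int, b: int) -> int:
    """Multiply two elements of GF(2^8) modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Patched inversion: 0 maps to 0, any other a maps to a^(2^8-2) = a^-1."""
    if a == 0:
        return 0
    r, e = 1, N - 2
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


SBOX: List[int] = [gf_inv(x) for x in range(N)]

# Circulant MDS matrix of AES MixColumns (assumption); branch number 5.
MDS = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]


def mix(state: List[int]) -> List[int]:
    """Diffusion layer: multiply the 4-byte state by MDS over GF(2^8)."""
    out = []
    for row in MDS:
        acc = 0
        for coef, x in zip(row, state):
            acc ^= gf_mul(coef, x)
        out.append(acc)
    return out


def spn_round(state: List[int], round_key: List[int]) -> List[int]:
    """One SPN round: key addition, S-box layer, diffusion layer."""
    return mix([SBOX[x ^ k] for x, k in zip(state, round_key)])


def spn_encrypt(block: List[int], round_keys: List[List[int]]) -> List[int]:
    state = list(block)
    for rk in round_keys:
        state = spn_round(state, rk)
    return state


def differential_uniformity(sbox: List[int]) -> int:
    """Largest count of x with S(x) ^ S(x ^ dx) = dy over nonzero dx."""
    n = len(sbox)
    worst = 0
    for dx in range(1, n):
        counts = [0] * n
        for x in range(n):
            counts[sbox[x] ^ sbox[x ^ dx]] += 1
        worst = max(worst, max(counts))
    return worst


def _parity(v: int) -> int:
    return bin(v).count("1") & 1


def _fwht(v: List[int]) -> List[int]:
    """Walsh-Hadamard transform of a length-2^k integer vector."""
    v = list(v)
    h = 1
    while h < len(v):
        for i in range(0, len(v), 2 * h):
            for j in range(i, i + h):
                x, y = v[j], v[j + h]
                v[j], v[j + h] = x + y, x - y
        h *= 2
    return v


def max_linear_bias(sbox: List[int]) -> int:
    """Largest |#{x : <a,x> = <b,S(x)>} - n/2| over nonzero masks a, b."""
    n = len(sbox)
    worst = 0
    for b in range(1, n):
        signs = [1 - 2 * _parity(b & sbox[x]) for x in range(n)]
        w = _fwht(signs)  # w[a] = sum_x (-1)^(<a,x> + <b,S(x)>)
        worst = max(worst, max(abs(w[a]) for a in range(1, n)))
    return worst // 2     # |w| = 2 * |agreements - n/2|


def active_output_bytes(delta: int, pos: int) -> int:
    """Nonzero output-byte differences after one round, one active input byte."""
    x0 = [0, 0, 0, 0]
    x1 = list(x0)
    x1[pos] = delta
    y0 = spn_round(x0, [0] * 4)
    y1 = spn_round(x1, [0] * 4)
    return sum(1 for a, b in zip(y0, y1) if a != b)


if __name__ == "__main__":
    print("differential uniformity:", differential_uniformity(SBOX))   # 4
    print("max linear bias:", max_linear_bias(SBOX))                    # 16
    print("active bytes after one round:", active_output_bytes(1, 2))   # 4
```

Differential uniformity 4 means every nonzero input difference maps to any given output difference with probability at most \(4/256 = 2^{-6}\); a bias of 16 means every nonzero linear approximation holds with probability \(1/2 \pm 2^{-4}\) at most. Combined with the branch number of the diffusion layer, these two numbers are the quantities that bound the probability of any differential or linear trail through many rounds, which is the kind of bound the paper proves for \(\mathcal {F}_2\).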

Assuming the security of our candidates, our work also narrows the gap between the “Natural Proofs barrier” [Razborov & Rudich; JCSS ’97] and existing lower bounds, in three models: unbounded-depth circuits, \(\mathrm {TC}^0\) circuits, and Turing machines. In particular, the efficiency of the circuits computing \(\mathcal {F}_3\) is related to a result by Allender and Koucký [JACM ’10] who show that a lower bound for such circuits would imply a lower bound for \(\mathrm {TC}^0\).




1. Aaronson, S., Wigderson, A.: Algebrization: a new barrier in complexity theory. In: 40th ACM Symp. on the Theory of Computing, STOC, pp. 731–740 (2008)
2. Allender, E., Koucký, M.: Amplifying lower bounds by means of self-reducibility. J. of the ACM 57(3) (2010)
3. Alon, N., Goldreich, O., Håstad, J., Peralta, R.: Simple constructions of almost \(k\)-wise independent random variables. Random Structures & Algorithms 3(3), 289–304 (1992)
4. Baker, T., Gill, J., Solovay, R.: Relativizations of the P=?NP question. SIAM J. Comput. 4(4), 431–442 (1975)
5. Bazzi, L.M.J.: Polylogarithmic independence can fool DNF formulas. SIAM J. Comput. 38(6), 2220–2272 (2009)
6. Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. Journal of Cryptology 4(1), 3–72 (1991)
7. Braverman, M.: Poly-logarithmic independence fools \(AC^0\) circuits. In: 24th IEEE Conf. on Computational Complexity, CCC. IEEE (2009)
8. Brodsky, A., Hoory, S.: Simple permutations mix even better. Random Struct. Algorithms 32(3), 274–289 (2008)
9. Cho, H.-S., Sung, S.H., Kwon, D., Lee, J.-K., Song, J.H., Lim, J.: New Method for Bounding the Maximum Differential Probability for SPNs and ARIA. In: Park, C., Chee, S. (eds.) ICISC 2004. LNCS, vol. 3506, pp. 21–32. Springer, Heidelberg (2005)
10. Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Springer (2002)
11. Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. J. Cryptology 10(3), 151–162 (1997)
12. Gao, S., von zur Gathen, J., Panario, D., Shoup, V.: Algorithms for exponentiation in finite fields. J. Symb. Comput. 29(6), 879–889 (2000)
13. Gauravaram, P., Knudsen, L.R., Matusiewicz, K., Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.S.: Grøstl: a SHA-3 candidate (2011)
14. Gentry, C., Ramzan, Z.: Eliminating Random Permutation Oracles in the Even-Mansour Cipher. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 32–47. Springer, Heidelberg (2004)
15. Gerasoulis, A.: A fast algorithm for the multiplication of generalized Hilbert matrices with vectors. Mathematics of Computation 50, 179–188 (1988)
16. Goldreich, O.: Foundations of Cryptography: Volume 1, Basic Tools. Cambridge University Press (2001)
17. Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. of the ACM 33(4), 792–807 (1986)
18. Goldreich, O., Levin, L.: A hard-core predicate for all one-way functions. In: 21st ACM Symp. on the Theory of Computing, STOC, pp. 25–32 (1989)
19. Gowers, W.: An almost \(m\)-wise independent random permutation of the cube. Combinatorics, Probability and Computing 5(2), 119–130 (1996)
20. Haitner, I., Reingold, O., Vadhan, S.P.: Efficiency improvements in constructing pseudorandom generators from one-way functions. In: 42nd ACM Symp. on the Theory of Computing, STOC, pp. 437–446 (2010)
21. Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)
22. Healy, A., Viola, E.: Constant-Depth Circuits for Arithmetic in Finite Fields of Characteristic Two. In: Durand, B., Thomas, W. (eds.) STACS 2006. LNCS, vol. 3884, pp. 672–683. Springer, Heidelberg (2006)
23. Hesse, W., Allender, E., Barrington, D.A.M.: Uniform constant-depth threshold circuits for division and iterated multiplication. J. Comput. System Sci. 65(4), 695–716 (2002); Special issue on complexity, 2001 (Chicago, IL)
24. Hoory, S., Magen, A., Myers, S., Rackoff, C.: Simple permutations mix well. Theor. Comput. Sci. 348(2-3), 251–261 (2005)
25. Jakobsen, T., Knudsen, L.: Attacks on block ciphers of low algebraic degree. Journal of Cryptology 14, 197–210 (2001)
26. Kang, J.S., Hong, S., Lee, S., Yi, O., Park, C., Lim, J.: Practical and provable security against differential and linear cryptanalysis for substitution-permutation networks. ETRI Journal 23(4), 158–167 (2001)
27. Keliher, L., Meijer, H., Tavares, S.: New Method for Upper Bounding the Maximum Average Linear Hull Probability for SPNs. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 420–436. Springer, Heidelberg (2001)
28. Knudsen, L.R.: Truncated and Higher Order Differentials. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1995)
29. Kopparty, S.: On the complexity of powering in finite fields. In: ACM Symp. on the Theory of Computing, STOC (2011)
30. Kushilevitz, E., Nisan, N.: Communication complexity. Cambridge University Press (1997)
31. Luby, M., Rackoff, C.: How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Comput. 17(2), 373–386 (1988)
32. Matsui, M.: Linear Cryptanalysis Method for DES Cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994)
33. Naor, J., Naor, M.: Small-bias probability spaces: efficient constructions and applications. SIAM J. Comput. 22(4), 838–856 (1993)
34. Naor, M., Reingold, O.: On the construction of pseudorandom permutations: Luby-Rackoff revisited. J. Cryptology 12(1), 29–66 (1999)
35. Naor, M., Reingold, O.: Number-theoretic constructions of efficient pseudo-random functions. J. of the ACM 51(2), 231–262 (2004)
36. Nyberg, K.: Differentially Uniform Mappings for Cryptography. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 55–64. Springer, Heidelberg (1994)
37. Pieprzyk, J.: On bent permutations. In: Proceedings of the International Conference on Finite Fields, Coding Theory, and Advances in Communications and Computing, Las Vegas (August 1991)
38. Ramzan, Z., Reyzin, L.: On the Round Security of Symmetric-Key Cryptographic Primitives. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 376–393. Springer, Heidelberg (2000)
39. Razborov, A., Rudich, S.: Natural proofs. J. of Computer and System Sciences 55(1), 24–35 (1997)
40. Razborov, A.A.: A simple proof of Bazzi’s theorem. ACM Transactions on Computation Theory (TOCT) 1(1) (2009)
41. Roth, R.M., Seroussi, G.: On generator matrices of MDS codes. IEEE Transactions on Information Theory 31, 826–830 (1985)
42. Shannon, C.: Communication theory of secrecy systems. Bell Systems Technical Journal 28(4), 656–715 (1949)
43. Vadhan, S.P., Zheng, C.J.: Characterizing pseudoentropy and simplifying pseudorandom generator constructions. In: ACM Symp. on the Theory of Computing, STOC (2012)
44. Williams, R.: Non-uniform ACC lower bounds. In: IEEE Conf. on Computational Complexity, CCC (2011)
45. Wu, H.: The hash function JH (2011)

Copyright information

© International Association for Cryptologic Research 2012

Authors and Affiliations

Northeastern University, Boston, USA
