Substitution-Permutation Networks, Pseudorandom Functions, and Natural Proofs

Part of the Lecture Notes in Computer Science book series (LNCS, volume 7417)


This paper takes a new step towards closing the troubling gap between pseudorandom functions (PRF) and their popular, bounded-input-length counterparts. This gap is both quantitative, because these counterparts are more efficient than PRF in various ways, and methodological, because these counterparts usually fit in the substitution-permutation network paradigm (SPN) which has not been used to construct PRF.

We give several candidate PRF \(\mathcal {F}_i\) that are inspired by the SPN paradigm. This paradigm involves a “substitution function” (S-box). Our main candidates are:

\(\mathcal {F}_1 : \{0, 1\}^n \rightarrow \{0, 1\}^n\) is an SPN whose S-box is a random function on b bits given as part of the seed. We prove unconditionally that \(\mathcal {F}_1\) resists attacks that run in time \(\le 2^{\epsilon b}\). Setting \(b = \omega (\lg n)\) we obtain an inefficient PRF, which however seems to be the first such construction using the SPN paradigm.

\(\mathcal {F}_2 : \{0, 1\}^n \rightarrow \{0, 1\}^n\) is an SPN where the S-box is (patched) field inversion, a common choice in practical constructions. \(\mathcal {F}_2\) is computable with Boolean circuits of size \(n \cdot \log ^{O(1)} n\), and in particular with seed length \(n \cdot \log ^{O(1)} n\). We prove that this candidate has exponential security \(2^{\Omega (n)}\) against linear and differential cryptanalysis.

\(\mathcal {F}_3 : \{0, 1\}^n \rightarrow \{0, 1\}\) is a non-standard variant on the SPN paradigm, where “states” grow in length. \(\mathcal {F}_3\) is computable with size \(n^{1+\epsilon }\), for any \(\epsilon > 0\), in the restricted circuit class \(\mathrm {TC}^0\) of unbounded fan-in majority circuits of constant-depth. We prove that \(\mathcal {F}_3\) is almost 3-wise independent.

\(\mathcal {F}_4 : \{0, 1\}^n \rightarrow \{0, 1\}\) uses an extreme setting of the SPN parameters (one round, one S-box, no diffusion matrix). The S-box is again (patched) field inversion. We prove that this candidate fools all parity tests that look at \(\le 2^{0.9n}\) outputs.
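
As an added example (not from the paper), the following Python builds the "patched field inversion" S-box that \(\mathcal {F}_2\) and \(\mathcal {F}_4\) use, here over GF(2^8), measures its differential uniformity (the per-S-box quantity that a bound on differential cryptanalysis rests on) and runs one SPN round on a byte-string state. The field polynomial, b = 8, the round layout and the toy diffusion layer are assumptions; the paper's own parameters are not given on this page.

```python
B = 8           # S-box width in bits (assumption: the paper's b is a parameter)
POLY = 0x11B    # GF(2^8) modulus x^8+x^4+x^3+x+1 (constructed choice, the AES field)


def gf_mul(a: int, b: int) -> int:
    """Multiply two GF(2^B) elements, reducing modulo POLY bit by bit."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & (1 << B):
            a ^= POLY
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Patched field inversion: 0 -> 0, otherwise a^(2^B - 2) = a^(-1)."""
    if a == 0:
        return 0
    r, e = 1, (1 << B) - 2
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


SBOX = [gf_inv(x) for x in range(1 << B)]   # the S-box as a lookup table


def differential_uniformity(sbox) -> int:
    """Largest DDT entry: max over input diff a != 0 and output diff c of
    #{x : S(x ^ a) ^ S(x) = c}. Divided by 2^B this is the best single-S-box
    differential probability, the quantity bounded in differential cryptanalysis."""
    n, best = len(sbox), 0
    for a in range(1, n):
        counts = [0] * n
        for x in range(n):
            counts[sbox[x ^ a] ^ sbox[x]] += 1
        best = max(best, max(counts))
    return best


def spn_round(state: bytes, round_key: bytes, sbox=SBOX) -> bytes:
    """One SPN round on an n = 8*len(state) bit state: key XOR, S-box on each
    byte, then a toy invertible linear layer out[i] = s[i] ^ s[i+1] (constructed;
    the paper's diffusion matrix is not shown on this page)."""
    s = [sbox[x ^ k] for x, k in zip(state, round_key)]
    m = len(s)
    return bytes(s[i] ^ (s[i + 1] if i + 1 < m else 0) for i in range(m))
```

For b = 8 the patched inverse is differentially 4-uniform, so no single input difference reaches any output difference with probability above 4/256; a random seeded S-box as in \(\mathcal {F}_1\) can be dropped into `spn_round` through the `sbox` argument for comparison.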

Assuming the security of our candidates, our work also narrows the gap between the “Natural Proofs barrier” [Razborov & Rudich; JCSS ’97] and existing lower bounds, in three models: unbounded-depth circuits, \(\mathrm {TC}^0\) circuits, and Turing machines. In particular, the efficiency of the circuits computing \(\mathcal {F}_3\) is related to a result by Allender and Koucký [JACM ’10], who show that a lower bound for such circuits would imply a lower bound for \(\mathrm {TC}^0\).


References

1. Aaronson, S., Wigderson, A.: Algebrization: a new barrier in complexity theory. In: 40th ACM Symp. on the Theory of Computing, STOC, pp. 731–740 (2008)
2. Allender, E., Koucký, M.: Amplifying lower bounds by means of self-reducibility. J. of the ACM 57(3) (2010)
3. Alon, N., Goldreich, O., Håstad, J., Peralta, R.: Simple constructions of almost \(k\)-wise independent random variables. Random Structures & Algorithms 3(3), 289–304 (1992)
4. Baker, T., Gill, J., Solovay, R.: Relativizations of the P=? NP question. SIAM J. Comput. 4(4), 431–442 (1975)
5. Bazzi, L.M.J.: Polylogarithmic independence can fool DNF formulas. SIAM J. Comput. 38(6), 2220–2272 (2009)
6. Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. Journal of Cryptology 4(1), 3–72 (1991)
7. Braverman, M.: Poly-logarithmic independence fools \(AC^0\) circuits. In: 24th IEEE Conf. on Computational Complexity, CCC. IEEE (2009)
8. Brodsky, A., Hoory, S.: Simple permutations mix even better. Random Struct. Algorithms 32(3), 274–289 (2008)
9. Cho, H.-S., Sung, S.H., Kwon, D., Lee, J.-K., Song, J.H., Lim, J.: New Method for Bounding the Maximum Differential Probability for SPNs and ARIA. In: Park, C., Chee, S. (eds.) ICISC 2004. LNCS, vol. 3506, pp. 21–32. Springer, Heidelberg (2005)
10. Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Springer (2002)
11. Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. J. Cryptology 10(3), 151–162 (1997)
12. Gao, S., von zur Gathen, J., Panario, D., Shoup, V.: Algorithms for exponentiation in finite fields. J. Symb. Comput. 29(6), 879–889 (2000)
13. Gauravaram, P., Knudsen, L.R., Matusiewicz, K., Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.S.: Grøstl: a SHA-3 candidate (2011)
14. Gentry, C., Ramzan, Z.: Eliminating Random Permutation Oracles in the Even-Mansour Cipher. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 32–47. Springer, Heidelberg (2004)
15. Gerasoulis, A.: A fast algorithm for the multiplication of generalized Hilbert matrices with vectors. Mathematics of Computation 50, 179–188 (1988)
16. Goldreich, O.: Foundations of Cryptography: Volume 1, Basic Tools. Cambridge University Press (2001)
17. Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. of the ACM 33(4), 792–807 (1986)
18. Goldreich, O., Levin, L.: A hard-core predicate for all one-way functions. In: 21st ACM Symp. on the Theory of Computing, STOC, pp. 25–32 (1989)
19. Gowers, W.: An almost \(m\)-wise independent random permutation of the cube. Combinatorics, Probability and Computing 5(2), 119–130 (1996)
20. Haitner, I., Reingold, O., Vadhan, S.P.: Efficiency improvements in constructing pseudorandom generators from one-way functions. In: 42nd ACM Symp. on the Theory of Computing, STOC, pp. 437–446 (2010)
21. Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)
22. Healy, A., Viola, E.: Constant-Depth Circuits for Arithmetic in Finite Fields of Characteristic Two. In: Durand, B., Thomas, W. (eds.) STACS 2006. LNCS, vol. 3884, pp. 672–683. Springer, Heidelberg (2006)
23. Hesse, W., Allender, E., Barrington, D.A.M.: Uniform constant-depth threshold circuits for division and iterated multiplication. J. Comput. System Sci. 65(4), 695–716 (2002); Special issue on complexity, 2001 (Chicago, IL)
24. Hoory, S., Magen, A., Myers, S., Rackoff, C.: Simple permutations mix well. Theor. Comput. Sci. 348(2-3), 251–261 (2005)
25. Jakobsen, T., Knudsen, L.: Attacks on block ciphers of low algebraic degree. Journal of Cryptology 14, 197–210 (2001)
26. Kang, J.S., Hong, S., Lee, S., Yi, O., Park, C., Lim, J.: Practical and provable security against differential and linear cryptanalysis for substitution-permutation networks. ETRI Journal 23(4), 158–167 (2001)
27. Keliher, L., Meijer, H., Tavares, S.: New Method for Upper Bounding the Maximum Average Linear Hull Probability for SPNs. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 420–436. Springer, Heidelberg (2001)
28. Knudsen, L.R.: Truncated and Higher Order Differentials. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1995)
29. Kopparty, S.: On the complexity of powering in finite fields. In: ACM Symp. on the Theory of Computing, STOC (2011)
30. Kushilevitz, E., Nisan, N.: Communication complexity. Cambridge University Press (1997)
31. Luby, M., Rackoff, C.: How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Comput. 17(2), 373–386 (1988)
32. Matsui, M.: Linear Cryptanalysis Method for DES Cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994)
33. Naor, J., Naor, M.: Small-bias probability spaces: efficient constructions and applications. SIAM J. Comput. 22(4), 838–856 (1993)
34. Naor, M., Reingold, O.: On the construction of pseudorandom permutations: Luby-Rackoff revisited. J. Cryptology 12(1), 29–66 (1999)
35. Naor, M., Reingold, O.: Number-theoretic constructions of efficient pseudo-random functions. J. of the ACM 51(2), 231–262 (2004)
36. Nyberg, K.: Differentially Uniform Mappings for Cryptography. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 55–64. Springer, Heidelberg (1994)
37. Pieprzyk, J.: On bent permutations. In: Proceedings of the International Conference on Finite Fields, Coding Theory, and Advances in Communications and Computing, Las Vegas (August 1991)
38. Ramzan, Z., Reyzin, L.: On the Round Security of Symmetric-Key Cryptographic Primitives. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 376–393. Springer, Heidelberg (2000)
39. Razborov, A., Rudich, S.: Natural proofs. J. of Computer and System Sciences 55(1), 24–35 (1997)
40. Razborov, A.A.: A simple proof of Bazzi’s theorem. ACM Transactions on Computation Theory (TOCT) 1(1) (2009)
41. Roth, R.M., Seroussi, G.: On generator matrices of MDS codes. IEEE Transactions on Information Theory 31, 826–830 (1985)
42. Shannon, C.: Communication theory of secrecy systems. Bell Systems Technical Journal 28(4), 656–715 (1949)
43. Vadhan, S.P., Zheng, C.J.: Characterizing pseudoentropy and simplifying pseudorandom generator constructions. In: ACM Symp. on the Theory of Computing, STOC (2012)
44. Williams, R.: Non-uniform ACC lower bounds. In: IEEE Conf. on Computational Complexity, CCC (2011)
45. Wu, H.: The hash function JH (2011)

Copyright information

© International Association for Cryptologic Research 2012

Authors and Affiliations

Northeastern University, Boston, USA