# Substitution-Permutation Networks, Pseudorandom Functions, and Natural Proofs

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7417)

## Abstract

This paper takes a new step towards closing the troubling gap between pseudorandom functions (PRF) and their popular, bounded-input-length counterparts. This gap is both quantitative, because these counterparts are more efficient than PRF in various ways, and methodological, because these counterparts usually fit in the substitution-permutation network paradigm (SPN) which has not been used to construct PRF.

We give several candidate PRF $$\mathcal {F}_i$$ that are inspired by the SPN paradigm. This paradigm involves a “substitution function” (S-box). Our main candidates are:

$$\mathcal {F}_1 : \{0, 1\}^n \rightarrow \{0, 1\}^n$$ is an SPN whose S-box is a random function on b bits given as part of the seed. We prove unconditionally that $$\mathcal {F}_1$$ resists attacks that run in time $$\le 2^{\epsilon b}$$. Setting $$b = \omega (\lg n)$$ we obtain an inefficient PRF, which however seems to be the first such construction using the SPN paradigm.

$$\mathcal {F}_2 : \{0, 1\}^n \rightarrow \{0, 1\}^n$$ is an SPN where the S-box is (patched) field inversion, a common choice in practical constructions. $$\mathcal {F}_2$$ is computable with Boolean circuits of size $$n \cdot \log ^{O(1)} n$$, and in particular with seed length $$n \cdot \log ^{O(1)} n$$. We prove that this candidate has exponential security $$2^{\Omega (n)}$$ against linear and differential cryptanalysis.

$$\mathcal {F}_3 : \{0, 1\}^n \rightarrow \{0, 1\}$$ is a non-standard variant on the SPN paradigm, where “states” grow in length. $$\mathcal {F}_3$$ is computable with size $$n^{1+\epsilon }$$, for any $$\epsilon > 0$$, in the restricted circuit class $$\mathrm {TC}^0$$ of unbounded fan-in majority circuits of constant-depth. We prove that $$\mathcal {F}_3$$ is almost 3-wise independent.

$$\mathcal {F}_4 : \{0, 1\}^n \rightarrow \{0, 1\}$$ uses an extreme setting of the SPN parameters (one round, one S-box, no diffusion matrix). The S-box is again (patched) field inversion. We prove that this candidate fools all parity tests that look at $$\le 2^{0.9n}$$ outputs.
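The "patched field inversion" S-box shared by $$\mathcal {F}_2$$ and $$\mathcal {F}_4$$, as an added illustration that is not code from the paper: it builds the map $$x \mapsto x^{2^b - 2}$$ over $$\mathrm{GF}(2^b)$$ (the field inverse, patched so that 0 maps to 0) and measures its maximum differential probability, the per-S-box quantity on which differential-cryptanalysis bounds such as the one claimed for $$\mathcal {F}_2$$ are built. The reduction polynomials are assumptions; the paper does not fix a field representation (the differential uniformity does not depend on that choice).

```python
# Patched field inversion S-box over GF(2^b) and its differential uniformity.
# Added illustration, not the paper's code. Reduction polynomials are assumed:
# 0x11b is the AES polynomial x^8+x^4+x^3+x+1 for GF(2^8); 0x83 is x^7+x+1 for GF(2^7).

def gf_mul(a: int, b: int, bits: int, poly: int) -> int:
    """Carry-less multiply a*b, reduced modulo an irreducible polynomial of degree `bits`."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> bits:          # degree overflowed: reduce by the field polynomial
            a ^= poly
    return r

def gf_pow(a: int, e: int, bits: int, poly: int) -> int:
    """Square-and-multiply exponentiation in GF(2^bits)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, bits, poly)
        a = gf_mul(a, a, bits, poly)
        e >>= 1
    return r

def patched_inverse_sbox(bits: int, poly: int) -> list:
    """Lookup table for x -> x^(2^b - 2): x^{-1} for x != 0, and 0 -> 0 (the 'patch')."""
    return [gf_pow(x, (1 << bits) - 2, bits, poly) for x in range(1 << bits)]

def max_differential_probability(sbox: list) -> tuple:
    """Largest difference-distribution-table entry over nonzero input differences,
    returned together with the table size, so the probability is best / size."""
    n = len(sbox)
    best = 0
    for din in range(1, n):
        counts = {}
        for x in range(n):
            dout = sbox[x] ^ sbox[x ^ din]
            counts[dout] = counts.get(dout, 0) + 1
        best = max(best, max(counts.values()))
    return best, n

if __name__ == "__main__":
    for bits, poly in ((8, 0x11b), (7, 0x83)):
        best, n = max_differential_probability(patched_inverse_sbox(bits, poly))
        print(f"GF(2^{bits}): max differential probability {best}/{n}")
```

Inversion is 4-uniform for even $$b$$ and 2-uniform (APN) for odd $$b$$ [Nyberg; EUROCRYPT '93], so the run reports 4/256 and 2/128.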

Assuming the security of our candidates, our work also narrows the gap between the “Natural Proofs barrier” [Razborov & Rudich; JCSS ’97] and existing lower bounds, in three models: unbounded-depth circuits, $$\mathrm {TC}^0$$ circuits, and Turing machines. In particular, the efficiency of the circuits computing $$\mathcal {F}_3$$ is related to a result by Allender and Koucky [JACM ’10] who show that a lower bound for such circuits would imply a lower bound for $$\mathrm {TC}^0$$.

## Keywords

Random Function, Turing Machine, Block Cipher, Advanced Encryption Standard, Seed Length

## References

1. Aaronson, S., Wigderson, A.: Algebrization: a new barrier in complexity theory. In: 40th ACM Symp. on the Theory of Computing, STOC, pp. 731–740 (2008)
2. Allender, E., Koucký, M.: Amplifying lower bounds by means of self-reducibility. J. of the ACM 57(3) (2010)
3. Alon, N., Goldreich, O., Håstad, J., Peralta, R.: Simple constructions of almost $$k$$-wise independent random variables. Random Structures & Algorithms 3(3), 289–304 (1992)
4. Baker, T., Gill, J., Solovay, R.: Relativizations of the P=? NP question. SIAM J. Comput. 4(4), 431–442 (1975)
5. Bazzi, L.M.J.: Polylogarithmic independence can fool DNF formulas. SIAM J. Comput. 38(6), 2220–2272 (2009)
6. Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. Journal of Cryptology 4(1), 3–72 (1991)
7. Braverman, M.: Poly-logarithmic independence fools $$AC^0$$ circuits. In: 24th IEEE Conf. on Computational Complexity, CCC. IEEE (2009)
8. Brodsky, A., Hoory, S.: Simple permutations mix even better. Random Struct. Algorithms 32(3), 274–289 (2008)
9. Cho, H.-S., Sung, S.H., Kwon, D., Lee, J.-K., Song, J.H., Lim, J.: New Method for Bounding the Maximum Differential Probability for SPNs and ARIA. In: Park, C., Chee, S. (eds.) ICISC 2004. LNCS, vol. 3506, pp. 21–32. Springer, Heidelberg (2005)
10. Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Springer (2002)
11. Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. J. Cryptology 10(3), 151–162 (1997)
12. Gao, S., von zur Gathen, J., Panario, D., Shoup, V.: Algorithms for exponentiation in finite fields. J. Symb. Comput. 29(6), 879–889 (2000)
13. Gauravaram, P., Knudsen, L.R., Matusiewicz, K., Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.S.: Grøstl: a SHA-3 candidate (2011), http://www.groestl.info
14. Gentry, C., Ramzan, Z.: Eliminating Random Permutation Oracles in the Even-Mansour Cipher. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 32–47. Springer, Heidelberg (2004)
15. Gerasoulis, A.: A fast algorithm for the multiplication of generalized Hilbert matrices with vectors. Mathematics of Computation 50, 179–188 (1988)
16. Goldreich, O.: Foundations of Cryptography: Volume 1, Basic Tools. Cambridge University Press (2001)
17. Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. of the ACM 33(4), 792–807 (1986)
18. Goldreich, O., Levin, L.: A hard-core predicate for all one-way functions. In: 21st ACM Symp. on the Theory of Computing, STOC, pp. 25–32 (1989)
19. Gowers, W.: An almost $$m$$-wise independent random permutation of the cube. Combinatorics, Probability and Computing 5(2), 119–130 (1996)
20. Haitner, I., Reingold, O., Vadhan, S.P.: Efficiency improvements in constructing pseudorandom generators from one-way functions. In: 42nd ACM Symp. on the Theory of Computing, STOC, pp. 437–446 (2010)
21. Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)
22. Healy, A., Viola, E.: Constant-Depth Circuits for Arithmetic in Finite Fields of Characteristic Two. In: Durand, B., Thomas, W. (eds.) STACS 2006. LNCS, vol. 3884, pp. 672–683. Springer, Heidelberg (2006)
23. Hesse, W., Allender, E., Barrington, D.A.M.: Uniform constant-depth threshold circuits for division and iterated multiplication. J. Comput. System Sci. 65(4), 695–716 (2002); Special issue on complexity, 2001 (Chicago, IL)
24. Hoory, S., Magen, A., Myers, S., Rackoff, C.: Simple permutations mix well. Theor. Comput. Sci. 348(2-3), 251–261 (2005)
25. Jakobsen, T., Knudsen, L.: Attacks on block ciphers of low algebraic degree. Journal of Cryptology 14, 197–210 (2001)
26. Kang, J.S., Hong, S., Lee, S., Yi, O., Park, C., Lim, J.: Practical and provable security against differential and linear cryptanalysis for substitution-permutation networks. ETRI Journal 23(4), 158–167 (2001)
27. Keliher, L., Meijer, H., Tavares, S.: New Method for Upper Bounding the Maximum Average Linear Hull Probability for SPNs. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 420–436. Springer, Heidelberg (2001)
28. Knudsen, L.R.: Truncated and Higher Order Differentials. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1995)
29. Kopparty, S.: On the complexity of powering in finite fields. In: ACM Symp. on the Theory of Computing, STOC (2011)
30. Kushilevitz, E., Nisan, N.: Communication complexity. Cambridge University Press (1997)
31. Luby, M., Rackoff, C.: How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Comput. 17(2), 373–386 (1988)
32. Matsui, M.: Linear Cryptanalysis Method for DES Cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994)
33. Naor, J., Naor, M.: Small-bias probability spaces: efficient constructions and applications. SIAM J. Comput. 22(4), 838–856 (1993)
34. Naor, M., Reingold, O.: On the construction of pseudorandom permutations: Luby-Rackoff revisited. J. Cryptology 12(1), 29–66 (1999)
35. Naor, M., Reingold, O.: Number-theoretic constructions of efficient pseudo-random functions. J. of the ACM 51(2), 231–262 (2004)
36. Nyberg, K.: Differentially Uniform Mappings for Cryptography. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 55–64. Springer, Heidelberg (1994)
37. Pieprzyk, J.: On bent permutations. In: Proceedings of the International Conference on Finite Fields, Coding Theory, and Advances in Communications and Computing, Las Vegas (August 1991)
38. Ramzan, Z., Reyzin, L.: On the Round Security of Symmetric-Key Cryptographic Primitives. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 376–393. Springer, Heidelberg (2000)
39. Razborov, A., Rudich, S.: Natural proofs. J. of Computer and System Sciences 55(1), 24–35 (1997)
40. Razborov, A.A.: A simple proof of Bazzi’s theorem. ACM Transactions on Computation Theory (TOCT) 1(1) (2009)
41. Roth, R.M., Seroussi, G.: On generator matrices of MDS codes. IEEE Transactions on Information Theory 31, 826–830 (1985)
42. Shannon, C.: Communication theory of secrecy systems. Bell Systems Technical Journal 28(4), 656–715 (1949)
43. Vadhan, S.P., Zheng, C.J.: Characterizing pseudoentropy and simplifying pseudorandom generator constructions. In: ACM Symp. on the Theory of Computing, STOC (2012)
44. Williams, R.: Non-uniform ACC lower bounds. In: IEEE Conf. on Computational Complexity, CCC (2011)
45. Wu, H.: The hash function JH (2011), http://www3.ntu.edu.sg/home/wuhj/research/jh/index.html