EUROCRYPT 2018: Advances in Cryptology – EUROCRYPT 2018 pp 387-412

# Full Indifferentiable Security of the Xor of Two or More Random Permutations Using the $$\chi ^2$$ Method

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10820)

## Abstract

The construction $$\mathsf {XORP}$$ (bitwise-xor of the outputs of two independent n-bit random permutations) has gained broad attention over the last two decades due to its high security. Very recently, Dai et al. (CRYPTO’17), using a method which they term the Chi-squared method ($$\chi ^2$$ method), have shown n-bit security of $$\mathsf {XORP}$$ when the underlying random permutations are kept secret from the adversary. In this work, we consider the case where the underlying random permutations are publicly available to the adversary. The best known security of $$\mathsf {XORP}$$ in this security game (also known as indifferentiable security) is $$\frac{2n}{3}$$-bit, due to Mennink et al. (ACNS’15). Later, Lee (IEEE-IT’17) proved a better $$\frac{(k-1)n}{k}$$-bit security for the general construction $$\mathsf {XORP}[k]$$, which returns the xor of k ($$\ge 2$$) independent random permutations. However, the security was shown only for the cases where k is an even integer. In this paper, we improve all these known bounds and prove full, i.e., n-bit (indifferentiable) security of $$\mathsf {XORP}$$ as well as $$\mathsf {XORP}[k]$$ for any k. Our main result is n-bit security of $$\mathsf {XORP}$$, and we use the $$\chi ^2$$ method to prove it.
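As an added illustration (not code from the paper or its authors), the following Python sketch builds $$\mathsf {XORP}[k]$$ from k independent random n-bit permutations over a toy domain, with $$k = 2$$ being plain $$\mathsf {XORP}$$. The permutations are sampled with a seeded Fisher-Yates shuffle, a constructed stand-in for the public random permutations of the indifferentiability game; the seed, domain size and helper names are assumptions. Beyond the construction itself, it checks two structural facts worth knowing: $$\mathsf {XORP}[k]$$ is a function, not a permutation (its outputs can collide, and a constructed edge case collapses it to a constant), and the xor of its outputs over the whole domain is always 0 for $$n \ge 2$$, a regularity that only becomes observable once all $$2^n$$ inputs have been queried.

```python
import random


def random_permutation(n: int, rng: random.Random) -> list[int]:
    """Uniformly random permutation of the n-bit domain {0, ..., 2^n - 1},
    sampled by a Fisher-Yates shuffle. Constructed stand-in for a public
    random permutation P_i; the table index is the input, the entry is P_i(x)."""
    table = list(range(1 << n))
    rng.shuffle(table)
    return table


def sample_xorp(n: int, k: int, seed: int) -> list[list[int]]:
    """k independent random n-bit permutations from one seeded generator (assumed seed)."""
    rng = random.Random(seed)
    return [random_permutation(n, rng) for _ in range(k)]


def xorp(perms: list[list[int]], x: int) -> int:
    """XORP[k](x) = P_1(x) xor P_2(x) xor ... xor P_k(x); k == 2 is plain XORP."""
    out = 0
    for p in perms:
        out ^= p[x]
    return out


def distinct_outputs(perms: list[list[int]], n: int) -> int:
    """Number of distinct values XORP[k] takes over the whole domain.
    A single permutation gives exactly 2^n; XORP[k] is a function and
    usually gives fewer, because outputs of different inputs may collide."""
    return len({xorp(perms, x) for x in range(1 << n)})


def full_domain_xor(perms: list[list[int]], n: int) -> int:
    """Xor of XORP[k](x) over every input x. Each P_i is a bijection, so the
    xor of all P_i(x) equals the xor of all n-bit values, which is 0 for
    n >= 2; hence the result is 0. A random function has no such constraint,
    but seeing it requires all 2^n queries."""
    acc = 0
    for x in range(1 << n):
        acc ^= xorp(perms, x)
    return acc


def constant_xorp_example(n: int, c: int) -> list[list[int]]:
    """Constructed edge case: P_1 = identity and P_2(x) = x xor c (both valid
    permutations) make XORP collapse to the constant c on every input."""
    size = 1 << n
    return [list(range(size)), [x ^ c for x in range(size)]]


if __name__ == "__main__":
    n, k = 8, 2
    perms = sample_xorp(n, k, seed=2018)
    print("distinct outputs of XORP over 2^8 inputs:", distinct_outputs(perms, n))
    print("xor of all XORP outputs:", full_domain_xor(perms, n))
    print("distinct outputs of the constant edge case:",
          distinct_outputs(constant_xorp_example(4, 5), 4))
```

The full-domain check is the reason a bound of n bits is the best one can hope for in this setting: with fewer than $$2^n$$ queries the parity constraint is invisible, and the abstract's result is that nothing cheaper separates $$\mathsf {XORP}$$ from a random function even when the permutations are public.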

## Keywords

Random permutation, Indifferentiable security, $$\chi ^2$$ method, XOR construction, Simulator

## Notes

### Acknowledgement

We are indebted to the reviewers for their patient reading and valuable comments which improved the quality of this paper significantly.

This work is supported in part by the WISEKEY project, which we gratefully acknowledge.

## References

1. [AMP10] Andreeva, E., Mennink, B., Preneel, B.: On the indifferentiability of the Grøstl hash function. In: Garay, J.A., De Prisco, R. (eds.) SCN 2010. LNCS, vol. 6280, pp. 88–105. Springer, Heidelberg (2010)
2. [BDP+13] Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Keccak and the SHA-3 Standardization. NIST (2013)
3. [BDPVA08] Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the indifferentiability of the sponge construction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008)
4. [BDPVA11a] Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Duplexing the sponge: single-pass authenticated encryption and other applications. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 320–337. Springer, Heidelberg (2012)
5. [BDPVA11b] Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the security of the keyed sponge construction. In: Symmetric Key Encryption Workshop (SKEW 2011) (2011)
6. [BI99] Bellare, M., Impagliazzo, R.: A tool for obtaining tighter security analyses of pseudorandom function based constructions, with applications to PRP to PRF conversion. IACR Cryptol. ePrint Arch. 1999, 24 (1999)
7. [BKR98] Bellare, M., Krovetz, T., Rogaway, P.: Luby-Rackoff backwards: increasing security by making block ciphers non-invertible. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 266–280. Springer, Heidelberg (1998)
8. [BMN10] Bhattacharyya, R., Mandal, A., Nandi, M.: Security analysis of the mode of JH hash function. In: Hong, S., Iwata, T. (eds.) FSE 2010. LNCS, vol. 6147, pp. 168–191. Springer, Heidelberg (2010)
9. [BN18] Bhattacharya, S., Nandi, M.: Revisiting variable output length pseudorandom functions. IACR Trans. Symmetric Cryptol. 2018(1) (2018, to appear)
10. [CAE] CAESAR: Competition for Authenticated Encryption: Security, Applicability, and Robustness. http://competitions.cr.yp.to/caesar.html/
11. [CLP14] Cogliati, B., Lampe, R., Patarin, J.: The indistinguishability of the XOR of $$k$$ permutations. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 285–302. Springer, Heidelberg (2015)
12. [CS16a] Cogliati, B., Seurin, Y.: EWCDM: an efficient, beyond-birthday secure, nonce-misuse resistant MAC. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 121–149. Springer, Heidelberg (2016)
13. [CT06] Cover, T.M., Thomas, J.A.: Elements of Information Theory (Wiley Series in Telecommunications and Signal Processing). Wiley-Interscience (2006)
14. [DHT17] Dai, W., Hoang, V.T., Tessaro, S.: Information-theoretic indistinguishability via the chi-squared method. In: Katz and Shacham [KS17], pp. 497–523 (2017)
15. [GG16] Gilboa, S., Gueron, S.: The advantage of truncated permutations. CoRR abs/1610.02518 (2016)
16. [GGM17] Gilboa, S., Gueron, S., Morris, B.: How many queries are needed to distinguish a truncated random permutation from a random function? J. Cryptol. 31(1), 162–171 (2017)
17. [GKM+09] Gauravaram, P., Knudsen, L.R., Matusiewicz, K., Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.S.: Grøstl, a SHA-3 candidate. In: Dagstuhl Seminar Proceedings, Schloss Dagstuhl-Leibniz-Zentrum für Informatik (2009)
18. [IMPS17] Iwata, T., Minematsu, K., Peyrin, T., Seurin, Y.: ZMAC: a fast tweakable block cipher mode for highly secure message authentication. IACR Cryptol. ePrint Arch. 2017, 535 (2017)
19. [IMV16] Iwata, T., Mennink, B., Vizár, D.: CENC is optimally secure. IACR Cryptol. ePrint Arch. 2016, 1087 (2016)
20. [Iwa06] Iwata, T.: New blockcipher modes of operation with beyond the birthday bound security. In: Robshaw, M. (ed.) FSE 2006. LNCS, vol. 4047, pp. 310–327. Springer, Heidelberg (2006)
21. [KS17] Katz, J., Shacham, H. (eds.): CRYPTO 2017. LNCS, vol. 10403. Springer, Cham (2017)
22. [Lee17] Lee, J.: Indifferentiability of the sum of random permutations towards optimal security. IEEE Trans. Inf. Theory 63(6), 4050–4054 (2017)
23. [LR88] Luby, M., Rackoff, C.: How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Comput. 17(2), 373–386 (1988)
24. [Luc00] Lucks, S.: The sum of PRPs is a secure PRF. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 470–484. Springer, Heidelberg (2000)
25. [LV87] Liese, F., Vajda, I.: Convex Statistical Distances. Teubner, Leipzig (1987)
26. [MN17a] Mennink, B., Neves, S.: Encrypted Davies-Meyer and its dual: towards optimal security using mirror theory. Cryptology ePrint Archive, Report 2017/xxx, to be published in CRYPTO 2017 (2017). http://eprint.iacr.org/2017/537
27. [MN17b] Mennink, B., Neves, S.: Encrypted Davies-Meyer and its dual: towards optimal security using mirror theory. In: Katz and Shacham [KS17], pp. 556–583 (2017)
28. [MP15] Mennink, B., Preneel, B.: On the XOR of multiple random permutations. In: Malkin, T., Kolesnikov, V., Lewko, A.B., Polychronakis, M. (eds.) ACNS 2015. LNCS, vol. 9092, pp. 619–634. Springer, Cham (2015)
29. [MPN10] Mandal, A., Patarin, J., Nachef, V.: Indifferentiability beyond the birthday bound for the xor of two public random permutations. In: Gong, G., Gupta, K.C. (eds.) INDOCRYPT 2010. LNCS, vol. 6498, pp. 69–81. Springer, Heidelberg (2010)
30. [MRH04] Maurer, U., Renner, R., Holenstein, C.: Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 21–39. Springer, Heidelberg (2004)
31. [Pat08a] Patarin, J.: The “Coefficients H” technique. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 328–345. Springer, Heidelberg (2009)
32. [Pat08b] Patarin, J.: A proof of security in $$O(2^n)$$ for the xor of two random permutations. In: Safavi-Naini, R. (ed.) ICITS 2008. LNCS, vol. 5155, pp. 232–248. Springer, Heidelberg (2008)
33. [Pat10] Patarin, J.: Introduction to Mirror Theory: analysis of systems of linear equalities and linear non equalities for cryptography. Cryptology ePrint Archive, Report 2010/287 (2010). http://eprint.iacr.org/2010/287
34. [RAB+08] Rivest, R.L., Agre, B., Bailey, D.V., Crutchfield, C., Dodis, Y., Fleming, K.E., Khan, A., Krishnamurthy, J., Lin, Y., Reyzin, L., et al.: The MD6 hash function, a proposal to NIST for SHA-3. NIST 2(3) (2008, submitted)
35. [Sta78] Stam, A.J.: Distance between sampling with and without replacement. Statistica Neerlandica 32(2), 81–91 (1978)
36. [Vau03] Vaudenay, S.: Decorrelation: a theory for block cipher security. J. Cryptol. 16(4), 249–286 (2003)
37. [Wu11] Wu, H.: The hash function JH. NIST (round 3), 6 (2011, submitted)
38. [Yas11] Yasuda, K.: A new variant of PMAC: beyond the birthday bound. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 596–609. Springer, Heidelberg (2011)

## Copyright information

© International Association for Cryptologic Research 2018

## Authors and Affiliations

1. Indian Statistical Institute, Kolkata, India