The Characterization of Luby-Rackoff and Its Optimum Single-Key Variants
Luby and Rackoff provided a construction (LR) of a 2n-bit (strong) pseudorandom permutation, or (S)PRP, from an n-bit pseudorandom function (PRF), which was motivated by the structure of DES. Their construction consists of four rounds of Feistel permutations (or three rounds, for a PRP), where each round involves an application of an independent PRF (i.e. with an independent round key). The definition of the LR construction can be extended by reusing round keys in a manner determined by a key-assigning function. So far several key-assigning functions have been analyzed (e.g. 4-round LR with round keys K1, K2, K2, K2 was proved secure, whereas K1, K2, K2, K1 is not secure). Even though we already know some key-assigning functions which give secure and insecure LR constructions, the exact characterization of all secure LR constructions for an arbitrary number of rounds is still unknown. Some characterizations were conjectured but later shown to be wrong. In this paper we solve this long-standing open problem and (informally) prove the following:
LR is secure iff its key-assigning is not a palindrome (i.e. the order of key indices is not the same as its reverse order).
Four invocations of the PRF is the minimum for a class of single-key LR-variant SPRPs, and LRv is optimum in the class.
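Why a palindromic key assignment fails can be seen with two forward queries, shown here as an added example that is not code from the paper. It assumes the round convention (L, R) -> (R, L xor F_k(R)), uses truncated HMAC-SHA256 as a stand-in PRF, and all names, keys and sample blocks are constructed for illustration.

```python
import hashlib
import hmac

N = 8  # half-block size in bytes (n = 64 bits), an assumption for this demo

def prf(key: bytes, x: bytes) -> bytes:
    """Stand-in n-bit PRF: HMAC-SHA256 truncated to N bytes."""
    return hmac.new(key, x, hashlib.sha256).digest()[:N]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def lr_encrypt(keys, assignment, block):
    """Apply one Feistel round per entry of `assignment` (a key index per round)."""
    left, right = block
    for idx in assignment:
        left, right = right, xor(left, prf(keys[idx], right))
    return left, right

def is_palindrome(assignment) -> bool:
    """True when the order of key indices equals its reverse order."""
    return list(assignment) == list(reversed(assignment))

def swap(block):
    return block[1], block[0]

def reflection_holds(keys, assignment, block) -> bool:
    """Test E(swap(E(x))) == swap(x).

    Each round satisfies round^-1 = swap . round . swap, so E^-1 equals
    swap . E' . swap with E' using the reversed key order. For a palindrome
    E' = E and the relation always holds; a random permutation satisfies
    it only with negligible probability.
    """
    y = lr_encrypt(keys, assignment, block)
    return lr_encrypt(keys, assignment, swap(y)) == swap(block)

# Constructed keys and plaintext block, for illustration only.
KEYS = {1: b"constructed-key-1", 2: b"constructed-key-2"}
SAMPLE = (b"\x00" * N, b"\x01" * N)

def demo():
    """Map each key assignment to (is_palindrome, reflection_holds)."""
    cases = [(1, 2, 2, 1), (1, 2, 2, 2), (1, 1, 1, 1), (1, 2, 1)]
    return {a: (is_palindrome(a), reflection_holds(KEYS, a, SAMPLE)) for a in cases}

if __name__ == "__main__":
    for assignment, (pal, holds) in demo().items():
        print(assignment, "palindrome:", pal, "relation holds:", holds)
```

The relation is only the easy direction of the characterization (palindrome implies insecure); the converse, that every non-palindromic assignment is secure, is the paper's result and is not something this check establishes.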
Keywords: Luby-Rackoff, Feistel, PRP, SPRP, PRF, distinguisher, palindrome