The Characterization of Luby-Rackoff and Its Optimum Single-Key Variants

  • Mridul Nandi
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6498)


Luby and Rackoff provided a construction (LR) of 2n-bit (strong) pseudo-random permutation or (S)PRP from n-bit pseudorandom function (PRF), which was motivated by the structure of DES. Their construction consists of four rounds of Feistel permutations (or three rounds, for PRP), each round involves an application of an independent PRF (i.e. with an independent round key). The definition of the LR construction can be extended by reusing round keys in a manner determined by a key-assigning function. So far several key-assigning functions had been analyzed (e.g. LR with 4-round keys K 1, K 2, K 2, K 2 was proved secure whereas K 1, K 2, K 2, K 1 is not secure). Even though we already know some key-assigning functions which give secure and insecure LR constructions, the exact characterization of all secure LR constructions for arbitrary number of rounds is still unknown. Some characterizations were being conjectured which were later shown to be wrong. In this paper we solve this long-standing open problem and (informally) prove the following:

  • LR is secure iff its key-assigning is not palindrome (i.e. the order of key indices is not same with its reverse order).

We also study the class of LR-variants where some of its round functions can be tweaked (our previous characterization would not work for the variants). We propose a single-key LR-variant SPRP, denoted by LRv, making only four invocations of the PRF. It is exactly same as single-key, 4-round LR with an additional operation (e.g. rotation) applied to the first round PRF output. So far the most efficient single-key LR construction is due to Patarin, which requires five invocations. Moreover, we show a PRP-distinguishing attack on a wide class of single-key, LR-variants with three PRF-invocations. So,
  • 4 invocations of PRF is minimum for a class of a single-key LR-variants SPRP and LRv is optimum in the class.


Luby-Rackoff Feistel PRP SPRP PRF distinguisher palindrome 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Halevi, S., Rogaway, P.: A tweakable enciphering mode. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 482–499. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  2. 2.
    Iwata, T., Kurosawa, K.: How to Re-use Round Function in Super-Pseudorandom Permutation. Information Security and Privacy, 224–235 (2004)Google Scholar
  3. 3.
    Koren, T.: On the construction of pseudorandom block ciphers, M.Sc. Thesis (in Hebrew), CS Dept., Technion, Israel (May 1989)Google Scholar
  4. 4.
    Luby, M., Rackoff, C.: How to construct pseudorandom permutations and pseudorandom functions. 2nd SIAM J. Comput. 17, 373–386 (1988)Google Scholar
  5. 5.
    Naor, M., Reingold, O.: On the Construction of Pseudorandom Permutations: Luby-Rackoff Revisited. J. Cryptology 12(1), 29–66 (1999)MathSciNetCrossRefzbMATHGoogle Scholar
  6. 6.
    National Bureau of Standards, Data encryption standard, Federal Information Processing Standard, PT U.S. Department of Commerce, FIPS PUB 46, Washington, DC (1977)Google Scholar
  7. 7.
    Patarin, J.: Pseudorandom permutations based on the DES scheme. In: Damgård, I.B. (ed.) EUROCRYPT 1990. LNCS, vol. 473, Springer, Heidelberg (1991)Google Scholar
  8. 8.
    Patarin, J.: How to construct pseudorandom and super pseudorandom permutations from one single pseudorandom pseudorandom function. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 256–266. Springer, Heidelberg (1993)Google Scholar
  9. 9.
    Patarin, J.: The ”Coefficients H” Technique. Selected Areas in Cryptography 2008, 328–345 (2008)Google Scholar
  10. 10.
    Pieprzyk, J.: How to construct pseudorandom permutations from single pseudorandom functions. In: Damgård, I.B. (ed.) EUROCRYPT 1990. LNCS, vol. 473, pp. 140–150. Springer, Heidelberg (1991)Google Scholar
  11. 11.
    Sadeghiyan, B., Pieprzyk, J.: On necessary and sufficient conditions for the construction of super pseudorandom permutations. In: Matsumoto, T., Imai, H., Rivest, R.L. (eds.) ASIACRYPT 1991. LNCS, vol. 739, pp. 194–209. Springer, Heidelberg (1993)CrossRefGoogle Scholar
  12. 12.
    Sadeghiyan, B., Pieprzyk, J.: A construction for super pseudorandom permutations from a single pseudorandom function. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, Springer, Heidelberg (1992)Google Scholar
  13. 13.
    Vaudenay, S.: Decorrelation: A Theory for Block Cipher Security. J. Cryptology 16(4), 249–286 (2003)MathSciNetCrossRefzbMATHGoogle Scholar
  14. 14.
    Zheng, Y., Matsumoto, T., Imai, H.: Impossibility and optimally results on constructing pseudorandom permutations. In: Quisquater, J.-J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 412–422. Springer, Heidelberg (1990)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Mridul Nandi
    • 1
  1. 1.C.R. Rao AIMSCS InstituteHyderabadIndia

Personalised recommendations