INDOCRYPT 2010: Progress in Cryptology - INDOCRYPT 2010 pp 82-97

# The Characterization of Luby-Rackoff and Its Optimum Single-Key Variants

• Mridul Nandi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6498)

## Abstract

Luby and Rackoff provided a construction (LR) of a 2n-bit (strong) pseudorandom permutation, or (S)PRP, from an n-bit pseudorandom function (PRF), motivated by the structure of DES. Their construction consists of four rounds of Feistel permutations (or three rounds, for a PRP), each of which applies an independent PRF (i.e. with an independent round key). The definition of the LR construction can be extended by reusing round keys in a manner determined by a key-assigning function. So far, several key-assigning functions have been analyzed (e.g. LR with the 4-round keys K1, K2, K2, K2 was proved secure, whereas K1, K2, K2, K1 is not secure). Even though some key-assigning functions are already known to give secure and insecure LR constructions, the exact characterization of all secure LR constructions for an arbitrary number of rounds was still unknown. Some characterizations have been conjectured that were later shown to be wrong. In this paper we solve this long-standing open problem and (informally) prove the following:

• LR is secure iff its key-assigning is not a palindrome (i.e. the sequence of key indices is not the same as its reverse).

We also study the class of LR-variants in which some of the round functions can be tweaked (our characterization above does not apply to these variants). We propose a single-key LR-variant SPRP, denoted LRv, making only four invocations of the PRF. It is exactly the same as single-key, 4-round LR with an additional operation (e.g. a rotation) applied to the output of the first-round PRF. So far the most efficient single-key LR construction is due to Patarin, which requires five invocations. Moreover, we show a PRP-distinguishing attack on a wide class of single-key LR-variants with three PRF invocations. So,

• 4 invocations of the PRF is the minimum for a class of single-key LR-variant SPRPs, and LRv is optimal in that class.
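The abstract characterizes security by whether the key-assigning sequence is a palindrome. The reason is structural: decrypting an r-round Feistel network means running the same rounds with the round functions in reverse order (conjugated by a swap of the halves), so a palindromic key assignment makes the permutation equal to its own inverse up to a swap, which no random permutation does. The following Python is an added illustration, not code from the paper: it builds the LR construction with a key-assigning schedule, adds the LRv tweak (a rotation applied to the first-round PRF output), and checks the involution property for the schedules the abstract names. The PRF is instantiated with HMAC-SHA256 truncated to n bytes, and the key values, block size (n = 8 bytes) and sample block are all constructed for the demonstration.

```python
import hmac
import hashlib

N = 8  # n bytes per half; the block is 2n = 16 bytes (constructed toy parameter)

# Constructed round keys; the schedule refers to them by index K1, K2.
KEYS = {1: b"constructed-round-key-1", 2: b"constructed-round-key-2"}
SAMPLE_BLOCK = bytes(range(2 * N))  # constructed 16-byte plaintext


def prf(key: bytes, x: bytes) -> bytes:
    """n-byte PRF F_K(x); HMAC-SHA256 truncated to N bytes stands in for the abstract PRF."""
    return hmac.new(key, x, hashlib.sha256).digest()[:N]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rotl1(v: bytes) -> bytes:
    """Rotate an N-byte string left by one bit: the 'additional operation' of LRv."""
    bits = 8 * N
    as_int = int.from_bytes(v, "big")
    rotated = ((as_int << 1) | (as_int >> (bits - 1))) & ((1 << bits) - 1)
    return rotated.to_bytes(N, "big")


def swap(block: bytes) -> bytes:
    return block[N:] + block[:N]


def is_palindrome(schedule) -> bool:
    """The paper's criterion: the key-index sequence equals its own reverse."""
    return list(schedule) == list(reversed(schedule))


def lr_encrypt(round_keys, schedule, block, tweak_first=None) -> bytes:
    """r-round Luby-Rackoff: round i computes (L, R) -> (R, L xor F_{K_schedule[i]}(R)).
    No final swap. If tweak_first is given it is applied to the first round's PRF
    output only, which is how LRv modifies single-key 4-round LR."""
    assert len(block) == 2 * N
    L, R = block[:N], block[N:]
    for i, idx in enumerate(schedule):
        f_out = prf(round_keys[idx], R)
        if i == 0 and tweak_first is not None:
            f_out = tweak_first(f_out)
        L, R = R, xor(L, f_out)
    return L + R


def lr_decrypt(round_keys, schedule, block, tweak_first=None) -> bytes:
    """Inverse: run the rounds backwards, undoing each (L', R') = (R, L xor F(R))."""
    L, R = block[:N], block[N:]
    for i in reversed(range(len(schedule))):
        f_out = prf(round_keys[schedule[i]], L)
        if i == 0 and tweak_first is not None:
            f_out = tweak_first(f_out)
        L, R = xor(R, f_out), L
    return L + R


def is_swap_involution(schedule, tweak_first=None, block=SAMPLE_BLOCK) -> bool:
    """For a palindromic schedule E^-1 = swap . E . swap, hence E(swap(E(x))) == swap(x).
    A random permutation satisfies this only with probability about 2^-(2n*8)."""
    enc = lambda b: lr_encrypt(KEYS, schedule, b, tweak_first)
    return enc(swap(enc(block))) == swap(block)


def roundtrips(schedule, tweak_first=None, block=SAMPLE_BLOCK) -> bool:
    ct = lr_encrypt(KEYS, schedule, block, tweak_first)
    return lr_decrypt(KEYS, schedule, ct, tweak_first) == block


if __name__ == "__main__":
    for sched in ([1, 2, 2, 2], [1, 2, 2, 1], [1, 1, 1, 1]):
        print(sched, "palindrome:", is_palindrome(sched),
              "swap-involution:", is_swap_involution(sched))
    print("LRv [1,1,1,1]+rotl1 swap-involution:", is_swap_involution([1, 1, 1, 1], rotl1))
```

Running the block shows K1,K2,K2,K1 and the plain single-key schedule K1,K1,K1,K1 behaving as swap-involutions (the structural reason they cannot be SPRPs), while K1,K2,K2,K2 and LRv do not: the rotation on the first-round output makes the first round function differ from the last, so the sequence of round functions is no longer palindromic even though only one key is used. A True result here is only a sanity check of the abstract's criterion, not a proof of security for the non-palindromic cases; that is what the paper establishes.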

## Keywords

Luby-Rackoff, Feistel, PRP, SPRP, PRF, distinguisher, palindrome

## References

1. Halevi, S., Rogaway, P.: A tweakable enciphering mode. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 482–499. Springer, Heidelberg (2003)
2. Iwata, T., Kurosawa, K.: How to Re-use Round Function in Super-Pseudorandom Permutation. Information Security and Privacy, 224–235 (2004)
3. Koren, T.: On the construction of pseudorandom block ciphers, M.Sc. Thesis (in Hebrew), CS Dept., Technion, Israel (May 1989)
4. Luby, M., Rackoff, C.: How to construct pseudorandom permutations and pseudorandom functions. SIAM J. Comput. 17(2), 373–386 (1988)
5. Naor, M., Reingold, O.: On the Construction of Pseudorandom Permutations: Luby-Rackoff Revisited. J. Cryptology 12(1), 29–66 (1999)
6. National Bureau of Standards: Data encryption standard. Federal Information Processing Standard, U.S. Department of Commerce, FIPS PUB 46, Washington, DC (1977)
7. Patarin, J.: Pseudorandom permutations based on the DES scheme. In: Damgård, I.B. (ed.) EUROCRYPT 1990. LNCS, vol. 473. Springer, Heidelberg (1991)
8. Patarin, J.: How to construct pseudorandom and super pseudorandom permutations from one single pseudorandom function. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 256–266. Springer, Heidelberg (1993)
9. Patarin, J.: The "Coefficients H" Technique. Selected Areas in Cryptography 2008, 328–345 (2008)
10. Pieprzyk, J.: How to construct pseudorandom permutations from single pseudorandom functions. In: Damgård, I.B. (ed.) EUROCRYPT 1990. LNCS, vol. 473, pp. 140–150. Springer, Heidelberg (1991)
11. Sadeghiyan, B., Pieprzyk, J.: On necessary and sufficient conditions for the construction of super pseudorandom permutations. In: Matsumoto, T., Imai, H., Rivest, R.L. (eds.) ASIACRYPT 1991. LNCS, vol. 739, pp. 194–209. Springer, Heidelberg (1993)
12. Sadeghiyan, B., Pieprzyk, J.: A construction for super pseudorandom permutations from a single pseudorandom function. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658. Springer, Heidelberg (1992)
13. Vaudenay, S.: Decorrelation: A Theory for Block Cipher Security. J. Cryptology 16(4), 249–286 (2003)
14. Zheng, Y., Matsumoto, T., Imai, H.: Impossibility and optimality results on constructing pseudorandom permutations. In: Quisquater, J.-J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 412–422. Springer, Heidelberg (1990)