Substitution-Permutation Networks, Pseudorandom Functions, and Natural Proofs

  • Eric Miles
  • Emanuele Viola
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7417)


This paper takes a new step towards closing the troubling gap between pseudorandom functions (PRF) and their popular, bounded-input-length counterparts. This gap is both quantitative, because these counterparts are more efficient than PRF in various ways, and methodological, because these counterparts usually fit in the substitution-permutation network paradigm (SPN) which has not been used to construct PRF.

We give several candidate PRF \(\mathcal {F}_i\) that are inspired by the SPN paradigm. This paradigm involves a “substitution function” (S-box). Our main candidates are:

\(\mathcal {F}_1 : \{0, 1\}^n \rightarrow \{0, 1\}^n\) is an SPN whose S-box is a random function on b bits given as part of the seed. We prove unconditionally that \(\mathcal {F}_1\) resists attacks that run in time \(\le 2^{\epsilon b}\). Setting \(b = \omega (\lg n)\) we obtain an inefficient PRF, which however seems to be the first such construction using the SPN paradigm.

\(\mathcal {F}_2 : \{0, 1\}^n \rightarrow \{0, 1\}^n\) is an SPN where the S-box is (patched) field inversion, a common choice in practical constructions. \(\mathcal {F}_2\) is computable with Boolean circuits of size \(n \cdot \log ^{O(1)} n\), and in particular with seed length \(n \cdot \log ^{O(1)} n\). We prove that this candidate has exponential security \(2^{\Omega (n)}\) against linear and differential cryptanalysis.

\(\mathcal {F}_3 : \{0, 1\}^n \rightarrow \{0, 1\}\) is a non-standard variant on the SPN paradigm, where “states” grow in length. \(\mathcal {F}_3\) is computable with size \(n^{1+\epsilon }\), for any \(\epsilon > 0\), in the restricted circuit class \(\mathrm {TC}^0\) of unbounded fan-in majority circuits of constant-depth. We prove that \(\mathcal {F}_3\) is almost 3-wise independent.

\(\mathcal {F}_4 : \{0, 1\}^n \rightarrow \{0, 1\}\) uses an extreme setting of the SPN parameters (one round, one S-box, no diffusion matrix). The S-box is again (patched) field inversion. We prove that this candidate fools all parity tests that look at \(\le 2^{0.9n}\) outputs.
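The SPN building blocks named above, as an added worked example that is not code from the paper: a toy network over b = 8-bit words with w = 4 words (n = 32 bits), a key-addition layer, an S-box that is either a random permutation fixed by the seed (the shape of F_1) or patched field inversion in GF(2^8) (the shape of F_2 and F_4), and a circulant diffusion matrix over GF(2^8). Every concrete parameter is an assumption: the field polynomial x^8+x^4+x^3+x+1 and the MixColumns circulant (2,3,1,1) are borrowed from AES, and the "seed" is simply the list of round keys. The differential_uniformity check computes the single-S-box quantity on which differential-cryptanalysis bounds for SPNs are built.

```python
"""Toy substitution-permutation network (SPN): key addition, a b-bit S-box on
each word, and a linear diffusion matrix over GF(2^b).  Added illustration,
not the paper's code.  Assumed: b = 8, w = 4 (n = 32), the AES field
polynomial, the AES MixColumns circulant, round keys passed in as the seed."""
import random

B = 8                        # S-box width in bits (the paper's b)
W = 4                        # words per state; n = W * B = 32
POLY = 0x11B                 # x^8 + x^4 + x^3 + x + 1 (assumed)
MIX = (2, 3, 1, 1)           # first row of the circulant diffusion matrix
MIX_INV = (14, 11, 13, 9)    # first row of its inverse


def gf_mul(a, b, bits=B, poly=POLY):
    """Multiply in GF(2^bits) modulo the irreducible polynomial `poly`."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> bits:        # degree overflowed: reduce once
            a ^= poly
    return r


def gf_inv(x, bits=B, poly=POLY):
    """Patched field inversion: 0 -> 0, else x^(2^bits - 2) = x^(-1)."""
    if x == 0:
        return 0
    result, base, e = 1, x, (1 << bits) - 2
    while e:                 # square-and-multiply
        if e & 1:
            result = gf_mul(result, base, bits, poly)
        base = gf_mul(base, base, bits, poly)
        e >>= 1
    return result


def inversion_sbox(bits=B, poly=POLY):
    """S-box of the F_2 / F_4 kind: the lookup table of patched inversion."""
    return [gf_inv(x, bits, poly) for x in range(1 << bits)]


def seeded_random_sbox(seed, bits=B):
    """S-box of the F_1 kind: a random permutation of b bits fixed by the seed.
    random.Random is a toy stand-in for seed material, not a cryptographic PRG."""
    table = list(range(1 << bits))
    random.Random(seed).shuffle(table)
    return table


def differential_uniformity(sbox):
    """Largest #{x : S(x) ^ S(x ^ a) == c} over nonzero input differences a
    and all output differences c; divided by len(sbox) it is the best
    one-S-box differential probability.  Inversion in GF(2^8) gives 4."""
    n = len(sbox)
    worst = 0
    for a in range(1, n):
        counts = [0] * n
        for x in range(n):
            counts[sbox[x] ^ sbox[x ^ a]] += 1
        worst = max(worst, max(counts))
    return worst


def mix(state, row):
    """Circulant matrix over GF(2^B): entry (i, j) is row[(j - i) mod W]."""
    out = []
    for i in range(W):
        acc = 0
        for j in range(W):
            acc ^= gf_mul(row[(j - i) % W], state[j])
        out.append(acc)
    return out


def spn_encrypt(block, round_keys, sbox):
    """`block` and each round key are lists of W words of B bits.  After an
    initial key addition, len(round_keys) - 1 rounds of S-box, diffusion and
    key addition follow; the last round omits diffusion, as in AES."""
    rounds = len(round_keys) - 1
    state = [x ^ k for x, k in zip(block, round_keys[0])]
    for r in range(1, rounds + 1):
        state = [sbox[x] for x in state]
        if r < rounds:
            state = mix(state, MIX)
        state = [x ^ k for x, k in zip(state, round_keys[r])]
    return state


def spn_decrypt(block, round_keys, sbox):
    """Undo spn_encrypt: the SPN is a permutation because each layer is one."""
    inv_sbox = [0] * len(sbox)
    for x, y in enumerate(sbox):
        inv_sbox[y] = x
    rounds = len(round_keys) - 1
    state = [x ^ k for x, k in zip(block, round_keys[rounds])]
    for r in range(rounds, 0, -1):
        if r < rounds:
            state = mix(state, MIX_INV)
        state = [inv_sbox[x] for x in state]
        state = [x ^ k for x, k in zip(state, round_keys[r - 1])]
    return state
```

Usage: `spn_encrypt([0xDE, 0xAD, 0xBE, 0xEF], keys, inversion_sbox())` with `keys` a list of four 4-word round keys runs three rounds; `differential_uniformity(inversion_sbox())` returns 4, the value behind the 2^-6 per-S-box differential probability of patched inversion on 8 bits, whereas a seed-derived random S-box typically scores somewhat higher. The one-round, single-S-box, no-diffusion shape of F_4 corresponds to `W = 1` with a single S-box covering the whole n-bit state, which this toy does not model because its S-box width is fixed at 8 bits.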

Assuming the security of our candidates, our work also narrows the gap between the “Natural Proofs barrier” [Razborov & Rudich; JCSS ’97] and existing lower bounds, in three models: unbounded-depth circuits, \(\mathrm {TC}^0\) circuits, and Turing machines. In particular, the efficiency of the circuits computing \(\mathcal {F}_3\) is related to a result by Allender and Koucký [JACM ’10], who show that a lower bound for such circuits would imply a lower bound for \(\mathrm {TC}^0\).




References

  1. Aaronson, S., Wigderson, A.: Algebrization: a new barrier in complexity theory. In: 40th ACM Symp. on the Theory of Computing, STOC, pp. 731–740 (2008)
  2. Allender, E., Koucký, M.: Amplifying lower bounds by means of self-reducibility. J. of the ACM 57(3) (2010)
  3. Alon, N., Goldreich, O., Håstad, J., Peralta, R.: Simple constructions of almost \(k\)-wise independent random variables. Random Structures & Algorithms 3(3), 289–304 (1992)
  4. Baker, T., Gill, J., Solovay, R.: Relativizations of the P=? NP question. SIAM J. Comput. 4(4), 431–442 (1975)
  5. Bazzi, L.M.J.: Polylogarithmic independence can fool DNF formulas. SIAM J. Comput. 38(6), 2220–2272 (2009)
  6. Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. Journal of Cryptology 4(1), 3–72 (1991)
  7. Braverman, M.: Poly-logarithmic independence fools \(AC^0\) circuits. In: 24th IEEE Conf. on Computational Complexity, CCC. IEEE (2009)
  8. Brodsky, A., Hoory, S.: Simple permutations mix even better. Random Struct. Algorithms 32(3), 274–289 (2008)
  9. Cho, H.-S., Sung, S.H., Kwon, D., Lee, J.-K., Song, J.H., Lim, J.: New Method for Bounding the Maximum Differential Probability for SPNs and ARIA. In: Park, C., Chee, S. (eds.) ICISC 2004. LNCS, vol. 3506, pp. 21–32. Springer, Heidelberg (2005)
  10. Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Springer (2002)
  11. Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. J. Cryptology 10(3), 151–162 (1997)
  12. Gao, S., von zur Gathen, J., Panario, D., Shoup, V.: Algorithms for exponentiation in finite fields. J. Symb. Comput. 29(6), 879–889 (2000)
  13. Gauravaram, P., Knudsen, L.R., Matusiewicz, K., Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.S.: Grøstl: a SHA-3 candidate (2011)
  14. Gentry, C., Ramzan, Z.: Eliminating Random Permutation Oracles in the Even-Mansour Cipher. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 32–47. Springer, Heidelberg (2004)
  15. Gerasoulis, A.: A fast algorithm for the multiplication of generalized Hilbert matrices with vectors. Mathematics of Computation 50, 179–188 (1988)
  16. Goldreich, O.: Foundations of Cryptography: Volume 1, Basic Tools. Cambridge University Press (2001)
  17. Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. of the ACM 33(4), 792–807 (1986)
  18. Goldreich, O., Levin, L.: A hard-core predicate for all one-way functions. In: 21st ACM Symp. on the Theory of Computing, STOC, pp. 25–32 (1989)
  19. Gowers, W.: An almost \(m\)-wise independent random permutation of the cube. Combinatorics, Probability and Computing 5(2), 119–130 (1996)
  20. Haitner, I., Reingold, O., Vadhan, S.P.: Efficiency improvements in constructing pseudorandom generators from one-way functions. In: 42nd ACM Symp. on the Theory of Computing, STOC, pp. 437–446 (2010)
  21. Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)
  22. Healy, A., Viola, E.: Constant-Depth Circuits for Arithmetic in Finite Fields of Characteristic Two. In: Durand, B., Thomas, W. (eds.) STACS 2006. LNCS, vol. 3884, pp. 672–683. Springer, Heidelberg (2006)
  23. Hesse, W., Allender, E., Barrington, D.A.M.: Uniform constant-depth threshold circuits for division and iterated multiplication. J. Comput. System Sci. 65(4), 695–716 (2002); Special issue on complexity, 2001 (Chicago, IL)
  24. Hoory, S., Magen, A., Myers, S., Rackoff, C.: Simple permutations mix well. Theor. Comput. Sci. 348(2-3), 251–261 (2005)
  25. Jakobsen, T., Knudsen, L.: Attacks on block ciphers of low algebraic degree. Journal of Cryptology 14, 197–210 (2001)
  26. Kang, J.S., Hong, S., Lee, S., Yi, O., Park, C., Lim, J.: Practical and provable security against differential and linear cryptanalysis for substitution-permutation networks. ETRI Journal 23(4), 158–167 (2001)
  27. Keliher, L., Meijer, H., Tavares, S.: New Method for Upper Bounding the Maximum Average Linear Hull Probability for SPNs. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 420–436. Springer, Heidelberg (2001)
  28. Knudsen, L.R.: Truncated and Higher Order Differentials. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1995)
  29. Kopparty, S.: On the complexity of powering in finite fields. In: ACM Symp. on the Theory of Computing, STOC (2011)
  30. Kushilevitz, E., Nisan, N.: Communication complexity. Cambridge University Press (1997)
  31. Luby, M., Rackoff, C.: How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Comput. 17(2), 373–386 (1988)
  32. Matsui, M.: Linear Cryptanalysis Method for DES Cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994)
  33. Naor, J., Naor, M.: Small-bias probability spaces: efficient constructions and applications. SIAM J. Comput. 22(4), 838–856 (1993)
  34. Naor, M., Reingold, O.: On the construction of pseudorandom permutations: Luby-Rackoff revisited. J. Cryptology 12(1), 29–66 (1999)
  35. Naor, M., Reingold, O.: Number-theoretic constructions of efficient pseudo-random functions. J. of the ACM 51(2), 231–262 (2004)
  36. Nyberg, K.: Differentially Uniform Mappings for Cryptography. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 55–64. Springer, Heidelberg (1994)
  37. Pieprzyk, J.: On bent permutations. In: Proceedings of the International Conference on Finite Fields, Coding Theory, and Advances in Communications and Computing, Las Vegas (August 1991)
  38. Ramzan, Z., Reyzin, L.: On the Round Security of Symmetric-Key Cryptographic Primitives. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 376–393. Springer, Heidelberg (2000)
  39. Razborov, A., Rudich, S.: Natural proofs. J. of Computer and System Sciences 55(1), 24–35 (1997)
  40. Razborov, A.A.: A simple proof of Bazzi’s theorem. ACM Transactions on Computation Theory (TOCT) 1(1) (2009)
  41. Roth, R.M., Seroussi, G.: On generator matrices of MDS codes. IEEE Transactions on Information Theory 31, 826–830 (1985)
  42. Shannon, C.: Communication theory of secrecy systems. Bell Systems Technical Journal 28(4), 656–715 (1949)
  43. Vadhan, S.P., Zheng, C.J.: Characterizing pseudoentropy and simplifying pseudorandom generator constructions. In: ACM Symp. on the Theory of Computing, STOC (2012)
  44. Williams, R.: Non-uniform ACC lower bounds. In: IEEE Conf. on Computational Complexity, CCC (2011)
  45. Wu, H.: The hash function JH (2011)

Copyright information

© International Association for Cryptologic Research 2012

Authors and Affiliations

  1. Northeastern University, Boston, USA
