XLS is Not a Strong Pseudorandom Permutation

  • Mridul Nandi
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8873)


In FSE 2007, Ristenpart and Rogaway described a generic method, XLS, for constructing a length-preserving strong pseudorandom permutation (SPRP) over bit-strings of length at least n. It requires a length-preserving permutation \(\mathcal{E}\) over all bit-strings whose length is a multiple of n, and a blockcipher E with block size n. The SPRP security of XLS was proved under the SPRP assumptions on both \(\mathcal{E}\) and E. In this paper we disprove that claim by demonstrating an SPRP distinguisher against XLS which makes only three queries and has distinguishing advantage of about 1/2. XLS uses a multi-permutation linear function, called mix2. We also show that if mix2 is replaced by any invertible linear function, the XLS construction still remains insecure. Thus the mode has an inherent weakness.


Keywords: XLS; SPRP; distinguishing advantage; length-preserving encryption




  1.
  2. Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Tischhauser, E., Yasuda, K.: Parallelizable and authenticated online ciphers. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 424–443. Springer, Heidelberg (2013)
  3. Chakraborty, D., Sarkar, P.: HCH: A new tweakable enciphering scheme using the hash-encrypt-hash approach. In: Barua, R., Lange, T. (eds.) INDOCRYPT 2006. LNCS, vol. 4329, pp. 287–302. Springer, Heidelberg (2006)
  4. Cook, D.L., Yung, M., Keromytis, A.D.: Elastic AES. IACR Cryptology ePrint Archive, Report 2004/141 (2004)
  5. Cook, D.L., Yung, M., Keromytis, A.D.: Elastic block ciphers: method, security and instantiations. Int. J. Inf. Sec. 8(3), 211–231 (2009)
  6. Daemen, J., Lamberger, M., Pramstaller, N., Rijmen, V., Vercauteren, F.: Computational aspects of the expected differential probability of 4-round AES and AES-like ciphers. Computing 85(1-2), 85–104 (2009)
  7. Halevi, S.: EME*: Extending EME to handle arbitrary-length messages with associated data. In: Canteaut, A., Viswanathan, K. (eds.) INDOCRYPT 2004. LNCS, vol. 3348, pp. 315–327. Springer, Heidelberg (2004)
  8. Halevi, S.: TET: A wide-block tweakable mode based on Naor-Reingold. Cryptology ePrint Archive, Report 2007/014 (2007), http://eprint.iacr.org/
  9. Halevi, S., Rogaway, P.: A tweakable enciphering mode. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 482–499. Springer, Heidelberg (2003)
  10. Halevi, S., Rogaway, P.: A parallelizable enciphering mode. In: Okamoto, T. (ed.) CT-RSA 2004. LNCS, vol. 2964, pp. 292–304. Springer, Heidelberg (2004)
  11. Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 31–46. Springer, Heidelberg (2002)
  12. Luby, M., Rackoff, C.: How to construct pseudo-random permutations from pseudo-random functions. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, p. 447. Springer, Heidelberg (1986)
  13. McGrew, D.A., Fluhrer, S.R.: The extended codebook (XCB) mode of operation. Cryptology ePrint Archive, Report 2004/278 (2004), http://eprint.iacr.org/
  14. Nandi, M.: A generic method to extend message space of a strong pseudorandom permutation. Computación y Sistemas 12(3) (2009)
  15. Ristenpart, T., Rogaway, P.: How to enrich the message space of a cipher. In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 101–118. Springer, Heidelberg (2007)
  16. Sarkar, P.: Improving upon the TET mode of operation. In: Nam, K.-H., Rhee, G. (eds.) ICISC 2007. LNCS, vol. 4817, pp. 180–192. Springer, Heidelberg (2007)
  17. Wang, P., Feng, D., Wu, W.: HCTR: A variable-input-length enciphering mode. In: Feng, D., Lin, D., Yung, M. (eds.) CISC 2005. LNCS, vol. 3822, pp. 175–188. Springer, Heidelberg (2005)

Copyright information

© International Association for Cryptologic Research 2014

Authors and Affiliations

  • Mridul Nandi (1)
  1. Indian Statistical Institute, Kolkata, India
