XLS is Not a Strong Pseudorandom Permutation

  • Mridul Nandi
Conference paper

DOI: 10.1007/978-3-662-45611-8_25

Part of the Lecture Notes in Computer Science book series (LNCS, volume 8873)
Cite this paper as:
Nandi M. (2014) XLS is Not a Strong Pseudorandom Permutation. In: Sarkar P., Iwata T. (eds) Advances in Cryptology – ASIACRYPT 2014. ASIACRYPT 2014. Lecture Notes in Computer Science, vol 8873. Springer, Berlin, Heidelberg


In FSE 2007, Ristenpart and Rogaway had described a generic method XLS to construct a length-preserving strong pseudorandom permutation (SPRP) over bit-strings of size at least n. It requires a length-preserving permutation \(\mathcal{E}\) over all bits of size multiple of n and a blockcipher E with block size n. The SPRP security of XLS was proved from the SPRP assumptions of both \(\mathcal{E}\) and E. In this paper we disprove the claim by demonstrating a SPRP distinguisher of XLS which makes only three queries and has distinguishing advantage about 1/2. XLS uses a multi-permutation linear function, called mix2. In this paper, we also show that if we replace mix2 by any invertible linear functions, the construction XLS still remains insecure. Thus the mode has inherit weakness.


XLS SPRP Distinguishing Advantage length-preserving encryption 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Copyright information

© International Association for Cryptologic Research 2014

Authors and Affiliations

  • Mridul Nandi
    • 1
  1. 1.Indian Statistical InstituteKolkataIndia

Personalised recommendations