1 Constructing Pseudo-Random Permutations with a Prescribed Structure
Moni Naor, Weizmann Institute; Omer Reingold, AT&T Research

2 Pseudo-Random Permutations
F: {0,1}^k × {0,1}^n → {0,1}^n, (key, domain) → range
F^{-1}: {0,1}^k × {0,1}^n → {0,1}^n, (key, range) → domain
The family Φ_k = {F_S | S ∈ {0,1}^k} is pseudo-random if:
– Invertibility: X = F_S^{-1}(F_S(X)) for every X
– Succinct representation: k ≪ log((2^n)!), the number of bits needed to write down an arbitrary permutation of {0,1}^n
– Efficiently computable: given S one can compute both F_S and F_S^{-1}
– Indistinguishable from random permutations (defined on the next slides)

3 Indistinguishability
The tester T can choose its queries adaptively:
– X_1 and get Y_1 = F_S(X_1)
– Y_2 and get X_2 = F_S^{-1}(Y_2)
– ...
– X_q and get Y_q = F_S(X_q)
Challenge: T has to decide whether F_S ∈_R Φ_k or F_S ∈_R Π(n), where Π(n) = {F | F: {0,1}^n → {0,1}^n is a permutation} is the set of all permutations of {0,1}^n.

4 (t, ε, q)-pseudo-random
Let F be chosen at random from either
(1) Φ_k = {F_S | S ∈ {0,1}^k}, or
(2) Π(n) = {F | F: {0,1}^n → {0,1}^n is a permutation}.
Φ_k is (t, ε, q)-pseudo-random if for all t-time machines T that get to choose q queries (forward or inverse) and try to distinguish (1) from (2):
|Pr[T outputs '1' | F ∈_R Φ_k] − Pr[T outputs '1' | F ∈_R Π(n)]| ≤ ε
We want a family where ε is negligible as long as t and q are not too large.

5 Model: Block Ciphers
Block ciphers: shared-key encryption schemes where the encryption of every plaintext block is a ciphertext block of the same length, i.e. a keyed permutation of the block space.
Important examples: DES, Rijndael (AES).
[figure: Key → block cipher; Plaintext → Ciphertext]

6 Construction of Pseudo-Random Permutations
Defined and constructed by Luby and Rackoff.
Possible to construct p.r. permutations from p.r. functions (and vice versa...).
Based on 4 Feistel permutations, 2 of which should be pseudo-random functions (in the Naor-Reingold variant of Luby-Rackoff the two outer rounds only need to be pairwise independent permutations).
[figure: one Feistel round, (L_1, R_1) → (L_2, R_2) = (R_1, L_1 ⊕ f(R_1))]
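The Feistel construction on this slide, as an added example that is not code from the paper or the talk: a 4-round Feistel permutation whose round functions are a keyed PRF, instantiated here with HMAC-SHA256 (the assumption being that HMAC is a PRF). The block width is a made-up 12 bits so the whole domain can be enumerated to check invertibility; the key is a constructed 256-bit value. The point to see is that decryption runs the same non-invertible round functions backwards, which is why a PRF (rather than a PRP) suffices per round.

```python
import hmac
import hashlib
import math

# Added example (not the paper's code): a 4-round Feistel permutation over
# n = 2w bits whose round functions f_0..f_3 are a keyed PRF, here HMAC-SHA256
# (assumption: HMAC is a PRF). w = 6 keeps the domain small enough (4096
# points) to enumerate, which a real block cipher (n = 128) would not be.
W = 6
HALF_MASK = (1 << W) - 1
N_BITS = 2 * W
ROUNDS = 4


def prf(key: bytes, round_no: int, x: int) -> int:
    """f_r: {0,1}^w -> {0,1}^w. The round number is part of the PRF input so
    the four round functions are independent functions of the same key."""
    digest = hmac.new(key, bytes([round_no, x]), hashlib.sha256).digest()
    return digest[0] & HALF_MASK


def feistel_encrypt(key: bytes, x: int) -> int:
    """F_S(X): each round maps (L, R) -> (R, L xor f_r(R))."""
    left, right = x >> W, x & HALF_MASK
    for r in range(ROUNDS):
        left, right = right, left ^ prf(key, r, right)
    return (left << W) | right


def feistel_decrypt(key: bytes, y: int) -> int:
    """F_S^{-1}(Y): run the rounds backwards. A round is undone by
    (L', R') -> (R' xor f_r(L'), L'), which only evaluates f_r forwards,
    so the round functions never have to be invertible."""
    left, right = y >> W, y & HALF_MASK
    for r in reversed(range(ROUNDS)):
        left, right = right ^ prf(key, r, left), left
    return (left << W) | right


def is_permutation(key: bytes) -> bool:
    """Invertibility check: F_S is injective on the whole domain {0,1}^n."""
    images = {feistel_encrypt(key, x) for x in range(1 << N_BITS)}
    return len(images) == 1 << N_BITS


def roundtrip_ok(key: bytes) -> bool:
    """X = F_S^{-1}(F_S(X)) for every X in the domain."""
    return all(feistel_decrypt(key, feistel_encrypt(key, x)) == x
               for x in range(1 << N_BITS))


def key_bits_vs_table_bits(key: bytes) -> tuple:
    """Succinct representation: |S| in bits versus log2((2^n)!), the bits
    needed to write down an arbitrary permutation of {0,1}^n."""
    table_bits = math.lgamma((1 << N_BITS) + 1) / math.log(2)
    return 8 * len(key), math.ceil(table_bits)


if __name__ == "__main__":
    key = bytes(range(32))  # constructed 256-bit key S, not a real key
    print(is_permutation(key), roundtrip_ok(key), key_bits_vs_table_bits(key))
```

With W = 6 the key is 256 bits while a raw permutation table of {0,1}^12 would need about 43,000 bits, which is the "succinct representation" requirement of slide 2 made concrete.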

7 Permutations with a Prescribed Structure
Example: cyclic permutations
Want to construct a family of permutations that is
– pseudo-random
– cyclic (a single cycle through all 2^n points)
Motivation: a never repeating, random looking sequence X_1, X_2, ..., X_i, ... such that X_{i+1} = F_S(X_i) [Shamir-Tsaban]
[figure: a single cycle through the domain]

8 Permutations with a Prescribed Structure
A cycle type C: a list of how many cycles there are of each size.
Want to construct a family of permutations Φ_C where:
– Each member has cycle type C
– Pseudo-random:
  – Succinct representation: k ≪ log((2^n)!)
  – Efficiently computable: given S one can compute F_S and F_S^{-1}
  – Indistinguishable from random permutations with cycle type C

9 The Construction
To construct Φ_C, a p.r. family of permutations with cycle type C:
Let Φ_k = {F_S | S ∈ {0,1}^k} be a family of pseudo-random permutations.
Let σ be a (fixed) permutation with cycle type C.
Φ_C = {P_S = F_S^{-1} ∘ σ ∘ F_S | S ∈ {0,1}^k}
To evaluate P_S(X): compute F_S^{-1}(σ(F_S(X)))
To evaluate P_S^{-1}(Y): compute F_S^{-1}(σ^{-1}(F_S(Y)))

10 The Construction...
Example: the cyclic permutation σ(X) = X + 1 mod 2^n
Complexity of evaluation:
– Two invocations of F_S (one in each direction)
– One invocation of σ

11 Why does it work?
Well known theorem from elementary group theory: for any two permutations σ and π, σ and π ∘ σ ∘ π^{-1} have the same cycle type (conjugation only relabels the points, so every cycle of σ is carried to a cycle of the same length).
Prove a stronger statement:
Theorem 1: For any permutation σ with cycle type C, let π be a uniformly random permutation. Then the permutation π ∘ σ ∘ π^{-1} is uniformly distributed over the permutations with cycle type C.
(The construction is the case π = F_S^{-1}.)

12 Security of the Construction
Theorem 2: Suppose that adversary D can distinguish with advantage ε whether a given permutation is ∈_R Φ_C or a random permutation of type C. Then there is a D' that can distinguish the family Φ_k from Π(n) with advantage ε.
Running time of D' is t' ≈ running time of D + t_σ, where t_σ is the time needed to evaluate σ and σ^{-1} on D's queries.

13 Proof by Simulation
D' is given π as a black box (π is either some F_S or a random permutation). It simulates D on π^{-1} ∘ σ ∘ π:
– When D queries a point X: D' requests π(X) and then π^{-1} at the point σ(π(X))
– When D queries the inverse of a point X: D' requests π(X) and then π^{-1} at the point σ^{-1}(π(X))
– D' outputs the same guess as D
When π is F_S, D sees exactly P_S ∈_R Φ_C; when π is a random permutation, by Theorem 1 D sees a uniformly random permutation of type C. So the distinguishing probabilities are identical.

14 Involutions
An involution is a permutation that is self-inverse.
When used for encryption, the encryption and decryption operations are identical.
Let σ(X) = X + 1 if X is even and σ(X) = X − 1 if X is odd.
The resulting Φ_I is a family of involutions with no fixed points.

15 Combinatorial Randomness
(Almost) t-wise independence is the combinatorial counterpart of (cryptographic) pseudo-randomness.
If instead of Φ_k a family H of 2t-wise independent permutations is used, the result is a t-wise independent family of permutations with cycle type C (each evaluation of P_S makes two calls to the underlying permutation, so t queries to P_S touch 2t points of H).
If an approximation to 2t-wise independence is used, a similar approximation holds for Φ_C.

16 Fast Forward
Possible to iterate P_S ∈ Φ_C with 'zero' cost:
P_S^{(m)}(X) = F_S^{-1}(σ(F_S(F_S^{-1}(σ(... F_S(X) ...))))) = F_S^{-1}(σ^{(m)}(F_S(X)))
The inner F_S ∘ F_S^{-1} pairs cancel, so iterating P_S is the same as iterating σ.
In the case of the cyclic permutation: P_S^{(m)}(X) = F_S^{-1}(F_S(X) + m mod 2^n)
Also easy to check whether X_1 and X_2 are in the same cycle.
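The construction of slides 9-10, the cycle-type invariance of slide 11, the involution family of slide 14 and the fast-forward identity of this slide, as one added example that is not code from the paper or the talk. The domain is {0, ..., N−1} with a made-up N = 256 so whole permutations can be tabulated, and F_S is modelled by a uniformly random permutation table drawn from a seeded PRNG (a stand-in, not a cryptographic PRP: Theorem 1 is stated for a truly random permutation, and a PRP only has to be indistinguishable from one). The seed, the sample point 42 and the iteration count 100000 are constructed inputs.

```python
import random
from collections import Counter

# Added example (not the paper's code): P_S = F_S^{-1} o sigma o F_S on
# {0,...,N-1}, N = 2^n, with N = 256 so that every permutation can be
# tabulated. F_S is a uniformly random permutation table from a seeded PRNG,
# a stand-in for the PRP (assumption for illustration only).
N = 256


def random_permutation(seed: int):
    """Stand-in for F_S: returns the tables (F, F_inv)."""
    F = list(range(N))
    random.Random(seed).shuffle(F)
    F_inv = [0] * N
    for x, y in enumerate(F):
        F_inv[y] = x
    return F, F_inv


def cycle_type(P) -> Counter:
    """Cycle type C of the permutation table P: count of cycles per length."""
    seen = [False] * N
    lengths = Counter()
    for start in range(N):
        if seen[start]:
            continue
        length, x = 0, start
        while not seen[x]:
            seen[x] = True
            x = P[x]
            length += 1
        lengths[length] += 1
    return lengths


# Two choices of sigma from the slides.
def sigma_cyclic(x):      # slide 10: sigma(X) = X + 1 mod N, one cycle of length N
    return (x + 1) % N


def sigma_cyclic_inv(x):
    return (x - 1) % N


def sigma_involution(x):  # slide 14: X+1 if X even, X-1 if odd; no fixed points
    return x + 1 if x % 2 == 0 else x - 1


def conjugate(F, F_inv, sigma):
    """P_S(X) = F_S^{-1}(sigma(F_S(X)))."""
    return lambda x: F_inv[sigma(F[x])]


def conjugate_inv(F, F_inv, sigma_inv):
    """P_S^{-1}(Y) = F_S^{-1}(sigma^{-1}(F_S(Y)))."""
    return lambda y: F_inv[sigma_inv(F[y])]


def tabulate(P):
    return [P(x) for x in range(N)]


def fast_forward_cyclic(F, F_inv, x: int, m: int) -> int:
    """P_S^{(m)}(X) = F_S^{-1}(F_S(X) + m mod N): cost independent of m."""
    return F_inv[(F[x] + m) % N]


def same_cycle_involution(F, x1: int, x2: int) -> bool:
    """For the involution, X1 and X2 share a cycle iff F_S(X1) and F_S(X2)
    form a pair {2j, 2j+1}; no evaluation of P_S is needed."""
    return F[x1] // 2 == F[x2] // 2


def demo(seed: int = 7) -> dict:
    F, F_inv = random_permutation(seed)
    P = conjugate(F, F_inv, sigma_cyclic)
    P_inv = conjugate_inv(F, F_inv, sigma_cyclic_inv)
    I = conjugate(F, F_inv, sigma_involution)
    x, m = 42, 100_000               # constructed inputs
    y = x
    for _ in range(m):               # the slow way: m evaluations of P_S
        y = P(y)
    return {
        "cyclic_type": cycle_type(tabulate(P)),
        "inverse_ok": all(P_inv(P(v)) == v for v in range(N)),
        "involution_type": cycle_type(tabulate(I)),
        "involution_no_fixed_points": all(I(v) != v for v in range(N)),
        "fast_forward_matches_iteration": fast_forward_cyclic(F, F_inv, x, m) == y,
    }


if __name__ == "__main__":
    print(demo())
```

Whatever seed is used, the conjugate of the cyclic σ is again a single N-cycle and the conjugate of the involution is again N/2 transpositions, which is the group-theoretic fact of slide 11; the fast-forward check shows that 100000 iterations of P_S collapse to one table lookup each of F_S and F_S^{-1}.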

17 Open Problems
Fast forward property for permutations with no prescribed cycle type.
– Sufficient to find the right distribution on cycle types.
Fast forward property for pseudo-random functions.
– Algorithmic applications: Pollard's ρ, Hellman's time-space tradeoff
– Caveat: does not necessarily improve them
Construct a pseudo-random permutation of size N' < N given one of size N.

18 ...Open Problems
Other combinatorial structures: is it possible to generate a succinct/implicit representation that looks random of
– Pseudo-random graphs: G_{n,p} or bounded degree
– Involution: d-regular, d-colorable
– Latin squares: a 2^n × 2^n matrix where each row and each column is a permutation of {0,1}^n
– Non-trivial even for the non-implicit case