We consider the cryptographic problem of constructing an invertible random permutation from a public random function (i.e., one which can be accessed by the adversary). This goal is formalized by the notion of indifferentiability of Maurer et al. (TCC 2004). This is the natural extension to the public setting of the well-studied problem of building random permutations from random functions, which was first solved by Luby and Rackoff (SIAM J. Comput., '88) using the so-called Feistel construction. The most important implication of such a construction is the equivalence of the random oracle model (Bellare and Rogaway, CCS '93) and the ideal cipher model, which is typically used in the analysis of several constructions in symmetric cryptography. Coron et al. (CRYPTO 2008) gave a rather involved proof that the six-round Feistel construction with independent random round functions is indifferentiable from an invertible random permutation. Also, it is known that fewer than six rounds do not suffice for indifferentiability. The first contribution (and starting point) of our paper is a concrete distinguishing attack which shows that the indifferentiability proof of Coron et al. is not correct. In addition, we provide supporting evidence that an indifferentiability proof for the six-round Feistel construction may be very hard to find. To overcome this gap, our main contribution is a proof that the Feistel construction with eighteen rounds is indifferentiable from an invertible random permutation. The approach of our proof relies on assigning to each of the rounds in the construction a unique and specific role needed in the proof. This avoids many of the problems that appear in the six-round case.
Many cryptographic security proofs rely on the assumption that a concrete cryptographic function (e.g. a block cipher or a hash function) behaves as a random primitive, i.e., an ideal object which answers queries "randomly". A typical example is a random function $F: \{0,1\}^m \to \{0,1\}^n$, which associates with each $m$-bit input $x$ a uniformly distributed $n$-bit value $F(x)$. We speak of a random oracle if the domain consists of all strings of finite length, rather than all $m$-bit ones. A random permutation $P: \{0,1\}^n \to \{0,1\}^n$ is another example: It behaves as a uniformly-chosen permutation from the set of all permutations on $\{0,1\}^n$, allowing both forward queries $P(x)$ and backward queries $P^{-1}(y)$.
Many results in cryptography can be recast as finding an explicit construction of a random primitive from another one in a purely information-theoretic setting. For instance, the core of Luby and Rackoff's seminal result [LR88] on building pseudorandom permutations from pseudorandom functions (a computational statement) is a construction of a random permutation from random functions via the $r$-round Feistel construction $\Psi_r$: It implements a permutation taking a $2n$-bit input $(L_0, R_0)$ (where $L_0, R_0$ are $n$-bit values), and the output $(L_r, R_r)$ is computed via $r$ rounds mapping $L_i, R_i$ to $L_{i+1}, R_{i+1}$ as
where $F_1, \dots, F_r: \{0,1\}^n \to \{0,1\}^n$ are so-called round functions. The main statement of [LR88] is that if the round functions are independent random functions, then $\Psi_3$ is information-theoretically indistinguishable from a random permutation which does not allow backward queries, whereas $\Psi_4$ is indistinguishable from a full-fledged random permutation.
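The $r$-round Feistel construction $\Psi_r$ described above, as an added example that is not part of the paper: the round functions are lazily sampled random functions (a fresh uniform $n$-bit output on each new input), the round rule assumed is the standard Luby-Rackoff one ($L_{i+1} = R_i$, $R_{i+1} = L_i \oplus F_{i+1}(R_i)$), and an exhaustive check for tiny $n$ confirms that the result is an invertible permutation on $\{0,1\}^{2n}$ whose inverse needs only forward queries to the $F_i$.

```python
import random


class RandomFunction:
    """Lazily sampled random function F: {0,1}^n -> {0,1}^n.

    A fresh input gets a uniform n-bit output on its first query and the same
    output afterwards; the table is the whole state, so it is publicly queryable.
    """

    def __init__(self, n, rng):
        self.n = n
        self.rng = rng
        self.table = {}

    def __call__(self, x):
        if x not in self.table:
            self.table[x] = self.rng.getrandbits(self.n)
        return self.table[x]


class Feistel:
    """r-round Feistel permutation Psi_r on 2n-bit inputs (L_0, R_0)."""

    def __init__(self, n, r, seed=None):
        self.n = n
        rng = random.Random(seed)  # seed only for reproducibility of the example
        self.rounds = [RandomFunction(n, rng) for _ in range(r)]  # F_1, ..., F_r

    def forward(self, L, R):
        # Assumed standard round: L_{i+1} = R_i, R_{i+1} = L_i XOR F_{i+1}(R_i)
        for F in self.rounds:
            L, R = R, L ^ F(R)
        return L, R

    def backward(self, L, R):
        # Undo the rounds in reverse order; each step re-queries F_i forward,
        # which is why Psi_r is invertible even though the F_i are not.
        for F in reversed(self.rounds):
            L, R = R ^ F(L), L
        return L, R


def check_permutation(psi):
    """Exhaustively verify (feasible only for tiny n) that forward is injective
    on all 2^(2n) inputs and that backward inverts it everywhere."""
    size = 1 << psi.n
    seen = set()
    for L in range(size):
        for R in range(size):
            out = psi.forward(L, R)
            if out in seen or psi.backward(*out) != (L, R):
                return False
            seen.add(out)
    return len(seen) == size * size
```

Invertibility holds for every $r \geq 1$; what the check does not show is how many rounds are needed for $\Psi_r$ to look like a random permutation, which is exactly the question the text goes on to discuss.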
Random primitives are frequently employed to model an idealized cryptographic function accessible by all parties in the scenario at hand, including the adversary. The most prominent example is the Random Oracle Model [BR93], where a random oracle models an ideal hash function. Although it is known that no concrete hash function can achieve the functionality of a random oracle [CGH04] (see also [MRH04]), security proofs in the random oracle model provide a common heuristic as to which schemes are expected to remain secure when the random oracle is instantiated with a concrete hash function. In fact, to date, many widely employed practical schemes, such as OAEP [BR94] and FDH [BR96], only enjoy security proofs in the random oracle model.
The ideal cipher model is another widespread model in which all parties are granted access to an ideal cipher $E: \{0,1\}^\kappa \times \{0,1\}^n \to \{0,1\}^n$, a random primitive such that the restrictions $E(k, \cdot)$ for $k \in \{0,1\}^\kappa$ are $2^\kappa$ independent random permutations. Application examples of the ideal cipher model range from the analysis of block-cipher based hash function constructions (see, for example, [BRS02]) to disproving the existence of generic attacks against constructions such as cascade encryption [BR06,GM09] and to studying generic related-key attacks [BK03].
Equivalence of models and indifferentiability. This paper addresses the fundamental question of determining whether the random oracle model and the ideal cipher model are equivalent, where equivalence is to be understood within a simulation-based security framework such as [Can01]: In other words, we aim at answering the following two questions:
(1) Can we find a construction $C_1$, which uses an ideal cipher $E$, such that $C_1^E$ is "as good as" a random oracle $R$, meaning that any secure cryptographic scheme using $R$ remains secure when using $C_1^E$ instead?
(2) Conversely, is there $C_2$ such that $C_2^R$ is "as good as" an ideal cipher $E$?
Indistinguishability is not sufficient to satisfy the above requirement of being "as good as", as the adversary can exploit access to the underlying primitive. Instead, the stronger notion of indifferentiability due to Maurer et al. [MRH04] is needed: the system $C_1^E$ is indifferentiable from $R$ if there exists a simulator $S$ accessing $R$ such that $(C_1^E, E)$ and $(R, S^R)$ are information-theoretically indistinguishable. This is equivalent to stating that the adversary is able to locally simulate the ideal cipher consistently with $R$, given only access to the random oracle and without knowledge of the queries to $R$ of the honest users. Of course, indifferentiability generalizes to arbitrary primitives: The definition of $C_2^R$ being indifferentiable from $E$ is analogous.
Prior work and applications. Question (1) above is, to date, well understood: Coron et al. [CDMP05], and a long series of subsequent work, have presented several constructions of random oracles from ideal ciphers based on hash-function constructions such as the Merkle-Damgård construction [Mer89,Dam89] with block-cipher based compression functions. In particular, indifferentiability has become a de-facto standard security requirement for hash function constructions, generally interpreted as the absence of generic attacks against the construction treating the bloc