Full Indifferentiable Security of the Xor of Two or More Random Permutations Using the χ2 Method
Srimanta Bhattacharya and Mridul Nandi
Indian Statistical Institute, Kolkata.
Eurocrypt 2018 Tel Aviv, Israel 30th April, 2018
Outline
1 Introduction: Motivation; XORP and XORP[k]; Indifferentiability; Techniques
2 Simulator and Transcript: Simulator for XORP; Transcript to the Adversary
3 Main Result: Indifferentiability of XORP: Result and Outline
4 Indifferentiability of XORP[k]
5 Conclusion
Srimanta Bhattacharya and Mridul Nandi Full Indifferentiable Security of the Xor of Random Permutations
Luby-Rackoff Backwards
How to construct a PRF from a PRP?
Converse to the work of Luby and Rackoff. Well motivated.
PRFs are much needed (Goldreich et al., 1985). PRPs are available.
Is a PRP a good PRF? Only up to birthday-bound security.
Initiated by Bellare et al., 1998.
Two sequential block cipher calls (in Bellare et al., 1998) achieve birthday-bound security.
Beyond-birthday security is non-trivial!
XORP and XORP[k], k ≥ 3
Construction
Perm: the set of all permutations.
$\Pi_0, \Pi_1 \leftarrow_{\$} \mathrm{Perm}$. $\mathrm{XORP}(x) = \Pi_0(x) \oplus \Pi_1(x)$.
$\Pi_0, \ldots, \Pi_{k-1} \leftarrow_{\$} \mathrm{Perm}$. $\mathrm{XORP}[k](x) = \bigoplus_{i=0}^{k-1} \Pi_i(x)$.
Applications
CENC (Iwata, 2006; Iwata et al., 2016), PMAC_Plus (Yasuda, 2011), ZMAC (Iwata et al., 2017).
PRF-Security: Indistinguishability
(Figure: the adversary A interacts with either XORP or the random function $.)
$\mathrm{Adv}^{\mathrm{prf}}_{\mathrm{XORP}}(A) := \big|\Pr[A^{\mathrm{XORP}} \to 1] - \Pr[A^{\$} \to 1]\big|$
Focus on information theoretic security of XORP.
A computationally unbounded. A deterministic.
Restrict A to q queries. XORP and $ return $X^q_1 = (X_{1,1}, \ldots, X_{1,q})$ and $X^q_2 = (X_{2,1}, \ldots, X_{2,q}) \in \Omega^q$ respectively.
$\mathrm{Adv}^{\mathrm{prf}}_{\mathrm{XORP}[k]}(A) \le \max_{E \subseteq \Omega^q} \sum_{x^q \in E} \big(\Pr[X^q_1 = x^q] - \Pr[X^q_2 = x^q]\big)$.
Upper Bounds on $\mathrm{Adv}^{\mathrm{prf}}_{\mathrm{XORP}}(A)$ and $\mathrm{Adv}^{\mathrm{prf}}_{\mathrm{XORP}[k]}(A)$
Bellare and Impagliazzo, 1999: $O\big(n q^{3/2} / N^{3/2}\big)$ for XORP.
Lucks, 2000: $O\big(q^{k+1} / N^{k}\big)$ for XORP[k], k ≥ 2.
Patarin, 2008, Patarin, 2013: $O(q/N)$.
Cogliati et al., 2014: $O\big(q^{k+2} / N^{k+1}\big)$, $O\big((k q^{2k+2} / N^{2k+1})^{3}\big)$ for XORP[k].
Dai et al., 2017: $O(q/N)$ for XORP.
Mennink and Preneel, 2015: $\mathrm{Adv}^{\mathrm{prf}}_{\mathrm{XORP}[k]}(A) = \mathrm{Adv}^{\mathrm{prf}}_{\mathrm{XORP}}(A)$.
Moving from Secret to Public Permutation
In the PRF-security (indistinguishability) setting the permutations remain secret.
Motivation behind making the permutations public:
Sometimes block ciphers are instantiated with fixed keys.
Many unkeyed permutations are designed as the underlying primitive of encryption (Bertoni et al., 2011a), MACs (Bertoni et al., 2011b) and hash functions (Bertoni et al., 2013; Rivest et al., 2008; Wu, 2011; Gauravaram et al., 2009).
CAESAR candidates have been analyzed in the public permutation model.
Indifferentiable-Security Notion
(Figure: real world, A interacts with (T, F); ideal world, A interacts with (G, S).)
$\mathrm{Adv}^{\mathrm{diff}}_{T^F, G^S}(A) = \big|\Pr[A^{T,F} \to 1] - \Pr[A^{G,S} \to 1]\big|$.
Maurer et al., 2004: if ∃ S such that $\mathrm{Adv}^{\mathrm{diff}}_{T^F, G^S}(A)$ is negligible ∀ adversaries A, then T is indifferentiable from G.
Indifferentiability of XORP
$\Pi = (\Pi_0, \Pi_1, \Pi_0^{-1}, \Pi_1^{-1})$
(Figure: real world (XORP, Π); ideal world ($, S); adversary A.)
Purpose of S is to simulate Π such that (XORP, Π) is indistinguishable from ($, S).
S has oracle access to $.
Real World and Ideal World
Real World:
Construction Query: A queries with x. XORP returns $\Pi_0(x) \oplus \Pi_1(x)$ to A.
Primitive Query:
Forward Query: A queries $\Pi_0$ or $\Pi_1$ with x and gets $\Pi_0(x)$ or $\Pi_1(x)$.
Backward Query: A queries $\Pi_0$ or $\Pi_1$ with y and obtains $\Pi_0^{-1}(y)$ or $\Pi_1^{-1}(y)$.
Ideal World:
Random Function Query: $ returns $(x).
Simulator Query:
Forward Query: A queries S with (x, b). S returns $V_b \in \{0,1\}^n$.
Backward Query: A queries S with (y, b). S returns $V_b \in \{0,1\}^n \cup \{\bot\}$.
⊥ indicates that S aborted after a certain number of iterations.
Goal
Purpose of S is to simulate Π such that (XORP, Π) is indistinguishable from ($, S).
$V_b$ should be close to $\Pi_b$ (or $\Pi_b^{-1}$ in case of a backward query).
Construct S such that $\mathrm{Adv}^{\mathrm{diff}}_{\mathrm{XORP},\$}(A) = \big|\Pr[A^{\mathrm{XORP},\Pi} \to 1] - \Pr[A^{\$,S} \to 1]\big|$ is negligible.
Restrict A to q queries and obtain a concrete upper bound on $\mathrm{Adv}^{\mathrm{diff}}_{\mathrm{XORP},\$}(A)$ (in terms of the parameters q and n).
Results
Construction   Best known bound                                   Our bound
XORP           $q^3 / 2^{2n}$ (Mennink and Preneel, 2015)         $\sqrt{q / 2^n}$
XORP[k]        $q^{k+1} / 2^{nk}$, k ≥ 4 even (Lee, 2017)         $\sqrt{q / 2^n}$
Mirror Theory and Its Limitations
Introduced in Patarin, 2010; motivated by the PRF-security of XORP[k]-type constructions.
Lower bound on the number of solutions satisfying a system of linear equations involving exactly two variables.
✓ Together with the H-coefficient technique, provides a bound on the PRF-security of XORP.
✓ Powerful: optimal security (Mennink and Neves, 2017b).
× Complex: some steps are not clear.
× Limitation in the indifferentiability setting:
× No equation in a single variable.
× The adversary can make public permutation calls, so single-variable equations need to be considered.
χ² Method
$X^q := (X_1, \ldots, X_q)$ and $Z^q := (Z_1, \ldots, Z_q)$ distributed over $\Omega^q = \Omega \times \cdots \times \Omega$ according to $P_0$ and $P_1$ respectively.
$P_{0|x^{i-1}}(x_i) = \Pr[X_i = x_i \mid X_1 = x_1, \ldots, X_{i-1} = x_{i-1}]$, $P_{1|x^{i-1}}(x_i) = \Pr[Z_i = x_i \mid Z_1 = x_1, \ldots, Z_{i-1} = x_{i-1}]$.
Definition
$\|P_0 - P_1\| := \frac{1}{2} \sum_{x^q \in \Omega^q} |P_0(x^q) - P_1(x^q)|$.
$\chi^2(x^{i-1}) = \chi^2(P_{0|x^{i-1}}, P_{1|x^{i-1}}) := \sum_{x_i \in \Omega} \frac{\big(P_{0|x^{i-1}}(x_i) - P_{1|x^{i-1}}(x_i)\big)^2}{P_{1|x^{i-1}}(x_i)}$.
Theorem (Dai et al., 2017)
$\|P_0 - P_1\| \le \Big(\frac{1}{2} \sum_{i=1}^{q} \mathrm{Ex}\big[\chi^2(X^{i-1})\big]\Big)^{1/2}$.
χ² Method (contd.)
Ingredients
1 Pinsker's inequality,
2 chain rule of Kullback-Leibler divergence (KL divergence), and
3 Jensen's inequality.
Applications
1 PRF-security of the truncated random permutation in Stam, 1978.
2 Full PRF-security of XORP and improved PRF-security of EDM in Dai et al., 2017.
3 Full PRF-security of the variable output length XOR pseudorandom functions in Bhattacharya and Nandi, 2018.
Srimanta Bhattacharya and Mridul Nandi Full Indifferentiable Security of the Xor of Random Permutations
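As an added worked example (not the authors' code), the theorem of Dai et al. applied to XORP itself at toy size: P0 is the exact distribution of the q XORP outputs, obtained by enumerating every pair of permutations of N = 2^n points, P1 is the uniform distribution (the outputs of $), and the block computes both the exact statistical distance and the χ²-method bound so the two can be compared. Exhaustive enumeration is only practical for n = 2, which is the size the example uses.

```python
import itertools
from collections import Counter, defaultdict
from math import sqrt
from typing import Dict, Tuple

# Added example (not from the paper): the chi-squared method of Dai et al.
# evaluated exactly for XORP on N = 2^n points with q distinct queries.
# P0 = distribution of (XORP(x_1), ..., XORP(x_q)), P1 = uniform on Omega^q.


def xorp_output_distribution(n: int, q: int) -> Dict[Tuple[int, ...], float]:
    """P0: distribution of the XORP outputs at the fixed queries x_i = i-1,
    over Pi_0, Pi_1 drawn uniformly from Perm (exhaustive enumeration,
    so only feasible for tiny n)."""
    N = 1 << n
    assert 1 <= q <= N
    perms = list(itertools.permutations(range(N)))
    counts: Counter = Counter()
    for p0 in perms:
        for p1 in perms:
            counts[tuple(p0[i] ^ p1[i] for i in range(q))] += 1
    total = len(perms) ** 2
    return {t: c / total for t, c in counts.items()}


def total_variation(p0: Dict, p1: Dict) -> float:
    """||P0 - P1|| = 1/2 * sum_x |P0(x) - P1(x)| (the Definition on the slide)."""
    keys = set(p0) | set(p1)
    return 0.5 * sum(abs(p0.get(k, 0.0) - p1.get(k, 0.0)) for k in keys)


def chi2_bound(p0: Dict[Tuple[int, ...], float], n: int, q: int) -> float:
    """Right-hand side of the theorem: (1/2 * sum_i Ex[chi^2(X^{i-1})])^{1/2},
    where X^{i-1} ~ P0 and P1 is uniform, i.e. P1|prefix(x_i) = 1/N."""
    N = 1 << n
    u = 1.0 / N
    total = 0.0
    for i in range(1, q + 1):
        # Group the first i coordinates of P0 by their (i-1)-prefix.
        pref: Dict[Tuple[int, ...], Dict[int, float]] = defaultdict(
            lambda: defaultdict(float))
        for t, pr in p0.items():
            pref[t[: i - 1]][t[i - 1]] += pr
        for prefix, nxt in pref.items():
            p_prefix = sum(nxt.values())            # Pr[X^{i-1} = prefix]
            # chi^2(prefix) = sum_{x_i} (P0|prefix(x_i) - 1/N)^2 / (1/N)
            chi2 = sum((nxt.get(v, 0.0) / p_prefix - u) ** 2 / u for v in range(N))
            total += p_prefix * chi2                # adds to Ex[chi^2(X^{i-1})]
    return sqrt(0.5 * total)


def verify(n: int = 2, q: int = 3) -> Tuple[float, float]:
    """Return (exact statistical distance, chi-squared bound) for XORP."""
    N = 1 << n
    p0 = xorp_output_distribution(n, q)
    p1 = {t: 1.0 / N ** q for t in itertools.product(range(N), repeat=q)}
    return total_variation(p0, p1), chi2_bound(p0, n, q)


if __name__ == "__main__":
    tv, bound = verify()
    print(f"n=2, q=3: ||P0 - P1|| = {tv:.4f} <= chi2 bound {bound:.4f}")
```

With n = 2 and q = 3 the distance is strictly positive (e.g. the all-zero output tuple forces Π0 = Π1 and so has probability 1/24 rather than 1/64), and the computed bound lies above it, as the theorem guarantees.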
SIMFWD and SIMBCK
S consists of a pair of stateful randomized algorithms:
SIMFWD - algorithm for forward queries
SIMBCK - algorithm for backward queries
S tries to be consistent with XORP by 'consulting' $.
Tries to maintain $(x) = SIMFWD(x, 0) ⊕ SIMFWD(x, 1) for x ∈ {0,1}^n.
If it fails (during backward queries only) after n attempts, SIMBCK returns ⊥.
Internal State
Sets D, R0 and R1 simulate the domain of Π0 and Π1 and their ranges respectively.
Lists (indexed by elements of D) L0, L1 simulate the input-output mappings of Π0 and Π1 respectively.
For b ∈ {0,1}, x ∈ D, y ∈ Rb, Lb(x) = y implies
Vb = y was output on a forward query (x, b), or
Vb = x was output on a backward query (y, b).
For all x ∈ D, the relationship L0(x) ⊕ L1(x) = $(x) is always satisfied.
SIMFWD
Data: x ∈ {0,1}^n, b ∈ {0,1}
Result: Vb ∈ {0,1}^n
  if x ∈ D then return Lb(x) end
  Z ← $(x)
  Vb ←$ {0,1}^n ∖ (Rb ∪ (Z ⊕ R1−b))
  Rb ← Rb ∪ {Vb}, R1−b ← R1−b ∪ {Z ⊕ Vb}
  D ← D ∪ {x}
  Lb(x) ← Vb, L1−b(x) ← Z ⊕ Vb
  return Vb
Here Z ⊕ R1−b denotes the set {Z ⊕ r : r ∈ R1−b}, so excluding it keeps Z ⊕ Vb out of R1−b and both simulated permutations injective.
SIMBCK
Data: y ∈ {0,1}^n, b ∈ {0,1}
Result: Vb ∈ {0,1}^n ∪ {⊥}
  if y = Lb(x) for some x ∈ D then return x end
  D′ ← D
  repeat
    Vb ←$ {0,1}^n ∖ D′, Z ← $(Vb)
    if Z ⊕ y ∉ R1−b then
      D ← D ∪ {Vb}, Rb ← Rb ∪ {y}, Lb(Vb) ← y
      R1−b ← R1−b ∪ {Z ⊕ y}, L1−b(Vb) ← Z ⊕ y
      return Vb
    end
    D′ ← D′ ∪ {Vb}
  until n times
  return ⊥
Srimanta Bhattacharya and Mridul Nandi Full Indifferentiable Security of the Xor of Random Permutations
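The two algorithms above, implemented as an added example (not the authors' code) for a small block size n so that the state can be inspected: $ is lazily sampled from a seeded generator, ⊥ is represented by None, and invariants_hold() checks the state properties from the Internal State slide (keys of L0, L1 equal D, their images equal R0, R1, both are injective, and L0(x) ⊕ L1(x) = $(x)). The query sequence in demo() is constructed for illustration and stays well below q < N/2.

```python
import random
from typing import Dict, List, Optional, Set

# Added example (not from the paper): a concrete simulator S = (SIMFWD, SIMBCK)
# with the state (D, R_0, R_1, L_0, L_1) described on the slides.


class XorpSimulator:
    """Simulates (Pi_0, Pi_1, Pi_0^{-1}, Pi_1^{-1}) given oracle access to a
    random function $ : {0,1}^n -> {0,1}^n. Invariant: L0(x) ^ L1(x) == $(x)."""

    def __init__(self, n: int, seed: int = 0):
        self.n = n
        self.N = 1 << n
        self.rng = random.Random(seed)
        self._rf: Dict[int, int] = {}            # lazily sampled random function $
        self.D: Set[int] = set()                 # simulated domain
        self.R: List[Set[int]] = [set(), set()]  # simulated ranges R_0, R_1
        self.L: List[Dict[int, int]] = [{}, {}]  # simulated tables L_0, L_1

    def dollar(self, x: int) -> int:
        """The ideal random function $, sampled lazily."""
        if x not in self._rf:
            self._rf[x] = self.rng.randrange(self.N)
        return self._rf[x]

    def sim_fwd(self, x: int, b: int) -> int:
        """SIMFWD(x, b): simulate Pi_b(x)."""
        if x in self.D:
            return self.L[b][x]
        z = self.dollar(x)
        # V_b avoids R_b and Z ^ R_{1-b}, so V_b and Z ^ V_b are both fresh
        # range points; non-empty as long as |D| < N/2 (assumed).
        forbidden = self.R[b] | {z ^ r for r in self.R[1 - b]}
        v = self.rng.choice([c for c in range(self.N) if c not in forbidden])
        self.R[b].add(v)
        self.R[1 - b].add(z ^ v)
        self.D.add(x)
        self.L[b][x] = v
        self.L[1 - b][x] = z ^ v
        return v

    def sim_bck(self, y: int, b: int) -> Optional[int]:
        """SIMBCK(y, b): simulate Pi_b^{-1}(y); None stands for the abort symbol."""
        for x in self.D:                         # y already assigned: answer consistently
            if self.L[b][x] == y:
                return x
        d_prime = set(self.D)
        for _ in range(self.n):                  # at most n attempts, as on the slide
            v = self.rng.choice([u for u in range(self.N) if u not in d_prime])
            z = self.dollar(v)
            if (z ^ y) not in self.R[1 - b]:     # Z ^ y must be fresh for Pi_{1-b}
                self.D.add(v)
                self.R[b].add(y)
                self.L[b][v] = y
                self.R[1 - b].add(z ^ y)
                self.L[1 - b][v] = z ^ y
                return v
            d_prime.add(v)
        return None                              # abort

    def invariants_hold(self) -> bool:
        """State is consistent with two injective maps whose XOR equals $."""
        for b in (0, 1):
            if set(self.L[b]) != self.D or set(self.L[b].values()) != self.R[b]:
                return False
            if len(set(self.L[b].values())) != len(self.D):
                return False
        return all(self.L[0][x] ^ self.L[1][x] == self._rf[x] for x in self.D)


def demo(n: int = 8, seed: int = 1) -> Dict[str, bool]:
    """Run a constructed mixed query sequence and report consistency checks."""
    sim = XorpSimulator(n, seed)
    x0 = 5
    v0, v1 = sim.sim_fwd(x0, 0), sim.sim_fwd(x0, 1)
    results = {"xor_matches_rf": (v0 ^ v1) == sim.dollar(x0),
               "bck_inverts_fwd": sim.sim_bck(v0, 0) == x0}
    x = sim.sim_bck(sim.N - 1, 1)               # backward query on a fresh range point
    results["bck_then_fwd"] = x is None or sim.sim_fwd(x, 1) == sim.N - 1
    for i in range(20):                          # more forward queries, still < N/2
        sim.sim_fwd(i, i & 1)
    results["invariants"] = sim.invariants_hold()
    return results


if __name__ == "__main__":
    print(demo())
```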
Additional Information
After the interaction with the real/ideal world is over, A is given additional information.
Real World: for query i, A knows the tuple $(x_i, \Pi_0(x_i), \Pi_1(x_i)) = S_i$. Distributions: $p^{\mathrm{fwd}}$ and $p^{\mathrm{bck}}$ for forward and backward queries.
Ideal World: for query i, A knows the tuple $(x_i, V_{0,i}, V_{1,i})$ (in case of 'abort', $(x_i, V_{0,i}, V_{1,i}) = \bot$). Distributions: $p^{\mathrm{fwd}}_1$ and $p^{\mathrm{bck}}_1$ for forward and backward queries.
Indifferentiability of XORP: Outline
Theorem. Let N ≥ 16 and q < N/2. Then $\mathrm{Adv}^{\mathrm{diff}}_{\mathrm{XORP},\$}(q) \le \sqrt{1.25\,q / N}$.
Goal is to calculate $\mathrm{Ex}[\chi^2(S^{i-1})]$ over the real world distributions ($p^{\mathrm{fwd}}$ and $p^{\mathrm{bck}}$). Need to consider two cases:
$s_i$ is a forward query
$s_i$ is a backward query
Main Result: Indifferentiability of XORP Result and Outline Forward Query
Forward Query
$$\chi^2(s_{i-1}) = \sum_{s_i} \frac{\left(p^{\mathrm{fwd}}(s_i \mid s_{i-1}) - p^{\mathrm{fwd}}_1(s_i \mid s_{i-1})\right)^2}{p^{\mathrm{fwd}}_1(s_i \mid s_{i-1})}.$$
To consider $\chi^2(S_{i-1})$ for the real world distribution of $S_{i-1}$:
- Each $S_j \in S_{i-1}$ may correspond to a forward or a backward query.
- The distributions $p^{\mathrm{fwd}}$ and $p^{\mathrm{bck}}$ are identical; the distribution of $S_{i-1}$ does not depend on the query type of each individual $S_j$.
- This allows us to treat $\chi^2(S_{i-1})$ as a random variable and take its expectation under the distribution of $S_{i-1}$.
Forward Query Bound: $\sum_{i=1}^{q} \mathrm{Ex}[\chi^2(S_{i-1})] \le \dfrac{8q^3}{N^3}$.
Main Result: Indifferentiability of XORP Result and Outline Backward Query
Backward Query
Steps are similar to the forward query case. The cases $s_i \ne \bot$ and $s_i = \bot$ are treated separately.
Backward Query Bound: $\sum_{i=1}^{q} \mathrm{Ex}[\chi^2(S_{i-1})] \le \dfrac{2.5q}{N}$.
Final Bound: Backward Query Bound ≥ Forward Query Bound, so the backward bound is the one that matters. The $\chi^2$ method bounds the advantage by the square root of half the summed expectations:
$$\mathrm{Adv}^{\mathrm{diff}}_{\mathrm{XORP},\$}(q) \le \sqrt{\tfrac{1}{2}\cdot\frac{2.5q}{N}} = \sqrt{\frac{1.25q}{N}}.$$
Indifferentiability of XORP[k] The Simulator
Indifferentiability of XORP[k]
Theorem.
$$\mathrm{Adv}^{\mathrm{diff}}_{\mathrm{XORP}[k],\$}(q) \le \sqrt{\frac{1.25q}{N}}.$$
Two steps (similar to Mennink and Preneel, 2015):
- Simulator $S'$: simulates $\Pi' = (\Pi_0, \ldots, \Pi_{k-1}, \Pi_0^{-1}, \ldots, \Pi_{k-1}^{-1})$.
- Reduction: for an adversary $A'$ of XORP[k], construct an adversary $A$ of XORP.
Simulator $S'$: samples $\Pi_2, \ldots, \Pi_{k-1}$ itself. When $i \ge 2$ and $(x, i)$ is a forward or backward query, responds honestly from the sampled permutation. When $i \in \{0,1\}$, behaves exactly in the same way as $S$, except that wherever $S$ would use $\$(x)$ it uses the value determined by
$$\$'(x) = \$(x) \oplus \Pi_2(x) \oplus \cdots \oplus \Pi_{k-1}(x),$$
i.e. $\$(x) = \$'(x) \oplus \Pi_2(x) \oplus \cdots \oplus \Pi_{k-1}(x)$, so that $\Pi_0(x) \oplus \cdots \oplus \Pi_{k-1}(x) = \$'(x)$ holds for every fixed $x$.
Indifferentiability of XORP[k] The Reduction
The Reduction
For an adversary $A'$ against XORP[k] and the simulator $S'$, there is an adversary $A$ against XORP and the simulator $S$.
- $A$ stores the permutations $\Pi_2, \ldots, \Pi_{k-1}$.
- $A$ runs $A'$. $A'$ can query $\Pi'/S'$ and $\mathrm{XORP}[k]/\$'$.
Query to $\Pi'/S'$:
- If $i \ge 2$, then $A$ computes $\Pi_i(x)$ or $\Pi_i^{-1}(x)$ itself.
- If $i = 0$ or $1$, then $A$ forwards the query to $\Pi/S$.
Query to $\mathrm{XORP}[k]/\$'$:
- $A$ forwards the query to $\mathrm{XORP}/\$$ and receives $Z$ as a response. $A$ sends $Z' = Z \oplus \bigoplus_{i=2}^{k-1} \Pi_i(x)$ to $A'$.
Indifferentiability of XORP[k] The Reduction
The Reduction (contd.)
- When $A$ is interacting with $(\mathrm{XORP}, \Pi)$, the interaction interface of $A'$ is equivalent to $(\mathrm{XORP}[k], \Pi')$.
- When $A$ is interacting with $(\$, S)$, the interaction interface of $A'$ is equivalent to $(\$ \oplus \mathrm{XORP}[k-2], S') \equiv (\$', S')$, since the xor of a random function with independent permutations is again a random function.
$$\mathrm{Adv}^{\mathrm{diff}}_{\mathrm{XORP}[k],\$'}(A') = \mathrm{Adv}^{\mathrm{diff}}_{\mathrm{XORP},\$}(A) \le \sqrt{\frac{1.25q}{N}}.$$
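The reduction above, as an added example (not the authors' code): the wrapper $A$ stores $\Pi_2, \ldots, \Pi_{k-1}$, answers $A'$'s queries for $i \ge 2$ itself, forwards $i \in \{0,1\}$ and construction queries to its own oracles, and xors the extra permutations into the construction answer. The oracle signatures `prim(i, x, inverse)` and `construct(x)`, the class names and the real-world self-check are assumptions of this example; the check confirms that in the real world $A'$ sees exactly $(\mathrm{XORP}[k], \Pi')$.

```python
"""The XORP[k] -> XORP reduction from the slides (added example, not the
authors' code).  Oracle interfaces are assumptions of this example:
  prim(i, x, inverse) -> Pi_i(x) or Pi_i^{-1}(x), i in {0, 1}   (Pi / S side)
  construct(x)        -> XORP(x) or $(x)
"""
import random


def random_permutation(n, rng):
    """A uniformly random permutation of {0,1}^n as (forward, inverse) tables."""
    fwd = list(range(1 << n))
    rng.shuffle(fwd)
    inv = [0] * (1 << n)
    for x, y in enumerate(fwd):
        inv[y] = x
    return fwd, inv


class ReductionAdversary:
    """A: wraps the two XORP-game oracles so that A' sees the XORP[k] game."""

    def __init__(self, k, n, prim, construct, rng):
        assert k >= 2
        self.k = k
        self.prim = prim              # Pi/S oracle for Pi_0, Pi_1
        self.construct = construct    # XORP/$ oracle
        # A samples and stores Pi_2, ..., Pi_{k-1} itself.
        self.extra = {i: random_permutation(n, rng) for i in range(2, k)}

    def prim_k(self, i, x, inverse=False):
        """Query to Pi'/S' on behalf of A'."""
        if i >= 2:
            fwd, inv = self.extra[i]
            return inv[x] if inverse else fwd[x]
        return self.prim(i, x, inverse)        # forward to Pi/S

    def construct_k(self, x):
        """Query to XORP[k]/$' on behalf of A': Z' = Z ⊕ ⊕_{i=2}^{k-1} Pi_i(x)."""
        z = self.construct(x)
        for i in range(2, self.k):
            z ^= self.extra[i][0][x]
        return z


def xorp_k_direct(perms, x):
    """XORP[k](x) = Pi_0(x) ⊕ ... ⊕ Pi_{k-1}(x) from explicit tables."""
    acc = 0
    for fwd, _ in perms:
        acc ^= fwd[x]
    return acc


def real_world_check(k=4, n=6, seed=7):
    """Run A in the real XORP world (Pi_0, Pi_1 random, XORP = Pi_0 ⊕ Pi_1) and
    confirm that the interface A' sees is the real XORP[k] world built from
    Pi_0, Pi_1 and A's stored Pi_2..Pi_{k-1}, with consistent inverses."""
    rng = random.Random(seed)
    pi0, pi1 = random_permutation(n, rng), random_permutation(n, rng)

    def prim(i, x, inverse):
        fwd, inv = (pi0, pi1)[i]
        return inv[x] if inverse else fwd[x]

    def xorp(x):
        return pi0[0][x] ^ pi1[0][x]

    a = ReductionAdversary(k, n, prim, xorp, rng)
    perms = [pi0, pi1] + [a.extra[i] for i in range(2, k)]
    for x in range(1 << n):
        if a.construct_k(x) != xorp_k_direct(perms, x):
            return False
        for i in range(k):
            if a.prim_k(i, a.prim_k(i, x), inverse=True) != x:
                return False
    return True
```

In the ideal world the same wrapper turns $(\$, S)$ into $(\$ \oplus \mathrm{XORP}[k-2], S')$; because $\Pi_2, \ldots, \Pi_{k-1}$ are independent of $\$$, that construction oracle is again a uniformly random function, which is why $A$'s advantage equals $A'$'s.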
Conclusion
Conclusion
- Shown full indifferentiable security of XORP and XORP[k].
- In practice this does not give full security, due to the square root in the bound: $\sqrt{1.25q/N}$ drops below $2^{-t}$ only when $q \le N \cdot 2^{-2t}/1.25$, whereas a bound linear in $q/N$ would need only $q \le N \cdot 2^{-t}$ (up to constants).
- Can the bound be improved?
Technical Details: Forward Query
$$p^{\mathrm{fwd}}(s_i \mid s_r) = \frac{1}{(N-r)^2}$$
$$p^{\mathrm{fwd}}_1(s_i \mid s_r) = \frac{1}{N} \times \frac{1}{N - |W_{x_i}|}, \quad \text{where } W_{x_i} = R_0 \cup \{\$(x_i) \oplus R_1\}$$
$$\chi^2(s_r) = \frac{N\left(|W_{x_i}| - \frac{2rN - r^2}{N}\right)^2}{(N-r)^3}$$
$$\mathrm{Ex}[|W_{x_i}|] = \frac{2rN - r^2}{N} \quad \text{and} \quad \mathrm{Var}[|W_{x_i}|] \le \frac{r^2}{N}$$
$$\mathrm{Ex}[\chi^2(S_r)] = \frac{N}{(N-r)^3} \times \mathrm{Ex}\left[\left(|W_{x_i}| - \mathrm{Ex}[|W_{x_i}|]\right)^2\right] = \frac{N}{(N-r)^3} \times \mathrm{Var}[|W_{x_i}|]$$
Forward Query Bound: $\sum_{i=1}^{q} \mathrm{Ex}[\chi^2(S_{i-1})] \le \dfrac{8q^3}{N^3}$
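Carrying the last two lines through to the stated bound (added derivation, not on the slide; it uses only the variance bound above and the theorem's hypothesis $q < N/2$):

$$\mathrm{Ex}[\chi^2(S_r)] = \frac{N}{(N-r)^3}\,\mathrm{Var}[|W_{x_i}|] \le \frac{N}{(N-r)^3}\cdot\frac{r^2}{N} = \frac{r^2}{(N-r)^3} \le \frac{8r^2}{N^3}, \qquad \text{since } r < q < N/2 \text{ gives } N-r > N/2,$$
$$\sum_{r=0}^{q-1}\mathrm{Ex}[\chi^2(S_r)] \le \frac{8}{N^3}\sum_{r=0}^{q-1} r^2 = \frac{8}{N^3}\cdot\frac{(q-1)q(2q-1)}{6} \le \frac{8q^3}{3N^3} \le \frac{8q^3}{N^3}.$$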
Backward Query
Technical Details: Backward Query
$$\mathrm{Ex}[\chi^2(S_r)] = \mathrm{Ex}\left[\sum_{s_i} \frac{\left(p^{\mathrm{bck}}(s_i \mid S_r) - p^{\mathrm{bck}}_1(s_i \mid S_r)\right)^2}{p^{\mathrm{bck}}_1(s_i \mid S_r)}\right].$$
Split the sum into two cases: $s_i \ne \bot$ and $s_i = \bot$.
Case $s_i \ne \bot$:
$$p^{\mathrm{bck}}(s_i \mid s_r) = p^{\mathrm{fwd}}(s_i \mid s_r) = \frac{1}{(N-r)^2}$$
$$p^{\mathrm{bck}}_1(s_i \mid s_r) = \sum_{\ell=1}^{n} \frac{1}{N} \times \frac{1}{N-r-\ell+1} \times \left(\frac{r}{N}\right)^{\ell-1}$$
(the $\ell$-th attempt of SIMBCK succeeds after $\ell-1$ failures, each of probability $r/N$)
$$\frac{1}{(N-r)^2}\times\left(1 - \left(\frac{r}{N}\right)^n\right) \le p^{\mathrm{bck}}_1(s_i \mid s_r) \le \frac{4}{N(N-r)}$$
Bound for $s_i \ne \bot$:
$$\sum_{s_i \ne \bot} \frac{\left(p^{\mathrm{bck}}(s_i \mid s_r) - p^{\mathrm{bck}}_1(s_i \mid s_r)\right)^2}{p^{\mathrm{bck}}_1(s_i \mid s_r)} \le \max\left\{\frac{3N-4r}{4N(N-r)},\ \frac{(r/N)^{2n}}{1-(r/N)^n}\right\}.$$
Backward Query
Technical Details (contd.)
Case $s_i = \bot$: $p^{\mathrm{bck}}(\bot \mid S_r) = 0$ (the real world never aborts).
Bound for $s_i = \bot$:
$$\mathrm{Ex}\left[\frac{\left(p^{\mathrm{bck}}(\bot \mid S_r) - p^{\mathrm{bck}}_1(\bot \mid S_r)\right)^2}{p^{\mathrm{bck}}_1(\bot \mid S_r)}\right] = \mathrm{Ex}\left[p^{\mathrm{bck}}_1(\bot \mid S_r)\right] = p^{\mathrm{bck}}_1(\bot) = \left(\frac{r}{N}\right)^n$$
Backward Query Bound: $\sum_{r=0}^{q-1} \mathrm{Ex}[\chi^2(S_r)] \le \dfrac{2.5q}{N}$
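How the two per-query terms add up to $2.5q/N$ and then to the theorem (added derivation, not on the slides; it uses $N = 2^n \ge 16$, $r < q < N/2$, and the conversion lemma of the $\chi^2$ method of Dai, Hoang and Tessaro 2017):

For $r < N/2$ we have $(r/N)^n \le 2^{-n} = 1/N$, and
$$\frac{3N-4r}{4N(N-r)} \le \frac{3N}{4N\cdot N/2} = \frac{1.5}{N}, \qquad \frac{(r/N)^{2n}}{1-(r/N)^n} \le \frac{N^{-2}}{1-N^{-1}} = \frac{1}{N(N-1)} \le \frac{1.5}{N},$$
so the $s_i \ne \bot$ term is at most $1.5/N$ and the $s_i = \bot$ term at most $1/N$:
$$\mathrm{Ex}[\chi^2(S_r)] \le \frac{1.5}{N} + \frac{1}{N} = \frac{2.5}{N}, \qquad \sum_{r=0}^{q-1}\mathrm{Ex}[\chi^2(S_r)] \le \frac{2.5q}{N}.$$
This dominates the forward bound, since for $q < N/2$, $\;8q^3/N^3 = (2q/N)^2 \cdot 2q/N \le 2q/N \le 2.5q/N$. The $\chi^2$ method gives $\|p - p_1\| \le \sqrt{\tfrac{1}{2}\sum_{r=0}^{q-1}\mathrm{Ex}[\chi^2(S_r)]}$, hence
$$\mathrm{Adv}^{\mathrm{diff}}_{\mathrm{XORP},\$}(q) \le \sqrt{\tfrac{1}{2}\cdot\frac{2.5q}{N}} = \sqrt{\frac{1.25q}{N}}.$$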
References
Bellare, M. and Impagliazzo, R. (1999). A tool for obtaining tighter security analyses of pseudorandom function based constructions, with applications to PRP to PRF conversion. IACR Cryptology ePrint Archive, 1999:24.
Bellare, M., Krovetz, T., and Rogaway, P. (1998). Luby-Rackoff backwards: Increasing security by making block ciphers non-invertible. Pages 266–280. Springer.
Bertoni, G., Daemen, J., Peeters, M., and Van Assche, G. (2011a). Duplexing the sponge: Single-pass authenticated encryption and other applications. In Selected Areas in Cryptography, volume 7118, pages 320–337. Springer.
Bertoni, G., Daemen, J., Peeters, M., and Van Assche, G. (2011b). On the security of the keyed sponge construction. In Symmetric Key Encryption Workshop (SKEW 2011).
Bertoni, G., Daemen, J., Peeters, M., and Van Assche, G. (2013). Keccak and the SHA-3 standardization.
Bhattacharya, S. and Nandi, M. (2018). Revisiting variable output length pseudorandom functions. IACR Transactions on Symmetric Cryptology, 2018(1), to appear.
Cogliati, B., Lampe, R., and Patarin, J. (2014). The indistinguishability of the XOR of k permutations. In Cid, C. and Rechberger, C., editors, Fast Software Encryption - 21st International Workshop, FSE 2014, London, UK, March 3-5, 2014, Revised Selected Papers, volume 8540 of Lecture Notes in Computer Science, pages 285–302. Springer.
Dai, W., Hoang, V. T., and Tessaro, S. (2017). Information-theoretic indistinguishability via the chi-squared method. In Katz and Shacham (2017), pages 497–523.
Gauravaram, P., Knudsen, L. R., Matusiewicz, K., Mendel, F., Rechberger, C., Schläffer, M., and Thomsen, S. S. (2009). Grøstl - a SHA-3 candidate. In Dagstuhl Seminar Proceedings. Schloss Dagstuhl-Leibniz-Zentrum für Informatik.
Goldreich, O., Goldwasser, S., and Micali, S. (1985). On the cryptographic applications of random functions (extended abstract). In Blakley, G. R. and Chaum, D., editors, Advances in Cryptology, pages 276–288, Berlin, Heidelberg. Springer Berlin Heidelberg.
Iwata, T. (2006). New blockcipher modes of operation with beyond the birthday bound security. In Robshaw, M. J. B., editor, Fast Software Encryption, 13th International Workshop, FSE 2006, Graz, Austria, March 15-17, 2006, Revised Selected Papers, volume 4047 of Lecture Notes in Computer Science, pages 310–327. Springer.
Iwata, T., Mennink, B., and Vizár, D. (2016). CENC is optimally secure. IACR Cryptology ePrint Archive, 2016:1087.
Iwata, T., Minematsu, K., Peyrin, T., and Seurin, Y. (2017). ZMAC: A fast tweakable block cipher mode for highly secure message authentication. IACR Cryptology ePrint Archive, 2017:535.
Katz, J. and Shacham, H., editors (2017). Advances in Cryptology - CRYPTO 2017 - 37th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 20-24, 2017, Proceedings, Part III, volume 10403 of Lecture Notes in Computer Science. Springer.
Lee, J. (2017). Indifferentiability of the sum of random permutations toward optimal security. IEEE Transactions on Information Theory.
Lucks, S. (2000). The sum of PRPs is a secure PRF. In EUROCRYPT 2000, volume 1807 of LNCS, pages 470–484. Springer.
Maurer, U., Renner, R., and Holenstein, C. (2004). Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology. Pages 21–39. Springer Berlin Heidelberg, Berlin, Heidelberg.
Mennink, B. and Neves, S. (2017a). Encrypted Davies-Meyer and its dual: Towards optimal security using mirror theory. Cryptology ePrint Archive, Report 2017/537, to be published in CRYPTO 2017. http://eprint.iacr.org/2017/537.
Mennink, B. and Neves, S. (2017b). Encrypted Davies-Meyer and its dual: Towards optimal security using mirror theory. In Katz and Shacham (2017), pages 556–583.
Mennink, B. and Preneel, B. (2015). On the xor of multiple random permutations. In International Conference on Applied Cryptography and Network Security, pages 619–634. Springer.
Patarin, J. (2008). A proof of security in O(2^n) for the xor of two random permutations. In ICITS 2008, volume 5155 of LNCS, pages 232–248. Springer.
Patarin, J. (2010). Introduction to mirror theory: Analysis of systems of linear equalities and linear non equalities for cryptography. Cryptology ePrint Archive, Report 2010/287. http://eprint.iacr.org/2010/287.
Patarin, J. (2013). Security in O(2^n) for the xor of two random permutations - proof with the standard H technique. IACR Cryptology ePrint Archive, 2013:368.
Rivest, R. L., Agre, B., Bailey, D. V., Crutchfield, C., Dodis, Y., Fleming, K. E., Khan, A., Krishnamurthy, J., Lin, Y., Reyzin, L., et al. (2008). The MD6 hash function - a proposal to NIST for SHA-3. Submission to NIST, 2(3).
Stam, A. J. (1978). Distance between sampling with and without replacement. Statistica Neerlandica, 32(2):81–91.
Wu, H. (2011). The hash function JH. Submission to NIST (round 3), page 6.
Yasuda, K. (2011). A new variant of PMAC: beyond the birthday bound. In CRYPTO 2011, pages 596–609.