Tight Indistinguishability Bounds for the XOR of Independent Random Permutations by Fourier Analysis

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

Abstract

The XOR of two independent permutations (XoP) is a well-known construction for achieving security beyond the birthday bound when implementing a pseudorandom function using a block cipher (i.e., a pseudorandom permutation). The idealized construction (where the permutations are uniformly chosen and independent) and its variants have been extensively analyzed over nearly 25 years. The best-known asymptotic information-theoretic indistinguishability bound for the XoP construction is O(q/21.5n), derived by Eberhard in 2017. A generalization of the XoP construction outputs the XOR of r≥2 independent permutations, and has also received significant attention in both the single-user and multi-user settings. In particular, for r=3, the best-known bound (obtained by Choi et al. [ASIACRYPT’22]) is about q2/22.5n in the single-user setting and uqmax2/22.5n in the multi-user setting (where u is the number of users and qmax is the number of queries per user). In this paper, we prove an indistinguishability bound of q/2(r-0.5)n for the (generalized) XoP construction in the single-user setting, and a bound of uqmax/2(r-0.5)n in the multi-user setting. In particular, for r=2, we obtain the bounds q/21.5n and uqmax/21.5n in single-user and multi-user settings, respectively. For r=3 the corresponding bounds are q/22.5n and uqmax/22.5n. All of these bounds hold assuming q<2n/2 (or qmax<2n/2). Compared to previous works, we improve all the best-known bounds for the (generalized) XoP construction in the multi-user setting, and the best-known bounds for the generalized XoP construction for r≥3 in the single-user setting (assuming q≥2n/2). For the basic two-permutation XoP construction in the single-user setting, our concrete bound of q/21.5n stands in contrast to the asymptotic bound of O(q/21.5n) by Eberhard. Since all of our bounds are matched (up to constant factors) for q>2n/2 by attacks published by Patarin in 2008 (and their generalizations to the multi-user setting), they are all tight. We obtain our results by Fourier analysis of Boolean functions. Most of our technical work involves bounding (sums of) Fourier coefficients of the density function associated with sampling without replacement. While the proof of Eberhard relies on similar bounds, our proof is elementary and significantly simpler.

Original languageEnglish
Title of host publicationAdvances in Cryptology – EUROCRYPT 2024 - 43rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, 2024, Proceedings
EditorsMarc Joye, Gregor Leander
PublisherSpringer Science and Business Media Deutschland GmbH
Pages33-62
Number of pages30
ISBN (Print)9783031587153
DOIs
StatePublished - 1 Jan 2024
Event43rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2024 - Zurich, Switzerland
Duration: 26 May 202430 May 2024

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume14651 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Conference

Conference43rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2024
Country/TerritorySwitzerland
CityZurich
Period26/05/2430/05/24

ASJC Scopus subject areas

  • Theoretical Computer Science
  • General Computer Science

Fingerprint

Dive into the research topics of 'Tight Indistinguishability Bounds for the XOR of Independent Random Permutations by Fourier Analysis'. Together they form a unique fingerprint.

Cite this