Learn how to create a family of cyclic, pseudo-random permutations efficiently with prescribed cycle types. Explore the construction process, security proofs, and implications. Discover the concept of t-wise independence and combinatorial randomness.
Constructing Pseudo-Random Permutations with a Prescribed Structure
Moni Naor, Weizmann Institute
Omer Reingold, AT&T Research
Pseudo-Random Permutations
F: {0,1}^k × {0,1}^n → {0,1}^n (key, domain → range)
F^{-1}: {0,1}^k × {0,1}^n → {0,1}^n (key, range → domain)
The family F_k = {F_S | S ∈ {0,1}^k} is pseudo-random if:
• X = F_S^{-1}(F_S(X)) - invertibility
• Succinct representation: k ≪ log(2^n!)
• Efficiently computable: given S one can compute F_S and F_S^{-1}
• Indistinguishable from random permutations...
Indistinguishability
The tester T can choose adaptively:
X1 and get Y1 = F_S(X1)
Y2 and get X2 = F_S^{-1}(Y2)
...
Xq and get Yq = F_S(Xq)
Challenge: T has to decide whether F_S ∈_R F_k or F_S ∈_R P(n) = {F | F: {0,1}^n → {0,1}^n is 1-1}
(t, ε, q)-pseudo-random
For a function F chosen at random from
(1) F_k = {F_S | S ∈ {0,1}^k}
(2) P(n) = {F | F: {0,1}^n → {0,1}^n is 1-1}
For all t-time machines T that get to choose q queries and try to distinguish (1) from (2):
|Pr[T outputs '1' | F ∈_R F_k] - Pr[T outputs '1' | F ∈_R P(n)]| < ε
Want a family where ε is negligible as long as t and q are not too large.
Model: Block Ciphers
Block ciphers: shared-key encryption schemes where the encryption of every plaintext block is a ciphertext block of the same length.
Important examples: DES, Rijndael (AES)
Figure: Plaintext → BC (keyed by Key) → Ciphertext
Construction of Pseudo-Random Permutations
Defined and constructed by Luby and Rackoff.
Possible to construct p.r. permutations from p.r. functions (and vice versa...)
Based on 4 Feistel permutations, 2 of which should be pseudo-random functions.
Figure: one Feistel round mapping (L1, R1) to (L2, R2) via the round function f
Permutations with a Prescribed Structure
Example: cyclic permutations
Want to construct a family of permutations that is
• Pseudo-random
• Cyclic
Motivation: a never-repeating, random-looking sequence X1, X2, ..., Xi, ... such that Xi+1 = F_S(Xi) [Shamir-Tsaban]
Permutations with a Prescribed Structure
A cycle type: a list of how many cycles there are of each size.
Want to construct a family of permutations where
• Each member has cycle type C
• Pseudo-random:
  • Succinct representation: k ≪ log(2^n!)
  • Efficiently computable: given S one can compute F_S and F_S^{-1}
  • Indistinguishable from random permutations with cycle type C
The Construction
To construct G_C, a p.r. family of permutations with type C:
• Let F_k = {F_S | S ∈ {0,1}^k} be a family of pseudo-random permutations
• Let s be a (fixed) permutation with cycle type C
G_C = {P_S = F_S^{-1} ∘ s ∘ F_S | S ∈ {0,1}^k}
• To evaluate P_S(X): compute F_S^{-1}(s(F_S(X)))
• To evaluate P_S^{-1}(Y): compute F_S^{-1}(s^{-1}(F_S(Y)))
The Construction...
• Example: cyclic permutation s(X) = X + 1 mod 2^n
Complexity of evaluation:
• Two invocations of F_S (one in each direction)
• One invocation of s
Why does it work?
Well-known theorem from elementary group theory: for any two permutations s and p, s and p s p^{-1} have the same cycle type.
Prove a stronger statement:
Theorem 1: For any permutation s with cycle type C, let p be a random permutation. Then the permutation p s p^{-1} is uniformly distributed over the permutations with cycle type C.
Security of Construction
Theorem 2: Suppose that adversary D can distinguish with advantage ε whether a given permutation is ∈_R G_C or a random permutation of type C. Then there is a D' that can distinguish the family F_k from P(n) with advantage ε. The running time of D' is that of D plus t_s, where t_s is the time to evaluate s and s^{-1}.
Proof by Simulation
• D' is given p as a black box.
• It simulates D on the permutation X ↦ p^{-1}(s(p(X))).
• When D queries a point X, D' requests p(X) and then p^{-1} at the point s(p(X)).
• When D queries the inverse at a point X, D' requests p(X) and then p^{-1} at the point s^{-1}(p(X)).
• D' outputs the same guess as D.
• By Theorem 1 the probabilities of distinguishing are identical.
Involutions
• An involution is a permutation that is self-inverse.
• When used for encryption, the encryption and decryption operations are identical.
• Let s(X) = X + 1 if X is even and s(X) = X - 1 if X is odd.
• The resulting G_I is a family of involutions with no fixed points.
Combinatorial Randomness
• (Almost) t-wise independence: the combinatorial counterpart to (cryptographic) pseudo-randomness.
• If instead of F_k a family H of 2t-wise independent permutations is used, the result is a t-wise independent family of permutations with cycle type C.
• If H is only approximately 2t-wise independent, G_C is approximately t-wise independent to a similar degree.
Fast Forward
• Possible to iterate P_S ∈ G_C with 'zero' cost:
P_S^{(m)}(X) = F_S^{-1}(s(F_S(F_S^{-1}(s(... F_S(X) ...))))) = F_S^{-1}(s^{(m)}(F_S(X)))
Same as iterating s.
In the case of cyclic permutations: P_S^{(m)}(X) = F_S^{-1}(F_S(X) + m mod 2^n)
Also easy to check whether X1 and X2 are in the same cycle.
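The conjugation construction, its involution variant and the fast-forward identity, as an added worked example in Python (not code from the talk or its authors). It stands in for the pseudo-random permutation family F_k with a toy 4-round Feistel cipher whose round functions are HMAC-SHA256; the 8-bit block size, round count and demo key are assumptions for the example, chosen so the whole truth table of P_S can be built and its cycle type checked against Theorem 1. s is the slides' cyclic permutation X+1 mod 2^n and the fixed-point-free involution, and fast_forward_cyclic implements P_S^{(m)}(X) = F_S^{-1}(F_S(X) + m mod 2^n).

```python
import hashlib
import hmac

# Toy parameters (assumptions for this example): n = 8, so the domain is {0,1}^8 = 0..255.
N_BITS = 8
MASK = (1 << N_BITS) - 1
HALF = N_BITS // 2
HALF_MASK = (1 << HALF) - 1
ROUNDS = 4


def _round_fn(key: bytes, i: int, half: int) -> int:
    """Keyed round function for round i on a half block (HMAC-SHA256, truncated to n/2 bits)."""
    digest = hmac.new(key, bytes([i, half]), hashlib.sha256).digest()
    return digest[0] & HALF_MASK


def F(key: bytes, x: int) -> int:
    """F_S(x): the stand-in pseudo-random permutation, a Luby-Rackoff style Feistel network."""
    l, r = x >> HALF, x & HALF_MASK
    for i in range(ROUNDS):
        l, r = r, l ^ _round_fn(key, i, r)
    return (l << HALF) | r


def F_inv(key: bytes, y: int) -> int:
    """F_S^{-1}(y): the same rounds run backwards."""
    l, r = y >> HALF, y & HALF_MASK
    for i in reversed(range(ROUNDS)):
        l, r = r ^ _round_fn(key, i, l), l
    return (l << HALF) | r


# Fixed permutations s with a prescribed cycle type, as on the slides.
def s_cyclic(y: int) -> int:
    """s(X) = X + 1 mod 2^n: a single cycle of length 2^n."""
    return (y + 1) & MASK


def s_cyclic_inv(y: int) -> int:
    return (y - 1) & MASK


def s_involution(y: int) -> int:
    """s(X) = X + 1 if X is even, X - 1 if X is odd: flipping the low bit is exactly this map."""
    return y ^ 1


def P(key: bytes, s, x: int) -> int:
    """P_S(x) = F_S^{-1}(s(F_S(x))): the conjugated permutation, which inherits the cycle type of s."""
    return F_inv(key, s(F(key, x)))


def P_inv(key: bytes, s_inv, y: int) -> int:
    """P_S^{-1}(y) = F_S^{-1}(s^{-1}(F_S(y)))."""
    return F_inv(key, s_inv(F(key, y)))


def fast_forward_cyclic(key: bytes, x: int, m: int) -> int:
    """P_S^{(m)}(x) for the cyclic s: two F evaluations and one addition, whatever m is."""
    return F_inv(key, (F(key, x) + m) & MASK)


def iterate(key: bytes, s, x: int, m: int) -> int:
    """Apply P_S m times the slow way, for comparison with fast_forward_cyclic."""
    for _ in range(m):
        x = P(key, s, x)
    return x


def truth_table(key: bytes, s) -> list:
    """P_S written out over the whole toy domain, so its cycle structure can be inspected."""
    return [P(key, s, x) for x in range(1 << N_BITS)]


def cycle_type(perm: list) -> list:
    """Cycle lengths of a permutation given as a list, longest first (the invariant of Theorem 1)."""
    seen = [False] * len(perm)
    lengths = []
    for start in range(len(perm)):
        if seen[start]:
            continue
        length, i = 0, start
        while not seen[i]:
            seen[i] = True
            i = perm[i]
            length += 1
        lengths.append(length)
    return sorted(lengths, reverse=True)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # sample key, constructed for this example
    print("cyclic P_S cycle type   :", cycle_type(truth_table(key, s_cyclic)))            # [256]
    print("involution P_S, first 4 :", cycle_type(truth_table(key, s_involution))[:4])   # [2, 2, 2, 2]
    x0 = 0x3C
    print("fast-forward == iterate :", fast_forward_cyclic(key, x0, 1000) == iterate(key, s_cyclic, x0, 1000))
```

Changing the key changes which 256-cycle P_S is, but never its cycle type; that is the whole point of Theorem 1, and cycle_type on the truth table makes it visible on the toy domain. The fast-forward routine costs the same for m = 1 and m = 10^9, whereas iterate grows linearly with m.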
Open Problems
• Fast-forward property for permutations with no prescribed cycle type.
  • Sufficient to find the right distribution on cycle types.
• Fast-forward property for pseudo-random functions.
• Algorithmic applications: Pollard's ρ, Hellman time-space tradeoff.
  • Caveat: does not necessarily improve them.
• Construct a pseudo-random permutation of size N' < N given one of size N.
...Open Problems
Other combinatorial structures: is it possible to generate a succinct/implicit representation that looks random of
• Pseudo-random graphs
  • G_{n,p} or bounded degree
• Involution: d-regular, d-colorable
• Latin squares
  • 2^n × 2^n matrix where each row and each column is a permutation of {0,1}^n
  • Non-trivial even for non-implicit representations