An Enciphering Scheme Based on a Card Shuffle - Department of ...
10 Viet Tung Hoang, Ben Morris, and Phillip Rogaway
where the last line holds because $m + \ell = N$. It follows that $\mathbf{E}(s_{t+1} \mid s_t) = \frac{\ell + N}{2N}\, s_t$, which verifies (6) and hence (5). This completes the proof. ⊓⊔
CCA-security. Observe that if $E = \mathrm{SN}[r, N, +]$ for some abelian group $G = ([N], +)$ then $E^{-1}$ is also $\mathrm{SN}[r, N, +]$: every round is an involution (the pair $\{X, K_i - X\}$ is named by $\max(X, K_i - X)$ no matter which member one starts from), so $E^{-1}$ is the same construction with the round keys and round functions taken in reverse order. Employing Lemma 1 we conclude our main theorem.
Theorem 4. Let $E = \mathrm{SN}[2r, N, +]$. Then
$$\mathbf{Adv}^{\mathrm{cca}}_{E}(q) \;\le\; \frac{4N^{3/2}}{r+2}\left(\frac{q+N}{2N}\right)^{r/2+1}.$$

4 Complexity-Theoretic Interpretation
While Theorem 4 is information-theoretic, it should be clear that the result applies to the complexity-theoretic setting too, in exactly the same manner as Luby-Rackoff [14] and its successors. Namely, from a PRF $F\colon \mathcal{K} \times \{0,1\}^* \to \{0,1\}$ and a number $n$, define $n$-bit round functions $F_i(X)$ whose $j$th bit is $F(\langle i, j, n, X \rangle)$. Also define $n$-bit round keys $K_i$ whose $j$th bit is $F(\langle i, j, n \rangle)$. Using these components, apply the swap-or-not construction for, say, $r = 7n$ rounds, yielding a PRP $E$ on $n$ bits. Translating the information-theoretic result into this setting, the PRP-security of $E$ is the PRF-security of $F$ minus a term that remains negligible until $q = (1 - \epsilon)2^n$ adversarial queries, for any $\epsilon > 0$, provided the round count is chosen with $\epsilon$ in mind. Theorem 4 makes the dependence explicit: substituting $N = 2^n$ and $q = (1-\epsilon)N$ into its bound for $E = \mathrm{SN}[2r, 2^n, \oplus]$ gives the term $\frac{4 \cdot 2^{3n/2}}{r+2}\left(1 - \frac{\epsilon}{2}\right)^{r/2+1}$, which decays exponentially in $n$ only when the total round count $2r$ exceeds $6n\ln 2 / \ln\frac{1}{1-\epsilon/2}$, about $8.3\,n/\epsilon$ for small $\epsilon$; a fixed multiple of $n$ such as $7n$ therefore covers only $\epsilon$ bounded away from zero. That is, from the asymptotic point of view, the swap-or-not construction preserves essentially all of a PRF's security in the constructed PRP.
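The instantiation just described, together with the CCA remark that $E^{-1}$ is again a swap-or-not cipher, as an added example that is not code from the paper. It assumes a concrete PRF (the low bit of HMAC-SHA256 under the cipher key), a fixed-width encoding for $\langle\cdot\rangle$, tag bytes to separate round-key from round-function queries, and that only one bit of each $F_i$ is derived, since a swap-or-not round consumes a single bit. Beyond the $n$-bit XOR case of this section it also supports the group $([N], +)$ of integers modulo $N$ from the CCA remark, with round keys rejection-sampled into $[N]$ (a choice of this example, not the paper's).

```python
"""Swap-or-not cipher SN[r, N, +] built from a PRF (added example, not the paper's code).

Assumptions: F is the low bit of HMAC-SHA256 under the cipher key; <...> is a
fixed-width big-endian encoding of integers; tags 0/1 separate round-key and
round-function queries; one bit of F_i is derived per round.
"""
import hashlib
import hmac


def encode(*parts: int) -> bytes:
    """Unambiguous encoding <p_1, ..., p_k> of non-negative ints (8-byte fields, assumption)."""
    return b"".join(p.to_bytes(8, "big") for p in parts)


class SwapOrNot:
    """SN[r, N, +] over an abelian group on [N].

    group="xor": N must be 2**n and + is XOR on n-bit strings (Section 4).
    group="mod": + is addition modulo N, i.e. the group ([N], +) of the CCA remark.
    """

    def __init__(self, key: bytes, N: int, rounds: int, group: str = "mod") -> None:
        if group not in ("xor", "mod"):
            raise ValueError("group must be 'xor' or 'mod'")
        if group == "xor" and (N <= 0 or N & (N - 1)):
            raise ValueError("the xor group needs N = 2**n")
        self.key, self.N, self.r, self.group = key, N, rounds, group
        self.n = max(1, (N - 1).bit_length())  # bits needed to name an element of [N]
        self.round_keys = [self.round_key(i) for i in range(1, rounds + 1)]

    def prf(self, *parts: int) -> int:
        """F: K x {0,1}* -> {0,1}, realized as the low bit of HMAC-SHA256 (assumption)."""
        mac = hmac.new(self.key, encode(*parts), hashlib.sha256).digest()
        return mac[-1] & 1

    def round_key(self, i: int) -> int:
        """K_i whose jth bit is F(<0, i, j, n, ctr>); ctr rejection-samples K_i into [N].

        For N = 2**n no rejection ever happens, so this is the bit-by-bit
        derivation of the round keys described in Section 4 (plus a tag and counter).
        """
        ctr = 0
        while True:
            k = sum(self.prf(0, i, j, self.n, ctr) << j for j in range(self.n))
            if k < self.N:
                return k
            ctr += 1

    def partner(self, x: int, k: int) -> int:
        """X' = K_i - X in the group (K_i xor X for the xor group)."""
        return k ^ x if self.group == "xor" else (k - x) % self.N

    def apply_round(self, x: int, i: int) -> int:
        """Round i: swap X with X' iff F_i(max(X, X')) = 1.

        max(X, X') names the pair {X, X'} identically from either side, so the
        round is an involution: applying it twice returns X.
        """
        xp = self.partner(x, self.round_keys[i - 1])
        xhat = max(x, xp)
        return xp if self.prf(1, i, self.n, xhat) == 1 else x

    def encrypt(self, x: int) -> int:
        """E(X): rounds 1..r in order."""
        for i in range(1, self.r + 1):
            x = self.apply_round(x, i)
        return x

    def decrypt(self, y: int) -> int:
        """E^{-1}(Y): the same involutive rounds in reverse order, itself an SN[r, N, +]."""
        for i in range(self.r, 0, -1):
            y = self.apply_round(y, i)
        return y


def is_permutation(cipher: SwapOrNot) -> bool:
    """Exhaustive check that E is a bijection on [N] (small N only)."""
    return sorted(cipher.encrypt(x) for x in range(cipher.N)) == list(range(cipher.N))


def round_trip_ok(cipher: SwapOrNot) -> bool:
    """Exhaustive check that E^{-1}(E(X)) = X on [N] (small N only)."""
    return all(cipher.decrypt(cipher.encrypt(x)) == x for x in range(cipher.N))


if __name__ == "__main__":
    # n = 8 bits with XOR and r = 7n rounds, as in Section 4 (constructed key).
    e8 = SwapOrNot(b"example key (constructed)", 2 ** 8, 7 * 8, group="xor")
    print("xor, N=256: permutation", is_permutation(e8), "round trip", round_trip_ok(e8))
    # Enciphering on [10**6] with modular addition; n = 20 bits, 7n rounds.
    fpe = SwapOrNot(b"example key (constructed)", 10 ** 6, 7 * 20)
    c = fpe.encrypt(123456)
    print("mod, N=10^6: E(123456) =", c, "decrypts back:", fpe.decrypt(c) == 123456)
```

The exhaustive checks are only feasible for small $N$; for a real domain the point to verify is that `decrypt` never needs anything beyond the rounds `encrypt` used, which is exactly the CCA observation that the inverse is the same cipher with the round order reversed.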
We emphasize that our security results only cover the (strong) PRP notion of security. An interesting question we leave open is whether the swap-or-not cipher is indifferentiable from a random permutation [16]. Following Coron, Patarin, and Seurin [6], Holenstein, Künzler, and Tessaro show that the 14-round Feistel construction is indifferentiable from a random permutation [12]. But their proof is complex and delivers very poor concrete-security bounds. It would be desirable to have a construction supporting a simpler proof with better bounds.
5 Format-Preserving Encryption
In the format-preserving encryption (FPE) problem, one wants to encipher on an arbitrary set $\mathcal{X}$, often $\mathcal{X} = [N]$ for some number $N$. Usually constructions are sought that start from a conventional blockcipher, like AES. The problem has attracted increasing interest [1–5, 8, 9, 17, 24, 25, 27], and is the subject of ongoing standardization work by NIST and the IEEE.
When $N$ is sufficiently small that one can afford $\tilde{\Omega}(N)$-time to encrypt, provably good solutions are easy, by directly realizing a random shuffle [3]. And when $N$ is sufficiently large that no adversary could ask anything near $N^{1/2}$ queries, nice solutions are again easy, using standard cryptographic constructions
like multi-round Feistel. But for intermediate-size domains, like those