Pseudorandom Permutations
In a simple substitution cipher, each letter is replaced with another letter, for example:
Under this particular substitution, becomes . If we want to be able to reverse this process, then the substitution must be a permutation over the set of letters .
Substitution ciphers of individual letters are not difficult to break, and frankly not very interesting. However, a substitution cipher that operates on pairs of letters is slightly more interesting:
In this example, the individual letter can be mapped to etc., depending on its neighboring letters. The cipher must again be a permutation, this time over the set .
A substitution cipher that operates on large blocks of letters is more interesting still. Here's an example that uses blocks of twenty-four letters:
A substitution cipher like this would require a truly enormous amount of storage—in fact, more bytes than there are atoms in the universe.
Just as a PRF emulates an enormous (lazy) random dictionary, a pseudorandom permutation (PRP) emulates an enormous (lazy) random permutation over large blocks of bits. A PRP can expand a short secret key into a permutation (both the forward and reverse directions) that is indistinguishable from a uniformly sampled permutation.
7.1. Defining PRPs
Pseudorandom permutations operate on blocks of bits, not blocks of characters.
A keyed permutation consists of two functions:
The first input to these functions is the key; the second input and the output are blocks.
The functions must satisfy the following correctness property: for all and all . In other words, the two functions and are inverses.
We call the blocklength of the keyed permutation. We refer to the permutation collectively as .
This chapter's introduction gives some hint about how to define security for a PRP—it should be indistinguishable from a lazy random permutation. But how does one implement a lazy random permutation? We can take inspiration from lazy random dictionaries, and realize that a permutation is simply a dictionary whose entries do not repeat:
In this code, contains all of the values stored so far in the dictionary. It always samples the next value to avoid repeating any in . Thus, the function implemented by is a permutation.
I can already hear you asking, Wait, that's only the forward direction of a permutation. What about the reverse direction? Indeed, a pseudorandom permutation must implement both directions. However, many applications that use pseudorandom permutations expose only the forward direction to the adversary. So for the purposes of security, we will start with this simple attack scenario, in which the adversary gets access to the forward direction only; it must be indistinguishable from the forward direction of a lazy random substitution. Later, in section 7.5, we introduce a stronger security model that provides the adversary access to both directions of the permutation.
A keyed permutation is a secure pseudorandom permutation (PRP) if the following two libraries are indistinguishable:
PRPs are also commonly called block ciphers, and in this book we will use both names interchangeably.
Be careful! This chapter is about permutations over the set , meaning that they map an -bit string to another arbitrary -bit string . We are not talking about rearranging the bits of in a regular way (e.g., move bit 1 of to bit 10 of the output; move bit 2 of to bit 3 of the output). This would be one way to map -bit strings to -bit strings, but not a very good one (see exercise 7.1).
7.2. Comparing PRPs and PRFs, and the switching lemma
Compare the library from the PRP security definition to the library from the PRF security definition. The former library samples outputs without replacement, and the latter with replacement. If the PRF/PRP outputs are long enough (specifically, bits) then we expect this difference to be indistinguishable thanks to the birthday bound (lemma 4.5.7). This observation is known as the the (PRF-PRP) switching lemma:
The following two libraries are indistinguishable:
The only difference in the two libraries is whether they sample values with or without replacement. They can be proven indistinguishable by a simple three-hop maneuver involving lemma 4.5.7.
What does it mean that the security goals for PRPs and PRFs are indistinguishable?
If we have a keyed permutation with blocklength , and we wish to show that it is a secure PRP, it's enough to prove that it is a secure PRF.
Conversely, if a certain construction requires a secure PRF with output length , then it is safe to use a secure PRP. A secure PRP with blocklength is a secure PRF!
This is all potentially confusing, but just remember: A PRF and PRP provide very different functionality to someone who knows the key. But when we talk about PRF security, we are talking about the perspective of an adversary who doesn't know the secret key, and who has access only to the forward direction of the function. The PRF security definition says that, in this situation, outputs are pseudorandom. The definition neither demands nor forbids the existence of an inverse. Just knowing that a function is a PRF tells you nothing about whether it is a permutation. Secure PRPs satisfy the definition of PRF security while having an inverse; some other PRFs do not have inverses.
7.3. How to construct a PRP: The Feistel construction
Can we upgrade a PRF into a PRP? How can we add an inverse to a function that may not have one? This section describes a clever way to do just that.
An -round Feistel cipher with round functions is defined as follows:
If the round functions each map bits to bits, then the Feistel cipher maps bits to bits.
A Feistel cipher is always a permutation on , regardless of its round functions.
Each round of a Feistel cipher computes the next block as:
To invert this round, we can rearrange the equation to solve for in terms of and :
Importantly, we do not require to have an inverse. Both the forward and inverse direction of the Feistel cipher evaluate in the forward direction!
The diagram below illustrates the case of a single round and its inverse:
We can invert the entire Feistel cipher by inverting each round in this way, starting from the last round:
A Feistel cipher whose round functions are is called an -round keyed Feistel cipher with round function .
The sequence is called the key schedule.
Like any Feistel cipher, a keyed Feistel cipher is invertible. In order to invert a Feistel cipher, you must evaluate its round functions (in the forward direction). If the round functions require a key, then that key is required to evaluate both directions of the Feistel cipher.
Since a Feistel cipher is a keyed permutation, we might ask whether it can be a secure PRP. The answer depends on the number of rounds. In exercise 7.5 you are asked to show that a 2-round Feistel cipher cannot be a secure PRP. However, three rounds is enough, assuming that the round function is a secure PRF:
Let be a secure PRF with input/output length . Then a three-round keyed Feistel cipher with round function is a secure PRP (with blocklength ).
We already know that any Feistel cipher is invertible, so it suffices to show that this Feistel cipher is pseudorandom. From lemma 7.2.1, it is enough to show that is a secure PRF. In other words:
Proof idea: Our goal is to show that the Feistel cipher's outputs are pseudorandom. What can we say about these outputs?
The output is , and each of these is an xor-expression:
We can think of any xor expression as an OTP ciphertext. Here, it makes most sense to think of as the OTP plaintexts and and as OTP keys. Thus, if we can show that these “OTP keys” are pseudorandom, we will be able to easily conclude that and are also pseudorandom. So what can we say about and ?
Clearly these values are outputs of a secure PRF . So they are pseudorandom, provided that the PRF inputs (in this case, and ) do not repeat. Most of the proof is devoted to showing that and repeat with only negligible probability.
The proof follows the outline described above. Indeed, the crux of the proof is to show that and values don't unexpectedly repeat, so that outputs and are pseudorandom. We will trigger a bad event when or unexpectedly repeat. To make the bad event's probability easier to analyze, we will move all bad-event logic to the end of time.
The final library is , along with some logic at the end of time to determine whether to trigger the bad event. If we can show that the bad event's probability is negligible in this final hybrid, then we have completed the proof.
Our probability analysis uses the fact that the bad-event logic happens at the end of time, after all of the adversary's inputs and outputs have been fixed. There are two cases that trigger the bad event:
-
Case 1: There are two distinct inputs and that both lead to the same value. This happens if and only if
Rearrange this condition to the equivalent:
-
Case 1a: If , then the right-hand-side is zero. We must also have since . But then the left-hand side is nonzero, and the condition can never be true. We conclude that this case is impossible.
-
Case 1b: If , then and were sampled uniformly and independently. Not only that; they were sampled independently of and . So the probability that they satisfy the condition is .
So, two specific inputs and induce the same value with probability at most . If the adversary makes calls to , then there are at most pairs of inputs that could lead to this bad event. By the union bound, the overall probability of Case 1 is at most .
-
-
Case 2: There are two distinct inputs and that both lead to the same value. This case is easier because for each distinct input to , the library samples an value uniformly and independently. Hence, values repeat according to the birthday probability , where is the number of calls to made by the adversary.
Overall, the probability of the bad event is at most:
which is negligible since is polynomial in the security parameter.
If the Feistel cipher has an inverse, why can't the adversary break it by inverting it?
The adversary does not know the round keys, so it cannot evaluate the round function, so it cannot evaluate the Feistel cipher in either direction.
7.4. PRPs in theory and practice
7.4.1. Feistel ciphers in practice
The block ciphers you will encounter in practice are not built from the Feistel cipher recipe presented in lemma 7.3.4, for a few reasons:
-
If we build a Feistel cipher from a PRF, and the PRF is built from a PRG according to construction 6.5.1, the result would be slow. It would require calls to the PRG to evaluate the PRP on a single input.
-
Theorem 7.3.4 doesn't provide great concrete security, which is important in practice. (Recall the discussion of concrete vs. asymptotic security in chapter 4.) The Feistel cipher has blocklength but gives only bits of concrete security. The proof of theorem 7.3.4 involves a bad event with probability at most . If an adversary makes queries to , the bound becomes useless, telling us only that the bad event happens with probability at most 1.
In practice, we use fast block ciphers that don't generally have security proofs that reduce their security to simpler components like PRGs. So theorem 7.3.4 does not describe any real-world block ciphers design. However, some real-world PRPs do use the basic structure of the Feistel cipher. So the practical implication of theorem 7.3.4 is to provide justification for a general design principle for real-world PRPs.
Later in the book, many constructions and security proofs do explain exactly how things are built in the real world. For example, the CBC, CTR, GCM constructions explain exactly how to a PRP is used to build real-world encryption schemes.
The Digital Encryption Standard (DES) was the most widely used block cipher in the '80s and '90s. DES is fundamentally a Feistel cipher; thus, its security rests, to a great extent, on the security of its round function. There are a few important differences between the “theoretical” Feistel cipher and a “practical” one like DES:
-
Three rounds are enough for a theoretical Feistel cipher, because in the world of theory you can be confidently assume that your round function is a PRF. (Four rounds are needed to achieve a stronger security property—see section 7.5.) Real-world Feistel ciphers usually have many more rounds, reflecting the fact that the round functions are not proven to be secure PRFs, or even conjectured to be full-fledged PRFs. DES, for example, is a 16-round Feistel cipher.
-
A theoretical Feistel cipher uses the simplest possible key schedule, in which the round keys are independent. The proof of theorem 7.3.4 relies heavily on the fact that the round keys are independent, giving rise to completely independent pseudorandom round functions. A theoretical -round Feistel cipher requires a key that is times longer than the round function's key. Long keys are inconvenient, so real-world Feistel ciphers derive the round keys from a single, short master key. For example, DES has a 56-bit master key, and each of its 48-bit round keys are simply a different subset of bits from the master key.
7.4.2. Meet-in-the-middle attack
There is another reason for real-world Feistel ciphers deriving round keys from a single, short master key. It has to do with an attack called meet-in-the-middle.
Suppose is a PRP that can be decomposed into two phases, such that the first phase depends only on the first half of the (-bit) key, and the second phase depends only on the second half of the key. In other words, can be written as:
For example, could be an -round Feistel cipher, where represents first rounds (and represents the first round keys) and represents the second rounds.
If has this structure, then it is possible to recover 's private key in time given just a few input-output samples from .
Suppose that , and consider the intermediate value that is computed during the computation of . There are two different ways to compute this : one that uses only and another that uses only :
This fact allows us to brute-force the two halves of the keys separately, if we have an example of an input-output sample from :
-
For all possible , compute a candidate value . Record each candidate along with the key that produced it.
-
For all possible , compute a candidate value . Record each candidate along with the key that produced it.
-
The previous two steps will result in two large lists of candidate values. The “correct” value , corresponding to the victim's true key, must be in both lists.
If the “correct” is the only candidate in both lists, then the adversary has identified the victim's key as the unique and values that gave rise to this . If there is more than one candidate in both lists, then we can take a note of the possible candidates for and , discarding the rest, and repeat the attack again on another input-output sample from . In practice, the correct key is identified after only a small constant number of input-output samples.
Since this attack brute-forces the two halves of the -bit key separately, its total cost is “only” . The moral of the story: Don't provide a way to brute-force different parts of the key separately.
The meet-in-the-middle attack requires exponential time , which is why it does not invalidate theorem 7.3.4. Meet-in-the-middle is relevant only when considering concrete security. A block cipher with -bit keys that is vulnerable to a meet-in-the-middle attack can be broken in time; ideally we prefer -bit block ciphers to have bits of concrete security.
7.4.3. Recommendations and Alternatives
DES is the traditional example of a real-world Feistel cipher and a good illustration of how the real world differs from theory. But DES is sorely outdated; you should never use it. The most glaring problem with DES is that its key is only 56 bits long.
DES was supplanted in the early 2000s by its successor, the Advanced Encryption Standard (AES). There are three standardized variants of AES, supporting keys of length 128, 192, and 256 bits. All three variants use a blocklength of 128 bits. AES is still widely regarded as secure, and it should be your default choice of PRP. Thanks to its position as a global standard, fast hardware-accelerated AES operations are now incorporated into many modern CPUs.
AES is not a Feistel cipher; it is designed using an entirely different methodology. Later, in section 12.3, we discuss a theoretical approach for PRPs that is closer to AES's design.
7.5. ☆ Strong PRPs
You may have noticed that the PRP security definition involves only the forward direction and not the reverse direction . The security definition therefore models an attack scenario in which the adversary can control a victim's inputs only to the PRP's forward direction. This limited attack scenario suffices for many applications of PRPs, which we will see in the next chapters.
However, other applications use PRPs in a way that allows an adversary to control the victims' inputs to both the PRP and its inverse. We need a different security definition for PRPs to reflect this kind of attack scenario.
An adversary who has access to both directions of a PRP should not be able to distinguish what it sees from a lazy random permutation and its inverse. Therefore, the new security definition involves a library that implements a lazy random permutation alongside its inverse. This library is slightly more cumbersome, because it must do significant bookkeeping to efficiently implement a permutation along with its inverse.
A keyed permutation is a secure strong pseudorandom permutation (SPRP) if the following two libraries are indistinguishable:
You can understand how implements a lazy random permutation through the following invariants:
-
If is defined, then .
-
If is defined, then .
-
stores the set of values on which is defined.
-
stores the set of values on which is defined.
Modern real-world block ciphers are designed to be secure SPRPs.
Exercises
-
Let be a secure PRP with blocklength bits (think of as a small integer, like 7 or 8). For this exercise we will interpret inputs and outputs of not as -bit strings, but as numbers in the range in the natural way.
Now consider the following keyed permutation , with blocklength :
Thus, rearranges the bits of according to the permutation . Show that is not a secure PRP.
-
Let and be keyed permutations, both with blocklength , and define the following function :
Prove that is a secure PRP if either of or is a secure PRP. The proof should be split into two cases. In the first case, assume that is secure, and assume nothing from other than the fact that it is indeed a keyed permutation (i.e., it has an inverse). In the second case, swap the roles of and .
-
Lemma 7.2.1 requires the PRP to have blocklength (at least) . Suppose that is a secure PRP with blocklength only . Are the libraries from lemma 7.2.1 still indistinguishable?
-
Show that an -round keyed Feistel cipher is not a secure PRP, for any , if its round function is .
-
Show that a 2-round keyed Feistel cipher cannot be a secure PRP, even if the round function is a secure PRF.
-
Let be a secure PRF with input and output length , and consider the three-round Feistel cipher with round function . Its key schedule normally consists of three independent keys ; in this problem we consider the security of simpler key schedules.
-
Show that the cipher is not a secure PRP if (and is chosen independently).
-
Prove that the cipher is a secure PRP if (and is chosen independently).
-
Prove that the cipher is a secure PRP if (and is chosen independently).
-
-
Let be a secure PRF with input and output length . In this problem we consider a Feistel cipher variant where the key schedule is , but where the last round function is iterated twice. The three- and four-round variants are therefore:
-
Show that the three-round variant above is not a secure PRP.
-
Prove that the four-round variant above is a secure PRP.
-
-
A standard PRF is secure against an adversary who chooses the PRF inputs. Suppose we do not allow the adversary to choose the inputs; instead, the victim will sample inputs uniformly, and tell the adversary the choice of input. If a PRF's outputs are pseudorandom in this attack scenario, we call it a weak PRF. More formally, is a weak PRF if the following two libraries are indistinguishable:
:return:if undefined:return-
Prove that a 2-round keyed Feistel cipher (with independent round keys) is a weak PRF, if its round function is a secure PRF.
-
How does the answer change if the 2-round Feistel cipher uses the trivial key schedule ?
-
-
Describe a more detailed implementation of the meet-in-the-middle attack in example 7.4.1. What data structures should you use, and how should you identify values common to two sets, to ensure that the overall running time remains ?
-
Show that a 3-round keyed Feistel cipher is not a secure strong PRP (definition 7.5.1), even if its round function is a secure PRF.
-
Prove that a 4-round keyed Feistel cipher (using independent round keys) is a secure strong PRP (definition 7.5.1) if its round function is a secure PRF.
-
Let be a secure SPRP with blocklength . In this exercise we will construct a new PRP that is almost identical to but with two of its inputs swapped. Specifically, let and let . Then will be identical to except that it will swap the outputs for (the bitwise complement of ) and .
Pictorially:
cannot be a secure PRP: and are always bitwise complements, and so is easily distinguished from a random dictionary.
Despite that, prove that is a (plain) PRP. Thus, it is possible for to be a secure PRP while is not.
Chapter Notes
The Feistel cipher methodology first appeared in the Lucifer block cipher, developed by Horst Feistel at IBM in 1971 [100]. Luby and Rackoff were the first to prove that a three-round Feistel cipher is a secure PRP (theorem 7.3.4) if the round function is a secure PRF [149]. Patarin proved that a four-round Feistel cipher is a secure strong PRP (exercise 7.11) [176].
The results of exercise 7.6, involving simplifications to the key schedule of a three-round Feistel cipher, were shown by Ohnishi [173] (in Japanese, as reported in [222]). The attack on a three-round Feistel cipher with key schedule was also shown independently by Rueppel [197]. The secure (four-round) single-key Feistel cipher variant from exercise 7.7 was proposed by Pieprzyk [182]; the attack against the three-round variant (and many generalizations thereof) was given by Zheng, Matsumoto, and Imai [222].