Today we finish the analysis of a construction of a pseudorandom permutation (block cipher) given a pseudorandom function.
Recall that if ![{F:\{ 0,1 \}^m \rightarrow \{ 0,1 \}^m}]( "{F:\{ 0,1 \}^m \rightarrow \{ 0,1 \}^m}")
is a function, then we define the Feistel permutation ![{D_F: \{ 0,1 \}^{2m} \rightarrow \{ 0,1 \}^{2m}}]( "{D_F: \{ 0,1 \}^{2m} \rightarrow \{ 0,1 \}^{2m}}")
associated with ![{F}]( "{F}")
as
![\displaystyle D_F(x,y) := y, x\oplus F(y) \ \ \ \ \ (1)]( "\displaystyle D_F(x,y) := y, x\oplus F(y) \ \ \ \ \ (1)")
Let ![{F: \{ 0,1 \}^k \times \{ 0,1 \}^m \rightarrow \{ 0,1 \}^m}]( "{F: \{ 0,1 \}^k \times \{ 0,1 \}^m \rightarrow \{ 0,1 \}^m}")
be a pseudorandom function, we define the following function ![{P: \{ 0,1 \}^{4k} \times \{ 0,1 \}^{2m} \rightarrow \{ 0,1 \}^{2m}}]( "{P: \{ 0,1 \}^{4k} \times \{ 0,1 \}^{2m} \rightarrow \{ 0,1 \}^{2m}}")
: given a key ![{\overline K (K_1,\ldots,K_4)}]( "{\overline K (K_1,\ldots,K_4)}")
and an input ![{x}]( "{x}")
,
![\displaystyle P_{\overline K} (x) := D_{F_{K_4}} ( D_{F_{K_3}} ( D_{F_{K_2}} (D_{F_{K_1}} (x ))))\ \ \ \ \ (2)]( "\displaystyle P_{\overline K} (x) := D_{F_{K_4}} ( D_{F_{K_3}} ( D_{F_{K_2}} (D_{F_{K_1}} (x ))))\ \ \ \ \ (2)")
If ![{\overline F = F_1,F_2,F_3,F_4}]( "{\overline F = F_1,F_2,F_3,F_4}")
are four functions, then ![{P_{\overline F}}]( "{P_{\overline F}}")
is the same as the above construction but using the functions ![{F_i}]( "{F_i}")
:
![\displaystyle P_{\overline F} (x) := D_{F_{4}} ( D_{F_{3}} ( D_{F_{2}} (D_{F_{1}} (x ))))\ \ \ \ \ (3)]( "\displaystyle P_{\overline F} (x) := D_{F_{4}} ( D_{F_{3}} ( D_{F_{2}} (D_{F_{1}} (x ))))\ \ \ \ \ (3)")
If ![{A}]( "{A}")
is an oracle algorithm, we define as ![{S(A)}]( "{S(A)}")
the probabilistic process in which we run a simulation of ![{A}]( "{A}")
in which we reply to each query with a random answer.
The proof of the following result is what was missing from yesterday’s analysis.
Lemma 1 For every non-repating algorithm ![{A}]( "{A}")
of complexity ![{\leq t}]( "{\leq t}")
we have
![\displaystyle \left| \mathop{\mathbb P}_{\overline {F} } [ A^{P_{\overline{F}}, P^{-1} _{\overline{F}} } () =1 ] - \mathop{\mathbb P} [ S(A) = 1] \right| \leq \frac{t^2}{ 2\cdot 2^{2m}} + \frac {t^2}{ 2^{m}}]( "\displaystyle \left| \mathop{\mathbb P}_{\overline {F} } [ A^{P_{\overline{F}}, P^{-1} _{\overline{F}} } () =1 ] - \mathop{\mathbb P} [ S(A) = 1] \right| \leq \frac{t^2}{ 2\cdot 2^{2m}} + \frac {t^2}{ 2^{m}}")
![]()
![]()
we have
![\displaystyle \left| \mathop{\mathbb P}_{\overline {F} } [ A^{P_{\overline{F}}, P^{-1} _{\overline{F}} } () =1 ] - \mathop{\mathbb P} [ S(A) = 1] \right| \leq \frac{t^2}{ 2\cdot 2^{2m}} + \frac {t^2}{ 2^{m}}](http://s0.wp.com/latex.php?latex=%5Cdisplaystyle++%5Cleft%7C+%5Cmathop%7B%5Cmathbb+P%7D_%7B%5Coverline+%7BF%7D+%7D+%5B+A%5E%7BP_%7B%5Coverline%7BF%7D%7D%2C+P%5E%7B-1%7D+_%7B%5Coverline%7BF%7D%7D+%7D+%28%29+%3D1+%5D+-+%5Cmathop%7B%5Cmathbb+P%7D+%5B+S%28A%29+%3D+1%5D+%5Cright%7C+%5Cleq+%5Cfrac%7Bt%5E2%7D%7B+2%5Ccdot+2%5E%7B2m%7D%7D+%2B+%5Cfrac+%7Bt%5E2%7D%7B+2%5E%7Bm%7D%7D+&bg=ffffff&fg=000000&s=0 "\displaystyle \left| \mathop{\mathbb P}_{\overline {F} } [ A^{P_{\overline{F}}, P^{-1} _{\overline{F}} } () =1 ] - \mathop{\mathbb P} [ S(A) = 1] \right| \leq \frac{t^2}{ 2\cdot 2^{2m}} + \frac {t^2}{ 2^{m}}")
