Ciphers with Arbitrary Finite Domains
John Black (1) and Phillip Rogaway (2)

(1) Dept. of Computer Science, University of Nevada, Reno NV 89557, USA, [email protected]
(2) Dept. of Computer Science, University of California at Davis, Davis, CA 95616, USA, [email protected]

Abstract. We explore the problem of enciphering members of a finite set M where k = |M| is arbitrary (in particular, it need not be a power of two). We want to achieve this goal starting from a block cipher (which requires a message space of size N = 2^n, for some n). We look at a few solutions to this problem, focusing on the case when M = [0, k−1]. We see ciphers with arbitrary domains as a worthwhile primitive in their own right, and as a potentially useful one for making higher-level protocols.

Keywords: Ciphers, Modes of Operation, Provable security, Symmetric Encryption.

1 Introduction

A Motivating Example. Consider the following problem: a company wishes to generate distinct and unpredictable ten-digit credit-card numbers. One way to accomplish this involves keeping a history of all previously-issued numbers. But the company wishes to avoid storing a large amount of sensitive information. Another approach is to use some block cipher E under a randomly-selected key K and then issue credit-card numbers E_K(0), E_K(1), .... But the domains of contemporary block ciphers are inconvenient for this problem: this company needs distinct numbers in [0, 10^10 − 1], but block ciphers have a domain [0, 2^n − 1] for some n such as 64 or 128. Is there an elegant solution to this problem?

Enciphering with Arbitrary Domains. More generally now, we have good tools (block ciphers) to encipher points when the message space M is strings of some particular length, M = {0,1}^n. But what if you want to encipher a number between one and a million? Or a point in Z_N or Z_N^*, where N is a 1024-bit number? Or a point from some elliptic-curve group? This paper looks at the question of how to construct ciphers whose domain is not {0,1}^n.
That is, we are interested in how to make a cipher which has some desired but weird domain: F : K × M → M, where K is the key space and M is the finite message space that we have in mind. A tool from which we may start our construction is a block cipher: a map E : K × {0,1}^n → {0,1}^n where K is the key space and n is the block length. A solution to this problem immediately solves
the credit-card problem: for a block cipher F : K × [0, 10^10 − 1] → [0, 10^10 − 1], the company chooses a random K ∈ K and issues the (distinct) credit-card numbers F_K(0), F_K(1), F_K(2), ..., F_K(i), and has only to remember the last value used.

Measuring Success. We would like to make clear right away what is the security goal that we are after. Let's do this by way of an example. Suppose that you want to encipher numbers between one and a million: M = [1, 10^6]. Following [2, 7], we imagine two games. In the first game one chooses a random key K from K and hands to an adversary an oracle E_K(·). In the second game one chooses a random permutation π on [1, 10^6] and hands the adversary an oracle for π(·). The adversary should be unable to distinguish these two types of oracles without spending a huge amount of time. Note that the domain is so small that the adversary might well ask for the value of the oracle f(·) ∈ {E_K(·), π(·)} at every point in the domain. This shouldn't help the adversary win. So, for example, if the adversary asks the value of E_K(·) at all points except 1 and 2 (a total of 10^6 − 2 points), then the adversary will know what are the two missing numbers, c_1 and c_2, but the adversary won't be able to ascertain if E_K(1) = c_1 and E_K(2) = c_2, or if E_K(1) = c_2 and E_K(2) = c_1, instead.

Our Contributions. Though the problem of enciphering on an arbitrary domain has been considered before [13], here we draw attention to this problem and give the first rigorous treatment, providing a few solutions together with their analyses. Our solutions focus on the case in which the message space is M = [0, k−1], though we sketch extensions to some other message spaces, like Z_pq^* and common elliptic-curve groups. Our first method assumes that we have a block cipher E that acts on N = 2^n points, where N ≥ k. To encipher M = [0, k−1] one just enciphers these points with block cipher E and uses the ordering of E_K(0), E_K(1), up to E_K(k−1) to name the desired permutation on [0, k−1]. This method is computationally reasonable only for small k, such as k < 2^30.
A second method, similar to known techniques used in other settings, enciphers a message m ∈ M by repeatedly applying the block cipher, starting at m, until one gets back to a point in M. (Assume once again that N ≥ k.) This method is good if M is dense in the domain of the block cipher, {0,1}^n. So, for example, one can use this method to encipher a string in Z_N, where N is a 1024-bit number, using a block cipher with block length of 1024 bits. (A block cipher with a long block length, like this, can be constructed from a standard block cipher by following works like [3, 9, 11].) This construction has been suggested before [13]; our main contribution here is the analysis of the construction. A final method which we look at chooses an a, b where ab ≥ k and performs a Feistel construction on the message m, but uses a left-hand side in Z_a and a right-hand side in Z_b. Our analysis of this is an adaptation of Luby and Rackoff's [9]. This method can be quite efficient, though the proven bounds are weak when the message space is small (e.g., k < 2^128). With each of our ciphers we provide a deciphering algorithm, though this may not be required in all domains (e.g., in our credit-card example above).
Note that the three methods above solve our problem for small and large domains, but there is a gap which remains: intermediate-sized values where our first method requires too much space and time, our second method requires too many block-cipher invocations, and our third method may work but the bound is too weak. This gap occurs roughly from k = 2^30 up to about k = 2^60, depending on your point of view. Our credit-card example (k = 10^10) falls into this gap. This problem remains open.

Why Ciphers on Non-Standard Sets? Popular books on cryptography speak of enciphering the points in the message space M, whatever that message space may be, but few seem to have thought much about how to actually do this when the message space is something other than a set of bit strings, often of one particular length. This omission is no doubt due to the fact that it is usually fine to embed the desired message space into a larger one, using some padding method, and then apply a standard construction to encipher in the larger space. For example, suppose you want to encipher a random number m between one and a million. Your tool is a 128-bit block cipher E. You could encode m as a 128-bit string M by writing m using 20 bits, prepending 108 zero-bits, and computing C = E_K(M). Ignoring the fact that the ciphertext C wastes 108 bits, this method is usually fine. But not always. One problem with the method above is that it allows one to tell if a candidate key K might have been used to produce C. To illustrate the issue, suppose that the key space is small, say |K| = 2^30. Suppose the adversary sees a point C = E_K(M). Then the adversary has everything she needs to decrypt ciphertext C = E_K(M): she just tries all keys K ∈ K until she finds one for which E_K^{-1}(C) begins with 108 zeros. This is almost certainly the right key. The objection that we shouldn't have used a small key space is not a productive one if the point of our efforts was to make do with a small key space. If we had used a cipher with message space M = [1, 10^6] we would not have had this problem.
Every ciphertext C, under every possible key K, would correspond to a valid message M. The ciphertext would reveal nothing about which key had been used. Of course there are several other solutions to the problem we have described, but many of them have difficulties of their own. Suppose, for example, that one pads with random bits instead of zero bits. This is better, but still not perfect: in particular, an adversary can tell that a candidate key K could not have been used to encipher M if decrypting C under K yields a final 20 bits whose decimal value exceeds 1,000,000. If one had 1,000 ciphertexts of random plaintexts enciphered in the manner we have described, the adversary could, once again, usually determine the correct key. As a more realistic example related to that above, consider the Bellovin-Merritt EKE protocol [4]. This entity-authentication protocol is designed to defeat password-guessing attacks. The protocol involves encrypting, under a possibly weak password K, a string g^x mod p, where p is a large prime number and g is a generator of Z_p^*. In this context it is crucial that from the resulting ciphertext C one cannot ascertain if a candidate password K could possibly have
produced the ciphertext C. This can be easily and efficiently done by enciphering with message space M = Z_p^*. Ordinary encryption methods won't work. Another problem with ciphertext expansion occurs when we are constrained by an existing record format: suppose we wish to encrypt a set of fields in a database, but the cost of changing the record size is prohibitive. Using a cipher whose domain is the set of values for the existing fields allows some measure of added security without requiring a complete restructuring of the database. And if the data have additional restrictions beyond size (e.g., the fields must contain printable characters), we can further restrict the domain as needed. In addition to these (modest) applications, the question is interesting from a theoretical standpoint: how can we construct new ciphers from existing ones? In particular, can we construct ciphers with arbitrary domains without resorting to creating new ciphers from scratch? It certainly feels like there should be a good way to construct a block cipher on 32 bits given a block cipher on 64 bits, but, even for this case, no one knows how to do this in a practical manner with good security bounds.

Related Work. We assume that one has in hand a good block cipher for any desired block length. Since standard block ciphers come only in convenient block lengths, such as n = 128, here are some ways that one might create a block cipher for some non-standard block length. First, one could construct the block cipher from scratch. But it is probably better to start with a well-studied primitive like SHA-1 or AES. These could then be used within a balanced Feistel network [14], which creates a block cipher for any (even) block length 2n, starting with something that behaves as a pseudorandom function (PRF) from n bits to n bits. Luby and Rackoff [9] give quantitative bounds on the efficacy of this construction (when using three and four rounds), and their work has spawned much related analysis, too.
Naor and Reingold [11] provide a different construction which extends a block cipher on n bits to a block cipher on 2^i n bits, for any i ≥ 1. A variation on their construction due to Patel, Ramzan and Sundaram [12] yields a cipher on in bits for any i ≥ 1. Lucks [10] generalizes Luby-Rackoff to consider a three-round unbalanced Feistel network, using hash functions for round functions. This yields a block cipher for any given length N starting with a PRF from r bits to l bits and another from l bits to r bits, where l + r = N. Starting from an n-bit block cipher, Bellare and Rogaway [3] construct and analyze a length-preserving cipher with domain {0,1}^{≥n}. This is something more than making a block cipher on arbitrary N ≥ n bits. Anderson and Biham [1] provide two constructions for a block cipher (BEAR and LION) which use a hash function and a stream cipher. This again uses an unbalanced Feistel network. It is unclear how to make any of the constructions above apply to message spaces which are not sets of strings. Probably several of the constructions can be modified, and in multiple ways, to deal with a message space M = [0, k−1], or with other message spaces.
The Hasty Pudding Cipher of Schroeppel and Orman [13] is a block cipher which works on any domain [0, k−1]. They use what is essentially Method 2, internally iterating the cipher until a proper domain point is reached. Schroeppel believes that the idea underlying this method dates back to the rotor machines used in the early 1900's. Our notion of a pseudorandom function is due to Goldreich, Goldwasser and Micali [6]. Pseudorandom permutations are defined and constructed by Luby and Rackoff [9]. We use the adaptation of these notions to deal with finite objects, which first appears in Bellare, Kilian and Rogaway [2].

2 Preliminaries

Notation. If A and B are sets then Rand(A, B) is the set of all functions from A to B. If A or B is a positive number, n, then the corresponding set is [0, n−1]. We write Perm(A) to denote the set of all permutations on the set A, and if n is a positive number then the set is assumed to be [0, n−1]. By x ←R A we denote the experiment of choosing a random element from A. A function family is a multiset F = {f : A → B}, where A, B ⊆ {0,1}^*. Each element f ∈ F has a name K, where K ∈ Key. So, equivalently, a function family F is a function F : Key × A → B. We call A the domain of F and B the range of F. The first argument to F will be written as a subscript. A cipher is a function family F : Key × A → A where F_K(·) is always a permutation; a block cipher is a function family F : Key × {0,1}^n → {0,1}^n where F_K(·) is always a permutation. An ideal block cipher is a block cipher in which each permutation on {0,1}^n is realized by exactly one K ∈ Key. An adversary is an algorithm with an oracle. The oracle computes some function. We write A^{f(·)} to indicate an adversary A with oracle f(·). Adversaries are assumed to never ask a query outside the domain of the oracle, and to never repeat a query. Let F : Key × A → B be a function family and let A be an adversary.
In this paper, we measure security as the maximum advantage obtainable by some adversary; we use the following statistical measures:

$$\mathrm{Adv}^{\mathrm{prf}}_{F}(A) \;\stackrel{\mathrm{def}}{=}\; \Pr[f \leftarrow F : A^{f(\cdot)} = 1] \;-\; \Pr[R \leftarrow \mathrm{Rand}(A,B) : A^{R(\cdot)} = 1],$$

and when A = B,

$$\mathrm{Adv}^{\mathrm{prp}}_{F}(A) \;\stackrel{\mathrm{def}}{=}\; \Pr[f \leftarrow F : A^{f(\cdot)} = 1] \;-\; \Pr[\pi \leftarrow \mathrm{Perm}(A) : A^{\pi(\cdot)} = 1],$$

where each arrow denotes a uniformly random choice from the set on its right.

Useful Facts. It is often convenient to replace random permutations with random functions, or vice versa. The following proposition lets us easily do this. For a proof see Proposition 2.5 in [2].

Lemma 1 [PRF/PRP Switching]. Fix n ≥ 1. Let A be an adversary that asks at most p queries. Then

$$\Bigl|\Pr[\pi \leftarrow \mathrm{Perm}(n) : A^{\pi(\cdot)} = 1] \;-\; \Pr[\rho \leftarrow \mathrm{Rand}(n,n) : A^{\rho(\cdot)} = 1]\Bigr| \;\le\; \frac{p^2}{2^{n+1}}.$$
Algorithm Init Px_K
    for j ← 0 to k−1 do I_j ← E_K(j)
    for j ← 0 to k−1 do J_j ← Ord(I_j, {I_j}_{j ∈ [0,k−1]})
    for j ← 0 to k−1 do L_{J_j} ← j

Algorithm Px_K(m)
    return J_m

Algorithm Px^{-1}_K(m)
    return L_m

Fig. 1. Algorithms for the Prefix Cipher. First the initialization algorithm Init Px_K is run. Then encipher with Px_K(m) and decipher with Px^{-1}_K(m).

3 Method 1: Prefix Cipher

Fix some integer k and let M be the set [0, k−1]. Our goal is to build a cipher with domain M. Our first approach is a simple, practical method for small values of k. We name this cipher Px. Our cipher will use some existing block cipher E with keyspace K and whose domain is a superset of M. The key space for Px will also be K. To compute Px_K(m) for some m ∈ M and K ∈ K we first compute the tuple I = (E_K(0), E_K(1), ..., E_K(k−1)). Since each element of I is a distinct string, we may replace each element in I with its ordinal position (starting from zero) to produce tuple J. And now to encipher any m ∈ M we compute Px_K(m) as simply the m-th component of J (again counting from zero). The enciphering and deciphering algorithms are given in Figure 1.

Example. Suppose we wish to encipher M = {0, 1, 2, 3, 4}. We choose some random key K for some block cipher E. Let's assume E is an 8-bit ideal block cipher; therefore E_K is a uniformly chosen random permutation on [0, 255]. Next we encipher each element of M. Let's say E_K(0) = 166, E_K(1) = 6, E_K(2) = 130, E_K(3) = 201, and E_K(4) = 78. So our tuple I is (166, 6, 130, 201, 78) and J is (3, 0, 2, 4, 1). We are now ready to encipher any m ∈ M: we return the m-th element from J, counting from zero. For example we encipher 0 as 3, and 1 as 0, etc.

Analysis. Under the assumption that our underlying block cipher E is ideal, the permutation determined by the ordering of I is equally likely to be any of the permutations on M. The proof of this fact is trivial and is omitted. The method remains good when E is secure in the sense of a PRP. The argument is standard and is omitted.

Practical Considerations. Enciphering and deciphering are constant-time operations. The cost here is O(k) time and space used in the initialization step.
This clearly means that this method is practical only for small values of k. A further practical consideration is that, although this initialization is a one-time cost, it results in a table of sensitive data which must be stored somewhere.
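The following Python program is an added example, not code from the paper: it implements Init Px_K, Px_K and Px_K^{-1} of Figure 1. Because the analysis above assumes an ideal block cipher, E_K is modelled as a key-seeded uniformly random permutation of [0, 2^n − 1]; that stand-in, the function and class names, and the key value are assumptions of this example. The function prefix_tables reproduces the worked example above (I = (166, 6, 130, 201, 78) gives J = (3, 0, 2, 4, 1)), and the class shows why the O(k) table is both the cost and the sensitive artifact the text warns about.

```python
import random
from typing import List, Sequence, Tuple


def ideal_block_cipher(key: int, n: int) -> List[int]:
    """Stand-in for an n-bit ideal block cipher E_K (an assumption of this
    example, not a real cipher): the key seeds a uniformly chosen permutation
    of [0, 2^n - 1], and E_K(x) is table[x]."""
    table = list(range(1 << n))
    random.Random(key).shuffle(table)
    return table


def prefix_tables(I: Sequence[int]) -> Tuple[List[int], List[int]]:
    """From I = (E_K(0), ..., E_K(k-1)) build J (Figure 1): each entry is
    replaced by its ordinal position among the entries of I.  Also build the
    inverse table L with L[J[j]] = j, used for deciphering."""
    k = len(I)
    if len(set(I)) != k:
        raise ValueError("E_K is a permutation, so the entries of I must be distinct")
    rank = {value: pos for pos, value in enumerate(sorted(I))}
    J = [rank[I[j]] for j in range(k)]
    L = [0] * k
    for j in range(k):
        L[J[j]] = j
    return J, L


class PrefixCipher:
    """Px_K on M = [0, k-1]: O(k) one-time initialisation, O(1) per call.
    The tables J and L are the sensitive state the text says must be stored."""

    def __init__(self, key: int, k: int, n: int) -> None:
        if k > (1 << n):
            raise ValueError("the block cipher's domain must be a superset of M")
        E = ideal_block_cipher(key, n)                 # Init Px_K: I_j = E_K(j)
        self.J, self.L = prefix_tables([E[j] for j in range(k)])

    def encipher(self, m: int) -> int:               # Px_K(m) = J_m
        return self.J[m]

    def decipher(self, c: int) -> int:               # Px_K^{-1}(c) = L_c
        return self.L[c]


def is_permutation_of_domain(px: PrefixCipher, k: int) -> bool:
    """True iff Px_K is a bijection on [0, k-1] and decipher inverts encipher."""
    images = [px.encipher(m) for m in range(k)]
    return sorted(images) == list(range(k)) and all(
        px.decipher(c) == m for m, c in enumerate(images))


if __name__ == "__main__":
    # The paper's example: E_K(0..4) = 166, 6, 130, 201, 78 gives J = (3, 0, 2, 4, 1).
    print(prefix_tables([166, 6, 130, 201, 78]))
    px = PrefixCipher(key=0x2A, k=1000, n=10)          # constructed key; k = 1000 < 2^10
    print(px.encipher(0), is_permutation_of_domain(px, 1000))
```

Replacing ideal_block_cipher with a real n-bit PRP (for example a 128-bit cipher, reducing the first k ciphertexts in the same way) is the only change needed to move from the ideal model to the PRP setting the analysis mentions.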
Algorithm Cy_K(m)
    c ← E_K(m)
    if c ∈ M return c else return Cy_K(c)

Algorithm Cy^{-1}_K(m)
    c ← E^{-1}_K(m)
    if c ∈ M return c else return Cy^{-1}_K(c)

Fig. 2. Algorithms for the Cycle-Walking Cipher. We encipher with Cy_K(·) and decipher with Cy^{-1}_K(·).

4 Method 2: Cycle-Walking Cipher

This next method uses a block cipher whose domain is larger than M, and then handles those cases where a point is out of range. Again we fix an integer k, let M be the set [0, k−1], and devise a method to encipher M. Let N be the smallest power of 2 larger than or equal to k, let n be lg N, and let E_K(·) be an n-bit block cipher. We construct the block cipher Cy_K on the set M by computing c = E_K(m) and iterating if c ∉ M. The enciphering and deciphering algorithms are shown in Figure 2.

Example. Let M = [0, 10^6]. Then N = 2^20 and so n = 20. We use some known method to build a 20-bit block cipher E_K(·) on the set T = [0, 2^20 − 1]. Now suppose we wish to encipher the point m = 314159; we compute c_1 = E_K(314159), which yields some number in T, say one larger than 10^6. Since c_1 ∉ M, we iterate by computing c_2 = E_K(c_1), which is, say, 1729. Since c_2 ∈ M, we output 1729 as Cy_K(314159). Decipherment is simply the reverse of this procedure.

Analysis. Let's view the permutation E_K(·) as a family of cycles: any point m ∈ M lies on some cycle, and repeated applications of E_K(·) can be viewed as a particle walking along the cycle, starting at m. In fact, we can now think of our construction as follows: to encipher any point m ∈ M, walk along the cycle containing m until you encounter some point c ∈ M. Then c = Cy_K(m). Of course this method assumes that one can efficiently test for membership in M. This is trivial for our case when M = [0, k−1], but might not be for other sets. Now we may easily see that Cy_K(·) is well-defined: given any point m ∈ M, if we apply E_K(·) enough times, we will arrive at a point in M. This is because walking on m's cycle must eventually arrive back at some point in M, even if that point is m itself.
We can also see that Cy_K(·) is invertible, since inverting Cy_K(m) is equivalent to walking backwards on m's cycle until finding some element in M. Therefore, we know Cy_K(·) is a permutation on M. However the question arises, how much security do we lose in deriving this permutation? The fortunate answer is, nothing.

Theorem 1 [Security of Cycle-Walking Cipher]. Fix k ≥ 1 and let M = [0, k−1]. Let E_K(·) be an ideal block cipher on the set T where M ⊆ T. Choose a key K uniformly at random and then construct Cy_K(·) using E_K(·). Then Cy_K(·) is a uniform random permutation on M.
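As an added example (not the paper's code), the Python below implements Cy_K and Cy_K^{-1} of Figure 2 over the same idealised block-cipher stand-in as before (a key-seeded random permutation of T, an assumption of this example, as are all names and key values), and checks Theorem 1 by exhaustion on tiny parameters: for T = [0, 4] and M = [0, 2] it walks every one of the 5! permutations of T and records which of the 3! permutations of M each one induces; Theorem 1 says each is induced by the same number of them, 5!/3! = 20. It also measures the average number of E calls per encipherment. Since the walk lengths of the points of M lying on one cycle add up to that cycle's length, the average over all of M is at most |T|/k, which is what makes "an expected two calls" hold when N is the smallest power of two at or above k.

```python
import itertools
import random
from typing import Dict, List, Sequence, Tuple


def ideal_block_cipher(key: int, n: int) -> List[int]:
    """Stand-in for an n-bit ideal block cipher (assumption of this example):
    the key seeds a random permutation of T = [0, 2^n - 1]; E_K(x) is table[x]."""
    table = list(range(1 << n))
    random.Random(key).shuffle(table)
    return table


def invert_table(E: Sequence[int]) -> List[int]:
    """E^{-1} as a table, for deciphering."""
    E_inv = [0] * len(E)
    for x, y in enumerate(E):
        E_inv[y] = x
    return E_inv


def cycle_walk(E: Sequence[int], k: int, m: int) -> Tuple[int, int]:
    """Cy_K(m) for M = [0, k-1]: follow m's cycle under E until a point of M
    is reached.  Returns (ciphertext, number of E applications)."""
    c, calls = m, 0
    while True:
        c, calls = E[c], calls + 1
        if c < k:                           # membership test for M = [0, k-1]
            return c, calls


def cycle_walk_inverse(E_inv: Sequence[int], k: int, c: int) -> int:
    """Cy_K^{-1}(c): walk the same cycle backwards with E^{-1} until hitting M."""
    m = c
    while True:
        m = E_inv[m]
        if m < k:
            return m


def induced_permutation(E: Sequence[int], k: int) -> Tuple[int, ...]:
    """The permutation of M that E induces through cycle walking."""
    return tuple(cycle_walk(E, k, m)[0] for m in range(k))


def count_inducing_permutations(t: int, k: int) -> Dict[Tuple[int, ...], int]:
    """Theorem 1 by exhaustion: every permutation of T = [0, t-1] is one key of
    an ideal cipher; count how many of them induce each permutation of M."""
    counts: Dict[Tuple[int, ...], int] = {}
    for E in itertools.permutations(range(t)):
        pi = induced_permutation(E, k)
        counts[pi] = counts.get(pi, 0) + 1
    return counts


def average_calls(key: int, n: int, k: int) -> float:
    """Mean number of E applications per encipherment over all of M."""
    E = ideal_block_cipher(key, n)
    return sum(cycle_walk(E, k, m)[1] for m in range(k)) / k


def round_trips(key: int, n: int, k: int) -> bool:
    """Decipher(encipher(m)) == m for every m in M."""
    E = ideal_block_cipher(key, n)
    E_inv = invert_table(E)
    return all(cycle_walk_inverse(E_inv, k, cycle_walk(E, k, m)[0]) == m for m in range(k))


if __name__ == "__main__":
    counts = count_inducing_permutations(t=5, k=3)     # 6 permutations of M, 20 keys each
    print(len(counts), set(counts.values()))
    # k one above a power of two is the worst case for walking (here N = 2^12,
    # k = 2049), yet the average number of E calls stays below N/k < 2.
    print(average_calls(key=7, n=12, k=2049), round_trips(key=7, n=12, k=2049))
```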
Proof. Fix some permutation π on the set M. We will show that an equal number of keys K will give rise to π; this will imply the theorem. We proceed by induction, showing that the number of permutations on {0, ..., k−1, x} which give rise under our construction to π is constant. Since M ⊆ T we can repeatedly add all elements x ∈ T − M while maintaining that the number of permutations which give rise to π is constant. Decompose π into r cycles of lengths l_1, l_2, ..., l_r. We count the number of ways to insert the new element x. There are l_i ways to insert x into the i-th orbit corresponding to the i-th cycle, and one way to insert x into a new orbit of its own (i.e., the permutation which fixes x). Therefore there are

$$\sum_{i=1}^{r} l_i + 1 \;=\; k + 1$$

ways to add element x to π yielding a permutation which will give rise to π by repeated iterations. This holds no matter what π we choose. Let |T| = t. Then by induction we see that there are exactly t!/k! keys K under which our construction reduces E_K(·) to π.

Similar to the Prefix Cipher, our construction has retained all of the security of the underlying block cipher. Theorem 1 is an information-theoretic result. Passing to the corresponding complexity-theoretic result is standard. Because no security is lost in the information-theoretic setting, and because we apply E an expected two times (or fewer), an adversary's maximal advantage to distinguish E_K(·) from a random permutation of Z_{2^n} in expected time 2t approximately upper bounds an adversary's maximal advantage to distinguish Cy_K(·) from a random permutation on M in time t.

5 Method 3: Generalized-Feistel Cipher

Our final method works as follows: we decompose all the numbers in M into pairs of similarly sized numbers and then apply the well-known Feistel construction [14] to produce a cipher. Again we fix an integer k, let M be the set [0, k−1], and devise a method to encipher M. We call our cipher Fe[r, a, b] where r is the number of rounds we use in our Feistel network and a and b are positive numbers such that ab ≥ k. We use a and b to decompose any m ∈ M into two numbers for use as the inputs into the network.
Within the network we use r random functions F_1, ..., F_r whose ranges contain M. The algorithms to encipher and decipher are given in Figure 3. Notice that if using the Feistel construction results in a number not in M, we iterate just as we did for the Cycle-Walking Cipher.

Example. In order to specify some particular Fe[r, a, b]_K(·) we must specify the numbers a and b, the number of Feistel rounds r, and the choice of underlying functions F_1, ..., F_r we will use. As a concrete example, let's take k = 2^35, r = 3, a = 185360 and b = [value missing from this transcription] (methods for finding a and b will be discussed later). Note that ab ≥ k as required. Since ab is larger than k, our Feistel construction will be on the set M' = [0, ab − 1], meaning there are values
Algorithm Fe[r,a,b]_K(m)
    c ← fe[r,a,b]_K(m)
    if c ∈ M return c else return Fe[r,a,b]_K(c)

Algorithm fe[r,a,b]_K(m)
    L ← m mod a; R ← ⌊m/a⌋
    for j ← 1 to r do
        if (j is odd) then tmp ← (L + F_j(R)) mod a
        else tmp ← (L + F_j(R)) mod b
        L ← R; R ← tmp
    if (r is odd) then return aL + R else return aR + L

Algorithm Fe[r,a,b]^{-1}_K(m)
    c ← fe[r,a,b]^{-1}_K(m)
    if c ∈ M return c else return Fe[r,a,b]^{-1}_K(c)

Algorithm fe[r,a,b]^{-1}_K(m)
    if (r is odd) then R ← m mod a; L ← ⌊m/a⌋
    else L ← m mod a; R ← ⌊m/a⌋
    for j ← r down to 1 do
        if (j is odd) then tmp ← (R − F_j(L)) mod a
        else tmp ← (R − F_j(L)) mod b
        R ← L; L ← tmp
    return aR + L

Fig. 3. Algorithms for the Generalized-Feistel Cipher. We encipher with Fe[r,a,b]_K(·) and decipher with Fe[r,a,b]^{-1}_K(·). Here a and b are the numbers used to bijectively map all m ∈ M into L and R, and r is the number of rounds of Feistel we will apply. The key K is implicitly used to select the r functions F_1, ..., F_r.

which are in M' − M (there are ab − k of them) for which we will have to iterate (just as we did for the Cycle-Walking Cipher). Let's use DES with independent keys as our underlying PRFs. DES is a 64-bit cipher which uses a 56-bit key; we will regard the 64-bit strings on which DES operates as integers in the range [0, 2^64 − 1] in the natural way. We need three PRFs, so our key K = K_1 K_2 K_3 will be 3 · 56 = 168 bits. Now to compute Fe[3, 185360, b](m) we compute L = m mod 185360 and R = ⌊m/185360⌋, and then perform three rounds of Feistel using DES_{K_1}(·), DES_{K_2}(·), and DES_{K_3}(·) as our underlying PRFs. The first round results in L ← ⌊m/185360⌋ and R ← (m mod 185360 + DES_{K_1}(⌊m/185360⌋)) mod 185360, and so on.

Analysis. First we note that Fe[r, a, b](·) is a permutation: it is well-known that the Feistel construction produces a permutation, and we showed previously that
iterating any permutation is a permutation. We now analyze how good this Generalized-Feistel Cipher is for the three-round case. Assuming the underlying functions F_1, F_2, and F_3 used in our construction are truly random functions, we will compare how close Fe[3, a, b](·) is to a truly random permutation. Passing to the complexity-theoretic setting is then standard, and therefore omitted.

Theorem 2 [Security of Generalized-Feistel Cipher]. Fix k ≥ 1 and let M = [0, k−1]. Fix two numbers a, b > 0 such that ab ≥ k. Let Δ = ab − k. Fix an n such that 2^n > a and 2^n > b. Let D be an adversary which asks q queries of her oracle. Then

$$\mathrm{Adv}^{\mathrm{prf}}_{\mathrm{Fe}}(D) \;=\; \Pr[F_1,F_2,F_3 \leftarrow \mathrm{Rand}(2^n,2^n) : D^{\mathrm{Fe}[3,a,b](\cdot)} = 1] \;-\; \Pr[\rho \leftarrow \mathrm{Rand}(k,k) : D^{\rho(\cdot)} = 1] \;\le\; \frac{(q+\Delta)^2}{2^{n+1}}\Bigl(\lceil 2^n/a \rceil + \lceil 2^n/b \rceil\Bigr).$$

The proof is an adaptation of Luby's analysis from Lecture 13 of [8], which is in turn based on [9]. It can be found in Appendix A.

Finally, we must adjust this bound to account for the fact that we have compared Fe[3, a, b]_K(·) with a random function instead of a random permutation. We can invoke Lemma 1, which gives us a final bound quantifying the quality of our construction:

$$\mathrm{Adv}^{\mathrm{prp}}_{\mathrm{Fe}}(D) \;=\; \Pr[F_1,F_2,F_3 \leftarrow \mathrm{Rand}(2^n,2^n) : D^{\mathrm{Fe}[3,a,b](\cdot)} = 1] \;-\; \Pr[\pi \leftarrow \mathrm{Perm}(k) : D^{\pi(\cdot)} = 1] \;\le\; \frac{(q+\Delta)^2 + q^2}{2^{n+1}}\Bigl(\lceil 2^n/a \rceil + \lceil 2^n/b \rceil\Bigr).$$

6 Discussion

Prefix Cipher. Our first method, the Prefix Cipher, is useful only for suitably small k. Since enciphering one point requires enciphering all k points in [0, k−1], many applications would find this prohibitively expensive for all but fairly small values of k.

Cycle-Walking Cipher. Our second method, the Cycle-Walking Cipher, can be quite practical. If k is just smaller than some power of 2, the number of points we have to walk through during any given encipherment is correspondingly small. In the worst case, however, k is one larger than a power of 2, and (with extremely bad luck) might require k calls to the underlying block cipher to encipher just one point. But if the underlying block cipher is good we require, in the worst case, an expected two calls to it in order to encipher and decipher any point.
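As an added example (not code from the paper), here is a Python implementation of Figure 3 for any number of rounds r, including the iteration over M' − M and the rule of thumb discussed in this section for choosing a and b near √k with Δ = ab − k small. The round functions F_j are HMAC-SHA256 truncated to n bits, standing in for the DES_{K_j} of the paper's example; the per-round key derivation, the key bytes and all names are assumptions of this example. The check at the end confirms that Fe[r,a,b]_K is a permutation of M = [0, k−1] and that Fe[r,a,b]^{-1}_K inverts it for both an odd and an even r.

```python
import hashlib
import hmac
import math
from typing import Callable, List, Tuple

PRF = Callable[[int], int]


def make_prf(key_j: bytes, n: int) -> PRF:
    """F_j: a PRF from integers to [0, 2^n - 1]; HMAC-SHA256 under K_j, truncated
    to n bits (an assumption of this example, in place of DES_{K_j})."""
    mask = (1 << n) - 1

    def F(x: int) -> int:
        tag = hmac.new(key_j, x.to_bytes(16, "big"), hashlib.sha256).digest()
        return int.from_bytes(tag, "big") & mask

    return F


def choose_ab(k: int) -> Tuple[int, int]:
    """a, b near sqrt(k) with ab >= k and Delta = ab - k small (Section 6)."""
    a = math.isqrt(k)
    if a * a < k:
        a += 1
    b = -(-k // a)                  # ceil(k / a): the smallest b with ab >= k
    return a, b


def fe(m: int, r: int, a: int, b: int, F: List[PRF]) -> int:
    """fe[r,a,b]_K(m) of Figure 3: r Feistel rounds, left half in Z_a, right in Z_b."""
    L, R = m % a, m // a
    for j in range(1, r + 1):
        mod = a if j % 2 == 1 else b
        tmp = (L + F[j - 1](R)) % mod
        L, R = R, tmp
    return a * L + R if r % 2 == 1 else a * R + L


def fe_inv(c: int, r: int, a: int, b: int, F: List[PRF]) -> int:
    """fe[r,a,b]^{-1}_K of Figure 3: undo the rounds from r down to 1."""
    if r % 2 == 1:
        R, L = c % a, c // a
    else:
        L, R = c % a, c // a
    for j in range(r, 0, -1):
        mod = a if j % 2 == 1 else b
        tmp = (R - F[j - 1](L)) % mod
        R, L = L, tmp
    return a * R + L


class GeneralizedFeistel:
    """Fe[r,a,b]_K on M = [0, k-1]: fe is a permutation of M' = [0, ab-1], and
    outputs in M' - M are walked through just as in the Cycle-Walking Cipher."""

    def __init__(self, master_key: bytes, k: int, r: int = 3, n: int = 64) -> None:
        self.k, self.r = k, r
        self.a, self.b = choose_ab(k)
        if not ((1 << n) > self.a and (1 << n) > self.b):
            raise ValueError("need 2^n > a and 2^n > b")
        # Independent round keys K_1..K_r derived from the master key (constructed KDF).
        self.F = [make_prf(hashlib.sha256(master_key + bytes([j])).digest(), n)
                  for j in range(1, r + 1)]

    @property
    def delta(self) -> int:         # Delta = ab - k: points of M' - M that force iteration
        return self.a * self.b - self.k

    def encipher(self, m: int) -> int:
        c = fe(m, self.r, self.a, self.b, self.F)
        while c >= self.k:          # c in M' - M: apply fe again
            c = fe(c, self.r, self.a, self.b, self.F)
        return c

    def decipher(self, c: int) -> int:
        m = fe_inv(c, self.r, self.a, self.b, self.F)
        while m >= self.k:
            m = fe_inv(m, self.r, self.a, self.b, self.F)
        return m


def is_permutation_on_m(cipher: GeneralizedFeistel) -> bool:
    """True iff encipher is a bijection of [0, k-1] and decipher inverts it."""
    images = [cipher.encipher(m) for m in range(cipher.k)]
    return sorted(images) == list(range(cipher.k)) and all(
        cipher.decipher(c) == m for m, c in enumerate(images))


if __name__ == "__main__":
    key = b"example master key (constructed)"
    fe3 = GeneralizedFeistel(key, k=20000, r=3)        # a = 142, b = 141, Delta = 22
    print(fe3.a, fe3.b, fe3.delta, is_permutation_on_m(fe3))
    print(is_permutation_on_m(GeneralizedFeistel(key, k=20000, r=4)))
```

With k = 20000 the rule of thumb gives a = 142 and b = 141, so only Δ = 22 of the 20022 points of M' fall outside M; by Theorem 2 it is q + Δ, not q alone, that enters the bound, which is why the section recommends keeping Δ small as well as choosing a and b close together.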
Generalized-Feistel Cipher. To get the best bound we should select a and b such that these numbers are somewhat close together and such that Δ = ab − k is small. One obvious technique is to try numbers near √k; for example, taking a = b = ⌈√k⌉ means that ab − k will never be more than 2√k + 1. But often one can do better. Another way to improve the bound is to ensure n is suitably large. The tail effects spoken of in the proof are diminished as n grows (because as 2^n gets larger, ⌈2^n/a⌉ / 2^n gets closer to 1/a).

The One-Off Construction. Another method, not mentioned above, works well for domains which are one element larger than a domain we can accommodate efficiently. Say we have a cipher E with domain [0, k−1] and we wish to construct a cipher E' with domain [0, k]. We choose a key K' = {K, r} for E' by choosing a key K for E and a random number r ∈ [0, k]. We then compute E'_{K'}(X) as follows:

$$E'_{K'}(X) = \begin{cases} r & \text{if } X = k \\ k & \text{if } X = E_K^{-1}(r) \\ E_K(X) & \text{otherwise} \end{cases}$$

The security of this construction is tightly related to the security of E and the method for selecting r. The analysis is omitted. Of course we can use this method to repeatedly extend the domain of any cipher to the size of choice, but for most settings it is impractical to do this more than a few times. A typical method for generating r would be to take r = E_{K''}(0) mod (k + 1) where K'' is a new randomly-selected key. The tail effect here is not too bad, but will cause a rapid deterioration of the security bound when used too often. Also, the scheme begins to become quite inefficient when we extend the domain in this way too many times.

Other Domains. Though we have spoken in terms of the domain [0, k−1], the same methods work for other domains, too. For example, to encipher in Z_N^*, where N = pq is a 1024-bit product of two primes, one can use either cycle-walking or the generalized-Feistel construction, iterating in the highly unlikely event that a point is in Z_N but not in Z_N^*. We may also use our methods to encipher points from an elliptic curve group (EC group).
There are well-known compact representations of the points in EC groups, and these representations form our starting point. For example, one finds in [5] simple algorithms to compress the representation of a point in an EC group. Consider the EC group G over the field F_q where q is either a power of two or a prime. Then any point (x, y) ∈ G may be represented as a member of F_q together with a single bit. Let's consider first the case where q = 2^m with m > 0. The Hasse theorem (see [5], page 8) guarantees at least d(r) = r + 1 − 2√r points in G. Since it is possible to represent any point in G with m+1 bits and it is also possible to efficiently test for membership in G, we could use the cycle-walking construction over an (m+1)-bit cipher. The expected number of invocations of this cipher to encipher a point in G is then 2^{m+1}/d(2^m) ≈ 2.
If q is instead a prime p, we can represent any point in G as a number x ∈ [0, p−1] and a single bit y. We may again use any of our methods to encipher these 2p points. Here the Hasse theorem ([5], page 7) guarantees at least d(p) points in G, and once again an efficient test for membership in G exists. Therefore we may use the cycle-walking construction over some ⌈lg 2p⌉-bit cipher. However, if 2p is not close to a power of 2, we may wish to instead use the generalized-Feistel construction.

Open Problems. As mentioned already, we have not provided any construction which works well (and provably so) for intermediate-sized values of k. For example, suppose you are given an ideal block cipher Π on 128-bit strings, and you want to approximate a random permutation π on, say, 40-bit strings. Probably enough rounds of Feistel work, but remember that our security goal is that even if an adversary inquires about all 2^40 points, still she should be unable to distinguish π from a random permutation on 40 bits. Known bounds are not nearly so strong. Of course the prefix method works, but spending 2^40 time and space to encipher the first point is not practical.

Acknowledgments

Special thanks to Richard Schroeppel who made many useful comments on an earlier draft. Thanks also to Mihir Bellare, David McGrew, and Silvio Micali for their helpful comments. This paper was written while Rogaway was on leave of absence from UC Davis, visiting the Department of Computer Science, Faculty of Science, Chiang Mai University. This work was supported under NSF CAREER award CCR, and by a generous gift from Cisco Systems.

References

1. Anderson, R., and Biham, E. Two practical and provably secure block ciphers: BEAR and LION. In Fast Software Encryption (1996), Lecture Notes in Computer Science, Springer-Verlag.
2. Bellare, M., Kilian, J., and Rogaway, P. The security of the cipher block chaining message authentication code. Journal of Computer and System Sciences 61, 3 (2000). Earlier version in CRYPTO '94.
3. Bellare, M., and Rogaway, P.
On the construction of variable-input-length ciphers. In Fast Software Encryption (1999), Lecture Notes in Computer Science, Springer-Verlag.
4. Bellovin, S., and Merritt, M. Encrypted key exchange: password-based protocols secure against dictionary attacks. In 1992 IEEE Computer Society Symposium on Research in Security and Privacy (1992), IEEE Computer Society Press.
5. Certicom Research. Standards for efficient cryptography, SEC1: Elliptic curve cryptography, version 1, Sept. Available on-line.
6. Goldreich, O., Goldwasser, S., and Micali, S. How to construct random functions. Journal of the ACM 33, 4 (1986).
7. Goldwasser, S., Micali, S., and Rivest, R. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing 17, 2 (Apr. 1988).
8. Luby, M. Pseudorandomness and cryptographic applications. Princeton University Press, Princeton, New Jersey.
9. Luby, M., and Rackoff, C. How to construct pseudorandom permutations from pseudorandom functions. SIAM Journal of Computing 17, 2 (Apr. 1988).
10. Lucks, S. Faster Luby-Rackoff ciphers. In Fast Software Encryption (1996), Lecture Notes in Computer Science, Springer-Verlag.
11. Naor, M., and Reingold, O. On the construction of pseudorandom permutations: Luby-Rackoff revisited. Journal of Cryptology 12, 1 (1999).
12. Patel, S., Ramzan, Z., and Sundaram, G. Towards making Luby-Rackoff ciphers optimal and practical. In Fast Software Encryption (1999), Lecture Notes in Computer Science, Springer-Verlag.
13. Schroeppel, R., and Orman, H. Introduction to the hasty pudding cipher. In Proceedings from the First Advanced Encryption Standard Candidate Conference, National Institute of Standards and Technology, Aug.
14. Smith, J. L. The design of Lucifer: A cryptographic device for data communications. Tech. Rep. IBM Research Report RC 3326, IBM T.J. Watson Research Center, Yorktown Heights, N.Y., 10598, U.S.A., Apr.

A Proof of Theorem 2

Proof. To simplify the exposition, we will initially assume that k = ab. In other words, that no iterating is required to compute Fe[3, a, b]_K(·). Once we establish the result in this setting, we can make some minor changes to get the general result. We begin by defining a couple of games. Let us call Game Fe the game in which we choose three random functions F_1, F_2, F_3 ∈ Rand(2^n, 2^n) and then answer D's queries according to Fe[3, a, b](·) using F_1, F_2, and F_3 as our underlying functions. Let us call Game Rn the game in which we choose a random function ρ ∈ Rand(k, k) and then answer D's queries according to ρ(·). Let's denote by P_Fe the probability that D outputs 1 in Game Fe, and denote by P_Rn the probability that D outputs 1 in Game Rn.
We are trying to show that
$$|P_{\mathrm{Fe}} - P_{\mathrm{Rn}}| \le \frac{(q + ab - k)^2}{2^{n+1}} \left( \lceil 2^n/a \rceil + \lceil 2^n/b \rceil \right).$$
Without loss of generality, assume $D$ never repeats a query. We begin by describing a new game called Game B. Game B will look the same to adversary $D$ as Game Fe, but Game B will be played completely differently. Instead of choosing three random functions $F_1, F_2, F_3$, we'll choose only some random numbers $x_1, \ldots, x_q$, $y_1, \ldots, y_q$, and $z_1, \ldots, z_q$. Each of these numbers is in $[0, 2^n - 1]$. The only random choices we will make in playing Game B are in the choice of the $x_i$, $y_i$, and $z_i$. We describe Game B in Figure 4. It is played as follows: first choose random numbers $x_1, \ldots, x_q$, $y_1, \ldots, y_q$, and $z_1, \ldots, z_q$. Now answer the $i$-th query with $a\beta_i + \gamma_i$, where $\beta_i$ and $\gamma_i$ are described in the figure.
Fig. 4. Game B. This game is identical, as far as the adversary can tell, to Game Fe. Begin by choosing $x_1, \ldots, x_q$, $y_1, \ldots, y_q$, and $z_1, \ldots, z_q$ at random. Then answer the $i$-th query, $L_i\,R_i$, by $\beta_i\,\gamma_i$, computed as follows:
Let $u = \min\{j \in \{1, \ldots, i\} : R_j = R_i\}$; $\alpha_i \leftarrow (L_i + x_u) \bmod a$.
Let $v = \min\{j \in \{1, \ldots, i\} : \alpha_j = \alpha_i\}$; $\beta_i \leftarrow (R_i + y_v) \bmod b$.
Let $w = \min\{j \in \{1, \ldots, i\} : \beta_j = \beta_i\}$; $\gamma_i \leftarrow (\alpha_i + z_w) \bmod a$.

It should be obvious that Game B is the same, as far as the adversary can see, as Game Fe. Thus $P_{\mathrm{Fe}} = \Pr[D^{B} = 1]$. We now modify Game B to a Game B' which is identical, from the adversary's point of view, to Game B (and therefore to Game Fe). This modification is unusual: we will subtract $R_v$ from the second sum, and we will subtract $\alpha_w$ from the final sum. The new game is shown in Figure 5. The reason that these new addends do not change the adversary's view of the game stems from the fact that the pair $((y_v - R_v) \bmod b,\ (z_w - \alpha_w) \bmod a)$ in Game B' retains the same distribution as $(y_v, z_w)$ had in Game B. We now have that $P_{\mathrm{Fe}} = \Pr[D^{B'} = 1]$. The probability is taken over the random $q$-vectors $x$, $y$, and $z$ with coordinates in $[0, 2^n - 1]$. We now consider one final game, Game C. This game is identical to B' except that we output $a y_i + z_i$ (instead of $a\beta_i + \gamma_i$). Obviously $P_{\mathrm{Rn}} = \Pr[D^{C} = 1]$. Again the probability is over the random vectors $x$, $y$, $z$.
Fig. 5. Game B'. We modify B by adding the quantities $-R_v$ and $-\alpha_w$ (indicated in the original figure by emboldened arrows). This game is once again identical, from the adversary's perspective, to Game Fe.
Let $u = \min\{j \in \{1, \ldots, i\} : R_j = R_i\}$; $\alpha_i \leftarrow (L_i + x_u) \bmod a$.
Let $v = \min\{j \in \{1, \ldots, i\} : \alpha_j = \alpha_i\}$; $\beta_i \leftarrow (R_i + y_v - R_v) \bmod b$.
Let $w = \min\{j \in \{1, \ldots, i\} : \beta_j = \beta_i\}$; $\gamma_i \leftarrow (\alpha_i + z_w - \alpha_w) \bmod a$.

We will now make some observations and calculations about Games B' and C which will allow us to conclude with the theorem. The idea is that Games B' and C usually coincide. We will manage to bound adversarial advantage by looking at the chance that Games B' and C do not coincide. First we define some events. These events are defined in Game C. (It is important that we do this in Game C, not Game B'.) Define the event $\mathrm{REPEAT}_\alpha$ as true if $\alpha_i = \alpha_j$ for some $i < j$; that is, some $\alpha$ arises twice. Define the event $\mathrm{REPEAT}_\beta$ as true if $\beta_i = \beta_j$ for some $i < j$; that is, some $\beta$ arises twice. Define the event $\mathrm{REPEAT}$ as the disjunction of $\mathrm{REPEAT}_\alpha$ and $\mathrm{REPEAT}_\beta$; that is, either an $\alpha$ repeats or a $\beta$ repeats. Again, these events are defined in Game C.

Claim. $\Pr[\mathrm{REPEAT}_\alpha] \le \dfrac{q^2 \lceil 2^n/a \rceil}{2^{n+1}}$.

Look at query $i$. If $R_i$ itself is a repetition of an earlier $R_j$, then we know for sure that $\alpha_i \ne \alpha_j$, since all queries are assumed to be distinct. It is possible, however, that $\alpha_i$ could coincide with some $\alpha_j$ where $R_j$ was different from $R_i$. But we
have provided the adversary no information about internal $x$ and $\alpha$ values. If the cardinality of $[0, 2^n - 1]$ were evenly divisible by $a$ then we would know the chance for any particular $\alpha_j$ to coincide with $\alpha_i$ would be $1/a$. This is because we are taking the sum of $L_i$ with a random member of $[0, 2^n - 1]$ and then taking this $\bmod\ a$. But of course $2^n$ may not be divisible by $a$, and this modulus will create an initial effect, slightly biasing the probability. We can easily measure this, however, as follows: the amount of probability mass on some points will be $\lfloor 2^n/a \rfloor / 2^n$ and on the others it will be $\lceil 2^n/a \rceil / 2^n$. We will simply take the latter as a bound. If $R_i$ is a new, unrepeated value, then $x_u$ will be a random number in $[0, 2^n - 1]$ and so the chance that $\alpha_i$ will collide with any particular prior $\alpha_j$ is again bounded by $\lceil 2^n/a \rceil / 2^n$. Thus the chance that $\alpha_i$ will collide with an earlier query is at most $(i-1)\lceil 2^n/a \rceil / 2^n$, and the chance that there will eventually be a collision in $\alpha$-values is at most
$$\sum_{i=1}^{q} (i-1)\,\frac{\lceil 2^n/a \rceil}{2^n} \le \frac{q^2}{2} \cdot \frac{\lceil 2^n/a \rceil}{2^n}.$$

Claim. $\Pr[\mathrm{REPEAT}_\beta \mid \overline{\mathrm{REPEAT}_\alpha}] \le \dfrac{q^2 \lceil 2^n/b \rceil}{2^{n+1}}$.

By assumption, the $v_i$ values are all distinct, so $y$ is being evaluated on distinct points. The chance that two $\beta$ values coincide is determined similarly to the case in the previous claim where the $R$ values were distinct. So analogously we have
$$\sum_{i=1}^{q} (i-1)\,\frac{\lceil 2^n/b \rceil}{2^n} \le \frac{q^2}{2} \cdot \frac{\lceil 2^n/b \rceil}{2^n}.$$

Putting this together we have that

Claim. $\Pr[\mathrm{REPEAT}] \le \dfrac{q^2}{2^{n+1}} \left( \lceil 2^n/a \rceil + \lceil 2^n/b \rceil \right)$.

The reason is that
$$\begin{aligned}
\Pr[\mathrm{REPEAT}] &= \Pr[\mathrm{REPEAT}_\alpha] + \Pr[\mathrm{REPEAT}_\beta \wedge \overline{\mathrm{REPEAT}_\alpha}] \\
&= \Pr[\mathrm{REPEAT}_\alpha] + \Pr[\mathrm{REPEAT}_\beta \mid \overline{\mathrm{REPEAT}_\alpha}] \, \Pr[\overline{\mathrm{REPEAT}_\alpha}] \\
&\le \Pr[\mathrm{REPEAT}_\alpha] + \Pr[\mathrm{REPEAT}_\beta \mid \overline{\mathrm{REPEAT}_\alpha}],
\end{aligned}$$
and we have just bounded each of the above addends. Now for the key observation:

Claim. $\Pr[D^{B'} = 1 \mid \overline{\mathrm{REPEAT}}] = \Pr[D^{C} = 1 \mid \overline{\mathrm{REPEAT}}]$.

Both probabilities are over random choices of $x$, $y$, $z$. On the right-hand side we output $y_i, z_i$ in response to the $i$-th query. On the left-hand side, assuming that REPEAT does not hold in Game C, once again we output $y_i, z_i$. This would be clear if we had said "assuming that REPEAT does not hold in Game B'", and we defined this event in Game B' in the obvious manner.
But notice that as long as REPEAT does not hold in Game C, Game C and Game B' behave identically, always returning $y_i, z_i$ in response to query $i$. This is easily established by induction.
We claim that, because of the last claim,
$$P_{\mathrm{Fe}} - P_{\mathrm{Rn}} = \Pr[D^{B'} = 1] - \Pr[D^{C} = 1] \le \Pr[\mathrm{REPEAT}].$$
Let $A$, $B$, $C$ be arbitrary events and assume $\Pr[A \mid \overline{C}] = \Pr[B \mid \overline{C}]$. Now
$$\Pr[A] - \Pr[B] = \Pr[A \mid \overline{C}]\Pr[\overline{C}] + \Pr[A \mid C]\Pr[C] - \Pr[B \mid \overline{C}]\Pr[\overline{C}] - \Pr[B \mid C]\Pr[C],$$
and so $\Pr[A \mid \overline{C}] = \Pr[B \mid \overline{C}]$ tells us that the first and third addends cancel. Now upper-bound the second addend by dropping the $\Pr[A \mid C]$ (that is, upper-bound this by 1) and drop the final addend (which is negative) entirely, thereby getting an upper bound of $\Pr[C]$, as desired.

We now address the case where we iterate the cipher. In other words, what happens when $ab - k > 0$? In this case we may invoke $\mathrm{fe}[3,a,b]_K(\cdot)$ multiple times per encipherment, and we must account for this in the bound. The crucial point in the proof affected by iterating is when we are calculating $\mathrm{REPEAT}_\alpha$. In the worst case, the first encipherment could cause us to compute $\mathrm{fe}[3,a,b](m)$ for all $m \in [k, ab - 1]$. In this case up to $ab - k$ values of $\alpha$ may already have been computed. We therefore include these points in the computation of $\Pr[\mathrm{REPEAT}_\alpha]$. The new bound is therefore
$$\sum_{i=1}^{q + (ab - k)} (i-1)\,\frac{\lceil 2^n/a \rceil}{2^n} \le \frac{(q + ab - k)^2}{2} \cdot \frac{\lceil 2^n/a \rceil}{2^n}$$
for $\Pr[\mathrm{REPEAT}_\alpha]$, and similarly for $\Pr[\mathrm{REPEAT}_\beta \mid \overline{\mathrm{REPEAT}_\alpha}]$. So the overall bound is now
$$\Pr[\mathrm{REPEAT}] \le \frac{(q + ab - k)^2}{2^{n+1}} \left( \lceil 2^n/a \rceil + \lceil 2^n/b \rceil \right).$$
And, with $ab - k$ substituted for the corresponding quantity in the theorem statement, this is the bound of Theorem 2.
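The games above are the three-round generalized Feistel cipher Fe[3,a,b] with random functions standing in for the round functions. The following Python is an added example, not code from the paper: it instantiates the construction with HMAC-SHA256 (this example's assumption) as F_1, F_2, F_3 over n = 128 bits, adds the cycle-walking iteration used when k < ab, and evaluates the bound the appendix proves. The split of m into L = m mod a and R = m div a, and the key and parameters in the demo, are likewise this example's choices.

```python
import hashlib
import hmac

N_BITS = 128  # n: each round function maps {0,1}^n -> {0,1}^n (assumption: n = 128)


def round_function(key: bytes, i: int, x: int) -> int:
    """F_i(x): a keyed function {0,1}^n -> {0,1}^n, modelled here with HMAC-SHA256
    keyed by K, domain-separated by the round index i and truncated to n bits
    (an assumption of this example; any PRF of that shape would do)."""
    msg = bytes([i]) + x.to_bytes(N_BITS // 8, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[: N_BITS // 8], "big")


def fe3_encipher(key: bytes, a: int, b: int, m: int) -> int:
    """One pass of Fe[3,a,b] on m in [0, ab-1]: the alpha/beta/gamma chain of
    Figure 4 with F_1, F_2, F_3 in place of the random x, y, z."""
    if not 0 <= m < a * b:
        raise ValueError("m outside [0, ab-1]")
    L, R = m % a, m // a                                  # this example's split of m
    alpha = (L + round_function(key, 1, R)) % a
    beta = (R + round_function(key, 2, alpha)) % b
    gamma = (alpha + round_function(key, 3, beta)) % a
    return a * beta + gamma


def fe3_decipher(key: bytes, a: int, b: int, c: int) -> int:
    """Inverse of fe3_encipher: undo the three rounds in reverse order."""
    if not 0 <= c < a * b:
        raise ValueError("c outside [0, ab-1]")
    beta, gamma = c // a, c % a
    alpha = (gamma - round_function(key, 3, beta)) % a
    R = (beta - round_function(key, 2, alpha)) % b
    L = (alpha - round_function(key, 1, R)) % a
    return L + a * R


def encipher(key: bytes, a: int, b: int, k: int, m: int) -> int:
    """Encipher m in [0, k-1] for k <= ab: iterate the ab-point cipher until the
    value lands back in [0, k-1] (the 'iterating' the appendix accounts for).
    Because fe3_encipher is a permutation of [0, ab-1], the walk terminates and
    the result is a permutation of [0, k-1]."""
    if not (0 < k <= a * b and 0 <= m < k):
        raise ValueError("need 0 <= m < k <= ab")
    c = fe3_encipher(key, a, b, m)
    while c >= k:
        c = fe3_encipher(key, a, b, c)
    return c


def decipher(key: bytes, a: int, b: int, k: int, c: int) -> int:
    """Walk the inverse permutation back until the value re-enters [0, k-1]."""
    if not (0 < k <= a * b and 0 <= c < k):
        raise ValueError("need 0 <= c < k <= ab")
    m = fe3_decipher(key, a, b, c)
    while m >= k:
        m = fe3_decipher(key, a, b, m)
    return m


def point_masses(a: int, n: int = N_BITS) -> tuple:
    """The two probability masses a value (r + x) mod a can carry when x is
    uniform on [0, 2^n - 1]: floor(2^n/a)/2^n on some residues, ceil(2^n/a)/2^n
    on the others. The proof uses the larger one as its bound."""
    two_n = 1 << n
    return (two_n // a) / two_n, (-(-two_n // a)) / two_n


def theorem2_bound(q: int, a: int, b: int, k: int, n: int = N_BITS) -> float:
    """The appendix's bound on |P_Fe - P_Rn| for q queries:
    (q + ab - k)^2 / 2^(n+1) * (ceil(2^n/a) + ceil(2^n/b))."""
    two_n = 1 << n
    ceil_a, ceil_b = -(-two_n // a), -(-two_n // b)
    return (q + a * b - k) ** 2 * (ceil_a + ceil_b) / (2 * two_n)


if __name__ == "__main__":
    KEY = b"constructed sample key for the demo"  # constructed, not a real key
    # Ten-digit numbers as in the introduction: k = 10^10 = ab with a = b = 10^5,
    # so no iterating is needed and enciphering a counter yields distinct numbers.
    a = b = 10 ** 5
    for counter in range(3):
        print(f"counter {counter} -> {encipher(KEY, a, b, a * b, counter):010d}")
    # Bound of Theorem 2 for q = 100 queries on that domain: about 0.1, because
    # ceil(2^n/a)/2^n is essentially 1/a and (q^2/2)(1/a + 1/b) = 10^4 * 10^-5.
    print("Theorem 2 bound, q=100:", theorem2_bound(100, a, b, a * b))
    # A domain that is not a product: k = 31 inside [0, 34] with a = 7, b = 5,
    # where cycle-walking is needed; the outputs are a permutation of [0, 30].
    print([encipher(KEY, 7, 5, 31, m) for m in range(31)])
```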