Balanced Permutations Even–Mansour Ciphers

Abstract

The r-rounds Even–Mansour block cipher is a generalization of the well known Even–Mansour block cipher to r iterations. Attacks on this construction were described by Nikolić et al. and Dinur et al. for $r=2,3$. These attacks are only marginally better than brute force but are based on an interesting observation (due to Nikolić et al.): for a “typical” permutation P, the distribution of $P\left(x\right)\oplus x$ is not uniform. This naturally raises the following question. Let us call permutations for which the distribution of $P\left(x\right)\oplus x$ is uniformly “balanced” — is there a sufficiently large family of balanced permutations, and what is the security of the resulting Even–Mansour block cipher? We show how to generate families of balanced permutations from the Luby–Rackoff construction and use them to define a $2n$-bit block cipher from the 2-round Even–Mansour scheme. We prove that this cipher is indistinguishable from a random permutation of ${\{0,1\}}^{2n}$, for any adversary who has oracle access to the public permutations and to an encryption/decryption oracle, as long as the number of queries is $o(2^{n/2})$. As a practical example, we discuss the properties and the performance of a 256-bit block cipher that is based on our construction, and uses the Advanced Encryption Standard (AES), with a fixed key, as the public permutation.

1. Introduction

The r-round Even–Mansour (EM) block cipher, suggested by Bogdanov et al. [1], encrypts an n-bit plaintext m by

$${\mathsf{EM}}_{K_0,K_1,\dots ,K_r}^{P_1,P_2,\dots ,P_r}\left(m\right)=P_r(\dots P_2(P_1(m\oplus K_0)\oplus K_1)\dots \oplus K_{r-1})\oplus K_r$$

(1)

where $K_0,K_1,\dots ,K_r\in {\{0,1\}}^n$ are secret keys and $P_1,P_2,\dots ,P_r$ are publicly known permutations, which are selected uniformly and independently at random, from the set of permutations of ${\{0,1\}}^n$. The confidentiality of the EM cipher is achieved even though the permutations $P_1,\dots ,P_r$ are made public. For $r=1$, Equation (1) reduces to the classical Even–Mansour construction [2].

As a practical example, Bogdanov et al. defined the 128-bit block cipher AES², which is an instantiation of the 2-round EM cipher where the two public permutations are AES with two publicly known “arbitrary” keys (they chose the binary digits of the constant π). The complexity of the best (meet-in-the-middle) attack they showed uses $2^{129.6}$ cipher revaluations. Consequently, they conjectured that AES² offers 128-bit security.

Understanding the security of the EM cipher has been a topic of extended research. First, Even and Mansour [2] proved, for $r=1$, that an adversary needs to make $\Omega (2^{n/2})$ oracle queries before he can decrypt a new message with high success probability. Daemen [3] showed that this bound is tight, by demonstrating a chosen-plaintext key-recovery attack after $O(2^{n/2})$ evaluations of $P_1$ and the encryption oracle. Bogdanov et al. [1] showed, for the r-round EM cipher, $r\ge 2$, that an adversary who sees only $O(2^{2n/3})$ chosen plaintext-ciphertext pairs cannot distinguish the encryption oracle from a random permutation of ${\{0,1\}}^n$. This result has been recently improved by Chen and Steinberger [4], superseding intermediate progress made by Steinberger [5] and by Lampe, Patarin and Seurin [6]. They showed that for every r, an adversary needs $\Omega (2^{\frac{r}{r+1}n})$ chosen plaintext-ciphertext pairs before he can distinguish the r-round EM cipher from a random permutation of ${\{0,1\}}^n$. This bound is tight, by Bogdanov et al.’s [1] distinguishing attack after $O(2^{\frac{r}{r+1}n})$ queries.

Nikolić et al. [7] demonstrated a chosen-plaintext key-recovery attack on the single key variant ($K_0=K_1=K_2$) of the 2-round EM cipher. Subsequently, Dinur et al. [8] produced additional key-recovery attacks on various other EM variants. All the attacks in [7,8] are only slightly better than a brute force approach. For example, the attack ([8]) on the single key variant of the 2-round EM cipher has time complexity $O\left(\frac{logn}{n}{2}^n\right)$, and the attack ([8]) on AES² (with three different keys) has complexity of $2^{126.8}$ (still better than Bogdanov et al. [1], thus enough to invalidate their that AES² has $2^{128}$ security).

The above attacks are based on the astute observation, made in [7], that for a “typical” permutation P of ${\{0,1\}}^n$, the distribution of $P\left(x\right)\oplus x$ over uniformly chosen $x\in {\{0,1\}}^n$ is not uniform. Currently, this observation yields only weak attacks, but the unveiled asymmetry may have the potential to lead to stronger results.

This motivates the following question. Call a permutation P of ${\{0,1\}}^n$ “balanced” if the distribution of $P\left(x\right)\oplus x$, over uniformly chosen $x\in {\{0,1\}}^n$, is uniform. Can we construct a block cipher based on balanced permutations? We point out that, a priori, it is not even clear that there exists a family of such permutations, that is large enough to support a block cipher construction.

In this work, we show how to generate a large family of balanced permutations of ${\{0,1\}}^{2n}$, by observing that a 2-round Luby–Rackoff construction with any two identical permutations of ${\{0,1\}}^n$, always yields a balanced permutation (of ${\{0,1\}}^{2n}$). We use these permutations in an EM setup (illustrated in Figure 2, top panel), to construct a block cipher with block size of $2n$ bits. Note that in this EM setup, the permutations $P_1,P_2$ are not chosen uniformly at random from the set of all permutations of ${\{0,1\}}^{2n}$. They are selected from a particular subset of the permutations of ${\{0,1\}}^{2n}$, and defined via a random choice of two permutations of ${\{0,1\}}^n$, as the paper describes.

For the security of the resulting $2n$ bits block cipher, we would ideally like to maintain the security of the EM cipher (on blocks of $2n$ bits ). This would be guaranteed if we replaced the random permutation in the EM cipher, with an indifferentiable block cipher (as defined in [9]). However, the balanced permutations we use in the EM construction are 2-round Luby–Rackoff permutations, and it was shown in [10] that even the 5-round Luby–Rackoff construction does not satisfy indifferentiability. Therefore, it is reasonable to expect weaker security properties in our cipher. Indeed, we demonstrate a distinguishing (not a key recovery) attack that uses $O(2^{n/2})$ queries. On the other hand, we prove that a smaller number of chosen plaintext-ciphertext queries is not enough to distinguish the block cipher from a random permutation of ${\{0,1\}}^{2n}$.

We comment that the combination of EM and Luby–Rackoff constructions have already been used and analyzed. Gentry and Ramzan [11] showed that the internal permutation of the Even–Mansour construction for $2n$-bits block size can be securely replaced by a 4-round Luby–Rackoff scheme with public round functions. They proved that the resulting construction is secure up to $O(2^{n/2})$ queries. Lampe and Seurin [12] discuss r-round Luby–Rackoff constructions where the round functions are of the form $x\mapsto F_i(K_i\oplus x)$, $F_i$ is a public random function, and $K_i$ is a (secret) round key. For an even number of rounds, this can be seen as a $r/2$-round EM construction, where the permutations are 2-round Luby–Rackoff permutations. They show that this construction is secure up to $O(2^{\frac{tn}{t+1}})$ queries, where $t=\lfloor r/3\rfloor$ for non-adaptive chosen-plaintext adversaries, and $t=\lfloor r/6\rfloor$ for adaptive chosen-plaintext and ciphertext adversaries. These works bare some similarities to ours, but the new feature in our construction is the emergence of balanced permutations.

The paper is organized as follows. In Section 2, we discuss balanced permutations and balanced permutations EM ciphers. Section 3 provides general background for the security analysis given in Section 4. In Section 5, we demonstrate the distinguishing attack. A practical use of our construction is a 256-bit block cipher is based on AES. Section 6 defines this cipher and discusses its performance characteristics. We conclude with a discussion in Section 7.

2. Balanced Permutations and Balanced Permutation EM Ciphers

2.1. Balanced Permutations

Definition 1 (Balanced permutation). 

Let σ be a permutation of ${\{0,1\}}^n$. Define the function $\tilde{\sigma }:{\{0,1\}}^n\to {\{0,1\}}^n$ by $\tilde{\sigma }\left(\omega \right)=\omega \oplus \sigma \left(\omega \right)$, for every $\omega \in {\{0,1\}}^n$. We say that σ is a balanced permutation if $\tilde{\sigma }$ is also a permutation (such permutations are also called “orthomorphism” in the mathematical literature).

Example 1. 

Let $A\in M_{n\times n}\left({\mathbb{Z}}_2\right)$ be a matrix such that both A and $I+A$ are invertible. Define ${\pi }_A:{\mathbb{Z}}_2^n\to {\mathbb{Z}}_2^n$ by ${\pi }_A\left(x\right)=Ax$. Then, ${\pi }_A$ is a balanced permutation of ${\{0,1\}}^n$. One such matrix is defined by $A_{i,i}=A_{i,i+1}=1$ for $i=1,2,\dots ,n-1$, $A_{n,1}=1$ and $A_{i,j}=0$ for all other $1\le i,j\le n$.

Example 2. 

Let a be an element of $GF(2^n)$ such that $a\ne 0,1$. Identify $GF(2^n)$ with ${\{0,1\}}^n$, so that field addition corresponds to bitwise Exclusive Or (XOR). The field’s multiplication is denoted by ×. The function $x\to a\times x$ is a balanced permutation of ${\{0,1\}}^n$. Note that this example is actually a special case of the previous one.

The balanced permutations provided by the above examples are a small family of permutations, and, moreover, are all linear. We now give a recipe for generating a large family of balanced permutations, by employing the Feistel construction that turns any function $f:{\{0,1\}}^n\to {\{0,1\}}^n$ to a permutation of ${\{0,1\}}^{2n}$.

Let us use the following notation. For a string $\omega \in {\{0,1\}}^{2n}$, denote the string of its first n bits by ${\omega }_L\in {\{0,1\}}^n$, and the string of its last n bits by ${\omega }_R\in {\{0,1\}}^n$. Denote the concatenation of two strings ${\omega }_1,{\omega }_2\in {\{0,1\}}^n$ (in this order) by ${\omega }_1*{\omega }_2\in {\{0,1\}}^{2n}$. We have the following identities:

$${\left({\omega }_1*{\omega }_2\right)}_L={\omega }_1,{\left({\omega }_1*{\omega }_2\right)}_R={\omega }_2,{\omega }_L*{\omega }_R=\omega$$

Definition 2 (Luby–Rackoff permutations). 

Let $f:{\{0,1\}}^n\to {\{0,1\}}^n$ be a function. Let $\mathsf{LR}[f]:{\{0,1\}}^{2n}\to {\{0,1\}}^{2n}$ be the Luby–Rackoff (a.k.a Feistel) permutation

$$\mathsf{LR}[f]\left(\omega \right):={\omega }_R*\left({\omega }_L\oplus f\left({\omega }_R\right)\right)$$

(2)

For every $r\ge 2$ and r functions $f_1,\dots ,f_r:{\{0,1\}}^n\to {\{0,1\}}^n$, we define the r-round Luby–Rackoff permutation to be the composition

$$\mathsf{LR}[f_1,\dots ,f_r]:=\mathsf{LR}[f_r]\circ \cdots \circ \mathsf{LR}[f_1]$$

Since we use here extensively the special case $\mathsf{LR}[f,f]$, we denote it by ${\mathsf{LR}}^2[f]$.

The following proposition shows that when f is, itself, a permutation, then ${\mathsf{LR}}^2[f]$ is a balanced permutation.

Proposition 1. 

Let f be a permutation of ${\{0,1\}}^n$. Then, the 2-round Luby–Rackoff permutation, ${\mathsf{LR}}^2[f]$, is a balanced permutation of ${\{0,1\}}^{2n}$.

Proof. 

Denote $P:={\mathsf{LR}}^2[f]$. Observe first that

$$\begin{array}{cc}\hfill P\left(\omega \right)={\mathsf{LR}}^2[f]\left(\omega \right)& =\mathsf{LR}[f]\left(\mathsf{LR}[f]\left(\omega \right)\right)=\mathsf{LR}[f]\left({\omega }_R*\left({\omega }_L\oplus f\left({\omega }_R\right)\right)\right)\hfill \\ & =\left({\omega }_L\oplus f\left({\omega }_R\right)\right)*\left({\omega }_R\oplus f\left({\omega }_L\oplus f\left({\omega }_R\right)\right)\right)\hfill \end{array}$$

(3)

Therefore,

$$\tilde{P}\left(\omega \right)=f\left({\omega }_R\right)*f\left({\omega }_L\oplus f\left({\omega }_R\right)\right)$$

Assume that $x,y\in {\{0,1\}}^{2n}$ such that $\tilde{P}\left(x\right)=\tilde{P}\left(y\right)$, i.e.,

$$f\left(x_R\right)*f\left(x_L\oplus f\left(x_R\right)\right)=f\left(y_R\right)*f\left(y_L\oplus f\left(y_R\right)\right)$$

Then, $f\left(x_R\right)=f\left(y_R\right)$ and $f\left(x_L\oplus f\left(x_R\right)\right)=f\left(y_L\oplus f\left(y_R\right)\right)$. Since (by assumption) f is one-to-one, $x_R=y_R$ and $x_L\oplus f\left(x_R\right)=y_L\oplus f\left(y_R\right)$, it follows that $x_L=\left(x_L\oplus f\left(x_R\right)\right)\oplus f\left(x_R\right)=\left(y_L\oplus f\left(y_R\right)\right)\oplus f\left(y_R\right)=y_L$.

We established that $\tilde{P}\left(x\right)=\tilde{P}\left(y\right)$ implies $x=x_L*x_R=y_L*y_R=y$ which concludes the proof. ☐

Figure 1 shows an illustration of 2-round Luby–Rackoff (balanced) permutation.

2.2. Balanced Permutation EM Ciphers

Definition 3 (r-round balanced permutations EM ciphers (BPEM)). 

Let $n\ge 1$ and $r\ge 1$ be integers. Let $K_0,K_1,\dots ,K_r$ be $r+1$ strings in ${\{0,1\}}^{2n}$. Let $f_1,f_2,\dots ,f_r$ be r permutations of ${\{0,1\}}^n$. Their associated 2-round Luby–Rackoff (balanced) permutations (of ${\{0,1\}}^{2n}$) are ${\mathsf{LR}}^2[f_1],{\mathsf{LR}}^2[f_2],\dots ,{\mathsf{LR}}^2[f_r]$, respectively. The r-round balanced permutations EM (BPEM) block cipher is defined as

$$\mathsf{BPEM}[K_0,K_1,\dots ,K_r;f_1,\dots ,f_r]:={\mathsf{EM}}_{K_0,K_1,\dots ,K_r}^{{\mathsf{LR}}^2[f_1],{\mathsf{LR}}^2[f_2],\dots ,{\mathsf{LR}}^2[f_r]}$$

(4)

(where $\mathsf{EM}$ is defined by Equation (1)). It encrypts $2n$-bit blocks with an r-round EM cipher with the keys $K_0,K_1,\dots ,K_r$, where the r permutations $P_1,P_2,\dots ,P_r$ (of ${\{0,1\}}^{2n}$) are set to be ${\mathsf{LR}}^2[f_1],{\mathsf{LR}}^2[f_2],\dots ,{\mathsf{LR}}^2[f_r]$, respectively.

The use of the r-round BPEM cipher for encryption (and decryption) starts with an initialization step, where the permutations $f_1,f_2,\dots ,f_r$ are selected uniformly and independently, at random from the set of permutations of ${\{0,1\}}^n$. After they are selected, they can be made public. Subsequently, per session/message, the secret keys $K_0,K_1,\dots ,K_r$ are selected uniformly and independently, at random, from ${\{0,1\}}^{2n}$. Figure 2 illustrates a 2-round BPEM cipher $\mathsf{BPEM}[K_0,K_1,K_2;f_1,f_2]$, which is the focus of this paper.

Remark 1. 

The r-round EM cipher is not necessarily secure with any choice of balanced permutations as $P_1,P_2,\dots ,P_r$. For example, it can be easily broken when using the linear balanced permutations shown in Examples 1 and 2.

Remark 2. 

In our construction, the permutations $P_1,P_2,\dots ,P_r$ are not random permutations. Therefore, the security analysis of the “classical” EM does not apply, and the resulting cipher (BPEM) may not be secure. Indeed, it is easy to see that the 1-round BPEM does not provide confidentiality. For any plaintexts $m\in {\{0,1\}}^{2n}$, we have, by Equation (3),

$${\left({\mathsf{LR}}^2[f](m\oplus K_0)\right)}_L=\left(m_L\oplus {\left(K_0\right)}_L\right)\oplus f(m_R\oplus {\left(K_0\right)}_R)$$

Therefore, by Equations (4), (1) and (3),

$$\begin{array}{cc}\hfill {\left(\mathsf{BPEM}[K_0,K_1;f]\left(m\right)\right)}_L& ={\left({\mathsf{EM}}_{K_0,K_1}^{{\mathsf{LR}}^2[f]}\left(m\right)\right)}_L={\left({\mathsf{LR}}^2[f](m\oplus K_0)\right)}_L\oplus {\left(K_1\right)}_L\hfill \\ & =m_L\oplus {\left(K_0\right)}_L\oplus {\left(K_1\right)}_L\oplus f(m_R\oplus {\left(K_0\right)}_R)\hfill \end{array}$$

It follows that if, e.g., ${\left(m_1\right)}_R={\left(m_2\right)}_R$ then

$${\left(\mathsf{BPEM}[K_0,K_1;f]\left(m_1\right)\oplus \mathsf{BPEM}[K_0,K_1;f]\left(m_2\right)\right)}_L={(m_1\oplus m_2)}_L$$

which means that the ciphertexts leak out information on $m_1,m_2$. This also implies that the r-round BPEM cipher must be used with $r\ge 2$ to have any hope for achieving security.

Remark 3. 

By construction, $\mathsf{BPEM}[K_0,K_1,\dots ,K_r;f_1,\dots ,f_r]$ ($r\ge 2$) is immune against any attack that tries to leverage the non-uniformity of $P\left(x\right)\oplus x$ (including [7,8])). Obviously, this does not guarantee it is secure (as indicated in Remark 1).

In Section 4, we prove that the 2-round BPEM cipher is indistinguishable from a random permutation.

2.3. Equivalent Representation of BPEM in Terms of LR

In this section, we show that 2-round BPEM can be viewed as a “keyed” Luby–Rackoff cipher (i.e., each function used in the Luby–Rackoff construction is selected from a family of functions indexed by a key). In fact, the r-round BPEM has a similar representation for every r.

Notation 1. 

Given a function $f:{\{0,1\}}^n\to {\{0,1\}}^n$ and a key $K\in {\{0,1\}}^n$ we denote ${\mathsf{EM}}_{K,K}^f$ by $f^{\oplus K}$, namely

$${\mathsf{EM}}_{K,K}^f\left(x\right)=f(x\oplus K)\oplus K.$$

Lemma 1. 

Let $K_0,K_1,K_2\in {\{0,1\}}^{2n}$ and let $f_1,f_2$ be two permutations of ${\{0,1\}}^n$. Then,

$$\mathsf{BPEM}[K_0,K_1,K_2;f_1,f_2]=\mathsf{LR}[f_1^{\oplus K_1^{\prime }},f_1^{\oplus K_2^{\prime }},f_2^{\oplus K_3^{\prime }},f_2^{\oplus K_4^{\prime }}]\oplus (K_6^{\prime }*K_5^{\prime })$$

where

$$\left(\begin{array}{c}{K}_1^{\prime }\\ K_2^{\prime }\\ K_3^{\prime }\\ K_4^{\prime }\\ K_5^{\prime }\\ K_6^{\prime }\end{array}\right)=\left(\begin{array}{cccccc}1& 0& 0& 0& 0& 0\\ 1& 1& 0& 0& 0& 0\\ 0& 1& 1& 0& 0& 0\\ 1& 0& 1& 1& 0& 0\\ 1& 1& 0& 1& 1& 0\\ 1& 0& 1& 1& 0& 1\end{array}\right)·\left(\begin{array}{c}{\left(K_0\right)}_R\\ {\left(K_0\right)}_L\\ {\left(K_1\right)}_R\\ {\left(K_1\right)}_L\\ {\left(K_2\right)}_R\\ {\left(K_2\right)}_L\end{array}\right)$$

(5)

Proof. 

For every function $f:{\{0,1\}}^n\to {\{0,1\}}^n$, $K\in {\{0,1\}}^{2n}$ and $\omega \in {\{0,1\}}^{2n}$ we have, by Equation (2),

$$\begin{array}{cc}\hfill \mathsf{LR}[f](\omega \oplus K)& ={(\omega \oplus K)}_R*\left({(\omega \oplus K)}_L\oplus f\left({(\omega \oplus K)}_R\right)\right)\hfill \\ & =\left({\omega }_R*\left({\omega }_L\oplus f({\omega }_R\oplus K_R)\oplus K_R\right)\right)\oplus \left(K_R*(K_L\oplus K_R)\right)\hfill \\ & =\left({\omega }_R*\left({\omega }_L\oplus f^{\oplus K_R}\left({\omega }_R\right)\right)\right)\oplus \left(K_R*(K_L\oplus K_R)\right)\hfill \\ & =\mathsf{LR}\left[f^{\oplus K_R}\right]\left(\omega \right)\oplus \left(K_R*(K_L\oplus K_R)\right)\hfill \end{array}$$

and hence

$$\begin{array}{cc}\hfill {\mathsf{LR}}^2[f](\omega \oplus K)& =\mathsf{LR}[f]\left(\mathsf{LR}[f](\omega \oplus K)\right)\hfill \\ & =\mathsf{LR}[f]\left(\left(\mathsf{LR}\left[f^{\oplus K_R}\right]\left(\omega \right)\right)\oplus \left(K_R*(K_L\oplus K_R)\right)\right)\hfill \\ & =\mathsf{LR}\left[f^{\oplus (K_L\oplus K_R)}\right]\left(\mathsf{LR}\left[f^{\oplus K_R}\right]\left(\omega \right)\right)\oplus \left((K_L\oplus K_R)*K_L\right)\hfill \\ & =\mathsf{LR}\left[f^{\oplus K_R},f^{\oplus (K_L\oplus K_R)}\right]\left(\omega \right)\oplus \left((K_L\oplus K_R)*K_L\right)\hfill \end{array}$$

In particular

$$\begin{array}{cc}\hfill {\mathsf{LR}}^2[f_1]& (\omega \oplus K_0)\hfill \\ & =\mathsf{LR}\left[f_1^{\oplus {\left(K_0\right)}_R},f_1^{\oplus \left({\left(K_0\right)}_L\oplus {\left(K_0\right)}_R\right)}\right]\left(\omega \right)\oplus \left(({\left(K_0\right)}_L\oplus {\left(K_0\right)}_R)*{\left(K_0\right)}_L\right)\hfill \\ & =\mathsf{LR}\left[f_1^{\oplus K_1^{\prime }},f_1^{\oplus K_2^{\prime }}\right]\left(\omega \right)\oplus \left(K_2^{\prime }*(K_1^{\prime }\oplus K_2^{\prime })\right)\hfill \end{array}$$

and then

$$\begin{array}{cc}\hfill {\mathsf{LR}}^2& [f_2]\left({\mathsf{LR}}^2[f_1](\omega \oplus K_0)\oplus K_1\right)\hfill \\ \hfill =& {\mathsf{LR}}^2[f_2]\left(\mathsf{LR}\left[f_1^{\oplus K_1^{\prime }},f_1^{\oplus K_2^{\prime }}\right]\left(\omega \right)\oplus \left(K_2^{\prime }*(K_1^{\prime }\oplus K_2^{\prime })\right)\oplus K_1\right)\hfill \\ \hfill =& \mathsf{LR}\left[f_2^{\oplus \left(K_1^{\prime }\oplus K_2^{\prime }\oplus {\left(K_1\right)}_R\right)},f_2^{\oplus \left(K_1^{\prime }\oplus {\left(K_1\right)}_L\oplus {\left(K_1\right)}_R\right)}\right]\left(\mathsf{LR}\left[f_1^{\oplus K_1^{\prime }},f_1^{\oplus K_2^{\prime }}\right]\left(\omega \right)\right)\oplus \hfill \\ & \oplus \left((K_1^{\prime }\oplus {\left(K_1\right)}_L\oplus {\left(K_1\right)}_R)*(K_2^{\prime }\oplus {\left(K_1\right)}_L)\right)\hfill \\ \hfill =& \mathsf{LR}\left[f_1^{\oplus K_1^{\prime }},f_1^{\oplus K_2^{\prime }},f_2^{\oplus K_3^{\prime }},f_2^{\oplus K_4^{\prime }}\right]\left(\omega \right)\oplus \left(K_4^{\prime }*(K_3^{\prime }\oplus K_4^{\prime })\right)\hfill \end{array}$$

Therefore, by Equations (4) and (1),

$$\begin{array}{cc}\hfill \mathsf{BPEM}& \left[K_0,K_1,K_2;f_1,f_2\right]\left(\omega \right)={\mathsf{EM}}_{K_0,K_1,K_2}^{{\mathsf{LR}}^2[f_1],{\mathsf{LR}}^2[f_2]}\left(\omega \right)\hfill \\ \hfill =& {\mathsf{LR}}^2[f_2]\left({\mathsf{LR}}^2[f_1](\omega \oplus K_0)\oplus K_1\right)\oplus K_2\hfill \\ \hfill =& \mathsf{LR}\left[f_1^{\oplus K_1^{\prime }},f_1^{\oplus K_2^{\prime }},f_2^{\oplus K_3^{\prime }},f_2^{\oplus K_4^{\prime }}\right]\left(\omega \right)\oplus \left((K_4^{\prime }\oplus {\left(K_2\right)}_L)*(K_3^{\prime }\oplus K_4^{\prime }\oplus {\left(K_2\right)}_R)\right)\hfill \\ \hfill =& \mathsf{LR}\left[f_1^{\oplus K_1^{\prime }},f_1^{\oplus K_2^{\prime }},f_2^{\oplus K_3^{\prime }},f_2^{\oplus K_4^{\prime }}\right]\left(\omega \right)\oplus (K_6^{\prime }*K_5^{\prime })\hfill \end{array}$$

☐

3. Security Preliminaries and Definitions

Let A be an oracle adversary which interacts with one or more oracles. Suppose that $\mathcal{O}$ and ${\mathcal{O}}^{\prime }$ are two oracles (or a tuple of oracles) with the same domain and range spaces. We define the distinguishing advantage of A distinguishing $\mathcal{O}$ and ${\mathcal{O}}^{\prime }$ as

$${\Delta }_A(\mathcal{O};{\mathcal{O}}^{\prime }):=|Pr[A^{\mathcal{O}}=1]-Pr[A^{{\mathcal{O}}^{\prime }}=1]|$$

The maximum advantage ${max}_A{\Delta }_A(\mathcal{O};{\mathcal{O}}^{\prime })$ over all adversaries with complexity θ (which includes query, time complexities etc.) is denoted by ${\Delta }_{\theta }(\mathcal{O};{\mathcal{O}}^{\prime })$. When we consider computationally unbounded adversaries (which is done in this paper), the time and memory parameters are not present and so we only consider query complexities. In the case of a single oracle, θ is the number of queries, and in the case of a tuple of oracles, θ would be of the form $(q_1,\dots ,q_r)$ where $q_i$ denotes the number of queries to the $i^{\mathrm{th}}$ oracle. While we define security advantages of $\mathcal{O}$, we usually choose ${\mathcal{O}}^{\prime }$ to be an ideal candidate, such as the random permutation Π or a random function. The Pseudo Random Permutation advantage (PRP-advantage) of A against a keyed construction ${\mathcal{C}}_K$ is ${\Delta }_A({\mathcal{C}}_K;\Pi )$. The maximum PRP-advantage with query complexity θ is denoted as ${\Delta }_{\mathcal{C}}^{\mathrm{prp}}\left(\theta \right)$.

In this paper, we always assume that queries to an oracle $\mathcal{O}$ are allowed in both directions, i.e., to ${\mathcal{O}}^{-1}$ as well. We denote

$$\begin{array}{cc}\hfill {\Delta }_A^{\pm }(\mathcal{O},{\mathcal{O}}^{\prime })& :={\Delta }_A\left((\mathcal{O},{\mathcal{O}}^{-1});({\mathcal{O}}^{\prime },{\mathcal{O}}^{\prime }-1)\right)\hfill \\ \hfill {\Delta }_{\theta }^{\pm }(\mathcal{O},{\mathcal{O}}^{\prime })& :={\Delta }_{\theta }\left((\mathcal{O},{\mathcal{O}}^{-1});({\mathcal{O}}^{\prime },{\mathcal{O}}^{\prime }-1)\right)\hfill \end{array}$$

The Symmetric Pseudo Random Permutation advantage ( SPRP-advantage) of a keyed construction ${\mathcal{C}}_K$ (where the adversary has access to both the encryption ${\mathcal{C}}_K$ and its decryption ${\mathcal{C}}_K^{-1}$) is defined by

$${\Delta }_{\mathcal{C}}^{\mathrm{sprp}}\left(\theta \right):={\Delta }_{\theta }^{\pm }({\mathcal{C}}_K;\Pi )$$

When a construction $\mathcal{C}$ is based on one or more ideal permutations or random permutations $f_1,\dots ,f_r$ and a key K, we define SPRP-advantage of a distinguisher A, in the presence of ideal candidates, as ${\Delta }_A^{\pm }((\mathcal{C},f_1,\dots ,f_r);(\Pi ,f_1,\dots ,f_r))$ where Π is sampled independently of $\widehat{f}:=(f_1,\dots ,f_r)$. We denote the maximum advantage by ${\Delta }_{\mathcal{C}}^{\mathrm{im}-\mathrm{sprp}}\left(\theta \right):={\Delta }_{\theta }^{\pm }((\mathcal{C},\widehat{f});(\Pi ,\widehat{f}))$ which we call SPRP-advantage in the ideal model. The complexity parameters of the above advantages depend on the number of oracles, and will be explicitly declared in specific instances.

We state two simple observations on the distinguishing advantages for oracles (we skip the proofs of these observations, as these are straightforward).

Observation 1. 

If ${\mathcal{O}}_1$, ${\mathcal{O}}_2$ and ${\mathcal{O}}^{\prime }$ are three independent oracles, then

$${\Delta }_{q,q^{\prime }}^{\pm }\left(({\mathcal{O}}_1,{\mathcal{O}}^{\prime });({\mathcal{O}}_2,{\mathcal{O}}^{\prime })\right)\le {\Delta }_q^{\pm }({\mathcal{O}}_1;{\mathcal{O}}_2)$$

Observation 2. 

If $\mathcal{C}$ is an oracle construction, then (by using standard reduction)

$${\Delta }_{q,q^{\prime }}^{\pm }\left(({\mathcal{C}}^{{\mathcal{O}}_1},{\mathcal{O}}^{\prime });({\mathcal{C}}^{{\mathcal{O}}_2},{\mathcal{O}}^{\prime })\right)\le {\Delta }_{rq,q^{\prime }}^{\pm }\left(({\mathcal{O}}_1,{\mathcal{O}}^{\prime });({\mathcal{O}}_2,{\mathcal{O}}^{\prime })\right)$$

where r is the number of queries to $\mathcal{O}$, needed to simulate one query to the construction ${\mathcal{C}}^{\mathcal{O}}$.

Note that in the Observation 2, we do not need to assume any kind of independence of the oracles. Analogous observations, up to obvious changes, hold for the case where ${\mathcal{O}}_1,{\mathcal{O}}_2,{\mathcal{O}}^{\prime }$ are tuples of oracles.

3.1. Coefficient-H Technique

Patarin’s coefficient-H technique [13] (see also [14]) is a tool for showing an upper bound for the distinguishing advantage. Here is the basic result of the technique.

Theorem 1 

(Patarin [13]). Let $\mathcal{O}$ and ${\mathcal{O}}^{\prime }$ be two oracle algorithms with domain D and range R. Suppose there exist a set ${\mathcal{V}}_{bad}\subseteq D^q\times R^q$ and $\epsilon >0$ such that the following conditions hold:

• For all $(x_1,\dots ,x_q,y_1$, …, $y_q)\notin {\mathcal{V}}_{bad}$,

  $$Pr[\mathcal{O}\left(x_1\right)=y_1,\dots ,\mathcal{O}\left(x_q\right)=y_q]\ge (1-\epsilon )Pr[{\mathcal{O}}^{\prime }\left(x_1\right)=y_1,\dots ,{\mathcal{O}}^{\prime }\left(x_q\right)=y_q]$$

  (the above probabilities are called interpolation probabilities).
• For all A making at most q queries to ${\mathcal{O}}^{\prime }$, $Pr[\mathrm{Trans}(A^{{\mathcal{O}}^{\prime }})\in {\mathcal{V}}_{bad}]\le \delta$ where $\mathrm{Trans}(A^{{\mathcal{O}}^{\prime }})=(x_1,\dots ,x_q,y_1,\dots ,y_q)$, $x_i$ and $y_i$ denote the $i^{\mathrm{th}}$ query and response of A to ${\mathcal{O}}^{\prime }$.

Then,

$${\Delta }_q(\mathcal{O};{\mathcal{O}}^{\prime })\le \epsilon +\delta$$

The above result can be applied for more than one oracle. In such cases, we split the parameter q into $(q_1,\dots ,q_r)$ where $q_i$ denotes the maximum number of queries to the $i^{\mathrm{th}}$ oracle. Moreover, if we have an oracle $\mathcal{O}$ and its inverse ${\mathcal{O}}^{-1}$, then the interpolation probability for both $\mathcal{O}$ and ${\mathcal{O}}^{-1}$ can be simply expressed through the interpolation probability of $\mathcal{O}$ only. For example, if an adversary makes a query y to ${\mathcal{O}}^{-1}$ and obtains the response x, we can write $\mathcal{O}\left(x\right)=y$. Therefore, under the conditions of Theorem 1, we also have ${\Delta }_q^{\pm }(\mathcal{O};{\mathcal{O}}^{\prime })\le \epsilon +\delta$.

3.2. Known Related Results

3.2.1. The Security of Even–Mansour Cipher

It is known that the Even–Mansour cipher ${\mathsf{EM}}_{K_0,K_1}$ is SPRP secure in the ideal model, in the following sense: ${\Delta }_{EM}^{\mathrm{im}-\mathrm{sprp}}(q_1,q_2)=O(q_1{q}_2/2^n)$. The same is true for the single key variant ${\mathsf{EM}}_{K,K}$. In Section 4, we provide (using Patarin’s coefficient-H technique) a simple proof of this result (Lemma 2) and a more general result (Lemma 3).

3.2.2. The Security of Luby–Rackoff Encryption

The 3-round Luby–Rackoff construction is PRP secure and the 4-round Luby–Rackoff construction is SPRP secure, when the underlying functions $f_i$ are PRPs (or Pseudo Random Functions). We use the following quantified version of the SPRP security of the 4-round case.

Theorem 2 

(Piret [15]). Let ${\Pi }_1,\dots ,{\Pi }_4$ be four independent random permutations of ${\{0,1\}}^n$, and let Π be a random permutation of ${\{0,1\}}^{2n}$. Then, $\mathsf{LR}[{\Pi }_1,\dots ,{\Pi }_4]$ is SPRP secure in the following sense:

$${\Delta }_q^{\pm }(\mathsf{LR}[{\Pi }_1,\dots ,{\Pi }_4];\Pi )\le \frac{5q(q-1)}{2^n}$$

The above bound $O(q^2/2^n)$ is tight (see [16]). In the proof of Theorem 7, we use the following, more general, result.

Theorem 3 

(Nandi [17]). Let $r\ge 4$, and let $({\alpha }_1,\dots {\alpha }_r)$ be a sequence of numbers from $\{1,\dots ,t\}$ such that $({\alpha }_1,\dots {\alpha }_r)\ne ({\alpha }_r,\dots ,{\alpha }_1)$. Let ${\Pi }_1,\dots ,{\Pi }_t$ be t independent random permutations of ${\{0,1\}}^n$, and let Π be a random permutation of ${\{0,1\}}^{2n}$. Then, $\mathsf{LR}[{\Pi }_{{\alpha }_1},\dots ,{\Pi }_{{\alpha }_r}]$ is SPRP secure in the following sense:

$${\Delta }_q(\mathsf{LR}[{\Pi }_{{\alpha }_1},\dots ,{\Pi }_{{\alpha }_r}];\Pi )\le \frac{(r^2+1)q^2}{2^n-1}+\frac{q^2}{2^{2n}}$$

4. Security Analysis of Our Construction

4.1. Security Analysis of Tuples of Single Key 1-Round EM Cipher

Notation 2. 

Let $x_1,\dots ,x_t\in {\{0,1\}}^n$. We use $\mathsf{coll}(x_1,\dots ,x_t)$ to indicate the existence of a collision, i.e., that $x_i=x_j$ for some $1\le i<j\le t$. Otherwise, we write ${\mathsf{dist}}_n(x_1,\dots ,x_t)$, and say that the tuple $(x_1,\dots ,x_t)$ is block-wise distinct. Given a function $f:{\{0,1\}}^n\to {\{0,1\}}^n$ and a tuple $x_1,\dots ,x_t\in {\{0,1\}}^n$, we define

$$f^{\left(t\right)}(x_1,\dots ,x_t):=(f\left(x_1\right),\dots ,f\left(x_t\right))$$

For positive integers $m,r$, denote

$$P(m,r)=m(m-1)\cdots (m-r+1)$$

Observation 3. 

For every ${\mathsf{dist}}_n(x_1,\dots ,x_t)$, ${\mathsf{dist}}_n(y_1,\dots ,y_t)$ and a uniform random permutation Π on ${\{0,1\}}^n$,

$$Pr[{\Pi }^{\left(t\right)}(x_1,\dots ,x_t)=(y_1,\dots ,y_t)]=\frac{1}{P(2^n,t)}$$

More generally, let ${\Pi }_1,\dots ,{\Pi }_r$ be independent uniform random permutations over ${\{0,1\}}^n$ then, for every block-wise distinct tuples $X^i,Y^i\in {\left({\{0,1\}}^n\right)}^{t_i}$, $1\le i\le r$ we have

$$Pr[{\Pi }_1^{\left(t_1\right)}\left(X^1\right)=Y^1,\dots ,{\Pi }_r^{\left(t_r\right)}\left(X^r\right)=Y^r]=\frac{1}{P(2^n,t_1)}\times \cdots \times \frac{1}{P(2^n,t_r)}$$

(6)

Now we show that for a random permutation Π of ${\{0,1\}}^n$ and a uniformly chosen K, the permutation ${\Pi }^{\oplus K}$ (single keyed 1-round EM, see Notation 1) is SPRP secure in the ideal model.

Lemma 2. 

Let Π and ${\Pi }_1$ be independent random permutations of ${\{0,1\}}^n$. Then

$${\Delta }_{q_1,q_2}^{\pm }\left(({\Pi }^{\oplus K},\Pi );({\Pi }_1,\Pi )\right)\le \frac{2q_1{q}_2}{2^n}$$

Proof. 

We use Patarin’s coefficient H-technique. We take the set of bad views ${\mathcal{V}}_{bad}$ to be the empty set. We need to show that for every tuples $M,C\in {\left({\{0,1\}}^n\right)}^{q_1}$, $x,y\in {\left({\{0,1\}}^n\right)}^{q_2}$,

$$\begin{array}{c}Pr[{\Pi }^{\oplus K}\left(M_i\right)=C_i,1\le i\le q_1,\Pi \left(x_i\right)=y_i,1\le j\le q_2]\ge \\ \ge (1-\epsilon )Pr[{\Pi }_1\left(M_i\right)=C_i,1\le i\le q_1,\Pi \left(x_i\right)=y_i,1\le j\le q_2]\end{array}$$

where $\epsilon =\frac{2q_1{q}_2}{2^n}$. With no loss of generality, we may assume that each of the tuples $M,C,x,y$ is block-wise distinct. Then, by Equation (6),

$$\begin{array}{c}{I}_{ideal}:=Pr[{\Pi }_1\left(M_i\right)=C_i,1\le i\le q_1,\Pi \left(x_i\right)=y_i,1\le j\le q_2]\\ =Pr[{\Pi }_1^{\left(q_1\right)}\left(M\right)=C,{\Pi }^{\left(q_2\right)}\left(x\right)=y]=\frac{1}{P(2^n,q_1)}\times \frac{1}{P(2^n,q_2)}\end{array}$$

We say that a key $K\in {\{0,1\}}^n$ is “good” if $K\oplus M_i\ne x_j$ and $K\oplus C_i\ne y_j$ for all $1\le i\le q_1$, $1\le j\le q_2$. In other words, for a good key, all the inputs (outputs) of Π (in the $I_{real}$ computation) are block-wise distinct. Thus, for any given good key K,

$$\begin{array}{c}Pr[\Pi (M_i\oplus K)=(K\oplus C_i),1\le i\le q_1,\Pi \left(x_j\right)=y_j,1\le j\le q_2]\\ =\frac{1}{P(2^n,q_1+q_2)}\ge I_{ideal}\end{array}$$

By a simple counting argument, the number of good keys is at least $2^n-2q_1{q}_2$, i.e., the probability that a randomly chosen key is good, is at least $(1-\epsilon )$, where $\epsilon =\frac{2q_1{q}_2}{2^n}$. Therefore, we have

$$\begin{array}{c}{I}_{real}:=Pr[{\Pi }^{\oplus K}\left(M_i\right)=C_i,1\le i\le q_1,\Pi \left(x_i\right)=y_i,1\le j\le q_2]\ge (1-\epsilon )I_{ideal}\end{array}$$

and the result follows by Theorem 1. ☐

Now, we extend Lemma 2 to a tuple $({\Pi }_{{\alpha }_1}^{\oplus K_{{\beta }_1}},\dots ,{\Pi }_{{\alpha }_t}^{\oplus K_{{\beta }_t}})$ of single key 1-round EM encryptions, where some keys and permutations can be repeated.

Lemma 3. 

Let ${\Pi }_1,\dots ,{\Pi }_r,{\overline{\Pi }}_1,\dots ,{\overline{\Pi }}_t$ be independent random permutations of ${\{0,1\}}^n$ and $K_1,\dots K_s$ be chosen uniformly and independently from ${\{0,1\}}^n$. We write $\widehat{\Pi }$ to denote $({\Pi }_1,\dots ,{\Pi }_r)$. Let $({\alpha }_1,\dots ,{\alpha }_t)$ and $({\beta }_1,\dots ,{\beta }_t)$ be a sequence of elements from $\{1,\dots ,r\}$ and $\{1,\dots ,s\}$, respectively, such that $({\alpha }_i,{\beta }_i)$’s are distinct. Then, for any $\theta =(q_1,\dots ,q_t,q_1^{\prime },\dots ,q_r^{\prime })$ (specifying the maximum number of queries for each permutation), we have

$${\Delta }_{\theta }^{\pm }\left(({\overline{\Pi }}_1,\dots ,{\overline{\Pi }}_t,\widehat{\Pi });({\Pi }_{{\alpha }_1}^{\oplus K_{{\beta }_1}},\dots ,{\Pi }_{{\alpha }_t}^{\oplus K_{{\beta }_t}},\widehat{\Pi })\right)\le \frac{\sigma }{2^n}$$

where $\sigma :=2{\sum }_{\alpha =1}^r\left(\left(\genfrac{}{}{0pt}{}{{\sigma }_{\alpha }}{2}\right)+{\sigma }_{\alpha }{q}_{\alpha }^{\prime }\right)$ and ${\sigma }_{\alpha }={\sum }_{\begin{array}{c}1\le i\le t\\ {\alpha }_i=\alpha \end{array}}{q}_i$ for every $1\le \alpha \le r$.

We note that Lemma 3 is a slightly more general case of [18], which considers Even–Mansour with multiple keys that are independently and uniformly drawn from the key space.

Proof. 

The proof is similar to the proof of Lemma 2. Let $M^i,C^i\in {\left({\{0,1\}}^n\right)}^{q_i}$, $1\le i\le t$, $X^{\alpha },Y^{\alpha }\in {\left({\{0,1\}}^n\right)}^{q_{\alpha }^{\prime }}$, $1\le \alpha \le r$, be block-wise distinct tuples. From Equation (6), we have that

$$\begin{array}{c}{I}_{ideal}=Pr[{\overline{{\Pi }_i}}^{\left(q_i\right)}\left(M^i\right)=C^i,1\le i\le t,{\Pi }_{\alpha }^{\left(q_{\alpha }^{\prime }\right)}\left(X^{\alpha }\right)=Y^{\alpha },1\le \alpha \le r]\\ =\prod _{i=1}^t\frac{1}{P(2^n,q_i)}\times \prod _{\alpha =1}^r\frac{1}{P(2^n,q_{\alpha }^{\prime })}\end{array}$$

We say that a tuple of keys $(K_1,\dots ,K_s)$ is “bad” if one of the following holds:

• There are $1\le i,i^{\prime }\le t$, $1\le j\le q_i$, $1\le j^{\prime }\le q_{i^{\prime }}$ such that $(i,j)\ne (i^{\prime },j^{\prime })$, ${\alpha }_i={\alpha }_{i^{\prime }}$, and $K_{{\beta }_i}\oplus M_j^{{\alpha }_i}=K_{{\beta }_{i^{\prime }}}\oplus M_{j^{\prime }}^{{\alpha }_{i^{\prime }}}$.
• There are $1\le i\le t$, $1\le j\le q_i$, $1\le j^{\prime }\le q_{{\alpha }_i}^{\prime }$ such that $K_{{\beta }_i}\oplus M_j^{{\alpha }_i}=X_{j^{\prime }}^{{\alpha }_i}$.
• There are $1\le i,i^{\prime }\le t$, $1\le j\le q_i$, $1\le j^{\prime }\le q_{i^{\prime }}$ such that $(i,j)\ne (i^{\prime },j^{\prime })$, ${\alpha }_i={\alpha }_{i^{\prime }}$, and $K_{{\beta }_i}\oplus C_j^{{\alpha }_i}=K_{{\beta }_{i^{\prime }}}\oplus C_{j^{\prime }}^{{\alpha }_{i^{\prime }}}$.
• There are $1\le i\le t$, $1\le j\le q_i$, $1\le j^{\prime }\le q_{{\alpha }_i}^{\prime }$ such that $K_{{\beta }_i}\oplus C_j^{{\alpha }_i}=Y_{j^{\prime }}^{{\alpha }_i}$.

Note that there are at most ${\sum }_{\alpha =1}^r\left(\genfrac{}{}{0pt}{}{{\sigma }_{\alpha }}{2}\right)$ cases in the first and in the third items, and at most ${\sum }_{\alpha =1}^r{\sigma }_{\alpha }{q}_{\alpha }^{\prime }$ cases in the second and fourth items.

If a key tuple is not bad, we say that it is a “good” key tuple. As in the proof of Lemma 2, for a good key tuple all the inputs (outputs) of each permutation are distinct. Thus, given a good tuple of keys $(K_1,\dots ,K_s)$, it is easy to see that

$$\begin{array}{c}Pr[{({\Pi }_{{\alpha }_i}^{\oplus K_{{\beta }_i}})}^{\left(q_i\right)}\left(M^i\right)=C^i,1\le i\le t,{\Pi }_{\alpha }^{\left(q_{\alpha }^{\prime }\right)}\left(X^{\alpha }\right)=Y^{\alpha },1\le \alpha \le r]\\ =\prod _{\alpha =1}^r\frac{1}{P(2^n,{\sigma }_{\alpha }+q_{\alpha }^{\prime })}\ge I_{ideal}\end{array}$$

It now remains to bound the probability that a random key tuple is bad. This can happen with one of the cases listed in items 1-4 where each case has probability $2^{-n}$ to occur. Hence, the probability that a random key tuple is bad, is at most $\frac{\sigma }{2^n}$, and the probability that a random key tuple is good is therefore at least $1-\frac{\sigma }{2^n}$. The result follows by Theorem 1. ☐

4.2. Main Theorems

Theorem 4. 

Consider the BPEM cipher $\mathsf{BPEM}[K_0,K_1,K_2;f_1,f_2]$ where the (secret) keys $K_0,K_1,K_2$ are selected uniformly and independently at random. Let $q_{*}$ be the maximum number of queries to the encryption/decryption oracle, and let $q_1,q_2$ be the maximum numbers of queries to the public permutations $f_1$ and $f_2$, respectively. Then,

$${\Delta }_{\mathsf{BPEM}}^{im-sprp}(q_{*},q_1,q_2)\le \frac{q_{*}(13q_{*}+4q_1+4q_2)}{2^n}$$

Proof. 

By Lemma 1, we know that our BPEM construction is same as

$$\mathsf{LR}[f_1^{\oplus K_1^{\prime }},f_1^{\oplus K_2^{\prime }},f_2^{\oplus K_3^{\prime }},f_2^{\oplus K_4^{\prime }}]\oplus (K_6^{\prime }*K_5^{\prime })$$

where $K_1^{\prime },\dots ,K_6^{\prime }$ are defined via Equation (5) by $K_1,K_2,K_3,K_4$. The matrix in Equation (5) is lower triangular with non-zero diagonal, and hence non-singular. Thus, the “new” keys $K_1^{\prime },\dots ,K_6^{\prime }$ are also distributed uniformly and independently. As $K_5^{\prime },K_6^{\prime }$ are independent of all the “ingredients” of $\mathsf{LR}[f_1^{\oplus K_1^{\prime }},f_1^{\oplus K_2^{\prime }},f_2^{\oplus K_3^{\prime }},f_2^{\oplus K_4^{\prime }}]$, it suffices to prove our result without the keys $K_5^{\prime }$ and $K_6^{\prime }$.

Let ${\Pi }_1,\dots ,{\Pi }_4$ be random permutations of ${\{0,1\}}^n$ and let Π be a random permutation of ${\{0,1\}}^{2n}$; all are independent of each other and independent of $\widehat{f}=(f_1,f_2)$). Denote $\widehat{F}=(f_1^{\oplus K_1^{\prime }},f_1^{\oplus K_2^{\prime }},f_2^{\oplus K_3^{\prime }},f_2^{\oplus K_4^{\prime }})$ and $\widehat{\Pi }=({\Pi }_1,\dots ,{\Pi }_4)$. By Observation 2 and Lemma 3, we have

$$\begin{array}{c}\hfill {\Delta }_{q_{*},q_1,q_2}^{\pm }\left((\mathsf{LR}[\widehat{F}],\widehat{f});(\mathsf{LR}[\widehat{\Pi }],\widehat{f})\right)\le {\Delta }_{q_{*},q_{*},q_{*},q_{*},q_1,q_2}^{\pm }\left((\widehat{F},\widehat{f});(\widehat{\Pi },\widehat{f})\right)\le \frac{4q_F\left(2q_F+q_1+q_2\right)}{2^n}\end{array}$$

Note that each query to the oracle construction $\mathsf{LR}[g_1,g_2,g_3,g_4]$ translates to four queries—one to each permutation $g_i$, $i=1,\dots ,4$. Finally, by applying the triangle inequality, Observation 1 and Theorem 2, the SPRP-advantage in the ideal model is

$$\begin{array}{cc}\hfill {\Delta }^{\pm }& {}_{q_{*},q_1,q_2}\left((\mathsf{LR}[\widehat{F}],\widehat{f});(\Pi ,\widehat{f})\right)\hfill \\ & \le {\Delta }_{q_{*},q_1,q_2}^{\pm }\left((\mathsf{LR}[\widehat{F}],\widehat{f});(\mathsf{LR}[\widehat{\Pi }],\widehat{f})\right)+{\Delta }_{q_{*},q_1,q_2}^{\pm }\left((\mathsf{LR}[\widehat{\Pi }],\widehat{f});(\Pi ,\widehat{f})\right)\hfill \\ & \le \frac{4q_F\left(2q_F+q_1+q_2\right)}{2^n}+{\Delta }_{q_{*}}^{\pm }(\mathsf{LR}[\widehat{\Pi }];\Pi )\hfill \\ & \le \frac{4q_{*}(2q_{*}+q_1+q_2)}{2^n}+\frac{5q_{*}^2}{2^n}=\frac{q_{*}(13q_{*}+4q_1+4q_2)}{2^n}\hfill \end{array}$$

☐

The same argument can be used to show a similar bound for the single permutation 2-round BPEM cipher.

Theorem 5. 

Consider the single permutation BPEM cipher $\mathsf{BPEM}[K_0,K_1,K_2;f,f]$ where the (secret) keys $K_0,K_1,K_2$ are selected uniformly and independently at random. Let $q_{*}$ be the maximum number of queries to the encryption/decryption oracle, and let q be the maximum number of queries to the public permutation f. Then,

$${\Delta }_{\mathsf{BPEM}[K_0,K_1,K_2;f,f]}^{im-sprp}(q_{*},q)\le \frac{q_{*}(21q_{*}+8q)}{2^n}$$

Remark 4. 

The difference in the bounds we received in Theorems 4 and 5 are due only to the difference in the value of σ in the application of Lemma 3.

We also comment that the same bounds hold in the single key variants. By Equation (5), we have

$$\begin{array}{cc}\hfill \mathsf{BPEM}[K,K,K;f_1,f_2]& =\mathsf{LR}[f_1^{\oplus K_1^{\prime }},f_1^{\oplus K_2^{\prime }},f_2^{\oplus K_2^{\prime }},f_2^{\oplus K_3^{\prime }}]\hfill \\ \hfill \mathsf{BPEM}[K,K,K;f,f]& =\mathsf{LR}[f^{\oplus K_1^{\prime }},f^{\oplus K_2^{\prime }},f^{\oplus K_2^{\prime }},f^{\oplus K_3^{\prime }}]\hfill \end{array}$$

where

$$\left(\begin{array}{c}{K}_1^{\prime }\\ K_2^{\prime }\\ K_3^{\prime }\end{array}\right)=\left(\begin{array}{cc}1& 0\\ 1& 1\\ 0& 1\end{array}\right)·\left(\begin{array}{c}{K}_R\\ K_L\end{array}\right)$$

For both constructions, the “new” keys $K_1^{\prime },K_2^{\prime },K_3^{\prime }$ are no longer independent, so we need to generalize Lemma 3 as stated below.

Lemma 4. 

Let ${\Pi }_1,\dots ,{\Pi }_r,{\overline{\Pi }}_1,\dots ,{\overline{\Pi }}_t$ be independent random permutations of ${\{0,1\}}^n$ and $K_1,\dots K_s$ be chosen uniformly and independently from ${\{0,1\}}^n$. We write $\widehat{\Pi }$ to denote $({\Pi }_1,\dots ,{\Pi }_r)$. Let $({\alpha }_1,\dots ,{\alpha }_t)$ be a sequence of elements from $\{1,\dots ,r\}$. Let M be a binary matrix of size $t\times s$, with no zero rows, satisfying the following condition: for every $1\le i_1<i_2\le t$ such that ${\alpha }_{i_1}={\alpha }_{i_2}$, the $i_1^{\mathrm{th}}$ and $i_2^{\mathrm{th}}$ rows of M are distinct. Let $K_i^{\prime }:={\sum }_{j=1}^s{M}_{ij}{K}_j$, for every $1\le i\le t$.

Then, for any $\theta =(q_1,\dots ,q_t,q_1^{\prime },\dots ,q_r^{\prime })$ (specifying the maximum number of queries) we have

$${\Delta }_{\theta }^{\pm }\left(({\overline{\Pi }}_1,\dots ,{\overline{\Pi }}_t,\widehat{\Pi });({\Pi }_{{\alpha }_1}^{\oplus K_{{\beta }_1}^{\prime }},\dots ,{\Pi }_{{\alpha }_t}^{\oplus K_{{\beta }_t}^{\prime }},\widehat{\Pi })\right)\le \frac{\sigma }{2^n}$$

where $\sigma :=2{\sum }_{\alpha =1}^r\left(\left(\genfrac{}{}{0pt}{}{{\sigma }_{\alpha }}{2}\right)+{\sigma }_{\alpha }{q}_{\alpha }^{\prime }\right)$ and σ is as defined in Lemma 3.

We skip the proof of this lemma as it is similar to that of Lemma 3. Similarly to the proof of Theorem 4 (while using Lemma 4 instead of Lemma 3), we can obtain the following bound.

Theorem 6. 

Consider the single key BPEM cipher $\mathsf{BPEM}[K,K,K;f_1,f_2]$ where the (secret) key K is selected uniformly at random. Let $q_{*}$ be the maximum number of queries to the encryption/decryption oracle, and let $q_1,q_2$ be the maximum numbers of queries to the public permutations $f_1$ and $f_2$, respectively. Then,

$${\Delta }_{\mathsf{BPEM}[K,K,K;f_1,f_2]}^{im-sprp}(q_{*},q_1,q_2)\le \frac{q_{*}(13q_{*}+4q_1+4q_2)}{2^n}$$

Finally, similarly to the proof of Theorem 5 (while using Lemma 4 instead of Lemma 3, and using Theorem 3 instead of Theorem 2), we obtain the following bound.

Theorem 7. 

Consider the single key single permutation BPEM cipher $\mathsf{BPEM}[K,K,K;f,f]$ where the (secret) key K is selected uniformly at random. Let $q_{*}$ be the maximum number of queries to the encryption/decryption oracle, and let q be the maximum number of queries to the public permutation f. Then,

$${\Delta }_{\mathsf{BPEM}[K,K,K;f,f]}^{im-sprp}(q_{*},q)\le \frac{q_{*}(16q_{*}+8q)}{2^n}+\frac{17q_{*}^2}{2^n-1}+\frac{q_{*}^2}{2^{2n}}$$

5. A Distinguishing Attack on BPEM

In this section, we describe a distinguishing attack on BPEM that uses $O(2^{n/2})$ queries. This is the same attack as the one described in ([16], Section 3.2) for the 4-round Luby–Rackoff with internal permutations, not at all surprising, since we showed (in Section 2.3) that BPEM can be viewed as a 4-round Luby–Rackoff with internal (keyed) permutations. Nevertheless, for the sake of completeness, we describe and analyze the attack in this BPEM terminology. We will use the following technical lemma.

Lemma 5. 

If $x,y,\rho \in {\{0,1\}}^n$ such that

$$\begin{array}{c}x\oplus {\left(\mathsf{BPEM}[K_0,K_1,K_2;f_1,f_2](x*\rho )\right)}_L=y\oplus {\left(\mathsf{BPEM}[K_0,K_1,K_2;f_1,f_2](y*\rho )\right)}_L\end{array}$$

(7)

then $x=y$.

Proof. 

Denote

$$\begin{array}{c}\check{x}:={\mathsf{LR}}^2[f_1]\left((x*\rho )\oplus K_0\right)\oplus K_1\\ \check{y}:={\mathsf{LR}}^2[f_1]\left((y*\rho )\oplus K_0\right)\oplus K_1\end{array}$$

By Equations (4) and (1) we have that

$$\begin{array}{c}\mathsf{BPEM}[K_0,K_1,K_2;f_1,f_2](x*\rho )={\mathsf{EM}}_{K_0,K_1,K_2}^{{\mathsf{LR}}^2[f_1],{\mathsf{LR}}^2[f_2]}(x*\rho )\\ ={\mathsf{LR}}^2[f_2]\left({\mathsf{LR}}^2[f_1]((x*\rho )\oplus K_0)\oplus K_1\right)\oplus K_2={\mathsf{LR}}^2[f_2]\left(\check{x}\right)\oplus K_2\end{array}$$

hence, by Equation (3),

$$\begin{array}{c}{\left(\mathsf{BPEM}[K_0,K_1,K_2;f_1,f_2](x*\rho )\right)}_L={\left({\mathsf{LR}}^2[f_2]\left(\check{x}\right)\oplus K_2\right)}_L\\ ={\check{x}}_L\oplus f_2\left({\check{x}}_R\right)\oplus {\left(K_2\right)}_L=x\oplus {\left(K_0\right)}_L\oplus {\left(K_1\right)}_L\oplus f_1\left(\rho \oplus {\left(K_0\right)}_R\right)\oplus f_2\left({\check{x}}_R\right)\oplus {\left(K_2\right)}_L\end{array}$$

Similarly,

$$\begin{array}{c}{\left(\mathsf{BPEM}[K_0,K_1,K_2;f_1,f_2](y*\rho )\right)}_L=y\oplus {\left(K_0\right)}_L\oplus {\left(K_1\right)}_L\oplus f_1\left(\rho \oplus {\left(K_0\right)}_R\right)\oplus f_2\left({\check{y}}_R\right)\oplus {\left(K_2\right)}_L\end{array}$$

Therefore, we get from Equation (7) that $f_2\left({\check{x}}_R\right)=f_2\left({\check{y}}_R\right)$, hence, since $f_2$ is injective, ${\check{x}}_R={\check{y}}_R$. Therefore, using Equation (3) again,

$$\begin{array}{c}\rho \oplus {\left(K_0\right)}_R\oplus f_1\left(x\oplus {\left(K_0\right)}_L\oplus f_1(\rho \oplus {\left(K_0\right)}_R)\right)\oplus {\left(K_1\right)}_R\\ =\rho \oplus {\left(K_0\right)}_R\oplus f_1\left(y\oplus {\left(K_0\right)}_L\oplus f_1(\rho \oplus {\left(K_0\right)}_R)\right)\oplus {\left(K_1\right)}_R\end{array}$$

hence

$$\begin{array}{c}{f}_1\left(x\oplus {\left(K_0\right)}_L\oplus f_1(\rho \oplus {\left(K_0\right)}_R)\right)=f_1\left(y\oplus {\left(K_0\right)}_L\oplus f_1(\rho \oplus {\left(K_0\right)}_R)\right)\end{array}$$

Since $f_1$ is injective, we get that

$$x\oplus {\left(K_0\right)}_L\oplus f_1(\rho \oplus {\left(K_0\right)}_R)=y\oplus {\left(K_0\right)}_L\oplus f_1(\rho \oplus {\left(K_0\right)}_R)$$

hence $x=y$. ☐

Proposition 2. 

Consider the BPEM cipher $\mathsf{BPEM}[K_0,K_1,K_2;f_1,f_2]$ with arbitrary (secret) keys $K_0,K_1,K_2$. Let $q_{*}$ be the maximum number of queries to the encryption oracle. Then,

$${\Delta }_{\mathsf{BPEM}}^{prp}\left(q_{*}\right)\ge 1-e^{-\frac{q_{*}(q_{*}-1)}{2(2^n+1)}}$$

Remark 5. 

Note that Proposition 2 implies that the adversary advantage becomes non-negligible for $q_{*}=\Omega (2^{n/2})$.

Proof. 

Fix an n-bit string ρ and $q_{*}$ distinct n-bit strings ${\omega }_1,{\omega }_2,\dots ,{\omega }_{q_{*}}$. We query the encryption oracle for the plaintexts ${\omega }_1*\rho ,{\omega }_2*\rho ,\dots ,{\omega }_{q_{*}}*\rho$, and let ${\sigma }_1,{\sigma }_2,\dots ,{\sigma }_{q_{*}}$ be the corresponding ciphertexts. We now search for collisions between the $q_{*}$ n-bit strings ${\omega }_1\oplus {\left({\sigma }_1\right)}_L,{\omega }_2\oplus {\left({\sigma }_2\right)}_L,\dots ,{\omega }_k\oplus {\left({\sigma }_{q_{*}}\right)}_L$. By Lemma 5, there will be no collision if the oracle encrypts using $\mathsf{BPEM}[K_0,K_1,K_2;f_1,f_2]$. By contrast, if the oracle encrypts by applying a randomly chosen permutation of ${\{0,1\}}^{2n}$, then the probability that there is no collision is at most

$$\begin{array}{c}\prod _{k=1}^{q_{*}-1}\left(1-\frac{k(2^n-1)}{2^{2n}-k}\right)\le \prod _{k=1}^{q_{*}-1}\left(1-\frac{k}{2^n+1}\right)\le \prod _{k=1}^{q_{*}-1}{e}^{-\frac{k}{2^n+1}}=e^{-\frac{q_{*}(q_{*}-1)}{2(2^n+1)}}\end{array}$$

☐

6. A Practical Construction of a 256-Bit Cipher

In this section, we demonstrate a practical construction of a 256-bit block cipher based on the 2-round BPEM cipher, where the underlying permutation is AES.

Definition 4 ($EM256AES$: a 256-bit block cipher). 

Let ${\ell }_1$ and ${\ell }_2$ be two 128-bit keys and let $K_0,K_1,K_2$ be three 256-bit secret keys (assume ${\ell }_1,{\ell }_2,K_0,K_1,K_2$ are selected uniformly and independently at random). Let the permutations $f_1$ and $f_2$ be the AES encryption using ${\ell }_1$ and ${\ell }_2$ as the AES key, respectively.

The 256-bit block cipher $EM256AES$ is defined as the associated instantiation of the 2-round BPEM cipher $\mathsf{BPEM}[K_0,K_1,K_2;f_1,f_2]$.

Usage of $EM256AES$:

• ${\ell }_1$ and ${\ell }_2$ are determined during the setup phase, and can be made public (e.g., sent from the sender to the receiver as an IV).
• $K_0,K_1,K_2$ are selected per encryption session.

The single key EM256AES is the special case where a single value $K\in {\{0,1\}}^{256}$ and a single value $\ell \in {\{0,1\}}^{128}$ are selected uniformly and independently at random, and the EM256AES cipher uses $K_0=K_1=K_2=K$ and ${\ell }_1={\ell }_2=\ell$.

Hereafter, we use the single key EM256AES. To establish security properties for $EM256AES$, we make the standard assumption about AES with a secret key that is selected (uniformly at random): an adversary has negligible advantage in distinguishing AES from a random permutation of ${\{0,1\}}^{128}$ even after seeing a (very) large number of plaintext-ciphertext pairs (i.e., the assumption is that AES satisfies its design goals ([19], Section 4). This assumption is certainly reasonable if the number of blocks that are encrypted with the same keys is limited to be much smaller than $2^{64}$ (note that AES can also be argued to be secure in a known-key setting, although this property is not part of the design goals of AES [20,21]). Therefore, in our context, we can consider assigning the randomly selected key ℓ at setup time, as an approximation for a random selection of the permutations $f_1$ and $f_2$ (which are identical). Under this assumption, we can rely on the result of Theorem 7 for the security of $EM256AES$.

$EM256AES$ Efficiency

An encryption session between two parties requires exchanging a 256-bit secret key and transmitting a 128-bit IV ($=\ell$). One key (and IV) can be used for N blocks as long as we keep $N\ll 2^{64}$. Computing one (256-bit) ciphertext involves four AES computations (with the $IV$ as the AES key) plus a few much cheaper XOR operations. Let us assume that the encryption is executed on a platform that has the capability of computing AES at some level of performance. If the $EM256AES$ encryption (decryption) is done in a serial mode, we can estimate the encryption rate to be roughly half the rate of AES (serial) computation on that platform (4 AES operations per one 256-bit block). Similarly, if the $EM256AES$ encryption is done in a parallelized mode, we can estimate the throughput to be roughly half the throughput of AES.

$EM256AES$ Performance

To test the actual performance of $EM256AES$, and validate our predictions, we coded an optimized implementation of $EM256AES$. Its performance is reported here. The performance was measured on an Intel® Core^TM i7-4700MQ (microarchitecture Codename Haswell) where the enhancements (Intel® Turbo Boost Technology, Intel® Hyper-Threading Technology, and Enhanced Intel Speedstep® Technology) were disabled. The code used the AES instructions (AES-NI) that are available on such modern processors. On this platform, we point out the following baseline: the performance of AES (128-bit key) in a parallelized mode (CTR) is $0.63$ C/B, and in a serial mode (CBC encryption) it is $4.44$ cycles per byte (C/B hereafter). The measured performance of our $EM256AES$ implementation was $1.44$ C/B for the parallel mode, and $8.92$ C/B for the serial mode. The measured performance clearly matches the predictions. It is also interesting to compare the performance of $EM256AES$ to another 256-bit cipher. To this end, we prepared an implementation of Rijndael256 cipher [22] (we point out that although AES is based on the Rijndael block cipher, the AES standardizes only a 128 block size, while the Rijndael definitions support both 128-bit and 256-bit blocks). For details on how to code Rijndael256 with AES-NI, see [23]). Rijndael256 (in ECB mode) turned out to be much slower than $EM256AES$, performing at $3.85$ C/B.

7. Conclusions

In this work, we showed how to construct a large family of balanced permutations, and analyzed the resulting new variation, BPEM, of the EM cipher.

The resulting $2n$-bit block cipher is obtained by using a permutation of ${\{0,1\}}^n$ as a primitive. The computational cost of encrypting (decrypting) one $2n$-bit block is four evaluations of a permutation of ${\{0,1\}}^n$ (plus a relatively small overhead). Note that this makes BPEM readily useful in practice, for example to define a 256-bit cipher, because “good” permutations of ${\{0,1\}}^{128}$ are available. We demonstrated the specific cipher $EM256AES$, which is based on AES, and showed that its throughput is (only) half the throughput of AES (and $2.5$ times faster than Rijndael256).

A variation on the way by which BPEM can be used, would make it a tweakable $2n$-bit block cipher. Here, the public IV (=ℓ) can be associated with each encrypted block as an identifier, to be viewed as the tweak. The implementation would switch this tweak for each block. To randomize the keys for the (public) permutations, an additional encryption (using some secret key) is necessary.

The expression of the advantage in Theorem 4 behaves linearly with the number of queries to the public permutations, and quadratically with the number of queries to the encryption/decryption oracle. This reflects the intuition that the essential limitations on the number of adversary queries should be on the encryption/decryption invocations, while weaker (or perhaps no) limitations should be imposed on the number of queries to the public permutations. It also suggests the following protocol, where the secret keys are changed more frequently than the random permutations. Choose the public permutations for a period of, say, $\frac{1}{1000}{2}^{2n/3}$ blocks, divided into $2^{n/3}$ sessions of $\frac{1}{1000}{2}^{n/3}$ blocks. Change the secret keys every session. This way, the relevant information on the block cipher, from a specific choice of keys, is limited to a session, while the adversary can accumulate relevant information from replies to the public permutations across sessions. Therefore, $q_{*}$ is limited to $\frac{1}{1000}{2}^{n/3}$, while $q_{*}+q_1+q_2$ is limited to $\frac{1}{1000}{2}^{2n/3}$. Theorem 4 guarantees that this usage is secure.