Benes and butterfly schemes revisited

Abstract

In [1], W. Aiello and R. Venkatesan have shown how to construct pseudo-random functions of 2n bits → bits from pseudo-random functions of n bits → bits. They claimed that their construction, called "Benes", reaches the optimal bound (m ≪ 2^n) of security against adversaries with unlimited computing power but limited by m queries in an Adaptive Chosen Plaintext Attack (CPA-2). However, a complete proof of this result is not given in [1], since one of the assertions of [1] is wrong. Due to this, the proof given in [1] is valid for most attacks, but not for all the possible Chosen Plaintext Attacks. In this paper we will in a way fix this problem since, for all ε > 0, we will prove CPA-2 security when m ≪ 2^(n(1-ε)). However, we will also see that the probability to distinguish Benes functions from random functions is sometimes larger than the term in m^2/2^(2n) given in [1]. One of the key ideas in our proof will be to notice that, when m ≫ 2^(2n/3) and m ≪ 2^n, for a large number of variables linked with some critical equalities, the average number of solutions may be large (i.e. ≫ 1) while, at the same time, the probability to have at least one such critical equality is negligible (i.e. ≪ 1). © Springer-Verlag Berlin Heidelberg 2006.

Patarin, J., & Montreuil, A. (2006). Benes and butterfly schemes revisited. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 3935 LNCS, pp. 92–116). Springer Verlag. https://doi.org/10.1007/11734727_10
