Abstract
We denote by Ψk the permutation generator based on the DES scheme with k rounds where the S boxes are replaced by random independent functions. We denote by |P1 - P1*| (respectively |P1 - P1**|) the probability of distinguishing such a permutation from a random function (respectively from a random permutation) by means of a distinguishing circuit that has m oracle gates. In 1988, M. Luby and C. Rackoff [1] proved that ∀k ≥ 3, |P1 - P1*| ≤ m(m-1)/2^n. At Eurocrypt 90, J. Pieprzyk wondered at the end of his paper [4] whether that inequality could be improved. This is the problem we consider here. In particular, such an improvement could greatly reduce the length of the keys used in a "direct" application of these theorems to a cryptosystem. Our main results will be: 1. For Ψ3 and Ψ4 there is no really tighter inequality than |P1 - P1*| ≤ m(m-1)/2^n. 2. However, for Ψ5 (and then for Ψk, k ≥ 5), there is a much tighter inequality than Luby and Rackoff's. For example, for Ψ6, |P1 - P1*| and |P1 - P1**| are ≤ 12m/2^n + 18m^3/2^(2n). 3. When m is very small (m = 2 or 3, for example) it is possible to give an explicit evaluation of the effect of the number of rounds k on the "better and better pseudorandomness" of Ψk.
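The abstract compares two distinguishing-advantage bounds without showing the construction they apply to. The following Python example is added here as an illustration and is not code from the paper: it builds Ψk as a k-round Feistel permutation on 2n bits whose round functions are independent, lazily sampled random functions {0,1}^n → {0,1}^n (standing in for the idealised S boxes), checks that the result is invertible, and evaluates the Luby-Rackoff bound m(m-1)/2^n next to the Ψ6 bound 12m/2^n + 18m^3/2^(2n) quoted above. The class and function names, the seed parameter and the `crossover_m` helper are assumptions of this example; only the two formulas come from the abstract.

```python
import random


class RandomFunction:
    """Lazily sampled random function {0,1}^n -> {0,1}^n.

    Each input gets an independent uniform n-bit output the first time it is
    queried, which is exactly the 'random independent function' model of the
    abstract (the seed only makes the example reproducible).
    """

    def __init__(self, n, rng):
        self.n = n
        self.rng = rng
        self.table = {}

    def __call__(self, x):
        if x not in self.table:
            self.table[x] = self.rng.getrandbits(self.n)
        return self.table[x]


class Psi:
    """Psi_k: k-round Feistel permutation on 2n bits with k independent random round functions."""

    def __init__(self, k, n, seed=0):
        rng = random.Random(seed)  # constructed, reproducible source of round functions
        self.k, self.n = k, n
        self.mask = (1 << n) - 1
        self.rounds = [RandomFunction(n, rng) for _ in range(k)]

    @property
    def block_bits(self):
        return 2 * self.n

    def encrypt(self, x):
        """One Feistel round maps (L, R) to (R, L xor f_i(R)); apply k of them."""
        left, right = x >> self.n, x & self.mask
        for f in self.rounds:
            left, right = right, left ^ f(right)
        return (left << self.n) | right

    def decrypt(self, y):
        """Undo the rounds in reverse order: (L', R') came from (R' xor f_i(L'), L')."""
        left, right = y >> self.n, y & self.mask
        for f in reversed(self.rounds):
            left, right = right ^ f(left), left
        return (left << self.n) | right

    def is_permutation(self):
        """Exhaustively verify bijectivity; only sensible for small n."""
        domain = 1 << self.block_bits
        return len({self.encrypt(x) for x in range(domain)}) == domain


def luby_rackoff_bound(m, n):
    """Luby-Rackoff 1988: for k >= 3, |P1 - P1*| <= m(m-1)/2^n."""
    return m * (m - 1) / 2 ** n


def patarin_psi6_bound(m, n):
    """Bound quoted in the abstract for Psi_6: 12m/2^n + 18m^3/2^(2n)."""
    return 12 * m / 2 ** n + 18 * m ** 3 / 2 ** (2 * n)


def crossover_m(n, limit=1_000_000):
    """Smallest number of queries m at which the Psi_6 bound is strictly tighter
    than the Luby-Rackoff bound, or None if that never happens below the limit
    (for small n the 18m^3/2^(2n) term dominates and the new bound never wins)."""
    for m in range(2, min(limit, 2 ** n) + 1):
        if patarin_psi6_bound(m, n) < luby_rackoff_bound(m, n):
            return m
    return None


if __name__ == "__main__":
    psi = Psi(k=6, n=8, seed=1)
    x = 0xBEEF
    print(f"Psi_6 on {psi.block_bits} bits: {x:#06x} -> {psi.encrypt(x):#06x} -> {psi.decrypt(psi.encrypt(x)):#06x}")
    for n in (8, 16, 64):
        print(f"n={n}: Psi_6 bound tighter than Luby-Rackoff from m = {crossover_m(n)}")
```

The bound comparison is what makes the abstract's second result concrete: the Luby-Rackoff term grows like m^2 while the Ψ6 term is linear in m until m approaches 2^(n/2), so for realistic n the new bound is tighter from about fourteen queries onwards, and for a toy n such as 8 it never is.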
Patarin, J. (1992). New results on pseudorandom permutation generators based on the DES scheme. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 576 LNCS, pp. 301–312). Springer Verlag. https://doi.org/10.1007/3-540-46766-1_25