Progress in Cryptology - INDOCRYPT 2010

Strong Pseudorandompermutations or SPRPs,which were introduced byLuby andRacko? [4], formalize the well established cryptographic notion ofblock ciphers.They provided a construction of SPRP, well known as LRconstruction, which was motivated by the structure of DES[6].The basicbuildingblock is the so called 2n-bit Feistel permutation (or LR round permutation) LR based F K on an n-bitpseudorandomfunction (PRF) F : K n LR (x ,x)=(F (x )?x ,x ),x ,x?{0,1} . F 1 2 K 1 2 1 1 2 K Theirconstruction consists (see Fig 1) offour rounds of Feistel permutations (or three rounds, for PRP), each round involves an application ofanindependent PRF(i.e.with independentrandomkeys K ,K ,K , and K ). More precisely, 1 2 3 4 LR and LR are PRP and SPRP respectively where K ,K ,K K ,K ,K ,K 1 2 3 1 2 3 4 LR := LR := LR (...(LR (*))...). K ,...,K F ,...,F F F 1 r K K K K r r 1 1 After this work, many results are known improvingperformance (reducingthe number of invocations of F )[5] and reducingthekey-sizes (i.e. reusingthe K roundkeys [7,8,10,12,11] orgenerate more keysfromsinglekey by usinga PRF[2]). However there are some limitations.Forexample,wecannotuseas few as single-keyLR (unless wetweak the roundpermutation) orasfew as two-roundsince they are not secure. Distinguishing attacks forsome other LR constructionsarealso known [8]. We list some oftheknow related results (see Table 1). Here all keys K ,K ,...are independently chosen.