Questions tagged [pseudo-random-permutation]

A Pseudo-Random Permutation (PRP) is a function that cannot be distinguished (with practical effort) from a permutation selected at random with uniform probability from the family of all permutations on the function's domain.

Wikipedia: http://en.wikipedia.org/wiki/Pseudo-random_permutation

191 questions
21
votes
1 answer

Is the inverse of a secure PRP also a secure PRP?

If a block cipher is a secure PRP, is its inverse a secure PRP as well? My intuition says yes but I'm not exactly sure. On a related note, if a block cipher is a secure sPRP, is its inverse a secure sPRP? I'm using the terminology "PRP = secure…
orlp
17
votes
2 answers

How to check whether the permutation is random or not

Imagine that my friend gives me the permutation $\pi$. He pretends that the permutation was generated completely random. I'm suspicious and worried, because the permutation (for instance) looks like: $\pi(x) = ax + b \pmod n$ for some $a$, $b$. My…
Kirill Tsar.
15
votes
3 answers

Expected entropy in $P(x)\oplus x$ for random $x$, where $P$ is a random permutation

Let $P$ be a random permutation of $n>1$ bits. Let $F$ be the function on the same domain $\{0,1\}^n$, defined by $F(x)=P(x)\oplus x$. When $P$ is a block cipher with key a message block, that's the Davies-Meyer construction of a one-way compression…
fgrieu
13
votes
1 answer

Formally, what is AES?

AES is supposed to be a symmetric key block cipher. The theoretical counterpart to this is a pseudorandom permutation. I'd like to say that AES is a PRP (well, supposedly at least), but that doesn't seem correct; while there are larger variants of…
extremeaxe5
13
votes
2 answers

Example of a PRP that is not a strong PRP

The exact definition of security for a pseudorandom permutation is straightforward - for some encryption scheme $E\,\colon\,\mathcal{K}\times\mathcal{D}\rightarrow\mathcal{D}$, it must be the case that no efficient adversary can distinguish…
pg1989
13
votes
1 answer

Luby-Rackoff theorem confusion

The Luby-Rackoff theorem states that if a round function is a secure pseudorandom function (PRF) then 3 rounds are sufficient to make the block cipher a pseudorandom permutation (PRP). PRPs are invertible whereas PRFs are not. How come 3 rounds of a…
12
votes
1 answer

CPA-security of a pseudorandom permutation encryption scheme

Let $F$ be a pseudorandom permutation, and define a fixed-length encryption scheme $(Gen, Enc, Dec)$ as follows: on input $m \in$ $\{0,1\}^{n/2}$ and key $k \in \{0,1\}^n$, algorithm $Enc$ chooses a random string $r \leftarrow \{0,1\}^{n/2}$…
11
votes
1 answer

Non-iterative cryptographic hash functions

Consider the following cryptographic hash function $H$ which maps a message $m$ of variable size to $b$ bits: $$H:\{0,1\}^{*} \mapsto \{0,1\}^b$$ $$y = H(m) = SPRP(IV||m||padding)\mid_{b},$$ where: $$SPRP:\{0,1\}^n \mapsto…
11
votes
3 answers

What is the most computationally efficient way of generating pseudo-random permutations?

I have an application in which I need to create up to J randomly shuffled copies of an array of length N. Then I will have millions or even billions of iterations such that, in each iteration, I will have to fetch the value of K << N entries of the…
9
votes
3 answers

Any advantage to a block cipher which is not efficiently invertible?

The classic definition of a PRP includes efficient invertibility. Given that many modern cipher modes (CTR-based e.g. GCM) use only the forward direction of the block cipher, it seems that the efficient invertibility part of the definition is not…
eddydee123
9
votes
1 answer

Sponge with PRF instead of PRP

In most uses of Sponge modes of operation such as SHA3 and many of the round-2 candidates in the NIST lightweight cryptography project, the underlying primitive is a cryptographic permutation - that is, it's bijective. For reasons of curiosity, I…
8
votes
4 answers

Why are $\lceil 1/\operatorname{entropy-per-bit} \rceil$ number of bits not sufficient to generate an unbiased bit?

Consider a biased RNG badrand() generating 1 with probability $0.9$ and 0 with probability $0.1$. This excellent answer explains that we need 849 bits of badrand() to generate 1 bit of betterrand() with less bias than the NIST recommended…
7
votes
2 answers

How random are permutations generated from Feistel networks with a small number of rounds?

I wrote a toy pseudo-random permutation out of a Feistel network using blake2b. However, looking at the distribution of permutations for small n = 6, it's clearly not uniform unless many rounds are performed. I was under the impression that 3 or 4…
7
votes
1 answer

State of the art low memory arbitrary-domain PRP?

I am wondering what the state of the art is on low memory arbitrary-domain PRPs. That is, I'm looking for an algorithm that implements bijective function $PRP : \mathbb{Z}_n \times \{0, 1\}^b \rightarrow \mathbb{Z}_n$, where $b$ is an acceptable…
orlp
7
votes
1 answer

Are pseudorandom permutations really permutations in the mathematical sense?

In security, and specifically block ciphers (AES, DES, etc.), when we talk about pseudo random permutations, does the term "permutation" refer to the same meaning as in discrete mathematics, that is, the random shuffling of elements? So let's say the input…