Abstract

This article takes a new step towards closing the gap between pseudorandom functions (PRF) and their popular, bounded-input-length counterparts. This gap is both quantitative, because these counterparts are more efficient than PRF in various ways, and methodological, because these counterparts usually fit in the substitution-permutation network paradigm (SPN), which has not been used to construct PRF. We give several candidate PRF $F_i$ that are inspired by the SPN paradigm. Most of our candidates are more efficient than previous ones. Our main candidates are as follows.

— $F_1 : \{0,1\}^n \to \{0,1\}^n$ is an SPN whose S-box is a random function on $b$ bits given as part of the seed. We prove that $F_1$ resists attacks that run in time $\le 2^{\epsilon b}$.

— $F_2 : \{0,1\}^n \to \{0,1\}^n$ is an SPN where the S-box is (patched) field inversion, a common choice in practical constructions. We show that $F_2$ is computable with boolean circuits of size $n \cdot \log^{O(1)} n$ and that it has exponential security $2^{\Omega(n)}$ against linear and differential cryptanalysis.

— $F_3 : \{0,1\}^n \to \{0,1\}$ is a nonstandard variant on the SPN paradigm, where "states" grow in length. We show that $F_3$ is computable with $\mathrm{TC}^0$ circuits of size $n^{1+\epsilon}$, for any $\epsilon > 0$, and that it is almost 3-wise independent.

— $F_4 : \{0,1\}^n \to \{0,1\}$ uses an extreme setting of the SPN parameters (one round, one S-box, no diffusion matrix). The S-box is again (patched) field inversion. We show that $F_4$ is computable by circuits of size $n \cdot \log^{O(1)} n$ and that it fools all parity tests on $\le 2^{0.9 n}$ outputs.

Assuming the security of our candidates, our work narrows the gap between the Natural Proofs barrier and existing lower bounds in three models: circuits, $\mathrm{TC}^0$ circuits, and Turing machines.
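As an added illustration (not code from the paper), the following Python builds the two S-box choices the abstract names, a seeded random function on $b$ bits as in $F_1$ and patched field inversion as in $F_2$ and $F_4$, and measures each one's differential uniformity, the quantity in which differential-cryptanalysis bounds such as the one claimed for $F_2$ are stated. Assumptions: $b = 8$ and the AES field polynomial; the paper's own parameters are not given on this page.

```python
"""Added example: the two S-box choices named in the abstract, a seeded random
function (F_1) and patched field inversion (F_2, F_4), over GF(2^b), together
with the differential-uniformity statistic. b = 8 and MOD are assumptions."""
import random

B = 8
MOD = 0x11B  # x^8 + x^4 + x^3 + x + 1 (the AES field polynomial; an assumption)

def gf_mul(a: int, b: int) -> int:
    """Carry-less multiplication of two B-bit field elements modulo MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> B:  # degree reached B: reduce by the modulus
            a ^= MOD
    return r

def patched_inv(x: int) -> int:
    """Field inversion patched with 0 -> 0: x^(2^B - 2), which sends 0 to 0."""
    r, e = 1, (1 << B) - 2
    while e:
        if e & 1:
            r = gf_mul(r, x)
        x = gf_mul(x, x)
        e >>= 1
    return r

def random_sbox(seed: int) -> list:
    """F_1-style S-box: a random function on B bits, fixed by the seed."""
    rng = random.Random(seed)
    return [rng.randrange(1 << B) for _ in range(1 << B)]

INV_SBOX = [patched_inv(x) for x in range(1 << B)]  # F_2-style S-box table

def differential_uniformity(sbox) -> int:
    """Largest number of inputs x with sbox[x ^ a] ^ sbox[x] == c, over all
    nonzero input differences a and output differences c. Lower is better."""
    best = 0
    for a in range(1, 1 << B):
        counts = [0] * (1 << B)
        for x in range(1 << B):
            counts[sbox[x ^ a] ^ sbox[x]] += 1
        best = max(best, max(counts))
    return best

if __name__ == "__main__":
    print(differential_uniformity(INV_SBOX), differential_uniformity(random_sbox(1)))
```

Inversion comes out 4-uniform on 8 bits, a well-known value that does not depend on the chosen irreducible polynomial; a random function on 8 bits typically scores noticeably higher.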
