
The Luby-Rackoff Theorem

Douglas Wikström, dog@csc.kth.se


DD2448 Foundations of Cryptography
February 4, 2010
Abstract
We give an asymptotic version of Luby-Rackoff, stripped of all concrete parameters. The idea is to illustrate the technique of hybrid arguments by applying it repeatedly in each step of the proof.
The Luby-Rackoff Theorem
Definition 1 (Negligible Function). A function $\epsilon(n)$ is negligible if for every constant $c > 0$ there exists a constant $n_0$ such that $\epsilon(n) < \frac{1}{n^c}$ for all $n \geq n_0$.
Definition 2 (Pseudo-Random Function). A family of functions $F : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ is pseudo-random if for all polynomial time oracle adversaries $A$
$$\left| \Pr_{K}\left[ A^{F_K(\cdot)} = 1 \right] - \Pr_{R : \{0,1\}^n \to \{0,1\}^n}\left[ A^{R(\cdot)} = 1 \right] \right|$$
is negligible.
Definition 3 (Pseudo-Random Permutation). A family of permutations $P : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ is pseudo-random if for all polynomial time oracle adversaries $A$
$$\left| \Pr_{K}\left[ A^{P_K(\cdot),\, P_K^{-1}(\cdot)} = 1 \right] - \Pr_{\pi \in S_{2^n}}\left[ A^{\pi(\cdot),\, \pi^{-1}(\cdot)} = 1 \right] \right|$$
is negligible, where $S_{2^n}$ is the set of permutations of $\{0,1\}^n$.
Definition 4 (Feistel Round). A Feistel round using a function $f : \{0,1\}^n \to \{0,1\}^n$ is given by $H_f : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n \times \{0,1\}^n$ where
$$H_f(l, r) = (r,\; l \oplus f(r)) .$$
Theorem 5 (Luby and Rackoff). If $F : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ is a pseudo-random family of functions, then
$$H : \{0,1\}^{4k} \times \{0,1\}^{2n} \to \{0,1\}^{2n}, \qquad H : \big( (k_1, k_2, k_3, k_4),\, x \big) \mapsto H_{F_{k_4}}\big( H_{F_{k_3}}( H_{F_{k_2}}( H_{F_{k_1}}(x) ) ) \big)$$
is a pseudo-random family of permutations.
Proof of Theorem 5
Notation
$F_i$ denotes $F_{K_i}$ for a random choice of $K_i$.
$R_i$ denotes a randomly chosen function $\{0,1\}^n \to \{0,1\}^n$.
$R$ and $R'$ denote randomly chosen functions $\{0,1\}^{2n} \to \{0,1\}^{2n}$.
$\pi$ denotes a randomly chosen permutation of $\{0,1\}^{2n}$.
Given an adversary $A$, we also define:
$$p^A_{F} = \Pr_{F}\left[ A^{F(\cdot)} = 1 \right]$$
$$p^A_{F_1F_2F_3F_4} = \Pr_{F_1,F_2,F_3,F_4}\left[ A^{H_{F_1,F_2,F_3,F_4}(\cdot),\, H^{-1}_{F_1,F_2,F_3,F_4}(\cdot)} = 1 \right]$$
$$p^A_{H,H'} = \Pr_{H,H'}\left[ A^{H(\cdot),\, H'(\cdot)} = 1 \right]$$
Overview of Proof
Our goal is to prove that
$$\left| p^A_{F_1F_2F_3F_4} - p^A_{\pi,\pi^{-1}} \right|$$
is negligible. We proceed by a hybrid argument. We expand the absolute value and apply the triangle inequality and the lemmas below:
$$\left| p^A_{F_1F_2F_3F_4} - p^A_{\pi,\pi^{-1}} \right| = \left| p^A_{F_1F_2F_3F_4} - p^A_{R_1R_2R_3R_4} + p^A_{R_1R_2R_3R_4} - p^A_{R,R'} + p^A_{R,R'} - p^A_{\pi,\pi^{-1}} \right|$$
$$\leq \underbrace{\left| p^A_{F_1F_2F_3F_4} - p^A_{R_1R_2R_3R_4} \right|}_{\epsilon_1 \text{ by Lemma 6}} + \underbrace{\left| p^A_{R_1R_2R_3R_4} - p^A_{R,R'} \right|}_{\epsilon_2 \text{ by Lemma 8}} + \underbrace{\left| p^A_{R,R'} - p^A_{\pi,\pi^{-1}} \right|}_{\epsilon_3 \text{ by Lemma 7}} \leq \epsilon_1 + \epsilon_2 + \epsilon_3 ,$$
which is then negligible. Throughout we assume without loss that:
1. Remember Previous Queries. The adversary $A$ never asks the same query twice, since it can store all previous queries in a table at a polynomial cost.
2. No Trick-Queries. The adversary $A$ with oracles $O_1$ and $O_2$ never asks for both $y = O_1(x)$ and $O_2(y)$, or for both $x = O_2(y)$ and $O_1(x)$, since the relations $O_2(O_1(x)) = x$ and $O_1(O_2(y)) = y$ are guaranteed to hold for both $(O_1, O_2) = (H_{F_1,F_2,F_3,F_4}, H^{-1}_{F_1,F_2,F_3,F_4})$ and $(O_1, O_2) = (\pi, \pi^{-1})$.
Technical Lemmas
Pseudo-Random Functions Look Like Random Functions, Even Within the Feistel Network
Lemma 6. For each polynomial time oracle adversary $A$
$$\left| p^A_{F_1F_2F_3F_4} - p^A_{R_1R_2R_3R_4} \right| < \epsilon_1$$
for some negligible function $\epsilon_1$.
Proof. This follows from the triangle inequality and the pseudo-randomness of $F$. To see this, first note that
$$\left| p^A_{F_1F_2F_3F_4} - p^A_{R_1R_2R_3R_4} \right| = \left| p^A_{F_1F_2F_3F_4} - p^A_{F_1F_2F_3R_4} + p^A_{F_1F_2F_3R_4} - \cdots - p^A_{F_1R_2R_3R_4} + p^A_{F_1R_2R_3R_4} - p^A_{R_1R_2R_3R_4} \right|$$
$$\leq \left| p^A_{F_1F_2F_3F_4} - p^A_{F_1F_2F_3R_4} \right| + \cdots + \left| p^A_{F_1R_2R_3R_4} - p^A_{R_1R_2R_3R_4} \right| .$$
If the lemma is false, then at least one of the absolute values in the sum is not negligible, say the first (the other cases follow similarly). This means that there exists a constant $c > 0$ and an infinite set $N$ such that
$$\left| p^A_{F_1F_2F_3F_4} - p^A_{F_1F_2F_3R_4} \right| \geq \frac{1}{n^c}$$
for $n \in N$. We could then construct an adversary $A'$ expecting a single oracle $T(\cdot)$ that executes $A$ and simulates $F_1$, $F_2$, and $F_3$ to $A$. Any query to $F_4$ (or $R_4$) is forwarded to $T(\cdot)$ and the result handed back to $A$. It follows that
$$\left| p^{A'}_{F_4} - p^{A'}_{R_4} \right| = \left| p^A_{F_1F_2F_3F_4} - p^A_{F_1F_2F_3R_4} \right| \geq \frac{1}{n^c} ,$$
which contradicts the pseudo-randomness of $F$. Thus, the lemma must be true.
Without Trick Queries Random Permutations Look Like Random Functions
Lemma 7. For each polynomial time oracle adversary $A$
$$\left| p^A_{R,R'} - p^A_{\pi,\pi^{-1}} \right| < \epsilon_3$$
for some negligible function $\epsilon_3$.
Proof. For our class of adversaries that remember previous queries and do not ask trick questions, the only way to distinguish the oracle pair $(R, R')$ from $(\pi, \pi^{-1})$ is if two queries to $R$ or $R'$, respectively, give the same reply. This happens with some negligible probability $\epsilon_3$, since $A$ only asks a polynomial number of queries.
Without Trick Queries a Feistel Network Based on Random Functions Looks Like Random Functions
Lemma 8. For each polynomial time oracle adversary $A$
$$\left| p^A_{R_1R_2R_3R_4} - p^A_{R,R'} \right| < \epsilon_2$$
for some negligible function $\epsilon_2$.
Proof. Let $(O^i_1, O^i_2)$ be a hybrid oracle pair that equals $(H_{R_1,R_2,R_3,R_4}, H^{-1}_{R_1,R_2,R_3,R_4})$ for the first $i$ queries and then equals $(R, R')$ for the remaining $q - i$ queries, where $q$ is the total number of queries. Note that $q$ is polynomial, since $A$ is polynomial. We clearly have $p^A_{O^0_1,O^0_2} = p^A_{R_1R_2R_3R_4}$ and $p^A_{O^q_1,O^q_2} = p^A_{R,R'}$. Using the triangle inequality we get
$$\left| p^A_{R_1R_2R_3R_4} - p^A_{R,R'} \right| \leq \sum_{i=1}^{q} \left| p^A_{O^i_1,O^i_2} - p^A_{O^{i-1}_1,O^{i-1}_2} \right| \leq q \max_{i} \left\{ \left| p^A_{O^i_1,O^i_2} - p^A_{O^{i-1}_1,O^{i-1}_2} \right| \right\} .$$
Let $(l^j_k, r^j_k)$ denote the $j$th intermediate left-right value pair of the $k$th execution of the Feistel network behind $(O^i_1, O^i_2)$ for $1 \leq k \leq i$ and $j = 0, \ldots, 4$. Thus, the $k$th query-reply pair may be written
$$\big( (l^0_k, r^0_k),\; (l^4_k, r^4_k) \big) .$$
Let $E_{good}$ denote the event that $r^1_k \neq r^1_{k'}$ and $l^3_k \neq l^3_{k'}$ for every $k \neq k'$. It follows that $\Pr[\overline{E_{good}}]$ is negligible, since (1) for every fixed $(l^0_k, r^0_k) \neq (l^0_{k'}, r^0_{k'})$
$$\Pr\left[ r^1_k = r^1_{k'} \right] = \Pr\left[ R_1(r^0_k) \oplus l^0_k = R_1(r^0_{k'}) \oplus l^0_{k'} \right]$$
is negligible and there are at most $q^2$ pairs to consider, and (2) the argument is similar for the case of $l^3_k = l^3_{k'}$. We conclude that
$$\left| p^A_{O^i_1,O^i_2} - p^A_{O^{i-1}_1,O^{i-1}_2} \right|$$
only changes by a negligible quantity if we condition on $E_{good}$.
We now consider the case where the $i$th query $x = (l^0_i, r^0_i)$ is to the first oracle of $A$, and investigate the distribution of the reply $y$ conditioned on the event $E_{good}$ when the first oracle is $O^{i-1}_1$ and $O^i_1$ respectively. The case where the $i$th query is to the second oracle is similar.
If the first oracle of $A$ is $O^{i-1}_1$, then clearly $y$ is uniformly distributed in $\{0,1\}^{2n}$. If on the other hand the first oracle of $A$ is $O^i_1$, then we note that
$$l^3_i = r^2_i = l^1_i \oplus R_2(r^1_i) \quad \text{and} \quad r^3_i = l^2_i \oplus R_3(r^2_i) = r^1_i \oplus R_3(l^3_i) . \qquad (1)$$
Thus, when $r^1_i$ is distinct from all $r^1_k$ and $l^3_i$ is distinct from all $l^3_k$ for each $k < i$, then $R_2(r^1_i)$ and $R_3(l^3_i)$ are uniformly and independently distributed in $\{0,1\}^n$, which makes $(l^3_i, r^3_i)$ uniformly and independently distributed in $\{0,1\}^{2n}$ by (1). We conclude that the reply $y$ is also uniformly and independently distributed in $\{0,1\}^{2n}$.
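The Feistel network of Definition 4 and Theorem 5, with its inverse oracle and a check of equation (1) from the proof of Lemma 8, as an added Python example that is not part of the original notes. It assumes an illustrative instantiation: a keyed SHA-256 truncated to $n = 64$ bits stands in for the pseudo-random family $F_K$, and the random functions $R_i$ of the proof are sampled lazily; both choices are constructed for the demonstration only.

```python
import hashlib
import os

N_BYTES = 8  # constructed parameter: n = 64 bits per half of the 2n-bit block

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def prf(key):
    """Assumed stand-in for F_K: SHA-256(K || r) truncated to n bits."""
    return lambda r: hashlib.sha256(key + r).digest()[:N_BYTES]

def random_function():
    """R_i of the proof: a random function {0,1}^n -> {0,1}^n, lazily sampled."""
    table = {}
    def f(r):
        if r not in table:
            table[r] = os.urandom(N_BYTES)
        return table[r]
    return f

def feistel_round(f, l, r):
    """Definition 4: H_f(l, r) = (r, l XOR f(r))."""
    return r, xor(l, f(r))

def feistel_trace(fs, x):
    """All intermediate pairs (l^j, r^j), j = 0..4, of the network run on x."""
    trace = [(x[:N_BYTES], x[N_BYTES:])]
    for f in fs:
        trace.append(feistel_round(f, *trace[-1]))
    return trace

def H(fs, x):
    """Theorem 5's permutation H_{f4}(H_{f3}(H_{f2}(H_{f1}(x)))) on a 2n-bit x."""
    l, r = feistel_trace(fs, x)[-1]
    return l + r

def H_inv(fs, y):
    """Inverse oracle H^{-1}: undo the rounds in reverse; f need not be invertible."""
    l, r = y[:N_BYTES], y[N_BYTES:]
    for f in reversed(fs):
        r, l = feistel_round(f, r, l)  # the same round applied to the swapped halves
    return l + r

def equation_1_holds(fs, x):
    """Check (1) of Lemma 8's proof: l^3 = l^1 XOR R_2(r^1) and r^3 = r^1 XOR R_3(l^3)."""
    t = feistel_trace(fs, x)
    (l1, r1), (l3, r3) = t[1], t[3]
    return l3 == xor(l1, fs[1](r1)) and r3 == xor(r1, fs[2](l3))
```

Both the keyed and the lazily sampled round functions give a network with `H_inv(fs, H(fs, x)) == x`, which is why the oracle pair $(H, H^{-1})$ of Definition 3 exists even though the round functions themselves are not invertible.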
