## Pseudorandomness Analysis of the Lai-Massey Scheme

### BibTeX

```bibtex
@MISC{Luo_pseudorandomnessanalysis,
  author = {Yiyuan Luo and Xuejia Lai and Zheng Gong and Zhongming Wu},
  title = {Pseudorandomness Analysis of the Lai-Massey Scheme},
  year = {}
}
```

### Abstract

At Asiacrypt'99, Vaudenay generalized the structure of the IDEA cipher into a new scheme, which he called the Lai-Massey scheme. He proved that the 3-round Lai-Massey scheme is sufficient for pseudorandomness and that the 4-round Lai-Massey scheme is sufficient for strong pseudorandomness, but did not say whether three rounds and four rounds are also necessary. In this paper we give a two-round pseudorandomness distinguisher and a three-round strong pseudorandomness distinguisher, which proves that three rounds are necessary for pseudorandomness and four rounds are necessary for strong pseudorandomness of the Lai-Massey scheme.
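A two-round pseudorandomness distinguisher of the kind the abstract refers to, worked out here as an added example; the code and the particular distinguishing relation are derived for this page and are not the paper's own attack. It assumes the XOR form of the Lai-Massey scheme (each round computes t = F_i(L ⊕ R), XORs t into both halves, then applies Vaudenay's orthomorphism σ(x1 ‖ x2) = (x1 ⊕ x2 ‖ x1) to the left half in every round) and idealizes each F_i as a uniformly random function, which is the pseudorandomness model. Two chosen plaintexts with the same L ⊕ R get the same F_1 output, and since σ is XOR-linear the unknown F_2 outputs cancel in L2 ⊕ L2′ ⊕ σ(R2 ⊕ R2′) = σ(σ(Δ) ⊕ Δ); a random permutation satisfies that with probability 2^-n. If σ is dropped from the last round, the same queries satisfy L2 ⊕ L2′ ⊕ R2 ⊕ R2′ = σ(Δ) ⊕ Δ instead.

```python
import random

N = 16            # bits per half; the block is 2N bits and each half splits into two N/2-bit quarters
HALF = N // 2
QMASK = (1 << HALF) - 1


def sigma(x):
    """Vaudenay's XOR-linear orthomorphism on an N-bit half: (x1 || x2) -> (x1 ^ x2 || x1).
    Assumption: this is the sigma in use; any XOR-linear orthomorphism gives the same attack."""
    x1, x2 = x >> HALF, x & QMASK
    return ((x1 ^ x2) << HALF) | x1


class RandomFunction:
    """Lazily sampled uniform random function {0,1}^N -> {0,1}^N, idealizing one round function F_i."""

    def __init__(self, rng):
        self.rng, self.table = rng, {}

    def __call__(self, x):
        if x not in self.table:
            self.table[x] = self.rng.getrandbits(N)
        return self.table[x]


def lai_massey(rounds, l, r):
    """XOR Lai-Massey scheme: t = F_i(L ^ R) is XORed into both halves, then sigma is applied to the left."""
    for f in rounds:
        t = f(l ^ r)
        l, r = sigma(l ^ t), r ^ t
    return l, r


def two_round_distinguisher(oracle, rng):
    """Two chosen plaintexts with equal L ^ R (so equal first-round output).
    For 2-round Lai-Massey the F2 outputs cancel because sigma is linear:
        L2 ^ L2' ^ sigma(R2 ^ R2') == sigma(sigma(delta) ^ delta).
    A random permutation satisfies this with probability 2^-N."""
    l, r = rng.getrandbits(N), rng.getrandbits(N)
    delta = rng.getrandbits(N) or 1            # any non-zero difference
    l2, r2 = oracle(l, r)
    l2p, r2p = oracle(l ^ delta, r ^ delta)
    return (l2 ^ l2p ^ sigma(r2 ^ r2p)) == sigma(sigma(delta) ^ delta)


def run_trials(num_rounds, trials, seed=1):
    """Run the distinguisher against `trials` fresh num_rounds-round instances; return how often it fires."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        rounds = [RandomFunction(rng) for _ in range(num_rounds)]
        hits += two_round_distinguisher(lambda a, b, rs=rounds: lai_massey(rs, a, b), rng)
    return hits


def sigma_is_orthomorphism():
    """Check the orthomorphism property: both sigma and x -> sigma(x) ^ x are permutations of {0,1}^N."""
    dom = range(1 << N)
    return len({sigma(x) for x in dom}) == 1 << N and len({sigma(x) ^ x for x in dom}) == 1 << N


if __name__ == "__main__":
    print("2 rounds:", run_trials(2, 20), "/ 20 trials flagged")   # the relation always holds
    print("3 rounds:", run_trials(3, 20), "/ 20 trials flagged")   # this check no longer applies
```

Three rounds surviving this particular check is not a proof of pseudorandomness; it only shows that the two-query relation the second round leaks is destroyed by a third random function, consistent with Vaudenay's three-round bound.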

### Citations

284 | How to construct pseudorandom permutations from pseudorandom functions - Luby, Rackoff - 1988
Citation Context: ...ds are necessary for pseudorandomness and four rounds are necessary for strong pseudorandomness. 1 Introduction. The notion of a pseudorandom permutation was formally introduced by Luby and Rackoff [6]; it refers to keyed permutations that cannot be distinguished from a uniformly random permutation by any polynomial-time adversary. Pseudorandom permutations are often used to describe the idealized abstract...

273 | Foundations of Cryptography: Basic Tools - Goldreich - 2001
Citation Context: ...el network, where $F_i$, $1 \le i \le r$, are independent uniformly distributed random functions from $\{0,1\}^n$ to $\{0,1\}^n$. The 3-round Feistel network LR3 is described in Fig. 1. The following result is proved [2]: [Fig. 1. The 3-round Feistel Structure LR3 and 3-round Lai-Massey Sche...]

146 | A proposal for a new block encryption standard - Lai, Massey - 1990
Citation Context: ...es [7, 9–13]. At Asiacrypt'99, Vaudenay [14] provided another method to construct (strong) pseudorandom permutations. Since this new method uses a structure similar to that of the block cipher IDEA [4, 5], it is called the Lai-Massey scheme. Moreover, a new family of block ciphers named FOX (also known as IDEA-NXT) [3] was built on the Lai-Massey scheme. It is proved that 3-round La...

125 | On the Design and Security of Block Ciphers - Lai - 1992
Citation Context: ...tly modeling the underlying block cipher as a pseudorandom permutation to enable the formal analysis of a block-cipher-based construction. The construction could be an encryption scheme (e.g., DES, IDEA [4], FOX [3]), a message authentication code (e.g., CBC-MAC), and so on. The security of pseudorandom permutations can be classified as pseudorandomness and strong pseudorandomness. The pseudorandom permut...

93 | On the construction of pseudorandom permutations: Luby-Rackoff revisited - Naor, Reingold - 1999

71 | Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology - Maurer, Renner, et al. - 2004
Citation Context: ...input/output of the internal primitives. Since the indifferentiability model was introduced recently and is used to expose hidden flaws in hash constructions [1, 8], an interesting future work is to find the exact number of rounds for which the Lai-Massey scheme is secure in the indifferentiability model, where the distinguisher can make oracle queries to all the i...

31 | A simplified and generalized treatment of Luby-Rackoff pseudorandom permutation generators - Maurer
Citation Context: ... $\oplus A_4 \oplus f_1 \oplus \delta_1) = g'_1 \| g'_2$ and $F_3(A_1 \oplus A_2 \oplus A_3 \oplus f_2 \oplus g'_1 \oplus g'_2 \oplus \delta_2,\; A_1 \oplus A_4 \oplus f_1 \oplus f_2 \oplus g'_1 \oplus \delta_1 \oplus \delta_2) = h'_1 \| h'_2$. Thus we have

$$f_2 \oplus g'_1 \oplus g'_2 = D'_1 \oplus D'_3 \oplus A_1 \oplus A_2 \oplus A_3 \oplus \delta_2 \quad (7)$$

$$f_1 \oplus f_2 \oplus g'_1 = D'_2 \oplus D'_4 \oplus A_1 \oplus A_4 \oplus \delta_1 \oplus \delta_2 \quad (8)$$

The decryption of $(d_1, d_2, d_3, d_4) = (D'_1 \oplus \delta_2,\; D'_2 \oplus \delta_1 \oplus \delta_2,\; D'_3 \oplus \delta_2,\; D'_4 \oplus \delta_1 \oplus \delta_2)$ is $(a_1, a_2, a_3, a_4)$; following the decryption procedure, th...

27 | Provable security for block ciphers by decorrelation - Vaudenay - 1998

21 | On the Lai-Massey scheme - Vaudenay
Citation Context: ...ation from a pseudorandom function. Later many works focused on alternative structures that also have the pseudorandomness and strong pseudorandomness properties [7, 9–13]. At Asiacrypt'99, Vaudenay [14] provided another method to construct (strong) pseudorandom permutations. Since this new method uses a structure similar to that of the block cipher IDEA [4, 5], it is called the Lai-Massey sche...

17 | FOX: a new family of block ciphers - Junod, Vaudenay - 2004
Citation Context: ...ling the underlying block cipher as a pseudorandom permutation to enable the formal analysis of a block-cipher-based construction. The construction could be an encryption scheme (e.g., DES, IDEA [4], FOX [3]), a message authentication code (e.g., CBC-MAC), and so on. The security of pseudorandom permutations can be classified as pseudorandomness and strong pseudorandomness. The pseudorandom permutations c...

14 | The Random Oracle Model and the Ideal Cipher Model are Equivalent - Coron, Patarin, et al. - 2008
Citation Context: ...input/output of the internal primitives. Since the indifferentiability model was introduced recently and is used to expose hidden flaws in hash constructions [1, 8], an interesting future work is to find the exact number of rounds for which the Lai-Massey scheme is secure in the indifferentiability model, where the distinguisher can make oracle queries to all the i...

11 | On the Pseudorandomness of Top-Level Schemes of Block Ciphers - Moriai, Vaudenay - 2000
Citation Context: ...fficient to achieve pseudorandomness and strong pseudorandomness. Later many people realized that the 3-round Feistel network is not strongly pseudorandom; this question is even left as an exercise in [2]. In [9], Moriai and Vaudenay find a 3-round distinguisher which needs 2 encryption queries and 2 decryption queries. In fact, there exists a distinguisher that needs only 2 encryption queries and 1 decryption queri...
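The 2-encryption-plus-1-decryption distinguisher for the 3-round Feistel network that this context mentions, worked out here as an added example (derived for this page; not code from the paper or from [9]). With the round functions idealized as uniform random functions, two encryptions (L1, R) and (L2, R) that share the right half also share F1(R); writing X = L ⊕ F1(R), S = R ⊕ F2(X) and T = X ⊕ F3(S) for the 3-round output, decrypting (S2, T2 ⊕ L1 ⊕ L2) recovers X1 in the middle, so the returned plaintext's right half is forced to S1 ⊕ S2 ⊕ R. A random permutation meets that with probability 2^-n, and a fourth round (Luby-Rackoff's strong pseudorandomness bound) defeats this specific check.

```python
import random

N = 16        # half-block width in bits; small so a 2^-N false positive stays visible in the numbers


class RandomFunction:
    """Lazily sampled uniform random function {0,1}^N -> {0,1}^N, idealizing one round function F_i."""

    def __init__(self, rng):
        self.rng, self.table = rng, {}

    def __call__(self, x):
        if x not in self.table:
            self.table[x] = self.rng.getrandbits(N)
        return self.table[x]


def feistel_encrypt(rounds, l, r):
    """Balanced Feistel network: each round maps (L, R) -> (R, L ^ F_i(R)); the final swap is kept."""
    for f in rounds:
        l, r = r, l ^ f(r)
    return l, r


def feistel_decrypt(rounds, l, r):
    """Inverse of feistel_encrypt: apply the rounds in reverse order, undoing one swap each."""
    for f in reversed(rounds):
        l, r = r ^ f(l), l
    return l, r


def three_round_distinguisher(enc, dec, rng):
    """Two encryption queries sharing R, then one decryption query.
    For 3 rounds: X = L ^ F1(R), S = R ^ F2(X), T = X ^ F3(S).
    dec(S2, T2 ^ L1 ^ L2) has middle value X2 ^ L1 ^ L2 = X1, so its right half
    must be S2 ^ F2(X1) = S1 ^ S2 ^ R.  A random permutation hits this with prob 2^-N."""
    r = rng.getrandbits(N)
    l1 = rng.getrandbits(N)
    l2 = l1 ^ (rng.getrandbits(N) or 1)       # any L2 != L1
    s1, t1 = enc(l1, r)
    s2, t2 = enc(l2, r)
    _, r3 = dec(s2, t2 ^ l1 ^ l2)
    return r3 == s1 ^ s2 ^ r


def run_trials(num_rounds, trials, seed=1):
    """Run the distinguisher against `trials` fresh num_rounds-round instances; return how often it fires."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        rounds = [RandomFunction(rng) for _ in range(num_rounds)]
        enc = lambda a, b, rs=rounds: feistel_encrypt(rs, a, b)
        dec = lambda a, b, rs=rounds: feistel_decrypt(rs, a, b)
        hits += three_round_distinguisher(enc, dec, rng)
    return hits


def inverse_ok(seed=5, num_rounds=3):
    """Sanity check that feistel_decrypt really inverts feistel_encrypt."""
    rng = random.Random(seed)
    rounds = [RandomFunction(rng) for _ in range(num_rounds)]
    l, r = rng.getrandbits(N), rng.getrandbits(N)
    return feistel_decrypt(rounds, *feistel_encrypt(rounds, l, r)) == (l, r)


if __name__ == "__main__":
    print("3 rounds:", run_trials(3, 20), "/ 20 trials flagged")   # always fires
    print("4 rounds:", run_trials(4, 20), "/ 20 trials flagged")   # fires only by chance
```

The decryption query is what makes this a strong-pseudorandomness attack: with encryption queries alone, three Feistel rounds are pseudorandom, which is exactly the gap between the pseudorandomness and strong pseudorandomness bounds the paper studies for the Lai-Massey scheme.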

11 | How to construct pseudorandom and super pseudorandom permutations from one single pseudorandom function - Patarin - 1993
Citation Context: ...ted the 2-round pseudorandomness distinguisher, but they did not give the 3-round strong pseudorandomness distinguisher. Later Patarin gave a distinguisher for the strong pseudorandomness of 3 rounds [11] which involves four oracle queries. Patarin's distinguisher is described as follows. Patarin's distinguisher with four oracle queries: Distinguisher D can access oracles $(O, O^{-1})$, where $(O, O^{-1}$...

1 | On necessary and sufficient conditions for the construction of super pseudorandom permutations - Sadeghiyan, Pieprzyk - 1991

1 | Integral Cryptanalysis of Reduced FOX - Wu, Zhang, Feng - 2006