Benes and Butterfly schemes revisited


In [1], W. Aiello and R. Venkatesan have shown how to construct pseudo-random functions of 2n bits → 2n bits from pseudo-random functions of n bits → n bits. They claimed that their construction, called "Benes", reaches the optimal bound (m ≪ 2) of security against adversaries with unlimited computing power but limited to m queries in an adaptive chosen plaintext attack (CPA-2). However, a complete proof of this result is not given in [1], since one of the assertions of [1] is wrong. Due to this, the proof given in [1] is valid for most attacks, but not for all possible chosen plaintext attacks. In this paper we will, in a way, fix this problem: for all ε > 0, we will prove CPA-2 security when m ≪ 2^{n(1−ε)}. However, we will also see that the probability of distinguishing Benes functions from random functions is sometimes larger than the term in m^2/2^{2n} given in [1]. One of the key ideas in our proof will be to notice that, when m ≫ 2 and m ≪ 2, for a large number of variables linked by some critical equalities, the average number of solutions may be large (i.e. ≫ 1) while, at the same time, the probability of having at least one such critical equality is negligible (i.e. ≪ 1).

DOI: 10.1007/11734727_10


Cite this paper

@article{Patarin2005BenesAB, title={Benes and Butterfly schemes revisited}, author={Jacques Patarin and Audrey Montreuil}, journal={IACR Cryptology ePrint Archive}, year={2005}, volume={2005}, pages={4} }