Abstract
Card shuffle algorithms have been studied from a cryptographic point of view with applications to format preserving encryption. In this work, we naturally extend the swap-or-not shuffle, proposed by Hoang, Morris and Rogaway at Crypto 2012, by replacing a perfect matching used in each round by a keyed partition with a certain uniform property. The resulting construction, dubbed the partition-and-mix (or simply \(\textsf{PM}\)) shuffle, is proved to be secure up to \((1-\delta )N\) queries for any \(\delta >0\) and the domain size N, while the number of rounds is significantly reduced compared to the swap-or-not. We give concrete examples of the keyed partitions that provide security as well as allow efficient implementation in practice. Such uniform keyed partitions seem of independent interest. The partition-and-mix shuffle might also be viewed as an alternative block cipher structure that extends the domain of a small block cipher operating on each block of the partition.
1 Introduction
Format preserving encryption Suppose that we have a database that stores credit card numbers for a large number of customers, and for security reasons we would like to encrypt all of the credit card numbers. If we take the straightforward approach of using any well-known block cipher such as AES, each credit card number, being 16 digits long, should be transformed into a 128-bit plaintext (by adding some dummy information) and then encrypted as a ciphertext of the same length. In order to accommodate all the ciphertexts as 128-bit strings, the database would have to be modified substantially, causing a significant amount of extra cost. With this consideration, it would be desirable to encrypt the credit card numbers into ciphertexts of the same format, namely 16-digit numbers. This problem, called format preserving encryption, does not allow any solution as straightforward as one might expect. One should either design a novel mode of operation in order to use a block cipher operating on large-sized blocks such as AES [2,3,4], or construct a (dedicated) small block cipher from scratch.
Card shuffle-based encryption Focusing on the dedicated construction, a (balanced) Feistel cipher, for example, might not be a satisfactory solution, at least from the point of view of provable security: no matter how carefully designed, the resulting block cipher provides only n/2-bit security for the block size n [12, 13]. This level of security might be acceptable for a large block size n, but not for a small one. Credit card numbers of 16 digits in the above example can be represented by approximately 54 bits, and a 27-bit security level would be too low. To find an alternative block cipher structure addressing this problem, card shuffle algorithms, which have a long history in probability theory, have begun to attract renewed interest. A card shuffle can be viewed as an encryption scheme when we think of the final position of a card at the end of the shuffle as the ciphertext of the initial position of the card.
In order for a card shuffle to be a computationally feasible block cipher, it should be oblivious, namely one should be able to trace the trajectory of a card without attending to lots of other cards in the deck. The Thorp shuffle is a well-known example of an oblivious card shuffle, where one first cuts a deck of cards into two equal piles, and then starts dropping the cards from either the left or the right hand with probability 1/2 [16]. Interpreted as a block cipher, a perfect matching is fixed on the set of positions for each round, and the two cards in each match are swapped or not according to a random coin of probability 1/2, or equivalently according to the evaluation of a single-bit random function at the match. A representative of each match might be defined as the maximum of the two positions of the match. From this cryptographic point of view, the Thorp shuffle operating on \(\{0,1\} ^n\) has been proved to be secure up to \(2^n/n\) queries for \(O(n^2)\) rounds [10].
Afterwards, a randomized variant of the Thorp shuffle, named swap-or-not, has been proposed [8]. In this shuffle, a perfect matching is randomly chosen by an additional round key; a round key \(K\in \{0,1\} ^n\) defines a perfect matching on \(\{0,1\} ^n\) by the difference of K, namely position \(x\in \{0,1\} ^n\) is matched with \(x\oplus K\). Then a single-bit round function is applied to each pair \(\{x,x\oplus K\}\) and the cards at the two positions are swapped or not according to the round function value. Then the threshold number of queries is significantly improved up to \((1-\varepsilon )2^{n}\) for any \(\varepsilon >0\) for O(n) rounds. Precisely, the adversarial distinguishing advantage is upper bounded by
for the r-round swap-or-not shuffle, where N and q denote the size of the domain and the number of queries, respectively (Footnote 1). However, it still requires a large number of rounds to achieve a sufficient level of security, for example more than 700 rounds for the domain size \(2^{32}\) and the threshold number of queries \(q=2^{31}\).
1.1 Our results
Partition-and-mix In this work, we naturally extend the swap-or-not shuffle by replacing a perfect matching used in each round of the swap-or-not by a certain uniform keyed partition. Formally, fix a domain \([N]=\{0,\ldots ,N-1\}\) for \(N>0\), the block size D of a keyed partition such that N is a multiple of D, and a certain key space \(\mathcal {K}\). Let \((\mathcal {B}_K)_{K\in \mathcal {K}}\) be a keyed partition of [N], where each key \(K\in \mathcal {K}\) defines a partition of [N]
such that \(|B_K^i|=D\) for \(i=1,\ldots ,N/D\) and \(\bigcup _{i=1}^{\frac{N}{D}}B_K^i=[N]\). For \(\varepsilon >0\), we will say the keyed partition \((\mathcal {B}_K)_{K\in \mathcal {K}}\) is \(\varepsilon \)-almost D-uniform if for every subset \(U\subset [N]\) such that \(|U|=D\)
Remark 1
Fix a subset \(U\subset [N]\) of size D, and any single element a of U. When a partition into blocks of size D is chosen uniformly at random from the set of all possible partitions, the \(D-1\) other elements of the block containing a are uniformly chosen from the set \([N]\setminus \{a\}\). The probability that they are \(U{\setminus } \{a\}\) is exactly \(1/\left( {\begin{array}{c}N-1\\ D-1\end{array}}\right) \). In other words, when a partition into blocks of size D is chosen uniformly at random from the set of all possible partitions, the probability of having U as one of its blocks is exactly \(1/\left( {\begin{array}{c}N-1\\ D-1\end{array}}\right) \) for any subset \(U\subset [N]\) of size D.
Given an almost uniform keyed partition \((\mathcal {B}_K)_{K\in \mathcal {K}}\), the next step is to define an independent random permutation
for each key \(K\in \mathcal {K}\), \(i=1,\ldots ,N/D\) and \(t=1,\ldots ,r\). Then the t-th round \(\varPsi _t\) of the partition-and-mix shuffle, \(t=1,\ldots ,r\), is defined as
for each \(a\in \{0,1\} ^n\), where \(K_t\in \mathcal {K}\) is the t-th round key and \(i\in \{1,\ldots ,N/D\}\) is the index such that \(a\in B_{K_t}^i\). Finally, the r-round partition-and-mix shuffle is defined as
As the entire domain is partitioned into blocks of a larger size \(D\ge 2\) compared to the swap-or-not shuffle, and all the elements in each block are uniformly mixed, it would be natural to expect a faster mixing time, or a smaller number of rounds for a given level of security. We remark that the swap-or-not shuffle can be viewed as an instantiation of the partition-and-mix shuffle with \(D=2\) and \(\mathcal {B}_K=\{\{x,x+K\}:x\in \{0,1\}^n\}\).
The main contribution of this work is to prove the security of the partition-and-mix shuffle; for \(\textsf{PM}^{r}\), we will prove
In particular, if \(q=(1-\delta )N\) for \(\delta >0\), then we have
So, for a fixed number of adversarial queries, the number of rounds is reduced by \(\frac{1}{\log D -\log (1+\varepsilon )}\) compared to the swap-or-not shuffle.
Uniform set partition In practice, the efficiency of the partition-and-mix shuffle would depend on the instantiation of the keyed partition. It seems of independent interest to find keyed partitions that allow efficient implementation. In this work, we propose two constructions of uniform random partitions.
The first construction is to use binary Hamming codes. For each integer \(s\ge 2\), there is a binary Hamming code, denoted \(\mathcal {C}_s\), with block length \(2^s-1\) and message length \(2^s-s-1\). In other words, \(\mathcal {C}_s\) is a \((2^s-s-1)\)-dimensional subspace of \(\{0,1\} ^{2^s-1}\). Since a binary Hamming code is perfect, for any \(\textbf{x}\in \{0,1\} ^{2^s-1}\), there is exactly one codeword \(\textbf{c}\in \mathcal {C}_s\) such that the Hamming distance between \(\textbf{c}\) and \(\textbf{x}\) is at most one. So the balls of radius one centered at the codewords partition the entire set \(\{0,1\} ^{2^s-1}\). With this observation, for \(n\ge 2^s-1\) and \(D=2^s\), we can construct an almost D-uniform keyed partition on \(\{0,1\} ^n\) by the following recipe.
1. Linearly independent keys \(K_1,\ldots ,K_{D-1}\in \{0,1\} ^n\) are chosen uniformly at random. Then for the subspace
$$\begin{aligned} V=\langle K_1,\ldots ,K_{D-1}\rangle \end{aligned}$$
the entire domain \(\{0,1\} ^n\) is partitioned into the cosets of V.
2. Each coset can be identified with \(\{0,1\} ^{D-1}\). For example, one might choose a representative \(\textbf{a}\) for each coset, and define a bijection from \(\{0,1\} ^{D-1}\) to the coset by mapping
$$\begin{aligned} \textbf{e}=(e_1,\ldots ,e_{D-1})\in \{0,1\} ^{D-1} \mapsto \textbf{a}+e_1K_1+\cdots +e_{D-1}K_{D-1}. \end{aligned}$$
3. A \([2^s-1,2^s-s-1,3]\)-Hamming code \(\mathcal {C}_s\) and an additional round key
$$\begin{aligned} \textbf{b}=(b_1,\ldots ,b_{D-1})\in \{0,1\} ^{D-1} \end{aligned}$$
define a partition of the set \(\{0,1\} ^{D-1}\), and hence of each coset of \(\{0,1\}^n\), as follows.
$$\begin{aligned} \{0,1\} ^{D-1}=\bigcup _{\textbf{c}\in \mathcal {C}_s}\{\textbf{c}+\textbf{b}+\textbf{e}:\textbf{wt}(\textbf{e})\le 1\}. \end{aligned}$$
This keyed partition is shown to be \(\varepsilon \)-almost uniform for \(\varepsilon =2^{D-n}\). We will discuss in detail the properties and the instantiation of the keyed partitions based on Hamming codes in Sects. 4 and 5.
Our second construction is recursive: for the block size \(D>0\), one can construct a D-uniform keyed partition of \(X\times Y\) using a D-uniform keyed partition of X and a D-wise independent function family from X to Y. Recall that a function family \((f_K)_{K\in \mathcal {K}_2}\) is D-wise independent if for any distinct \(x_1,\ldots ,x_D\in X\) and any (not necessarily distinct) \(y_1,\ldots ,y_D\in Y\), the probability that \(f_K(x_i)=y_i\) for all \(i=1,\ldots ,D\) is the same, namely \(1/|Y|^D\) over the random choice of the key \(K\in \mathcal {K}_2\).
Let \((\mathcal {B}'_K)_{K\in \mathcal {K}_1}\) be an \(\varepsilon \)-almost D-uniform keyed partition of X and let Y be an additive group. For a pair of keys \(K=(K_1,K_2)\in \mathcal {K}_1\times \mathcal {K}_2\), let
In Sect. 4, we prove that \((\mathcal {B}_K)_{K\in \mathcal {K}}\) is an \(\varepsilon '\)-almost D-uniform keyed partition of \(X\times Y\) for
A D-wise independent function family is typically defined as a polynomial of degree at most \(D-1\) over a finite field. This construction might be particularly useful when the domain size is not a power of two: for example, if we want to encrypt data (such as credit card numbers) within the domain \(\{0,\ldots ,9\}^{16}\), then we can decompose the domain as \(\{0,\ldots ,9\}^{16}=X\times Y\), where \(X=\{0,1\} ^{16}\) and \(Y=\{0,1,2,3,4\}^{16}\). Then we might use an almost uniform partition on the set X based on a binary Hamming code and any D-wise independent function family from X to Y to obtain a uniform keyed partition of \(X\times Y\).
Comparison Figure compares the upper bounds on the distinguishing advantages for the swap-or-not shuffle and the partition-and-mix shuffle based on an 8-uniform keyed partition, for the domain size \(N=2^{32}\) and the threshold number of queries \(q=N/2\). In this example, the partition-and-mix shuffle requires a family of random 3-bit permutations, while it provides the same level of security with approximately a quarter of the number of rounds needed for the swap-or-not shuffle. Details on the instantiation of the partition-and-mix shuffle and its efficiency are discussed in Sect. 5.
1.2 Related work
The swap-or-not and the partition-and-mix shuffles asymptotically guarantee their security only up to \((1-\varepsilon )N\) queries for any \(\varepsilon >0\), but not for all N possible queries for the domain size N. In [14], a new approach, called mix-and-cut, has been proposed for turning one shuffle into another, where a deck of cards is randomly separated into two piles, and the shuffle algorithm is independently applied to each of the two piles. Within this framework, one obtains a shuffle achieving full security by repeatedly applying the swap-or-not shuffle \(O(\log ^2 N)\) times. This approach has been further improved in [11], where they slightly modified mix-and-cut and showed that applying the underlying shuffle to only one of the two piles is enough to achieve full security. This framework, named sometimes-recurse, requires only \(O(\log N)\) applications of the shuffle on average, significantly improving the efficiency over mix-and-cut.
As another line of research on block cipher construction, a substitution-permutation network is modeled as an iterated Even-Mansour cipher. The original single-round construction is shown to be secure only up to the birthday bound [7]. Iteration naturally enhances its security, and indeed the r-round Even-Mansour cipher on \(\{0,1\} ^n\) has been proved to be secure up to \(2^{\frac{rn}{r+1}}\) queries [5]. However, we note that this security model is incomparable to ours: there, the construction uses as its underlying primitives independent random permutations of the same size as the entire construction, while the adversary is allowed to make queries to the inner permutations.
The partition-and-mix shuffle might be viewed as a mode of operation that extends the domain of a small block cipher operating on each block of the partition. The small block cipher might be constructed from a perfect random number generator, and again the random number generator constructed from any robust block cipher such as AES [15]. The domain extension of an ideal cipher has also been studied in [6], where they prove a 3-round Feistel cipher is a secure domain extender of an ideal cipher within the indifferentiability framework, while 2 rounds are enough to get a domain extender of a tweakable block cipher in the standard model.
2 Preliminaries
Notation For a fixed domain size \(N>0\), the set of all permutations on [N] will be denoted \(\mathcal {P} \). For a set T and an integer \(s\ge 1\), \(T^{*s}\) denotes the set of all sequences that consist of s pairwise distinct elements of T. For integers \(1\le s\le t\), we will write \((t)_s=t(t-1)\cdots (t-s+1)\). If \(|T|=t\), then \((t)_s\) is the size of \(T^{*s}\).
For a binary string \(\textbf{w}\), the number of its nonzero components is called the weight of \(\textbf{w}\), denoted \(\textbf{wt}(\textbf{w})\). For an element \(x\in \{0,1,\dots ,2^{s}-1\}\), let \(\langle x \rangle _s \in \{0,1\}^s\) denote the binary representation of x, namely, an s-bit string \((a_1,\ldots ,a_s)\in \{0,1\}^s\) such that \(x=2^{s-1}a_{s}+\dots +2a_2+a_1\), and let \(\textbf{e}(x)\) denote a \((2^s-1)\)-bit string \((b_1,\ldots ,b_{2^{s}-1}) \in \{0,1\}^{2^s-1}\) such that \(b_i=1\) if \(i=x\), and \(b_i=0\) otherwise. So we have \(\textbf{wt}(\textbf{e}(x))=0\) if \(x=0\), and \(\textbf{wt}(\textbf{e}(x))=1\) otherwise.
Hamming code An \([n,k,d]_{2^e}\) linear error-correcting code \(\mathcal {C}\) is a k-dimensional subspace of \(\mathbb {F}^n_{2^e}\) with the minimum weight d, where \(\mathbb {F}_{2^e}\) denotes a finite field of order \(2^e\). An \([n,k,d]_{2^e}\) code \(\mathcal {C}\) can be represented by a \(k\times n\) generator matrix G over \(\mathbb {F}_{2^e}\) where every codeword of \(\mathcal {C}\) is expressed as a linear combination of the row vectors of G, namely \(w\cdot G\) for some \(w\in \mathbb {F}^k_{2^e}\).
Hamming codes are a family of \([2^s-1,2^s-s-1,3]_{2}\) codes, where \(s\ge 2\). For each Hamming code, the balls of Hamming radius one centered on the codewords exactly fill out the entire space \(\{0,1\}^{n}\) where \(n=2^s-1\).
D-wise independent function family Let \((f_K)_{K\in \mathcal {K}}\) be a family of functions from X to Y with key space \(\mathcal {K}\). For a positive integer D, \((f_K)_{K\in \mathcal {K}}\) is called D-wise independent if for any distinct \(x_1,\ldots ,x_D\in X\) and any (not necessarily distinct) \(y_1,\ldots ,y_D\in Y\), the probability that \(f_K(x_i)=y_i\) for every \(i=1,\ldots ,D\) is \(1/|Y|^D\) over the random choice of the key \(K\in \mathcal {K}\).
Security definition Let \(\textsf{E}\) be a block cipher on [N] that employs \(\lambda \)-bit keys. So each key \(\textbf{k}\in \{0,1\} ^{\lambda }\) defines a permutation \(\textsf{E}_{\textbf{k}}\) on [N]. In the adaptive chosen-ciphertext attack-indistinguishability (CCA-IND) model, an adversary \(\mathcal {A}\) adaptively makes forward and backward queries to either a permutation P or the block cipher \(\textsf{E}_{\textbf{k}}\) in order to tell apart \(\textsf{E}_{\textbf{k}}\) and P, where \(\textsf{E}_{\textbf{k}}\) uses a random secret key \(\textbf{k}\) and P is chosen uniformly at random from \(\mathcal {P} \). Thus \(\mathcal {A}\)'s distinguishing advantage is formally defined by
In the non-adaptive chosen-plaintext attack (NCPA) model, an adversary \(\mathcal {A}\) makes only non-adaptive forward queries. The advantage \( {{\textbf {Adv}}}^{\textrm{ncpa}}_{\textsf{E}}(\mathcal {A})\) is similarly defined in this model. For \(\textrm{atk}\in \{\textrm{cca},\textrm{ncpa}\}\), and for \(q>0\), we define
where the maximum is taken over all \(\textrm{atk}\)-adversaries making at most q queries. If the encryption and decryption algorithms are symmetric in their structures, we can lift the NCPA-security of the block cipher to CCA-security by doubling the number of rounds [9].
Lemma 1
If F and G are block ciphers on the same message space, then for any \(q>0\),
Total variation distance Given a finite event space \(\Omega \) and two probability distributions \(\mu \) and \(\nu \) defined on \(\Omega \), the total variation distance between \(\mu \) and \(\nu \), denoted \(\Vert \mu -\nu \Vert \), is defined as
Useful Lemmas. For a finite nonempty set \(\Omega \), let \(\mu \) and \(\nu \) be probability distributions supported on q-tuples of elements of \(\Omega \). If the first l elements \(u^*_1,\dots ,u^*_l\) are fixed for \(l=0,\ldots ,q-1\), then we can consider the distribution of \(\mu \) restricted to the \((l+1)\)-th element, conditioned on \((u^*_1,\dots ,u^*_l)\), namely
where \((X_1,\ldots ,X_q)\sim \mu \). The distribution \(\nu (\ \cdot \ |u^*_1,\dots ,u^*_l)\) is similarly defined, and hence
Using this notation, given a set of random variables \((Z_1,\ldots ,Z_q)\), we can define a new random variable
for \(l=0,\ldots ,q-1\). Then the total variation distance \(\Vert \mu -\nu \Vert \) is upper bounded by the sum of the conditional distances on average as follows.
Lemma 2
Fix a finite nonempty set \(\Omega \) and let \(\mu \) and \(\nu \) be probability distributions supported on q-tuples of elements of \(\Omega \), and suppose that \((Z_1,\ldots ,Z_q)\sim \mu \). Then
Note that the expectation is taken over the set of random variables \((Z_1,\ldots ,Z_q)\).
Using the conventions \(\left( {\begin{array}{c}0\\ 0\end{array}}\right) =1\) and \(\left( {\begin{array}{c}p\\ q\end{array}}\right) =0\) for \(0\le p<q\), the following lemma on binomial coefficients will also be useful later.
Lemma 3
Let a, b, c be positive integers such that \(b\le c\). Then
Proof
By integrating both sides of
we obtain
Therefore the left-hand side of (2) is the coefficient of \(x^{a+1}\) in the polynomial
which is upper bounded by the coefficient of \(x^{a+1}\) in
The coefficient of \(x^{a+1}\) in (3) is
\(\square \)
3 Security of the partition-and-mix shuffle
The security of the r-round partition-and-mix shuffle \(\textsf{PM}^r\) defined by an \(\varepsilon \)-almost D-uniform keyed partition \((\mathcal {B}_K)_{K\in \mathcal {K}}\) and a set of independent random permutations \((\sigma _K^{i,t})_{(K,i,t)\in \mathcal {K}\times \{1,\ldots ,\frac{N}{D}\}\times \{1,\ldots ,r\}}\) is summarized in the following theorem.
Theorem 1
Let \(\textsf{PM}^r\) be the r-round partition-and-mix shuffle defined by a keyed partition \((\mathcal {B}_K)_{K\in \mathcal {K}}\) and a set of mixing permutations \((\sigma _K^{i,t})\). If \((\mathcal {B}_K)_{K\in \mathcal {K}}\) is \(\varepsilon \)-almost D-uniform, the \(\sigma _K^{i,t}\) are all independent random permutations, and the round keys \(K_1,\ldots ,K_r\) are chosen independently and uniformly at random from \(\mathcal {K}\), then
3.1 Proof of Theorem 1
Fix q distinct elements \(z_1,\ldots ,z_q\in [N]\). For \(j=1,\ldots ,q\) and \(t=1,\ldots ,r\), let \(X_t(j)\) denote the random variable that indicates the position of \(z_j\) at the end of the t-th round of \(\textsf{PM}^r\), namely,
where \(\varPsi _1,\ldots ,\varPsi _t\) are as defined in (1). Let \(\tau _t\) be the distribution of
and let \(\pi \) be the uniform random distribution on \([N]^{*q}\). So \(\pi \) is the distribution of q samples without replacement from [N]. The core of the security proof is to upper bound their statistical distance \(\Vert \tau _r-\pi \Vert \) for reasonably small r since this is the distinguishing advantage of an NCPA-adversary that makes q queries \(z_1,\ldots ,z_q\).
Given the first t round keys \(K=(K_1,\ldots ,K_t)\in \mathcal {K}^t\) for \(t=1,\ldots ,r\), we can consider the distribution of \((X_t(1),\ldots ,X_t(q))\) conditioned on the fixed partitions \((\mathcal {B}_{K_1},\ldots ,\mathcal {B}_{K_t})\), denoted \(\tau _t^{K}\). Then by the definition of the total variation distance and by the triangle inequality, we have
where the expectation is taken over random variable K (regarded as defined on \(\mathcal {K}^r\) with the uniform distribution). Again, by Lemma 2, we have
where the last expectation is taken over random variables \(X_r(1),\ldots ,X_r(l)\) and K, and \(m=N-l\). For a fixed \(l=0,\ldots ,q-1\), let
Then we have
where \(S_t=[N]\setminus \{X_t(1),\ldots ,X_t(l)\}\). By using the inequality \(\textbf{E}\left( {X}\right) ^2\le \textbf{E}\left( {X^2}\right) \) (that holds for any random variable X) and the Cauchy-Schwarz inequality, we have
Define \(s_t=\sum _{a\in S_t}(p_t(a)-1/m)^2\) for \(t=0,\ldots ,r\). Since the initial positions of the elements \(z_1,\ldots ,z_q\) are deterministic, we have
Then we will express \(\textbf{E}\left( {s_{t+1}|s_t}\right) \) as a linear equation of \(s_t\) with small coefficients.
Since \(s_t\) is a random variable determined by \(X_t(1),\ldots ,X_t(l)\) and \(K_1,\ldots ,K_t\), we fix the values of these variables and consider the conditional expectation of \(s_{t+1}\). Given a partition \(\mathcal {B}_{K_{t+1}}\), we only need to determine the evolution of \(X_t(1),\ldots ,X_t(l)\) (not of the other elements) in order to determine \(S_{t+1}\). Then we can arbitrarily define a permutation
such that \(f(B\cap S_t)=B\cap S_{t+1}\) for every \(B\in \mathcal {B}_{K_{t+1}}\). (This is always possible since \(|B\cap S_t|=|B\cap S_{t+1}|\).) Since
for every \(B\in \mathcal {B}_{K_{t+1}}\), it follows that
For a fixed element \(a\in S_t\), we can choose a set \(U\subset [N]\) such that \(a\in U\) and \(|U|=D\) by the following process.
1. Fix \(i=|U\cap S_t|\), where \(1\le i\le D\).
2. Choose \(V=(U\cap S_t)\setminus \{a\}=\{v_1,\ldots ,v_{i-1}\}\).
3. Choose \(W=U\setminus S_t\) such that \(|W|=D-i\).
4. Define \(U=V\cup W\cup \{a\}\).
Since the number of ways of choosing sets W is \(\left( {\begin{array}{c}l\\ D-i\end{array}}\right) \), we have
We expand and simplify the inner summation using the following observations.
1. $$\begin{aligned} \sum _{(v_1,\ldots ,v_{i-1})\subset (S_t\setminus \{a\})^{*(i-1)}}\left( p_t(a)-\frac{1}{m}\right) ^2=(m-1)_{i-1}\left( p_t(a)-\frac{1}{m}\right) ^2 \mathrel {\mathop =^\textrm{def}} A_1. \end{aligned}$$
2. For \(1\le j\le i-1\), since \(\sum _{v\in S_t}\left( p_t(v)-\frac{1}{m}\right) =0\),
$$\begin{aligned}&\sum _{(v_1,\ldots ,v_{i-1})\subset (S_t\setminus \{a\})^{*(i-1)}}\left( p_t(a)-\frac{1}{m}\right) \left( p_t(v_j)-\frac{1}{m}\right) \\&=(m-2)_{i-2}\left( p_t(a)-\frac{1}{m}\right) \sum _{v\in S_t\setminus \{a\}}\left( p_t(v)-\frac{1}{m}\right) \\&=-(m-2)_{i-2}\left( p_t(a)-\frac{1}{m}\right) ^2 \mathrel {\mathop =^\textrm{def}} A_2 \end{aligned}$$
where we assume \(m,i\ge 2\).
3. For \(1\le j\le i-1\),
$$\begin{aligned}&\sum _{(v_1,\ldots ,v_{i-1})\subset (S_t\setminus \{a\})^{*(i-1)}}\left( p_t(v_j)-\frac{1}{m}\right) ^2\\&=(m-2)_{i-2}\sum _{v\in S_t\setminus \{a\}}\left( p_t(v)-\frac{1}{m}\right) ^2\\&=(m-2)_{i-2}\left( s_t-\left( p_t(a)-\frac{1}{m}\right) ^2\right) \mathrel {\mathop =^\textrm{def}} A_3 \end{aligned}$$
where we assume \(m,i\ge 2\).
4. For \(1\le j<h\le i-1\),
$$\begin{aligned}&\sum _{(v_1,\ldots ,v_{i-1})\subset (S_t\setminus \{a\})^{*(i-1)}}\left( p_t(v_j)-\frac{1}{m}\right) \left( p_t(v_h)-\frac{1}{m}\right) \\&=(m-3)_{i-3}\left( \left( \sum _{v\in S_t\setminus \{a\}}\left( p_t(v)-\frac{1}{m}\right) \right) ^2-\sum _{v\in S_t\setminus \{a\}}\left( p_t(v)-\frac{1}{m}\right) ^2\right) \\&=(m-3)_{i-3}\left( \left( p_t(a)-\frac{1}{m}\right) ^2-\sum _{v\in S_t\setminus \{a\}}\left( p_t(v)-\frac{1}{m}\right) ^2\right) \\&=(m-3)_{i-3}\left( 2\left( p_t(a)-\frac{1}{m}\right) ^2-s_t\right) \mathrel {\mathop =^\textrm{def}} A_4 \end{aligned}$$
where we assume \(m,i\ge 3\).
Since
we have
and hence
where the last inequality follows since by applying Lemma 3 with \(a=D-1\), \(b=m-1\) and \(c=N-1\),
By taking expectation on both sides of inequality (7), we have
Since \(\textbf{E}\left( {s_0}\right) <1\), we have
Therefore by (4), (5) and (6), we have
4 Almost uniform partitions
In this section, we will describe in detail how keyed partitions can be defined based on binary Hamming codes, and efficiently implemented within the PM shuffle. We also analyze the property of the recursive construction given in Sect. 1.1.
4.1 Almost uniform partitions based on binary Hamming codes
For each integer \(s\ge 2\), let \(\mathcal {C}_s\) be a binary \([2^s-1,2^s-s-1,3]\)-Hamming code. Using the code \(\mathcal {C}_s\), we can define a keyed partition \((\mathcal {B}_K)_{K\in \mathcal {K}}\) of \(\{0,1\} ^n\) for any \(n\ge 2^s-1\) where each block is of size \(D=2^s\). The key space of this keyed partition is defined as
Given a key \(\left( K_1,\ldots ,K_{D-1},\textbf{b}\right) \in \mathcal {K}\), it determines a subspace of dimension \({D-1}\)
If we arbitrarily fix a set of representatives R for the quotient space \(\{0,1\} ^n/V\), then the entire set \(\{0,1\} ^n\) is partitioned as
Again, we partition each coset \(\textbf{a}+V\) as
where we write \(\textbf{c}=(c_1,\ldots ,c_{D-1})\), \(\textbf{b}=(b_1,\ldots ,b_{D-1})\). So for each codeword \(\textbf{c}=(c_1,\ldots ,c_{D-1})\in \mathcal {C}_s\) and the key \(\textbf{b}=(b_1,\ldots ,b_{D-1})\), the element
becomes the center of the block containing the element itself, in the sense that the other elements of the block are obtained by adding \(K_i\), \(i=1,\ldots ,D-1\), to the center. Given a key \(\left( K_1,\ldots ,K_{D-1},\textbf{b}\right) \), the center of each block is uniquely determined.
Let \(U=\{\textbf{u}_1,\ldots ,\textbf{u}_{D}\}\subset \{0,1\} ^n\) be a subset of size D. Suppose that U is a block in a partition with key \(\left( K_1,\ldots ,K_{D-1},\textbf{b}\right) \). Then \(u_i\) should be the center of a ball for some \(i=1,\ldots ,D\), which is of the form of (8). In this case, we have
for some permutation g on \([D-1]\). Once i and g are fixed, then \(V=\langle K_1,\ldots ,K_{D-1}\rangle \) is determined, and hence a representative \(\textbf{a}\) such that \(U\subset \textbf{a}+V\). If we arbitrarily choose any codeword \(\textbf{c}\in \mathcal {C}_s\), then \(\textbf{b}\) is uniquely determined by \(\textbf{a}\), \(\textbf{c}\) and the center of the ball \(u_i=\textbf{a}+(c_1+b_1)K_1+\cdots +(c_{D-1}+b_{D-1})K_{D-1}\). Since
and \(D=2^s\), we have
if \(N\ge 2^{D}\). Therefore this keyed partition is \(\varepsilon \)-almost D-uniform for \(\varepsilon =2^{D}/N\).
4.2 Extension of almost uniform partitions using random functions
Let \((\mathcal {B}'_K)_{K\in \mathcal {K}_1}\) be an \(\varepsilon \)-almost D-uniform keyed partition of X, let Y be an additive group, and let \((f_K)_{K\in \mathcal {K}_2}\) be a D-wise independent function family from X to Y. Then we can construct an \(\varepsilon '\)-almost D-uniform keyed partition \((\mathcal {B}_K)_{K\in \mathcal {K}}\) of \(X\times Y\) with the key space being \(\mathcal {K}=\mathcal {K}_1\times \mathcal {K}_2\), where
Given a key \(K=(K_1,K_2)\in \mathcal {K}_1\times \mathcal {K}_2\), the partition keyed with K is defined as
Let \(U=\{(x_1,y_1),\ldots ,(x_D,y_D)\}\) be a subset of \(X\times Y\) of size D. If there is a collision at the first position, namely \(x_i=x_j\) for some \(1\le i <j\le D\), then
Otherwise, for \(M=|X|\), \(M'=|Y|\) and \(N=|X\times Y|=MM'\), we have
if \(D^2\le M\).
5 Concrete instantiation of the \(\textsf{PM}\) shuffle
In this section, we present a concrete instantiation of an n-bit \(\textsf{PM}\) shuffle based on a binary \([2^s-1,2^s-s-1,3]\)-Hamming code \(\mathcal {C}_s\). Suppose that \(n\ge 2^s-1\) and let \(D=2^s\).
A single round of the resulting PM shuffle Given a key
then the \((D-1)\times n\) matrix L with the i-th row being \(K_i\), \(i=1,\ldots ,D-1\), can be transformed into a reduced row echelon form \(H=(h_{ij})\), where we can also compute and record a \((D-1)\times (D-1)\) invertible matrix \(M=(m_{ij})\) such that
This computation, using the elementary row operations, would not be costly in general, and might be precomputed prior to encryption of data. Let \(j_1,\ldots ,j_{D-1}\) denote the column indices of the leading ones in H. So \(h_{\alpha , j_{\alpha }}=1\) for \(\alpha =1,\ldots ,D-1\).
Given an input \(\textbf{u}=(u_1,\ldots ,u_n)\in \{0,1\} ^n\), the representative of the coset containing \(\textbf{u}\) is defined by setting the elements at the positions of the leading ones to zero. Namely, the representative \(\textbf{a}\) is computed by
where \(H_i\) denotes the i-th row of H. Since
for \(i=1,\ldots ,D-1\), we can also compute \(p_1,\ldots ,p_{D-1}\in \{0,1\} \) such that
or equivalently,
Precisely, for \(i=1,\ldots ,D-1\),
By decoding the word \((b_1+p_1,\ldots ,b_{D-1}+p_{D-1})\) using the Hamming code \(\mathcal {C}_s\), we can obtain a codeword \(\textbf{c}=(c_1,\ldots ,c_{D-1})\) and the corresponding error vector
such that \(\textbf{wt}(\textbf{e})\le 1\). This step is essentially to compute the syndrome of the word \((b_1+p_1,\ldots ,b_{D-1}+p_{D-1})\) using the parity check matrix of \(\mathcal {C}_s\). Then we have
and the block containing \(\textbf{u}\) is labeled as \((\textbf{a},\textbf{c})\in \{0,1\}^n\times \{0,1\}^{D-1}\). The position of one in \(\textbf{e}\) can be encoded as an element of \(\{0,1\} ^s\), with no error being regarded as \((0,\ldots ,0)\in \{0,1\} ^s\).
By applying the round permutation \(\sigma _{\textbf{a},\textbf{c}}\) to \(\textbf{e}\) (Footnote 2), a new error vector \(\textbf{e}'=(e'_1,\ldots ,e'_{D-1})\) such that \(\textbf{wt}(\textbf{e}')\le 1\) is obtained, and finally the element \(\textbf{u}\) is mapped to
Pseudocode. Suppose that the r-round \(\textsf{PM}^r\) cipher uses an s-bit tweakable permutation
as its underlying primitive. Then \(\textsf{PM}^r\) encrypts \(\textbf{w}\in \{0,1\}^n\) using a set of t round keys
as described in Fig. .
Numerical Example. Let \(s=3\), \(n=32\) and \(r=512\). Then one needs a 3-bit block cipher using 48-bit tweaks for the underlying primitive \(\sigma \). This small block cipher can be instantiated using a tweakable block cipher, e.g., Skinny-128-256 [1]. For each round, one makes a single call to Skinny-128-256 with a fixed plaintext using a 256-bit tweakey containing the 48-bit tweak, obtaining a 128-bit random string, from which one can construct a random permutation on 3 bits. A straightforward way of constructing such a permutation is to parse the 128-bit string into a sequence of eight 16-bit blocks. If there is no collision between the blocks, then the sequence defines a permutation on \(\{0,1\}^3\). The probability of collision is upper bounded by \(\left( {\begin{array}{c}8\\ 2\end{array}}\right) /2^{16}\), which is smaller than \(\frac{1}{2^{11}}\).
Lines 3 to 6 in the pseudocode can be precomputed for every round \(t\in [r]\) if a sufficient amount of memory is available. Line 11 can be executed using the syndrome decoding: the generator matrix of the [7, 4, 3]-Hamming code (for \(s=3\)) is given as
and its parity-check matrix is defined as
By computing \((\textbf{b}+\textbf{p}) (G^*)^T\), one obtains the 3-bit syndrome of \(\textbf{b}+\textbf{p}\), where \((G^*)^T\) denotes the transpose of \(G^*\). The syndrome of \(\textbf{b}+\textbf{p}\) specifies the exact position of the single bit error in \(\textbf{b}+\textbf{p}\) (if any), allowing one to recover the corresponding codeword \(\textbf{c}\) and the error vector \(\textbf{e}\) such that \(\textbf{c}+\textbf{e}=\textbf{b}+\textbf{p}\).
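As an added worked example (not code from the paper), the following Python carries out the error-vector part of one PM round for \(s=3\): syndrome decoding of the 7-bit word \(\textbf{b}+\textbf{p}\) with the [7, 4, 3] Hamming code, construction of a permutation on \(\{0,1\}^3\) from a 128-bit string parsed as eight 16-bit blocks, and the update \(\textbf{e}\mapsto \textbf{e}'\). Assumptions: the parity-check matrix has column \(j\) equal to the binary expansion of \(j\) (the paper's \(G^*\) may be ordered differently), the eight blocks define a permutation by ranking, and the 128-bit string stands in for the Skinny-128-256 output.

```python
# Constructed example for s = 3: blocks have D = 2^s = 8 elements, and the inner
# word (b + p) of a block is D - 1 = 7 bits long.
S = 3
D = 2 ** S


def syndrome(word):
    """3-bit syndrome of a 7-bit word under the [7,4,3] Hamming code.
    Assumption: parity-check column j (1-based) is the binary expansion of j,
    so a single error at position j yields syndrome j and a codeword yields 0."""
    syn = 0
    for j, bit in enumerate(word, start=1):
        if bit:
            syn ^= j
    return syn


def decode(word):
    """Split word = c + e into codeword c, error vector e (weight <= 1) and
    the s-bit encoding of e: 0 means 'no error', j means a single 1 at position j."""
    pos = syndrome(word)
    e = tuple(1 if j == pos else 0 for j in range(1, D))
    c = tuple(w ^ x for w, x in zip(word, e))
    return c, e, pos


def permutation_from_string(rand):
    """Parse a 128-bit string (stand-in for the tweakable block cipher output)
    into eight 16-bit blocks. If all blocks are distinct, their ranks define a
    permutation on {0,...,7}; on a collision, return None so the caller can retry."""
    assert len(rand) == 16
    blocks = [int.from_bytes(rand[2 * i:2 * i + 2], "big") for i in range(D)]
    if len(set(blocks)) != D:
        return None
    order = sorted(range(D), key=lambda i: blocks[i])
    perm = [0] * D
    for rank, i in enumerate(order):
        perm[i] = rank
    return perm


def pm_round(word, perm):
    """One round on the inner word: decode to (c, e), apply sigma to the
    encoded error, and return c + e'. The codeword c, which labels the block
    together with the representative a, is left unchanged."""
    c, _e, idx = decode(word)
    new_idx = perm[idx]
    e_new = tuple(1 if j == new_idx else 0 for j in range(1, D))
    return tuple(x ^ y for x, y in zip(c, e_new))
```

Because \(\sigma \) acts only on the encoded error, the round is a bijection on each block, and the same code with the inverse permutation decrypts.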
Notes
The coefficient “4” appearing in the original upper bound in [8] should be corrected as “8”.
When we look at the security proof, the permutation family \(\sigma \) does not need to be independent for every distinct key K; the permutations are required to be independent only for every block once a partition is fixed.
References
Beierle C., Jean J., Kölbl S., Leander G., Moradi A., Peyrin T., Sasaki Y., Sasdrich P., Sim S.M.: The SKINNY family of block ciphers and its low-latency variant MANTIS. In: Advances in Cryptology-CRYPTO 2016, pp. 123–153. Springer, Berlin Heidelberg (2016).
Bellare M., Ristenpart T., Rogaway P., Stegers T.: Format-preserving encryption. In: Selected Areas in Cryptography, pp. 295–312. Springer, Berlin Heidelberg (2009).
Bellare M., Rogaway P., Spies T.: The FFX mode of operation for format-preserving encryption. Unpublished NIST proposal (2010).
Brier E., Peyrin T., Stern J.: BPS: a format-preserving encryption proposal. Submission to NIST, available from their website (2010).
Chen S., Steinberger J.: Tight security bounds for key-alternating ciphers. In: Advances in Cryptology-EUROCRYPT 2014, pp. 327–350. Springer, Berlin Heidelberg (2014).
Coron J.S., Dodis Y., Mandal A., Seurin Y.: A domain extender for the ideal cipher. In: Theory of Cryptography, pp. 273–289. Springer, Berlin Heidelberg (2010).
Even S., Mansour Y.: A construction of a cipher from a single pseudorandom permutation. J. Cryptol. 10(3), 151–161 (1997).
Hoang V.T., Morris B., Rogaway P.: An enciphering scheme based on a card shuffle. In: Advances in Cryptology-CRYPTO 2012, pp. 1–13. Springer, Berlin Heidelberg (2012).
Maurer U., Pietrzak K., Renner R.: Indistinguishability amplification. In: Advances in Cryptology-CRYPTO 2007, pp. 130–149. Springer, Berlin Heidelberg (2007).
Morris B., Rogaway P., Stegers T.: How to encipher messages on a small domain. In: Advances in Cryptology-CRYPTO 2009, pp. 286–302. Springer, Berlin Heidelberg (2009).
Morris B., Rogaway P.: Sometimes-Recurse Shuffle. In: Advances in Cryptology-EUROCRYPT 2014, pp. 311–326. Springer, Berlin Heidelberg (2014).
Patarin J.: Luby-Rackoff: \(7\) rounds are enough for \(2n(1-\varepsilon )\) security. In: Advances in Cryptology-CRYPTO 2003, pp. 513–529. Springer, Berlin Heidelberg (2003).
Patarin J.: Security of random Feistel schemes with 5 or more rounds. In: Advances in Cryptology-CRYPTO 2004, pp. 106–122. Springer, Berlin Heidelberg (2004).
Ristenpart T., Yilek S.: The mix-and-cut shuffle: small-domain encryption secure against N queries. In: Advances in Cryptology-CRYPTO 2013, pp. 392–409. Springer, Berlin Heidelberg (2013).
Stefanov E., Shi E.: FastPRP: fast pseudo-random permutations for small domains. IACR Cryptol. ePrint Arch. 2012, 254 (2012).
Thorp E.O.: Nonrandom shuffling with applications to the game of Faro. J. Am. Stat. Assoc. 68(344), 842–847 (1973).
Additional information
Communicated by M. Paterson.
Nam-Su Jho was supported by an Institute of Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korea government (MSIT) (No. 2021-0-00779, Development of high-speed encryption data processing technology that guarantees privacy based hardware).
Jooyoung Lee was supported by Institute of Information & Communications Technology Planning & Evaluation (IITP) Grant funded by the Korea government (MSIT) (No. 2022-0-01202, Regional strategic industry convergence security core talent training business).
Cite this article
Jho, NS., Lee, J. Partition and mix: generalizing the swap-or-not shuffle. Des. Codes Cryptogr. 91, 2237–2254 (2023). https://doi.org/10.1007/s10623-023-01199-4