## Cryptology ePrint Archive: Report 2019/243

4-Round Luby-Rackoff Construction is a qPRP

Abstract: The Luby-Rackoff construction, or the Feistel construction, is one of the most important approaches to construct secure block ciphers from secure pseudorandom functions. The 3-round and 4-round Luby-Rackoff constructions are proven to be secure against chosen-plaintext attacks (CPAs) and chosen-ciphertext attacks (CCAs), respectively, in the classical setting. However, Kuwakado and Morii showed that a quantum superposed chosen-plaintext attack (qCPA) can distinguish the 3-round Luby-Rackoff construction from a random permutation in polynomial time. In addition, a recent work by Ito et al. showed a quantum superposed chosen-ciphertext attack (qCCA) that distinguishes the 4-round Luby-Rackoff construction. Since Kuwakado and Morii showed the result, it has been a problem of much interest how many rounds are sufficient to achieve the provable security against quantum query attacks. This paper shows the answer to this fundamental question by showing that 4-rounds suffice against qCPAs. Concretely, we prove that the 4-round Luby-Rackoff construction is secure up to $O(2^{n/12})$ quantum queries. We also give a query upper bound for the problem of distinguishing the 4-round Luby-Rackoff construction from a random permutation by showing a distinguishing qCPA with $O(2^{n/6})$ quantum queries. Our result is the first one that shows security of a typical block-cipher construction against quantum query attacks, without any algebraic assumptions. To give security proofs, we use an alternative formalization of Zhandry's compressed oracle technique.

Category / Keywords: secret-key cryptography / post-quantum cryptography, provable security, quantum security, compressed oracle technique, quantum chosen plaintext attacks, Luby-Rackoff constructions.

Date: received 27 Feb 2019, last revised 17 May 2019

Contact author: hosoyamada akinori at lab ntt co jp

Available format(s): PDF | BibTeX Citation

Note: Editorial changes on the presentation. (5/18/2019) Errors in the proof of Proposition 5 are corrected, and the security bound is changed. Title is also changed accordingly. (5/2/2019)

Short URL: ia.cr/2019/243

[ Cryptology ePrint archive ]