Paper 2024/1795

How Fast Does the Inverse Walk Approximate a Random Permutation?

Abstract

For a finite field $\mathbb{F}$ of size $n$, the (patched) inverse permutation $\mathrm{INV}:\mathbb{F}\to \mathbb{F}$ computes the inverse of $x$ over $\mathbb{F}$ when $x\ne 0$ and outputs $0$ when $x=0$, and the ${\mathrm{ARK}}_K$ (for AddRoundKey) permutation adds a fixed constant $$ to its input, i.e., $$ We study the process of alternately applying the $$ permutation followed by a random linear permutation $$, which is a random walk over the alternating (or symmetric) group that we call the inverse walk. We show both lower and upper bounds on the number of rounds it takes for this process to approximate a random permutation over $$. We show that $$ rounds of the inverse walk over the field of size $$ with $$ rounds generates a permutation that is $$-close (in variation distance) to a uniformly random even permutation (i.e. a permutation from the alternating group $$). This is tight, up to logarithmic factors. Our result answers an open question from the work of Liu, Pelecanos, Tessaro and Vaikuntanathan (CRYPTO 2023) by providing a missing piece in their proof of $$-wise independence of (a variant of) AES. It also constitutes a significant improvement on a result of Carlitz (Proc. American Mathematical Society, 1953) who showed a reachability result: namely, that every even permutation can be generated eventually by composing $$ and $$. We show a tight convergence result, namely a tight quantitative bound on the number of rounds to reach a random (even) permutation.

Note: 27 pages.