Join Log in
Score:1
cryptobeginner avatar Crypto

Even-Mansour Cipher: Efficient algorithms for sampling a random permutation

cn flag
cryptobeginner

My understanding of the Even-Mansour cipher is the following:

  • We draw a random permutation $P$ from the set of all permutation $P: \{0,1\}^n \rightarrow \{0,1\}^n$. This permutation is public.
  • We generate two random keys $k_1, k_2 \in \{0,1\}^n$.
  • To encrypt a message $m \in \{0,1\}^n$, we compute $E_{k_1, k_2} = P(m \oplus k_1) \oplus k_2$.

What kind of algorithms exists that allow us to efficiently sample (and represent) a permutation $P$ from the set of all permutations from $n$ bit strings to $n$ bit strings?

54
0 + 0
Score:1
kodlu avatar Crypto
sa flag
kodlu

Even-Mansour is a theoretical model to prove security results. One would need to sample permutations of $n$ bits, say for $n=128,$ since the resulting space of $N=2^n$ objects would be too large to store or manipulate. This is similar to the fact that no one uses a purely random equidistributed and i.i.d. sequence of bits as a keystream in OTP mode in modern cryptography. It is too slow.

However, the following algorithm gives a random permutation on $\{1,2,\ldots, N\}.$ No claim of optimal efficiency is made here.

CODE FOR RANDOM PERMUTATION OF SMALL LIST

Input: The list $A=[1,2,\ldots, N]$ of $N=2^n$ items.

Task: permute the values in $A$ at random.

Let $S:=\{u: u \in A\}.$ Let $B:=A$

for each $i=1,\ldots,N$ do

$\quad$ Choose a random integer $j \in S$

$\quad$ Change array $B$ via $B[j]:=A[i]$

$\quad$ Remove $j$ from set $S$

end for This algorithm chooses $N,$ then $N-1$, then $N-2$ etc. objects uniformly and can generate each permutation with equal likelihood, since it makes $N\!$ choices. Output: The list $A$ is now random.

There are more efficient ways to sample random permutations, see for example Jens Gustedt, "Efficient sampling of random permutations", Journal of Discrete Algorithms, Vol. 6, Issue 1, 2006. Also take a look at Fisher-Yates shuffle and Knuth Shuffle, google is your friend.

The algorithm below doesn't quite get there, thanks to @kelalaka for the correction

Input: The list $A=\{1,2,\ldots, N\}$ of $N=2^n$ items.

Task: permute the values in $A$ at random.

for each $i=0,\ldots,N-1$ do

$\quad$ Choose a random integer $j$ with $i<j<N.$

$\quad$ Swap the entries $A[i]$ and $A[j].$

end for

Output: The list $A$ is now random.

0 + 0
kelalaka avatar
in flag
kelalaka
As we know from the comparison sorting bound, one needs around $n \log n$ swaps to turn back the unsorted array into a sorted one. $N$-swap is not enough to sample all permutations, right?
1
Reply
pe flag
Samuel Neves
Fisher-Yates does result in a uniformly random permutation. Consider the number of possibilities for $A[0]$, then $A[1]$, etc: $N\cdot N-1 \cdot \dots \cdot 1$ = $N!$.
1
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.