Core Concepts
A Feistel-based construction with more than 2000n/log(1/ε) rounds can transform a subverted random function, which disagrees with the original one at a small fraction (ε) of inputs, into an object that is crooked-indifferentiable from a random permutation, even if the adversary is aware of all the randomness used in the transformation.
Abstract
The paper investigates the problem of "repairing" a subverted random permutation in such a way that the corrected construction can be used as a drop-in replacement for an unsubverted random permutation. The authors introduce a new security notion called "crooked indifferentiability" to formally capture this problem.
The main contribution is a Feistel-based construction that can boost a "subverted" random permutation (or just a function) into a construction that is indifferentiable from a perfect random permutation. The construction relies on public randomness and a family of independent random oracles as the source functions.
The authors prove that the Feistel-based construction with more than 2000n/log(1/ε) rounds is (n', 2n, q_D, q_A, r, ε')-indifferentiable from a random permutation P: {0,1}^{2n} → {0,1}^{2n}, where ε' = negl(n), q_D is the number of queries made by the distinguisher D, and q_A is the number of queries made by the subversion algorithm A. They also provide a lower bound showing that the construction cannot use fewer than 2n/log(1/ε) rounds to achieve crooked-indifferentiable security.
The security proof requires new techniques beyond the classical indifferentiability analysis of the Feistel construction, as the authors need to handle the subversion of the round functions. The simulator must ensure consistency between the construction's output and the ideal random permutation, even when some of the round functions are dishonest (i.e., different from the original).
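A toy model of the setting described above, added here as an illustration and not code from the paper: a Feistel network whose round functions are subverted on a small fraction of inputs remains a permutation, and each evaluation passes through some dishonest rounds. Assumptions: SHA-256 stands in for the random oracles, the trigger set in `dishonest` and the XOR with public values `masks` are constructed and are not the paper's exact construction, and the 16-bit half-block with 32 rounds is far below the round bound stated above.

```python
import hashlib
import secrets

N = 16                 # half-block width n in bits (toy size, constructed)
MASK = (1 << N) - 1
EPS_DENOM = 16         # each h_i is subverted on about 1/16 of its inputs

def h(i, x):
    """Honest round function h_i; SHA-256 stands in for a random oracle."""
    d = hashlib.sha256(b"h|%d|%d" % (i, x)).digest()
    return int.from_bytes(d[:4], "big") & MASK

def dishonest(i, x):
    """Constructed trigger set: the points where the subverted h_i lies."""
    return hashlib.sha256(b"trig|%d|%d" % (i, x)).digest()[0] % EPS_DENOM == 0

def h_sub(i, x):
    """Subverted h_i: agrees with h_i except on the trigger set."""
    return h(i, x) ^ 1 if dishonest(i, x) else h(i, x)

def feistel(block, masks, f=h_sub, inverse=False):
    """2N-bit Feistel network; round i computes f(i, half XOR masks[i])."""
    L, R = block >> N, block & MASK
    order = list(range(len(masks)))
    if inverse:                      # run the rounds backwards on swapped halves
        L, R, order = R, L, order[::-1]
    for i in order:
        L, R = R, L ^ f(i, R ^ masks[i])
    if inverse:
        L, R = R, L
    return (L << N) | R

def dishonest_rounds(block, masks):
    """Number of rounds in which this evaluation hit a subverted point."""
    L, R = block >> N, block & MASK
    hits = 0
    for i, m in enumerate(masks):
        hits += dishonest(i, R ^ m)
        L, R = R, L ^ h_sub(i, R ^ m)
    return hits

if __name__ == "__main__":
    masks = [secrets.randbits(N) for _ in range(32)]   # public randomness
    x = secrets.randbits(2 * N)
    y = feistel(x, masks)
    assert feistel(y, masks, inverse=True) == x        # still a permutation
    print(f"{x:08x} -> {y:08x}, dishonest rounds: {dishonest_rounds(x, masks)}")
```

With 32 rounds and a 1/16 subversion rate, an evaluation meets about two dishonest rounds on average, which is the inconsistency the simulator in the proof has to absorb.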
Stats
The construction requires more than 2000n/log(1/ε) rounds to achieve crooked-indifferentiable security from a random permutation.
The construction cannot use fewer than 2n/log(1/ε) rounds to achieve crooked-indifferentiable security.
Quotes
The Feistel construction is a fundamental technique for building pseudorandom permutations and block ciphers.
The random permutation (ideal cipher) heuristic states that if the original scheme Π is secure, then the instantiated scheme Π' is also secure.