Impossibility and Optimality Results on Constructing Pseudorandom Permutations (Extended Abstract)

Let In = {0, 1}n, and Hn be the set of all functions from In to In. For f ∈ Hn, define the DES-like transformation associated with f by F2n,f (L, R) = (R ⊕ f(L), L), where L, R ∈ In. For f1, f2, . . . , fs ∈ Hn, define ψ(fs, . . . , f2, f1) = F2n,fs ◦ · · · ◦ F2n,f2 ◦ F2n,f1 . Our main result is that ψ(f, f j , f ) is not pseudorandom for any positive integers i, j, k, where f i denotes the i-fold composition of f . Thus, as immediate consequences, we have that (1) none of ψ(f, f, f), ψ(f, f, f) and ψ(f, f, f) are pseudorandom and, (2) Ohnishi’s constructions ψ(g, g, f) and ψ(g, f, f) are optimal. Generalizations of the main result are also considered.