On the XOR of Multiple Random Permutations

A straightforward way of constructing an n-bit pseudorandom function is to XOR two or more pseudorandom permutations: p1 ⊕ . . .⊕pk. This XOR construction has gained broad attention over the last two decades. In this work, we revisit the security of this well-established construction. We consider the case where the underlying permutations are considered secret, as well as the case where these permutations are publicly available to the adversary. In the secret permutation setting, we present a simple reduction showing that the XOR construction achieves optimal 2 security for all k ≥ 2, therewith improving a recent result of Cogliati et al. (FSE 2014). Regarding the public permutation setting, Mandal et al. (INDOCRYPT 2010) proved 2 security for the case k = 2, but we point out the existence of a non-trivial flaw in the proof. We re-establish and generalize the claimed security bound for general k ≥ 2 using a different proof approach.