{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,7,30]],"date-time":"2025-07-30T17:04:49Z","timestamp":1753895089458,"version":"3.41.2"},"reference-count":36,"publisher":"International Association for Cryptologic Research","issue":"4","license":[{"start":{"date-parts":[[2024,10,8]],"date-time":"2024-10-08T00:00:00Z","timestamp":1728345600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2024,12,3]]},"abstract":"<jats:p>  In spite of being a popular technique for designing block ciphers, Lai-Massey networks have received considerably less attention from a security analysis point of view than Feistel networks and Substitution-Permutation networks. In this paper we study the beyond-birthday-bound (BBB) security of Lai-Massey networks with independent random round functions against chosen-plaintext adversaries. Concretely, we show that five rounds are necessary and sufficient to achieve BBB security. <\/jats:p>","DOI":"10.62056\/a0wahey6b","type":"journal-article","created":{"date-parts":[[2025,1,13]],"date-time":"2025-01-13T17:00:52Z","timestamp":1736787652000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":0,"title":["Building a BBB Pseudorandom Permutation using Lai-Massey Networks"],"prefix":"10.62056","volume":"1","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-2883-4870","authenticated-orcid":false,"given":"Ritam","family":"Bhaumik","sequence":"first","affiliation":[{"id":[{"id":"https:\/\/ror.org\/001kv2y39","id-type":"ROR","asserted-by":"publisher"}],"name":"Technology Innovation Institute","place":["Abu Dhabi, UAE"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Mohammad","family":"Raeisi","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/024c2fq17","id-type":"ROR","asserted-by":"publisher"}],"name":"Sharif University of Technology","place":["Tehran, Iran"]}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"48349","published-online":{"date-parts":[[2025,1,13]]},"reference":[{"key":"ref1:DBLP:journals\/siamcomp\/LubyR88","doi-asserted-by":"publisher","first-page":"373","DOI":"10.1137\/0217022","article-title":"How to Construct Pseudorandom Permutations from\n  Pseudorandom Functions","volume":"17","author":"Michael Luby","year":"1988","journal-title":"SIAM J. Comput."},{"key":"ref2:DBLP:conf\/fse\/Patarin98","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"103","DOI":"10.1007\/3-540-69710-1_8","article-title":"About Feistel Schemes with Six (or More) Rounds","volume":"1372","author":"Jacques Patarin","year":"1998"},{"key":"ref3:AC:Patarin01","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"222","DOI":"10.1007\/3-540-45682-1_14","article-title":"Generic Attacks on Feistel Schemes","volume":"2248","author":"Jacques Patarin","year":"2001"},{"key":"ref4:DBLP:conf\/crypto\/Patarin03","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"513","DOI":"10.1007\/978-3-540-45146-4_30","article-title":"Luby-Rackoff: 7 Rounds Are Enough for\n  2\\({}^{\\mbox{n(1-epsilon)}}\\)Security","volume":"2729","author":"Jacques Patarin","year":"2003"},{"key":"ref5:DBLP:conf\/crypto\/Patarin04","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"106","DOI":"10.1007\/978-3-540-28628-8_7","article-title":"Security of Random Feistel Schemes with 5 or More Rounds","volume":"3152","author":"Jacques Patarin","year":"2004"},{"key":"ref6:AC:PatNacBer06","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"396","DOI":"10.1007\/11935230_26","article-title":"Generic Attacks on Unbalanced Feistel Schemes with\n  Contracting Functions","volume":"4284","author":"Jacques Patarin","year":"2006"},{"key":"ref7:AC:PatNacBer07","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"325","DOI":"10.1007\/978-3-540-76900-2_20","article-title":"Generic Attacks on Unbalanced Feistel Schemes with\n  Expanding Functions","volume":"4833","author":"Jacques Patarin","year":"2007"},{"key":"ref8:10.1007\/978-3-642-02384-2_4","isbn-type":"print","doi-asserted-by":"publisher","first-page":"41","DOI":"10.1007\/978-3-642-02384-2_4","article-title":"Generic Attacks on Feistel Networks with Internal\n  Permutations","author":"Joana Treger","year":"2009","ISBN":"https:\/\/id.crossref.org\/isbn\/9783642023842"},{"key":"ref9:AC:VolNacPat10","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"94","DOI":"10.1007\/978-3-642-17373-8_6","article-title":"Improved Generic Attacks on Unbalanced Feistel Schemes\n  with Expanding Functions","volume":"6477","author":"Emmanuel Volte","year":"2010"},{"key":"ref10:DBLP:conf\/eurocrypt\/LaiM90","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"389","DOI":"10.1007\/3-540-46877-3_35","article-title":"A Proposal for a New Block Encryption Standard","volume":"473","author":"Xuejia Lai","year":"1990"},{"key":"ref11:DBLP:phd\/dnb\/Lai92","isbn-type":"print","doi-asserted-by":"publisher","DOI":"10.3929\/ETHZ-A-000646711","volume-title":"On the design and security of block ciphers","author":"Xuejia Lai","year":"1992","ISBN":"https:\/\/id.crossref.org\/isbn\/9783891915738"},{"key":"ref12:AC:Vaudenay99","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"8","DOI":"10.1007\/978-3-540-48000-6_2","article-title":"On the Lai-Massey Scheme","volume":"1716","author":"Serge Vaudenay","year":"1999"},{"key":"ref13:DBLP:conf\/wisa\/NakaharaRPV03","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"458","DOI":"10.1007\/978-3-540-24591-9_34","article-title":"The MESH Block Ciphers","volume":"2908","author":"Jorge Nakahara Jr.","year":"2003"},{"key":"ref14:DBLP:conf\/indocrypt\/Yildirim03","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"68","DOI":"10.1007\/978-3-540-24582-7_5","article-title":"Nonlinearity Properties of the Mixing Operations of the\n  Block Cipher IDEA","volume":"2904","author":"Hamdi Murat Yildirim","year":"2003"},{"key":"ref15:DBLP:conf\/sacrypt\/JunodV04a","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"114","DOI":"10.1007\/978-3-540-30564-4_8","article-title":"FOX : A New Family of Block Ciphers","volume":"3357","author":"Pascal Junod","year":"2004"},{"key":"ref16:DBLP:conf\/fse\/JunodM09","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"277","DOI":"10.1007\/978-3-642-03317-9_17","article-title":"Revisiting the IDEA Philosophy","volume":"5665","author":"Pascal Junod","year":"2009"},{"key":"ref17:DBLP:journals\/iacr\/SuL14a","first-page":"704","article-title":"A 128-bit Block Cipher Based on Three Group Arithmetics","author":"Shenghui Su","year":"2014","journal-title":"IACR Cryptol. ePrint Arch."},{"key":"ref18:DBLP:journals\/ipl\/LuoLG10","doi-asserted-by":"publisher","first-page":"90","DOI":"10.1016\/J.IPL.2010.10.012","article-title":"Pseudorandomness analysis of the (extended) Lai-Massey\n  scheme","volume":"111","author":"Yiyuan Luo","year":"2010","journal-title":"Inf. Process. Lett."},{"key":"ref19:DBLP:journals\/dcc\/YunPL11","doi-asserted-by":"publisher","first-page":"45","DOI":"10.1007\/S10623-010-9386-8","article-title":"On Lai-Massey and quasi-Feistel ciphers","volume":"58","author":"Aaram Yun","year":"2011","journal-title":"Des. Codes Cryptogr."},{"key":"ref20:DBLP:journals\/dcc\/LuoLZ17","doi-asserted-by":"publisher","first-page":"407","DOI":"10.1007\/S10623-016-0235-2","article-title":"Generic attacks on the Lai-Massey scheme","volume":"83","author":"Yiyuan Luo","year":"2017","journal-title":"Des. Codes Cryptogr."},{"key":"ref21:DBLP:conf\/crypto\/HoangR10","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"613","DOI":"10.1007\/978-3-642-14623-7_33","article-title":"On Generalized Feistel Networks","volume":"6223","author":"Viet Tung Hoang","year":"2010"},{"key":"ref22:DBLP:journals\/jise\/LuoLH15","first-page":"1085","article-title":"The Pseudorandomness of Many-Round Lai-Massey Scheme","volume":"31","author":"Yiyuan Luo","year":"2015","journal-title":"J. Inf. Sci. Eng."},{"key":"ref23:DBLP:journals\/iacr\/JhaN18","first-page":"1130","article-title":"Applications of H-Technique: Revisiting Symmetric Key\n  Security Analysis","author":"Ashwin Jha","year":"2018","journal-title":"IACR Cryptol. ePrint Arch."},{"key":"ref24:DBLP:conf\/sacrypt\/Patarin08","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"328","DOI":"10.1007\/978-3-642-04159-4_21","article-title":"The \"Coefficients H\" Technique","volume":"5381","author":"Jacques Patarin","year":"2008"},{"key":"ref25:DBLP:conf\/icisc\/WuZF05","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"229","DOI":"10.1007\/11734727_20","article-title":"Integral Cryptanalysis of Reduced FOX Block Cipher","volume":"3935","author":"Wenling Wu","year":"2005"},{"key":"ref26:DBLP:journals\/mta\/LiYSL13","doi-asserted-by":"publisher","first-page":"691","DOI":"10.1007\/S11042-011-0895-X","article-title":"Fault analysis study of the block cipher FOX64","volume":"63","author":"Ruilin Li","year":"2013","journal-title":"Multim. Tools Appl."},{"key":"ref27:DBLP:journals\/itiis\/FuJ14","doi-asserted-by":"publisher","first-page":"3624","DOI":"10.3837\/TIIS.2014.10.020","article-title":"Practical Security Evaluation against Differential and\n  Linear Cryptanalyses for the Lai-Massey Scheme with an SPS F-function","volume":"8","author":"Lishi Fu","year":"2014","journal-title":"KSII Trans. Internet Inf. Syst."},{"key":"ref28:DBLP:conf\/fse\/IsobeS14","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"104","DOI":"10.1007\/978-3-662-46706-0_6","article-title":"Improved All-Subkeys Recovery Attacks on FOX, KATAN and\n  SHACAL-2 Block Ciphers","volume":"8540","author":"Takanori Isobe","year":"2014"},{"key":"ref29:DBLP:conf\/pqcrypto\/MaoGWH22","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"205","DOI":"10.1007\/978-3-031-17234-2_11","article-title":"Quantum Attacks on Lai-Massey Structure","volume":"13512","author":"Shuping Mao","year":"2022"},{"key":"ref30:DBLP:journals\/dcc\/ZhangWSW23","doi-asserted-by":"publisher","first-page":"2687","DOI":"10.1007\/S10623-023-01225-5","article-title":"Post-quantum security on the Lai-Massey scheme","volume":"91","author":"Zhongya Zhang","year":"2023","journal-title":"Des. Codes Cryptogr."},{"key":"ref31:DBLP:journals\/iacr\/ChauhanS22","first-page":"1001","article-title":"Quantum Security of FOX Construction based on Lai-Massey\n  Scheme","author":"Amit Kumar Chauhan","year":"2022","journal-title":"IACR Cryptol. ePrint Arch."},{"key":"ref32:DBLP:journals\/iacr\/ShamsabadD20","first-page":"5","article-title":"Lai-Massey Scheme Revisited","author":"M. R. Mirzaee Shamsabad","year":"2020","journal-title":"IACR Cryptol. ePrint Arch."},{"key":"ref33:DBLP:journals\/iacr\/000122a","first-page":"1245","article-title":"On Generalizations of the Lai-Massey Scheme: the Birth of\n  Amaryllises","author":"Lorenzo Grassi","year":"2022","journal-title":"IACR Cryptol. ePrint Arch."},{"key":"ref34:DBLP:journals\/joc\/Vaudenay03","doi-asserted-by":"publisher","first-page":"249","DOI":"10.1007\/S00145-003-0220-6","article-title":"Decorrelation: A Theory for Block Cipher Security","volume":"16","author":"Serge Vaudenay","year":"2003","journal-title":"J. Cryptol."},{"key":"ref35:DBLP:conf\/crypto\/Patarin91","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"301","DOI":"10.1007\/3-540-46766-1_25","article-title":"New Results on Pseudorandom Permutation Generators Based on\n  the DES Scheme","volume":"576","author":"Jacques Patarin","year":"1991"},{"key":"ref36:DBLP:conf\/eurocrypt\/AiolloV96","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"307","DOI":"10.1007\/3-540-68339-9_27","article-title":"Foiling Birthday Attacks in Length-Doubling Transformations\n  - Benes: A Non-Reversible Alternative to Feistel","volume":"1070","author":"William Aiello","year":"1996"}],"container-title":["IACR Communications in Cryptology"],"original-title":[],"language":"en","deposited":{"date-parts":[[2025,1,13]],"date-time":"2025-01-13T17:11:57Z","timestamp":1736788317000},"score":1,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/1\/4\/23"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,1,13]]},"references-count":36,"journal-issue":{"issue":"4","published-online":{"date-parts":[[2025,1,13]]}},"URL":"https:\/\/doi.org\/10.62056\/a0wahey6b","archive":["Internet Archive","Internet Archive"],"relation":{},"ISSN":["3006-5496"],"issn-type":[{"type":"electronic","value":"3006-5496"}],"subject":[],"published":{"date-parts":[[2025,1,13]]},"assertion":[{"value":"2024-10-08","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-12-03","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc1-4-44"}}