IACR News item: 09 May 2015
Mridul Nandi
ePrint Reportmethod XLS to construct a length-preserving strong pseudorandom per-
mutation (SPRP) over bit-strings of size at least n. It requires a length-preserving permutation E over all bits of size multiple of n and a blockcipher E with block size n. The SPRP security of XLS was proved from the SPRP assumptions of both E and E. In this paper we disprove the claim by demonstrating a SPRP distinguisher of XLS which makes only
three queries and has distinguishing advantage about 1/2. XLS uses a
multi-permutation linear function, called mix2. In this paper, we also
show that if we replace mix2 by any invertible linear functions, the construction XLS still remains insecure. Thus the mode has inherit weakness.
Additional news items may be found on the IACR news page.