2

I am reading this paper "Farfalle: parallel permutation-based cryptography", and there are some terms that I do not understand.

  • Page 4 says

> ratio efficiency vs. safety margin.

What do ratio efficiency and safety margin mean?

  • Page 5 says

> Typically, rollc is a lightweight linear function with huge order,

My question is: What is a linear function with huge order?

> Naturally, rolle should have a negligible amount of states in short cycles (preferably none) as they would lead to periodic output sequences

My question is: What does it mean for a permutation to have a negligible amount of states in short cycles?

Aman Grewal
juaninf

2 Answers

2

TL;DR Skip to the bottom for update.

As is well known, the mapping $$L:\{0,1\}^n\rightarrow \{0,1\}^n,$$ of a primitive LFSR on $n$ bits has a single very long cycle of length $2^n-1,$ and a cycle of length $1$ (which maps zero to zero).

As a permutation, this mapping has huge order, i.e., for almost all of the state space the smallest $k$ such that the $k$-fold composition of $L$ gives the identity map is $k=2^{n}-1$: $$L^{k}(\cdot)=L(L(\cdots(L(\cdot)))).$$

A randomly chosen permutation on $\{0,1\}^n$ has at least one fixed point with probability $(1-e^{-1})$, and considered as a state mapping, it has a lot of short cycles.

The expected number of fixed points of a random permutation is actually 1, but that is not so relevant; what is relevant is the relatively large number of small cycles.

In fact the fraction of permutations with no cycles of length $k$ or less is $e^{-H_k}$ where $H_k=1+2+\cdots+k$ is the Harmonic number. You can use the approximation $H_k \approx\ln k$ to obtain some rough estimates.

Also see this answer on mathoverflow for some details. This is not desirable here and the permutation must be carefully chosen.

Edit: For more concrete results see the paper by Odlyzko-Flajolet here where for example, it is proved that the expected "rho length" i.e., initial segment followed by a closed cycle from a random starting point in the state space is $O(\sqrt{N}),$ for a permutation on $N$ points (Theorem 7).

Now compare with the $O(N)$ cycle length in the primitive LFSR example with $N=2^n.$

kodlu
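The contrast drawn in the answer above can be checked on a toy 16-bit state. The following is an added example, not part of the original answers: it computes the full cycle structure of a primitive LFSR and of a pseudo-randomly shuffled permutation, and counts how many states sit on cycles of length at most $k$. The feedback polynomial $x^{16}+x^{14}+x^{13}+x^{11}+1$, the seed and the helper names are assumptions chosen for illustration.

```python
import random

N_BITS = 16
N = 1 << N_BITS  # toy state space of 2^16 states


def lfsr_step(s):
    """One step of a Fibonacci LFSR for x^16 + x^14 + x^13 + x^11 + 1."""
    bit = (s ^ (s >> 2) ^ (s >> 3) ^ (s >> 5)) & 1
    return (s >> 1) | (bit << 15)


def random_permutation_step(n_states, seed):
    """Step function of a shuffled lookup table (stand-in for a random permutation)."""
    table = list(range(n_states))
    random.Random(seed).shuffle(table)
    return table.__getitem__


def cycle_lengths(step, n_states):
    """Sorted cycle lengths of the permutation x -> step(x) on range(n_states)."""
    seen = bytearray(n_states)
    lengths = []
    for start in range(n_states):
        if seen[start]:
            continue
        length, x = 0, start
        while not seen[x]:  # walk the cycle until it closes on `start`
            seen[x] = 1
            x = step(x)
            length += 1
        lengths.append(length)
    return sorted(lengths)


def states_in_short_cycles(lengths, k):
    """Number of states lying on cycles of length <= k."""
    return sum(length for length in lengths if length <= k)


if __name__ == "__main__":
    lfsr = cycle_lengths(lfsr_step, N)
    rnd = cycle_lengths(random_permutation_step(N, seed=1), N)
    print("LFSR cycle lengths:  ", lfsr)
    print("random cycle lengths:", rnd)
    for k in (16, 256, 4096):
        print(f"states on cycles of length <= {k}: "
              f"LFSR={states_in_short_cycles(lfsr, k)}, "
              f"random={states_in_short_cycles(rnd, k)}")
```

The LFSR leaves only the all-zero state on a short cycle, while the shuffled table typically splits into roughly $\ln N$ cycles, several of them short.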
0

What is a linear function with huge order

We are talking about a permutation, so when it comes to order I would assume the order of the cyclic subgroup in this permutation. According to http://mathonline.wikidot.com/the-order-of-a-permutation, the order of a permutation is the smallest value m for which, if you apply the permutation m times, you get the identity. Long story short, imagine a permutation (1,2)->(2,1). You would need to apply the permutation 2 times to get the identity (as the permutation switches the two elements, you need to apply it twice to get the same element). Now for bigger permutations, the order might be different for each of the elements ((1,2,3)->(1,3,2): for 1 the order is 0, for 2 and 3 it's 2 again). With this it should be clear what is meant by a permutation with big order.

What does it mean for a permutation to have a negligible amount of states in short cycles?

A short cycle would be exactly the 1 from the above example. Some element either stays the same, or only switches places with a few other elements. A short cycle of one element does not necessarily mean a short order of the whole permutation.

Sezzart