
TL;DR
This paper introduces the first explicit examples of low-conductance permutations and characterizes them as permutations with properties similar to Multi-Source-Somewhere-Condensers, advancing understanding in this area.
Contribution
It provides explicit examples of low-conductance permutations and a general characterization linking them to Multi-Source-Somewhere-Condensers, a novel theoretical insight.
Findings
First explicit examples of low-conductance permutations
Low-conductance permutations are equivalent to permutations with properties of Multi-Source-Somewhere-Condensers
Provides a theoretical framework connecting conductance and information-theoretic properties
University of Warsaw, https://orcid.org/0000-0002-3191-3262
Copyright: Tomasz Kazana
CCS concepts: Security and privacy → Cryptography; Security and privacy → Information-theoretic techniques; Security and privacy → Block and stream ciphers
Condense to Conduct and Conduct to Condense
Tomasz Kazana
Abstract
In this paper, we present the first explicit examples of low-conductance permutations. The notion of conductance of permutations was introduced by Dodis et al. in “Indifferentiability of Confusion-Diffusion Networks”, where the search for low-conductance permutations was first initiated and motivated. As part of our contribution, we not only provide these examples, but also offer a general characterization of the problem: we show that low-conductance permutations are equivalent to permutations possessing the information-theoretic properties of Multi-Source-Somewhere-Condensers, a specific variant of somewhere condensers.
keywords:
cryptography, low-conductance permutation, condenser, block cipher, confusion-diffusion network, randomness in computer science, combinatorics of data structures, information theory
1 Introduction
1.1 Background
The starting point of this paper is the concept of permutation conductance, introduced by Yevgeniy Dodis, Martijn Stam, John Steinberger, and Tianren Liu in their seminal paper Indifferentiability of confusion-diffusion networks [dod].
Their work focuses on the theoretical analysis of the indifferentiability security of confusion-diffusion networks, investigating how many rounds of certain block cipher and hash function constructions suffice to ensure adequate security. A central primitive in their analysis is a particular permutation, for which the parameter they introduced, known as conductance, is expected to be small. The results of this paper (e.g. Theorem 1.3) have a direct impact on these applications, as outlined in Section 1.1.2. For a detailed discussion of the motivation and the direct connections between permutations with suitable conductance and the security of confusion-diffusion based ciphers, we refer to [dod]. In this work, however, the conductance of a permutation is primarily treated as a combinatorial concept, situated within the broader framework of the combinatorics of data structures.
From a formal perspective, each permutation of the type has a certain degree of conductance, depending additionally on a parameter . This degree (denoted ) is always a real number between and and serves as a measure of how random is (the more random the permutation, the closer is to ; in particular, an identity permutation has equal to ). It turns out that permutations with low (“more random”) are useful in the applications described in [dod]. Fortunately, the authors of [dod] showed (Theorem 3, App. B, probabilistic method) that almost every random permutation has (for parameters , which is sufficient for their applications) very close to (more precisely: it is no larger than ). On the other hand, no explicit constructions have been shown demonstrating how such permutations could be constructed in practice.
In this paper we provide, for the first time, explicit examples of permutations with conductance degree less than (see Theorem 1.3). Our constructions are based on what we call Multi-Source-Somewhere-Condenser permutations (see Definition 1.7), a variant of classical somewhere condensers, such as those defined for example in Definition 1.11 of [raz].
Moreover, we establish a rather surprising converse result: every permutation with sufficiently low conductance degree must satisfy the Multi-Source-Somewhere-Condenser assumptions. In other words, this work provides an almost complete characterization of the problem, which is successful for nearly the entire range of parameters (see Section 3 for details).
1.1.1 Relations to the State-of-the-Art and Previous Results
In the literature on information theory and its applications in computer science, numerous constructions have been developed to simulate or enhance randomness. These include extractors [raz2005extractors, vadhan2012pseudorandomness], condensers [ta-Shma2017condenser, doron2016nearly], expanders [goudarzi2020expander, mihail2017list], list-decodable and list-recoverable codes [mihail2017list, stinson2006cryptography, doron2016nearly], samplers [goldreich1993samplers], and pairwise independent hash functions [bellare1996foundations, shaltiel2011pseudorandomness]. Many of these primitives are closely related or, in a certain sense, formally equivalent (see [impagliazzo1999hardness, dod, shaltiel2011recent, impagliazzo1989recycle, dodis2009nonmalleable]), and they play a key role in managing randomness in computation. Within this framework, these constructions have numerous applications in cryptography, including universal hashing, key derivation functions, and randomness extractors for secure computation.
In this work, we show that the notion of a low-conductance permutation, as introduced in [dod], can be viewed as essentially equivalent to condensers, and thus as another member of this family. Therefore, while combinatorially interesting on its own, it turns out to be equivalent to well-studied primitives. This equivalence is valuable as it enables transferring insights and parameter bounds from classical constructions to low-conductance permutations. At the same time, determining explicit parameters and limitations remains challenging, as problems in this family are inherently difficult. Overall, this perspective establishes a conceptual bridge between the combinatorial properties of permutations and information-theoretic tools, highlighting potential avenues for designing new cryptographic primitives with provable security guarantees.
1.1.2 Concrete Implications for Cryptography
A natural question is whether our results have direct implications for block cipher design. The detailed analysis of the connections between low-conductance permutations and block cipher security is thoroughly discussed in [dod]. Here, we highlight the two main insights.
First, the bounds we obtain are non-trivial (see Theorem 1.3), though still far from the ideal case of random permutations (in the probabilistic sense), for which conductance is close to . In contrast, the analysis in [dod] relies on access to such nearly optimal bounds. As a result, formal guarantees can only be established for relatively stringent conductance thresholds. Unfortunately, due to the equivalence with condensers, constructing explicit examples that achieve such bounds remains a major challenge.
Second, it turns out that simple linear permutations (as originally hypothesized in [dod]) are unfortunately insufficient for achieving low conductance. These functions inherently fall short of the required conductance levels because they lack the necessary condenser properties, emphasizing the need for more sophisticated constructions to approach the theoretical optimum.
Overall, while immediate implications for provably secure cipher design are limited, this work provides a rigorous combinatorial and information-theoretic foundation, clarifying the limits and potential strategies for constructing robust block ciphers.
1.1.3 Final Remarks
To conclude the introduction, we highlight how this problem exemplifies the non-obvious interconnections between several fields in theoretical computer science and mathematics. The problem originally arises in the theoretical analysis of symmetric ciphers – a relatively rare research area (see, e.g., [biba1, biba2, biba3, biba4]). From this context, a notable combinatorial problem was extracted [dod]. Its analysis draws heavily on techniques from information theory, particularly the theory of min-entropy extraction, and can thus also be seen as a contribution to that field (see, e.g., [avi, bibb2, bibb3, bibb4, bibb5, bibb6, raz, bibb8, bibb9]).
It is important to note that leveraging extractor-theoretic results to tackle combinatorial problems is not entirely new; similar phenomena have been observed in various contexts (see, e.g., [bibc1, bibc2, bibc3, bibc4, bibc5, bibc6]). Together, these observations illustrate why the problem under consideration is both compelling and surprisingly non-trivial, requiring insights from multiple domains.
1.2 Main Results
1.2.1 Main Notion
Before we present the main result of the paper, let us first quote (from [dod]) the formal definition of the notion of conductance of a permutation:
Definition 1.1.
Consider the permutation and the parameter . Then is equal to if:
[TABLE]
Since the above notion is essential for this work, we give an intuitive explanation of it below, preceded by one more important definition:
Definition 1.2.
A set will be called a discrete -box of dimension if
[TABLE]
for some such that .
Remark.
In the above definition, if the dimension is obvious from the context, we will sometimes just write that is a discrete -box (omitting the phrase of dimension ).
Intuition for Definition 1.1:
In simple terms, determines how much a given permutation distorts all discrete -boxes of dimension for . More specifically, for each such -box we look at its image and search for another -box such that the intersection is as large as possible. The maximum we can obtain in this way is given by in the form of the following relation:
[TABLE]
In the “worst” (least random) case we will find such that is just another -box and then , which gives .
On the other hand, “more random” permutations should intuitively behave in such a way that regardless of the choice of and , the cardinality of the set will always be much smaller than . At the same time, it can be observed that it is always possible to choose such that is at least . In particular, this means that we definitely have .
Finally, combining these intuitions and observations, we see that is a specific way of estimating the randomness of the permutation , which is always a number in the range between and . The more random (in the given sense) the permutation is, the smaller this factor is.
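The box-overlap quantity described in this intuition can be computed exhaustively for tiny parameters. The sketch below is an added example, not code from the paper: it works in dimension 3 over the integers mod a small prime p, reports the raw maximum overlap rather than the normalized degree, and the map (x, y, z) -> (x, y, x*y + z mod p) together with the names `toy_map`, `overlap` and `max_box_overlap` are assumptions of this example.

```python
from collections import Counter
from itertools import combinations, product


def toy_map(p):
    """Assumed example map on (Z_p)^3: (x, y, z) -> (x, y, x*y + z mod p)."""
    return lambda x, y, z: (x, y, (x * y + z) % p)


def is_permutation(pi, p):
    """True if pi is a bijection of (Z_p)^3 onto itself."""
    domain = set(product(range(p), repeat=3))
    return {pi(*pt) for pt in domain} == domain


def overlap(pi, A, B):
    """Number of points of the box A = A1 x A2 x A3 that pi sends into box B."""
    return sum(
        1
        for x in A[0] for y in A[1] for z in A[2]
        if all(c in side for c, side in zip(pi(x, y, z), B))
    )


def max_box_overlap(pi, p, q):
    """Maximum of |pi(A) & B| over all boxes A, B whose sides have size q.

    Returns (count, A, B). For fixed A, B1 and B2 the best third side B3 is
    simply the q most frequent third coordinates among the image points that
    already land in B1 x B2, so B3 does not have to be enumerated.
    """
    sides = [frozenset(s) for s in combinations(range(p), q)]
    best = (-1, None, None)
    for A in product(sides, repeat=3):
        image = [pi(x, y, z) for x in A[0] for y in A[1] for z in A[2]]
        for B1, B2 in product(sides, repeat=2):
            freq = Counter(c for a, b, c in image if a in B1 and b in B2)
            top = [v for v, _ in freq.most_common(q)]
            count = sum(freq[v] for v in top)
            if count > best[0]:
                # Pad B3 to exactly q elements; padding adds no image points.
                pad = [v for v in range(p) if v not in top][: q - len(top)]
                best = (count, A, (B1, B2, frozenset(top + pad)))
    return best


if __name__ == "__main__":
    p, q = 5, 2  # constructed toy parameters, far below any asymptotic regime
    identity = lambda x, y, z: (x, y, z)
    for name, pi in (("identity", identity), ("toy map", toy_map(p))):
        assert is_permutation(pi, p)
        count, A, B = max_box_overlap(pi, p, q)
        print(f"{name}: max overlap {count} of {q ** 3}")
        print("  A =", [sorted(s) for s in A], " B =", [sorted(s) for s in B])
```

For side size 2 the identity attains the full overlap of 8, while the assumed map attains 7, and only on boxes whose first two sides contain 0. Parameters this small illustrate the definition only and say nothing about the bound in Theorem 1.3.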
Notation
For clarity, let us add a technical note that the original work of [dod] uses a slightly different notation. Specifically, instead of the parameter , the parameter is used, which is simply equal to in the language of our work. Consequently, instead of , [dod] refers to , with the relation . Then is a number between and , not between and , as is the case for .
The above changes are dictated by a different center of gravity of our focus. The work of [dod] concerns more specific applications, so the parameter (referring to the number of queries present in security analyses) is natural there. Our work clearly takes a turn towards information theory and for us the primary notion is rather the min-entropy of the source, to which refers.
Results in the Original Notation
For consistency with the notation from the paper [dod], in Appendix A we present the main results of our paper reformulated in the language of the paper [dod]. Similarly, the result from [dod] quoted above (Theorem 3, App. B) is originally expressed in a different language. Appendix A also contains a proof of the equivalence of both versions.
1.2.2 Main Result
In this paper we present the first example of a permutation with nontrivial conductance degree:
Theorem 1.3.
If is prime and , then there exists an efficiently computable permutation such that
[TABLE]
where
The reasoning that leads to the construction of this permutation (the final proof is in Section 2.4) requires the introduction of several lemmas (all proofs are in Section 2) and definitions, which we present below:
Definition 1.4.
The min-entropy of a source is defined as
[TABLE]
Definition 1.5.
A distribution over domain is a flat distribution if it is uniformly random over a set . In other words: if it is uniform on its support.
We have the following well known fact on these notions:
Lemma 1.6.
A source with min-entropy at least is always a convex combination of flat distributions supported on sets of size .
Definition 1.7.
Let be positive integers, and let be a permutation.
We say that is an -Multi-Source-Somewhere-Condenser if for any independent random variables with min-entropy at least , the distribution of can be written as
[TABLE]
such that for each , the marginal has min-entropy at least , where:
- are distributions over ;
- and ;
- denotes the marginal of on the -th -bit block, under the natural decomposition ;
- .
Intuition: The permutation redistributes entropy from several independent weak sources so that, in almost all of the resulting mass (of total weight at least ), there exists a block whose min-entropy is amplified by a factor of . In other words: in nearly all cases the output is “somewhere” more random. This definition is based on Definition 1.11 from [raz], adapted to the multi-source setting and restricted to permutations.
Armed with the above definitions, we are ready to formulate the following technical lemma, the proof of which can be found in Section 2.1:
Lemma 1.8.
If the permutation is an -Multi-Source-Somewhere-Condenser, then is at most , for .
The formula in the above lemma means that if is negligible, then we will achieve .
So, to effectively use Lemma 1.8, we need a Multi-Source-Somewhere-Condenser with suitably strong parameters, which fortunately exists and may be found for example in the paper [avi]. Specifically, it holds (in [avi] this result and its proof are described as Lemma 3.14):
Lemma 1.9.
Consider the permutation: (i.e. ) defined by the formula , where are treated as elements of the field . Then for and a prime number , the permutation defined above is ()-Multi-Source-Somewhere-Condenser for .
Remark.
Note: the original lemma from [avi] is even stronger than the formulation of Lemma 1.9 presented above. In fact, it is always the third coordinate (except for some set of measure ) that has the appropriate min-entropy, not some coordinate for different fragments of the permutation.
The corollary of Lemmas 1.8 and 1.9 is as follows:
Lemma 1.10.
If , then there exists an efficiently computable permutation such that
[TABLE]
as long as is prime and for some
The formal proof of the above lemma can be found in Section 2.3. The generalization of this lemma to higher dimensions (i.e. arbitrary ), which is simply the content of our main Theorem 1.3, can be found in Section 2.4.
1.2.3 Converse Theorem
It turns out that the theorem also holds in the opposite direction, i.e. showing that every permutation with a suitable is also a nontrivial Multi-Source-Somewhere-Condenser:
Theorem 1.11.
Let be a permutation such that its conductance degree is less than , for some and . Then is a ()-Multi-Source-Somewhere-Condenser, for .
The proof is given in Section 2.2. It is also the most technically demanding part of the paper.
1.3 Intuition and Toy Examples
Consider the function , where and is a prime number. This is of course a permutation, since for any value of , its unique preimage is . We want to justify why has conductance degree strictly less than (for some fixed parameter ).
For this purpose, we consider two arbitrary -boxes and (i.e. ). Now we want (according to the Definition 1.1) to estimate an upper bound on .
This is a purely combinatorial problem, but we will look at it from the probabilistic perspective. Specifically: we will assume a uniform distribution on and then we will show some upper bound on . This will allow us to achieve the main result, since of course we have:
[TABLE]
To achieve our goal, we will use the fact that is a Multi-Source-Somewhere-Condenser (thus Lemma 1.9), and even a stronger fact (which is formulated in this way in [avi]), i.e. that it is always the third (not some) coordinate of that is the condenser, except for some negligible part of the domain. More specifically, thanks to this version of Lemma 1.9 we know that – since we are considering a uniform distribution on – and thus we have that and are independent and have min-entropy , there exists such that can be written as a convex combination of two distributions and (that is, for some ) with the following properties:
[TABLE]
and (i.e. the third coordinate of ) has min-entropy at least . This last fact can also be formally written as follows: for any , it holds
[TABLE]
Let us additionally denote and we can finally complete the main estimation:
[TABLE]
Hence:
[TABLE]
This of course means that , which is strictly smaller than for sufficiently large , so really has nontrivial conductance.
A completely analogous reasoning can be carried out for the permutation , establishing that is also a permutation with nontrivial conductance.
Going even further, let us now consider the following permutation:
[TABLE]
which, as we can see, is a kind of mix of the permutations and , so it is certainly – as can be checked from the definition – a Multi-Source-Somewhere-Condenser. Reasoning that is only slightly more complicated than the one given above (and thus similar to the proof of Lemma 1.8) allows us to prove that is also a permutation with nontrivial conductance.
Interestingly and importantly, we show that no fundamentally different constructions can yield nontrivial conductance. To be more concrete: every such permutation is essentially just a somewhere condenser. That is, it must be obtained as a “mix” of coordinate-wise condensers, in the same sense as in . This is made precise in Theorem 1.11.
2 Technical Part: Formal Proofs
2.1 Proof of Lemma 1.8
(This proof is essentially a direct generalization of the reasoning presented in Section 1.3.)
To prove the statement, we need to consider two arbitrary -boxes (i.e. ) and show that . Equivalently, we will consider the uniform distribution on and prove that
[TABLE]
Since are independent and have min-entropy , we can use the fact that is a -Multi-Source-Somewhere-Condenser. We then get that
[TABLE]
where and (the -th coordinate of ) has min-entropy of at least .
This last fact can be more conveniently rewritten as follows: for any , it holds
[TABLE]
If we additionally denote , then from the above we also have:
[TABLE]
Given the above, we can proceed to the main estimation:
[TABLE]
which completes the proof.
2.2 Proof of Theorem 1.11
We are to show that is a -Multi-Source-Somewhere-Condenser. By definition, we should consider some independent random variables such that their min-entropy is at least and show that the distribution has the appropriate properties. However, without loss of generality (using Lemma 1.6), we can assume that the distribution of is flat, that is, it is really just a uniformly distributed discrete -box (as defined in Definition 1.2). Then, after translating to the discrete interpretation, our original statement becomes:
Claim 1.
The set can be partitioned into disjoint sets and such that:
- •
, where ;
- •
for each and for each we have:
[TABLE]
Notational note: in the above statement and simply denote subsets of , while in the original Definition 1.7 the same letters would denote uniform distributions on these sets.
In addition, recall that the set has cardinality and (thanks to the assumption that has the appropriate degree of conductance) that for any other -box the following always holds:
[TABLE]
Before we proceed to the direct proof of Claim 1 (that is, giving the appropriate way of partitioning ), we need one more auxiliary definition:
Definition 2.1.
We say that the set has at point , an -Bottleneck-Slice
[TABLE]
if it holds .
Intuitively: -Bottleneck-Slice at point means that the projection of onto the -coordinate at point is nonempty, but suitably thin.
Remark.
We will sometimes also say that contains a Bottleneck-Slice (without specifying the coordinate ). This of course means that contains an -Bottleneck-Slice for some .
Now the procedure for partitioning the set is as follows.
Procedure for Partitioning :
- Step 1: First, we initialize the auxiliary variables: for each , let be the empty set and let .
- Step 2: If contains any (for any and at any point ) -Bottleneck-Slice , perform the assignments:
[TABLE]
- Step 3: Loop Step 2 until no longer contains any Bottleneck-Slice.
- Step 4: Assign and .
- Step 5: For each , if , then assign , otherwise: assign and .
- Step 6: Assign .
Intuitively: from the set we cut off all Bottleneck-Slices one by one until we are left with , which no longer contains sets of this type. Then all cut off -Bottleneck-Slices concerning the -th coordinate together form , unless their measure is sufficiently small, in which case is empty and these Bottleneck-Slices go to . The final is the union of and .
It remains to verify that the partitioning constructed in this way actually satisfies the requirements of Claim 1. We carry out the two necessary analyses in turn:
Analysis of :
If is empty, then the statement trivially holds. Otherwise, it must be
[TABLE]
Additionally, for any , it holds
[TABLE]
since every such set as above on the left is either empty or (as follows from the construction) equal to exactly one -Bottleneck-Slice cut off from .
Combining these facts, we can conclude that:
[TABLE]
which is what was to be shown.
Analysis of :
We have to show that is,
[TABLE]
Additionally, we know that . So it is enough to show two inequalities:
[TABLE]
The first one is a trivial consequence of the partitioning procedure: in the worst case could have had times added the set of cardinality at most , which is exactly the postulated bound.
The last inequality follows directly from the fact that does not contain any Bottleneck-Slice, the bound and the property (5) (this property holds for , so obviously also for ), which, however, requires a slightly deeper analysis, which (thus concluding the entire proof) we present below:
Claim 2.
If the set does not contain any Bottleneck-Slice, and
[TABLE]
for any discrete -box of dimension , then
[TABLE]
Reminder: the formal definition of a discrete box is given in Definition 1.2.
To prove the above statement, let us assume for the sake of contradiction that . Then:
First, let us note that is contained in a discrete -box . This is actually the case because and does not contain any Bottleneck-Slice, so at each coordinate it takes at most:
[TABLE]
different values.
This means that is a sum of at most
[TABLE]
discrete )-boxes.
Since , at least one of these boxes contains
[TABLE]
points, which, however, contradicts the (6) property, and thus completes the proof.
2.3 Proof of Lemma 1.10
We simply apply Lemma 1.8 to the permutation from Lemma 1.9:
That is, first from Lemma 1.9 we have that there exists a permutation (explicitly over ), which is a ()-Multi-Source-Somewhere-Condenser for some . Now, additionally denoting , from Lemma 1.8 we have that this permutation has such that:
[TABLE]
for .
Finally, to achieve the postulated result , it is enough to choose the parameters so that:
[TABLE]
The left inequality follows trivially from the formula on obtained above. To obtain the right one, we want , which means , which is true by assumption; this completes the proof.
2.4 Final Proof of Theorem 1.3
The final proof is a direct consequence of Lemma 1.10, since our final construction for dimension will be just a simple serial repetition of many copies of the dimension permutation from the aforementioned lemma.
To formalize this construction, let us first denote the permutation (coming from Lemma 1.10) on successive coordinates as follows:
[TABLE]
(explicitly over , as defined in the proof of Lemma 1.10)
Now let and the permutation be defined as follows (for now, assume that is a multiple of ):
[TABLE]
If leaves a remainder when divided by , we define:
[TABLE]
and similarly, when divided by leaves a remainder :
[TABLE]
[TABLE]
From the very construction it is obvious that is a permutation, so it remains to estimate of the presented construction. For this purpose, we consider two arbitrary -boxes: and (i.e. ) and we estimate .
As in Sections 1.3 and 2.1, it will be more convenient to assume a uniform distribution on and use the probabilistic interpretation:
[TABLE]
Before we move on to the main estimation, let us just recall that for any such that we have (from Lemma 1.10 and again the probabilistic interpretation of the inequality ):
[TABLE]
Armed with this fact, we can finally move on to the main estimation:
[TABLE]
where follows immediately from the structure of the construction of (primarily from the fact that successive triples in the construction are fully independent of each other).
Finally, from (8) we have that , which completes the proof.
3 Open Problems and Future Work
This section lists issues that remain open and may be worth further investigation.
- Wider Range of Parameters
The main result (Theorem 1.3) largely relies on Lemma 3.14 of [avi] (i.e. Lemma 1.9 in this paper), which contains certain restrictions that we suspect can be avoided. First of all, we ask whether the same result can be obtained for that are not prime numbers, and also whether the parameters and must really depend on (the work of [avi] even gives hope for removing these dependencies: one would like to simply use Lemma 3.1 from that paper, but unfortunately in our solution it turned out that we were only able to use Lemma 3.14, which is a version of Lemma 3.1 with weaker assumptions and a weaker thesis).
Additionally, there remains an open question about low-conductance permutations for .
- The Converse Theorem for Weak Conductance
The Converse Theorem (Theorem 1.11) applies to almost all cases, except when . It remains to be investigated.
- Always-Condenser vs. Somewhere-Condenser
Recall that our solution for the dimension is given by: While we can easily believe that the third coordinate of really behaves very randomly, since it is a condenser, it seems intuitive that the following construction should have even lower conductance than (i.e. both the second and third coordinates are condensers): However, we cannot formally prove that is indeed better.
(For clarity: we can show that when is a prime such that , then is indeed a permutation; in a more complicated way, we can improve this example by constructing a permutation where all three coordinates will simultaneously have the form of a condenser.)
The above question can naturally be generalized to higher dimensions. In other words: we hypothesize that if all coordinates (and not, for example, every third one like in our construction) of a permutation are condensers, then such a permutation has an even better conductance degree than the construction that derives from Lemma 1.8.
- Other Directions
In this work, we have established the equivalence between low-conductance permutations and condensers, but a more quantitative analysis of the tightness of this equivalence would be valuable.
Another direction is to construct permutations for larger width without relying on product-type constructions derived from smaller-width permutations. Strategies that replicate a width- permutation times are unlikely to achieve optimal conductance, which suggests that new, more global constructions may be required.
References
Appendix A Original Language Formulations from [dod]
A.1 Theorem 3, Appendix B from [dod]
The result quoted in the introduction:
[TABLE]
was originally formulated as follows:
[TABLE]
This is, of course, a consequence of the original result, because, on the one hand, we have (equivalence of assumptions):
[TABLE]
and on the other hand we have:
[TABLE]
A.2 Main Results of the Paper in the Notation from [dod]
For the sake of clarity, we present the main results once again, this time rewritten in the original notation from the paper [dod]:
Theorem 1.3’.
If is a prime number and , then there exists a permutation such that:
[TABLE]
where
[TABLE]
Theorem 1.11’.
Let be a permutation such that , for some . Then is a ()-Multi-Source-Somewhere-Condenser.
