Reverse Cycle Walking And Its Applications

We study the problem of constructing a block-cipher on a "possibly-strange" set S using a block-cipher on a larger set T. Such constructions are useful in format-preserving encryption, where for example the set S might contain "valid9-digit social security numbers" while T might be the set of 30-bit strings. Previous work has solved this problem using a technique called cycle walking, first formally analyzed by Black and Rogaway. Assuming the size of S is a constant fraction of the size of T, cycle walking allows one to encipher a point x. S by applying the block-cipher on T a small expected number of times and O(N) times in the worst case, where N = vertical bar T vertical bar, without any degradation in security. We introduce an alternative to cycle walking that we call reverse cycle walking, which lowers the worst-case number of times we must apply the block-cipher on T from O(N) to O(logN). Additionally, when the underlying block-cipher on T is secure against q = (1-epsilon)N adversarial queries, we show that applying reverse cycle walking gives us a cipher on S secure even if the adversary is allowed to query all of the domain points. Such fully secure ciphers have been the the target of numerous recent papers.