5

Suppose that $F: \{0,1\}^n\times \{0,1\}^n\rightarrow \{0,1\}^n$ is a strongly pseudorandom permutation. Let $\hat{F}(k,x):=F(k,k)\oplus F(k,x)$. I know that $\hat{F}$ can't be a strongly pseudorandom permutation. How do I prove that $\hat{F}$ is a normal PRP? This is Problem 6.20 in The Joy of Cryptography.

I want to prove it by reduction. Assuming there is an efficient distinguisher $A$ that can break $\hat{F}$, it is sufficient to construct an efficient distinguisher $D$, using $A$ as a subroutine, that breaks $F$. The core difficulty is that $D$ cannot answer the queries made by $A$ because $D$ doesn't know the $k$ chosen by the challenger!

YirongHu

1 Answer

4

I found a counterexample to this problem.

Suppose that $F':\{0,1\}^n\times\{0,1\}^n\rightarrow \{0,1\}^n$ is an SPRP. Then define $F:\{0,1\}^n\times\{0,1\}^n\rightarrow \{0,1\}^n$ as follows: let $F_{0^n}():=F'_{0^n}()$. For $k\neq 0^n$, we define:

$$ F_k(x):=\begin{cases} F'_k(0^n)\oplus k &\text{ if }x=k,\\ F'_k(k) &\text{ if }x=F'^{-1}_k(F'_k(0^n)\oplus k),\\ F'_k(x) &\text{otherwise}. \end{cases} $$

Actually, I just interchange the values of $F'_k$ at $k$ and at $F'^{-1}_k(F'_k(0^n)\oplus k)$.

Now if we define $\hat{F}_k(x):=F_k(k)\oplus F_k(x)$, we can see $\hat{F}_k(0^n)=k$ for any $k\not=0^n$, so clearly $\hat{F}$ is not a PRP.

It remains to prove that the $F$ constructed above is an SPRP. Suppose that there is an efficient distinguisher $A$ that can break the SPRP property of $F$; we construct a $D$ that breaks the SPRP property of $F'$:

$D$ is given access to oracles $O()$ and $O^{-1}()$, where $O()=F'_k()$ or a uniformly random permutation $f()$.

  1. $D$ answers $A$'s queries at $x_1,x_2,\dots,x_q$ using $O()$ and $O^{-1}()$. After $q$ queries, $A$ outputs a bit $b$.
  2. Then $D$ outputs $b$.

If $D$ is given access to $f,f^{-1}$, then $D$ answers $A$'s queries correctly. So $\Pr[D^{f,f^{-1}}(1^n)=1]=\Pr[A^{f,f^{-1}}(1^n)=1]$.

If $D$ is given access to $F'_k, F'^{-1}_k$, let the event $E := A \text{ queries at any of } k,\ F'^{-1}_k(F'_k(0^n)\oplus k),\ F'_k(0^n)\oplus k,\ F'_k(k)$.

Then $D$ answers $A$'s queries correctly if $E$ does not occur! If $\Pr[E]$ is negligible, then the difference between $\Pr[D^{F'_k, F'^{-1}_k}(1^n)=1]$ and $\Pr[A^{F_k, F^{-1}_k}(1^n)=1]$ is negligible, so the advantage of $D$ is non-negligible.

If $\Pr[E]$ is non-negligible, then intuitively we can use these queries to find the key with non-negligible probability.

Formally we construct $D'$:

  1. $D'$ answers $A$'s queries at $x_1,x_2,\dots,x_q$ using $O()$ and $O^{-1}()$.
  2. $D'$ randomly chooses an $x_i$ from $A$'s $q$ queries.
  3. $D'$ computes $k_1=x_i$, $k_2=O(x_i)\oplus O(0^n)$, $k_3=x_i\oplus O(0^n)$, $k_4=O^{-1}(x_i)$.
  4. Then $D'$ outputs 1 if $O()=F'_{k_1}$ or $F'_{k_2}$ or $F'_{k_3}$ or $F'_{k_4}$ ($D'$ can check whether $O()=F'_k$ for any given $k$ with high accuracy). Otherwise $D'$ outputs $0$.

It is clear that $\Pr[D'^{f,f^{-1}}(1^n)=1]$ is negligible. On the other hand, $\Pr[D'^{F'_k, F'^{-1}_k}(1^n)=1]\ge \frac{1}{q}\Pr[E]$, which is non-negligible.

YirongHu
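The counterexample in the answer above, as an added example that is not part of the original post. The SPRP $F'$ is replaced by a toy keyed Feistel permutation on 16-bit blocks with a SHA-256 round function (an assumption for illustration only; it is a permutation for every key, but nothing here proves it is an SPRP). `f_mod` is the answer's $F_k$ with the values of $F'_k$ at $k$ and at $F'^{-1}_k(F'_k(0^n)\oplus k)$ interchanged, `f_hat` is $\hat{F}_k(x)=F_k(k)\oplus F_k(x)$, and `distinguisher` is the two-query PRP attack the answer implies: read $\hat{F}_k(0^n)$ as the key and verify it on one more point. All names, the block size and the sample keys are the example's own choices.

```python
"""Toy instance of the counterexample: swap two outputs of F'_k so that
F_k(k) xor F_k(0^n) == k, then show the resulting one-query key leak in F_hat."""
import hashlib
import random
from functools import lru_cache

N_BITS = 16                      # toy block/key size (assumption, not from the post)
HALF = N_BITS // 2
HALF_MASK = (1 << HALF) - 1
ROUNDS = 4


def _round_fn(key: int, rnd: int, half: int) -> int:
    # SHA-256 based round function; a stand-in for a real SPRP's internals
    data = key.to_bytes(N_BITS // 8, "big") + bytes([rnd, half])
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big") & HALF_MASK


def f_prime(key: int, x: int) -> int:
    """F'_k(x): balanced Feistel network, hence a permutation for every key."""
    l, r = x >> HALF, x & HALF_MASK
    for rnd in range(ROUNDS):
        l, r = r, l ^ _round_fn(key, rnd, r)
    return (l << HALF) | r


def f_prime_inv(key: int, y: int) -> int:
    """F'^{-1}_k(y): run the Feistel rounds backwards."""
    l, r = y >> HALF, y & HALF_MASK
    for rnd in reversed(range(ROUNDS)):
        l, r = r ^ _round_fn(key, rnd, l), l
    return (l << HALF) | r


@lru_cache(maxsize=None)
def _swapped_inputs(key: int):
    # the two inputs whose F'_k values are interchanged: k and F'^{-1}_k(F'_k(0^n) xor k)
    return key, f_prime_inv(key, f_prime(key, 0) ^ key)


def f_mod(key: int, x: int) -> int:
    """F_k(x) from the answer: F'_k with the values at a and b swapped (k != 0^n)."""
    if key == 0:
        return f_prime(0, x)
    a, b = _swapped_inputs(key)
    if x == a:
        return f_prime(key, b)       # == F'_k(0^n) xor k
    if x == b:
        return f_prime(key, a)       # == F'_k(k)
    return f_prime(key, x)


def f_mod_inv(key: int, y: int) -> int:
    """Inverse of F_k: swapping two outputs keeps F_k a permutation."""
    if key == 0:
        return f_prime_inv(0, y)
    a, b = _swapped_inputs(key)
    x = f_prime_inv(key, y)
    return b if x == a else a if x == b else x


def f_hat(key: int, x: int) -> int:
    """F_hat_k(x) = F_k(k) xor F_k(x); note F_hat_k(0^n) == k."""
    return f_mod(key, key) ^ f_mod(key, x)


def is_permutation(key: int) -> bool:
    """Exhaustive check that F_k is a bijection on {0,1}^n."""
    return len({f_mod(key, x) for x in range(1 << N_BITS)}) == 1 << N_BITS


def distinguisher(oracle) -> int:
    """Two-query PRP distinguisher for F_hat.
    Query 0^n, read the answer as a key guess, then check one more point
    against F_hat under that guess.  Against F_hat it always outputs 1;
    against a random permutation it outputs 1 with probability about 2^-n."""
    k_guess = oracle(0)
    probe = 1
    return 1 if oracle(probe) == f_hat(k_guess, probe) else 0


def random_perm_oracle(seed: int):
    """Ideal-world oracle: a uniformly random permutation of {0,1}^n (constructed from a seed)."""
    table = list(range(1 << N_BITS))
    random.Random(seed).shuffle(table)
    return lambda x: table[x]


if __name__ == "__main__":
    k = 0xBEEF
    print(f"F_hat_k(0^n) = {f_hat(k, 0):#06x}, key = {k:#06x}")
    print("F_k is a permutation:", is_permutation(k))
    print("distinguisher vs F_hat:", distinguisher(lambda x: f_hat(k, x)))
    print("distinguisher vs random permutation:", distinguisher(random_perm_oracle(7)))
```

Running the block prints the key recovered from the single query $\hat{F}_k(0^n)$, confirms that the swap leaves $F_k$ a permutation, and shows the distinguisher outputting 1 on $\hat{F}$ and 0 on a random permutation. The same key leak also holds for $k=0^n$, since $\hat{F}_{0^n}(0^n)=0^n$ by definition, which is why the distinguisher needs no special case there.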