Pseudorandom permutations with the fast forward property

We describe an efficient construction of pseudorandom permutations P with the fast forward property, namely, such that for each m the computation of Pm(x) can be done with a constant number of calls to an underlying pseudorandom permutation. This solves an open problem of Naor and Reingold. 1. Ordered cycle structures Definition 1.1. Let Ω be a finite, well-ordered set. The ordered cycle structure of a permutation P ∈ SΩ is the output of the following procedure: 1. Set S0 = ∅. 2. For each i = 0, 1, 2, . . . do the following: (a) If Ω \ Si = ∅, then exit this loop. (b) Let αi be the first element of Ω \ Si. (c) Let Ai be the orbit of αi, Ai = {αi, P (αi), P (αi), . . .}. (d) Let Si+1 = Si ∪ Ai. 3. Output the sequence (|A0|, |A1|, |A2|, . . . ). We will call this the Ordered Cycle Structure generation procedure (OCS), and write OCS(P ) = (|A0|, |A1|, . . . ). Proposition 1.2. For a uniformly chosen P ∈ SΩ, the expected length of the sequence OCS(P ) is equal to the harmonic number