Simpira v2: A Family of Efficient Permutations Using the AES Round Function

This paper introduces Simpira, a family of cryptographic permutations that supports inputs of \(128 \times b\) bits, where b is a positive integer. Its design goal is to achieve high throughput on virtually all modern 64-bit processors, which nowadays have native AES instructions. To achieve this goal, Simpira uses only one building block: the AES round function. For \(b=1\), Simpira corresponds to 12-round AES with fixed round keys, whereas for \(b\ge 2\), Simpira is a Generalized Feistel Structure (GFS) with an F-function that consists of two rounds of AES. We claim that there are no structural distinguishers for Simpira with a complexity below \(2^{128}\), and analyze its security against a variety of attacks in this setting. The throughput of Simpira is close to the theoretical optimum, namely, the number of AES rounds in the construction. For example, on the Intel Skylake processor, Simpira has throughput below 1 cycle per byte for \(b \le 4\) and \(b=6\). For larger permutations, where moving data in memory has a more pronounced effect, Simpira with \(b=32\) (512-byte inputs) evaluates 732 AES rounds and performs at 824 cycles (1.61 cycles per byte), which is less than \(13\,\%\) off the theoretical optimum. If the data is stored in interleaved buffers, this overhead is reduced to less than \(1\,\%\). The Simpira family offers an efficient solution when processing wide blocks, larger than 128 bits, is desired.
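As an added illustration (not code from the paper or its authors), the following Python shows the two building blocks the abstract names: a software AES round function with the same semantics as one AESENC instruction, and a 2-branch Feistel (the \(b=2\) shape) whose F-function is two AES rounds with fixed round keys. The round constants and the 15-round count are placeholder assumptions, not the Simpira v2 specification; the inverse is included to show that the construction is a permutation.

```python
def gmul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _sbox_entry(x):
    """AES S-box: multiplicative inverse in GF(2^8), then the affine map."""
    inv = next(y for y in range(256) if gmul(x, y) == 1) if x else 0
    rot = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    return inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4) ^ 0x63

SBOX = bytes(_sbox_entry(x) for x in range(256))

def aes_round(state, round_key):
    """One AES round on a 16-byte column-major state (SubBytes, ShiftRows,
    MixColumns, AddRoundKey): the same map a single AESENC instruction computes."""
    s = [SBOX[v] for v in state]                                         # SubBytes
    s = [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]   # ShiftRows
    out = []
    for c in range(4):                                                   # MixColumns
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [gmul(a0, 2) ^ gmul(a1, 3) ^ a2 ^ a3, a0 ^ gmul(a1, 2) ^ gmul(a2, 3) ^ a3,
                a0 ^ a1 ^ gmul(a2, 2) ^ gmul(a3, 3), gmul(a0, 3) ^ a1 ^ a2 ^ gmul(a3, 2)]
    return bytes(o ^ k for o, k in zip(out, round_key))                  # AddRoundKey

def simpira_like_f(x, counter, b=2):
    """F-function in the abstract's style: two AES rounds with fixed round keys.
    The constant below is a CONSTRUCTED placeholder, not Simpira v2's constants."""
    const = bytes([counter] * 4 + [b] * 4 + [0] * 8)
    return aes_round(aes_round(x, bytes(16)), const)

def _feistel(block, counters):
    """2-branch Feistel on 32 bytes: each round XORs F(one branch) into the other."""
    x = [bytearray(block[:16]), bytearray(block[16:])]
    for c in counters:
        src, dst = (1, 0) if c % 2 else (0, 1)   # alternate the branch being updated
        f = simpira_like_f(bytes(x[src]), c)
        x[dst] = bytearray(a ^ v for a, v in zip(x[dst], f))
    return bytes(x[0] + x[1])

def simpira_like_b2(block, rounds=15):   # rounds=15 is an assumed parameter
    return _feistel(block, range(1, rounds + 1))

def simpira_like_b2_inverse(block, rounds=15):   # same rounds, reverse order
    return _feistel(block, range(rounds, 0, -1))
```

The cost model from the abstract applies directly: each call to simpira_like_f is two AES rounds, so a 15-round instance evaluates 30 AES rounds, which is the throughput bound a native AESENC implementation would approach.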
