Wide Tweakable Block Ciphers Based on Substitution-Permutation Networks: Security Beyond the Birthday Bound

Substitution-Permutation Networks (SPNs) refer to a family of constructions which build a wn-bit (tweakable) block cipher from n-bit public permutations. Many widely deployed block ciphers are part of this family and rely on very small public permutations. Surprisingly, this structure has seen little theoretical interest when compared with Feistel networks, another high-level structure for block ciphers. This paper extends the work initiated by Dodis et al. in three directions; first, we make SPNs tweakable by allowing keyed tweakable permutations in the permutation layer, and prove their security as tweakable block ciphers. Second, we prove beyond-the-birthday-bound security for 2-round non-linear SPNs with independent S-boxes and independent round keys. Our bounds also tend towards optimal security 2 (in terms of the number of threshold queries) as the number of rounds increases. Finally, all our constructions permit their security proofs in the multi-user setting. As an application of our results, SPNs can be used to build provably secure wide tweakable block ciphers from several public permutations, or from a block cipher. More specifically, our construction can turn two strong public n-bit permutations into a tweakable block cipher working on wn-bit blocks and using a 6n-bit key and an n-bit tweak (for any w ≥ 2); the tweakable block cipher provides security up to 22n/3 adversarial queries in the random permutation model, while only requiring w calls to each permutation and 3w field multiplications for each wn-bit block.

[1]  Michael Luby,et al.  How to Construct Pseudo-Random Permutations from Pseudo-Random Functions (Abstract) , 1986, CRYPTO.

[2]  Bart Mennink,et al.  Improved Masking for Tweakable Blockciphers with Applications to Authenticated Encryption , 2016, IACR Cryptol. ePrint Arch..

[3]  Yannick Seurin,et al.  An Asymptotically Tight Security Analysis of the Iterated Even-Mansour Cipher , 2012, ASIACRYPT.

[4]  Scott R. Fluhrer,et al.  The Security of the Extended Codebook (XCB) Mode of Operation , 2007, IACR Cryptol. ePrint Arch..

[5]  John P. Steinberger,et al.  Indifferentiability of Confusion-Diffusion Networks , 2015, EUROCRYPT.

[6]  Shai Halevi,et al.  A Tweakable Enciphering Mode , 2003, CRYPTO.

[7]  Shai Halevi,et al.  Invertible Universal Hashing and the TET Encryption Mode , 2007, CRYPTO.

[8]  Phillip Rogaway,et al.  How to Encipher Messages on a Small Domain , 2009, CRYPTO.

[9]  Jean-Sébastien Coron,et al.  A Domain Extender for the Ideal Cipher , 2010, TCC.

[10]  Palash Sarkar,et al.  HCH: A New Tweakable Enciphering Scheme Using the Hash-Encrypt-Hash Approach , 2006, INDOCRYPT.

[11]  Palash Sarkar,et al.  A New Mode of Encryption Providing a Tweakable Strong Pseudo-random Permutation , 2006, FSE.

[12]  John P. Steinberger,et al.  Minimizing the Two-Round Even–Mansour Cipher , 2014, Journal of Cryptology.

[13]  Shai Halevi,et al.  EME*: Extending EME to Handle Arbitrary-Length Messages with Associated Data , 2004, INDOCRYPT.

[14]  Guido Bertoni,et al.  Keccak sponge function family main document , 2009 .

[15]  Eric Miles,et al.  Substitution-Permutation Networks, Pseudorandom Functions, and Natural Proofs , 2012, J. ACM.

[16]  Yosuke Todo,et al.  Gimli : A Cross-Platform Permutation , 2017, CHES.

[17]  Jean-Sébastien Coron,et al.  How to Build an Ideal Cipher: The Indifferentiability of the Feistel Construction , 2014, Journal of Cryptology.

[18]  Stefano Tessaro,et al.  The equivalence of the random oracle model and the ideal cipher model, revisited , 2010, STOC '11.

[19]  Yishay Mansour,et al.  A construction of a cipher from a single pseudorandom permutation , 1997, Journal of Cryptology.

[20]  Benoit Cogliati,et al.  Tweaking Even-Mansour Ciphers , 2015, CRYPTO.

[21]  Stefano Tessaro,et al.  Optimally Secure Block Ciphers from Ideal Primitives , 2015, ASIACRYPT.

[22]  Bart Mennink,et al.  XPX: Generalized Tweakable Even-Mansour with Improved Security Guarantees , 2016, CRYPTO.

[23]  Stefano Tessaro,et al.  Key-Alternating Ciphers and Key-Length Extension: Exact Bounds and Multi-user Security , 2016, CRYPTO.

[24]  Jacques Patarin,et al.  The "Coefficients H" Technique , 2009, Selected Areas in Cryptography.

[25]  Jonathan Katz,et al.  Provable Security of Substitution-Permutation Networks , 2017, IACR Cryptol. ePrint Arch..

[26]  Phillip Rogaway,et al.  On Generalized Feistel Networks , 2010, CRYPTO.

[27]  John P. Steinberger,et al.  Tight Security Bounds for Key-Alternating Ciphers , 2014, EUROCRYPT.

[28]  Kaoru Kurosawa,et al.  On the Pseudorandomness of the AES Finalists - RC6 and Serpent , 2000, FSE.

[29]  Shai Halevi,et al.  A Parallelizable Enciphering Mode , 2004, CT-RSA.

[30]  Jacques Patarin,et al.  Security of Random Feistel Schemes with 5 or More Rounds , 2004, CRYPTO.

[31]  Ueli Maurer,et al.  Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology , 2004, TCC.