The t-wise Independence of Substitution-Permutation Networks

Block ciphers such as the Advanced Encryption Standard (Rijndael) are used extensively in practice, yet our understanding of their security continues to be highly incomplete. This paper promotes and continues a research program aimed at proving the security of block ciphers against important and well-studied classes of attacks. In particular, we initiate the study of (almost) t-wise independence of concrete block-cipher construction paradigms such as substitution-permutation networks and key-alternating ciphers. Sufficiently strong (almost) pairwise independence already suffices to resist (truncated) differential attacks and linear cryptanalysis, and hence this is a relevant and meaningful target. Our results are two-fold.

Our first result concerns substitution-permutation networks (SPNs) that model ciphers such as AES. We prove the almost pairwise-independence of an SPN instantiated with concrete S-boxes together with an appropriate linear mixing layer, given sufficiently many rounds and independent sub-keys. Our proof relies on a characterization of S-box computation on input differences in terms of sampling output differences from certain subspaces, and a new randomness extraction lemma (which we prove with Fourier-analytic techniques) that establishes when such sampling yields uniformity. We use our techniques in particular to prove almost pairwise-independence for sufficiently many rounds of both the AES block cipher (which uses a variant of the patched inverse function x ↦ x^-1 as the S-box) and the MiMC block cipher (which uses the cubing function x ↦ x^3 as the S-box), assuming independent sub-keys.

Secondly, we show that instantiating a key-alternating cipher (which can be thought of as a degenerate case of SPNs) with most permutations gives us (almost) t-wise independence in t+o(t) rounds. In order to do this, we use the probabilistic method to develop two new lemmas, an independence-amplification lemma and a distance-amplification lemma, that allow us to reason about the evolution of key-alternating ciphers.
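The abstract's first result rests on how the two concrete S-boxes (the patched inverse behind AES and the cubing map behind MiMC) behave on input differences, and on how far a keyed S-box is from the pairwise-independent ideal, where the output difference of two distinct inputs would be uniform over all nonzero differences. The following is an added example, not code from the paper or from either cipher's specification: it builds the difference distribution table (DDT) of each S-box, checks the well-known differential uniformities (4 for the inverse over GF(2^8), 2 for cubing over an odd-degree binary field), and measures the statistical distance between a single keyed S-box's output-difference distribution and the uniform distribution on nonzero differences. The GF(2^7) field used for the cubing map is a constructed toy choice (MiMC itself works over much larger fields), and the names of all functions and constants are this example's own.

```python
"""Differential behaviour of the patched-inverse and cubing S-boxes.

Added example, not code from the paper: DDTs of the two S-boxes named in the
abstract, plus the distance of one keyed S-box from the pairwise-independent
ideal (output difference uniform over all nonzero values).
"""

# AES field: GF(2^8) modulo x^8 + x^4 + x^3 + x + 1.
AES_FIELD = (8, 0x11B)
# Toy odd-degree field for the cubing S-box: GF(2^7) modulo x^7 + x + 1.
# Constructed choice for illustration only; MiMC uses far larger fields.
TOY_FIELD = (7, 0x83)


def gf_mul(a, b, n, poly):
    """Multiply a and b in GF(2^n); poly is the reduction polynomial with its x^n bit set."""
    r = 0
    for _ in range(n):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1:
            a ^= poly
    return r


def gf_pow(a, e, n, poly):
    """Square-and-multiply exponentiation in GF(2^n)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, n, poly)
        a = gf_mul(a, a, n, poly)
        e >>= 1
    return r


def power_sbox(field, exponent):
    """Lookup table of x -> x^exponent over the whole field (0 maps to 0)."""
    n, poly = field
    return [gf_pow(x, exponent, n, poly) for x in range(1 << n)]


def patched_inverse_sbox(field):
    """x -> x^(2^n - 2): the inverse for x != 0, patched with 0 -> 0."""
    n, _ = field
    return power_sbox(field, (1 << n) - 2)


def is_permutation(sbox):
    """True iff the table is a bijection on the field."""
    return sorted(sbox) == list(range(len(sbox)))


def ddt(sbox):
    """ddt[din][dout] = number of x with S(x ^ din) ^ S(x) = dout."""
    size = len(sbox)
    table = [[0] * size for _ in range(size)]
    for din in range(size):
        row = table[din]
        for x in range(size):
            row[sbox[x ^ din] ^ sbox[x]] += 1
    return table


def differential_uniformity(table):
    """Largest DDT entry over nonzero input differences (inverse on GF(2^8): 4; APN maps: 2)."""
    return max(max(row) for row in table[1:])


def output_difference_distance(sbox, din):
    """Statistical distance between the output-difference distribution for input
    difference din (x uniform, equivalently a uniform key XORed in before the
    S-box) and the uniform distribution on nonzero differences that a
    pairwise-independent permutation would give. The mass at dout = 0, which
    only a non-permutation produces, counts fully against the ideal."""
    size = len(sbox)
    row = ddt(sbox)[din]
    ideal = 1.0 / (size - 1)
    return 0.5 * sum(abs(row[d] / size - (ideal if d else 0.0)) for d in range(size))


if __name__ == "__main__":
    aes_inv = patched_inverse_sbox(AES_FIELD)
    cube7 = power_sbox(TOY_FIELD, 3)
    cube8 = power_sbox(AES_FIELD, 3)
    print("patched inverse over GF(2^8): permutation", is_permutation(aes_inv),
          "| differential uniformity", differential_uniformity(ddt(aes_inv)))
    print("cubing over GF(2^7): permutation", is_permutation(cube7),
          "| differential uniformity", differential_uniformity(ddt(cube7)))
    # gcd(3, 2^8 - 1) = 3, so cubing is not a bijection on GF(2^8).
    print("cubing over GF(2^8): permutation", is_permutation(cube8))
    print("distance of one keyed inverse S-box from the pairwise-independent ideal (din = 1):",
          round(output_difference_distance(aes_inv, 1), 3))
```

The AES S-box composes the inverse with a fixed affine bijection; that relabels output differences without changing any DDT row's multiset of entries, so the differential uniformity computed here is the one that matters for AES. The distance printed for a single keyed S-box is close to 1/2: for a fixed nonzero input difference the inverse map reaches only about half of the possible output differences, which is exactly the "sampling from a subspace" picture the abstract describes and is why many rounds with a mixing layer are needed before almost pairwise-independence holds.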
