Beyond-Birthday-Bound Security for 4-round Linear Substitution-Permutation Networks

Recent work of Cogliati et al. (CRYPTO 2018) initiated the provable-security treatment of Substitution-Permutation Networks (SPNs), one of the most popular approaches to constructing modern blockciphers. Such theoretical SPN models may employ non-linear diffusion layers, which enables beyond-birthday-bound provable security. However, for the model that matches real-world blockciphers, i.e., SPN models with linear diffusion layers, existing provable results are capped at birthday security, up to 2^{n/2} adversarial queries, where n is the size of the idealized S-boxes. In this paper, we overcome this birthday barrier and prove that a 4-round SPN with linear diffusion layers and independent round keys is secure up to 2^{2n/3} queries. To this end, we identify conditions on the linear layers that are sufficient for such security; unsurprisingly, these turn out to be slightly stronger than Cogliati et al.'s conditions for birthday security. This provides additional theoretical support for real-world SPN blockciphers.

[1] Vincent Rijmen et al. Provable Security Evaluation of Structures Against Impossible Differential and Zero Correlation Linear Cryptanalysis. EUROCRYPT, 2016.

[2] Begül Bilgin et al. Low AND Depth and Efficient Inverses: a Guide on S-boxes for Low-latency Masking. IACR Trans. Symmetric Cryptol., 2020.

[3] Jacques Patarin et al. Security of Random Feistel Schemes with 5 or More Rounds. CRYPTO, 2004.

[4] Alex Biryukov et al. Alzette: A 64-bit ARX-box. IACR Cryptol. ePrint Arch., 2020.

[5] Vincent Rijmen et al. The Wide Trail Design Strategy. IMACC, 2001.

[6] Yannick Seurin et al. An Asymptotically Tight Security Analysis of the Iterated Even-Mansour Cipher. ASIACRYPT, 2012.

[7] John P. Steinberger et al. Indifferentiability of Confusion-Diffusion Networks. EUROCRYPT, 2015.

[8] Shai Halevi et al. Invertible Universal Hashing and the TET Encryption Mode. CRYPTO, 2007.

[9] Phillip Rogaway et al. On Generalized Feistel Networks. CRYPTO, 2010.

[10] John P. Steinberger et al. Tight Security Bounds for Key-Alternating Ciphers. EUROCRYPT, 2014.

[11] Kaoru Kurosawa et al. On the Pseudorandomness of the AES Finalists - RC6 and Serpent. FSE, 2000.

[12] Alex Biryukov et al. Structural Cryptanalysis of SASAS. Journal of Cryptology, 2001.

[13] Benoit Cogliati et al. Beyond-Birthday-Bound Security for Tweakable Even-Mansour Ciphers with Linear Tweak and Key Mixing. ASIACRYPT, 2015.

[14] Shai Halevi et al. A Parallelizable Enciphering Mode. CT-RSA, 2004.

[15] Xuejia Lai et al. A Proposal for a New Block Encryption Standard. EUROCRYPT, 1991.

[16] Eric Miles et al. Substitution-Permutation Networks, Pseudorandom Functions, and Natural Proofs. J. ACM, 2012.

[17] Bart Mennink et al. XPX: Generalized Tweakable Even-Mansour with Improved Security Guarantees. CRYPTO, 2016.

[18] Andrey Bogdanov et al. PRESENT: An Ultra-Lightweight Block Cipher. CHES, 2007.

[19] Moni Naor et al. On the Construction of Pseudorandom Permutations: Luby-Rackoff Revisited. Journal of Cryptology, 1996.

[20] David A. Wagner et al. Tweakable Block Ciphers. Journal of Cryptology, 2002.

[21] Yishay Mansour et al. A construction of a cipher from a single pseudorandom permutation. Journal of Cryptology, 1997.

[22] Alex Biryukov et al. Substitution-Permutation (SP) Network. Encyclopedia of Cryptography and Security, 2005.

[23] Stefano Tessaro et al. Key-Alternating Ciphers and Key-Length Extension: Exact Bounds and Multi-user Security. CRYPTO, 2016.

[24] John P. Steinberger et al. Key-Alternating Ciphers in a Provable Setting: Encryption Using a Small Number of Public Permutations. IACR Cryptol. ePrint Arch., 2012.

[25] Vincent Rijmen et al. The Design of Rijndael: AES - The Advanced Encryption Standard. 2002.

[26] Jongin Lim et al. On the Security of Rijndael-Like Structures against Differential and Linear Cryptanalysis. ASIACRYPT, 2002.

[27] Christophe De Cannière et al. KATAN and KTANTAN - A Family of Small and Efficient Hardware-Oriented Block Ciphers. CHES, 2009.

[28] Jean-Sébastien Coron et al. How to Build an Ideal Cipher: The Indifferentiability of the Feistel Construction. Journal of Cryptology, 2014.

[29] Ross Anderson et al. Serpent: A Proposal for the Advanced Encryption Standard. 1998.

[30] Jonathan Katz et al. Provable Security of Substitution-Permutation Networks. IACR Cryptol. ePrint Arch., 2017.

[31] Sangjin Lee et al. Improving the Upper Bound on the Maximum Differential and the Maximum Linear Hull Probability for SPN Structures and AES. FSE, 2003.

[32] Jacques Patarin et al. Luby-Rackoff: 7 Rounds Are Enough for 2^{n(1-epsilon)} Security. CRYPTO, 2003.

[33] Antoine Joux. Cryptanalysis of the EMD Mode of Operation. EUROCRYPT, 2003.

[34] Vincent Rijmen et al. Nonlinear diffusion layers. Des. Codes Cryptogr., 2018.

[35] Ueli Maurer et al. The Security of Many-Round Luby-Rackoff Pseudo-Random Permutations. EUROCRYPT, 2003.

[36] Palash Sarkar et al. A New Mode of Encryption Providing a Tweakable Strong Pseudo-random Permutation. FSE, 2006.

[37] John P. Steinberger et al. Minimizing the Two-Round Even-Mansour Cipher. Journal of Cryptology, 2014.

[38] Michael Luby et al. How to Construct Pseudo-Random Permutations from Pseudo-Random Functions (Abstract). CRYPTO, 1986.

[39] Bart Mennink et al. Improved Masking for Tweakable Blockciphers with Applications to Authenticated Encryption. IACR Cryptol. ePrint Arch., 2016.

[40] Jonathan Katz et al. Provable Security of (Tweakable) Block Ciphers Based on Substitution-Permutation Networks. CRYPTO, 2018.

[41] Alex Biryukov et al. Decomposition attack on SASASASAS. IACR Cryptol. ePrint Arch., 2015.

[42] Alex Biryukov et al. Cryptographic Schemes Based on the ASASA Structure: Black-Box, White-Box, and Public-Key (Extended Abstract). ASIACRYPT, 2014.

[43] Ueli Maurer et al. Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology. TCC, 2004.

[44] W. Cary Huffman et al. Fundamentals of Error-Correcting Codes. 1975.

[45] Benoit Cogliati et al. Wide Tweakable Block Ciphers Based on Substitution-Permutation Networks: Security Beyond the Birthday Bound. IACR Cryptol. ePrint Arch., 2018.

[46] John P. Steinberger et al. Improved Security Bounds for Key-Alternating Ciphers via Hellinger Distance. IACR Cryptol. ePrint Arch., 2012.