Abstract:Substitution-Permutation Networks (SPNs) refer to a family of constructions which build a wn-bit block cipher from n-bit public permutations (often called S-boxes), which alternate keyless and "local" substitution steps utilizing such S-boxes, with keyed and "global" permutation steps which are non-cryptographic. Many widely deployed block ciphers are constructed based on the SPNs, but there are essentially no provable-security results about SPNs. In this work, we initiate a comprehensive study of the provable… Show more
“…A concurrent work of Cogliati et al shows how to construct wide-block TBC from SPNs [62]. They focus on (better) beyond-birthday bounds, while we proved ⊕-RKA security which may not be implied by tweakable pseudorandomness.…”
Section: Introductionmentioning
confidence: 51%
“…These results are complementary to ours. Since we identified concrete conditions, our work is closer to the series [53], [21], [62].…”
Section: Introductionmentioning
confidence: 97%
“…Finally, in the ideal model, key-schedule conditions that suffice for some level of security have been characterized for single-key security of Luby-Rackoff [72], KACs [53], and SPNs [62], for ⊕-RKA security of KACs [21], and for indifferentiability of Luby-Rackoff [11] and KACs, see [15] and the reference therein. These results are complementary to ours.…”
We initiate the provable related-key security treatment for models of practical Feistel ciphers. In detail, we consider Feistel networks with four whitening keys wi(k), i = 0, 1, 2, 3, and round-functions of the form f (γj(k) ⊕ X), where k is the master-key, wi and γj are efficient transformations, and f is a public ideal function or permutation accessible by the adversary. We investigate key-schedule conditions that are sufficient for security against XOR-induced related-key attacks up to 2 n/2 adversarial queries. When the key-schedules are non-linear, we prove security for 4 rounds. When only affine key-schedules are used, we prove security for 6 rounds. These also imply secure tweakable Feistel ciphers in the Random Oracle model.By shuffling the key-schedules, our model unifies both the DES-like structure (known as Feistel-2 scheme in the cryptanalytic community, a.k.a. key-alternating Feistel due to Lampe and Seurin, FSE 2014) and the Lucifer-like model (previously analyzed by Guo and Lin, TCC 2015). This allows us to derive concrete implications on these two (more common) models, and helps understanding their related-key security difference.
“…A concurrent work of Cogliati et al shows how to construct wide-block TBC from SPNs [62]. They focus on (better) beyond-birthday bounds, while we proved ⊕-RKA security which may not be implied by tweakable pseudorandomness.…”
Section: Introductionmentioning
confidence: 51%
“…These results are complementary to ours. Since we identified concrete conditions, our work is closer to the series [53], [21], [62].…”
Section: Introductionmentioning
confidence: 97%
“…Finally, in the ideal model, key-schedule conditions that suffice for some level of security have been characterized for single-key security of Luby-Rackoff [72], KACs [53], and SPNs [62], for ⊕-RKA security of KACs [21], and for indifferentiability of Luby-Rackoff [11] and KACs, see [15] and the reference therein. These results are complementary to ours.…”
We initiate the provable related-key security treatment for models of practical Feistel ciphers. In detail, we consider Feistel networks with four whitening keys wi(k), i = 0, 1, 2, 3, and round-functions of the form f (γj(k) ⊕ X), where k is the master-key, wi and γj are efficient transformations, and f is a public ideal function or permutation accessible by the adversary. We investigate key-schedule conditions that are sufficient for security against XOR-induced related-key attacks up to 2 n/2 adversarial queries. When the key-schedules are non-linear, we prove security for 4 rounds. When only affine key-schedules are used, we prove security for 6 rounds. These also imply secure tweakable Feistel ciphers in the Random Oracle model.By shuffling the key-schedules, our model unifies both the DES-like structure (known as Feistel-2 scheme in the cryptanalytic community, a.k.a. key-alternating Feistel due to Lampe and Seurin, FSE 2014) and the Lucifer-like model (previously analyzed by Guo and Lin, TCC 2015). This allows us to derive concrete implications on these two (more common) models, and helps understanding their related-key security difference.
“…The notion of indifferentiability, introduced by Maurer, Renner and Holenstein [26] generalizes over the standard notion of indistinguishability by considering settings where the adversary has oracle access to both the construction and its underlying primitive. It has been used as a way of reducing concerns in the design of block ciphers (with proofs for Feistel networks [20,21] and substitutionpermutation networks [16]) and hash functions (with proofs for the Merkle-Damgård construction [18] and the Sponge construction [14]), in each case formally capturing the intuition that the construction does not introduce any structural vulnerabilities when the underlying primitive is seen as an ideal black-box. Definition 2.1 (Indifferentiability [26]).…”
Section: Security Of the Sponge Constructionmentioning
We present a high-assurance and high-speed implementation of the SHA-3 hash function. Our implementation is written in the Jasmin programming language, and is formally verified for functional correctness, provable security and timing attack resistance in the EasyCrypt proof assistant. Our implementation is the first to achieve simultaneously the four desirable properties (efficiency, correctness, provable security, and side-channel protection) for a non-trivial cryptographic primitive.Concretely, our mechanized proofs show that: 1) the SHA-3 hash function is indifferentiable from a random oracle, and thus is resistant against collision, first and second preimage attacks; 2) the SHA-3 hash function is correctly implemented by a vectorized x86 implementation. Furthermore, the implementation is provably protected against timing attacks in an idealized model of timing leaks. The proofs include new EasyCrypt libraries of independent interest for programmable random oracles and modular indifferentiability proofs.
“…There is a huge amount of efficient designs that exploit this design strategy, including Rijndael/AES [ 20 ] which is perhaps the most important one. Theoretical aspects have been analyzed too, which include the asymptotic analysis by Miles and Viola [ 41 ], and more recent results in the provable security framework [ 16 , 26 ]. Fig.…”
Keyed and unkeyed cryptographic permutations often iterate simple round functions. Substitution-permutation networks (SPNs) are an approach that is popular since the mid 1990s. One of the new directions in the design of these round functions is to reduce the substitution (S-Box) layer from a full one to a partial one, uniformly distributed over all the rounds. LowMC and Zorro are examples of this approach.
A relevant freedom in the design space is to allow for a highly non-uniform distribution of S-Boxes. However, choosing rounds that are so different from each other is very rarely done, as it makes security analysis and implementation much harder.
We develop the design strategy
Hades
and an analysis framework for it, which despite this increased complexity allows for security arguments against many classes of attacks, similar to earlier simpler SPNs. The framework builds upon the wide trail design strategy, and it additionally allows for security arguments against algebraic attacks, which are much more of a concern when algebraically simple S-Boxes are used.
Subsequently, this is put into practice by concrete instances and benchmarks for a use case that generally benefits from a smaller number of S-Boxes and showcases the diversity of design options we support: A candidate cipher natively working with objects in
, for securing data transfers with distributed databases using secure multiparty computation (MPC). Compared to the currently fastest design MiMC, we observe significant improvements in online bandwidth requirements and throughput with a simultaneous reduction of preprocessing effort, while having a comparable online latency.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.
