Abstract
Recent works of Cogliati et al. (CRYPTO 2018) have initiated provable treatments of Substitution-Permutation Networks (SPNs), one of the most popular approaches to constructing modern blockciphers. Such theoretical SPN models may employ non-linear diffusion layers, which enables beyond-birthday-bound provable security. However, for the model of real-world blockciphers, i.e., SPN models with linear diffusion layers, existing provable results are capped at birthday security, up to 2^{n/2} adversarial queries, where n is the size of the idealized S-boxes. In this paper, we overcome this birthday barrier and prove that a 4-round SPN with linear diffusion layers and independent round keys is secure up to 2^{2n/3} queries. For this, we identify conditions on the linear layers that are sufficient for such security, which, unsurprisingly, turn out to be slightly stronger than Cogliati et al.'s conditions for birthday security. These provide additional theoretical support for real-world SPN blockciphers.
Highlights
Modern blockciphers roughly fall into two classes, namely Feistel networks and their generalizations, and substitution-permutation networks (SPNs)
We focus on linear SPNs with independent S-boxes and independent round keys, and we will focus on the case where w ≥ 2, since, when w = 1, we recover the standard Even-Mansour construction that has already been well investigated
For such linear SPNs, we answer our main question positively and prove the first beyond-birthday-bound (BBB) 2n/3-bit security result on 4 rounds
Summary
Modern blockciphers roughly fall into two classes (with some rare exceptions such as IDEA [LM91] and KATAN [DDK09]), namely Feistel networks and their generalizations, and substitution-permutation networks (SPNs). To prove security for SPNs, the "S-boxes" may be idealized as secret random functions or permutations, leaving the permutation layers as efficient "non-cryptographic" functions [IK01, MV15]. In this case, the S-boxes act as the only source of cryptographic hardness, while the permutation layers only supply auxiliary combinatorial properties. Initiated by Dodis et al. [DSSL16, DKS+17], a series of works investigated a new model of SPNs, in which the S-boxes are small public ideal primitives and the permutation layers remain non-cryptographic. Cogliati and Lee improved this result by (i) adding tweaks into the non-linear transformations to obtain tweakable non-linear SPNs, and (ii) proving beyond-birthday-bound results [CL18]. They showed that two rounds of such tweakable non-linear SPNs are secure tweakable blockciphers [LRW11] up to roughly 2^{2n/3} adversarial queries, and they provided a (non-tight) asymptotic security bound improving as the number of rounds grows.
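The linear SPN model discussed above, as an added example in Python (not code from the paper): n = 8, independent round keys, one fresh uniformly random permutation per round and S-box position standing in for the idealized S-boxes, and a w × w diffusion matrix over GF(2^8) applied between rounds. The field polynomial, the round structure (whitening key, then each round applies S-boxes, the linear layer and a round key) and the particular MDS matrix for w = 2 are assumptions made for illustration; nothing here is claimed to satisfy the paper's sufficient conditions on the linear layer. With w = 1, a single round and the 1 × 1 identity matrix the construction collapses to the Even-Mansour cipher the highlights mention.

```python
from functools import reduce
from operator import xor
import random

POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES field (an assumed choice for n = 8)

def gf_mul(a, b):
    """Multiply two elements of GF(2^8) modulo POLY."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a = (a << 1) ^ (POLY if a & 0x80 else 0)
        b >>= 1
    return r

def linear_layer(M, x):
    """Apply the w x w diffusion matrix M over GF(2^8) to the w-word state x."""
    return [reduce(xor, (gf_mul(m, v) for m, v in zip(row, x)), 0) for row in M]

def xor_key(x, k):
    return [a ^ b for a, b in zip(x, k)]

class LinearSPN:
    """Key XOR, then `rounds` times: independent idealized S-boxes, linear layer, key XOR."""
    def __init__(self, w, rounds, M, M_inv, seed=0):
        rng = random.Random(seed)
        self.M, self.M_inv = M, M_inv
        # independent round keys k_0 .. k_rounds, each w words of 8 bits
        self.keys = [[rng.randrange(256) for _ in range(w)] for _ in range(rounds + 1)]
        # idealized S-boxes: a fresh uniformly random 8-bit permutation per round and position
        self.sboxes = [[rng.sample(range(256), 256) for _ in range(w)] for _ in range(rounds)]
        self.inv_sboxes = [[{v: i for i, v in enumerate(p)} for p in row] for row in self.sboxes]

    def encrypt(self, x):
        x = xor_key(x, self.keys[0])
        for r, row in enumerate(self.sboxes):
            x = [s[v] for s, v in zip(row, x)]                        # S-box layer
            x = xor_key(linear_layer(self.M, x), self.keys[r + 1])   # diffusion, round key
        return x

    def decrypt(self, y):
        for r in range(len(self.sboxes) - 1, -1, -1):
            y = linear_layer(self.M_inv, xor_key(y, self.keys[r + 1]))
            y = [s[v] for s, v in zip(self.inv_sboxes[r], y)]
        return xor_key(y, self.keys[0])

# w = 2 diffusion layer: an MDS matrix over GF(2^8) and its inverse (det = 3, 3^-1 = 0xF6)
M2 = [[1, 1], [1, 2]]
M2_INV = [[0xF7, 0xF6], [0xF6, 0xF6]]
```

`LinearSPN(2, 4, M2, M2_INV)` is the 4-round, w = 2 instance of the model; `decrypt` undoes `encrypt` for any state, which is the only correctness property a plain implementation can check, since the security claim is about query complexity, not about any single run.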