Provable security of (tweakable) block ciphers based on substitution-permutation networks

Benoît Cogliati; Yevgeniy Dodis; Jonathan Katz; Jooyoung Lee; John Steinberger; Aishwarya Thiruvengadam; Zhe Zhang

doi:10.1007/978-3-319-96884-1_24

Provable security of (tweakable) block ciphers based on substitution-permutation networks

Benoît Cogliati, Yevgeniy Dodis, Jonathan Katz, Jooyoung Lee, John Steinberger, Aishwarya Thiruvengadam, Zhe Zhang

Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Substitution-Permutation Networks (SPNs) refer to a family of constructions which build a wn-bit block cipher from n-bit public permutations (often called S-boxes), which alternate keyless and “local” substitution steps utilizing such S-boxes, with keyed and “global” permutation steps which are non-cryptographic. Many widely deployed block ciphers are constructed based on the SPNs, but there are essentially no provable-security results about SPNs. In this work, we initiate a comprehensive study of the provable security of SPNs as (possibly tweakable) wn-bit block ciphers, when the underlying n-bit permutation is modeled as a public random permutation. When the permutation step is linear (which is the case for most existing designs), we show that 3 SPN rounds are necessary and sufficient for security. On the other hand, even 1-round SPNs can be secure when non-linearity is allowed. Moreover, 2-round non-linear SPNs can achieve “beyond-birthday” (up to 2^2n/3adversarial queries) security, and, as the number of non-linear rounds increases, our bounds are meaningful for the number of queries approaching 2ⁿ. Finally, our non-linear SPNs can be made tweakable by incorporating the tweak into the permutation layer, and provide good multi-user security. As an application, our construction can turn two public n-bit permutations (or fixed-key block ciphers) into a tweakable block cipher working on wn-bit inputs, 6n-bit key and an n-bit tweak (for any w≥ 2); the tweakable block cipher provides security up to 2^2n/3 adversarial queries in the random permutation model, while only requiring w calls to each permutation, and 3w field multiplications for each wn-bit input.

Original language	English (US)
Title of host publication	Advances in Cryptology – CRYPTO 2018 - 38th Annual International Cryptology Conference, 2018, Proceedings
Editors	Alexandra Boldyreva, Hovav Shacham
Publisher	Springer Verlag
Pages	722-753
Number of pages	32
ISBN (Print)	9783319968834
DOIs	https://doi.org/10.1007/978-3-319-96884-1_24
State	Published - 2018
Event	38th Annual International Cryptology Conference, CRYPTO 2018 - Santa Barbara, United States Duration: Aug 19 2018 → Aug 23 2018

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	10991 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Other

Other	38th Annual International Cryptology Conference, CRYPTO 2018
Country/Territory	United States
City	Santa Barbara
Period	8/19/18 → 8/23/18

Keywords

Beyond-birthday-bound security
Domain extension of block ciphers
Substitution-permutation networks
Tweakable block ciphers

ASJC Scopus subject areas

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/978-3-319-96884-1_24

Cite this

Cogliati, B., Dodis, Y., Katz, J., Lee, J., Steinberger, J., Thiruvengadam, A., & Zhang, Z. (2018). Provable security of (tweakable) block ciphers based on substitution-permutation networks. In A. Boldyreva, & H. Shacham (Eds.), Advances in Cryptology – CRYPTO 2018 - 38th Annual International Cryptology Conference, 2018, Proceedings (pp. 722-753). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10991 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-319-96884-1_24

Provable security of (tweakable) block ciphers based on substitution-permutation networks. / Cogliati, Benoît; Dodis, Yevgeniy; Katz, Jonathan et al.
Advances in Cryptology – CRYPTO 2018 - 38th Annual International Cryptology Conference, 2018, Proceedings. ed. / Alexandra Boldyreva; Hovav Shacham. Springer Verlag, 2018. p. 722-753 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10991 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Cogliati, B, Dodis, Y, Katz, J, Lee, J, Steinberger, J, Thiruvengadam, A & Zhang, Z 2018, Provable security of (tweakable) block ciphers based on substitution-permutation networks. in A Boldyreva & H Shacham (eds), Advances in Cryptology – CRYPTO 2018 - 38th Annual International Cryptology Conference, 2018, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 10991 LNCS, Springer Verlag, pp. 722-753, 38th Annual International Cryptology Conference, CRYPTO 2018, Santa Barbara, United States, 8/19/18. https://doi.org/10.1007/978-3-319-96884-1_24

Cogliati B, Dodis Y, Katz J, Lee J, Steinberger J, Thiruvengadam A et al. Provable security of (tweakable) block ciphers based on substitution-permutation networks. In Boldyreva A, Shacham H, editors, Advances in Cryptology – CRYPTO 2018 - 38th Annual International Cryptology Conference, 2018, Proceedings. Springer Verlag. 2018. p. 722-753. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-319-96884-1_24

Cogliati, Benoît ; Dodis, Yevgeniy ; Katz, Jonathan et al. / Provable security of (tweakable) block ciphers based on substitution-permutation networks. Advances in Cryptology – CRYPTO 2018 - 38th Annual International Cryptology Conference, 2018, Proceedings. editor / Alexandra Boldyreva ; Hovav Shacham. Springer Verlag, 2018. pp. 722-753 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{b9487c8c00724641a2c6f88d400de01b,

title = "Provable security of (tweakable) block ciphers based on substitution-permutation networks",

abstract = "Substitution-Permutation Networks (SPNs) refer to a family of constructions which build a wn-bit block cipher from n-bit public permutations (often called S-boxes), which alternate keyless and “local” substitution steps utilizing such S-boxes, with keyed and “global” permutation steps which are non-cryptographic. Many widely deployed block ciphers are constructed based on the SPNs, but there are essentially no provable-security results about SPNs. In this work, we initiate a comprehensive study of the provable security of SPNs as (possibly tweakable) wn-bit block ciphers, when the underlying n-bit permutation is modeled as a public random permutation. When the permutation step is linear (which is the case for most existing designs), we show that 3 SPN rounds are necessary and sufficient for security. On the other hand, even 1-round SPNs can be secure when non-linearity is allowed. Moreover, 2-round non-linear SPNs can achieve “beyond-birthday” (up to 22n/3adversarial queries) security, and, as the number of non-linear rounds increases, our bounds are meaningful for the number of queries approaching 2n. Finally, our non-linear SPNs can be made tweakable by incorporating the tweak into the permutation layer, and provide good multi-user security. As an application, our construction can turn two public n-bit permutations (or fixed-key block ciphers) into a tweakable block cipher working on wn-bit inputs, 6n-bit key and an n-bit tweak (for any w≥ 2); the tweakable block cipher provides security up to 22n/3 adversarial queries in the random permutation model, while only requiring w calls to each permutation, and 3w field multiplications for each wn-bit input.",

keywords = "Beyond-birthday-bound security, Domain extension of block ciphers, Substitution-permutation networks, Tweakable block ciphers",

author = "Beno{\^i}t Cogliati and Yevgeniy Dodis and Jonathan Katz and Jooyoung Lee and John Steinberger and Aishwarya Thiruvengadam and Zhe Zhang",

note = "Publisher Copyright: {\textcopyright} International Association for Cryptologic Research 2018.; 38th Annual International Cryptology Conference, CRYPTO 2018 ; Conference date: 19-08-2018 Through 23-08-2018",

year = "2018",

doi = "10.1007/978-3-319-96884-1_24",

language = "English (US)",

isbn = "9783319968834",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "722--753",

editor = "Alexandra Boldyreva and Hovav Shacham",

booktitle = "Advances in Cryptology – CRYPTO 2018 - 38th Annual International Cryptology Conference, 2018, Proceedings",

}

TY - GEN

T1 - Provable security of (tweakable) block ciphers based on substitution-permutation networks

AU - Cogliati, Benoît

AU - Dodis, Yevgeniy

AU - Katz, Jonathan

AU - Lee, Jooyoung

AU - Steinberger, John

AU - Thiruvengadam, Aishwarya

AU - Zhang, Zhe

N1 - Publisher Copyright: © International Association for Cryptologic Research 2018.

PY - 2018

Y1 - 2018

N2 - Substitution-Permutation Networks (SPNs) refer to a family of constructions which build a wn-bit block cipher from n-bit public permutations (often called S-boxes), which alternate keyless and “local” substitution steps utilizing such S-boxes, with keyed and “global” permutation steps which are non-cryptographic. Many widely deployed block ciphers are constructed based on the SPNs, but there are essentially no provable-security results about SPNs. In this work, we initiate a comprehensive study of the provable security of SPNs as (possibly tweakable) wn-bit block ciphers, when the underlying n-bit permutation is modeled as a public random permutation. When the permutation step is linear (which is the case for most existing designs), we show that 3 SPN rounds are necessary and sufficient for security. On the other hand, even 1-round SPNs can be secure when non-linearity is allowed. Moreover, 2-round non-linear SPNs can achieve “beyond-birthday” (up to 22n/3adversarial queries) security, and, as the number of non-linear rounds increases, our bounds are meaningful for the number of queries approaching 2n. Finally, our non-linear SPNs can be made tweakable by incorporating the tweak into the permutation layer, and provide good multi-user security. As an application, our construction can turn two public n-bit permutations (or fixed-key block ciphers) into a tweakable block cipher working on wn-bit inputs, 6n-bit key and an n-bit tweak (for any w≥ 2); the tweakable block cipher provides security up to 22n/3 adversarial queries in the random permutation model, while only requiring w calls to each permutation, and 3w field multiplications for each wn-bit input.

AB - Substitution-Permutation Networks (SPNs) refer to a family of constructions which build a wn-bit block cipher from n-bit public permutations (often called S-boxes), which alternate keyless and “local” substitution steps utilizing such S-boxes, with keyed and “global” permutation steps which are non-cryptographic. Many widely deployed block ciphers are constructed based on the SPNs, but there are essentially no provable-security results about SPNs. In this work, we initiate a comprehensive study of the provable security of SPNs as (possibly tweakable) wn-bit block ciphers, when the underlying n-bit permutation is modeled as a public random permutation. When the permutation step is linear (which is the case for most existing designs), we show that 3 SPN rounds are necessary and sufficient for security. On the other hand, even 1-round SPNs can be secure when non-linearity is allowed. Moreover, 2-round non-linear SPNs can achieve “beyond-birthday” (up to 22n/3adversarial queries) security, and, as the number of non-linear rounds increases, our bounds are meaningful for the number of queries approaching 2n. Finally, our non-linear SPNs can be made tweakable by incorporating the tweak into the permutation layer, and provide good multi-user security. As an application, our construction can turn two public n-bit permutations (or fixed-key block ciphers) into a tweakable block cipher working on wn-bit inputs, 6n-bit key and an n-bit tweak (for any w≥ 2); the tweakable block cipher provides security up to 22n/3 adversarial queries in the random permutation model, while only requiring w calls to each permutation, and 3w field multiplications for each wn-bit input.

KW - Beyond-birthday-bound security

KW - Domain extension of block ciphers

KW - Substitution-permutation networks

KW - Tweakable block ciphers

UR - http://www.scopus.com/inward/record.url?scp=85052380695&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85052380695&partnerID=8YFLogxK

U2 - 10.1007/978-3-319-96884-1_24

DO - 10.1007/978-3-319-96884-1_24

M3 - Conference contribution

AN - SCOPUS:85052380695

SN - 9783319968834

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 722

EP - 753

BT - Advances in Cryptology – CRYPTO 2018 - 38th Annual International Cryptology Conference, 2018, Proceedings

A2 - Boldyreva, Alexandra

A2 - Shacham, Hovav

PB - Springer Verlag

T2 - 38th Annual International Cryptology Conference, CRYPTO 2018

Y2 - 19 August 2018 through 23 August 2018

ER -

Provable security of (tweakable) block ciphers based on substitution-permutation networks

Abstract

Publication series

Other

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this