Bounds for Balanced and Generalized Feistel Constructions

Transcription

1 Bounds for Balanced and Generalized Feistel Constructions Andrey Bogdanov Katholieke Universiteit Leuven, Belgium ECRYPT II SymLab Bounds 2010

2 Outline Feistel Constructions Efficiency Metrics Bounds for Feistel Ciphers Efficiency Comparison

3 Balanced and Generalized Feistel Networks High-Level Constructions BFN Type-I GFN Type-II GFN Type-III GFN Feistel

4 Balanced and Generalized Feistel Networks High-Level Constructions BFN Type-I GFN Type-II GFN Type-III GFN Feistel almost identical encryption and decryption functions

5 Balanced and Generalized Feistel Networks High-Level Constructions BFN Type-I GFN Type-II GFN Type-III GFN Feistel almost identical encryption and decryption functions easy extension of smaller non-linear functions to bigger permutations

6 Balanced and Generalized Feistel Networks High-Level Constructions BFN Type-I GFN Type-II GFN Type-III GFN Feistel almost identical encryption and decryption functions easy extension of smaller non-linear functions to bigger permutations some security proofs available

7 Balanced and Generalized Feistel Functions: SP vs SPS k i SP k i SPS s s s... M i vs s M i s s k i

8 Balanced and Generalized Feistel Functions: SP vs SPS k i SP k i SPS s s s... M i vs s M i s s k i Which one is more efficient for Feistel?

9 Balanced and Generalized Feistel Functions: SP vs SPS k i SP k i SPS s s s... M i vs s M i s s k i Which one is more efficient for Feistel? in terms of resistance against differential and linear cryptanalysis

10 Balanced and Generalized Feistel Functions: SP vs SPS k i SP k i SPS s s s... M i vs s M i s s k i Which one is more efficient for Feistel? in terms of resistance against differential and linear cryptanalysis SP has less S-boxes per function than SPS

11 Balanced and Generalized Feistel Functions: SP vs SPS k i SP k i SPS s s s... M i vs s M i s s k i Which one is more efficient for Feistel? in terms of resistance against differential and linear cryptanalysis SP has less S-boxes per function than SPS SPS turns out consistently more efficient than SP for Feistel!

12 Active S-Boxes

13 Active S-Boxes Differential and linear cryptanalysis

14 Active S-Boxes Differential and linear cryptanalysis two crucial types of attacks

15 Active S-Boxes Differential and linear cryptanalysis two crucial types of attacks tell in a sense how fast the cipher gets close to idealized cipher

16 Active S-Boxes Differential and linear cryptanalysis two crucial types of attacks tell in a sense how fast the cipher gets close to idealized cipher used as subroutines in numerous cryptanalytic extensions

17 Active S-Boxes Differential and linear cryptanalysis two crucial types of attacks tell in a sense how fast the cipher gets close to idealized cipher used as subroutines in numerous cryptanalytic extensions Active S-box

18 Active S-Boxes Differential and linear cryptanalysis two crucial types of attacks tell in a sense how fast the cipher gets close to idealized cipher used as subroutines in numerous cryptanalytic extensions Active S-box involved into the propagation of differential and linear patterns along differential and linear trails

19 Active S-Boxes Differential and linear cryptanalysis two crucial types of attacks tell in a sense how fast the cipher gets close to idealized cipher used as subroutines in numerous cryptanalytic extensions Active S-box involved into the propagation of differential and linear patterns along differential and linear trails contributes to the reduction of the trail probability

20 Active S-Boxes Differential and linear cryptanalysis two crucial types of attacks tell in a sense how fast the cipher gets close to idealized cipher used as subroutines in numerous cryptanalytic extensions Active S-box involved into the propagation of differential and linear patterns along differential and linear trails contributes to the reduction of the trail probability most clear and elaborated tool for security evaluation

21 Active S-Boxes Differential and linear cryptanalysis two crucial types of attacks tell in a sense how fast the cipher gets close to idealized cipher used as subroutines in numerous cryptanalytic extensions Active S-box involved into the propagation of differential and linear patterns along differential and linear trails contributes to the reduction of the trail probability most clear and elaborated tool for security evaluation Limits

22 Active S-Boxes Differential and linear cryptanalysis two crucial types of attacks tell in a sense how fast the cipher gets close to idealized cipher used as subroutines in numerous cryptanalytic extensions Active S-box involved into the propagation of differential and linear patterns along differential and linear trails contributes to the reduction of the trail probability most clear and elaborated tool for security evaluation Limits no evidence against impossible differential attacks

23 Active S-Boxes Differential and linear cryptanalysis two crucial types of attacks tell in a sense how fast the cipher gets close to idealized cipher used as subroutines in numerous cryptanalytic extensions Active S-box involved into the propagation of differential and linear patterns along differential and linear trails contributes to the reduction of the trail probability most clear and elaborated tool for security evaluation Limits no evidence against impossible differential attacks no evidence against multiset analysis/other structural attacks

24 Proportion of active S-boxes to all S-boxes [Shirai-Preneel04]

25 Proportion of active S-boxes to all S-boxes [Shirai-Preneel04] S-box layer is often the most costly operation of ciphers

26 Proportion of active S-boxes to all S-boxes [Shirai-Preneel04] S-box layer is often the most costly operation of ciphers A r,m = # active S-boxes over r rounds for block width m

27 Proportion of active S-boxes to all S-boxes [Shirai-Preneel04] S-box layer is often the most costly operation of ciphers A r,m = # active S-boxes over r rounds for block width m S r,m = # all S-boxes over r rounds for block width m

28 Proportion of active S-boxes to all S-boxes [Shirai-Preneel04] S-box layer is often the most costly operation of ciphers A r,m = # active S-boxes over r rounds for block width m S r,m = # all S-boxes over r rounds for block width m Proportion of active S-boxes over r rounds

29 Proportion of active S-boxes to all S-boxes [Shirai-Preneel04] S-box layer is often the most costly operation of ciphers A r,m = # active S-boxes over r rounds for block width m S r,m = # all S-boxes over r rounds for block width m Proportion of active S-boxes over r rounds E r,m = A r,m /S r,m

30 Proportion of active S-boxes to all S-boxes [Shirai-Preneel04] S-box layer is often the most costly operation of ciphers A r,m = # active S-boxes over r rounds for block width m S r,m = # all S-boxes over r rounds for block width m Proportion of active S-boxes over r rounds E r,m = A r,m /S r,m Asymptotic proportion of active S-boxes for r

31 Proportion of active S-boxes to all S-boxes [Shirai-Preneel04] S-box layer is often the most costly operation of ciphers A r,m = # active S-boxes over r rounds for block width m S r,m = # all S-boxes over r rounds for block width m Proportion of active S-boxes over r rounds E r,m = A r,m /S r,m Asymptotic proportion of active S-boxes for r E m = lim r E r,m

32 Proportion of active S-boxes to all S-boxes [Shirai-Preneel04] S-box layer is often the most costly operation of ciphers A r,m = # active S-boxes over r rounds for block width m S r,m = # all S-boxes over r rounds for block width m Proportion of active S-boxes over r rounds E r,m = A r,m /S r,m Asymptotic proportion of active S-boxes for r E m = lim r E r,m Asymptotic proportion of active S-boxes for r, m

33 Proportion of active S-boxes to all S-boxes [Shirai-Preneel04] S-box layer is often the most costly operation of ciphers A r,m = # active S-boxes over r rounds for block width m S r,m = # all S-boxes over r rounds for block width m Proportion of active S-boxes over r rounds E r,m = A r,m /S r,m Asymptotic proportion of active S-boxes for r E m = lim r E r,m Asymptotic proportion of active S-boxes for r, m E = lim m E m

34 Proportion of active S-boxes to all S-boxes [Shirai-Preneel04] S-box layer is often the most costly operation of ciphers A r,m = # active S-boxes over r rounds for block width m S r,m = # all S-boxes over r rounds for block width m Proportion of active S-boxes over r rounds E r,m = A r,m /S r,m Asymptotic proportion of active S-boxes for r E m = lim r E r,m Asymptotic proportion of active S-boxes for r, m E = lim m E m None of these metrics takes into account the linear operations!

35 Proportion of active S-boxes to all S-boxes [Shirai-Preneel04] S-box layer is often the most costly operation of ciphers A r,m = # active S-boxes over r rounds for block width m S r,m = # all S-boxes over r rounds for block width m Proportion of active S-boxes over r rounds E r,m = A r,m /S r,m Asymptotic proportion of active S-boxes for r E m = lim r E r,m Asymptotic proportion of active S-boxes for r, m E = lim m E m None of these metrics takes into account the linear operations! Large dense MDS matrices can also involve costly computation

36 Proportion of active S-Boxes to S-box and linear operations [Bogdanov09]

37 Proportion of active S-Boxes to S-box and linear operations [Bogdanov09] A r,m = # active S-boxes over r rounds

38 Proportion of active S-Boxes to S-box and linear operations [Bogdanov09] A r,m = # active S-boxes over r rounds S r,m = # all S-boxes over r rounds

39 Proportion of active S-Boxes to S-box and linear operations [Bogdanov09] A r,m = # active S-boxes over r rounds S r,m = # all S-boxes over r rounds L r,m = # all multiplications by constant in F 2 n over r rounds

40 Proportion of active S-Boxes to S-box and linear operations [Bogdanov09] A r,m = # active S-boxes over r rounds S r,m = # all S-boxes over r rounds L r,m = # all multiplications by constant in F 2 n over r rounds λ = cost of one multiplication by constant in F 2 n related to one S-box invocation

41 Proportion of active S-Boxes to S-box and linear operations [Bogdanov09] A r,m = # active S-boxes over r rounds S r,m = # all S-boxes over r rounds L r,m = # all multiplications by constant in F 2 n over r rounds λ = cost of one multiplication by constant in F 2 n related to one S-box invocation Proportion of active S-boxes over r rounds A r,m E r,m = S r,m + λl r,m

42 Proportion of active S-Boxes to S-box and linear operations [Bogdanov09] A r,m = # active S-boxes over r rounds S r,m = # all S-boxes over r rounds L r,m = # all multiplications by constant in F 2 n over r rounds λ = cost of one multiplication by constant in F 2 n related to one S-box invocation Proportion of active S-boxes over r rounds A r,m E r,m = S r,m + λl r,m Asymptotic proportion of active S-boxes for r E m = lim r E r,m

43 Proportion of active S-Boxes to S-box and linear operations [Bogdanov09] A r,m = # active S-boxes over r rounds S r,m = # all S-boxes over r rounds L r,m = # all multiplications by constant in F 2 n over r rounds λ = cost of one multiplication by constant in F 2 n related to one S-box invocation Proportion of active S-boxes over r rounds A r,m E r,m = S r,m + λl r,m Asymptotic proportion of active S-boxes for r E m = lim r E r,m Asymptotic proportion of active S-boxes for r, m E = lim m E m

44 Bounds for Feistel Ciphers Minimum # active S-boxes for SP-functions from literature: [Kanda01], [Shirai-Preneel04], [Wu-Zhang-Lin06], [Shibutani10] BFN-SP GFNI-SP GFNII-SP single-round diffusion M i = M round 4R rounds BR + R 2 16R rounds (3B + 1)R 6R rounds (2B + 2)R multiple-round diffusion M i distinct 3R rounds B R

45 Bounds for Feistel Ciphers Minimum # active S-boxes for SPS-functions: [Bogdanov10], [Bogdanov-Shibutani10] BFN-SPS GFNI-SPS GFNII-SPS GFNIII-SPS 3R rounds 2B 14R rounds 7BR 6R rounds 6BR 14R rounds 7BR

46 Bounds for Feistel Ciphers Minimum # active S-boxes for SPS-functions: [Bogdanov10], [Bogdanov-Shibutani10] BFN-SPS GFNI-SPS GFNII-SPS GFNIII-SPS 3R rounds 2B 14R rounds 7BR 6R rounds 6BR 14R rounds 7BR all single-round diffusion with M i = M in each round

47 Bounds for Feistel Ciphers Minimum # active S-boxes for SPS-functions: [Bogdanov10], [Bogdanov-Shibutani10] BFN-SPS GFNI-SPS GFNII-SPS GFNIII-SPS 3R rounds 2B 14R rounds 7BR 6R rounds 6BR 14R rounds 7BR all single-round diffusion with M i = M in each round proofs basically derive lower bounds on # active function

48 Bounds for Feistel Ciphers Minimum # active S-boxes for SPS-functions: [Bogdanov10], [Bogdanov-Shibutani10] BFN-SPS GFNI-SPS GFNII-SPS GFNIII-SPS 3R rounds 2B 14R rounds 7BR 6R rounds 6BR 14R rounds 7BR all single-round diffusion with M i = M in each round proofs basically derive lower bounds on # active function string-based approach to proofs

49 Bounds for Feistel Ciphers Minimum # active S-boxes for SPS-functions: [Bogdanov10], [Bogdanov-Shibutani10] BFN-SPS GFNI-SPS GFNII-SPS GFNIII-SPS 3R rounds 2B 14R rounds 7BR 6R rounds 6BR 14R rounds 7BR all single-round diffusion with M i = M in each round proofs basically derive lower bounds on # active function string-based approach to proofs all bounds are actually tight

50 Efficiency Comparison SP vs SPS: E = lim r,m A r,m/s r,m, MDS diffusion

51 Efficiency Comparison SP vs SPS: E m = lim r A r,m/s r,m, MDS diffusion

52 Efficiency Comparison SP vs SPS: E m = lim r A r,m/(s r,m + λl r,m), λ = 0.1, m = 8, MDS diffusion

56 Conjecture Instead of Conclusion Conjecture BFN-SPS is optimal with respect to E in the class of all BFN, GFNI, GFNII, and GFNIII designs with SP-, SPS-, SPSP-, SPSPS-,... -type functions instantiated with MDS matrices.