Skip to main content
SpringerLink
Log in

Layout Graphs, Random Walks and the t-Wise Independence of SPN Block Ciphers

  • Conference paper
  • First Online:
Advances in Cryptology – CRYPTO 2023 (CRYPTO 2023)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14083))

Included in the following conference series:

  • 1161 Accesses

Abstract

We continue the study of t-wise independence of substitution-permutation networks (SPNs) initiated by the recent work of Liu, Tessaro, and Vaikuntanathan (CRYPTO 2021).

Our key technical result shows that when the S-boxes are randomly and independently chosen and kept secret, an r-round SPN with input length \(n = b \cdot k\) is \(2^{-\varTheta (n)}\)-close to t-wise independent within \(r = O(\min \{k, \log t\})\) rounds for any t almost as large as \(2^{b/2}\). Here, b is the input length of the S-box and we assume that the underlying mixing achieves maximum branch number. We also analyze the special case of AES parameters (with random S-boxes), and show it is \(2^{-128}\)-close to pairwise independent in 7 rounds. Central to our result is the analysis of a random walk on what we call the layout graph, a combinatorial abstraction that captures equality and inequality constraints among multiple SPN evaluations.

We use our technical result to show concrete security bounds for SPNs with actual block cipher parameters and small-input S -boxes. (This is in contrast to the large body of results on ideal-model analyses of SPNs.) For example, for the censored-AES block cipher, namely AES with most of the mixing layers removed, we show that 192 rounds suffice to attain \(2^{-128}\)-closeness to pairwise independence. The prior such result for AES (Liu, Tessaro and Vaikuntanathan, CRYPTO 2021) required more than 9000 rounds.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 89.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 119.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    LTV prove that 6r-round AES is \(2^{r-1} (0.472)^r\)-close to pairwise independent, which becomes smaller than \(2^{-128}\) for \(r \ge 1528\).

  2. 2.

    Even if there exists distinct \(a,a'\) such that \(i\in I_{a,t}\cap I_{a',t}\), \(I_{\text {c}}\) is still well-defined. Because in such case, we must have \(i\in I_{a,a'}\) (otherwise I is not a valid layout), then \(\textbf{x}_{a}[i] = \textbf{x}_{a'}[i]\).

References

  1. Advanced Encryption Standard (AES). National Institute of Standards and Technology, NIST FIPS PUB 197, U.S. Department of Commerce (Nov 2001)

    Google Scholar 

  2. Andreeva, E., Bogdanov, A., Dodis, Y., Mennink, B., Steinberger, J.P.: On the indifferentiability of key-alternating ciphers. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 531–550. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_29

    Chapter  Google Scholar 

  3. Baignères, T., Vaudenay, S.: Proving the security of AES substitution-permutation network. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 65–81. Springer, Heidelberg (2006). https://doi.org/10.1007/11693383_5

    Chapter  Google Scholar 

  4. Biham, E., Shamir, A.: Differential cryptanalysis of des-like cryptosystems. J. Cryptol. 4(1), 3–72 (1991)

    Article  MathSciNet  MATH  Google Scholar 

  5. Bogdanov, A., Khovratovich, D., Rechberger, C.: Biclique cryptanalysis of the full AES. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 344–371. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_19

    Chapter  Google Scholar 

  6. Bogdanov, A., Knudsen, L.R., Leander, G., Standaert, F.-X., Steinberger, J., Tischhauser, E.: Key-alternating ciphers in a provable setting: encryption using a small number of public permutations. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 45–62. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_5

    Chapter  MATH  Google Scholar 

  7. Brodsky, A., Hoory, S.: Simple permutations mix even better. Random Struct. Algorithms 32(3), 274–289 (2008). https://doi.org/10.1002/rsa.20194

  8. Chen, S., Lampe, R., Lee, J., Seurin, Y., Steinberger, J.: Minimizing the two-round even-mansour cipher. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 39–56. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_3

    Chapter  Google Scholar 

  9. Chen, S., Steinberger, J.: Tight security bounds for key-alternating ciphers. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 327–350. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_19

    Chapter  Google Scholar 

  10. Cogliati, B., et al.: Provable security of (tweakable) block ciphers based on substitution-permutation networks. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 722–753. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_24

    Chapter  Google Scholar 

  11. Cogliati, B., Seurin, Y.: On the Provable Security of the Iterated Even-Mansour Cipher Against Related-Key and Chosen-Key Attacks. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 584–613. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_23

    Chapter  Google Scholar 

  12. Coron, J.S., Holenstein, T., Künzler, R., Patarin, J., Seurin, Y., Tessaro, S.: How to build an ideal cipher: The indifferentiability of the Feistel construction. J. Cryptol. 29(1), 61–114 (2016). https://doi.org/10.1007/s00145-014-9189-6

    Article  MathSciNet  MATH  Google Scholar 

  13. Courtois, N.T., Pieprzyk, J.: Cryptanalysis of block ciphers with overdefined systems of equations. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 267–287. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36178-2_17

    Chapter  Google Scholar 

  14. Daemen, J.: Cipher and hash function design strategies based on linear and differential cryptanalysis. Ph.D. Thesis, KU Leuven (1995)

    Google Scholar 

  15. Dai, Y., Seurin, Y., Steinberger, J., Thiruvengadam, A.: Indifferentiability of iterated even-mansour ciphers with non-idealized key-schedules: five rounds are necessary and sufficient. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 524–555. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_18

    Chapter  Google Scholar 

  16. Dai, Y., Steinberger, J.: Indifferentiability of 8-round feistel networks. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 95–120. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_4

    Chapter  Google Scholar 

  17. Dodis, Y., Karthikeyan, H., Wichs, D.: Small-box cryptography. In: Braverman, M. (ed.) 13th Innovations in Theoretical Computer Science Conference, ITCS 2022, January 31 - February 3, 2022, Berkeley, CA, USA. LIPIcs, vol. 215, pp. 56:1–56:25. Schloss Dagstuhl - Leibniz-Zentrum für Informatik (2022)

    Google Scholar 

  18. Dodis, Y., Katz, J., Steinberger, J., Thiruvengadam, A., Zhang, Z.: Provable security of substitution-permutation networks. Cryptology ePrint Archive, Report 2017/016 (2017). https://eprint.iacr.org/2017/016

  19. Dodis, Y., Stam, M., Steinberger, J., Liu, T.: Indifferentiability of confusion-diffusion networks. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 679–704. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_24

    Chapter  Google Scholar 

  20. Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. J. Cryptol. 10(3), 151–162 (1997). https://doi.org/10.1007/s001459900025

    Article  MathSciNet  MATH  Google Scholar 

  21. Farshim, P., Procter, G.: The related-key security of iterated even–mansour ciphers. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 342–363. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48116-5_17

    Chapter  Google Scholar 

  22. Guo, C., Lin, D.: On the indifferentiability of key-alternating feistel ciphers with no key derivation. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9014, pp. 110–133. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46494-6_6

    Chapter  Google Scholar 

  23. Hoang, V.T., Tessaro, S.: Key-alternating ciphers and key-length extension: exact bounds and multi-user security. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 3–32. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_1

    Chapter  Google Scholar 

  24. Hoory, S., Magen, A., Myers, S.A., Rackoff, C.: Simple permutations mix well. Theor. Comput. Sci. 348(2–3), 251–261 (2005)

    Article  MathSciNet  MATH  Google Scholar 

  25. Jakobsen, T., Knudsen, L.R.: The interpolation attack on block ciphers. In: FSE. Lecture Notes in Computer Science, vol. 1267, pp. 28–40. Springer (1997). https://doi.org/10.1007/bfb0052332

  26. Joan, D., Vincent, R.: The design of rijndael: Aes-the advanced encryption standard. Information Security and Cryptography (2002)

    Google Scholar 

  27. Kang, J.S., Hong, S., Lee, S., Yi, O., Park, C., Lim, J.: Practical and provable security against differential and linear cryptanalysis for substitution-permutation networks. Etri J. 23 (02 2002). https://doi.org/10.4218/etrij.01.0101.0402

  28. Kaplan, E., Naor, M., Reingold, O.: Derandomized constructions of k-wise (almost) independent permutations. In: APPROX-RANDOM. Lecture Notes in Computer Science, vol. 3624, pp. 354–365. Springer (2005). https://doi.org/10.1007/s00453-008-9267-y

  29. Kaplan, E., Naor, M., Reingold, O.: Derandomized constructions of k-wise (almost) independent permutations. Algorithmica 55(1), 113–133 (2009). https://doi.org/10.1007/s00453-008-9267-y

  30. Knudsen, L.: Deal - a 128-bit block cipher. In: NIST AES Proposal (1998)

    Google Scholar 

  31. Knudsen, L.R.: Truncated and higher order differentials. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-60590-8_16

    Chapter  Google Scholar 

  32. Knudsen, L., Wagner, D.: Integral cryptanalysis. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 112–127. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45661-9_9

    Chapter  Google Scholar 

  33. Lai, X.: Higher Order Derivatives and Differential Cryptanalysis, pp. 227–233. Springer, US, Boston, MA (1994). https://doi.org/10.1007/978-1-4615-2694-0_23

  34. Lai, X., Massey, J.L., Murphy, S.: Markov ciphers and differential cryptanalysis. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 17–38. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-46416-6_2

    Chapter  Google Scholar 

  35. Lampe, R., Patarin, J., Seurin, Y.: An asymptotically tight security analysis of the iterated even-mansour cipher. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 278–295. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_18

    Chapter  Google Scholar 

  36. Lampe, R., Seurin, Y.: Security Analysis of Key-Alternating Feistel Ciphers. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 243–264. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46706-0_13

    Chapter  Google Scholar 

  37. Liu, T., Tessaro, S., Vaikuntanathan, V.: The t-wise independence of substitution-permutation networks. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12828, pp. 454–483. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84259-8_16

    Chapter  Google Scholar 

  38. Matsui, M., Yamagishi, A.: A new method for known plaintext attack of FEAL cipher. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 81–91. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-47555-9_7

    Chapter  Google Scholar 

  39. Maurer, U., Pietrzak, K., Renner, R.: Indistinguishability Amplification. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 130–149. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_8

    Chapter  Google Scholar 

  40. Miles, E., Viola, E.: Substitution-permutation networks, pseudorandom functions, and natural proofs. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 68–85. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_5

    Chapter  Google Scholar 

  41. National Soviet Bureau of Standards: Information processing system - cryptographic protection - cryptographic algorithm gost 28147–89 (1989)

    Google Scholar 

  42. Nyberg, K.: Differentially uniform mappings for cryptography. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 55–64. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48285-7_6

    Chapter  Google Scholar 

  43. Patarin, J.: A proof of security in \(O(2^n)\) for the Benes scheme. In: Vaudenay, S. (ed.) AFRICACRYPT 08. LNCS, vol. 5023, pp. 209–220. Springer, Heidelberg (Jun (2008)

    Google Scholar 

  44. Tessaro, S.: Optimally secure block ciphers from ideal primitives. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 437–462. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48800-3_18

    Chapter  Google Scholar 

  45. Tiessen, T., Knudsen, L.R., Kölbl, S., Lauridsen, M.M.: Security of the AES with a secret S-box. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 175–189. Springer, Heidelberg (Mar 2015). https://doi.org/10.1007/978-3-662-48116-5_9

Download references

Acknowledgements

Pelecanos was supported by DARPA under Agreement No. HR00112020023. Tessaro was supported in part by NSF grants CNS-2026774, CNS-2154174, a JP Morgan Faculty Award, a CISCO Faculty Award, and a gift from Microsoft. Vaikuntanathan was supported by DARPA under Agreement No. HR00112020023, NSF CNS-2154149, and a Thornton Family Faculty Research Innovation Fellowship.

Author information

Authors and Affiliations

  1. Peking University, Beijing, China

    Tianren Liu

  2. UC Berkeley, Berkeley, USA

    Angelos Pelecanos

  3. University of Washington, Seattle, USA

    Stefano Tessaro

  4. MIT CSAIL, Cambridge, USA

    Vinod Vaikuntanathan

Authors
  1. Tianren Liu
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Angelos Pelecanos
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Stefano Tessaro
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Vinod Vaikuntanathan
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Tianren Liu .

Editor information

Editors and Affiliations

  1. Rambus Inc., San Jose, CA, USA

    Helena Handschuh

  2. Brown University, Providence, RI, USA

    Anna Lysyanskaya

Rights and permissions

Reprints and permissions

Copyright information

© 2023 International Association for Cryptologic Research

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Liu, T., Pelecanos, A., Tessaro, S., Vaikuntanathan, V. (2023). Layout Graphs, Random Walks and the t-Wise Independence of SPN Block Ciphers. In: Handschuh, H., Lysyanskaya, A. (eds) Advances in Cryptology – CRYPTO 2023. CRYPTO 2023. Lecture Notes in Computer Science, vol 14083. Springer, Cham. https://doi.org/10.1007/978-3-031-38548-3_23

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-38548-3_23

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-38547-6

  • Online ISBN: 978-3-031-38548-3

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

Search

Navigation