Abstract
Recent works have revisited blockcipher structures to achieve MPC- and ZKP-friendly designs. In particular, Albrecht et al. (EUROCRYPT 2015) first pioneered a novel structure, SP networks with partial non-linear layers ( \(\text {P{-}SPNs}\) ), and then (ESORICS 2019) repopularized multi-line generalized Feistel networks (GFNs). In this paper, we continue exploring symmetric cryptographic constructions that are conducive to applications such as MPC. In order to study the minimization of non-linearity in Type-II Generalized Feistel Networks, we generalize the (extended) GFN by replacing the bit-wise shuffle in a \(\text {GFN}\) with the stronger linear layer of a \(\text {P{-}SPN}\) and introducing the key in each round. We call this scheme Generalized Extended Generalized Feistel Network (\(\text {GEGFN}\)). When the block-functions (or S-boxes) are public random permutations or (domain-preserving) functions, we prove CCA security for the 5-round \(\text {GEGFN}\). Our results also hold when the block-functions are over the prime fields \(\mathbb {F} _p\), yielding blockcipher constructions over \((\mathbb {F} _p)^*\).
Notes
1. We followed the attack idea in [19]. However, due to the difference between our construction and the \(\text {P{-}SPN}\) in the round function, the collision-inducing positions considered in our attack are distinct.
2. Here we consider the information-theoretic setting, with no limit on the time complexity. In practice, \(N \) is usually small, especially in the binary fields, and this enumeration remains feasible.
References
Albrecht, M.R., et al.: Feistel structures for MPC, and more. In: Sako, K., Schneider, S., Ryan, P.Y.A. (eds.) ESORICS 2019. LNCS, vol. 11736, pp. 151–171. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-29962-0_8
Albrecht, M.R., Rechberger, C., Schneider, T., Tiessen, T., Zohner, M.: Ciphers for MPC and FHE. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 430–454. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_17
Aly, A., Ashur, T., Ben-Sasson, E., Dhooghe, S., Szepieniec, A.: Design of symmetric-key primitives for advanced cryptographic protocols. IACR Trans. Symmetric Cryptol. 2020(3), 1–45 (2020). https://doi.org/10.13154/tosc.v2020.i3.1-45
Bar-On, A., Dinur, I., Dunkelman, O., Lallemand, V., Keller, N., Tsaban, B.: Cryptanalysis of SP networks with partial non-linear layers. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 315–342. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_13
Berger, T.P., Francq, J., Minier, M., Thomas, G.: Extended generalized Feistel networks using matrix representation to propose a new lightweight block cipher: Lilliput. IEEE Trans. Comput. 65(7), 2074–2089 (2016). https://doi.org/10.1109/TC.2015.2468218
Bhaumik, R., List, E., Nandi, M.: ZCZ – achieving n-bit SPRP security with a minimal number of tweakable-block-cipher calls. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11272, pp. 336–366. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03326-2_12
Cauchois, V., Gomez, C., Thomas, G.: General diffusion analysis: how to find optimal permutations for generalized type-II Feistel schemes. IACR Trans. Symmetric Cryptol. 2019(1), 264–301 (2019). https://doi.org/10.13154/tosc.v2019.i1.264-301
Chen, S., Steinberger, J.: Tight security bounds for key-alternating ciphers. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 327–350. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_19
Cogliati, B., et al.: Provable security of (tweakable) block ciphers based on substitution-permutation networks. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 722–753. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_24
Derbez, P., Fouque, P., Lambin, B., Mollimard, V.: Efficient search for optimal diffusion layers of generalized Feistel networks. IACR Trans. Symmetric Cryptol. 2019(2), 218–240 (2019). https://doi.org/10.13154/tosc.v2019.i2.218-240
Dodis, Y., Katz, J., Steinberger, J., Thiruvengadam, A., Zhang, Z.: Provable security of substitution-permutation networks. Cryptology ePrint Archive, Report 2017/016 (2017). https://eprint.iacr.org/2017/016
Dodis, Y., Stam, M., Steinberger, J., Liu, T.: Indifferentiability of confusion-diffusion networks. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 679–704. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_24
Gao, Y., Guo, C.: Provable security of HADES structure. In: Beresford, A.R., Patra, A., Bellini, E. (eds.) CANS 2022. LNCS, vol. 13641, pp. 258–276. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-20974-1_13
Gérard, B., Grosso, V., Naya-Plasencia, M., Standaert, F.-X.: Block ciphers that are easier to mask: how far can we go? In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 383–399. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40349-1_22
Grassi, L., Hao, Y., Rechberger, C., Schofnegger, M., Walch, R., Wang, Q.: Horst meets fluid-SPN: Griffin for zero-knowledge applications. Cryptology ePrint Archive, Paper 2022/403 (2022). https://eprint.iacr.org/2022/403. To appear at CRYPTO 2023
Grassi, L., Kales, D., Khovratovich, D., Roy, A., Rechberger, C., Schofnegger, M.: Starkad and Poseidon: new hash functions for zero knowledge proof systems. Cryptology ePrint Archive, Report 2019/458 (2019). https://eprint.iacr.org/2019/458
Grassi, L., Khovratovich, D., Rechberger, C., Roy, A., Schofnegger, M.: Poseidon: A new hash function for zero-knowledge proof systems. In: USENIX Security Symposium (2021)
Grassi, L., Lüftenegger, R., Rechberger, C., Rotaru, D., Schofnegger, M.: On a generalization of substitution-permutation networks: the HADES design strategy. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12106, pp. 674–704. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_23
Guo, C., Standaert, F.-X., Wang, W., Wang, X., Yu, Y.: Provable security of SP networks with partial non-linear layers. In: FSE 2021, pp. 353–388 (2021). https://doi.org/10.46586/tosc.v2021.i2.353-388
Halevi, S.: EME*: extending EME to handle arbitrary-length messages with associated data. In: Canteaut, A., Viswanathan, K. (eds.) INDOCRYPT 2004. LNCS, vol. 3348, pp. 315–327. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30556-9_25
Halevi, S., Rogaway, P.: A tweakable enciphering mode. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 482–499. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_28
Halevi, S., Rogaway, P.: A parallelizable enciphering mode. In: Okamoto, T. (ed.) CT-RSA 2004. LNCS, vol. 2964, pp. 292–304. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24660-2_23
Hoang, V.T., Rogaway, P.: On generalized Feistel networks. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 613–630. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_33
Iwata, T., Kurosawa, K.: On the pseudorandomness of the AES finalists - RC6 and Serpent. In: Goos, G., Hartmanis, J., van Leeuwen, J., Schneier, B. (eds.) FSE 2000. LNCS, vol. 1978, pp. 231–243. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44706-7_16
Lacan, J., Fimes, J.: Systematic MDS erasure codes based on Vandermonde matrices. IEEE Commun. Lett. 8, 570–572 (2004)
Nakamichi, R., Iwata, T.: Iterative block ciphers from tweakable block ciphers with long tweaks. IACR Trans. Symmetric Cryptol. 2019(4), 54–80 (2019). https://doi.org/10.13154/tosc.v2019.i4.54-80
Nakaya, K., Iwata, T.: Generalized Feistel structures based on tweakable block ciphers. IACR Trans. Symmetric Cryptol. 2022(4), 24–91 (2022). https://doi.org/10.46586/tosc.v2022.i4.24-91
Nandi, M.: XLS is not a strong pseudorandom permutation. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 478–490. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_25
Nandi, M.: On the optimality of non-linear computations of length-preserving encryption schemes. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 113–133. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48800-3_5
Patarin, J.: The “coefficients H” technique. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 328–345. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04159-4_21
Ristenpart, T., Rogaway, P.: How to enrich the message space of a cipher. In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 101–118. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74619-5_7
Suzaki, T., Minematsu, K.: Improving the generalized Feistel. In: Hong, S., Iwata, T. (eds.) FSE 2010. LNCS, vol. 6147, pp. 19–39. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13858-4_2
Wu, S., Wang, M.: Automatic search of truncated impossible differentials for word-oriented block ciphers. In: Galbraith, S., Nandi, M. (eds.) INDOCRYPT 2012. LNCS, vol. 7668, pp. 283–302. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34931-7_17
Wu, W., Zhang, L.: LBlock: a lightweight block cipher. In: Lopez, J., Tsudik, G. (eds.) ACNS 2011. LNCS, vol. 6715, pp. 327–344. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21554-4_19
Zheng, Y., Matsumoto, T., Imai, H.: On the construction of block ciphers provably secure and not relying on any unproved hypotheses. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 461–480. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_42
Acknowledgments
Chun Guo was partly supported by the National Natural Science Foundation of China (Grant No. 62002202) and the Taishan Scholars Program (for Young Scientists) of Shandong. Weijia Wang was partly supported by the Program of Qilu Young Scholars (Grant No. 61580082063088) of Shandong University.
Appendices
A The H-Coefficient Technique
We use Patarin’s H-coefficient technique [30] to prove the SPRP security of \(\text {GEGFNs}\). We provide a quick overview of its main ingredients here. Our presentation borrows heavily from that of [8]. Fix a distinguisher D that makes at most q queries to its oracles. As in the security definition presented above, D’s aim is to distinguish between two worlds: a “real world” and an “ideal world”. Assume wlog that D is deterministic. The execution of D defines a transcript that includes the sequence of queries and answers received from its oracles; D’s output is a deterministic function of its transcript. Thus, if \(\mu ,\nu \) denote the probability distributions on transcripts induced by the real and ideal worlds, respectively, then D’s distinguishing advantage is upper bounded by the statistical distance
where the sum is taken over all possible transcripts \(\tau \).
Let \(\mathcal {T} \) denote the set of all transcripts such that \(\nu (\tau )>0\) for all \(\tau \in \mathcal {T} \). We look for a partition of \(\mathcal {T}\) into two sets \(\mathcal {T} _1\) and \(\mathcal {T} _2\) of “good” and “bad” transcripts, respectively, along with a constant \(\epsilon _1\in [0, 1)\) such that
It is then possible to show (see [8] for details) that
is an upper bound on the distinguisher’s advantage.
B Deferred Proofs
B.1 Proof of Lemma 2
Wlog, consider the case of Type-I \(Q_{m_{\ell }}\), as the other case is symmetric. Assume otherwise, and let \(\textsf{tuple} _1=\big (u_1^{(j_1)},u_2^{(j_1)},v_4^{(j_1)},v_5^{(j_1)}\big )\) and \(\textsf{tuple} _2=\big (u_1^{(j_2)},u_2^{(j_2)},v_4^{(j_2)},v_5^{(j_2)}\big )\) in \(\cup _{i=1}^{\ell -1}Q_{m_i}\) be two such tuples with the smallest indices \(j_1,j_2\). Wlog assume \(j_2>j_1\), i.e., \(\textsf{tuple} _2\) came later. Then \(\textsf{tuple} _2\) was necessarily a forward query, as otherwise \(u_1^{(j_1)}[\textsf {even} ]=u_1^{(j_2)}[\textsf {even} ]\) would contradict the goodness of \(\tau \) (the 4th condition). By this, and further by the 4th condition, \(v_5^{(j_2)}[\textsf {even} ]\) is “new”, and \(\textsf{tuple} _2\) cannot be in any Type-II set \(Q_{m_i}\), \(i\le \ell -1\). This means there exists a Type-I set \(Q_{m_i}\), \(i\le \ell -1\), such that \(\textsf{tuple} _2\in Q_{m_i}\). By our rules, the tuples in the purported \(Q_{m_\ell }\) should have belonged to \(Q_{m_i}\), and thus \(Q_{m_\ell }\) should not exist, a contradiction.
B.2 Proof of Lemma 3
Wlog consider a Type-I \(Q_{m_{\ell }}\). First, note that by \(\lnot \text {(B-1)} \) (the 1st condition), \(u_2^{(\ell ,i_1)}[j]\notin \text {Dom} _2\) and \(u_2^{(\ell ,i_2)}[j]\notin \text {Dom} _2\) for any \(j\in \{2,4,\ldots ,w\}\). We then distinguish two cases depending on \(\cup _{i=1}^{\ell -1}Q_{m_i}\) (which contribute to \(\text {ExtDom} _2^{(\ell )}\)):
Case 1: \(u_1^{(\ell ,i_1)}[\textsf {even} ]\ne u_1[\textsf {even} ]\) for all \((u_1,u_2,v_4,v_5)\in \cup _{i=1}^{\ell -1}Q_{m_i}\). Then by \(\lnot \text {(B-3)} \), \(u_2^{(\ell ,i_1)}[j],u_2^{(\ell ,i_2)}[j]\notin \text {ExtDom} _2^{(\ell )}\) for all \(j\in \{2,4,\ldots ,w\}\). Among these w/2 indices, there exists \(j_1\) such that \(u_2^{(\ell ,i_1)}[j_1]\ne u_2^{(\ell ,i_2)}[j_1]\), as otherwise it would contradict the “\(q_C\) non-redundant forward/inverse queries”. This completes the argument for this case.
Case 2: there exists \((u_1^*,u_2^*,v_4^*,v_5^*)\in \cup _{i=1}^{\ell -1}Q_{m_i}\) with \(u_1^*[\textsf {even} ]=u_1^{(\ell ,i_1)}[\textsf {even} ]\).
Then by construction, we have \(u_2^{(\ell ,i_1)}[\textsf {even} ]=u_2^*[\textsf {even} ]+\Delta _{i_1}\) and \(u_2^{(\ell ,i_2)}[\textsf {even} ]=u_2^*[\textsf {even} ]+\Delta _{i_2}\), where \(\Delta _{i_1}=T_{\textsc {eo}}\cdot \big (u_1^{(\ell ,i_1)}[\textsf {odd} ]-u_1^*[\textsf {odd} ]\big )\) and \(\Delta _{i_2}=T_{\textsc {eo}}\cdot \big (u_1^{(\ell ,i_2)}[\textsf {odd} ]-u_1^*[\textsf {odd} ]\big )\). Let \(\mathcal {J} _{i_1}\) be the subset of \(\{2,4,\ldots ,w\}\) such that \(\Delta _{i_1}[j]\ne \textsf{0} \) iff \(j\in \mathcal {J} _{i_1}\), and let \(\mathcal {J} _{i_2}\subseteq \{2,4,\ldots ,w\}\) be such that \(\Delta _{i_2}[j]\ne \textsf{0} \) iff \(j\in \mathcal {J} _{i_2}\). We distinguish three subcases depending on \(\mathcal {J} _{i_1}\) and \(\mathcal {J} _{i_2}\):
- Subcase 2.1: \(\mathcal {J} _{i_1}\backslash \mathcal {J} _{i_2}\ne \emptyset \). Then, let \(j_1\in \mathcal {J} _{i_1}\backslash \mathcal {J} _{i_2}\), and let \(j_2\in \mathcal {J} _{i_2}\) be arbitrary. This means \(j_1\ne j_2\), \(\Delta _{i_1}[j_1]\ne \textsf{0} \) but \(\Delta _{i_2}[j_1]=\textsf{0} \), and then \(u_2^{(\ell ,i_1)}[j_1]\ne u_2^{(\ell ,i_2)}[j_1]\). Moreover,
  - \(u_2^{(\ell ,i_1)}[j_1]\ne u_2^*[j_3]\) for any \(j_3\in \{2,4,\ldots ,w\}\backslash \{j_1\}\), by \(\lnot \text {(B-3)} \) (the 2nd condition); and \(u_2^{(\ell ,i_1)}[j_1]\ne u_2^*[j_1]\) since \(j_1\in \mathcal {J} _{i_1}\). Thus \(u_2^{(\ell ,i_1)}[j_1]\notin \text {ExtDom} _2^{(\ell )}\). Similarly for \(u_2^{(\ell ,i_2)}\).
  - \(u_1^{(\ell ,i_1)}[\textsf {even} ]\ne u_1^{**}[\textsf {even} ]\) for any \((u_1^{**},u_2^{**},v_4^{**},v_5^{**})\ne (u_1^*,u_2^*,v_4^*,v_5^*)\) in \(\cup _{i=1}^{\ell -1}Q_{m_i}\) (by Lemma 2), and thus \(u_2^{(\ell ,i_1)}[j_1]\ne u_2^{**}[j']\) for any \(j'\in \{2,4,\ldots ,w\}\) by \(\lnot \text {(B-3)} \) (the 1st condition). Similarly for \(u_2^{(\ell ,i_2)}\).
- Subcase 2.2: \(\mathcal {J} _{i_2}\backslash \mathcal {J} _{i_1}\ne \emptyset \). Then, let \(j_2\in \mathcal {J} _{i_2}\backslash \mathcal {J} _{i_1}\) and \(j_1\in \mathcal {J} _{i_1}\); the argument is similar to Subcase 2.1 by symmetry.
- Subcase 2.3: \(\mathcal {J} _{i_1}=\mathcal {J} _{i_2}\). Then there exists \(j\in \mathcal {J} _{i_1}\) such that \(\Delta _{i_1}[j]\ne \Delta _{i_2}[j]\), as otherwise \(\Delta _{i_1}=\Delta _{i_2}\), a contradiction. Let \(j_1=j_2=j\); then it is easy to see that all the claims hold.
By the above, the claims hold in all cases for Type-I sets. Thus the claim.
C MDS Candidates in \(\mathbb {F} _N \)
An important question is whether such a strong T in Definition 1 exists at all. Note that if a strong T in Definition 1 exists, then T in Definition 2 naturally exists. Therefore, we give candidates in \(\mathbb {F} _N \), where \(N \) is either a power of 2 or a prime number.
C.1 MDS in Binary Field
Using the primitive polynomial \(x^8+x^4+x^3+x^2+1\), two candidates for \(N =2^8\) and \(w=8,16\), respectively, are as follows. We employ Vandermonde matrices [25] to generate these MDS matrices.
Using the primitive polynomial \(x^{11}+x^2+1\), a candidate for \(N =2^{11}\) and \(w=8\) is as follows:
We have also found plenty of candidates for other parameters, which are however omitted for the sake of space.
C.2 MDS in Prime Field
Rescue [3] is a symmetric cryptographic algorithm over a prime field. [3] proposes using \(m\times 2m\) Vandermonde matrices built from powers of an \(\mathbb {F} _N \) primitive element. This matrix is then echelon reduced, after which the \(m\times m\) identity matrix is removed and the MDS matrix is obtained.
The field is \(\mathbb {F} _N \) where \(N = 2^{61} + 20 \cdot 2^{32} + 1\) and the state consists of \(w = 12\) elements. We get an MDS matrix \(T^{12\times 12}\) that satisfies Definition 1. Because the matrix is large, we give four submatrices of \(T^{12\times 12}\) for convenience.
Remark 1. Our results also apply to some finite commutative rings, provided MDS matrices exist over these rings. Let \(\mathcal {R}\) be a finite commutative ring with identity and let \(\mathcal {U(R)}\) denote the set of unit elements in \(\mathcal {R}\). We note that a square matrix M over \(\mathcal {R}\) is an MDS matrix if and only if the determinant of every square submatrix of M is an element of \(\mathcal {U(R)}\).
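The C.2 recipe (Vandermonde matrix, echelon reduction, drop the identity block) together with the Remark 1 criterion (every square submatrix has a unit determinant, i.e. non-zero over a field), as an added worked example that is not the paper's or Rescue's code. The toy parameters \(p=17\), primitive element 3 and \(w=4\), and the choice of evaluation points \(g^0,\ldots,g^{2m-1}\), are this example's assumptions, not the paper's \(N=2^{61}+20\cdot 2^{32}+1\), \(w=12\); the binary-field candidates of C.1 would need \(\mathbb{F}_{2^n}\) arithmetic in place of arithmetic mod p.

```python
from itertools import combinations


def det_mod(M, p):
    """Determinant of a square matrix over F_p by Gaussian elimination."""
    A = [[x % p for x in row] for row in M]
    n, det = len(A), 1
    for c in range(n):
        piv = next((r for r in range(c, n) if A[r][c]), None)
        if piv is None:
            return 0  # no pivot in this column: the matrix is singular
        if piv != c:
            A[c], A[piv] = A[piv], A[c]
            det = -det  # a row swap flips the sign
        det = det * A[c][c] % p
        inv = pow(A[c][c], -1, p)
        for r in range(c + 1, n):
            f = A[r][c] * inv % p
            A[r] = [(a - f * b) % p for a, b in zip(A[r], A[c])]
    return det % p


def rref_mod(M, p):
    """Reduced row echelon form over F_p (the 'echelon reduction' step of C.2)."""
    A = [[x % p for x in row] for row in M]
    rows, cols, r = len(A), len(A[0]), 0
    for c in range(cols):
        if r == rows:
            break
        piv = next((i for i in range(r, rows) if A[i][c]), None)
        if piv is None:
            continue  # free column, no pivot here
        A[r], A[piv] = A[piv], A[r]
        inv = pow(A[r][c], -1, p)
        A[r] = [x * inv % p for x in A[r]]  # normalise the pivot to 1
        for i in range(rows):
            if i != r and A[i][c]:
                f = A[i][c]
                A[i] = [(a - f * b) % p for a, b in zip(A[i], A[r])]
        r += 1
    return A


def rescue_mds(p, g, m):
    """m x m MDS matrix over F_p: m x 2m Vandermonde matrix on the points
    g^0..g^(2m-1) (our point choice), reduced to [I | T]; return T."""
    pts = [pow(g, j, p) for j in range(2 * m)]
    assert len(set(pts)) == 2 * m, "g has too small an order to give 2m distinct points"
    V = [[pow(x, i, p) for x in pts] for i in range(m)]
    E = rref_mod(V, p)
    assert all(E[i][j] == int(i == j) for i in range(m) for j in range(m))
    return [row[m:] for row in E]


def is_mds(T, p):
    """Remark 1 over a field: MDS iff every square submatrix has non-zero determinant."""
    n = len(T)
    return all(det_mod([[T[i][j] for j in cs] for i in rs], p) != 0
               for k in range(1, n + 1)
               for rs in combinations(range(n), k)
               for cs in combinations(range(n), k))
```

`rescue_mds(17, 3, 4)` returns a \(4\times 4\) matrix over \(\mathbb{F}_{17}\) on which `is_mds` succeeds; the identity matrix, by contrast, fails the criterion on its zero \(1\times 1\) minors.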
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
Cite this paper
Zhao, Y., Guo, C., Wang, W. (2023). Towards Minimizing Non-linearity in Type-II Generalized Feistel Networks. In: Deng, J., Kolesnikov, V., Schwarzmann, A.A. (eds) Cryptology and Network Security. CANS 2023. Lecture Notes in Computer Science, vol 14342. Springer, Singapore. https://doi.org/10.1007/978-981-99-7563-1_5
DOI: https://doi.org/10.1007/978-981-99-7563-1_5
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-7562-4
Online ISBN: 978-981-99-7563-1