
Towards Minimizing Non-linearity in Type-II Generalized Feistel Networks

  • Conference paper
Cryptology and Network Security (CANS 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14342)


Abstract

Recent works have revisited blockcipher structures to achieve MPC- and ZKP-friendly designs. In particular, Albrecht et al. (EUROCRYPT 2015) pioneered the use of a novel structure, SP networks with partial non-linear layers ( \(\text {P{-}SPNs}\) ), and later (ESORICS 2019) repopularized multi-line generalized Feistel networks (GFNs). In this paper, we continue exploring symmetric cryptographic constructions that are conducive to applications such as MPC. In order to study the minimization of non-linearity in Type-II Generalized Feistel Networks, we generalize the (extended) GFN by replacing the bit-wise shuffle in a \(\text {GFN}\) with the stronger linear layer of a \(\text {P{-}SPN}\) and by introducing the key in each round. We call this scheme Generalized Extended Generalized Feistel Network (\(\text {GEGFN}\)). When the block-functions (or S-boxes) are public random permutations or (domain-preserving) functions, we prove CCA security for the 5-round \(\text {GEGFN}\). Our results also hold when the block-functions are over the prime fields \(\mathbb {F} _p\), yielding blockcipher constructions over \((\mathbb {F} _p)^*\).


Notes

  1. We followed the attack idea in [19]. However, due to the difference between our construction and the \(\text {P{-}SPN}\) in the round function, the collision-inducing positions considered in our attack are distinct.

  2. Here we consider the information-theoretic setting, with no limit on the time complexity. In practice, \(N \) is usually small, especially in the binary fields, and this enumeration remains feasible.

References

  1. Albrecht, M.R., et al.: Feistel structures for MPC, and more. In: Sako, K., Schneider, S., Ryan, P.Y.A. (eds.) ESORICS 2019. LNCS, vol. 11736, pp. 151–171. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-29962-0_8

  2. Albrecht, M.R., Rechberger, C., Schneider, T., Tiessen, T., Zohner, M.: Ciphers for MPC and FHE. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 430–454. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_17

  3. Aly, A., Ashur, T., Ben-Sasson, E., Dhooghe, S., Szepieniec, A.: Design of symmetric-key primitives for advanced cryptographic protocols. IACR Trans. Symm. Cryptol. 2020(3), 1–45 (2020). https://doi.org/10.13154/tosc.v2020.i3.1-45

  4. Bar-On, A., Dinur, I., Dunkelman, O., Lallemand, V., Keller, N., Tsaban, B.: Cryptanalysis of SP networks with partial non-linear layers. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 315–342. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_13

  5. Berger, T.P., Francq, J., Minier, M., Thomas, G.: Extended generalized Feistel networks using matrix representation to propose a new lightweight block cipher: Lilliput. IEEE Trans. Comput. 65(7), 2074–2089 (2016). https://doi.org/10.1109/TC.2015.2468218

  6. Bhaumik, R., List, E., Nandi, M.: ZCZ – achieving n-bit SPRP security with a minimal number of tweakable-block-cipher calls. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11272, pp. 336–366. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03326-2_12

  7. Cauchois, V., Gomez, C., Thomas, G.: General diffusion analysis: how to find optimal permutations for generalized type-II Feistel schemes. IACR Trans. Symm. Cryptol. 2019(1), 264–301 (2019). https://doi.org/10.13154/tosc.v2019.i1.264-301

  8. Chen, S., Steinberger, J.: Tight security bounds for key-alternating ciphers. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 327–350. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_19

  9. Cogliati, B., et al.: Provable security of (tweakable) block ciphers based on substitution-permutation networks. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 722–753. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_24

  10. Derbez, P., Fouque, P., Lambin, B., Mollimard, V.: Efficient search for optimal diffusion layers of generalized Feistel networks. IACR Trans. Symmetric Cryptol. 2019(2), 218–240 (2019). https://doi.org/10.13154/tosc.v2019.i2.218-240

  11. Dodis, Y., Katz, J., Steinberger, J., Thiruvengadam, A., Zhang, Z.: Provable security of substitution-permutation networks. Cryptology ePrint Archive, Report 2017/016 (2017). https://eprint.iacr.org/2017/016

  12. Dodis, Y., Stam, M., Steinberger, J., Liu, T.: Indifferentiability of confusion-diffusion networks. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 679–704. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_24

  13. Gao, Y., Guo, C.: Provable security of HADES structure. In: Beresford, A.R., Patra, A., Bellini, E. (eds.) CANS 2022. LNCS, vol. 13641, pp. 258–276. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-20974-1_13

  14. Gérard, B., Grosso, V., Naya-Plasencia, M., Standaert, F.-X.: Block ciphers that are easier to mask: how far can we go? In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 383–399. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40349-1_22

  15. Grassi, L., Hao, Y., Rechberger, C., Schofnegger, M., Walch, R., Wang, Q.: Horst meets fluid-SPN: Griffin for zero-knowledge applications. Cryptology ePrint Archive, Paper 2022/403 (2022). https://eprint.iacr.org/2022/403. To appear at CRYPTO 2023

  16. Grassi, L., Kales, D., Khovratovich, D., Roy, A., Rechberger, C., Schofnegger, M.: Starkad and Poseidon: new hash functions for zero knowledge proof systems. Cryptology ePrint Archive, Report 2019/458 (2019). https://eprint.iacr.org/2019/458

  17. Grassi, L., Khovratovich, D., Rechberger, C., Roy, A., Schofnegger, M.: Poseidon: a new hash function for zero-knowledge proof systems. In: USENIX Security Symposium (2021)

  18. Grassi, L., Lüftenegger, R., Rechberger, C., Rotaru, D., Schofnegger, M.: On a generalization of substitution-permutation networks: the HADES design strategy. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12106, pp. 674–704. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_23

  19. Guo, C., Standaert, F.X., Wang, W., Wang, X., Yu, Y.: Provable security of SP networks with partial non-linear layers. In: FSE 2021, pp. 353–388 (2021). https://doi.org/10.46586/tosc.v2021.i2.353-388

  20. Halevi, S.: EME*: extending EME to handle arbitrary-length messages with associated data. In: Canteaut, A., Viswanathan, K. (eds.) INDOCRYPT 2004. LNCS, vol. 3348, pp. 315–327. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30556-9_25

  21. Halevi, S., Rogaway, P.: A tweakable enciphering mode. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 482–499. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_28

  22. Halevi, S., Rogaway, P.: A parallelizable enciphering mode. In: Okamoto, T. (ed.) CT-RSA 2004. LNCS, vol. 2964, pp. 292–304. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24660-2_23

  23. Hoang, V.T., Rogaway, P.: On generalized Feistel networks. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 613–630. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_33

  24. Iwata, T., Kurosawa, K.: On the pseudorandomness of the AES finalists - RC6 and Serpent. In: Goos, G., Hartmanis, J., van Leeuwen, J., Schneier, B. (eds.) FSE 2000. LNCS, vol. 1978, pp. 231–243. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44706-7_16

  25. Lacan, J., Fimes, J.: Systematic MDS erasure codes based on Vandermonde matrices. IEEE Commun. Lett. 8, 570–572 (2004)

  26. Nakamichi, R., Iwata, T.: Iterative block ciphers from tweakable block ciphers with long tweaks. IACR Trans. Symm. Cryptol. 2019(4), 54–80 (2019). https://doi.org/10.13154/tosc.v2019.i4.54-80

  27. Nakaya, K., Iwata, T.: Generalized Feistel structures based on tweakable block ciphers. IACR Trans. Symmetric Cryptol. 2022(4), 24–91 (2022). https://doi.org/10.46586/tosc.v2022.i4.24-91

  28. Nandi, M.: XLS is not a strong pseudorandom permutation. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 478–490. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_25

  29. Nandi, M.: On the optimality of non-linear computations of length-preserving encryption schemes. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 113–133. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48800-3_5

  30. Patarin, J.: The “coefficients H” technique. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 328–345. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04159-4_21

  31. Ristenpart, T., Rogaway, P.: How to enrich the message space of a cipher. In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 101–118. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74619-5_7

  32. Suzaki, T., Minematsu, K.: Improving the generalized Feistel. In: Hong, S., Iwata, T. (eds.) FSE 2010. LNCS, vol. 6147, pp. 19–39. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13858-4_2

  33. Wu, S., Wang, M.: Automatic search of truncated impossible differentials for word-oriented block ciphers. In: Galbraith, S., Nandi, M. (eds.) INDOCRYPT 2012. LNCS, vol. 7668, pp. 283–302. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34931-7_17

  34. Wu, W., Zhang, L.: LBlock: a lightweight block cipher. In: Lopez, J., Tsudik, G. (eds.) ACNS 2011. LNCS, vol. 6715, pp. 327–344. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21554-4_19

  35. Zheng, Y., Matsumoto, T., Imai, H.: On the construction of block ciphers provably secure and not relying on any unproved hypotheses. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 461–480. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_42


Acknowledgments

Chun Guo was partly supported by the National Natural Science Foundation of China (Grant No. 62002202) and the Taishan Scholars Program (for Young Scientists) of Shandong. Weijia Wang was partly supported by the Program of Qilu Young Scholars (Grant No. 61580082063088) of Shandong University.

Author information

Correspondence to Chun Guo.

Appendices

A The H-Coefficient Technique

We use Patarin’s H-coefficient technique [30] to prove the SPRP security of \(\text {GEGFNs}\). We provide a quick overview of its main ingredients here. Our presentation borrows heavily from that of [8]. Fix a distinguisher D that makes at most q queries to its oracles. As in the security definition presented above, D’s aim is to distinguish between two worlds: a “real world” and an “ideal world”. Assume wlog that D is deterministic. The execution of D defines a transcript that includes the sequence of queries and answers received from its oracles; D’s output is a deterministic function of its transcript. Thus, if \(\mu ,\nu \) denote the probability distributions on transcripts induced by the real and ideal worlds, respectively, then D’s distinguishing advantage is upper bounded by the statistical distance

$$\begin{aligned} \textsf{Dist} (\mu ,\nu ):=\frac{1}{2}\sum _{\tau }\big |\mu (\tau )-\nu (\tau )\big |, \end{aligned}$$
(16)

where the sum is taken over all possible transcripts \(\tau \).

Let \(\mathcal {T} \) denote the set of all transcripts \(\tau \) such that \(\nu (\tau )>0\). We look for a partition of \(\mathcal {T}\) into two sets \(\mathcal {T} _1\) and \(\mathcal {T} _2\) of “good” and “bad” transcripts, respectively, along with a constant \(\epsilon _1\in [0, 1)\) such that

$$\begin{aligned} \tau \in \mathcal {T} _1 \Longrightarrow \mu (\tau )/\nu (\tau )\ge 1-\epsilon _1. \end{aligned}$$
(17)

It is then possible to show (see [8] for details) that

$$\begin{aligned} \textsf{Dist} (\mu ,\nu )\le \epsilon _1+\Pr [\nu \in \mathcal {T} _2] \end{aligned}$$
(18)

is an upper bound on the distinguisher’s advantage.

B Deferred Proofs

1.1 B.1 Proof of Lemma 2

Wlog, consider the case of Type-I \(Q_{m_{\ell }}\), as the other case is symmetric. Assume otherwise, and let \(\textsf{tuple} _1=\big (u_1^{(j_1)},u_2^{(j_1)},v_4^{(j_1)},v_5^{(j_1)}\big )\) and \(\textsf{tuple} _2=\big (u_1^{(j_2)},u_2^{(j_2)},v_4^{(j_2)},v_5^{(j_2)}\big )\) in \(\cup _{i=1}^{\ell -1}Q_{m_i}\) be two such tuples with the smallest indices \(j_1,j_2\). Wlog assume \(j_2>j_1\), i.e., \(\textsf{tuple} _2\) was made later. Then \(\textsf{tuple} _2\) was necessarily a forward query, as otherwise \(u_1^{(j_1)}[\textsf {even} ]=u_1^{(j_2)}[\textsf {even} ]\) would contradict the goodness of \(\tau \) (the 4th condition). By this and further by the 4th condition, \(v_5^{(j_2)}[\textsf {even} ]\) is “new”, and \(\textsf{tuple} _2\) cannot be in any Type-II set \(Q_{m_i}\), \(i\le \ell -1\). This means there exists a Type-I set \(Q_{m_i}\), \(i\le \ell -1\), such that \(\textsf{tuple} _2\in Q_{m_i}\). By our rules, the tuples in the purported \(Q_{m_\ell }\) should have been placed in \(Q_{m_i}\), and thus \(Q_{m_\ell }\) should not exist, reaching a contradiction.

1.2 B.2 Proof of Lemma 3

Wlog consider a Type-I \(Q_{m_{\ell }}\). First, note that by \(\lnot \text {(B-1)} \) (the 1st condition), \(u_2^{(\ell ,i_1)}[j]\notin \text {Dom} _2\) and \(u_2^{(\ell ,i_2)}[j]\notin \text {Dom} _2\) for any \(j\in \{2,4,\ldots ,w\}\). We then distinguish two cases depending on \(\cup _{i=1}^{\ell -1}Q_{m_i}\) (which contribute to \(\text {ExtDom} _2^{(\ell )}\)):

Case 1: \(u_1^{(\ell ,i_1)}[\textsf {even} ]\ne u_1[\textsf {even} ]\) for all \((u_1,u_2,v_4,v_5)\in \cup _{i=1}^{\ell -1}Q_{m_i}\). Then by \(\lnot \text {(B-3)} \), \(u_2^{(\ell ,i_1)}[j],u_2^{(\ell ,i_2)}[j]\notin \text {ExtDom} _2^{(\ell )}\) for all \(j\in \{2,4,\ldots ,w\}\). Among these w/2 indices, there exists \(j_1\) such that \(u_2^{(\ell ,i_1)}[j_1]\ne u_2^{(\ell ,i_2)}[j_1]\), as otherwise, it would contradict the “\(q_C\) non-redundant forward/inverse queries”. Therefore, we complete the argument for this case.

Case 2: there exists \((u_1^*,u_2^*,v_4^*,v_5^*)\in \cup _{i=1}^{\ell -1}Q_{m_i}\) with \(u_1^*[\textsf {even} ]=u_1^{(\ell ,i_1)}[\textsf {even} ]\).

Then by construction, we have \(u_2^{(\ell ,i_1)}[\textsf {even} ]=u_2^*[\textsf {even} ]+\Delta _{i_1}\) and \(u_2^{(\ell ,i_2)}[\textsf {even} ]=u_2^*[\textsf {even} ]+\Delta _{i_2}\), where \(\Delta _{i_1}=T_{\textsc {eo}}\cdot \big (u_1^{(\ell ,i_1)}[\textsf {odd} ]-u_1^*[\textsf {odd} ]\big )\) and \(\Delta _{i_2}=T_{\textsc {eo}}\cdot \big (u_1^{(\ell ,i_2)}[\textsf {odd} ]-u_1^*[\textsf {odd} ]\big )\). Let \(\mathcal {J} _{i_1}\) be the subset of \(\{2,4,\ldots ,w\}\) such that \(\Delta _{i_1}[j]\ne \textsf{0} \) iff. \(j\in \mathcal {J} _{i_1}\), and \(\mathcal {J} _{i_2}\subseteq \{2,4,\ldots ,w\}\) be such that \(\Delta _{i_2}[j]\ne \textsf{0} \) iff. \(j\in \mathcal {J} _{i_2}\). We distinguish three subcases depending on \(\mathcal {J} _{i_1}\) and \(\mathcal {J} _{i_2}\):

  • Subcase 2.1: \(\mathcal {J} _{i_1}\backslash \mathcal {J} _{i_2}\ne \emptyset \). Then, let \(j_1\in \mathcal {J} _{i_1}\backslash \mathcal {J} _{i_2}\), and let \(j_2\in \mathcal {J} _{i_2}\) be arbitrary. This means \(j_1\ne j_2\), \(\Delta _{i_1}[j_1]\ne \textsf{0} \) but \(\Delta _{i_2}[j_1]=\textsf{0} \), and then \(u_2^{(\ell ,i_1)}[j_1]\ne u_2^{(\ell ,i_2)}[j_1]\). Moreover,

    • \(u_2^{(\ell ,i_1)}[j_1]\ne u_2^*[j_3]\) for any \(j_3\notin \{2,4,\ldots ,w\}\backslash \{j_1\}\), by \(\lnot \text {(B-3)} \) (the 2nd condition); \(u_2^{(\ell ,i_1)}[j_1]\ne u_2^*[j_1]\) since \(j_1\in \mathcal {J} _{i_1}\). Thus \(u_2^{(\ell ,i_1)}[j_1]\notin \text {ExtDom} _2^{(\ell )}\). Similarly for \(u_2^{(\ell ,i_2)}\).

    • \(u_1^{(\ell ,i_1)}[\textsf {even} ]\ne u_1^{**}[\textsf {even} ]\) for any \((u_1^{**},u_2^{**},v_4^{**},v_5^{**})\ne (u_1^*,u_2^*,v_4^*,v_5^*)\) in \(\cup _{i=1}^{\ell -1}Q_{m_i}\) (by Lemma 2), and thus \(u_2^{(\ell ,i_1)}[j_1]\ne u_2^{**}[j']\) for any \(j'\in \{2,4,\ldots ,w\}\) by \(\lnot \text {(B-3)} \) (the 1st condition). Similarly for \(u_2^{(\ell ,i_2)}\).

  • Subcase 2.2: \(\mathcal {J} _{i_2}\backslash \mathcal {J} _{i_1}\ne \emptyset \). Then, let \(j_2\in \mathcal {J} _{i_2}\backslash \mathcal {J} _{i_1}\), and \(j_1\in \mathcal {J} _{i_1}\), and the argument is similar to subcase 2.1 by symmetry.

  • Subcase 2.3: \(\mathcal {J} _{i_1}=\mathcal {J} _{i_2}\). Then there exists \(j\in \mathcal {J} _{i_1}\) such that \(\Delta _{i_1}[j]\ne \Delta _{i_2}[j]\), as otherwise \(\Delta _{i_1}=\Delta _{i_2}\), which is a contradiction. Let \(j_1=j_2=j\); then it is easy to see that all the claims hold.

By the above, for Type-I sets, the claims hold in all cases. This proves the claim.

C MDS Candidates in \(\mathbb {F} _N \)

An important question is whether such a strong T in Definition 1 exists at all. Note that if a strong T in Definition 1 exists, then T in Definition 2 naturally exists. Therefore, we give candidates in \(\mathbb {F} _N \), where \(N \) is either a power of 2 or a prime number.

1.1 C.1 MDS in Binary Field

Using the primitive polynomial \(x^8+x^4+x^3+x^2+1\), two candidates for \(N =2^8\) and \(w=8,16\), respectively, are as follows. We employ Vandermonde matrices [25] to generate these MDS matrices.

$$\tiny \begin{pmatrix}
\mathtt{0x87} & \mathtt{0xB3} & \mathtt{0x1D} & \mathtt{0xC7} & \mathtt{0x27} & \mathtt{0x12} & \mathtt{0x5A} & \mathtt{0x83}\\
\mathtt{0x86} & \mathtt{0x3C} & \mathtt{0xE6} & \mathtt{0x3E} & \mathtt{0x0D} & \mathtt{0xBA} & \mathtt{0xE9} & \mathtt{0x3D}\\
\mathtt{0x5D} & \mathtt{0xF4} & \mathtt{0x4A} & \mathtt{0x1C} & \mathtt{0x0C} & \mathtt{0x3B} & \mathtt{0x79} & \mathtt{0xB0}\\
\mathtt{0x51} & \mathtt{0xB1} & \mathtt{0xA6} & \mathtt{0xA5} & \mathtt{0x34} & \mathtt{0x6A} & \mathtt{0xA7} & \mathtt{0x1B}\\
\mathtt{0x63} & \mathtt{0x66} & \mathtt{0xBC} & \mathtt{0x83} & \mathtt{0x02} & \mathtt{0xC9} & \mathtt{0x63} & \mathtt{0x93}\\
\mathtt{0x61} & \mathtt{0xB5} & \mathtt{0xB6} & \mathtt{0x97} & \mathtt{0xEE} & \mathtt{0x67} & \mathtt{0x09} & \mathtt{0x74}\\
\mathtt{0x62} & \mathtt{0x9E} & \mathtt{0x42} & \mathtt{0xC4} & \mathtt{0x50} & \mathtt{0x35} & \mathtt{0xDA} & \mathtt{0xC4}\\
\mathtt{0xA5} & \mathtt{0x65} & \mathtt{0xFB} & \mathtt{0x90} & \mathtt{0xFC} & \mathtt{0x8E} & \mathtt{0xC9} & \mathtt{0x11}
\end{pmatrix},$$

$$\tiny \begin{pmatrix}
\mathtt{0x52} & \mathtt{0xE7} & \mathtt{0xAE} & \mathtt{0x82} & \mathtt{0x5E} & \mathtt{0x47} & \mathtt{0x66} & \mathtt{0x1C} & \mathtt{0x7C} & \mathtt{0x35} & \mathtt{0x68} & \mathtt{0xBE} & \mathtt{0x96} & \mathtt{0x13} & \mathtt{0xD1} & \mathtt{0x30}\\
\mathtt{0xFB} & \mathtt{0xA2} & \mathtt{0x7B} & \mathtt{0xAB} & \mathtt{0x2E} & \mathtt{0x8E} & \mathtt{0x5A} & \mathtt{0xF9} & \mathtt{0x8C} & \mathtt{0x07} & \mathtt{0xE2} & \mathtt{0xC3} & \mathtt{0x82} & \mathtt{0xC8} & \mathtt{0x89} & \mathtt{0xE2}\\
\mathtt{0xD4} & \mathtt{0xFA} & \mathtt{0xEC} & \mathtt{0x33} & \mathtt{0x7E} & \mathtt{0xE6} & \mathtt{0x04} & \mathtt{0xBC} & \mathtt{0x2D} & \mathtt{0x43} & \mathtt{0x2B} & \mathtt{0x7E} & \mathtt{0xAB} & \mathtt{0xDF} & \mathtt{0x58} & \mathtt{0xC7}\\
\mathtt{0xC4} & \mathtt{0xBF} & \mathtt{0xAF} & \mathtt{0x1A} & \mathtt{0x7A} & \mathtt{0xDF} & \mathtt{0xBD} & \mathtt{0xFE} & \mathtt{0x67} & \mathtt{0x5F} & \mathtt{0xDB} & \mathtt{0x3E} & \mathtt{0x52} & \mathtt{0xA7} & \mathtt{0xDA} & \mathtt{0xE6}\\
\mathtt{0xC1} & \mathtt{0x18} & \mathtt{0xDE} & \mathtt{0x5C} & \mathtt{0x1B} & \mathtt{0x26} & \mathtt{0x3D} & \mathtt{0xC8} & \mathtt{0x10} & \mathtt{0x4D} & \mathtt{0xC4} & \mathtt{0xD0} & \mathtt{0x0D} & \mathtt{0x62} & \mathtt{0x91} & \mathtt{0x25}\\
\mathtt{0x81} & \mathtt{0xD8} & \mathtt{0x77} & \mathtt{0x92} & \mathtt{0x12} & \mathtt{0x6A} & \mathtt{0x92} & \mathtt{0x3A} & \mathtt{0x8B} & \mathtt{0xCF} & \mathtt{0xAD} & \mathtt{0x43} & \mathtt{0xC4} & \mathtt{0xFD} & \mathtt{0x44} & \mathtt{0xBA}\\
\mathtt{0xDF} & \mathtt{0x67} & \mathtt{0x52} & \mathtt{0xE2} & \mathtt{0xCB} & \mathtt{0xCC} & \mathtt{0x8E} & \mathtt{0xEC} & \mathtt{0x1E} & \mathtt{0xEF} & \mathtt{0x71} & \mathtt{0xDC} & \mathtt{0xD7} & \mathtt{0xD1} & \mathtt{0x95} & \mathtt{0xA3}\\
\mathtt{0xE4} & \mathtt{0x3C} & \mathtt{0x88} & \mathtt{0xE7} & \mathtt{0xD2} & \mathtt{0x41} & \mathtt{0x01} & \mathtt{0x20} & \mathtt{0x3E} & \mathtt{0x56} & \mathtt{0x11} & \mathtt{0x9B} & \mathtt{0x09} & \mathtt{0xFD} & \mathtt{0xD2} & \mathtt{0xC0}\\
\mathtt{0xF7} & \mathtt{0x33} & \mathtt{0x8F} & \mathtt{0x55} & \mathtt{0x79} & \mathtt{0x65} & \mathtt{0x27} & \mathtt{0x29} & \mathtt{0x48} & \mathtt{0x39} & \mathtt{0x96} & \mathtt{0xB9} & \mathtt{0xF6} & \mathtt{0xBF} & \mathtt{0xA5} & \mathtt{0xBF}\\
\mathtt{0xAB} & \mathtt{0xEF} & \mathtt{0xA0} & \mathtt{0x9C} & \mathtt{0xA7} & \mathtt{0x6A} & \mathtt{0xF0} & \mathtt{0x44} & \mathtt{0x57} & \mathtt{0x63} & \mathtt{0xAF} & \mathtt{0x0F} & \mathtt{0x79} & \mathtt{0x6A} & \mathtt{0xBA} & \mathtt{0x3D}\\
\mathtt{0x66} & \mathtt{0x52} & \mathtt{0x58} & \mathtt{0xB5} & \mathtt{0x17} & \mathtt{0x1B} & \mathtt{0x58} & \mathtt{0xBE} & \mathtt{0x9C} & \mathtt{0xBA} & \mathtt{0x77} & \mathtt{0xD6} & \mathtt{0x30} & \mathtt{0xEA} & \mathtt{0xA1} & \mathtt{0xCE}\\
\mathtt{0xC6} & \mathtt{0x9D} & \mathtt{0x9C} & \mathtt{0xD2} & \mathtt{0x89} & \mathtt{0x02} & \mathtt{0x5F} & \mathtt{0x25} & \mathtt{0x90} & \mathtt{0x25} & \mathtt{0x34} & \mathtt{0x21} & \mathtt{0xD1} & \mathtt{0xE9} & \mathtt{0x2F} & \mathtt{0x52}\\
\mathtt{0xE9} & \mathtt{0x37} & \mathtt{0xB1} & \mathtt{0xF3} & \mathtt{0x88} & \mathtt{0x0F} & \mathtt{0x5F} & \mathtt{0xE7} & \mathtt{0xCA} & \mathtt{0x0D} & \mathtt{0xF9} & \mathtt{0x52} & \mathtt{0x9F} & \mathtt{0x80} & \mathtt{0xF5} & \mathtt{0x24}\\
\mathtt{0x13} & \mathtt{0xB4} & \mathtt{0xF3} & \mathtt{0x71} & \mathtt{0x0A} & \mathtt{0x7C} & \mathtt{0x13} & \mathtt{0xCC} & \mathtt{0xC2} & \mathtt{0x04} & \mathtt{0x43} & \mathtt{0xD3} & \mathtt{0xC0} & \mathtt{0xAC} & \mathtt{0x9B} & \mathtt{0x2C}\\
\mathtt{0xBE} & \mathtt{0x01} & \mathtt{0x7B} & \mathtt{0x40} & \mathtt{0x54} & \mathtt{0x49} & \mathtt{0x73} & \mathtt{0xD9} & \mathtt{0x2E} & \mathtt{0x47} & \mathtt{0xA5} & \mathtt{0x55} & \mathtt{0x3B} & \mathtt{0x55} & \mathtt{0xF7} & \mathtt{0x32}\\
\mathtt{0x5F} & \mathtt{0xA6} & \mathtt{0x19} & \mathtt{0x03} & \mathtt{0x4D} & \mathtt{0x3F} & \mathtt{0x9E} & \mathtt{0xE8} & \mathtt{0x9D} & \mathtt{0x54} & \mathtt{0xC0} & \mathtt{0xB6} & \mathtt{0x62} & \mathtt{0x5C} & \mathtt{0xE8} & \mathtt{0x8F}
\end{pmatrix}.$$

Using the primitive polynomial \(x^{11}+x^2+1\) a candidate for \(N =2^{11}\) and \(w=8\) is as follows:

$$\tiny \begin{pmatrix}
\mathtt{0x078} & \mathtt{0x166} & \mathtt{0x14D} & \mathtt{0x019} & \mathtt{0x1C8} & \mathtt{0x098} & \mathtt{0x187} & \mathtt{0x09C}\\
\mathtt{0x257} & \mathtt{0x436} & \mathtt{0x7F9} & \mathtt{0x644} & \mathtt{0x0F9} & \mathtt{0x370} & \mathtt{0x634} & \mathtt{0x260}\\
\mathtt{0x777} & \mathtt{0x721} & \mathtt{0x309} & \mathtt{0x609} & \mathtt{0x158} & \mathtt{0x59B} & \mathtt{0x353} & \mathtt{0x2C7}\\
\mathtt{0x5FC} & \mathtt{0x6D8} & \mathtt{0x63A} & \mathtt{0x21A} & \mathtt{0x78B} & \mathtt{0x483} & \mathtt{0x252} & \mathtt{0x65F}\\
\mathtt{0x74C} & \mathtt{0x4B3} & \mathtt{0x068} & \mathtt{0x1B5} & \mathtt{0x103} & \mathtt{0x273} & \mathtt{0x263} & \mathtt{0x330}\\
\mathtt{0x568} & \mathtt{0x45F} & \mathtt{0x401} & \mathtt{0x5EE} & \mathtt{0x25B} & \mathtt{0x541} & \mathtt{0x2D4} & \mathtt{0x517}\\
\mathtt{0x60C} & \mathtt{0x53B} & \mathtt{0x7EB} & \mathtt{0x30F} & \mathtt{0x0B8} & \mathtt{0x52D} & \mathtt{0x35C} & \mathtt{0x11B}\\
\mathtt{0x67C} & \mathtt{0x77C} & \mathtt{0x388} & \mathtt{0x749} & \mathtt{0x216} & \mathtt{0x742} & \mathtt{0x52B} & \mathtt{0x5BF}
\end{pmatrix}.$$

We have also found plenty of candidates for other parameters, which are however omitted for the sake of space.

1.2 C.2 MDS in Prime Field

Rescue [3] is a symmetric cryptographic algorithm over a prime field. To build its linear layer, [3] proposes an \(m\times 2m\) Vandermonde matrix whose entries are powers of a primitive element of \(\mathbb {F} _N \). This matrix is brought into reduced row echelon form, the leading \(m\times m\) identity block is removed, and the remaining \(m\times m\) block is the MDS matrix.

The field is \(\mathbb {F} _N \) where \(N = 2^{61} + 20 \cdot 2^{32} + 1\) and the state consists of \(w = 12\) elements. We get an MDS matrix \(T^{12\times 12}\) that satisfies Definition 1. Because the matrix is large, we give four submatrices of \(T^{12\times 12}\) for convenience.

Remark 1. Our results also apply to some finite commutative rings, provided MDS matrices exist over those rings. Let \(\mathcal {R}\) be a finite commutative ring with identity and let \(\mathcal {U(R)}\) be the set of unit elements in \(\mathcal {R}\). We note that a square matrix M over \(\mathcal {R}\) is an MDS matrix if and only if the determinant of every square submatrix of M is an element of \(\mathcal {U(R)}\).
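The MDS criterion used throughout Appendix C and Remark 1 (every square submatrix non-singular, i.e. with unit determinant) and the Vandermonde construction of C.1/C.2 (row-reduce an \(m\times 2m\) Vandermonde matrix to \([I\,|\,A]\) and keep \(A\)), as an added Python example that is not code from the paper. It takes from the page only the primitive polynomial \(x^8+x^4+x^3+x^2+1\), the prime \(N = 2^{61} + 20 \cdot 2^{32} + 1\) and the first \(8\times 8\) candidate; the evaluation points \(1,\ldots,2m\) over \(\mathbb {F} _N \) are a constructed choice standing in for the paper's powers of a primitive element, and all class and function names are mine.

```python
# Added example, not the paper's code: a field-agnostic MDS check (every square submatrix
# non-singular) applied to the paper's 8x8 GF(2^8) candidate, plus the Vandermonde /
# echelon-reduction construction of Appendix C.2 over F_N and GF(2^8).
from itertools import combinations


class GF2n:
    """GF(2^n) with log/antilog tables; poly must be primitive so that x generates GF(2^n)^*."""
    def __init__(self, n, poly):
        self.zero, self.one, self.order = 0, 1, (1 << n) - 1
        self.exp, self.log, x = [0] * (2 * self.order), [0] * (self.order + 1), 1
        for i in range(self.order):
            self.exp[i] = self.exp[i + self.order] = x   # doubled table: log sums need no mod
            self.log[x] = i
            x <<= 1                                       # multiply by x, reduce mod poly
            if x > self.order:
                x ^= poly
        if x != 1 or len(set(self.exp[: self.order])) != self.order:
            raise ValueError("polynomial is not primitive")
    def add(self, a, b): return a ^ b
    sub = add                                             # characteristic 2
    def mul(self, a, b): return 0 if 0 in (a, b) else self.exp[self.log[a] + self.log[b]]
    def inv(self, a): return self.exp[self.order - self.log[a]]


class PrimeField:
    """F_p, the setting of Appendix C.2."""
    def __init__(self, p): self.p, self.zero, self.one = p, 0, 1
    def add(self, a, b): return (a + b) % self.p
    def sub(self, a, b): return (a - b) % self.p
    def mul(self, a, b): return (a * b) % self.p
    def inv(self, a): return pow(a, -1, self.p)


def det(F, M):
    """Determinant over the field F by Gaussian elimination (a row swap flips the sign)."""
    A, n, d = [row[:] for row in M], len(M), F.one
    for c in range(n):
        piv = next((r for r in range(c, n) if A[r][c] != F.zero), None)
        if piv is None:
            return F.zero
        if piv != c:
            A[c], A[piv], d = A[piv], A[c], F.sub(F.zero, d)
        d, inv = F.mul(d, A[c][c]), F.inv(A[c][c])
        for r in range(c + 1, n):
            f = F.mul(A[r][c], inv)
            A[r] = [F.sub(a, F.mul(f, b)) for a, b in zip(A[r], A[c])]
    return d


def is_mds(F, M):
    """MDS iff every square submatrix is non-singular (Remark 1: over a ring, its determinant is a unit)."""
    n = len(M)          # cost: sum_k C(n,k)^2 determinants; fine for the paper's n = 8
    return all(det(F, [[M[r][c] for c in cols] for r in rows]) != F.zero
               for k in range(1, n + 1)
               for rows in combinations(range(n), k)
               for cols in combinations(range(n), k))


def vandermonde_mds(F, points):
    """Row-reduce the m x 2m Vandermonde matrix [V1 | V2] on 2m distinct points to [I | A]; A = V1^-1 V2 is MDS."""
    m = len(points) // 2
    V = [[F.one] * (2 * m)]                               # row i holds points^i
    for _ in range(m - 1):
        V.append([F.mul(v, p) for v, p in zip(V[-1], points)])
    for c in range(m):                                    # Gauss-Jordan on the left block
        piv = next(r for r in range(c, m) if V[r][c] != F.zero)
        V[c], V[piv] = V[piv], V[c]
        inv = F.inv(V[c][c])
        V[c] = [F.mul(inv, v) for v in V[c]]
        for r in range(m):
            if r != c and V[r][c] != F.zero:
                f = V[r][c]
                V[r] = [F.sub(a, F.mul(f, b)) for a, b in zip(V[r], V[c])]
    return [row[m:] for row in V]                         # drop the identity block


GF256 = GF2n(8, 0x11D)                # x^8 + x^4 + x^3 + x^2 + 1, as in Appendix C.1
RESCUE_N = 2**61 + 20 * 2**32 + 1     # the prime N of Appendix C.2
# The paper's first candidate (N = 2^8, w = 8), transcribed from Appendix C.1.
CANDIDATE_8x8 = [
    [0x87, 0xB3, 0x1D, 0xC7, 0x27, 0x12, 0x5A, 0x83], [0x86, 0x3C, 0xE6, 0x3E, 0x0D, 0xBA, 0xE9, 0x3D],
    [0x5D, 0xF4, 0x4A, 0x1C, 0x0C, 0x3B, 0x79, 0xB0], [0x51, 0xB1, 0xA6, 0xA5, 0x34, 0x6A, 0xA7, 0x1B],
    [0x63, 0x66, 0xBC, 0x83, 0x02, 0xC9, 0x63, 0x93], [0x61, 0xB5, 0xB6, 0x97, 0xEE, 0x67, 0x09, 0x74],
    [0x62, 0x9E, 0x42, 0xC4, 0x50, 0x35, 0xDA, 0xC4], [0xA5, 0x65, 0xFB, 0x90, 0xFC, 0x8E, 0xC9, 0x11],
]

def paper_candidate_is_mds(): return is_mds(GF256, CANDIDATE_8x8)
# Constructed points 1..2m over F_N (the paper uses powers of a primitive element instead).
def rescue_style_mds(m): return vandermonde_mds(PrimeField(RESCUE_N), list(range(1, 2 * m + 1)))
```

Calling `paper_candidate_is_mds()` runs the exhaustive 12 869-submatrix check on the page's candidate; `rescue_style_mds(4)` reproduces the C.2 construction at a size where the same check finishes instantly.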


Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.


Cite this paper

Zhao, Y., Guo, C., Wang, W. (2023). Towards Minimizing Non-linearity in Type-II Generalized Feistel Networks. In: Deng, J., Kolesnikov, V., Schwarzmann, A.A. (eds) Cryptology and Network Security. CANS 2023. Lecture Notes in Computer Science, vol 14342. Springer, Singapore. https://doi.org/10.1007/978-981-99-7563-1_5

  • DOI: https://doi.org/10.1007/978-981-99-7563-1_5

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-7562-4

  • Online ISBN: 978-981-99-7563-1