Type 1.x Generalized Feistel Structures

Similar documents
FFT-Based Key Recovery for the Integral Attack

A Unified Method for Finding Impossible Differentials of Block Cipher Structures

Key Difference Invariant Bias in Block Ciphers

Impossible Boomerang Attack for Block Cipher Structures

Lecture 12: Block ciphers

Improved Impossible Differential Cryptanalysis of Rijndael and Crypton

Impossible Differential Attacks on 13-Round CLEFIA-128

Complementing Feistel Ciphers

Linear Cryptanalysis of Reduced-Round PRESENT

Improved Meet-in-the-Middle Attacks on Reduced-Round Camellia-192/256

Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128

The Improved 96th-Order Differential Attack on 11 Rounds of the Block Cipher CLEFIA

Using MILP in Analysis of Feistel Structures and Improving Type II GFS by Switching Mechanism

jorge 2 LSI-TEC, PKI Certification department

How Biased Are Linear Biases

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

Cryptanalysis of a Generalized Unbalanced Feistel Network Structure

How Fast can be Algebraic Attacks on Block Ciphers?

Cryptanalysis of a Generalized Unbalanced Feistel Network Structure

Linear Cryptanalysis

A Five-Round Algebraic Property of the Advanced Encryption Standard

Linear Cryptanalysis. Kaisa Nyberg. Department of Computer Science Aalto University School of Science. S3, Sackville, August 11, 2015

Extended Generalized Feistel Networks Using Matrix Representation

Improved Multiple Impossible Differential Cryptanalysis of Midori128

Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON

Block ciphers. Block ciphers. Data Encryption Standard (DES) DES: encryption circuit

Extended Generalized Feistel Networks using Matrix Representation

Cryptanalysis of the Full DES and the Full 3DES Using a New Linear Property

Algebraic Techniques in Differential Cryptanalysis

Cryptography Lecture 4 Block ciphers, DES, breaking DES

Differential Attack on Five Rounds of the SC2000 Block Cipher

hold or a eistel cipher. We nevertheless prove that the bound given by Nyberg and Knudsen still holds or any round keys. This stronger result implies

Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher

Block Ciphers and Systems of Quadratic Equations

Links among Impossible Differential, Integral and Zero Correlation Linear Cryptanalysis

Thesis Research Notes

Extended Criterion for Absence of Fixed Points

Low Probability Differentials and the Cryptanalysis of Full-Round CLEFIA-128

Quantum Chosen-Ciphertext Attacks against Feistel Ciphers

Differential Analysis of the LED Block Cipher

Outline. 1 Arithmetic on Bytes and 4-Byte Vectors. 2 The Rijndael Algorithm. 3 AES Key Schedule and Decryption. 4 Strengths and Weaknesses of Rijndael

Structural Evaluation by Generalized Integral Property

A New Algorithm to Construct. Secure Keys for AES

Enhancing the Signal to Noise Ratio

The Hash Function JH 1

Public-key Cryptography: Theory and Practice

AURORA: A Cryptographic Hash Algorithm Family

Further improving security of Vector Stream Cipher

Affine equivalence in the AES round function

Towards Provable Security of Substitution-Permutation Encryption Networks

Attacking AES via SAT

Some attacks against block ciphers

On the Design Rationale of Simon Block Cipher: Integral Attacks and Impossible Differential Attacks against Simon Variants

On the Counter Collision Probability of GCM*

Symmetric Crypto Systems

Chapter 1 - Linear cryptanalysis.

Block Cipher Cryptanalysis: An Overview

On Feistel Ciphers Using Optimal Diffusion Mappings Across Multiple Rounds

Lecture 4: DES and block ciphers

Introduction to Modern Cryptography. (1) Finite Groups, Rings and Fields. (2) AES - Advanced Encryption Standard

Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock

Introduction to Cybersecurity Cryptography (Part 4)

Analysis of cryptographic hash functions

An average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES

A Pseudo-Random Encryption Mode

Huihui Yap* and Khoongming Khoo. Axel Poschmann

Introduction to Cybersecurity Cryptography (Part 4)

S-box (Substitution box) is a basic component of symmetric

Division Property: a New Attack Against Block Ciphers

Algebraic Analysis of the Simon Block Cipher Family

Revisit and Cryptanalysis of a CAST Cipher

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent

Cryptanalysis of SP Networks with Partial Non-Linear Layers

Correlation Attack to the Block Cipher RC5. and the Simplied Variants of RC6. 3 Fujitsu Laboratories LTD.

A Brief Comparison of Simon and Simeck

3-6 On Multi Rounds Elimination Method for Higher Order Differential Cryptanalysis

AES side channel attacks protection using random isomorphisms

Structural Cryptanalysis of SASAS

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida

Invariant Subspace Attack Against Full Midori64

Integrals go Statistical: Cryptanalysis of Full Skipjack Variants

Links Between Theoretical and Effective Differential Probabilities: Experiments on PRESENT

Biomedical Security. Overview 9/15/2017. Erwin M. Bakker

Specification on a Block Cipher : Hierocrypt L1

Differential Cache Trace Attack Against CLEFIA

Preimage Attacks on Reduced Tiger and SHA-2

Improved Impossible Differential Attack on Reduced Version of Camellia-192/256

On Pseudo Randomness from Block Ciphers

Invariant Subspace Attack Against Midori64 and The Resistance Criteria for S-box Designs

ON THE SECURITY OF THE ADVANCED ENCRYPTION STANDARD

Symmetric Crypto Systems

Klein s and PTW Attacks on WEP

Structural Cryptanalysis of SASAS

Cryptanalysis of a Multistage Encryption System

On Correlation Between the Order of S-boxes and the Strength of DES

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

Transcription:

Noname manuscript No. (will be inserted by the editor) Type 1.x Generalized eistel Structures Shingo Yanagihara Tetsu Iwata Received: date / Accepted: date Abstract We formalize the Type 1.x Generalized eistel Structure (GS) in order to fill the gap between Type 1 and Type 2 GSs. This is a natural extension of Type 1 and Type 2 GSs, and covers them as special cases. The diffusion property of GS is known to vary depending on the permutation used in the round function. When we have two non-linear functions in one round, we propose a permutation that has a good diffusion property, and compare it with the structure that uses a sub-block-wise cyclic shift. We also present experimental results of exhaustively evaluating the diffusion properties of all permutations up to eight sub-blocks. Keywords Blockcipher Type 1.x generalized eistel structure permutation layer. 1 Introduction Background. The Generalized eistel Structure, which we write GS, is one of the structures used in the design of blockciphers and hash functions. In the classical eistel structure, the plaintext is divided into two sub-blocks, and these are encrypted through several round functions, while in GS, the plaintext is divided into d ( 3) sub-blocks. Compared to the SP network used in AES [4], GS has an advantage in that computation of the nonlinear functions is the same in encryption and decryption. On the other hand, the diffusion property of GS is generally poor and it requires many rounds to be secure. There are several types of GSs [12,5]. or example, Type 1, Type 2, Type 3, Source-Heavy, Target-Heavy, Alternating, and Nyberg s GSs are known. We will focus on Type 1 and Type 2 GSs, and the former is used for example in CAST-256 and Lesamnta, and the latter is used in RC6, HIGHT, and CLEIA. S. Yanagihara Nagoya University, Japan E-mail: s yanagi@echo.nuee.nagoya-u.ac.jp T. Iwata Nagoya University, Japan E-mail: iwata@cse.nagoya-u.ac.jp

2 Shingo Yanagihara, Tetsu Iwata The security of these structures has been extensively evaluated. [5] shows the security of Nyberg s GS. The lower bounds on the number of active S-boxes for Type 1 and Type 2 GSs with single SP-functions and single-round diffusion are shown in [10] and [6], respectively. [7] derives the lower bounds in the case of using multiple-round diffusions, and [1,3,2] analyze the security of Type 1 and Type 2 GSs with double SP-functions. In the round function, GS generally uses the sub-block-wise cyclic shift over the sub-blocks, which we write π s, as the permutation. As stated above, the diffusion of GS is generally slow and it requires many rounds to be secure. At SE 2010, Suzaki and Minematsu proposed to use a non-cyclic shift in Type 2 GS, and demonstrated that the diffusion property is improved by changing the permutation from π s [8]. The result is incorporated into the design of a practical blockcipher called TWINE [9]. ollowing [8], Yanagihara and Iwata studied the diffusion properties of Type 1, Type 3, Source-Heavy, and Target-Heavy GSs [11]. They showed that the diffusion properties of Type 1 and Type 3 GSs can be improved by changing the permutation from π s. In this paper, we abuse the definition of GS and we use the term GS to mean structures where their permutations are not restricted to the sub-block-wise cyclic shift. Now Type 1 GS has one non-linear function in one round function, while Type 2 GS has d/2 functions, where d is the number of sub-blocks which is even in Type 2 GS. Then a natural question is to see structures where we have η non-linear functions in the round function, where 1 η d/2. Our Contributions. In this paper, we formalize a type of GS called Type 1.x GS to fill the gap between Type 1 and Type 2 GSs. Type 1.x GS is characterized by two integers d and η, where d is the number of sub-blocks which is not necessarily even, and η is the number of the non-linear functions in one round function. Type 1.x GS covers Type 1 and 2 GSs as special cases; they correspond to η = 1 and η = d/2, respectively. We note that Type 1.x GS itself is not new. or example the key schedule of 80-bit key TWINE [9] can be seen as this structure with d = 20 and η = 2. or η = 2, we propose a construction of a permutation, which we write π p, that has a good diffusion property. We also characterize the diffusion property of Type 1.x GS when we use π s as the permutation. We compare these two values to see that π p indeed has a better diffusion property. We also present experimental results of exhaustively evaluating the diffusion properties of all permutations for parameters 3 d 8 and 1 η d/2, and confirm that the proposed construction is the optimum construction in terms of diffusion. 2 Preliminaries We first introduce the Generalized eistel Structure (GS). Let n and d be integers, where n is the size of a sub-block in bits and d is the number of sub-blocks. Let x 0 = (x 0 0, x 0 1,..., x 0 d 1 ) ({0, 1}n ) d be a dn-bit plaintext. GS encrypts x 0 with a secret key by applying the round function for R times iteratively, and outputs a dn-bit ciphertext x R = (x R 0, x R 1,..., x R d 1 ) ({0, 1}n ) d. In ig. 1, we show an example of the round function. The round function consists of -Layer and Π-Layer. -Layer has key dependent functions and the

Type 1.x Generalized eistel Structures 3 d sub-blocks index 0 1 2 3 n bits -Layer Π-Layer ig. 1 Round unction ig. 2 Type 1 GS (d = 6) ig. 3 Type 2 GS (d = 6) ig. 4 Type 1.x GS ((d, η) = (6, 2)) xor operations. The structure of -Layer depends on the types of GS. Π-Layer is a permutation π over d sub-blocks. We assume that in the final round, the round function consists of only -Layer so that both encryption and decryption start with -Layer. Similarly to encryption, decryption is done by using 1 -Layer and Π 1 -Layer instead of -Layer and Π-Layer. As shown in ig. 1, the d sub-blocks are sequentially numbered from left to right as 0, 1,..., d 1 and π is considered to be a permutation over {0, 1,..., d 1}. We write π(i) for the index of the sub-block after applying π to the i-th sub-block. or example, in ig. 1, we have π(0) = 3, π(1) = 0, π(2) = 1, and π(3) = 0, and we also write them as π = (3, 0, 1, 2) collectively. or an integer r 1, π r (i) is the index of the sub-block after applying π to the i-th sub-block for r times. Similarly, π r (i) is the index of the sub-block after applying π 1 to the i-th sub-block for r times. We treat π 0 (i) as i. We define π s as π s = (d 1, 0, 1,..., d 2), i.e. π s is the sub-block-wise left cyclic shift. or encryption, let x r be the intermediate result after encrypting r rounds, and x r i be the i-th sub-block of x r. We write x r = (x r 0,..., x r d 1 ) ({0, 1}n ) d. or decryption, we define y r and yi r analogously. rom these definitions, x 0 and y R correspond to the plaintext, and y 0 and x R correspond to the ciphertext. Next, we introduce Type 1 and Type 2 GSs. Type 1 GS. We write E T1 (π) for Type 1 GS that uses π in Π-Layer. or E T1 (π), x r i is defined as x r i = { (x r 1 0 ) x r 1 x r 1 1 if = 1, otherwise, where : {0, 1} n {0, 1} n. See ig. 2 for an example of E T1 (π s ) with d = 6.

4 Shingo Yanagihara, Tetsu Iwata Type 2 GS. We write E T2 (π) for Type 2 GS that uses π in Π-Layer. or E T2 (π), x r i is defined as x r i = { (x r 1 1 ) xr 1 if mod 2 = 1, x r 1 otherwise, where : {0, 1} n {0, 1} n. Type 2 GS is not defined when d is odd. See ig. 3 for an example of E T2 (π s) with d = 6. Type 3 [12], Source-Heavy, Target-Heavy, and Alternating are also known as other types of GS. We note that as we allow any permutation in Π-Layer, Nyberg s GS can be seen as a special case of Type 2 GS. 3 Type 1.x GS Definition of Type 1.x GS. In this section, we formalize a type of GS which we call Type 1.x GS. Definition 1 Let d and η be integers such that d 3 and 1 η d/2. In Type 1.x GS, x r i is defined as x r i = { (x r 1 1 ) xr 1 x r 1 if mod 2 = 1 and 2η 1, otherwise, where : {0, 1} n {0, 1} n. We write E (d,η) (π) for Type 1.x GS that uses π in Π-Layer. igure 4 shows E (6,2) (π s ). We see that E T1 (π) with d sub-blocks is equivalent to E (d,1) (π), and E T2 (π) with d sub-blocks is equivalent to E (d,d/2) (π) where d is even. or example, ig. 2 is E (6,1) (π s ) and ig. 3 is E (6,3) (π s ). The integer, η, denotes the number of functions in one round, which is equivalent to the number of xor operations in one round. Equivalence of Type 1.x GS. We next define the equivalence of Type 1.x GS. Intuitively, if E (d,η) (π ) is obtained by exchanging several sub-blocks in E (d,η) (π), then we say that these two structures are equivalent. More precisely, we say that E (d,η) (π) and E (d,η) (π ) are equivalent if there exists π = (a 0,..., a d 1 ) such that π = π π (π ) 1, where {a 0, a 2,..., a 2η 2 } = {0, 2,..., 2η 2}, a 1 = a 0 + 1, a 3 = a 2 + 1,..., a 2η 1 = a 2η 2 + 1, and {a 2η, a 2η+1,..., a d 1 } = {2η, 2η + 1,..., d 1}. We note that g f(x) is g(f(x)). That is, E (d,η) (π) and E (d,η) (π ) are equivalent if π permutes the elements within {(0, 1), (2, 3),..., (2η 2, 2η 1)} and {2η, 2η + 1,..., d 1}. It can be verified that E (d,η) (π ) = π E (d,η) (π) (π ) 1. Therefore, E (d,η) (π) and E (d,η) (π ) are the same structures except that the orders of the input and the output are different.

Type 1.x Generalized eistel Structures 5 4 Diffusion Property In this section, following [8], we introduce the notion of DRmax (d,η) (π) to evaluate the diffusion property of Type 1.x GS. Data Dependent Variables. We first introduce the data dependent variables of Type 1.x GS, which we write X r and Y r. or encryption, if we consider the diffusion of the i-th sub-block of the plaintext, we let X 0 = (X0 0, X1 0,..., Xd 1 0 ) {0, 1}d, where Xi 0 = 1 and Xi 0 = 0 for i i. Intuitively, if the i-th input sub-block diffuses to the j-th sub-block after encrypting r rounds, then we let Xj r = 1, and Xj r = 0 otherwise. We write X r = (X0, r X1, r..., X r d 1 ). Similarly, the data dependent variable Y r = (Y0 r, Y1 r,..., Y r d 1 ) {0, 1}d is defined for decryption. If Yi 0 = 1 and Yj r depends on Yi 0, then we let Yj r = 1, and Yj r = 0 otherwise. Let j =. If j mod 2 = 1 and j 2η 1, then the i-th sub-block of the r-th round depends on the (j 1)-st sub-block through the function and the j-th sub-block of the (r 1)-st round. Otherwise, the i-th sub-block of the r-th round depends on the j-th sub-block of the (r 1)-st round. Therefore, given X 0 = (X0 0, X1 0,..., Xd 1 0 ) {0, 1}d, X r for r 1 is successively defined as follows. X r i = { X r 1 1 Xr 1 X r 1 if mod 2 = 1 and 2η 1, otherwise. We note that a b is the or operation of a and b. Similarly, for decryption, given Y 0 = (Y0 0, Y1 0,..., Yd 1 0 ) {0, 1}d, Y r for r 1 is defined as follows. Y r i = { Y r 1 π(i) 1 Y r 1 Y r 1 π(i) if π(i) mod 2 = 1 and π(i) 2η 1, π(i) otherwise. Let X r be the number of bit 1 in X r. If Xi r = 1, then we say that the i-th sub-block is active. If there exists r 0 such that X r = d, then we say that the input X 0 achieves D (ull Diffusion). If all X 0 such that X 0 = 1 achieve D, then we say that the GS achieves D. Definition of DRmax (d,η) (π) [8]. Next, we define DRmax (d,η) (π), which is used to characterize the diffusion property of Type 1.x GS using π in Π-layer. This value is defined as the minimum number of round so that every sub-block depends on all the input sub-blocks. More precisely, it is defined as follows: DRmax (d,η) (π) def = max{drmax (d,η) (π), DRmax (d,η) (π)} irst, we define DRmax (d,η) E (π) by using DRmax (d,η) (π). DRmax (d,η) (π) is the minimum number of round such that the i-th input sub-block diffuses to all the sub-blocks in the encryption direction. Therefore, DRmax (d,η) (π) is defined as DRmax (d,η) (π) def = min{r i i, Xi 0 = 0, X0 i = 1, X r = d}. E D

6 Shingo Yanagihara, Tetsu Iwata Then DRmax (d,η) E (π) is defined as the maximum of DRmax (d,η) (π) over all 0 i d 1 as follows: DRmax (d,η) E (π) def = max{drmax (d,η) (π) 0 i d 1} Similarly, DRmax (d,η) D,i (π) and DRmax (d,η) D DRmax (d,η) (π) def = min{r i i, Yi 0 = 0, Y i 0 D,i (π) are defined for decryption. We let = 1, Y r = d} and DRmax (d,η) D (π) def = max{drmax (d,η) D,i (π) 0 i d 1}. We note that E (d,η) (π) has a better diffusion property if DRmax (d,η) (π) is smaller, and DRmax (d,η) (π) = implies that there exists an input sub-block x 0 i such that some output sub-block is independent of x 0 i after any number of rounds. We also remark that the above definitions are given for the sub-block-wise dependency, and that linear dependency is sufficient. That is, the definition of D does not mean that every output bit depends on all the input bits. There are d! permutations over {0, 1,..., d 1} in total, and we say that the permutation π is optimum in terms of diffusion if DRmax (d,η) (π) is the minimum among all the d! permutations. We note that the optimum π may not be unique. We also note that this paper focuses on the diffusion property of a construction and we use DRmax (d,η) (π) to characterize the diffusion property. We expect that a better diffusion property implies better resistance against various cryptographic attacks, e.g., [8] shows, under a certain condition on the permutation, the relation between DRmax (d,d/2) (π) and the number of rounds of the impossible differential path and saturation path. However, DRmax (d,η) (π) may or may not directly reflect the security against, for example, differential or linear attacks, and hence the security against these attacks has to be evaluated independently. 5 Proposed Construction π p In this section, we focus on η = 2 and present our proposed construction which we call π p. We also derive a value of DRmax (d,2) (π p ). irst, we present our construction of π p. Definition 2 Let d 5, and a be an integer such that 1 a d 3. We define π p as follows: (1, 3, 4, 2, 5, 6,..., d 1, 0) if a = 1 π p = (1, 4, 0, 2, 5, 6,..., d 1, 3) if a = d 3 (1, 4, a + 3, 2, 5, 6,..., a + 2, 3, a + 4, a + 5,..., d 1, 0) otherwise or example, we have the following π p s when d = 9: (1, 3, 4, 2, 5, 6, 7, 8, 0) if a = 1 (1, 4, 5, 2, 3, 6, 7, 8, 0) if a = 2 (1, 4, 6, 2, 5, 3, 7, 8, 0) if a = 3 π p = (1, 4, 7, 2, 5, 6, 3, 8, 0) if a = 4 (1, 4, 8, 2, 5, 6, 7, 3, 0) if a = 5 (1, 4, 0, 2, 5, 6, 7, 8, 3) if a = 6

Type 1.x Generalized eistel Structures 7 ig. 5 Type 1.x GS with π p = (1, 3, 4, 2, 5, 6, 7, 8, 0) 0 1 2 3 a rounds d 2 a rounds ig. 6 Property of E (d,2) (π p ) in terms of the left four sub-blocks See ig. 6 for an example of Type 1.x GS with π p when (d, η) = (9, 2) and a = 1. We next introduce r ij and SB ij which are used to compute DRmax (d,2) (π p ). Definition 3 or any π, let r ij be the smallest integer r 1 such that π r (i) = j, and a set SB ij be SB ij = {k π r (i) = k, 0 < r r ij }. Intuitively, r ij is the smallest number of applications of π so that the i-th subblock propagates to the j-th sub-block, and SB ij is the set of sub-blocks which are passed in the process. igure 6 shows the propagation of the left four sub-blocks of Type 1.x GS with η = 2 and π p. The 0th sub-block propagates to the 1st sub-block, and the 3rd sub-block propagates to the 2nd sub-block in one round. The 1st sub-block propagates to the 3rd sub-block in a rounds, and the 3rd sub-block propagates to the 2nd sub-block in (d 2 a) rounds. By using the notation of r ij and SB ij, we have r 01 = r 32 = 1, r 13 = a, r 20 = d 2 a, 0, 2 SB 13, 1 SB 20, SB 13 SB 20 =, and (1) SB 13 SB 20 {1, 2} = {0, 1,..., d 1}, since SB 13 = {3, 4, 5,..., a + 1, a + 2} and SB 20 = {0, a + 3, a + 4,..., d 1}. Intuitively, π p is designed so that if the 2nd sub-block of E (d,2) (π p) is active in the encryption direction, then all the subsequent 2nd sub-blocks remain active as well. Similarly, if the 1st sub-block is active in the decryption direction, then all the 1st sub-blocks in the following rounds are active. The right (d 2η) sub-blocks are used as the propagation from the 1st and 2nd sub-blocks to the 3rd and 0th sub-blocks, respectively. The next lemma shows the value of DRmax (d,2) (π p). Lemma 1 Let d 5. Then we have DRmax (d,2) (π p ) = 2d 4.

8 Shingo Yanagihara, Tetsu Iwata or the lack of space, we only show a brief overview of the proof. irst, we compare DRmax (d,2) (π p ) for all 0 i d 1. By using (1), it can be shown that DRmax (d,2) E,π p (2) (πp) = 2(r 13 + r 20 ) = 2d 4 is larger than other DRmax (d,2) (π p) s. or decryption, we have DRmax (d,2) D (πp) = DRmax(d,2) E (π p) since E (d,2) (π p) and E (d,2) (πp 1 ) are equivalent, and the lemma follows. Lemma 1 covers d 5. or d = 4, we can define π p = (1, 3, 0, 2). Then we have r 01 = r 32 = r 13 = r 20 = 1. Since SB 13 = {3} and SB 20 = {0}, we also have 0, 2 SB 13, 1 SB 20, SB 13 SB 20 =, and SB 13 SB 20 {1, 2} = {0, 1, 2, 3}. Since these properties are equivalent to (1) and the proof of Lemma 1 works with these properties, we have DRmax (4,2) (π p ) = 2 4 4 = 4. 6 Analysis of E (d,η) (π s ) In this section, we analyze the diffusion property of E (d,η) (π s ). Lemma 2 or any d 3 and 1 η d/2, we have DRmax (d,η) (π s ) = max{drmax (d,η) D,2η 3 (πs), DRmax(d,η) D,2η 1 (πs)}, where ( ) d 2 (d η) + 2 if (d 2) mod η = 0 DRmax (d,η) D,2η 3 (π η s) = (2) d 2 (d 2η) + 2(d η) otherwise η ( ) d 1 (d η) + 1 if (d 1) mod η = 0 DRmax (d,η) D,2η 1 (πs) = η (3) d 1 (d 2η) + 2(d η) otherwise. η We show a brief overview of the proof. irst, we compare DRmax (d,η) (π s) for all 0 i d 1, and show that DRmax (d,η) E,d 1 (π s) (= 2d 2η) is the largest. Similarly, we analyze the decryption direction, and we have (2) and (3). Then we show that DRmax (d,η) D,2η 3 (πs) and DRmax(d,η) D,2η 1 (πs) are the candidates for the largest DRmax (d,η) D,i (π s) value. inally, we compare these three values to show DRmax (d,η) D,2η 3 (π s) DRmax (d,η) E,d 1 (π s) and DRmax (d,η) D,2η 1 (π s) DRmax (d,η) E,d 1 (π s), and we have the lemma. Discussions. We summarize the comparison between Lemma 1 and Lemma 2 for 3 d 16 in ig. 7. rom the figure, we see that E (d,2) (π p ) is better than E (d,2) (π s) in terms of the diffusion property for 3 d 16, that is, we have DRmax (d,2) (π s) 2(d 2) = 2d 4 = DRmax (d,2) (π p). We note that we have experimentally verified the result. 7 Experimental Results In this section, we present our experimental results on computing DRmax (d,η) (π). We compute DRmax (d,η) (π) for all 3 d 8 and 1 η d/2. In Tables 1 4,

Type 1.x Generalized eistel Structures 9 120 π s π p 100 DRmax (d,2) (π) 80 60 40 20 0 4 6 8 10 12 14 16 ig. 7 The values of DRmax (d,2) (π p) and DRmax (d,2) (π s) d we list π s and all optimum π s, i.e., DRmax (d,η) (π) is the minimum among all permutations for given d and η. Only the lexicographically first permutations in the equivalent classes are presented in the tables. Table 1 shows the results for η = 1. Similarly, Tables 2, 3, and 4 show results for η = 2, 3, and 4, respectively. In the tables, permutations with s are equivalent to π s. In Table 2 (for η = 2), the superscript in permutations with p indicates a value of a in Definition 2. Table 1 corresponds to Type 1 GS, and we see that the result is the same as the result in [11]. Also, we can verify that when d = 6, the permutation π = (1, 2, 5, 0, 3, 4) in Table 3 is equivalent to the inverse of No. 1 in [8, p. 38, k = 6]. Similarly, when d = 8, π = (3, 0, 1, 4, 7, 2, 5, 6) and π = (1, 2, 5, 0, 3, 6, 7, 4) in Table 4 are equivalent to No. 1 and its inverse in [8, p. 38, k = 8], respectively. urthermore, π = (1, 2, 5, 6, 7, 4, 3, 0) is equivalent to both No. 2 and its inverse in [8, p. 38, k = 8]. We summarize observations from these tables as follows: In many cases, there exist optimum permutations π such that DRmax (d,η) (π) < DRmax (d,η) (π s ), i.e., the diffusion property of Type 1.x GS can be improved by changing the permutation from π s. or 4 d 8 and η = 2, the proposed construction π p is the optimum permutation in terms of diffusion. or given d and η, Tables 1 4 are useful to know a permutation with a good diffusion property. However, suppose that (d, η) (d, η ) and we want to compare the diffusion properties of E (d,η) (π) and E (d,η ) (π ). In this case, the value of DRmax may not be suitable for this purpose, and one possible option to make a comparison is to consider the value ηdrmax (d,η) (π)/d, which can be easily derived from Tables 1 4.

10 Shingo Yanagihara, Tetsu Iwata Table 1 DRmax (d,1) (π) for 3 d 8 [11] d π DRmax 3 (2, 0, 1) s 5 4 (2, 0, 3, 1) s 10 (2, 0, 3, 4, 1) s 17 5 (2, 3, 4, 1, 0) 14 (2, 3, 4, 0, 1) 14 6 (2, 0, 3, 4, 5, 1) s 26 (2, 0, 3, 4, 5, 6, 1) s 37 7 (2, 3, 4, 5, 1, 6, 0) 27 (2, 3, 4, 5, 6, 0, 1) 27 (2, 0, 3, 4, 5, 6, 7, 1) s 50 8 (2, 3, 4, 5, 1, 6, 7, 0) 38 (2, 3, 4, 5, 6, 0, 7, 1) 38 Table 2 DRmax (d,2) (π) for 4 d 8 d π DRmax 4 (1, 3, 0, 2) 1 p 4 (3, 0, 1, 2) s 4 (1, 3, 4, 2, 0) 1 p 6 5 (1, 4, 0, 2, 3) 2 p 6 (3, 0, 4, 2, 1) s 7 (1, 3, 4, 2, 5, 0) 1 p 8 (1, 4, 0, 2, 5, 3) 3 p 8 6 (1, 4, 5, 2, 3, 0) 2 p 8 (3, 0, 4, 2, 5, 1) s 12 (3, 4, 5, 0, 2, 1) 8 (1, 3, 4, 2, 5, 6, 0) 1 p 10 (1, 4, 0, 2, 5, 6, 3) 4 p 10 7 (1, 4, 5, 2, 3, 6, 0) 2 p 10 (1, 4, 5, 2, 6, 0, 3) 3 p 10 (3, 0, 4, 2, 5, 6, 1) s 16 (1, 3, 4, 2, 5, 6, 7, 0) 1 p 12 (1, 4, 0, 2, 5, 6, 7, 3) 5 p 12 8 (1, 4, 5, 2, 3, 6, 7, 0) 2 p 12 (1, 4, 5, 2, 6, 0, 7, 3) 4 p 12 (1, 4, 5, 2, 6, 7, 3, 0) 3 p 12 s (3, 0, 4, 2, 5, 6, 7, 1) 24 Table 3 DRmax (d,3) (π) for 6 d 8 d π DRmax 6 (1, 2, 5, 0, 3, 4) 5 [8] (3, 0, 5, 2, 1, 4) s 6 (1, 2, 4, 0, 5, 6, 3) 7 (1, 2, 6, 0, 5, 3, 4) 7 7 (2, 0, 5, 6, 3, 4, 1) 7 (3, 0, 1, 5, 6, 4, 2) 7 (3, 0, 5, 2, 6, 4, 1) s 9 (1, 2, 4, 0, 5, 6, 7, 3) 9 (1, 2, 6, 0, 5, 3, 7, 4) 9 (1, 2, 6, 0, 5, 7, 4, 3) 9 (1, 2, 6, 7, 3, 4, 5, 0) 9 (1, 3, 5, 4, 6, 7, 0, 2) 9 (1, 3, 6, 4, 7, 2, 5, 0) 9 (1, 3, 6, 5, 7, 4, 0, 2) 9 (1, 3, 6, 7, 2, 4, 0, 5) 9 (1, 6, 0, 4, 7, 2, 5, 3) 9 (1, 6, 0, 5, 7, 4, 3, 2) 9 (1, 6, 0, 7, 2, 4, 3, 5) 9 (1, 6, 0, 7, 3, 2, 5, 4) 9 8 (1, 6, 5, 0, 7, 4, 2, 3) 9 (2, 0, 5, 4, 6, 7, 3, 1) 9 (2, 0, 5, 6, 3, 4, 7, 1) 9 (2, 0, 5, 6, 3, 7, 4, 1) 9 (2, 4, 5, 6, 3, 0, 7, 1) 9 (3, 0, 1, 5, 6, 4, 7, 2) 9 (3, 0, 1, 6, 7, 4, 5, 2) 9 (3, 0, 5, 2, 6, 4, 7, 1) s 13 (3, 2, 6, 5, 7, 4, 1, 0) 9 (3, 4, 1, 5, 6, 0, 7, 2) 9 (3, 4, 1, 6, 7, 2, 0, 5) 9 (3, 4, 5, 6, 7, 0, 2, 1) 9 (3, 5, 1, 6, 7, 4, 0, 2) 9 Table 4 DRmax (d,4) (π) for d = 8 d π DRmax (1, 2, 4, 0, 7, 6, 5, 3) 6 (1, 2, 5, 0, 3, 6, 7, 4) 6 [8] (1, 2, 5, 6, 7, 4, 3, 0) 6 [8] (1, 2, 5, 7, 3, 0, 4, 6) 6 8 (1, 3, 5, 6, 7, 4, 0, 2) 6 (1, 3, 5, 7, 0, 2, 4, 6) 6 (2, 4, 7, 5, 1, 0, 3, 6) 6 (3, 0, 1, 4, 7, 2, 5, 6) 6 [8] (3, 0, 5, 2, 7, 4, 1, 6) s 8 8 Conclusions In this paper, we formalized Type 1.x GS, which covers Type 1 and Type 2 GSs as special cases. We also proposed a construction π p for η = 2 and derived DRmax (d,2) (π p ). We then derived DRmax (d,η) (π s ), and we showed that Type 1.x GS with π p is better than the one with π s in terms of diffusion. inally, we presented our experimental results for 3 d 8 and 1 η d/2. As future work, it would be interesting to see constructions for η > 2 with a good diffusion property. Also, we have focused on the diffusion property and hence the structures obtained from Tables 1 4 do not imply that they can be used

Type 1.x Generalized eistel Structures 11 in practice with the suggested number of rounds. The security against various cryptographic attacks remains to be evaluated. Acknowledgements The authors would like to thank the reviewers for useful comments. This work was supported in part by MEXT KAKENHI, Grant-in-Aid for Young Scientists (A), 22680001. References 1. Bogdanov, A., Shibutani, K.: Analysis of 3-Line Generalized eistel Networks with Double SD-functions. Inf. Process. Lett. 111(13), 656 660 (2011) 2. Bogdanov, A., Shibutani, K.: Double SP-unctions: Enhanced Generalized eistel Networks Extended Abstract. In: U. Parampalli, P. Hawkes (eds.) ACISP, Lecture Notes in Computer Science, vol. 6812, pp. 106 119. Springer (2011) 3. Bogdanov, A., Shibutani, K.: Generalized eistel Networks Revisited. Designs, Codes and Cryptography pp. 1 23 (2012). DOI 10.1007/s10623-012-9660-z. URL http://dx.doi.org/10.1007/s10623-012-9660-z 4. Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Springer (2002) 5. Nyberg, K.: Generalized eistel Networks. In: K. Kim, T. Matsumoto (eds.) ASIACRYPT, Lecture Notes in Computer Science, vol. 1163, pp. 91 104. Springer (1996) 6. Shibutani, K.: On the Diffusion of Generalized eistel Structures Regarding Differential and Linear Cryptanalysis. In: A. Biryukov, G. Gong, D.R. Stinson (eds.) Selected Areas in Cryptography, Lecture Notes in Computer Science, vol. 6544, pp. 211 228. Springer (2010) 7. Shirai, T., Araki, K.: On Generalized eistel Structures Using a Diffusion Switching Mechanism. IEICE Trans. undamentals E91-A(8), 2120 2129 (2008) 8. Suzaki, T., Minematsu, K.: Improving the Generalized eistel. In: S. Hong, T. Iwata (eds.) SE, Lecture Notes in Computer Science, vol. 6147, pp. 19 39. Springer (2010) 9. Suzaki, T., Minematsu, K., Morioka, S., Kobayashi, E.: TWINE: A Lightweight Block Cipher for Multiple Platforms. In: Selected Areas in Cryptography (2012). (to appear) 10. Wu, W., Zhang, W., Lin, D.: Security on Generalized eistel Scheme with SP Round unction. I. J. Network Security 3(3), 215 224 (2006) 11. Yanagihara, S., Iwata, T.: Improving the Permutation Layer of Type 1, Type 3, Source- Heavy, and Target-Heavy Generalized eistel Structures. IEICE Trans. undamentals E96-A(1), 2 14 (2013). Earlier version In: Lin, D., Tsudik, G., Wang, X. (eds.) CANS. Lecture Notes in Computer Science, vol. 7092, pp. 98 117. Springer (2011) 12. Zheng, Y., Matsumoto, T., Imai, H.: On the Construction of Block Ciphers Provably Secure and Not Relying on Any Unproved Hypotheses. In: G. Brassard (ed.) CRYPTO, Lecture Notes in Computer Science, vol. 435, pp. 461 480. Springer (1989)

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback