Post on 09-May-2018
1
Improving the Generalized Feistel
Tomoyasu Suzaki and Kazuhiko Minematsu
NEC Corporation
FSE 2010 Feb. 7-10, Seoul Korea
2
Generalized Feistel Structure (GFS)
�One of the basic structure of block cipher.
�Proposed by Zheng et al. in 1989 (CRYPTO ‘89)*.
�GFS is a generalized form of the classical Feistel
structure.
�Classical Feistel structure
divide a message into two sub blocks.
�GFS
divide a message into k sub blocks (k > 2).
* Zheng et al. refers as a Feistel-Type Transformation (FTT).
3
Type-II GFS
Single round GFS :
(x0, x1, ..., xk-2, xk-1) →(F0(x0)⊕x1, x2, F1(x2)⊕x3, x4, ..., F(k-2)/2(xk-2)⊕xk-1, x0)
where F : {0,1}n→ {0,1}n
Employed by many ciphers, such as CLEFIA (k=4), HIGHT (k= 8).
n n n n n n
x0 x1 x2 x3 xk-2 xk-1
F0 F1 F(k-2)/2
4
Advantage/Disadvantage of GFS
� AdvantageFor a fixed message length, input/output length of round function gets shorter as the partition number kgrows.→ suitable for small-scale implementations.
�DisadvantageAs k grows, the diffusion property gets worse.
(We will explain this in the next slides)
5
F F
F
F F
F
Diffusion path of Type-II GFS (k=4,6)
F
F
F F F
F F F
F F F
F F F
F F F
F F F
Full diffusion
Collision
6
F F F F
F F F F
F F F F
F F F F
F F F F
F F F F
F F F F
F F F F
Diffusion path of Type-II GFS (k=8)
7
49
36
25
16
9
4
1
0
Number of collision
36.714
34.712
32.010
28.18
38.216
22.26
12.54
02
Proportion(%)Partition number k
100diffusion fullfor XORs ofNumber
Collisions ofNumber Proportion ×=
Collision of data paths for k partition Type-II GFS
Improvement possible ?
8
Contribution
�Propose “generalized” GFS (GGFS)� GGFS allowing arbitrary network
(but identical for each round)
� Propose criteria for the diffusion property
� Confirm the relationship between our criteria and several known security measures
�Pseudorandomness
� impossible differential characteristics
�saturation characteristics
�Build GGFSs with “good” diffusion� Exhaustive search
� Graph-based
9
block shuffle π / π-1
1
1
+iF1
0
+iF
iX 0
iX1
iX 2
iX 3i
kX 2−
i
kX 1−
1
0
+iX 1
1
+iX1
2
+iX 1
3
+iX1
2
+
−
i
kX 1
1
+
−
i
kX
Generalized GFS
1
1
+
−
i
mF
Iteration
Our goal is to find “good” block shuffle !
y = π(x) ↔ x = π-1(y)
10
Criteria for the diffusion property
).π(DRmax)DRmax(π10
def
iki −≤≤
=
}.)DRmax(π,)π(max{DRmax)(πDRmaxdef
1−± =
)}.π({DRmaxminDRmaxπ
def±
∈
∗ =kΠ
k
F F F
F F F
F F F
F F F
F F F
F F F
DRi(π) : Minimum rounds which i-th input block reaches all
output blocks.
Using DRi(π) we define the following criteria.
DR6(cyclic shift) = 6Optimum π is one that achieves DRmaxk*
11
DRmax for practical k
8
8
8
7
6
5
4
DRmax*k
16
14
12
10
8
6
4
Type-II
/ Nyberg 1
16
12
8
4
14
10
6
Partition number
k
We evaluated DRmax of all block shuffles for k up to 16.
1 Nyberg’s Generalized Feistel Network
12
Optimum block shuffle for k=8
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
F F
Any even (odd) input block is connected to an odd (even) output block.
We define such shuffle “even-odd shuffle”.
Optimum shuffles we found are all even-odd shuffle.
13
Graphical interpretation
�As k grows, the cost of exhaustive search is expensive,
therefore we have to take a different approach.
�From the previous search result, we focus on even-
odd shuffles.
�We represent an even-odd shuffle as a graph and
translate DRmax evaluation into a graph theoretic
problem.
14
Graphical representation
F F F F
0 1 2 3 4 5 6 7
0 1 2 3
2i+1th block → 2jth block
Sufficient distance (SD(G[π]))
→ Next slideDRmax(π)
2ith block → 2j+1th block
Edge-colored directed graph
with k/2 nodes (degree 2)k sub blocks (k : even)
Corresponding graph G[π]GFS with even-odd shuffle π
vi vj
vi vj
15
�appropriate path :First and last are blue.
The next of red is blue.
�L-appropriately-reachable :Any two (possibly the same) nodes are connected via an
appropriate path of length L.
�Sufficient distance (SD) :Minimum of L such that the graph is L-appropriately-reachable.
Sufficient Distance (SD)
Diam(G) ≤ SD(G)
where Diam(G) is the diameter of G.
i.e., the maximum distance of any two vertices.
000 001 111110
001 110
16
Relation between DRmax and SD
If SD(G[π])=L for even-odd shuffle π,
DRmax(π) ≤ SD(G[π])+1.
F F F F
even-odd shuffle π
F F F F
even-odd shuffle π
F F F F
SD(G[π])
rounds
0
iX
L
jX
1+LXeven-odd shuffle π
(j :any even)
17
de Bruijn Graph
How to color the edges ?
We found a coloring of de Bruijn which achieves SD at most 2s+1.
(see the paper for details)
To build a graph having small SD → de Bruijn graph
� Property of de Bruijn graph :
� order 2s
� two-regular
� directed
� minimum diameter (s)
Good candidate for a graph
with small SD !
18
Our result
0
4
8
12
16
20
24
28
32
36
4 6 8 10 12 14 16 18 20 22 24 26 28 30 32Partition Number k
DR
max*
Type-II, Nyberg's GFS
Optimal GFS
de Bruijn
Lower Bound
Optimum
DR
max
*
Partition number k
19
Security evaluation
� Pseudorandomness
� Cryptanalysis
� Impossible Differential Attack
� Saturation Attack
20
Previous study of Pseudorandomness
�Luby and Rackoff proved pseudorandomness of
Feistel structure.
3 rounds Feistel is pseudorandom permutation (prp).
4 rounds Feistel is strong prp (sprp).
�Mitsuda and Iwata proved pseudorandomness of
Type-II GFS [MI08].
k+1 rounds Type-II is prp.
2k rounds Type-II is sprp.
We proved pseudorandomness of GFS with even-odd shuffle
using SD.
21
Pseudorandomness of GFS
AdvantageRoundAdvantageRound
4logk2logk+1de Bruijn
based GFS
2L+2 *L+2
SD(G[π])≤L
GGFS with
even-odd
2kk+1Type-II
GFS
[MI08]
sprpprp
2
12q
kLn+
2
2q
kLn
22
2q
kn
22
2q
kn
* max{ SD(G[π]), SD(G[π-1]) } ≤ L
2
2
log2q
kkn
2
2
log4q
kkn
22
Impossible differential characteristics
α
β
Ciphertext pair
Key
Decrypt one round using the ciphertext
pair obtained from the plaintext pair for
which the difference is α.
Reject the key for which the difference
is β.
The last remaining key is the correct key.
When the probability of α → β is zero
(Impossible Differential Characteristics :
IDC),
α → β is an impossible differential.Probability 0
F
23
Evaluation of IDC
F
DRmax(π)
0
DRmax(π-1)
γ ⊕ δ
Contradiction
Kim et al. showed the number
of rounds for IDC of Type-II
GFS is 2k+1.
From the characteristic of U-
method (proposed by Kim et
al.) and the definition of
DRmax, the number of rounds
for IDC of GFS becomes at
most 2DRmax+1.
F F
F F F
F F F
F F F
F F F
F F F
F F F
F F F
F F F
0 0 0 γ 0
0 0 0 0 γ0
24
Saturation characteristics
A
Ciphertexts
Key
F
A
F
F
F
F
C
A
B
A
U B
C
A
B ?
Decrypt one round using the 2n
ciphertexts obtained from the 2n all
plaintexts.
Reject the key for which the sum is
not balance.
The last remaining key is the correct
key.
n
A: ALL B: Balance
C: Constant U: Unknown
n
25
Evaluation of saturation characteristics (SC)
C
DR
max
(π)+
2D
Rm
ax(π
-1)-
2
Cα
β
α’Search of saturation characteristics :
1. α → β
After DRmax(π)+3 rounds, the
balance state does not
remain.
→ at most DRmax(π)+2 rounds.
2. Expansion from α to α’
At least one Constant must be
contained.
→ st most DRmax(π)-2 rounds.
α’ → β is at most 2DRmax rounds.
F F F
F F F
F F F
F F F
F F F
F F F
F F F
F F F
F F F
F F F
C C C A
A A C A A A
26
Numerical comparison
16321216sprp
16321216SC
91779prp
optimum optimumType-IIType-II
17
8
13
6
3317IDC
168DRmax
k = 16k = 8( round )
27
Conclusion
� Propose “Generalized” GFS that allow arbitrary network
� Propose criteria (Sufficient Distance) for the diffusion property
� de Bruijn graph based GFS has GOOD diffusion property
� A diffusive improvement showed leading to the improvement of security.
28
Thank you for your attention !