Type 1.x Generalized Feistel Structures Feistel Structure (GFS) •The same computation of the...
Transcript of Type 1.x Generalized Feistel Structures Feistel Structure (GFS) •The same computation of the...
![Page 1: Type 1.x Generalized Feistel Structures Feistel Structure (GFS) •The same computation of the nonlinear functions in encryption and decryption •Poor diffusion propertyPublished](https://reader031.fdocuments.net/reader031/viewer/2022022009/5af21c4a7f8b9a8c308f5c84/html5/thumbnails/1.jpg)
Type 1.x Generalized Feistel Structures
Shingo Yanagihara and Tetsu Iwata
Nagoya University, Japan
WCC 2013,
April 15-19, 2013, Bergen (Norway)
1
![Page 2: Type 1.x Generalized Feistel Structures Feistel Structure (GFS) •The same computation of the nonlinear functions in encryption and decryption •Poor diffusion propertyPublished](https://reader031.fdocuments.net/reader031/viewer/2022022009/5af21c4a7f8b9a8c308f5c84/html5/thumbnails/2.jpg)
Generalized Feistel Structure (GFS)
• The same computation of the nonlinear functions in encryption and decryption
• Poor diffusion property
– It requires many rounds to be secure.
2
![Page 3: Type 1.x Generalized Feistel Structures Feistel Structure (GFS) •The same computation of the nonlinear functions in encryption and decryption •Poor diffusion propertyPublished](https://reader031.fdocuments.net/reader031/viewer/2022022009/5af21c4a7f8b9a8c308f5c84/html5/thumbnails/3.jpg)
Type of GFS
• Generally, GFS has the sub-block-wise cyclic shift ( ).
Type 1 CAST-256
Type 2 RC6, HIGHT, CLEFIA
Type 3
Source-Heavy RC2, SPEED
Target-Heavy MARS
Nyberg’s GFS
3
![Page 4: Type 1.x Generalized Feistel Structures Feistel Structure (GFS) •The same computation of the nonlinear functions in encryption and decryption •Poor diffusion propertyPublished](https://reader031.fdocuments.net/reader031/viewer/2022022009/5af21c4a7f8b9a8c308f5c84/html5/thumbnails/4.jpg)
Type of GFS
• Generally, GFS has the sub-block-wise cyclic shift ( ).
Type 1 CAST-256
Type 2 RC6, HIGHT, CLEFIA
Type 3
Source-Heavy RC2, SPEED
Target-Heavy MARS
Nyberg’s GFS
4
![Page 5: Type 1.x Generalized Feistel Structures Feistel Structure (GFS) •The same computation of the nonlinear functions in encryption and decryption •Poor diffusion propertyPublished](https://reader031.fdocuments.net/reader031/viewer/2022022009/5af21c4a7f8b9a8c308f5c84/html5/thumbnails/5.jpg)
Previous work [FSE 2010, Suzaki, Minematsu]
• Changing the permutation of Type 2 GFS from
• There are permutations such that
– the diffusion property and
– the security against several attacks
are better than .
5
![Page 6: Type 1.x Generalized Feistel Structures Feistel Structure (GFS) •The same computation of the nonlinear functions in encryption and decryption •Poor diffusion propertyPublished](https://reader031.fdocuments.net/reader031/viewer/2022022009/5af21c4a7f8b9a8c308f5c84/html5/thumbnails/6.jpg)
Previous work [IEICE 2013, Yanagihara, Iwata]
• FD (full diffusion): every output sub-blocks depend on all input sub-blocks
• For Type 1 GFS
– : the worst permutation in terms of the diffusion property among permutations archive FD.
– The construction of the best permutation
6
![Page 7: Type 1.x Generalized Feistel Structures Feistel Structure (GFS) •The same computation of the nonlinear functions in encryption and decryption •Poor diffusion propertyPublished](https://reader031.fdocuments.net/reader031/viewer/2022022009/5af21c4a7f8b9a8c308f5c84/html5/thumbnails/7.jpg)
Previous work [IEICE 2013, Yanagihara, Iwata]
• For Type 3 GFS,
– The condition of a permutation which cannot archive FD with any number of rounds.
• For Source-Heavy and Target-Heavy GFSs
– : the best permutation in terms of the diffusion property.
7
![Page 8: Type 1.x Generalized Feistel Structures Feistel Structure (GFS) •The same computation of the nonlinear functions in encryption and decryption •Poor diffusion propertyPublished](https://reader031.fdocuments.net/reader031/viewer/2022022009/5af21c4a7f8b9a8c308f5c84/html5/thumbnails/8.jpg)
Example of unclassified types of GFS
• Key schedule function of TWINE [SAC 2012]
– Two nonlinear functions in -Layer
8
![Page 9: Type 1.x Generalized Feistel Structures Feistel Structure (GFS) •The same computation of the nonlinear functions in encryption and decryption •Poor diffusion propertyPublished](https://reader031.fdocuments.net/reader031/viewer/2022022009/5af21c4a7f8b9a8c308f5c84/html5/thumbnails/9.jpg)
Our work
• Propose Type 1.x GFS – covers Type 1 and Type 2 GFSs as special cases
• Propose a construction of a permutation for Type 1.x GFS with two nonlinear functions in F-Layer
• Present analysis of Type 1.x GFS with – compare proposed construction with
• Show experimental results for Type 1.x GFS for
9
![Page 10: Type 1.x Generalized Feistel Structures Feistel Structure (GFS) •The same computation of the nonlinear functions in encryption and decryption •Poor diffusion propertyPublished](https://reader031.fdocuments.net/reader031/viewer/2022022009/5af21c4a7f8b9a8c308f5c84/html5/thumbnails/10.jpg)
• Type 1.x GFS ⇔Type 1 GFS
• Type 1.x GFS ( is even) ⇔Type 2 GFS
Type 1.x GFS
10
![Page 11: Type 1.x Generalized Feistel Structures Feistel Structure (GFS) •The same computation of the nonlinear functions in encryption and decryption •Poor diffusion propertyPublished](https://reader031.fdocuments.net/reader031/viewer/2022022009/5af21c4a7f8b9a8c308f5c84/html5/thumbnails/11.jpg)
Notation
• (← left cyclic shift)
• : the sub-block after applying to the -th sub-block.
• : the smallest number such that .
11
![Page 12: Type 1.x Generalized Feistel Structures Feistel Structure (GFS) •The same computation of the nonlinear functions in encryption and decryption •Poor diffusion propertyPublished](https://reader031.fdocuments.net/reader031/viewer/2022022009/5af21c4a7f8b9a8c308f5c84/html5/thumbnails/12.jpg)
DRmax [Suzaki, Minematsu, FSE 2010]
• : The smallest round such that every output sub-blocks depend on all input sub-blocks.
12
![Page 13: Type 1.x Generalized Feistel Structures Feistel Structure (GFS) •The same computation of the nonlinear functions in encryption and decryption •Poor diffusion propertyPublished](https://reader031.fdocuments.net/reader031/viewer/2022022009/5af21c4a7f8b9a8c308f5c84/html5/thumbnails/13.jpg)
DRmax [Suzaki, Minematsu, FSE 2010]
• : The smallest round such that every output sub-blocks depend on all input sub-blocks.
13
![Page 14: Type 1.x Generalized Feistel Structures Feistel Structure (GFS) •The same computation of the nonlinear functions in encryption and decryption •Poor diffusion propertyPublished](https://reader031.fdocuments.net/reader031/viewer/2022022009/5af21c4a7f8b9a8c308f5c84/html5/thumbnails/14.jpg)
14
![Page 15: Type 1.x Generalized Feistel Structures Feistel Structure (GFS) •The same computation of the nonlinear functions in encryption and decryption •Poor diffusion propertyPublished](https://reader031.fdocuments.net/reader031/viewer/2022022009/5af21c4a7f8b9a8c308f5c84/html5/thumbnails/15.jpg)
15
![Page 16: Type 1.x Generalized Feistel Structures Feistel Structure (GFS) •The same computation of the nonlinear functions in encryption and decryption •Poor diffusion propertyPublished](https://reader031.fdocuments.net/reader031/viewer/2022022009/5af21c4a7f8b9a8c308f5c84/html5/thumbnails/16.jpg)
Proposed construction for .
Let and be an integer
such that
16
![Page 17: Type 1.x Generalized Feistel Structures Feistel Structure (GFS) •The same computation of the nonlinear functions in encryption and decryption •Poor diffusion propertyPublished](https://reader031.fdocuments.net/reader031/viewer/2022022009/5af21c4a7f8b9a8c308f5c84/html5/thumbnails/17.jpg)
Properties of the proposed construction .
17
![Page 18: Type 1.x Generalized Feistel Structures Feistel Structure (GFS) •The same computation of the nonlinear functions in encryption and decryption •Poor diffusion propertyPublished](https://reader031.fdocuments.net/reader031/viewer/2022022009/5af21c4a7f8b9a8c308f5c84/html5/thumbnails/18.jpg)
DRmax of the proposed construction
• Brief overview of the proof: Using the property,
– The largest DRmax for encryption is
– The largest DRmax for decryption is , because the structures of encryption and decryption are equivalent.
18
![Page 19: Type 1.x Generalized Feistel Structures Feistel Structure (GFS) •The same computation of the nonlinear functions in encryption and decryption •Poor diffusion propertyPublished](https://reader031.fdocuments.net/reader031/viewer/2022022009/5af21c4a7f8b9a8c308f5c84/html5/thumbnails/19.jpg)
Equivalence of the structure
19
![Page 20: Type 1.x Generalized Feistel Structures Feistel Structure (GFS) •The same computation of the nonlinear functions in encryption and decryption •Poor diffusion propertyPublished](https://reader031.fdocuments.net/reader031/viewer/2022022009/5af21c4a7f8b9a8c308f5c84/html5/thumbnails/20.jpg)
Equivalence of the structure
20
![Page 21: Type 1.x Generalized Feistel Structures Feistel Structure (GFS) •The same computation of the nonlinear functions in encryption and decryption •Poor diffusion propertyPublished](https://reader031.fdocuments.net/reader031/viewer/2022022009/5af21c4a7f8b9a8c308f5c84/html5/thumbnails/21.jpg)
Equivalence of the structure
21
![Page 22: Type 1.x Generalized Feistel Structures Feistel Structure (GFS) •The same computation of the nonlinear functions in encryption and decryption •Poor diffusion propertyPublished](https://reader031.fdocuments.net/reader031/viewer/2022022009/5af21c4a7f8b9a8c308f5c84/html5/thumbnails/22.jpg)
Equivalence of the structure
22
Encryption direction
![Page 23: Type 1.x Generalized Feistel Structures Feistel Structure (GFS) •The same computation of the nonlinear functions in encryption and decryption •Poor diffusion propertyPublished](https://reader031.fdocuments.net/reader031/viewer/2022022009/5af21c4a7f8b9a8c308f5c84/html5/thumbnails/23.jpg)
DRmax with πs
23
![Page 24: Type 1.x Generalized Feistel Structures Feistel Structure (GFS) •The same computation of the nonlinear functions in encryption and decryption •Poor diffusion propertyPublished](https://reader031.fdocuments.net/reader031/viewer/2022022009/5af21c4a7f8b9a8c308f5c84/html5/thumbnails/24.jpg)
Brief overview of the proof
• For encryption
24
![Page 25: Type 1.x Generalized Feistel Structures Feistel Structure (GFS) •The same computation of the nonlinear functions in encryption and decryption •Poor diffusion propertyPublished](https://reader031.fdocuments.net/reader031/viewer/2022022009/5af21c4a7f8b9a8c308f5c84/html5/thumbnails/25.jpg)
Brief overview of the proof
• For encryption
25
![Page 26: Type 1.x Generalized Feistel Structures Feistel Structure (GFS) •The same computation of the nonlinear functions in encryption and decryption •Poor diffusion propertyPublished](https://reader031.fdocuments.net/reader031/viewer/2022022009/5af21c4a7f8b9a8c308f5c84/html5/thumbnails/26.jpg)
Brief overview of the proof
• For encryption
26
![Page 27: Type 1.x Generalized Feistel Structures Feistel Structure (GFS) •The same computation of the nonlinear functions in encryption and decryption •Poor diffusion propertyPublished](https://reader031.fdocuments.net/reader031/viewer/2022022009/5af21c4a7f8b9a8c308f5c84/html5/thumbnails/27.jpg)
Brief overview of the proof
• For encryption
27
![Page 28: Type 1.x Generalized Feistel Structures Feistel Structure (GFS) •The same computation of the nonlinear functions in encryption and decryption •Poor diffusion propertyPublished](https://reader031.fdocuments.net/reader031/viewer/2022022009/5af21c4a7f8b9a8c308f5c84/html5/thumbnails/28.jpg)
Brief overview of the proof
• For encryption
28
![Page 29: Type 1.x Generalized Feistel Structures Feistel Structure (GFS) •The same computation of the nonlinear functions in encryption and decryption •Poor diffusion propertyPublished](https://reader031.fdocuments.net/reader031/viewer/2022022009/5af21c4a7f8b9a8c308f5c84/html5/thumbnails/29.jpg)
Brief overview of the proof
• For encryption
29
![Page 30: Type 1.x Generalized Feistel Structures Feistel Structure (GFS) •The same computation of the nonlinear functions in encryption and decryption •Poor diffusion propertyPublished](https://reader031.fdocuments.net/reader031/viewer/2022022009/5af21c4a7f8b9a8c308f5c84/html5/thumbnails/30.jpg)
Brief overview of the proof
• For decryption direction
30
![Page 31: Type 1.x Generalized Feistel Structures Feistel Structure (GFS) •The same computation of the nonlinear functions in encryption and decryption •Poor diffusion propertyPublished](https://reader031.fdocuments.net/reader031/viewer/2022022009/5af21c4a7f8b9a8c308f5c84/html5/thumbnails/31.jpg)
A comparison of two lemmas
31
dif
fusi
on
p
rop
ert
y
Good
Bad
![Page 32: Type 1.x Generalized Feistel Structures Feistel Structure (GFS) •The same computation of the nonlinear functions in encryption and decryption •Poor diffusion propertyPublished](https://reader031.fdocuments.net/reader031/viewer/2022022009/5af21c4a7f8b9a8c308f5c84/html5/thumbnails/32.jpg)
Experimental results
• Compute for all and .
• List and all optimum permutations in terms of the diffusion property.
• Present only the lexicographically first permutations in the equivalent classes.
• Result for is analyzed in [IEICE 2013]
32
![Page 33: Type 1.x Generalized Feistel Structures Feistel Structure (GFS) •The same computation of the nonlinear functions in encryption and decryption •Poor diffusion propertyPublished](https://reader031.fdocuments.net/reader031/viewer/2022022009/5af21c4a7f8b9a8c308f5c84/html5/thumbnails/33.jpg)
Result for .
• Subscript
– s: it is equivalent to .
– p: it is equivalent to .
• Superscript
– the integer for .
• For , there are better permutations than .
33
![Page 34: Type 1.x Generalized Feistel Structures Feistel Structure (GFS) •The same computation of the nonlinear functions in encryption and decryption •Poor diffusion propertyPublished](https://reader031.fdocuments.net/reader031/viewer/2022022009/5af21c4a7f8b9a8c308f5c84/html5/thumbnails/34.jpg)
Result for .
• Permutations in green are analyzed in [FSE 2010].
34
![Page 35: Type 1.x Generalized Feistel Structures Feistel Structure (GFS) •The same computation of the nonlinear functions in encryption and decryption •Poor diffusion propertyPublished](https://reader031.fdocuments.net/reader031/viewer/2022022009/5af21c4a7f8b9a8c308f5c84/html5/thumbnails/35.jpg)
Result for n=n
• Some permutations do not exist in [FSE 2010] results.
– Because [FSE 2010] paper observed “even-odd shuffles”. (instead of all permutations)
35
![Page 36: Type 1.x Generalized Feistel Structures Feistel Structure (GFS) •The same computation of the nonlinear functions in encryption and decryption •Poor diffusion propertyPublished](https://reader031.fdocuments.net/reader031/viewer/2022022009/5af21c4a7f8b9a8c308f5c84/html5/thumbnails/36.jpg)
Conclusion
• Proposed Type 1.x GFS
– covers Type 1 and Type 2 GFSs
• Proposed a construction for Type 1.x GFS
• Analysis of Type 1.x GFS with
– compared to in terms of the diffusion property
• Showed experimental results for Type 1.x GFS for
36
![Page 37: Type 1.x Generalized Feistel Structures Feistel Structure (GFS) •The same computation of the nonlinear functions in encryption and decryption •Poor diffusion propertyPublished](https://reader031.fdocuments.net/reader031/viewer/2022022009/5af21c4a7f8b9a8c308f5c84/html5/thumbnails/37.jpg)
Future work
• Analyze the security against various attacks
– differential, linear, impossible differential, and saturation attacks
• Design optimum permutations for .
37