SLIDE 1

Feistel Networks Our Contributions Security Proofs Conclusion

Improved Security Bounds for Generalized Feistel Networks

Yaobin Shen (1), Chun Guo (2), Lei Wang (1)

(1) Shanghai Jiao Tong University, (2) Shandong University

November 13, FSE 2020

Yaobin Shen, Chun Guo, Lei Wang Improved Security Bounds for GFN

SLIDE 2

Outline

1 Feistel Networks
2 Our Contributions
3 Security Proofs
4 Conclusion

SLIDE 3

Feistel Network

Feistel network: iterate the Feistel permutation several times

Ψ_{F_i}(A, B) = (B, A ⊕ F_i(B)), where F_i : {0, 1}^n → {0, 1}^n is called the round function

Figure: Classical Feistel (round functions F1, F2 applied to the n-bit halves A_i, B_i)

SLIDE 4

Generalized Feistel Networks

• Replace round functions with expanding or contracting ones: unbalanced Feistel
• Alternately use expanding and contracting round functions: alternating Feistel
• Partition the input into more than two blocks: type-1, type-2, type-3 Feistel
• Use a tweakable blockcipher: TBC-based Feistel

SLIDE 5

Generalized Feistel Networks

Figure: Illustration of generalized Feistel networks
(a) Unbalanced Feistel UBFr[m, n] with m ≤ n
(b) Unbalanced Feistel UBFr[m, n] with m > n
(c) Alternating Feistel ALFr[m, n]
(d) Numeric alternating Feistel NALFr[M, N]
(e) Type-1 Feistel Feistel1r[k, n]
(f) Type-2 Feistel Feistel2r[k, n]
(g) Type-3 Feistel Feistel3r[k, n]
(h) TBC-based Feistel TGFr[ω, 2n]
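As an added illustration (not code from the slides or the authors), the unbalanced Feistel UBFr[m, n] of panels (a) and (b): the (m+n)-bit state A‖B maps to B‖(A ⊕ F_i(B)) and is re-split into an m-bit A and an n-bit B each round, which covers m ≤ n, m > n and, with m = n, the classical Feistel of slide 3. The round functions below are constructed from SHA-256 as a stand-in for the independent random functions assumed in the proofs; any functions give a permutation, since inversion never needs F_i⁻¹.

```python
import hashlib


def make_round_functions(r, m, n, key):
    """Constructed round functions F_1..F_r : {0,1}^n -> {0,1}^m (bit
    strings handled as ints of known width), derived from SHA-256."""
    def make(i):
        def f(b):
            msg = key + i.to_bytes(2, "big") + b.to_bytes((n + 7) // 8, "big")
            digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
            return digest & ((1 << m) - 1)      # truncate to m bits
        return f
    return [make(i) for i in range(1, r + 1)]


def ubf_encrypt(fs, m, n, x):
    """UBF_r[m, n]: state A||B with |A| = m, |B| = n.  One round maps
    A||B -> B||(A xor F_i(B)); the (m+n)-bit result is re-split into a
    new m-bit A (top bits) and n-bit B (low bits) for the next round."""
    for f in fs:
        a, b = x >> n, x & ((1 << n) - 1)
        x = (b << m) | (a ^ f(b))
    return x


def ubf_decrypt(fs, m, n, y):
    """Inverse: B sits in the top n bits of the round output, and the
    low m bits C = A xor F_i(B) give back A once F_i(B) is recomputed."""
    for f in reversed(fs):
        b, c = y >> m, y & ((1 << m) - 1)
        y = ((c ^ f(b)) << n) | b
    return y


def is_permutation(fs, m, n):
    """Exhaustively check bijectivity on {0,1}^(m+n); small m+n only."""
    size = 1 << (m + n)
    return len({ubf_encrypt(fs, m, n, x) for x in range(size)}) == size


if __name__ == "__main__":
    fs = make_round_functions(6, 3, 5, b"constructed-key")   # m < n case
    print("UBF_6[3,5] is a permutation:", is_permutation(fs, 3, 5))
```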

SLIDE 6

Applications of Feistel Networks

• DES (classical Feistel)
• Skipjack (unbalanced Feistel)
• BEAR/LION, Format-Preserving Encryption (alternating Feistel)
• CAST-256 (type-1), RC6 (type-2), MARS (type-3)
• Double-block-length tweakable blockcipher (TBC-based Feistel)

SLIDE 7

Previous Results

For unbalanced, alternating, type-1, type-2, type-3 Feistel:
• Birthday-bound security [NR99, MRS09, AB96, BR02, BRRS09, Luc96, ZMI90]
• Beyond-birthday-bound security for unbalanced Feistel [Pat10]
• Asymptotically n-bit security [HR10] for all these Feistels

Hoang and Rogaway's result [HR10]:
• CCA-secure up to 2^{(1−ε)n} queries for any ε > 0
• requires a large number of rounds for asymptotically n-bit security

For TBC-based Feistel by Coron et al. [CDMS10]:
• 3 rounds are proved to have n-bit security
• the input size to the underlying tweakable permutation is n + w (w is the size of the tweak, w > n)
• n-bit security is only birthday-type with respect to the input size [LL18]

SLIDE 8

Outline

1 Feistel Networks
2 Our Contributions
3 Security Proofs
4 Conclusion

SLIDE 9

Improved Security Bounds

For unbalanced, alternating, type-1, type-2 and type-3 Feistel:
• improve the coupling analyses of Hoang and Rogaway [HR10]
• achieve almost the same security bound with nearly half the number of rounds

Scheme | Previous Bound | #rounds | Our Bound | #rounds
UBFr[m, n], n ≥ m | 2q/(t+1) · ((3⌈n/m⌉+3)q / 2^n)^t | (4⌈n/m⌉+4)t [HR10] | 2q/(t+1) · ((4⌈n/m⌉q+4q) / 2^n)^t | (2⌈n/m⌉+2)t + 2⌈n/m⌉ + 1
UBFr[m, n], n < m | 2q/(t+1) · (4⌈m/n⌉q / 2^n)^t | (2⌈m/n⌉+4)t [HR10] | 2q/(t+1) · (4⌈n/m⌉q / 2^n)^t | 4t + 2⌈n/m⌉ + 1
ALFr[m, n] | 2q/(t+1) · ((6⌈n/m⌉+3)q / 2^n)^t | (12⌈n/m⌉+8)t [HR10] | 2q/(t+1) · ((6⌈n/m⌉q+3q) / 2^n)^t | (12⌈n/m⌉+2)t + 5
NALFr[M, N] | 2q/(t+1) · ((6⌈log_M N⌉+3)q / N)^t | (12⌈log_M N⌉+8)t [HR10] | 2q/(t+1) · ((6⌈log_M N⌉q+3q) / N)^t | (12⌈log_M N⌉+2)t + 5
Feistel1r[k, n] | 2q/(t+1) · (2k(k²−k+1)q / 2^n)^t | (2k²+2k)t [HR10] | 2q/(t+1) · (2k(k−1)q / 2^n)^t | (k²+k−2)t + 1
Feistel2r[k, n] | 2q/(t+1) · (2k(k−1)q / 2^n)^t | (2k+2)t [HR10] | 2q/(t+1) · (2k(k−1)q / 2^n)^t | 2kt + 1
Feistel3r[k, n] | 2q/(t+1) · (4(k−1)²q / 2^n)^t | (k+4)t [HR10] | 2q/(t+1) · (4(k−1)²q / 2^n)^t | (k+2)t + 1

Table: Summary of improved bounds for generalized Feistel networks
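An added worked example (not from the slides or the paper) that makes the "nearly half the rounds" claim concrete for the first table row, UBFr[m, n] with n ≥ m: it evaluates the HR10 bound and the improved bound at given n, m, q, t and searches for the fewest rounds each analysis needs before its CCA bound drops below a target advantage. The bound expressions are copied from the table; the search parameters are the example's own.

```python
from math import ceil


def ubf_bounds(n, m, q, t):
    """CCA advantage bound and round count for UBF_r[m, n] with n >= m,
    as listed in the table: HR10 row versus the improved row.
    n, m: block sizes in bits; q: queries; t: number of coupling trials."""
    b = ceil(n / m)
    prev_adv = 2 * q / (t + 1) * ((3 * b + 3) * q / 2 ** n) ** t
    prev_rounds = (4 * b + 4) * t
    new_adv = 2 * q / (t + 1) * ((4 * b + 4) * q / 2 ** n) ** t
    new_rounds = (2 * b + 2) * t + 2 * b + 1
    # an advantage bound above 1 carries no information; cap it
    return (min(prev_adv, 1.0), prev_rounds), (min(new_adv, 1.0), new_rounds)


def rounds_to_reach(n, m, q, target, max_t=64):
    """Fewest rounds each analysis needs so that its bound is at most
    `target` at q queries; returns (HR10 rounds, improved rounds), with
    None where no t <= max_t suffices.  Once the per-trial term is below
    1 both bounds shrink as t grows, so the first t that works gives the
    smallest round count."""
    best_prev = best_new = None
    for t in range(1, max_t + 1):
        (prev_adv, prev_rounds), (new_adv, new_rounds) = ubf_bounds(n, m, q, t)
        if best_prev is None and prev_adv <= target:
            best_prev = prev_rounds
        if best_new is None and new_adv <= target:
            best_new = new_rounds
        if best_prev is not None and best_new is not None:
            break
    return best_prev, best_new


if __name__ == "__main__":
    # constructed parameters: 128-bit block (n = m = 64), 2^40 queries
    print("rounds (HR10, improved):", rounds_to_reach(64, 64, 2 ** 40, 1e-6))
```

At the same t the improved bound has the larger constant (4⌈n/m⌉+4 versus 3⌈n/m⌉+3), so the gain is entirely in the round count, which the search makes visible.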

SLIDE 10

Improved Security Bounds

For TBC-based Feistel:
• give the first coupling analysis
• achieve 2n-bit security with enough rounds

Scheme | Previous Bound | #rounds | Our Bound | #rounds
TGFr[ω, 2n] | q² / 2^{2n} | 3 [CDMS10] | 2 · q/(t+1) · (30q / 2^{2n})^{t/2} | 4t + 2

Table: Comparison between Coron et al.'s bound and our bound.

SLIDE 11

Outline

1 Feistel Networks
2 Our Contributions
3 Security Proofs
4 Conclusion

SLIDE 12

The Coupling Technique

Focus on NCPA security, then lift it to CCA security by a composition lemma [MP03]

Figure: The NCPA indistinguishability game (real world and ideal world, each mapping q inputs to q outputs)

SLIDE 13

The Coupling Technique

Another ideal world

• U1, . . . , Uq are uniformly sampled at random without replacement from {0, 1}^n
• E_k is a permutation
• So in the ideal world, Y1, . . . , Yq are also uniformly sampled at random without replacement from {0, 1}^n

Figure: The NCPA indistinguishability game (real world and ideal world, each mapping q inputs to q outputs)

SLIDE 14

The Coupling Technique

Intermediate game

Figure: The NCPA indistinguishability game (ℓ-th world versus (ℓ + 1)-th world, each mapping q inputs to q outputs)

Adv^{ncpa}_{E_k}(q) ≤ Σ_{ℓ=0}^{q−1} ‖µ_ℓ − µ_{ℓ+1}‖

• µ_0: the distribution of outputs in the ideal world
• µ_ℓ: the distribution of outputs in the ℓ-th world
• µ_q: the distribution of outputs in the real world

SLIDE 15

The Coupling Technique

A coupling of µ and ν is a distribution λ on Ω × Ω such that:
∀x ∈ Ω, Σ_{y∈Ω} λ(x, y) = µ(x)
∀y ∈ Ω, Σ_{x∈Ω} λ(x, y) = ν(y)

Use the coupling lemma to bound the distance between µ_ℓ and µ_{ℓ+1}.

Lemma (Coupling Lemma): Let µ and ν be two probability distributions on a finite event space Ω. Let random variable (X, Y) be a coupling of µ and ν. Then ‖µ − ν‖ ≤ Pr[X ≠ Y].
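An added example (not from the slides) of the coupling definition and the coupling lemma on small explicit distributions: it checks the two marginal conditions, computes ‖µ − ν‖ and Pr[X ≠ Y] for a coupling, and builds the maximal coupling (diagonal mass min(µ(x), ν(x)), leftovers paired off) for which the lemma holds with equality. Ω, µ and ν are represented as dicts of point probabilities; the sample distributions are constructed here.

```python
def tv_distance(mu, nu):
    """Statistical distance ||mu - nu|| = (1/2) * sum_x |mu(x) - nu(x)|."""
    omega = set(mu) | set(nu)
    return sum(abs(mu.get(x, 0) - nu.get(x, 0)) for x in omega) / 2


def is_coupling(lam, mu, nu):
    """The two marginal conditions of the definition: rows sum to mu(x),
    columns sum to nu(y)."""
    omega = set(mu) | set(nu)
    rows = all(sum(lam.get((x, y), 0) for y in omega) == mu.get(x, 0) for x in omega)
    cols = all(sum(lam.get((x, y), 0) for x in omega) == nu.get(y, 0) for y in omega)
    return rows and cols


def prob_differ(lam):
    """Pr[X != Y] for (X, Y) ~ lam, the quantity the lemma bounds by."""
    return sum(p for (x, y), p in lam.items() if x != y)


def independent_coupling(mu, nu):
    """The trivial coupling lam(x, y) = mu(x) * nu(y); valid but loose."""
    return {(x, y): mu[x] * nu[y] for x in mu for y in nu}


def maximal_coupling(mu, nu):
    """Put min(mu(x), nu(x)) on the diagonal, then pair the leftover mass
    of mu with the leftover mass of nu (greedy transport).  The leftovers
    total ||mu - nu|| on each side and never share a point, so
    Pr[X != Y] equals ||mu - nu|| exactly."""
    omega = sorted(set(mu) | set(nu))
    lam, left_mu, left_nu = {}, [], []
    for x in omega:
        d = min(mu.get(x, 0), nu.get(x, 0))
        if d:
            lam[(x, x)] = d
        if mu.get(x, 0) > d:
            left_mu.append([x, mu[x] - d])
        if nu.get(x, 0) > d:
            left_nu.append([x, nu[x] - d])
    i = j = 0
    while i < len(left_mu) and j < len(left_nu):
        (x, a), (y, b) = left_mu[i], left_nu[j]
        p = min(a, b)
        lam[(x, y)] = lam.get((x, y), 0) + p
        left_mu[i][1] -= p
        left_nu[j][1] -= p
        i += left_mu[i][1] == 0
        j += left_nu[j][1] == 0
    return lam
```

Probabilities may be floats or fractions.Fraction; with dyadic values as in the constructed inputs the float arithmetic is exact.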

SLIDE 16

Proof for Unbalanced Feistel

Intuition of the improvement

• the output after b rounds is somewhat random and collision-free
• reduce the number of rounds in each of the following trials in the coupling analysis

Figure: HR's idea: a coupling trial every 2b rounds, every 2b rounds, …; our improvement: first b rounds, then a trial every b rounds, every b rounds, …

SLIDE 17

Proof for Unbalanced Feistel

A more fine-grained analysis of the internal collision.

Lemma: Consider an unbalanced Feistel cipher UBFr[m, n] with m ≤ n. Let b = ⌈n/m⌉. For any i ∈ [b + 1; r] and any subset S ⊆ [b + 1; i − 1], one has
Pr[COLL_i | ∩_{s∈S} COLL_s] ≤ 4ℓ / 2^n,
where ℓ is the number of queries that have been made to the cipher before the coupling.

Similar improvement idea for alternating, type-1, type-2, type-3 Feistels.

SLIDE 18

Proof for TBC-based Feistel

Define two bad events (first cipher / second cipher):

coll_i: D^{ℓ+1}_i = B^j_i ∧ B^{ℓ+1}_{i+1} = B^j_{i+1} for j ≤ ℓ

coll′_i: B^{ℓ+1}_i = B^j_i ∧ D^{ℓ+1}_{i+1} = B^j_{i+1} for j ≤ ℓ

SLIDE 19

Proof for TBC-based Feistel

Coupling according to four sub-cases (first cipher / second cipher):

• B^{ℓ+1}_i ≠ B^j_i ∧ D^{ℓ+1}_i ≠ B^j_i : D^{ℓ+1}_{i+1} = B^{ℓ+1}_{i+1} ←$ {0, 1}^n

• B^{ℓ+1}_i = B^j_i ∧ D^{ℓ+1}_i ≠ B^j_i : D^{ℓ+1}_{i+1} = B^{ℓ+1}_{i+1} ←$ {0, 1}^n \ Rng(P̃_{i+1}(W B^j_i, ·))

• B^{ℓ+1}_i ≠ B^j_i ∧ D^{ℓ+1}_i = B^j_i : D^{ℓ+1}_{i+1} = B^{ℓ+1}_{i+1} ←$ {0, 1}^n \ Rng(P̃_{i+1}(W B^j_i, ·))

• B^{ℓ+1}_i = B^j_i ∧ D^{ℓ+1}_i = B^{j′}_i : D^{ℓ+1}_{i+1} = B^{ℓ+1}_{i+1} ←$ {0, 1}^n \ (Rng(P̃_{i+1}(W B^j_i, ·)) ∪ Rng(P̃_{i+1}(W B^{j′}_i, ·)))

SLIDE 20

Proof for TBC-based Feistel

Bound the probability of the two bad events (first cipher / second cipher):

• analyze the probability that the number of repeated tweaks is greater than a threshold c
• when the number of repeated tweaks is ≤ c:

Pr[coll_i] ≤ 2e^c · ℓ^c / (c^c · 2^{nc}) + ℓ / (2^n − c)^2

SLIDE 21

Outline

1 Feistel Networks
2 Our Contributions
3 Security Proofs
4 Conclusion

SLIDE 22

Conclusion

For unbalanced, alternating, type-1, type-2, and type-3 Feistel:
• improve the coupling analysis of Hoang and Rogaway
• achieve asymptotically optimal security with nearly half the number of rounds

For TBC-based Feistel:
• prove that it can achieve 2n-bit security with enough rounds

Future works:
• give a tighter analysis via the coupling technique
• analyze the security for a smaller number of rounds (χ² method, H-coefficient technique)
