Indifferentiability of Confusion-Diffusion Networks - Yevgeniy Dodis - PowerPoint PPT Presentation


slide-1
SLIDE 1

Indifferentiability of Confusion-Diffusion Networks

Yevgeniy Dodis (NYU), Martijn Stam (Bristol), John Steinberger (Tsinghua), Tianren Liu (MIT)

Wednesday, May 11, 16


slide-3
SLIDE 3

Substitution-Permutation Network (ex: AES):

[figure, as extracted: k0 S S S S k1 π S S S S k2 π S S S S k3 π S S S S k4 π; rounds of four S-boxes S, diffusion permutations π, subkeys k0 ... k4]

S-boxes (small input size, permutations!)

"Diffusion" permutations (big input size, simple structure)

Subkeys!

slide-7
SLIDE 7

Confusion-Diffusion Network:

[figure: 5 rounds of 4 S-boxes (S S S S) each, separated by 4 diffusion permutations π]

...same, but no keys!

  • can be seen as a domain extension mechanism for permutations (from S-box to "full" permutation)
  • terminology goes back to Shannon (1949), but the design paradigm seems to be Feistel's (1970)

slide-11
SLIDE 11

This work's high-level goals

  • Investigate the theoretical soundness of CD (confusion-diffusion!) networks as a design paradigm for cryptographic permutations
  • Fundamental question: (efficient) domain extension of a public random permutation
  • Work in an ideal model (S-boxes are independent random permutations, D-boxes are fixed, explicit permutations)
  • Does the network "emulate" a random permutation? How many rounds are necessary, and what kinds of D-boxes do we need?

slide-15
SLIDE 15

vaguely related work

  • Miles & Viola prove an indistinguishability result for SPN networks where the S-boxes are secret (part of the key) and one-way (so not really an SPN network after all)
  • this work, by contrast: indifferentiability, CD networks, public S-boxes, two-way (invertible) S-boxes

slide-17
SLIDE 17

[figure: 4 rounds of 3 S-boxes S_{i,j} (i = round, j = position in the round), with diffusion permutations π1, π2, π3 between consecutive rounds; every wire carries n bits]

n = wire length

w = "width" (no. S-boxes per round); in the figure w = 3

r = number of rounds; in the figure r = 4

{0, 1}^{wn} = domain of the CD network
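The parameters above (n, w, r and the domain {0,1}^{wn}) in working code, as an added example that is not part of the slides or the authors' code: a toy CD network with seeded random S-boxes standing in for the ideal-model S-boxes, and a fixed linear D-box of our own choosing (the deck fixes no particular D-box). For small parameters it enumerates the whole wn-bit domain and checks that the keyless network is a permutation on it, which is the "domain extension for permutations" view of slide 7.

```python
"""Toy confusion-diffusion (CD) network on {0,1}^{wn}.

Added example, not the authors' code. Parameters follow the slides:
n = wire length in bits, w = width (S-boxes per round), r = rounds.
S-boxes are independent random permutations on {0,1}^n (the ideal model,
sampled from a seeded PRNG so runs are reproducible); the D-box is a fixed,
explicit, keyless permutation on {0,1}^{wn}. The particular D-box (a
triangular xor mix followed by a one-word rotation) is an illustrative
assumption of this example only.
"""
import random


def random_sbox(n, rng):
    """A uniformly random permutation of {0,1}^n plus its inverse table."""
    fwd = list(range(1 << n))
    rng.shuffle(fwd)
    inv = [0] * len(fwd)
    for x, y in enumerate(fwd):
        inv[y] = x
    return fwd, inv


def diffuse(words):
    """Fixed linear D-box: y_i = x_i xor x_{i-1} for i >= 1, then rotate left by one word.
    The triangular mix is invertible wire by wire, so the whole map is a permutation."""
    mixed = [words[0]] + [words[i] ^ words[i - 1] for i in range(1, len(words))]
    return mixed[1:] + mixed[:1]


def undiffuse(words):
    """Inverse of diffuse: undo the rotation, then peel off the triangular mix."""
    mixed = words[-1:] + words[:-1]
    out = [mixed[0]]
    for i in range(1, len(mixed)):
        out.append(mixed[i] ^ out[i - 1])
    return out


class CDNetwork:
    """r rounds of w parallel n-bit S-boxes, with a D-box between consecutive rounds."""

    def __init__(self, n, w, r, seed=0):
        rng = random.Random(seed)
        self.n, self.w, self.r = n, w, r
        # sboxes[i][j] = (table, inverse table) of S_{i+1, j+1}
        self.sboxes = [[random_sbox(n, rng) for _ in range(w)] for _ in range(r)]

    def split(self, x):
        mask = (1 << self.n) - 1
        return [(x >> (self.n * j)) & mask for j in range(self.w)]

    def join(self, words):
        return sum(word << (self.n * j) for j, word in enumerate(words))

    def forward(self, x):
        words = self.split(x)
        for i in range(self.r):
            words = [self.sboxes[i][j][0][words[j]] for j in range(self.w)]
            if i < self.r - 1:          # no D-box after the last round
                words = diffuse(words)
        return self.join(words)

    def inverse(self, y):
        words = self.split(y)
        for i in reversed(range(self.r)):
            if i < self.r - 1:
                words = undiffuse(words)
            words = [self.sboxes[i][j][1][words[j]] for j in range(self.w)]
        return self.join(words)


def is_permutation(net):
    """Bijectivity check on the full wn-bit domain (small parameters only)."""
    domain = 1 << (net.n * net.w)
    images = {net.forward(x) for x in range(domain)}
    return len(images) == domain and all(net.inverse(net.forward(x)) == x for x in range(domain))


if __name__ == "__main__":
    net = CDNetwork(n=3, w=3, r=5, seed=42)   # a 9-bit permutation built from 3-bit S-boxes
    print("bijective on {0,1}^9:", is_permutation(net))
```

With n = 3, w = 3, r = 5 the 512-element domain is enumerated outright; at realistic sizes only the inverse round-trip is affordable. The D-box used here is linear, which the later slides show decides whether 5 or 9 rounds are needed for a provable result.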

slide-22
SLIDE 22

Security Model (indifferentiability)

REAL WORLD: the distinguisher D queries the CD network (in the figure: 3 rounds of S-boxes S_{1,1} ... S_{3,3} with D-boxes π1, π2) and, separately, the individual S-boxes S_{i,j}.

IDEAL WORLD: D queries a random permutation Q in place of the network, and a simulator S in place of the S-boxes ("Insert Simulator Here"); the simulator has oracle access to Q.

Goal: by using its oracle access to Q, the simulator has to make up S-box answers that look "consistent" with Q.

A result in this model reads: "For so-and-so many rounds, for such-and-such diffusion permutations, and with such-and-such a simulator, the distinguisher cannot distinguish using so-and-so-many queries."

slide-32
SLIDE 32

Combinatorial Properties of the Diffusion Permutations, by name:

  1. Entry-Wise Randomized Preimage Resistance (RPR)
  2. Entry-Wise Randomized Collision Resistance (RCR)
  3. Conductance (& "all-but-one Conductance")

slide-33
SLIDE 33

RPR

[figure: π applied to (x1, x2, x3, x4), with x1 drawn at random ($ → x1) and x2, x3, x4 fixed; question: does the output entry y2 equal a target y2*?]

For any fixed values of $x_2, x_3, x_4$, and for any $y_2^*$, there is low probability over the randomness in $x_1$ that $y_2 = y_2^*$.

slide-35
SLIDE 35

RCR

[figure: π evaluated on (x1, x2, x3, x4) and on (x1, x2', x3', x4') with the same random x1 ($ → x1); question: is y2 = y2'?]

For any $x_2, x_3, x_4, x_2', x_3', x_4'$ such that $(x_2, x_3, x_4) \neq (x_2', x_3', x_4')$, there is low probability over the random choice of $x_1 (= x_1')$ that $y_2 = y_2'$.

'C' stands for 'CANNOT' be linear (for $w > 2$): if π is linear then

$y_2 = a x_1 + b x_2 + c x_3 + d x_4$ and $y_2' = a x_1 + b x_2' + c x_3' + d x_4'$,

so $y_2 = y_2'$ exactly when $b x_2 + c x_3 + d x_4 = b x_2' + c x_3' + d x_4'$, a condition that does not involve $x_1$ at all. For $w > 2$ the map $(x_2, \dots, x_w) \mapsto b x_2 + c x_3 + \cdots$ goes from $(w-1)n$ bits to $n$ bits, so distinct tuples with the same image exist, and for them the collision probability is 1.

slide-40
SLIDE 40

An RCR permutation:

$\pi = \sigma^{-1} \circ \eta \circ \sigma$

where σ is a suitably "full rank" linear permutation and η is the "Feistel polynomial":

$\eta(\vec{x})[i] = x_1 + \sum_{j=2}^{w} x_j^{2j+1}$ if $i = 1$, and $\eta(\vec{x})[i] = x_i$ if $i \neq 1$ (where $\vec{x} = (x_1, \dots, x_w)$)
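The construction above in code, as an added example that is not taken from the slides or from the paper: it builds π = σ⁻¹ ∘ η ∘ σ for w = 3 and measures, exactly over all values of x1, the probability that one output wire collides for two inputs sharing x1, contrasting it with a purely linear D-box (the "cannot be linear" point of slide 35). Everything the slides leave open is an assumption of this example: wires are elements of GF(2^8) with the AES reduction polynomial, "+" in η is field addition (xor), and the full-rank linear layer is σ(x) = (x1, x2 + x1, ..., xw + x1).

```python
"""Randomized collision resistance (RCR) of the Feistel-polynomial D-box.

Added example, not the authors' code. Assumptions the slides do not fix:
each wire is an element of GF(2^8) (reduction polynomial x^8+x^4+x^3+x+1),
'+' is field addition (xor), and the full-rank linear layer sigma is
sigma(x) = (x_1, x_2 + x_1, ..., x_w + x_1), an illustrative choice.
"""
import random

N = 8
MOD = 0x11B          # x^8 + x^4 + x^3 + x + 1, the AES reduction polynomial


def gf_mul(a, b):
    """Multiply two elements of GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= MOD
        b >>= 1
    return r


def gf_pow(a, e):
    """a^e in GF(2^8) by square-and-multiply."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def sigma(x):
    """Full-rank linear layer (assumed): u_1 = x_1, u_i = x_i + x_1. It is an involution."""
    return [x[0]] + [xi ^ x[0] for xi in x[1:]]


def eta(u):
    """Feistel polynomial: eta(u)[1] = u_1 + sum_{j>=2} u_j^(2j+1); other wires unchanged.
    Adding the same sum twice cancels in characteristic 2, so eta is an involution."""
    s = u[0]
    for j, uj in enumerate(u[1:], start=2):       # j = 1-based wire index
        s ^= gf_pow(uj, 2 * j + 1)
    return [s] + list(u[1:])


def pi_feistel(x):
    """pi = sigma^{-1} o eta o sigma; both factors are involutions, so sigma^{-1} = sigma."""
    return sigma(eta(sigma(x)))


def pi_linear(x):
    """A purely linear D-box for comparison (sigma on its own)."""
    return sigma(x)


def collision_probability(pi, suffix, suffix_prime, wire=1):
    """Exact Pr over uniform x_1 that pi(x_1, suffix)[wire] == pi(x_1, suffix')[wire].
    `wire` is 0-based, so wire=1 is the y_2 of the slides."""
    hits = 0
    for x1 in range(1 << N):
        if pi([x1] + list(suffix))[wire] == pi([x1] + list(suffix_prime))[wire]:
            hits += 1
    return hits / (1 << N)


def worst_sampled_collision(pi, w, trials=200, seed=1):
    """Max collision probability over random pairs of distinct suffixes (x_2 .. x_w) and wires."""
    rng = random.Random(seed)
    worst = 0.0
    for _ in range(trials):
        a = [rng.randrange(1 << N) for _ in range(w - 1)]
        b = [rng.randrange(1 << N) for _ in range(w - 1)]
        if a == b:
            continue
        worst = max(worst, collision_probability(pi, a, b, wire=rng.randrange(w)))
    return worst


if __name__ == "__main__":
    # Constructed pair of suffixes: same x_2, different x_3.
    print("linear  D-box, Pr[y2 = y2']:", collision_probability(pi_linear, (5, 7), (5, 9)))
    print("Feistel D-box, Pr[y2 = y2']:", collision_probability(pi_feistel, (5, 7), (5, 9)))
    print("Feistel D-box, worst of 200 random pairs:", worst_sampled_collision(pi_feistel, 3))
```

With this σ the difference of the two candidate outputs is, as a polynomial in x1, nonzero of degree at most 2w: the odd exponent 2j + 1 leaves an x1^{2j} term with coefficient x_j + x_j' (the binomial coefficient 2j + 1 is odd), so it has at most 2w roots and the collision probability is at most 2w/2^n = 6/256 for w = 3. The linear D-box, by contrast, collides with probability 1 whenever the two suffixes agree on the wire it reads, exactly the failure slide 35 describes.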

slide-42
SLIDE 42

Conductance

[figure: π with input sets U1, U2, U3, U4 on its input wires and output sets V1, V2, V3, V4 on its output wires]

$U_i, V_i \subseteq \{0,1\}^n$, $|U_i| = |V_i| = q$

$|\{(\vec{x}, \vec{y}) : \vec{x} \in U_1 \times \cdots \times U_w,\ \vec{y} \in V_1 \times \cdots \times V_w,\ \pi(\vec{x}) = \vec{y}\}|$

$\mathrm{cond}_\pi(q)$: maximum of this over all possible choices of $U_1, \dots, U_w, V_1, \dots, V_w$ of size $q$.

  • have $q \le \mathrm{cond}_\pi(q) \le q^w$ for any permutation π
  • no known *explicit* constructions of permutations with low conductance (great research direction!)
  • generic linear permutations have suboptimal conductance ($\approx q^2$, maybe worse)
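The conductance definition above computed by brute force for tiny parameters, as an added example that is neither the authors' code nor a construction from the paper: it enumerates every choice of U_1..U_w and V_1..V_w of size q, which is only feasible for something like n = 2, w = 3, q = 2 (6 subsets per wire, 216 choices per side). The identity, the linear map and the seeded random permutation it compares are illustrative choices of ours.

```python
"""Exhaustive conductance cond_pi(q) for tiny D-box parameters.

Added example, not the authors' code. cond_pi(q) is the maximum, over all
U_1..U_w, V_1..V_w subset of {0,1}^n with |U_i| = |V_i| = q, of the number of
pairs (x, y) with x in U_1 x ... x U_w, y in V_1 x ... x V_w and pi(x) = y.
The search is brute force, so it only runs for very small n, w, q.
"""
from itertools import combinations, product
import random


def conductance(pi, n, w, q):
    """Brute-force cond_pi(q); pi maps a tuple of w n-bit words to a tuple of w n-bit words."""
    subsets = list(combinations(range(1 << n), q))            # all q-subsets of {0,1}^n
    v_choices = [tuple(set(v) for v in vs) for vs in product(subsets, repeat=w)]
    best = 0
    for us in product(subsets, repeat=w):
        images = [pi(x) for x in product(*us)]                 # pi over U_1 x ... x U_w
        for vsets in v_choices:
            hits = sum(1 for y in images if all(yi in vi for yi, vi in zip(y, vsets)))
            best = max(best, hits)
    return best


def identity(x):
    return tuple(x)


def linear(x):
    """An invertible GF(2)-linear map on 3 wires: (x1 ^ x2, x2 ^ x3, x1)."""
    x1, x2, x3 = x
    return (x1 ^ x2, x2 ^ x3, x1)


def random_permutation(n, w, seed):
    """A seeded uniformly random permutation of ({0,1}^n)^w, as a lookup table."""
    domain = list(product(range(1 << n), repeat=w))
    shuffled = domain[:]
    random.Random(seed).shuffle(shuffled)
    table = dict(zip(domain, shuffled))
    return lambda x: table[tuple(x)]


if __name__ == "__main__":
    n, w, q = 2, 3, 2
    print("bounds q <= cond <= q^w:", q, "..", q ** w)
    print("identity      :", conductance(identity, n, w, q))   # q^w: take V_i = U_i
    print("linear        :", conductance(linear, n, w, q))     # q^w: U_i = {0, 1} is a subspace
    print("random perm   :", conductance(random_permutation(n, w, 7), n, w, q))
```

Both the identity and the linear map reach the trivial upper bound q^w here: with q = 2 the sets U_i = {0, 1} are GF(2)-subspaces, and this linear map sends {0, 1}^3 onto itself, so choosing V_i = {0, 1} captures all q^w inputs. That subspace structure is the reason linear D-boxes have poor conductance on the slide. Whatever π is, the value always lands in [q, q^w].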

slide-49
SLIDE 49

(synopsis of results)

linear diffusion permutations?   rounds needed
  no                             5 rounds suffice w/ bad security; 7 rounds enough for good security
  yes                            9 rounds suffice w/ bad security; 11 rounds enough for "maybe" good security

bad security = $\tilde{O}(q^{2w}/2^n)$, good security = $\tilde{O}(q^2/2^n)$

Only one theorem & simulator in paper! (But subject to 3 boolean flags, for a total of eight flavors.)

slide-52
SLIDE 52

(The 5-round Simulator)

[figure: five S-box rounds with D-boxes πG, πB, πC, πH between them; the simulator's zones marked on the rounds: detect, detect, detect; adapt, adapt; untangle (RCR) ×4]

Basic Idea: path-completion strategy similar to the 14-round & 10-round Feistel simulators of HKT11 and Seurin09.

The untangle zones rely on RCR, so those D-boxes CANNOT be linear!

slide-59
SLIDE 59

[figure: nine S-box rounds with D-boxes πG πH πI πB πC πJ πK πH (labels as extracted); zones: detect ×3, adapt ×2, untangle ×4; each of the eight D-boxes is marked RPR]

With the extra rounds the untangle zones need only RPR, so the D-boxes can be linear!

slide-62
SLIDE 62

[figure: 5-round network, D-boxes πG πB πC πH; zones detect ×3, untangle (RCR) ×4, adapt ×2]

security: $q^{2w}/2^n = (q^w)^2/2^n$

slide-65
SLIDE 65

[figure: an extra middle D-box τ inserted, D-boxes πG πB τ πC πH (6 rounds); zones as before]

security: $\mathrm{cond}_\tau(q)^2/2^n$ "≈" $q^2/2^n$

slide-68
SLIDE 68

[figure: the longer network with τ in the middle, D-boxes πG πH πI πB τ πC πJ πK πH; zones detect ×3, adapt ×2, untangle ×4; untangle D-boxes marked RPR]

security: $\mathrm{cond}_\tau(q)^2/2^n$ "≈" $q^2/2^n$

Untangle D-boxes: Linear! Linear? U choose! Modularity!

slide-71
SLIDE 71

[figure: D-boxes πG πB τ πC πH; zones detect ×3, untangle (RCR) ×4, adapt ×2]

security: $\mathrm{cond}_\tau(q)^2/2^n$; query complexity: $q^w$

[figure: the same network with an extra outer D-box ν in front: ν πG πB τ πC πH]

security: $\mathrm{cond}_\tau(q)^2/2^n$; query complexity: $\mathrm{cond}_\nu(q)$

Altogether, the three boolean flags control...

  • Security (XtraMiddleRnd)
  • Query Complexity (XtraOuterRnd)
  • Linearity of untangle zones (XtraUntangleRnds)

slide-77
SLIDE 77

Domain Extension: Our Work vs Previous (w = 2)

                       RP → RO → RP           CD length 5     CD length 7
                       via 8-round Feistel    (explicit)      (existential)
SECURITY               q^8/2^n                q^4/2^n         q^2/2^n
NUM CALLS TO RP        16                     10              14
QUERY COMPLEXITY       q^4                    q^4             q
SIM COMPLEXITY         q^4                    q^4             q^2