General Diffusion Analysis: How to Find Optimal Permutations for - PowerPoint PPT Presentation

General Diffusion Analysis: How to Find Optimal Permutations for Generalized Type-II Feistel Schemes Victor Cauchois 1 , 2 , Clément Gomez 1 , Gaël Thomas 1 1 DGA Maitrise de l’Information, Bruz, France 2 IRMAR, Université de Rennes 1, Rennes, France Fast Software Encryption — 2019-03-26 — Paris, France Optimal Permutations for Generalized Type-II Feistel Schemes Cauchois, Gomez, Thomas FSE 2019-03-26 1/20

The Feistel Network How to construct a permutation? F Challenging task F Split the problem in half and iterate F DES, Camellia, Simon, . . . Optimal Permutations for Generalized Type-II Feistel Schemes Cauchois, Gomez, Thomas FSE 2019-03-26 2/20

Type-II Generalized Feistel Structure (GFS) F F F F Split into k blocks k / 2 parallel mini-Feistel functions (easier to design) F Then a block-wise permutation π ∈ S k : CLEFIA ( k = 4), Simpara ( k = 4 , 6 , 8), TWINE ( k = 16) Problem: Diffusion needs more rounds Optimal Permutations for Generalized Type-II Feistel Schemes Cauchois, Gomez, Thomas FSE 2019-03-26 3/20

Maximum Diffusion Round (DR) 5 F F F F F F F F F F F F F F F F F F F F F F F F 6 Optimal Permutations for Generalized Type-II Feistel Schemes Cauchois, Gomez, Thomas FSE 2019-03-26 4/20

Maximum Diffusion Round (DR) 5 6 F F F F F F F F F F F F F F F F F F F F F F F F 6 Optimal Permutations for Generalized Type-II Feistel Schemes Cauchois, Gomez, Thomas FSE 2019-03-26 4/20

Maximum Diffusion Round (DR) 5 6 5 F F F F F F F F F F F F F F F F F F F F F F F F 6 Optimal Permutations for Generalized Type-II Feistel Schemes Cauchois, Gomez, Thomas FSE 2019-03-26 4/20

Maximum Diffusion Round (DR) 5 6 5 6 F F F F F F F F F F F F F F F F F F F F F F F F 6 Optimal Permutations for Generalized Type-II Feistel Schemes Cauchois, Gomez, Thomas FSE 2019-03-26 4/20

Maximum Diffusion Round (DR) 5 6 5 6 5 6 5 6 F F F F F F F F F F F F F F F F F F F F F F F F 6 Optimal Permutations for Generalized Type-II Feistel Schemes Cauchois, Gomez, Thomas FSE 2019-03-26 4/20

Maximum Diffusion Round (DR) 5 6 5 6 5 6 5 6 Simple criterion F F F F Depends only on the F F F F permutation π Link with impossible F F F F differential and saturation attacks F F F F Encryption F F F F F F F F 6 Optimal Permutations for Generalized Type-II Feistel Schemes Cauchois, Gomez, Thomas FSE 2019-03-26 4/20

Maximum Diffusion Round (DR) 5 6 5 6 5 6 5 6 Simple criterion F F F F Depends only on the F F F F permutation π Link with impossible F F F F differential and saturation attacks F F F F Encryption F F F F AND Decryption F F F F 6 Optimal Permutations for Generalized Type-II Feistel Schemes Cauchois, Gomez, Thomas FSE 2019-03-26 4/20

Maximum Diffusion Round (DR) 5 6 5 6 5 6 5 6 Simple criterion F F F F Depends only on the F F F F permutation π Link with impossible F F F F differential and saturation attacks F F F F Encryption F F F F AND Decryption F F F F here DR ( π ) = 6 6 5 6 5 6 5 6 5 Optimal Permutations for Generalized Type-II Feistel Schemes Cauchois, Gomez, Thomas FSE 2019-03-26 4/20

Previous Works F F F F k DR ( rot ) min DR ( π ) Suzaki and Minematsu, FSE 2010 4 4 4 Focus on even-odd GFS ( S eo k ) 6 6 5 8 8 6 Exhaustive search for k ≤ 16 blocks 10 10 7 12 12 8 Power of two case : generic 14 14 8 construction in DR ( π ) = 2 log 2 k 16 16 8 Optimal Permutations for Generalized Type-II Feistel Schemes Cauchois, Gomez, Thomas FSE 2019-03-26 5/20

Our Contributions k [SM10] this paper 4 4 4 Constructive upper-bound on the 6 5 5 number of even-odd GFS up to 8 6 6 equivalence 10 7 7 12 8 8 Exhaustive search for k ≤ 24 14 8 8 16 8 8 New criterion to reduce search 18 8 space: Collision-free depth 20 9 22 8 Power of two case: new 24 9 permutations based on graph 26 9 coloring 32 10 10 64 12 11 Case of non even-odd permutations 128 14 13 Optimal Permutations for Generalized Type-II Feistel Schemes Cauchois, Gomez, Thomas FSE 2019-03-26 6/20

Equivalence of GFS F F F F Equivalence up to block reindexing Optimal Permutations for Generalized Type-II Feistel Schemes Cauchois, Gomez, Thomas FSE 2019-03-26 7/20

Equivalence of GFS F F F F Equivalence up to block reindexing Permutations of pairs: swap blocks in a pair-wise manner Optimal Permutations for Generalized Type-II Feistel Schemes Cauchois, Gomez, Thomas FSE 2019-03-26 7/20

Equivalence of GFS F F F F Equivalence up to block reindexing Permutations of pairs: swap blocks in a pair-wise manner S p k := { ϕ ∈ S k |∀ i ≤ k 2 − 1 , ϕ ( 2 i ) is even and ϕ ( 2 i + 1 ) = ϕ ( 2 i )+ 1 } Optimal Permutations for Generalized Type-II Feistel Schemes Cauchois, Gomez, Thomas FSE 2019-03-26 7/20

Equivalence of GFS F F F F Equivalence up to block reindexing Permutations of pairs: swap blocks in a pair-wise manner S p k := { ϕ ∈ S k |∀ i ≤ k 2 − 1 , ϕ ( 2 i ) is even and ϕ ( 2 i + 1 ) = ϕ ( 2 i )+ 1 } “Pair-equivalence”: S p k acts on S k by conjugation π 1 ≡ π 2 iff ∃ ϕ ∈ S p k s.t. π 1 = ϕ ◦ π 2 ◦ ϕ − 1 Optimal Permutations for Generalized Type-II Feistel Schemes Cauchois, Gomez, Thomas FSE 2019-03-26 7/20

Number of Even-odd GFS up to Pair-equivalence F F F F  S eo S k / 2 × S k / 2 → (even-odd GFS) k  Bijection:  Optimal Permutations for Generalized Type-II Feistel Schemes Cauchois, Gomez, Thomas FSE 2019-03-26 8/20

Number of Even-odd GFS up to Pair-equivalence F F F F  S eo S k / 2 × S k / 2 → (even-odd GFS) k  Bijection: � π ( 2 i ) = 2 π 1 ( i ) + 1 � ( π 1 , π 2 ) �→ π s.t. � π ( 2 i + 1 ) = 2 π 2 ( i )  � Optimal Permutations for Generalized Type-II Feistel Schemes Cauchois, Gomez, Thomas FSE 2019-03-26 8/20

Number of Even-odd GFS up to Pair-equivalence F F F F  S eo S k / 2 × S k / 2 → (even-odd GFS) k  Bijection: � π ( 2 i ) = 2 π 1 ( i ) + 1 � ( π 1 , π 2 ) �→ π s.t. � π ( 2 i + 1 ) = 2 π 2 ( i )  � ( k / 2 )! 2 ( k / 2 )! ≤ number of classes ≤ Optimal Permutations for Generalized Type-II Feistel Schemes Cauchois, Gomez, Thomas FSE 2019-03-26 8/20

Number of Even-odd GFS up to Pair-equivalence F F F F  S eo S k / 2 × S k / 2 → (even-odd GFS) k  Bijection: � π ( 2 i ) = 2 π 1 ( i ) + 1 � ( π 1 , π 2 ) �→ π s.t. � π ( 2 i + 1 ) = 2 π 2 ( i )  � Idea Only enumerate a single π 1 for each conjugacy class in S k / 2 w.r.t regular conjugation ( k / 2 )! 2 ( k / 2 )! ≤ number of classes ≤ Optimal Permutations for Generalized Type-II Feistel Schemes Cauchois, Gomez, Thomas FSE 2019-03-26 8/20

Number of Even-odd GFS up to Pair-equivalence F F F F  S eo S k / 2 × S k / 2 → (even-odd GFS) k  Bijection: � π ( 2 i ) = 2 π 1 ( i ) + 1 � ( π 1 , π 2 ) �→ π s.t. � π ( 2 i + 1 ) = 2 π 2 ( i )  � Idea Only enumerate a single π 1 for each conjugacy class in S k / 2 w.r.t regular conjugation ( k / 2 )! ≤ number of classes ≤ N k / 2 · ( k / 2 )! Optimal Permutations for Generalized Type-II Feistel Schemes Cauchois, Gomez, Thomas FSE 2019-03-26 8/20

Number of Even-odd GFS up to Pair-equivalence F F F F  S eo S k / 2 × S k / 2 → (even-odd GFS) k  Bijection: � π ( 2 i ) = 2 π 1 ( i ) + 1 � ( π 1 , π 2 ) �→ π s.t. � π ( 2 i + 1 ) = 2 π 2 ( i )  � Idea Only enumerate a single π 1 for each conjugacy class in S k / 2 w.r.t regular conjugation ( k / 2 )! ≤ number of classes ≤ N k / 2 · ( k / 2 )! Number of conjugacy class in S k / 2 : N k / 2 = O ( e π √ k / 3 ) Optimal Permutations for Generalized Type-II Feistel Schemes Cauchois, Gomez, Thomas FSE 2019-03-26 8/20

General Diffusion Analysis: How to Find Optimal Permutations for - PowerPoint PPT Presentation

General Diffusion Analysis: How to Find Optimal Permutations for Generalized Type-II Feistel Schemes Victor Cauchois 1 , 2 , Clment Gomez 1 , Gal Thomas 1 1 DGA Maitrise de lInformation, Bruz, France 2 IRMAR, Universit de Rennes 1,

Optimal multiple stopping time problems of jumps diffusion processes Im` ene BEN LATIFA

31/10/2019 Diffusion General Note. Atomic diffusion is a process whereby the random

Parallelizing Union-Find in Constraint Handling Rules Using Confluence Analysis Thom Fr

USING DATA TO FIND THE OPTIMAL MIX OF RETAIL LOCATIONS AND RESOURCES INTRODUCTION Education

Blockchains Beyond Bitcoin: Notations Towards Optimal Level of Analysis of the Problem Let Us

Generalized Feistel Networks with Optimal Diffusion Lo Perrin DTU, Lyngby Inria, Paris

Multiscale Analysis and Diffusion Semigroups With Applications Karamatou Yacoubou Djima Advisor:

Image analysis Biomedical images are analyzed in order to get information of interest with a non

Analysis of the controllability of space-time fractional diffusion and super diffusion equations

NIST Workshop: High Throughput Analysis of Multicomponent Multiphase Diffusion Data March

The method of viscosity solutions for analysis of singular diffusion problems appearing in

Cyril Bachelard OLZ AG Optimal Portfolios and Where to Find Them Hint: Somewhere inside a

Simulating Neurodegeneration through Longitudinal Population Analysis of Structural and Diffusion

A general mechanism of diffusion in Hamiltonian Systems DYNAMICAL SYSTEMS: FROM GEOMETRY TO

Finite Volume Methods: the steady convection-diffusion equation G. Manzini 1 1 IMATI - CNR, Pavia

Questions about Exercise 2? Lecture: Natural diffusion Introduction to the

Questions about Exercise 2? Lecture: Natural diffusion Introduction to the

Goals of Routing Protocols Find the optimal route 10: Rapid Convergence Inter and

c + = Diffusion Diffusion 2 6.82 10 -6 v c D c 10 -1 Equation

Mass spectrometric diffusion parameters and 3D structural analysis of oligomeric associates of

Sensitivity analysis for relaxed optimal control problems with final-state constraints eric

Neutrino diffusion in General Relativity Giovanni Camelio with Stephan Rosswog from Astronomy

Inhomogeneous materials can become homogeneous by diffusion. For an active diffusion to occur, the

From normal to anomalous deterministic diffusion Part 1: Normal deterministic diffusion Rainer