Improved Security Bounds for Generalized Feistel Networks Yaobin - PowerPoint PPT Presentation

Feistel Networks Our Contributions Security Proofs Conclusion Improved Security Bounds for Generalized Feistel Networks Yaobin Shen 1 Chun Guo 2 Lei Wang 1 1 Shanghai Jiao Tong University 2 Shandong University November 13, FSE 2020 Yaobin Shen, Chun Guo, Lei Wang Improved Security Bounds for GFN

Feistel Networks Our Contributions Security Proofs Conclusion Outline 1 Feistel Networks 2 Our Contributions 3 Security Proofs 4 Conclusion Yaobin Shen, Chun Guo, Lei Wang Improved Security Bounds for GFN

� � � � � � � � � � � ������� ������� � � � � � � � � � � � � � ��� ������������� � �������� �������� ������ ��� ��� ������ ����� ���� ���� ��� ���� ������� �������� ������� ������� ����� �� ������� ����������� � � � � ������� ������������ � � � � � � � � � � � � � � � ������� �������� Feistel Networks Our Contributions Security Proofs Conclusion Feistel Network Feistel network: iterate several times of Feistel permutation � � � � � � � � ����� Ψ F i ( A, B ) = ( B, A ⊕ F i ( B )) , where F i : { 0 , 1 } n → { 0 , 1 } n is � � � � � � �� ������ ����� �������� called round function n n A 0 B 0 F 1 A 1 B 1 F 2 A 2 B 2 Figure: Classical Feistel Yaobin Shen, Chun Guo, Lei Wang Improved Security Bounds for GFN

Feistel Networks Our Contributions Security Proofs Conclusion Generalized Feistel Networks Replace round functions with expanding or contracting ones unbalanced Feistel Alternatively use expanding and contracting round functions alternating Feistel Partition the input into more than two blocks type-1, type-2, type-3 Feistel Use tweakable blockcipher TBC-based Feistel Yaobin Shen, Chun Guo, Lei Wang Improved Security Bounds for GFN

Feistel Networks Our Contributions Security Proofs Conclusion Generalized Feistel Networks m n m n m n Z M Z N A 0 B 0 A 0 B 0 + A 0 B 0 N · A 0 B 0 F 1 F 1 F 1 ⊞ F 1 A ′ A ′ B 0 B 0 0 0 A 1 B 1 A 1 B 1 A 1 B 1 A 1 B 1 F 2 F 2 F 2 F 2 ⊞ B 1 A ′ B 1 A ′ 1 1 A 2 B 2 A 2 + B 2 N · A 2 B 2 A 2 B 2 (c) Alternating Feistel ALF r [ m, n ] (d) Numeric alternating Feistel NALF r [ M, N ] (a) Unbalanced Feistel UBF r [ m, n ] with m ≤ n (b) Unbalanced Feistel UBF r [ m, n ] with m > n n n n n n n n n n n n n n n A 0 B 0 A 0 [1] A 0 [2] A 0 [3] A 0 [4] A 0 [1] A 0 [2] A 0 [3] A 0 [4] A 0 [1] A 0 [2] A 0 [3] A 0 [4] W � P 1 F 1 F 2 F 1 F 2 F 3 F A 1 B 1 W � P 2 A 1 [1] A 1 [2] A 1 [3] A 1 [4] A 1 [1] A 1 [2] A 1 [3] A 1 [4] A 1 [1] A 1 [2] A 1 [3] A 1 [4] A 2 B 2 (e) Type-1 Feistel Feistel1 r [ k, n ] (f) Type-2 Feistel Feistel2 r [ k, n ] (g) Type-3 Feistel Feistel3 r [ k, n ] (h) TBC-based Feistel TGF r [ ω, 2 n ] Figure: Illustration of generalized Feistel networks Yaobin Shen, Chun Guo, Lei Wang Improved Security Bounds for GFN

Feistel Networks Our Contributions Security Proofs Conclusion Applications of Feistel Networks DES (classical Feistel) Skipjack (unbalanced Feistel) BEAR/LION, Format-Preserving Encryption (alternating Feistel) CAST-256 (type-1), RC6 (type-2), MARS (type-3) Double-block length Tweakable blockcipher (TBC-based Feistel) Yaobin Shen, Chun Guo, Lei Wang Improved Security Bounds for GFN

Feistel Networks Our Contributions Security Proofs Conclusion Previous Results For unbalanced, alternating, type-1, type-2, type-3 Feistel Birthday-bound security [NR99,MRS09,AB96,BR02,BRRS09,Luc96,ZMI90] Beyond-birthday-bound security for unbalanced Feistel [Pat10] Asymptotically n -bit security [HR10] for all these Feistels Hoang and Rogaway’s result [HR10] CCA-secure up to 2 (1 − ε ) n queries for any ε > 0 requires a large number of rounds for asymptotically n -bit security For TBC-based Feistel by Coron et al. [CDMS10] 3 rounds are proved to have n -bit security the input size to underlying tweakable permutation is: n + w ( w is the size of tweak, w > n ) n -bit security is only birthday-type with respect to the input size [LL18] Yaobin Shen, Chun Guo, Lei Wang Improved Security Bounds for GFN

Feistel Networks Our Contributions Security Proofs Conclusion Outline 1 Feistel Networks 2 Our Contributions 3 Security Proofs 4 Conclusion Yaobin Shen, Chun Guo, Lei Wang Improved Security Bounds for GFN

Feistel Networks Our Contributions Security Proofs Conclusion Improved Security Bounds For unbalanced, alternating, type-1, type-2 and type-3 Feistel improve the coupling analyzes of Hoang and Rogaway [HR10] achieve almost the same security bound with a nearly half number of rounds Scheme Previous Bound #rounds Our Bound #rounds UBF r [ m, n ] � (3 ⌈ n � 4 ⌈ n � t � t m ⌉ +3) q m ⌉ q +4 q 2 q (4 ⌈ n 2 q (2 ⌈ n m ⌉ + 2) t + 2 ⌈ n n ≥ m m ⌉ + 4) t [HR10] m ⌉ + 1 2 n 2 n t +1 t +1 � 4 ⌈ m � 4 ⌈ n � t � t n ⌉ q m ⌉ q 2 q (2 ⌈ m 2 q 4 t + 2 ⌈ n n < m n ⌉ + 4) t [HR10] m ⌉ + 1 2 n 2 n t +1 t +1 � (6 ⌈ n � 6 ⌈ n � t � t m ⌉ +3) q m ⌉ q +3 q ALF r [ m, n ] 2 q (12 ⌈ n 2 q (12 ⌈ n m ⌉ + 8) t [HR10] m ⌉ + 2) t + 5 t +1 2 n t +1 2 n � t � NALF r [ M, N ] t +1 ( (6 ⌈ log M N ⌉ +3) q 2 q 2 q 6 ⌈ log M N ⌉ q +3 q ) t (12 ⌈ log M N ⌉ + 8) t [HR10] (12 ⌈ log M N ⌉ + 2) t + 5 N t +1 N � t � t � 2 k ( k 2 − k +1) q � 2 q (2 k 2 + 2 k ) t [HR10] 2 q 2 k ( k − 1) q ( k 2 + k − 2) t + 1 Feistel1 r [ k, n ] t +1 2 n t +1 2 n � t � t � 2 k ( k − 1) q � 2 k ( k − 1) q Feistel2 r [ k, n ] 2 q 2 q (2 k + 2) t [HR10] 2 kt + 1 t +1 2 n t +1 2 n � t � t � 4( k − 1) 2 q � 4( k − 1) 2 q Feistel3 r [ k, n ] 2 q 2 q ( k + 4) t [HR10] ( k + 2) t + 1 2 n 2 n t +1 t +1 Table: Summary of improved bounds for generalized Feistel networks Yaobin Shen, Chun Guo, Lei Wang Improved Security Bounds for GFN

Feistel Networks Our Contributions Security Proofs Conclusion Improved Security Bounds For TBC-based Feistel give the first coupling analysis achieves 2 n -bit security with enough rounds Scheme Previous Bound #rounds Our Bound #rounds � t � 1 / 2 � q 2 � TGF r [ ω, 2 n ] q 30 q 3 [CDMS10] 2 · 4 t + 2 2 2 n t +1 2 2 n Table: Comparison between Coron et al.’s bound and our bound. Yaobin Shen, Chun Guo, Lei Wang Improved Security Bounds for GFN

Feistel Networks Our Contributions Security Proofs Conclusion Outline 1 Feistel Networks 2 Our Contributions 3 Security Proofs 4 Conclusion Yaobin Shen, Chun Guo, Lei Wang Improved Security Bounds for GFN

� � � � � Feistel Networks Our Contributions Security Proofs Conclusion The Coupling Technique Focus on NCPA security, then lift it to CCA security by a composition lemma [MP03] real world ideal world Inputs � � � , … , � � Inputs � � � , … , � � Outputs � � � , … , � � , … , � Outputs � � Figure: The NCPA indistinguishability game Yaobin Shen, Chun Guo, Lei Wang Improved Security Bounds for GFN

� � � � � � Feistel Networks Our Contributions Security Proofs Conclusion The Coupling Technique Another ideal world U 1 , . . . , U q are uniformly sampled at random without replacement from { 0 , 1 } n E k is a permutation So in the ideal world, Y 1 , . . . , Y q are also uniformly sampled at random without replacement from { 0 , 1 } n real world ideal world Inputs � � � , … , � � Inputs � � � , … , � � Outputs � � � , … , � Outputs � � � , … , � Figure: The NCPA indistinguishability game Yaobin Shen, Chun Guo, Lei Wang Improved Security Bounds for GFN

� � � � � � Feistel Networks Our Contributions Security Proofs Conclusion The Coupling Technique Intermediate game � -th world ( � + 1) -th world � � , … , � � , � ��� , … , � � � � , … , � � , � ��� , … , � � Outputs � � � , … , � Outputs � � � , … , � Figure: The NCPA indistinguishability game Adv ncpa E k ( q ) ≤ � q − 1 ℓ =0 � µ ℓ − µ ℓ +1 � µ 0 the distribution of outputs in the ideal world µ ℓ the distribution of outputs in the ℓ -th world µ q the distribution of outputs in the real world Yaobin Shen, Chun Guo, Lei Wang Improved Security Bounds for GFN

Feistel Networks Our Contributions Security Proofs Conclusion The Coupling Technique A coupling of µ and ν is a distribution λ on Ω × Ω such that: � ∀ x ∈ Ω , � y ∈ Ω λ ( x, y ) = µ ( x ) ∀ y ∈ Ω , � x ∈ Ω λ ( x, y ) = ν ( y ) Use coupling lemma to bound the distance between µ ℓ and µ ℓ +1 Lemma (Coupling Lemma) Let µ and ν be two probability distributions on a finite event space Ω . Let random variable ( X, Y ) be a coupling of µ and ν . Then � µ − ν � ≤ Pr[ X � = Y ] . Yaobin Shen, Chun Guo, Lei Wang Improved Security Bounds for GFN