# Provable Security of (Tweakable) Block Ciphers Based on Substitution-Permutation Networks

@inproceedings{Cogliati2018ProvableSO,
title={Provable Security of (Tweakable) Block Ciphers Based on Substitution-Permutation Networks},
author={Benoit Cogliati and Yevgeniy Dodis and Jonathan Katz and Jooyoung Lee and John P. Steinberger and Aishwarya Thiruvengadam and Zhe Zhang},
booktitle={CRYPTO},
year={2018}
}
• Published in CRYPTO 19 August 2018
• Computer Science, Mathematics
Substitution-Permutation Networks (SPNs) refer to a family of constructions which build a wn-bit block cipher from n-bit public permutations (often called S-boxes), which alternate keyless and “local” substitution steps utilizing such S-boxes, with keyed and “global” permutation steps which are non-cryptographic. Many widely deployed block ciphers are constructed based on the SPNs, but there are essentially no provable-security results about SPNs.

### The t-wise Independence of Substitution-Permutation Networks

• Computer Science, Mathematics
IACR Cryptol. ePrint Arch.
• 2021
Almost pairwise independence is proved for sufficiently many rounds of both the AES block cipher and the MiMC block cipher, assuming independent sub-keys, and it is shown that instantiating a key-alternating cipher with most permutations gives us (almost) t-wise independence in t+o(t) rounds.

### CENCPP - Beyond-birthday-secure Encryption from Public Permutations

• Computer Science, Mathematics
IACR Cryptol. ePrint Arch.
• 2020
This work tries to address the gap in encryption schemes with beyond-birthday-bound security by proposing CENCPP ∗, a nonce-based encryption scheme from public permutations that is a variant of Iwata’s block-cipher-based mode CENC that is adapted for public permutation, thereby generalizing Chen et al.

### Cryptography and Coding: 17th IMA International Conference, IMACC 2019, Oxford, UK, December 16–18, 2019, Proceedings

• M. Stam
• Computer Science, Mathematics
IMACC
• 2019
This paper focuses on the construction of Signcryption in the Multi-user Setting from Identity-Based Encryption, and on the Homomorphic Computation of Symmetric Cryptographic Primitives.

### Small-Box Cryptography

• Computer Science, Mathematics
ITCS
• 2022
This work introduces a novel paradigm for justifying the security of existing block ciphers, which it allows one to go much deeper inside the existing block cipher constructions, by only idealizing a small building block of very small size n, such as an 8-to-32-bit S-box.

### Provable Security of SP Networks with Partial Non-Linear Layers

• Computer Science, Mathematics
IACR Trans. Symmetric Cryptol.
• 2021
The results formally confirm the conjecture that partial SPNs achieve the same security as normal SPNs while consuming less non-linearity, in a well-established framework.

### Sashimi: Cutting up CSI-FiSh secret keys to produce an actively secure distributed signing protocol

• Computer Science, Mathematics
IACR Cryptol. ePrint Arch.
• 2019
We present the first actively secure variant of a distributed signature scheme based on isogenies. The protocol produces signatures from the recent CSI-FiSh signature scheme. Our scheme works for any

### Beyond-Birthday-Bound Security for 4-round Linear Substitution-Permutation Networks

• Computer Science, Mathematics
IACR Trans. Symmetric Cryptol.
• 2020
This paper proves that a 4-round SPN with linear diffusion layers and independent round keys is secure up to 22n/3 queries and identifies conditions on the linear layers that are sufficient for such security, which, unsurprisingly, turns out to be slightly stronger than Cogliati et al.

### Sequential Indifferentiability of Confusion-Diffusion Networks

• Computer Science, Mathematics
INDOCRYPT
• 2021
It is proved that 3-round NLCDNs achieve the notion of sequential indifferentiability, a notion strongly related to known-key security of block ciphers and secure hash functions, and provides additional insights on understanding the complexity for known- key security, as well as using confusion-diffusion paradigm for designing cryptographic hash functions.

### Sharing the LUOV: Threshold Post-Quantum Signatures

• Computer Science, Mathematics
IACR Cryptol. ePrint Arch.
• 2019
All schemes, except the ones in the MQ family, have significant issues when one wishes to convert them using relatively generic MPC techniques, and the two which would appear to be most suitable for using in a threshold like manner are Rainbow and LUOV.

### Thresholdizing HashEdDSA: MPC to the Rescue

• Computer Science, Mathematics
IACR Cryptol. ePrint Arch.
• 2020
It is shown that one can obtain relatively efficient implementations of threshold HashEdDSA with no modifications to the behaviour of the signing algorithm using a doubly authenticated bit (daBit) generation protocol tailored for access structures that is more efficient than prior work.

## References

SHOWING 1-10 OF 46 REFERENCES

### Provable Security of Substitution-Permutation Networks

• Computer Science, Mathematics
IACR Cryptol. ePrint Arch.
• 2017
It is shown that 3 rounds of S-boxes are necessary and sufficient for secure linear SPNs, but that even 1-round SPNs can be secure when non-linearity is allowed.

### Wide Tweakable Block Ciphers Based on Substitution-Permutation Networks: Security Beyond the Birthday Bound

• Computer Science, Mathematics
IACR Cryptol. ePrint Arch.
• 2018
This paper makes SPNs tweakable by allowing keyed tweakable permutations in the permutation layer, and proves beyond-the-birthday-bound security for 2-round non-linear SPNs with independent S-boxes and independent round keys and proves their security as tweakable block ciphers.

### Structural Cryptanalysis of SASAS

• Mathematics, Computer Science
Journal of Cryptology
• 2010
It is shown that a five-layer scheme with 128-bit plaintexts and 8-bit S-boxes is surprisingly weak against what is called a multiset attack, even when all the S- boxes and affine mappings are key dependent (and thus completely unknown to the attacker).

### Cryptographic Schemes Based on the ASASA Structure: Black-Box, White-Box, and Public-Key (Extended Abstract)

• Computer Science, Mathematics
ASIACRYPT
• 2014
This paper designs several encryption schemes based on the ASASA structure ranging from fast and generic symmetric ciphers to compact public key and white-box constructions based on generic affine transformations combined with specially designed low degree non-linear layers.

### Tweaking Even-Mansour Ciphers

• Computer Science, Mathematics
CRYPTO
• 2015
The (one-round) tweakable Even-Mansour (TEM) cipher is introduced, constructed from a single n-bit permutation P and a uniform and almost XOR-universal family of hash functions $$(H_k) from some tweak space to \(\{0,1\}^n$$, and its generalization obtained by cascading r independently keyed rounds of this construction.

### A construction of a cipher from a single pseudorandom permutation

• Computer Science, Mathematics
Journal of Cryptology
• 2007
A scheme for a block cipher which uses only one randomly chosen permutation, F, which removes the need to store, or generate a multitude of permutations.

### Cipher and hash function design strategies based on linear and differential cryptanalysis

This thesis contains a new approach to design block ciphers, synchronous and self-synchronizing stream cipher and cryptographic hash functions that can be implemented efficiently on a wide variety of platforms.

### Decomposing the ASASA Block Cipher Construction

• Computer Science, Mathematics
IACR Cryptol. ePrint Arch.
• 2015
This paper presents several attacks on general ASASA schemes that significantly outperform the analysis of Biryukov et al. and are able to break all the proposed concrete AsASA constructions with practical complexity.

### Minimizing the Two-Round Even-Mansour Cipher

• Computer Science, Mathematics
IACR Cryptol. ePrint Arch.
• 2014
This paper proves a qualitatively similar $$\widetilde{ \mathcal{O} } (2^{2n/3})$$ security bound for the two-round Even-Mansour cipher, the first “beyond the birthday bound” security result for AES-like ciphers that does not assume independent round keys.

### Security of Random Feistel Schemes with 5 or More Rounds

It is shown that the Feistel schemes are secure against all adaptive chosen plaintext attacks (CPA-2) when k≥ 3 and against all adaptations of plaintext/ciphertext and chosen ciphertext attacks(CPCA-2).