# Provable Security of (Tweakable) Block Ciphers Based on Substitution-Permutation Networks

@inproceedings{Cogliati2018ProvableSO, title={Provable Security of (Tweakable) Block Ciphers Based on Substitution-Permutation Networks}, author={Benoit Cogliati and Yevgeniy Dodis and Jonathan Katz and Jooyoung Lee and John P. Steinberger and Aishwarya Thiruvengadam and Zhe Zhang}, booktitle={CRYPTO}, year={2018} }

Substitution-Permutation Networks (SPNs) refer to a family of constructions which build a wn-bit block cipher from n-bit public permutations (often called S-boxes), which alternate keyless and “local” substitution steps utilizing such S-boxes, with keyed and “global” permutation steps which are non-cryptographic. Many widely deployed block ciphers are constructed based on the SPNs, but there are essentially no provable-security results about SPNs.

## 16 Citations

### The t-wise Independence of Substitution-Permutation Networks

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2021

Almost pairwise independence is proved for sufficiently many rounds of both the AES block cipher and the MiMC block cipher, assuming independent sub-keys, and it is shown that instantiating a key-alternating cipher with most permutations gives us (almost) t-wise independence in t+o(t) rounds.

### CENCPP - Beyond-birthday-secure Encryption from Public Permutations

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2020

This work tries to address the gap in encryption schemes with beyond-birthday-bound security by proposing CENCPP ∗, a nonce-based encryption scheme from public permutations that is a variant of Iwata’s block-cipher-based mode CENC that is adapted for public permutation, thereby generalizing Chen et al.

### Cryptography and Coding: 17th IMA International Conference, IMACC 2019, Oxford, UK, December 16–18, 2019, Proceedings

- Computer Science, MathematicsIMACC
- 2019

This paper focuses on the construction of Signcryption in the Multi-user Setting from Identity-Based Encryption, and on the Homomorphic Computation of Symmetric Cryptographic Primitives.

### Small-Box Cryptography

- Computer Science, MathematicsITCS
- 2022

This work introduces a novel paradigm for justifying the security of existing block ciphers, which it allows one to go much deeper inside the existing block cipher constructions, by only idealizing a small building block of very small size n, such as an 8-to-32-bit S-box.

### Provable Security of SP Networks with Partial Non-Linear Layers

- Computer Science, MathematicsIACR Trans. Symmetric Cryptol.
- 2021

The results formally confirm the conjecture that partial SPNs achieve the same security as normal SPNs while consuming less non-linearity, in a well-established framework.

### Sashimi: Cutting up CSI-FiSh secret keys to produce an actively secure distributed signing protocol

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2019

We present the first actively secure variant of a distributed signature scheme based on isogenies. The protocol produces signatures from the recent CSI-FiSh signature scheme. Our scheme works for any…

### Beyond-Birthday-Bound Security for 4-round Linear Substitution-Permutation Networks

- Computer Science, MathematicsIACR Trans. Symmetric Cryptol.
- 2020

This paper proves that a 4-round SPN with linear diffusion layers and independent round keys is secure up to 22n/3 queries and identifies conditions on the linear layers that are sufficient for such security, which, unsurprisingly, turns out to be slightly stronger than Cogliati et al.

### Sequential Indifferentiability of Confusion-Diffusion Networks

- Computer Science, MathematicsINDOCRYPT
- 2021

It is proved that 3-round NLCDNs achieve the notion of sequential indifferentiability, a notion strongly related to known-key security of block ciphers and secure hash functions, and provides additional insights on understanding the complexity for known- key security, as well as using confusion-diffusion paradigm for designing cryptographic hash functions.

### Sharing the LUOV: Threshold Post-Quantum Signatures

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2019

All schemes, except the ones in the MQ family, have significant issues when one wishes to convert them using relatively generic MPC techniques, and the two which would appear to be most suitable for using in a threshold like manner are Rainbow and LUOV.

### Thresholdizing HashEdDSA: MPC to the Rescue

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2020

It is shown that one can obtain relatively efficient implementations of threshold HashEdDSA with no modifications to the behaviour of the signing algorithm using a doubly authenticated bit (daBit) generation protocol tailored for access structures that is more efficient than prior work.

## References

SHOWING 1-10 OF 46 REFERENCES

### Provable Security of Substitution-Permutation Networks

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2017

It is shown that 3 rounds of S-boxes are necessary and sufficient for secure linear SPNs, but that even 1-round SPNs can be secure when non-linearity is allowed.

### Wide Tweakable Block Ciphers Based on Substitution-Permutation Networks: Security Beyond the Birthday Bound

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2018

This paper makes SPNs tweakable by allowing keyed tweakable permutations in the permutation layer, and proves beyond-the-birthday-bound security for 2-round non-linear SPNs with independent S-boxes and independent round keys and proves their security as tweakable block ciphers.

### Structural Cryptanalysis of SASAS

- Mathematics, Computer ScienceJournal of Cryptology
- 2010

It is shown that a five-layer scheme with 128-bit plaintexts and 8-bit S-boxes is surprisingly weak against what is called a multiset attack, even when all the S- boxes and affine mappings are key dependent (and thus completely unknown to the attacker).

### Cryptographic Schemes Based on the ASASA Structure: Black-Box, White-Box, and Public-Key (Extended Abstract)

- Computer Science, MathematicsASIACRYPT
- 2014

This paper designs several encryption schemes based on the ASASA structure ranging from fast and generic symmetric ciphers to compact public key and white-box constructions based on generic affine transformations combined with specially designed low degree non-linear layers.

### Tweaking Even-Mansour Ciphers

- Computer Science, MathematicsCRYPTO
- 2015

The (one-round) tweakable Even-Mansour (TEM) cipher is introduced, constructed from a single n-bit permutation P and a uniform and almost XOR-universal family of hash functions \((H_k) from some tweak space to \(\{0,1\}^n\), and its generalization obtained by cascading r independently keyed rounds of this construction.

### A construction of a cipher from a single pseudorandom permutation

- Computer Science, MathematicsJournal of Cryptology
- 2007

A scheme for a block cipher which uses only one randomly chosen permutation, F, which removes the need to store, or generate a multitude of permutations.

### Cipher and hash function design strategies based on linear and differential cryptanalysis

- Computer Science, Mathematics
- 1995

This thesis contains a new approach to design block ciphers, synchronous and self-synchronizing stream cipher and cryptographic hash functions that can be implemented efficiently on a wide variety of platforms.

### Decomposing the ASASA Block Cipher Construction

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2015

This paper presents several attacks on general ASASA schemes that significantly outperform the analysis of Biryukov et al. and are able to break all the proposed concrete AsASA constructions with practical complexity.

### Minimizing the Two-Round Even-Mansour Cipher

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2014

This paper proves a qualitatively similar \( \widetilde{ \mathcal{O} } (2^{2n/3})\) security bound for the two-round Even-Mansour cipher, the first “beyond the birthday bound” security result for AES-like ciphers that does not assume independent round keys.

### Security of Random Feistel Schemes with 5 or More Rounds

- Computer Science, MathematicsCRYPTO
- 2004

It is shown that the Feistel schemes are secure against all adaptive chosen plaintext attacks (CPA-2) when k≥ 3 and against all adaptations of plaintext/ciphertext and chosen ciphertext attacks(CPCA-2).