### Abstract

Substitution-Permutation Networks (SPNs) refer to a family of constructions which build a wn-bit block cipher from n-bit public permutations (often called S-boxes), which alternate keyless and “local” substitution steps utilizing such S-boxes, with keyed and “global” permutation steps which are non-cryptographic. Many widely deployed block ciphers are constructed based on the SPNs, but there are essentially no provable-security results about SPNs. In this work, we initiate a comprehensive study of the provable security of SPNs as (possibly tweakable) wn-bit block ciphers, when the underlying n-bit permutation is modeled as a public random permutation. When the permutation step is linear (which is the case for most existing designs), we show that 3 SPN rounds are necessary and sufficient for security. On the other hand, even 1-round SPNs can be secure when non-linearity is allowed. Moreover, 2-round non-linear SPNs can achieve “beyond-birthday” (up to 2^{2n/3}adversarial queries) security, and, as the number of non-linear rounds increases, our bounds are meaningful for the number of queries approaching 2^{n}. Finally, our non-linear SPNs can be made tweakable by incorporating the tweak into the permutation layer, and provide good multi-user security. As an application, our construction can turn two public n-bit permutations (or fixed-key block ciphers) into a tweakable block cipher working on wn-bit inputs, 6n-bit key and an n-bit tweak (for any w≥ 2); the tweakable block cipher provides security up to 2^{2n/3} adversarial queries in the random permutation model, while only requiring w calls to each permutation, and 3w field multiplications for each wn-bit input.

Original language | English (US) |
---|---|

Title of host publication | Advances in Cryptology – CRYPTO 2018 - 38th Annual International Cryptology Conference, 2018, Proceedings |

Editors | Alexandra Boldyreva, Hovav Shacham |

Publisher | Springer-Verlag |

Pages | 722-753 |

Number of pages | 32 |

ISBN (Print) | 9783319968834 |

DOIs | |

State | Published - Jan 1 2018 |

Event | 38th Annual International Cryptology Conference, CRYPTO 2018 - Santa Barbara, United States Duration: Aug 19 2018 → Aug 23 2018 |

### Publication series

Name | Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) |
---|---|

Volume | 10991 LNCS |

ISSN (Print) | 0302-9743 |

ISSN (Electronic) | 1611-3349 |

### Other

Other | 38th Annual International Cryptology Conference, CRYPTO 2018 |
---|---|

Country | United States |

City | Santa Barbara |

Period | 8/19/18 → 8/23/18 |

### Fingerprint

### Keywords

- Beyond-birthday-bound security
- Domain extension of block ciphers
- Substitution-permutation networks
- Tweakable block ciphers

### ASJC Scopus subject areas

- Theoretical Computer Science
- Computer Science(all)

### Cite this

*Advances in Cryptology – CRYPTO 2018 - 38th Annual International Cryptology Conference, 2018, Proceedings*(pp. 722-753). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10991 LNCS). Springer-Verlag. https://doi.org/10.1007/978-3-319-96884-1_24

**Provable security of (tweakable) block ciphers based on substitution-permutation networks.** / Cogliati, Benoît; Dodis, Yevgeniy; Katz, Jonathan; Lee, Jooyoung; Steinberger, John; Thiruvengadam, Aishwarya; Zhang, Zhe.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

*Advances in Cryptology – CRYPTO 2018 - 38th Annual International Cryptology Conference, 2018, Proceedings.*Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 10991 LNCS, Springer-Verlag, pp. 722-753, 38th Annual International Cryptology Conference, CRYPTO 2018, Santa Barbara, United States, 8/19/18. https://doi.org/10.1007/978-3-319-96884-1_24

}

TY - GEN

T1 - Provable security of (tweakable) block ciphers based on substitution-permutation networks

AU - Cogliati, Benoît

AU - Dodis, Yevgeniy

AU - Katz, Jonathan

AU - Lee, Jooyoung

AU - Steinberger, John

AU - Thiruvengadam, Aishwarya

AU - Zhang, Zhe

PY - 2018/1/1

Y1 - 2018/1/1

N2 - Substitution-Permutation Networks (SPNs) refer to a family of constructions which build a wn-bit block cipher from n-bit public permutations (often called S-boxes), which alternate keyless and “local” substitution steps utilizing such S-boxes, with keyed and “global” permutation steps which are non-cryptographic. Many widely deployed block ciphers are constructed based on the SPNs, but there are essentially no provable-security results about SPNs. In this work, we initiate a comprehensive study of the provable security of SPNs as (possibly tweakable) wn-bit block ciphers, when the underlying n-bit permutation is modeled as a public random permutation. When the permutation step is linear (which is the case for most existing designs), we show that 3 SPN rounds are necessary and sufficient for security. On the other hand, even 1-round SPNs can be secure when non-linearity is allowed. Moreover, 2-round non-linear SPNs can achieve “beyond-birthday” (up to 22n/3adversarial queries) security, and, as the number of non-linear rounds increases, our bounds are meaningful for the number of queries approaching 2n. Finally, our non-linear SPNs can be made tweakable by incorporating the tweak into the permutation layer, and provide good multi-user security. As an application, our construction can turn two public n-bit permutations (or fixed-key block ciphers) into a tweakable block cipher working on wn-bit inputs, 6n-bit key and an n-bit tweak (for any w≥ 2); the tweakable block cipher provides security up to 22n/3 adversarial queries in the random permutation model, while only requiring w calls to each permutation, and 3w field multiplications for each wn-bit input.

AB - Substitution-Permutation Networks (SPNs) refer to a family of constructions which build a wn-bit block cipher from n-bit public permutations (often called S-boxes), which alternate keyless and “local” substitution steps utilizing such S-boxes, with keyed and “global” permutation steps which are non-cryptographic. Many widely deployed block ciphers are constructed based on the SPNs, but there are essentially no provable-security results about SPNs. In this work, we initiate a comprehensive study of the provable security of SPNs as (possibly tweakable) wn-bit block ciphers, when the underlying n-bit permutation is modeled as a public random permutation. When the permutation step is linear (which is the case for most existing designs), we show that 3 SPN rounds are necessary and sufficient for security. On the other hand, even 1-round SPNs can be secure when non-linearity is allowed. Moreover, 2-round non-linear SPNs can achieve “beyond-birthday” (up to 22n/3adversarial queries) security, and, as the number of non-linear rounds increases, our bounds are meaningful for the number of queries approaching 2n. Finally, our non-linear SPNs can be made tweakable by incorporating the tweak into the permutation layer, and provide good multi-user security. As an application, our construction can turn two public n-bit permutations (or fixed-key block ciphers) into a tweakable block cipher working on wn-bit inputs, 6n-bit key and an n-bit tweak (for any w≥ 2); the tweakable block cipher provides security up to 22n/3 adversarial queries in the random permutation model, while only requiring w calls to each permutation, and 3w field multiplications for each wn-bit input.

KW - Beyond-birthday-bound security

KW - Domain extension of block ciphers

KW - Substitution-permutation networks

KW - Tweakable block ciphers

UR - http://www.scopus.com/inward/record.url?scp=85052380695&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85052380695&partnerID=8YFLogxK

U2 - 10.1007/978-3-319-96884-1_24

DO - 10.1007/978-3-319-96884-1_24

M3 - Conference contribution

AN - SCOPUS:85052380695

SN - 9783319968834

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 722

EP - 753

BT - Advances in Cryptology – CRYPTO 2018 - 38th Annual International Cryptology Conference, 2018, Proceedings

A2 - Boldyreva, Alexandra

A2 - Shacham, Hovav

PB - Springer-Verlag

ER -