Cryptology ePrint Archive: Report 2017/016
Provable Security of Substitution-Permutation Networks
Yevgeniy Dodis and Jonathan Katz and John Steinberger and Aishwarya Thiruvengadam and Zhe Zhang
Abstract: Many modern block ciphers are constructed based on the paradigm of substitution-permutation networks (SPNs). But, somewhat surprisingly---especially in comparison with Feistel networks, which have been analyzed by dozens of papers going back to the seminal work of Luby and Rackoff---there are essentially no provable-security results about SPNs. In this work, we initiate a comprehensive study of the security of SPNs as strong pseudorandom permutations when the underlying "$S$-box" is modeled as a public random permutation. We show that 3~rounds of S-boxes are necessary and sufficient for secure linear SPNs, but that even 1-round SPNs can be secure when non-linearity is allowed.
Additionally, our results imply security in settings where an SPN structure is used for domain extension of a block cipher, even when the attacker has direct access to the small-domain block cipher.
Category / Keywords: secret-key cryptography / SPNs, block ciphers
Date: received 9 Jan 2017, last revised 27 Sep 2017
Contact author: aish at cs ucsb edu
Available format(s): PDF | BibTeX Citation
Note: Added (1) attack against 2-round, linear SPNs that works for fields of arbitrary characteristic and (2) remarks on reducing key-length for 3-round linear SPNs.
Version: 20170927:210711 (All versions of this report)
Short URL: ia.cr/2017/016
[ Cryptology ePrint archive ]