Inspired by the works of Nyberg and Knudsen, the wide trail strategy suggests to ensure that the number of active S-boxes in a differential characteristic or a linear approximation is sufficiently high, thus, offering security against differential and linear attacks. Many cipher designers are relying on this strategy, and most new designs include analysis based on counting the number of active S-boxes.

Counting Active S-Boxes is not Enough

This work deals with the security and efficiency of type-I and type-II generalized Feistel networks (GFNs) with 4 lines. We propose to instantiate the GFNs with double SP-functions (substitutionpermutation layer followed by another substitution-permutation layer) instead of single SP-functions (one substitution-permutation layer). We provide tight lower bounds on the number of differentially and linearly active functions and S-boxes in such ciphers. Based on these bounds, we show that the instantiation with double SP-functions using MDS diffusion has a proportion of differentially and linearly active S-boxes by up to 33% and 50% higher than that with single SP-functions for type-I and type-II GFNs, respectively. This opens up the possibility of designing more efficient block ciphers based on GFN structure. Note that type-I and type-II GFNs are the only non-contracting GFNs with 4 lines under a reasonable definition of a GFN.

Double SP-functions: enhanced generalized feistel networks

Zorro is an AES-like lightweight block cipher proposed in CHES 2013, which only uses 4 S-boxes per round. The designers showed the resistance of the cipher against various attacks and concluded the cipher has a large security margin. Recently, Guo et. al [1] have given a key recovery attack on full-round Zorro by using the internal differential characteristics. However, the attack only works for 264 out of 2128 keys. In this paper, the secret key selected randomly from the whole key space can be recovered much faster than the brute-force attack. We first observe that the fourth power of the MDS matrix used in Zorro(or AES) equals to the identity matrix. Moveover, several iterated differential characteristics and iterated linear trails are found due to the interesting property. We select three characteristics with the largest probability to give the key recovery attack on Zorro and a linear trail with the largest correlation to show a linear distinguishing attack with 2105.3 known plaintexts. The results show that the security of Zorro against linear and differential cryptanalysis evaluated by designers is insufficient and the security margin of Zorro is not enough.

/pdf/differential-cryptanalysis-and-linear-distinguisher-of-full-17g3l3w0gu.pdf

Differential Cryptanalysis and Linear Distinguisher of Full-Round Zorro

The current paper studies the probability of differential characteristics for an unkeyed (or with a fixed key) construction. Most notably, it focuses on the gap between two probabilities of differential characteristics: probability with independent S-box assumption, p_ind, and exact probability, p_exact. It turns out that p_exact is larger than p_ind in Feistel network with some S-box based inner function. The mechanism of this gap is then theoretically analyzed. The gap is derived from interaction of S-boxes in three rounds, and the gap depends on the size and choice of the S-box. In particular the gap can never be zero when the S-box is bigger than six bits. To demonstrate the power of this improvement, a related-key differential characteristic is proposed against a lightweight block cipher RoadRunneR. For the 128-bit key version, p_ind of 2^-48 is improved to p_exact of 2^-43. For the 80-bit key version, p_ind of 2^-68 is improved to p_exact of 2^-62. The analysis is further extended to SPN with an almost-MDS binary matrix in the core primitive of the authenticated encryption scheme Minalpher: p_ind of 2^-128 is improved to p_exact of 2^-96, which allows to extend the attack by two rounds.

/pdf/refined-probability-of-differential-characteristics-394ao9o35a.pdf

Counting Active S-Boxes is not Enough

References

Double SP-functions: enhanced generalized feistel networks

Differential Cryptanalysis and Linear Distinguisher of Full-Round Zorro

Refined Probability of Differential Characteristics Including Dependency Between Multiple Rounds

Related Papers (5)

The design of s-boxes by simulated annealing

Dynamic cellular automata-based s-boxes

New Structure of Block Ciphers with Provable Security against Differential and Linear Cryptanalysis

Practically Secure Feistel Ciphers

How Fast can be Algebraic Attacks on Block Ciphers