Provable Security of (Tweakable) Block Ciphers Based on Substitution-Permutation Networks

  • Benoît Cogliati
  • Yevgeniy Dodis
  • Jonathan Katz
  • Jooyoung Lee
  • John Steinberger
  • Aishwarya Thiruvengadam
  • Zhe Zhang
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10991)


Substitution-Permutation Networks (SPNs) refer to a family of constructions which build a wn-bit block cipher from n-bit public permutations (often called S-boxes) by alternating keyless and “local” substitution steps utilizing such S-boxes with keyed and “global” permutation steps which are non-cryptographic. Many widely deployed block ciphers are based on SPNs, but there are essentially no provable-security results about SPNs.

In this work, we initiate a comprehensive study of the provable security of SPNs as (possibly tweakable) wn-bit block ciphers, when the underlying n-bit permutation is modeled as a public random permutation. When the permutation step is linear (which is the case for most existing designs), we show that 3 SPN rounds are necessary and sufficient for security. On the other hand, even 1-round SPNs can be secure when non-linearity is allowed. Moreover, 2-round non-linear SPNs can achieve “beyond-birthday” (up to \(2^{2n/3}\) adversarial queries) security, and, as the number of non-linear rounds increases, our bounds are meaningful for the number of queries approaching \(2^n\). Finally, our non-linear SPNs can be made tweakable by incorporating the tweak into the permutation layer, and provide good multi-user security.

As an application, our construction can turn two public n-bit permutations (or fixed-key block ciphers) into a tweakable block cipher with wn-bit inputs, a 6n-bit key and an n-bit tweak (for any \(w\ge 2\)); the tweakable block cipher provides security up to \(2^{2n/3}\) adversarial queries in the random permutation model, while only requiring w calls to each permutation and 3w field multiplications for each wn-bit input.
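The SPN structure described in the abstract, as an added toy example (not code from the paper): keyless S-box layers alternate with keyed linear layers, and a flag turns the "global" mixing off to show that the S-box step alone is purely local. The sizes n = 8 and w = 4, the seeded S-box, and the XOR-based `mix` layer are assumptions chosen for illustration; they are not the paper's constructions.

```python
import random

N_BITS, W = 8, 4   # toy sizes (assumed): n = 8-bit S-box, w = 4 words per block

# Public, keyless S-box: a fixed permutation of {0, ..., 2^n - 1}. A seeded
# shuffle stands in for the "public random permutation" of the model.
_rng = random.Random(2018)
SBOX = list(range(1 << N_BITS))
_rng.shuffle(SBOX)
INV_SBOX = [0] * len(SBOX)
for i, s in enumerate(SBOX):
    INV_SBOX[s] = i

def mix(state):
    """Linear 'global' step (assumed): each word becomes the XOR of the
    other words. For even w this map is its own inverse."""
    total = 0
    for x in state:
        total ^= x
    return [total ^ x for x in state]

def keyed_layer(state, key, diffuse=True):
    """Keyed, non-cryptographic permutation step: mix, then XOR the round key."""
    mixed = mix(state) if diffuse else list(state)
    return [m ^ k for m, k in zip(mixed, key)]

def keyed_layer_inv(state, key, diffuse=True):
    unkeyed = [s ^ k for s, k in zip(state, key)]
    return mix(unkeyed) if diffuse else unkeyed

def encrypt(block, keys, diffuse=True):
    """r-round SPN: r + 1 keyed layers with r S-box layers in between."""
    state = keyed_layer(block, keys[0], diffuse)
    for key in keys[1:]:
        state = [SBOX[x] for x in state]          # w S-box calls per round
        state = keyed_layer(state, key, diffuse)
    return state

def decrypt(block, keys, diffuse=True):
    state = keyed_layer_inv(block, keys[-1], diffuse)
    for key in reversed(keys[:-1]):
        state = [INV_SBOX[x] for x in state]
        state = keyed_layer_inv(state, key, diffuse)
    return state

def changed_words(a, b):
    """Number of word positions in which two blocks differ."""
    return sum(x != y for x, y in zip(a, b))
```

With `diffuse=False` the cipher degenerates into w independent n-bit permutations, so a change in one input word never leaves that word, which is why the keyed permutation step has to be global.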


Keywords: Substitution-permutation networks · Tweakable block ciphers · Domain extension of block ciphers · Beyond-birthday-bound security



The work of Aishwarya Thiruvengadam was done while at the University of Maryland. Benoît Cogliati was partially supported by the European Union’s H2020 Programme under grant agreement number ICT-644209. The work of Yevgeniy Dodis was done in part while visiting the University of Maryland, and was supported by gifts from VMware Labs and Google, as well as NSF grants 1619158, 1319051, and 1314568. The work of Jonathan Katz and Aishwarya Thiruvengadam was performed under financial assistance award 70NANB15H328 from the U.S. Department of Commerce, National Institute of Standards and Technology. Jooyoung Lee was supported by a National Research Foundation of Korea (NRF) grant funded by the Korean government (Ministry of Science and ICT), No. NRF-2017R1E1A1A03070248.



Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  • Benoît Cogliati (1)
  • Yevgeniy Dodis (2)
  • Jonathan Katz (3)
  • Jooyoung Lee (4)
  • John Steinberger (6)
  • Aishwarya Thiruvengadam (5)
  • Zhe Zhang (6)

  1. University of Luxembourg, Esch-sur-Alzette, Luxembourg
  2. New York University, New York, USA
  3. University of Maryland, College Park, USA
  4. KAIST, Daejeon, Korea
  5. University of California, Santa Barbara, USA
  6. Tsinghua University, Beijing, China
