Towards Minimizing Tweakable Blockcipher-Based Generalized Feistel Networks

Abstract

A generalized Feistel network (GFN) is a classical approach to constructing a blockcipher from pseudorandom functions (PRFs). Recently, Nakaya and Iwata (ToSC, 2022) formalized tweakable blockcipher (TBC)-based counterparts of type-1, type-2, and type-3 GFNs. This paper studies minimizing the number of TBC calls in such GFN variants. Motivated by the so-called extended GFNs of Berger et al. (IEEE TC, 2016) and Zhao et al. (CANS 2023), we consider TBC-based type-2 GFN and replace the blockwise shuffle with a block-oriented linear diffusion layer. We show that when this diffusion layer is moderately strong, 4 TBC-based GFN rounds are sufficient for CCA security, which is independent of the number of lines. This provides a much more efficient approach to TBC-based enciphering schemes.

A Candidate Good Diffusion Layers for Definition 1

Using the primitive polynomial \(x^8+x^4+x^3+x^2+1\), two candidates for \(n=8\) and \(d=8,16\) respectively are as follows.

$$\tiny \left( \begin{array}{cccccccc} \text {0x}37~&{} \text {0x}8E~&{} \text {0x}7F~&{} \text {0x}B9~&{} \text {0x}8C~&{} \text {0x}C9~&{} \text {0x}3D~&{} \text {0x}06\\ \text {0x}2A~&{} \text {0x}80~&{} \text {0x}09~&{} \text {0x}F3~&{} \text {0x}31~&{} \text {0x}91~&{} \text {0x}FE~&{} \text {0x}0F\\ \text {0x}73~&{} \text {0x}EB~&{} \text {0x}4C~&{} \text {0x}9C~&{} \text {0x}25~&{} \text {0x}60~&{} \text {0x}D4~&{} \text {0x}D8\\ \text {0x}8C~&{} \text {0x}79~&{} \text {0x}5E~&{} \text {0x}0F~&{} \text {0x}AC~&{} \text {0x}97~&{} \text {0x}22~&{} \text {0x}BC\\ \text {0x}28~&{} \text {0x}0F~&{} \text {0x}34~&{} \text {0x}15~&{} \text {0x}1F~&{} \text {0x}A5~&{} \text {0x}2F~&{} \text {0x}92\\ \text {0x}8D~&{} \text {0x}3D~&{} \text {0x}3D~&{} \text {0x}47~&{} \text {0x}E1~&{} \text {0x}0D~&{} \text {0x}25~&{} \text {0x}02\\ \text {0x}51~&{} \text {0x}FF~&{} \text {0x}BA~&{} \text {0x}59~&{} \text {0x}F3~&{} \text {0x}BF~&{} \text {0x}8B~&{} \text {0x}8B\\ \text {0x}82~&{} \text {0x}F7~&{} \text {0x}25~&{} \text {0x}A1~&{} \text {0x}CF~&{} \text {0x}AB~&{} \text {0x}8D~&{} \text {0x}19 \end{array} \right) , $$

$$\tiny \left( \begin{array}{cccccccccccccccc} \text {0x}CA\;\,\,&{} \text {0x}AF~&{} \text {0x}A2~&{} \text {0x}BB~&{} \text {0x}56~&{} \text {0x}F7~&{} \text {0x}FB~&{} \text {0x}A2~&{} \text {0x}D2~&{} \text {0x}86~&{} \text {0x}A5~&{} \text {0x}AA~&{} \text {0x}05~&{} \text {0x}10~&{} \text {0x}29~&{} \text {0x}E2\\ \text {0x}C2\;\,\,&{} \text {0x}83~&{} \text {0x}97~&{} \text {0x}11~&{} \text {0x}57~&{} \text {0x}D3~&{} \text {0x}7D~&{} \text {0x}A5~&{} \text {0x}51~&{} \text {0x}B9~&{} \text {0x}37~&{} \text {0x}74~&{} \text {0x}02~&{} \text {0x}40~&{} \text {0x}AE~&{} \text {0x}DD\\ \text {0x}B8\;\,\,&{} \text {0x}82~&{} \text {0x}5B~&{} \text {0x}64~&{} \text {0x}AE~&{} \text {0x}E6~&{} \text {0x}FC~&{} \text {0x}DB~&{} \text {0x}36~&{} \text {0x}49~&{} \text {0x}64~&{} \text {0x}46~&{} \text {0x}E1~&{} \text {0x}B0~&{} \text {0x}1E~&{} \text {0x}79\\ \text {0x}84\;\,\,&{} \text {0x}2F~&{} \text {0x}9B~&{} \text {0x}E9~&{} \text {0x}45~&{} \text {0x}AB~&{} \text {0x}98~&{} \text {0x}47~&{} \text {0x}35~&{} \text {0x}26~&{} \text {0x}7C~&{} \text {0x}3C~&{} \text {0x}41~&{} \text {0x}C2~&{} \text {0x}BB~&{} \text {0x}82\\ \text {0x}A7\;\,\,&{} \text {0x}C9~&{} \text {0x}6D~&{} \text {0x}99~&{} \text {0x}F1~&{} \text {0x}1E~&{} \text {0x}83~&{} \text {0x}40~&{} \text {0x}B6~&{} \text {0x}FE~&{} \text {0x}6F~&{} \text {0x}30~&{} \text {0x}D5~&{} \text {0x}C8~&{} \text {0x}B1~&{} \text {0x}0C\\ \text {0x}79\;\,\,&{} \text {0x}56~&{} \text {0x}E3~&{} \text {0x}4D~&{} \text {0x}55~&{} \text {0x}5A~&{} \text {0x}9E~&{} \text {0x}F6~&{} \text {0x}F8~&{} \text {0x}F1~&{} \text {0x}60~&{} \text {0x}EF~&{} \text {0x}71~&{} \text {0x}53~&{} \text {0x}8D~&{} \text {0x}CE\\ \text {0x}9F\;\,\,&{} \text {0x}FC~&{} \text {0x}FE~&{} \text {0x}D5~&{} \text {0x}FE~&{} \text {0x}C9~&{} \text {0x}5E~&{} \text {0x}D8~&{} \text {0x}AD~&{} \text {0x}53~&{} \text {0x}5D~&{} \text {0x}55~&{} \text {0x}DF~&{} \text {0x}EB~&{} \text {0x}03~&{} \text {0x}39\\ \text {0x}03\;\,\,&{} \text {0x}24~&{} \text {0x}1B~&{} \text {0x}F8~&{} \text {0x}DF~&{} \text {0x}0C~&{} \text {0x}A4~&{} \text {0x}25~&{} \text {0x}35~&{} \text {0x}B2~&{} \text {0x}60~&{} \text {0x}22~&{} \text {0x}92~&{} \text {0x}65~&{} \text {0x}9A~&{} \text {0x}3F\\ \text {0x}F8\;\,\,&{} \text {0x}FB~&{} \text {0x}18~&{} \text {0x}0C~&{} \text {0x}B9~&{} \text {0x}EE~&{} \text {0x}38~&{} \text {0x}81~&{} \text {0x}E1~&{} \text {0x}4C~&{} \text {0x}86~&{} \text {0x}BE~&{} \text {0x}06~&{} \text {0x}CD~&{} \text {0x}0F~&{} \text {0x}A9\\ \text {0x}5D\;\,\,&{} \text {0x}BE~&{} \text {0x}C2~&{} \text {0x}94~&{} \text {0x}67~&{} \text {0x}5D~&{} \text {0x}27~&{}\text {0x}C1~&{} \text {0x}77~&{} \text {0x}05~&{} \text {0x}92~&{} \text {0x}4C~&{} \text {0x}CB~&{} \text {0x}C6~&{} \text {0x}05~&{}\text {0x}CC \\ \text {0x}4C\;\,\,&{} \text {0x}69~&{} \text {0x}CD~&{} \text {0x}13~&{} \text {0x}D0~&{} \text {0x}90~&{} \text {0x}CD~&{} \text {0x}61~&{} \text {0x}8F~&{} \text {0x}18~&{} \text {0x}14~&{} \text {0x}59~&{} \text {0x}8C~&{} \text {0x}2C~&{} \text {0x}97~&{} \text {0x}FB\\ \text {0x}E7\;\,\,&{} \text {0x}32~&{} \text {0x}FF~&{} \text {0x}8E~&{} \text {0x}09~&{} \text {0x}7E~&{} \text {0x}E1~&{} \text {0x}6A~&{} \text {0x}89~&{} \text {0x}52~&{} \text {0x}3F~&{} \text {0x}52~&{} \text {0x}1E~&{} \text {0x}BB~&{} \text {0x}24~&{} \text {0x}6E\\ \text {0x}C3\;\,\,&{} \text {0x}A7~&{} \text {0x}2F~&{} \text {0x}FB~&{} \text {0x}EC~&{} \text {0x}F1~&{} \text {0x}07~&{} \text {0x}B2~&{} \text {0x}40~&{} \text {0x}34~&{} \text {0x}70~&{} \text {0x}81~&{} \text {0x}BE~&{} \text {0x}F5~&{} \text {0x}E0~&{} \text {0x}37\\ \text {0x}E5\;\,\,&{} \text {0x}BB~&{} \text {0x}26~&{} \text {0x}DA~&{} \text {0x}28~&{} \text {0x}09~&{} \text {0x}5A~&{} \text {0x}FE~&{} \text {0x}27~&{} \text {0x}A0~&{} \text {0x}65~&{} \text {0x}8D~&{} \text {0x}D5~&{} \text {0x}43~&{} \text {0x}14~&{} \text {0x}CB\\ \text {0x}BE\;\,\,&{} \text {0x}ED~&{} \text {0x}5B~&{} \text {0x}E8~&{} \text {0x}27~&{} \text {0x}57~&{} \text {0x}15~&{} \text {0x}A6~&{} \text {0x}9E~&{} \text {0x}10~&{} \text {0x}69~&{} \text {0x}58~&{} \text {0x}BA~&{} \text {0x}46~&{} \text {0x}D0~&{} \text {0x}B1\\ \text {0x}24\;\,\,&{} \text {0x}5D~&{} \text {0x}2A~&{} \text {0x}B1~&{} \text {0x}29~&{} \text {0x}58~&{} \text {0x}F8~&{} \text {0x}D0~&{} \text {0x}93~&{} \text {0x}37~&{} \text {0x}A1~&{} \text {0x}52~&{} \text {0x}FC~&{} \text {0x}53~&{} \text {0x}ED~&{} \text {0x}AF \end{array} \right) . $$

Using the primitive polynomial \(x^{11}+x^2+1\) a candidate for \(n=11\) and \(d=8\) is as follows:

$$\tiny \left( \begin{array}{cccccccc} \text {0x}22A~&{} \text {0x}308~&{} \text {0x}7B4~&{} \text {0x}406~&{} \text {0x}1D3~&{} \text {0x}66A~&{} \text {0x}02F~&{} \text {0x}507\\ \text {0x}153~&{} \text {0x}61A~&{} \text {0x}6A0~&{} \text {0x}4A1~&{} \text {0x}618~&{} \text {0x}689~&{} \text {0x}17A~&{} \text {0x}4A2\\ \text {0x}663~&{} \text {0x}167~&{} \text {0x}773~&{} \text {0x}7D2~&{} \text {0x}64C~&{} \text {0x}751~&{} \text {0x}441~&{} \text {0x}2F8\\ \text {0x}144~&{} \text {0x}39D~&{} \text {0x}6F5~&{} \text {0x}563~&{} \text {0x}0B3~&{} \text {0x}365~&{} \text {0x}133~&{} \text {0x}3AB\\ \text {0x}434~&{} \text {0x}2EF~&{} \text {0x}44F~&{} \text {0x}7DE~&{} \text {0x}1B0~&{} \text {0x}7E9~&{} \text {0x}422~&{} \text {0x}730\\ \text {0x}47F~&{} \text {0x}3DB~&{} \text {0x}07F~&{} \text {0x}161~&{} \text {0x}060~&{} \text {0x}7C2~&{} \text {0x}65F~&{} \text {0x}746\\ \text {0x}704~&{} \text {0x}18F~&{} \text {0x}410~&{} \text {0x}1C3~&{} \text {0x}0ED~&{} \text {0x}551~&{} \text {0x}7F4~&{} \text {0x}111\\ \text {0x}2E9~&{} \text {0x}53E~&{} \text {0x}36E~&{} \text {0x}76D~&{} \text {0x}464~&{} \text {0x}1D2~&{} \text {0x}661~&{} \text {0x}002 \end{array} \right) . $$

We have also found plenty of candidates for other parameters, which are however omitted for the sake of space.