A generalized multi-particle drift-diffusion simulator for ...
Generalized Feistel Networks with Optimal Diffusion
Transcript of Generalized Feistel Networks with Optimal Diffusion
![Page 1: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/1.jpg)
Generalized Feistel Networks with OptimalDi�usion
Léo Perrin
DTU, LyngbyInria, Paris
Dagstuhl 2018 (seminar-18021)
![Page 2: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/2.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
In this talk
A new type of generalized Feistel Networks
Linear layer design
Wide block cipher/sponge permutation blueprint
Fibonnaci numbers!
1 / 20
![Page 3: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/3.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Outline
1 Introduction
2 Observations on GFNs
3 Multi-Rotating Feistel Network (MRFN)
4 Possible Applications
5 Conclusion
1 / 20
![Page 4: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/4.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
First GFN
Source: Generalized Feistel networks , K. Nyberg (1996)
2 / 20
![Page 5: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/5.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Basic GFN
Source: Generalized Feistel networks revisited, A. Bogdanov, K. Shibutani(2013)
3 / 20
![Page 6: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/6.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Improved GFN
Source: TWINE: A Lightweight, Versatile Block Cipher, T. Suzaki, K.Minematsu, S. Morioka, and E. Kobayashi
4 / 20
![Page 7: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/7.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Di�usion in Generalized Feistel networks
How long does it take for each input word to influence each output word?
The state consists of 2b branches.
Nyberg/Type-II GFN:≈ 2b rounds
TWINE-like GFN: ≈ 2 log2 (b) rounds
5 / 20
![Page 8: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/8.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Di�usion in Generalized Feistel networks
How long does it take for each input word to influence each output word?
The state consists of 2b branches.
Nyberg/Type-II GFN:≈ 2b rounds
TWINE-like GFN: ≈ 2 log2 (b) rounds
5 / 20
![Page 9: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/9.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Di�usion in Generalized Feistel networks
How long does it take for each input word to influence each output word?
The state consists of 2b branches.
Nyberg/Type-II GFN:≈ 2b rounds
TWINE-like GFN: ≈ 2 log2 (b) rounds
5 / 20
![Page 10: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/10.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
General Vue
π
X i0
f
⊕
X i4X i
1
f
⊕
X i5X i
2
f
⊕
X i6X i
3
f
⊕
X i7
Optimal Di�usion
The best we can achieve is for X 00 to influence ϕi+2 branches at round i ,
whereϕ0 = 0, ϕ1 = 1, ϕi+2 = ϕi+1 + ϕi .
6 / 20
![Page 11: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/11.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Di�usion in GFNs
b 8 16 32 64 128 .. 2048
Nyberg Type-II/Nyberg 16 32 64 128 256 4096
TWINE-like 6 8 10 12 14 22
Optimal 6 8 9 11 12 18
Number of rounds for full di�usion.
7 / 20
![Page 12: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/12.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Can we reach the Fibonacci-based bound?
Can we have an easy to implement π?
Yes (for both)
8 / 20
![Page 13: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/13.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Can we reach the Fibonacci-based bound?
Can we have an easy to implement π?
Yes (for both)
8 / 20
![Page 14: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/14.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Outline
1 Introduction
2 Observations on GFNs
3 Multi-Rotating Feistel Network (MRFN)
4 Possible Applications
5 Conclusion
8 / 20
![Page 15: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/15.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
General Structure
Number of branches: 2bNumber of rounds: r
w-bit permutations f ij (i < r , j < b)
Sequence si of rotations of b words.
The round i of a MRFN with b = 4 and si = 1 is:
f i0
f i1
f i2
f i3
9 / 20
![Page 16: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/16.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Some Observations
Both a Feistel network and a GFN
π is very simple (1 word-wise rotation per round)
Round function depends on the round index.
Interesting case: si = ϕi .
Fibonacci CaseA MRFN with si = ϕi has optimal di�usion.
10 / 20
![Page 17: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/17.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Some Observations
Both a Feistel network and a GFN
π is very simple (1 word-wise rotation per round)
Round function depends on the round index.
Interesting case: si = ϕi .
Fibonacci CaseA MRFN with si = ϕi has optimal di�usion.
10 / 20
![Page 18: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/18.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Fibonacci Case
At round 0, X 00 has touched the first ϕ1 = 1 branches of one side.
ϕi+1 ϕi
X i X i−1
ϕi ϕi + ϕi+1
ϕi+2 ϕi+1
X i+1 X i
Fi ⊕
11 / 20
![Page 19: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/19.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Example with 12 branches
ϕ0 = 0⊕⊕⊕⊕⊕⊕
ϕ1 = 1⊕⊕⊕⊕⊕
⊕
ϕ2 = 1⊕⊕⊕⊕⊕
⊕
ϕ3 = 2⊕⊕⊕⊕
⊕⊕
ϕ4 = 3⊕⊕⊕
⊕⊕⊕
12 / 20
![Page 20: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/20.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Implementation
w
b b
VRound function operating on 2bw bit internal state.
1. copy
f i1
2. parallel layer of f i
f i2
2. parallel layer of f i
f i3
2. parallel layer of f i
f i4
2. parallel layer of f i
f i5
2. parallel layer of f i
f i6
2. parallel layer of f i
f i7
2. parallel layer of f i
f i8
2. parallel layer of f i
f i9
2. parallel layer of f i
f i10
2. parallel layer of f i
≪ si
3. rotations
≪ si
3. rotations
≪ si
3. rotations
⊕
4. XOR
⊕
4. XOR
⊕
4. XOR5. swap6. finished!
13 / 20
![Page 21: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/21.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Implementation
w
b b
VRound function operating on 2bw bit internal state.
1. copy
f i1
2. parallel layer of f i
f i2
2. parallel layer of f i
f i3
2. parallel layer of f i
f i4
2. parallel layer of f i
f i5
2. parallel layer of f i
f i6
2. parallel layer of f i
f i7
2. parallel layer of f i
f i8
2. parallel layer of f i
f i9
2. parallel layer of f i
f i10
2. parallel layer of f i
≪ si
3. rotations
≪ si
3. rotations
≪ si
3. rotations
⊕
4. XOR
⊕
4. XOR
⊕
4. XOR5. swap6. finished!
13 / 20
![Page 22: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/22.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Implementation
w
b b
VRound function operating on 2bw bit internal state.1. copy
f i1
2. parallel layer of f i
f i2
2. parallel layer of f i
f i3
2. parallel layer of f i
f i4
2. parallel layer of f i
f i5
2. parallel layer of f i
f i6
2. parallel layer of f i
f i7
2. parallel layer of f i
f i8
2. parallel layer of f i
f i9
2. parallel layer of f i
f i10
2. parallel layer of f i
≪ si
3. rotations
≪ si
3. rotations
≪ si
3. rotations
⊕
4. XOR
⊕
4. XOR
⊕
4. XOR5. swap6. finished!
13 / 20
![Page 23: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/23.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Implementation
w
b b
VRound function operating on 2bw bit internal state.1. copy
f i1
2. parallel layer of f i
f i2
2. parallel layer of f i
f i3
2. parallel layer of f i
f i4
2. parallel layer of f i
f i5
2. parallel layer of f i
f i6
2. parallel layer of f i
f i7
2. parallel layer of f i
f i8
2. parallel layer of f i
f i9
2. parallel layer of f i
f i10
2. parallel layer of f i
≪ si
3. rotations
≪ si
3. rotations
≪ si
3. rotations
⊕
4. XOR
⊕
4. XOR
⊕
4. XOR5. swap6. finished!
13 / 20
![Page 24: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/24.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Implementation
w
b b
VRound function operating on 2bw bit internal state.1. copy
f i1
2. parallel layer of f i
f i2
2. parallel layer of f i
f i3
2. parallel layer of f i
f i4
2. parallel layer of f i
f i5
2. parallel layer of f i
f i6
2. parallel layer of f i
f i7
2. parallel layer of f i
f i8
2. parallel layer of f i
f i9
2. parallel layer of f i
f i10
2. parallel layer of f i
≪ si
3. rotations
≪ si
3. rotations
≪ si
3. rotations
⊕
4. XOR
⊕
4. XOR
⊕
4. XOR
5. swap6. finished!
13 / 20
![Page 25: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/25.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Implementation
w
b b
VRound function operating on 2bw bit internal state.1. copy
f i1
2. parallel layer of f i
f i2
2. parallel layer of f i
f i3
2. parallel layer of f i
f i4
2. parallel layer of f i
f i5
2. parallel layer of f i
f i6
2. parallel layer of f i
f i7
2. parallel layer of f i
f i8
2. parallel layer of f i
f i9
2. parallel layer of f i
f i10
2. parallel layer of f i
≪ si
3. rotations
≪ si
3. rotations
≪ si
3. rotations
⊕
4. XOR
⊕
4. XOR
⊕
4. XOR
5. swap
6. finished!
13 / 20
![Page 26: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/26.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Implementation
w
b b
VRound function operating on 2bw bit internal state.1. copy
f i1
2. parallel layer of f i
f i2
2. parallel layer of f i
f i3
2. parallel layer of f i
f i4
2. parallel layer of f i
f i5
2. parallel layer of f i
f i6
2. parallel layer of f i
f i7
2. parallel layer of f i
f i8
2. parallel layer of f i
f i9
2. parallel layer of f i
f i10
2. parallel layer of f i
≪ si
3. rotations
≪ si
3. rotations
≪ si
3. rotations
⊕
4. XOR
⊕
4. XOR
⊕
4. XOR5. swap
6. finished!
13 / 20
![Page 27: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/27.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Some Observations
si and si + (−`)i mod b are equivalent
if gcd(si ,b) , 1 for all i , no full di�usion!
Importance of the choice of {si }i≥0
14 / 20
![Page 28: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/28.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Security
If si = ϕi , then full di�usion in ≈ Λ(n) rounds, where Λ(x ) = i ifϕi−1 < x ≤ ϕi (optimal).
If s2i = 0 and i2i+1 = 2i , then full di�usion in ≈ 2 log2 (n) rounds (likeTWINE).
Both are quickly safe from miss-in-the-middle based impossibledi�erential a�acks and MitM!
When si = ϕi , bad truncated di�erential with 2 active S-Boxes/round.
Open Problem 1
Di�erential/Linear bound?
Open Problem 2
Choice of {si }i≥0?
15 / 20
![Page 29: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/29.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Security
If si = ϕi , then full di�usion in ≈ Λ(n) rounds, where Λ(x ) = i ifϕi−1 < x ≤ ϕi (optimal).
If s2i = 0 and i2i+1 = 2i , then full di�usion in ≈ 2 log2 (n) rounds (likeTWINE).
Both are quickly safe from miss-in-the-middle based impossibledi�erential a�acks and MitM!
When si = ϕi , bad truncated di�erential with 2 active S-Boxes/round.
Open Problem 1
Di�erential/Linear bound?
Open Problem 2
Choice of {si }i≥0?
15 / 20
![Page 30: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/30.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Security
If si = ϕi , then full di�usion in ≈ Λ(n) rounds, where Λ(x ) = i ifϕi−1 < x ≤ ϕi (optimal).
If s2i = 0 and i2i+1 = 2i , then full di�usion in ≈ 2 log2 (n) rounds (likeTWINE).
Both are quickly safe from miss-in-the-middle based impossibledi�erential a�acks and MitM!
When si = ϕi , bad truncated di�erential with 2 active S-Boxes/round.
Open Problem 1
Di�erential/Linear bound?
Open Problem 2
Choice of {si }i≥0?
15 / 20
![Page 31: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/31.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Outline
1 Introduction
2 Observations on GFNs
3 Multi-Rotating Feistel Network (MRFN)
4 Possible Applications
5 Conclusion
15 / 20
![Page 32: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/32.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
GFN-based Linear Layers
Use linear { f i }i≥0; si = ϕi
n-bit block divided into 2b branches of w bits uses:
w2
2︸︷︷︸f ij
×b
︸ ︷︷ ︸f layer
× 2 log2 (b)︸ ︷︷ ︸r
XORs .
If we fix w to a small value, then the number of XORs scales withn log2 (n) rather than n2.
Practical gains even for n = 256:Improvements to the Linear Layer of LowMC: A Faster Picnic, with Angela Promitzer,
Sebastian Ramacher and Christian Rechberger (2017/448)
16 / 20
![Page 33: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/33.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
GFN-based Linear Layers
Use linear { f i }i≥0; si = ϕi
n-bit block divided into 2b branches of w bits uses:
w2
2︸︷︷︸f ij
×b
︸ ︷︷ ︸f layer
× 2 log2 (b)︸ ︷︷ ︸r
XORs .
If we fix w to a small value, then the number of XORs scales withn log2 (n) rather than n2.
Practical gains even for n = 256:Improvements to the Linear Layer of LowMC: A Faster Picnic, with Angela Promitzer,
Sebastian Ramacher and Christian Rechberger (2017/448)
16 / 20
![Page 34: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/34.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
GFN-based Linear Layers
Use linear { f i }i≥0; si = ϕi
n-bit block divided into 2b branches of w bits uses:
w2
2︸︷︷︸f ij
×b
︸ ︷︷ ︸f layer
× 2 log2 (b)︸ ︷︷ ︸r
XORs .
If we fix w to a small value, then the number of XORs scales withn log2 (n) rather than n2.
Practical gains even for n = 256:Improvements to the Linear Layer of LowMC: A Faster Picnic, with Angela Promitzer,
Sebastian Ramacher and Christian Rechberger (2017/448)
16 / 20
![Page 35: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/35.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Example of Linear Layer
n = 256w = 4b = 32
i = 0
17 / 20
![Page 36: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/36.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Example of Linear Layer
n = 256w = 4b = 32
i = 1
17 / 20
![Page 37: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/37.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Example of Linear Layer
n = 256w = 4b = 32
i = 2
17 / 20
![Page 38: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/38.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Example of Linear Layer
n = 256w = 4b = 32
i = 3
17 / 20
![Page 39: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/39.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Example of Linear Layer
n = 256w = 4b = 32
i = 4
17 / 20
![Page 40: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/40.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Example of Linear Layer
n = 256w = 4b = 32
i = 5
17 / 20
![Page 41: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/41.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Example of Linear Layer
n = 256w = 4b = 32
i = 6
17 / 20
![Page 42: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/42.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Example of Linear Layer
n = 256w = 4b = 32
i = 7
17 / 20
![Page 43: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/43.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Example of Linear Layer
n = 256w = 4b = 32
i = 8
17 / 20
![Page 44: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/44.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Example of Linear Layer
n = 256w = 4b = 32
i = 9
17 / 20
![Page 45: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/45.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Example of Linear Layer
n = 256w = 4b = 32
i = 10
17 / 20
![Page 46: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/46.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Sponge function?
n = 384, with b = 64 and w = 3
f ij (x ) = χ3 (x ⊕ cij )
s2i = 0, s2i+1 = 2i for 0 ≤ i < 2 log2 (b) = 12, then repeat (4? times):
s = {0, 1, 0, 2, 0, 4, 0, 8, 0, 16, 0, 32}
E�iciency estimates
On 64-bit processors, for each round:
3 word copies
3 word-wise AND
3+3+3 word-wise XORs
Maybe safe for 48 rounds if ≥ 8 active f functions/round on average.
18 / 20
![Page 47: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/47.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Sponge function?
n = 384, with b = 64 and w = 3
f ij (x ) = χ3 (x ⊕ cij )
s2i = 0, s2i+1 = 2i for 0 ≤ i < 2 log2 (b) = 12, then repeat (4? times):
s = {0, 1, 0, 2, 0, 4, 0, 8, 0, 16, 0, 32}
E�iciency estimates
On 64-bit processors, for each round:
3 word copies
3 word-wise AND
3+3+3 word-wise XORs
Maybe safe for 48 rounds if ≥ 8 active f functions/round on average.
18 / 20
![Page 48: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/48.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Other?
MiMC-like construction where f ij (x ) = (x + cij )3 (what Arnab just
presented).
You tell me!
19 / 20
![Page 49: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/49.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Other?
MiMC-like construction where f ij (x ) = (x + cij )3 (what Arnab just
presented).
You tell me!
19 / 20
![Page 50: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/50.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Outline
1 Introduction
2 Observations on GFNs
3 Multi-Rotating Feistel Network (MRFN)
4 Possible Applications
5 Conclusion
19 / 20
![Page 51: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/51.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Conclusion
Fun stu� happens when we allow the use of di�erent permutationsin each round!
Open problems
1 What are good sequences of rotations?
2 How to bound number of active f functions?
3 What can we use it for?
4 What happens in other structures (SPN? ARX?) when the linear layersare round-dependent?
Thank you!
20 / 20
![Page 52: Generalized Feistel Networks with Optimal Diffusion](https://reader033.fdocuments.in/reader033/viewer/2022042902/6269a976c1fb406f9c25a11d/html5/thumbnails/52.jpg)
Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion
Conclusion
Fun stu� happens when we allow the use of di�erent permutationsin each round!
Open problems
1 What are good sequences of rotations?
2 How to bound number of active f functions?
3 What can we use it for?
4 What happens in other structures (SPN? ARX?) when the linear layersare round-dependent?
Thank you!20 / 20