-2

In a 128-bit Feistel cipher:

I need suggestions about two variations of the Round Function

Variation-1

  1. $64$ bit input is divided into $8$ bytes
  2. Byte $0,1,2,3$ are substituted with Sbox1
  3. Byte $4,5,6,7$ are substituted with Sbox2.
  4. Then an $8 \times 8$ binary matrix is applied on the 8 bytes from 8 rows (matrix similar to Camellia).


Variation-2

  1. 64 bit input of the round function is expressed as $8 \times 8$ binary matrix.
  2. Sbox1 is applied on the rows (on 8 bytes).
  3. Sbox2 is applied on the columns (on 8 bytes).
  4. 8 Bytes are made using bits of Rows.
  5. Then an $8 \times 8$ binary matrix is applied on the 8 bytes from 8 rows (matrix similar to Camellia).


Keeping in view that both S-boxes have non-linearity of 112 and maximum Differential Probability of $2^{-6}$ ($\approx$ the same level of security of AES).

Which variation is better in terms of security? The same S-boxes are used in both the variations. Variation-2 is slow and more complex to implement, but that's not an issue.

e-sushi
crypt
  • And exactly what is the question? O.o – Biv May 11 '16 at 11:57
  • I mean which variation is better in terms of security, because the same S-boxes are used in both the variations. Variation-2 is slow and more complex to implement, but that's not an issue – crypt May 11 '16 at 14:50
  • You ever hear of a P-box? – Richie Frame May 11 '16 at 15:40
  • It is used in Camellia. 8x8 binary matrix. – crypt May 11 '16 at 16:42
  • No, that is the P-function; see the P-box in DES – Richie Frame May 11 '16 at 16:45
  • What does the P-box have to do with both variations? The only thing different in both variations is how the S-boxes are being used. – crypt May 11 '16 at 17:15
  • The S-box provides confusion while the P-box provides diffusion. I'm not sure your 8x8 matrix provides the sufficient diffusion intended. – Biv May 11 '16 at 17:42
  • I am saying both variations will have the same P-box, so there is no need to compare the P-box; the question is about the usage of S-boxes. In the two variations nothing is changed except how the S-boxes are being used. I hope you understood @Biv – crypt May 11 '16 at 17:57
  • You should specify what exactly you mean by "security". For example, do you wish to optimize for resistance against linear/differential cryptanalysis? Also, can you provide more detail on the smaller S-boxes, ideally their complete specification (in general the end result will depend on more than just the non-linearity). The easiest way to check is just to construct both round functions and test their properties. If you want a theoretical result (for any small Sbox), that's a lot more work (and then you should show some of your own effort, IMHO). – Aleph May 12 '16 at 15:37
  • Still wondering... – crypt May 29 '16 at 20:01

1 Answer

2

About the security of your first variation, it is sort of answered here.

This is your 1st variation. [image]

This is your 2nd variation (your $8 \times 8$ matrix idea is equivalent to applying a permutation). [image]

In your first variation, the application of the matrix is useless: one can consider the $S1$ (or $S2$) and the matrix as a single S-box. Hence you have no security gain.

In the second variation, you can see that even if you find the right differential on $S1$, it becomes harder to exploit because you apply a permutation before the following $S2$ (and subsequently the application of the matrix, which is equivalent to another S-box).

Remark: Because in the second scheme you use a permutation, they cannot really be compared (apples vs oranges...)

With this in mind, I will let you decide which of these two variations is the most secure...

Given that you ask such a question (meaning you are not familiar enough to find a weakness),
I HIGHLY RECOMMEND YOU TO NOT USE SUCH A BLOCK CIPHER in a production environment and stick to the standards!

Biv
  • If I understand the (unclear) question correctly, your link to the related answer is unrelated: I think what the OP describes is only the round function, not the full Feistel cipher. Although the composition of several substitutions indeed remains a substitution, its various security properties for use as a round function will in general change drastically. In this regard it also makes perfect sense to compare both schemes, if only the OP gave us a more specific definition of "security" (e.g. he seems to be mainly interested in resistance against differential and linear cryptanalysis?)... – Aleph May 12 '16 at 15:42
  • Using 2 S-box one after the other is why I think the answer linked is related while I do agree it does not fully answer the question. But at least it provides a nice explanation for the security about the first variation. – Biv May 12 '16 at 17:08
  • But when two S-boxes are applied after each other, the security properties can be completely different. Obviously the result is another S-box, but what matters is what the properties of this S-box are. – Aleph May 12 '16 at 17:12
  • True but given the security margin he gave for his 8 bit S-box, I hardly think he could have something better. – Biv May 12 '16 at 17:15
  • @Biv Thanks a lot for making a clear diagram for Variation-2. But may I ask why you are applying Mcamellia 8 times to all 8 bytes separately, treating 8 bits as input? (Or I understood it the wrong way, and Mcamellia is being applied to 8 bytes just like in Camellia.) From the diagram you made, it is clear that Variation 2 will have better diffusion: changing one bit in the input of sbox1 will cause a change of at least 4 different inputs to sbox2, which after passing through Mcamellia will propagate more change as compared to Variation-1 – crypt May 12 '16 at 18:17
  • The P-function matrix is applied on an entire 64-bit value in Camellia; it is not a binary matrix, but rather an 8x8 matrix with only values of 1 and 0, which is why the OP called it binary – Richie Frame May 12 '16 at 18:17
  • I didn't know that part about the matrix, I thought it was applied on slots of 8 bits. Well then it is just a big permutation of bytes, right @RichieFrame? And therefore it does not add security if you were to compare the two schemes between each other. – Biv May 12 '16 at 18:24
  • @Biv I have updated the question using your images (a bit modified) – crypt May 12 '16 at 18:39
  • @RichieFrame Thanks for clearing up the usage of the matrix. Any suggestions about both the variations? And any comments on my following understanding:

    "Variation 2 will have better diffusion: changing one bit in the input of sbox1 will cause a change of at least 4 different inputs to sbox2, which after passing through Mcamellia will propagate more change as compared to Variation-1"

    – crypt May 12 '16 at 18:41
  • @Biv Your opinion about both variations after the clarity on P-Box. and any suggestions about THIS Question – crypt May 12 '16 at 18:49
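
Following the suggestion in the comments to construct both round functions and test their properties, here is an added example (not code from the question, the answer, or any commenter) that builds both variations and measures the differential count of the S-boxes and how many Sbox2 inputs change in Variation-2 when one input bit flips. Assumptions: the S-boxes are stand-ins (inversion in GF(2^8), and the same table with its output rotated by one bit), the byte-level 0/1 matrix is modelled on Camellia's P-function, and Variation-2 is read as "Sbox1 on rows, transpose, Sbox2 on columns, transpose back, then the matrix".

```python
from functools import reduce

def gmul(a, b):                       # multiply in GF(2^8), polynomial 0x11B
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def ginv(x):                          # x^254 = x^-1, and 0 maps to 0
    return reduce(lambda r, _: gmul(r, x), range(254), 1)

# Stand-in S-boxes (assumption): field inversion, and its output rotated by one bit.
S1 = [ginv(x) for x in range(256)]
S2 = [((y << 1) | (y >> 7)) & 0xFF for y in S1]

# Byte-level 0/1 matrix modelled on Camellia's P-function (assumption).
P = [(0, 2, 3, 5, 6, 7), (0, 1, 3, 4, 6, 7), (0, 1, 2, 4, 5, 7), (1, 2, 3, 4, 5, 6),
     (0, 1, 5, 6, 7), (1, 2, 4, 6, 7), (2, 3, 4, 5, 7), (0, 3, 4, 5, 6)]

def p_layer(b):                       # output byte j = XOR of the input bytes in row j
    return [reduce(lambda a, i: a ^ b[i], row, 0) for row in P]

def transpose(rows):                  # 8 bytes as an 8x8 bit matrix, MSB = column 0
    return [sum(((rows[r] >> (7 - c)) & 1) << (7 - r) for r in range(8))
            for c in range(8)]

def var1(b):                          # S1 on bytes 0-3, S2 on bytes 4-7, then P
    return p_layer([S1[x] for x in b[:4]] + [S2[x] for x in b[4:]])

def var2(b):                          # S1 on rows, S2 on columns, back to rows, then P
    cols = [S2[c] for c in transpose([S1[x] for x in b])]
    return p_layer(transpose(cols))

def max_ddt(S):                       # largest differential count over non-zero input diffs
    best = 0
    for dx in range(1, 256):
        hist = [0] * 256
        for x in range(256):
            hist[S[x] ^ S[x ^ dx]] += 1
        best = max(best, max(hist))
    return best

def active_s2_inputs(x, bit):         # Variation-2: S2 inputs changed by one flipped bit
    return bin(S1[x] ^ S1[x ^ (1 << bit)]).count("1")

def var2_spread():                    # (min, mean) over every byte value and bit position
    n = [active_s2_inputs(x, b) for x in range(256) for b in range(8)]
    return min(n), sum(n) / len(n)
```

With real S-box tables substituted for `S1` and `S2`, `var2_spread()` gives the measured spread for those tables, and `max_ddt` confirms the stated $2^{-6}$ bound (a count of 4 out of 256).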