5

Let's assume a balanced network with many (dozens?) rounds, and a simple (selecting key bits) key schedule. What does it take from the round F function to make a secure block cipher? Obviously we need nonlinearity and some avalanche. But is this sufficient? How can this still fail? Does a high round count compensate for any mild weaknesses in the F function?

fgrieu
Meir Maor

3 Answers

3

What does it take from the round F function to make a secure block cipher?

  • The ability to provide resistance to the most common attacks, like differential, linear, algebraic, slide and others, mainly depends on the features of the S-box (if used). * Simon does not use an S-box.
  • The design of the F-function depends on the structure of your Feistel cipher: Type I, II, III and others (which differ in terms of the number of branches, the number of F-functions, and the internal structure of the F-function).

  • The size of the plaintext (64, 128) could also influence the size of the box (4-bit or 8-bit), as in Piccolo vs CLEFIA. Therefore, the differential probability, linear probability and algebraic immunity differ; an 8-bit S-box provides higher immunity features, therefore a lower number of active S-boxes is needed to provide minimum immunity, hence a lower number of rounds.

  • The internal structure of the F-function, such as SP vs SPS, influences diffusion (in terms of the number of active boxes). In addition, the use of different MDS matrices in r rounds (multiple-round diffusion, or the diffusion switching mechanism (DSM)) provides higher diffusion compared to using 1 MDS matrix. CLEFIA employs DSM.

  • On the other hand, 8-bit S-boxes such as those in AES are expensive in terms of masking against side-channel attacks. One way is to use smaller S-boxes (easy to mask) to build larger S-boxes, or to use a 4-bit S-box.

Does a high round count compensate for any mild weaknesses in the F function?

  • I don't think so: if you have a self-similar F-function, it will be vulnerable to a slide attack, and increasing the number of rounds will not compensate for the weakness. To solve the self-similarity of the F-rounds it is recommended to add constants. For how to choose round constants for simple key scheduling, I recommend reading

Proving Resistance against Invariant Attacks: How to Choose the Round Constants

There are other structures for the internal F-function (not only SP, SPS), such as ARX (e.g. the Simon cipher), that have been designed in a triangle of security, performance and size, and resistance to both mathematical and implementation attacks (such as timing, DPA).

forest
hardyrama
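The slide-attack point in the answer above, as an added example that is not part of the original answer: with identical rounds, encrypting a plaintext shifted by one round yields the ciphertext shifted by one round, whatever the round count, and per-round constants break that relation. The toy 32-bit Feistel network, its F function, the key and the constants are all constructed for this illustration.

```python
# Added illustration, not code from the answer. Toy 32-bit balanced Feistel
# network; f, the key and the round constants are constructed for this demo.
MASK = 0xFFFF

def f(x, k, c=0):
    """Toy nonlinear, non-invertible F on 16-bit words (hypothetical)."""
    x = (x + k + c) & MASK
    x = (x * (x | 1)) & MASK               # multiplication gives nonlinearity
    return ((x << 5) | (x >> 11)) & MASK   # rotate left by 5

def feistel_round(block, k, c=0):
    left, right = block
    return (right, left ^ f(right, k, c))

def encrypt(block, k, rounds, constants=False):
    """Same key bits in every round; optional per-round constant."""
    for i in range(rounds):
        c = ((i + 1) * 0x1F3D) & MASK if constants else 0
        block = feistel_round(block, k, c)
    return block

def slid_pairs_preserved(k, rounds, constants, n=256):
    """Count plaintexts P where E(round(P)) == round(E(P)).

    That equality is the self-similarity a slide attack relies on.
    """
    hits = 0
    for i in range(n):
        p = ((i * 0x0101) & MASK, (i * 0x03A7 + 7) & MASK)  # constructed inputs
        p_slid = feistel_round(p, k)        # P shifted by one round
        c = encrypt(p, k, rounds, constants)
        c_slid = encrypt(p_slid, k, rounds, constants)
        hits += c_slid == feistel_round(c, k)
    return hits

if __name__ == "__main__":
    key = 0xBEEF  # constructed 16-bit round key
    for rounds in (4, 64, 1024):
        print(rounds,
              slid_pairs_preserved(key, rounds, constants=False),
              slid_pairs_preserved(key, rounds, constants=True))
```

Without constants the count equals the number of plaintexts tested at every round count, which is why adding rounds alone does not remove this structural property.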
2

Since the decryption of a Feistel cipher does not need the inverse of the round function, we only need to consider the design of the round function and the number of rounds.

For the round function, I think it needs good diffusion and confusion. It does not even need to be a 1-1 function; you can even use a hash function. Since you may not be designing a block cipher, you may design a hash function using Feistel.

Since the criterion for a symmetric cipher is the number of rounds for which it can resist some typical attacks, e.g., differential and rebound, we may consider all the attack models in history to deal with the round number.

Felix LL
-1

Does a high round count compensate for any mild weaknesses in the F function?

This may be the case, and this is (perhaps) tangential evidence. A Feistel network forms a block cipher with a number of rounds, often using a simple compressive (F) function. Whilst not a Feistel network, the Threefish block cipher is part of the Skein family of hash functions, and is associated with this quote from its design paper:

"The core design principle of Threefish is that a larger number of simple rounds is more secure than fewer complex rounds."

I include this quote as it specifically relates to increased round count. Threefish's compressive MIX function has geometric similarities with an F function. It would not be a huge leap to assume that the principle of additional rounds providing additional security holds. It is certainly not evidence to the contrary, and I can't recall any professional construct that is safer when shorter.

Plus, the Wikipedia article on Feistel networks seems to suggest that you're correct. Whilst additional rounds may not immunise a network from all possible attacks, it seems like common sense that more rounds generally increase the overall security when all other things are equal. It must at least increase diffusion if nothing else.

Paul Uszak