
Substitution-Permutation Networks

In the document: II Private-Key (Symmetric) Cryptography 45 (Page 168-174)

Block Ciphers

5.1 Substitution-Permutation Networks

As we have mentioned, the main property of a block cipher is that it should behave like a random permutation. Of course, a truly random permutation would be perfect. However, for a block cipher with input and output length of n bits, the size of the table needed for holding the random permutation is n·2^n bits (actually, this is the size of the table needed for a random function, but it is not much smaller for a random permutation). Thus, we need to somehow construct a concise function that behaves like a random one.

The confusion-diffusion paradigm. In addition to his work on perfect secrecy, Shannon introduced a basic paradigm for constructing concise random-looking functions. The basic idea is to break the input up into small parts and then feed these parts through different small random functions. The outputs of these random functions are then mixed together, and the process is repeated again (for a given number of times). Each application of random functions followed by mixing is called a round of the network (the construction is often called a “network” and we keep this name for consistency with other sources). Note that by using small random functions, the lack of structure that is inherent to a random function is introduced into the construction, but without the heavy expense.[2] This paradigm introduced by Shannon is often called the confusion-diffusion approach (in fact, Shannon himself coined these terms in his original paper). Small random functions introduce “confusion” into the construction. However, in order to spread the confusion throughout, the results are mixed together, achieving “diffusion”.

In order to see why diffusion is necessary, consider a block cipher F_k that works by simply applying small random functions to each 8-bit portion of the input. Now, let x and x′ be values that differ only in the first bit. It follows that F_k(x) and F_k(x′) differ only in the first byte (because in all other bytes x equals x′). In a truly random function, F_k(x) and F_k(x′) should look completely different, because each output value of a random function is chosen uniformly and independently of all other output values. However, in this imaginary block cipher where diffusion is not used, they are the same except for the first byte. Thus, such a block cipher is very far from a pseudorandom function. The repeated use of confusion and diffusion ensures that any small change in the input will be mixed throughout, and so the outputs of similar inputs will look completely different.

[2] Sixteen random functions with input/output of 8 bits each can be stored in only 16·8·2^8 bits, or 32 Kbits. This is in contrast with a random function with input/output of 128 bits, which requires 128·2^128 bits to store. We note that this latter number has 41 digits, whereas it is estimated that the number of atoms in Earth is a number with 49 digits. Thus, we could never even build a disk large enough to store such a table.

Substitution-permutation networks. A substitution-permutation network is a direct implementation of this paradigm. The “substitution” portion refers to small random functions (much like the mono-alphabetic substitution cipher studied in Section 1.3, which is actually a random 1–1 and onto function of the alphabet), and “permutation” refers to the mixing of the outputs of the random functions. In this context, “permutation” refers to a reordering of the output bits (not to a 1–1 and onto function as we typically use it in this book). The small substitution functions are called S-boxes, and we call the permutations that follow them mixing permutations. One question that you may be asking yourselves is where the secret key comes in. There are a number of possible answers to this, and different substitution-permutation networks can use different methods. One possibility is to have the key specify the S-boxes and mixing permutations. Another possibility is to mix the key into the computation in between each round of substitution-permutation (recall that the substitution-permutation operation is repeated many times).

In this latter case, the S-boxes and mixing permutations are publicly known (in accordance with Kerckhoffs’ principle; see Section 1.3). Our presentation here follows the latter approach, where the key is mixed into the intermediate results between each round. This is often done by a simple XOR operation: the key is XORed with the intermediate result after each round of the network computation. We remark that typically it is not the same key that is XORed each time; rather, different keys are used. To be more exact, the key to the block cipher is referred to as a master key, and subkeys for each round are derived from it; this derivation procedure is known as the key schedule. We remark that the key schedule is often very simple and may work by just taking subsets of the bits, although complex schedules can also be defined. See Figure ?? for the high-level structure of a substitution-permutation network, and Figure ?? for a closer look at a single round of such a network.

An important point to notice is that we have not specified at all how the S-boxes and mixing permutations should be chosen. We have also not specified whether the S-boxes and mixing permutations are the same or different in each round. We will not present design principles for the construction of “good” S-boxes (with one exception below), and likewise will not describe how the subkeys should be derived from the master key and how the mixing permutations should be chosen. We do stress that these choices are what determines whether the block cipher is trivially breakable or very secure. Nevertheless, as we have mentioned, our aim in this chapter is not to teach how to construct block ciphers. The contrary is true: we strongly believe that non-experts (meaning those who do not have many, many, many years of experience in this) should never attempt such a task.

Despite the above, there are two design choices that we will mention. The first is necessary for making the block cipher a permutation (i.e., a 1–1 and onto function), and the other is a basic requirement for security. Both choices relate to the S-boxes.

Design choice 1 – invertibility of the S-boxes. In a substitution-permutation network, the S-boxes must be invertible. In other words, they must be 1–1 and onto functions. The reason for this is that otherwise the block cipher will not be a permutation (i.e., it will not be 1–1 and onto). In order to see that making the S-boxes 1–1 and onto suffices, we show that given this assumption it is possible to fully determine the input given any output and the key. Specifically, we show that every round can be uniquely inverted (yielding that the entire network can be inverted by working from the end back to the beginning). For the sake of this description, we define a round to consist of three stages: XORing of the subkey with the input to the round, passing the result through the S-boxes, and mixing the result via the mixing permutation. The mixing permutation can easily be inverted because the permutation determines, for every bit i of the input, the position j where it appears in the output (so inverting it simply moves the jth output bit back to position i). Given the output of the permutation, we therefore obtain the input to the permutation, which is exactly the output of the S-boxes. Given the fact that the S-boxes are 1–1 and onto functions, these too can be inverted by looking at the table that defines them. We therefore obtain the input to the S-boxes. Finally, the subkey can be XORed with this input and we obtain the value from the beginning of the round (note that the required subkey can be derived from the master key in the same way when inverting the block cipher as when computing it). We therefore have the following claim:

CLAIM 5.1 In a substitution-permutation network F in which the S-boxes are all 1–1 and onto (and of polynomial size), there exists an efficient procedure for computing F_k^{-1}(y). Furthermore, for every key k and every input x, F_k^{-1}(F_k(x)) = x.

In addition to the requirement that the S-boxes be uniquely invertible, it is clear that they must be random looking. One might therefore think that the best strategy is to simply choose them completely randomly, under the constraint that they be 1–1 and onto. However, this is actually not the best strategy, because truly random S-boxes do not provide the strongest protection against advanced cryptanalytic techniques (like differential and linear cryptanalysis that we briefly discuss below in Section 5.6).

Design choice 2 – the avalanche effect. An important property in any block cipher is that small changes to the input must result in large changes to the output. Otherwise, the outputs of the block cipher on similar inputs will not look independent (whereas in a random permutation, the outputs of similar inputs are independently distributed). In order to ensure that this is the case, block ciphers are designed to have an avalanche effect, meaning that small changes in the input propagate quickly to very large changes in the intermediate values (and thus outputs). It is easy to demonstrate that the avalanche effect holds in a substitution-permutation network, provided that the following two properties hold:

1. The S-boxes are designed so that any change of at least a single bit to the input to an S-box results in a change of at least two bits in the output.

2. The mixing permutations are designed so that the output bits of any given S-box are spread into different S-boxes in the next round.

We remark that the first property is not necessarily obtained by small random functions or permutations. For example, consider the case that the S-box has input/output length of 4 bits (this may seem very small, but the size of a table for an 8-bit S-box is often too large). Now, for any 4-bit input, there are 5 values that differ from it in at most one bit (the input itself plus the four values obtained by flipping a single bit of the input). In contrast, there are 16 possible output values. Thus, for a random S-box, the probability that flipping one input bit changes the output in at most one bit is 5/16 > 1/4. Given that a number of S-boxes may be used (e.g., DES has 8 of them), randomly chosen S-boxes are not likely to all have this property.

Returning to the avalanche effect, let us assume that all the S-boxes and mixing permutations are chosen with the aforementioned properties. Consider now what happens when the block cipher is applied to two inputs that differ by only a single bit. For the sake of concreteness, assume that the S-boxes have input/output size of 4 bits, and that the block size is 128 bits. We track the computation of two similar inputs round by round:

1. After the first round of the network, the intermediate values differ in two places. This is due to the fact that the two inputs differ in only a single bit, and so all the input values are the same except for in one S-box. Given the above S-box property, it follows that the outputs of this S-box differ in (at least) two places.

2. By the second property, the permutation at the end of the first round spreads the two different bits into different regions of the intermediate string. Ther
efore, it follows that at the beginning of the second round, there are two S-boxes that receive inputs that differ by one bit. Following the same argument as previously, we have that at the end of the second round, the intermediate values differ in 4 bits.

3. Continuing with the same argument, we have that the intermediate values differ by 8 bits after the 3rd round, 16 bits after the 4th round, 32 bits after the 5th round, 64 bits after the 6th round and 128 bits (i.e., everywhere) after the 7th round. Of course, we don’t really mean that the bits are all different, but rather that they have all been affected and so no similarity remains.

We conclude that after i rounds, 2^i bits have been affected (thus, for a 128-bit block, 7 rounds are required to complete the avalanche effect).

Pseudorandomness of substitution-permutation networks. As we have discussed, there is no formal justification for why such a design yields a pseudorandom permutation. Nevertheless, experience of many years shows that the confusion-diffusion paradigm works, as long as great care is taken in the choice of the S-boxes, the mixing permutations and the key schedule. The Advanced Encryption Standard (AES), described below in Section 5.5, has a similar structure to the substitution-permutation network described above, and is widely believed to be a very strong pseudorandom permutation.

Attacks on reduced-round substitution-permutation networks. In order to obtain more of an insight into substitution-permutation networks, we will demonstrate attacks on block ciphers of this type that have very few rounds. These attacks are straightforward, but are worthwhile seeing. They also show why a number of rounds are needed. Recall that according to Definition 3.28 (pseudorandom permutations), the adversary is given an oracle that is either a random permutation or the given block cipher (with a randomly chosen key). The aim of the adversary is to guess which function is computed by its oracle. Clearly, if an adversary can obtain the secret key of the block cipher, then it can distinguish it from a random permutation. Such an attack is called a complete break because once the secret key is learned, no security remains.

1. Attack on a single-round substitution-permutation network: We demonstrate this attack in a weaker adversarial model than above. Namely, we assume only that the adversary is given one input/output pair (and not that it can choose the inputs upon which the block cipher is computed). Let x be the input and y the output. We will demonstrate how the adversary can easily learn the secret key k for which y = F_k(x), where F denotes the single-round substitution-permutation network.

The adversary begins by inverting the mixing permutation, and then the S-boxes. It can do this because the specification of the permutation and S-boxes is public. The intermediate value that the adversary obtains from these inversions is exactly x ⊕ k (by the design of a single substitution-permutation round). Since the adversary also has the input x, it immediately derives the secret key k. This is therefore a trivial complete break.

2. Attack on a two-round substitution-permutation network: In this case, we also show a complete break. In order to demonstrate the attack, we consider concrete parameters. Let the block size be 64 bits and let each S-box have input/output of size 4 bits (as we have mentioned, 8 is usually too large). Furthermore, let the key k be of length 128 bits, where the first half of the key is used in the first round and the second half in the second round (let k_a and k_b denote these two 64-bit parts of the key). We use independent keys here to simplify the description of the attack below, but this only makes the attack “harder”.

Now, let x be the input and y the output (each of 64 bits). For a 64-bit value z, write z = z_1, …, z_16, where each z_i is 4 bits long (we will use this notation for x, y, k_a and k_b). The adversary begins by peeling off the last round, as in the attack on the single-round block cipher. Denote by w the value that it obtains after inverting the mixing permutation and S-boxes of the second round; note that w is the output of the first round XORed with k_b. Denote α = w_1 ⊕ k_b^1 (of course, the adversary does not know k_b, but it wishes to learn it); α is thus the first 4-bit block of the output of the first round. The important observation here is that when working from the input to the output, the value of α is influenced by at most 4 different S-boxes (because in the worst case, each of its 4 bits comes from a different S-box in the first round).

Furthermore, since the mixing permutation of the first round is known, the adversary knows exactly which of the S-boxes influence it. Next, notice that at most 16 bits of the key k_a influence the computation of these four S-boxes. It follows that the adversary can guess 16 bits of k_a and the four-bit portion k_b^1 of the key k_b, and then verify the guess with the input/output pair (x, y). This verification is carried out by XORing the relevant 16 bits of the input x with the relevant 16 bits of k_a, and then computing the appropriate 4 first-round S-boxes and the 4 bits of the first-round mixing permutation that form α. The value obtained is then compared with w_1 ⊕ k_b^1 (where k_b^1 is also part of the guess). If equality is not obtained, then this guess of 16 bits of k_a and of k_b^1 is certainly incorrect.

If equality is obtained, then this guess may be correct. However, it may also be incorrect (and equality is obtained by chance). Nevertheless, it is possible to use a number of input/output pairs and verify the guess of the key portion with all of the pairs.[3] For the sake of concreteness, assume that 8 pairs are used. It follows that the adversary learns the 4 bits of k_b^1 in time 8·2^20 = 2^23. This can be repeated for all 16 portions of k_b and we obtain a total complexity of 16·2^23 = 2^27. We remark that in this process all of k_a is also learned, and so the entire 128-bit key k = (k_a, k_b) is learned in only time 2^27. (In fact, the complexity will be even less, because all of k_a will be learned after only 4 or so repetitions of the above procedure, and only k_b will remain unknown.)

[3] Since there are 2^20 possible guesses of the key portion, and verification takes place with just 4 bits, we obtain that 2^16 different keys are expected to pass the test with a single input/output pair. Assuming random behavior of the block cipher, we obtain that with 5 different (preferably random) input/output pairs, the verification takes place with 20 bits and so just a single key is expected to pass the test. Given 10 different input/output pairs, it is unlikely that the test will leave more than one possibility for the key portion.

We recommend sketching two rounds of a substitution-permutation network and tracing the steps of the above attack.

There is an important lesson to be learned from the above attack. Observe that the attack is made possible since different parts of the key can be isolated from the other parts (it is much quicker to carry out 16 attacks of time 2^20 than a single attack of time 2^128 or even 2^64). Thus, the diffusion step in the construction is also needed to make sure that all of the bits of the key affect all of the bits of the output. Two rounds of the network are not enough for this to happen.

3. Attack on a three-round substitution-permutation network: We present a weaker attack here; instead of attempting to learn the key, we just show that it is easy to distinguish a three-round block cipher from a pseudorandom permutation. This attack is based on the observation that the avalanche effect is not complete after only three rounds (of course, this depends on the block size and S-box size, but with reasonable parameters this will be the case). Thus, the adversary just needs to ask for the function to be computed on two strings that differ on only one

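The following toy implementation is an added example written for this page; it is not code from the book, and it is not any real cipher. It ties together the points of this section: the round structure (subkey XOR, 4-bit S-boxes, mixing permutation), its inversion as in Claim 5.1, the two S-box/permutation properties of design choice 2 together with a round-by-round avalanche trace, and the attacks on one-, two- and three-round networks. Assumptions not taken from the text: the S-box is the 4-bit S-box of the PRESENT cipher (a published S-box, used only because it satisfies property 1, which check_sbox verifies); the mixing permutation sends output bit b of S-box a to position m·b + a, which gives property 2; the “key schedule” is simply a list of independent round keys, as in the two-round attack; keys and inputs are constructed at random from a fixed seed. The two-round attack goes one step beyond the text: because the mixing permutation is a bit permutation, each bit of the peeled value w comes from exactly one first-round S-box, so the code isolates 4 bits of k_a at a time (16 guesses, checked on the four bits of w they control, with the matching 4 bits of k_b falling out of the guess) rather than the 16 + 4 bit guess per second-round block described above; the divide-and-conquer idea is the same, only the granularity is finer. The three-round distinguisher follows the public permutation to compute which output positions a one-bit input change cannot yet have reached, and checks that those positions agree for the two queries.

```python
# Toy SPN as described above: each round is subkey XOR, 4-bit S-boxes, bit permutation.
import random

# PRESENT's 4-bit S-box: it satisfies property 1 (one flipped input bit flips >= 2 output bits).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_INV = [SBOX.index(v) for v in range(16)]

def weight(v):
    return bin(v).count("1")

def check_sbox(sbox):  # bijective, and any 1-bit input change alters >= 2 output bits
    return sorted(sbox) == list(range(16)) and all(
        weight(sbox[x] ^ sbox[x ^ (1 << i)]) >= 2 for x in range(16) for i in range(4))

def perm_pos(p, m):
    """Mixing permutation for m S-boxes (4m-bit block): bit 4a+b (output bit b of S-box a) -> m*b+a."""
    a, b = divmod(p, 4)
    return m * b + a  # the four bits of one S-box reach four different S-boxes (property 2)

def permute(x, m):
    return sum(((x >> p) & 1) << perm_pos(p, m) for p in range(4 * m))

def unpermute(y, m):
    return sum(((y >> perm_pos(p, m)) & 1) << p for p in range(4 * m))

def substitute(x, m, box=SBOX):
    return sum(box[(x >> (4 * a)) & 0xF] << (4 * a) for a in range(m))

def encrypt(x, keys, m):
    for k in keys:  # one round = subkey XOR, S-boxes, mixing permutation
        x = permute(substitute(x ^ k, m), m)
    return x

def decrypt(y, keys, m):
    for k in reversed(keys):  # Claim 5.1: undo the rounds from the end back to the start
        y = substitute(unpermute(y, m), m, SBOX_INV) ^ k
    return y

def avalanche_trace(x, x2, keys, m):  # bits in which the two values differ after each round
    out = []
    for k in keys:
        x, x2 = [permute(substitute(v ^ k, m), m) for v in (x, x2)]
        out.append(weight(x ^ x2))
    return out

def affected_mask(bit, rounds, m):
    """Positions a one-bit input difference at `bit` can reach after `rounds` rounds, following
    only the public permutation (an S-box whose input changed may change all 4 output bits)."""
    pos = {bit}
    for _ in range(rounds):
        pos = {perm_pos(4 * (p // 4) + b, m) for p in pos for b in range(4)}
    return sum(1 << p for p in pos)

def attack_one_round(x, y, m):  # one known pair y = F_k(x)
    return substitute(unpermute(y, m), m, SBOX_INV) ^ x  # peel P and S off y, leaving x ^ k

def attack_two_rounds(pairs, m):
    """Complete break of the two-round network from known (x, y) pairs: peel round 2 to get
    w = P(S(x ^ ka)) ^ kb; output bit b of first-round S-box a sits at one known position of w,
    so each 4-bit part of ka is found alone (16 guesses checked on the 4 w bits it controls)."""
    ws = [(x, substitute(unpermute(y, m), m, SBOX_INV)) for x, y in pairs]
    ka = kb = 0
    for a in range(m):
        for g in range(16):
            kb_bits = None
            for x, w in ws:
                out = SBOX[((x >> (4 * a)) & 0xF) ^ g]
                bits = tuple(((w >> perm_pos(4 * a + b, m)) ^ (out >> b)) & 1 for b in range(4))
                if kb_bits is None:
                    kb_bits = bits  # kb bits implied by this guess and the first pair
                elif bits != kb_bits:
                    break  # contradicts a later pair: wrong guess
            else:
                ka |= g << (4 * a)
                kb |= sum(kb_bits[b] << perm_pos(4 * a + b, m) for b in range(4))
                break
    return ka, kb

def distinguish(oracle, m, rounds=3):
    """Chosen-plaintext test: query two inputs differing in bit 0 and check the unreachable bits."""
    x = random.getrandbits(4 * m)  # a random permutation passes with probability 2^-(bits outside mask)
    return (oracle(x) ^ oracle(x ^ 1)) & ~affected_mask(0, rounds, m) == 0

def demo(m=32, rounds=8, seed=1):  # 128-bit block; constructed random keys and inputs
    rng = random.Random(seed)
    keys = [rng.getrandbits(4 * m) for _ in range(rounds)]
    x = rng.getrandbits(4 * m)
    pairs = [(p, encrypt(p, keys[:2], m)) for p in (rng.getrandbits(4 * m) for _ in range(16))]
    return {
        "inverts": decrypt(encrypt(x, keys, m), keys, m) == x,
        "trace": avalanche_trace(x, x ^ 1, keys, m),
        "one_round": attack_one_round(x, encrypt(x, keys[:1], m), m) == keys[0],
        "two_rounds": attack_two_rounds(pairs, m) == (keys[0], keys[1]),
        "spn3_flagged": distinguish(lambda v: encrypt(v, keys[:3], m), m),
        "random_flagged": distinguish(lambda v: rng.getrandbits(4 * m), m),  # random-function stand-in
    }

if __name__ == "__main__":
    print(demo())
```

Running demo() (128-bit block, 32 S-boxes, 8 rounds) returns a dictionary: the cipher inverts correctly; trace lists how many bits differ after each round for two inputs that differ in one bit (2 to 4 after the first round, at least 4 after the second, at least 8 after the third, always within the reachable set computed by affected_mask, which grows 4, 16, 64, 128 for this permutation); both key-recovery attacks return the exact round keys; and the three-round distinguisher flags the SPN while the random-function stand-in is not flagged. One caveat that the text hints at with “this depends on the block size and S-box size”: with a 64-bit block (m = 16) this permutation already lets a one-bit difference reach every position after three rounds, so affected_mask(0, 3, 16) covers the whole block and the distinguisher has nothing left to test; the 128-bit block still leaves 64 positions untouched after three rounds, which is exactly what the distinguisher checks.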
