Format-Preserving Encryption Algorithms Using Families of Tweakable Blockciphers

Abstract

We present two new algorithms, FEA-1 and FEA-2, for secure and efficient format-preserving encryption. Each algorithm is built from a family of dedicated tweakable blockciphers supporting various block bit-lengths. The tweakable blockciphers in the same family have similar structures and are based on common building blocks, enabling security analyses in the same frameworks. Their security follows largely from the structures, the round functions, and the tweak schedules. Their structures are new tweakable Feistel schemes, which are shown to be indistinguishable from tweakable random permutations against adaptive chosen tweak, plaintext, and ciphertext attacks. Their building blocks are shown to have cryptographically strong properties. The proposed algorithms outperform existing ones. They are several times faster than FF1-AES on test platforms.

Appendices

A Equivalent Tweak Analysis

In this section, we show that when round functions are Tw-KSP-Tr or Tw-KSP-KS-Tr, the resulting tweakable blockciphers have weaknesses if the block bit-length is small and the number of rounds is not very large. For simplicity, we consider the case where the block bit-length is 16 and the round tweaks are only padded similarly to the type 1 TBCs. In this case, the bit-length of the tweaks, round tweaks, and round inputs are 112, 56, and 8, respectively. Let the secret key \(K\) be randomly chosen and let the \(r\)-th round key be \(RK_0^r \Vert \cdots \Vert RK_{8}^r\) for each \(r\). For the \(r\)-th round, let \(x\) be the 8-bit input of round function. For each tweak \(T\), let \(RT_1^r \Vert \cdots \Vert RT_{15}^r\) be the \(r\)-th round tweak. Let

$$ \eta _{K,T,r} = \sum _{i=1} ^7 M_{0i} S(RT_i ^r \oplus RK_i^r) $$

for each key \(K\), tweak \(T\), and round index \(r\). Then the output of Tw-KSP-Tr function is \(y = (M_{00} \cdot S(x \oplus RK_0^r)) \oplus \eta _{K,T,r} \) and the output of Tw-KSP-KS-Tr function is \(z = S(y \oplus RK_{8}^r)\). Note that if \(\eta _{K,T1,r} = \eta _{K,T2,r}\) for tweaks \(T1\) and \(T2\), then the round functions coincide for \(T1\) and \(T2\). Let \(R\) be the number of rounds. \(\eta _{K,T1,1} = \eta _{K,T2,1}, \eta _{K,T1,2} = \eta _{K,T2,2}, \cdots , \eta _{K,T1,R} = \eta _{K,T2,R}\) implies that \(T1\) and \(T2\) are equivalent tweaks for the key \(K\). Thus when about \(2^{4R}\) tweaks are applied with the same key, then there exist equivalent tweaks with non-negligible probability. Note that equivalent tweaks are very likely to satisfy the above condition. If we assume this, we can get some direct information useful for recovering the secret key \(K\) by the following procedure.

1. 1.

   Find out equivalent tweaks by encrypting all the 16-bit inputs using \(2^{4R}\) tweaks using the cipher.

2. 2.

   If such equivalent tweaks are found, we conclude that \(\eta _{K,T1,1} = \eta _{K,T2,1}, \eta _{K,T1,2} = \eta _{K,T2,2}, \cdots , \eta _{K,T1,R} = \eta _{K,T2,R}\).

The attack is more effective than exhaustive key search when \(16 + 4R\) is smaller than the key bit-length. Thus, when the key bit-length is 128 and the block bit-length is 16, the number of rounds should be at least 28 even if we do not have a security margin.

B Bound of Differential Probability for Truncated KSP-KSP Functions

In [17], the MDP of a KSP-KS function was shown to be bounded by \(p^d\), when the MDP of each S-box is \(p\) and \(P\) is a diffusion layer represented by a \(d \times d\) MDS matrix over \(\mathrm {GF}(2^m)\). The proof uses Lemma 1 [17].

Lemma 1

For the linear map \(Z_2 ^{dm} \rightarrow Z_2^{dm}\) defined by a \(d \times d\) MDS matrix over \(\mathrm {GF}(2^m), d\) components of input and output, chosen from any \(d\) positions among the \(2d\) possible ones, determine the remaining \(d\) components.

We now prove Theorem 1 using Lemma 1 as a crucial ingredient.

Proof

We proceed similarly as in [17]. Let \(D\) be the \(d \times d\) MDS matrix. Let \(\pi : \mathbb {Z}_2 ^{dm} \rightarrow \mathbb {Z}_2 ^{sm}\) be the truncation map outputting the \(s\) most significant \(m\)-bit words. Let us denote the input value, output value, and the intermediate values by \(x, \overline{y}\), and \(u, v, w, y\), respectively. They are related by

$$ x \mathop {\rightarrow }\limits ^{KS} u \mathop {\rightarrow }\limits ^{P} v \mathop {\rightarrow }\limits ^{KS} w \mathop {\rightarrow }\limits ^{P} y \mathop {\rightarrow }\limits ^{\pi } \overline{y}. $$

Each input value and intermediate value has \(d\) \(m\)-bit components. For example, \(x = (x_{(0)}, \cdots , x_{(d-1)})\) with \(x_{(i)} \in \mathbb {Z}_2^m\). Now let \(\varDelta x\) and \(\varDelta \overline{y}\) be fixed input and output differences. Let \(h\) be the number of nonzero components of \(\varDelta x\). We may assume without loss of generality that \(\varDelta x_{(0)}, \cdots , \varDelta x_{(h-1)} \ne 0\). Then we consider differential probability of all paths

$$ \varDelta x \rightarrow \varDelta u \rightarrow \varDelta v \rightarrow \varDelta w \rightarrow \varDelta y \rightarrow \varDelta \overline{y}. $$

Note that we only have to take into consideration \(\varDelta u\)’s such that \(\varDelta u _{(h)} = \cdots = \varDelta u_{(d-1)} = 0\). Note also that \(\varDelta u\) and \(\varDelta w\) are determined by \(\varDelta v\) and \(\varDelta y\), respectively. For each \(\varDelta v\), we denote

$$ \sum _{\varDelta w: \pi D(\varDelta w) = \varDelta \overline{y}} \left( \prod _{i=0}^{d-1} \mathrm {DP}^S(\varDelta v_{(i)} \rightarrow \varDelta w_{(i)}) \right) $$

by \(\sigma (\varDelta v)\) and

$$ \sigma (\varDelta v) \prod _{i=0}^{h-1} \mathrm {DP}^S(\varDelta x_{(i)} \rightarrow \varDelta u_{(i)}) $$

by \(\varTheta (\varDelta v)\), respectively. For each \(j_1, \cdots , j_k\) with \(0 \le j_1 < \cdots < j_k < d\), let

$$ \mathsf {V}_{j_1, \cdots , j_k} := \{ \varDelta v: \varDelta v_{(j)} =0 \text{ iff } j = j_i \text{ for } \text{ some } i \in \{1, \cdots , k \} \}. $$

Now,

$$ \begin{array}{l} \mathrm {DP}^{\mathrm {KSP-KSP-Tr}} (\varDelta x \rightarrow \varDelta \overline{y})\\ \le \sum \nolimits _{\varDelta v}(\prod \nolimits _{i=0}^{h-1} \mathrm {DP}^S(\varDelta x_{(i)} \rightarrow \varDelta u_{(i)}) \sigma (\varDelta v)) \\ \le \sum \nolimits _{k=0}^{d}( \sum \nolimits _{1 \le j_1 < \cdots < j_k \le d} ( \sum \nolimits _{\varDelta v \in \mathsf {V}_{j_1, \cdots , j_k}}\varTheta (\varDelta v) ) ). \end{array} $$

Note that, by Lemma  1,

$$ \sum _{\varDelta v \in \mathsf {V}_{j_1, \cdots , j_k}} \left( \prod _{i=0}^{h-1} \mathrm {DP}^S(\varDelta x_{(i)} \rightarrow \varDelta u_{(i)}) \right) \le p^k $$

for each \(j_1, \cdots , j_k\) with \(0 \le j_1 < \cdots < j_k < d,\) since \(\varDelta v \in \mathsf {V}_{j_1, \cdots , j_k}\) forces that \(h-k\) nonzero components of \(\varDelta u\) (together with \(d-h\) zero components of \(\varDelta u\) and \(k\) zero components of \(\varDelta v\)) determine the remaining \(k\) nonzero components of \(\varDelta u\).

Then, we consider \(\sum _{\varDelta v \in \mathsf {V}_{j_1, \cdots , j_k}}\varTheta (\varDelta v)\) for various \(k\)’s and \((j_1, \cdots , j_k)\)’s.

• If \(k \ge h\), then \(\sigma (\varDelta v) = \varTheta (\varDelta v) = 0\) for any \(\varDelta v\) having at least \(k\) zero components.

• If \(k \le d-s\), then for any \(\varDelta v\) having \(k\) zero components, \(\sigma (\varDelta v) \le p^s\), since the corresponding \(k\) zero components of \(\varDelta w\), together with the fixed \(s\) components of \(\varDelta y\) and any \(d-s-k\) nonzero components of \(\varDelta w\) determine the remaining \(s\) components of \(\varDelta w\).

• If \( d-s < k< h\), then the number of tuples \((j_1, \cdots , j_k)\) such that \(0 \le j_1 < \cdots < j_k < d\) and \(\sum _{\varDelta v \in \mathsf {V}_{j_1, \cdots , j_k}} \sigma (\varDelta v) \ne 0\) is bounded by \(M[d,s,k]\): If \(\sigma (\varDelta v) \ne 0\) and \(\sigma (\varDelta v') \ne 0\) for some \(\varDelta v \in \mathsf {V}_{j_1, \cdots , j_k}\) and \(\varDelta v' \in \mathsf {V}_{j'_1, \cdots , j'_k}\), then for some \(\varDelta w \in \mathsf {V}_{j_1, \cdots , j_k}\) and \(\varDelta w' \in \mathsf {V}_{j'_1, \cdots , j'_k}, P(\varDelta w \oplus \varDelta w')\) has at least \(s\) zero components. Then \(\varDelta w \oplus \varDelta w'\) has at most \(d-s-1\) zero components so that the set \(\{j_1, \cdots , j_k\}\) and \(\{j'_1, \cdots , j'_k\}\) has at most \(d-s-1\) common elements.

When \(d-s<k<h\) and \(\varDelta v \in \mathsf {V}_{j_1, \cdots , j_k}\), we have \( \prod _{i=0}^{d-1} \mathrm {DP}^S(\varDelta v_{(i)} \rightarrow \varDelta w_{(i)}) \le p^{d-k}\) for any \(\varDelta w\). Thus,

$$ \begin{array}{l} \sum \nolimits _{k=0}^{d}( \sum \nolimits _{1 \le j_1 < \cdots < j_k \le d} ( \sum \nolimits _{\varDelta v \in \mathsf {V}_{j_1, \cdots , j_k}}\varTheta (\varDelta v) ) )\\ \le \sum \nolimits _{k=0}^{d-s} {d \atopwithdelims ()k} p^{k+s} + p^d \sum \nolimits _{k= d-s+1}^{h-1 } M[d,s,k], \\ \end{array} $$

which completes the proof.

Lemma 2 follows considering that the row rank and column rank of a matrix are the same and that any block submatrix of an MDS matrix has maximal rank.

Lemma 2

Let \(D\) be a \(d \times d\) MDS matrix over \(\mathrm {GF}(2^m)\). Let \(y =D(w)\), \(0 \le s <d, 1 \le b <m, 0 \le j_1 < \cdots < j_s < d, 0 \le i_1 < \cdots < i_{d-s-1} < d, 1 \le i,j \le d, i \notin \{i_1, \cdots , i_{d-s-1} \}\), and \(j \notin \{j_1, \cdots , j_s \}\). Then for any \(b\) bit positions of \(w_i\), there exists some \(m-b\) bit positions of \(y_j\) such that the values \(w_{(i_1)}, \cdots , w_{(i_{d-s-1})}, y_{(j_1)}, \cdots , y_{(j_s)}\), the \(b\) bits of \(w_{(i)}\), and the \(m-b\) bits of \(y_{(j)}\) determine all the other bits of \(y\) and \(w\).

Once Lemma 2 having been proved, Theorem 2 can be proved in the same way as Theorem 1.

C IND-CTPCA-2 Security of the 8-Round Tweakable Feistel Scheme

In [14], some tweakable Feistel schemes were shown to be secure using the results in [24]. But, we will prove Theorem 3 directly. For the proof, we analyze coefficient H for \(\hat{\varPsi }^3\) first and prove Lemmas 4, 5, and 6. Using the Lemmas, we will analyze \(\hat{\varPsi }^6\) and prove Lemma 7, which will easily lead to Theorem 3. Lemma 4 alone provides a proof of the fact that the scheme \(\hat{\varPsi }^3\) is secure against KTPCA up to near birthday bound. For brevity, we sometimes write \(\mathcal {A, B, L, R, S}\) and \(\mathcal {T}\) in places of the sequences \((A_i), (B_i), (L_i), (R_i), (S_i)\) and \((T_i)\) consisting of \(q\) \(n\)-bit values, respectively. We also write \(H_r([\mathcal {A,B;L,R,S,T}])\), or shortly \(H_r\), instead of \(H_r([A_i, B_i; L_i, R_i,S_i,T_i]_{i=1, \cdots , q})\). We will use Lemma 3 repeatedly.

Lemma 3

Let \(q \le 2^n\) be an integer and let \(\sim \) be an equivalence relation on \([1..q]\). Let \(E = q -\)(the number of partitions determined by \(\sim \)). Let \((y_i)_{i=1,\cdots ,q}\) and \((z_i)_{i=1,\cdots ,q}\) be arbitrary sequences of \(n\)-bit values. Then the number of sequences \((x_i)_{i=1,\cdots ,q}\) of \(n\)-bit values such that

• \(x_i \oplus y_i = x_j \oplus y_j\) whenever \(i \sim j\) and

• \(x_i \oplus z_i \ne x_j \oplus z_j\) whenever \(i \not \sim j\)

is at least \(2^{n(q-E)} ( 1-\frac{q(q-1)}{2^{n+1}} )\).

Proof

\(x_1\) can be any \(n\)-bit value. Once \(x_1, \cdots , x_i\) having been determined to satisfy the condition, determine \(x_{i+1}\) as follows. If \(i+1\sim j\) for some \(j<i+1\), let \(x_{i+1} = y_{i+1} \oplus x_j \oplus y_j\). \(x_{i+1}\) is well-defined since \(i+1 \sim j_1\) and \(i+1 \sim j_2\) implies that \(j_1 \sim j_2\) and \(x_{j_1} \oplus y_{j_1} = x_{j_2} \oplus y_{j_2}\). If \(i+1 \not \sim j\) for all \(j<i+1\), then choose any \(x_{i+1}\) such that \(x_{i+1} \not \in \{x_j \oplus z_j \oplus z_{i+1}: j < i+1 \}\). Thus the number the sequences is at least \(2^{n(q-E)}(1 - \frac{1}{2^n})(1 - \frac{2}{2^n}) \cdots (1 - \frac{q-1}{2^n}) \ge 2^{n(q-E)}(1-\frac{q(q-1)}{2^{n+1}})\).

1.1 C.1 3-Round Scheme

We consider the 3-round scheme \(\hat{\varPsi }^3\) and analyze \(H_3([\mathcal {A,B;L,R,S,T}])\) for most of sequences \(\mathcal {A,B,L,R,S,T}\) consisting of \(q\) \(n\)-bit values. Note that \(H_3 \ne 0\) if and only if there exists a sequence \((P_i)_{i=1, \cdots , q}\) of \(n\)-bit values satisfying the following conditions CP1, CP2, and CP3:

1. 1.

   \(R_i = R_j \Rightarrow L_i \oplus P_i = L_j \oplus P_j\). (CP1)

2. 2.

   \(S_i \oplus B_i = S_j \oplus B_j \Rightarrow T_i \oplus P_i = T_j \oplus P_j\). (CP2)

3. 3.

   \(P_i \oplus A_i = P_j \oplus A_j \Rightarrow R_i \oplus S_i = R_j \oplus S_j\). (CP3)

When \(H_3 \ne 0\), there exist \(f_1, f_2\), and \(f_3\) such that \(\hat{\varPsi }^3 (f_1,f_2,f_3)(A_i,B_i;L_i,R_i)=(S_i,T_i)\) for each \(i\). For such \(f_1, f_2\), and \(f_3\), let \(P_i = L_i \oplus f_1(R_i)\) for each \(i\). Then we have \(S_i = R_i \oplus f_2(P_i \oplus A_i)\) and \(T_i = P_i \oplus f_3(S_i \oplus B_i)\) for each \(i\) and the three conditions are satisfied. Conversely, when \(P_i\)’s satisfy the three conditions, then let \(f_1\) be any functions satisfying \(P_i = L_i \oplus f_1(R_i)\) for each \(i\). Such \(f_1\) exists by the first condition. Similarly, there are \(f_2\) and \(f_3\) such that \(S_i = R_i \oplus f_2(P_i \oplus A_i)\) and \(T_i = P_i \oplus f_3(S_i \oplus B_i)\) for each \(i\). Then we have \(\hat{\varPsi }^3(f_1, f_2,f_3)(A_i,B_i;L_i,R_i)=(S_i,T_i)\) for all \(i\)’s so that \(H_3 \ne 0\). So it is easily seen that \(H_3 \ne 0\) implies the following conditions C1, C2, and C3 are satisfied.

• (\(R_i = R_j\) and \(L_i \oplus A_i = L_j \oplus A_j\)) \(\Rightarrow \) \(S_i = S_j\). (C1)

• (\(R_i = R_j\) and \(S_i \oplus B_i = S_j \oplus B_j \)) \(\Rightarrow \) \(L_i \oplus T_i = L_j \oplus T_j\). (C2)

• (\(S_i \oplus B_i = S_j \oplus B_j\) and \(T_i \oplus A_i = T_j \oplus A_j\)) \(\Rightarrow \) \(R_i \oplus B_i = R_j \oplus B_j\). (C3)

For sequences \(\mathcal {A, B, L, R, S, T}\) consisting of \(q\) \(n\)-bit values, we denote by \(E_1\) the number of independent equations \(R_i = R_j\). Then \(q-E_1\) is the number of different values among \(R_i\)’s, or the number of partitions determined by the equivalence relation \(\sim \) defined on \([1..q]\) such that \(i \sim j\) iff \(R_i = R_j\). We also denote the numbers of independent equations \((R_i, L_i \oplus A_i) = (R_j, L_j \oplus A_j) \) and \((R_i, L_i \oplus A_i, B_i)=(R_j, L_j \oplus A_j, B_j)\) by \(E_2\) and \(E_3\), respectively.

Forward Direction. Let us assume throughout this subsection that the sequences \(\mathcal {A, B, L, R}\) of \(n\)-bit values are fixed and consider \(H_3 (\mathcal {A, B; L, R,S,T})\) when \(\mathcal {(S,T)}\) varies. The following conditions C4 and C5 are used to filter out good pairs of output sequences:

• \(R_i \ne R_j\) \(\Rightarrow \) \(S_i \oplus B_i \ne S_j \oplus B_j\). (C4)

• (\(R_i = R_j\) and \(L_i \oplus A_i \ne L_j \oplus A_j\)) \(\Rightarrow \) \(S_i \oplus B_i \ne S_j \oplus B_j\). (C5)

Then we have Lemma 4.

Lemma 4

If \((\mathcal {A, B, L, R, S, T})\) satisfies C1, C2, C3, C4, and C5, then

$$ H_3([\mathcal {A, B;L, R, S, T}]) \ge \frac{|F_n|^3}{2^{n(2q -E_2-E_3)}} \left( 1 - \frac{q(q-1)}{2^{n+1}} \right) . $$

Proof

Let \(N_1\) be the number of sequences \(\mathcal {P} = (P_i)\) such that

• \(R_i = R_j \Rightarrow L_i \oplus P_i = L_j \oplus P_j\). (CP1)

• \(R_i \ne R_j \Rightarrow P_i \oplus A_i \ne P_j \oplus A_j\). (CP4)

• (\(R_i = R_j\) and \(L_i \oplus A_i \ne L_j \oplus A_j\))\(\Rightarrow \) \(P_i \oplus A_i \ne P_j \oplus A_j\). (CP5)

CP1 and CP4 together force CP5 and \(N_1 \ge 2^{n(q-E_1)} (1 - \frac{q(q-1)}{2^{n+1}})\) by Lemma 3. For each \(\mathcal {P}\) satisfying the conditions, we have the following.

1. 1.

   The number of \(f_1\)’s satisfying \(P_i = L_i \oplus f_1(R_i)\) for all \(i\) is \(\frac{|F_n|}{2^{n(q-E_1)}}\) : \(R_i = R_j\) implies \(L_i \oplus P_i = L_j \oplus P_j\) and the number of different values among \(R_i\)’s is \(q-E_1\).

2. 2.

   The number of \(f_2\)’s satisfying \(S_i = R_i \oplus f_2(P_i \oplus A_i)\) for all \(i\) is \(\frac{|F_n|}{2^{(q-E_2)n}}\) : \(P_i \oplus A_i = P_j \oplus A_j\) implies \(R_i = R_j\) and \(L_i \oplus A_i = L_j \oplus A_j\), and then \(S_i = S_j\) by C1, which again implies \(S_i \oplus R_i = S_j \oplus R_j\). The number of different values among \(P_i \oplus A_i\)’s is equal to the number of different values among \((R_i, L_i \oplus A_i)\)’s, which is \(q - E_2\).

3. 3.

   The number of \(f_3\)’s satisfying \(T_i = P_i \oplus f_3(S_i \oplus B_i)\) for all \(i\) is \(\frac{|F_n|}{2^{(q-E_3)n}}\): \(S_i \oplus B_i = S_j \oplus B_j\) implies \(R_i = R_j\) (C4) which implies \(L_i \oplus P_i = L_j \oplus P_j\) , \(L_i \oplus A_i = L_j \oplus A_j\) (C5) and \(L_i \oplus T_i = L_j \oplus T_j\) (C2) and then \(T_i \oplus P_i = T_j \oplus P_j\). The number of different values among \(S_i \oplus B_i\)’s is equal to the number of different \((R_i, L_i \oplus A_i, B_i)\)’s, which is \(q-E_3\).

Thus we have \(H_3 \ge \frac{|F_n|^3}{2^{n(2q -E_2-E_3)}} (1 - \frac{q(q-1)}{2^{n+1}})\).

Note that the number of \(\mathcal {(S,T)}\)’s satisfying C1, C2, C3, C4, and C5 is at least \(2^{n(2q -E_2-E_3)} (1 - \frac{q(q-1)}{2^{n+1}})\). Thus Lemma 4 implies that most nonzero values of \(H_3([\mathcal {A, B; L, R,S,T}])\) do not deviate much from \(\frac{|F_n|^3}{2^{n(2q -E_2-E_3)}}\).

We also have Lemma 5 whose proof is not hard and omitted.

Lemma 5

Suppose that \((\mathcal {A, B, L, R, S, T})\) satisfies \(R_i \ne R_j\) and \((S_i \oplus B_i, T_i \oplus A_i) \ne \left( S_i \oplus B_i, T_i \oplus A_i \right) \) whenever \(i \ne j\). Then

$$ H_3([\mathcal {A, B;L, R, S, T}]) \ge \frac{|F_n|^3}{2^{2nq}} \left( 1 - \frac{q(q-1)}{2^{n+1}} \right) . $$

Backward Direction. Let \(E_1', E_2'\) and \(E_3'\) denote the numbers of independent equations \(S_i \oplus B_i = S_j \oplus B_j, (S_i \oplus B_i, T_i \oplus A_i) = (S_j \oplus B_j, T_j \oplus A_j) \) and \((S_i \oplus B_i, T_i \oplus A_i, B_i)=(S_j \oplus B_j, T_j \oplus A_j, B_j)\), respectively. Let C6 and C7 be the following conditions:

• \(S_i \oplus B_i \ne S_j \oplus B_j\) \(\Rightarrow \) \(R_i \ne R_j\). (C6)

• (\(S_i \oplus B_i = S_j \oplus B_j\) and \(T_i \oplus A_i \ne T_j \oplus A_j\)) \(\Rightarrow \) \(R_i \ne R_j\). (C7)

Then similarly to the forward direction, we have Lemma 6.

Lemma 6

If \((\mathcal {A, B, L, R, S, T})\) satisfies C1, C2, C3, C6, and C7, then

$$ H_3([\mathcal {A, B;L, R, S, T}]) \ge \frac{|F_n|^3}{2^{n(2q -E_2'-E_3')}} \left( 1 - \frac{q(q-1)}{2^{n+1}} \right) . $$

1.2 C.2 6-Round Scheme

In this subsection, we analyze \(H_6\) using the results on \(H_3\) presented in the preceding subsection. We let \(\mathcal {A, B, L, R,S,T} \) be sequences consisting of \(q\) \(n\)-bit values. Let \(E_1, E_2, E_3, E_1', E_2'\), and \(E_3'\) be as in the case of 3-round scheme. So, for example, \(q - E_1\) is the number of different values among \(R_i\)’s. We consider the cases when the following holds.

• \((R_i, L_i \oplus A_i, B_i) \ne (R_j, L_j \oplus A_j, B_j)\) and \((S_i \oplus B_i, T_i \oplus A_i, B_i) \ne (S_j \oplus B_j, T_j \oplus A_j, B_j)\) whenever \(i \ne j\)

Note that they cover most of the cases. We will show that

Lemma 7

In the above cases, we have

$$ H_6([\mathcal {A,B;L,R,S,T}]) \ge \frac{|F_n|^6}{2^{2nq}} \left( 1 - \frac{2q(q-1)}{2^{n}} \right) . $$

Proof

Let \(\mathsf {X}\) be the set of sequences \((X_i)\) of \(n\)-bit values satisfying the followings.

• (\(R_i = R_j\) and \(L_i \oplus A_i = L_j \oplus A_j\)) \(\Rightarrow \) \(X_i = X_j\). (C1X)

• \(R_i \ne R_j\) \(\Rightarrow \) \(X_i \oplus B_i \ne X_j \oplus B_j\). (C4X)

• (\(R_i = R_j\) and \(L_i \oplus A_i \ne L_j \oplus A_j \)) \(\Rightarrow \) \(X_i \oplus B_i \ne X_j \oplus B_j\). (C5X)

Then each \(\mathcal {X} = (X_i) \in \mathsf {X}\) also satisfies the followings.

• \(R_i = R_j\) and \(X_i \oplus B_i = X_j \oplus B_j\) do not hold simultaneously. (C2X)

• \(X_i \oplus B_i \ne X_j \oplus B_j\) whenever \(i \ne j\). (C3X)

Thus if \(\mathcal {X} \in \mathsf {X}\), then \(H_3([\mathcal {A,B};\mathcal {L,R,X,Y}]) \ge \frac{|F_n|^3}{2^{n(2q -E_2)}} (1 - \frac{q(q-1)}{2^{n+1}})\) for any sequence \(\mathcal {Y}\) of \(n\)-bit values by Lemma 4. Note that \(|\mathsf {X}| \ge 2^{n(q-E_2)}(1 - \frac{q(q-1)}{2^{n+1}})\). Similarly, let \(\mathsf {Y}\) be the set of sequences \(\mathcal {Y} = (Y_i)\) of \(n\)-bit values such that the followings are satisfied.

• (\(S_i \oplus B_i = S_j \oplus B_j\) and \(T_i \oplus A_i = T_j \oplus A_j\)) \(\Rightarrow \) \(Y_i \oplus B_i = Y_j \oplus B_j\). (C3Y)

• \(S_i \oplus B_i \ne S_j \oplus B_j\) \(\Rightarrow \) \(Y_i \ne Y_j\). (C6Y)

• (\(S_i \oplus B_i = S_j \oplus B_j\) and \(T_i \oplus A_i \ne T_j \oplus A_j\)) \(\Rightarrow \) \(Y_i \ne Y_j\). (C7Y)

Then \(|\mathsf {Y}| \ge 2^{n(q-E_2')}(1 - \frac{q(q-1)}{2^{n+1}})\), and \(H_3([\mathcal {A,B};\mathcal {X,Y,S,T}]) \ge \frac{|F_n|^3}{2^{n(2q -E_2')}} (1 - \frac{q(q-1)}{2^{n+1}})\) for any sequence \(\mathcal {X}\) of \(n\)-bit values when \(\mathcal {Y} \in \mathsf {Y}\). Now we have

$$ \begin{array}{l} H_6([\mathcal {A,B;L,R,S,T}]) \\ = \sum \nolimits _{\mathcal {X,Y}} (H_3([\mathcal {A,B;L,R,X,Y}])H_3([\mathcal {A,B;X,Y,S,T}]))\\ \ge \sum \nolimits _{\mathcal {X} \in \mathsf {X},\mathcal {Y} \in \mathsf {Y}} (H_3([\mathcal {A,B;L,R,X,Y}])H_3([\mathcal {A,B;X,Y,S,T}])) \\ \ge \frac{|F_n|^6}{2^{2nq}} (1 - \frac{2q(q-1)}{2^{n}}), \end{array} $$

which was to be shown.

1.3 C.3 8-Round Scheme

In this subsection, we consider the 8-round scheme \(\overline{\varPsi }^8\) obtained by adding rounds before and after \(\hat{\varPsi }^6\), and prove Theorem 3. Let \(\mathcal {A,B,L,R,S,T}\) be sequences consisting of \(q\) \(n\)-bit values. Let \(\mathsf {X}\) be the set of sequences \((X_i)\) satisfying the followings:

• \(R_i \oplus B_i = R_j \oplus B_j\) \(\Rightarrow \) \(L_i \oplus X_i = L_j \oplus X_j\).

• \(R_i \oplus B_i \ne R_j \oplus B_j\) \(\Rightarrow \) \(X_i \ne X_j\).

Then for any \((X_i) \in \mathsf {X}, (X_i, R_i \oplus A_i, B_i) \ne (X_j, R_j \oplus A_j, B_j)\) whenever \(i \ne j\), since, we would have \((A_i,B_i,L_i,R_i)=(A_j,B_j,L_j,R_j)\) for some \(i \ne j\), otherwise. Let \(\mathsf {Y}\) be the set of sequences \(\mathcal {Y}=(Y_i)\) satisfying the followings:

• \(S_i = S_j\) \(\Rightarrow \) \(Y_i \oplus T_i = Y_j \oplus T_j\).

• \(S_i \ne S_j\) \(\Rightarrow \) \(Y_i \oplus B_i \ne Y_j \oplus B_j\).

Then for any \((Y_i) \in \mathsf {Y}, (Y_i \oplus B_i, S_i \oplus A_i, B_i) \ne (Y_j \oplus B_j, S_j \oplus A_j, B_j)\) whenever \(i \ne j\). Let \(E_1''\) and \(E_1'''\) be the numbers of independent equations \(R_i \oplus B_i = R_j \oplus B_j\) and \(S_i = S_j\), respectively. Then \(|\mathsf {X}| \ge 2^{n(q-E_1'')} (1 - \frac{q(q-1)}{2^{n+1}})\) and \(|\mathsf {Y}| \ge 2^{n(q-E_1''')} (1 - \frac{q(q-1)}{ 2^{n+1} }).\) Note that for each \(\mathcal {X} \in \mathsf {X}\), the number of \(f_1 \in F_n\) such that \(f_1 (R_i \oplus B_i) = L_i \oplus X_i\) for all \(i\) is \(\frac{|F_n|}{2^{n(q-E1'')}}\) and for each \(\mathcal {Y} \in \mathsf {Y}\), the number of \(f_8 \in F_n\) such that \(f_8 (S_i) = Y_i \oplus B_i\) for all \(i\) is \(\frac{|F_n|}{2^{n(q-E1''')}}.\) Now, by Lemma 7, we have

$$ \begin{array}{l} \overline{H}_8([\mathcal {A,B;L,R,S,T}]) \\ \ge \sum \nolimits _{\mathcal {X} \in \mathsf {X},\mathcal {Y} \in \mathsf {Y}}(\frac{|F_n|}{2^{n(q-E1'')}}\frac{|F_n|}{2^{n(q-E1''')}}H_6([\mathcal {A,B;R,X,Y,S}]))\\ \ge \frac{|F_n|^8}{2^{2nq}} (1 - \frac{3q(q-1)}{2^{n}}). \end{array} $$

Table 6. S-box

D S-box Table, Matrix, and Round Constants

The 8-bit S-box used in our TBCs is specified in Table 6. It is defined by an affine transformation following the inversion over the field \(\mathrm {GF}(2^8)\) represented by the irreducible polynomial \(x^8 + x^4 + x^3 + x^2 + 1\) over \(\mathrm {GF}(2)\) . The MDS matrix \(\mathcal {M}\) is defined by

$$ \mathcal {M} = \left( {\small \begin{array}{cccccccc} \mathtt {28}&{}\mathtt {1a}&{}\mathtt {7b}&{}\mathtt {78}&{}\mathtt {c3}&{}\mathtt {d0}&{}\mathtt {42}&{}\mathtt {40}\\ \mathtt {1a}&{}\mathtt {7b}&{}\mathtt {78}&{}\mathtt {c3}&{}\mathtt {d0}&{}\mathtt {42}&{}\mathtt {40}&{}\mathtt {28}\\ \mathtt {7b}&{}\mathtt {78}&{}\mathtt {c3}&{}\mathtt {d0}&{}\mathtt {42}&{}\mathtt {40}&{}\mathtt {28}&{}\mathtt {1a}\\ \mathtt {78}&{}\mathtt {c3}&{}\mathtt {d0}&{}\mathtt {42}&{}\mathtt {40}&{}\mathtt {28}&{}\mathtt {1a}&{}\mathtt {7b}\\ \mathtt {c3}&{}\mathtt {d0}&{}\mathtt {42}&{}\mathtt {40}&{}\mathtt {28}&{}\mathtt {1a}&{}\mathtt {7b}&{}\mathtt {78}\\ \mathtt {d0}&{}\mathtt {42}&{}\mathtt {40}&{}\mathtt {28}&{}\mathtt {1a}&{}\mathtt {7b}&{}\mathtt {78}&{}\mathtt {c3}\\ \mathtt {42}&{}\mathtt {40}&{}\mathtt {28}&{}\mathtt {1a}&{}\mathtt {7b}&{}\mathtt {78}&{}\mathtt {c3}&{}\mathtt {d0}\\ \mathtt {40}&{}\mathtt {28}&{}\mathtt {1a}&{}\mathtt {7b}&{}\mathtt {78}&{}\mathtt {c3}&{}\mathtt {d0}&{}\mathtt {42}\\ \end{array} } \right) $$

over \(\mathrm {GF}(2^8)\) represented by the irreducible polynomial \(x^8 + x^6 + x^5 + x^4 + 1\). Table 7 shows the round constants. They are obtained from the fractional parts of \(|\mathrm {cos}(k/8) + \mathrm {sin}(k/8) | / \sqrt{2}\) and \(\mathrm {log}(k/64)\) with first 64 bits discarded for each key bit-length \(k\), respectively. All the values are represented in hexadecimal forms.

Table 7. Round constants