How to find optimal permutations for generalized type 2 Feistel schemes. This is joint work between Victor Cauchois, Clément Gomez, and Gaël Thomas. And Gaël will give the talk. And so this paper wins the runner-up award for the longest title. There is tomorrow one paper with one character more in the title, but you almost won.

OK. Thank you for the introduction. So this talk is about type 2 Feistel permutations and type 2 Feistel schemes and how to find the best permutations in the Feistel. So I assume you already know what Feistel networks do. Your task as a designer is to construct a cipher, a permutation, or something like this. And the state may be big. So you do. I will only do a part of the work. I will only do this on half the block. And then to influence the other block, I will XOR my output to the other half. And since it is not enough, or no problem, I iterate. And this is quite a popular design.

And it was generalized at the end of the 1980s. And this time, instead of dividing the state into two blocks, you divide it into k blocks, which means you have more functions, but they are much simpler. And after that, you swap in some manner the different blocks. So in the original paper, the swap was simply a rotation. But we can actually do more than that. And again, this is a very popular design with different numbers of blocks.

But the problem with this construction is how many rounds do you have to do before you have some kind of diffusion? So here, what do I mean by diffusion? I'm talking about what's called maximum diffusion round. And basically, you look, for example, at the first block. And you follow the different arrows. And you count how many blocks you have influenced after a certain number of rounds. So here, after one round, you have influenced two blocks, then three, then five, and things like seven. And here, after five turns, you've influenced every block. And so you say that the diffusion round for the first block is five.
And you do that for every other block. Here, we have, here, we need six rounds, et cetera, et cetera. So the idea behind this criterion is to have kind of a first sieve criterion for choosing a permutation for a Feistel network. It's a first sieve because it's very easy to compute. But it's maybe not exactly very precise to assess the security of the cipher. But it nonetheless has a link with many attacks, which are very powerful against generalized Feistel structures, like impossible attacks and saturation attacks. And of course, it was done for encryption, but you can do the same for decryption. And you say that the maximum diffusion round, or DR for short, of the permutation pi here is this permutation. So the pointer is one out of battery. You say so that the diffusion round for this permutation is six.

And so there is a seminal paper on how to improve the diffusion of Feistel networks, which was done by Suzaki and Minematsu and presented at FSE 2010. And what was their main focus? It was the idea that, in the permutation you use, oh, you have two kinds of blocks. You have blocks that are at the input of a function and blocks that are at the output. And the blocks that help diffusion are the even ones. And the odd ones play a less important role, shall we say. So the heuristic would be that, oh, between two rounds, let's swap the roles of these two kinds of blocks. That's what we call even-odd generalized Feistel networks, where you send the even blocks to the odd blocks and vice versa. And they conducted an exhaustive search of permutations of up to 16 blocks and proved that, contrary to the first results, where you would simply rotate the blocks, by using a different permutation you can actually have a much faster diffusion. And moreover, they gave a generic construction with a diffusion logarithmic in the number of blocks.

And so what are our contributions?
Our contribution is we give an upper bound and, more than that, a constructive upper bound on how many even-odd GFS we have up to some notion of equivalence. Using this constructive method, we can do the exhaustive search for up to 24 blocks. When exhaustive search is out of reach, we define a new criterion to reduce the search space, which we call collision-free depth. And in a few words, it means that we want to have a special criterion for the first few rounds of diffusion. We revisit the generic construction of Suzaki and Minematsu, where we can, in some cases, improve the result by one round. Those are the bottom results here. We go from 12 to 11 and 14 to 13. And we also study the case of non-even-odd permutations.

So I said we study GFS up to equivalence. What is equivalence of GFS? It's very simple: you have a GFS, and let's say you want to exchange the roles of different blocks, so you swap them. That doesn't change the cryptographic properties, you're just changing how you number your blocks. So this is an equivalence relation. But in fact, if you do that naively, you end up with something that doesn't look like a type 2 generalized Feistel anymore. That is where you have this structure of one function every two blocks. So to keep this structure, you have to permute using a special kind of permutation, which we call a permutation of pairs, where you basically swap blocks by packets of two. Just for the notation, I call this set SKP, K is the number of blocks and P is for pair. And so we have a notion of pair equivalence, that is, pi one and pi two, the two permutations here, are equivalent if and only if they are conjugated with each other with one of these pair equivalent permutations.

So how many permutations do we have up to this notion of equivalence? Well, the first thing to notice is that if you have an even-odd permutation, you can write it as two smaller permutations over K over two elements.
Simply, the first one tells you where you send the even elements and the second tells you where you send the odd elements. And so this means that the number of classes, well, is trivially upper bounded by how many permutations you have. And the lower bound actually comes from the fact that since you're using an equivalence relation on the SEO set, which has K over two factorial squared elements, and you have permutate, you are, ah, sorry. You have equivalence up to a set with K over two elements. That is permutations of pairs, big blocks. So you have in total, at least, K over two factorial equivalence classes.

But in fact, the idea is that you don't have to exhaust all these big sets. You can reduce the search space where the first permutation, pi one, can be simply one, a single one in a conjugacy class of S K over two. It is regular conjugacy class. And so you save up K over two factorial, that is replaced by the number of conjugacy classes in the permutation group over K over two elements. And to see how big this saving is, you go from factorial K over two to something that is in big O of exponential of square root of K.

And so we did a search using this method. So here from six to 24 are the diffusion rounds of the best permutations that exist. So up to 16, those are the results of Suzaki and Minematsu. And after that, those are our results. And we also computed how many classes there are that are optimal. And we can see something a little bit strange. That is, for 18 blocks, there are only two optimal permutations. For 22, there are four. And they have a diffusion round of eight. But in between there is that 20 that has a diffusion round of nine, but there are a huge number of them. And so what happens here?

In fact, there is a problem with the lower bound. It is that before doing any actual exhaustive search, you can have a lower bound on how many rounds you will need. And this lower bound, in fact, can be seen as follows.
So for each round, you will be counting how many blocks you have influenced. So here after zero rounds, you have computed, you have a single, let's call it an active block. Here you have one, two, three, five. And if I could continue naively, you would think, oh, that's a Fibonacci sequence. I'm gonna have an eight. No, I have a seven. Why? Because there has been a collision between two blocks. That is, you have something that you would have expected to have this kind of half the block separate in two with respect to diffusion. But here that does not happen because you have two different paths that influence the same block. And so you have this lower bound, say if you have no collisions, you have the Fibonacci sequence. And so basically you have that, if you look at the Fibonacci numbers, the DR, the DR-th Fibonacci number times two must be at least equal to the number of blocks.

And so based on this idea, when the exhaustive test is intractable, we try to reduce the search space to permutations where the number of collisions in the first few rounds is very small or does not happen at all, in fact. And so there's this new criterion which we call collision-free depth, or CD for short, which is basically the number of rounds before any collision happens. So here the collision-free depth is, for this particular block is three, but if you were to begin on the block before, this is four rounds, sorry, but if you were to begin on the blocks to the left, that would be three. So the collision-free depth for this particular permutation is three.

And so for all the permutations, we computed what was the collision-free depth and classified it. So here are the results. Because of that Fibonacci bound, we also have a bound on the collision-free depth, which is given on the third round.
And so from this result, we can see that, okay, there, except for maybe for the 18, but there are only two permutations, maybe an outlier here, we can almost always find permutations with a high collision-free depth, which means that it's maybe a relevant criterion. But again, it seems that most permutations don't have a very high collision-free depth. So there is some kind of trade-off between how big the search space is and the optimality of the results you may find.

And in particular, there is a very interesting case, which is the case for K equals 26. So as I said before, this case is too big for exhaustive search. But if you look at the Fibonacci bound, 26 divided by two is 13, and 13 is a Fibonacci number. And with that, there may be a problem with the bound here, that may be not Fibonacci of eight, but maybe Fibonacci of eight minus one, but never mind, the reasoning is correct. And so if you wanted to have a permutation on 26 blocks with a diffusion round of eight, you would need an optimal collision-free depth, that is no collision until the last round. And we can actually test if such a thing exists using exhaustive search. So we performed exhaustive search for any permutation with a collision-free depth of at least four, and the best result we found was 10. So this proves that the best permutation cannot have a diffusion round of eight. It must be either nine or 10. And so we transformed our algorithm to perform this random search, and we used it with a collision-free depth of three, which was the biggest value we had not tested yet, and found one result with nine, which is then optimal. So this means that the collision-free depth is indeed a useful criterion for finding permutations.
To look a little bit, to have a look in a bit more detail at what we do, if you have your Feistel network here, if you're simplifying things a bit and look at what happens on block zero, you have that block zero influences, well, block zero when you went through the function, but also block three, three influences six, et cetera, et cetera. And so basically the idea of collision-free depth is the number of rounds, the number of steps you can do before a given number appears twice on one of the leaves.

But in fact, this representation is a bit tedious to handle because you have that kind of unbalanced graph. And as was already done in the Suzaki and Minematsu paper, you can represent Feistel networks by considering blocks by sets of two. So you consider only a kind of super block where we group block zero and one, block two and three, block four and five, block six and seven. And this nicely simplifies into a balanced binary tree. And the advantage of this representation, well, it's a binary tree, binary trees are cool. You have fewer nodes because you're grouping blocks by two. So overall it's something really more simple than what you had before. But the major inconvenience is that it does not represent a unique permutation, because here you lost information: when you said that the super block zero influences the super block one, that is the edge on the right, you do not know if this is done with an even to odd edge or with an odd to even edge. So you need additional information, which you can represent as a graph coloring of this tree with two colors, one for even to odd and one for odd to even.

And actually what was used in the Suzaki and Minematsu paper to construct this kind of graph is the so-called de Bruijn graph. And the de Bruijn graph is simply a graph with two to the N nodes. The nodes are labeled using all the binary numbers with N bits. So here is the case for N equals two. So you have zero zero, zero one, one zero, and one one. And you draw an edge.
As follows: you take, for example, zero zero, you drop the leftmost bit, so you end up with zero. And you add the label on the edge to form the label of the new node. So zero zero drops the leftmost zero, add a zero to the right, to the right, sorry. You end up still on zero zero. Zero zero drops the leftmost zero, add a one to the right, you end up on zero one, et cetera, et cetera. And if you translate that in terms of our tree representation, it simply means that you're filling the tree with the least possible numbers. So this is kind of a way to avoid collisions on the first rounds.

And how do you color it? Well, for this particular example, you don't have much choice up to swapping the colors of blue and red. So blue, for example, means you go from even to odd and red means you go from odd to even. This also means that on the tree representation going left means red and right means blue. But this is the coloring used in the Suzaki and Minematsu paper. But actually you can exhaust all the possible colorings with a complexity of two to the K over four. And we did this for K up to 128. And we obtained better results. We can gain one round for the 64 and 128 blocks, for the values of K 64 and 128.

And so until now I've spoken about the upper bound, the exhaustive search, the criterion of collision-free depth and the graph coloring idea. I have not spoken about the non-even-odd permutations. So I will give a few words about this. Basically, most of the previous, most of the previous ideas still work. That is, since they are based on graphs, you can define the graph for the Feistel. You can follow the line that works roughly the same. So collision-free depth stays the same. You can adapt the graph coloring ideas. Of course, you still have the question of what graph do you choose. And for the number of classes, so in the even-odd case, you had this inequality. And for the general case, you have something that is like this. So what's most interesting is the upper bound.
NK is the number of conjugacy classes. And the second is the number of representatives of the Y-coset of SK mod, mod of the K blocks permutation, modulo permutations of pairs where you swap permutations by super blocks, in fact. So we can again do exhaustive search. We did this and we found, and surprisingly, as was noticed in Suzaki and Minematsu's paper, that non-even-odd permutations are generally worse than even-odd permutations.

So in conclusion, we studied type two generalized Feistel structures, where in fact we studied permutations up to pair equivalence. We gave an upper bound on them, a constructive upper bound, which allowed us to run exhaustive search for up to 24 blocks, for the even-odd case, or 20 for the general case. And we introduced the collision depth criterion, which is the criterion when you want to avoid collisions in the first few rounds. And finally, we analyzed the graph constructions on the de Bruijn graph, and improved the results for K equals 64 and 128. Thank you for your attention. Do you have any questions?

Thank you very much. No questions. I will ask you questions. So you look at the optimal diffusion. Did they have special structure or do they look more like random graphs?

Sorry.

Do you have optimal solutions? Do they have special structure if you look at them or are they random?

Well, that depends for some number of blocks. There are thousands of solutions, so we did not look at all of them. And for the K equals 18, there are only two, but I don't remember if they have any structure.

So I also have a question about your definition of full diffusion. So, I mean, of course, the left-right trick solves it a bit. But I mean, if there is a linear dependency, just it goes to an XOR to the next round. That also seems as full diffusion. But of course, if it goes to an F function, there is much more diffusion among the bits. Does your analysis take this into account or you just say...
No, we just see the F function as a kind of black box and we assume there are...

But you don't distinguish between XOR and F function diffusion. Any more questions? If not, let's thank Gaël and all the other speakers of this session for interesting thoughts. Thank you.