Simpira v2: A Family of Efficient Permutations Using the AES Round Function

  • Shay Gueron
  • Nicky Mouha
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10031)


This paper introduces Simpira, a family of cryptographic permutations that supports inputs of \(128 \times b\) bits, where b is a positive integer. Its design goal is to achieve high throughput on virtually all modern 64-bit processors, which nowadays have native instructions for AES. To achieve this goal, Simpira uses only one building block: the AES round function. For \(b=1\), Simpira corresponds to 12-round AES with fixed round keys, whereas for \(b\ge 2\), Simpira is a Generalized Feistel Structure (GFS) with an F-function that consists of two rounds of AES. We claim that there are no structural distinguishers for Simpira with a complexity below \(2^{128}\), and analyze its security against a variety of attacks in this setting. The throughput of Simpira is close to the theoretical optimum, namely, the number of AES rounds in the construction. For example, on the Intel Skylake processor, Simpira has a throughput below 1 cycle per byte for \(b \le 4\) and \(b=6\). For larger permutations, where moving data in memory has a more pronounced effect, Simpira with \(b=32\) (512-byte inputs) evaluates 732 AES rounds and performs at 824 cycles (1.61 cycles per byte), which is less than \(13\,\%\) off the theoretical optimum. If the data is stored in interleaved buffers, this overhead is reduced to less than \(1\,\%\). The Simpira family offers an efficient solution when processing wide blocks, larger than 128 bits, is desired.
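As an added illustration (example code, not code from the paper or its reference implementation), the following Python sketch builds the AES round function from its primitives and then uses it the way the abstract describes: as the only building block of a keyless permutation, with an F-function of two AES rounds inside a 2-branch Feistel network (the shape of the \(b=2\) case) and twelve fixed-key AES rounds for \(b=1\). The round constants, the number of Feistel rounds, the Feistel wiring, the placement of the constant inside F and the Even-Mansour keying wrapper are this example's own assumptions, not the Simpira specification; the paper fixes its own parameters. The point worth seeing in code is that the Feistel permutation is inverted by recomputing F with the forward AES round only, which is why an AESENC-only design can still be a permutation.

```python
# Added illustration, not the Simpira specification: constants, round counts
# and Feistel wiring below are this example's own choices.

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (the AES field)."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r

def gf_inv(a):
    """Multiplicative inverse as a^254 (0 maps to 0, as in the AES S-box)."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def _sbox_byte(x):
    # AES S-box: field inverse, then the affine map x ^ rotl(x,1) ^ ... ^ rotl(x,4) ^ 0x63
    inv = gf_inv(x)
    s = inv
    for i in range(1, 5):
        s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
    return s ^ 0x63

SBOX = bytes(_sbox_byte(x) for x in range(256))   # computed rather than typed in

def sub_bytes(state):
    return bytes(SBOX[v] for v in state)

def shift_rows(state):
    # State is column-major: byte index = 4*col + row; row r rotates left by r.
    return bytes(state[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4))

def mix_columns(state):
    out = bytearray(16)
    for c in range(4):
        a0, a1, a2, a3 = state[4 * c:4 * c + 4]
        out[4 * c + 0] = gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3
        out[4 * c + 1] = a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3
        out[4 * c + 2] = a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3)
        out[4 * c + 3] = gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def aes_round(state, round_key):
    """One full AES round, i.e. what AESENC computes: SubBytes, ShiftRows, MixColumns, AddRoundKey."""
    return xor(mix_columns(shift_rows(sub_bytes(state))), round_key)

# --- Simpira-style use of the round function (example parameters, not the paper's) ---

def const(i):
    """Hypothetical per-round constant: round index in byte 0, zeros elsewhere."""
    return bytes([i & 0xFF]) + bytes(15)

def F(x, i):
    """F-function in the abstract's shape: two AES rounds. Using the constant as the
    first round key and zero as the second is this example's assumption."""
    return aes_round(aes_round(x, const(i)), bytes(16))

N_FEISTEL_ROUNDS = 15   # example value; the paper specifies its own per-b round counts

def perm_b2(block):
    """Toy 256-bit permutation: a 2-branch Feistel network built only from F."""
    x0, x1 = block[:16], block[16:]
    for i in range(N_FEISTEL_ROUNDS):
        x0, x1 = x1, xor(x0, F(x1, i))
    return x0 + x1

def perm_b2_inv(block):
    """Inverse of perm_b2: only the forward AES round is needed, because a Feistel
    network is undone by recomputing F, never by inverting it."""
    x0, x1 = block[:16], block[16:]
    for i in reversed(range(N_FEISTEL_ROUNDS)):
        x0, x1 = xor(x1, F(x0, i)), x0
    return x0 + x1

def perm_b1(block):
    """b = 1 in the abstract: 12 AES rounds with fixed round keys (keys assumed here).
    Unlike the Feistel case, inverting this requires the inverse AES round."""
    for i in range(12):
        block = aes_round(block, const(i))
    return block

def em_encrypt(key, pt):
    """Single-key Even-Mansour: the keyless permutation used as a 256-bit block cipher."""
    return xor(perm_b2(xor(pt, key)), key)

def em_decrypt(key, ct):
    return xor(perm_b2_inv(xor(ct, key)), key)
```

The S-box, ShiftRows and MixColumns can be checked against the round-by-round trace in FIPS-197 Appendix B, and `em_decrypt(key, em_encrypt(key, pt))` returns `pt` for any 32-byte `pt` and `key`. The Even-Mansour wrapper is only one of the keyed uses listed in the keywords; its security follows from the generic Even-Mansour analysis applied to the permutation, and nothing in this toy code should be read as carrying the paper's \(2^{128}\) claim, which concerns Simpira's actual parameters.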


Keywords: Cryptographic permutation; AES-NI; Generalized Feistel structure (GFS); Beyond birthday-bound (BBB) security; Hash function; Lamport signature; Wide-block encryption; Even-Mansour



We thank the organizers and participants of Dagstuhl Seminar 16021, where an early version of this work was presented. The detailed comments and suggestions of the seminar participants helped to improve this manuscript significantly. Thanks to Christoph Dobraunig, Maria Eichlseder, Florian Mendel and Sondre Rønjom for their attacks on Simpira v1, which led to the updated Simpira v2 that is presented in this document. We also thank Eik List for pointing out some notation issues in an earlier version of this text, and Sébastien Duval, Brice Minaud, Kazuhiko Minematsu, and Tetsu Iwata for their insights into Feistel structures. This work was supported in part by the Research Council KU Leuven: GOA TENSE (GOA/11/007), by Research Fund KU Leuven, OT/13/071, by the PQCRYPTO project, which was partially funded by the European Commission Horizon 2020 research Programme, grant #645622, by the ISRAEL SCIENCE FOUNDATION (grant No. 1018/16), and by the French Agence Nationale de la Recherche through the BLOC project under Contract ANR-11-INS-011, and the BRUTUS project under Contract ANR-14-CE28-0015. Nicky Mouha is supported by a Postdoctoral Fellowship from the Flemish Research Foundation (FWO-Vlaanderen), and by FWO travel grant 12F9714N. Certain algorithms and commercial products are identified in this paper to foster understanding. Such identification does not imply recommendation or endorsement by NIST, nor does it imply that the algorithms or products identified are necessarily the best available for the purpose.



Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  1. Department of Mathematics, University of Haifa, Haifa, Israel
  2. Israel Development Center, Intel Corporation, Haifa, Israel
  3. Department of Electrical Engineering-ESAT/COSIC, KU Leuven, Leuven, Belgium
  4. iMinds, Ghent, Belgium
  5. Project-team SECRET, Inria, Paris, France
  6. National Institute of Standards and Technology, Gaithersburg, USA
