PDF hosted at the Radboud Repository of the Radboud University Nijmegen
January 23rd, 2018

Table 2 reports on the diffusion performance of round-reduced Friet-PC and its inverse. We generated the avalanche probability vectors for these results from 250 000 random samples. We evaluated each metric on all 384 input differences Δ of Hamming weight 1 and, as is done for Xoodoo in [13], we report on the worst-case values. From the table, one can observe that 8 rounds are needed for Friet-PC and its inverse to exhibit the same behaviour as a random 384-bit permutation with respect to the three metrics, i.e. Dav(T, Δ) = 384, wav(T, Δ) 192 and Hav(T, Δ) 384. Note moreover that 7 rounds are enough to achieve full diffusion in the forward direction and 6 rounds in the inverse direction. This suggests that it will be very hard to find structural distinguishers over more than 14 rounds. Moreover, in Friet the adversary has access to only 1/3 of the permutation’s input and output, which greatly limits the degrees of freedom when trying to exploit such distinguishers.
