Diffusion Behaviour of Cryptographic Primitives in Feistel Networks

Vasilios Katos

Department of Information Systems and Computer Applications, University of Portsmouth, Burnaby Terrace, Portsmouth, PO1 3AE

Abstract. The concept of product encryption is resident in the majority of symmetric block ciphers. Along with product encryption, two properties were also defined by Shannon, namely diffusion and confusion. In a product cipher such as a Feistel Network (FN), or generally a Substitution Permutation Network (SPN), diffusion is dependent upon two types of primitives, the nonlinear transformation and the swapping scheme. Different approaches to diffusion analysis considered either the topology of a FN, or the nonlinear transformation. This paper describes a metric for diffusion in a way suitable for investigating the behaviour of the underlying primitives of a FN.

1 Introduction

Since their invention, Feistel Networks (FNs) [1], [2] have been extensively studied and analysed [3], [4]. The large research interest in FNs was due to several reasons:

– flexibility of the underlying non-linear primitive. The main non-linear function involved in a FN is not required to be injective in order to allow unambiguous decryption;

– realisation of product encryption. FNs are excellent examples of product encryption. The concept of product encryption, introduced in [5], states that a chain encryption of "weak" ciphers results in a much stronger one. In the same paper, the notions of confusion and diffusion were introduced, which relate to the cryptographic qualities of a cipher;

– the DES [6], which is probably the most analysed cipher, is a FN.

However, the bulk of the research in FNs is on homogeneous balanced FNs [3], since the DES falls into this category. As a direct consequence, the research interest focused on the construction and properties of the underlying non-linear function. In [3] there is an investigation of the topology of a FN rather than the non-linear function. In the same paper, confusion and diffusion were put into perspective and metrics such as the diffusion rate and confusion rate were defined. A similar perspective is taken in [4], but the methodology for examining diffusion involved directed graphs. However, although a graph is an effective tool, the diffusion capability of a cipher is not apparent as the complexity increases.

Katos V. (2004). Diffusion Behaviour of Cryptographic Primitives in Feistel Networks. In Proceedings of the 2nd International Workshop on Security in Information Systems, pages 79-87. DOI: 10.5220/0002661300790087. Copyright © SciTePress.

The contribution of this paper is two-fold. First, it provides a step towards an algebraic description of the diffusion capacity of a FN round. This would allow investigation of a much broader category of FNs, namely the unbalanced heterogeneous FNs. Second, the proposed approach allows assumptions about the non-linear function which can be experimentally evaluated. To demonstrate this, a randomness test is described which can be used for evaluating the behaviour of the FN as a pseudorandom function [7], [8].

2 Diffusion instances and diffusion matrix

The idea behind the construction of the diffusion instances is related to the calculation of the differential characteristic, which is the centrepiece of differential cryptanalysis [9]. A block cipher can be viewed as a function with two independent input variables, namely the plaintext (or ciphertext) and the encrypting (or decrypting) key, and one dependent output variable, the ciphertext (or plaintext).

Diffusion is the property where a given input plaintext bit has the chance to affect the output bits [5]. The higher the diffusion, the more output bits can be affected by a certain input bit. In the described method, the diffusion instance is defined. The diffusion instance is a snapshot of the diffusion capacity of a cipher.

The process for generating the diffusion instance is similar to the bitwise calculations used for the Strict Avalanche Criterion (SAC) investigation [10]. Given a random plaintext $p_0 \in_U GF(2)^n$ and a nonzero vector $\alpha = (1\ 0\ 0\ \ldots\ 0)$, we compute:

$$\psi_j = e_k(p_0) \oplus e_k\bigl(p_0 \oplus (\alpha \gg j)\bigr), \qquad 0 \le j \le n-1 \tag{1}$$

where $(\alpha \gg j)$ represents the right shift of $\alpha$ by $j$ bits.

If $a[k]$ denotes the $k$-th bit of the binary string $a$, then the matrix $\Psi$ is defined as:

$$\Psi = \begin{bmatrix} \psi_1[0] & \psi_1[1] & \dots & \psi_1[n-1] \\ \psi_2[0] & \psi_2[1] & \dots & \psi_2[n-1] \\ \vdots & \vdots & \ddots & \vdots \\ \psi_n[0] & \psi_n[1] & \dots & \psi_n[n-1] \end{bmatrix} . \tag{2}$$

The matrix $\Psi$ would then be one diffusion instance. According to the definitions of the characteristics of confusion and diffusion, for a cipher these characteristics are at maximum if a (binary) swap of any of the input bits results in a swap of the output bits with probability 0.5 for every output bit. The diffusion instance represents the ability of an input bit to affect an output bit [11].

The diffusion matrix is calculated from the logical OR of the $\Psi$ matrices:

Definition 1. Let $\Psi_i$, $i = 1, 2, \ldots$ be the diffusion instances of a FN. The diffusion matrix is defined as:

$$D = \bigvee_i \Psi_i . \tag{3}$$


Theoretically, in order to obtain the actual diffusion matrix of a FN, all plaintexts must be considered. In practice, for a FN with a 64 bit input, it appeared that 10 random plaintexts (and therefore 10 diffusion instances, amounting to a total of 640 plaintexts) would suffice for determining the diffusion matrix. More analytically, after combining 10 diffusion instances, there was no change in the resulting diffusion matrix with each additional diffusion instance. Furthermore, for a block cipher with maximum diffusion capabilities, all entries of its diffusion matrix were equal to one in the neighbourhood of 10 diffusion instances. Considering a potentially strong block cipher with maximum diffusion capabilities, it is expected that each diffusion instance would include $(1/2) \cdot n$ ones. Therefore, the $i$th diffusion instance would be expected to contribute $(1/2)^i \cdot n$ ones to the diffusion matrix. Alternatively, the probability that the calculated diffusion matrix for a potentially strong block cipher is not the actual one would be $(1/2)^i$. It should also be highlighted that since the key information is not considered, the proposed approach is applicable only to block ciphers whose structure is not dependent on the key.

The diffusion matrix shows whether a pairwise relation exists between input and output bits, that is, whether a change of a particular input bit has the chance to affect a particular output bit. The diffusion matrix is very helpful in examining product ciphers, because it has the following property:

Lemma 1. Let $C$ be a FN of $j$ rounds. The diffusion matrix of the cryptosystem is equal to:

$$D_C = \beta(D_1 \cdot D_2 \cdot \ldots \cdot D_j) \tag{4}$$

where $D_i$ is the diffusion matrix of the $i$th round and $\beta(\cdot) : \mathbb{N} \to \{0, 1\}$ is defined as:

$$\beta(n) = \begin{cases} 1, & \text{if } n \neq 0 \\ 0, & \text{if } n = 0 \end{cases} . \tag{5}$$

Proof. The case of a two round FN is shown, that is $D = \beta(D_1 \cdot D_2)$. Let $[\cdot]$ be a boolean evaluation, which evaluates the expression within the brackets to one if it is true and to zero if it is false, such as $[p \text{ is prime}]$. The elements of $D$, $D_1$ and $D_2$ are denoted by $\delta_{ij}$, $\delta'_{ij}$ and $\delta''_{ij}$ respectively. Note that the output of round one is equal to the input of round two. For the first leftmost input bit it is:

$$[\text{input bit 1 is related with round-1 output bit } j] = \delta'_{1j}, \qquad 1 \le j \le n \tag{6}$$

from the definition of the diffusion matrix. Similarly, for the first leftmost output bit:

$$[\text{output bit 1 is related with round-2 input bit } j] = \delta''_{j1}, \qquad 1 \le j \le n . \tag{7}$$

Combining (6) and (7) we obtain:

$$[\text{input bit 1 is related with output bit 1}] = \delta'_{11} \cdot \delta''_{11} + \delta'_{12} \cdot \delta''_{21} + \ldots + \delta'_{1n} \cdot \delta''_{n1} \tag{8}$$

where the right-hand side is a boolean expression, i.e. $\cdot + \cdot$ denotes the boolean OR and $\cdot \,\cdot\, \cdot$ denotes the boolean AND. If this is repeated for all input and output bits it gives:

$$[\text{input } i \text{ is related with output } j] = \delta_{ij} = \delta'_{i1} \cdot \delta''_{1j} + \delta'_{i2} \cdot \delta''_{2j} + \ldots + \delta'_{in} \cdot \delta''_{nj}, \qquad 1 \le i, j \le n$$

or equivalently,

$$D = \beta(D_1 \cdot D_2) . \qquad \square$$

From the diffusion matrix, we can calculate the diffusion, which is defined as the ratio of ones:

Definition 2. The diffusion of a block cipher with a diffusion matrix $D$ of size $(n \times n)$ is the quantity:

$$D \triangleq \frac{\#\{\delta_{ij} \mid \delta_{ij} = 1,\ 1 \le i, j \le n\}}{n^2} . \tag{9}$$

Obviously, $D \in [0, 1]$. This definition of diffusion, combined with Lemma 1, can be used for assessing the diffusion of any product block cipher, provided that the diffusion matrices of the underlying rounds are known. We will demonstrate this by applying it to FNs.

2.1 FN analysis

The diffusion matrix of a one round balanced FN would look like:

$$D = \begin{bmatrix} O_{n/2} & I_{n/2} \\ I_{n/2} & F \end{bmatrix} \tag{10}$$

where $O_{n/2}$ is a zero square submatrix, $I_{n/2}$ is the identity submatrix and $F$ is the diffusion matrix of the round function. In a balanced FN, all submatrices are of size $n/2$. The diffusion of this round would be equal to:

$$D_1 = \frac{4n + n^2 D_f}{4n^2} \tag{11}$$

where $D_f$ is the diffusion of the round function. It can be seen that the diffusion of a one round balanced FN is upper bounded by $(4 + n)/4n$ and therefore it cannot offer complete diffusion. To calculate the diffusion of a two round balanced FN, we apply Lemma 1:

$$D_2 = \beta(D_1 \cdot D_1) = \begin{bmatrix} I_{n/2} & F \\ F & \beta(F \cdot F) \end{bmatrix} \tag{12}$$

where it can be seen that the diffusion of a two round balanced FN can be at most $(3n^2 + 2n)/4n^2$. For a three round balanced FN, the diffusion can reach its maximum value, 1.
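As an added worked example (not code from the paper), the following Python script builds a toy 8-bit balanced FN with a constructed 4-bit S-box and subkeys, computes the diffusion instances of eq. (1) for every plaintext, ORs them into the diffusion matrix of eq. (3), evaluates the diffusion of eq. (9), and checks eq. (11), the two round bound and the Lemma 1 composition against the measured matrices. The block size, S-box and keys are assumptions chosen so that the search over all plaintexts is cheap.

```python
# Added example (not from the paper): a toy balanced FN used to compute the
# diffusion instances, the diffusion matrix and the Lemma 1 composition.
N = 8                       # block size n in bits; small enough to use every plaintext
HALF = N // 2
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]   # 4-bit bijection (constructed choice)
KEYS = [0x3, 0xA, 0x5]                               # one 4-bit subkey per round (constructed)

def feistel(p, keys):
    """Balanced FN; round function f(R, k) = SBOX[R ^ k]; the swap (SS) follows every round."""
    L, R = p >> HALF, p & ((1 << HALF) - 1)
    for k in keys:
        L, R = R, L ^ SBOX[R ^ k]
    return (L << HALF) | R

def bits(x):
    """Bit i of an n-bit string counted from the left, so bit 0 matches alpha = (1 0 ... 0)."""
    return [(x >> (N - 1 - i)) & 1 for i in range(N)]

def diffusion_instance(encrypt, p0):
    """Eq. (1)-(2): row j is e(p0) xor e(p0 xor (alpha >> j)) as a list of bits."""
    base = encrypt(p0)
    return [bits(base ^ encrypt(p0 ^ (1 << (N - 1 - j)))) for j in range(N)]

def diffusion_matrix(encrypt):
    """Eq. (3): bitwise OR of the diffusion instances of all 2^n plaintexts."""
    D = [[0] * N for _ in range(N)]
    for p0 in range(1 << N):
        for i, row in enumerate(diffusion_instance(encrypt, p0)):
            D[i] = [a | b for a, b in zip(D[i], row)]
    return D

def diffusion(M):
    """Eq. (9): ratio of ones in a matrix (also used for the F submatrix)."""
    return sum(map(sum, M)) / (len(M) * len(M[0]))

def beta_product(*mats):
    """Lemma 1, eq. (4)-(5): integer product of the round matrices, then beta()."""
    acc = mats[0]
    for M in mats[1:]:
        acc = [[int(any(acc[i][k] and M[k][j] for k in range(N)))
                for j in range(N)] for i in range(N)]
    return acc

def quadrant(D, r, c):
    """Block (r, c) of the 2x2 structure of eq. (10): (0,0)=O, (0,1)=I, (1,0)=I, (1,1)=F."""
    return [row[c * HALF:(c + 1) * HALF] for row in D[r * HALF:(r + 1) * HALF]]

def round_matrices():
    """The D_i of Lemma 1: diffusion matrix of each single round on its own."""
    return [diffusion_matrix(lambda p: feistel(p, [k])) for k in KEYS]

def cipher_matrix(rounds):
    """Measured diffusion matrix of the FN truncated to its first `rounds` rounds."""
    return diffusion_matrix(lambda p: feistel(p, KEYS[:rounds]))

if __name__ == "__main__":
    D1, D2, D3 = round_matrices()
    d_f = diffusion(quadrant(D1, 1, 1))    # D_f: diffusion of the round function
    print("1 round :", diffusion(D1), "eq.(11):", (4 * N + N * N * d_f) / (4 * N * N))
    print("2 rounds:", diffusion(cipher_matrix(2)), "Lemma 1:", diffusion(beta_product(D1, D2)))
    print("3 rounds:", diffusion(cipher_matrix(3)), "Lemma 1:", diffusion(beta_product(D1, D2, D3)))
```

For this S-box every input bit of $f$ can reach every output bit, so $D_f = 1$ and the one and two round values land exactly on the paper's bounds $(4+n)/4n$ and $(3n^2+2n)/4n^2$.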

We observe that no matter how strong the round function is, the diffusion of a two round balanced FN is limited by the bound 3/4. The reason for this is the structure of the diffusion matrix. The permutation of the columns of the matrix is directed by the Swapping Scheme, SS, which appears after the nonlinear transformation in a Feistel round. Although the SS does influence the diffusion of the FN, it does not actually increase it; the increase is due to the application of the non-linear transformation. Typically, a SS is a permutation of the input bits. In a balanced FN the permutation is the swap between the $n/2$ leftmost bits and the $n/2$ rightmost bits. This swap is responsible for the symmetry in the diffusion matrix. However, each application of the SS would not increase the diffusion:

Corollary 1. The product encryption of a block cipher with diffusion equal to $D$ and a SS results in a cipher with the same diffusion ($D$).

The proof follows from the fact that the diffusion matrix of the SS is a matrix with exactly $n$ nonzero elements, arranged in a way that every row has exactly one nonzero element (i.e. the rank of the matrix is $n$). The identity SS is an instance of a SS where the diffusion matrix is the identity matrix.

The inherent structure of the FN diffusion matrix reveals the limitations of its diffusion capacity. Since the diffusion $D$ measures the density of ones in the matrix, it follows that $1 - D$ would correspond to the density of zeros. It is therefore desirable that $1 - D$ reaches zero, in order to attain maximum diffusion. As observed above, in a two round FN with the "traditional" swapping of the left and right input blocks, the number of zeros would be at least $1 - (3n^2 + 2n)/4n^2$, i.e. it would asymptotically reach $1/4$ as $n$ increases.

We now consider a two round Substitution Permutation Network, SPN [2], [12], where each round includes a non-linear function of the same diffusion $D_1$ as our FN above. For simplicity, it is assumed that these two rounds include different nonlinear functions, although their diffusion is the same, $D_1 = D_2$. We also consider the permutation to be a random SS, i.e. a random permutation of the input bits, rather than a tidy swapping of the left and right input blocks. The diffusion of the one round instances would be:

$$D_1 = D_2 = \frac{4n + n^2 D_f}{4n^2} \tag{13}$$

where $D_f$ denotes the diffusion of the underlying nonlinear function. However, in a SPN construction it is possible that the zeros are placed randomly in the diffusion matrix. Therefore, the expected zeros in the diffusion matrix of the two round SPN for $D_f = 1$ would be (for the proof see Lemma 2, section 3):

$$\bigl(2(1 - D_1) - (1 - D_1)^2\bigr)^n = \left(\frac{15n^2 - 56n + 16}{16n^2}\right)^n \tag{14}$$

which is small ($< 0.006$) for most values of $n$ ($n \ge 6$). From this result the inefficiency of FNs with respect to diffusion is apparent.

As mentioned above, Lemma 1 is useful when analysing the diffusion of product ciphers. For instance, FEAL-4 [13] is a four round FN with the characteristic that the leftmost half input is added (modulo 2) to the rightmost half input before the first FN round. Considering the product encryption of the first addition and the first round, the diffusion at the end of the first round would be:

$$\beta\left(\begin{bmatrix} I_{32} & O_{32} \\ I_{32} & I_{32} \end{bmatrix} \cdot \begin{bmatrix} O_{32} & I_{32} \\ I_{32} & F \end{bmatrix}\right) = \begin{bmatrix} O_{32} & I_{32} \\ I_{32} & F \end{bmatrix} \tag{15}$$

i.e. the additional complexity of the initial addition is completely redundant and unnecessary from a diffusion perspective, since for FEAL $D_f = 1$.

3 The diffusion randomness test

Statistical tests for randomness [14]–[16] are of particular interest in cryptography, since they are one of the approaches for assessing the cryptographic strength of a cipher. This section describes a randomness test utilising the diffusion instances, $\Psi$.

For a potentially strong cipher, the number of zeros must be equal to the number of ones in every row of the diffusion instance. Furthermore, for a potentially strong cipher, (statistically) all runs of $\Psi$ table constructions should result in the number of ones being equal to the number of zeros. However, such an examination does not give any indication about existing linear relations between the elements in the matrices. For instance, if $\psi_2[1] = \psi_3[2]$ with probability different from 0.5, there is a linear relation between input bits 1 and 2 [17].

The diffusion randomness test deals with the similarities of the diffusion instances, $\Psi$. For a potentially strong cipher the following criteria for the $\Psi$ matrices are set:

– the number of ones should be equal to the number of zeros,

– the ones (and zeros) should be randomly distributed in the matrix,

– $\Psi_i$ and $\Psi_j$ should not be similar for $i \neq j$.

The first criterion denotes that the cipher is not biased toward ones or zeros. This is inherently related to the confusion of a cipher, where it is desirable that the chance of an output bit inverting is 0.5, given an inversion of an input bit. Published statistical tests for randomness, such as the frequency test [14], can be used.

The second and third criteria include arbitrary terms and need to be quantified. The test described in this paper attempts to provide means for measuring the randomness and similarity of the matrices as follows. The randomness test is based on the following Lemma.

Lemma 2. Let $A$ and $B$ be two square matrices and $p_a$ and $p_b$ be the densities of zeros in each matrix respectively. If the zeros are distributed randomly in the matrices, then the expected density of zeros in their product $C = A \times B$ would be:

$$p_c = (p_a + p_b - p_a p_b)^n \tag{16}$$

where $n$ is the dimension of the matrices and the multiplication operation is performed in the set of integers.

Proof. For $A$, the density of zeros would be:

$$p_a = P(a_{ik} = 0) = \frac{\#(\text{zeros in } A)}{n^2} \tag{17}$$

Similarly, for $B$:

$$p_b = P(b_{kj} = 0) = \frac{\#(\text{zeros in } B)}{n^2} . \tag{18}$$

For every element in $C$, the following relation holds:

$$c_{ij} = \sum_{k=1}^{n} a_{ik} b_{kj} . \tag{19}$$

The probability to obtain a zero is obtained from (19):

$$P(c_{ij} = 0) = \prod_{k=1}^{n} P(a_{ik} = 0 \cup b_{kj} = 0) = (p_a + p_b - p_a p_b)^n . \qquad \square$$

By comparing the actual and estimated values, it is tested whether a cryptographic primitive behaves as a random source when generating the $\Psi$ matrices. That is, in the case of a random source the zeros will be randomly placed in the matrices and there would be no consistent placement whatsoever. We argue that if the actual and estimated values are (statistically) different, then the underlying cryptographic primitive does not yield a pseudorandom function. The opposite is not necessarily true; a primitive passing the test does not imply that it is a pseudorandom function, since the test does not provide any indication about the computational indistinguishability of the primitive [18].

diff_rand_test(A, B) {
    n = dim(A);                               /* dimension of the square matrices */
    p_a = zeros_density(A);
    p_b = zeros_density(B);
    p_c = zeros_density(A * B);               /* product over the integers, eq. (19) */
    expected = (p_a + p_b - p_a * p_b) ^ n;   /* Lemma 2, eq. (16) */
    if (abs(p_c - expected) > significance_level)
        then return ('fail')
        else return ('pass')
}

Unfortunately, for a relatively large $n$ ($n > 40$) and $p_a, p_b < 2/3$, the density of zeros is negligible for both expected and actual values and therefore the randomness test would not produce significant results. Therefore it is suggested that the $\Psi$ matrices are partitioned and the test is applied to the partitions (submatrices). This is particularly applicable in FNs, where submatrices emerge due to the non-uniform treatment of input and output bits.

For the case of a balanced FN, the $\Psi$ matrix would consist of four submatrices $Q_i$ as follows:

$$\Psi = \begin{bmatrix} Q_1 & Q_2 \\ Q_3 & Q_4 \end{bmatrix} \tag{20}$$

and the test would then run as diff_rand_test($Q_i$, $Q_j$), where $i \neq j$. It is expected that a three round balanced FN with an underlying round function being a pseudorandom function would pass the test, although passing the test would not imply that the round function is pseudorandom. Applying this assumption to the well studied DES, it was established that the three round FN with the DES primitive did not pass the test, confirming the validity of the test (Table 1). The fact that DES could not pass the test is a direct consequence of the inability of DES to reach complete diffusion in three rounds.


Table 1. Significant differences in DES

product    expected   actual     difference (x 10^-2)   diff_rand_test()
Q1 x Q2    0.241739   0.216797   2.5                    fail
Q1 x Q3    0.204115   0.179688   2.4                    fail
Q1 x Q4    0.126188   0.077148   4.9                    fail
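As an added example (not the paper's code), the following Python block implements diff_rand_test with the integer matrix product of Lemma 2, verifies eq. (16) exactly by enumerating every pair of 2x2 0/1 matrices weighted by their probability, and runs the partition test of eq. (20) on a constructed Ψ that has the one round shape of eq. (10). The 0.05 threshold, the 16-bit partition size and the all-ones choice for F are assumptions.

```python
# Added example (not from the paper): Lemma 2 checked exactly by enumeration and
# the diffusion randomness test applied to the partitions Q_i of eq. (20).
from itertools import product

def count_zeros(M):
    return sum(v == 0 for row in M for v in row)

def zeros_density(M):
    """Eq. (17)-(18): density of zeros in a matrix."""
    return count_zeros(M) / (len(M) * len(M[0]))

def int_product(A, B):
    """Eq. (19): matrix product over the integers (not over GF(2))."""
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) for j in range(n)] for i in range(n)]

def expected_zero_density(p_a, p_b, n):
    """Eq. (16): expected zero density of A x B when the zeros are placed at random."""
    return (p_a + p_b - p_a * p_b) ** n

def diff_rand_test(A, B, significance_level=0.05):
    """The paper's diff_rand_test; the 0.05 threshold is an assumption."""
    p_a, p_b = zeros_density(A), zeros_density(B)
    p_c = zeros_density(int_product(A, B))
    expected = expected_zero_density(p_a, p_b, len(A))
    return "fail" if abs(p_c - expected) > significance_level else "pass"

def lemma2_exact(p_a, p_b, n=2):
    """Exact mean zero density of A x B over every pair of n x n 0/1 matrices,
    each weighted by its probability when entries are i.i.d. zero with prob p_a, p_b."""
    cells = n * n
    mats = [[list(b[i * n:(i + 1) * n]) for i in range(n)]
            for b in product((0, 1), repeat=cells)]
    def weight(M, p):
        z = count_zeros(M)
        return p ** z * (1 - p) ** (cells - z)
    return sum(weight(A, p_a) * weight(B, p_b) * zeros_density(int_product(A, B))
               for A in mats for B in mats)

def quadrants(psi):
    """Eq. (20): split a 2m x 2m diffusion instance into Q1, Q2, Q3, Q4."""
    m = len(psi) // 2
    return [[row[c:c + m] for row in psi[r:r + m]] for r in (0, m) for c in (0, m)]

def one_round_fn_instance(m=8):
    """Constructed Psi with the [[O, I], [I, F]] shape of eq. (10), F all ones (D_f = 1)."""
    O = [[0] * m for _ in range(m)]
    I = [[int(i == j) for j in range(m)] for i in range(m)]
    J = [[1] * m for _ in range(m)]
    return [O[i] + I[i] for i in range(m)] + [I[i] + J[i] for i in range(m)]

if __name__ == "__main__":
    for p_a, p_b in ((0.5, 0.5), (0.25, 0.5)):
        print(p_a, p_b, lemma2_exact(p_a, p_b), expected_zero_density(p_a, p_b, 2))
    Q1, Q2, Q3, Q4 = quadrants(one_round_fn_instance())
    # The identity block places its zeros systematically: I x F has no zeros at all,
    # while eq. (16) predicts (7/8)^8 of them, so the test fails. I x I passes at this
    # threshold, which shows the test can reject but cannot certify random placement.
    print("Q2 x Q4:", diff_rand_test(Q2, Q4), "Q2 x Q3:", diff_rand_test(Q2, Q3))
```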

4 Conclusions

Clearly the reason to adopt a FN structure in a block cipher is mainly due to the convenience it offers, such as ease of moving between encryption and decryption, and less due to its diffusion capabilities. High diffusion in a product cipher implies that the input bits are treated uniformly in every round. Since this is not the case for a FN, additional complexity (e.g. more rounds) would be required. The proposed description and metric of diffusion enables both the investigation of the topology (structure) of a FN as well as the underlying non-linear function(s). This would allow the investigation of FNs consisting of different round functions, with varying input and output lengths as well as different swapping schemes (unbalanced heterogeneous FNs).

Although the proposed approach initially aimed at studying FNs, most product block ciphers can benefit from such an analysis.

References

1. Feistel, H.: Block Cipher Cryptographic System. U.S. Patent 3,798,359 (1974).

2. Feistel, H., Notz, W. A., Smith, J. L.: Some Cryptographic Techniques for Machine-to-Machine Data Communications. Proceedings of the IEEE (1975) 1545–1554.

3. Schneier, B., Kelsey, J.: Unbalanced Feistel Networks and Block Cipher Design. Proc. Fast Software Encryption, LNCS vol. 1039, Springer-Verlag (1996) 121–144.

4. Nakahara, J. Jr., Vandewalle, J., Preneel, B.: Diffusion Analysis of Feistel Networks (Extended Version). citeseer.nj.nec.com/article/nakahara99diffusion.html (1999).

5. Shannon, C. E.: Communication Theory of Secrecy Systems. Bell System Technical Journal, vol. 27 (1948) 623–656.

6. FIPS PUB 46: Data Encryption Standard. US Department of Commerce / National Bureau of Standards (1977).

7. Goldreich, O., Goldwasser, S., Micali, S.: How to Construct Random Functions. Proceedings 25th Annual Symposium in Comp. Sci. (1984).

8. Luby, M., Rackoff, C.: How to Construct Pseudorandom Permutations from Pseudorandom Functions. SIAM J. Computing, vol. 17, no. 2 (1988) 373–386.

9. Biham, E., Shamir, A.: Differential Cryptanalysis of DES-like Cryptosystems. Journal of Cryptology, vol. 4, no. 1 (1991) 3–72.

10. Webster, A., Tavares, S.: On the Design of S-boxes. In: Williams, H. (ed.) Crypto '85, LNCS no. 218, Springer: Berlin Heidelberg New York (1986) 523–534.

11. Pfleeger, C.: Security in Computing. London: Prentice Hall (1989).

12. Heys, H., Tavares, S.: Substitution Permutation Networks Resistant to Differential and Linear Cryptanalysis. Journal of Cryptology, no. 9, vol. 1 (1996) 1–19.

13. Shimizu, A., Miyaguchi, S.: Fast Data Encipherment Algorithm FEAL. Advances in Cryptology, Eurocrypt '87, LNCS no. 304, Springer: Berlin Heidelberg New York (1988) 267–280.

14. Knuth, D.: Seminumerical Algorithms. The Art of Computer Programming, vol. 2. Addison-Wesley: New York (1981).

15. Rukhin, A., Soto, J., Nechvatal, V., Smid, M., Barker, E., Leigh, S., Levenson, M., Vangel, M., Banks, D., Heckert, A., Dray, J.: A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications. NIST Special Publication 800-22 (2000).

16. Beker, H., Piper, F.: Cipher Systems: The Protection of Communications. Van Nostrand Reinhold (1982).

17. Matsui, M.: Linear Cryptanalysis Method for DES Cipher. Advances in Cryptology, EUROCRYPT '93, LNCS 765 (1994) 386–397.

18. Blum, M., Micali, S.: How to Generate Cryptographically Strong Sequences of Pseudo-Random Bits. SIAM Journal on Computing, vol. 13 (1984) 850–864.