Substitution-Permutation Network (SPN) Example

Question

I came in contact with an algorithm that deals with SPN in an example, first I'd like to give a definition of what it is:

Let $l, m, $ and $N$ be positive integers, let $\pi_s: \{0,1\}^l \to \{0,1\}^l$ be a permutation, and let $\pi_p:\{1,...,lm\} \to \{1,...,lm\}$ be a permutation. Let $P = C = \{0,1\}^{lm}$ and $K \subseteq (\{0,1\}^{lm})^{N+1}$ consist of all possible key schedules that could be derived from an initial key $K$ using the key scheduling algorithm. For a key schedule $(K^1, ..., K^{N+1})$, we encrypt the plaintext $x$ using the a known algorithm (that I couldn't type):

So, I'd like to work on the following example:

Suppose $l = m = N = 4$. Let $\pi_s$ be defined as follows (with input $z$), and output (written in hexadecimal notation)$\pi_s$, ($0 \leftrightarrow(0,0,0,0)$, ..., $9 \leftrightarrow(1,0,0,1), A \leftrightarrow(1,0,1,0)$, and so on; and let $\pi_p$ be defined as:

$\pi(1)=1$, $\pi(2)=5$, $\pi(3)=9$, $\pi(4)=13$, $\pi(5)=2$, $\pi(6)=6$, $\pi(7)=10$, $\pi(8)=14$, $\pi(9)=3$, $\pi(10)=7$, $\pi(11)=11$, $\pi(12)=15$, $\pi(13)=4$, $\pi(14)=8$, $\pi(15)=12$, $\pi(16)=16$.

Suppose the key is $K = 0011 $ $1010$ $1001$ $0100$ $1101$ $0110$ $0011$ $1111$, with plaintext $x = 0010$ $0110$ $1011$ $0111$, then how to apply line by line (in the algorithm)? In addition I'd like to understand, for example, we attribute $w^{r-1} \oplus K^r $ to $u^r$, why $v_{}\leftarrow \pi_s(u^r_{})$?

Given that $v_{} = (x_{{(i-1)}{l-1}}, ..., x_{il})$,

kelalaka · Answer 1 · 2022-01-05T16:58:29.923

The question is read as;

We have Substitution–Permutation Network (SPN)

a block cipher with block size $lm$
Round key addition with $K^r$
$\pi_s$ is the diffusion part and it is S-box of input-output size $l$ and this is valid since SPN requires invertible S-boxes, also the sub-index also indicates this.
$\pi_p$ is the permutation for the confusion step with size $lm$.

A single round line by line (some parts not calculated since we don't know the permutation)

 [0010 0110 1011 0111]  : w^r-1 as the round input
 [0011 1010 1001 0100]  : X-or with round key K^r   
 [0001 1100 0010 0011]  : X-or result
 [Sbox Sbox Sbox Sbox]  : Apply the Sbox for each block i.e. \pi_x
 [ Permute to Confuse]  : Apply \pi_p for confussion

There is no key schedule defined so, we cannot apply more than two rounds or 1 round as AES did ( first x-or with the key than round ends with a subkey x-or)

In addition I'd like to understand, for example, we attribute $w^{r-1} \oplus K^r $ to $u^r$, why $v_{}\leftarrow \pi_s(u^r_{})$?

Given that $v_{} = (x_{{(i-1)}{l-1}}, ..., x_{il})$,

$w^{r-1} \oplus K^r $ is probable the input before the key addition. We can assume it is the input to the round.
$u^r$ is the output of the key x-or.
$v_{}\leftarrow \pi_s(u^r_{})$; if we carefully look at the indexes this is diving the block size into $l$ sized block for the input to the $\pi_s$. In the example it has size 4 and we have call of 4 $\pi_s$ in a round.

Substitution-Permutation Network (SPN) Example

1 Answers1