This paper introduces Simpira, a family of cryptographic permutations that supports inputs of 128× b bits, where b is a positive integer.Itsdesigngoalis toachievehighthroughputonvirtually all modern64- bitprocessors, that nowadaysalready havenativeinstructionsfor AES.Toachieve thisgoal,Simpirausesonlyonebuildingblock: theAES round function. For b = 1, Simpira corresponds to 12- round AES with fixed round keys, whereas for b ≥ 2, Simpira is a Generalized Feistel Structure(GFS) with an F-function that consists of two rounds of AES. We claim that there are no structural distinguishers for Simpira with a complexity below 2128, and analyze its security against a variety of attacksinthissetting.Thethroughput ofSimpiraisclose tothetheoretical optimum, namely, the number of AES rounds in the construction. For example, on the Intel Skylake processor, Simpira has throughput below 1 cycle per byte for b ≤ 4 and b = 6. For larger permutations, where moving data in memory has a more pronounced effect, Simpira with b =32(512byteinputs) evaluates732AES rounds,andperformsat824 cycles (1.61cyclesperbyte),whichisless than13% off the theoretical optimum. If the data is stored in interleaved buffers, this overhead is reduced to less than 1%. The Simpira family offers an efficient solution when processing wide blocks, larger than 128 bits, is desired.
LNCS: Advanced in Cryptology - ASIACRYPT 2016
December 4-8, 2016
The 22nd Annual International Conference on the Theory and Application of Cryptology and
Information Security, ASIACRYPT 2016
, Datta, N.
, Dutta, A.
, Mouha, N.
and Nandi, M.
Simpira v2: A Family of Efficient Permutations Using the AES Found Function, LNCS: Advanced in Cryptology - ASIACRYPT 2016, Hanoi, VN, [online], https://doi.org/10.1007/978-3-662-53887-6, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=921927
(Accessed May 31, 2023)