Simpira v2: A family of efficient permutations using the AES round function

Shay Gueron, Nicky Mouha

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review


This paper introduces Simpira, a family of cryptographic permutations that supports inputs of 128 × b bits, where b is a positive integer. Its design goal is to achieve high throughput on virtually all modern 64-bit processors, that nowadays already have native instructions for AES. To achieve this goal, Simpira uses only one building block: the AES round function. For b = 1, Simpira corresponds to 12-round AES with fixed round keys, whereas for b ≥ 2, Simpira is a Generalized Feistel Structure (GFS) with an F-function that consists of two rounds of AES. We claim that there are no structural distinguishers for Simpira with a complexity below 2128, and analyze its security against a variety of attacks in this setting. The throughput of Simpira is close to the theoretical optimum, namely, the number of AES rounds in the construction. For example, on the Intel Skylake processor, Simpira has throughput below 1 cycle per byte for b ≤ 4 and b = 6. For larger permutations, where moving data in memory has a more pronounced effect, Simpira with b = 32 (512 byte inputs) evaluates 732 AES rounds, and performs at 824 cycles (1.61 cycles per byte), which is less than 13% off the theoretical optimum. If the data is stored in interleaved buffers, this overhead is reduced to less than 1%. The Simpira family offers an efficient solution when processing wide blocks, larger than 128 bits, is desired.

Original languageEnglish
Title of host publicationAdvances in Cryptology - ASIACRYPT 2016 - 22nd International Conference on the Theory and Application of Cryptology and Information Security, Proceedings
EditorsJung Hee Cheon, Tsuyoshi Takagi
PublisherSpringer Verlag
Number of pages31
ISBN (Print)9783662538869
StatePublished - 2016
Event22nd International Conference on the Theory and Application of Cryptology and Information Security, ASIACRYPT 2016 - Hanoi, Viet Nam
Duration: 4 Dec 20168 Dec 2016

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume10031 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Conference22nd International Conference on the Theory and Application of Cryptology and Information Security, ASIACRYPT 2016
Country/TerritoryViet Nam

Bibliographical note

Funding Information:
We thank the organizers and participants of Dagstuhl Seminar 16021, where an early version of this work was presented. The detailed comments and suggestions of the seminar participants helped to improve this manuscript significantly. Thanks to Christoph Dobraunig, Maria Eichlseder, Florian Mendel and Sondre Rønjom their attacks on Simpira v1, which lead to the updated Simpira v2 that is presented in this document. We also thank Eik List for pointing out some notation issues in an earlier version of this text, and Sébastien Duval, Brice Minaud, Kazuhiko Minematsu, and Tetsu Iwata for their insights into Feistel structures. This work was supported in part by the Research Council KU Leuven: GOA TENSE (GOA/11/007), by Research Fund KU Leuven, OT/13/071, by the PQCRYPTO project, which was partially funded by the European Commission Horizon 2020 research Programme, grant #645622, by the ISRAEL SCIENCE FOUNDATION (grant No. 1018/16), and by the French Agence Nationale de la Recherche through the BLOC project under Contract ANR-11-INS-011, and the BRUTUS project under Contract ANR-14-CE28-0015. Nicky Mouha is supported by a Postdoctoral Fellowship from the Flemish Research Foundation (FWO-Vlaanderen), and by FWO travel grant 12F9714N. Certain algorithms and commercial products are identified in this paper to foster understanding. Such identification does not imply recommendation or endorsement by NIST, nor does it imply that the algorithms or products identified are necessarily the best available for the purpose.

Publisher Copyright:
© International Association for Cryptologic Research 2016.


  • AES-NI
  • Beyond birthday-bound (BBB) security
  • Cryptographic permutation
  • Even-Mansour
  • Generalized Feistel structure (GFS)
  • Hash function
  • Lamport signature
  • Wide-block encryption

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science (all)


Dive into the research topics of 'Simpira v2: A family of efficient permutations using the AES round function'. Together they form a unique fingerprint.

Cite this