
Feistel Ciphers Based on a Single Primitive

  • Conference paper
Cryptography and Coding (IMACC 2023)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14421))

Abstract

We consider Feistel ciphers instantiated with tweakable block ciphers (TBCs) and ideal ciphers (ICs). The indistinguishability security of the TBC-based Feistel cipher is known, and the indifferentiability security of the IC-based Feistel cipher is also known, where independently keyed TBCs and independent ICs are assumed. In this paper, we analyze the security of a single-keyed TBC-based Feistel cipher and a single IC-based Feistel cipher. We characterize the security depending on the number of rounds. More precisely, we cover the case of contracting Feistel ciphers that have \(d\ge 2\) lines, and the results on Feistel ciphers are obtained as a special case by setting \(d=2\). Our indistinguishability security analysis shows that the single-keyed TBC-based cipher is provably secure with \(d+1\) rounds. Our indifferentiability result shows that, regardless of the number of rounds, the single IC-based cipher cannot be secure. Our attacks are a type of slide attack, so we also consider a structure that uses a round constant, a well-known countermeasure against slide attacks. We show an indifferentiability attack for the case \(d=2\) and 3 rounds.



Acknowledgements

The authors would like to thank the anonymous reviewers of IMACC 2023 for their constructive comments. This work was supported by JSPS KAKENHI JP20K11675.

Author information

Corresponding author: Tetsu Iwata.

A Security Proof of \(\mathrm {\Phi }_{d+1}\)

We show the detailed proof of Theorem 2. We recall the theorem.

Theorem 2

Fix \(d \ge 2\). Let \(\widetilde{E}\) be the \((n, (d-1)n)\)-bit TRP, and \(\mathrm {\Phi }_{d+1} = \mathrm {\Phi }_{d+1}[\widetilde{E}]\) be the r-round single-keyed TBC-based Feistel cipher, where \(r=d+1\). Then for any adversary \(\mathcal {A}\) that makes at most q queries, we have

$$\begin{aligned} \textbf{Adv}^\textrm{sprp}_{\mathrm {\Phi }_{d+1}}(\mathcal {A}) \le \frac{(4d+1)q^2}{2^n} + \frac{0.5q^2}{2^{dn}}\,. \end{aligned}$$

We first define the transcripts, then the two oracles, namely the real world oracle based on \(\mathrm {\Phi }_{d+1}\) and the ideal world oracle based on the random permutation \(\pi \), and finally the bad conditions. Next, we bound the probability of a bad transcript in Lemma 2 and the ratio of the good-transcript probabilities in Lemma 3. The security bound then follows from these two lemmas and the coefficient-H technique (Lemma 1).

Transcripts. The adversary \(\mathcal {A}\) is given access to the encryption and decryption oracles. If the i-th query is an encryption query \(M_i^{[1..d]}\), then \(\mathcal {A}\) obtains the corresponding ciphertext \(C_i^{[1..d]}\). If the i-th query is a decryption query \(C_i^{[1..d]}\), then \(\mathcal {A}\) obtains \(M_i^{[1..d]}\). Without loss of generality, we assume that \(\mathcal {A}\) makes exactly q queries, does not repeat a query, and does not make a redundant query, i.e., if \(\mathcal {A}\) obtains \(C_i^{[1..d]}\) for an encryption query \(M_i^{[1..d]}\), then it does not use \(C_i^{[1..d]}\) in a subsequent decryption query, and vice versa. As we detail below, after making q queries and before returning the decision bit, \(\mathcal {A}\) is given all the internal state values \(S_1,\ldots ,S_q\). Since this can only help \(\mathcal {A}\), there is no loss of generality in giving it this additional input. The transcript is then defined as follows:

$$\begin{aligned} ((M_1^{[1..d]},C_1^{[1..d]}),\ldots ,(M_q^{[1..d]},C_q^{[1..d]}),S_1,\ldots ,S_q) \end{aligned}$$
(1)

Definition of the Oracles. The real world oracles \(\mathcal {R}, \mathcal {R}^{-1}\) internally make use of the block cipher \(\mathrm {\Phi }_{d+1}\) and its inverse \(\mathrm {\Phi }_{d+1}^{-1}\). After making q queries, the oracles \(\mathcal {R}, \mathcal {R}^{-1}\) give \(\mathcal {A}\) all the internal states \(S_1, \dots , S_q\). Figure 7 shows the algorithms of \(\mathcal {R}, \mathcal {R}^{-1}\).

Fig. 7. Algorithm of \(\mathcal {R}\) and \(\mathcal {R}^{-1}\)

The ideal world oracles \(\mathcal {I}, \mathcal {I}^{-1}\) internally make use of the random permutation \(\pi \) and its inverse \(\pi ^{-1}\). After the q queries, \(\mathcal {I}, \mathcal {I}^{-1}\) generate dummy internal states \(S_1, \dots , S_q\) with the same probability distribution that the TRP \(\widetilde{E}\) would induce: for an encryption query, the oracle lazily simulates the first-round TRP call, and for a decryption query, it simulates the \((d+1)\)-st round TRP call. After completing the simulation, \(S_1, \dots , S_q\) are given to \(\mathcal {A}\). Figure 8 shows the algorithms of \(\mathcal {I}, \mathcal {I}^{-1}\).

Fig. 8. Algorithm of \(\mathcal {I}\) and \(\mathcal {I}^{-1}\), where \(\textrm{Dom}(T)\) and \(\textrm{Ran}(T)\) are defined as \(\textrm{Dom}(T) = \{x \mid \widetilde{E}(T, x) = y \text{ is defined for some } y\}\) and \(\textrm{Ran}(T) = \{y \mid \widetilde{E}(T, x) = y \text{ is defined for some } x\}\)

Bad Conditions. For the TRP \(\widetilde{E}\) in the real world, the tweak selects the permutation between the input and the output. Accordingly, two calls with the same tweak can neither map the same input to distinct outputs nor map distinct inputs to the same output. Applying this to all combinations of TRP calls in \(\mathrm {\Phi }_{d+1}\), we obtain the following bad conditions for the whole structure of \(\mathrm {\Phi }_{d+1}\):

  1. \(\{M_1^1, \dots , M_1^d, \dots , M_q^1,\dots , M_q^d\} \cap \{S_1, \dots , S_q\} \ne \emptyset \)

  2. \(\{C_1^1, \dots , C_1^d, \dots , C_q^1, \dots , C_q^d\} \cap \{S_1, \dots , S_q\} \ne \emptyset \)

  3. \(|\{S_1, \dots , S_q\}| < q\)

Recall that a transcript is defined as in (1), and let \(\mathcal {T}_\textrm{bad}\) be the set of all transcripts that satisfy at least one of the conditions above. Let \(\mathcal {T}_\textrm{good}\) be the set of all transcripts that satisfy none of them.

In what follows, we discuss the correctness of the above bad conditions, i.e., without the bad conditions, we show that the underlying TRP \(\widetilde{E}\) can interpolate all the relevant inputs, tweaks, and the outputs with a non-zero probability.

First, observe that the absence of the above three conditions guarantees that all the tweaks in \(\widetilde{E}^2\), ..., \(\widetilde{E}^d\) are distinct. That is, there are q tweaks for each of \(\widetilde{E}^2, \dots , \widetilde{E}^d\), and we thus have \(q(d-1)\) values of the tweak in total for \(\widetilde{E}^2, \dots , \widetilde{E}^d\). It can be verified that all these \(q(d-1)\) values are distinct, and they are also different from the q tweaks of \(\widetilde{E}^1\) and the q tweaks of \(\widetilde{E}^{d+1}\).

Next, let \(\mathcal {T}^1=\{M_1^{[2..d]},\ldots ,M_q^{[2..d]}\}\) be the set of the q tweaks of \(\widetilde{E}^1\) and \(\mathcal {T}^{d+1}=\{C_1^{[1..d-1]},\ldots ,C_q^{[1..d-1]}\}\) be the set of the q tweaks of \(\widetilde{E}^{d+1}\). From the discussion above, all these 2q tweaks are different from those of \(\widetilde{E}^2\), ..., \(\widetilde{E}^d\), while we may have \(|\mathcal {T}^1|<q\), \(\mathcal {T}^1\cap \mathcal {T}^{d+1}\ne \emptyset \), or \(|\mathcal {T}^{d+1}|<q\).

  • If \(|\mathcal {T}^1|<q\), i.e., if \(M_i^{[2..d]}=M_j^{[2..d]}\) holds for some \(1\le i<j\le q\), we necessarily have \(M^1_i\ne M^1_j\) since the adversary does not repeat a query, and \(S_i\ne S_j\) by the absence of condition 3. The two entries \(M_i^1\mapsto S_i\) and \(M_j^1\mapsto S_j\) under the same tweak are therefore consistent with a permutation, and this case does not yield an inconsistency in \(\widetilde{E}\).

  • If \(\mathcal {T}^1\cap \mathcal {T}^{d+1}\ne \emptyset \), there are two cases to consider. The first case is \(M_i^{[2..d]}=C_j^{[1..d-1]}\) for some \(i\ne j\). In this case, \(\widetilde{E}^1\) and \(\widetilde{E}^{d+1}\) have to satisfy \(S_i=\widetilde{E}^1(M_i^{[2..d]},M_i^1)\) and \(C_j^d=\widetilde{E}^{d+1}(C_j^{[1..d-1]},S_j)\) under the same tweak, which is possible since the inputs differ, \(M_i^1\ne S_j\) (absence of condition 1), and the outputs differ, \(S_i\ne C_j^d\) (absence of condition 2).

    The second case is \(M_i^{[2..d]}=C_i^{[1..d-1]}\) for some \(1\le i\le q\). In this case, \(\widetilde{E}^1\) and \(\widetilde{E}^{d+1}\) have to satisfy \(S_i=\widetilde{E}^1(M_i^{[2..d]},M_i^1)\) and \(C_i^d=\widetilde{E}^{d+1}(C_i^{[1..d-1]},S_i)\), which is again possible since \(M_i^1\ne S_i\) and \(S_i\ne C_i^d\).

  • The analysis of the case \(|\mathcal {T}^{d+1}|<q\) is similar to the case \(|\mathcal {T}^1|<q\).

Therefore, the absence of the bad conditions implies that the TRP \(\widetilde{E}\) can interpolate all the relevant inputs, tweaks, and the outputs with a non-zero probability. We next compute the probability of the bad conditions and the ratio of the good probabilities to use the coefficient-H technique.
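The objects of this proof can be made concrete by simulating them. The following Python is an added example, not the paper's code: it models the TRP as a lazily sampled random permutation per tweak (the \(\textrm{Dom}(T)\)/\(\textrm{Ran}(T)\) bookkeeping of Fig. 8), implements \(\mathrm {\Phi }_{d+1}\) for any \(d\ge 2\), collects the transcript (1) together with the states \(S_i\), evaluates the three bad conditions, and checks the interpolation property just argued, namely that the \(d+1\) TRP calls of every query, which are fully determined by \((M_i^{[1..d]}, C_i^{[1..d]}, S_i)\), can be realised by a single tweakable permutation. One assumption is labelled in the code: the page does not reproduce Algorithm 5, so the round step used here is the standard contracting Feistel step \((X^1,\dots ,X^d)\mapsto (X^2,\dots ,X^d,\widetilde{E}(X^{[2..d]},X^1))\), chosen because it agrees with the two calls the proof pins down, \(S=\widetilde{E}(M^{[2..d]},M^1)\) in round 1 and \(C^d=\widetilde{E}(C^{[1..d-1]},S)\) in round \(d+1\). All function and class names (TRP, phi_encrypt, trp_calls, ...) are the example's own.

```python
"""Toy model of Phi_{d+1} and of the objects in the proof of Theorem 2: the
transcript (1) with the states S_i, the three bad conditions, and the TRP
interpolation check.  Added example, not the paper's code.  Assumptions: the
(n,(d-1)n)-bit TRP is one lazily sampled random permutation per tweak (the
Dom(T)/Ran(T) bookkeeping of the proof); the round step is the standard
contracting Feistel step (X^1,...,X^d) -> (X^2,...,X^d, E(X^[2..d], X^1)), which
is not spelled out on the page (Algorithm 5) but agrees with the two calls the
proof pins down, S = E(M^[2..d], M^1) and C^d = E(C^[1..d-1], S)."""
import random
from typing import Dict, List, Tuple

class TRP:
    """Tweakable random permutation on n-bit values, sampled lazily per tweak."""
    def __init__(self, n: int, seed: int) -> None:
        self.n, self.rng = n, random.Random(seed)
        self.fwd: Dict[tuple, Dict[int, int]] = {}  # keys of fwd[T] form Dom(T)
        self.bwd: Dict[tuple, Dict[int, int]] = {}  # keys of bwd[T] form Ran(T)

    def enc(self, T: tuple, x: int) -> int:
        fwd, bwd = self.fwd.setdefault(T, {}), self.bwd.setdefault(T, {})
        if x not in fwd:  # fresh input: uniform over the 2^n - |Ran(T)| free outputs
            y = self.rng.choice([v for v in range(1 << self.n) if v not in bwd])
            fwd[x], bwd[y] = y, x
        return fwd[x]

    def dec(self, T: tuple, y: int) -> int:
        fwd, bwd = self.fwd.setdefault(T, {}), self.bwd.setdefault(T, {})
        if y not in bwd:  # fresh output: uniform over the 2^n - |Dom(T)| free inputs
            x = self.rng.choice([v for v in range(1 << self.n) if v not in fwd])
            fwd[x], bwd[y] = y, x
        return bwd[y]

def phi_encrypt(trp: TRP, d: int, M: tuple) -> Tuple[tuple, int]:
    """Phi_{d+1} encryption: returns (C^[1..d], S), S being the round-1 output."""
    state: List[int] = list(M)
    S = None
    for r in range(d + 1):
        y = trp.enc(tuple(state[1:]), state[0])
        S = y if r == 0 else S
        state = state[1:] + [y]          # the d lines shift; y becomes line d
    return tuple(state), S

def phi_decrypt(trp: TRP, d: int, C: tuple) -> Tuple[tuple, int]:
    """Phi_{d+1} decryption: S is recovered as the round-(d+1) input."""
    state: List[int] = list(C)
    S = None
    for r in range(d + 1):
        x = trp.dec(tuple(state[:-1]), state[-1])
        S = x if r == 0 else S
        state = [x] + state[:-1]
    return tuple(state), S

def real_world_transcript(d: int, n: int, q: int, seed: int):
    """q non-repeating, non-redundant queries to R / R^{-1}: returns the
    transcript of (1) and the states S_1..S_q handed to A afterwards."""
    rng, trp = random.Random(seed), TRP(n, seed + 1)
    transcript, states = [], []
    while len(transcript) < q:
        blk = tuple(rng.randrange(1 << n) for _ in range(d))
        if rng.random() < 0.5:               # encryption query
            if any(blk == M for M, _ in transcript):
                continue                     # repeated or redundant: skip
            M, (C, S) = blk, phi_encrypt(trp, d, blk)
        else:                                # decryption query
            if any(blk == C for _, C in transcript):
                continue
            C, (M, S) = blk, phi_decrypt(trp, d, blk)
        transcript.append((M, C))
        states.append(S)
    return transcript, states

def bad_conditions(transcript, states) -> Tuple[bool, bool, bool]:
    """The three bad conditions of the proof, evaluated on a transcript."""
    Sset = set(states)
    cond1 = any(m in Sset for M, _ in transcript for m in M)
    cond2 = any(c in Sset for _, C in transcript for c in C)
    return cond1, cond2, len(Sset) < len(states)

def trp_calls(d: int, M: tuple, C: tuple, S: int) -> list:
    """The d+1 (tweak, input, output) triples one query forces on the TRP: the
    round outputs are S, C^1, ..., C^d, so (M, C, S) determines all of them."""
    outputs, state, calls = [S] + list(C), list(M), []
    for r in range(d + 1):
        calls.append((tuple(state[1:]), state[0], outputs[r]))
        state = state[1:] + [outputs[r]]
    assert tuple(state) == tuple(C)          # the last round's output is C^d
    return calls

def trp_consistent(calls) -> bool:
    """True iff a single TRP can realise every call: per tweak, one output per
    input and one input per output (the interpolation property of the proof)."""
    fwd, bwd = {}, {}
    for T, x, y in calls:
        if fwd.setdefault(T, {}).setdefault(x, y) != y:
            return False
        if bwd.setdefault(T, {}).setdefault(y, x) != x:
            return False
    return True
```

With a small n and a modest q, `real_world_transcript` followed by `bad_conditions` hits a bad condition often, which is consistent with the bound \((4d+1)q^2/2^n\) being vacuous in that regime; `trp_consistent` nevertheless holds for every real-world transcript, because its calls come from an actual TRP. An ideal-world transcript that hits a bad condition may have no TRP consistent with its dummy states, which is exactly why Lemma 3 compares the two worlds only on good transcripts.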

Probability of the Bad Conditions. We have the following lemma.

Lemma 2

We have \(\Pr [\varTheta _\mathcal {I}\in \mathcal {T}_\textrm{bad}] \le \dfrac{(4d+1)q^2}{2^n}\).

Proof

We compute the probability of the bad conditions based on the randomness of \(S_1,\dots ,S_q\). Assume that \(\mathcal {A}\) has completed making q queries to the oracles, and hence \((M_1^{[1..d]},C_1^{[1..d]}),\ldots ,(M_q^{[1..d]},C_q^{[1..d]})\) are fixed. We further assume that we do not have the bad conditions for \(S_1,\ldots ,S_{i-1}\), and we compute the probability that \(S_i\) causes one of the bad conditions, which we write “\(S_i\) is bad.” We then have

$$\begin{aligned} \Pr [S_i\,\, \hbox {is bad}] &\le \frac{2dq + (i-1)}{2^n - 2q}\,. \end{aligned}$$

The numerator counts the values that \(S_i\) must avoid: the dq plaintext blocks and the dq ciphertext blocks of conditions 1 and 2, and the \(i-1\) earlier states of condition 3. The term 2q in the denominator is an upper bound on \(|\textrm{Ran}(M_i^{[2..d]})|\) (for an encryption query) or \(|\textrm{Dom}(C_i^{[1..d-1]})|\) (for a decryption query) at the time \(S_i\) is sampled. Due to the uniqueness of \(S_1, \dots , S_{i-1}\), the tweaks of the TRP calls other than those of \(\widetilde{E}^1\) and \(\widetilde{E}^{d+1}\) are also unique, so only the first-round and last-round calls of the earlier queries can share the tweak of the i-th call; \(|\textrm{Ran}(M_i^{[2..d]})|\) or \(|\textrm{Dom}(C_i^{[1..d-1]})|\) therefore reaches the maximum value 2q only when \(M_j^{[2..d]}\) and \(C_j^{[1..d-1]}\) both equal that tweak for all \(j = 1, \dots , i-1\). Besides, from the uniqueness of \(S_1, \dots , S_{i-1}\) and the assumption that no query is repeated, the corresponding entry, i.e., \((M_i^{[2..d]},M_i^{1})\) for encryption or \((C_i^{[1..d-1]},C_i^{d})\) for decryption, does not yet exist when \(S_i\) is generated. That is, \(S_i\) is freshly sampled.

Now, by taking the summation of \(\Pr [S_i\,\, \hbox {is bad}]\), we have

$$\begin{aligned} \Pr [\varTheta _\mathcal {I}\in \mathcal {T}_\textrm{bad}] &\le \sum _{i=1}^q \frac{2dq + (i-1)}{2^n - 2q}\\ &\le \frac{(2d+0.5)q^2}{2^n - 2q}\\ &\le \frac{(4d+1)q^2}{2^n}\,, \end{aligned}$$

where the last inequality follows from \(2q \le 2^{n-1}\), so that \(2^n - 2q \ge 2^{n-1}\); this may be assumed without loss of generality, since the claimed bound exceeds 1 otherwise.

Ratio of the Good Probabilities. We have the following lemma.

Lemma 3

For any \(\theta \in \mathcal {T}_\textrm{good}\), we have \(\dfrac{\Pr [\varTheta _\mathcal {R}= \theta ]}{\Pr [\varTheta _\mathcal {I}= \theta ]} \ge 1 - \dfrac{0.5q^2}{2^{dn}}\).

Proof

First, we define the following two sets:

$$\begin{aligned} Q_e &= \{i \mid \,\,\hbox {the}\,\, i\hbox {-th query is encryption}\}\\ Q_d &= \{i \mid \,\, \hbox {the}\,\, i\hbox {-th query is decryption}\} \end{aligned}$$

In the real world, we additionally define two sets as follows:

$$\begin{aligned} S^{\textrm{enc},x}_i &= \{(j, k) \mid ((j<i \wedge 1 \le k \le d+1) \vee (j=i \wedge 1 \le k < x))\\ &\wedge \,\, \hbox {(the}\,\, j\hbox {-th tweak of}\,\, \widetilde{E}^k) = \hbox {(the}\,\, i\hbox {-th tweak of}\,\, \widetilde{E}^x) \}\\ S^{\textrm{dec},x}_i &= \{(j, k) \mid ((j<i \wedge 1 \le k \le d+1) \vee (j=i \wedge x < k \le d+1))\\ &\wedge \,\, \hbox {(the}\,\, j\hbox {-th tweak of}\,\, \widetilde{E}^k) = \hbox {(the}\,\, i\hbox {-th tweak of}\,\, \widetilde{E}^x) \} \end{aligned}$$

Intuitively, \(S^{\textrm{enc},x}_i\) is the set of pairs (j, k) such that the j-th tweak of \(\widetilde{E}^k\) equals the i-th tweak of \(\widetilde{E}^x\) when the i-th query is encryption, and \(S^{\textrm{dec},x}_i\) is the corresponding set when the i-th query is decryption. That is, for the i-th tweak of \(\widetilde{E}^x\), these sets collect the earlier TRP calls that share the same tweak, and hence the number of outputs (or inputs) that the permutation property already excludes. Then, the probability can be evaluated as follows:

$$\begin{aligned} \Pr [\varTheta _\mathcal {R}= \theta ] &= \prod _{x=1}^{d+1} \left( \prod _{i \in Q_e} \frac{1}{2^n - |S^{\textrm{enc},x}_i|} \times \prod _{i \in Q_d} \frac{1}{2^n - |S^{\textrm{dec},x}_i|} \right) \\ &\ge \frac{1}{(2^n)^{dq}} \times \prod _{i \in Q_e} \frac{1}{2^n - |S^{\textrm{enc},1}_i|} \times \prod _{i \in Q_d} \frac{1}{2^n - |S^{\textrm{dec},d+1}_i|}\,. \end{aligned}$$

The inequality follows since every factor satisfies \(1/(2^n - |S^{\textrm{enc},x}_i|) \ge 1/2^n\), and likewise for \(S^{\textrm{dec},x}_i\); we apply this to the dq factors other than those of \(\widetilde{E}^1\) on encryption queries and of \(\widetilde{E}^{d+1}\) on decryption queries, which we keep exactly.

In the ideal world, as with the real world, we define two sets as follows:

$$\begin{aligned} T^{\textrm{enc},x}_i &= \{(j, k) \mid ((j<i \wedge 1 \le k \le d+1) \vee (j=i \wedge 1 \le k < x))\\ &\wedge \hbox {(the}\,\, j\hbox {-th tweak of}\,\, \widetilde{E}^k)= \hbox {(the}\,\, i\hbox {-th tweak of}\,\, \widetilde{E}^x) \}\\ T^{\textrm{dec},x}_i &= \{(j, k) \mid ((j<i \wedge 1 \le k \le d+1) \vee (j=i \wedge x < k \le d+1))\\ &\wedge \hbox {(the}\,\, j\hbox {-th tweak of}\,\, \widetilde{E}^k)= \hbox {(the}\,\, i\hbox {-th tweak of}\,\, \widetilde{E}^x) \}\,. \end{aligned}$$

Here, in the definitions above, we abuse the notation to write \(\widetilde{E}^k\) for the TRP \(\widetilde{E}\) used in the k-th round in Algorithm 5. Then, the probability can be evaluated as follows:

$$\begin{aligned} \Pr [\varTheta _\mathcal {I}= \theta ] = \frac{1}{(2^{dn})_q} \times \prod _{i \in Q_e} \frac{1}{2^n - |T^{\textrm{enc},1}_i|} \times \prod _{i \in Q_d} \frac{1}{2^n - |T^{\textrm{dec},d+1}_i|}\,. \end{aligned}$$

Finally, we compute the ratio of the two probabilities. We have

$$\begin{aligned} \frac{\Pr [\varTheta _\mathcal {R}= \theta ]}{\Pr [\varTheta _\mathcal {I}= \theta ]} &\ge \frac{(2^{dn})_q}{(2^n)^{dq}} \times \prod _{i \in Q_e} \frac{2^n - |S^{\textrm{enc},1}_i|}{2^n - |T^{\textrm{enc},1}_i|} \times \prod _{i \in Q_d} \frac{2^n - |S^{\textrm{dec},d+1}_i|}{2^n - |T^{\textrm{dec},d+1}_i|}\\ & \ge 1 - \frac{0.5q^2}{2^{dn}}\,, \end{aligned}$$

where the last inequality follows since \(S^{\textrm{enc},x}_i = T^{\textrm{enc},x}_i\) and \(S^{\textrm{dec},x}_i = T^{\textrm{dec},x}_i\) always hold by the definitions of the oracles, so both products equal 1, and since \((2^{dn})_q/(2^n)^{dq} = \prod _{i=0}^{q-1}(1 - i/2^{dn}) \ge 1 - 0.5q^2/2^{dn}\).
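The two numeric steps that the proofs of Lemma 2 and Lemma 3 leave implicit, carried through with the proof's own symbols (added here as a worked derivation, not part of the paper). For Lemma 2, with \(2q \le 2^{n-1}\),

$$\begin{aligned} \sum _{i=1}^{q} \bigl (2dq + (i-1)\bigr ) &= 2dq^2 + \frac{q(q-1)}{2} \le (2d+0.5)q^2\,, \\ \frac{(2d+0.5)q^2}{2^n - 2q} &\le \frac{(2d+0.5)q^2}{2^{n-1}} = \frac{(4d+1)q^2}{2^n}\,. \end{aligned}$$

For Lemma 3, \((2^{dn})_q = 2^{dn}(2^{dn}-1)\cdots (2^{dn}-q+1)\) is the falling factorial, i.e., the number of ways \(\pi \) can map q distinct dn-bit values, while \((2^n)^{dq} = 2^{dnq}\), so

$$\begin{aligned} \frac{(2^{dn})_q}{(2^n)^{dq}} &= \prod _{i=0}^{q-1} \frac{2^{dn}-i}{2^{dn}} = \prod _{i=0}^{q-1} \Bigl (1 - \frac{i}{2^{dn}}\Bigr ) \\ &\ge 1 - \sum _{i=0}^{q-1} \frac{i}{2^{dn}} = 1 - \frac{q(q-1)}{2\cdot 2^{dn}} \ge 1 - \frac{0.5q^2}{2^{dn}}\,, \end{aligned}$$

where the first inequality is \(\prod _i (1-a_i) \ge 1 - \sum _i a_i\) for \(a_i \in [0,1]\).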

From Lemma 2, Lemma 3, and the coefficient-H technique, we obtain Theorem 2.


Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Tsuji, K., Iwata, T. (2024). Feistel Ciphers Based on a Single Primitive. In: Quaglia, E.A. (eds) Cryptography and Coding. IMACC 2023. Lecture Notes in Computer Science, vol 14421. Springer, Cham. https://doi.org/10.1007/978-3-031-47818-5_4


  • DOI: https://doi.org/10.1007/978-3-031-47818-5_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-47817-8

  • Online ISBN: 978-3-031-47818-5

