# How to Build an Ideal Cipher: The Indifferentiability of the Feistel Construction

## Abstract

This paper provides the *first* provably secure construction of an invertible random permutation (and of an ideal cipher) from a *public* random function that can be evaluated by all parties in the system, including the adversary. The associated security goal was formalized via the notion of *indifferentiability* by Maurer et al. (TCC 2004). The problem is the natural extension of that of building (invertible) random permutations from (private) random functions, first solved by Luby and Rackoff (SIAM J Comput 17(2):373–386, 1988) via the four-round Feistel construction. As our main result, we prove that the Feistel construction with fourteen rounds is indifferentiable from an invertible random permutation. We also provide a new lower bound showing that five rounds are *not* sufficient to achieve indifferentiability. A major corollary of our result is the *equivalence* (in a well-defined sense) of the *random oracle model* and the *ideal cipher model*.
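The construction the abstract refers to, as an added illustration that is not part of the paper: an r-round Feistel network whose round function is *public*, meaning anyone (including the adversary) can evaluate it. Here SHA-256 with a domain separator stands in for the public random function (an assumption for the demonstration; a hash function is not a random oracle, and nothing here reproduces the paper's proof). The key is folded into the round-function input, which is how the keyed, ideal-cipher variant is obtained from the unkeyed permutation. The round count defaults to fourteen, the value the paper proves sufficient; the exhaustive bijection check on a toy two-byte domain holds for any round count, because invertibility is a structural property of the Feistel network rather than the result of the paper.

```python
import hashlib

ROUNDS = 14  # round count the paper proves indifferentiable from a random permutation


def public_round_function(key: bytes, i: int, half: bytes) -> bytes:
    """Stand-in for the public random function F_i.

    Assumption (not from the paper): SHA-256 with a domain separator models the
    random oracle. It takes no secret; the key is just part of the input, so the
    adversary can evaluate it too, which is exactly the setting the paper studies.
    """
    data = b"feistel-round" + key + i.to_bytes(2, "big") + half
    return hashlib.sha256(data).digest()[: len(half)]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def feistel_encrypt(block: bytes, key: bytes, rounds: int = ROUNDS) -> bytes:
    """r-round Feistel network: each round maps (L, R) -> (R, L xor F_i(R))."""
    n = len(block) // 2
    left, right = block[:n], block[n:]
    for i in range(rounds):
        left, right = right, xor(left, public_round_function(key, i, right))
    return left + right


def feistel_decrypt(block: bytes, key: bytes, rounds: int = ROUNDS) -> bytes:
    """Inverse network: rounds in reverse order; F_i itself is never inverted,
    which is why any round function, even a non-injective one, yields a permutation."""
    n = len(block) // 2
    left, right = block[:n], block[n:]
    for i in reversed(range(rounds)):
        left, right = xor(right, public_round_function(key, i, left)), left
    return left + right


def is_permutation(key: bytes, rounds: int = ROUNDS, half_bytes: int = 1) -> bool:
    """Exhaustively verify bijectivity on a toy domain of 2*half_bytes-byte blocks
    (65,536 inputs for half_bytes=1): every output must appear exactly once."""
    size = 2 * half_bytes
    seen = set()
    for x in range(256 ** size):
        y = feistel_encrypt(x.to_bytes(size, "big"), key, rounds)
        if y in seen:
            return False
        seen.add(y)
    return len(seen) == 256 ** size


if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed sample value
    msg = b"sixteen byte blk"              # constructed 128-bit block
    ct = feistel_encrypt(msg, key)
    print("ciphertext:", ct.hex())
    print("round trip ok:", feistel_decrypt(ct, key) == msg)
    print("bijective on toy domain:", is_permutation(key))
```

Note what the check does and does not establish: the bijection test passes for one round just as it does for fourteen, since invertibility never depended on the round function. The paper's result is about a far stronger property, indistinguishability from a random permutation even when the adversary can query the round functions directly, and it is that property for which fourteen rounds suffice and five do not.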

## Keywords

Random oracle model, Ideal cipher model, Feistel construction, Indifferentiability

## Notes

### Acknowledgments

It is a pleasure to thank Ueli Maurer for his insightful feedback. We also would like to thank the reviewers of the Journal of Cryptology for their very detailed comments, which helped us in substantially improving the presentation of the paper. Robin Künzler was partially supported by the Swiss National Science Foundation (SNF), Project No. 200021-132508.

## References

1. E. Andreeva, A. Bogdanov, Y. Dodis, B. Mennink, J.P. Steinberger, On the indifferentiability of key-alternating ciphers, in R. Canetti, J.A. Garay, editors, *Advances in Cryptology—CRYPTO 2013 (Proceedings, Part I)*, *Lecture Notes in Computer Science*, vol. 8042 (Springer, Berlin, 2013), pp. 531–550. Full version available at http://eprint.iacr.org/2013/061
2. G. Bertoni, J. Daemen, M. Peeters, G. Van Assche, On the indifferentiability of the sponge construction, in N.P. Smart, editor, *Advances in Cryptology—EUROCRYPT 2008*, *Lecture Notes in Computer Science*, vol. 4965 (Springer, Berlin, 2008), pp. 181–197
3. D. Boneh, M.K. Franklin, Identity-based encryption from the Weil pairing. *SIAM J. Comput.* **32**(3), 586–615 (2003)
4. M. Bellare, T. Kohno, A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and applications, in *Advances in Cryptology—EUROCRYPT 2003*, *Lecture Notes in Computer Science*, vol. 2656, pp. 491–506 (2003)
5. A. Bogdanov, L.R. Knudsen, G. Leander, F.-X. Standaert, J.P. Steinberger, E. Tischhauser, Key-alternating ciphers in a provable setting: encryption using a small number of public permutations (Extended Abstract), in D. Pointcheval, T. Johansson, editors, *Advances in Cryptology—EUROCRYPT 2012*, *Lecture Notes in Computer Science*, vol. 7237 (Springer, Berlin, 2012), pp. 45–62
6. J. Black, The ideal-cipher model, revisited: an uninstantiable blockcipher-based hash function, in *FSE 2006*, *Lecture Notes in Computer Science*, vol. 4047, pp. 328–340 (2006)
7. D. Boneh, B. Lynn, H. Shacham, Short signatures from the Weil pairing. *J. Cryptol.* **17**(4), 297–319 (2004)
8. M. Bellare, D. Pointcheval, P. Rogaway, Authenticated key exchange secure against dictionary attacks, in *EUROCRYPT 2000*, *Lecture Notes in Computer Science*, vol. 1807, pp. 139–155 (2000)
9. M. Bellare, P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, in *CCS ’93: Proceedings of the 1st ACM Conference on Computer and Communications Security* (ACM, New York, NY, USA, 1993), pp. 62–73
10. M. Bellare, P. Rogaway, Optimal asymmetric encryption, in *Advances in Cryptology—EUROCRYPT ’94*, *Lecture Notes in Computer Science*, pp. 92–111 (1994)
11. M. Bellare, P. Rogaway, The exact security of digital signatures: how to sign with RSA and Rabin, in *Advances in Cryptology—EUROCRYPT ’96*, *Lecture Notes in Computer Science*, pp. 399–416 (1996)
12. J. Black, P. Rogaway, Ciphers with arbitrary finite domains, in *CT-RSA 2002*, *Lecture Notes in Computer Science*, pp. 114–130 (2002)
13. M. Bellare, P. Rogaway, The security of triple encryption and a framework for code-based game-playing proofs, in *Advances in Cryptology—EUROCRYPT 2006*, *Lecture Notes in Computer Science*, vol. 4004, pp. 409–426 (2006)
14. J. Black, P. Rogaway, T. Shrimpton, Black-box analysis of the block-cipher-based hash-function constructions from PGV, in *Advances in Cryptology—CRYPTO 2002*, *Lecture Notes in Computer Science*, vol. 2442, pp. 320–335 (2002)
15. R. Canetti, Universally composable security: a new paradigm for cryptographic protocols, in *FOCS ’01: Proceedings of the 42nd IEEE Annual Symposium on Foundations of Computer Science*, pp. 136–145 (2001)
16. J.-S. Coron, Y. Dodis, C. Malinaud, P. Puniya, Merkle-Damgård revisited: how to construct a hash function, in V. Shoup, editor, *Advances in Cryptology—CRYPTO 2005*, *Lecture Notes in Computer Science*, vol. 3621 (Springer, Berlin, 2005), pp. 430–448
17. R. Canetti, O. Goldreich, S. Halevi, The random oracle methodology, revisited. *J. ACM* **51**(4), 557–594 (2004)
18. S. Chen, R. Lampe, J. Lee, Y. Seurin, J.P. Steinberger, Minimizing the two-round Even-Mansour cipher, in J.A. Garay, R. Gennaro, editors, *Advances in Cryptology—CRYPTO 2014 (Proceedings, Part I)*, *Lecture Notes in Computer Science*, vol. 8616 (Springer, Berlin, 2014), pp. 39–56. Full version available at http://eprint.iacr.org/2014/443
19. J.-S. Coron, J. Patarin, Y. Seurin, The random oracle model and the ideal cipher model are equivalent, in D. Wagner, editor, *Advances in Cryptology—CRYPTO 2008*, *Lecture Notes in Computer Science*, vol. 5157 (Springer, Berlin, 2008), pp. 1–20
20. J.-S. Coron, J. Patarin, Y. Seurin, The random oracle model and the ideal cipher model are equivalent. Cryptology ePrint Archive, Report 2008/246, August 2008. Version: 20080816:121712, http://eprint.iacr.org/. Extended abstract at CRYPTO 2008
21. S. Chen, J. Steinberger, Tight security bounds for key-alternating ciphers, in P.Q. Nguyen, E. Oswald, editors, *Advances in Cryptology—EUROCRYPT 2014*, *Lecture Notes in Computer Science*, vol. 8441 (Springer, Berlin, 2014), pp. 327–350. Full version available at http://eprint.iacr.org/2013/222
22. I.B. Damgård, A design principle for hash functions, in *Advances in Cryptology—CRYPTO ’89*, *Lecture Notes in Computer Science*, vol. 435, pp. 416–427 (1989)
23. G. Demay, P. Gazi, M. Hirt, U. Maurer, Resource-restricted indifferentiability, in *EUROCRYPT 2013*, *Lecture Notes in Computer Science*, vol. 7881, pp. 664–683 (2013)
24. Y. Dodis, P. Puniya, On the relation between the ideal cipher and the random oracle models, in *Theory of Cryptography—TCC 2006*, *Lecture Notes in Computer Science*, vol. 3876, pp. 184–206 (2006)
25. S. Dziembowski, K. Pietrzak, D. Wichs, Non-malleable codes, in *Innovations in Computer Science—ICS 2010*, pp. 434–452 (2010)
26. Y. Dodis, L. Reyzin, R.L. Rivest, E. Shen, Indifferentiability of permutation-based compression functions and tree-based modes of operation, with applications to MD6, in O. Dunkelman, editor, *Fast Software Encryption—FSE 2009*, *Lecture Notes in Computer Science*, vol. 5665 (Springer, Berlin, 2009), pp. 104–121
27. S. Even, Y. Mansour, A construction of a cipher from a single pseudorandom permutation. *J. Cryptol.* **10**(3), 151–162 (1997)
28. A. Fiat, A. Shamir, How to prove yourself: practical solutions to identification and signature problems, in *Advances in Cryptology—CRYPTO ’86*, *Lecture Notes in Computer Science*, vol. 263, pp. 186–194 (1986)
29. T. Holenstein, R. Künzler, S. Tessaro, The equivalence of the random oracle model and the ideal cipher model, revisited, in L. Fortnow, S.P. Vadhan, editors, *STOC 2011* (ACM, New York, 2011), pp. 89–98
30. J. Kilian, P. Rogaway, How to protect DES against exhaustive key search (an analysis of DESX). *J. Cryptol.* **14**(1), 17–35 (2001)
31. J. Kahn, M.E. Saks, C.D. Smyth, A dual version of Reimer’s inequality and a proof of Rudich’s conjecture, in *IEEE Conference on Computational Complexity*, pp. 98–103 (2000)
32. M. Luby, C. Rackoff, How to construct pseudorandom permutations from pseudorandom functions. *SIAM J. Comput.* **17**(2), 373–386 (1988)
33. R. Lampe, Y. Seurin, How to construct an ideal cipher from a small set of public permutations, in K. Sako, P. Sarkar, editors, *Advances in Cryptology—ASIACRYPT 2013 (Proceedings, Part I)*, *Lecture Notes in Computer Science*, vol. 8269 (Springer, Berlin, 2013), pp. 444–463. Full version available at http://eprint.iacr.org/2013/255
34. Y. Lindell, H. Zarosim, Adaptive zero-knowledge proofs and adaptively secure oblivious transfer, in *Theory of Cryptography Conference—TCC 2009*, *Lecture Notes in Computer Science*, vol. 5444, pp. 183–201 (2009)
35. U. Maurer, Indistinguishability of random systems, in *Advances in Cryptology—EUROCRYPT 2002*, *Lecture Notes in Computer Science*, vol. 2332, pp. 110–132 (2002)
36. R.C. Merkle, A certified digital signature, in *Advances in Cryptology—CRYPTO ’89*, *Lecture Notes in Computer Science*, vol. 435, pp. 218–238 (1989)
37. A. Mandal, J. Patarin, Y. Seurin, On the public indifferentiability and correlation intractability of the 6-round Feistel construction, in *TCC 2012*. Full version available at http://eprint.iacr.org/2011/496.pdf
38. U. Maurer, R. Renner, Abstract cryptography, in *Innovations in Computer Science—ICS 2011*, pp. 1–21 (2011)
39. U. Maurer, R. Renner, C. Holenstein, Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology, in *Theory of Cryptography Conference—TCC 2004*, *Lecture Notes in Computer Science*, vol. 2951, pp. 21–39 (February 2004)
40. P. Rogaway, J.P. Steinberger, Constructing cryptographic hash functions from fixed-key blockciphers, in D. Wagner, editor, *Advances in Cryptology—CRYPTO 2008*, *Lecture Notes in Computer Science*, vol. 5157 (Springer, Berlin, 2008), pp. 433–450
41. P. Rogaway, J.P. Steinberger, Security/efficiency tradeoffs for permutation-based hashing, in N.P. Smart, editor, *Advances in Cryptology—EUROCRYPT 2008*, *Lecture Notes in Computer Science*, vol. 4965 (Springer, Berlin, 2008), pp. 220–236
42. T. Ristenpart, H. Shacham, T. Shrimpton, Careful with composition: limitations of the indifferentiability framework, in K.G. Paterson, editor, *Advances in Cryptology—EUROCRYPT 2011*, *Lecture Notes in Computer Science*, vol. 6632 (Springer, Berlin, 2011), pp. 487–506
43. S. Rudich, *Limits on the Provable Consequences of One-way Functions*. PhD thesis (1989)
44. Y. Seurin, *Primitives et protocoles cryptographiques à sécurité prouvée*. PhD thesis, Université de Versailles Saint-Quentin-en-Yvelines, UFR de Sciences, École doctorale SoFt, Laboratoire PRiSM (2009)
45. Y. Seurin, A note on the indifferentiability of the 10-round Feistel construction, March 2011. Unpublished note available from the author
46. C.E. Shannon, Communication theory of secrecy systems. *Bell Syst. Tech. J.* **28**, 656–715 (1949)
47. V. Shoup, Sequences of games: a tool for taming complexity in security proofs (2004)