Designs, Codes and Cryptography

, Volume 39, Issue 2, pp 233–245 | Cite as

Luby–Rackoff Revisited: On the Use of Permutations as Inner Functions of a Feistel Scheme

  • Gilles Piret


In this paper we are dealing with the security of the Feistel structure in the Luby–Rackoff model when the round functions are replaced by permutations. There is a priori no reason to think that the security bounds remain the same in this case, as illustrated by Knudsen’s attack [5]. It is why we revisit Luby–Rackoff’s proofs [6] in this specific case. The conclusion is that when the inner functions are random permutations, a 3-round (resp. 4-round) Feistel scheme remains secure against pseudorandom (resp. superpseudorandom) distinguishers as long as m Open image in new window 2n/2 (with m the number of queries and 2n the block size).


Symmetric cryptography block ciphers Feistel scheme Luby–Rackoff-model (super-)pseudorandomness 

AMS Classification



Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    K. Aoki, T. Ichikawa, M. Kanda, M.Matsui S. Moriai, J. Nakajima and T.Tokita, Camellia: A 128-Bit Block Cipher Suitable for Multiple Platforms—Design and Analysis. In D.R. Stinson and S.E. Tavares (eds.), Selected Areas in Cryptography, 7th Annual International Workshop, SAC 2000, Waterloo, Canada, August 14–15, 2000, volume 2012 of Lecture Notes in Computer Science, Springer-Verlag (2001) pp. 39–56.Google Scholar
  2. 2.
    Aoki, K., Ohta, K. 1997Strict evaluation for the maximum average of differential probability and the maximum average of linear probabilityIEICE Transactions on FundamentalsE80-A28Google Scholar
  3. 3.
    E. Biham, Cryptanalysis of Ladder-DES. In Eli Biham (ed.), Fast Software Encryption, Haifa, Israel, January 20–22, 1997, volume 1267 of Lecture Notes in Computer Science, Springer-Verlag (1997) pp. 134–138.Google Scholar
  4. 4.
    H. Gilbert and M. Minier, New results on the pseudorandomness of some blockcipher constructions, In Mitsuru Matsui, editor, Fast Software Encryption,Yokohama, Japan, April 2–4, 2001, volume 2355 of Lecture Notes in Computer Science, Springer-Verlag (2002) pp. 248–266.Google Scholar
  5. 5.
    L. R. Knudsen, DEAL – A 128-bit Block Cipher, Technical Report #151, University of Bergen, Department of Informatics, Norway, February 1998. Submitted as a candidate for the Advanced Encryption Standard.Google Scholar
  6. 6.
    Luby, M., Rackoff, C. 1998How to construct pseudorandom permutations from pseudorandom functionsSIAM Journal on Computing17373386MathSciNetGoogle Scholar
  7. 7.
    S. Lucks, Faster Luby–Rackoff ciphers, In Dieter Gollmann (ed.), Fast Software Encryption, Cambridge, UK, February 21–23, 1996, volume 1039 of Lecture Notes in Computer Science, Springer-Verlag (1996) pp. 189–203.Google Scholar
  8. 8.
    Naor, M., Reingold, O. 1999On the construction of pseudorandom permutations: Luby–Rackoff RevisitedJournal of Cryptology122966MathSciNetGoogle Scholar
  9. 9.
    K. Nyberg, Linear approximation of block ciphers. In Alfredo De Santis (ed.), Advances in Cryptology—EUROCRYPT ’94, Perugia, Italy, May 9–12, 1994, volume 950 of Lecture Notes in Computer Science, Springer-Verlag (1995) pp. 439–444.Google Scholar
  10. 10.
    Nyberg, K., Knudsen, L. R. 1995Provable security against differential cryptanalysisJournal of Cryptology82737CrossRefMathSciNetGoogle Scholar
  11. 11.
    J. Patarin, Etude des Générateurs de Permutations Basés sur le Schéma du DES. PhD thesis, Université Paris VI, November 1991.Google Scholar
  12. 12.
    J. Patarin, How to construct pseudorandom and super pseudorandom permutations from one single pseudorandom function. In Rainer A. Rueppel (ed.), Advances in Cryptology—EUROCRYPT ’92, Balatonfüred, Hungary, May 24–28, 1992, volume 658 of Lecture Notes in Computer Science, Springer-Verlag (1993) pp. 256–266.Google Scholar
  13. 13.
    J. Patarin, About Feistel schemes with six (or more) rounds. In Serge Vaudenay (ed.), Fast Software Encryption, Paris, France, March 23–25, 1998, volume 1372 of Lecture Notes in Computer Science, Springer-Verlag (1998) pp. 103–121.Google Scholar
  14. 14.
    J. Patarin, Generic attacks on Feistel schemes. In Colin Boyd (ed.), Advances in Cryptology – ASIACRYPTM 2001, Gold Coast, Australia, December 9–13, 2001, volume 2248 of Lecture Notes in Computer Science, Springer-Verlag (2001) pp. 222–238.Google Scholar
  15. 15.
    J. Patarin, Luby-Rackoff: 7 Rounds are enough for 2n(1−ε) security. In Dan Boneh (ed.), Advances in Cryptology – CRYPTO 2003, Santa Barbara, USA, August 17–21, 2003, volume 2729 of Lecture Notes in Computer Science, Springer-Verlag (2003) pp. 513–529.Google Scholar
  16. 16.
    J. Patarin, Security of random feistel schemes with 5 or more rounds. In Matt Franklin (ed.), Advances in Cryptology – CRYPTO 2004, Santa Barbara, USA, August 15–19, 2004, volume 3152 of Lecture Notes in Computer Science, Springer-Verlag (2004) pp. 106–122.Google Scholar
  17. 17.
    Z. Ramzan and L. Reyzin, On the round security of symmetric-key cryptographic primitives. In Mihir Bellare (ed.), Advances in Cryptology – CRYPTO 2000, Santa Barbara, USA, August 20–24, 2000, volume 1880 of Lecture Notes in Computer Science, Springer-Verlag (2000) pp. 376–393.Google Scholar
  18. 18.
    Rijmen, V., Preneel, B., Win, E. 1997On weaknesses of non-surjective round functionsDesigns, Codes and Cryptography12253266CrossRefMathSciNetGoogle Scholar
  19. 19.
    B. Schneier, J. Kelsey, D. Whiting, D. Wagner, C. Hall and N. Ferguson Twofish: A 128-bit Block Cipher. NIST AES Proposal. Available from, June 1998.

Copyright information

© Springer Science+Business Media, Inc. 2006

Authors and Affiliations

  1. 1.Département d’Informatique 45Ecole Normale SupérieureParis cedex 05France

Personalised recommendations