Luby-Rackoff Ciphers from Weak Round Functions?

  • Ueli Maurer
  • Yvonne Anne Oswald
  • Krzysztof Pietrzak
  • Johan Sjödin
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4004)


The Feistel network is a popular structure underlying many block ciphers: the cipher is built from many simpler rounds, each defined by a round function derived from the secret key.

Luby and Rackoff showed that the three-round Feistel-network – each round instantiated with a pseudorandom function secure against adaptive chosen plaintext attacks (CPA) – is a CPA secure pseudorandom permutation, thus giving some confidence in the soundness of using a Feistel-network to design block-ciphers.

But the round functions used in actual block ciphers are, for efficiency reasons, far from pseudorandom. We investigate the security of the Feistel network against CPA distinguishers when the only security guarantee for the round functions is that they are secure against non-adaptive chosen plaintext attacks (nCPA). We show that in the information-theoretic setting, four rounds with nCPA secure round functions are sufficient (and necessary) to obtain a CPA secure permutation. Unfortunately, this result does not translate into the more interesting pseudorandom setting: under the so-called Inverse Decisional Diffie-Hellman assumption, the four-round Feistel network, each round instantiated with an nCPA secure pseudorandom function, is in general not a CPA secure pseudorandom permutation.
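The construction the abstract discusses, as an added example that is not code from the paper: an r-round Feistel network with pluggable round functions, showing that the network is a permutation for any choice of round functions (even degenerate ones), so all of the security rests on the round functions themselves. HMAC-SHA256 is assumed here as a stand-in for a keyed pseudorandom function; the nCPA-only round functions the paper studies are not modelled.

```python
import hmac
import hashlib
from typing import Callable, List, Tuple

# Added example (not the paper's code): Luby-Rackoff style Feistel network
# on 2w-bit blocks, with round functions f_0..f_{r-1} : {0,1}^w -> {0,1}^w.
RoundFn = Callable[[int], int]


def prf_round_functions(key: bytes, rounds: int, w: int) -> List[RoundFn]:
    """Derive `rounds` independent keyed functions from `key`.
    HMAC-SHA256 is an assumed PRF stand-in; the round index separates the functions."""
    mask = (1 << w) - 1
    nbytes = (w + 7) // 8

    def make(i: int) -> RoundFn:
        def f(x: int) -> int:
            msg = i.to_bytes(2, "big") + x.to_bytes(nbytes, "big")
            return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:8], "big") & mask
        return f

    return [make(i) for i in range(rounds)]


def feistel_encrypt(fns: List[RoundFn], left: int, right: int) -> Tuple[int, int]:
    """One round maps (L, R) -> (R, L xor f_i(R)); rounds are applied in order."""
    for f in fns:
        left, right = right, left ^ f(right)
    return left, right


def feistel_decrypt(fns: List[RoundFn], left: int, right: int) -> Tuple[int, int]:
    """Inverse: same round functions in reverse order; f_i itself need not be invertible."""
    for f in reversed(fns):
        left, right = right ^ f(left), left
    return left, right


def is_permutation(fns: List[RoundFn], w: int) -> bool:
    """Exhaustively check bijectivity on {0,1}^{2w}; only feasible for small w."""
    mask = (1 << w) - 1
    outputs = {feistel_encrypt(fns, b >> w, b & mask) for b in range(1 << (2 * w))}
    return len(outputs) == 1 << (2 * w)


if __name__ == "__main__":
    fns = prf_round_functions(b"constructed-demo-key", 4, 8)   # 4 rounds, 16-bit block
    ct = feistel_encrypt(fns, 0xAB, 0xCD)
    print(ct, feistel_decrypt(fns, *ct))
```

The permutation check passes even for the constant-zero round function, which is exactly why the structure alone says nothing about CPA security.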



Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Ueli Maurer (1)
  • Yvonne Anne Oswald (1)
  • Krzysztof Pietrzak (2)
  • Johan Sjödin (1)

  1. Department of Computer Science, ETH Zurich, Zurich, Switzerland
  2. Département d'informatique, Ecole Normale Supérieure, Paris, France
