# Unbalanced Feistel networks and block cipher design

Block Ciphers — Proposals

First Online:

## Abstract

We examine a generalization of the concept of Feistel networks, which we call Unbalanced Feistel Networks (UFNs). Like conventional Feistel networks, UFNs consist of a series of rounds in which one part of the block operates on the rest of the block. However, in a UFN the two parts need not be of equal size. Removing this limitation on Feistel networks has interesting implications for designing ciphers secure against linear and differential attacks. We describe UFNs and a terminology for discussing their properties, present and analyze some UFN constructions, and make some initial observations about their security.

## Keywords

Block Cipher Stream Cipher Differential Attack Source Block Target Block
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Download
to read the full conference paper text

## References

- [AB96]R. Anderson and E. Biham, “Two Practical and Provably Secure Block Ciphers: BEAR and LION,”
*Proceedings of the Cambridge Algorithms Workshop*, 1996, to appear.Google Scholar - [AT93]C.M. Adams and S.E. Tavares, “Designing S-boxes for Ciphers Resistant to Differential Cryptanalysis,”
*Proceedings of the 3rd Symposium on State and Progress of Research in Cryptography*, Rome, Italy, 15–16 Feb 1993, pp. 181–190.Google Scholar - [BB93]I. Ben-Aroya and E. Biham, “Differential Cryptanalysis of Lucifer,”
*Advances in Cryptology —CRYPTO '93 Proceedings*, Spinger-Verlag, 1994.Google Scholar - [Bih95]E. Biham, “On Matsui's Linear Cryptanalysis,”
*Advances in Cryptology — EUROCRYPT '94 Proceedings*, Springer-Verlag, 1995, to appear.Google Scholar - [BJ77]G. Bhattacharyya and R. Johnson,
*Statistical Concepts and Methods*, John Wiley and Sons, 1977.Google Scholar - [BS93]E. Biham and A. Shamir,
*Differential Cryptanalysis of the Data Encryption Standard*, Springer-Verlag, 1993.Google Scholar - [BS95]M. Blaze and B. Schneier, “The MacGuffin Block Cipher Algorithm,”
*Fast Software Encryption, Second International Workshop Proceedings*, Springer-Verlag, 1995, pp. 97–110.Google Scholar - [BPS93]L. Brown, M. Kwan, J. Pieprzyk, and J. Seberry, “Improving Resistance to Differential Cryptanalysis and the Redesign of LOKI,”
*Advances in Cryptology — ASIACRYPT '91 Proceedings*, Springer-Verlag, 1993, pp. 36–50.Google Scholar - [CDN95]G. Carter, E. Dawson, and L. Nielsen, “DESV: A Latin Square Variation of DES,”
*Proceedings of the Workshop on Selected Areas in Cryptography*, Ottawa, Canada, 1995.Google Scholar - [DGV94]J. Daemen, R. Govaerts, and J. Vandewalle, “A New Approach to Block Cipher Design,”
*Fast Software Encryption, Cambridge Security Workshop Proceedings*, Springer-Verlag, 1994, pp. 18–32.Google Scholar - [Dae95]J. Daemen, “Cipher and Hash Function Design,” Ph.D Thesis, Katholieke Universiteit Leuven, Mar 95.Google Scholar
- [Fei73]H. Feistel, “Cryptography and Computer Privacy,”
*Scientific American*, v. 228, n. 5, May 1973, pp. 15–23.Google Scholar - [GOST89]GOST, Gosudarstvennyi Standard 28147-89, “Cryptographic Protection for Data Processing Systems,” Government Committee of the USSR for Standards, 1989.Google Scholar
- [HKM95]C. Harpes, G. Kramer, J. Massey, “A Generalization of Linear Cryptanalysis and the Applicability f Matsui's Piling-up Lemma,”
*Advances in Cryptology — EUROCRYPT '95 Proceedings*, Springer, 1995, pp. 24–38.Google Scholar - [Knu93]L.R. Knudsen, “Iterative Characteristics of DES and s
^{2}DES,”*Advances in Cryptology — CRYPTO '92*, Springer-Verlag, 1993, pp. 497–511.Google Scholar - [Knu94a]L.R. Knudsen, “Block Ciphers — Analysis, Design, Applications,” Ph.D. dissertation, Aarhus University, Nov 1994.Google Scholar
- [Knu94b]L.R. Knudsen, “Practically Secure Feistel Ciphers,”
*Fast Software Encryption, Cambridge Security Workshop Proceedings*, Springer-Verlag, 1994, pp. 211–221.Google Scholar - [Knu95]L.R. Knudsen, personal communication.Google Scholar
- [Mer91]R.C. Merkle, “Fast Software Encryption Functions,”
*Advances in Cryptology — CRYPTO '90 Proceedings*, Springer-Verlag, 1991, pp. 476–501.Google Scholar - [NBS77]National Bureau of Standards, NBS FIPS PUB 46, “Data Encryption Standard,” National Bureau of Standards, U.S. Department of Commerce, Jan 1977.Google Scholar
- [NIST93]National Institute of Standards and Technology, NIST FIPS PUB 180, “Secure Hash Standard,” U.S. Department of Commerce, May 93.Google Scholar
- [Nyb91]K. Nyberg, “Perfect Nonlinear S-boxes,”
*Advances in Cryptology — EUROCRYPT '91 Proceedings*, Springer-Verlag, 1991, pp. 378–386.Google Scholar - [Nyb93]K. Nyberg, “On the Construction of Highly Nonlinear Permutations,”
*Advances in Cryptology — EUROCRYPT '92 Proceedings*, Springer-Verlag, 1993, pp. 92–98.Google Scholar - [Nyb94]K. Nyberg, “Differentially Uniform Mappings for Cryptography,”
*Advances in Cryptology — EUROCRYPT '93 Proceedings*, Springer-Verlag, 1994, pp. 55–64.Google Scholar - [NK95]K. Nyberg and L.R. Knudsen, “Provable Security Against Differential Cryptanalysis,”
*Journal of Cryptology*, v. 8, n. 1, 1995, pp. 27–37.Google Scholar - [OCo94a]L. O'Connor, “Enumerating Nondegenerate Permutations,”
*Advances in Cryptology — EUROCRYPT '93 Proceedings*, Springer-Verlag, 1994, pp. 368–377.Google Scholar - [OCo94b]L. O'Connor, “On the Distribution of Characteristics in Bijective Mappings,”
*Advances in Cryptology — EUROCRYPT '93 Proceedings*, Springer-Verlag, 1994, pp. 360–370.Google Scholar - [OCo94c]L. O'Connor, “On the Distribution of Characteristics in Composite Permutations,”
*Advances in Cryptology — CRYPTO '93 Proceedings*, Springer-Verlag, 1994, pp. 403–412.Google Scholar - [PR95]B. Preneel and V. Rijmen, “Cryptanalysis of MacGuffin,”
*Fast Software Encryption, Second International Workshop Proceedings*, Springer-Verlag, 1995, pp. 353–358.Google Scholar - [RIPE92]Research and Development in Advanced Communication Technologies in Europe,
*RIPE Integrity Primitives: Final Report of RACE Integrity Primitives Evaluation (R1040)*, RACE, June 1992.Google Scholar - [Riv91]R.L. Rivest, “The MD4 Message Digest Algorithm,”
*Advances in Cryptology — CRYPTO '90 Proceedings*, Springer-Verlag, 1991, pp. 303–311.Google Scholar - [Riv92]R.L. Rivest, “The MD5 Message Digest Algorithm,” RFC 1321, Apr 1992.Google Scholar
- [Riv95]R.L. Rivest, “The RC5 Encryption Algorithm,”
*Fast Software Encryption*,*Second International Workshop Proceedings*, Springer-Verlag, 1995, pp. 86–96.Google Scholar - [Sch83]I. Schaumuller-Bichl, “On the Design and Analysis of New Cipher Systems Related to the DES,” Technical Report, Linz University, 1983.Google Scholar
- [Sch94a]B. Schneier,
*Applied Cryptography, Second Edition*, John Wiley & Sons, 1996.Google Scholar - [Sch94b]B. Schneier, “Description of a New Variable-Length Key, 64-Bit Block Cipher (Blowfish),”
*Fast Software Encryption, Cambridge Security Workshop Proceedings*, Springer-Verlag, 1994, pp. 191–204.Google Scholar - [Sha49]C.E. Shannon, “Communication Theory of Secrecy Systems,”
*Bell Systems Technical Journal*, v.**27**, n. 4, 1948, pp. 379–423.Google Scholar - [SM88]A. Shimizu and S. Miyaguchi, “Fast Data Encipherment Algorithm FEAL,”
*Advances in Cryptology — EUROCRYPT '87 Proceedings*, Springer-Verlag, 1988, pp. 267–278.Google Scholar - [Vau96]S. Vaudenay, “On the Weak Keys in Blowfish,”
*Proceedings of the Cambridge Algorithms Workshop*, 1996, to appear.Google Scholar - [Wag95]D. Wagner, personal communication.Google Scholar
- [Win84]R.S. Winternitz, “Producing One-Way Hash Functions from DES,”
*Advances in Cryptology: Proceedings of Crypto 83*, Plenum Press, 1984, pp. 203–207.Google Scholar - [ZPS93]Y. Zheng, J. Pieprzyk, and J. Seberry, “HAVAL — A One-Way Hashing Algorithm with Variable Length of Output,”
*Advances in Cryptology — AUSCRYPT '92 Proceedings*, Springer-Verlag, 1993, pp. 83–104Google Scholar

## Copyright information

© Springer-Verlag Berlin Heidelberg 1996