Revisiting Key-Alternating Feistel Ciphers for Shorter Keys and Multi-user Security

  • Chun Guo
  • Lei WangEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11272)


Key-Alternating Feistel (KAF) ciphers, a.k.a. Feistel-2 models, refer to Feistel networks with round functions of the form \(F_i(k_i\oplus x_i)\), where \(k_i\) is the (secret) round-key and \(F_i\) is a public random function. This model roughly captures the structures of many famous Feistel ciphers, and the most prominent instance is DES.

Existing provable security results on KAF assumed independent round-keys and round functions (ASIACRYPT 2004 & FSE 2014). In this paper, we investigate how to achieve security under simpler and more realistic assumptions: with round-keys derived from a short main-key, and hopefully with identical round functions.

For birthday-type security, we consider 4-round KAF, investigate the minimal conditions on the way to derive the four round-keys, and prove that when such adequately derived keys and the same round function are used, the 4-round KAF is secure up to \(2^{n/2}\) queries.

For beyond-birthday security, we focus on 6-round KAF. We prove that when the adjacent round-keys are independent, and independent round-functions are used, the 6 round KAF is secure up to \(2^{2n/3}\) queries. To our knowledge, this is the first beyond-birthday security result for KAF without assuming completely independent round-keys.

Our results hold in the multi-user setting as well, constituting the first non-trivial multi-user provable security results on Feistel ciphers. We finally demonstrate applications of our results on designing key-schedules and instantiating keyed sponge constructions.


Blockcipher Provable security Multi-user security Key-alternating cipher Feistel cipher Key-schedule design Keyed sponge 



We thank the reviewers for invaluable comments, and for pointing [25] to us. Chun Guo is funded in part by the ERC project 724725 (acronym SWORD), and would like to thank François-Xavier Standaert for the invaluable support. Lei Wang is supported by National Natural Science Foundation of China (61602302, 61472250, 61672347), Natural Science Foundation of Shanghai (16ZR1416400), Shanghai Excellent Academic Leader Funds (16XD1401300), 13th five-year National Development Fund of Cryptography (MMJJ20170114).

Finally we thank Yaobin Shen for identifying a flaw (in Lemma 5) in an earlier version of the proof, and Christian Rechberger and Damian Vizár for the discussion on multi-party computation.


  1. 1.
    Andreeva, E., Daemen, J., Mennink, B., Van Assche, G.: Security of keyed sponge constructions using a modular proof approach. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 364–384. Springer, Heidelberg (2015). CrossRefGoogle Scholar
  2. 2.
    Bar-On, A., Biham, E., Dunkelman, O., Keller, N.: Efficient slide attacks. J. Cryptol. 31(3), 641–670 (2017)MathSciNetCrossRefGoogle Scholar
  3. 3.
    Barbosa, M., Farshim, P.: The related-key analysis of Feistel constructions. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 265–284. Springer, Heidelberg (2015). CrossRefGoogle Scholar
  4. 4.
    Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., Wingers, L.: The SIMON and SPECK families of lightweight block ciphers. Cryptology ePrint Archive, Report 2013/404 (2013).
  5. 5.
    Bellare, M., Boldyreva, A., Micali, S.: Public-key encryption in a multi-user setting: security proofs and improvements. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 259–274. Springer, Heidelberg (2000). CrossRefzbMATHGoogle Scholar
  6. 6.
    Bellare, M., Tackmann, B.: The multi-user security of authenticated encryption: AES-GCM in TLS 1.3. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, part I. LNCS, vol. 9814, pp. 247–276. Springer, Heidelberg (2016). CrossRefzbMATHGoogle Scholar
  7. 7.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge functions. In: Ecrypt Hash Workshop 2007 (2007)Google Scholar
  8. 8.
    Biham, E.: How to decrypt or even substitute DES-encrypted messages in \(2^{28}\) steps. Inf. Process. Lett. 84(3), 117–124 (2002)MathSciNetCrossRefGoogle Scholar
  9. 9.
    Biryukov, A., Nikolić, I.: Complementing Feistel ciphers. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 3–18. Springer, Heidelberg (2014). CrossRefGoogle Scholar
  10. 10.
    Biryukov, A., Wagner, D.: Advanced slide attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 589–606. Springer, Heidelberg (2000). CrossRefGoogle Scholar
  11. 11.
    Bogdanov, A., Knudsen, L.R., Leander, G., Standaert, F.-X., Steinberger, J., Tischhauser, E.: Key-alternating ciphers in a provable setting: encryption using a small number of public permutations. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 45–62. Springer, Heidelberg (2012). CrossRefzbMATHGoogle Scholar
  12. 12.
    Bose, P., Hoang, V.T., Tessaro, S.: Revisiting AES-GCM-SIV: multi-user security, faster key derivation, and better bounds. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, part I. LNCS, vol. 10820, pp. 468–499. Springer, Cham (2018). CrossRefGoogle Scholar
  13. 13.
    Canetti, R., Goldreich, O., Halevi, S.: The random Oracle methodology. Revisit. J. ACM 51(4), 557–594 (2004)MathSciNetCrossRefGoogle Scholar
  14. 14.
    Chen, S., Lampe, R., Lee, J., Seurin, Y., Steinberger, J.: Minimizing the Two-Round Even-Mansour cipher. J. Cryptol. 31(4), 1064–119 (2018)MathSciNetCrossRefGoogle Scholar
  15. 15.
    Chen, S., Steinberger, J.: Tight security bounds for key-alternating ciphers. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 327–350. Springer, Heidelberg (2014). CrossRefGoogle Scholar
  16. 16.
    Cogliati, B., Lampe, R., Seurin, Y.: Tweaking Even-Mansour ciphers. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015, part I. LNCS, vol. 9215, pp. 189–208. Springer, Heidelberg (2015). CrossRefGoogle Scholar
  17. 17.
    Cogliati, B., Seurin, Y.: Beyond-birthday-bound security for tweakable Even-Mansour ciphers with linear tweak and key mixing. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015, part II. LNCS, vol. 9453, pp. 134–158. Springer, Heidelberg (2015). CrossRefGoogle Scholar
  18. 18.
    Daemen, J., Rijmen, V.: Probability distributions of correlation and differentials in block ciphers. J. Math. Cryptol. 1(3), 221–242 (2007)MathSciNetCrossRefGoogle Scholar
  19. 19.
    Dai, Y., Seurin, Y., Steinberger, J., Thiruvengadam, A.: Indifferentiability of iterated even-mansour ciphers with non-idealized key-schedules: five rounds are necessary and sufficient. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, part III. LNCS, vol. 10403, pp. 524–555. Springer, Cham (2017). CrossRefGoogle Scholar
  20. 20.
    Dodis, Y., Katz, J., Steinberger, J., Thiruvengadam, A., Zhang, Z.: Provable security of substitution-permutation networks. Cryptology ePrint Archive, Report 2017/016 (2017).
  21. 21.
    Dunkelman, O., Keller, N., Shamir, A.: Slidex attacks on the Even-Mansour encryption scheme. J. Cryptol. 28(1), 1–28 (2015)MathSciNetCrossRefGoogle Scholar
  22. 22.
    Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. J. Cryptol. 10(3), 151–161 (1997)MathSciNetCrossRefGoogle Scholar
  23. 23.
    Gaži, P., Pietrzak, K., Tessaro, S.: The exact PRF security of truncation: tight bounds for keyed sponges and truncated CBC. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015, part I. LNCS, vol. 9215, pp. 368–387. Springer, Heidelberg (2015). CrossRefGoogle Scholar
  24. 24.
    Gentry, C., Ramzan, Z.: Eliminating random permutation oracles in the Even-Mansour cipher. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 32–47. Springer, Heidelberg (2004). CrossRefzbMATHGoogle Scholar
  25. 25.
    Gilboa, S., Gueron, S., Nandi, M.: Balanced permutations Even-Mansour ciphers. Cryptography 1(1), 2 (2017)CrossRefGoogle Scholar
  26. 26.
    Gueron, S., Lindell, Y.: Better bounds for block cipher modes of operation via nonce-based key derivation. CCS 2017, 1019–1036 (2017)Google Scholar
  27. 27.
    Guo, C., Lin, D.: On the indifferentiability of key-alternating Feistel ciphers with no key derivation. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, part I. LNCS, vol. 9014, pp. 110–133. Springer, Heidelberg (2015). CrossRefGoogle Scholar
  28. 28.
    Guo, C., Wang, L.: Revisiting key-alternating Feistel ciphers for shorter keys and multi-user security. Cryptology ePrint Archive, Report 2018/816 (2018). The full version of this paper
  29. 29.
    Guo, J., Jean, J., Nikolić, I., Sasaki, Y.: Meet-in-the-middle attacks on generic Feistel constructions. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, part I. LNCS, vol. 8873, pp. 458–477. Springer, Heidelberg (2014). CrossRefGoogle Scholar
  30. 30.
    Guo, J., Peyrin, T., Poschmann, A.: The PHOTON family of lightweight hash functions. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 222–239. Springer, Heidelberg (2011). CrossRefGoogle Scholar
  31. 31.
    Hoang, V.T., Rogaway, P.: On generalized Feistel networks. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 613–630. Springer, Heidelberg (2010). CrossRefGoogle Scholar
  32. 32.
    Hoang, V.T., Tessaro, S.: Key-alternating ciphers and key-length extension: exact bounds and multi-user security. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, part I. LNCS, vol. 9814, pp. 3–32. Springer, Heidelberg (2016). CrossRefGoogle Scholar
  33. 33.
    Isobe, T., Shibutani, K.: Generic key recovery attack on Feistel scheme. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, part I. LNCS, vol. 8269, pp. 464–485. Springer, Heidelberg (2013). CrossRefGoogle Scholar
  34. 34.
    Izadi, M., Sadeghiyan, B., Sadeghian, S.S., Khanooki, H.A.: MIBS: a new lightweight block cipher. In: Garay, J.A., Miyaji, A., Otsuka, A. (eds.) CANS 2009. LNCS, vol. 5888, pp. 334–348. Springer, Heidelberg (2009). CrossRefGoogle Scholar
  35. 35.
    Jager, T., Stam, M., Stanley-Oakes, R., Warinschi, B.: Multi-key authenticated encryption with corruptions: reductions are lossy. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 409–441. Springer, Cham (2017). CrossRefGoogle Scholar
  36. 36.
    Lampe, R., Seurin, Y.: Security analysis of key-alternating Feistel ciphers. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 243–264. Springer, Heidelberg (2015). CrossRefGoogle Scholar
  37. 37.
    Luby, M., Wigderson, A.: Pairwise independence and derandomization. Found. Trends Theor. Comput. Sci. 1(4), 237–301 (2005)MathSciNetCrossRefGoogle Scholar
  38. 38.
    Luby, M.G., Rackoff, C.: Pseudo-random permutation generators and cryptographic composition. In: Proceedings of the Eighteenth Annual ACM Symposium on Theory of Computing, STOC 1986, pp. 356–363. ACM, New York (1986)Google Scholar
  39. 39.
    Mandal, A., Patarin, J., Seurin, Y.: On the public indifferentiability and correlation intractability of the 6-round Feistel construction. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 285–302. Springer, Heidelberg (2012). CrossRefzbMATHGoogle Scholar
  40. 40.
    Maurer, U., Pietrzak, K.: The security of many-round Luby-Rackoff pseudo-random permutations. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 544–561. Springer, Heidelberg (2003). CrossRefGoogle Scholar
  41. 41.
    Miles, E., Viola, E.: Substitution-permutation networks, pseudorandom functions, and natural proofs. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 68–85. Springer, Heidelberg (2012). CrossRefGoogle Scholar
  42. 42.
    Mouha, N., Luykx, A.: Multi-key security: the even-mansour construction revisited. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015, part I. LNCS, vol. 9215, pp. 209–223. Springer, Heidelberg (2015). CrossRefGoogle Scholar
  43. 43.
    Mouha, N., Mennink, B., Van Herrewege, A., Watanabe, D., Preneel, B., Verbauwhede, I.: Chaskey: an efficient MAC algorithm for 32-bit microcontrollers. In: Joux, A., Youssef, A. (eds.) SAC 2014. LNCS, vol. 8781, pp. 306–323. Springer, Cham (2014). CrossRefGoogle Scholar
  44. 44.
    Nachef, V., Patarin, J., Volte, E.: Feistel Ciphers. Security Proofs and Cryptanalysis. Springer, Cham (2017). CrossRefzbMATHGoogle Scholar
  45. 45.
    Nandi, M.: The characterization of Luby-Rackoff and its optimum single-key variants. In: Gong, G., Gupta, K.C. (eds.) INDOCRYPT 2010. LNCS, vol. 6498, pp. 82–97. Springer, Heidelberg (2010). CrossRefGoogle Scholar
  46. 46.
    Nandi, M.: On the optimality of non-linear computations of length-preserving encryption schemes. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015, part II. LNCS, vol. 9453, pp. 113–133. Springer, Heidelberg (2015). CrossRefGoogle Scholar
  47. 47.
    Patarin, J.: How to construct pseudorandom and super pseudorandom permutations from one single pseudorandom function. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 256–266. Springer, Heidelberg (1993). CrossRefGoogle Scholar
  48. 48.
    Patarin, J.: Improved security bounds for pseudorandom permutations. In: CCS 1997, pp. 142–150. ACM (1997)Google Scholar
  49. 49.
    Patarin, J.: Security of random Feistel schemes with 5 or more rounds. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 106–122. Springer, Heidelberg (2004). CrossRefGoogle Scholar
  50. 50.
    Ramzan, Z., Reyzin, L.: On the round security of symmetric-key cryptographic primitives. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 376–393. Springer, Heidelberg (2000). CrossRefGoogle Scholar
  51. 51.
    Rotaru, D., Smart, N.P., Stam, M.: Modes of operation suitable for computing on encrypted data. IACR Trans. Symmetric Cryptol. 2017(3), 294–324 (2017)Google Scholar
  52. 52.
    Sadeghiyan, B., Pieprzyk, J.: A construction for super pseudorandom permutations from a single pseudorandom function. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 267–284. Springer, Heidelberg (1993). CrossRefGoogle Scholar
  53. 53.
    Soni, P., Tessaro, S.: Public-seed pseudorandom permutations. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, part II. LNCS, vol. 10211, pp. 412–441. Springer, Cham (2017). CrossRefGoogle Scholar
  54. 54.
    Standaert, F.-X., Pereira, O., Yu, Y.: Leakage-resilient symmetric cryptography under empirically verifiable assumptions. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 335–352. Springer, Heidelberg (2013). CrossRefGoogle Scholar
  55. 55.
    Suzaki, T., Minematsu, K., Morioka, S., Kobayashi, E.: \(\mathit{TWINE}\): a lightweight block cipher for multiple platforms. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 339–354. Springer, Heidelberg (2013)Google Scholar
  56. 56.
    Tessaro, S.: Optimally secure block ciphers from ideal primitives. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015, part II. LNCS, vol. 9453, pp. 437–462. Springer, Heidelberg (2015). CrossRefGoogle Scholar
  57. 57.
    Wu, W., Zhang, L.: LBlock: a lightweight block cipher. In: Lopez, J., Tsudik, G. (eds.) ACNS 2011. LNCS, vol. 6715, pp. 327–344. Springer, Heidelberg (2011). CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  1. 1.ICTEAM/ELEN/Crypto GroupUniversité Catholique de LouvainLouvain-la-NeuveBelgium
  2. 2.Shanghai Jiao Tong UniversityShanghaiChina
  3. 3.Westone Cryptologic Research CenterBeijingChina

Personalised recommendations