Security of Random Feistel Schemes with 5 or More Rounds
We study cryptographic attacks on random Feistel schemes. We denote by $m$ the number of plaintext/ciphertext pairs, and by $k$ the number of rounds. In their famous paper, M. Luby and C. Rackoff have completely solved the cases $m \ll 2^{n/2}$: the schemes are secure against all adaptive chosen plaintext attacks (CPA-2) when $k \geq 3$ and against all adaptive chosen plaintext and chosen ciphertext attacks (CPCA-2) when $k \geq 4$ (for this second result a proof is given in ).
In this paper we study the cases $m \ll 2^{n}$. We will use the "coefficients H technique" of proof to analyze known plaintext attacks (KPA), adaptive or non-adaptive chosen plaintext attacks (CPA-1 and CPA-2) and adaptive or non-adaptive chosen plaintext and chosen ciphertext attacks (CPCA-1 and CPCA-2). In the first part of this paper, we will show that when $m \ll 2^{n}$ the schemes are secure against all KPA when $k \geq 4$, against all CPA-2 when $k \geq 5$ and against all CPCA-2 attacks when $k \geq 6$. This solves an open problem of , , and it improves the result of  (where more rounds were needed and $m \ll 2^{n(1-\varepsilon)}$ was obtained instead of $m \ll 2^{n}$). The number 5 of rounds is minimal since CPA-2 attacks on 4 rounds are known when $m \geq O(2^{n/2})$ (see , ). Furthermore, in all these cases we have always obtained an explicit upper bound for the distinguishing probability. In the second part of this paper, we present some improved generic attacks. For $k = 5$ rounds, we present a KPA with $m \simeq 2^{3n/2}$ and a non-adaptive chosen plaintext attack (CPA-1) with $m \simeq 2^{n}$. For $k \geq 7$ rounds we also show some improved attacks against random Feistel generators (with more than one permutation to analyze and $\geq 2^{2n}$ computations).
Keywords: Random Permutation, Block Cipher, Round Function, Generic Attack, Plaintext Attack
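To illustrate why 4 rounds do not suffice against chosen plaintext attacks once $m$ reaches about $2^{n/2}$, the following added example (not code from the paper) builds a $k$-round random Feistel scheme and measures one well-known collision statistic: with the right half fixed, pairs satisfying $S_i \oplus L_i = S_j \oplus L_j$ occur about twice as often for 4 rounds as for a random permutation, while 5 rounds show no such excess. The toy size $n = 8$, the use of all $2^n$ left halves, the seed and all function names are assumptions made here.

```python
import random
from collections import Counter

def make_feistel(k, n, rng):
    """k-round Feistel on 2n bits; every round function is a uniformly random table."""
    fs = [[rng.randrange(1 << n) for _ in range(1 << n)] for _ in range(k)]
    def enc(L, R):
        for f in fs:                      # one round: (L, R) -> (R, L xor f(R))
            L, R = R, L ^ f[R]
        return L, R
    def dec(S, T):
        for f in reversed(fs):            # undo the rounds in reverse order
            S, T = T ^ f[S], S
        return S, T
    return enc, dec

def make_random_perm(n, rng):
    """Uniformly random permutation of 2n-bit blocks (the ideal reference object)."""
    table = list(range(1 << (2 * n)))
    rng.shuffle(table)
    def enc(L, R):
        y = table[(L << n) | R]
        return y >> n, y & ((1 << n) - 1)
    return enc

def collision_count(enc, n, R=0):
    """Pairs i<j with S_i ^ L_i == S_j ^ L_j, over all 2^n left halves with R fixed."""
    seen = Counter(enc(L, R)[0] ^ L for L in range(1 << n))
    return sum(v * (v - 1) // 2 for v in seen.values())

def average_counts(n=8, trials=20, seed=1):
    """Mean collision count for 4 rounds, 5 rounds and a random permutation."""
    rng = random.Random(seed)             # constructed, seeded sample data
    makers = {
        "feistel4": lambda: make_feistel(4, n, rng)[0],
        "feistel5": lambda: make_feistel(5, n, rng)[0],
        "random": lambda: make_random_perm(n, rng),
    }
    return {name: sum(collision_count(make(), n) for _ in range(trials)) / trials
            for name, make in makers.items()}

if __name__ == "__main__":
    print(average_counts())
```

The statistic is blind at 5 rounds, which is consistent with the abstract's claim that 5 is the minimal number of rounds for CPA-2 security when $m \ll 2^{n}$; it says nothing about the paper's own 5-round attacks, which need far more data.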
- 1. Aiello, W., Venkatesan, R.: Foiling Birthday Attacks in Length-Doubling Transformations - Benes: A Non-Reversible Alternative to Feistel. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 307–320. Springer, Heidelberg (1996)
- 2. Knudsen, L.R.: DEAL - A 128 bit Block Cipher. Technical Report #151, University of Bergen, Department of Informatics, Norway (February 1998)
- 7. Nachev, V.: Random Feistel schemes for m = 3, available from the author at: Valerie.firstname.lastname@example.org
- 9. Patarin, J.: Pseudorandom Permutations based on the DES Scheme. In: Charpin, P., Cohen, G. (eds.) EUROCODE 1990. LNCS, vol. 514, pp. 193–204. Springer, Heidelberg (1991)
- 10. Patarin, J.: New results on pseudorandom permutation generators based on the DES scheme. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 301–312. Springer, Heidelberg (1992)
- 11. Patarin, J.: Etude des générateurs de permutations basés sur le schéma du DES. Ph. D. Thesis, Inria, Domaine de Voluceau, Le Chesnay, France (1991)
- 12. Patarin, J.: About Feistel Schemes with 6 (or More) Rounds. In: Fast Software Encryption 1998, pp. 103–121 (1998)
- 15. Patarin, J.: Extended version of this paper, available from the author
- 16. Schneier, B., Kelsey, J.: Unbalanced Feistel Networks and Block Cipher Design. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 121–144. Springer, Heidelberg (1996)