Security of Random Feistel Schemes with 5 or More Rounds

  • Jacques Patarin
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3152)


We study cryptographic attacks on random Feistel schemes. We denote by m the number of plaintext/ciphertext pairs, and by k the number of rounds. In their famous paper [3], M. Luby and C. Rackoff have completely solved the cases m≪ 2 n/2: the schemes are secure against all adaptive chosen plaintext attacks (CPA-2) when k≥ 3 and against all adaptive chosen plaintext and chosen ciphertext attacks (CPCA-2) when k≥ 4 (for this second result a proof is given in [9]).

In this paper we study the cases m≪2 n . We will use the “coefficients H technique” of proof to analyze known plaintext attacks (KPA), adaptive or non-adaptive chosen plaitext attacks (CPA-1 and CPA-2) and adaptive or non-adaptive chosen plaitext and chosen ciphertext attacks (CPCA-1 and CPCA-2). In the first part of this paper, we will show that when m≪ 2 n the schemes are secure against all KPA when k≥4, against all CPA-2 when k≥ 5 and against all CPCA-2 attacks when k≥6. This solves an open problem of [1], [14], and it improves the result of [14] (where more rounds were needed and m≪ 2 n(1 − − ε) was obtained instead of m≪ 2 n ). The number 5 of rounds is minimal since CPA-2 attacks on 4 rounds are known when mO(2 n/2) (see [1], [10]). Furthermore, in all these cases we have always obtained an explicit majoration for the distinguishing probability. In the second part of this paper, we present some improved generic attacks. For k=5 rounds, we present a KPA with m ≃ 23n/2 and a non-adaptive chosen plaintext attack (CPA-1) with m ≃ 2 n . For k≥ 7 rounds we also show some improved attacks against random Feistel generators (with more than one permutation to analyze and ≥ 22 n computations).


Random Permutation Block Cipher Round Function Generic Attack Plaintext Attack 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Aiello, W., Venkatesan, R.: Foiling Birthday Attacks in Length-Doubling Transformations-Benes: A Non-Reversible Alternative to Feistel. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 307–320. Springer, Heidelberg (1996)Google Scholar
  2. 2.
    Knudsen, L.R.: DEAL - A 128 bit Block Cipher. Technical Report #151, University of Bergen, Departement of Informatics, Norway (February 1998)Google Scholar
  3. 3.
    Luby, M., Rackoff, C.: How to construct pseudorandom permutations from pseudorandom functions. SIAM Journal on Computing 17(2), 373–386 (1988)zbMATHCrossRefMathSciNetGoogle Scholar
  4. 4.
    Maurer, U.: A simplified and generalized treatment of Luby-Rackoff pseudorandom permutation generators. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 239–255. Springer, Heidelberg (1993)CrossRefGoogle Scholar
  5. 5.
    Maurer, U.: Indistinguishability of Random Systems. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 110–132. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  6. 6.
    Maurer, U., Pietrzak, K.: The security of Many-Round Luby-Rackoff Pseudo- Random Permutations. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, Springer, Heidelberg (2003)CrossRefGoogle Scholar
  7. 7.
    Nachev, V.: Random Feistel schemes for m = 3, available from the author at: Valerie.nachef@math.u-cergy.frGoogle Scholar
  8. 8.
    Naor, M., Reingold, O.: On the Construction of pseudo-random perlutations: Luby-Rackoff revisited. Journal of Cryptology 12, 29–66 (1999); Extended abstract was published. In: Proc. 29th Ann. ACM Symp. on Theory of Computing, pp. 189–199 (1997)zbMATHCrossRefMathSciNetGoogle Scholar
  9. 9.
    Patarin, J.: Pseudorandom Permutations based on the DES Scheme. In: Charpin, P., Cohen, G. (eds.) EUROCODE 1990. LNCS, vol. 514, pp. 193–204. Springer, Heidelberg (1991)Google Scholar
  10. 10.
    Patarin, J.: New results on pseudorandom permutation generators based on the DES scheme. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 301–312. Springer, Heidelberg (1992)Google Scholar
  11. 11.
    Patarin, J.: Etude des générateurs de permutations basés sur le schéma du DES. Ph. D. Thesis, Inria, Domaine de Voluceau, Le Chesnay, France (1991)Google Scholar
  12. 12.
    Patarin, J.: About Feistel Schemes with 6 (or More) Rounds. In: Fast Software Encryption 1998, pp. 103–121 (1998)Google Scholar
  13. 13.
    Patarin, J.: Generic Attacks on Feistel Schemes. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 222–238. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  14. 14.
    Patarin, J.: Luby-Rackoff: 7 Rounds are Enough for 2n(1−_) Security. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 513–529. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  15. 15.
    Patarin, J.: Extended version of this paper, avaible from the authorGoogle Scholar
  16. 16.
    Schneier, B., Kelsey, J.: Unbalanced Feistel Networks and Block Cipher Design. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 121–144. Springer, Heidelberg (1996)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Jacques Patarin
    • 1
  1. 1.Université de VersaillesVersailles CedexFrance

Personalised recommendations