On Generalized Feistel Networks

  • Viet Tung Hoang
  • Phillip Rogaway
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6223)


We prove beyond-birthday-bound security for most of the well-known types of generalized Feistel networks: (1) unbalanced Feistel networks, where the n-bit to m-bit round functions may have \(n\ne m\); (2) alternating Feistel networks, where the round functions alternate between contracting and expanding; (3) type-1, type-2, and type-3 Feistel networks, where n-bit to n-bit round functions are used to encipher kn-bit strings for some k ≥ 2; and (4) numeric variants of any of the above, where one enciphers numbers in some given range rather than strings of some given size. Using a unified analytic framework, we show that, in any of these settings, for any ε> 0, with enough rounds, the subject scheme can tolerate CCA attacks of up to q~N 1 − ε adversarial queries, where N is the size of the round functions’ domain (the larger domain for alternating Feistel). Prior analyses for most generalized Feistel networks established security to only q~N 0.5 queries.


Block ciphers coupling Feistel networks generalized Feistel networks modes of operation provable security symmetric techniques 


  1. 1.
    Anderson, R., Biham, E.: Two practical and provably secure block ciphers: BEAR and LION. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 113–120. Springer, Heidelberg (1996)Google Scholar
  2. 2.
    Bellare, M., Rogaway, P., Spies, T.: The FFX mode of operation for format-preserving encryption (draft 1.1). NIST submission (February 2010),
  3. 3.
    Black, J., Rogaway, P.: Ciphers with arbitrary finite domains. In: Preneel, B. (ed.) CT-RSA 2002. LNCS, vol. 2271, pp. 114–130. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  4. 4.
    Bellare, M., Ristenpart, T., Rogaway, P., Stegers, T.: Format-preserving encryption. In: Jacobson Jr., M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 295–312. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  5. 5.
    Brightwell, M., Smith, H.: Using datatype-preserving encryption to enhance data warehouse security. In: 20th NISSC Proceedings, pp. 141–149 (1997),
  6. 6.
    Coppersmith, D.: Luby-Rackoff: four rounds is not enough. Technical Report RC 20674, IBM (December 1996)Google Scholar
  7. 7.
    Feistel, H., Notz, W., Smith, J.: Some cryptographic techniques for machine-to-machine data communications. In: Proc. of the IEEE, vol. 63, pp. 1545–1554 (1975)Google Scholar
  8. 8.
    Hoang, V., Rogaway, P.: On generalized Feistel networks. Full version of this paper. Cryptology ePrint report 2010/301, May26 (2010)Google Scholar
  9. 9.
    Jutla, C.: Generalized birthday attacks on unbalanced Feistel networks. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 186–199. Springer, Heidelberg (1998)Google Scholar
  10. 10.
    Luby, M., Rackoff, C.: How to construct pseudorandom permutations from pseudorandom functions. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 447–447. Springer, Heidelberg (1986)Google Scholar
  11. 11.
    Lucks, S.: Faster Luby-Rackoff ciphers. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 189–203. Springer, Heidelberg (1996)Google Scholar
  12. 12.
    Maurer, U.: A simplified and generalized treatment of Luby-Rackoff pseudorandom permutation generator. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 239–255. Springer, Heidelberg (1993)CrossRefGoogle Scholar
  13. 13.
    Maurer, U., Pietrzak, K.: The security of many-round Luby-Rackoff pseudo-random permutations. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 544–561. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  14. 14.
    Maurer, U., Pietrzak, K., Renner, R.: Indistinguishability amplification. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 130–149. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  15. 15.
    Mirinov, I. (Not so) random shuffles of RC4. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 304–319. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  16. 16.
    Moriai, S., Vaudenay, S.: On the pseudorandomness of top-level schemes of block ciphers. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 289–302. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  17. 17.
    Morris, B., Rogaway, P., Stegers, T.: How to encipher messages on a small domain: deterministic encryption and the Thorp shuffle. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 286–302. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  18. 18.
    Nachef, V.: Generic attacks on alternating unbalanced Feistel schemes. Cryptology ePrint report 2009/287, June 16 (2009)Google Scholar
  19. 19.
    Naor, M., Reingold, O.: On the construction of pseudo-random permutations: Luby-Rackoff revisited. Journal of Cryptology 12(1), 29–66 (1997)CrossRefMathSciNetGoogle Scholar
  20. 20.
    Nyberg, K.: Generalized Feistel networks. In: Kim, K.-c., Matsumoto, T. (eds.) ASIACRYPT 1996. LNCS, vol. 1163, pp. 91–104. Springer, Heidelberg (1996)CrossRefGoogle Scholar
  21. 21.
    Patarin, J.: About Feistel schemes with six (or more) rounds. In: Vaudenay, S. (ed.) FSE 1998. LNCS, vol. 1372, pp. 103–121. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  22. 22.
    Patarin, J.: Generic attacks on Feistel schemes. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 222–238. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  23. 23.
    Patarin, J.: Luby-Rackoff: 7 Rounds are enough for 2n − ε security. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 513–529. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  24. 24.
    Patarin, J.: New results on pseudorandom permutation generators based on the DES scheme. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 301–312. Springer, Heidelberg (1992)Google Scholar
  25. 25.
    Patarin, J.: Security of balanced and unbalanced Feistel schemes with linear non equalities. Cryptology ePrint report 2010/293. May 17 (2010)Google Scholar
  26. 26.
    Patarin, J.: Security of random Feistel schemes with 5 or more rounds. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 106–122. Springer, Heidelberg (2004)Google Scholar
  27. 27.
    Patarin, J., Nachef, V., Berbain, C.: Generic attacks on unbalanced Feistel schemes with contracting functions. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 396–411. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  28. 28.
    Patarin, J., Nachef, V., Berbain, C.: Generic attacks on unbalanced Feistel schemes with expanding functions. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 325–341. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  29. 29.
    PCI Security Standards Council. Payment Card Industry (PCI) Data Security Standard: Requirements and Security Assessment Procedures, version 1.2.1 (July 2009),
  30. 30.
    Schneier, B., Kelsey, J.: Unbalanced Feistel networks and block cipher design. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 121–144. Springer, Heidelberg (1996)Google Scholar
  31. 31.
    Smith, J.: The design of Lucifer: a cryptographic device for data communications. IBM Research Report RC 3326. IBM T.J. Watson Research Center, Yorktown Heights, New York, USA (April 15, 1971)Google Scholar
  32. 32.
    Thorp, E.: Nonrandom shuffling with applications to the game of Faro. Journal of the American Statistical Association 68, 842–847 (1973)zbMATHCrossRefGoogle Scholar
  33. 33.
    Vaudenay, S.: Provable security for block ciphers by decorrelation. In: Meinel, C., Morvan, M. (eds.) STACS 1998. LNCS, vol. 1373, pp. 249–275. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  34. 34.
    Yun, A., Park, J., Lee, J.: On Lai-Massey and quasi-Feistel ciphers. In: Designs, Codes and Cryptography, Online First (2010)Google Scholar
  35. 35.
    Zheng, Y., Matsumoto, T., Imai, H.: On the construction of block ciphers provably secure and not relying on any unproved hypotheses. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 461–480. Springer, Heidelberg (1990)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Viet Tung Hoang
    • 1
  • Phillip Rogaway
    • 1
  1. 1.Dept. of Computer ScienceUniversity of CaliforniaDavisUSA

Personalised recommendations