
Related-Key Analysis of Generalized Feistel Networks with Expanding Round Functions

  • Conference paper
  • Published in: Topics in Cryptology – CT-RSA 2021 (CT-RSA 2021)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12704)

Abstract

We extend the prior provable related-key security analysis of (generalized) Feistel networks (Barbosa and Farshim, FSE 2014; Yu et al., Inscrypt 2020) to the setting of expanding round functions, i.e., n-bit to m-bit round functions with \(n<m\). This includes Expanding Feistel Networks (\(\mathsf{EFN}\)s), which rely purely on such expanding round functions, and Alternating Feistel Networks (\(\mathsf{AFN}\)s), which alternate expanding and contracting round functions. We show that, when two independent keys \(K_1,K_2\) are used alternately in each round, (a) \(2\lceil \frac{m}{n}\rceil +2\) rounds are sufficient for related-key security of \(\mathsf{EFN}\)s, and (b) a constant number of 4 rounds is sufficient for related-key security of \(\mathsf{AFN}\)s. Our results complete the picture of provable related-key security of GFNs, and provide additional theoretical support for the \(\mathsf{AFN}\)-based NIST format-preserving encryption standards FF1 and FF3.

Y. Zhao and W. Yu are co-first authors of the article.


Notes

  1. It takes \(n\cdot 2^m\) bits to describe the table of a contracting random function from \(\{0,1\}^m\) to \(\{0,1\}^n\), but \(m\cdot 2^n\) bits for an expanding one from \(\{0,1\}^n\) to \(\{0,1\}^m\).

  2. For \(\mathsf{AFN}\)-based modes we might have \(n=128\), and the bound would be meaningful. We hope to see concrete designs.

  3. Although many have mentioned the possibility of CCA security on 4 rounds [33].

  4. Because of this, even numbers of rounds are likely vulnerable to recent advanced slide attacks [20]. We remark, though, that slide attacks typically require complexity of at least \(2^{n/2}\) [11, 12, 20, 22], and thus do not violate our birthday provable bounds. Seeking beyond-birthday provable bounds is a promising future direction.

  5. This was termed multi-key RKA security in [5]. As we refer to the classical security model with a single “static” secret key as the “single-key (CCA) model”, we use the terms single-user and multi-user here for distinction.

  6. We stress that \(G^{m,n}\) and \(F^{n,m}\) must be “independent”, in the sense that \((G_{K_1}^{m,n},F_{K_2}^{n,m})\) using independent keys \(K_1,K_2\) is indistinguishable from a pair of independent ideal keyed functions \((\mathsf{RG}^{m,n},\mathsf{RF}^{n,m})\). For example, \(G^{m,n}\) and \(F^{n,m}\) cannot be built from the same primitive, such as the AES.
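The two constructions named in the abstract, with the round counts it states and keys alternating \(K_1,K_2\), as an added illustration that is not code from the paper. The round functions are counter-mode HMAC stand-ins for the ideal keyed functions the paper models, the wiring (an unbalanced Feistel round that writes the expanded value into the wide half, and an alternating network without swapping) is an assumption about the paper's definitions, and G and F are deliberately built on different hash primitives to mirror note 6's independence requirement.

```python
import hmac
import math

def keyed_func(key: bytes, x: int, in_bits: int, out_bits: int, algo: str) -> int:
    """Keyed function {0,1}^in_bits -> {0,1}^out_bits built from counter-mode
    HMAC (an assumption standing in for the ideal keyed functions the paper models)."""
    msg = x.to_bytes((in_bits + 7) // 8, "big")
    out, ctr = b"", 0
    while len(out) * 8 < out_bits:          # concatenate HMAC blocks until out_bits are available
        out += hmac.new(key, bytes([ctr]) + msg, algo).digest()
        ctr += 1
    return int.from_bytes(out, "big") >> (len(out) * 8 - out_bits)

def efn_rounds(n: int, m: int) -> int:
    return 2 * math.ceil(m / n) + 2         # EFN round count stated in the abstract

AFN_ROUNDS = 4                              # AFN round count stated in the abstract

def efn(x: int, n: int, m: int, k1: bytes, k2: bytes, decrypt: bool = False) -> int:
    """Expanding Feistel network on n+m bits. One round maps A|B (|A|=n, |B|=m)
    to (B xor F_K(A)) | A with an n->m round function; keys alternate K1, K2."""
    keys = [k1, k2] * (efn_rounds(n, m) // 2)
    for k in (reversed(keys) if decrypt else keys):
        if not decrypt:
            a, b = x >> m, x & ((1 << m) - 1)
            x = ((b ^ keyed_func(k, a, n, m, "sha3_256")) << n) | a
        else:                               # undo: low n bits are A, top m bits are B xor F_K(A)
            b, a = x >> n, x & ((1 << n) - 1)
            x = (a << m) | (b ^ keyed_func(k, a, n, m, "sha3_256"))
    return x

def afn(x: int, n: int, m: int, k1: bytes, k2: bytes, decrypt: bool = False) -> int:
    """Alternating Feistel network on state A|B (|A|=n, |B|=m), no swapping:
    odd rounds A ^= G_K1(B) (contracting m->n), even rounds B ^= F_K2(A)
    (expanding n->m). Alternating keys per round means G always sees K1 and
    F always sees K2. XOR rounds are self-inverse, so decryption runs the
    same rounds in reverse order."""
    a, b = x >> m, x & ((1 << m) - 1)
    order = range(AFN_ROUNDS)
    for i in (reversed(order) if decrypt else order):
        if i % 2 == 0:
            a ^= keyed_func(k1, b, m, n, "sha3_256")   # G^{m,n} under K1
        else:
            b ^= keyed_func(k2, a, n, m, "blake2b")    # F^{n,m} under K2, different primitive
    return (a << m) | b
```

Both functions are permutations on n+m bits, so `efn(efn(x, ...), ..., decrypt=True)` returns `x`; with n=8 and m=20 the EFN runs 8 rounds and the AFN 4.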

References

  1. Abdalla, M., Benhamouda, F., Passelègue, A., Paterson, K.G.: Related-key security for pseudorandom functions beyond the linear barrier. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 77–94. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_5

  2. Anderson, R., Biham, E.: Two practical and provably secure block ciphers: BEAR and LION. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 113–120. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-60865-6_48

  3. Anderson, R.J., Kuhn, M.G.: Low cost attacks on tamper resistant devices. In: Security Protocols, 5th International Workshop, Paris, France, April 7–9, 1997, Proceedings, pp. 125–136 (1997). https://doi.org/10.1007/BFb0028165

  4. Banik, S., et al.: Midori: a block cipher for low energy. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 411–436. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48800-3_17

  5. Barbosa, M., Farshim, P.: The related-key analysis of Feistel constructions. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 265–284. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46706-0_14

  6. Bellare, M., Cash, D.: Pseudorandom functions and permutations provably secure against related-key attacks. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 666–684. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_36

  7. Bellare, M., Kohno, T.: A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and applications. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 491–506. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_31

  8. Bellare, M., Ristenpart, T., Rogaway, P., Stegers, T.: Format-preserving encryption. In: Jacobson, M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 295–312. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-05445-7_19

  9. Biham, E.: New types of cryptanalytic attacks using related keys. J. Cryptol. 7(4), 229–246 (1994). https://doi.org/10.1007/BF00203965

  10. Biryukov, A., Dunkelman, O., Keller, N., Khovratovich, D., Shamir, A.: Key recovery attacks of practical complexity on AES-256 variants with up to 10 rounds. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 299–319. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_15

  11. Biryukov, A., Wagner, D.: Slide attacks. In: Knudsen, L. (ed.) FSE 1999. LNCS, vol. 1636, pp. 245–259. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48519-8_18

  12. Biryukov, A., Wagner, D.: Advanced slide attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 589–606. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_41

  13. Black, J., Rogaway, P.: Ciphers with arbitrary finite domains. In: Preneel, B. (ed.) CT-RSA 2002. LNCS, vol. 2271, pp. 114–130. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45760-7_9

  14. Brightwell, M., Smith, H.: Using datatype-preserving encryption to enhance data warehouse security. In: 20th NISSC Proceedings (1997). http://csrc.nist.gov/nissc/1997

  15. Chen, S., Steinberger, J.: Tight security bounds for key-alternating ciphers. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 327–350. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_19

  16. Cogliati, B., et al.: Provable security of (tweakable) block ciphers based on substitution-permutation networks. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 722–753. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_24

  17. Cogliati, B., Seurin, Y.: On the provable security of the iterated Even-Mansour cipher against related-key and chosen-key attacks. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 584–613. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_23

  18. PCI Security Standards Council: Payment card industry (PCI) data security standard: requirements and security assessment procedures, version 1.2.1 (2009). www.pcisecuritystandards.org

  19. Diffie, W., Ledin, G. (translators): SMS4 encryption algorithm for wireless networks. Cryptology ePrint Archive, Report 2008/329 (2008). http://eprint.iacr.org/2008/329

  20. Dunkelman, O., Keller, N., Lasry, N., Shamir, A.: New slide attacks on almost self-similar ciphers. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 250–279. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_10

  21. Dunkelman, O., Keller, N., Shamir, A.: A practical-time related-key attack on the KASUMI cryptosystem used in GSM and 3G telephony. J. Cryptol. 27(4), 824–849 (2014)

  22. Dunkelman, O., Keller, N., Shamir, A.: Slidex attacks on the Even-Mansour encryption scheme. J. Cryptol. 28(1), 1–28 (2015)

  23. Dworkin, M.: Recommendation for block cipher modes of operation: methods for format-preserving encryption. NIST Special Publication 800-38G (2016). https://doi.org/10.6028/NIST.SP.800-38G

  24. EMVCo: EMV Integrated Circuit Card Specifications for Payment Systems, Book 2, Security and Key Management, Version 4.2 (2008)

  25. Feistel, H., Notz, W.A., Smith, J.L.: Some cryptographic techniques for machine-to-machine data communications. Proc. IEEE 63(11), 1545–1554 (1975)

  26. Guo, C.: Understanding the related-key security of Feistel ciphers from a provable perspective. IEEE Trans. Inf. Theory 65(8), 5260–5280 (2019). https://doi.org/10.1109/TIT.2019.2903796

  27. Guo, J., Peyrin, T., Poschmann, A., Robshaw, M.: The LED block cipher. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 326–341. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23951-9_22

  28. Hoang, V.T., Rogaway, P.: On generalized Feistel networks. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 613–630. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_33

  29. Iwata, T., Kohno, T.: New security proofs for the 3GPP confidentiality and integrity algorithms. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 427–445. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-25937-4_27

  30. Knudsen, L.R.: Cryptanalysis of LOKI91. In: Seberry, J., Zheng, Y. (eds.) AUSCRYPT 1992. LNCS, vol. 718, pp. 196–208. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-57220-1_62

  31. Goubin, L., et al.: Crunch. Submission to NIST (2008)

  32. Luby, M., Rackoff, C.: How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Comput. 17(2), 373–386 (1988)

  33. Lucks, S.: Faster Luby-Rackoff ciphers. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 189–203. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-60865-6_53

  34. Maines, L., Piva, M., Rimoldi, A., Sala, M.: On the provable security of BEAR and LION schemes. Appl. Algebra Eng. Commun. Comput. 22(5–6), 413–423 (2011). https://doi.org/10.1007/s00200-011-0159-z

  35. Morris, B., Rogaway, P., Stegers, T.: How to encipher messages on a small domain. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 286–302. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_17

  36. Nachef, V., Patarin, J., Volte, E.: Feistel Ciphers: Security Proofs and Cryptanalysis. Springer, Cham (2017)

  37. Nandi, M.: On the optimality of non-linear computations of length-preserving encryption schemes. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 113–133. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48800-3_5

  38. Naor, M., Reingold, O.: On the construction of pseudorandom permutations: Luby-Rackoff revisited. J. Cryptol. 12(1), 29–66 (1999)

  39. Patarin, J.: Security of random Feistel schemes with 5 or more rounds. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 106–122. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_7

  40. Patarin, J.: The “coefficients H” technique (invited talk). In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 328–345. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04159-4

  41. Patarin, J.: Security of balanced and unbalanced Feistel schemes with linear non equalities. Cryptology ePrint Archive, Report 2010/293 (2010). http://eprint.iacr.org/2010/293

  42. Patarin, J., Nachef, V., Berbain, C.: Generic attacks on unbalanced Feistel schemes with expanding functions. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 325–341. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-76900-2_20

  43. Sadeghiyan, B., Pieprzyk, J.: A construction for super pseudorandom permutations from a single pseudorandom function. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 267–284. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-47555-9_23

  44. Schneier, B., Kelsey, J.: Unbalanced Feistel networks and block cipher design. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 121–144. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-60865-6_49

  45. Shen, Y., Guo, C., Wang, L.: Improved security bounds for generalized Feistel networks. IACR Trans. Symm. Cryptol. 2020(1), 425–457 (2020)

  46. Volte, E., Nachef, V., Patarin, J.: Improved generic attacks on unbalanced Feistel schemes with expanding functions. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 94–111. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_6

  47. Yu, W., Zhao, Y., Guo, C.: Provable related-key security of contracting Feistel networks. In: Inscrypt 2020 (to appear, 2020)

  48. Zheng, Y., Matsumoto, T., Imai, H.: On the construction of block ciphers provably secure and not relying on any unproved hypotheses. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 461–480. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_42


Acknowledgments

This work was partly supported by the Program of Qilu Young Scholars (Grant No. 61580089963177) of Shandong University, the National Natural Science Foundation of China (Grant No. 62002202), the National Key Research and Development Project under Grant No. 2018YFA0704702, and the Shandong Nature Science Foundation of China (Grant No. ZR2020ZD02, ZR2020MF053).

Corresponding author

Correspondence to Chun Guo.

Copyright information

© 2021 Springer Nature Switzerland AG


Cite this paper

Zhao, Y., Yu, W., Guo, C. (2021). Related-Key Analysis of Generalized Feistel Networks with Expanding Round Functions. In: Paterson, K.G. (ed.) Topics in Cryptology – CT-RSA 2021. CT-RSA 2021. Lecture Notes in Computer Science, vol. 12704. Springer, Cham. https://doi.org/10.1007/978-3-030-75539-3_14

  • DOI: https://doi.org/10.1007/978-3-030-75539-3_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-75538-6

  • Online ISBN: 978-3-030-75539-3
