Generalized birthday attacks on unbalanced Feistel networks

  • Charanjit S. Jutla
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1462)


Unbalanced Feistel networks F k which are used to construct invertible pseudo-random permutations from kn bits to kn bits using d pseudo-random functions from n bits to (k − l)n bits, k ≥ 2 are studied. We show a new generalized birthday attack on F k , with d ≤ 3k − 3. With 2(k−1)n chosen plaintexts an adversary can distinguish F k (with d = 3k − 3) from a random permutation with high probability. If d < (3k − 3) then fewer plaintexts are required. We also show that for any F k (with d = 2k), any adversary with m chosen plaintext oracle queries, has probability O(m nk/2(k−1)n ) of distinguishing F k from a random permutation.


Block ciphers Feistel networks pseudo-random permutations second moment method birthday attacks 


  1. 1.
    W. Aiello, R. Venkatesan, Foiling birthday attacks in length-doubling transformations, Eurocrypt 1996, LNCS 1070.Google Scholar
  2. 2.
    N. Alon, J.H. Spencer, The probabilistic method, John Wiley and Sons, 1992.Google Scholar
  3. 3.
    FIPS 46, Data Encryption Standard, Federal Information Processing Standards Publication 46, U.S. Department of Commerce/N.I.S.T., National Technical Information Service, Springfield, Virginia, 1977.Google Scholar
  4. 4.
    D. Coppersmith, Another Birthday attack, Advances in Cryptology, Crypto 1985.Google Scholar
  5. 5.
    D. Coppersmith, Luby-Rackoff: Four rounds is not enough, IBM Research Report, RC20674, Dec. 96.Google Scholar
  6. 6.
    M. Girault, R. Cohen, M. Campana, A Generalized birthday attack, Eurocrypt 1988, LNCS 330.Google Scholar
  7. 7.
    L. Knudsen, X. Lai, B. Preneel, Attacks on fast double block length hash functions, J. of Cryptology, 1998, 11:59–72.MATHMathSciNetCrossRefGoogle Scholar
  8. 8.
    M. Luby, Pseudorandomness and cryptographic applications, Princeton University Press, 1996.Google Scholar
  9. 9.
    M. Luby and C. Rackoff, How to construct pseudorandom permutations from pseudorandom functions, SIAM J.of Comp., 17, pp.373–386, 1988.MATHMathSciNetCrossRefGoogle Scholar
  10. 10.
    J. Patarin, About Feistel Schemes with Six (or More) Rounds, Proc. Fast Software Encryption, March 1998.Google Scholar
  11. 11.
    R. Anderson, E. Biham, Two Practical and Provably Secure Block Ciphers: BEAR and LION, 1996 Workshop on Fast Software Encryption.Google Scholar
  12. 12.
    B. Schneier, J. Kelsey, Unbalanced Feistel Networks and Block-Cipher Design, Fast Software Encryption, Third International Workshop Proceedings (February 1996), Springer-Verlag, 1996, pp. 121–144.Google Scholar
  13. 13.
    Moni Naor, O. Reingold, On the Construction of Pseudo-Random Permutations: Luby-Rackoff Revisited, Proc. STOC 97Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 1998

Authors and Affiliations

  • Charanjit S. Jutla
    • 1
  1. 1.T. J. Watson Research CenterIBMYorktown HeightsUSA

Personalised recommendations