Feistel Networks Made Public, and Applications [chapter]

Yevgeniy Dodis, Prashant Puniya
2007 Lecture Notes in Computer Science  
Feistel Network, consisting of a repeated application of the Feistel Transform, gives a very convenient and popular method for designing "cryptographically strong" permutations from corresponding "cryptographically strong" functions. Up to now, all usages of the Feistel Network, including the celebrated Luby-Rackoff's result, critically rely on (a) the (pseudo)randomness of round functions; and (b) the secrecy of (at least some of ) the intermediate round values appearing during the Feistel
more » ... utation. Moreover, a small constant number of Feistel rounds was typically sufficient to guarantee security under assumptions (a) and (b). In this work we consider several natural scenarios where at least one of the above assumptions does not hold, and show that a constant, or even logarithmic number of rounds is provably insufficient to handle such applications, implying that a new method of analysis is needed. On a positive side, we develop a new combinatorial understanding of Feistel networks, which makes them applicable to situations when the round functions are merely unpredictable rather than (pseudo)random and/or when the intermediate round values may be leaked to the adversary (either through an attack or because the application requires it). In essence, our results show that in any such scenario a super-logarithmic number of Feistel rounds is necessary and sufficient to guarantee security. Of independent interest, our technique yields a novel domain extension method for messages authentication codes and other related primitives, settling a question studied by An and Bellare in CRYPTO 1999.
doi:10.1007/978-3-540-72540-4_31 fatcat:74xqfotbbfcubkilau332ltgpi