Revisiting Key-Alternating Feistel Ciphers for Shorter Keys and Multi-user Security [chapter]

Chun Guo, Lei Wang
2018 Lecture Notes in Computer Science  
Key-Alternating Feistel (KAF) ciphers, a.k.a. Feistel-2 models, refer to Feistel networks with round functions of the form F_i(k_i ⊕ x_i), where k_i is the (secret) round-key and F_i is a public random function. This model roughly captures the structures of many famous Feistel ciphers, and the most prominent instance is DES. Existing provable security results on KAF assumed independent round-keys and round functions (ASIACRYPT 2004 & FSE 2014). In this paper, we investigate how to achieve security under simpler and more realistic assumptions: with round-keys derived from a short main-key, and hopefully with identical round functions. For birthday-type security, we consider 4-round KAF, investigate the minimal conditions on the way to derive the four round-keys, and prove that when such adequately derived keys and the same round function are used, the 4-round KAF is secure up to 2^{n/2} queries. For beyond-birthday security, we focus on 6-round KAF. We prove that when the adjacent round-keys are independent, and independent round functions are used, the 6-round KAF is secure up to 2^{2n/3} queries. To our knowledge, this is the first beyond-birthday security result for KAF without assuming completely independent round-keys. Our results hold in the multi-user setting as well, constituting the first non-trivial multi-user provable security results on Feistel ciphers. We finally demonstrate applications of our results on designing key schedules and instantiating keyed sponge constructions.

To obtain a 2n-bit BC, the IEM model requires 2n-bit permutations, whereas following the Feistel approach, several n-to-n-bit functions suffice. Moreover, these functions need not be invertible (this might be the reason why Feistel ciphers were extremely popular before the 1990s). All in all, Feistel ciphers can be built upon primitives with smaller domains and fewer structural properties, which is particularly appealing from a theoretical point of view. From the security point of view, without any additional hardness assumption other than the idealness of round functions, provable security is limited by the domain-size of the round functions [48]. Therefore, IEM benefits from the use of larger primitives: with t independent 2n-bit random permutations and 2tn key bits, t-round IEM is provably secure up to 2^{2tn/(t+1)} adversarial queries [15], which approaches 2^{2n} for large t.
In contrast, Feistel models can only be secure against at most 2^n queries [48], which is far less than their domain-size 2^{2n}. This upper bound is very unsatisfying. Despite this limitation, as well as the gap between the idealized model and the rather weak round functions in practice, this provable approach supplies insights into BC structures, excludes generic attacks, and may help refine designs. For these reasons, this approach is valuable and has received a lot of attention.

The Luby-Rackoff (LR) Scheme, in reference to the seminal work of Luby and Rackoff [37], might be the most popular model for Feistel ciphers so far. In this model, the round functions G_i(k_i, x_R) are pseudorandom functions (PRFs). Via a standard hybrid argument, this is transposed to the Feistel networks formed by uniformly random and secret round functions SG_i(x_R). Following [37], a long series of works established either better security (maybe using a larger number of rounds), with [39, 48, 30, 3, 43] to name a few, or reduced complexity for security [51, 46, 44, 45].

Key-Alternating Feistel Ciphers. Works along the line of Luby and Rackoff are very generic and could cover all possible forms of round functions. On the other hand, the LR model falls short of showing how to concretely design keyed primitives (BCs) from (conceptually) simpler keyless primitives: it just "defers" the task to designing keyed round functions G_i(k_i, x_R), which is, however, not known to be simpler than designing the BCs themselves. In reality, general-purpose Feistel ciphers usually employ length-preserving keyless round functions, and XOR each round-key before applying the corresponding round function. Examples include DES, GOST, the Camellia variant without FL/FL^{-1} functions [9], MIBS [33], and two recent designs LBlock [56] and Twine [54] (the latter two are multi-line generalizations of Feistel).
This idea corresponds to Feistel networks with round functions instantiated in probably the simplest form, where F_i is keyless and public, and at the i-th round the intermediate state is updated accordingly. This model was named Key-Alternating Feistel (KAF) by Lampe and Seurin [35], and is also known as Feistel-2 schemes according to the IACR TikZ library. It has been extensively studied by the cryptanalytic community [9, 32, 28], and frequently serves as the instructive example for new attacks [10, 2]. The gap between LR and KAF ciphers is non-negligible. For example, with less than 2^{2n} complexity, the best known generic key-recovery attacks break 4-round LR [32], which is in sharp contrast with 6-round KAF [28]. Moreover, the 6- or even 5-round LR model is already sufficient for optimal information-theoretic security against 2^n queries [43, chapter 17]. However, for KAF we exhibit a generic distinguishing attack against t rounds using O(2^{(t−2)n/(t−1)}) queries, which means O(n) rounds are necessary for optimal security. These indicate that the LR model misses some important structural properties of practical Feistel ciphers, and KAF is likely to be a better model of reality.

By the above, theoretical analysis of the KAF model is of significance. In this respect, one would assume the (keyless) round functions F_i to be public random functions that can be queried by the adversary in a black-box way, and try to establish indistinguishability of the worlds (KAF_k, F_1, ..., F_t) and (P, F_1, ..., F_t) in the random oracle model, i.e. the cipher KAF with a secret random key k is indistinguishable from a random permutation P even when given access to the t random round functions F_1, ..., F_t. This is very similar to the setting introduced for IEM [11]. In this vein, we are only aware of two works.
First, an early work of Gentry and Ramzan (GR) [24] proved birthday-type security for a 4-round keyless Feistel scheme with pre- and post-whitening keys, which can be translated into a 4-round KAF variant. Then, a recent work of Lampe and Seurin (LS) [35] proved beyond-birthday security up to 2^{tn/(t+1)} adversarial queries for 6t-round KAF, assuming the round functions and round-keys are both completely independent [35].^4

^4 A more recent work of Gilboa et al. [25] analyzed a variant of 2-round IEM, which corresponds to a KAF variant with whitening keys. We'll elaborate later.
^5 A permutation ϕ of F_2^n is an orthomorphism if K → K ⊕ ϕ(K) is also a permutation. The Feistel-like linear transformation ϕ(KL || KR) = (KL ⊕ KR) || KL is a very efficient instance. Orthomorphisms have found many cryptographic applications, particularly in minimizing LR [51] and IEM models [14].
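As an added illustration (not code from the paper or its authors): a toy t-round KAF in Python, with the public round functions F_i modelled by SHA-256 as a stand-in for random oracles, its inverse (which only ever evaluates the F_i forward, showing the round functions need not be invertible), and an exhaustive check that the Feistel-like map ϕ(KL || KR) = (KL ⊕ KR) || KL from footnote 5 is an orthomorphism on a small domain. The half-block size n = 16 and the round-keys are constructed sample values, not parameters from the paper.

```python
import hashlib


def round_function(i: int, x: int, n_bits: int) -> int:
    """Public n-bit random function F_i, modelled here by SHA-256 of (i, x) (assumption:
    a hash stands in for the random oracle). It is not invertible; KAF never needs it to be."""
    mask = (1 << n_bits) - 1
    n_bytes = (n_bits + 7) // 8
    digest = hashlib.sha256(i.to_bytes(2, "big") + (x & mask).to_bytes(n_bytes, "big")).digest()
    return int.from_bytes(digest[:n_bytes], "big") & mask


def kaf_encrypt(round_keys, left, right, n_bits, identical=False):
    """t-round KAF: (L, R) -> (R, L xor F_i(k_i xor R)). identical=True uses one F for every round,
    the setting the paper considers for its 4-round result."""
    for i, k in enumerate(round_keys, start=1):
        left, right = right, left ^ round_function(0 if identical else i, k ^ right, n_bits)
    return left, right


def kaf_decrypt(round_keys, left, right, n_bits, identical=False):
    """Inverse: undo the rounds in reverse order; each F_i is still evaluated forward only."""
    for i, k in reversed(list(enumerate(round_keys, start=1))):
        left, right = right ^ round_function(0 if identical else i, k ^ left, n_bits), left
    return left, right


def feistel_orthomorphism(k: int, half_bits: int) -> int:
    """phi(KL || KR) = (KL xor KR) || KL, the Feistel-like linear map of footnote 5."""
    mask = (1 << half_bits) - 1
    kl, kr = k >> half_bits, k & mask
    return ((kl ^ kr) << half_bits) | kl


def is_orthomorphism(phi, bits: int) -> bool:
    """Exhaustive check on {0,1}^bits: phi and K -> K xor phi(K) must both be bijections."""
    size = 1 << bits
    return (len({phi(k) for k in range(size)}) == size
            and len({k ^ phi(k) for k in range(size)}) == size)


if __name__ == "__main__":
    n = 16                                    # n-bit halves, 2n-bit block (toy size)
    keys = [0x1234, 0xABCD, 0x0F0F, 0x5A5A]   # constructed sample round-keys for 4 rounds
    ct = kaf_encrypt(keys, 0xDEAD, 0xBEEF, n)
    assert kaf_decrypt(keys, *ct, n) == (0xDEAD, 0xBEEF)
    print(f"ciphertext halves: {ct[0]:04x} {ct[1]:04x}")
    print("Feistel-like phi is an orthomorphism on 8 bits:",
          is_orthomorphism(lambda k: feistel_orthomorphism(k, 4), 8))
```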
doi:10.1007/978-3-030-03326-2_8