Related-Key Analysis of Generalized Feistel Networks with Expanding Round Functions

We extend the prior provable related-key security analysis of (generalized) Feistel networks (Barbosa and Farshim, FSE 2014; Yu et al., Inscrypt 2020) to the setting of expanding round functions, i.e., n-bit to m-bit round functions with n < m. This covers Expanding Feistel Networks (EFNs), which rely purely on such expanding round functions, and Alternating Feistel Networks (AFNs), which alternate expanding and contracting round functions. We show that, when two independent keys K1, K2 are used alternately across the rounds, (a) 2⌈m/n⌉ + 2 rounds suffice for related-key security of EFNs, and (b) a constant 4 rounds suffice for related-key security of AFNs. Our results complete the picture of provable related-key security of GFNs, and provide additional theoretical support for the AFN-based NIST format-preserving encryption standards FF1 and FF3.
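To make the two structures in the abstract concrete, the following toy implementation is added here; it is not the paper's construction or proof. It builds an EFN and an AFN on an (n+m)-bit block with two keys K1, K2 used alternately, and checks that both are invertible at the round counts the abstract names. Assumptions: the keyed round function is HMAC-SHA256 (domain-separated by round index, expanded or truncated to the target width), standing in for the independent keyed round functions of the analysis; the block is kept as an integer and each round rotates it by the source width, which is one standard way to write unbalanced Feistel rounds; the keys and block values in `demo` are constructed.

```python
"""Toy expanding (EFN) and alternating (AFN) Feistel networks on an (n+m)-bit block.

Added illustration of the two structures named in the abstract; it is not the paper's
construction or proof. The round function is an assumption: HMAC-SHA256, keyed by the
round key and domain-separated by the round index, standing in for the independent
keyed round functions of the analysis.
"""
import hashlib
import hmac
from math import ceil
from typing import List, Tuple

Schedule = List[Tuple[int, int]]  # per round: (source bits, target bits)


def round_function(key: bytes, rnd: int, x: int, in_bits: int, out_bits: int) -> int:
    """Keyed {0,1}^in_bits -> {0,1}^out_bits map: expanding when out_bits > in_bits,
    contracting when out_bits < in_bits. HMAC-SHA256 blocks are concatenated under a
    counter until out_bits are available, then truncated (assumed design)."""
    msg = rnd.to_bytes(2, "big") + x.to_bytes((in_bits + 7) // 8, "big")
    out = b""
    ctr = 0
    while len(out) * 8 < out_bits:
        out += hmac.new(key, msg + bytes([ctr]), hashlib.sha256).digest()
        ctr += 1
    return int.from_bytes(out, "big") >> (len(out) * 8 - out_bits)


def _round(x: int, src_bits: int, tgt_bits: int, key: bytes, rnd: int) -> int:
    """One unbalanced Feistel round on x = src || tgt: XOR F(src) into tgt, then rotate
    the block left by src_bits so the next round reads a fresh source chunk."""
    src = x >> tgt_bits
    tgt = x & ((1 << tgt_bits) - 1)
    return ((tgt ^ round_function(key, rnd, src, src_bits, tgt_bits)) << src_bits) | src


def _round_inv(y: int, src_bits: int, tgt_bits: int, key: bytes, rnd: int) -> int:
    """Inverse of _round: the old source survives in the low src_bits of y, so F is
    recomputed and cancelled; F itself never needs to be inverted."""
    src = y & ((1 << src_bits) - 1)
    tgt = (y >> src_bits) ^ round_function(key, rnd, src, src_bits, tgt_bits)
    return (src << tgt_bits) | tgt


def efn_rounds(n: int, m: int) -> int:
    """Round count the abstract states is sufficient for an EFN: 2*ceil(m/n) + 2."""
    return 2 * ceil(m / n) + 2


def efn_schedule(n: int, m: int) -> Schedule:
    """EFN: every round uses an n-bit to m-bit (expanding) round function."""
    return [(n, m)] * efn_rounds(n, m)


def afn_schedule(n: int, m: int, rounds: int = 4) -> Schedule:
    """AFN: expanding (n -> m) and contracting (m -> n) rounds alternate; the abstract's
    sufficient count is the constant 4."""
    return [(n, m) if i % 2 == 0 else (m, n) for i in range(rounds)]


def _key_for(rnd: int, k1: bytes, k2: bytes) -> bytes:
    """Two independent keys used alternately: K1 in even rounds, K2 in odd rounds."""
    return k1 if rnd % 2 == 0 else k2


def encrypt(x: int, schedule: Schedule, k1: bytes, k2: bytes) -> int:
    for i, (s, t) in enumerate(schedule):
        x = _round(x, s, t, _key_for(i, k1, k2), i)
    return x


def decrypt(y: int, schedule: Schedule, k1: bytes, k2: bytes) -> int:
    for i in reversed(range(len(schedule))):
        s, t = schedule[i]
        y = _round_inv(y, s, t, _key_for(i, k1, k2), i)
    return y


def demo(n: int = 8, m: int = 24) -> dict:
    """Round-trip both networks on a constructed block with constructed keys."""
    k1, k2 = b"K1-constructed-key-bytes", b"K2-constructed-key-bytes"
    x = 0x12345678 & ((1 << (n + m)) - 1)
    res = {}
    for name, sched in (("EFN", efn_schedule(n, m)), ("AFN", afn_schedule(n, m))):
        c = encrypt(x, sched, k1, k2)
        res[name] = {"rounds": len(sched), "ct": c,
                     "roundtrip": decrypt(c, sched, k1, k2) == x}
    return res


if __name__ == "__main__":
    print(demo())
```

The rotate-by-source-width formulation is what makes the AFN fall out of the same round code: after an expanding round the block reads m || n, so a contracting round with an m-bit source is simply the next rotation. The abstract's bounds concern the idealized setting with independent K1, K2 and idealized round functions; nothing about this HMAC-based toy inherits them, and setting K1 = K2 keeps the wiring intact while discarding the independence the analysis assumes.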

[1] Stefan Lucks et al. Faster Luby-Rackoff Ciphers. FSE 1996.

[2] Jonathan Katz et al. Provable Security of (Tweakable) Block Ciphers Based on Substitution-Permutation Networks. CRYPTO 2018.

[3] J. L. Smith et al. Some cryptographic techniques for machine-to-machine data communications. Proceedings of the IEEE, 1975.

[4] Jacques Patarin et al. Security of Random Feistel Schemes with 5 or More Rounds. CRYPTO 2004.

[5] Lars R. Knudsen et al. Cryptanalysis of LOKI91. AUSCRYPT 1992.

[6] Alex Biryukov et al. Advanced Slide Attacks. EUROCRYPT 2000.

[7] Jacques Patarin et al. Security of balanced and unbalanced Feistel Schemes with Linear Non Equalities. IACR Cryptology ePrint Archive, 2010.

[8] Adi Shamir et al. Slidex Attacks on the Even–Mansour Encryption Scheme. Journal of Cryptology, 2013.

[9] Markus G. Kuhn et al. Low Cost Attacks on Tamper Resistant Devices. Security Protocols Workshop 1997.

[10] Morris J. Dworkin et al. Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption. 2016.

[11] Alex Biryukov et al. Slide Attacks. FSE 1999.

[12] Mihir Bellare et al. Format-Preserving Encryption. IACR Cryptology ePrint Archive, 2009.

[13] Adi Shamir et al. New Slide Attacks on Almost Self-Similar Ciphers. IACR Cryptology ePrint Archive, 2019.

[14] Eli Biham et al. Two Practical and Provably Secure Block Ciphers: BEAR and LION. FSE 1996.

[15] Tetsu Iwata et al. New Security Proofs for the 3GPP Confidentiality and Integrity Algorithms. FSE 2004.

[16] Yu et al. Provable Related-Key Security of Contracting Feistel Networks. Inscrypt 2020.

[17] Valérie Nachef et al. Generic Attacks on Unbalanced Feistel Schemes with Expanding Functions. ASIACRYPT 2007.

[18] Eli Biham et al. New types of cryptanalytic attacks using related keys. Journal of Cryptology, 1994.

[19] Phillip Rogaway et al. On Generalized Feistel Networks. CRYPTO 2010.

[20] Thomas Peyrin et al. The LED Block Cipher. IACR Cryptology ePrint Archive, 2011.

[21] Alex Biryukov et al. Key Recovery Attacks of Practical Complexity on AES Variants With Up To 10 Rounds. IACR Cryptology ePrint Archive, 2010.

[22] Benoit Cogliati et al. On the Provable Security of the Iterated Even-Mansour Cipher Against Related-Key and Chosen-Key Attacks. EUROCRYPT 2015.

[23] Phillip Rogaway et al. How to Encipher Messages on a Small Domain. CRYPTO 2009.

[24] Yaobin Shen et al. Improved Security Bounds for Generalized Feistel Networks. IACR Cryptology ePrint Archive, 2020.

[25] David Cash et al. Pseudorandom Functions and Permutations Provably Secure against Related-Key Attacks. CRYPTO 2010.

[26] Chun Guo et al. Understanding the Related-Key Security of Feistel Ciphers From a Provable Perspective. IEEE Transactions on Information Theory, 2018.

[27] Moni Naor et al. On the Construction of Pseudorandom Permutations: Luby–Rackoff Revisited. Journal of Cryptology, 1996.

[28] Kyoji Shibutani et al. Midori: A Block Cipher for Low Energy. ASIACRYPT 2015.

[30] Kenneth G. Paterson et al. Related-Key Security for Pseudorandom Functions Beyond the Linear Barrier. Journal of Cryptology, 2014.

[31] Mihir Bellare et al. A Theoretical Treatment of Related-Key Attacks: RKA-PRPs, RKA-PRFs, and Applications. EUROCRYPT 2003.

[32] Jacques Patarin et al. The "Coefficients H" Technique. Selected Areas in Cryptography 2009.

[33] Adi Shamir et al. A Practical-Time Related-Key Attack on the KASUMI Cryptosystem Used in GSM and 3G Telephony. Journal of Cryptology, 2010.

[34] Massimiliano Sala et al. On the provable security of BEAR and LION schemes. Applicable Algebra in Engineering, Communication and Computing, 2011.

[35] John P. Steinberger et al. Tight Security Bounds for Key-Alternating Ciphers. EUROCRYPT 2014.

[36] Manuel Barbosa et al. The Related-Key Analysis of Feistel Constructions. IACR Cryptology ePrint Archive, 2014.

[37] Babak Sadeghiyan et al. A Construction for Super Pseudorandom Permutations from A Single Pseudorandom Function. EUROCRYPT 1992.

[38] Bruce Schneier et al. Unbalanced Feistel Networks and Block Cipher Design. FSE 1996.

[39] Valérie Nachef et al. Feistel Ciphers: Security Proofs and Cryptanalysis. 2017.

[40] Jorge Luis Villar Santos et al. Public verifiability from pairings in secret sharing schemes. 2009.

[41] Mridul Nandi. On the Optimality of Non-Linear Computations of Length-Preserving Encryption Schemes. ASIACRYPT 2015.

[43] Lei Wang et al. Improved Security Bounds for Generalized Feistel Networks. 2020.

[44] Michael Luby et al. How to Construct Pseudo-Random Permutations from Pseudo-Random Functions (Abstract). CRYPTO 1986.

[45] Whitfield Diffie et al. SMS4 Encryption Algorithm for Wireless Networks. IACR Cryptology ePrint Archive, 2008.

[46] Hideki Imai et al. On the Construction of Block Ciphers Provably Secure and Not Relying on Any Unproved Hypotheses. CRYPTO 1989.

[47] John Black et al. Ciphers with Arbitrary Finite Domains. CT-RSA 2002.