Cryptology ePrint Archive: Report 2018/816

Revisiting Key-alternating Feistel Ciphers for Shorter Keys and Multi-user Security

Chun Guo and Lei Wang

Abstract: Key-Alternating Feistel (KAF) ciphers, a.k.a. Feistel-2 models, refer to Feistel networks with round functions of the form $F_i(k_i\oplus x_i)$, where $k_i$ is the (secret) round-key and $F_i$ is a public random function. This model roughly captures the structures of many famous Feistel ciphers, and the most prominent instance is DES.

Existing provable security results on KAF assumed independent round-keys and round functions (ASIACRYPT 2004 & FSE 2014). In this paper, we investigate how to achieve security under simpler and more realistic assumptions: with round-keys derived from a short main-key, and hopefully with identical round functions.

For birthday-type security, we consider 4-round KAF, investigate the minimal conditions on the way to derive the four round-keys, and prove that when such adequately derived keys and the same round function are used, the 4-round KAF is secure up to $2^{n/2}$ queries.

For beyond-birthday security, we focus on 6-round KAF. We prove that when the adjacent round-keys are independent, and independent round-functions are used, the 6 round KAF is secure up to $2^{2n/3}$ queries. To our knowledge, this is the first beyond-birthday security result for KAF without assuming completely independent round-keys.

Our results hold in the multi-user setting as well, constituting the first non-trivial multi-user provable security results on Feistel ciphers. We finally demonstrate applications of our results on designing key-schedules and instantiating keyed sponge constructions.

Category / Keywords: secret-key cryptography / blockcipher, provable security, multi-user security, key-alternating cipher, Feistel cipher, key-schedule design, keyed sponge

Original Publication (with major differences): IACR-ASIACRYPT-2018

Date: received 3 Sep 2018

Contact author: chun guo sc at gmail com

Available format(s): PDF | BibTeX Citation

Version: 20180906:193434 (All versions of this report)

Short URL: ia.cr/2018/816


[ Cryptology ePrint archive ]