How to construct random functions. Journal of the ACM (JACM).
Pseudo-random permutation generators and cryptographic composition. STOC '86, Proceedings of the 18th Annual ACM Symposium on Theory of Computing.
How to construct pseudorandom permutations from single pseudorandom functions. EUROCRYPT '90, Advances in Cryptology, Proceedings of the Workshop on the Theory and Application of Cryptographic Techniques.
A pseudorandom generator from any one-way function. SIAM Journal on Computing.
On the round security of symmetric-key cryptographic primitives. CRYPTO '00, Advances in Cryptology, Proceedings of the 20th Annual International Cryptology Conference.
Indistinguishability of random systems. EUROCRYPT '02, Advances in Cryptology, Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques.
Proceedings of the Third International Workshop on Fast Software Encryption.
Composition does not imply adaptive security. CRYPTO '05, Advances in Cryptology, Proceedings of the 25th Annual International Cryptology Conference.
Composition implies adaptive security in minicrypt. EUROCRYPT '06, Advances in Cryptology, Proceedings of the 25th Annual International Conference on the Theory and Applications of Cryptographic Techniques.
Hybrid symmetric encryption using known-plaintext attack-secure components. ICISC '05, Proceedings of the 8th International Conference on Information Security and Cryptology.
Feistel networks made public, and applications. EUROCRYPT '07, Advances in Cryptology, Proceedings of the 26th Annual International Conference on the Theory and Applications of Cryptographic Techniques.
Weak pseudorandom functions in minicrypt. ICALP '08, Proceedings of the 35th International Colloquium on Automata, Languages and Programming, Part II.
Indistinguishability amplification. CRYPTO '07, Advances in Cryptology, Proceedings of the 27th Annual International Cryptology Conference.
Tweakable enciphering schemes from hash-sum-expansion. INDOCRYPT '07, Progress in Cryptology, Proceedings of the 8th International Conference on Cryptology in India.
Free-start distinguishing: combining two types of indistinguishability amplification. ICITS '09, Proceedings of the 4th International Conference on Information Theoretic Security.
Efficient shared-key authentication scheme from any weak pseudorandom function. INDOCRYPT '06, Progress in Cryptology, Proceedings of the 7th International Conference on Cryptology in India.
The Feistel network is a popular structure underlying many block ciphers: the cipher is built from many simpler rounds, each defined by a function derived from the secret key. Luby and Rackoff showed that the three-round Feistel network, with each round instantiated by a pseudorandom function secure against adaptive chosen-plaintext attacks (CPA), is a CPA-secure pseudorandom permutation, which gives some confidence in the soundness of using a Feistel network to design block ciphers. But the round functions used in actual block ciphers are, for efficiency reasons, far from pseudorandom. We investigate the security of the Feistel network against CPA distinguishers when the only guarantee we have for the round functions is that they are secure against non-adaptive chosen-plaintext attacks (nCPA), i.e. against distinguishers that must fix all their queries before seeing any answer. We show that in the information-theoretic setting, four rounds with nCPA-secure round functions are sufficient (and necessary) to obtain a CPA-secure permutation. Unfortunately, this result does not carry over to the more interesting pseudorandom setting: under the so-called Inverse Decisional Diffie-Hellman assumption, the four-round Feistel network with each round instantiated by an nCPA-secure pseudorandom function is in general not a CPA-secure pseudorandom permutation.
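The following is an added example, not code from the paper, that makes the structure in the abstract concrete: an r-round Feistel network whose round functions are derived from the secret key, together with a two-query non-adaptive chosen-plaintext distinguisher. The distinguisher is the standard observation (not stated in the abstract) that two rounds are never enough, whatever the round functions: for plaintexts sharing the right half, the left halves of the ciphertexts XOR to the XOR of the plaintext left halves. It is assumed here that round functions are HMAC-SHA256 under per-round subkeys (a PRF-quality instantiation, i.e. the Luby-Rackoff setting rather than the nCPA-only round functions the paper analyses), that half-blocks are 8 bytes, and the helper names are this example's own.

```python
"""Feistel network with key-derived round functions and a two-query
non-adaptive CPA distinguisher against the 2-round network.
Added example; not code from the paper. Round functions (HMAC-SHA256 under
per-round subkeys) and the 8-byte half-block size are assumptions."""
import hashlib
import hmac
import os

HALF = 8  # bytes per half-block; the network permutes 2*HALF-byte blocks


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_round_functions(key: bytes, rounds: int):
    """One keyed round function per round, each derived from the secret key.
    Each maps a HALF-byte value to a HALF-byte value via HMAC-SHA256 under a
    per-round subkey (assumed instantiation, PRF quality)."""
    funcs = []
    for i in range(rounds):
        subkey = hmac.new(key, b"round-%d" % i, hashlib.sha256).digest()
        funcs.append(lambda r, k=subkey: hmac.new(k, r, hashlib.sha256).digest()[:HALF])
    return funcs


def feistel_encrypt(funcs, block: bytes) -> bytes:
    """Round i maps (L, R) to (R, L xor f_i(R)); the final swap is kept."""
    L, R = block[:HALF], block[HALF:]
    for f in funcs:
        L, R = R, xor(L, f(R))
    return L + R


def feistel_decrypt(funcs, block: bytes) -> bytes:
    """Inverse: undo the rounds in reverse order. This works for ANY round
    functions, which is why a Feistel network is a permutation even when the
    round functions themselves are not invertible."""
    L, R = block[:HALF], block[HALF:]
    for f in reversed(funcs):
        L, R = xor(R, f(L)), L
    return L + R


def roundtrip_ok(key: bytes, rounds: int, block: bytes) -> bool:
    funcs = make_round_functions(key, rounds)
    return feistel_decrypt(funcs, feistel_encrypt(funcs, block)) == block


def two_round_relation_holds(encrypt, l1: bytes, l2: bytes, r: bytes) -> bool:
    """Non-adaptive CPA distinguisher: both queries (l1 || r) and (l2 || r)
    are fixed in advance. After two rounds the ciphertext left halves are
    l1 xor f_1(r) and l2 xor f_1(r), so they XOR to l1 xor l2 regardless of
    f_1, f_2. For a random permutation this holds with probability 2**(-8*HALF).
    (One round is broken even more directly: the left ciphertext half is r.)"""
    c1, c2 = encrypt(l1 + r), encrypt(l2 + r)
    return xor(c1[:HALF], c2[:HALF]) == xor(l1, l2)


def distinguisher_success_rate(key: bytes, rounds: int, trials: int) -> float:
    """Fraction of random two-query experiments in which the relation holds:
    1.0 for two rounds, ~0.0 for three or more rounds with PRF round functions."""
    funcs = make_round_functions(key, rounds)

    def encrypt(block: bytes) -> bytes:
        return feistel_encrypt(funcs, block)

    hits = 0
    for _ in range(trials):
        l1, l2, r = os.urandom(HALF), os.urandom(HALF), os.urandom(HALF)
        hits += two_round_relation_holds(encrypt, l1, l2, r)
    return hits / trials


if __name__ == "__main__":
    key = os.urandom(32)
    for rounds in (1, 2, 3, 4):
        print(rounds, "rounds: roundtrip", roundtrip_ok(key, rounds, os.urandom(2 * HALF)),
              "| two-round relation rate", distinguisher_success_rate(key, rounds, 100))
```

Two things the code shows that the abstract only states: decryption never calls an inverse of a round function, so any keyed function yields a permutation, and the number of rounds is what separates a trivially distinguishable network from one whose security rests on the round functions. The distinguisher here is non-adaptive (its queries do not depend on earlier answers), which is exactly the nCPA attacker class the paper restricts the round-function guarantee to; it is the step from nCPA-secure rounds to a CPA-secure permutation that the paper shows needs four rounds information-theoretically and can fail computationally.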