Upper Bounds for the Security of Several Feistel Networks

  • Yosuke Todo
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7959)


In this paper, we are dealing with upper bounds for the security of some Feistel networks. Such a topic has been discussed since the introduction of Luby-Rackoff construction, but it is unrealistic construction because its round functions must be chosen at random from the set of all functions. Knudsen dealt with more practical construction where its round functions are chosen at random from a family of 2 k randomly chosen functions, and showed an upper bound for the security by demonstrating generic key recovery attacks. However it is still difficult for designers to choose functions randomly. Then, this paper considers the security of some Feistel networks which have more efficient and practical round functions and are indeed used by some Feistel ciphers in practice. For this Feistel ciphers, we discover new properties using the relation of plaintexts and ciphertexts. By using our properties, we propose new generic key recovery attacks, and confirm the feasibility by implementing the attack for small block sizes. Our results indicate that the 6 round networks are not enough to complicate the relationship between plaintexts and ciphertexts, and how to insert a round key is very influential in the upper bound for the security. This feature should be taken into account when the round function is designed in future. Moreover, for immunity to our attacks and maintenance of the efficiency, we show design principles for efficient and secure Feistel ciphers.


Block cipher Feistel networks Round functions Key recovery attacks 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Aoki, K., Ichikawa, T., Kanda, M., Matsui, M., Moriai, S., Nakajima, J., Tokita, T.: Camellia: A 128-Bit Block Cipher Suitable for Multiple Platforms - Design and Analysis. In: Stinson, D.R., Tavares, S. (eds.) SAC 2000. LNCS, vol. 2012, pp. 39–56. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  2. 2.
    Biham, E., Biryukov, A., Shamir, A.: Cryptanalysis of Skipjack Reduced to 31 Rounds Using Impossible Differentials. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 12–23. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  3. 3.
    Isobe, T., Shibutani, K.: All Subkeys Recovery Attack on Block Ciphers: Extending Meet-in-the-Middle Approach. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 202–221. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  4. 4.
    Knudsen, L.R.: The Security of Feistel Ciphers with Six Rounds or Less. J. Cryptology 15(3), 207–222 (2002)MathSciNetzbMATHCrossRefGoogle Scholar
  5. 5.
    Knudsen, L.R., Rijmen, V.: Known-Key Distinguishers for Some Block Ciphers. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 315–324. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  6. 6.
    Lampe, R., Patarin, J.: Security of Feistel Schemes with New and Various Tools. IACR Cryptology ePrint Archive 2012, 131 (2012)Google Scholar
  7. 7.
    Lee, H., Lee, S., Yoon, J., Cheon, D., Lee, J.: The SEED Encryption Algorithm RFC4269 (2005)Google Scholar
  8. 8.
    Luby, M., Rackoff, C.: How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Comput. 17(2), 373–386 (1988)MathSciNetzbMATHCrossRefGoogle Scholar
  9. 9.
    Lucks, S.: Faster Luby-Rackoff Ciphers. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 189–203. Springer, Heidelberg (1996)CrossRefGoogle Scholar
  10. 10.
    National Soviet Bureau of Standards: Information Processing System – Cryptographic Protection – Cryptographic Algorithm GOST 28147-89 (1989)Google Scholar
  11. 11.
    Patarin, J.: How to Construct Pseudorandom and Super Pseudorandom Permutations from one Single Pseudorandom Function. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 256–266. Springer, Heidelberg (1993)CrossRefGoogle Scholar
  12. 12.
    Patarin, J.: Luby-Rackoff: 7 Rounds Are Enough for 2n(1 − ε)Security. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 513–529. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  13. 13.
    Patarin, J.: Security of Random Feistel Schemes with 5 or More Rounds. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 106–122. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  14. 14.
    Patarin, J.: Security of balanced and unbalanced Feistel Schemes with Linear Non Equalities. IACR Cryptology ePrint Archive 2010, 293 (2010)Google Scholar
  15. 15.
    Sasaki, Y., Yasuda, K.: Known-Key Distinguishers on 11-Round Feistel and Collision Attacks on Its Hashing Modes. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 397–415. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  16. 16.
    Shirai, T., Shibutani, K.: On Feistel Structures Using a Diffusion Switching Mechanism. In: Robshaw, M. (ed.) FSE 2006. LNCS, vol. 4047, pp. 41–56. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  17. 17.
    Suzuki, K., Tonien, D., Kurosawa, K., Toyota, K.: Birthday paradox for multi-collisions. In: Rhee, M.S., Lee, B. (eds.) ICISC 2006. LNCS, vol. 4296, pp. 29–40. Springer, Heidelberg (2006)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Yosuke Todo
    • 1
  1. 1.NTT CorporationJapan

Personalised recommendations