Luby-Rackoff: 7 Rounds Are Enough for 2n(1 − ε) Security

  • Jacques Patarin
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2729)


In [3] M. Luby and C. Rackoff have proved that 3-round random Feistel schemes are secure against all adaptative chosen plaintext attacks when the number of queries is m ≪ 2 n/2. Moreover, 4-round random Feistel schemes are also secure against all adaptative chosen plaintext and chosen ciphertext attacks when m ≪ 2 n/2. It was shown later that these bounds are tight for 3 and 4 rounds (see [9] or [1]).

In this paper our main results are that for every ε> 0, when m ≪ 2 n(1 − ε):

  • for 4 rounds or more, a random Feistel scheme is secure against known plaintext attacks (KPA).

  • for 7 rounds or more it is secure against all adaptative chosen plaintext attacks (CPA).

  • for 10 rounds or more it is secure against all adaptative chosen plaintext and chosen ciphertext attacks (CPCA).

These results achieve the optimal value of m, since it is always possible to distinguish a random Feistel cipher from a truly random permutation with \(\mathcal{O}(2^n)\) queries, given sufficient computing power.

This paper solves an open problem of [1, 9] and [17]. It significantly improves the results of [13] that proves the security against only 2\(^{\frac{3n}{4}}\) queries for 6 rounds, and the results of [6] in which the 2 n(1 − ε) security is only obtained when the number of rounds tends to infinity. The proof technique used in this paper is also of independent interest and can be applied to other schemes.


  1. 1.
    Aiollo, W., Venkatesan, R.: Foiling Birthday Attacks in Length- Doubling Transformations - Benes: A Non-Reversible Alternative to Feistel. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 307–320. Springer, Heidelberg (1996)Google Scholar
  2. 2.
    Black, J., Rogaway, P.: Ciphers with Arbitrary Finite Domains. In: Preneel, B. (ed.) CT-RSA 2002. LNCS, vol. 2271, pp. 114–130. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  3. 3.
    Luby, M., Rackoff, C.: How to construct pseudorandom permutations from pseudorandom functions. SIAM Journal on Computing 17(2), 373–386 (1988)zbMATHCrossRefMathSciNetGoogle Scholar
  4. 4.
    Maurer, U.: A simplified and generalized treatment of Luby-Rackoff pseudorandom permutation generators. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 239–255. Springer, Heidelberg (1993)CrossRefGoogle Scholar
  5. 5.
    Maurer, U.: Indistinguishability of Random Systems. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 110–132. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  6. 6.
    Maurer, U., Pietrzak, K.: The Security of Many-Round Luby-Rackoff Pseudo- Random Permutations. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, Springer, Heidelberg (2003)CrossRefGoogle Scholar
  7. 7.
    Naor, M., Reingold, O.: On the construction of pseudo-random permutations: Luby-Rackoff revisited. Journal of Cryptology 12, 29–66 (1999); Extended abstract was published. In: Proc. 29th Ann. ACM Symp. on Theory of Computing, pp. 189–199 (1997)Google Scholar
  8. 8.
    Patarin, J.: Pseudorandom Permutations based on the DES Scheme. In: Charpin, P., Cohen, G. (eds.) EUROCODE 1990. LNCS, vol. 514, pp. 193–204. Springer, Heidelberg (1991)Google Scholar
  9. 9.
    Patarin, J.: New results on pseudorandom permutation generators based on the DES scheme. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 301–312. Springer, Heidelberg (1992)Google Scholar
  10. 10.
    Patarin, J.: Etude des générateurs de permutations basés sur le schéma du DES. Ph. D. Thesis, Inria, Domaine de Voluceau, Le Chesnay, France (1991)Google Scholar
  11. 11.
    Patarin, J.: How to construct pseudorandom and super pseudorandom permutations from one single pseudorandom function. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 256–266. Springer, Heidelberg (1993)CrossRefGoogle Scholar
  12. 12.
    Patarin, J.: Improved Security Bounds for Pseudorandom Permutations. In: 4th ACM Conference on Computer and Communications Security, April 2-4, Zurich, Switzerland, pp. 142–150 (1997)Google Scholar
  13. 13.
    Patarin, J.: About Feistel Schemes with Six (or More) Rounds. In: Fast Software Encryption 1998, pp. 103–121 (1998)Google Scholar
  14. 14.
    Patarin, J.: Generic Attacks on Feistel Schemes. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 222–238. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  15. 15.
    Patarin, J.: Luby-Rackoff: 7 Rounds are Enough for 2n(1 − ε) Security. Extended version of this paper. Available from the authorGoogle Scholar
  16. 16.
    Patel, S., Ramzan, Z., Sundaram, G.: Toward making Luby-Rackoff ciphers optimal and practical. In: Knudsen, L.R. (ed.) FSE 1999. LNCS, vol. 1636, p. 171. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  17. 17.
    Pieprzyk, J.: How to construct pseudorandom permutations from Single Pseudorandom Functions. In: Damgård, I.B. (ed.) EUROCRYPT 1990. LNCS, vol. 473, pp. 140–150. Springer, Heidelberg (1991)Google Scholar
  18. 18.
    Ramzan, Z., Reyzin, L.: On the Round Security of Symmetric-Key Cryptographic Primitives. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 376–393. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  19. 19.
    Schneier, B., Kelsey, J.: Unbalanced Feistel Networks and Block Cipher Design. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 121–144. Springer, Heidelberg (1996)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Jacques Patarin
    • 1
  1. 1.University of Versailles 

Personalised recommendations