Feistel Networks Made Public, and Applications

  • Yevgeniy Dodis
  • Prashant Puniya
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4515)


Feistel Network, consisting of a repeated application of the Feistel Transform, gives a very convenient and popular method for designing “cryptographically strong” permutations from corresponding “cryptographically strong” functions. Up to now, all usages of the Feistel Network, including the celebrated Luby-Rackoff’s result, critically rely on (a) the (pseudo)randomness of round functions; and (b) the secrecy of (at least some of) the intermediate round values appearing during the Feistel computation. Moreover, a small constant number of Feistel rounds was typically sufficient to guarantee security under assumptions (a) and (b). In this work we consider several natural scenarios where at least one of the above assumptions does not hold, and show that a constant, or even logarithmic number of rounds is provably insufficient to handle such applications, implying that a new method of analysis is needed.

On a positive side, we develop a new combinatorial understanding of Feistel networks, which makes them applicable to situations when the round functions are merely unpredictable rather than (pseudo)random and/or when the intermediate round values may be leaked to the adversary (either through an attack or because the application requires it). In essence, our results show that in any such scenario a super-logarithmic number of Feistel rounds is necessary and sufficient to guarantee security.

Of independent interest, our technique yields a novel domain extension method for messages authentication codes and other related primitives, settling a question studied by An and Bellare in CRYPTO 1999.


Feistel Network Verifiable Random Functions/Permutations PRFs PRPs MACs Domain Extension 


  1. 1.
    An, J.H., Bellare, M.: Constructing VIL-mACs from FIL-mACs: Message authentication under weakened assumptions. In: Wiener, M.J. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 252–269. Springer, Heidelberg (1999)Google Scholar
  2. 2.
    Bellare, M., Rogaway, P.: Optimal Asymmetric Encryption. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 92–111. Springer, Heidelberg (1995)CrossRefGoogle Scholar
  3. 3.
    Bellare, M., Rogaway, P.: The exact security of digital signatures - How to sign with RSA and Rabin. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996)Google Scholar
  4. 4.
    Blum, M.: Coin Flipping by Telephone - A Protocol for Solving Impossible Problems. In: COMPCON 1982, pp. 133–137 (1982)Google Scholar
  5. 5.
    Dodis, Y.: Efficient construction of (Distributed) verifiable random functions. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 1–17. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  6. 6.
    Dodis, Y., Puniya, P.: On the Relation Between the Ideal Cipher and the Random Oracle Models. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 184–206. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  7. 7.
    Dodis, Y., Puniya, P.: Feistel Networks made Public, and Applications. Full Version, available from IACR EPrint ArchiveGoogle Scholar
  8. 8.
    Dodis, Y., Yampolskiy, A.: A Verifiable Random Function with Short Proofs and Keys. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 416–431. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  9. 9.
    Goldreich, O., Goldwasser, S., Nussboim, A.: On the Implementation of Huge Random Objects. In: FOCS 2003, pp. 68–79 (2003)Google Scholar
  10. 10.
    Goldreich, O., Levin, L.A.: A Hard-Core Predicate for all One-Way Functions. In: STOC 1989, pp. 25–32 (1989)Google Scholar
  11. 11.
    Goldwasser, S., Ostrovsky, R.: Invariant Signatures and Non-interactive Zero-Knowledge Proofs Are Equivalent. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 228–245. Springer, Heidelberg (1993)Google Scholar
  12. 12.
    Luby, M., Rackoff, C.: How to construct pseudo-random permutations from pseudo-random functions. SIAM Journal on Computing 17(2) (1988)Google Scholar
  13. 13.
    Lysyanskaya, A.: Unique Signatures and Verifiable Random Functions from the DH-DDH Separation. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 597–612. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  14. 14.
    Maurer, U.M., Oswald, Y.A., Pietrzak, K., Sjödin, J.: Luby-Rackoff Ciphers from Weak Round Functions? In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 391–408. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  15. 15.
    Maurer, U.M., Pietrzak, K.: The Security of Many-Round Luby-Rackoff Pseudo-Random Permutations. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 544–561. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  16. 16.
    Maurer, U.M., Sjödin, J.: Single-Key AIL-MACs from Any FIL-MAC. In: Caires, L., Italiano, G.F., Monteiro, L., Palamidessi, C., Yung, M. (eds.) ICALP 2005. LNCS, vol. 3580, pp. 472–484. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  17. 17.
    Micali, S., Rabin, M., Vadhan, S.: Verifiable Random functions. In: Proceedings of the 40th IEEE Symposium on Foundations of Computer Science, pp. 120–130 (1999)Google Scholar
  18. 18.
    Micali, S., Rivest, R.L.: Micropayments Revisited. In: Preneel, B. (ed.) CT-RSA 2002. LNCS, vol. 2271, pp. 149–163. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  19. 19.
    Naor, M.: Bit commitment using pseudo-randomness. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 128–136. Springer, Heidelberg (1990)Google Scholar
  20. 20.
    Naor, M., Reingold, O.: On the construction of pseudo-random permutations: Luby-Rackoff revisited. Journal of Cryptology 12, 29–66 (1999)zbMATHCrossRefMathSciNetGoogle Scholar
  21. 21.
    Naor, M., Yung, M.: Universal One-Way Hash Functions and their Cryptographic Applications. In: STOC 1989, pp. 33–43 (1989)Google Scholar
  22. 22.
    Patarin, J.: Security of Random Feistel Schemes with 5 or More Rounds. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 106–122. Springer, Heidelberg (2004)Google Scholar
  23. 23.
    Ramzan, Z., Reyzin, L.: On the Round Security of Symmetric-Key Cryptographic Primitives. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, p. 376. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  24. 24.
    Simon, D.R.: Findings Collisions on a One-Way Street: Can Secure Hash Functions Be Based on General Assumptions? In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 334–345. Springer, Heidelberg (1998)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Yevgeniy Dodis
    • 1
  • Prashant Puniya
    • 1
  1. 1.Department of Computer Science, Courant Institute of Mathematical SciencesNew-York UniversityUSA

Personalised recommendations