Security of Random Feistel Schemes with 5 or More Rounds

Abstract

We study cryptographic attacks on random Feistel schemes. We denote by m the number of plaintext/ciphertext pairs, and by k the number of rounds. In their famous paper [3], M. Luby and C. Rackoff have completely solved the cases m ≪ 2n/2: the schemes are secure against all adaptive chosen plaintext attacks (CPA-2) when fc ≥ 3 and against all adaptive chosen plaintext and chosen ciphertext attacks (CPCA-2) when k ≥ 4 (for this second result a proof is given in [9]). In this paper we study the cases m ≪ 2 n. We will use the "coefficients H technique" of proof to analyze known plaintext attacks (KPA), adaptive or non-adaptive chosen plaitext attacks (CPA-1 and CPA-2) and adaptive or non-adaptive chosen plaitext and chosen ciphertext attacks (CPCA-1 and CPCA-2). In the first part of this paper, we will show that when m ≪ 2n the schemes are secure against all KPA when k ≥ 4, against all CPA-2 when K ≥ 5 and against all CPCA-2 attacks when K ≥ 6. This solves an open problem of [1], [14], and it improves the result of [14] (where more rounds were needed and m ≪ 2 n(1-ε) was obtained instead of m ≪ 2n). The number 5 of rounds is minimal since CPA-2 attacks on 4 rounds are known when m ≪ O(2n/2) (see [1], [10]). Furthermore, in all these cases we have always obtained an explicit majoration for the distinguishing probability. In the second part of this paper, we present some improved generic attacks. For k = 5 rounds, we present a KPA with m ≃ 23n/2 and a non-adaptive chosen plaintext attack (CPA-1) with m ≃ 2n. For k ≥ 7 rounds we also show some improved attacks against random Feistel generators (with more than one permutation to analyze and ≥ 22n computations). © International Association for Cryptologic Research 2004.