How to Build an Ideal Cipher: The Indifferentiability of the Feistel Construction

Abstract

This paper provides the first provably secure construction of an invertible random permutation (and of an ideal cipher) from a public random function that can be evaluated by all parties in the system, including the adversary. The associated security goal was formalized via the notion of indifferentiability by Maurer et al. (TCC 2004). The problem is the natural extension of that of building (invertible) random permutations from (private) random functions, first solved by Luby and Rackoff (SIAM J Comput 17(2):373–386, 1988) via the four-round Feistel construction. As our main result, we prove that the Feistel construction with fourteen rounds is indifferentiable from an invertible random permutation. We also provide a new lower bound showing that five rounds are not sufficient to achieve indifferentiability. A major corollary of our result is the equivalence (in a well-defined sense) of the random oracle model and the ideal cipher model.