Abstract

This paper proposes a new approach to generalizing Feistel networks, which unifies the classical (balanced) Feistel network and the Lai–Massey structure. We call the new structure extended Feistel (E-Feistel) network. To justify its soundness, we investigate its indistinguishability using Patarin’s H-coefficient technique. As a result, it is proved that the 4-round key-alternating E-Feistel (KAEF) cipher with adequately derived keys and identical round functions is secure up to queries, i.e., birthday-bound security. In addition, when adjacent round keys are independent and independent round functions are used, the 6-round KAEF is secure up to beyond-birthday-bound queries. Our results indicate that the E-Feistel structure is secure and reliable and can be adopted in designing practical block ciphers.

1. Introduction

In recent years, as more attention has been paid to privacy protection and information security, the design and cryptanalysis of block ciphers have become a research hotspot. The design of block ciphers emphasizes efficiency and security, both of which rely heavily on the iterative structure chosen. According to whether encryption is consistent with decryption, iterative structures can be divided into two categories. Structures with consistent encryption and decryption are beneficial in hardware implementation because decryption does not take up extra storage. This category includes the Feistel structure, the SM4 structure, the Mars structure, and the Lai–Massey structure as specific instances. The other category consists mainly of substitution-permutation networks (SPN).

The Feistel structure was proposed by Feistel and Tuchman of IBM when designing Lucifer in the late 1960s [1]. It became popular after the widespread use of the data encryption standard (DES) [2]. The input of the Feistel structure is divided into two blocks of equal length. The round function is applied to one half, using a subkey, and the output is then XORed with the other half. The two halves are then exchanged. As a result, the diffusion of the Feistel structure is relatively slow. The Feistel structure has consistent encryption and decryption, which is beneficial in hardware implementation. Several well-known block ciphers adopt the Feistel structure, for example, SIMON [3] and SIMECK [4]. In addition, there are many extensions of the Feistel structure, such as the SM4 structure [5], the Mars structure [6], and the generalized Feistel structure [7, 8].

The Lai–Massey scheme was proposed by Lai and Massey in the International Data Encryption Algorithm (IDEA) [9]. Similar to the Feistel structure, the Lai–Massey scheme takes two equal-sized plaintexts as its input. Unlike the Feistel structure, the round function is applied to the sum of the two pieces, and the result is then added to both half blocks. Furthermore, an orthomorphism is always applied to one of the halves, to compensate for the existence of a differential covering any number of rounds with probability 1. Generally, the Lai–Massey structure also has consistent encryption and decryption. Several instances, such as MESH [10] and FOX [11], utilize this structure.
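The two round structures described above, as an added example that is not code from the paper: a toy balanced Feistel network and a Lai–Massey scheme over XOR, each with its decryption, plus a check of the probability-1 property that the orthomorphism removes. The 16-bit half-block, the SHA-256-based round function `F`, the orthomorphism `sigma`, and the sample keys and plaintexts are assumptions constructed for illustration.

```python
import hashlib

N = 16                       # half-block width in bits (toy size, an assumption)
MASK = (1 << N) - 1
HALF = N // 2

def F(key, x):
    """Toy round function: a public hash applied to (key XOR input)."""
    data = ((key ^ x) & MASK).to_bytes(N // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[: N // 8], "big")

def feistel_encrypt(left, right, keys):
    # One round: F on one half, XOR into the other half, then swap the halves.
    for k in keys:
        left, right = right, left ^ F(k, right)
    return left, right

def feistel_decrypt(left, right, keys):
    # Same round shape with the keys reversed; F itself is never inverted.
    for k in reversed(keys):
        left, right = right ^ F(k, left), left
    return left, right

def sigma(x):
    """A simple orthomorphism on N-bit words: (a, b) -> (b, a XOR b)."""
    a, b = x >> HALF, x & ((1 << HALF) - 1)
    return (b << HALF) | (a ^ b)

def sigma_inv(y):
    b, c = y >> HALF, y & ((1 << HALF) - 1)   # c = a XOR b
    return ((b ^ c) << HALF) | b

def is_orthomorphism():
    """sigma and x -> sigma(x) XOR x must both be permutations."""
    domain = range(1 << N)
    return (len({sigma(x) for x in domain}) == 1 << N
            and len({sigma(x) ^ x for x in domain}) == 1 << N)

def lai_massey_encrypt(left, right, keys, use_sigma=True):
    # One round: F on the sum (XOR) of the halves, result added to both halves.
    for k in keys:
        t = F(k, left ^ right)
        left, right = left ^ t, right ^ t
        if use_sigma:
            left = sigma(left)
    return left, right

def lai_massey_decrypt(left, right, keys, use_sigma=True):
    for k in reversed(keys):
        if use_sigma:
            left = sigma_inv(left)
        t = F(k, left ^ right)    # left XOR right is unchanged by adding t to both
        left, right = left ^ t, right ^ t
    return left, right

def xor_invariant_holds(keys, use_sigma, samples):
    """True if left XOR right survives encryption for every sample plaintext."""
    for l, r in samples:
        cl, cr = lai_massey_encrypt(l, r, keys, use_sigma)
        if cl ^ cr != l ^ r:
            return False
    return True

# Constructed sample keys and plaintexts (not taken from the paper).
KEYS = [0x1A2B, 0x3C4D, 0x5E6F, 0x7081]
SAMPLES = [((i * 0x1234 + 7) & MASK, (i * 0x0F0F + 3) & MASK) for i in range(64)]

if __name__ == "__main__":
    pt = (0x0123, 0x4567)
    print("Feistel round trip:   ", feistel_decrypt(*feistel_encrypt(*pt, KEYS), KEYS) == pt)
    print("Lai-Massey round trip:", lai_massey_decrypt(*lai_massey_encrypt(*pt, KEYS), KEYS) == pt)
    print("sigma is an orthomorphism:", is_orthomorphism())
    print("invariant without sigma:  ", xor_invariant_holds(KEYS, False, SAMPLES))
    print("invariant with sigma:     ", xor_invariant_holds(KEYS, True, SAMPLES))
```

Without `sigma`, the XOR of the two halves passes through every round unchanged, so a single query separates the cipher from a random permutation regardless of the number of rounds; with `sigma` in place that relation no longer holds.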

Different from the Feistel structure and the Lai–Massey scheme, one round function of the SPN structure is composed of an invertible nonlinear function S layer controlled by a subkey and an invertible linear transformation P layer. Compared to the Feistel structure, the diffusion of the SPN structure might be faster. However, the decryption of an SPN structure is usually different from that of the encryption; thus, more resources might be required for the implementation. In recent years, there have been many ciphers using the SPN structure such as AES [12] and PHOTON [13]. Additionally, the SPN structure is often adopted as round functions in the design of Feistel ciphers such as SM4 [5] and Camellia [14].

Traditionally, the security of block ciphers is defined as the indistinguishability from random permutations when the keys are random and secret. This is known as pseudorandomness. However, in some block cipher-based schemes such as hash functions, the underlying block ciphers may not have secret keys. The security arguments for these schemes thereby cannot be based on the pseudorandomness of the underlying ciphers. To remedy this, the theory community usually models the underlying ciphers as ideal ciphers, i.e., sets of independent random permutations indexed by the keys, and then argues the security of the whole schemes. By this, we expect practical block ciphers to be as secure as ideal ciphers, and a proof of such security is the final goal of the theory community. However, given the state of the art, the only choice is to replace some of the underlying components of the block ciphers by idealized oracles and then argue the closeness of the obtained idealized block ciphers and the ideal ciphers. The security proved in this way cannot be used as a guarantee for the actual security of practical block ciphers, but it still helps to deepen the understanding of that security and to advance theoretical research toward the ultimate goal.

Luby and Rackoff [15] proposed the Luby–Rackoff (LR) scheme in 1985. They also proved that the balanced Feistel structure covering 3 rounds is a pseudorandom permutation and that covering 4 rounds is a super-pseudorandom permutation. Since then, the LR scheme has attracted a lot of attention and become the most popular model for Feistel ciphers in which the round functions are set as random functions. Following [15], a long series of work established better security (maybe using a larger number of rounds) [16–18]. Significantly, Gentry and Ramzan [19] proved that the Feistel cipher covering 4 rounds without keys is secure against queries. On this basis, Guo and Wang [20] showed that 4-round key-alternating Feistel (KAF) using the same round function is secure against queries, i.e., birthday-bound security. Guo also proved that the 6-round key-alternating Feistel (KAF) using independent round functions and appropriate keys is secure up to queries, i.e., beyond-birthday-bound security.

Iterative structures in block ciphers mainly adopt three structures: the Feistel structure, the SPN structure, and the Lai–Massey scheme. This lack of variety in iterative structures may bring security risks; once backdoors in some iterative structure are found, the whole series of block ciphers that adopt the structure could be effectively attacked and would no longer be secure. This motivates research on the diversity of iterative structures. In this paper, we extend the original Feistel structure and propose an extended Feistel (E-Feistel) structure. This paper mainly focuses on studying the security of the E-Feistel structure from the perspective of theoretical security of the structure using the H-coefficient technique. The main contributions are as follows:
(1) We propose a new iterative structure, the E-Feistel structure, which also has consistent encryption with decryption
(2) For birthday-bound security, we prove that the 4-round KAEF with the same round function is secure up to queries
(3) For beyond-birthday-bound security, we prove that the 6-round KAEF with independent round functions is secure up to queries

This paper is organized as follows. We introduce the notations in Section 2. Section 3 presents the extended Feistel structure. Then, Sections 4 and 5, respectively, present our results on 4-round KAEFSF and 6-round KAEF and their security proofs. Section 6 concludes this paper.

2. Notations

Let denote the binary field and denote the dimensional vector space over . Throughout this paper, always corresponds to a column vector. Let . Then, the point product of two vectors and is calculated as denoted as .

2.1. The H-Coefficient Technique

We use Patarin’s H-coefficient technique [21, 22] to prove the birthday-bound security of 4-round KAEF and the beyond-birthday-bound security of 6-round KAEF. Therefore, we sum up the interaction between distinguisher and its oracles in the queries of transcripts. Suppose enquiring the ith oracle ( or ) for q times; a record can be obtained, where represents the queries and answers of KAEF. Similarly, the queries made to are recorded as denoting the answer obtained by querying with . Let and . The transcript of the distinguisher is denoted as .

Given a set of function queries and a function , we say that extends , denoted if , for all . Similarly, given a transcript of permutation queries and a permutation , we say extends , denoted , if , for all . The latter definition also extends to the -round KAEF built on and a key ; in that case, we write . Finally, for and , if , then .

With regard to all achievable transcripts which represent an achievable record for queries of a series of oracles or , the probability that interacts with the real world and the ideal world is denoted as and , respectively. and are defined formally as follows:

We can estimate the distinguishing advantage by calculating and . The lemma is stated as follows:

Lemma 1 (see [23]). Assume that there exists a function such that, for every achievable transcript with and queries of two types, the following equation holds: Then, the following equation holds:

Lemma 2 (see [23]). Fix a transcript with . Assume that (i) and (ii) there is a function such that, for all , the following equation holds . Then, we have

3. The Extended Feistel Structure

The extended Feistel structure (E-Feistel structure) denoted as is defined in the following.

The round function and the branch have the same length, denoted as . Let and , where and . Let be a map over . The input and output of are denoted as and , respectively. Then, the map is defined as where , as illustrated in Figure 1.

Denote by all the maps from to . Then, the structure is defined as . has similar procedures of decryption and encryption.

Let and . We further associate and branch swapping with the following two matrices:

4. Four Rounds for Birthday-Bound Security

As seen in Figure 2, we assume that the 4-round idealized KAEF cipher uses the same random round function and 4 independent random round keys .

Firstly, we give the definition of round-key vectors in the 4-round key-alternating extended Feistel using the same round function (KAEFSF). The constraint on round keys does not need the round key to satisfy the condition of complete independence and randomness.

Definition 1 (suitable round-key vector for 4 rounds). A round-key vector is suitable if it satisfies the following conditions:
(i) and are uniform in (but they need not be independent)
(ii) is also uniformly distributed in

Proposition 1. For , assume , and is a nonsingular matrix.

Proof. Since , and are both nonsingular matrices. So, is a nonsingular matrix. As a result, is a nonsingular matrix. For convenience, is denoted as .

Theorem 1. Assuming , for the 4-round idealized KAEFSF, the following equation holds:

Proof. According to Lemma 2, we can translate the proof of equation (9) into the proof of the following equation:For a fixed transcript with and , key vectors can be distinguished whether good or bad concerning . Then, the probability for good key can be estimated. For convenience’s sake, for any , ( otherwise) denotes whether there exists a corresponding record in or not.
Bad keys are now defined as follows.

Definition 2 (bad round-key vector for 4 rounds). With regard to , a suitable round-key vector is bad, as long as either of the two following conditions is satisfied:
(B-1): there exists that satisfies either or
(B-2): there exist two (not necessarily different) and in that satisfy
The other transcripts are defined as good round-key vectors, denoted by .
For each of the records , since both and are uniformly distributed in and since , the probability that it satisfies (B-1) does not exceed . On the contrary, for each of the pairs of records and , since is uniform, the probability that the pair satisfies (B-2) does not exceed . Therefore,

4.1. Lower Bounding the Probability for Good Keys

We now lower bound the probability for an arbitrary good round-key vector . For this, we follow a clean “predicate” approach from [24]. We define a “bad” predicate on . When conditions of are not fulfilled, the event occurs if and only if new and distinct equations on the random round function are satisfied. For convenience’s sake, we first define

Clearly, . Then, for any to bit function , the predicate holds if one of the following conditions is fulfilled:
(C-1): such that or
(C-2): there exist two (not necessarily different) and in such that
(C-3): there exist two different and such that or

To compute , we consider the conditions in turn. First, as is good, for any , we have and . Thus, based on , the values and remain uniformly distributed, and thus,

So, . Second, for any two tuples and from , the two function values and are independent by . Then, as argued, we have and thus, .

Third, for any tuples and , if , then is not possible. Otherwise, since is uniform (as argued before), the probability to have is . It is similar for the other condition thus, and

Using an arbitrary order, write , and for a given , let

For each , we assume that the outputs of in the 2 and 3 rounds are denoted as and , respectively:

Additionally, conditioned on and , (a) the induced values are distinct ones (otherwise if or , for some , then (C-3) is fulfilled; if , then (C-2) is fulfilled) and (b) the images remain fully undetermined and thus uniform, otherwise (C-1) is fulfilled. Therefore, for each , we have and for any ,

Gathering this and equation (11) and Lemma 2 yields the claim of equation (10).

5. Six Rounds for Beyond-Birthday-Bound Security

As seen in Figure 3, we assume that the 6-round idealized KAEF cipher uses the 6 independent random round functions and 6 random round keys .

Similarly, we first define suitable round-key vectors.

Definition 3 (suitable round-key vector for 6 rounds). A round-key vector is suitable if it satisfies the following conditions:
(i) , , and are uniformly distributed in
(ii) , , and are uniformly distributed in possibilities
(iii) For , and are independent
Different from the proof of birthday-bound security, the upper bound of probability of various collisions should be small enough. As a result, all of the key vectors need to be uniform. It is the same for the independence of key vectors. Beyond-birthday-bound security of KAEF can be proved under the instantiation with suitable round-key vectors.

Theorem 2. For the 6-round idealized cipher KAEF with the suitable round-key vector, the following equation holds:

It is worth noting that when , the security is beyond-birthday security. For example, when , the bound is of “typical” beyond-birthday form .

Similarly, we can translate the proof into the proof of the result; for any transcript , the following equation holds:

For a fixed transcript with , , and , for , we follow similar procedures in Section 4 to complete the proof.

5.1. Bad Round-Key Vectors and Probability

For convenience, (and otherwise) denotes, for any , whether there exists a corresponding record in or not. Additionally, denotes the corresponding . The bad round-key vector is defined as follows.

Definition 4 (bad round-key vector for 6 rounds). With respect to , a suitable key vector is bad if it satisfies one of the following conditions:
(B-1): there exist , , and such that and
(B-2): there exist , , and such that and
(B-3): there exist , , and such that and
These bad key vectors are denoted as . The other key vectors are defined as good key vectors, denoted by .
Because there are at most choices for , , and and since , resp. , is uniform in , resp. possibilities, and furthermore, since and are independent, the following equation holds .
Similarly, we have . By symmetry, . As a result,

5.2. Analysis for Good Keys

For a fixed good round-key vector , we would get a lower bound for the probability . Inspired by Cogliati et al. [25, 26], it takes two steps. Firstly, through defining certain “bad” functions on , we would lower bound the probability under the condition. Secondly, under the assumption of “good” functions , the outer two rounds are removed; we only need to analyze the induced 4-round transcript to yield the final bounds.

For a fixed pair of such that and and for each , we set and . Then, tuples are obtained. The induced tuples are denoted by . For convenience, is used to denote all tuples whose third coordinate equals . Similarly, we define :

Additionally, we define several key-independent quantities characterizing :

The predicate holds if the induced set satisfies one of the following conditions:
(C-1): there exist three records , , and such that and
(C-2): there exist three records , , and such that and
(C-3): there exist three records , , and such that and
(C-4): there exist two distinct and in , and a pair in such that and , or symmetrically, two distinct and in and a pair in such that and
(C-5): there exist two distinct and in and a pair in such that and , or symmetrically, two distinct and in and a pair in such that and
is defined as good if does not hold.

Lemma 3. We have

Proof. Due to page limits, see Appendix A.

5.2.1. Analyzing the Inner Four Rounds

Let . We denote

This captures the probability that the inner four rounds of KAEF “extend” the tuples in . The probability can be related to it.

Lemma 4 (see [17]). Assume that there exists a function such that, for any good , the following equation holds:

Then, we have

Now, we prove the assumption of Lemma 4.

Lemma 5. For any fixed good tuple , there exists a function of the function pair and the round-key vector such that inequality (20) mentioned in Lemma 4 holds. Moreover,

Proof. The general expression of is a function of several variables defined before, which suffers from a bad readability. Therefore, we directly establish (and present) the bound on its expectation. However, due to space constraints, for the full proof, refer to Appendix B.
Below, we present a sketch and the core results. According to the type of the involved collisions, we divide the tuples in into four groups: Let , , and . Note that, by definition, these sets form a partition of : by definition, since otherwise would satisfy (C-1), since, for any would imply fulfilling (C-4), while would imply (C-5), since, for any would imply (C-5), while would imply (C-4) We denote , and the event and . It can be seen that We next analyze the four groups in turn. The first one, i.e., , involves the most complicated analysis. Briefly, for each tuple in , it consists of three cases.
In the first case, neither of the two corresponding intermediate values and derived from and collides with values that have been in the history. The probability that extends in this case is roughly at least
In the second case, the corresponding intermediate value Y collides with some “existing” values, yet the further derived Z is “free.” The probability that extends in this case is roughly at least
The third case is symmetrical to the second one: Z collides with “existing” values, yet Y is “free.” The probability is roughly at least
Summing over the above, we obtain The concrete bound is
To analyze , and , we again apply the bad predicate approach. These groups involve collisions and have relatively small sizes: (will be proved later). Therefore, any collisions between tuples in these groups and values related to or can be included in the bad predicates; for each tuple, in these three groups, the probability would be with , yet it remains in total. In all, the results are

Proof. It is analyzes for , and .
Lower bounding . Consider first; we lower bound the probability that is equivalent to and , satisfying new and distinct equations. To this end, again, we define a predicate , which holds if there exists that fulfills one of the following conditions:
(i) The value derived using is in , i.e., , where
(ii) The Z value derived using collides with Z′ value of another tuple in , i.e., there exists such that , where
(iii) The Z value derived using collides with Z′ value of another tuple in or , i.e., there exists such that
We note that, for each , let ; then, the following equation holds (otherwise fulfilling (C-2)) and (according to the analysis of ). Thus, conditioned on , the value remains uniform. Therefore, for this ,
(i) The probability that condition (i) is fulfilled is at most
(ii) For each , if the corresponding does not equal , then the probability of is at most ; otherwise, since the two tuples are distinct, it has to be , and thus,
(iii) For each , the probability of is at most
Summing over the above yields
It is not hard to see that conditioned on , the tuples in indeed give rise to distinct values (otherwise condition (ii) is fulfilled), for which , all remain undetermined (otherwise condition (i) or (iii) is fulfilled). Furthermore, at the “right side,” they also give rise to distinct values with , all remain undetermined:
(i) are also distinct, otherwise fulfilling (C-5)
(ii) None of is in , otherwise fulfilling (C-1)
(iii) Conditioned on , , all remain undetermined, otherwise some is shared between tuples in and
Thus, in this case, the event is equivalent to and satisfying new and distinct equations, and the probability does not exceed .
We then consider . The analysis is similar to by symmetry; we define a predicate on , which holds if there exists such that one of the following conditions is fulfilled:
(i) The induced value is in , i.e., , where . The probability is at most in total.
(ii) The induced value collides with the value of another tuple in , i.e., there exists such that , where . The probability is at most .
(iii) The induced value collides with value of another tuple in or , i.e., there exists such that . The probability is at most in total.
Similar to , And, conditioned on , tuples in give rise to distinct values , while the assumption ensures that they give rise to distinct values . Thus, the event is equivalent to and satisfying new and distinct equations. Therefore, conditioned on , we have
Lower bounding : by definition, for any tuple , let and ; then, we have both and . Moreover, conditioned on , the two values and remain “undetermined” and uniform (otherwise, if , and imply being fixed, then a tuple in , or would share the same value with a tuple in , contradicting the definition of or fulfilling (C-4) or (C-5), respectively).
For these tuples, we would lower bound the probability that they induce new and distinct equations on and . To this end, we define a predicate on and , which holds if there exists a tuple such that if we let and , then one of the following conditions is fulfilled:
At the “left side,” concerning ,
(i) The induced value falls in , i.e., . As discussed, remains random; thus, the probability is clearly at most .
(ii) The induced value collides with some “previously determined” , i.e., there exists another tuple such that . It necessarily is ; again, using the randomness of , we obtain the upper bound , for each .
At the “right side,” concerning , similar to the above symmetry,
(i) : the probability is clearly at most .
(ii) There exists another tuple such that . The upper bound is , for each .
Thus, using , we obtain
Similar to the analysis for and , conditioned on , the event is equivalent to and satisfying new and distinct equations. Therefore,
Summing up would yield a lower bound of the form
We note . Thus, using , we obtain for which
We now derive To this end, note that, by definition, and are quantities that depend on :
We consider first. For each , if , then by . Thus, conditioned on , remains uniform, and . Therefore, Similarly, by symmetry, using the randomness supplied by ,
Then, we consider . We fix a record such that , and consider another . If , then it has to be , and thus, . Otherwise, as , remains random conditioned on , and The number of distinct pairs of such tuples is at most . Thus, we know the expectation of the number of pairs: As the number of such that is , we obtain Symmetrically, Thus, Finally, since and resp. are uniform in and resp. possibilities, and . Gathering all the above yields as claimed in (8).

5.3. Concluding the Pointwise Proximity Proof

Gathering Lemma 2, Lemma 4, and equation (22), we obtain where is the function specified in equation (44). Note that its expectation has been bounded in Lemma 5.

For , since and resp. are both uniformly distributed in and resp. possibilities, we have

At the end of previous section, we have shown and Injecting them into the bound of Lemma 3 yields

Gathering all the above eventually establishes equation (21).

6. Conclusion

For diversity of iterative structures, we propose an extended Feistel structure. The new iterative structure also has consistent encryption and decryption. This paper mainly investigates the security of the new structure by studying the distinguishability between the ideal cipher adopting this structure and a random permutation. Results show that, for birthday-bound security, the 4-round KAEF is secure against queries and for beyond-birthday-bound security, the 6-round KAEF is secure against queries. As a result, the new iterative structure is reliable and can provide more choices for cipher design.

Appendix

A. Proof of Lemma 3

We upper bound the probabilities of the bad conditions in turn.

A.1. Condition (C-1)

For any , if there exist and such that and , then we would have and for the corresponding . It cannot be , as otherwise along with fulfilling (B-2) in Definition 3; similarly, it cannot be . Thus, conditioned on and , the two values and remain uniform. Thus, for each 3-tuple , the probability that the case of both and hold is at most . Since we have at most such 3-tuples, the total probability does not exceed .

A.2. Conditions (C-2) and (C-3)

Consider (C-2) first. By definitions, the number of triplets such that is , where is a “merged” notation for and the corresponding induced and . On the contrary, would imply . Now, if , then it cannot be , otherwise (B-2) is fulfilled. Whereas when , then conditioned on , the value is uniform, and thus, . As a result, we have . For condition (C-3), it is similar by symmetry, resulting in .

A.3. Condition (C-4)

Consider the first half of (C-4) first, and consider such two tuples and . We note that neither nor can be in , as otherwise it satisfies (B-2). Thus, conditioned on , both and remain uniform. Thus,

The number of choices of , and is at most ; thus, the probability of the first half is at most in total. For the second half, it is similar by symmetry, leading to the same bound . Thus, .

A.4. Condition (C-5)

Consider the first half of the condition, and consider such three tuples , , and , respectively. By , , depending on the state of , we distinguish two cases.
(i) Case 1: . Then, we have at most choices for and at most choices for . Conditioned on , remains random; thus, Conditioned on , the value is also random; thus, we similarly have . Thus, the probability is at most in total;
(ii) Case 2: . Then, we have choices for . Similar to Case 1, . Thus, the probability that there exists at least one such tuple is at most .

Summing over the two cases results in , the analysis for the second half is similar by symmetry, giving . Thus, .

B. Proof of Lemma 5

Lower bounding the probability is . We write using some arbitrary order. Let be the event that extends the lth tuple . Then, .

We next focus on lower bounding for the (l + 1)th tuple . The approach is to lower bound the probability that is equivalent to 2 new and distinct equations on , and . For this, we define four sets for positions “occupied by previous tuples:”

We note that, for any , conditioned on , the value has been “fixed” according to a corresponding tuple and cannot be deemed random, for with .

Let and . Then, given the round functions , the two intermediate values and would be determined. Depending on their state, the event consists of at least three cases:
(i) Case 1 (“no collision”): the two induced values and satisfy Then, the following equation holds and .
(ii) Case 2 (“left collision”): the induced satisfies but the further induced value satisfies Then, the following equation holds and .
(iii) Case 3 (“right collision”): similar to Case 2 by symmetry, the induced value satisfies , but the further induced satisfies . Then, the following equation holds and .

By these, we have

Let and . We use three sections to bound each probability in turn.

B.1. Case 1

As is in , we have . Furthermore, does not collide with any other tuples in since . So, conditioned on , remains random and

By symmetry,

Then, it can be seen the two equations and are fulfilled with probability , and thus,

One may notice that if we only consider this Case 1, then we would end up with an undesired birthday-type bound since .

However, this gap is filled in by the other two cases analyzed below.

B.2. Case 2

Recall that, in this case,

Instead of lower bounding we upper bound the probability of the opposite case. It can be seen that colliding with the involved implies that , where . Therefore, we proceed to upper bound: where stands for the event where .

In detail, the to-be-bounded probability could be written as

Let . In the following, we distinguish five subcases and derive bound for each in turn.

B.2.1. Subcase 2.1

. Define as the number of preimages of under the map defined by , i.e.,

By this and by the constraint that , for each , the number of such that is . Therefore, the number of such “bad” pair is in total. On the contrary, similar to Case 1, can still be deemed random; thus, and

B.2.2. Subcase 2.2

, and . For this, we introduce a new k-dependent quantity:

Thus, the number of such pairs with is . We also have Therefore,

Since is uniform in values, it can be seen . Therefore, the expectation of the probability is at most .

B.2.3. Subcase 2.3

and . By definition, we have where are derived from the ith tuple , and if and only if i is the smallest index satisfying these conditions (i.e., , while ) and .

We focus on . For convenience, we let and write . We consider the conditional probabilities , for . It can be seen if fits into Case 3, then , and this is the discussion of subcase 2.3. So, we consider :
(i) When fits into Case 1, according to the corresponding analysis, was derived via , and was uniform. Thus, Since we further have , the following equation holds
(ii) When fits into Case 2, let and . Then, implies meaning that, for each triple , the number of choices for such is . For each such , the event essentially implies two collisions, i.e.,

Therefore,

By the above, for any j, we have where is denoted as B.

Thus,

This means

B.2.4. Subcase 2.4

, and . By definition, we have where and are derived from the ith tuple , and if and only if i is the smallest index satisfying these conditions (. We let and write . Now, the following equation holds ; thus, the collision relation translates into . Similar to subcase 2.3, we distinguish two cases.
(i) When fits into Case 1, we have and was uniform. Thus, This along with yields
(ii) When fits into Case 3, let . Then, implies . Note that, for the fixed , and , the number of choices for is at most 1. And, for to collide with , the two collisions and are required to happen: which follows.

Using a counting similar to subcase 2.3, we obtain

B.2.5. Subcase 2.5

, and . By definition, we havewhere(1) and are derived from the ith tuple and if and only if i is the smallest index satisfying these conditions and .(2) and are derived from the jth tuple and if and only if j is the smallest index satisfying these conditions and .(i)If , then we utilize the constraint and follow the same line as the analysis of subcase 2.3. This shows the number of choices for is ; thus, the upper bound for each .(ii)If , then we utilize the constraint , and follow the same line as the analysis of subcase 2.4. Then, establish the bound for each .

In all, summing over the five cases yields

Clearly, once such collisions do not happen, the mentioned requirements are met, and we have . Moreover, as , we have (a) and (b) , i.e., the position of cannot be “taken” by previous tuples. By these,

B.3. Case 3

In this case, since , , and ,

Thus, by lower bounding the probability of colliding with such “bad” , we would derive the result for this case. Similar to Case 2 by symmetry, we write

Let . Similar to subsection B.2, we also distinguish five subcases, and the arguments are similar by symmetry:

(1) , and . In this case, utilizing the constraint , we have where

(2) , and . Define Since is uniform in values, we have

(3) , and . By definition, we have where and are derived from the ith tuple and if and only if i is the smallest index satisfying these conditions and . Then, similarly to the analysis for the subcase 2.3 in subsection B.2,

(i) When fits into Case 1, it can be shown .

(ii) When fits into Case 3, it can be shown . By this, By the above and a similar calculation, we have

(4) , and . By definition, we have It also holds . On the contrary, when fits into Case 2, it can be shown as , which helps cinch . Therefore,

(5) , and . Similar to the last subcase in subsection B.2, it can be shown as

The above gives rise to the following bound:

B.4. Summary for

Summing over the three cases results in

Note that , , and (b) . Therefore,

We finally consider . To this end, we note that, by definition, we have

Therefore, and similarly,

B.5. Analysis for , , and

Lower bounding : consider first; we lower bound the probability that it is equivalent to and satisfying new and distinct equations. To this end, again we define a predicate , which holds if there exists that fulfills one of the following conditions:

(i) The value derived using is in , i.e., , where

(ii) The value derived using collides with the value of another tuple in , i.e., there exists such that , where

(iii) The value derived using collides with the value of a tuple in or , i.e., there exists such that

We note that, for each , let ; then, the following equation holds (otherwise fulfilling (C-2)) and (according to the analysis of ). Thus, conditioned on , the value remains uniform. Therefore, for this ,

(i) The probability that condition (i) is fulfilled is at most .

(ii) For each , if the corresponding does not equal , then the probability of is at most ; otherwise, since the two tuples are distinct, it has to be , and thus, .

(iii) For each , the probability of is at most .

Summing over the above yields

It is not hard to see that conditioned on , the tuples in indeed give rise to distinct values (otherwise condition (ii) is fulfilled), for which all remain undetermined (otherwise condition (i) or (iii) fulfilled). Furthermore, at the “right side,” they also give rise to distinct values with all undetermined:

(i) are also distinct, otherwise fulfilling (C-5)

(ii) None of is in , otherwise fulfilling (C-1)

(iii) Conditioned on remain undetermined, otherwise some is shared between tuples in and and (C-5) is fulfilled

Thus, in this case, the event is equivalent to and satisfying new equations, the probability of which does not exceed .

We then consider . The analysis is similar to by symmetry; we define a predicate on , which holds if there exists such that one of the following conditions is fulfilled:

(i) The induced value is in , i.e., , where . The probability is at most in total.

(ii) The induced collides with the value of another tuple in , i.e., there exists a tuple such that , where . The probability is at most in total.

(iii) The induced collides with the value of a tuple in or ; i.e., there exists such that . The probability is at most in total.

Similar to , and conditioned on , tuples in give rise to distinct values , while the assumption ensures that they give rise to distinct values . Thus, the event is equivalent to and satisfying new equations. Therefore, conditioned on , we have

Lower bounding : by definition, for any tuple , let and ; then, we have both and . Moreover, conditioned on , the two values and remain “undetermined” and uniform (otherwise, if , or implies being fixed, then a tuple in or would share the same value with a tuple in , contradicting the definition of , or fulfilling (C-4) or (C-5), respectively).

For these tuples, we would lower bound the probability that they induce new and distinct equations on and . To this end, we define a predicate on and , which holds if there exists a tuple such that if we let and , then one of the following conditions is fulfilled.

(1) At the “left side,” concerning ,

(i) The induced value falls in , i.e., . As discussed, remains random; thus, the probability is clearly at most , for each .

(ii) The induced value collides with some “previously determined” ; i.e., there exists another tuple that . It needs to be ; again, using the randomness of , we obtain the upper bound , for each ;

(2) At the “right side,” concerning , similar to the above by symmetry, For each , the probability is at most :

(i) There exists another tuple such that . The upper bound is , for each in .

Thus, using , we obtain

Similar to the analysis for , conditioned on , the event is equivalent to and satisfying new and distinct equations. Therefore,

Data Availability

No data were used to support this study.

Conflicts of Interest

The authors declare that they have no conflicts of interest.