Transcript Document

Feistel Networks made
Public, and Applications.
Yevgeniy Dodis
Prashant Puniya
Feistel Network
L
Round values
f
f
S



R
Round function
Round function output
T
One round
Feistel Construction
Construction of a permutation on 2n bits from a
nn bit function f.
Easily invertible.
Feistel Network : Iterated Feistel Construction.
Block Cipher Design

Several practical block ciphers based on
Feistel network.



Theoretical basis?




DES, Blowfish, Triple DES…
Use 16-48 round Feistel network
Luby-Rackoff showed that 4 rounds of Feistel
with pseudorandom round functions is a PRP.
Several improvements: Naor-Reingold, Patarin,
Ramzan-Reyzin…
All apply to 3-6 rounds of Feistel.
Why the disconnect?
Reason 1

Round functions are not pseudorandom
functions.



All above theoretical results assume some of
the round functions to be PRFs.
Round functions in actual block ciphers are
heuristically designed and aren’t
pseudorandom.
Maybe expect less from round functions.

Weaker assumptions on round functions, such
as unpredictability?
Reason 2
Cannot argue secrecy of round values.
 Necessary for any of the theoretical
results to be applicable.
 May not necessarily hold for actual block
ciphers with non-pseudorandom round
functions.



Example: need not hold for unpredictable fns.
More generally, there may be situations where
this has to be the case (more details later).
Summary

All theoretical results are inapplicable once
we relax the above assumptions, i.e. when



Round functions may not be PRFs.
Cannot argue secrecy of round values.
In fact, we give a simple attack on the
Feistel network in the paper if either of
these assumptions does not hold.
Our results (in brief)

Negative Results:




If round values are public, O(log n) round
Feistel network is insecure.
With unpredictable round fns., O(log n) rounds
need not be secure (even if round values aren’t explicitly revealed)
An attack using exponential (in # of rounds) queries.
Positive results:

(log n) rounds preserve PR/Unpredictability
even if round values are leaked.
Implications for Block Ciphers

If round functions are pseudorandom



O(log n) round Feistel is insecure if round values revealed.
(log n) round Feistel is a PRP even if round values revealed!
If round functions are only unpredictable




O(log n) round Feistel need not be secure even if round
values are not explicitly revealed.
(log n) round Feistel is an unpredictable permutation (UP).
Safe fallback security for block ciphers.
Even for stronger security notions



Forces a weaker/more clever attack for (log n) rounds.
Possible that weaker than PRF round functions suffice!
(log n) matches the number of rounds in block
ciphers much better than previous results.

E.g. DES on 64 bits uses 16 rounds.
Our results (in brief)

Negative Results:




If round values are public, O(log n) round
Feistel network is insecure.
With unpredictable round fns., O(log n) rounds
need not be secure (even if round values aren’t explicitly revealed)
An attack using exponential (in # of rounds) queries.
Positive results:


(log n) rounds preserve PR/Unpredictability
even if round values are leaked.
Give a general abstraction for the Feistel
network.

Many other applications (stay tuned!)
A useful abstraction.

We describe a simple combinatorial game
involving the Feistel network which is
applicable to all scenarios that we
consider.

Involves a k-round Feistel network and an
attacker A.



A makes forward/inverse queries to Feistel.
Can see all intermediate round values.
Goal : Force a collision of the middle ((k/2)th)
round values of two different queries.
Negative Result

We describe an attacker that wins this
combinatorial game.

The attacker makes O(1.62k) queries to
the k-round Feistel network.


Works for arbitrary round functions
Hence, works in polynomial time for the
O(log n)-round Feistel network.
Matching Positive Result


We find a sufficient combinatorial condition on
the round functions such that no efficient
attacker can win if k=(log n).
5-XOR game:



Same rules as the main combinatorial game.
Goal : Attacker wins if some “new” round function
output = XOR of upto 5 previous round values.
5-XOR resistant functions : resist such attacks.
Main Theorem: If round functions of a k-round
Feistel network are 5-XOR resistant, then no
attacker can find a (k/2)th round value collision
within O(1.38k/2) queries.
Matching Positive Result (contd.)

This is a purely deterministic result.


If attacker does not win the 5-XOR game, then
it cannot find a (k/2)th round value collision
with less than O(1.38k/2) queries.
Using 5-XOR-resistance?


Relatively weak property, easily proven to hold
for UFs and PRFs
Applied to PRFs  (log n) round Feistel is PRP
(even if the round values are public!).

Applied to UFs  (log n) round Feistel is UP
(even if the round values are public!).

Implication to Domain extension of MACs!
Domain Extension of MACs

Problem : Given a fixed-length input (FIL)
MAC, construct an arbitrary-length input
(AIL) MAC.


Well studied if FIL-MAC is a PRF (in fact, often get AIL-PRF).
Also well studied if FIL-MAC is “shrinking” (variants of
Cascade construction work) [AB99,MS05].
Grey Area: What if the FIL-MAC is neither
PRF nor “shrinking”?
 Perhaps, most practically relevant case!

(a) FIL-MAC is typically a block cipher.
(b) overkill to assume it is a PRF!
Hash-then-MAC

Use a hash function to map to a short
message, then apply the FIL-MAC.

If FIL-MAC is a PRF, then an almostuniversal hash function works.

With general FIL-MACs, need collisionresistant hash functions!
CBC-MAC

Popular domain extension technique for
MACs

Secure if FIL-MAC is a PRF [BKR94].

Simple attack possible with general FILMACs [AB99].
Cascade construction

Also called Merkle-Damgard construction.

Need a shrinking FIL-MAC.

If FIL-MAC is a PRF, one can chop the
output and apply Cascade.

With general FIL-MACs, can chop at most
logarithmic number of output bits

Very Inefficient (+ poor exact security)
Naor-Reingold construction
A
very nice technique of getting PRFs
from UFs.
 Need
to extract a hardcore bit for
every output bit of PRF.

Very inefficient
Feistel Network
3-rounds already secure if FIL-MAC is a PRF.
 With general FIL-MACs, [AB99] gave an
attack on 3-round Feistel.



“more rounds do not appear to help” [AB]
Our result : With general FIL-MACs, k-round
Feistel network is a secure MAC if and only if
k=(log n).


Extend [AB99] to show that upto logarithmic
number of rounds do not help in general.
Somewhat surprisingly, secure with more rounds!
More efficient AIL-MAC?

Above method is still somewhat inefficient
for large inputs.



To get domain size (n2i), need (log n)i round
Feistel network.
Moreover, digest size grows as big as the
domain!
Can this be improved?



Yes!
Optimize our technique to get 2n  n bit MAC.
Use existing techniques for “shrinking” MACs
(variants of Cascade).
More efficient AIL-MAC

How to get 2nn bit MAC?

Chop n bits from the Feistel network output?


Cannot directly apply our technique.

With a little work, show that (log n) rounds are still
necessary and sufficient!
Our suggestion to practitioners: apply any secure
variant of Cascade to the 2nn MAC obtained by

Halving the output of an (log n)-round Feistel
network applied to any secure n-bit block cipher

Halving the output of a secure 2n-bit block cipher
itself, if the block cipher is already Feistel-based!

Note: this requires at least 256-bit block cipher
Other Applications
Verifiable Random Functions
Verifiable Random Functions (VRFs) are
verifiable analogues of PRFs.
 Given secret key SK:




Given public key PK:



Can compute VRF f and provide proofs of
correctness of f outputs.
Still cannot give proofs for two different outputs
for the same input (even for adversarial PK!).
Can verify proofs of correctness of f outputs.
All “unproved” outputs still look random.
Several known constructions [MRV,L,DY,D].
Verifiable Random Permutations
 We
introduce VRPs, similarly natural
verifiable analogues of PRPs.
 Can we build them from VRFs, just
like PRPs from PRFs?
 First Attempt: Use a 4-round Feistel
network with VRFs in each round and
apply the Luby-Rackoff result.

Doesn’t work: need to explicitly give
round values (and their proofs) to prove
VRP outputs.
Constructing VRPs from VRFs

Use our proof technique that works even if
round values are public.

Result : An (log n) round Feistel network
with VRFs as round functions is a
verifiable random permutation.

Cannot improve to O(log n) rounds, since our
attack works in this case as well.
Applications of VRPs

Non-interactive setup-free perfectly
binding commitments.

Non-interactive Lottery.

“Invariant Signatures” of [GO92] for
NIZKs.

Verifiable CBC Encryption/Decryption.

Verifiable huge (pseudo)random objects.

“Proof-transferrable” implementation of
Ideal Cipher Model.
Non-interactive commitments

Non-interactive, setup-free, perfectly-binding
commitments.


Best known construction uses one-way permutations
(Naor’s OWF-based commitment uses setup)
We note that VRPs work for this purpose.




To commit to m, send (SK(m),PK).
To open commitment, send m and the proof for SK(m).
Hiding : easy
Perfect Binding : a permutation even if PK is chosen
maliciously


Note: VRFs do not suffice even for computational binding!
Nevertheless, using our VRF  VRP construction,
we get such commitments from VRFs

Incomparable assumption to OWPs.
Non-interactive Lottery


Micali-Rivest suggest using a VRF f.

Dealer publishes PK, and user selects X.

The user wins if fSK(X) satisfies some predetermined predicate.

Problem: Dealer can cheat by choosing PK
such that fSK(X) never satisfies the predicate!
Using a VRP instead solves this problem.

A permutation even for malicious keys.

Moreover, can determine number of winners
beforehand!
VUPs and more…

We also give a way to construct verifiable
unpredictable permutations from verifiable
unpredictable functions.




Using (log n) round Feistel network.
Again, O(log n) rounds is not enough
Note: this uses full power of our technique.
Hopefully, more applications of our
technique will emerge in future…
Summary

New understanding of Feistel network with
a weak security requirement on round
functions.

5-XOR-resistance, implied by both UFs & PRFs.

Number of rounds we predict is closer to
the one used in current block ciphers.

First efficient domain extension for MACs
(starting with length-preserving MACs).

Verifiable Random Permutations and
applications.
Unpredictable Permutation
UP Theorem: A k=(log n) round Feistel
construction with independent UFs in each round is
an unpredictable permutation.
Part I: UFs are 5-XOR resistant
Feistel construction
f
Random round number i
Independently generated UFs
Forthen
a forward query, hopefully Ri+1 is:
If so,
•A =
new
value.
f(R_i)
Ri-1round
 XOR
of existing
•XOR round
of previous
round
values.
values.
(choose
at random)
randomly guess query number where XOR adversary wins
Unpredictable Permutation
UP Theorem: A k=(log n) round Feistel
construction with independent UFs in each round is
an unpredictable permutation.
Part II : Use the combinatorial “Main Theorem” to argue no
collisions of (k/2)th round value.
Unpredictable Permutation
UP Theorem: A k=(log n) round Feistel
construction with independent UFs in each round is
an unpredictable permutation.
Part III : No (k/2)th round collision  UP
Feistel construction
f
Round number (k/2)
Independently generated UFs
Queries made by
UP adversary (use f oracle)
Prediction output
Now
f(Rk/2)=R

R
Prediction input
get
Rk/2
get
R
(k/2)-1
(k/2)+1(k/2)+1
No middle round value collision  Rk/2 is a new input to f.
Main Theorem
Main Theorem: If round functions of a k-round
Feistel network are 5-XOR resistant, then no
attacker can find a (k/2)th round value collision
within O(1.38k/2) queries.
Part I: Existence of Collision Queries
(b)
Rn/2-2
b
Rn/2-1
b
Rn/2
b
Rn/2 inb’query bb’ = Rn/2b’ in query a
Rn/2-2
Rn/2-1
a
(b’)
Rn/2
 fn/2-1(Rn/2-1 )=Rn/2b Rn/2-2a
Rn/2-1 in query b’ = Rn/2-1 in query a
a
 fn/2-2(Rn/2-2 )=Rn/2-1b’ Rn/2-3a
Rn/2-2a
Rn/2-1a
Rn/2a
(a)
Main Theorem
Main Theorem: If round functions of a k-round
Feistel network are 5-XOR resistant, then no
attacker can find a (k/2)th round value collision
within O(1.38k/2) queries.
Part II: Permitted orders of collision queries.
f(Ri+1b3)=Rib2 Ri+2b1
Rib1
Ri+1b1
Ri+2b1
Rib2
Ri+1b2
Ri+2b2
Rib3
Ri+1b3
Ri+2b3
(b1)
(b2)
(b3)
Main Theorem
Main Theorem: If round functions of a k-round
Feistel network are 5-XOR resistant, then no
attacker can find a (k/2)th round value collision
within O(1.38k/2) queries.
Part III: More and more and … more collision queries!
Rib1
Ri+1b1
Ri+2b1
Rib2
Ri+1b2
Ri+2b2
f(Ri-1b3)=Ri-2b3 f(Ri+1b2) Ri+2b1
Ri-1c1
Ri-1b3
(b2)
(c1)
b2
=Ri-2b3 Ri+2b2 Ri  Ri+2b1
Ri-2b3
(b1)
Rib3
Ri+1b3
Ri+2b3
(ci)
(b3)
Main Theorem
Main Theorem: If round functions of a k-round
Feistel network are 5-XOR resistant, then no
attacker can find a (k/2)th round value collision
within O(1.38k/2) queries.
Show that we are not “double counting”
queries.
 Formulate a recursion on the number of
queries to get a closed form expression.
