Understanding the Related-Key Security of Feistel Ciphers from a Provable Perspective

TL;DR

This paper provides a provable security analysis of Feistel ciphers under related-key attacks, establishing security bounds for different key-schedule types and unifying various cipher models.

Contribution

It introduces a provable security framework for Feistel ciphers with different key-schedules, analyzing their resistance to related-key attacks up to 2^{n/2} queries.

Findings

Proves security for 4 rounds with non-linear key-schedules.

Proves security for 6 rounds with affine key-schedules.

Unifies DES-like and Lucifer-like models under a common framework.

Abstract

We initiate the provable related-key security treatment for models of practical Feistel ciphers. In detail, we consider Feistel networks with four whitening keys $w_i(k)$ ($i=0,1,2,3$) and round-functions of the form $f(\gamma_i(k)\oplus X)$, where $k$ is the main-key, $w_i$ and $\gamma_i$ are efficient transformations, and $f$ is a public ideal function or permutation that the adversary is allowed to query. We investigate conditions on the key-schedules that are sufficient for security against XOR-induced related-key attacks up to $2^{n/2}$ adversarial queries. When the key-schedules are non-linear, we prove security for 4 rounds. When only affine key-schedules are used, we prove security for 6 rounds. These also imply secure tweakable Feistel ciphers in the Random Oracle model. By shuffling the key-schedules, our model unifies both the DES-like structure (known as Feistel-2 scheme in the cryptanalytic community, a.k.a. key-alternating Feistel due to Lampe and Seurin, FSE 2014) and the Lucifer-like model (previously analyzed by Guo and Lin, TCC 2015). This allows us to derive concrete implications on these two (more common) models, and helps understanding their differences---and further understanding the related-key security of Feistel ciphers.