Crooked indifferentiability of the Feistel Construction
Alexander Russell, Qiang Tang, Jiadong Zhu

TL;DR
This paper demonstrates that a sufficiently large number of Feistel rounds can produce a permutation indistinguishable from a random permutation, even when the round functions are subverted, highlighting the construction's robustness against certain attacks.
Contribution
It establishes a new security property called crooked-indifferentiability for Feistel constructions with a high number of rounds, even under adversarial subversion of round functions.
Findings
Feistel with >2000n/log(1/ε) rounds achieves crooked-indifferentiability.
Construction resists algorithm substitution attacks on round functions.
Lower bound of 2n/log(1/ε) rounds necessary for security.
Abstract
The Feistel construction is a fundamental technique for building pseudorandom permutations and block ciphers. This paper shows that a simple adaptation of the construction is resistant, even to algorithm substitution attacks -- that is, adversarial subversion -- of the component round functions. Specifically, we establish that a Feistel-based construction with more than 2000n/log(1/ε) rounds can transform a subverted random function -- which disagrees with the original one at a small fraction (denoted by ε) of inputs -- into an object that is crooked-indifferentiable from a random permutation, even if the adversary is aware of all the randomness used in the transformation. We also provide a lower bound showing that the construction cannot use fewer than 2n/log(1/ε) rounds to achieve crooked-indifferentiable security.
Taxonomy
Topics: Cryptographic Implementations and Security · Physical Unclonable Functions (PUFs) and Hardware Security · Coding theory and cryptography
