
[IEEE 2011 IEEE 6th International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS) - Prague, Czech Republic (2011.09.15-2011.09.17)]


The 6th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications 15-17 September 2011, Prague, Czech Republic

978-1-4577-1425-2/11/$26.00 ©2011 IEEE 743

Improvement for Distinguisher Efficiency of the 3-Round Feistel Network and a Random Permutation

Roman Oliynykov 1,2, Ivan Gorbenko 1,2, Victor Dolgov 1, Dmytro Kaidalov 1

1 Kharkov National University of Radioelectronics, Lenin’s av., 14, Kharkov 61166, Ukraine
2 JSC “Institute of Information Technologies”, Bakulina str., 12, Kharkov 61166, Ukraine


Abstract— An exact value of round functions collision probability for 3-round Feistel network is derived. The upper bound of algorithm execution complexity for distinguishing Feistel network from a random permutation is given.

Keywords—cryptography; symmetric block cipher; Feistel network; random permutation

I. INTRODUCTION

Symmetric block ciphers are among the most widely used cryptographic primitives. In addition to providing privacy via encryption, block ciphers are used as basic components in the construction of hash functions, message authentication codes, pseudorandom number generators, as part of various cryptographic protocols, etc.

Modern symmetric block ciphers have an iterative structure: a rather weak cryptographic transformation (the round function) is repeated many times to obtain a secure cipher. The high-level structure can be a Feistel network, an SPN structure or a Lai-Massey scheme. One of the most popular designs is the Feistel network, which is used by many symmetric algorithms, including Camellia, DES, GOST 28147-89, etc.

Round function properties are well researched from the point of view of differential, linear, algebraic, and other types of analysis, while relatively few publications are devoted to the quantitative assessment of high-level structures. One possible measure for evaluating the effectiveness and strength of a high-level structure is the computational complexity of distinguishing a symmetric block cipher from a random permutation.

An endomorphic block cipher generates a set of permutations, which is a subset of all permutations of the given degree (the symmetric group). A specific permutation of the subset is given by the choice of the encryption key. Provided that the round function of the algorithm is random (parameterized by the encryption key), the selection of the subset is determined by the high-level structure of the cipher only. Accordingly, it is possible to construct a distinguisher algorithm, which receives a part of a permutation as input (a given number of input-output pairs) and outputs the probability that the input pairs were generated by some symmetric block cipher. Note that definite (non-probabilistic) distinguishing is impossible, as a permutation formed by some cipher can also be randomly chosen from the complete set of permutations. The effectiveness of the distinguisher algorithm is defined by the absolute difference of the probabilities obtained by processing a permutation generated by the block cipher and a random permutation. The upper bound of the efficiency of the distinguisher algorithm defines a quantitative measure of the high-level design of a symmetric block cipher.

Known bounds on the complexity of distinguishing the 3-round Feistel network from a random permutation [1,2] use a number of assumptions, including the incompatibility (mutual exclusivity) of different events of collision absence at the output of the round function. Such an approach can be used to obtain upper bounds, but the upper limit of the probability values rather quickly reaches 1, which leads to significant inaccuracy. The approach proposed in this report allows accurate evaluation, or approximation with much smaller inaccuracy.

II. EXISTING RESULTS

The 3-round Feistel network (see Fig. 1) is a mapping $\Psi(f_1, f_2, f_3): \{0,1\}^{2n} \to \{0,1\}^{2n}$, consisting of three consecutive rounds $\Psi(f_1, f_2, f_3) = \psi_3 \circ \psi_2 \circ \psi_1$, where each round can be presented as $\psi_i: \{0,1\}^{2n} \to \{0,1\}^{2n}$, $\psi_i(L_i, R_i) = (R_i, L_i \oplus f_i(R_i))$, with $L_i, R_i$ vectors of $n$ bits length, and $f_i: \{0,1\}^n \to \{0,1\}^n$ a random function. The known result [2] determines the upper bound of the efficiency of the distinguisher algorithm $C_{2n}$ as

$$P[C_{2n}(f) = 1 : f \in_R \Psi(f_1, f_2, f_3)] - P[C_{2n}(f) = 1 : f \in_R F_{2n}] \le \frac{k^2}{2^n} \quad (1)$$

where $k$ is the number of requests sent to the input of the distinguisher algorithm, and $F_{2n}$ is the set of all random functions of the form $\{0,1\}^{2n} \to \{0,1\}^{2n}$.

Figure 1. 3-round Feistel network

This formula does not take into account that the probability of a collision increases with each unique request. In addition, probabilities were summed during its derivation, which means that all events of collision absence were treated as incompatible (mutually exclusive). In the general case this assumption is incorrect.

In general, the advantage of the Feistel network over a random permutation is defined as

$$\mathrm{Advantage}(\Psi, F^*) = |P_\Psi - P_{F^*}|,$$

where $P_\Psi$ is the probability that the distinguishing algorithm selects (decides that the input values were formed by) the Feistel network, and $P_{F^*}$ is the probability that the distinguishing algorithm selects a random permutation.

The probability $P_\Psi$ was only estimated in (1), and the probability $P_{F^*}$ was assumed to be equal to zero. Evidently, this value is not considered because it can vary depending on the distinguishing algorithm and is difficult to assess without a specific algorithm.

Therefore the maximum advantage can be expressed more precisely.

III. IMPROVED FORMULAS

After taking into account that collisions on round functions are not mutually exclusive events, and that the pool size is reduced with each request, it is possible to derive the exact value of the collision probability (one or more collisions) for the 3-round Feistel network:

$$P[C_{2n}(f) = 1 : f \in_R \Psi(f_1, f_2, f_3)] = 1 - \left(1 - \frac{1}{2^n}\right)^{2(k-1)} \left(1 - \frac{1}{2^n - 1}\right)^{2(k-2)} \cdots \left(1 - \frac{1}{2^n - (k-2)}\right)^{2(k-(k-1))} = 1 - \prod_{i=0}^{k-2} \left(1 - \frac{1}{2^n - i}\right)^{2(k-(i+1))}. \quad (2)$$

This formula is derived without assuming that the events of collision absence for different values given to the input of the encryption algorithm are mutually exclusive, and it takes into account the uniqueness of each request at the input of the distinguisher algorithm.

If the number of queries that a cryptanalyst can send to the input of the symmetric block cipher is significantly less than the cardinality of the plaintext/ciphertext set ($k \ll 2^{2n}$), it is possible to derive a sufficiently accurate approximation of (2):

$$P[C_{2n}(f) = 1 : f \in_R \Psi(f_1, f_2, f_3)] \approx 1 - \left(1 - \frac{1}{2^n}\right)^{2 C_k^2} = 1 - \left(1 - \frac{1}{2^n}\right)^{2 \cdot \frac{k(k-1)}{2}} = 1 - \left(1 - \frac{1}{2^n}\right)^{k(k-1)}, \quad (3)$$

where $C_k^2 = \frac{k(k-1)}{2}$ is the number of available combinations of round function output values that can lead to collisions.

The dependence of the distinguisher algorithm advantage on the number of requests at the input, obtained by formulas (1), (2) and (3) for blocks of length 16 ($n = 8$) and 32 ($n = 16$) bits, is shown in Fig. 2 and 3. The upper bound of the probability obtained by relationship (1) reaches 1 at a small number of queries, while relationships (2) and (3) almost completely coincide.
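The comparison of (1), (2) and (3) can be reproduced numerically. The following is an added example, not code from the paper: the function names are chosen here, and bound (1) is clipped at 1 so that it can be read as a probability.

```python
import math

def bound_eq1(n: int, k: int) -> float:
    """Bound (1): k^2 / 2^n, clipped to 1 because it is a probability."""
    return min(1.0, k * k / 2 ** n)

def exact_eq2(n: int, k: int) -> float:
    """Exact value (2): 1 - prod_{i=0}^{k-2} (1 - 1/(2^n - i))^(2(k-(i+1)))."""
    if not 2 <= k <= 2 ** n:
        raise ValueError("need 2 <= k <= 2^n so every factor stays positive")
    # Sum logarithms instead of multiplying to avoid underflow for large k.
    log_no_collision = sum(
        2 * (k - (i + 1)) * math.log1p(-1.0 / (2 ** n - i)) for i in range(k - 1)
    )
    return -math.expm1(log_no_collision)

def approx_eq3(n: int, k: int) -> float:
    """Approximation (3): 1 - (1 - 1/2^n)^(k(k-1))."""
    return -math.expm1(k * (k - 1) * math.log1p(-1.0 / 2 ** n))

def saturation_point(n: int) -> int:
    """Smallest number of queries at which bound (1) already equals 1."""
    k = 1
    while bound_eq1(n, k) < 1.0:
        k += 1
    return k

def max_gap(n: int, k_max: int) -> float:
    """Largest |(2) - (3)| over 2 <= k <= k_max."""
    return max(abs(exact_eq2(n, k) - approx_eq3(n, k)) for k in range(2, k_max + 1))

if __name__ == "__main__":
    for n in (8, 16):  # 16-bit and 32-bit blocks, as in Fig. 2 and Fig. 3
        k_sat = saturation_point(n)
        print(f"n={n}: bound (1) reaches 1 at k={k_sat}; "
              f"exact (2)={exact_eq2(n, k_sat):.4f}, "
              f"approx (3)={approx_eq3(n, k_sat):.4f}, "
              f"max |(2)-(3)| for k<={4 * k_sat}: {max_gap(n, 4 * k_sat):.5f}")
```
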

A specific distinguishing algorithm for $k$ pairs of inputs $(x_i, x_j)$ verifies the following equations: $V_i \oplus V_j = L_i \oplus L_j$ and $T_i = T_j$ (see Fig. 1). If at least one of these equations holds, the return value for the 3-round Feistel network is 1; otherwise the return value is 0.

The probability that $V_i \oplus V_j = L_i \oplus L_j$ and $T_i = T_j$ holds for at least one pair of $k \ge 2$ inputs $x_1, \ldots, x_k$ of the 3-round Feistel network is

$$P_1 = 1 - \prod_{i=0}^{k-2} \left(1 - \frac{1}{2^n - i}\right)^{k-(i+1)} \approx 1 - \left(1 - \frac{1}{2^n}\right)^{\frac{k(k-1)}{2}}. \quad (4)$$

Figure 2. Advantages of distinguisher for different number of requests with block size of 16 bits

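The probability that $V_i \oplus V_j = L_i \oplus L_j$ and $T_i = T_j$ holds for at least one pair of $k \ge 2$ inputs $x_1, \ldots, x_k$ of a random permutation is

$$P_1^* = 1 - \prod_{i=0}^{k-2} \left(1 - \frac{1}{2^{2n} - 1 - i}\right)^{k-(i+1)} \approx 1 - \left(1 - \frac{1}{2^{2n} - 1}\right)^{\frac{k(k-1)}{2}}. \quad (5)$$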

Figure 3. Advantages of distinguisher for different number of requests with block size of 32 bits

Having both probabilities (4) and (5), it is possible to determine the advantage of the distinguishing algorithm:

$$\mathrm{Adv}(\Psi, F^*) = |P_1 - P_1^*| \approx \left(1 - \frac{1}{2^{2n} - 1}\right)^{\frac{k(k-1)}{2}} - \left(1 - \frac{1}{2^n}\right)^{\frac{k(k-1)}{2}}.$$

The dependence of the given algorithm's advantage on the number of queries for a block size of 16 bits is shown in Fig. 4.

Figure 4. Dependence of the given algorithm advantage on number of queries with block size of 16 bits


As can be seen, the optimal number of queries for the maximal advantage of the distinguishing algorithm is close to $2^{n/2}$.

IV. CONCLUSIONS

The derived estimate of the distinguisher algorithm's effectiveness is accurate and does not reach 1 at a small number of queries. Further, this result can be used to compare the effectiveness of the Feistel network with other high-level structures of symmetric block ciphers.

REFERENCES

[1] M. Luby, C. Rackoff, “How to Construct Pseudorandom Permutations from Pseudorandom Functions,” SIAM J. Computing, Vol. 17, No. 2, 1988.

[2] U.M. Maurer, “A Simplified and Generalized Treatment of Luby-Rackoff Pseudorandom Permutation Generators,” Advances in Cryptology, EuroCrypt '92, Springer, 1992.