8. Generic Attacks on Contracting Feistel Ciphers

This chapter deals with generic attacks on unbalanced Feistel ciphers with contracting functions. These ciphers are used to construct pseudo-random permutations from kn bits to kn bits by using r pseudo-random functions from (k − 1)n bits to n bits. The study concerns KPA and NCPA against these schemes with less than 2 ^kn plaintext/ciphertext pairs and complexity strictly less than O(2 ^rn ) for a number of rounds r ≤ 2k − 1. Consequently at least 2r rounds are necessary to avoid generic attacks. For k = 3, there exists attacks up to 6 rounds, so 7 rounds are required. When k ≥ 2k, it is possible to attack permutation generators instead of one permutation. Some results on contracting Feistel schemes or on small transformations of these schemes can be found in (Lucks, Faster Luby-Rackoff ciphers, Springer, Heidelberg, 1996, pp. 189–203; Naor and Reingold, J. Cryptology 12:29–66, 1999, Extended abstract in: Proc. 29th Ann. ACM Symp. on Theory of Computing, pp. 189–199, 1997). In Naor and Reingold (J. Cryptology 12:29–66, 1999, Extended abstract in: Proc. 29th Ann. ACM Symp. on Theory of Computing, pp. 189–199, 1997), Naor and Reingold studied the security of contracting Feistel schemes that begin and end with pairwise independent permutations. They provide lower bounds for the security of such schemes. Lucks (Faster Luby-Rackoff ciphers, Springer, Heidelberg, 1996, pp. 189–203) gives some security results on contracting Feistel schemes built with hash functions. Birthday bound security results are given in Yun et al. (Des. Codes Crypt. 58:45–72, 2011), first results above the birthday bound are proved in Patarin (Security of balanced and unbalanced Feistel schemes with linear non equalities, in Cryptology ePrint Archive: Report 2010/293). Security results based on the coupling method are given in Hoang and Rogaway (On generalized Feistel networks, Springer, Heidelberg, 2010, pp. 613–630). Generic attacks on contracting Feistel ciphers are studied in Patarin et al. (Generic attacks on unbalanced Feistel schemes with contracting functions, Springer, Heidelberg, 2006, pp. 396–411). A large number of attacks use the variance method described in Chap. 5.