Feistel Networks made Public, and Applications.

1
Feistel Networks made Public, and Applications.

• Yevgeniy Dodis
• Prashant Puniya

2
Feistel Network
One round Feistel Construction

• Construction of a permutation on 2n bits from a
  n?n bit function f.
• Easily invertible.
• Feistel Network Iterated Feistel Construction.

3
Block Cipher Design

• Several practical block ciphers based on Feistel
  network.
• DES, Blowfish, Triple DES
• Use 16-48 round Feistel network
• Theoretical basis?
• Luby-Rackoff showed that 4 rounds of Feistel with
  pseudorandom round functions is a PRP.
• Several improvements Naor-Reingold, Patarin,
  Ramzan-Reyzin
• All apply to 3-6 rounds of Feistel.
• Why the disconnect?

4
Reason 1

• Round functions are not pseudorandom functions.
• All above theoretical results assume some of the
  round functions to be PRFs.
• Round functions in actual block ciphers are
  heuristically designed and arent pseudorandom.
• Maybe expect less from round functions.
• Weaker assumptions on round functions, such as
  unpredictability?

5
Reason 2

• Cannot argue secrecy of round values.
• Necessary for any of the theoretical results to
  be applicable.
• May not necessarily hold for actual block ciphers
  with non-pseudorandom round functions.
• Example need not hold for unpredictable fns.
• More generally, there may be situations where
  this has to be the case (more details later).

6
Summary

• All theoretical results are inapplicable once we
  relax the above assumptions, i.e. when
• Round functions may not be PRFs.
• Cannot argue secrecy of round values.
• In fact, we give a simple attack on the Feistel
  network in the paper if either of these
  assumptions does not hold.

7
Our results (in brief)

• Negative Results
• If round values are public, O(log n) round
  Feistel network is insecure.
• With unpredictable round fns., O(log n) rounds
  need not be secure (even if round values arent
  explicitly revealed)
• An attack using exponential (in of rounds)
  queries.
• Positive results
• ?(log n) rounds preserve PR/Unpredictability even
  if round values are leaked.

8
Implications for Block Ciphers

• If round functions are pseudorandom
• O(log n) round Feistel is insecure if round
  values revealed.
• ?(log n) round Feistel is a PRP even if round
  values revealed!
• If round functions are only unpredictable
• O(log n) round Feistel need not be secure even if
  round values are not explicitly revealed.
• ?(log n) round Feistel is an unpredictable
  permutation (UP).
• Safe fallback security for block ciphers.
• Even for stronger security notions
• Forces a weaker/more clever attack for ?(log n)
  rounds.
• Possible that weaker than PRF round functions
  suffice!
• ?(log n) matches the number of rounds in block
  ciphers much better than previous results.
• E.g. DES on 64 bits uses 16 rounds.

9
Our results (in brief)

• Negative Results
• If round values are public, O(log n) round
  Feistel network is insecure.
• With unpredictable round fns., O(log n) rounds
  need not be secure (even if round values arent
  explicitly revealed)
• An attack using exponential (in of rounds)
  queries.
• Positive results
• ?(log n) rounds preserve PR/Unpredictability even
  if round values are leaked.
• Give a general abstraction for the Feistel
  network.
• Many other applications (stay tuned!)

10
A useful abstraction.

• We describe a simple combinatorial game involving
  the Feistel network which is applicable to all
  scenarios that we consider.
• Involves a k-round Feistel network and an
  attacker A.
• A makes forward/inverse queries to Feistel.
• Can see all intermediate round values.
• Goal Force a collision of the middle ((k/2)th)
  round values of two different queries.

11
Negative Result

• We describe an attacker that wins this
  combinatorial game.
• The attacker makes O(1.62k) queries to the
  k-round Feistel network.
• Works for arbitrary round functions
• Hence, works in polynomial time for the O(log
  n)-round Feistel network.

12
Matching Positive Result

• We find a sufficient combinatorial condition on
  the round functions such that no efficient
  attacker can win if k?(log n).
• 5-XOR game
• Same rules as the main combinatorial game.
• Goal Attacker wins if some new round function
  output XOR of upto 5 previous round values.
• 5-XOR resistant functions resist such attacks.

Main Theorem If round functions of a k-round
Feistel network are 5-XOR resistant, then no
attacker can find a (k/2)th round value
collision within O(1.38k/2) queries.
13
Matching Positive Result (contd.)

• This is a purely deterministic result.
• If attacker does not win the 5-XOR game, then it
  cannot find a (k/2)th round value collision with
  less than O(1.38k/2) queries.
• Using 5-XOR-resistance?
• Relatively weak property, easily proven to hold
  for UFs and PRFs
• Applied to PRFs ? ?(log n) round Feistel is PRP
  (even if the round values are public!).
• Applied to UFs ? ?(log n) round Feistel is UP
  (even if the round values are public!).
• Implication to Domain extension of MACs!

14
Domain Extension of MACs

• Problem Given a fixed-length input (FIL) MAC,
  construct an arbitrary-length input (AIL) MAC.
• Well studied if FIL-MAC is a PRF (in fact, often
  get AIL-PRF).
• Also well studied if FIL-MAC is shrinking
  (variants of Cascade construction work)
  AB99,MS05.
• Grey Area What if the FIL-MAC is neither PRF nor
  shrinking?
• Perhaps, most practically relevant case!
• (a) FIL-MAC is typically a block cipher.
• (b) overkill to assume it is a PRF!

15
Hash-then-MAC

• Use a hash function to map to a short message,
  then apply the FIL-MAC.
• If FIL-MAC is a PRF, then an almost-universal
  hash function works.
• With general FIL-MACs, need collision-resistant
  hash functions!

16
CBC-MAC

• Popular domain extension technique for MACs
• Secure if FIL-MAC is a PRF BKR94.
• Simple attack possible with general FIL-MACs
  AB99.

17
Cascade construction

• Also called Merkle-Damgard construction.
• Need a shrinking FIL-MAC.
• If FIL-MAC is a PRF, one can chop the output and
  apply Cascade.
• With general FIL-MACs, can chop at most
  logarithmic number of output bits
• Very Inefficient ( poor exact security)

18
Naor-Reingold construction

• A very nice technique of getting PRFs from UFs.
• Need to extract a hardcore bit for every output
  bit of PRF.
• Very inefficient

19
Feistel Network

• 3-rounds already secure if FIL-MAC is a PRF.
• With general FIL-MACs, AB99 gave an attack on
  3-round Feistel.
• more rounds do not appear to help AB
• Our result With general FIL-MACs, k-round
  Feistel network is a secure MAC if and only if
  k?(log n).
• Extend AB99 to show that upto logarithmic
  number of rounds do not help in general.
• Somewhat surprisingly, secure with more rounds!

20
More efficient AIL-MAC?

• Above method is still somewhat inefficient for
  large inputs.
• To get domain size (n?2i), need ?(log n)i round
  Feistel network.
• Moreover, digest size grows as big as the domain!
• Can this be improved?
• Yes!
• Optimize our technique to get 2n ? n bit MAC.
• Use existing techniques for shrinking MACs
  (variants of Cascade).

21
More efficient AIL-MAC

• How to get 2n?n bit MAC?
• Chop n bits from the Feistel network output?
• Cannot directly apply our technique.
• With a little work, show that ?(log n) rounds are
  still necessary and sufficient!
• Our suggestion to practitioners apply any secure
  variant of Cascade to the 2n?n MAC obtained by
• Halving the output of an w(log n)-round Feistel
  network applied to any secure n-bit block cipher
• Halving the output of a secure 2n-bit block
  cipher itself, if the block cipher is already
  Feistel-based!
• Note this requires at least 256-bit block cipher

22
Other Applications
23
Verifiable Random Functions

• Verifiable Random Functions (VRFs) are verifiable
  analogues of PRFs.
• Given secret key SK
• Can compute VRF f and provide proofs of
  correctness of f outputs.
• Still cannot give proofs for two different
  outputs for the same input (even for adversarial
  PK!).
• Given public key PK
• Can verify proofs of correctness of f outputs.
• All unproved outputs still look random.
• Several known constructions MRV,L,DY,D.

24
Verifiable Random Permutations

• We introduce VRPs, similarly natural verifiable
  analogues of PRPs.
• Can we build them from VRFs, just like PRPs from
  PRFs?
• First Attempt Use a 4-round Feistel network with
  VRFs in each round and apply the Luby-Rackoff
  result.
• Doesnt work need to explicitly give round
  values (and their proofs) to prove VRP outputs.

25
Constructing VRPs from VRFs

• Use our proof technique that works even if round
  values are public.
• Result An ?(log n) round Feistel network with
  VRFs as round functions is a verifiable random
  permutation.
• Cannot improve to O(log n) rounds, since our
  attack works in this case as well.

26
Applications of VRPs

• Non-interactive setup-free perfectly binding
  commitments.
• Non-interactive Lottery.
• Invariant Signatures of GO92 for NIZKs.
• Verifiable CBC Encryption/Decryption.
• Verifiable huge (pseudo)random objects.
• Proof-transferrable implementation of Ideal
  Cipher Model.

27
Non-interactive commitments

• Non-interactive, setup-free, perfectly-binding
  commitments.
• Best known construction uses one-way permutations
  (Naors OWF-based commitment uses setup)
• We note that VRPs work for this purpose.
• To commit to m, send (?SK(m),PK).
• To open commitment, send m and the proof for
  ?SK(m).
• Hiding easy
• Perfect Binding a permutation even if PK is
  chosen maliciously
• Note VRFs do not suffice even for computational
  binding!
• Nevertheless, using our VRF ? VRP construction,
  we get such commitments from VRFs
• Incomparable assumption to OWPs.

28
Non-interactive Lottery

• Micali-Rivest suggest using a VRF f.
• Dealer publishes PK, and user selects X.
• The user wins if fSK(X) satisfies some
  pre-determined predicate.
• Problem Dealer can cheat by choosing PK such
  that fSK(X) never satisfies the predicate!
• Using a VRP instead solves this problem.
• A permutation even for malicious keys.
• Moreover, can determine number of winners
  beforehand!

29
VUPs and more

• We also give a way to construct verifiable
  unpredictable permutations from verifiable
  unpredictable functions.
• Using ?(log n) round Feistel network.
• Again, O(log n) rounds is not enough
• Note this uses full power of our technique.
• Hopefully, more applications of our technique
  will emerge in future?

30
Summary

• New understanding of Feistel network with a weak
  security requirement on round functions.
• 5-XOR-resistance, implied by both UFs PRFs.
• Number of rounds we predict is closer to the one
  used in current block ciphers.
• First efficient domain extension for MACs
  (starting with length-preserving MACs).
• Verifiable Random Permutations and applications.

31
Unpredictable Permutation
UP Theorem A k?(log n) round Feistel
construction with independent UFs in each round
is an unpredictable permutation.
Part I UFs are 5-XOR resistant
f
32
Unpredictable Permutation
UP Theorem A k?(log n) round Feistel
construction with independent UFs in each round
is an unpredictable permutation.
Part II Use the combinatorial Main Theorem to
argue no collisions of (k/2)th
round value.
33
Unpredictable Permutation
UP Theorem A k?(log n) round Feistel
construction with independent UFs in each round
is an unpredictable permutation.
Part III No (k/2)th round collision ? UP
f
No middle round value collision ? Rk/2 is a new
input to f.
34
Main Theorem
Main Theorem If round functions of a k-round
Feistel network are 5-XOR resistant, then no
attacker can find a (k/2)th round value
collision within O(1.38k/2) queries.
Part I Existence of Collision Queries
Rn/2-2b
Rn/2-1b
Rn/2b
Rn/2 in query b Rn/2 in query a
Rn/2-2b
Rn/2-1b
Rn/2b
? fn/2-1(Rn/2-1a)Rn/2b? Rn/2-2a
Rn/2-1 in query b Rn/2-1 in query a
? fn/2-2(Rn/2-2a)Rn/2-1b? Rn/2-3a
Rn/2-2a
Rn/2-1a
Rn/2a
35
Main Theorem
Main Theorem If round functions of a k-round
Feistel network are 5-XOR resistant, then no
attacker can find a (k/2)th round value
collision within O(1.38k/2) queries.
Part II Permitted orders of collision queries.
f(Ri1b3)Rib2? Ri2b1
Rib1
Ri1b1
Ri2b1
Rib2
Ri1b2
Ri2b2
Rib3
Ri1b3
Ri2b3
36
Main Theorem
Main Theorem If round functions of a k-round
Feistel network are 5-XOR resistant, then no
attacker can find a (k/2)th round value
collision within O(1.38k/2) queries.
Part III More and more and more collision
queries!
Rib1
Ri1b1
Ri2b1
Rib2
Ri1b2
Ri2b2
f(Ri-1b3)Ri-2b3? f(Ri1b2)? Ri2b1
Ri-1c1
Ri-2b3? Ri2b2? Rib2? Ri2b1
Rib3
Ri1b3
Ri2b3
Ri-1b3
Ri-2b3
37
Main Theorem
Main Theorem If round functions of a k-round
Feistel network are 5-XOR resistant, then no
attacker can find a (k/2)th round value
collision within O(1.38k/2) queries.

• Show that we are not double counting queries.
• Formulate a recursion on the number of queries to
  get a closed form expression.

38
Questions?