International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Luby-Rackoff Ciphers from Weak Round Functions?

Authors:
Ueli Maurer
Johan Sjödin
Yvonne Anne Oswald
Krzysztof Pietrzak
Download:
URL: http://eprint.iacr.org/2006/213
Search ePrint
Search Google
Abstract: The Feistel-network is a popular structure underlying many block-ciphers where the cipher is constructed from many simpler rounds, each defined by some function which is derived from the secret key. Luby and Rackoff showed that the three-round Feistel-network -- each round instantiated with a pseudorandom function secure against adaptive chosen plaintext attacks (CPA) -- is a CPA secure pseudorandom permutation, thus giving some confidence in the soundness of using a Feistel-network to design block-ciphers. But the round functions used in actual block-ciphers are -- for efficiency reasons -- far from being pseudorandom. We investigate the security of the Feistel-network against CPA distinguishers when the only security guarantee we have for the round functions is that they are secure against non-adaptive chosen plaintext attacks (NCPA). We show that in the information-theoretic setting, four rounds with NCPA secure round functions are sufficient (and necessary) to get a CPA secure permutation. Unfortunately, this result does not translate into the more interesting pseudorandom setting. In fact, under the so-called Inverse Decisional Diffie-Hellman assumption the Feistel-network with four rounds, each instantiated with a NCPA secure pseudorandom function, is in general not a CPA secure pseudorandom permutation. We also consider other relaxations of the Luby-Rackoff construction and prove their (in)security against different classes of attacks.
BibTeX
@misc{eprint-2006-21706,
  title={Luby-Rackoff Ciphers from Weak Round Functions?},
  booktitle={IACR Eprint archive},
  keywords={secret-key cryptography / block-ciphers, Feistel-network},
  url={http://eprint.iacr.org/2006/213},
  note={This is the full version of the paper presented at Eurocrypt 2006. jsjoedin@inf.ethz.ch 13325 received 26 Jun 2006},
  author={Ueli Maurer and Johan Sjödin and Yvonne Anne Oswald and Krzysztof Pietrzak},
  year=2006
}