Abstract

The Feistel construction is one of the most studied ways of building block ciphers. Several generalizations have since been proposed in the literature, leading to the Generalized Feistel Network, where the round function first applies a classical Feistel operation in parallel on an even number of blocks, and then a permutation is applied to this set of blocks. In 2010 at FSE, Suzaki and Minematsu studied the diffusion of such a construction, raising the question of how many rounds are required so that each block of the ciphertext depends on all blocks of the plaintext. They thus gave some optimal permutations, with respect to this diffusion criterion, for a Generalized Feistel Network consisting of 2 to 16 blocks, as well as giving a good candidate for 32 blocks. Later at FSE’19, Cauchois et al. went further and were able to propose optimal even-odd permutations for up to 26 blocks. In this paper, we complete the literature by building optimal even-odd permutations for 28, 30, 32, 36 blocks which to the best of our knowledge were unknown until now. The main idea behind our constructions and impossibility proof is a new characterization of the total diffusion of a permutation after a given number of rounds. In fact, we propose an efficient algorithm based on this new characterization which constructs all optimal even-odd permutations for the 28, 30, 32, 36 blocks cases and proves a better lower bound for the 34, 38, 40 and 42 blocks cases. In particular, we improve the 32 blocks case by exhibiting optimal even-odd permutations with diffusion round of 9. The existence of such a permutation was an open problem for almost 10 years and the best known permutation in the literature had a diffusion round of 10. Moreover, our characterization can be implemented very efficiently and allows us to easily re-find all optimal even-odd permutations for up to 26 blocks with a basic exhaustive search.

Highlights

  • The Feistel network is one of the main generic designs for building modern block ciphers

  • There are theoretical arguments suggesting that it is a good method to construct block ciphers, as Luby and Rackoff proved in 1988 [LR88] that if each Fi is a pseudorandom function and all three are independent, 3 rounds of the Feistel construction are enough to get a block cipher which is indistinguishable from a random permutation under the Chosen Plaintext Attack (CPA) model, and 4 rounds with 4 independent functions are enough in the Chosen Ciphertext Attack (CCA) model

  • This was later improved by Pieprzyk in 1990 [Pie90]: if one takes f as a pseudorandom function, 4 rounds of Feistel with Fi = f for i = 1, 2, 3 and F4 = f² are sufficient to obtain a block cipher that is indistinguishable from a random permutation in the CPA model


Summary

Introduction

The Feistel network is one of the main generic designs for building modern block ciphers. This is essentially a parallel application of k Feistels followed by a cyclic shift of the blocks. They showed that when all Fi,j are pseudorandom functions, 2k + 1 rounds of such a construction provide a block cipher that is indistinguishable from a random permutation. At ASIACRYPT’96, Nyberg [Nyb96] studied a variant of the Type-2 Feistel construction using a different permutation than the cyclic shift, called Generalized Feistel Network. Such a construction was used to design block ciphers such as TWINE [SMMK12] and Piccolo [SIH+11]. Focusing on blocks instead of bits allows them to get rid of the precise specification of the functions Fi,j as well as the exact size of the blocks, giving structural results. They tied the diffusion round of a given GFN to its resistance against Impossible Differential distinguishers [BBS99], proving that if a GFN has a diffusion round of DR, it needs strictly more than 2DR + 1 rounds to avoid any Impossible Differential distinguisher. For the 32 blocks case, and the impossible differentials, all our permutations have a one-round shorter longest impossible differential distinguisher compared to what was proposed by [CGT19], which brings it down to 17 rounds.
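The diffusion round discussed above can be measured by propagating block dependencies through the rounds. The following is an added example, not code from the paper: it uses a naive exhaustive search rather than the paper's characterization, and it assumes the convention that each round XORs F of every even-indexed block into the following odd-indexed block and then moves the block at position i to position pi[i], counting the encryption direction only. All function names are illustrative.

```python
from itertools import permutations

def diffusion_round(pi, max_rounds=64):
    """Rounds until every block depends on every plaintext block (None if never)."""
    k = len(pi)
    full = (1 << k) - 1
    dep = [1 << i for i in range(k)]      # dep[i]: bitmask of plaintext blocks feeding position i
    for r in range(1, max_rounds + 1):
        for i in range(0, k, 2):
            dep[i + 1] |= dep[i]          # Feistel step: X[i+1] ^= F(X[i]) for even i
        nxt = [0] * k
        for i in range(k):
            nxt[pi[i]] = dep[i]           # block at position i moves to position pi[i]
        dep = nxt
        if all(d == full for d in dep):
            return r
    return None

def cyclic_shift(k):
    """Type-2 Feistel block rotation: position i moves to i-1 (mod k)."""
    return [(i - 1) % k for i in range(k)]

def even_odd_permutations(k):
    """All permutations sending even positions to odd ones and odd to even."""
    evens, odds = list(range(0, k, 2)), list(range(1, k, 2))
    for even_img in permutations(odds):
        for odd_img in permutations(evens):
            pi = [0] * k
            pi[0::2] = even_img           # images of positions 0, 2, 4, ...
            pi[1::2] = odd_img            # images of positions 1, 3, 5, ...
            yield pi

def best_even_odd(k):
    """Exhaustive search: (minimum diffusion round, permutations reaching it)."""
    best, winners = None, []
    for pi in even_odd_permutations(k):
        dr = diffusion_round(pi)
        if dr is None:
            continue                      # e.g. pairs never mix: no full diffusion
        if best is None or dr < best:
            best, winners = dr, [pi]
        elif dr == best:
            winners.append(pi)
    return best, winners

if __name__ == "__main__":
    for k in (4, 6, 8):
        dr, winners = best_even_odd(k)
        print(k, "cyclic shift:", diffusion_round(cyclic_shift(k)), "best even-odd:", dr, len(winners))
```

This brute force enumerates ((k/2)!)² permutations, so it is only practical for small block counts.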

Preliminaries
Diffusion Round
Even-odd Permutations
Equivalence Classes of Even-odd Permutations
Characterization of Full Diffusion
Efficient Search Algorithm
Checking the Constraints
Results
Security Analysis
Conclusion
A Results for Optimal Permutations
B Efficient Implementation to Test 9 Round Full Diffusion