Abstract

We initiate the provable related-key security treatment for models of practical Feistel ciphers. In detail, we consider Feistel networks with four whitening keys $w_{i}(k)$, $i=0,1,2,3$, and round functions of the form $f(\gamma _{j}(k)\oplus X)$, where $k$ is the master key, $w_{i}$ and $\gamma _{j}$ are efficient transformations, and $f$ is a public ideal function or permutation accessible by the adversary. We investigate the key-schedule conditions that are sufficient for security against XOR-induced related-key attacks up to $2^{n/2}$ adversarial queries. When the key schedules are non-linear, we prove security for four rounds. When only affine key schedules are used, we prove security for six rounds. These also imply secure tweakable Feistel ciphers in the Random Oracle model. By shuffling the key schedules, our model unifies both the DES-like structure (known as the Feistel-2 scheme in the cryptanalytic community, also known as key-alternating Feistel due to Lampe and Seurin) and the Lucifer-like model (previously analyzed by Guo and Lin). This allows us to derive concrete implications for these two (more common) models and helps in understanding the difference in their related-key security.
