Abstract
Feistel constructions using contracting round functions were introduced in the 1990s and generalized by Yun et al. (Des Codes Cryptogr 58(1):45–72, 2011) to a quasigroup-based definition. To our knowledge, the minimal number of rounds sufficient for CCA security remains elusive. We bridge this gap: for the general quasigroup-based contracting Feistel construction using round functions \(F_i: \mathcal {X}^{b-1} \rightarrow \mathcal {X}\), \(b \ge 3\), we prove CCA security at \(b+1\) rounds. This matches the attacked rounds of Patarin et al. (in: Lai, Chen (ed) ASIACRYPT, Springer, Heidelberg, 2006). Interestingly, this means 4 rounds are already sufficient for CCA security of the case \(b=3\), which is the same as the balanced Feistel.
Data availability
No datasets were generated or analysed during the current study.
Notes
Besides using trees, much more complicated manipulations are employed in [3] to prove beyond-birthday-bound security with tight round complexity.
References
1. Anderson R.J., Biham E.: Two practical and provably secure block ciphers: BEARS and LION. In: Gollmann D. (ed.) FSE’96, vol. 1039, pp. 113–120. LNCS. Springer, Heidelberg (1996).
2. Berger T.P., Francq J., Minier M., Thomas G.: Extended generalized Feistel networks using matrix representation to propose a new lightweight block cipher: Lilliput. IEEE Trans. Comput. 65(7), 2074–2089 (2016).
3. Bhattacharjee A., Bhaumik R., Dutta A., Nandi M., Raychaudhuri A.: BBB security for 5-round Even-Mansour-based key-alternating Feistel ciphers. Des. Codes Cryptogr. 92(1), 13–49 (2024). https://doi.org/10.1007/s10623-023-01288-4.
4. Chen S., Steinberger J.P.: Tight security bounds for key-alternating ciphers. In: Nguyen P.Q., Oswald E. (eds.) EUROCRYPT 2014, vol. 8441, pp. 327–350. LNCS. Springer, Heidelberg (2014).
5. Cogliati B., Dodis Y., Katz J., Lee J., Steinberger J.P., Thiruvengadam A., Zhang Z.: Provable security of (tweakable) block ciphers based on substitution-permutation networks. In: Shacham H., Boldyreva A. (eds.) CRYPTO 2018, Part I, vol. 10991, pp. 722–753. LNCS. Springer, Heidelberg (2018).
6. Coron J.S., Dodis Y., Mandal A., Seurin Y.: A domain extender for the ideal cipher. In: Micciancio D. (ed.) TCC 2010, vol. 5978, pp. 273–289. LNCS. Springer, Heidelberg (2010).
7. Dobraunig C., Grassi L., Guinet A., Kuijsters D.: Ciminion: symmetric encryption based on Toffoli-gates over large finite fields. pp. 3–34. LNCS. Springer, Heidelberg (2021).
8. Guo C., Standaert F.X., Wang W., Wang X., Yu Y.: Provable security of SP networks with partial non-linear layers. IACR Trans. Symm. Cryptol. 2021(2), 353–388 (2021).
9. Hoang V.T., Rogaway P.: On generalized Feistel networks. In: Rabin T. (ed.) CRYPTO 2010, vol. 6223, pp. 613–630. LNCS. Springer, Heidelberg (2010).
10. Lai X., Massey J.L.: A proposal for a new block encryption standard. In: Damgård I. (ed.) EUROCRYPT’90, vol. 473, pp. 389–404. LNCS. Springer, Heidelberg (1991).
11. Liu J., Sun B., Liu G., Dong X., Liu L., Zhang H., Li C.: New wine old bottles: Feistel structure revised. IEEE Trans. Inf. Theory 69, 2000–2008 (2023).
12. Luby M., Rackoff C.: How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Comput. 17(2), 373–386 (1988).
13. Lucks S.: Faster Luby-Rackoff ciphers. In: Gollmann D. (ed.) FSE’96, vol. 1039, pp. 189–203. LNCS. Springer, Heidelberg (1996).
14. Minematsu K.: Beyond-birthday-bound security based on tweakable block cipher. In: Dunkelman O. (ed.) FSE 2009, vol. 5665, pp. 308–326. LNCS. Springer, Heidelberg (2009).
15. Nachef V., Patarin J., Volte E.: Feistel Ciphers—Security Proofs and Cryptanalysis. Springer, New York (2017).
16. Patarin J.: The coefficients H technique (invited talk). In: Avanzi R.M., Keliher L., Sica F. (eds.) SAC 2008, vol. 5381, pp. 328–345. LNCS. Springer, Heidelberg (2009).
17. Patarin J., Nachef V., Berbain C.: Generic attacks on unbalanced Feistel schemes with contracting functions. In: Lai X., Chen K. (eds.) ASIACRYPT 2006, vol. 4284, pp. 396–411. LNCS. Springer, Heidelberg (2006).
18. Schneier B., Kelsey J.: Unbalanced Feistel networks and block cipher design. In: Gollmann D. (ed.) FSE’96, vol. 1039, pp. 121–144. LNCS. Springer, Heidelberg (1996).
19. Shen Y., Guo C., Wang L.: Improved security bounds for generalized Feistel networks. IACR Trans. Symm. Cryptol. 2020(1), 425–457 (2020).
20. Smith J.D.: An Introduction to Quasigroups and Their Representations. CRC Press, Boca Raton (2006).
21. Vaudenay S.: On the Lai-Massey scheme. In: Lam K.Y., Okamoto E., Xing C. (eds.) ASIACRYPT’99, vol. 1716, pp. 8–19. LNCS. Springer, Heidelberg (1999).
22. Yu W., Zhao Y., Guo C.: Provable related-key security of contracting Feistel networks. In: Wu Y., Yung M. (eds.) Inscrypt 2020, Guangzhou, China, December 11–14, 2020, Revised Selected Papers, vol. 12612, pp. 466–490. LNCS. Springer, New York (2020). https://doi.org/10.1007/978-3-030-71852-7_31.
23. Yun A., Park J.H., Lee J.: On Lai-Massey and quasi-Feistel ciphers. Des. Codes Cryptogr. 58(1), 45–72 (2011). https://doi.org/10.1007/s10623-010-9386-8.
24. Zhang L., Wu W.: Pseudorandomness and super pseudorandomness on the unbalanced Feistel networks with contracting functions. Chin. J. Comput. 32(7), 1320–1330 (2009).
25. Zheng Y., Matsumoto T., Imai H.: On the construction of block ciphers provably secure and not relying on any unproved hypotheses. In: Brassard G. (ed.) CRYPTO’89, vol. 435, pp. 461–480. LNCS. Springer, Heidelberg (1990).
Acknowledgements
We thank the anonymous reviewers of Designs, Codes and Cryptography for their valuable comments.
Funding
Chun Guo was supported by the National Key Research and Development Program of China (Grant 2023YFA1011200) and the National Natural Science Foundation of China (Grant 62372274). Ling Song was supported by the National Natural Science Foundation of China (Grant Nos. 62022036, 62372213, 62132008).
Author information
Contributions
C.G. contributed the security proof and L.S. contributed the CPA attack. Both authors reviewed the manuscript.
Ethics declarations
Conflict of interest
The authors have no conflicts of interest to declare that are relevant to the content of this article.
Additional information
Communicated by X. Wang.
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Appendices
Examples of quasi-Feistel
Feistel. The r-round Feistel permutation \(\text {Feistel}_r[{\textbf {F}} ](x)=\text {Feistel}_r[{\textbf {F}} ](x_0, x_1)\) from round functions \({\textbf {F}} = (F_1, \ldots , F_r) \in \big ( \mathcal {F} (\{0,1\} ^n,\{0,1\} ^n)\big )^r\) is defined as follows:
1. \(x_{i+1} \leftarrow x_{i-1} \oplus F_i\left( x_i\right) \), for \(i=1, \ldots , r\).
2. Return \(y=\left( x_r, x_{r+1}\right) \).
This corresponds to an instance of the quasi-Feistel with \(\mathcal {X} = \{0,1\}^n\), \(P_{in}\) and \(P_{fi}\) identity permutations and \({{\Gamma }\llbracket x{\star } y \mid z \rrbracket } = x \oplus y\).
Contracting Feistel.
The r-round contracting Feistel permutation \(\text {ConFeistel}_r[{\textbf {F}} ](x)=\text {ConFeistel}_r[{\textbf {F}} ](x_0,\ldots , x_{b-1})\) on b blocks, from functions \({\textbf {F}} = (F_1, \ldots , F_r) \in \big ( \mathcal {F} (\{0,1\}^{(b-1)n},\{0,1\} ^n)\big )^r\), is defined as follows:
1. \(x_{i+b-1} \leftarrow x_{i-1} \oplus F_i(x_i,\ldots ,x_{i+b-2})\), for \(i=1, \ldots , r\).
2. Return \(y=\left( x_r, x_{r+1}, \ldots , x_{r+b-1}\right) \).
This corresponds to an instance of the quasi-Feistel with \(\mathcal {X} = \{0,1\}^n\), \(\mathcal {Y} = \{0,1\}^{(b-1)n}\), \(P_{in}\) and \(P_{fi}\) identity permutations and \({{\Gamma }\llbracket x{\star } y \mid z \rrbracket } = x \oplus y\).
Lai-Massey. Let G be a finite abelian group. An orthomorphism \(\sigma : G \rightarrow G\) is a permutation such that \(x \mapsto \sigma (x)-x\) is also a permutation. Given such a \(\sigma \), we denote \(\sigma (x)-x\) by \(\varphi (x)\). We assume that all of \(\sigma , \sigma ^{-1}, \varphi , \varphi ^{-1}\) are very efficient to compute on G. The following is the definition of an r-round Lai-Massey permutation \(\text {LM}_r^{\sigma }[{\textbf {F}} ](x)=\text {LM}_r^{\sigma }[{\textbf {F}} ](x_0, x_1)\) with orthomorphism \(\sigma \), corresponding to round functions \({\textbf {F}} = (F_1, \ldots , F_r) \in \big ( \mathcal {F} (G,G)\big )^r\).
1. \(\alpha _1 \leftarrow x_L, \beta _1 \leftarrow x_R\).
2. \(\alpha _{i+1} \leftarrow \sigma \left( \alpha _i+F_i\left( \alpha _i-\beta _i\right) \right) , \beta _{i+1} \leftarrow \beta _i+F_i\left( \alpha _i-\beta _i\right) \), for \(i=1, \ldots , r\).
3. \(y_L \leftarrow \alpha _{r+1}, y_R \leftarrow \beta _{r+1}\).
4. Return \(y=\left( y_L, y_R\right) \).
Define \(H: G^2 \rightarrow G^2\) by \( H(x, y)=\left( \sigma ^{-1}(x)-y, x-y\right) . \) As shown by Yun et al. [23, Lemma 2], H is invertible, where \( H^{-1}(s, t)=\left( t-s+\varphi ^{-1}(t-s),-s+\varphi ^{-1}(t-s)\right) . \)
Then, as shown by Yun et al. [23, Theorem 1], the Lai-Massey construction is an instance of the quasi-Feistel construction with \(\mathcal {X} = G\), \(P_{in} =H\), \(P_{fi} = H^{-1}\) and
Further, the involved divisions are \( {\Gamma } \llbracket x / y \mid z \rrbracket =y+z-\varphi ^{-1}(x-z)+\sigma ^{-1}\left( \varphi ^{-1}(x-z)-y\right) \) and \( {\Gamma } \llbracket x \backslash y \mid z \rrbracket =x-z-\varphi ^{-1}(z-x)+\varphi ^{-1}(y-z) \).
Intuitions from CCA attack against \(\varPsi ^{2,3}[{\textbf {F}} ] \)
As discussed, the well-known CCA attack against 3-round balanced Feistel \(\text {Feistel}_3[{\textbf {F}} ]\) shows that \(\varPsi _{P_{in},P_{fi}}^{2,3}[{\textbf {F}} ] \) is not CCA secure. Using the notations from Appendix A, the attack proceeds as follows.
1. Chooses \(x_0,x_0',x_1 \in \{0,1\} ^n\) with \(x_0 \ne x_0'\), and queries \(P(x_0,x_1) \rightarrow (x_3,x_4)\) and \(P(x_0',x_1) \rightarrow (x_3',x_4')\);
2. Sets \(x_4'' \leftarrow x_4' \oplus x_0 \oplus x_0'\) and queries \(P^{-1}(x_4'',x_3') \rightarrow (x_0'',x_1'')\);
3. Outputs 1 if and only if \(x_1'' = x_3' \oplus x_3 \oplus x_1\) (i.e., \(S' \oplus S \oplus R\) in the usual \((L,R) \mapsto (S,T)\) notation for the balanced Feistel).
We refer to Fig. 5 for the chains of values involved in the attack. The crucial idea is that the 3rd evaluation \(\text {Feistel}_3[{\textbf {F}} ]^{-1}(x_4'',x_3')\) does not give rise to a new \(F_2\)-call: \(x_2'' = x_4'' \oplus F_3(x_3') = (x_4' \oplus x_0 \oplus x_0') \oplus (x_2' \oplus x_4') = x_0 \oplus x_0' \oplus x_2' = x_2\).
Let’s see why this idea fails on \(\varPsi _{P_{in},P_{fi}}^{b,b+1}[{\textbf {F}} ] \). It suffices to consider \(\varPsi _{\textsf {id},\textsf {id}}^{3,4}[{\textbf {F}} ] \) for the identity permutation id. Consider proceeding as follows:
1. Chooses \(x_0,x_0',x_1,x_2 \in \{0,1\} ^n\) with \(x_0 \ne x_0'\), and queries \(P(x_0,x_1,x_2) \rightarrow (x_4,x_5,x_6)\) and \(P(x_0',x_1,x_2) \rightarrow (x_4',x_5',x_6')\);
2. Sets \(x_6'' \leftarrow x_6' \oplus x_0 \oplus x_0'\) and queries \(P^{-1}(x_4',x_5',x_6'') \rightarrow (x_0'',x_1'',x_2'')\).
The two encryption processes have \(x_3 = x_0 \oplus F_1(x_1,x_2)\) and \(x_3' = x_0' \oplus F_1(x_1,x_2)\), and thus \(x_3 \oplus x_3' = x_0 \oplus x_0'\). Therefore, the 3rd evaluation \(\varPsi _{\textsf {id},\textsf {id}}^{3,4}[{\textbf {F}} ] ^{-1}(x_4',x_5',x_6'')\) still does not give rise to a new \(x_3\) value: it has \(x_3'' = x_6'' \oplus F_4(x_4',x_5') = (x_6' \oplus x_0 \oplus x_0') \oplus (x_3' \oplus x_6') = x_0 \oplus x_0' \oplus x_3' = x_3\). However, it internally calls \(F_3(x_3,x_4')\), which remains new since \((x_3,x_4') \ne (x_3,x_4),(x_3',x_4')\). This call gives rise to a random output, which cannot cause \(x_2'' = x_2\) anymore.
We remark that in our security proof, the tree formed by such three chains was addressed in Subcase 1.4.2.a in Sect. 4.3.1.
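As an added illustration (not code from the paper), the following Python models \(\text {ConFeistel}_r\) on b blocks with lazily sampled ideal round functions and runs the three queries above against both the 3-round balanced Feistel (b = 2) and the 4-round contracting Feistel with b = 3, counting how many fresh inputs each \(F_i\) receives during the decryption query. Function names, the 32-bit block size and the fixed seed are assumptions of this example.

```python
import random


class LazyRandomFunction:
    """Ideal round function F_i, sampled lazily so fresh (never-seen) inputs can be counted."""

    def __init__(self, n_bits, rng):
        self.n_bits, self.rng, self.table, self.fresh_calls = n_bits, rng, {}, 0

    def __call__(self, *inputs):
        if inputs not in self.table:            # new input: output is fresh and uniform
            self.table[inputs] = self.rng.getrandbits(self.n_bits)
            self.fresh_calls += 1
        return self.table[inputs]


def con_feistel(F, b, x):
    """ConFeistel_r on b blocks: x_{i+b-1} <- x_{i-1} xor F_i(x_i, ..., x_{i+b-2}), output
    (x_r, ..., x_{r+b-1}).  b = 2 is the balanced Feistel.  Returns output and full chain."""
    x, r = list(x), len(F)
    for i in range(1, r + 1):                   # x[k] holds x_k
        x.append(x[i - 1] ^ F[i - 1](*x[i:i + b - 1]))
    return tuple(x[r:r + b]), x


def con_feistel_inv(F, b, y):
    """Inverse: from (x_r, ..., x_{r+b-1}) recover x_{i-1} = x_{i+b-1} xor F_i(x_i, ..., x_{i+b-2})."""
    r = len(F)
    x = [None] * r + list(y)
    for i in range(r, 0, -1):
        x[i - 1] = x[i + b - 1] ^ F[i - 1](*x[i:i + b - 1])
    return tuple(x[:b]), x


def roundtrip_ok(b, r, n_bits=32, seed=3):
    """Sanity check that con_feistel_inv inverts con_feistel."""
    rng = random.Random(seed)
    F = [LazyRandomFunction(n_bits, rng) for _ in range(r)]
    x = tuple(rng.getrandbits(n_bits) for _ in range(b))
    return con_feistel_inv(F, b, con_feistel(F, b, x)[0])[0] == x


def three_query_experiment(b, r, n_bits=32, seed=1):
    """The three queries of the CCA sketch above against ConFeistel_r on b blocks:
    encrypt (x_0, x_1..x_{b-1}) and (x_0', x_1..x_{b-1}), then decrypt the second
    ciphertext with its last block shifted by x_0 xor x_0'.  Returns the full chains
    of all three evaluations plus the fresh inputs each F_i received while decrypting."""
    rng = random.Random(seed)                   # seeded, so the run is reproducible
    F = [LazyRandomFunction(n_bits, rng) for _ in range(r)]
    x0 = rng.getrandbits(n_bits)
    x0p = x0 ^ 1                                # any x_0' != x_0 works
    shared = [rng.getrandbits(n_bits) for _ in range(b - 1)]   # x_1, ..., x_{b-1}
    _, chain = con_feistel(F, b, (x0, *shared))
    yp, chainp = con_feistel(F, b, (x0p, *shared))
    ypp = (*yp[:-1], yp[-1] ^ x0 ^ x0p)         # step 2: shift the last block only
    before = [f.fresh_calls for f in F]
    _, chainpp = con_feistel_inv(F, b, ypp)
    fresh = [f.fresh_calls - c for f, c in zip(F, before)]
    return chain, chainp, chainpp, fresh


def balanced_feistel3_relation(seed=1):
    """b = 2, r = 3: x_2'' = x_2, F_2 gets no fresh input, and x_1'' = x_3' ^ x_3 ^ x_1."""
    c, cp, cpp, fresh = three_query_experiment(b=2, r=3, seed=seed)
    return cpp[2] == c[2], cpp[1] == cp[3] ^ c[3] ^ c[1], fresh[1]


def contracting_feistel4_relation(seed=1):
    """b = 3, r = 4: x_3'' = x_3 still holds, but F_3(x_3, x_4') is a fresh input,
    so x_2'' = x_2 fails except with probability 2^-n."""
    c, cp, cpp, fresh = three_query_experiment(b=3, r=4, seed=seed)
    return cpp[3] == c[3], cpp[2] == c[2], fresh[2]
```

For b = 2 the decryption query triggers no fresh \(F_2\) input and the relation \(x_1'' = x_3' \oplus x_3 \oplus x_1\) holds with certainty; for b = 3 the fresh \(F_3(x_3,x_4')\) input makes \(x_2'' = x_2\) fail, matching the argument above.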
Details of Case 2 \(d^{(i)} = \leftarrow \) for Sect. 4.3
When \(d^{(i)} = \leftarrow \), the event \(\varPsi ^{b,b+1}[{\textbf {F}} ] (x_0^{(i)},x_1^{(i)},\ldots ,x_{b-1}^{(i)}) = (x_{b+1}^{(i)},x_{b+2}^{(i)},\ldots ,x_{2b}^{(i)})\) is equivalent to \(F_1,\ldots ,F_{b}\) satisfying the following equations:
Event \(\varPsi ^{b,b+1}[{\textbf {F}} ] (x_0^{(i')},x_1^{(i')},\ldots ,x_{b-1}^{(i')}) = (x_{b+1}^{(i')},x_{b+2}^{(i')},\ldots ,x_{2b}^{(i')})\) is equivalent to \(F_1,\ldots ,F_{b+1}\) satisfying the equations in Eq. (20). Since \(d^{(i)} = \leftarrow \) and \(\tau \) is good, it holds \(x_{1}^{(i)} \ne x_{1}^{(i')},\ldots ,x_{b-1}^{(i)} \ne x_{b-1}^{(i')}\). By these, in Eq. (21), the \(b-1\) equations on \(F_1,\ldots ,F_{b-1}\) are distinct from the corresponding equations in Eq. (20).
It remains to argue \((x_b^{(i)},\ldots ,x_{2b-1}^{(i)}) \ne (x_b^{(i')},\ldots ,x_{2b-1}^{(i')})\), i.e., the equations on \(F_b\) are distinct. To this end, we distinguish cases as follows (though, they are similar to Sect. 4.3.1 by symmetry).
Subcase 2.1: the i-th and \(i'\)-th edges in \(\mathcal {G} (\tau )\) are in distinct trees. Similarly to Subcase 1.1, we have \(x_{b}^{(i)} \ne x_{b}^{(i')}\) and thus \((x_b^{(i)},\ldots ,x_{2b-1}^{(i)}) \ne (x_b^{(i')},\ldots ,x_{2b-1}^{(i')})\) by the goodness of \(\tau \).
Subcase 2.2: the i-th and \(i'\)-th edges are in the same tree in \(\mathcal {G} (\tau )\) and adjacent. Then we have \(x_{b}^{(i)} \ne x_{b}^{(i')}\) and thus \((x_b^{(i)},\ldots ,x_{2b-1}^{(i)}) \ne (x_b^{(i')},\ldots ,x_{2b-1}^{(i')})\), following a case analysis that is the same as Subcase 1.2.
Subcase 2.3: the i-th and \(i'\)-th edges are not adjacent in \(\mathcal {G} (\tau )\) but in the same directed path. Let \(\Big ( \big ( (x_0^{(j_\ell )},x_1^{(j_\ell )},\ldots ,x_{b-1}^{(j_\ell )}),(x_{b+1}^{(j_\ell )},\ldots ,x_{2b-1}^{(j_\ell )},x_{2b}^{(j_\ell )}), x_b^{(j_\ell )}, d^{(j_\ell )} \big ) \Big )_{\ell = 1,\ldots ,s}\) be the path with \(j_s = i\) (recall that \(i > i'\)), and let \(j_t = i'\) (where \(t < s - 1\)). Since \(d^{(j_s)} = d^{(i)} = \leftarrow \), this means its “previous” edge (the \(j_{s-1}\)-th edge) in the path has:
- \(d^{(j_{s-1})} = \rightarrow \) and \(j_{s-1} > j_t\) (by \(s - 1 > t\) and by Lemma 3), and
- \((x_{b+1}^{(j_{s-1})},\ldots ,x_{2b-1}^{(j_{s-1})}) = (x_{b+1}^{(j_s)},\ldots ,x_{2b-1}^{(j_s)})\) (since they are adjacent and \(d^{(j_s)} = d^{(i)} = \leftarrow \)).
By these, it holds \(x_{b+1}^{(j_s)} = x_{b+1}^{(j_{s-1})} \ne x_{b+1}^{(j_t)},\ldots ,x_{2b-1}^{(j_s)}=x_{2b-1}^{(j_{s-1})} \ne x_{2b-1}^{(j_t)}\) by \(\lnot \text {(B-1)} \). This implies \((x_b^{(i)},\ldots ,x_{2b-1}^{(i)}) \ne (x_b^{(i')},\ldots ,x_{2b-1}^{(i')})\) in this subcase.
Subcase 2.4: the i-th and \(i'\)-th edges are not adjacent in \(\mathcal {G} (\tau )\) and are in distinct directed paths. Let \(\Big ( \big ( (x_0^{(j_\ell )},\ldots ,x_{b-1}^{(j_\ell )}),(x_{b+1}^{(j_\ell )},\ldots ,x_{2b}^{(j_\ell )}), x_b^{(j_\ell )}, d^{(j_\ell )} \big ) \Big )_{\ell = 1,\ldots ,s}\) and \(\Big ( \big ( (x_0^{(j_\ell ')},\ldots ,x_{b-1}^{(j_\ell ')}),(x_{b+1}^{(j_\ell ')},\ldots ,x_{2b}^{(j_\ell ')}), x_b^{(j_\ell ')}, d^{(j_\ell ')} \big ) \Big )_{\ell = 1,\ldots ,t}\) be the two paths ending at the i-th and \(i'\)-th edges respectively (i.e., \(j_s = i\) and \(j_t' = i'\)). Since the two paths are in the same tree, it holds either \((x_1^{(j_1)},\ldots ,x_{b-1}^{(j_1)})=(x_1^{(j_1')},\ldots ,x_{b-1}^{(j_1')})\) is the root of the tree or \((x_{b+1}^{(j_1)},\ldots ,x_{2b-1}^{(j_1)}) = (x_{b+1}^{(j_1')},\ldots ,x_{2b-1}^{(j_1')})\) is the root. Since the two edges are not adjacent, it holds either \(s > 1\) or \(t > 1\). By these, we distinguish seven subcases (which are symmetrical to the subcases in Subcase 1.4) as follows.
First, Subcases 2.4.1.a–2.4.1.c address the cases of \((x_{b+1}^{(j_1)},\ldots ,x_{2b-1}^{(j_1)})=(x_{b+1}^{(j_1')},\ldots ,x_{2b-1}^{(j_1')})\) and \(d^{(i')} = \leftarrow \) (which are symmetrical to Subcases 1.4.1.a–1.4.1.c). Discussions further distinguish whether s or t equals 1.
\(\underline{Subcase\, 2.4.1.a: (x_{b+1}^{(j_1)},\ldots ,x_{2b-1}^{(j_1)})=(x_{b+1}^{(j_1')},\ldots ,x_{2b-1}^{(j_1')}), d^{(i')} = \leftarrow \, and\, t=1}\) (which means \(s>1\)). This subcase resembles Subcase 1.4.1.a by symmetry. By Lemma 3, it holds \(s \ge 3\). In addition, for the \(j_{s-1}\)-th record \(\big ( (x_0^{(j_{s-1})},\ldots ,x_{b-1}^{(j_{s-1})}),(x_{b+1}^{(j_{s-1})},\ldots ,x_{2b}^{(j_{s-1})}), x_b^{(j_{s-1})}, d^{(j_{s-1})} \big )\) it holds \(d^{(j_{s-1})} = \rightarrow \) and \((x_{b+1}^{(j_{s-1})},\ldots ,x_{2b-1}^{(j_{s-1})}) = (x_{b+1}^{(j_s)},\ldots ,x_{2b-1}^{(j_s)})\). Moreover, since \(s \ge 3\), it holds \(j_{s-1} \ne j_1'\). By this, it holds
by \(\lnot \text {(B-1)} \). This implies \((x_b^{(i)},\ldots ,x_{2b-1}^{(i)}) \ne (x_b^{(i')},\ldots ,x_{2b-1}^{(i')})\) in this subcase.
\(\underline{Subcase\, 2.4.1.b: (x_{b+1}^{(j_1)},\ldots ,x_{2b-1}^{(j_1)})=(x_{b+1}^{(j_1')},\ldots ,x_{2b-1}^{(j_1')}), d^{(i')} = \leftarrow \, and\, s=1}\) (which means \(t>1\)). It holds \(t \ge 3\) by Lemma 3, and \(d^{(j_{t-1}')} = \rightarrow \) and \((x_{b+1}^{(j_{t-1}')},\ldots ,x_{2b-1}^{(j_{t-1}')}) = (x_{b+1}^{(j_t')},\ldots ,x_{2b-1}^{(j_t')})\) for the record \(\big ( (x_0^{(j_{t-1}')},x_1^{(j_{t-1}')},\ldots ,x_{b-1}^{(j_{t-1}')}),(x_{b+1}^{(j_{t-1}')},\ldots ,x_{2b-1}^{(j_{t-1}')},x_{2b}^{(j_{t-1}')}), x_b^{(j_{t-1}')}, d^{(j_{t-1}')} \big )\). Moreover, since \(t \ge 3\), it holds \(j_{t-1}' \ne j_1\). By this, \(\lnot \text {(B-1)} \) implies \(x_{b+1}^{(i')} = x_{b+1}^{(j_{t-1}')} \ne x_{b+1}^{(i)} = x_{b+1}^{(j_1)},\ldots ,x_{2b-1}^{(i')} = x_{2b-1}^{(j_{t-1}')} \ne x_{2b-1}^{(i)} = x_{2b-1}^{(j_1)}\), and thus \((x_b^{(i)},\ldots ,x_{2b-1}^{(i)}) \ne (x_b^{(i')},\ldots ,x_{2b-1}^{(i')})\).
\(\underline{Subcase\, 2.4.1.c: (x_{b+1}^{(j_1)},\ldots ,x_{2b-1}^{(j_1)})=(x_{b+1}^{(j_1')},\ldots ,x_{2b-1}^{(j_1')}), d^{(i')} = \leftarrow , s>1\, and\, t>1.}\) By Lemma 3, it holds \(s \ge 3\) and \(t \ge 3\). In addition:
- For the \(j_{s-1}\)-th record \(\big ( (x_0^{(j_{s-1})},\ldots ,x_{b-1}^{(j_{s-1})}),(x_{b+1}^{(j_{s-1})},\ldots ,x_{2b}^{(j_{s-1})}), x_b^{(j_{s-1})}, d^{(j_{s-1})} \big )\) it holds \(d^{(j_{s-1})} = \rightarrow \) and \((x_{b+1}^{(j_{s-1})},\ldots ,x_{2b-1}^{(j_{s-1})}) = (x_{b+1}^{(j_s)},\ldots ,x_{2b-1}^{(j_s)})\);
- For the \(j_{t-1}'\)-th record \(\big ( (x_0^{(j_{t-1}')},\ldots ,x_{b-1}^{(j_{t-1}')}),(x_{b+1}^{(j_{t-1}')},\ldots ,x_{2b}^{(j_{t-1}')}), x_b^{(j_{t-1}')}, d^{(j_{t-1}')} \big )\) it holds \(d^{(j_{t-1}')} = \rightarrow \) and \((x_{b+1}^{(j_{t-1}')},\ldots ,x_{2b-1}^{(j_{t-1}')}) = (x_{b+1}^{(j_t')},\ldots ,x_{2b-1}^{(j_t')})\).
Moreover, since \(s \ge 3\) and \(t \ge 3\), it holds \(j_{s-1} \ne j_{t-1}'\). By this, it holds \(x_{b+1}^{(i)} = x_{b+1}^{(j_{s-1})} \ne x_{b+1}^{(i')} = x_{b+1}^{(j_{t-1}')},\ldots ,x_{2b-1}^{(i)} = x_{2b-1}^{(j_{s-1})} \ne x_{2b-1}^{(i')} = x_{2b-1}^{(j_{t-1}')}\) by \(\lnot \text {(B-1)} \), regardless of whether \(j_{s-1} > j_{t-1}'\) or \(j_{s-1} < j_{t-1}'\). This implies \((x_b^{(i)},\ldots ,x_{2b-1}^{(i)}) \ne (x_b^{(i')},\ldots ,x_{2b-1}^{(i')})\) in this subcase.
Second, Subcases 2.4.2.a and 2.4.2.b address the subcases with \((x_{b+1}^{(j_1)},\ldots ,x_{2b-1}^{(j_1)})=(x_{b+1}^{(j_1')},\ldots ,x_{2b-1}^{(j_1')})\) and \(d^{(i')} = \rightarrow \). Discussions further distinguish whether s or t equals 1.
\(\underline{Subcase\, 2.4.2.a: (x_{b+1}^{(j_1)},\ldots ,x_{2b-1}^{(j_1)})=(x_{b+1}^{(j_1')},\ldots ,x_{2b-1}^{(j_1')}), d^{(i')} = \rightarrow \, and\, s=1.}\) By Lemma 3, it holds \(t \ge 2\). Lemma 3 also implies \(j_t' > j_1'\). By this, it holds \(x_{b+1}^{(j_1)} = x_{b+1}^{(j_1')} \ne x_{b+1}^{(j_t')},\ldots ,x_{2b-1}^{(j_1)} = x_{2b-1}^{(j_1')} \ne x_{2b-1}^{(j_t')}\) by \(\lnot \text {(B-1)} \), and thus \((x_b^{(i)},\ldots ,x_{2b-1}^{(i)}) \ne (x_b^{(i')},\ldots ,x_{2b-1}^{(i')})\).
\(\underline{Subcase\, 2.4.2.b: (x_{b+1}^{(j_1)},\ldots ,x_{2b-1}^{(j_1)})=(x_{b+1}^{(j_1')},\ldots ,x_{2b-1}^{(j_1')}), d^{(i')} = \rightarrow \, and\, s>1.}\) By Lemma 3, it holds \(s \ge 3\) and \(t \ge 2\). In addition, it holds \(d^{(j_{s-1})} = \rightarrow \) and \((x_{b+1}^{(j_{s-1})},\ldots ,x_{2b-1}^{(j_{s-1})}) = (x_{b+1}^{(j_s)},\ldots ,x_{2b-1}^{(j_s)})\) for the record \(\big ( (x_0^{(j_{s-1})},\ldots ,x_{b-1}^{(j_{s-1})}),(x_{b+1}^{(j_{s-1})},\ldots ,x_{2b}^{(j_{s-1})}), x_b^{(j_{s-1})}, d^{(j_{s-1})} \big )\). By this, it holds \(x_{b+1}^{(j_{s-1})} \ne x_{b+1}^{(j_t')},\ldots ,x_{2b-1}^{(j_{s-1})} \ne x_{2b-1}^{(j_t')}\) by \(\lnot \text {(B-1)} \), regardless of whether \(j_{s-1} > j_t'\) or \(j_{s-1} < j_t'\), and thus \((x_b^{(i)},\ldots ,x_{2b-1}^{(i)}) \ne (x_b^{(i')},\ldots ,x_{2b-1}^{(i')})\).
Third, Subcase 2.4.3 considers \((x_1^{(j_1)},\ldots ,x_{b-1}^{(j_1)}) = (x_1^{(j_1')},\ldots ,x_{b-1}^{(j_1')})\) and \(d^{(i')} = \leftarrow \).
\(\underline{Subcase\, 2.4.3: (x_1^{(j_1)},\ldots ,x_{b-1}^{(j_1)}) = (x_1^{(j_1')},\ldots ,x_{b-1}^{(j_1')})\, and\, d^{(i')} = \leftarrow .}\) By Lemma 3, it holds \(s \ge 2\) and \(t \ge 2\). This means:
- For the \(j_{s-1}\)-th record \(\big ( (x_0^{(j_{s-1})},\ldots ,x_{b-1}^{(j_{s-1})}),(x_{b+1}^{(j_{s-1})},\ldots ,x_{2b}^{(j_{s-1})}), x_b^{(j_{s-1})}, d^{(j_{s-1})} \big )\) it holds \(d^{(j_{s-1})} = \rightarrow \) and \((x_{b+1}^{(j_{s-1})},\ldots ,x_{2b-1}^{(j_{s-1})}) = (x_{b+1}^{(j_s)},\ldots ,x_{2b-1}^{(j_s)})\);
- For the \(j_{t-1}'\)-th record \(\big ( (x_0^{(j_{t-1}')},\ldots ,x_{b-1}^{(j_{t-1}')}),(x_{b+1}^{(j_{t-1}')},\ldots ,x_{2b}^{(j_{t-1}')}), x_b^{(j_{t-1}')}, d^{(j_{t-1}')} \big )\) it holds \(d^{(j_{t-1}')} = \rightarrow \) and \((x_{b+1}^{(j_{t-1}')},\ldots ,x_{2b-1}^{(j_{t-1}')}) = (x_{b+1}^{(j_t')},\ldots ,x_{2b-1}^{(j_t')})\).
Moreover, since \(s \ge 2\) and \(t \ge 2\), it holds \(j_{s-1} \ne j_{t-1}'\). By this, it holds \(x_{b+1}^{(j_{s-1})} \ne x_{b+1}^{(j_{t-1}')},\ldots ,x_{2b-1}^{(j_{s-1})} \ne x_{2b-1}^{(j_{t-1}')}\) (and further \((x_b^{(i)},\ldots ,x_{2b-1}^{(i)}) \ne (x_b^{(i')},\ldots ,x_{2b-1}^{(i')})\)) by \(\lnot \text {(B-1)} \), regardless of whether \(j_{s-1} > j_{t-1}'\) or \(j_{s-1} < j_{t-1}'\).
The final subcase considers \((x_1^{(j_1)},\ldots ,x_{b-1}^{(j_1)}) = (x_1^{(j_1')},\ldots ,x_{b-1}^{(j_1')})\) and \(d^{(i')} = \rightarrow \).
\(\underline{Subcase\, 2.4.4: (x_1^{(j_1)},\ldots ,x_{b-1}^{(j_1)}) = (x_1^{(j_1')},\ldots ,x_{b-1}^{(j_1')})\, and\, d^{(i')} = \rightarrow .}\) Note that \(d^{(i)} = \leftarrow \) implies \(s \ge 2\). For the \(j_{s-1}\)-th record \(\big ( (x_0^{(j_{s-1})},\ldots ,x_{b-1}^{(j_{s-1})}),(x_{b+1}^{(j_{s-1})},\ldots ,x_{2b}^{(j_{s-1})}), x_b^{(j_{s-1})}, d^{(j_{s-1})} \big )\) it holds \(d^{(j_{s-1})} = \rightarrow \) and \((x_{b+1}^{(j_{s-1})},\ldots ,x_{2b-1}^{(j_{s-1})}) = (x_{b+1}^{(j_s)},\ldots ,x_{2b-1}^{(j_s)})\). By this, it holds \(x_{b+1}^{(j_{s-1})} \ne x_{b+1}^{(j_1')},\ldots ,x_{2b-1}^{(j_{s-1})} \ne x_{2b-1}^{(j_1')}\) by \(\lnot \text {(B-1)} \), regardless of whether \(j_{s-1} > j_1'\) or \(j_{s-1} < j_1'\). This implies \((x_b^{(i)},\ldots ,x_{2b-1}^{(i)}) \ne (x_b^{(i')},\ldots ,x_{2b-1}^{(i')})\) in this subcase.
Summary for Subcase 2.4. In summary, when \(d^{(i)} = \leftarrow \) and the i-th and \(i'\)-th edges are not adjacent in \(\mathcal {G} (\tau )\) and are in distinct directed paths (and \(\tau \) is good), it always holds \((x_b^{(i)},\ldots ,x_{2b-1}^{(i)}) \ne (x_b^{(i')},\ldots ,x_{2b-1}^{(i')})\).
Rights and permissions
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
Guo, C., Song, L. CCA security for contracting (quasi-)Feistel constructions with tight round complexity. Des. Codes Cryptogr. (2024). https://doi.org/10.1007/s10623-024-01394-x