2.
• Feistel Networks • F-Functions • RoundsContents • Balanced Feistel Networks • A Taxonomy of Feistel Networks • Unbalanced Feistel Networks • Homogenous & Heterogenous UFNs • Incomplete & Inconsistent UFNs • Generalized UFNs • Cycles & Rotations • Rate of Confusion • Rate of Diffusion • Examples • Comparison of Generic Constructions • Differential Cryptanalysis • Linear Cryptanalysis • Conclusions & Open Problems
3.
Feistel Networks Taxonomy Generic Constructions Comparison Conclusions & Open Problems F-FunctionsA Feistel network is a general method of transforming any function, usually calledF-Function, into a permutation. It was invented by Horst Feistel, a scientist fromIBM, in his design of Lucifer in the early 1970s and has been used in many blockcipher designs: DES, FEAL, Khufu and Khafre, Blowfish and RC5.Def1. The F-function of a conventional Feistel network can be expressed as: F : {0,1}n / 2 {0,1}k {0,1}n / 2Where n is the size of the block, F is a function taking n/2 bits and k bits of a key as input, and producing an output of length n/2 bits.
4.
Feistel Networks Taxonomy Generic Constructions Comparison Conclusions & Open Problems RoundsDef2. One round of a conventional (balanced) Feistel network is: Xi 1 (Fk i (msbn/2 (Xi )) lsb n/2 (Xi )) msbn/2 (Xi )Here, Xi is the input to the round, Xi+1 is the output of the round, ki is the key, n is the block length, lsbn/2(x) andmsbn/2(x) select the least significant and most significant u bits of X, indicates modulo-2 addition, and indicatesconcatenation.In each round msbn/2 (X) operates, via a key-dependent non-linear F-Functon onlsbn/2 (X). This is often referred to as the left half operating on the right half.
5.
Feistel Networks Taxonomy Generic Constructions Comparison Conclusions & Open Problems Balanced Feistel NetworksDef3. A Balanced Feistel Network consists of j rounds: Xi 1 (Fk i (msbn/2 (X i )) lsb n/2 (X i )) msb n/2 (X i )The keys ki are the round keys, which typically are out-put from a key schedule algorithm on input a key K.The security of a Feistel network is based on theiteration of the F-function. The number of roundsrequired for resistance to a given attack dependsof the properties of the function.
6.
Feistel Networks Taxonomy Generic Constructions Comparison Conclusions & Open Problems Unbalanced Feistel NetworksAn Unbalanced Feistel Network (UFN) is a Feistel network where the left half andthe right half are not of equal size.Def4. One round of a s-on-t, or s:t, UFN is: Xi 1 (F(msbs (Xi ), k i ) lsb t (Xi )) msbs (Xi )The msbn/2(Xi) called the source block. The lsbn/2(Xi) is called the target block. UFNswhere s > t are called source heavy, and UFNs where s < t are called target heavy. Asub-block, b, is gcd( s, t, n). The F-function is a collection of 2k mappings of the s-bitnumbers onto the t-bit numbers, or s/b sub-blocks onto t/b sub-blocks.
7.
Feistel Networks Taxonomy Generic Constructions Comparison Conclusions & Open Problems Homogenous & Heterogenous UFNsDef5. A UFN is homogenous when the F-function function is identical in eachround, except for the round keys. A UFN is heterogeneous when the F-function fordifferent rounds is not always identical except for the round keys.The advantage of a heterogenous UFN is that, since its internal properties changefrom round to round, it may be much more difficult to find any kind of characteristicthat propogates well through all of the different kinds of round that appear in thecipher.
8.
Feistel Networks Taxonomy Generic Constructions Comparison Conclusions & Open Problems Incomplete & Inconsistent UFNsDef6. A UFN is complete when s+t = n, that is, when in each round every bit in theblock is either part of the source block or part of the target block. A UFN isincomplete when s+t < n. In an incomplete UFN, the n-s-t = z bits that are not partof the source block or part ofthe target block are called the null block.Def7. UFN is consistent when s, t, z, and n remain constant for the entire cipher. AUFN in which the sizes of the source and target block change during encryption iscalled inconsistent.
9.
Feistel Networks Taxonomy Generic Constructions Comparison Conclusions & Open Problems Generalized UFNsThe most general case of a Feistel Network simply requires that one part of theblock being encrypted controls the encryption of another part of the block. Forexample, given some n-bit keyed reversible function, Ek (X), we can define a blockcipher whose rounds look like: Xi 1 Eki msbs ( X i ) (lsbt ( X i )) msb s ( X i )Further, we need not leave the source block alone in each round-we may performsome unkeyed reversible function on it, as well. Additionally, we can apply somenonreversible function on the source block to derive the key for the keyedreversible function.
10.
Feistel Networks Taxonomy Generic Constructions Comparison Conclusions & Open Problems Generalized UFNsDef7. One round of a s:t n-bit Generalized Unbalanced Feistel Network (GUFN) isdefined as: Xi 1 R(G(ki , msbs ( X i ), lsbt ( X i )), msbs ( X i ))where R is some reversible function, and G is some reversible function in the sensethat there is a function H such that for all K, Y, Z: H (K,Y,G(K,Y,Z)) = ZIf G = H, then the GUFN is called symmetric.
11.
Feistel Networks Taxonomy Generic Constructions Comparison Conclusions & Open Problems Cycles & RotationsA cycle is the number of rounds necessary for each bit in the block to have beenpart of both the source and target blocks at least once. A rotation is the number ofrounds needed for each bit in the block to return to its starting position. nLemma 1. A cycle, C, of a s:t UFN is C [ ] min( s, t ) nLemma 2. A rotation, G, of an s:t UFN is G [ ] gcd(s, t )Def9. A UFN is called even if C = G; otherwise it is called odd. A UFN is primewhen G = n.
12.
Feistel Networks Taxonomy Generic Constructions Comparison Conclusions & Open Problems Rate of ConfusionAn observer who knows some information about Xi, but not round key ki, shouldwind up knowing less about Xi+i. The process by which this observer losesknowledge of the sequence of Xi values is called confusion.In a Feistel Network, bit j of the block can be obscured only when bit j appears inthe target block of a given round. This means that the number of times that bit jcan be obscured per cycle can be no larger than the number of times per cycle thatbit j appears in the source block. This is called the rate of confusion, denoted as Rc.
13.
Feistel Networks Taxonomy Generic Constructions Comparison Conclusions & Open Problems Rate of ConfusionDef10. The rate of confusion of a consistent UFN is the minimum number of timesper cycle that any bit can occur in the target block. tLemma 3. For a s:t UFN, the rate of confusion, Rc nNote that it can never take fewer than 1/ Rc rounds for an observer to lose allinformation about the block in a UFN.
14.
Feistel Networks Taxonomy Generic Constructions Comparison Conclusions & Open Problems Rate of ConfusionThe rate of confusion and linear cryptanalysis An increase in Rc tends to increaseresistance to linear cryptanalysis, when all other variables are held constant.Lemma 4. A complete UFN is even if and only if min(s,t) divides n.Def11. An active round in a linear attack is a round in which there is some linearapproximation in the target block.
15.
Feistel Networks Taxonomy Generic Constructions Comparison Conclusions & Open Problems Rate of ConfusionTheorem 1. If an even complete UFN has C rounds per cycle, then the fraction ofrounds per cycle that are active in a linear attack is at least Rc = t/n.This follows from the fact that Rc measures the minimum number of times per cycle that any bit orsubset of bits may have appeared in the target block. □Theorem 2. Let p be the bias of the best possible approximation for an active roundunder a linear attack. Then the output bias of any nontrivial linear characteristicpropagating through C rounds is at most (2(CRc-1)pCRc).From our previous assertions, we can see that in each C rounds, there are at least CRc active roundsunder a linear attack. The best possible bias of a C-round approximation follows from this, and from therules for concatenating linear characteristics. □
16.
Feistel Networks Taxonomy Generic Constructions Comparison Conclusions & Open Problems Rate of ConfusionIntuitively, anytime a bit string with any uncertainty at all is XORed into the bits ofan approximation, that approximations bias decreases. Assuming that there is noperfect approximation of any subset of the F-functions outputs, this implies that ahigher rate of confusion leads to a smaller bias for a linear approximation sentthrough a full cycle. It is important to note, however, that a high rate of confusion isnot enough to guarantee resistance to linear cryptanalysis.
17.
Feistel Networks Taxonomy Generic Constructions Comparison Conclusions & Open Problems Rate of DiffusionAny change in Xi should have some chance to change every bit of Xi+1, for some t.The process by which one bit in the block has the chance to affect other bits in theblock is called diffusion.In a Feistel cipher, the only time bit j can affect other bits in the block is when bit jis in the source block. This leads naturally to the idea of the rate of diffusion.Def12. The rate of diffusion is the smallest number of times per cycle that a givenbit can have the chance to affect other bits in the block. sLemma 5. For a s:t UFN, the rate of diffusion is Rd t
18.
Feistel Networks Taxonomy Generic Constructions Comparison Conclusions & Open Problems Rate of DiffusionThe rate of diffusion is the measure of how many times per cycle each bit is used toencrypt other bits. It is upwardly bounded by the proportion of the block used asinput to the F-function.The rate of diffusion and differential cryptanalysis. An increase in Rd tends toincrease resistance to differential cryptanalysis, when all other variables are heldconstant.
19.
Feistel Networks Taxonomy Generic Constructions Comparison Conclusions & Open Problems Rate of DiffusionDef13. An active round under a differential attack is a round in which there is anonzero input difference into the F-function.Theorem 3. If an even complete UFN has C rounds per cycle, then the fraction ofrounds per cycle that are active in a differential attack is at least Rd = s/n.This follows from the definition of an active round under differential attack, and from the definition ofthe rate of diffusion. □
20.
Feistel Networks Taxonomy Generic Constructions Comparison Conclusions & Open Problems Rate of DiffusionTheorem 4. Let p be the greatest possible probability for a nontrivial characteristicto propagate through a round. Then, the probability of any nontrivial characteristicpropagating through C consecutive rounds is at most p(CRd) assuming thatcharacteristics can be concatenated by multiplying their probabilities.A differential characteristic has its probability computed by multiplying all of its constituentcharacteristics probabilities. No C round characteristic can have fewer than CRd active one roundcharacteristics, and inactive round character-istics have probability of one. Since no one round activecharacteristic can have probability of more than p, its clearly impossible for any C round characteristic tohave greater than pCRi probability. □
21.
Feistel Networks Taxonomy Generic Constructions Comparison Conclusions & Open Problems Rate of DiffusionIntuitively, each time an input difference appears in the source block, unless thedesired output difference happens with probability 1, the differential characteristicbecomes less likely to successfully pass through a cycle. However, it is important tonote that a high rate of diffusion alone is not sufficient to ensure resistance todifferential attack-the differential properties of the ciphers F-function must also betaken into account. Additionally, differential attacks on source-heavy UFNs (thosewith realtively high rates of diffusion) are compli-cated by the fact that inputs intosuccessive rounds are closely related. This is discussed below.
22.
Feistel Networks Taxonomy Generic Constructions Comparison Conclusions & Open Problems ExamplesMacGuffin is a 48:16 UFN (b = 16 and n = 64) designed to introduce the concept ofUFNs. The F-function closely mirrors DES; it consists of a permutation, an XOR of 48key bits, an S-box substitution (using the high-order two bit output of the eight DESS-boxes), and another permutation.BEAR and LION are block cipher constructions designed by Ross Anderson and EliBiham, which can be used to build a three-round inconsistent heterogenous UFNout of any keyed hash function with an n-bit output, and any stream cipher with ann-bit key.
23.
Feistel Networks Taxonomy Generic Constructions Comparison Conclusions & Open Problems ExamplesThe MD4 Family of Hash Functions The underlying structure of all these hashfunctions is a block algorithm, with a Davies-Meyer feedforward function to convertit into a one-way hash function. In SHA, for example, the block algorithm is an 80-round, 128:32 even complete UFN.There are some additional complications making SHA a GUFN: the output of the F-function is combined with the target block using addition modulo 232 instead ofXOR, and there is an additional cyclic shift of part of the source block in eachround. Note that these hash functions compression functions are source-heavyheterogenous UFNs.
24.
Feistel Networks Taxonomy Generic Constructions Comparison Conclusions & Open Problems Differential CryptanalysisIf we assume a b:3b UFN, and that an input difference a produces a zero difference,this can be used to create a 4-round characteristic with probability p(In the following examples, a, b and 0 are all b-bit numbers. In this section, δs — δt is used to show theactual differential relationship which is being exploited).
25.
Feistel Networks Taxonomy Generic Constructions Comparison Conclusions & Open Problems Differential CryptanalysisIn general, the differential can be used in a ub:vb UFN to create a (u + v)-rounditerative characteristic with probability pu.While at first glance, this seems to imply that UFNs with a larger Rd are less likely tohave good multi-round differential characteristics, this is not always the case. As bgets smaller, the assumptions required to produce this characteristic become moreimplausible. However, as t gets smaller, it appears that high-probability differentialsbecome easier to find again. Note that this may lead to situations in which a multi-round characteristic is extremely difficult to find, but relatively easy to exploit.
26.
Feistel Networks Taxonomy Generic Constructions Comparison Conclusions & Open Problems Differential CryptanalysisConsider a different type of differential: Assume a b:3b UFN, and that an inputdifference a produces an output difference (0, b, 0) with probability p1, and aninput difference b produces an output difference (0, a, 0) with probability p2. Thesedifferentials can be used to create a 6-round characteristic with probability p1 p2 —one that can be concatenated with another similar characteristic to create a 12-round iterated characteristic with probability p12p22:
27.
Feistel Networks Taxonomy Generic Constructions Comparison Conclusions & Open Problems Differential CryptanalysisComplicationsRelated inputs to successive rounds. F-functions source-heavy UFNs have theproperty that successive rounds have some portions of their inputs in common. Thisis significantly different than the situation in a balanced Feistel Network, in whichthe entire input to the F-function was XORed with the output of the previousrounds F-function, and thus may be assumed to be somewhat random.
28.
Feistel Networks Taxonomy Generic Constructions Comparison Conclusions & Open Problems Differential CryptanalysisComplicationsKey-dependent characteristics. A key-dependent differential characteristic is adifferential characteristic whose probability is partially a function of the specificround keys chosen. In some cases, such as the attacks on RDES and Lucifer in, thisprovides a generally useful attack on the cipher. In other cases, such as in the weakkeys of IDEA, a rare weak key condition (consisting of an interaction between thecipher key, the key schedule, and the round function) can lead to relatively highprobability differential characteristics.
29.
Feistel Networks Taxonomy Generic Constructions Comparison Conclusions & Open Problems Differential CryptanalysisComplicationsUsing multiple key-dependent differential characteristics to learn key informationWhen there are many possible key-dependent differential characteristics, we maybe able to the fact that some characteristics pass through the cipher, while othersdo not, as a way to immediately learn quite a bit of internal key information.
30.
Feistel Networks Taxonomy Generic Constructions Comparison Conclusions & Open Problems Differential CryptanalysisComplicationsTreating different sub-blocks of the F-functions input differently. Good differentialcharacteristics seem less likely to exist when different sub-blocks of the F-functionsinput are treated differently enough that they do not have the same differentialproperties.
31.
Feistel Networks Taxonomy Generic Constructions Comparison Conclusions & Open Problems Differential CryptanalysisConclusions1. As a general rule, differential cryptanalysis becomes more difficult as the rate ofdiffusion becomes higher—that is, more source-heavy UFNs tend to have moreinherent resistance to differential attacks.2. F-functions which treat different sub-blocks of input differently are much morelikely to be resistant to differential cryptanalysis than F-functions which treatdifferent sub-blocks identically.
32.
Feistel Networks Taxonomy Generic Constructions Comparison Conclusions & Open Problems Differential CryptanalysisConclusions3. Determining the susceptibility to differential attack of a UFN is somewhat morecomplex than is suggested by the first section of our discussion, above. In particular,source heavy UFNs have related inputs going into successive rounds’ F-functions,and in some circumstances, this can lead to new vul-nerabilities to differentialcryptanalysis. In other circumstances, such UFNs can actually be strengthenedagainst some kinds of differential attack by this property.
33.
Feistel Networks Taxonomy Generic Constructions Comparison Conclusions & Open Problems Linear CryptanalysisConsider an F-function with a linear approximation of some output bits, a, based onsome linear combination of the key bits only. Note that, in the tables in this section, As — Atis used to denote the actual linear approximation being exploited in a given round.In these examples, ? indicates no approximation.
34.
Feistel Networks Taxonomy Generic Constructions Comparison Conclusions & Open Problems Linear CryptanalysisIf we assume a 3b:b UFN, this linear approximation gives rise to a 4-roundcharacteristic with probability (1/2+ pi)While at first glance, this seems to imply that UFNs with a larger Rc are less likely tohave good multi-round linear characteristics, this is not always the case: as t getslarger with respect to s, it is more likely to have linear relationships.
35.
Feistel Networks Taxonomy Generic Constructions Comparison Conclusions & Open Problems Linear CryptanalysisComplicationsThere are some complications that need to be dealt with in linear cryptanalysis ofUFNs. First, an n-round b:3b UFN has an F-function output which has three timesas many output bits as input bits. This appears to make linear relationshipsbetween the input and output bits, or simply between output bits, more likely tooccur. Second, in a source-heavy UFN, the inputs to successive rounds F-functionsare closely related—depending upon the definition of the F-function, this mayfurther complicate linear cryptanalysis of this kind of UFN.
36.
Feistel Networks Taxonomy Generic Constructions Comparison Conclusions & Open Problems Linear CryptanalysisConclusionsWhile this analysis is by no means exhausting, it strongly suggests that resistanceto linear cryptanalysis is tied directly to Rc: as the size of t grows with respect to s,linear attacks become more difficult. However, the larger the target block, themore likely it is to have some useful linear approximations. Extremely target-heavyUFNs (such as an 8:1024 UFN) are certain to have some strong linearapproximations in the outputs of their F-functions.
37.
Feistel Networks Taxonomy Generic Constructions Comparison Conclusions & Open Problems ConclusionsThe structure of the Feistel network affects the security of the block cipher.Modifying the ratio of s and t can systematically affect the security of the cipher,when all other variables are held constant. Additionally, such issues as how theround keys are combined into the cipher can become important in UFN design—much more so than in balanced Feistel cipher design.UFN designs may allow us to design faster and better block ciphers than we could ifwe limited ourselves to balanced Feistel structures.
38.
Feistel Networks Taxonomy Generic Constructions Comparison Conclusions & Open Problems Open ProblemsIt seems that source-heavy UFNs have some inherent resistance to differentialattacks. Assuming some basic number of cycles, perhaps four, is there an optimals:t ratio for resistance to differential attacks?Is it reasonable to alternate several rounds of source-heavy UFN for resis-tance todifferential attacks, followed by several rounds of target-heavy UFN for resistanceto linear attacks? What would differential and linear attacks against such structureslook like?
39.
Feistel Networks Taxonomy Generic Constructions Comparison Conclusions & Open Problems ResourceUnbalanced Feistel Networks and Block-Cipher Design by Bruce Schneier and John Kelsey
Be the first to comment