Generalized Feistel Structures Based on Tweakable Block Ciphers

Abstract

A generalized Feistel structure (GFS) is a classical approach to construct a block cipher from pseudorandom functions (PRFs). Coron et al. at TCC 2010 instantiated a Feistel structure with a tweakable block cipher (TBC), and presented its provable security treatment. GFSs can naturally be instantiated with TBCs, and among several types of GFSs, the provable security result of TBC-based unbalanced GFSs was presented. TBC-based counterparts of the most basic types of GFSs , namely, type-1, type-2, and type-3 GFSs, can naturally be formalized, and the provable security result of these structures is open. In this paper, we present such formalization and show their provable security treatment. We use a TBC of n-bit blocks and n-bit tweaks, and we identify the number of rounds needed to achieve birthday-bound security and beyond-birthday-bound security (with respect to n). The n-bit security can be achieved with a finite number of rounds, in contrast to the case of classical PRF-based GFSs. Our proofs use Patarin’s coefficient-H technique, and it turns out deriving a collision probability of various internal variables is nontrivial. In order to complete the proof, we introduce an approach to first compute a collision probability of one specific plaintext difference (or a ciphertext difference), and then prove that the case gives the maximum collision probability. We fully verify the correctness of our security bounds for a class of parameters by experimentally deriving upper bounds on the collision probability of internal variables. We also analyse the optimality of our results with respect to the number of rounds and the attack complexity.