Results 1 - 6 of 6
A Simplified and Generalized Treatment of Luby-Rackoff Pseudorandom Permutation Generators
- Advances in Cryptology - EUROCRYPT '92 Proceedings
, 1992
Cited by 26 (1 self)
A paper by Luby and Rackoff on the construction of pseudorandom permutations from pseudorandom functions based on a design principle of the DES has recently initiated a burst of research activities on applications and generalizations of these results. This paper presents a strongly simplified treatment of these results and generalizes them by pointing out the relation to locally random functions, thereby providing new insight into the relation between probability-theoretic and complexity-theoretic results in cryptography. The first asymptotically-optimal construction of a locally random function is presented and new design strategies for block ciphers based on these results are proposed.
New results on the pseudorandomness of some blockcipher constructions
- in Proceedings of Fast Software Encryption (FSE 2001), Lecture Notes in Computer Science, Volume 2355, Pages
, 2002
Cited by 9 (0 self)
In this paper, we describe new results on the security, in the Luby-Rackoff paradigm, of two modified Feistel constructions, namely the L-scheme, a construction used at various levels of the MISTY blockcipher which allows deriving a 2n-bit permutation from several n-bit permutations, and a slightly different construction named the R-scheme. We obtain pseudorandomness and super-pseudorandomness proofs for L-schemes and R-schemes with a sufficient number of rounds, which extend the pseudorandomness and non-super-pseudorandomness results on the 4-round L-scheme previously established by Sugita [Su96] and Sakurai et al. [Sa97]. In particular, we show that unlike the 3-round L-scheme, the 3-round R-scheme is pseudorandom, and that both the 5-round L-scheme and the 5-round R-scheme are super-pseudorandom (whereas the 4-round versions of both schemes are not super-pseudorandom). The security bounds obtained here are close to those established by Luby and Rackoff for the three-round version of the original Feistel scheme.
On the pseudorandomness of top-level schemes of block ciphers
- Advances in Cryptology - Asiacrypt’00, volume 1976 of LNCS
, 2000
Cited by 8 (1 self)
Block ciphers are usually based on one top-level scheme into which we plug "round functions". To analyze security, it is important to study the intrinsic security provided by the top-level scheme from the viewpoint of randomness: given a block cipher in which we replaced the lower-level schemes by idealized oracles, we measure the security (in terms of best advantage for a distinguisher) depending on the number of rounds and the number of chosen plaintexts. We then extrapolate a sufficient number of secure rounds given the regular bounds provided by decorrelation theory. This approach allows the comparison of several generalizations of the Feistel schemes and others. In particular, we compare the randomness provided by the schemes used by the AES candidates. In addition we provide a general paradigm for analyzing the security provided by the interaction between the different levels of the block cipher structure.
Decorrelation over Infinite Domains: the Encrypted CBC-MAC Case
, 2000
Cited by 5 (1 self)
Decorrelation theory has recently been proposed in order to address the security of block ciphers and other cryptographic primitives over a finite domain. We show here how to extend it to infinite domains, which can be used in the Message Authentication Code (MAC) case. In 1994, Bellare, Kilian and Rogaway proved that CBC-MAC is secure when the input length is fixed. This has been extended by Petrank and Rackoff in 1997 to variable length. In this paper, we prove a result similar to Petrank and Rackoff's by using decorrelation theory. This leads to a slightly improved result and a more compact proof. This result is meant to be a general proving technique for security, which can be compared to the approach which was announced by Maurer at CRYPTO'99. Decorrelation theory has recently been introduced. (See references [17] to [22].) Its first aim was to address provable security in the area of block ciphers in order to prove their security against differential [7] and linear cryptanalysis...
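Worked illustration of the fixed-length versus variable-length distinction in the abstract above. This is an added example, not code from the paper or its authors. It assumes a keyed, truncated SHA-256 as a stand-in for the block cipher (only the forward direction is needed), a zero IV, whole-block messages, and two constructed one-block sample messages with constructed keys. Raw CBC-MAC is forgeable as soon as the adversary may query messages of different lengths: the tags T1, T2 of one-block messages M1, M2 give a valid tag for the two-block message M1 || (M2 xor T1), which is exactly why the Bellare-Kilian-Rogaway result is stated for fixed length. Encrypting the final chaining value under an independent second key (the encrypted CBC-MAC of the title) hides the chaining value the splice relies on.

```python
import hashlib

BLOCK = 8  # block size in bytes (assumption of this illustration)


def block_fn(key: bytes, x: bytes) -> bytes:
    """Stand-in for a block cipher E_K: keyed SHA-256 truncated to one block.
    Not a real cipher; the forgery below only ever uses the forward direction."""
    return hashlib.sha256(key + x).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_mac(key: bytes, msg: bytes) -> bytes:
    """Raw CBC-MAC: zero IV, tag = last chaining value, whole blocks only."""
    assert len(msg) % BLOCK == 0, "illustration handles whole blocks only"
    c = bytes(BLOCK)
    for i in range(0, len(msg), BLOCK):
        c = block_fn(key, xor(c, msg[i:i + BLOCK]))
    return c


def emac(k1: bytes, k2: bytes, msg: bytes) -> bytes:
    """Encrypted CBC-MAC: re-encrypt the raw CBC-MAC tag under an independent key."""
    return block_fn(k2, cbc_mac(k1, msg))


def forge(mac):
    """Length-splicing forgery against a MAC oracle that accepts variable lengths.
    Query tags of two one-block messages M1, M2; for raw CBC-MAC the chaining value
    after M1 is T1 itself, so tag(M1 || (M2 xor T1)) = E(T1 xor M2 xor T1) = E(M2) = T2.
    Returns (forged_message, claimed_tag, accepted)."""
    m1, m2 = b"\x01" * BLOCK, b"\x02" * BLOCK  # constructed sample messages
    t1, t2 = mac(m1), mac(m2)
    forged = m1 + xor(m2, t1)                  # two blocks: a length never queried
    return forged, t2, mac(forged) == t2


def demo(k1: bytes = b"k1" * 8, k2: bytes = b"k2" * 8):
    """(forgery accepted by raw CBC-MAC, forgery accepted by encrypted CBC-MAC)."""
    _, _, raw_ok = forge(lambda m: cbc_mac(k1, m))
    _, _, emac_ok = forge(lambda m: emac(k1, k2, m))
    return raw_ok, emac_ok


if __name__ == "__main__":
    print(demo())  # raw CBC-MAC accepts the splice, EMAC rejects it
```

The forged message has a length the adversary never queried, so the fixed-length theorem simply does not speak about it; against EMAC the adversary sees E_K2 of the chaining value rather than the chaining value itself and cannot build the matching second block.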
Tweakable Blockciphers Secure Against Generic Exponential Attacks
, 2007
Cited by 1 (0 self)
Generic Attacks on Feistel Schemes - Extended Version
- IACR ePrint
, 2008
This paper is the extended version of the paper with the same title published at Asiacrypt'2001, and we have also included here the cryptanalysis results of the paper "Security of Random Feistel Schemes with 5 or more Rounds" published at Crypto'2004. Let A be a Feistel scheme with 5 rounds from 2n bits to 2n bits. In the present paper we show that for most such schemes A:
1. It is possible to distinguish A from a random permutation from 2n bits to 2n bits after doing at most O(2^n) computations with O(2^n) non-adaptive chosen plaintexts.
2. It is possible to distinguish A from a random permutation from 2n bits to 2n bits after doing at most O(2^(3n/2)) computations with O(2^(3n/2)) random plaintext/ciphertext pairs.
Since these complexities are smaller than the number 2^2n of possible inputs, they show that some generic attacks always exist on Feistel schemes with 5 rounds. Therefore we recommend using Feistel schemes with at least 6 rounds in the design of pseudo-random permutations. We will also show in this paper that it is possible to distinguish most 6-round Feistel permutation generators from a truly random permutation generator by using a few (i.e. O(1)) permutations of the generator and a total of O(2^2n) queries and O(2^2n) computations. This result is not really useful for attacking a single 6-round Feistel permutation, but it shows that when several pseudo-random permutations on a small number of bits have to be generated, we recommend using more than 6 rounds. We also show that it is possible to extend these results to any number of rounds, however with an even larger complexity. Key words: Feistel permutations, pseudo-random permutations, generic attacks on encryption schemes, Luby-Rackoff theory.
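Added illustration of the Luby-Rackoff setting that runs through this listing: the Feistel construction of a pseudorandom permutation from pseudorandom functions in the first entry, the pseudorandom versus super-pseudorandom round counts in the FSE 2001 entry, and the generic distinguishers in the entry above. It is not code from any of the listed papers. Round functions are idealized, lazily sampled truly random functions on n = 32-bit half-blocks (an assumption chosen so that a false positive has probability 2^-32), the ideal object is a lazily sampled random permutation on 2n bits, and the two distinguishers are the classical ones: two chosen plaintexts with equal right halves break 2 rounds, and one chosen-ciphertext query after two chosen plaintexts breaks 3 rounds, which is the attack behind the Luby-Rackoff observation that 3 rounds are pseudorandom but not super-pseudorandom. The 2^n-query attacks on 5 rounds from the abstract are beyond a toy; this shows the mechanics those round-count results rest on.

```python
import random

N_BITS = 32  # half-block size n; the Feistel permutation acts on 2n = 64 bits (assumption)


class RandomFunction:
    """Truly random function {0,1}^n -> {0,1}^n, sampled lazily: an ideal round-function oracle."""

    def __init__(self, rng):
        self.rng, self.table = rng, {}

    def __call__(self, x):
        if x not in self.table:
            self.table[x] = self.rng.getrandbits(N_BITS)
        return self.table[x]


class Feistel:
    """r-round Feistel scheme psi(f1, ..., fr): each round maps (L, R) -> (R, L xor f_i(R))."""

    def __init__(self, rounds, rng):
        self.f = [RandomFunction(rng) for _ in range(rounds)]

    def encrypt(self, L, R):
        for f in self.f:
            L, R = R, L ^ f(R)
        return L, R

    def decrypt(self, L, R):
        for f in reversed(self.f):
            L, R = R ^ f(L), L
        return L, R


class RandomPermutation:
    """Lazily sampled random permutation on 2n bits: the ideal object a distinguisher is compared with."""

    def __init__(self, rng):
        self.rng, self.fwd, self.inv = rng, {}, {}

    def _fresh(self, taken):
        while True:
            y = (self.rng.getrandbits(N_BITS), self.rng.getrandbits(N_BITS))
            if y not in taken:
                return y

    def encrypt(self, L, R):
        if (L, R) not in self.fwd:
            y = self._fresh(self.inv)
            self.fwd[(L, R)], self.inv[y] = y, (L, R)
        return self.fwd[(L, R)]

    def decrypt(self, L, R):
        if (L, R) not in self.inv:
            x = self._fresh(self.fwd)
            self.inv[(L, R)], self.fwd[x] = x, (L, R)
        return self.inv[(L, R)]


def cpa_distinguisher(oracle, rng):
    """Two chosen plaintexts with equal right halves. After 2 rounds the left output half is
    S = L xor f1(R), so S1 xor S2 = L1 xor L2 with certainty; for a random permutation (or
    3 or more rounds) the relation holds only with probability about 2^-n."""
    L1, R = rng.getrandbits(N_BITS), rng.getrandbits(N_BITS)
    L2 = L1 ^ 1
    S1, _ = oracle.encrypt(L1, R)
    S2, _ = oracle.encrypt(L2, R)
    return S1 ^ S2 == L1 ^ L2


def cca_distinguisher(oracle, rng):
    """Chosen-plaintext/chosen-ciphertext attack on 3 rounds. With X = L xor f1(R),
    S = R xor f2(X), T = X xor f3(S), decrypting (S1, T1 xor L1 xor L2) re-enters round 2
    with X2, so the recovered right half equals R1 xor S1 xor S2 with certainty; for a random
    permutation (or 4 or more rounds) only with probability about 2^-n."""
    L1, R1 = rng.getrandbits(N_BITS), rng.getrandbits(N_BITS)
    L2 = L1 ^ 1
    S1, T1 = oracle.encrypt(L1, R1)
    S2, _ = oracle.encrypt(L2, R1)
    _, R3 = oracle.decrypt(S1, T1 ^ L1 ^ L2)
    return R3 == R1 ^ S1 ^ S2


def advantage(attack, rounds, trials=200, seed=1):
    """Fraction of fresh instances the attack flags, for the r-round Feistel and for a random
    permutation; the gap between the two is the distinguisher's advantage."""
    rng = random.Random(seed)
    hits_feistel = sum(attack(Feistel(rounds, rng), rng) for _ in range(trials))
    hits_random = sum(attack(RandomPermutation(rng), rng) for _ in range(trials))
    return hits_feistel / trials, hits_random / trials


if __name__ == "__main__":
    for rounds in (2, 3, 4):
        print(rounds, "rounds: CPA", advantage(cpa_distinguisher, rounds),
              "CCA", advantage(cca_distinguisher, rounds))
```

Running it prints the success rates per round count: the CPA test succeeds on every 2-round instance and essentially never on 3 rounds, the CCA test succeeds on every 3-round instance and essentially never on 4 rounds or on a random permutation, which is the pseudorandom/super-pseudorandom boundary the abstracts above refer to.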

