Results 1 - 9 of 9
Towards Making Luby-Rackoff Ciphers Optimal and Practical
In Proc. Fast Software Encryption 99, Lecture Notes in Computer Science, 1999
Cited by 10 (3 self)
We provide new constructions for Luby-Rackoff block ciphers which are efficient in terms of computations and key material used. Next, we show that we can make some security guarantees for Luby-Rackoff block ciphers under much weaker and more practical assumptions about the underlying function; namely, that the underlying function is a secure Message Authentication Code. Finally, we provide a SHA-1 based example block cipher called Sha-zam.
Towards making Luby-Rackoff ciphers optimal and practical
In Fast Software Encryption, 1999
Cited by 5 (1 self)
We provide new constructions for Luby-Rackoff block ciphers which are efficient in terms of computations and key material used. Next, we show that we can make some security guarantees for Luby-Rackoff block ciphers under much weaker and more practical assumptions about the underlying function; namely, that the underlying function is a secure Message Authentication Code. Finally, we provide a SHA-1 based example block cipher called Sha-zam.
Generic Attacks on Feistel Schemes
Advances in Cryptology – ASIACRYPT 2001, 2001
Cited by 5 (1 self)
Let A be a Feistel scheme with 5 rounds from 2n bits to 2n bits. In the present paper we show that for most such schemes A: 1. It is possible to distinguish A from a random permutation from 2n bits to 2n bits after doing at most O(2^(7n/4)) computations with O(2^(7n/4)) random plaintext/ciphertext pairs. 2. It is possible to distinguish A from a random permutation from 2n bits to 2n bits after doing at most O(2^(3n/2)) computations with O(2^(3n/2)) chosen plaintexts. Since the complexities are smaller than the number 2^(2n) of possible inputs, they show that some generic attacks always exist on Feistel schemes with 5 rounds. Therefore we recommend in Cryptography to use Feistel schemes with at least 6 rounds in the design of pseudo-random permutations. We will also show in this paper that it is possible to distinguish most of 6 round Feistel permutations generator from a truly random permutation generator by using a few (i.e. O(1)) permutations of the generator and by using a total number of O(2^(2n)) queries and a total of O(2^(2n)) computations. This result is not really useful to attack a single 6 round Feistel permutation, but it shows that when we have to generate several pseudorandom permutations on a small number of bits we recommend to use more than 6 rounds. We also show that it is also possible to extend these results to any number of rounds, however with an even larger complexity.
Format-Preserving Encryption
Cited by 4 (2 self)
Format-preserving encryption (FPE) encrypts a plaintext of some specified format into a ciphertext of identical format—for example, encrypting a valid credit-card number into a valid credit-card number. The problem has been known for some time, but it has lacked a fully general and rigorous treatment. We provide one, starting off by formally defining FPE and security goals for it. We investigate the natural approach for achieving FPE on complex domains, the “rank-then-encipher” approach, and explore what it can and cannot do. We describe two flavors of unbalanced Feistel networks that can be used for achieving FPE, and we prove new security results for each. We revisit the cycle-walking approach for enciphering on a non-sparse subset of an encipherable domain, showing that the timing information that may be divulged by cycle walking is not a damaging thing to leak.
Benes and Butterfly schemes revisited
In 8th International Conference on Information Security and Cryptology - ICISC 2005, 2005
Cited by 1 (0 self)
In [1], W. Aiello and R. Venkatesan have shown how to construct pseudo-random functions of 2n bits → 2n bits from pseudo-random functions of n bits → n bits. They claimed that their construction, called "Benes", reaches the optimal bound (m << 2^n) of security against adversaries with unlimited computing power but limited by m queries in an adaptive chosen plaintext attack (CPA-2). However, a complete proof of this result is not given in [1] since one of the assertions of [1] is wrong. Due to this, the proof given in [1] is valid for most attacks, but not for all the possible chosen plaintext attacks. In this paper we will in a way fix this problem since for all ε > 0, we will prove CPA-2 security when m...
Generic Attacks on Unbalanced Feistel Schemes with Expanding Functions
Cited by 1 (0 self)
Unbalanced Feistel schemes with expanding functions are used to construct pseudo-random permutations from kn bits to kn bits by using random functions from n bits to (k − 1)n bits. At each round, all the bits except n bits are changed by using a function that depends only on these n bits. C. S. Jutla [6] investigated such schemes, which he denotes by F_k^d, where d is the number of rounds. In this paper, we describe novel Known Plaintext Attacks (KPA) and Non Adaptive Chosen Plaintext Attacks (CPA-1) against these schemes. With these attacks we will often be able to improve the result of C. S. Jutla. We also give precise formulas for the complexity of our attacks in d, k and n. Key words: Unbalanced Feistel permutations, pseudo-random permutations, generic attacks on encryption schemes, Block ciphers.
Generic attacks on Alternating Unbalanced Feistel Schemes
Generic attacks against classical (balanced) Feistel schemes, unbalanced Feistel schemes with contracting functions and unbalanced Feistel schemes with expanding functions have been studied in [12], [4], [15], [16]. In this paper we study schemes where we use alternatively contracting random functions and expanding random functions. We name these schemes “Alternating Unbalanced Feistel Schemes”. They allow constructing pseudo-random permutations from kn bits to kn bits where k ≥ 3. At each round, we use either a random function from n bits to (k−1)n bits or a random function from (k−1)n bits to n bits. We describe the best generic attacks we have found. We present “known plaintext attacks” (KPA) and “non-adaptive chosen plaintext attacks” (CPA-1). Let d be the number of rounds. We show that if d ≤ k, there are CPA-1 with 2 messages and KPA with m the number of messages about 2^((d−1)n/4). For d ≥ k + 1 we have to distinguish k even and k odd. For k even, we have m = 2 in CPA-1 and m ≃ 2^(kn/4) in KPA. When k is odd, we show that there exist CPA-1 for d ≤ 2k − 1 and KPA for d ≤ 2k + 3 with less than 2^(kn) messages and computations. Beyond these values, we give KPA against generators of permutations.
Best Effort and Practice Activation Codes
, 1101
Activation Codes are used in many different digital services and known by many different names including voucher, e-coupon and discount code. In this paper we focus on a specific class of ACs that are short, human-readable, fixed-length and represent value. Even though this class of codes is extensively used there are no general guidelines for the design of Activation Code schemes. We discuss different methods that are used in practice and propose BEPAC, a new Activation Code scheme that provides both authenticity and confidentiality. The small message space of activation codes introduces some problems that are illustrated by an adaptive chosen-plaintext attack (CPA-2) on a general 3-round Feistel network of size 2^(2n). This attack recovers the complete permutation from at most 2^(n+2) plaintext-ciphertext pairs. For this reason, BEPAC is designed in such a way that authenticity and confidentiality are independent properties, i.e. loss of confidentiality does not imply loss of authenticity.
Generic Attacks on Feistel Schemes -Extended Version-
IACR EPRINT, 2008
This paper is the extended version of the paper with the same title published at Asiacrypt’2001 and we have also included here the cryptanalysis results of the paper “Security of Random Feistel Schemes with 5 or more Rounds” published at Crypto’2004. Let A be a Feistel scheme with 5 rounds from 2n bits to 2n bits. In the present paper we show that for most such schemes A: 1. It is possible to distinguish A from a random permutation from 2n bits to 2n bits after doing at most O(2^n) computations with O(2^n) non-adaptive chosen plaintexts. 2. It is possible to distinguish A from a random permutation from 2n bits to 2n bits after doing at most O(2^(3n/2)) computations with O(2^(3n/2)) random plaintext/ciphertext pairs. Since the complexities are smaller than the number 2^(2n) of possible inputs, they show that some generic attacks always exist on Feistel schemes with 5 rounds. Therefore we recommend in Cryptography to use Feistel schemes with at least 6 rounds in the design of pseudo-random permutations. We will also show in this paper that it is possible to distinguish most of 6 round Feistel permutations generator from a truly random permutation generator by using a few (i.e. O(1)) permutations of the generator and by using a total number of O(2^(2n)) queries and a total of O(2^(2n)) computations. This result is not really useful to attack a single 6 round Feistel permutation, but it shows that when we have to generate several pseudo-random permutations on a small number of bits we recommend to use more than 6 rounds. We also show that it is also possible to extend these results to any number of rounds, however with an even larger complexity. Key words: Feistel permutations, pseudo-random permutations, generic attacks on encryption schemes, Luby-Rackoff theory.

