Provable Related-Key Security of Contracting Feistel Networks

Abstract

We continue the line of works constructing related-key secure PRFs (Bellare and Cash, CRYPTO 2010) and PRPs (Barbosa and Farshim, FSE 2014). In detail, we consider generalized Feistel networks using contracting round functions from \(\{0,1\}^m\) to \(\{0,1\}^n\), and explore conditions that are sufficient for such Contracting Feistel Networks (CFNs) to achieve security up to \(2^{n/2}\) adversarial queries. As results, we show that provable related-key security is achieved with \(\lceil \frac{m}{n}\rceil +3\) rounds, as long as the CFN uses two independent main keys \(K_1,K_2\) in all the rounds in a close-to-alternating manner. Our results provide new approaches to construct related-key secure variable-input-length block ciphers from related-key secure variable-input-length PRFs.

W. Yu and Y. Zhao are co-first authors of the article.

A Security Proof for \(\mathsf {CFN} ^{F^{3n,n}}\)

The main flow quite resembles Sect. 3. In detail, we first replace the keyed function \(F^{3n,n}\) with an random function \(\mathsf {RF} ^{3n,n}:\mathcal {K} \times \{0,1\} ^{3n}\rightarrow \{0,1\} ^n\) and obtain the random CFN \(\mathsf {CFN} ^{\mathsf {RF} ^{3n,n}}\) with a security gap at most \(\mathbf {Adv}^{\mathrm {\Phi } \text {-rka}[2]}_{F^{3n,n}}(D)\). This allows us to focus on analyzing \(\mathbf {Adv}^{\mathrm {\Phi } \text {-rka}[1]}_{\mathsf {CFN} ^{\mathsf {RF} ^{3n,n},6}}(D)\) below.

1.1 A.1 Bad Transcripts

Definition 7

An attainable transcript \(\tau =(\mathcal {Q},\mathbf{K} )\) is bad, if the condition \(\text {EV}^{\mathsf {cf}}\vee \text {EV}^{\mathsf {sf}}\), which means either a claw or a switch exists in \(\mathbf{K} \), is fulfilled. Otherwise we say \(\tau \) is good.

It is clear that

$$\begin{aligned} {\Pr }\big [T_{id}\in \mathcal {T}_{bad}] = {\Pr }\big [\text {EV}^{\mathsf {cf}}\vee \text {EV}^{\mathsf {sf}}\big ] \le \mathbf {Adv}_\mathrm{\Phi }^{\textsf {cf}}(D) +\mathbf {Adv}_\mathrm{\Phi }^{\textsf {sf}}(D). \end{aligned}$$

(14)

1.2 A.2 Analyzing Good Transcripts

Bad Predicate. We define a “bad predicate” \(\mathsf {Bad} (\mathsf {RF} ^{3n,n})\) on the ideal keyed function \(\mathsf {RF} ^{3n,n}\), such that once \(\mathsf {Bad} (\mathsf {RF} ^{3n,n})\) is not fulfilled, the event \(T_{id}=\tau \) is equivalent to \(\mathsf {RF} ^{3n,n}\) satisfying 4q new and distinct equations. Since the keys of the 2nd and 4th rounds are same, while the keys of the 3rd and 5th rounds are also same, we need to ensure that for these four rounds, there exists 4q different equations. And then \(K_{1}^{bad}\) leads to \(\mathsf {RF} ^{3n,n}_{K_{2}}\) input collisions and \(K_{2}^{bad}\) causes \(\mathsf {RF} ^{3n,n}_{K_{1}}\) input collisions. Formally, the specific definition and probability analysis are as follows.

Definition 8

Given a function \(\mathsf {RF} ^{3n,n}\), the predicate \(\mathsf {Bad} (\mathsf {RF} ^{3n,n})\) is fulfilled, if either of the conditions “\(K_1\) is bad” and “\(K_2\) is bad” is fulfilled.

• The condition “\(K_1\) is bad” consists of five subconditions as follows.

  (B-1) there exists i and j such that \(X_{2,i}[n+1,4n]\) = \(X_{2,j}[n+1,4n],(i\ne j)\).

  (B-2) there exists i and j such that \(X_{2,i}[n+1,4n]\) = \(X_{4,j}[n+1,4n]\).

  (B-3) there exists i and j such that \(X_{2,i}[n+1,4n]\) = \(X_{6,j}[n+1,4n]\).

  (B-4) there exists i and j such that \(X_{4,i}[n+1,4n]\) = \(X_{4,j}[n+1,4n],(i\ne j)\).

  (B-5) there exists i and j such that \(X_{4,i}[n+1,4n]\) = \(X_{6,j}[n+1,4n]\).

• The condition “\(K_2\) is bad” consists of five subconditions as follows.

  (B-6) there exists i and j such that \(X_{5,i}[n+1,4n]\) = \(X_{5,j}[n+1,4n],(i\ne j)\).

  (B-7) there exists i and j such that \(X_{5,i}[n+1,4n]\) = \(X_{3,j}[n+1,4n]\).

  (B-8) there exists i and j such that \(X_{5,i}[n+1,4n]\) = \(X_{1,j}[n+1,4n]\).

  (B-9) there exists i and j such that \(X_{3,i}[n+1,4n]\) = \(X_{3,j}[n+1,4n],(i\ne j)\).

  (B-10) there exists i and j such that \(X_{3,i}[n+1,4n]\) = \(X_{1,j}[n+1,4n]\).

Otherwise we say \(\tau \) is good.

Similarly to Sect. 3.2, we expand the probability of each \(\mathcal (B-i)\) to \(1/2^{n}\) and obtain

$$\begin{aligned} {\Pr }\big [K_1\text { is bad}\mid \lnot (\text {EV}^{\mathsf {cf}}\vee \text {EV}^{\mathsf {sf}})\big ] \le \frac{5q^{2}}{2^{n}},\\ {\Pr }\big [K_2\text { is bad}\mid \lnot (\text {EV}^{\mathsf {cf}}\vee \text {EV}^{\mathsf {sf}})\big ] \le \frac{5q^{2}}{2^{n}}. \end{aligned}$$

And we reach,

$$\begin{aligned} {\Pr }\big [\mathsf {Bad} (\mathsf {RF} ^{3n,n})] \le \frac{10q^{2}}{2^{n}}. \end{aligned}$$

(15)

Completing the Proof. For the remaining, we fix a good transcript \(\tau =(\mathcal {Q},K)\), where \(\mathcal {Q}=(\phi _{i},X_{1,i}[1,4n],X_{7,i}[1,4n])_{i=1,...,q}\).

First, we classify RKD functions \(\phi _{i}\), suppose that the quantity of \(\phi _{i}\) is \(\alpha \), which are denoted \(\phi ^{(1)},\phi ^{(2)},\cdot \cdot \cdot ,\phi ^{(\alpha )}\) respectively. \(\mathcal {Q}_{i}\)( \(i=1,\dots ,\alpha )\) are denoted a set of transcripts with RKD functions \(\phi _{i}\). For \(i=1,\dots ,\alpha \), define

$$ \begin{aligned}&\mathcal {Q}_{i}=\big \{(\phi ^{(i)},X_{1i}[1,4n],X_{7i}[1,4n]),\dots ,(\phi ^{(i)},X_{1q_{i}}[1,4n],X_{7q_{i}}[1,4n])\big \}, \end{aligned} $$

where \(\mathcal {Q}_{i}\) has \(q_{i}\) different inputs. Suppose that \(\phi ^{(1)},\phi ^{(2)},\cdot \cdot \cdot ,\phi ^{(\alpha )}\) can derive \(\beta \) different \(K_{1}\): \(K_{1}^{(1)}\), \(K_{1}^{(2)}\), \(\dots \), \(K_{1}^{(\beta )}\) \((\beta \le \alpha )\). Suppose that q queries to Related-Key Oracle constitute of \(q_{1}^{*},\dots ,q_{\beta }^{*}\) inputs separately in \(K_{1}^{(1)}\), \(K_{1}^{(2)}\), \(\dots \), \(K_{1}^{(\beta )}\). The probability to obtain \(\tau \) in ideal word is

$$\begin{aligned} \Pr [T_{id}=\tau ]=\bigg (\frac{1}{|\mathcal {K} |}\bigg )\prod _{i=0}^{\alpha }\frac{1}{(2^{4n})_{q_{i}}}\le \bigg (\frac{1}{|\mathcal {K} |}\bigg )\Big (2^{4n}-q\Big )^{-q}. \end{aligned}$$

In a similar vein to Sect. 3.2, the probability in real world is

$$\begin{aligned}&\Pr [T_{re}=\tau ]={\Pr }\big [\textsf {RK}[\mathsf {CFN} ^{\mathsf {RF} ^{3n,n},6}_K]\vdash \mathcal {Q}\big ]\cdot \Pr _{K^*}[K^*=K] \\&~=\bigg (\frac{1}{|\mathcal {K} |}\bigg )\cdot \bigg (1-{\Pr }\big [\mathsf {Bad} (\mathsf {RF} ^{3n,n})\big ] \bigg )\cdot {\Pr }\big [\textsf {RK}[\mathsf {CFN} ^{\mathsf {RF} ^{3n,n},6}_K]\vdash \mathcal {Q}\mid \lnot \mathsf {Bad} (\mathsf {RF} ^{3n,n})\big ]. \end{aligned}$$

It can be seen that the event \(\textsf {RK}[\mathsf {CFN} ^{\mathsf {RF} ^{3n,n},6}_K]\vdash \mathcal {Q}\) is equivalent to the event that \(\mathsf {RF} ^{3n,n}\) satisfies 4q equations for the 2rd round to the 5th round, i.e., for \(i=1,...,q\),

$$\begin{aligned}&\mathsf {RF} _{K_2}^{3n,n}(X_{2i}[n+1,4n])=X_{2i}[1,n]\oplus X_{3i}[3n+1,4n],\\&\mathsf {RF} _{K_1}^{3n,n}(X_{3i}[n+1,4n])=X_{3i}[1,n]\oplus X_{4i}[3n+1,4n],\\&\mathsf {RF} _{K_2}^{3n,n}(X_{4i}[n+1,4n])=X_{4i}[1,n]\oplus X_{5i}[3n+1,4n],\\&\mathsf {RF} _{K_1}^{3n,n}(X_{5i}[n+1,4n])=X_{5i}[1,n]\oplus X_{6i}[3n+1,4n]. \end{aligned}$$

Therefore, we have the probability

$$\begin{aligned} {\Pr }&\big [\textsf {RK}[\mathsf {CFN} ^{\mathsf {RF} ^{3n,n},6}_K]\vdash \mathcal {Q}\mid \lnot \mathsf {Bad} (\mathsf {RF} ^{3n,n})\big ] \\ =~&\prod _{i=1}^{q}\bigg ({\Pr }\big [\mathsf {RF} _{K_2}^{3n,n}(X_{2i}[n+1,4n])=X_{2i}[1,n]\oplus X_{3i}[3n+1,4n]\big ] \\&\times {\Pr }\big [\mathsf {RF} _{K_1}^{3n,n}(X_{3i}[n+1,4n])=X_{3i}[1,n]\oplus X_{4i}[3n+1,4n]\big ] \\&\times {\Pr }\big [\mathsf {RF} _{K_2}^{3n,n}(X_{4i}[n+1,4n])=X_{4i}[1,n]\oplus X_{5i}[3n+1,4n]\big ] \\&\times {\Pr }\big [\mathsf {RF} _{K_1}^{3n,n}(X_{5i}[n+1,4n])=X_{5i}[1,n]\oplus X_{6i}[3n+1,4n]\big ] \bigg ) \\ =~&\Big (\frac{1}{2^{n}}\Big )^{4q}. \end{aligned}$$

In all, using Eq. (15), we have

$$\begin{aligned}&\frac{\Pr [T_{re}=\tau ]}{\Pr [T_{id}=\tau ]} \nonumber \\ \ge ~&\bigg (1-{\Pr }\big [\mathsf {Bad} (\mathsf {RF} ^{3n,n})\big ] \bigg )\cdot {\Pr }\big [\textsf {RK}[\mathsf {CFN} ^{\mathsf {RF} ^{3n,n},6}_K]\vdash \mathcal {Q}\mid \lnot \mathsf {Bad} (\mathsf {RF} ^{3n,n})\big ] \Big / \prod _{i=0}^{\alpha }\frac{1}{(2^{4n})_{q_{i}}} \nonumber \\ \ge ~&\Big (1-\frac{10q^{2}}{2^{n}}\Big )\times \Big (\frac{1}{2^{4n}}\Big )^{q}\times (2^{4n}-q)^{q} \nonumber \\ \ge ~&1-\Big (\frac{10q^{2}}{2^{n}}+ \frac{q^{2}}{2^{4n}}\Big ). \end{aligned}$$

(16)

Gathering Eq. (14) and (16), and using Lemma 1, we complete the proof of Theorem 2.