Security of Feistel Schemes with New and Various Tools

We combine the H Coe cients technique and the Coupling technique to improve security bounds of balanced Feistel schemes. For q queries and round functions of n−bits to n−bits, we nd that the CCA Security of 4 + 2r rounds Feistel schemes is upperbounded by 2q r+3 ( 4q 2n ) r+1 2 + q(q−1) 2·22n . This divides by roughly 1.5 the number of needed rounds for a given CCA Security, compared to the previous results of Hoang and Rogaway [HR10] who found an advantage of 2q r+1 ( 4q 2n )r for 6r − 1 rounds Feistel schemes . Independently of this result, using a new theorem on H Coe cients, we compose 6 rounds Feistel schemes to upperbound the CCA security of 6r rounds Feistel schemes: ( 8q 2n )r + q(q−1) 2·22n when q ≤ 2 n 67n .