Security of Random Feistel Schemes with 5 or More Rounds

We study cryptographic attacks on random Feistel schemes. We denote by m the number of plaintext/ciphertext pairs, and by k the number of rounds. In their famous paper [3], M. Luby and C. Rackoff have completely solved the cases m ¿ 2: the schemes are secure against all adaptive chosen plaintext attacks (CPA-2) when k ≥ 3 and against all adaptive chosen plaintext and chosen ciphertext attacks (CPCA-2) when k ≥ 4 (for this second result a proof is given in [9]). In this paper we study the cases m ¿ 2. We will use the “coefficients H technique” of proof to analyze known plaintext attacks (KPA), adaptive or non-adaptive chosen plaitext attacks (CPA-1 and CPA-2) and adaptive or non-adaptive chosen plaitext and chosen ciphertext attacks (CPCA-1 and CPCA-2). In the first part of this paper, we will show that when m ¿ 2 the schemes are secure against all KPA when k ≥ 4, against all CPA-2 when k ≥ 5 and against all CPCA-2 attacks when k ≥ 6. This solves an open problem of [1], [14], and it improves the result of [14] (where more rounds were needed and m ¿ 2n(1−ε) was obtained instead of m ¿ 2). The number 5 of rounds is minimal since CPA-2 attacks on 4 rounds are known when m ≥ O(2) (see [1], [10]). Furthermore, in all these cases we have always obtained an explicit majoration for the distinguishing probability. In the second part of this paper, we present some improved generic attacks. For k = 5 rounds, we present a KPA with m ' 2 and a non-adaptive chosen plaintext attack (CPA1) with m ' 2. For k ≥ 7 rounds we also show some improved attacks against random Feistel generators (with more than one permutation to analyze and ≥ 2 computations).