Crooked indifferentiability of the Feistel Construction

Alexander Russell, Qiang Tang, Jiadong Zhu

TL;DR

The paper introduces crooked indifferentiability for random permutations and shows that a Feistel construction with enough rounds (more than 2000n/log(1/ε) rounds when the round function is ε-subverted) is crooked-indifferentiable from a random permutation even when the round functions are adversarially subverted and the adversary knows all of the public randomness used in the transformation. The proof is simulator-based: it tracks chains of round-function queries, separating subverted from unsubverted ones, inside a game-hopping argument that guarantees the freshness and honesty of the values the simulator programs. The main contributions are the upper bound on the number of rounds, a lower bound of 2n/log(1/ε) rounds (so the round count is tight up to the constant factor), and replacement theorems adapted to the crooked setting, which let the construction stand in for a random permutation in cryptosystems proved secure in that model. The results bear on kleptographic (algorithm-substitution) attacks and on protocol designs that need a subversion-resistant ideal cipher.

Abstract

The Feistel construction is a fundamental technique for building pseudorandom permutations and block ciphers. This paper shows that a simple adaptation of the construction is resistant, even to algorithm substitution attacks -- that is, adversarial subversion -- of the component round functions. Specifically, we establish that a Feistel-based construction with more than $2000n/\log(1/ε)$ rounds can transform a subverted random function -- which disagrees with the original one at a small fraction (denoted by $ε$) of inputs -- into an object that is \emph{crooked-indifferentiable} from a random permutation, even if the adversary is aware of all the randomness used in the transformation. We also provide a lower bound showing that the construction cannot use fewer than $2n/\log(1/ε)$ rounds to achieve crooked-indifferentiable security.
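The following is an added illustration, not code from the paper, of the objects the abstract talks about: an ℓ-round Feistel network over 2n-bit blocks with n-bit round functions (the classical construction of Figure 1, without the paper's public-randomness adaptation), a constructed ε-subversion that makes a round function disagree with the original on exactly a fraction ε of its inputs, and the round counts 2000n/log(1/ε) and 2n/log(1/ε) from the abstract. The round functions are modelled with SHA-256 keyed by a seed, the trigger set of the subversion is picked with an affine bijection so the disagreement count is exact, and the logarithm base is assumed to be 2 (the abstract does not fix it); all of these are assumptions of the example. The point a practitioner should take away is that a Feistel network is a permutation for any round functions, so subversion can never break invertibility; what it can break is indistinguishability from a random permutation, which is exactly what the round-count bound is about.

```python
import hashlib
import math


def random_function(seed: bytes, n: int):
    """Stand-in for a random-oracle round function {0,1}^n -> {0,1}^n.

    Outputs are SHA-256(seed || x) truncated to n bits; the seed selects one
    function from the family. This is an assumed model, not the paper's oracle.
    """
    mask = (1 << n) - 1
    nbytes = (n + 7) // 8

    def f(x: int) -> int:
        digest = hashlib.sha256(seed + x.to_bytes(nbytes, "big")).digest()
        return int.from_bytes(digest, "big") & mask

    return f


def subvert(f, n: int, eps: float):
    """Constructed eps-subversion of f.

    The returned function disagrees with f on exactly floor(eps * 2^n) inputs.
    The trigger set {x : (A*x + C) mod 2^n < budget} is chosen through an
    affine bijection (A odd), so the count is exact rather than approximate.
    """
    mask = (1 << n) - 1
    budget = int(eps * (1 << n))
    A, C = 0x9E3779B1 | 1, 0x3C6EF372   # A odd => x -> A*x + C is a bijection mod 2^n

    def f_tilde(x: int) -> int:
        if ((A * x + C) & mask) < budget:
            return f(x) ^ 1             # flip a bit so f~(x) != f(x) on the trigger set
        return f(x)

    return f_tilde


def disagreement_fraction(f, g, n: int) -> float:
    """Fraction of the 2^n inputs on which f and g differ (the eps of the abstract)."""
    return sum(f(x) != g(x) for x in range(1 << n)) / (1 << n)


def feistel_encrypt(round_fns, n: int, x: int) -> int:
    """Classical l-round Feistel on a 2n-bit block: (L, R) -> (R, L xor f_i(R))."""
    mask = (1 << n) - 1
    left, right = x >> n, x & mask
    for f in round_fns:
        left, right = right, left ^ f(right)
    return (left << n) | right


def feistel_decrypt(round_fns, n: int, y: int) -> int:
    """Inverse: undo the rounds in reverse order; works for ANY round functions."""
    mask = (1 << n) - 1
    left, right = y >> n, y & mask
    for f in reversed(round_fns):
        left, right = right ^ f(left), left
    return (left << n) | right


def is_permutation(round_fns, n: int) -> bool:
    """Exhaustively check bijectivity on the 2^(2n) block space (small n only)."""
    images = {feistel_encrypt(round_fns, n, x) for x in range(1 << (2 * n))}
    return len(images) == 1 << (2 * n)


def upper_bound_rounds(n: int, eps: float) -> int:
    """Rounds the abstract says suffice: more than 2000 n / log(1/eps). Base-2 log assumed."""
    return math.ceil(2000 * n / math.log2(1 / eps))


def lower_bound_rounds(n: int, eps: float) -> int:
    """Rounds below which the abstract says the construction cannot be secure."""
    return math.ceil(2 * n / math.log2(1 / eps))


if __name__ == "__main__":
    n, eps = 4, 1 / 16                                   # toy parameters for an exhaustive check
    honest = [random_function(b"round-%d" % i, n) for i in range(6)]
    crooked = [subvert(f, n, eps) for f in honest]
    print("disagreement fraction:", disagreement_fraction(honest[0], crooked[0], n))
    print("6-round crooked Feistel is a permutation:", is_permutation(crooked, n))
    print("rounds needed for n=%d, eps=%g: > %d (lower bound %d)"
          % (n, eps, upper_bound_rounds(n, eps), lower_bound_rounds(n, eps)))
```

With n = 4 and ε = 1/16 the subverted round function differs from the honest one on exactly one of its 16 inputs, the six-round network built from subverted round functions is still a bijection on the 256-element block space, and the abstract's bounds evaluate to more than 2000 and at least 2 rounds respectively; the permutation check is exhaustive, so keep n small when running it.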

Paper Structure (69 sections, 49 theorems, 75 equations, 7 figures, 13 algorithms)

Key Result

theorem 1

Let $\mathcal{P}$ be a cryptosystem with oracle access to an ideal primitive $\mathcal{F}$. Let $\mathit{C}$ be an algorithm such that $\mathit{C}^{\mathcal{G}}$ is indifferentiable from $\mathcal{F}$. Then cryptosystem $\mathcal{P}$ is at least as secure in the $\

Figures (7)

  • Figure 1: The $\ell$-round classical Feistel construction.
  • Figure 2: The indifferentiability notion: the distinguisher $\mathcal{D}$ interacts either with algorithm $\mathit{C}$ and ideal primitive $\mathcal{G}$, or with ideal primitive $\mathcal{F}$ and simulator $\mathcal{S}$. Algorithm $\mathit{C}$ has oracle access to $\mathcal{G}$, while simulator $\mathcal{S}$ has oracle access to $\mathcal{F}$.
  • Figure 3: The environment $\mathcal{E}$ interacts with cryptosystem $\mathcal{P}$ and attacker $\mathcal{A}$. In the $\mathcal{G}$ model (left), $\mathcal{P}$ has oracle access to $\mathit{C}$ whereas $\mathcal{A}$ has oracle access to $\mathcal{G}$. In the $\mathcal{F}$ model, both $\mathcal{P}$ and $\mathcal{S}_\mathcal{A}$ have oracle access to $\mathcal{F}$.
  • Figure 4: The $H$-crooked indifferentiability notion: in the first phase, the distinguisher $\widehat{\mathcal{D}}$ manufactures and publishes a subverted implementation $\tilde{H}$ of the ideal primitive $H$; in the second phase, a random string $R$ is published; in the third phase, algorithm $\mathit{C}$ and simulator $\mathcal{S}$ are developed; in the last phase, the $H$-crooked distinguisher $\widehat{\mathcal{D}}$ interacts either with algorithm $\mathit{C}$ and ideal primitive $H$, or with ideal primitive $\mathcal{F}$ and simulator $\mathcal{S}$, and returns a decision bit. Here, algorithm $\mathit{C}$ has oracle access to $\tilde{H}$, while simulator $\mathcal{S}$ has oracle access to $\mathcal{F}$ and $\tilde{H}$.
  • Figure 5: The environment $\widehat{\mathcal{E}}$ interacts with cryptosystem $\mathcal{P}$ and attacker $\mathcal{A}$. In the $\mathcal{G}$ model (left), $\mathcal{P}$ has oracle access to $\mathit{C}$ whereas $\mathcal{A}$ has oracle access to $\mathcal{G}$; algorithm $\mathit{C}$ has oracle access to the subverted $\tilde{\mathcal{G}}$. In the $\mathcal{F}$ model, both $\mathcal{P}$ and $\mathcal{S}_\mathcal{A}$ have oracle access to $\mathcal{F}$. In both the $\mathcal{G}$ and $\mathcal{F}$ models, the randomness $R$ is publicly available to all entities.
  • ...and 2 more figures

Theorems & Definitions (99)

  • definition 1: Indifferentiability [TCC:MauRenHol04, C:CDMP05]
  • definition 2
  • theorem 1: [TCC:MauRenHol04, C:CDMP05]
  • definition 3: $H$-crooked indifferentiability
  • definition 4: Abbreviated $H$-crooked indifferentiability
  • definition 5
  • theorem 2
  • proof
  • corollary 1: Proof of the warm-up construction.
  • theorem 3
  • ...and 89 more