While reading on block ciphers and DES I read that two-round Feistel network is not a secure PRP? Is there any easy to understand proof to explain the intuition behind this statement. I did search around and also reviewed this question but wasn't really able to understand why it isn't secure PRP. Any help would be much appreciated!
Asked
Active
Viewed 4,060 times
3
-
The key-word is Luby and Rackoff construction – kelalaka Oct 25 '20 at 09:07
-
Yes I read that and it didn't make sense to me maybe because of the notations used here: https://crypto.stanford.edu/pbc/notes/crypto/prp.html Is there an easy to understand explanation like an example or proof? – Alex Oct 25 '20 at 09:10
-
1Q: Luby-Rackoff theorem confusion and and search – kelalaka Oct 25 '20 at 11:02
1 Answers
7
I read that two-round Feistel network is not a secure PRP
That's easily seen:
It holds $P_L\oplus C_L=F_0(P_R)$. That implies a distinguishable property: for any fixed $P_R$ and whatever the round function $F_0$, when we flip bit(s) in $P_L$, that flips the corresponding bit(s) in $C_L$ and leaves the other bit(s) in $C_L$ unchanged.
That property allows a break under Chosen Plaintext Attack.
fgrieu
- 140,762
- 12
- 307
- 587
-
-
-
@hola: the common way of counting rounds in Feistel ciphers is counting how many round functions there are. In the picture, there are two. – fgrieu May 30 '21 at 07:46