Lai-Massey Scheme and Quasi-Feistel Networks (Extended Abstract)

Transcription

1 La-Massey Scheme and Quas-Festel Networks (Extended Abstract Aaram Yun, Je Hong Park 2, and Jooyoung Lee 2 Unversty of Mnnesota - Twn Ctes aaramyun@gmalcom 2 ETRI Network & Communcaton Securty Dvson, Korea {hpark,lee05}@etrrekr Abstract We ntroduce the noton of quas-festel network, whch s generalzaton of the Festel network, and contans the La-Massey scheme as an nstance We show that some of the works on the Festel network, ncludng the works of Luby-Rackoff, Patarn, Naor-Rengold and Pret, can be naturally extended to our settng Ths gves a new proof for theorems of Vaudenay on the securty of the La-Massey scheme, and also ntroduces for La-Massey a new constructon of pseudorandom permutaton, analoguous to the constructon of Naor-Rengold usng parwse ndependent permutatons Also, we prove the brthday securty of (2b - and (3b 2-round unbalanced quas-festel networks wth b branches aganst CPA and CPCA attacks, respectvely Ths answers an unsolved problem ponted out by Patarn et al Keywords La-Massey scheme, Festel network, Luby-Rackoff, block cpher desgn, pseudorandom functon, ndstngushablty Introducton Festel and La-Massey Block cpher s one of the most mportant prmtves of the symmetrc-key cryptography There are many proposed desgns, and many mportant cryptanalytc results, ncludng dfferental cryptanalyss and lnear cryptanalyss Also some heurstc, but powerful methodologes for gvng strength aganst these attacks are proposed and studed Practcally, DES, whch was a Unted States federal standard block cpher, was wdely used for a long tme, untl Rndael replaced t as the new standard block cpher AES Despte the wde usage, and some heurstc arguments of securty aganst a few concrete attacks, stll there was no rgorous proof of securty for these practcal and popular block cphers The poneerng work of Luby and Rackoff [4] can be consdered as a partal remedy for such a stuaton They studed the securty of Festel cpher, when the round functons are ndependent random functons When the sze of the block s n, and when the adversary s restrcted to ask q queres, they showed that, when q 2 n/2, 3-round Festel cpher s secure aganst adaptve chosen plantext attacks (CPA, and 4-round Festel cpher s secure aganst adaptve chosen plantext and cphertext attacks (CPCA, even f the adversary s uncondtonally powerful n ts computatonal power In theoretcal cryptography, the result of Luby and Rackoff mples that pseudorandom permutatons exst, f one-way functons exst In more practcal ven, t gves a partal valdaton for the desgn of Festel cphers, for example, DES Of course, the securty of Festel

2 cpher n Luby-Rackoff model does not mply the securty for any specfc, concrete Festel cphers But the work of Luby and Rackoff shows at least the generc, structural strength of the basc Festel desgn The semnal work of Luby and Rackoff was extended n many ways by varous cryptographers Roughly, these could be classfed nto the followng three categores: Improvng the bound: most results on the Luby-Rackoff model consders adversares wthn the brthday bound However, n a seres of papers [6 8, 0, 2 4], Patarn extended the work of Luby and Rackoff beyond the brthday bound 2 Smplfyng the constructon: nstead of r ndependent random functons for r-round Festel cpher, some authors studed constructons where only one or two random functons are used, for example n [9] Also, Naor and Rengold showed how to smplfy the constructon by usng parwse-ndependent permutatons [5] 3 Explorng other structures: nstead of the Festel network, other structures lke MISTY and La-Massey were also studed n the Luby-Rackoff model Our goal n ths paper s to revst works belongng to the second and the thrd of the above categores Our startng pont s the La-Massey scheme The desgn of the La-Massey scheme has two nterestng aspects Not so much group theoretc: whle the Festel network, or the MISTY structure s based on a fnte abelan group, the La-Massey scheme s dfferent Of course, the structure s defned n terms of a fnte abelan group But n order to obtan securty n the Luby- Rackoff model, a mappng called orthomorphsm s needed An orthomorphsm s defned for a fnte abelan group, but the dependence s only very loose For example, one may say that a homomorphsm s strongly ted to the underlyng group, but an orthomorphsm s not Hence, we have at least one structure whch s not group-based, but where a securty proof n the Luby-Rackoff model s possble As secure as Festel: t looks lke a concdence, but the known securty of the La-Massey scheme s exactly the same as that of the Festel network, despte the dfference n the structure Vaudenay proved that, wthn the brthday bound, 3-round La-Massey scheme s CPA-secure, and 4-round La-Massey scheme s CPCA-secure [20] Ths securty level s precsely that of the Festel network studed by Luby and Rackoff Ths s n contrast to the MISTY structure, where 3-round MISTY structure s not CPAsecure, and 4-round MISTY structure s not CPCA-secure In case of MISTY, 4-round structure s CPA-secure, and 5-round s CPCA-secure 2 Our contrbuton In ths paper, we show that the above two aspects of the La-Massey scheme are not concdent We ntroduce the noton of quas-festel network, whch s a natural generalzaton of the Festel network, based on fnte quasgroups We show that ths noton contans the orgnal Festel network and also the La-Massey scheme, and we show that many of the works done on the Festel network can be extended naturally to the quas-festel network Specfcally,

3 We show that the orgnal work of Luby and Rackoff [4] can be extended to quas-festel network; n fact, we generalze ths result further to unbalanced cases, and we prove that (2b -round b-branched unbalanced (contractng quas-festel network s CPA-secure wthn the brthday bound, and (3b 2-round s CPCA-secure wthn the brthday bound 2 We show that varous results on the 3- or 4-round Festel network usng two ndependent random functons, stated n Patarn s Eurocrypt 92 paper [9], can n fact be lfted to quas-festel network 3 We generalze Pret s results [7], where random permutatons, nstead of random functons are used as round functons, to quas-festel network 4 We also show that the Naor-Rengold constructon [5] usng parwse ndependent permutatons can be lfted to our quas-festel settng Our frst result mples the securty of unbalanced Festel network wthn the brthday bound Ths was an unsolved problem, whch was ponted out by Patarn et al [5] Also, when restrcted to the La-Massey scheme, ths gves an alternatve proof of the Vaudenay s result n [20] Together, our results show that most of the works on the securty of Festel cpher n the Luby-Rackoff model can n fact be lfted to the quas-festel settng Hence, n the Luby- Rackoff model, we clam that t s very natural to regard the La-Massey scheme and the Festel network as belongng to the same famly Despte Vaudenay s work and some others, La-Massey scheme seems to be less studed, especally compared wth the works on Festel network n the Luby-Rackoff model Our results, especally 2 4 above, show that most of such works on Festel network n fact can be appled to the La-Massey scheme as well, and qute ncrease the number of known results on the Luby-Rackoff securty of the La-Massey scheme We beleve that the noton of quas-festel network provdes a unfyng framework by whch to study La-Massey scheme, and even the Festel network It s also our belef that other results on the Festel network can also be generalzed to the quas-festel settng For example, t s an nterestng open queston whether Patarn s work on the Festel network when q 2 n can be extended to the quas-festel network, therefore also to the La-Massey scheme 3 Related work In our work, we generalze results of Luby-Rackoff [4], Patarn [9], Pret [7], and Naor- Rengold [5] to quas-festel network Also, for proof technque, we rely on the Coeffcent H Technque of Patarn, among others Early on, Schneer and Kelsey noted that the noton of Festel network can be generalzed by requrng only that one part of the block beng encrypted controls the encrypton of another part of the block [8] Thus they ntroduced the noton of generalzed Festel network, whch does not rely on any group structure Ther noton s very smlar to the quas-festel network n sprt, but ther goal was not to prove the securty of the generalzed constructon, and nstead of the round functons f, the round keys k are gven as nput Our formulaton s crucal for buldng Luby-Rackoff-lke theory One may see our work as a rgorous treatment of ther generalzed Festel network Vaudenay proved n [20] that 3 and 4-round La-Massey scheme s secure aganst CPA and CPCA attacks, respectvely Our results on the securty of 3 and 4-round quas-festel

4 network can be drectly appled to the La-Massey scheme, and n ths sense we gve a new proof of Vaudenay s theorems usng dfferent technque But hs work s formulated n terms of Decorrelaton theory [9], and for La-Massey scheme, our result s weaker than Vaudenay s For example, the result of Vaudenay allows almost orthomorphsms 2 Quas-Festel network Let X be a fnte set Then X k denotes the set of all k-tuples of elements of X, for any k We denote by Func(X, Y the set of all functons f : X Y, and by Perm(X the set of all permutatons f : X X We also defne Func(X def = Func(X, X Defnton We call a functon Γ : X X Y X a combner over (X, Y, f The mappng x Γ (x, y, z s a permutaton for any y X, z Y, and The mappng y Γ (x, y, z s a permutaton for any x X, z Y Let Γ be a combner over (X, Y If we defne, for any z Y, Γ z : X 2 X by Γ z (x, y def = Γ (x, y, z, then Γ z s a quasgroup for any z X Ths structure s also known as a Latn square Therefore, a combner Γ can be consdered as a parametrzed famly {Γ z } z Y of quasgroups We ll use the followng notaton to denote a combner Γ : Γ [x y z ] def = Γ (x, y, z From the propertes of the combner Γ, for any x, y X, and z Y, there exsts a unque element a X satsfyng Γ [a y z ] = x We ll denote ths a by Γ [x/y z ] Also, we ll denote the unque element b X satsfyng Γ [x b z ] = y as Γ [x\y z ] Then t s clear that the followng lemma holds: Lemma For any x, y X, and z Y, the followng equatons are satsfed: x = Γ [Γ [x/y z ] y z ] x = Γ [Γ [x y z ] /y z ] y = Γ [x Γ [x\y z ] z ] y = Γ [x\γ [x y z ] z ] Remark In ths paper, we ll only use combners over (X, X b, for some fxed nteger b > We call them b-combners over X Defnton 2 Let b > and r be fxed ntegers, and fx a b-combner Γ over X Suppose that P, Q : X b X b are permutatons Gven r functons f,, f r : X b X, we defne a functon Ψ = Ψ b,r P,Q (f,, f r : X b X b as follows; for x = (x, x 2,, x b X b, we compute y = Ψ(x by (z 0, z,, z b P (x 2 z +b Γ [z f (z z +b 2 z z +b 2 ] for =,, r 3 y Q (z r, z r+,, z r+b Clearly, Ψ s a permutaton, and ts nverse s gven by

5 (z r, z r+,, z r+b Q(y 2 z Γ [z +b /f (z z +b 2 z z +b 2 ] for = r,, 3 x P (z 0, z,, z b We call Ψ a b-branched, r-round quas-festel permutaton for f,, f r wth respect to (P, Q, Γ We use the notaton Ψ b,r P,Q (f,, f r for Ψ, but when P and Q are unmportant, or clear from the context, then we may smply wrte Ψ b,r (f,, f r Also, Ψ b,r (f,, f r can be consdered as a mappng Ψ b,r : Func(X b, X r Perm(X b We call ths mappng a b-branched, r-round quas-festel network wth respect to (P, Q, Γ We call X the underlyng set, P the pre-processng permutaton, and Q the post-processng permutaton Remark 2 We call the quas-festel network balanced when b = 2, and unbalanced when b > 2 Also, often by unquantfed quas-festel network we refer to the balanced case When b = 2, we omt b n the notaton Ψ b,r and smply wrte ths as Ψ r The above noton of quas-festel network seems to be very natural extenson of the Festel network In fact, we feel that, once the general structure s defned by the equaton z +b Γ [z f (z z +b 2 z z +b 2 ], the requrements for the combner Γ s almost forced upon us, n order to obtan a method for constructng secure cryptographc permutatons; f we would lke to make the whole constructon nvertble, then the best way s to make sure that x Γ [x y z ] s nvertble Also, n order to make the whole constructon cryptographcally secure, we would lke that, once z and z z +b 2 are fxed, the dstrbuton of f (z z +b 2 should have as much nfluence n determnng the value of z +b as possble, and the best way to acheve ths would be to make y Γ [x y z ] nvertble For example, at the other extreme, f y Γ [x y z ] s constant, then the round functons f don t have any nfluence to the output values, and the resultng permutaton s not random at all In the next secton, we show that the above constructon s a generalzaton whch contans both Festel and La-Massey constructons as specal cases 3 Examples of quas-festel networks 3 Festel The r-round Festel permutaton F(x = F(x L, x R from round functons f,, f r : {0, } n {0, } n s defned as follows: L x L, R x R 2 L + R, R + L f (R, for =,, r 3 y L L r+, y R R r+ 4 Return y = (y L, y R Snce L + = R for =,, r, we may defne R 0 def = L for consstency Then we can elmnate L completely from the above and t becomes

6 R 0 x L, R x R 2 R + R f (R, for =,, r 3 y L R r, y R R r+ 4 Return y = (y L, y R So, n ths case, the underlyng set X s smply {0, } n, and the permutatons P and Q are the dentty permutaton, and the combner Γ s gven by Γ [x y z ] = x y Therefore, we see that a Festel network s a specal case of the quas-festel network 32 Unbalanced Festel network wth contractng functons Smlarly, t s also clear that our quas-festel network generalzes the unbalanced Festel network wth contractng functons, formalzed n the paper of Patarn, Nachef, and Berban [5] Ths case s defned by specal b-combners over {0, } n, where Γ [x y z ] = x y 33 La-Massey The La-Massey scheme s slghtly more nvolved than Festel, and we need to do a lttle work to ft La-Massey nto our framework The La-Massey scheme was orgnally used n the IDEA cpher [2, 3] But n ths paper, by La-Massey scheme, we refer to the verson gven by Vaudenay n [20] Ths verson contans a smple functon called orthomorphsm, wthout whch the La-Massey scheme suffers a smple dstngushng attack Let G be a fnte abelan group An orthomorphsm σ : G G s a permutaton such that x σ(x x s also a permutaton Gven such a σ, we denote σ(x x by τ(x We assume that all of σ, σ, τ, τ are very effcent to compute on G The followng defnton for the mappng y = L(x s descrpton of r-round La-Massey permutaton wth orthomorphsm σ, correspondng to round functons f,, f r : G G α x L, β x R 2 α + σ(α + f (α β, β + β + f (α β, for =,, r 3 y L α r+, y R β r+ 4 Return y = (y L, y R Then, We defne H : G 2 G 2 by H(x, y = (σ x y, x y Theorem The La-Massey scheme s an nstance of the quas-festel network; the underlyng set X s the group G, the pre- and post-processng permutatons P and Q are both H, and the combner Γ s gven by Γ [x y z ] = z + τ ( z x + y + τ (z x We prove the Theorem n the Appendx A

7 4 Securty of unbalanced quas-festel network We show that (2b -round, b-branched quas-festel network s CPA-secure wthn the brthday bound, and (3b 2-round, b-branched quas-festel network s CPCA-secure wthn the brthday bound Note that when b = 2, the balanced case, these mply the results of Luby and Rackoff for 3- and 4-round Festel cphers [4] Also, ths shows for the frst tme that unbalanced Festel cpher wth contractng functons s secure wthn the brthday bound 4 (2b -round constructon Consder an nformaton-theoretc adversary A whch has oracle access to a functon f : X b X b A may query f q tmes, and we assume that A never makes pontless queres, that s, t never makes the same query more than once After q queres, A outputs 0 or We defne Adv CPA Ψ (A = Pr[ A(Ψ Ψ Ψ b,r $ (f b,r,, f r, where f Func(X ] Pr[ A(ρ ρ $ Func(X b ] Then, Theorem 2 For any fxed nteger b >, we get the followng: Adv CPA bq(q Ψ (A < b,2b 2 X b The proof technque of Theorem 2 s smlar to that of Theorem 3 below Therefore, n ths extended abstract, we wll only prove Theorem 3 42 (3b 2-round constructon Consder an nformaton-theoretc adversary A whch has oracle access to a permutaton π : X b X b A may query π or π q tmes, and agan we assume that A never makes pontless queres, that s, t never makes the same query more than once, and f t quered π(x and got y as the answer, then t never queres π (y, and vce versa After q queres, A outputs 0 or We defne Adv CPCA Ψ (A = Pr[ A(Ψ, Ψ Ψ Ψ b,r $ (f b,r,, f r, where f Func(X ] Pr[ A(ρ, ρ ρ $ Perm(X b ] Then, Theorem 3 For any fxed nteger b >, we get the followng: Adv CPCA Ψ b,3b 2 (A < We prove the Theorem 3 n the Appendx B bq(q q(q + 2 X b 2 X b

8 Remark 3 Note that bq(q q(q + 2 X b 2 X b < bq2 X b Therefore, Theorems 2 and 3 means that, as long as X b q, b the (2b -round quas-festel permutaton Ψ s ndstngushable to a random permutaton by any CPA-adversary, and the (3b 2-round quas-festel permutaton Ψ s ndstngushable to a random permutaton by any CPCA-adversary Remark 4 Naor and Rengold [5] proved results smlar to our Theorems 2 and 3 They showed that, for b-branched unbalanced Festel network wth contractng functons, (b + - round constructon s CPA-secure wth essentally the same bound as n Theorem 2, provded that the frst round s replaced by a parwse ndependent permutaton, and smlarly, (b + 2- round constructon s CPCA-secure, provded that the frst and the last rounds are replaced by parwse ndependent permutatons Our results replaces one round of parwse ndependent permutaton wth b rounds of normal quas-festel network Remark 5 Accordng to Patarn et al n [5], there s a chosen plantext attack for (2b - round, b-branched unbalanced Festel network wth contractng functons wth the number of plantext/cphertext par greater than or equal to 2 n(b 3 2 Ths s the best known attack for ths case, and ths greatly exceeds the brthday bound Therefore the tghtness of our securty proof s yet unknown 5 Quas-Festel network wth two random functons As a consequence of Theorems 2 and 3 from the prevous secton, we know that 3- or 4- round (balanced quas-festel network s CPA-secure or CPCA-secure, respectvely, wthn the brthday bound, when the round functons are chosen ndependently and unformly For Festel network, there were some results where the requrement of round functon ndependence was relaxed For example, n [9], Patarn studed the cases where the round functons are chosen from two ndependent random functons, or even a sngle random functon We obtaned generalzaton of Patarn s results for two ndependent random functons In ths extended abstract, we ll gve only nformal statements below 5 3-round constructons Suppose that f, g : X X are ndependent random functons Then there are four possble cases of constuctng 3-round quas-festel network wth round functons chosen from f or g: Ψ 3 (f, f, f, Ψ 3 (f, f, g, Ψ 3 (f, g, f, and Ψ 3 (f, g, g Among these, t s easy to show that Ψ 3 (f, f, f and Ψ 3 (f, g, f are not secure Ths s because that they are self-nverses of themselves when the left and rght halves are swapped Thus the remanng cases are Ψ 3 (f, f, g and Ψ 3 (f, g, g We can show that both are CPAsecure wthn the brthday bound Due to the possble nternal collson, the upper bound

9 of advantage of adversares are slghtly ncreased than n the case of ndependent random functons; the common advantage bound for the two cases s q(3q, 2 X whch s greater than the advantage bound q(q / X for the ndependent case, whch s from Theorem 2 wth b = round constructons Smlarly, there are eght possble cases of constuctng 4-round quas-festel network wth round functons chosen from two ndependent random functons f and g As n 3-round cases, we can easly see that Ψ 4 (f, f, f, f and Ψ 4 (f, g, g, f are not secure Ths leaves sx cases: Ψ 4 (f, f, f, g, Ψ 4 (f, f, g, f, Ψ 4 (f, f, g, g, Ψ 4 (f, g, f, f, Ψ 4 (f, g, f, g, and Ψ 4 (f, g, g, g We showed that they are all CPCA-secure wthn the brthday bound 6 Quas-Festel network wth random permutatons In ths secton, we show that for 3- and 4-round quas-festel network, one can use random permutatons as round functons to obtan securty wthn brthday bound Ths generalzes Pret s results [7] for Festel network wth random permutatons as round functons 6 3-round quas-festel wth random permutatons As n prevous sectons, consder an nformaton-theoretc adversary A wth up to q oracle queres to ts oracle f As usual, assume that A doesn t make pontless queres Ths tme we defne, Adv CPA Ψ (A = Pr[ A(Ψ Ψ Ψ 3 $ (f 3, f 2, f 3, where f Perm(X ] Pr[ A(f f $ Func(X 2 ] Theorem 4 Adv CPA q(q Ψ (A 3 X We gve proof of Theorem 4 n Appendx C q(q + X 62 4-round quas-festel wth random permutatons Smlarly, let A be an adversary wth oracle access to a permutaton π : X 2 X 2 and ts nverse A make at most q queres, and A makes no pontless queres Ths tme we defne, Adv CPCA Ψ (A = Pr[ A(Ψ, Ψ Ψ Ψ 4 $ (f 4, f 2, f 3, f 4, where f Perm(X ] Pr[ A(π, π π $ Perm(X 2 ] Theorem 5 Adv CPCA 2q(q Ψ (A 4 X The proof technque of Theorem 5 s smlar to that of Theorem 4 Therefore, n ths extended abstract we wll omt the proof

10 7 Naor-Rengold constructon for quas-festel network In ths secton we lft the Naor-Rengold constructon [5] of 4-round Festel constructon where parwse ndependent permutatons are used as frst and last rounds, to the quas-festel case Defnton 3 Let X be a fnte set, k an nteger (2 k X, and P a dstrbuton of permutatons on X If for any k-tuple (x,, x k of dstnct elements of X, the dstrbuton (f(x,, f(x k for f $ P s dentcal to the unform dstrbuton of dstnct k-tuples on X, then we say that P s k-wse ndependent Theorem 6 Let P, Q be parwse ndependent dstrbuton of permutatons on X 2 Let Ψ be the 2-round quas-festel network of ndependent random functons f, f 2, wth respect to (P, Q, Γ Ths means that we choose P $ P, Q $ Q, and defne Ψ as 2-round quas-festel network of f, f 2 wth respect to (P, Q, Γ, that s, Ψ ΨP,Q 2 (f, f 2 Let ρ $ Perm(X 2 be a random permutaton of X 2 For any CPCA-adversary A that makes at most q queres, we have Pr[ A(Ψ, Ψ ] Pr[ A(ρ, ρ ] < q2 X Note that one can also prove smlar results for CPA-securty, where the preprocessng permutaton s chosen randomly from parwse-ndependent dstrbuton of permutatons Remark 6 When we apply Theorem 6 to the La-Massey scheme, we see that 2-round La- Massey scheme s CPCA-secure, when pre- and post-processed by parwse ndependent permutatons It s a smple consequence of the followng obvous fact: Lemma 2 Let h be a fxed permutaton If P s a parwse ndependent dstrbuton of permutatons, then h P h s also a parwse ndependent dstrbuton of permutatons Actually, Naor and Rengold proved that only one random functon suffces to make the 4-round Naor-Rengold constructon CPCA-secure, when parwse ndependent permutatons are used as before We also have the correspondng theorem: Theorem 7 Let P, Q be parwse ndependent dstrbuton of permutatons on X 2, and let f $ Func(X, P $ P, Q $ Q Then let Ψ Ψ 2 P,Q (f, f Fnally, let ρ $ Perm(X 2 For any CPCA-adversary A that makes at most q queres, we have Pr[ A(Ψ, Ψ ] Pr[ A(ρ, ρ ] < 3q2 2 X We gve a bref sketch of proofs for Theorems 6 and 7 n Appendx D Remark 7 In fact, as mentoned before, Naor and Rengold also proved correspondng results for unbalanced Festel network Clearly, ths can also be generalzed to the quas-festel settng n the smlar way, and we ll omt the detals

11 8 Quas-Festel network and block cpher desgn From our results above, we see that most of the works for Festel network n the Luby-Rackoff model can be naturally extended to the quas-festel case Also, quas-festel network ncludes the La-Massey scheme as an nstance Therefore, we may conclude that, the La-Massey scheme (or for that matter, any other quas-festel network does not have any advantage over the Festel n terms of the Luby-Rackoff model, because both are nstances belongng to the same class, namely the quas-festel network Of course, that s not true when we apply a quas-festel network to block cpher desgn In our results, we consdered quas-festel cphers whch use random functons as round functons, or some varatons thereof Therefore, our results cannot be appled to more concrete versons of quas-festel cphers The desgner of a block cpher usually gves heurstc estmaton for securty aganst varous known attacks, and most of these attacks rely on specfc structures of the block cpher; n terms of our quas-festel network, we cannot talk much about the securty of a quas-festel block cpher, unless the concrete descrpton of the combner Γ s specfed Therefore t s not true that all quas-festel networks are equal n these cases As an example, consder the specfcaton of the FOX block cpher [] whch s now known as IDEA NXT In the securty analyss part, the desgners consdered Luby-Rackoff-lke securty, lnear/dfferental cryptanalyss, ntegral attacks, statstcal attacks, slde and related-key attacks, and so on Among these, all we can say at the generc quas-festel network level s the followng: The structure of a quas-festel block cpher has securty n the Luby-Rackoff model 2 When the round functons have suffcently small dfferental probabltes, and when the number of rounds, r, s large enough, a quas-festel block cpher s resstant to the dfferental attack; ths s smply because, n a quas-festel network, any dfferental characterstc on two rounds must nvolve at least one round functon Note that the observaton on dfferental characterstc s dentcal to that of the desgners of FOX block cpher Also, n general, we cannot say anythng about lnear cryptanalyss, unless a concrete specfcaton s gven Apart from the above two, almost all other attacks rely on specfc structures of the block cpher, therefore even wthn the famly of quas-festel networks, t s qute possble that some are better than others, n terms of securty aganst varous attacks 9 Concluson In ths paper, we ntroduced the noton of quas-festel network, and showed that some of the works on the Festel network can be naturally extended to our settng Also we proved the brthday securty of (2b - and (3b 2-round quas-festel networks aganst CPA and CPCA attacks, respectvely In the quas-festel network, due to the requrement that the round functons should be ndeed functons, many constrants occur For example, from the equalty X = Γ [L f (R R ], we get R = R Γ [L \X R ] = Γ [L \X R ] These systems of equatons are dependent on the specfc choce of the actual combner Γ used So, dfferent quas-festel networks produce dfferent systems of equatons Usually these equatons are ntertwned n complcated ways

12 However, we notce that, only securty up to the brthday bound s studed n many works on the Festel network In that case, collson of ntermedate values cannot occur wth hgh probablty, therefore most of the equatons n the system descrbng the constructon smply dsappear In ths type of works, specfc choce of the Festel combner Γ [x y z ] = x y doesn t really matter that much, and often one may reproduce the proof usng an arbtrary combner In a sense, we mght say that, what was done n many works on Festel was to keep away from the nner complcaton of the Festel network, by avodng nternal collsons as much as possble when the number of queres s less than the brthday bound We beleve that these works are n fact not dealng wth Festel network, but actually quas-festel networks, snce only general propertes of the quas-festel network as a famly, not some specfc property of the Festel network, are used n the proof A notable excepton to the above summary s the work of Patarn Patarn studed the securty of the Luby-Rackoff cpher when q s less than 2 n, and possbly greater than the brthday bound In ths stuaton, one cannot afford to smply dscard problematc cases of nternal collson, and one has to serously analyze the complcated system of equatons It s qute possble that n Patarn s work, some propertes exclusve to the Festel network have actually been used Despte ths, t s an nterestng open problem whether t s possble to prove Patarn s theorem for the quas-festel network, therefore automatcally also for the La-Massey scheme Drect translaton of Patarn s proof to the quas-festel settng seems to be dffcult, but one may hope that some dfferent proof technque could be devsed for ths generalzed stuaton In [5], Patarn et al gave generc attacks for unbalanced Festel networks wth contractng functons The attack modes were KPA and CPA, and they gave attacks for dfferent r, the number of rounds In comparson, we showed CPA-securty-untl-brthday-bound of the case r = 2b The attack of Patarn et al for ths case requres the number of queres q much greater than the brthday bound It would be an nterestng further study to close ths gap between securty proofs and the attacks Also, one may study dfferent types of unbalanced quas-festel networks References P Junod and S Vaudenay FOX: a new famly of block cphers Selected Areas n Cryptography - SAC 2004, LNCS 2595, pp 3 46, Sprnger-Verlag, X La On the desgn and securty of block cphers ETH Seres n Informaton Processng, vol, Hartung- Gorre Verlag, Konstanz, X La and J L Massey A proposal for a new block encrypton standard Advances n Cryptology - EUROCRYPT 90, LNCS 473, pp , Sprnger-Verlag, 99 4 M Luby and C Rackoff How to construct pseudorandom permutatons from pseudorandom functons SIAM Journal on Computng, vol 7, no 2, pp , Aprl M Naor and O Rengold On the constructon of pseudorandom permutatons: Luby-Rackoff revsted Journal of Cryptology, vol 2, no, pp 29 66, J Patarn Pseudorandom permutatons based on the DES scheme Codng Theory and Applcatons - EUROCODE 90, LNCS 54, pp , Sprnger-Verlag, 99 7 J Patarn New results on pseudorandom permutaton generators based on the DES scheme Advances n Cryptology - CRYPTO 9, LNCS pp 30 32, Sprnger-Verlag, J Patarn Etude des générateurs de permutatons pseudo-aléatores basés sur le schéma du DES Ph D Thess, INRIA, Domane de Voluceau, Le Chesnay, France, 99 9 J Patarn How to construct pseudorandom and super pseudorandom permutatons from one sngle pseudorandom functon Advances n Cryptology - EUROCRYPT 92, LNCS 658, pp , Sprnger-Verlag, 993

13 0 J Patarn About Festel schemes wth 6 (or More rounds Fast Software Encrypton - FSE 98, LNCS 372, pp 03 2, Sprnger-Verlag, 998 J Patarn Generc attacks on Festel schemes Advances n Cryptology - ASIACRYPT 200, LNCS 2248, pp , Sprnger-Verlag, J Patarn Luby-Rackoff: 7 rounds are enough for 2 n( ɛ securty Advances n Cryptology - CRYPTO 2003, LNCS 2729, pp , Sprnger-Verlag, J Patarn Securty of random Festel schemes wth 5 or more rounds Advances n Cryptology - CRYPTO 2004, LNCS 352, pp 06 22, Sprnger-Verlag, J Patarn Securty of random Festel schemes wth 5 or more rounds Extended verson of [3], preprnt 5 J Patarn, V Nachef and C Berban Generc attacks on unbalanced Festel schems wth contractng functons Advances n Cryptology - ASIACRYPT 2006, LNCS 4284, pp 396 4, Sprnger-Verlag, S Patel, Z Ramzan and G S Sundaram Luby-Rackoff Cphers over Fnte Algebrac Structures or Why XOR s not so Exclusve Selected Areas n Cryptography - SAC 2002, LNCS 2595, pp Sprnger- Verlag, G Pret Luby-Rackoff Revsted: On the Use of Permutatons as Inner Functons of a Festel Scheme Desgns, Codes and Cryptography, vol 39, no 2, pp , B Schneer and J Kelsey Unbalanced Festel Networks and Block-Cpher Desgn Fast Software Encrypton - FSE 96, LNCS 039, Sprnger-Verlag, pp 2 44, S Vaudenay Provable Securty for Block Cphers by Decorrelaton Theoretcal Aspects of Computer Scence - STACS 98, LNCS 373, pp , Sprnger-Verlag, S Vaudenay On the La-Massey Scheme Advances n Cryptology - ASIACRYPT 99, LNCS 76, pp 8 9, Sprnger-Verlag, 999

14 A Proof of Theorem Recall that H : G 2 G 2 s gven by Then a smple calculaton shows that H(x, y = (σ x y, x y H (s, t = ( t s + τ (t s, s + τ (t s We denote α β by z One mmedately sees from the defnton of La-Massey that σ α + β + = α β = z Then we have Usng H and the La-Massey formula (z, z = (σ α β, α β = H(α, β (α +, β + = (σ(α + f (α β, β + f (α β, we may compute z + from z, z, and f (z ; startng wth (z, z, applyng H, we get (α, β, from whch we compute (α +, β +, from whch we get (z, z + by applyng H By expandng the formulas for H and H explctly, we get z + = z + τ ( z z + f (z + τ (z z Also, from the above descrpton, t s clear that gven z +, z, and f (z, we can compute z Hence, we may defne the combner Γ by Γ [x y z ] = z + τ ( z x + y + τ (z x Lemma 3 Γ s ndeed a combner over G; x Γ [x y z ] and y Γ [x y z ] are permutatons for any x, y, z G Proof Snce we can nvert the above procedure to get (z, z from (z, z +, the mappng x Γ [x y z ] should be nvertble Indeed, by manpulatng the above formula, we get Γ [x/y z ] = y + z τ (x z + σ ( τ (x z y Also, we see that y Γ [x y z ] s nvertble for any x, z G, whch s because that y occurs only once n Γ [x y z ], and the formula s bult by ether addng a group element or takng a permutaton Explctly, we have Now we can prove Theorem : Γ [x\y z ] = x z τ (z x + τ (y z Proof (Of Theorem We gve the followng equvalent descrpton of the La-Massey scheme; gven the nput x = (x L, x R = (α, β, we apply H to compute (z 0, z = H(α, β Then by the equaton z + = z + τ ( z z + f (z + τ (z z = Γ [z f (z z ], we compute z 2, z 3,, z t, z r+ Fnally, we compute the output (α r+, β r+ by (α r+, β r+ = H (z r, z r+

15 B Proof of Theorem 3 Frst, we ll show that, often, wthout loss of generalty, we may assume that the pre- and postprocessng permutatons P and Q are both dentty permutatons n the Luby-Rackoff model The followng Lemma s stated for the case of CPCA-adversary for unbalanced quas-festel network, but t s clear that one can easly prove correspondng results for other cases Lemma 4 Consder a b-branched, r-round unbalanced quas-festel network Ψ wth respect to (P, Q, Γ Let s defne Ψ to be the unbalanced quas-festel network wth respect to (I, I, Γ, where I : X b X b s the dentty permutaton I(x = x Then, for any CPCA-adversary A, Adv CPCA Ψ b,r (A = Adv CPCA (A Ψ b,r Proof We have Ψ = Q Ψ P If π s a random permutaton, then π = Q π P s also a random permutaton We see that the advantage of dstngushng Ψ from π s dentcal to that of dstngushng Ψ from π Hence, we assume that P = Q = I n ths secton and also n other parts of ths paper We prove securty of (3b 2-round unbalanced quas-festel networks For convenence, we would lke to ntroduce some notatonal conventons for ths secton Frst, we label the 3b 2 random functons by f, f 2,, f b, g, g 2,, g b, h, h 2,, h b For nputs x = (x, x2,, xb and outputs y = (y, y2,, yb, we would lke to estmate the probablty that Ψ(x = y for =,, q Instead of the usual ntermedate varables z ( for th nput, we ll re-label the old varables by ntroducng varables X and Y The correspondence s represented by the followng table z ( 0 z ( z ( b z( b z ( b+ z( 2b 2 z( 2b z( 2b z( 3b 3 z( 3b 2 z( 3b z( 4b 3 x x 2 x b X X 2 X b Y Y 2 Y b y y 2 y b The relaton between the above new functons and varables are summarzed n Table From our notatonal conventons, we see that, n order that Ψ b,3b 2 (f, f 2,, f b, g, g 2,, g b, h, h 2,, h b (x = y

16 Table Internal varables for 3b 2 rounds Round Functon Internal varables f x x 2 x b 2 f 2 x 2 x 3 x b X 3 f 3 x 3 x 4 x b X X 2 b 2 f b 2 x b 2 x b x b X b 4 X b 3 b f b x b x b X X b 3 X b 2 b g x b X X b 2 X b b + g 2 X X 2 X b Y b + 2 g 3 X 2 X 3 X b Y Y 2 2b 2 g b X b 2 X b Y Y b 3 Y b 2 2b g b X b Y Y 2 Y b 2 Y b 2b h Y Y 2 Y b y 2b + h 2 Y 2 Y 3 Y b y y 2 3b 3 h b 2 Y b 2 Y b y y b 3 y b 2 3b 2 h b Y b y y b 2 y b y y 2 y b 2 y b y b holds for =,, q, the followng equatons should be satsfed: X = Γ x f (x 2 x b x 2 x b X 2 = Γ x 2 f 2 (x 3 x b X x 3 x b X X b Y Y 2 Y b = Γ x b f b (x b X X b 2 x b X X b 2 = Γ x b g (X X b X X b = Γ X g 2 (X 2 X b Y X 2 X b Y = Γ y = Γ y 2 = Γ X b 2 X b Y g b (X b Y Y b 2 g b (Y Y b Y h (Y 2 Y b y Y 2 X b Y b Y Y b y y b = Γ Y b h b (y y b y y b Y b 2 From the above, we see that, gven (x,, xb and (y,, yb, the collecton of random functons (f,, f b determnes the values (X,, Xb, and smlarly (h,, h b determnes the values (Y,, Y b

17 Lemma 5 Fx some, such that < q Also, fx some k such that k b Then, the probablty that by randomly choosng f,, f b, X k X b = X k X b holds s at most X b k Proof The condton X k X b s equvalent to the followng b k condtons: = X k X b X k = X k, X k+ = X k+,, X b = X b Intutvely, each condton contrbutes at most / X to the probablty, therefore the overall probablty s at most / X b k To be more precse, let s choose the functons f,, f k arbtrarly Ths determnes X,, Xk Then, X k = Γ x k f k (x k+ x b X X k x k+ x b X X k X k = Γ x k f k (x k+ x b X X k x k+ x b X X k We clam that the probablty for X k = X k dvde the cases Frst, consde the case when to hold s at most / X To prove ths, we x k+ x b X X k In ths case, suppose that X k = X k = x k+ holds Then, x k = Γ X k /f k (x k+ x b X X k x k+ = Γ X k /f k (x k+ x b X X k x k+ = x k Then x k = xk, and ths mples that x k x k+ x b X X k = x k x k+ x b X X k ( x b X X k x b X X k x b X X k Then we have X k = X k and x k x k+ x b X X k 2 = x k x k+ x b X X k 2 Repeatng ths, we conclude that x xb = x xb whch contradcts that the nputs are all dstnct Hence, we conclude that when ( holds, no functon f k can make X k = X k,

18 hence the probablty s 0 Next, consder the case when ( does not hold In ths case, when f k (x k+ x b X Xk s determned, we have f k (x k+ x b X X k = Γ x k k \Xk x k+ x b X X k = Γ x k k \Xk x k+ x b X X k = Γ x k k \Γ x k f k (x k+ x b X X k x k+ x b X X k x k+ x b X X k Then, we can choose f k freely, except that the value for x k+ x b X Xk s constraned by the above formula Then the probablty s / X Then, regardless of whether ( holds or not, the probablty that X k = X k holds s less than or equal to / X Choose any f k whch satsfes the equaton Now, we see that the exact same argument can be used to show that the probablty that X k+ = X k+ holds s less than or equal to / X Choose any f k+ whch satsfes the equaton Contnung n ths way, the probablty that all of b k equatons X k = X k, X k+ = X k+,, X b = X b are satsfed s less than or equal to / X b k Corollary Fx some, such that < q Also, fx some k such that k b Then, the probablty that by randomly choosng h,, h b, holds s at most Y Y k = Y Y k X k Proof The functons h,, h b defnes the varables Y,, Y b The proof s essentally the same as the Lemma 5 Corollary 2 Fx some, such that < q Also, fx some k such that k b Then, the probablty that by randomly choosng f,, f b, h,, h b, s at most Proof The condton X k X b Y X k X b s equvalent to two condtons X k X b Y Y k Y k = X k X b Y Y k X b = X k X b and Y = X k X b Y Y k Y k = Y Y k The two condtons are ndependent, and the probablty that each holds are at most X b k and X k, respectvely

19 Corollary 3 The probablty that X k X b Y Y k = X k X b Y Y k does not hold for any < q and any k b s at least bq(q 2 X b The Corollary 3 gves us a guarantee that no nternal collson occurs wth at least that probablty In order to prove Theorem 3, we need the followng Theorem 8 Note that ths estmaton of transton probablty from gven nputs to gven outputs s the core of Patarn s coeffcent H technque Theorem 8 Let x X b, q be dstnct nputs, and let y X b, q be dstnct outputs Let s denote by h the probablty that Ψ, the b-branched, (3b 2-round unbalanced quas- Festel permutaton for 3b 2 random functons, satsfes, q, Then we have Proof Wth probablty at least Ψ(x = y h ( X bq bq(q 2 X b bq(q 2 X b, we may choose random functons f,, f b, h,, h b such that X k X b Y Y k X k X b Y Y k for any < q and any k b Then the probablty that we may choose random functons g,, g b so that Y = Γ x b g (X X b X X b Y 2 = Γ X g 2 (X 2 X b Y X 2 X b Y = Γ X b 2 g b (X b Y Y b 2 y = Γ X b g b (Y Y b Y Y b X b Y b Y Y b 2 holds for =,, q s equal to (/ X b q Puttng all of the above together, we get the result Now we are ready to go back to proof of the Theorem 3:

20 Proof (Of Theorem 3 The queres of A to ts oracle π have form π(x or π (y We may wrte the queres as π ɛ (Q, and denote by σ the answer of the oracle to the query Then (ɛ, Q s dependent only to A, and (ɛ 2, Q 2 s dependent to A and σ, and (ɛ 3, Q 3 s dependent to A and σ, σ 2, and so on Fnally A(π, the answer of A s dependent only to A and σ,, σ q ; f π : X b X b s another permutaton such that π ɛ (Q = σ, then A s queres to both π and π would be dentcal, and the answers would be dentcal, therefore A(π = A(π Hence, f the queres of A to ts oracle π are (ɛ, Q, and f the answers t gets are σ, then we may wrte A(σ,, σ q, nstead of A(π Let s defne def P = Pr[ A(Ψ, Ψ Ψ Ψ b,3b 2 $ (f,, f 3b 2, where f Func(X ] P def = Pr[ A(π, π π $ Perm(X b ] Note that by defnton, Adv CPCA Ψ (A = P b,3b 2 P If N s the number of σ,, σ q such that A(σ,, σ q, then P = Number of π Perm(X b such that A(π Number of π Perm(X b = = = Hence, we get Then, P = σ,,σ q A(σ,,σ q σ,,σ q A(σ,,σ q Number of π Perm(X b compatble wth σ,, σ q Number of π Perm(X b ( X b q! ( X b! N ( ( X ( bq 2 q X b X b X b σ,,σ q A(σ,,σ q σ,,σ q A(σ,,σ q P > P N = P X bq P ( X b q q = ( ( = P = X b q(q 2 X b Pr [(f,, f 3b 2 s compatble wth σ,, σ q ] ( X bq ( q(q 2 X ( b bq(q ( q(q + 2 X b 2 X b bq(q 2 X b = N ( X bq bq(q 2 X b bq(q 2 X b (2

21 If we swtch the outputs and 0 of A, n the same way we also get, ( bq(q P > P q(q + 2 X b 2 X b From the above two nequaltes, we fnally get Adv CPCA Ψ b,3b 2 (A = P P < bq(q q(q + 2 X b 2 X b C Proof of Theorem 4 In order to prove Theorem 4, we need some preparatons We know that wthout loss of generalty, we may set P = Q = I Lemma 6 Suppose that L, R, X, S, T X are gven, for =,, q, such that (L, R are dstnct Also suppose that the followng fve condtons are satsfed; R = R Γ [L \X R ] = Γ [L \X R ] X are dstnct S are dstnct Γ [R \S X ] are dstnct Γ [X \T S ] are dstnct (C (C2 (C3 (C4 (C5 Then, the number of 3-tuples (f, f 2, f 3 Perm(X 3 satsfyng s equal to X = Γ [L f (R R ] S = Γ [R f 2 (X X ] T = Γ [X f 3 (S S ] ( X q + r! ( X q! ( X q! where r s the number of ndependent equatons of form R = R Proof In other words, q r = {R =,, q} f s free as a permutaton except for the prescrbed q r ponts Therefore there are precsely ( X q + r! such functons f, satsfyng X = Γ [L f (R R ] Smlarly there are ( X q! f 2 s, and ( X q! f 3 s Lemma 7 Suppose that L, R X are gven, for =,, q, such that (L, R are dstnct Then the number of q-tuples (X,, X q satsfyng R = R Γ [L \X R ] = Γ [L \X R ] (C s equal to X! ( X q + r! where r s the number of ndependent equatons of form R = R

22 Proof If we set then the condton (C s equvalent to X = Γ [L f(r R ], R = R f(r = f(r Let R, R 2,, R q r be any set of q r representatve elements for {R =,, q} Then, choosng X satsfyng (C s equvalent to choosng dstnct f(r, =,, q r There are exactly such choces X ( X ( X (q r = X! ( X q + r! Lemma 8 Suppose that L, R X are gven, for =,, q, such that (L, R are dstnct Then the number of three q-tuples (X,, X q, (S,, S q, (T,, T q satsfyng R = R Γ [L \X R ] = Γ [L \X R ] X are dstnct S are dstnct Γ [R \S X ] are dstnct Γ [X \T S ] are dstnct (C (C2 (C3 (C4 (C5 s at least X! X 2q ( ( X q + r! q(q q(q ( X X where r s the number of ndependent equatons of form R = R Proof By Lemma 7, The number of choces for X, S, T satsfyng (C s X! X 2q ( X q + r!, because (C does not depend on S, T, so these can be freely chosen Then, n order to fnd a lower bound for tuples satsfyng all of (C,, (C5, we have to fnd an upper bound for tuples satsfyng (C but not some of (C2,, (C5 Frst, consder the case where (C holds but (C2 s not true Fx an arbtrary, such that < q Consder the case when (C holds and also X = X s true In the proof of Lemma 7, we may set R = R, and R 2 = R We have X choces for f (R, but once ths s chosen, the value for f 2 (R 2 s fxed due to the equaton X = X Therefore, there are at most X ( X 2 ( X (q r = X! ( X q + r! ( X choces n total Snce there are q(q /2 choces for <, and X 2q unrestrcted choces for S and T, there are at most X! X 2q q(q ( X q + r! 2( X

23 choces where (C s true but (C2 s false Next, consder the case when (C s true but (C3 s false In ths case, X can be chosen ust lke Lemma 7, but, unrelated to the choces for X, the choces for S should satsfy S = S for some < Therefore, the number of choces s at most X! X 2q q(q ( X q + r! 2 X We can argue almost dentcally for the case when (C s true but (C4 s false; the number of choces for ths case s agan at most X! X 2q q(q ( X q + r! 2 X Fnally, the analyss for the case when (C s true but (C5 s false can be handled dentcal to the case when (C s true but (C2 s false; the number s agan at most Therefore, there are at least = X! X 2q q(q ( X q + r! 2( X X! X 2q ( X q + r! X! X 2q q(q ( X q + r! 2( X X! X 2q q(q ( X q + r! 2 X X! X 2q q(q ( X q + r! 2 X X! X 2q q(q ( X q + r! 2( X ( X! X 2q q(q q(q ( X q + r! ( X X choces where all of (C,, (C5 are true Now we are ready to prove Theorem 4 The proof s smlar to that of Theorem 3, but we have to be carefully ntroduce the extra varable X nto our probablty estmaton Proof (Of Theorem 4 Let s defne def P = Pr[ A(Ψ Ψ Ψ 3 $ (f, f 2, f 3, where f Perm(X ] P def = Pr[ A(f f $ Func(X 2 ] Note that by defnton, Adv CPA Ψ 3 (A = P P The queres of A to ts oracle f have form f(τ Let s denote by σ the answer of the oracle to the query f(τ Then τ s dependent only to A, and τ 2 s dependent to A and σ, and τ 3 s dependent to A and σ, σ 2, and so on Fnally A(f, the answer of A s dependent only to A and σ,, σ q ; f f : X 2 X 2 s another functon such that f (τ = σ, then A s

24 queres to both f and f would be dentcal, and the answers would be dentcal, therefore A(f = A(f Hence, f the queres of A to ts oracle f are τ, and f the answers t gets are σ, then we may wrte A(σ,, σ q, nstead of A(f Let N be the number of q-tuples (σ,, σ q satsfyng A(σ,, σ q Then, If N s the number of σ,, σ q such that A(σ,, σ q, then Then, P = Number of f Func(X 2 such that A(f Number of f Func(X 2 = = σ,,σ q A(σ,,σ q σ,,σ q A(σ,,σ q = N X 2q σ,,σ q A(σ,,σ q Number of f Func(X 2 compatble wth σ,, σ q Number of f Func(X 2 ( X 2 X 2 q ( X 2 X 2 P = Number of (f, f 2, f 3 such that A(Ψ 3 (f, f 2, f 3 Perm(X 3 Number of (f, f 2, f 3 compatble wth σ,, σ q = Perm(X 3 = σ = X /(C A(σ X,σ /(C,,(C5 A(σ X,σ /(C,,(C5 A(σ Number of (f, f 2, f 3 compatble wth X, σ Perm(X 3 Number of (f, f 2, f 3 compatble wth X, σ Perm(X 3 ( X q + r! ( X q! ( X q! ( X! 3 ( Lemma 6 = (No of X, σ, satsfyng (C,, (C5 and A(σ ( X q + r! ( X q! ( X q! ( X! 3 We have to estmate the number of X, σ satsfyng (C,, (C5 and also A(σ By Lemma 7, There are X! N ( X q + r! choces for X, σ satsfyng (C and A(σ It s because that, for each N choces of σ wth A(σ, one can choose X by Lemma 7 By Lemma 7 and Lemma 8, There are at most X! X 2q ( X q + r! ( q(q X q(q + X

25 choces for X, σ satsfyng (C but not satsfyng some of (C2,, (C5 Therefore, the number of X, σ satsfyng all of (C,, (C5 and also A(σ s at least ( X! X! X 2q q(q N ( X q + r! ( X q + r! q(q + X X ( ( X! q(q = N X 2q q(q + ( X q + r! X X ( ( X! q(q = X 2q P X 2q q(q + ( X q + r! X X ( X! X 2q = P q(q q(q ( X q + r! X X When we put ths nto the above, we get P (No of X, σ, satsfyng (C,, (C5 and A(σ ( X q + r! ( X q! ( X q! ( X! 3 ( X! X 2q = P q(q q(q ( X q + r! (( X q!2 ( X q + r! X X ( X! 3 ( ( = P q(q q(q X q ( X q! 2 X X X! P q(q q(q X X By swtchng the outputs and 0 of A, we obtan P P These two nequaltes prove the Theorem 4 D Proof sketch of Theorems 6 and 7 q(q X q(q X In the proof of Theorem 3 n Appendx B, we used Theorem 8 crucally For the balanced case, that s when b = 2, Theorem 8 estmates the transton probablty for gven nput/output pars for 4-round unbalanced quas-festel permutaton When we choose pre- and postprocessng permutatons P, Q randomly from parwse ndependent dstrbutons, we can prove the analogue of Theorem 8 for 2-round balanced quas-festel network Lemma 9 Let x ( = (x ( L, x( R X 2, q be dstnct nputs, and let y ( = (y ( L, y( R X 2, q be dstnct outputs Let P, Q be parwse ndependent dstrbutons of permutatons on X 2 $ Let f, f 2 Func(X, and let P $ P, Q $ Q Let s denote by h the probablty that, q, Then we have Ψ 2 P,Q(f, f 2 (x ( = y ( h ( X 2q q(q X

26 Remark 8 Note that when b = 2, the nequalty n the Theorem 8 s dentcal to the above nequalty Proof Let s defne random varables L, R, S, T on X, =,, q, by (L, R p(x (, (S, T q(y ( Snce P s parwse ndependent dstrbuton of permutatons, we know that for any gven, the probablty that R = R s at most / X So, the probablty that R are not dstnct s at most q(q /(2 X Hence, the probablty that R are dstnct s at least q(q 2 X Smlarly, the probablty that S are dstnct s agan at least q(q 2 X Now, under the condton that R are dstnct and S are dstnct, the probablty that S = Γ [L f (R R ] T = Γ [R f 2 (S S ] holds for =,, q s exactly X q X q Combnng all of the above, we get h ( X 2q q(q 2 ( 2 X X 2q q(q X Now the proof of Theorem 6 s smple; we argue essentally dentcal to the proof of Theorem 3, but use Lemma 9, nstead of Theorem 8 Then, the proof of Theorem 7 s also easy; we agan estmate the transton probablty as n Lemma 9, but ths tme we have to consder the probablty that R = S The rest of the proof s dentcal to that of Theorem 6