Improved Security Bounds for Generalized Feistel Networks

Abstract. We revisit the security of various generalized Feistel networks. Concretely, for unbalanced, alternating, type-1, type-2, and type-3 Feistel networks built from random functions, we substantially improve the coupling analyses of Hoang and Rogaway (CRYPTO 2010). For a tweakable blockcipher-based generalized Feistel network proposed by Coron et al. (TCC 2010), we present a coupling analysis and for the first time show that with enough rounds, it achieves 2n-bit security; this provides highly secure, double-length tweakable blockciphers.


Feistel Networks
Feistel networks consist of several iterative applications of a simple Feistel permutation built from a domain-preserving function F_i : {0,1}^n → {0,1}^n, typically called its round function. Such networks are not only the high-level abstraction of a large number of modern blockciphers, including the Data Encryption Standard (DES) [FNS75, Smi71], but are also widely used in many other cryptosystems (e.g., inverse-free authenticated encryption [Min14]).
A popular approach to analyzing the security of Feistel networks, pioneered by Luby and Rackoff [LR88], is to model the round function F_i as a secret random function. This allows proving information-theoretic indistinguishability, i.e., no distinguisher should be able to distinguish the Feistel network from a random permutation on 2n-bit strings. With this model, Luby and Rackoff proved the security of 4-round Feistel networks, following which a long series of work has established either better security bounds [Pat90, Mau93, MP03, Vau03, Pat04, HR10a, Pat10] or reduced construction complexity [SP93, Pat93, Nan10, Nan15].

Generalized Feistel Networks (GFNs)
The above classical Feistel networks can be generalized in various manners. Concretely, replacing the domain-preserving round function F_i by expanding or contracting ones results in unbalanced Feistel [SK96]; using expanding and contracting round functions in an alternating manner results in alternating Feistel [AB96, Luc96]; finally, partitioning the inputs into more than two blocks (or branches) results in multi-line generalized Feistel, whose (probably) most popular instances are Type-1, Type-2, and Type-3 Feistel networks [ZMI90], which differ in the relations among the branches. Compared to classical Feistel, the improved flexibility of GFNs significantly widens their application spectrum, ranging from ultra-lightweight blockciphers [SIH+11] and full-domain secure encryption [MRS09] to wide cryptographic permutations [GM16].
Information-theoretic security of GFNs can be analyzed in a model similar to that of classical Feistel, with various "birthday-bound" results shown in [NR99, MRS09, AB96, BR02, BRRS09, Luc96, ZMI90] and "beyond-birthday-bound" results found in [HR10a, Pat10]. Most importantly for this paper, Hoang and Rogaway (henceforth "HR") [HR10a] proved asymptotically optimal security for all the aforementioned types of GFNs via the coupling technique. In detail, with a sufficient number of rounds, all the aforementioned GFNs are CCA-secure up to 2^{n(1−ε)} adversarial queries for any ε > 0. Though appealing, this requires a large number of rounds to asymptotically achieve n-bit security.

Tweakable Blockcipher-based GFN
Tweakable permutations (TP) and tweakable blockciphers (TBC) were introduced by Liskov et al. [LRW02]: the former models a family of (efficiently invertible) permutations indexed by a parameter called the tweak, and the latter is a family of keyed TPs. With such primitives, the round function F_i of a GFN may be replaced by some other primitive such as a TBC/TP, resulting in more possibilities.
As a concrete instance, Coron et al. [CDMS10] proposed a GFN that turns an n-bit TP with ω-bit tweak (ω > n) into a 2n-bit TP with (ω − n)-bit tweak, i.e., it trades domain for tweak space. As tweak extension is generally easier [CDMS10, MI15], this gives rise to a domain extender for TPs/TBCs. In this paper we denote by TGF_r[ω, 2n] the r-round variant of Coron et al.'s construction. Coron et al. prove that TGF_r[ω, 2n] achieves birthday 2^{n/2} CCA security when r = 2, and optimal 2^n CCA security when r = 3. However, note that the size of the inputs to the underlying TP is actually larger than 2n bits (i.e., n-bit block plus ω-bit tweak). As recently pointed out by Lee and Lee [LL18], the classical-sense optimal 2^n security is actually the birthday bound for such a TP. Motivated by Lee and Lee's 2^{4n/3}-secure TBC construction, it is tempting to ask whether similar beyond-2^n security results could be proved for TGF_r[ω, 2n] with r ≥ 4 rounds.

Our Contributions
For all the GFNs mentioned before, we either improve existing coupling analyses or present new ones where none existed. Concretely, motivated by Lampe and Seurin [LS15] and Nachef et al. [NPV17], we improve the coupling analyses of HR [HR10a, HR10b], and prove the following results:
• For unbalanced Feistel UBF_r[m, n], when n ≥ m, we prove a 2q^{t+1}( )^t security bound at (2n/m + 2)t + 2n/m + 1 rounds. The bound is comparable to HR's 2q^{t+1}( )^t, while the number of rounds is almost halved from HR's (4n/m + 4)t. When n < m, we prove a 2q^{t+1}( 2^n )^t security bound (the same as HR's bound) at 4t + 2n/m + 1 rounds, which is much smaller than HR's (2m/n + 4)t rounds.
Table 1: Summary of improved CCA bounds in this paper. The rows correspond to the generalized Feistel networks illustrated in Fig. 1 and Fig. 2. Parameters k, m, n, ω, M, N describe the scheme and t determines the number of rounds r.
For the TBC-based GFN TGF_r[ω, 2n], we present the first coupling analysis and prove a 2 · q^{t+1} 30q^2 2n t 1/2 security bound with 4t + 2 rounds. This for the first time establishes security beyond the birthday bound 2^n for TGF_r[ω, 2n]. Moreover, the bound approaches 2^{2n} as the parameter t (and thus the number of rounds) increases. This gives rise to double-length blockciphers with high security: for example, when Deoxys-BC-256 is used, 10 rounds achieve 2^{4×128/3} ≈ 2^{170} security. While the efficiency is relatively low, the high security bounds make it suitable for specific applications.

Core Ideas for Improvements
Our improvements upon HR [HR10a] are due to more fine-grained analyses of the coupling probabilities. To illustrate, consider for example the unbalanced Feistel with contracting round functions with domain {0,1}^n and range {0,1}^m (n ≥ m). HR treated the construction as small "chunks" of 2n/m + 2 rounds each, and analyzed the latter in turn. Inside each chunk, the probability that the coupling fails is at most 3(n/m)/2^n. Since events in distinct chunks are independent, the final coupling probability easily follows. However, a close inspection shows that, in fact, n/m + 1 rounds (i.e., half of the size of the chunk) are already sufficient for a coupling to succeed. It seems that HR's use of the additional n/m + 1 rounds was intended to create a strong independence between distinct chunks and cinch a quite modular argument (as mentioned, they could focus on what happens inside a single chunk), but we are able to give a more dedicated analysis as follows:
• First, as mentioned, we narrow each chunk. Our more fine-grained analysis shows that events in distinct chunks remain independent even if chunks are smaller;
• Second, we add several rounds at the "beginning" of the construction, so that after these rounds, the intermediate values of the two evaluations (that will be considered during the coupling) will be somewhat random and collision-free. This is crucial for the coupling arguments (as in the balanced case [LS15]).
As such, we are ultimately able to obtain a comparable bound with almost half the number of rounds.

Other Related Works
Besides information-theoretic indistinguishability, existing results on GFNs mainly concentrate on structural refinements, including e.g. improving the shuffle in multi-line GFNs [SM10], refining the models to fit into the so-called Feistel-2 model [LS15, GW18], and discussing the practical security of using substitution-permutation-style round functions [BS13].

Organization
The rest of this paper is organized as follows. Section 2 gives essential notation, security definitions and two useful mathematical lemmas. The security proofs of unbalanced Feistel ciphers are detailed in Section 3. Sections 4 and 5 summarize the improved security bounds of alternating Feistel and multi-line Feistel (including type-1, type-2 and type-3 Feistel) respectively, and the proofs of these results can be found in Appendices A and B respectively. Section 6 presents the coupling analysis of the TBC-based GFN. Section 7 concludes the paper.

Preliminaries
Notations. If 𝒳 is a set, then X ←$ 𝒳 denotes the operation of picking X from 𝒳 uniformly at random. The bit length of a string X is denoted by |X|. Concatenation of strings X and Y is written as either X‖Y or simply XY. We denote by X ⊕ Y the bitwise exclusive-or of two equal-length bit strings. For a string X, we denote by ls_n(X) the last n bits of X and by ms_n(X) the first n bits of X, for 1 ≤ n ≤ |X|. We denote by [a; b] the set of integers i such that a ≤ i ≤ b.
Security Definitions. We denote by Func(n, m) the set of all functions from {0,1}^n to {0,1}^m, and by Perm(M) the set of all permutations on M. Let Perm(T, M) be the set of all functions P : T × M → M such that for each t ∈ T, P(t, ·) is a permutation on M. A blockcipher E : K × M → M is a family of permutations, where E(K, ·) is a permutation over M. A tweakable blockcipher Ẽ : K × T × M → M is a family of permutations, where Ẽ(K, t, ·) is a permutation over M. We define two types of attacks with respect to the way the adversary makes its queries to the oracles, namely non-adaptive chosen-plaintext attack (NCPA) and (adaptive) chosen-plaintext and chosen-ciphertext attack (CCA).
For any q, we define the NCPA security of a blockcipher E / a tweakable blockcipher Ẽ as where the maximum is taken over all distinguishers A that make at most q non-adaptively chosen oracle queries. Similarly, we define the CCA security of E / Ẽ as where the maximum is taken over all distinguishers A that make at most q oracle queries.
Mathematical Foundations. Given a finite event space Ω, let µ and ν be two probability distributions defined on Ω. The statistical distance (or total variation distance) between µ and ν is defined as A coupling of µ and ν is a pair of random variables (X, Y) over Ω × Ω such that X ∼ µ and Y ∼ ν. In other words, (X, Y) has marginal distributions µ and ν. We will use the following fundamental result of the coupling technique. The proof of this result can be found in [LPS12].
Lemma 1 (Coupling Lemma). Let µ and ν be two probability distributions on a finite event space Ω. Let the random variable (X, Y) be a coupling of µ and ν.
In some of our proofs, we will need to use the following inequality.
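As an added illustration (not part of the paper), the following Python code computes the statistical distance of two small distributions exactly and builds the standard maximal coupling, whose failure probability Pr[X ≠ Y] equals ‖µ − ν‖; it also shows that the trivial independent coupling only attains the inequality ‖µ − ν‖ ≤ Pr[X ≠ Y] that Lemma 1 guarantees for every coupling, which is exactly how the proofs below bound the distance between the real and the "last query replaced" output distributions by Pr[Fail]. The two distributions over 2-bit strings are constructed sample data.

```python
from fractions import Fraction
from itertools import product

# Distributions are dicts mapping outcomes of a finite Omega to exact probabilities.


def total_variation(mu, nu):
    """Statistical distance ||mu - nu|| = (1/2) * sum_x |mu(x) - nu(x)|."""
    omega = set(mu) | set(nu)
    return sum(abs(mu.get(x, 0) - nu.get(x, 0)) for x in omega) / 2


def prob_differ(gamma):
    """Pr[X != Y] for a joint distribution gamma on Omega x Omega."""
    return sum(p for (x, y), p in gamma.items() if x != y)


def marginals(gamma):
    """Recover the two marginal distributions of a joint distribution gamma."""
    mu, nu = {}, {}
    for (x, y), p in gamma.items():
        mu[x] = mu.get(x, 0) + p
        nu[y] = nu.get(y, 0) + p
    return mu, nu


def independent_coupling(mu, nu):
    """The trivial coupling: sample X ~ mu and Y ~ nu independently."""
    return {(x, y): mu[x] * nu[y] for x, y in product(mu, nu)}


def maximal_coupling(mu, nu):
    """Coupling that sets X = Y wherever the two masses overlap.

    Its failure probability Pr[X != Y] equals ||mu - nu|| exactly, so the
    coupling lemma's inequality is tight for this coupling."""
    omega = sorted(set(mu) | set(nu))
    overlap = {x: min(mu.get(x, 0), nu.get(x, 0)) for x in omega}
    d = 1 - sum(overlap.values())        # this is exactly ||mu - nu||
    gamma = {(x, x): p for x, p in overlap.items() if p > 0}
    if d > 0:
        # The leftover mass of mu and of nu each sums to d; pairing the two
        # leftovers independently never puts mass on the diagonal, because
        # no x can be overweighted in both mu and nu at the same time.
        rest_mu = {x: mu.get(x, 0) - overlap[x] for x in omega}
        rest_nu = {x: nu.get(x, 0) - overlap[x] for x in omega}
        for x, y in product(omega, omega):
            p = rest_mu[x] * rest_nu[y] / d
            if p > 0:
                gamma[(x, y)] = gamma.get((x, y), 0) + p
    return gamma


def demo():
    """Constructed example: mu is uniform over 2-bit strings, nu is skewed
    (it overweights 00 and never outputs 11).  Returns ||mu - nu||, the
    failure probability of the independent coupling, that of the maximal
    coupling, and whether the maximal coupling really has marginals mu, nu."""
    half, quarter = Fraction(1, 2), Fraction(1, 4)
    mu = {"00": quarter, "01": quarter, "10": quarter, "11": quarter}
    nu = {"00": half, "01": quarter, "10": quarter}
    tv = total_variation(mu, nu)
    g_ind = independent_coupling(mu, nu)
    g_max = maximal_coupling(mu, nu)
    marginals_ok = marginals(g_max) == (mu, nu)
    return tv, prob_differ(g_ind), prob_differ(g_max), marginals_ok


if __name__ == "__main__":
    tv, p_ind, p_max, ok = demo()
    print(f"||mu - nu|| = {tv}, independent coupling fails w.p. {p_ind}, "
          f"maximal coupling fails w.p. {p_max}, marginals correct: {ok}")
```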
Coupling for Contracting Round Function Case. We first consider the case when UBF_r[m, n] is instantiated with contracting round functions, i.e., m ≤ n. For 1 ≤ j ≤ + 1, let A^j_0 and B^j_0 denote respectively the first m bits and the last n bits of X^j, and for 1 ≤ i ≤ r, let A^j_i and B^j_i be recursively defined by A^j_i = ms_m(B^j_{i−1}) and For any 1 ≤ j ≤ and 1 ≤ i ≤ r, we simply set F_i(B^j_{i−1}) = F_i(B^j_{i−1}). Since the first queries to the second Feistel cipher are the same as to the first, this leads to the first outputs of both ciphers being identical. Let C^{+1}_0 and D^{+1}_0 denote the first m bits and the last n bits of U^{+1}. We then explain how the ( + 1)-th queries are coupled. For 1 ≤ i ≤ r, let C^{+1}_i and D^{+1}_i be recursively defined by For the first b rounds, we couple the random outputs in the processing of X^{+1} and U^{+1} arbitrarily. For round i > b, we define a bad event which may happen in each Feistel cipher. We say that coll_i occurs if B^{+1}_i is equal to B^j_i for some 1 ≤ j ≤ , namely the input value to the (i + 1)-th round function collides with a previous input value. Similarly, we say that ) as follows: ) is defined so as to ensure consistency with the earlier query (namely, if • if coll_i does not occur while coll_i occurs, then It is clear that the round functions F in the second Feistel cipher are uniformly random when defined according to the first or the second rule above. When F_{i+1}(D^{+1}_i) is defined via the third rule, then ) is uniformly random conditioned on coll_i not occurring. Hence the distribution of the outputs of the second Feistel cipher is exactly the same as µ_{+1}. If neither coll_i nor coll_i occurs for b + 1 consecutive rounds i, i + 1, ..., i + b, then U^{+1} and X^{+1} will have the same last m-bit outputs at rounds i + 1, i + 2, ..., i + b + 1, and thus have identical outputs at round i + b + 1 and all subsequent rounds, namely the coupling will be successful. Define COLL_i = coll_i ∪ coll_i for any b + 1 ≤ i ≤ r. Let Fail be the event that the coupling does not succeed. Then We upper bound the term on the right side by the following lemma.
where is the number of queries that have been made to the cipher before the coupling.
Proof. We first consider the event coll_i; the result for coll_i can be obtained by similar arguments. Event coll_i happens if ]. This is equivalent to Writing it more concretely, it is equivalent to a series of equations: . . .
For the first equation, if , then it cannot hold, since otherwise it would contradict the hypothesis that X^{+1} and X^j are distinct. If B^{+1}_{i−1} = B^j_{i−1}, then the first equation holds with probability at most 2^{−m}, since F_i is uniformly random.
For the second equation, we need to take the set , then the analysis of this equation is similar to the first one and thus it holds with probability at most 2 and thus the second equation cannot hold, since otherwise it would contradict the hypothesis that X^{+1} and X^j are two distinct queries. If k = j, then the second equation is equivalent to Since we are working in the non-adaptive setting, the adversary must choose all of its queries before receiving any responses from the Feistel cipher. Thus the analysis of this equation is similar to that of the first equation, and this equation holds with probability at most 2^{−m}. It is easy to see that, except for the last equation, the analysis of the following equations is exactly the same as for the second equation, and thus each of them holds with probability at most 2^{−m}.
For the last equation, Equation (2), we also need to take the set ∩_{s∈S} COLL_s for S ⊆ [b + 1; i − 1] into account. The analysis for this equation is much more complicated. We divide into two cases here with respect to the event in the (i − b + 1)-th round.
, then the outputs of the (i − b)-th function in these two ciphers must collide, which happens with probability at most 2^{−m}. Hence, in this case, the chance that the last equation holds is at most 2 We further divide into two sub-cases here depending on whether k equals j or not.
– Case 2.1: k = j. Then the last equation is equivalent to , which happens with probability at most 2^{−m}. Hence, in this case, the chance that the last equation holds is at most 2 , and thereafter On the other hand, in this case Equation (2) is equivalent to 3) and (4) gives ). We then consider the probability that Equation (4) holds.
* Case 2.2.1: n − (b − 1)m = m/2. Then combining Equation (3) and Equation (4) we exactly have which occurs with probability at most 2^{(b−1)m−n} regardless of whether which occurs with probability at most 2^{(b−1)m−n} regardless of whether Then we can rely on the randomness of the first b rounds; we discuss two further sub-cases here: which holds with probability at most 2^{−m}. Hence in this sub-case, by the union bound, Equation (4) holds with probability at most By a similar argument to the above case, Equation (4) holds with probability at most 2^{(b−1)m−n+1}.
* Case 2.2.4: If none of the above three cases occurs, we recursively repeat the above arguments until one of the above three cases happens, since eventually we will arrive at the first b rounds and rely on their randomness.
Hence, the probability that Equation (4) holds is at most 2^{(b−1)m−n+1}. Multiplying the probabilities from the first equation to the last, we finally obtain that for some j ∈ [1; ], By the union bound and summing over j ∈ [1; ], the probability that coll_i happens is at most 2 /2^n. Similarly the probability that coll_i happens is at most 2 /2^n, and thus the event COLL_i holds with probability at most 4 /2^n. This allows us to bound the probability that the coupling fails and thus the NCPA- Proof. Using Lemma 1, for any ≤ q − 1, one has where the third inequality comes from the fact that Pr for any three events A, B, C, namely we simply reduce the number of intersected sets, which can only enlarge the probability, and the last inequality is due to Lemma 3 and the union bound. Hence, by a hybrid argument, we have which concludes the proof.
In order to prove the CCA-security of unbalanced Feistel ciphers, we follow the classical strategy of composing two NCPA-secure ciphers, which is justified by the following lemma of Maurer, Pietrzak, and Renner [MPR07, Corollary 5].
Lemma 5 (Composition Lemma). If F and G are two independent blockciphers with the same domain, then for any q, one has Theorem 1. Let UBF_r[m, n] be an unbalanced Feistel cipher with r rounds, where r = 2n/m + 2(n/m + 1)t + 1 and m ≤ n; then one has Coupling for Expanding Round Function Case. We then consider the case when m > n. See Fig. 1b for an illustration. Note that we define b = m/n here. The proof is the same as before, except that Lemma 3 is replaced by the following one.
, where is the number of queries that have been made to the cipher before the coupling. Proof. Recall that COLL_i = coll_i ∪ coll_i. We first consider the event coll_i; the result for coll_i can be obtained by similar arguments. Event coll_i happens if This happens with probability at most 2 i−1 and A^j_{i−1} must have the same last n bits. In other words, the (i − 1)-th round outputs of these two queries must share the last 2n bits. Repeating this reasoning leads us to examine the case that, for every k < b, the (i − k)-th round outputs of the two queries must have the same last (k + 1)n bits. When this chain of arguments stops at round i − b + 1, the outputs at that round must agree on the last bn bits, which occurs with probability at most 2^{−n} by further recursive arguments. Hence by the union bound, the probability of Thus by the union bound, the event COLL_i holds with probability at most 2 b/2^n. By the above lemma, we can obtain the NCPA-security of UBF_r[m, n] with expanding round functions.
Lemma 7. Let UBF_r[m, n] be an unbalanced Feistel cipher with r rounds, where r = b + 2t + 1 and m > n. Then Proof. Using Lemma 1 and Lemma 6, for any ≤ q − 1, one has Hence by a hybrid argument, we have which concludes the proof.
Following a similar procedure to the case m ≤ n, we obtain the CCA-security of UBF_r[m, n] with expanding round functions.
Theorem 2. Let UBF_r[m, n] be an unbalanced Feistel cipher with r rounds, where r = 2n/m + 4t + 1 and m > n; then one has Unbalanced Numeric Feistel. It is tempting to ask whether the above improvements can be transferred to numeric variants of unbalanced GFNs. However, we did not succeed, due to the high complexity of analyzing the internal collision probabilities. As such, we leave this for future work.

Alternating Feistel
Definition of the Scheme. An alternating Feistel cipher with r rounds (denoted by We assume r is even for simplicity. It then has key space K = (Func(n, m) × Func(m, n))^{r/2} and message space {0,1}^{n+m}. See Fig. 1c for an illustration. For the numeric variant of the alternating Feistel, we define it from numeric round functions. Given integers M and N, let be an operation for which (Z_M, ) is the group of integers modulo M and (Z_N, ) is the group of integers modulo N. Then a numeric alternating Feistel cipher with r rounds (denoted by NALF_r[M, N]) is specified by r numeric round functions F_1, ..., F_r, where F_i is from Z_N to Z_M if i is odd, and F_i is from Z_M to Z_N if i is even. See Fig. 1d for an illustration. We consider the case that the alternating Feistel cipher starts with a contracting round function (m ≤ n or M ≤ N), because a security bound for this case implies the same security bound for the cipher starting with an expanding round function after one additional round.
Security of Alternating Feistel. We show improved security bounds for both the alternating Feistel cipher and the numeric alternating Feistel cipher by way of a more fine-grained coupling argument, and obtain the following two theorems.
Theorem 3. Let ALF_r[m, n] be an alternating Feistel cipher with r rounds, where r = (12n/m + 2)t + 5 and m ≤ n; then one has Theorem 4. Let NALF_r[M, N] be a numeric alternating Feistel cipher with r rounds, where r = (12 log_M N + 2)t + 5 and M ≤ N; then one has We briefly discuss the reasons behind these better bounds. In the NCPA-security proof of the alternating Feistel cipher, we use 6n/m + 4 rounds for the first coupling trial, which is the same as Hoang and Rogaway's method [HR10a], but in each of the following coupling trials, by using a stronger collision lemma, we are allowed to use only 6n/m + 1 rounds and thus save three rounds per trial. On the other hand, in the proof from NCPA-security to CCA-security, we decompose the middle round function as the xor of two independent round functions and hence save one more round for the whole scheme. We obtain the improved bound for numeric alternating Feistel using a similar method. The proofs of these two theorems can be found in Appendix A.

Multi-line GFNs
In this section, we first give the definitions of type-1, type-2 and type-3 Feistel ciphers respectively, and then show the improved security bounds.

Security of Type-1, Type-2, and Type-3 Feistel
From a more careful analysis of the coupling argument, we improve previous security bounds of type-1, type-2, and type-3 Feistel respectively, and obtain the following three theorems.
Theorem 5. Let Feistel1_r[k, n] be a type-1 Feistel cipher with r rounds, where r = Theorem 6. Let Feistel2_r[k, n] be a type-2 Feistel cipher with r rounds, where r = 2kt + 1. Then Theorem 7. Let Feistel3_r[k, n] be a type-3 Feistel cipher with r rounds, where r = (k + 2)t + 1. Then We use a similar idea to improve Hoang and Rogaway's bounds for these three multi-line Feistels. Taking type-1 Feistel as an example, in the proof of NCPA-security of type-1 Feistel, we use 2k − 1 rounds in the first coupling trial, but in each of the following trials, by proving a stronger collision lemma, we are able to use only 2k − 2 rounds and thus save one round per trial. We also decompose the middle round function as the xor of two independent round functions and save one more round for the whole scheme. The proofs for these three theorems can be found in Appendix B.

TBC-based GFN
We first establish the NCPA-security of TGF_r[ω, 2n] by way of coupling. Assume that the number of distinct tweak values involved in the q queries is d, and each tweak W_i corresponds to q_i queries (thus Σ_{i=1}^{d} q_i = q). As such, we reorder the q non-adaptive queries according to their tweaks, i.e., For each 1 ≤ s ≤ d and 1 ≤ ≤ q_s − 1, we denote by µ_{s,} the distribution of the ( + 1 + Σ_{i=1}^{s−1} q_i) outputs of TGF_r[ω, 2n] when it receives inputs ((W_1, X_{1,1}), ..., (W_s, X_{s,}), (W_s, X_{s, +1})), and by µ_{s, +1} the distribution of the ( + 1 + Σ_{i=1}^{s−1} q_i) outputs of TGF_r[ω, 2n] when it receives inputs ((W_1, X_{1,1}), ..., (W_s, X_{s,}), (W_s, U_{s, +1})), where U_{s, +1} is chosen uniformly at random from {0,1}^{2n} \ {X_{s,1}, ..., X_{s,}}. Note that each distinct tweak gives rise to a different (apparently independent) family of permutations. Also it is apparent that ‖µ_{s−1,q_s} − µ_{s,1}‖ = 0 for any 1 ≤ s ≤ d, namely the statistical distance between two consecutive distributions with different tweaks is zero. Hence we can just consider distributions among queries with the same tweak. Fix s and . We now proceed to describe a coupling of µ_{s,} and µ_{s, +1}.
The Coupling. For 1 ≤ j ≤ + 1, let A^j_{s,0} and B^j_{s,0} denote respectively the left half and the right half of X_{s,j}, and for 1 ≤ i ≤ r, let A^j_{s,i} and B^j_{s,i} be recursively defined by A^j_{s,i} = B^j_{s,i−1} and B^j_{s,i} = P_i(W_s‖B^j_{s,i−1}, A^j_{s,i−1}). For any 1 ≤ j ≤ and 1 ≤ i ≤ r, we simply set P_i(W_s‖B^j_{s,i−1}, A^j_{s,i−1}) = P_i(W_s‖B^j_{s,i−1}, A^j_{s,i−1}). Since the first queries to the second network are the same as to the first, this results in identical first outputs from both networks. Let C^{+1}_{s,0} and D^{+1}_{s,0} denote the left half and the right half of U_{s, +1} respectively. We then explain how the ( + 1)-th queries are coupled. For 1 ≤ i ≤ r, let C^{+1}_{s,i} and D^{+1}_{s,i} be recursively defined by C^{+1}_{s,i} = D^{+1}_{s,i−1} and D^{+1}_{s,i} = P_i(W_s‖D^{+1}_{s,i−1}, C^{+1}_{s,i−1}). We couple the random outputs in the processing of X^{+1} and U^{+1} arbitrarily for the first round. For i ≥ 1, we define two bad events as follows, which may happen in each TGF_r[ω, 2n]:
• coll_i: there exists some j ≤ such that D^{+1}_{s,i} = B^j_{s,i} ∧ B^{+1}_{s,i+1} = B^j_{s,i+1};
• coll_i: there exists some j ≤ such that B^{+1}_{s,i} = B^j_{s,i} ∧ D^{+1}_{s,i+1} = B^j_{s,i+1}.
We justify the intuition behind these two bad events in turn. Denote by Set(B^j_{s,i}) the set of previous outputs of P_{i+1} under the tweak W_s‖B^j_{s,i}. If the first bad event happens, then we cannot assign the value B^{+1}_{s,i+1} to D^{+1}_{s,i+1}, because D^{+1}_{s,i+1} is uniformly distributed in the set {0,1}^n \ Set(B^j_{s,i}) and cannot be assigned a value in Set(B^j_{s,i}). If the second bad event occurs, then we cannot assign the value B^{+1}_{s,i+1} to D^{+1}_{s,i+1}, because B^{+1}_{s,i+1} is uniformly distributed in the set {0,1}^n \ Set(B^j_{s,i}) and cannot take a value in Set(B^j_{s,i}). For i = 1, ..., r − 1, we define P_{i+1}(W_s‖D^{+1}_{s,i}, C^{+1}_{s,i}) as follows:
• if either coll_i or coll_i happens, then ) is defined so as to ensure consistency with earlier queries;
• if neither of the two events happens, then we define the tweakable permutation as
To bound the probability of the above two bad events, we further define four events for i ≥ 2 as follows:
• s,i−1 appears at least c times in previous queries, namely the number of indices j ∈ {1, ..., } such that B^j_{s,i−1} = D^{+1}_{s,i−1} is ≥ c;
• s,i appears at least c times in previous queries, namely the number of indices j ∈ {1, ..., } such that B^j_{s,i} = B^{+1}_{s,i} is ≥ c;
• s,i appears at least c times in previous queries, namely the number of indices j ∈ {1, ..., } such that B^j_{s,i} = D^{+1}_{s,i} is ≥ c.
Note that c is a threshold here and will be determined at the end of our analysis. We analyze the event E1_i first. If the event E1_i occurs, then there must exist a sequence of indices j_1, j_2, ..., j_c ∈ {1, ..., } such that Note that if B^{j_1}_{s,i−2} = B^{j_2}_{s,i−2}, then we cannot have B^{j_1}_{s,i−1} = B^{j_2}_{s,i−1}, since otherwise this would contradict the assumption that X_{s,j_1} and X_{s,j_2} are two distinct queries. On the other hand, if s,i−2, ..., B s,i−2} and each distinct value corresponds to i queries (thus Σ_{i=1}^{a} i = ). Then the probability of E1_i can be bounded by where (5) comes from Maclaurin's inequality (Lemma 2) and (6) comes from Stirling's approximation c! ≥ (c/e)^c. Following a similar argument, we can obtain We then proceed to analyze the bad events coll_i and coll_i. If neither E1_i nor E2_i happens, then D^{+1}_{s,i} is uniformly distributed in a set of size at least 2^n − c, and so is B^{+1}_{s,i+1}. For convenience, we denote by by the union bound. Thus for the bad event coll_i, we have Similarly, denoting E34_i = E3_i ∨ E4_i, for the second bad event coll_i we have If COLL_i does not happen, then by the above coupling method these two ciphers have identical outputs at the (i + 2)-th round, i.e., the coupling succeeds. Otherwise we consider the next two rounds. According to the previous analysis, the upper bound on the probability of COLL_i is unrelated to the previous i − 2 rounds, namely unrelated to COLL_{i−2}, COLL_{i−4}, ..., COLL_1. Let Fail_s denote the event that we fail to couple these two tweakable ciphers with respect to the tweak W_s. We bound the NCPA-security of TGF_r[ω, 2n] by the following lemma.
Lemma 8. Let TGF_r[ω, 2n] be a tweakable blockcipher-based generalized Feistel with r rounds, where r = 2t + 1. Then one has Proof. Using Lemma 1 and Equation (7), for any s ≤ d and ≤ q_d − 1, one has where the last inequality comes from the fact that the upper bound on the probability of COLL_{2i−1} is unrelated to COLL_{2j−1} for 1 ≤ j ≤ i − 1. By a hybrid argument, we have which concludes the proof.
Since we are now working with tweakable blockciphers, we cannot use Lemma 5 to obtain the CCA-security of TGF_r[ω, 2n]. Instead, we use another composition lemma for tweakable blockciphers to obtain the CCA-security. The proof of this lemma can be found in [LS14].
Lemma 9. Let Ẽ_1 and Ẽ_2 be two tweakable blockciphers with the same set of tweaks and the same message space, satisfying:

Then Adv^cca
Let TGF_r[ω, 2n] be a tweakable blockcipher-based Feistel with r rounds, where r = 4t + 2. Then Proof. Since the internal construction of TGF_r[ω, 2n] differs from those of the previous Feistel ciphers, we cannot use the same strategy as in the proof of Theorem 1, i.e., replacing the middle round function of a (2r − 1)-round Feistel with the xor of two independent functions. However, we can see a 2r′-round TGF_r[ω, 2n] as the cascade of an r′-round TGF_r[ω, 2n] and the inverse of an independent r′-round TGF_r[ω, 2n], where r′ = 2t + 1. Note that the NCPA-security of the inverse of TGF_r[ω, 2n] is exactly the same as the NCPA-security of TGF_r[ω, 2n]. The result then follows directly by combining Lemma 9 and Lemma 8.

NCPA Tightness at 3 Rounds.
To complete this section, we demonstrate an NCPA attack against 2-round TGF_r[ω, 2n] with 2^{n/2} complexity. This shows that Lemma 8 is tight when t = 1, i.e., with 3 rounds. The adversary chooses q queries (W, A^1_0‖B), ..., (W, A^q_0‖B), i.e., the right halves of these plaintexts are the same while the left halves are distinct, and asks these queries to the 2-round TGF_r[ω, 2n]. The q left halves of the corresponding ciphertexts are distinct, since P_1 is a permutation for the fixed tweak W‖B. However, in the ideal world, when the adversary interacts with a 2n-bit random tweakable permutation, the chance that there exists a pair of ciphertexts having the same left half among these outputs is about q^2/2^n. Hence the distinguishing advantage is ≈ 1 when q ≈ 2^{n/2}.
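To make the structural reason behind this round-count requirement concrete, here is an added Python experiment (not code from the paper) that instantiates TGF_r[ω, 2n] from lazily sampled ideal tweakable permutations following the recursion A_i = B_{i−1}, B_i = P_i(W‖B_{i−1}, A_{i−1}) of the coupling section, queries it with plaintexts that share the right half B, and counts left-half collisions for 2 rounds, 3 rounds and an ideal 2n-bit tweakable permutation. The block size n = 8, q = 128, the tweak value, and the tuple encoding of W‖B are constructed assumptions.

```python
import random


class IdealTweakablePermutation:
    """Lazily sampled ideal tweakable permutation on `bits`-bit blocks.

    Each distinct tweak indexes an independent, uniformly random permutation;
    entries are sampled on first use, so only the queried points are stored."""

    def __init__(self, bits, rng):
        self.size = 1 << bits
        self.rng = rng
        self.tables = {}  # tweak -> (forward map, set of already-used outputs)

    def __call__(self, tweak, x):
        fwd, used = self.tables.setdefault(tweak, ({}, set()))
        if x not in fwd:
            y = self.rng.randrange(self.size)
            while y in used:            # resample until the output is unused,
                y = self.rng.randrange(self.size)  # keeping the map injective
            fwd[x] = y
            used.add(y)
        return fwd[x]


def tgf_encrypt(round_perms, w, left, right):
    """TGF_r[omega, 2n] on the 2n-bit block (A_0, B_0) = (left, right) under tweak W:
        A_i = B_{i-1},   B_i = P_i(W || B_{i-1}, A_{i-1}).
    The tweak W || B_{i-1} is encoded here as the tuple (w, b); the paper
    fixes no concrete encoding, so this is an assumption of the example."""
    a, b = left, right
    for p_i in round_perms:
        a, b = b, p_i((w, b), a)
    return a, b


def count_left_half_collisions(ciphertexts):
    """Number of colliding left halves among a list of (A_r, B_r) outputs."""
    lefts = [a for a, _ in ciphertexts]
    return len(lefts) - len(set(lefts))


def left_half_experiment(n=8, q=128, seed=2024):
    """Query 2-round and 3-round TGF, plus an ideal 2n-bit tweakable permutation,
    with q plaintexts that share the right half B and have distinct left halves,
    all under one tweak W.  Returns the left-half collision count of each.

    With 2 rounds the output left half is B_1 = P_1(W || B, A_0), a permutation
    of the distinct A_0 values, so it can never collide.  With 3 rounds the
    output left half is B_2 = P_2(W || B_1, B), evaluated under q different
    tweaks, so it behaves like q independent uniform values and collides about
    q^2 / 2^(n+1) times, just as the ideal 2n-bit permutation does."""
    rng = random.Random(seed)
    perms = [IdealTweakablePermutation(n, rng) for _ in range(3)]
    w, shared_b = 0x5A, 0x33                     # constructed tweak and right half
    results = {}
    for r in (2, 3):
        outs = [tgf_encrypt(perms[:r], w, a, shared_b) for a in range(q)]
        results[r] = count_left_half_collisions(outs)
    ideal = IdealTweakablePermutation(2 * n, rng)
    outs = [divmod(ideal(w, (a << n) | shared_b), 1 << n) for a in range(q)]
    results["ideal"] = count_left_half_collisions(outs)
    return results


if __name__ == "__main__":
    res = left_half_experiment()
    print(f"left-half collisions: 2 rounds = {res[2]}, 3 rounds = {res[3]}, "
          f"ideal 2n-bit tweakable permutation = {res['ideal']}")
```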

Conclusion
We present (refined) coupling arguments for various generalized Feistel networks: for unbalanced, alternating, type-1, type-2, and type-3 Feistel networks, we substantially improve existing bounds; for the tweakable blockcipher-based domain extension scheme of Coron et al., we present the first 2n-bit security proof.
Unsurprisingly, coupling only reaches 2n-bit (or n-bit) security with a large number of rounds. It is unclear whether the recently introduced and promising χ² method [DHT17] could yield this result for any of the GFNs at a relatively small number of rounds r; we leave this as an open question.

A Proof for Alternating Feistel
We generalize the operator in NALF r [M, N ] to any two group operators in Z M and Z N , and regard ALF r [m, n] as a special case.We now prove the NCPA-security of NALF r [M, N ].We shall use a similar strategy as in the case of UBF r [m, n].Fix an integer ≤ q − 1.We denote µ the distribution of the ( + 1) outputs of the NALF r [M, N ] when it receives inputs (X 1 , . . ., X , X +1 ), and µ +1 the distribution of ( + 1) outputs of the NALF r [M, N ] when it receives inputs (X 1 , . . ., X , U +1 ), where U +1 is chosen uniformly at random from Z M N \ {X 1 , . . ., X }.Our goal is to describe a coupling of µ and µ +1 .
The Coupling.To avoid the bound falling short with min(M, N ) which has been pointed out in [HR10a], we use the same expanding round functions at each even round for these two ciphers, and show how to couple them at odd round.For 1 ≤ j ≤ + 1, let A j 0 and B j 0 denote respectively the Z M part and Z N of X j and for 1 ≤ i ≤ r, let A j i and B j i recursively be defined as For any 1 ≤ j ≤ and odd i ∈ {1, 3, . . ., r − 1}, we simply set F i (B j i−1 ) = F i (B j i−1 ).Since the first queries to the second cipher are the same as to the first one, this leads to the first outputs of both ciphers being identical.Let C +1 0 and D +1 0 denote the Z M part and Z N of U +1 .We then explain how the ( + 1)-th queries are coupled.For the first two rounds, we couple the random outputs in the processing of X +1 and U +1 arbitrarily.For i ∈ {2, 4, . . ., r − 2}, we define a bad event which may occur in each Feistel cipher.We say that coll i occurs if B +1 i is equal to B j i for some 1 ≤ j ≤ , namely the input value to the (i + 1)-th round function at the ( + 1)-th query collides with the input value for some previous query X j .Similarly, we say that coll i occurs if D +1 i is equal to B j i for some 1 ≤ j ≤ .Define We first upper bound the probability of the event BCOLL i , and then show how to efficiently couple conditioned on BCOLL i .
Lemma 10. Consider a numeric alternating Feistel cipher NALF r [M, N ] with even r rounds. For any i ∈ {2, 4, . . ., r} and any subset S ⊆ {2, 4, . . ., i − 2}, one has where is the number of queries that has made to the cipher before the coupling. Proof.
]. This is equivalent to i otherwise this would contradict the hypothesis that X +1 and X j are distinct queries. Summing over j ∈ [1; ], the probability of coll i is at most N . By similar reasoning, we can obtain that the probability that coll i happens is at most N . The result then follows by the union bound.

Lemma 11. For an integer
We will extend the coupling strategy in [HR10a, Appendix B] to reduce the total number of rounds in the coupling procedure. Fix some even integer i ∈ {2, 4, . . ., r − 2b − 2}. We let i+2b+1 whenever BCOLL i does not occur and where ϕ i is the permutation given by Lemma 11, otherwise we couple it arbitrarily. We show this coupling strategy is sound since when BCOLL i fails, C i is a tuple of n-bit uniformly random values and so is C * i = ϕ i (C i ), and A +1 i+2b+1 is an n-bit uniformly random string and so is C +1 i+2b+1 . Hence conditioned on BCOLL i and from Lemma 11, the chance that X +1 and U +1 disagree on their outputs at round i + 2b + 2 is at most 1 N . From Lemma 11 and by the union bound, the probability that BCOLL i occurs is at most 2(b + 1) /N conditioned on ∩ s∈S COLL s for any subset S ⊆ {2, 4, . . ., i − 2}. Denote by Fail i the event that we fail to couple these two ciphers at round i + 2b + 2, then we have Let Fail denote the event that we fail to couple these two Feistel ciphers at the end. We then bound the NCPA-security of NALF r [M, N ].
Lemma 12. Let NALF r [M, N ] be a numeric alternating Feistel cipher with r rounds, where r = 2 + (2b + 1)t + 1 and M ≤ N . Then Proof. Using Lemma 1 and from the above coupling analysis, for any ≤ q − 1, one has where the last inequality is due to Lemma 10. Hence, by the hybrid argument, we have which concludes the proof.
Following similar arguments as in the case of unbalanced Feistel ciphers, we obtain the CCA-security of NALF r [M, N ] and subsequently the CCA-security of ALF r [m, n].
The Coupling. For 1 ≤ i ≤ + 1 and 1 ≤ j ≤ k, let A i 0 [j] denote the j-th n bits of X i and for 1 ≤ s ≤ r, let A i s [1], . . ., A i s [k] be recursively defined as For any 1 ≤ i ≤ and 1 ≤ s ≤ r, we simply let ). Since the first queries to the second Feistel are the same as those to the first one, this leads to the first outputs of both ciphers being identical. For 1 ≤ j ≤ k, let B +1 0 [j] denote the j-th n bits of U +1 and for 1 ≤ s ≤ r, let We then explain how the ( + 1)-th queries are coupled. For the first k − 2 rounds, we couple the random outputs in the processing of X +1 and U +1 arbitrarily. For round i ≥ k − 1, we define a bad event which may happen in each Feistel cipher. We say that coll i occurs if for some 1 ≤ j ≤ . Similarly, we say that coll i occurs if for some 1 ≤ j ≤ . Then for i = 0, 1, . . ., r − 1, we define F i+1 (B +1 i [1]) as follows: ) is defined so as to ensure consistency with the earlier queries; • if coll i does not occur while coll i occurs, then F i+1 (B +1 i ) is chosen uniformly at random from {0, 1} n ; • if neither coll i nor coll i occurs, then we define If neither coll i nor coll i occurs for k consecutive rounds i, . . ., i + k − 1 then X +1 and U +1 will have the same first n bits of output at rounds i + 1, . . ., i + k, and thus have identical outputs at round i + k and so at any subsequent rounds, namely the coupling will be successful. Denote COLL i = coll i ∪ coll i for any k − 1 ≤ i ≤ r. Let Fail be the event that the coupling does not succeed. Then We upper bound the term on the right hand side by the following lemma.
Lemma 13. In the blockcipher Feistel1 r [k, n], for any i ∈ [k − 1; r] and any subset where is the number of queries that has made to the cipher before the coupling.
Proof. We first consider the event coll i . Event coll i occurs if differs, then this equation occurs with probability at most 2 −n , because F i is uniformly random and independent of ∩ s∈S COLL s . If Repeating this argument leads us to examine that the outputs at round i − 2 should agree at the first 3n bits, and then the outputs at round i − 3 should agree at the first 4n bits, and so on. Finally when this argument arrives at round i − k + 1, the outputs at this round must be identical, which contradicts the hypothesis that X +1 and X j are two distinct queries. Hence by the union bound and summing over j ∈ [1; ], the event coll i holds with probability at most (k − 1) /2 n . This allows us to upper bound the probability that the coupling fails and thus the NCPA-security of Feistel1 r [k, n]. Lemma 14. Let Feistel1 r [k, n] be a type-1 Feistel cipher with r rounds, where r = 2t(k − 1) + 1. Then Using Lemma 1 and Lemma 13, for any ≤ q − 1, one has Hence by the hybrid argument, we have As pointed out in [HR10b], type-1 Feistel is not symmetric, and the inverse of type-1 Feistel has worse NCPA-security than its forward version. So we need another lemma rather than directly applying Lemma 13 to prove the NCPA-security of its inverse. We follow a similar strategy as in [HR10b], but bound the collision probability in a different way. We define another cipher called type-4 Feistel. Let F : {0, 1} n → {0, 1} n define a permutation Φ F over {0, 1} kn by way of Φ With the same notations as in the NCPA-security proof of Feistel1 r [k, n], we say coll i occurs if for some 1 ≤ j ≤ , and say coll i occurs if Then the NCPA-security proof for Feistel4 r [k, n] is similar to that of Feistel1 r [k, n], but Lemma 13 is replaced by the following result. processing of X +1 and U +1 arbitrarily. For round i > k − 1, we define a bad event that may occur in each cipher. We say coll i occurs if there exists some s ≤ k/2 such that for some 1 ≤ j ≤ , that is, the input value to the (i + 1)-th round function f i+1,s collides with the previous input values. Similarly, we say that coll for some 1 ≤ j ≤ and 1 ≤ s ≤ k/2. Then for i = 0, . . ., r − 1 and 1 ≤ s ≤ k/2, we define f i+1,s (B +1 i [2s − 1]) as follows: ) is defined so as to ensure consistency with the previous query; If neither coll i nor coll i occurs for two consecutive rounds i, i + 1 then X +1 and U +1 will have identical outputs at round i + 2 and so are their outputs at any subsequent rounds, namely the coupling succeeds. Denote COLL i = coll i ∪ coll i for any k − 1 ≤ i ≤ r. Let Fail denote the event that the coupling does not succeed. Then We bound the probability of failure of the coupling by the following lemma.

Lemma 17. In the blockcipher
where is the number of queries that has made to the cipher before the coupling.
Proof. We begin by analyzing the event coll i . The proof for coll i is similar. We will show that the chance that two queries have the same input to f i+1,s is at most (k − 1)/2 n for any 1 ≤ s ≤ k/2. Hence by the union bound and summing over j ∈ [1; ], the chance that coll i happens is at most k(k − 1) /2 n+1 . Suppose that X +1 and X j have the same input to f i+1,s , i.e., A +1 then the prior equation occurs with probability at most 2 −n since f i,s is uniformly random and independent of ∩ s∈S COLL s . If Finally when this argument arrives at round i − k + 1, then the outputs of these two queries must be identical, which is a contradiction. Hence by the union bound, the chance that X +1 and X j have the same input to f i+1,s is at most (k − 1)/2 n .
We then use the above lemma to bound the probability that the coupling fails and therewith the NCPA-security of Feistel2 r [k, n].
Lemma 18. Let Feistel2 r [k, n] be a type-2 Feistel cipher with r rounds, where r = kt + 1. Then Proof. From Lemma 1 and Lemma 17, for any ≤ q − 1, one has By the hybrid argument, we can get Using similar arguments as in the proof of Theorem 1, we can obtain the CCA-security of Feistel2 r [k, n] by composing two NCPA-secure ciphers.

B.3 Type-3 Feistel
We now prove the NCPA-security of Feistel3 r [k, n]. We use similar notations to those in the type-2 case. For i ≥ k − 1, we say coll i occurs if there exists some s ≤ k − 1 such that for some 1 ≤ j ≤ . Similarly, we say that coll i occurs if is similar to that of type-2 Feistel, except Lemma 17 is replaced by the following one.

Lemma 19. In the blockcipher
where is the number of queries that has made to the cipher before the coupling.
Proof. We first analyze the event coll i and the proof for coll i is similar. We will show that the probability that two queries have the same input to f i+1,s is at most (k − 1)/2 n for any 1 ≤ s ≤ k − 1. Hence by the union bound and summing over j ∈ [1; ], the chance that coll i happens is at most (k − 1) 2 /2 n . Fix s ≤ k − 1. Suppose that X +1 and X j have the same input to f i+1,s , i.e.
then the prior equation holds with probability at most 2 −n since f i,s is uniformly random and independent of ∩ s∈S COLL s . If Repeating this argument leads us to examine at round i − c for every c < k, it should hold that Eventually when this argument arrives at round i − k + 1, the outputs of these two queries at this round must be equal, which contradicts the hypothesis that X +1 and X j are two distinct queries. Hence by the union bound the chance that X +1 and X j have the same input to f i+1,s is at most (k − 1)/2 n . We proceed to prove the NCPA-security of the inverse of Feistel3 r [k, n], denoted by Feistel3 r [k, n] −1 . Using Lemma 5 then yields the result. We follow a similar strategy as in [HR10b], but bound the collision probability in a different way. Given Feistel cipher with r rounds is obtained by the r-fold composition of Φ F permutations, and will be denoted as Feistel5 r [k, n] : K × {0, 1} kn → {0, 1} kn . It has key space K = (Func(n, n)) (k−1)n and message space {0, 1} kn . We can see there exists a relation between We use similar notations as in the type-2 case. We say coll i occurs if there exists some 1 ≤ j ≤ such that , namely the first block of outputs at round i collides with some previous block. Similarly we define the event coll i that B +1 i [1] = A j i for some 1 ≤ j ≤ , and let COLL i = coll i ∪ coll i . For the first round, we couple the internal outputs in the processing of X +1 and U +1 arbitrarily. For 2 ≤ i ≤ r and 1 ≤ s ≤ k − 1, we define f i,s (B +1 i [s + 1]) as follows: To bound the probability that this coupling method fails, we first prove the following lemma.
Lemma 20. In the blockcipher Feistel5 r [k, n], for any i ∈ [1; r] and any subset S ⊆ [1, i−1], one has where is the number of queries that has made to the cipher before the coupling.
Proof. We first consider the event coll i . The event coll i says that Since X +1 ≠ X j , there must exist some 1 ≤ c ≤ k such that , then clearly the above equation cannot hold. So there must exist some 1 ≤ c ≤ k − 1 such that We will prove the above equation holds with probability at most (k − 1)/2 n by induction on k. For k = 2, the equation is equivalent to [2] which holds with probability at most 1/2 n since there exists some 1 ≤ c ≤ 2 such that . Suppose the assumption holds for k = x − 1; we will prove that it is also true when k = x. For k = x, the equation is Since the assumption is true when k = x − 1, namely the equation holds with probability at most (x − 2)/2 n . Thus for k = x, the targeted equation holds with probability at most , the equation holds with probability 1/2 n regardless of the conditioned set ∩ s∈S COLL s . Hence the event coll i holds with probability at most (k − 1)/2 n . The analysis for the event coll i is similar and by the union bound, the event COLL i holds with probability at most 2(k − 1)/2 n . We now bound the probability that the coupling fails and thus the NCPA-security of type-5 Feistel. If at rounds i and i + 1, for any 1 ≤ s ≤ k − 1, A +1 i [s + 1] and B +1 i [s + 1] are both fresh, namely both never appeared in the set {A 1 i [s + 1], . . ., A i [s + 1]}, and A +1 i+1 [s + 1] and B +1 i+1 [s + 1] are also both fresh, namely both never appeared in the set {A 1 i+1 [s + 1], . . ., A i+1 [s + 1]}, then according to the above coupling rules, X +1 and U +1 will share the same output at round i + 1 and thus at any subsequent rounds. For 2 ≤ i ≤ r and 1 ≤ s ≤ k − 1, denote by BAD1 i,s the event that A +1 i [s + 1] is not fresh. Note that BAD1 i,1 is exactly the event coll i . Then we have where the third inequality is due to Lemma 20, and the second inequality is because conditioned on BAD1 i,s−1 , f i,s (A +1 i [s]) is uniformly distributed in the set {0, 1} n and thus the probability that is not fresh is at most /2 n . Similarly for 2 ≤ i ≤ r and 1 ≤ s ≤ k − 1, we denote by BAD2 i,s the event that B +1 i [s + 1] is not fresh. For any i ≥ 2, by coupling these two ciphers at rounds i and i + 1, the probability that X +1 and U +1 do not share the same outputs at round i + 1 is at most 4( (k − 1) Denote by Fail i the event that we fail to couple these two ciphers at round i for i ≥ 3, so we have Pr[Fail i ] ≤ (8k − 12) 2 n according to the above analysis. Denote by Fail the event that we fail to couple these two ciphers at the end. Then following a similar procedure as in the proof of type-1 Feistel, we can obtain the NCPA-security result of type-5 Feistel, and thus the CCA-security of type-3 Feistel.

Lemma 4.
Let UBF r [m, n] be an unbalanced Feistel cipher with r rounds, where r = b + (b + 1)t + 1 and m ≤ n. Then Rev denote the operation on {0, 1} m+n where Rev(A, B) = (B, A), and |A| = m and |B| = n. Following a similar strategy as in [MP03], we can rewrite an r-round unbalanced Feistel scheme as Rev • G −1 • F where F and G are (r + 1)/2-round Feistel schemes. This can be achieved by replacing the middle round function with the xor of two independent round functions. It can be seen that such a replacement does not change the distribution of the outputs of the scheme. Then from Lemma 4 and Lemma 5, we obtain the CCA-security bound of UBF r [m, n].
where |A[i]| = n. A type-4 Feistel cipher with r rounds is specified by the r-fold composition of Φ F permutations, and will be denoted as Feistel4 r [k, n] : K × {0, 1} kn → {0, 1} kn . It has key space K = (Func(n, n)) r and message space {0, 1} kn . Let Feistel1 r [k, n] −1 be the inverse of type-1 Feistel; we can see there exists a relation between Feistel1 r [k, n] −1 and Feistel4 r [k, n]. Let Rot denote the right rotational shift by n bits. Then Rot −1 • Feistel1 r [k, n] −1 • Rot is a Feistel4 r [k, n]. It is clear that Rot does not change the distinguishing advantage since it is a public operation. So it suffices to bound the NCPA-security of Feistel4 r [k, n].
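As an added example (not the paper's code) of the relation just stated between Feistel1 r [k, n] −1 and Feistel4 r [k, n], the following Python checks on random inputs that conjugating the inverse type-1 network by Rot gives a type-4 network whose round functions are the same F i taken in reverse order. Since Φ F is absent from this page, it assumes the usual [ZMI90]/[HR10b] type-1 round (A[2] ⊕ F(A[1]), A[3], . . ., A[k], A[1]) and Rot as the right rotation by one n-bit block; the round functions are lazily sampled random functions, as in the information-theoretic model.

```python
import random
# Added illustration, not the paper's code. Assumed conventions (usual [ZMI90]/[HR10b]
# shape; the paper's Phi_F is absent from this page): a type-1 round maps (A[1],...,A[k])
# to (A[2] xor F(A[1]), A[3],...,A[k], A[1]); Rot is the right rotation by one n-bit block.

def random_function(n, rng):
    """Lazily sampled random function {0,1}^n -> {0,1}^n (one round key)."""
    table = {}
    def F(x):
        if x not in table:
            table[x] = rng.getrandbits(n)
        return table[x]
    return F

def type1_round(F, A):
    return (A[1] ^ F(A[0]),) + A[2:] + (A[0],)
def type1_round_inv(F, B):
    a1 = B[-1]   # A[1] = B[k], A[2] = B[1] xor F(A[1]), A[j] = B[j-1] for j >= 3
    return (a1, B[0] ^ F(a1)) + B[1:-1]
def type4_round(F, A):
    # shape of Rot^-1 . type1_round_inv . Rot: (A[k] xor F(A[k-1]), A[1], ..., A[k-1])
    return (A[-1] ^ F(A[-2]),) + A[:-1]

def rot(A):      # right rotational shift by n bits
    return (A[-1],) + A[:-1]
def rot_inv(A):  # left rotational shift by n bits
    return A[1:] + (A[0],)

def compose(round_fn, Fs, A):
    """r-fold composition: round_fn with F_1 first, then F_2, ..., F_r."""
    for F in Fs:
        A = round_fn(F, A)
    return A

def feistel1(Fs, A):      return compose(type1_round, Fs, A)
def feistel1_inv(Fs, B):  return compose(type1_round_inv, list(reversed(Fs)), B)
def feistel4(Fs, A):      return compose(type4_round, Fs, A)

def check_relation(k=4, n=8, r=7, trials=200, seed=1):
    """True iff, on random inputs, Feistel1^-1 inverts Feistel1 and Rot^-1 . Feistel1^-1 . Rot
    equals the type-4 network built from the same round functions in reverse order."""
    rng = random.Random(seed)
    Fs = [random_function(n, rng) for _ in range(r)]
    for _ in range(trials):
        A = tuple(rng.getrandbits(n) for _ in range(k))
        if feistel1_inv(Fs, feistel1(Fs, A)) != A:
            return False
        if rot_inv(feistel1_inv(Fs, rot(A))) != feistel4(list(reversed(Fs)), A):
            return False
    return True
```

Because Rot is public and key-independent, a distinguisher for Feistel4 r [k, n] built from the reversed key translates directly into one for Feistel1 r [k, n] −1 with the same advantage, which is why bounding the type-4 cipher suffices.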
Feistel3 r [k, n] −1 and Feistel5 r [k, n] : Rot −1 • Feistel3 r [k, n] • Rot is a Feistel5 r [k, n] where Rot denotes the right rotational shift by n bits. Since Rot is a public operation, it suffices to bound the NCPA-security of Feistel5 r [k, n].