How many queries can you do (concretely, not asymptotically) for a balanced Feistel network with 7 rounds?

Question

In this paper Patarin says that: "for every $\epsilon > 0$, when $m \ll 2^{n(1 - \epsilon)}$ ... for 7 rounds or more it is secure against all adaptive chosen plaintext attacks" where m is the number of queries that the adversary can evaluate.

What concretely is meant by $m \ll 2^{n(1 - \epsilon)}$?

For instance, to have statistical security $2^{-\sigma}$ (e.g. $\sigma = 40$) concretely how many queries can be evaluated?

How would you even define << concretely? It's sort an asymptotic idea. — Adrian Self, Apr 26 '20 at 01:00
@kodlu Where statistical security is the advantage of an adversary has in the Chosen Plaintext Attack game, when they are able to make $m$ queries and have unlimited computational resources. — Daniel-耶稣活着, Apr 26 '20 at 02:24
ok so you want the advantage to be upper bounded by $2^{-40}.$ — kodlu, Apr 26 '20 at 03:22

score 1 · Answer 1 · answered Apr 25 '20 at 23:38

1

The linked paper is missing a lot of proof details. In any case, it seems impossible to say anything concrete for finite $n$ due to the existence of terms in $O(\cdot)$ notation in the bounds. You simply do not know how large those implied constants are.

answered Apr 25 '20 at 23:38

kodlu

22,423
2
27
57

Yeah--the missing proof details is a lot of the problem... In principle if the details of the proof were there I should be able to go through and figure out what the constants are in the $\mathcal{O}()$ notation. But since they are omitted, I was hoping someone out there might know of a place that someone had gone through and calculated the constants. Or if not, a place where I can find the full proof so I can go through and try to figure out the constants myself. – Daniel-耶稣活着 Apr 26 '20 at 02:28
Did it not reference where the full version is, in the paper? These kinds of arguments are usually asymptotic. – kodlu Apr 26 '20 at 03:21
1

see also here https://crypto.stackexchange.com/questions/43870/is-3-rounds-feistel-enough-for-making-prp?rq=1 for a related question and the followup comment which has links to more but based on @fgrieu's comment I don't hold high hopes that you'll get what you want. – kodlu Apr 26 '20 at 03:24
Yes, citation 15. "Extended version of this paper. Available from the author." I was hoping to find a source online, but I can contact the author. – Daniel-耶稣活着 Apr 26 '20 at 03:24
@Daniel-耶稣活着 : The question's paper is cited in Chapter 3 The H-Coefficient Method of Valerie Nachef, Jacques Patarin, Emmanuel Volte's Feistel Ciphers: Security Proofs and Cryptanalysis. Glancing at it from a distance, it looks like a clarified re-exposition. Not that I get much of it. – fgrieu May 11 '23 at 08:33

How many queries can you do (concretely, not asymptotically) for a balanced Feistel network with 7 rounds?

1 Answers1