We initiate the provable related-key security treatment for models of practical Feistel ciphers. In detail, we consider Feistel networks with four whitening keys wi(k), i = 0, 1, 2, 3, and round functions of the form f(γj (k) ⊕ X), where k is the master key, wi and γj are efficient transformations, and f is a public ideal function or permutation accessible by the adversary. We investigate the key-schedule conditions that are sufficient for security against XOR-induced related-key attacks up to 2n/2 adversarial queries. When the key schedules are non-linear, we prove security for four rounds. When only affine key schedules are used, we prove security for six rounds. These also imply secure tweakable Feistel ciphers in the Random Oracle model. By shuffling the key schedules, our model unifies both the DES-like structure (known as Feistel-2 scheme in the cryptanalytic community, also known as key-alternating Feistel due to Lampe and Seurin) and the Lucifer-like model (previously analyzed by Guo and Lin). This allows us to derive concrete implications on these two (more common) models and helps understanding their related-key security difference.

中文翻译：

---

从可证明的角度理解 Feistel 密码的 Related-Key 安全性


我们为实际的 Feistel 密码模型启动了可证明的关联密钥安全处理。详细地说，我们考虑了具有四个白化键 wi（k）、i = 0、1、2、3 和形式为 f（γj （k） ⊕ X） 的舍入函数的 Feistel 网络，其中 k 是主键，wi 和 γj 是有效变换，f 是对手可以访问的公共理想函数或排列。我们研究了足以抵御 XOR 诱导的相关密钥攻击（最多 2n/2 个对抗性查询）的密钥计划条件。当关键时间表是非线性的时，我们会证明四轮的安全性。当仅使用仿射键 schedules 时，我们证明六轮的安全性。这也意味着 Random Oracle 模型中的安全可调整 Feistel 密码。通过对密钥计划进行洗牌，我们的模型统一了类 DES 结构（在密码分析社区中称为 Feistel-2 方案，由于 Lampe 和 Seurin 也称为密钥交替 Feistel）和类路西法模型（之前由 Guo 和 Lin 分析）。这使我们能够得出对这两个（更常见的）模型的具体影响，并有助于理解它们的 related-key 安全差异。