    Understanding the Related-Key Security of Feistel Ciphers from a Provable Perspective

    We initiate the provable related-key security treatment for models of practical Feistel ciphers. In detail, we consider Feistel networks with four whitening keys $w_i(k)$ ($i=0,1,2,3$) and round-functions of the form $f(\gamma_i(k)\oplus X)$, where $k$ is the main-key, $w_i$ and $\gamma_i$ are efficient transformations, and $f$ is a public ideal function or permutation that the adversary is allowed to query. We investigate conditions on the key-schedules that are sufficient for security against XOR-induced related-key attacks up to $2^{n/2}$ adversarial queries. When the key-schedules are non-linear, we prove security for 4 rounds. When only affine key-schedules are used, we prove security for 6 rounds. These also imply secure tweakable Feistel ciphers in the Random Oracle model. By shuffling the key-schedules, our model unifies both the DES-like structure (known as Feistel-2 scheme in the cryptanalytic community, a.k.a. key-alternating Feistel due to Lampe and Seurin, FSE 2014) and the Lucifer-like model (previously analyzed by Guo and Lin, TCC 2015). This allows us to derive concrete implications on these two (more common) models, and helps understanding their differences---and further understanding the related-key security of Feistel ciphers.

    Comment: The technical part is the same as the submission (only modify to fit into the double column). In "Related Work" comparison with [72] is added: in short, these two works focus on very different goals, and their general results aren't comparabl