Feistel Shuffle (GFC-FPE)

A generalised Feistel cipher that implements format-preserving encryption, bijectively mapping $X \rightarrow X$ with pseudorandom permutation $\pi^{S}$ determined by a random seed $S$. This algorithm was originally proposed by Black & Rogaway [1].

Iteration Bounds

For this implementation of the generalised Feistel cipher, the selection of parameters $a$ and $b$ for a cipher on domain $k$ are automatically chosen as $a = b = h = \lceil \sqrt{k} \rceil$ (the next perfect square). This gives (from [1]):

$$ \delta_{k} = 2 \cdot \sqrt{k} + 1 $$

where $\delta_{k}$ denotes the number of elements that lie outside of the domain $k$ for which we need to perform an additional cycle-walk iteration.

It follows that the upper bound of cycle-walking iterations $C$ (from [2]) is denoted by:

$$ C = \lceil \frac{n}{h} \rceil $$

Pseudorandom Round Functions

With an input domain $D$, the round function $f_i$ should output unique keys $K_0, ..., K_{r-1}$, where $D \subset K$, that will be used as the round keys for $r$ rounds of Feistel.

Feistel Rounds

According to [3], performing $r = 4$ rounds of Feistel is sufficient for CCA security (whatever the hell that is).

Randomness of Permutations

We do a little empirical testing to show the randomness of permutations generated by GFC-FPE.

The following figure shows the permuted indices (y-axis) for each input (x-axis) in a domain of size $10000$ with $r = 4$ Feistel rounds, using keccak256 and some 256-bit random seed as the pseudorandom function.

The following figure plots 10 instances of GFC-FPE outputs with the same configuration as above, but using a different 256-bit random seed for each instance.

Literature

[1] John Black and Phillip Rogaway. 2002. Ciphers with arbitrary finite domains. In Topics in Cryptology—CT-RSA 2002: The Cryptographers’ Track at the RSA Conference 2002 San Jose, CA, USA, February 18–22, 2002 Proceedings, Springer, 114–130.

[2] Bruce Schneier and John Kelsey. 2005. Unbalanced Feistel networks and block cipher design. In Fast Software Encryption: Third International Workshop Cambridge, UK, February 21–23 1996 Proceedings, Springer, 121–144.

[3] Michael Luby and Charles Rackoff. 1988. How to construct pseudorandom permutations from pseudorandom functions. SIAM Journal on Computing 17, 2 (1988), 373–386.

[4] Viet Tung Hoang and Phillip Rogaway. 2010. On Generalized Feistel Networks. In CRYPTO, Springer, 613–630.

[5] Vitalik Buterin. 2018. feistel_shuffle.py. In ethereum/research.