Beyond-birthday security for permutation-based Feistel networks

Initiated by Luby and Rackoff (SIAM J. Computing, ’88), the information theoretic security of Feistel networks built upon random functions has been extensively studied. In sharp contrast, the exact security of Feistel networks built upon invertible random permutations remains largely unknown, particularly in the regime of beyond-birthday-bound. To bridge this gap, we reduce the problem to counting solutions to systems of linear equations and non-equations, and then derive lower bounds for the number of such solutions via a technical lemma. These yield known-plaintext security against 2^2n/3 adversarial queries at 3 rounds, 2^2n/3 chosen-plaintext security at 5 rounds, and 2^2n/3 chosen-ciphertext security at 7 rounds. To our knowledge, these are the first beyond-birthday bounds for permutation-based Feistel. As potential applications, these give rise to beyond-birthday secure domain extenders for blockciphers with efficiency among the best known.