4

While reading on block ciphers and DES I read that a two-round Feistel network is not a secure PRP. Is there any easy-to-understand proof to explain the intuition behind this statement? I did search around and also reviewed this question but wasn't really able to understand why it isn't a secure PRP. Any help would be much appreciated!

Alex

1 Answer

8

> I read that two-round Feistel network is not a secure PRP

That's easily seen:

[Figure: two-round Feistel cipher]

It holds $P_L\oplus C_L=F_0(P_R)$. That implies a distinguishable property: for any fixed $P_R$ and whatever the round function $F_0$, when we flip bit(s) in $P_L$, that flips the corresponding bit(s) in $C_L$ and leaves the other bit(s) in $C_L$ unchanged.

That property allows a break under Chosen Plaintext Attack.

fgrieu
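The distinguisher described in the answer above, as an added example that is not part of the original answer: a chosen-plaintext test that tells a two-round Feistel oracle apart from a random permutation. Assumptions: 32-bit halves, truncated HMAC-SHA256 as the round function, no swap after the last round (so that $C_L = P_L \oplus F_0(P_R)$ as in the answer), and a lazily sampled permutation as the ideal reference; all function names are illustrative.

```python
import hashlib, hmac, random

HALF_BITS = 32
MASK = (1 << HALF_BITS) - 1

def round_fn(key: bytes, x: int) -> int:
    """Round function F_i (assumed): HMAC-SHA256 truncated to one half-block."""
    mac = hmac.new(key, x.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")

def feistel2(k0: bytes, k1: bytes):
    """Two-round Feistel encryption oracle returning (C_L, C_R)."""
    def enc(pl: int, pr: int):
        cl = pl ^ round_fn(k0, pr)   # C_L = P_L xor F_0(P_R)
        cr = pr ^ round_fn(k1, cl)   # C_R = P_R xor F_1(C_L)
        return cl, cr
    return enc

def ideal_permutation(rng: random.Random):
    """Lazily sampled random permutation on 64-bit blocks (reference oracle)."""
    table, used = {}, set()
    def enc(pl: int, pr: int):
        p = (pl << HALF_BITS) | pr
        if p not in table:
            c = rng.getrandbits(2 * HALF_BITS)
            while c in used:             # resample to stay a permutation
                c = rng.getrandbits(2 * HALF_BITS)
            used.add(c)
            table[p] = c
        c = table[p]
        return c >> HALF_BITS, c & MASK
    return enc

def looks_like_feistel2(oracle, rng: random.Random, trials: int = 8) -> bool:
    """True if, for fixed P_R, a difference in P_L always reappears unchanged in C_L."""
    for _ in range(trials):
        pl, pr = rng.getrandbits(HALF_BITS), rng.getrandbits(HALF_BITS)
        delta = rng.getrandbits(HALF_BITS) | 1   # nonzero difference in P_L
        cl_a, _cr_a = oracle(pl, pr)
        cl_b, _cr_b = oracle(pl ^ delta, pr)
        if cl_a ^ cl_b != delta:                 # F_0(P_R) did not cancel
            return False
    return True

if __name__ == "__main__":
    rng = random.Random(1)   # seeded only to make the demo reproducible
    print("two-round Feistel:", looks_like_feistel2(feistel2(b"k0", b"k1"), rng))
    print("random permutation:", looks_like_feistel2(ideal_permutation(random.Random(2)), rng))
```

The test needs only two chosen plaintexts per trial and never learns the keys or $F_0$; against a random permutation a single trial passes with probability about $2^{-32}$.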