
I was practicing some Python programming and I decided to implement a simple DES encryption function, so I decided to take some shortcuts: instead of DES expansion boxes and S-boxes I just used a simple keyed SHA3 hash function. The input is: 32-bit right side + key (any length I want, but I used 128-bit). The first 32 bits of the hash are XOR-ed with the left side to produce the ciphertext. So now, ignoring that I designed my own crypto and the fact that I used a very simple key schedule function, what are the security advantages of using this hash function instead of a normal one (taking into account that it takes a 128-bit key, which is greater than the 56-bit key of normal DES), and how would it differ if I used SHA2 (would SHA2's susceptibility to length extension attacks affect the security)? Lastly, what are the advantages of using this method?

KMG

1 Answer


The question as initially asked essentially considers a 64-bit symmetric Feistel cipher with 16 rounds, a large (128-bit) key, a near-ideal round function, but the same function and key at each round. A slide attack allows at least a distinguisher, I think with in the order of $2^{31}$ queries to an encryption oracle. With some more, it might be possible to construct plaintext/ciphertext pairs that were not queried. This is an interesting exercise. That makes the security lower than that of DES from several standpoints.

If there is a good key schedule (e.g. if the round counter is appended to the input of the hash), then we are back to a Feistel network, which given the block size and ample rounds is extremely secure. I very much doubt there's an attack better than brute force of the 128-bit key. Security is way above that of DES (but performance in native code is much lower).

With a key schedule based on rotation as in the comment, things depend on the rotation count. But if it's by an odd number of bits, nothing disastrous will happen for overwhelmingly most key values.

If there was a security difference between SHA-2 and SHA-3, that would imply a break of one of these (against a random oracle model for constant input length). On top of that it would be with the attacked hash embedded in a setup extremely hostile to attacks. I discount that.

fgrieu
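The construction discussed in the question and the answer, as an added worked example (this is not code from the asker or the answerer): a 64-bit, 16-round Feistel network whose round function is the first 32 bits of SHA3-256 over `right half || key`, in two variants. The first variant reuses exactly the same keyed function in every round, as the question describes; the second appends the round counter to the hash input, which is the key-schedule fix the answer suggests. `slide_relation_holds` checks the textbook slid-pair identity that a self-similar cipher satisfies: if `P'` is `P` advanced by one round, then `C'` is `C` advanced by one round (modulo the final half-swap). With identical rounds that identity holds for every plaintext; with the round counter in the schedule it does not, which is why a distinguisher exists only for the first variant. The key bytes and plaintext below are constructed test values, not anything from the page.

```python
import hashlib
from typing import Optional

HALF_BYTES = 4   # 32-bit halves, 64-bit block as in DES
ROUNDS = 16

# Constructed 128-bit key and 64-bit plaintext used only for this demonstration.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
PLAINTEXT = bytes.fromhex("0123456789abcdef")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def swap(block: bytes) -> bytes:
    """Exchange the two 32-bit halves of a 64-bit block."""
    return block[HALF_BYTES:] + block[:HALF_BYTES]


def round_function(right: bytes, key: bytes, counter: Optional[int]) -> bytes:
    """Keyed SHA3-256 over right || key (|| round counter when given), truncated to 32 bits.

    counter=None reproduces the question's design: the same function in every round.
    counter=i is the answer's fix: each round gets a distinct function.
    """
    data = right + key
    if counter is not None:
        data += counter.to_bytes(1, "big")
    return hashlib.sha3_256(data).digest()[:HALF_BYTES]


def feistel_round(block: bytes, key: bytes, counter: Optional[int]) -> bytes:
    """One Feistel step: (L, R) -> (R, L xor F(R))."""
    left, right = block[:HALF_BYTES], block[HALF_BYTES:]
    return right + xor(left, round_function(right, key, counter))


def encrypt(block: bytes, key: bytes, use_counter: bool) -> bytes:
    for i in range(ROUNDS):
        block = feistel_round(block, key, i if use_counter else None)
    # Final swap so that decryption is the same network with the schedule reversed.
    return swap(block)


def decrypt(block: bytes, key: bytes, use_counter: bool) -> bytes:
    for i in reversed(range(ROUNDS)):
        block = feistel_round(block, key, i if use_counter else None)
    return swap(block)


def slide_relation_holds(plaintext: bytes, key: bytes, use_counter: bool) -> bool:
    """Check the slid-pair identity of a cipher whose rounds are all identical.

    If every round is the same map R, then E = swap o R^16, so for P' = R(P):
        swap(C') = R^16(R(P)) = R(R^16(P)) = R(swap(C)).
    The identity holds for every P when the schedule is constant and fails
    (except with negligible probability) once the round counter is mixed in.
    """
    c = encrypt(plaintext, key, use_counter)
    slid_plaintext = feistel_round(plaintext, key, None)
    c_slid = encrypt(slid_plaintext, key, use_counter)
    return c_slid == swap(feistel_round(swap(c), key, None))


if __name__ == "__main__":
    for use_counter in (False, True):
        c = encrypt(PLAINTEXT, KEY, use_counter)
        assert decrypt(c, KEY, use_counter) == PLAINTEXT
        print(f"round counter in schedule: {use_counter!s:5}  "
              f"ciphertext={c.hex()}  slide identity holds: "
              f"{slide_relation_holds(PLAINTEXT, KEY, use_counter)}")
```

Both variants encrypt and decrypt correctly; only the schedule differs. The identity checked by `slide_relation_holds` is the structural property a slide attack exploits, so the contrast between the two outputs is the whole point of the answer's remark that appending the round counter to the hash input turns the design back into an ordinary, well-keyed Feistel network.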