Talk:Feistel cipher

Schneier and Blaze's MacGuffin
Matt,

Perhaps Schneier and Blaze's MacGuffin should be added to the list? Thanks for the assist at padding. I'm going to look it over now. Oops about windowing vs winnowing. Remember the grey matter.... It's increasing the leak rate. Pretty soon I'll be suitable for a problem in introductory calculus.

ww 20:21, 12 Apr 2004 (UTC)

Missing part in the model of the structure
I was struggling with showing that encryption and decryption is the same (except for the reversel of the key order) in an assignment in my studies. I tried using this article as a basis to understand it, but discovered after a while that there is a minor flaw in the figure of the structure.

After the last round in the feistel structure is run, there is an extra flip of Ln/Rn, making the result of the last round and the entire process different. This is important when trying to understand why it works to run the same algorithm for decryption as for encryption.

You can see a correct model in William Stallings' book Network Security Essentials, on page 33, in the 2nd edition of the international version of the book.

Andre Rakvåg

Student, Norway — Preceding unsigned comment added by 129.241.200.78 (talk) 13:32, 2005 June 4 (UTC)


 * I believe the diagram is correct, since two swaps is equivalent to no swaps. Lunkwill 19:18, 6 Jun 2005 (UTC)

Determining the key space of a general Feistel
I am really fresh to this, so if this comment does not make much sense, please remove it. However, as a beginner, it would be really useful to have an example formula for the keyspace of a Feistel, and an explanation. I have a problem where I have to figure this out, and it would be great to know if I did it correctly ;) —Preceding unsigned comment added by Crabpot8 (talk • contribs)

Decryption formula
I am no expert, but by rearanging the encryption formulas should not we get this formula for decryption:
 * $$L_{i-1} = R_i \oplus f(L_i, K_{i-1})$$

rather then this
 * $$L_{i-1} = R_i \oplus f(L_i, K_i)$$

? —Preceding unsigned comment added by Dsrbecky (talk • contribs)

Diagram Location
Why was the diagram moved to the top, but the text of the in the Construction Details left the same: "This diagram illustrates both encryption and decryption. Note the reversal of the subkey order for decryption; this is the only difference between encryption and decryption:"

This makes no sense now because there is no longer a diagram there. I'll wait a few days for comments, but if nobody objects I'm going to revert it. — Preceding unsigned comment added by 128.186.122.151 (talk) 21:56, 2007 July 2 (UTC)


 * A diagram says a thousand words, so people coming to see the article for the first time get help with seeing the diagram early. I'll change the text to say: "The introductory diagram illustrates..." Alternatively we could have the diagram in both places. Daniel.Cardenas 22:54, 2 July 2007 (UTC)


 * This diagram is confusing, when the reader does not know the definition of the symbols used in the diagram. I agree with the previous writer that it makes more sense to have the diagram in the construction section, where a reader can immediately compare the definition and the diagram. There is also a small mismatch between using f in the definition and F in the diagram for the same function. 85.2.52.165 07:27, 3 July 2007 (UTC)


 * Thanks for making the edit. The article flows better now.
 * — Preceding unsigned comment added by 128.186.122.215 (talk) 16:08, 2007 July 3 (UTC)

How many rounds are there?
The diagram has $$n+1$$ rounds. The description has $$n$$ rounds and is incorrect. 85.2.52.165 08:11, 3 July 2007 (UTC)
 * Would it be possible to get a diagram with n rounds, i.e. using keys $$K_0$$ upto $$K_{n-1}$$ and fix the text accordingly? 83.76.200.238 (talk) 20:40, 11 September 2011 (UTC)

4 or 7 Rounds for Security?
Section Theoretical Work says
 * ...3 rounds is sufficient to make the block cipher a pseudorandom permutation, while 4 rounds is sufficient to make it a "strong" pseudorandom permutation...

while reference [2] has title
 * Luby-Rackoff: 7 Rounds Are Enough for Security

Can you clarify the statement in above section please? Thanks, 85.124.63.18 (talk) 21:39, 3 February 2009 (UTC)

Response: I think Luby and Rackoff originally proved weaker statements for 3 and 4 rounds, relating to attacks with less than 2^(n/2) oracle invocations. Patarin gives a stronger result in the case of more rounds. —Preceding unsigned comment added by 17.244.133.225 (talk) 07:25, 23 March 2010 (UTC)

Construction details
Are you sure the formula for the ciphertext block is correct? Shouldn't it be Rn,Ln instead of Rn+1,Ln+1? Or do you consider switching the places between Ln and Rn as step n+1? if so, please indicate... (Robinwal (talk) 03:28, 18 October 2012 (UTC))
 * At the moment text and diagrams are at least consistent. But they describe a cipher with n+1 rounds, which is not very intuitive. 178.195.225.28 (talk) 20:11, 18 October 2012 (UTC)

True, someone should change that though, cause it's confusing..... changing K0 to Kn-1, rounds 0 to n-1, and Rn+1,Ln+1 to Rn,Ln for the ciphertext would suffice. (Robinwal (talk) 20:50, 22 October 2012 (UTC))