Feistel Shuffle

2023-05-13 • @kevincharm

The Feistel Shuffle is a generalised Feistel cipher (GFC) that implements format-preserving encryption (FPE), bijectively mapping $X \rightarrow X$ with pseudorandom permutation $\pi^S$ determined by a random seed $S$. This algorithm was originally proposed by Black & Rogaway [1].

Using the Feistel Shuffle, we can efficiently perform on-chain shuffles in the EVM by eliminating writes to storage due to its stateless nature.

Iteration Bounds

In our implementation of the generalised Feistel cipher, the selection of parameters $a$ and $b$ for a cipher on domain $k$ are automatically chosen as $a = b = h = \lceil \sqrt{k} \rceil$ (the next perfect square). This gives (from [1]):

$$\delta_{k} = 2 \cdot \sqrt{k} + 1$$

where $\delta_{k}$ denotes the number of elements that lie outside of the domain $k$ for which we need to perform an additional cycle-walk iteration.

It follows that the upper bound of cycle-walking iterations $C$ (from [2]) is denoted by:

$$C = \lceil \frac{n}{h} \rceil$$

Pseudorandom Round Functions

With an input domain $D$, the round function $f_i$ should output unique keys $K_0, ..., K_{r-1}$, where $D \subset K$, that will be used as the round keys for $r$ rounds of Feistel.

Feistel Rounds

According to [3], performing $r = 4$ rounds of Feistel is sufficient for CCA security. This practically means that $r = 4$ rounds are enough to create pseudorandom permutations that are indistinguishable from truly random permutations.

Randomness of Permutations

We do a little empirical testing to show the randomness of permutations generated by GFC-FPE.

The following figure shows the permuted indices (y-axis) for each input (x-axis) in a domain of size $10000$ with $r = 4$ Feistel rounds, using keccak256 and some 256-bit random seed as the pseudorandom function.

The following figure plots 10 instances of GFC-FPE outputs with the same configuration as above, but using a different 256-bit random seed for each instance.

Implementation

• TypeScript reference implementation

Literature

[1] John Black and Phillip Rogaway. 2002. Ciphers with arbitrary finite domains. In Topics in Cryptology—CT-RSA 2002: The Cryptographers’ Track at the RSA Conference 2002 San Jose, CA, USA, February 18–22, 2002 Proceedings, Springer, 114–130.

[2] Bruce Schneier and John Kelsey. 2005. Unbalanced Feistel networks and block cipher design. In Fast Software Encryption: Third International Workshop Cambridge, UK, February 21–23 1996 Proceedings, Springer, 121–144.

[3] Michael Luby and Charles Rackoff. 1988. How to construct pseudorandom permutations from pseudorandom functions. SIAM Journal on Computing 17, 2 (1988), 373–386.

[4] Viet Tung Hoang and Phillip Rogaway. 2010. On Generalized Feistel Networks. In CRYPTO, Springer, 613–630.

[5] Vitalik Buterin. 2018. feistel_shuffle.py. In ethereum/research.