Editing Feistel cipher (section)

==Construction details==

Let <math>\mathrm{F}</math> be the round function and let <math>K_0, K_1, \ldots, K_n</math> be the sub-keys for the rounds <math>0, 1, \ldots, n</math> respectively.

Then the basic operation is as follows:

Split the plaintext block into two equal pieces: (<math>L_0</math>, <math>R_0</math>).

For each round <math>i = 0, 1, \dots, n</math>, compute

: <math>L_{i+1} = R_i,</math>
: <math>R_{i+1}= L_i \oplus \mathrm{F}(R_i, K_i),</math>

where <math>\oplus</math> means [[XOR]]. Then the ciphertext is <math>(R_{n+1}, L_{n+1})</math>.

Decryption of a ciphertext <math>(R_{n+1}, L_{n+1})</math> is accomplished by computing for <math>i = n, n - 1, \ldots, 0</math>

: <math>R_{i} = L_{i+1},</math>
: <math>L_{i} = R_{i+1} \oplus \operatorname{F}(L_{i+1}, K_i).</math>

Then <math>(L_0, R_0)</math> is the plaintext again.

The diagram illustrates both encryption and decryption. Note the reversal of the subkey order for decryption; this is the only difference between encryption and decryption.

===Unbalanced Feistel cipher===
Unbalanced Feistel ciphers use a modified structure where <math>L_0</math> and <math>R_0</math> are not of equal lengths.<ref>{{cite book |last1=Schneier |first1=Bruce |last2=Kelsey |first2=John |title=Fast Software Encryption |chapter=Unbalanced Feistel networks and block cipher design |volume=1039 |date=21 February 1996 |pages=121–144 |doi=10.1007/3-540-60865-6_49 |url=https://www.schneier.com/academic/paperfiles/paper-unbalanced-feistel.ps.gz |access-date=21 November 2017 |language=en |series=Lecture Notes in Computer Science |isbn=978-3-540-60865-3}}</ref> The [[Skipjack (cipher)|Skipjack]] cipher is an example of such a cipher. The [[Texas Instruments]] [[digital signature transponder]] uses a proprietary unbalanced Feistel cipher to perform [[challenge–response authentication]].<ref name="crypto-rfid">{{cite journal |last1=Bono |first1=Stephen |last2=Green |first2=Matthew |last3=Stubblefield |first3=Adam |last4=Juels |first4=Ari |last5=Rubin |first5=Aviel |last6=Szydlo |first6=Michael |title=Security Analysis of a Cryptographically-Enabled RFID Device |journal=Proceedings of the USENIX Security Symposium |date=5 August 2005 |url=https://www.usenix.org/event/sec05/tech/bono/bono.pdf |access-date=21 November 2017}}</ref>

The [[Thorp shuffle]] is an extreme case of an unbalanced Feistel cipher in which one side is a single bit. This has better provable security than a balanced Feistel cipher but requires more rounds.<ref name="thorp">{{cite book |last1=Morris |first1=Ben |last2=Rogaway |first2=Phillip |last3=Stegers |first3=Till |title=Advances in Cryptology - CRYPTO 2009 |chapter=How to Encipher Messages on a Small Domain |volume=5677 |date=2009 |pages=286–302 |doi=10.1007/978-3-642-03356-8_17 |url=http://www.cs.ucdavis.edu/~rogaway/papers/thorp.pdf |access-date=21 November 2017 |language=en |series=Lecture Notes in Computer Science |isbn=978-3-642-03355-1}}</ref>

===Other uses===
The Feistel construction is also used in cryptographic algorithms other than block ciphers. For example, the [[optimal asymmetric encryption padding]] (OAEP) scheme uses a simple Feistel network to randomize ciphertexts in certain [[Public-key cryptography|asymmetric-key encryption]] schemes.

A generalized Feistel algorithm can be used to create strong permutations on small domains of size not a power of two (see [[format-preserving encryption]]).<ref name=thorp />

===Feistel networks as a design component===
Whether the entire cipher is a Feistel cipher or not, Feistel-like networks can be used as a component of a cipher's design. For example, [[MISTY1]] is a Feistel cipher using a three-round Feistel network in its round function, [[Skipjack (cipher)|Skipjack]] is a modified Feistel cipher using a Feistel network in its G permutation, and [[Threefish]] (part of [[Skein (hash function)|Skein]]) is a non-Feistel block cipher that uses a Feistel-like MIX function.