Moriai, ShihoVaudenay, Serge2007-01-192007-01-192007-01-191999https://infoscience.epfl.ch/handle/20.500.14299/239795Using the decorrelation techniques we compare the randomness of three schemes used in the AES candidates. The target schemes are the original Feistel scheme and two modified Feistel schemes: the MARS-like structure and the CAST256-like structure. As a result, the required numbers of rounds for Luby-Rackoff's randomness (which is related to resistance against chosen plaintext attacks) are 3, 5, and 7, respectively. Moreover, the required numbers of rounds for achieving the decorrelation bias of order two 2^-128are 9, 25, and 35, respectively. This holds for truly random round functions. Imperfect random round function can achieve similar decorrelation by using decorrelation modules like in DFC, but need a number of rounds of at least 9, 30 and 42 respectively.text::conference output::conference proceedings::conference paper