Security Analysis of GFN: 8-Round Distinguisher for 4-Branch Type-2 GFN

Generalized Feistel networks (GFNs) are a widely used design for encryption algorithms such as DES, IDEA and others. Generally, block ciphers are used not only for symmetric encryption but also as building blocks of cryptographic hash functions in modes such as Matyas-Meyer-Oseas (MMO) and Miyaguchi-Preneel. In these compression-function modes the block cipher is used with a key that is known to the attacker, so a known-key distinguisher on the internal block cipher can be directly converted into a distinguisher on the compression function. In other words, the security of a compression mode relies on the security of the internal block cipher used. In the known-key setting, the security of the cipher is due only to its round function. Block ciphers popularly use sub-key XOR-ing followed by one or more SP-functions as the building block of a round function. The general understanding is that increasing the number of active S-boxes causes more confusion and guarantees ciphers that are more secure against differential and linear cryptanalysis. At Indocrypt 2012, Sasaki compared the security of single-SP functions with double-SP functions and, using the rebound attack technique, mounted a distinguisher on up to 7 rounds of the 4-branch type-2 GFN with double-SP functions and on up to 11 rounds of the 2-branch single-SP construction. Based on the total number of S-boxes used and the number of rounds attacked, he argued that double-SP is in fact weaker than single-SP. The basis of this result is the number of rounds that the author could attack. In this work, we increase the number of rounds attacked from 7 to 8 for the 4-branch type-2 double-SP GFN. The presented distinguisher is the first known distinguisher for the 8-round 4-branch type-2 GFN with double SP-functions. In our attack, we use an improved matching technique that is simpler than byte-by-byte matching. This simple matching technique results in better complexity than the previously known 7-round distinguisher for most practical cases, allowing us to attack one extra round.
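To make the objects in the abstract concrete, here is an added toy model (example code, not the paper's or any cipher's implementation) of a 4-branch type-2 GFN with single-SP and double-SP round functions, wrapped in MMO mode so that the cipher key is the public chaining value; it also counts the S-boxes made active by a one-byte input difference in each round function. The S-box, linear layer, key schedule and branch width are constructed placeholders, not the components of any real cipher.

```python
# Toy 4-branch type-2 GFN (CLEFIA-style branch rotation) with single-SP and double-SP
# round functions, plus the MMO hashing mode in which the cipher key is the public
# chaining value. Every component is a constructed placeholder, not a real cipher's.
BRANCH = 4  # bytes per branch; 4 branches -> 16-byte block

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def sbox(v):  # constructed 8-bit bijection (odd multiplier, then constant)
    return ((v * 0x1F) ^ 0x63) & 0xFF

def perm(v):  # constructed linear layer: each output byte = XOR of the other three
    t = v[0] ^ v[1] ^ v[2] ^ v[3]
    return bytes(t ^ b for b in v)

def sp(x, k):  # one SP layer: P(S(x ^ k))
    return perm(bytes(sbox(b) for b in xor(x, k)))

def f_single(x, k):  # single-SP round function
    return sp(x, k)

def f_double(x, k):  # double-SP round function: P2(S2(P1(S1(x ^ k)))), second key zero
    return sp(sp(x, k), bytes(BRANCH))

def active_sboxes(x, d, k, f):
    """Count S-boxes whose inputs differ for the pair (x, x ^ d) inside one call of f."""
    xp = xor(x, d)
    n = sum(a != b for a, b in zip(x, xp))  # first S layer; the key XOR keeps the diff
    if f is f_double:  # second S layer sees the P1(S1(.)) outputs of both members
        n += sum(a != b for a, b in zip(sp(x, k), sp(xp, k)))
    return n

def round_keys(key, rounds):  # constructed schedule: two key slices XOR round index
    return [(xor(key[0:4], bytes([r] * 4)), xor(key[4:8], bytes([r] * 4))) for r in range(rounds)]

def gfn_encrypt(block, rks, f):
    b = [block[i * BRANCH:(i + 1) * BRANCH] for i in range(4)]
    for k0, k1 in rks:  # type-2 GFN: F on branches 0 and 2, XOR into 1 and 3, rotate left
        b = [xor(b[1], f(b[0], k0)), b[2], xor(b[3], f(b[2], k1)), b[0]]
    return b"".join(b)

def gfn_decrypt(block, rks, f):
    b = [block[i * BRANCH:(i + 1) * BRANCH] for i in range(4)]
    for k0, k1 in reversed(rks):  # undo the rotation, then cancel the F outputs
        b = [b[3], xor(b[0], f(b[3], k0)), b[1], xor(b[2], f(b[1], k1))]
    return b"".join(b)

def mmo_compress(h_prev, m, f, rounds=8):
    # MMO: h_i = E_{h_{i-1}}(m_i) ^ m_i; the key h_{i-1} is public, so known-key results on E carry over
    return xor(gfn_encrypt(m, round_keys(h_prev, rounds), f), m)
```

With the constructed linear layer a single-byte difference activates one S-box in the single-SP function but four in the double-SP function, which is the "more active S-boxes" intuition the abstract says the rebound results call into question.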
