A Structural Attack on Type-I Generalized Feistel Networks

This paper presents a generic structural cryptanalysis of type-I generalized Feistel networks (GFN) in which all the inner transformations are unknown. The goal of the attack is to retrieve all the unknown round functions. We provide an improved yoyo game distinguisher in which a single wrong guess rejects a large group of starting guesses, which is quite advantageous for reducing the complexity. Next, we exploit this distinguisher to develop a recovery attack on this structure and find the look-up tables (LUTs) of the first, eighth, and ninth round functions. Then, by the similarity of encryption and decryption, we recover the LUTs of the second, third, and tenth round functions from the decryption direction. Finally, we retrieve the remaining rounds by using the analytic relationships between the plaintexts and their four-round encryption results. Our complete recovery requires time complexity $O(2^{3.36n})$ and memory $O(2^{n})$, where $n$ is the branch size. For a 64-bit block cipher, our result will approximate a real-life attack. This paper is the first recovery attack against ten-round type-I GFN.
