Generic Key Recovery Attack on Feistel Scheme

We propose new generic key recovery attacks on Feistel-type block ciphers. The proposed attack is based on the all-subkeys recovery approach presented at SAC 2012, which determines all subkeys instead of the master key. This allows us to construct a key recovery attack without taking the key scheduling function into account. Using several advanced techniques, we apply key recovery attacks to Feistel-type block ciphers. For instance, we show 8-, 9- and 11-round key recovery attacks on n-bit Feistel ciphers with a 2n-bit key employing random keyed F-functions, random F-functions, and SP-type F-functions, respectively. Moreover, thanks to the meet-in-the-middle approach, our attack has low data complexity. To demonstrate the usefulness of our approach, we show a key recovery attack on 8-round reduced CAST-128, which is the best attack with respect to the number of attacked rounds. Since our approach yields lower bounds on the number of rounds required for security in the single secret key setting, it unveils a limitation on designing an efficient block cipher, such as a low-latency cipher, by a Feistel scheme.
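The abstract's central idea is that a meet-in-the-middle search can recover every round subkey directly, so the strength of the key schedule never enters the analysis and the only thing that protects the cipher is its number of rounds. The following toy model, written here as an added illustration and not taken from the paper, makes that concrete: a 4-round Feistel cipher on 16-bit blocks whose keyed F-function is a subkey XOR followed by a constructed random 8-bit S-box, with four independent 8-bit subkeys. Exhausting the 32-bit subkey space would cost 2^32 trial encryptions; meeting in the middle after round 2 costs about 2 * 2^16 partial encryptions plus a table, and three known plaintext/ciphertext pairs (a 48-bit filter) are enough to leave essentially only the true subkeys. The cipher, S-box, block size and round count are all assumptions of this example.

```python
import itertools
import random

BRANCH_BITS = 8          # each Feistel branch is one byte (constructed toy parameters)
MASK = (1 << BRANCH_BITS) - 1
ROUNDS = 4               # independent subkey per round: no key schedule to exploit

# Constructed S-box: a random byte permutation from a fixed seed (assumption, not a real cipher's).
_rng = random.Random(2012)
SBOX = list(range(1 << BRANCH_BITS))
_rng.shuffle(SBOX)


def F(x, k):
    """Keyed F-function of the toy cipher: subkey XOR, then the S-box."""
    return SBOX[(x ^ k) & MASK]


def round_enc(L, R, k):
    """One Feistel round: (L, R) -> (R, L xor F(R, k))."""
    return R, L ^ F(R, k)


def round_dec(L, R, k):
    """Inverse of round_enc: recover (L_prev, R_prev) from (L, R)."""
    return R ^ F(L, k), L


def encrypt(pt, subkeys):
    L, R = pt >> BRANCH_BITS, pt & MASK
    for k in subkeys:
        L, R = round_enc(L, R, k)
    return (L << BRANCH_BITS) | R


def decrypt(ct, subkeys):
    L, R = ct >> BRANCH_BITS, ct & MASK
    for k in reversed(subkeys):
        L, R = round_dec(L, R, k)
    return (L << BRANCH_BITS) | R


def all_subkeys_recovery(pairs):
    """Meet-in-the-middle on the state after ROUNDS//2 rounds.

    Forward: for every (k1, k2) tabulate the middle states of all pairs.
    Backward: for every (k3, k4) decrypt the ciphertexts two rounds and look
    the resulting middle states up. Every match is a full subkey candidate.
    The master key is never touched, which is the all-subkeys-recovery idea.
    """
    half = ROUNDS // 2
    table = {}
    for fwd in itertools.product(range(1 << BRANCH_BITS), repeat=half):
        mids = []
        for pt, _ in pairs:
            L, R = pt >> BRANCH_BITS, pt & MASK
            for k in fwd:
                L, R = round_enc(L, R, k)
            mids.append((L << BRANCH_BITS) | R)
        table.setdefault(tuple(mids), []).append(fwd)

    candidates = []
    for bwd in itertools.product(range(1 << BRANCH_BITS), repeat=ROUNDS - half):
        mids = []
        for _, ct in pairs:
            L, R = ct >> BRANCH_BITS, ct & MASK
            for k in reversed(bwd):
                L, R = round_dec(L, R, k)
            mids.append((L << BRANCH_BITS) | R)
        for fwd in table.get(tuple(mids), ()):
            candidates.append(fwd + bwd)
    return candidates


def demo(seed=7, n_pairs=3):
    """Pick random subkeys, produce n_pairs known pairs, run the recovery.

    Returns (true_subkeys, pairs, candidates). Constructed data throughout.
    """
    rng = random.Random(seed)
    true_keys = tuple(rng.randrange(1 << BRANCH_BITS) for _ in range(ROUNDS))
    pts = [rng.randrange(1 << (2 * BRANCH_BITS)) for _ in range(n_pairs)]
    pairs = [(p, encrypt(p, true_keys)) for p in pts]
    return true_keys, pairs, all_subkeys_recovery(pairs)


if __name__ == "__main__":
    keys, pairs, cands = demo()
    print("true subkeys:", keys)
    print("candidates from MITM:", cands)
```

The point for a designer is the one the abstract draws: with independent subkeys the search cost depends only on how many rounds sit on each side of the meeting point, so the defence is a sufficient round count (the lower bounds the paper derives), not a stronger key schedule.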
