New Attacks on Feistel Structures with Improved Memory Complexities

Feistel structures are an extremely important and extensively researched type of cryptographic scheme. In this paper we describe improved attacks on Feistel structures with more than 4 rounds. We achieve this by a new attack that combines the main benefits of meet-in-the-middle attacks (which can reduce the time complexity by comparing only half blocks in the middle) and dissection attacks (which can reduce the memory complexity but have to guess full blocks in the middle in order to perform independent attacks above and below that point). For example, for a 7-round Feistel structure on n-bit inputs with seven independent round keys of n / 2 bits each, a MITM attack can use (\(2^{1.5n}\), \(2^{1.5n}\)) time and memory, while dissection requires (\(2^{2n}\), \(2^{n}\)) time and memory. Our new attack requires only (\(2^{1.5n}\), \(2^{n}\)) time and memory, using a few known plaintext/ciphertext pairs. When we are allowed to use more known plaintexts, we develop new techniques which rely on the existence of multicollisions and differential properties deep in the structure in order to further reduce the memory complexity.
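As an added illustration (not code from the paper), the following toy shows the classical meet-in-the-middle benefit the abstract refers to: in a Feistel network, the state entering round r+1 has its left half equal to the right half of the state leaving round r, so the forward and backward partial computations can be matched on a half block without guessing the round key in between. The example uses a 5-round Feistel network on 8-bit blocks with five independent 4-bit round keys; the S-box, the block size, the secret key and the known plaintexts are all constructed for the demonstration, and the paper's improved \(2^{1.5n}\)/\(2^{n}\) attack itself is not implemented here.

```python
# Toy 5-round Feistel network and a classical meet-in-the-middle (MITM)
# key recovery that matches on a HALF block in the middle, so that one
# round key (k3) never has to be guessed during the match.
# Constructed teaching example; parameters are deliberately tiny
# (8-bit blocks, 4-bit round keys) so every loop finishes instantly.
from itertools import product

# A fixed 4-bit permutation used as the nonlinear part of the toy round
# function (any 4-bit table would do for this demonstration).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
HALF = 16          # 2^(n/2) values per half block, with n = 8
NUM_ROUNDS = 5


def F(x, k):
    """Toy round function: key XOR followed by the S-box."""
    return SBOX[(x ^ k) & 0xF]


def feistel_encrypt(block, keys):
    """One Feistel round per key: (L, R) -> (R, L ^ F(R, k))."""
    L, R = block
    for k in keys:
        L, R = R, L ^ F(R, k)
    return (L, R)


def feistel_decrypt(block, keys):
    """Undo the rounds of feistel_encrypt, last key first."""
    L, R = block
    for k in reversed(keys):
        L, R = R ^ F(L, k), L
    return (L, R)


def forward_table(plaintext):
    """Partially encrypt through rounds 1-2 under every (k1, k2) guess.

    The table is indexed by the right half R2 only: 2^(n/2) buckets and
    2^n entries in total, which is the memory cost of the attack.
    """
    table = {}
    for k1, k2 in product(range(HALF), repeat=2):
        L2, R2 = feistel_encrypt(plaintext, [k1, k2])
        table.setdefault(R2, []).append((k1, k2, L2))
    return table


def mitm_five_rounds(pairs):
    """Recover all 5 round keys from a few known plaintext/ciphertext pairs.

    Round 3 maps (L2, R2) to (L3, R3) = (R2, L2 ^ F(R2, k3)), so the
    forward half block R2 must equal the backward half block L3 whatever
    k3 is. Matching on that half block filters the (k1, k2, k4, k5)
    guesses before k3 is ever determined.
    """
    (p0, c0), rest = pairs[0], pairs[1:]
    table = forward_table(p0)
    candidates = []
    for k4, k5 in product(range(HALF), repeat=2):
        L3, R3 = feistel_decrypt(c0, [k4, k5])      # peel off rounds 5 and 4
        for k1, k2, L2 in table.get(L3, []):        # half-block match: R2 == L3
            for k3 in range(HALF):                  # now solve round 3 alone
                if R3 == L2 ^ F(L3, k3):
                    cand = [k1, k2, k3, k4, k5]
                    # a few more known pairs discard the false alarms
                    if all(feistel_encrypt(p, cand) == c for p, c in rest):
                        candidates.append(cand)
    return candidates


def brute_force_cost():
    """Number of trial encryptions an exhaustive key search would need."""
    return HALF ** NUM_ROUNDS


# Constructed demo secret and known plaintexts (hypothetical values).
TRUE_KEY = [0x3, 0xE, 0x9, 0x0, 0xB]
SAMPLE_PLAINTEXTS = [(0x3, 0xA), (0xF, 0x0), (0x7, 0xC), (0x1, 0x5)]
KNOWN_PAIRS = [(p, feistel_encrypt(p, TRUE_KEY)) for p in SAMPLE_PLAINTEXTS]


if __name__ == "__main__":
    found = mitm_five_rounds(KNOWN_PAIRS)
    print("recovered key sets:", [[hex(k) for k in c] for c in found])
    print("exhaustive search trials:", brute_force_cost(),
          "vs MITM table entries:",
          sum(len(v) for v in forward_table(KNOWN_PAIRS[0][0]).values()))
```

With these parameters the forward table holds \(2^{n} = 256\) entries while exhaustive search would try \(2^{20}\) keys; the abstract's point is that the same half-block matching scales to the \(2^{1.5n}\) time and memory figures quoted above, and that the new attack keeps the \(2^{1.5n}\) time while bringing the memory down to \(2^{n}\).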
