# Extended meet-in-the-middle attacks on some Feistel constructions

- 415 Downloads
- 3 Citations

## Abstract

We show key recovery attacks on generic balanced Feistel ciphers. The analysis is based on the meet-in-the-middle technique and exploits truncated differentials that are present in the ciphers due to the Feistel construction. Depending on the type of round function, we differentiate and show attacks on two types of Feistels. For the first type, which is one of the most practical Feistels, we show a 5-round distinguisher based on a truncated differential, which allows to launch 6-round and 10-round attacks, for single-key and double-key sizes, respectively. For the second type of Feistels, with round functions that follow the SPN structure composed of linear layers with maximal branch number, based on a 7-round distinguisher we show attacks that reach up to 14 rounds. Our attacks outperform all the known attacks for any key sizes and provide new lower bounds on the number of rounds required to achieve a practical and a secure Feistel. The attacks on first type have been experimentally verified with computer implementations of the attacks on small-state ciphers.

## Keywords

Feistel Generic attack Key recovery Meet-in-the-middle## Mathematics Subject Classification

94A60 (cryptography)## Notes

### Acknowledgments

Jérémy Jean and Ivica Nikolić were supported by the Singapore National Research Foundation Fellowship 2012 NRF-NRFF2012-06.

## References

- 1.Aoki K., Guo J., Matusiewicz K., Sasaki Y., Wang L.: Preimages for step-reduced SHA-2. In: Matsui M. (ed.) ASIACRYPT. LNCS, vol. 5912, pp. 578–597. Springer, Berlin (2009).Google Scholar
- 2.Aoki K., Ichikawa T., Kanda M., Matsui M., Moriai S., Nakajima J., Tokita T.: Camellia: a 128-bit block cipher suitable for multiple platforms—design and analysis. In: Stinson D.R., Tavares S.E. (eds.) Selected Areas in Cryptography. LNCS, vol. 2012, pp. 39–56. Springer, Berlin (2000).Google Scholar
- 3.Beaulieu R., Shors D., Smith J., Treatman-Clark S., Weeks B., Wingers L.: The SIMON and SPECK families of lightweight block ciphers. Cryptology ePrint Archive, Report 2013/404 (2013).Google Scholar
- 4.Biham E., Dunkelman O.: The SHAvite-3 hash function. Submission to NIST (Round 2) (2009).Google Scholar
- 5.CAST: Cryptographic algorithms approved for Canadian government use (2012).Google Scholar
- 6.Coppersmith D.: The data encryption standard (DES) and its strength against attacks. IBM J. Res. Dev.
**38**(3), 243–250 (1994).Google Scholar - 7.Daemen J., Knudsen L.R., Rijmen V.: The block cipher square. In: Biham, E. (ed.) FSE. LNCS, vol. 1267, pp. 149–165. Springer, Heidelberg (1997).Google Scholar
- 8.Demirci H., Selçuk A.A.: A meet-in-the-middle attack on 8-round AES. In: Nyberg K. (ed.) FSE. LNCS, vol. 5086, pp. 116–126. Springer, Heidelberg (2008).Google Scholar
- 9.Derbez P., Fouque P.A., Jean J.: Improved key recovery attacks on reduced-round AES in the single-key setting. IACR Cryptology ePrint Archive
**2012**, 477 (2012).Google Scholar - 10.Derbez P., Fouque P.A., Jean J.: Improved key recovery attacks on reduced-round AES in the single-key setting. In: Johansson T., Nguyen P.Q. (eds.) EUROCRYPT. LNCS, vol. 7881, pp. 371–387. Springer, Heidelberg (2013).Google Scholar
- 11.Dinur I., Dunkelman O., Keller N., Shamir A.: Efficient dissection of composite problems, with applications to cryptanalysis, knapsacks, and combinatorial search problems. In: Safavi-Naini R., Canetti R. (eds.) CRYPTO. LNCS, vol. 7417, pp. 719–740. Springer, Heidelberg (2012).Google Scholar
- 12.Dunkelman O., Keller N., Shamir A.: Improved single-key attacks on 8-round AES-192 and AES-256. In: Abe M. (ed.) ASIACRYPT. LNCS, vol. 6477, pp. 158–176. Springer, Heidelberg (2010).Google Scholar
- 13.Feistel H., Notz W., Smith J.: Some cryptographic techniques for machine-to-machine data communications. Proc. IEEE.
**63**(11), 1545–1554 (1975).Google Scholar - 14.Gilbert H., Minier M.: A collision attack on 7 rounds of Rijndael. In: AES Candidate Conference, pp. 230–241 (2000).Google Scholar
- 15.Guo J., Ling S., Rechberger C., Wang H.: Advanced meet-in-the-middle preimage attacks: first results on full tiger, and improved results on MD4 and SHA-2. In: Abe M. (ed.) ASIACRYPT. LNCS, vol. 6477, pp. 56–75 Springer, Heidelberg (2010).Google Scholar
- 16.ISO/IEC: Information technology—security techniques—encryption algorithms—part 3: block ciphers (2010).Google Scholar
- 17.Isobe T., Shibutani K.: All subkeys recovery attack on block ciphers: extending meet-in-the-middle approach. In: Knudsen LR, Wu H. (eds.) Selected Areas in Cryptography. LNCS, vol. 7707, pp. 202–221. Springer, Heidelberg (2012).Google Scholar
- 18.Isobe T., Shibutani K.: Generic key recovery attack on feistel scheme. In: Sako K., Sarkar P. (eds.) ASIACRYPT (1). LNCS, vol. 8269, pp. 464–485. Springer, Heidelberg (2013).Google Scholar
- 19.Knudsen L.R.: The security of feistel ciphers with six rounds or less. J. Cryptol.
**15**(3), 207–222 (2002).Google Scholar - 20.Luby M., Rackoff C.: How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Comput.
**17**(2), 373–386 (1988).Google Scholar - 21.Merkle R.C., Hellman M.E.: On the security of multiple encryption. Commun. ACM
**24**(7), 465–467 (1981).Google Scholar - 22.Sasaki Y., Aoki K.: Finding preimages in full MD5 faster than exhaustive search. In: Joux A. (ed.) EUROCRYPT. LNCS, vol. 5479, pp. 134–152. Springer, Heidelberg (2009).Google Scholar
- 23.Shibutani K., Bogdanov A.: Towards the optimality of Feistel ciphers with substitution-permutation functions. Des. Codes Cryptogr.
**73**(2), 667–682 (2014).Google Scholar - 24.Shibutani K., Isobe T., Hiwatari H., Mitsuda A., Akishita T., Shirai T.: Piccolo: an ultra-lightweight blockcipher. In: Preneel B., Takagi T. (eds.) CHES. LNCS, vol. 6917, pp. 342–357. Springer, Heidelberg (2011).Google Scholar
- 25.Todo Y.: Upper bounds for the security of several feistel networks. In: Boyd C., Simpson L. (eds.) ACISP. LNCS, vol. 7959, pp. 302–317. Springer, Heidelberg (2013).Google Scholar
- 26.Wu W., Zhang L.: LBlock: a lightweight block cipher. In: Lopez J., Tsudik G. (eds.) ACNS. LCNS, vol. 6715, pp. 327–344. Springer, Berlin (2011).Google Scholar
- 27.Zhang L., Wu W., Wang Y., Wu S., Zhang J.: LAC: a lightweight authenticated encryption cipher. Submitted to the CAESAR competition (2014).Google Scholar