Differential Attacks on Generalized Feistel Schemes

While generic attacks on classical Feistel schemes and unbalanced Feistel schemes have been studied a lot, generic attacks on several generalized Feistel schemes like type-1, type-2 and type-3 and Alternating Feistel schemes, as defined in~\cite{HR}, have not been systematically investigated. This is the aim of this paper. We give our best Known Plaintext Attacks and non-adaptive Chosen Plaintext Attacks on these schemes and we determine the maximum number of rounds that we can attack. It is interesting to have generic attacks since there are well known block cipher networks that use generalized Feistel schemes: CAST-256 (type-1), RC-6 (type-2), MARS (type-3) and BEAR/LION (alternating). Also, Type-1 and Type-2 Feistel schemes are respectively used in the construction of the hash functions $Lesamnta$ and $SHAvite-3_{512}$

Generic Attacks on Alternating Unbalanced Feistel Schemes

\begin{abstract} Generic attacks against classical (balanced) Feistel schemes, unbalanced Feistel schemes with contracting functions and unbalanced Feistel schemes with expanding functions have been studied in \cite {P01}, \cite{Jut}, \cite{PNB06}, \cite{PNB07}. In this paper we study schemes where we use alternatively contracting random functions and expanding random functions. We name these schemes ``Alternating Unbalanced Feistel Schemes\u27\u27. They allow constructing pseudo-random permutations from $kn$ bits to $kn$ bits where $k \geq 3$. At each round, we use either a random function from $n$ bits to $(k-1)n$ bits or a random function from $(k-1)n$ bits to $n$ bits. We describe the best generic attacks we have found. We present``known plaintext attacks\u27\u27 (KPA) and ``non-adaptive chosen plaintext attacks\u27\u27 (CPA-1). Let $d$ be the number of rounds. We show that if $d \leq k$, there are CPA-1 with 2 messages and KPA with $m$ the number of messages about $2^{\frac {(d-1)n}{4}}$. For $d \geq k+1$ we have to distinguish $k$ even and $k$ odd. For $k$ even, we have $m=2$ in CPA-1 and $m \simeq 2^{\frac {kn}{4}}$ in KPA. When $k$ is odd, we show that there exist CPA-1 for $d \leq 2k-1$ and KPA for $d \leq 2k+3$ with less than $2^{kn}$ messages and computations. Beyond these values, we give KPA against generators of permutations. \end{abstract

On generalized Feistel networks

We prove beyond-birthday-bound security for the well-known types of generalized Feistel networks, including: (1) unbalanced Feistel networks, where the $n$-bit to $m$-bit round functions may have $n\ne m$; (2) alternating Feistel networks, where the round functions alternate between contracting and expanding; (3) type-1, type-2, and type-3 Feistel networks, where $n$-bit to $n$-bit round functions are used to encipher $kn$-bit strings for some $k\ge2$; and (4) numeric variants of any of the above, where one enciphers numbers in some given range rather than strings of some given size. Using a unified analytic framework we show that, in any of these settings, for any $\varepsilon>0$, with enough rounds, the subject scheme can tolerate CCA attacks of up to $q\sim N^{1-\varepsilon}$ adversarial queries, where $N$ is the size of the round functions\u27 domain (the size of the larger domain for alternating Feistel). This is asymptotically optimal. Prior analyses for generalized Feistel networks established security to only $q\sim N^{0.5}$ adversarial queries

Automatic Expectation and Variance Computing for Attacks on Feistel Schemes

There are many kinds of attacks that can be mounted on block ciphers: differential attacks, impossible differential attacks, truncated differential attacks, boomerang attacks. We consider generic differential attacks used as distinguishers for various types of Feistel ciphers: they allow to distinguish a random permutation from a permutation generated by the cipher. These attacks are based on differences between the expectations of random variables defined by relations on the inputs and outputs of the ciphers. Sometimes, one has to use the value of the variance as well. In this paper, we will provide a tool that computes the exact values of these expectations and variances. We first explain thoroughly how these computations can be carried out by counting the number of solutions of a linear systems with equalities and non-equalities. Then we provide the first applications of this tool. For example, it enabled to discover a new geometry in 4-point attacks. It gave an explanation to some phenomena that can appear in simulations when the inputs and outputs have a small number of bits

On the Field-Based Division Property: Applications to MiMC, Feistel MiMC and GMiMC (Full Version)

Recent practical applications using advanced cryptographic protocols such as multi-party computations (MPC) and zero-knowledge proofs (ZKP) have prompted a range of novel symmetric primitives described over large finite fields, characterized as arithmetization-oriented AO ciphers. Such designs, aiming to minimize the number of multiplications over fields, have a high risk of being vulnerable to algebraic attacks, especially to the higher-order differential attack. Thus, it is significant to carefully evaluate the growth of their algebraic degree. However, the degree estimation for AO ciphers has been a challenge for cryptanalysts due to the lack of general and accurate methods. In this paper, we extend the division property, a state-of-the-art framework for finding the upper bound of the algebraic degree over binary fields, to the scope of $\mathbb{F}_{2^n}$. It is a generic method to detect the algebraic degree for AO ciphers, even applicable to Feistel ciphers which have no better bounds than the trivial exponential one. In this general division property, our idea is to evaluate whether the polynomial representation of a block cipher contains some specific monomials. With a deep investigation of the arithmetical feature, we introduce the propagation rules of monomials for field-based operations, which can be efficiently modeled using the bit-vector theory of SMT. Then the new searching tool for degree estimation can be constructed due to the relationship between the algebraic degree and the exponents of monomials. We apply our new framework to some important AO ciphers, including Feistel MiMC, GMiMC, and MiMC. For Feistel MiMC, we show that the algebraic degree grows significantly slower than the native exponential bound. For the first time, we present a secret-key higher-order differential distinguisher for up to 124 rounds, much better than the 83-round distinguisher for Feistel MiMC permutation proposed at CRYPTO 2020. We also exhibit a full-round zero-sum distinguisher with a data complexity of $2^{251}$. Our method can be further extended for the general Feistel structure with more branches and exhibit higher-order differential distinguishers against the practical instance of GMiMC for up to 50 rounds. For MiMC in SP-networks, our results correspond to the exact algebraic degree proved by Bouvier et al. We also point out that the number of rounds in MiMC\u27s specification is not sufficient to guarantee the security against the higher-order differential attack for MiMC-like schemes with different exponents. The investigation of different exponents provides some guidance on the cipher design

Generic Round-Function-Recovery Attacks for Feistel Networks over Small Domains

Feistel Networks (FN) are now being used massively to encrypt credit card numbers through format-preserving encryption. In our work, we focus on FN with two branches, entirely unknown round functions, modular additions (or other group operations), and when the domain size of a branch (called $N$) is small. We investigate round-function-recovery attacks. The best known attack so far is an improvement of Meet-In-The-Middle (MITM) attack by Isobe and Shibutani from ASIACRYPT~2013 with optimal data complexity $q=r \frac{N}{2}$ and time complexity $N^{ \frac{r-4}{2}N + o(N)}$, where $r$ is the round number in FN. We construct an algorithm with a surprisingly better complexity when $r$ is too low, based on partial exhaustive search. When the data complexity varies from the optimal to the one of a codebook attack $q=N^2$, our time complexity can reach $N^{O \left( N^{1-\frac{1}{r-2}} \right) }$. It crosses the complexity of the improved MITM for $q\sim N\frac{\mathrm{e}^3}{r}2^{r-3}$. We also estimate the lowest secure number of rounds depending on $N$ and the security goal. We show that the format-preserving-encryption schemes FF1 and FF3 standardized by NIST and ANSI cannot offer 128-bit security (as they are supposed to) for $N\leq11$ and $N\leq17$, respectively (the NIST standard only requires $N \geq 10$), and we improve the results by Durak and Vaudenay from CRYPTO~2017

An Algebraic System for Constructing Cryptographic Permutations over Finite Fields

In this paper we identify polynomial dynamical systems over finite fields as the central component of almost all iterative block cipher design strategies over finite fields. We propose a generalized triangular polynomial dynamical system (GTDS), and give a generic algebraic definition of iterative (keyed) permutation using GTDS. Our GTDS-based generic definition is able to describe widely used and well-known design strategies such as substitution permutation network (SPN), Feistel network and their variants among others. We show that the Lai-Massey design strategy for (keyed) permutations is also described by the GTDS. Our generic algebraic definition of iterative permutation is particularly useful for instantiating and systematically studying block ciphers and hash functions over $\mathbb{F}_p$ aimed for multiparty computation and zero-knowledge based cryptographic protocols. Finally, we provide the discrepancy analysis a technique used to measure the (pseudo-)randomness of a sequence, for analyzing the randomness of the sequence generated by the generic permutation or block cipher described by GTDS

Breaking the FF3 Format Preserving Encryption

The NIST standard FF3 scheme (also known as BPS scheme) is a tweakable block cipher based on a 8-round Feistel Network. We break it with a practical attack. Our attack exploits the bad domain separation in FF3 design. The attack works with chosen plaintexts and tweaks when the message domain is small. Our FF3 attack requires $O(N^{\frac{11}{6}})$ chosen plaintexts with time complexity $N^{5}$, where $N^2$ is domain size to the Feistel Network. Due to the bad domain separation in 8-round FF3, we reduced the FF3 attack to an attack on 4-round Feistel Networks. In our generic attack, we reconstruct the entire codebook of 4-round Feistel Network with $N^{\frac{3}{2}} \left( \frac{N}{2} \right)^{\frac{1}{6}}$ known plaintexts and time complexity $N^{4}$