New Attacks on Feistel Structures with Improved Memory Complexities

Feistel structures are an extremely important and extensively researched type of cryptographic schemes. In this paper we describe improved attacks on Feistel structures with more than 4 rounds. We achieve this by a new attack that combines the main benefits of meet-in-the-middle attacks (which can reduce the time complexity by comparing only half blocks in the middle) and dissection attacks (which can reduce the memory complexity but have to guess full blocks in the middle in order to perform independent attacks above and below it). For example, for a 7-round Feistel structure on n-bit inputs with seven independent round keys of n/2 bits each), a MITM attack can use (2^1.5n ,2^1.5n) time and memory, while dissection requires (2^2n, 2^n) time and memory. Our new attack requires only (2^1.5n, 2^n) time and memory, using a few known plaintext/ciphertext pairs. When we are allowed to use more known plaintexts, we develop new techniques which rely on the existence of multicollisions and differential properties deep in the structure in order to further reduce the memory complexity. Our new attacks are not just theoretical generic constructions - in fact, we can use them to improve the best known attacks on several concrete cryptosystems such as CAST-128 (where we reduce the memory complexity from 2^111 to 2^64) and DEAL-256 (where we reduce the memory complexity from 2^200 to 2^144), without affecting their time and data complexities. An extension of our techniques applies even to some non-Feistel structures - for example, in the case of FOX, we reduce the memory complexity of all the best known attacks by a factor of 2^16

Quantum Key-recovery Attack on Feistel Structures

Post-quantum cryptography has drawn considerable attention from cryptologists on a global scale. At Asiacrypt 2017, Leander and May combined Grover\u27s and Simon\u27s quantum algorithms to break the FX-based block ciphers, which were introduced by Kilian and Rogaway to strengthen DES. In this study, we investigate the Feistel constructions using Grover\u27s and Simon\u27s algorithms to generate new quantum key-recovery attacks on different rounds of Feistel constructions. Our attacks require $2^{nr/4~-~3n/4}$ quantum queries to break an $r$-round Feistel construction. The time complexity of our attacks is less than that observed for quantum brute-force search by a factor of $2^{0.75n}$. When compared with the best classical attacks, i.e., Dinur \emph{et al.}\u27s attacks at CRYPTO 2015, the time complexity is reduced by a factor of $2^{0.5n}$ without incurring any memory cost

Multi-operation data encryption mechanism using dynamic data blocking and randomized substitution

Existing cryptosystems deal with static design features such as fixed sized data blocks, static substitution and apply identical set of known encryption operations in each encryption round. Fixed sized blocks associate several issues such as ineffective permutations, padding issues, deterministic brute force strength and known-length of bits which support the cracker in formulating of modern cryptanalysis. Existing static substitution policies are either not optimally fit for dynamic sized data blocks or contain known S-box transformation and fixed lookup tables. Moreover, static substitution does not directly correlate with secret key due to which it has not been shown safer especially for Advanced Encryption Standard (AES) and Data Encryption Standard (DES). Presently, entire cryptosystems encrypt each data block with identical set of known operations in each iteration, thereby lacked to offer dynamic selection of encryption operation. These discussed, static design features are fully known to the cracker, therefore caused the practical cracking of DES and undesirable security pitfalls against AES as witnessed in earlier studies. Various studies have reported the mathematical cryptanalysis of AES up to full of its 14 rounds. Thus, this situation completely demands the proposal of dynamic design features in symmetric cryptosystems. Firstly, as a substitute to fixed sized data blocks, the Dynamic Data Blocking Mechanism (DDBM) has been proposed to provide the facility of dynamic sized data blocks. Secondly, as an alternative of static substitution approach, a Randomized Substitution Mechanism (RSM) has been proposed which can randomly modify session-keys and plaintext blocks. Finally, Multi-operation Data Encryption Mechanism (MoDEM) has been proposed to tackle the issue of static and identical set of known encryption operations on each data block in each round. With MoDEM, the encryption operation can dynamically be selected against the desired data block from the list of multiple operations bundled with several sub-operations. The methods or operations such as exclusive-OR, 8-bit permutation, random substitution, cyclic-shift and logical operations are used. Results show that DDBM can provide dynamic sized data blocks comparatively to existing approaches. Both RSM and MoDEM fulfill dynamicity and randomness properties as tested and validated under recommended statistical analysis with standard tool. The proposed method not only contains randomness and avalanche properties but it also has passed recommended statistical tests within five encryption rounds (significant than existing). Moreover, mathematical testing shows that common security attacks are not applicable on MoDEM and brute force attack is significantly resistive

Breaking The FF3 Format-Preserving Encryption Standard Over Small Domains

The National Institute of Standards and Technology (NIST) recently published a Format-Preserving Encryption standard accepting two Feistel structure based schemes called FF1 and FF3. Particularly, FF3 is a tweakable block cipher based on an 8-round Feistel network. In CCS~2016, Bellare et. al. gave an attack to break FF3 (and FF1) with time and data complexity $O(N^5\log(N))$, which is much larger than the code book (but using many tweaks), where $N^2$ is domain size to the Feistel network. In this work, we give a new practical total break attack to the FF3 scheme (also known as BPS scheme). Our FF3 attack requires $O(N^{\frac{11}{6}})$ chosen plaintexts with time complexity $O(N^{5})$. Our attack was successfully tested with $N\leq2^9$. It is a slide attack (using two tweaks) that exploits the bad domain separation of the FF3 design. Due to this weakness, we reduced the FF3 attack to an attack on 4-round Feistel network. Biryukov et. al. already gave a 4-round Feistel structure attack in SAC~2015. However, it works with chosen plaintexts and ciphertexts whereas we need a known-plaintext attack. Therefore, we developed a new generic known-plaintext attack to 4-round Feistel network that reconstructs the entire tables for all round functions. It works with $N^{\frac{3}{2}} \left( \frac{N}{2} \right)^{\frac{1}{6}}$ known plaintexts and time complexity $O(N^{3})$. Our 4-round attack is simple to extend to five and more rounds with complexity $N^{(r-5)N+o(N)}$. It shows that FF1 with $N=7$ and FF3 with $7\leq N\leq10$ do not offer a 128-bit security. Finally, we provide an easy and intuitive fix to prevent the FF3 scheme from our $O(N^{5})$ attack

New Attacks on Feistel Structures with Improved Memory Complexities

International audienc