Structural Evaluation for Generalized Feistel Structures and Applications to LBlock and TWINE

The generalized Feistel structure (GFS) is the variant of Feistel structure with \(m>2\) branches. While the GFS is widely used, the security is not well studied. In this paper, we propose a generic algorithm for searching integral distinguishers. By applying the algorithm, we prove that the low bound for the length of integral distinguishers is \(m^2+m-1\) and \(2m+1\) for Type-1 GFS and Type-2 GFS, respectively. Meanwhile, we evaluate the security of the improved Type-1 and Type-2 GFSs when the size of each branch and the algebraic degree of F-functions are specified. Our results show that the distinguishers are affected by the parameters to various levels, which will provide valuable reference for designing GFS ciphers. Although our search algorithm is generic, it can improve integral distinguishers for specific ciphers. For instance, it constructs several 16-round integral distinguishers for LBlock and TWINE, which directly extends the numbers of attacked rounds.

We would like to thank the anonymous reviewers for their useful comments and suggestions. The research presented in this paper is supported by the National Basic Research Program of China (No. 2013CB338002) and National Natural Science Foundation of China (No. 61272476, No. 61232009 and No. 61202420).

Authors and Affiliations

1. TCA Laboratory, SKLCS, Institute of Software, Chinese Academy of Sciences, Beijing, China

   Huiling Zhang & Wenling Wu

2. State Key Laboratory of Cryptology, P.O. Box 5159, Beijing, 100878, China

   Huiling Zhang & Wenling Wu

3. University of Chinese Academy of Sciences, Beijing, China

   Huiling Zhang & Wenling Wu

Corresponding author

Correspondence to Huiling Zhang .

Editors and Affiliations

1. Luxembourg, Luxembourg

   Alex Biryukov

2. Microsoft Research India, Banglore, India

   Vipul Goyal

A Proofs for Proposition 2-4

Proposition 2

Proof

We give the proof for the case of \(m=4\), which can then simply be transferred to the general case. Denote \(\varLambda \) and \(\varLambda '\) as the multi-set of inputs and outputs, respectively. The checksum of \(\varLambda '\) for \(U = ({u_0}, \cdots ,{u_5})\) has

where \( \vee \) is OR. When \((w({u_0} \vee {u_1}),w({u_2}),w({u_3} \vee {u_4}),w({u_5}))\) \({\not \succcurlyeq }\) \(K\), the result is always 0. Its sufficient condition is \((w({u_0}) + w({u_1}),w({u_2}),w({u_3}) + w({u_4}),w({u_5}))\) \({\not \succcurlyeq }\) \(K\). Therefore, the division property of \(\varLambda '\) is \(\{ ({i_0},{k_0} - {i_0},{k_1},{i_1},{k_2} - {i_1},{k_3})\mathrm{{|}}0 \le {i_0} \le {k_0},0 \le {i_1} \le {k_2}\} \).

Proposition 3

Proof

The proposition describes a special case of Rule 1 in [9]. Readers can refer to [9] for the details of the proof.

Proposition 4

Proof

We prove the case when \(m=4\). The general case follows by a similar manner. Denote \(\varLambda \) and \(\varLambda '\) as the multi-set of inputs and the multi-set of outputs, respectively. The checksum of \(\varLambda '\) for \(U = ({u_0}, \cdots ,{u_3})\) has

where \(c \prec u\) denotes the elements of \(F_2^n\) satisfying c AND u equals to c. Obviously, it has \(w(c) + w(u \oplus c) = w(u)\) if \(c \prec u\). When \((w({u_0}),w({u_1}),w({u_1}) - w({c_1}),w({u_2}),w({u_3}),w({u_3}) - w({c_2}))\) \({\not \succcurlyeq }\) \(K\) for any \({{c_1} \prec {u_1}}\) and any \({{c_2} \prec {u_3}}\), the result is always 0. Thereafter, the division property of \(\varLambda '\) is \(\{ K{'^{(j)}} = (k_0^j,(k_1^j + k_2^j),k_3^j,(k_4^j + k_5^j))|0 \le j \le q - 1\} \).

B Results on Improved Type-1 GFS for 8 \(<m \le 16\)

Table 5 shows integral distinguishers for improved Type-1 GFS when the number of branches is more than 8.

C Results on Improved Type-2 GFS for 8 \( < \) \(m\le 16\)

Table 6 shows integral distinguishers for improved Type-2 GFS when the number of branches is more than 8.

D Details of the Attack on LBlock

We need to guess 60-bit key to compute the value of \(\bigoplus (S(X_L^{16}[0] \oplus {K^{16}}[0])) \) according to the keyschedule. These guessed keys are marked by gray cubes in Fig. 8, and the procedure is as follows:

1. 1.

   Query \({2^{63}}\) plaintexts which are constant at one bit and are active at other bits.

2. 2.

   Count whether each 15-nibble value \(X_L^{23}[0,1,2,3,4,6,7]||X_R^{23}[0,1,2,3,4,5,\) 6, 7] appears even or odd times, and pick the values which appear odd times.

3. 3.

   Guess \({K^{22}}[3]\), and then compute \(X_R^{22}[3]\). Compress the data into \({2^{56}}\) texts of the value of \(X_L^{23}[0,2,3,4,6,7]\) \(||X_R^{23}[0,1,2,4,5,6,7]\) \(||X_R^{22}[3]\) appearing odd times.

4. 4.

   Guess \({K^{22}}[5]\), and then compute \(X_R^{22}[6]\). Compress the data into \({2^{52}}\) texts of the value of \(X_L^{23}[0,2,3,6,7]\) \(||X_R^{23}[0,1,2,4,6,7]\) \(||X_R^{22}[3,6]\) appearing odd times.

5. 5.

   Guess \({K^{22}}[1]\), and then compute \(X_R^{22}[2]\). Compress the data into \({2^{48}}\) texts of the value of \(X_L^{23}[2,3,6,7]\) \(||X_R^{23}[0,2,4,6,7]\) \(||X_R^{22}[3,6,2]\) appearing odd times.

6. 6.

   Guess \({K^{21}}[6]\), and then compute \(X_R^{21}[1]\). Compress the data into \({2^{44}}\) texts of the value of \(X_L^{23}[2,3,6,7]\) \(||X_R^{23}[0,2,4,6]\) \(||X_R^{22}[3,2]\) \(||X_R^{21}[1]\) appearing odd times.

7. 7.

   Guess \({K^{22}}[4]\), and then compute \(X_R^{22}[0]\). Compress the data into \({2^{44}}\) texts of the value of \(X_L^{23}[2,3,7]\) \(||X_R^{23}[0,2,4,6]\) \(||X_R^{22}[0,2,3]\) \(||X_R^{21}[1]\) appearing odd times.

8. 8.

   Guess \({K^{22}}[6]\), and then compute \(X_R^{22}[1]\). Compress the data into \({2^{44}}\) texts of the value of \(X_L^{23}[2,3]\) \(||X_R^{23}[0,2,4,6]\) \(||X_R^{22}[0,1,2,3]\) \(||X_R^{21}[1]\) appearing odd times.

9. 9.

   Guess \({K^{22}}[0]\), and then compute \(X_R^{22}[4]\). Compress the data into \({2^{44}}\) texts of the value of \(X_L^{23}[3]\) \(||X_R^{23}[0,2,4,6]\) \(||X_R^{22}[0,1,2,3,4]\) \(||X_R^{21}[1]\) appearing odd times.

10. 10.

    Guess \({K^{21}}[4]\), and then compute \(X_R^{21}[0]\). Compress the data into \({2^{40}}\) texts of the value of \(X_L^{23}[3]\) \(||X_R^{23}[0,2,4]\) \(||X_R^{22}[0,1,2,3]\) \(||X_R^{21}[0,1]\) appearing odd times.

11. 11.

    Due to the keyschedule, \({K^{20}}[0]\) is determined by rightmost two bits in \({K^{22}}[5]\) and leftmost two bits in \({K^{22}}[6]\), which are all guessed. We can directly compute \(X_R^{20}[4]\) and compress the data into \({2^{36}}\) texts of the value of \(X_L^{23}[3]\) \(||X_R^{23}[0,2,4]||X_R^{22}[0,1,3]||X_R^{21}[1]||X_R^{20}[4]\) appearing odd times.

12. 12.

    Due to the keyschedule, \({K^{20}}[1]\) is determined by rightmost two bits in \({K^{22}}[6]\) and leftmost two bits in \({K^{22}}[7]\). We only need guess the leftmost two bits in \({K^{22}}[7]\). Compute \(X_R^{20}[2]\) and compress the data into \({2^{36}}\) texts of the value of \(X_L^{23}[3]\) \(||X_R^{23}[0,2,4]\) \(||X_R^{22}[0,1,3]\) \(||X_R^{20}[2,4]\) appearing odd times.

13. 13.

    Guess \({K^{21}}[1]\) and compute \(X_R^{21}[2]\) and compress the data into \({2^{32}}\) texts of the value of \(X_L^{23}[3]\) \(||X_R^{23}[2,4]\) \(||X_R^{22}[0,3]\) \(||X_R^{21}[2]\) \(||X_R^{20}[2,4]\) appearing odd times.

14. 14.

    Guess \({K^{20}}[2]\) and compute \(X_R^{20}[5]\) and compress the data into \({2^{28}}\) texts of the value of \(X_L^{23}[3]\) \(||X_R^{23}[2,4]\) \(||X_R^{22}[0]\) \(||X_R^{20}[2,4,5]\) appearing odd times.

15. 15.

    Guess \({K^{21}}[0]\) and compute \(X_R^{21}[4]\) and compress the data into \({2^{28}}\) texts of the value of \(X_L^{23}[3]\) \(||X_R^{23}[2,4]\) \(||X_R^{21}[4]\) \(||X_R^{20}[2,4,5]\) appearing odd times.

16. 16.

    Due to the keyschedule, \({K^{19}}[5]\) is determined by \({K^{22}}[3]\) and \({K^{22}}[4]\). Compute \(X_R^{19}[6]\) and compress the data into \({2^{24}}\) texts of the value of \(X_L^{23}[3]||X_R^{23}[2,4]||\) \(X_R^{20}[2,4]\) \(||X_R^{19}[6]\) appearing odd times.

17. 17.

    Guess \({K^{22}}[2]\) and then compute \(X_R^{22}[5]\) and compress the data into \({2^{20}}\) texts of the value of \(X_R^{22}[5]\) \(||X_R^{23}[4]\) \(||X_R^{20}[2,4]\) \(||X_R^{19}[6]\) appearing odd times.

18. 18.

    Guess \({K^{21}}[5]\) and then compute \(X_R^{21}[6]\) and compress the data into \({2^{16}}\) texts of the value of \(X_R^{21}[6]\) \(||X_R^{20}[2,4]\) \(||X_R^{19}[6]\) appearing odd times.

19. 19.

    Due to the keyschedule, \({K^{19}}[4]\) is determined by \({K^{22}}[2]\) and \({K^{22}}[3]\). Compute \(X_R^{19}[0]\) and compress the data into \({2^{12}}\) texts of the value of \(X_R^{20}[2]\) \(||X_R^{19}[0,6]\) appearing odd times.

20. 20.

    Guess \({K^{18}}[0]\) and compute \(X_R^{18}[4]\) and compress the data into \({2^{8}}\) texts of the value of \(X_R^{19}[6]\) \(||X_R^{18}[4]\) appearing odd times.

21. 21.

    Due to the keyschedule, \({K^{17}}[4]\) is determined by the rightmost three bits of \({K^{20}}[2]\) and the leftmost bit of \({K^{20}}[3]\). Guess the leftmost bit of \({K^{20}}[3]\), compute \(X_R^{17}[0]\) and compress the data into \({2^{4}}\) texts of the value of \(X_R^{17}[0]\) appearing odd times.

22. 22.

    Due to the keyschedule, \({K^{16}}[0]\) is determined by the rightmost bit of \({K^{21}}[3]\) and the leftmost three bits of \({K^{21}}[4]\). Guessing the rightmost bit of \({K^{21}}[3]\), and then we compute the sum \(\bigoplus (S(X_L^{16}[0] \oplus {K^{16}}[0])) \).

Key state for key recovery

Full size image

Complexity for Computing \(\bigoplus (S(X_L^{16}[0] \oplus {K^{16}}[0])) \). The complexity for each step is estimated as a product of the previous date size and the total number of guessed bits. In total,

That is \({2^{77.3}} \times \frac{1}{8} \times \frac{1}{{23}} \approx {2^{69.8}}\) 23-round encryptions. After step 22, we obtain a list with \({2^{60}}\) entries which contains 64-bit information: \(\bigoplus (S(X_L^{16}[0] \oplus {K^{16}}[0])) \) and corresponding 60-bit guessed key.

Reprints and permissions

© 2015 Springer International Publishing Switzerland

Policies and ethics