Accurate Estimation of the Full Differential Distribution for General Feistel Structures

  • Jiageng ChenEmail author
  • Atsuko Miyaji
  • Chunhua Su
  • Je Sen Teh
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9589)


Statistical cryptanalysis is one of the most powerful tools to analyze symmetric key cryptographic primitives such as block ciphers. One of these attacks, the differential attack has been demonstrated to break a wide range of block ciphers. Block cipher proposals previously obtain a rough estimate of their security margin against differential attacks by counting the number of active S-Box along a differential path. However this method does not take into account the complex clustering effect of multiple differential paths. Analysis under full differential distributions have been studied for some extremely lightweight block ciphers such as KATAN and SIMON, but is still unknown for ciphers with relatively large block sizes. In this paper, we provide a framework to accurately estimate the full differential distribution of General Feistel Structure (GFS) block ciphers with relatively large block sizes. This framework acts as a convenient tool for block cipher designers to determine the security margin of their ciphers against differential attacks. We describe our theoretical model and demonstrate its correctness by performing experimental verification on a toy GFS cipher. We then apply our framework to two concrete GFS ciphers, LBlock and TWINE to derive their full differential distribution by using super computer. Based on the results, we are able to attack 25 rounds of TWINE-128 using a distinguishing attack, which is comparable to the best attack to date. Besides that, we are able to depict a correlation between the hamming weight of an input differential characteristic and the complexity of the attack. Based on the proposed framework, LBlock and TWINE have shown to have 178 and 208-bit security respectively.


Differential attack GFS Differential distribution LBlock TWINE 


  1. 1.
    Albrecht, M.R., Leander, G.: An all-in-one approach to differential cryptanalysis for small block ciphers. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 1–15. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  2. 2.
    Alex Biryukov, P.D., Perrin, L.: Differential analysis and meet-in-the-middle attack against round-reduced twine. Cryptology ePrint Archive, Report 2015/240 (2015)Google Scholar
  3. 3.
    Selçuk, A.A., Biçak, A.: On probability of success in linear and differential cryptanalysis. In: Cimato, S., Galdi, C., Persiano, G. (eds.) SCN 2002. LNCS, vol. 2576, pp. 174–185. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  4. 4.
    Baignères, T., Junod, P., Vaudenay, S.: How far can we go beyond linear cryptanalysis? In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 432–450. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  5. 5.
    Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 2–21. Springer, Heidelberg (1991)Google Scholar
  6. 6.
    Biryukov, A., Nikolić, I.: Automatic search for related-key differential characteristics in byte-oriented block ciphers: application to AES, Camellia, Khazad and others. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 322–344. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  7. 7.
    Biryukov, A., Roy, A., Velichkov, V.: Differential analysis of block ciphers SIMON and SPECK. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 546–570. Springer, Heidelberg (2015)Google Scholar
  8. 8.
    Blondeau, C., Gérard, B.: Multiple differential cryptanalysis: theory and practice. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 35–54. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  9. 9.
    Blondeau, C., Gérard, B., Nyberg, K.: Multiple differential cryptanalysis using LLR and statistics. In: Visconti, I., De Prisco, R. (eds.) SCN 2012. LNCS, vol. 7485, pp. 343–360. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  10. 10.
    Granlund, T., et al.: The GNU Multiple Precision Arithmetic Library, 2.0.2 edn. TMG Datakonsult, Boston (1996)Google Scholar
  11. 11.
    Knudsen, L.R., Robshaw, M.: The Block Cipher Companion. Springer Science & Business Media, Heidelberg (2011)CrossRefzbMATHGoogle Scholar
  12. 12.
    Lu, J., Yap, W.-S., Wei, Y.: Weak keys of the full MISTY1 block cipher for related-key differential cryptanalysis. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 389–404. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  13. 13.
    Matsui, M.: On correlation between the order of S-Boxes and the strength of DES. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 366–375. Springer, Heidelberg (1995)Google Scholar
  14. 14.
    Neyman, J., Pearson, E.S.: On the Problem of the Most Efficient Tests of Statistical Hypotheses. Springer, New York (1992)CrossRefzbMATHGoogle Scholar
  15. 15.
    O’Connor, L., Goli, J.: A unified Markov approach to differential and linear cryptanalysis. In: Safavi-Naini, R., Pieprzyk, J.P. (eds.) ASIACRYPT 1994. LNCS, vol. 917, pp. 385–397. Springer, Heidelberg (1995)CrossRefGoogle Scholar
  16. 16.
    Özen, O., Varıcı, K., Tezcan, C., Kocair, Ç.: Lightweight block ciphers revisited: cryptanalysis of reduced round PRESENT and HIGHT. In: Boyd, C., González Nieto, J. (eds.) ACISP 2009. LNCS, vol. 5594, pp. 90–107. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  17. 17.
    Shibutani, K.: On the diffusion of generalized Feistel structures regarding differential and linear cryptanalysis. In: Biryukov, A., Gong, G., Stinson, D.R. (eds.) SAC 2010. LNCS, vol. 6544, pp. 211–228. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  18. 18.
    Shirai, T., Shibutani, K., Akishita, T., Moriai, S., Iwata, T.: The 128-bit blockcipher CLEFIA (Extended Abstract). In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 181–195. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  19. 19.
    Sun, S., Hu, L., Wang, P., Qiao, K., Ma, X., Song, L.: Automatic security evaluation and (related-key) differential characteristic search: application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 158–178. Springer, Heidelberg (2014)Google Scholar
  20. 20.
    Suzaki, T., Minematsu, K.: Improving the generalized Feistel. In: Hong, S., Iwata, T. (eds.) FSE 2010. LNCS, vol. 6147, pp. 19–39. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  21. 21.
    Suzaki, T., Minematsu, K., Morioka, S., Kobayashi, E.: TWINE: a lightweight block cipher for multiple platforms. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 339–354. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  22. 22.
    Wu, W., Zhang, L.: LBlock: a lightweight block cipher. In: Lopez, J., Tsudik, G. (eds.) ACNS 2011. LNCS, vol. 6715, pp. 327–344. Springer, Heidelberg (2011)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Jiageng Chen
    • 1
    Email author
  • Atsuko Miyaji
    • 2
    • 3
    • 4
  • Chunhua Su
    • 2
  • Je Sen Teh
    • 5
  1. 1.Computer SchoolCentral China Normal UniversityWuhanChina
  2. 2.School of Information ScienceJapan Advanced Institute of Science and TechnologyNomiJapan
  3. 3.Japan Science and Technology Agency (JST) CRESTKawaguchi-shiJapan
  4. 4.Graduate School of EngineeringOsaka UniversityOsakaJapan
  5. 5.School of Computer SciencesUniversiti Sains MalaysiaGelugorMalaysia

Personalised recommendations