Known-Key Distinguishers on 11-Round Feistel and Collision Attacks on Its Hashing Modes

  • Yu Sasaki
  • Kan Yasuda
Conference paper

DOI: 10.1007/978-3-642-21702-9_23

Part of the Lecture Notes in Computer Science book series (LNCS, volume 6733)
Cite this paper as:
Sasaki Y., Yasuda K. (2011) Known-Key Distinguishers on 11-Round Feistel and Collision Attacks on Its Hashing Modes. In: Joux A. (eds) Fast Software Encryption. FSE 2011. Lecture Notes in Computer Science, vol 6733. Springer, Berlin, Heidelberg


We present new attacks on the Feistel network, where each round function consists of a subkey XOR, S-boxes, and then a linear transformation (i.e., an SP round function). Our techniques are based largely on what they call the rebound attacks. As a result, our attacks work most effectively when the S-boxes have a “good” differential property (like the inverse function xx− 1 in the finite field) and when the linear transformation has an “optimal” branch number (i.e., a maximum distance separable matrix). We first describe known-key distinguishers on such Feistel block ciphers of up to 11 rounds, increasing significantly the number of rounds from previous work. We then apply our distinguishers to the Matyas-Meyer-Oseas and Miyaguchi-Preneel modes in which the Feistel ciphers are used, obtaining collision and half-collision attacks on these hash functions.


known-key block cipher Feistel-SP rebound attack MDS collision attack hash function MMO Miyaguchi-Preneel 
Download to read the full conference paper text

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Yu Sasaki
    • 1
  • Kan Yasuda
    • 1
  1. 1.NTT Information Sharing Platform LaboratoriesNTT CorporationJapan

Personalised recommendations