Known-Key Distinguishers on 11-Round Feistel and Collision Attacks on Its Hashing Modes

  • Yu Sasaki
  • Kan Yasuda
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6733)


We present new attacks on the Feistel network, where each round function consists of a subkey XOR, S-boxes, and then a linear transformation (i.e., an SP round function). Our techniques are based largely on what they call the rebound attacks. As a result, our attacks work most effectively when the S-boxes have a “good” differential property (like the inverse function xx − 1 in the finite field) and when the linear transformation has an “optimal” branch number (i.e., a maximum distance separable matrix). We first describe known-key distinguishers on such Feistel block ciphers of up to 11 rounds, increasing significantly the number of rounds from previous work. We then apply our distinguishers to the Matyas-Meyer-Oseas and Miyaguchi-Preneel modes in which the Feistel ciphers are used, obtaining collision and half-collision attacks on these hash functions.


known-key block cipher Feistel-SP rebound attack MDS collision attack hash function MMO Miyaguchi-Preneel 


  1. 1.
    Barreto, P.S.L.M., Rijmen, V.: The WHIRLPOOL hashing function. Submission to NESSIE (2003)Google Scholar
  2. 2.
    Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 2–21. Springer, Heidelberg (1991)Google Scholar
  3. 3.
    Biryukov, A., Khovratovich, D.: Related-key cryptanalysis of the full AES-192 and AES-256. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 1–18. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  4. 4.
    Biryukov, A., Khovratovich, D., Nikolić, I.: Distinguisher and related-key attack on the full AES-256. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 231–249. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  5. 5.
    Biryukov, A., Nikolić, I.: A New Security Analysis of AES-128. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677. Springer, Heidelberg (2009), CrossRefGoogle Scholar
  6. 6.
    Biryukov, A., Nikolić, I.: Automatic search for related-key differential characteristics in byte-oriented block ciphers: Application to AES, camellia, khazad and others. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 322–344. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  7. 7.
    Black, J.A., Rogaway, P., Shrimpton, T.: Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 320–335. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  8. 8.
    Bouillaguet, C., Dunkelman, O., Leurent, G., Fouque, P.A.: Attacks on hash functions based on generalized Feistel—application to reduced-round Lesamnta and SHAvite-3_512. In: Biryukov, A., Gong, G., Stinson, D. (eds.) SAC 2010. LNCS, vol. 6544, pp. 18–35. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  9. 9.
    Daemen, J., Rijmen, V.: AES Proposal: Rijndael. Submission to NIST (1998)Google Scholar
  10. 10.
    Dillon, J.F.: APN polynomials: An update. In: Fq9 Conference (2009)Google Scholar
  11. 11.
    Gauravaram, P., Leurent, G., Mendel, F., Naya-Plasencia, M., Peyrin, T., Rechberger, C., Schläffer, M.: Cryptanalysis of the 10-round hash and full compression function of SHAvite-3-512. In: Bernstein, D.J., Lange, T. (eds.) AFRICACRYPT 2010. LNCS, vol. 6055, pp. 419–436. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  12. 12.
    Gilbert, H., Peyrin, T.: Super-sbox cryptanalysis: Improved attacks for AES-like permutations. In: Hong, S., Iwata, T. (eds.) FSE 2010. LNCS, vol. 6147, pp. 365–383. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  13. 13.
    Knudsen, L.R., Rijmen, V.: Known-key distinguishers for some block ciphers. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 315–324. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  14. 14.
    Lamberger, M., Mendel, F., Rechberger, C., Rijmen, V., Schläffer, M.: Rebound distinguishers: Results on the full whirlpool compression function. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 126–143. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  15. 15.
    Lu, J., Dunkelman, O., Keller, N., Kim, J.-S.: New impossible differential attacks on AES. In: Chowdhury, D.R., Rijmen, V., Das, A. (eds.) INDOCRYPT 2008. LNCS, vol. 5365, pp. 279–293. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  16. 16.
    Matsui, M., Yamagishi, A.: A new method for known plaintext attack of FEAL cipher. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 81–91. Springer, Heidelberg (1993)CrossRefGoogle Scholar
  17. 17.
    Mendel, F., Peyrin, T., Rechberger, C., Schläffer, M.: Improved cryptanalysis of the reduced Grøstl compression function, ECHO permutation and AES block cipher. In: Jacobson Jr., M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 16–35. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  18. 18.
    Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.S.: The rebound attack: Cryptanalysis of reduced whirlpool and grøstl. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 260–276. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  19. 19.
    Minier, M., Phan, R.C.-W., Pousse, B.: Distinguishers for ciphers and known key attack against rijndael with large blocks size. In: Preneel, B. (ed.) AFRICACRYPT 2009. LNCS, vol. 5580, pp. 60–76. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  20. 20.
    Minier, M., Naya-Plasencia, M., Peyrin, T.: Analysis of reduced-SHAvite-3-256 v2. In: Joux, A. (ed.) FSE 2011 Preproceedings. LNCS, vol. 6733, pp. 68–87 (2011)Google Scholar
  21. 21.
    Nikolić, I., Pieprzyk, J., Sokołowski, P., Steinfeld, R.: Known and chosen key differential distinguishers for block ciphers. In: Rhee, K., Nyang, D. (eds.) Preproceedings of ICISC 2010, 1A-3 (2010)Google Scholar
  22. 22.
    Nyberg, K.: Differentially uniform mappings for cryptography. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 55–64. Springer, Heidelberg (1994)CrossRefGoogle Scholar
  23. 23.
    Preneel, B., Govaerts, R., Vandewalle, J.: Hash functions based on block ciphers: A synthetic approach. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 368–378. Springer, Heidelberg (1994)CrossRefGoogle Scholar
  24. 24.
    Sasaki, Y.: Known-key attacks on Rijndael with large blocks and strengthening ShiftRow parameter. In: Echizen, I., Kunihiro, N., Sasaki, R. (eds.) IWSEC 2010. LNCS, vol. 6434, pp. 301–315. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  25. 25.
    Singleton, R.C.: Maximum distance q-nary codes. IEEE Trans. Inf. Theory 10, 116–118 (1964)MathSciNetCrossRefMATHGoogle Scholar
  26. 26.
    U.S. Department of Commerce, National Institute of Standards and Technology: Specification for the ADVANCED ENCRYPTION STANDARD (AES) (Federal Information Processing Standards Publication 197) (2001)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Yu Sasaki
    • 1
  • Kan Yasuda
    • 1
  1. 1.NTT Information Sharing Platform LaboratoriesNTT CorporationJapan

Personalised recommendations