Algebraic Insights into the Secret Feistel Network
Abstract
We introduce the high-degree indicator matrix (HDIM), an object closely related to both the linear approximation table and the algebraic normal form (ANF) of a permutation. We show that the HDIM of a Feistel Network contains very specific patterns depending on the degree of the Feistel functions, the number of rounds and whether the Feistel functions are 1-to-1 or not. We exploit these patterns to distinguish Feistel Networks, even if the Feistel Network is whitened using unknown affine layers. We also present a new type of structural attack exploiting monomials that cannot be present at round \(r-1\) to recover the ANF of the last Feistel function of an r-round Feistel Network. Finally, we discuss the relations between our findings, integral attacks, cube attacks, Todo’s division property and the congruence modulo 4 of the Linear Approximation Table.
Keywords
High-degree indicator matrix, Feistel network, ANF, Linear approximation table/Walsh spectrum, Division property, Integral attack
1 Introduction
While the importance of attacks targeting actual primitives is obvious, structural attacks can also lead to interesting developments. In fact, the last few years have seen the publication of several such attacks. For example, the attack targeting the SASAS construction has recently been extended to larger constructions [1]. The ASASA structure, which might look weaker at first glance due to its lower number of non-linear layers, has actually proved to be a challenging target; it was even proposed as the basis for public key encryption and white-box schemes [2]. Attacking this generic structure requires the sophisticated methods presented in [3] and [4]. Feistel Networks have also been the target of generic attacks in two different settings. If the Feistel functions are completely secret, attacks on up to 5 rounds are presented in [5]. If the Feistel functions consist of public functions preceded by the addition of a secret key, powerful attacks with very low data complexity are presented in [6].
As illustrated by the usage of the ASASA structure, generic constructions can be applied in white-box cryptography, where the aim is to prevent an attacker from accessing some of the inner components of the algorithm in order to perform some computations. Thus, structural attacks are important in this context. They can also be used to reverse-engineer the secret structure of an S-Box, allowing for example an attacker to enjoy the benefits of a lightweight implementation known a priori only to the designer of the S-Box. The use of small Feistel Networks for lightweight S-Box design is investigated in [7] and, in fact, a secret hardware-efficient decomposition^{1} was recently discovered for the S-Box of the latest Russian standards [8] using such reverse-engineering.
Our Contribution. Our results are based on the high-degree indicator matrix (HDIM), a new object we introduce. We associate to any n-bit permutation F an \(n \times n\) Boolean matrix \(\hat{H}(F)\) which can be computed in time \(\text {O}(n 2^{n-1})\) using the full codebook and which is related all at once to the LAT/Walsh spectrum of F, to its algebraic normal form and to the existence of integral distinguishers.
Structural attacks against Feistel Networks. n is the branch size, d is the degree of the Feistel functions.
| R | Type | Power | Restrictions | Time | Data | Ref. |
| 5 | Differential | Distinguisher | Non bij. round func. | \(2^{n}\) | \(2^{n}\) | [11] |
| 5 | Imp. diff. | Distinguisher | Bij. round func. | \(2^{2n}\) | \(2^{n}\) | [10] |
| 5 | SAT-based | Full recovery | \(n \le 7\) | Practical | \(2^{2n}\) | [12] |
| 5 | Yoyo | Full recovery | – | \(2^{2n}\) | \(2^{2n}\) | [5] |
| 5 | Integral | Full recovery | \(f_1\) or \(f_3\) bij. | \(2^{2.81n}\) | \(2^{2n}\) | [5] |
| 5 | Guess & Det. | Full recovery | – | \(2^{n 2^{3n/4}}\) | \(2^{2n}\) | [5] |
| 5 | HDIM-based | Distinguisher | Bij. round func. | \(2^{2n-1}\) | \(2^{2n-1}\) | Sect. 6.1 |
| 5 | Imp. monom. | Full recovery | Bij. round func. | \(2^{3n}\) | \(2^{2n}\) | Sect. 5.2 |
| r | HDIM-based | Distinguisher | Bij. round func., \(\theta (d,r-1) < 2n\) | \(2^{2n-1}\) | \(2^{2n-1}\) | Sect. 6.1 |
| r | HDIM-based | Distinguisher | Non bij. round func., \(\theta (d,r) < 2n\) | \(2^{2n-1}\) | \(2^{2n-1}\) | Sect. 6.1 |
| r | Imp. monom. | Full recovery | \(d^{r-3} < n\) | \(2^{3n}\) | \(2^{2n}\) | Sect. 5.3 |
Structural attacks against Feistel Networks whitened with unknown affine layers. The attacks recover parts of the unknown affine layers. n is the branch size, d is the degree of the Feistel functions.
| Structure | Restrictions | Time | Data | Ref. |
| \(\mathsf {AF}^4\mathsf {A}\) | Bij. round func. | \(2^{6n}\) | \(2^{4n}\) | [8] |
| \(\mathsf {AF}^r\mathsf {A}\) | Bij. round func., \(\theta (d,r-1) < 2n\) | \(n 2^{2n}\) | \(2^{2n}\) | Sect. 4.2 |
| \(\mathsf {AF}^r\mathsf {A}\) | Non bij. round func., \(\theta (d,r) < 2n\) | \(n 2^{2n}\) | \(2^{2n}\) | Sect. 4.2 |
| \(\mathsf {AF}^r\mathsf {A}^{-1}\) | Bij. round func., \(\theta (d,r) < 2n\) | \(n 2^{2n}\) | \(2^{2n}\) | Sect. 4.2 |
| \(\mathsf {AF}^r\mathsf {A}^{-1}\) | Non bij. round func., \(\theta (d,r+1) < 2n\) | \(n 2^{2n}\) | \(2^{2n}\) | Sect. 4.2 |
2 Notations and Boolean Functions Basics

\(\mathbb {F}_{2}^{}\) denotes the finite field of size 2,
the exclusive-OR (or XOR) is denoted \(\oplus \),
the logical AND is denoted \(\wedge \),
the Hamming weight \(\text {hw}(x)\) of a vector x of \(\mathbb {F}_{2}^{n}\) is the number of ones in x,
\(|S|\) and \(\# S\) denote the size of a set S,
the scalar product of two elements \(x = (x_{0},...,x_{n-1})\) and \(y = (y_{0},...,y_{n-1})\) of \(\mathbb {F}_{2}^{n}\) is denoted “\(\cdot \)” and is equal to \(x \cdot y = \bigoplus _{i=0}^{n-1} x_{i} \wedge y_{i}\),
if \(x = (x_{0},...,x_{n-1})\) and \(u = (u_{0},...,u_{n-1})\) are two elements of \(\mathbb {F}_{2}^{n}\) then \(x^u = \prod _{i=0}^{n-1} x_i^{u_i}\), and
if \(x = (x_{0},...,x_{n-1})\) and \(u = (u_{0},...,u_{n-1})\) are two elements of \(\mathbb {F}_{2}^{n}\) then \(x \preccurlyeq u\) is true if and only if \((u_i = 0 \implies x_i = 0)\) is true for all i in \([0, n-1]\). We say that u “covers” x.
We now define some of the key components used in our analysis.
Definition 1
(Boolean Function). We call a function mapping \(\mathbb {F}_{2}^{n}\) to \(\mathbb {F}_{2}^{}\) a Boolean function. A function mapping \(\mathbb {F}_{2}^{n}\) to \(\mathbb {F}_{2}^{m}\) is a vectorial Boolean function and its restrictions to each output bit are its coordinates. Finally, for a vectorial Boolean function F, the Boolean functions \(x \mapsto c \cdot F(x)\) are its components.
Note that a coordinate of a Boolean function is one of its components but that the converse is not necessarily true. Let us then introduce the concept of balancedness.
Definition 2
(Balanced Boolean Function). A (vectorial) Boolean function F mapping \(\mathbb {F}_{2}^{n}\) to \(\mathbb {F}_{2}^{m}\) is said to be balanced if the preimages of all elements of \(\mathbb {F}_{2}^{m}\) have the same size.
A vectorial Boolean function is balanced if and only if all of its components are balanced.
We also recall the definition of the Algebraic Normal Form of a Boolean function.
Definition 3
Definition 4
(Algebraic Degree). The algebraic degree of a Boolean function is the largest number of variables in a single term of its ANF, i.e. the maximum Hamming weight of all u of \(\mathbb {F}_{2}^{n}\) such that \(a_u \ne 0\). The algebraic degree of a vectorial Boolean function is the maximum algebraic degree of its coordinates. The algebraic degree of a (vectorial) Boolean function F is denoted \(\deg (F)\).
We observe that the algebraic degree of a permutation of n bits is at most equal to \(n-1\).
Our analysis will involve the LAT or Fourier Transform (related to the Walsh spectrum by a constant multiplication) of a Boolean function. These almost identical concepts are introduced below.
Definition 5
Remark 1
If F is an n-bit permutation then, for all (a, b) in \((\mathbb {F}_{2}^{n})^2\), we have \(\mathcal {L}[a, b] \equiv 0 \mod 2\).
When a Boolean function \(\mu \) mapping n bits to m is linear, we use \(\mu \) to represent both the function itself and its matrix representation. The transpose of a matrix \(\mu \) is denoted \(\mu ^t\). Finally, we state the following well-known remark regarding the algebraic degree of a (vectorial) Boolean function.
Remark 2
If F is a (vectorial) Boolean function and \(\mathcal {V}\) is a vector space of \(\mathbb {F}_{2}^{n}\) such that \(|\mathcal {V}| > 2^{\deg (F)}\), then \(\bigoplus _{v \in \mathcal {V}} F(v) = 0\).
3 Patterns in Biases Modulo 4 and HDIM
As we can see, the congruence of the biases is constant in each square of dimensions \(8 \times 8\) for the 4-round Feistel Networks. Furthermore, there seem to be linear patterns for the 5-round structure: if we divide the LAT into \(8 \times 8\) squares as before, then we find that each square at position (i, j) is the sum of the squares at positions (i, 0) and (0, j) and a square-wise constant.
The reason behind these patterns is twofold. The first aspect is a generic observation about the linearity (in some sense) of the construction of the LAT modulo 4. Indeed, we show in this section that the function \((a,b) \mapsto (\mathcal {L}[a,b] \mod 4)\) for the LAT \(\mathcal {L}\) of a permutation is a bilinear form and that its matrix representation has interesting properties. The second aspect of the justification for the patterns is the probability-1 presence of zeroes in some positions, which is discussed later in Sect. 4.
3.1 The High-Degree Indicator Matrix
We first rewrite the congruence modulo 4 of the biases in the LAT of a permutation using Boolean functions.
Lemma 1
Proof
Definition 6
Lemma 2
The coefficients of \(\hat{H}(F)\) indicate the presence of the highest degree terms in the coordinates of F. More precisely, \(\hat{H}(F)[i, j] = 1\) if and only if the ANF of \(F_{i}\) contains the monomial \(\prod _{k \ne j} x_{k}\) (which has degree \(n-1\)).
Proof
Let F be an n-bit permutation. As \(\hat{H}(F)[i,j]\) is the sum over a space of size \(2^{n}\) of the Boolean function \(x \mapsto \big ( e_{i} \cdot F(x) \big )\big ( e_{j} \cdot x \big ) = F_i(x) \cdot x_j\), it is equal to 0 unless this Boolean function has algebraic degree n. As F has degree at most \(n-1\), this occurs if and only if \(F_{i}\) contains \(\prod _{k \ne j} x_{k}\). Indeed, in this case (and in this case only), the ANF of \(x_j \cdot F_i(x)\) contains the only possible degree-n term \(\prod _{k=0}^{n-1}x_k\). \(\square \)
This lemma is the reason behind the name “high-degree indicator matrix”. Indeed, the HDIM coefficients simply state whether each of the n possible degree-\(n-1\) terms appears in each coordinate of F or not.
We finally note that the HDIM of a function can be computed much more efficiently than the LAT or the difference distribution table. Indeed, we can compute a column of the HDIM by summing the function over a cube of dimension \(n-1\) (see Sect. 6.1). The complexity for all n columns is therefore \(n 2^{n-1}\).
3.2 Some Properties of the High-Degree Indicator Matrix
Let us investigate the effect of some simple transformations on the HDIM. First, we point out that, because the LAT of the inverse of a permutation F is the transpose of the LAT of F, the HDIM of \(F^{-1}\) is the transpose of the HDIM of F.
We now show that the HDIM of \(\eta \circ f \circ \mu \) can easily be deduced from that of f when \(\eta \) and \(\mu \) are n-bit linear permutations. The corresponding theorem will be used in Sect. 4.2 to attack Feistel Networks whitened using affine layers.
Theorem 1
Proof
The ANF and the LAT of an n-bit permutation are connected in the sense that it is possible to determine the congruence modulo 4 of the LAT \(\mathcal {L}\) of an n-bit permutation F given parts of its ANF. Indeed, as we describe in this section, this congruence only depends on the terms of degree \(n-1\) in the ANF of the coordinates of F.
4 The High-Degree Indicator Matrix of Feistel Networks
4.1 Artifacts in the HDIM of Feistel Networks
Theorem 2
if the Feistel functions are bijections and \(\theta (d,r) < 2n\), or
if the Feistel functions are not bijections and \(\theta (d,r+1) < 2n\).
Corollary 1
if the Feistel functions are bijections and \(\theta (d,r-1) < 2n\), or
if the Feistel functions are not bijections and \(\theta (d,r) < 2n\).
Proof
Let r and d be such that \(\mathsf {F}^{r-1}_{d}\) fits the hypothesis of Theorem 2. The right word of the output of a \(\mathsf {F}^{r}_{d}\) structure is the left word output by a \(\mathsf {F}^{r-1}_{d}\) structure. As each line of the HDIM corresponds to one output bit, the top n rows of the HDIM of the r-round FN are equal to the bottom n rows of the same permutation reduced to \((r-1)\) rounds. Because of Theorem 2, this bottom half is such that the first n columns are all 0. Thus, the first n columns of the first n rows of the HDIM of a \(\mathsf {F}^{r}_{d}\) are all equal to 0. \(\square \)
If \(r = r_{\text {max}}(d, 2n)\) then the 2n-bit permutation \(\mathsf {F}^{r}_{d}\) exhibits an artifact of size \(n^{2}\) in its HDIM.
4.2 Bypassing Affine Whitening
In the context of component reverse-engineering/white-box cryptography, it may not be sufficient to be able to attack a generic Feistel structure. Indeed, simply whitening a generic structure with secret affine layers can prevent many attacks from succeeding, at small cost for the designer. For example, applying affine layers before and after a 5-round Feistel Network would prevent the yoyo game used in [5] from being exploitable. Similarly, the recent attacks against ASASA [3, 4] are much more sophisticated than the attack against SASAS proposed by Biryukov et al. in the first place [19]. We also note that the secret structure of the S-Box of the latest Russian standard primitives, recently recovered, was indeed whitened with seemingly random linear layers [8].
Attack 1
This distinguisher requires the full codebook and as much time as is needed to compute the HDIM and solve a system of equations. Since the system is small, the bottleneck is the computation of the HDIM which can be done in time \(\text {O}(n 2^{2n})\) where n is the branch size.
We can use the exact same reasoning to attack one more round if the decompositions of \(\eta \) and \(\mu \) involve the same “linear Feistel function” a. This happens in particular if \(\eta = \mu ^{-1}\). In this case, we can use the distinguisher obtained from the following attack.
Attack 2
Note that if there is a single whitening affine layer applied at some side, we have a similar system with \(n^2\) unknowns. If we consider one more round, we will have \(n^2\) equations as well. Therefore we can attack \(\mathsf {F}^{r}_{d}\mathsf {A}\), where r is the maximum number of rounds satisfying Corollary 1. Another view on this attack is given in Sect. 5.3.
5 The Impossible Monomials Attack
In the previous sections we used absent terms of highest degree to recover whitening linear layers from Feistel Networks. In this section we generalize this method to terms of lower degree and, as a result, we present an attack recovering a secret round function from a 5-round Feistel Network with bijections. Furthermore, we generalize this attack to more rounds if the degrees of the round functions are small.
5.1 Impossible Monomials in Feistel Networks
Lemma 3
Let \(a, b \in \mathbb {F}_{2}^{n}\) be some vectors of variables and let \(f: \mathbb {F}_{2}^{n} \rightarrow \mathbb {F}_{2}^{}\) be a Boolean function of degree at most d. If some term in the ANF of \(f(a \oplus b)\) has degree \(d_a\) on variables from a, then it has degree at most \(d - d_a\) on variables from b. In particular, there are no terms of degree d on a and nonzero degree on b.
Proof
Let \(s(a,b) = a \oplus b\). Then \(\deg {s} = 1\) and \(\deg {(f \circ s)} \le d\). Hence a term containing \(d_a\) variables from a contains at most \(d-d_a\) variables from b.
Lemma 4
Let \(\pi :\mathbb {F}_{2}^{n} \rightarrow \mathbb {F}_{2}^{n}\) be a permutation and let \(f: \mathbb {F}_{2}^{n} \rightarrow \mathbb {F}_{2}^{}\) be some Boolean function of degree at most \(n-1\). Then \(\deg {(f \circ \pi )} \le n - 1\).
Proof
By the Möbius transform, the term of degree n is present in the ANF of \(f \circ \pi \) if and only if the sum of \(f \circ \pi \) over \(\mathbb {F}_{2}^{n}\) is equal to 1. Since \(\pi \) is a permutation, we have that \(\sum _{x\in \mathbb {F}_{2}^{n}} f (\pi (x)) = \sum _{x\in \mathbb {F}_{2}^{n}} f(x)\). But this last sum is equal to zero because \(\deg {f} \le n-1\). Therefore, there is no term of degree n in the ANF of \(f \circ \pi \) and we conclude that \(\deg {(f \circ \pi )} \le n-1\).
We now formally describe classes of impossible monomials using the following theorem.
Theorem 3
1. \(i \in R\) and \(hw(u_l) = n\);
2. \(i \in R\) and \(hw(u_l) = n-1, hw(u_r) = n-1\);
3. \(i \in R\) and \(hw(u_l) = n-1, hw(u_r) = n\);
4. \(i \in L\) and \(hw(u_l) = n, \ \ \quad hw(u_r) = n-1\).
Proof
1. Consider the 4-round integral characteristic from Fig. 4. Let C be any cube which contains the whole left part. From the integral characteristic it follows that the sum of F over the cube C has zero on the right side. Therefore, by the Möbius transform, the corresponding ANF coefficients are zero.
2. Let \(f_0,f_1,f_2,f_3: \mathbb {F}_{2}^{n} \rightarrow \mathbb {F}_{2}^{n}\) be the round functions of F. The equation for the right half of the output is then given by:
$$\begin{aligned} F_R(l||r) = l \oplus f_0(r) \oplus f_2(r \oplus f_1(l \oplus f_0(r))). \end{aligned}$$ (3)
Clearly, the first two terms do not contain any monomial of degree \(n-1\) on l and \(n-1\) on r. Consider the expression \(f_2(r \oplus f_1(l \oplus f_0(r)))\). Assume that a term with degree \(n-1\) on both l and r is present in the ANF of the expression. Then the term is present in the expansion of some product of at most \(n-1\) bits, where the bits are output bits of the expression \(r \oplus f_1(l \oplus f_0(r))\), i.e. in the term each of the \(n-1\) factors is either a bit from r or from \(f_1(l \oplus f_0(r))\). Note that the term may not be generated by choosing bits only from r, because in that case there would be no variables from l in it. Therefore there are at most \(n-2\) bits taken from the outer r; \(n-1\) variables from l and at least one variable \(r_i\) are taken from \(f_1(l \oplus f_0(r))\). It means that there exists a monomial function \(\pi \) such that \(\pi \circ f_1(l \oplus f_0(r))\) contains a term of degree \(n-1\) on l and degree at least 1 on r. By Lemma 4, \(\pi \circ f_1\) has degree at most \(n-1\) and by Lemma 3 there cannot be such a term in \(\pi \circ f_1(l \oplus f_0(r))\).
5.2 An Attack on 5-Round Feistel Network
In this section we use the impossible monomials to attack a 5-round Feistel Network built from permutations. The key idea is to observe the presence of some 4-round impossible monomials in the 5-round network and extract some information about the last round function. Consider some monomial \(x^u\) which is impossible on the right side of a 4-round Feistel Network. We now add the 5th round. If we observe \(x^u\) on the left side, then we know that this monomial has come from the last round function. Otherwise, we know that it has not come from the last round function, which gives us some information as well. Using these observations we build a system of linear equations where the unknowns are the ANF coefficients of the coordinates of the last round function. By solving the system we recover the ANF coefficients and hence the function itself. Note that in order to compute the ANF, we have to obtain the full codebook.
The ANF of \(F^5_{i}\) with \(i \in L\) contains some monomial from the first or the second group from Theorem 3 if and only if the ANF of \(f_i \circ F^5_R\) does. Since we can compute the ANF of \(F^5_R\), we can check which possible terms from the ANF of \(f_i\) generate the impossible monomial. Then from the presence of the impossible monomial in the ANF of \(F^5_{i+n}\) we deduce if the number of such terms in the ANF of \(f_i\) is odd or even. This gives us a linear equation over \(\mathbb {F}_{2}^{}\) where the unknowns are the ANF coefficients of \(f_i\). For an illustration see Fig. 5.
Note that the 4-round impossible monomials which are still impossible in a 5-round Feistel Network do not leak any information about f. For example, since a Feistel Network is a bijection, the monomial of degree 2n is impossible for any number of rounds, but it cannot be used in the attack. However, it is the only such monomial. Therefore we can use \(2^n-1\) impossible monomials from the first group of Theorem 3 and \(n^2\) from the second group. Each such monomial yields an equation for each bit of f. There are \(2^n\) unknown coefficients in the ANF of \(f_i\), so the number of equations will be enough to recover \(f_i\) for all i and hence f with high probability. Note that we can recover f only up to XOR with a constant, because the constant may propagate through the Feistel Network and merge with other round functions (see the introduction of [5] for a more detailed explanation of this phenomenon).
The complexity of the attack is \(O(2^{3n})\) and is dominated by generating the equation matrix, which is the same for all output bits (the only difference is the target vector). For each of the \(2^n\) possible terms in the ANF of \(f_i\) we compute the ANF of the term applied after F in time \(O(2^{2n})\) and then we check if this term generates the impossible monomials. The next step is to solve the systems. Since the equation matrix is the same for all output bits, we can do some precomputation (for example the LU decomposition) once and solve all n systems of equations very fast. Computing the target vectors is dominated by computing the ANF of \(F^5_i\) for \(i \in L\), which takes total time \(O(n2^{2n})\).
As a consequence of the algebraic nature of the attack, if the round function has lower degree, then the complexity decreases. Indeed, there are fewer unknowns and therefore both steps, generating the equation matrix and solving the systems, take less time. As an edge case, consider the \(F^5A\) structure, where the affine layer can be seen as a 6th round with a function of degree 1. The complexity of recovering the affine round is \(O(n2^{2n})\), as was shown in Sect. 4.2.
Note that the attack can be run in the reverse direction as well, so that we recover the first round function instead of the last one.
We have implemented the attack in Sage [21]. We successfully attacked a 5round Feistel Network with bijections and branch size of up to 9 bits and recovered the outer secret round functions in a few minutes on a modern laptop.
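The following Python script is an added worked example, not code from the paper or its authors: on an 8-bit toy instance it computes the HDIM of Sect. 3.1 both by cube sums and by the ANF criterion of Lemma 2, checks the transpose rule of Sect. 3.2 and the zero block of Corollary 1, and then runs the impossible-monomial recovery of the last round function from Sect. 5.2 on a 5-round network with constructed random 4-bit bijective round functions. It assumes the round shape of Eq. (3) (a round maps (l, r) to (r, l ⊕ f(r)), with no swap in the last round) and packs each 2n-bit word as (l << n) | r, so that the paper's "first n rows/columns" are the low-order bits.

```python
"""Added example (not the paper's own code): HDIM from cube sums and from the ANF
(Lemma 2), the transpose rule for F^{-1} (Sect. 3.2), the zero block of Corollary 1,
and the impossible-monomial recovery of the last round function (Sect. 5.2).
Assumed conventions follow Eq. (3): a round maps (l, r) to (r, l xor f(r)) and the
last round omits the swap; words are packed as x = (l << n) | r, so input bit j < n
is r_j and output bit i < n is R_i (the paper's "first n rows / first n columns")."""
import random


def random_bijections(n, rounds, seed):
    """Constructed sample: `rounds` random n-bit permutations as lookup tables."""
    rng, fs = random.Random(seed), []
    for _ in range(rounds):
        f = list(range(1 << n))
        rng.shuffle(f)
        fs.append(f)
    return fs


def feistel(fs, n):
    """Full codebook of the 2n-bit Feistel Network with round functions fs."""
    mask, table = (1 << n) - 1, []
    for x in range(1 << (2 * n)):
        l, r = x >> n, x & mask
        for f in fs[:-1]:
            l, r = r, l ^ f[r]
        l ^= fs[-1][r]                  # last round without swap, as in Eq. (3)
        table.append((l << n) | r)
    return table


def mobius(tt):
    """Moebius transform of a vector-valued truth table (ints, XORed bitwise).
    It is an involution: truth table -> ANF coefficients -> truth table."""
    out = list(tt)
    for i in range(len(out).bit_length() - 1):
        bit = 1 << i
        for x in range(len(out)):
            if x & bit:
                out[x] ^= out[x ^ bit]
    return out


def hdim_cube(table, m):
    """H[i][j] = XOR of F_i(x) over the (m-1)-dimensional cube x_j = 1 (Sect. 3.1)."""
    cols = [0] * m
    for x, y in enumerate(table):
        for j in range(m):
            if x >> j & 1:
                cols[j] ^= y
    return [[cols[j] >> i & 1 for j in range(m)] for i in range(m)]


def hdim_anf(table, m):
    """Lemma 2: H[i][j] = 1 iff the ANF of F_i contains prod_{k != j} x_k."""
    anf, full = mobius(table), (1 << m) - 1
    return [[anf[full ^ (1 << j)] >> i & 1 for j in range(m)] for i in range(m)]


def inverse(table):
    return [x for x, _ in sorted(enumerate(table), key=lambda p: p[1])]


def hw(u):
    return bin(u).count("1")


def recover_last_round(table, n):
    """Sect. 5.2 on a 5-round FN with bijective round functions: returns the lookup
    table of f_4 xor f_4(0), or None if the GF(2) system is not of full rank
    (the paper claims success only with high probability)."""
    full, rmask = (1 << (2 * n)) - 1, (1 << n) - 1
    anf_F = mobius(table)
    # 4-round impossible monomials u = (u_l << n) | u_r, groups 1 and 2 of Theorem 3
    group = [u for u in range(1 << (2 * n)) if u != full and
             (hw(u >> n) == n or hw(u >> n) == n - 1 and hw(u & rmask) == n - 1)]
    # Bit t of packed[x] is the monomial R^t of the right output word at x, so one
    # Moebius transform gives the ANF of all 2^n monomials R^t at once.
    packed = [sum(1 << t for t in range(1 << n) if (y & rmask & t) == t) for y in table]
    coef = mobius(packed)
    rec_anf = [0] * (1 << n)             # packed ANF of the recovered function
    for k in range(n):                   # one system per output bit, same matrix
        piv = {}                         # pivot bit -> (row mask, right-hand side)
        for u in group:
            row, rhs = coef[u] & ~1, anf_F[u] >> (n + k) & 1   # a_0 never occurs
            while row:
                p = row.bit_length() - 1
                if p not in piv:
                    piv[p] = (row, rhs)
                    break
                row, rhs = row ^ piv[p][0], rhs ^ piv[p][1]
        if len(piv) != (1 << n) - 1:
            return None
        sol = 0
        for p in sorted(piv):            # back substitution, lowest pivot first
            row, rhs = piv[p]
            if rhs ^ (hw(row & sol) & 1):
                sol |= 1 << p
        for t in range(1 << n):
            if sol >> t & 1:
                rec_anf[t] |= 1 << k
    return mobius(rec_anf)               # ANF -> truth table
```

For fs = random_bijections(4, 5, seed), recover_last_round(feistel(fs, 4), 4) returns fs[4] XORed with fs[4][0] whenever the 31-equation system has full rank, which is the "up to a constant" recovery described above.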
5.3 A Generalization of the Attack on Feistel Networks with Low-Degree Round Functions
When the round functions in a Feistel Network have low degree, the degree deficiency decreases slowly and, as a result, impossible monomials may exist for more than 5 rounds. Moreover, since there are fewer unknowns to recover, we need fewer impossible monomials to mount the attack.
In the following theorem we give a lower bound on the maximum number of Feistel rounds for which the large class of monomials is impossible. Namely, this class is point 1 from Theorem 3. The size of the class is \(2^n\), which is enough to recover a round function of full degree. Therefore this is the lower bound on maximum number of rounds that can be attacked using the ANF recovery technique from Sect. 5.2.
Theorem 4
Let F be a 2n-bit \(\mathsf {F}^{r}_{d}\) with arbitrary functions and let its ANF be as in Eq. 2. Then \(a^{F_i}_{u_lu_r} = 0\) if \(d^{r-2} < n\), \(i \in R\) and \(hw(u_l)=n\).
Proof
Let \(l||r\) be the input to F. Consider the degrees on the variables from l at the intermediate states. Initially, the degrees are 1 on the left and 0 on the right. After the first round the degrees are the same, because the input to the round function has no variables from l. Now if we have the respective degrees \(d_1,d_2\) at some point and we add a swap and XOR with the round function, the degrees become \(\max(d_2, d\cdot d_1), d_1\). Then for 2 rounds the degrees are d, 1, for 3 rounds \(d^2, d\), and, in general, for r rounds the degrees are \(d^{r-1}, d^{r-2}\). Therefore, when \(d^{r-2} < n\), the r-round Feistel Network has no monomials with degree n on l in the right branch of the output.
As a corollary of the theorem, we can attack a 2n-bit \(\mathsf {F}^{r}_{d}\) if \(d^{r-3} < n\). Note that for the 5-round Feistel with bijections which we attacked in the previous section this bound is not satisfied (for \(n \ge 3\)): \(d^{5-3} = (n-1)^2 > n\), i.e. we attacked more rounds than Theorem 4 would allow. Though we expect that the bound is tight for the specified class of monomials in FNs with non-bijective round functions, there are other classes of impossible monomials for Feistel Networks with more rounds. Moreover, if the degree is low, there are fewer ANF coefficients to recover and, therefore, smaller classes of impossible monomials may be enough for an attack. As an edge case, consider an additional round function of degree 1 (a linear function). The impossible monomials of degree \(2n-1\) from Corollary 1 can be used to recover such a round function, as was shown in the attacks of Sect. 4.2. The maximal number of rounds (without the last linear one) for this attack is given by the condition \(\theta (d,r) = d^{\lfloor r/2 \rfloor - 1} + d^{\lceil r/2 \rceil - 1} < 2n\) (or 1 more round if the Feistel functions are bijections). In the general case, if the Feistel functions are bijections, we can attack 5 normal rounds plus 1 linear round.
6 Relationship Between Our Results and Other Attacks
6.1 Integral Attacks
1. we can compute the HDIM of an n-bit permutation in time \(\text {O}(n 2^{n-1})\), and
2. zeroes in column j imply the existence of an integral distinguisher.
In light of this, we state the following corollary of Corollary 1.
Corollary 2
the Feistel functions are bijections and \(\theta (d,r-1) < 2n\), or
the Feistel functions are not bijections and \(\theta (d,r) < 2n\).
We notice a relation between our attacks and the so-called division property. This tool for finding integral attacks was introduced by Todo in [9] and later used by the same author to attack the full MISTY1 [22]. In his seminal paper, Todo gives some integral distinguishers against Feistel Networks for various block sizes, numbers of rounds and degrees of the Feistel functions, for both bijective and non-bijective Feistel functions. Interestingly, his results are extremely similar to ours! Indeed, while there is no generic formula in Todo’s paper, the application of his algorithm shows the existence of cubes of size \(2n-1\) whose sum is equal to 0 for a number of rounds identical to the ones we predicted. In fact, results about the division property of the output of a Feistel Network can be extracted from its HDIM. To explain this, we first recall the definition of the division property.
Definition 7
(Division Property). Let \(\mathbb {X}\) be a multiset of \(\mathbb {F}_{2}^{n}\) and k be an integer of [0, n]. We say that \(\mathbb {X}\) has the division property \(\mathcal {D}^{n}_{k}\) if, for all u in \(\mathbb {F}_{2}^{n}\) such that \(\text {hw}(u) \le k\), \(\bigoplus _{x \in \mathbb {X}} x^u = 0\).
This property is further generalized into the vectorial division property which we define in the particular case of a Feistel Network.
Definition 8
(Vectorial Division Property (for Feistel Networks)). Let \(\mathbb {X}\) be a multiset of \((\mathbb {F}_{2}^{n})^2\) and \(k^L, k^R\) be integers of [0, n]. We say that \(\mathbb {X}\) has the collective division property \(\mathcal {D}^{n}_{(k^L, k^R)}\) if, for all u, v in \(\mathbb {F}_{2}^{n}\) such that \(\text {hw}(u) \le k^L\) and \(\text {hw}(v) \le k^R\), \(\bigoplus _{(x,y) \in \mathbb {X}} x^u y^v = 0\).
In particular, Todo applied his technique to 2n-bit \(\mathsf {F}^{r}_{d}\). The integral distinguisher against the highest number of rounds corresponds to integrals over cubes of size \(2n-1\) where the constant bit has to be on the left side.^{4} As we have seen, summing over such a cube is equivalent to computing half of the lines of the HDIM of the function.
The relation between the ANF and integral attacks is further stressed by the attack we described in Sect. 5. Indeed, the complexity of this attack is very similar to that of the integral attack against 5-round FN with bijective Feistel functions described in [5].
7 Conclusion
Investigating surprising visual patterns in the LAT of Feistel Networks led us to interesting results. To explain them, we introduced the high-degree indicator matrix (HDIM). It causes a form of linearity of the LAT modulo 4 and is related to the presence (or lack thereof) of some monomials in the ANF of the permutation. We identified patterns in the distribution of these monomials for Feistel Networks and provided theorems allowing us to predict the existence of these patterns (Theorem 2 and Corollary 1). More generally, we showed how the predictable absence of some monomials can be leveraged to attack a Feistel Network in an impossible monomial attack. We also drew some connections between our results and integral distinguishers.
Footnotes
1. Whether this hidden structure serves another purpose is still an open problem.
2. If F is not a permutation but some function with degree at most \(n-1\), then this term a priori does not go away when taking the modulo 4 of the expression.
3. We note that adding constants to make the layers affine is equivalent to replacing the Feistel functions by other ones with identical properties.
4. It is actually on the right side in Todo’s paper. Unlike in our paper, the Feistel function is XORed in the right branch in his case.
Acknowledgment
We thank Alex Biryukov and Dmitry Khovratovich for helpful discussions. We also thank the anonymous reviewers for their helpful comments. The work of Léo Perrin is supported by the CORE ACRYPT project (ID C12154009992) funded by the Fonds National de la Recherche (Luxembourg). The work of Aleksei Udovenko is supported by the Fonds National de la Recherche, Luxembourg (project reference 9037104).
References
1. Biryukov, A., Khovratovich, D.: Decomposition attack on SASASASAS. IACR Cryptology ePrint Archive, report 2015/46 (2015)
2. Biryukov, A., Bouillaguet, C., Khovratovich, D.: Cryptographic schemes based on the ASASA structure: black-box, white-box, and public-key (extended abstract). In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 63–84. Springer, Heidelberg (2014)
3. Dinur, I., Dunkelman, O., Kranz, T., Leander, G.: Decomposing the ASASA block cipher construction. Cryptology ePrint Archive, report 2015/507 (2015). http://eprint.iacr.org/
4. Minaud, B., Derbez, P., Fouque, P.-A., Karpman, P.: Key-recovery attacks on ASASA. In: Iwata, T., et al. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 3–27. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-48800-3_1
5. Biryukov, A., Leurent, G., Perrin, L.: Cryptanalysis of Feistel Networks with secret round functions. In: Dunkelman, O., et al. (eds.) SAC 2015. LNCS, vol. 9566, pp. 102–121. Springer, Heidelberg (2016). doi: 10.1007/978-3-319-31301-6_6
6. Dinur, I., Dunkelman, O., Keller, N., Shamir, A.: New attacks on Feistel structures with improved memory complexities. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 433–454. Springer, Heidelberg (2015)
7. Canteaut, A., Duval, S., Leurent, G.: Construction of lightweight S-Boxes using Feistel and MISTY structures (full version). Cryptology ePrint Archive, report 2015/711 (2015). http://eprint.iacr.org/
8. Biryukov, A., Perrin, L., Udovenko, A.: Reverse-engineering the S-Box of Streebog, Kuznyechik and STRIBOBr1. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 372–402. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-49890-3_15
9. Todo, Y.: Structural evaluation by generalized integral property. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 287–314. Springer, Heidelberg (2015)
10. Knudsen, L.R.: DEAL: a 128-bit block cipher. AES submission (1998)
11. Patarin, J.: Generic attacks on Feistel schemes. Cryptology ePrint Archive, report 2008/036 (2008). http://eprint.iacr.org/
12. Biryukov, A., Perrin, L.: On reverse-engineering S-Boxes with hidden design criteria or structure. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 116–140. Springer, Heidelberg (2015)
13. Carlet, C.: Boolean functions for cryptography and error correcting codes. In: Boolean Models and Methods in Mathematics, Computer Science, and Engineering, vol. 2, pp. 257–397 (2010)
14. Perrin, L., Udovenko, A.: Algebraic insights into the secret Feistel network (full version). Cryptology ePrint Archive, report 2016/398 (2016). http://eprint.iacr.org/
15. Wu, W., Zhang, L.: LBlock: a lightweight block cipher. In: Lopez, J., Tsudik, G. (eds.) ACNS 2011. LNCS, vol. 6715, pp. 327–344. Springer, Heidelberg (2011)
16. Matsui, M.: New block encryption algorithm MISTY. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 54–68. Springer, Heidelberg (1997)
17. Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., Wingers, L.: The SIMON and SPECK families of lightweight block ciphers. IACR Cryptology ePrint Archive, report 2013/404 (2013)
18. U.S. Department of Commerce/National Institute of Standards and Technology: Data encryption standard. Federal Information Processing Standards Publication (1999)
19. Biryukov, A., Shamir, A.: Structural cryptanalysis of SASAS. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 395–405. Springer, Heidelberg (2001)
20. ETSI/Sage: Specification of the 3GPP confidentiality and integrity algorithms 128-EEA3 & 128-EIA3. Document 4: Design and Evaluation Report. Technical report, ETSI/Sage, September 2011. http://www.gsma.com/aboutus/wp-content/uploads/2014/12/EEA3_EIA3_Design_Evaluation_v2_0.pdf
21. The Sage Developers: Sage Mathematics Software (Version 6.8) (2015). http://www.sagemath.org
22. Todo, Y.: Integral cryptanalysis on full MISTY1. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 413–432. Springer, Heidelberg (2015)