Meet in the Middle Attack on Type-1 Feistel Construction

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10726)


We present a key-recovery attack on the Type-1 Feistel construction based on the meet-in-the-middle technique. The construction was described by Zheng, Matsumoto, and Imai at CRYPTO 1989. The Type-1 Feistel structure is a well-known building block for ciphers and hash functions such as CAST-256 and Lesamnta. For a Type-1 Feistel construction with n-bit blocks and d sub-blocks, we build a \(3d-1\)-round distinguisher using a special truncated differential. We then present an attack on \(5d-3\) rounds with data complexity \(2^{\frac{3}{d}n}\) chosen plaintexts, memory complexity \(2^{\frac{d-1}{d}n}\) blocks of n bits each, and time complexity \(2^{\frac{d-1}{d}n}\) encryptions, which is the best known generic key-recovery attack on the Type-1 Feistel construction. The attack is valid if the key length satisfies \(k\ge n\).


Keywords: Type-1 Feistel construction; Meet-in-the-middle attack; Key recovery attack; Generic attack
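The following Python example is added here and is not code from the paper. It implements the Type-1 Feistel round in its usual form, (x0, x1, ..., x_{d-1}) -> (x1 XOR F(x0), x2, ..., x_{d-1}, x0), shows how slowly a one-sub-block difference diffuses through it, and evaluates the round counts and complexity exponents quoted in the abstract. The SHA-256-based round function, key, word width and sample values are assumptions chosen for illustration, and the paper's own truncated differential is not reproduced.

```python
import hashlib

def F(key: bytes, rnd: int, x: int, w: int) -> int:
    """Toy keyed round function on w-bit words (assumption, not from the paper)."""
    data = key + rnd.to_bytes(2, "big") + x.to_bytes((w + 7) // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") & ((1 << w) - 1)

def encrypt(key, state, rounds, w):
    s = list(state)
    for r in range(rounds):
        # One Type-1 round: only sub-block x1 is modified, then the state rotates.
        s = [s[1] ^ F(key, r, s[0], w)] + s[2:] + [s[0]]
    return s

def decrypt(key, state, rounds, w):
    s = list(state)
    for r in reversed(range(rounds)):
        x0 = s[-1]                      # the rotated-out x0 sits in the last slot
        s = [x0, s[0] ^ F(key, r, x0, w)] + s[1:-1]
    return s

def output_difference(key, p, pos, delta, rounds, w):
    """XOR difference after `rounds` rounds for an input difference at one sub-block."""
    q = list(p)
    q[pos] ^= delta
    a, b = encrypt(key, p, rounds, w), encrypt(key, q, rounds, w)
    return [x ^ y for x, y in zip(a, b)]

def attack_parameters(n: int, d: int) -> dict:
    """Round counts and log2 complexities as stated in the abstract."""
    return {
        "distinguisher_rounds": 3 * d - 1,
        "attacked_rounds": 5 * d - 3,
        "data_log2": 3 * n / d,
        "memory_log2": (d - 1) * n / d,
        "time_log2": (d - 1) * n / d,
    }

if __name__ == "__main__":
    KEY, W, D = b"constructed demo key", 32, 4      # constructed sample values
    P = [0x01234567, 0x89ABCDEF, 0x0F1E2D3C, 0x4B5A6978]
    for r in range(1, 2 * D):
        diff = output_difference(KEY, P, D - 1, 0xDEADBEEF, r, W)
        print(r, ["*" if x else "0" for x in diff])  # active sub-block pattern
    print(attack_parameters(128, 4))
```

A difference placed in the last sub-block reaches the round function only after d-1 rounds, so it passes through those rounds unchanged with probability 1; this slow diffusion is why Type-1 designs need many rounds.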



The authors would like to thank editors and anonymous referees for their valuable suggestions. This work was supported by National Natural Science Foundation of China (Grant No. 61772547, 61402523 and 61272488).


  1. Feistel, H.: Cryptography and computer privacy. Sci. Am. 228, 15–23 (1973)
  2. Li, R.J., Jin, C.H.: Meet-in-the-middle attacks on 10-round AES-256. Des. Codes Crypt. 80(3), 459–471 (2015)
  3. Sasaki, Y., Wang, L.: Meet-in-the-middle technique for integral attacks against Feistel ciphers. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 234–251. Springer, Heidelberg (2013)
  4. Lin, L., Wu, W., Zheng, Y.: Improved meet-in-the-middle distinguisher on Feistel schemes. In: Dunkelman, O., Keliher, L. (eds.) SAC 2015. LNCS, vol. 9566, pp. 122–142. Springer, Cham (2016)
  5. Dinur, I., Dunkelman, O., Keller, N., Shamir, A.: New attacks on Feistel structures with improved memory complexities. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015, Part I. LNCS, vol. 9215, pp. 433–454. Springer, Heidelberg (2015)
  6. Derbez, P., Fouque, P.-A.: Automatic search of meet-in-the-middle and impossible differential attacks. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part II. LNCS, vol. 9815, pp. 157–184. Springer, Heidelberg (2016)
  7. Guo, J., Jean, J., Nikolić, I., Sasaki, Y.: Meet-in-the-middle attacks on generic Feistel constructions. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part I. LNCS, vol. 8873, pp. 458–477. Springer, Heidelberg (2014)
  8. Guo, J., Jean, J., et al.: Extended meet-in-the-middle attacks on some Feistel constructions. Des. Codes Crypt. 80(3), 587–618 (2016)
  9. Guo, J., Jean, J., et al.: Meet-in-the-middle attacks on classes of contracting and expanding Feistel constructions. In: FSE 2017, IACR Transactions on Symmetric Cryptology, pp. 1–31 (2017)
  10. Zheng, Y., Matsumoto, T., Imai, H.: On the construction of block ciphers provably secure and not relying on any unproved hypotheses. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 461–480. Springer, New York (1990)
  11. Nachef, V., Patarin, J., Volte, E.: Feistel Ciphers Security Proofs and Cryptanalysis. Springer, Heidelberg (2017)
  12. Fouque, P.-A., Jean, J., Peyrin, T.: Structural evaluation of AES and chosen-key distinguisher of 9-round AES-128. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 183–203. Springer, Heidelberg (2013)
  13. Matsui, M.: On correlation between the order of S-boxes and the strength of DES. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 366–375. Springer, Heidelberg (1995)
  14. Nyberg, K.: Generalized Feistel networks. In: Kim, K., Matsumoto, T. (eds.) ASIACRYPT 1996. LNCS, vol. 1163, pp. 91–104. Springer, Heidelberg (1996)
  15. Blondeau, C., Minier, M.: Analysis of impossible, integral and zero-correlation attacks on type-II generalized Feistel networks using the matrix method. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 92–113. Springer, Heidelberg (2015)
  16. Nachef, V., Volte, E., Patarin, J.: Differential attacks on generalized Feistel schemes. In: Abdalla, M., Nita-Rotaru, C., Dahab, R. (eds.) CANS 2013. LNCS, vol. 8257, pp. 1–19. Springer, Cham (2013)
  17. Pudovkina, M., Toktarev, A.: Numerical semigroups and bounds on impossible differential attacks on generalized Feistel schemes. In: Kotulski, Z., Księżopolski, B., Mazur, K. (eds.) CSS 2014. CCIS, vol. 448, pp. 1–11. Springer, Heidelberg (2014)

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. Zhengzhou Information Science and Technology Institute, Zhengzhou, China
