Double-SP Is Weaker Than Single-SP: Rebound Attacks on Feistel Ciphers with Several Rounds
This paper presents rebound attacks on the generalized Feistel network (GFN) with double-SP functions, and shows that double-SP functions are weaker than single-SP functions when the number of rounds is small. In 2011, Bogdanov and Shibutani showed that double-SP functions over R rounds can generate more active bytes than single-SP functions over 2R rounds as R approaches infinity. Hence, double-SP functions resist differential and linear attacks more efficiently than single-SP functions. However, in practice R is relatively small, so a comparison against dedicated attacks is also important. For the 4-branch type-2 GFN with single-SP functions, the current best attack reaches 11 rounds (22 SP-layers), while no result exists for double-SP functions. In this paper, we present the first cryptanalysis of the 4-branch type-2 GFN with double-SP functions. Up to 6 rounds (24 SP-layers), we can find near-collisions when such functions are instantiated in compression-function modes, e.g. the Davies-Meyer mode. The attack is extended to 7 rounds (28 SP-layers) with respect to a non-ideal property. The important lesson of this paper is that including more active bytes does not immediately imply stronger security, because attackers may control the behavior of several active S-boxes and mount efficient attacks.
Keywords: rebound attack; generalized Feistel network; double-SP; single-SP; near-collision; known-key distinguisher; (controlled) active S-box
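To make the "more active bytes" comparison concrete, the following Python (an added example, not code from the paper) computes the minimum number of active S-boxes over a given number of rounds of a 4-branch type-2 GFN, for single-SP and double-SP round functions, using truncated byte-activity differentials. It assumes n bytes per branch and an MDS P-layer with branch number n+1 (n=2 by default, so the state space is small); the function names and the byte-activity model are mine. This is exactly the metric the abstract warns is not by itself a security guarantee against rebound-style attacks.

```python
# Added example (not the paper's code): minimum active S-boxes over `rounds`
# rounds of a 4-branch type-2 GFN with single-SP or double-SP round functions,
# on truncated (byte-activity) differentials; n bytes per branch, MDS P-layer.
from itertools import product

def mds_outputs(in_mask, n):
    """Activity masks an MDS layer with branch number n+1 can output."""
    if in_mask == 0:
        return [0]
    need = n + 1 - bin(in_mask).count("1")
    return [o for o in range(1, 1 << n) if bin(o).count("1") >= need]

def f_outputs(in_mask, n, double):
    """(output mask, active S-boxes) pairs for one SP or SPSP function."""
    if in_mask == 0:
        return [(0, 0)]
    k = bin(in_mask).count("1")
    if not double:
        return [(o, k) for o in mds_outputs(in_mask, n)]
    return [(o, k + bin(m).count("1")) for m in mds_outputs(in_mask, n)
            for o in mds_outputs(m, n)]

def xor_masks(a, b):
    """Possible masks of a XOR b: a byte can cancel only if active in both."""
    both, forced, s, out = a & b, a ^ b, a & b, []
    while True:
        out.append(forced | s)
        if s == 0:
            return out
        s = (s - 1) & both

def min_active_sboxes(rounds, n=2, double=False):
    """Min active S-boxes over `rounds` rounds, any nonzero input difference."""
    half = {}  # (x0, x1) -> {y0: min cost} for the half-round y0 = x1 XOR F(x0)
    for a, b in product(range(1 << n), repeat=2):
        tab = {}
        for o, c in f_outputs(a, n, double):
            for y in xor_masks(o, b):
                tab[y] = min(c, tab.get(y, c))
        half[a, b] = tab
    cost = {s: 0 for s in product(range(1 << n), repeat=4) if any(s)}
    for _ in range(rounds):
        nxt = {}
        for (x0, x1, x2, x3), c in cost.items():
            for (y0, c0), (y2, c2) in product(half[x0, x1].items(), half[x2, x3].items()):
                s = (y0, x2, y2, x0)  # type-2 GFN: (x1^F(x0), x2, x3^F(x2), x0)
                nxt[s] = min(c + c0 + c2, nxt.get(s, c + c0 + c2))
        cost = nxt
    return min(cost.values())
```

With n=2 the search over 255 truncated states is instant; n=4 raises the state count to 65535 and runs noticeably slower per round.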