Double-SP Is Weaker Than Single-SP: Rebound Attacks on Feistel Ciphers with Several Rounds

  • Yu Sasaki
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7668)


The current paper presents rebound attacks on generalized Feistel network (GFN) with double-SP functions, and show that double-SP functions are weaker than single-SP functions when a number of rounds is small. In 2011, Bogdanov and Shibutani showed that double-SP functions for R rounds could generate more active bytes than single-SP functions for 2R rounds, when R approaches to infinity. Hence, double-SP functions resist the differential and linear attacks more efficiently than single-SP functions. However, in practice, R is relatively small, and thus a comparison with dedicated attacks is also important. For 4-branch type-2 GFN with single-SP functions, the current best attack is up to 11 rounds (22 SP-layers) while no result exists for double-SP functions. In this paper, we present the first cryptanalysis for 4-branch type-2 GFN with double-SP functions. Up to 6 rounds (24 SP-layers), we can find near-collisions when such functions are instantiated in compression function modes, e.g. Davies-Meyer mode. The attack is extended to 7 rounds (28 SP-layers) with respect to a non-ideal property. The important knowledge provided with this paper is that including more active bytes does not immediately indicate stronger security. This is because attackers may control behaviors of several active S-boxes and mount efficient attacks.


rebound attack generalized Feistel network double-SP single-SP near-collision known-key distinguisher (controlled) active S-box 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bogdanov, A., Shibutani, K.: Double SP-Functions: Enhanced Generalized Feistel Networks. In: Parampalli, U., Hawkes, P. (eds.) ACISP 2011. LNCS, vol. 6812, pp. 106–119. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  2. 2.
    Bogdanov, A.: Bounds for balanced and generalized feistel constructions. In: ECRYPT II Symmetric Techniques Virtual Lab (2011)Google Scholar
  3. 3.
    Kanda, M., Moriai, S., Aoki, K., Ueda, H., Miyako Ohkubo, Y.T., Ohta, K., Matsumoto, T.: A new 128-bit block cipher E2. Technical Report ISEC98-12, The Institute of Electronics, Information and Communication Engineers (1998)Google Scholar
  4. 4.
    Shibutani, K., Isobe, T., Hiwatari, H., Mitsuda, A., Akishita, T., Shirai, T.: Piccolo: An Ultra-Lightweight Blockcipher. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 342–357. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  5. 5.
    Bogdanov, A., Shibutani, K.: Analysis of 3-line generalized feistel networks with double sd functions. Inf. Process. Lett. 111(13), 656–660 (2011)MathSciNetCrossRefGoogle Scholar
  6. 6.
    Suzaki, T., Minematsu, K.: Improving the Generalized Feistel. In: Hong, S., Iwata, T. (eds.) FSE 2010. LNCS, vol. 6147, pp. 19–39. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  7. 7.
    Wu, W., Zhang, L.: LBlock: A Lightweight Block Cipher. In: Lopez, J., Tsudik, G. (eds.) ACNS 2011. LNCS, vol. 6715, pp. 327–344. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  8. 8.
    Suzaki, T., Minematsu, K., Morioka, S., Kobayashi, E.: TWINE: A lightweight block cipher for multiple platforms. In: Knudsen, L.R., Wu, H. (eds.) Selected Areas in Cryptography SAC 2012. LNCS, Springer, Heidelberg (2012)Google Scholar
  9. 9.
    Yanagihara, S., Iwata, T.: On Permutation Layer of Type 1, Source-Heavy, and Target-Heavy Generalized Feistel Structures. In: Lin, D., Tsudik, G., Wang, X. (eds.) CANS 2011. LNCS, vol. 7092, pp. 98–117. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  10. 10.
    Biham, E., Dunkelman, O.: The SHAvite-3 hash function. Submission to NIST (Round 2) (2009)Google Scholar
  11. 11.
    Minier, M., Naya-Plasencia, M., Peyrin, T.: Analysis of Reduced-SHAvite-3-256 v2. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 68–87. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  12. 12.
    Knudsen, L.R., Rijmen, V.: Known-Key Distinguishers for Some Block Ciphers. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 315–324. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  13. 13.
    Minier, M., Phan, R.C.-W., Pousse, B.: Distinguishers for Ciphers and Known Key Attack against Rijndael with Large Blocks. In: Preneel, B. (ed.) AFRICACRYPT 2009. LNCS, vol. 5580, pp. 60–76. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  14. 14.
    Mendel, F., Peyrin, T., Rechberger, C., Schläffer, M.: Improved Cryptanalysis of the Reduced Grøstl Compression Function, ECHO Permutation and AES Block Cipher. In: Jacobson Jr., M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 16–35. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  15. 15.
    Sasaki, Y., Yasuda, K.: Known-Key Distinguishers on 11-Round Feistel and Collision Attacks on Its Hashing Modes. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 397–415. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  16. 16.
    Sasaki, Y., Emami, S., Hong, D., Kumar, A.: Improved Known-Key Distinguishers on Feistel-SP Ciphers and Application to Camellia. In: Susilo, W., Mu, Y., Seberry, J. (eds.) ACISP 2012. LNCS, vol. 7372, pp. 87–100. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  17. 17.
    Shirai, T., Shibutani, K., Akishita, T., Moriai, S., Iwata, T.: The 128-Bit Blockcipher CLEFIA (Extended Abstract). In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 181–195. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  18. 18.
    Daemen, J., Rijmen, V.: AES Proposal: Rijndael (1998)Google Scholar
  19. 19.
    U.S. Department of Commerce, National Institute of Standards and Technology: Specification for the ADVANCED ENCRYPTION STANDARD (AES) (Federal Information Processing Standards Publication 197) (2001)Google Scholar
  20. 20.
    Mendel, F., Rechberger, C., Schläffer, M., Thomsen, S.S.: The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 260–276. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  21. 21.
    Black, J., Rogaway, P., Shrimpton, T.: Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 320–335. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  22. 22.
    Preneel, B., Govaerts, R., Vandewalle, J.: Hash Functions Based on Block Ciphers: A Synthetic Approach. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 368–378. Springer, Heidelberg (1994)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Yu Sasaki
    • 1
  1. 1.NTT Secure Platform LaboratoriesNTT CorporationMusashino-shiJapan

Personalised recommendations