# Extended Generalized Feistel Networks Using Matrix Representation

## Abstract

While Generalized Feistel Networks have been widely studied in the literature as a building block of a block cipher, we propose in this paper a unified vision to easily represent them through a matrix representation. We then propose a new class of such schemes called Extended Generalized Feistel Networks well suited for cryptographic applications. We instantiate those proposals into two particular constructions and we finally analyze their security.

### Keywords

Generalized feistel networks Matrix representation Scheme proposal Security analysis**Introduction**

While a classical Feistel network, such as DES [23] or Camellia [2], divides a plaintext into \(2\)\(n\)-bit-long halves, a Generalized Feistel Network (GFN) divides it into \(k \ge 2\)\(n\)-bit-long subblocks. Various GFNs exist in the literature. This includes Source-Heavy (SH) as in RC2 [25] and SHA-1 [29]; Target-Heavy (TH) as in MARS [7]; Type-1 as in CAST-256 [1] and Lesamnta [11]; Type-2 as in RC6 [26], HIGHT [13] and CLEFIA [28]; Type-3 and Nyberg’s GFNs [24]. Pseudorandomness of these constructions is studied in [12, 21, 33] for Type-1, Type-2 and Type-3, in [12, 22] for SH GFN and [12, 21] for TH GFN. Figure 1 gives an example of Type-3 GFN. Usually GFNs perform a block-wise cyclic shift in their permutation layer.

In [30], Suzaki and Minematsu proposed to use a non-cyclic permutation instead and applied it to Type-2 GFNs. More precisely, they studied the maximum diffusion round. Roughly speaking, it is the minimum number of rounds such as every output block depends on every input block. They exhaustively searched all the optimum permutations for \(k \le 16\) and found that the diffusion in Type-2 GFNs can be improved. They also showed a lower bound on the maximum diffusion round of Type-2 GFNs and when \(k\) is a power of \(2\), they gave a generic construction based on de Bruijn graphs whose maximum diffusion round is close to the lower bound they found. Besides, they studied the pseudorandomness of these GFNs and their resistance against classical attacks and showed that it is actually improved as well. One of these Type-2 GFNs is used in TWINE [31].

Following the work of [30], Yanagihara and Iwata [32] studied the case of Type-1, Type-3, SH and TH GFNs with non-cyclic permutation. For Type-1 and Type-3 GFNs, they showed that the maximum diffusion round can be improved by changing the permutation while for SH and TH GFNs it cannot. Besides, for Type-1 GFNs, they gave an optimum generic construction for any \(k\) and identified a necessary and sufficient condition for improved Type-3 to have a finite maximum diffusion round. They also evaluated the resistance of all those GFNs against classical attacks and showed that it can be improved in the Type-1 and Type-3 cases.

In this paper, we first investigate a unified vision of GFNs using a matrix representation and use it to further study the diffusion properties of GFNs. We then extend this matrix representation and propose a broader class of Feistel networks that we call Extended Generalized Feistel Networks (EGFNs). We finally propose one particular EGFN with good diffusion properties and study the security of this proposal.

This paper is organized as follows: Sect. 1 gives the matrix representation of a GFN, its link with diffusion and shows how each possible GFN could be represented using a particular matrix. Section 2 extends GFNs into EGFNs and contains a particular EGFN proposal with good diffusion properties. In Sect. 3 we present a complete security analysis concerning this proposal.

## 1 Matrix Representation of Feistel Networks

Before defining the matrix representation of a GFN, let us introduce a few notations.

### 1.1 Definitions and Notations

### 1.2 Diffusion Delay

We say input block \(x_i\) affects output block \(y_j^r\) if \(x_i\) effectively appears in the expression of \(y_j^r\) seen as a function of \(x_0,\cdots ,x_{k-1}\). We say \(x_i\) has diffused at round \(r\) if \(x_i\) affects every \(y_j^r\) for \(0 \le j \le k-1\). If every input block \(x_i\) has diffused at round \(r\), we say the GFN has reached full diffusion, that is every output block \(y_j^r\) depends on every input block \(x_i\). We call full diffusion delay the minimum number of rounds required to reach full diffusion and denote it \(d^+\). In fact, the notion of full diffusion delay is a general notion that can be applied to any automaton as done in [3]. In the particular case of GFNs, this is exactly the same notion as the maximum diffusion round introduced in [30].

Another way to see the full diffusion delay is from a graph point of view. For a \(k\)-block GFN, let us define the associated directed graph as the graph with vertex set \(\{0,\cdots ,k-1\}\) and such that \((i,j)\) is an edge if the output \(y_j\) depends on the input \(x_i\) (directly or via a round-function). In other words, this is simply the usual Feistel schemes with outputs folded onto the input with same index. Knowing that, it is easy to see that the notion of *block* \(x_i\)*affecting block* \(y_j^r\) becomes *there exists a path of length exactly* \(r\) *going from* \(i\) *to* \(j\). Thus the full diffusion delay \(d^+\) can be alternately defined as the smallest integer \(r\) such that for all ordered pair of vertices \((i,j)\) there exists a path of length exactly \(r\) going from \(i\) to \(j\). Two things should now be noticed. First, if a GFN is in a full diffusion state at round \(r\) then it will remain so at round \(r+1\). Second, the full diffusion delay of a GFN depends solely on the structure of this graph and not on the round-functions used in the GFN.

Similarly, we can define full diffusion delay when considering decryption instead of encryption and denote it \(d^-\). Following the work of [30], we consider the both-way full diffusion delay \(d = \max (d^+,d^-)\). The both-way full diffusion delay \(d\) for the different classical GFNs is summed up in Table 1. For security reasons, it is necessary that \(d\) be finite.

### 1.3 Matrix Representation of Feistel Networks

As round-functions in a GFN are unlikely to be linear, such a matrix is not an exact representation. However it still retains enough information to evaluate diffusion; namely which output block \(y_i\) is influenced by which input block \(x_j\) and whether this done directly or via a round-function.

An important feature of GFNs is to transform a set of non-invertible round-functions into an invertible permutation. Hence the matrix of the GFN in decryption mode \({\mathcal {M}}^{-1}\) should not contain inverses of expressions containing a \(F\). This translates into \(\det ({\mathcal {M}})\) is independent of \(F\), or equivalently \(\det ({\mathcal {F}}) = \pm 1\), as \({\mathcal {P}}\) is a permutation matrix. This is the case for all of the classical GFNs (SH, TH,...) including those of [30, 32] because the matrix \({\mathcal {F}}\) is lower triangular with an all-one diagonal.

An other feature of many GFNs is quasi-involutiveness, that is encryption/decryption is roughly the same process, up to using the direct/inverse permutation layer \({\mathcal {P}}\). To ensure that, one asks that the round-function layer be quasi-involutive. Except the Type-3 GFNs where the round-functions must be evaluated sequentially, all GFNs round-function layers are quasi-involutive. We choose to focus on GFNs that satisfy this property:

**Definition 1**

- 1.
the main diagonal is filled with 1,

- 2.
the off-diagonal coefficients are either 0 or \(F\),

- 3.
for each index \(i\), row \(i\) and column \(i\) cannot both have an \(F\) coefficient.

In other words, the blocks of the GFN can be partitioned into three categories: blocks that emit (through a round-function), blocks that receive and blocks that do not emit nor receive. This definition encompasses most of the known GFNs, with the exception of the Type-3. The property of quasi-involutiveness comes from the following theorem.

**Theorem 1**

Let \({\mathcal {M}} = {\mathcal {P}}{\mathcal {F}}\) be a GFN according to Definition 1. Then \({\mathcal {F}}\) is invertible and \({\mathcal {F}}^{-1}~=~2{\mathcal {I}} -{\mathcal {F}}\), where \({\mathcal {I}}\) stands for the identity matrix.

*Proof*

To prove \({\mathcal {F}}\) is invertible, we compute \(\det ({\mathcal {F}})\). Because of Condition 3 of Definition 1, for each index \(i\) either row \(i\) or column \(i\) is all-zero except for the diagonal coefficient. Thus by successively expanding the determinant along either row \(i\) or column \(i\), \(\det ({\mathcal {F}}) = 1\).

To prove \({\mathcal {F}}^{-1} = 2{\mathcal {I}} -{\mathcal {F}}\), we equivalently prove \(({\mathcal {F}} - {\mathcal {I}})^2 = 0\). Let \(f_{i,j}\) (resp. \(f'_{i,j}\)) denote the coefficient of \({\mathcal {F}} - {\mathcal {I}}\) (resp. \(({\mathcal {F}} - {\mathcal {I}})^2\)) at row \(i\) and column \(j\). By definition of the matrix product, for all \(i\) and \(j\), we have \(f'_{i,j} = f_{i,i}f_{i,j} + f_{i,j}f_{j,j} + \sum _{\begin{array}{c} \ell \ne i \\ \ell \ne j \end{array}}f_{i,\ell }f_{\ell ,j} = \sum _{\begin{array}{c} \ell \ne i \\ \ell \ne j \end{array}}f_{i,\ell }f_{\ell ,j} \). In the sum, consider one term \(f_{i,\ell }f_{\ell ,j}\). As \(\ell \ne i\), \(f_{i,\ell }\) can either be zero or \(F\). But, if \(f_{i,\ell }\) is non-zero then the \(\ell \)-th column of \({\mathcal {F}}\) contains an \(F\) thus, by Condition 3 the \(\ell \)-th row must not contain any \(F\), implying \(f_{\ell ,j} = 0\) for all \(j \ne \ell \). Thus, each term \(f_{i,\ell }f_{\ell ,j}\) is zero, so \(f'_{i,j} = 0\). \(\square \)

Notice that in the case where the outputs of round-functions are xored with other blocks, then matrix \({\mathcal {F}}^{-1} = 2{\mathcal {I}} - {\mathcal {F}}\) is simply \({\mathcal {F}}\) itself. Besides, we can characterize the matrices \({\mathcal {F}}\) for which \({\mathcal {F}}^{-1} = 2{\mathcal {I}} - {\mathcal {F}}\) holds.

**Theorem 2**

Let \({\mathcal {F}}\) be a matrix that verifies Conditions 1 and 2 of Definition 1. If \(({\mathcal {F}}-{\mathcal {I}})^2 = 0\) then \({\mathcal {F}}\) also verifies Condition 3.

*Proof*

Let \(f_{i,j}\) be the coefficient of \({\mathcal {F}}-{\mathcal {I}}\) at row \(i\) and column \(j\). For all \(i\) and \(j\), we have \(0 = \sum _{\ell = 0}^{k-1}f_{i,\ell }f_{\ell ,j} = \sum _{\ell \ne i,j}f_{i,\ell }f_{\ell ,j}\). All the coefficients \(f_{i,\ell }\) and \(f_{\ell ,j}\) in the previous equation are off-diagonal, thus are either \(F\) or \(0\). Hence the sum can be zero only if all its terms are zero. For each index \(\ell \), we need to prove that row \(\ell \) and column \(\ell \) cannot both have an \(F\) coefficient. Suppose column \(\ell \) has an \(F\) coefficient, say \(f_{i,\ell }\) with \(i \ne \ell \). This implies that for all \(j \ne \ell \), \(f_{\ell ,j} = 0\). Thus row \(\ell \) has no \(F\) coefficient. By transposing, the same goes when considering rows instead of columns. \(\square \)

In other words, the GFNs round-function layer matrices \({\mathcal {F}}\) which are quasi-involutive are exactly those where Condition 3 of Definition 1 holds.

Recall that the full diffusion delay can be expressed in term of distance in a directed graph. In fact, if one evaluates the matrix \({\mathcal {M}}\) of the GFN in \(F = 1\), we obtain the adjacency matrix of this graph. The full diffusion delay \(d^+\) is then the smallest integer such that \({\mathcal {M}}^{d^+}\) has no zero coefficient. The same goes for the decryption full diffusion delay \(d^-\), using \({\mathcal {M}}^{-d^-}\).

### 1.4 Matrix Equivalences

Now that we have matrices representing GFNs, we define an equivalence relations on them that will help us to find GFNs.

**Definition 2**

Two GFNs matrices \({\mathcal {M}}\) and \({\mathcal {M}}'\) are equivalent if there exists a permutation (matrix) \(\pi \) of the \(k\) blocks such that \(\pi {\mathcal {M}} \pi ^{-1} = {\mathcal {M}}'\).

In other words, two GFNs are equivalent if they are the same up to block reindexation and thus share the same properties, such as a common full diffusion delay. We then have the property of “equivalent decompositions”:

**Theorem 3**

Let \({\mathcal {M}} = {\mathcal {P}} {\mathcal {F}}\) and \({\mathcal {M}}'= {\mathcal {P}}'{\mathcal {F}}'\) be two GFNs according to Definition 1 and equivalent under Definition 2. Let also be \(\pi \) such that \(\pi {\mathcal {M}} \pi ^{-1} = {\mathcal {M}}'\). Then \(\pi {\mathcal {P}} \pi ^{-1} = {\mathcal {P}}'\) and \(\pi {\mathcal {F}} \pi ^{-1} = {\mathcal {F}}'\).

*Proof*

By hypothesis, we have \(\pi {\mathcal {P}}{\mathcal {F}} \pi ^{-1} = {\mathcal {P}}'{\mathcal {F}}'\). Also by definition, \({\mathcal {F}}\) and \({\mathcal {F}}'\) have an all-one diagonal and either \(F\) or zero elsewhere. Hence \({\mathcal {F}}\) and \({\mathcal {F}}'\) both evaluate to the identity matrix \({\mathcal {I}}\) in \(F = 0\). Thus, specifying the above equation in zero, we obtain \(\pi {\mathcal {P}} \pi ^{-1} = {\mathcal {P}}'\), which implies \(\pi {\mathcal {F}} \pi ^{-1} = {\mathcal {F}}'\). \(\square \)

In other words, two GFNs are equivalent if and only if both layers are equivalent with same conjugating element. For example, if one studies a class of GFNs with a fixed \({\mathcal {F}}\) matrix, as done in [30, 32], Theorem 3 allows to define an equivalence relation on the permutation layer.

### 1.5 Exhaustive Search of Feistel Networks

the full diffusion delay \(d\),

the number of round-functions per round \(s\),

the cost for full diffusion, i.e the total number of round-functions required for full diffusion, \(c = d \times s\).

Minimum number \(s\) of functions per round required to have a full diffusion in \(d\) rounds and corresponding total cost \(c = s \times d\). For each case, the number of different \({\mathcal {F}}\) matrices (\(\#{\mathcal {F}}\)) and the total number of GFNs (\(\#{\mathcal {M}}\)) are also given up to equivalence.

d | 1,2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 |
---|---|---|---|---|---|---|---|---|---|---|---|

s | \(\infty \) | 16 | 7 | 6 | 4 | 4 | 4 | 3 | 3 | 3 | 2 |

c | \(\infty \) | 48 | 28 | 30 | 24 | 28 | 32 | 27 | 30 | 33 | 24 |

\(\#{\mathcal {F}}\) | 0 | 1 | 1 | 8 | 3 | 13 | 13 | 1 | 6 | 6 | 1 |

\(\#{\mathcal {M}}\) | 0 | 5 | 3 | 26 | 9 | 101 | 652 | 18 | 100 | 56 | 5 |

Note that among the GFNs that fully diffuse in \(d = 6\), with \(s = 4\) round-functions, are the Type-2 GFNs with non-cyclic permutation given in [30], which are then diffusion-optimum among the GFNs of Definition 1.

## 2 New Feistel Network Proposals

### 2.1 Extended Generalized Feistel Networks

As done in Sect. 1.3 for GFNs, to be considered an EGFN we require that matrix \({\mathcal {M}} = {\mathcal {P}} {\mathcal {N}}\) is invertible and that \(\det ({\mathcal {M}})\) does not depend on \(F\) nor \(I\), which translates into \(\det ({\mathcal {N}}) = \pm 1\). Again, we choose to focus on EGFNs that are quasi-involutive. Hence the following definition.

**Definition 3**

- 1.
the main diagonal is filled with \(1\),

- 2.
the off-diagonal coefficients are either \(0\), \(F\) or \(I\),

- 3.
for each index \(i\), row \(i\) and column \(i\) cannot both contain a non-zero coefficient other than on the diagonal,

- 4.
for each index \(i\), if row \(i\) contains an \(I\) then it also contains an \(F\).

As in Sect. 1.3, Condition 3 allows to partition the blocks into emitters and receivers. Condition 4 ensures that the pseudorandomness evaluation of EGFNs can be computed (see Sect. 3.1). Because Definition 3 is essentially the same as Definition 1, the following theorem on quasi-involutiveness is straightforward.

**Theorem 4**

Let \({\mathcal {M}} = {\mathcal {P}}{\mathcal {N}}\) be an EGFN according to Definition 3. Then \(\det ({\mathcal {N}}) = 1\) and \({\mathcal {N}}^{-1}~=~2{\mathcal {I}} -{\mathcal {N}}\).

*Proof*

Same as Theorem 1, since Conditions 1, 2 and 3 of Definition 3 are essentially the same as in Definition 1. \(\square \)

Besides, define matrices \({\mathcal {L}}\) and \({\mathcal {F}}\) for the EGFNs of Definition 3.

**Definition 4**

Let \({\mathcal {M}} = {\mathcal {P}}{\mathcal {N}}\) be a EGFN according to Definition 3. Then define matrix \({\mathcal {F}} \in \mathbb {Z}[F]\) as the evaluation of \({\mathcal {N}}\) in \(I = 0\) and similarly matrix \({\mathcal {L}} \in \mathbb {Z}[I]\) as the evaluation of \({\mathcal {N}}\) in \(F = 0\).

Theorem 5 verifies this definition works as intended, that is \({\mathcal {M}} = {\mathcal {P}}{\mathcal {L}}{\mathcal {F}}\).

**Theorem 5**

Let \({\mathcal {N}}\), \({\mathcal {F}}\) and \({\mathcal {L}}\) be defined as in Definition 4, then \({\mathcal {N}} = {\mathcal {L}} + {\mathcal {F}} -{\mathcal {I}}\) and \({\mathcal {N}} = {\mathcal {L}} \times {\mathcal {F}} = {\mathcal {F}} \times {\mathcal {L}}\).

*Proof*

The first equation is a straightforward consequence of the definition of \({\mathcal {N}}\), \({\mathcal {L}}\) and \({\mathcal {F}}\). As for the second, let \(a_{i,j}\) be the coefficient at row \(i\) and column \(j\) of matrix \({\mathcal {LF}}\) and show that \(a_{i,i} = 1\) and \(a_{i,j} = {\mathcal {L}}_{i,j} + {\mathcal {F}}_{i,j}\) otherwise (with obvious notations). Write \(a_{i,i} = {\mathcal {L}}_{i,i}{\mathcal {F}}_{i,i} + \sum _{\ell \ne i}{\mathcal {L}}_{i,\ell }{\mathcal {F}}_{\ell ,i}\). Then \(a_{i,i} = {\mathcal {L}}_{i,i}{\mathcal {F}}_{i,i} = 1\) because all terms in the rightmost sum are \(0\) as a consequence of Condition 3 of Definition 3. For the same reason, if \(i \ne j\), \(a_{i,j} = {\mathcal {L}}_{i,i}{\mathcal {F}}_{i,j} + {\mathcal {L}}_{i,j}{\mathcal {F}}_{j,j} + \sum _{\begin{array}{c} \ell \ne i\\ \ell \ne j \end{array}}{\mathcal {L}}_{i,\ell }{\mathcal {F}}_{\ell ,j}\) and then \(a_{i,j} = {\mathcal {L}}_{i,j} + {\mathcal {F}}_{i,j}\). \(\square \)

Finally, the last thing to update to EGFNs is the equivalence relation. The definition of two equivalent EGFNs \({\mathcal {M}}\) and \({\mathcal {M}}'\) is the same as for GFNs, the only difference being that \({\mathcal {M}}\) and \({\mathcal {M}}'\) now also have \(I\) coefficients. In other words, a conjugating element \(\pi \) of \({\mathcal {M}}\) and \({\mathcal {M}}'\) exchanges the positions of \(F\)’s, as well as the positions of \(I\)’s but it cannot exchange an \(F\) and an \(I\). The analogous of Theorem 3 is straightforward.

**Theorem 6**

Let \({\mathcal {M}} = {\mathcal {P}} {\mathcal {L}} {\mathcal {F}}\) and \({\mathcal {M}}'= {\mathcal {P}}' {\mathcal {L}}' {\mathcal {F}}'\) be two equivalent EGFNs defined by Definition 3. Let also \(\pi \) be such that \(\pi {\mathcal {M}} \pi ^{-1} = {\mathcal {M}}'\). Then \(\pi {\mathcal {P}} \pi ^{-1} = {\mathcal {P}}'\), \(\pi {\mathcal {L}} \pi ^{-1} = {\mathcal {L}}'\) and \(\pi {\mathcal {F}} \pi ^{-1} = {\mathcal {F}}'\).

*Proof*

Same as Theorem 3 by evaluating \(I\), \(F\) or both in \(0\). \(\square \)

### 2.2 An Efficient Example

**Theorem 7**

For an even integer \(k\), let \({\mathcal {M}}\) be the \(k\)-block EGFN defined on Fig. 4 and let \(d\) be its full diffusion delay. Then if \(k = 2\) then \(d = 2\) and if \(k \ge 4\) then \(d = 4\).

*Proof*

Write Open image in new window where \({\mathcal {I}}\) stands for the \(\frac{k}{2} \times \frac{k}{2}\) identity matrix and the upper left quarter of \({\mathcal {M}}\) is Open image in new window. Note that \({\mathcal {A}}^2 \) has no zero coefficient. Then Open image in new window. If \(k = 2\) then \({\mathcal {M}}^2\) has no zero coefficient, hence \(d^+ = 2\). But if \(k > 2\), it still has. Computing Open image in new window shows it still has zero coefficients, as \({\mathcal {A}}\) does. Compute then Open image in new window. Thus \({\mathcal {M}}^4\) has no zero coefficient, hence if \(k \ge 4\), \(d^+ = 4\). To conclude, just note that Open image in new window, which implies \(d^- = d^+ = d\). \(\square \)

## 3 Security Analysis of Our Proposed Feistel Scheme

As done in [30], we analyze the proposed scheme with essentially \(k=8\) and \(k=16\) as parameters regarding first the pseudorandomness of the scheme and second its resistance to classical attacks.

### 3.1 Pseudorandomness

To prove the bounds of our scheme in those models, we follow the methodology of [30] based on the results of [20]. To do so, we introduce the following notations: Let \(\varPhi _{kn,r}\) denote our \(k\)-block scheme acting on \(n\)-bit blocks, using \(r\) rounds and with diffusion delay \(d\). We first introduce the following definition that will be useful for the next lemma:

**Definition 5**

**Lemma 1**

*Proof*

Intuitively, for Eq. (3), this lemma uses the fact that after the application of \(H\) the inputs of function \(\varPhi _{kn,2}\) are sufficiently distinct and are random strings. We then have rare collisions at the outputs of \(\varPhi _{kn,2}\). For Eq. (4), same arguments hold in both directions. The proof of this lemma is omitted as it is similar to those of Theorem 3.1 and Theorem 3.2 of [22] or is a direct extension of Lemma 9 and Theorem 7 of [19]. \(\square \)

**Theorem 8**

*Proof*

To demonstrate Theorem 8, we have first to show that \(\varPhi _{kn,d}\) is an \(\epsilon \)-AU function and second that \(\overline{\varPhi _{kn,d}}\) which is \(\varPhi ^{-1}_{kn,d}\) without the final shuffle is also an \(\epsilon \)-AU function.

To prove the second equation of Theorem 8, we use exactly the same reasoning on \(\overline{\varPhi _{kn,d}}\) to show that \(\mathrm {Pr}[Y_d = Y'_d] \le d/2^n\) with \(Y_h = \overline{\varPhi _{kn,h}}(\mathbf x )_{[s(h)]}\) for \(h=1, \cdots , d\). We then deduce that \(\overline{\varPhi _{kn,d}}\) is a \(\frac{kd}{2^n}\)-AU function. Combining the fact that \(\varPhi _{kn,d}\) is a \(\frac{kd}{2^n}\)-AU function and that \(\overline{\varPhi _{kn,d}}\) is a \(\frac{kd}{2^n}\)-AU function through Eq. (4) of Lemma 1, we obtain Eq. (6). \(\square \)

### 3.2 Evaluation of Security Against Classical Attacks

**Differential/Linear Cryptanalysis.** Differential and linear cryptanalysis are the most famous attacks on block ciphers. They have been introduced respectively in [5] and in [18]. Since their discovery, many works have been done to first show the links between both forms of cryptanalysis [8] and to find better ways to prevent those attacks from happening for a given cipher [9]. The usual consensus about this last point is to count the minimal number of active S-boxes crossed all along the cipher by differential and linear characteristics and thus to estimate the induced maximal differential/linear probability, under the independence assumption.

If the maximal differential/linear probability of an S-box is denoted by DP/LP and if the minimal number of active S-boxes is \(N\), then the best differential/linear attack against the cipher has a complexity of about \(1/(DP^N)\) (resp. \(1/(LP^N)\)) operations. Thus, a cipher is supposed to be secure against differential/linear cryptanalysis as soon as \(1/(DP^N)\) (resp. \(1/(LP^N)\)) is greater than the entire codebook, equal here to \(2^{kn}\).

Finally, if we want to estimate the number of rounds that could be attacked using differential/linear cryptanalysis, we could estimate \(DP\) and \(LP\) for classical \(n\)-bit S-box construction, i.e. we write \(F\) the internal \(n\)-bit function as \(F(x)=S(K\oplus x)\) where \(K\) is a subkey different at each round. We have the following bounds on \(DP\) and \(LP\) for such an \(F\) function: if we assume \(n\) is even, then \(DP\) and \(LP\) are over bounded by \(2^{-n+2}\); if n is odd then \(DP\) and \(LP\) are over bounded by \(2^{-n+1}\). For example, if we assume that \(F\) works on 8-bit words with \(k=8\), our scheme ciphers 64-bit plaintexts. We have \(DP=LP=2^{-6}\) and the maximal number of active S-boxes that could be crossed is equal to 10 to have \(2^{64}>1/(DP^N)=2^{6 \cdot 10}\). From Table 3, we could deduce that, under those hypotheses, our scheme is resistant to differential/linear cryptanalysis as soon as 7 rounds have been performed. In the same way, with \(k=16\) and \(n=4\), \(DP=LP=2^{-2}\), the maximal number of S-boxes that could be crossed is equal to 31 and at least 9 rounds of our 16 branches scheme must at least be performed.

The total number of rounds to perform for preventing differential/linear attacks is smaller than the one required for the schemes proposed in [30] because the number of S-boxes crossed at each round is more important.

**Integral Attack.**In [15] L. Knudsen and D. Wagner analyze integral cryptanalysis as a dual to differential attacks particularly applicable to block ciphers with bijective components. A first-order integral cryptanalysis considers a particular collection of \(m\) words in the plaintexts and ciphertexts that differ on a particular component. The aim of this attack is thus to predict the values in the sums (i.e. the integral) of the chosen words after a certain number of rounds of encryption. The same authors also generalize this approach to higher-order integrals: the original set to consider becomes a set of \(ml\) vectors which differ in \(l\) components and where the sum of this set is predictable after a certain number of rounds. The sum of this set is called an \(l\)th-order integral. In [27], the authors improve the already known results in the case of Feistel structure noticing that computations of the XOR sum of the partial decryptions can be divided into two independent parts through a meet-in-the-middle approach. We define the following properties for a set of \(2^n\)\(n\)-bit words:

‘\(C\)’ (for Constant) in the \(i\)th entry, means that the values of all the \(i\)th words in the collection of texts are equal.

‘\(A\)’ (for All) means that all words in the collection of texts are different.

‘\(?\)’ means that the sum of words can not be predicted.

‘\(B\)’ (for Balanced) means that the sum of all words taken on a particular word is equal to 0.

**Impossible Differential Attack.** Impossible differential cryptanalysis [4] is a form of differential cryptanalysis for block ciphers. While ordinary differential cryptanalysis tracks differences that propagate through the cipher with a probability as large as possible, impossible differential cryptanalysis exploits differences with 0 probability in intermediate rounds of the cipher to sieve wrong key candidates.

More formally, impossible differential attacks are represented by a differential transition \(\alpha \not \rightarrow \beta \) with \(\alpha , \beta \in (\{0,1\}^n)^k\) for a cipher \(E\) with \(k\)\(n\)-bit blocks with \(Pr[E(x)+E(x+\alpha )=\beta ]=0\) for any \(x\). Intuitively, if we want to form an impossible differential transition for our EGFN, we need to first form the first part of the impossible differential on \(r_1\) rounds between the input differential \(\alpha ^0 = (\alpha _0^0, \cdots , \alpha _{k-1}^0)\) and the output differential after \(r_1\) rounds \(\alpha ^{r_1} = (\alpha _0^{r_1}, \cdots , \alpha _{k-1}^{r_1})\). Then, we form the second part of the impossible differential in the decryption direction on \(r_2\) rounds between \(\beta ^0 = (\beta _0^0, \cdots , \beta _{k-1}^0)\) and \(\beta ^{r_2} = (\beta _0^{r_2}, \cdots , \beta _{k-1}^{r_2})\). Then, the impossible differential on \(r_1 +r_2\) rounds is \(\alpha ^0 \not \rightarrow \beta ^0\) if the differences \(\alpha ^{r_1}\) and \(\beta ^{r_2}\) are not compatible in the middle of the cipher.

If \(\alpha _i^{d}\) for \(i\) in \(\{k/2, \cdots , k-1\}\) has type \(\gamma \), there exists a data path, \(P\) that does not pass through any \(F\) (i.e. the equation corresponding to this path does not contain \(\alpha _i^0\) as a part of arguments of \(F\)). If \(\alpha _j^{d}\) for \(j\) in \(\{0, \cdots , k/2-1\}\) has type \(\delta \) then \(\alpha _l^{d+1}\) with \(l={\mathcal {P}}(i)\) has type \(\delta + \gamma \). If \(\beta _k^{d}\) has type \(\gamma \), we are able to construct an impossible differential attack on \(2d+1\) rounds.

If all the data paths pass through at least one \(F\) function, then both \(\alpha ^d\) and \(\beta ^d\) do not contain differences of type neither \(\gamma \) nor 0. Thus, we could only mount differences on \(d-1\) rounds for the direct sens (i.e. \(\alpha \) difference) and on \(d\) rounds for the decryption sens (i.e. \(\beta \) difference). The maximal number of rounds for this type of impossible differential attack is \(2d-1\) rounds.

By definition of \(d\), there exists \(\alpha ^0\) such that \(\alpha ^{d-1}_i\) has type \(\gamma \) for some \(i\). Similarly, there exists \(\beta ^0\) with \(\beta ^{d-1}_j\) has type \(\gamma '\) for some \(j\). If \(i = j\) and \(\gamma \ne \gamma '\), we can construct an impossible differential attack on \(2d-2\) rounds.

## 4 Conclusion

In this article, we have introduced a generic matrix representation that captures most existing Generalized Feistel Networks. We explained diffusion properties of those schemes through this representation. We then introduce a new kind of schemes called Extended Generalized Feistel Networks that adds a diffusion layer to the classical GFNs. We finally instantiated this class of schemes into two proposals and proved the security of them under classical security and attack models.

Our further work will be to propose a complete block cipher using small S-boxes for round-functions and based on our EGFNs proposals that have proved security bounds and provide a more efficient diffusion with a reasonable additional cost, and confront our theoretical study to the ruthless world of cryptanalysis and of cryptanalysts.

### References

- 1.Adams, C., Gilchrist, J.: The CAST-256 encryption algorithm. Network Working Group, RFC 2612, June 1999. http://tools.ietf.org/html/rfc2612 (1999)
- 2.Aoki, K., Ichikawa, T., Kanda, M., Matsui, M., Moriai, S., Nakajima, J., Tokita, T.:
*Camellia*: a 128-bit block cipher suitable for multiple platforms - design and analysis. In: Stinson, D.R., Tavares, S. (eds.) SAC 2000. LNCS, vol. 2012, pp. 39–56. Springer, Heidelberg (2001) Google Scholar - 3.Arnault, F., Berger, T.P., Minier, M., Pousse, B.: Revisiting LFSRs for cryptographic applications. IEEE Trans. Info. Theory
**57**(12), 8095–8113 (2011)CrossRefMathSciNetGoogle Scholar - 4.Biham, E., Biryukov, A., Shamir, A.: Cryptanalysis of skipjack reduced to 31 rounds using impossible differentials. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 12–23. Springer, Heidelberg (1999) Google Scholar
- 5.Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 2–21. Springer, Heidelberg (1991) Google Scholar
- 6.Biryukov, A., Shamir, A.: Structural cryptanalysis of SASAS. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 394–405. Springer, Heidelberg (2001) Google Scholar
- 7.Burwick, C., Coppersmith, D., D’Avignon, E., Gennaro, R., Halevi, S., Jutla, C., Matyas Jr, S.M., O’Connor, L., Peyravian, M., Stafford, D., Zunic, N.: MARS - a candidate cipher for AES.
*NIST AES Proposal*(1999)Google Scholar - 8.Chabaud, F., Vaudenay, S.: Links between differential and linear cryptanalysis. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 356–365. Springer, Heidelberg (1995)Google Scholar
- 9.FIPS 197. Advanced encryption standard. Federal Information Processing Standards Publication 197, Department of Commerce/N.I.S.T., U.S. (2001)Google Scholar
- 10.Gilbert, H., Minier, M.: New results on the pseudorandomness of some blockcipher constructions. In: Matsui, M. (ed.) FSE 2001. LNCS, vol. 2355, pp. 248–266. Springer, Heidelberg (2002) Google Scholar
- 11.Hirose, S., Kuwakado, H., Yoshida, H.: SHA-3 Proposal: Lesamnta. http://www.hitachi.com/rd/yrl/crypto/lesamnta/index.html (2008)
- 12.Hoang, V.T., Rogaway, P.: On generalized feistel networks. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 613–630. Springer, Heidelberg (2010) CrossRefGoogle Scholar
- 13.Hong, D., Sung, J., Hong, S.H., Lim, J.-I., Lee, S.-J., Koo, B.-S., Lee, C.-H., Chang, D., Lee, J., Jeong, K., Kim, H., Kim, J.-S., Chee, S.: HIGHT: a new block cipher suitable for low-resource device. In: Goubin, L., Matsui, M. (eds.) CHES 2006. LNCS, vol. 4249, pp. 46–59. Springer, Heidelberg (2006) Google Scholar
- 14.Kim, J., Hong, S., Lim, J.: Impossible differential cryptanalysis using matrix method. Discrete Math.
**310**(5), 988–1002 (2010)CrossRefMATHMathSciNetGoogle Scholar - 15.Knudsen, L.R., Wagner, D.: Integral cryptanalysis. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 112–127. Springer, Heidelberg (2002) Google Scholar
- 16.Luby, M., Rackoff, C.: How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Comput.
**17**(2), 373–386 (1988)CrossRefMATHMathSciNetGoogle Scholar - 17.Luo, Y., Wu, Z., Lai, X., Gong, G.: A unified method for finding impossible differentials of block cipher structures. IACR Cryptology ePrint Archive 2009:627 (2009)Google Scholar
- 18.Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994)Google Scholar
- 19.Maurer, U.M.: Indistinguishability of random systems. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 110–132. Springer, Heidelberg (2002) CrossRefGoogle Scholar
- 20.Mitsuda, A., Iwata, T.: Tweakable pseudorandom permutation from generalized feistel structure. In: Baek, J., Bao, F., Chen, K., Lai, X. (eds.) ProvSec 2008. LNCS, vol. 5324, pp. 22–37. Springer, Heidelberg (2008) Google Scholar
- 21.Moriai, S., Vaudenay, S.: On the pseudorandomness of top-level schemes of block ciphers. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 289–302. Springer, Heidelberg (2000) CrossRefGoogle Scholar
- 22.Naor, M., Reingold, O.: On the construction of pseudorandom permutations: Luby-Rackoff revisited. J. Cryptol.
**12**(1), 29–66 (1999)CrossRefMATHMathSciNetGoogle Scholar - 23.National Bureau of Standards: U.S. Department of Commerce. Data Encryption Standard (1977)Google Scholar
- 24.Nyberg, K.: Generalized feistel networks. In: Kim, K., Matsumoto, T. (eds.) ASIACRYPT 1996. LNCS, vol. 1163, pp. 91–104. Springer, Heidelberg (1996) Google Scholar
- 25.Rivest, R.L.:. A description of the RC2(r) encryption algorithm. Network Working Group, RFC 2268, March 1998. http://tools.ietf.org/html/rfc2268 (1998)
- 26.Rivest, R.L., Robshaw, M.J.B., Sidney, R., Yin, Y.L.: The RC6 block cipher, august 1998. http://people.csail.mit.edu/rivest/pubs/RRSY98.pdf (1998)
- 27.Sasaki, Y., Wang, L.: Meet-in-the-middle technique for integral attacks against feistel ciphers. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 234–251. Springer, Heidelberg (2013) Google Scholar
- 28.Shirai, T., Shibutani, K., Akishita, T., Moriai, S., Iwata, T.: The 128-bit blockcipher CLEFIA (Extended Abstract). In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 181–195. Springer, Heidelberg (2007) Google Scholar
- 29.SHS. Secure hash standard. In: FIPS PUB 180–4, Federal Information Processing Standards Publication (2012)Google Scholar
- 30.Suzaki, T., Minematsu, K.: Improving the generalized feistel. In: Hong, S., Iwata, T. (eds.) FSE 2010. LNCS, vol. 6147, pp. 19–39. Springer, Heidelberg (2010) Google Scholar
- 31.Suzaki, T., Minematsu, K., Morioka, S., Kobayashi, E.: TWINE: a lightweight block cipher for multiple platforms. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 339–354. Springer, Heidelberg (2013)Google Scholar
- 32.Yanagihara, S., Iwata, T.: Improving the permutation layer of Type 1, Type 3, Source-Heavy, and Target-Heavy generalized feistel structures. IEICE Trans.
**96–A**(1), 2–14 (2013)CrossRefGoogle Scholar - 33.Zheng, Y., Matsumoto, T., Imai, H.: On the construction of block ciphers provably secure and not relying on any unproved hypotheses. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 461–480. Springer, Heidelberg (1990) Google Scholar