Complementing Feistel Ciphers

Conference paper

DOI: 10.1007/978-3-662-43933-3_1

Part of the Lecture Notes in Computer Science book series (LNCS, volume 8424)
Cite this paper as:
Biryukov A., Nikolić I. (2014) Complementing Feistel Ciphers. In: Moriai S. (eds) Fast Software Encryption. FSE 2013. Lecture Notes in Computer Science, vol 8424. Springer, Berlin, Heidelberg


In this paper, we propose related-key differential distinguishers based on the complementation property of Feistel ciphers. We show that with relaxed requirements on the complementation, i.e. the property does not have to hold for all keys and the complementation does not have to be on all bits, one can obtain a variety of distinguishers. We formulate criteria sufficient for attacks based on the complementation property. To stress the importance of our findings we provide analysis of the full-round primitives:
  • For the hash mode of Camellia-128 without \(FL,FL^{-1}\) layers, differential multicollisions with \(2^{112}\) time.

  • For GOST, practical recovery of the full key with 31 related keys and \(2^{38}\) time/data.


Complementation Feistel Camellia GOST 

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  1. 1.University of LuxembourgLuxembourgLuxembourg
  2. 2.Nanyang Technological UniversitySingaporeSingapore

Personalised recommendations