Generic Attacks on Feistel Ciphers With Internal …¬ƒcient against Feistel ciphers with internal...
Transcript of Generic Attacks on Feistel Ciphers With Internal …¬ƒcient against Feistel ciphers with internal...
Generic Attacks on Feistel Ciphers With InternalPermutations
Joana Treger, Jacques Patarin
PRiSM, Universite de Versailles
2008-11-27
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 1 / 39
Summary
1 Introduction
2 Generic attacks on the first 5 rounds
3 Generic attacks for any number of roundsGeneral methodComputation of the H-coefficientsExample on 3 roundsAttacking Feistel permutation generatorsExample on 6 rounds
4 Table of results and conclusion
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 2 / 39
Feistel ciphers (1/3)
Definition
Let f be a function from {1, . . . , 2n} to {1, . . . , 2n}.A Feistel cipher with round function f is defined by :
L
f
R
S T
Fig.: 1-round Feistel scheme
We call ψ(f ) or simply ψ such a construction.
ψ([L,R]) = [R, L ⊕ f (R)] = [S ,T ]
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 3 / 39
Feistel ciphers (2/3)
ψ is a permutation of {1, . . . , 22n} :
ψ−1([S ,T ]) = [T ⊕ f (S),S ] = [L,R]
L R
f
S T
T S
R L
Fig.: ψ−1 = τ ◦ ψ ◦ τ
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 4 / 39
Feistel ciphers 3/3
Definition
Let f1, . . . , fk be k functions from {1, . . . , 2n} to {1, . . . , 2n}.A k-round Feistel cipher with round functions f1, . . . , fk is defined by the
succesion of k rounds of a Feistel cipher with round function fi :
ψk(f1, . . . , fk):= ψ(fk) ◦ . . . ◦ ψ(f1)
L R
f 1
R X1
f
S T
SXk−2
k
L −13 kfX TS kfR f2f1f k−2X 1 X2
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 5 / 39
Luby-Rackoff revisited
Derived structures :
Classical Feistel ciphers.
Unbalanced Feistel ciphers with expanding internal functions.
Unbalanced Feistel ciphers with contracting internal functions.
Feistel ciphers with internal permutations.
Used in the design of Twofish, Camellia, DEAL.
[Knudsen-02] : attack on 5 rounds, impossible differential[Piret-05] : security proofs for 3 and 4 rounds, ≥ O(2n/2) messages 3-roundCPA − 2, 4-round CPCA − 2
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 6 / 39
Feistel ciphers with internal permutations
Different behaviour of these Feistel networks and the classical ones.
Example (3 rounds) :
L XR 2f1f S f T3
Attack on 3 round classical Feistel ciphers :
Relations considered between two input/output couples :R1 ⊕ S1 = R2 ⊕ S2.
Random permutation : probability 1/2n ; Feistel cipher : probability2/2n
R1 ⊕ S1 = R2 ⊕ S2 ⇔ f2(X1) = f2(X2)f2(X1) = f2(X2) ⇔ X1 = X2 or (X1 6= X2 and f2(X1) = f2(X2)).
Chosen plaintext attack : O(2n/2) messages.
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 7 / 39
Feistel ciphers with internal permutations
Different behaviour of these Feistel networks and the classical ones.
Example (3 rounds) :
L XR 2f1f S f T3
Attack on 3 round classical Feistel ciphers :
Relations considered between two input/output couples :R1 ⊕ S1 = R2 ⊕ S2.
Random permutation : probability 1/2n ; Feistel cipher : probability2/2n
R1 ⊕ S1 = R2 ⊕ S2 ⇔ f2(X1) = f2(X2)f2(X1) = f2(X2) ⇔ X1 = X2 or (X1 6= X2 and f2(X1) = f2(X2)).
Chosen plaintext attack : O(2n/2) messages.
Known plaintext attack : O(2n/2) messages.
Does not work on Feistel cipher with round permutations !
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 7 / 39
Generic attacks
Definition
A generic attack on a Feistel cipher with internal permutations, is an attack
allowing to distinguish with high probability a Feistel cipher from a random
permutation, when the round permutations are randomly chosen.
We interest ourselves in generic attacks, necessiting < O(22n) messages(exhaustive search on the inputs).
When the complexity is ≥ O(22n), we interest ourselves in attacks onFeistel permutation generators.
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 8 / 39
Two-point attacks
Definition
two-point attacks are attacks using correlations between blocks of pairs of
distinct messages.
Example : previous attack on 3 rounds, relations considered between 2messages were R1 ⊕ S1 = R2 ⊕ S2.
Best known attacks against classical Feistel ciphers (except on 3rounds, CPCA-2).
Efficient against Feistel ciphers with internal permutations : thecomplexities of the two-point attacks found (except on 3 rounds,CPCA − 2) coincide with the known bounds of security (3 and 4rounds, [Piret-05]).
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 9 / 39
Notations
KPA : known plaintext attack
CPA − 1 : non-adaptive chosen plaintext attack
CPA − 2 : adaptive chosen plaintext attack
CPCA − 1 : non-adaptive chosen plaintext and ciphertext attack
CPCA − 2 : adaptive chosen plaintext and ciphertext attack
Bn : permutation on n bits.
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 10 / 39
Generic attack by hand : 1 and 2 rounds
L 1fR=S T
Relation considered : R = S .
Random permutation : probability 1/2n ; Feistel cipher : probability 1.
KPA : 1 message.
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 11 / 39
Generic attack by hand : 1 and 2 rounds
L 1fR=S T
Relation considered : R = S .
Random permutation : probability 1/2n ; Feistel cipher : probability 1.
KPA : 1 message.
L S f T3R 1f
Relations considered : R1 = R2, S1 ⊕ S2 = L1 ⊕ L2.
CPA − 1. Random permutation : probability 1/2n ; Feistel cipher :probability 1.
CPA − 1 : 2 messages.
KPA : O(2n/2) messages.
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 11 / 39
Generic attacks by hand : 3 rounds
L XR 2f1f S f T3
Relation considered : L1 = L2, R1 ⊕ R2 = S1 ⊕ S2.
CPA − 1. Random permutation : probability 1/2n ; Feistel cipher :probability 0
R1 ⊕ R2 = S1 ⊕ S2 ⇒ X1 = X2 ⇒ R1 = R2.
CPA − 1 : O(2n/2) messages.
KPA : O(2n) messages.
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 12 / 39
Generic attack by hand : 4 rounds
L R 1f X X S f Tf f2 3 41 2
Relation considered : R1 = R2, L1 ⊕ L2 = S1 ⊕ S2.
CPA − 1. Random permutation : probability 1/2n ; Feistel cipher :probability 0
R1 = R2 ⇒ X 11 ⊕ X 1
2 = L1 ⊕ L2.L1 ⊕ L2 = S1 ⊕ S2 = X 1
1 ⊕ X 12 ⇒ X 2
1 = X 22 ⇒ L1 = L2.
CPA − 1 : O(2n/2) messages.
KPA : O(2n) messages.
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 13 / 39
Generic attack by hand : 5 rounds [Knudsen-02]
R 1f X Xf f2 31 2L SX3 f Tf4 5
Relation considered : R1 = R2, S1 = S2, L1 ⊕ L2 = T1 ⊕ T2.
CPA − 1. Random permutation : probability 1/22n ; Feistel cipher :probability 0.
S1 = S2 ⇒ X 31 ⊕ X 3
2 = T1 ⊕ T2.R1 = R2 ⇒ X 1
1 ⊕ X 12 = L1 ⊕ L2.
T1 ⊕ T2 = L1 ⊕ L2 ⇒ X 21 = X 2
2 ⇒ X 11 = X 1
2 ⇒ L1 = L2.
CPA − 1 : O(2n) messages.
KPA : O(23n/2) messages.
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 14 / 39
Special case : 3 rounds, CPCA − 2
L XR 2f1f S f T3
Best attack is 3-point attack. The same attack as for classical Feistel ciphers[LR-88].
3 messages : [L1,R1]/[S1,T1], [L2,R1]/[S2,T2] and[L3,R3]/[S1,T1 ⊕ L1 ⊕ L2]. Relation considered : R2 ⊕ R3 = S2 ⊕ S3.
CPCA − 2. Feistel cipher : probability 1 ; Random permutation :probability 1/2n
R1 = R2 ⇒ X1 ⊕ X2 = L1 ⊕ L2.S1 = S3 ⇒ X1 ⊕ X3 = T1 ⊕ T3.T3 ⊕ T1 = L1 ⊕ L2 ⇒ X2 = X3.X2 = X3 ⇒ R2 ⊕ R3 = S2 ⊕ S3.
CPCA − 2 : 3 messages.
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 15 / 39
Remark, complexity ≪ 2n/2
Remark :
Distinguishing a random permutation on n bits from a random function :O(2n/2) messages.
⇒ When an attack needs ≪ 2n/2 messages, it works on Feistel cipherswith internal permutations and functions.
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 16 / 39
Plan
1 Introduction
2 Generic attacks on the first 5 rounds
3 Generic attacks for any number of roundsGeneral methodComputation of the H-coefficientsExample on 3 roundsAttacking Feistel permutation generatorsExample on 6 rounds
4 Table of results and conclusion
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 17 / 39
Towards a systematical analysis
We want the best generic two-point attack on a k-round Feistel cipher, for anyk .
1 Enumerate all possible cases C (equalities/inequalities between the inputand output blocks of 2 distinct messages).
2 For each case, evaluate the probability (depending on k) to get onespecific output pair from a specific input pair, for both a randompermutation and a Feistel permutation.
3 For each k and each type of attack (KPA, CPA,..), estimate the caseleading to the best attack.
4 Evaluate the number of messages needed to realize the attack.
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 18 / 39
1 : Enumerating all possible cases
Possible equalities between the blocks :
L1 = L2, or not
R1 = R2, or not
S1 = S2, or not
T1 = T2, or not
L1 ⊕ L2 = S1 ⊕ S2, or not, when k is even
R1 ⊕ R2 = T1 ⊕ T2, or not, when k is even
L1 ⊕ L2 = T1 ⊕ T2, or not, when k is odd
R1 ⊕ R2 = S1 ⊕ S2, or not, when k is odd
For k even : 13 cases.
For k odd : 11 cases.
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 19 / 39
2 : Computing the probabilities (1/2)
Given one input/output pair. Computing the probabilities P1 to get these two
precise outputs from the inputs :
In the case of a random permutation : easy.
In the case of a Feistel cipher with internal permutations : based on theH-coefficient values.
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 20 / 39
2 : Computing the probabilities (1/2)
Given one input/output pair. Computing the probabilities P1 to get these two
precise outputs from the inputs :
In the case of a random permutation : easy.
In the case of a Feistel cipher with internal permutations : based on theH-coefficient values.
Definition
[L1,R1] 6= [L2,R2] and [S1,T1] 6= [S2,T2] ∈ [1, 22n]. The H-coefficient
computes the number of (f1, . . . , fk) ∈ Bkn , such that
ψk(f1, . . . , fk)([Li ,Ri ]) = [Si ,Ti ], i = 1, 2.
→ The H value is the same for all pairs belonging to a same case C.
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 20 / 39
2 : Computing the probabilities (2/2)
Proposition
Suppose the H-coefficients computed. Then the previous probability P1 to get
one precise outpout from a given input pair is :1
22n(22n−1)in the case of a random permutation.
H|Bn|k in the case of a k-round Feistel cipher.
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 21 / 39
3 : Estimating the cases leading to the best attack
A case C with a largest difference between the previous probability P1
should lead to a better attack.
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 22 / 39
3 : Estimating the cases leading to the best attack
A case C with a largest difference between the previous probability P1
should lead to a better attack.
But : to get an attack, the difference in the probabilities has to result in adifference in the number of couples verifying the specific constraints ontheir blocks.
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 22 / 39
3 : Estimating the cases leading to the best attack
A case C with a largest difference between the previous probability P1
should lead to a better attack.
But : to get an attack, the difference in the probabilities has to result in adifference in the number of couples verifying the specific constraints ontheir blocks.
Thus : find the cases which realize a compromise between :
HUGE DIFFERENCEbetween the probabilitiesto obtain one specific pairof input/ouput couples
AND
NUMBER OF RELATIONSon the blocks,
that cannot be imposedby the type of attack.
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 22 / 39
4 : Evaluating the number of messages needed to realize theattack (1/2)
Let C be one specific case. Let us consider m messages and the randomvariables :
Xp counts the number of pairs of these messages verifying the equationsof C on the inputs and outputs when they correspond to a randompermutation
Xψk counts the same number for a k-round Feistel cipher with internalpermutation.
From the Chebytchev formula :
P{|X − E (X )| ≥ α · σ(X )} ≤ 1
α2,
we distinguish with high probability ψk from a random permutation if
|E (Xψk ) − E (Xp)| > σ(Xψk ) + σ(Xp).
For each case C, those values can be obtained from P1.
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 23 / 39
4 : Evaluating the number of messages needed to realize theattack (2/2)
We consider a case C with ne equations between the input and output blocksthat cannot be imposed by the type of attack considered.
We can solve |E (Xψk ) − E (Xp)| > σ(Xp) + σ(Xψk ) and find M :
M
2ne ·n · |H · 24n
|Bn|k− 1
1 − 1/22n| >
√
M
2ne ·n ,
where |H·24n
|Bn|k − 11−1/22n | is 24n times the differences of the P1’s.
We deduce the number m of messages needed to get these M pairs.
We get an attack with complexity O(m).
Remark : best attacks : ne minimal and |H·24n
|Bn|k − 11−1/22n | maximal.
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 24 / 39
Plan
1 Introduction
2 Generic attacks on the first 5 rounds
3 Generic attacks for any number of roundsGeneral methodComputation of the H-coefficientsExample on 3 roundsAttacking Feistel permutation generatorsExample on 6 rounds
4 Table of results and conclusion
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 25 / 39
The reasoning
L
L
−13 kfX TS kfR f2f1f k−2X 1 X 2
−13 kfX TS kfR f2f1f k−2X 1 X 2
1 1 1 1 11 1
2 2 2 2 2 22
Fig.: ψk(f1, . . . , fk)([Li ,Ri ]) = [Si ,Ti ], i = 1, 2
Fix a possible sequence s ∈ {=, 6=}k , such that X i1 si X i
2.
For such a fixed sequence s, evaluate the number H(s) of possibilities for(f1, . . . , fk).
Find all possible sequences s and sum up :
H =∑
possible s
H(s).
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 26 / 39
H-coefficients
L
L
−13 kfX TS kfR f2f1f k−2X 1 X 2
−13 kfX TS kfR f2f1f k−2X 1 X 2
1 1 1 1 11 1
2 2 2 2 2 22
Fig.: ψk(f1, . . . , fk)([Li ,Ri ]) = [Si ,Ti ], i = 1, 2
The preceding steps can be done using combinatorial facts.
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 27 / 39
H-coefficients
L
L
−13 kfX TS kfR f2f1f k−2X 1 X 2
−13 kfX TS kfR f2f1f k−2X 1 X 2
1 1 1 1 11 1
2 2 2 2 2 22
Fig.: ψk(f1, . . . , fk)([Li ,Ri ]) = [Si ,Ti ], i = 1, 2
The preceding steps can be done using combinatorial facts. Thus :
We obtain general formulae for the H-coefficients
We obtain all attacks using correlations between two messages.
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 27 / 39
Plan
1 Introduction
2 Generic attacks on the first 5 rounds
3 Generic attacks for any number of roundsGeneral methodComputation of the H-coefficientsExample on 3 roundsAttacking Feistel permutation generatorsExample on 6 rounds
4 Table of results and conclusion
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 28 / 39
Example on 3 rounds, KPA. Table of values of H·24n
|Bn|3 − 11−1/22n
case :equalities :
10 eq.
H·24n
|Bn|3− 1
1−1/22n 1/22n
case :equalities :
21 eq.
31 eq.
41 eq.
51 eq.
H·24n
|Bn|3− 1
1−1/22n 1/2n 1/2n 1/2n 1/2n
case :equalities :
62 eq.
72 eq.
82 eq.
92 eq.
102 eq.
112 eq.
H·24n
|Bn|3− 1
1−1/22n 1/2n 1 1 1 1/2n 1/2n
case :equalities :
123 eq.
133 eq.
H·24n
|Bn|3− 1
1−1/22n 1 1
Fig.: Order of the leading term of H·24n
|Bn|3− 1
1−1/22n in different cases
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 29 / 39
Example on 3 rounds, KPA
In case 1 :
E (Xp) ≃ M (M : number of pairs of messages)
O(H·24n
|Bn|3 − 11−1/22n ) = 1/22n ⇒ |E (Xp) − E (Xψ3)| ≃ M
22n
M22n >
√M ⇔ M > 24n
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 30 / 39
Example on 3 rounds, KPA
In case 1 :
E (Xp) ≃ M (M : number of pairs of messages)
O(H·24n
|Bn|3 − 11−1/22n ) = 1/22n ⇒ |E (Xp) − E (Xψ3)| ≃ M
22n
M22n >
√M ⇔ M > 24n
In cases 2 to 5 :
E (Xp) ≃ M2n (M : number of pairs of messages)
O(H·24n
|Bn|3 − 11−1/22n ) = 1/2n ⇒ |E (Xp) − E (Xψ3)| ≃ M
22n
M22n >
√M√2n
⇔ M > 23n
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 30 / 39
Example on 3 rounds, KPA
In case 1 :
E (Xp) ≃ M (M : number of pairs of messages)
O(H·24n
|Bn|3 − 11−1/22n ) = 1/22n ⇒ |E (Xp) − E (Xψ3)| ≃ M
22n
M22n >
√M ⇔ M > 24n
In cases 2 to 5 :
E (Xp) ≃ M2n (M : number of pairs of messages)
O(H·24n
|Bn|3 − 11−1/22n ) = 1/2n ⇒ |E (Xp) − E (Xψ3)| ≃ M
22n
M22n >
√M√2n
⇔ M > 23n
In cases 7, 8 and 9 :
E (Xp) ≃ M22n (M : number of pairs of messages)
O(H·24n
|Bn|3 − 11−1/22n ) = 1 ⇒ |E (Xp) − E (Xψ3)| ≃ M
22n
M22n >
√M
2n ⇔ M > 22n
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 30 / 39
Example on 3 rounds, KPA
In case 1 :
E (Xp) ≃ M (M : number of pairs of messages)
O(H·24n
|Bn|3 − 11−1/22n ) = 1/22n ⇒ |E (Xp) − E (Xψ3)| ≃ M
22n
M22n >
√M ⇔ M > 24n
In cases 2 to 5 :
E (Xp) ≃ M2n (M : number of pairs of messages)
O(H·24n
|Bn|3 − 11−1/22n ) = 1/2n ⇒ |E (Xp) − E (Xψ3)| ≃ M
22n
M22n >
√M√2n
⇔ M > 23n
In cases 7, 8 and 9 :
E (Xp) ≃ M22n (M : number of pairs of messages)
O(H·24n
|Bn|3 − 11−1/22n ) = 1 ⇒ |E (Xp) − E (Xψ3)| ≃ M
22n
M22n >
√M
2n ⇔ M > 22n
Cases 7, 8 and 9 are the cases leading to the best attack. O(2n) messages areneeded to get O(22n) pairs. Complexity of the attack : O(2n).
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 30 / 39
Example on 3 rounds, comments
L XR 2f1f S f T3
Not just one best attack. Here, 3 cases lead to the best attack :
case 7 : S1 = S2 and L1 ⊕ L2 = T1 ⊕ T2,
case 8 : R1 = R2 and S1 = S2,
case 9 : L1 = L2 and R1 ⊕ R2 = S1 ⊕ S2 (the one exposed in the firstpart).
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 31 / 39
Example on 3 rounds, comments
L XR 2f1f S f T3
Not just one best attack. Here, 3 cases lead to the best attack :
case 7 : S1 = S2 and L1 ⊕ L2 = T1 ⊕ T2,
case 8 : R1 = R2 and S1 = S2,
case 9 : L1 = L2 and R1 ⊕ R2 = S1 ⊕ S2 (the one exposed in the firstpart).
We could have deduced from the table that no KPA on 3 rounds comparableto the one on classical Feistel ciphers was possible :
there, for the case R1 ⊕ R2 = S1 ⊕ S2, the difference |H·24n
|Bn|3 − 11−1/22n | is
of about 1 for just 1 condition on the inputs and outputs.
here, there is no comparable case ⇒ no comparable KPA.
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 31 / 39
Plan
1 Introduction
2 Generic attacks on the first 5 rounds
3 Generic attacks for any number of roundsGeneral methodComputation of the H-coefficientsExample on 3 roundsAttacking Feistel permutation generatorsExample on 6 rounds
4 Table of results and conclusion
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 32 / 39
Attacks on Feistel permutation generators
When m > 22n, we decide to attack a permutation generator. (λ number ofpermutations needed)Here, the preceding values :
are multiplied by λ for E (Xp),E (Xψk ),
are multiplied by√
(λ) for σ(Xp), σ(Xψk ) by√λ.
We can solveM · λ2ne .n
· |H · 24n
|Bn|k− 1
1 − 1/22n| >
√
M · λ2ne .n
,
with M maximal per permutation (⇒ m = 22n), and find λ.⇒ We get an attack with complexity O(m · λ) =O(22n · λ).
Remark : best attacks : ne minimal, |H·24n
|Bn|k − 11−1/22n | maximal and M maximal.
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 33 / 39
Plan
1 Introduction
2 Generic attacks on the first 5 rounds
3 Generic attacks for any number of roundsGeneral methodComputation of the H-coefficientsExample on 3 roundsAttacking Feistel permutation generatorsExample on 6 rounds
4 Table of results and conclusion
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 34 / 39
Example on 6 rounds, CPA. Table of values of H·24n
|Bn|6 − 11−1/22n
case :equalities :maximal M :
10 eq.24n
20 eq.23n
30 eq.23n
H·24n
|Bn|6− 1
1−1/22n 1/23n 1/23n 1/23n
case :equalities :maximal M :
41 eq.24n
51 eq.23n
61 eq.23n
71 eq.23n
81 eq.23n
H·24n
|Bn|6− 1
1−1/22n 1/22n 1/23n 1/22n 1/22n 1/22n
case :equalities :maximal M :
92 eq.24n
102 eq.24n
112 eq.23n
H·24n
|Bn|6− 1
1−1/22n 1/23n 1/22n 1/2n
Fig.: Order of the leading term of H·24n
|Bn|6− 1
1−1/22n in different cases
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 35 / 39
Example on 6 rounds, CPA
In case 1 :
E (Xp) ≃ λ · 24n
O(H·24n
|Bn|6 − 11−1/22n ) = 1/23n ⇒ |E (Xp) − E (Xψ6)| ≃ λ · 2n
λ · 2n >√λ · 22n ⇔ λ > 22n
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 36 / 39
Example on 6 rounds, CPA
In case 1 :
E (Xp) ≃ λ · 24n
O(H·24n
|Bn|6 − 11−1/22n ) = 1/23n ⇒ |E (Xp) − E (Xψ6)| ≃ λ · 2n
λ · 2n >√λ · 22n ⇔ λ > 22n
In case 4 :
E (Xp) ≃ λ·24n
2n
O(H·24n
|Bn|6 − 11−1/22n ) = 1/22n ⇒ |E (Xp) − E (Xψ3)| ≃ λ · 2n
λ · 2n >√λ · 23n ⇔ λ > 2n
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 36 / 39
Example on 6 rounds, CPA
In case 1 :
E (Xp) ≃ λ · 24n
O(H·24n
|Bn|6 − 11−1/22n ) = 1/23n ⇒ |E (Xp) − E (Xψ6)| ≃ λ · 2n
λ · 2n >√λ · 22n ⇔ λ > 22n
In case 4 :
E (Xp) ≃ λ·24n
2n
O(H·24n
|Bn|6 − 11−1/22n ) = 1/22n ⇒ |E (Xp) − E (Xψ3)| ≃ λ · 2n
λ · 2n >√λ · 23n ⇔ λ > 2n
In case 11 :
E (Xp) ≃ λ·23n
22n
O(H·24n
|Bn|6 − 11−1/22n ) = 1/2n ⇒ |E (Xp) − E (Xψ6)| ≃ λ
λ >√λ · 2n ⇔ λ > 2n
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 36 / 39
Example on 6 rounds, CPA
In case 1 :
E (Xp) ≃ λ · 24n
O(H·24n
|Bn|6 − 11−1/22n ) = 1/23n ⇒ |E (Xp) − E (Xψ6)| ≃ λ · 2n
λ · 2n >√λ · 22n ⇔ λ > 22n
In case 4 :
E (Xp) ≃ λ·24n
2n
O(H·24n
|Bn|6 − 11−1/22n ) = 1/22n ⇒ |E (Xp) − E (Xψ3)| ≃ λ · 2n
λ · 2n >√λ · 23n ⇔ λ > 2n
In case 11 :
E (Xp) ≃ λ·23n
22n
O(H·24n
|Bn|6 − 11−1/22n ) = 1/2n ⇒ |E (Xp) − E (Xψ6)| ≃ λ
λ >√λ · 2n ⇔ λ > 2n
Cases 4 and 11 are the cases leading to the best attacks. O(2n) permutationsand O(22n) messages per permutation are needed. Complexity of the
attacks : O(23n).
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 36 / 39
Table of results
number k
of roundsKPA CPA-1 CPA-2 CPCA-1 CPCA-2
1 1 1 1 1 1
2 2n/2 2 2 2 2
3 2n(+) 2n/2 2n/2 2n/2 3
4 2n 2n/2 2n/2 2n/2 2n/2
5 23n/2 2n 2n 2n 2n
6 23n(+) 23n(+) 23n(+) 23n(+) 23n(+)
7 23n 23n 23n 23n 23n
8 24n 24n 24n 24n 24n
9 26n(+) 26n(+) 26n(+) 26n(+) 26n(+)
10 26n 26n 26n 26n 26n
11 27n 27n 27n 27n 27n
12 29n(+) 29n(+) 29n(+) 29n(+) 29n(+)
k≥6, k=0 mod 3 2(k−3)n 2(k−3)n 2(k−3)n 2(k−3)n 2(k−3)n
k≥6, k=1 or 2 mod 3 2(k−4)n 2(k−4)n 2(k−4)n 2(k−4)n 2(k−4)n
Fig.: Maximum number of messages needed to get an attack on a k-round Feistelnetwork with internal permutations.
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 37 / 39
Table of results for classical Feistel ciphers [Patarin-01]
number k
of roundsKPA CPA-1 CPA-2 CPCA-1 CPCA-2
1 1 1 1 1 1
2 2n/2 2 2 2 2
3 2n/2 2n/2 2n/2 2n/2 3
4 2n 2n/2 2n/2 2n/2 2n/2
5 23n/2 2n 2n 2n 2n
6 22n 22n 22n 22n 22n
7 23n 23n 23n 23n 23n
8 24n 24n 24n 24n 24n
9 25n 25n 25n 25n 25n
10 26n 26n 26n 26n 26n
11 27n 27n 27n 27n 27n
12 28n 28n 28n 28n 28n
k≥6 2(k−4)n 2(k−4)n 2(k−4)n 2(k−4)n 2(k−4)n
Fig.: Maximum number of messages needed to get an attack on a k-round Feistelnetwork with internal functions.
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 38 / 39
Conclusion
We gave the best generic two-point attacks on Feistel ciphers with internalpermutations.
These are the best known generic attacks on such ciphers.
The complexities reach the known bounds on security (3 and 4 rounds,[Piret-05]).
However, other attacks may be possible, we did not concentrate on proofsof security.
Complexities found often close to the complexity of the attacks onclassical Feistel chiphers. This could not be predicted.
Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 39 / 39