Complementing Feistel Ciphers
?
Alex Biryukov
1
and Ivica Nikoli´c
2
1
University of Luxembourg
2
Nanyang Technological University, Singapore
alex.biryukov@uni.lu inikolic@ntu.edu.sg
Abstract. In this paper, we propose related-key differential distinguish-
ers based on the complementation property of Feistel ciphers. We show
that with relaxed requirements on the complementation, i.e. the prop-
erty does not have to hold for all keys and the complementation does
not have to be on all bits, one can obtain a variety of distinguishers. We
formulate criteria sufficient for attacks based on the complementation
property. To stress the importance of our findings we provide analysis of
the full-round primitives:
– For the hash mode of Camellia-128 without F L, F L
−1
layers, dif-
ferential multicollisions with 2
112
time
– For GOST, practical recovery of the full key with 31 related keys
and 2
38
time/data
Key words: Complementation, Feistel, Camellia, GOST
1 Introduction
It is a well established fact that the effective key size of DES[9] is 55 instead
of 56 bits. The reduction of one bit is due to the complementation property of
DES, i.e. by flipping all the bits in the key and in the plaintext, all the bits of
the ciphertext will flip as well. Hence in an exhaustive key search, one has to
try only half of the possible values for the key – the other complemented half
would produce related ciphertexts. This property applies to all Feistel ciphers
with round keys obtained as permutations of the master key bits/words, and
with a round function that starts with an XOR of a single round key.
The complementation property can be seen as a simple related-key distin-
guisher applicable to all of the keys and detectable with a single pair of plaintexts
and a corresponding pair of ciphertexts. The difference in the round keys, plain-
texts and the ciphertexts is always -1, i.e. it is in all of the bits. In this paper
we investigate the cases of ciphers with complementation properties applicable
not necessarily to all of the keys, but only to a subset i.e. weak-key class, and
with round key differences other than -1. We are aware of only one published
result that analyzes the complementation property – the work of Bouillaguet et
al.[3]. Even there the focus in not on the original property – the authors examine
the generalizations of the complementation property, and exploit self-similarity
?
The paper has been published on Fast Software Encryption 2013.
of the rounds in the ciphers. Our work however targets exclusively the cases of
complementation and only Feistel ciphers.
The starting point of our analysis is the observation that if instead of the
requirement that the complementation property holds for all keys (as in the case
of DES), we can examine only a subset of keys for which it applies. This leads
to the problem of constructing a high probability differential in the key schedule
of the cipher. We give the conditions on the output difference in the differential
and obtain quite simple criteria for existence of related-key attacks based on
the complementation property. The importance of our findings is shown on the
example of two full-round Feistel ciphers: Camellia-128[1] and GOST[5]. We
analyze Camellia-128 without the non-linear layers F L, F L
−1
and show how to
find a pair of keys that follow the low probability differential in the key schedule
constructed to exploit the complementation – this allows us to attack the hash
mode of this version of the cipher. Thus we obtain the first analysis on the full-
round Camellia without the F L, F L
−1
in the hash mode – it requires around
2
112
encryptions. Complementation property of GOST has been known (see [7,
4]), however all of the proposed key recovery attacks require impractical time
complexity. We show that if one uses several similar complementation properties,
an efficient key recovery attack on GOST exists. Our attack requires 31 related-
key pair, and only 2
38
time and data complexities to recover the full 256-bit key.
Thus we are able to perform the first experimental cryptanalysis of GOST on a
computer.
2 Complementation Property of Feistel Constructions
The complementation property was first observed in DES. It is based on the
observation that if one flips all of the bits of the master key and the plaintext,
then all of the bits of the ciphertext will flip as well. The foundation of these
observations for Feistel ciphers is given below. Without loss of generality we
assume that the Feistel is balanced as the case for unbalanced Feistels can be
examined similarly.
A balanced Feistel with r rounds is defined as:
L
n+1
= F (L
n
, K
n
) ⊕ R
n
R
n+1
= L
n
,
where K
n
is the n-th round key, P = L
0
||R
0
is the plaintext, and C = L
r
||R
r
is the ciphertext. In the vast majority of Feistel ciphers, the round function
F (L, K) can be decomposed as
3
:
F (L, K) = G(L ⊕ K),
3
The round function of DES does not strictly follow this definition due to the expan-
sion of the initial input from 32 bits to 48 bits, nonetheless our reasoning can still
be applied to DES.
2
i.e. first the round key is bitwise added to the state L, followed by some additional
non-linear and linear transformations (G is usually a Substitution-Permutation
network). We use the term classical Feistels for the ciphers that have such an F
function.
Let KS(K) be the key schedule function of the cipher, i.e. given the master
key K, the function produces K
i
, i = 1, . . . , r round keys:
KS(K) = (K
1
, . . . , K
r
)
Further assume that all of the round keys K
i
are obtained by (possibly different)
bit permutations of the master key K (as in the case of DES). If one has two
related master keys K
1
, K
2
such that K
1
⊕ K
2
= −1 (with −1 we denote the
difference in all of the bits) then the following holds for all i: K
1
i
⊕ K
2
i
= −1.
Let P
1
, P
2
be two related plaintexts such that P
1
⊕ P
2
= −1, i.e. L
1
0
⊕ L
2
0
= −1
and R
1
0
⊕ R
2
0
= −1. Then by induction for each i we get:
L
1
i+1
⊕ L
2
i+1
=F (L
1
i
, K
1
i
) ⊕ R
1
i
⊕ F (L
1
i
, K
1
i
) ⊕ R
1
i
=
G(L
1
i
⊕ K
1
i
) ⊕ R
1
i
⊕ G(L
1
i
⊕ −1 ⊕ K
1
i
⊕ −1) ⊕ R
1
i
= R
1
i
⊕ R
2
i
= −1
R
1
i+1
⊕ R
2
i+1
=L
1
i
⊕ L
2
i
= −1
Therefore L
1
r
⊕ L
2
r
= −1, R
1
r
⊕ R
2
r
= −1 and hence there is a difference in all of
the bits of the ciphertext.
The complementation property of such ciphers allows reduction of the key
space by one bit as for the brute force of the whole key space it is sufficient to
try only one half of all possible keys – the other half will produce a compliment
ciphertext under a compliment plaintext.
The complementation property can be observed for ciphers that not nec-
essarily have a key schedule composed of bit permutations. Notice, the only
requirement on the key schedule is to produce complemented round keys.
Lemma 1 (Classical Feistel complementation). Let for an n-bit classical
Feistel cipher E
K
(P ) with k-bit keys and a key schedule KS(K) exist a differ-
ential with probability p for KS(K) with output difference in all of the bits in
all of the round keys, i.e.
∃∆ : KS(K ⊕ ∆) ⊕ KS(K)
p
−→ (−1, . . . , −1)
Then, if p > 2
−k
, distinguisher for a weak-key class of size p · 2
k
exists for the
cipher E
K
(P ).
Proof. Once the difference in all of the round keys is -1, the complementation
property can be applied, i.e. the differential in the state holds with probability
1. Therefore if the attacker can build a differential with the input difference in
the master keys ∆, and output difference -1 in all of the round keys, then the
differential (−1, ∆) → (−1) for the cipher E
K
(P ) holds with probability p. To
find the right key pair that follows the differential in the key schedule one has
to try around 1/p pairs of randomly chosen master keys with input difference
3
∆, therefore the size of this weak key class is 2
k
· p. For any cipher, to produce
a pair of complemented plaintexts that result in complemented ciphertexts, one
has to try around 2
n
pairs, however even when p < 2
−n
, a false positive (i.e.
a complementation pair of plaintexts-ciphertexts that indicate belonging of a
key to the weak-key class) can be easily detected by trying a few more pairs of
complementing plaintexts.
Remark 1 The complementation property holds regardless of the number of
rounds in the cipher, by increasing the number of rounds one cannot expect to
get a better resistance against this type of attacks.
Remark 2 The additional key whitenings at the beginning and at the end of
the Feistel do not influence the attack complexities, but merely change the input
difference in the plaintext and the output difference in the ciphertext.
The requirement of having the difference -1 in all of the round keys can be
replaced with the requirement of having some difference ∆ which is not nec-
essarily -1. We call this property a partial complementation. Also, instead of a
single difference ∆ one can require two differences ∆
1
, ∆
2
that alternate, i.e. the
first round key has ∆
1
, the second ∆
2
, the third ∆
1
, etc. – this is an alternating
complementation.
Lemma 2 (Classical Feistel partial alternating complementation). Let
for an n-bit classical Feistel cipher E
K
(P ) with k-bit keys and a key schedule
KS(K) exist a differential with probability p for KS(K) with alternating differ-
ences in the round keys, i.e.
∃∆ : KS(K ⊕ ∆) ⊕ KS(K)
p
−→ (∆
1
, ∆
2
, ∆
1
, ∆
2
, . . . , ∆
1
, ∆
2
)
Then, if p > 2
−k
, distinguisher for a weak-key class of size p · 2
k
exists for the
cipher E
K
(P ).
Proof. We can follow the same logic as in the proof of Lemma 1 with one ex-
ception – the initial difference in the plaintext should be (∆
1
, ∆
2
). Then in each
round, in the XOR the difference from the round key (either ∆
1
or ∆
2
) would
cancel the difference in the state. As they alternate with the same period of two
rounds, the XOR will always produce zero difference, hence the probability of
the differential in the state would be 1. Depending if the number of rounds is
even or odd, the difference in the ciphertext would be either (∆
1
, ∆
2
) for even
rounds, or (∆
2
, ∆
1
) for odd rounds.
Remark 3 Lemma 2 is more general then Lemma 1, as the later is a particular
case of the former for ∆
1
= ∆
2
= −1.
The round function of some Feistel ciphers instead of an XOR applies mod-
ular addition of the round key, i.e. F (L, K) = G(L + K). We call this type
of ciphers, modular Feistels. The (complementary) differential in the state of a
modular Feistel not necessarily holds with probability 1 – the precise probability
4
depends on the differences in the round key K
i
and the state word L
i
as well as
on the number of rounds.
An efficient algorithm for computing the differential probability of modular
addition was presented by Limpaa and Moriai in [8]. Our further analysis is
based on this algorithm, however, due to space constraints we would not provide
its description. Let (X)
m
be the m rightmost (least significant) bits of an n-bit
word X and let |X| be the Hamming weight, i.e. the number of bits with value
1, of the word X.
Lemma 3 (Modular Feistel alternating complementation
4
). Let for an
r-round n-bit modular Feistel cipher E
K
(P ) with k-bit keys and a key sched-
ule KS(K) exist a differential with probability p for KS(K) with alternating
differences in the round keys, i.e.
∃∆ : KS(K ⊕ ∆) ⊕ KS(K)
p
−→ (∆
1
, ∆
2
, ∆
1
, ∆
2
, . . . , ∆
1
, ∆
2
)
Then, if p·2
−d
r
2
e(|(∆
1
)
n−1
|+|(∆
2
)
n−1
|)
> 2
−k
and 2
−d
r
2
e(|(∆
1
)
n−1
|+|(∆
2
)
n−1
|)
> 2
−n
,
distinguisher for a weak-key class of size p · 2
k
exists for the cipher E
K
(P ).
Proof. In modular ciphers, we have to compute the probability of the differential
in the state as well. As in r rounds, there are
5
d
r
2
e round keys with ∆
1
difference,
and the same number of keys with difference ∆
2
, it is sufficient to find only
the probability of one round (with both ∆
1
and ∆
2
). The differences from the
incoming round key and the state word should cancel, thus avoid any incoming
difference in the SP network of the round function. Hence, by Algorithm 2 of [8],
γ should be equal to zero, and the maximal probability of one round is reached
when the incoming differences in the round key K
i
and the state word L
i
(or
in the notation from [8], α = β) are the same – in this case the probability of
modular addition is 2
−|(∆
1
)
n−1
|
or 2
−|(∆
2
)
n−1
|
. Taking into account the number
of rounds, one obtains the claimed probability. The second requirement in the
Lemma is to ensure that the probability of the differential in the state is not
bellow 2
−n
.
The variations of the complementation property presented above are indeed
related-key differential distinguishers for ciphers. In both classical and modular
Feistels, the size of the weak-key class depends only on the probability of the
differential in the key schedule. However, to find and detect if a specific key
belongs to the weak-key class differs between these two families, as for classical
Feistels, the probability of the differential in the state is 1, whereas for modular
Feistels, this probability might be lower. Hence, in the case of former one has to
try around 2
P
different pairs of keys and encrypt one pair of plaintexts, while
in the case of modular Feistels, for each of the 2
P
pairs of related-key has to
encrypt 2
Q
pairs of plaintexts (2
−P
, 2
−Q
are the probabilities of the differential
in the key schedule and in the state).
4
One of our anonymous reviewers has informed us that a similar idea was used against
DESX in Kelsey et al. [6].
5
When r is odd, there are d
r
2
e round keys with difference ∆
1
, and d
r
2
e − 1 round keys
with ∆
2
.
5
