Complementing Feistel Ciphers
read more
Citations
Generic Key Recovery Attack on Feistel Scheme
WARP : Revisiting GFN for Lightweight 128-Bit Block Cipher
Revisiting Key-Alternating Feistel Ciphers for Shorter Keys and Multi-user Security
Revisiting Key-alternating Feistel Ciphers for Shorter Keys and Multi-user Security.
On the Indifferentiability of Key-Alternating Feistel Ciphers with No Key Derivation.
References
Camellia: A 128-Bit Block Cipher Suitable for Multiple Platforms - Design and Analysis
Distinguisher and Related-Key Attack on the Full AES-256
Related-key cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA
Related Key Differential Attacks on 27 Rounds of XTEA and Full-Round GOST
Efficient Algorithms for Computing Differential Properties of Addition
Related Papers (5)
Frequently Asked Questions (14)
Q2. What is the reason for the reduction of one bit?
The reduction of one bit is due to the complementation property of DES, i.e. by flipping all the bits in the key and in the plaintext, all the bits of the ciphertext will flip as well.
Q3. What is the complementation property of a cipher?
The complementation property of such ciphers allows reduction of the key space by one bit as for the brute force of the whole key space it is sufficient to try only one half of all possible keys – the other half will produce a compliment ciphertext under a compliment plaintext.
Q4. What is the point of the analysis?
The starting point of their analysis is the observation that if instead of the requirement that the complementation property holds for all keys (as in the case of DES), the authors can examine only a subset of keys for which it applies.
Q5. What is the criteria for cryptanalysis of classical Feistel ciphers?
The authors have deduced a simple criteria for cryptanalysis of classical Feistel ciphers: if for the key schedule there exists a high probability differential that produces alternating differences in the round keys then the cipher is vulnerable to relatedkey attacks, regardless of the number of rounds in the state.
Q6. How many times can the authors produce a collision with the same fixed difference between the message words?
to produce q collisions with the same fixed difference between the message words (the difference is (0||−1||0) the authors need 2112 calls to the hash function7.
Q7. How many cores were used to recover the full key?
As the key recovery can be parallelized, another implementation was able to recover the full key in around 7 hours using four Intel i5 cores.
Q8. How many output differences can be approximated?
The authors can approximate with 27 as one of the output differences happens twice, which means that although the authors increase the number from 127 to 128, on the other hand the authors decrease the probability for this difference from 2−6 to 2−7, hence the two rounding errors compensate one another.
Q9. how many i bytes is the probability of a differential?
for T2 = T3 = (1, 1, 1, 1, 1, 1, 1, 1), the probability of the differential is at least:296 · 2−7(8+8+8+8) = 296 · 2−224 = 2−128 (28)If the authors take into account all possible T2, T3 for the probability of the differential the authors get:∑i,j2−7(8+i+j+8)Ci−44 · C j−4 4 2 112−8·(8−i)−8·(8−j)2−8(8−i)−i2−8(8−j)−j ≈ (29)≈ 2−128 (30)Thus, by Lemma 1, the size of the weak key class is 2128 · 2−128 = 1.
Q10. How many plaintexts are used in the attack?
Therefore the time complexity of the full key-recovery attack is 2 · (31 ·232 +28) ≈ 238 encryptions and a similar data complexity of 238 chosen plaintexts.
Q11. How many times does one have to guess the significant bit of the round key?
For each round, one has to guess only a single bit (the most significant bit) of the round key, thus step 3 has to be repeated at most 28 times.
Q12. What is the potential vulnerability of Feistel ciphers?
The authors have shown a potential vulnerability in Feistel ciphers based on the complementation property that results in relatively easily detectable related-key differential attacks.
Q13. How many output differences can be obtained from the S-box?
Every input difference to the S-box can go to 127 output differences or approximately to 27 out of 28 − 1 possible, which is around 2−1.
Q14. how many active bytes will enter the S-layer?
in the first and the fourth round of the key schedule, the number of active bytes has to be maximal, i.e. eight active bytes will enter the S-layer.