Security Analysis of GFN: 8-Round Distinguisher for 4-Branch Type-2 GFN

TLDR: The presented distinguisher is the first known distinguisher for 8 round 4-branch type-2 GFN with double SP-function, and uses an improved matching technique which is simpler than the byte-by-byte matching.

Abstract: Generalized Feistel network (GFN) is a widely used design for encryption algorithm such as DES, IDEA and others. Generally, block ciphers are used not only for symmetric encryption but also as building blocks of cryptographic hash functions in modes such as Matyas-Meyer-Oseas (MMO) and Miyaguchi-Preneel. For these compression function modes, block ciphers are used with a key that is known to the attacker. Therefore a known-key distinguisher on the internal block cipher can be directly converted into a distinguisher on the compression function. In other words, the security of a compression mode relies on the security of the internal block cipher used. The security of the cipher in known-key setting is only due to the round function. Block ciphers popularly use sub-key XOR-ing followed by one or more SP-functions as the building block of a round function. The general understanding is that increasing the number of active S-boxes will cause more confusion and guarantee more secure ciphers against differential and linear cryptanalysis. In Indocrypt 2012, Sasaki compared the security of single-SP function with double-SP function and successfully mounted a distinguisher up to 7-round for 4-branch type-2 GFN with double-SP functions and up to 11-rounds of 2-branch single-SP functions by using the rebound attack technique. Based on the total number of S-boxes used and the number of rounds attacked, he argued that double-SP is in fact weaker than single-SP. The basis of this result is the number of rounds that the author could attack. In this work, we successfully increase the number of rounds attacked from 7 to 8 for 4-branch type-2 double-SP. The presented distinguisher is the first known distinguisher for 8 round 4-branch type-2 GFN with double SP-function. In our attack, we use an improved matching technique which is simpler than the byte-by-byte matching. This simple matching technique results in better complexity than the previously known 7 round distinguisher for most of the practical cases, allowing us to attack one extra round.