Known-key attacks on generalized Feistel schemes with SP round function

Hyungchul Kang, Deukjo Hong, Dukjae Moon, Daesung Kwon, Jaechul Sung, Seokhie Hong

Research output: Contribution to journalArticle

8 Citations (Scopus)

Abstract

We present attacks on the generalized Feistel schemes, where each round function consists of a subkey XOR, S-boxes, and then a linear transformation (i.e. a Substitution-Permutation (SP) round function). Our techniques are based on rebound attacks. We assume that the S-boxes have a good differential property and the linear transformation has an optimal branch number. Under this assumption, we firstly describe known-key distinguishers on the type-1, -2, and -3 generalized Feistel schemes up to 21, 13 and 8 rounds, respectively. Then, we use the distinguishers to make several attacks on hash functions where Merkle-Damgård domain extender is used and the compression function is constructed with Matyas-Meyer-Oseas or Miyaguchi-Preneel hash modes from generalized Feistel schemes. Collision attacks are made for 11 rounds of type-1 Feistel scheme. Near collision attacks are made for 13 rounds of type-1 Feistel scheme and 9 rounds of type-2 Feistel scheme. Half collision attacks are made for 15 rounds of type-1 Feistel scheme, 9 rounds of type-2 Feistel scheme, and 5 rounds of type-3 Feistel scheme.

Original languageEnglish
Pages (from-to)1550-1560
Number of pages11
JournalIEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences
VolumeE95-A
Issue number9
DOIs
Publication statusPublished - 2012 Sep 1

Fingerprint

Substitution
Permutation
Linear transformations
Substitution reactions
Attack
Collision Attack
Hash functions
S-box
Linear transformation
Rebound
Compression Function
Hash Function
Branch

Keywords

  • Collision attack
  • Generalized Feistel schemes
  • Hashing mode
  • Known-key distinguisher
  • Rebound attack

ASJC Scopus subject areas

  • Electrical and Electronic Engineering
  • Computer Graphics and Computer-Aided Design
  • Applied Mathematics
  • Signal Processing

Cite this

Known-key attacks on generalized Feistel schemes with SP round function. / Kang, Hyungchul; Hong, Deukjo; Moon, Dukjae; Kwon, Daesung; Sung, Jaechul; Hong, Seokhie.

In: IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, Vol. E95-A, No. 9, 01.09.2012, p. 1550-1560.

Research output: Contribution to journalArticle

Kang, Hyungchul ; Hong, Deukjo ; Moon, Dukjae ; Kwon, Daesung ; Sung, Jaechul ; Hong, Seokhie. / Known-key attacks on generalized Feistel schemes with SP round function. In: IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences. 2012 ; Vol. E95-A, No. 9. pp. 1550-1560.
@article{b267c76b88114b9aa3af366763c9384e,
title = "Known-key attacks on generalized Feistel schemes with SP round function",
abstract = "We present attacks on the generalized Feistel schemes, where each round function consists of a subkey XOR, S-boxes, and then a linear transformation (i.e. a Substitution-Permutation (SP) round function). Our techniques are based on rebound attacks. We assume that the S-boxes have a good differential property and the linear transformation has an optimal branch number. Under this assumption, we firstly describe known-key distinguishers on the type-1, -2, and -3 generalized Feistel schemes up to 21, 13 and 8 rounds, respectively. Then, we use the distinguishers to make several attacks on hash functions where Merkle-Damg{\aa}rd domain extender is used and the compression function is constructed with Matyas-Meyer-Oseas or Miyaguchi-Preneel hash modes from generalized Feistel schemes. Collision attacks are made for 11 rounds of type-1 Feistel scheme. Near collision attacks are made for 13 rounds of type-1 Feistel scheme and 9 rounds of type-2 Feistel scheme. Half collision attacks are made for 15 rounds of type-1 Feistel scheme, 9 rounds of type-2 Feistel scheme, and 5 rounds of type-3 Feistel scheme.",
keywords = "Collision attack, Generalized Feistel schemes, Hashing mode, Known-key distinguisher, Rebound attack",
author = "Hyungchul Kang and Deukjo Hong and Dukjae Moon and Daesung Kwon and Jaechul Sung and Seokhie Hong",
year = "2012",
month = "9",
day = "1",
doi = "10.1587/transfun.E95.A.1550",
language = "English",
volume = "E95-A",
pages = "1550--1560",
journal = "IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences",
issn = "0916-8508",
publisher = "Maruzen Co., Ltd/Maruzen Kabushikikaisha",
number = "9",

}

TY - JOUR

T1 - Known-key attacks on generalized Feistel schemes with SP round function

AU - Kang, Hyungchul

AU - Hong, Deukjo

AU - Moon, Dukjae

AU - Kwon, Daesung

AU - Sung, Jaechul

AU - Hong, Seokhie

PY - 2012/9/1

Y1 - 2012/9/1

N2 - We present attacks on the generalized Feistel schemes, where each round function consists of a subkey XOR, S-boxes, and then a linear transformation (i.e. a Substitution-Permutation (SP) round function). Our techniques are based on rebound attacks. We assume that the S-boxes have a good differential property and the linear transformation has an optimal branch number. Under this assumption, we firstly describe known-key distinguishers on the type-1, -2, and -3 generalized Feistel schemes up to 21, 13 and 8 rounds, respectively. Then, we use the distinguishers to make several attacks on hash functions where Merkle-Damgård domain extender is used and the compression function is constructed with Matyas-Meyer-Oseas or Miyaguchi-Preneel hash modes from generalized Feistel schemes. Collision attacks are made for 11 rounds of type-1 Feistel scheme. Near collision attacks are made for 13 rounds of type-1 Feistel scheme and 9 rounds of type-2 Feistel scheme. Half collision attacks are made for 15 rounds of type-1 Feistel scheme, 9 rounds of type-2 Feistel scheme, and 5 rounds of type-3 Feistel scheme.

AB - We present attacks on the generalized Feistel schemes, where each round function consists of a subkey XOR, S-boxes, and then a linear transformation (i.e. a Substitution-Permutation (SP) round function). Our techniques are based on rebound attacks. We assume that the S-boxes have a good differential property and the linear transformation has an optimal branch number. Under this assumption, we firstly describe known-key distinguishers on the type-1, -2, and -3 generalized Feistel schemes up to 21, 13 and 8 rounds, respectively. Then, we use the distinguishers to make several attacks on hash functions where Merkle-Damgård domain extender is used and the compression function is constructed with Matyas-Meyer-Oseas or Miyaguchi-Preneel hash modes from generalized Feistel schemes. Collision attacks are made for 11 rounds of type-1 Feistel scheme. Near collision attacks are made for 13 rounds of type-1 Feistel scheme and 9 rounds of type-2 Feistel scheme. Half collision attacks are made for 15 rounds of type-1 Feistel scheme, 9 rounds of type-2 Feistel scheme, and 5 rounds of type-3 Feistel scheme.

KW - Collision attack

KW - Generalized Feistel schemes

KW - Hashing mode

KW - Known-key distinguisher

KW - Rebound attack

UR - http://www.scopus.com/inward/record.url?scp=84865732721&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84865732721&partnerID=8YFLogxK

U2 - 10.1587/transfun.E95.A.1550

DO - 10.1587/transfun.E95.A.1550

M3 - Article

AN - SCOPUS:84865732721

VL - E95-A

SP - 1550

EP - 1560

JO - IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences

JF - IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences

SN - 0916-8508

IS - 9

ER -