Xiaoyang Dong,Zheng Li,Xiaoyun Wang

DOI: https://doi.org/10.1007/s11432-017-9436-7

2019-01-02

Science China Information Sciences

Abstract:Post-quantum cryptography has attracted much attention from worldwide cryptologists. In ISIT 2010, Kuwakado and Morii gave a quantum distinguisher with polynomial time against 3-round Feistel networks. However, generalized Feistel schemes (GFS) have not been systematically investigated against quantum attacks. In this paper, we study the quantum distinguishers about some generalized Feistel schemes. For d-branch Type-1 GFS (CAST256-like Feistel structure), we introduce (2d - 1)-round quantum distinguishers with polynomial time. For 2d-branch Type-2 GFS (RC6/CLEFIA-like Feistel structure), we give (2d + 1)-round quantum distinguishers with polynomial time. Classically, Moriai and Vaudenay proved that a 7-round 4-branch Type-1 GFS and 5-round 4-branch Type-2 GFS are secure pseudo-random permutations. Obviously, they are no longer secure in quantum setting. Using the above quantum distinguishers, we introduce generic quantum key-recovery attacks by applying the combination of Simon’s and Grover’s algorithms recently proposed by Leander and May. We denote n as the bit length of a branch. For (d2-d+2)-round Type-1 GFS with d branches, the time complexity is 2(12d2−32d+2)⋅n2$${2^{\left( {\frac{1}{2}{d^2} - \frac{3}{2}d + 2} \right) \cdot \frac{n}{2}}}$$, which is better than the quantum brute force search (Grover search) by a factor 2(14d2+14d)n$${2^{\left( {\frac{1}{4}{d^2} + \frac{1}{4}d} \right)n}}$$. For 4d-round Type-2 GFS with 2d branches, the time complexity is 2d2n2$${2^{\frac{{{d^2}n}}{2}}}$$, which is better than the quantum brute force search by a factor 23d2n2$${2^{\frac{{3{d^2}n}}{2}}}$$.

computer science, information systems,engineering, electrical & electronic

Yaobin Shen,Chun Guo,Lei Wang

DOI: https://doi.org/10.13154/tosc.v2020.i1.425-457

2020-01-01

Abstract:We revisit the security of various generalized Feistel networks. Concretely, for unbalanced, alternating, type-1, type-2, and type-3 Feistel networks built from random functions, we substantially improve the coupling analyzes of Hoang and Rogaway (CRYPTO 2010). For a tweakable blockcipher-based generalized Feistelnetwork proposed by Coron et al. (TCC 2010), we present a coupling analysis and for the first time show that with enough rounds, it achieves 2n-bit security, and this provides highly secure, double-length tweakable blockciphers.

Yuying Man,Sihem Mesnager,Nian Li,Xiangyong Zeng,Xiaohu Tang

2023-09-05

Abstract:Substitution boxes (S-boxes) play a significant role in ensuring the resistance of block ciphers against various attacks. The Difference Distribution Table (DDT), the Feistel Boomerang Connectivity Table (FBCT), the Feistel Boomerang Difference Table (FBDT) and the Feistel Boomerang Extended Table (FBET) of a given S-box are crucial tools to analyze its security concerning specific attacks. However, the results on them are rare. In this paper, we investigate the properties of the power function $F(x):=x^{2^{m+1}-1}$ over the finite field $\gf_{2^n}$ of order $2^n$ where $n=2m$ or $n=2m+1$ ($m$ stands for a positive integer). As a consequence, by carrying out certain finer manipulations of solving specific equations over $\gf_{2^n}$, we give explicit values of all entries of the DDT, the FBCT, the FBDT and the FBET of the investigated power functions. From the theoretical point of view, our study pushes further former investigations on differential and Feistel boomerang differential uniformities for a novel power function $F$. From a cryptographic point of view, when considering Feistel block cipher involving $F$, our in-depth analysis helps select $F$ resistant to differential attacks, Feistel differential attacks and Feistel boomerang attacks, respectively.

Information Theory

Chun Guo,Lei Wang

DOI: https://doi.org/10.1007/978-3-030-03326-2_8

2018-01-01

Abstract:Key-Alternating Feistel (KAF) ciphers, a.k.a. Feistel-2 models, refer to Feistel networks with round functions of the form , where is the (secret) round-key and is a public random function. This model roughly captures the structures of many famous Feistel ciphers, and the most prominent instance is DES. Existing provable security results on KAF assumed independent round-keys and round functions (ASIACRYPT 2004 & FSE 2014). In this paper, we investigate how to achieve security under simpler and more realistic assumptions: with round-keys derived from a short main-key, and hopefully with identical round functions. For birthday-type security, we consider 4-round KAF, investigate the minimal conditions on the way to derive the four round-keys, and prove that when such adequately derived keys and the same round function are used, the 4-round KAF is secure up to queries. For beyond-birthday security, we focus on 6-round KAF. We prove that when the adjacent round-keys are independent, and independent round-functions are used, the 6 round KAF is secure up to queries. To our knowledge, this is the first beyond-birthday security result for KAF without assuming completely independent round-keys. Our results hold in the multi-user setting as well, constituting the first non-trivial multi-user provable security results on Feistel ciphers. We finally demonstrate applications of our results on designing key-schedules and instantiating keyed sponge constructions.

Ying Xu,Xiaoni Du,Meichun Jia,Xiangyu Wang,Jian Zou

DOI: https://doi.org/10.1007/s11128-023-04135-6

IF: 1.965

2023-10-16

Quantum Information Processing

Abstract:Generalized Feistel networks are important components of symmetric ciphers, and detailed security evaluations in the quantum setting remain to be explored. In this paper, based on the strong–weak separability of certain branch output function, we present polynomial-time quantum distinguishers for 4F-function and 2F-function structures in quantum chosen-plaintext attack setting for the first time, and then quantum key-recovery attacks are achieved through Grover-meet-Simon algorithm, respectively. Under the condition of the semi-strong separability, firstly, we give a quantum distinguisher on 8-round 4F-function structure, from which we carry out a 12-round quantum key-recovery attack to guess 10 n -bit subkey, whose time complexities gain a factor of . When attacking rounds, we can recover -bit subkey in time . Secondly, we show a quantum distinguisher on 5-round 2F-function structure, and a 7-round quantum key-recovery attack is performed on it, which can recover 3 n -bit subkey in time . When , -bit subkey can be recovered with time complexities by a factor of . Furthermore, based on the weak separability, a 6-round quantum distinguisher for 2F-function structure is constructed, and an 8-round quantum key-recovery attack is achieved, and the time complexity is when . The results show that the time complexity of each attack scheme we proposed is much better than that of Grover's brute force search.

physics, multidisciplinary,quantum science & technology, mathematical

Fan Zhang,Xiaofei Dong,Xinjie Zhao,Yidi Wang,Samiya Qureshi,Yiran Zhang,Xiaoxuan Lou,Yongkang Tang

DOI: https://doi.org/10.1109/MASS.2018.00056

2018-01-01

Abstract:This paper proposed an advanced round modification fault analysis (RMFA) at the theoretical level on AEGIS-128, which is one of seven finalists in CAESAR competition. First, we clarify our assumptions and simplifications on the attack model, focusing on the encryption security. Then, we emphasize the difficulty of applying vanilla RMFA to AEGIS-128 in the practical case. Finally we demonstrate our advanced fault analysis on AEGIS-128 using machine-solver based algebraic techniques. Our enhancement can be used to conquer the practical scenario which is difficult for vanilla RMFA. Simulation results show that when the fault is injected to the initialization phase and the number of rounds is reduced to one, two samples of injections can extract the whole 128 key bits within less than two hours. This work can also be extended to other versions such as AEGIS-256.

Ting-Ting Lin,Xue-Jia Lai,Wei-Jia Xue,Yin Jia

DOI: https://doi.org/10.1007/s11390-017-1727-x

2017-01-01

Abstract:The white-box attack is a new attack context in which it is assumed that cryptographic software is implemented on an un-trusted platform and all the implementation details are controlled by the attackers. So far, almost all white-box solutions have been broken. In this study, we propose a white-box encryption scheme that is not a variant of obfuscating existing ciphers but a completely new solution. The new scheme is based on the unbalanced Feistel network as well as the ASASASA (where “A” means affine, and “S” means substitution) structure. It has an optional input block size and is suitable for saving space compared with other solutions because the space requirement grows slowly (linearly) with the growth of block size. Moreover, our scheme not only has huge white-box diversity and white-box ambiguity but also has a particular construction to bypass public white-box cryptanalysis techniques, including attacks aimed at white-box variants of existing ciphers and attacks specific to the ASASASA structure. More precisely, we present a definition of white-box security with regard to equivalent key, and prove that our scheme satisfies such security requirement.

Guoqiang Bai,Rui Ma,Guang Xiao

IF: 1.019

2001-01-01

Chinese Journal of Electronics

Abstract:Guang Gong and Lein Harn proposed a new Diffie-Hellman public-key distribution scheme that is based on third-order linear feedback shift register sequences over GF(p) and its security is based on the difficulty of solving the discrete logarithm in GF(p(3)). However, a method for attacking the scheme is presented in this paper. Despite that the method could not break up it fully, it indicates that the security of the scheme is likely to be not being based on the difficulty of solving the discrete logarithm in GF(p(3)). With this method, we have also obtained the weak private keys of the scheme.

Helger Lipmaa,Bingsheng Zhang

DOI: https://doi.org/10.1007/978-3-642-16342-5_12

2010-01-01

Abstract:In a selective private function evaluation (SPFE) protocol, the client privately computes some predefined function on his own input and on m out of server's n database elements. We propose two new generalized SPFE protocols that are based on the new cryptocomputing protocol by Ishai and Paskin and an efficient CPIR. The first protocol works only for constant values of m,, but has 2 messages, and is most efficient when m = 1. The second SPFE protocol works for any m, has 4 messages, and is efficient for a large class of functionalities. We then propose an efficient protocol for private similarity test, where one can compute how similar client's input is to a specific element in server's database, without revealing any information to the server. The latter protocol has applications in biometric authentication.

Jianjie Zhao,Dawu Gu,Yong Wang

DOI: https://doi.org/10.1109/WISM.2009.112

2009-01-01

Abstract:Secret sharing is an important information security issue in many applications. We propose a novel general secret sharing scheme based on the modified Weil pairing function and two hard assumptions (computational Weil Diffie-Hellman assumption and elliptic curve discrete logarithmic assumption). The new scheme can present from adversaries' attacks. Since the secret shadows are chosen by the participants themselves, they could use their own shadows repeatedly and there will be no need for any secret communications existing between the dealer and participants. Performance analysis shows that our scheme has low computational cost.

Yiyuan Luo,Xuejia Lai,Jing Hu

2015-01-01

Journal of information science and engineering

Abstract:In this paper we prove beyond-birthday-bound for the (strong) pseudorandomness of many-round Lai-Massey scheme. Motivated by Hoang and Rogaway's analysis of generalized Feistel networks, we use the coupling technology from Markov chain theory and prove that for any epsilon > 0, with enough rounds, the Lai-Massey scheme is indistinguishable from a uniform random permutation by any computationally unbounded distinguisher making at most q similar to N1-epsilon combined chosen plaintext/ciphertext (CCA) queries, where N is the range size of the round function. Previous works by Vaudenay et al. and Yun et al. only proved the birthday-bound CCA security of Lai-Massey scheme.

Feng-Hao Liu,Chi-Jen Lu,Bo-Yin Yang,Jintai Ding

DOI: https://doi.org/10.1007/978-3-540-88403-3_13

2008-01-01

Abstract:Berbain, Gilbert, and Patarin presented QUAD, a pseudo random number generator (PRNG) at Eurocrypt 2006. QUAD (as PRNG and stream cipher) may be proved secure based on an interesting hardness assumption about the one-wayness of multivariate quadratic polynomial systems over F-2.The original BGP proof only worked for F-2 and left a gap to general F-q. We show that the result can be generalized to any arbitrary finite field F-q, and thus produces a stream cipher with alphabets in F-q.Further, we generalize the underlying hardness assumption to specialized systems in F-q (including F-2) that can be evaluated more efficiently. Barring breakthroughs in the current state-of-the-art for system-solving, a rough implementation of a provably secure instance of our new PRNG is twice as fast and takes 1/10 the storage of an instance of QUAD with the same level of provable security.Recent results on specialization on security are also examined. And we conclude that our ideas axe consistent with these new developments and complement them. This gives a clue that we may build secure primitives based on specialized polynomial maps which axe more efficient.

Chunfu Jia,Zheli Liu,Jingwei Li,Zongqing Dong,Xiaoying You

DOI: https://doi.org/10.1007/978-3-642-28744-2_83

2012-01-01

Abstract:Format-preserving encryption implies a block cipher which encrypts a plaintext of some specified format into a ciphertext of identical format. In the paper, we make an overview of various types of Feistel networks used in FPE schemes and show that all Feistel networks divide the input into two sub-blocks. Then we present an integer FPE scheme based on type-2 Feistel network which divides the input into k sub-blocks (here k=4) to provide better diffusion and be better immunity to differential cryptanalysis.

Yiyuan Luo,Xuejia Lai,Zheng Gong,Zhongming Wu

2009-01-01

Abstract:At Asiacrypt’99, Vaudenay modified the structure in the IDEA cipher to a new scheme, which they called as the Lai-Massey scheme. It is proved that 3-round Lai-Massey scheme is sufficient for pseudorandomness and 4-round Lai-Massey scheme is sufficient for strong pseudorandomness. But the author didn’t point out whether three rounds and four rounds are necessary for the pseudorandomness and strong pseudorandomness of the Lai-Massey Scheme. In this paper we find a tworound pseudorandomness distinguisher and a three-round strong pseudorandomness distinguisher, thus prove that three rounds is necessary for the pseudorandomness and four rounds is necessary for the strong pseudorandomness.

Chun Guo,Dongdai Lin

DOI: https://doi.org/10.1007/978-3-662-46494-6_6

2015-01-01

Abstract:Feistel constructions have been shown to be indifferentiable from random permutations at STOC 2011. Whereas how to properly mix the keys into an un-keyed Feistel construction without appealing to domain separation technique to obtain a block cipher which is provably secure against known-key and chosen-key attacks (or to obtain an ideal cipher) remains an open problem. We study this, particularly the basic structure of NSA's SIMON family of block ciphers. SIMON family takes a construction which has the subkey xored into a halve of the state at each round. More clearly, at the i-th round, the state is updated according to (x(i), x(i-1)) -> (x(i-1) circle plus F-i(x(i)) circle plus k(i), x(i)) For such key-alternating Feistel ciphers, we show that 21 rounds are sufficient to achieve indifferentiability from ideal ciphers with 2n-bit blocks and n-bit keys, assuming the n-to-n-bit round functions F-1, ... , F-21 to be random and public and an identical user-provided n-bit key to be applied at each round. This gives an answer to the question mentioned before, which is the first to our knowledge.

Yiyuan Luo,Xuejia Lai,Yujie Zhou

DOI: https://doi.org/10.1007/s10623-016-0235-2

IF: 1.4

2016-01-01

Designs Codes and Cryptography

Abstract:In this paper we present generic attacks on the Lai–Massey scheme inspired by Patarin’s attacks on the Feistel scheme. For bijective round functions, the attacking results are better than non-bijective round functions for the 3, 4-round Lai–Massey scheme. Our results show that there are some security differences of these two schemes against known attacks. The generic attacks on the 4-round and 5-round Lai–Massey scheme require more complexity than the 4-round and 5-round Feistel scheme respectively. Through the analysis we believe the Lai–Massey scheme has some advantage than the Feistel scheme within 5 rounds.

Chun Guo,Ling Song

DOI: https://doi.org/10.1007/s10623-024-01394-x

IF: 1.4

2024-03-25

Designs Codes and Cryptography

Abstract:Feistel constructions using contracting round functions were introduced in 1990s and generalized by Yun et al. (Des Codes Cryptogr 58(1):45–72, 2011) to a quasigroup-based definition. To our knowledge, the minimal number of rounds sufficient for CCA security remains elusive. We bridge this gap: for the general quasigroup-based contracting Feistel construction using round functions , , we prove CCA security at rounds. This matches the attacked rounds of Patarin et al. (in: Lai, Chen (ed) ASIACRYPT, Springer, Heidelberg, 2006). Interestingly, this means 4 rounds are already sufficient for CCA security of the case , which is the same as the balanced Feistel.

mathematics, applied,computer science, theory & methods

Zhichao Xu,Hong Xu,Lin Tan,Wenfeng Qi

DOI: https://doi.org/10.1016/j.jisa.2024.103773

IF: 4.96

2024-04-19

Journal of Information Security and Applications

Abstract:SPECK and SPARX are two kinds of block ciphers with an ARX structure. In this paper, we use the SAT-based automatic search tool to search for linear approximations of these two ARX ciphers. As a result, we find a linear approximation for 17-round SPECK128, which covers one more round than previous work. Based on this linear approximation, we propose improved linear cryptanalysis for 19-round SPECK128/192 and 20-round SPECK128/256, which cover one more round than previous work. For ARX cipher SPARX, we find an optimal linear approximation for 13-round SPARX-64, which covers three more rounds than previous work. We also find an optimal linear approximation for 10-round SPARX-128, which covers two more rounds than previous work. Furthermore, we find a linear approximation for 14-round SPARX-128 by splicing two short linear approximations, which covers four more rounds than previous work. Based on these linear approximations, we propose linear cryptanalysis for 15-round SPARX-64/128, 15-round SPARX-128/128 and 16-round SPARX-128/256.

computer science, information systems

Xiaoyang Dong,Xiaoyun Wang

DOI: https://doi.org/10.13154/tosc.v2016.i1.13-32

2016-01-01

Abstract:Since Knudsen and Rijmen proposed the known-key attacks in ASIACRYPT 2007, the open-key model becomes more and more popular. As the other component of the open-key model, chosen-key model was applied to the full attacks on AES-256 by Biryukov et al. in CRYPTO 2009. In this paper, we explore how practically the chosen-key model affect the real-world cryptography and show that 11-round generic Feistel-SP block cipher is no longer safe in its hashing modes (MMO and MP mode) as there exist collision attacks. This work improves Sasaki and Yasuda’s collision attacks by 2 rounds with two interesting techniques. First, we for the first time use the available degrees of freedom in the key to reduce the complexity of the inbound phase, which extends the previous 5-round inbound differential to a 7-round one. This results in a 12-round chosen-key distinguisher of Feistel-SP block cipher. Second, inspired by the idea of Wang et al., we construct collisions using two blocks. The rebound attack is used in the second compression function. We carefully balance the freedom of the first block and the complexity of the rebound attack, and extend the chosen-key attack to a 11-round collision attack on its hashing modes (MMO and MP mode).

Nicky Mouha,Qingju Wang,Dawu Gu,Bart Preneel

DOI: https://doi.org/10.1007/978-3-642-34704-7_5

2011-01-01

Abstract:Differential and linear cryptanalysis are two of the most powerful techniques to analyze symmetric-key primitives. For modern ciphers, resistance against these attacks is therefore a mandatory design criterion. In this paper, we propose a novel technique to prove security bounds against both differential and linear cryptanalysis. We use mixed-integer linear programming (MILP), a method that is frequently used in business and economics to solve optimization problems. Our technique significantly reduces the workload of designers and cryptanalysts, because it only involves writing out simple equations that are input into an MILP solver. As very little programming is required, both the time spent on cryptanalysis and the possibility of human errors are greatly reduced. Our method is used to analyze Enocoro-128v2, a stream cipher that consists of 96 rounds. We prove that 38 rounds are sufficient for security against differential cryptanalysis, and 61 rounds for security against linear cryptanalysis. We also illustrate our technique by calculating the number of active S-boxes for AES.