Research Article  Open Access
Multiset Structural Attack on Generalized Feistel Networks
Abstract
In this paper, we present new generic multiset attacks against generalized Feistel networks, by which we can recover all the unknown round functions completely instead of merely deciding whether an unknown encryption oracle is such a network or a random permutation. With a one-round multiset distinguisher, we can recover the outermost round functions of a round block cipher. Next we propose the dummy-round technique, which allows us to make a full-round decomposition once the outermost round is recovered. Moreover, the dummy-round technique barely increases the complexity of our attack. Using this generic method, we propose attacks on 7-round RC6-like and 7-round CLEFIA-like structures. Our attacks can recover all the secret round functions, requiring only time complexity and chosen plaintexts, where indicates the block size of the cipher. For 64-bit ciphers of these two structures, our results lead to a practical attack.
1. Introduction
The architecture is a fundamental part of a block cipher. It plays an important role in both the security and the implementation performance of the cipher. Two of the most frequently used architectural structures nowadays are the Substitution-Permutation Networks and the generalized Feistel Networks; the latter contain the standard Feistel Network and its variants. Typical examples of the variant Feistel Networks include CLEFIA [1], RC6 [2], and CAST-256 [3].
Among all the attacks against block ciphers, structural attack is an interesting branch which studies the security of the architectures themselves. In this cryptanalysis, all of the internal functions are unknown or key-dependent. The only information available to the attacker is the type of the general structure of the block cipher and the size parameters of its components. The aim of the attack is to recover all the internal functions. Since it cannot exploit particular weaknesses (such as bad differential properties or weak avalanche effects) of concrete functions, a structural recovery attack is often weaker than traditional differential or linear attacks on a given cryptosystem. The advantage of these attacks is that they are applicable to large classes of cryptosystems, which is very useful in establishing general design rules for strong cryptosystems and in dealing with algorithms whose design criteria are unknown.
Related Works. The structural attack is far from new. In 2001, Biryukov and Shamir [4] investigated the recovery problem of iterated SPN ciphers in which the substitutions and permutations are all secret and key-dependent. At ASIACRYPT 2014, Biryukov et al. proposed a recovery attack on the ASASA scheme, which had been designed with the claim that it resists traditional attacks [5]. Soon this result was improved by Dinur et al. in [6], where a more efficient recovery algorithm was proposed. In [7], Tiessen et al. proposed a structural attack on a variant of AES in which the S-boxes are kept unknown. Their attack was in fact an improved integral attack and could recover all the secret information for up to 6 rounds.
The structural attack against generalized Feistel Networks was first studied in [8]: that work showed that if the Feistel functions are completely unknown, the yoyo game can attack up to 5 rounds. The use of small Feistel Networks for lightweight S-box design was investigated in [9], and an efficient decomposition of the secret S-box of the recent Russian standards was discovered in [10] using reverse-engineering.
Our Contribution. This paper concentrates on recovery attacks against generalized Feistel ciphers with bijective round functions. The main results of this paper are as follows:
(1) We propose a new and special integral distinguisher for structural attack. If an round distinguisher is detected, we can always launch an efficient round structural attack on the outermost round functions.
(2) We put forward the dummy-round technique. This technique shows that if the outermost round function of an round iterative cipher can be decomposed with (data/time) complexity , then all the internal round functions can be decomposed with (data/time) complexity at most ; more precisely, given an algorithm which recovers the round functions of the last round of an round cipher, we add a dummy round at the beginning so that the number of rounds remains the same; consequently we can use the same algorithm to recover the round functions of the second-to-last round, and so on.
(3) Therefore, for an round iterative cipher, we can use our integral distinguisher to make a full-round decomposition without significantly increasing the complexity. Applying our results, we propose recovery attacks on 7-round CLEFIA-like and 7-round RC6-like ciphers. To the best of our knowledge, these are the first and best structural attack results against these structures.
Organization. The rest of this paper is organized as follows. Section 2 introduces several basic definitions that will be used throughout this paper. Section 3 elaborates the generic multiset attack against generalized Feistel ciphers. Section 4 applies our attack to the 7-round CLEFIA-like and RC6-like ciphers, respectively. Section 5 concludes the paper.
2. Preliminaries
2.1. Generalized Feistel Ciphers
First, we will clarify what generalized Feistel cipher means in this paper.
Let be an even integer; a single round (denoted by ) of a cell generalized Feistel cipher is defined as
in which is a keyed function called a round function and is a cellwise permutation.
The encryption of a generalized Feistel cipher is defined as
where the first input is the plaintext and the round output is the ciphertext.
2.2. Multiset Properties on Generalized Feistel Ciphers
Multiset attack [4] is a generic class of attacks which has appeared in the literature under three different names: the square attack [11, 12], the saturation attack [13, 14], and integral cryptanalysis [15]; it can also be treated as a special variant of the higher-order differential attack [16], the cube attack [17], and the division property [18]. This attack generally uses a set of chosen plaintexts that contains all possible values for some bits and a constant value for the other bits. The corresponding ciphertexts are obtained from the plaintexts in the set by using an encryption oracle. If the ciphertexts XOR to zero in certain bits, we say that this cipher has the multiset distinguisher.
In [4], Biryukov and Shamir defined multiset, which can be represented as a list of (value, multiplicity) pairs, and the size of the multiset is the sum of all its multiplicities.
Example 1. The multiset can be represented as ; the size of is 9.
We define five multiset properties as follows:
Multiset Properties
(All): Every possible value appears exactly once in the multiset.
(Balance): The XOR of all values in the multiset is 0.
(Even): Each value occurs an even number of times in the multiset.
(Constant): The value is fixed to a constant for all texts in the multiset.
(Unknown): The output multiset is unknown.
Note that the definitions of , , are the same as in [4], and the property is equal to the property as defined in [4].
Generalized Feistel ciphers make use of three basic operations: the XOR operation, the branching operation, and the secret round functions . The multiset properties over these operations make up the multiset property of the cipher and obey the main rules given in Table 1. For these rules to hold, it is crucial that the round functions of the generalized Feistel cipher are invertible (bijective).

In this paper, we will use a multiset distinguisher of the form , where , the input state contains at least one cell equal to , and the output cells in state are not all equal to .
3. Generic Multiset Attack against Generalized Feistel Ciphers
By applying Table 1, one can build the multiset propagation system for any fixed generalized Feistel cipher. In this attack, we are only interested in multiset distinguishers with at least one cell of the output state satisfying property but neither nor , which we denote as .
Example 2. The multiset satisfies property.
Since the main idea of recovering the round functions is to collect enough equations involving the round functions and solve them, the property is introduced to exclude the trivial-equation case (as we will see later).
3.1. Recover the Outermost Round Function
For an round generalized Feistel cipher, we start by decomposing the outermost round.
The recovered last round is given as a lookup table. More precisely, we identify the secret function by fixing all the entries of the last round function. To achieve this, we build linear equations in these entries with the help of the multiset property and then apply Gaussian elimination to obtain all the entries.
Our attack uses a set of chosen plaintexts that contain all possible values at cells in positions and constant value ( cells) for the rest (denoted as ). After round encryption, if some cell of the output state satisfies property, we can recover the th round function as follows.
First, we denote by the set of ciphertexts obtained by encrypting the plaintexts in the set . Then, we consider the part of the last round which corresponds to the cell of the state after round encryption, where we know that the multiset of all values has property , and denote by the inverse of that part of the last-round . Finally, we obtain an equation which involves only the final round, namely
Then we assume that the multiset of the values has property . By the definition of the property, the left part of the equation above does not fall into the case in which each value occurs an even number of times, and the equation is therefore nontrivial (see Figure 1).
Remark. We need to mention that, for block ciphers of 16-bit/32-bit size, we have checked the multiset property by simple experiments. The results indicate that randomly chosen round functions have a good chance of yielding properties for both the CLEFIA-like and the RC6-like structures.
Next, we change the constant to obtain new sets and thereby more linear equations with random-looking subsets of variables. When sufficiently many linear equations have been collected, we solve the system by Gaussian elimination to recover ; solving each system requires steps with Strassen's algorithm.
In the process of collecting linear equations, most generalized Feistel ciphers exhibit a rank deficiency problem, which means we can never obtain a system of equations with full rank . Similar problems appear in the decompositions of SPNs [4–6] and of the standard Feistel cipher [8]. This is due to the fact that, for any of these ciphers, several equivalent ciphers exist: whichever of the equivalents is picked, the encryption mapping remains the same. Therefore, decompositions of such cipher structures are not unique. We will show this in our practical decompositions later.
3.2. Dummy-Round Technique for the Inner Round Functions
After finding the outermost round function, we can simply repeat our attack in the reverse direction using chosen ciphertexts and recover the first round; we are then left with the remaining inner round functions. If an attack with much lower complexity exists for them, the complexity of recovering all rounds is dominated by that of recovering the outer round. However, in some of the available literature, new ways still have to be found to recover the inner round functions [4–6, 8], mainly because the technique used to attack the outer round cannot be applied to the inner rounds.
A straightforward way is to transform the inner round recovery problems into outer round decompositions. We next provide a general technique for this, called the dummy-round technique.
Dummy-Round Technique. Let be the th round of the generalized Feistel cipher; then an round generalized Feistel cipher can be represented by . Using the multiset distinguisher and a linear-equation system solver, we are able to recover the last round . In order to recover the rest of the round functions, we transform the problem into the known round case. We randomly choose round functions and construct a new round (called the dummy-round), i.e.,
and then we get a new cipher .
Let ; then we get
since both and are known to us, and are available. Then the equation above can be rewritten as
which is exactly the same as the original structure. So for the original structure, if we are able to recover the outermost round , we can use exactly the same method to find by introducing the dummy-round (see Figure 2).
Therefore, the complexity of recovering each round is dominated by the complexity of recovering the final round. The dummy-round technique allows the final-round attack to be reused for all rounds. When several rounds are attacked, it is very likely that an attack with much lower complexity exists for the inner rounds; in general, the total attack complexity is at most multiplied by the number of rounds.
4. Recovery on CLEFIA-Like and RC6-Like Structures
In this section, we describe two existing generalized Feistel structures, named the CLEFIA-like and RC6-like structures. Single rounds of these two structures are listed as follows (see Figure 3).
The th round of the CLEFIA-like structure:
The th round of the RC6-like structure:
4.1. Multiset Distinguishers of the CLEFIA-Like and RC6-Like Structures
Choosing a fixed plaintext , we construct the following set of plaintexts, which will help to find multiset distinguishers for the CLEFIA/RC6-like structures.
The traces of these integrals through the CLEFIA/RC6-like structures are depicted in Figure 4. Thus we obtain a multiset distinguisher for the CLEFIA/RC6-like structures. Consequently, we collect one equation
Similarly, we can also show that is valid for both of these two structures, which gives
Next we can change the value of in the chosen-plaintext set and generate sufficiently many linear equations. When enough linear equations have been obtained, we solve the linear system by Gaussian elimination to recover and .
4.2. Equivalent Structure and Rank Deficiency
In the equation-collection phase for the CLEFIA/RC6-like structures, we cannot obtain a system of equations with full rank . This rank deficiency is caused by the existence of equivalent structures, more precisely, by the fact that a given structure instance is not uniquely determined by its round functions.
Proposition 3. Let be a decomposition solution of the 3-round CLEFIA-like (RC6-like, resp.) mapping; then for any constants , let
then (, resp.) is also a decomposition solution of the CLEFIA-like (RC6-like, resp.) mapping.
Proof. By computing the encryption details of each cell in Figure 5, we can verify the correctness of this proposition directly.
Proposition 3 provides 3-round equivalents for each structure. Combining 3-round equivalents, we obtain round () equivalent structures for these two ciphers: if and are replaced by and , respectively, then the whole structure remains correct after adding constants in rounds and .
A natural question is whether, apart from this type of equivalents, any other equivalent structure exists; if so, we would face the rank deficiency problem again. Since proving the nonexistence of equivalents is quite difficult, we tested this issue in an actual implementation of the attack for . Fortunately, we always obtained a linear system of rank 15 in 16 variables, which indicates that the constant-addition type is the unique equivalent structure of these two ciphers. Since an arbitrarily chosen can be added to the output of the “real” , the various solutions are simply equivalent keys which represent the same plaintext/ciphertext mapping.
4.3. Recover the Round Functions
Recover the Outermost Round and . For the original structure, the outermost round consists of and . In order to obtain equations for and , respectively, we use chosen plaintexts of the form , in which are constants. For each fixed , we get a single equation in by varying through all possible values. Similarly, we get an additional equation in by fixing and varying through all possible values.
Solving each system of linear equations by Gaussian elimination requires steps, and thus we need steps to recover and .
Recover . Since we have found a way to recover the outermost round, i.e., and , of these two 7-round structures, for the inner rounds we can use the dummy-round technique introduced in the last section to recover the remaining round functions of the CLEFIA/RC6-like structures.
According to the basic principle of the dummy-round technique, we peel off the last round and add a dummy-round before the first round, and then we apply the “outermost-round recovery algorithm” to recover and ; we repeat this process until all the internal round functions from rounds 6 to 3 are recovered.
It should be noted that the shortest equivalent structures of the two target structures both have 3 rounds. When decomposing these structures from rounds 6 to 3, we can therefore still ignore the influence of the rank deficiency for . Thus the total complexity of this procedure is obtained by multiplying the number of rounds by the complexity of the outermost-round decomposition, i.e., chosen plaintexts and steps.
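The outermost-round recovery of Sections 3.1 and 4.3, the rank-15-of-16 deficiency of Section 4.2 and the dummy-round step above, worked through on a toy 4-cell CLEFIA-like structure with 4-bit cells. This is an added example written for this page, not the authors' code; it assumes a 6-round instance whose round is (x0,x1,x2,x3) -> (x1^F(x0), x2, x3^G(x2), x0) with random bijective round functions, uses the 5-round traces (A,C,C,C) -> (U,U,U,B) and (C,C,A,C) -> (U,B,U,U) obtained from the Table 1 rules, and checks every recovered table only up to the XOR constants on its input and output that Proposition 3 allows.

```python
import functools, random

M = 16   # 4-bit cells: every round-function lookup table has 16 entries

def random_bijection(rng):          # a secret bijective round function as a table
    return rng.sample(range(M), M)

def gfn_round(s, F, G):
    """One CLEFIA-like round: (x0,x1,x2,x3) -> (x1^F(x0), x2, x3^G(x2), x0)."""
    return (s[1] ^ F[s[0]], s[2], s[3] ^ G[s[2]], s[0])

def inverse_round(c, F, G):         # undo gfn_round with (equivalent) tables F, G
    return (c[3], c[0] ^ F[c[3]], c[1], c[2] ^ G[c[1]])

def gf2_solve(rows):
    """GF(2) elimination on (bitmask over the M unknowns, rhs) rows -> (rank, solution)."""
    piv = {}                                   # pivot column -> reduced row
    for mask, rhs in rows:
        for c, (pm, pr) in piv.items():        # reduce by the current basis
            if mask >> c & 1:
                mask, rhs = mask ^ pm, rhs ^ pr
        if mask:                               # independent: becomes a pivot row
            col = mask.bit_length() - 1
            for c, (pm, pr) in piv.items():    # keep the basis fully reduced
                if pm >> col & 1:
                    piv[c] = (pm ^ mask, pr ^ rhs)
            piv[col] = (mask, rhs)
    sol = {c: pr for c, (_, pr) in piv.items()}   # free variables are set to 0
    return len(piv), [sol.get(c, 0) for c in range(M)]

def collect_equations(oracle, active, coef_cell, rhs_cell, rng, count):
    """Run the `active` plaintext cell through all M values under fresh random
    constants; a balanced cell entering the last round then gives the GF(2)-linear
    equation XOR_set T[c_coef] = XOR_set c_rhs in the unknown entries of T."""
    rows = []
    for _ in range(count):
        base = [rng.randrange(M) for _ in range(4)]
        mask = rhs = 0
        for v in range(M):
            base[active] = v
            ct = oracle(tuple(base))
            mask ^= 1 << ct[coef_cell]         # parity of each table index's count
            rhs ^= ct[rhs_cell]
        rows.append((mask, rhs))               # 16 texts -> mask has even weight
    return rows

def recover_last_round(oracle, rng, sets=48):
    """Multiset traces (A=all, C=const, B=balanced, U=unknown) over 5 rounds:
       (A,C,C,C) -> (U,U,U,B): s3 = c2 ^ G(c1) balanced -> equations on G
       (C,C,A,C) -> (U,B,U,U): s1 = c0 ^ F(c3) balanced -> equations on F"""
    rank_f, F = gf2_solve(collect_equations(oracle, 2, 3, 0, rng, sets))
    rank_g, G = gf2_solve(collect_equations(oracle, 0, 1, 2, rng, sets))
    return rank_f, F, rank_g, G

def equivalent(found, true):
    """found(x ^ a) ^ b == true(x) for constants a, b: the equivalent keys of Prop. 3."""
    return any(len({found[x ^ a] ^ true[x] for x in range(M)}) == 1 for a in range(M))

def run_demo(seed=2019, rounds=6):
    """Recover round 6; then peel it off, prepend a dummy round and rerun the attack."""
    rng, out = random.Random(seed), []
    key = [(random_bijection(rng), random_bijection(rng)) for _ in range(rounds)]
    oracle = lambda pt: functools.reduce(lambda s, k: gfn_round(s, *k), key, pt)
    for r in (rounds - 1, rounds - 2):         # returns (rank_F, rank_G, F ok, G ok) per round
        rf, F, rg, G = recover_last_round(oracle, rng)
        out += [rf, rg, equivalent(F, key[r][0]), equivalent(G, key[r][1])]
        Fd, Gd = random_bijection(rng), random_bijection(rng)           # dummy round
        oracle = (lambda pt, E=oracle, F=F, G=G, Fd=Fd, Gd=Gd:
                  inverse_round(E(gfn_round(pt, Fd, Gd)), F, G))
    return tuple(out)
```

Each 16-text set costs one equation of even coefficient weight, so the all-ones vector is always in the null space and the rank stops at 15; the peeled oracle carries the unknown output constants of round 6 into the inputs of round 5, which is why `equivalent` also allows an input constant.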
Recover . For the remaining last two rounds, we are able to obtain , and by plaintext-ciphertext comparison.
For the 2-round CLEFIA structure, the encryption satisfies the following system of equations (see Figure 6).
For the 2-round RC6 structure, a similar system of equations can be obtained.
We need about calls of the codebook to recover these 4 round functions.
If we use to denote the block size of the structure, i.e., , then the total time complexity is about and the data complexity is about . Our result leads to a practical decomposition for the case .
5. Summary
Structural attack is now a generic attack against secret-component-based block ciphers. In this paper we propose an efficient decomposition algorithm for the generalized Feistel structure with bijective round functions. We use the integral property to find the outermost round and introduce the dummy-round technique to find the rest. This technique allows the final-round attack to be used on all the remaining rounds and does not depend on how the final round is recovered. Our attack provides a practical threat for 7-round CLEFIA-like and 7-round RC6-like ciphers with block length up to 64 bits. We believe that new progress on integral attacks, such as the division property [18] and the cube attack [17], will lead to more efficient decompositions. Future work will concentrate on discovering more efficient decomposition algorithms.
Data Availability
The data used to support the findings of this study are included within the article.
Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.
Acknowledgments
This work was supported by the National Natural Science Foundation of China (Grant Nos. 61772547, 61402523, and 61272488).
References
[1] T. Shirai, K. Shibutani, T. Akishita, S. Moriai, and T. Iwata, “The 128-bit blockcipher CLEFIA,” in Fast Software Encryption 2007, vol. 4593 of LNCS, pp. 181–195, Springer, Berlin, Germany, 2007.
[2] L. R. Ronald and M. J. B. Robshaw, “The RC6 block cipher,” in Proceedings of the First Advanced Encryption Standard (AES) Conference, 1998.
[3] C. Adams and J. Gilchrist, “The CAST-256 encryption algorithm,” Tech. Rep. RFC 2612, 1999.
[4] A. Biryukov and A. Shamir, “Structural cryptanalysis of SASAS,” in Advances in Cryptology – EUROCRYPT 2001, vol. 2045 of LNCS, pp. 395–405, Springer, Berlin, Germany, 2001.
[5] A. Biryukov, C. Bouillaguet, and D. Khovratovich, “Cryptographic schemes based on the ASASA structure: Black-box, white-box, and public-key,” in Advances in Cryptology – ASIACRYPT 2014, vol. 8873 of LNCS, pp. 63–84, Springer, Berlin, Germany, 2015.
[6] I. Dinur, O. Dunkelman, and K. Thorsten, “Decomposing the ASASA block cipher construction,” IACR Cryptology ePrint Archive, vol. 2015, p. 507, 2015.
[7] T. Tiessen, L. R. Knudsen, S. Kölbl, and M. M. Lauridsen, “Security of the AES with a secret S-box,” in Fast Software Encryption 2015, vol. 9054 of LNCS, pp. 175–189, Springer, Berlin, Germany, 2015.
[8] A. Biryukov, G. Leurent, and L. Perrin, “Cryptanalysis of Feistel networks with secret round functions,” in Selected Areas in Cryptography – SAC 2015, vol. 9566 of LNCS, pp. 102–121, Springer, Cham, Switzerland, 2015.
[9] Y. Li and M. Wang, “Constructing S-boxes for lightweight cryptography with Feistel structure,” in Cryptographic Hardware and Embedded Systems – CHES 2014, vol. 8731 of LNCS, pp. 127–146, Springer, Berlin, Germany, 2014.
[10] A. Biryukov, L. Perrin, and A. Udovenko, “Reverse-engineering the S-box of Streebog, Kuznyechik and STRIBOBr1,” in Advances in Cryptology – EUROCRYPT 2016, vol. 9665 of LNCS, pp. 372–402, Springer, Berlin, Germany, 2016.
[11] E. Biham, “Cryptanalysis of Patarin's 2-round public key system with S boxes (2R),” in Advances in Cryptology – EUROCRYPT 2000, vol. 1807 of LNCS, pp. 408–416, Springer, Berlin, Germany, 2000.
[12] A. Biryukov and A. Shamir, “Structural cryptanalysis of SASAS,” Journal of Cryptology, vol. 23, no. 4, pp. 505–518, 2010.
[13] J. Borghoff, L. R. Knudsen, G. Leander et al., “Slender-set differential cryptanalysis,” Journal of Cryptology, vol. 26, no. 1, pp. 11–38, 2013.
[14] G. Liu, C. Jin, and C. Qi, “Improved slender-set linear cryptanalysis,” in Fast Software Encryption 2014, vol. 8540 of LNCS, pp. 431–450, Springer, Berlin, Germany, 2015.
[15] B. Minaud, P. Derbez, P.-A. Fouque, and P. Karpman, “Key-recovery attacks on ASASA,” in Advances in Cryptology – ASIACRYPT 2015, vol. 9453 of LNCS, pp. 3–27, Springer, Berlin, Germany, 2015.
[16] L. Xuejia, “Higher order derivatives and differential cryptanalysis,” in Communications and Cryptography, vol. 276, pp. 227–233, Springer, Boston, Mass, USA, 1994.
[17] I. Dinur and A. Shamir, “Cube attacks on tweakable black box polynomials,” in Advances in Cryptology – EUROCRYPT 2009, vol. 5479 of LNCS, pp. 278–299, Springer, Berlin, Germany, 2009.
[18] Y. Todo, “Structural evaluation by generalized integral property,” in Advances in Cryptology – EUROCRYPT 2015, vol. 9056 of LNCS, pp. 287–314, Springer, Berlin, Germany, 2015.
Copyright
Copyright © 2019 Ruya Fan et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.