Generic Attacks on Feistel Ciphers With Internal Permutations Joana - - PowerPoint PPT Presentation

Generic Attacks on Feistel Ciphers With Internal Permutations

Joana Treger, Jacques Patarin

PRiSM, Universit´ e de Versailles

2008-11-27

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 1 / 39

Summary

1

Introduction

2

Generic attacks on the first 5 rounds

3

Generic attacks for any number of rounds General method Computation of the H-coefficients Example on 3 rounds Attacking Feistel permutation generators Example on 6 rounds

4

Table of results and conclusion

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 2 / 39

Feistel ciphers (1/3)

Definition

Let f be a function from {1, . . . , 2n} to {1, . . . , 2n}. A Feistel cipher with round function f is defined by :

L

f

R S T

Fig.: 1-round Feistel scheme

We call ψ(f ) or simply ψ such a construction. ψ([L, R]) = [R, L ⊕ f (R)] = [S, T]

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 3 / 39

Feistel ciphers (2/3)

ψ is a permutation of {1, . . . , 22n} : ψ−1([S, T]) = [T ⊕ f (S), S] = [L, R]

L R

f

S T T S R L

Fig.: ψ−1 = τ ◦ ψ ◦ τ

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 4 / 39

Feistel ciphers 3/3

Definition

Let f1, . . . , fk be k functions from {1, . . . , 2n} to {1, . . . , 2n}. A k-round Feistel cipher with round functions f1, . . . , fk is defined by the succesion of k rounds of a Feistel cipher with round function fi : ψk(f1, . . . , fk):= ψ(fk) ◦ . . . ◦ ψ(f1)

L R

f 1

R X

f

S T S X

k−2 k

L

−1 3 k

f

X T S

k

f

R

f

2

f

1

f k−2

X 1 X 2 Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 5 / 39

Luby-Rackoff revisited

Derived structures : Classical Feistel ciphers. Unbalanced Feistel ciphers with expanding internal functions. Unbalanced Feistel ciphers with contracting internal functions. Feistel ciphers with internal permutations.

Used in the design of Twofish, Camellia, DEAL. [Knudsen-02] : attack on 5 rounds, impossible differential [Piret-05] : security proofs for 3 and 4 rounds, ≥ O(2n/2) messages 3-round CPA − 2, 4-round CPCA − 2

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 6 / 39

Feistel ciphers with internal permutations

Different behaviour of these Feistel networks and the classical ones. Example (3 rounds) :

L X R

2

f

1

f

S

f

T

3

Attack on 3 round classical Feistel ciphers : Relations considered between two input/output couples : R1 ⊕ S1 = R2 ⊕ S2. Random permutation : probability 1/2n ; Feistel cipher : probability 2/2n

R1 ⊕ S1 = R2 ⊕ S2 ⇔ f2(X1) = f2(X2) f2(X1) = f2(X2) ⇔ X1 = X2 or (X1 = X2 and f2(X1) = f2(X2)).

Chosen plaintext attack : O(2n/2) messages.

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 7 / 39

Feistel ciphers with internal permutations

Different behaviour of these Feistel networks and the classical ones. Example (3 rounds) :

L X R

2

f

1

f

S

f

T

3

Attack on 3 round classical Feistel ciphers : Relations considered between two input/output couples : R1 ⊕ S1 = R2 ⊕ S2. Random permutation : probability 1/2n ; Feistel cipher : probability 2/2n

R1 ⊕ S1 = R2 ⊕ S2 ⇔ f2(X1) = f2(X2) f2(X1) = f2(X2) ⇔ X1 = X2 or (X1 = X2 and f2(X1) = f2(X2)).

Chosen plaintext attack : O(2n/2) messages. Known plaintext attack : O(2n/2) messages. Does not work on Feistel cipher with round permutations !

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 7 / 39

Generic attacks

Definition

A generic attack on a Feistel cipher with internal permutations, is an attack allowing to distinguish with high probability a Feistel cipher from a random permutation, when the round permutations are randomly chosen. We interest ourselves in generic attacks, necessiting < O(22n) messages (exhaustive search on the inputs). When the complexity is ≥ O(22n), we interest ourselves in attacks on Feistel permutation generators.

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 8 / 39

Two-point attacks

Definition

two-point attacks are attacks using correlations between blocks of pairs of distinct messages. Example : previous attack on 3 rounds, relations considered between 2 messages were R1 ⊕ S1 = R2 ⊕ S2. Best known attacks against classical Feistel ciphers (except on 3 rounds, CPCA-2). Efficient against Feistel ciphers with internal permutations : the complexities of the two-point attacks found (except on 3 rounds, CPCA − 2) coincide with the known bounds of security (3 and 4 rounds, [Piret-05]).

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 9 / 39

Notations

KPA : known plaintext attack CPA − 1 : non-adaptive chosen plaintext attack CPA − 2 : adaptive chosen plaintext attack CPCA − 1 : non-adaptive chosen plaintext and ciphertext attack CPCA − 2 : adaptive chosen plaintext and ciphertext attack Bn : permutation on n bits.

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 10 / 39

Generic attack by hand : 1 and 2 rounds

L

1

f

R=S T

Relation considered : R = S. Random permutation : probability 1/2n ; Feistel cipher : probability 1. KPA : 1 message.

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 11 / 39

Generic attack by hand : 1 and 2 rounds

L

1

f

R=S T

Relation considered : R = S. Random permutation : probability 1/2n ; Feistel cipher : probability 1. KPA : 1 message.

L S

f

T

3

R

1

f

Relations considered : R1 = R2, S1 ⊕ S2 = L1 ⊕ L2. CPA − 1. Random permutation : probability 1/2n ; Feistel cipher : probability 1. CPA − 1 : 2 messages. KPA : O(2n/2) messages.

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 11 / 39

Generic attacks by hand : 3 rounds

L X R

2

f

1

f

S

f

T

3

Relation considered : L1 = L2, R1 ⊕ R2 = S1 ⊕ S2. CPA − 1. Random permutation : probability 1/2n ; Feistel cipher : probability 0

R1 ⊕ R2 = S1 ⊕ S2 ⇒ X1 = X2 ⇒ R1 = R2.

CPA − 1 : O(2n/2) messages. KPA : O(2n) messages.

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 12 / 39

Generic attack by hand : 4 rounds

L R

1

f

X X S

f

T

f f

2 3 4 1 2

Relation considered : R1 = R2, L1 ⊕ L2 = S1 ⊕ S2. CPA − 1. Random permutation : probability 1/2n ; Feistel cipher : probability 0

R1 = R2 ⇒ X 1

1 ⊕ X 1 2 = L1 ⊕ L2.

L1 ⊕ L2 = S1 ⊕ S2 = X 1

1 ⊕ X 1 2 ⇒ X 2 1 = X 2 2 ⇒ L1 = L2.

CPA − 1 : O(2n/2) messages. KPA : O(2n) messages.

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 13 / 39

Generic attack by hand : 5 rounds [Knudsen-02]

R

1

f

X X

f f

2 3 1 2

L S X

3

f

T

f4

5

Relation considered : R1 = R2, S1 = S2, L1 ⊕ L2 = T1 ⊕ T2. CPA − 1. Random permutation : probability 1/22n ; Feistel cipher : probability 0.

S1 = S2 ⇒ X 3

1 ⊕ X 3 2 = T1 ⊕ T2.

R1 = R2 ⇒ X 1

1 ⊕ X 1 2 = L1 ⊕ L2.

T1 ⊕ T2 = L1 ⊕ L2 ⇒ X 2

1 = X 2 2 ⇒ X 1 1 = X 1 2 ⇒ L1 = L2.

CPA − 1 : O(2n) messages. KPA : O(23n/2) messages.

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 14 / 39

Special case : 3 rounds, CPCA − 2

L X R

2

f

1

f

S

f

T

3

Best attack is 3-point attack. The same attack as for classical Feistel ciphers [LR-88]. 3 messages : [L1, R1]/[S1, T1], [L2, R1]/[S2, T2] and [L3, R3]/[S1, T1 ⊕ L1 ⊕ L2]. Relation considered : R2 ⊕ R3 = S2 ⊕ S3. CPCA − 2. Feistel cipher : probability 1 ; Random permutation : probability 1/2n

R1 = R2 ⇒ X1 ⊕ X2 = L1 ⊕ L2. S1 = S3 ⇒ X1 ⊕ X3 = T1 ⊕ T3. T3 ⊕ T1 = L1 ⊕ L2 ⇒ X2 = X3. X2 = X3 ⇒ R2 ⊕ R3 = S2 ⊕ S3.

CPCA − 2 : 3 messages.

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 15 / 39

Remark, complexity ≪ 2n/2

Remark : Distinguishing a random permutation on n bits from a random function : O(2n/2) messages. ⇒ When an attack needs ≪ 2n/2 messages, it works on Feistel ciphers with internal permutations and functions.

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 16 / 39

Plan

1

Introduction

2

Generic attacks on the first 5 rounds

3

Generic attacks for any number of rounds General method Computation of the H-coefficients Example on 3 rounds Attacking Feistel permutation generators Example on 6 rounds

4

Table of results and conclusion

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 17 / 39

Towards a systematical analysis

We want the best generic two-point attack on a k-round Feistel cipher, for any k.

1 Enumerate all possible cases C (equalities/inequalities between the input

and output blocks of 2 distinct messages).

2 For each case, evaluate the probability (depending on k) to get one

specific output pair from a specific input pair, for both a random permutation and a Feistel permutation.

3 For each k and each type of attack (KPA, CPA,..), estimate the case

leading to the best attack.

4 Evaluate the number of messages needed to realize the attack. Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 18 / 39

1 : Enumerating all possible cases

Possible equalities between the blocks :                        L1 = L2, or not R1 = R2, or not S1 = S2, or not T1 = T2, or not L1 ⊕ L2 = S1 ⊕ S2, or not, when k is even R1 ⊕ R2 = T1 ⊕ T2, or not, when k is even L1 ⊕ L2 = T1 ⊕ T2, or not, when k is odd R1 ⊕ R2 = S1 ⊕ S2, or not, when k is odd For k even : 13 cases. For k odd : 11 cases.

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 19 / 39

2 : Computing the probabilities (1/2)

Given one input/output pair. Computing the probabilities P1 to get these two precise outputs from the inputs : In the case of a random permutation : easy. In the case of a Feistel cipher with internal permutations : based on the H-coefficient values.

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 20 / 39

2 : Computing the probabilities (1/2)

Given one input/output pair. Computing the probabilities P1 to get these two precise outputs from the inputs : In the case of a random permutation : easy. In the case of a Feistel cipher with internal permutations : based on the H-coefficient values.

Definition

[L1, R1] = [L2, R2] and [S1, T1] = [S2, T2] ∈ [1, 22n]. The H-coefficient computes the number of (f1, . . . , fk) ∈ Bk

n , such that

ψk(f1, . . . , fk)([Li, Ri]) = [Si, Ti], i = 1, 2. → The H value is the same for all pairs belonging to a same case C.

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 20 / 39

2 : Computing the probabilities (2/2)

Proposition

Suppose the H-coefficients computed. Then the previous probability P1 to get

• ne precise outpout from a given input pair is :

1 22n(22n−1) in the case of a random permutation. H |Bn|k in the case of a k-round Feistel cipher.

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 21 / 39

3 : Estimating the cases leading to the best attack

A case C with a largest difference between the previous probability P1 should lead to a better attack.

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 22 / 39

3 : Estimating the cases leading to the best attack

A case C with a largest difference between the previous probability P1 should lead to a better attack. But : to get an attack, the difference in the probabilities has to result in a difference in the number of couples verifying the specific constraints on their blocks.

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 22 / 39

3 : Estimating the cases leading to the best attack

A case C with a largest difference between the previous probability P1 should lead to a better attack. But : to get an attack, the difference in the probabilities has to result in a difference in the number of couples verifying the specific constraints on their blocks. Thus : find the cases which realize a compromise between : HUGE DIFFERENCE between the probabilities to obtain one specific pair

• f input/ouput couples

AND NUMBER OF RELATIONS

• n the blocks,

that cannot be imposed by the type of attack.

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 22 / 39

4 : Evaluating the number of messages needed to realize the attack (1/2)

Let C be one specific case. Let us consider m messages and the random variables : Xp counts the number of pairs of these messages verifying the equations

• f C on the inputs and outputs when they correspond to a random

permutation Xψk counts the same number for a k-round Feistel cipher with internal permutation. From the Chebytchev formula : P{|X − E(X)| ≥ α · σ(X)} ≤ 1 α2 , we distinguish with high probability ψk from a random permutation if |E(Xψk) − E(Xp)| > σ(Xψk) + σ(Xp). For each case C, those values can be obtained from P1.

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 23 / 39

4 : Evaluating the number of messages needed to realize the attack (2/2)

We consider a case C with ne equations between the input and output blocks that cannot be imposed by the type of attack considered. We can solve |E(Xψk) − E(Xp)| > σ(Xp) + σ(Xψk) and find M : M 2ne·n · |H · 24n |Bn|k − 1 1 − 1/22n | >

• M

2ne·n , where | H·24n

|Bn|k − 1 1−1/22n | is 24n times the differences of the P1’s.

We deduce the number m of messages needed to get these M pairs. We get an attack with complexity O(m). Remark : best attacks : ne minimal and | H·24n

|Bn|k − 1 1−1/22n | maximal.

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 24 / 39

Plan

1

Introduction

2

Generic attacks on the first 5 rounds

3

Generic attacks for any number of rounds General method Computation of the H-coefficients Example on 3 rounds Attacking Feistel permutation generators Example on 6 rounds

4

Table of results and conclusion

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 25 / 39

The reasoning

L L

−1 3 k

f

X T S

k

f

R

f

2

f

1

f k−2

X 1 X 2

−1 3 k

f

X T S

k

f

R

f

2

f

1

f k−2

X 1 X 2

1 1 1 1 1 1 1 2 2 2 2 2 2 2

Fig.: ψk(f1, . . . , fk)([Li, Ri]) = [Si, Ti], i = 1, 2

Fix a possible sequence s ∈ {=, =}k, such that X i

1 si X i 2.

For such a fixed sequence s, evaluate the number H(s) of possibilities for (f1, . . . , fk). Find all possible sequences s and sum up : H =

• possible s

H(s).

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 26 / 39

H-coefficients

L L

−1 3 k

f

X T S

k

f

R

f

2

f

1

f k−2

X 1 X 2

−1 3 k

f

X T S

k

f

R

f

2

f

1

f k−2

X 1 X 2

1 1 1 1 1 1 1 2 2 2 2 2 2 2

Fig.: ψk(f1, . . . , fk)([Li, Ri]) = [Si, Ti], i = 1, 2

The preceding steps can be done using combinatorial facts.

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 27 / 39

H-coefficients

L L

−1 3 k

f

X T S

k

f

R

f

2

f

1

f k−2

X 1 X 2

−1 3 k

f

X T S

k

f

R

f

2

f

1

f k−2

X 1 X 2

1 1 1 1 1 1 1 2 2 2 2 2 2 2

Fig.: ψk(f1, . . . , fk)([Li, Ri]) = [Si, Ti], i = 1, 2

The preceding steps can be done using combinatorial facts. Thus : We obtain general formulae for the H-coefficients We obtain all attacks using correlations between two messages.

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 27 / 39

Plan

1

Introduction

2

Generic attacks on the first 5 rounds

3

Generic attacks for any number of rounds General method Computation of the H-coefficients Example on 3 rounds Attacking Feistel permutation generators Example on 6 rounds

4

Table of results and conclusion

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 28 / 39

Example on 3 rounds, KPA. Table of values of H·24n

|Bn|3 − 1 1−1/22n

case : equalities : 1 0 eq.

H·24n |Bn|3 − 1 1−1/22n

1/22n case : equalities : 2 1 eq. 3 1 eq. 4 1 eq. 5 1 eq.

H·24n |Bn|3 − 1 1−1/22n

1/2n 1/2n 1/2n 1/2n case : equalities : 6 2 eq. 7 2 eq. 8 2 eq. 9 2 eq. 10 2 eq. 11 2 eq.

H·24n |Bn|3 − 1 1−1/22n

1/2n 1 1 1 1/2n 1/2n case : equalities : 12 3 eq. 13 3 eq.

H·24n |Bn|3 − 1 1−1/22n

1 1

Fig.: Order of the leading term of H·24n

|Bn|3 − 1 1−1/22n in different cases

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 29 / 39

Example on 3 rounds, KPA

In case 1 : E(Xp) ≃ M (M : number of pairs of messages) O(H·24n

|Bn|3 − 1 1−1/22n ) = 1/22n ⇒ |E(Xp) − E(Xψ3)| ≃ M 22n M 22n >

√ M ⇔ M > 24n

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 30 / 39

Example on 3 rounds, KPA

In case 1 : E(Xp) ≃ M (M : number of pairs of messages) O(H·24n

|Bn|3 − 1 1−1/22n ) = 1/22n ⇒ |E(Xp) − E(Xψ3)| ≃ M 22n M 22n >

√ M ⇔ M > 24n In cases 2 to 5 : E(Xp) ≃ M

2n (M : number of pairs of messages)

O(H·24n

|Bn|3 − 1 1−1/22n ) = 1/2n ⇒ |E(Xp) − E(Xψ3)| ≃ M 22n M 22n > √ M √ 2n ⇔ M > 23n

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 30 / 39

Example on 3 rounds, KPA

In case 1 : E(Xp) ≃ M (M : number of pairs of messages) O(H·24n

|Bn|3 − 1 1−1/22n ) = 1/22n ⇒ |E(Xp) − E(Xψ3)| ≃ M 22n M 22n >

√ M ⇔ M > 24n In cases 2 to 5 : E(Xp) ≃ M

2n (M : number of pairs of messages)

O(H·24n

|Bn|3 − 1 1−1/22n ) = 1/2n ⇒ |E(Xp) − E(Xψ3)| ≃ M 22n M 22n > √ M √ 2n ⇔ M > 23n

In cases 7, 8 and 9 : E(Xp) ≃ M

22n (M : number of pairs of messages)

O(H·24n

|Bn|3 − 1 1−1/22n ) = 1 ⇒ |E(Xp) − E(Xψ3)| ≃ M 22n M 22n > √ M 2n ⇔ M > 22n

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 30 / 39

Example on 3 rounds, KPA

In case 1 : E(Xp) ≃ M (M : number of pairs of messages) O(H·24n

|Bn|3 − 1 1−1/22n ) = 1/22n ⇒ |E(Xp) − E(Xψ3)| ≃ M 22n M 22n >

√ M ⇔ M > 24n In cases 2 to 5 : E(Xp) ≃ M

2n (M : number of pairs of messages)

O(H·24n

|Bn|3 − 1 1−1/22n ) = 1/2n ⇒ |E(Xp) − E(Xψ3)| ≃ M 22n M 22n > √ M √ 2n ⇔ M > 23n

In cases 7, 8 and 9 : E(Xp) ≃ M

22n (M : number of pairs of messages)

O(H·24n

|Bn|3 − 1 1−1/22n ) = 1 ⇒ |E(Xp) − E(Xψ3)| ≃ M 22n M 22n > √ M 2n ⇔ M > 22n

Cases 7, 8 and 9 are the cases leading to the best attack. O(2n) messages are needed to get O(22n) pairs. Complexity of the attack : O(2n).

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 30 / 39

Example on 3 rounds, comments

L X R

2

f

1

f

S

f

T

3

Not just one best attack. Here, 3 cases lead to the best attack : case 7 : S1 = S2 and L1 ⊕ L2 = T1 ⊕ T2, case 8 : R1 = R2 and S1 = S2, case 9 : L1 = L2 and R1 ⊕ R2 = S1 ⊕ S2 (the one exposed in the first part).

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 31 / 39

Example on 3 rounds, comments

L X R

2

f

1

f

S

f

T

3

Not just one best attack. Here, 3 cases lead to the best attack : case 7 : S1 = S2 and L1 ⊕ L2 = T1 ⊕ T2, case 8 : R1 = R2 and S1 = S2, case 9 : L1 = L2 and R1 ⊕ R2 = S1 ⊕ S2 (the one exposed in the first part). We could have deduced from the table that no KPA on 3 rounds comparable to the one on classical Feistel ciphers was possible : there, for the case R1 ⊕ R2 = S1 ⊕ S2, the difference | H·24n

|Bn|3 − 1 1−1/22n | is

• f about 1 for just 1 condition on the inputs and outputs.

here, there is no comparable case ⇒ no comparable KPA.

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 31 / 39

Plan

1

Introduction

2

Generic attacks on the first 5 rounds

3

Generic attacks for any number of rounds General method Computation of the H-coefficients Example on 3 rounds Attacking Feistel permutation generators Example on 6 rounds

4

Table of results and conclusion

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 32 / 39

Attacks on Feistel permutation generators

When m > 22n, we decide to attack a permutation generator. (λ number of permutations needed) Here, the preceding values : are multiplied by λ for E(Xp), E(Xψk), are multiplied by

• (λ) for σ(Xp), σ(Xψk) by

√ λ. We can solve M · λ 2ne.n · |H · 24n |Bn|k − 1 1 − 1/22n | >

• M · λ

2ne.n , with M maximal per permutation (⇒ m = 22n), and find λ. ⇒ We get an attack with complexity O(m · λ) =O(22n · λ). Remark : best attacks : ne minimal, | H·24n

|Bn|k − 1 1−1/22n | maximal and M maximal.

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 33 / 39

Plan

1

Introduction

2

Generic attacks on the first 5 rounds

3

Generic attacks for any number of rounds General method Computation of the H-coefficients Example on 3 rounds Attacking Feistel permutation generators Example on 6 rounds

4

Table of results and conclusion

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 34 / 39

Example on 6 rounds, CPA. Table of values of H·24n

|Bn|6 − 1 1−1/22n

case : equalities : maximal M : 1 0 eq.

24n

2 0 eq.

23n

3 0 eq. 23n

H·24n |Bn|6 − 1 1−1/22n

1/23n 1/23n 1/23n case : equalities : maximal M : 4 1 eq.

24n

5 1 eq.

23n

6 1 eq.

23n

7 1 eq.

23n

8 1 eq.

23n H·24n |Bn|6 − 1 1−1/22n

1/22n 1/23n 1/22n 1/22n 1/22n case : equalities : maximal M : 9 2 eq.

24n

10 2 eq.

24n

11 2 eq.

23n H·24n |Bn|6 − 1 1−1/22n

1/23n 1/22n 1/2n

Fig.: Order of the leading term of H·24n

|Bn|6 − 1 1−1/22n in different cases

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 35 / 39

Example on 6 rounds, CPA

In case 1 : E(Xp) ≃ λ · 24n O(H·24n

|Bn|6 − 1 1−1/22n ) = 1/23n ⇒ |E(Xp) − E(Xψ6)| ≃ λ · 2n

λ · 2n > √ λ · 22n ⇔ λ > 22n

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 36 / 39

Example on 6 rounds, CPA

In case 1 : E(Xp) ≃ λ · 24n O(H·24n

|Bn|6 − 1 1−1/22n ) = 1/23n ⇒ |E(Xp) − E(Xψ6)| ≃ λ · 2n

λ · 2n > √ λ · 22n ⇔ λ > 22n In case 4 : E(Xp) ≃ λ·24n

2n

O(H·24n

|Bn|6 − 1 1−1/22n ) = 1/22n ⇒ |E(Xp) − E(Xψ3)| ≃ λ · 2n

λ · 2n > √ λ · 23n ⇔ λ > 2n

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 36 / 39

Example on 6 rounds, CPA

In case 1 : E(Xp) ≃ λ · 24n O(H·24n

|Bn|6 − 1 1−1/22n ) = 1/23n ⇒ |E(Xp) − E(Xψ6)| ≃ λ · 2n

λ · 2n > √ λ · 22n ⇔ λ > 22n In case 4 : E(Xp) ≃ λ·24n

2n

O(H·24n

|Bn|6 − 1 1−1/22n ) = 1/22n ⇒ |E(Xp) − E(Xψ3)| ≃ λ · 2n

λ · 2n > √ λ · 23n ⇔ λ > 2n In case 11 : E(Xp) ≃ λ·23n

22n

O(H·24n

|Bn|6 − 1 1−1/22n ) = 1/2n ⇒ |E(Xp) − E(Xψ6)| ≃ λ

λ > √ λ · 2n ⇔ λ > 2n

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 36 / 39

Example on 6 rounds, CPA

In case 1 : E(Xp) ≃ λ · 24n O(H·24n

|Bn|6 − 1 1−1/22n ) = 1/23n ⇒ |E(Xp) − E(Xψ6)| ≃ λ · 2n

λ · 2n > √ λ · 22n ⇔ λ > 22n In case 4 : E(Xp) ≃ λ·24n

2n

O(H·24n

|Bn|6 − 1 1−1/22n ) = 1/22n ⇒ |E(Xp) − E(Xψ3)| ≃ λ · 2n

λ · 2n > √ λ · 23n ⇔ λ > 2n In case 11 : E(Xp) ≃ λ·23n

22n

O(H·24n

|Bn|6 − 1 1−1/22n ) = 1/2n ⇒ |E(Xp) − E(Xψ6)| ≃ λ

λ > √ λ · 2n ⇔ λ > 2n Cases 4 and 11 are the cases leading to the best attacks. O(2n) permutations and O(22n) messages per permutation are needed. Complexity of the attacks : O(23n).

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 36 / 39

Table of results

number k

• f rounds

KPA CPA-1 CPA-2 CPCA-1 CPCA-2 1 1 1 1 1 1 2 2n/2 2 2 2 2 3 2n(+) 2n/2 2n/2 2n/2 3 4 2n 2n/2 2n/2 2n/2 2n/2 5 23n/2 2n 2n 2n 2n 6 23n(+) 23n(+) 23n(+) 23n(+) 23n(+) 7 23n 23n 23n 23n 23n 8 24n 24n 24n 24n 24n 9 26n(+) 26n(+) 26n(+) 26n(+) 26n(+) 10 26n 26n 26n 26n 26n 11 27n 27n 27n 27n 27n 12 29n(+) 29n(+) 29n(+) 29n(+) 29n(+) k≥6, k=0 mod 3 2(k−3)n 2(k−3)n 2(k−3)n 2(k−3)n 2(k−3)n k≥6, k=1 or 2 mod 3 2(k−4)n 2(k−4)n 2(k−4)n 2(k−4)n 2(k−4)n

Fig.: Maximum number of messages needed to get an attack on a k-round Feistel network with internal permutations.

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 37 / 39

Table of results for classical Feistel ciphers [Patarin-01]

number k

• f rounds

KPA CPA-1 CPA-2 CPCA-1 CPCA-2 1 1 1 1 1 1 2 2n/2 2 2 2 2 3 2n/2 2n/2 2n/2 2n/2 3 4 2n 2n/2 2n/2 2n/2 2n/2 5 23n/2 2n 2n 2n 2n 6 22n 22n 22n 22n 22n 7 23n 23n 23n 23n 23n 8 24n 24n 24n 24n 24n 9 25n 25n 25n 25n 25n 10 26n 26n 26n 26n 26n 11 27n 27n 27n 27n 27n 12 28n 28n 28n 28n 28n k≥6 2(k−4)n 2(k−4)n 2(k−4)n 2(k−4)n 2(k−4)n

Fig.: Maximum number of messages needed to get an attack on a k-round Feistel network with internal functions.

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 38 / 39

Conclusion

We gave the best generic two-point attacks on Feistel ciphers with internal permutations. These are the best known generic attacks on such ciphers. The complexities reach the known bounds on security (3 and 4 rounds, [Piret-05]). However, other attacks may be possible, we did not concentrate on proofs

• f security.

Complexities found often close to the complexity of the attacks on classical Feistel chiphers. This could not be predicted.

Joana Treger, Jacques Patarin (PRiSM, Universit´ e de Versailles) Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 39 / 39