Skip to main content
SpringerLink
Log in
Book cover

International Conference on Cryptology in India

INDOCRYPT 2019: Progress in Cryptology – INDOCRYPT 2019 pp 433–455Cite as

Quantum Attacks Against Type-1 Generalized Feistel Ciphers and Applications to CAST-256

  • Conference paper
  • First Online:

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11898))

Abstract

Generalized Feistel Schemes (GFSs) are important components of symmetric ciphers, which have been extensively studied in the classical setting. However, detailed security evaluations of GFS in the quantum setting still remain to be explored.

In this paper, we give improved polynomial-time quantum distinguishers on Type-1 GFS in quantum chosen-plaintext attack (qCPA) setting and quantum chosen-ciphertext attack (qCCA) setting. In qCPA setting, we give a new quantum polynomial-time distinguisher on \((3d-3)\)-round Type-1 GFS with branches \(d\ge 3\), which gains \((d-2)\) more rounds than the previous distinguishers. This leads us to obtain a better key-recovery attack with reduced time complexities by a factor of \(2^{\frac{(d-2)n}{2}}\), where n is the bit length of the branch. We also show a quantum distinguishing attack against \((d^2-d+1)\)-round version in qCCA setting, and this gives a key-recovery attack with much lower time complexity.

In addition, based on a 14-round quantum distinguisher, we give quantum key-recovery attacks on round-reduced CAST-256 block cipher. For the 256-bit key version, we could attack up to 20-round CAST-256 in time \(2^{111}\), which is faster than the quantum brute-force attack by a factor of \(2^{17}\). For the 128-bit key version, we could attack 17 rounds in time \(2^{55.5}\), while the best previous classical or quantum attacks are no more than 16 rounds.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Notes

  1. 1.

    Dong, Li, and Wang also analyzed Type-2 GFSs [10], and we do not know if quantum attacks on Type-2 GFSs can be improved.

  2. 2.

    This is intuitively obvious. However, precise computation of the probability is not known. See [21, Appendix C] (full version of [22]) for experimental computation of a related setting of Feistel cipher for small values of n.

References

  1. Adams, C., Gilchrist, J.: The CAST-256 encryption algorithm. RFC 2612, June 1999

    Google Scholar 

  2. Anderson, R.J., Biham, E.: Two practical and provably secure block ciphers: BEAR and LION. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 113–120. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-60865-6_48

    Chapter  Google Scholar 

  3. Aoki, K., et al.: Camellia: a 128-bit block cipher suitable for multiple platforms—design and analysis. In: Stinson, D.R., Tavares, S. (eds.) SAC 2000. LNCS, vol. 2012, pp. 39–56. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44983-3_4

    Chapter  Google Scholar 

  4. Bogdanov, A., Leander, G., Nyberg, K., Wang, M.: Integral and multidimensional linear distinguishers with correlation zero. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 244–261. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_16

    Chapter  Google Scholar 

  5. Bonnetain, X.: Quantum key-recovery on full AEZ. In: Adams, C., Camenisch, J. (eds.) SAC 2017. LNCS, vol. 10719, pp. 394–406. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-72565-9_20

    Chapter  Google Scholar 

  6. Bonnetain, X., Naya-Plasencia, M., Schrottenloher, A.: On quantum slide attacks. Cryptology ePrint Archive, Report 2018/1067 (2018). https://eprint.iacr.org/2018/1067

  7. Brassard, G., Hoyer, P., Mosca, M., Tapp, A.: Quantum amplitude amplification and estimation. Contemp. Math. 305, 53–74 (2002)

    Article  MathSciNet  MATH  Google Scholar 

  8. Dinur, I., Dunkelman, O., Keller, N., Shamir, A.: New attacks on Feistel structures with improved memory complexities. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 433–454. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_21

    Chapter  Google Scholar 

  9. Dong, X., Dong, B., Wang, X.: Quantum attacks on some Feistel block ciphers. Cryptology ePrint Archive, Report 2018/504 (2018). https://eprint.iacr.org/2018/504

  10. Dong, X., Li, Z., Wang, X.: Quantum cryptanalysis on some generalized Feistel schemes. Sci. China Inf. Sci. 62(2), 022501 (2019)

    Article  MathSciNet  Google Scholar 

  11. Dong, X., Wang, X.: Quantum key-recovery attack on Feistel structures. Sci. China Inf. Sci. 61(10), 102501:1–102501:7 (2018)

    Article  Google Scholar 

  12. National Soviet Bureau of Standards: Information processing system - cryptographic protection - cryptographic algorithm GOST 28147–89

    Google Scholar 

  13. Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Proceedings of the Twenty-Eighth Annual ACM Symposium on the Theory of Computing, Philadelphia, Pennsylvania, USA, May 22–24, 1996, pp. 212–219 (1996)

    Google Scholar 

  14. Gueron, S., Mouha, N.: Simpira v2: a family of efficient permutations using the AES round function. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 95–125. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_4

    Chapter  Google Scholar 

  15. Guo, J., Jean, J., Nikolić, I., Sasaki, Y.: Meet-in-the-middle attacks on generic Feistel constructions. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 458–477. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_24

    Chapter  Google Scholar 

  16. Guo, J., Jean, J., Nikolic, I., Sasaki, Y.: Meet-in-the-middle attacks on classes of contracting and expanding Feistel constructions. IACR Trans. Symmetric Cryptol. 2016(2), 307–337 (2016)

    Google Scholar 

  17. Hoang, V.T., Rogaway, P.: On generalized Feistel networks. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 613–630. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_33

    Chapter  Google Scholar 

  18. Hosoyamada, A., Iwata, T.: 4-round Luby-Rackoff construction is a qPRP. In: Galbraith, S., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, Springer, Cham (2019). To appear

    Google Scholar 

  19. Hosoyamada, A., Sasaki, Y.: Quantum Demiric-Selçuk meet-in-the-middle attacks: applications to 6-round generic Feistel constructions. In: Catalano, D., De Prisco, R. (eds.) SCN 2018. LNCS, vol. 11035, pp. 386–403. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98113-0_21

    Chapter  Google Scholar 

  20. Isobe, T., Shibutani, K.: Generic key recovery attack on Feistel scheme. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8269, pp. 464–485. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-42033-7_24

    Chapter  Google Scholar 

  21. Ito, G., Hosoyamada, A., Matsumoto, R., Sasaki, Y., Iwata, T.: Quantum chosen-ciphertext attacks against Feistel ciphers. Cryptology ePrint Archive, Report 2018/1193 (2018). https://eprint.iacr.org/2018/1193

  22. Ito, G., Hosoyamada, A., Matsumoto, R., Sasaki, Y., Iwata, T.: Quantum chosen-ciphertext attacks against Feistel ciphers. In: Matsui, M. (ed.) CT-RSA 2019. LNCS, vol. 11405, pp. 391–411. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-12612-4_20

    Chapter  Google Scholar 

  23. Jutla, C.S.: Generalized birthday attacks on unbalanced Feistel networks. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 186–199. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055728

    Chapter  Google Scholar 

  24. Kaplan, M., Leurent, G., Leverrier, A.,  Naya-Plasencia, M.: Breaking symmetric cryptosystems using quantum period finding. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 207–237. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_8

    Chapter  Google Scholar 

  25. Kilian, J., Rogaway, P.: How to protect DES against exhaustive key search. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 252–267. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_20

    Chapter  Google Scholar 

  26. Kilian, J., Rogaway, P.: How to protect DES against exhaustive key search (an analysis of DESX). J. Cryptol. 14(1), 17–35 (2001)

    Article  MathSciNet  MATH  Google Scholar 

  27. Knudsen, L.R.: The security of Feistel ciphers with six rounds or less. J. Cryptol. 15(3), 207–222 (2002)

    Article  MathSciNet  MATH  Google Scholar 

  28. Kuwakado, H., Morii, M.: Quantum distinguisher between the 3-round Feistel cipher and the random permutation. In: IEEE International Symposium on Information Theory, ISIT 2010, June 13–18, 2010, Austin, Texas, USA, Proceedings, pp. 2682–2685 (2010)

    Google Scholar 

  29. Kuwakado, H., Morii, M.: Security on the quantum-type Even-Mansour cipher. In: Proceedings of the International Symposium on Information Theory and its Applications, ISITA 2012, Honolulu, HI, USA, October 28–31, 2012, pp. 312–316 (2012)

    Google Scholar 

  30. Leander, G., May, A.: Grover meets Simon – quantumly attacking the FX-construction. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 161–178. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_6

    Chapter  Google Scholar 

  31. Luby, M., Rackoff, C.: How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Comput. 17(2), 373–386 (1988)

    Article  MathSciNet  MATH  Google Scholar 

  32. Lucks, S.: Faster Luby-Rackoff ciphers. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 189–203. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-60865-6_53

    Chapter  Google Scholar 

  33. Moriai, S., Vaudenay, S.: On the pseudorandomness of top-level schemes of block ciphers. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 289–302. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_22

    Chapter  Google Scholar 

  34. Nachef, V., Volte, E., Patarin, J.: Differential attacks on generalized Feistel schemes. In: Abdalla, M., Nita-Rotaru, C., Dahab, R. (eds.) CANS 2013. LNCS, vol. 8257, pp. 1–19. Springer, Cham (2013). https://doi.org/10.1007/978-3-319-02937-5_1

    Chapter  MATH  Google Scholar 

  35. Patarin, J., Nachef, V., Berbain, C.: Generic attacks on unbalanced Feistel schemes with contracting functions. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 396–411. Springer, Heidelberg (2006). https://doi.org/10.1007/11935230_26

    Chapter  Google Scholar 

  36. Patarin, J., Nachef, V., Berbain, C.: Generic attacks on unbalanced Feistel schemes with expanding functions. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 325–341. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-76900-2_20

    Chapter  Google Scholar 

  37. Santoli, T., Schaffner, C.: Using Simon’s algorithm to attack symmetric-key cryptographic primitives. Quantum Inf. Comput. 17(1&2), 65–78 (2017)

    MathSciNet  Google Scholar 

  38. Schneier, B., Kelsey, J.: Unbalanced Feistel networks and block cipher design. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 121–144. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-60865-6_49

    Chapter  Google Scholar 

  39. Shirai, T., Shibutani, K., Akishita, T., Moriai, S., Iwata, T.: The 128-bit blockcipher CLEFIA (extended abstract). In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 181–195. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74619-5_12

    Chapter  Google Scholar 

  40. Simon, D.R.: On the power of quantum computation. SIAM J. Comput. 26(5), 1474–1483 (1997)

    Article  MathSciNet  MATH  Google Scholar 

  41. Tjuawinata, I., Huang, T., Wu, H.: Improved differential cryptanalysis on generalized Feistel schemes. In: Patra, A., Smart, N.P. (eds.) INDOCRYPT 2017. LNCS, vol. 10698, pp. 302–324. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-71667-1_16

    Chapter  Google Scholar 

  42. Volte, E., Nachef, V., Patarin, J.: Improved generic attacks on unbalanced Feistel schemes with expanding functions. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 94–111. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_6

    Chapter  Google Scholar 

  43. Wagner, D.: The boomerang attack. In: Knudsen, L. (ed.) FSE 1999. LNCS, vol. 1636, pp. 156–170. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48519-8_12

    Chapter  Google Scholar 

  44. Wang, M., Wang, X., Hu, C.: New linear cryptanalytic results of reduced-round of CAST-128 and CAST-256. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 429–441. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04159-4_28

    Chapter  Google Scholar 

  45. Zhandry, M.: How to construct quantum random functions. In: 53rd Annual IEEE Symposium on Foundations of Computer Science, FOCS 2012, New Brunswick, NJ, USA, October 20–23, 2012, pp. 679–687 (2012)

    Google Scholar 

  46. Zheng, Y., Matsumoto, T., Imai, H.: On the construction of block ciphers provably secure and not relying on any unproved hypotheses. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 461–480. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_42

    Chapter  Google Scholar 

Download references

Acknowledgments

The authors thank the anonymous reviewers for helpful comments. Boyu Ni and Xiaoyang Dong are supported by the National Key Research and Development Program of China (No. 2017YFA0303903), the National Natural Science Foundation of China (No. 61902207), the National Cryptography Development Fund (No. MMJJ20180101, MMJJ20170121).

Author information

Authors and Affiliations

  1. Key Laboratory of Cryptologic Technology and Information Security, Shandong University, Ministry of Education, Qingdao, People’s Republic of China

    Boyu Ni

  2. School of Cyber Science and Technology, Shandong University, Qingdao, People’s Republic of China

    Boyu Ni

  3. Nagoya University, Nagoya, 464-8603, Japan

    Gembu Ito & Tetsu Iwata

  4. Institute for Advanced Study, Tsinghua University, Beijing, 100084, People’s Republic of China

    Xiaoyang Dong

Authors
  1. Boyu Ni
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Gembu Ito
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Xiaoyang Dong
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Tetsu Iwata
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding authors

Correspondence to Xiaoyang Dong or Tetsu Iwata .

Editor information

Editors and Affiliations

  1. University of Warwick, Warwick, UK

    Feng Hao

  2. CSIRO Data61, Marsfield, NSW, Australia

    Sushmita Ruj

  3. Nanyang Technological University, Singapore, Singapore

    Sourav Sen Gupta

Rights and permissions

Reprints and permissions

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Ni, B., Ito, G., Dong, X., Iwata, T. (2019). Quantum Attacks Against Type-1 Generalized Feistel Ciphers and Applications to CAST-256. In: Hao, F., Ruj, S., Sen Gupta, S. (eds) Progress in Cryptology – INDOCRYPT 2019. INDOCRYPT 2019. Lecture Notes in Computer Science(), vol 11898. Springer, Cham. https://doi.org/10.1007/978-3-030-35423-7_22

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-35423-7_22

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-35422-0

  • Online ISBN: 978-3-030-35423-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation