Known-key distinguishers on type-1 Feistel scheme and near-collision attacks on its hashing modes


Front. Comput. Sci., 2014, 8(3): 513–525

DOI 10.1007/s11704-014-2412-7


Le DONG 1,2,3, Wenling WU 2, Shuang WU 2, Jian ZOU 2,3

1 College of Mathematics and Information Science, Henan Normal University, Xinxiang 453007, China

2 Institute of Software, Chinese Academy of Sciences, Beijing 100190, China

3 Graduate University of Chinese Academy of Sciences, Beijing 100149, China

© Higher Education Press and Springer-Verlag Berlin Heidelberg 2014

Abstract We present some known-key distinguishers for a type-1 Feistel scheme with a permutation as the round function. To be more specific, the 29-round known-key truncated differential distinguishers are given for the 256-bit type-1 Feistel scheme with an SP (substitution-permutation) round function by using the rebound attack, where the S-boxes have perfect differential and linear properties and the linear diffusion layer has a maximum branch number. For two 128-bit versions, the distinguishers can be applied on 25-round structures. Based on these distinguishers, we construct near-collision attacks on these schemes with MMO (Matyas-Meyer-Oseas) and MP (Miyaguchi-Preneel) hashing modes, and propose the 26-round and 22-round near-collision attacks for two 256-bit schemes and two 128-bit schemes, respectively. We apply the near-collision attack on MAME and obtain a 26-round near-collision attack. Using the algebraic degree and some integral properties, we prove the correctness of the 31-round known-key integral distinguisher proposed by Sasaki et al. We show that if the round function is a permutation, the integral distinguisher is suitable for a type-1 Feistel scheme of any size.

Keywords known-key, block cipher, generalized Feistel scheme, type-1, rebound attack, integral distinguisher, algebraic degree

Received December 31, 2012; accepted September 6, 2013

E-mail: [email protected]

1 Introduction

A block cipher is a very important cryptographic primitive, for which keeping the key secret is the primary security guarantee. There are, however, some cryptographic primitives that do not employ a secret key, such as hash functions. Knudsen and Rijmen proposed the notion of a known-key distinguisher on block ciphers in 2007 [1]; in this scenario all secret keys are known a priori. They presented a 7-round known-key distinguisher for Feistel ciphers and a 7-round known-key integral distinguisher for AES. It is commonly believed that research on block ciphers with known keys will contribute to hash function design.

Since the 1970s, Feistel networks have been a popular structure, with the advantage that the encryption and decryption operations are very similar [2–7]. The substitution-permutation (SP) structure has become more and more common since AES was published. As a result, the security of the Feistel structure combined with an SP round function has become a hot topic in recent years. At the International Workshop on Fast Software Encryption (FSE) 2011, Sasaki and Yasuda used the rebound attack [8] to construct an 11-round known-key distinguisher on Feistel-SP ciphers [9]. They assume that the S-boxes adopted by these ciphers have perfect differential and linear properties, and that the linear transformations have optimal branch numbers. Sasaki et al. improved on the original 11-round attack at the Australasian Conference on Information Security and Privacy (ACISP) 2012 [10] and applied it to the block cipher Camellia. Techniques for constructing differential tables were applied to reduce time complexities. Several other known-key distinguishers for AES-like ciphers have been proposed in [11–15].

The type-1 Feistel scheme was proposed by Zheng et al. at Crypto 1989 [16] as an extension of a Feistel network. It can expand the size of a Feistel cipher through a simple modification. Unlike a plain Feistel network, a type-1 Feistel scheme updates only one of the four words in a round. Consequently, more degrees of freedom can be used to construct a truncated differential trail. A type-1 Feistel structure has been used in more and more symmetric-key schemes such as CAST-256 [17] (block cipher), MAME [18] and Lesamnta [19] (hash functions). It is unclear what security margin a type-1 Feistel scheme has against certain new attacks, especially known-key attacks, which can be directly applied to hash functions. For instance, the designers of Lesamnta gave a 19-round integral attack with three active words for the type-1 Feistel scheme [19]. However, Bouillaguet et al. found that the attack would not work and proposed a 20-round integral characteristic for this scheme [20]. At the Annual International Conference on Information Security and Cryptology (ICISC) 2011, Sasaki and Aoki showed a start-from-the-middle integral distinguisher with 31 rounds [21]. Bouillaguet et al. also gave a collision attack on the scheme based on its inherent cancelation property [20]. Consequently, type-1 Feistel schemes are worth studying in the known-key scenario. In addition, since a differential path for this scheme may imply that a collision or near-collision attack can take place, research on (near-)collisions for this scheme can be based on known-key differential distinguishers. These attacks can provide some significant information to inform future designs of block ciphers and hash functions.

In this paper, we first build several 21-round known-key distinguishers by applying the rebound attack. Next, we utilize the degrees of freedom of non-active words to improve the truncated differential path. Based on the improved path, we construct 29-round known-key distinguishers for two 256-bit type-1 Feistel schemes and 25-round known-key distinguishers for two 128-bit type-1 Feistel schemes.

We also prove the correctness of the 31-round integral distinguisher proposed by Sasaki and Aoki in 2011 [21]; this is a result from an experiment on a type-1 Feistel scheme of small size. We study the algebraic degree properties and higher-order integral techniques to prove the correctness of the integral path.

In Section 2, we give descriptions of the target scheme and an introduction to the techniques used in this paper. Notations are also introduced in this section. In Section 3, we show the known-key truncated differential distinguishers of the type-1 Feistel scheme. In Section 4, the proof of correctness of the 31-round integral distinguisher is given. Section 5 concludes the paper.

2 Preliminaries

2.1 The type-1 Feistel scheme with SP round functions

The type-1 Feistel scheme introduced by Zheng et al. is a generalized Feistel scheme [16]. Its state consists of four words of the same size. The round function F is computed once in a round. One of the four words is updated and the remaining three words are unchanged. Then, the order of the four words is cyclically shifted to the left by one position. The F function in a Feistel structure is not necessarily a permutation. However, for the scheme studied in this paper, the F functions composed of the three operations below are all permutations. We assume that n denotes the size of a word, and thus the state size is 4n. Each n-bit word is divided into r cells whose size is denoted by c, n = cr, where one cell is usually a byte or a nibble. Here we give three limitations for the operations:

Key XOR It is a simple bitwise addition of the input word of F and the round key Ki.

S-layer There are r S-boxes of c-bit size in this layer. We presume that these all have good differential diffusion properties; the maximum differential and linear probability is 2^(−c+2). If the input and output differences are fixed for the S-box, the probability of matching them is 0.5 on average.

P-layer This layer is a linear diffusion layer, which has the maximum branch number r + 1. Many algorithms adopt maximum distance separable matrices in their design.

Note that F functions in different rounds are only distinguished by their different round keys.

If the above limitations are not satisfied, the rebound attack we use in this paper may become infeasible; the scheme is believed to be more vulnerable to the traditional truncated differential attack in this case.

As shown in Fig. 1, the type-1 Feistel scheme has four branches, and the left one of them enters the F function. The output is XORed with the second branch Xi. Next, all four words rotate one word towards the left. One round of the type-1 Feistel scheme with an SP round function can be written as follows:

W_{i+1} = P(S(W_i ⊕ K_{i+1})) ⊕ X_i,

X_{i+1} = Y_i,

Y_{i+1} = Z_i,

Z_{i+1} = W_i.

The block cipher CAST-256 [17] adopts the type-1 Feistel scheme, and one variant of it has been used by several hash functions in recent years, such as MAME [18] and Lesamnta [19]. The type-1 variant has a word rotation towards the right, and the third word Yi enters the F function to update the value of Zi. In fact, the two forms are equivalent: invert one and swap the words Wi and Xi, and Yi and Zi. In Sections 3 and 4, we attack the type-1 Feistel scheme in the right form. The attack can easily be transformed into an attack on the original form.

Fig. 1 Type-1 Feistel-SP structure (left) and its variant (right)

2.2 The rebound attack

In 2009, Mendel et al. introduced a new technique to efficiently analyze AES-based hash functions using the available degrees of freedom [8]. Instead of searching the differential path in one direction, this technique starts the attack by choosing truncated differences in two different states and constructs a differential match at an S-layer of some round in the middle. Once the match is found, we obtain the corresponding values as the starting points to propagate in both directions; consequently, it is named the rebound attack.

This attack uses a different method from the traditional differential attack. Since it needs to find a match in a meet-in-the-middle approach, the effort to study the matching properties is important.

This attack has been widely used and improved for the cryptanalysis of hash functions and compression functions of hash algorithms such as Whirlpool [8,12], Grøstl [8,14,22,23], LANE [13,24], Twister [25], ECHO [14,22,23], JH [26,27], Cheetah [28], and Luffa [29].

2.3 The integral attack

The integral attack [30–33] is well known to be effective against byte-based block ciphers. The idea of the attack is to consider the propagation of sums of (many) values and to use the existence of certain properties of the sum value to verify key guesses.

In this attack some bytes of the plaintext are chosen to be constant, denoted by C. Some bytes, denoted by A, are called active bytes, which means that all words in the collection of texts are different. It is easy to see that any bijective function preserves the all-value set A, including the S-boxes. In other words, the image of an active byte after a bijective S-box is also an active byte, i.e., a byte taking on all values. We call a byte balanced if the XOR of all texts in this entry is 0, and B denotes these bytes. If we can obtain some balanced bytes in the ciphertexts, the function can be distinguished from an ideal permutation. We say that an integral distinguisher is constructed.

2.4 Hashing modes

In 1994, Preneel et al. gave an approach to construct compression functions based on block ciphers, namely the PGV modes [34], and 12 of these schemes were later proved to be secure [35]. MMO (Matyas-Meyer-Oseas) and MP (Miyaguchi-Preneel) modes are two particularly famous modes among the 12 secure schemes.

Let M_{i−1}, H_{i−1}, and H_i be the input message blocks, the input chaining values, and the outputs, respectively. E_K denotes a block cipher with a key K. The MMO and MP modes are computed as follows:

MMO: H_i = E_{H_{i−1}}(M_{i−1}) ⊕ M_{i−1},

MP: H_i = E_{H_{i−1}}(M_{i−1}) ⊕ M_{i−1} ⊕ H_{i−1}.

Based on the known-key differential distinguishers, we construct near-collision attacks on compression functions adopting the MMO or MP mode.

2.5 Notations

In this paper, we use Wi, Xi, Yi, and Zi (0 ≤ i ≤ 29) to denote the four words before the (i + 1)th round. Some other conventions and symbols are described as follows:

W_i^j : jth cell of the word Wi. The same symbols are applied to the other words

F_i : F function in the ith round

F_{i,in}, F_{i,out} : input word or output word of F_i

F^j_{i,in}, F^j_{i,out} : jth cell in the input word or the output word of F_i

n : size of a word

r : number of cells in a word

c : size of a cell

3 Known-key truncated differential distinguishers of the type-1 Feistel scheme

In this section, we give some known-key distinguishers of the type-1 Feistel scheme. Some notations are used in the following text in order to present the truncated differential characteristics. Most of these are the same as the notations used in [9].

0: a word whose cells are all non-active,

1: a word with only one active cell,

P(1): a word which is the output of P on an input with one active cell,

F: a word where all cells are active.

3.1 Basic 21-round attack on the type-1 Feistel scheme

3.1.1 Entire truncated differential path

First, we show the basic 21-round known-key truncated differential distinguisher of the type-1 Feistel scheme. Table 1 shows the entire truncated differential path used for this attack. In this table, the inbound phase consists of six rounds (from round 7 to round 12) while the first seven rounds and the last nine rounds are the outbound phases.

Table 1 Basic 21R truncated differential path of type-1 Feistel scheme

Phase               Round   Wi     Xi     Yi     Zi
Backward outbound    0      P(1)   F      F      F
                     1      1      P(1)   F      F
                     2      0      1      P(1)   F
                     3      0      0      1      P(1)
                     4      0      0      0      1
                     5      1      0      0      0
                     6      0      1      0      0
Inbound              7      0      0      1      0
                     8      P(1)   0      0      1
                     9      1      P(1)   0      0
                    10      0      1      P(1)   0
                    11      1      0      1      P(1)
                    12      0      1      0      1
Forward outbound    13      1      0      1      0
                    14      P(1)   1      0      1
                    15      1      P(1)   1      0
                    16      P(1)   1      P(1)   1
                    17      F      P(1)   1      P(1)
                    18      P(1)   F      P(1)   1
                    19      F      P(1)   F      P(1)
                    20      F      F      P(1)   F
                    21      F      F      F      P(1)

In the inbound phase, we find a pair of values following the truncated differential path with the input difference (0,0,1,0) and the output difference (0,1,0,1). This phase consists of five rounds. The outbound phase consists of sixteen rounds in two directions. The truncated difference (0,1,0,1) propagates in the forward direction for nine rounds with a probability of 1. The input difference of the inbound phase, (0,0,1,0), propagates in the backward direction for seven rounds with probability 1. Therefore, we only need to compute the complexity of the inbound phase in this basic attack. Finally, both ends of the entire differential path have four active words, and one of the four words at each end is P(1) with 2^c patterns.

3.1.2 Inbound phase

In this phase, our goal is to find a pair of values following the truncated differential path as shown in Fig. 2. For convenience, we first assume that r and c satisfy c ≥ r: this happens for (N, c) = (128, 8) and (N, c) = (256, 8). Later we give the techniques applying to the two other parameters. Note that the symbols #A, #A′, #B, #C in the following five steps denote the word positions labeled in Fig. 2.

1) Choose a one-active-cell difference at #A (without loss of generality, assume that the active cell is the first cell), denoted by Δ#A, and compute the difference P(Δ#A), which is determined by Δ#A. Furthermore, it is the input difference of the S-layer in the fourth inbound round. For each S-box in this round, compute all 2^(c−1) possible output differences from the fixed input difference P(Δ#A) and store them with the corresponding value pairs in a table.

2) Choose all differences at #B whose first cell is active and whose other cells are non-active, which gives 2^c choices. Compute P^(−1)(Δ#B) for each choice; it is the output difference of the S-layer in the fourth inbound round. Check whether or not we can match the differences of all S-boxes in this S-layer. This can be done by look-ups in the tables we constructed in step 1.

3) Assuming that we find such a matched input-output difference pair, we obtain 2^c values following the difference. Select one, and then the difference of word #A and the values on the red and green bold lines drawn in Fig. 2 are all fixed.

4) Choose a value of Z7 at random and compute the value of #A. By applying an inverse S-layer and XORing K8, both the difference and the value of Z8 are determined.

5) Fixing F^1_{9,out} to be K^1_8 ⊕ K^1_{12}, we can guarantee that Δ#A and Δ#A′ are equal. Then, the difference of F_{12,out} cancels the difference of Z11 at #C. Note that if the values of Z7 and X7 are selected, the values on the red broken line are determined, so that the value of W13 is determined.

Fig. 2 The inbound phase of the 21-round distinguisher

As a result, we find a pair of values whose input difference is (0,0,1,0) and output difference is (0,1,0,1) for five inbound rounds.

Now, we estimate the time complexity and memory complexity of the inbound phase. First, we need r · 2^c S-box computations, which is equivalent to 2^c one-round computations, and 2^(c−1) states in memory to store the valid output differences and the corresponding values. The complexity of the last three steps is 1. Consequently, the total complexity of the inbound phase is (2^c one-round) + (1 four-round) computations and the memory is 2^(c−1).

Note that among its four input words, the values of Y7 and the first cell of X7 are fixed, and the two other words are free. Their degrees of freedom can be used in the improved attack.

3.1.3 Outbound phase

For the type-1 Feistel scheme studied in this paper, one word is updated in a round, and if the third word Yi is non-active the differential patterns of the four words only change their positions. In addition, there is a difference between the forward direction and the backward direction. The updated word is updated again after four rounds in both directions. However, the difference it carries propagates to another word after three rounds in the forward direction, when the word enters an F function, and after one round in the backward direction.

The output difference of the last round in the path has three all-active words and one word of the form P(1), which has 2^c patterns. Hence, 2^(3n+c) differential patterns are formed in the ciphertexts. For the plaintexts, the difference pattern is the same as for the ciphertexts except for the order.

Since the difference propagates in the two outbound phases with a probability of 1, the total complexity of the attack is [(2^c one-round) + (1 twenty-round)]/21-round ≈ 2^(c−4) 21-round encryptions. Moreover, it needs 2^(c−1) states of memory. Specifically, if (N, c) = (256, 8), we need 2^(8−4) = 2^4 computations and 2^(8−1) = 2^7 memory. For the case of (128, 8), it is not necessary to choose all the differences of #B to find a match, but we need 2^8 computations and 2^7 memory to construct the tables. Thus, the time and memory complexities are the same as with parameters (256, 8).
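The following toy instance is an added example written for this page, not code from the paper: a 4-branch type-1 Feistel-SP scheme in the right form with c = 4, r = 4 (n = 16), the PRESENT S-box as S-layer and the MDS matrix of Piccolo over GF(2^4) as P-layer (both choices are assumptions of the example). It tabulates the S-box output differences and scans the 2^c choices of Δ#B as in inbound steps 1 and 2 of Section 3.1.2, and checks with random round keys that the two outbound phases of Table 1 hold with probability 1, i.e. that Z21 and W0 stay in the P(1) class.

```python
import random
from itertools import product

# Constructed toy instance: c = 4-bit cells, r = 4 cells per word, n = 16 bits.
C, R = 4, 4
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]      # PRESENT S-box (bijective)
# Piccolo's 4x4 MDS matrix over GF(2^4) mod x^4 + x + 1: branch number r + 1.
MDS = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]

def gf16_mul(a, b):
    p = 0
    for _ in range(C):
        if b & 1:
            p ^= a
        a = (a << 1) ^ (0x13 if a & 8 else 0)   # reduce modulo x^4 + x + 1
        b >>= 1
    return p

MUL = [[gf16_mul(a, b) for b in range(16)] for a in range(16)]

def p_layer(x):
    """P-layer on a word given as a list of r cells (cell 0 first)."""
    return [MUL[m0][x[0]] ^ MUL[m1][x[1]] ^ MUL[m2][x[2]] ^ MUL[m3][x[3]]
            for m0, m1, m2, m3 in MDS]

def _tabulate():
    """Brute-force P^-1 over all 2^n words and the branch number of P."""
    inv, branch = {}, R + 1
    for x in product(range(16), repeat=R):
        y = p_layer(x)
        inv[tuple(y)] = list(x)
        if any(x):
            branch = min(branch, sum(map(bool, x)) + sum(map(bool, y)))
    return inv, branch

P_INV, BRANCH_NUMBER = _tabulate()

def xor(a, b):
    return [u ^ v for u, v in zip(a, b)]

def active(x):
    """Positions of the active (non-zero) cells of a difference word."""
    return {j for j, v in enumerate(x) if v}

def round_function(y, k):
    """F = P(S(y xor K)), a permutation as the paper requires."""
    return p_layer([SBOX[u ^ v] for u, v in zip(y, k)])

def round_forward(state, k):
    """Right form of Fig. 1: Y enters F, output XORed into Z, rotate right."""
    W, X, Y, Z = state
    return (xor(Z, round_function(Y, k)), W, X, Y)

def round_backward(state, k):
    W, X, Y, Z = state
    return (X, Y, Z, xor(W, round_function(Z, k)))

def ddt_row(din):
    """Inbound step 1 for one S-box: output differences reachable from the
    fixed input difference `din`, each with the input values realising it."""
    row = {}
    for v in range(16):
        row.setdefault(SBOX[v] ^ SBOX[v ^ din], []).append(v)
    return row

def inbound_match(delta_a):
    """Inbound steps 1-2 (Section 3.1.2) for one Δ#A with only its first cell
    active: returns the cells b of all Δ#B = (b,0,0,0) whose required S-layer
    output difference P^-1(Δ#B) is reachable in every S-box from P(Δ#A)."""
    tables = [ddt_row(d) for d in p_layer([delta_a, 0, 0, 0])]
    return [b for b in range(1, 16)
            if all(d in t for d, t in zip(P_INV[(b, 0, 0, 0)], tables))]

def outbound_holds(trials=100, seed=7):
    """Section 3.1.3: from difference (0,1,0,1) at round 12 (both active cells
    in position `pos`) nine forward rounds leave Z21 in the P(1) class, and
    from (0,0,1,0) at round 7 seven backward rounds leave W0 in the P(1) class,
    i.e. P^-1 of the difference is active in cell `pos` only (or is zero)."""
    rng = random.Random(seed)
    word = lambda: [rng.randrange(16) for _ in range(R)]
    one = lambda pos: [rng.randrange(1, 16) if j == pos else 0 for j in range(R)]
    for _ in range(trials):
        pos = rng.randrange(R)
        a = [word() for _ in range(4)]
        b = [a[0], xor(a[1], one(pos)), a[2], xor(a[3], one(pos))]
        for k in [word() for _ in range(9)]:          # rounds 13..21
            a, b = round_forward(a, k), round_forward(b, k)
        if not active(P_INV[tuple(xor(a[3], b[3]))]) <= {pos}:
            return False
        a = [word() for _ in range(4)]
        b = [a[0], a[1], xor(a[2], one(pos)), a[3]]
        for k in [word() for _ in range(7)]:          # rounds 7 down to 1
            a, b = round_backward(a, k), round_backward(b, k)
        if not active(P_INV[tuple(xor(a[0], b[0]))]) <= {pos}:
            return False
    return True
```

With c = r = 4 each Δ#A yields about 2^c · 2^(−r) = 1 matching Δ#B, which is the degrees-of-freedom count behind the (128, 4) and (256, 4) remedies of Section 3.1.4.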

3.1.4 Attacks for the two other parameters

When (N, c) = (128, 4) or (256, 4), the degrees of freedom of Δ#B are not sufficient to get a match in the fourth inbound round. We utilize several techniques to apply the above attack to these two parameters.

For the case of (128, 4), we can choose 2^4 Δ#B with one active nibble. Note that the position of the active nibble is fixed here. If it walks along all eight positions in #B, the degrees of freedom increase to 2^4 × 2^3 = 2^7. We expect to find a match by running the inbound phase for two different Δ#A. The time complexity of the attack applicable to this parameter is 2(2^4 + 2^7)/21 ≈ 2^4 21-round computations, and it costs 2^3 memory. Since the positions of the active nibbles in W13 and Y13 may be different, it is necessary to pay attention to the F function in the eighteenth round. Fortunately, both the input of F18, which is a word of pattern 1, and the word Z17 with the P(1) form come from Y13. Accordingly, W18 = F18(Y17) ⊕ Z17 has the P(1) form. The differential characteristic of the ciphertext is still (F,F,F,P(1)).

If (N, c) = (256, 4), we select two active nibbles in #B at all possible positions. This gives a total of 2^4 × 2^4 × 16 × 15 Δ#B to choose from. Hence, we expect to get a match by running the inbound phase for two different Δ#A. The time complexity is 2(2^12 · 15)/21 ≈ 2^13 in this case, and the memory it costs is 2^3. Besides, the ciphertext has the (F,F,F,P(2)) form.

3.1.5 Comparison with a random permutation

By computing the generic birthday bound, we can write the complexities of obtaining these output differential characteristics or input differential characteristics for the four versions when the function is a random permutation. Note that for the (n − c)-bit or (n − 2c)-bit collisions, the degrees of freedom are enough for these 4-branch constructions. The complexities are 2^12, 2^14, 2^28, and 2^28 for the random permutations with the parameters (128, 8), (128, 4), (256, 8), and (256, 4), respectively. Accordingly, we can distinguish between the 21-round type-1 Feistel scheme and a random permutation for each parameter.

3.2 Extended attack by using the multi-inbound technique

Now, we improve the previous 21-round attack to more rounds by using a multi-inbound technique. Utilizing the degrees of freedom of some non-active words, we extend the inbound phase to 13 rounds. The inbound phase is divided into two parts, and the second part, with five rounds, is very similar to the inbound phase of the previous attack. There are three inbound procedures in this phase, and all of them have five rounds. For the sake of convenience, we call their first rounds starting rounds, their fourth rounds matching rounds, and their final rounds cancelation rounds. We first give the attack on the type-1 Feistel scheme with parameter (256, 8). Note that the symbols #A, #B, #C, etc. in Subsections 3.2.1 and 3.2.2 denote the word positions labeled in the corresponding figures.

3.2.1 First part of the inbound phase

The first part involves the last eight rounds of the inbound phase and has two inbound computations. The two inbound procedures overlap. The matching round of the first inbound, namely the 10th inbound round, is also the second round of the second inbound. In fact, the input difference of the F function in the cancelation round of the second inbound, namely the last inbound round, is obtained by computing S^(−1)(Δ#F) ⊕ Δ#E, where Δ#E is precisely the difference used to construct the match in the first inbound.

In this part, we start with two inbound procedures independently to match the differences in the tenth inbound round and the 12th inbound round. For the cancelation of the first inbound procedure, we use the word values on the blue lines drawn in Fig. 3. Besides, the cancelation of the second inbound procedure is achieved by using the values of #F.

After this, we can determine the first-cell differences on the red broken lines and the 2^(c−1) difference candidates of S^(−1)(Δ#D). We use them to construct the third inbound match in the second part. More specifically, our four attack procedures are as follows:

Fig. 3 The first part of the 13-round inbound phase

1) Choose two one-active-cell differences at #D and #F, whose active cells are the first cells, at the seventh and the 9th inbound rounds, and compute the differences P(Δ#D) and P(Δ#F). They are the input differences of the S-layers in the tenth and the 12th inbound rounds. Utilizing the technique we mentioned in the last subsection, compute all 2^(c−1) possible output differences from a fixed input difference for each S-box. Store them and the corresponding value pairs in some tables.

2) For each of the 2^c possible differences in word #E and word #G, apply the inverse permutation to compute the corresponding full-cell differences. Check if all S-boxes in the tenth and the 12th inbound rounds have solutions. This can be done by looking up the tables constructed in step 1.

3) If we find such matches, we obtain 2^c values following the input-output difference for each match. Store all 2^c valid values following the match in the 12th inbound round in a table T1. Now we consider canceling the P(1)-pattern difference in the 11th and the 13th inbound rounds. Notice that Y14 is a non-active word, so that the difference of Z17 can be canceled by modifying the first-cell value of F15(Y14) to equal K^1_{14} ⊕ K^1_{18}.

4) The cancelation of the second inbound can also be done by modifying the value of #F. To be specific, the difference at #F is fixed and we assume that all 2^c possible values can be assigned to its active cell. Choose a valid value of #E following the matched difference. Compute and check the following:

Δ[S_1(S_1^(−1)(#F^1) ⊕ K^1_{16} ⊕ F^1_{17,out} ⊕ K^1_{20})] ?= Δ#F^1.

In summary, we try to find a c-bit match by using the 2^c degrees of freedom supplied by the values of #F. Considering that in some cases an S-box has no solution, we expect to find one solution by choosing two values at #E. Note that the values on the red solid lines are not fixed. We use their 2^c degrees of freedom to get another match later.

We construct two inbound procedures after the above four steps. The values on the green and brown solid lines are all fixed. In addition, the difference and value of #F^1 are fixed, so that those of Y^1_{15} are fixed. This propagates in the backward direction, and we conclude that ΔZ^1_{12} is fixed. It is different for the word #D. We cannot fix its value because the degrees of freedom of Z13 will be used in the second part. As a result, the first cell of X12 has 2^(c−1) possible differences. The one-cell determinate difference at Z12 and the 2^(c−1) one-cell possible differences at X12 propagate in the backward direction to the first part of the inbound phase, and these possible candidates construct a match in the first five inbound rounds.

3.2.2 Second part of the inbound phase

We build a five-round inbound procedure now in the inverse

direction based on the the valid differences of X12 and Z12.

Fig. 4 gives the details. The starting round of this inbound

procedure is the fifth inbound round, and the cancelation

round is the first inbound round. The following five steps ex-

plain how the second part works:

1) When Z12 propagates backward and enters into F12, the

difference of its active cell has 2c−1 possible outputs (at

#A′). Choose one of them and compute P(�#A′). This is

the input difference of the S -layer in the fourth inbound

round. Compute and store the output differences for all

S -boxes.

2) For each of the 2^{c−1} possible differences in word #B (equal to the differences of X_{12}), apply the inverse permutation to compute the corresponding difference. Check whether or not we can match the full-cell differences by looking up the tables we constructed before. The degrees of freedom are slightly short; we can solve this by choosing two different Δ#A′.

3) After finding such a match, store all 2^c valid values following the match in a table T_2 and select one. Then, modify the value of W_{12} to guarantee the one-cell difference match at the S-layer of the fifth inbound round. Note that the cell Δ#A′^1 is selected from the valid possible outputs of Z^1_{12}, so that the difference match always exists. The word W_{12} has two c-bit conditions so far, which are utilized for two c-bit matches (see the blue lines in Fig. 4). A word consists of more than three cells for all the parameters, and thus there are at least two-cell degrees of freedom we can use.

4) Choose a value of W_{12} fulfilling the two conditions; then the values of Z_{12} are fixed. We select a valid W_{16} from T_1, constructed in advance, and check if the value of #F^1 matches. It is expected to find a match by using the 2^c values in T_1. Once the match is found, the value of Y_{15} is fixed, and so is W_{13}. Then we compute the value of Y_{12} by XORing W_{13} and Z_{12}. Since Z_{13} is equal to Y_{12} and the value of W_{14} is determined, the value of word #D is fixed. Check whether or not Δ#D^1 matches ΔY^1_{13}, which is equal to the difference of #B^1. If the match fails, choose another W_{12} fulfilling the two conditions; the c-bit match in the ninth inbound round still holds because the values of #A′ and #F have a coincident relation. Repeat the computation of Y_{15}, Y_{12}, and Y_{13} to check the one-cell match at #N. We expect to find a match by using the one-cell degrees of freedom of W_{12}.

5) Assuming that we obtain a match between #D and #B, the value of Z_{10} can be deduced. Additionally, the value of Y_{12} was fixed before, and then the value of Z_9 is determined. We can compute Z_8 to check if Δ#A = Δ#A′. If this is shown to be false, return to step 3 and choose another value from T_2. We expect to find a match after trying all the 2^c values.

3.2.3 Attack evaluation

Firstly, we evaluate the time complexity and memory of the first part. In the matching rounds of the first and the second inbound procedures, the complexity is 2·2^c 1-round computations in time and 2·2^{c−1} words in memory. It costs 2^c memory to build T_1 in step 3. There is a c-bit match in step 4, which should be done by walking along all 2^c values of a cell. Hence, it costs 2·2^c 2-S-box computations in total. In this part, the time complexity is 2^{c+1}(1 + 2/r) 1-round computations and the memory complexity is 2^{c+1} words.

Fig. 4 The inbound phase of the 29-round distinguisher

We start the second part by computing the first cells of Δ#A′ and Δ#B. This requires 2·2^c 1-S-box computations, and the memory can be ignored. However, we only need two different Δ#A′ words for the latter match, so that the cost can be reduced to 2^c 1-S-box computations. The time complexity of the inbound match in step 1 and step 2 is 2·2^c and the memory is 2^{c−1} words. In step 3, we need 2^c memory to store T_2, and the complexity of computing W_{12} is ignored. For one selected value in step 3, two independent calculations are needed to get two c-bit matches in the ninth and the seventh inbound rounds. The time complexity is 2^c 1-round computations + 2^c 4-round computations ≈ 2^{c+2} 1-round computations. Finally, for the match in the first inbound round, the complexity 2^{c+2} is multiplied by 2^c. Consequently, the time complexity of the second part is 2^{2c+2} 1-round computations and the memory complexity is 2^{c−1} + 2^c words.

Notice that the outbound phase runs with probability 1. As a result, the complexity of the inbound phase is 2^{2c+2}/29 in time and fewer than 2^{c+2} words of memory, which is equal to 2^c states. For the parameter (256, 8), this needs 2^{13.1} time complexity, whereas it is 2^{28} for a random permutation.

3.2.4 Attacks for other three parameters

When (N, c) = (128, 8) the complexity is also 2^{13.1}, but this is more than the complexity for a random permutation, which is 2^{12}. We can attack up to 25 rounds of such ciphers by abandoning the cancelation in the first inbound round, which changes Z_7 to the P(1) form. The time complexity decreases to 2^{c+3}/29, which is 2^{6.1} for this parameter.

If we regard a group of two S-boxes as one big S-box, the attack can be directly applied to the cases (128, 4) and (256, 4). They have the same complexity as the attacks on the two ciphers with 8-bit S-boxes.

A summary of the distinguishers presented in this section is shown in Table 2.

Table 2 Summary of distinguishers

Parameters (N, c)   Rounds   Time     Memory   Complexity for ideal permutation
(256, 8)            29       2^13.1   2^8      2^28
(256, 4)            29       2^13.1   2^8      2^28
(128, 8)            25       2^6.1    2^8      2^12
(128, 4)            25       2^6.1    2^8      2^12

3.3 Application to MMO and MP modes

In this subsection, we apply the previous 29-round (25-round) known-key distinguishers to attack the MMO and MP hashing modes built on these Feistel-SP ciphers. The attack can generate 26-round or 22-round n-bit near-collisions depending on the parameters. People usually think that known-key distinguishers are only a weak property of a cipher, but the differential distinguishers we propose in this paper lead to near-collision attacks, so that they endanger the real-world security of hash functions using these structures.

Now we give the near-collision attack on the Feistel-SP construction under the MMO mode. For the 29-round differential distinguishers on the two 256-bit type-1 schemes, we notice that the first word in the output of the 26th round has pattern P(1) (or P(2)), and the first word in the input of the first round has the same pattern. Consequently, the differences in the two words are equal with probability 2^{−c}. If the two differential values are equal, the first word in the output has no difference under the MMO mode, in which the message block enters the iteration as the input and is XORed to the output to compute the output of the compression function. Hence, by repeating the process of constructing the distinguisher 2^c times (generating 2^c different chaining values H_{i−1}) we expect to obtain an n-bit near-collision for the 26-round function. The time complexity is 2^{21.1}.

For the 25-round differential distinguishers on the two 128-bit type-1 schemes, the first four rounds are cancelled, and we can construct a 22-round n-bit near-collision because the input differential patterns are also (P(1), F, F, F) (or (P(2), F, F, F)). The time complexities are 2^{14.1}.

If we apply the MP mode to the Feistel-SP structure, we can trivially extend the previous near-collision attacks to it. This is because our distinguishers are all in the known-key scenario. Namely, there is no difference in the keys (the input chaining value), so that the key addition to the output state cannot have any impact on the output value differences. We can obtain the 26-round or 22-round near-collisions on this mode. The time complexities are the same as for the MMO mode.

A summary of these near-collision attacks is shown in Table 3.

Table 3 Summary of near-collision attacks

Parameters (N, c)   Rounds   Time     Memory   Complexity for ideal permutation
(256, 8)            26       2^21.1   2^8      2^32
(256, 4)            26       2^21.1   2^8      2^32
(128, 8)            22       2^14.1   2^8      2^16
(128, 4)            22       2^14.1   2^8      2^16

3.4 Application to MAME

3.4.1 Specification of MAME

MAME is a lightweight compression function which was proposed at the Workshop on Cryptographic Hardware and Embedded Systems (CHES) 2007. It adopts the MMO mode, and the inner block cipher uses the type-1 4-branch generalized Feistel-SP structure. f_E denotes the block cipher and f_R denotes the round function. The block size and key size of f_E are both 256 bits, so that each of the branches has 64 bits. In addition, a 64-bit branch is stored in two 32-bit words; thus the state has eight words denoted by (x_0^{(i)}, x_1^{(i)}, ..., x_7^{(i)}). The whole encryption process has 96 rounds.

The round function f_R consists of a key addition, a non-linear function F, and a word-wise permutation. First, the fifth word x_4^{(i)} is XORed with the round subkey and concatenated with the sixth word x_5^{(i)}. Second, the two words enter the non-linear function F, which outputs two updated words. Then the two new words are XORed with x_6^{(i)} and x_7^{(i)}, respectively. Finally, every word rotates two positions to the right.

Function F is the composition of two layers: the S-box layer S and the linear diffusion layer L. S is a concatenation of 16 4-bit S-boxes, defined as follows:

S[16] = {4, 14, 15, 1, 13, 9, 10, 0, 11, 2, 7, 12, 3, 6, 8, 5}.

To increase the software performance, this layer adopts a bit-slice implementation in which the four bits entering one S-box are selected once every 16 bits. The linear diffusion layer L consists of rotation and XOR operations and is defined as follows:

bL = bL ⊕ (bH <<< 1), bH = bH ⊕ (bL <<< 3),
bL = bL ⊕ (bH <<< 4), bH = bH ⊕ (bL <<< 7),
bL = bL ⊕ (bH <<< 8), bH = bH ⊕ (bL <<< 14).

We omit the key scheduling function here because our attack does not involve it. We refer to [18] for details.
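The following is an added worked example, written for this edition and not taken from the paper or from the MAME designers: a Python model of the components just described (the bit-sliced S layer with the listed S-box, the linear layer L, and the round of f_E with its two-word rotation), together with the MMO and MP feed-forwards that Section 3.3 relies on and a difference distribution table computation for the S-box. The bit ordering inside a bit-sliced nibble, the high/low split of the F input and output, the fact that the subkey touches only the F input, and the stand-in key schedule `toy_subkeys` are assumptions the text does not fix; they are marked as such in the code, and the real key schedule is in [18].

```python
# Added example: not the paper's code and not the MAME reference implementation.
# It models the round components described above from the text alone, adds the
# MMO/MP feed-forward of Section 3.3 and checks the S-box property quoted in
# Section 3.4.2. Every choice the text does not pin down is marked ASSUMPTION.
from typing import List, Sequence, Tuple

MASK32 = 0xFFFFFFFF
S = [4, 14, 15, 1, 13, 9, 10, 0, 11, 2, 7, 12, 3, 6, 8, 5]  # as listed in the paper
L_STEPS = (1, 3, 4, 7, 8, 14)  # rotation amounts of the six L steps, in order

def rotl32(x: int, r: int) -> int:
    """32-bit left rotation, written <<< in the paper."""
    return ((x << r) | (x >> (32 - r))) & MASK32

def nibble_bits(j: int) -> List[int]:
    """ASSUMPTION: bit-sliced nibble j (0..15) is formed by bits j, j+16, j+32,
    j+48 of the 64-bit S-layer input, bit j+16*k being bit k of the nibble."""
    return [j + 16 * k for k in range(4)]

def s_layer(v: int) -> int:
    """Bit-sliced S layer: 16 parallel 4-bit S-boxes on a 64-bit value."""
    out = 0
    for j in range(16):
        bits = nibble_bits(j)
        nib = sum(((v >> b) & 1) << k for k, b in enumerate(bits))
        out |= sum(((S[nib] >> k) & 1) << b for k, b in enumerate(bits))
    return out

def l_layer(bl: int, bh: int) -> Tuple[int, int]:
    """Linear diffusion layer L: the six XOR/rotate steps listed above."""
    for i, r in enumerate(L_STEPS):
        if i % 2 == 0:
            bl ^= rotl32(bh, r)
        else:
            bh ^= rotl32(bl, r)
    return bl, bh

def F(a: int, b: int) -> Tuple[int, int]:
    """F = L o S on two 32-bit words.
    ASSUMPTION: S sees a||b with a in the high half; bH is the high half, bL the low."""
    v = s_layer((a << 32) | b)
    bl, bh = l_layer(v & MASK32, v >> 32)
    return bh, bl

def encrypt(x, subkeys):
    """Inner block cipher fE: one round per subkey on eight 32-bit words.
    ASSUMPTION: the subkey enters only the F input; x4 in the state is unchanged."""
    s = list(x)
    for k in subkeys:
        u, v = F(s[4] ^ k, s[5])
        s = [s[6] ^ u, s[7] ^ v] + s[:6]  # every word moves two places right
    return s

def decrypt(y, subkeys):
    """Inverse of encrypt, used only to validate the round model."""
    s = list(y)
    for k in reversed(subkeys):
        u, v = F(s[6] ^ k, s[7])
        s = s[2:] + [s[0] ^ u, s[1] ^ v]
    return s

def toy_subkeys(key, rounds):
    """ASSUMPTION: stand-in for MAME's key schedule, which the text omits:
    subkey i is key word i mod 8 rotated left by i. It is NOT the real schedule."""
    return [rotl32(key[i % 8], i % 32) for i in range(rounds)]

def compress(mode, h_prev, m, rounds):
    """MMO: E_{H_{i-1}}(M) xor M.  MP: the same, additionally xor H_{i-1}."""
    out = [c ^ w for c, w in zip(encrypt(m, toy_subkeys(h_prev, rounds)), m)]
    if mode == "MP":
        out = [o ^ h for o, h in zip(out, h_prev)]
    return out

def output_difference(mode, h_prev, m1, m2, rounds):
    """Word-wise XOR difference of two outputs under one chaining value (known key)."""
    o1, o2 = compress(mode, h_prev, m1, rounds), compress(mode, h_prev, m2, rounds)
    return [a ^ b for a, b in zip(o1, o2)]

def active_nibbles(diff: int) -> int:
    """Number of bit-sliced nibbles of a 64-bit difference that are non-zero."""
    return sum(any((diff >> b) & 1 for b in nibble_bits(j)) for j in range(16))

def l_diffusion(j: int, d: int) -> int:
    """Active output nibbles of L for a single active nibble j whose S-box output
    difference is d: the precomputation that Section 3.4.2 describes."""
    diff = sum(((d >> k) & 1) << b for k, b in enumerate(nibble_bits(j)))
    bl, bh = l_layer(diff & MASK32, diff >> 32)
    return active_nibbles((bh << 32) | bl)

def ddt_max(sbox) -> int:
    """Largest entry of the difference distribution table over non-zero input differences."""
    n, best = len(sbox), 0
    for a in range(1, n):
        counts = [0] * n
        for x in range(n):
            counts[sbox[x] ^ sbox[x ^ a]] += 1
        best = max(best, max(counts))
    return best
```

`ddt_max(S)` returns 4, i.e. a maximum differential probability of 4/16 = 2^{−2}, the value quoted in Section 3.4.2. `l_diffusion(j, d)` is the precomputation mentioned there (which single-nibble S-box output differences reach all 16 output nibbles through L); its result depends on the bit-ordering assumption and already shows that a single active bit does not activate all 16 nibbles. `output_difference` makes the Section 3.3 observation concrete: under a common chaining value the MP feed-forward yields exactly the same word-wise output difference as MMO, because the extra XOR of H_{i−1} cancels in the difference.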

3.4.2 Application to MAME

In the supporting document of MAME, no (near-)collision attack was provided. Afterwards, Xue and Wu gave attacks on MAME with 22, 23, and 24 rounds in 2010 [36]. The complexity of the 24-round collision attack is about 2^{112}, and there is no sign that this method can be applied to functions with more rounds. To our knowledge, there is no subsequent collision-like analysis of this compression function. In this subsection, we show a near-collision attack on 26-round MAME.

For the compression function MAME, the parameter is (256, 4). Specifically, we should notice three operations in the inner block cipher:

1) The round subkey is XORed into half of the bits of the input of F.

2) The maximum differential probability of the S-box is 2^{−2}, and the S-layer adopts a bit-slice implementation.

3) The branch number of the linear layer is eight.

It is easy to see that the round key addition cannot impact our attack, because it is equivalent to setting the other half of the subkey to zero. The bit-slice implementation of the S-box slightly changes the process: when we select active nibbles, we need to choose the four bits that enter the same S-box. Since the branch number of the linear layer is not optimal, the diffusion pattern 1 → 16 does not hold with probability 1. However, the probability that some output nibbles have no difference is very low. Here, we need to precompute which one-nibble input differences derive an all-active state. This may decrease the degrees of freedom, but we can use a two-nibble input and walk along all possible positions. Furthermore, the increased computation does not impact the total time complexity.

As a result, we can apply the attack to the 26-round MAME compression function and obtain a 64-bit near-collision with a complexity that is lower than the complexity of the trivial attack.


4 The proof of a 31-round known-key integral distinguisher for type-1 Feistel scheme

For constructing the integral distinguisher on Lesamnta, Sasaki and Aoki provided a known-key distinguisher for the variant of the type-1 Feistel scheme whose F function is a permutation [21].

However, the distinguisher is an experimental result for a very lightweight version with a 32-bit state size in which the F function is a single S-box. It is worth discussing whether or not the distinguisher is appropriate for the arbitrary-size type-1 Feistel scheme and for a complex F permutation. In this section, we prove the correctness of the 31-round distinguisher: for a type-1 Feistel scheme with any size and any F permutation, we can always obtain two balanced words, one at the input state and one at the output state, from a middletext with three active words and a constant word.

In summary, the framework of the distinguisher can be introduced as follows:

$(B,?,?,?) \xleftarrow{\;13\text{ rounds}\;} (C,A,A,A) \xrightarrow{\;18\text{ rounds}\;} (?,?,?,B).$

The far-left word in the middletext is a constant word and the others are active words. This passes through the 18-round encryption computation, and then we get a state with a balanced word in the fourth position. In the opposite direction, we obtain a one-balanced-word state after computing 13 rounds of decryption. Our proof is divided into two parts: the forward part and the backward part.

4.1 Forwards

It is a fact that the algebraic degree of a function has a close relationship with the integral attack. Utilizing the evaluation of the upper bound of the algebraic degree for each round, we can often find or prove an integral distinguisher. In the forward part, we use the special properties of the algebraic degrees to prove the correctness of the 18-round distinguisher. Here we first list some basic results about the algebraic degree:

1) For an n-bit permutation P, the algebraic degrees of all output bits are at most n − 1.

2) Choose m_1 bits of a function f as variables and keep the others constant. If the algebraic degrees of the target bits in the output state are not more than m_1 − 1, then after changing m_2 constant bits of the input state into variables, the algebraic degrees of the target bits are at most m_1 + m_2 − 1.

Second, we give upper bounds on the degrees of the four words in every round for the type-1 Feistel scheme variant, which are deduced principally from the above properties. Let n denote the size of a word, and let the round function F be a permutation. The upper bounds on the degrees are shown in Table 4.

Table 4 The upper bound on the degree of the forward 18 rounds

Round  W_i                  X_i                  Y_i                  Z_i
0      C                    A                    A                    A
1      A                    C                    A                    A
2      A                    A                    C                    A
3      A                    A                    A                    C
       (1, n)_{1}           (1, n)_{2}           (1, n)_{3}           0
4      (n−1, n)_{3}         (1, n)_{1}           (1, n)_{2}           (1, n)_{3}
5      (n−1, 2n)_{2,3}      (n−1, n)_{3}         (1, n)_{1}           (1, n)_{2}
6      (n−1, 2n)_{1,2}      (n−1, 2n)_{2,3}      (n−1, n)_{3}         (1, n)_{1}
7      (n−1, 2n)_{1,3}      (n−1, 2n)_{1,2}      (n−1, 2n)_{2,3}      (n−1, n)_{3}
8      (2n−1, 2n)_{2,3}     (n−1, 2n)_{1,3}      (n−1, 2n)_{1,2}      (n−1, 2n)_{2,3}
9      (2n−1, 3n)_{1,2,3}   (2n−1, 2n)_{2,3}     (n−1, 2n)_{1,3}      (n−1, 2n)_{1,2}
10     (2n−1, 3n)_{1,2,3}   (2n−1, 3n)_{1,2,3}   (2n−1, 2n)_{2,3}     (n−1, 2n)_{1,3}
11     (2n−1, 3n)_{1,2,3}   (2n−1, 3n)_{1,2,3}   (2n−1, 3n)_{1,2,3}   (2n−1, 2n)_{2,3}
12     (3n−1, 3n)_{1,2,3}   (2n−1, 3n)_{1,2,3}   (2n−1, 3n)_{1,2,3}   (2n−1, 3n)_{1,2,3}
13     (3n−1, 3n)_{1,2,3}   (3n−1, 3n)_{1,2,3}   (2n−1, 3n)_{1,2,3}   (2n−1, 3n)_{1,2,3}
14     (3n−1, 3n)_{1,2,3}   (3n−1, 3n)_{1,2,3}   (3n−1, 3n)_{1,2,3}   (2n−1, 3n)_{1,2,3}
15     (3n−1, 3n)_{1,2,3}   (3n−1, 3n)_{1,2,3}   (3n−1, 3n)_{1,2,3}   (3n−1, 3n)_{1,2,3}
16     (3n, 3n)_{1,2,3}     (3n−1, 3n)_{1,2,3}   (3n−1, 3n)_{1,2,3}   (3n−1, 3n)_{1,2,3}
17     (3n, 3n)_{1,2,3}     (3n, 3n)_{1,2,3}     (3n−1, 3n)_{1,2,3}   (3n−1, 3n)_{1,2,3}
18     (3n, 3n)_{1,2,3}     (3n, 3n)_{1,2,3}     (3n, 3n)_{1,2,3}     (3n−1, 3n)_{1,2,3}


In the initial state, the three active words are independent. Additionally, W_1 is obtained by computing F(Y_0) ⊕ Z_0. As a result, W_1, Y_1, and Z_1 are also independent. Similarly, the three active words in the next round are also independent, and so are the first three words in the output of the third round.

Now, we explain the upper bounds on the algebraic degrees in the table. We define some notation for convenience. W_3, X_3, and Y_3 are called the first word, the second word, and the third word, respectively. We know that there are n bits in each word, and each of the three active words has n active bits. There are 3n active bits in total, and each active bit is regarded as a variable. For the notation (a, b)_{c}, the meanings of the three parameters are as follows: a: the upper bound on the algebraic degrees of all bits; b: the upper bound on the number of variables in the algebraic normal form of all bits; c: the origin of the variables. The subscript in braces of a word denotes the serial numbers of the active words in the output of the third round from which the variables in this word come. Besides, the two elements in the parentheses represent the upper bound on the algebraic degree of all bits in this word and the number of variables involved in this word. For instance, (2n − 1, 2n)_{2,3} represents that (1) the upper bound on the algebraic degrees of all bits in this word is 2n − 1; (2) the algebraic normal form of each bit involves at most 2n variables; and (3) all variables come from the second and the third active words in the output of the third round, namely X_3 and Y_3.

In the output of the third round, the algebraic degrees of all 3n variables are 1. Since one word is updated in each round and the resulting word is put in the first position, we only need to focus on the first word in each round. In the third round, Y_3 enters the round function F and is then XORed with Z_3, which is a constant word. Additionally, F is a permutation. Hence, the algebraic degrees of all bits in W_4 are at most n − 1, and there are n variables in this word, which come from the third word Y_3. In the next round, we compute W_5 = F(Y_4) ⊕ Z_4, so that it has 2n variables coming from the second and the third words, and the upper bound on its degrees is n − 1. Similarly, the degrees of W_6 and W_7 are not more than n − 1 and there are 2n variables in them. Since Y_7 = W_5 consists of 2n variables and it is a permutation from X_3 to Y_7, the degrees of all bits in W_8 are at most 2n − 1. We can deduce the upper bounds on the degrees of W_9, W_10, ..., W_14 by using this method.

Now we consider the word W_15. Notice that the n variables in W_3 are not involved in Z_5, Z_8, and Z_11. This means that if X_3 and Y_3 are constants, the words Z_5, Z_8, and Z_11 are constants, so that the map from the only active word W_3 to Y_14 is a permutation. In this case, the algebraic degree of all bits in W_15 is at most n − 1. Consequently, when we reset X_3 and Y_3 to be active, the algebraic degree of all bits in W_15 is not more than 3n − 1. The word Z_18 is equal to W_15. As a result, the algebraic degree of all bits in Z_18 does not reach the maximum value, namely 3n.

The starting state (C, A, A, A) consists of 3n active bits. We consider each active bit as a variable and walk along all 2^{3n} values. This is equivalent to taking a derivative of the function. Since the algebraic degree of all bits in Z_18 is less than 3n, it is a balanced word (the XOR sum over all 2^{3n} ciphertexts is zero) in this attack scenario.

4.2 Backwards

In this part, we prove the correctness of the backward trail by utilizing the properties of the higher-order integral attack. We first expound the propagation property for a starting state with one active word, and then give the two-active-word state which can deduce the previous state after three rounds. Table 5 gives the details.

Table 5 The higher-order integral characteristic in backward

Round  W_i  X_i  Y_i  Z_i
14     B    ?    ?    ?
13     A    B    ?    ?
12     A    A    B    ?
11     A    A    A    B
10     A    A    A    A
9      C    A    A    A
8      C    C    A    A
7      C    C    C    A
6      A    C    C    C
5      C    A    C    C
4      C    C    A    C
4      C    C    A    A
3      A    C    C    A
2      A    A    C    C
1      C    A    A    C

If the starting state is (C, C, A, C), the active word reaches the first position after two rounds (from round 4 to round 6). In the next inverse round, it is XORed with a constant and walks up to the last position. The active word enters the F function in the 8th inverse round and outputs an active word related to the input word. Then there are two active words in the state. Continuing to iterate, we can obtain a full-active state after the tenth inverse round, whose four active words are all deduced from one active word. One of the four active words passes into the F function and is XORed with another active word in the next inverse round. Since the two active words are correlated, the resulting word is balanced. Similarly, it generates a new balanced word in a following round, and at last the first word is balanced in the output state of the 14th inverse round. Namely, the one-word-balance property can be deduced for ten backward rounds from a special one-word-active state. Besides, it only needs two active words in the second and the third positions to obtain, after three backward rounds, a state in which the third word is active and independent (from round 1 to round 4). Therefore, from the state (C, A, A, C), we can get the one-balanced-word state (B, ?, ?, ?) after 13 inverse rounds.

In total, from the middle structure (C, A, A, A), two one-word-balance states can be obtained after 18 rounds and 13 inverse rounds, respectively.
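To make the proof concrete, here is an added example (ours, not from the paper or from Sasaki and Aoki) that runs the distinguisher exhaustively on its smallest instance: a 4-branch type-1 Feistel scheme with 4-bit words and a single 4-bit permutation as F. The choice of the MAME S-box from Section 3.4 as that permutation is an assumption of convenience only, since the proof holds for any F permutation. The code walks the structure (C, A, A, A) through 18 forward and 13 inverse rounds and classifies every word at every round as C, A, B or ?, reproducing the rows of Tables 4 and 5 that are written in those symbols; the helper `structure` also builds the (C, A, A, C) and (C, C, A, C) sub-structures used in the backward argument.

```python
# Added example, not code from the paper: an exhaustive check of the 31-round
# known-key integral distinguisher of Section 4 on its smallest instance, a
# 4-branch type-1 Feistel scheme with n-bit words whose round function F is a
# single n-bit permutation. Choices the text does not fix are marked ASSUMPTION.
from collections import Counter
from itertools import product
from typing import Callable, List, Sequence, Tuple

State = Tuple[int, int, int, int]  # (W, X, Y, Z), each an n-bit word

# ASSUMPTION: any 4-bit permutation may serve as F; the MAME S-box of
# Section 3.4 is used only because the paper lists it (so n = 4 here).
MAME_SBOX = [4, 14, 15, 1, 13, 9, 10, 0, 11, 2, 7, 12, 3, 6, 8, 5]


def make_f(table: Sequence[int]) -> Callable[[int], int]:
    """Wrap a lookup table as F after checking that it really is a permutation."""
    if sorted(table) != list(range(len(table))):
        raise ValueError("F must be a permutation")
    return lambda v: table[v]


def round_fwd(s: State, f: Callable[[int], int]) -> State:
    """Forward round (W, X, Y, Z) -> (F(Y) xor Z, W, X, Y), the update behind Table 4."""
    w, x, y, z = s
    return (f(y) ^ z, w, x, y)


def round_inv(s: State, f: Callable[[int], int]) -> State:
    """Inverse round (W', X', Y', Z') -> (X', Y', Z', W' xor F(Z'))."""
    w, x, y, z = s
    return (x, y, z, w ^ f(z))


def structure(pattern: str, n: int, const: int) -> List[State]:
    """All states of a C/A pattern: C words fixed to const, A words taking all 2^n values."""
    ranges = [range(1 << n) if p == "A" else [const] for p in pattern]
    return list(product(*ranges))


def classify(values: Sequence[int], n: int) -> str:
    """C: constant; A: each value equally often; B: XOR sum zero; ?: no property."""
    counts = Counter(values)
    if len(counts) == 1:
        return "C"
    if len(counts) == (1 << n) and len(set(counts.values())) == 1:
        return "A"
    acc = 0
    for v in values:
        acc ^= v
    return "B" if acc == 0 else "?"


def trace(states: List[State], f, rounds: int, step, n: int) -> List[str]:
    """Word patterns after each round; row 0 is the starting structure."""
    rows = ["".join(classify([s[i] for s in states], n) for i in range(4))]
    for _ in range(rounds):
        states = [step(s, f) for s in states]
        rows.append("".join(classify([s[i] for s in states], n) for i in range(4)))
    return rows


def check_distinguisher(table: Sequence[int], n: int = 4, const: int = 0x9):
    """(C,A,A,A) run 18 rounds forward and 13 rounds backward; returns both traces."""
    f = make_f(table)
    start = structure("CAAA", n, const)
    return trace(start, f, 18, round_fwd, n), trace(start, f, 13, round_inv, n)


if __name__ == "__main__":
    fwd, bwd = check_distinguisher(MAME_SBOX)
    for r, row in enumerate(fwd):
        print(f"forward  round {r:2d}: {row}")
    for r, row in enumerate(bwd):
        print(f"backward round {r:2d}: {row}")
```

Running the block prints the two traces: the last forward row ends with a balanced fourth word and the last backward row starts with a balanced first word, and the same holds when `MAME_SBOX` is swapped for any other 4-bit permutation, which is what the theorem asserts. The classification A is stricter than B (every value occurring equally often implies an XOR sum of zero for n ≥ 2), so a word the tables predict as B may be reported as A; only ? would contradict the proof.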

5 Conclusion

In this paper, we have proposed two 29-round known-key truncated differential distinguishers for the type-1 Feistel scheme with parameters (256, 8) and (256, 4). When (N, c) = (128, 8) and (128, 4), known-key truncated differential distinguishers with 25 rounds are constructed. All distinguishers can be run in practical time. Unlike the attack on the Feistel scheme, our distinguishers are built by utilizing the degrees of freedom of non-active words. We show how to construct the multi-inbound phases and connect them by guessing and determining the values of non-active words in order. Additionally, we construct near-collision attacks based on these distinguishers with the MMO and MP hashing modes. The near-collision attack is used to analyze the compression function MAME.

We also prove the correctness of the 31-round known-key integral distinguisher of the type-1 Feistel scheme which was discovered by Sasaki et al. In the forward part, the algebraic degree is applied to prove the integral characteristic. Some higher-order integral properties are employed in the backward part. We illustrate that the distinguisher is suitable for the balanced type-1 Feistel scheme of any size whose round function is a permutation.

Acknowledgements This research project was promoted by the Scientific Research Foundation for High Level Talents of Henan Normal University (01016500148) and the National Natural Science Foundation of China (Grant Nos. 61272476, 61232009).

References

1. Knudsen L R, Rijmen V. Known-key distinguishers for some block ciphers. In: Proceedings of the 13th International Conference on the Theory and Application of Cryptology and Information Security. 2007, 315–324

2. Smid M E, Branstad D K. Data encryption standard: past and future. Proceedings of the IEEE, 1988, 76(5): 550–559

3. Schneier B. Description of a new variable-length key, 64-bit block cipher (Blowfish). Lecture Notes in Computer Science, 1994, 809: 191–204

4. Kazumaro A, Tetsuya I, Masayuki K, Mitsuru M, Shiho M, Junko N, Toshio T. Camellia: a 128-bit block cipher suitable for multiple platforms design and analysis. In: Proceedings of the 7th Annual International Workshop on Selected Areas in Cryptography. 2001, 39–56

5. Wallen J. Design principles of the KASUMI block cipher. Proceedings of the Helsinki University of Technology Seminar on Network Security, 2000

6. Rivest R L. The RC5 encryption algorithm. In: Proceedings of the 2nd International Workshop on Fast Software Encryption. 1995, 86–96

7. Wu W, Zhang L. LBlock: a lightweight block cipher. In: Proceedings of the 9th International Conference on Applied Cryptography and Network Security. 2011, 327–344

8. Mendel F, Rechberger C, Schläffer M, Thomsen S S. The rebound attack: cryptanalysis of reduced Whirlpool and Grøstl. In: Proceedings of the 16th International Workshop on Fast Software Encryption. 2009, 260–276

9. Sasaki Y, Yasuda K. Known-key distinguishers on 11-round Feistel and collision attacks on its hashing modes. In: Proceedings of the 18th International Workshop on Fast Software Encryption. 2011, 397–415

10. Sasaki Y, Emami S, Hong D, Kumar A. Improved known-key distinguishers on Feistel-SP ciphers and application to Camellia. In: Proceedings of the 17th Australasian Conference on Information Security and Privacy. 2012, 87–100

11. Minier M, Phan R C W, Pousse B. Distinguishers for ciphers and known key attack against Rijndael with large blocks. Lecture Notes in Computer Science, 2009, 5580: 60–76

12. Lamberger M, Mendel F, Rechberger C, Rijmen V, Schläffer M. Rebound distinguishers: results on the full Whirlpool compression function. In: Proceedings of the 15th International Conference on the Theory and Application of Cryptology and Information Security. 2009, 126–143

13. Wu S, Feng D, Wu W. Cryptanalysis of the LANE hash function. In: Proceedings of the 16th Annual International Workshop on Selected Areas in Cryptography. 2009, 126–140

14. Gilbert H, Peyrin T. Super-Sbox cryptanalysis: improved attacks for AES-like permutations. In: Proceedings of the 17th International Workshop on Fast Software Encryption. 2010, 365–383

15. Dong L, Wu W, Wu S, Zou J. Known-key distinguisher on round-reduced 3D block cipher. In: Proceedings of the 12th International Workshop on Information Security Applications. 2011, 55–69

16. Zheng Y, Matsumoto T, Imai H. On the construction of block ciphers provably secure and not relying on any unproved hypotheses. Lecture Notes in Computer Science, 1989, 435: 461–480

17. Adams C, Tavares S, Heys H, Wiener M. The CAST-256 encryption algorithm. Submission to AES competition, 1998

18. Yoshida H, Watanabe D, Okeya K, Kitahara J, Wu H, Küçük Ö, Preneel B. MAME: a compression function with reduced hardware requirements. In: Proceedings of the 9th International Workshop on Cryptographic Hardware and Embedded Systems. 2007, 148–165

19. Hirose S, Kuwakado H, Yoshida H. SHA-3 proposal: Lesamnta. Submission to NIST, 2008

20. Bouillaguet C, Dunkelman O, Leurent G, Fouque P A. Lecture Notes in Computer Science, 2010, 6544: 18–35

21. Sasaki Y, Aoki K. Improved integral analysis on tweaked Lesamnta. In: Proceedings of the 14th International Conference on Information Security and Cryptology. 2011, 1–17

22. Peyrin T. Improved differential attacks for ECHO and Grøstl. In: Proceedings of the 30th Annual Cryptology Conference. 2010, 370–392

23. Mendel F, Peyrin T, Rechberger C, Schläffer M. Improved cryptanalysis of the reduced Grøstl compression function, ECHO permutation and AES block cipher. Lecture Notes in Computer Science, 2009, 5867: 16–35

24. Matusiewicz K, Naya-Plasencia M, Nikolic I, Sasaki Y, Schläffer M. Rebound attack on the full LANE compression function. In: Proceedings of the 15th International Conference on the Theory and Application of Cryptology and Information Security. 2009, 106–125

25. Mendel F, Rechberger C, Schläffer M. Cryptanalysis of Twister. In: Proceedings of the 7th International Conference on Applied Cryptography and Network Security. 2009, 342–353

26. Rijmen V, Toz D, Varici K. Rebound attack on reduced-round versions of JH. In: Proceedings of the 17th International Workshop on Fast Software Encryption. 2010, 286–303

27. Naya-Plasencia M, Toz D, Varici K. Rebound attack on JH42. In: Proceedings of the 17th International Conference on the Theory and Application of Cryptology and Information Security. 2011, 252–269

28. Wu S, Feng D, Wu W. Practical rebound attack on 12-round Cheetah-256. In: Proceedings of the 12th International Conference on Information Security and Cryptology. 2009, 300–314

29. Khovratovich D, Naya-Plasencia M, Röck A, Schläffer M. Cryptanalysis of Luffa v2 components. In: Proceedings of the 17th International Workshop on Selected Areas in Cryptography. 2010, 388–409

30. Daemen J, Knudsen L R, Rijmen V. The block cipher Square. In: Proceedings of the 4th International Workshop on Fast Software Encryption. 1997, 149–165

31. Ferguson N, Kelsey J, Lucks S, Schneier B, Stay M, Wagner D, Whiting D. Improved cryptanalysis of Rijndael. In: Proceedings of the 7th International Workshop on Fast Software Encryption. 2000, 213–230

32. Galice S, Minier M. Improving integral attacks against Rijndael-256 up to 9 rounds. Lecture Notes in Computer Science, 2008, 5023: 1–15

33. Knudsen L R, Wagner D. Integral cryptanalysis. In: Proceedings of the 9th International Workshop on Fast Software Encryption. 2002, 112–127

34. Preneel B, Govaerts R, Vandewalle J. Hash functions based on block ciphers: a synthetic approach. Lecture Notes in Computer Science, 1993, 773: 368–378

35. Black J, Rogaway P, Shrimpton T. Black-box analysis of the block-cipher-based hash-function constructions from PGV. Lecture Notes in Computer Science, 2002, 2442: 320–335

36. Yu X, Wenling W. Cryptanalysis of MAME compression function. In: Proceedings of the 2010 International Conference on Computer Design and Applications. 2010, 5: 602–605

Le Dong is a lecturer in the Henan Normal University, China. He received his PhD from the Institute of Software, Chinese Academy of Sciences in 2013. He received his MS and BS from Zhengzhou University in 2006 and 2003, respectively. His research interests include cryptanalysis of hash functions and block ciphers.

Wenling Wu is a researcher and PhD supervisor in the Institute of Software, Chinese Academy of Sciences. She received her PhD from Xidian University in 1997, and her MS and BS from Northwest University in 1990 and 1987. Her research interests are cryptanalysis and the design of block ciphers.

Shuang Wu is a research associate in the Institute of Software, Chinese Academy of Sciences. He received his PhD from the Chinese Academy of Sciences in 2011, and his BS from Tsinghua University in 2005. His research interests are cryptanalysis and the design of hash functions.

Jian Zou is a PhD candidate in the Institute of Software, Chinese Academy of Sciences. He received his BS from Central China Normal University in 2009. His research interests are cryptanalysis and the design of hash functions.