Known-key distinguishers on type-1 Feistel scheme and near-collision attacks on its hashing modes
Transcript of Known-key distinguishers on type-1 Feistel scheme and near-collision attacks on its hashing modes
Front. Comput. Sci., 2014, 8(3): 513–525
DOI 10.1007/s11704-014-2412-7
Known-key distinguishers on type-1 Feistel scheme andnear-collision attacks on its hashing modes
Le DONG 1,2,3, Wenling WU2, Shuang WU2, Jian ZOU2,3
1 College of Mathematics and Information Science, Henan Normal University, Xinxiang 453007, China
2 Institute of Software, Chinese Academy of Sciences, Beijing 100190, China
3 Graduate University of Chinese Academy of Sciences, Beijing 100149, China
c© Higher Education Press and Springer-Verlag Berlin Heidelberg 2014
Abstract We present some known-key distinguishers for a
type-1 Feistel scheme with a permutation as the round func-
tion. To be more specific, the 29-round known-key truncated
differential distinguishers are given for the 256-bit type-1
Feistel scheme with an SP (substitution-permutation) round
function by using the rebound attack, where the S -boxes
have perfect differential and linear properties and the lin-
ear diffusion layer has a maximum branch number. For two
128-bit versions, the distinguishers can be applied on 25-
round structures. Based on these distinguishers, we construct
near-collision attacks on these schemes with MMO (Matyas-
Meyer-Oseas) and MP (Miyaguchi-Preneel) hashing modes,
and propose the 26-round and 22-round near-collision attacks
for two 256-bit schemes and two 128-bit schemes, respec-
tively. We apply the near-collision attack on MAME and ob-
tain a 26-round near-collision attack. Using the algebraic de-
gree and some integral properties, we prove the correctness
of the 31-round known-key integral distinguisher proposed
by Sasaki et al. We show that if the round function is a per-
mutation, the integral distinguisher is suitable for a type-1
Feistel scheme of any size.
Keywords known-key, block cipher, generalized Feistel
scheme, type-1, rebound attack, integral distinguisher, alge-
braic degree
Received December 31, 2012; accepted September 6, 2013
E-mail: [email protected]
1 Introduction
A block cipher is a very important primitive of cryptography
that keeping the key secret is the primary security guaran-
tee. While there are some cryptography primitives that do not
employ a secret key, such as hash functions. Knudsen and
Rijmen proposed the notion of a known-key distinguisher on
block ciphers in 2007 [1], wherein all secret keys are known
a priori in this scenario. They presented a 7-round known-key
distinguisher for Feistel ciphers and a 7-round known-key in-
tegral distinguisher for AES. It is commonly believed that the
research on block ciphers with known keys will contribute to
hash function design.
Since the 1970s, Feistel networks have been a popular
structure and have the advantage that encryption and decryp-
tion operations, therein, are very similar [2–7]. Substitution-
permutation(SP) structure has become more and more com-
mon since AES was published. As a result, the study of the
security of the Feistel structure combining a round function
with SP structure has become hot topic in recent years. At
the International Workshop Fast Software Encryption (FSE)
2011, Sasaki and Yasuda used the rebound attack [8] to con-
struct an 11-round known-key distinguisher on Feistel-SP ci-
phers [9]. They assume that the S -boxes adopted by these
ciphers have perfect differential and linear properties, and the
linear transformations have optimal branch numbers. Sasaki
et al. improved on the original 11-round attack at the Aus-
tralasian Conference on Information Security and Privacy
514 Front. Comput. Sci., 2014, 8(3): 513–525
(ACISP) 2012 [10] and applied it to the block sipher Camel-
lia. Techniques for constructing differential tables were ap-
plied to reduce time complexities. Several other known-key
distinguishers for AES-like ciphers have been proposed in
[11–15].
The type-1 Feistel scheme was proposed by Zheng et al. in
Crypto 1989 [16], which is an extension of a Feistel network.
It can expand the size of a Feistel cipher through a simple
modification. Unlike a plain Feistel network, a type-1 Feistel
scheme updates only one of the four words in a round. Con-
sequently, more degrees of freedom can be used to construct
a truncated differential trail. A type-1 Feistel structure has
been used in more and more symmetric-key schemes such as
CAST-256 [17] (block cipher), MAME [18] and Lesamnta
[19] (hash functions). It is unclear that the security margin of
a type-1 Feistel scheme to resist certain new attacks, espe-
cially known-key attacks that can be directly applied to hash
functions. For instance, the designers of Lesamnta gave a 19-
round integral attack with three active words for the type-1
Feistel scheme [19]. However, Bouillaguet et al. found that
the attack would not work and proposed a 20-round inte-
gral characteristic for this scheme [20]. At the Annual In-
ternational Conference on Information Security and Cryp-
tology (ICISC) 2011, Sasaki and Aoki showed a start-from-
the-middle integral distinguisher with 31 rounds [21]. Bouil-
laguet et al. also gave a collision attack on the scheme based
on the its inherent cancelation property [20]. Consequently,
type-1 Feistel schemes are worth studying in the known-key
scenario. In addition, since a differential path for this scheme
may deduce that a collision or near-collision attack will take
place, the research of the (near-)collision on this scheme can
be done based known-key differential distinguishers. These
attacks can provide some significant information to inform
future designs of block ciphers and hash functions.
In this paper, we first build several 21-round known-key
distinguishers by applying the rebound attack. Next, we uti-
lize the degrees of freedom of non-active words to improve
the truncated differential path. Based on the improved path,
we construct 29-round known-key distinguishers for two 256-
bit type-1 Feistel schemes and 25-round known-key distin-
guishers for two 128-bit type-1 Feistel schemes.
We also prove the correctness of the 31-round integral dis-
tinguisher proposed by Sasaki and Aoki in 2011 [21]; this
is a result from an experiment on a type-1 Feistel scheme
of small size. We study the algebraic degree properties and
higher-order integral techniques to prove the correctness of
the integral path.
In Section 2, we give descriptions of the target scheme and
an introduction to the techniques used in this paper. Notations
are also introduced in this section. In Section 3, we show the
known-key truncated differential distinguishers of the type-1
Feistel scheme. In Section 4, the proof of correctness of the
31-round integral distinguisher is given. Section 5 concludes
the paper.
2 Preliminaries
2.1 The type-1 Feistel scheme with SP round functions
The type-1 Feistel scheme introduced by Zheng et al. is
a generalized Feistel scheme [16]. Its state consists of four
words of the same size. The round function F is computed
once in a round. One of the four words is updated and the
remaining three words are unchanged. Then, the order of the
four words are cyclically shifted to the left by one position.
The F function in Feistel structure is not necessarily a per-
mutation. However, for the scheme studied in this paper, the
F functions composed by the three operations are all permu-
tations. We assume that n denotes the size of a word and thus
the state size is 4n. Each n-bit word is divided into r cells
whose size is denoted by c, n = cr, where one cell is usu-
ally a byte or a nibble. Here we give three limitations for the
operations:
Key XOR It is a simple bitwise addition for the input
word of F and the round key Ki.
S-layer There are r S -boxes with c-bit size in this layer.
We presume that these all have good differential diffusion
properties; the maximum differential and linear probability
is 2−c+2. If the input and output differences are fixed for the
S -box, the probability of matching them is 0.5 on average.
P-layer This layer is a linear diffusion layer, which has
the maximum branch number r + 1. Many algorithms adopt
the maximum distance separable matrixes in their design.
Note that F functions in different rounds are only distin-
guished by their different round keys.
If the above limitations are not satisfied, the rebound attack
we used in this paper may become infeasible; it is believed to
be more vulnerable to the traditional truncated differential at-
tack in this case.
As shown in Fig. 1, the type-1 Feistel scheme has four
branches, and the left one of them enters the F function. The
output is XORed the second branch Xi. Next all four words
rotate one word towards the left direction. One round of the
type-1 Feistel scheme with SP round function can be written
Le DONG et al. Known-key distinguishers on type-1 Feistel scheme and near-collision attacks on its hashing modes 515
as follows:
Wi+1 = P(S (Wi ⊕ Ki+1)) ⊕ Xi,
Xi+1 = Yi,
Yi+1 = Zi,
Zi+1 = Wi.
The block cipher CAST-256 [17] adopts the type-1 Feistel
scheme, and one variant of this has been used by several hash
functions in recent years, such as MAME [18] and Lesamnta
[19]. The type-1 variant has a word-rotation structure towards
right, and the third word Yi enters the F function to update the
value of Zi. In fact, the two forms are equivalent: invert one
and swap the words Wi and Xi, and Yi and Zi. In Section 3
and Section 4, we attack on the type-1 Feistel scheme with
the right form. It can be easily transformed to the attack on
the original one easily.
Fig. 1 Type-1 Feistel-SP structure (left) and its variant (right)
2.2 The rebound attack
In 2009, Mendel et al. introduced a new technique to ef-
ficiently analyze AES-based hash functions using the avail-
able degrees of freedom [8]. Instead of searching the differ-
ential path in one direction, this technique starts the attack
by choosing truncated differences in two different states and
construct a differential match at an S -layer of some round
in the middle. Once the match is found, we obtain the cor-
responding values as the starting points to propagate in both
directions; consequently, it is named the rebound attack.
This attack runs using a different method from the tradi-
tional differential attack. Since it needs to find a match in a
meet-in-the-middle approach, the effort to study the matching
properties is important.
This attack has been widely used and improved for
the cryptanalysis of hash functions and compression func-
tions of hash algorithms such as Whirlpool [8,12], Grøstl
[8,14,22,23], LANE [13,24], Twister [25], ECHO [14,22,23],
JH [26,27], Cheetah [28], and Luffa [29].
2.3 The integral attack
The integral attack [30–33] is well-known to be effective
against byte-based block ciphers. The idea of the attack is to
consider the propagation of sums of (many) values and to use
the existence of certain properties of the sum value to verify
key guesses.
In this attack some bytes of the plaintext are chosen to be
constant, denoted by C. Some bytes, denoted by A, are called
active bytes, which means that all words in the collection of
texts are different. It is easy to find that any bijective func-
tion can preserve the all-value set A, including the S -boxes.
In other words, the image of an active byte after a bijective
S -box is also an active byte, i.e., a byte taking on all values.
We call a byte balanced if the XOR of all texts in this entry is
0, and B denotes these bytes. If we can obtain some balanced
bytes in ciphertexts, the function can be distinguished from
an ideal permutation. We say that an integral distinguisher is
constructed.
2.4 Hashing modes
In 1994, Preneel et al. gave an approach to construct com-
pression functions based on block ciphers, namely PGV
modes [34], and 12 schemes of them were proved later
to be secure [35]. MMO (Matyas-Meyer-Oseas) and MP
(Miyaguchi-Preneel) modes are two particularly famous
modes of the 12 secure schemes.
Let Mi−1,Hi−1, and Hi be the input massage blocks, the in-
put chaining values, and the outputs, respectively. EK denotes
a block cipher with a key K. The MMO and MP modes are
computed as follows:
MMO: Hi = EHi−1 (Mi−1) ⊕ Mi−1,
MP: Hi = EHi−1 (Mi−1) ⊕ Mi−1 ⊕ Hi−1.
Based on the known-key differential distinguishers, we
construct near-collision attacks on compression functions
adopting the MMO or MP mode.
2.5 Notations
In this paper, we use Wi, Xi, Yi, and Zi (0 � i � 29) to de-
note the four words before the (i + 1)th round. Some other
conventions and symbols are described as follows:
W ji : jth cell of the word Wi. The same symbols are
applied to other words
Fi : F function in the ith round
Fi,in,Fi,out : input word or output word of Fi
F ji,in,F j
i,out : jth cell in the input word or the output
word of Fi
n : size of a word
516 Front. Comput. Sci., 2014, 8(3): 513–525
r : number of cells in a word
c : size of a cell
3 Known-key truncated differential distin-guishers of the type-1 Feistel scheme
In this section, we give some known-key distinguishers of the
type-1 Feistel scheme. Some notations are used in the follow-
ing text in order to present the truncated differential charac-
teristics. Most of these are the same as notations used in [9].
0: a word whose cells are all non-active,
1: a word with only one active cell,
P(1): a word which is the output of P on the input with one
active cell,
F: a word where all cells are active.
3.1 Basic 21-round attack on the type-1 Feistel scheme
3.1.1 Entire truncated differential path
First, we show the basic 21-round known-key truncated dif-
ferential distinguisher of the type-1 Feistel scheme. Table 1
shows the entire truncated differential path used for this at-
tack. In this table, inbound phase consists of six rounds (from
round 7 to round 12) while the first seven rounds and the last
nine rounds are the outbound phases.
Table 1 Basic 21R truncated differential path of type-1 Feistel scheme
Phase Round Wi Xi Yi Zi
Backward outbound 0 P(1) F F F
1 1 P(1) F F
2 0 1 P(1) F
3 0 0 1 P(1)
4 0 0 0 1
5 1 0 0 0
6 0 1 0 0
Inbound 7 0 0 1 0
8 P(1) 0 0 1
9 1 P(1) 0 0
10 0 1 P(1) 0
11 1 0 1 P(1)
12 0 1 0 1
Forward outbound 13 1 0 1 0
14 P(1) 1 0 1
15 1 P(1) 1 0
16 P(1) 1 P(1) 1
17 F P(1) 1 P(1)
18 P(1) F P(1) 1
19 F P(1) F P(1)
20 F F P(1) F
21 F F F P(1)
In the inbound phase, we find a pair of values following the
truncated differential path with the input difference (0,0,1,0)and the output difference (0,1,0,1). This phase consists of five
rounds. The outbound phase consists of sixteen rounds in two
directions. The truncated difference (0,1,0,1) propagates in
the forward direction for nine rounds with a probability of
1. The input difference of the inbound phase (0,0,1,0) propa-
gates in the backward direction for seven rounds with proba-
bility 1. Therefore, we only need to compute the complexity
of the inbound phase in this basic attack. Finally, both ends
of the entire differential path have four active words, and one
of the four words in each end is P(1) with 2c patterns.
3.1.2 Inbound phase
In this phase, our goal is to find a pair of values following
the truncated differential path as shown in Fig. 2. For con-
venience, we firstly assume that r and c satisfy c � r: this
happens for (N, c) = (128, 8), and (N, c) = (256, 8). Later we
give the techniques applying to two other parameters. Note
that the symbols #A, #A′, #B, #C in the following five steps
denote the word positions labeled in Fig. 2.
1) Choose a one-active-cell difference at #A (without loss
of generality, assume that the active cell is the first cell),
denoted by �#A, and compute the difference P(�#A)
which is determined by �#A. Furthermore, it is the
input difference of the S -layer in the fourth inbound
round. For each S -box in this round, compute all 2c−1
possible output differences from a fixed input difference
P(�#A) and store them with the responding value pairs
in a table.
2) Choose all differences at #B whose first cell is active
and other cells are non-active, which have 2c choices.
Compute P−1(�#B) for each choice, and it is the output
difference of the S -layer in the fourth inbound round.
Check whether or not we can match the differences of
all S -boxes in this S -layer. This can be done by look-up
in the tables we constructed in step 1.
3) Assuming that we find such a matched input-output dif-
ference pair, we obtain 2c values following the differ-
ence. Select one and then the difference of word #A and
the values on the red and green bold lines drawn in Fig.
2 are all fixed.
4) Choose a value of Z7 at random and compute the value
of #A. By applying an inverse S -layer and XORing the
K8, both the difference and the value of Z8 are deter-
mined.
Le DONG et al. Known-key distinguishers on type-1 Feistel scheme and near-collision attacks on its hashing modes 517
5) Fixing F19,out to be K1
8 ⊕K112, we can guarantee that �#A
and �#A′ are equal. Then, the difference of F12,out can-
cel the difference of Z11 at #C. Note that if the values of
Z7 and X7 are selected, the values on the red broken line
are determined, so that the value of W13 is determined.
Fig. 2 The inbound phase of the 21-round distinguisher
As a result, we find a pair of values whose input difference
is (0,0,1,0) and output difference is (0,1,0,1) for five inbound
rounds.
Now, we estimate the time complexity and memory com-
plexity for the inbound phase. First, we need r · 2c S -box
computations, which is equivalent of 2c one-round compu-
tations and 2c−1 state in memory, to store the valid output
differences and the corresponding values. The complexity of
the last three steps is 1. Consequently, the total complexity of
the inbound phase is (2c one-round)+(1 four-round) compu-
tations and the memory is 2c−1.
Note that for its four input words, the values of Y7 and the
first cell in X7 are fixed, and two other words are free. Their
degrees of freedom can be used in the improved attack.
3.1.3 Outbound phase
For the type-1 Feistel scheme studied in this paper, one word
updates in a round, and if the third word Yi is non-active the
differential patterns of the four words only change the posi-
tions. In addition, there is a difference between the forward
direction and the backward direction. The updated word up-
dates again after four rounds in both directions. However, the
difference it has will propagate up another word after three
rounds, when the word enters an F function in the forward
direction, and it does this after one round in the backward
direction.
The output difference of the last round in the path has three
all-active-words and one word of the form P(1), which has
2c patterns. Hence, There are 23n+c differential patterns are
formed in the ciphertexts. For the plaintexts, the difference
pattern is the same as the ciphertext except for the order.
Since the difference propagates in two outbound phases
with a probability of 1, the total complexity of the attack is
[(2c one-round)+ (1 20round)]/21-round≈ 2c−4 21-round en-
cryption. Moreover, it needs 2c−1 state memory. Specifically,
if (N, c) = (256, 8), we need 28−4 = 24 computations and
28−1 = 27 memory. For the case of (128, 8), it is not neces-
sary to choose all the differences of #B to find a match, but
we need 28 computations and 27 memory to construct the ta-
bles. Thus, the time and memory complexities are the same
with parameters (256, 8).
3.1.4 Attacks for other two parameters
When (N, c) = (128, 4) or (256, 4), the degrees of freedom
of �#B are not sufficient to get a match in the fourth inbound
round. We utilize several techniques to apply the above attack
to the two parameters.
For the case of (128, 4), we can choose 24 �#B with one
active nibble. Note that the position of the active nibble is
fixed here. If it walks along all eight positions in #B, the de-
grees of freedom increase to 24 × 23 = 27. We expect to find
a match by running the inbound phase for two different �#A.
The time complexity of the attack applicable to this parame-
ter is 2(24+27)/21 ≈ 24 21-round computation, and it costs 23
memory. Since the positions of the active nibbles in W13 and
Y13 may be different, it is necessary to pay attention to the F
function in the eighteenth round. Fortunately, both the input
of F18, which is a 1 pattern word, and the word Z17 with the
P(1) form come from Y13. Accordingly, W18 = F18(Y17)⊕Z17
has the P(1) form. The differential characteristic of the ci-
phertext is still (F,F,F,P(1)).
If (N, c) = (256, 4), we select two active nibbles in #B with
all possible positions. This has a total of 24×24×16×15 �#B
to choose from. Hence, we expect to get a match by running
the inbound phase for two different �#A. The time complex-
ity is 2(212 ·15)/21 ≈ 213 in this case, and the memory it costs
is 23. Besides, the ciphertext has the (F,F,F,P(2)) form.
3.1.5 Comparison with a random permutation
By computing the generic birthday bound, we can write the
complexities of getting these output differential characteris-
tics or input differential characteristics for the four versions
518 Front. Comput. Sci., 2014, 8(3): 513–525
when the function is a random permutation. Note that for the
(n − c)-bit or (n − 2c)-bit collisions, the degrees of freedom
are enough for these 4-branch constructions. The complex-
ities are 212, 214, 228, and 228 for the random permutations
with the parameters (128, 8), (128, 4), (256, 8), and (256, 4),
respectively. Accordingly, we can distinguish between the
21-round type-1 Feistel scheme and a random permutation
for each parameter.
3.2 Extended attack by using the multi-inbound technique
Now, we improve the previous 21-round attack to more
rounds by using a multi-inbound technique. Utilizing the de-
grees of freedom of some non-active words, we extend the
inbound phase to 13 rounds. The inbound phase is divided
into two parts, and the second part with five rounds is very
similar to the inbound phase in the previous attack. There are
three inbound procedures in this phase, and all of them have
five rounds. For the sake of convenience, we call their first
rounds starting rounds, their fourth rounds matching rounds,
and their final rounds cancelation rounds. We firstly give the
attack on the type-1 Feistel scheme with parameter (256, 8).
Note that the symbols #A, #B, #C, etc. in Subsection 3.2.1
and Subsection 3.2.2 denote the word positions labeled in the
corresponding figures.
3.2.1 First part of the inbound phase
The first part involves the last eight rounds of the inbound
phase and has two inbound computations. The two inbound
procedures are overlapped. The matching round of the first
inbound, namely the 10th inbound round, is also the sec-
ond round of the second inbound. In fact, the input differ-
ence of the F function in the cancelation round of the second
inbound, namely the last inbound round, is obtained by com-
puting S −1(�#F) ⊕ �#E, where �#E is precisely the differ-
ence to construct the match in the first inbound.
In this part, we start with two inbound procedures indepen-
dently to match the differences in the tenth inbound round
and the 12th inbound round. For the cancelation of the first
inbound procedures, we use the word value on the blue lines
drawn in Fig. 3. Besides, the cancelation of the second in-
bound procedure is achieved by using the values of #F.
After this, we can determine the the first cell differences
on the red broken lines and the 2c−1 difference candidates of
S −1(�#D). We use them to construct the third inbound match
in the second part. More specifically, our four attack proce-
dures is as follows:
Fig. 3 The first part of the 13-round inbound phase
1) Choose two one-active-cell differences at #D and #F
whose active cells are the first cells at the seventh and
the 9th inbound rounds, and compute the differences
P(�#D) and P(�#F). They are the input differences of
the S -layers in the tenth and the 12th inbound round.
Utilizing the technique we mentioned in the last subsec-
tion, compute all 2c−1 possible output differences from
a fixed input difference for each S -box. Store them and
the corresponding value pairs in some tables.
2) For each of the 2c possible differences in word #E and
word #G, apply the inverse permutation on them to
compute the corresponding full-cell differences. Check
if all S -boxes in the tenth and the 12th inbound rounds
have solutions. This can be done by looking up the ta-
bles constructed in step 1.
3) If we find such matches, we obtain 2c values follow-
ing the input-output difference for each match. Store
all 2c valid values following the match in the 12th in-
bound round in a table T1. Now we consider to cancel
the P(1) pattern difference in the 11th and the 13th in-
bound round. Notice that Y14 is a non-active word so
that the difference of Z17 can be canceled by modifying
the first cell value of F15(Y14) to equal K114 ⊕ K1
18.
4) The cancelation of the second inbound also can be done
through modifying the value of #F. To be specific, the
difference at #F is fixed and we assume that all 2c pos-
Le DONG et al. Known-key distinguishers on type-1 Feistel scheme and near-collision attacks on its hashing modes 519
sible values can be assigned to its active cell. Choose
a valid values of #E following the matched difference.
Compute and check the following:
�[(S 1(S −11 (#F1) ⊕ K1
16 ⊕ F117,out ⊕ K1
20)]?= �#F1.
In summary, we try to find a c-bit match by using 2c de-
grees of freedom supplied by the values of #F. Considering
no solution in some cases for an S -box, we expect to find one
solution by choosing two values at #E. Note that the values
on the red solid lines are not fixed. We use their 2c degrees of
freedom to get another match later.
We construct two inbound procedures after the above four
steps. The values on the green and brown solid lines are all
fixed. In addition, the difference and value of #F1 are fixed so
that the two of Y115 are fixed. This propagates in the backward
direction, and we conclude that �Z112 is fixed. It is different
for the word #D. We cannot fix the its value because the de-
grees of freedom of Z13 will be used in the second part. As a
result, the first cell in X12 have 2c−1 possible differences. The
one-cell determinate difference at Z12 and the 2c−1 one-cell
possible differences at X12 propagate in the backward direc-
tion to the first part of the inbound phase, and there possible
candidates construct a match in the first five inbound rounds.
3.2.2 Second part of the inbound phase
We build a five-round inbound procedure now in the inverse
direction based on the the valid differences of X12 and Z12.
Fig. 4 gives the details. The starting round of this inbound
procedure is the fifth inbound round, and the cancelation
round is the first inbound round. The following five steps ex-
plain how the second part works:
1) When Z12 propagates backward and enters into F12, the
difference of its active cell has 2c−1 possible outputs (at
#A′). Choose one of them and compute P(�#A′). This is
the input difference of the S -layer in the fourth inbound
round. Compute and store the output differences for all
S -boxes.
2) For each of the 2c−1 possible difference in word
#B(equal to the differences of X12), apply the inverse
permutation on it to compute the corresponding differ-
ence. Check whether or not we can match the full-cell
differences by looking up the tables we constructed be-
fore. It is slightly short for the degrees of freedom. We
can solve it by choosing two different �#A′.
3) After finding such match, store all 2c valid values fol-
lowing the match in a table T2 and select one. Then,
modify the value of W12 to guarantee the one-cell dif-
ference match at the S -layer of the fifth inbound round.
Note that the cell �#A′1 is selected from the valid pos-
sible outputs of Z112 so that the difference match always
exists. The word W12 has two c-bit conditions so far,
which are utilized for two c-bit matches(see the blue
lines in Fig. 4). A word consists of more than three
cells for all the parameters, and thus there are at least
two-cell degrees of freedom we can use.
4) Choose a value W12 fulfilling the two conditions and
then the values of Z12 are fixed. We select a valid W16
from T1 constructed in advance and check if the value of
#F1 matches. It is expected to find a match by using the
2c values in T1. Once the match is found, the value of
Y15 is fixed, and so do W13. Then we compute the value
of Y12 by XORing W13 and Z12. Since Z13 is equal to Y12
and the value of W14 is determined, the value of word
#D is fixed. Check whether or not �#D1 matches �Y113
which is equal to the difference of #B1. If the match
failed, choose another W12 fulfilling the two conditions,
and the c-bit match in the ninth inbound round is also
true because the values of #A′ and #F have a coincident
relation. Repeat to compute Y15, Y12, and Y13 to check
the one-cell match at #N. We expect to find a match by
using one-cell degrees of freedom of W12.
5) Assuming that we obtain a match between #D and #B,
the value of Z10 can be deduced. Additionally, the value
of Y12 was fixed before, and then the value of Z9 is de-
termined. We can compute Z8 to check if �#A = �#A′.If this is shown to be false, return to step 3 and choose
another value from T2. We expect to find a match after
trying all the 2c values.
3.2.3 Attack evaluation
Firstly, we evaluate the time complexity and memory in the
first part. In the matching rounds of the first and the second
inbound procedures, the complexity is 2 · 2c 1-round com-
putations in time and 2 · 2c−1 words in memory. It costs 2c
memory to build T1 in step 3. There is a c-bit match in step
4 which should be done by walking along all 2c values of a
cell. Hence, it costs 2 · 2c 2-S -box computations in total. In
this part, the time complexity is 2c+1(1 + 2/r) 1-round com-
putations and the memory complexity is 2c+1 words.
We start the second part by computing the first cells of
�#A′ and �#B. This requires 2 · 2c 1-S -box computations
and the memory can be ignored. However, we only need two
different �#A′ words for the latter match so that the cost can
520 Front. Comput. Sci., 2014, 8(3): 513–525
Fig. 4 The inbound phase of the 29-round distinguisher
be reduced to 2c 1-S -box computations. The time complex-
ity of the inbound match in step 1 and step 2 is 2 · 2c and
the memory is 2c−1 words. In step 3, we need 2c memory
to store T2 and the complexity of computing W12 is ignored.
For one selected value in step 3, two independent calcula-
tions are needed to get two c-bit matches in the ninth and the
seventh inbound rounds. The time complexity is 2c 1-round
computations+2c 4-round computations≈ 2c+2 1-round com-
putations. Finally, for the match in the first inbound round,
complexity 2c+2 is multiplied by 2c. Consequently, the time
complexity in the second part is 22c+2 1-round computations
and the memory complexity is 2c−1 + 2c words.
Notice that the outbound phase runs with the probability
of 1. As a result, the complexity for the inbound phase is
22c+2/29 and fewer than 2c+2 words memory which is equal
to 2c states. For the parameter (256,8), this needs 213.1 time
complexity and is 228 for a random permutation.
3.2.4 Attacks for other three parameters
When (N, c) = (128, 8) the complexity is also 213.1, but this
is more than the complexity for random permutation which is
212. We can attack up to 25 rounds of such ciphers by aban-
doning cancelation in the first inbound round which changes
Z7 to be P(1) form. The time complexity decreases to 2c+3/29
and it is 26.1 for this parameter.
If we regard a group of two S -boxes as a big S -box, the
attack can be directly applied to cases (128,4) and (256,4).
They have the same complexity as the attacks on the two ci-
phers with 8-bit S -boxes.
A summary of distinguishers presented in this section is
shown in Table 2.
Table 2 Summary of distinguishers
Parameters(N, c) Rounds Time MemoryComplexity for
ideal permutation
(256, 8) 29 213.1 28 228
(256, 4) 29 213.1 28 228
(128, 8) 25 26.1 28 212
(128, 4) 25 26.1 28 212
3.3 Application to MMO and MP modes
In this subsection, we apply previous 29-round(25-round)
known-key distinguishers to attack the MMO and MP hash-
ing modes using these Feistel-SP ciphers. The attack can gen-
erate 26-round or 22-round n-bit near-collisions depending
on the parameters. People usually think that known-key dis-
tinguishers are the only a weak property for a cipher, but dif-
ferential distinguishers we propose in this paper can deduce
the near-collision attacks so that they endanger the real-world
security of the hash functions using these structures.
Now we give the near-collision attack on the Feistel-SP
construction under the MMO mode. For the 29-round differ-
ential distinguishers on two 256-bit type-1 schemes, we no-
tice that the first word in the output of the 26th round has pat-
tern P(1) (or P(2)), and the first word in the input of the first
round has the same pattern. Consequently, differences in the
two words are equal with the probability of 2−c. If the two dif-
ferential values are equal, the first word in the output has no
difference under the MMO mode in which the message block
is in as the input enters the iteration and XORs the output
to compute the output of the compression function. Hence,
by repeating the process of constructing the distinguisher 2c
times (generate 2c different chaining value Hi−1) we expect to
obtain an n-bit near-collision for the 26-round function. The
time complexity is 221.1.
For the 25-round differential distinguishers on two 128-bit
Le DONG et al. Known-key distinguishers on type-1 Feistel scheme and near-collision attacks on its hashing modes 521
type-1 schemes, the first four rounds are cancelled, and we
can construct a 22-round n-bit near-collision because the in-
put differential patterns are also (P(1),F,F,F)(or (P(2),F,F,F)).The time complexities are 214.1.
If we apply the MP mode to the Feistel-SP structure, we
can trivially extend previous near-collision attacks to them.
This is because our distinguishers are all on the known-key
scenario. Namely there is no difference in the keys (input
chaining value) so that the key addition to the output state
cannot make any impact upon the output value differences.
We can obtain the 26-round or 22-round near-collisions on
this mode. The time complexities are the same as the MMO
mode.
A summary of these near-collision attacks is shown in Ta-
ble 3.
Table 3 Summary of near-collision attacks
Parameters(N, c) Rounds Time MemoryComplexity for
ideal permutation
(256, 8) 26 221.1 28 232
(256, 4) 26 221.1 28 232
(128, 8) 22 214.1 28 216
(128, 4) 22 214.1 28 216
3.4 Application to MAME
3.4.1 Specification of MAME
MAME is a lightweight compression function which was
proposed in the Workshop on Cryptographic Hardware and
Embedded Systems (CHES) 2007. It adopts the MMO mode
and the inner block cipher uses the type-1 4-branch general-
ized Feistel-SP structure. fE denotes the block cipher and fRdenotes the round function. The block size and key size of fE
are both 256 bits so that each of the branches has 64 bits. In
addition, the 64-bit branch is stored in two 32-bit words, thus
the state has eight words denoted by (x(i)0 , x
(i)1 , . . . , x
(i)7 ). The
whole encryption process has 96 rounds.
The round function fR consists of a key addition, a non-
linear function F, and a word-wise permutation. First, the
fifth word x(i)4 XORs the round subkey and concatenates the
sixth word x(i)5 . Second, the two words enter into the non-
linear function F and output two updated words. Then the
two new words are XORed with x(i)6 and x(i)
7 , respectively. Fi-
nally, every word rotates to the right two words.
Function F is the composition of two layers: the S -box
layer S and the linear diffusion layer L. S is a concatenation
of 16 4-bit S boxes, and defined as follows:
S [16] = {4, 14, 15, 1, 13, 9, 10, 0, 11, 2, 7, 12, 3, 6, 8, 5}.
To increase the software performance, this layer adopts bit
slice implementation in which the four bits entering into one
S -box are selected once every 16 bits. The linear diffusion
layer L consists of the rotation and XOR operations. The lin-
ear diffusion layer is defined as follows:
bL = bL ⊕ (bH <<< 1), bH = bH ⊕ (bL <<< 3),
bL = bL ⊕ (bH <<< 4), bH = bH ⊕ (bL <<< 7),
bL = bL ⊕ (bH <<< 8), bH = bH ⊕ (bL <<< 14).
We omit the key scheduling function here because our at-
tack dose not involve it. We refer to [18] for details.
3.4.2 Application to MAME
In the support document of MAME, no (near-)collision at-
tack was provided. Afterward, Xue and Wu gave attacks on
MAME with 22, 23, and 24 rounds in 2010 [36]. The com-
plexity of the 24-round collision attack is about 2112 and
there is no sign that this method can be applied to func-
tions with more rounds. To our knowledge, there is no subse-
quent collision-like analysis for this compression function. In
this subsection, we show a near-collision attack on 26-round
MAME.
For the compression function MAME, the parameter is
(256, 4). Specifically, we should notice three operations in
the inner block cipher:
1) The round subkey XORs half of the bits of the input of
F.
2) The maximum differential probability is 2−2 and this
adopts the bit slice implementation.
3) The branch number of linear layer is eight.
It is easy to find that the round key addition cannot impact
our attack because it is the equivalent of setting the other half
subkey to be zero. The bit slice implementation of S -box can
slightly change the process. When we select active nibbles
it needs to choose the four bits that enter the same S -box.
Since the branch number of the linear layer is not optimal,
the probability of the diffusion pattern 1 → 16 fails to meet
1. However, the probability that there are some output nib-
bles that have no difference is very low. Here, we need to pre-
compute which one-nibble input difference derives all-active
state. This may decrease the degrees of freedom, but we can
use two-nibble input and walk along all possible positions.
Furthermore, the increased compute dose not impact the total
time complexity.
As a result, we can apply the attack on 26-round MAME
compression function and obtain a 64-bit near-collision with
a complexity that is lower than the complexity of the trivial
attack.
522 Front. Comput. Sci., 2014, 8(3): 513–525
4 The proof of a 31-round known-key integraldistinguisher for type-1 Feistel scheme
For constructing the integral distinguisher on Lesamnta,
Sasaki and Aoki provided a known-key distinguisher for the
variant of the type-1 Feistel scheme whose F function is a
permutation [21].
However, the distinguisher is an experimental result for a
very lightweight version with a 32-bit state size and the F
function is a single S -box. It is worth discussing whether
or not the distinguisher is appropriate for the arbitrary-size
type-1 Feistel scheme and for a complex F permutation. In
this section, we prove the correctness of a 31-round type-1
Feistel scheme with any size and any F permutation, we can
always obtain two balance words at the input state and the
output state from a middletext with three active words and a
constant word.
In summary, the framework of the distinguisher can be in-
troduced as follows:
(B,?,?,?)13 rounds←−−−−−−− (C,A,A,A)
18 rounds−−−−−−−→ (?,?,?,B).
The far left word in the middletext is a constant word and
the others are active words. This passes to the 18 rounds en-
cryption computation and then we get a state with a balance
word in the fourth word. In the opposite direction, we obtain
a one-balanced-word state after computing 13 rounds of de-
cryption. Our proof is divided into two parts: the forward part
and the backward part.
4.1 Forwards
It is a fact that the algebraic degree of a function has a close
relationship with the integral attack. Utilizing the evaluation
of the upper bound of the algebraic degree for each round, we
can often find or prove a integral distinguisher. In the forward
part, we use the special properties of the algebraic degrees to
prove the correctness of the 18-round distinguisher. Here we
firstly list some basic results about the algebraic degree:
1) For an n-bit permutation P, the algebraic degrees for all
bits are at most n − 1.
2) Choose m1 bits of a function f as the variables and the
others are constants. If the algebraic degrees of the tar-
get bits in the output state are not more than m1 − 1,
change m2 constant bits into variables in the input state,
and the algebraic degrees of the target bits are at most
m1 + m2 − 1.
Second, we give upper bounds on the degrees of the four
words in every round for the type-1 Feistel scheme variant,
which is deduced by the above properties principally. Let n
denotes the size of a word, and the round function F is a
permutation. The upper bounds on the degrees are shown in
Table 4.
Table 4 The upper bound on the degree of the forward 18 rounds
Round Wi Xi Yi Zi
0 C A A A
1 A C A A
2 A A C A
3 A A A C
(1, n){1} (1, n){2} (1, n){3} 0
4 (n − 1, n){3} (1, n){1} (1, n){2} (1, n){3}5 (n − 1, 2n){2,3} (n − 1, n){3} (1, n){1} (1, n){2}6 (n − 1, 2n){1,2} (n − 1, 2n){2,3} (n − 1, n){3} (1, n){1}7 (n − 1, 2n){1,3} (n − 1, 2n){1,2} (n − 1, 2n){2,3} (n − 1, n){3}8 (2n − 1, 2n){2,3} (n − 1, 2n){1,3} (n − 1, 2n){1,2} (n − 1, 2n){2,3}9 (2n − 1, 3n){1,2,3} (2n − 1, 2n){2,3} (n − 1, 2n){1,3} (n − 1, 2n){1,2}10 (2n − 1, 3n){1,2,3} (2n − 1, 3n){1,2,3} (2n − 1, 2n){2,3} (n − 1, 2n){1,3}11 (2n − 1, 3n){1,2,3} (2n − 1, 3n){1,2,3} (2n − 1, 3n){1,2,3} (2n − 1, 2n){2,3}12 (3n − 1, 3n){1,2,3} (2n − 1, 3n){1,2,3} (2n − 1, 3n){1,2,3} (2n − 1, 3n){1,2,3}13 (3n − 1, 3n){1,2,3} (3n − 1, 3n){1,2,3} (2n − 1, 3n){1,2,3} (2n − 1, 3n){1,2,3}14 (3n − 1, 3n){1,2,3} (3n − 1, 3n){1,2,3} (3n − 1, 3n){1,2,3} (2n − 1, 3n){1,2,3}15 (3n − 1, 3n){1,2,3} (3n − 1, 3n){1,2,3} (3n − 1, 3n){1,2,3} (3n − 1, 3n){1,2,3}16 (3n, 3n){1,2,3} (3n − 1, 3n){1,2,3} (3n − 1, 3n){1,2,3} (3n − 1, 3n){1,2,3}17 (3n, 3n){1,2,3} (3n, 3n){1,2,3} (3n − 1, 3n){1,2,3} (3n − 1, 3n){1,2,3}18 (3n, 3n){1,2,3} (3n, 3n){1,2,3} (3n, 3n){1,2,3} (3n − 1, 3n){1,2,3}
Le DONG et al. Known-key distinguishers on type-1 Feistel scheme and near-collision attacks on its hashing modes 523
In the initial state, three active words are independent. Ad-
ditionally, W1 is obtained by computing F(Y0) ⊕ Z0. As a re-
sult, W1, Y1, and Z1 are also independent. Similarly, three
active words in the next round are also independent and so do
the first three words in the output of the third round.
Now, we explain the upper bounds on the algebraic de-
grees in the table. We define some notations for convenience.
W3, X3, and Y3 are called the first word, the second word, and
the third word, respectively. We know that there are n bits in
each word, and each of the three active words has n active
bits. There are 3n active bits in total, and each active bit is
regarded as a variable. For the notation (a, b){c}, the meanings
of three parameters are as follows: a: the upper bound on the
algebra degrees for all bits; b: the upper bound on the num-
ber of variables in the algebraic normal form for all bits; c:
the origin of the variables. The subscripts with braces for a
word denote the serial number of the active words in the out-
put of the third round which the variables in this word come
from. Besides, the two elements in the parentheses represent
the upper bound on the algebraic degree of all bits in this
word and the variable number involving in this word. For in-
stance, (2n − 1, 2n){2,3} represent that (1) the upper bound on
the algebraic degrees for all bits in this word is 2n − 1; (2)
the algebraic normal form of each bit, at most, involves 2n
variables, and (3) all variables come from the second and the
third active words in the output of the third round, namely X3
and Y3.
In the output of the third round, the algebraic degrees of all
3n variables are 1. Since one word updates in each round and
the resulting word is put in the first position, we only need
to focus on the first word in each round. In the third round,
Y3 enters the round function F and then XOR Z3, which is a
constant word. Additionally, F is a permutation. Hence, the
algebraic degrees of all bits in W4 are at most n − 1 and there
are n variables in this word which come from the third word
Y3. In the next round, we compute W5 = F(Y4) ⊕ Z4 so that it
has 2n variables coming from the second and the third words
and the upper bounds of degrees is n − 1. Similarly, the de-
grees of W6 and W7 are not more than n − 1 and there are 2n
variables in them. Since Y7 = W5 consists of 2n variables and
it is a permutation from X3 to Y7, the degrees of all bits in
W8 is at most 2n − 1. We can deduce the upper bound on the
degrees of W9,W10, . . . ,W14 by using this method.
Now we consider word W15. Notice that the n variables in
W3 are not involved in Z5, Z8, and Z11. This means that if X3
and Y3 are constants, the words Z5, Z8, and Z11 are constants
so that this is a permutation of the only active word W3 to Y14.
In this case, the algebraic degree of all bits in W15 is at most
n−1. Consequently, when we reset X3 and Y3 to be active, the
algebraic degree of all bits in W15 is not more than 3n−1. The
word Z18 is equal to W15. As a result, the algebraic degree of
all bits in Z18 do not reach the maximum value, namely 3n.
The starting state (C,A,A,A) consists of 3n active bits. We
consider each active bit as a variable and walk along all 23n
values. It is equivalently a derivation of the function. Since
the algebraic degree of all bits in Z18 is less than 3n, it is a bal-
ance word (addition for XOR is zero for all 23n ciphertexts)
in this attack scenario.
4.2 Backwards
In this part, we prove the correctness of the trial in backward
by utilizing the properties of higher-order integral attack. We
firstly expound the propagation property for a starting state
with one active word, and then give the two-active-word-state
which can deduce the previous state after three rounds. Table
5 gives the details.
Table 5 The higher-order integral characteristic in backward
Round Wi Xi Yi Zi
14 B ? ? ?
13 A B ? ?
12 A A B ?
11 A A A B
10 A A A A
9 C A A A
8 C C A A
7 C C C A
6 A C C C
5 C A C C
4 C C A C
4 C C A A
3 A C C A
2 A A C C
1 C A A C
If the starting state is (C,C,A,C), the active word reaches
the first position after two rounds (from round 4 to round 6).
In the next inverse round, it XORs a constant and walks up to
the last position. The active word enters into the F function
in the 8th inverse round and outputs an active word related to
the input word. Then, there are two active words in the state.
Continuing to iterate, and we can obtain a full-active state
after the tenth inverse round whose four active words are de-
duced by one active word. One of the four active words passes
into the F function and XORs another active word in the next
inverse round. Since the two active word is correlative, the re-
sult word is balanced. Similarly, it generates a new balanced
word in a following round and at last the first word is bal-
524 Front. Comput. Sci., 2014, 8(3): 513–525
anced in the output state of the 14th inverse round. Namely,
one-word-balance property can be deduced for ten backward
rounds from a special one-word-active state. Besides, it only
needs two active words in the second and the third positions
to obtain a state after three backward rounds conforming the
third word active and independent (from round 1 to round 4).
Therefore, from state (C,A,A,C), we can get the one-active-
word state (B,?,?,?) after 13 inverse rounds.
In total, from the middle structure (C,A,A,A) two one-
word-balance states can be obtained after 18 rounds and 13
inverse rounds.
5 Conclusion
In this paper, we have proposed two 29-round known-key
truncated differential distinguishers for the type-1 Feistel
scheme with parameters (256, 8) and (256, 4). When (N, c) =
(128, 8) and (128, 4), the known-key truncated differential
distinguishers with 25 rounds are constructed. All distin-
guishers can be run in practical time. Unlike the attack on
the Feistel scheme, our distinguishers are built by utilizing
the degrees of freedom of non-active words. We show how
to construct the multi-inbound and connect them by guess-
ing and determining the value of non-active words in order.
Additionally, we construct the near-collision attacks based on
these distinguishers with MMO and MP hashing modes. The
near-collision attack is used to analyze the compression func-
tion MAME.
We also prove the correctness of the 31-round known-key
integral distinguishers of the type-1 Feistel scheme which
was discovered by Sasaki et al. In the forward part, the al-
gebraic degree is applied to prove the integral characteristic.
Some higher-order integral properties are employed in the
backward part. We illustrate that the distinguisher is suitable
for the balanced type-1 Feistel scheme with any size whose
round function is a permutation.
Acknowledgements This research project was promoted by the Scien-tific Research Foundation for High Level Talents of Henan Normal Univer-sity (01016500148) and the National Natural Science Foundation of China(Grant Nos. 61272476, 61232009).
References
1. Knudsen L R, Rijmen V. Known-key distinguishers for some block-
ciphers. In: Proceedings of the 13th International Conference on the
Theory and Application of Cryptology and Information Security. 2007,
315–324
2. Smid M E, Branstad D K. Data encryption standard: past and future.
Proceedings of the IEEE, 1988, 76(5): 550–559
3. Schneier B. Description of a new variable-length key, 64-bit block ci-
pher (blowfish). Lecture Notes in Computer Science, 1994, 809: 191–
204
4. Kazumaro A, Tetsuya I, Masayuki K, Mitsuru M, Shiho M, Junko N,
Toshio T. Camellia: a 128-bit block cipher suitable for multiple plat-
forms design and analysis. In: Proceedings of the 7th Annual Interna-
tional Workshop Selected Areas in Cryptography. 2001, 39–56
5. Wallen J. Design principles of the kasumi block cipher. Proceedings of
the Helsinki University of Technology Seminar on Network Security,
2000
6. Rivest R L. The RC5 encryption algorithm. In: Proceedings of the 2nd
International Workshop on Fast Software Encryption.1995, 86–96
7. Wu W, Zhang L. Lblock: a lightweight block cipher. In: Proceedings
of the 9th International Conference on Applied Cryptography and Net-
work Security. 2011, 327–344
8. Mendel F, Rechberger C, Schläffer M, Thomsen S S. The rebound at-
tack: Cryptanalysis of reduced Whirlpool and Grøstl. In: Proceedings
of the 16th International Workshop on Fast Software Encryption. 2009,
260–276
9. Sasaki Y, Yasuda K. Known-key distinguishers on 11-round feistel and
collision attacks on its hashing modes. In: Proceedings of the 18th In-
ternational Workshop on Fast Software Encryption. 2011, 397–415
10. Sasaki Y, Emami S, Hong D, Kumar A. Improved known-key distin-
guishers on Feistel-SP ciphers and application to camellia. In: Proceed-
ings of the 17th Australasian Conference Conference on Information
Security and Privacy. 2012, 87–100
11. Minier M, Phan R C W, Pousse B. Distinguishers for ciphers and
known key attack against rijndael with large blocks. Lecture Notes in
Computer Science, 2009, 5580: 60–76
12. Lamberger M, Mendel F, Rechberger C, Rijmen V, Schläffer M. Re-
bound distinguishers: Results on the full Whirlpool compression func-
tion. In: Proceedings of the 15th International Conference on the The-
ory and Application of Cryptology and Information Security. 2009,
126–143
13. Wu S, Feng D, Wu W. Cryptanalysis of the LANE hash function. In:
Proceedings of the 16th Annual International Workshop on Selected
Areas in Cryptography. 2009, 126–140
14. Gilbert H, Peyrin T. Super-sbox cryptanalysis: Improved attacks for
AES-like permutations. In: Proceedings of the 17th International
Workshop on Fast Soft Encryption. 2010, 365–383
15. Dong L, Wu W, Wu S, Zou J. Known-key distinguisher on round re-
duced 3D block cipher. In: Proceedings of the 12th International Work-
shop on Information Security Applications. 2011, 55–69
16. Zheng Y, Matsumoto T, Imai H. On the construction of block ciphers
provably secure and not relying on any unproved hypotheses. Lecture
Notes in Computer Science, 1989, 435: 461–480
17. Adams C, Tavares S, Heys H, Wiener M. The CAST-256 encryption
algorithm. Submission to AES competition, 1998
18. Yoshida H,Watanabe D, Okeya K, Kitahara J,Wu H, Küçük Ö, Preneel
B. Mame: A compression function with reduced hardware require-
ments. In: Proceedings of the 9th International Workshop Workshop
on Cryptographic Hardware and Embedded Systems. 2007, 148–165
19. Hirose S, Kuwakado H, Yoshida H. SHA-3 proposal: Lesamnta. Sub-
mission to NIST, 2008
20. Bouillaguet C, Dunkelman O, Leurent G, Fouque P A. Lecture Notes
Le DONG et al. Known-key distinguishers on type-1 Feistel scheme and near-collision attacks on its hashing modes 525
in Computer Science, 2010, 6544: 18–35
21. Sasaki Y, Aoki K. Improved integral analysis on tweaked lesamnta. In:
Proceedings of the 14th International Conference on Information Se-
curity and Cryptology. 2011, 1–17
22. Peyrin T. Improved differential attacks for ECHO and Grøstl. In: Pro-
ceedings of the 30th Annual Cryptology Conference. 2010, 370–392
23. Mendel F, Peyrin T, Rechberger C, Schläffer M. Improved cryptanal-
ysis of the reduced Grøstl compression function, ECHO permutation
and aes block cipher. Lecture Notes in Computer Science, 2009, 5867:
16–35
24. Matusiewicz K, Naya-Plasencia M, Nikolic I, Sasaki Y, Schläffer M.
Rebound attack on the full LANE compression function. In: Proceed-
ings of the 15th International Conference on the Theory and Applica-
tion of Cryptology and Information Security. 2009, 106–125
25. Mendel F, Rechberger C, Schläffer M. Cryptanalysis of twister. In: Pro-
ceedings of the 7th International Conference on Applied Cryptography
and Network Security. 2009, 342–353
26. Rijmen V, Toz D, Varici K. Rebound attack on reduced-round versions
of JH. In: Proceedings of the 17th International Workshop on Fast Soft
Encryption. 2010, 286–303
27. Naya-Plasencia M, Toz D, Varici K. Rebound attack on JH42. In: Pro-
ceedings of the 17th International Conference on the Theory and Ap-
plication of Cryptology and Information Security. 2011, 252–269
28. Wu S, Feng D, Wu W. Practical rebound attack on 12-round Cheetah-
256. In: Proceedings of the 12th International Conference Annual In-
ternational Conference on Information Security and Cryptology. 2009,
300–314
29. Khovratovich D, Naya-Plasencia M, Röck A, Schläffer M. Cryptanal-
ysis of Luffa v2 components. In: Proceedings of the 17th International
Workshop on Selected Areas in Cryptography. 2010, 388–409
30. Daemen J, Knudsen L R, Rijmen V. The block cipher square. In: Pro-
ceedings of the 4th International Workshop on Fast Soft Encryption.
1997, 149–165
31. Ferguson N, Kelsey J, Lucks S, Schneier B, Stay M, Wagner D, Whit-
ing D. Improved cryptanalysis of Rijndael. In: Proceedings of the 7th
International Workshop on Fast Soft Encryption. 2000, 213–230
32. Galice S, Minier M. Improving integral attacks against Rijndael-256
up to 9 rounds. Lecture Notes in Computer Science, 2008, 5023: 1–15
33. Knudsen L R,Wagner D. Integral cryptanalysis. In: Proceedings of the
9th International Workshop on Fast Soft Encryption. 2002, 112–127
34. Preneel B, Govaerts R, Vandewalle J. Hash functions based on block
ciphers: A synthetic approach. Lecture Notes in Computer Science,
1993, 773: 368–378
35. Black J, Rogaway P, Shrimpton T. Black-box analysis of the
blockcipher-based hash-function constructions from PGV. Lecture
Notes in Computer Science, 2002, 2442: 320–335
36. Yu X, Wenling W. Cryptanalysis of MAME compression function. In:
Proceedings of the 2010 International Conference on Computer Design
and Applications. 2010, 5: 602–605
Le Dong is a lecturer in the Henan
Normal University, China. He received
his PhD from the Institute of Soft-
ware, Chinese Academy of Sciences
in 2013. He received his MS and BS
from Zhengzhou University in 2006
and 2003, respectively. His research
interests include cryptanalysis of hash
functions and block ciphers.
Wenling Wu is a researcher and PhD
supervisor in the Institute of Software,
Chinese Academy of Sciences. She re-
ceived her PhD from Xidian Univer-
sity in 1997, and her MS and BS
from Northwest University in 1990 and
1987. Her research interests are crypt-
analysis and the design of block ci-
phers.
Shuang Wu is a research associate
in the Institute of Software, Chinese
Academy of Sciences. He received his
PhD from the Chinese Academy of Sci-
ences in 2011, and his BS from Ts-
inghua University in 2005. His research
interests are cryptanalysis and the de-
sign of hash functions.
Jian Zou is a PhD candidate in the In-
stitute of Software, Chinese Academy
of Sciences. He received his BS from
Central China Normal University in
2009. His research interests are crypt-
analysis and the design of hash func-
tions.