generic attacks on feistel ciphers with internal …¬ƒcient against feistel ciphers with internal...

Generic Attacks on Feistel Ciphers With InternalPermutations

Joana Treger, Jacques Patarin

PRiSM, Universite de Versailles

2008-11-27

Joana Treger, Jacques Patarin (PRiSM, Universite de Versailles)Generic Attacks on Feistel Ciphers With Internal Permutations 2008-11-27 1 / 39

Summary

1 Introduction

2 Generic attacks on the first 5 rounds

3 Generic attacks for any number of roundsGeneral methodComputation of the H-coefficientsExample on 3 roundsAttacking Feistel permutation generatorsExample on 6 rounds

4 Table of results and conclusion


Feistel ciphers (1/3)

Definition

Let f be a function from {1, . . . , 2n} to {1, . . . , 2n}.A Feistel cipher with round function f is defined by :

L

f

R

S T

Fig.: 1-round Feistel scheme

We call ψ(f ) or simply ψ such a construction.

ψ([L,R]) = [R, L ⊕ f (R)] = [S ,T ]


Feistel ciphers (2/3)

ψ is a permutation of {1, . . . , 22n} :

ψ−1([S ,T ]) = [T ⊕ f (S),S ] = [L,R]

L R

f

S T

T S

R L

Fig.: ψ−1 = τ ◦ ψ ◦ τ


Feistel ciphers 3/3

Definition

Let f1, . . . , fk be k functions from {1, . . . , 2n} to {1, . . . , 2n}.A k-round Feistel cipher with round functions f1, . . . , fk is defined by the

succesion of k rounds of a Feistel cipher with round function fi :

ψk(f1, . . . , fk):= ψ(fk) ◦ . . . ◦ ψ(f1)

L R

f 1

R X1

f

S T

SXk−2

k

L −13 kfX TS kfR f2f1f k−2X 1 X2


Luby-Rackoff revisited

Derived structures :

Classical Feistel ciphers.

Unbalanced Feistel ciphers with expanding internal functions.

Unbalanced Feistel ciphers with contracting internal functions.

Feistel ciphers with internal permutations.

Used in the design of Twofish, Camellia, DEAL.

[Knudsen-02] : attack on 5 rounds, impossible differential[Piret-05] : security proofs for 3 and 4 rounds, ≥ O(2n/2) messages 3-roundCPA − 2, 4-round CPCA − 2


Feistel ciphers with internal permutations

Different behaviour of these Feistel networks and the classical ones.

Example (3 rounds) :

L XR 2f1f S f T3

Attack on 3 round classical Feistel ciphers :

Relations considered between two input/output couples :R1 ⊕ S1 = R2 ⊕ S2.

Random permutation : probability 1/2n ; Feistel cipher : probability2/2n

R1 ⊕ S1 = R2 ⊕ S2 ⇔ f2(X1) = f2(X2)f2(X1) = f2(X2) ⇔ X1 = X2 or (X1 6= X2 and f2(X1) = f2(X2)).

Chosen plaintext attack : O(2n/2) messages.


Feistel ciphers with internal permutations

Different behaviour of these Feistel networks and the classical ones.

Example (3 rounds) :

L XR 2f1f S f T3

Attack on 3 round classical Feistel ciphers :

Relations considered between two input/output couples :R1 ⊕ S1 = R2 ⊕ S2.

Random permutation : probability 1/2n ; Feistel cipher : probability2/2n

R1 ⊕ S1 = R2 ⊕ S2 ⇔ f2(X1) = f2(X2)f2(X1) = f2(X2) ⇔ X1 = X2 or (X1 6= X2 and f2(X1) = f2(X2)).

Chosen plaintext attack : O(2n/2) messages.

Known plaintext attack : O(2n/2) messages.

Does not work on Feistel cipher with round permutations !


Generic attacks

Definition

A generic attack on a Feistel cipher with internal permutations, is an attack

allowing to distinguish with high probability a Feistel cipher from a random

permutation, when the round permutations are randomly chosen.

We interest ourselves in generic attacks, necessiting < O(22n) messages(exhaustive search on the inputs).

When the complexity is ≥ O(22n), we interest ourselves in attacks onFeistel permutation generators.


Two-point attacks

Definition

two-point attacks are attacks using correlations between blocks of pairs of

distinct messages.

Example : previous attack on 3 rounds, relations considered between 2messages were R1 ⊕ S1 = R2 ⊕ S2.

Best known attacks against classical Feistel ciphers (except on 3rounds, CPCA-2).

Efficient against Feistel ciphers with internal permutations : thecomplexities of the two-point attacks found (except on 3 rounds,CPCA − 2) coincide with the known bounds of security (3 and 4rounds, [Piret-05]).


Notations

KPA : known plaintext attack

CPA − 1 : non-adaptive chosen plaintext attack

CPA − 2 : adaptive chosen plaintext attack

CPCA − 1 : non-adaptive chosen plaintext and ciphertext attack

CPCA − 2 : adaptive chosen plaintext and ciphertext attack

Bn : permutation on n bits.


Generic attack by hand : 1 and 2 rounds

L 1fR=S T

Relation considered : R = S .

Random permutation : probability 1/2n ; Feistel cipher : probability 1.

KPA : 1 message.


Generic attack by hand : 1 and 2 rounds

L 1fR=S T

Relation considered : R = S .

Random permutation : probability 1/2n ; Feistel cipher : probability 1.

KPA : 1 message.

L S f T3R 1f

Relations considered : R1 = R2, S1 ⊕ S2 = L1 ⊕ L2.

CPA − 1. Random permutation : probability 1/2n ; Feistel cipher :probability 1.

CPA − 1 : 2 messages.

KPA : O(2n/2) messages.


Generic attacks by hand : 3 rounds

L XR 2f1f S f T3

Relation considered : L1 = L2, R1 ⊕ R2 = S1 ⊕ S2.

CPA − 1. Random permutation : probability 1/2n ; Feistel cipher :probability 0

R1 ⊕ R2 = S1 ⊕ S2 ⇒ X1 = X2 ⇒ R1 = R2.

CPA − 1 : O(2n/2) messages.

KPA : O(2n) messages.


Generic attack by hand : 4 rounds

L R 1f X X S f Tf f2 3 41 2

Relation considered : R1 = R2, L1 ⊕ L2 = S1 ⊕ S2.

CPA − 1. Random permutation : probability 1/2n ; Feistel cipher :probability 0

R1 = R2 ⇒ X 11 ⊕ X 1

2 = L1 ⊕ L2.L1 ⊕ L2 = S1 ⊕ S2 = X 1

1 ⊕ X 12 ⇒ X 2

1 = X 22 ⇒ L1 = L2.

CPA − 1 : O(2n/2) messages.

KPA : O(2n) messages.


Generic attack by hand : 5 rounds [Knudsen-02]

R 1f X Xf f2 31 2L SX3 f Tf4 5

Relation considered : R1 = R2, S1 = S2, L1 ⊕ L2 = T1 ⊕ T2.

CPA − 1. Random permutation : probability 1/22n ; Feistel cipher :probability 0.

S1 = S2 ⇒ X 31 ⊕ X 3

2 = T1 ⊕ T2.R1 = R2 ⇒ X 1

1 ⊕ X 12 = L1 ⊕ L2.

T1 ⊕ T2 = L1 ⊕ L2 ⇒ X 21 = X 2

2 ⇒ X 11 = X 1

2 ⇒ L1 = L2.

CPA − 1 : O(2n) messages.

KPA : O(23n/2) messages.


Special case : 3 rounds, CPCA − 2

L XR 2f1f S f T3

Best attack is 3-point attack. The same attack as for classical Feistel ciphers[LR-88].

3 messages : [L1,R1]/[S1,T1], [L2,R1]/[S2,T2] and[L3,R3]/[S1,T1 ⊕ L1 ⊕ L2]. Relation considered : R2 ⊕ R3 = S2 ⊕ S3.

CPCA − 2. Feistel cipher : probability 1 ; Random permutation :probability 1/2n

R1 = R2 ⇒ X1 ⊕ X2 = L1 ⊕ L2.S1 = S3 ⇒ X1 ⊕ X3 = T1 ⊕ T3.T3 ⊕ T1 = L1 ⊕ L2 ⇒ X2 = X3.X2 = X3 ⇒ R2 ⊕ R3 = S2 ⊕ S3.

CPCA − 2 : 3 messages.


Remark, complexity ≪ 2n/2

Remark :

Distinguishing a random permutation on n bits from a random function :O(2n/2) messages.

⇒ When an attack needs ≪ 2n/2 messages, it works on Feistel cipherswith internal permutations and functions.


Plan

1 Introduction





Towards a systematical analysis

We want the best generic two-point attack on a k-round Feistel cipher, for anyk .

1 Enumerate all possible cases C (equalities/inequalities between the inputand output blocks of 2 distinct messages).

2 For each case, evaluate the probability (depending on k) to get onespecific output pair from a specific input pair, for both a randompermutation and a Feistel permutation.

3 For each k and each type of attack (KPA, CPA,..), estimate the caseleading to the best attack.

4 Evaluate the number of messages needed to realize the attack.


1 : Enumerating all possible cases

Possible equalities between the blocks :

L1 = L2, or not

R1 = R2, or not

S1 = S2, or not

T1 = T2, or not

L1 ⊕ L2 = S1 ⊕ S2, or not, when k is even

R1 ⊕ R2 = T1 ⊕ T2, or not, when k is even

L1 ⊕ L2 = T1 ⊕ T2, or not, when k is odd

R1 ⊕ R2 = S1 ⊕ S2, or not, when k is odd

For k even : 13 cases.

For k odd : 11 cases.


2 : Computing the probabilities (1/2)

Given one input/output pair. Computing the probabilities P1 to get these two

precise outputs from the inputs :

In the case of a random permutation : easy.

In the case of a Feistel cipher with internal permutations : based on theH-coefficient values.



Given one input/output pair. Computing the probabilities P1 to get these two

precise outputs from the inputs :

In the case of a random permutation : easy.

In the case of a Feistel cipher with internal permutations : based on theH-coefficient values.

Definition

[L1,R1] 6= [L2,R2] and [S1,T1] 6= [S2,T2] ∈ [1, 22n]. The H-coefficient

computes the number of (f1, . . . , fk) ∈ Bkn , such that

ψk(f1, . . . , fk)([Li ,Ri ]) = [Si ,Ti ], i = 1, 2.

→ The H value is the same for all pairs belonging to a same case C.



Proposition

Suppose the H-coefficients computed. Then the previous probability P1 to get

one precise outpout from a given input pair is :1

22n(22n−1)in the case of a random permutation.

H|Bn|k in the case of a k-round Feistel cipher.


3 : Estimating the cases leading to the best attack

A case C with a largest difference between the previous probability P1

should lead to a better attack.





But : to get an attack, the difference in the probabilities has to result in adifference in the number of couples verifying the specific constraints ontheir blocks.





But : to get an attack, the difference in the probabilities has to result in adifference in the number of couples verifying the specific constraints ontheir blocks.

Thus : find the cases which realize a compromise between :

HUGE DIFFERENCEbetween the probabilitiesto obtain one specific pairof input/ouput couples

AND

NUMBER OF RELATIONSon the blocks,

that cannot be imposedby the type of attack.


4 : Evaluating the number of messages needed to realize theattack (1/2)

Let C be one specific case. Let us consider m messages and the randomvariables :

Xp counts the number of pairs of these messages verifying the equationsof C on the inputs and outputs when they correspond to a randompermutation

Xψk counts the same number for a k-round Feistel cipher with internalpermutation.

From the Chebytchev formula :

P{|X − E (X )| ≥ α · σ(X )} ≤ 1

α2,

we distinguish with high probability ψk from a random permutation if

|E (Xψk ) − E (Xp)| > σ(Xψk ) + σ(Xp).

For each case C, those values can be obtained from P1.


4 : Evaluating the number of messages needed to realize theattack (2/2)

We consider a case C with ne equations between the input and output blocksthat cannot be imposed by the type of attack considered.

We can solve |E (Xψk ) − E (Xp)| > σ(Xp) + σ(Xψk ) and find M :

M

2ne ·n · |H · 24n

|Bn|k− 1

1 − 1/22n| >

√

M

2ne ·n ,

where |H·24n

|Bn|k − 11−1/22n | is 24n times the differences of the P1’s.

We deduce the number m of messages needed to get these M pairs.

We get an attack with complexity O(m).

Remark : best attacks : ne minimal and |H·24n

|Bn|k − 11−1/22n | maximal.


Plan

1 Introduction





The reasoning

L

L

−13 kfX TS kfR f2f1f k−2X 1 X 2


1 1 1 1 11 1

2 2 2 2 2 22

Fig.: ψk(f1, . . . , fk)([Li ,Ri ]) = [Si ,Ti ], i = 1, 2

Fix a possible sequence s ∈ {=, 6=}k , such that X i1 si X i

2.

For such a fixed sequence s, evaluate the number H(s) of possibilities for(f1, . . . , fk).

Find all possible sequences s and sum up :

H =∑

possible s

H(s).


H-coefficients

L

L



1 1 1 1 11 1

2 2 2 2 2 22


The preceding steps can be done using combinatorial facts.


H-coefficients

L

L



1 1 1 1 11 1

2 2 2 2 2 22


The preceding steps can be done using combinatorial facts. Thus :

We obtain general formulae for the H-coefficients

We obtain all attacks using correlations between two messages.


Plan

1 Introduction





Example on 3 rounds, KPA. Table of values of H·24n

|Bn|3 − 11−1/22n

case :equalities :

10 eq.

H·24n

|Bn|3− 1

1−1/22n 1/22n

case :equalities :

21 eq.

31 eq.

41 eq.

51 eq.

H·24n

|Bn|3− 1

1−1/22n 1/2n 1/2n 1/2n 1/2n

case :equalities :

62 eq.

72 eq.

82 eq.

92 eq.

102 eq.

112 eq.

H·24n

|Bn|3− 1

1−1/22n 1/2n 1 1 1 1/2n 1/2n

case :equalities :

123 eq.

133 eq.

H·24n

|Bn|3− 1

1−1/22n 1 1

Fig.: Order of the leading term of H·24n

|Bn|3− 1

1−1/22n in different cases


Example on 3 rounds, KPA

In case 1 :

E (Xp) ≃ M (M : number of pairs of messages)

O(H·24n

|Bn|3 − 11−1/22n ) = 1/22n ⇒ |E (Xp) − E (Xψ3)| ≃ M

22n

M22n >

√M ⇔ M > 24n



In case 1 :


O(H·24n

|Bn|3 − 11−1/22n ) = 1/22n ⇒ |E (Xp) − E (Xψ3)| ≃ M

22n

M22n >

√M ⇔ M > 24n

In cases 2 to 5 :

E (Xp) ≃ M2n (M : number of pairs of messages)

O(H·24n

|Bn|3 − 11−1/22n ) = 1/2n ⇒ |E (Xp) − E (Xψ3)| ≃ M

22n

M22n >

√M√2n

⇔ M > 23n



In case 1 :


O(H·24n

|Bn|3 − 11−1/22n ) = 1/22n ⇒ |E (Xp) − E (Xψ3)| ≃ M

22n

M22n >

√M ⇔ M > 24n

In cases 2 to 5 :


O(H·24n

|Bn|3 − 11−1/22n ) = 1/2n ⇒ |E (Xp) − E (Xψ3)| ≃ M

22n

M22n >

√M√2n

⇔ M > 23n

In cases 7, 8 and 9 :


O(H·24n

|Bn|3 − 11−1/22n ) = 1 ⇒ |E (Xp) − E (Xψ3)| ≃ M

22n

M22n >

√M

2n ⇔ M > 22n



In case 1 :


O(H·24n

|Bn|3 − 11−1/22n ) = 1/22n ⇒ |E (Xp) − E (Xψ3)| ≃ M

22n

M22n >

√M ⇔ M > 24n

In cases 2 to 5 :


O(H·24n

|Bn|3 − 11−1/22n ) = 1/2n ⇒ |E (Xp) − E (Xψ3)| ≃ M

22n

M22n >

√M√2n

⇔ M > 23n

In cases 7, 8 and 9 :


O(H·24n

|Bn|3 − 11−1/22n ) = 1 ⇒ |E (Xp) − E (Xψ3)| ≃ M

22n

M22n >

√M

2n ⇔ M > 22n

Cases 7, 8 and 9 are the cases leading to the best attack. O(2n) messages areneeded to get O(22n) pairs. Complexity of the attack : O(2n).


Example on 3 rounds, comments

L XR 2f1f S f T3

Not just one best attack. Here, 3 cases lead to the best attack :

case 7 : S1 = S2 and L1 ⊕ L2 = T1 ⊕ T2,

case 8 : R1 = R2 and S1 = S2,

case 9 : L1 = L2 and R1 ⊕ R2 = S1 ⊕ S2 (the one exposed in the firstpart).


Example on 3 rounds, comments

L XR 2f1f S f T3

Not just one best attack. Here, 3 cases lead to the best attack :

case 7 : S1 = S2 and L1 ⊕ L2 = T1 ⊕ T2,

case 8 : R1 = R2 and S1 = S2,

case 9 : L1 = L2 and R1 ⊕ R2 = S1 ⊕ S2 (the one exposed in the firstpart).

We could have deduced from the table that no KPA on 3 rounds comparableto the one on classical Feistel ciphers was possible :

there, for the case R1 ⊕ R2 = S1 ⊕ S2, the difference |H·24n

|Bn|3 − 11−1/22n | is

of about 1 for just 1 condition on the inputs and outputs.

here, there is no comparable case ⇒ no comparable KPA.


Plan

1 Introduction





Attacks on Feistel permutation generators

When m > 22n, we decide to attack a permutation generator. (λ number ofpermutations needed)Here, the preceding values :

are multiplied by λ for E (Xp),E (Xψk ),

are multiplied by√

(λ) for σ(Xp), σ(Xψk ) by√λ.

We can solveM · λ2ne .n

· |H · 24n

|Bn|k− 1

1 − 1/22n| >

√

M · λ2ne .n

,

with M maximal per permutation (⇒ m = 22n), and find λ.⇒ We get an attack with complexity O(m · λ) =O(22n · λ).

Remark : best attacks : ne minimal, |H·24n

|Bn|k − 11−1/22n | maximal and M maximal.


Plan

1 Introduction





Example on 6 rounds, CPA. Table of values of H·24n

|Bn|6 − 11−1/22n

case :equalities :maximal M :

10 eq.24n

20 eq.23n

30 eq.23n

H·24n

|Bn|6− 1

1−1/22n 1/23n 1/23n 1/23n


41 eq.24n

51 eq.23n

61 eq.23n

71 eq.23n

81 eq.23n

H·24n

|Bn|6− 1

1−1/22n 1/22n 1/23n 1/22n 1/22n 1/22n


92 eq.24n

102 eq.24n

112 eq.23n

H·24n

|Bn|6− 1

1−1/22n 1/23n 1/22n 1/2n

Fig.: Order of the leading term of H·24n

|Bn|6− 1

1−1/22n in different cases


Example on 6 rounds, CPA

In case 1 :

E (Xp) ≃ λ · 24n

O(H·24n

|Bn|6 − 11−1/22n ) = 1/23n ⇒ |E (Xp) − E (Xψ6)| ≃ λ · 2n

λ · 2n >√λ · 22n ⇔ λ > 22n



In case 1 :

E (Xp) ≃ λ · 24n

O(H·24n

|Bn|6 − 11−1/22n ) = 1/23n ⇒ |E (Xp) − E (Xψ6)| ≃ λ · 2n

λ · 2n >√λ · 22n ⇔ λ > 22n

In case 4 :

E (Xp) ≃ λ·24n

2n

O(H·24n

|Bn|6 − 11−1/22n ) = 1/22n ⇒ |E (Xp) − E (Xψ3)| ≃ λ · 2n

λ · 2n >√λ · 23n ⇔ λ > 2n



In case 1 :

E (Xp) ≃ λ · 24n

O(H·24n

|Bn|6 − 11−1/22n ) = 1/23n ⇒ |E (Xp) − E (Xψ6)| ≃ λ · 2n

λ · 2n >√λ · 22n ⇔ λ > 22n

In case 4 :

E (Xp) ≃ λ·24n

2n

O(H·24n

|Bn|6 − 11−1/22n ) = 1/22n ⇒ |E (Xp) − E (Xψ3)| ≃ λ · 2n

λ · 2n >√λ · 23n ⇔ λ > 2n

In case 11 :

E (Xp) ≃ λ·23n

22n

O(H·24n

|Bn|6 − 11−1/22n ) = 1/2n ⇒ |E (Xp) − E (Xψ6)| ≃ λ

λ >√λ · 2n ⇔ λ > 2n



In case 1 :

E (Xp) ≃ λ · 24n

O(H·24n

|Bn|6 − 11−1/22n ) = 1/23n ⇒ |E (Xp) − E (Xψ6)| ≃ λ · 2n

λ · 2n >√λ · 22n ⇔ λ > 22n

In case 4 :

E (Xp) ≃ λ·24n

2n

O(H·24n

|Bn|6 − 11−1/22n ) = 1/22n ⇒ |E (Xp) − E (Xψ3)| ≃ λ · 2n

λ · 2n >√λ · 23n ⇔ λ > 2n

In case 11 :

E (Xp) ≃ λ·23n

22n

O(H·24n

|Bn|6 − 11−1/22n ) = 1/2n ⇒ |E (Xp) − E (Xψ6)| ≃ λ

λ >√λ · 2n ⇔ λ > 2n

Cases 4 and 11 are the cases leading to the best attacks. O(2n) permutationsand O(22n) messages per permutation are needed. Complexity of the

attacks : O(23n).


Table of results

number k

of roundsKPA CPA-1 CPA-2 CPCA-1 CPCA-2

1 1 1 1 1 1

2 2n/2 2 2 2 2

3 2n(+) 2n/2 2n/2 2n/2 3

4 2n 2n/2 2n/2 2n/2 2n/2

5 23n/2 2n 2n 2n 2n

6 23n(+) 23n(+) 23n(+) 23n(+) 23n(+)

7 23n 23n 23n 23n 23n

8 24n 24n 24n 24n 24n

9 26n(+) 26n(+) 26n(+) 26n(+) 26n(+)

10 26n 26n 26n 26n 26n

11 27n 27n 27n 27n 27n

12 29n(+) 29n(+) 29n(+) 29n(+) 29n(+)

k≥6, k=0 mod 3 2(k−3)n 2(k−3)n 2(k−3)n 2(k−3)n 2(k−3)n

k≥6, k=1 or 2 mod 3 2(k−4)n 2(k−4)n 2(k−4)n 2(k−4)n 2(k−4)n

Fig.: Maximum number of messages needed to get an attack on a k-round Feistelnetwork with internal permutations.


Table of results for classical Feistel ciphers [Patarin-01]

number k

of roundsKPA CPA-1 CPA-2 CPCA-1 CPCA-2

1 1 1 1 1 1

2 2n/2 2 2 2 2

3 2n/2 2n/2 2n/2 2n/2 3

4 2n 2n/2 2n/2 2n/2 2n/2

5 23n/2 2n 2n 2n 2n

6 22n 22n 22n 22n 22n

7 23n 23n 23n 23n 23n

8 24n 24n 24n 24n 24n

9 25n 25n 25n 25n 25n

10 26n 26n 26n 26n 26n

11 27n 27n 27n 27n 27n

12 28n 28n 28n 28n 28n

k≥6 2(k−4)n 2(k−4)n 2(k−4)n 2(k−4)n 2(k−4)n

Fig.: Maximum number of messages needed to get an attack on a k-round Feistelnetwork with internal functions.


Conclusion

We gave the best generic two-point attacks on Feistel ciphers with internalpermutations.

These are the best known generic attacks on such ciphers.

The complexities reach the known bounds on security (3 and 4 rounds,[Piret-05]).

However, other attacks may be possible, we did not concentrate on proofsof security.

Complexities found often close to the complexity of the attacks onclassical Feistel chiphers. This could not be predicted.


generic attacks on feistel ciphers with internal …¬ƒcient against feistel ciphers with internal...

Documents