Open AccessAll‐subkeys‐recovery attacks on a variation of Feistel‐2 block ciphers
Author(s) -
Yang Dong,
Qi WenFeng,
Tian Tian
Publication year - 2017
Publication title -
iet information security
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.308
H-Index - 34
eISSN - 1751-8717
pISSN - 1751-8709
DOI - 10.1049/iet-ifs.2016.0014
Subject(s) - key schedule , slide attack , block cipher , cipher , block size , mathematics , differential cryptanalysis , linear cryptanalysis , arithmetic , boomerang attack , computer science , two square cipher , transposition cipher , cryptography , algorithm , running key cipher , key (lock) , computer security , encryption
The Feistel‐2 cipher is a type of Feistel ciphers proposed by Isobe and Shibutani at Asiacrypt 2013. Its round functions consist of a public F ‐function and a subkey XORed before the F ‐function. Recently, a variation of the Feistel‐2 cipher, in which the subkey is XORed after the F ‐function, has been widely used in proposals such as SIMON and Simeck. The authors denote this type of Feistel ciphers as Feistel‐2. In this study, they study the security of Feistel‐2* ciphers. First, they propose the differential function reduction technique. Then, they present all‐subkeys‐recovery attacks against Feistel‐2* ciphers based on this technique. Let z be the key size to block size ratio of block ciphers. It is shown that their attacks can break up 6, 8 and 10 rounds of the Feistel‐2* cipher for z = 1, 3/2 and 2, respectively. Thanks to the meet‐in‐the‐middle approach, their attacks only need a few chosen plaintexts. Moreover, with higher‐data complexity, all attacks can be improved by one round. This implies that a secure Feistel‐2* cipher should at least iterate 8, 10 and 12 rounds for z = 1, 3/2 and 2, respectively.