Multiset Structural Attack on Generalized Feistel Networks

In this paper, we present new genericmultiset attacks against generalized Feistel networks, by whichwe can recover all the unknown round functions completely instead of deciding whether an unknown encryption oracle is such network or a random permutation. With one r-round multiset distinguisher, we can recover the outermost round functions for r + 1-round block cipher. Next we propose the dummy-round technique, which allows us to make a full-round decomposition if the outermost round is recovered. Moreover, the dummy-round technique barely increases the complexity of our attack. Using this genericmethod, we propose attacks on 7-round RC6-like and 7-round CLEFIA-like structures. Our attacks can recover all the secret round functions, requiring only O(10 × 2) time complexity and O(5 × 2) chosen plaintexts, where n indicates the block size of the cipher. For 64-bit ciphers of these two structures, our results will lead to a practical attack.


Introduction
The architecture is a fundamental part of a block cipher.It plays an important role in both security aspects and implementation performances of the cipher.Two of the most frequently used architectural structures nowadays are the Substitution-Permutation Networks and the generalized Feistel Networks; the latter contains the standard Feistel Network and its variants.Typical examples of the variant Feistel Networks include CLEFIA [1], RC6 [2], and CAST256 [3].
Among all the attacks against block ciphers, structural attack is an interesting branch which studies the security of the architectures.In this cryptanalysis, all of the internal functions are unknown or key-dependent.The only information available to the attacker is the type of the general structure of the block cipher and size parameters of its components.The aim of the attack is to recover all the internal functions.Since this cannot exploit particular weaknesses (such as bad differential properties or weak avalanche effects) of concrete functions, structural recovery attacks are often weaker than traditional differential attacks or linear attacks on given cryptosystems.The advantage of these attacks is that they are applicable to large classes of cryptosystems, which is thus very useful in establishing general design rules for strong cryptosystems and in dealing with the algorithms with unknown design criteria.
Related Works.The structural attack is far from being new.In 2001, Biryukov and Shamir [4] investigated the recovery problem of iterated SPN ciphers, in which the substitutions and permutations are all secret and key-dependent.In ASI-ACRYPT2014, Biryukov et al. proposed a recovery on ASASA scheme, which was designed by claiming that it could resist traditional attacks [5].Soon this result was improved by Dinur et al. in [6], and a more efficient recovery algorithm was proposed.In [7], Tiessen et al. proposed a structural attack on a variant of AES (in which the S-boxes are kept unknown).Their attack was indeed an improved integral attack and could recover all the secret information up to 6 rounds.
The structural attack against generalized Feistel Networks was first studied in [8]: it was presented in their work that if the Feistel functions were completely unknown, the yoyo game could attack up to 5 rounds.The use of small Feistel Networks for lightweight S-Box design was investigated in [9], and an efficient decomposition was discovered for the secret S-Box of recent Russian standards [10] using reverseengineering.
Our Contribution.This paper mainly concentrates on the recovery attacks against generalized Feistel ciphers with 2 Mathematical Problems in Engineering bijective round functions.The main results of this paper are as follows: (1) We propose a new and special integral distinguisher for structural attack.If an -round distinguisher is detected, we can always launch an efficient +1-round structural attack of the outermost round functions.
(2) We put forward the dummy-round technique.This technique shows that if the decomposition of the outermost round function in an -round iterative cipher is with (data/time) complexity N, then the complexity to decompose all the internal round functions is at most with (data/time) complexity  × N; more precisely, given an algorithm which can recover the round functions at the last round of an -round cipher, we add a dummy round at the beginning, so that the number of rounds remains the same; consequently we can use the same algorithm to recover the round functions from the second last round, and so on.
(3) Therefore, for an -round iterative cipher, we can use our integral distinguisher to make a full-round decomposition without a significantly increased complexity.Applying our results, we propose recovery attacks on 7-round CLEFIA-like and 7-round RC6like ciphers.To the best of our knowledge, these are the first and best structural attack results against these structures.
Organization.The rest of this paper is organized as follows.Section 2 introduces several basic definitions that will be used throughout this paper.Section 3 elaborates the generic multiset attack against generalized Feistel ciphers.Section 4 applies our attack on 7-round CLEFIA/RC6-like cipher, respectively.Section 5 concludes the paper.

Preliminaries
. .Generalized Feistel Ciphers.First, we will clarify what generalized Feistel cipher means in this paper.
Let  be an even integer and a single round (denoted by ) of -cell generalized Feistel cipher is defined as in which   : {0, 1}  → {0, 1}  is a keyed function called a round function and  : {0, 1}  → {0, 1}  is a cell-wise permutation.
The encryption of a generalized Feistel cipher is defined as where the first input ( 0 , . . .,  −1 ) is the plaintext and the round output ( 0 , . . .,  −1 ) is the ciphertext.
. .Multiset Properties on Generalized Feistel Ciphers.Multiset attack [4] is a generic class of attacks which appeared in the literature under three different names: the square attack [11,12], the saturation attack [13,14], and the integral cryptanalysis [15], which can also be treated as a special variant of the higher-order differential attack [16], cube attack [17], and also of the division property [18].This attack generally uses a set of chosen plaintexts that contain all possible values for some bits and has a constant value for the other bits.Corresponding ciphertexts are calculated from plaintexts in the set by using an encryption oracle.If ciphertexts just add up to zero in certain bits, we say that this cipher has the multiset distinguisher.
In [4], Biryukov and Shamir defined multiset, which can be represented as a list of (value, multiplicity) pairs, and the size of the multiset is the sum of all its multiplicities.

We define five multiset properties as follows:
Multiset Properties A (All): Every possible value appears exactly once in the multiset.B (Balance): The XOR of all values in the multiset is 0. E (Even): Each value occurs even times in the multiset.C (Constant): The value is fixed to a constant for all texts in the multiset.U (Unknown): The output multiset is unknown.
Note that the definitions of B, E, C are the same as in [4], and the property A is equal to the property P as defined in [4].
Generalized Feistel ciphers make use of three basic operations: XOR-operation, branching operation, and secret round functions   .Multiset properties over these operations comprise the multiset property of the ciphers and obey the major rules (see Table 1).For showing these rules, it is crucial to require the round functions   of the generalized Feistel cipher to be invertible (or bijective).
In this paper, we will use multiset distinguisher in our attack, which is of the form ⟨ → ⟩, where  ∈ {C, A}  ,  ∈ {C, A, B, U}  , and the input state  contains at least one cell equal to A, and the output cells in state  are not all equal to U.

Generic Multiset Attack against Generalized Feistel Ciphers
By applying Table 1, one can build the multiset propagation system for any fixed generalized Feistel ciphers.In this attack, we are only interested in the multiset distinguishers with at least one cell of the output state satisfying property B but neither E nor A, which we denoted as B.
Since the main idea of getting the round functions is to collect enough round function related equations and solve them, then the proposal of B excludes the trivial equation case 0 = 0 (we will see later).
. .Recover the Outermost Round Function.For  + 1 rounds generalized Feistel cipher we will start by decomposing the outermost round.
The recovered result of the last round will be given by a look-up table.More precisely, we identify the secret function by fixing all the entries of the last round function.In order to achieve this goal, we build linear equations related to the entries with the help of the multiset property and then apply the Gaussian elimination algorithm to get all the entries.
Our attack uses a set of chosen plaintexts that contain all possible values at  cells 0 <  <  in positions  1 ,  2 , . . .,   and constant value V 0 ( −  cells) for the rest (denoted as A V 0 < 1 , 2 ,...,  > ).After -round encryption, if some cell of the output state satisfies B-property, we can recover the +1-th round function as follows.
First, we denote the set { 1 ,  2 , . . .,  2  }, which is the ciphertexts encrypted by plaintexts in the set A V 0 < 1 , 2 ,...,  > .Then, we consider a part of the last round which corresponds to the cell of the state after -round encryption, where we know that the multiset of all values has property B, and denote  +1 as the inverse of that part of the last-round   .Finally, we get the equation, which is only related to the final round, satisfying Then we assume that the multiset of the values  +1 (  ) has property B.By the definition of the B-property, the left part of the equation above does not fall into the case in which each value occurs even times, thus being nontrivial (see Figure 1).
Remark.We need to mention that, for 16-bit/32-bit size block ciphers, we have checked the multiset property by simple experiments.The results indicate that the randomly chosen round functions present a good chance to lead Bproperties for both CLEFIA-like and RC6-like structures.Next, we change the constant V 0 to obtain new sets A V 0 < 1 , 2 ,...,  > to get more linear equations with randomlooking subsets of variables.When sufficient linear equations are collected, we can solve the system by Gaussian elimination to recover  +1 , and the solving process of each system requires 2 2.81 steps with Strassen's Algorithm.
In the process of collecting linear equations, most generalized Feistel ciphers have the rank deficiency problem, which means we can never get a system of equations with a full rank of 2  .Similar problems also appear in the decompositions of SPN [4][5][6] and standard Feistel cipher [8].This is due to the fact that, for any of these ciphers, there exist several equivalent ciphers.Picking up any one from the equivalents, the encryption mapping keeps correct.Therefore, decompositions of such cipher structures are not unique.We will show it in our practical decompositions later.

. . Dummy-Round Technique for the Inner Round Functions.
After finding the outermost round function, we can just repeat our attack in the reverse direction by using chosen ciphertexts and recover the first round; then we are left with the rest inner round functions.If there exists an attack with much lower complexity, the complexity of recovery of all rounds is dominated by that of recovering the outer round.However, in some literatures now available, people still have to find new ways to recover the inner round functions [4][5][6]8], mainly because the technique they used to attack the outer round cannot be applied in attacking the inner rounds.
A straightforward way is to transfer the inner round recovery problems into the outer round decomposition.We next provide a general technique called the dummy-round technique.
Dummy-Round Technique.Let   be the -th round of the generalized Feistel cipher; then an  + 1-round generalized Feistel cipher could be represented by   ∘  −1 ∘ ⋅ ⋅ ⋅ ∘  0 .Using the multiset distinguisher and a linear equations system solver, we are able to recover the last round   .In order to recover the rest of the -round functions, we transfer it into the known  + 1-round issues.We randomly choose /2 round functions  0 ,  1 , . . .,  (−2)/2 and construct a new round  −1 (called dummy-round), i.e., and then we get a new cipher since both   and  −1 are known to us, then  =  −1  () and  =  −1 −1 () are available.Then the equation above could be rewritten as which is exactly the same as the original structure.So for the original structure, if we are able to recover the outermost round   , we can use the exact same method to find  −1 by introducing the dummy-round  −1 (see Figure 2).Therefore, the complexity of recovery of each round is dominated by the complexity of recovery of the final round.The dummy-round technique allows reusing the final-round attack for all rounds.When several rounds are attacked, it is very likely that there exists an attack with much lower complexity for the inner rounds.Generally, in this case the total attack complexity is at most multiplied by the number of rounds.

Recovery on CLEFIA-Like and RC6-Like Structures
In this section, we describe two existing generalized Feistel structures, named the CLEFIA-like and RC6-like structures.Single rounds of these two structures are listed as follows (see Figure 3).The -th round of CLEFIA-like structure: The -th round of RC6-like structure: . .Multiset Distinguishers of CLEFIA-Like and RC -Like Structures.Choosing a fixed plaintext ( 0 ,  1 ,  2 ,  3 ), we fulfill the following set of 2  plaintexts which will help to find multiset distinguishers for CLEFIA/RC6-like structures.
The traces of these integrals through CLEFIA/RC6like structures are depicted in Figure 4. Thus we build a multiset distinguisher ⟨(C, A, C, C) → (U, U, U, B)⟩ for CLEFIA/RC6-like structures.Consequently, we collect one equation Similarly, we can also prove that ⟨(C, C, C, A) → (U, B, U, U)⟩ is also legal for both of these two structures, which tells Next we can change the value of  0 ,  1 ,  3 in the chosen plaintexts set and generate sufficiently linear equations.When enough linear equations are obtained, we can solve the linear system by Gaussian elimination to recover  12 and  13 .
. .Equivalent Structure and Rank Deficiency.In the equation-collection phase of CLEFIA/RC6-like structures, we cannot get a system of equations with a full rank of 2  .This rank deficiency phenomenon is caused by the existence of equivalent structures, more precisely, due to the fact that a given structure instance is not uniquely determined by its round functions.
Proof.By computing the encryption details of each cell in Figure 5, we can verify the correctness of this proposition directly.
Proposition 3 provides 3-round equivalents for each structure.Combining 3-round equivalents, we can get round ( ≥ 3) equivalent structures for these two ciphers: if  2 and  2+1 are replaced by  2 ⊕ and  2+1 ⊕, respectively, then we can still keep the correctness of the whole structure by adding constants on rounds  − 1 and  − 2.
A natural question is, except for this type of equivalents, if there still exists any other equivalent structure, we have to be faced with the rank deficiency problem again.Since proving the nonexistence of equivalents is quite difficult, we tested this issue in an actual implementation of the attack for  = 4. Fortunately, we always got a linear system of rank 15 in 16 variables, which indicates that the constant addition type is the unique equivalent structure of these two ciphers.Since the arbitrarily chosen  can be used to be added to the output of the "real"  13 , the various solutions are simply equivalent keys which represent the same plaintext/ciphertext mapping.

. . Recover the Round Functions
Recover the Outermost Round  12 and  13 .For the original structure, the outermost round consists of  12 and  13 .In order to get 2  equations for  12 and  13 , respectively, we should use 2 2 chosen plaintexts of the form ( 0 , ,  2 , ), in which  0 ,  2 are constants.For each fixed , we get a single equation of  12 by varying  through all the possible 2  values.Also, we can get an additional equation of  13 by fixing  and varying  through all the 2  possible values.
Solving each system of linear equations by Gaussian elimination requires 2 2.81 steps, and thus we need 2×2 2.81 = 2 2.81+1 steps to recover  12 and  13 .
Recover   (4 ≤  ≤ 11).Since we have found a way to recover the outermost round, i.e.,  12 and  13 , of these two 7-round structures, then for the inner rounds, we can use the dummyround technique introduced in the last section to recover the rest round functions of CLEFIA/RC6-like structures.
According to the basic principle of dummy-round technique, we peel off the last round and add a dummy-round before the first round, and then we apply the "outermostround recovery algorithm" to recover  10 and  11 ; then we repeat this process again and again, until all the internal round functions from rounds 6 to 3 are recovered.
It should be noticed that the shortest round numbers of equivalent structures of the two target structures are both 3.In decomposing these structures from rounds 6 to 3, we can still ignore the influence of the rank deficiency for   (4 ≤  ≤ 11).Therefore, the total complexity of this procedure can be obtained by multiplying the number of rounds by the complexity of the outermost round decomposition, i.e., 4 × 2 2 chosen plaintexts and 4 × 2 2.81+1 steps.
Recover  0 ∼  3 .For the remaining last two rounds, we are able to get  0 ,  1 ,  2 , and  3 by the plaintext-ciphertext comparison.
For 2-round CLEFIA structure, the encryption satisfies the system of equations (see Figure 6).And for 2-round RC6 structure, the similar system of equations can be obtained.We need about 4 × 2  calls of the codebook to recover these 4 round functions.
If we use  to denote the block size of the structure, i.e.,  = 4×, then the total time complexity is about 10×2 2.81 = 10 × 2 0.7 and the data complexity is about 5 × 2 2 = 5 × 2 0.5 .Our result will lead to a practical decomposition for the case of  = 64.

Summary
Structural attack is now a generic attack against secretcomponent based block ciphers.In this paper we propose an efficient decomposition algorithm for the generalized Feistel structure with bijective round functions.We use the integral property to find the outermost round and introduce the dummy-round technique to find the rest.This technique allows the final-round attack to be used on all the rounds left and does not depend on how the final round is recovered.Our attack provides a practical threat for 7-round CLEFIA-like and 7-round RC6-like ciphers with data length up to 64 bits.We believe that the new progress of the integral attacks, such as the division property [18] and cube attack [17], will lead to more efficient decompositions.Future work will concentrate on discovering more efficient decomposition algorithms.

Figure 3 :
Figure 3: Single rounds of the target structures.

Table 1 :
Multiset properties of basic operations.