Known-Key Distinguishing and Partial-Collision Attacks on GFN-2 with SP F-Function

We study known-key distinguishing and partial-collision attacks on GFN-2 structures with various block lengths in this paper. For 4-branch GFN-2, we present a 15-round known-key distinguishing attack and an 11-round partial-collision attack which improve previous results. We also present a 17-round known-key distinguishing attack on 6-branch GFN-2 and a 27-round known-key distinguishing attack on 8-branch GFN-2 and show that several partial-collision attacks are derived from them. Additionally, some attacks are valid under special conditions for the F-function.


Introduction
The notion of known-key attack was introduced by Knudsen and Rijmen in 2007 [1]. It uses a known-key distinguisher which holds with much higher probability than that under the uniform distribution. In 2011, Sasaki and Yasuda used the rebound technique [2] to construct known-key distinguishers for the Feistel network whose F-function consists of cryptographically strong S-boxes and an MDS matrix and showed that those distinguishers are converted into partial-collision attacks on hash modes [3]. Later, their results were applied to variants of the Feistel network [4][5][6].
The Feistel network is the encryption structure of well-known block ciphers such as DES [7], SEED [8], and Camellia [9]. It has been researched for secure and efficient block cipher design. In [4], Kang et al. presented known-key attacks on three types of generalized Feistel network (GFN) proposed by Nyberg [10]. In particular, Type-II GFN (GFN-2) is well-balanced like the Feistel network and suitable for lightweight designs because the iteration of the relatively small F-function makes a large-block-length block cipher. So, it has been researched as an alternative to the Feistel network, more than other types of GFN. It is often considered as one of the design candidates in developing new block ciphers. In practice, the encryption structure of CLEFIA [11] is GFN-2, and HIGHT [12] adopted a slight variant of GFN-2. For this reason, it is important and useful to study and analyze the security of GFN-2.
We define GFN-2 with the parameters t, a, and b. t is the number of branches, a is the number of S-boxes which the F-function consists of, and b is the length of input and output of the bijective S-box. In this paper, the byte length and the word length are defined as b bits and ab bits. The block length of GFN-2 with the parameters t, a, and b is abt bits. We restrict (a, b) to (4,4), (4,8), (8,4), and (8,8) and t to 4, 6, and 8, which are mainly used and considered in block cipher designs.
In [4], Kang et al. analyzed only t = 4 cases of GFNs and assumed that the last-round function has no shuffle operation. They presented a 13-round known-key distinguishing attack on GFN-2 and 9-round 1-word and 2-word partial-collision attacks on Matyas-Meyer-Oseas and Miyaguchi-Preneel hash modes of GFN-2. In this paper, we improve the results for GFN-2 in [4] and also present known-key distinguishing and partial-collision attacks for the cases of t = 6 and t = 8. Our results are summarized as follows:
(i) For 4-branch GFN-2, we find a new 5-round inbound structure and make a 15-round known-key distinguishing attack. Assuming the last round has no shuffle operation, we show that an 11-round 3-word partial-collision attack is possible and that when a = 8, a 15-round 1-word partial-collision attack is possible. Assuming the last round has the shuffle operation, we show that a 10-round 3-word partial-collision attack is possible and that when a = 8, a 14-round 1-word partial-collision attack is possible.
(ii) For 6-branch GFN-2, we find a 7-round inbound structure and make a 17-round known-key distinguishing attack. When a = 8, we show that a 19-round known-key distinguishing attack, a 17-round 2-word partial-collision attack without the last shuffle operation, and a 16-round 2-word partial-collision attack with the last shuffle operation are possible.
(iii) For 8-branch GFN-2, we find an 11-round inbound structure and make a 27-round known-key distinguishing attack which is extended to 29 rounds when a = 8. We show that a 21-round 5-word partial-collision attack without the last-round shuffle operation and a 20-round 5-word partial-collision attack with the last-round shuffle operation are possible and that a 21-round 2-word partial-collision attack with the last-round shuffle operation is possible when (a, b) ≠ (4,8).
Considering the wide applicability of GFN-2 as a structure of the cryptographic algorithm, our attacks are useful and helpful in designing a new block cipher or hash function based on GFN-2. The remainder of this paper is organized as follows: Section 2 gives a brief description of GFN-2 structure and Matyas-Meyer-Oseas and Miyaguchi-Preneel mode and explains the inbound structure of F-function. Section 3 provides a general explanation of how to construct an inbound structure for GFN-2. From Section 4 to Section 6, we propose inbound structures, known-key distinguishers, and partial-collision attacks on GFN-2 for t = 4, 6, and 8. Finally, Section 7 concludes our work.

Let t ≥ 4 be an even integer and r be a positive integer. For r-round t-branch GFN-2, we define all subkeys $RK_{i,j}$ generated from a key K as

Preliminaries
We define the shuffle operation σ as σ = (σ(0), σ(1), . . ., Then, we can give the following pseudocode which describes how the r-round t-branch GFN-2 encrypts a plaintext block $X_0 = (X_{0,0}, X_{0,1},$ The index i in the above pseudocode means the round order. Figure 2 depicts the i-th round function of GFN-2 with t = 8. Throughout this paper, we assume that the key K and the subkeys $RK_{i,j}$ are known and fixed. Since subkey-XORing operations are not important in the description of our work, we omit the notation and explanation about subkeys for simplicity. For example, we replace $F(X_{i,j-1}, RK_{i,(j-1)/2})$ with $F(X_{i,j-1})$.

Inbound Structure of F-Function.
A difference is the XOR between two values at the same position, and a differential trail is a set of all difference transitions in a block cipher. An inbound structure is a core part in rebound attack techniques [2] and is a set of all pairs satisfying a differential trail for a part of a block cipher. In order to give an easy explanation about inbound structure of F-function (ISF), we need to use the following notations of word difference forms:
(i) 0: every byte in the word has the zero difference.
(ii) $\Delta_1$: one byte has a nonzero difference and the other bytes in the word have zero differences.
(iii) $\Delta_{P(1)}$: the word has difference forms which are the output of P on the input $\Delta_1$. That is, $P(\Delta_1) = \Delta_{P(1)}$.
We assume that all subkeys are known and fixed and that the number of zero entries is almost equal to that of nonzero entries in the difference distribution table (DDT) of the S-box. We set the input and output difference forms of the F-function to $\Delta_{P(1)}$ and $\Delta_1$, respectively. Then, for all possible differences with the form of $(\Delta_{P(1)}, \Delta_1) \in \{0,1\}^{ab} \times \{0,1\}^{ab}$, every S-box in the F-function meets nonzero input and output differences. For any choice of nonzero difference pair $(\alpha, \beta) \in \{0,1\}^{b} \times \{0,1\}^{b}$, we call it valid if there exists any input pair whose input difference is α and the corresponding S-box output difference is β. By the assumption of DDT, the ratio of valid input and output difference pairs is around 0.5. On average, for a valid input-output difference pair (α, β), the S-box has a single input pair $(x_1,$ We take a look at the example of ISF with a = 4 in Figure 3. Let the input differences of the four S-boxes be $\alpha_0$, $\alpha_1$, $\alpha_2$, and $\alpha_3$, and let the corresponding output differences be $\beta_0$, $\beta_1$, $\beta_2$, and $\beta_3$. Let $x_{0,0}$, $x_{0,1}$, $x_{1,0}$, $x_{1,1}$, $x_{2,0}$, $x_{2,1}$, $x_{3,0}$, and $x_{3,1}$ be the inputs of the S-box satisfying (1) Then, all the possible input pairs of the F-function are . .. That is, the number of possible input pairs of the F-function is $2^4$. Therefore, the ISF contains about $(2^b - 1)^2$ pairs because the F-function has about $(2^b - 1)^2 \times 2^{-4}$ possible input-output difference pairs with the form $(\Delta_{P(1)}, \Delta_1)$.
We assume that the DDT of the S-box is given in advance and that the DDT contains all possible input pairs for each input and output difference. Then, the complexity of the phase checking the validity of an input-output difference pair for the S-box is dominant in the computational complexity required for constructing the ISF. It is about $a \times 2^{2b}$ table lookups $= 2^{2b}$ F-function evaluations because the F-function consists of a S-boxes.
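The ISF construction described above can be traced on a toy F-function with a = 4 and b = 4. This is an added example, not code from the paper. It assumes the PRESENT S-box and, in place of the paper's MDS matrix, a self-inverse Hadamard matrix with row (1, 2, 4, 6) over GF(2^4) whose entries are all nonzero; the active byte positions are fixed by the hypothetical parameters `in_pos` and `out_pos`.

```python
from itertools import product
SBOX = [0xC, 5, 6, 0xB, 9, 0, 0xA, 0xD, 3, 0xE, 0xF, 8, 4, 7, 1, 2]  # PRESENT S-box (b = 4)
A = 4                  # a = 4 S-boxes per F-function
ROW = (1, 2, 4, 6)     # assumed Hadamard row: P[i][j] = ROW[i ^ j], so P is its own inverse

def gmul(x, y):
    """Multiply in GF(2^4) modulo x^4 + x + 1."""
    r = 0
    for _ in range(4):
        if y & 1:
            r ^= x
        x, y = x << 1, y >> 1
        if x & 0x10:
            x ^= 0x13
    return r

def P(word):
    """Linear layer of the toy F-function (every matrix entry is nonzero)."""
    return tuple(gmul(ROW[i], word[0]) ^ gmul(ROW[i ^ 1], word[1]) ^
                 gmul(ROW[i ^ 2], word[2]) ^ gmul(ROW[i ^ 3], word[3]) for i in range(A))

def F(word):
    """SP-type F-function: S-box layer, then P (subkey omitted, as in the text)."""
    return P(tuple(SBOX[v] for v in word))

def ddt_solutions():
    """sol[alpha][beta] lists every x with S(x) ^ S(x ^ alpha) == beta."""
    sol = [[[] for _ in range(16)] for _ in range(16)]
    for alpha in range(1, 16):
        for x in range(16):
            sol[alpha][SBOX[x] ^ SBOX[x ^ alpha]].append(x)
    return sol

def valid_ratio():
    """Fraction of nonzero (alpha, beta) pairs that the S-box can realise."""
    sol = ddt_solutions()
    return sum(bool(sol[a][b]) for a in range(1, 16) for b in range(1, 16)) / 225

def build_isf(in_pos=0, out_pos=0):
    """Map (input diff, output diff) -> all F inputs x following that transition."""
    sol, isf = ddt_solutions(), {}
    for u, v in product(range(1, 16), repeat=2):
        d_out = tuple(v if k == out_pos else 0 for k in range(A))    # form Delta_1
        alpha = P(tuple(u if k == in_pos else 0 for k in range(A)))  # form Delta_P(1)
        beta = P(d_out)            # S-layer output difference: P^-1(d_out) = P(d_out)
        per_box = [sol[alpha[k]][beta[k]] for k in range(A)]
        if all(per_box):           # all a S-box transitions are valid
            isf[(alpha, d_out)] = list(product(*per_box))
    return isf
```

Each key of the returned dictionary is one valid difference pair, and its value lists the F-function inputs x for which (x, x ⊕ α) follows it; only 2 × 15 × 15 P evaluations and DDT lookups are needed, never a search over the 2^16 inputs.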

Matyas-Meyer-Oseas and Miyaguchi-Preneel Modes.
Matyas-Meyer-Oseas (MMO) and Miyaguchi-Preneel (MP) modes belong to the 12 secure PGV hash modes [15], which invoke a single call of the underlying block cipher to build a compression function for a Merkle-Damgård hash function. Note that a compression function takes a message block and an input chaining variable value to produce an output chaining variable value. In both hash modes, the input chaining variable, which cannot be controlled by anyone, becomes the key of the block cipher; the message block, which can be controlled by anyone, becomes the plaintext block of the block cipher; and the output chaining variable is produced by XORing the ciphertext block with the plaintext block and the key. See Figure 4. Throughout this paper, we assume the hash mode of GFN-2 is MMO or MP whenever we explain partial-collision attacks.

Inbound Structure of GFN-2
We explore the inbound structures of GFN-2 (ISG2) which minimize nonzero difference words with the form $\Delta_1$. Such ISG2s have relatively long difference propagation in forward and backward directions and give the best attacks on hash modes. We suggest a general methodology to construct differential trails suitable for good ISG2s as follows:
(1) Set the round number R of ISG2 to an intended positive integer.
(2) Select the number of ISFs and randomly choose the application positions of ISFs. For each chosen position, set the input and output differences of the F-function to $\Delta_{P(1)}$ and $\Delta_1$, respectively.
(3) Use only the difference forms 0, $\Delta_1$, and $\Delta_{P(1)}$ to propagate and adjust the differences from ISFs in forward and backward directions such that nonzero differences are minimized.
(4) Check whether the input and output differences of ISG2 have the minimum number of nonzero word differences with the form $\Delta_1$. If so, return the differential trail; otherwise, go to Step (2).

Attacks on 4-Branch GFN-2
Figure 3: Differences in the inbound structure of F-function with a = 4.
Security and Communication Networks

4.1. 5-Round Inbound Structure.
We make the 5-round inbound structure satisfying the differential trail in Figure 5. It is represented as a hexadecimal vector (0x40, 0x81, 0x46, 0x91, 0x06, 0x10) by Table 1. The input state of ISG2 is $X_0 = (X_{0,0}, X_{0,1}, X_{0,2}, X_{0,3})$ and the output state of the i-th round is $X_{i+1} = (X_{i+1,0}, X_{i+1,1}, X_{i+1,2}, X_{i+1,3})$ for i ∈ {0, 1, 2, 3, 4}. Let $\Delta X_{i,j}$ be the difference at $X_{i,j}$ and let $\Delta F(X_{i,j})$ be the difference at $F(X_{i,j})$. We use two ISFs to find pairs contained in the 5-round ISG2 according to the following steps:
(1) Apply the ISF to the F-function taking $X_{1,0}$ as input. Store about $2^{2b}$ pairs satisfying the input difference with the form $\Delta_{P(1)}$ and the output difference with the form $\Delta_1$ for the F-function, in a table named ISF-1.
(2) Apply the ISF to the F-function taking $X_{3,0}$ as input, independently of Step (1). Store about $2^{2b}$ pairs satisfying the input difference with the form $\Delta_{P(1)}$ and the output difference with the form $\Delta_1$ for the F-function, in a table named ISF-2.
(3) Choose a random value for $X_{0,2}$ and compute $F(X_{0,2})$. Then, compute $X_{2,0}$ and $F(X_{2,0})$ for all values of $F(X_{1,0})$ in ISF-1.
So, if we choose N random values of $(X_{0,1}, X_{5,3})$, the 5-round ISG2 contains N pairs and the corresponding complexity is NT.

Known-Key Distinguisher.
We can get a differential trail in Table 2 by propagating differences from the 5-round ISG2 in forward and backward directions. $\Delta X_i = (\Delta X_{i,0}, \ldots, \Delta X_{i,3})$ is the representation of the difference of the state. ISG2 covers from $\Delta X_0$ to $\Delta X_5$, the backward propagation covers from $\Delta X_{-1}$ to $\Delta X_{-5}$, and the forward propagation covers from $\Delta X_{+1}$ to $\Delta X_{+5}$. The rebound attack framework calls this propagation the Outbound Phase [2]. In this phase, the transition between the input and output difference forms under the F-function is determined by the rule in Table 3. The differential trail in Table 2 is represented as 0xFB ⟶ 0xEF by hexadecimal digits. In Table 2, the difference form at $X_{i,j}$ is denoted by $\Delta X_{i,j}$. In the case of an ideal cipher with the block length of abt bits, we explain how to find at least one pair satisfying 0xFB ⟶ 0xEF. Firstly, we make a set of $2^b$ abt-bit values such that all possible byte values appear at the nonzero byte difference, which is indicated by the difference form $\Delta_{P(1)}$, and a randomly chosen constant value is at the zero byte differences. After applying the linear function P to the third words of the elements in the set, we get about $2^{2b-1}$ pairs with the difference form $(?, ?, \Delta_{P(1)}, ?)$. Then, the output difference form is $(?, \Delta_{P(1)}, ?, ?)$ with the probability $2^{-(a-1)b}$, and we get $2^{(-a+3)b-1} = 2^{2b-1} \times 2^{-(a-1)b}$ pairs satisfying 0xFB ⟶ 0xEF. Since a = 4 or a = 8 in the block cipher designs, $(-a+3)b - 1$ is a negative integer.

Table 1: Hexadecimal representation for two consecutive words.
Therefore, we expect a pair satisfying 0xFB ⟶ 0xEF by repeating this work $2^{(a-3)b+1} = 1/2^{(-a+3)b-1}$ times, and the complexity is In the case of 4-branch GFN-2, we can get one pair satisfying 0xFB ⟶ 0xEF with $9 \times 2^{2b}$ F $= 9 \times 2^{2b}/30$ because a pair contained in the 5-round ISG2 satisfies 0xFB ⟶ 0xEF, the complexity required in the computation of the outbound phase is negligible, and one evaluation of the 15-round 4-branch GFN-2 requires 30 evaluations of the F-function. When a = 4 or a = 8, the complexity in the case of GFN-2 is lower than that of the ideal cipher and so, 0xFB ⟶ 0xEF can be used as a valid 15-round known-key distinguisher. By the way, the attack advantage in the case of a = 4 is much smaller than that of a = 8. The summary of the attack complexity can be seen in Table 4. The validity of the distinguishing attack has nothing to do with the existence of the shuffle operation in the last round, but we just write the distinguishing attack result in the case that the shuffle operation exists in the last round.
is computed for $2^{2b+1}$ times and $F^{-1}(X_{3,2} + X_{5,0})$ is computed for $2^{4b+1}$ times.
(vi) The complexity of Step (7) is $2^{3b+1}$ F because $F(X_{6,0})$ is computed for $2^{3b+1}$ times.
(vii) The complexity of Step (8) is $2^{2b+2}$ F because $F(X_{5,4})$ and $F(X_{6,4})$ are computed for $2^{2b+1}$ times.
(viii) The complexity of Steps (4) and (9) is negligible compared to the other steps.

Table 5 summarizes known-key distinguishing and partial-collision attacks on 6-branch GFN-2, based on the 7-round ISG2. The first attack in Table 5 is a 19-round known-key distinguishing attack. The condition that a known-key distinguisher for 6-branch GFN-2 is valid for all values of (a, b) is that the distinguisher has more than two nonzero words in both input and output differences. The 17-round known-key distinguisher 0x6FF ⟶ 0xBFD is the longest one which is valid for all values of (a, b). Table 5 shows that the partial-collision attacks on 6-branch GFN-2 are valid only for a = 8.

Conclusion
In this paper, we analyzed the security of GFN-2 in the known-key setting. We improved the results of 4-branch GFN-2 presented in [4]. We also presented the first known-key distinguishing and partial-collision attacks on 6-branch and 8-branch GFN-2 structures. We explained each attack such that the complexity and validity are easily understood. Our attacks do not mean that any block cipher with GFN-2 structure is insecure but can be useful and helpful in having an insight about the security of GFN-2 in known-key settings and in designing a new block cipher or hash function.

Data Availability
No data were used to support this study.

Conflicts of Interest
The author declares that there are no conflicts of interest regarding the publication of this paper.