Known-key distinguishers on 15-round
4-branch type-2 generalised Feistel networks
with single substitution–permutation
functions and near-collision attacks
on its hashing modes
ISSN 1751-8709
Received on 9th December 2013
Accepted on 27th November 2014
doi: 10.1049/iet-ifs.2014.0402
www.ietdl.org
Le Dong
1
✉
, Yanling Wang
1
, Wenling Wu
2
, Jian Zou
3
1
College of Mathematics and Information Science, Henan Normal University, People’s Republic of China
2
Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences,
People’s Republic of China
3
College of Mathematics and Computer Science, Fuzhou University, People’s Republic of China
✉ E-mail: dongle127@163.com
Abstract: Generalised Feistel network (GFN) is a popular design for block ciphers and hash functions. The round function
of the network often chooses a substitution–permutation (SP) transformation (consists of a subkey XOR, an S-boxes layer
and a linear layer). In 2011, Bogdanov and Shibutani provided another choice to build round functions, namely the double
SP-functions, which has two SP-layers in series. They showed that a 4-branch type-2 GFN with double SP-functions was
stronger than the one with single SP-function in terms of the number of active S-boxes in a di fferential or linea r
cryptanalysis, but some subsequent results showed that the double SP-function is the weaker one in some known-key
scenarios and hashing modes. In this study, the authors present a new result of the 4-branch type-2 GFN, whose round
function is a single SP-function. They s how some 15-round truncated differential distinguishers for this network with
four usual parameters by utilising some rebound attack techniques. Based on these distinguishers, they construct
some 15-round near-collision attacks on the Matyas–Meyer–Oseas and Miyaguchi– Pren eel compression function
modes in which the 4-branch type-2 GFN with the single SP-function is used.
1 Introduction
Block cipher is one of the most important primitives to guarantee the
information security. Its security usually relies on the confidentiality
of the key. In 2007, Knudsen and Rijmen [1] presented another
security model, the ‘known-key distinguisher’, to evaluate the
security of block ciphers by distinguishing a block cipher when
the key value is known from an ideal function. From then on,
many results have been proposed to explore non-random
properties of block ciphers in the known-key scenario [2–9].
Sometimes, based on a known-key distinguisher, one can mount a
(near-) collision attack on certain hashing mode of a block cipher
[4, 5, 9] so that it may lead to a real threat to a hash function. As
a result, these efforts provide many useful materials for the future
designs of block ciphers and hash functions.
Many classical structures are common choices to design block
ciphers and hash functions, such as Feistel network and
generalised Feistel network (GFN). In 1989, Zheng et al. [10]
showed three kinds of GFNs, and the Feistel network is often
compared with the 4-branch type-2 GFN which can be viewed as
two parallel plain Feistel networks with a wordwise rotation.
Furthermore, the substitution–permutation (SP) transformation
consisting of a subkey XOR, an S-boxes layer and a linear layer is
a widely used structure to build the round function of GFN.
In 2011, Bogdanov and Shibutani [11] gave the notion of a
‘double SP-functions’ which uses two SP-layers in series instead
of one SP-layer. The designers proposed to instantiate the round
function of the 4-branch type-2 GFN with the double SP-functions
and showed that the functions for r rounds could generate more
active bytes than 2r-round traditional ‘single SP-function’ (uses
one SP-layer). See Fig. 1 for both single and double SP-functions.
After a year, Sasaki [3] applied the rebound attack to a 4-branch
type-2 GFN with double SP-functions and gave a comparison
between the double SP-function and the single SP-function. He
showed a 7-round (28 SP-layers) known-key distinguisher of the
4-branch type-2 GFN with double SP-functions and a 6-round (24
SP-layers) near-collision attack on its compression function modes
[e.g. MMO (Matyas–Meyer–Oseas) and MP (Miyaguchi–Preneel)
modes]. In 2013, Chang et al. [12] extended it to an 8-round (32
SP-layers) distinguisher, but it seems impossible to mount a
near-collision attack directly based on the distinguisher.
Correspondingly, Deukjo et al. provided a 13-round (26 SP-layers)
known-key distinguisher for the 4-branch type-2 GFN with a
single SP-function and a 9-round (18 SP-layers) near-collision
attack on its compression function modes [9]. Whereas, both
numbers of SP-layers in the distinguisher and the near-collision
attacks for the single-SP model of 4-branch type-2 GFN are less
than the numbers of SP-layers in the corresponding attacks for its
double-SP model. For the further comparison, it is worth studying
to find a distinguisher or a near-collision attack with more rounds
(SP-layers) for the 4-branch type-2 GFN with a single SP-function.
In this paper, we exploit the freedom degrees of the non-active
words to build 15-round (30 SP-layers) known-key truncated
differential distinguishers of the 4-branch type-2 GFN with the
single SP-function for four usual parameters. Furthermore,
applying these known-key distinguishers to the MMO and MP
hashing modes, we obtain a 15-round near-collision attack. In our
attacks, we increase the number of rounds (SP-layers) from 13 to
15 (from 26 to 30) in known-key truncated differential
distinguishers for the single-SP model of 4-branch type-2 GFN.
The number of SP-layers in our distinguishers, by contrast, is still
less than the number of SP-layers in the distinguisher for
IET Information Security
Research Article
IET Inf. Secur., 2015, Vol. 9, Iss. 5, pp. 277–283
277
&
The Institution of Engineering and Technology 2015