# Meet in the middle attacks on generic feistel constructions

### [email protected] | Efi Arazi School of Computer Science

We show key recovery attacks on generic balanced Feistel ciphers. The analysis is based on the meet-in-the-middle technique and exploits. Generic Attacks on Classical Feistel Ciphers with Internal Permutations. Feistel . Meet-in-the-Middle Attacks on Generic Feistel Constructions. Advances in. Demirci, H., Selçuk, A.A.: A meet-in-the-middle attack on 8-round AES. J., Nikolic, I., Sasaki, Y.: Meet-in-the-middle attacks on generic Feistel constructions.

This situation does not seem to occur for the AES block cipher. However, in hash function modes, the splice-and-cut can exploit it by starting the forward chunk from the second last round. Slow diffusion with the omission of MixColumns in the second round Overall attack procedure. Because the backward computation is similar and straight-forward, we omit its explanation.

Overall, if we fix 14 bytes at 9 as shown in Fig. The obtained results are stored in a table and sorted. Similarly, we can compute the backward chunk for 2 8 values of 9[12] and obtain byte information at 5.

Because 2 bytes 5[1,11] are overlapped between the results from both chunks, we can efficiently check the match of those results. If the match is not found, the attack is repeated by changing the values of fixed 14 bytes at 9 or the values for the AES key-input.

Each chunk can be built using 2 8 possible neutral values with 2 8 computations. The results are stored in a table of the size 2 8 AES state and then sorted.

After that, 2 16 pairs are tested in the 2-byte match and 1 pair will succeed. Hence, if we repeat the attack times, we will find a pair that also matches other 14 bytes.

Also note that, the impact of the change of 9[12] does not propagate to all bytes at the matching stage. This is because the backward chunk is too short. If the number of attacked rounds is extended as explained in Sect. These techniques are directly applied to our 7-round attack that will be explained in Sect.

Specifically, the differential path described in Fig. Known-byte patterns for matching through MixColumns Initial-structure. The idea is choosing several bytes as neutral bytes, and determining these values so that several output bytes of the MixColumns or InverseMixColumns operations can be constant values. This minimizes the number of unknown bytes after the first MixColumns operation in each chunk, and thus, the number of attacked rounds is extended by one round in each chunk.

The construction of the initial-structure is shown in Fig. The neutral bytes for the forward chunk are 4 bytes B[0,1,2,3]. We choose 2 8 values of these bytes and use them to compute the forward chunk independently of the backward chunk.

These values are determined as follows; 1. Randomly choose constant values for 3 bytes at A A[1,2,3]. For all possible 2 8 values of B[0], we calculate the values of B[1,2,3] so that the chosen 3 bytes at A A[1,2,3] can be achieved through the InverseMixColumns operation. Note that, according to Eq. Because there are 3 free variables to control 3 bytes, this is possible by solving a system of equations.

The neutral bytes for the backward chunk are 3 bytes E[12,14,15]. We choose 2 8 values of these bytes as follows; 1. Randomly choose constant values for 2 bytes, which will be the impact from E[12,14,15] to the chosen 2 bytes at F F[13,15].

In details, by consid- 10 11 ering the MixColumns operation in Eq. For all possible 2 8 values of E[12], we calculate the values of E[14,15] by solving a system of equations so that the impact on the chosen 2 bytes at F F[13,15] can be achieved through the MixColumns operation. Because there are 2 free variables to control 2 bytes, this is always possible. As a result, for any 2 8 neutral values of E[12,14,15], the impact from these values to F[13,15] becomes the determined constant. Note that F[13,15] are also influenced by E[13], and thus, final values of F[13,15] are exclusive-or of the determined constant and values depending on E[13].

Finally, the forward computation from F can start with 14 known bytes and only 2 unknown bytes. Assume that many values of the partially known states of the form a and b in Fig. The goal of this match is efficiently finding paired values a, b that match through the MixColumns operation.

Because MixColumns is applied column by column, the match is also tested column by column. We explain the match for the first column as an example. The other columns can be tested in the same procedure. Let us consider the InverseMixColumns operation from b to a. By computing C for and C back in the computation for each chunk, we can perform the match by just comparing these values.

Note that AES has 4 columns in a state. The chunk separation for this attack is depicted in Fig. In this attack, states 16 to 19 are chosen as the initial-structure and we apply the match between states 7 and 8. The neutral bytes for the forward computation are 4 bytes at 16, namely, 16[0,1,2,3]. The neutral bytes for the backward computation are 3 bytes at 19, namely, 19[12,14,15].

To make the initial-structure work, we choose neutral bytes for the forward chunk so that 3 bytes 15[1,2,3] can be pre-determined constant values.

Similarly, neutral bytes for the backward chunk are computed so that impacts on 2 bytes 20[13,15] can be pre-determined constant values. The matching proce- 12 13 dure is exactly the same as the one explained in Section 4. The detailed attack procedure is explained below.

Note that the procedure below is a preimage attack on the compression function. To convert this attack to the one for a hash function, we need additional effort depending on the mode-of-operation used. Choose a value for the key-input, and compute all sub-keys. How to choose the value depends on the mode-of-operation.

In this procedure, we assume that the key-input can be any value. We remove this assumption later. Randomly choose constant values for 9 bytes in state 16 16[4,5,7,8,9,10, 13,14,15]for 3 bytes in state 15 15[1,2,3]and for impacts on 2 bytes in state 20 20[13,15] from the neutral bytes of the backward chunk. For all 2 8 values of 16[0], do as follows. Also compute C for in Eq. Sort the table T for after obtaining 2 8 values.

For all 2 8 values of 19[12], do as follows. If the attack does not succeed with 2 8 values of 19[12], go back to Step 2 or Step 1 if necessary and repeat the attack with different constant values. In this attack, the sum of the complexity for computing 2 8 results of 7 and 8 is roughly round AES computations.

### Figure 9 from Generic Key Recovery Attack on Feistel Scheme - Semantic Scholar

At Step 3c, we need a memory to store byte information for C for. At Step 5d we search for the table of the size 2 8. Hence, for all 2 8 values of 19[12], the cost is about 2 8 log 2 8 memory access, which is enough small compared to round AES for computing 7 and 8.

The success probability of the match is 2 8 for each column, and thus 2 32 for 4 columns. Note that, at Step 6, the algorithm can go back to Step 2 up to times for a fixed key-input. To repeat the attack more, we need to change the key-input at Step 1.

**#AGDQ2015 Super Mario Bros.: The Lost Levels (warpless) by GameJ06**

Top Given first-preimage Bottom Second-preimage construction Conversion to hash function scenario. How to convert this attack to the hash function scenario depends on the mode-of-operation used. In this scenario, we can choose the message so that the padding string can be satisfied. Instead, H N 1 cannot be fixed to IV. Therefore, we can always start from the IV, but cannot satisfy the padding string.

Because of the padding problem, this attack cannot generate preimages. Hence, we aim to generate second preimages. Assume that the given first preimage is 3-block long. The attack is depicted in Fig. Our attack copies the last message block in which the padding string is included.

For the first block, we choose several different message values M x 0 to find several different chaining variables H x 1. Hence, second preimages are generated with a complexity of Note that, a fixed H 2 cannot be mapped from a fixed H x 1 for any M 1 with a probability of 1 e 1. In such a case, we choose another H x 1 and repeat the attack. After several trials of H x 1, we will find a valid M 1 with a probability almost 1. In PGV, 12 schemes in Table 2 are secure.

Our attacks can be applied to all 12 schemes. In our attack, the key is chosen and fixed. Twelve secure PGV constructions. X i represents H i M i. Hence, only a second-preimage attack with computations is possible. Considering the long message attack [20], our attack has an advantage only if the length of the given message is 3- to 7-blocks. As a further generalization, applications to the generalized PGV construction proposed by [33] seems interesting.

We leave this work as an open problem. Complexity on AES 6-rounds. To demonstrate the change of the complexity with a different number of rounds, we attacked 6-rounds.

The idea is omitting the match through the MC and apply the direct match instead. This enables attackers to reduce the number of known bytes in the backward chunk, and thus to keep 2 16 neutral values for each chunk. The final results are listed in Table 1. Known-key attack on 7-round AES. The success probability of the attack is 1 e 1.

The attacker is given a randomly chosen key k. Then, she carries out the pseudo-preimage attack on 7-round AES in Sect. With a complexity of 2a plaintext p s. They find some non-ideal differential property, while our attack finds a fixed point which has been discussed for a long time. The application of our known-key distinguisher to the hash function scenario is meaningful, which finds a preimage of 0 in several PGV constructions.

However, [17] attacks 8-round with a feasible complexity, while ours attacks 7-round with an infeasible complexity. Difficulties in chosen-key setting. In our attack, the key-input is fixed to a constant. It might be possible to extend the attack by actively choosing the keyinput. However, this is not trivial. Firstly, the splice-and-cut technique cannot be used for the key-schedule function, namely, most part of the first round key cannot be obtained from the last round key without computing the inversion.

Hence, the MitM attack would be difficult. Secondly, the previous related-key attacks on AES focused their attention on differential properties. It is unclear how to use the weak property of the key-schedule function to build preimages.

## Publications

Chunk separation for second preimage attack on 5-round Whirlpool. Our attack exploits the omission of MixColumns in the last round. To check the number of attacked rounds, we again use Fig. Due to MixColumns in the last round, we need to remove the 7th round from our target. Note that known byte positions at states 25 and 5 are identical. This indicates that we also need to remove the first round, and state 25 should be connected to state 6.

As a result, we can attack only 5 rounds. Whirlpool [30] is a hash function which is deeply based on AES with a larger state size. Because Whirlpool computes MixColumns during the last round, the above analysis can be directly applied as a preimage attack on reduced Whirlpool. Whirlpool uses 8 8-byte bit state and consists of 10 naturallyexpanded AES rounds. It produces the compression function output with the MP mode. The attack strategy is the same as 7-round attack on AES.

Hence we omit the details. Pseudo-preimages can be generated faster than the brute force attack by a factor of 2 8, which is Because Whirlpool uses the MP mode, this can be a second-preimage attack with a complexity of and a memory of One may note another study on the effects of the omission of MixColumns [14]. This attack can also generate second preimages of Whirlpool reduced to 5 rounds. Note that our results do not give impact on other AES-based hash functions e.

Acknowledgements I would like to thank the anonymous reviewers of FSE for many fruitful comments, especially for the research motivation and applications of the attack. Preimages for step-reduced SHA Preimage attacks on one-block MD4, step MD5 and more. Key recovery attacks of practical complexity on AES variants with up to 10 rounds.

Distinguisher and relatedkey attack on the full AES A new security analysis of AES Note that the algorithm presented in the proceedings of CHESS link has been modified slightly in the version available on eprint [38]. In particular, the definition of the round constants has been modified and an bit version of the cipher was introduced.

Midori A complete Midori64 encryption. Hardware Midori64 and Midori are two block ciphers designed to reduce energy consumption when implemented in hardware. They are both based on the same Midori structure.

It uses an AES-like structure where the internal state is divided into a 4x4 matrix of nibbles Midori64 or bytes Midori Encryption then relies on 4 operations: There are 4 different 8-bit S-Boxes built with an ASA-1 structure where S consists in the parallel application of a 4-bit S-Box distinct from the one used in Midori64 and A is one of 4 different 8-bit permutations. A different permutation of the 4 cells is applied on each row.

These were chosen so as to maximize diffusion. Each column is replaced by its image by a multiplication with an almost-MDS involution matrix M. The key schedule is very simple: For the bit version, the first half of the master key is XOR-ed in the internal state in odd rounds and the second in even rounds.

The XOR of the two halves is used as whitening keys and, again, sparse round constants equal to 0 except on the LSB of each nibble are used. Software Mysterion explores the LS-design paradigm introduced by the designers of Fantomas and Robin and combines it with an AES-like structure to increase the security level. In particular, it uses a bit-sliced S-Box. A round consists in the following operations: For Mysterion, the first column of each block is left unchanged, the second are rotated by one, etc.

For Mysterion, the columns are grouped 2-by-2 so that the first 2 columns of each block are left unchanged, the next 2 are rotated by 2, etc.

A circuit computing the S-Box S4. Hardware SKINNY is a family of lightweight tweakable block ciphers designed so as to have the smallest hardware footprint. All members of the family are SPN consisting of several iterations of the following operations transforming a 4x4 matrix of 4-bit nibbles bit variant or bytes bit variant. A picture summarizing this is given on the right. This operations adds such key material to half of the internal state.

### Browsing ORBilu

The rows are rotated to the right according to their index, i. This operation is identical to the one in the AES except for the direction of the rotation. Each column is multiplied by a binary matrix M given below. The main idea behind this design is to provide as low an area in hardware as possible without sacrificing neither speed nor security. These are obtained using a technique based on first transforming the existence of a trail into a MILP problem and then using a MILP solver to retrieve the result.

The components were chosen because of the good compromise they provide between cryptographic properties and hardware cost.

The S-Boxes can be computed using a simple circuit the one computing S4 is given on the right and the matrix M is a simple binary matrix: Block Ciphers that are Easier to Mask: How Far Can we Go? Software Zorro is a modified version of the AES intended to be easy to mask like Zorrothe masked hero. To achieve this, fewer calls to the S-box are made during each round and the S-box has been modified.

To compensate, the number of rounds has been increased to This design also borrows ideas from LED: Besides, the execution is split into "steps" of 4 rounds and the key is added only at the end of a step. This the operation AK add key which consists simply in xoring the master key. No security claims are made regarding related key attacks. Each round is made of 4 operations: Much thought has been put in the design of the S-box: It is based on a small 4-round Feistel cipher with mixing layer where the Feistel function is the monomial X3 in GF We call "bit-sliced S-Box" a non-linear layer consisting in the parallel application of several small non-linear functions which is supposed to be implemented using basic bitwise operations such as XOR, AND and OR.

While Mysterion is classified as AES-like in this list, it also fits in this category. This structure is intended to ease masking and thus to help thwart side-channel attacks when this cipher is implemented on a micro-controller. The S-Boxes of both ciphers Fantomas and Robin were chosen so as to be efficiently implemented in a bitslice fashion.

As a consequence, Robin has more rounds. Noekeon The round function of Noekeon Article: It operates on 4 words of 32 bits except for the S-Box layer, "Gamma", which operates on 4-bits nibbles. The same round key is used in every round; how it is derived depends on whether related-key attacks must be considered or not. However, there exists related-key differentials for both key schedules [96] It uses the following operations.

Consists in applying a 4-bit involution S-Box on nibbles independently. Each of the 32 nibbles considered in Gamma is made of the bits of index i in each of the 4 words for all i in [0, 31]. This leads to a simple bitslice implementation of this layer. Most choices for Gamma generated using the same design criteria would have lead to weak ciphers but the one chosen in Noekeon does not [96]. A linear layer which mixes words with each other and operates at the byte level.

It has a Lai-Massey structure where the Lai-Massey function is linear: Three of the four words are rotated by different offsets, namely 1, 5 and 2. Each rotations and their inverses are used. A round constant is XOR-ed in the internal state before applying Gamma during encryption.

Since the components are involution-based, decryption can be implemented using the same circuit as encryption. It is claimed to be suitable for implementation in hardware and on 8-bit processors.