Abstract
Generalized Feistel Schemes (GFSs) are important components of symmetric ciphers, which have been extensively studied in the classical setting. However, detailed security evaluations of GFS in the quantum setting still remain to be explored.
In this paper, we give improved polynomial-time quantum distinguishers on Type-1 GFS in quantum chosen-plaintext attack (qCPA) setting and quantum chosen-ciphertext attack (qCCA) setting. In qCPA setting, we give a new quantum polynomial-time distinguisher on \((3d-3)\)-round Type-1 GFS with branches \(d\ge 3\), which gains \((d-2)\) more rounds than the previous distinguishers. This leads us to obtain a better key-recovery attack with reduced time complexities by a factor of \(2^{\frac{(d-2)n}{2}}\), where n is the bit length of the branch. We also show a quantum distinguishing attack against \((d^2-d+1)\)-round version in qCCA setting, and this gives a key-recovery attack with much lower time complexity.
In addition, based on a 14-round quantum distinguisher, we give quantum key-recovery attacks on round-reduced CAST-256 block cipher. For the 256-bit key version, we could attack up to 20-round CAST-256 in time \(2^{111}\), which is faster than the quantum brute-force attack by a factor of \(2^{17}\). For the 128-bit key version, we could attack 17 rounds in time \(2^{55.5}\), while the best previous classical or quantum attacks are no more than 16 rounds.
Access provided by Autonomous University of Puebla. Download conference paper PDF
Similar content being viewed by others
Keywords
1 Introduction
Feistel block ciphers are featured by the efficient Feistel network, whose encryption and decryption processes are based on similar operations. This design has been extensively studied [8, 15, 20, 27] and adopted in many standard block ciphers, including DES, Triple-DES, Camellia [3], and GOST [12]. Feistel network was also generalized to form Generalized Feistel Networks (GFNs) or Generalized Feistel Schemes (GFSs). GFSs adopt more than two branches and different operations between the branches. At CRYPTO 1989, Zheng et al. [46] summarized several types of GFSs, called Type-1, Type-2, and Type-3 GFSs. In addition, some other GFSs were invented by Anderson and Biham [2], Lucks [32] and Schneier and Kelsey [38]. Many important primitives employ GFSs, such as block ciphers CAST-256 [1] (Type-1), CLEFIA [39] (Type-2), Simpira [14] (Type-2), as well as hash functions MD5 and SHA-1 (Type-1). GFSs inherit the advantages of Feistel network. Besides, it allows a small round function to construct a cipher with a larger block size, which is beneficial to lightweight implementations.
Classically, Luby and Rackoff [31] proved that the 3-round Feistel scheme is a secure pseudo-random permutation. At CRYPTO 1989, Zheng et al. [46] showed that the \((2d-1)\)-round Type-1 GFS is secure against chosen-plaintext attacks. Moriai and Vaudenay pointed out that \((d^2-d)\)-round Type-1 GFS is not secure against chosen-ciphertext attacks [33]. See also the analysis by Hoang and Rogaway [17]. Generic attacks on these constructions are also widely studied, such as birthday attack [23], meet-in-the-middle attack [16], differential attacks [34, 41], and Patarin et al.’s attacks [35, 36, 42].
It was a common belief that quantum attacks on symmetric primitives are of minor concern, as they mainly consist of employing Grover’s algorithm [13] to generically speed up search (sub-)problems. However, Kuwakado and Morii [28] found the first polynomial-time quantum distinguisher on 3-round Feistel block ciphers by using Simon’s algorithm [40]. This result proves that there is a case that quantum attacks can exponentially improve classical attacks. Later, various quantum attacks against symmetric primitives were invented, such as key-recovery attacks against Even-Mansour constructions [29], forgery or key-recovery attacks against block cipher based MACs [5, 24], key-recovery attacks against the FX construction [30], and so on.
At FOCS 2012, Zhandry et al. [45] classified the quantum cryptanalysis into two models, i.e., the standard security (Q1 model) and quantum security (Q2 model). In Q1 model, adversaries could only collect data classically and process them with local quantum computers. In contrast to this, in Q2 model, the adversaries could query the oracle with quantum superpositions of inputs, and obtain the corresponding superposition of outputs. Adversaries from Q2 model are more powerful, while Q2 model is not realistic for the foreseeable future. However, Q2 model is still theoretically interesting. Moreover, as stated by Ito et al. [22], “the threat of this attack model becomes significant if an adversary has access to its white-box implementation. Because arbitrary classical circuit can be converted into quantum one, the adversary can construct a quantum circuit from the classical source code given by the white-box implementation”. In this paper, we assume that the adversaries are in the Q2 model.
There have already been papers investigating Feistel schemes or GFSs against Q2 adversaries. Besides Kuwakado and Morii [28]’s work, Ito et al. [22] extended the quantum distinguisher to 4-round Feistel scheme under quantum chosen-ciphertext attack setting. Based on the Grover-meets-Simon algorithm by Leander and May [30], Hosoyamada et al. [19] and Dong et al. [11] introduced some quantum key-recovery attacks on Feistel schemes. Dong et al. [10] gave some quantum distinguishers and key-recovery attacks on some GFSs. Dong et al. [9] and Bonnetain et al. [6] studied 2K-/4K-Feistel schemes against quantum slide attacks. Notably, Hosoyamada and Iwata [18] proved a quantum security bound of the 4-Round Luby-Rackoff construction recently.
Our Contributions. We continue the work of Dong, Li, and Wang [10] to evaluate the security of Type-1 GFSs against quantum attacks. We focus on Type-1 GFSs, as the structure is employed in the above mentioned practical designsFootnote 1. We give some improved attacks on Type-1 GFSs in Q2 model with both quantum chosen-plaintext attack (qCPA) setting and quantum chosen-ciphertext attack (qCCA) setting. Then, some applications to CAST-256 block ciphers are given. We have three contributions:
-
First, in qCPA setting, we give new quantum polynomial-time distinguishers on \((3d-3)\)-round Type-1 GFS with branches \(d\ge 3\), which gain \((d-2)\) more rounds than the previous distinguishers. The improvement is obtained by shifting the position of \(\alpha _b\), which is a constant used to define a period, so that the period is preserved for longer rounds. It turns out that the observation is simple, but effective to improve the number of rounds that we can attack. Based on Leander and May’s algorithm [30], we could get better key-recovery attacks, whose time complexities gain a factor of \(2^{\frac{(d-2)n}{2}}\), where n is the bit length of the branch.
-
Second, assuming that we are in the qCCA setting, we show a distinguishing attack against the \((d^2-d + 1)\)-round version. The number of rounds is significantly larger than the above, and this follows the intuition in the classical setting where the diffusion of Type-1 GFS in the decryption direction is slow, which is pointed out in [33]. The distinguishers in both qCPA and qCCA settings and the key-recovery attacks are summarized in Tables 1 and 2.
-
Third, we also evaluate CAST-256 block cipher against quantum attacks. We find 14-round polynomial-time quantum distinguishers in qCPA setting. Note that the best previous one is 7 rounds [10]. Based on this, we could derive quantum key-recovery attack on 20-round CAST-256. Compared to this, the best previous quantum key-recovery attack is on 16 rounds. The results are summarized in Table 3. We also compare our quantum attacks with classical attacks in Table 4. When the key size of CAST-256 is 128, our result also reaches 17 rounds, which gains one more round than before.
2 Preliminaries
2.1 Notation
For a positive integer n, let \(\{0,1\}^n\) be the set of all strings of n bits. Let \(\mathrm {Perm}(n)\) be the set of all permutations on \(\{0,1\}^n\), and let \(\mathrm {Func}(n)\) be the set of all functions from \(\{0,1\}^n\) to \(\{0,1\}^n\). For vectors a and b of the same dimension, we denote their inner product by \(a\cdot b\). In this paper, e denotes Napier’s number.
2.2 Type-1 Generalized Feistel Schemes
In this section, we describe Type-1 generalized Feistel schemes (GFSs) [46]. In Type-1 GFS, we divide the dn-bit state into d branches, where \(d\ge 3\) and each branch constitutes an n-bit sub-block. Let \(\varPhi _r\) denote the encryption algorithm of the r-round Type-1 GFS, and \(\varPhi ^{-1}_r\) denote its decryption algorithm. Let \(R_1,R_2,\dots ,R_r\in \mathrm {Func}(n)\) be the keyed round functions of \(\varPhi _r\). We assume that the function \(R_i\) takes a \(k\)-bit key \(k_i\) as input (thus the total key length of \(\varPhi _r\) is \(rk\) bits). \(\varPhi _r\) takes a plaintext \((x_0^0,x_1^0,\dots ,x_{d-1}^0)\in (\{0,1\}^n)^d\) as input, and outputs a ciphertext \((x_0^r,x_1^r,\dots ,x_{d-1}^r)\in (\{0,1\}^n)^d\), where the i-th round is defined as
The decryption is naturally defined by reversing the direction of the shift of the branches. Figure 1 shows the i-th round of Type-1 GFS.
2.3 Simon’s Algorithm
Here we review Simon’s algorithm [40] that is the basis of our distinguishers. Simon’s algorithm solves the following problem efficiently.
Problem 1
Given a function \(f:\{0,1\}^n\rightarrow \{0,1\}^n\) that has a non-zero period \(s\in \{0,1\}^n\) such that
for any distinct \(x,x'\in \{0,1\}^n\), the goal is to find the period s.
In the classical setting, \(O(2^{n/2})\) queries are needed to find s, while Simon’s algorithm finds s with O(n) quantum queries.
In what follows, we recall how Simon’s algorithm works. Assume that we have access to the quantum oracle \(U_f\), which is defined as . For an n-qubit state , Hadamard transformation \(H^{{}\otimes n}\) is defined as . Simon proposed a circuit \({\mathcal S}_f\) that computes a vector that is orthogonal to s for a periodic function f, which is defined as \({\mathcal S}_f=(H^{{}\otimes n}\otimes I_n) \cdot U_f \cdot (H^{{}\otimes n}\otimes I_n)\) and works as follows.
If f satisfies \(f(x)=f(x')\Leftrightarrow x'=x\oplus s\), then Eq. (1) can be rearranged as
where V is a linear subspace of \(\{0,1\}^n\) of dimension \((n-1)\) that partitions \(\{0,1\}^n\) into cosets V and \(V+s\). The vector y such that \(y\cdot s\equiv 1\pmod {2}\) satisfies \((-1)^{x\cdot y}+(-1)^{(x\oplus s)\cdot y}=0\). Therefore, the vector y that we obtain by measuring the first n qubits of satisfies \(y\cdot s\equiv 0\pmod {2}\). By repeating this measurement for O(n) times, we obtain \((n-1)\) linearly independent vectors that are all orthogonal to s with a high probability. Then we can recover s by solving the system of linear equations with \(O(n^3)\) classical steps.
2.4 Quantum Distinguisher Based on Simon’s Algorithm
Next, we introduce a quantum distinguisher based on Simon’s algorithm. We follow the approach of Kaplan et al. [24] and Santoli and Schaffner [37], and the formalization by Ito et al. [22]. To recover s with Simon’s algorithm, the function f has to satisfy \(f(x)=f(x')\Leftrightarrow x'=x\oplus s\). However, for distinguishers, the condition can be relaxed.
In more detail, suppose that we are given an oracle \({\mathcal O}:\{0,1\}^n\rightarrow \{0,1\}^n\), which is either an encryption algorithm \(E_K\in \mathrm {Perm}(n)\) or a random permutation \(\varPi \in \mathrm {Perm}(n)\), and our goal is to distinguish the two cases. We assume that the quantum oracles \(U_{\mathcal O}\) and \(U_{{\mathcal O}^{-1}}\) are given. The distinguisher in [22] can be applied to a function \(f^{\mathcal O}:\{0,1\}^\ell \rightarrow \{0,1\}^m\), where there exists a non-zero period s when \({\mathcal O}=E_K\), i.e., \(f^{\mathcal O}\) such that \(f^{E_K}(x)=f^{E_K}(x\oplus s)\) holds for all x. We expect that, with a high probability, \(f^\varPi \) does not have any period. The distinguisher works as follows:
-
1.
Prepare an empty set \({\mathcal Y}\).
-
2.
Measure the first \(\ell \) qubits of and add the obtained vector y to \({\mathcal Y}\) for \(\eta \) times.
-
3.
Calculate the dimension d of the vector space spanned by \({\mathcal Y}\).
-
4.
If \(d=\ell \), then output \({\mathcal O}=\varPi \), otherwise output \({\mathcal O}=E_K\).
If \(f^{\mathcal O}\) has the period s, the obtained vector y is orthogonal to s. Therefore the dimension d of the vector space spanned by \({\mathcal Y}\) is at most \(\ell -1\). On the other hand, if \(f^{\mathcal O}\) has no period, the dimension can reach \(\ell \). Thus we can distinguish the two cases by checking the dimension.
This distinguisher fails only if \({\mathcal O}=\varPi \) and the dimension of the vector space spanned by \({\mathcal Y}\) is less than \(\ell \). To analyze the success probability of the distinguisher, define a parameter \(\epsilon _f^\pi \) as
where \(\pi \in \mathrm {Perm}(n)\) is a fixed permutation. This parameter shows how the dimension of y is biased when \(\varPi =\pi \). If this parameter is large (i.e., there exists t that is close to a period), then with a high probability, the vector space spanned by \({\mathcal Y}\) is orthogonal to t. Thus, we take a small constant \(0\le \delta <1\) arbitrarily, and we say that a permutation \(\pi \) is irregular if \(\epsilon _f^{\pi }>1-\delta \). In addition, define the set of the irregular permutations \(\mathsf{irr}_f^\delta \) as
The following theorem was proved in [22].
Theorem 1
([22]). Let \(\ell \) and m be positive integers that are O(n). Assume that we have a quantum circuit with \(O(poly(\ell ,m))\) qubits which computes \(f^{\mathcal O}:\{0,1\}^\ell \rightarrow \{0,1\}^m\) by making O(1) queries to \({\mathcal O}\), and runs in time \(T(\ell ,m)\). The distinguisher makes \(O(\eta )\) quantum queries, and distinguishes \(E_K\) from \(\varPi \) with probability at least
This shows that the distinguisher succeeds if \(\Pr _\varPi [\varPi \in \mathsf{irr}_f^\delta ]\) is a small value.
2.5 Hosoyamada and Sasaki’s Method to Truncate Outputs of Quantum Oracles
At ISIT 2010, Kuwakado and Morii [28] introduced a quantum distinguishing attack on 3-round Feistel scheme by using Simon’s algorithm. As shown in Fig. 2, let \(\alpha _0\) and \(\alpha _1\) be arbitrary constants, and define f as:
E is the 3-round Feistel scheme and f can be written as \(f(b,x)=R_2(R_1(\alpha _b)\oplus x))\). It is easy to see that f is a periodic function that satisfies \(f(b,x)=f(b\oplus 1, x\oplus R_1(\alpha _0)\oplus R_1(\alpha _1))\) for any (b, x). Then by using Simon’s algorithm, one obtains the period \(s=1\Vert R_1(\alpha _0)\oplus R_1(\alpha _1)\) in polynomial time.
In the above distinguisher, one has to truncate the 2n-bit output of E to obtain the right half n bits, namely \(x_1^3\). However, Kaplan et al. [24] and Hosoyamada et al. [19] pointed out that in quantum setting, it is non-trivial to truncate the entangled 2n qubits to n qubits, since the usual truncation destroys entanglements.
At SCN 2018, Hosoyamada and Sasaki [19] introduced a method to simulate truncation of outputs of quantum oracles without destroying quantum entanglements. Here, we review their method. Let \(\mathcal {O}:|x\rangle |y\rangle |z\rangle |w\rangle \mapsto |x\rangle |y\rangle |z\oplus \mathcal {O}_L(x,y)\rangle |w\oplus \mathcal {O}_R(x,y)\rangle \) be the encryption oracle \(E_K\), where \(\mathcal {O}_L\), \(\mathcal {O}_R\) denote the left and right n bits of the complete encryption, respectively. The goal is to simulate the oracle \(\mathcal {O}_R:|x\rangle |y\rangle |w\rangle \mapsto |x\rangle |y\rangle |w\oplus \mathcal {O}_R(x,y)\rangle \). Hosoyamada and Sasaki first try to simulate a tweaked \(\mathcal {O}_R\), i.e., \(\mathcal {O}'_R:|x\rangle |y\rangle |w\rangle |0^{n}\rangle \mapsto |x\rangle |y\rangle |w\oplus \mathcal {O}_R(x,y)\rangle |0^{n}\rangle \) with ancilla qubits. Let \(|+\rangle :=H^{\otimes n}|0^{n}\rangle =\frac{1}{\sqrt{2^{n}}}\sum _z|z\rangle \), where \(H^{\otimes n}\) is an n-qubit Hadamard gate. Thus,
Let \(z'=z\oplus \mathcal {O}_L(x,y)\). Then Eq. (2) becomes
So \(\mathcal {O}|x\rangle |y\rangle |+\rangle |w\rangle =|x\rangle |y\rangle |+\rangle |w\oplus \mathcal {O}_R(x,y)\rangle \). Hosoyamada and Sasaki define \(\mathcal {O}'_R:=(I\otimes H^{\otimes n})\circ \texttt {Swap}\circ \mathcal {O} \circ \texttt {Swap}\circ (I\otimes H^{\otimes n})\), where \(\texttt {Swap}\) is an operator that swaps the last 2n bits: \(|x\rangle |y\rangle |z\rangle |w\rangle \mapsto |x\rangle |y\rangle |w\rangle |z\rangle \). So we have
Hence, \(\mathcal {O}_R\) could be simulated given the complete encryption oracle \(\mathcal {O}\) using ancilla qubits. Intuitively, Hosoyamada and Sasaki first randomize the left part by using the Hadamard transformation, and then force it to become \(|0^n\rangle \) by applying the Hadamard transformation again.
2.6 Combining Grover Search and Distinguishers
Leander and May combined Grover search and Simon’s algorithm to show a key recovery attack against the FX construction [30]. Hosoyamada and Sasaki [19], and Dong and Wang [11] showed key recovery attacks against Feistel schemes by using this combining technique.
Grover Search. Grover search provides a quadratic speed up on unsorted-database search [13]. Let N be the number of elements in the database, and assume that there exists only one target element. In the classical setting, we can find the target element in time O(N). However, in the quantum setting, Grover’s algorithm can find it in time \(O(\sqrt{N})\).
This algorithm was generalized later as quantum amplitude amplification by Brassard et al. [7] as in the following theorem.
Theorem 2
([7]). Let \({\mathcal A}\) be any quantum algorithm on q qubits that uses no measurement. Let \({\mathcal B}:\{0,1\}^q\rightarrow \{0,1\}\) be a function that classifies outcomes of \({\mathcal A}\) as good or bad. Let \(p>0\) be the initial success probability that a measurement of is good. Set \(m=\lfloor \pi / 4\theta _p \rfloor \), where \(\theta _p\) is defined so that \(\sin ^2(\theta _p)=p\) and \(0<\theta _p\le \pi /2\). Moreover, define the unitary operator \(Q=-{\mathcal A}S_0{\mathcal A}^{-1}S_{\mathcal B}\), where the operator \(S_{\mathcal B}\) conditionally changes the sign of the amplitudes of the good states,
while the operate \(S_0\) changes the sign of the amplitude if and only if the state is the zero state . Then, after the computation of , a measurement is good with probability at least \(\max \{1-p,p\}\).
Key Recovery Attack Against the FX Construction. The FX construction by Killian and Rogaway is a way to extend the key length of a block cipher [25, 26]. Let E be an n-bit block cipher that takes an m-bit key \(k_0\) as input. The FX construction under two additional n-bit keys \(k_1,k_2\) is described as
Figure 3 shows the FX construction.
Leander and May constructed a function f(k, x) that is defined as
If \(k=k_0\), f(k, x) satisfies \(f(k,x)=f(k,x\oplus k_1)\) for all \(x\in \{0,1\}^n\). That is, the function \(f(k_0,\cdot )\) has a period \(k_1\). However, if \(k\ne k_0\), with a high probability, the function \(f(k,\cdot )\) does not have any period. Then they apply Grover search over \(k\in \{0,1\}^m\). They construct the classifier \({\mathcal B}\) that identifies the states as good if \(k=k_0\) by using Simon’s algorithm to \(f(k,\cdot )\). The time complexity of Grover search is \(O(2^{m/2})\) and Simon’s algorithm runs in time O(n) in the classifier \({\mathcal B}\). Thus this attack runs in time \(O(2^{m/2})\). For more details, see [30].
3 Previous Attacks
In this section, we review the quantum attacks against Type-1 GFSs by Dong et al. [10]. They showed a \((2d-1)\)-round distinguishing attack and a \((d^2-d+2)\)-round key recovery attack.
We first review the distinguishing attack. Let \(\alpha _0, \alpha _1\in \{0,1\}^n\) be two arbitrary distinct n-bit constants, and \(x_1^0, x_2^0, \dots , x_{d-2}^0\in \{0,1\}^n\) be arbitrary n-bit constants. Given the oracle \({\mathcal O}\), they define a function \(f^{\mathcal O}\) as
Let the intermediate state value after the first i rounds be \((x_0^i, x_1^i,\dots , x_{d-1}^i)\). If \({\mathcal O}\) is \(\varPhi _{2d-1}\), then the function \(f^{\mathcal O}\) is described as
where in the second equality, we use the fact that \(x_0^{i}=x_{d-1}^{i+1}=x_{d-2}^{i+2}=\dots = x_1^{i+d-1}\) (See Fig. 4). Let \(h(\cdot )=R_{d-1}(R_{d-2}(\cdots R_2(R_1(\cdot )\oplus x_1^0)\oplus x_2^0 \cdots )\oplus x_{d-2}^0)\). We see that \(h(\cdot )\) is a function that is independent of the input (b, x), since \(x_1^0,x_2^0,\dots , x_{d-2}^0\) are constants. By using \(h(\cdot )\), we can describe Eq. (4) as \(f^{\mathcal O}=R_d(h(\alpha _b)\oplus x)\), and \(f^{\mathcal O}\) satisfies
This implies that the function \(f^{\mathcal O}\) has the period \((1,h(\alpha _0)\oplus h(\alpha _1))\).
If \({\mathcal O}\) is \(\varPi \), then with a high probability, \(f^{\mathcal O}\) does not have any period. Therefore, \(\Pr _\varPi [\varPi \in \mathsf{irr}_f^\delta ]\) is a small value and we can distinguish the two cases.
We next review the key recovery attack. We recover the key of the \((d^2-d+2)\)-round Type-1 GFS by appending \((d^2-3d+3)\) rounds after the \((2d-1)\)-round distinguisher (See Fig. 5). For each \(x^i_1\), where \(d\ge 3\), we have \(x^i_1=R_{i+1}(x^{i+1}_d,k_{i+1})\oplus x^{i+1}_0\). This implies that when we need the value of \(x^i_1\), we have to recover \(k_{i+1}\). From the property of Feistel cipher, we have \(x^i_j=x^{i+1}_{j-1}=\cdots =x^{i+j-1}_1\) for \(3\le j \le d\), and \(x^i_0=x^{i+d-1}_1\). For d branches, it holds that \(x^{2d-1}_1=R_{2d}(x^{2d}_{d-1},k_{2d})\oplus x^{2d}_0\), and thus we need to recover one sub-key \(k_{2d}\), and since \(x^{2d}_0=x^{3d-1}_1\) and \(x^{2d}_{d-1}=x^{3d-2}_1\) hold, we need two sub-keys \(k_{3d-1}\) and \(k_{3d}\). By parity of this reasoning, the subkey length that we need to recover becomes \([1+2+3+\cdots +(d-2)]k+k=(\frac{d^2}{2}-\frac{3d}{2}+2)k\) bits. Thus, the time complexity of the exhaustive search for \((d^2-d+2)\) rounds by Grover search is \(O(2^{(\frac{d^2}{2}-\frac{3d}{2}+2)\cdot \frac{k}{2}})\). The distinguisher runs in time O(n) and the time complexity of this attack is \(O(2^{(\frac{d^2}{2}-\frac{3d}{2}+2)\cdot \frac{k}{2}})\).
This attack is better than the direct application of Grover search to the entire \((d^2-d+2)k\)-bit subkey. If we recover the subkey of r rounds for \(r>d^2-d+2\), the time complexity is \(O(2^{(\frac{d^2}{2}-\frac{3d}{2}+2)\cdot \frac{k}{2}+\frac{(r-d^2+d-2)k}{2}})\), since the subkey length that we need to recover becomes \((\frac{d^2}{2}-\frac{3d}{2}+2)k+(r-d^2+d-2)k\) bits in total.
4 \((3d-3)\)-Round Distinguishing Attack in qCPA Setting
In this section, we present our distinguishing attacks against \((3d-3)\)-round Type-1 GFSs. We improve the number of rounds that we can distinguish from \((2d-1)\) rounds to \((3d-3)\) rounds by shifting the position of \(\alpha _b\) in the plaintext.
As before, we first fix two arbitrary distinct constants \(\alpha _0, \alpha _1\in \{0,1\}^n\) and fix arbitrary constants \(x_0^0, x_1^0, \dots ,x_{d-3}^0\in \{0,1\}^n\). Given the oracle \({\mathcal O}\), we define a function \(f^{\mathcal O}\) as
Observe that the difference from Eq. (3) is the position of \(\alpha _b\).
If \({\mathcal O}\) is \(\varPhi _{3d-3}\), let \((x_0^i, x_1^i,\dots , x_{d-1}^i)\) be the intermediate state value after the first i rounds. Now \(f^{\mathcal O}\) is described as:
since \(x_0^{i}=x_{d-1}^{i+1}=x_{d-2}^{i+2}=\dots = x_1^{i+d-1}\) (See Fig. 6).
Our main observation is the following lemma.
Lemma 1
If \({\mathcal O}\) is \(\varPhi _{3d-3}\), then for any \(b\in \{0,1\}\) and \(x\in \{0,1\}^n\), the function \(f^{\mathcal O}\) satisfies
where \(C=R_{d-2}(R_{d-3}(\cdots R_1(x_0^0)\oplus x_1^0 \cdots )\oplus x_{d-3}^0)\). That is, \(f^{\mathcal O}\) has the period \(s=(1, R_{d-1}(C\oplus \alpha _0)\oplus R_{d-1}(C\oplus \alpha _1))\).
Proof
We first consider the intermediate state value after the first \((d-2)\) rounds in which \(\alpha _b\) reaches the leftmost position (See Fig. 6). The value is described as
For \(1\le i \le d-3\), \(x_0^i\) is described as
We see that \(x_0^i\) is a constant that is independent of the input (b, x), since \(x_0^0, x_1^0, \dots , x_{d-3}^0\) are constants. Let \(C=R_{d-2}(x_0^{d-3})\), which is independent of (b, x) and hence can be treated as a constant. The output after one more round, which is the output after the first \((d-1)\) rounds, is described as
Now we consider the value of \(x_0^{2d-2}\). This is the intermediate state value after the first \((2d-2)\) rounds in which \(\alpha _b\oplus C\) reaches the leftmost position again, and is described as
where \(R'(\cdot )=R_{2d-2}(R_{2d-3}(\cdots R_{d+1}(R_{d}(\cdot )\oplus x_0^0)\oplus x_0^1 \cdots )\oplus x_0^{d-3})\) (See Fig. 6). \(R'(\cdot )\) is a function that is independent of the input (b, x), since \(x_0^0,x_0^1,\dots , x_0^{d-3}\) are constants. From Eqs. (5) and (6), the function \(f^{\mathcal O}\) is described as
The function \(f^{\mathcal O}\) has the claimed period since it satisfies
and hence the lemma follows. \(\square \)
Therefore, we can distinguish the \((3d-3)\)-round Type-1 GFS by using the function \(f^{\mathcal O}\). The success probability of the distinguishing attack with measuring \((4n+4)\) times is at least \(1-(2/e)^{n+1}-\Pr [\varPi \in \mathsf{irr}_f^{1/2}]\), where we use \(\delta =1/2\) and \(\eta =4n+4\). Note that \(\Pr [\varPi \in \mathsf{irr}_f^{1/2}]\) is a small value, since with a high probability, the function \(f^{\mathcal O}\) does not have any period when \({\mathcal O}\) is \(\varPi \), since \(\varPi \) is a random permutation.Footnote 2
5 \((d^2-d+1)\)-Round Distinguishing Attack in qCCA Setting
If we can use the decryption oracle in the quantum setting, we can construct a distinguishing attack against the \((d^2-d+1)\)-round Type-1 GFS. We write the i-th round function in decryption as \(R_i\). Note that this is different from the notation in Sect. 4.
We fix two distinct constants \(\alpha _0, \alpha _1\) and \((d-2)\) constants \(x_1^0, x_2^0, \dots , x_{d-2}^0\), which are all n bits. Given the decryption oracle \({\mathcal O}^{-1}\), we define \(f^{{\mathcal O}^{-1}}\) as
Consider the case \({\mathcal O}^{-1}=\varPhi ^{-1}_{d^2-d+1}\), and let the intermediate state value after the first i rounds be \((x_0^i, x_1^i,\dots , x_{d-1}^i)\). \(f^{{\mathcal O}^{-1}}\) is described as:
since \(x_1^{i}=x_{2}^{i+1}=x_{3}^{i+2}=\dots = x_0^{i+d-1}\) (See Fig. 7).
The following lemma holds.
Lemma 2
If \({\mathcal O}^{-1}\) is \(\varPhi ^{-1}_{d^2-d+1}\), then for any \(b\in \{0,1\}\) and \(x\in \{0,1\}^n\), the function \(f^{{\mathcal O}^{-1}}\) satisfies
That is, \(f^{{\mathcal O}^{-1}}\) has the period \(s=(1, R_{1}(\alpha _0)\oplus R_{1}(\alpha _1))\).
Proof
In the first round, \(R_1(\alpha _b)\) is xored into x. In the d-th round, the value \(R_1(\alpha _b)\oplus x\) is used as the input of \(R_d\), and the output of \(R_d\) is xored into \(x_1^0\). This implies that \(x_1^d\) is
See Fig. 7. The function \(R(\cdot )=R_d(\cdot )\oplus x_1^0\) is independent of the input (b, x), since \(x_1^0\) is a constant. Therefore, Eq. (8) can be described as
with some function \(R\in \mathrm {Func}(n)\). After additional \((d-1)\) rounds, this value is used as the input of \(R_{2d-1}\), and the output of \(R_{2d-1}\) is xored into the sub-block which was \(x_2^0\) at the input. The sub-block which was \(x_2^0\) at the input is a constant because it is not xored by the value that includes b nor x (Specifically, it depends only on \(x_1^0\)). Therefore, for some function \(R'\in \mathrm {Func}(n)\), the value of \(x_1^{2d-1}\) is described as
After that, for each \((d-1)\) rounds, this value is used as the input to the round function and the output is xored into the sub-block which was \(x_i^0\) at the input, for \(i=3,4,\ldots ,d-2\). We see that the sub-block itself depends on \(x_1^0,\ldots ,x_{i-1}^0\), but it is a constant that is independent of the input (b, x) since a value related to (b, x) is not xored into the sub-block. Therefore, the value of \(x_1^{2d-1+(d-1)\times (d-4)}=x_1^{d^2-3d+3}\) is described as
for some function \(R''\in \mathrm {Func}(n)\).
In the \((d^2-2d+2)\)-th round, \(R_{d^2-2d+2}(R''(R_1(\alpha _b)\oplus x))\) is xored into the sub-block which was \(\alpha _b\) at the input. Since only the value that does not include b nor x is xored into the sub-block which was \(\alpha _b\), with some function \(R'''\in \mathrm {Func}(n)\), the value of \(x_1^{d^2-2d+2}\) is described as
From Eqs. (7) and (9), the function \(f^{{\mathcal O}^{-1}}\) can be written as
The function \(f^{\mathcal O}\) satisfies
and hence we have the lemma. \(\square \)
The success probability of the distinguishing attack using the function \(f^{{\mathcal O}^{-1}}\) with measuring \((4n+4)\) times is at least \(1-(2/e)^{n+1}-\Pr [\varPi \in \mathsf{irr}_f^{1/2}]\), where we use \(\delta =1/2\) and \(\eta =4n+4\). We see that \(\Pr [\varPi \in \mathsf{irr}_f^{1/2}]\) is a small value, and hence the attack succeeds with a high probability.
6 Key Recovery Attacks on Type-1 GFSs
Similarly to the previous key recovery attacks by Dong et al. [10] that combine Grover search and the distinguisher, we can construct key recovery attacks against Type-1 GFSs based on our distinguishers.
With the \((3d-3)\)-round distinguisher in qCPA setting, we can recover the key of the \(d^2\)-round Type-1 generalized Feistel cipher in time \(O(2^{(\frac{d^2}{2}-\frac{3d}{2}+2)\cdot \frac{k}{2}})\) by replacing the \((2d-1)\)-round distinguisher in Dong et al.’s attack with our \((3d-3)\)-round distinguisher. In general, the key recovery attack against the r-round version, where \(r\ge d^2\), runs in time \(O(2^{(\frac{d^2}{2}-\frac{3d}{2}+2)\cdot \frac{k}{2}+\frac{(r-d^2)k}{2}})\).
With the \((d^2-d+1)\)-round distinguisher in qCCA setting, by using the decryption oracle, we can recover the key of the r-round Type-1 GFS for \(r> d^2-d+1\) in time \(O(2^{\frac{(r-(d^2-d+1))k}{2}})\), because the subkey length that we need to recover is \((r-d^2+d-1)k\) bits.
If \(d=3\), the time complexity of these two key recovery attacks is the same because \((\frac{d^2}{2}-\frac{3d}{2}+2)\cdot \frac{k}{2}+\frac{(r-d^2)k}{2} - \frac{(r-(d^2-d+1))k}{2}=\frac{k(d-2)(d-3)}{4}\). If \(d>3\), the key recovery attack with the \((d^2-d+1)\)-round distinguisher is better than the one with the \((3d-3)\)-round distinguisher.
7 Quantum Attacks on Round-Reduced CAST-256 Block Cipher in qCPA Setting
CAST-256 block cipher [1] is a first-round AES candidate. It has 48 rounds, including 24 rounds Type-1 GFS and 24 rounds inverse Type-1 GFS. The block size is 128 bits, which are divided into four 32-bit branches and the key size can be 128, 192 or 256 bits. Each round function absorbs 37-bit subkey. Our attack is quite general and does not need any other details of the cipher.
In this section, we introduce a new 14-round quantum distinguisher in qCPA on CAST-256 shown in Fig. 8. The distinguisher, started from the 24th round, is composed of 1-round Type-1 GFS and 13-round inverse Type-1 GFS. It is derived based on the result presented in Sect. 5. When \(d=4\), \((d^2-d+1) = 13\) round distinguisher is obtained (from round \(R_{25}\) to \(R_{37}\) of CAST-256). Thanks to the special structure of CAST-256, we could add one more round \(R_{24}\) to the 13-round distinguisher for free. Hence, the 14-round distinguisher is derived.
We also fix two distinct constants \(\alpha _0, \alpha _1\) and 2 constants \(x_2^{23}, x_3^{23}\), which are all n bits. Given the 14-round CAST-256 encryption oracle \({\mathcal O}\), we define \(f^{{\mathcal O}}\) as
According to Lemma 2, \(f^{\mathcal O}\) has the period \(s=(1,R_{24}(\alpha _0)\oplus R_{25}(\alpha _0)\oplus R_{24}(\alpha _1)\oplus R_{25}(\alpha _1))\). As is shown in Sect. 6, we could add or append several rounds to attack \(r>14\) rounds CAST-256 in time \({\mathcal O}(2^{\frac{37(r-14)}{2}})\), because the subkey length that we need to recover is \(37(r-14)\) bits. Thus we could attack 20-round CAST-256 with 256-bit key in time \(2^{111}\), which is faster than Grover’s algorithm by a factor of \(2^{128-111}=2^{17}\).
8 Conclusions
In this paper, we give some improved polynomial-time quantum distinguishers on Type-1 GFS in qCPA and qCCA settings. First, we give new qCPA quantum distinguishers on \((3d-3)\)-round Type-1 GFS with branches \(d\ge 3\), which gain \((d-2)\) more rounds than the previous distinguishers. Hence, we could get better key-recovery attacks, whose time complexities gain a factor of \(2^{\frac{(d-2)n}{2}}\). We also obtain \((d^2-d+1)\)-round qCCA quantum distinguishers on Type-1 GFS, which gain many more rounds than the previous distinguishers. In addition, we also discuss the quantum attack on CAST-256 block cipher.
As an open question, the tight bound of the number of rounds that we can distinguish is not known. There is a possibility that we can distinguish more than \((3d - 3)\) rounds in qCPA setting, and we may distinguish more than \((d^2 - d + 1)\) rounds in qCCA setting. Moreover, we may distinguish more than 14 rounds of CAST-256 when considering its special structure, which applies both Type-1 GFS and its inverse as the round functions. We anticipate the analysis with respect to the provable security approach in [18] can settle the problem, while this is beyond the scope of this paper. We also note that we do not know the impact of combining qCPA and qCCA as applied against 4-round Feistel block ciphers in [22].
Another open question is that, we could apply \((d^2-d+1)\)-round qCCA quantum distinguishers to other block ciphers. Note that when the branch number is large, the distinguisher becomes very long.
Notes
- 1.
Dong, Li, and Wang also analyzed Type-2 GFSs [10], and we do not know if quantum attacks on Type-2 GFSs can be improved.
- 2.
References
Adams, C., Gilchrist, J.: The CAST-256 encryption algorithm. RFC 2612, June 1999
Anderson, R.J., Biham, E.: Two practical and provably secure block ciphers: BEAR and LION. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 113–120. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-60865-6_48
Aoki, K., et al.: Camellia: a 128-bit block cipher suitable for multiple platforms—design and analysis. In: Stinson, D.R., Tavares, S. (eds.) SAC 2000. LNCS, vol. 2012, pp. 39–56. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44983-3_4
Bogdanov, A., Leander, G., Nyberg, K., Wang, M.: Integral and multidimensional linear distinguishers with correlation zero. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 244–261. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_16
Bonnetain, X.: Quantum key-recovery on full AEZ. In: Adams, C., Camenisch, J. (eds.) SAC 2017. LNCS, vol. 10719, pp. 394–406. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-72565-9_20
Bonnetain, X., Naya-Plasencia, M., Schrottenloher, A.: On quantum slide attacks. Cryptology ePrint Archive, Report 2018/1067 (2018). https://eprint.iacr.org/2018/1067
Brassard, G., Hoyer, P., Mosca, M., Tapp, A.: Quantum amplitude amplification and estimation. Contemp. Math. 305, 53–74 (2002)
Dinur, I., Dunkelman, O., Keller, N., Shamir, A.: New attacks on Feistel structures with improved memory complexities. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 433–454. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_21
Dong, X., Dong, B., Wang, X.: Quantum attacks on some Feistel block ciphers. Cryptology ePrint Archive, Report 2018/504 (2018). https://eprint.iacr.org/2018/504
Dong, X., Li, Z., Wang, X.: Quantum cryptanalysis on some generalized Feistel schemes. Sci. China Inf. Sci. 62(2), 022501 (2019)
Dong, X., Wang, X.: Quantum key-recovery attack on Feistel structures. Sci. China Inf. Sci. 61(10), 102501:1–102501:7 (2018)
National Soviet Bureau of Standards: Information processing system - cryptographic protection - cryptographic algorithm GOST 28147–89
Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Proceedings of the Twenty-Eighth Annual ACM Symposium on the Theory of Computing, Philadelphia, Pennsylvania, USA, May 22–24, 1996, pp. 212–219 (1996)
Gueron, S., Mouha, N.: Simpira v2: a family of efficient permutations using the AES round function. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 95–125. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_4
Guo, J., Jean, J., Nikolić, I., Sasaki, Y.: Meet-in-the-middle attacks on generic Feistel constructions. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 458–477. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_24
Guo, J., Jean, J., Nikolic, I., Sasaki, Y.: Meet-in-the-middle attacks on classes of contracting and expanding Feistel constructions. IACR Trans. Symmetric Cryptol. 2016(2), 307–337 (2016)
Hoang, V.T., Rogaway, P.: On generalized Feistel networks. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 613–630. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_33
Hosoyamada, A., Iwata, T.: 4-round Luby-Rackoff construction is a qPRP. In: Galbraith, S., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, Springer, Cham (2019). To appear
Hosoyamada, A., Sasaki, Y.: Quantum Demiric-Selçuk meet-in-the-middle attacks: applications to 6-round generic Feistel constructions. In: Catalano, D., De Prisco, R. (eds.) SCN 2018. LNCS, vol. 11035, pp. 386–403. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98113-0_21
Isobe, T., Shibutani, K.: Generic key recovery attack on Feistel scheme. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8269, pp. 464–485. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-42033-7_24
Ito, G., Hosoyamada, A., Matsumoto, R., Sasaki, Y., Iwata, T.: Quantum chosen-ciphertext attacks against Feistel ciphers. Cryptology ePrint Archive, Report 2018/1193 (2018). https://eprint.iacr.org/2018/1193
Ito, G., Hosoyamada, A., Matsumoto, R., Sasaki, Y., Iwata, T.: Quantum chosen-ciphertext attacks against Feistel ciphers. In: Matsui, M. (ed.) CT-RSA 2019. LNCS, vol. 11405, pp. 391–411. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-12612-4_20
Jutla, C.S.: Generalized birthday attacks on unbalanced Feistel networks. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 186–199. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055728
Kaplan, M., Leurent, G., Leverrier, A., Naya-Plasencia, M.: Breaking symmetric cryptosystems using quantum period finding. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 207–237. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_8
Kilian, J., Rogaway, P.: How to protect DES against exhaustive key search. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 252–267. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_20
Kilian, J., Rogaway, P.: How to protect DES against exhaustive key search (an analysis of DESX). J. Cryptol. 14(1), 17–35 (2001)
Knudsen, L.R.: The security of Feistel ciphers with six rounds or less. J. Cryptol. 15(3), 207–222 (2002)
Kuwakado, H., Morii, M.: Quantum distinguisher between the 3-round Feistel cipher and the random permutation. In: IEEE International Symposium on Information Theory, ISIT 2010, June 13–18, 2010, Austin, Texas, USA, Proceedings, pp. 2682–2685 (2010)
Kuwakado, H., Morii, M.: Security on the quantum-type Even-Mansour cipher. In: Proceedings of the International Symposium on Information Theory and its Applications, ISITA 2012, Honolulu, HI, USA, October 28–31, 2012, pp. 312–316 (2012)
Leander, G., May, A.: Grover meets Simon – quantumly attacking the FX-construction. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 161–178. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_6
Luby, M., Rackoff, C.: How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Comput. 17(2), 373–386 (1988)
Lucks, S.: Faster Luby-Rackoff ciphers. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 189–203. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-60865-6_53
Moriai, S., Vaudenay, S.: On the pseudorandomness of top-level schemes of block ciphers. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 289–302. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_22
Nachef, V., Volte, E., Patarin, J.: Differential attacks on generalized Feistel schemes. In: Abdalla, M., Nita-Rotaru, C., Dahab, R. (eds.) CANS 2013. LNCS, vol. 8257, pp. 1–19. Springer, Cham (2013). https://doi.org/10.1007/978-3-319-02937-5_1
Patarin, J., Nachef, V., Berbain, C.: Generic attacks on unbalanced Feistel schemes with contracting functions. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 396–411. Springer, Heidelberg (2006). https://doi.org/10.1007/11935230_26
Patarin, J., Nachef, V., Berbain, C.: Generic attacks on unbalanced Feistel schemes with expanding functions. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 325–341. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-76900-2_20
Santoli, T., Schaffner, C.: Using Simon’s algorithm to attack symmetric-key cryptographic primitives. Quantum Inf. Comput. 17(1&2), 65–78 (2017)
Schneier, B., Kelsey, J.: Unbalanced Feistel networks and block cipher design. In: Gollmann, D. (ed.) FSE 1996. LNCS, vol. 1039, pp. 121–144. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-60865-6_49
Shirai, T., Shibutani, K., Akishita, T., Moriai, S., Iwata, T.: The 128-bit blockcipher CLEFIA (extended abstract). In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 181–195. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74619-5_12
Simon, D.R.: On the power of quantum computation. SIAM J. Comput. 26(5), 1474–1483 (1997)
Tjuawinata, I., Huang, T., Wu, H.: Improved differential cryptanalysis on generalized Feistel schemes. In: Patra, A., Smart, N.P. (eds.) INDOCRYPT 2017. LNCS, vol. 10698, pp. 302–324. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-71667-1_16
Volte, E., Nachef, V., Patarin, J.: Improved generic attacks on unbalanced Feistel schemes with expanding functions. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 94–111. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_6
Wagner, D.: The boomerang attack. In: Knudsen, L. (ed.) FSE 1999. LNCS, vol. 1636, pp. 156–170. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48519-8_12
Wang, M., Wang, X., Hu, C.: New linear cryptanalytic results of reduced-round of CAST-128 and CAST-256. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 429–441. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04159-4_28
Zhandry, M.: How to construct quantum random functions. In: 53rd Annual IEEE Symposium on Foundations of Computer Science, FOCS 2012, New Brunswick, NJ, USA, October 20–23, 2012, pp. 679–687 (2012)
Zheng, Y., Matsumoto, T., Imai, H.: On the construction of block ciphers provably secure and not relying on any unproved hypotheses. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 461–480. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_42
Acknowledgments
The authors thank the anonymous reviewers for helpful comments. Boyu Ni and Xiaoyang Dong are supported by the National Key Research and Development Program of China (No. 2017YFA0303903), the National Natural Science Foundation of China (No. 61902207), the National Cryptography Development Fund (No. MMJJ20180101, MMJJ20170121).
Author information
Authors and Affiliations
Corresponding authors
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Ni, B., Ito, G., Dong, X., Iwata, T. (2019). Quantum Attacks Against Type-1 Generalized Feistel Ciphers and Applications to CAST-256. In: Hao, F., Ruj, S., Sen Gupta, S. (eds) Progress in Cryptology – INDOCRYPT 2019. INDOCRYPT 2019. Lecture Notes in Computer Science(), vol 11898. Springer, Cham. https://doi.org/10.1007/978-3-030-35423-7_22
Download citation
DOI: https://doi.org/10.1007/978-3-030-35423-7_22
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-35422-0
Online ISBN: 978-3-030-35423-7
eBook Packages: Computer ScienceComputer Science (R0)