1 Introduction

Many schemes have been designed in order to construct pseudo-random permutations using round functions. Examples of such schemes are given by classical Feistel schemes with random functions [7, 8, 14] or random permutations [6, 17], unbalanced Feistel schemes with expanding [5, 16, 21] or contracting functions [13, 15], Misty schemes [3, 11], generalized Feistel schemes of type 1, 2 and 3 [12]. Also, generic attacks on these different kinds of block ciphers have been extensively studied. By generic attacks, we mean that the keys are random functions.

In [18, 19], Vaudenay showed that if a block cipher has perfect pairwise decorrelation, then it is secure against linear and differential attacks. Moreover, adding an affine permutation as a round function in the construction of a block cipher makes it possible to obtain perfect pairwise decorrelation and thus to prevent linear and differential cryptanalysis. COCONUT and PEANUT [18] are examples of such schemes: they use any cipher, then an affine permutation, followed again by any cipher. In [13], the authors propose schemes for which there is first a pairwise independent permutation (an affine permutation is an example of a pairwise independent permutation) followed by a classical Feistel scheme or an unbalanced Feistel scheme with contracting functions, and with or without another affine permutation at the end. In [13], the security of these schemes is studied.

This is why it is quite natural and interesting to study generic attacks on schemes where we have a classical Feistel structure with several rounds together with one or two affine permutations as round functions introduced at some stage of the construction. This defines a family of schemes that we will denote by A-Feistel schemes. For example, it is possible to apply first an affine permutation and then several rounds of a Feistel scheme. We can also begin with a Feistel scheme and end with an affine permutation. Another possibility is to introduce an affine permutation after several rounds of a Feistel scheme and then to go on with a Feistel scheme. It is also possible to have first an affine permutation then a Feistel scheme and again a random permutation. As far as we know, no systematic study of attacks has been done. This is the aim of this paper.

We will study Known Plaintext Attacks (KPA) and non adaptive Chosen Plaintext Attacks (CPA-1). Since we introduce an affine permutation at the beginning, at the end, inside the Feistel scheme, or both at the beginning and at the end, by symmetry, we will obtain results for Known Ciphertext Attacks (KCA) and non adaptive Chosen Ciphertext Attacks (CCA-1). The aim of our attacks is to distinguish a random permutation from a random permutation produced by the schemes. For some of our attacks, we will make a precise analysis of standard deviations.

The paper is organized as follows. In Section 2, we define A-Feistel schemes. In Section 3, we describe our best KPA and CPA-1 on schemes with one affine permutation. We show that it is possible to attack up to 3 rounds (for the Feistel scheme) with a number of messages less than \(2^{2n}\) when the affine permutation is placed at the beginning or at the end of the scheme. When the affine permutation is situated between two Feistel schemes, we can attack up to 4 rounds with less than \(2^{2n}\) messages (this means that when we add the number of rounds for each Feistel scheme, we obtain 4 rounds). Then we describe attacks against generators of permutations. We did some simulations of our attacks. The results of these simulations are given in Section 3.3. In Section 4, we present attacks on schemes for which we apply first an affine permutation, then a Feistel scheme with several rounds and then an affine permutation. Section 5 is devoted to the computation of standard deviations in the case of A-Feistel schemes since the computation for random permutations can be done automatically as we will explain in the next section.

2 Definition of A-Feistel schemes and overview of the attacks

We use the following standard notations. The number of messages is denoted by \(m\). The set of the \(2^{n}\) binary strings of length \(n\) is denoted by \(\{0, 1\}^{n}\). For \(a, b \in \{0, 1\}^{n}\), \([a, b]\) will be the string of length \(2n\) of \(\{0, 1\}^{2n}\) which is the concatenation of \(a\) and \(b\). For \(a, b \in \{0, 1\}^{n}\), \(a \oplus b\) stands for bit by bit exclusive or of \(a\) and \(b\). The composition of functions is denoted by \(\circ\). The set of all functions from \(\{0, 1\}^{n}\) to \(\{0, 1\}^{n}\) is \(F_{n}\). Let \(f\) be a function of \(F_{n}\). Let \(L\), \(R\), \(S\) and \(T\) be elements of \(\{0, 1\}^{n}\). One round of A-Feistel scheme is defined by \(\Psi (f)[L,R] = [S,T] ~\overset {\text {def}}{\Leftrightarrow }~ \left (S=R\; \text {and} \; T=L \oplus f(R) \right )\). More generally, let \(f_{1}, f_{2}, \ldots , f_{d}\) be \(d\) functions of \(F_{n}\). Then by definition: \(\Psi ^{d}(f_{1}, \ldots , f_{d}) = \Psi (f_{d}) \circ \cdots \circ \Psi (f_{2}) \circ \Psi (f_{1})\). The permutation \(\Psi ^{d}(f_{1}, \ldots , f_{d})\) is called a “Feistel scheme with d rounds” and is denoted by \(\Psi ^{d}\).

We now define A-Feistel Schemes. We consider an affine permutation from \(\{0, 1\}^{2n}\) to \(\{0, 1\}^{2n}\). It is written under the form \(\varphi : M \mapsto A {\cdot } M \oplus C\) where \(A \in GL(2n, \mathbb F_{2})\) and \(C \in \{0, 1\}^{2n}\). In order to construct an A-Feistel scheme with “d rounds”, we use one or two affine permutations and a classical Feistel scheme with d rounds. Here d is related to the Feistel scheme. Let \(\varphi\) and \(\varphi ^{\prime }\) be affine permutations, an A-Feistel scheme with d rounds is one of the following permutations: \(\Psi ^{d} \circ \varphi\), \(\varphi \circ \Psi ^{d}\), \(\Psi ^{d_{2}} \circ \varphi \circ \Psi ^{d_{1}}\) with \(d_{1} + d_{2} = d\) or \(\varphi ^{\prime } \circ \Psi ^{d} \circ \varphi\). Since \(A\) is a linear permutation from \(\{0, 1\}^{2n}\) to \(\{0, 1\}^{2n}\), it can be represented by a matrix, still denoted by \(A\). We will write \(A\) under the form: \( \left (\begin {array}{cc} A_{1} & A_{2} \\ A_{3} & A_{4} \end {array} \right ) \) where each \(A_{i} \in \mathcal M (n\times n, \mathbb F_{2})\). We also set \(C = [C_{1}, C_{2}]\) where \(C_{i} \in \{0, 1\}^{n}\).

Perfect pairwise decorrelation of affine permutations

In [18, 19], Vaudenay showed how to construct perfect pairwise decorrelated ciphers on a field structure \(\mathcal {F}\) by \(F(M) = K_{1} + K_{2}M\) where \((K_{1}, K_{2}) \in \mathcal {F}\times \mathcal {F}^{*}\). When the functions are defined on \(\{0, 1\}^{2n}\), the operations are taken over \(GF(2^{2n})\). We can also consider \(GF(2^{2n})\) as a vector space over \(\{0, 1\}\). The function \(M \mapsto K_{2}M\) is linear and can be represented by a matrix. If we want to express this matrix in the canonical basis, the coordinates of \(K_{2}\) are on the first column of the matrix. In this paper, we consider that any invertible matrix can be used as the linear part of the affine permutation we are using. We still have perfect pairwise decorrelation: for any \(M, M^{\prime }\) such that \(M \neq M^{\prime }\) the random variable \((\varphi (M), \varphi (M^{\prime }))\) is uniformly distributed among all the pairs \((Y, Y^{\prime })\) such that \(Y \neq Y^{\prime }\).

Notation for A-Feistel schemes

  1. \(\Psi ^{d} \circ \varphi\)

    $$[L,R] \overset{\varphi}{\longrightarrow}[P,Q] \overset{\Psi(f_{1})}{\longrightarrow}[Q,X^{1}] \overset{\Psi(f_{2})}{\longrightarrow}[X^{1},X^{2}]\dots $$
    $$\overset{\Psi(f_{d-1})}{\longrightarrow}[X^{d-2},X^{d-1}] \overset{\Psi(f_{d})}{\longrightarrow}[S,T] $$

    Thus we have introduced internal variables: \(P = A_{1} {\cdot } L \oplus A_{2} {\cdot } R \oplus C_{1}\), \(Q = A_{3} {\cdot } L \oplus A_{4} {\cdot } R \oplus C_{2}\), \(X^{1} = P \oplus f_{1}(Q)\), \(X^{2} = Q \oplus f_{2}(X^{1})\) and for \(j \geq 3\), \(X^{j} = X^{j-2} \oplus f_{j}(X^{j-1})\).

  2. \(\varphi \circ \Psi ^{d}\)

    $$[L,R] \overset{\Psi (f_{1})}{\longrightarrow}[R,X^{1}] \overset{\Psi(f_{2})}{\longrightarrow}[X^{1},X^{2}]\dots $$
    $$\overset{\Psi(f_{d-1})}{\longrightarrow}[X^{d-2},X^{d-1}] \overset{\Psi(f_{d})}{\longrightarrow} [X^{d-1},X^{d}]\overset{\varphi}{\longrightarrow}[S,T] $$

    The internal variables are: \(X^{1} =L \oplus f_{1} (R)\), \(X^{2}= R \oplus f_{2} (X^{1})\) and for j ≥ 3, \(X^{j}= X^{j-2} \oplus f_{j} (X^{j-1})\). Since we apply φ at the end, we have: \(S= A_{1}{\cdot } X^{d-1} \oplus A_{2} {\cdot } X^{d}\oplus C_{1}\), \(T= A_{3} {\cdot } X^{d-1} \oplus A_{4} {\cdot } X^{d} \oplus C_{2}\).

  3. \(\Psi ^{d_{2}} \circ \varphi \circ \Psi ^{d_{1}}\) with \(d_{1} + d_{2} = d\)

    $$[L,R] \overset{\Psi (f_{1})}{\longrightarrow}[R,X^{1}] \overset{\Psi(f_{2})}{\longrightarrow}[X^{1},X^{2}]\dots \overset{\Psi(f_{d_{1}})}{\longrightarrow}[X^{d_{1}-1},X^{d_{1}}] $$
    $$\overset{\varphi}{\longrightarrow}[P,Q] \overset{\Psi(f_{d_{1}+1})}{\longrightarrow}[Q,X^{d_{1} +1}] \overset{\Psi(f_{d_{1} +2})}{\longrightarrow} [X^{d_{1} +1},X^{d_{1} +2}] {\dots} \overset{\Psi (f_{d_{1}+d_{2}})}{\longrightarrow}[S,T] $$

    The internal variables are: \(X^{1} = L \oplus f_{1}(R)\), \(X^{2} = R \oplus f_{2}(X^{1})\) and for \(3 \leq j \leq d_{1}\), \(X^{j} = X^{j-2} \oplus f_{j}(X^{j-1})\), \(P= A_{1} {\cdot } X^{d_{1}-1} \oplus A_{2} {\cdot } X^{d_{1}}\oplus C_{1}\), \(Q= A_{3} {\cdot } X^{d_{1}-1} \oplus A_{4} {\cdot } X^{d_{1}} \oplus C_{2}\), \(X^{d_{1}+1}= P \oplus f_{d_{1} +1} (Q)\), \(X^{d_{1} +2}= Q \oplus f_{d_{1} +2} (X^{d_{1} +1})\). For \(d_{1} +3 \leq j \leq d_{1}+d_{2}, \; X^{j}= X^{j-2} \oplus f_{j} (X^{j-1})\).

  4. \(\varphi ^{\prime } \circ \Psi ^{d} \circ \varphi\)

    $$[L,R] \overset{\varphi }{\longrightarrow}[P,Q] \overset{\Psi(f_{1})}{\longrightarrow}[Q,X^{1}] \overset{\Psi(f_{2})}{\longrightarrow}[X^{1},X^{2}]\dots $$
    $$\overset{\Psi(f_{d-1})}{\longrightarrow}[X^{d-2},X^{d-1}] \overset{\Psi(f_{d})}{\longrightarrow}[X^{d-1},X^{d}]\overset{\varphi^{\prime}}{\longrightarrow}[S,T] $$

    With the internal variables: \(P = A_{1} {\cdot } L \oplus A_{2} {\cdot } R \oplus C_{1}\), \(Q = A_{3} {\cdot } L \oplus A_{4} {\cdot } R \oplus C_{2}\), \(X^{1} = P \oplus f_{1}(Q)\), \(X^{2} = Q \oplus f_{2}(X^{1})\) and for \(j \geq 3\), \(X^{j} = X^{j-2} \oplus f_{j}(X^{j-1})\). Finally \(S= A^{\prime }_{1} {\cdot } X^{d-1} \oplus A^{\prime }_{2} {\cdot } X^{d}\oplus C^{\prime }_{1}\), \(T= A^{\prime }_{3} {\cdot } X^{d-1} \oplus A^{\prime }_{4} {\cdot } X^{d} \oplus C^{\prime }_{2}\).

Overview of the attacks

We present attacks that allow us to distinguish a permutation computed by the scheme from a random permutation. Depending on the number of rounds, it is possible to find some relations between the input and output variables. These relations hold conditionally to equalities on some internal variables due to the structure of the Feistel scheme.

Our attacks consist in using plaintext/ciphertexts 4-tuples and in counting the number \({\mathcal N}\) of these 4-tuples that satisfy the relations between the input and output variables. We then compare \({\mathcal N}_{scheme}\), the number of such 4-tuples we obtain with an A-Feistel scheme, with \({\mathcal N}_{perm}\), the corresponding number for a random permutation. The attack is successful, i.e. we are able to distinguish a permutation generated by an A-Feistel scheme from a random permutation, if the difference \(| \mathbb {E}({\mathcal N}_{scheme})- \mathbb {E}({\mathcal N}_{perm})|\) is larger than both standard deviations \(\sigma ({\mathcal N}_{perm})\) and \(\sigma ({\mathcal N}_{scheme})\), where \( \mathbb {E}\) denotes the expectation.

Indeed, thanks to the Chebychev formula, which states that for any random variable X, and any α > 0, we have \(\mathbb {P}\left (\vert X-\mathbb {E}(X)\vert \geq \alpha \sigma (X)\right )\leq \frac {1}{\alpha ^{2}}\), it is then possible to construct a prediction interval for \({\mathcal N}_{scheme}\) for example, in which future computations will fall, with a good probability. This gives the number of messages needed for the attack. In order to compute \(\mathbb {E}\) and σ for a scheme and a random permutation, we need to take into account the fact that the structures obtained from the plaintext/ciphertext 4-tuples are not independent.

However, their mutual dependence is very small. To compute \(\sigma ({\mathcal N}_{perm})\) and \(\sigma ({\mathcal N}_{scheme})\), we will use this well-known formula (see [4], p.97), that we will call the “Covariance Formula”: if \(x_{1}, \ldots , x_{n}\) are random variables, then if \(V\) represents the variance, we have

$$V\left( \sum\limits_{i=1}^{n} x_{i}\right) =\sum\limits_{i=1}^{n} V(x_{i}) + 2\sum\limits_{i=1}^{n-1} \sum\limits_{j=i+1}^{n} \left[\mathbb{E}(x_{i}\,x_{j}) - \mathbb{E}(x_{i}) \mathbb{E}(x_{j}) \right] $$

Recently, a tool has been developed in order to compute expectations and variances for \({\mathcal N}_{perm}\). This is a computer program that makes it possible to avoid tedious computations. We will always use it throughout this paper. It is available at the following link: http://volte.u-cergy.fr/SitePerso/Articles/program.zip. This is also explained in [20].

3 A-Feistel schemes with one affine permutation

3.1 Preliminaries

Our attacks use 4-tuples of plaintext/ciphertexts. Suppose that we have 4 inputs \([L_{i}, R_{i}]\), \([L_{j}, R_{j}]\), \([L_{k}, R_{k}]\), \([L_{\ell }, R_{\ell }]\). The conditions on the inputs will be: \(L_{i} = L_{j}\), \(L_{k} = L_{\ell } \neq L_{i}\), \(R_{i} = R_{k}\), \(R_{j} = R_{\ell } \neq R_{i}\), see Fig. 1. The corresponding outputs are denoted by \([S_{i}, T_{i}]\), \([S_{j}, T_{j}]\), \([S_{k}, T_{k}]\), \([S_{\ell }, T_{\ell }]\). According to the construction of the scheme, we will set some conditions on the outputs.

Fig. 1 Equalities in L and R for the 4 inputs

As we have seen in the previous section, the affine permutation can be used as the first round, the last round, or any intermediate round. Notice that with an affine permutation, the two branches of the input are mixed, unlike with one round of a Feistel scheme where the right branch is only shifted. This will affect the choice of the conditions on the outputs.

When the affine permutation is used as the first or an intermediate round, the structure of the Feistel scheme will be dominant and the condition on the output will be: \(S_{i} \oplus S_{j} \oplus S_{k} \oplus S_{\ell } = 0\). When the affine permutation is used as the last round, it will be dominant and we will have 2 conditions on the outputs: \(S_{i} \oplus S_{j} \oplus S_{k} \oplus S_{\ell } = 0\) and \(T_{i} \oplus T_{j} \oplus T_{k} \oplus T_{\ell } = 0\).

3.2 One affine permutation and a Feistel scheme with one round

\(\Psi (f_{1}) \circ \varphi\): CPA-1 with 4 messages and KPA with \(2^{\frac {n}{2}}\) messages

Let \([L, R]\) denote the input. The output is denoted by \([S, T]\). After the affine permutation, the output is denoted by \([P, Q]\) where \(P = A_{1} {\cdot } L \oplus A_{2} {\cdot } R \oplus C_{1}\), and \(Q = A_{3} {\cdot } L \oplus A_{4} {\cdot } R \oplus C_{2}\). Then we apply a Feistel scheme and the output is given by \([S, T]\) where \(S = Q\) and \(T = X^{1} = P \oplus f_{1}(Q)\) where \(f_{1} \in _{R} F_{n}\). Here, we have: \(S = A_{3} {\cdot } L \oplus A_{4} {\cdot } R \oplus C_{2}\).

We first describe a CPA-1 with 4 messages. We choose \(L_{1}, L_{2}, R_{1}, R_{2}\) such that \(L_{1} \neq L_{2}\) and \(R_{1} \neq R_{2}\). Then we construct the four following messages: \([L_{1}, R_{1}]\), \([L_{1}, R_{2}]\), \([L_{2}, R_{1}]\) and \([L_{2}, R_{2}]\). Let us write \([S_{1},T_{1}]= \varphi [L_{1},R_{1}], [S^{\prime }_{1},T^{\prime }_{1}]= \varphi [L_{1},R_{2}]\), \([S_{2}, T_{2}] = \varphi [L_{2}, R_{2}]\) and \([S^{\prime }_{2},T^{\prime }_{2}]= \varphi [L_{2},R_{1}]\). With an A-Feistel scheme, the probability to obtain \(S_{1}\oplus S^{\prime }_{1} \oplus S_{2} \oplus S^{\prime }_{2}=0\) is equal to one. For a random permutation, the same probability is about \(\frac {1}{2^{n}}\). Thus we need 4 messages to distinguish a random permutation from a permutation of the form \(\Psi (f_{1}) \circ \varphi\).

We now give a KPA. If we have \(m\) messages, the number of \((i, j, k, \ell )\) such that \(L_{i} \oplus L_{j} \oplus L_{k} \oplus L_{\ell } = 0\) and \(R_{i} \oplus R_{j} \oplus R_{k} \oplus R_{\ell } = 0\) is about \(\frac {m^{4}}{2^{2n}}\). Thus, when \(m \simeq 2^{\frac {n}{2}}\), the probability to obtain a 4-tuple satisfying the above conditions is non-negligible. For such a 4-tuple, we check if \(S_{i} \oplus S_{j} \oplus S_{k} \oplus S_{\ell } = 0\). The probability is 1 for an A-Feistel scheme and \(\frac {1}{2^{n}}\) for a random permutation.

Remark 1

In this KPA, we can notice that the complexity in time is much bigger, because, in order to find such 4 messages, we have to consider all couples of messages \((i, j)\) with \(i < j\) and compute \(L_{i} \oplus L_{j}\), then look for collisions in this list. This is about \(\frac {m\times (m-1)}2\times m\ln m=O(m^{3}\ln m)=O(n2^{1.5n})\) operations.

\(\varphi \circ \Psi (f_{1})\): CPA-1 with 4 messages and KPA with \( (n+1)2^{\frac {n}{2}}\) messages

The CPA-1 is similar to the previous one except that the conditions on the outputs are \(S_{1}\oplus S^{\prime }_{1} \oplus S_{2} \oplus S^{\prime }_{2}=0\) and \(T_{1}\oplus T^{\prime }_{1} \oplus T_{2} \oplus T^{\prime }_{2}=0\), since \(\varphi\) is at the end of the structure. For the KPA, if we have \(2^{\frac {n}{3}}\) messages then, by the birthday paradox, we can find, with a good probability, a pair \([L_{i}, R_{i}]\), \([L_{j}, R_{j}]\) such that \(R_{i} = R_{j}\). Let \(d_{1} = L_{i} \oplus L_{j}\), \(d_{2} = S_{i} \oplus S_{j}\) and \(d_{3} = T_{i} \oplus T_{j}\). Then we have: \(d_{2} = A_{2}(d_{1})\) and \(d_{3} = A_{4}(d_{1})\). This gives \(2n\) (or a little less if \(A_{2}\) and \(A_{4}\) are not invertible) linear equations in the \(2n^{2}\) unknown coefficients of \(A_{2}\) and \(A_{4}\). If we have \(n2^{\frac {n}{2}}\) known plaintexts, we can expect to find \(n\) pairs with equal R-parts. This shows that we get enough linear equations to determine \(A_{2}\) and \(A_{4}\) completely. Then we can distinguish the permutation generated by the A-Feistel from a random permutation by taking one more pair with \(R_{i} = R_{j}\) and checking whether it satisfies the linear system given by the known \(A_{2}\) and \(A_{4}\). This provides a KPA with about \( (n+1)2^{\frac {n}{2}}\) messages.

3.3 One affine permutation and a Feistel scheme with two rounds

\(\Psi (f_{2}) \circ \Psi (f_{1}) \circ \varphi\): CPA-1 with \(2^{\frac {n}{2}}\) messages and KPA with \(2^{\frac {5n}{4}}\) messages

Here, the output is given by \([S, T]\) with \(S = X^{1} = P \oplus f_{1}(Q)\) and \(T = X^{2} = Q \oplus f_{2}(P \oplus f_{1}(Q))\) where \(f_{1}, f_{2} \in _{R} F_{n}\). Recall that \(P = A_{1} {\cdot } L \oplus A_{2} {\cdot } R \oplus C_{1}\), and \(Q = A_{3} {\cdot } L \oplus A_{4} {\cdot } R \oplus C_{2}\).

We first mount a CPA-1 with \(2^{\frac {n}{2}}\) messages. We take only 2 distinct values for \(L\): \(L_{1}\) and \(L_{2}\). Then, we choose \(m\) messages of the form \([L_{1}, R_{i}]\), \([L_{2}, R_{i}]\), \(1 \leq i \leq \frac {m}{2}\). We count the number \({\mathcal N}\) of \((R_{i}, R_{j})\) values, \(R_{i} \neq R_{j}\), such that with the 4 following messages, \(i : [L_{1}, R_{i}]\), \(i^{\prime } : [L_{2}, R_{i}]\), \(j : [L_{1}, R_{j}]\), \(j^{\prime } : [L_{2}, R_{j}]\), we have \(\displaystyle S_{i} \oplus S_{j} \oplus S_{i^{\prime }} \oplus S_{j^{\prime }}=0\). The number of such 4-tuples is about \(\frac {m^{2}}{4}\). Indeed, there are \(\frac {m}{2}\) possibilities for \(R_{i}\) and \(\left (\frac {m}{2}-1\right )\) possibilities for \(R_{j}\). Then the other inputs are fixed. This shows that \({\mathcal N}_{perm} \simeq \frac {m^{2}}{4\cdot 2^{n}}\).

We now explain the computation of the mean value for an A-Feistel scheme. We will use the following proposition whose proof is straightforward.

Proposition 1

Let \(i, j, k, \ell\) be four distinct indices. Suppose that \(L_{i} = L_{j}\), \(L_{k} = L_{\ell } \neq L_{i}\), \(R_{i} = R_{k}\) and \(R_{j} = R_{\ell } \neq R_{i}\) and we apply \(\varphi\). Then we have the following properties:

  • \(Q_{i} = Q_{j} \Leftrightarrow A_{4}(R_{i} \oplus R_{j}) = 0\). Thus if \(A_{4}\) is invertible, this condition will never be satisfied since \(R_{i} \neq R_{j}\). If \(A_{4}\) is not invertible, then the probability to have (2) is greater than \(\frac {1}{2^{n}}\). Indeed, it is easy to check that if \(\dim \ker (A_{4}) = t\) then the probability that \(R_{i} \oplus R_{j} \in \ker (A_{4})\) is \(\frac {2^{t}}{2^{n}}=\frac {1}{2^{n-t}}\geq \frac {1}{2^{n}}\).

  • \(Q_{i} = Q_{k} \Leftrightarrow A_{3}(L_{i} \oplus L_{k}) = 0\). Thus if \(A_{3}\) is invertible, this condition will never be satisfied since \(L_{i} \neq L_{k}\). Again, if \(A_{3}\) is not invertible the probability to have (3) is greater than \(\frac {1}{2^{n}}\).

  • Condition (4) is not related to conditions on the dimension of the kernels of either \(A_{3}\) or \(A_{4}\). Thus, this condition is satisfied with probability about \(\frac {1}{2^{n}}\).

We suppose that \(A_{3}\) and \(A_{4}\) are invertible. The other cases are quite similar. The conditions on the inputs imply that:

$$ P_{i} \oplus P_{j} \oplus P_{i^{\prime}} \oplus P_{j^{\prime}}=0 \; \text{and} \; Q_{i} \oplus Q_{j} \oplus Q_{i^{\prime}} \oplus Q_{j^{\prime}}=0 \tag{1}$$

Thus we get \(S_{i} \oplus S_{j} \oplus S_{i^{\prime }} \oplus S_{j^{\prime }}= f_{1} (Q_{i})\oplus f_{1} (Q_{j})\oplus f_{1} (Q_{i^{\prime }}) \oplus f_{1} (Q_{j^{\prime }})\). The equality (1) implies the following equivalences:

$$Q_{i} = Q_{j} \Leftrightarrow Q_{i^{\prime}}=Q_{j^{\prime}} \tag{2}$$
$$Q_{i} = Q_{i^{\prime}} \Leftrightarrow Q_{j}=Q_{j^{\prime}} \tag{3}$$
$$Q_{i} = Q_{j^{\prime}} \Leftrightarrow Q_{i^{\prime}}=Q_{j} \tag{4}$$

Thus if we have \(Q_{i} = Q_{j}\) or \(Q_{i}=Q_{i^{\prime }}\), or \(Q_{i} =Q_{j^{\prime }}\), we will obtain \(S_{i} \oplus S_{j} \oplus S_{i^{\prime }} \oplus S_{j^{\prime }}=0\). To obtain \(S_{i} \oplus S_{j} \oplus S_{i^{\prime }} \oplus S_{j^{\prime }}=0\), we have two possibilities:

  1. \(Q_{i} = Q_{j^{\prime }} \Leftrightarrow Q_{i^{\prime }}=Q_{j}\)

  2. \(Q_{i} \neq Q_{j^{\prime }} \Leftrightarrow Q_{i^{\prime }} \neq Q_{j}\) and \(S_{i} \oplus S_{j} \oplus S_{i^{\prime }} \oplus S_{j^{\prime }}=0\).

Then we obtain:

$$\mathbb{P}(S_{i} \oplus S_{j} \oplus S_{i^{\prime}} \oplus S_{j^{\prime}} =0) = \mathbb{P}(S_{i} \oplus S_{j} \oplus S_{i^{\prime}} \oplus S_{j^{\prime}} =0/ Q_{i} = Q_{j^{\prime}})\mathbb{P}(Q_{i} = Q_{j^{\prime}}) $$
$$+\mathbb{P}(S_{i} \oplus S_{j} \oplus S_{i^{\prime}} \oplus S_{j^{\prime}} =0/ Q_{i} \neq Q_{j^{\prime}})\mathbb{P}(Q_{i} \neq Q_{j^{\prime}}) $$

This shows that \(\mathcal {N}_{scheme} \simeq \frac {m^{2}}{4}\left (\frac {1}{2^{n}}+ \frac {1}{2^{n}} \left (1-\frac {1}{2^{n}}\right )\right )\). Thus \(\mathcal {N}_{scheme} \simeq \frac {m^{2}}{4}\left (\frac {2}{2^{n}}-\frac {1}{2^{2n}}\right )\) and \(\mathcal {N}_{scheme} \simeq \mathcal {N}_{perm}\). Then we will be able to distinguish when the probability to have \({\mathcal N}_{perm} \geq 1\) is non-negligible, i.e. when \(m \geq 2^{\frac {n}{2}}\). Note that we can also try another \([L_{1}, L_{2}]\); for each \([L_{1}, L_{2}]\) the probability of success of this attack is non-negligible. We have obtained a CPA-1 with \(m\simeq 2^{\frac {n}{2}}\) messages.
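The two CPA-1 distinguishers above, for \(\Psi (f_{1}) \circ \varphi\) and \(\Psi (f_{2}) \circ \Psi (f_{1}) \circ \varphi\), as an added Python simulation at n = 8 (not code from the paper). The bit-packing of [L, R], the helper names, and the choice to query all \(2^{n}\) values of R (more than \(2^{\frac {n}{2}}\), so the gap in \({\mathcal N}\) is visible at this small size) are assumptions of the example.

```python
import random
from collections import Counter


def rank_gf2(rows):
    """Rank over GF(2) of a matrix given as a list of row bitmasks."""
    pivots = {}  # leading-bit position -> reduced row
    for r in rows:
        while r:
            top = r.bit_length() - 1
            if top not in pivots:
                pivots[top] = r
                break
            r ^= pivots[top]
    return len(pivots)


def random_affine(bits, rng):
    """Random affine permutation M -> A.M xor C on bits-bit strings, A invertible."""
    while True:
        rows = [rng.getrandbits(bits) for _ in range(bits)]
        if rank_gf2(rows) == bits:
            break
    c = rng.getrandbits(bits)

    def phi(m):
        out = 0
        for row in rows:  # one output bit per row of A
            out = (out << 1) | (bin(row & m).count("1") & 1)
        return out ^ c

    return phi


def a_feistel(n, d, rng):
    """Psi^d o phi: affine permutation first, then d Feistel rounds (random tables)."""
    phi = random_affine(2 * n, rng)
    fs = [[rng.getrandbits(n) for _ in range(1 << n)] for _ in range(d)]
    mask = (1 << n) - 1

    def enc(l, r):
        m = phi((l << n) | r)          # [L, R] packed with L in the high n bits
        l, r = m >> n, m & mask        # [P, Q]
        for f in fs:
            l, r = r, l ^ f[r]         # Psi(f)[L, R] = [R, L xor f(R)]
        return l, r                    # [S, T]

    return enc


def random_permutation(n, rng):
    """Uniformly random permutation of {0,1}^{2n}, same interface as a_feistel."""
    table = list(range(1 << (2 * n)))
    rng.shuffle(table)
    mask = (1 << n) - 1

    def enc(l, r):
        y = table[(l << n) | r]
        return y >> n, y & mask

    return enc


def four_xor_is_zero(enc, l1, l2, r1, r2):
    """4-message test: S1 xor S1' xor S2 xor S2' = 0 on [L1,R1],[L1,R2],[L2,R2],[L2,R1]."""
    acc = 0
    for l, r in ((l1, r1), (l1, r2), (l2, r2), (l2, r1)):
        acc ^= enc(l, r)[0]
    return acc == 0


def count_n(enc, n, l1, l2):
    """Number N of ordered (R_i, R_j), R_i != R_j, with S_i^S_j^S_i'^S_j' = 0.

    The condition is equivalent to S_i ^ S_i' == S_j ^ S_j', so collisions are
    counted on the per-R difference instead of enumerating all pairs.
    """
    diffs = Counter(enc(l1, r)[0] ^ enc(l2, r)[0] for r in range(1 << n))
    return sum(c * (c - 1) for c in diffs.values())


def demo(seed=1, n=8):
    rng = random.Random(seed)
    # One round after phi: the relation must hold for every choice of inputs.
    one_round = a_feistel(n, 1, rng)
    always_zero = True
    for _ in range(200):
        l1, l2 = rng.sample(range(1 << n), 2)   # L1 != L2
        r1, r2 = rng.sample(range(1 << n), 2)   # R1 != R2
        always_zero &= four_xor_is_zero(one_round, l1, l2, r1, r2)
    # Two rounds after phi: compare N for the scheme and for a random permutation.
    n_scheme = count_n(a_feistel(n, 2, rng), n, 0, 1)
    n_perm = count_n(random_permutation(n, rng), n, 0, 1)
    return always_zero, n_scheme, n_perm


if __name__ == "__main__":
    print(demo())
```

With all \(2^{n}\) values of R queried, the internal collisions on Q alone contribute at least \(2^{n}\) ordered pairs to the scheme's count, on top of the pairs that satisfy the relation at random.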

Remark 2

We can explain this computation as follows: we consider that the condition \(S_{i} \oplus S_{j} \oplus S_{i^{\prime }} \oplus S_{j^{\prime }}=0\) appears at random or due to equalities that are satisfied by internal variables. In the sequel, we will not perform all the computations but the ideas are the same.

Remark 3

In [13], it is proved that for d = 2, there is security against all adaptive chosen plaintext attacks (CPA-2) when the number of queries is \(m\leq 2^{\frac {n}{2}}\). Since for d = 2, we have a CPA-1 with \(2^{\frac {n}{2}}\) messages, the bound is tight. In their scheme, the authors use first a pairwise independent permutation and then a Feistel Scheme with 2 rounds. As said before, an affine permutation is an example of a pairwise independent permutation.

The previous attack can be transformed into a KPA with complexity \(O(2^{\frac {5n}{4}})\): we count the number \({\mathcal N}\) of \((i, j, k, \ell )\) such that

$$\begin{array}{ccccc} \left\lbrace \begin{array}{l} L_{i} = L_{j}\\ L_{k} = L_{\ell} \neq L_{i}\end{array}\right. & \text{and}&\left\lbrace \begin{array}{l} R_{i} = R_{k}\\ R_{j} = R_{\ell} \neq R_{i} \end{array}\right. & \text{and} & S_{i} \oplus S_{j} \oplus S_{k} \oplus S_{\ell}=0\end{array} $$

Notice that there are \({m \choose 4} \times {4 \choose 2}\) possibilities to obtain two distinct couples of pairs \((i, j), (k, \ell )\) with \(m\) indices. Thus, we have \({\mathcal N}_{perm} \simeq \frac {m^{4}}{4 \cdot 2^{5n}}\) and \({\mathcal N}_{scheme} \simeq \frac {m^{4}}{2 \cdot 2^{5n}}\) for an A-Feistel permutation. Therefore, this KPA succeeds when \(m \geq 2^{\frac {5n}{4}}\).

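\(\varphi \circ \Psi (f_{2}) \circ \Psi (f_{1})\): CPA-1 with \(2^{\frac {n}{2}}\) messages and KPA with \(2^{\frac {5n}{4}}\) messages

Here, after one round the output is \([R, L \oplus f_{1}(R)]\). Let \(X^{1} = L \oplus f_{1}(R)\). After the second round of a Feistel scheme, the output is \([X^{1}, X^{2}]\) where \(X^{2} = R \oplus f_{2}(X^{1})\). Then, after the affine permutation, we obtain \(S = A_{1} {\cdot } X^{1} \oplus A_{2} {\cdot } X^{2} \oplus C_{1}\) and \(T = A_{3} {\cdot } X^{1} \oplus A_{4} {\cdot } X^{2} \oplus C_{2}\).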

We first describe a CPA-1 with \(2^{\frac {n}{2}}\) messages. The inputs are chosen as in the previous attack, but since φ is at the end of the structure, the conditions on the outputs are: \( S_{i} \oplus S_{j} \oplus S_{i^{\prime }} \oplus S_{j^{\prime }}=0\) and \( T_{i} \oplus T_{j} \oplus T_{i^{\prime }} \oplus T_{j^{\prime }}=0\). With an A-Feistel scheme, the conditions on the inputs imply that \({X^{1}_{i}} \oplus X^{1}_{i^{\prime }} \oplus {X^{1}_{j}} \oplus X^{1}_{j^{\prime }}=0\). If we impose for example \({X^{1}_{i}} =X^{1}_{j^{\prime }}\), then we will obtain \({X^{2}_{i}} \oplus X^{2}_{i^{\prime }} \oplus {X^{2}_{j}} \oplus X^{2}_{j^{\prime }}=0\) and the conditions on the outputs will be satisfied. The probability to have \({X^{1}_{i}} =X^{1}_{j^{\prime }}\) is about \(\frac {1}{2^{n}}\). Notice that the conditions on the outputs may also happen at random and in that case the probability is about \(\frac {1}{2^{2n}}\). Thus \({\mathcal N}_{scheme} \simeq \frac {m^{2}}{4\cdot 2^{n}}+ O(\frac {m^{2}}{2^{2n}})\). For a random permutation, the probability to get \( S_{i} \oplus S_{j} \oplus S_{i^{\prime }} \oplus S_{j^{\prime }}=0\) and \( T_{i} \oplus T_{j} \oplus T_{i^{\prime }} \oplus T_{j^{\prime }}=0\) is about \(\frac {1}{2^{2n}}\) and we have \({\mathcal N}_{perm} \simeq \frac {m^{2}}{4 \cdot 2^{2n}}\). Thus with \(m \simeq 2^{\frac {n}{2}}\) messages, the attack succeeds and we can distinguish an A-Feistel scheme from a random permutation.

As usual, this CPA-1 can be transformed into a KPA with \(2^{\frac {5n}{4}}\) messages.

\(\Psi (f_{2}) \circ \varphi \circ \Psi (f_{1})\): CPA-1 with 4 messages and KPA with \(2^{\frac {n}{2}}\) messages

Let as usual \([L, R]\) denote the input. Then we have: \(S = Q = A_{3} {\cdot } R \oplus A_{4} {\cdot } (L \oplus f_{1}(R)) \oplus C_{2}\) and \(T = P \oplus f_{2}(Q)\) with \(P = A_{1} {\cdot } R \oplus A_{2} {\cdot } (L \oplus f_{1}(R)) \oplus C_{1}\).

We have the following CPA-1 with 4 messages. We choose 4 messages \([L_{1}, R_{1}]\), \([L_{1}, R_{2}]\), \([L_{2}, R_{1}]\), \([L_{2}, R_{2}]\) such that \(L_{1} \neq L_{2}\) and \(R_{1} \neq R_{2}\). Then again we check if \(S_{1} \oplus S^{\prime }_{1} \oplus S_{2} \oplus S^{\prime }_{2} =Q_{1} \oplus Q^{\prime }_{1} \oplus Q_{2} \oplus Q^{\prime }_{2} =0\).

Again, this CPA-1 can be transformed into a KPA with \(2^{\frac {n}{2}}\) messages.

3.4 One affine permutation and a Feistel scheme with three rounds

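\(\Psi (f_{3}) \circ \Psi (f_{2}) \circ \Psi (f_{1}) \circ \varphi\): KPA with \(2^{\frac {7n}{4}}\) messages and CPA-1 with \(2^{\frac {3n}{2}}\) messages

We have the following values: \([L, R] \rightarrow [P, Q] \rightarrow [Q, X^{1}] \rightarrow [X^{1}, X^{2}] \rightarrow [S, T]\). Here, the output is given by \([S, T]\) with \(S = X^{2} = Q \oplus f_{2}(X^{1})\) and \(T = X^{3} = X^{1} \oplus f_{3}(X^{2})\) where \(f_{1}, f_{2}, f_{3} \in _{R} F_{n}\). Recall that \(P = A_{1} {\cdot } L \oplus A_{2} {\cdot } R \oplus C_{1}\), \(Q = A_{3} {\cdot } L \oplus A_{4} {\cdot } R \oplus C_{2}\) and \(X^{1} = P \oplus f_{1}(Q)\).

We begin with a KPA. We want to count the number \({\mathcal N}\) of \((i, j, k, \ell )\) such that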

$$\begin{array}{ccccc} \left\lbrace \begin{array}{l} L_{i} = L_{j}\\ L_{k} = L_{\ell} \neq L_{i}\end{array}\right. & \text{and}&\left\lbrace \begin{array}{l} R_{i} = R_{k}\\ R_{j} = R_{\ell} \neq R_{i} \end{array}\right. & \text{and} & S_{i} \oplus S_{j} \oplus S_{k} \oplus S_{\ell}=0\end{array} $$

When we have a random permutation, the computations have been done with the computer program as explained in Section 2 and we have obtained \( \mathbb {E}(\mathcal {N}_{perm}) \simeq \frac {m^{4}}{4 \cdot 2^{5n}}\), \(\sigma (\mathcal {N}_{perm})= O\left (\frac {m^{2}}{2^{\frac {5n}{2}}}\right )\). With an A-Feistel scheme, these equalities may happen at random or because there are some conditions which can be satisfied by internal variables. For example, we may have the following conditions:

$$\begin{array}{ccccc} \left\lbrace \begin{array}{l} L_{i} = L_{j}\\ L_{k} = L_{\ell} \neq L_{i}\end{array}\right. & \text{and}&\left\lbrace \begin{array}{l} R_{i} = R_{k}\\ R_{j} = R_{\ell} \neq R_{i} \end{array}\right. & \text{and} & \left\lbrace \begin{array}{l} Q_{i} =Q_{\ell} \\ {X^{1}_{i}} = {X^{1}_{j}} \end{array}\right.\end{array} $$

Here we have condition (4) on the \(Q_{i}\) values. There are no conditions on the kernels. But we could also impose the other conditions since \(A_{3}\) and \(A_{4}\) are not invertible with a non-negligible probability. Moreover, when we have \(Q_{i} = Q_{\ell }\), it is also possible to have \({X^{1}_{i}} = {X^{1}_{k}}\). We may also have no condition on the \(Q_{i}\) values and 2 conditions on the \({X^{1}_{i}}\) values (for example \({X^{1}_{i}} = {X^{1}_{j}}\) and \({X^{1}_{k}} =X^{1}_{\ell }\)). Thus, using the computations performed in Section 5, we get \( \mathbb {E}(\mathcal {N}_{scheme}) \simeq \frac {m^{4}}{4 \cdot 2^{5n}} + \alpha \frac {m^{4}}{2^{6n}}\), where α depends on the properties of the kernels of \(A_{3}\) and \(A_{4}\) (2 ≤ α ≤ 9). We note here \( \mathbb {E}(\mathcal {N}_{scheme}) \simeq \frac {m^{4}}{4 \cdot 2^{5n}} + O\left (\frac {m^{4}}{2^{6n}}\right )\). As computed in Section 5, again \( \sigma (\mathcal {N}_{scheme})=O\left (\frac {m^{2}}{2^{\frac {5n}{2}}}\right )\). We can distinguish as soon as the difference of the mean values is greater than both standard deviations, i.e. \( \frac {m^{4}}{2^{6n}} \geq \frac {m^{2}}{2^{\frac {5n}{2}}}\). This means we must have \(m \simeq 2^{\frac {7n}{4}}\).

Then we transform the previous KPA into a CPA-1 as follows. We choose all the possible \([L, R]\) such that the first \(\frac {n}{2}\) bits of \(L\) are equal to 0. Therefore we have \(2^{\frac {n}{2}} \cdot 2^{n}= 2^{\frac {3n}{2}}\) possible inputs. We keep the same input and output conditions. Here \( \mathbb {E}(\mathcal N_{perm}) \simeq \frac {m^{4}}{4 \cdot 2^{4n}}\) and \(\sigma (\mathcal N_{perm}) =O(\frac {m^{2}}{2^{2n}})\) since each collision on \(L\) has probability about \(\frac {1}{2^{n/2}}\). The computation of the variance is similar to the computation done for the KPA. For an A-Feistel scheme, we get \( \mathbb {E}(\mathcal N_{scheme})\simeq \frac {m^{4}}{4 \cdot 2^{4n}}+ \alpha \frac {m^{4}}{4 \cdot 2^{5n}} \) and \(\sigma (\mathcal N_{scheme})= O\left (\frac {m^{2}}{2^{2n}}\right )\). This shows that we can distinguish a random permutation from an A-Feistel permutation as soon as \(\frac {m^{4}}{2^{5n}}\geq \frac {m^{2}}{2^{2n}}\). This gives a CPA-1 with \(2^{\frac {3n}{2}}\) messages.

Computer simulations

We have made computer simulations for this attack in the following way: for all values (or almost all values) of \(L\), and all values of \(R\), we compute \(S\), \(T\). Then for all \(i, j\) such that \(L_{i} = L_{j}\) and \(R_{i} < R_{j}\), we add to a list the 3-tuple \((S_{i} \oplus S_{j}, R_{i}, R_{j})\). Finally we count how many collisions we have in this list. These simulations confirm our theoretical results (see Table 1). Here \(\bar {\mathcal N}\) stands for the expectation for either a random permutation, or a \(\Psi ^{3} \circ \varphi\) permutation.

Table 1 Simulation results

\(\varphi \circ \Psi (f_{3}) \circ \Psi (f_{2}) \circ \Psi (f_{1})\): CPA-1 with \(2^{n}\) messages and KPA with \(2^{\frac {3n}{2}}\) messages

We have the following values: \([L, R] \rightarrow [R, X^{1}] \rightarrow [X^{1}, X^{2}] \rightarrow [X^{2}, X^{3}] \rightarrow [S, T]\) with \(X^{1} = L \oplus f_{1}(R)\), \(X^{2} = R \oplus f_{2}(X^{1})\), \(X^{3} = X^{1} \oplus f_{3}(X^{2})\), \(S = A_{1} {\cdot } X^{2} \oplus A_{2} {\cdot } X^{3} \oplus C_{1}\) and \(T = A_{3} {\cdot } X^{2} \oplus A_{4} {\cdot } X^{3} \oplus C_{2}\). Let us describe a CPA-1 with \(2^{n}\) messages. We take only 2 distinct values for \(L\): \(L_{1}\) and \(L_{2}\). Then, we choose \(m\) messages of the form \([L_{1}, R_{i}]\), \([L_{2}, R_{i}]\), \(1 \leq i \leq \frac {m}{2}\). We count the number \({\mathcal N}\) of \((R_{i}, R_{j})\) values, \(R_{i} \neq R_{j}\), such that with the 4 following messages, \(i : [L_{1}, R_{i}]\), \(i^{\prime } : [L_{2}, R_{i}]\), \(j : [L_{1}, R_{j}]\), \(j^{\prime } : [L_{2}, R_{j}]\), we have \( S_i \oplus S_j \oplus S_{i^{\prime }} \oplus S_{j^{\prime }}=0\) and \( T_i \oplus T_j \oplus T_{i^{\prime }} \oplus T_{j^{\prime }}=0\).

When we have an A-Feistel scheme, these two equalities may happen at random with probability about \(\frac {1}{2^{2n}}\). But we may also have equalities on the internal variables that will imply the equalities on the outputs.

The conditions on the inputs imply that \(X^1 _i \oplus X^1_{i^{\prime }} \oplus X^1 _j \oplus X^1 _{j^{\prime }}=0\). Moreover, some equalities between the X 1 values may be satisfied. For example, we may have \(X^1_i =X^1_j \Leftrightarrow X^1_{i^{\prime }}=X^1_{j^{\prime }}\) or \(X^1_i =X^1_{j^{\prime }} \Leftrightarrow X^1_{i^{\prime }} =X^1_j\) but we cannot have \(X^1_i=X^1_{i^{\prime }} \Leftrightarrow X^1_j=X^1_{j^{\prime }}\) because this will imply L 1 = L 2. Suppose that we have \(X^1_i =X^1_{j^{\prime }} \Leftrightarrow X^1_{i^{\prime }} =X^1_j\), which happens with probability about \(\frac {1}{2^n}\). Then we get \(X^2 _i \oplus X^2_{i^{\prime }} \oplus X^2 _j \oplus X^2 _{j^{\prime }}=0\). Again, some equalities on the X 2 values will imply \(X^3 _i \oplus X^3_{i^{\prime }} \oplus X^3 _j \oplus X^3_{j^{\prime }}=0\) and then the properties of the affine permutation will give the required conditions on the outputs.

We explain now the conditions on X 2. Suppose that we have \(X^1_i =X^1_{j^{\prime }} \Leftrightarrow X^1_{i^{\prime }} =X^1_j\). Then it is possible to impose \(X^2_i =X^2_{j} \Leftrightarrow X^2_{i^{\prime }} =X^1_{j^{\prime }}\) for example and again the probability that this condition is satisfied is about \(\frac {1}{2^n}\). Notice that we cannot impose \(X^2_i =X^2_{j^{\prime }}\) since this will imply R i = R j . With a random permutation, the conditions on the outputs will only appear at random.

Thus we get \({\mathcal N}_{perm} \simeq \frac {m^2}{4\cdot 2^{2n}}\) and \({\mathcal N}_{scheme} \simeq \frac {m^2}{2 \cdot 2^{2n}}\). This shows that when \(m \simeq 2^n\) we can distinguish a random permutation from a permutation produced by an A-Feistel scheme.

This CPA-1 can be transformed into a KPA with \(2^{\frac {3n}{2}}\) messages.
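The CPA-1 count described above, for three Feistel rounds followed by an affine permutation, can be reproduced at small block size. The simulation below is an added example, not code from the paper; the block size n = 4, the seed, the number of trials and all function names are assumptions made for the illustration.

```python
import random
from itertools import combinations


def random_function(n, rng):
    """Table of a uniformly random function {0,1}^n -> {0,1}^n."""
    return [rng.randrange(1 << n) for _ in range(1 << n)]


def random_invertible_rows(bits, rng):
    """Rows (as bitmasks) of a random invertible bits x bits matrix over GF(2)."""
    while True:
        rows = [rng.randrange(1 << bits) for _ in range(bits)]
        basis = []
        for r in rows:
            # Reduce r against the basis; min() clears each pivot bit if set.
            for b in basis:
                r = min(r, r ^ b)
            if r:
                basis.append(r)
        if len(basis) == bits:      # full rank, so the affine map is a permutation
            return rows


def a_feistel(n, rng):
    """Three Feistel rounds, then an affine permutation on 2n bits.

    The 2n x 2n matrix plays the role of the blocks A1..A4 and the
    constant the role of (C1, C2) in the page's notation.
    """
    f1, f2, f3 = (random_function(n, rng) for _ in range(3))
    rows = random_invertible_rows(2 * n, rng)
    const = rng.randrange(1 << (2 * n))

    def enc(L, R):
        x1 = L ^ f1[R]
        x2 = R ^ f2[x1]
        x3 = x1 ^ f3[x2]
        v = (x2 << n) | x3
        out = 0
        for pos, row in enumerate(rows):
            out |= (bin(row & v).count("1") & 1) << pos   # parity of row . v
        return out ^ const          # the 2n-bit word [S, T]

    return enc


def random_permutation(n, rng):
    """Uniformly random permutation of {0,1}^(2n), same calling convention."""
    table = list(range(1 << (2 * n)))
    rng.shuffle(table)
    return lambda L, R: table[(L << n) | R]


def count_four_point(enc, n, L1, L2):
    """Number N of pairs R_i != R_j whose four outputs XOR to zero on S and T.

    Messages: i=[L1,R_i], i'=[L2,R_i], j=[L1,R_j], j'=[L2,R_j]. The condition
    on both S and T holds exactly when the 2n-bit differences agree.
    """
    d = [enc(L1, R) ^ enc(L2, R) for R in range(1 << n)]
    return sum(1 for ri, rj in combinations(range(1 << n), 2) if d[ri] == d[rj])


def experiment(n=4, trials=200, seed=1):
    """Average N over fresh keys, for the scheme and for random permutations."""
    rng = random.Random(seed)
    scheme_total = perm_total = 0
    for _ in range(trials):
        L1, L2 = rng.sample(range(1 << n), 2)      # two distinct left halves
        scheme_total += count_four_point(a_feistel(n, rng), n, L1, L2)
        perm_total += count_four_point(random_permutation(n, rng), n, L1, L2)
    return scheme_total / trials, perm_total / trials


if __name__ == "__main__":
    scheme_avg, perm_avg = experiment()
    print(f"average N, A-Feistel scheme:   {scheme_avg:.2f}")
    print(f"average N, random permutation: {perm_avg:.2f}")
```

Each trial uses all \(2^n\) values of R with the two chosen left halves, i.e. \(m = 2 \cdot 2^n\) chosen plaintexts, and counts unordered pairs.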

\(\Psi(f_3) \circ \Psi(f_2) \circ \varphi \circ \Psi(f_1)\) or \(\Psi(f_3) \circ \varphi \circ \Psi(f_2) \circ \Psi(f_1)\): CPA-1 with \(2^{\frac {n}{2}}\) messages and KPA with \(2^{\frac {5n}{4}}\) messages

The attack is similar to the previous one, except that the condition on the output is \(S_i \oplus S_j \oplus S_k \oplus S_{\ell} = 0\). We obtain \( \mathbb {E}(\mathcal {N}_{perm}) \simeq \frac {m^2}{4 \cdot 2^{n}}\) and \( \mathbb {E}(\mathcal {N}_{scheme}) \simeq \frac {m^2}{2\cdot 2^{n}}\). Thus when \(m \simeq 2^{\frac {n}{2}}\), we can distinguish a random permutation from a permutation generated by an A-Feistel scheme. This CPA-1 can be transformed easily into a KPA with \(2^{\frac {5n}{4}}\) messages.

3.5 One affine permutation and a Feistel scheme with four rounds

\(\Psi(f_4) \circ \Psi(f_3) \circ \Psi(f_2) \circ \Psi(f_1) \circ \varphi\): attacks on generators of permutations

Here we are going to attack generators of permutations and not only a single permutation. Thus we want to distinguish a generator of random permutations from a generator of A-Feistel permutations. We suppose that we have μ permutations. The values are given by: \([L, R] \rightarrow [P, Q] \rightarrow [Q, X^1] \rightarrow [X^1, X^2] \rightarrow [X^2, X^3] \rightarrow [S, T]\). After round 4, the output is given by [S, T] where \(S = X^3\) and \(T = X^4 = X^2 \oplus f_4(X^3)\). Recall that \(P = A_1 \cdot L \oplus A_2 \cdot R \oplus C_1\), \(Q = A_3 \cdot L \oplus A_4 \cdot R \oplus C_2\), \(X^1 = P \oplus f_1(Q)\), \(X^2 = Q \oplus f_2(X^1)\) and \(X^3 = X^1 \oplus f_3(X^2)\). Again, we want to count the number \({\mathcal N}\) of \((i, j, k, \ell)\) such that

$$\begin{array}{ccccc} \left\lbrace \begin{array}{l} L_{i} = L_{j}\\ L_{k} = L_{\ell} \neq L_{i}\\\end{array}\right. & \text{and}&\left\lbrace \begin{array}{l} R_{i} = R_{k}\\ R_{j} = R_{\ell} \neq R_{i} \\ \end{array}\right. & \text{and} & S_{i} \oplus S_{j} \oplus S_{k} \oplus S_{\ell}=0\end{array} $$

When we have μ random permutations, \( \mathbb {E}(\mathcal {N}_{perm}) \simeq \mu \frac {m^4}{4\cdot 2^{5n}}\) and \(\sigma (\mathcal {N}_{perm}) = O\left (\sqrt \mu \frac {m^2}{2^{\frac {5n}{2}}}\right )\). With an A-Feistel scheme, these equalities may happen at random or because there are some conditions which can be satisfied by internal variables. For example, we may have (other conditions are possible):

$$\begin{array}{ccccc} \left\lbrace \begin{array}{l} L_{i} = L_{j}\\ L_{k} = L_{\ell} \neq L_{i}\\\end{array}\right. & \text{and}&\left\lbrace \begin{array}{l} R_{i} = R_{k}\\ R_{j} = R_{\ell} \neq R_{i} \\ \end{array}\right. & \text{and} & \left\lbrace \begin{array}{l} Q_{i} =Q_{\ell} \\ {X^{1}_{i}} = {X^{1}_{j}} \\ {X^{2}_{i}} = {X^{2}_{k}}\\ \end{array}\right.\end{array} $$

For μ permutations produced by an A-Feistel scheme, we obtain \( \mathbb {E}(\mathcal {N}_{scheme}) \simeq \mu \frac {m^4}{2^{5n}} +O\left (\mu \frac {m^4}{2^{7n}}\right )\) and \(\sigma (\mathcal {N}_{scheme}) = O\left (\sqrt \mu \frac {m^2}{2^{\frac {5n}{2}}}\right )\). We can distinguish when \(\mu \frac {m^4}{2^{7n}} \geq \sqrt \mu \frac {m^2}{2^{\frac {5n}{2}}}\). If we take the maximum number of messages (i.e. \(2^{2n}\)), we obtain \(\mu = 2^n\) and the number of needed computations is given by \(\lambda = \mu \cdot 2^{2n} = 2^{3n}\).

Remark 4

It is not possible to have the same kind of conditions on successive variables. For example, we choose \(Q_i = Q_{\ell}\) and then we have to change. If we impose again \(X^1_i =X^1_{\ell }\), then this will imply \(P_i = P_{\ell}\) and we obtain a contradiction since we have permutations and \([L_i, R_i] \neq [L_{\ell}, R_{\ell}]\).

\(\varphi \circ \Psi(f_4) \circ \Psi(f_3) \circ \Psi(f_2) \circ \Psi(f_1)\): KPA with \(2^{2n}\) messages

We have the following values:

$$[L,R]\longrightarrow [R,X^1] \longrightarrow [X^1,X^2] \longrightarrow [X^2,X^3] \longrightarrow [X^3,X^4] \longrightarrow [S,T] $$

with \(X^1 = L \oplus f_1(R)\), \(X^2 = R \oplus f_2(X^1)\), \(X^3 = X^1 \oplus f_3(X^2)\), \(X^4 = X^2 \oplus f_4(X^3)\), \(S = A_1 \cdot X^3 \oplus A_2 \cdot X^4 \oplus C_1\) and \(T = A_3 \cdot X^3 \oplus A_4 \cdot X^4 \oplus C_2\). We give here an attack which needs the maximal number of messages, i.e. \(2^{2n}\). We count the number \({\mathcal N}\) of \((i, j, k, \ell)\) such that

$$\begin{array}{ccccc} \left\lbrace \begin{array}{l} L_{i} = L_{j}\\ L_{k} = L_{\ell} \neq L_{i}\\\end{array}\right. & \text{and}&\left\lbrace \begin{array}{l} R_{i} = R_{k}\\ R_{j} = R_{\ell} \neq R_{i} \\ \end{array}\right. & \text{and} & \left\lbrace \begin{array}{l} S_{i} \oplus S_{j} \oplus S_{k} \oplus S_{\ell}=0\\ T_{i} \oplus T_{j} \oplus T_{k} \oplus T_{\ell}=0\\ \end{array}\right. \end{array} $$

Here we have \( \mathbb {E}(\mathcal {N}_{perm}) \simeq \frac {m^4}{4\cdot 2^{6n}}\), \(\sigma (\mathcal {N}_{perm}) = O\left (\frac {m^2}{2^{3n}}\right )\) and \( \mathbb {E}(\mathcal {N}_{scheme}) \simeq \frac {m^4}{4\cdot 2^{6n}} + O\left (\frac {m^4}{2^{7n}}\right )\) and \(\sigma (\mathcal {N}_{scheme}) = O\left (\frac {m^2}{2^{3n}}\right )\). We can distinguish when \(\frac {m^4}{2^{7n}} \geq \frac {m^2}{2^{3n}}\). Thus the attack succeeds when \(m \simeq 2^{2n}\).

\(\Psi(f_4) \circ \Psi(f_3) \circ \Psi(f_2) \circ \varphi \circ \Psi(f_1)\) or \(\Psi(f_4) \circ \Psi(f_3) \circ \varphi \circ \Psi(f_2) \circ \Psi(f_1)\) or \(\Psi(f_4) \circ \varphi \circ \Psi(f_3) \circ \Psi(f_2) \circ \Psi(f_1)\): KPA with \(2^{\frac {7n}{4}}\) messages and CPA-1 with \(2^{\frac {3n}{2}}\) messages

We only give the sketch of the attacks for \(\Psi(f_4) \circ \Psi(f_3) \circ \Psi(f_2) \circ \varphi \circ \Psi(f_1)\). The other cases are quite similar. We can mount a KPA with \(2^{\frac {7n}{4}}\) messages as follows. We count the number \({\mathcal N}\) of \((i, j, k, \ell)\) such that

$$\begin{array}{ccccc} \left\lbrace \begin{array}{l} L_{i} = L_{j}\\ L_{k} = L_{\ell} \neq L_{i}\\\end{array}\right. & \text{and}&\left\lbrace \begin{array}{l} R_{i} = R_{k}\\ R_{j} = R_{\ell} \neq R_{i} \\ \end{array}\right. & \text{and} & S_{i} \oplus S_{j} \oplus S_{k} \oplus S_{\ell}=0\end{array} $$

When we have a random permutation, we obtain from the computer program that \( \mathbb {E}(\mathcal {N}_{perm}) \simeq \frac {m^4}{4\cdot 2^{5n}}\) and \(\sigma (\mathcal {N}_{perm})= O\left (\frac {m^2}{2^{\frac {5n}{2}}}\right )\). With an A-Feistel scheme, these equalities may happen at random or because there are some conditions which can be satisfied by internal variables. For example, we may have the following conditions:

$$\begin{array}{ccccc} \left\lbrace \begin{array}{l} L_{i} = L_{j}\\ L_{k} = L_{\ell} \neq L_{i}\\\end{array}\right. & \text{and}&\left\lbrace \begin{array}{l} R_{i} = R_{k}\\ R_{j} = R_{\ell} \neq R_{i} \\ \end{array}\right. & \text{and} & \left\lbrace \begin{array}{l} Q_{i} =Q_{\ell} \\ {X^{2}_{i}} = {X^{2}_{j}} \\ \end{array}\right.\end{array} $$

Thus, using computations similar to those performed in Section 5, we get \( \mathbb {E}(\mathcal {N}_{scheme}) \simeq \frac {m^4}{4\cdot 2^{5n}} + O\left (\frac {m^4}{2^{6n}}\right )\) and \(\sigma (\mathcal {N}_{scheme})= O\left (\frac {m^2}{2^{\frac {5n}{2}}}\right )\). We can distinguish as soon as the difference of the mean values is greater than both standard deviations, i.e. \( \frac {m^4}{2^{6n}} \geq \frac {m^2}{2^{\frac {5n}{2}}}\). This means we must have \(m \simeq 2^{\frac {7n}{4}}\). We now transform this KPA into a CPA-1. We choose all the possible [L, R] such that the first \(\frac {n}{2}\) bits of L are equal to 0. Therefore we have \(2^{\frac {n}{2}}\cdot 2^n= 2^{\frac {3n}{2}}\) possible inputs. We keep the same input and output conditions. Here \( \mathbb {E}(\mathcal N_{perm}) \simeq \frac {m^4}{4 \cdot 2^{4n}}\) and \(\sigma (\mathcal N_{perm}) =O\left (\frac {m^2}{2^{2n}}\right )\) since each collision on L has probability about \(\frac {1}{2^{n/2}}\). The computation of the variance is similar to the computation done for the KPA. For an A-Feistel scheme, we get \( \mathbb {E}(\mathcal N_{scheme})\simeq \frac {m^4}{4 \cdot 2^{4n}}+ O\left (\frac {m^4}{4 \cdot 2^{5n}}\right )\) and \(\sigma (\mathcal N_{scheme})= O\left (\frac {m^2}{2^{2n}}\right )\). This shows that we can distinguish a random permutation from an A-Feistel permutation as soon as \(\frac {m^4}{2^{5n}}\geq \frac {m^2}{2^{2n}}\). This gives a CPA-1 with \(2^{\frac {3n}{2}}\) messages.

3.6 Complexities of attacks on A-Feistel with one affine permutation

For the following rounds, we always have to add one more condition on the internal variables and we perform the same computations. We need to alternate the conditions on the indices. For d ≥ 5, the features of the attacks are summarized in Table 2.

Table 2 Attacks for d ≥ 5 with μ permutations

Then we have the following property:

$$Complexity (\Psi^{d} \circ \varphi)= 2^{n} Complexity (\varphi \circ \Psi^{d} ) = 2^{2n} Complexity (\Psi^{d_{2}} \circ \varphi \circ \Psi^{d_{1}}) $$

This comes from the fact that we have one more condition on the output of \(\varphi \circ \Psi^d\) compared with the output of \(\Psi^d \circ \varphi\) and that there is one more internal condition on \(\Psi^d \circ \varphi\) compared with \(\Psi ^{d_2} \circ \varphi \circ \Psi ^{d_1}\).

The complexities of our attacks are summarized in Table 3 (A-Feistel). We also mention the results for classical Feistel schemes \(\Psi^d\) [14]. As said before we only give the results for KPA and CPA-1. By symmetry, we obtain the corresponding complexities of a KCA and CCA-1: for example the complexity of KPA on \(\Psi^3 \circ \varphi\) is the complexity of a KCA on \(\varphi \circ \Psi^3\) and so on. For d ≥ 5, we attack generators of permutations and not only a single permutation. Notice that for the same d, the scheme is stronger when the affine permutation is used as the first round. This comes from the fact that an affine permutation mixes the branches better than a Feistel scheme with one round.

Table 3 Complexities of attacks on A-Feistel with one affine permutation and on classical Feistel schemes \(\Psi^d\)

4 A-Feistel schemes with two affine permutations

This Section is devoted to attacks on schemes for which we have first an affine permutation, then a Feistel scheme with several rounds, and finally an affine permutation. The attacks are very similar to the ones in Section 3. We will give an example and provide the general results. We explain a CPA-1 and a KPA when we apply first an affine function φ, then a Feistel scheme with 2 rounds and we finish with an affine permutation φ′. We have the following values: \([L, R] \rightarrow [P, Q] \rightarrow [Q, X^1] \rightarrow [X^1, X^2] \rightarrow [S, T]\), with \(P = A_1 \cdot L \oplus A_2 \cdot R \oplus C_1\), \(Q = A_3 \cdot L \oplus A_4 \cdot R \oplus C_2\), \(X^1 = P \oplus f_1(Q)\), \(X^2 = Q \oplus f_2(X^1)\), \(S= A^{\prime }_1 {\cdot } X^1 \oplus A^{\prime }_2 {\cdot } X^2 \oplus C^{\prime }_1\), \(T= A^{\prime }_3 {\cdot } X^1 \oplus A^{\prime }_4 {\cdot } X^2 \oplus C^{\prime }_2\). For the CPA-1, we take only 2 distinct values for L: \(L_1\) and \(L_2\). Then, we choose m messages of the form \([L_1, R_i]\), \([L_2, R_i]\), \(1 \leq i \leq \frac {m}{2}\). We count the number \({\mathcal N}\) of \((R_i, R_j)\) values, \(R_i \neq R_j\), such that with the 4 following messages, \(i : [L_1, R_i]\), \(i^{\prime} : [L_2, R_i]\), \(j : [L_1, R_j]\), \(j^{\prime} : [L_2, R_j]\), we have \( S_i \oplus S_j \oplus S_{i^{\prime }} \oplus S_{j^{\prime }}=0\) and \( T_i \oplus T_j \oplus T_{i^{\prime }} \oplus T_{j^{\prime }}=0\). Then, we obtain: \( \mathbb {E}(\mathcal N_{perm})\simeq \frac {m^2}{4 \cdot 2^{2n}}\) and \( \mathbb {E}(\mathcal N_{scheme})\simeq \frac {m^2}{2 \cdot 2^{2n}}\). This shows that it is possible to distinguish a random permutation from a permutation produced by an A-Feistel scheme with 2 affine permutations when \(m \simeq 2^n\). As usual, this CPA-1 can be transformed into a KPA with \(m \simeq 2^{\frac {3n}{2}}\). The results of our attacks (CPA-1 and KPA) are given in Table 4. By symmetry, we also get the results for KCA and CCA-1. For d ≥ 4, we give the complexity of the attacks on generators of permutations and on a single permutation.

Table 4 Complexities of attacks on A-Feistel with two affine permutations

Remark 5

Another possibility would be to alternate affine permutation and Feistel scheme with one round. This does not secure the scheme. Indeed, the diffusion is too slow. For example, we get the same complexities for \(\Psi^3 \circ \varphi\) and \(\Psi^1 \circ \varphi \circ \Psi^1 \circ \varphi \circ \Psi^1 \circ \varphi\). We have the same complexities for \(\varphi^{\prime} \circ \Psi^2 \circ \varphi\) and \(\varphi \circ \Psi^1 \circ \varphi \circ \Psi^1 \circ \varphi\) as well.

5 Computation of the mean value and the variance for a \(\Psi^3 \circ \varphi\) permutation

Here we compute the mean value and the standard deviation for a \(\Psi^3 \circ \varphi\) permutation. With an A-Feistel scheme, the equalities that we want to be satisfied may happen at random or because there are some conditions which are verified by the internal variables. We consider a KPA such that:

$$\begin{array}{ccccc} \left\lbrace \begin{array}{l} L_{i} = L_{j}\\ L_{k} = L_{\ell} \neq L_{i}\\\end{array}\right. & \text{and}&\left\lbrace \begin{array}{l} R_{i} = R_{k}\\ R_{j} = R_{\ell} \neq R_{i}\\ \end{array}\right. & \text{and} & S_{i} \oplus S_{j} \oplus S_{k} \oplus S_{\ell}=0\end{array} $$

Let \(\delta_{ijk\ell}\) be the Bernoulli variable that is equal to 1 when the above conditions are satisfied and 0 otherwise. Then by using the symmetries of the conditions, we have: \(\mathcal {N}_{scheme}= \frac {m(m-1)(m-2)(m-3)}{4}\delta _{ijk\ell }\).

5.1 Computation of the mean value

Here we have \(S_i \oplus S_j \oplus S_k \oplus S_{\ell} = Q_i \oplus Q_j \oplus Q_k \oplus Q_{\ell} \oplus f_2(X^1_i) \oplus f_2(X^1_j) \oplus f_2(X^1_k) \oplus f_2(X^1_{\ell})\). Since \(Q_i \oplus Q_j \oplus Q_k \oplus Q_{\ell} = 0\) (by the conditions on the input variables), we get \(S_i \oplus S_j \oplus S_k \oplus S_{\ell} = 0 \Leftrightarrow f_2(X^1_i) \oplus f_2(X^1_j) \oplus f_2(X^1_k) \oplus f_2(X^1_{\ell}) = 0\) (∗). Thus this may happen at random, or due to conditions satisfied by internal variables.

\(A_3\) and \(A_4\) are invertible

As stated in Proposition 1, the conditions that may appear on the internal variables depend on the properties of the kernels of \(A_3\) and \(A_4\). Here we suppose that \(A_3\) and \(A_4\) are invertible. We want to have \(f_2(X^1_i) \oplus f_2(X^1_j) \oplus f_2(X^1_k) \oplus f_2(X^1_{\ell}) = 0\). In our attacks, we use the difference between the mean value obtained when we have a random permutation and the one obtained with a scheme. Thus we will compute the first terms of the mean value. We now look at the conditions on the internal variables that will imply (∗):

  1. Equalities on the Q variables. Since \(A_3\) and \(A_4\) are invertible, the only possibility is \(Q_i = Q_{\ell} \Leftrightarrow Q_j = Q_k\). This happens with probability \(\frac {1}{2^n}\). This implies \(X^1_i \oplus X^1 _j \oplus X^1_k \oplus X^1_{\ell }= 0\). Then we may have \(X^1_i =X^1_j \Leftrightarrow X^1_k =X^1_{\ell }\). The probability is \(\frac {1}{2^n}\). It is also possible to have \(X^1_i =X^1_k \Leftrightarrow X^1_j= X^1_{\ell }\) but it is not possible to have \(X^1_i = X^1_{\ell }\) since this implies \(P_i = P_{\ell}\). Remember that \(Q_i = Q_{\ell}\) and we have an affine permutation. Then we multiply by the probability of \(Q_i = Q_{\ell}\). The probability in this case is \(\frac {2}{2^{2n}}\).

  2. We now suppose that \(Q_i \neq Q_{\ell} \Leftrightarrow Q_j \neq Q_k\). We want to have \(f_2(X^1_i) \oplus f_2(X^1_j) \oplus f_2(X^1_k) \oplus f_2(X^1_{\ell}) = 0\). Then we can get (∗) if we have \(X^1_i=X^1_j\) and \(X^1_k=X^1_{\ell }\) or \(X^1_i=X^1_k\) and \(X^1_j=X^1_{\ell }\) or \(X^1_i=X^1_{\ell }\) and \(X^1_j=X^1_k\). The probability in that case is given by \(3\times \left (1-\frac {1}{2^n}\right )\times \frac {1}{2^{2n}}\).

  3. We are not in the previous case and we have (∗). Here the probability is \(\left (1-\frac {2}{2^{2n}} - 3\left (1-\frac {1}{2^n}\right )\frac {1}{2^{2n}}\right )\frac {1}{2^n}= \frac {1}{2^n}-\frac {5}{2^{3n}}+\frac {3}{2^{4n}}\).

Thus the probability to get (∗) is \(\frac {1}{2^n}+ \frac {5}{2^{2n}}-\frac {8}{2^{3n}}+\frac {3}{2^{4n}}\). In order to compute the mean value, we have to consider the conditions on the inputs. The probability that the inputs satisfy the conditions is computed with the help of the computer program mentioned in Section 2 and is given by \(\frac {1}{2^{4n}}\left (1-\frac {2}{2^n}+\frac {13}{2^{2n}}-\frac {24}{2^{3n}}+ \frac {98}{2^{4n}}+O\left (\frac {1}{2^{5n}}\right )\right )\). Thus we get \(\mathbb {E}(\delta _{ijk\ell })= \frac {1}{2^{5n}}\left (1 +\frac {3}{2^n}-\frac {5}{2^{2n}}+O\left (\frac {1}{2^{3n}}\right )\right )\) and \(\mathbb {E}(\mathcal N_{scheme} )\simeq \frac {m(m-1)(m-2)(m-3)}{4\cdot 2^{5n}}\) \(\left (1 +\frac {3}{2^n}-\frac {5}{2^{2n}}+O\left (\frac {1}{2^{3n}}\right )\right )\).

\(A_3\) is invertible and \(A_4\) is not invertible

The case where \(A_3\) is not invertible and \(A_4\) is invertible is similar. If \(A_4\) is not invertible, we can have \(Q_i = Q_j\), since this is equivalent to having \(R_i \oplus R_j \in \ker(A_4)\), whose probability is about \(\frac {1}{2^{n-t}}\) where \(t = \dim(\ker(A_4))\). Moreover, when we have \(Q_i = Q_j\) then we get \(X^1_i \oplus X^1_j \oplus X^1_k \oplus X^1_{\ell }=0\) and we obtain (∗) by setting \(X^1_i=X^1_k\) or \(X^1_i=X^1_{\ell }\). The conditions on the inputs do not change. Here, we obtain \(\mathbb {E}(\delta _{ijk\ell })= \frac {1}{2^{5n}}\left (1 + \frac {2}{2^{n-t}}+\frac {3}{2^n}+O\left (\frac {1}{2^{2n-t}}\right )\right )\) and \(\mathbb {E}(\mathcal N_{scheme} )\simeq \frac {m(m-1)(m-2)(m-3)}{4\cdot 2^{5n}}\left (1 + \frac {2}{2^{n-t}}+\frac {3}{2^n}+O\left (\frac {1}{2^{2n-t}}\right )\right )\). In that case, the difference of the mean values (for a random permutation and for a scheme) is \( \frac {2}{2^{n-t}}\). Thus if t > 0 then the attack will be better than the attack in the case where \(A_3\) and \(A_4\) are invertible.

\(A_3\) and \(A_4\) are not invertible

Since \(A_3\) is not invertible, we can have \(Q_i = Q_k\). This is equivalent to \(L_i \oplus L_k \in \ker(A_3)\) and the probability is about \(\frac {1}{2^{n-t^{\prime }}}\) where \(t^{\prime} = \dim(\ker(A_3))\). We proceed as previously and we obtain \(\mathbb {E}(\delta _{ijk\ell })= \frac {1}{2^{5n}}\left (1 + \frac {2}{2^{n-t}}+ \frac {2}{2^{n-t^{\prime }}} +\frac {3}{2^n}+O\left (\frac {1}{2^{2n-\max (t^{\prime },t)}}\right )\right )\) and \(\mathbb {E}(\mathcal N_{scheme} )\simeq \frac {m(m-1)(m-2)(m-3)}{4\cdot 2^{5n}}\left (1 + \frac {2}{2^{n-t}} + \frac {2}{2^{n-t^{\prime }}}+\frac {3}{2^n}+O\left (\frac {1}{2^{2n-\max (t,t^{\prime })}}\right )\right )\). The difference of the mean values (for a random permutation and for a scheme) is \( \min \left (\frac {2}{2^{n-t}},\frac {2}{2^{n-t^{\prime }}}\right )\).

5.2 Computation of the variance

We will make use of the “Covariance Formula” given in Section 2.

\(A_3\) and \(A_4\) are invertible

Here \(\mathbb {E}(\delta _{ijk\ell }) \mathbb {E}(\delta _{pqrs})= \frac {1}{2^{10n}}\left (1+\frac {6}{2^n}-\frac {1}{2^{2n}} +O\left (\frac {1}{2^{3n}}\right )\right ) \). Now, in order to compute the variance, the main issue is to know the value of \(\mathbb {E}(\delta _{ijk\ell }\delta _{pqrs})\). Again, we have to consider several cases. Our aim is to show that the variance behaves like the mean value. For example, when in \(\{i, j, k, \ell, p, q, r, s\}\) we have 8 pairwise distinct values, we want the dominant term in the covariance part of the covariance formula \(\frac {m^4}{2^{5n}}\). This shows that we must not have terms in \(\frac {m^8}{2^{10n}}\) and in \(\frac {m^8}{2^{11n}}\). We have to look carefully on the first two terms of \(\mathbb {E}(\delta _{ijk\ell }\delta _{pqrs})-\mathbb {E}(\delta _{ijk\ell })\mathbb {E}(\delta _{pqrs})\).

Case 1.

In \(\{i, j, k, \ell, p, q, r, s\}\), there are 8 pairwise distinct values. We are looking for the terms in \(\frac {m^8}{2^{10n}}\) and in \(\frac {m^8}{2^{11n}}\) when computing \(\mathbb {E}(\delta _{ijk\ell }\delta _{pqrs})\). We still have the following conditions on the inputs:

$$\begin{array}{llll} L_{i}=L_{j}, & R_{i} =R_{k}, & L_{p}=L_{q} ,& R_{p}=R_{r} \\ L_{k}=L_{\ell} \neq L_{i}, & R_{j}=R_{\ell}\neq R_{i}, & L_{r}=L_{s} \neq L_{p} ,& R_{q}=R_{s} \neq R_{p}\\ \end{array} $$

Then we add

$$f_{2} \left( {X_{i}^{1}}\right) \oplus f_{2} \left( {X_{j}^{1}}\right) \oplus f_{2} \left( {X_{k}^{1}}\right) \oplus f_{2} \left( X_{\ell}^{1}\right) =0 \qquad (5) $$

$$f_{2} \left( {X_{p}^{1}}\right) \oplus f_{2} \left( {X_{q}^{1}}\right) \oplus f_{2} \left( {X_{r}^{1}}\right) \oplus f_{2} \left( {X_{s}^{1}}\right)=0 \qquad (6) $$

In order to get the first two terms of \(\mathbb {E}(\delta _{ijk\ell }\delta _{pqrs})\), we have to consider the following cases:

  1. (\(Q_i = Q_{\ell}\) and \(X^1_i=X^1_j\)) or (\(Q_i = Q_{\ell}\) and \(X^1_i=X^1_k\)) and there is no condition on the internal variables \(Q_p, Q_q, Q_r,Q_s,X^1_p,X^1 _q, X^1 _r, X^1 _s\) except (6). In that case, the probability is given by \(\frac {2}{2^{2n}}\left (1-\frac {5}{2^{2n}} -\frac {3}{2^{3n}}\right )\frac {1}{2^n}\). Since there is also a symmetry in \(i, j, k, \ell\) and \(p, q, r, s\), we obtain \(\frac {4}{2^{3n}}\left (1-\frac {5}{2^{2n}} -\frac {3}{2^{3n}}\right )\).

  2. Here we have \(Q_i \neq Q_{\ell}\), (\(X^1_i=X^1_j\) and \(X^1_k=X^1_{\ell }\)) or (\(X^1_i=X^1_k\) and \(X^1_j=X^1_{\ell }\)) or (\(X^1_i=X^1_{\ell }\) and \(X^1_j=X^1_k\)) and there is no condition on the internal variables \(Q_p, Q_q, Q_r,Q_s,X^1_p,X^1 _q, X^1 _r, X^1 _s\) except (6). Again there is also a symmetry in \(i, j, k, \ell\) and \(p, q, r, s\). The probability is \(\frac {6}{2^{3n}}\left (1-\frac {1}{2^n}\right )\left (1-\frac {5}{2^{2n}}-\frac {3}{2^{3n}}\right )\).

  3. We do not have any conditions on \(Q_i, Q_j, Q_k,Q_{\ell },X^1_i,X^1 _j, X^1 _k, X^1_{\ell }\) and \(Q_p, Q_q, Q_r,Q_s,X^1_p,X^1 _q, X^1 _r, X^1 _s\) but we have (5) and (6). In that case, the probability is \(\left (1- \frac {10}{2^{3n}}- \frac {50}{2^{5n}} +\frac {18}{2^{7n}}\right )^2\frac {1}{2^{2n}}\).

Thus the probability to get (5) and (6) is \(\frac {1}{2^{2n}}\left (1 +\frac {10}{2^n}-\frac {60}{2^{3n}}+O\left (\frac {1}{2^{4n}}\right )\right )\). In order to compute the mean value, we have to consider the conditions on the inputs. The probability on the inputs is obtained thanks to the computer program again and is given by

$$\frac{2^{2n}(2^{n} -1)^{2}(2^{n} -2)(2^{n} -3)(2^{2n} +3\times 2^{n} -6)}{2^{2n}(2^{2n} -1)(2^{2n} -2)(2^{2n} -3)(2^{2n} -4 )(2^{2n} -5)(2^{2n} -6)(2^{2n} -7)} $$

The computation gives: \(\frac {1}{2^{2n}}\left (1-\frac {4}{2^n}+\frac {18}{2^{2n}}- \frac {36}{2^{3n}}+O\left (\frac {1}{2^{4n}}\right )\right )\). Thus we get \(\mathbb {E}(\delta _{ijk\ell }\delta _{pqrs})=\) \(\frac {1}{2^{10n}}\left (1 +\frac {6}{2^n}-\frac {22}{2^{2n}}+O\left (\frac {1}{2^{3n}}\right )\right )\). In that case, the dominant term in \(\mathbb {E}(\delta _{ijk{\ell }}\delta _{pqrs}) - \mathbb {E}(\delta _{ijk{\ell }})\mathbb {E}(\delta _{pqrs})\) is in \(O\left (\frac {1}{2^{12n}}\right )\) and when \(m \simeq 2^{\frac {7n}{4}}\), we will have \(\frac {m^4}{2^{5n}}\simeq \frac {m^8}{2^{12n}}\). In that case, we have \(V(\delta _{ijk\ell })=O\left (\frac {1}{2^{5n}}\right )\).

Remark 6

There are other possibilities on the internal variables in order to get (5) and (6), but they involve too many equations and this is not useful since we are interested in finding the first two leading terms. For example, it is possible to have no conditions on \(Q_i, Q_j, Q_k, Q_{\ell}, Q_p, Q_q, Q_r, Q_s\), but \(X_i = X_j\), \(X_k = X_{\ell}\) and \(\left (X^1_i,X^1_j,X^1_k,X^1_{\ell }\right )=\left (X^1_p,X^1_q,X^1_r,X^1_s\right )\).

Case 2.

In \(\{i, j, k, \ell, p, q, r, s\}\), there are 7 pairwise distinct values. We may assume for example that i = p (there are 16 possibilities of equalities between the indices). We have the following relations:

$$\left\{ \begin{array}{lll} L_{i}=L_{j}=L_{q}, & R_{i}=R_{k}=R_{r}, &f_{2} \left( {X_{i}^{1}}\right) \oplus f_{2} \left( {X_{j}^{1}}\right) \oplus f_{2} \left( {X_{k}^{1}}\right) \oplus f_{2} \left( X_{\ell}^{1}\right) =0 \\ L_{k} = L_{\ell}\neq L_{i}, & R_{j}= R_{\ell}\neq R_{i}, & f_{2} \left( {X_{i}^{1}}\right) \oplus f_{2} \left( {X_{q}^{1}}\right) \oplus f_{2} \left( {X_{r}^{1}}\right) \oplus f_{2} \left( {X_{s}^{1}}\right)=0 \\ L_{r}=L_{s} \neq L_{i}, & R_{q}=R_{s} \neq R_{i}, & \\ \end{array} \right. $$

The number of inputs is given by \(2^{3n}(2^n - 1)^2(2^n - 2)\).

In that case, we just have to check that there is no term in \(\frac {1}{2^{10n}}\) in \(\mathbb {E}(\delta _{ijk{\ell }}\delta _{pqrs}) - \mathbb {E}(\delta _{ijk{\ell }})\mathbb {E}(\delta _{pqrs})\). This is the easy part of the computation, since the term in \(\frac {1}{2^{10n}}\) appears when there are no relations between the internal variables. Thus the dominant term in \(\mathbb {E}(\delta _{ijk{\ell }}\delta _{pqrs}) - \mathbb {E}(\delta _{ijk{\ell }})\mathbb {E}(\delta _{pqrs})\) is in \(O\left (\frac {1}{2^{11n}}\right )\) and \(V(\delta _{ijk\ell })=O\left (\frac {1}{2^{5n}}\right )\).

Case 3.

In \(\{i, j, k, \ell, p, q, r, s\}\), there are 6 pairwise distinct values. The dominant term in \(\mathbb {E}(\delta _{ijk{\ell }}\delta _{pqrs}) - \mathbb {E}(\delta _{ijk{\ell }})\mathbb {E}(\delta _{pqrs})\) is in \(O\left (\frac {1}{2^{6n}}\right )\).

Finally, from cases 1, 2 and 3, we have \(V(\mathcal N_{scheme})= O\left (\frac {m^4}{2^{5n}}\right )+ O\left (\frac {m^6}{2^{9n}}\right )\) and when \(m\leq 2^{\frac {7n}{4}}\), we have \(V(\mathcal N_{scheme}) =O\left (\frac {m^4}{2^{5n}}\right )\). Then the difference of the mean values will be greater than the standard deviations and again the attack succeeds.

Remark 7

The conditions on the inputs imply that it is not possible to have 5 distinct indices in \(\{i, j, k, \ell, p, q, r, s\}\).

\(A_3\) is invertible and \(A_4\) is not invertible

Here we are interested in obtaining the first three terms of \(\mathbb {E}(\delta _{ijk\ell }\delta _{pqrs})\), i.e. the terms in \(\frac {1}{2^{10n}}+ \frac {1}{2^{11n-t}} + \frac {1}{2^{11n}}\). We will show that the dominant term in \(\mathbb {E}(\delta _{ijk{\ell }}\delta _{pqrs}) - \mathbb {E}(\delta _{ijk{\ell }})\mathbb {E}(\delta _{pqrs})\) is in \(O\left (\frac {1}{2^{12n-2t}}\right )\). Thus if \(m\simeq 2^{\frac {7n-2t}{4}}\), we will get that the variance behaves like the mean value and the attack will succeed if the difference of the mean value is greater than both standard deviations. This will be the case if \(m= O(2^{\frac {7n-2t}{4}})\). In order to get this result, we proceed as in the case where \(A_3\) and \(A_4\) are invertible. When in \(\{i, j, k, \ell, p, q, r, s\}\) there are 8 pairwise distinct values, we study the conditions in the internal variables in order to get (5) and (6). Again we take into account the cases that do not involve too many equations. We consider the same possibilities as in the previous case. The probability to get (5) and (6) is \(\frac {1}{2^{2n}}\left (1 + \frac {4}{2^{n-t}}+\frac {10}{2^n}+O\left (\frac {1}{2^{2n-2t}}\right )\right )\). In order to compute the mean value, we have to consider the conditions on the inputs. We obtain \(\mathbb {E}(\delta _{ijk\ell }\delta _{pqrs})= \frac {1}{2^{10n}}\left (1 +\frac {4}{2^{n-t}}+\frac {6}{2^n}+O\left (\frac {1}{2^{2n-2t}}\right )\right )\). In that case, the dominant term in \(\mathbb {E}(\delta _{ijk{\ell }}\delta _{pqrs}) - \mathbb {E}(\delta _{ijk{\ell }})\mathbb {E}(\delta _{pqrs})\) is in \(O\left (\frac {1}{2^{12n-2t}}\right )\) when \(m \simeq 2^{\frac {7n-2t}{4}}\), and we will have \(\frac {m^4}{2^{5n}}\simeq \frac {m^8}{2^{12n-2t}}\). When in \(\{i, j, k, \ell, p, q, r, s\}\) there are 7 or 6 pairwise distinct values, the computations are similar. Finally, when \(m \simeq 2^{\frac {7n-2t}{4}}\), we obtain \(V(\mathcal {N}_{scheme})=O\left (\frac {m^4}{2^{5n}}\right )\). Then the difference of the mean values will be greater than the standard deviations and again the attack succeeds.

\(A_3\) and \(A_4\) are not invertible

The computations are very similar to those performed previously. We just have to add the possibility to get the equality \(Q_k = Q_{\ell}\). Then we obtain \(\mathbb {E}(\delta _{ijk\ell }\delta _{pqrs})= \frac {1}{2^{10n}}\left (1 +\frac {4}{2^{n-t}} +\frac {4}{2^{n-t^{\prime }}}+\frac {6}{2^n}+O\left (\min \left (\frac {1}{2^{2n-2t}},\frac {1}{2^{2n-2t^{\prime }}}\right )\right )\right )\). When \(m \simeq \min (2^{\frac {7n-2t}{4}}, 2^{\frac {7n-2t^{\prime }}{4}})\), the dominant term in the variance will be in \(\frac {m^4}{2^{5n}}\). Then the difference of the mean values will be greater than the standard deviations and again the attack succeeds.

6 Conclusion

In this paper, we provided 4-point attacks on A-Feistel schemes. Our results are given in Tables 2 and 3. With 4-point attacks, it is more difficult to attack A-Feistel schemes than classical Feistel schemes. Simulations of our attacks given in Table 1 (Section 3.4) confirm our theoretical analysis for the complexity of these attacks. The analysis of the attacks requires studying the standard deviations of random variables and using a computer program that gives exact values for expectations and standard deviations.