Keywords

1 Introduction

A block cipher is an important cryptographic primitive that is widely adopted in various secure communication protocols and security products. A block cipher is a pseudo-random permutation (PRP), i.e. it takes a key as input and provides distinct permutations that cannot be distinguished from a random permutation for distinct key inputs.

Designing an efficient block cipher is a long-term challenge in symmetric-key cryptography. One of the most popular approaches is to use the Feistel network, in which an n-bit state is divided into n / 2-bit halves denoted by \(a_i\) and \(b_i\), and the state is updated by iteratively applying the following two operations;

$$\begin{aligned} b_{i+1} \leftarrow a_i \oplus F_{K_i}(b_i), \qquad \qquad a_{i+1} \leftarrow b_i, \end{aligned}$$

where \(F_{K_i}\) is a keyed function taking a subkey \(K_i\) as input. The construction is known as the Luby-Rackoff construction. In this paper, we call it Feistel-F to make the name consistent with other constructions. The diagram of the construction is drawn in the left of Fig. 1. Luby and Rackoff [19] proved that when \(F_{K_i}\) is a pseudo-random function (PRF), 3-round and 4-round Feistel ciphers are PRPs up to \(O(2^{n/4})\) queries against chosen-plaintext attacks (CPAs) and chosen-ciphertext attacks (CCAs), respectively. Luby and Rackoff also showed the tightness of the number of rounds by demonstrating efficient attacks against 2 and 3 rounds in the corresponding attack models.

While the provable security bounds derived by Luby and Rackoff are attractive, using a PRF for \(F_{K_i}\) requires significant implementation costs, and this is often practically infeasible. To design a block cipher for practical usage, the subkey space is often limited to \(\{0,1\}^{n/2}\), and \(F_{K_i}(b_i)\) is defined as

$$\begin{aligned} b_{i+1} \leftarrow a_i \oplus F(K_i \oplus b_i), \qquad \qquad a_{i+1} \leftarrow b_i, \end{aligned}$$

where F is a public function. In this paper, we call this construction Feistel-KF. See the middle figure of Fig. 1. Feistel-KF includes a lot of practical designs, e.g. DES [20] and Camellia [1], where the function \(x\mapsto F(K_i\oplus x)\) is not a PRF, and generic attacks on this construction have been widely studied, e.g. impossible differential attacks [15], meet-in-the-middle attacks [10, 12], dissection attacks [5] and division property [24].

It is also possible to inject a subkey \(K_i \in \{0,1\}^{n/2}\) outside the F function as

$$\begin{aligned} b_{i+1} \leftarrow a_i \oplus F(b_i) \oplus K_i, \qquad \qquad a_{i+1} \leftarrow b_i. \end{aligned}$$

We call this construction Feistel-FK, which is illustrated on the right of Fig. 1. This construction provides implementation advantages and can be seen in several lightweight designs e.g. Piccolo [22], Simon [2] and Simeck [25].

Fig. 1.
figure 1

Our target constructions.

Full size image

The discussion so far is about the classical computation setting, while the security of symmetric-key schemes against quantum computers has become active recently. Owing to less mathematical structure in symmetric-key schemes than public-key schemes, there was a belief that simply doubling the key size in order to resist the exhaustive key search by Grover’s algorithm [9] is sufficient to protect symmetric-key schemes from quantum computers. However, Kuwakado and Morii [16] demonstrated that, by exploiting Simon’s algorithm [23], the Feistel ciphers can be distinguished from a random permutation only in polynomial-time of the output size under the assumption that the adversary can make quantum superposition queries. Since then, many polynomial-time attacks using Simon’s algorithm have been proposed e.g. key recovery against Even-Mansour construction [17], forgery on various CBC-like MACs [14], and cryptanalysis of AEZ [3]. Moreover, Leander and May [18] showed a clever method to combine Grover’s and Simon’s algorithms to recover the key against the FX construction. See also [21].

The attack model that adversaries can make quantum queries is worth investigating. This model is a natural extension of the classical attack models, and theoretically interesting. Any symmetric scheme broken in this model should not be implemented on a quantum computer. Moreover, the threat of this attack model becomes significant if an adversary has access to its white-box implementation. Because arbitrary classical circuit can be converted into quantum one, the adversary can construct a quantum circuit from the classical source code given by the white-box implementation.

There are several attacks on Feistel ciphers in the quantum setting. Besides the first work in [16], a meet-in-the-middle attack in the quantum setting was discussed in [11] and appending key-recovery rounds by applying the algorithm by Leander and May [18] was discussed in [7, 8, 11]. However, the following important issues have not been discussed by the previous work.

  • Security analysis of Feistel ciphers against chosen-ciphertext adversaries is missing. In the classical setting, the tight bound of the number of rounds is known for the Feistel-F construction, and clarifying the number of rounds that can be attacked in the quantum setting leads us a deeper understanding of the Feistel-F construction. Furthermore, the quantum setting assumes strong power of adversaries, hence considering CCAs is more reasonable. We note that there are results in a CCA setting on Feistel ciphers with a specific key scheduling function called 2 key- or 4 key-alternation Feistel ciphers and their variants [4, 6], however, we are considering more general constructions.

  • Discussion on practical constructions is missing. Although the Luby-Rackoff construction is a good object to study theoretical aspects of the Feistel ciphers, in general, it cannot be implemented efficiently in practice. Therefore, the analyses of practical constructions like Feistel-KF and Feistel-FK are needed. Again, we are interested in general constructions that do not rely on a specific key scheduling function.

Our Contributions. In this paper, we further investigate the security of the Feistel ciphers against quantum adversaries. In particular, we show CCA distinguishers that can distinguish more rounds than the previous CPA distinguishers. In addition, we extend the distinguishers to key recovery attacks for the practical constructions, i.e. Feistel-KF and Feistel-FK.

We start with several fundamental observations about Simon’s algorithm that detects a secret cycle-period in polynomial-time. The usage of Simon’s algorithm in the previous work can be classified into two types; the first type uses Simon’s algorithm for key recovery attacks, namely, the recovered secret cycle-period corresponds to the key of the construction such as [17] and [14], whereas the second type uses Simon’s algorithm for distinguishers, e.g. to distinguish the construction from an ideal one [16, 21] or to distinguish the right key guess from wrong key guesses [7, 8, 11, 18].

We observe that, for the second type, recovering the secret cycle-period is not necessary as long as a non-ideal behavior is detected. If we follow [14] to recover the secret cycle-period by using Simon’s algorithm, one has to derive the upper bound on the probability of a collision other than the period. However, there are cases where obtaining the upper bound is non-obvious, and it may be difficult to prove it in attacks on complicated constructions. This motivates us to relax the requirement of recovering the period in Simon’s algorithm. Technically, we focus on the property that the dimension of the space spanned by the vectors in Simon’s algorithm, instead of the exact period s. Namely, the dimension of the space is at most \(\ell -1\) if the target function has a period s, where \(\{0,1\}^{\ell }\) is the domain of the function evaluated by Simon’s algorithm. This modification eliminates the need to derive the upper bound on the probability of a collision other than the period s. Note that Santoli and Schaffner pointed out a similar observation [21], and we are dealing with a general class of block ciphers, and we also formalize a sufficient condition so that the distinguisher works.

We then apply the above observations to attack several Feistel ciphers. For the Feistel-F construction, we show that a cycle-period can be formed for 4 rounds in the CCA setting. This leads to a 4-round polynomial-time CCA distinguisher, which is 1-round longer than the CPA distinguisher by Kuwakado and Morii [16]. The attack is then extended to the practical constructions; Feistel-KF and Feistel-FK. For Feistel-KF, although the distinguisher is the same as the one for Feistel-F, we can now discuss the key recovery attack owing to the practical size of the secret key. We obtain 7-round key recovery attacks that recover 7n / 2-bit key with \(O(2^{3n/4})\) complexity. For Feistel-FK, the CCA distinguisher is extended to 6 rounds and we obtain 9-round key recovery attacks that recover 9n / 2-bit key with \(O(2^{3n/4})\) complexity. In addition, the CPA distinguisher is extended to 5 rounds and we obtain 8-round key recovery attacks that recover 8n / 2-bit key with \(O(2^{3n/4})\) complexity. A comparison of the number of attacked rounds is given in Table 1. Note that Table 1 focuses on attacks with complexity at most \(O(2^n)\), and it does not include attacks with higher complexities. Also, we consider only general constructions, so it does not include attacks against constructions with a particular key scheduling function such as [4, 6].

Table 1. Comparison of the number of attacked rounds in various settings. “Dist.” and “KR” denote distinguisher and key recovery attack, respectively. Superscript \(^P\) denotes that the attack complexity is only a polynomial of the function’s output size, while the others require exponential complexity.
Full size table

Paper Outline. This paper is organized as follows. Section 2 describes preliminaries. Section 3 introduces previous works. Section 4 explains the formalization of a distinguishing technique that relaxes Simon’s algorithm. Section 5 presents our CCA distinguisher against the 4-round Feistel-F constructions. The attack is then applied to chosen-ciphertext key-recovery attacks on Feistel-KF constructions in Sect. 6. Section 7 explains distinguishing and key-recovery attacks against Feistel-FK constructions in both CCA and CPA settings. We conclude the paper in Sect. 8.

2 Preliminaries

2.1 Notation

For a positive integer n, let \(\{0,1\}^n\) be the set of all n-bit strings. Let \(\mathrm {Perm}(n)\) be the set of all permutations on \(\{0,1\}^n\), and let \(\mathrm {Func}(n)\) be the set of all functions from \(\{0,1\}^n\) to \(\{0,1\}^n\). For bit strings a and b, \(a\parallel b\) denotes their concatenation. We also regard a and b as binary vectors, and let |a| be the dimension of the vector a. When \(|a|=|b|\), we denote their inner product as \(a\cdot b\). In this paper, e denotes Napier’s number. For a finite set \(\mathcal {X}\), we write \(X{\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathcal {X}\) for the process of sampling an element uniformly from \(\mathcal {X}\) and assigning the result to X.

2.2 Simon’s Algorithm

In this section, we describe Simon’s algorithm [23] that is used in our quantum algorithms. Throughout this paper, we assume that readers have basic knowledge about quantum computation. Simon’s algorithm can solve the following problem.

Problem 1

Given a function \(f:\{0,1\}^n\rightarrow \{0,1\}^n\), assume that there exists a period \(s\in \{0,1\}^n\backslash \{0^n\}\) such that for any distinct \(x,x'\in \{0,1\}^n\), it holds that \(f(x)=f(x')\Leftrightarrow x'=x\oplus s\). The goal is to find the period s.

We assume that Simon’s algorithm has access to the quantum oracle \(U_f\), which is defined as . We use the Hadamard transform \(H^{\otimes n}\) that is applied on n-qubit state and gives . Simon proposed a circuit \({\mathcal S}_f\) that computes vectors that are orthogonal to s by using the quantum oracle \(U_f\). \({\mathcal S}_f\) is described as \((H^{{}\otimes n}\otimes I_n)\cdot U_f\cdot (H^{{}\otimes n}\otimes I_n)\) and works as follows:

  1. 1.

    We first apply the Hadamard transform \(H^{\otimes n}\) on the first n qubits of 2n-qubit state to obtain the state .

  2. 2.

    Then, we apply the unitary operator \(U_f\) to obtain the state .

  3. 3.

    Finally, we apply the Hadamard transform \(H^{\otimes n}\) on the first n qubits to obtain the state

    (1)

As we assume that f satisfies \(f(x)=f(x')\Leftrightarrow x'=x\oplus s\), we have for each y and x. Therefore, Eq. (1) is described as

where V is a linear subspace of \(\{0,1\}^n\) of dimension \(n-1\) that partitions \(\{0,1\}^n\) into cosets V and \(V+s\). The vector y such that \(y\cdot s\equiv 1\pmod {2}\) will satisfy \((-1)^{x\cdot y}+(-1)^{(x\oplus s)\cdot y}=0\). Thus, we will obtain a random vector y such that \(y\cdot s\equiv 0\pmod {2}\) by measuring the first n qubits. By repeating this routine that obtains a random vector y for O(n) times, with a high probability, we obtain \(n-1\) linearly independent such vectors, and then the period s can be recovered by solving the system of linear equations.

We note that, in Simon’s algorithm, we assume that the function f has a period s. In latter sections, we will use the circuit \({\mathcal S}_f\) to a function f that may not have any period, or may have multiple periods.

2.3 Kaplan et al.’s Observation

To apply Simon’s algorithm, the function f has to satisfy \(f(x)=f(x')\Leftrightarrow x'=x\oplus s\). We call this property Simon’s promise. If f does not satisfy this property and has other collisions in addition to s, then there is no guarantee that Simon’s algorithm works. However, Kaplan et al. showed that Simon’s algorithm can find s even if f has partial periods, where the partial period is defined as \(t\ne s\) such that \(f(x)=f(x\oplus t) \) holds for some x [14].

More precisely, suppose that a function \(f:\{0,1\}^\ell \rightarrow \{0,1\}^m\) satisfies only the condition that \(f(x)=f(x')\Leftarrow x'=x\oplus s\) for any distinct \(x,x'\in \{0,1\}^\ell \). Since now the counter condition \(f(x)=f(x')\Rightarrow x'=x\oplus s\) does not always hold, there may exist partial periods of f. Intuitively, if there exist many partial periods \(t_1,t_2,\dots \) which are very close to complete periods (i.e., \(\Pr _x\left[ f(x)=f(x\oplus t_j)\right] \) is close to 1 for each j), then it becomes hard to recover s. To describe this intuition formally, Kaplan et al. introduced the parameter \(\epsilon (f,s)\) defined as

$$\begin{aligned} \epsilon (f,s)= \underset{t\in \{0,1\}^{\ell }\backslash \{0^\ell ,s\}}{\max } \Pr _x\left[ f(x)=f(x\oplus t)\right] . \end{aligned}$$
(2)

This shows the maximum probability of partial periods of f. Notice that if f is a constant function, then \(\epsilon (f,s)=1\) and s cannot be recovered. On the other hand, if f satisfies Simon’s promise, then \(\epsilon (f,s)=0\). The following theorem about the success probability of Kaplan et al.’s observation was proved.

Theorem 1

([14]). If \(\epsilon (f,s)\le p_0\) for some positive number \(p_0<1\), the probability that Simon’s algorithm returns s after \(c\ell \) queries is at least \(1-(2(\frac{1+p_0}{2})^c)^\ell \).

This theorem shows that we still obtain s with \(O(\ell )\) quantum queries and the complexity does not increase significantly.

3 Previous Works

3.1 Quantum Distinguisher Against the 3-Round Feistel Cipher

Here we review the distinguishing algorithm of the 3-round Feistel cipher by Kuwakado and Morii [16]. Kuwakado and Morii considered the case where \(F_{K_i}\) in Fig. 1 is a random permutation, and we write \(P_i\) for \(F_{K_i}\).

Let \(\mathrm {FP}_3\) denote the encryption algorithm of the 3-round Feistel cipher, where random permutations \(P_1,P_2,P_3{\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathrm {Perm}(n/2)\) are used as internal functions. \(\mathrm {FP}_3\) takes a plaintext \((a,b)\in (\{0,1\}^{n/2})^2\) as input and outputs a ciphertext \((c,d)\in (\{0,1\}^{n/2})^2\), where

$$\begin{aligned} c={}&b\oplus P_2(a\oplus P_1(b)),\\ d={}&a\oplus P_1(b) \oplus P_3(b\oplus P_2(a\oplus P_1(b))). \end{aligned}$$

Figure 2 illustrates \(\mathrm {FP}_3\).

Kuwakado and Morii considered the following problem.

Problem 2

Let \({\mathcal O}:\{0,1\}^n\rightarrow \{0,1\}^n\) be either \(\mathrm {FP}_3\) or a random permutation \(\varPi {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathrm {Perm}(n)\). Given access to the quantum oracle , where \(x,y\in \{0,1\}^{n}\), the goal is to distinguish the two cases.

Let \(\alpha _0,\alpha _1\in \{0,1\}^{n/2}\) be arbitrary distinct constants. For \(\beta \in \{0,1\}\) and \(x\in \{0,1\}^n\), Kuwakado and Morii used \((x, \alpha _\beta )\) as the plaintext (ab). When \({\mathcal O}\) is \(\mathrm {FP}_3\), the lower half c of the ciphertext is described as

$$\begin{aligned} c={}&\alpha _\beta \oplus P_2(x\oplus P_1(\alpha _\beta )). \end{aligned}$$

Figure 3 illustrates c. Then, we see that \(c\oplus \alpha _\beta = P_2(x\oplus P_1(\alpha _\beta ))\) holds, which is illustrated in Fig. 4. If we change the value of \(\beta \), i.e., if we let \(\beta \) to \(\beta \oplus 1\), we see that the input value of \(P_2\) remains the same value by changing x to \(x\oplus P_1(\alpha _0)\oplus P_1(\alpha _1)\). Thus, we can construct a function \(f^{\mathcal O}(\beta \parallel x)\) that has the period \(1\parallel P_1(\alpha _0)\oplus P_1(\alpha _1)\) by defining \(f^{\mathcal O}\) as

$$\begin{aligned} f^{\mathcal O}:\{0,1\}\times \{0,1\}^{n/2}&\rightarrow \{0,1\}^{n/2} \nonumber \\ (\beta \parallel x)&{} \mapsto c\oplus \alpha _{\beta },\quad \mathrm {where}~(c, d)=\mathcal {O}(x, \alpha _{\beta }). \end{aligned}$$
(3)
Fig. 2.
figure 2

The 3-round Feistel cipher with \(P_i{\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathrm {Perm}(n/2)\) being used as the internal function.

Full size image
Fig. 3.
figure 3

\(\mathrm {FP}_3(x, \alpha _\beta )\) and the lower half c of the ciphertext.

Full size image
Fig. 4.
figure 4

\(P_2(x\oplus P_1(\alpha _\beta ))\).

Full size image

Note that \(f^{\mathcal O}\) can also be evaluated in quantum superpositions. We can realize the unitary operator which makes O(1) quantum queries to \(U_{{\mathcal O}}\). If \({\mathcal O}\) is \(\mathrm {FP}_3\), then the function \(f^{\mathcal O}\) is described as

$$\begin{aligned} f^{\mathcal O}(\beta \parallel x)&{}=\alpha _\beta \oplus P_2(x\oplus P_1(\alpha _\beta )) \oplus \alpha _\beta \\&{}=P_2(x\oplus P_1(\alpha _\beta )), \end{aligned}$$

and the following lemma holds.

Lemma 1

If \(\mathcal O\) is \(\mathrm {FP}_3\), the function \(f^{\mathcal O}\) satisfies \(f^{\mathcal O}(\beta \parallel x)=f^{\mathcal O}(\beta '\parallel x')\Leftrightarrow \beta '\parallel x'=(\beta \parallel x)\oplus (1\parallel P_1(\alpha _0)\oplus P_1(\alpha _1))\) for any \(x, x'\in \{0,1\}^{n/2}\) such that \(x\ne x'\). That is, \(f^{\mathcal O}\) has the period \(s=1\parallel (P_1(\alpha _0)\oplus P_1(\alpha _1))\).

For completeness, a proof is presented in [13].

Lemma 1 guarantees that the function \(f^{\mathcal O}\) defined in Eq. (3) satisfies Simon’s promise if \(\mathcal O\) is \(\mathrm {FP}_3\), and we can recover the period s by applying Simon’s algorithm to \(f^{\mathcal O}\). Define a unitary operator \({\mathcal S}_{f^{\mathcal O}}\) by \({\mathcal S}_{f^{\mathcal O}} = (H^{{}\otimes n/2+1}\otimes I_{n/2})\cdot U_{f^{\mathcal O}}\cdot (H^{{}\otimes n/2+1}\otimes I_{n/2})\). The quantum distinguisher by Kuwakado and Morii works as follows.

  1. 1.

    Measure the first \(n/2+1\) qubits of to obtain the vector \(y\in \{0,1\}^{n/2+1}\).

  2. 2.

    Repeat Step 1 until we obtain n / 2 linearly independent vectors. If obtained, compute s by solving the system of linear equations.

  3. 3.

    Choose \(\beta \in \{0,1\}\) and \(z\in \{0,1\}^{n/2}\) randomly, and compute \(f^{\mathcal O}(\beta \parallel z)\) and \(f^{\mathcal O}((\beta \parallel z)\oplus s)\). If \(f^{\mathcal O}(\beta \parallel z)=f^{\mathcal O}((\beta \parallel z)\oplus s)\), then output “\({\mathcal O}\) is \(\mathrm {FP}_3\),” otherwise output “\({\mathcal O}\) is \(\varPi \).”

If \({\mathcal O}\) is \(\mathrm {FP}_3\), we obtain the period s in Step 2 with a high probability and it passes the test in Step 3. On the other hand, according to [16], if \({\mathcal O}\) is \(\varPi \), with a high probability, Simon’s algorithm returns a random string \(s'\), and the probability that \(f^{\mathcal O}(\beta \parallel z)=f^{\mathcal O}((\beta \parallel z)\oplus s')\) is about \(2^{-n/2}\). Therefore, the distinguisher above returns a correct answer by making O(n) quantum queries.

Remark 1

We need to truncate outputs of \({\mathcal O}\) for constructing the function \(f^{\mathcal O}\), since we use only the lower n / 2 bits of the output of \({\mathcal O}\). However, the oracle may return outputs of which the lower and upper parts are entangled, and it is not trivial to truncate such outputs without destroying the entanglement, as pointed out by Kaplan et al. [14]. To solve this problem, Hosoyamada and Sasaki showed how to simulate truncation of outputs of the oracles without destroying quantum entanglements [11], and the same technique can be used in our case.

3.2 Key Recovery Attacks Against the Feistel-KF Construction

Next, we introduce the idea of the key recovery attacks against the Feistel-KF construction by Hosoyamada and Sasaki [11], and Dong and Wang [8]. They combined the quantum distinguisher against the 3-round Feistel cipher (see Sect. 3.1) with the Grover search. The attack is a quantum chosen-plaintext attack, and recovers the keys of the r-round Feistel cipher in time \(\tilde{O}(2^{(r-3)n/4})\).

Attack Idea. Given the quantum encryption oracle of the r-round Feistel-KF construction, run the following procedures (on a quantum circuit).

  1. 1.

    Implement a quantum circuit which

    • takes the intermediate state value after the first \((r-3)\) rounds and the subkeys for the first \((r-3)\) rounds as input,

    • computes the plaintext by decrypting the first \((r-3)\) rounds,

    • makes a quantum query of the computed plaintext to the oracle,

    • and returns the oracle output.

    The input and output of this circuit correspond to those of the last 3 rounds. We denote this circuit by \(\mathcal {E}\), which is depicted in Fig. 5.

  2. 2.

    Guess the subkeys of the first \((r-3)\) rounds.

  3. 3.

    For each guess, check its correctness with the following procedure.

    1. (a)

      Apply the 3-round distinguisher to \(\mathcal E\).

    2. (b)

      If the distinguisher returns that “this is a random permutation”, then judge that the guess is wrong. Otherwise judge that the guess is correct.

Fig. 5.
figure 5

Construction of \(\mathcal {E}\) in the key recovery attack against the r-round Feistel-KF construction. The ciphertext corresponds to the output of the 3-round Feistel-KF construction which takes \((K_{r-2}, K_{r-1}, K_{r})\) as subkeys and \((x, \alpha _\beta )\) as input.

Full size image

Attack Complexity. The total length of the subkeys of the first \((r-3)\) rounds is \(((r-3)n/2)\) bits. Thus the exhaustive search of the first \((r-3)\) rounds can be done in time \(O(\sqrt{2^{(r-3)n/2}})\) by using the Grover search. Moreover, the 3-round distinguisher in the third step runs in time O(n) for each subkeys guess. The running time of the attack is \(O(\sqrt{2^{(r-3)n/2}}) \times O(\mathrm {poly}(n))=\tilde{O}(2^{(r-3)n/4})\).

Although how to formally combine the Grover search and the 3-round distinguisher is non-trivial, the technique developed by Leander and May [18] guarantees that those can be combined. See the previous papers [8, 11] for details.

4 Relaxing Simon’s Algorithm

This section presents quantum distinguishers that are based on the relaxed version of Simon’s algorithm [23]. In a nutshell, we discuss that it is enough to obtain several vectors that are orthogonal to the period, and thus we eliminate the need to recover the actual period. This is similar to the one by Santoli and Schaffner [21], while we are dealing with a general class of block ciphers, and we also formalize a sufficient condition so that the distinguisher works.

In more detail, instead of using the period for the basis of the distinguisher, we focus on the dimension of the space spanned by the vectors \(y_1,y_2,\ldots \) that are obtained by using \(\mathcal {S}_f\) (recall that \(\mathcal {S}_f\) is defined in Sect. 2.2). If f has the non-zero period s, then the dimension is at most \(|s|-1\), since the vectors \(y_1,y_2,\ldots \) are all orthogonal to the period s. On the other hand, as we prove in Theorem 2 below, if the function f does not have any period, the dimension of the space spanned by the vectors \(y_1,y_2,\ldots \) can reach |s| with a high probability. In other words, we can distinguish f by checking the dimension of the space spanned by the vectors \(y_1,y_2,\ldots \) without computing the actual period s. Thus, there will not be a problem if there are several partial periods or periods other than s because our distinguisher does not need the period s.

Note that this technique works only if we do not need the value of s. This technique cannot be applied to the key recovery attacks on Even-Mansour construction and forgery attacks on authentication and authenticated encryption schemes since the goal of these attacks needs s [14].

Below we formally explain how our distinguisher works. Let \({\mathcal O}:\{0,1\}^n\rightarrow \{0,1\}^n\) be either an encryption scheme \(E_K\) or a random permutation \(\varPi {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathrm {Perm}(n)\), and suppose that the quantum oracles of \({\mathcal O}\) and \({\mathcal O}^{-1}\) are given. Our goal is to distinguish whether \({\mathcal O}= E_K\) or \({\mathcal O}=\varPi \). In what follows, when we use the symbol \(\pi \) for a permutation, we consider that \(\pi \) is a fixed (or constant) permutation.

Settings. Our distinguisher can be applied when there is a function family \(\{ f^\pi : \{0,1\}^\ell \rightarrow \{0,1\}^m \}_{\pi \in \mathrm {Perm}(n)}\) that satisfies the following conditions:

  1. 1.

    There is a (classical) algorithm \({\mathcal A}\) that makes black-box access to \(\pi ,\pi ^{-1}\), and computes \(f^\pi \). That is, for each permutation \(\pi \), \({\mathcal A}^{\pi ,\pi ^{-1}}\) computes \(f^\pi (x)\) if x is given as input. We assume that \({\mathcal A}\) makes O(1) queries and runs in time \(O(\mathrm {poly}(\ell ,m))\).

  2. 2.

    For the encryption scheme E and any key K, \(f^{E_K}\) has a period, i.e., there exists \(s \in \{0,1\}^\ell \) such that \(f^{E_K}(x\oplus s) = f^{E_K}(x)\) holds for all x (note that s depends on K).

Moreover, informally we expect that \(f^\varPi \) has no period with a high probability when \(\varPi \) is a random permutation. Note that the first condition implies that we can make a quantum circuit that realizes the unitary operator by making O(1) quantum queries to \({\mathcal O}\) and \({\mathcal O}^{-1}\), since any classical deterministic algorithm can be converted to a corresponding quantum algorithm.

Description of the Distinguisher. Let \({\mathcal S}_{f^{\mathcal O}}\) be the unitary operator that is defined as in Sect. 2. Recall that \({\mathcal S}_{f^{\mathcal O}} = (H^{{}\otimes \ell }\otimes I_m)\cdot U_{f^{{\mathcal O}}}\cdot (H^{{}\otimes \ell }\otimes I_m)\). Our distinguisher is described in Algorithm 1.

figure a

Analysis of the Distinguisher. Our distinguisher always returns the correct answer if \({\mathcal O}=E_K\), since by assumption, \(f^{E_K}\) has a period for any K, and thus the dimension of the space spanned by \({\mathcal Y}\) becomes strictly less than \(\ell \). Our distinguisher fails only if \({\mathcal O}=\varPi \) and the dimension of the space spanned by \({\mathcal Y}\) becomes less than \(\ell \). Below we analyze the failure probability, assuming that \(\eta \) (the number of iterations in Step 2) is sufficiently large.

The failure probability increases if the distribution of y in Step 3 is highly biased. Moreover, we obtain a vector y which is orthogonal to a partial period t of \(f^\varPi \) with a high probability in Step 3 if \({\Pr }_x\left[ f^\varPi (x)=f^\varPi (x\oplus t)\right] \) is large (i.e., t is close to a complete period) by definition of \({\mathcal S}_{f^{\mathcal O}}\). To capture how much the distribution of y is biased under the condition that random permutation \(\varPi \) matches a fixed permutation \(\pi \), we introduce a parameter \(\epsilon ^\pi _f\) defined as

$$\begin{aligned} \epsilon _f^{\pi } = \underset{t\in \{0,1\}^{\ell }\backslash \{0^\ell \}}{\max } \Pr _x\left[ f^\pi (x)=f^\pi (x\oplus t)\right] . \end{aligned}$$
(4)

We expect that, if \(\pi \) is chosen uniformly at random, this parameter \(\epsilon ^\pi _f\) is small on average.

Now take a small constant \(0 \le \delta < 1\) arbitrarily and say that a permutation \(\pi \) is irregular if \(\epsilon _f^{\pi } > 1-\delta \), i.e., \(\epsilon _f^{\pi }\) is relatively large. In addition, define the set of irregular permutations \(\mathsf{irr}_f^\delta \) as

$$\begin{aligned} \mathsf{irr}_f^\delta = \{\pi \in \mathrm {Perm}(n) \mid \epsilon _f^{\pi }> 1-\delta \}. \end{aligned}$$
(5)

Our intuition is that the failure probability becomes small if \(\Pr _{\varPi }[\varPi \in \mathsf{irr}_f^\delta ]\) is sufficiently small, and actually the following theorem holds.

Theorem 2

Let \(\ell \) and m be positive integers that are O(n). Assume that we have a quantum circuit with \(O(\mathrm {poly}(\ell ,m))\) qubits which computes \(f^{\mathcal O}\) by making O(1) queries to \({\mathcal O}\), and runs in time \(T=T(\ell ,m)\). Then, our distinguisher makes \(O(\eta )\) quantum queries, runs in time \(O(\eta T + \ell ^3)\), and distinguishes \(E_K\) from \(\varPi \) with probability at least

$$\begin{aligned} 1-{2^\ell }/{e^{\delta \eta /2}}-\Pr _\varPi [\varPi \in \mathsf{irr}_f^\delta ]. \end{aligned}$$
(6)

A proof is presented in [13]. This theorem guarantees that we can distinguish \(E_K\) from \(\varPi \) if \({2^\ell }/{e^{\delta \eta /2}}\) and \(\Pr _\varPi [\varPi \in \mathsf{irr}_f^\delta ]\) are small. In later sections, we apply the above theorem with \(\eta =2\ell /\delta \), in which case we have \({2^\ell }/{e^{\delta \eta /2}}=(2/e)^{\ell }\).

If we use the technique by Kaplan et al. (Theorem 1) to analyze a success probability of a distinguisher, we have to upper bound the parameter \(\epsilon (f^{E_K},s)\) that depends on the real construction \(E_K\), which may become hard if \(E_K\) has a complex structure. On the other hand, our technique (Theorem 2) requires only upper bounds of the terms that are not related to the real construction. Thus our technique makes analysis of a distinguisher easier than the technique by Kaplan et al. We remark that the probability evaluation in the ideal case that is similar to the last term of Eq. (6) is needed in the previous works [7, 14, 16] as well.

Fig. 6.
figure 6

The 4-round Feistel-F construction. \(F_i\in \mathrm {Func}(n/2)\).

Full size image

5 Quantum Distinguishing Attacks Against Feistel-F

In this section, we present our distinguisher against the 4-round Feistel-F construction with quantum chosen-ciphertext attacks. Based on this, we present in Sect. 6 quantum distinguishing attacks and key recovery attacks against the Feistel-KF construction.

We write \(F_{K_i}\) as \(F_i\). Note that \(F_i\) is still a keyed function and the absence of \(K_i\) does not imply that it is a keyless function. Let \(\mathrm {FF}_4\) denote the encryption algorithm of the 4-round Feistel-F construction, and \(\mathrm {FF}^{-1}_4\) denote its decryption algorithm. Figure 6 illustrates \(\mathrm {FF}_4\). Let \(F_1,\ldots ,F_4\in \mathrm {Func}(n/2)\) be the round functions of Feistel-F. \(\mathrm {FF}_4\) takes a plaintext \((a,b)\in (\{0,1\}^{n/2})^2\) as input and outputs a ciphertext \((c,d)\in (\{0,1\}^{n/2})^2\), where \(\mathrm {FF}_4:(a, b)\mapsto (c, d)\) is

$$\begin{aligned} c={}&a\oplus F_1(b)\oplus F_3(b\oplus F_2(a \oplus F_1(b))),\\ d={}&b\oplus F_2(a\oplus F_1(b))\oplus F_4\Bigl (a\oplus F_1(b)\oplus F_3(b\oplus F_2(a \oplus F_1(b)))\Bigr ). \end{aligned}$$

The decryption \(\mathrm {FF}^{-1}_4:(c,d)\mapsto (a,b)\) is defined as

$$\begin{aligned} a={}&c\oplus F_3(d\oplus F_4(c))\oplus F_1\Bigl (d\oplus F_4(c)\oplus F_2(c\oplus F_3(d\oplus F_4(c)))\Bigr ),\\ b={}&d\oplus F_4(c)\oplus F_2(c\oplus F_3(d\oplus F_4(c))). \end{aligned}$$

Let \(\varPi {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathrm {Perm}(n)\) be a random permutation and \(\varPi ^{-1}\) be the inverse permutation of \(\varPi \). \(\varPi \) takes a plaintext \((a,b)\in (\{0,1\}^{n/2})^2\) as input and outputs a ciphertext \((c,d)\in (\{0,1\}^{n/2})^2\), and \(\varPi ^{-1}\) takes a ciphertext (cd) as input and outputs a plaintext (ab).

Given the quantum oracles of \({\mathcal O}\) and \({\mathcal O}^{-1}\), where \({\mathcal O}\) is either the 4-round Feistel-F \(\mathrm {FF}_4\) or a random permutation \(\varPi {\mathop {\leftarrow }\limits ^{{\scriptscriptstyle \$}}}\mathrm {Perm}(n)\), our goal is to distinguish the two cases. We now construct the function \(f^{\mathcal O}\) to use Algorithm 1. We first fix two arbitrary distinct constants \(\alpha _0,\alpha _1\in \{0,1\}^{n/2}\), and we define the function \(f^{\mathcal O}\) as

$$\begin{aligned} f^{\mathcal O}:\{0,1\}\times \{0,1\}^{n/2}&\rightarrow \{0,1\}^{n/2}\\ (\beta \parallel x)&{} \mapsto b\oplus \alpha _{\beta },\quad \mathrm {where}~(c, d)=\mathcal {O}(x, \alpha _{\beta }),\\&\quad \quad \quad \quad \quad \qquad \quad \quad (a, b)=\mathcal {O}^{-1}(c, d\oplus \alpha _0\oplus \alpha _1). \end{aligned}$$

That is, \(f^{\mathcal O}\) is obtained by first encrypting \((x,\alpha _{\beta })\) to obtain the ciphertext (cd), then decrypting \((c,d\oplus \alpha _0\oplus \alpha _1)\) to obtain the plaintext (ab), and we define \(f^{\mathcal O}\) as \(b\oplus \alpha _{\beta }\).

If \(\mathcal {O}\) is \(\mathrm {FF}_4\), then by connecting \(\mathrm {FF}_4\) and \(\mathrm {FF}^{-1}_4\), our function \(f^{\mathcal O}\) can be illustrated as in Fig. 7. We observe that \(F_4\) has no effect on the computation of \(f^{\mathcal O}\), and \(F_1\) in \(\mathrm {FF}^{-1}_4\) does not contribute to \(f^{\mathcal O}\). They are shown in gray in Fig. 7. We see that Fig. 7 is equivalent to Fig. 8, and the function \(f^{\mathcal O}\) is described as

$$\begin{aligned} f^{\mathcal O}(\beta \parallel {}x)={}&\alpha _0\oplus \alpha _1\oplus F_2(x\oplus F_1(\alpha _{\beta }))\nonumber \\&\oplus F_2\Bigl (x\oplus F_1(\alpha _{\beta })\oplus F_3(\alpha _{\beta } \oplus F_2(x\oplus F_1(\alpha _{\beta })))\nonumber \\&\qquad \oplus F_3(\alpha _{\beta }\oplus \alpha _0\oplus \alpha _1 \oplus F_2(x\oplus F_1(\alpha _{\beta })))\Bigr ). \end{aligned}$$
(7)
Fig. 7.
figure 7

The function \(f^{\mathcal O}\) with \(\mathrm {FF}_4\) and \(\mathrm {FF}^{-1}_4\), where \(\mathcal {O}\) is \(\mathrm {FF}_4\).

Full size image
Fig. 8.
figure 8

A circuit that is equivalent to \(f^{\mathcal O}\).

Full size image

Our main observation is the following lemma.

Lemma 2

If \({\mathcal O}=\mathrm {FF}_4\), \(f^{\mathcal O}\) satisfies \(f^{\mathcal O}(\beta \parallel x)=f^{\mathcal O}(\beta \oplus 1\parallel x\oplus F_1(\alpha _0)\oplus F_1(\alpha _1))\). That is, \(f^{\mathcal O}\) has the period \(s=1\parallel F_1(\alpha _0)\oplus F_1(\alpha _1)\).

Proof

Let \(Z_{\beta \parallel x}=x\oplus F_1(\alpha _\beta )\) (See Fig. 8). We prove the lemma based on two claims. The first claim is that \(Z_{\beta \parallel x}\) already has the period \(s=1\parallel F_1(\alpha _0)\oplus F_1(\alpha _1)\), and the second claim is that the subsequent computation of \(f^{\mathcal O}\) does not depend on \(\beta \) nor x.

First, \(Z_{\beta \parallel x}\) has the period s, since

$$\begin{aligned} Z_{(\beta \parallel x)\oplus s}={}&x\oplus F_1(\alpha _0)\oplus F_1(\alpha _1) \oplus F_1(\alpha _{\beta \oplus 1})\\ ={}&x\oplus F_1(\alpha _\beta )\\ ={}&Z_{\beta \parallel x}. \end{aligned}$$

We next show that the subsequent computation of \(f^{\mathcal O}\) does not depend on \(\beta \) nor x. If we describe \(f^{\mathcal O}\) in Eq. (7) by using \(Z_{\beta \parallel x}\), then we obtain

$$\begin{aligned} f^{\mathcal O}(\beta \parallel {}x)={}&\alpha _0\oplus \alpha _1\oplus F_2(Z_{\beta \parallel x})\\&{}\oplus F_2\Bigl (Z_{\beta \parallel x}\oplus F_3(\alpha _{\beta } \oplus F_2(Z_{\beta \parallel x})) \oplus F_3(\alpha _{\beta }\oplus \alpha _0\oplus \alpha _1 \oplus F_2(Z_{\beta \parallel x}))\Bigr ). \end{aligned}$$

Now this is equivalent to

$$\begin{aligned} f^{\mathcal O}(\beta \parallel {}x)={}&\alpha _0\oplus \alpha _1\oplus F_2(Z_{\beta \parallel x})\nonumber \\&{}\oplus F_2\Bigl (Z_{\beta \parallel x}\oplus F_3(\alpha _{0} \oplus F_2(Z_{\beta \parallel x})) \oplus F_3(\alpha _1\oplus F_2(Z_{\beta \parallel x}))\Bigr ) \end{aligned}$$
(8)

since \(\{\alpha _{\beta },\alpha _{\beta }\oplus \alpha _0\oplus \alpha _1\}=\{\alpha _0,\alpha _1\}\). We see that \(f^{\mathcal O}\) depends on \(Z_{\beta \parallel x}\) that has the period \(s=1\parallel F_1(\alpha _0)\oplus F_1(\alpha _1)\), and hence the lemma follows.    \(\square \)

Therefore, we can construct a distinguisher against the 4-round Feistel-F construction by using the function \(f^{\mathcal O}\). From Theorem 2, the success probability of the distinguisher with measuring \((2n+4)\) times is \(1-\left( {2}/{e} \right) ^{n/2+1}-\Pr _\varPi [\varPi \in \mathsf{irr}_f^{1/2}], \) where we use \(\delta = 1/2\) and \(\eta =2n+4\).

It is clear that \(\Pr _\varPi [\varPi \in \mathsf{irr}_f^{1/2}]\) is a small value, since it is highly unlikely that \(f^{\mathcal O}\) obtained from a random permutation has periods. In [13], we present experimental results for small values of n to show that \(\Pr _\varPi [\varPi \in \mathsf{irr}_f^{1/2}]\) is indeed a small value.

6 Quantum Attacks Against Feistel-KF

The distinguisher in the previous section can obviously be applied to the 4-round Feistel-KF construction, and we can distinguish it from random permutations in polynomial time. Similarly to the previous key recovery attacks against the Feistel-KF [8, 11] construction (see Sect. 3.2), our 4-round distinguisher can be combined with the Grover search to develop key recovery attacks. Our new key recovery attack recovers the keys of the r-round Feistel-KF construction in time \(\tilde{O}(2^{(r-4)n/4})\) in the quantum CCA setting.

Attack Idea. Our attack idea is almost the same as that of the previous attacks [8, 11], except that our attack uses not only the encryption oracle but also the decryption oracle. Given the quantum encryption and decryption oracles of the r-round Feistel-KF construction, run the following procedures (on a quantum circuit).

  1. 1.

    Implement a quantum circuit \(\mathcal {E}\) that takes the intermediate state value after the first \((r-4)\) rounds and the subkeys for the first \((r-4)\) rounds as input, and computes the last 4 rounds, in the same way as the first step of the attack idea in Sect. 3.2.

  2. 2.

    Implement a quantum circuit \(\mathcal {D}\) that computes the inverse of \(\mathcal {E}\). That is, implement a quantum circuit which

    • takes the ciphertext and the subkeys for the first \((r-4)\) rounds as input,

    • makes a quantum decryption query of the ciphertext to the oracle to obtain the plaintext,

    • computes the intermediate state value after the first \((r-4)\) rounds from the plaintext and the subkeys for the first \((r-4)\) rounds,

    • and returns the intermediate state.

  3. 3.

    Guess the subkeys of the first \((r-4)\) rounds.

  4. 4.

    For each guess, check its correctness with the following procedure.

    1. (a)

      Apply the 4-round distinguisher to \(\mathcal E\) and \(\mathcal {D}\).

    2. (b)

      If the distinguisher returns that “this is a random permutation”, then judge that the guess is wrong. Otherwise judge that the guess is correct.

Attack Complexity. The length of the first \((r-4)\)-round subkeys is \(((r-4)n/2)\) bits in total. Thus the exhaustive search on the first \((r-4)\) rounds can be done in time \(O(\sqrt{2^{(r-4)n/2}})\) by using the Grover search. Moreover, the 4-round distinguisher in the fourth step runs in time O(n) for each candidate subkeys. Therefore the running time of the attack becomes \(O(\sqrt{2^{(r-4)n/2}}) \times O(\mathrm {poly}(n))=\tilde{O}(2^{(r-4)n/4})\).

Our new attack reduces the time complexity \(\tilde{O}(2^{(r-3)n/4})\) of the previous attacks to \(\tilde{O}(2^{(r-4)n/4})\), by using our new CCA 4-round distinguisher instead of the previous CPA 3-round distinguisher by Kuwakado and Morii. Our attack is a chosen-ciphertext attack unlike that the previous attacks are chosen-plaintext attacks, since our 4-round distinguisher is a CCA distinguisher.

7 Quantum Attacks Against Feistel-FK

In Sect. 7.1, we show a quantum distinguishing attack against Feistel-FK. Based on this, we present in Sect. 7.2 a key recovery attack. The main difference from the previous sections is that the number of the distinguishable rounds increases. In Sect. 7.3, we present a quantum chosen-plaintext attack.

7.1 Distinguishers Against Feistel-FK

We present our distinguisher against the 6-round Feistel-FK construction with quantum chosen-ciphertext attacks. This attack is based on the distinguisher against the 4-round Feistel-F construction described in Sect. 5. We increase the number of rounds by adding the first and last rounds, and this is possible because we can compute the output of the first F function and the last F function in encryption (or decryption) without knowing the subkeys.

Let \((a,b)\in (\{1,0\}^{n/2})^2\) denote a plaintext and \((c,d)\in (\{1,0\}^{n/2})^2\) denote a ciphertext. Let \(\mathrm {FFK}_6:(a,b)\mapsto (c,d)\) denote the encryption algorithm of the 6-round Feistel-FK construction, and \(\mathrm {FFK}^{-1}_6:(c,d)\mapsto (a,b)\) denote its decryption algorithm. Figure 9 illustrates the 6-round Feistel-FK construction.

Fig. 9.
figure 9

The 6-round Feistel-FK construction.

Full size image
Fig. 10.
figure 10

The function \(f^{\mathcal O}\) with \(\mathrm {FFK}_6\) and \(\mathrm {FFK}^{-1}_6\), where \(\mathcal {O}\) is \(\mathrm {FFK}_6\). \(c'=c\oplus \alpha _0\oplus \alpha _1\) and \(d^{\prime }=d\oplus F(c)\oplus F(c\oplus \alpha _0\oplus \alpha _1)\).

Full size image

Given the quantum oracles of \({\mathcal O}\) and \({\mathcal O}^{-1}\), we define the function \(f^{\mathcal O}\) as

$$\begin{aligned} f^{\mathcal O}:\{0,1\}\times \{0,1\}^{n/2}&\rightarrow \{0,1\}^{n/2}\\ (\beta \parallel x) \quad&\mapsto a\oplus F(b)\oplus \alpha _{\beta }\\ \mathrm {where}~(c, d)&=\mathcal {O}(\alpha _{\beta }\oplus F(x), x),\\ (a, b)&=\mathcal {O}^{-1}(c\oplus \alpha _0\oplus \alpha _1, d\oplus F(c)\oplus F(c\oplus \alpha _0\oplus \alpha _1)). \end{aligned}$$

If \(\mathcal {O}\) is \(\mathrm {FFK}_6\), then our function \(f^{\mathcal O}\) can be illustrated as in Fig. 10. We observe that the F functions shown in gray in Fig. 10 and the subkeys \(K_6\) have no effect on the computation of \(f^{\mathcal O}\). By connecting \(\mathrm {FFK}_6\) and \(\mathrm {FFK}^{-1}_6\), we obtain Fig. 11 that is equivalent to Fig. 10. If we replace \(\alpha _\beta \) with \(\alpha _\beta \oplus K_1\) and \(F_i(x)\) with \(F(x)\oplus K_{i+1}\) in Fig. 7, we see that Fig. 7 is equivalent to Fig. 11. Therefore, from Eqs. (7) and (8), the function \(f^{\mathcal O}\) is described as

$$\begin{aligned} f^{\mathcal O}(\beta \parallel {}&x)\\ ={}&\alpha _0\oplus \alpha _1\oplus F(x\oplus F(\alpha _{\beta }\oplus K_1)\oplus K_2)\\&{}\oplus F\Bigl (x\oplus F(\alpha _{\beta }\oplus K_1)\oplus K_2\oplus F\bigl (\alpha _0 \oplus F(x\oplus F(\alpha _{\beta }\oplus K_1)\oplus K_2)\oplus K_3\bigr ) \\&\qquad \oplus F\bigl (\alpha _1 \oplus F(x\oplus F(\alpha _{\beta }\oplus K_1)\oplus K_2)\oplus K_3\bigr )\Bigr ) \end{aligned}$$

and it has the period \(s=1\parallel F(\alpha _0\oplus K_1)\oplus F(\alpha _1\oplus K_1)\).

Therefore, we can construct a distinguisher against the 6-round Feistel-FK construction by using the function \(f^{\mathcal O}\). From Theorem 2, the success probability of the distinguisher with measuring \((2n+4)\) times is \( 1-(2/e)^{n/2+1}-\Pr _\varPi [\varPi \in \mathsf{irr}_f^{1/2}], \) where we set \(\delta = 1/2\) and \(\eta = 2n+4\). Note that \(\Pr _\varPi [\varPi \in \mathsf{irr}_f^{1/2}]\) is a small value, as it is unlikely that \(f^{\mathcal O}\) obtained from a random permutation has periods.

Fig. 11.
figure 11

A circuit that is equivalent to Fig. 10.

Full size image

7.2 Key Recovery Attacks Against Feistel-FK

Similarly to the key recovery attacks against the Feistel-KF construction in Sect. 6, the distinguisher introduced above can be combined with the Grover search to develop key recovery attacks. We can recover keys of the r-round Feistel-FK construction in time \(\tilde{O}(2^{(r-6)n/4})\) in the quantum CCA setting.

Our attack idea follows the attack against the Feistel-KF construction in Sect. 6. Recall that the attack in Sect. 6 guesses the first \((r-4)\)-round subkeys since a 4-round distinguisher is available. On the other hand, as for the Feistel-FK construction, we can use the 6-round distinguisher in Sect. 7.1 instead of the 4-round distinguisher. Hence it is sufficient to guess only the first \((r-6)\)-round subkeys (instead of the first \((r-4)\)-round subkeys) when we attack the Feistel-FK construction. The time complexity of our attack becomes \(\tilde{O}(2^{(r-6)n/4})\), since the Grover search on the first \((r-6)\)-round subkeys (\(\frac{(r-6)n}{2}\) bits in total) requires \(O(\sqrt{2^{(r-6)n/2}}) = O(2^{(r-6)n/4})\) evaluations.

7.3 Quantum CPA Attacks Against Feistel-FK

We can also construct a distinguisher and recover the key of the Feistel-FK construction in the quantum CPA setting. As in Sect. 7.1, we can construct a 5-round distinguisher by following the 3-round distinguisher in Sect. 3.1 and by computing the output of the first F function and the last F function in encryption. Specifically, we use \((\alpha _\beta \oplus F(x), x)\) as the input of the oracle \({\mathcal O}\) and use \(d\oplus F(c)\oplus \alpha _\beta \) as the output of the function \(f^{\mathcal O}(\beta \parallel x)\), where \((c,d)={\mathcal O}\left( \alpha _\beta \oplus F(x), x\right) \). This function has the period \(s=1\parallel F(\alpha _0\oplus K_1)\oplus F(\alpha _1\oplus K_1)\).

Combined with the 5-round distinguisher, we can recover the subkeys of the r-round Feistel-FK construction as in Sect. 6. The time complexity of our key recovery attack is \(\tilde{O}(2^{(r-5)n/4})\), since the Grover search on the first \((r-5)\)-round subkeys (\(\frac{(r-5)n}{2}\) bits in total) requires \(O(\sqrt{2^{(r-5)n/2}}) = O(2^{(r-5)n/4})\) evaluations.

8 Concluding Remarks

In this paper, we first formalized a distinguishing algorithm against block ciphers that does not recover the period. We then considered quantum chosen-ciphertext attacks against Feistel ciphers. We gave a new quantum CCA distinguisher against Feistel ciphers that can distinguish more rounds than the previous CPA distinguishers. Our quantum CCA distinguishers can distinguish the 4-round Feistel-F and Feistel-KF constructions, and the 6-round Feistel-FK construction, from random permutations in polynomial-time of the output size. Moreover, we extended the distinguishers to key recovery attacks for the Feistel-KF and Feistel-FK constructions. Our quantum CCA key recovery attacks against the r-round Feistel-KF and Feistel-FK constructions recover keys in time \(\tilde{O}(2^{(r-4)n/4})\) and \(\tilde{O}(2^{(r-6)n/4})\), and quantum CPA key recovery attacks against the r-round Feistel-FK constructions recover keys in time \(\tilde{O}(2^{(r-5)n/4})\), respectively.

There are interesting open questions. First, we still do not know the tight bound on the number of rounds that we can distinguish the Feistel-F construction. From the result of Kuwakado and Morii, we know that the 3-round construction can be distinguished with quantum CPA, and this paper shows that the 4-round construction can be distinguished with quantum CCA. However, there is a possibility that these rounds can be extended, and deriving the tight number of rounds remains as a challenging question. Improving the complexity or extending the number of rounds of the attacks against Feistel-KF and Feistel-FK constructions is also an interesting question.