1

Improving the Generalized Feistel

Tomoyasu Suzaki and Kazuhiko Minematsu

NEC Corporation

FSE 2010 Feb. 7-10, Seoul Korea

2

Generalized Feistel Structure (GFS)

�One of the basic structure of block cipher.

�Proposed by Zheng et al. in 1989 (CRYPTO ‘89)*.

�GFS is a generalized form of the classical Feistel

structure.

�Classical Feistel structure

divide a message into two sub blocks.

�GFS

divide a message into k sub blocks (k > 2).

* Zheng et al. refers as a Feistel-Type Transformation (FTT).

3

Type-II GFS

Single round GFS :

(x0, x1, ..., xk-2, xk-1) →(F0(x0)⊕x1, x2, F1(x2)⊕x3, x4, ..., F(k-2)/2(xk-2)⊕xk-1, x0)

where F : {0,1}n→ {0,1}n

Employed by many ciphers, such as CLEFIA (k=4), HIGHT (k= 8).

n n n n n n

x0 x1 x2 x3 xk-2 xk-1

F0 F1 F(k-2)/2

4

Advantage/Disadvantage of GFS

� AdvantageFor a fixed message length, input/output length of round function gets shorter as the partition number kgrows.→ suitable for small-scale implementations.

�DisadvantageAs k grows, the diffusion property gets worse.

(We will explain this in the next slides)

5

F F

F

F F

F

Diffusion path of Type-II GFS (k=4,6)

F

F

F F F

F F F

F F F

F F F

F F F

F F F

Full diffusion

Collision

6

F F F F

F F F F

F F F F

F F F F

F F F F

F F F F

F F F F

F F F F

Diffusion path of Type-II GFS (k=8)

7

49

36

25

16

9

4

1

0

Number of collision

36.714

34.712

32.010

28.18

38.216

22.26

12.54

02

Proportion(%)Partition number k

100diffusion fullfor XORs ofNumber

Collisions ofNumber Proportion ×=

Collision of data paths for k partition Type-II GFS

Improvement possible ?

8

Contribution

�Propose “generalized” GFS (GGFS)� GGFS allowing arbitrary network

(but identical for each round)

� Propose criteria for the diffusion property

� Confirm the relationship between our criteria and several known security measures

�Pseudorandomness

� impossible differential characteristics

�saturation characteristics

�Build GGFSs with “good” diffusion� Exhaustive search

� Graph-based

9

block shuffle π / π-1

1

1

+iF1

0

+iF

iX 0

iX1

iX 2

iX 3i

kX 2−

i

kX 1−

1

0

+iX 1

1

+iX1

2

+iX 1

3

+iX1

2

+

−

i

kX 1

1

+

−

i

kX

Generalized GFS

1

1

+

−

i

mF

Iteration

Our goal is to find “good” block shuffle !

y = π(x) ↔ x = π-1(y)

10

Criteria for the diffusion property

).π(DRmax)DRmax(π10

def

iki −≤≤

=

}.)DRmax(π,)π(max{DRmax)(πDRmaxdef

1−± =

)}.π({DRmaxminDRmaxπ

def±

∈

∗ =kΠ

k

F F F

F F F

F F F

F F F

F F F

F F F

DRi(π) : Minimum rounds which i-th input block reaches all

output blocks.

Using DRi(π) we define the following criteria.

DR6(cyclic shift) = 6Optimum π is one that achieves DRmaxk*

11

DRmax for practical k

8

8

8

7

6

5

4

DRmax*k

16

14

12

10

8

6

4

Type-II

/ Nyberg 1

16

12

8

4

14

10

6

Partition number

k

We evaluated DRmax of all block shuffles for k up to 16.

1 Nyberg’s Generalized Feistel Network

12

Optimum block shuffle for k=8

F F

F F

F F

F F

F F

F F

F F

F F

F F

F F

F F

F F

Any even (odd) input block is connected to an odd (even) output block.

We define such shuffle “even-odd shuffle”.

Optimum shuffles we found are all even-odd shuffle.

13

Graphical interpretation

�As k grows, the cost of exhaustive search is expensive,

therefore we have to take a different approach.

�From the previous search result, we focus on even-

odd shuffles.

�We represent an even-odd shuffle as a graph and

translate DRmax evaluation into a graph theoretic

problem.

14

Graphical representation

F F F F

0 1 2 3 4 5 6 7

0 1 2 3

2i+1th block → 2jth block

Sufficient distance (SD(G[π]))

→ Next slideDRmax(π)

2ith block → 2j+1th block

Edge-colored directed graph

with k/2 nodes (degree 2)k sub blocks (k : even)

Corresponding graph G[π]GFS with even-odd shuffle π

vi vj

vi vj

15

�appropriate path :First and last are blue.

The next of red is blue.

�L-appropriately-reachable :Any two (possibly the same) nodes are connected via an

appropriate path of length L.

�Sufficient distance (SD) :Minimum of L such that the graph is L-appropriately-reachable.

Sufficient Distance (SD)

Diam(G) ≤ SD(G)

where Diam(G) is the diameter of G.

i.e., the maximum distance of any two vertices.

000 001 111110

001 110

16

Relation between DRmax and SD

If SD(G[π])=L for even-odd shuffle π,

DRmax(π) ≤ SD(G[π])+1.

F F F F

even-odd shuffle π

F F F F

even-odd shuffle π

F F F F

SD(G[π])

rounds

0

iX

L

jX

1+LXeven-odd shuffle π

(j :any even)

17

de Bruijn Graph

How to color the edges ?

We found a coloring of de Bruijn which achieves SD at most 2s+1.

(see the paper for details)

To build a graph having small SD → de Bruijn graph

� Property of de Bruijn graph :

� order 2s

� two-regular

� directed

� minimum diameter (s)

Good candidate for a graph

with small SD !

18

Our result

0

4

8

12

16

20

24

28

32

36

4 6 8 10 12 14 16 18 20 22 24 26 28 30 32Partition Number k

DR

max*

Type-II, Nyberg's GFS

Optimal GFS

de Bruijn

Lower Bound

Optimum

DR

max

*

Partition number k

19

Security evaluation

� Pseudorandomness

� Cryptanalysis

� Impossible Differential Attack

� Saturation Attack

20

Previous study of Pseudorandomness

�Luby and Rackoff proved pseudorandomness of

Feistel structure.

3 rounds Feistel is pseudorandom permutation (prp).

4 rounds Feistel is strong prp (sprp).

�Mitsuda and Iwata proved pseudorandomness of

Type-II GFS [MI08].

k+1 rounds Type-II is prp.

2k rounds Type-II is sprp.

We proved pseudorandomness of GFS with even-odd shuffle

using SD.

21

Pseudorandomness of GFS

AdvantageRoundAdvantageRound

4logk2logk+1de Bruijn

based GFS

2L+2 *L+2

SD(G[π])≤L

GGFS with

even-odd

2kk+1Type-II

GFS

[MI08]

sprpprp

2

12q

kLn+

2

2q

kLn

22

2q

kn

22

2q

kn

* max{ SD(G[π]), SD(G[π-1]) } ≤ L

2

2

log2q

kkn

2

2

log4q

kkn

22

Impossible differential characteristics

α

β

Ciphertext pair

Key

Decrypt one round using the ciphertext

pair obtained from the plaintext pair for

which the difference is α.

Reject the key for which the difference

is β.

The last remaining key is the correct key.

When the probability of α → β is zero

(Impossible Differential Characteristics :

IDC),

α → β is an impossible differential.Probability 0

F

23

Evaluation of IDC

F

DRmax(π)

0

DRmax(π-1)

γ ⊕ δ

Contradiction

Kim et al. showed the number

of rounds for IDC of Type-II

GFS is 2k+1.

From the characteristic of U-

method (proposed by Kim et

al.) and the definition of

DRmax, the number of rounds

for IDC of GFS becomes at

most 2DRmax+1.

F F

F F F

F F F

F F F

F F F

F F F

F F F

F F F

F F F

0 0 0 γ 0

0 0 0 0 γ0

24

Saturation characteristics

A

Ciphertexts

Key

F

A

F

F

F

F

C

A

B

A

U B

C

A

B ?

Decrypt one round using the 2n

ciphertexts obtained from the 2n all

plaintexts.

Reject the key for which the sum is

not balance.

The last remaining key is the correct

key.

n

A: ALL B: Balance

C: Constant U: Unknown

n

25

Evaluation of saturation characteristics (SC)

C

DR

max

(π)+

2D

Rm

ax(π

-1)-

2

Cα

β

α’Search of saturation characteristics :

1. α → β

After DRmax(π)+3 rounds, the

balance state does not

remain.

→ at most DRmax(π)+2 rounds.

2. Expansion from α to α’

At least one Constant must be

contained.

→ st most DRmax(π)-2 rounds.

α’ → β is at most 2DRmax rounds.

F F F

F F F

F F F

F F F

F F F

F F F

F F F

F F F

F F F

F F F

C C C A

A A C A A A

26

Numerical comparison

16321216sprp

16321216SC

91779prp

optimum optimumType-IIType-II

17

8

13

6

3317IDC

168DRmax

k = 16k = 8( round )

27

Conclusion

� Propose “Generalized” GFS that allow arbitrary network

� Propose criteria (Sufficient Distance) for the diffusion property

� de Bruijn graph based GFS has GOOD diffusion property

� A diffusive improvement showed leading to the improvement of security.

28

Thank you for your attention !