Rectangle Attack Against Type-I Generalized Feistel Structures
Author affiliations: College of Liberal Arts and Sciences, National University of Defense Technology; Hunan Engineering Research Center of Commercial Cryptography Theory and Technology Innovation; State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences; College of Information and Communication, National University of Defense Technology
Publication: Chinese Journal of Electronics (电子学报(英文))
Year, volume, issue: 2022, Vol. 31, No. 4
Pages: 713-720
Subject classification: 0808 [Engineering - Electrical Engineering]; 0809 [Engineering - Electronic Science and Technology (degrees may be awarded in Engineering or Science)]; 07 [Science]; 070104 [Science - Applied Mathematics]; 0701 [Science - Mathematics]
Funding: Supported by the National Natural Science Foundation of China (62172427, 61702537, 61772545, 62002370), State Key Laboratory of Information Security (2020-MS-02), and Scientific Research Plan of National University of Defense Technology (ZK21-36)
Topics: Block cipher structures; Rectangle attack; Boomerang switch; Structural attack; Generalized Feistel networks
Abstract: Type-I generalized Feistel networks (GFN) are widely used frameworks in symmetric-key primitive designs such as CAST-256 and Lesamnta. Different from the extensive studies focusing on specific block cipher instances, the analysis against Type-I GFN structures gives a generic security evaluation of the basic frameworks and concentrates more on the effect of the linear transformation. Currently, works in this field mainly evaluate the security against impossible differential attack, zero-correlation linear attack, meet-in-the-middle attack and yoyo game attack, while its security evaluation against rectangle attack is still missing. In this paper, we filled this gap and gave the first structural analytical results of Type-I GFN against rectangle attack. By exploiting its structural properties, we proved for the first time that there exists a boomerang switch for Type-I GFN, which is independent of the round functions. Then we turned the boomerang switch into the chosen-plaintext setting and proposed a new rectangle attack model. By appending 1 more round at the beginning of the boomerang switch, we constructed a rectangle distinguisher, and a key recovery attack could be performed.