9. Generic Attacks on Expanding Feistel Ciphers

“Generic” Unbalanced Feistel Ciphers with Expanding Functions are Unbalanced Feistel Ciphers with truly random internal round functions from n bits to (k − 1)n bits with k ≥ 3. From a practical point of view, an interesting property of these schemes is that since n < (k − 1)n and n can be small (8 bits for example), it is often possible to store these truly random functions in order to design efficient schemes. This was done in the construction of the hash function CRUNCH (Goubin et al., CRUNCH, Submission to NIST, October 2008) for example. Attacks on Unbalanced Feistel Ciphers with expanding functions have been first studied by Jutla (Generalized birthday attacks on unbalanced Feistel networks, Springer, Heidelberg, 1998, pp. 186–199). Then these attacks were improved and generalized in Patarin et al. (Generic attacks on unbalanced Feistel schemes with expanding functions, Springer, Heidelberg, 2007, pp. 325–341). However, in Patarin et al. (Generic attacks on unbalanced Feistel schemes with expanding functions, Springer, Heidelberg, 2007, pp. 325–341), some attacks were working only with particular functions (weak keys). This was due to bottlenecks in equalities as explained in Sect. 9.3.2. This issue has been addressed in Volte et al. (Improved generic attacks on unbalanced Feistel schemes with expanding functions, Springer, Heidelberg, 2010, pp. 94–111) where the authors created a computer program that systematically analyzes all the possible attacks, reject attacks with bottlenecks and detect the most efficient ones. This led to many new improved attacks by a systematic study of all 2-point and rectangle attacks when k ≤ 7. The generalization of these improved attacks was done for all k. This chapter is devoted to present the best attacks (KPA and NCPA) on Unbalanced Feistel Ciphers with Expanding Functions. According to the number of rounds, these attacks will be either 2-point attacks or different type of rectangle attacks. As pointed in Jutla (Generalized birthday attacks on unbalanced Feistel networks, Springer, Heidelberg, 1998, pp. 186–199) and (Patarin et al., Generic attacks on unbalanced Feistel schemes with expanding functions, Springer, Heidelberg, 2007, pp. 325–341; Volte et al., Improved generic attacks on unbalanced Feistel schemes with expanding functions, Springer, Heidelberg, 2010, pp. 94–111), there are surprisingly much more possibilities for these attacks than for generic balanced Feistel ciphers, generic unbalanced Feistel ciphers with contracting functions, or generalized Feistel ciphers. In fact, this large number of attack possibilities makes the analysis difficult. Many simulations on the attacks are also given, which confirm the theoretical analysis. Security results using the coupling method are given in Hoang and Rogaway (On generalized Feistel networks, Springer, Heidelberg, 2010, pp. 613–630).