10. Generic Attacks on Generalized Feistel Ciphers

Type-1, type-2 and type-3 and alternating Feistel schemes, are described by Zhen, Matsumoto, and Imai (On the construction of block ciphers provably secure and not relying on any unproved hypotheses, Springer, Heidelberg, 1990, pp. 461–480) (see also Hoang and Rogaway, On generalized Feistel networks, Springer, Heidelberg, 2010, pp. 613–630). These generalized Feistel schemes are used in well known block cipher networks that use generalized Feistel schemes: CAST-256 (type-1), RC-6 (type-2), and BEAR/LION (alternating). Also, type-1 and type-2 Feistel schemes are respectively used in the construction of the hash functions Lesamnta and SHAvite − 3₅₁₂. There exist many kind of attacks on these schemes: impossible differential attacks (Bouillaguet et al., New insights on impossible differential cryptanalysis, Springer, Heidelberg, 2012, pp. 243–259; Luo et al., Inform. Sci. 263:211–220, 2014), boomerang attacks (Choy and Yap, Impossible boomerang attacks for block cipher structures, Springer, Heidelberg, 2009, pp. 22–37) and differential attacks (Nachef et al., Differential attacks on generalized Feistel schemes, Springer, Heidelberg, 2013, pp. 1–19). However, the attacks we are going to describe in this chapter generally allow to attack more rounds (or at least the same number of rounds) than for example impossible differential attacks. Moreover in the presented attacks, there is no restriction on the round function, unlike for some impossible differential attacks where it is supposed to be bijective. Security results are given in Hoang and Rogaway (On generalized Feistel networks, Springer, Heidelberg, 2010, pp. 613–630).