Collision Attack on 4-Branch, Type-2 GFN Based Hash Functions Using Sliced Biclique Cryptanalysis Technique

Abstract

In this work, we apply the sliced biclique cryptanalysis technique to show 8-round collision attack on a hash function \(H\) based on 4-branch, Type-2 Generalized Feistel Network (Type-2 GFN). This attack is generic and works on 4-branch, Type-2 GFN with any parameters including the block size, type of round function, the number of S-boxes in each round and the number of SP layers inside the round function. We first construct a 8-round distinguisher on 4-branch, Type-2 GFN and then use this distinguisher to launch 8-round collision attack on compression functions based on Matyas-Meyer-Oseas (MMO) and Miyaguchi-Preneel (MP) modes. The complexity of the attack on 128-bit compression function is \(2^{56}\). The attack can be directly translated to collision attack on MP and MMO based hash functions and pseudo-collision attack on Davies-Meyer (DM) based hash functions. When the round function \(F\) is instantiated with double SP layer, we show the first 8 round collision attack on 4-branch, Type-2 GFN with double SP layer based compression function. The previous best attack on this structure was a 6-round near collision attack shown by Sasaki at Indocrypt’12. His attack cannot be used to generate full collisions on 6-rounds and hence our result can be regarded the best so far in literature on this structure.

A 8-Round Collision Attack on CLEFIA Based Compression Function

In this section, we investigate CLEFIA which is a real world-implementation of 4-branch, Type-2 GFN. In the attacks discussed in Sects. 4 and 5, we considered 4-branch, Type-2 GFN with double SP layer where right cyclic shift is applied on the message sub-blocks at the end of each round. This was done to facilitate direct comparison with previous results [8, 24] on the same structure. However in [34], Type-2 GFN’s have been defined with left cyclic shift and is followed in all the practical implementations of Type-2 GFN structure - e.g., RC6 [23], CLEFIA [28], HIGHT [13] etc. Yet, similar attack procedure (as discussed in Sect. 5) can be applied on CLEFIA but with different \(\varDelta _i\) and \(\nabla _j\) trails. CLEFIA is a 128-bit block cipher and supports three key lengths - 128-bit, 192-bit and 256-bit. The number of rounds correspondingly are 18, 22 and 26. Here, in this section, we examine CLEFIA with 128-bit keysize.⁵ \(WK_0\) and \(WK_1\) represent the whitening keys at the start of the cipher. Each round has two 32-bit round keys \(RK_{2i-2}\) and \(RK_{2i-1}\) (where, 1 \(\le \) i \(\le \) 18).

Fig. 10.

\(\varDelta _i\) difference injection in Round 4 and its propagation (Color figure online)

Fig. 11.

\(\nabla _j\) difference injection in Round 5 and its propagation (Color figure online)

Fig. 12.

1-round biclique placed in Round 4

In this attack, let \(\varDelta _i\) = (\(i \bar{0} \mid \bar{0} \bar{0} \mid \bar{0} \bar{0} \mid \bar{0} \bar{0}\)) be the \(\varDelta \) difference injected in Round 4 and \(\nabla _j\) = (\(\bar{0} \bar{0} \mid j \bar{0} \mid \bar{0} \bar{0} \mid \bar{0} \bar{0}\)) be the \(\nabla \) difference injected in Round 5 where (\(0 \le i,j \le 2^{16}-1\)). Here each \(\bar{0}\) represents \(0^{16}\). The attacker first chooses a random base value \(Q_{0,0}\) and then injects the \(\varDelta _i\) and \(\nabla _j\) differences accordingly. The propagation of \(\varDelta _i\) trail (marked as ‘|’ in green) and \(\nabla _j\) trail (marked as ‘-’ in red) is shown in Figs. 10 and 11 respectively. The dimension of this biclique is \(d\)=16. It is easy to check that \(\varDelta _i\) and \(\nabla _j\) trails are independent and do not share any non-linear components (shown in Fig. 12) between them in round 4. Thus a 1-round biclique (consisting of \(2^{2d}\) = \(2^{32}\) messages) is formed in $4 round.

From round 5 only \(\nabla _j\) trail is propagated in the forward direction and from round 3 only \(\varDelta _i\) trail is propagated in the backward direction (as shown in Fig. 13). At the end of \(8^{th}\) round it can be seen that \(\$1_3^2\) (marked in yellow in Fig. 13) in the backward direction is not affected by \(\varDelta _i\) trail and \(\$8_3^2\) (marked in yellow in Fig. 13) in the forward direction remains unaffected by \(\nabla _j\) trail. Through feed forward operation, 16 bits of \(\$1_3^2\) can then be matched with 16 bits of \(\$8_3^2\). Hence, in this attack we choose \(\$8_3^2\) to be our matching variable \(v\). The steps of collision attack for CLEFIA are exactly the same as discussed in Sects. 5 and 6. Therefore, we can generate collisions in 8-rounds of CLEFIA based hash function with a complexity of \(2^{56}\).

Fig. 13.

Matching in 8 rounds of CLEFIA (Color figure online)