A Structural Attack on Type-I Generalized Feistel Networks

This paper presents generic structural cryptanalysis against type-I generalized Feistel networks (GFN), in which all the inner transformations are unknown. The target of our attack is to retrieve all the unknown round functions. We provide an improved yoyo game distinguisher, in which one rejects a large group of start guesses by a single wrong guess, hence is quite advantageous for reducing the complexity. Next, we exploit this distinguisher to develop a recovery attack of such structure and find the look-up tables of the first, eighth, and ninth round functions. Then by the encryption and decryption similarity, we recover the LUTs of the second, third, and tenth round functions from the decrypt direction. Finally, we retrieve the rest rounds by using the analytic relationships between the plaintexts and their four-round encryption results. Our complete recovery requires time complexity O(2(3.36n)) and memory O(2(n)), where n is the branch size. For 64-bit block cipher, our result will approximate a real-life attack. This paper is the first recovery attack against ten-round type-I GFN.