All-subkeys-recovery attacks on a variation of Feistel-2 block ciphers
The Feistel-2 cipher is a type of Feistel ciphers proposed by Isobe and Shibutani at Asiacrypt 2013. Its round functions consist of a public F-function and a subkey XORed before the F-function. Recently, a variation of the Feistel-2 cipher, in which the subkey is XORed after the F-function, has been widely used in proposals such as SIMON and Simeck. The authors denote this type of Feistel ciphers as Feistel-2. In this study, they study the security of Feistel-2* ciphers. First, they propose the differential function reduction technique. Then, they present all-subkeys-recovery attacks against Feistel-2* ciphers based on this technique. Let z be the key size to block size ratio of block ciphers. It is shown that their attacks can break up 6, 8 and 10 rounds of the Feistel-2* cipher for z = 1, 3/2 and 2, respectively. Thanks to the meet-in-the-middle approach, their attacks only need a few chosen plaintexts. Moreover, with higher-data complexity, all attacks can be improved by one round. This implies that a secure Feistel-2* cipher should at least iterate 8, 10 and 12 rounds for z = 1, 3/2 and 2, respectively.