Quantum Meet-in-the-Middle Attack on Feistel Construction

TL;DR

This paper introduces a quantum meet-in-the-middle attack on Feistel ciphers that significantly reduces the attack complexity for 7 or more rounds, leveraging quantum algorithms like Grover's search and claw finding.

Contribution

It presents a novel quantum attack method on Feistel networks that improves efficiency over previous classical and quantum attacks, especially for r ≥ 7 rounds.

Findings

Reduces attack time complexity for 7-round Feistel to a lower exponential scale.

Introduces a practical quantum attack model (Q1) for Feistel ciphers.

Extends the attack to r-round Feistel by combining inner and outer loop searches.

Abstract

Inspired by Hosoyamada et al.'s work [14], we propose a new quantum meet-in-the-middle (QMITM) attack on $r$-round ($r \ge 7$) Feistel construction to reduce the time complexity. Similar to Hosoyamada et al.'s work, our attack on 7-round Feistel is also based on Guo et al.'s classical meet-in-the-middle (MITM) attack [13]. The classic MITM attack consumes a lot of time mainly in three aspects: construct the lookup table, query data and find a match. Therefore, parallel Grover search processors are used to reduce the time of constructing the lookup table. And we adjust the truncated differentials of the 5-round distinguisher proposed by Guo et al. to balance the complexities between constructing the lookup table and querying data. Finally, we introduce a quantum claw finding algorithm to find a match for reducing time. The subkeys can be recovered by this match. Furthermore, for $r$-round ($r > 7$) Feistel construction, we treat the above attack on the first 7 rounds as an inner loop and use Grover's algorithm to search the last $r-7$ rounds of subkeys as an outer loop. In summary, the total time complexity of our attack on $r$-round ($r \ge 7$) is only $O(2^{2n/3+(r-7)n/4})$ less than classical and quantum attacks. Moreover, our attack belongs to Q1 model and is more practical than other quantum attacks.