Quantum cryptanalysis on some generalized Feistel schemes

IACR Cryptology ePrint Archive (2019)

Abstract
Post-quantum cryptography has attracted much attention from cryptologists worldwide. At ISIT 2010, Kuwakado and Morii gave a polynomial-time quantum distinguisher against 3-round Feistel networks. However, generalized Feistel schemes (GFS) have not been systematically investigated against quantum attacks. In this paper, we study quantum distinguishers for some generalized Feistel schemes. For $d$-branch Type-1 GFS (CAST256-like Feistel structure), we introduce $(2d-1)$-round quantum distinguishers with polynomial time. For $2d$-branch Type-2 GFS (RC6/CLEFIA-like Feistel structure), we give $(2d+1)$-round quantum distinguishers with polynomial time. Classically, Moriai and Vaudenay proved that a 7-round 4-branch Type-1 GFS and a 5-round 4-branch Type-2 GFS are secure pseudo-random permutations. Obviously, they are no longer secure in the quantum setting. Using the above quantum distinguishers, we introduce generic quantum key-recovery attacks by applying the combination of Simon's and Grover's algorithms recently proposed by Leander and May. We denote by $n$ the bit length of a branch. For $(d^2-d+2)$-round Type-1 GFS with $d$ branches, the time complexity is $2^{(\frac{1}{2}d^2-\frac{3}{2}d+2)\cdot\frac{n}{2}}$, which is better than the quantum brute-force search (Grover search) by a factor of $2^{(\frac{1}{4}d^2+\frac{1}{4}d)n}$. For $4d$-round Type-2 GFS with $2d$ branches, the time complexity is $2^{\frac{d^2 n}{2}}$, which is better than the quantum brute-force search by a factor of $2^{\frac{3d^2 n}{2}}$.
Key words
generalized Feistel schemes, Simon, Grover, quantum key-recovery, quantum cryptanalysis