## Cryptology ePrint Archive: Report 2015/426

Complementing Feistel Ciphers

Alex Biryukov and Ivica Nikolic

Abstract: In this paper, we propose related-key differential distinguishers based on the complementation property of Feistel ciphers. We show that with relaxed requirements on the complementation, i.e. the property does not have to hold for all keys and the complementation does not have to be on all bits, one can obtain a variety of distinguishers. We formulate criteria sufficient for attacks based on the complementation property. To stress the importance of our findings we provide analysis of the \textit{full-round} primitives: * For the hash mode of \camo without $FL,FL^{-1}$ layers, differential multicollisions with $2^{112}$ time * For GOST, practical recovery of the full key with 31 related keys and $2^{38}$ time/data

Category / Keywords: secret-key cryptography / Complementation, Feistel, Camellia, GOST, related-key, differential

Original Publication (with minor differences): IACR-FSE-2013