Generalized Feistel Network (GFN) is widely used in block ciphers. CLEFIA is one of the GFN type-2 block ciphers. CLEFIA employs Diffusion Switching Mechanism (DSM) in its diffusion layer. DSM improves CLEFIA's security by increasing its number of active S-boxes, which is an indicator of security against differential and linear cryptanalyses. However, two matrices in DSM increase implementational cost. In this paper, we pursue the research question whether it is possible to achieve the same security as original CLEFIA with only one matrix without overhead in hardware. Our idea to answer the research question is applying byte-shuffling technique to CLEFIA. Byte-shuffling is an operation to shuffle 8-bit bytes. On the other hand, traditional GFN ciphers rotate 32-bit or larger words in their permutation layer. Since implementation of byte-shuffling is considered as cost-free in hardware, it adds no overhead in comparison with word rotation. Byte-shuffling has numerous shuffle patterns whereas word rotation has a few patterns. In addition, security property varies among the shuffle patterns. So, we have to find the optimal shuffle pattern(s) on the way to pursue the research question. Although one way to find the optimal shuffle pattern is evaluating all possible shuffle patterns, it is impractical to evaluate them since the evaluation needs much time and computation. We utilize even-odd byte-shuffling technique to narrow the number of shuffle patterns to be searched. Among numerous shuffle patterns, we found 168 shuffle patterns as the optimal shuffle patterns. They achieved full diffusion in 5 rounds. This is the same security as original CLEFIA. They achieved enough security against differential and linear cryptanalyses at 13th and 14th round, respectively, by active S-box evaluations. It is just one and two rounds longer than original CLEFIA. However, it is three and two rounds earlier than CLEFIA without DSM.

In this paper, generic attacks are presented against hash functions that are constructed by a hashing mode instantiating a Feistel or generalized Feistel networks with an SP-round function. It is observed that the omission of the network twist in the last round can be a weakness against preimage attacks. The first target is a standard Feistel network with an SP round function. Up to 11 rounds can be attacked in generic if a condition on a key schedule function is satisfied. The second target is a 4-branch type-2 generalized Feistel network with an SP round function. Up to 15 rounds can be attacked in generic. These generic attacks are then applied to hashing modes of ISO standard ciphers Camellia-128 without FL and whitening layers and CLEFIA-128.

CLEFIA is a 128-bit block cipher proposed by Shirai et al. at FSE2007. It has been reported that CLEFIA has a 9-round saturation characteristic, in which 32bits of the output of 9-th round 112-th order differential equals to zero. By using this characteristic, a 14-round CLEFIA with 256-bit secret key is attacked with 2113 blocks of chosen plaintext and 2244.5 times of data encryption. In this paper, we focused on a higher order differential of CLEFIA. This paper introduces two new concepts for higher order differential which are control transform for the input and observation transform for the output. With these concepts, we found a new 6-round saturation characteristic, in which 24bits of the output of 6-th round 9-th order differential equals to zero. We also show a new 9-round saturation characteristic using 105-th order differential which is a 3-round extension of the 6-round one. If we use it, instead of 112-th order differential, using the meet-in-the-middle attack technique for higher order differential table, the data and computational complexity for the attack to 14-round CLEFIA can be reduced to around 2-5, 2-34 of the conventional attack, respectively.

CLEFIA is a 128-bit block cipher proposed by Shirai et al. at FSE 2007, and it was selected as several standards. CLEFIA adopts a generalized Feistel structure with the switching diffusion mechanism, which realizes a compact hardware implementation for CLEFIA, and it seems one of the promising candidates to be used for restricted environments, which require that a cryptographic primitive is versatile. It means that we need to evaluate the security of CLEFIA even for unusual scenario such as known-key scenario. As Knudsen and Rijmen did for 7-round AES at Asiacrypt 2007, we construct 17-round known-key distinguisher using two integral characteristics. To combine the 17-round known-key distinguisher with the standard subkey recovery technique for a secret-key scenario, we can construct a known-key distinguisher for full CLEFIA-128 from a random permutation under the framework of middletext distinguisher proposed by Minier et al. at Africacrypt 2009. The known-key distinguisher requires query of 2112 texts, time complexity of 2112, and memory complexity of 23 blocks, with the advantage of e-1, where e is the base of the natural logarithm. Note that there is no practical impact on the security of CLEFIA-128 for the current usages, since the result can only work under the known-key setting and data used by the adversary are enormous and needs a special form.

This article presents a differential fault analysis (DFA) technique using round addition for a generalized Feistel network (GFN) including CLEFIA and RC6. Here the term “round addition” means that the round operation executes twice using the same round key. The proposed DFA needs bypassing of an operation to count the number of rounds such as increment or decrement. To verify the feasibility of our proposal, we implement several operations, including increment and decrement, on a microcontroller and experimentally confirm the operation bypassing. The proposed round addition technique works effectively for the generalized Feistel network with a partial whitening operation after the last round. In the case of a 128-bit CLEFIA, we show a procedure to reconstruct the round keys or a secret key using one correct ciphertext and two faulty ciphertexts. Our DFA also works for DES and RC6.

CLEFIA is a 128-bit block cipher proposed by Shirai et al. in 2007. On its saturation attack, Tsunoo et al. reported peculiar saturation characteristics in 2010. They formulated some hypotheses on the existence of the characteristics with no proof. In this paper we have theoretically proved their hypotheses. In their attack scenario, we show that the mod-2 distribution is a code word of Extended Hamming code, and then proof is given by using the property of Hadamard transform.

This paper describes a differential fault analysis (DFA) attack against CLEFIA. The proposed attack can be applied to CLEFIA with all supported keys: 128, 192, and 256-bit keys. DFA is a type of side-channel attack. This attack enables the recovery of secret keys by injecting faults into a secure device during its computation of the cryptographic algorithm and comparing the correct ciphertext with the faulty one. CLEFIA is a 128-bit blockcipher with 128, 192, and 256-bit keys developed by the Sony Corporation in 2007. CLEFIA employs a generalized Feistel structure with four data lines. We developed a new attack method that uses this characteristic structure of the CLEFIA algorithm. On the basis of the proposed attack, only 2 pairs of correct and faulty ciphertexts are needed to retrieve the 128-bit key, and 10.78 pairs on average are needed to retrieve the 192 and 256-bit keys. The proposed attack is more efficient than any previously reported. In order to verify the proposed attack and estimate the calculation time to recover the secret key, we conducted an attack simulation using a PC. The simulation results show that we can obtain each secret key within three minutes on average. This result shows that we can obtain the entire key within a feasible computational time.

The design and analysis of block ciphers is an established field of study which has seen significant progress since the early 1990s. Nevertheless, what remains on an interesting direction to explore in this area is to design block ciphers with provable security against powerful known attacks such as differential and linear cryptanalysis. In this paper we introduce seven new block cipher structures, named Feistel-variant A, B, CLEFIA and MISTY-FO-variant A, B, C, D structures, and show that these structures are provably resistant against differential cryptanalysis. The main results of this paper are that the average differential probabilities over at least 2 rounds of Feistel-variant A structure and 1 round of Feistel-variant B structure are both upperbounded by p2, while the average differential probabilities over at least 5 rounds of CLEFIA, MISTY-FO-variant A, B, C and D structures are upperbounded by p4+2p5, p4, p4, 2p4 and 2p4, respectively, if the maximum differential probability of a round F function is p. We also give provable security for the Feistel-variant A, B and CLEFIA structures against linear cryptanalysis. Our results are attained under the assumption that all of components in our proposed structures are bijective. We expect that our results are useful to design block ciphers with provable security against differential and linear cryptanalysis.