Quantum Meet-in-the-Middle Attack on Feistel Construction

Abstract

Inspired by Hosoyamada et al.'s work [14], we propose a new quantum meet-in-the-middle (QMITM) attack on r-round (r 7) Feistel construction to reduce the time complexity. Similar to Hosoyamada et al.'s work, our attack on 7-round Feistel is also based on Guo et al.'s classical meet-in-the-middle (MITM) attack [13]. The classic MITM attack consumes a lot of time mainly in three aspects: construct the lookup table, query data and find a match. Therefore, parallel Grover search processors are used to reduce the time of constructing the lookup table. And we adjust the truncated differentials of the 5-round distinguisher proposed by Guo et al. to balance the complexities between constructing the lookup table and querying data. Finally, we introduce a quantum claw finding algorithm to find a match for reducing time. The subkeys can be recovered by this match. Furthermore, for r-round (r > 7) Feistel construction, we treat the above attack on the first 7 rounds as an inner loop and use Grover's algorithm to search the last r-7 rounds of subkeys as an outer loop. In summary, the total time complexity of our attack on r-round (r 7) is only O(22n/3+(r-7)n/4) less than classical and quantum attacks. Moreover, our attack belongs to Q1 model and is more practical than other quantum attacks.