This folder contains several scripts for Chapter 3, which is about structural/decomposition attacks on Feistel Networks. The code extensively uses cryptools, a SageMath-based package of cryptanalytic tools. In particular, the SBox2 class is used for the generation and analysis of small Feistel Networks.
Note that some results are cached and saved in the data/ folder.
- walsh.py: verification of various Walsh equations
- lat_FN.py: generate random 4-, 5- and 6-round Feistel Networks whose LAT has a nice structure modulo 8
- af4a.py: implementation of the (simplified) attack on AF4A' from Theorem 3.26 (based on Type-I HDIM distinguisher)
- af5a.py: implementation of the (simplified) attack on AF5A-1 from Theorem 3.27 (based on Type-II HDIM distinguisher)
- empirical_typeII_nrounds.py: determine the maximum number of rounds for which a type-II distinguisher works, for various (small) Feistel Network parameters; results are cached for the following scripts (Table 3.3)
- empirical_impmono_list.py: list impossible monomials empirically
- empirical_impmono_rank.py: compute rank of the impossible monomial attack empirically (Table 3.3)
- impmono.py: implementation of the impossible monomial attack, with empirical sampling of impossible monomial types
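As an added example (not code from this folder or from cryptools), here is the core of what lat_FN.py and walsh.py operate on, in plain Python: build a small balanced Feistel Network from random round functions, compute its LAT with a fast Walsh-Hadamard transform, and tabulate the entries modulo 8. The function names, the toy parameters and the counting LAT convention (count minus 2^(m-1)) are my own assumptions, not SBox2's API.

```python
import random

def parity(v):
    return bin(v).count("1") & 1          # GF(2) dot product once v = a & x

def feistel_permutation(round_funcs, n):
    """Lookup table of a balanced Feistel network on 2n bits.
    State (L, R); each round maps (L, R) -> (R, L ^ F(R)); no final swap."""
    mask = (1 << n) - 1
    table = []
    for x in range(1 << (2 * n)):
        left, right = x >> n, x & mask
        for f in round_funcs:
            left, right = right, left ^ f[right]
        table.append((left << n) | right)
    return table

def random_feistel(rounds, n, seed=0, bijective=True):
    """Feistel network from `rounds` random n-bit round functions (constructed toy instance)."""
    rng = random.Random(seed)
    size = 1 << n
    funcs = [rng.sample(range(size), size) if bijective
             else [rng.randrange(size) for _ in range(size)] for _ in range(rounds)]
    return feistel_permutation(funcs, n)

def lat(sbox, m):
    """LAT[a][b] = #{x : a.x = b.S(x)} - 2^(m-1), via one fast Walsh-Hadamard
    transform per output mask b; LAT = W/2 with W(a,b) = sum_x (-1)^(a.x + b.S(x))."""
    size = 1 << m
    rows = []
    for b in range(size):
        w = [1 - 2 * parity(b & sbox[x]) for x in range(size)]   # signed truth table of b.S
        h = 1
        while h < size:                                           # in-place WHT butterflies
            for i in range(0, size, 2 * h):
                for j in range(i, i + h):
                    w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
            h *= 2
        rows.append([v // 2 for v in w])                          # rows[b][a]
    return [list(col) for col in zip(*rows)]                      # transpose to LAT[a][b]

def lat_mod8_histogram(table):
    """Count LAT entries by residue modulo 8 over all (a, b) != (0, 0)."""
    hist = {}
    for a, row in enumerate(table):
        for b, val in enumerate(row):
            if (a, b) != (0, 0):
                hist[val % 8] = hist.get(val % 8, 0) + 1
    return hist
```

For a permutation every LAT entry is even (rows and columns for mask 0 vanish except the (0,0) entry), so only the residues 0, 2, 4, 6 can appear in the histogram; which of them appear, and how often, is what lat_FN.py searches over.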
The implementations here are proofs of concept, even though some of them succeed quite often and recover the secret functions. It would be interesting to:
- combine attacks to have a full decomposition attack implementation on some AFA variants
- harden them to handle cases where the rank is not full but close to full (i.e. add some brute force, maybe some smart tricks)