Impossible differential cryptanalysis of FBC-128

Abstract

To promote the theory and application of cryptology, the design and implementation of cryptographic algorithms, in 2018, the Chinese Association for Cryptologic Research held the National Cryptographic Algorithm Design Competition. After the first round evaluation of security and implementation, FBC is selected one of the 10 block ciphers for the second round. FBC adopts 4-branch Extended Generalized Feistel Networks (EGFN) and it is designed with efficient implementation and good resistance against side-channel attacks. In this paper, we focus on the impossible differential attack, which is one of the most basic cryptanalytical methods, against FBC with 128-bit block size and key size (FBC-128). First, an equivalent expression with improved clarity of the round functions was derived. Then a structural property concerning the relationship among branches was explored. Combining those properties of its round function and structure, 9-round truncated impossible differentials were constructed for FBC-128, which is 2 rounds longer than previous works. Using this distinguisher, 13-round key recovery attack was mounted. The data and time complexity is 2126 chosen-plaintexts and 2122.96 encryptions respectively. To our knowledge, this is the best attack so far in terms of attacked rounds. Our attack exploited the properties of both structure and round function of FBC, and those observation and analysis would be beneficial to the understanding of FBC. Moreover, our results demonstrate when constructing impossible differentials, differentials with low hamming weight input and output difference may not always be optimal, which calls for more comprehensive analysis of the differential pattern.