Optimum Attack on 3-Round Feistel-2 Structure

Feistel-2 structure is a variant of Feistel structure such that the i(th) round function is given by F-i(k(i)circle plus x), where F-i is a public random function and k(i) is a key of n/2 bits. Lampe and Seurin showed that 3-round Feistel-2 structure is secure if D +T << 2(n/4) (which is equivalent to D << 2(n/4) and T << 2(n/4)), where D is the number of queries to the encryption oracle and T is the number of queries to each F-i oracle. On the other hand, only the meet -in-the-middle attack is known for 3-round Feistel-2 structure which works only for (D, T) = (O(1), O(2(n/2))) with O(2n(/2)) amount of memory. In this paper, we first show that 3-round Feistel-2 structure is broken by a key recovery attack if DT >= 2(n/2) (which requires 0(D +T) amount of memory). Since it works for D = T = O(2(n/4)), this attack proves that the security bound of Lampe and Seurin is tight at D = T = O(2(n/4)). We next present a memoryless key recovery attack for (D, T) = (O(1), O(2(n/4))). We finally show a memoryless key recovery attack for D = O(2(n/4)) and T = O(2(n/4)).