Analysis of 3-line generalized Feistel networks with double SD-functions

Generalized Feistel networks (GFN) are broadly employed in the design of primitives for block ciphers, stream ciphers, and hash functions. Lately, endowing the functions of GFNs with the structure of nonlinear substitution followed by linear diffusion (substitution–diffusion, SD) has received a great deal of attention. In this contribution, we prove tight lower bounds on the number of differentially and linearly active S-boxes for 3-line GFNs with double SD-functions where two SD-structures are applied one after another. We also show 8-round impossible differentials for 3-line GFNs with bijective functions. Moreover, we demonstrate that the proportion of active S-boxes in all S-boxes for such GFNs is by up to 14% higher than that for 4-line GFNs with double SD-functions, when instantiated with MDS matrices. This indicates that, rather surprisingly, the 3-line GFNs can be more efficient in practice than those with 4 lines.

► Double SD-structures as F-functions for 3-line GFNs.
► Lower bounds on the number of active S-boxes in such 3-line GFNs.
► Tightness of these bounds for MDS matrices.
► 8-round impossible differentials for 3-line GFNs.
► 3-line GFNs are up to 14% more efficient than 4-line GFNs for double SD.