Constructing the Impossible Differential of Type-II GFN with Boolean Function and Its Application to WARP

Type-II generalized Feistel network (GFN) has attracted a lot of attention for its simplicity and high parallelism. Impossible differential attack is one of the powerful cryptanalytic approaches for word-oriented block ciphers such as Feistel-like ciphers. We deduce the impossible differential of Type-II GFN by analyzing the Boolean function in the middle round. The main idea is to investigate the expression with the variable representing the plaintext (ciphertext) difference words for the internal state words. By adopting the miss-in-the-middle approach, we can construct the impossible differential of Type-II GFN. As an illustration, we apply this approach to WARP, a lightweight 128-bit block cipher with a 128-bit key which was presented by Banik et al. at SAC 2020. The structure of WARP is a 32-branch Type-II GFN. Therefore, we find two 21-round truncated impossible differentials and implement a 32-round key recovery attack on WARP. For the 32-round key recovery attack on WARP, some observations are used to mount an effective attack. Taking the advantage of the early abort technique, the data, time, and memory complexities are 2^125.69 chosen plaintexts, 2^126.68 32-round encryptions, and 2¹⁰⁰-bit, repectively. To the best of our knowledge, this is the best attack on WARP in the single-key scenario.