Yoyo trick on type ‐ II generalised Feistel networks

This work presents a structural attack against the type ‐ II generalised Feistel network (GFN) with secret internal functions. First, equivalent structures of the 7 ‐ round type ‐ II GFN are provided, which helps reduce the first guess of the secret round functions. Then, two yoyo game distinguishers are simultaneously employed for these structures to reduce the data complexity by half. Based on these two distinguishers, it is found that the original yoyo game algorithm, proposed to attack the 5 ‐ round Feistel structure, is not suitable for these structures, owing to the characteristics of the yoyo game cycle. To solve this problem, the partial look‐up table recycling technique is presented, which can utilise collision cycles with insufficient information. This technique performs better as the width of each branch ‘ n ’ grows. For yoyo game attacks, this study systematically investigates its cycle characteristics to determine the reason for the short collision cycle. For 7 ‐ round type ‐ II GFNs, this work presents the first decomposition thus far, which can be executed within a time complexity of O( n 2 4 n + 3 ) and a data complexity of O(2 3 n + 2 ). We believe this work enriches the yoyo game attack and the application of type ‐ II GFNs.

Our Contribution. First, we construct two yoyo game distinguishers for the 7-round type-II GFN, which can be used to establish linear equations for the secret functions. For one yoyo cycle, we independently detect that which distinguishes this cycle. Thus, the data complexity can be reduced by half. Furthermore, this method applies to other structures as long as multiple distinguishers exist.
Second, we study the characteristics of yoyo game cycles. Because the choice of mappings acting on the plaintext and ciphertext pairs, denoted by ϕ γ and ρ γ , respectively, determine the length of the yoyo game cycle or the number of efficient equations, to a great extent, selecting independent ϕ γ and ρ γ that provide longer yoyo cycles with a much higher probability is a more rational choice. This also reveals significant technical differences between the yoyo game against the FN and type-II GFN. Namely, the former uses independent mappings, whereas the latter does not.
Finally, owing to the differences between the FN and type-II GFN, it is difficult to obtain the whole recovered inner functions using the original yoyo game when n ⩾ 8. We propose the partial LUT recycling technique to revitalise the incomplete LUTs. For the 7-round type-II GFN, the partial LUT survives when it passes four checks at least. Then, the yoyo game is continued based on partial LUTs until we obtain the complete LUT. The experimental results show that when n < 6, our improvement is not significant. However, when n ⩾ 6, our improved algorithm overcomes the problem of insufficient equations and recovers the LUTs having less computation and fewer data than the original one. When n increases, the original yoyo game will be invalid. However, our attack still performs well. As a result, the recovery of the 7-round type-II GFN can be executed with a computational complexity O(n2 4n + 3 ) and a data complexity O (2 3n + 2 ) by our improved yoyo game attack.
Organisation. The remainder of this work is organised as follows: Section 2 provides some preliminaries. Section 3 presents some properties of the 7-round type-II GFN. In Section 4, we focus on the outermost inner-function recovery. The rest of the 7-round type-II GFN is recovered in Section 5. Finally, Section 6 concludes this work.

| PRELIMINARIES
This section shows some notations and concepts that will be used throughout the rest of this work. Type-II GFN. Let P = (p 1 , p 2 , p 3 , p 4 ) 2{0,1} 4n be the input of the ith round. The ith round output of type-II GFNs is defined by where F i and G i denote the round functions over {0,1} n (see Figure 1). Since the shuffle layer of the last round does not affect the attack described in this work, we omit the switch of the last round for simplicity.

| Equivalent structure of the 7-round type-II GFN
In [16], Biryukov et al. mentioned that there existed equivalent structures for the 5-round FN. In such structures, even if the internal functions are different, the encryption results are always consistent. These equivalent structures are quite helpful in reducing the computational cost. For the 7-round type-II GFN, we have obtained its equivalent structures.
Definition 1 Let T 1 and T 2 be two iterated blockcipher structures over f0; 1g N . If we always have T 1 (x) = T 2 (x), x 2 f0; 1g N for any input, T 1 and T 2 are said to be equivalent.
For the type-II GFN, we obtained a kind of equivalent structure, which is concluded by the next theorem. 3 ), x 1 ). For any con 1 , con 2 , con 3 and con 4 2{0,1} n , construct

Theorem 1 Let T be a 7-round type-II GFN whose inner function is
If T 0 is another type-II GFN whose inner function is then T 0 is equivalent to T.
Proof: Referring to Figure 2, we conclude that, for any choice of con 1 , con 2 , con 3 and con 4 2{0,1} n , the encryptions will receive the same ciphertexts from the same arbitrary plaintexts. □ According to Theorem 1, for a 7-round type-II GFN, we can freely fix one single arbitrary entry of F 1 without changing the encryption result.
Corollary 1 In the 7-round type-II GFN, if we fix F 1 (c) = 0 for any c 2{0,1} n , then we can always find a structure equivalent to the original one.

| Yoyo game property of the type-II GFN
Let us consider the differential trail of encryption. If the difference in positions (A, B, D) (see Figure 3) is equal to (0, 0, γ) for some γ ≠ 0, we call this differential trail the L γ -trail.

Definition 2
If the encryption of a plaintext pair (P, P 0 ) follows the L γ -trail (R γ -trail), this plaintext pair is said to be PL γ -connected (PR γ -connected). Similarly, if the decryption of a ciphertext pair (C, C 0 ) follows the L γ -trail (R γ -trail), we say that this ciphertext pair is CL γ -connected (CR γ -connected).
Proof: (Necessity) According to the L γ -trail, the difference in position D is 0. Then, it is easy to know that the differences in positions (F, G) are ðγ; γÞ γ ≠ 0 ð Þ, which is consistent with (1).
Therefore, (P, P 0 ) is PL γ -connected if and only if the pair satisfies linear equation (1). □ We refer to (1) as the PL γ -equivalent equations. From the decryption direction, we can obtain CL γ -equivalent equations similar to Theorem 2 and omit the similar proof for simplicity.

Theorem 3 The pair of ciphertexts
Consider a plaintext pair (P, P 0 ) and its corresponding ciphertext pair (C, C 0 ). Because (C, C 0 ) is derived from (P, P 0 ), they have the same difference in (A, B, D). Then, (P, P 0 ) is PL γconnected if ðEðPÞ; EðP 0 ÞÞ is CL γ -connected. Based on (1) and (2), we conclude the next property. We define two mappings ϕ γ and ρ γ over {0,1} 8n such that ϕ γ ðP; P 0 Þ ¼ ððp 0 Proof: The first equation in (1) can be transformed into From these two equations above, we can transform (1) into Consider the plaintext pair According to Theorem 2, ðP;P 0 Þ is PL γ -connected. We can also rewrite (2) as Similarly, we obtain the equivalent equations for the pairs satisfying the right trail in Figure 3.

PR γ -equivalent equations
By analysing these two systems of equations, we conclude a new property. The process for proving this property is parallel to that of Property 1. We define two mappings, ϕ γ 0 and ρ γ 0 , over {0,1} 8n , such that ϕ 0 With the preparations above, we start our decomposition in the remainder of this article.

| Basic idea of the attack
The basic idea of our attack is that, starting from a PL γ -connected pair (P, P 0 ), by Property 1, D • ρ γ • E • ϕ γ ðP; P 0 Þ is also a new PL γ -connected pair. Therefore, we can obtain many PL γconnected pairs by repeating a process, which is also referred to as the 'yoyo game'. According to Theorem 2, we can obtain one linear equation related to F 1 from one single PL γ -connected pair. After collecting enough equations, the secret F 1 can be recovered by the Gauss elimination method. In a similar way, we can recover F 7 , G 1 and G 7 .
The main idea of recovering F 1 can be roughly concluded by the following steps: Step 1. Start from a random plaintext pair (P 0 , P 0 0 ) (in the rest of this work, we call it a start point). Set L ← ½� and i ← 0.
Step 2. Add the equation, , set i ← i + 1 and go to Step 2; else go to Step 4.
Step 4. Get the entries of F 1 by solving all the linear equations in L. If F 1 is fully recovered, output F 1 and end the yoyo trick. Otherwise, change a new start point and continue the above steps.
For the sake of clarity, Steps 1-3 comprise the equationaccumulating phase, and Step 4 is the equation-solving phase.
In the equation-accumulating phase, if a newly computed plaintext pair (P i , P i 0 ) has already appeared from the previous yoyo trick, we will receive an exactly identical state after its subsequence. None of the subsequent plaintext pairs offer new equations. Therefore, we set (P i+1 , P i+1 0 ) = (P 0 , P 0 0 ) in Step 3 as the termination condition.
In the equation-solving phase, the main task is to obtain the LUT of F 1 from L. Any possibility falls into one of the following three cases: 1) The equations have no solution. The only possibility is that the start point is not PL γ -connected (in the remainder of this work, we call it a wrong point; otherwise it is a right point). Such a wrong point will lead to contradictory entries. For example, conflicting solutions F 1 (0) = 0 and F 1 (0) = 1 may appear simultaneously.
2) The equations have more than one solution. This includes two cases: one in which the start point is true, but we cannot collect enough equations (i.e. L is not full rank). The other is where the start point is wrong, but no contradictory entry is yet detected.
3) The equations have a unique solution, which means that F 1 is fully recovered.
Next, we take a closer look at the equation-solving phase. Note that, for each of these equations in set L, there exist HOU AND CUI -5 exactly two variables on the left-hand side. In [16], Biryukov et al. provided a very efficient way to solve the above equations. Hence, we provide an overview of their excellent idea.

A direct application of Biryukov's yoyo solver.
The main idea for solving such equations is to launch a stepby-step method while playing the yoyo trick. Since there are always two variables on the left side of the equations, as soon as one is determined, the other is also determined. In the yoyo trick, we can deal with the new equation, which is extracted from the newly generated point. First, we need to prepare a set denoted by L to store the equations and choose a starting point, (P 1 , ). Then, we fix F 1 (q 1 ) = 0 and F 1 ðq 0 1 Þ ¼ q 0 2 � q 2 � γ in advance (according to Corollary 1, this step will not affect the correctness of our attack). Next, we iterate the yoyo game for one step to get a new point and extract one new equation. Without loss of generality, we assume that the current equation extracted is This falls into one of the three cases: Case 2 Either F 1 (p 1 ) or F 1 (p 1 0 ) has been fixed.
In Case 1, such an equation cannot provide enough information to fix these two values, and we add this equation to L.
In Case 2, without loss of generality, suppose that the fixed variable is F 1 (p 1 ). Then, the other variable, F 1 (p 1 0 ), can be determined directly. We update the LUT of F 1 by adding F 1 (p 1 0 ) to the p 1 0 th entry. Next, we check whether F 1 (p 1 0 ) can determine any uncertain value of F 1 by equations in the L set and turn to dispose these related equations in the same way. Finally, all the disposed equations from L are removed. This process is repeated until we can no longer fix any new entry of F 1 .
In Case 3, we only need to compare If there is a contradiction between the existing one and the newly computed one, it means that the start point is incorrect.
According to the three cases above, we can constantly update the LUT by checking the newly introduced equations. When we meet with a contradiction in our updating process, we change a new start point and perform this algorithm again until we obtain the complete LUT. For a system of 2 r equations, we use the quick-sort algorithm on L (because of each equation having two variables, we need two lists for sorting each variable) and require 2rlog2 lookups at most for each equation. In this way, the computational complexity is O(r2 r + 1 ) lookups.
Based on the algorithm by Biryukov et al., we perform experiments for the 7-round type-II GFN. However, we find one strange phenomenon: as n grows, there is increasing difficulty in finding a fully recovered F 1 by using the original yoyo [16]. However, for the 5-round FN, no matter how much n increases, almost all right LUTs are fully recovered. Therefore, it may not be the insufficiency of the yoyo itself but the lack of universality of the original yoyo. To address this problem, we present a theoretical analysis in Section 4.2. Then, we develop an improved algorithm in Section 4.3.

| Characteristic of the yoyo game cycle
Let us recall the procedures of the yoyo game, shown in Figure 4. We start from a plaintext pair ðP 0 ; P 0 0 Þ and repeatedly use ϕ γ ; E; ρ γ and D to obtain a sequence of plaintext/ciphertext The aim of this subsection is to determine how many equations can be obtained from a full iteration of the yoyo game on average. The main tool we use is the collision cycle.

Definition 3
Let Ω be a finite set and f, g be two bijections defined on Ω. For any a 2 Ω, we define its collision cycle as The procedures of the yoyo game 6where r is the minimum positive index, such that a = (g • f ) r (a). We call r the collision length and a = (g • f ) r (a) a collision.

Example 2
In the yoyo game, we define two mappings f ≔ E • ϕ γ and g ≔ D • ρ γ based on the pre-defined four bijections, namely, D; ρ γ ; E and ϕ γ . We choose a plaintext pair (P, P 0 ) and play a yoyo game. Then, all plaintext/ciphertext pairs of this game are in the collision cycle, O (P,P 0 ) , that is, is definitely a bijection leading a branchless yoyo cycle), then the collision length value, that is, minfr : Y r ðP; P 0 Þ ¼ ðP; P 0 Þ; for some r > 0g denotes the number of plaintext pairs in this game. The original yoyo game [16] is somewhat inefficient for the type-II GFN because the collision length is often too short to yield a sufficient number of equations to obtain a complete LUT. Most of the time, we only obtain partial LUTs from such short collisions. Owing to the pre-setting rules, we must abandon these incomplete candidates. We find that there are always two special pairs in these short collision cycles, such that In the rest of the work, the fixed points of ϕ γ and ρ γ are unified by the name of simple fixed points.
Notably, both of ϕ γ and ρ γ are involutory. If one yoyo cycle contains a simple fixed point, then the points in both sides of such a simple fixed point are axisymmetric (see Figure 5). Therefore, one simple fixed point divides the cycle into two symmetric parts. An interesting question is, if a yoyo cycle contains two or more simple fixed points, how will such a symmetric feature change? In Theorem 4, we focus on the case of one yoyo cycle containing two simple fixed points.

Theorem 4
Let O ½P 0 � be an r-length yoyo cycle containing two simple fixed points. If integer k, t (0 ≤ k < t ≤ r − 1) are the coordinates of two simple fixed points, then we have Proof: We only prove the first case: with our target is to show that the cycle length is r = 2t − 2k.
The other three cases can be accomplished similarly. The basic idea of the proof is to find a positive integer r such that P 0 ½ � ¼ P r ½ � and then to prove that r is the smallest positive integer making this equation hold. Our proof begins F I G U R E 5 Axes with respect to the simple fixed points HOU AND CUI -7 with the observation that ½P k � ¼ ½P k � γ . On account of the involuntary property of ϕ γ and ρ γ , the following equation holds: In the same manner, we obtain a sequence of equations.
Next, we focus on P t By recalling that f and g in the yoyo are all bijections, Consequently, P 0 ½ � to P 2t−2k ½ � is a complete yoyo cycle. The task is now to show that for any r 0 2 N * ; 0 < r 0 < 2t − 2k, Suppose that there exists r 0 2 N * ; 0 < r 0 < 2t − 2k such that This contradicts our assumption that 0 < k < t < r.
In conclusion, according to the definition of the collision holds, we obtain r = 2t − 2k. □ Figure 6 shows Cases 1 and 3 in Theorem 4. The red point P k ½ � is a simple fixed point, and those of the same colour are equal. In Case 1, P t ½ � ¼ P t ½ � γ ¼ P 2k−t ½ � γ holds, meaning that the points on both ends of the red line merge into a single point. Hence, the successor of P t ½ � is exactly the same point as the successor of P 2k−t ½ � γ . A (2t − 2k)-length yoyo cycle is generated. In Case 3, the successor of C t ½ � and C 2k−t ½ � γ is also exactly the same point (both ends of the green line). It follows easily that the yoyo cycle length is 2t − 2k + 1.
By the discussion above, the length of a two-simple fixed point yoyo cycle is completely determined by the distance between the two simple fixed points. Furthermore, we find that there are only two kinds of yoyo cycles: one has and only has two simple fixed points, and the other contains no simple fixed point. We conclude this property in Corollaries 2 and 3.

Corollary 2 There are at most two simple fixed points in a yoyo cycle.
Proof: We will prove this by contradiction. Suppose that there are more than two simple fixed points in an r-length yoyo cycle. For the sake of simplicity, we only prove the case in which the first three consecutive simple fixed points are all plaintext pairs. Then, the other cases can be accomplished similarly. Without loss of generality, we assume that the first three simple fixed points are P k ½ �, P t ½ � and P s ½ �, respectively, where 0 ≤ k < t < s < r.
Notice that P s ½ � is a simple fixed point. By Equation (2) in Theorem 4, we obtain P t Then, 2s = 2t + n 1 r holds, where n 1 2 Znf0g. Likewise, we obtain P k ½ � γ ¼ P 2t−k ½ � γ by the two simple fixed points, P k ½ � and P t ½ �. Then, we deduce that 2t ¼ 2k þ n 2 r; n 2 2 Znf0g. Thus, we obtain 2s = 2k + (n 1 + n 2 )r. According to the assumption F I G U R E 6 A yoyo cycle with two simple fixed points 0 ≤ k < t < s, we have n 1 > 0 and n 2 > 0. This clearly forces 2s ≥ 2r, which contradicts with s < r. □

Corollary 3 There is no yoyo cycle having only one simple fixed point.
Proof: Without loss of generality, we simply prove that any yoyo cycle cannot contain only one plaintext fixed point. The same conclusion can be obtained for those having a single ciphertext fixed point. We assume the rlength yoyo cycle O P 0 ½ � containing only one simple fixed point P k ½ �, that is, there exist k 2 N; k < r such that The proof falls naturally into two parts: r is odd or r is even.
When r is odd, by Equation (2) in Theorem 4, we obtain � P kþ r−1 holds. Then, From this, we have which means ½C kþ r−1 2 � is a simple fixed point. This contradicts our assumption.
When r is even, similarly, we obtain P kþ r (2) and P kþ r From the assumption that 0 < k < r, k − r 2 ≡ k mod r is impossible. Hence, ½P k− r 2 � is a simple fixed point different from [P k ], which leads to a contradiction. Thus, any yoyo cycle cannot contain only one simple fixed point. □ Theorem 4 and Corollary 2 show that when we meet the second simple fixed point in a yoyo game, the length of this cycle is determined. Thus, the mathematical expectation of the yoyo cycle length is greatly influenced by the probability of simple fixed points. Corollaries 2 and 3 provide us a classification of all the yoyo game cycles: those containing exactly two simple fixed points and those without any simple fixed point, denoted by Class 1 and Class 2, respectively. Next, we are going to determine how often simple fixed points occur and what the expected values of the lengths of the two types of cycles are.
The cycle length of Class 1: For the cycles with two simple fixed points, we find that the probability of simple fixed points depends on whether the start point is right or wrong. We also divide them into two parts. One is derived from wrong start points and the other from right points. Part 1. If one cycle is formed by a wrong point, the probability of a simple fixed point appears, that is, P � is 2 −2n + 1 . Let k w be the average length between the start point and the first simple fixed point. First, we need to determine the probability of the event that ðP i ; P 0 i Þ is the first simple fixed point. Since the probability that the first i − 1 points are not simple fixed points is ð1 − 2 −2nþ1 Þ i−1 , the probability of this event is ð1 − 2 −2nþ1 Þ i−1 � 2 −2nþ1 . Then, we obtain Suppose the first simple fixed point is ðP k w ; P 0 k w Þ. Then, As per the analysis of Theorem 4, none of these points is a simple fixed point. The average length between ðP 2k w ; P 0 2k w Þ and the second simple fixed point is also k w , where the second simple fixed point is assumed to be a plaintext pair. Thus, we have According to the first proposition in Theorem 4, the mathematical expectation of the length of the cycle with two plaintext simple fixed points is HOU AND CUI By a similar analysis, we also obtain t = 3k w , t = 3k w − 1 and t = 3k w for the other three cases, respectively. Thus, the average cycle length of the Class 1 cycles is If the collision cycle is derived from a right point Let k r be the average length between the start point and the first simple fixed point, where k r = 2 n − 1 . In this case, the average cycle length is 2 n + 1 − 1.
The probability of Class 2: For cycles in Class 2 where simple fixed points do not appear, because the probability of a random point equal to the start point is 2 −8n , there is only about 2 −6n + 1 probability of such point within 2 2n + 1 points. With such small probability, the number of this kind of cycle is extremely small compared with that of Class 1. Thus, the collision cycles used in recovery are almost all of the first class.
Each cycle from a right point only offers 2 n + 1 − 1 equations on average. However, not all of them provide valid recovery. For example, one equation is F 1 (p 1 ) � F 1 (p 1 0 ) = δ. Thus, the equation provided by the point with the simple fixed point as the axis of symmetry is F 1 (p 1 0 ) � F 1 (p 1 ) = δ, which does not provide any new information. Therefore, only half of the points are available for recovery, owing to the repetition.
Experimental verification of the cycle length. In order to verify the correctness of the above analysis, we show the average length of 30,000 right-point and wrong-point cycles for n = 4, 5, 6, 7 in Table 1.
There is an essential difference between the 7-round type-II GFN and 5-round FN: ϕ γ /ρ γ in the type-II GFN involves exchanging the first two branches of a plaintext pair or the last two branches of a ciphertext pair, which allows both P i+1 /C i+1 and P i+1 0 /C i+1 0 to be affected by P i /C i and P i 0 /C i 0 collectively, but the ϕ γ /ρ γ in the Feistel transfers each plaintext/ciphertext independently, having P i+1 /C i+1 affected by P i /C i and P i+1 0 / C i+1 0 by P i 0 /C i 0 , respectively. Such functions in the 5-round Feistel produce three types of cycles: Type-P, Type-D and Type-S [16], which not only improves the yoyo game but also makes it possible to provide enough equations to recover a complete LUT. However, a similar property does not hold for the 7-round type-II GFN, and the average length of the collision cycle deriving from a right point is only 2 n+1 − 1. In each yoyo game collision cycle, half of the plaintexts provide repeated equations. On average, there are only 2 n effective equations for recovery. Therefore, it is more difficult to obtain complete LUTs as n increases.

| Recycling-based yoyo game
It would be wasteful to disregard the partial cycles from the right points. Therefore, when we get a collision cycle, a better choice is to judge whether it is from a right point. As long as a right collision cycle is screened out, we can ensure that the current LUT of F 1 is correct, and our subsequent recovery will be based on this LUT. Otherwise, if it is undetermined, we have to abandon it and return to the former LUT, which is identified as correct for continued recovery. Before we introduce the Partial LUT Recycling technique, we first take a closer look at the symmetrical property of the yoyo cycle.
In Section 4.1, we clarify that almost all the yoyo cycles of the 7-round type-II GFN contain exactly two simple fixed points.
Without loss of generality, we assume that [P k ] and [P t ] are two simple fixed points satisfying k < t (for the remaining three cases, we can launch similar arguments). Recalling the process of the yoyo game, we start from [P 1 ] and then iterate the mapping Y until we meet with the first simple fixed point [P k ]. By the symmetrical property, ½P kþs � ¼ ½P k−s � γ holds for 1 ≤ s ≤ k − 1. So the points from P kþ1 ½ � to P 2k−1 ½ � provides us with the exact same equations as those points from [P 1 ] to [P k−1 ]. Likewise, we have the same property for the second simple fixed points. Subsequently, we can divide the yoyo cycle into four trails by these two 'symmetrical axes' (see Figure 7). As a result, in an iteration of the yoyo game we never need to run a full cycle. Instead, we do the following: (1) run Trail 1 (from the start point to the first simple fixed point). (2) skip over Trail 2 and run Trail 3 (from Y½P 2k−1 � ≔ Y • ½P 1 � γ to the second simple fixed point).
In this way, we collect all the equations from the yoyo cycle at half the cost of running.
Partial LUTs recycling. We now consider a special case.
Assume that F 1 (p 1 ) � F 1 (p 1 0 ) = δ is a newly extracted equation; if both F 1 (p 1 ) and F 1 ðp 0 1 Þ have already been fixed before, then such an equation provides us a verification: When the mathematical expectation of the wrong candidate is less than one, we maintain the current partial LUT. On average, there exists one right point among 2 3n randomly chosen start points. If we assume there exist τ verifications as mentioned above, then the expectation of surviving candidates in 2 3n pairs can be roughly calculated by When τ = 4, the expectation is approximately 1 + 2 −n . At this time, we screen out the unique LUT approximately. Therefore, the LUT passing the verifications four times can be determined as correct. We just need to add these partial LUTs until the secret S-box is fully recovered.
Based on the analysis above, the main steps are as follows: Step 3 is the process of disposing the new points according to our rules. Step 4 checks if the current LUT can be retained.
Step 2. Generate one new plaintext pair by the yoyo game.
Step 3. Judge the new point: 1) If there is a contradiction, we terminate the iteration and go back to the LUT, which was last determined to be correct; change a new start point and restart the iteration. We divide the above process into five algorithms. See the Appendix for details.
Experiment results. In this section, we apply the basic algorithm in [16] and our improved algorithm on the 7-round type-II GFN. Our first experiment is based on 2 18 random start points. We use these start points to recover F 1 of the 7round type-II GFN, where n = 4, 5, 6 and 7. Table 2 shows the number of start points that can recover F 1 (on a standard Intel i5-8250u 1.8 GHz).
In the second experiment, we used 100, 000 right points for recovering F 1 to see how many fully recovered F 1 could be obtained. According to the results, all points can be classified into three parts: Part 1. F 1 can be fully recovered starting from this point. Part 2. In the yoyo cycle derived from this point, the number of verifications is greater than three, meaning that F 1 is not fully recovered. But we determine it as the right LUT. In other words, this point is available in the Partial LUTs' Recycling technique.
Part 3. In the cycle starting from this point, the number of verifications is lower than four. Table 3 shows the proportion of each part.
According to Table 1, our improved algorithm performs better than the original algorithm. In particular, when n increases, it becomes more difficult to obtain a fully recovered F 1 by the algorithm in [16]. This is because, as n increases, fewer LUTs can be fully recovered by 2 n effective equations on average. However, by employing the Partial LUTs' Recycling technique, our algorithm can find partial LUTs from right points and obtain the fully recovered F 1 based on them. According to Table 2, as n increases, the proportions of right points in Parts 1 and 3 decrease but that in Part 2 increases. When n ≥ 5, we obtain a right point that is available for recycling by every 2 3n guesses on average with a probability of more than 50%. To summarise, our algorithm overcomes the problem described at the beginning of this section.
We require approximately 2 2n + 1 start points to screen out one available right point (γ controlled by ourselves). In the experiments, most of the wrong start points are abandoned before producing 2 n equations. When a partial LUT is obtained, we can judge the correctness of each start point after a few steps of the subsequent recovery. Thus, recovering F 1 requires O(2 3n + 1 ) data complexity and O(n2 4n + 2 ) computational complexity. Employing two distinguishers simultaneously, we recover the outermost four functions with O(2 3n + 2 ) data complexity and O(n2 4n + 3 ) computational complexity.
Based on the analysis above, we provide two tips for the yoyo game design: 1) Try to select independent ϕ γ and ρ γ . This will help us utilise the type-S cycle to reduce computational complexity.

| DECOMPOSING THE REMAINING ROUNDS OF THE TYPE-II GFN
In Section 4, we recovered F 1 , G 7 , F 7 and G 1 . Next, we focus on recovering 5-round inner functions. Similar to the 7-round structure, the difference trail in Figure 8 was chosen.
we also find two functions here, f and g, such that c is an arbitrary constant in {0,1} n . These two functions can be used to recover 5-round constructions as with the 7-round recovery. If the difference of (P, P 0 ) is (0, 0, 0, γ), this pair must be 5-round PL γ -connected. Thus, it is easy to obtain G 6 and G 2 by choosing (P, P 0 ) with a difference of (0, 0, 0, γ). Additionally, choosing (C, C 0 ) with a difference of (0, γ, 0, 0) can recover F 6 and F 2 . Therefore, the procedure of startingpoint judgement can be omitted. The time complexity is only O(n2 n+1 ). Compared with the 7-round recovery, its complexity can be ignored. Then, we can recover the remaining functions by direct contrast, and the complexity can also be ignored. Finally, we recover the whole 7-round type-II GFN with computational complexity of O(n2 4n+3 ) and data O(2 3n+2 ).

| CONCLUSION
In this study, the yoyo game was used to recover all inner functions of a 7-round type-II GFN, requiring a computational complexity of O(n2 4n+3 ) and a data complexity of O (2 3n+2 ).
Initially, we employed the original yoyo game on type-II GFNs. However, we found that using the yoyo game directly in [16] led to a high computational complexity. When n ≥ 8, this approach had little chance of success. To solve this T A B L E 3 The rate of three parts in 100,000 random right points n = 4 n = 5 n = 6 n = 7 n = 8 problem, we studied the collision cycle's characteristic, which enabled us to obtain a clear view of yoyo game collision cycles.
It was ϕ γ and ρ γ , which was different from that employed in Feistel, which limited the length of the collision cycles in the type-II GFN. Finally, we proposed the Partial LUTs' Recycling technique to make yoyo games more applicable to type-II GFNs and provided two tips for the yoyo game design. Our experiments showed that for 7-round type-II GFNs, the improved algorithm overcame the insufficient equation problem. This technique is more suitable for type-II GFNs and other structures having short collision cycles.
This work broadens the application of yoyo games and enriches such attacks. It will serve as a reference for further yoyo game designs.
How to cite this article: Hou, T., Cui, T.: Yoyo trick on type-II generalised Feistel networks. IET Inf. Secur. 1-14 (2021). https://doi.org/10.1049/ise2.12035 APPENDIX Algorithm 1 is a general yoyo game framework. It returns the LUT of the internal function, F 1 . The recovery is carried out on two auxiliary sets, L 0 and F 1 0 . Only when F 1 0 is determined to be right, can the real LUT F 1 receive values from F 1 0 . After many iterations of the Partial LUTs Recycling until the final one is fully filled, this algorithm outputs the recovered F 1 .

Algorithm 1
Yoyo cryptanalysis against a 7-round type-II GFN: recovering the outermost round L ← empty set to store equations Algorithm 2 plays an essential role. The inputs are the partially recovered F 1 and the set L, which is used to store unsolved equations. We will update them until the collision is met. It returns SUCCESS or FAIL, which respectively represents correctness or incorrectness of F 1 .