Farfalle is a permutation-based construction for building a pseudorandom function which has been proposed by G. Bertoni et al. in 2017. In this work, we show that by observing suitable inputs to Farfalle, one can derive various constructions of a periodic function with a period that involves a secret key. As this admits the application of Simon's algorithm in the so-called Q2 attack model, we further show that in the case when internal rolling function is linear, then the secret key can be extracted under feasible assumptions. Furthermore, using the provided constructions of periodic functions for Farfalle, we show that one can mount forgery attacks on the session-supporting mode for authenticated encryption (Farfalle-SAE) and the synthetic initial value AE mode (Farfalle-SIV). In addition, as the wide block cipher mode Farfalle-WBC is a 4-round Feistel scheme, a quantum distinguisher is constructed in the case when input branches are containing at last two blocks, where length of one block corresponds to the size of a permutation employed in Farfalle (a similar attack can be mounted to Farfalle-WBC-AE). And finally, we consider the problem of extracting a secret round key out of different periods obtained from a (Generalized) Feistel scheme (GFN), which has not been addressed in any of the previous works which consider the application of Simon's (or Simon-Grover) algorithm to round reduced versions of GFNs. By applying two different interpolation formulas, we show that one can extract the round key by utilizing amount of different periods which is closely related to the polynomial/algebraic degree of underlying inner function.

翻译：Farfalle是一种基于置换的伪随机函数构造方法，由G. Bertoni等人于2017年提出。本工作表明，通过观测Farfalle的特定输入，可以构造多种涉及密钥的周期函数。由于该特性允许在所谓的Q2攻击模型中应用Simon算法，我们进一步证明：当内部滚动函数为线性时，可在可行假设下提取密钥。此外，利用所提出的Farfalle周期函数构造，我们展示了如何对支持会话的认证加密模式（Farfalle-SAE）和合成初始值AE模式（Farfalle-SIV）实施伪造攻击。同时，由于宽分组密码模式Farfalle-WBC是四轮Feistel结构，当输入分支至少包含两个分组（每个分组长度等于Farfalle所采用置换的规模）时，我们构建了量子区分器（类似攻击可应用于Farfalle-WBC-AE）。最后，我们研究了从（广义）Feistel网络（GFN）的多个不同周期中提取秘密轮密钥的问题——该问题在以往所有考虑将Simon算法（或Simon-Grover算法）应用于缩减轮数GFN的研究中均未被涉及。通过应用两种不同的插值公式，我们证明可以利用与底层内部函数多项式/代数次数密切相关的周期数量来提取轮密钥。