We present attacks on the generalized Feistel schemes, where each round function consists of a subkey XOR, S-boxes, and then a linear transformation (i.e. a Substitution-Permutation (SP) round function). Our techniques are based on rebound attacks. We assume that the S-boxes have a good differential property and the linear transformation has an optimal branch number. Under this assumption, we firstly describe known-key distinguishers on the type-1, -2, and -3 generalized Feistel schemes up to 21, 13 and 8 rounds, respectively. Then, we use the distinguishers to make several attacks on hash functions where Merkle-Damgård domain extender is used and the compression function is constructed with Matyas-Meyer-Oseas or Miyaguchi-Preneel hash modes from generalized Feistel schemes. Collision attacks are made for 11 rounds of type-1 Feistel scheme. Near collision attacks are made for 13 rounds of type-1 Feistel scheme and 9 rounds of type-2 Feistel scheme. Half collision attacks are made for 15 rounds of type-1 Feistel scheme, 9 rounds of type-2 Feistel scheme, and 5 rounds of type-3 Feistel scheme.

We present the first known-key attack on SM4, which is the Chinese standard block cipher made for the wireless LAN WAPI. We make a known-key distinguisher using rebound techniques with the time complexity of 212.75. Then, with the distinguisher, we provide near-collision attacks on MMO and MP hash modes of SM4. Precisely, we find a 104-bit near-collision for 13 rounds of SM4 with the time complexity of 213.30 and a 32-bit near-collision for 17 rounds of SM4 with the time complexity of 212.91. They are much more efficient than generic attacks for the case of random permutation.