Cryptanalysis of Block and Hash Functions

John Erik Mathiassen

The PhD degree

The Selmer Center Department of Informatics University of Bergen Norway

July 20, 2005


Introduction

1 Why do We Need Cryptography?

We use a lot of physical security in our everyday life to protect ourselves physically. For the same reason we need (digital) cryptography to protect our digital possessions and information. Compared to the physical world it is much easier to “steal” a digital document: thousands of copies of a digital document are made in no time on a computer. Today more and more valuable information is stored electronically, and a lot of transactions are made electronically. By electronically we mean in digital format, with zeroes and ones.

Some decades ago most information was stored written on paper, and the only way of protecting a paper from intruders was to keep the intruders away from the paper. This could be done by a locked house, room, cupboard or safe, and to have access to the paper people needed a key or a number combination or both. Sometimes we also need to identify ourselves to some security guards to enter the building, and thereby access the information. The same security issues apply if the information is moved from one place to another: we need a secure (anonymous and/or physically protected) courier. The way to get information stored on paper is to steal or copy the document, which is hard if security is good.

Information in digital format can also be physically protected in the same way as paper documents. However, this kind of protection would be very inconvenient, especially when it comes to transporting the information. The way we store and move digital data makes it impossible to keep every possible intruder from accessing the data. Just think of radio networks where the data is sent over the air and is accessible to any person able to capture the signal. Also the communication over the Internet goes unencrypted (by default) through public networks, so it should be considered insecure. To physically protect the transport of these kinds of data is impossible or at least impractical. Therefore we must assume that our digital data is accessible to anyone.
On the other hand, digital information has a big advantage over information printed or written on paper: it can be processed and transformed very fast by a computer. That way we can transform the information in a secret way before storing or sending it. Of course the transformation must be reversible for the authorized people, programs or computers, and impossible to perform for unauthorized people. This transformation (of digital information) is called encryption, and its reverse transformation is called decryption. We will introduce encryption and decryption in the next section.

Another issue is the authenticity and the origin of the information, contracts etc. In the “paper world” some of these issues are solved by handwritten signatures. By signing a paper the signature legally binds the content of the paper to the person signing it. Only that person could have signed the paper, because his signature is unique. In the digital world we have something similar called digital signatures. A digital “unique” tag identifying that person is attached to the document, but it is more than just a person's unique digital tag attached to the document, because any digital tag might easily be copied and attached to other documents. Therefore a digital signature must also depend on the whole document and on a secret transformation (signing algorithm) known only to the signer. No one else should be able to make a tag that ties another person to a document, and if the signature is copied and appended to another document, or the document is changed, the signature will be invalid. It should be impossible for anyone not knowing the secret transformation to forge a signature, or even to change a small part of the signed document without it being caught. The signing procedure should be easy for the signer and impossible for anyone else. On the other hand it should be easy for anyone to verify the signature, so the verifying algorithm must be public.
There are some mathematical formulas we believe achieve this kind of security. However, these signing algorithms are inefficient compared to conventional encryption systems. Therefore signing large documents is very time consuming, and it is normal to use another kind of system to achieve shorter messages before signing them. Actually the message itself is not made shorter, but the system makes a short “unique” representation of the message called a hash (popularly called fingerprint or message digest). This unique hash (of the message) is then signed. The transformation from message to hash is mostly called a (cryptographic) hash function. The smallest change in the message will (with very high probability) change the hash, and a signature on one hash is therefore in practice a signature on only one message. A digital signature does not only tie a person to a message; inherent in the signature algorithm is the property that it also preserves the integrity of the signed message, by the fact that any change in the message will be detected by the verification algorithm (with a very high probability).

In this thesis we will not focus on signatures, but on hash functions that make signature algorithms more efficient. These functions will be further explained in Section 3. Two of the attached articles also contain the explanation of the MD2 hash function and some attacks on it.

2 Introduction to Block Ciphers (Encryption)

In the previous section we explained why we need encryption of digital data. In this chapter we will introduce how encryption is done, and some of the developments (milestones) within encryption. The Arabs, the ancient Egyptians and the Roman Empire had their own encryption systems thousands of years ago. They had a simple structure because the encryption had to be done by hand calculations. The Romans used a cipher called the Caesar cipher to send orders to the army or messages between army divisions. The procedure is simply to substitute each symbol in the text with another symbol. If we have all the letters in the alphabet in alphabetic order

ABCDEFGHIJKLMNOPQRSTUVWXYZ
DEFGHIJKLMNOPQRSTUVWXYZABC

all the letters in the unencrypted text are substituted by the letter three positions to the right. The encryption is simply: find the letter in the upper letter sequence above, and replace it with the letter under it in the shifted alphabet. So 'A' is encrypted to 'D', 'B' to 'E', and the last letter 'Z' to 'C'. So the message

RETURN TO BASE

would be encrypted to¹

UHWXUQ WR EDVH

and the encrypted message could be sent by a courier. If the courier was attacked, and the message was found by the attackers, they would hopefully not understand the message. The unencrypted text will from now on be referred to as plaintext and the encrypted text is called ciphertext. When the encrypted message reaches the receiver the ciphertext is decrypted by the reverse procedure: replace each letter by the letter three positions to the left in the alphabet. The displacement of exactly three positions in the alphabet probably comes from the fact that the first letter 'C' in Caesar is the third letter in the alphabet. But if someone finds the system it is totally useless, because every message could then be decoded. To make it more difficult we could introduce 25 systems, one for each shift of the alphabet (a shift of 26 gives equality between the plaintext and ciphertext). If we choose one of the 25 systems it will take some more time before the enemy finds the system. Even then it is easy to try every shift for a small part of the ciphertext, and the shift which gives a meaningful plaintext is guessed to be the correct shift. This is easily achieved even by hand calculations. Actually, instead of saying that we use 25 systems it is meaningful to say that we have one system and 25 keys. So we might have one encryption system and many keys to avoid an attacker trying all the keys. If the current key is found by the enemy, the key is simply changed, which hopefully keeps the enemy busy forever.

The simple alphabet substitution cipher above may be generalized by the rule that every letter is substituted by another one. In this way the number of keys will be increased from 25 to 26! ≈ 2^88, which is more than the 2^56 keys of the system DES, invented in the 70's and still widely used today. However, the generalized substitution cipher can easily be broken by looking at how often each letter appears in the ciphertext, and comparing with the average rate of each letter in English texts. It is also possible to exploit frequent pairs or triples in the ciphertext.

¹ The spaces are normally removed from the ciphertext. Knowing the length of each word would make an attack much easier.

Both the previous ciphers are substitution ciphers. There is also another known technique - transposition - and the ciphers using this technique are called transposition ciphers; instead of substituting the symbols with other symbols, the symbols within a block are interchanged according to a certain pattern defined by the key. Here is an example where the block size is three (letters), where the plaintext

SEC RET MES SAG E

is encrypted to

ECS ETR ESM AGS E

where the spaces are inserted for pedagogical reasons. Having a block size of n symbols we have n! permutations. Having block length 5 we have a key space of size 120 ≤ 2^7, i.e. less than 7 bits of key size; exhaustive search on this can be done by hand. A typical block length of 128 bits corresponds to approximately 16 symbols, and the size of the key space in this permutation cipher with a 16-symbol block size is 16! ≈ 2^45, which corresponds to a 45-bit key in conventional block ciphers.

A block cipher is a cipher where the plaintext is split into fixed-length blocks, and each block is encrypted by an encryption rule and a key to a fixed-length ciphertext block. Typically the ciphertext consists of the same symbol space, and the length of each ciphertext block is equal to the plaintext block length. The first two ciphers presented are both block ciphers where each letter is a block. In the first one we mentioned that the key size is too small - 25 different keys - and it is possible to try to decrypt some ciphertext using all keys; the one that gives a meaningful decryption will be the correct one. The second cipher, where all letters are substituted with other ones, has a large key space of 2^88, but the problem is that the block size is small, the plaintext block frequency pattern is known and the redundancy is significant. In such cases it is easy to deduce which plaintext maps to which ciphertext, so the substitution will eventually be known, and the cipher is broken by a ciphertext-only² attack. That is also an argument for choosing a big block size (at least 128 bits is recommended).

Shannon's paper [31] has a nice illustration of the encryption process (Figure 1), using an encryption function E() with two inputs, the key K and the plaintext P, that produces the output ciphertext C:

C = E_K(P) = E(K, P)

[Figure 1: Sender - P - E - C (open channel, observed by Eve) - D - P - Receiver; the key K is shared by sender and receiver.]

Fig. 1. Shannon made this nice illustration of the encryption process. A key K is securely shared between the two parties, and the encryption C = E_K(P) of P gives the ciphertext C, which is sent on an open channel where the attacker might intercept it. This should not reveal anything about the plaintext P nor the key K to anyone not intended to read the message. The shaded area is where no one except the sender and receiver has access.

² In a ciphertext-only attack the ciphertext is known to the attacker, but not the plaintext. This is described further in Section 2.3.

Shannon suggests in [31] that we should use substitution and transposition (permutation) in an interleaved manner as shown in Figure 2. If only one of these components were iterated it would only give a new substitution cipher or permutation cipher. This would not be harder to break than a non-iterated substitution or permutation, because the iterated function can be defined as a one-round iteration. However, combining them in an interleaved manner produces a stronger construction. The permutation (transposition) layer is said to be the diffusion layer, where parts of the output from one S-box should influence as many S-boxes as possible in the next substitution layer. That is, a change in one symbol before the first round would probably change many symbols after the first round, and naturally even more symbols after the second round (assuming that the transposition layer symbols are finer grained than the substitution layer symbols). But a cipher consisting only of transposition iterations would be no better than one single transposition, so it makes no sense to increase the number of rounds. Using only transposition rounds makes the cipher totally linear, and it is easily broken by a known plaintext attack³, where both the input and the output from only one encryption are known. Normally the transposition layer is fixed through all rounds. Then the substitution layer brings in the confusion, which should not be linear, but the substitution layer is also predefined in a system. The parameter that gives the variation in a system is a constant which often is added in a linear manner to the symbols just before each substitution round. The constant for each round is called a round key, and the round keys are often derived from the shorter encryption key K by a key schedule algorithm (Paper II).

All modern ciphers are made to suit efficient encryption on computers. Without computers the task of encryption would be very inefficient, and only used for very sensitive data. The use of computers forces us to use binary symbols {0, 1} in order to achieve efficient encryption. A substitution of only one symbol would not give a cipher a complex structure, as we have only two possibilities: the first one is 0 → 1 and 1 → 0, which means that 0 is substituted by 1 and the other way around, and the second one is the trivial substitution where the symbol is substituted by itself. Both these are simple linear substitutions, and would pose a big threat to the cipher. Normally we use b consecutive symbols to represent bigger symbols, to give us an alphabet of size 2^b instead of 2. If we use b = 4 (bits) then the bigger alphabet of size 16 is: {0000, 0001, 0010, ..., 1111}. There are 16! ≈ 2^45 permutations of these symbols, which corresponds to a 45-bit key. The typical S-box size is between 4 and 8 bits.

³ In a known plaintext attack the plaintext is known in addition to the ciphertext. This is described further in Section 2.3.

[Figure 2: r rounds, each adding a round key K_i (K_1, K_2, ..., K_r) to the state, followed by a substitution layer of S-boxes and a transposition layer T; P enters the first round and the last round outputs C = E_K(P).]

Fig. 2. Block cipher principle where the key layer, substitutions and transpositions are interleaved and iterated. The r round keys K_i, i = 1, 2, ..., r are made from a key K by a key schedule (Section 2.1) which is a part of the encryption system. The transposition layer might change the position of the symbols from the substitution boxes, but each (alphabet) symbol might consist of finer grained smaller symbols (one byte/letter on the computer consists of 8 bits/smaller symbols, where each bit is either 0 or 1). Otherwise the iteration would not be more useful than one round, because the transposition normally does not change between the rounds, and is normally known. In modern ciphers the transposition layer is a linear transformation, which gives a much better diffusion and makes certain attacks harder.

As mentioned before, the typical block size in block ciphers is 16 symbols, which on computers is equal to 128 bits. Then there are 2^128 different plaintext blocks. If we fix the key and encrypt all different plaintext blocks the result would be 2^128 different ciphertexts, because otherwise a unique decryption is not possible. The size of the ciphertext block must be at least 128 bits (the plaintext size) and is almost without exception equal to the plaintext size. The encryption function used with a fixed key is therefore nothing else than a big substitution cipher which substitutes 128-bit symbols with other 128-bit symbols. There are 2^128! different permutations possible here, but as we shall see the key only allows us to pick a small subset of these. The key is also specified in bit symbols. The typical size of the key is 128 bits, but the key size might be different from the block size, as is the case in DES [22]. Having a key size of 128 bits the number of different keys is 2^128. If K ∈ {0, 1}^k there are 2^k different keys to choose between. Each key should ideally “pick” a random permutation of the 2^n different plaintext blocks, but then we see that only 2^k permutations out of 2^n! = 1 · 2 · ... · (2^n − 1) · 2^n are picked.

On the other hand, if the key is guessed by an attacker the chance is 1/2^k for a successful decryption, so if the attacker would like to try all the keys one by one, he would have to compute 2^(k−1) decryptions on average to find the correct one. He also needs to know one or at most a few plaintexts and the related ciphertexts in order to succeed. If the plaintext is not known, but it is known that the plaintext is English text coded in ASCII, the attacker would need a few more plaintexts and the related ciphertexts to succeed, and the time spent would be slightly more.

If the cipher is well designed and there are no better attacks than the brute force attack on the cipher, then the key size is a threshold on the security. For security reasons it is an advantage with big keys, but using a bigger key increases the need for storage. The time to encrypt might⁴ increase, and the time to initialize and exchange the key also increases. It is therefore a trade-off between security, cost and performance.

In 1976 the block cipher DES (Data Encryption Standard) was published as an American standard by NBS (National Bureau of Standards), and is sometimes referred to as the first⁵ block cipher in open literature. It was based on IBM's block cipher Lucifer, and modified by NBS possibly with help from some other federal institutions. DES has a block size of 64 bits and a key size of 56 bits, which was considered too small even in the 1970's. There has not been any devastating attack on DES apart from exhaustive search with average time 2^55 encryptions. In 1998 a special purpose machine, “Deep Crack”, found a DES key in 56 hours, and one year later this machine and a distributed search on the Internet found a DES key in 22 hours. In 1990 Biham and Shamir published the differential attack [2,3], which was the first attack requiring less than 2^55 encryptions. This is a chosen plaintext attack and requires 2^47 chosen plaintexts and the corresponding ciphertexts. The linear attack [16] was discovered by Matsui and was published in 1993, and in 1994 he published some improvements [17]. The attack requires 2^43 known plaintext/ciphertext pairs. Some improvements have also been published lately, but they are only small variations of the linear attack.

In 1997 NIST (National Institute of Standards and Technology) announced an open competition for designing the new federal standard AES (Advanced Encryption Standard), and a lot of suggestions were submitted. The finalists were the ciphers Mars, RC6, Rijndael, and Twofish, and Rijndael, made by Rijmen and Daemen, became the new standard [23] in 2001. AES has block size 128 bits and three different key sizes are possible: 128, 192 or 256 bits.

⁴ The time to encrypt does not increase unless the number of rounds is increased, and thereby the number of round keys. Sometimes the number of rounds must be increased to ensure better security when using a larger key, because it increases the threshold of expected security.

⁵ Strictly, DES is not the first block cipher, because even the Caesar cipher is a block cipher. But DES is the first public block cipher built on Shannon's principles of iterated rounds and interleaving the transposition, substitution and key addition.

A lot of other more or less successful ciphers have emerged in the last 15 years, and some new attacks have been invented. One measure of the security of a cipher is the time it has been around without being broken, but the effort people spend on breaking the different ciphers varies a lot. Just think of how much effort has been and will be spent on breaking AES after it has become a US standard. A much used method to measure the security of a cipher is to find its resistance to all known attacks, by estimating the number of rounds that can be broken by the different attacks. It is said that a cipher is (academically) broken if there is an attack on the whole cipher with time usage better than exhaustive search. The attack's required number of plaintexts and ciphertexts should also be less than 2^k, the number of possible keys (k is the bit size of the key). However, if no known attack is able to break a cipher this is no proof that the cipher is secure. There might be possible attacks that exploit certain weaknesses in the cipher which are not known by the time the cipher is made. It seems that it is very hard to prove that a cipher is secure. There are some examples around where “provably” secure ciphers have been broken. To prove the security of a cipher could be compared to proving that a certain building is physically secure and resists any attack possible by anyone today or in the future.

2.1 Key Schedules in Iterative Ciphers

We have already introduced the use of round keys, but we have not shown how the round keys K_i, i = 1, 2, ..., r are made from the key K. Figure 2 shows how most iterative ciphers are made. It also shows the layered structure consisting of the key layer, the substitution layer and the permutation layer. Let us define the function C_i = g(C_{i−1}, K_i) as the function consisting of one round key layer, one substitution layer and one permutation layer. An r-round cipher is then the r-fold iteration of g(·, ·) with a new round key K_i in each round, where C_0 - the plaintext P - is the input to the first round.

Fig. 3. Key schedule algorithm: the key K is expanded by the key schedule algorithm into the round keys K1, K2, . . . , Kr, which are used in the successive rounds of E taking the plaintext P through the intermediate values C1, C2, . . . , Cr−1 to the ciphertext C

The key schedule algorithm (Figure 3) takes the key K as input and outputs all the r round keys K1, K2, . . . , Kr. The size of Ki is not necessarily identical to the size of K. The size of the round keys is often equal to the size of the plaintext (and ciphertext), because the round keys are normally added bitwise modulo 2 to the intermediate ciphertexts: Ci−1 ⊕ Ki. Often the round key Ki only depends on Ki−1. The dependency could be defined by a function Ki = f(Ki−1), and K1 could be equal to K. In any case the dependency between the different round keys should be complex, and certainly not linear. In Paper II we show that a certain linear dependency between the round keys makes the cipher more vulnerable to linear and differential attacks. The related key attacks [1] also exploit a simple dependency between the round keys.

2.2 Modes of Operation

The straightforward way to encrypt a message is to split it into blocks of size n - the block length in bits - and to encrypt them one by one using the underlying block cipher. This is the Electronic Code Book (ECB) mode of operation. This way of encrypting has the disadvantage that equal blocks of plaintext encrypt to equal blocks of ciphertext. In the case of an encryption of a picture with little texture and few colors, the ECB mode may reveal the contours of the picture. The Cipher Block Chaining (CBC) mode avoids this by adding the previous ciphertext block to the plaintext block before the encryption. Other modes are Cipher FeedBack (CFB) mode, Output FeedBack (OFB) mode and Counter (CTR) mode. All these five modes were published by NIST in 2001 in [24] as a recommendation of encryption modes. All the previously mentioned modes are only for confidentiality, but there are also some modes for message authentication. An example of such a construction is the CBC-MAC, which is based on the CBC mode of operation. The similarity is that the output from the last encryption with CBC is kept, and possibly truncated to avoid forgery. In [26] an authentication mode CMAC based on CBC-MAC was recently published by NIST as a recommendation. Lately it has become popular to make modes that provide both encryption and authentication, and the mode category is often called Authenticated Encryption modes. Examples of these are the Counter with CBC-MAC (CCM) and the Offset CodeBook (OCB) modes, where the first was published by NIST as a recommendation in [25]. Paper III in this thesis presents an attack on the OCB mode.
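The ECB weakness and the chaining modes described above, as an added worked example (not code from the thesis): the block cipher E_K is a constructed 128-bit stand-in for AES (a four-round Feistel network with HMAC-SHA256 round functions, which is a permutation and therefore invertible), and the "picture" is a constructed message of three identical background blocks and one foreground block. ECB leaves the repetition visible as two distinct ciphertext blocks, CBC hides it, CTR and CBC roundtrip, and the CBC-MAC is the last CBC block under a zero IV. The key, IV and message are assumptions of the example.

```python
import hashlib
import hmac

BLOCK = 16  # block length n = 128 bits, as for AES

# Constructed demo key; any 16-byte value would do.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(key, i, half):
    # Round function F_i of the toy cipher: keyed PRF truncated to the 64-bit half block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def encrypt_block(key, block):
    """Toy 128-bit block cipher E_K: a 4-round Feistel network whose round functions are
    HMAC-SHA256 (a stand-in for AES, not a real design). A Feistel network is a
    permutation, so decrypt_block inverts it exactly."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _round_function(key, i, right))
    return left + right


def decrypt_block(key, block):
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round_function(key, i, left)), left
    return left + right


def blocks(msg):
    assert len(msg) % BLOCK == 0, "message must already be padded to whole blocks"
    return [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)]


def ecb_encrypt(key, msg):
    # ECB: each block is encrypted independently, so equal plaintext blocks give equal
    # ciphertext blocks.
    return b"".join(encrypt_block(key, p) for p in blocks(msg))


def cbc_encrypt(key, iv, msg):
    # CBC: the previous ciphertext block is added (XOR) to the plaintext block before encryption.
    out, prev = [], iv
    for p in blocks(msg):
        prev = encrypt_block(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(_xor(decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


def ctr_encrypt(key, nonce, msg):
    # CTR: encrypt nonce||counter and XOR the keystream into the data (any length works).
    out = bytearray()
    for i, chunk in enumerate(msg[j:j + BLOCK] for j in range(0, len(msg), BLOCK)):
        counter_block = nonce[:BLOCK - 4] + i.to_bytes(4, "big")
        out += _xor(chunk, encrypt_block(key, counter_block))
    return bytes(out)


def cbc_mac(key, msg):
    # CBC-MAC: CBC encryption with a zero IV, keeping only the last ciphertext block.
    return cbc_encrypt(key, bytes(BLOCK), msg)[-BLOCK:]


def distinct_blocks(ct):
    return len(set(blocks(ct)))


def demo():
    # Constructed "picture": three identical background blocks and one foreground block.
    picture = b"\x00" * BLOCK * 3 + b"\xff" * BLOCK
    iv = bytes(range(16))
    ecb = ecb_encrypt(KEY, picture)
    cbc = cbc_encrypt(KEY, iv, picture)
    return {
        "ecb_distinct": distinct_blocks(ecb),   # 2: the shape of the picture leaks
        "cbc_distinct": distinct_blocks(cbc),   # 4: chaining hides the repetition
        "cbc_roundtrip": cbc_decrypt(KEY, iv, cbc) == picture,
        "ctr_roundtrip": ctr_encrypt(KEY, iv, ctr_encrypt(KEY, iv, picture)) == picture,
        "mac_detects_change": cbc_mac(KEY, picture) != cbc_mac(KEY, b"\x01" + picture[1:]),
    }


if __name__ == "__main__":
    print(demo())
```

Swapping `encrypt_block` for a real AES implementation changes nothing in the mode functions; the repetition leak in ECB is a property of the mode, not of the cipher.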

2.3 Block Cipher Attacks

Kerckhoffs gave some nice definitions that we should take into consideration when designing encryption systems. Assume that everything about the system is known to the enemy. The only secret is the key itself, so if the enemy captures an encryption device and might extract the key, the key should be changed if it is used in other devices, but without changing the whole system. It is normally much easier to distribute a new key to the network than to distribute new encryption devices or software. An attack on a cipher is a method to extract information about the plaintext or get the plaintext itself given the ciphertext. If the key is known this is an easy task. Most attacks deal with finding the whole key or parts of the key. The brute force attack, a search through every key, is always possible, and is called exhaustive search. Then we need to know a few blocks of plaintexts and their ciphertexts, and try all the keys until we find the correct match. We may categorize the attacks according to their requirements:

– ciphertext only attack: Only the ciphertext is known to the attacker.
– known plaintext/ciphertext attack: The attacker knows some plaintexts and the corresponding ciphertexts.
– chosen plaintext/ciphertext attack: The attacker may choose plaintexts (ciphertexts) and gets the corresponding ciphertexts (plaintexts).
– adaptive chosen plaintext (ciphertext) attack: The attacker may choose plaintexts (ciphertexts) and gets the corresponding ciphertexts, and based on that he can choose more plaintexts in a clever way based on observations of previous plaintexts and ciphertexts.

The only attack where the plaintext is not known is the ciphertext only attack, but then the plaintext must have some redundancy, or else it is impossible to distinguish a correct key from a wrong one. In the other attacks the attacker knows the plaintext, and in the last attack he must be able to choose several plaintexts and do some calculations that make him able to choose more texts in a clever way. Each attack in the list is obviously stronger than the ones above it, because if a cipher is secure against a specific attack type it is also secure against all the attacks above it in our list.

General Attacks There are some general attacks which are possible on any block cipher. The first one - the exhaustive search - is already mentioned. This approach only needs one or a few (P, C)-pairs (plaintext/ciphertext pairs), depending on the cipher’s block size and key size. The philosophy of this attack is simply to try all keys one by one until the correct one is found. The plaintext P is encrypted by all the keys K' by C' = EK'(P), and the output C' is checked for equality with the original ciphertext C. It is possible that another key K' ≠ K encrypts the plaintext block P to the same ciphertext block C. For each key the probability that this happens is on average 2^(−|C|), where |C| is the block size of the cipher, and testing k = 2^|K| keys would give a probability (1 − 2^(−|C|))^|K| of a collision. A rough estimate would be that |K|/|P| (P, C)-pairs would be enough for a successful attack.

Another possible solution is to choose a favorite plaintext P0 that is always expected or can always be forced to be encrypted. The preprocessing step is to build a lookup table on all the keys and store the pairs (K, EK(P0)) sorted by the last element, the ciphertext block. When the ciphertext C is the encryption of P0 by the secret key K, then the key whose second element is equal to C is guessed to be correct. In cases where several keys encrypt to the same ciphertext it is possible to find the correct one by trying all the candidate keys on another ciphertext and seeing which one gives the expected plaintext or a reasonable plaintext. However, this approach requires 2^|K| encryptions in the preprocessing step and 2^|K| memory, and one or a few plaintexts. This is impossible even for DES, since the attacker has to store 2^56 blocks, and it requires about 2^30 ≈ 10^9 Gigabytes.

In 1980 Hellman presented a trade off between these two methods, the Time/Memory trade off attack. The idea is still based on encrypting the favorite plaintext P0, hopefully with all possible keys. The attack is probabilistic, because not all the keys are covered; it is very hard to cover all the keys. Instead of storing all keys as in the algorithm before, we are required to store only a fraction of the keys. The way it is done is to make a key chain K0, K1, . . . , Kt and store only the start point and the endpoint (K0, Kt). The key chain is made in such a way that the next element in the chain depends on the previous one by a function Ki = F(Ki−1) = R(EKi−1(P0)), where R : {0, 1}^n → {0, 1}^k is a mapping from the ciphertext space to the key space. If t starting points are chosen, the t chains cover t^2 hopefully different keys.

Because the function F is probably not injective, several points may map to one point, which can cause chains to “merge”. It also probably has many loops of different size. This makes it hard to cover all the keys by one function F. Therefore Hellman recommended to use t different functions Fi, where the functions are varied by changing only R - the mapping from the ciphertext space to the key space. All the chains using the same function Fi are said to form a table. It is common to have t chains in each table, and having t tables and chains of length t could cover all the keys if t^3 = 2^k. It gives us a chain length of t = 2^(k/3), which is also the number of chains (see footnote 6) in a table and the number of tables.

When an encryption is done and the ciphertext C0 = EK(P0) is captured, we calculate Ki,1 = Ri(C0) for all functions Ri and check if Ki,1 is an endpoint in table i. If it is not, the value Ki,1 is run through the function Fi until an endpoint matches (maximum t times). If the function Fi iterated s times gives us Kt = Fi^s(Ri(C0)) - the endpoint - a predecessor of C0 is calculated from the start point K0 by K' = Fi^(t−s)(K0). If K' is the key then C0 = EK'(P0), but it could be that R(C0) has several predecessors and C0 ≠ EK'(P0), or that the chain from C0 merges with the chain from K0 after some iterations such that the first chain “hits” the endpoint Kt. Both cases are false positives, and the search for the correct key has to continue. Assume that the key size is k bits. Then the attack requires 2^k preprocessing encryptions to cover all the keys by having t tables of t chains, each having t elements. To store all the endpoints requires an order of M = t^2 = 2^(2n/3) memory. To be able to compare the chain from C0 with the chains from all the tables, we need to generate one chain per table, because each table has a different “chain function” Fi. Since t chains of possible length t require t^2 iterations, the time complexity is of order T = t^2 = 2^(2n/3). For efficiency reasons (see footnote 7) Rivest in 1982 introduced the term distinguished point. The endpoints of each chain are required to have a certain property which is easy to check, and that makes the chain length t on average. Then each point in the t chains from C0 is checked for this property using t simple operations, instead of comparing with t^2 endpoints for each point of the t chains. A simple way of doing this is to require that the first b ≈ log2 t bits of a point have a certain value. All these general attacks are possible on any block cipher, and it is therefore a requirement to make the cipher such that these attacks are infeasible even if the power of the computers increases dramatically.

6 The number of chains in a table is often referred to as m, but it is often the case that m ≈ t gives the best results.

7 In order to avoid looking up every element of the t chains of C0 it is better to have a property to distinguish a possible endpoint from an impossible one. Unless a point has this property it is no use looking it up, because it cannot be an endpoint.
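Hellman’s time/memory trade off with Rivest’s distinguished points, as an added worked example (not code from the thesis): E_K(P0) is a constructed stand-in with a 16-bit key and 16-bit block (the first two bytes of SHA-256(K || P0)), so that the whole key space can be covered in a second. Each table i uses its own reduction R_i (XOR with a table-specific constant), chains end at the first point whose low b bits are zero, only (start, endpoint) pairs are stored, and the online phase walks from R_i(C0) to an endpoint and regenerates that chain, treating chains that reach a stored endpoint without yielding the key as the false positives described above. The parameters t = 48 tables of 48 chains and b = 5 are assumptions chosen so that t·t·2^b ≈ 2^16.

```python
import hashlib
import random

KEY_BITS = 16                    # toy key size k; DES would have 56
KEY_SPACE = 1 << KEY_BITS
P0 = b"fixed favorite plaintext"  # the plaintext P0 that is always encrypted
DP_BITS = 5                      # b: endpoints are points whose low b bits are zero
MAX_CHAIN = 20 << DP_BITS        # a chain this long has fallen into a loop; discard it


def encrypt_p0(key):
    """Stand-in for E_K(P0) with a 16-bit key and a 16-bit block: the first two bytes of
    SHA-256(K || P0). For the attack only the map K -> E_K(P0) matters."""
    digest = hashlib.sha256(key.to_bytes(2, "big") + P0).digest()
    return int.from_bytes(digest[:2], "big")


def reduce_to_key(table, ciphertext):
    # R_i: map a ciphertext back into the key space, varied per table i as Hellman suggested
    # (here by XORing a table-specific constant).
    return ciphertext ^ ((table * 0x79B1) & (KEY_SPACE - 1))


def step(table, key):
    # One chain step F_i(K) = R_i(E_K(P0)).
    return reduce_to_key(table, encrypt_p0(key))


def is_distinguished(key):
    return key & ((1 << DP_BITS) - 1) == 0


def walk_to_endpoint(table, key):
    """Iterate F_i from key until a distinguished point; None if the walk runs too long."""
    for _ in range(MAX_CHAIN):
        if is_distinguished(key):
            return key
        key = step(table, key)
    return None


def build_tables(num_tables, chains_per_table, rng):
    """Preprocessing: per table, start chains at random keys, walk each to its distinguished
    endpoint and store only endpoint -> start point (chains merging into a stored endpoint are dropped)."""
    tables = []
    for table in range(num_tables):
        endpoints = {}
        for _ in range(chains_per_table):
            start = rng.randrange(KEY_SPACE)
            end = walk_to_endpoint(table, step(table, start))  # always at least one step
            if end is not None and end not in endpoints:
                endpoints[end] = start
        tables.append(endpoints)
    return tables


def recover_key(tables, c0):
    """Online phase: for each table reduce C0 to a key, walk to the endpoint and, if it is
    stored, regenerate that chain from its start looking for K' with E_K'(P0) = C0.
    A stored endpoint whose chain holds no such K' is a false positive (a merge)."""
    for table, endpoints in enumerate(tables):
        end = walk_to_endpoint(table, reduce_to_key(table, c0))
        if end is None or end not in endpoints:
            continue
        key = endpoints[end]
        for _ in range(MAX_CHAIN + 1):
            if encrypt_p0(key) == c0:
                return key
            key = step(table, key)
            if is_distinguished(key):      # reached the endpoint: chain exhausted
                break
    return None


def coverage(tables, trials, rng):
    """Fraction of random secret keys the tables recover (the attack is probabilistic)."""
    hits = 0
    for _ in range(trials):
        secret = rng.randrange(KEY_SPACE)
        found = recover_key(tables, encrypt_p0(secret))
        hits += found is not None and encrypt_p0(found) == encrypt_p0(secret)
    return hits / trials


def run_demo(t=48, seed=1, trials=100):
    tables = build_tables(t, t, random.Random(seed))   # t tables of t chains, ~2^b points each
    start = next(iter(tables[0].values()))             # a key known to lie in a stored chain
    found = recover_key(tables, encrypt_p0(start))
    return {
        "stored_endpoints": sum(len(tab) for tab in tables),   # far fewer than 2^16 keys
        "known_key_recovered": found is not None and encrypt_p0(found) == encrypt_p0(start),
        "coverage": coverage(tables, trials, random.Random(seed + 1)),
    }


if __name__ == "__main__":
    print(run_demo())
```

Memory is the number of stored endpoints (at most t^2 = 2304 entries here against 65536 keys), while the online work per ciphertext is one walk of about 2^b steps per table; the coverage printed is well below 1 because chains merge and loop, which is exactly why Hellman uses many tables with different R_i.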

Statistical Attacks Today we have two main kinds of attacks, algebraic and statistical, where in both the goal is to find the key (see footnote 8). The algebraic attack on AES was introduced by Courtois [6,5], and it works by setting up many quadratic equations between the plaintext, ciphertext and the key. These equations are easily found for AES because of its simple mathematical structure. The big question is whether it is feasible to solve these equations in reasonable time and with reasonable memory resources. Although these equations represent the system exactly, the methods to solve them are heuristic, and it is not yet proved that they will work. In the statistical attacks the method is to find statistically unbalanced relations or correlations between some plaintext bits and some ciphertext bits, and these correlations should be practically independent of the round keys in the intermediate rounds. A typical approach is to find this correlated relation for one round and its probability, and then try to apply one or several relations to several rounds and calculate the probability of this correlation. This relation could be used to find out if an apparently random sequence of bits is really the encryption by the specific block cipher in question. This attack is called a distinguishing attack, and gives information about which cipher is used. The distinguishing attack can often be used to find key information or key bits. If a relation is found between the first and the second last round, the part of the last round key which involves this correlation is guessed. For the correct key guess the relation should give the predicted correlation, but for the other keys the relations should appear more or less random. The measured correlation from the correct key is called the signal S, and the measure from the wrong keys is called the noise N. To be able to separate the signal from the noise it is natural to think that the signal has to be stronger than the noise, S/N > 1, but there are also cases where S/N < 1 or even equal to 0 can be used.

8 In some attacks the attacker finds the decryption algorithm without caring about finding the key itself.

In Paper I we describe the linear attack [17,16], which is a statistical attack. We also present some new practical attacks on DES, and show the complexity of the attacks. In Paper II we discuss the key schedules’ influence on the resistance against linear and differential attacks. The differential attack described in [2,3] is also a statistical attack.

3 Introduction to Hash Functions

As mentioned in the introduction, a cryptographic hash function is a function that takes as input a message of arbitrary length and outputs a relatively short fixed length string, which is called a hash code or simply a hash. Sometimes this short string is called a fingerprint or message digest, because it is really a short representation of the often longer message. These functions are used in digital signature schemes, for password protection and for message authentication.

Fig. 4. General hash function H(·) which “compresses” the message m to a practically “unique” hash value h

We denote the message m, the hash function H(·) and the output hash h, see Figure 4. Since the hash functions are used on computers we represent both the message and the hash by binary symbols 0 and 1, and an arbitrarily long message is a sequence of bits m ∈ {0, 1}*, where * shows that we do not fix the length. The hash is of length n bits, h ∈ {0, 1}^n, and the hash function is a mapping H : {0, 1}* → {0, 1}^n.

A use of the hash function is to provide secure password protection. In the past it has been usual to store the passwords in a public file on the file system, and sometimes the password file is leaked to unintended users. If the passwords pwi were stored in plain text, all the users on the system would be compromised by the leakage of this file. Therefore it has been common to store only the hash of the passwords, hpwi = h(pwi), so if the file is compromised only the hpwi’s are known, and an intruder cannot log on by typing hpwi, because the hash of the typed password is always calculated and hpwi' = h(hpwi) does not make sense, and is therefore most probably not a valid password. On the other hand, if it is possible to find a preimage a of the hash hpwi such that h(a) = hpwi, the password system is not secure. That is one reason why it should always be computationally infeasible to find a preimage of a cryptographic hash function, and this property is called preimage resistance.

Another well known use of hash functions is to provide message authentication. This includes one or both of the two types of authentication, which are integrity of the message and origin of the message. When a message is appended with the hash of the message, m||h, and sent over a channel (or stored), then the receiver (reader) can check if the received message m'||h' is authentic by checking if h' = h(m'). But it is very important to notice that this assumes that the message and the hash are not changed to m' ≠ m such that m'||h(m') is inserted instead of m||h(m). So this can only be used in an already trusted channel, but if h, or both h and m, are encrypted (see footnote 9) the validation should be trusted, because if the encrypted hash Ek(h) is changed, the decryption would give another hash h' ≠ h = h(m) with a very high probability for a good hash function. A similar argument is valid for a change in the message m, or in both the hash and the message. There are also special purpose message authentication functions called MACs (Message Authentication Codes), and MACs based on hash functions. The only difference is that they include a key k in the evaluation hk(m) = mac, and it must be impossible to calculate the mac of a message without knowing the key. MACs are described in more detail in [18]. For hash functions used for authentication it should be impossible to obtain a second message m' ≠ m such that h(m') = h(m) given m and h(m). This property is called second preimage resistance.

9 If only h is encrypted one must be careful about which type of encryption to use. Using a stream cipher or exclusive-or based encryption h ⊕ k is insecure, since h is easily obtained from m and the key is extracted by adding h to the ciphertext. This is not the case if both m and h are encrypted.

The computations of digital signatures sign : {0, 1}^x → {0, 1}^y, or s = sign(m) (I here assume that the private key is inherent in the sign function), are much slower than conventional encryption and hashing, and x - the length of the message m - is fixed and not too long (typically 160 ≤ x ≤ 2048). If the length of m is much longer than this, the signature function has to be iterated, and that is very time consuming and insecure. Therefore it is much more efficient to sign the shorter representation of the message, the hash h, where the length of the hash is smaller than the size of the input to the signing algorithm, n < x. The signing is computationally infeasible if the secret signing key - private to the signer - is not known. On the other hand the verification key or public key should be public, such that the verification verify(m, s) ∈ {0, 1} could easily be done by anyone, where verify(·, ·) returns 0 for failure and 1 for okay. Given the public key it should be impossible to obtain the private key. Also the verification is sometimes very time consuming. Then it is much more efficient to verify a signature of the hash h, s = sign(h), by the verification function verify(h, s), so both the signing and the verification procedure are slow and insecure without using a hash function. Anyway, if the signing algorithm is secure, in the sense that it should be impossible to obtain a valid signature s on a given message m, then the hash function also has to be secure in order to obtain secure signatures. Just think of the possibility of obtaining a second preimage m' ≠ m with h = h(m) = h(m') where h is signed, s = sign(h). Then s will also be a valid signature of m', since s = sign(h(m)) = sign(h(m')). Another very similar threat is if the attacker finds two unequal messages m and m' that map to the same hash value h; he might trick the signer into signing m by s = sign(h(m)). This signature will be a valid signature also for m', by the same argument as for the second preimage attack.

In the three examples of use of the hash functions above, we mention some threats for the different uses. For a general hash function it is therefore required that it resists these threats. The three properties we wish to have are:

– Preimage resistance: Given h it should be impossible for anyone to obtain an m such that h = h(m).
– 2nd-Preimage resistance: Given h and m it should be impossible for anyone to obtain m' such that m' ≠ m and h(m') = h(m).
– Collision resistance: It should be impossible for anyone to find m and m' such that m' ≠ m and h(m') = h(m).

It is common to think that collision resistance implies 2nd-preimage resistance, because if we have collision resistance but not 2nd-preimage resistance, it is possible to choose a preimage m and then find m' such that m' ≠ m and h(m') = h(m). Before we use this as a proof that collision resistance implies 2nd-preimage resistance we should look at the brute force attacks and their complexity. To find a preimage m given only h is possible, but might take too much time to be achievable. The brute force method is to pick a random m, compute the hash and check if h = h(m). If not, a new random message is picked. The probability that h(m) is equal to h is 2^(−n), where n is the bit size of the hash value h. This is expected to take 2^n time. To find a second preimage m' involves exactly the same method as finding a preimage, unless some relations between m and m' have a higher probability of collision than 2^(−n), but then it is not a brute force attack. The expected time is therefore 2^n also for this attack. To find a collision pair (m', m) could be done by picking an arbitrary m and then using the 2nd preimage attack to find m', but there is a more efficient method based on the birthday paradox. The method is based on picking t = √(2^n) different messages m1, m2, . . . , mt and calculating their hashes h1, h2, . . . , ht. If we now look at the individual differences δi,j = hi ⊕ hj for i ≠ j, we observe that there are roughly

(t choose 2) ≈ t^2/2 = 2^n/2

differences, and it is expected that at least one of them is 0. Assume that δv,w = 0; then hv = hw, and the birthday paradox is therefore demystified by the fact that we now get 2^n differences and not 2^(n/2). In order to have an attack on a hash function, one must have an attack which is better than the corresponding brute force attack.

Having a collision attack of complexity less than 2^n but greater than 2^(n/2) is not a break of the hash function. On the other hand a 2nd preimage attack with this complexity would be a break of the hash function. That is why it is wrong to say that resistance against collision attacks implies resistance against 2nd preimage attacks. MD-strengthening (after Merkle [19] and Damgård [7]) is a way to construct hash functions where the proof of security reduces to a proof that the smaller compression function h(·, ·) is secure. It requires a compression function as described before, the h0 (IV) must be fixed, and the bit representation of the bit length of the message must be appended to the message together with the padding. If there is an attack on the hash function H(·), then a similar attack exists on the compression function h(·, ·). That means that if it is proved that the compression function is secure, then it is proved that the hash function is secure also, if it follows the MD-strengthening rules. Also for hash functions it is common to refer to attacks to evaluate the security of a hash function. An upper bound on the security of a hash function could be the complexity of the best known attack on the hash function in question. That means that if no attack is found, the upper bound is uniquely defined by n, the size of the hash value h, through the complexities of the brute force attacks.
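The brute force complexities (2^n for a preimage, about 2^(n/2) for a collision by the birthday paradox) and the MD-strengthening rules, as one added worked example that is not code from the thesis: a toy Merkle-Damgård hash with a constructed compression function (truncated SHA-256 of chaining value and block) and a deliberately small n = 16 bits so that both searches finish in well under a second. The padding with a 1 bit, zeros and the message bit length is the MD-strengthening; the "naive" variant that only zero-pads shows the simplest consequence of leaving the length out, namely that messages differing only in trailing zero bytes collide. The block size, n and the seeds are assumptions of the example.

```python
import hashlib
import random

N_BITS = 16                  # toy hash length n; real hashes use 160 bits or more
BLOCK_BYTES = 16             # message block size of the toy compression function
IV = bytes(N_BITS // 8)      # fixed h0


def compress(h_prev, block):
    """Toy compression function h(h_{i-1}, m_i) -> n bits: truncated SHA-256 of the
    chaining value and the block. A stand-in, not a real design."""
    return hashlib.sha256(h_prev + block).digest()[:N_BITS // 8]


def pad_naive(msg):
    # Zero-pad to whole blocks and nothing else: the message length is not encoded.
    return msg + bytes(-len(msg) % BLOCK_BYTES)


def pad_md_strengthened(msg):
    # MD-strengthening: a single 1 bit, zeros, then the bit length of the message in the last 8 bytes.
    data = msg + b"\x80"
    data += bytes((BLOCK_BYTES - 8 - len(data)) % BLOCK_BYTES)
    return data + (8 * len(msg)).to_bytes(8, "big")


def md_hash(msg, strengthened=True):
    """Merkle-Damgård iteration of compress() over the padded message from the fixed IV."""
    data = pad_md_strengthened(msg) if strengthened else pad_naive(msg)
    h = IV
    for i in range(0, len(data), BLOCK_BYTES):
        h = compress(h, data[i:i + BLOCK_BYTES])
    return h


def brute_force_preimage(hash_fn, target, rng, max_tries=1 << (N_BITS + 4)):
    """Brute force preimage search: random messages until one hashes to target; expected 2^n tries."""
    for tries in range(1, max_tries + 1):
        m = rng.getrandbits(56).to_bytes(7, "big")
        if hash_fn(m) == target:
            return m, tries
    return None


def birthday_collision(hash_fn, rng, max_tries=1 << N_BITS):
    """Birthday attack: store hash -> message until a different message hits a stored hash;
    expected about 2^(n/2) tries, i.e. roughly t^2/2 = 2^n pairwise differences examined."""
    seen = {}
    for tries in range(1, max_tries + 1):
        m = rng.getrandbits(56).to_bytes(7, "big")
        h = hash_fn(m)
        if h in seen and seen[h] != m:
            return seen[h], m, tries
        seen[h] = m
    return None


def demo(seed=3):
    rng = random.Random(seed)
    target = md_hash(b"the message whose preimage we want")
    pre = brute_force_preimage(md_hash, target, rng)
    m1, m2, collision_tries = birthday_collision(md_hash, rng)
    return {
        # Without the length field, messages differing only in trailing zero bytes collide.
        "naive_padding_collides": md_hash(b"abc", False) == md_hash(b"abc\x00", False),
        "strengthened_separates": md_hash(b"abc") != md_hash(b"abc\x00"),
        "preimage_found": pre is not None and md_hash(pre[0]) == target,
        "preimage_tries": pre[1] if pre else None,
        "collision_found": m1 != m2 and md_hash(m1) == md_hash(m2),
        "collision_tries": collision_tries,
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows the two counts differ by orders of magnitude (tens of thousands of tries for the preimage against a few hundred for the collision), which is the reason a collision attack cheaper than 2^n but dearer than 2^(n/2) is not a break while a 2nd preimage attack of that cost is.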

4 Summary of the Articles

This section introduces each of the articles included in this thesis. The articles [20,29,30] are not included as they are not in the scope of this thesis. The report [14] is an improvement of [10] and also overlaps with [4]. It was submitted to SAC04, but was not accepted, because of the lack of new results. In any case it contains the fastest known attack on DES, and also another estimate of a real attack on DES which is an improvement over previous attacks. Therefore the thesis includes this technical report. The main topics of the thesis are analysis of block ciphers and hash functions. The first part contains the block cipher analysis, which involves the first three papers [14,12,15]. The last part is on analysis of hash functions, which involves the two papers [11,13].

4.1 On the Role of Key Schedules

There are a lot of different key schedules around, and some of them are good enough. Some key schedules are very time consuming, and as with block ciphers there should be some emphasis on making low cost key schedules to make re-keying fast. In case of frequent re-keying the slow key schedules really slow down the performance of the encryption. Some ciphers even use the same key in each round, or at least a very simple design. Some of these designs are very vulnerable to related key attacks, and if the same round key is used in every round they are vulnerable to slide attacks. In this paper we show that weak key schedules are more vulnerable to linear and differential attacks. The linear hulls and differentials seem to have a higher probability over all the plaintexts. We tested it extensively on Feistel ciphers, but it also seemed to be the case in an AES-like SP-network. In the case of Feistel ciphers we did in fact prove that if the differences between the individual round keys are only a constant, then the identical difference in key and plaintext will lead to two ciphertexts with identical difference. In DES we actually have 2^55 key classes of size two, where the difference between the round keys within the class is a constant: a key and its complement. In ciphers where this class is the whole key space, it will be the case that a differential or linear hull probability distribution over all plaintexts for one key is exactly the same for all keys. That means that if we find a high linear or differential probability for one key, the same linear hull or differential will be weak for all the keys in the class. Future research could benefit from further investigation of key schedules and a classification of what makes good and what makes bad designs.
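The Feistel property just stated, together with the round key dependency Ki = f(Ki−1) of Section 2.1, as an added worked example that is not code from Paper II or the thesis: a toy 32-bit Feistel cipher with a constructed round function and two constructed key schedules. Under the weak schedule every round key is the master key XORed with a round constant, so the round key differences are a constant Δ and a key pair (K, K ⊕ Δ) with plaintexts differing by (Δ, Δ) always gives ciphertexts differing by (Δ, Δ); Δ = all ones is the analogue of the DES complementation classes mentioned above. Under a schedule that mixes the key nonlinearly the same relation holds only by chance. The S-box, rotation, round constants and seeds are assumptions of the example.

```python
import random

HALF_BITS = 16
MASK = (1 << HALF_BITS) - 1

# Constructed round constants c_i: whatever a weak key schedule adds to the master key in round i.
ROUND_CONSTANTS = [0x1F2E, 0x3D4C, 0x5B6A, 0x7988, 0x97A6, 0xB5C4, 0xD3E2, 0xF100]

# Constructed 4-bit S-box for the toy round function.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def round_function(x):
    """Nonlinear round function F on a 16-bit half block: four parallel S-boxes followed by
    a rotation. Its details do not matter for the property demonstrated."""
    y = 0
    for i in range(4):
        y |= SBOX[(x >> (4 * i)) & 0xF] << (4 * i)
    return ((y << 5) | (y >> (HALF_BITS - 5))) & MASK


def weak_schedule(master):
    # Round keys differ from the master key only by a constant: K_i = K xor c_i.
    return [(master ^ c) & MASK for c in ROUND_CONSTANTS]


def stronger_schedule(master):
    # Round keys depending nonlinearly on the previous one: K_i = F(K_{i-1} xor c_i), K_0 = K.
    keys, k = [], master
    for c in ROUND_CONSTANTS:
        k = round_function(k ^ c)
        keys.append(k)
    return keys


def feistel_encrypt(left, right, round_keys):
    # Standard Feistel round: (L, R) -> (R, L xor F(R xor K_i)).
    for k in round_keys:
        left, right = right, left ^ round_function(right ^ k)
    return left, right


def difference_preserved(schedule, master, delta, left, right):
    """Encrypt (L, R) under K and (L xor delta, R xor delta) under K xor delta and report
    whether the ciphertext difference is again (delta, delta)."""
    c1 = feistel_encrypt(left, right, schedule(master))
    c2 = feistel_encrypt(left ^ delta, right ^ delta, schedule(master ^ delta))
    return (c1[0] ^ c2[0], c1[1] ^ c2[1]) == (delta, delta)


def experiment(schedule, trials=2000, seed=7):
    """Fraction of random (key, plaintext, delta) triples for which the related-key
    differential (delta, delta) -> (delta, delta) holds."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        master = rng.getrandbits(HALF_BITS)
        delta = rng.getrandbits(HALF_BITS) or 1
        left, right = rng.getrandbits(HALF_BITS), rng.getrandbits(HALF_BITS)
        hits += difference_preserved(schedule, master, delta, left, right)
    return hits / trials


if __name__ == "__main__":
    print("weak schedule:    ", experiment(weak_schedule))       # 1.0
    print("stronger schedule:", experiment(stronger_schedule))   # about 0.0
```

Why the weak case is certain: with R' = R ⊕ Δ and K_i' = K_i ⊕ Δ the S-box input R ⊕ K_i is unchanged in every round, so the round function output is identical for both encryptions and the difference Δ simply passes through the XOR with the left half.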

4.2 Linear Attacks on DES

This paper contains two different linear attacks on DES based on Matsui’s attacks [16,17]. The first part explains a linear chosen plaintext attack, which is an improvement of the exhaustive search part by a factor 4. The reason for the improvement compared to the attack in [10] is that we are able to reveal 2 more key bits in the first part of the attack. The second part is a known plaintext attack on DES, where the complexity is the same as in the chosen plaintext scenario, but the fact that it is a known plaintext attack makes it stronger. Matsui used two different linear approximations involving distinct key bits in both the middle rounds and the two outer rounds. Robshaw and Murphy [9] introduced a multiple linear equations attack, where the middle round and the outer round key bits (S-boxes) involved must be exactly the same. In such cases the power of the attack will be stronger, by a bigger bias. In our attack we combine these two methods, and find a way to combine the key ranking tables from the different linear equations involving distinct key bits in the outer rounds. The actual attack is estimated and tested on 8 rounds, and estimated on 16 rounds. There is a good reason that this will work in exactly the same way for 16 rounds as for 8 rounds, and that is due to the fact that we use 4-round iterative characteristics, so the outer round key bits involved are exactly identical. However, since the equations have a higher bias we need more known plaintexts in the 16 round attack. Our report [14] contained some of the same ideas as [4], and was submitted to SAC2004, but it was rejected. Therefore there is a small chance that it will be published in a well known conference or journal, but it still contains what we believe is the best key recovery attack on DES. The time when using 2^42 known plaintexts will be 2^27, and using 2^42 plaintexts the time will be 2^41, and the success rate for both is 85%. This compares with Matsui’s attack requiring 2^43 plaintexts and time 2^42 with a success rate of 85%.

4.3 Improved Collision Attack on OCB

This paper presents an attack on OCB [27,28]. There is only one difference (see footnote 10) between encryption using OCB and encryption using ECB: in OCB unique and secret offsets are added before and after the encryption. When parts of the secret in the offsets are known, we have found a much stronger way of exploiting this. While previous attacks [8] were able to cheat in a limited way in one message, our attack makes us able to permute any positions in any previous or future message made by the same key, but a different and unknown nonce, without a chance of being detected by the authentication. This might be done without knowing anything about the plaintext of the ciphertexts we change. It must be mentioned that OCB is proved secure, and this attack is at the edge of the proved boundary, so this does not make the proof invalid. A way of increasing the chance of a collision (see footnote 11) would result in a devastating attack.

10 There are two other differences: the last block is encrypted differently to support the encryption of any bit length, without the need for padding bits. The other difference is that an authentication tag is appended to the last ciphertext block.

11 The way the offsets are made could be exploited to cancel differences in offsets and as a result give collisions.

4.4 Collision and Preimage Attacks on MD2

Most of the hash functions based on or similar to the MD4 design have been broken lately. The early and untraditional design of MD2 remained unbroken until Muller published his preimage attack on MD2 [21]. Only one paper on the security of MD2 had been published before that, and that is Rogier and Chauvaud’s paper on collision attacks on the compression function of MD2. In a conventional design this would automatically lead to an attack on the whole hash function, but because of the use of a checksum function this is not the case for MD2. Muller found the first preimage attack on the compression function, and as a result of that he found an attack on the whole of MD2 with time usage comparable to 2^104 (the checksum included). In our paper we found an improvement on the attack on the whole MD2, where the time usage is reduced to less than 2^98. The former attack had a lower limit on the preimage size of 128 blocks. We were able to find a method to reduce the size of the preimage, but at the cost of increased time usage. In the paper we improve the result of Rogier and Chauvaud by being able to find more collisions, and some other variants of the attack. We also introduce a pseudo collision attack on MD2 by finding two IV’s that collide under the same message of arbitrary length, with time usage comparable to 2^15 compression function calculations. We also found a pseudo preimage attack with time complexity 2^95 where the message length is 2 or more.

4.5 Cryptanalysis of the MD2 Hash Function

This paper is to be submitted to “Journal of Cryptology”. We found some collision attacks on the compression function with no constraints on hi−1. This improvement leads to the first collision attacks on MD2 better than exhaustive search, having time usage 2^60.8, even if the margins are small compared to exhaustive search with time usage 2^65.5. One problem with the collision attack was also the memory requirement of 2^65, but we also present the results of a time memory trade off to reduce this memory requirement. Even if this is a small improvement it is a breakthrough in the analysis of MD2. The collision attack on the compression function also leads to an improvement of the preimage attack on MD2 to time usage 2^95.7. The most significant improvement here is on finding shorter preimages, where we have an improvement factor 2^13 for message length 43 instead of 128, and this is even a factor 2^5 better than the first preimage attack [21] where the length must be at least 128. It seems that the earliest design was the last one to be broken, but the problem with the design is that it is not yet proved (see footnote 12) that the security of the hash function can be reduced to the security of the compression function.

12 It might not be possible to prove this property for the MD2 design, or it might be proved that this property is not inherent in the MD2 design.

References

1. E. Biham. New types of cryptanalytic attacks using related keys. In Tor Helleseth, editor, Advances in Cryptology - EuroCrypt ’93, pages 398–409, Berlin, 1993. Springer-Verlag. Lecture Notes in Computer Science Volume 765.
2. E. Biham and A. Shamir. Differential cryptanalysis of DES-like cryptosystems (extended abstract). In Alfred J. Menezes and Scott A. Vanstone, editors, Advances in Cryptology - Crypto ’90, pages 2–21, Berlin, 1990. Springer-Verlag. Lecture Notes in Computer Science Volume 537.
3. E. Biham and A. Shamir. Differential cryptanalysis of the full 16-round DES. In Ernest F. Brickell, editor, Advances in Cryptology - Crypto ’92, pages 487–496, Berlin, 1992. Springer-Verlag. Lecture Notes in Computer Science Volume 740.

26 4. A. Biryukov, C. D. Canniere, and M. Quisquater. On Multiple Linear Approxi- mations. In M. Franklin, editor, Advances in Cryptology - CRYPTO’04, volume 3152 of Lecture Notes in Computer Science, pages 1–22. Springer-Verlag, 2004. 5. N. T. Courtois and J. Pieprzyk. Cryptanalysis of Block Ciphers with Overdefined Systems of Equations. 6. Nicolas T. Courtois and Josef Pieprzyk. Cryptanalysis of block ciphers with overdefined systems of equations, 2002. Preprint is available at http://eprint.iacr.org/2002/044/. 7. I. B. Damg˚ard. A design principle for hash functions. In G. Brassard, editor, Advances in Cryptology - Crypto ’89, pages 416–427, Berlin, 1989. Springer-Verlag. Lecture Notes in Computer Science Volume 435. 8. N. Ferguson. Collision attacks on ocb. Comments to NIST, February 2002, Avail- able at NIST’s webpage at. 9. B. S. Kaliski and M. J. B. Robshaw. Linear cryptanalysis using multiple approxi- mations. In Y. Desmedt, editor, Advances in Cryptology - Crypto ’94, pages 26–39, Berlin, 1994. Springer-Verlag. Lecture Notes in Computer Science Volume 839. 10. L. R. Knudsen and J. E. Mathiassen. A Chosen Plaintext Linear Attack on DES. In B. Schneier, editor, Fast Software Encryption 2000, volume 1978 of Lecture Notes in Computer Science, pages 262–272. Springer-Verlag, 2000. 11. L. R. Knudsen and J. E. Mathiassen. On the Role of Key Schedules in Attacks on Iterated Ciphers. In P. Samarati, P. Ryan, D. Gollmann, and R. Molva, editors, ESORICS 2004, volume 3193 of Lecture Notes in Computer Science, pages 322– 334. Springer-Verlag, 2004. 12. L. R. Knudsen and J. E. Mathiassen. Preimage and Collision Attacks on MD2. In H. Gilbert and H. Handschuh, editors, Fast Software Encryption 2005, volume 3557 of Lecture Notes in Computer Science, pages 255–267. Springer-Verlag, 2005. 13. L. R. Knudsen, J. E. Mathiassen, and F. Muller. Cryptanalysis of the hash function. To be submitted to Journal of Cryptology, pages 000–000. 14. J. E. Mathiassen and L. R. Knudsen. 
Linear Known Plaintext Attack on DES. Technical report 274, University of Bergen, 2004. 15. J. E. Mathiassen and D. A. Osvik. Improved Collision Attack on OCB. Technical report 3??, University of Bergen, 2005. 16. M. Matsui. Linear cryptanalysis method for DES cipher. In T. Helleseth, editor, Advances in Cryptology - EuroCrypt ’93, pages 386–397, Berlin, 1993. Springer- Verlag. Lecture Notes in Computer Science Volume 765. 17. M. Matsui. The first experimental crypt analysis of the Data Encryption Standard. In Y. Desmedt, editor, Advances in Cryptology - Crypto ’94, pages 1–11, Berlin, 1994. Springer-Verlag. Lecture Notes in Computer Science Volume 839. 18. A. J. Menezes, P. C. Oorschot, and S. A. Vanstone. Handbook of Applied Cryptog- raphy. CRC Press, 1997. 19. R. C. Merkle. One way hash functions and DES. In G. Brassard, editor, Advances in Cryptology - Crypto ’89, pages 428–446, Berlin, 1989. Springer-Verlag. Lecture Notes in Computer Science Volume 435. 20. H. Molland, J. E. Mathiassen, and T. Helleseth. Improved Fast Correlation Attack using Low Rate Codes. In K. G. Paterson, editor, Cryptography and Coding, volume 2998 of Lecture Notes in Computer Science, pages 67–81. Springer-Verlag, 2003. 21. F. Muller. The MD2 hash function is not one-way. In P. J. Lee, editor, Advances in Cryptology - ASIACRYPT 2004, volume 3329 of Lecture Notes in Computer Science, pages 214–229. Springer-Verlag, 2004.

27 22. National Bureau of Standards. FIPS 46: Data Encryption Standard. National Bureau of Standards, U.S. Department of Commerce, January 1977. 23. National Institute of Standards and Technology. FIPS 197: Advanced Encryption Standard. National Institute of Standards and Technology, November 2001. 24. National Institute of Standards and Technology. NIST Special Publication 800- 38A, Recommendation for Block Cipher Modes of Operation - Methods and Tech- niques. Technical report, U.S. DoC/NIST, December 2001. Available at. 25. National Institute of Standards and Technology. NIST Special Publication 800- 38B, Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authenticaion and Confidentiality. Technical report, U.S. DoC/NIST, May 2004. Available at. 26. National Institute of Standards and Technology. NIST Special Publication 800- 38B, Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication. Technical report, U.S. DoC/NIST, May 2005. Available at. 27. P. Rogaway, M. Bellare, J. Black, and T. Krovetz. OCB: A block-cipher mode of operation for efficient authenticated encryption. Available from. 28. P. Rogaway, M. Bellare, J. Black, and T. Krovetz. OCB: A block-cipher mode of operation for efficient authenticated encryption. Eight ACM Conference on Computer and Communications Security (CCS-8), pages 195–205. 29. T. Segers, T. Helleseth, M. Maas, and J. E. Mathiassen. Linear complexity over fp of sidel’nikov sequences. IEEE Transaction on Information Theory, 50:2468–2472, 2004. 30. T. Segers, T. Helleseth, M. Maas, and J. E. Mathiassen. Linear Complexity over Fp of Sidel’nikov Sequences. In IEEE Int. Symposium on Information Theory, page 123, 2004. 31. C. E. Shannon. Communication theory of secrecy systems. Bell System Technical Journal, 28:656–715, 1949.


Linear Known Plaintext Attack on DES

John E. Mathiassen1 and Lars R. Knudsen2

1 Department of Informatics, University of Bergen, Norway 2 Department of Mathematics, Technical University of Denmark

Abstract. This paper presents a known and a chosen plaintext attack on the DES, both with success rate 80% using $2^{42}$ texts. The attacks improve on earlier results in that the total complexity is reduced by a factor of two both in the number of texts needed and in the number of computations required.

Keywords: Linear cryptanalysis, Cryptanalysis, Block cipher, DES, key recovery.

1 Introduction

The block cipher DES [1] is a Feistel cipher and was adopted as a US standard by NBS (now NIST) in 1977. It encrypts text of 64 bits using a (secret) 64-bit key, of which only 56 bits are used and the remaining 8 bits are discarded. An exhaustive search for the key would require at most $2^{56}$ DES computations, but there have been some shortcut attacks involving fewer DES computations that still find the key. In [2] the differential attack is introduced. The differential attack is a chosen plaintext attack which makes it possible to find the key in DES using $2^{47}$ chosen plaintexts. It was the first attack on DES which can successfully recover the secret key faster than by brute force. The linear attack was first introduced on FEAL [3] and later adapted to DES [4,5]. The attack is a known plaintext attack and applied to DES finds the key using some $2^{43}$ known plaintexts. To this date this is the best attack on DES in the open literature. Despite the introduction of the new encryption standard AES, DES is still widely used. Other related articles not introduced in the rest of the text are [6,7,8].

2 The Linear Attack

In this section the general linear attack [4] is presented and applied to block ciphers. The ciphertext $C$ is the encryption of the plaintext $P$, both of size $n$, by an encryption function $C = E_K(P) = E(P, K)$ using the key $K$ of size $n_K$ bits. Most block ciphers repeat a simple round function $C_{i+1} = G(C_i, K_i)$, which maps the ciphertext $C_i$ after $i$ rounds of encryption to $C_{i+1}$ using a round key $K_i$. Preparing a linear attack one starts by finding one-round approximations for the cipher in question. An equation for such an approximation is:

$$(C_i \cdot \alpha_i) \oplus (C_{i+1} \cdot \beta_i) = (K_i \cdot \gamma_i)$$

where the “$\cdot$” denotes the dot product, and the Greek letters denote masks. The sum of some input bits plus the sum of some output bits is equal to the sum of some key bits with a probability $p_i$. In linear attacks one is often interested in $e_i = (p_i - 1/2)$, which is the imbalance. The size of the absolute value $|e_i|$ indicates the strength of an equation. The single round approximations are concatenated to an $r$-round approximation

$$(P \cdot \alpha) \oplus (C \cdot \beta) = (K \cdot \gamma) \quad (1)$$

from the first round to the last round. The concatenations and the probability calculations assume that the rounds are independent, and it works for many ciphers. The calculation of the probability of success $p$ is done using the piling-up lemma

$$p = \frac{1}{2} + 2^{r-1} \prod_{i=1}^{r} \left(p_i - \frac{1}{2}\right) = \frac{1}{2} + 2^{r-1} \prod_{i=1}^{r} e_i$$

assuming independent rounds. When using enough $(P, C)$ pairs we have an indication of the value of $K \cdot \gamma \in \{0, 1\}$ with a high probability. Using the normal distribution function $\Phi(2\sqrt{N}\,|e|)$ we get that $N = (p - 1/2)^{-2} = e^{-2}$ is the expected number of $(P, C)$-pairs needed to give the value of $K \cdot \gamma$ with a probability of 97.72%. Half the possible keys $K \in \mathcal{K}$ will satisfy this value, and we have one bit of information. Assume we use $N$ text pairs in an attack. Let $T$ be the number of times the left side of Equation 1 is 0, and let $U = T - N/2$. Then $K \cdot \gamma$ is guessed to be

$$K \cdot \gamma = \frac{\mathrm{sign}(U) \cdot \mathrm{sign}(e) + 1}{2}$$

which says that $K \cdot \gamma = 0$ if both $(T - N/2)$ and $(p - 1/2)$ have the same sign, and $K \cdot \gamma = 1$ if they have different signs, where $\mathrm{sign}(x) = \frac{x}{|x|}$. The rest of the bits may be found by other similar equations, or by exhaustive key search. A more efficient method is described by Matsui in [5]. Using this method we may shorten our approximation by two rounds, in addition to finding more key bits using one equation. A way to do it is to find a good approximation

$$(C_1 \cdot \alpha) \oplus (C_{r-1} \cdot \beta) = (K \cdot \gamma)$$

from the second round to the second last round having probability $p = \frac{1}{2} + e$, where $|e| > 0$. Notice that $C_1 = G(P, K_1)$ and $C_{r-1} = G^{-1}(C, K_r)$, but this requires us to know or guess $K_1$ and $K_r$. This is not efficient if the round keys $K_i$ are close to $n$ bits, which is the block size. Most ciphers use S-boxes, which are typically mappings of a small number of bits, e.g. 4 or 8. This allows us to guess the key bits input to the S-boxes involved in the equation

$$(G(P, K_1^*) \cdot \alpha) \oplus (G^{-1}(C, K_r^*) \cdot \beta) = (K \cdot \gamma) \quad (2)$$

where ’*’ indicates that $K_i^*$ is the effective key bits of $K_i$ involved in $G(X, K_i) \cdot \alpha$. If the S-box size is $s$ bits, and there is only one S-box involved in the first and the last round, one needs to guess $2s$ key bits. This is the case in Matsui’s attack where the S-box size is $s = 6$ and one needs to guess $2s = 12$ key bits in each equation. Equation 2 will have probability $p$ of being correct if the correct sub-key $K^*_{1,r} = (K_1^*, K_r^*)$ is used. If the imbalance $e = p - 1/2 > 0$ is greater than 0, Equation 2 will follow this imbalance. Using $N$ plaintext/ciphertext pairs, $T^{K^{g*}_{1,r}}$ counts how many times the left side of Equation 2 is equal to 0 using the key $K^{g*}_{1,r}$ in the equation. We then have one counter for every possible sub-key guess $K^{g*}_{1,r} \in \mathcal{K}^*_{1,r}$. Let the bias of the counter be $U^{K^*_{1,r}} = T^{K^*_{1,r}} - \frac{N}{2}$; then hopefully the bias of the counter for the correct sub-key $U^{K^*_{1,r}}$ is greater than the imbalance for all the wrong guesses $K^{w*}_{1,r} \in \mathcal{K}^*_{1,r} \setminus K^*_{1,r}$. That is, $U^{K^*_{1,r}} > U^{K^{w*}_{1,r}}$. The sub-key $K^*_{1,r}$ for which $U^{K^*_{1,r}} > U^{K^{g*}_{1,r}}$ for all possible sub-keys $K^{g*}_{1,r}$ is guessed to be the correct one. Then we perform an exhaustive search on the rest of the bits, but during the exhaustive search we only try the keys where

$$K \cdot \gamma = \frac{\mathrm{sign}(U^{K^*_{1,r}}) \cdot \mathrm{sign}(e) + 1}{2}$$

which will be the case for half the keys, and we have $2s + 1$ key bits from our linear equation. If the key shows to be wrong after the exhaustive search for the rest of the key bits, one is able to select the key corresponding to the second best value of $U^{K^{g*}_{1,r}}$, and continue until the correct key is found. It is harder to predict the accurate success rate of this method, because it is not enough to calculate the probability that $T > \frac{N}{2} \Leftrightarrow U > 0$ given that $K \cdot \gamma = 0$ and $e > 0$, which by the normal distribution function is approximated to be 97.72% using $N = e^{-2}$ $(P, C)$-pairs. The approximation of the success rate works fine in most cases, but there are at least two reasons why this simple approximation using the normal distribution is not accurate. For the first, the counter for the correct sub-key does not compete with one threshold $U^{K^*_{1,r}} > 0$, but with all the other counters, $U^{K^*_{1,r}} > U^{K^{w*}_{1,r}}$ for all wrong keys $K^{w*}_{1,r} = K^*_{1,r} \oplus w$, $w \neq 0$, where $w$ is of the same size as the keys. It is usually satisfying to include a constant $1 < c < 8$ in the prediction of the number of texts needed, $N = c \cdot e^{-2}$, and we need more texts to keep the success rate at 97.72%.
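The building blocks of this section, as an added example that is not code from the paper: the Python below (written for this edition) tabulates Matsui's $N_S(\alpha, \beta)$ for DES S-box 5 from the FIPS 46 table, which reproduces the $10_x \to F_x$ approximation with $N_{S5}(16, 15) = 12$ (imbalance $-20/64$) that the attacks in Section 4 build on, combines round imbalances with the piling-up lemma, evaluates the $N = c \cdot e^{-2}$ estimate, and applies the sign rule to a counter $T$ exactly as the text states it (same sign of $U$ and $e$ means $K \cdot \gamma = 0$). The function names and the sample counter values are assumptions of the example.

```python
"""Linear-attack building blocks from Section 2 (added example, not the paper's
code): the linear approximation table of DES S-box 5, the piling-up lemma,
the N = c * e^-2 data estimate and the sign rule for the key parity K.gamma.
Function names and the sample counter values are assumptions of this example."""

# DES S-box 5 as given in FIPS 46: row = outer two input bits, column = inner four.
S5 = [
    [2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9],
    [14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6],
    [4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14],
    [11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3],
]


def s5(x):
    """S5 on a 6-bit input x; bits 5 and 0 pick the row, bits 4..1 the column."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return S5[row][col]


def parity(v):
    """XOR of the bits of v (the dot product with an all-ones mask)."""
    return bin(v).count("1") & 1


def ns(alpha, beta):
    """Matsui's N_S(alpha, beta): number of the 64 inputs x for which
    parity(x & alpha) == parity(S5(x) & beta).  Imbalance e = N_S/64 - 1/2."""
    return sum(parity(x & alpha) == parity(s5(x) & beta) for x in range(64))


def best_approximation():
    """Mask pair (alpha, beta) of S5 with the largest |N_S - 32|, and that value."""
    best = max(((a, b) for a in range(1, 64) for b in range(1, 16)),
               key=lambda ab: abs(ns(*ab) - 32))
    return best[0], best[1], ns(*best) - 32


def piling_up(imbalances):
    """Imbalance of r concatenated, independent rounds: e = 2^(r-1) * prod(e_i)."""
    e = 2 ** (len(imbalances) - 1)
    for ei in imbalances:
        e *= ei
    return e


def texts_needed(e, c=1.0):
    """N = c * e^-2 text pairs for ~97.72% success; c is the noise constant the
    paper places between 1 and 8 (c = 1 is the plain normal approximation)."""
    return c * e ** -2


def guess_key_parity(T, N, e):
    """Sign rule of Section 2 as the text states it: with U = T - N/2, where T
    counts how often the left side of the approximation is 0, K.gamma is
    guessed 0 when U and e have the same sign and 1 otherwise."""
    U = T - N / 2
    same_sign = (U > 0) == (e > 0)
    return 0 if same_sign else 1
```

With `ns(0x10, 0xF)` the code returns 12 and with `ns(0x10, 0xE)` it returns 42, i.e. the $-20/64$ and $+10/64$ entries for S5 listed in Section 4; `best_approximation()` confirms that no other mask pair of S5 has a larger absolute imbalance than 20/64.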

3 Previous improvements

In the past ten years there have been some improvements of Matsui’s attack, and some additional techniques have been introduced, some of which are presented here.

Multiple linear approximations [9]

Using multiple linear equations [9] is more powerful than a single equation. The equations should have the same key bits involved and the same S-boxes involved in the outer rounds. The equations used should also have a bias $e$ approximately the same and greater than 0. We have $q$ equations

$$(G(P, K_1) \cdot \alpha_i) \oplus (G^{-1}(C, K_r) \cdot \beta_i) = (K \cdot \gamma) \quad (3)$$

where all the $q$ mask pairs $(\alpha_i, \beta_i)$ are different. Otherwise we have some equal equations. Each equation has the probability $p_i = \frac{1}{2} + e_i$, and the counter for each possible sub-key $K^{g*}_{1,r}$ should be $U^{K^{g*}_{1,r}} = \sum_i a_i U_i^{K^{g*}_{1,r}}$, where the weights $a_i$ are calculated as

$$a_i = \frac{e_i}{\sum_{j=1}^{q} e_j}$$

and the $U^{K^*_{1,r}}$ with the greatest absolute value, $|U^{K^*_{1,r}}| > |U^{K^{g*}_{1,r}}|$, is guessed as the key value and $K \cdot \gamma = \frac{\mathrm{sign}(U^{K^*_{1,r}}) \cdot \mathrm{sign}(e) + 1}{2}$ is guessed to be the right side of Equation 3. One advantage of using multiple equations is that the variance is reduced, so we need fewer plaintexts in order to keep the same success rate. Having $q$ equations with identical bias $e$, an expected success rate of 97.72% requires $N_M = c_M \cdot q^{-1} \cdot e^{-2} = N/q$ $(P, C)$ pairs, where $N_M$ is the number of pairs in the multiple case and $N$ is the required number in the single equation case. The noise factor $c_M$ is somewhat more complicated, but is, due to the weighting of the counters, a weighted average over the constants $c_i$ for the different equations.

Optimal key ranking [10]

Due to the symmetry of Feistel ciphers it is possible to exchange the first and the last round masks, and have an equation involving different key bits. In Matsui’s attack these two sets of bits are disjoint. The challenge here is to combine these two ranked key tables in order to find the correct combination in an optimal way. An optimal way of combining these two is described in [10]. Equation 2 may be used in combination with

$$(G(P, K_1^*) \cdot \beta) \oplus (G^{-1}(C, K_r^*) \cdot \alpha) = (K \cdot \gamma') \quad (4)$$

where $\gamma'$ is different from $\gamma$ in Equation (2). In the last section we saw that if $\gamma = \gamma'$, and if $\alpha$ and $\beta$ involve the same S-box, we have multiple equations, and the number of texts required for success is reduced. Notice also that since different S-boxes are involved in Equations (2) and (4), one may have disjoint sets of key bits involved, and one gets two independent key ranking tables. Junod et al. proved that to get an optimal ranking one should sort the sub-key candidates by a decreasing sum of squares of the biases. That is, for each equation one has a counter $T_1$ and $T_2$, and each possible key $K^{g*}$ has its own counter $T_i^{K^{g*}_i}$. The two tables are then sorted by decreasing values $(T_i^{K^{g*}_i} - 1/2)^2$, and the sub-key candidate $K^{g*}$ with the highest sum $U^{K^{g*}} = (T_1^{K_1^{g*}} - 1/2)^2 + (T_2^{K_2^{h*}} - 1/2)^2$, where $K^{g*} = (K_1^{g*}, K_2^{h*})$, is ranked the most likely key. This is optimal, and slightly better than previously used methods: $U^{k} = R_1(U^{k_1}) \cdot R_2(U^{k_2})$, where $R_i(U^{k_i})$ is the ranking of the key $k_i$ in the table of sorted $U_1^{K^{g*}_{1,r}} = |T_1^{K^{g*}_{1,r}} - N/2|$.

Some other improvements on the linear attack

[11] introduced non-linear approximations in linear cryptanalysis. In the outer rounds the linear approximations are replaced by non-linear ones, and there was an improvement in a five-round attack on DES recovering one bit. There was no significant improvement on the full-round attack. [12] introduced an attack using a quadratic relation in S-box no. 5 to improve the linear attack. They use Matsui’s original linear relation in addition to a quadratic relation to increase the effectiveness of the attack by reducing the number of texts required by a factor 25/34. There is also a chosen plaintext attack presented in [13] where the success rate is good, but the exhaustive search phase requires $2^{44}$ computations to succeed. In the next section we show how to reduce this complexity by a factor 4 by using the full potential of the effective key bits in the equation used. Another efficient attack using both differential and linear techniques is presented in [14,15]. It seems quite effective on reduced-round DES, but is not so effective on the full DES. We are not going into details of these improvements of the linear attack, since these methods are not used in this article.

4 Improvements in the Linear Attack on DES

In this chapter we present what we believe are the two most effective attacks on DES with respect to complexity. First we improve the performance of the chosen plaintext attack presented in [13]. Secondly, we present a known plaintext attack which uses Matsui’s equations combined with some new equations.

Chosen plaintext linear attack

This attack uses what are called pseudo keys to be able to reduce the number of approximated rounds by one. The probability of success increases and one finds more key bits. We will start by explaining some simpler techniques before the more complicated case. Instead of having a 14-round approximation from the 2nd to the (r−1)st round, we use a 13-round approximation from the 3rd to the (r−1)st round:

   Round   Original approximation   Our approximation
    2:     -
    3:     A ← D                    -
    4:     D ← A ⊕ B                A ← D
    5:     B ← D                    D ← A ⊕ B
    6:     -                        B ← D
    7:     B ← D                    -
    8:     D ← A ⊕ B                B ← D
    9:     A ← D                    D ← A ⊕ B
   10:     -                        A ← D
   11:     A ← D                    -
   12:     D ← A ⊕ B                A ← D
   13:     B ← D                    D ← A ⊕ B
   14:     -                        B ← D
   15:     B ← D                    -

The probabilities of the approximations are:

   Approximation   S-box   Probability    Masks in hex
   A ← D           S5      1/2 + 10/64    E_x, 10_x
   B ← D           S5      1/2 − 20/64    F_x, 10_x
   B ← D’          S5      1/2 − 12/64    F_x, 22_x
   A ← D’          S5      1/2 − 16/64    E_x, 22_x
   D ← A ⊕ B       S1      1/2 − 2/64     4_x, 04_x

The full equation where one guesses a pseudo-key in the second round is:

$$(P^R \cdot A) \oplus (F_5(P^L, F_6(P^R, K_1^*) \oplus K_2'^*) \cdot A) \oplus (C^L \cdot B) \oplus (F_5(C^R, K_{16}^*) \cdot B) = K \cdot \gamma \quad (5)$$

where $K_2'^*$ is a pseudo key, and $K_1^*$ and $K_{16}^*$ are the involved key bits from the round keys in round 1 and 16 respectively. The subindex $i$ in $F_i$ refers to which S-box is involved in the approximation. That is, $K_{16}^*$ in $F_5(C^R, K_{16}^*)$ refers to the key bits from $K_{16}$ which are involved in S-box 5 in round 16. We will explain how to interpret this equation. In principle one approximates the sum of some output bits from S-box 5 in the second round plus some active key bits $(K \cdot \gamma)$ and the sum of some of the output bits from S-box 5 in the last round. One knows the plaintext and the corresponding ciphertext, but not the key $K$ nor the round keys. To get the value of $F_1(C^R, K_{16}^*) \cdot B$ one needs to know the input to S-box 5. The text part $C^R$ is known, but the 6 key bits $K_{16}^*$ are unknown, so they are guessed. This is simple and has been done before; the problem is to find the input to S-box 5 in the second round. It is called the pseudo key trick, and is shown in Figure 1. The six input bits come from six different S-boxes in the first round, $\{S_3, S_1, S_2, S_6, S_4, S_8\}$, presented according to the actual permuted order. To guess all the unknown key bits input to all these functions would involve too many effective key and text bits. The unknown input to S-box 5 in the second round is denoted $x_2 = y_1(P^R, K_1^*) \oplus K_2^* \oplus P^L$, where $y_1 = (s_3, s_1, s_2, s_6, s_4, s_8)$ is the output bits from the S-boxes which give input to S-box 5 in the second round. If the input to these S-boxes involved in $y_1$ is fixed, one

[Figure 1 (image not reproduced): the first-round S-boxes $S_1, S_2, S_3, S_4, S_6, S_8$ fed from $P^R$ through the expansion $E$ and $K_1$, the path $F_5(P^L, F_6(P^R, K_1^*) \oplus K_2'^*) \cdot A$ with $K_2$ and $E$ into the input of S-box 5 in the second round.]

Fig. 1. Detailed description of the first round trick. The plaintext is divided in two halves $P = (P^L, P^R)$. The figure illustrates in detail in which order and how the different operations influence the input of S-box 5 in the second round.

has a fixed, but unknown value $y_1$. The fixed value of $K_2'^* = K_2^* \oplus y_1$ could be guessed instead. In that case the equation is

$$(P^L \cdot A) \oplus (F_5(P^L, K_2'^*) \cdot A) \oplus (C^L \cdot B) \oplus (F_5(C^R, K_{16}^*) \cdot B) = K \cdot \gamma, \quad (6)$$

which involves guessing only twelve key bits, and has only 13 effective text bits. The problem with keeping all the input bits to six S-boxes fixed is that there are only 36 bits left to vary, and one does not have enough plaintexts to attack the DES. Of all these six S-boxes the sixth has a special property: varying all six bits of this S-box does not influence the neighboring S-boxes. The other S-boxes have the property that varying all the bits will also vary the input to a neighboring S-box because of the expansion function $E$. We then redefine $y_1 = (s_3, s_1, s_2, 0, s_4, s_8)$ such that it is still fixed and $K_2'^* = K_2^* \oplus y_1$ is still fixed, but $x_2 = y_1(P^R, K_1^*) \oplus K_2^* \oplus F_6(P^R, K_1^*) \oplus P^L = K_2'^* \oplus F_6(P^R, K_1^*) \oplus P^L$, where $F_6(P^R, K_1^*) = (0, 0, 0, s_6, 0, 0)$ and $P^L$ is varying. This explains Equation (5). The probability $p_1 = 1/2 + e_1 = 1/2 + 16 \cdot 5^6/2^{38}$ of this equation is slightly more biased than that of Matsui. The predicted number of plaintexts needed is

$$N = c \cdot (p_1 - \tfrac{1}{2})^{-2} = c \cdot e_1^{-2} = c \cdot 1.10 \cdot 2^{40},$$

where $c$ is a constant between 1 and 8. The constant $c$ depends on a correlation between the equation for the correct key and the equation applying the wrong ones. The prediction of the original attack is $N = c_M \cdot 2.81 \cdot 2^{40}$, where the constant $c_M$ is different from $c$. In the attack one uses multiple equations [9] having exactly the same key bits involved, and thus reducing the number of texts needed. The approximation

$$(P^L \cdot A) \oplus (F_5(P^R, F_6(P^R, K_1^*) \oplus K_2'^*) \cdot A) \oplus (C^L \cdot B) \oplus (F_5(C^R, K_{16}^*) \cdot B) = K \cdot \gamma \quad (7)$$

involves exactly the same key bits as Equation (12) and has the same probability $p_2 = p_1$. The predicted number of texts needed is then

$$N = c \cdot (e_1^2 + e_2^2)^{-1} = c \cdot 1.10 \cdot 2^{39},$$

which is a reduction by a factor 2 compared to only using a single equation. This looks like an improvement by a factor of 5.12, but the noise from the wrong keys is greater in this attack, since one guesses 15 key bits instead of 12 key bits, and because of the first round trick. The results in Tables 1 and 2 show an overall factor 2 improvement over Matsui’s attack including the exhaustive search for the remaining key bits. The reason why one does not see a greater improvement is that the wrong keys have a high correlation with the correct key, which leads to a greater value of the constant $c$.

Table 1. Comparison between Matsui’s attack, the chosen plaintext attack from [13] and the new attack using 100 simulations on 8 rounds of DES. It shows a reduction of a factor 4 in the exhaustive search computation compared to the previous attack, and a reduction of a factor 2 in the number of needed plaintexts in comparison to Matsui’s attack.

                    Matsui’s attack    previous attack    new attack
   plaintexts       2^42     2^43      2^41     2^42      2^41     2^42
   Success rate     30%      85%       32%      86%       31%      90%
   Ex. key search   2^42     2^43      2^44     2^44      2^42     2^42

Table 2. Results of the chosen plaintext attack on the DES using $2^{42}$ plaintexts. These results are data from 10 attacks on the DES. It shows that the simulations on 8 rounds of DES work as expected. The tests were run on a single 2 GHz Pentium 4 in less than two weeks. The exhaustive key search with complexity $2^{41}$ will take another two weeks on a single PC.

   Ex. search   Success rate
   2^41         80%
   2^43         90%
   2^45         100%

Known plaintext linear attack

Here we first present some new equations for use in the linear attack. Then these equations are combined with Matsui’s original equations in order to have an improved attack. The attack uses Matsui’s equations:

$$(P^L \cdot A) \oplus (F_5(P^R, K_1^*) \cdot A) \oplus (C^R \cdot B) \oplus (C^L \cdot D) \oplus (F_1(C^R, K_{16}^*) \cdot D) = K \cdot \gamma_1 \quad (8)$$

and

$$(C^L \cdot A) \oplus (F_5(C^R, K_{16}^*) \cdot A) \oplus (P^R \cdot B) \oplus (P^L \cdot D) \oplus (F_1(P^R, K_1^*) \cdot D) = K \cdot \gamma_2, \quad (9)$$

where the index of $F_i$ indicates that S-box $i$ is involved in the function. Equations (8) and (9) have the same probability since the same approximations are included, however in different rounds. The probability of the equations is $\frac{1}{2} + 10 \cdot 5^6/2^{38}$. Notice also that the right sides of the equations involve different key bits. We also use the following two equations:

$$(P^L \cdot B) \oplus (F_5(P^R, K_1^*) \cdot B) \oplus (C^R \cdot A) \oplus (C^L \cdot D) \oplus (F_1(C^R, K_{16}^*) \cdot D) = K \cdot \gamma_1 \quad (10)$$

and

$$(C^L \cdot B) \oplus (F_5(C^R, K_{16}^*) \cdot B) \oplus (P^R \cdot A) \oplus (P^L \cdot D) \oplus (F_1(P^R, K_1^*) \cdot D) = K \cdot \gamma_2, \quad (11)$$

where the right sides of Equations (10) and (11) are equal to those of Equations (8) and (9), respectively. The probability of these equations is $\frac{1}{2} + 5 \cdot 5^6/2^{38}$. Equations (8) and (10) also involve the same sub-key bits in the functions. The same applies to the other two. We use several such pairs of equations where the involved key bits are exactly the same, and call them twin equations. One might calculate a new probability of success for the twin by the formula

$$p = \frac{1}{2} + \sqrt{(p_1 - \tfrac{1}{2})^2 + (p_2 - \tfrac{1}{2})^2},$$

so the imbalance is expected to be $e = \sqrt{e_1^2 + e_2^2}$. The predicted number of text pairs needed to succeed with 97.72% is $N = c \cdot e^{-2} = c/(e_1^2 + e_2^2)$. The number of text pairs required to get 97.72% success using one of the two twin pairs is

$$N_1 = N_2 = \frac{c_1 \cdot 2^{76}}{5^{12}(5^2 + 10^2)} = \frac{c_1 \cdot 2^{76}}{5^{15}},$$

so the gain compared to using a single equation is $R = 2^{76} \cdot 5^{14}/(2^{74} \cdot 5^{15}) = 4/5$. Using both twin pairs is equivalent to what Matsui does when he uses two single equations, which is a way to double the number of bits found. But we may use other equations to find more key bits. We found another set of equations which can be used to advantage to get more key bits. These two approximations are twin pairs. The approximations involve S-box 5 in the first round and S-box 3 and S-box 4 in the last round. The equation of the first approximation is

$$(P^L \cdot A) \oplus (F_5(P^R, K_1^*) \cdot A) \oplus (C^R \cdot B) \oplus (C^L \cdot D') \oplus (F_{3,4}(C^R, K_{16}^*) \cdot D') = K \cdot \gamma_3 \quad (12)$$

and the second approximation is

$$(P^L \cdot B) \oplus (F_5(P^R, K_1^*) \cdot B) \oplus (C^R \cdot A) \oplus (C^L \cdot D') \oplus (F_{3,4}(C^R, K_{16}^*) \cdot D') = K \cdot \gamma_3, \quad (13)$$

where $\gamma_3$ is identical and the involved S-boxes are the same in both equations. A fourth twin pair having the same approximation, made by interchanging the roles of the plaintext and ciphertext bits in Equations (12) and (13), is

$$(C^L \cdot A) \oplus (F_5(C^R, K_{16}^*) \cdot A) \oplus (P^R \cdot B) \oplus (P^L \cdot D') \oplus (F_{3,4}(P^R, K_1^*) \cdot D') = K \cdot \gamma_4 \quad (14)$$

and the second approximation is

$$(C^L \cdot B) \oplus (F_5(C^R, K_{16}^*) \cdot B) \oplus (P^R \cdot A) \oplus (P^L \cdot D') \oplus (F_{3,4}(P^R, K_1^*) \cdot D') = K \cdot \gamma_4, \quad (15)$$

and the probability of Equations (12) and (14) is $\frac{1}{2} + 6 \cdot 5^6/2^{38}$ and Equations (12) and (14) have the probability $\frac{1}{2} + 8 \cdot 5^6/2^{38}$. The number of text pairs required to get 97.72% success using one of these two twin pairs is

$$N_3 = N_4 = \frac{c_2 \cdot 2^{76}}{5^{12}(6^2 + 8^2)} = \frac{c_2 \cdot 2^{76}}{5^{14}},$$

which is the same as for Equations (8) and (9). Using all these twin pairs together is useful, and gives us as many as 38 distinct key bits in case of a correct guess; that is, we have 10 overlapping bits. The right sides of the equations also give us 4 bits of information, which leaves 14 remaining key bits to an exhaustive search. It is important to know that the new equations include one S-box in the first (or last*) round and two S-boxes in the last (or first*) round. As more unknown key bits are guessed more noise is added, so $c_2$ is expected to be greater than $c_1$. This should also be considered by using a weight $w = c_1/c_2$ to cancel this difference to give an optimal key ranking. Then the exact values of $c_1$ and $c_2$ are needed, and could possibly be calculated from the correlation between the functions for the correct and the right keys, but this seems quite involved, so we leave it for future research. Each of Equations (8), (10), (9), (11), (12), (13), (14), (15) has its own counter $T_1, T_2, T_3, T_4, T_5, T_6, T_7, T_8$, which counts how many times the right side of the equation is 0. Each of the twin pairs (multiple) Equations ((8),(10)), ((9),(11)), ((12),(13)) and ((14),(15)) has its own counter $TM_1, TM_2, TM_3$ and $TM_4$. Each $TM_i$ is a weighted sum of the counters for each of the twin pairs (multiple equations) (1, 2), (3, 4), (5, 6) and (7, 8)

$$TM_i = a_{2i-1} T_{2i-1} + a_{2i} T_{2i}$$

where the weight is calculated as in [9] for odd indexes

$$a_{2i-1} = \frac{e_{2i-1}}{e_{2i-1} + e_{2i}}$$

and for even indexes

$$a_{2i} = \frac{e_{2i}}{e_{2i-1} + e_{2i}}.$$

Now we have individually weighted the sets of equations that have exactly the same key bits involved. It remains to use a weighted ranking between the tables involving different key bits. The key bits in the different tables in our attack are not totally disjoint, but that is taken care of during the key ranking part. The ranking due to [10] is

$$T = \sum_{i=1}^{4} (b_i TM_i)^2$$

where

$$b_i = \sqrt{e_{2i-1}^2 + e_{2i}^2}.$$

If we calculate the squared factor between the different weights being used in our attack we get

$$\left(\frac{b_1}{b_3}\right)^2 = \left(\frac{b_2}{b_4}\right)^2 = \left(\frac{\sqrt{10^2 + 5^2}}{\sqrt{6^2 + 8^2}}\right)^2 = \frac{5}{4}$$

and since we may change the weights by the same fraction without affecting the result we use $b_1 = b_2 = 5$ and $b_3 = b_4 = 4$, which shows that Matsui’s equation using multiple equations is slightly stronger by a factor 5/4. The combination of the different key tables is then

$$T = 5 TM_1 + 5 TM_2 + 4 TM_3 + 4 TM_4$$

and the key ranking is done by sorting the values of $T$ in decreasing order, and we get an optimal Neyman-Pearson ranking procedure. If we look at Table 3, presenting results of 100 attacks, we make the following observations:

– The results in this table are included to compare with the results from the paper [10]. They want to point out the improvements of better ranking methods. Using the same amount of text data the improvement in the exhaustive part is non-trivial, and the improvement factors for the different parameters range from 1.11 to 2.55. Where we present a factor 2 improvement it should not be mixed up with their factor 2.55.
– The average factor of $2^{8.88}$ is not a good statistical measure, because the numbers are highly influenced by a few high single events like $C_{max}$, which is a factor $2^{6.13}$ improvement. This could be due to few deviations, but the results could indicate a more spread complexity.
– $C_{min}$ on $2^{14}$ is hardly a coincidence since we have 22 of the keys ranked at first place. In 50% of the attacks the correct key is ranked among the 11 (complexity $2^{17.46}$) best, which $C_{med}$ indicates, and this is an improvement of a factor $2^{19.38}$.
– We also use the ranking technique from [10], and therefore compare our results with the attack on DES with optimal ranking.

The results in Table 5 show that a weighting of the different tables according to [10] will give better results in the cases of using $2^{43}$ and $2^{42}$ known plaintexts, but it did not look better than not using weights if we used $2^{41}$ texts. This indicates that the optimal weighting must be adjusted to the number of texts used.
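One way to carry out the counter weighting of [9] and the sum-of-squares ranking of [10] described above, as an added example written for this edition and not the paper’s own code: it computes the twin-pair weights $a_{2i-1}, a_{2i}$ and table weights $b_i$ from the eight imbalances listed in this section (in units of $5^6/2^{38}$), reproduces the $5/4$ weight ratio and the $N_1 = c_1 \cdot 2^{76}/5^{15}$ text estimate, and ranks every combination of sub-key gu from disjoint tables by $T = \sum_i (b_i TM_i)^2$. The two 2-bit sub-key tables and their counter biases are constructed toy data, and all function names are assumptions of the example.

```python
"""Weighted counters and optimal key ranking (added example, not the paper's
code).  Implements the multiple-approximation weights a_i of [9], the table
weights b_i and the sum-of-squares ranking of [10] over disjoint sub-key
tables.  Function names and the toy tables below are assumptions."""
from itertools import product
from math import sqrt

# Imbalances of Equations (8), (10), (9), (11), (12), (13), (14), (15) in the
# order the paper assigns to counters T_1..T_8, in units of 5^6 / 2^38.
UNIT = 5 ** 6 / 2 ** 38
PAPER_BIASES = [10 * UNIT, 5 * UNIT, 10 * UNIT, 5 * UNIT,
                6 * UNIT, 8 * UNIT, 6 * UNIT, 8 * UNIT]


def twin_weights(e_odd, e_even):
    """a_{2i-1} and a_{2i} for one twin pair: a_j = e_j / (e_{2i-1} + e_{2i})."""
    s = e_odd + e_even
    return e_odd / s, e_even / s


def twin_counter(u_odd, u_even, e_odd, e_even):
    """TM_i = a_{2i-1} T_{2i-1} + a_{2i} T_{2i} applied to counter biases U."""
    a_odd, a_even = twin_weights(e_odd, e_even)
    return a_odd * u_odd + a_even * u_even


def table_weight(e_odd, e_even):
    """b_i = sqrt(e_{2i-1}^2 + e_{2i}^2)."""
    return sqrt(e_odd ** 2 + e_even ** 2)


def squared_weight_ratio(biases, i, j):
    """(b_i / b_j)^2 for twin pairs i and j (1-based); 5/4 for pairs 1 and 3."""
    b_i = table_weight(biases[2 * i - 2], biases[2 * i - 1])
    b_j = table_weight(biases[2 * j - 2], biases[2 * j - 1])
    return (b_i / b_j) ** 2


def twin_texts_needed(e_odd, e_even, c=1.0):
    """N = c * e^-2 = c / (e_1^2 + e_2^2) for a twin pair at 97.72% success."""
    return c / (e_odd ** 2 + e_even ** 2)


def rank_keys(tables, weights):
    """tables[i] maps a sub-key guess to its twin-weighted counter bias TM_i and
    weights[i] is b_i.  Every combination of one guess per table is scored by
    T = sum_i (b_i * TM_i)^2; returns [(guess tuple, T), ...] with T decreasing."""
    scored = []
    for combo in product(*(t.items() for t in tables)):
        guess = tuple(k for k, _ in combo)
        T = sum((b * u) ** 2 for b, (_, u) in zip(weights, combo))
        scored.append((guess, T))
    scored.sort(key=lambda gt: gt[1], reverse=True)
    return scored


# Constructed toy data: two disjoint 2-bit sub-key tables holding biases
# U = T - N/2 (not DES measurements), weighted b = 5 and b = 4 as in the text.
TOY_TABLE_1 = {0b00: 3.0, 0b01: -11.0, 0b10: 2.0, 0b11: 5.0}
TOY_TABLE_2 = {0b00: -1.0, 0b01: 9.0, 0b10: -8.0, 0b11: 0.5}


def toy_ranking():
    """Rank the 16 combined guesses of the toy tables; the best is (0b01, 0b01)."""
    return rank_keys([TOY_TABLE_1, TOY_TABLE_2], [5.0, 4.0])
```

Because the score squares each weighted bias, the sign of $U$ plays no role in the ranking, only its magnitude, which is why the candidate with $U = -11$ in the first toy table heads the list; the sign is used afterwards, through the sign rule, to fix the parity bit $K \cdot \gamma$ of each equation.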

Table 3. Comparison between Matsui’s attack using the optimal key ranking technique from [10] and our own attack also using this ranking. We do not think the table gives a correct picture of the complexity, but the table is there just to compare the difference in improvement from [10]. In the 100 attacks giving the results in the table we simulate the use of $2^{43}$ text pairs by using the same simulation methods as Matsui. The argument that this works is due to the use of exactly the same approximation in the 8-round attack as in a 16-round attack, and this is well founded by experiments.

              Matsui    Matsui/optimal ranking   Our/optimal ranking   Improvement factor
log2 µC       41.4144   40.8723                  31.9902               2^8.88
log2 C85%     40.7503   40.6022                  27.4426               2^13.16
log2 Cmin     32.1699   31.3219                  14.0000               2^17.3219
log2 Cmed     38.1267   36.7748                  17.4594               2^19.38
log2 Cmax     45.4059   44.6236                  38.4936               2^6.13

Table 4. Results of the known plaintext attack compared with Matsui's success rate of 85% using 2^43 texts with an exhaustive search complexity of 2^40.7503. This is a fairer comparison, which gives us a factor 2 improvement compared to [4,5].

Data complexity       2^43      2^42      2^41
Time complexity       2^27.44   2^41.31   2^47.23
Success probability   85%       85%       85%

Table 5. Results of a simulation of 100 known plaintext attacks on 8-round DES. The columns marked with a "*" are the ones where the different key tables are individually weighted. In the other columns the tables are not individually weighted.

Ex.search   2^43 texts   2^43 texts*   2^42 texts   2^42 texts*   2^41 texts   2^41 texts*
2^38        99%          99%           61%          66%           16%          16%
2^39        99%          100%          62%          71%           20%          17%
2^40        100%         100%          70%          80%           24%          22%
2^41        100%         100%          74%          84%           31%          28%
2^42        100%         100%          80%          92%           41%          37%
2^43        100%         100%          83%          93%           49%          44%
2^44        100%         100%          88%          96%           56%          53%

5 Conclusion

This paper presents what we believe are the best shortcut attacks on DES in terms of complexity. We present a chosen plaintext attack having a total improvement of a factor 2 over the original attack. The other attack we present is a known plaintext attack, which has a factor 2 improvement. If we compare using the same measures as [10], we get an improvement factor of approximately 2^20 in the exhaustive search phase. This way of measuring gives us a huge advantage, and should not be considered as the complexity measure. It was also pointed out by Matsui in [5] that the probability of the linear equation only depends on the value w, where K*_{1,16} ⊕ w is inserted into the equation and K*_{1,16} is the correct sub-key. This fact may give us a more accurate method to predict the success rate of linear attacks. It might be used in a method to increase the success rate, and also to remove the noise factor c. Different weightings of tables representing disjoint sub-keys give different results depending on how many text pairs we use. This shows the need for a more accurate weighting, or for taking more factors into consideration when calculating the weights. The fact that different equations have different noise factors c_i indicates that we should take this into consideration when calculating the weights.

References

1. National Bureau of Standards, "Data encryption standard," Federal Information Processing Standard (FIPS), Publication 46, National Bureau of Standards, U.S. Department of Commerce, Washington D.C., January 1977.
2. E. Biham and A. Shamir, "Differential cryptanalysis of DES-like cryptosystems," Journal of Cryptology, vol. 4, no. 1, pp. 3–72, 1991.
3. M. Matsui and A. Yamagishi, "A new method for known plaintext attack of FEAL cipher," in Advances in Cryptology - EUROCRYPT'92, LNCS 658, R. Rueppel, Ed. 1992, pp. 81–91, Springer Verlag.
4. M. Matsui, "Linear cryptanalysis method for DES cipher," in Advances in Cryptology - EUROCRYPT'93, LNCS 765, T. Helleseth, Ed. 1993, pp. 386–397, Springer Verlag.
5. M. Matsui, "The first experimental cryptanalysis of the Data Encryption Standard," in Advances in Cryptology - CRYPTO'94, LNCS 839, Y.G. Desmedt, Ed. 1994, pp. 1–11, Springer Verlag.
6. S. Vaudenay, "An experiment on DES - statistical cryptanalysis," in Proceedings of the 3rd ACM Conferences on Computer Security, New Delhi, India. 1995, pp. 139–147, ACM Press.
7. M. Matsui, "On correlation between the order of S-boxes and the strength of DES," in Advances in Cryptology - EUROCRYPT'94, LNCS 950, A. De Santis, Ed. 1995, Springer Verlag.
8. M. Matsui, "New structure of block ciphers with provable security against differential and linear cryptanalysis," in Fast Software Encryption, Third International Workshop, Cambridge, UK, February 1996, LNCS 1039, D. Gollman, Ed. 1996, pp. 205–218, Springer Verlag.
9. B.S. Kaliski and M.J.B. Robshaw, "Linear cryptanalysis using multiple approximations," in Advances in Cryptology: CRYPTO'94, LNCS 839, Y. Desmedt, Ed. 1994, pp. 26–39, Springer Verlag.
10. P. Junod and S. Vaudenay, "Optimal key ranking procedures in a statistical cryptanalysis," in Fast Software Encryption: FSE 2003, LNCS 2887, T. Johansson, Ed. 2003, pp. 235–246, Springer Verlag.
11. L.R. Knudsen and M.P.J. Robshaw, "Non-linear approximations in linear cryptanalysis," in Advances in Cryptology: EUROCRYPT'96, LNCS 1070, U. Maurer, Ed. 1996, pp. 224–236, Springer Verlag.
12. T. Shimoyama and T. Kaneko, "Quadratic relation of s-box and its application to the linear attack of full round DES," in Advances in Cryptology: CRYPTO'98, LNCS 1462, H. Krawczyk, Ed. 1998, pp. 200–211, Springer Verlag.
13. L. R. Knudsen and J. E. Mathiassen, "A chosen-plaintext linear attack on DES," in Fast Software Encryption: FSE 2000, LNCS 1978, B. Schneier, Ed. 2000, pp. 262–272, Springer Verlag.
14. M.E. Hellman and S.K. Langford, "Differential–linear cryptanalysis," in Advances in Cryptology: CRYPTO'94, LNCS 839, Y. Desmedt, Ed. 1994, pp. 26–39, Springer Verlag.
15. E. Biham, O. Dunkelmann, and N. Keller, "Enhancing differential-linear cryptanalysis," in Advances in Cryptology: ASIACRYPT 2002, LNCS 2501, Y. Zheng, Ed. 2002, pp. 254–266, Springer Verlag.


On the role of key schedules in attacks on iterated ciphers

Lars R. Knudsen1 and John E. Mathiassen2

1 Department of Mathematics, Technical University of Denmark 2 Department of Informatics, University of Bergen, Norway

Abstract. This paper considers iterated ciphers and their resistance against linear and differential cryptanalysis. In the theory of these attacks one assumes independence of the round keys in the ciphers. Very often though, the round keys are computed in a key schedule algorithm from a short key in a nonrandom fashion. In this paper it is shown by experiments that ciphers with complex key schedules resist both attacks better than ciphers with more straightforward key schedules. It is well-known that by assuming independent round keys the probabilities of differentials and linear hulls can be modeled by Markov chains and that for most such ciphers the distribution of the probabilities of these converge to the uniform distribution after some number of rounds. The presented experiments illustrate that some iterated ciphers with very simple key schedules will never reach this uniform distribution. Also the experiments show that ciphers with well-designed, complex key schedules reach the uniform distribution faster (using fewer rounds) than ciphers with poorly designed key schedules. As a side result it was found that there exist ciphers for which the differential of the highest probability for one fixed key is also the differential of the highest probability for any other key. It is believed that this is the first such example provided in the literature.

1 Introduction

Most block ciphers today are so-called iterated ciphers. Here the ciphertext is computed as a function of the plaintext and the user-selected key, K, in a number of iterations. Typically, the user-selected key is input to a key scheduling algorithm, which returns a series of r keys, K_1, . . . , K_r. Let g(·, ·) be a function which is a bijective mapping when the second argument is fixed. Then the ciphertext is computed as c_r, where

c_i = g(c_{i−1}, K_i),

c_0 is the plaintext and the K_i's are the so-called round keys. This is called an r-round iterated cipher. Since g is assumed to be injective for fixed K_i, c_{i−1} = g^{−1}(c_i, K_i), and the plaintext can be computed from the ciphertext and the round keys by inverting the encryption process.

Differential cryptanalysis [2] and linear cryptanalysis [9] are the most effective short-cut attacks against iterated secret-key (block) ciphers today. The attacks have been applied to a wide range of ciphers and are applicable particularly to iterated block ciphers where a weak function is iterated a number of times. The crucial step in differential and linear cryptanalysis is the search for so-called characteristics covering sufficiently many rounds of the cipher. An r-round characteristic is a tool to predict with a high probability some values of the ciphertext after each of the r rounds given some values of a plaintext block. In differential cryptanalysis one looks at differences between two plaintexts and their corresponding ciphertexts; in linear cryptanalysis one looks at linear relations between the bits in a plaintext, the key used and the corresponding ciphertext. Characteristics over several rounds are constructed by combining characteristics over one round, which are usually easy to find by brute force. This combination of probabilities is only valid when the characteristics for single rounds are independent, which usually will be the case by assuming independent round keys, but which is almost never the case for practical ciphers.

An r-round differential [8] is a tool to predict with some probability some difference in a pair of ciphertexts after r rounds of encryption given some difference in two plaintexts. Thus, the probability of a differential will in general be higher than for a corresponding characteristic predicting the same ciphertext bits given the same plaintext bits. To prove resistance against differential attacks, or to conclude that one has found the best differential attack, one must be able to bound or find the best differentials; a bound on the best characteristics is not sufficient. For all existing ciphers it is impossible to find the best differentials, e.g. for a 64-bit block cipher like the DES [16] there are (2^64)^2 possible differentials. The equivalent notion of a differential versus a characteristic for linear cryptanalysis is that of an r-round linear hull [13]. To prove resistance against linear attacks one must be able to bound or find the best linear hulls. This is also a hard problem for most practical ciphers.

[8] introduces the notion of a Markov cipher, for which a probability of an r-round differential characteristic can be found from the probabilities of the involved one-round characteristics, if it is assumed that the round keys are independent and uniformly random. Most iterated ciphers in use today are Markov ciphers. The theory of Markov ciphers for linear cryptanalysis was described in [14]. For both attacks it was shown that for almost all iterated ciphers which are Markov ciphers, the distribution of the probabilities of differentials and of linear hulls converge to the uniform distribution after some number of rounds.

For many Markov ciphers it is possible to find the highest probabilities of characteristics for both differential and for linear cryptanalysis. [10] and [17] describe results of such a search algorithm for various ciphers, e.g., for the DES. It should be stressed, however, that the search assumes that the round keys involved are independent, whereas all practical ciphers take a relatively small key and expand it to a series of dependent round keys. It remains an open problem to find an algorithm which efficiently computes the probabilities of characteristics over several rounds for iterated ciphers with such key schedules.

To explore this problem a series of tests were conducted on several small ciphers. The method is as follows. A cipher was chosen together with a number of different key schedules. Then for different numbers of rounds the probabilities of all differentials and all linear hulls were computed and various quantities recorded from the tests.

This paper is organised as follows. §2 describes our experiments in more detail and §3 discusses the results obtained. In §4 we discuss some possible future work and open problems and §5 gives some concluding remarks.

2 Experiments

In this section we describe some experiments made on small Feistel ciphers with n-bit blocks and n-bit keys. A key schedule is introduced which takes the n-bit key as input and returns a series of round keys. The test cipher is an eight-bit Feistel cipher, where eight text bits and four key bits are input to each round. Let X_L^i and X_R^i denote the leftmost respectively rightmost four bits of the eight-bit text input to the ith round and K_i the ith round key; then the text output from the round function is calculated as:

(X_L^{i+1}, X_R^{i+1}) = (X_R^i, F(X_R^i ⊕ K_i) ⊕ X_L^i)

where F : {0, 1}^4 → {0, 1}^4 is a four-to-four bit nonlinear function and K_i is a four-bit round key. Two versions of this cipher were chosen, one where F is a bijection and one where F is a randomly chosen mapping. The functions are

F1 : {10, 3, 11, 7, 5, 13, 2, 6, 8, 0, 4, 9, 12, 14, 1, 15} and
F2 : {5, 11, 9, 4, 7, 13, 8, 1, 1, 15, 7, 14, 2, 7, 9, 9}

where the notation used means F1[0] = 10, F1[1] = 3, F1[2] = 11 etc. Five different key schedules were developed for our experiments. The first four key schedules all take an eight-bit key K as input and produce r 4-bit round keys K_i for i = 1, . . . , r. All four algorithms take the user-selected key and divide it into two 4-bit halves, K_L and K_R. The first key schedule is defined as follows.

Key schedule 1: Input: K = K_L | K_R

  For i = 1 to r/2 do
    K_{2i−1} = K_L
    K_{2i} = K_R
  For i = 0 to r do
    K_i = K_i XOR i

Here the round keys are constructed simply by repeating the user-selected key halves over the rounds. It is well known that such key schedules leave the cipher very vulnerable to so-called related-key attacks [6, 1] and slide attacks [3]. To avoid these attacks, a round constant is added to the round keys. However, the key schedule is still weak, in that the even-numbered rounds in the cipher depend only on one key half and the odd-numbered rounds in the cipher depend only on the other key half. To avoid this symmetry the second key schedule uses the key halves in a different order over the rounds.

Key schedule 2: Input: K = K_L | K_R

  For i = 1 to r/4 do
    K_{4i−3} = K_L
    K_{4i−2} = K_R
    K_{4i−1} = K_R
    K_{4i} = K_L
  For i = 0 to r do
    K_i = K_i XOR i

As before, a round constant is added to the round keys. The first two schedules use the 4-bit halves of K directly, that is, the least significant bit of a round key depends only on the least significant bits of the two halves of the input key. To avoid such properties the third schedule uses rotations to spread the bits of K over all positions in the round keys.

Key schedule 3: Input: K = K_L | K_R

  K_1 = K_L
  K_2 = K_R
  K_3 = LeftShift(K_L, 2) + RightShift(K_R, 2)
  K_4 = LeftShift(K_R, 2) + RightShift(K_L, 2)
  For i = 5 to r do
    K_i = Rotate(K_{i−3}, 1)
  For i = 1 to r do
    K_i = K_i XOR i

LeftShift takes the two least significant bits of its input and shifts these two positions to the left. RightShift takes the two most significant bits of its input and shifts these two positions to the right. As a consequence, the third round key K_3 depends on two bits from K_L and two bits from K_R, whereas the fourth round key K_4 depends on the remaining four bits from K_L and K_R. Then the remaining round keys are generated as rotated versions of previous round keys. To avoid trivial symmetries and weak keys, a round constant is exclusive-ored to all round keys.

The fourth schedule is yet more complex. Here a series of temporary round keys TK_1, . . . , TK_r are generated in a manner similar to the previous one. Then these round keys are used in the cipher in question to generate the (real) round keys for the experiments. The cipher is used in counter mode and the resulting ciphertext halves are exclusive-ored to generate the (real) round keys K_1, . . . , K_r.

Key schedule 4: Input: K = K_L | K_R

  TK_1 = K_L
  TK_2 = K_R
  TK_3 = K_L XOR K_R
  For i = 4 to r do
    TK_i = Rotate(TK_{i−3}, 1)
  For i = 0 to r do
    TK_i = TK_i XOR i
  TK := {TK_1, . . . , TK_r}
  For i = 1 to r do
    C = (C_L | C_R) = encrypt(i, TK)
    K_i = C_L XOR C_R

The fifth key schedule simply uses independent round keys, that is, for the test cipher (an 8-bit Feistel cipher) the user-selected key is of a total of 4r bits.

For all the above key schedules an exhaustive search was implemented to find all differentials and linear hulls for all values of the user-selected key and for various numbers of rounds. For an r-round version of the cipher and for each key schedule the experiments were as follows: For each value of the key all r-round differentials and all r-round linear hulls were computed. The hull and the differential with the highest probability taken over all inputs and all the keys were recorded. Also recorded was the deviation of the best differential/the best linear hull over all values of the keys, and also the deviation of all differentials/all linear hulls over all values of the keys.

Clearly, for the fifth key schedule this experiment is very time-consuming for large numbers of rounds. However, there is a more efficient implementation, here explained only for differential cryptanalysis. Compute a so-called transition matrix M for one round of the cipher, where an entry (i, j) contains the probability that a difference of i in the inputs to one round results in outputs of difference j. Thus M contains the probabilities of all one-round differentials. Then the probabilities of all r-round differentials over the cipher can be found in M^r. A summary of the experiments is presented in Tables 1, 2, 3 and 4.
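As an added illustration (not the paper's own code), the following Python implements the test cipher with round function F1 and key schedules 1 to 4 exactly as specified above, together with the per-key table of differential probabilities that the experiments are built on. Conventions the page leaves open are assumptions here: K_L is the high nibble of K, the swap after the final round is omitted (so that the 4-round differential reads 30 → 30 as in Table 1), Rotate(·, 1) rotates a 4-bit value left by one position, and the round constant i is reduced to 4 bits before it is XORed in. The function names (ddt_for_key, best_differential, related_key_holds) are mine.

```python
# Added example (not the paper's own code): the 8-bit Feistel test cipher
# with round function F1 and key schedules 1-4 as defined above, plus the
# per-key differential table behind the experiments.  Assumptions: K_L is
# the high nibble of K, the swap after the last round is omitted, Rotate(x, 1)
# rotates a 4-bit value left, and the round constant i is cut to 4 bits.
F1 = [10, 3, 11, 7, 5, 13, 2, 6, 8, 0, 4, 9, 12, 14, 1, 15]  # F1[0] = 10, ...

def halves(x):
    """Split an 8-bit value into (left, right) nibbles, left = high nibble."""
    return (x >> 4) & 0xF, x & 0xF

def rotl4(x):
    """Rotate(x, 1): rotate a 4-bit value left by one position (assumed)."""
    return ((x << 1) | (x >> 3)) & 0xF

def encrypt(p, rk):
    """Round i: (X_L, X_R) -> (X_R, F(X_R xor K_i) xor X_L).  The swap after
    the last round is undone, so 0x30 -> 0x30 is a 4-round differential."""
    l, r = halves(p)
    for k in rk:
        l, r = r, F1[r ^ k] ^ l
    return (r << 4) | l

def decrypt(c, rk):
    """Inverse of encrypt (the cipher is a bijection for any fixed keys)."""
    r, l = halves(c)                  # state after the last round is (l, r)
    for k in reversed(rk):
        l, r = r ^ F1[l ^ k], l
    return (l << 4) | r

def ks1(key, r):
    """Key schedule 1: K_L in odd rounds, K_R in even rounds, then XOR i."""
    kl, kr = halves(key)
    return [((kl if i % 2 else kr) ^ i) & 0xF for i in range(1, r + 1)]

def ks2(key, r):
    """Key schedule 2: halves in the order K_L, K_R, K_R, K_L, then XOR i."""
    kl, kr = halves(key)
    order = {1: kl, 2: kr, 3: kr, 0: kl}
    return [(order[i % 4] ^ i) & 0xF for i in range(1, r + 1)]

def ks3(key, r):
    """Key schedule 3: shifts spread the key bits; later keys are rotations."""
    kl, kr = halves(key)
    lsh = lambda x: (x & 0x3) << 2    # two LSBs moved two positions left
    rsh = lambda x: (x >> 2) & 0x3    # two MSBs moved two positions right
    rk = [kl, kr, lsh(kl) | rsh(kr), lsh(kr) | rsh(kl)]
    for i in range(5, r + 1):
        rk.append(rotl4(rk[i - 4]))   # K_i = Rotate(K_{i-3}, 1)
    return [(rk[i] ^ (i + 1)) & 0xF for i in range(r)]

def ks4(key, r):
    """Key schedule 4: temporary keys as in KS3, then the cipher itself is
    run in counter mode under them and the ciphertext halves are XORed."""
    kl, kr = halves(key)
    tk = [kl, kr, kl ^ kr]
    for i in range(4, r + 1):
        tk.append(rotl4(tk[i - 4]))   # TK_i = Rotate(TK_{i-3}, 1)
    tk = [(tk[i] ^ (i + 1)) & 0xF for i in range(r)]
    keys = []
    for i in range(1, r + 1):         # C = encrypt(i, TK); K_i = C_L xor C_R
        cl, cr = halves(encrypt(i & 0xFF, tk))
        keys.append(cl ^ cr)
    return keys

def ddt_for_key(rk):
    """table[b][g] = number of plaintexts p with E(p) xor E(p xor b) == g,
    i.e. 256 times the probability of the differential b -> g for these keys."""
    ct = [encrypt(p, rk) for p in range(256)]
    table = [[0] * 256 for _ in range(256)]
    for b in range(256):
        row = table[b]
        for p in range(256):
            row[ct[p] ^ ct[p ^ b]] += 1
    return table

def best_differential(schedule, keys, r):
    """Best non-trivial differential averaged over the given keys, returned
    as (input diff, output diff, probability * 256), the units of Table 1."""
    total = [[0] * 256 for _ in range(256)]
    for key in keys:
        for b, row in enumerate(ddt_for_key(schedule(key, r))):
            for g, n in enumerate(row):
                total[b][g] += n
    cnt, b, g = max((total[b][g], b, g) for b in range(1, 256) for g in range(256))
    return b, g, cnt / len(keys)

def related_key_holds(schedule, key, alpha, r):
    """Fig. 1 property of KS1 for an even number of rounds: under key K xor
    alpha, plaintext p xor swap(alpha) encrypts to e_K(p) xor alpha (alpha's
    halves are swapped on the text side since each round moves R to the left)."""
    al, ar = halves(alpha)
    rk, rk2 = schedule(key, r), schedule(key ^ alpha, r)
    return all(encrypt(p ^ ((ar << 4) | al), rk2) == encrypt(p, rk) ^ alpha
               for p in range(256))

if __name__ == "__main__":
    for name, ks in (("KS1", ks1), ("KS2", ks2), ("KS3", ks3), ("KS4", ks4)):
        b, g, prob = best_differential(ks, range(0, 256, 17), 4)
        print(f"{name}: best 4-round differential {b:02x}->{g:02x}, 256*p = {prob:.2f}")
```

Running the whole key space through best_differential reproduces the averaging the paper describes for a key schedule; the 4-round entry 0x30 → 0x30 comes out as 16/256 for every key and every schedule, which is the two-consecutive-rounds argument of §3 in executable form, and related_key_holds verifies the Figure 1 property for KS1 directly.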

3 Results

The tables containing the results for differential cryptanalysis are interpreted as follows: The column "Round" is the number of rounds used in the cipher and "KS" is the key schedule used. "Best diff" is the differential with the highest probability taken over all plaintexts and over all keys, and "probability" the corresponding probability p multiplied by 256 (number of inputs to the cipher). The "Std. dev. best" is the standard deviation taken over all the keys for the best differential. The last column "Std. dev." is the standard deviation taken over all the keys and all the differentials. All the values are multiplied by 256 in order to get a mean equal to 1.0. Note that due to the way the experiments for key schedule five were implemented it is not possible to record the value of "Std. dev. best". The results are calculated similarly in the linear case: "Best hull" is the linear hull with the highest bias (|p − 1/2|) taken over all plaintexts and all keys, and "complexity" the corresponding value |p − 1/2|^2. The deviations are calculated in the same way. All the values here are multiplied by 4 ∗ 256 in order to give a mean equal to 1.0. Also here it was not possible to record the value of "Std. dev. best" for key schedule five.

Table 1. Best differentials on average for all keys and for one single key for 8-bit Feistel cipher with F : {10, 3, 11, 7, 5, 13, 2, 6, 8, 0, 4, 9, 12, 14, 1, 15}.

Round  KS  Best difference  Probability  Std. dev. best  Std. dev.
4      1   30→30            16.00        0.000           1.462
4      2   30→30            16.00        0.000           0.702
4      3   30→30            16.00        0.000           0.645
4      4   30→30            16.00        0.000           0.644
4      5   30→30            16.00        -               0.635
7      1   23→ac            10.00        0.000           1.411
7      2   50→50            3.62         2.853           0.366
7      3   30→30            3.12         3.432           0.149
7      4   30→30            2.41         2.615           0.120
7      5   30→30            2.20         -               0.051
10     1   58→cf            12.00        0.000           1.416
10     2   4b→f9            2.88         2.919           0.360
10     3   43→c3            1.56         1.603           0.140
10     4   24→14            1.44         1.707           0.108
10     5   30→30            1.07         -               0.006
16     1   0c→37            10.00        0.000           1.411
16     2   11→90            3.12         2.346           0.358
16     3   3e→5f            1.59         2.056           0.140
16     4   9f→10            1.45         1.649           0.109
16     5   30→30            1.00         -               0.004

The computation for ciphers with independent round keys was carried out using transition matrices. Compute a matrix M with the probabilities of all one-round differentials. Then one can find the probabilities of all r-round differentials by calculating the product M^r. Similar computations were done for linear hulls.

The results in Tables 1, 2, 3 and 4 suggest that a complex key schedule will add to the immunity against differential and linear attacks. By increasing the number of rounds it is seen that the probabilities of the best differential/linear hull converge fastest to the uniform distribution with a complex key schedule. The standard deviation converges to zero as the probability distribution converges to the uniform distribution. It is also seen that the results for the most complex key schedule, number four, are closest to those using key schedule five, where independent keys are used.

Note that the standard deviations for four rounds in Table 1 are zero for the first four key schedules and in each case for the best four-round differential 30 → 30. A closer analysis reveals that this differential has equal inputs in the first and fourth rounds and uses the combination through F of 3 → 3 (which has probability 1/4) in both the second and third rounds. So presumably for all keys this differential has probability (1/4)^2. The reason is that for any fixed key the inputs to two consecutive rounds in a Feistel cipher uniquely determine both plaintext and ciphertext. Hence, these two inputs together take all 2^n values exactly once. Thus, the probabilities of a differential for a fixed key in a Feistel cipher over two consecutive rounds can be found by computing the product of the individual one-round probabilities.

Also note that the standard deviation over all the keys for the best differential/linear hull for the first key schedule is always zero. This key schedule is reminiscent of that of LOKI [4] and it is well known that it gives rise to a number of related-key properties [7, 1], see Figure 1. More precisely, if c = e_K(p) is the encrypted value of p using the key K = K_L | K_R, then it holds that e_{K⊕α}(p ⊕ α) = c ⊕ α, where α = (K_L | K_R). However, it was not known until now (as far as these authors are informed) that if there is a differential of probability p for some particular value of the secret key (where the probability is taken over all plaintexts), then the same differential has probability p for any other value of the secret key. The reason is the following. Assume that there are s pairs of plaintexts (p_{i,0}, p_{i,1}), each of some difference β, which encrypted using the key value L yield (c_{i,0}, c_{i,1}) for i = 1, . . . , s, where the ciphertexts are of some difference γ. But then the s pairs of plaintexts (p_{i,0} ⊕ α, p_{i,1} ⊕ α), which are of difference β, encrypt to the pairs (c_{i,0} ⊕ α, c_{i,1} ⊕ α) of difference γ using the key value L ⊕ α. However, this also means that for this cipher the most likely differential for a fixed key is also the most likely differential for any other key. It is believed that this is the first reported example cipher in the literature with this property. It is stressed however that this cipher is vulnerable to other attacks which are faster than exhaustive key search.

O'Connor [15] showed that for a randomly chosen n-bit permutation, the expected highest probability of a differential will be less than 2m/2^m. In our tests, this bound is 16/256. Empirical results indicate that the expected probability of the best differential for a randomly chosen eight-bit permutation is about 10/256. This explains why for any number of rounds using the first key schedule the probability of the best differentials stays around 12/256 and does not decrease with the number of rounds. Also, it explains exactly why the standard deviation over all keys for these differentials is zero. A similar phenomenon can be explained for the linear cryptanalysis case. The second key schedule will also have some of these properties, but here only in the cases where ΔK_R = ΔK_L, which is only the case for one of 2^{n/2} keys.

It is anticipated that the results of our experiments will translate also to ciphers with bigger block size. However, exhaustive searches for differentials and linear hulls in a cipher for much higher values of n are very difficult. The complexities of these searches are O(2^{3n}) where n is the block size and the key size. Some further experiments within the reach of our computing capabilities were conducted.

– Feistel ciphers of size 10 and 12 bits were tested in the differential cryptanalysis case, where the nonlinear functions used were randomly chosen 5-bit respectively 6-bit bijective mappings, and where the key sizes are equal to the cipher size. The key schedules were chosen in a way similar to those reported in full detail above. The results of these tests are listed in Tables 5 and 6.
– Feistel ciphers of size eight, where the nonlinear function is a 5 to 4 bit S-box. Here the four-bit input to the S-box is expanded to five bits, after which a 5-bit round key was added. The key size of this cipher was 10 bits. This cipher models DES-like ciphers where the nonlinear function varies with the keys.
– An SP-network of 8 bits was tested, where one round consists of two 4 to 4 bit S-boxes together with a linear layer mixing the outputs of the boxes. The key size of this cipher is 8 bits.
– An SP-network of 9 bits was tested, where one round consists of three 3 to 3 bit S-boxes together with a linear layer mixing the outputs of the boxes. The key size of this cipher is 9 bits.

[Figure 1: diagram of two Feistel rounds under two keys differing by ΔK; only the caption is recoverable from the extracted text.]

Fig. 1. Two rounds of a Feistel cipher where the keys in every second round are different by a constant. Two keys which differ by a value ΔK = (ΔK_L, ΔK_R) will have exactly the same dependency between the rounds for all keys during both differential and linear attacks. Notice that inputs and outputs of F are exactly the same in all rounds.

Table 2. Best hulls on average for all keys and for one single key for 8-bit Feistel cipher with F : {10, 3, 11, 7, 5, 13, 2, 6, 8, 0, 4, 9, 12, 14, 1, 15}.

Round  KS  Best hull  Complexity  Std. dev. best  Std. dev.
4      1   ed→db      27.56       0.000           1.463
4      2   d4→ed      21.00       7.808           0.701
4      3   d4→ed      20.94       7.855           0.643
4      4   d7→ed      21.86       8.468           0.642
4      5   d4→ed      20.94       -               0.635
7      1   95→73      20.25       0.000           1.413
7      2   04→04      4.35        4.119           0.361
7      3   06→ed      2.15        2.429           0.135
7      4   0b→ed      2.20        2.264           0.103
7      5   06→ed      2.01        -               0.051
10     1   8b→90      18.06       0.000           1.417
10     2   7a→bd      3.53        5.108           0.355
10     3   93→ff      1.67        2.235           0.125
10     4   0d→1d      1.39        2.030           0.089
10     5   04→04      1.07        -               0.006
16     1   25→d2      18.06       0.000           1.413
16     2   8b→cb      3.31        6.525           0.353
16     3   51→5e      1.78        2.440           0.126
16     4   91→f0      1.40        1.896           0.089
16     5   08→ed      1.00        -               0.004

Table 3. Best differentials on average for all keys and for one single key for 8-bit Feistel cipher with F : {5, 11, 9, 4, 7, 13, 8, 1, 1, 15, 7, 14, 2, 7, 9, 9}.

Round  KS  Best difference  Probability  Std. dev. best  Std. dev.
4      1   e0→ce            16.00        0.000           1.457
4      2   c0→fc            9.50         2.403           0.627
4      3   c0→fc            9.50         2.403           0.562
4      4   fc→c0            9.81         2.309           0.559
4      5   c0→fc            9.50         -               0.550
7      1   d0→ec            12.00        0.000           1.414
7      2   50→50            3.50         3.782           0.369
7      3   10→10            2.59         3.142           0.150
7      4   c0→c0            2.87         3.623           0.122
7      5   c0→c0            2.79         -               0.055
10     1   ca→e2            12.00        0.000           1.429
10     2   0e→0c            2.62         2.209           0.359
10     3   44→81            1.55         1.647           0.140
10     4   0c→c0            1.45         1.630           0.109
10     5   c0→fc            1.15         -               0.008
16     1   19→9a            10.00        0.000           1.413
16     2   93→7c            2.88         1.870           0.358
16     3   7c→32            1.56         1.603           0.141
16     4   b6→dd            1.37         1.687           0.108
16     5   c0→f0            1.01         -               0.004

Table 4. Best hulls on average for all keys and for one single key for 8-bit Feistel cipher with F : {5, 11, 9, 4, 7, 13, 8, 1, 1, 15, 7, 14, 2, 7, 9, 9}.

Round  KS  Best hull  Complexity  Std. dev. best  Std. dev.
4      1   d6→cc      30.25       0.000           1.459
4      2   01→10      16.50       5.682           0.625
4      3   01→10      16.50       5.682           0.560
4      4   01→15      16.98       5.921           0.557
4      5   01→10      16.50       -               0.550
7      1   cc→a8      22.56       0.000           1.415
7      2   01→01      6.45        4.936           0.365
7      3   01→01      5.18        4.600           0.136
7      4   01→01      5.02        4.432           0.104
7      5   01→01      5.00        -               0.055
10     1   6d→6c      20.25       0.000           1.431
10     2   85→74      3.07        3.516           0.354
10     3   eb→fc      1.70        2.354           0.126
10     4   01→10      1.45        2.085           0.089
10     5   0c→0c      1.32        -               0.008
16     1   cb→4c      18.06       0.000           1.414
16     2   8a→a5      3.30        4.814           0.354
16     3   e2→bc      1.62        2.455           0.126
16     4   06→dc      1.41        2.060           0.089
16     5   0c→0c      1.01        -               0.004

The results show that the uniform distribution is reached faster for the 10-bit and 12-bit block ciphers than for the 8-bit block ciphers reported on earlier. However, the overall picture is the same as before. A cipher with a well-designed key schedule reaches the uniform distribution of the probabilities of differentials and linear hulls faster than with a badly designed key schedule. A good (complex) key schedule therefore seems to help make a cipher more resistant to differential and linear attacks. Finally we note that there are many block ciphers which have key schedules which are very simple and reminiscent of the weak key schedules from our experiments. A few examples are [12], Noekeon [5], and MISTY [11].

Table 5. Best differentials on average for all keys and for one single key for a 10-bit Feistel cipher.

Round  KS  Best difference  Probability  Std. dev.
4      1   1c0→200          32.00        1.436
4      2   1c0→200          32.00        0.443
4      3   1c0→200          32.00        0.385
4      4   1c0→200          32.00        0.382
4      5   1c0→200          32.00        1.518
7      1   008→163          12.00        1.415
7      2   020→001          3.31         0.254
7      3   200→200          2.32         0.071
7      4   200→200          2.50         0.056
7      5   200→200          2.31         0.051
10     1   2d1→255          14.00        1.411
10     2   07a→250          2.38         0.252
10     3   253→3d4          1.31         0.070
10     4   1de→193          1.22         0.054
10     5   1c0→200          1.05         0.004
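The transition-matrix computation used for key schedule five (independent round keys) in §3, as an added example that is not part of the paper: rather than forming the 256 × 256 matrix M and its power M^r, it pushes a single input difference β through r one-round transitions, which yields row β of M^r exactly (rational arithmetic, no rounding), and reports the two quantities the tables use, the best probability times 256 and the standard deviation of the scaled probabilities. Assumed conventions: the round function F1 is applied to the right nibble, the swap after the last round is omitted, and the function names markov_differentials and stats are mine.

```python
# Added example (not the paper's own code): exact r-round differential
# probabilities of the 8-bit Feistel cipher with F1 under independent,
# uniformly random round keys, i.e. row beta of the transition-matrix power
# M^r from Section 3, computed by propagating one row instead of M itself.
# Assumptions: F is applied to the right nibble; the final swap is omitted.
from fractions import Fraction

F1 = [10, 3, 11, 7, 5, 13, 2, 6, 8, 0, 4, 9, 12, 14, 1, 15]

# P_F[a][d]: probability that F inputs of difference a give outputs of
# difference d.  With a uniform round key the F inputs are uniform, so this
# is the one-round transition for the F part of a Feistel round.
P_F = [[Fraction(0)] * 16 for _ in range(16)]
for a in range(16):
    for x in range(16):
        P_F[a][F1[x] ^ F1[x ^ a]] += Fraction(1, 16)


def one_round(dist):
    """One Feistel round acting on a distribution over 8-bit differences:
    (dL, dR) -> (dR, dL xor d) with probability P_F[dR][d]."""
    out = [Fraction(0)] * 256
    for diff, p in enumerate(dist):
        if p == 0:
            continue
        dl, dr = diff >> 4, diff & 0xF
        for d in range(16):
            q = P_F[dr][d]
            if q:
                out[(dr << 4) | (dl ^ d)] += p * q
    return out


def markov_differentials(beta, r):
    """Exact probabilities of all r-round differentials beta -> gamma under
    independent round keys (row beta of M^r, with the last swap undone)."""
    dist = [Fraction(0)] * 256
    dist[beta] = Fraction(1)
    for _ in range(r):
        dist = one_round(dist)
    # undo the swap of the final round: output (dL, dR) is state (dR, dL)
    return [dist[((g & 0xF) << 4) | (g >> 4)] for g in range(256)]


def stats(dist):
    """(best probability * 256, std. dev. of probability * 256): the units of
    the tables.  A uniform row gives best 1.0 and deviation 0.0."""
    scaled = [float(p) * 256 for p in dist]
    mean = sum(scaled) / 256                       # always 1.0
    var = sum((v - mean) ** 2 for v in scaled) / 256
    return max(scaled), var ** 0.5


if __name__ == "__main__":
    for r in (4, 7, 10, 16):
        best, dev = stats(markov_differentials(0x30, r))
        print(f"{r:2d} rounds: 256*p(30 -> best) = {best:.2f}, std dev = {dev:.3f}")
```

The 4-round entry 30 → 30 comes out as exactly 1/16, the product of the two 3 → 3 transitions through F, and the maximum and the deviation both shrink with the number of rounds, which is the convergence toward the uniform distribution that the KS5 rows of Table 1 record.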

4 Future work

There are still open questions to try to explain from the experiments above. What exactly is the influence of the different key schedules on the complexity of linear and differential attacks? A few examples: why exactly is key schedule four better than key schedule three? Could there be some weaker dependencies between the round keys which also give high-probability differentials/hulls, higher than the ones assuming independent round keys? Could there be an approximation in one round which, when averaged over all inputs, has a small probability but which, due to a round key dependency between the several rounds, actually has a much higher probability?

Table 6. Best differentials on average for all keys and for one single key for a 12-bit Feistel cipher.

Round  KS  Best difference  Probability  Std. dev.
4      1   040→300          16.00        1.418
4      2   040→300          16.00        0.236
4      3   040→300          16.00        0.194
4      4   040→300          16.00        0.168
4      5   040→700          16.00        2.673
7      1   0fb→df           16.00        1.414
7      2   040→001          3.34         0.178
7      3   3c3→229          1.25         0.047
7      4   240→240          1.16         0.027
7      5   ec0→ec0          1.15         0.029
10     1   2cd→3b9          16.00        1.414
10     2   0f6→315          2.03         0.178
10     3   11c→1e5          1.24         0.047
10     4   0ac→247          1.12         0.027
10     5   e80→e80          1.00         0.004

5 Concluding remarks

There is a huge number of block ciphers proposed today, almost all of which have an ad-hoc designed key schedule for which very little is known. In this paper it has been demonstrated by experiments that the key schedule of iterated ciphers influences the distribution of the probabilities of differentials and linear hulls. The more complex the key schedule, the better the resistance against differential and linear attacks. Due to the available computing resources these experiments were conducted on small toy ciphers; however, the authors have found no indication why the results should not apply also to ciphers with larger blocks. In fact, the constructed toy ciphers with independent round keys (or with a well-designed key schedule) are most likely strong ciphers relative to their sizes. Just imagine a scaled-up version with 64-bit blocks, that is, with a randomly chosen (bijective) 32-bit mapping in the round function. Such a cipher is likely to be stronger than e.g. DES used with the same number of rounds.

References

1. E. Biham. New types of cryptanalytic attacks using related keys. In T. Helleseth, editor, Advances in Cryptology: EUROCRYPT'93, Lecture Notes in Computer Science 765, pages 398–409. Springer Verlag, 1993.
2. E. Biham and A. Shamir. Differential Cryptanalysis of the Data Encryption Standard. Springer Verlag, 1993.
3. A. Biryukov and D. Wagner. Slide attacks. In L. R. Knudsen, editor, Fast Software Encryption, Sixth International Workshop, Rome, Italy, March 1999, Lecture Notes in Computer Science 1636, pages 245–259. Springer Verlag, 1999.
4. L. Brown, J. Pieprzyk, and J. Seberry. LOKI - a cryptographic primitive for authentication and secrecy applications. In J. Seberry and J. Pieprzyk, editors, Advances in Cryptology: AusCrypt'90, Lecture Notes in Computer Science 453, pages 229–236. Springer Verlag, 1990.
5. J. Daemen, M. Peeters, G. Van Assche, and V. Rijmen. Nessie proposal: NOEKEON. Submitted as an NESSIE Candidate Algorithm. Available from http://www.cryptonessie.org.
6. L.R. Knudsen. Cryptanalysis of LOKI'91. In J. Seberry and Y. Zheng, editors, Advances in Cryptology, AusCrypt 92, Lecture Notes in Computer Science 718, pages 196–208. Springer Verlag, 1993.
7. L.R. Knudsen. Cryptanalysis of LOKI. In H. Imai, R.L. Rivest, and T. Matsumoto, editors, Advances in Cryptology: AsiaCrypt'91, Lecture Notes in Computer Science 453, pages 22–35. Springer Verlag, 1993.
8. X. Lai, J.L. Massey, and S. Murphy. Markov ciphers and differential cryptanalysis. In D.W. Davies, editor, Advances in Cryptology - EUROCRYPT'91, Lecture Notes in Computer Science 547, pages 17–38. Springer Verlag, 1992.
9. M. Matsui. Linear cryptanalysis method for DES cipher. In T. Helleseth, editor, Advances in Cryptology - EUROCRYPT'93, Lecture Notes in Computer Science 765, pages 386–397. Springer Verlag, 1993.
10. M. Matsui. On correlation between the order of S-boxes and the strength of DES. In A. De Santis, editor, Advances in Cryptology - EUROCRYPT'94, Lecture Notes in Computer Science 950. Springer Verlag, 1995.
11. M. Matsui. New block encryption algorithm MISTY. In E. Biham, editor, Fast Software Encryption, Fourth International Workshop, Haifa, Israel, January 1997, Lecture Notes in Computer Science 1267, pages 54–68. Springer Verlag, 1997.
12. NSA. Skipjack and KEA algorithm specifications. http://csrc.ncsl.nist.gov/encryption/skipjack-1.pdf, May 1998.
13. K. Nyberg. Linear approximations of block ciphers. In A. De Santis, editor, Advances in Cryptology - EUROCRYPT'94, Lecture Notes in Computer Science 950, pages 439–444. Springer Verlag, 1995.
14. O'Connor and Golic. A unified Markov approach to differential and linear cryptanalysis. In Josef Pieprzyk and Reihaneh Safavi-Naini, editors, Advances in Cryptology – ASIACRYPT '94, Lecture Notes in Computer Science 917, pages 387–397. Springer-Verlag, 1994.
15. L.J. O'Connor. On the distribution of characteristics in bijective mappings. In T. Helleseth, editor, Advances in Cryptology - EUROCRYPT'93, Lecture Notes in Computer Science 765, pages 360–370. Springer Verlag, 1994.
16. National Bureau of Standards. Data encryption standard. Federal Information Processing Standard (FIPS), Publication 46, National Bureau of Standards, U.S. Department of Commerce, Washington D.C., January 1977.
17. Toshio Tokita, Tohru Sorimachi, and Mitsuru Matsui. Linear cryptanalysis of LOKI and s2-DES. In Josef Pieprzyk and Reihanah Safavi-Naini, editors, Advances in Cryptology – ASIACRYPT '94, Lecture Notes in Computer Science 917, pages 293–303. Springer Verlag, 1994.


[Title of this paper not recoverable from the extraction]

John Erik Mathiassen

The Selmer Center, Institute for Informatics, University of Bergen

Abstract. In this paper we present an improvement of the collision attack [1] on the authenticated encryption mode of operation OCB. [1] presents a collision detection method and a way to use the collision, and it is possible to use the information from a collision to change some blocks of the message unnoticed, if they have a special property. We found a way to use the information from a collision to change any future message in any position, without knowing anything about the plaintexts and the nonces. Once a collision is detected the probability of success of cheating is 1, and this part of the attack can be done by hand calculations. It must also be mentioned that our attack depends on the complexity of the detection of a collision, and this does not violate the security bounds given in [2, 3]. However once a collision is found the attack is simple and devastating.

1 Introduction

Modes of operation have been of interest since the invention of block ciphers. The first modes of operation only focused on the confidentiality of the messages being processed. Later on some modes were also used for authentication, like the CBC-MAC. If both authentication and confidentiality were required, the encryption mode and the authentication mode were typically run separately and with independent keys.

Lately the focus has been on making modes of operation that handle both encryption and authentication using only one key. The OCB mode [2, 3] is a mode of operation using an underlying block cipher, and it supports confidentiality and integrity with only one encryption per message block and only three block encryptions of overhead. It was submitted to NIST's request for modes of operation, but CCM was the only mode recommended by NIST. A reason for OCB not to be considered in this competition is that it is patented, and a recommendation by NIST would be a free marketing campaign.

A collision attack on OCB was presented in [1], and showed that a collision could be a serious threat to the authentication. Here we present an attack which is much more threatening as soon as a collision occurs. Both these attacks use the same detection method, and the complexity of the detection of a collision does not violate the security bounds given by the authors of [2, 3], but as soon as a collision occurs the authentication is useless unless the key is changed.

2 OCB (Offset CodeBook) Mode

The OCB (Offset CodeBook) mode, Figure 1, encrypts m plaintext blocks P_i to m ciphertext blocks C_i, and a message authentication tag T. The mode uses a pure block cipher as an underlying cipher, and the block size n is equal to the block size of the underlying cipher, except for the last ciphertext block which can be of any length 1 < len ≤ n bits. It is also encrypted in a different way than the other blocks. The authentication tag T, if present, is of length 1 ≤ τ ≤ n and should be of reasonable length to avoid tag guessing attacks. For each message a nonce N is used, and it is never reused within a session, which will be the period where the key K remains the same. It is also required that the message length is not greater than 2^{n/2}, because the nonce has to be changed before a collision is very likely to occur.

[Figure 1 (image not extracted): the blocks P[1], ..., P[m−1], P[m] and the Checksum enter E_K under the offsets Z[1], ..., Z[m]; the last block uses len and L·x^{−1}; L = E_K(0^n) and R is derived from the nonce N; the tag T is the first τ bits of the last E_K output.]
Fig. 1. This figure illustrates the OCB encryption.

The only difference from ECB mode encryption is that a hopefully unpredictable offset Z_i is added both before and after encryption. The Z_i is different in each round because of the way it is defined. Two parameters decide the Z_i of a message: the session string L and a "random" R. Denote the encryption of the plaintext P with the key K under the underlying cipher as E_K(P), which gives the ciphertext C. The L is defined as L = E_K(0^n) and will not change within a session. R is defined as R = E_K(N ⊕ L) and is therefore changed in a new message, because the nonce N changes for each message. The offsets are then defined as

Z_i = R ⊕ (L · γ_i)

where γ_i is the ith element of the Gray code γ (the Gray code is an ordering of the 2^n n-bit numbers where any two adjacent elements differ in one bit, i.e. their XOR has Hamming weight 1), and γ_1 = 1. That gives us Z_1 = R ⊕ L, and the ith one is easy to calculate from the previous one by Z_i = Z_{i−1} · x^{ntz(i)} using polynomial representation, or Z_i = Z_{i−1} · (0^{n−1}1 << ntz(i)), where ntz(i) is the number of trailing zeroes in the binary representation of i. Next the encryption for the m − 1 first plaintext blocks is

C_i = E_K(P_i ⊕ Z_i) ⊕ Z_i

which might be written as Y_i = E_K(X_i) where X_i = P_i ⊕ Z_i and Y_i = C_i ⊕ Z_i. The decryption is simply

D_K(C_i ⊕ Z_i) ⊕ Z_i = D_K(Y_i) ⊕ Z_i = X_i ⊕ Z_i = P_i.

The last block of length len bits is encrypted to a ciphertext of len bits,

C_m = MSB_len(E_K(len ⊕ (L · x^{−1}) ⊕ Z_m)) ⊕ P_m

where len is represented as an n-bit string, and where the function MSB_b(S) returns the b most significant bits of S. To see why this works we might look at the decryption

MSB_len(E_K(len ⊕ (L · x^{−1}) ⊕ Z_m)) ⊕ C_m = [MSB_len(E_K(len ⊕ (L · x^{−1}) ⊕ Z_m))] ⊕ [MSB_len(E_K(len ⊕ (L · x^{−1}) ⊕ Z_m))] ⊕ P_m = P_m

and the decryption gives P_m of length len as expected. Next a Checksum dependent on all the message blocks is encrypted as follows

T = MSB_τ(E_K(Checksum ⊕ Z_m))

where

Checksum = P_1 ⊕ P_2 ⊕ ··· ⊕ P_{m−1} ⊕ C_m ⊕ Y_m.

Since the length of C_m could be less than n we should strictly have written C_m|0^{n−len} and P_m|0^{n−len} in the above expressions, but we will continue to use the shorter notations for simplicity. Notice that C_m ⊕ Y_m = P_m ⊕ LSB_{n−len}(Y_m), and LSB_{n−len}(Y_m) = LSB_{n−len}(E_K(len ⊕ (L · x^{−1}) ⊕ Z_m)) is included in the Checksum to avoid somebody manipulating the content of the last block by changing the length. This is avoided because Y_m depends on len, the length of P_m.

To check that the message is not changed on the way to the receiver, the Checksum' of the received message must be evaluated and

T' = MSB_τ(E_K(Checksum' ⊕ Z_m))

and if T' is equal to the received T the message is assumed to be authentic.

The security of OCB relies on the difficulty of changing the ciphertexts and at the same time changing the plaintexts such that the Checksum remains the same. Without knowing anything about the key K it is hard to predict a change in the plaintexts by a certain change in the ciphertext, even if the plaintext is known. Another straightforward approach is to guess the authentication tag T, and it has success probability 2^{−τ}. It is recommended to choose τ big enough to achieve the level of security wanted in the system. The chance of collisions is the reason why the block size should be at least 128 bits, and it is suitable for use together with AES, which has block size 128. We will assume in the rest of the paper that OCB is used with a block cipher with 128 bits block size.

3 Collision Attack on OCB

This chapter describes a collision attack on OCB, and a new way to exploit a collision. First we will start by describing the detection phase, which was also shown in [1]. The second phase is how to use the data found in the detection phase. Ferguson has shown where it is possible to change four blocks of the message used in the detection phase (it might be more changes, but the main difference is that only one message might be changed, and that the blocks to be changed need to fulfil a special criterion to avoid being detected by the authentication), but we will show that it is possible to change any block of future messages encrypted with the same key K without knowing anything about the plaintext.

3.1 Collision Detection and Extraction of L

Suppose we have a known message P_1, P_2, ..., P_m and its encryption C_1, C_2, ..., C_m, T. What we look for is two plaintext blocks P_i and P_j where the two inputs to the encryption X_i, X_j are equal and thereby the outputs Y_i = E_K(X_i) and Y_j = E_K(X_j) are equal. Since we know that P_i = X_i ⊕ Z_i and C_i = Y_i ⊕ Z_i the obvious way to cancel the offset Z_i is to calculate and store W_i = P_i ⊕ C_i = X_i ⊕ Y_i for all message blocks P_i. Next observe:

X_i = X_j ⇔ Y_i = Y_j
⇓
X_i ⊕ Y_i = X_j ⊕ Y_j
⇕
P_i ⊕ C_i = P_j ⊕ C_j
⇕
W_i = W_j

That means that if we have X_i = X_j we also have W_i = W_j, and

P_i ⊕ P_j = X_i ⊕ X_j ⊕ Z_i ⊕ Z_j = L · (γ_i ⊕ γ_j).

That means that we easily can calculate L by L = (P_i ⊕ P_j) · (γ_i ⊕ γ_j)^{−1}.

3.2 Exploit the Knowledge of L

Knowing L we are able to cheat by simply changing the position of any two blocks except the last block, since it is encrypted in a different way. Say we want to change the plaintext at two arbitrary positions i and j. Remember that

C_i = Y_i ⊕ Z_i = Y_i ⊕ R ⊕ (γ_i · L)

and define ∆_{i,j}L = (γ_i ⊕ γ_j) · L, which is possible to calculate for any positions i and j only by a prior knowledge of L. Notice that Z_i ⊕ Z_j = ∆_{i,j}L, and to change the offset from Z_i to Z_j we must add ∆_{i,j}L. Then we form the new C'_i and C'_j as follows:

C'_i = C_j ⊕ (∆_{i,j}L) = Y_j ⊕ Z_j ⊕ (∆_{i,j}L) = Y_j ⊕ Z_i
⇓
Y'_i = Y_j = C'_i ⊕ Z_i

and

C'_j = C_i ⊕ (∆_{i,j}L) = Y_i ⊕ Z_i ⊕ (∆_{i,j}L) = Y_i ⊕ Z_j
⇓
Y'_j = Y_i = C'_j ⊕ Z_j

and the decryption of Y'_j and Y'_i will give us the new preimages X'_i = X_j and X'_j = X_i. The exclusive or of the new messages gives us

P'_i ⊕ P'_j = (X_j ⊕ Z_i) ⊕ (X_i ⊕ Z_j) = (X_j ⊕ X_i) ⊕ (Z_i ⊕ Z_j) = (X_j ⊕ X_i) ⊕ ∆_{i,j}L = (X_i ⊕ Z_i) ⊕ (X_j ⊕ Z_j) = P_i ⊕ P_j

which proves that the Checksum = P_1 ⊕ P_2 ⊕ ··· ⊕ P_{m−1} ⊕ C_m ⊕ Y_m and therefore also the tag T remain unchanged. It is therefore possible to swap ciphertexts this way (except the last block), and if changed the way we showed the message is still authentic. We might add that the two new message blocks will be:

P'_i = P_j ⊕ Z_j ⊕ Z_i
P'_j = P_i ⊕ Z_i ⊕ Z_j

Notice that "swapping" two ciphertext blocks also changes the swapped plaintexts. Moreover the attack enables future messages encrypted with the same key K to be changed at any position without knowing the plaintext or the nonce, and the probability of being detected is 0.

Actually any even number of ciphertexts in a message might be permuted in any order by adding to them the appropriate ∆_{i,j}L (∆_{i,j}L is added to the ciphertext taken from the ith position to the jth position). The resulting plaintexts will be P'_i = P_j ⊕ Z_j ⊕ Z_i, where C'_i is the ciphertext taken from the jth position in the sent message. The only difference in the plaintext blocks are the positions where the ciphertexts have changed. Even if the plaintexts in those positions are changed the resulting Checksum is not changed. Assume that 4 positions i, j, k, l have changed; the new checksum becomes

Checksum' = Checksum ⊕ Z_i ⊕ Z_j ⊕ Z_k ⊕ Z_l ⊕ Z'_i ⊕ Z'_j ⊕ Z'_k ⊕ Z'_l = Checksum ⊕ L · (γ_i ⊕ γ_j ⊕ γ_k ⊕ γ_l ⊕ γ_i ⊕ γ_j ⊕ γ_k ⊕ γ_l) = Checksum

and is equal to the old one. So the tag of τ bits is unchanged as well.

3.3 Probability of Success

The probability that X_i = X_j, and thereby W_i = W_j, is 2^{−128}, but having m plaintexts and ciphertexts the probability of at least one collision is about m^2 · 2^{−129} by the birthday paradox. Notice that W_i = W_j is true also with ∆_{i,j}X = X_i ⊕ X_j = Y_i ⊕ Y_j = ∆_{i,j}Y ≠ 0, because

∆_{i,j}X = ∆_{i,j}Y
⇕
X_i ⊕ Y_i = X_j ⊕ Y_j
⇕
W_i = P_i ⊕ C_i = P_j ⊕ C_j = W_j.

But the event that ∆_{i,j}X = ∆_{i,j}Y also has probability 2^{−128}. That means that both X_i = X_j and ∆_{i,j}X = ∆_{i,j}Y give W_i = W_j, and since the probabilities are equal, the probability that W_i = W_j actually is a collision is therefore 0.5.

One might add that the collision attack is costly, and does not violate the security bounds of OCB. But if a collision event occurs the attack threatens the authenticity of future messages.
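As an added example (not the paper's code), the mode as defined in Section 2 and the quantity W_i = P_i ⊕ C_i of Section 3.1, in Python on a constructed 64-bit toy cipher; the block size, the SHA-256-based Feistel cipher, the field polynomial, and the key and nonce values are assumptions made for the illustration, not values from the paper.

```python
# Added example, not the paper's code: OCB as defined in Section 2, on a
# CONSTRUCTED 64-bit toy block cipher so that it runs offline. Real OCB uses
# a 128-bit cipher such as AES; the block size n, the cipher and the field
# polynomial below are assumptions made for this illustration.
import hashlib

N = 64                      # block size n in bits (assumption)
MASK = (1 << N) - 1
POLY = 0b11011              # low part of x^64 + x^4 + x^3 + x + 1 (assumption)

def _f(key: bytes, rnd: int, half: int) -> int:
    """Keyed round function of the toy cipher (SHA-256 based, constructed)."""
    d = hashlib.sha256(key + bytes([rnd]) + half.to_bytes(4, "big")).digest()
    return int.from_bytes(d[:4], "big")

def E(key: bytes, x: int) -> int:
    """Toy block cipher E_K: an 8-round Feistel network on 64-bit blocks."""
    l, r = x >> 32, x & 0xFFFFFFFF
    for i in range(8):
        l, r = r, l ^ _f(key, i, r)
    return (l << 32) | r

def D(key: bytes, y: int) -> int:
    """Inverse D_K of E (same rounds in reverse order)."""
    l, r = y >> 32, y & 0xFFFFFFFF
    for i in reversed(range(8)):
        l, r = r ^ _f(key, i, l), l
    return (l << 32) | r

def times_x(a: int) -> int:
    """a * x in GF(2^n)."""
    a <<= 1
    return (a & MASK) ^ POLY if a >> N else a

def times_x_inv(a: int) -> int:
    """a * x^{-1} in GF(2^n); needed for the last-block offset L * x^{-1}."""
    return (a >> 1) ^ (1 << (N - 1)) ^ (POLY >> 1) if a & 1 else a >> 1

def gf_mul(a: int, b: int) -> int:
    """a * b in GF(2^n), so that L * gamma_i can be formed directly."""
    acc = 0
    while b:
        if b & 1:
            acc ^= a
        a, b = times_x(a), b >> 1
    return acc

def offsets(key: bytes, nonce: int, m: int):
    """L = E_K(0^n), R = E_K(N xor L), Z_i = R xor (L * gamma_i), i = 1..m,
    with gamma_i = i xor (i >> 1) the i-th Gray code element (gamma_1 = 1)."""
    L = E(key, 0)
    R = E(key, nonce ^ L)
    return L, [R ^ gf_mul(L, i ^ (i >> 1)) for i in range(1, m + 1)]

def msb(v: int, b: int) -> int:
    """MSB_b(v): the b most significant bits of an n-bit value."""
    return v >> (N - b)

def ocb_encrypt(key: bytes, nonce: int, P: list, last_len: int, tau: int):
    """Encrypt blocks P[0..m-1] (the last one is last_len bits); return (C, T)."""
    m = len(P)
    L, Z = offsets(key, nonce, m)
    C, checksum = [], 0
    for i in range(m - 1):                     # C_i = E_K(P_i xor Z_i) xor Z_i
        C.append(E(key, P[i] ^ Z[i]) ^ Z[i])
        checksum ^= P[i]
    Ym = E(key, last_len ^ times_x_inv(L) ^ Z[m - 1])
    Cm = msb(Ym, last_len) ^ P[m - 1]          # C_m = MSB_len(Y_m) xor P_m
    C.append(Cm)
    checksum ^= (Cm << (N - last_len)) ^ Ym    # ... xor C_m|0^{n-len} xor Y_m
    T = msb(E(key, checksum ^ Z[m - 1]), tau)  # T = MSB_tau(E_K(Checksum xor Z_m))
    return C, T

def ocb_decrypt(key: bytes, nonce: int, C: list, last_len: int, tau: int, T: int):
    """Decrypt and verify; return the plaintext blocks, or None if the tag fails."""
    m = len(C)
    L, Z = offsets(key, nonce, m)
    P, checksum = [], 0
    for i in range(m - 1):                     # P_i = D_K(C_i xor Z_i) xor Z_i
        P.append(D(key, C[i] ^ Z[i]) ^ Z[i])
        checksum ^= P[i]
    Ym = E(key, last_len ^ times_x_inv(L) ^ Z[m - 1])
    P.append(msb(Ym, last_len) ^ C[m - 1])
    checksum ^= (C[m - 1] << (N - last_len)) ^ Ym
    if msb(E(key, checksum ^ Z[m - 1]), tau) != T:
        return None                            # tag mismatch: reject the message
    return P

def w_values(P: list, C: list) -> list:
    """W_i = P_i xor C_i for the full blocks (Section 3.1): the offset cancels,
    so W_i = X_i xor Y_i, and equal W's are what a collision check looks for."""
    return [p ^ c for p, c in zip(P[:-1], C[:-1])]

if __name__ == "__main__":                     # constructed sample input
    k, P = b"toy-key", [0x0123456789ABCDEF, 0xFEDCBA9876543210, 0x1234]
    C, T = ocb_encrypt(k, 0x55, P, 16, 32)
    print(ocb_decrypt(k, 0x55, C, 16, 32, T) == P)
```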

4 Conclusion and Future Work

In this paper we describe a collision attack on OCB, where the detection of a collision is exactly the same as in [1]. We show that once a collision occurs it is possible to swap, and thereby change, any blocks of future messages encrypted with the same key, even if the nonce is changed. The probability of success is 1 once a collision is found. The detection of a collision does not have better probability and complexity than the proved security bounds, but it will be devastating once a collision is found.

Once L is found it is easy to change any message of length 3 blocks or more, without being caught by the authentication mechanism. Therefore it would be very interesting to find ways for collisions to occur more often than at random. A better way to find L would prove that the security bounds of OCB are wrong.

References

1. N. Ferguson. Collision attacks on OCB. Comments to NIST, February 2002. Available at NIST's web page (URL lost in extraction).
2. P. Rogaway, M. Bellare, J. Black, and T. Krovetz. OCB: a block-cipher mode of operation for efficient authenticated encryption. Available from (URL lost in extraction).
3. P. Rogaway, M. Bellare, J. Black, and T. Krovetz. OCB: a block-cipher mode of operation for efficient authenticated encryption. In Eighth ACM Conference on Computer and Communications Security (CCS-8), pages 196–205.


Preimage and Collision Attacks on MD2

Lars R. Knudsen1 and John E. Mathiassen2

1 Department of Mathematics, Technical University of Denmark
2 Department of Informatics, University of Bergen, Norway

Abstract. This paper contains several attacks on the hash function MD2 which has a hash code size of 128 bits. At Asiacrypt 2004 Muller presents the first known preimage attack on MD2. The time complexity of the attack is about 2^104 and the preimages always consist of 128 blocks. We present a preimage attack of complexity about 2^97 with the further advantage that the preimages are of variable lengths. Moreover we are always able to find many preimages for one given hash value. Also we introduce many new collisions for the MD2 compression function, which lead to the first known (pseudo) collisions for the full MD2 (including the checksum), but where the initial values differ. Finally we present a pseudo preimage attack of complexity 2^95 but where the preimages can have any desired lengths.

1 Introduction

A hash function is a function that takes an arbitrarily long input, and produces a fixed length output. The output is often called a fingerprint of the input. A cryptographic hash function needs to satisfy certain security criteria in order to be called a secure hash function. Let H : {0, 1}^* → {0, 1}^n denote a hash function, whose output is of length n bits. A cryptographic hash function should be resistant against the following attacks:
– Collision: Find x and x' such that x ≠ x' and H(x) = H(x').
– 2nd preimage: Given x and y = H(x), find x' ≠ x such that H(x') = y.
– Preimage: Given y = H(x), find x' such that H(x') = y.
Typically one requires that there must not exist attacks of these three types which are better than brute-force methods. Thus, to find a collision should not have a lower complexity than about 2^{n/2} and it should not be possible to find preimages in time less than 2^n. It is common to construct hash functions by iterating a so-called compression function h : {0, 1}^n × {0, 1}^l → {0, 1}^n, which compresses a fixed number of bits. Here the output of one application of this function, h_i, of length n is called a chaining variable and is used as an input in the next iteration together with the next message block m_{i+1} of length l. If the design of a hash function follows the principles of Merkle and Damgård [4,1], it can be shown that a collision for the hash function H implies a collision for the compression function h. Thus, if one can design a secure compression function, then one can also design a secure hash function. Still, the first step towards finding weaknesses in the hash function may be to find weaknesses in the compression function. The first chaining variable in an iterated hash function is often called the IV (initial value) and this is often fixed. Attacks on hash functions where the attacker is able to choose or change the IV are called pseudo attacks.
Most popular hash functions use an iterative compression function and a fixed IV. Examples are MD4, MD5, SHA-1, and RIPEMD-160. The organisation of this paper is as follows. Section 2 presents the MD2 hash function. Section 3 presents some collision attacks on the compression function, where many details are included in an appendix. Section 4 presents several attacks on MD2 (including the checksum). They are a pseudo collision attack, several preimage attacks, as well as a pseudo preimage attack. As far as we are informed the complexities of all these attacks are the lowest known today. Below is a summary of all known results on MD2, where an asterisk (*) indicates that the attack is new.

                         Collision    Preimage            Comments
Compression function     2^8 [6]      2^73 [5]
Hash function (pseudo)   2^16 (*)     2^95 (*)            Arbitrary length messages
Hash function            -            2^104 [5]           Message length 128 blocks
Hash function            -            2^97.6–2^112 (*)    Message length 44–128 blocks

2 The MD2

The MD2 hash algorithm is designed by Ron Rivest and published in 1988 [2,3]. It is a function H : GF(256)^* → GF(256)^16, which takes an arbitrary number of bytes GF(256) and outputs a string of 16 bytes GF(256)^16. The function consists of iterations of a compression function h : GF(256)^16 × GF(256)^16 → GF(256)^16, h_i = h(h_{i−1}, m_i), where the input in the ith iteration is the ith message block m_i and the chaining variable h_{i−1}. The message m to be hashed is appended with some padding bytes and a checksum c before it is processed: m||p||c = m_1||m_2||···||m_{t+1}, where |m_i| = 128 for i = 1, 2, ..., t + 1. At least one byte and at most 16 bytes of m_t are padding. Let b be the length of the message in bytes, and i ≡ b mod 16, i ∈ {0, 1, ..., 15}; then d = 16 − i (represented in a byte) is added to the message d times. There is at least one byte of padding, so if the length is b ≡ 15 mod 16, then d = 1 and the byte p = 1 is appended to the message. If the message length in bytes is 0 modulo 16, then d = 16 and the byte sequence p = 16|···|16 of length 16 bytes is added to the message, so that the length of the message still is 0 modulo 16.

Next a checksum block m_{t+1} = c = c_0 | c_1 | ··· | c_15 is appended to the message. The checksum [Algorithm 1] is generated by processing every byte of the message one block at a time, starting at the first block. The checksum is initialised to 0, c_i = 0 for i = 0, 1, ..., 15. Then for all t message blocks m_i, i = 1, 2, ..., t, process all 16 bytes of that block and the checksum, j = 0, 1, ..., 15, by the function c_j = s(c_{(j−1) mod 16} ⊕ m_{i,j}) ⊕ c_j, where m_{i,j} is the jth byte of the ith block of the message and where s : {0, 1}^8 → {0, 1}^8 is a bijective mapping, which is also used in the compression function. The details of s are not important for the results in this paper. The hash function is iterated in the following way:

– h_0 = iv = 0
– h_i = h(h_{i−1}, m_i) for i = 1, 2, ..., t + 1
– H(m) = h_{t+1}

The compression function [Algorithm 2] of MD2 takes two inputs of 128 bits each, cf. earlier, and consists of an 18-round iterative process, where a vector of the 48 bytes constructed from h_{i−1}||m_i||(h_{i−1} ⊕ m_i) and denoted h_i = h_{i,1}||h_{i,2}||···||h_{i,48} is repeatedly processed from left to right through the use of the same round function consisting of simple byte exclusive-ors and the eight-bit bijective mapping s(), also used in the checksum calculation.

Algorithm 1 Algorithm to compute the checksum c = c_0||c_1||···||c_15
  for j = 0, 1, ..., 15: c_j = 0
  for i = 1 to t do
    for j = 0 to 15 do
      c_j = s(c_{(j−1) mod 16} ⊕ m_{i,j}) ⊕ c_j
    end /*for j*/
  end /*for i*/

Algorithm 2 The compression function in MD2, where the output is the 16 first bytes of h_{i,1} | h_{i,2} | ··· | h_{i,16} | ··· | h_{i,48}.
  for j = 1 to 16 do
    h_{i,j} = h_{i−1,j}
    h_{i,16+j} = m_{i,j}
    h_{i,32+j} = h_{i−1,j} ⊕ m_{i,j}
  end /*for j*/
  t = 0
  for r = 1 to 18 do
    for j = 1 to 48 do
      t = h_{i,j} = s(t) ⊕ h_{i,j}
    end /*for j*/
    t = (t + r − 1) modulo 256
  end /*for r*/

3 Attacks on the Compression Function

In [6] a collision attack on the compression function of MD2 is given. Recall that this function computes h_i = h(h_{i−1}, m_i). Rogier and Chavaud give 141 collisions for the compression function where for all collisions h_{i−1} is fixed to the value zero. Note that the IV of MD2 as stated in [2] is zero. We found some variations of this attack. First of all we found that the collision attack extends and it is possible to find many more collisions of this form. We implemented one improvement and found 32,784 collisions, all with h_{i−1} = 0. This attack takes very little time. Also we found that it is possible to find so-called multi-collisions for the compression function, that is, a set of different m_i's all with the same output in the compression function and all with h_{i−1} = 0. With a complexity of about 2^72 one expects a multiple collision of eight messages.

Another variation of Rogier and Chavaud's attack is to fix m_i to zero and find different values of h_{i−1} leading to identical outputs of the compression function, and yet another variation is to fix m_i ⊕ h_{i−1}. These variants are similar to the above original one, although the complexities are slightly higher. [6] also considers cases where only a subset of the bytes of h_{i−1} are zeros. We show similar results for the variations. The details of the variant where h_{i−1} = 0 are described in Appendix B. The details of the other variants are described in an extended version of the paper available upon request. In the next section we shall use some of the improvements and variations of the attacks on the compression function.

4 Attacks on the MD2 Hash Function

4.1 A Pseudo Collision Attack on MD2

In Appendix B we mention a collision attack on the compression function where m_i = m'_i = 0 and h_{i−1} ≠ h'_{i−1}, but where h_i = h'_i. Using this attack we are able to find collisions for MD2 (including the checksum) but using different IVs. We have found 130 such collisions in 2 seconds on a single PC, and can find ≈ 2^15 such collisions in about 512 seconds (under 9 minutes) with that property. For any such collision h_{i−1} ≠ h'_{i−1}, thus if two different IV values of MD2 are chosen to be IV = h_{i−1} and IV' = h'_{i−1} then one can find collisions for all of MD2 for a message using two different IVs.

– Find a pair (h_0, m_1) ≠ (h'_0, m_1) where m_1 = 0 such that h(h_0, m_1) = h(h'_0, m_1).
– Set IV = h_0 and IV' = h'_0.
– Choose message blocks m_2|m_3|···|m_t.
– Then clearly H(IV, m) = H(IV', m), where m = m_1|m_2|m_3|···|m_t.
Notice that the checksums for both hashes are identical since the message blocks are identical, and therefore we have a pseudo collision for MD2.

Let us now consider a situation where such collisions could become practical. Imagine a scenario where Alice and Bob use a digital signature system using a hash function. Imagine that they are signing the same message m many times, e.g., "Alice owes Bob 100 US$". In order to avoid that the same message gives an identical signature, Alice suggests to use a time-stamp, but Bob convinces her that instead he shall send Alice a fresh random hash-IV (e.g., a nonce) to be used in every new signature. Alice agrees to this, however demands that the IV Bob chooses should be run through the hash function first. And so, they agree on the following protocol.
– Bob chooses a random IV.
– Alice calculates r = h(IV, 0), creates the hash as usual by h = H(r, m), and signs the hash value, sign(h).
Assuming that the digital signature scheme and the hash function are secure, it seems hard for Bob to cheat. In every new signature a different IV is used, so Bob cannot play the replay attack. However using MD2 in this protocol is a problem since Bob is able to find many collisions of the type h(IV, 0) = h(IV', 0), and hence he is able to reuse the signature and message together with other IVs.

4.2 The Preimage Attack

In [5] F. Muller presents the first known preimage attack on MD2 faster than a brute-force attack. The attack is divided into two parts: in the first part one finds many preimages of the compression function and in the second part one finds those preimages which conform with the checksum function. Note that for most iterated hash functions a preimage attack on the compression function immediately gives at least a pseudo preimage on the hash function, but this is not true for MD2 because of the additional checksum block which is appended to the messages. [5] lists three different attacks on the compression function:

1. Given $h_i$ and $h_{i-1}$, find a message $m_i$ such that $h_i = h(h_{i-1}, m_i)$. The complexity is $2^{95}$.
2. Given $h_i$ and $m_i$, find a value $h_{i-1}$ such that $h_i = h(h_{i-1}, m_i)$. The complexity is $2^{95}$.
3. Given $h_i$, find a value $h_{i-1}$ and a message $m_i$ such that $h_i = h(h_{i-1}, m_i)$. The complexity is $2^{73}$.

Here one unit in the complexity measures is the time to run the compression function once. All these attacks are expected to give one solution, but there might also be zero or several solutions. Assuming that the compression function is a random function, the probability that there is no solution is $(1 - 2^{-128})^{2^{128}}$, and the probability that there are at least $w$ solutions is:

$$p_w \approx 1 - \sum_{i=0}^{w-1} \binom{2^{128}}{i}\, 2^{-128 i} \left(1 - 2^{-128}\right)^{2^{128} - i} \approx 1 - \sum_{i=0}^{w-1} \frac{1}{i!}\, e^{-1}.$$

The first attack above can also be used to find preimages for (all of) MD2 [5]. With $h_0 = 0$ and $h = h_{128}$ the attack is as follows, where $h_0$ is given and $i$ is initialised to 1:

1. Choose a random value of $h_i$.
2. If at least 2 solutions $m_i$ satisfying $h_i = h(h_{i-1}, m_i)$ are found: increase $i$ by 1, and if $i < 128$ go to step 1. Otherwise go to step 1 and choose another $h_i$.
3. If fewer than 2 solutions $m_{128}$ satisfying $h_{128} = h(h_{127}, m_{128})$ are found: set $i$ to 127 and go to step 1.

This gives 128 consecutive pairs $(h_{i-1}, h_i)$ for which there are at least 2 different values of $m_i$ such that $h_i = h(h_{i-1}, m_i)$. Consequently there are at least $2^{128}$ different messages $m$ (of 128 blocks) such that $h = H(m)$, and therefore one of these messages is expected to conform with the checksum $m_{128} = c$. Let $c[i]$ denote the checksum after $i$ iterations ($i$ message blocks). Using the birthday attack on the checksum function has a complexity of about $2^{64}$:

– Compute $2^{64}$ values of $c[64]$ by iterating the checksum function forwards through $2^{64}$ possible values of the blocks $m_1, m_2, \dots, m_{64}$.
– Compute $2^{64}$ values of $c[64]$ by calculating the checksum backwards through $2^{64}$ possible values of the blocks $m_{65}, m_{66}, \dots, m_{128} = c$.
– Search for a collision between elements in the two lists.

The expected number of collisions in this last step is 1. The overall complexity of this attack is as follows. The probability of finding at least two solutions in the attack on the compression function is approximately $p_2 = 1 - 2e^{-1}$, and for each of the steps in the algorithm we expect $p_2^{-1}$ repeats. So the total complexity is $128 \cdot p_2^{-1} \cdot 2^{95} \approx 2^{104}$. The padding bytes have not been considered in this attack, but it is straightforward to ensure that the preimages have correct padding without increasing the complexity of the attack [5]. One drawback of this preimage attack is that the messages always consist of 128 blocks. It is left as an open question in [5] to find preimages with fewer blocks. In the next section we give an improvement in complexity of the above attack as well as variants where the messages have fewer than 128 blocks.

4.3 Improvement of the Preimage Attack

First we give a preimage attack also with 128 blocks in the messages but with a lower complexity. We are given $h_0 = 0$ and $h = h_{128}$ and proceed as follows:

1. Given $h_0 = 0$; use the collision attack from Section 3 (see also Appendix B) to find $h_1$ and a collision for $u \ge 4$ different values of $m_1$ satisfying $h_1 = h(h_0, m_1)$.
2. Let $h_{127} = h_1$, and use the preimage attack to try to find $v \ge 1$ values of $m_{128}$ such that $h_{128} = h(h_{127}, m_{128})$. If there are no solutions, use another collision from step 1.
3. Let $h_2 = h_1$ and find $w \ge 2$ values of $m_2$ such that $h_2 = h(h_1, m_2)$. If there are no solutions, repeat step 2 using another collision from step 1.
4. Set $h_i = h_1$ for $i = 3, \dots, 126$.

This is a situation where $h_0 = 0$, $h_1 = h_2 = \dots = h_{127}$, $h_{128} = h$, and the use of the birthday attack on the checksum is expected to give 1 solution. The first step has a relatively small complexity as discussed before, but we might be forced to repeat steps 2 and 3. The probability of a solution in step 2 is approximately $p_1 = 0.63$, and the probability in the third step is approximately $p_2 = 0.26$. The total complexity of the attack is then

$$p_1^{-1} \cdot p_2^{-1} \cdot 2^{95} \le 2^{97.6}.$$

Table 1. Complexities of the preimage attack for different message lengths, where in each case one solution is expected.

  w ≥   message length   complexity
  2     128              2^97.6
  3     80               2^99.3
  4     64               2^101.4
  5     55               2^103.8
  6     50               2^106.4
  7     46               2^109.2
  8     43               2^112.2

There are possible ways to shorten the number of blocks in the preimages, but at the expense of higher complexity. If we require that $w \ge 3$ in step 3, we expect a slightly higher complexity, but the number of blocks in the preimages would drop to approximately $128/\log_2 3 \approx 80$. Table 1 shows the complexities and lengths of the preimages for different lower bounds of $w$. As an example, it is possible to lower the number of blocks in the preimages to 55 instead of 128 by requiring $w \ge 5$, in which case the complexity is $\le 2^{104}$. It is also possible to get more preimages without increasing the total (time) complexity. Since we use a preimage where $h_{i-1} = h_i$, the chain in the middle can be made arbitrarily long; its length is however limited by the complexity of the collision attack on the checksum. One example is an attack where the messages are of length 191 and where $w \ge 2$. This gives a memory and computational complexity of $2^{95}$ in the birthday attack on the checksum, and it is expected to give $2^{62}$ collisions and thereby $2^{62}$ possible preimages, but the total running time of the attack is unchanged.
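As an added example (not from the thesis), the figures in Table 1 and the $2^{104}$ and $2^{97.6}$ estimates above can be recomputed from the model Section 4.2 uses: for a fixed 128-bit target a random compression function has an approximately Poisson(1) number of preimages, so $p_w = 1 - e^{-1}\sum_{i<w} 1/i!$, and every repeated attack step on the compression function costs $2^{95}$. The function names are mine; the formulas are the ones in the text.

```python
# Added example, not from the thesis: the cost figures of Sections 4.2 and 4.3
# recomputed from the model used there, namely that a random compression function
# has a Poisson(1)-distributed number of preimages for a fixed 128-bit target and
# that every (repeated) compression-function attack step costs 2^95.
# Function names are mine; the formulas are the ones in the text.
import math


def p_at_least(w):
    """P[at least w solutions] ~ 1 - e^-1 * sum_{i<w} 1/i!  (the tail from Section 4.2)."""
    return 1.0 - math.exp(-1.0) * sum(1.0 / math.factorial(i) for i in range(w))


def muller_log2():
    """Section 4.2: 128 steps, each repeated 1/p_2 times on average, each costing 2^95."""
    return 95 + math.log2(128 / p_at_least(2))


def improved_log2(w):
    """Section 4.3: one step that needs >= 1 solution (p_1), one that needs >= w (p_w)."""
    return 95 + math.log2(1.0 / (p_at_least(1) * p_at_least(w)))


def blocks_needed(w):
    """With w choices per middle block, w^t >= 2^128 candidates needs t = 128/log2(w)."""
    return 128 / math.log2(w)


def table1():
    """(w, message length, log2 complexity) for w = 2..8, as in Table 1."""
    return [(w, round(blocks_needed(w)), round(improved_log2(w), 1)) for w in range(2, 9)]


if __name__ == "__main__":
    for w, length, cost in table1():
        print(f"w >= {w}: {length:3d} blocks, complexity 2^{cost}")
```

`table1()` reproduces the complexity column of Table 1 exactly; the length column is $128/\log_2 w$, which Table 1 rounds (for $w = 3$ the value is 80.8, printed there as 80). `muller_log2()` gives 103.9, the $\approx 2^{104}$ of Section 4.2.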

4.4 A Pseudo Preimage Attack on MD2

In this section we present a pseudo preimage attack on MD2 which has better complexity than the preimage attack, and where the messages can be (almost) as short or as long as we desire. This attack uses two attacks from [5] on the compression function, having complexities $2^{73}$ and $2^{95}$ respectively. Initially a hash value $h$ is given, and we are able to find a message $m$ and an $IV$ which give us the desired hash value $h = H(IV, m)$.

First use the method of finding pseudo preimages $h_t$ and $m_{t+1}$ of $h_{t+1} = h$ in the compression function. Remember that the last message block $m_{t+1}$ is the checksum block, and we might repeat this preimage attack to find the second last message block, which also contains the padding bytes. Due to the high degree of freedom in the attack on the compression function, it is possible to choose between 1 and 16 suitable padding bytes in this message block $m_t$, but it is sufficient to choose the last byte of $m_t$ equal to 1, and the attack still gives us $m_t$ and $h_{t-1}$ with complexity $2^{73}$. Next we need at least one more message block in our preimage to make the checksum consistent with the (given) initial value $c[0] = 0$ (recall that $c[i]$ denotes the checksum after $i$ iterations, i.e. $i$ message blocks). A potential problem with the checksum could be to fit the two fixed ends $c[0] = 0$ and $c[t] = m_{t+1}$. However, it turns out to be easy to "glue" two consecutive checksum values $c[i-1]$ and $c[i]$ together by choosing an appropriate value $m_i$. Notice that it is also possible to calculate the checksum $c[i] = c(c[i-1], m_i)$ backwards by inverting the function, $c[i-1] = c^{-1}(c[i], m_i)$. Now suppose we have found the message value $m_2$ and the checksum; we compute $c[2]$ and then $c[1]$ by going backwards. We now "glue" $c[0]$ and $c[1]$ together by finding the appropriate $m_1$. To get a preimage of two blocks we set $h_1 = h_{t-1}$ and $m_1 = m_{t-1}$, and use another pseudo preimage attack from [5], having complexity $2^{95}$, to find $IV = h_0$.

Using the MD2 hash function on the $IV$ and the message $m$ will now give the required hash $h = H(IV, m)$. The total complexity in this situation, where the message length is two, is $2^{95}$. For a required message length $t$, and given $h_{t+1} = h$, the algorithm is as follows:

– Find $h_t$ and $m_{t+1}\,(= c)$ such that $h_{t+1} = h(h_t, m_{t+1})$.
– Find $h_{t-1}$ and $m_t$ (including a valid padding byte) such that $h_t = h(h_{t-1}, m_t)$.
– Repeat the preimage attack $t - 2$ times to find $h_1$ and $m_2$.
– Find $c[1]$ by calculating the checksum backwards using $m_i$ for $i = 2, 3, \dots, t + 1$.
– Use the special property of the checksum algorithm to find $m_1$ such that $c[1] = c(0, m_1)$.
– Use the other pseudo preimage attack [5] to find $IV = h_0$ given $h_1$ and $m_1$.

The complexity of the first three steps of the attack is $t \cdot 2^{73}$ and the last step has complexity $2^{95}$. The other parts of the algorithm have relatively small complexity, and the total complexity of the attack is $2^{95}$ as long as $t \le 2^{21}$. The message length could be as small as $t = 2$.

5 Conclusion

In this paper some new attacks on the hash function MD2 were presented. First some extended collision attacks on the compression function were given. Using one of these attacks it was shown to be possible to mount a pseudo collision attack on MD2, which is the first known attack of its kind faster than the trivial attacks. The paper also presented the best known preimage attack on MD2, which is an improvement by a factor of about 80 compared to existing attacks. Also, it was shown that the lengths of the preimages can be made smaller than in previous attacks, where the lengths were fixed and relatively high. Moreover it was shown that it is possible to extend the attack such that many preimages are found.

References

1. I. B. Damgård. A design principle for hash functions. In G. Brassard, editor, Advances in Cryptology - CRYPTO'89, Lecture Notes in Computer Science 435, pages 416-427. Springer Verlag, 1990.
2. B. Kaliski. The MD2 message-digest algorithm. Request for Comments (RFC) 1319, Internet Activities Board, Internet Privacy Task Force, April 1992. Available from http://www.faqs.org/rfcs/rfc1319.html.
3. A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1997.
4. R. Merkle. One way hash functions and DES. In G. Brassard, editor, Advances in Cryptology - CRYPTO'89, Lecture Notes in Computer Science 435, pages 428-446. Springer Verlag, 1990.
5. F. Muller. The MD2 hash function is not one-way. In P. J. Lee, editor, Advances in Cryptology - ASIACRYPT 2004, Lecture Notes in Computer Science 3329, pages 214-229. Springer Verlag, 2004.
6. N. Rogier and P. Chauvaud. MD2 is not secure without the checksum byte. Designs, Codes and Cryptography, 12, pages 245-251, 1997.

Fig. 1. The MD2 compression function calculation shown as a matrix $T$ whose first row is $h_{i-1} \,|\, m_i \,|\, h_{i-1} \oplus m_i$. It also shows how the submatrices $T_1$, $T_2$ and $T_3$ are defined; one line at a time is computed from left to right. The 16 rightmost bytes of the last line of $T_1$ (the dark area in the last line) contain $h_i = h(h_{i-1}, m_i)$ when the matrix is completed.

A Properties of the MD2 Compression Function

In order to be able to describe the attacks it is convenient to describe the compression function and its intermediate states in a $19 \times 49$ matrix $T = (T_{i,j})_{i=0,1,\dots,18;\ j=0,1,\dots,48}$, which is also shown in Figure 1, where the first row is made from $h_{i-1}$, $m_i$ and $h_{i-1} \oplus m_i$. The first element $T_{0,0}$ is never used, but $(T_{0,j})_{j=1,2,\dots,48} = h_{i-1} \,|\, m_i \,|\, h_{i-1} \oplus m_i$. Next the rows of the matrix are processed in an iterative manner:

– $T_{1,0} = 0$
– $T_{i,0} = T_{i-1,48} + i - 2 \bmod 256$ for $i = 2, 3, \dots, 18$ (but not for $i = 1$)
– $T_{i,j} = T_{i-1,j} \oplus s(T_{i,j-1})$ for $i = 1, 2, \dots, 18$ and $j = 1, 2, \dots, 48$
– $h_i = (T_{18,j})_{j=1,2,\dots,16}$

Fig. 2. The dependency of an element $T_{i,j}$ in the matrix $T$. The three figures show the three dependencies $T_{i,j} = T_{i-1,j} \oplus s(T_{i,j-1})$, $T_{i-1,j} = T_{i,j} \oplus s(T_{i,j-1})$ and $T_{i,j-1} = s^{-1}(T_{i,j} \oplus T_{i-1,j})$ respectively.

After this procedure the matrix contains all the states of the compression function. As we shall see, it is sometimes advantageous in a cryptanalytic approach to try and compute the values in the matrix in a different order than the above line-by-line approach. To help us do this, we have derived five computing rules directly from the algorithm. The first three rules are shown in Figure 2. The two remaining ones are just the dependencies between the first and last columns of $T$. The rules are:

1. $T_{i,j} = T_{i-1,j} \oplus s(T_{i,j-1})$, where $i = 1, 2, \dots, 18$ and $j = 1, 2, \dots, 48$.
2. $T_{i-1,j} = T_{i,j} \oplus s(T_{i,j-1})$, where $i = 1, 2, \dots, 18$ and $j = 1, 2, \dots, 48$.
3. $T_{i,j-1} = s^{-1}(T_{i,j} \oplus T_{i-1,j})$, where $i = 1, 2, \dots, 18$ and $j = 1, 2, \dots, 48$.
4. $T_{i,0} = T_{i-1,48} + (i - 2) \bmod 256$, where $i = 2, 3, \dots, 18$.
5. $T_{i-1,48} = T_{i,0} - (i - 2) \bmod 256$, where $i = 2, 3, \dots, 18$.

The first three rules give us five properties from [6], also shown in Figure 3 and Figure 4.

Property 1: Let $k < m$ and $l < n$. If the elements $(T_{k,j})_{j=l,l+1,\dots,n}$ from row $k$ and $(T_{i,l})_{i=k,k+1,\dots,m}$ from column $l$ are known, the submatrix $(T_{i,j})_{i=k,\dots,m;\ j=l,\dots,n}$ is uniquely determined using rule 1 (Figure 3).

Property 2: Let $k < m$ and $l < n$. If the elements $(T_{k,j})_{j=l,l+1,\dots,n}$ from row $k$ and $(T_{i,n})_{i=k,k+1,\dots,m}$ from column $n$ are known, the matrix $(T_{i,j})_{i=k,\dots,m;\ j=l,\dots,n}$ is uniquely determined using rule 3 (Figure 3).

Property 3: Let $k < m$ and $l < n$. If the elements $(T_{m,j})_{j=l,l+1,\dots,n}$ from row $m$ and $(T_{i,l})_{i=k,k+1,\dots,m}$ from column $l$ are known, the matrix $(T_{i,j})_{i=k,\dots,m;\ j=l,\dots,n}$ is uniquely determined using rule 2 (Figure 3).

Property 4: Let $l < n$ and $k < m$, such that $m - k = n - l$. If the elements $(T_{i,n})_{i=k,k+1,\dots,m}$ from column $n$ are known, then half the matrix $(T_{i,j})_{i=k,\dots,m;\ j=l,\dots,n}$ is uniquely determined under the diagonal, namely $(T_{i,j})_{i=k,\dots,m;\ j=n+k-i,\dots,n}$, using rule 3 (Figure 4).

Fig. 3. The figure from left to right shows Properties 1, 2 and 3 respectively. If the dark areas are known, the rest of the matrix is uniquely defined.


Fig. 4. Illustration of the Properties 4 and 5. If the bottom row or the rightmost column is known, the shaded triangle is uniquely defined.

Property 5: Let $k < m$ and $l < n$, such that $n - l = m - k$. If the elements $(T_{m,j})_{j=l,l+1,\dots,n}$ from row $m$ are known, then half the square matrix $(T_{i,j})_{i=k,\dots,m;\ j=l,\dots,n}$ is uniquely determined under the diagonal, namely $(T_{i,j})_{i=k,\dots,m;\ j=n+k-i,\dots,n}$, using rule 2 (Figure 4).

Observe that Properties 4 and 5 are similar and define exactly the same triangle, and that Properties 1, 2 and 3 define the same rectangle. In the attacks on the compression function it is useful to denote the leftmost 17, the middle 17 and the rightmost 17 columns of the matrix $T$ by (the matrices) $T_1$, $T_2$ and $T_3$ respectively, as shown in Figure 1. Notice that the first and last column of $T_2$ overlap with the last column of $T_1$ and the first column of $T_3$.

B Collision Attacks on the Compression Function of MD2

B.1 Collision Attack where $h_{i-1} = 0$

Fig. 5. The figure shows the collision attack on the compression function where $h_{i-1} = 0$. The dark areas are processed line by line.

The first part of this section is from [6] with our extensions at the end. We shall consider a special case where $h_{i-1} = 0$; as a consequence $m_i = h_{i-1} \oplus m_i$, so the first rows of $T_2$ and $T_3$ are equal. Since the first row of $T_1$ and the first element in row 1 are known (defined to be 0), we are able to calculate row 1 of $T_1$. Now we try to find values of $m_i$ such that the first 13 rows of $T_2$ and $T_3$ are equal; in order to be equal, the leftmost columns of $T_2$ and $T_3$ must be equal and the rightmost columns of $T_2$ and $T_3$ must be equal. Since the rightmost column of $T_2$ coincides with the leftmost column of $T_3$, all four of them must be equal in order for the matrices to be equal. Having the rightmost element $(T_1)_{1,16}$ in the first row of $T_1$, we know that we must have:

$$(T_1)_{1,16} = (T_2)_{1,0} = (T_3)_{1,0} = (T_2)_{1,16} = (T_3)_{1,16} = T_{1,48},$$

and if we know $T_{1,48}$ we know that $T_{2,0} = T_{1,48} + 0 \bmod 256$, so it is simple to complete row 2 of $T_1$. We continue until row $k$: $(T_1)_{i,16} = (T_2)_{i,16} = (T_3)_{i,16}$ for $i = 1, 2, \dots, k$, and calculate row $k+1$ of $T_1$. The $k$ values in the right column of $T_2$ and $T_3$ are now known and we might complete a triangle in the rows $1, 2, \dots, k$ of these two matrices according to Property 2, as shown in Figure 5. The figure shows the situation where 13 rows ($k = 13$) are preprocessed and the triangles are completed, and there are 3 remaining bytes to be chosen to complete row 13 of $T_2$ and $T_3$. The $2^{24}$ possible choices of these bytes will determine $2^{24}$ different first rows $m_i = h_{i-1} \oplus m_i$ (Property 3) and will complete row 13 in both of these matrices, and since the first 14 rows of $T_1$ are already fixed we have a multi-collision in $((T_1)_{i,0})_{i=1,2,\dots,14}$ containing $(2^8)^3$ different messages $m_i$. It remains to find collisions among these in the last 4 rows of column 0:

$$((T_1)_{i,0})_{i=15,16,17,18},$$

and equal values in row 0 and column 0 of $T_1$ give an equal matrix by Property 1, so we also have collisions in the 16 bytes of the last row of $T_1$, which is the chaining variable $h_i$. The expected number of collisions in this case is approximately

$$\frac{\left((2^8)^3\right)^2 / 2}{(2^8)^4} = 2^{15} = 32768$$

in theory, and we found 32784 collisions in practice. In [6] $k = 14$ and 2 bytes are varied; the expected number of collisions was 128 and in practice there were 141 collisions, but decreasing $k$ to get more collisions is not mentioned explicitly in that paper. In general we would expect

$$\frac{\left((2^8)^{16-k}\right)^2 / 2}{(2^8)^{18-(k+1)}} = 2^{8(15-k)-1}$$

collisions, depending only on the choice of $k$. The memory and computational complexity is proportional to the number of bytes varied: $2^{8(16-k)}$. In the preimage attack described earlier in this paper it is advantageous to use this attack when $h_0 = 0$ to get collisions in $m_1$. It is possible to get more than 2 different $m_1$ such that all of them give the same output $h_1$, and if so we have a multiple collision. If we look for a $d$-tuple collision and we are able to vary $b = 16 - k$ bytes in the first phase of the attack, we expect

$$\binom{2^{8b}}{d} \Big/ 2^{8(b+1)(d-1)} \approx \frac{2^{8(b+1-d)}}{d!}$$

$d$-tuple collisions. If $b = 9$ and $d = 8$ we expect $\approx 2^{0.7} \ge 1$ multiple collisions of size 8, and the complexity is approximately $2^{72}$. There are similar attacks on the compression function where $m_i = 0$ or where $h_{i-1} \oplus m_i = 0$. For these two attacks and the one where $h_{i-1} = 0$ there are generalizations which are described in detail in an extended version of the paper available at:

http://www.ii.uib.no/~johnm/publications/md2-procExtended.pdf


Cryptanalysis of the MD2 Hash Function

Lars R. Knudsen, John Erik Mathiassen, and Frédéric Muller

Abstract. MD2 is a hash function designed by Ron Rivest for RSA Security. It produces hash results of 128 bits. Despite being a rather old design, one finds that the algorithm is still used widely today. In this paper we present both collision attacks and preimage attacks which are faster than naive attacks.

Keywords. Hash functions, digital signatures, MD2.

1 Introduction

Cryptographic hash functions are an important primitive used in various situations. The main fields of application are message authentication codes, digital signatures, and therefore certificates. Hash functions are also used as a building tool in many protocols and advanced constructions. By definition, a hash function $H$ is a function mapping an input message $m$ of arbitrary length to an output $h$ of fixed length (typically this length ranges from 128 to 512 bits),

h = H(m).

The standard property required of a secure cryptographic hash function is that the following tasks should be difficult:

– find two inputs $m$ and $m'$ such that $m \ne m'$ and $H(m) = H(m')$ (collision),
– for a given $m$, find $m' \ne m$ such that $H(m) = H(m')$ (second preimage),
– for a given challenge $h = H(m)$, find $m'$ such that $H(m') = h$ (preimage).

Author affiliations: Lars R. Knudsen, Department of Mathematics, Technical University of Denmark, DK-2800 Kgs. Lyngby, Denmark, [email protected]; John Erik Mathiassen, Department of Informatics, University of Bergen, N-5020 Bergen, Norway, [email protected]; Frédéric Muller, DCSSI Crypto Lab, 51 Boulevard de Latour-Maubourg, 75700 Paris 07 SP, France, [email protected].

For more theory of hash functions the reader is referred to [12, 9]. Most of the hash functions used in practice belong to the so-called "MD family". This family of hash functions was initially developed by Ron Rivest for RSA Security. The first proposal was MD2 [5], an early, non-conventional, byte-oriented design. It was quickly followed by MD4 [14] and MD5 [15], two hash functions with a more modern, 32-bit-oriented design. Despite not being collision-resistant [3], MD4 has inspired most modern hash function designs, like the RIPEMD family or the SHA family. Over the last years, the effort in attacking hash functions has mostly concentrated on collision-resistance, whereas only little progress has been made in preimage resistance.

In this paper, we focus on the MD2 hash function [5]. Despite being the oldest hash function of its family, and despite using an old-fashioned architecture, MD2 is still used in several contexts. For instance, if we look at the recent PKCS #1 v2.1, a cryptographic standard from RSA Security [8], the MD2 hash is still given as an example of a one-way, collision-resistant hash function, while MD4 has been removed, presumably because of Dobbertin's attack [3]. In addition, it is said that "MD2 (is) recommended only for compatibility with existing applications based on PKCS #1 v1.5". The underlying explanation is that the use of MD2 was highly encouraged in the previous version from 1993 [7], where MD2 was recommended as a "conservative design". This confidence in MD2 is not surprising because, despite being quite inefficient and based on an older design philosophy, MD2 has resisted cryptanalysis surprisingly well. MD2 still appears in various applications and even some proposed standards [1]. However, the crucial security point regarding MD2 is now its use in public-key infrastructures. Many certificates have been generated with RSA-MD2 in the past and many of them are still widely used (like Verisign certificates for instance). Actually, anyone can easily verify that recent versions of Windows are delivered with those MD2 certificates. Therefore millions of users are probably using MD2-based certificates on a regular basis.

The security of certificates is a particular problem. Indeed, collision attacks do not threaten the security of the scheme, because the input of the signature primitive (typically the usual primitive used with MD2 is the RSA signature) is fixed. An attacker needs to find a collision between two inputs to MD2, one of them, however, being the data part of the certificate. If he succeeds, he will manage to forge a new valid certificate. Hence what is required here is exactly second preimage resistance of MD2. This is an important motivation to analyze the security of MD2 also regarding preimage and second preimage attacks.

The only known attack on MD2 up until 2004 is a collision attack against the compression function [17]. This attack works with the correct IV; however, it no longer works when a checksum is appended to the message, as imposed in the specifications [5]. For the full hash function no attack was known, although potential approaches were discussed [12]. Then in 2004 Muller presented a preimage attack of complexity $2^{104}$, thus considerably faster than brute force [11]. In [6] Muller's attack was improved and a preimage attack of complexity $2^{98}$ was presented. In this paper we present the first known attack on (the full) MD2 which can find collisions faster than by brute force. Also we present an improvement of the aforementioned preimage attack, of complexity $2^{96}$. Thus MD2 can no longer be regarded as a secure hash function, neither in terms of being a collision-resistant function nor in terms of being a one-way hash function.

The organisation of this paper is as follows. Section 2 describes the details of MD2 needed to understand the analysis in this paper. The collision and preimage attacks are described in Sections 3 and 4 respectively, and Section 5 holds our conclusions.

2 Description of the MD2 hash function

The MD2 hash function $H : GF(256)^* \to GF(256)^{16}$ is a mapping from an arbitrarily long sequence of bytes to 16 bytes. The message $m$ is split into $t$ blocks of 16 bytes $(m_1, m_2, \dots, m_t)$ (the last block may not be complete) and is modified twice:

– first, a padding of length between 1 and 16 bytes is added to the message such that its length is a multiple of 16 bytes. For that purpose, the initial length $b$ of $m$ (counted in bytes and modulo 16) is taken. The number $16 - b$, represented as a byte, is added to the message $16 - b$ times to complete the last message block;
– second, a checksum block of 16 bytes, depending on the whole message, is appended to the padded message. An iterative function $g : GF(256)^{16} \times GF(256)^{16} \to GF(256)^{16}$, called the checksum function, is used. It is iterated over the whole message by

$$c_i = g(c_{i-1}, m_i)$$

where the inputs to the $i$th iteration are the message block $m_i$ and the checksum chaining variable $c_{i-1}$, and the output is the next chaining variable $c_i$. The output from the last iteration $c_t = g(c_{t-1}, m_t)$ (also called $m_{t+1}$) is appended to the message.

The resulting $t + 1$ message blocks $(m_1, m_2, \dots, m_{t+1})$ are processed in an iterative manner by a compression function (Figure 1)

$$h : GF(256)^{16} \times GF(256)^{16} \to GF(256)^{16}$$

such that

$$h_i = h(h_{i-1}, m_i)$$

where the inputs to the $i$th iteration are the message block $m_i$ and the chaining variable $h_{i-1}$, and the output is the next chaining variable $h_i$. The output from the last iteration of $h(\cdot, \cdot)$ is the hash value $\mathrm{Hash}(m) = h(h_t, m_{t+1})$. One notices that this construction does not follow the popular Merkle-Damgård construction [2, 10], since an additional checksum function is used after the padding operation.

The Checksum Function. The checksum function has a 16-byte state $s = s_0, s_1, \dots, s_{15}$, all initialized to zero. The function is iterated over the whole message, and in round $i$ the message block $m_i$ and the state $s$ are processed, $s = g(s, m_i)$, as follows, for $j = 0, \dots, 15$:

$$s_j = s_j \oplus S(s_{j-1} \oplus m_{i,j}),$$

where $s_{-1}$ denotes $s_{15}$ as left by the previous block (zero for the first block) and where $S()$ is a bijective mapping from $GF(256)$ to $GF(256)$. The exact details of this S-box $S$ are not needed in this paper. (The prose of RFC 1319 writes this step as $s_j = S(s_{j-1} \oplus m_{i,j})$, without the XOR into the old $s_j$; the RFC's reference implementation, which is what deployed MD2 computes, includes it, and it is this form that makes $g$ invertible for a known $m_i$.) After the last iteration of $g(\cdot, \cdot)$, the state $s$ contains the checksum $m_{t+1}$.

The Compression Function. The compression function has a state of 49 bytes, $T_0, T_1, \dots, T_{48}$. One iterates over this state several times before processing the next message block. $T_0$ is set to zero and the remaining 48 bytes of the state are initialized to $h_{i-1} \,|\, m_i \,|\, h_{i-1} \oplus m_i$. After the initialization the algorithm is as follows:

For $j$ from 1 to 18 do
    For $k$ from 1 to 48 do
        $T_k = T_k \oplus S(T_{k-1})$
    $T_0 = (T_{48} + j - 1) \bmod 256$

This is further described in Figure 1. It is interesting to notice that this construction is completely different from most hash functions, which use a block-cipher oriented construction such as the Davies-Meyer construction.


Fig. 1. Vector-oriented representation of the compression function

To better illustrate the attacks on the compression function it is convenient to visualize the state during the 18 rounds as three state matrices $A$, $B$ and $C$ (see Figure 2), where $A$ contains the states of the 16 bytes $T_1, T_2, \dots, T_{16}$, shown in Figure 1, during all 18 rounds. The first row of $A$ contains the initial state $h_{i-1}$. The first rows of $B$ and $C$ are initialized with $m_i$ and $h_{i-1} \oplus m_i$ respectively. $B$ similarly contains the successive states of the 16 bytes $T_{17}, T_{18}, \dots, T_{32}$, and $C$ the successive states of the 16 bytes $T_{33}, T_{34}, \dots, T_{48}$.

Fig. 2. Matrix-oriented representation of the compression function. The initialization is done by $(A_0^0, A_1^0, \dots, A_{15}^0) = h_{i-1}$, $(B_0^0, B_1^0, \dots, B_{15}^0) = m_i$ and $(C_0^0, C_1^0, \dots, C_{15}^0) = h_{i-1} \oplus m_i$. Then values are updated from left to right and from top to bottom, according to the update rule defined previously. The last line of $A$ contains the output of the compression function.

2.1 Summary

To summarize, an MD2 hash value is computed as follows (see Figure 3 for a graphical representation):

– Append the padding $p$ to the message $m$ according to the padding rule and split the result into blocks of 16 bytes: $m \| p = (m_1, m_2, \dots, m_t)$.
– Iterate the checksum function $c_i = g(c_{i-1}, m_i)$ over the $t$ message blocks to get $m_{t+1} = c$ ($c_0 = 0$).
– Iterate the compression function $h_i = h(h_{i-1}, m_i)$ on the message $m \| p \| c = (m_1, m_2, \dots, m_{t+1})$ and get $h$ from the last iteration.

3 Collision Attacks against MD2

This section will introduce a collision attack against MD2. First we present a collision attack on the compression function, and then an attack on the (full) MD2 hash function.

Fig. 3. Summary of the MD2 hash function with the ”double” chain.

3.1 Analysis of the Compression Function

In this section we describe a general collision attack on the MD2 compression function that is better than exhaustive search. To find a collision in the compression function h(·, ·) we have to find (at least) two messages m_i that give the same output h_i for an arbitrary value of the input chaining variable h_{i−1}. Collision attacks on the compression function of MD2 have been reported earlier [6, 17], but these place constraints on h_{i−1} which limit the flexibility of the attacks.

The middle matrix of Figure 4 illustrates the property that a rectangular (sub-)matrix of the state matrices can be completed, and is unique, if the first row and the right column are known. In the following attack we search for a collision in the right column of A, since the first row, h_{i−1}, is already known. Since such a collision in this column gives a collision in the whole matrix A, it certainly gives a collision in the last row of A, which is h_i.

The collision attack on the compression function has two steps. In the first step we search for a set of messages m_i giving a multi-collision in the first few (typically 5) rows of the right column of A. In the second step we use the birthday attack on the messages of the multi-collision set to find a collision in the remaining rows of the right column of A. Such a collision will, according to Property 2 mentioned above, give a collision in the whole matrix A, and therefore also in the last row, h_i.

Fig. 4. The figures from left to right show Properties 1, 2 and 3 respectively. These matrices are submatrices of the state matrix of the compression function, and the following is always true: if the dark area of the matrix is set, the rest of the matrix is uniquely defined.

First Step. We perform a "meet-in-the-middle" attack on the matrices B and C to find a multi-collision. A pre-condition of this attack is that we know what enters on the left hand side of B and what goes out on the right hand side of C. We therefore fix the values of (C_15^1, C_15^2, C_15^3, C_15^4). The values of (A_15^1, A_15^2, A_15^3, A_15^4, A_15^5) are easily obtained from the fixed values, since we also know h_{i−1}. This is due to a property similar to the one in Figure 4. Having these pre-conditions and given a value of h_{i−1}, the algorithm works as follows:

– Pick an arbitrary value for the 4 bytes (B_15^1 ... B_15^4)
  • For 2^x ≤ 2^64 values of the 8 bytes (m_{i,0} ... m_{i,7})
    ∗ Compute the 4 bytes (B_7^1 ... B_7^4) (this is possible because the sequence of A_15^t's is known)
    ∗ Compute the 4 bytes (C_7^1 ... C_7^4) (this is possible because h_{i−1} is known)
    ∗ Store these 4 + 4 = 8 bytes in a table T_1
  • Sort T_1 (which has 2^x entries of 64 bits each)
  • Repeat the same process with (m_{i,8} ... m_{i,15}) to obtain a table T_2 that also contains the bytes (B_7^1 ... B_7^4, C_7^1 ... C_7^4)
  • Find all collisions between T_1 and T_2. This can be done efficiently by computing the joint product T = T_1 ⋈ T_2 (see [18]) with complexity of the order of 2^x
  • The resulting table T contains on average 2^{2(x−32)} candidate values for m_i = (m_{i,0} ... m_{i,15})
  • Loop over all these candidates to find all valid m_i's

One can also refer to Figure 5 for the general philosophy of this attack. Dashed boxes represent the 8 bytes stored in the tables T_1 and T_2, where we look for collisions.

Fig. 5. The general philosophy of the attack. (The figure shows the matrices B and C side by side: the known value A_15^1 ... A_15^4 enters B on the left, the initial guess of 32 bits, B_15^1 ... B_15^4, passes from B to C, and the known value C_15^1 ... C_15^4 leaves C on the right; in each matrix the left half is computed from the guess on the bytes 0 to 7 and the right half from the guess on the bytes 8 to 15.)

The same algorithm is used in Section 4.3, but then with x = 64. In that attack the attacker also has to loop through all the 2^32 different values of the 4 bytes (B_15^1 ... B_15^4). Here, unless otherwise stated, only one arbitrary value of these bytes is chosen. We use 2^x different messages in the left half of m_i and the same number in the right half of m_i. This leaves us with 2^{2x} pair combinations in the search for a collision in the first 4 bytes of the middle column (column 7) of both matrix B and matrix C. The chance of having a collision here is 2^{−8·4·2}, and we therefore expect 2^{2(x−32)} multi-collisions. Fixing the bytes in z rows instead of 4 gives an expectation of w = 2^{2(x−8z)} multi-collisions.
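The first step above, as an added example (Python, not the thesis's own code) at a size that runs in seconds: the meet-in-the-middle on B and C with z = 1 fixed byte of C's right column, 2^x = 2^6 values per half of m_i, a seeded random permutation standing in for the MD2 S-box (the step only uses that S is invertible), and, as in Section 4.3, a loop over every guess of B_15^1. The candidates are compared with a brute-force search over all 2^{2x} messages, and all of them are shown to share (A_15^1, A_15^2), which is the multi-collision the second step starts from. The 18-round state update is restated so the block runs on its own.

```python
"""First step of the collision attack (meet-in-the-middle on B and C) at toy size.
Added example, not the thesis's code. Assumptions that differ from the text: S is a
seeded random permutation standing in for the MD2 S-box (the step only needs S to be
invertible); z = 1 byte of C's right column is fixed instead of 4; each half of m_i
ranges over 2^x = 2^6 values; and, as in Section 4.3, every guess of B_15^1..B_15^z
is tried, so that the output can be compared with a brute-force search."""
import itertools
import random

_r = random.Random(2)
S = list(range(256))
_r.shuffle(S)                               # stand-in for the MD2 S-box
S_INV = [0] * 256
for _v, _s in enumerate(S):
    S_INV[_s] = _v


def state_matrices(h_prev, m):
    """18 rounds of the RFC 1319 state update, split into the matrices A, B, C."""
    X = [list(h_prev) + list(m) + [a ^ b for a, b in zip(h_prev, m)]]
    t = 0
    for j in range(18):
        row = X[-1][:]
        for k in range(48):
            row[k] ^= S[t]
            t = row[k]
        X.append(row)
        t = (t + j) & 0xFF
    return [r[:16] for r in X], [r[16:32] for r in X], [r[32:] for r in X]


def forward_rows(row0, entering):
    """Property 1: rows 1..z of a sub-matrix from its row 0 and the byte entering
    each row on the left, using X[t][k] = X[t-1][k] ^ S[X[t][k-1]]."""
    rows = [list(row0)]
    for b in entering:
        prev, cur = rows[-1], []
        for k in range(len(row0)):
            b = prev[k] ^ S[b]
            cur.append(b)
        rows.append(cur)
    return rows


def entering_from_right(row0, right_col):
    """Property 2: from row 0 and the right column, solve rows 1..z right to left
    and return the byte that must have entered each row on the left."""
    rows, entering = [list(row0)], []
    for rb in right_col:
        prev, cur = rows[-1], [0] * len(row0)
        cur[-1] = rb
        for k in range(len(row0) - 1, 0, -1):
            cur[k - 1] = S_INV[cur[k] ^ prev[k]]
        entering.append(S_INV[cur[0] ^ prev[0]])
        rows.append(cur)
    return entering


def mitm_first_step(h_prev, c15_fixed, lefts, rights):
    """All m_i = left || right whose C_15^t equals c15_fixed[t-1] for t = 1..z."""
    z = len(c15_fixed)
    # Rows 1..z+1 of A follow from h_{i-1}: round 0 enters 0, round t enters C_15^t + (t-1).
    A = forward_rows(h_prev, [0] + [(c + t) & 0xFF for t, c in enumerate(c15_fixed)])
    a15 = [A[t][15] for t in range(1, z + 1)]            # the bytes entering B on the left
    found = set()
    for guess in itertools.product(range(256), repeat=z):   # B_15^1 .. B_15^z
        T1 = {}
        for left in lefts:                                  # bytes 0..7 of m_i
            c_row0 = bytes(a ^ b for a, b in zip(h_prev[:8], left))
            b7 = [r[7] for r in forward_rows(left, a15)[1:]]
            c7 = [r[7] for r in forward_rows(c_row0, guess)[1:]]
            T1.setdefault(tuple(b7 + c7), []).append(left)
        for right in rights:                                # bytes 8..15 of m_i
            c_row0 = bytes(a ^ b for a, b in zip(h_prev[8:], right))
            b7 = entering_from_right(right, guess)
            c7 = entering_from_right(c_row0, c15_fixed)
            for left in T1.get(tuple(b7 + c7), ()):
                found.add(bytes(left) + bytes(right))
    return found


def brute_force(h_prev, c15_fixed, lefts, rights):
    """Reference answer: run the full state update on every left || right."""
    z, out = len(c15_fixed), set()
    for left in lefts:
        for right in rights:
            m = bytes(left) + bytes(right)
            C = state_matrices(h_prev, m)[2]
            if [C[t][15] for t in range(1, z + 1)] == list(c15_fixed):
                out.add(m)
    return out


def a_column_prefixes(h_prev, z, messages):
    """The distinct (A_15^1, ..., A_15^{z+1}) the messages produce; one = multi-collision."""
    return {tuple(state_matrices(h_prev, m)[0][t][15] for t in range(1, z + 2)) for m in messages}


def run_toy(x=6, z=1, seed=7):
    """Constructed random instance; returns (h_prev, z, mitm candidates, brute-force set)."""
    r = random.Random(seed)
    h_prev = bytes(r.randrange(256) for _ in range(16))
    c15_fixed = [r.randrange(256) for _ in range(z)]
    lefts = [bytes(r.randrange(256) for _ in range(8)) for _ in range(1 << x)]
    rights = [bytes(r.randrange(256) for _ in range(8)) for _ in range(1 << x)]
    found = mitm_first_step(h_prev, c15_fixed, lefts, rights)
    return h_prev, z, found, brute_force(h_prev, c15_fixed, lefts, rights)
```

At this size the meet-in-the-middle costs about 2^{8z} · 2^{x+1} short table operations against 2^{2x} full compressions for the brute force, so the saving only shows when 2^x is large, as in Table 1. What the toy run does show is that the matching rule is exact: a message is returned if and only if its C_15^1 equals the fixed value, and every returned message shares the same (A_15^1, A_15^2).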

Second Step. Having the w multi-collisions from the first step, we look for a collision in the remaining 17 − z rows among these w multi-collisions, because we have already fixed z + 1 rows in matrix A when z values are fixed in the last column of matrix C. The algorithm works as follows:

– For all w values of m_i from the first step, evaluate the compression matrix and look for collisions in h_i

From the first step we have 2^{2(x−8z)} multi-collisions in the values A_15^1, A_15^2, ..., A_15^{z+1}, and it remains to get collisions in the 17 − z remaining positions A_15^{z+2}, A_15^{z+3}, ..., A_15^{18}. We might combine these multi-collisions in pairs in

  \binom{w}{2} \approx \frac{w^2}{2}

ways, where each of these pairs has a probability of 2^{−8(17−z)} of yielding a collision. Thus one expects to find

  \binom{w}{2} \cdot 2^{-8(17-z)} \approx \frac{w^2}{2} \cdot 2^{-8(17-z)} = \frac{2^{4(x-8z)}}{2^{8(17-z)+1}} = 2^{4(x-6z-34)-1}

collisions.

Complexity. In the first step the complexity is 4 · 2^x, because we go through 2^x values of m_i. However, an estimate shows that the number of instructions in this phase is a factor 2^{−11} of a whole computation of the compression function, so the time to find w = 2^{2(x−8z)} multi-collisions is 2^{x−9}. In the second step we go through one compression function iteration for each of these multi-collisions, leading to 2^{2(x−8z)} evaluations. The total time of this attack is then

  2^{x-9} + 2^{2(x-8z)}.

In order to get as low a complexity as possible we want to balance x and z such that the two terms in the complexity expression are as low as possible. Balancing the exponents, x − 9 = 2(x − 8z) gives z = (x + 9)/16, and our choice of x in the range 58 ≤ x ≤ 64 suggests that z = 4 is optimal in the sense that it balances the complexities of steps 1 and 2.

Success probability. There are several factors involved in the success probability calculation, since we have to combine the probabilities of two steps. But for simplicity it is assumed that one gets at least the average expected number of collisions in the first step, 2^{2(x−8z)}. It is well known [13] that with a slight increase in the data the number of collisions increases dramatically. Assuming w = 2^{2(x−8z)} multi-collisions from the first step, we want to compute the probability of getting at least one collision in the second step. Using the birthday paradox formula one gets a probability of success of

  p_1 \approx 1 - e^{-2^{4(x-8z)} / 2^{8(17-z)+1}} = 1 - e^{-2^{4(x-6z-34)-1}}

in the second stage. Table 1 shows the expected number of collisions, running time and probability of success for different numbers of messages used in the first step of the attack. In an attack on the hash function we might choose between using 2^58 or 2^59 messages, which gives the expectation of 1/2 or 8 collisions respectively, and the probabilities of at least one collision are 0.39 and 1.00.

Table 1. Time usage of the collision attack on the compression function.

  # messages (log2)   rows fixed z   expected collisions   time    probability
  58                  4              1/2                   2^52    0.39
  59                  4              8                     2^54    1.00

3.2 Analysis of the Full Hash

In this section we describe a collision attack on MD2. To be able to compare a collision attack on MD2 to the brute force attack we have to evaluate the time usage of the brute force attack. The birthday attack is a brute force collision attack possible on all hash functions. Using 2^{64.5} messages m, the probability of a collision of two messages m and m' such that H(m) = H(m') is ≈ 1 − e^{−1} ≈ 0.63. The brute force attack works as follows on MD2. Up to 15 bytes of the first message block m_1 are varied in 2^{64.5} different ways, since the last byte of m_1 must be reserved for the padding byte '1'. The next block m_2 will be the checksum block, so the hash is generated by (at least) two compression function iterations. We exclude the time for the checksum calculation, since the time spent on it is a factor 2^{−5.75} of the compression function. The total time spent in the collision search is then 2^{65.5} compression function calculations, and the memory used is 2^{64.5} blocks (we ignore the factor 2 of storing both the message and the hash, in both our attack and the brute force attack). From the previous section we have an attack on the compression function that, given h_{i−1}, gives us a collision with probability p = 0.39 at complexity 2^52. This attack is repeated p^{−1} · 63 times, so that we can expect a collision in the checksum as well.

To see this, remember that IV = h_0 is 0. From [6] one finds an attack of complexity 2^31 which finds a 4-collision, that is, four messages m_1^{(1)}, m_1^{(2)}, m_1^{(3)} and m_1^{(4)} such that h_1 = h(0, m_1^{(i)}) = h(0, m_1^{(j)}) for all combinations of i, j ∈ {1, 2, 3, 4}. Given these four messages and h_1, do the following (i := 2):

– Given h_{i−1}, use the collision attack on the compression function to find a collision (m_i, m_i') where both messages map to the same h_i.
– If i < 64, increase i by one and repeat the first step.

Now we have a chain h_1, h_2, ..., h_64 with w ≥ 2 collisions in each round (in addition to v ≥ 4 in the first round), so we have at least 2^65 multi-collisions [4] mapping h_0 to h_64. In conventional hash function design a single collision in the compression function is enough to have a collision for the hash function, but for MD2 this does not help if we do not have collisions on the checksum also. Since there are 2^128 possible checksum values and 2^65 different messages, a collision in the checksum among one of these message pairs is expected by the birthday paradox. The following algorithm will with high probability find a collision in the checksum also:

– Given all c_{i−1}, calculate all 2^{i+1} values c_i = g(c_{i−1}, m_i) from all the c_{i−1}'s and m_i's (for i = 1, 2, ..., 64)
– Having 2^65 "random" values c_64, we expect a collision by the birthday paradox.

Normally, having 2^65 different checksums c_64 we would expect 2 collisions, or at least one collision with probability 0.86. A bijective property of the checksum function g(·, ·) decreases this probability slightly, to 0.74. This property is explained in detail in the appendix.

Complexity. In the first step we repeat the attack on the compression function 63/p_1 ≈ 2^{7.3} times, and the total time usage is 2^{7.3} · 2^52 = 2^{59.3}. The second step uses one-round checksum calculations. One compression function iteration has 3 · 18 · 64 simple evaluations, and one checksum iteration has 64, which compares to 1/54 of a compression function iteration. The checksum collision algorithm iterates the checksum 4 + 8 + ··· + 2^65 ≈ 2^66 times. The total time consumption is therefore comparable to 2^66/54 = 2^{60.2} compression function evaluations. The overall time complexity of the attack is then 2^{60.8}, but one disadvantage is that it requires the storage of 2^65 checksums and message blocks. However, there is a tradeoff between the time usage and the required memory. As an example, one tradeoff is a time usage of 2^63 and a memory requirement of 2^62. More results on this time/memory tradeoff are in Table 2.

Success probability. The first step of this attack is to find a chain of chaining variables where we have a collision in each round. By repeating the attack on the compression function p^{−1} · 63 times we expect to get this chain of collisions. The success probability of the attack on the hash function then depends only on the success probability of the last step. Since this is a birthday attack, the success probability is

  p \approx 1 - e^{-(2^{65})^2 / 2^{128+1}} = 1 - e^{-2} \approx 0.86.

But since we have the bijective property of g(·, ·), the probability of success is reduced to

  p \approx 1 - e^{-4/3} \approx 0.74.

Table 2. Time and memory size requirement of the different tradeoffs in the time/memory tradeoff attack.

  Reduced 1. step          time     memory
  1                        2^60.8   2^64
  2                        2^61.6   2^63
  3                        2^63.1   2^62
  4                        2^64.5   2^61
  Exhaustive search (BF)   2^65.5   2^64.5

4 Preimage Attacks against MD2

We split the analysis of MD2 between properties of the compression function and properties of the full hash function. If MD2 were constructed using the Merkle-Damgård paradigm, general techniques would apply to relate both properties [9]. Because of the checksum, MD2 requires two separate analyses.

4.1 Analysis of the Compression Function

A large variety of definitions for preimage and second preimage attacks exist in the literature, depending on what is a fixed challenge for the attacker and what can be freely chosen. A classical reference is [9]; however, a new classification of these notions has recently been given in [16]. In this section, we focus only on preimage attacks against the compression function of MD2. It is well known that these attacks can often be extended to attacks against the whole hash (see [9]).

4.2 Three Scenarios

According to the previous notations, the compression function h(·, ·) operates by

  h_i = h(h_{i-1}, m_i)

where the h_i's are intermediate hash values and m_i is a message block. Basically we can consider 3 attack scenarios at this point:

1. h_i and h_{i−1} are given and the attacker must find an appropriate m_i
2. h_i and m_i are given and the attacker must find an appropriate h_{i−1}
3. h_i is given and the attacker must find appropriate h_{i−1} and m_i

Any of these attacks may be of interest to attack the whole hash. Obviously, the first and second attacks are very similar because the roles of h_{i−1} and m_i in the compression function h of MD2 are almost symmetric. These 3 attack scenarios have received different names in the literature. Recently the names "aPre" ("a" stands for "always"), "ePre" ("e" stands for "everywhere") and "Pre" have been given to these 3 notions [16]. In [9], the terminology of "preimage resistance" and "pseudo-preimage resistance" is used. In the following sections, we consider each scenario separately and propose new attacks. For Scenarios 1 and 2 we propose an attack with complexity 2^95. For Scenario 3, we propose an attack with complexity 2^73.

4.3 Attacking Scenario 1

In this scenario, we suppose that h_{i−1} and h_i are a fixed challenge and our goal is to find an appropriate m_i such that h_i = h(h_{i−1}, m_i). First, we notice that a solution does not necessarily exist. Indeed all variables have length 128 bits here, so on average only one solution m_i is expected, but there is no guarantee. We propose an attack that recovers all solutions corresponding to a given challenge (h_{i−1}, h_i). Basically our attack is a sophisticated combination of exhaustive search and meet-in-the-middle attacks. It proceeds in two distinct steps. In the following, we call (m_{i,0} ... m_{i,15}) the 16 bytes of m_i.

First Step. The first step of the attack is to derive all possible information from the challenge (h_{i−1}, h_i). These two objects are stored in the first and last row of matrix A (see Figure 6, where dashed cells correspond to the known bytes).

Fig. 6. Initial knowledge when h_i and h_{i−1} are fixed (the figure shows the three matrices A, B and C with the known cells dashed).

Because of dependencies in the computation of the matrices, more information can be derived directly from the challenge. For instance, when A_{k−1}^t and A_k^t are known (columns k − 1 and k of row t), we can obtain A_k^{t−1} since

  A_k^t = A_k^{t-1} \oplus S(A_{k-1}^t)

and S is invertible. In Figure 7 we represent by dashed boxes the large portion of A that can be directly derived this way. The second row is known because the byte introduced on the left hand side is known and always equal to 0. In addition, if we guess the byte introduced on the left hand side of the 3rd row of A (the byte C_15^1 plus the round constant), then we can derive the full content of matrix A by similar considerations. In particular the bytes A_15^t are all known, and so are the bytes C_15^t for t > 0.

Fig. 7. Known values in the matrix A
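The derivation above, as an added example (Python, not the thesis's code): it marks the cells of A that (h_{i−1}, h_i) fix on their own, completes A for each of the 2^8 guesses of the byte entering the third row, and reads the entering bytes (hence the C_15 column) back from column 0. Assumptions of this example: a seeded random permutation stands in for the MD2 S-box (only its invertibility is used), and the bytes entering rows 2 to 18 of the "true" A are drawn at random, standing in for C_15^{t−1} plus the round constant, since this step looks at A alone.

```python
"""What the challenge (h_{i-1}, h_i) reveals about A, and the one-byte guess that
completes it (first step of the Scenario 1 attack, Figure 7).
Added example, not the thesis's code. Assumptions: S is a seeded random permutation
standing in for the MD2 S-box; the bytes entering A on the left in rows 2..18, which
in MD2 are C_15^{t-1} plus the round constant, are drawn at random here."""
import random

_r = random.Random(11)
S = list(range(256))
_r.shuffle(S)                               # stand-in S-box
S_INV = [0] * 256
for _v, _s in enumerate(S):
    S_INV[_s] = _v
UNKNOWN = None


def next_row(prev, entering):
    """A_t^k = A_{t-1}^k ^ S(A_t^{k-1}) for k = 0..15, A_t^{-1} being the entering byte."""
    row, b = [], entering
    for k in range(16):
        b = prev[k] ^ S[b]
        row.append(b)
    return row


def build_A(h_prev, entering):
    """Rows 0..18 of A from h_{i-1} and the 18 bytes entering rows 1..18."""
    A = [list(h_prev)]
    for e in entering:
        A.append(next_row(A[-1], e))
    return A


def derive_known_cells(h_prev, h_i):
    """Cells fixed by the challenge alone: rows 0 and 1 (round 0 enters t = 0), row 18,
    and the triangle from A_k^{t-1} = A_k^t ^ S(A_{k-1}^t) applied from row 18 upwards."""
    K = [[UNKNOWN] * 16 for _ in range(19)]
    K[0] = list(h_prev)
    K[1] = next_row(K[0], 0)
    K[18] = list(h_i)
    for t in range(18, 2, -1):              # each row up loses one more column on the left
        for k in range(1, 16):
            if K[t][k] is not UNKNOWN and K[t][k - 1] is not UNKNOWN:
                K[t - 1][k] = K[t][k] ^ S[K[t][k - 1]]
    return K


def complete_with_guess(K, guess):
    """Row 2 from the guessed entering byte, then rows 3..18 from their column 15, which
    the triangle already fixes, by Property 2 (right to left with S_INV)."""
    A = [r[:] for r in K]
    A[2] = next_row(A[1], guess)
    for t in range(3, 19):
        row = [0] * 16
        row[15] = K[t][15]
        for k in range(15, 0, -1):
            row[k - 1] = S_INV[row[k] ^ A[t - 1][k]]
        A[t] = row
    return A


def recover_A(h_prev, h_i):
    """The completions of A consistent with the challenge, one per guess."""
    K = derive_known_cells(h_prev, h_i)
    return [complete_with_guess(K, g) for g in range(256)]


def entering_bytes(A):
    """Byte that entered each row t = 1..18: S^{-1}(A_0^t ^ A_0^{t-1}). Once A is known
    these give C_15^{t-1} (up to the round constant) for every t >= 2."""
    return [S_INV[A[t][0] ^ A[t - 1][0]] for t in range(1, 19)]


def demo(seed=3):
    """Constructed instance: returns (known-cell count, true A, candidates, entering bytes)."""
    r = random.Random(seed)
    h_prev = bytes(r.randrange(256) for _ in range(16))
    entering = [0] + [r.randrange(256) for _ in range(17)]   # stand-in for C_15 column + t-2
    A_true = build_A(h_prev, entering)
    h_i = bytes(A_true[18])
    known = sum(c is not UNKNOWN for row in derive_known_cells(h_prev, h_i) for c in row)
    return known, A_true, recover_A(h_prev, h_i), entering
```

The challenge pins down 168 of the 304 cells of A and leaves exactly one byte of freedom: every one of the 256 guesses yields a matrix A that is consistent with both h_{i−1} and h_i (each is the genuine A for some sequence of entering bytes), so none can be rejected at this stage. This is the outer loop of size 2^8 in the Analysis below; the wrong candidates are only weeded out by the meet-in-the-middle step on B and C, which finds no m_i for them.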

Second Step. We perform the meet-in-the-middle attack described in the first phase of the collision attack in Section 3.1 on the matrices B and C to find an appropriate value of m_i. Basically, at this point we know what enters on the left hand side of B and what goes out on the right hand side of C. Hence we apply the "meet-in-the-middle" algorithm using 2^x = 2^64 values of both halves of the first rows of B and C. One can also refer to Figure 5 for the general philosophy of this attack.

Analysis. In this attack there are two outside loops. A loop of size 2^8 comes from the First Step of the attack (we need to guess one byte in order to find the full content of A). Besides, an outside loop of length 2^32 is required in the "meet-in-the-middle" algorithm. Inside these loops we need to create and sort the tables T_1 and T_2. Those are tables with 2^64 entries, sorted using a key of 64 bits. Sorting the tables can be done efficiently with an appropriate "bucket sort" algorithm, so the cost is of the order of 2^64 instructions. Creating the tables also has a cost of the order of 2^64 instructions. Since these two operations are performed twice (once for T_1 and once for T_2), the complexity is of the order of

  Complexity = 2^8 × 2^32 × (4 × 2^64) = 2^106

basic instructions. This corresponds approximately to 2^95 applications of the compression function (a quick estimate shows that about 2^11 instructions are needed for the compression function). This should be compared to the complexity of an exhaustive search to find a preimage, which would cost 2^128 applications of the compression function. However, our attack requires about 2^71 bits of memory. High memory requirements are known to increase the "real" cost of attacks [19]. Nevertheless this complexity is of the order of 2^{3n/4}, while 2^n would be expected for a good compression function on n bits. Further improvements have been investigated, but no attack with complexity below 2^{3n/4} was found. Still, it is possible to improve slightly the memory requirements.

4.4 Attacking Scenario 1 with Less Memory

The general idea of the attack of Section 4.3 is to split the target m_i in two halves (m_{i,0} ... m_{i,7}) and (m_{i,8} ... m_{i,15}) of 64 bits each. The modified attack consists in splitting m_i in 4 parts instead of 2, using the following algorithm:

– Guess the 6 bytes {(B_7^1, B_7^2), (B_15^1, B_15^2), (C_7^1, C_7^2)}
  • Guess the 4 bytes m_{i,0} ... m_{i,3}
    ∗ Compute and store in table T_1 the bytes B_3^1, B_3^2, C_3^1, C_3^2
  • Guess the 4 bytes m_{i,4} ... m_{i,7}
    ∗ Compute and store in table T_2 the bytes B_3^1, B_3^2, C_3^1, C_3^2
  • Guess the 4 bytes m_{i,8} ... m_{i,11}
    ∗ Compute and store in table T_3 the bytes B_11^1, B_11^2, C_11^1, C_11^2
  • Guess the 4 bytes m_{i,12} ... m_{i,15}
    ∗ Compute and store in table T_4 the bytes B_11^1, B_11^2, C_11^1, C_11^2
  • Compute the joint product T = T_1 ⋈ T_2 of size 2^32. It contains candidate values for (m_{i,0} ... m_{i,7})
  • Compute the joint product T' = T_3 ⋈ T_4 of size 2^32. It contains candidate values for (m_{i,8} ... m_{i,15})
  • Guess 2 additional bytes B_15^3 and B_15^4
    ∗ For each element of T compute the 4 bytes B_7^3, B_7^4, C_7^3, C_7^4
    ∗ Compute similarly these 4 bytes for each element of T'
    ∗ Search for a collision in the two resulting lists
  • This results in a list of 2^32 candidates for (m_{i,0} ... m_{i,15})

This advanced attack has complexity of the order of

  2^8 × 2^48 × 2^16 × 2^32 ≈ 2^104

instructions, like previously. However, the largest tables we handle have 2^32 entries of 32 bits. The philosophy of this improved attack is described in Figure 8.

Fig. 8. The general philosophy of the improved attack. (Layout of the figure: a known value enters on the left and leaves on the right as in Figure 5; between them sit three initial guesses of 16 bits each, the quarters of the first rows are computed from the guesses on the bytes 0 to 3, 4 to 7, 8 to 11 and 12 to 15, and a second guess of 16 bits joins the halves on the bytes 0 to 7 and 8 to 15.)

4.5 Attacking Scenario 2

In the second scenario, the message block m_i is fixed and we search for an appropriate h_{i−1}. Attacking this scenario is very similar to attacking Scenario 1, because there is an important symmetry in the compression function. In the previous attack we managed to reconstruct the content of A from the initial challenge, and then applied a "meet-in-the-middle" attack to B and C. In Scenario 2, we can reconstruct the content of B from the challenge (m_i, h_i) and then attack the matrices A and C by the middle. The details of this attack are not very helpful for breaking the full MD2 hash, so we decided not to explore this scenario further.

4.6 Attacking Scenario 3

Finally, we suppose that only h_i is fixed, and the problem is to find any pair (h_{i−1}, m_i) solving the equation

  h_i = h(h_{i-1}, m_i).

This type of attack is often referred to as a pseudo-preimage attack on the compression function [9]. Of course, it can be no more difficult to find such a solution, because we have more degrees of freedom. So the aim is to find an attack with complexity better than the previous 2^95. In this section, we describe an attack with complexity of the order of 2^73 against this scenario.

The Attack. First notice that one expects (2^128 × 2^128) / 2^128 = 2^128 solutions to this problem on average. Therefore it is reasonable to impose some additional constraints on the messages. Like for the previous attacks, we first derive all possible information from the given challenge (h_i here). In addition, we impose the constraint that A_15^1 = A_15^2 = c, where c is some constant, say c = 0 for instance. Figure 9 represents the resulting known values in the matrix A.

Fig. 9. Known values in the matrix A

We observe that the complete rightmost column of A is known, which helps when considering the behaviour of matrix B. At this point, a 6-byte constant (k_0 ... k_5) is chosen at random. Then we apply the following algorithm:

– Pick 2^72 messages m_i of the form

    m_i = (m_{i,0} ... m_{i,9}, k_0 ... k_5)

  where the m_{i,j}'s are chosen at random. It is straightforward to compute the matrix B for each m_i, since the rightmost column of A is known. Hence we build a table T (with 2^72 entries) where we store the rightmost column of B, i.e. the B_15^t's.
– Pick 2^64 intermediate hashes h_{i−1} of the form

    h_{i-1} = (h_{i-1,0} ... h_{i-1,9}, k_0 ... k_5)

  where the h_{i−1,j}'s are chosen at random. It is straightforward to compute the complete matrix A for each h_{i−1}. Therefore all values C_15^t for t > 0 are also known. Besides,

    h_{i-1} ⊕ m_i = (∗, ..., ∗, k_0 ⊕ k_0, ..., k_5 ⊕ k_5) = (∗, ..., ∗, 0, 0, 0, 0, 0, 0),

  thus the 6 rightmost boxes of the first row of C are known and equal to 0. Hence a lot of information about C can be derived (see Figure 10). By the way, the bytes B_15^t for 11 ≤ t ≤ 17 are


Ê¡ÊÌ¡Ì¡ÌÎ¡Î¡Î Ð¡Ð Ò¡Ò Ô¡Ô Ö¡ÖءءØÚ¡Ú¡Ú q¡q s¡s u¡u w¡wy¡y¡y{¡{¡{ }¡}

É¡ÉË¡Ë¡ËÍ¡Í¡Í Ï¡ÏÑ¡Ñ¡ÑÓ¡Ó¡Ó Õ¡Õסס×١١٠p¡pr¡r¡rt¡t¡t v¡vx¡x¡xz¡z¡z |¡|

Ê¡ÊÌ¡Ì¡ÌÎ¡Î¡Î Ð¡Ð Ò¡Ò Ô¡Ô Ö¡ÖءءØÚ¡Ú¡Ú q¡q s¡s u¡u w¡wy¡y¡y{¡{¡{ }¡}

·¡·¹¡¹¡¹»¡»¡» ½¡½¿¡¿¡¿Á¡Á¡Á áÃÅ¡Å¡ÅÇ¡Ç¡Ç ~¡~€¡€¡€‚¡‚¡‚ „¡„†¡†¡†ˆ¡ˆ¡ˆ Š¡Š

¸¡¸º¡º¡º¼¡¼¡¼ ¾¡¾ À¡À ¡ ġÄÆ¡Æ¡ÆÈ¡È¡È ¡ ¡ ƒ¡ƒ ¡ ‡¡‡¡‡‰¡‰¡‰ ‹¡‹

É¡ÉË¡Ë¡ËÍ¡Í¡Í Ï¡ÏÑ¡Ñ¡ÑÓ¡Ó¡Ó Õ¡Õסס×١١٠p¡pr¡r¡rt¡t¡t v¡vx¡x¡xz¡z¡z |¡|

Ê¡ÊÌ¡Ì¡ÌÎ¡Î¡Î Ð¡Ð Ò¡Ò Ô¡Ô Ö¡ÖءءØÚ¡Ú¡Ú q¡q s¡s u¡u w¡wy¡y¡y{¡{¡{ }¡}

·¡·¹¡¹¡¹»¡»¡» ½¡½¿¡¿¡¿Á¡Á¡Á áÃÅ¡Å¡ÅÇ¡Ç¡Ç ~¡~€¡€¡€‚¡‚¡‚ „¡„†¡†¡†ˆ¡ˆ¡ˆ Š¡Š

¸¡¸º¡º¡º¼¡¼¡¼ ¾¡¾ À¡À ¡ ġÄÆ¡Æ¡ÆÈ¡È¡È ¡ ¡ ƒ¡ƒ ¡ ‡¡‡¡‡‰¡‰¡‰ ‹¡‹

·¡·¹¡¹¡¹»¡»¡» ½¡½¿¡¿¡¿Á¡Á¡Á áÃÅ¡Å¡ÅÇ¡Ç¡Ç ~¡~€¡€¡€‚¡‚¡‚ „¡„†¡†¡†ˆ¡ˆ¡ˆ Š¡Š

¸¡¸º¡º¡º¼¡¼¡¼ ¾¡¾ À¡À ¡ ġÄÆ¡Æ¡ÆÈ¡È¡È ¡ ¡ ƒ¡ƒ ¡ ‡¡‡¡‡‰¡‰¡‰ ‹¡‹

·¡·¹¡¹¡¹»¡»¡» ½¡½¿¡¿¡¿Á¡Á¡Á áÃÅ¡Å¡ÅÇ¡Ç¡Ç ~¡~€¡€¡€‚¡‚¡‚ „¡„†¡†¡†ˆ¡ˆ¡ˆ Š¡Š

¸¡¸º¡º¡º¼¡¼¡¼ ¾¡¾ À¡À ¡ ġÄÆ¡Æ¡ÆÈ¡È¡È ¡ ¡ ƒ¡ƒ ¡ ‡¡‡¡‡‰¡‰¡‰ ‹¡‹

¥¡¥§¡§¡§©¡©¡© «¡«­¡­¡­¯¡¯¡¯ ±¡±³¡³¡³µ¡µ¡µ b¡bd¡d¡df¡f¡f h¡hj¡j¡jl¡l¡l n¡n

¦¡¦¨¡¨¡¨ª¡ª¡ª ¬¡¬ ®¡® °¡° ²¡²´¡´¡´¶¡¶¡¶ c¡c e¡e g¡g i¡ik¡k¡km¡m¡m o¡o

¥¡¥§¡§¡§©¡©¡© «¡«­¡­¡­¯¡¯¡¯ ±¡±³¡³¡³µ¡µ¡µ b¡bd¡d¡df¡f¡f h¡hj¡j¡jl¡l¡l n¡n

¦¡¦¨¡¨¡¨ª¡ª¡ª ¬¡¬ ®¡® °¡° ²¡²´¡´¡´¶¡¶¡¶ c¡c e¡e g¡g i¡ik¡k¡km¡m¡m o¡o

¥¡¥§¡§¡§©¡©¡© «¡«­¡­¡­¯¡¯¡¯ ±¡±³¡³¡³µ¡µ¡µ b¡bd¡d¡df¡f¡f h¡hj¡j¡jl¡l¡l n¡n

¦¡¦¨¡¨¡¨ª¡ª¡ª ¬¡¬ ®¡® °¡° ²¡²´¡´¡´¶¡¶¡¶ c¡c e¡e g¡g i¡ik¡k¡km¡m¡m o¡o

“¡“•¡•¡•—¡—¡— ™¡™›¡›¡›¡¡ Ÿ¡Ÿ¡¡¡¡¡£¡£¡£ T¡TV¡V¡VX¡X¡X Z¡Z\¡\¡\^¡^¡^ `¡`

”¡”–¡–¡–˜¡˜¡˜ š¡š œ¡œ ž¡ž ¡ ¢¡¢¡¢¤¡¤¡¤ U¡U W¡W Y¡Y [¡[]¡]¡]_¡_¡_ a¡a

“¡“•¡•¡•—¡—¡— ™¡™›¡›¡›¡¡ Ÿ¡Ÿ¡¡¡¡¡£¡£¡£ T¡TV¡V¡VX¡X¡X Z¡Z\¡\¡\^¡^¡^ `¡`

”¡”–¡–¡–˜¡˜¡˜ š¡š œ¡œ ž¡ž ¡ ¢¡¢¡¢¤¡¤¡¤ U¡U W¡W Y¡Y [¡[]¡]¡]_¡_¡_ a¡a

“¡“•¡•¡•—¡—¡— ™¡™›¡›¡›¡¡ Ÿ¡Ÿ¡¡¡¡¡£¡£¡£ T¡TV¡V¡VX¡X¡X Z¡Z\¡\¡\^¡^¡^ `¡`

”¡”–¡–¡–˜¡˜¡˜ š¡š œ¡œ ž¡ž ¡ ¢¡¢¡¢¤¡¤¡¤ U¡U W¡W Y¡Y [¡[]¡]¡]_¡_¡_ a¡a

¡ƒ¡ƒ¡ƒ ¡ ¡ ‡¡‡‰¡‰¡‰‹¡‹¡‹ ¡¡¡‘¡‘¡‘ F¡FH¡H¡HJ¡J¡J L¡LN¡N¡NP¡P¡P R¡R

‚¡‚„¡„¡„†¡†¡† ˆ¡ˆ Š¡Š Œ¡Œ Ž¡Ž¡¡’¡’¡’ G¡G I¡I K¡K M¡MO¡O¡OQ¡Q¡Q S¡S

¡ƒ¡ƒ¡ƒ ¡ ¡ ‡¡‡‰¡‰¡‰‹¡‹¡‹ ¡¡¡‘¡‘¡‘ F¡FH¡H¡HJ¡J¡J L¡LN¡N¡NP¡P¡P R¡R

‚¡‚„¡„¡„†¡†¡† ˆ¡ˆ Š¡Š Œ¡Œ Ž¡Ž¡¡’¡’¡’ G¡G I¡I K¡K M¡MO¡O¡OQ¡Q¡Q S¡S

¡ƒ¡ƒ¡ƒ ¡ ¡ ‡¡‡‰¡‰¡‰‹¡‹¡‹ ¡¡¡‘¡‘¡‘ F¡FH¡H¡HJ¡J¡J L¡LN¡N¡NP¡P¡P R¡R

‚¡‚„¡„¡„†¡†¡† ˆ¡ˆ Š¡Š Œ¡Œ Ž¡Ž¡¡’¡’¡’ G¡G I¡I K¡K M¡MO¡O¡OQ¡Q¡Q S¡S

o¡oq¡q¡qs¡s¡s u¡uw¡w¡wy¡y¡y {¡{}¡}¡}¡¡ 8¡8:¡:¡:<¡<¡< >¡>@¡@¡@B¡B¡B D¡D

p¡pr¡r¡rt¡t¡t v¡v x¡x z¡z |¡|~¡~¡~€¡€¡€ 9¡9 ;¡; =¡= ?¡?A¡A¡AC¡C¡C E¡E

o¡oq¡q¡qs¡s¡s u¡uw¡w¡wy¡y¡y {¡{}¡}¡}¡¡ 8¡8:¡:¡:<¡<¡< >¡>@¡@¡@B¡B¡B D¡D

p¡pr¡r¡rt¡t¡t v¡v x¡x z¡z |¡|~¡~¡~€¡€¡€ 9¡9 ;¡; =¡= ?¡?A¡A¡AC¡C¡C E¡E

o¡oq¡q¡qs¡s¡s u¡uw¡w¡wy¡y¡y {¡{}¡}¡}¡¡ 8¡8:¡:¡:<¡<¡< >¡>@¡@¡@B¡B¡B D¡D

p¡pr¡r¡rt¡t¡t v¡v x¡x z¡z |¡|~¡~¡~€¡€¡€ 9¡9 ;¡; =¡= ?¡?A¡A¡AC¡C¡C E¡E

Û¡ÛÝ¡Ý¡Ýß¡ß¡ß á¡áã¡ã¡ãå¡å¡å ç¡çé¡é¡éë¡ë¡ë *¡*,¡,¡,.¡.¡. 0¡02¡2¡24¡4¡4 6¡6

Ü¡ÜÞ¡Þ¡Þà¡à¡à â¡â ä¡ä æ¡æ è¡èê¡ê¡êì¡ì¡ì +¡+ -¡- /¡/ 1¡13¡3¡35¡5¡5 7¡7

Û¡ÛÝ¡Ý¡Ýß¡ß¡ß á¡áã¡ã¡ãå¡å¡å ç¡çé¡é¡éë¡ë¡ë *¡*,¡,¡,.¡.¡. 0¡02¡2¡24¡4¡4 6¡6

Ü¡ÜÞ¡Þ¡Þà¡à¡à â¡â ä¡ä æ¡æ è¡èê¡ê¡êì¡ì¡ì +¡+ -¡- /¡/ 1¡13¡3¡35¡5¡5 7¡7

]¡]_¡_¡_a¡a¡a c¡ce¡e¡eg¡g¡g i¡ik¡k¡km¡m¡m ¡¡¡ ¡ ¡ "¡"$¡$¡$&¡&¡& (¡(

^¡^`¡`¡`b¡b¡b d¡d f¡f h¡h j¡jl¡l¡ln¡n¡n ¡ ¡ !¡! #¡#%¡%¡%'¡'¡' )¡)

Û¡ÛÝ¡Ý¡Ýß¡ß¡ß á¡áã¡ã¡ãå¡å¡å ç¡çé¡é¡éë¡ë¡ë *¡*,¡,¡,.¡.¡. 0¡02¡2¡24¡4¡4 6¡6

Ü¡ÜÞ¡Þ¡Þà¡à¡à â¡â ä¡ä æ¡æ è¡èê¡ê¡êì¡ì¡ì +¡+ -¡- /¡/ 1¡13¡3¡35¡5¡5 7¡7

]¡]_¡_¡_a¡a¡a c¡ce¡e¡eg¡g¡g i¡ik¡k¡km¡m¡m ¡¡¡ ¡ ¡ "¡"$¡$¡$&¡&¡& (¡(

^¡^`¡`¡`b¡b¡b d¡d f¡f h¡h j¡jl¡l¡ln¡n¡n ¡ ¡ !¡! #¡#%¡%¡%'¡'¡' )¡)

]¡]_¡_¡_a¡a¡a c¡ce¡e¡eg¡g¡g i¡ik¡k¡km¡m¡m ¡¡¡ ¡ ¡ "¡"$¡$¡$&¡&¡& (¡(

^¡^`¡`¡`b¡b¡b d¡d f¡f h¡h j¡jl¡l¡ln¡n¡n ¡ ¡ !¡! #¡#%¡%¡%'¡'¡' )¡)

]¡]_¡_¡_a¡a¡a c¡ce¡e¡eg¡g¡g i¡ik¡k¡km¡m¡m ¡¡¡ ¡ ¡ "¡"$¡$¡$&¡&¡& (¡(

^¡^`¡`¡`b¡b¡b d¡d f¡f h¡h j¡jl¡l¡ln¡n¡n ¡ ¡ !¡! #¡#%¡%¡%'¡'¡' )¡)

K¡KM¡M¡MO¡O¡O Q¡QS¡S¡SU¡U¡U W¡WY¡Y¡Y[¡[¡[ ¡¡¡¡¡ ¡¡¡¡¡ ¡

L¡LN¡N¡NP¡P¡P R¡R T¡T V¡V X¡XZ¡Z¡Z\¡\¡\ ¡ ¡ ¡ ¡¡¡¡¡ ¡

K¡KM¡M¡MO¡O¡O Q¡QS¡S¡SU¡U¡U W¡WY¡Y¡Y[¡[¡[ ¡¡¡¡¡ ¡¡¡¡¡ ¡

L¡LN¡N¡NP¡P¡P R¡R T¡T V¡V X¡XZ¡Z¡Z\¡\¡\ ¡ ¡ ¡ ¡¡¡¡¡ ¡

K¡KM¡M¡MO¡O¡O Q¡QS¡S¡SU¡U¡U W¡WY¡Y¡Y[¡[¡[ ¡¡¡¡¡ ¡¡¡¡¡ ¡

L¡LN¡N¡NP¡P¡P R¡R T¡T V¡V X¡XZ¡Z¡Z\¡\¡\ ¡ ¡ ¡ ¡¡¡¡¡ ¡

Fig. 10. Known values in the matrix C

also known at this point. We store these elements in a table T 0 The final step of the attack is to find collisions on the objects of 56 bits 11 17 (B15 , . . . , B15 )

1 1 Actually there is an extra constraint, that hi−1,0 ⊕S(0) = A0. Thus only 1 out of 256 values of hi−1 is valid. This induce no extra cost because once (hi−1,1 . . . hi−1,9) are 1 1 chosen and A0 fixed, the value of hi−1,0 is fully determined by hi−1,0 = A0 ⊕ S(0). However this must be taken into account when choosing the hi−1’s that have been computed by two different means and stored in ta- bles T and T 0. Using the birthday paradox, we expect 280 collisions because |T | × |T 0| × 2−56 = 272 × 264 × 2−56 = 280

All these collisions can be found efficiently by computing T ⋈ T' (see [18]). Each collision corresponds to some pair (h_{i-1}, m_i). In order for this pair to solve the initial problem, we need an additional equality between

– the bytes (B^1_{15}, ..., B^{10}_{15}) stored in table T,
– the value of the same bytes obtained when we fill up all the content of matrix C (which is possible for each candidate since h_{i-1} ⊕ m_i is now known).

Hence a little extra processing is required to find a real solution and a condition on 80 bits must be verified. However, we have 2^80 candidates from the joint product of T and T', so one "real" solution should be found among them. The probability of failure (i.e. that no solution exists) can be roughly approximated by e^{-1} ≃ 0.368. Otherwise, we can pick a few more candidates for m_i and h_{i-1} or choose other constants.

Analysis. The bottleneck in the previous attack is the time spent analyzing each of the 2^80 candidates (h_{i-1}, m_i). However, using an "early-abort" strategy, most candidates can be eliminated after the first check, for the value B^1_{15}. Therefore, only half a row of matrix C must be computed on average. To compute the compression function, 3 × 18 = 54 rows are computed. So we have a speedup by a factor 2 × 54 ≃ 2^{6.75} compared to a full computation of h(·, ·). Therefore this pseudo-preimage attack has complexity of about 2^{73.25} computations of the compression function, and requires about 2^78 bits of memory. This is much faster than the expected value of 2^128. All attacks against the compression function are summarized in Table 3.

Table 3. Summary of the attacks against the compression function.

Attack | Fixed challenge | Variable | Time | Memory
Simple | h_i and h_{i-1} | m_i | 2^95 | 2^71
Improved | h_i and h_{i-1} | m_i | 2^95 | 2^38
Pseudo-Preimage | h_i | h_{i-1} and m_i | 2^73 | 2^78

4.7 Analysis of the Full Hash

We have described several preimage attacks against MD2's basic primitive, the compression function. Now the question is how to turn this into a preimage attack for the full hash. For a given challenge h, our goal is to find a message m such that hashing m with MD2 gives h: H(m) = h. Classical techniques exist to turn attacks against the compression function into attacks against the full hash. However, they apply to classical iterated hash functions, like those based on the Merkle-Damgård paradigm. The use of an additional checksum in MD2 makes things slightly more complicated. We must satisfy three constraints simultaneously here:

– Map the IV of MD2 to the target hash.
– Satisfy the checksum constraint, i.e. the last message block should be a checksum of the previous blocks.
– Satisfy the padding constraint, i.e. the last but one message block should end with a valid padding.

In a second preimage attack a solution is to keep the last two message blocks (padding m_t and checksum m_{t+1}). In a pure preimage attack valid values of the last two blocks are not known, so they must be found. Two steps will solve this:

• Given h, use scenario 3 to find h_t and m_{t+1} (checksum block).
• Given h_t, use scenario 3 to find h_{t-1} and m_t which satisfy the padding constraint. Setting the constant k_5 = 1 in the attack will give us a valid padding value 1 in the last byte.

In both cases the remaining part is to find a preimage of h_{t-1} instead of h = h_{t+1}. The expected complexity of this is 2 × 2^73 = 2^74. However, this is a potential problem only in case of preimage attacks, and since these attacks have much higher complexity, we do not take the padding into account in the following.

Basic Attack. First consider the case of a message m containing 128 blocks of 128 bits each. We want to map h_0 = 0 to h_128 = h after 128 iterations of the compression function and proceed as follows:

1. Use the collision attack of [6] to find h_1 and 4 values of the message block m_1 such that h_1 = h(h_0, m_1).
2. Choose h_127 = h_1 and use the preimage attack of Section 4.3 to find v ≥ 1 values of m_128 such that h_128 = h(h_127, m_128). If there are no solutions, use another collision at step 1.
3. Let h_2 = h_1 and find w ≥ 2 values of m_2 such that h_2 = h(h_1, m_2) using the attack from Section 4.3. If there are no solutions, repeat from Step 1 with another collision.
4. Set h_i = h_1 for i = 3, ..., 126. At each stage, we pick m_i to be one of the w possible choices of m_2. Then we know that h_{i-1} is mapped to h_i for all i ≥ 3.

At the end, we have obtained a message which maps h_0 = 0 to h_128 = h. Moreover, several message blocks can be chosen at each step. So we could in theory enumerate "for free" a large number of candidates. Provided v ≥ 1 and w ≥ 2, there are at least 2^128 such candidates. This idea of finding 2^n solutions after only n steps is related to the multi-collision attack described in [4]. The problem is that each candidate does not necessarily satisfy the checksum constraint. However, since we have many of them (at least 2^128), we expect to find a valid preimage. Since the checksum function g is invertible, we do not need to enumerate all candidates. A "meet-in-the-middle" approach is possible:

– Start from m_128 and invert g for all possible choices of m_64, ..., m_127. We obtain w^64 ≥ 2^64 possible values of the intermediate checksum. We keep in memory 2^64 of these values.
– Start from m_1 and compute g for all possible choices of m_2, ..., m_64. We obtain w^64 ≥ 2^64 possible values of the intermediate checksum.

The birthday paradox tells us that a collision should occur between both sets of intermediate checksums. This collision gives a "valid" preimage, i.e. a message that maps h_0 = 0 to h_128 = h, while also satisfying the checksum constraint. The probability of success in Step 2 is approximately p_1 = 1 − e^{-1} = 0.63, and the probability of success in Step 3 is approximately p_2 = 1 − 2e^{-1} = 0.26. So the total complexity of the attack corresponds to p_1^{-1} · p_2^{-1} · 2^95 = 2^{97.6} computations of the compression function.

Variation of the message length. Different trade-offs are possible: for instance, we can easily increase the message length without extra cost. Since we use a preimage where h_{i-1} = h_i, the possible length of the intermediate chain is arbitrarily long. If we proceed by simple duplication of the intermediate message blocks, the complexity remains unchanged. It is then possible to build several preimages of the same h. By increasing the length of the intermediate chain, we can obtain much more than 2^128 messages that map h_0 to h. For example, suppose we found 2^190 such values, by considering a chain of length 191 with w = 2. To find which solutions satisfy the checksum constraint, there is no need to enumerate all of them. With the meet-in-the-middle algorithm, we can find all preimages in time and memory complexity of about 2^95. Since the checksum constraint is on 128 bits, we should find 2^190 × 2^{-128} = 2^62 possible preimages of the same h.

A problem of the basic attack is that the lower bound on the preimage length is 128 message blocks. It is possible to shorten this length, but at the expense of an increased complexity. The idea is to put stronger constraints on w at step 3. Suppose that w ≥ 3. Then we obtain 2^128 candidates using only log_3(128) blocks of message. However, the probability p_2 decreases to 1 − 2.5e^{-1}, which gives a total complexity of 2^{99.3}. We computed the resulting complexities for several values of w and summarized these results in Table 5.
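The meet-in-the-middle step above works only because the checksum function g can be run backwards from the final checksum block. The following added example (not code from the thesis) implements an MD2-style checksum update, its inverse, and a toy version of the two-sided search over a multi-collision; the S-box S is a constructed placeholder permutation, not the real MD2 table, and the candidate blocks in demo() are constructed sample data.

```python
import itertools

# Constructed placeholder S-box: a fixed permutation of 0..255 (167 is odd, so
# i*167+23 mod 256 is a bijection). NOT the real MD2 table; the inversion
# below works for any table.
S = [(i * 167 + 23) % 256 for i in range(256)]


def checksum_update(c_in, block):
    """One step of the MD2-style checksum g: absorb a 16-byte block into the
    16-byte state. The byte L carried in from the previous block is that
    state's last byte, c_in[15] (0 for the first block)."""
    c = list(c_in)
    l = c[15]
    for j in range(16):
        c[j] ^= S[block[j] ^ l]
        l = c[j]
    return bytes(c)


def checksum_invert(c_out, block):
    """Inverse of checksum_update: every mask S[block[j] ^ L_j] is computable
    from the output alone, since L_j (j >= 1) is the updated byte c_out[j-1]
    and L_0 is the carried-in byte, i.e. the recovered c_in[15]."""
    c_in = [0] * 16
    for j in range(1, 16):
        c_in[j] = c_out[j] ^ S[block[j] ^ c_out[j - 1]]
    c_in[0] = c_out[0] ^ S[block[0] ^ c_in[15]]
    return bytes(c_in)


def md2_checksum(blocks):
    """Checksum of a whole message (sequence of 16-byte blocks) from a zero state."""
    c = bytes(16)
    for b in blocks:
        c = checksum_update(c, b)
    return c


def meet_in_the_middle(prefix, front_choices, back_choices, target):
    """Toy version of the text's two-sided search. front_choices[k] and
    back_choices[k] list interchangeable candidates for one block (in the
    attack they all map the same chaining value to the same chaining value,
    so only the checksum decides). Returns (prefix, front..., back...) with
    checksum == target, or None."""
    forward = {}
    for combo in itertools.product(*front_choices):
        forward.setdefault(md2_checksum((prefix,) + combo), combo)
    for combo in itertools.product(*back_choices):
        c = target
        for b in reversed(combo):      # walk g backwards from the target
            c = checksum_invert(c, b)
        if c in forward:               # the two halves meet
            return (prefix,) + forward[c] + combo
    return None


def demo():
    """Constructed sample: a 7-block message whose checksum is the target,
    with a decoy alternative for each of the six blocks after the prefix."""
    real = [bytes((i * 31 + j * 7) & 0xFF for j in range(16)) for i in range(7)]
    decoy = [bytes((i * 13 + j * 5 + 1) & 0xFF for j in range(16)) for i in range(7)]
    target = md2_checksum(real)
    front = [[decoy[k], real[k]] for k in range(1, 4)]
    back = [[real[k], decoy[k]] for k in range(4, 7)]
    return target, meet_in_the_middle(real[0], front, back, target)
```

The design lesson is the one the text draws: a checksum that can be inverted block by block only adds a 128-bit filtering condition met by meeting in the middle, not extra preimage resistance.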

4.8 Variant of the preimage attack

The chain of chaining variables giving a multi-collision may also be built up by using the collision attack (Section 3.1) to find multi-collisions on the compression function. The trick is then to use x = 64 and to repeat step one of the collision attack after picking another value for the 4 bytes (B^1_{15} ... B^4_{15}). In the second step of the collision attack one has to look for w-collisions instead of single collisions. The results of using the attack to find multi-collisions are shown in Table 4. This multi-collision attack can be used to improve the preimage attack. Finding shorter preimages is much more efficient using this attack.

Table 4. Time usage of the preimage attack for different message lengths.

# messages 2^x | rows fixed z | multi-collision size w | expected collisions | time | probability
64 | 4 | 4 | 11 | 2^80 | 1.00
64 | 4 | 6 | 23 | 2^89 | 1.00
64 | 4 | 8 | 1.63 | 2^93 | 0.80
64 | 4 | 9 | 23 | 2^95 | 1.00
64 | 4 | 10 | 4 | 2^96 | 0.98

Steps 3 and 4 from the previous attack are changed and step 2 is moved to the end. Given the hash value h we want to find a preimage m such that h = H(m) in the following way (i = 2):

1. Use the collision attack of [6] to find h_1 and 8 values of the message block m_1 such that h_1 = h(h_0, m_1).
2. Given h_{i-1}, use the multi-collision attack on the compression function to find w ≥ 2 values m_i which map to one h_i.
3. If i < 126: increase i by one and repeat the previous step.
4. Use the preimage attack to find a preimage m_127 of h_127 = h given h_126 from the first loop. Now we have a multi-collision, i.e. several messages m that map h_0 = 0 to h_127 = h, and use the "meet-in-the-middle" attack from the previous attack to satisfy the checksum constraint.

Complexity. The first step, finding an 8-collision, has complexity 2^80. The loop repeats the collision attack 125 times, each with a probability of success p_1 = 0.39 and complexity 2^52. The expected number of times needed to run the collision attack is 125/p_1 ≈ 2^{8.3}, and the total complexity of the loop is then 2^{60.3}. The last part, using the preimage attack, has complexity 2^95/0.63 ≈ 2^{95.7}, and is the dominating part. So the attack has complexity about 2^96, and the preimage length is 127.

Here it is also possible to shorten the length of the preimage without increasing the time usage too much. We simply put stronger constraints on w at step 3. Suppose that w ≥ 4. Then we obtain 2^128 candidates using only log_4(128) blocks of message. The complexity of step 3 is 2^80 (Table 1) and still much lower than step 4, and the total complexity will still be lower than 2^96. The resulting complexities for several values of w are summarized in Table 5.

Table 5. Complexities of the preimage attacks giving preimages of different length. The "old attack" is the first preimage attack, which uses the preimage attack on the compression function [6].

w | message length | new attack | old attack
2 | 127 | 2^{95.7} | 2^{97.6}
4 | 64 | 2^{95.7} | 2^{101.4}
6 | 50 | 2^{96.2} | 2^{106.4}
8 | 43 | 2^{98.6} | 2^{112.2}

Success probability This is the same as for the other preimage attacks. It can be made close to one by increasing the message size by one block. We expect one or more collisions in each of the attacks of Table 5.

5 Summary of attacks and conclusion

We have described several attacks against the hash function MD2, which was designed in the early 90's by Ron Rivest for RSA Security. MD2 is one of the earliest hash function designs, though few cryptanalysis results had been published until recently. Our results improve on previous works published in [17, 6, 11]. We showed collision and preimage attacks against MD2 faster than naive attacks. They suggest that MD2 should no longer be used in modern applications. All attacks are given in Table 6. To summarize, MD2 can be attacked in collision (with any IV) with complexity of 2^{60.8} applications of the compression function and can be attacked in preimage with complexity of 2^{95.7}. Since the output size of MD2 is 128 bits, the best generic attacks should cost, respectively, 2^64 and 2^128. These results are particularly interesting, because it is very rare to break the preimage resistance of a cryptographic hash function.

Table 6. Summary of all attacks against MD2

Attack | Comments | Time | Probability
Collision [17] | Compression Function, IV = 0 | 2^8 | 1
Collision | Compression Function, any IV | 2^52 | 0.39
Collision | Compression Function, any IV | 2^54 | 1
Collision | Full Hash, any IV | 2^{60.8} | 1
Preimage | Compression Function, scenario 1 | 2^95 | 1
Preimage | Compression Function, scenario 3 | 2^73 | 1
Preimage | Full Hash | 2^{95.7} | 1

References

1. D. Balenson. RFC 1423 – Privacy Enhancement for Internet Electronic Mail: Part III: Algorithms, Modes, and Identifiers. RSA Laboratories, February 1993.
2. I. Damgård. A Design Principle for Hash Functions. In G. Brassard, editor, Advances in Cryptology – Crypto'89, volume 435 of Lecture Notes in Computer Science, pages 416–427. Springer, 1990.
3. H. Dobbertin. Cryptanalysis of MD4. Journal of Cryptology, 11(4):253–271, 1998.
4. A. Joux. Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions. In M. Franklin, editor, Advances in Cryptology – CRYPTO'04, volume 3152 of Lecture Notes in Computer Science, pages 306–316. Springer, 2004.
5. B. Kaliski. The MD2 Message-Digest Algorithm. RSA Laboratories, April 1992.
6. L.R. Knudsen and J.E. Mathiassen. Preimage and Collision Attacks on MD2. To appear in Fast Software Encryption, FSE 2005, Lecture Notes in Computer Science. Springer, 2005.
7. RSA Laboratories. PKCS #1 v1.5: RSA Encryption Standard. Available at http://www.rsalabs.com/pkcs/pkcs-1, 1993.
8. RSA Laboratories. PKCS #1 v2.1: RSA Encryption Standard. Available at http://www.rsalabs.com/pkcs/pkcs-1, 2002.
9. A. Menezes, P. van Oorschot, and S. Vanstone. Handbook of Applied Cryptography. CRC Press, 1996.
10. R. Merkle. One Way Hash Functions and DES. In G. Brassard, editor, Advances in Cryptology – Crypto'89, volume 435 of Lecture Notes in Computer Science, pages 428–446. Springer, 1990.
11. F. Muller. The MD2 Hash Function is Not One-Way. In P. Lee, editor, Advances in Cryptology – Asiacrypt'04, volume 3329 of Lecture Notes in Computer Science, pages 214–229. Springer, 2004.
12. B. Preneel. Analysis and Design of Cryptographic Hash Functions. PhD thesis, Katholieke Universiteit Leuven, January 1993.
13. R. Rivest and A. Shamir. PayWord and MicroMint: Two Simple Micropayment Schemes. CryptoBytes, 2(1):7–11, 1996.
14. R.L. Rivest. The MD4 Message Digest Algorithm. In S. Vanstone, editor, Advances in Cryptology – CRYPTO'90, volume 537 of Lecture Notes in Computer Science, pages 303–311. Springer Verlag, 1991.
15. R.L. Rivest. The MD5 Message-Digest Algorithm. Request for Comments (RFC) 1321, Internet Activities Board, Internet Privacy Task Force, April 1992.
16. P. Rogaway and T. Shrimpton. Cryptographic Hash Function Basics: Definitions, Implications, and Separations for Preimage Resistance, Second-Preimage Resistance, and Collision Resistance. In B. Roy and W. Meier, editors, Fast Software Encryption – 2004, pages 349–366, 2004. Pre-proceedings version.
17. N. Rogier and P. Chauvaud. MD2 is not secure without the checksum byte. Designs, Codes and Cryptography, 12:245–251, 1997.
18. D. Wagner. A Generalized Birthday Problem. In M. Yung, editor, Advances in Cryptology – Crypto'02, volume 2442 of Lecture Notes in Computer Science, pages 288–303. Springer, 2002. Extended Abstract.
19. M. Wiener. The Full Cost of Cryptanalytic Attacks. Journal of Cryptology, 17(2):105–124, March 2004.