On the Need for Multipermutations

Cryptanalysis of MD and SAFER

Serge Vaudenay

Laboratoire d'Informatique, URA du CNRS
Département de Mathématiques et d'Informatique
École Normale Supérieure
LIENS, rue d'Ulm, Paris Cedex, FRANCE

November

Abstract

Cryptographic primitives are usually based on a network with some gates. In [SV] it is claimed that all gates should be multipermutations. In this paper we investigate a few combinatorial properties of multipermutations. We argue that gates which fail to be multipermutations can open the way to unsuspected attacks. We illustrate this statement with two examples.

Firstly, we show how to construct collisions to MD restricted to its first two rounds. This allows to forge digests close to each other using the full compression function of MD. Secondly, we show that some generalizations of SAFER are subject to an attack faster than exhaustive search in some cases. This attack can be implemented if we decrease the number of rounds.

In [SV] multipermutations are introduced as a formalization of perfect diffusion. The aim of this paper is to show that the concept of multipermutation is a basic tool in the design of dedicated cryptographic functions, as functions that do not realize perfect diffusion may be subject to some clever cryptanalysis in which the flow of information is controlled throughout the computation network. We give two cases of such an analysis.

Firstly, we show how to build collisions for MD restricted to its first two rounds (1). MD is a three-round hash function proposed in [Riv]. An attack on MD restricted to its last two rounds is detailed in [BB]. Another unpublished attack on the first two rounds has been found by Merkle (see the introduction of [BB]). This attack does not produce a real collision but different digests very close to each other according to the Hamming distance. Here we give a new attack which is based on the fact that an inert function is not a multipermutation. This attack requires less than one tenth of a second on a SUN workstation. Moreover, the same attack applied to the full MD compression function produces two different digests close to each other.

Secondly, we show how to develop a known plaintext attack on a variant of SAFER K in which we replace the permutation exp_45 by a weaker one. SAFER is a six-round function introduced in [Mas]. It uses a byte permutation, namely exp_45 in the group of nonzero integers modulo 257, for confusion. If we replace exp_45 by a random permutation P and log_45 by P^-1, we show that in some cases there exists a known plaintext attack faster than exhaustive search. Furthermore, this attack can be implemented for the function restricted to fewer rounds. This attack is based on the linear cryptanalysis introduced in [Mat], which recently gave way to the first experimental attack on the full DES function in [Mat].

(*) The Laboratoire d'Informatique de l'École Normale Supérieure is a research group affiliated with the CNRS.
(1) This part of the research has been supported by the Celar.

Multipermutations

In [SV] multipermutations with a fixed number of inputs and outputs are introduced. Here we propose to generalize to any number of inputs and outputs.

Definition. An (r, n)-multipermutation over an alphabet Z is a function f from Z^r to Z^n such that two different (r + n)-tuples of the form (x, f(x)) cannot collide in any r positions.

Thus a (1, n)-multipermutation is nothing but a vector of n permutations over Z. A (2, 1)-multipermutation is equivalent to a latin square (2). A (2, n)-multipermutation is equivalent to a set of n twowise orthogonal latin squares (3). Latin squares are widely studied in [DK].

An equivalent definition says that the set of all (r + n)-tuples of the form (x, f(x)) is an error correcting code with minimal distance n + 1, which is the maximal possible. In the case of a linear function f, this is the definition of MDS codes (codes which reach Singleton's bound). For more details about MDS codes see [MS]. More generally, an (r, n)-multipermutation is equivalent to a (|Z|^r, r + n, |Z|, r) orthogonal array (4).

A multipermutation performs a perfect diffusion in the sense that changing t of the inputs changes at least n - t + 1 of the outputs. If a function is not a multipermutation, one can find several values such that both few inputs and few outputs are changed. Those values can be used in cryptanalysis, as is shown in the two examples below. This motivates the use of multipermutations in cryptographic functions.

The design of multipermutations over a large alphabet is a very difficult problem, as the design of twowise orthogonal latin squares is a well-known difficult one. The only powerful method seems to use an MDS code combined with several permutations at each coordinate.

In the particular case of two inputs it is attractive to choose latin squares based on a group law: if we have a group structure over Z, we can seek two permutations of Z such that the map sending (x, y) to the pair (product of x and y, product of the images of x and y) is a permutation of Z × Z, as it will be sufficient to get a multipermutation. Unfortunately, it is possible to prove that such permutations exist only when the Sylow 2-subgroup of Z is not cyclic (5), using a theorem from [HP]. More precisely, they do not exist when the Sylow 2-subgroup is cyclic. They are known to exist in all solvable groups in which the Sylow 2-subgroup is not cyclic, but the existence in the general case is still a conjecture. Hence Z should not have a cyclic group structure. For instance we can use the GF(2)^n group structure. Such multipermutations are proposed in [SV].

In MD the group structure of GF(2)^32 is used, but some functions are not multipermutations. On the other hand, in SAFER the group structure of ZZ/256ZZ, which is cyclic, is used, so without multipermutations.

(2) A latin square over a finite set of k elements is a k × k matrix with entries from this set such that all elements are represented in each column and each row.
(3) Two latin squares A and B are orthogonal if the mapping (i, j) -> (A_ij, B_ij) gets all possible couples.
(4) An (M, r + n, q, r) orthogonal array is an M × (r + n) matrix with entries from a set of q elements such that any set of r columns contains all q^r possible rows exactly M/q^r times.
(5) We agree the trivial group is not cyclic. Actually x -> x^2 is an orthomorphism in all groups with odd order, in which the Sylow 2-subgroup is trivial.

Cryptanalysis of MD

Description of MD

MD is a hash function dedicated to 32-bit microprocessors. It hashes any bit string into a 128-bit digest. The input is padded following the Merkle-Damgård scheme [Dam, Mer] and cut into 512-bit long blocks. Then each block is processed iteratively using the Davies-Meyer scheme [DP, MMO] and an encryption function C: if B_1, ..., B_n is the sequence of blocks of the padded message, the hash value is

h_{B_n}( ... h_{B_1}(v) ... )

where v is an Initial Value and h_x(v) is C_x(v) added to v (x is the key and v is the message to encrypt).

Here we intend to build a single block collision to h_v, that is to say two blocks x and x' such that C_x(v) = C_x'(v). It is obvious that this can be used to build collisions to the hash function. So we only have to recall the definition of the function C_x(v).

The value v is represented as four integers a, b, c and d coded with 32 bits, and the key x is represented as sixteen integers x_1, ..., x_16. The initial definition of C uses three rounds (i = 1, 2, 3). The figure shows the computational graph of a single round i. It uses a permutation of the indices and some boxes B_i^j. B_i^j is fed with a main input, a block integer x_(j) (the block integer assigned to position j by the permutation of round i) and three side inputs. If p is the main input and q, r and s are the side inputs from top to bottom, the output is

R_ij( p + f_i(q, r, s) + x_(j) + k_i )

where R_ij is the right circular rotation, the k_i are constants and f_i is a particular function. In the following we just have to know that f_2 is the bitwise majority function, that the permutation of round 1 is the identity, and that the permutation of round 2 is a fixed reordering of the sixteen block integers.

Attack on the first two rounds

If we ignore the third round of C, it is very easy to build collisions. We notice that no B_2^j are multipermutations: if p, x and k_2 sum to zero and two of the three integers q, r and s are set to zero, then B_2^j(x, p, q, r, s) remains zero. The same remark holds with the first round instead of the second one. So we can imagine an attack where two blocks differ only in x_16, the other integers are almost all set to -k_2, and such that almost all the outputs of the first round are zero. This performs a kind of corridor where the modified values are controlled until the final collision.

More precisely, let x_1, ..., x_11 equal -k_2, let x_12 be an arbitrary integer (your phone number, for instance), and let x_13, x_14 and x_15 be such that the outputs a, c and d of the first round are zero. The computation of x_13, x_14 and x_15 is very easy from the computational graph. Thanks to the previous remark, we can show that the outputs a, c and d of the second round do not depend on x_16, as the modified information in x_16 is constrained in the register b. Thus modifying x_16 does not modify a, c and d.

Letting the b output be a function of x_16, we just have to find a collision to a 32-bit to 32-bit function. This can be done very efficiently using the birthday paradox or the rho method. An implementation on a Sparc Station uses one tenth of a second.

[Figure: One round of C. Computational graph of the sixteen boxes B_i^1, ..., B_i^16 acting on the registers a, b, c, d.]

[Figure: The i-th round of SAFER. Layers from top to bottom: subkey k^(2i-1), the P and Q boxes, subkey k^(2i), then three layers of L boxes.]

If we use the same attack on the full MD function, the only modified integer x_16 occurs in the very last computation of the third round. So if this round is fed with a collision, it produces a collision on the a, c and d outputs. The digests differ only in the second integer b. Hence the average Hamming distance between both digests is small, being confined to the bits of b.

Cryptanalysis of SAFER

Description of SAFER

SAFER is an encryption function dedicated to 8-bit microprocessors. It encrypts a 64-bit message using a 64-bit key. The key is represented as eight integers k_1, ..., k_8. A key scheduling algorithm produces several subkeys k^i_1, ..., k^i_8. In the following we just have to know that k^i_j is a simple function of k_j, and that k^1_j = k_j.

The encryption algorithm takes six rounds and a half. The i-th round is summarized in the figure. It uses the subkeys k^(2i-1)_j and k^(2i)_j. After the sixth round, the half round simply consists in xoring/adding the subkeys k^13_j as we would do in a seventh round. In the figure, (+) represents the xor operation on 8-bit integers and + is the addition modulo 256. P is a permutation over the set of all 8-bit integers defined in the SAFER design; Q is the inverse permutation of P. L is a linear permutation over the algebraic structure of the ring ZZ/256ZZ:

L(x, y) = (2x + y, x + y) mod 256.

In the original design, P is the exponentiation in base 45 modulo 257 (all integers from 0 to 255 can be coded with 8 bits; 256 is coded as zero; 1, ..., 256 represent the group of all invertible integers modulo 257; 45 is a generator of this group).

In practical implementations we have to store the table of the permutation P. So there is no reason to study SAFER with this particular permutation. Here we will show that this choice is a very good one, as for a proportion of all possible permutations there exists a known plaintext attack faster than exhaustive search.

Linear cryptanalysis of SAFER

The permutation L is not a multipermutation, as we have

L_1(x, y) = L_1(x + 128, y)

for all x and y, where L_1 denotes the first output of L. So we have pairs of tuples (x, y, L(x, y)) at Hamming distance 2. Actually there are no multipermutations which are linear over ZZ/256ZZ, as its Sylow 2-subgroup is cyclic (it is the whole group here). We can use this property of L by a dual point of view, noticing that some information about L_1(x, y) only depends on y. Namely we have

L_1(x, y) . 1 = y . 1

where . is the inner product over ZZ_2^8, so y . 1 is the least significant bit of y. Similarly we have

L_1(x, y) . 1 (+) L_2(x, y) . 1 = x . 1.

Let us denote F the function defined by the three bottom layers on the figure (the layers which use L) in a round. If x_1, ..., x_8 are the inputs of a round, the outputs are F(y_1, ..., y_8) where y_1 = P(x_1 (+) k^1_1) + k^2_1, and so on. We notice that if F(y_1, ..., y_8) = (z_1, ..., z_8), we have a linear characteristic

z_3 . 1 (+) z_4 . 1 = y_3 . 1 (+) y_4 . 1

(this means there is a linear dependence using two inputs and two outputs of F). There are other linear characteristics:

z_2 . 1 (+) z_6 . 1 = y_2 . 1 (+) y_6 . 1
z_5 . 1 (+) z_7 . 1 = y_5 . 1 (+) y_7 . 1
z_3 . 1 (+) z_7 . 1 = y_5 . 1 (+) y_6 . 1
z_5 . 1 (+) z_6 . 1 = y_2 . 1 (+) y_4 . 1
z_2 . 1 (+) z_4 . 1 = y_3 . 1 (+) y_7 . 1

If L were a multipermutation, the smallest characteristics would be (a, b) ones (a inputs, b outputs) with a + b larger. This means more information would be required in a cryptanalysis.
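The two non-multipermutation facts used in this paper, checked by brute force in an added example (this code is not from the paper): the group-law construction of the multipermutation section, tried on Z/4Z (cyclic Sylow 2-subgroup) and on the Klein group, and SAFER's L with the collision and least-significant-bit relations above. The function names are this example's own.

```python
from itertools import permutations, product


def is_multipermutation(f, alphabet, r, n):
    # Brute-force check of the (r, n)-multipermutation definition: no two
    # distinct (r+n)-tuples (x, f(x)) may agree in r or more positions, i.e.
    # the code {(x, f(x))} has minimum distance n + 1. Small alphabets only.
    words = [tuple(x) + tuple(f(*x)) for x in product(alphabet, repeat=r)]
    for i, u in enumerate(words):
        for v in words[i + 1:]:
            if sum(a == b for a, b in zip(u, v)) >= r:
                return False
    return True


def count_group_law_constructions(elements, op):
    # Count pairs of permutations (s, t) of a small group such that
    # (x, y) -> (x*y, s(x)*t(y)) is a (2, 2)-multipermutation, i.e. the
    # "latin squares from a group law" construction succeeds.
    count = 0
    for s_img in permutations(elements):
        s = dict(zip(elements, s_img))
        for t_img in permutations(elements):
            t = dict(zip(elements, t_img))
            f = lambda x, y: (op(x, y), op(s[x], t[y]))
            if is_multipermutation(f, elements, 2, 2):
                count += 1
    return count


def safer_L(x, y):
    # SAFER's linear layer over Z/256Z: L(x, y) = (2x + y, x + y) mod 256.
    return ((2 * x + y) % 256, (x + y) % 256)


def L_collision_agreement(x, y):
    # Agreeing positions between (x, y, L(x, y)) and (x+128, y, L(x+128, y)).
    # A (2, 2)-multipermutation allows at most 1 (minimum distance 3);
    # L gives 2 because 2(x + 128) = 2x mod 256.
    x2 = (x + 128) % 256
    u = (x, y) + safer_L(x, y)
    v = (x2, y) + safer_L(x2, y)
    return sum(a == b for a, b in zip(u, v))


def lsb_relations_hold():
    # Exhaustively check the two inner-product relations of the text:
    # lsb(L1(x, y)) = lsb(y) and lsb(L1(x, y)) xor lsb(L2(x, y)) = lsb(x).
    for x in range(256):
        for y in range(256):
            l1, l2 = safer_L(x, y)
            if (l1 & 1) != (y & 1) or ((l1 ^ l2) & 1) != (x & 1):
                return False
    return True


if __name__ == "__main__":
    # Z/4Z: Sylow 2-subgroup is the whole cyclic group, so no (s, t) works.
    print("Z/4Z:", count_group_law_constructions(range(4), lambda a, b: (a + b) % 4))
    # Klein group Z/2Z x Z/2Z, written as xor on 2-bit values: some (s, t) work.
    print("Klein:", count_group_law_constructions(range(4), lambda a, b: a ^ b))
    print("L agreement:", L_collision_agreement(5, 200))
    print("lsb relations:", lsb_relations_hold())
```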

Let q denote Prob_x[x . 1 = P(x) . 1] - 1/2, the bias which measures the dependence between the least significant bits of P(x) and x. We get the same bias with Q in place of P. If (x_1, ..., x_8) is a plaintext, if y_1 = P(x_1 (+) k_1), y_2 = Q(x_2 + k_2), ..., y_8 = P(x_8 (+) k_8), and if (z_1, ..., z_8) is the ciphertext, let us write

b(x, z) = y_3 . 1 (+) y_4 . 1 (+) z_3 . 1 (+) z_4 . 1.

The lemma in appendix A states that b(x, z) = k with probability 1/2 + q^10, where k denotes the exclusive or of all k^i_3 and k^i_4 for the rounds beyond the first one. For a given (x, z), to compute b(x, z) we only have to know k_3 and k_4. The lemma also states that the difference with 1/2 is negligible (it occurs with probability roughly equal to 1/2, against 1/2 + q^10) when wrong k_3 and k_4 are used in the computation of b(x, z). Thus, trying all the possible (k_3, k_4), it is possible to distinguish the good one from the other candidates by statistical measure.

Let us recall the following theorem (see [Fel] for instance).

Theorem (Central limit theorem). If B is the statistical average of N independent random variables with the same probability distribution, of average μ and standard deviation σ, we have

Prob[a <= B <= b] ≈ sqrt(N / (2πσ^2)) ∫_a^b e^{-N(t - μ)^2 / (2σ^2)} dt.

Let B(k_3, k_4) be the average of b(x, z) over all the N available couples (x, z). The lemma of appendix A proves that the standard deviation of b(x, z) is close to 1/2. The central limit theorem then states that if (k_3, k_4) is wrong,

Prob[B(k_3, k_4) >= 1/2 + q^10 / 4] ≈ (1 / sqrt(2π)) ∫_{sqrt(N) q^10 / 2}^{+∞} e^{-t^2 / 2} dt

and if (k_3, k_4) is good,

Prob[B(k_3, k_4) <= 1/2 + q^10 / 4] ≈ (1 / sqrt(2π)) ∫_{-∞}^{-3 sqrt(N) q^10 / 2} e^{-t^2 / 2} dt.

To get a probability of success greater than a prescribed target, we have to make sqrt(N) q^10 large enough: the good (k_3, k_4) is then accepted with high probability and the bad ones are rejected with high probability. So the number of plaintexts required to distinguish the good (k_3, k_4) is a small constant multiple of q^-20.

If |q| is greater than the threshold given by this formula, this is faster than exhaustive search.

For a reduced number of rounds in SAFER, N is much smaller. So for all permutations P which are biased (q ≠ 0), this attack is faster than exhaustive search. For |q| >= 2^-4 the attack can be implemented.

The analysis of the distribution of q (see appendix B) gives the proportion of the possible permutations P for which |q| >= 2^-4, and shows that q = 0 holds for only a small proportion of the permutations. Unfortunately (or fortunately), for the P chosen by Massey we have q = 0, so the weakness of the diffusion phase is balanced by the strength of the confusion phase. Actually q = 0 is a property of all exponentiations which are permutations (see appendix B).

Further analysis can improve this attack. It is possible to use tighter computations. We can look for a better tradeoff between the workload and the probability of success. It is also possible to use several characteristics to decrease N (for more details see [KR]). Actually it is possible to decrease N by a constant factor.

Conclusion

In MD we have shown that the fact that f_2 is not a multipermutation allows to mount an attack. Similarly, in SAFER the diffusion function is not a multipermutation. This allows to imagine another attack. This shows that we do need multipermutations in the design of cryptographic primitives. Research in this area should be motivated by this general statement.

Acknowledgments

I would like to thank Antoon Bosselaers for helpful information. I thank the Celar for having motivated the research on MD. I also thank Jacques Stern and Hervé Brönnimann for their help.

References

[BB] B. den Boer, A. Bosselaers. An attack on the last two rounds of MD. In Advances in Cryptology, CRYPTO, Santa Barbara, California, USA, Lecture Notes in Computer Science, Springer-Verlag.
[DK] J. Dénes, A. D. Keedwell. Latin squares and their applications. Akadémiai Kiadó, Budapest.
[Dam] I. B. Damgård. A design principle for hash functions. In Advances in Cryptology, CRYPTO, Santa Barbara, California, USA, Lecture Notes in Computer Science, Springer-Verlag.
[DP] R. W. Davies, W. L. Price, an update. In Proceedings of the International Conference on Computer Communications, Sydney, North-Holland.
[Fel] W. Feller. An Introduction to Probability Theory and its Applications. Wiley.
[HP] M. Hall, L. J. Paige. Complete mappings of finite groups. Pacific Journal of Mathematics.
[KR] B. R. Kaliski Jr., M. J. B. Robshaw. Linear cryptanalysis using multiple approximations. In Advances in Cryptology, CRYPTO, Santa Barbara, California, USA, Lecture Notes in Computer Science, Springer-Verlag.
[Mas] J. Massey. SAFER K: a byte-oriented block-ciphering algorithm. In Fast Software Encryption, Proceedings of the Cambridge Security Workshop, Cambridge, U.K., Lecture Notes in Computer Science, Springer-Verlag.
[Mat] M. Matsui. Linear cryptanalysis method for DES cipher. In Advances in Cryptology, EUROCRYPT, Lofthus, Norway, Lecture Notes in Computer Science, Springer-Verlag.
[Mat] M. Matsui. The first experimental cryptanalysis of the Data Encryption Standard. In Advances in Cryptology, CRYPTO, Santa Barbara, California, USA, Lecture Notes in Computer Science, Springer-Verlag.
[Mer] R. C. Merkle. One way hash functions and DES. In Advances in Cryptology, CRYPTO, Santa Barbara, California, USA, Lecture Notes in Computer Science, Springer-Verlag.
[MMO] S. M. Matyas, C. H. Meyer, J. Oseas. Generating strong one-way functions with cryptographic algorithm. IBM Technical Disclosure Bulletin.
[MS] F. J. MacWilliams, N. J. A. Sloane. The theory of error-correcting codes. North-Holland.
[Riv] R. Rivest. The MD Message Digest algorithm. In Advances in Cryptology, CRYPTO, Santa Barbara, California, USA, Lecture Notes in Computer Science, Springer-Verlag.
[SV] C.-P. Schnorr, S. Vaudenay. Black box cryptanalysis of hash networks based on multipermutations. To appear in Advances in Cryptology, EUROCRYPT.

Appendix A

Lemma. Let k denote the least significant bit of the sum of all k^i_3 and k^i_4 for the rounds beyond the first one, let y_3 = Q(x_3 + k_3), y_4 = P(x_4 (+) k_4), and

b(x, z) = y_3 . 1 (+) y_4 . 1 (+) z_3 . 1 (+) z_4 . 1

where z is the encrypted message of x using an unknown key. Then b(x, z) = k holds with probability

1/2 + q^(10+e)

where e is the number of wrong integers in (k_3, k_4) (e = 0 if both are good, and e = 2 in most cases). The standard deviation of b(x, z) is

sqrt(1/4 - q^(20+2e)).

Proof. Thanks to the property of the linear characteristic, if we denote by t^i_j the xor of the least significant bit of the input and of the output of the P/Q box in position j in round i, it is easy to see that

b(x, z) = (y'_3 (+) y_3) . 1 (+) (y'_4 (+) y_4) . 1 (+) Σ_{i=2}^{6} Σ_{j=3}^{4} t^i_j (+) k'   (mod 2)

where k' denotes the real k and y'_3 (resp. y'_4) denotes the real y_3 (resp. y_4). Under the assumption that all inputs to the P/Q boxes are uniformly distributed and independent, it is easy to prove by induction that

Prob[ Σ_{i=2}^{6} Σ_{j=3}^{4} t^i_j = 0 ] = 1/2 + q^10.

This finishes the case where k_3 and k_4 are good.

If k_3 or k_4 are wrong, let us denote e = 2 if both are bad and e = 1 if only one is bad. Assume k_3 is bad without loss of generality. We have

Prob[ y'_3 . 1 = y_3 . 1 ] = 1/2 ± q.

The sign comes from whether k'_3 and k_3 have the same least significant bit or not. This finishes the computation of the probability.

The standard deviation comes from the following formula, which holds for all random variables:

sqrt( E(b^2) - E(b)^2 ).   []

Appendix B

Lemma. If q = Prob_x[x . 1 = P(x) . 1] - 1/2 where P is a permutation over {0, ..., n - 1} (we assume that n is a multiple of 4), then nq is always an even integer, and for all integers k,

Prob[ q = 2k/n ] = C(n/2, n/4 + k)^4 . ((n/4 + k)!)^2 . ((n/4 - k)!)^2 / n!

for a permutation P uniformly distributed.

Proof. If n/4 + k denotes the number of even integers x such that P(x) is even, we have q = 2k/n. So we just have to enumerate the number of permutations for a given n/4 + k. We have to choose 4 sets with n/4 + k elements in sets with n/2 elements: the set of even integers which are mapped on even integers, the set of their images, the set of odd integers which are mapped on odd integers, and the set of their images. We also have to choose 2 permutations over a set of n/4 + k integers (how to connect even to even integers and odd to odd integers) and 2 permutations over a set of n/4 - k integers (how to connect even to odd integers and odd to even integers). So the number of permutations is

C(n/2, n/4 + k)^4 . ((n/4 + k)!)^2 . ((n/4 - k)!)^2.   []

This allows to compute

Prob[ |q| >= 2^-4 ]

for n = 256, and

Prob[ q = 0 ].

Lemma. For any generator g of ZZ_257^*, the permutation x -> g^x is unbiased, i.e. q = 0.

Proof. We have g^128 . g^128 = g^256 = 1 (mod 257), so g^128 is 1 or -1. As the exponentiation in base g is a permutation and g^0 = 1, we have g^128 = -1 (mod 257). We have g^(x+128) = g^x . g^128 = -g^x (mod 257), so we can partition all the integers into pairs {x, x + 128} of integers with the same least significant bit. The image of this pair by the exponentiation has two different least significant bits, so the bias q is 0.   []
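The two lemmas of this appendix, computed exactly in an added example (not code from the paper): the distribution of the bias q for a random permutation of {0, ..., n - 1} via the counting formula above, and the bias of the SAFER box x -> 45^x mod 257 with 256 coded as zero. The helper names are this example's own.

```python
from fractions import Fraction
from math import comb, factorial


def bias(perm):
    # q = Prob_x[lsb(x) = lsb(P(x))] - 1/2 for a permutation given as a table.
    n = len(perm)
    hits = sum(1 for x, px in enumerate(perm) if (x & 1) == (px & 1))
    return Fraction(hits, n) - Fraction(1, 2)


def safer_exp_box(g=45):
    # P(x) = g^x mod 257 with the value 256 coded as zero, as in SAFER's design.
    table = [pow(g, x, 257) % 256 for x in range(256)]
    if sorted(table) != list(range(256)):
        raise ValueError("g is not a generator of Z_257^*: table is not a permutation")
    return table


def bias_distribution(n):
    # Appendix B: for a uniformly random permutation of {0, ..., n-1}, n a
    # multiple of 4, Prob[q = 2k/n] = C(n/2, n/4+k)^4 ((n/4+k)!)^2 ((n/4-k)!)^2 / n!
    if n % 4:
        raise ValueError("n must be a multiple of 4")
    half, quarter = n // 2, n // 4
    dist = {}
    for k in range(-quarter, quarter + 1):
        count = (comb(half, quarter + k) ** 4
                 * factorial(quarter + k) ** 2
                 * factorial(quarter - k) ** 2)
        dist[Fraction(2 * k, n)] = Fraction(count, factorial(n))
    return dist


def prob_abs_bias_at_least(dist, threshold):
    # Probability mass of |q| >= threshold (the attack uses threshold 2^-4).
    return sum((p for q, p in dist.items() if abs(q) >= threshold), Fraction(0))


if __name__ == "__main__":
    d = bias_distribution(256)
    print("Prob[|q| >= 2^-4] =", float(prob_abs_bias_at_least(d, Fraction(1, 16))))
    print("Prob[q = 0]       =", float(d[Fraction(0)]))
    print("bias of exp_45    =", bias(safer_exp_box()))
```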