Cryptanalysis of Block Ciphers and Hash Functions John Erik Mathiassen The PhD degree The Selmer Center Department of Informatics University of Bergen Norway July 20, 2005 ¢¡¤£¦¥¨§ ©¢ ¥ ! ¨"$#%'&(*)$+,%-/.,01&(2$34*%65(%7+/&8#"9%7.("$#:%<;0$.=0$%6#:"9%7>?@%-+*%'&(#:A7% /0$,0$%7*:6B CD+,*.(E&(#:#FG;H.I)$#>J#:3(%/.?/01&82$3LKM.N>PORQS%6T'&()$*%@;U/0$.I)V!0$W/0X:M/0$%6,: ;H.I)$#>?2X.(Y01&'5I%MQS%6%72Z"S.I*,Q$#:%8B [? Z,)$"9%7+\5N:,.(+,<].I+<^Y%7##:%7*%6,0_&(2$>_`&8+,<aY&(=3b:#:>X%dc-2b)$>$*%72eQ9.(/0Z>$%7*%7+*5(% *"S%6T7f&8#g/01&82$3bYEh.I+0X%7#:"X:2$i=%M&=#.(>$)X+,:2Xij,0$:"X+,.lk*%6T6Y"S%6+,.V>PB ].I+¦>$%6,%6+*5I%64/01&82$3b¦Eh.I+=iI5N:2Xim=%?,0$:@.I"$"9.I+*,)$2$Un IO&(2X>oEh.I+=QS%6:2$im! *)$"S%6+*5N:*.I+7Bp^ %0$%7#"S%6>q=%d&=#:.(;U/0?QS.8/0Z,%7Tr0$2X:T'&8#R&82$>q"$+,&(T6,:T7&(#tsb)$%7\/:.(2$7B ^Y%d&8#;u&v N3(%6"X 0$:.(w=T6%.("S%62PO$;0$:Tr0?u%62x/%7+*%7>q&j#.('B M;p&(2xj/.y,01&(2$3z`&8+,{Eh.I+{Q9%72$ie! m,)$"9%7+\5V,.I+6Ou&82$>|Eh.I+j&(#:#H0$:d5(&8#:)1&(QX#:% 0$%6#:"PB¤}m.I+*3N2$i{/.(iI%6,0$%7+p;U/00$:¢01&(p/&()$iI0x=%M&j#.('BDH01&8>,0$%M"$#:%7&(,)X+,%</. 5N:*0$>$%7"$&(+*,@%62bEh.I+01&8#ER&j (%'&(+6O$;0$:Tr0Zix&'5I%M=%M,0$%M"$+,.(iI+,%6,Yu2$%6%7>$%6>Z/. ~ 2X:,0y2q/@%8BGY&(#,.4%62b,%7+*%7>e0$:G.(w=T7%&4#.('B ;u&(2x-/.@/01&(2X3?,0$%"S%6.I"$#%{&8 ,0$%M]R%6Tr0$2$:T7&(# 2X5I%6+,*n ¨.(EDG%62$¦&8+,3¦Eh.I+&j2$T7%-,.NT7:&(#t&8,@.(,"$0$%6+,%8B &(#:*.4;p&(2x-,.4/01&(2X3_p&(+\F+,%72X%7%7#¤Eh.(+<#:% ,/2$i4=%!5N:*-0$<iI+*.I)$"m MV\ &8HcM&8,0$.I#:%738%GY2$5(%7+,*,%7H`t%7)V5I%72gB]0$&(2$3bH,.d/0X%G"9%7.I"$#%Y&8ud j.(w=T7%<&82$>4&(## ,0$%M.(/0$%6+.I2$%6Y,01&8@&(>$%-! ¨\r&' ¨2ZH%7#:i(:)$@%6@.(+/&(Q$#%(B ;p&82bM,.¦/01&82$3_&(##,0$%"$+*%7,%62x!&82$>y"1&(\-@%6{Q9%7+,G.(E/0$%=V%6#:=%7+<u%72x/%6+ Eh.I+/0$%¦2$:T6%¦;u.(+,3b:2$i_&8/=.I,"X0$%7+*%(O&(2$>|d mE&(=:#U e&(2$>mEh+,:%62$>$!Eh.(+d/0X%7:+d#:.v5I% &(2X>ZT7&(+,%8BHG&(ijG+,2X%! <\5V34>$%6,%7+\5I%6G/01&82$3bEh.(+#:%6*/2$i@%M)$*%M0$:Y<¨T7.N>$%(B }U/0$.I)Vtt1;H.I)$#>*"S%62$>@.I2x,0$t:2$\/%7&(>-.(EN;u%6%73b;u&(U/:2XiuEh.I+P! <<&l,r&8Tr3N ~ ,. 2$:*0PB ;u.I)X#:>j&(#,.-#:3(%u,.</01&82$3!! !"1&(+*%72x/K-%7+*>@&82$>=(.I0$2@[q&8,0$f&8[q&8,0$f&(*,%62 Eh.I+p,%'&(Tr0X:2$ij=%</.=>$.j! ¨Q9%7*7O&(2$>2$% 5I%7+YiIU5I%M)$"PB [? <;UEh%[Z:+*%7#:&p>$%7*%7+*5(%7R,"9%7T7:&(#(,01&(2$3bEh.I+P,)X"$"S.(+*/2$i@%&82$>M%72$T6.I)$+/&8iI:2$i =%p/0$+*.I)$iI0,0$:6B¤,0$.v;H&#.(F.(EST7.()$+/&(i(%p/[email protected](%Eh+*.IY.I+*;u&' {/.G%62$¦&8+,3 ~ &(2X> 21&(#:#U /.u%7#iI:)X ;0$#:%_*0$%y;p&8¨"$+,%6iI21&(2x'O<&(2$>/.|iIU5I%yQ$+*,0/..I)$+ >1&8)$iI0x/%6+[Z:+,&(2$>1&42eu%7#iI:)$?B-}z.v;Md]01&(2$3b-/.Z[Z+/&(2$>$&¦Eh.I+<iIU5V2$i4>1&8>$>X ,0$:p;H.I2$>$%6+*Eh)$#t,:=%(B ¢¡¤£¦¥¨§¨© §¨ ¥¨§¨ ! #"#$&%¨(')"(*)+,.-/'10&2#34'1$&$&%¨658792):;$&%¨(<=4'3>?0@%BAC0DE3F#%G'HE5 0&0@'IKJ :MLN+POQ?RSUTN?OVIK2##%¨3F%GH¨WV%¨"#3>0&:;HGWCXY.ZB[E\]_^`[bacYdKe,fPgihBd`jKkQ[mln].g¤o)p?p?p.Wq:;=F )rM% ts?uvw:x yeKhB[mzCd@e{|].[_eKZ}l~gP].NkQzV[SeBd|\hBlneBgihKeBWQ'%G$ 1? ) ;u VOV#H&3>#;%¨H %¨H&=F'#W 1;;) CV|V ! #"#$&%¨¦'#"*)V+,#-/'.0@2#3F'$&$%GPU0@2)%:;=F%:x %¨OVIK2#%¨"# #=F%¨$ 3F 5 00K'IKJ!$|:;R0@%GH&'10@%¨"793>#2#%GH$GMRS<O)'rM'H@'10&3nW<;'WDL}D:;=>=FrM'#W '1#"-:=>q1')WQ%G"#30@:;H$GWfc\P 16\o)p?pB W¡q;:;=> #r¢%(£)s£M:x yeKhB[bzVd@e|{].[SeKZ l~g¤P].NkQzV[SeBd \hBlneBgihKeBW)'%G$£? ; C£;£¥#¦OC#H&3>#;%GH_ %¨H&=4'1#W# 1;¥# £V¡Q! #")$&%G§'1#"*)Q+,¨-/'10@2)34'$$&%Gi<¦H%G3>rU'%'#"79:=F=F3>$&3>:;¤5 0&0@'IKJ!$ :©-/L CªRS¬«3>=F­Q%GH0'#"©«|«'#"#$IK2! #2W}%¨"#3>0&:;H&$¨W}XY.ZB[®\]_^`[bacYd@e fPgihBd`jKkQ[mln].go)p?p¯WQq:;=F )rM%}£?°;°;uw:x yeKhB[mzCd@e}{|].[_eKZ(l~g±P].NkQzC[_eBd|\hBlneBgihKeBW #';%G$ ;°°) ?uCOV#H3F#%GH %GH=4'#W# ;?°C ¥)¡¡ C )"#$&%¨W*)¡+,Q-/'.0@2#3F'$&$%GWQ'#"²9Q- )=F=F%¨HGP79HC)0@''=C$&3F$:x0@2#% r¢"¡ }2'1$&2¦x³ ##I¨0&3F:;i(´¨]MµBe ZBz)µG®l~[m[Se&¶U[S]w·¡].zCd`gQY¸D]_^¢¹d`j`kQ[S].¸F]&ºj. °CN*)¡+,¨-/'10&2#34'1$&$&%¨'#"Q|¡ ! #"#$%GE3F)%t'H #:»<=4'3>?0@%BAC05 0&0@'IKJ :LN+POQQ¼%GIK2)#3FIG'=EH&%¨¨:;H0 ;u1¥#W#½#3q;%GH$&30S¦:x¹TP%GH&%GWQ ¥# VN*)+,?-/'10&2#34'1$&$&%¨¹RSr¢#H&:q%G"M79:;=F=>3F$3F:;|5 0&0@'IKJ}:;¢7 TN¼D%¨IK2##3FIG'=#H%GQ:;H0 £;)W½#3>q%GH&$3>0S¤:1x¹T9%¨H&;%¨WQ ;;°V uC«|-:;=>=4')"W*)E+,-/'10&2#34'$$&%¨W6'1#"§¼ «%G=>=F%¨$&%¨0&2®RSr¢#H&:q;%¨"¤²¡'$079:;H H%G=F'10@3>:;¾5 0&0@'IKJ¿ #$3F#E:»À'.0@%Á79:V")%G$GÂRSÃw,w<D'10@%¨H&$&:W%G")3>0@:HGW ¹d`jKkQ[_]&ºdYBkÄCj¦YgQ¶§P]G¶l~gCºW¡q;:;=> #rM%} s;svU:x yeKhB[mzCd@e{|].[SeKZ®l~gP].NkQzV[SeBd \hBlneBgihKeBWV';%¨$?uVv)¦OV#H3F#;%¨H %GH&=F'#W# ;;£) vV¼ OV%G%GH&$¨W¼ «%G=>=F%G$%¨0&2WE-Á-/';'$¨W')"*)+,-'10@2#3F'$&$%GE3>#%t'HIG:;r® )=F%BAV30SÁ:q%GH}x³¤:1x,$&3>"#%G=mÅÆ#3>J:q$&%¨ÇC )%G#I¨%G$GÁ@fcf¦fÈ´#dYg)ZGYChB[bln].g±].g¤`gt^t].dBÉ ¢Y[bln].g±´ÄeK].d`j.W¡°)ÊË 1¥?;v) 1¥!u; CW# ¥# sV¼ ¨OV%¨;%GH$GW¡¼ Q«%¨=F=F%¨$&%B0@2W¨-Á¨-/';'1$GWQ'#"Ì*)¡+¨-/'.0@2#3F'$&$%G,E3>#%t'H79:;r® )=F%BAV30S¤:q;%GH²:1x¦OV3>"#%G=mÅÆ#3>J:qOV%¨Ç! #%G#I¨%G$¨RS/Kf¦f¦f¿Bg[nÍ\¡j.Nk]ZBl~zCÎ].g `gt^t].d`¢Y[mln].g8´ÄeK].dBj.W#'1;%w £)W¡ 1;¥# ¢¡¤£¦¥¨§ © © § ¨! "$#%&'( )+*-,/.10)32 45262¨.87:9;,=<=>?0A@A9CB%<1*-,ED FHG->?9I0=.EJ1K¨>CLM0AG/>?0ON:PQ0=KSRT7:LM<1*E269CU FHG->?9I0=.EJ1K¨>CLM0AG/>?0OVWB%UC*YXZJ1G1K¨>CLM0AG [ JE\]\]B%9I,]0%^>?*12¤_W9I>?LQK6PQ26U `baEcedf] [ g!LMGE2hB%9jikG10lGnmoPMB%LMG->C2qpf>_r>C>?B%KSRT0AGYsbt uZvwfxny{z}|M~%wf|' S qx%x(%z? kbxZE qx `baEcedf] [ G/>?*120APM2k0^ik2¨, KS*126.EJ1PM2¨UWLQG_r>I>SB%KSRU50AG¦F>?2¨9?B>C26.n7:LM<1*12¨9CU %z? kbxZ1 qx%x(OuZvwfxny:z}|M~%wf|' S qx `baEcedf] FH\O<19C0%26.n7:0APMPQLMUCLQ0AGT_r>I>SB%KSRT0%G 7rN uZvwfxny{z}|M~%wf|' S qx `baEcedf]q me9C2¨LM\]B%@A2kBG1.YK¨0APMPQLMUILM0AGB>C>?B%KSRU50%G8nsb %z? kbxZ1 qx%x(OuZvwfxny:z}|M~%wf|' S qx `baEcedfO 7:9;,=<=>SB%GZBPQ,fUCLQUj0%^$>C*12 nskOVB%UI*nXZJ1G1Kq>?LQ0AG %z? kbxZ1 qxEu vwfxy:z}|M~%wf|' S qx%x(¡z?Cfqz}|£¢bn=¤¤Mqz Introduction 1 Why do We Need Cryptography? We use a lot of physical security in our everyday life to protect us physically. For the same reason we need (digital) cryptography to protect our digital possessions/information. Compared to the physi- cal world it is much easier to \steal" a digital document. Thousands of copies of a digital document are made in no time on a computer. Today more and more valuable information is stored electroni- cally, and a lot of transactions are made electronically. By electroni- cally we mean in digital format with zeroes and ones. Some decades ago most information were stored written on paper, and the only way of protecting a paper from intruders was to keep the intruders away from the paper. This could be done by a locked house, room, cupboard or safe, and to have access to the paper people need a key or a number combination or both. Sometimes we also need to identify ourselves to some security guards to enter the building, and thereby accessing information. The same security issues apply if the information is moved from one place to another. We need a secure (anonymous and/or physi- cally protected) courier. The way to get information stored on paper is to steal or copy the document, which is hard if security is good. Information in digital format can also be physically protected in the same way as paper documents. However this kind of protection would be very inconvenient, especially when it comes to transport- ing the information. The way we store and move digital data makes it impossible to keep any possible intruder from accessing the data. Just think of radio networks where the data is sent on the air, and is accessible to any person able to capture the signal. Also the com- munication over the Internet goes unencrypted (by default) through public networks, so it should be considered insecure.