On the Need for Multip ermutations Cryptanalysis of MD and SAFER Serge VAUDENAY Lab oratoire dInformatique URA du CNRS Departement de Mathematiqueset dInformatique Ecole Normale Superieure LIENS November On the need for multipermutations Cryptanalysis of MD and SAFER Serge Vaudenay LIENS rue dUlm Paris Cedex FRANCE November Abstract Cryptographic primitives are usually based on a network with some gates In SV it is claimed that all gates should b e multipermutations In this pap er we investigate a few combinatorial prop erties of multiper mutations We argue that gates which fail to b e multipermutations can op en the way to unsusp ected attacks We illustrate this statement with two examples Firstly we show how to construct collisions to MD restricted to its rst two rounds This allows to forge digests close to each other using the full compression function of MD Secondly we show that some generalizations of SAFER are sub ject to attack faster than exhaustive search in cases This attack can b e implemented if we decrease the number of rounds from to In SV multipermutations are introduced as formalization of p erfect diu sion The aim of this pap er is to show that the concept of multipermutation is a basic to ol in the design of dedicated cryptographic functions as functions that do not realize p erfect diusion may b e sub ject to some clever cryptanalysis in which the ow of information is controlled throughout the computation network We give two cases of such an analysis Firstly we show how to build collisions for MD restricted to its rst two 1 rounds MD is a three rounds hash function prop osed in Riv An attack on The Laboratoire dInformatique de lEcole Normale Superieure is a research group aliated with the CNRS 1 This part of research has b een supp orted by the Celar MD restricted to its last two rounds is detailed in BB An other unpublished attack on the rst two rounds has b een found by Merkle see the introduction of BB This attack do es not pro duce a real collision but dierent digests very close to each other according to the Hamming distance Here we present a new attack which is based on the fact that an inert function is not a multipermutation This attack requires less than one tenth of a second on a SUN workstation Moreover the same attack applied to the full MD compression function pro duces two dierent digests close to each other Secondly we show how to develop a known plaintext attack to a variant of SAFER K in which we replace the p ermutation exp by a weaker one 45 SAFER is a six rounds encryption function introduced in Mas It uses a bytepermutation namely exp in the group of nonzero integers mo dulo 45 1 for confusion If we replace exp by a random p ermutation P and log by P 45 45 we show that in of the cases there exists a known plaintext attack faster than exhaustive search Furthermore this attack can b e implemented for the function restricted to rounds This attack is based on the linear cryptanalysis introduced in Mat and recently gave way to the rst exp erimental attack of the full DES function in Mat Multip ermutations In SV multipermutations with inputs and outputs are introduced Here we prop ose to generalize to any number of inputs and outputs Denition A r nmultipermutation over an alphabet Z is a function f from r n Z to Z such that two dierent r ntuples of the form x f x cannot collide in any r positions Thus a nmultipermutation is nothing but a vector of n p ermutations over 2 Z A multipermutation is equivalent to a latin square A nmulti 3 p ermutation is equivalent to a set of n twowise orthogonal latin squares Latin squares are widely studied in DK An equivalent denition says that the set of all r ntuples of the form x f x is an error correcting co de with minimal distance n which is the maximal p ossible In the case of a linear function f this is the denition of MDS co des co des which reach Singletons b ound For more details ab out MDS co des see MS More generally a r nmultipermutation is equivalent to a r 4 Z r n Z r orthogonal array 2 a latin square over a nite set of k elements is a k k matrix with entries from this set such that all elements are represented in each column and each row 3 two latin squares A and B are orthogonal if the mapping i j 7! A B gets all ij ij p ossible couples 4 a M r n q r orthogonal array is a M r n matrix with entries from a set of q M r times elements such that any set of r columns contains all q p ossible rows exactly r q A multipermutation p erforms a perfect diusion in the sense that changing t of the inputs changes at least n t of the outputs If a function is not a multipermutation one can nd several values such that b oth few inputs and few outputs are changed Those values can b e used in cryptanalysis as is shown in two examples b elow This motivates the use of multipermutations in cryptographic functions The design of multipermutations over a large alphab et is a very dicult prob lem as the design of twowise orthogonal latin squares in a wellknown dicult one The only p owerful metho d seems to use an MDS co de combined with several p ermutations at each co ordinate In the particular case of inputs it is attractive to choose latin squares based on a group law if we have a group structure over Z we can seek p ermutations and such that x y x y x y is a p ermutation as it will b e sucient to get a multipermutation Unfortu nately it is p ossible to prove that such p ermutations exist only when the Sylow 5 subgroup of Z is not cyclic using a theorem from HP More precisely they do not exist when the Sylow subgroup is cyclic They are known to exist in all solvable groups in which the Sylow subgroup is not cyclic but the existence in the general case is still a conjecture Hence Z should not have a cyclic group n structure For instance we can use the GF group structure for n Such multipermutations are prop osed in SV 32 In MD the group structure of GF is used but some functions are not multipermutations On the other hand in SAFER the group structure of ZZ 256 which is cyclic is used so without multipermutations Cryptanalysis of MD Description of MD MD is a hash function dedicated to bits micropro cessors It hashes any bit string into a bits digest The input is padded following the Merkle Damgardscheme Dam Mer and cut into bits long blo cks Then each blo ck is pro cessed iteratively using the DaviesMeyer scheme DP MMO and an encryption function C if B B is the sequence of blo cks the padded 1 n message the hash value is h h v B B i n 1 5 2 we agree the trivial group is not cyclic Actually x 7! x is an orthomorphism in all groups with o dd order in which the Sylow subgroup is trivial where v is an Initial Value and h v is C v v x is the key and v is the i x x message to encrypt Here we intend to build a single blo ck collision to hv that is to say two i 0 0 v It is obvious that this can b e used to blo cks x and x such that C v C i x i x build collisions to the hash function So we only have to recall the denition of the function C v x The value v is represented as integers a b c and d co ded with bits and the key x is represented as integers x x The initial denition of C uses 1 16 three rounds i The gure shows the computational graph of a single j j round i It uses a p ermutation and some b oxes B B is fed with a main i i i input a blo ck integer x and three side inputs If p is the main input and q (j ) i r and s are the side inputs from top to b ottom the output is ij R p f q r s x k i (j ) i i where R is the right circular rotation and k are constants and f is a par ij i i ticular function In the following we just have to know that f is the bitwise 2 ma jority function is the identical p ermutation and 1 2 Attack on the rst two rounds If we ignore the third round of C it is very easy to build collisions We notice that j no B are multipermutations if p x k and two of the three integers q 2 2 j r and s are set to zero then B x p q r s remains zero the same remark holds 2 with instead of So we can imagine an attack where two blo cks dier only in x the other integers are almost all set to k and such that almost all the 16 2 outputs of the rst round are zero This p erforms a kind of corridor where the mo died values are controlled until the nal collision More precisely let x x equal k x b e an arbitrary integer your 1 11 2 12 phone number for instance and x x and x b e such that the outputs a c 13 14 15 and d of the rst round are zero The computation of x x and x is very easy 13 14 15 from the computational graph Thanks to the previous remark we can show that the outputs a c and d of the second round do not dep end on x as the mo died 16 information in x is constrained in the register b Thus mo difying x do es not 16 16 mo dify a c and d Letting the b output b e a function of x we just have to nd a collision to a 16 bits to bits function This can b e done very eciently using the birthday paradox or the metho d An implementation on a Sparc Station uses one tenth of second a c b d - ?? 1 B i - ?? - 2 - B i - - ?? 3 - B i - - ?? 4 B i - - ?? 5 B i - ?? - 6 - B i - - ?? 7 - B B i - - L ?? 8 B i O i - - C ?? 9 B K i - ?? - 10 - B i - - ?? 11 - B i - - ?? 12 B i - - ?? 13 B i - ?? - 14 - B i - - ?? 15 - B i - - ?? 16 B i - ? ? ? ? Figure One round of C ? ? ? ? ? ? ? ? 2i1 k ? ? ? ? ? ? ? ? Q Q Q Q P P P P ? ? ? ? ? ? ? ? 2i k ? ? ? ? ? ?