Arenberg Doctoral School of Science, Engineering & Technology
Faculty of Engineering
Department of Electrical Engineering (ESAT)

Cryptanalysis and Design of Symmetric Cryptographic Algorithms

Gautham SEKAR

Dissertation presented in partial fulfillment of the requirements for the degree of Doctor in Engineering

March 2011



Cryptanalysis and Design of Symmetric Cryptographic Algorithms

Gautham SEKAR

Jury:
Prof. Dr. Ir. Jean Berlamont, Chair
Prof. Dr. Ir. Ludo Froyen, Acting Chair
Prof. Dr. Ir. Bart Preneel, Promotor
Prof. Dr. Ir. Vincent Rijmen, Secretary
Prof. Dr. Ir. Joos Vandewalle
Prof. Dr. Ir. Luc Van Eycken
Dr. Ir. Joan Daemen (STMicroelectronics, Belgium)
Dr. Ir. Henri Gilbert (ANSSI, France)

Dissertation presented in partial fulfillment of the requirements for the degree of Doctor in Engineering

March 2011


What is your aim in philosophy? To shew the fly the way out of the fly-bottle. – Ludwig Wittgenstein

© Katholieke Universiteit Leuven – Faculty of Engineering
Address, B-3001 Leuven (Belgium)

All rights reserved. No part of this publication may be reproduced and/or made public by means of print, photocopy, microfilm, electronic or any other means without the prior written permission of the publisher.

All rights reserved. No part of the publication may be reproduced in any form by print, photoprint, microfilm or any other means without written permission from the publisher.

Legal depot D/2011/7515/33
ISBN 978-94-6018-331-7


Dedicated to all my gurus, especially my parents


Acknowledgements

I like prefaces. I read them. Sometimes I do not read any further. – Malcolm Lowry

At the beginning of my doctoral research, I could barely foresee how much I was to mature and gain intellectually in the years to come. A great many people are responsible for this development; unfortunately, I am able to thank only a few here.

Foremost of them all is my advisor Prof. Dr. Bart Preneel. I am greatly indebted to him for giving me an opportunity to work at COSIC – it is a wonderful workplace. It is not justified if I simply thank him for steering me through the journey that has culminated in this thesis, giving me ample freedom to pursue my topics of interest, patiently reviewing my papers, providing timely and insightful comments (often at short notice), and very generously allowing me to travel to a number of workshops and conferences. I have come to realise that the best way to express my gratitude for the support provided by him and for the role model he has been, is through continued contributions to cryptology – I am hopeful of doing so.

I have been extremely fortunate to have Prof. Dr. Vincent Rijmen as an assessor. Although officially not a promotor, he would generously agree to proofread my papers and readily engage in detailed technical discussions. I sincerely thank him for this generosity and patience.

I am honoured to have Dr. Joan Daemen, Dr. Henri Gilbert, Prof. Dr. Joos Vandewalle and Prof. Dr. Luc Van Eycken serve as my jury members, and Prof. Dr. Jean Berlamont and Prof. Dr. Ludo Froyen as the chairmen of the jury. Their timely and insightful feedback was immensely helpful in fine-tuning the text that has turned into this thesis. Thanks are due to the agencies that funded my doctoral studies.

It has been a privilege to have coauthored papers with these brilliant people – Jean-Philippe Aumasson, Tor E. Bjørstad, Chang Chiann, Daniel Santana de Freitas, Ramon Hugo de Souza, Orr Dunkelman, Jorge Nakahara Jr., Emilia Kasper, Nicky Mouha, Souradyuti Paul, Thomas Peyrin, Christian Rechberger, Matthew J. B. Robshaw, Søren S. Thomsen, Meltem Sonmez Turan and Vesselin Velichkov. Needless to say, I look forward to many more such fruitful collaborations. I would like to thank the anonymous referees of my papers for their constructive comments.

Thanks are due to my promotor and Prof. Dr. Lynn Batten for their valuable feedback on my talks that helped me hone my presentation skills.

I would like to express my gratefulness to Souradyuti Paul and Hongjun Wu for their guidance and support in the initial years of my research. Paul's style of tutoring helped me in my supervision of a Summer internship. In the past two years, I have gained a lot from the technical discussions I have had with Ankush Nigam, Nicky Mouha and Vesselin Velichkov. I thank them for the same.

I would like to thank Prof. Dr. Srinivas Kotyada, Prof. Dr. Balasubramanian Ramachandran and Prof. Dr. Adi Shamir for discussions that helped me in my final bachelor's project. The project prepared me for the rigours of a PhD. Professors Kotyada and Ramachandran deserve a special mention for introducing me to cryptology, hosting my yearly research visits to the Institute of Mathematical Sciences, Chennai, and entrusting me with the tasks of writing proposals for projects and managing projects. My sincere thanks go to Prof. Dr. Swadhin Pattanayak for giving me similar responsibilities.

Many thanks to Prof. Dr. Bimal Roy, Prof. Dr. Subhamoy Maitra and Prof. Dr. Sugata Gangopadhyay for keeping me occupied with interesting problems in cryptology during my yearly visits to India. Special thanks go to Rajesh Pillai for connecting me with many Indian academicians and policy makers, and teaching me a valuable thing or two on Indian cyber law and policy.

That I could reach this stage of my doctoral programme is in many ways because of the timely assistance provided by Pela, Elvira, Veronique, Elsy and Saartje in several administrative procedures. Before I started attending a basic course in Dutch, I should have made umptillion requests to Pela to help translate several official documents. I thank her for never complaining.

My gratitude goes to many affable (ex-)COSICs. Those not thanked above include: Amitabh, Andras, Andrey, Antoon, Bart, Benedikt, Brecht, Carmela, Christian, Christophe, Claudia, Dawu, Deniz, Elena, Elmar, Frederik, Jasper, Jongsu, Jongsung, Junfeng, Kerem, Kota, Kyoji, Li, Mina, Miroslav, Nessim, Ozgul, Panagiotis, Sebastian, Sebastiaan, Seda, ... (my sincere apologies to those whose names have been left out due to constraints on time, memory and data). I am indebted to Mina for her assistance with administrative paperwork and valuable editorial inputs that have come in handy while writing this thesis.

It is a pleasure to thank many of my relatives and friends (especially those from my undergrad years) for their constant encouragement. Again, since there are too many of them, I am sorry at my inability to provide names here.

I am at a loss for words to thank my parents for being the best people I know. My sister, Sharanya, has been a great source of moral support. I hope she enjoys reading this thesis.

Gautham Sekar
Leuven-Heverlee, March 2011


Abstract

Symmetric-key cryptology is the oldest form of cryptology, in which identical keys are used by the sender and receiver of confidential data. There are two types of modern symmetric-key algorithms – block ciphers and stream ciphers. A major portion of this thesis is devoted to the analysis and design of these algorithms.

We begin with the theoretical foundations of modern symmetric-key cryptology that were laid down by Shannon in his landmark paper, 'Communication Theory of Secrecy Systems'. In this paper, he provides two necessary-and-sufficient probabilistic conditions for perfect secrecy of a cryptosystem. We show that a paradox results if either probabilistic condition is both necessary and sufficient, and that the paradox is resolved if the condition is only necessary.

Following this, we present cryptanalytic results on five fast, software-oriented synchronous stream ciphers – Py, Pypy, TPy, TPypy and HC-256 – that are based on arrays, modular additions and bit-rotations. The attacks on the Py family of ciphers are in a related-key setting and the attacks on HC-256 are in the standard (non-related-key) setting. All the attacks are of the distinguish-from-random type and are based on the correlations between array elements and their corresponding indices.

Next, we show key recovery attacks on the self-synchronising stream cipher Moustique. Our attacks work in both a related-key setting and otherwise. A highlight is that we show that related-key weaknesses are useful in constructing attacks in the standard setting.

Our discussion on cryptanalysis of stream ciphers is followed by a treatment of block ciphers. In block ciphers, we focus on Feistel constructions. We present two novel approaches to the classical meet-in-the-middle attack and use them to mount key recovery attacks on reduced-round variants of the ciphers DES, GOST, XTEA and XETA. Apart from the novelties in the attack methodologies, a highlight is that our meet-in-the-middle attacks require very few plaintext-ciphertext pairs.

One chapter of this thesis is devoted to the analysis of a full cryptosystem. That is, we attack not only the symmetric algorithm therein but also the key management techniques. The cryptosystem is covered by several national patents and an international patent. Our attacks are highly practical in nature, requiring very few plaintext-ciphertext pairs and negligible time/memory. Of the other attacks in this thesis, many are certificational but are the best attacks on the respective ciphers.

On the design side, we construct two fast synchronous stream ciphers, viz., RCR-64 and RCR-32, by tweaking the ciphers TPy and TPypy respectively. We provide some security analysis of the RCR ciphers. On select platforms, the RCR-64 is among the fastest stream ciphers in the literature. Our designs have remained unblemished for more than three years now. Along with the proposals of the RCR ciphers, we also point out some common mistakes in the analysis and design of symmetric ciphers.

Aside from symmetric encryption algorithms, this thesis also deals with cryptographic hash functions (CHFs). CHFs are connected with the rest of this thesis since they employ the design principles of symmetric encryption algorithms. We devote a chapter to the theory of hash functions. We find that there does not exist a hash function that is regular for more than a negligibly small fraction of subsets of the domain. Finally, we present an analysis of the ESSENCE family of CHFs.


Summary (Samenvatting)

Symmetric-key cryptology is the oldest form of cryptology, in which identical keys are used by the sender and receiver of confidential data. Modern symmetric encryption algorithms can be divided into two types – block ciphers and stream ciphers. A major part of this thesis is devoted to the analysis and design of these algorithms.

We begin with the theoretical foundations of modern symmetric-key cryptology, which were laid down by Shannon in his paper, 'Communication Theory of Secrecy Systems'. In this paper he gives two necessary and sufficient probabilistic conditions for the perfect secrecy of a cryptosystem. We show that a paradox arises if either probabilistic condition is both necessary and sufficient, and that the paradox is resolved if the condition is only necessary.

Following this, we present cryptanalytic results for five fast, software-oriented synchronous stream ciphers – Py, Pypy, TPy, TPypy and HC-256 – that are based on arrays, modular additions and bit rotations. The attacks on the Py family of ciphers are in a related-key scenario and the attacks on HC-256 are in the standard (non-related-key) scenario. All attacks are of the 'distinguish-from-random' type and are based on the correlations between array elements and the corresponding indices.

Next, we show key recovery attacks on the self-synchronising stream cipher Moustique. Our attacks work both in the related-key scenario and otherwise. A highlight is that we show that related-key weaknesses can be used to construct attacks in the standard scenario.

Our discussion of the cryptanalysis of stream ciphers is followed by a treatment of block ciphers. For block ciphers we focus on Feistel constructions. We present two new approaches to the classical meet-in-the-middle attack and use them to construct key recovery attacks on reduced-round variants of the ciphers DES, GOST, XTEA and XETA. Apart from the novelties in the attack methodologies, a highlight is that our meet-in-the-middle attacks require only a few plaintext-ciphertext pairs.

One chapter of this thesis is devoted to the analysis of a complete cryptosystem. That is, we attack not only the symmetric algorithm therein but also the key management techniques. The cryptosystem is protected by a number of national patents and an international patent. Our attacks are highly practical in nature, requiring very few plaintext-ciphertext pairs and negligible time/memory. Of the other attacks in this thesis, many are of theoretical interest, but they are the best attacks on the respective ciphers.

On the design side, we construct two fast synchronous stream ciphers, namely RCR-64 and RCR-32, by modifying the ciphers TPy and TPypy respectively. We provide a security analysis of the RCR ciphers. On certain platforms, RCR-64 is among the fastest stream ciphers in the literature. Our designs have now remained unbroken for more than three years. Along with the proposals of the RCR ciphers, we also point out a number of common mistakes in the analysis and design of symmetric ciphers.

Besides symmetric encryption algorithms, this thesis also treats cryptographic hash functions (CHFs). CHFs are connected with the rest of this thesis because they make use of the design principles of symmetric encryption algorithms. We devote a chapter to the theory of hash functions. We find that no hash function exists that is regular for more than a negligibly small fraction of the subsets of the domain. Finally, we present an analysis of the ESSENCE family of CHFs.


Contents

Acknowledgements i
Abstract iii
Samenvatting v
Contents vii
List of Figures xiii
List of Tables xv
List of Symbols xix
List of Abbreviations xxi

I Introduction 1

1 Introduction 3
1.1 Symmetric Encryption 4
1.1.1 Stream Ciphers 5
1.1.2 Block Ciphers 9
1.2 Ideal Cipher 14
1.3 Confusion and Diffusion 14
1.4 Hash Functions 15
1.5 Cryptanalysis 17
1.5.1 Key Recovery Attacks 19
1.5.2 Linear Cryptanalysis 21
1.5.3 Related-Key Attacks 22
1.5.4 Distinguishing Attacks 22
1.5.5 Collision Attacks 25
1.6 Research Accomplishments 26
1.7 Outline of the Thesis 29

II Theory of Symmetric Cryptology 33

2 Revisiting Shannon's Notion of Perfect Secrecy 35
2.1 Introduction 35
2.2 Perfect Secrecy 35
2.3 Motivational Observations 37
2.4 Discussion and Conclusions 41

3 Challenging the Increased Resistance of Regular Hash Functions Against Birthday Attacks 43
3.1 Introduction 43
3.2 The Birthday Problem 45
3.3 Balance and Regularity in the Existing Literature 45
3.4 Fraction of Regular Functions 46
3.5 Subset Regularity 48
3.6 Linear Subset Regularity 50
3.7 Related Work 53
3.8 Random Functions 54
3.9 Implications for Cryptanalysis of Block Ciphers 55
3.10 Conclusions 56

III Cryptanalysis of Synchronous Stream Ciphers 57

4 Related-Key Attacks on the Py Family of Ciphers 59
4.1 Introduction 59
4.1.1 Contribution of This Work 60
4.2 Description of the Stream Ciphers Py, Pypy, TPy and TPypy 61
4.3 Notation and Conventions 63
4.4 The Related-Key Weaknesses 64
4.4.1 Analysis of the K Setup Algorithm KS 64
4.4.2 Analysis of IV S1 and IV S2 69
4.4.3 Analysis of RF1 71
4.4.4 The Distinguisher 73
4.4.5 Attacks with Shorter Keys 74
4.5 Conclusions and Future Work 74

5 Improved Distinguishing Attacks on HC-256 75
5.1 Introduction 75
5.1.1 Contribution of This Work 76
5.2 Notation and Conventions 76
5.3 Specifications of HC-256 76
5.3.1 The K/IV Setup 77
5.3.2 The KGA 78
5.4 Motivational Observation 78
5.4.1 Our Improvement 80
5.5 The Distinguisher 83
5.6 Conclusions and Future Work 84

IV Cryptanalysis of Asynchronous Stream Ciphers 85

6 Correlated Keystreams in Moustique 87
6.1 Introduction 87
6.2 Description of Moustique 87
6.2.1 The CCSR 88
6.2.2 The Filter 89
6.3 Observations on Moustique 90
6.3.1 Limited Impact of the IV 90
6.3.2 Differential Trails in the Filtering Function 90
6.3.3 Impact of Key Bits on the CCSR 90
6.4 Related-Key Effects 92
6.4.1 Correlated Keystreams 92
6.4.2 Key Recovery Attacks 94
6.5 Accelerated Exhaustive Key Search 95
6.5.1 The Strong Correlation Attack 95
6.5.2 The Piling-Up Attack 96
6.6 Experimental Verification 97
6.7 Conclusions 97

V Cryptanalysis of Block Ciphers 99

7 Meet-in-the-Middle Attacks on Feistel Constructions 101
7.1 Introduction 101
7.1.1 The Meet-in-the-Middle Attack 104
7.1.2 Contribution of This Work 105
7.2 Meet-in-the-Middle Attacks on DES 107
7.2.1 Specifications of DES 107
7.2.2 An Alternative Description of DES 107
7.2.3 Preliminaries of Our Attacks on 4-Round DES 109
7.2.4 Attack on 4 Rounds Using One KP 111
7.2.5 Attack on 4 Rounds Using Multiple KPs 112
7.2.6 Attack on 4 Rounds Using CCs 112
7.2.7 Attacks on 5-Round DES 112
7.2.8 Attacks on 6-Round DES 114
7.3 Meet-in-the-Middle Attacks on XTEA and XETA 114
7.3.1 Notation and Conventions 114
7.3.2 Specifications of XTEA 115
7.3.3 Motivational Observation 116
7.3.4 Attacks on 15 Rounds of XTEA 118
7.3.5 Attacks on 23 Rounds of XTEA 120
7.3.6 Attacks on XETA 124
7.4 Meet-in-the-Middle Attacks on GOST 124
7.4.1 Specifications of GOST 124
7.4.2 Attacking up to 14 Rounds of GOST 125
7.4.3 Attack on 16-Round GOST 126
7.4.4 Attack on 22-Round GOST 126
7.5 Worst- and Average-Case Analyses: A Comparison 127
7.6 Countermeasures 127
7.7 Conclusions and Open Problems 128

VI Cryptanalysis of Cryptographic Hash Functions 131

8 Cryptanalysis of the ESSENCE Family of Hash Functions 133
8.1 Introduction 133
8.2 Description of the Compression Functions of ESSENCE 134
8.2.1 The Feedback Function F 135
8.3 Branch Number of the L Function 136
8.4 A 31-Round Semi-Free-Start Collision Attack For ESSENCE-512 136
8.5 Finding Message Pairs for the First Nine Rounds 139
8.6 Distinguishing Attacks 140
8.6.1 Weakness in the Feedback Function of ESSENCE 140
8.6.2 Distinguishers on 14-Round ESSENCE 141
8.6.3 The Distinguisher 141
8.6.4 Distinguishers using Biases in Other Bits 142
8.6.5 Distinguishers for the Compression Function 142
8.6.6 Key Recovery Attacks 142
8.7 Slide Attacks 143
8.7.1 Slid Pairs with Identical Chaining Values 144
8.8 Fixed Points for the ESSENCE Block Ciphers 144
8.9 Measures to Improve the Security of ESSENCE 145
8.10 Conclusions and Open Problems 145

VII Analysis of Cryptosystems: Attacking the Symmetric Encryption Algorithm and Key Management Techniques 147

9 Practical Attacks on a Cryptosystem Proposed in Patent WO/2009/066313 149
9.1 Introduction 149
9.2 Notation and Conventions 151
9.3 Description of the Cryptosystem 151
9.4 A Trivial Attack on the Cryptosystem S 153
9.5 Motivational Observations 156
9.6 Attacks Due to Weaknesses in the Stream Cipher 157
9.6.1 Attacks in a Related-Key Setting 157
9.6.2 Attacks in a Non-Related-Key Setting 158
9.7 Conclusions and Open Problems 159

VIII Design of Symmetric-Key Algorithms 161

10 Design of Synchronous Stream Ciphers 163
10.1 Introduction 163
10.2 Specifications 164
10.3 Security Analysis 164
10.3.1 Resistance to Distinguishers in the Standard Setting 165
10.3.2 Resistance to Distinguishers in a Related-Key Setting 166
10.3.3 Resistance to Differential Attacks 166
10.3.4 Resistance to Algebraic Attacks 167
10.3.5 Effect of Any Non-Zero Constant Rotation 167
10.4 Performance Estimates 168
10.5 Discussion and Conclusions 168
10.6 Future Work 170

IX Closing Remarks 171

11 Conclusions 173

12 Future Research 177

Bibliography 179

A Perfect Secrecy 197
A.1 Radical Subjectivism and Other Paradoxes 197

B Hash Function Regularity 199
B.1 Linear Subset Regularity for 3-to-1 Bit Hash Functions 199
B.2 Calculating the Inverses of Matrices Ad 200

C The Py Family 203
C.1 Related Keys When Size of the IV is Varied 203

D HC-256 205
D.1 Experimental Results 205
D.2 A Note on the Randomness of Keystream Bits when S2 does not Occur 206

E XTEA 209
E.1 Illustration of the Attack on Rounds 16–38 209
E.2 Randomness of the Inner Round Subkeys in the 15-Round Attacks 211

F ESSENCE 213
F.1 Finding the Lowest Weight Difference A 213
F.2 Making F Behave as a Linear Transformation 214
F.3 A Message Pair for the First Nine Rounds 214
F.4 Distinguishing Attacks on the Full 32-Round ESSENCE-256 215
F.5 Key Recovery Attacks on 32-Round ESSENCE 217

List of Publications 219

Curriculum Vitae 223


List of Figures

1.1 The ECB mode of encryption . . . . . . . . . . . . . . . . . . . . . 101.2 The CBC mode of encryption . . . . . . . . . . . . . . . . . . . . . 101.3 The CFB mode of encryption . . . . . . . . . . . . . . . . . . . . . 111.4 The OFB mode of encryption . . . . . . . . . . . . . . . . . . . . . 111.5 The Merkle-Damgard construction: the message M is split into u

blocks, m1, m2, . . . , mu, with mu encapsulating the padded bits;FC is the compression function and h(M) is the hash value . . . . 16

2.1 Line diagram representing the system of equations (2.5); keys thatmap p1 and p4 to the ciphertexts are marked . . . . . . . . . . . . 38

3.1 In this example, d = 9 and r = 3; the shaded area represents oneof the C(9, 3) possible sets of 3 domain points that can map to therange point R1 given that the function is regular; for R2 there areonly C(6, 3) sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

6.1 State and filter of Moustique (p and c denote a plaintext bit andthe corresponding ciphertext bit); the only difference to Mosquitois that 1/3rd of Moustique state is now updated using a linearfunction g0 to improve diffusion within the CCSR . . . . . . . . . . 88

6.2 CCSR differential propagation using related keys k = (k0, k1, k2, k3, . . . , k95) and k∗ = (k0, k1 + 1, k2 + 1, k3, . . . , k95) . . . 92

7.1 An alternative description of the general structure of the DES . . . 108
7.2 F-function of DES . . . 108
7.3 An alternative description of DES’ F-function . . . 109
7.4 4-round DES . . . 110
7.5 The Feistel structure of XTEA showing two rounds . . . 116
7.6 The function F used in the round function of XTEA . . . 116

8.1 One round of ESSENCE; each rn and kn (n = 0, . . . , 7) is a 32- or 64-bit word . . . 134


8.2 The compression function of ESSENCE; E is the round function of ESSENCE when iterated N times, k denotes the message block, rini denotes the initial value of r7||r6||r5||r4||r3||r2||r1||r0 and rfin denotes the value of r for the next iteration . . . 135

9.1 Encrypting a plaintext message with E under key (K1, K2, K3, K4) . . . 153
9.2 An example (similar to the example in [8]) to illustrate the generation of the extended ciphertext; in this example, while truncating the CBS, the redundant trailing bits are discarded (while 4 leading bits could have instead been discarded) . . . 154

9.3 Working of the cryptosystem S; β1 may be securely transmitted across the insecure channel through the use of PKC . . . 155

E.1 Attack on rounds 16–38 using Algorithm 7.1: the tables (not stored in memory) denote the two stages of Algorithm 7.1 and the shaded 128 bits denote the correct 128-bit key; for a wrong key γ that passes test_keys_1(), test_keys_2() is performed 2^11 times . . . 209

E.2 23-round attack (rounds 16–38), using 11 inner rounds (the grey boxes represent bits that do not depend on K3[31 . . . 21]) . . . 210


List of Tables

2.1 Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

3.1 Truth table for an m-to-i bit hash function h; αj,ℓ ∈ {0, 1}, ∀ j ∈ {0, . . . , 2^m − 1} and ℓ ∈ {0, . . . , i − 1} . . . 52

4.1 Data complexities§ of attacks on the Py and Py6 families of ciphers when used with 256-bit keys and 128-bit IVs; time complexities are indicated within parentheses unless they are identical to the respective data complexities (‘X’ denotes that the attack is not shown to work and ‘N/A’ means that the data is not directly available from the corresponding source) . . . 62

4.2 Constructions of the algorithms of Py, Pypy, TPy and TPypy . . . 63
4.3 The variable s at the end of the iterations corresponding to j = 15, 16 and 17 of Algorithm A . . . 65
4.4 The variable s at the end of the iterations corresponding to j = 15, 16 and 17 of Algorithm B given D1 occurs . . . 68
4.5 The variables s and Y at the end of the iterations corresponding to j = 15, 16 and 17 of Algorithm C given event D2 ∩ D1 occurs . . . 69
4.6 When Gj (1 ≤ j ≤ 4) occurs, C1 ⊕ C2 ⊕ C3 ⊕ C4 = 0 . . . 71

5.1 Notation and conventions . . . . . . . . . . . . . . . . . . . . . . . 77

6.1 The use of the functions g0 and g1 in the CCSR . . . 89
6.2 Related-key pairs and correlated keystreams; all these related-key pairs and the magnitude of the correlation have been experimentally verified . . . 93

6.3 The codewords of the (7, 4) Hamming code . . . . . . . . . . . . . 96

7.1 Key recovery attacks on XTEA where the time complexities are averages (‘N/A’ means that the data is not directly available from the corresponding source, ‘MitM’ stands for ‘Meet-in-the-Middle’) . . . 104

7.2 Full-key recovery attacks on GOST where the time complexities are averages . . . 104


7.3 Comparison of attacks on reduced-round DES where the success rate is at least 90% . . . 106

7.4 Meet-in-the-middle on 4-round DES with 1 KP . . . 111
7.5 Key bits determining the middle bits of 4-round DES . . . 113
7.6 Key bits determining the middle bits of 5-round DES . . . 113
7.7 Key bits determining the middle bits of 6-round DES . . . 114
7.8 Notation . . . 115
7.9 Subkeys used in XTEA . . . 116
7.10 All 7-round attacks; each attack requires 2 KPs and on average 2^95.00 computations of the 7 rounds for an average success probability of 1 − 2^−33 . . . 118

7.11 All 15-round attacks; each attack requires 3 KPs and on average 2^95.00 computations of the 15 rounds for an average success probability of 1 − 2^−65 . . . 120

7.12 All 23-round attacks . . . 124
7.13 All r-round block ciphers, where 8 ≤ r ≤ 14, with unused subkeys . . . 125
7.14 Average time complexities and average success probabilities of the attacks on up to 14 rounds, for several values of s and n . . . 126
7.15 All reduced-round XTEA block ciphers for which a 29-round attack consists of 17 inner rounds . . . 129

8.1 A 31-round semi-free-start collision differential characteristic for the ESSENCE-512 compression function; differences from R to Y are arbitrary, 0 represents the zero difference, A = 0A001021903036C3 . . . 138

8.2 Slid pairs for ESSENCE . . . 143
8.3 Slid pairs with identical chaining values . . . 144

9.1 Notation and conventions . . . . . . . . . . . . . . . . . . . . . . . 151

B.1 Constructing a 3-to-1 bit ls-regular hash function h(x), where x ← x2 ∥ x1 ∥ x0; the values in bold were set initially, the others are derived from the ls-regular conditions . . . 199

D.1 Results of probability simulations for different values of k . . . . . 206

F.1 All differences A with hw(A) = 17 that satisfy (F.1); there are no solutions where hw(A) < 17 and (F.1) . . . 214

F.2 Making F linear and imposing the required differential behaviour for position j where A[j] = L(A)[j] = 1 can be done by adding no more than 10 linear equations; exactly four such solutions exist . . . 215

F.3 Making F linear and imposing the required differential behaviour for position j where A[j] = 1 and L(A)[j] = 0 can be done by adding no more than 10 linear equations; exactly one such solution exists . . . 216


F.4 Making F linear for position j where A[j] = L(A)[j] = 0 can be done by adding no more than 6 linear equations; at least six such solutions exist . . . 216

F.5 A message pair satisfying the first 9 rounds of the characteristic of Table 8.1 . . . 217


List of Symbols

Sets and Elements

R real numbers
N natural numbers
Z integers
F2 field of two elements
{0, 1}^n bit-string of length n
{0, 1}∗ bit-string of arbitrary length

Operators

≪ left shift
≫ right shift
⋘ circular left shift
⋙ circular right shift
∨ bitwise or
⊕ bitwise exclusive-or
+ addition of two n-bit integers modulo 2^n
− subtraction of two n-bit integers modulo 2^n
∪ set union
∩ set intersection

◦ function composition

Additional Notation and Conventions

The term word typically denotes a 32-bit integer and occasionally a 64-bit integer
If E is an event, E^c denotes its complement
The concatenation of the strings a and b is denoted by a||b
u32 denotes an unsigned 32-bit integer
If X is a set, |X| denotes its size
If x is an integer, |x| denotes the length of its binary representation or its absolute value, depending on the context


If A is a matrix, A^T denotes its transpose
C(u, v) denotes the quantity u!/(v! · (u − v)!)


List of Abbreviations

AES Advanced Encryption Standard
ASCII American Standard Code for Information Interchange
ATM automated teller machine
CBS concatenated bit-string
CC chosen ciphertext
CCSR conditional complementing shift register
CHF cryptographic hash function
CP chosen plaintext
DES Data Encryption Standard
ECRYPT European Network of Excellence in Cryptology
ESP Encapsulating Security Payload
HMAC hash-based message authentication code
IV initialization vector
IACR International Association for Cryptologic Research
IEC International Electrotechnical Commission
IP Internet Protocol
ISO International Organization for Standardization
KP known plaintext
KGA keystream generation algorithm
KSA key scheduling algorithm
LSB least significant bit
LFSR linear feedback shift register
MAC message authentication code
MSB most significant bit
NESSIE New European Schemes for Signatures, Integrity and Encryption
NIST National Institute of Standards and Technology, USA
ODNL ordered decimal number list
PIN personal identification number
PKC public-key cryptography
PRNG pseudorandom number generator
RSA Rivest-Shamir-Adleman


SHA Secure Hash Algorithm
SSL Secure Sockets Layer
TCP Transmission Control Protocol
TLS Transport Layer Security
WEP Wired Equivalent Privacy
XOR exclusive-or


Part I

Introduction


Chapter 1

Introduction

The word ‘cryptology’ has a Greek etymology; it means ‘secret word’. The documented history of cryptology begins with ancient Egypt, more than 4500 years ago. It has predominantly been an art form used by the military and governments for message confidentiality. The art was transformed into a science by a 1948 paper [205] written by Shannon. This was arguably the beginning of modern cryptology, in which checking the integrity of messages and authenticating the identities of the communicating parties have become as essential as ensuring message confidentiality.

The transformation of cryptology from an art to a science may have been motivated by the popularity of wireless communications in the 1920s. However, it is the birth of the computer era that arguably made open research (which is required of any scientific field of study) in cryptology possible. Today, cryptology lies at the heart of many processes and applications that include electronic commerce, Internet banking, Internet shopping, automated teller machines, and even cars. The motivations behind this thesis trace back to this pervasiveness of cryptology and the continual rise in the number of its application areas. We now provide a glossary of some fundamental terms.

Encryption is the process of converting a message (or plaintext) into an ‘unintelligible’ form (called ciphertext) and decryption is the reverse process. The ciphertext is transmitted by the sender (given the placeholder name Alice in the cryptology literature) to the intended recipient (Bob) of the plaintext, across an insecure communication channel (any third party can intercept data that flows through such a channel). The algorithm used for performing encryption and decryption is called the cipher.1 A cryptosystem can mean any system that involves cryptology, or just the algorithms, along with the sets of possible inputs to them, that are used to perform encryption and decryption of messages. The reader should easily be able to follow the meaning from the context in which the term

1 The word ‘cipher’ is also used to denote the algorithm along with its input and output spaces.


‘cryptosystem’ is used in this thesis. Cryptology has two sides – cryptography (i.e., designing cryptosystems) and cryptanalysis (attacking cryptosystems).

Modern cryptography is divided into two branches: symmetric-key cryptography and public-key cryptography. In the former, Alice and Bob share a string, known as the key, which they do not disclose to a distrusted third party. This key is used both to encrypt the plaintext and to decrypt the ciphertext. In PKC there is no shared secret key: each party holds a key pair consisting of a key that is made publicly available and a private (secret) key. The public key of Bob is used by Alice to encrypt her plaintext. The resultant ciphertext is decrypted by Bob (and only Bob) using his private key. Public-key cryptosystems often involve heavy arithmetic operations and hence are unsuitable for the speedy transmission of lengthy messages. Therefore, today PKC is mostly used in tandem with symmetric-key cryptography, to securely exchange the relatively short secret key of the latter. As this thesis is virtually disconnected from PKC, the reader interested in learning how popular public-key cryptosystems work is referred to [121, 146, 179].

A part of this thesis is devoted to the study of cryptographic hash functions, which are used for message integrity verification, message authentication, user authentication, etc. Modern CHFs structurally resemble modern symmetric-key primitives in that they use similar building blocks. We use terms such as symmetric cryptosystems, symmetric cryptographic algorithms, etc. to denote the set composed of any algorithm/cryptosystem that uses design components similar to those of symmetric-key primitives.

1.1 Symmetric Encryption

There are two main types of modern symmetric encryption algorithms:

• synchronous stream ciphers, and

• block ciphers.

In this section, we shall describe these types in some detail. In addition, we shall also describe a very rare type of stream cipher called ‘asynchronous stream ciphers’.

As early as 1883, Kerckhoffs laid down six design principles for symmetric ciphers. Of these, the most relevant and important to today’s ciphers is the principle (today known as Kerckhoffs’ principle) that a cipher must not be required to be secret and that only the key should be secret. Note that this does not mean that a cipher must be made public.

Keeping an algorithm secret, however, may be risky. It is possible that the secret algorithm is reverse engineered later and found to be insecure. A fitting example is the case of the cipher RC4. The algorithm was kept a trade secret until it was reverse engineered in 1994 and leaked to the Cypherpunks mailing list and the Usenet newsgroup sci.crypt [4]. Following this, the cipher came under a spate of attacks [78, 79, 85, 120, 133, 164].


Such a risk is captured by Shannon’s maxim [206], “The enemy knows the system.” It is thus a widely used assumption in symmetric cryptology and is to be understood wherever it is not explicitly mentioned in this thesis.

We shall now briefly describe the above-listed types of symmetric encryption algorithms.

1.1.1 Stream Ciphers

A stream cipher takes as input the secret key and a parameter called the initialization vector (IV) and outputs a stream of bits called the keystream. The keystream is XORed with the plaintext to produce the ciphertext. The IV is a very important parameter for the following reason. Suppose the IV is not used and an attacker finds two identical and somewhat lengthy sequences of bits in the ciphertext. Then she may assume that the corresponding plaintext sequences are also identical. Even if the plaintexts are not identical, the famous transmission-in-depth problem will occur: the XOR of the two ciphertexts equals the XOR of the two plaintexts, because the common keystream cancels out, hence statistical deviations will be obvious. The best-known practical example where this property was exploited is the Venona project [18].

Given the importance of the IV, care needs to be taken in generating and updating it. Initialization vectors are usually generated incrementally or randomly, depending on the application. In the latter case, the designer needs to ensure that the IVs are sufficiently long so that they may not be expected to ‘collide’ (more on collisions follows in Sect. 1.4). The seriousness of such collisions in compromising the security of a system is well understood from [122], where Kohno describes an attack on WinZip 9.0 exploiting collisions in the IVs. In [239], Wu provides a very good example of the problems associated with poor IV management: he points out a disastrous security flaw in Microsoft Office XP that results from a failure to update the IV.

Initialization vectors are also used with block ciphers while encrypting long messages, i.e., when the block ciphers are used in certain ‘modes of operation’ (this is explained further in Sect. 1.1.2). In such cases too, poor IV management can compromise security – an example is provided in Sect. 1.1.2.

Some attack models assume that the IVs are secret, some others assume thatthey are known to the attacker. In some models, the attacker is even able to selectthe IVs.

Most stream ciphers are made up of the following three parts.

• The Key Scheduling Algorithm. This algorithm takes the secret key K as the input and outputs a finite set of bits that form the internal state of the cipher.

• The IV Scheduling Algorithm. This algorithm is usually run after the KSA. It takes as input the IV and the internal state that forms the output of the KSA. The IV scheduling algorithm or IV setup then mixes these inputs and outputs an updated internal state. Here, we would like to point out that in many texts (e.g., [163]) the KSA and the IV scheduling algorithm are collectively called the “key scheduling algorithm”.

• The Keystream Generation Algorithm. The input to this algorithm is the output at the end of the K/IV setup. In every iteration of the algorithm, the internal state is updated and a fixed-length string of bits is output. The sender Alice can ideally generate such fixed-length outputs indefinitely without re-keying or changing the IV. However, for enhanced security, state-of-the-art stream ciphers restrict the number of iterations that can be performed before the K/IV must be changed.

As the K/IV setup is usually rerun only rarely, the performance of a stream cipher when used to encrypt a very long message (typically of several KBytes) is approximately equal to the speed of execution of the KGA. In this thesis, we give performance figures for some stream ciphers (e.g., in Chapter 10). These are the speeds of their KGAs and, therefore, approximate performance figures for long messages.

We shall now describe the two types of stream ciphers (viz., synchronous andasynchronous).

Synchronous Stream Ciphers. In a synchronous stream cipher, the keystream is generated independently of the plaintext and the ciphertext. Let t denote a particular iteration of the KGA. Let the keystream block generated in this iteration be denoted κt and the internal state bits used for the generation of κt be denoted St. If fS and fκ respectively denote the state update and keystream generation functions, a synchronous stream cipher can be represented by the following set of equations:

κt = fκ(St,K, IV) , (1.1)

St+1 = fS(St,K, IV) . (1.2)

In (1.1) and (1.2), St itself is a time-varying function of the K/IV. So, if the K or the IV or both are not reused in the KGA, (1.1) can be rewritten in one of the following three ways:

κt = fκ(St,K) ,

κt = fκ(St, IV) ,

κt = fκ(St) .

Advantages of using such a cipher are that ciphertext bits flipped during transmission do not affect the receiver’s decryption of the remaining bits and that the keystream can be precomputed. However, synchronous stream ciphers suffer from the following two major problems.

Page 37: Cryptanalysis and Design of Symmetric Cryptographic …tieke sleutels gebruikt worden door de zender en ontvanger van vertrouwelijke gegevens. Moderne symmetrische versleutelingsalgoritmen

SYMMETRIC ENCRYPTION 7

• Synchronisation between the sender and the receiver is lost if even a single ciphertext bit is lost during transmission. Adding a bit to the ciphertext has the same effect.

• If the attacker is not completely passive and is, say, able to flip a ciphertext bit, then the corresponding plaintext bit is also flipped at the receiver’s end.
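The three-part structure (KSA, IV setup, KGA) and the two problems just listed, as an added example that is not code from the thesis: a toy synchronous stream cipher in which SHA-256 stands in for both fκ and fS of (1.1)/(1.2), with K and IV absorbed into S0 so that κt = fκ(St). This is an assumption made for the sake of a self-contained demonstration; the ciphers studied in this thesis use arrays, modular additions and rotations instead. The example reproduces the transmission-in-depth problem of Sect. 1.1.1 (encrypting twice under the same K/IV leaks p1 ⊕ p2, so one known plaintext yields the other without the key), the bit-flipping attack, and the loss of synchronisation when a single byte is dropped. The key, IV and messages are constructed sample data.

```python
import hashlib


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ksa(K: bytes) -> bytes:
    """Key scheduling algorithm: the secret key alone determines the initial internal state."""
    return hashlib.sha256(b"KSA|" + K).digest()


def iv_setup(state: bytes, IV: bytes) -> bytes:
    """IV scheduling algorithm: mixes the IV into the state output by the KSA."""
    return hashlib.sha256(b"IV|" + state + IV).digest()


def kga(state: bytes, nbytes: int) -> bytes:
    """Keystream generation algorithm in the form kappa_t = f_kappa(S_t), S_{t+1} = f_S(S_t),
    i.e. K and IV are not reused after the setup. Assumption: SHA-256 plays both f_kappa and f_S."""
    out, S = bytearray(), state
    while len(out) < nbytes:
        out += hashlib.sha256(b"out|" + S).digest()  # kappa_t, 256 bits per iteration
        S = hashlib.sha256(b"next|" + S).digest()    # S_{t+1}
    return bytes(out[:nbytes])


def encrypt(K: bytes, IV: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, kga(iv_setup(ksa(K), IV), len(plaintext)))


decrypt = encrypt  # decryption XORs the same keystream back


def flip_bit(data: bytes, i: int) -> bytes:
    """Flip bit i of data (bit 0 is the least significant bit of the first byte)."""
    b = bytearray(data)
    b[i // 8] ^= 1 << (i % 8)
    return bytes(b)


def recover_with_known_plaintext(c1: bytes, c2: bytes, p1: bytes) -> bytes:
    """Transmission in depth: c1 and c2 made with the same K/IV satisfy c1 XOR c2 = p1 XOR p2,
    so the known plaintext p1 yields p2 without the key."""
    return xor(xor(c1, c2), p1)


# Constructed sample data (not from the thesis); 24-byte messages so the XOR lines up exactly
K = b"0123456789abcdef"
IV = b"\x00" * 8
P1 = b"ATTACK AT DAWN, BRIDGE 7"
P2 = b"RETREAT AT DUSK, HILL 12"

if __name__ == "__main__":
    c1, c2 = encrypt(K, IV, P1), encrypt(K, IV, P2)  # the mistake: same K and same IV twice
    print("recovered P2:", recover_with_known_plaintext(c1, c2, P1))
    print("flipped bit 0:", decrypt(K, IV, flip_bit(c1, 0)))  # 'A' becomes '@' at the receiver
    print("one byte lost:", decrypt(K, IV, c1[1:]))           # synchronisation is gone
```

Changing the IV between the two messages (the point of the IV setup) removes the leak: the two keystreams are then unrelated and c1 ⊕ c2 no longer cancels to p1 ⊕ p2.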

In this thesis, all the synchronous stream ciphers we deal with are based on large arrays, modular additions and bit-rotations. These ciphers structurally resemble and were motivated by the design of the stream cipher RC4. We shall now discuss this type of cipher a little further.

RC4-Like Stream Ciphers. In 1915, two Dutch naval officers developed the first rotor machine – an electromechanical device that performed encryption and decryption [60]. The best known rotor machine is the Enigma, which was developed and used by the Germans during World War II. Until the mid 1960s, rotor machines were widely used. Their usage gradually declined with the birth of the computer age (only the KL-7 rotor machine continued to be used until the 1980s). Subsequently, (stream) ciphers began to be built using LFSRs. This type of cipher has been well studied and several attacks [45, 83, 101, 133, 145, 209] have been developed. Stream ciphers based on LFSRs are usually hardware-efficient, but typically less suited for high-speed software (i.e., PC-based) applications. An exclusively software-oriented stream cipher called RC4 was designed by Rivest in 1987 [235]. Its use of arrays in place of LFSRs probably marked the first deviation from LFSR-based designs. As mentioned in Sect. 1.1, the cipher was a trade secret for several years before it was reverse engineered in 1994 and made its way to public fora on the Internet. Since then RC4 has witnessed many attacks (see Sect. 1.1). However, due to its simple structure, high software performance and widespread usage (e.g., in WEP and SSL), RC4 has inspired the designs of many ciphers. Of these, the Py, Py6 and HC families of ciphers are worth mentioning. It is interesting to note that the design of the Py and Py6 families of ciphers was influenced by the design of the Enigma [27].

Array-based stream ciphers have also been well studied; the cryptanalytic techniques described by Golić in [84] and Coppersmith et al. in [46] apply to a wide range of stream ciphers. A recent trend in the design of array-based stream ciphers is the use of very heavy KSAs. The motive behind this design strategy is to enhance the resistance of the ciphers to a certain kind of attack called related-key attacks (discussed in Sect. 1.5.3). Most practical applications that employ these ciphers do not require frequent re-keying. Moreover, since such ciphers are primarily intended for software applications where memory is plentiful, they typically use large arrays in an attempt to provide better resistance to certain types of attacks.

Asynchronous Stream Ciphers. A stream cipher in which the keystream depends on the previous ciphertext is called an asynchronous stream cipher (an example is Helix [76]). It is represented by:

κt = fκ(St,K, IV) , (1.3)

St+1 = fS(St,K, IV, C ′t) , (1.4)

where C′t is a sequence of bits selected from the ciphertext Ct. Again, if K or IV or both are not reused in the KGA, (1.3) can be rewritten in one of the following three ways:

κt = fκ(St,K) ,

κt = fκ(St, IV) ,

κt = fκ(St) .

Quite obviously, this type of cipher suffers from the weakness that ciphertext bits flipped during transmission affect the receiver’s ability to decrypt one or more of the remaining ciphertext bits. To reduce the intensity of this problem, many asynchronous stream ciphers are designed such that the keystream depends on a very limited number of previous ciphertext bits. Such ciphers are called self-synchronising stream ciphers. The ciphers SSS, Mosquito and Moustique fall under this category. The main advantage of this type of cipher over synchronous stream ciphers is that the receiver is able to resynchronise with the sender if bits are removed from or added to the transmitted ciphertext. As for the disadvantages, Rueppel [186] points out the following:

• The attacker has some information on the input to the keystream generation process because a part of the input consists of ciphertext bits (which are known to the attacker).

• Self-synchronising stream ciphers have limited analysability (i.e., when compared to synchronous stream ciphers) because the internal state and the keystream depend on plaintext bits. Therefore, at times the attacker may need to know some of these bits in order to be able to analyse the cipher. This is however not perceived by many as a drawback because attacks that assume that the attacker only has ciphertext bits and plaintext statistics are rare today.

Note that these drawbacks apply to asynchronous stream ciphers per se.

Designing secure and efficient self-synchronising stream ciphers has been perceived to be challenging (see e.g. [180]). More on this follows in Chapters 6 and 11 of this thesis. With this we now proceed to block ciphers.


1.1.2 Block Ciphers

A block cipher is used to encrypt small plaintext messages (typically containing 64–256 bits). It is an invertible transformation that takes as inputs the secret key and a fixed-length plaintext and outputs a fixed-length ciphertext. Thus a considerable portion of the internal state of the block cipher is ‘leaked’ to the attacker. This may also be the case with a stream cipher but, as we saw in Sect. 1.1.1, the state is updated continuously, rendering the leaked information on the state useless to the attacker. In a block cipher, the state does not vary with time but the part of it that is not leaked (that is, the part useful to the attacker) is kept secret by the secret key. This seemingly main difference between a stream cipher and a block cipher is bridged when the block cipher is used in certain modes of operation. This point is explained in the paragraphs to follow.

At the receiving end of a block cipher-encrypted plaintext message, the secret key and the ciphertext are input to the inverse transformation to obtain the plaintext.

Here, the ciphertext should not be shorter than the plaintext. Otherwise, by the pigeonhole principle, unique decryption becomes impossible for one or more ciphertexts. From a performance point of view, it is undesirable to output ciphertext that is longer than the plaintext. Therefore, the plaintext and the ciphertext are of the same length in a block cipher. Furthermore, in most contemporary block ciphers, this length is at least 128 bits. This is to make it difficult to find a pair of colliding inputs – this can be further understood from Sect. 1.4.

To encrypt a long plaintext message (p), it is first split into blocks, each of which is small enough to be input to a block cipher. The same block cipher (call it E) and the same secret key (K) are used to encrypt each block. Obviously, the lengths of the plaintext blocks are identical and dependent on the block cipher used. Therefore, the last block may have to be ‘padded’ with extra bits. Let p1, p2, . . . , pu denote the plaintext blocks, with pu encapsulating the padded bits, and let c1, c2, . . . , cu denote the corresponding ciphertexts. The block cipher is typically used in one of the following five modes of operation to encrypt p1, p2, . . . , pu.

Electronic Code Book (ECB). The blocks p1, p2, . . . , pu are encrypted independently of one another. Figure 1.1 illustrates the ECB mode of encryption.

The disadvantage of the ECB mode is that the ciphertexts do not conceal patterns in the plaintexts. For example, if p1 and p2 are identical, then so are the corresponding ciphertexts c1 and c2. This is particularly noticeable while encrypting pictures. The ECB mode is therefore seldom used today.

Cipher-Block Chaining (CBC). The CBC mode of encryption is represented by the following equation:

ci = E(pi ⊕ ci−1,K) , i = 1, 2, . . . , u ,

where c0 is a random constant. The constant is also called the initialization vector or IV. The role of this IV is similar to the role of the IV in a stream cipher. However, in addition, the IV must be unpredictable to the attacker (not merely unique) for security against the so-called chosen plaintext attacks (this type of attack is explained in Sect. 1.5) [14]. Figure 1.2 illustrates the CBC mode of encryption. A disadvantage of the CBC mode is that encryption is not parallelisable.

Figure 1.1. The ECB mode of encryption (each block pi is encrypted independently as ci = E(pi, K))

Figure 1.2. The CBC mode of encryption (c0 = IV; each pi is XORed with ci−1 before being encrypted under K)

Cipher Feedback (CFB). In this mode of encryption, the block cipher is used as an asynchronous stream cipher. The simplest version of the CFB mode is represented by the following equation:

ci = E(ci−1,K)⊕ pi , i = 1, 2, . . . , u ; c0 = IV .

The simplest version of the CFB mode of encryption is shown in Figure 1.3. It has the disadvantage that synchronisation is regained only if one or more whole blocks of ciphertext are lost or inserted; if, for example, a single bit is removed or added, then synchronisation is completely lost. Furthermore, suppose that the state of an asynchronous stream cipher depends on the b previous ciphertext bits. Then a single-bit error during transmission can affect the decryption of up to b subsequent ciphertext bits. Self-synchronising stream ciphers which output one or a few bits at a time largely avoid these problems, and hence the simplest version of CFB is seldom used in practice. Instead, this version is combined with a shift register so that it functions as a self-synchronising stream cipher that outputs s bits per step, with s smaller than the block size.

Figure 1.3. The CFB mode of encryption: the previous ciphertext block (c0 = IV) is enciphered and XORed with pi

Figure 1.4. The OFB mode of encryption: the enciphered value vi is fed back and XORed with pi

Output Feedback (OFB). In this mode of encryption, the block cipher is asynchronous stream cipher. It is represented by:

vi = E(vi−1,K) , v0 = IV,

ci = pi ⊕ vi , i = 1, 2, . . . , u .

The OFB mode of encryption is shown in Figure 1.4.

Counter (CTR). The counter mode of encryption also makes the block cipherfunction like a synchronous stream cipher. It is similar to the OFB mode ofencryption. The difference is that there is no chaining (here it resembles the ECBmode), and along with K the input to every step is a function (call it g) of the IVand a counter. The counter mode is represented by:

vi = E(g(IV, wi),K) ,

ci = pi ⊕ vi, i = 1, 2, . . . , u ,

where wi is the counter and g(IV, wi) is typically IV ⊕ wi or IV||wi. Since vi depends only on IV, wi and K, all blocks can be encrypted and decrypted in parallel, but the same input g(IV, wi) must never be enciphered twice under one key: a repeated keystream block vi leaks the XOR of the two plaintext blocks, exactly as keystream reuse does in a synchronous stream cipher.

So far we have seen modes of encryption. We believe it is fairly straightforward towork out how decryption is performed in each of the above cases. Therefore, weomit their detailed descriptions here.

The above modes of operation provide confidentiality only; none of them protects the integrity of the message, and all of them are malleable, so they do not provide sufficient security against chosen ciphertext attacks (this type of attack is discussed in Sect. 1.5). Authenticated encryption solves this problem by providing integrity assurance on the message in addition to confidentiality. In authenticated encryption, the block cipher mode of operation combines encryption/decryption and message authentication in a single algorithm. Examples of such modes are Offset Codebook (OCB) [183], Counter with CBC-MAC (CCM) [232] and Galois/Counter Mode (GCM) [140]; the descriptions of these modes are beyond the scope of this thesis. We shall now, however, briefly describe what MACs are and what they are used for.

MACs are used to provide message integrity and message origin authentication, and are deployed in a symmetric-key setting as follows. Let us suppose that Alice and Bob share a key K1||K2. Alice first evaluates a function of the plaintext p and K1; the result is called the 'MAC value'. She then appends this MAC value (MAC1, say) to p, encrypts the concatenated value using a stream/block cipher and K2, and transmits the ciphertext c to Bob. Upon receiving c, Bob decrypts it with K2 and separates the MAC value (i.e., MAC1) from p. He then computes a MAC value (call this MAC2) for p with the subkey K1 that he has. If MAC2 = MAC1, he concludes that the p he obtained is the same p that was sent by Alice, and he is thus also able to verify that the plaintext message originated from Alice. Two practical points deserve mention: the MAC key K1 and the encryption key K2 must be independent, and the comparison MAC2 = MAC1 should be done in constant time so that the comparison itself does not leak how many bytes of a forged MAC value were correct. The composition described here is MAC-then-encrypt; the alternative of encrypting first and computing the MAC over the ciphertext (encrypt-then-MAC) lets Bob reject a tampered ciphertext before decrypting it.
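The exchange just described, as an added example that is not part of the thesis (Python written for this page): HMAC-SHA256 under K1 plays the MAC, and a toy keystream derived from SHA-256 of K2, a nonce and a counter stands in for the stream cipher under K2 (it is not a real cipher and exists only to make the flow runnable). Bob's side shows the two checks a practitioner adds: the MAC is compared in constant time, and no plaintext is released when the check fails.

```python
# Added example (not from the thesis): the MAC-then-encrypt flow of Sect. 1.1.
# HMAC-SHA256 under K1 is the MAC; the "stream cipher" under K2 is a toy keystream
# (SHA-256 of K2 || nonce || counter) used only to make the flow runnable.  NOT a real cipher.
import hashlib
import hmac
import os

TAG_LEN = 32       # bytes of MAC value appended to p
NONCE_LEN = 16


def keystream_xor(k2, nonce, data):
    """Toy synchronous stream cipher: XOR data with SHA-256(K2 || nonce || counter) blocks."""
    out = bytearray()
    for ctr in range((len(data) + 31) // 32):
        ks = hashlib.sha256(k2 + nonce + ctr.to_bytes(8, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[32 * ctr:32 * ctr + 32], ks))
    return bytes(out)


def alice_send(k1, k2, p):
    """MAC_1 = HMAC(K1, p); transmit c = nonce || Enc(K2, p || MAC_1)."""
    mac1 = hmac.new(k1, p, hashlib.sha256).digest()
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(k2, nonce, p + mac1)


def bob_receive(k1, k2, c):
    """Decrypt with K2, split off MAC_1, recompute MAC_2 over p and compare.
    Returns p only if MAC_2 == MAC_1, otherwise None (the plaintext is never released)."""
    nonce, body = c[:NONCE_LEN], c[NONCE_LEN:]
    if len(body) < TAG_LEN:
        return None
    pt = keystream_xor(k2, nonce, body)
    p, mac1 = pt[:-TAG_LEN], pt[-TAG_LEN:]
    mac2 = hmac.new(k1, p, hashlib.sha256).digest()
    # constant-time comparison: a plain == would leak, byte by byte, how much of a forged MAC is right
    return p if hmac.compare_digest(mac1, mac2) else None


def demo(message=b"transfer 100 EUR to Bob"):
    """Honest exchange succeeds; a single flipped ciphertext bit (the stream-cipher malleability
    used in the bank example of Sect. 1.5) is rejected by the MAC check."""
    shared = os.urandom(64)
    k1, k2 = shared[:32], shared[32:]          # K1||K2: separate keys for MAC and encryption
    c = alice_send(k1, k2, message)
    tampered = bytearray(c)
    tampered[NONCE_LEN] ^= 0x01                # flips bit 0 of the first plaintext byte
    return bob_receive(k1, k2, c), bob_receive(k1, k2, bytes(tampered))
```

Because the MAC is computed over p and checked after decryption, Bob must decrypt before he can reject; with encrypt-then-MAC the tag would be checked over c first.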

We now revert to our discussion on block ciphers. Like stream ciphers, the structure of a block cipher also contains a key setup (KSA) in addition to a set of round functions. The round function is a time-invariant function that is applied iteratively to blocks of bits, starting with the plaintext block, IV or chaining value that is input to the block cipher. Each block cipher has a number of rounds that is determined by security and performance considerations. For instance, the number of rounds of a block cipher may be reduced in order to make its performance suit the requirement of a certain targeted application. But doing so may make the cipher insecure. This is one of the main reasons why attacks on reduced-round block ciphers, such as the ones we show in this thesis, are considered important in the block cipher literature.

The best-known examples of block ciphers are the DES and the AES. The DES was accepted as the US standard in 1977 and became a de facto standard for most protocols around the world [151]. By the mid '90s, the DES had become outdated, with its short 56-bit key. But it was only in 2001 that it was replaced by the AES as the US standard [54]. Despite this, variants of DES continue to be widely deployed, especially in the banking sector. This is mainly because at the turn of the millennium, banks had already been using DES and its predecessors (these ciphers will be discussed shortly) for more than 20 years. The apparent absence of major security problems in this period should have inspired considerable trust in DES. Besides, there were huge costs involved in moving to a new algorithm.

Both the DES and the AES have simple and strong designs (the only majorproblem with DES is its short key, and AES is yet to see even a near-practicalattack). The design simplicity and widespread deployment of each of these ciphershave greatly influenced the domination of block ciphers over stream ciphers in theliterature.2

The AES uses a substitution-permutation network (or SP network), while theDES uses a Feistel network. We shall now briefly discuss Feistel networks.3

Feistel Constructions. Feistel networks are constructions that work as follows.First the plaintext block is split into two equal parts (call them L0 and R0). Thefirst invocation of the round function processes the two parts as follows:

L1 = R0 , (1.5)

R1 = L0 ⊕ F (R0,K1) , (1.6)

where K1 is a subkey, for the first round, that is derived from the cipher’s key Kby the KSA, and F is often called the round function.4 The round function is theniteratively applied as:

Lr+1 = Rr , (1.7)

Rr+1 = Lr ⊕ F (Rr,Kr+1) , r = 1, 2, . . . , N − 1 , (1.8)

where N is the total number of rounds and Kr+1 is the subkey of round r + 1. Finally, LN||RN is output as the ciphertext. Decryption runs the same network on RN||LN with the subkeys in the reverse order KN, . . . , K1 and swaps the two halves of the result; in particular, F itself never has to be inverted.

2 Stream ciphers appear to be seldom used in the banking sector because, in addition to the reasons stated above that concern the use of (variants of) DES, they are generally not very efficient in encrypting blocks of data that are typically encountered in electronic banking. Instead, they are often better suited for low footprint, high speed and streaming data applications. Realising this, the community made an attempt in 2004 to resuscitate stream ciphers through an open contest called eSTREAM [71] (more about this competition can be found in Sect. 1.6).

3 We omit a treatment of SP networks as the part on block ciphers in this thesis entirely deals with Feistel networks.

4 Strictly speaking, the 'round function' of ciphers based on the Feistel network should denote the transformations (1.5) and (1.6). Nevertheless, the reader will be able to understand the meaning of 'round function' from the context in which it is used in this thesis.

The known use of Feistel networks in block ciphers dates back to the Lucifer family of ciphers [74], designed by IBM Corporation for the cash dispensing terminals of Lloyds Bank Plc [123]. Lucifer inspired the design of DES. Ever since DES was adopted as the US encryption standard, Feistel networks have been extensively studied and interesting security properties discovered. For example, Luby and Rackoff proved that if the round functions are independent truly random functions, then three rounds suffice for the resulting permutation to be indistinguishable from a truly random permutation by an adversary making chosen plaintext queries, and four rounds suffice against an adversary that also makes chosen ciphertext queries [130]. Here, a random function (resp. random permutation) is a function (resp. permutation) chosen uniformly at random from the finite set of all functions (resp. permutations) with the given domain and range. Ciphers based on Feistel networks (also called Feistel ciphers, Luby-Rackoff ciphers or DES-like ciphers) have these desirable properties:

• simple round functions that make them easy to study,

• ease of decryption, since decryption uses the same network with the subkeys in reverse order (so F need not be invertible), and

• if the round function and the KSA are strong, then a small number of roundsmay be sufficient.

These properties, especially the first two, are not specific to Feistel networks.We shall now elaborate on the first and the third properties.

A round function should not be complicated in the sense that it discouragesattempts to evaluate the security of the cipher. Effort and time should be spentby the cryptanalyst in finding a weakness in the cipher (or that it resists a certaintype of attack) rather than to understand how it works.

The third property is desirable from a performance point of view. For this the KSA needs to be strong in order to resist a certain type of key recovery attack called the meet-in-the-middle attack. This is one of the important observations of this thesis. We illustrate this point in Chapter 7, taking the Feistel ciphers DES, GOST, XTEA and XETA as examples. Here, we note that XTEA and XETA are not Feistel ciphers in the strict sense but are considered as such, because they deviate from the Feistel construction only in that the XORs in (1.6) and (1.8) are replaced by modular additions. Ciphers with such minor structural differences from the Feistel construction are sometimes called modified Feistel ciphers. Apart from the ciphers listed above, prominent examples of Feistel ciphers (modified and otherwise) include Blowfish [192], Camellia [138], KASUMI [1], MARS [39] and TDEA [11].

1.2 Ideal Cipher

In the case of stream ciphers, an ideal cipher is one in which the output keystream is distributed uniformly at random. A block cipher with a k-bit key and b-bit block is considered an ideal cipher if, under a fixed secret key, it is indistinguishable from a b-bit permutation chosen uniformly at random (i.e., a random permutation). In other words, the ideal cipher is chosen uniformly at random from the set of ((2^b)!)^(2^k) possible block ciphers with k-bit key and b-bit block.

1.3 Confusion and Diffusion

In practice, a designer of a block cipher tries to ensure that the cipher has good confusion and diffusion properties and hopes that the cipher behaves like an ideal cipher. The properties of confusion and diffusion were introduced by Shannon in [206] and interpreted by Massey in [136] as follows.

• Diffusion: “[T]he spreading out of the influence of a single plaintext digit overmany ciphertext digits so as to hide the statistical structure of the plaintext.”

• Confusion: “[T]he use of enciphering transformations that complicate thedetermination of how the statistics of the ciphertext depend on the statisticsof the plaintext.”

In order to add confusion to the cipher, designers use what are called substitution-boxes or S-boxes. An n1 × n2 S-box takes an n1-bit input and transforms it intoan n2-bit output. S-boxes provide a simple way to implement nonlinear functions.Diffusion is typically achieved with a careful choice of linear transformations.

Stream cipher algorithms, unlike block cipher algorithms, do not take the plaintext as an input. Instead, as mentioned in Sect. 1.1.1, a key-dependent bitstream is generated independently of the plaintext and XORed with it to yield the ciphertext. Therefore, the concept of diffusion as defined above does not apply to stream ciphers, because flipping a plaintext bit flips the corresponding ciphertext bit with probability 1. However, we require that the relation between the key and the keystream (equivalently the ciphertext) is as involved as possible. Hence, the notion of confusion is relevant to stream ciphers.

1.4 Hash Functions

A hash function is a function whose domain is larger than its range, the range being a finite set. Each range point is called a hash value. Hash functions are commonly used in database lookups and as checksum functions that detect/correct transmission errors. A cryptographic hash function (CHF) is a hash function that should ideally satisfy the following three properties.

1. Collision resistance: Two domain points that map to the same hash value constitute a collision for a hash function. If it is hard to find a collision, then the hash function is said to offer collision resistance. For n-bit hash values, hardness means that it should not be possible to find a collision in fewer than about 2^{n/2} evaluations of the hash function. This 2^{n/2} bound is known as the birthday bound as it results from the so-called birthday attack, a generic attack that works against any hash function with n-bit output. Moreover, this bound may be seen as the best (i.e., highest) bound that can result from making very reasonable assumptions in the birthday attack. A detailed discussion on the birthday attack is provided in Chapter 3.

It must be noted that a hash function need not be collision resistant whenit is used in error detection/correction.

2. Preimage resistance: This means that given an n-bit hash value, it should not be possible to find a corresponding domain point in fewer than about 2^n evaluations of the hash function.

Figure 1.5. The Merkle-Damgård construction: the message M is split into u blocks, m1, m2, . . . , mu, with mu encapsulating the padded bits; FC is the compression function, IV is the initial chaining value, v1, . . . , vu−1 are the intermediate chaining values and h(M) = vu is the hash value

3. Second preimage resistance: This means that given a domain point and its corresponding hash value, it should be hard to find a different domain point that maps to the same hash value. For n-bit hash values, the time bound for second preimage resistance is 2^n.

In addition to database lookups, CHFs may be used in digital signature schemes, in MAC algorithms, as PRNGs, etc. Popular CHFs include MD4 [176], MD5 [177], SHA-1 [152], SHA-2 [153], RIPEMD [37], RIPEMD-160 [65] and Whirlpool [12]. Although strictly not required, the size of the domain is finite in many known CHFs; e.g., the domain of SHA-1 consists of all strings of length at most 2^64 − 1 bits (see [152]). Taking into account the computing power available today, Moore's law [148], advances in quantum computing and the birthday bound, the lengths of hash values of present-day algorithms are typically 128, 160, 224, 256, 384 or 512 bits.

The community had good confidence in the security of MD5 and SHA-1 (and in hash function design principles per se) until Wang et al. reported that collisions for these hash functions could be found much faster than the birthday bound [227, 228]. Presently, the community is in pursuit of better hash function design principles, and an effort is under way to find a replacement for SHA-1 and SHA-2. More on this effort will be discussed in Sect. 1.6.

Merkle [143] and Damgård [55] independently devised an influential design technique for CHFs. The technique is employed in most CHFs today and works as follows. The message to be hashed is split into several blocks and each block is input to a function (called the compression function) that processes the block and outputs a shorter block. The block output at the end of a compression step is fed as input, along with the next message block, to the next compression step. This process is called chaining and the output blocks (with the exception of the last one, which is the resultant hash value) are called chaining values. For the first message block that is compressed, a constant (also called the initial value, initialization vector or IV) is used as the chaining value. This iterative construction, called the Merkle-Damgård construction, is illustrated in Figure 1.5.

In CHFs that use the Merkle-Damgård construction, the message is almost always split into blocks of equal length, and this length depends on the compression function. Since messages can be arbitrarily long, the final message block often needs to be padded with bits; the pad is a string that encodes the length of the message. Even when the last block is already full, padding is applied, since it is required for the security argument. The main highlight of the Merkle-Damgård construction is that if the compression function is collision resistant then so is the CHF based on it; the proof of this and the importance of padding are beyond the scope of this thesis and the reader is referred to [55], [3] or [170]. The latter provides a thorough treatment of CHFs per se.
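The construction and the birthday bound of Sect. 1.4, as one added example (Python written for this page, not from the thesis). The compression function FC is a truncated SHA-256 of the chaining value and the block, chosen only so that the code runs; md_pad implements the length-encoding padding described above, and birthday_collision runs the generic birthday attack against a truncated output so that the number of evaluations can be compared with 2^{n/2}.

```python
# Added example (not from the thesis): a Merkle-Damgard hash on a toy compression function,
# with length-encoding padding, plus a birthday search for collisions on its truncated output.
# FC (SHA-256 of v || m, truncated to 8 bytes) is illustrative only.
import hashlib

BLOCK = 16            # bytes per message block m_i
IV = bytes(8)         # fixed initial chaining value v_0


def FC(v, m):
    """Compression function: (8-byte chaining value, 16-byte block) -> 8-byte output."""
    return hashlib.sha256(v + m).digest()[:8]


def md_pad(msg):
    """Merkle-Damgard strengthening: append 0x80, zero bytes, then the 64-bit length of msg
    in bits, so that the result is a whole number of blocks and encodes |msg|."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded) - 8) % BLOCK)
    return padded + (8 * len(msg)).to_bytes(8, "big")


def md_hash(msg, out_bytes=8):
    """h(M): chain FC over m_1..m_u starting from the IV; optionally truncate to out_bytes."""
    v = IV
    padded = md_pad(msg)
    for i in range(0, len(padded), BLOCK):
        v = FC(v, padded[i:i + BLOCK])      # v_i = FC(v_{i-1}, m_i)
    return v[:out_bytes]


def birthday_collision(out_bytes):
    """Generic birthday attack on the out_bytes-byte truncation: hash distinct messages until
    two collide.  Returns (m1, m2, evaluations); the expected count is about the birthday
    bound 2^(n/2), n = 8 * out_bytes, times sqrt(pi/2)."""
    seen = {}
    for i in range(1 << (8 * out_bytes)):     # the range is exhausted long before this
        m = i.to_bytes(8, "big")
        h = md_hash(m, out_bytes)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
    return None
```

With a 24-bit truncation the search needs on the order of 2^12 evaluations; each extra byte of output multiplies that by 16, which is the whole reason modern hash values are at least 224 bits long.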

Whenever we discuss a CHF in this thesis, the reader could assume that it usesthe Merkle-Damgard construction if we do not explicitly mention it therein.

1.5 Cryptanalysis

The goal of symmetric cryptanalysis is typically to do one of the following seven tasks.

• When it concerns encryption/decryption:

– Recover the secret key used with a stream/block cipher.
– Tell apart a symmetric-key algorithm from an ideal or random source.
– Obtain plaintext information from the ciphertext.

• When it concerns hashing:

– Find colliding message pairs.
– Recover (part of) a message from its hash value.

• In encryption/decryption and hashing:

– Find an arbitrary message and a valid MAC for it without theknowledge of the secret key shared by Alice and Bob – this is calleda MAC forgery attack.

– Find structural weaknesses in a symmetric algorithm so that they maybe subsequently exploited to achieve one of the above listed goals.

For symmetric encryption algorithms, cryptanalytic attacks fall into one of thefollowing five categories.

• Ciphertext-only attack: The attacker Eve uses only the ciphertext and statistical information on the plaintext to perform cryptanalysis. An attack in this model is particularly serious, as the ciphertext is always available to Eve.

Let us consider the case where a meaningful document written in English is to be encrypted using a Caesar cipher. The cipher transforms a plaintext letter to another letter that is displaced by a fixed number of positions in the basic Latin alphabet. The attacker can compute the frequency of each letter in the encrypted document and retrieve the plaintext using its statistics. For instance, the most frequently occurring letter in the ciphertext message is likely to correspond to a plaintext 'E', as it is the most frequently used letter in English [13]. This attack methodology, called frequency analysis, thus requires only the ciphertext and the statistics of the plaintext.
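Frequency analysis as just described, as an added example (Python written for this page, not from the thesis). The plaintext is a constructed sample in which 'e' is the most frequent letter, so the rule "the most frequent ciphertext letter is the image of e" recovers the shift from the ciphertext alone.

```python
# Added example (not from the thesis): ciphertext-only attack on the Caesar cipher by
# frequency analysis.  SAMPLE is a constructed English-like plaintext.
from collections import Counter
import string

ALPHABET = string.ascii_lowercase


def caesar(text, shift):
    """Shift each Latin letter by `shift` positions (mod 26); other characters pass through."""
    return "".join(ALPHABET[(ALPHABET.index(ch) + shift) % 26] if ch in ALPHABET else ch
                   for ch in text.lower())


def letter_frequencies(text):
    """(letter, count) pairs for the text, most frequent first."""
    return Counter(ch for ch in text.lower() if ch in ALPHABET).most_common()


def recover_shift(ciphertext):
    """Eve's rule: the most frequent ciphertext letter is taken to be the image of 'e'."""
    top = letter_frequencies(ciphertext)[0][0]
    return (ALPHABET.index(top) - ALPHABET.index("e")) % 26


def break_caesar(ciphertext):
    """Return the recovered shift and the decrypted text, using only the ciphertext."""
    shift = recover_shift(ciphertext)
    return shift, caesar(ciphertext, -shift)


SAMPLE = ("meet me near the green tree beside the lake when the evening bells "
          "have ended we need every letter we were sent")    # constructed plaintext
```

The rule fails on short or unusual texts where 'e' is not the most frequent letter; the standard remedy is to score all 26 candidate shifts against a full English frequency table rather than to rely on the single top letter.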

• (Adaptive) chosen ciphertext attack: As the name suggests, in a chosen ciphertext attack Eve chooses ciphertexts (or a relation between pair(s) of ciphertexts) and obtains the corresponding plaintexts for her cryptanalysis. When the choice is determined by plaintext-ciphertext pairs already collected by Eve, the attack is called an adaptive chosen ciphertext attack. A chosen ciphertext and the plaintext obtained from it are collectively called a chosen ciphertext.

To illustrate this attack model, let us consider the following example. Alice wishes to draw 100 Euros from her bank. She encrypts the request message using a stream cipher with a key that she shares only with the bank. Suppose that the malicious adversary Eve (who also maintains an account with the bank) is able to change the ciphertext transmitted by Alice. By Kerckhoffs' principle (Shannon's maxim that the enemy knows the system), Eve knows the cipher used by Alice. Upon analysing the cipher, it may happen that Eve finds that a certain change in a ciphertext forces a fixed change in the plaintext independent of the secret key used; for an additive stream cipher this is always the case, since flipping a ciphertext bit flips the corresponding plaintext bit. Then, Eve may be able to change the transmitted ciphertext in such a way that the corresponding plaintext message is a request for a transfer of 1000 Euros to her account.

A more practical example is given by Paterson and Yau in [162]. The CBC mode has the property that flipping the bth bit of the ith ciphertext block flips the bth bit of the (i + 1)th plaintext block, while the ith plaintext block decrypts to garbage (see the CBC equation in Sect. 1.1.2 and Figure 1.2). In [162], the authors exploit this property of the CBC mode to attack IPsec's encryption protocol, ESP, when it uses a block cipher in the CBC mode without integrity protection.

This attack model is considered somewhat weak because it typicallyinvolves a number of strong assumptions, such as Eve not being completelypassive.5

• Known plaintext attack: In this type of attack, Eve has one or a few ciphertexts and the corresponding plaintexts (such plaintext-ciphertext pairs are called known plaintexts). For example, suppose that Eve intercepts a military telegram. She could then expect the plaintext message to begin with "Confidential", "Secret" or "Top Secret" and, using this, attempt to recover the rest of the message.

5 In cryptology literature (see e.g. [193]) the placeholder name Mallory is used in place of Eve to emphasise that the attacker is not completely passive.

• (Adaptive) chosen plaintext attack: In a chosen plaintext attack model, Eve is able to choose plaintexts and obtain the corresponding ciphertexts (such plaintext-ciphertext pairs are called chosen plaintexts). Alternatively, Eve is able to choose a relation between pair(s) of plaintexts for her cryptanalysis. When the choices are determined by plaintext-ciphertext pairs already collected by Eve, the attack is called an adaptive chosen plaintext attack.

During World War II, the British used this attack model in decryptingmessages encrypted by the Germans using the Enigma. The strategy usedwas at that time called gardening, and worked as follows. The Royal AirForce would place mines in the North Sea, thereby prodding the Germansto send out encrypted messages to minesweepers. The plaintext messageswould usually contain the word “minen” (“mines” in German).

• (Adaptive) chosen plaintext and (adaptive) chosen ciphertext attack: Thebest-known example of an attack technique that uses this model is theboomerang attack [223].

It is to be noted that (adaptive) chosen plaintext/ciphertext attacks donot make sense in the case of synchronous stream ciphers since the internalstate at any instant is independent of the plaintext and the ciphertext.

There are several types of cryptanalytic attacks; we list here the ones we discussin the forthcoming chapters of this thesis.

1.5.1 Key Recovery Attacks

Often in the cryptanalysis of symmetric encryption algorithms the primary goal of the attacker is to recover the secret key in as little time as possible, using minimal resources (memory, ciphertexts, or plaintext-ciphertext pairs).

Let us consider a symmetric cipher with a k-bit key. An attacker who is unable to find a weakness, or to take advantage of a found weakness in the cipher, might have to traverse the entire key space before hitting upon the right key. This process of searching over the full key space is called exhaustive key search or brute force attack, and to perform it the attacker usually requires at least one plaintext-ciphertext pair. At times, a ciphertext-only exhaustive key search may be possible. Consider a block cipher EB with block size and key size of b bits and k bits, respectively. Now, suppose that b_p bits in the b-bit block are parity bits. If the attacker makes a wrong guess of the key and decrypts the ciphertext, then the probability that the parity bits are all correct is 2^{−b_p}. For n independent blocks, this probability is 2^{−n b_p}. This is the probability that the wrong guess 'passes the test' that all n b_p parity bits are correct. We have 2^k − 1 wrong guesses and the trial decryptions are independent. For the correct key guess, the probability is 1 that all parity bits are correct. Therefore, the expected number of wrong keys that survive the filter is (2^k − 1) · 2^{−n b_p} ≈ 2^{k − n b_p}. The number n is chosen according to the desired value of 2^{k − n b_p}; for instance, n ≥ k/b_p blocks leave on average at most one wrong candidate.

In the literature (e.g., [142]), exhaustive key search is also sometimes used to denote an attack in which only half the key space is traversed. This is valid when a small number of plaintext-ciphertext pairs is used in the attack. In this case, the attacker requires about 2^{k−1} time 'on average' (while in the previous case, the attacker hits upon the correct key in about 2^k time in the 'worst case'). We now explain the time complexities, taking the example block cipher EB of the preceding paragraph.

Let k > b. The attacker, who has a plaintext-ciphertext pair (p1, c1), makes a guess K for the key and computes EB(p1) under K. She then checks if the computed value equals c1. For an incorrect guess, the probability that the equality is satisfied is 2^{−b}. Since the key space is larger than the ciphertext space, the attacker requires some additional plaintext-ciphertext pairs (say, m pairs) to filter out the incorrect key guesses that pass the first equality check. The average number of times that the attacker encrypts plaintexts is:

$$2^{-k}\sum_{i=0}^{2^k-1}\Big(i\,(1+2^{-b}+2^{-2b}+\dots+2^{-mb})+m+1\Big)=\frac{(2^k-1)\,(1-2^{-(m+1)b})}{2\,(1-2^{-b})}+m+1\approx 2^{k-1},$$

with i being the position of the correct key in the search order, and the approximation holding when 2^b ≫ 1 and 2^{k−1} ≫ m. In present-day block ciphers, b is usually greater than 32. Besides, the success probability of the attack is typically very close to 1; this will become clear from our discussions in Sect. 7.3.3 of this thesis.6 The condition 2^{k−1} ≫ m is satisfied if the number of plaintext-ciphertext pairs is small. Therefore, the average number of encryptions performed by the attacker is approximately 2^{k−1}. In the worst-case exhaustive key search, the number of encryptions is:

$$(2^k-1)\,(1+2^{-b}+2^{-2b}+\dots+2^{-mb})+m+1=\frac{(2^k-1)\,(1-2^{-(m+1)b})}{1-2^{-b}}+m+1\approx 2^k+m,$$

when 2^b ≫ 1. In this thesis we shall see both average- and worst-case key recovery attacks.

Before we end this section, we recall that a brute force attack is a key recoveryattack; key recovery need not strictly refer to something that is better thanexhaustive key search. The meaning of key recovery is best understood fromthe context.

6In evaluating the average number of encryptions, we actually assume that the correct keyis output by the key search algorithm. This assumption is fine when the success probability isclose to 1. We use this assumption in Chapter 7 of this thesis.


1.5.2 Linear Cryptanalysis

Linear cryptanalysis was introduced by Matsui in 1993 [137]. The simplest version of this attack works in a known plaintext (KP) setting as follows for a block cipher. The attacker first tries to find a linear equation relating a subset of bits of the plaintext block, a subset of bits of the corresponding ciphertext block and a subset of key bits. The linear equation is of the form:

$$p_{i_1}\oplus p_{i_2}\oplus\dots\oplus p_{i_s}\oplus c_{j_1}\oplus c_{j_2}\oplus\dots\oplus c_{j_t}=k_{m_1}\oplus k_{m_2}\oplus\dots\oplus k_{m_u},\qquad(1.9)$$

where i1, . . . , is are the positions of the plaintext bits, j1, . . . , jt are the positions of the ciphertext bits and m1, . . . , mu are the positions of the key bits. If (1.9) holds with probability 0.5 + ε, ε ≠ 0, for a random plaintext-ciphertext pair, then the attacker uses the maximum likelihood method to deduce the right-hand side of (1.9) as follows. Let N denote the total number of KPs that are available to and used by the attacker. For each KP, she checks whether the left-hand side of (1.9) is equal to 0. Suppose that N0 of the N trials yield a positive answer. Then, the right-hand side of (1.9), call it K, can be recovered using Algorithm 1.1 [137].

Algorithm 1.1 An elementary form of linear cryptanalysis due to Matsui

    if N0 > N/2 then
        if ε > 0 then K = 0 else K = 1 end if
    else
        if ε > 0 then K = 1 else K = 0 end if
    end if

Linear cryptanalysis does not always recover the key immediately. In the above version of linear cryptanalysis, when K is a single key bit, we immediately have a key recovery attack. Otherwise, the attacker only derives some information about the key, which may or may not lead to a key recovery attack. (For example, suppose that K is the XOR-sum of two key bits. Then the second bit is recovered only if the first is recovered by some other means.) This is the reason why we present linear cryptanalysis in a separate section.

The success probabilities of Algorithm 1.1 for different values of N are given in [137, Table 2]. For example, when N = |ε|^{−2}, the success probability is 0.9772.


In Sect. 8.6.6 of this thesis, we shall demonstrate linear cryptanalysis by applyingit to a family of block ciphers.
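Algorithm 1.1 in runnable form, as an added example (Python written for this page, not from the thesis). linear_bias shows where ε comes from by measuring the bias of a linear approximation of a small S-box (the 4-bit S-box is a constructed example, not one from any cipher discussed here); algorithm_1 is the decision rule above; and success_rate draws N known plaintexts for which (1.9) holds with probability 1/2 + ε and checks that, at N = |ε|^{−2}, the rule is right about 97.7% of the time, as quoted from [137, Table 2].

```python
# Added example (not from the thesis): Matsui's Algorithm 1 (Algorithm 1.1), the bias of a
# linear approximation of a constructed 4-bit S-box, and a simulation of its success rate.
import random

SBOX = [0x6, 0xB, 0x5, 0x4, 0x2, 0xE, 0x7, 0xA, 0x9, 0xD, 0xF, 0xC, 0x3, 0x1, 0x0, 0x8]


def parity(x):
    return bin(x).count("1") & 1


def linear_bias(sbox, in_mask, out_mask):
    """eps for the approximation <in_mask, x> = <out_mask, S(x)>: Pr[it holds] - 1/2."""
    holds = sum(parity(x & in_mask) == parity(sbox[x] & out_mask) for x in range(len(sbox)))
    return holds / len(sbox) - 0.5


def best_bias(sbox):
    """Largest |eps| over all non-trivial mask pairs, with the masks that attain it."""
    n = len(sbox)
    return max((abs(linear_bias(sbox, a, b)), a, b) for a in range(1, n) for b in range(1, n))


def algorithm_1(N0, N, eps):
    """Algorithm 1.1: N0 = number of KPs for which the left-hand side of (1.9) is 0."""
    if N0 > N / 2:
        return 0 if eps > 0 else 1
    return 1 if eps > 0 else 0


def simulate_trial(K, eps, N, rng):
    """Draw N KPs whose left-hand side equals K with probability 1/2 + eps, then decide K."""
    N0 = sum((K if rng.random() < 0.5 + eps else K ^ 1) == 0 for _ in range(N))
    return algorithm_1(N0, N, eps)


def success_rate(eps, N, trials=400, seed=1):
    """Fraction of trials in which Algorithm 1.1 returns the right K (K alternates 0, 1)."""
    rng = random.Random(seed)
    return sum(simulate_trial(t & 1, eps, N, rng) == (t & 1) for t in range(trials)) / trials
```

Because the S-box is a permutation, every approximation with in_mask = 0 and out_mask ≠ 0 has bias exactly 0 (each output parity is balanced), while some non-trivial pair always reaches |ε| ≥ 1/4 for a 4-bit S-box; the data complexity of the attack then scales as |ε|^{−2}.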

1.5.3 Related-Key Attacks

The main idea behind a related-key attack is that the attacker knows/chooses a relation f between a pair of keys K1 and K2 (say, K1 = f(K2)), rather than the actual values of the keys, and subsequently she can extract secret information from a cryptosystem using the relation f [21, 111]. A related-key weakness is a cause for concern in a protocol where key-integrity is not guaranteed [112]. Related-key weaknesses are not new in the literature but are not to everyone's taste [19]. Nevertheless, works like [114, 115] outline the usefulness of such attacks. In [167], Phan and Handschuh showed the practical implications of related-key attacks for the IBM 4758 cryptoprocessor. Their results follow related-key attacks due to Bond [36] (where the relation is chosen by the attacker) on the control vectors used by the IBM 4758 processor.

Since the publication of [114, 115], a good deal of research has been done on related-key weaknesses of block ciphers [21, 111, 112, 116]. A related-key weakness of a block cipher can be translated into an attack on a hash function built around that block cipher [24, 37, 93, 94, 225, 226, 228, 237]. Theoretical treatments of related-key attacks can be found in [15] and [131].

The discovery of related-key weaknesses of stream ciphers is not very commonin the literature, mainly due to the heavy operations executed in one-time KSAscompared to the operations performed in iterative block ciphers. Nonetheless,there is an example where a related-key weakness in the stream cipher RC4 isused to break the WEP with practical complexity [78]. Another case in which arelated-key attack on a stream cipher may be a cause for concern is when there isa hash function built around that stream cipher. An example of a hash functionbuilt around a stream cipher is RC4-Hash [43].

Note: An attack that works in a non-related-key setting is said to be in the standard setting.

1.5.4 Distinguishing Attacks

In a distinguishing attack, the attacker is able to tell apart a cipher from an ideal cipher. The adversary (algorithm) that does this job, taking as inputs the outputs of the cipher under examination, is called a distinguisher. A distinguisher always results when the output of a cipher is biased. Using the results that led the attacker to a distinguisher, she ‘may’ be able to recover the secret key, as in the analysis in Sect. 8.6. Even if this is not possible, distinguishing attacks may have practical applications. We shall now see some of them.


Suppose that Alice has two random-looking texts PA and PB and decides to encrypt one of them using a stream cipher ES with biased keystream and send it to Bob. Further suppose that the attacker Eve is aware of the two texts that Alice has, knows that one of them has been sent to Bob and has the corresponding ciphertext C. Eve first guesses that the transmitted text is PA and then computes Z = PA ⊕ C. She then writes a distinguisher that takes Z as input and outputs whether it identifies Z as coming from ES or from an ideal source. In the case when the algorithm identifies Z as coming from ES, it is easy to see that Eve’s guess is correct; otherwise it is wrong. This is because of the following reasoning:

• If Eve’s guess is correct, then she actually input Z = PA ⊕ (PA ⊕ Z′) = Z′, where Z′ is the keystream generated by Alice with her secret key. Since this keystream is biased, the input Z′ to the distinguisher is biased and the algorithm identifies that Z came from ES.

• If Eve’s guess is wrong, then she actually input Z = PA ⊕ (PB ⊕ Z′) = PA ⊕ PB ⊕ Z′. Now, Z′ is biased, but it is masked by the fixed text PA ⊕ PB: in every position where PA and PB differ, the bias of Z′ is inverted, so Z does not carry the bias of ES and the algorithm identifies that it came from an ideal source. (This presupposes that PA and PB differ in the biased positions; in a position where they agree, Z is biased identically under both hypotheses and that position cannot decide the guess.)

In practice, the distinguisher in the above example would require many keystream samples where each sample is composed of bits from the same positions in the keystream as Z (unless similar biases exist elsewhere in the keystream). Each sample is generated with a key generated uniformly at random. Besides, the same plaintext is encrypted by Alice with these randomly generated keys.

When outputs of a cipher are highly biased, we immediately have an attack. In the case of a stream cipher, if a keystream bit is highly biased towards zero, then the corresponding plaintext and ciphertext bits are very likely to be identical. For block ciphers, we demonstrate in Sect. 8.6 the power of high biases in the outputs (i.e., ciphertexts) in speeding up exhaustive key search.

The efficiency of a distinguishing adversary is measured by a parameter called the advantage. Let S denote an n-tuple, (s1, . . . , sn), where each si is a function of one or more output bits of a cipher. Each value si is generated independently of the others, under a key (or an alternative input to the cipher) chosen uniformly at random. Suppose that a distinguisher A, that takes S as input, outputs ‘Cipher’ if it identifies S as coming from the cipher and ‘Random’ if it identifies S as coming from an ideal source. Let SCipher (resp. SIdeal) denote the event that S is generated by the cipher (resp. ideal source). Then, the advantage Adv of A is given by:

Adv(A) = |Pr(A(S) = Cipher|SCipher)− Pr(A(S) = Cipher|SIdeal)| .

A distinguishing attack that requires a large n for a considerable advantage may not be perceived as very useful. However, the analysis that leads to the detection of biased output may give good insights into the structural properties of the cipher and could serve as a launch pad for practical attacks. While we do not immediately see a fitting example, distinguishing attacks on the Py family of stream ciphers provide a good case in point. In [200], Sekar et al. reported a distinguishing attack, requiring about 2^281 keystream samples, on the cipher TPypy. Their analysis techniques were utilised by Tsunoo et al. to reduce the data requirement by a huge factor of about 2^82 [219].

Let us now examine the data requirements of distinguishing attacks. In the case of a stream cipher, the objective of the attacker may be to just find out whether the cipher is, in theory, ideal or not. If the analysis of the cipher yields a biased output, then that itself indicates deviation from ideal behaviour, thereby making the very effort of constructing a ‘distinguisher’ appear redundant. The attacker would then not be bothered to construct a distinguisher.

Alternatively, the attacker may wish to implement the distinguisher in practice in one of the following two scenarios:

• She collects ciphertext bits and either knows/chooses the corresponding plaintext bits or guesses them (as in the example provided earlier in this section) to get the keystream bits. She then wishes to find whether the cipher (say, ES) that produced the keystream is ideal or not. She analyses ES and finds that it produces biased keystream. However, when she implements the distinguisher in practice, the probabilities are computed by counting the frequencies of occurrences of events (this is why in the above example the distinguisher requires ‘many’ keystream samples Z). For instance, she computes the ratio of the number of times a keystream bit took the value 0 to the total number of simulations (with each simulation using the same plaintext, but under a random key). Since the experiment involves a fixed number of trials, however large (if not the theoretically maximum possible number of trials), an ideal cipher need not necessarily yield uniform probabilities for the keystream bits. The probability that a particular keystream bit is 0 is 0.5 ± ξ (for some ξ > 0), where ξ is expected to be small when the number of trials is large. Likewise, given non-ideal behaviour one could expect considerable deviations from the theoretically computed (biased) probabilities (towards uniform probabilities). Therefore, the distinguisher requires keystream samples, the number of which is typically determined by confidence intervals drawn around the theoretical biases. The concept of confidence intervals is better understood from Sect. 5.5 of this thesis, where we outline a distinguishing attack on the stream cipher HC-256.

• The attacker does not intend to mount the distinguishing attack in practice, and only wishes to validate her theoretical analysis of the cipher. This is, for example, when the theoretical estimate of the keystream bias is high enough for a practical simulation. The attacker here first computes the number of samples required by the distinguisher theoretically, taking confidence intervals into account. She then runs the cipher with many randomly generated keys, collects the keystream bits required by the distinguisher and then checks if it outputs that the cipher is not ideal. In such a case, she can also collect keystream bits from a single key rather than from many keys provided there are sufficiently many biased bits – with the biases being identical in sign and comparable in magnitude.
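The plaintext-guessing scenario described earlier in this section (Eve deciding between PA and PB) and the sample-count reasoning of the two scenarios above, worked through as an added example; this is not code from the thesis. In place of a real cipher it uses a constructed toy keystream source whose bit 0 is zero with probability 1/2 + ε (ε = 0.05) and whose other bits are uniform, and it sizes the distinguisher from a normal approximation rather than the confidence-interval analysis of Sect. 5.5. The function names (biased_keystream, samples_needed, distinguisher, advantage, eve_guess) and the texts 0x1234/0xABCD are the example's own.

```python
import math
import random

# Constructed toy keystream source for illustration only; it is not any cipher
# from the thesis. A keystream sample is an N_BITS-bit integer whose bits are
# uniform except bit 0, which equals 0 with probability 1/2 + EPS.
N_BITS = 16
EPS = 0.05


def biased_keystream(rng, eps=EPS):
    """One keystream sample under a fresh random (K, IV): ideal except for bit 0."""
    z = rng.getrandbits(N_BITS) & ~1            # clear bit 0 ...
    if rng.random() >= 0.5 + eps:               # ... and set it with probability 1/2 - eps
        z |= 1
    return z


def ideal_keystream(rng):
    """A sample from the ideal source: N_BITS uniform bits."""
    return rng.getrandbits(N_BITS)


def samples_needed(eps, z=4.0):
    """Number of samples n at which the zero-frequency of bit 0 separates the two sources.

    Over n samples the zero-frequency of a fair bit has standard deviation about
    1/(2*sqrt(n)). Placing the decision threshold at 1/2 + eps/2 leaves a gap of
    eps/2 to both 1/2 (ideal source) and 1/2 + eps (cipher). Requiring the gap to
    be z standard deviations gives eps/2 >= z/(2*sqrt(n)), i.e. n >= (z/eps)^2:
    the confidence interval drawn around the theoretical bias sizes the attack.
    """
    return math.ceil(round((z / eps) ** 2, 6))


def distinguisher(samples, eps=EPS):
    """A(S): 'Cipher' if bit 0 is zero more often than the midpoint threshold."""
    zeros = sum(1 for z in samples if (z & 1) == 0)
    return "Cipher" if zeros / len(samples) >= 0.5 + eps / 2 else "Random"


def advantage(n, trials=40, seed=2011):
    """Estimate Adv(A) = |Pr(A=Cipher | S_Cipher) - Pr(A=Cipher | S_Ideal)| by simulation."""
    rng = random.Random(seed)
    cipher_hits = sum(
        distinguisher([biased_keystream(rng) for _ in range(n)]) == "Cipher"
        for _ in range(trials))
    ideal_hits = sum(
        distinguisher([ideal_keystream(rng) for _ in range(n)]) == "Cipher"
        for _ in range(trials))
    return abs(cipher_hits - ideal_hits) / trials


def alice_sends(text, n, seed=7):
    """Constructed scenario: Alice encrypts the same text n times, each under a fresh key."""
    rng = random.Random(seed)
    return [text ^ biased_keystream(rng) for _ in range(n)]


def eve_guess(p_a, p_b, ciphertexts, eps=EPS):
    """Eve's test from the text: which of P_A, P_B did Alice encrypt?

    Eve hypothesises P_A and feeds Z_i = P_A xor C_i to the distinguisher. If the
    guess is right, every Z_i is genuine keystream. If it is wrong, Z_i equals
    P_A xor P_B xor Z'_i: because the texts differ in bit 0, the bias of that bit
    is inverted and the distinguisher answers 'Random'. If the texts agreed in the
    biased bit the test could not decide, so that case is rejected up front.
    """
    if not (p_a ^ p_b) & 1:
        raise ValueError("P_A and P_B must differ in the biased bit")
    z = [p_a ^ c for c in ciphertexts]
    return p_a if distinguisher(z, eps) == "Cipher" else p_b


if __name__ == "__main__":
    n = samples_needed(EPS)                     # 6400 for eps = 0.05, z = 4
    print("keystream samples per distinguisher run:", n)
    print("estimated advantage:", advantage(n))
    P_A, P_B = 0x1234, 0xABCD                   # constructed texts; they differ in bit 0
    C = alice_sends(P_B, samples_needed(EPS, z=5.0))
    print("Eve recovers P_B:", eve_guess(P_A, P_B, C) == P_B)
```

With ε = 0.05 the normal approximation asks for 6400 samples per run, and the simulated advantage is then essentially 1; halving ε quadruples the sample count, which is the same (z/ε)² scaling that makes the 2^281-sample attacks mentioned earlier impractical even though they are genuine distinguishers.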

Note: In the above discussions, a randomly generated key actually means a (K, IV) pair generated uniformly at random.

The data requirement of a distinguishing attack stated as just a number of keystream samples is seen in a number of papers (see e.g. [163]) and even in Chapters 4 and 5 of this thesis. The main result of these chapters is the detection of non-randomness in the keystreams of the ciphers Py, Pypy, TPy, TPypy and HC-256. The magnitudes of the biases found immediately indicate that it is not possible to construct distinguishers in practice. For the sake of completeness, we evaluated the data requirements, presenting each of them as a number of keystream samples.

If a distinguishing attack is on a block cipher or could be further developed into a key/state recovery attack, then the data complexity is usually the number of ciphertext samples or plaintext-ciphertext pairs. Examples include Sect. 8.6 for block cipher attacks and the Künzli-Meier distinguishing attack on the stream cipher MAG for state recovery [126].

As a final remark, we would like to point out that there are different approaches to distinguishing attacks. Well-known examples include distinguishing attacks based on the χ² test [92, 119, 106].

1.5.5 Collision Attacks

In Sect. 1.4, we have already seen what a collision for a CHF means. In this section, we shall present some concepts that are related to collisions.

Pseudo-Collision for the Compression Function. We know from Sect. 1.4 that the compression function in a Merkle-Damgård construction takes as inputs the message block and the chaining value. Let us consider Figure 1.5. Suppose FC denotes the compression function with message block input m and chaining value v. For a chaining value v′ ≠ v and message block m′ ≠ m, if FC(m, v) = FC(m′, v′) then (m, v) and (m′, v′) are said to constitute a pseudo-collision or a free-start-collision for FC.

Semi-Free-Start-Collision. For a message block m′ ≠ m and a random IV v, if FC(m, v) = FC(m′, v) then (m, v) and (m′, v) are said to constitute a semi-free-start-collision for FC. The difference between a collision and a semi-free-start collision is that in the former the IV is fixed while in the latter the IV is chosen according to a distribution.

Near-Collision. Given an IV, suppose that two messages M and M′ produce different hash values but the Hamming distance between the hash values is small. Then, M and M′ are said to constitute a near-collision for the hash function h.

The attacker does not usually have control over the IV or subsequent chaining values. Therefore, a pseudo-collision or semi-free-start-collision for the compression function FC cannot be immediately translated into attacks on the hash function h. Among the two types of collisions, pseudo-collisions are weaker because the attacker deals with two different chaining values (and hence has more difficulty in the control).

In Chapter 8, we present semi-free-start collisions for the compression function of the ESSENCE-512 CHF.
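The three definitions above, made concrete as an added example (not code from the thesis and not related to ESSENCE): a toy 16-bit compression function, constructed for the example by truncating SHA-256 and standing in for any real FC, is iterated Merkle-Damgård style, and each kind of collision is found by a birthday search over exactly the inputs the attacker is allowed to vary. The last lines illustrate the point made above: a semi-free-start collision found under an attacker-chosen v is not in general a collision for h under the real IV, whereas the same search with v equal to the IV yields a genuine collision that extends to longer messages. The width W, the IV 0x0123 and the chaining value 0xBEEF are the example's own choices.

```python
import hashlib

# Toy width: W-bit chaining values and hash values, small enough that every kind
# of collision defined above can be found by a short birthday search.
W = 16
MASK = (1 << W) - 1


def compress(m, v):
    """Constructed toy compression function F_C(m, v); not any design from the thesis.

    SHA-256 of (v || m) truncated to W bits, chosen only to have a fixed,
    deterministic function to search over. m and v are W-bit integers.
    """
    data = v.to_bytes(W // 8, "big") + m.to_bytes(W // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[: W // 8], "big")


def md_hash(iv, blocks):
    """Merkle-Damgaard iteration h(M) = F_C(m_k, ... F_C(m_1, IV)); padding omitted."""
    v = iv
    for m in blocks:
        v = compress(m, v)
    return v


def hamming_distance(a, b):
    return bin(a ^ b).count("1")


def find_pseudo_collision():
    """Free-start: F_C(m, v) = F_C(m', v') with v != v'; both inputs are under attacker control.

    v runs through a permutation of the W-bit values (odd multiplier), so the two
    chaining values of the returned pair are guaranteed to differ.
    """
    seen = {}
    for x in range(1 << W):
        m, v = x, (x * 40503) & MASK
        h = compress(m, v)
        if h in seen:
            return seen[h], (m, v)
        seen[h] = (m, v)
    raise RuntimeError("no collision found (practically impossible at this width)")


def find_semi_free_start_collision(v):
    """Semi-free-start: the chaining value v is fixed (attacker-chosen, or the real IV);
    only the message block varies."""
    seen = {}
    for m in range(1 << W):
        h = compress(m, v)
        if h in seen:
            return seen[h], m
        seen[h] = m
    raise RuntimeError("no collision found (practically impossible at this width)")


def find_near_collision(iv, t):
    """Two one-block messages whose hashes under the real IV differ in 1..t bits."""
    hashes = []
    for m in range(1 << W):
        h = md_hash(iv, [m])
        for m2, h2 in hashes:
            if 1 <= hamming_distance(h, h2) <= t:
                return m2, m
        hashes.append((m, h))
    raise RuntimeError("no near-collision found")


if __name__ == "__main__":
    IV = 0x0123                                    # the hash function's fixed IV (constructed)
    (m, v), (m2, v2) = find_pseudo_collision()
    print("pseudo-collision:", (hex(m), hex(v)), (hex(m2), hex(v2)))
    m, m2 = find_semi_free_start_collision(0xBEEF)  # attacker-chosen chaining value
    print("semi-free-start under v=0xbeef is a collision for h under the real IV?",
          md_hash(IV, [m]) == md_hash(IV, [m2]))     # in general: no
    m, m2 = find_semi_free_start_collision(IV)      # v == IV: a real collision for h ...
    print("... which extends to longer messages:",
          md_hash(IV, [m, 0x42]) == md_hash(IV, [m2, 0x42]))
    print("near-collision (at most 2 bits apart):", find_near_collision(IV, 2))
```

At 16 bits each search finishes after a few hundred compression-function calls; the definitions and the checks are unchanged at real widths, where only the cost of the search grows (to about 2^(n/2) evaluations for an n-bit output).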

1.6 Research Accomplishments

My doctoral research has touched almost all the major areas in symmetric cryptology. Both the theory and practice of symmetric cryptology have been researched. Much of the doctoral period has been spent in evaluating algorithms submitted to the open competitions eSTREAM [71] and SHA-3 [154], and the ECRYPT II [70] project.

eSTREAM was a multi-year effort to identify promising new stream ciphers and to develop the community’s know-how of stream cipher design and analysis. Sponsored by ECRYPT, the project began in 2004 with proposals for new stream ciphers being invited from industry and academia. These proposals were intended to satisfy either a software-oriented or a hardware-oriented profile (or both if possible). The original call for proposals generated considerable interest with 34 proposals being submitted to the two different performance profiles [182]. The project ended in April 2008 with an announcement of a portfolio of eight stream ciphers, four in each profile. This portfolio was revised in September 2008 when one hardware-oriented cipher, F-FCSR-H v2, was eliminated [71].

SHA-3 is an ongoing competition organised by the NIST. It is aimed at selecting a CHF standard for use by the US government, and was largely motivated by the attacks due to Wang et al. on MD4, MD5, SHA-1 and RIPEMD (see Sect. 1.4). The original call for proposals in 2007 generated considerable interest with 64 proposals being submitted in 2008. Of these, 51 were selected to Round 1, 14 of them advanced to Round 2 and, very recently, five second round candidates were selected to the final round of the competition. At present, these five candidates are being analysed by the research community.

ECRYPT II is an ongoing project of the European Commission’s Seventh Framework Programme (FP7). Its aim is to ‘continue intensifying the collaboration of European researchers in cryptology’ [70]. The project has a virtual lab called “SymLab” to address the development of lightweight symmetric primitives. Lightweight primitives (examples can be found at http://www.ecrypt.eu.org/lightweight) find use in pervasive devices that have constraints on computing power, energy consumption, power consumption, etc. Hence, the study and development of such primitives would be beneficial to industries such as the ones that make sensor nodes and other low power embedded devices.

The research achievements during this doctoral period can be summarised as follows (my personal contributions are indicated within square brackets).

Theory.

• Detection of a paradox resulting from Shannon’s definitions of perfect secrecy. [Main author.]

• Challenging the increased resistance of regular hash functions against birthday attacks. [Main author, jointly with Nicky Mouha.]

Synchronous Stream Ciphers.

• Distinguishing attacks on four submissions to the eSTREAM competition – Py, Py6, Pypy and HC-256 – and three related ciphers, viz., TPy, TPy6 and TPypy [197, 198, 199, 200, 202]. [Main author of [202]. Main author of [197, 198, 199, 200], jointly with Souradyuti Paul.]

• Design of four software-efficient ciphers – RCR-64, RCR-32, TPy6-A and TPy6-B – using our analysis of the Py and Py6 families of ciphers; to the best of our knowledge, at an encryption speed of 2.65 cycles/byte on the Pentium III, TPy6-A is the fastest stream cipher in the literature [197, 199]. Besides, the ciphers have not witnessed even theoretical attacks since they were published in 2007–2008. [Main author, jointly with Souradyuti Paul.]

Asynchronous Stream Ciphers.

• Practical-time key recovery attack, in a related-key setting, on the eSTREAM candidate Moustique [110].

• A certificational key recovery attack on Moustique in the standard setting [110]. [Contributed to Sect. 6.3.3 in investigating the steady state behaviour of the CCSR. Proofread the distinguishing attack in Sect. 6.4.1.]

Block Ciphers.

• Meet-in-the-middle attacks on reduced-round variants of the DES, XTEA, XETA and GOST: We had already mentioned that DES was a US government standard. GOST (formally, GOST 28147-89) is a current Russian standard. XTEA and XETA are implemented in the Linux kernel [68, 196, 195].

• Two new approaches to meet-in-the-middle attacks [68, 196, 195]. [Main author of [196, 195], jointly with Nicky Mouha. Main author of [68], jointly with Orr Dunkelman.]


• A new approach to χ² cryptanalysis of block ciphers: This approach was successfully tested against reduced-round variants of the ciphers RC6, MRC6 and ERC6 [106]. [Main technical contributor, jointly with Jorge Nakahara Jr. and Daniel Santana de Freitas, to the generic TEST() algorithm in [106]. Performed χ² attack simulations for RC6, MRC6 and ERC6, jointly with Jorge Nakahara Jr., Daniel Santana de Freitas and Ramon Hugo de Souza.]

Cryptosystems.

• Highly practical attacks on a patented cryptosystem based on a stream cipher-like construction [203]. [Main author.]

Cryptographic Hash Functions.

• Cryptanalysis of the ESSENCE family of hash functions which was submitted to the SHA-3 competition [149]: We have several types of attacks – detection of a semi-free-start collision, distinguishing attacks, key recovery attacks on the underlying block cipher family, slide attacks [33] and detection of fixed points. [Constructed the distinguishing attacks and key recovery attacks. Proofread the semi-free-start collision attack.]

In the theory part, our work on regular hash functions is, in our belief, relevant to the ongoing SHA-3 competition. Our research suggests that it would be a futile exercise to evaluate the regularity of a candidate hash algorithm. The work on Shannon’s notion of perfect secrecy appears to be largely academic at the moment. One immediate merit of the work may be that it suggests one to be cautious while dealing with a priori probabilities, Bayes’ theorem, etc.

On the cryptanalysis side, the above listed works include both theoretical as well as practical attacks. The theoretical attacks on TPypy and HC-256 may be considered as the best in the literature. We have also constructed the best (going by the number of rounds) low-data-complexity attacks in the standard setting on DES, XTEA and GOST. The attacks on Moustique, XETA, MRC6 and ERC6 are the only known attacks on these ciphers.

The attacks in papers such as [198, 199] are of very high data/time complexities, and may come across as purely certificational. However, they have contributed significantly to our attempts at formulating better design principles for array-based synchronous stream ciphers [197, 199] – this also is one of the goals of eSTREAM. And, needless to say, discoveries of newer attack techniques (such as those in [68, 106, 196, 195]) are pivotal in advancing the field of cryptology.

In this thesis, we include results from the papers [68, 110, 149, 196, 199, 202] accepted to international (peer review) conferences during the doctoral period. We also include results from a paper published as an ISO/IEC report [195], a COSIC internal report [203] and from papers [150, 201] that are presently under submission after internal (i.e., within COSIC) peer review. The rest of the papers that I have coauthored [106, 166, 197, 198, 200] have not been included in this thesis. Of these, the papers [106, 166, 197, 198] were published in Lecture Notes in Computer Science volumes, and [200] was published as a technical report on the IACR’s ePrint repository.

1.7 Outline of the Thesis

The main technical contents in the following chapters are organised as follows.

Chapter 2. We begin with the foundations of cryptology that were laid down by Shannon in his landmark 1949 paper titled, “Communication Theory of Secrecy Systems” [206]. In this paper, he introduces the notion of perfect secrecy of a symmetric-key cryptosystem. He provides two necessary-and-sufficient probabilistic conditions for perfect secrecy, but also points out that the logical validity of his theory may be questioned as it is based on a Bayesian interpretation of probability. In this chapter, we revisit the probability theory behind Shannon’s notion of perfect secrecy. We present a reasoning that results in a paradox. We find that the paradox is resolved if the aforesaid probabilistic conditions are only necessary and not sufficient.

Chapter 3. We follow the theoretical discussions in Chapter 2 with the theory of hash functions in Chapter 3.

At EUROCRYPT 2004, Bellare and Kohno presented the concept of a regular hash function [16]. For a hash function to be regular, every hash value must have the same number of preimages in the domain. The findings of their paper remained unchallenged for over six years, and made their way into several research papers and textbooks. In their paper, Bellare and Kohno claim that regular hash functions are more resistant against the birthday attack than random hash functions. We counter their arguments by using the fact that the choices of the attacker can be limited to any subset of the domain. Furthermore, we prove that it is not possible to construct a hash function that is regular for only a small fraction of subsets of the domain. In order to avoid these problems, we propose to model hash functions as random functions. Compared to regular functions, we argue that the statistics of random functions are more similar to hash functions used in practice, regardless of how the attacker chooses the domain points.

Chapter 4. This chapter marks our transition from the theory of symmetric cryptology to its practice. In this chapter, we present some cryptanalytical results on a family of software-efficient synchronous stream ciphers.

The stream cipher TPypy was designed by Biham and Seberry in January 2007, after weaknesses in the related ciphers Py, Pypy and Py6 were discovered. One main contribution of this chapter is the detection of related-key weaknesses in the Py family of ciphers – notably in its seemingly strongest member TPypy. Under related keys, we show a distinguishing attack on TPypy with data complexity 2^193.7 which is lower than the previous best-known attack on the cipher by a factor greater than 2^5. We also show how this attack could be applied to TPy, Pypy and Py.

Chapter 5. The attacks presented in Chapter 4 are in a related-key setting. In Chapter 5, we present similar results on yet another fast, software-oriented synchronous stream cipher, but this time in the standard setting.

The software-efficient stream cipher HC-256 was proposed by Wu at FSE 2004. Due to its impressive performance, the cipher was a well-received entrant to the ECRYPT eSTREAM competition. The closely related stream cipher HC-128, also designed by Wu, went on to find a place in the final portfolio of the competition. The cipher HC-256 is word-oriented, with 32 bits in each word, and uses a 256-bit key and a 256-bit IV. Since HC-256 was published in 2004, barring a cache-timing analysis of unprotected implementations, there had not been any attack on the cipher. In this chapter, we present a class of distinguishers on HC-256, each of which requires testing the validity of about 2^276.8 linear equations involving binary keystream variables. Thereby, our attacks improve the data complexity of the hitherto best-known distinguisher (presented by the designer along with the specifications of the cipher) by a factor of about 12.

Chapter 6. In this chapter, we discuss self-synchronising stream ciphers. The stream cipher Moustique was one of the sixteen finalists in the ECRYPT eSTREAM project. Unlike the other finalists it is a self-synchronising cipher and therefore offers very different functional properties, compared to the other candidates. In this chapter, we present simple related-key phenomena in Moustique that lead to the generation of strongly correlated keystreams and to powerful key recovery attacks. Our best key recovery attack requires only 2^38 steps in the related-key scenario. Since the relevance of related-key properties is sometimes called into question, we also show how the described effects can help speed up exhaustive search (without related keys), thereby reducing the effective key length of Moustique from 96 bits to 90 bits.

Results on self-synchronising stream ciphers are not very abundant in the literature; it is hoped that the results of this chapter provide considerable insights into the topic.

Chapter 7. Following the discussions on stream ciphers, we move on to block ciphers. We focus entirely on Feistel structures, which many well-known and widely deployed block ciphers have. We present meet-in-the-middle attacks on reduced-round variants of four ciphers – DES, XTEA, XETA and GOST. In some of these attacks novel approaches to cryptanalysis have been used.

The DES is a 64-bit block cipher with 16 rounds. Due to its short key size of 56 bits, it is not known to be used anywhere presently. However, TDEA – a block cipher in which the DES encryption/decryption algorithm is applied three times to the text block – is widely used by financial institutions. For example, TDEA is implemented in the IBM 4758 processor to encrypt ATM PINs [167]. Besides, DES-like ciphers are being suggested as a solution for encryption in RFID systems [129].

The cipher XTEA, designed by Needham and Wheeler, was published as a technical report in 1997. The cipher was a result of fixing some weaknesses in the cipher TEA (also designed by Wheeler and Needham), which was used in Microsoft’s Xbox gaming console. XTEA is a 64-round Feistel cipher with a block size of 64 bits and a key size of 128 bits.

In addition to being a Russian standard, the cipher GOST is included in OpenSSL 1.0.0 and is currently being considered for inclusion in the ISO/IEC standards. This 32-round cipher has a block size of 64 bits and a key size of 256 bits.

In this chapter, we first investigate the strength of DES against attacks that use a limited number of plaintexts and ciphertexts. By mounting meet-in-the-middle attacks on reduced-round DES, we find that up to 6-round DES is susceptible to this kind of attack.

Next, we present meet-in-the-middle attacks on twelve variants of the XTEA block cipher, where each variant consists of 23 rounds. Two of these require only 18 known plaintexts (KPs) and a computational effort equivalent to testing about 2^117 keys for nearly 100% success. Under the standard setting, there is no other attack reported on 23 or more rounds of XTEA that requires less time and fewer data than the above. All attacks on XTEA are applicable to a close variant called XETA. Both XTEA and XETA are implemented in the Linux kernel.

Following the attacks on XTEA and XETA, we present meet-in-the-middle attacks on several block ciphers, each consisting of 22 or fewer rounds of GOST. Our 22-round attack on rounds 10–31 requires only 5 KPs and a computational effort equivalent to testing about 2^223 keys for nearly guaranteed success. This attack is the best (going by the number of rounds) low-data-complexity key recovery attack on GOST in the standard setting. All the key recovery attacks on XTEA, XETA and GOST use average-case computations while the attacks on DES use worst-case computations.

Finally, we suggest some measures to improve the security of XTEA, XETA and GOST.

A highlight of the meet-in-the-middle attacks in this chapter is that the data requirement is very low. More importantly, the techniques used against the DES are novel – the attacker guesses intermediary encryption values in exchange for key bits. The technique used against 15-round XTEA and 16-round GOST is also a novel variant of the classical meet-in-the-middle approach in which the ‘meet’ corresponds to round keys in place of intermediate texts.

Chapter 8. In this chapter, we present cryptanalytic results on a recently designed family of CHFs called ESSENCE which was accepted to the first round of the SHA-3 competition. This chapter presents the first known attacks on ESSENCE. We first present a semi-free-start collision attack on 31 out of 32 rounds of ESSENCE-512, invalidating the design claim that 24 rounds of ESSENCE secure it against differential cryptanalysis. We develop a novel technique to satisfy the first nine rounds of the differential characteristic. Next, we use the non-randomness in the outputs of a feedback function to construct several distinguishers on 14-round ESSENCE block ciphers and the corresponding compression functions. Each of these distinguishers requires only 2^17 output bits for nearly guaranteed success. We extend this analysis to construct (worst-case) key recovery attacks on the block ciphers. Following this, we show that the omission of round constants allows slid pairs and fixed points to be found. These attacks are independent of the number of block cipher rounds. Finally, we suggest several countermeasures against these attacks, while still keeping the design simple and easy to analyse.

Chapter 9. This is the final chapter on cryptanalysis. We evaluate a cryptosystem proposed in the international patent WO/2009/066313, analysing it as a whole. In other words, we not only target the symmetric-key primitive therein, but also the key management techniques.

The symmetric-key primitive in the cryptosystem resembles a stream cipher. The system differs markedly from cryptosystems used today in that the secret key is changed with the plaintext. The patent does not discuss key management (generation, transmission) in sufficient detail. Some of the proposed methods for transmission of keys are highly insecure and an algorithm for key generation is missing. In this chapter, we find that related-key attacks of negligibly low complexity (data/time) can result when certain (flawed) key generation algorithms are used. We also present a negligibly-low-complexity attack in the standard setting. We hope that the results caution potential users of the cryptosystem.

Chapter 10. Here, we present the design and analysis of two fast, software-oriented synchronous stream ciphers, viz., RCR-64 and RCR-32. The ciphers are respectively derived from TPy and TPypy. The encryption speeds of RCR-64 and RCR-32 are 2.7 cycles/byte and 4.45 cycles/byte on the Pentium III. These figures make them marginally outperform TPy and TPypy, and place them among the fastest stream ciphers in the literature. Based on our security analysis, we conjecture that no attacks better than brute force are possible on the RCR ciphers.

In this chapter, we also briefly discuss stream cipher design principles in general.

Chapter 11. In this chapter, we give our concluding remarks. Here and in Chapter 10, we provide general design principles for symmetric ciphers and point out common design flaws.

Chapter 12. We provide here many interesting problems for future work.


Part II

Theory of Symmetric Cryptology



Theory is important, at least in theory.– Keith Martin


Chapter 2

Revisiting Shannon’s Notion of Perfect Secrecy

2.1 Introduction

In 1948, Shannon laid the foundations of information theory with his landmark paper, ‘A Mathematical Theory of Communication’ [205]. In a follow-up paper, ‘Communication Theory of Secrecy Systems’ [206], he defined the notion of perfect secrecy of a cryptosystem. In [206], Shannon provides two necessary-and-sufficient probabilistic conditions for perfect secrecy of a cryptosystem. However, he also points out that the logical validity of his theory is questionable as it is based on a Bayesian interpretation of probability. In this chapter, we revisit Shannon’s theory of perfect secrecy from a different probabilistic viewpoint (that can also be classified as Bayesian). Thereby, a reasoning that leads to a paradox is presented. The paradox that we point out in this chapter concerns different ways of rationally relegating the a priori occurrence of a certain plaintext. We find that this paradox is resolved if the two probabilistic conditions are necessary but not sufficient. We also identify and rectify an erratum and an important missing statement in Shannon’s paper.

2.2 Perfect Secrecy

In [206], Shannon provides necessary and sufficient conditions for perfect secrecy of a cryptosystem (secrecy system in [206]). Formally, a statement ϕ is a necessary condition of a statement λ if λ ⇒ ϕ. If ϕ ⇒ λ, then ϕ is a sufficient condition of λ. To state Shannon’s conditions, we use the notation in Table 2.1.


Table 2.1. Notation

Notation   Meaning
Pr(p)      a priori probability of plaintext (message in [206]) p
Pr(c)      probability of obtaining ciphertext (cryptogram in [206]) c from any cause
Pr(c|p)    conditional probability of obtaining c if p is chosen
Pr(p|c)    a posteriori probability of plaintext p if c is intercepted

Let the plaintext space (P) and ciphertext space (C) be finite. Then, according to Shannon [206], a necessary and sufficient condition for perfect secrecy is:

Pr(p|c) = Pr(p) , ∀ (p, c) ∈ (P, C) . (2.1)

Equation (2.1) is actually a shorthand for ‘Pr(p|c) = Pr(p) for every (p, c) pair, independently of the value of Pr(p)’. Using this definition, he states and proves the following theorem [206, Theorem 6].

Theorem 2.1. A necessary and sufficient condition for perfect secrecy is that:

Pr(c|p) = Pr(c) , ∀ (p, c) ∈ (P, C) . (2.2)

Proof. By Bayes’ theorem, we have

$$\Pr(c \mid p) = \frac{\Pr(c) \cdot \Pr(p \mid c)}{\Pr(p)}, \quad \forall (p, c), \qquad (2.3)$$

if Pr(p) ≠ 0, or alternatively:

$$\Pr(p \mid c) = \frac{\Pr(p) \cdot \Pr(c \mid p)}{\Pr(c)}, \quad \forall (p, c), \qquad (2.4)$$

if Pr(c) ≠ 0.

By definition, (2.1) is a necessary condition for perfect secrecy. That is, perfect secrecy implies that (2.1) holds. This, in turn, implies that for every (p, c)

• either Pr(p) = 0 – a solution we exclude because (2.1) means that Pr(p|c) = Pr(p) holds independently of the value of Pr(p);

• or, from (2.3), Pr(c|p) = Pr(c), where the equality holds independently of Pr(c).

Therefore, Pr(c|p) = Pr(c) for every (p, c) pair with the equality holding independently of Pr(c). Hence, by the transitivity of implication, (2.2) is a necessary condition for perfect secrecy.¹

Conversely, for every (p, c) pair, if Pr(c|p) = Pr(c) independently of the value of Pr(c) then, from (2.4), we have that Pr(p|c) = Pr(p) irrespective of the value of Pr(p) (given footnote 1, the solution Pr(c) = 0 is excluded). Since this implies perfect secrecy (by definition, (2.1) is a sufficient condition for perfect secrecy), by the transitivity of implication, (2.2) is a sufficient condition for perfect secrecy.

2.3 Motivational Observations

In this section, we present our main result starting with an example. Consider a cryptosystem in which the plaintext space (P) and ciphertext space (C) consist of all 2-bit messages. We denote the plaintexts and ciphertexts as follows.

Plaintexts: p1 = 00, p2 = 01, p3 = 10, p4 = 11.
Ciphertexts: c1 = 00, c2 = 01, c3 = 10, c4 = 11.

Let the key space K = {k1 = 00, k2 = 01, k3 = 10, k4 = 11}. According to [206], it is possible to achieve perfect secrecy with only |K| = 4. We shall first see how.

Let $E_{k_i}$ denote encryption using key $k_i$, $i \in \{1, \ldots, 4\}$, and let

$$\begin{aligned}
E_{k_1}(p_1, p_2, p_3, p_4) &= (c_1, c_2, c_3, c_4), \\
E_{k_2}(p_1, p_2, p_3, p_4) &= (c_2, c_1, c_4, c_3), \\
E_{k_3}(p_1, p_2, p_3, p_4) &= (c_3, c_4, c_1, c_2), \\
E_{k_4}(p_1, p_2, p_3, p_4) &= (c_4, c_3, c_2, c_1).
\end{aligned} \qquad (2.5)$$

In the absence of any information about the distribution of the plaintexts, the cryptanalyst’s assumption that each plaintext is equally likely is reasonable (further elaboration is provided in Appendix A.1). Hence,

$$\Pr(p_i) = \tfrac{1}{4}, \quad \forall i \in \{1, \ldots, 4\}. \qquad (2.6)$$

Performing cryptanalysis (i.e., deriving (2.5) and assuming that each key is equally likely), she calculates the a posteriori probabilities as:

$$\Pr(p_i \mid c_j) = \tfrac{1}{4}, \quad \forall i, j \in \{1, \ldots, 4\}. \qquad (2.7)$$

Now, (2.1) is satisfied for all i, j ∈ {1, 2, 3, 4}. Furthermore, when all keys are equally probable, (2.1) will be satisfied for all i, j ∈ {1, 2, 3, 4}, for any other set of assignments for Pr(pi), i ∈ {1, 2, 3, 4}. By definition, therefore, perfect secrecy is obtained. Such a cryptosystem is called a ‘perfect system’. Figure 2.1 shows a line diagram representing (2.5).

¹The proof requires that (2.2) is a shorthand for ‘Pr(c|p) = Pr(c) for every (p, c) pair, independently of the value of Pr(c)’. This has not been explicitly stated by Shannon in [206, Sect. 10].

[Figure 2.1: line diagram of the system of equations (2.5), with plaintexts p1–p4 (00, 01, 10, 11) on the left and ciphertexts c1–c4 (00, 01, 10, 11) on the right; image not reproduced]

Figure 2.1. Line diagram representing the system of equations (2.5); keys that map p1 and p4 to the ciphertexts are marked
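To make the example above concrete, here is an added Python check (written for this edit; it is not code from the thesis). It assumes, as a constructed encoding, that key k_i acts as E_k(p) = p XOR k, which reproduces the four permutations of (2.5) exactly, and it obtains Pr(p|c) with Bayes’ theorem (2.4). It goes slightly beyond the text in two ways: condition (2.2) is tested without fixing any prior (for each c the value Pr(c|p) must not depend on p), and two non-perfect variants are shown for contrast, the same cipher under a biased key distribution and a two-key version.

```python
from fractions import Fraction as F

# Constructed 2-bit system of (2.5). Keys k1..k4 = 00, 01, 10, 11 act as
# E_k(p) = p XOR k, which reproduces the four permutations listed in (2.5):
# k1 = 00 is the identity, k2 = 01 swaps (p1,p2) and (p3,p4), and so on.
PLAINTEXTS = [0b00, 0b01, 0b10, 0b11]   # p1..p4
CIPHERTEXTS = [0b00, 0b01, 0b10, 0b11]  # c1..c4
KEYS = [0b00, 0b01, 0b10, 0b11]         # k1..k4
UNIFORM = {p: F(1, 4) for p in PLAINTEXTS}   # the prior of (2.6)


def encrypt(key, p):
    return p ^ key


def channel(enc, keys, key_prob):
    """Pr(c|p) for every (p, c): total probability of the keys that map p to c."""
    table = {(p, c): F(0) for p in PLAINTEXTS for c in CIPHERTEXTS}
    for k, pk in zip(keys, key_prob):
        for p in PLAINTEXTS:
            table[(p, enc(k, p))] += pk
    return table


def satisfies_2_2(enc, keys, key_prob):
    """Shannon's condition (2.2), Pr(c|p) = Pr(c), checked without fixing a prior.
    It holds under every prior on P iff, for each c, Pr(c|p) is the same for
    all p; Pr(c) is then that common value whatever the prior is."""
    cp = channel(enc, keys, key_prob)
    return all(len({cp[(p, c)] for p in PLAINTEXTS}) == 1 for c in CIPHERTEXTS)


def posterior(enc, keys, key_prob, prior):
    """Pr(p|c) from Bayes' theorem (2.4) for one a priori distribution on P."""
    cp = channel(enc, keys, key_prob)
    pr_c = {c: sum(prior[p] * cp[(p, c)] for p in PLAINTEXTS) for c in CIPHERTEXTS}
    return {(p, c): prior[p] * cp[(p, c)] / pr_c[c]
            for p in PLAINTEXTS for c in CIPHERTEXTS if pr_c[c] != 0}


def satisfies_2_1(enc, keys, key_prob, prior):
    """Condition (2.1), Pr(p|c) = Pr(p), for one concrete prior."""
    post = posterior(enc, keys, key_prob, prior)
    return all(v == prior[p] for (p, c), v in post.items())


if __name__ == "__main__":
    uniform_keys = [F(1, 4)] * 4
    print("uniform keys, (2.2):", satisfies_2_2(encrypt, KEYS, uniform_keys))
    skewed_prior = {0b00: F(1, 2), 0b01: F(1, 4), 0b10: F(1, 8), 0b11: F(1, 8)}
    for prior in (UNIFORM, skewed_prior):
        print("  (2.1) under prior", dict(prior), ":",
              satisfies_2_1(encrypt, KEYS, uniform_keys, prior))
    biased_keys = [F(1, 2), F(1, 6), F(1, 6), F(1, 6)]
    print("biased keys, (2.2):", satisfies_2_2(encrypt, KEYS, biased_keys))
    print("two keys only, (2.2):", satisfies_2_2(encrypt, KEYS[:2], [F(1, 2)] * 2))
```

With uniform keys every a posteriori probability comes out as 1/4 under the prior of (2.6) and equals the prior again under the skewed prior, as the text states for ‘any other set of assignments’; with a biased key distribution or with only two keys, (2.2) already fails, so no choice of prior can rescue (2.1).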

The cryptanalyst’s assumptions in the above example, that each plaintext/key is equally likely, are made by Shannon as well, in the example that he illustrates with [206, Figure 5]. Before we proceed further, we would like to point out an erratum in Shannon’s analysis of his example. Shannon says (using a different notation),

“In this case we see that $P_E(M) = 1/n = P(E)$ and we have perfect secrecy.”

In our notation, $P_E(M)$, $P(E)$ and $n$ are Pr(p|c), Pr(c) and |P|, respectively. While $P_E(M) = 1/n = P(E)$ is correct given the cryptanalyst’s assumption that every key and ciphertext is equally likely, it is not the reason why the cryptosystem is perfect. The condition must instead be “$P_E(M) = 1/n = P(M)$” or “$P_M(E) = 1/n = P(E)$”.

Coming back to our analysis, we recall from Sect. 2.2 that (2.1) is a necessary and sufficient condition for perfect secrecy. The cryptanalyst may use this to logically arrive at a paradoxical conclusion as follows. He begins with the following observation.

Observation 2.1. If the cryptosystem is perfect, (2.1) holds. If the cryptosystem is not perfect, then (2.1) does not hold.

Let $L_n$, $n \geq 1$, denote the event: An n-bit cryptosystem (n being finite) characterised by $|P| = |C| = |K| = 2^n = m$ is perfect. If (2.1) does not hold, it means that there exist i, j ∈ {1, . . . , m} such that either

$L'_n$: $\Pr(p_i \mid L_n^c) - \Pr(p_i \mid c_j) = \epsilon'_n$, where $\epsilon'_n \neq 0$, irrespective of the value of $\Pr(p_i)$,

or

$L''_n$: $\Pr(p_i \mid L_n^c) - \Pr(p_i \mid c_j) = 0$ for at least some value(s) of $\Pr(p_i)$ (let R denote the non-empty set of these value(s)); for other value(s) of $\Pr(p_i)$, $\Pr(p_i \mid L_n^c) - \Pr(p_i \mid c_j) = \epsilon''_n$, where $\epsilon''_n \neq 0$.

(Note that the values of $\epsilon'_n$ and $\epsilon''_n$ vary with the values of $\Pr(p_i)$.)

The cryptanalyst does not know any of these (i, j) values before performing cryptanalysis and evaluating the cryptosystem. So the analysis below is theoretical, requiring only the cryptanalyst’s knowledge that there is (at least) one pair (i, j) with the above two possibilities. The values of i and j are immaterial to the analysis and hence let us assume that (i, j) = (1, 1). This assumption is only to make it easier for the reader to follow the subsequent analysis.

Before evaluating the cryptosystem, the cryptanalyst cannot know R. But, as we shall show in the analysis, the cryptanalyst just uses the fact that Pr(p1) lies either in R or in $[0, 1] - R = R^c$.

An alternative form of Bayes’ theorem (derived from the total probability theorem [230]) is:

Pr(A) = Pr(A|L) · Pr(L) + Pr(A|Lc) · Pr(Lc) , (2.8)

for any two events A and L. Let us first consider the case when Pr(p1) ∈ R. For the n-bit cryptosystem, the cryptanalyst now uses (2.8) to obtain:²

$$\begin{aligned}
\Pr(p_1) &= \Pr(p_1 \mid L_n) \cdot \Pr(L_n) + \Pr(p_1 \mid L_n^c) \cdot \Pr(L_n^c) & (2.9) \\
&= \Pr(p_1 \mid L_n) \cdot \Pr(L_n) + \Pr(p_1 \mid L'_n \cup L''_n) \cdot \Pr(L'_n \cup L''_n) & (2.10) \\
&= \Pr(p_1 \mid L_n) \cdot \Pr(L_n) + \Pr(p_1 \mid L'_n) \cdot \Pr(L'_n) + \Pr(p_1 \mid L''_n) \cdot \Pr(L''_n) & (2.11) \\
&= \Pr(p_1 \mid c_1) \cdot \Pr(L_n) + (\Pr(p_1 \mid c_1) + \epsilon'_n) \cdot \Pr(L'_n) + \Pr(p_1 \mid c_1) \cdot \Pr(L''_n) & (2.12) \\
&= \Pr(p_1 \mid c_1) \cdot (\Pr(L_n) + \Pr(L'_n) + \Pr(L''_n)) + \epsilon'_n \cdot \Pr(L'_n) & (2.13) \\
&= \Pr(p_1 \mid c_1) + \epsilon'_n \cdot \Pr(L'_n), \quad \epsilon'_n \neq 0. & (2.14)
\end{aligned}$$

²The statement of the total probability theorem in [234] says that L and $L^c$ must be measurable for (2.8) to hold ([230] mentions no such requirement). Since n is finite, $L_n$ (and hence $L_n^c$) is countable. Countable sets are measurable [175].


To derive (2.14) the following two facts were used.

(a) $L'_n$ and $L''_n$ are mutually exclusive events.
(b) $\Pr(p_1 \mid L_n) = \Pr(p_1 \mid c_1)$ since, when $L_n$ occurs, the equality $\Pr(p_1) = \Pr(p_1 \mid c_1)$ holds independently of the value of $\Pr(p_1)$; thus $\Pr(p_1)$ belonging to the imaginary set R (or $R^c$) does not affect the equality.

Now, $\Pr(L_n) \notin \{0, 1\}$; else the cryptanalyst has concluded a priori that the cryptosystem is (not) perfect without any convincing reason.³ Given this, since $\Pr(L_n) = 1 - \Pr(L'_n) - \Pr(L''_n)$, we have

$$\Pr(L'_n) + \Pr(L''_n) \neq 0. \qquad (2.15)$$

When $\Pr(p_1) \in R^c$, using the facts (a) and (b) we get (following (2.9)):

$$\begin{aligned}
\Pr(p_1) &= \Pr(p_1 \mid c_1) \cdot \Pr(L_n) + (\Pr(p_1 \mid c_1) + \epsilon'_n) \cdot \Pr(L'_n) + (\Pr(p_1 \mid c_1) + \epsilon''_n) \cdot \Pr(L''_n) & (2.16) \\
&= \Pr(p_1 \mid c_1) \cdot (\Pr(L_n) + \Pr(L'_n) + \Pr(L''_n)) + \epsilon'_n \cdot \Pr(L'_n) + \epsilon''_n \cdot \Pr(L''_n) & (2.17) \\
&= \Pr(p_1 \mid c_1) + \epsilon'_n \cdot \Pr(L'_n) + \epsilon''_n \cdot \Pr(L''_n), \quad \epsilon'_n \neq 0, \ \epsilon''_n \neq 0. & (2.18)
\end{aligned}$$

Given (2.15), we now have the following three cases.

1. If $\Pr(L'_n) = 0$, then $\Pr(L''_n) \neq 0$ and (2.14), (2.18) respectively reduce to:

$$\Pr(p_1) = \Pr(p_1 \mid c_1), \qquad (2.19)$$

$$\Pr(p_1) = \Pr(p_1 \mid c_1) + \epsilon''_n \cdot \Pr(L''_n), \quad \epsilon''_n \neq 0. \qquad (2.20)$$

Therefore, when $\Pr(L'_n) = 0$, $\Pr(p_1)$ equals $\Pr(p_1 \mid c_1)$ only if $\Pr(p_1) \in R$. Recall that the definition of perfect secrecy (see Sect. 2.2) requires $\Pr(p_1) = \Pr(p_1 \mid c_1)$ to hold irrespective of the value of $\Pr(p_1)$. Hence perfect secrecy is not achieved when $\Pr(L'_n) = 0$.

2. If $\Pr(L''_n) = 0$, then $\Pr(L'_n) \neq 0$ and (2.14), (2.18) both reduce to:

$$\Pr(p_1) = \Pr(p_1 \mid c_1) + \epsilon'_n \cdot \Pr(L'_n), \quad \epsilon'_n \neq 0. \qquad (2.21)$$

From (2.21) it follows that $\Pr(p_1) \neq \Pr(p_1 \mid c_1)$ irrespective of whether or not $\Pr(p_1)$ is in the set R. Again, perfect secrecy is not achieved.

³Appendix A.1 discusses this issue in detail.

3. If $\Pr(L'_n) \neq 0$ and $\Pr(L''_n) \neq 0$, it immediately follows from the above analysis that perfect secrecy is not achieved.

In conclusion, we have the following paradoxical result.

Result 1: The cryptanalyst is able to conclude that the n-bit cryptosystem, in principle, is not perfect even without assigning specific values to the a priori probabilities Pr(pi) or Pr(ci), i ∈ {1, . . . , m}, like in the example in Sect. 2.3.

2.4 Discussion and Conclusions

In Sect. 2.3, we presented a reasoning that leads the cryptanalyst to conclude that the n-bit cryptosystem is not perfect, without assigning specific values to the a priori probabilities Pr(pi) or Pr(ci), i ∈ {1, . . . , m}, as in the example therein. An alternative reasoning (such as the one behind (2.6)) causes the cryptanalyst to assign specific a priori probabilities that, after she performs cryptanalysis, may lead her to conclude (using Shannon’s definitions) that the cryptosystem is perfect. Each reasoning can, in some ways, be seen as a unique approach to rationally relegating the a priori occurrence of a certain plaintext.

This problem is closely related, if not identical, to what is called the reference class problem. The reference class problem is believed [90] to have originated with [221]. It arises when we classify a proposition Q in various ways, with Pr(Q) depending on how Q is classified instead of objectively assuming a single unconditional value. When probability is degree of belief (subjective Bayesianism), we can have as many rational interpretations of probability as there are doxastic states of suitable parties to assign probability [91]. Hence, paradoxes may not be surprising.

Some paradoxes are entirely due to the underlying probability theory; examples of such paradoxes can be found in Appendix A.1. But the argument behind the paradoxical result in Sect. 2.3 is not entirely due to the underlying probability theory. It has a cause in Shannon’s notion of perfect secrecy, thereby suggesting that there is a problem with Shannon’s definitions. This is because we find that Result 1 can be resolved if (2.1) is a necessary but not a sufficient condition for perfect secrecy.

If (2.1) is only necessary and not sufficient for perfect secrecy, then $\Pr(p_i \mid L_n^c)$ can equal $\Pr(p_i \mid c_j)$, for every i, j ∈ {1, . . . , m}, irrespective of the value of $\Pr(p_i)$. If so, then

$$\begin{aligned}
\Pr(p_i) &= \Pr(p_i \mid L_n) \cdot \Pr(L_n) + \Pr(p_i \mid L_n^c) \cdot \Pr(L_n^c) \\
&= \Pr(p_i \mid c_j) \cdot \Pr(L_n) + \Pr(p_i \mid c_j) \cdot (1 - \Pr(L_n)) \\
&= \Pr(p_i \mid c_j), \quad \forall i, j \in \{1, \ldots, m\}, \text{ independently of } \Pr(p_i). & (2.22)
\end{aligned}$$

In (2.22), we have used the fact that if (2.1) is a necessary condition then perfect secrecy implies $\Pr(p_i \mid L_n) = \Pr(p_i \mid c_j)$ for every (i, j) and independently of the value of $\Pr(p_i)$. From (2.22), however, the cryptanalyst cannot conclude that the cryptosystem is perfect; otherwise she has assumed that (2.1) is a sufficient condition for perfect secrecy. Therefore, the cryptanalyst can perhaps evaluate the cryptosystem only if the following condition does not hold:

$$\Pr(p_i \mid L_n^c) = \Pr(p_i \mid c_j), \quad \forall i, j \in \{1, \ldots, m\}, \text{ independently of } \Pr(p_i). \qquad (2.23)$$

But she cannot check whether or not (2.23) holds without assigning specific values to the a priori probabilities Pr(pi) or Pr(ci), i ∈ {1, . . . , m}, and evaluating the cryptosystem as in the example in Sect. 2.3. Hence it will not be possible for the cryptanalyst to arrive at Result 1.

Suppose (2.1) is not a sufficient condition for perfect secrecy. Since (2.1) implies (2.2), if (2.2) implies perfect secrecy, then by the transitivity of implication, (2.1) will imply perfect secrecy. This will mean that (2.1) is a sufficient condition for perfect secrecy – we arrive at a contradiction. Hence if (2.1) is not a sufficient condition for perfect secrecy, then (2.2) cannot imply perfect secrecy and therefore is also not a sufficient condition. Thus, we have the following result.

Result 2: The paradoxical result in Sect. 2.3 is resolved if (2.1) – and hence (2.2) – is a necessary but not a sufficient condition for perfect secrecy.

We see Result 1 as not entirely a theoretical problem. In a practical situation, suppose that the cryptanalyst knows that the distribution of plaintexts is not uniform but she is unaware of how they are otherwise distributed. This makes it impossible for her to assign specific values to the a priori probabilities Pr(pi), i ∈ {1, . . . , m}. Now, suppose that she is able to compute Pr(pi|cj), for all i, j ∈ {1, . . . , m}, by analysing the cipher and assuming a distribution for the keys. In such a situation, she may try to obtain Pr(pi), i ∈ {1, . . . , m}, by assigning a specific value to Pr(Ln) according to her belief and using (2.8). Here, her belief may appear rational. For instance, suppose that the cryptosystem she is analysing closely resembles another cryptosystem that has been evaluated (i.e., by assigning specific values to Pr(pi), i ∈ {1, . . . , m}, computing the a posteriori probabilities Pr(pi|cj) and using Shannon’s definitions) to be perfect. The cryptanalyst may decide to assign a value close to 1 to Pr(Ln).

Given Result 2, an interesting open problem is to find a suitable way to redefine Shannon’s conditions for perfect secrecy. Alternatively, one could try to find another way to resolve the paradox. It would also be interesting to see whether other parts of [206] are affected by the results of this chapter and to seek remedial measures if necessary. As we do not know this at the moment, we have used some of the results of [206] (e.g. the notion of unicity distance) in other parts of this thesis.


Chapter 3

Challenging the Increased Resistance of Regular Hash Functions Against Birthday Attacks

3.1 Introduction

We begin this chapter by recalling the definition of a hash function. Let h : D → R be a function, where the range R is a finite set and the domain D is of arbitrary size. Denote |D| by d and |R| by r. If d > r, h is referred to as a hash function.

From Sect. 1.4, we know that any pair (x, y) where x, y ∈ D for which x ≠ y and h(x) = h(y), is called a ‘collision’ for hash function h. (A possibly trivial collision is a pair (x, y) where x, y ∈ D for which h(x) = h(y). That is, unlike for a collision, it is allowed that x = y.) For any choice of h, a collision is found with a generic birthday attack. In this, we pick points x1, . . . , xq from D and compute yi = h(xi) for i = 1, . . . , q. We say that the birthday attack is successful if we find h(xi) = h(xj), where 1 ≤ i < j ≤ q. We refer to q as the number of trials of the birthday attack. It is interesting to find out the best way to choose the points x1, . . . , xq. By best we mean either (i) the smallest q can get given a fixed probability of success, or (ii) the highest value for the success probability given a fixed q.

In [16, 17], Bellare and Kohno consider only the case where the domain points are chosen independently and uniformly at random from all m-bit strings (therefore $|D| = 2^m$). Yuval [246] instead suggests using q minor modifications of a message, in such a way that all messages are meaningful. Quisquater and Delescaille [173] showed that collisions for meaningful messages can also be found with negligible memory requirements, i.e. without storing all (xi, h(xi)) for i = 1, . . . , q. An efficient parallel implementation of their algorithm was proposed by Van Oorschot and Wiener [220].

For most applications, only a small subset of all m-bit strings are meaningful. If, for example, the messages consist of only ASCII characters, a necessary (but not sufficient) requirement is that the MSB of every character is zero.

Let $C_h(q)$ be the probability that the birthday attack finds a possibly trivial collision for h after q trials. If for every domain point, the corresponding range point of h is chosen independently and uniformly at random from all r range points, h is a random function. The success probability of the birthday attack for a random function is denoted as $C^{\$}_h(q)$, with the ‘$’ denoting the uniformly distributed random draw.

Bellare and Kohno [17] point out that if h is a random function, this does not necessarily mean that h(x) is uniformly distributed in R. In order to have such a uniform distribution in R, every range point must have the same fraction of preimages under the hash function. We refer to such a hash function as a regular function. This can be defined more formally as follows.

Definition 3.1 (Balance and Regularity). Let h : D → R be a hash function with domain D of size d and range R = {R1, R2, . . . , Rr} of size r. For h to be a hash function, we must have d > r. For 1 ≤ i ≤ r, $d_i = |h^{-1}(R_i)|$ denotes the size of the preimage of $R_i$ under h. The balance of h is then defined as:

$$\mu(h) = \log_r\left(\frac{d^2}{d_1^2 + d_2^2 + \ldots + d_r^2}\right). \qquad (3.1)$$

A hash function is regular iff µ(h) = 1 (that is, iff ∀ 1 ≤ i ≤ r : $d_i = d/r$) [17, Sect. 5].

If h is a regular function, the success probability of the birthday attack is denoted by $C^{\mathrm{reg}}_h(q)$. Bellare and Kohno calculate¹ that $C^{\$}_h(q) > (8/5) \cdot C^{\mathrm{reg}}_h(q)$, if d = 2r ≥ 10. Therefore, they conclude that “regular functions fare better than random functions [against the birthday attack]”.

We recall that their reasoning assumes that the attacker chooses the messages uniformly at random from D. In the following sections, we investigate the case where the attacker limits the choice of the domain points to subsets of D. We prove that it is not possible to construct a hash function that is regular with respect to only a small fraction of subsets of the domain. For this, we introduce the concepts of subset regularity and linear subset regularity.

Bellare and Kohno pointed out in their analysis that there is only a small difference between regular and random functions in their resistance against the birthday attack. For random functions, however, the problems described in this chapter do not apply.

¹In this proof, the values from the domain are randomly chosen, but with replacement. The replacement can result in a possibly trivial collision with a collision in the domain. The authors show in [17, Sect. 7.3] that the higher success probability is not due to the possibility of such collisions.

NIST is currently holding a competition in search for a new hash function standard [154]. Our result may be relevant to the analysis of statistical properties of the hash functions in this competition.

It is to be noted that in this chapter and in Chapter B, the term ‘hash function’ does not necessarily refer to a CHF.

3.2 The Birthday Problem

Assume that there are N people in one room. How large must N be, in order to have a probability of at least 1/2 that two people share the same birthday? It is assumed that birthdays are independently and uniformly distributed over the 365 days of the year (leap years are ignored). This is the birthday problem (see Feller [75, Sect. 2.3]), which dates back to von Mises [222]. The answer to the problem is N ≥ 23.

Bloom showed that the probability that two people share the same birthday is the lowest when birthdays are uniformly distributed [35]. Nunnikhoven [160] analysed the birthday problem for nonuniform birth frequencies.

Based on the mathematics of the birthday problem, Yuval proposed the birthday attack for hash functions [246]. In the attack, a large number of messages are generated, until two messages are found that result in the same hash value. The attack complexity depends on the distribution of the hash values. If the hash values are uniformly distributed, the analysis of the original birthday problem applies. In case of a nonuniform distribution, collision probabilities were calculated by Cachin [40, Sect. 3.2.5], as well as Bellare and Kohno [17].

In this chapter, we point out that the distribution of the hash values not only depends on the hash function, but also on how the attacker chooses the input messages. This is different from the birthday problem, where the probability distribution of the birthdays is fixed in advance (to have a uniform distribution). In the following sections, we investigate the impact of the attacker’s choice of the messages.
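As an added illustration (written for this edit, not code from the thesis), the Python below computes the exact success probability of the generic birthday attack in the with-replacement model used on this page (a possibly trivial collision counts as success) for an arbitrary distribution of the hash values. It reproduces the N ≥ 23 answer of the birthday problem and then shows the point of this section: one and the same function h yields different output distributions, and hence different collision probabilities, depending on which domain points the attacker draws from. The toy function h, its domain size, and the restricted subset are constructed for the example.

```python
from math import factorial


def no_collision_prob(probs, q):
    """Probability that q independent draws from the distribution `probs` over
    the r range points are pairwise distinct.  This equals q! * e_q(p_1..p_r),
    where e_q is the q-th elementary symmetric polynomial: each q-subset of
    range points can be hit in q! orders.  The DP builds e_0..e_q in O(r*q)."""
    e = [1.0] + [0.0] * q
    for p in probs:
        for k in range(q, 0, -1):   # descending, so each p is used at most once
            e[k] += e[k - 1] * p
    return factorial(q) * e[q]


def collision_prob(probs, q):
    """C_h(q): probability that the birthday attack succeeds within q trials
    when the hash values of the drawn points follow `probs`."""
    return 1.0 - no_collision_prob(probs, q)


def min_trials(probs, target=0.5):
    """Smallest number of trials q whose success probability reaches `target`."""
    q = 1
    while collision_prob(probs, q) < target:
        q += 1
    return q


def output_distribution(h, domain_points):
    """Distribution of h(x) when x is drawn uniformly from `domain_points`.
    Restricting the attacker to a subset of D changes this distribution even
    though h itself is unchanged."""
    counts = {}
    for x in domain_points:
        counts[h[x]] = counts.get(h[x], 0) + 1
    return [n / len(domain_points) for n in counts.values()]


# Constructed toy hash: d = 8 domain points, r = 4 range points, two preimages
# per range point, so h is regular on the full domain (Definition 3.1).
TOY_H = {0: 0, 1: 1, 2: 0, 3: 1, 4: 2, 5: 3, 6: 2, 7: 3}
FULL_DOMAIN = list(TOY_H)
EVEN_SUBSET = [0, 2, 4, 6]   # constructed restriction: even domain points only


if __name__ == "__main__":
    birthdays = [1 / 365] * 365
    print("birthday problem: q =", min_trials(birthdays),
          "gives", round(collision_prob(birthdays, 23), 4))
    full = output_distribution(TOY_H, FULL_DOMAIN)
    even = output_distribution(TOY_H, EVEN_SUBSET)
    print("toy h, full domain, q = 2:", collision_prob(full, 2))
    print("toy h, even subset, q = 2:", collision_prob(even, 2))
```

On the full domain the toy h behaves like the uniform case (collision probability 1/4 after two trials); restricted to the even points only two range values can occur and the same two trials collide with probability 1/2, which is Bloom’s observation that any departure from uniformity raises the collision probability, now caused by the attacker’s choice rather than by h.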

3.3 Balance and Regularity in the Existing Literature

The results of [17] not only remained unchallenged for over six years, but were also often cited in papers on cryptographic theory, in cryptanalysis papers and in textbooks. In this section, we give a brief overview of some of the most notable results.

Since Bellare and Kohno introduced their balance measure in [16, 17], this measure has been applied to several hash functions. Already in their original paper, the balance measures of truncated variants of SHA-1 were analysed. Later, Yoshida et al. calculated the balance of a reduced version of MAME [243]. Ødegard and Gligoroski computed the balance measures of reduced versions of EDON-R [161].

In each of these papers, hash function balances are calculated. However, the results show that not a single one of the hash function variants under consideration is regular, and the balance measure seems to decrease if the number of output bits is increased. The balance of the actual (untruncated) hash functions is never calculated, because this would be computationally infeasible. Because of this difficulty, we question the applicability of the balance measure to analyse practical hash functions.

The notions of balance and regularity also appear in several textbooks. In [82], Goldwasser and Bellare state, “If h is not regular, it turns out the [birthday] attack succeeds even faster, telling us that we ought to design hash functions to be as “close” to regular as possible.” In this chapter, we explain why we counter this design criterion.

Buchmann’s book [38] states, “We assume that strings from [the domain] can be chosen such that the distribution on the corresponding hash values is the uniform distribution.” However, it is the attacker who can freely determine how strings are chosen from the domain. In this chapter, we show that there always exists a way for the attacker to restrict the domain so that the resulting function is not regular.

In the first edition of his book [214], Stinson describes the birthday attack under the assumption that the hash function is regular. This assumption is dropped in the second edition [215], in favour of random oracles [77]. A random oracle is an oracle that answers every unique query with a response chosen uniformly at random from its output domain. A repeated query is met with an identical response.

In [103], Joux refers to [16] for a more precise analysis of collisions in hash functions for the unbalanced case. Bellare and Kohno provide bounds for this unbalanced case [17], which they refer to as “the generalized birthday problem”. The reader should not confuse this with the generalised birthday problem that Wagner studied earlier [224].

3.4 Fraction of Regular Functions

We begin with the following lemmata.

Lemma 3.1. The total number of hash functions $h^{\$}$ is given by $r^d$.

Proof. Each of the d elements of the domain can have r possible range points. This results in a total of $r^d$ combinations.

Lemma 3.2. The total number of functions $h^{\mathrm{reg}}$ that are regular is given by

$$|h^{\mathrm{reg}}| = \begin{cases} d!/((d/r)!)^r & \text{if } r \mid d, \\ 0 & \text{if } r \nmid d. \end{cases} \qquad (3.2)$$


Proof. For a function to be regular, each range point must have the same number of preimages under the function. This is achieved if and only if r | d. Given that the function is regular, the first range point that we consider has one of C(d, d/r) possible sets of d/r preimages mapping to it. Any domain point in the set that maps to this range point cannot map to any other range point; otherwise the mappings do not constitute a function. Therefore, the second range point that we consider will have one of only C(d − d/r, d/r) possible sets of d/r preimages mapping to it. Similarly, the ith range point will have one of C(d − (i − 1) · d/r, d/r) sets of domain points mapping to it. In total, therefore, we have

$$\prod_{i=1}^{r} C\!\left(d - (i-1) \cdot \tfrac{d}{r}, \tfrac{d}{r}\right) = \frac{d!}{((d/r)!)^r} \qquad (3.3)$$

functions that are regular. Figure 3.1 illustrates the above arguments with an example.

[Figure 3.1: the domain D (d = 9 points) mapped to the range R = {R1, R2, R3}; image not reproduced]

Figure 3.1. In this example, d = 9 and r = 3; the shaded area represents one of the C(9, 3) possible sets of 3 domain points that can map to the range point R1 given that the function is regular; for R2 there are only C(6, 3) sets

Theorem 3.1. Assume r | d. The probability that a random function is also a regular function is given by:

$$\frac{|h^{\mathrm{reg}}|}{|h^{\$}|} \approx 2^{-(r/2) \cdot \log_2(2\pi d/r)}. \qquad (3.4)$$

Proof. Stirling’s approximation:

$$\log_2(z!) \approx \tfrac{1}{2}\log_2(2\pi z) + z \log_2\left(\tfrac{z}{e}\right). \qquad (3.5)$$

Using Lemma 3.1 and Lemma 3.2, we obtain:

$$\begin{aligned}
\log_2\left(\frac{|h^{\mathrm{reg}}|}{|h^{\$}|}\right) &= \log_2(|h^{\mathrm{reg}}|) - \log_2(|h^{\$}|) \\
&= \log_2\left(d!/\left(\tfrac{d}{r}!\right)^r\right) - \log_2(r^d) \\
&= \log_2(d!) - r \log_2\left(\tfrac{d}{r}!\right) - d \log_2(r) \\
&\approx \tfrac{1}{2}\log_2(2\pi d) + d \log_2\left(\tfrac{d}{e}\right) - \tfrac{r}{2}\log_2(2\pi d/r) - d \log_2\left(\tfrac{d}{re}\right) - d \log_2(r) \\
&= \tfrac{1}{2}\log_2(2\pi d) - \tfrac{r}{2}\log_2(2\pi d/r) \\
&\approx -\tfrac{r}{2}\log_2\left(\tfrac{2\pi d}{r}\right). & (3.6)
\end{aligned}$$

Let us consider a random hash function with $d = 2^{161}$ and $r = 2^{160}$. According to Theorem 3.1, the probability² that this function is a regular function is $2^{-2^{160.9}}$. We note that it is therefore extremely unlikely that a hash function chosen uniformly at random from the set of $r^d$ hash functions is regular. This relates to the observations made in the literature study of Sect. 3.3, where we discuss papers that analyse the balance of several hash function variants.

3.5 Subset Regularity

First, we recall a rather obvious point from [17]. Assume that for an n-bit hash function h, we restrict the input of h to messages of at most m bits in length. Let g be a hash function, such that the domain is restricted to messages of at most m′ bits, where m′ ≥ m. Suppose g(x) = h(x), ∀x : |x| ≤ m. Then, a collision for h will also be a collision for g. If g is SHA-1, then m′ can be at most $2^{64} - 1$. A collision for, say, $h : \{0,1\}^{161} \to \{0,1\}^{160}$ where h(x) = g(x), ∀x : |x| = 161, is a collision for SHA-1 for any m′ > 161. In other words, as separately stated by Bellare and Kohno [17, Sect. 7.2],

“[A]n adversary attacking a hash function with a very large domain D might restrictits choices of domain elements to some smaller subset of D.”

²Although Stirling’s approximation (3.5) is used for a small value of z, namely d/r = 2, all digits of the calculated probability using the approximation are correct.


One possibility is to restrict the domain elements to sets of size $2^a$, where a ∈ ℕ. In this chapter, we assume that the attacker chooses to make such a restriction. We also assume that |D| is even, and that the size of the restricted domain is always half the size of D.

For certain applications, the domain D must be restricted to a smaller subset. For example, if a message consists of ASCII characters, the MSB of every character must be zero.

Definition 3.2 (Subset regularity). Let h : D → R be a hash function with domain D and range R = {R1, R2, . . . , Rr} of size d and r respectively. Assuming |D| is even, the attacker can restrict the elements of D to a subset S such that |S| = |D|/2. For 1 ≤ i ≤ r, $s_i = |h^{-1}(R_i) \cap S|$ denotes the size of the preimage of $R_i$ under h when the domain is restricted to S. We say that a hash function is subset regular or s-regular if it is not only regular, but also ∀ 1 ≤ i ≤ r : $s_i = d/(2r)$. That is, it must also be regular when the domain is restricted to subset S. We impose the condition d > 2r, to ensure that |S| > |R|.

We now have the following lemma.

Lemma 3.3. The total number of hash functions $h^{\mathrm{sreg}}$ that are subset regular is given by:

$$|h^{\mathrm{sreg}}| = \begin{cases} \left((d/2)!/((d/2r)!)^r\right)^2 & \text{if } 2r \mid d, \\ 0 & \text{if } 2r \nmid d. \end{cases} \qquad (3.7)$$

Proof. Suppose that |D| is even. Let the domain D be divided into two equally-sized sets, and consider only domain elements in one of these sets. Then everyrange point can have the same number of preimages, if and only if 2r | d. Thisalso implies r | d, which is required for the regularity criterion on the entire domain.The reasoning now is exactly the same as for Lemma 3.2, but with d replaced byd/2 as the regularity criterion holds on the smaller domain as well. Because thesubset regularity criterion has to hold on the other subset of the domain, wesquare the entire expression. If |D| is not even, it is not possible that h is subsetregular.

Theorem 3.2. If $2r \mid d$, the probability that a regular function chosen uniformly at random is also subset regular is given by:

$$\frac{|h_{\mathrm{sreg}}|}{|h_{\mathrm{reg}}|} \approx 2^{-(r/2) \cdot \log_2(\pi d / 2r)}. \qquad (3.8)$$

Proof. Using Lemma 3.2 and Lemma 3.3, we obtain:

$$\begin{aligned}
\log_2\left(\frac{|h_{\mathrm{sreg}}|}{|h_{\mathrm{reg}}|}\right)
&= \log_2\left(|h_{\mathrm{sreg}}|\right) - \log_2\left(|h_{\mathrm{reg}}|\right) \\
&= \log_2\left(\left(\tfrac{d}{2}! \,/\, \left(\tfrac{d}{2r}!\right)^r\right)^2\right) - \log_2\left(d! \,/\, \left(\tfrac{d}{r}!\right)^r\right) \\
&= 2\log_2\left(\tfrac{d}{2}!\right) - 2r\log_2\left(\tfrac{d}{2r}!\right) - \log_2\left(d!\right) + r\log_2\left(\tfrac{d}{r}!\right) \\
&\approx \log_2\left(\pi d\right) + d\log_2\left(\tfrac{d}{2e}\right) - r\log_2\left(\pi d / r\right) - d\log_2\left(\tfrac{d}{2re}\right) \\
&\qquad - \tfrac{1}{2}\log_2\left(2\pi d\right) - d\log_2\left(\tfrac{d}{e}\right) + \tfrac{r}{2}\log_2\left(2\pi d / r\right) + d\log_2\left(\tfrac{d}{re}\right) \\
&= \tfrac{1}{2}\log_2\left(\tfrac{\pi d}{2}\right) + \tfrac{r}{2}\log_2\left(\tfrac{2r}{\pi d}\right)
\approx -\tfrac{r}{2}\log_2\left(\tfrac{\pi d}{2r}\right). \qquad (3.9)
\end{aligned}$$

Assume that an attacker wants to find collisions for a regular hash function with $d = 2^{162}$ and $r = 2^{160}$. The attacker decides to restrict the choice of the domain points to a smaller subset, consisting of $2^{161}$ elements. According to Theorem 3.2, the probability³ that a randomly chosen regular function is also subset regular is $2^{-2^{160.5}}$.

This leads us to conclude that if h is a regular function chosen uniformlyat random (from all regular functions with the same domain and range), theprobability that h is also a regular function for a particular subset is negligible.
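As an added illustration (not part of the dissertation), the following Python code computes the counts of Lemma 3.2 and Lemma 3.3 and the ratio of Theorem 3.2. For tiny parameters it enumerates all $r^d$ functions to confirm (3.7) by brute force, and for the $d = 2^{162}$, $r = 2^{160}$ case it evaluates both the Stirling form (3.8) and the exact log-ratio through `lgamma`, reproducing the $2^{-2^{160.4}}$ versus $2^{-2^{160.5}}$ figures quoted in the text. Identifying the domain with $\{0, \ldots, d-1\}$ and $S$ with its first half is a convention of this example.

```python
"""Counting regular and subset-regular hash functions (Lemma 3.2, Lemma 3.3, Theorem 3.2).

Added example; not code from the dissertation. Convention of this example:
the domain is {0, ..., d-1}, the range is {0, ..., r-1}, and the attacker's
subset S is the first half {0, ..., d/2-1} (the counts do not depend on
which half is chosen).
"""
from itertools import product
from math import factorial, lgamma, log, log2, pi


def count_regular(d, r):
    """|h_reg| = d! / ((d/r)!)^r if r | d, else 0 (Lemma 3.2)."""
    if d % r:
        return 0
    return factorial(d) // factorial(d // r) ** r


def count_subset_regular(d, r):
    """|h_sreg| = ((d/2)! / ((d/2r)!)^r)^2 if 2r | d, else 0 (equation (3.7))."""
    if d % (2 * r):
        return 0
    half = factorial(d // 2) // factorial(d // (2 * r)) ** r
    return half * half


def brute_force_counts(d, r):
    """Enumerate all r^d functions h and count the regular and the subset-regular ones."""
    assert d % (2 * r) == 0, "only meaningful when 2r | d"
    regular = sreg = 0
    per_point_full, per_point_half = d // r, d // (2 * r)
    for h in product(range(r), repeat=d):
        if any(h.count(y) != per_point_full for y in range(r)):
            continue                                   # not regular on D
        regular += 1
        first_half = h[: d // 2]                       # restrict the domain to S
        if all(first_half.count(y) == per_point_half for y in range(r)):
            sreg += 1
    return regular, sreg


def _lg_factorial(n):
    """log2(n!) via lgamma, usable for n as large as 2^162."""
    return lgamma(n + 1) / log(2)


def log2_ratio_exact(d, r):
    """log2(|h_sreg| / |h_reg|) with every factorial taken exactly (up to float error)."""
    return (2 * _lg_factorial(d / 2) - 2 * r * _lg_factorial(d / (2 * r))
            - _lg_factorial(d) + r * _lg_factorial(d / r))


def log2_ratio_stirling(d, r):
    """Right-hand side of (3.8): -(r/2) * log2(pi d / 2r)."""
    return -(r / 2) * log2(pi * d / (2 * r))


def worked_example():
    """d = 2^162, r = 2^160 as in the text; returns the exponents e with probability 2^(-2^e)."""
    d, r = 2 ** 162, 2 ** 160
    return log2(-log2_ratio_stirling(d, r)), log2(-log2_ratio_exact(d, r))


if __name__ == "__main__":
    for d, r in ((4, 2), (8, 2), (6, 3)):
        print(f"d={d} r={r}: |h_reg|={count_regular(d, r)}, |h_sreg|={count_subset_regular(d, r)}, "
              f"brute force={brute_force_counts(d, r)}")
    print("exponents (Stirling, exact):", worked_example())
```

The gap between the two exponents comes entirely from the small factorials $(d/2r)! = 2!$ and $(d/r)! = 4!$, for which (3.5) is noticeably off; the terms involving $(d/2)!$ and $d!$ are approximated to far more digits than are needed.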

3.6 Linear Subset Regularity

In Sect. 3.5, we showed that a randomly chosen regular hash function is also s-regular with a probability of almost zero. Our calculations assumed that $r$ was at least reasonably large, otherwise finding collisions using the birthday attack becomes feasible in practice.

One might therefore propose the design of a hash function h that is not onlyregular, but also s-regular with respect to arbitrary subsets. We now prove thatno such h exists, by showing that a hash function can be s-regular with respect toonly a negligible fraction of all C(d, d/2) possible subsets. In order to do this, wefirst introduce the definition of linear subset regularity or ls-regularity.

Definition 3.3 (Linear subset regularity). Let $h : D \to R$ be a hash function with $d = |D| = 2^m$ and $r = |R|$. Every element of $D$ consists of $m$ bits, which we label from $x_0$ to $x_{m-1}$, where $x_0$ represents the LSB. The attacker can restrict the elements of $D$ to a smaller subset, including only domain points that satisfy $a_{m-1}x_{m-1} \oplus a_{m-2}x_{m-2} \oplus \ldots \oplus a_0x_0 = 0$, where $a_i \in \{0, 1\}$. We can therefore construct $2^m - 1$ subsets of $D$, for all choices of $a_i$, $0 \leq i < m$, except the all-zero case. We impose $d > 2r$, to ensure that each of these subdomains is larger than the range $R$. We say that a hash function is linear subset regular or ls-regular if it is not only regular for the domain $D$, but also for each of the $2^m - 1$ subsets of the domain that we defined.

³ The approximation given by (3.8) results in $2^{-2^{160.4}}$, but we have calculated this value more accurately by including additional terms in Stirling's approximation (3.5).

We first prove that there are no m-to-1 bit hash functions that are ls-regular.Using this, we prove that there are also no m-to-n bit hash functions that arels-regular.

Theorem 3.3. There does not exist an m-to-1 bit hash function that is ls-regular.

Proof. A necessary condition for a 3-to-1 bit hash function to be ls-regular, is thatexactly four hash values are 0, and that for every linear subset exactly two hashvalues are 0. This condition can be described by the following system of linearequations:

$$\begin{bmatrix}
1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 \\
1 & 0 & 1 & 0 & 1 & 0 & 1 & 0 \\
1 & 1 & 0 & 0 & 1 & 1 & 0 & 0 \\
1 & 0 & 0 & 1 & 1 & 0 & 0 & 1 \\
1 & 1 & 1 & 1 & 0 & 0 & 0 & 0 \\
1 & 0 & 1 & 0 & 0 & 1 & 0 & 1 \\
1 & 1 & 0 & 0 & 0 & 0 & 1 & 1 \\
1 & 0 & 0 & 1 & 0 & 1 & 1 & 0
\end{bmatrix}
\begin{bmatrix} h(000) \\ h(001) \\ h(010) \\ h(011) \\ h(100) \\ h(101) \\ h(110) \\ h(111) \end{bmatrix}
=
\begin{bmatrix} 4 \\ 2 \\ 2 \\ 2 \\ 2 \\ 2 \\ 2 \\ 2 \end{bmatrix}. \qquad (3.10)$$

We find that there is only one solution, namely h(000) = h(001) = . . . =h(111) = 1/2. As none of these range points are in the set {0, 1}, we conclude thatthere does not exist a 3-to-1 bit hash function that is ls-regular. In Appendix B.1,we show how the explicit construction of a 3-to-1 bit ls-regular hash function fails.

Let the $8 \times 8$ matrix in (3.10) be denoted as $A_8$. By $\overline{A_d}$ we denote the matrix that results when the logical negation operator is applied to every element of $A_d$. Matrices $A_d$ can then be constructed as follows:

$$A_1 = [1], \qquad (3.11)$$

$$A_d = \begin{bmatrix} A_{d/2} & A_{d/2} \\ A_{d/2} & \overline{A_{d/2}} \end{bmatrix}, \quad \text{for } \log_2(d) \in \mathbb{N},\ \log_2(d) \geq 1. \qquad (3.12)$$

Every row of $A_d$ corresponds to a subset of the domain defined by the linear expression $a_{m-1}x_{m-1} \oplus a_{m-2}x_{m-2} \oplus \ldots \oplus a_0x_0$, where $a_i \in \{0, 1\}$, $0 \leq i < m$, indicates if a linear term is included or not, and $x_0$ refers to the LSB. By definition, we assume that a linear expression containing zero terms corresponds to the regularity condition. The values of $a_i$ are different for every row, and $A_d$ is constructed such that the top $d/2$ rows have $a_{m-1} = 0$ and the bottom $d/2$ rows have $a_{m-1} = 1$.


In order to extend our result from 3-to-1 bit hash functions to $m$-to-1 bit hash functions, we must prove that the following system of equations has no solutions that consist of only elements in $\{0, 1\}$:

$$A_d X = \frac{d}{4} \begin{bmatrix} 2 & 1 & 1 & \cdots & 1 \end{bmatrix}^T. \qquad (3.13)$$

By counting the number of ones in every row of $A_d$, we find that $X = \begin{bmatrix} 1 & 1 & \cdots & 1 \end{bmatrix}^T / 2$ is always a valid solution. This is the only solution if $A_d$ is invertible. In Appendix B.2, we prove that matrices $A_d$ are invertible, by showing their relation to Hadamard matrices. As none of the elements of $X$ are in the set $\{0, 1\}$, there are no $m$-to-1 bit hash functions that are ls-regular.

We now show that if no m-to-1 bit ls-regular hash functions exist, there existno m-to-n bit ls-regular hash functions.

Theorem 3.4. There exists no m-to-n bit hash function that is ls-regular.

Proof. We show by induction on n. Let P (n) denote the proposition:

There exists no m-to-n bit hash function that is ls-regular.

The base case $P(1)$ is true by Theorem 3.3. Let $P(i)$ be true for some $i < n$, and consider an arbitrary $m$-to-$i$ bit hash function $h$, whose truth table is given in Table 3.1.

Table 3.1. Truth table for an $m$-to-$i$ bit hash function $h$; $\alpha_{j,\ell} \in \{0, 1\}$, $\forall j \in \{0, \ldots, 2^m - 1\}$ and $\ell \in \{0, \ldots, i - 1\}$

$$\begin{array}{cccc|cccc}
\multicolumn{4}{c|}{x} & \multicolumn{4}{c}{h(x)} \\
x_{m-1} & x_{m-2} & \cdots & x_0 & \alpha_{i-1} & \alpha_{i-2} & \cdots & \alpha_0 \\ \hline
0 & 0 & \cdots & 0 & \alpha_{0,i-1} & \alpha_{0,i-2} & \cdots & \alpha_{0,0} \\
0 & 0 & \cdots & 1 & \alpha_{1,i-1} & \alpha_{1,i-2} & \cdots & \alpha_{1,0} \\
\vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\
0 & 1 & \cdots & 1 & \alpha_{2^{m-1}-1,i-1} & \alpha_{2^{m-1}-1,i-2} & \cdots & \alpha_{2^{m-1}-1,0} \\
1 & 0 & \cdots & 0 & \alpha_{2^{m-1},i-1} & \alpha_{2^{m-1},i-2} & \cdots & \alpha_{2^{m-1},0} \\
1 & 0 & \cdots & 1 & \alpha_{2^{m-1}+1,i-1} & \alpha_{2^{m-1}+1,i-2} & \cdots & \alpha_{2^{m-1}+1,0} \\
\vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\
1 & 1 & \cdots & 1 & \alpha_{2^m-1,i-1} & \alpha_{2^m-1,i-2} & \cdots & \alpha_{2^m-1,0}
\end{array}$$

Now, if a hash function is ls-regular then it is


• regular, and

• subset regular under all linear conditions, each of which partitions thedomain into two equally-sized sets.

Therefore, if a hash function is not ls-regular then it is either (i) not regular or (ii) not subset regular with respect to at least one linear condition. Every $m$-to-$(i+1)$ bit function is obtained by appending one output bit to some $m$-to-$i$ bit function, which by $P(i)$ is not ls-regular; it therefore suffices to show that appending a bit cannot repair either failure. Given case (ii), without loss of generality, let us assume that subset regularity does not hold for $x_{m-1} = 0$. Then, among the $2^{m-1}$ rows of Table 3.1 with $x_{m-1} = 0$, at least one $i$-bit output value appears more than the expected $2^{m-1}/2^i = 2^{m-i-1}$ times. Again without loss of generality, let the output $\{0\}^i$ appear $t > 2^{m-i-1}$ times (i.e., say, $\alpha_{j,\ell} = 0$ $\forall j \in \{0, \ldots, t-1\}$ and $\ell \in \{0, \ldots, i-1\}$ in Table 3.1). Then, if we append one bit to each of the $t$ output strings $\{0\}^i$, one of the strings $\{0\}^i \| 0$ and $\{0\}^i \| 1$ appears strictly more than $2^{m-i-2}$ times. Since $\{0\}^i \| 0$ and $\{0\}^i \| 1$ should each appear exactly $2^{m-1}/2^{i+1} = 2^{m-i-2}$ times when the $m$-to-$(i+1)$ bit hash function is subset regular under the linear condition $x_{m-1} = 0$, the extended function is not ls-regular either, so $P(i+1)$ is true when $P(i)$ is true. Given case (i), following a similar line of reasoning, replacing $2^{m-1}$ with $2^m$ and recalculating the formulae, we again obtain that $P(i) \Rightarrow P(i+1)$. Therefore, by the principle of mathematical induction, $P(n)$ is true.

Let us again consider a regular hash function with $d = 2^{162}$ and $r = 2^{160}$. If we require this function to be ls-regular as well, the function must be subset regular for a fraction of $d - 1$ out of all $C(d, d/2)$ possible subsets consisting of half of the domain elements. For $d = 2^{162}$, this fraction evaluates to about $2^{-2^{162}}$. Therefore, by imposing subset regularity for only an extremely small fraction of the possible subsets that we consider, we prove that no ls-regular functions exist.
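The following Python code, added here and not taken from the dissertation, makes Theorems 3.3 and 3.4 concrete for small parameters: it builds the $2^m - 1$ linear subsets of Definition 3.3, exhaustively confirms that no $m$-to-$n$ bit function is ls-regular for $(m, n) \in \{(3, 1), (3, 2), (4, 1)\}$, constructs $A_d$ by the recursion (3.11)–(3.12) and checks that its rows are the indicator vectors of those subsets, solves (3.13) over the rationals to recover the unique solution $X = [1/2, \ldots, 1/2]^T$, and evaluates the fraction $(d-1)/C(d, d/2)$ for $d = 2^{162}$. Encoding domain points as integers with $x_0$ as the LSB is this example's convention.

```python
"""Linear subset regularity (Definition 3.3, Theorems 3.3 and 3.4) for small parameters.

Added example; not code from the dissertation. Convention: a domain point
x in {0, ..., 2^m - 1} is an integer whose bit x_0 is the LSB, and an
m-to-n bit function is a tuple h with h[x] in {0, ..., 2^n - 1}.
"""
from collections import Counter
from fractions import Fraction
from itertools import product
from math import lgamma, log, log2


def linear_subsets(m):
    """The 2^m - 1 subsets {x : a_{m-1}x_{m-1} xor ... xor a_0x_0 = 0} for a != 0."""
    return [[x for x in range(2 ** m) if bin(a & x).count("1") % 2 == 0]
            for a in range(1, 2 ** m)]


def is_regular_on(h, points, n):
    """Every n-bit value has exactly |points| / 2^n preimages among `points`."""
    counts = Counter(h[x] for x in points)
    expected = len(points) // 2 ** n
    return all(counts[y] == expected for y in range(2 ** n))


def is_ls_regular(h, m, n):
    return (is_regular_on(h, range(2 ** m), n)
            and all(is_regular_on(h, s, n) for s in linear_subsets(m)))


def count_ls_regular(m, n):
    """Brute force over all (2^n)^(2^m) functions; Theorem 3.4 says the answer is 0."""
    return sum(1 for h in product(range(2 ** n), repeat=2 ** m) if is_ls_regular(h, m, n))


def build_A(m):
    """A_d, d = 2^m, by the recursion (3.11)-(3.12); entries are the ints 0 and 1."""
    A = [[1]]
    for _ in range(m):
        negated = [[1 - v for v in row] for row in A]
        A = [row + row for row in A] + [row + nrow for row, nrow in zip(A, negated)]
    return A


def rows_match_subsets(m):
    """Row 0 of A_d is the regularity condition; row a is the indicator of the a-th linear subset."""
    A, d = build_A(m), 2 ** m
    return A[0] == [1] * d and all(
        A[a] == [1 - bin(a & x).count("1") % 2 for x in range(d)] for a in range(1, d))


def solve_unique(A, b):
    """Gauss-Jordan elimination over the rationals; None if A is singular."""
    n = len(A)
    M = [[Fraction(v) for v in row] + [Fraction(bi)] for row, bi in zip(A, b)]
    for col in range(n):
        pivot = next((i for i in range(col, n) if M[i][col] != 0), None)
        if pivot is None:
            return None
        M[col], M[pivot] = M[pivot], M[col]
        M[col] = [v / M[col][col] for v in M[col]]
        for i in range(n):
            if i != col and M[i][col] != 0:
                f = M[i][col]
                M[i] = [a - f * c for a, c in zip(M[i], M[col])]
    return [row[n] for row in M]


def ls_regular_solution(m):
    """Solve (3.13), A_d X = (d/4) [2 1 ... 1]^T: the only candidate m-to-1 bit ls-regular h."""
    d = 2 ** m
    b = [Fraction(d, 2)] + [Fraction(d, 4)] * (d - 1)
    return solve_unique(build_A(m), b)


def log2_fraction_of_linear_subsets(d):
    """log2((d - 1) / C(d, d/2)): share of the half-size subsets that ls-regularity imposes."""
    lg = lambda n: lgamma(n + 1) / log(2)
    return log2(d - 1) - (lg(d) - 2 * lg(d / 2))


def fraction_exponent(d):
    """e such that (d - 1) / C(d, d/2) is about 2^(-2^e); the text gives e = 162 for d = 2^162."""
    return log2(-log2_fraction_of_linear_subsets(d))


if __name__ == "__main__":
    print("ls-regular 3-to-1, 3-to-2, 4-to-1 bit functions:",
          count_ls_regular(3, 1), count_ls_regular(3, 2), count_ls_regular(4, 1))
    print("solution of (3.13) for d = 8:", [str(v) for v in ls_regular_solution(3)])
    print("fraction exponent for d = 2^162:", fraction_exponent(2 ** 162))
```

Note that `rows_match_subsets` verifies the equivalent description $A_d[a][x] = 1 \Leftrightarrow$ the Hamming weight of $a \wedge x$ is even, i.e. $A_d = (J + H_d)/2$ with $H_d$ the Sylvester–Hadamard matrix, which is the relation used in Appendix B.2 to show invertibility.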

In the previous section, we showed that the fraction of subset regular hashfunctions is negligible. In this section, we obtained an even stronger result – theredoes not exist a hash function that is regular for more than a negligibly smallfraction of subsets of the domain.

Therefore, in the birthday attack, the attacker can always restrict the domainpoints in such a way that the resulting hash function is not regular. This countersBellare and Kohno’s interpretation of why regular functions fare better thanrandom functions against the birthday attack. However, we do not dispute themathematics of their analysis.

3.7 Related Work

In 1956, Dumey [66] introduced the concept of (non-cryptographic) hashing. It was proposed as a solution to the dictionary problem. In the dictionary problem, a sequence of operations Insert(k, x), Delete(k) and Lookup(k) are given. They are used to respectively insert, delete and look up key-value pairs (k, x), and are

performed on an initially empty table of key-value pairs. The goal is to minimisethe time and memory used by these operations.

Let h′ : D′ → R′ be a hash function, where both the domain |D′| = d′ and therange |R′| = r′ are finite, and d′ > r′. The construction known as chained hashingis then described as follows. We initialise an array A[1 . . . r′], and let A[i] containa linked list of all key-value pairs (k, x) for which h′(k) = i.

Assume that $r' \mid d'$. For chained hashing, $h'$ is ideally chosen such that every $A[i]$ contains the same number of key-value pairs. This is related to the notion of a regular hash function by Bellare and Kohno, where every hash value has the same number of preimages in the domain. If $D'$ is the set of all keys that are added to the table, then the number of key-value pairs that have to be read when any of the three operations is performed is at most $d'/r'$. If there exists an $A[i]$ with fewer than $d'/r'$ elements, then there also exists an $A[j]$ with $j \neq i$ and more than $d'/r'$ elements. Therefore, regular hash functions obtain the best performance in the worst-case scenario.

Doing a rigorous analysis of chained hashing is difficult, because the calculations strongly depend on the sequence of keys. For example, by the pigeonhole principle there always exists a sequence of keys that all map to the same hash value. Sometimes assumptions are placed on the sequence of keys, but these may be very difficult (or even impossible) to guarantee in practice. This is also evident from the analysis in this chapter.

As a novel solution to the dictionary problem, we mention the universal classesof hash functions proposed by Carter and Wegman [42]. In their paper, it isproposed that h′ is chosen uniformly at random, but not from the set of all possiblefunctions. The class of hash functions H ′ is chosen in such a way, that the averageperformance (for all h′ ∈ H ′) for the worst case input is bounded.

More formally, let $h' : D' \to R'$ be a hash function, where both the domain $|D'| = d'$ and the range $|R'| = r'$ are finite, and $d' \geq r'$. A universal class $H'$ of hash functions is then defined such that, for $h'$ chosen uniformly at random from $H'$, the probability that $h'(x) = h'(y)$ is at most $1/r'$ for any two distinct $x, y \in D'$.

However, not all protocols allow a hash function to be selected uniformly atrandom from a class of hash functions. In that case, the notion of universal classesof hash functions is not meaningful.
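As an added example (not from the dissertation), the Python code below checks the universality bound above for the classical Carter–Wegman family $h_{a,b}(k) = ((ak + b) \bmod p) \bmod r'$ by exhaustive enumeration, and then shows the chained-hashing worst case of this section: once one member $h_{a,b}$ is fixed and known, an adversary can submit keys that all land in the same chain, which is exactly the situation in which a protocol cannot draw $h'$ at random. The family, $p = 13$ and $r' = 4$ are choices of this example.

```python
"""A universal class of hash functions (Carter and Wegman [42]) checked by enumeration.

Added example; not code from the dissertation. The class is the textbook
family h_{a,b}(k) = ((a*k + b) mod p) mod r' with p prime, 1 <= a < p and
0 <= b < p; the key space D' is {0, ..., p-1}. p = 13 and r' = 4 are chosen
for this example so that every member and every key pair can be enumerated.
"""
from itertools import combinations


def hash_family(p):
    """All parameters (a, b); each pair names one member h' of the class H'."""
    return [(a, b) for a in range(1, p) for b in range(p)]


def h(a, b, k, p, r):
    return ((a * k + b) % p) % r


def max_collision_probability(p, r):
    """max over distinct x, y in D' of Pr_{h' <- H'}[h'(x) = h'(y)]; universality means <= 1/r."""
    family = hash_family(p)
    worst = 0.0
    for x, y in combinations(range(p), 2):
        colliding = sum(1 for a, b in family if h(a, b, x, p, r) == h(a, b, y, p, r))
        worst = max(worst, colliding / len(family))
    return worst


def worst_bucket_load(keys, a, b, p, r):
    """Length of the longest chain A[i] of a chained hash table using the fixed member h_{a,b}."""
    loads = [0] * r
    for k in keys:
        loads[h(a, b, k, p, r)] += 1
    return max(loads)


def adversarial_keys(a, b, p, r, bucket=0):
    """What a client who knows (a, b) submits: every key lands in the same chain (pigeonhole)."""
    return [k for k in range(p) if h(a, b, k, p, r) == bucket]


if __name__ == "__main__":
    p, r = 13, 4
    print("max collision probability:", max_collision_probability(p, r), "<= 1/r =", 1 / r)
    keys = adversarial_keys(3, 5, p, r)
    print("keys colliding under h_{3,5}:", keys, "-> chain length", worst_bucket_load(keys, 3, 5, p, r))
```

For this family the collision probability is the same for every pair $(x, y)$, because $(a, b) \mapsto ((ax+b) \bmod p, (ay+b) \bmod p)$ is a bijection onto ordered pairs of distinct residues; the bound $1/r'$ is met with room to spare, while the adversarial key set shows that the guarantee is only an average over the choice of $h'$.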

3.8 Random Functions

Bellare and Kohno showed [17] that several reduced versions of SHA-1 do not behave as regular functions. This indicates that regular functions may not be a suitable theoretical model to analyse the collision resistance of commonly used hash functions. In previous sections, we also made an observation on Bellare and Kohno's claim that regular hash functions fare better than random hash functions against the birthday attack. Based on this, we suggest not to model hash functions as regular functions.

Instead, we propose to model hash functions as random functions when analysingthe complexity of the birthday attack. We agree with Bellare and Kohno that “thedesign principle of attempting to make hash functions have random behavior [. . .]is sound and central to security” [17]. We now explain why random functions donot suffer from any of the problems described in this chapter.

A random function can be formally defined as follows.

Definition 3.4 (Random Function). Let $F : \{0,1\}^* \to \{0,1\}^n$ be a random function. If $x_i \in \{0,1\}^*$ has not been queried before, the random function chooses $y_i$ uniformly at random from all $2^n$ range points, and outputs $y_i = F(x_i)$. Otherwise, if $x_i = x_j$ where $j < i$, the random function outputs $y_j = F(x_j) = F(x_i)$.

Unlike for a regular hash function, it is not necessary for a random function torequire that the domain consists of a finite number of elements. Also, it is clearfrom the random function definition, that for any subset of the domain, the rangepoints yi are chosen randomly and independently from a uniform distribution aswell. Because the statistics of a random function are the same no matter howthe domain points are chosen, the problems described in this chapter for regularfunctions do not apply.
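To make the last claim concrete, the following Python code (an added example, not the dissertation's) implements the lazily sampled random function of Definition 3.4 and runs the birthday attack against it twice: once with arbitrary 4-byte domain points and once with points whose bytes all have the MSB cleared, the ASCII restriction of Sect. 3.5. The two samplers, the 12-bit range and the trial count are constructed for this example. The mean number of queries to the first collision is $\approx \sqrt{\pi 2^n/2}$ in both runs, because the outputs of a random function are drawn independently of how the inputs were chosen.

```python
"""A lazily sampled random function (Definition 3.4) under the birthday attack.

Added example; not code from the dissertation. The two samplers are
constructed for this example: one draws arbitrary 4-byte inputs, the other
only inputs whose bytes have the MSB clear (the ASCII restriction of
Sect. 3.5), i.e. 1/16 of the 4-byte domain. The range size 2^12 is chosen
so that the birthday bound is reached in about 80 queries.
"""
import random
from math import pi, sqrt


class RandomFunction:
    """F: {0,1}* -> {0,1}^n; a fresh uniform output is drawn on the first query of each input."""

    def __init__(self, n_bits, rng):
        self.n_bits, self.rng, self.table = n_bits, rng, {}

    def queried(self, x):
        return x in self.table

    def query(self, x):
        if x not in self.table:                 # x_i not seen before: choose y_i uniformly
            self.table[x] = self.rng.getrandbits(self.n_bits)
        return self.table[x]                    # x_i = x_j with j < i: repeat y_j


def unrestricted_point(rng):
    return rng.getrandbits(32).to_bytes(4, "big")


def ascii_point(rng):
    return bytes(rng.getrandbits(7) for _ in range(4))   # MSB of every byte is zero


def queries_until_collision(n_bits, sampler, rng):
    """Birthday attack: query fresh domain points until two of them share an output."""
    F = RandomFunction(n_bits, rng)
    seen = {}                                    # output -> the input that produced it
    queries = 0
    while True:
        x = sampler(rng)
        if F.queried(x):                         # a repeated input is not a collision
            continue
        y = F.query(x)
        queries += 1
        if y in seen:
            return queries
        seen[y] = x


def mean_queries(n_bits, sampler, trials, seed):
    rng = random.Random(seed)
    return sum(queries_until_collision(n_bits, sampler, rng) for _ in range(trials)) / trials


def birthday_estimate(n_bits):
    """Expected number of draws until the first repetition among 2^n equally likely values."""
    return sqrt(pi * 2 ** n_bits / 2) + 2 / 3


if __name__ == "__main__":
    print("estimate:", birthday_estimate(12))
    print("unrestricted domain:", mean_queries(12, unrestricted_point, 1000, 1))
    print("ASCII-restricted domain:", mean_queries(12, ascii_point, 1000, 2))
```

Replacing `RandomFunction` by a fixed regular function over a fixed finite domain is exactly where the two samplers would start to behave differently, since restricting the domain then changes the preimage counts as shown in Sect. 3.5.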

3.9 Implications for Cryptanalysis of Block Ciphers

Our results, especially Theorem 3.1, have implications for block cipher cryptanalysis. In Chapter 7, we construct attacks on reduced-round versions of the block ciphers XTEA and GOST. In computing the complexities and success probabilities of these attacks, we assume that the reduced cipher has perfect confusion and diffusion properties [206]. One may alternatively assume that the hash function that maps the key space of the block cipher to its ciphertext space is regular, and using this compute the complexities and probabilities. In fact, this was how we tried to perform the computations initially. We however soon encountered two problems:

• the computations became more and more involved, and

• the assumption of regularity had to be made for every plaintext-ciphertextpair used in the attack.

The second problem led us to questions such as the following:

• Are there considerably many regular functions so that assumptions ofregularity are reasonable?

• Is there a method to construct a regular function?

Our attempts at answering the above questions initiated this entire work on hashfunction balance.


3.10 Conclusions

The notion of a regular hash function was introduced by Bellare and Kohno at EUROCRYPT 2004, and has subsequently appeared in several research papers. It is defined as a hash function that has the same number of preimages in the domain for every hash value. In their original paper, Bellare and Kohno state, "regular functions fare better than random functions [against the birthday attack]".

This statement, which until now remained unchallenged, is based on theassumption that the attacker chooses the domain points uniformly at random.However, Bellare and Kohno note that “there are several variants of [the birthdayattack] which differ in the way the [domain] points x1, . . . , xq are chosen”. Onepossible restriction is that domain points correspond to meaningful messages. Forexample, if messages consist of only ASCII characters, the MSB of every charactermust be zero.

For simplicity, we assumed that the choices of the attacker are restricted tohalf of the domain points. In that case, we calculated that the probability thatthe resulting function is still regular under this restriction is very close to zero.Furthermore, to the best of our knowledge, there is no known method to constructsuch a regular function – or, for that matter, any function that is regular evenunder an unrestricted domain.

We attempted to extend the concept of regularity, requiring that a hash functionis also regular under subsets of the domain. We proved that no such hash functionexists, even if one only considers a very small fraction of all possible ways to dividethe domain into subsets.

Thus, the attacker can restrict the domain points in the birthday attack insuch a way that the resulting hash function is not regular. This is our point ofdisagreement with Bellare and Kohno’s analysis of why regular functions performbetter than random functions against the birthday attack.

If hash functions are modelled as random functions, they are not susceptible toany of the problems with regular functions that are described in this chapter.


Part III

Cryptanalysis of Synchronous Stream Ciphers


Chapter 4

Related-Key Attacks on the Py Family of Ciphers

4.1 Introduction

We first give a timeline of the Py family (Py, Pypy, TPy and TPypy) and the Py6 family (Py6 and TPy6) of synchronous stream ciphers.¹

• April 2005 (Design). The ciphers Py and Py6 [27], designed by Biham and Seberry, are submitted to the ECRYPT eSTREAM project [71] for analysis and evaluation in the category of software-oriented stream ciphers. The impressive speed of the cipher Py in software (about 2.5 times faster than RC4) makes it one of the fastest and most attractive contestants.

• March 2006 (Attack presented at FSE 2006). Paul, Preneel and Sekar report distinguishing attacks with $2^{89.2}$ data and comparable time against the cipher Py [166]. (Crowley [48] later reduced the complexity to $2^{72}$ by employing a Hidden Markov Model.)

• March 2006 (Design presented at the rump session of FSE 2006).A new cipher, Pypy [28], is proposed by the designers to preclude thedistinguishing attacks reported in [48, 166].

• May 2006 (Attack presented at ASIACRYPT 2006). Distinguishing attacks with $2^{68.6}$ data complexity are reported against Py6 [165].

• October 2006 (Attack presented at EUROCRYPT 2007). Wu and Preneel show key recovery attacks against the ciphers Py, Py6 and Pypy with chosen IVs [242]. (This attack was subsequently improved by Isobe et al. [100].)

¹ In papers attacking these ciphers, all the six ciphers may be regarded as members of the Py family. For better clarity we have, here and in Chapter 10, separated the ciphers into 'Py family' and 'Py6 family'.

• January 2007 (Design). Three new ciphers – TPy, TPy6 and TPypy – are proposed by Biham and Seberry [26] to preclude the attacks in [242] on Py, Py6 and Pypy respectively. At the time of their publication, there was no published attack on TPy, TPy6 or TPypy.

• February 2007 (Attack). Sekar, Paul and Preneel publish distinguishing attacks on Py, Pypy, TPy and TPypy with data complexities $2^{281}$ each [200].

• June 2007 (Attack presented at ISC 2007). Sekar, Paul and Preneel show new weaknesses in the stream ciphers Py and TPy [198]. Exploiting these weaknesses, distinguishing attacks on the ciphers are constructed where the best distinguisher requires $2^{268.6}$ data samples and comparable time.

• July 2007 (Attack and design presented at WEWoRC 2007). Sekar, Paul and Preneel show distinguishing attacks on Py6 and TPy6 that require $2^{224.6}$ data and comparable time [197]. Moreover, they modify TPy6 to design two new ciphers, TPy6-A and TPy6-B, which they show to preclude existing attacks on the Py family.

• August 2007 (Attack presented at SAC 2007). Tsunoo et al. show distinguishing attacks on Py, Pypy, TPy and TPypy. Each attack requires $2^{199}$ keystream samples and comparable time [219]. This is a considerable improvement over the attacks reported in [200].

4.1.1 Contribution of This Work

Based on the specifications and the published analysis (until July 2007) of the Py family, we conjecture that the ciphers can be ordered in terms of increasing security as: Py6 → Py → Pypy → TPy6 → TPy → TPypy (the strongest). Each cipher was recommended by Biham and Seberry to be used with a 32-byte key $K$ and a 16-byte IV. The key size may, however, vary from 1 to 256 bytes (but should be a multiple of a byte) and the IV size from 1 to 64 bytes (again, should be a multiple of a byte). The ciphers were claimed by the designers to be free from related-key and distinguishing attacks [26, 27, 28]. In this chapter, we exploit weaknesses in the KSAs of Py, Pypy, TPy and TPypy to construct distinguishers in a related-key setting. Recall that we have already discussed the importance of related-key attacks in Sect. 1.5.3.

In this chapter, we show the following result. Suppose two keys $K_1$ and $K_2$, of size 256 bytes each, are related in the following manner (with the byte number indicated within square brackets; similarly for the IV):

1. $K_1[16] \oplus K_2[16] = 1$,

2. $K_1[17] = K_2[17]$, and

3. $K_1[i] = K_2[i]$, $\forall i \notin \{16, 17\}$.

Further suppose they are used with identical 16-byte IVs. Then the relation between the keys, exploiting the weaknesses of the $K$ setup algorithms of the Py family, propagates through the IV setup algorithms and finally induces biases in the outputs at the 1st and the 3rd rounds (iterations) of the KGA. Such related-key pairs are used to build a distinguisher for each of the aforementioned ciphers with $2^{193.7}$ output samples and comparable time (note that there are $2^{2048}$ such pairs in total, while our distinguisher needs any $2^{193.7}$ pairs of keys of the form $(K, f(K))$ where $K$ is chosen uniformly at random).

Going by the data/time complexity, this result comprises the best attack on the cipher that appears to be the strongest member of the Py family – TPypy (see Table 4.1). The attack on TPypy is also shown to be effective against Py, Pypy and TPy. These related-key attacks work for any IV size ranging from 16 to 64 bytes. However, the attack complexities increase with shorter keys. Note that the usage of long keys in the Py family of ciphers makes it very attractive to be used as a fast CHF family (e.g., by replacement of the key with the message block).² In such cases, related-key weaknesses may have some relevance. As an example, let us suppose that we find a pair of related keys that produces identical keystreams. This is tantamount to finding a collision for the CHF if it is constructed by replacing the cipher key with the message block and a part of the keystream with the chaining value.

The related-key attacks described in this chapter are of high complexities andtherefore would not pose a practical threat to the security of a Py-based CHFconstruction. Nevertheless, it appears prudent to be cautious as it may happenthat our related-key attacks are significantly improved in the future. One mayalternatively take the view that related-key weaknesses are certificational and thatthe very simple partition of the key space according to correlated keystreams isnot particularly desirable.

4.2 Description of the Stream Ciphers Py, Pypy, TPy and TPypy

Each of the Py family of ciphers is composed of three parts: (i) a K setupalgorithm, (ii) an IV setup algorithm, and (iii) a round function or KGA. Thefirst two parts are used for the initial one-time mixing of the secret key K and theIV. The K/IV setup generates a pseudorandom internal state composed of: (i)a permutation P of 256 elements, (ii) a 32-bit array Y of 260 elements, and (iii)a 32-bit variable s. The K/IV setup uses two intermediate variables: (i) a fixedpermutation of 256 elements denoted by internal permutation, and (ii) a variable

² We attempted such a construction in [159]. The resulting hash function family, called RUSH, hashes at speeds between 12 and 18 cycles/byte on AMD Athlon 64 X2. It must be noted, however, that RUSH is yet to undergo public scrutiny on its security.


Table 4.1. Data complexities§ of attacks on the Py and Py6 families of ciphers when used with 256-bit keys and 128-bit IVs; time complexities are indicated within parentheses unless they are identical to the respective data complexities ('X' denotes that the attack is not shown to work and 'N/A' means that the data is not directly available from the corresponding source)

Type of attack and ref.            Py6        Py               Pypy             TPy6       TPy        TPypy      Success prob. / advantage
Distinguishing [166]               X          2^89.2           X                X          2^89.2     X          ≈ 0.5
Distinguishing [48]                X          2^72             X                X          2^72       X          ≈ 0.5
Distinguishing [165]               2^68.6     X                X                2^68.6     X          X          ≈ 0.5
Key recovery [242]                 X          2^24 (2^200)     2^24 (2^200)     X          X          X          N/A†
Key recovery [100]                 X          2^22.6 (2^176)   2^22.6 (2^176)   X          X          X          N/A†
Distinguishing [200]               X          2^281            2^281            X          2^281      2^281      Non-negligible
Distinguishing [197]               2^224.6    X                X                2^224.6    X          X          Non-negligible
Distinguishing [198]               X          2^268.6          X                X          2^268.6    X          Non-negligible
Distinguishing [219]               X          2^199            2^199            X          2^199      2^199      Non-negligible
Related-key dist. (this chapter)   X          2^193.7          2^193.7          X          2^193.7    2^193.7    ≈ 0.5

§ The figures corresponding to: (a) [48, 166] are the number of output bytes, (b) [100, 242] are the number of IVs, (c) [165] are the number of XOR-sums of two output bits, and (d) the remaining results are the number of XOR-sums of four output bits.
† Though the success probability is not explicitly mentioned by the authors, we infer that it is close to 1.

EIV whose size is equal to that of the IV. The round function, which is executediteratively, is used to update the internal state (i.e., P , Y and s) and to generatethe keystream bits. The K setup algorithms of Py, Pypy, TPy and TPypy areidentical.

Table 4.2 outlines the compositions of the algorithms of Py, Pypy, TPyand TPypy. The K/IV setup and KGAs in Table 4.2 are provided inAlgorithms 4.3, 4.4, 4.5 and 4.6. In these algorithms, the swap(A[i], A[j]) denotesthe sequence of operations on array A (containing, say, NA elements) that aregiven in Algorithm 4.1.

Algorithm 4.1 swap(A[i], A[j])
temp ← A[i] ;   /* temp: temporary variable */
A[i] ← A[j] ;
A[j] ← temp ;

The rotate(A) denotes the sequence of operations on A that are provided inAlgorithm 4.2.


Algorithm 4.2 rotate(A)
temp ← A[0] ;
for (i = 1; i < N_A; i++) do
    A[i − 1] ← A[i] ;
end for
A[N_A − 1] ← temp ;

Furthermore, in Algorithms 4.3–4.6, the operators '+' and '−' denote addition modulo $2^{32}$ and subtraction modulo $2^{32}$ respectively. From Sect. 4.4 onwards, '+' and '−' are also used in expressions which relate two elements of array $P$. In this case, however, they respectively denote addition and subtraction over $\mathbb{Z}$.

Table 4.2. Constructions of the algorithms of Py, Pypy, TPy and TPypy

                        TPypy    TPy     Pypy    Py
K setup                 KS       KS      KS      KS
IV setup                IVS1     IVS1    IVS2    IVS2
KGA (round function)    RF1      RF2     RF1     RF2

4.3 Notation and Conventions

We use the following notation and conventions:

• The outputs generated when K1 and K2 are used are denoted by O and Zrespectively.

• $O^a(b)$ (resp. $Z^a(b)$) denotes the $b$th bit ($b = 0$ denotes the LSB) of the second output word generated at round (iteration) $a$ when $K_1$ (resp. $K_2$) is used. We do not use the first output word anywhere in our analysis.

• $P^{a-1}_1$, $Y^a_1$ and $s^{a-1}_1$ are the inputs to the KGA at round $a$ when $K_1$ is used. It is easy to see that when this convention is followed $O^a$ takes a simple form: $O^a = (s^a_1 \oplus Y^a_1[-1]) + Y^a_1[P^a_1[208]]$.

• $Y^a_1[b]$ and $P^a_1[b]$ denote the $b$th elements of array $Y^a_1$ and $P^a_1$, respectively, when $K_1$ is used.

• $Y^a_1[b](i)$ and $P^a_1[b](i)$ denote the $i$th bits ($i = 0$ denotes the LSBs) of $Y^a_1[b]$ and $P^a_1[b]$, respectively.

• In the preceding three points, the 1's in the subscripts are replaced with 2's when $K_2$ is used.


Algorithm 4.3 K setup: KS
Require: A key, an IV and an initial permutation
Ensure: An array Y[−3, …, 256] and a 32-bit variable s
keysizeb: size of K in bytes ;
ivsizeb: size of IV in bytes ;
s = internal_permutation[keysizeb − 1] ;
s ← (s ≪ 8) ∨ internal_permutation[(s ⊕ (ivsizeb − 1)) & 0xFF] ;
s ← (s ≪ 8) ∨ internal_permutation[(s ⊕ K[0]) & 0xFF] ;
s ← (s ≪ 8) ∨ internal_permutation[(s ⊕ K[keysizeb − 1]) & 0xFF] ;
for (j = 0; j < keysizeb; j++) do
    s ← s + K[j] ;
    s0 = internal_permutation[s & 0xFF] ;
    s ← (s ≪ 8) ⊕ (u32)s0 ;
end for
for (j = 0; j < keysizeb; j++) do
    s ← s + K[j] ;
    s0 = internal_permutation[s & 0xFF] ;
    s ← s ⊕ ((s ≪ 8) + (u32)s0) ;
end for
/* Initialize the array Y */
for (i = −3, j = 0; i <= 256; i++) do
    s ← s + K[j] ;
    s0 = internal_permutation[s & 0xFF] ;
    Y[i] = s ← (s ≪ 8) ⊕ (u32)s0 ;
    j ≡ j + 1 mod keysizeb ;
end for

4.4 The Related-Key Weaknesses

We begin our analysis with two keys, $K_1$ and $K_2$ (each key is 256 bytes long), such that

C1. $K_1[16] \oplus K_2[16] = 1$ (without loss of generality, assume that the LSB of $K_1[16]$ is 1),

C2. $K_1[17] \neq K_2[17]$, and

C3. $K_1[i] = K_2[i]$, $\forall\, i \notin \{16, 17\}$.

We now trace the internal state elements through Algorithms 4.3–4.6.

4.4.1 Analysis of the K Setup Algorithm KS

We begin with the following algorithm that forms the first mixing loop of KS. For $K_1$ and $K_2$, the values of the variable $s$ through Algorithm A are listed in Table 4.3. Algorithm A is a part of the K setup algorithm KS (described in Algorithm 4.3).


Algorithm 4.4 Part-I of the IV setup algorithms IVS1 and IVS2 – initialisation of P and EIV
Require: The Y, the s from the K setup algorithm KS and the IV
Ensure: Rolling arrays P[0, …, 255], EIV[0, …, ivsizeb − 1] and the variable s
  /* Create an initial permutation */
  v = IV[0] ⊕ ((Y[0] ≫ 16) & 0xFF) ;
  d = (IV[1 mod ivsizeb] ⊕ ((Y[1] ≫ 16) & 0xFF)) ∨ 1 ;
  for (i = 0; i < 256; i++) do
      P[i] = internal_permutation[v] ;
      v ← v + d ;
  end for
  /* Now P is a permutation */
  /* Initialise s */
  s = ((u32)v ≪ 24) ⊕ ((u32)d ≪ 16) ⊕ ((u32)P[254] ≪ 8) ⊕ ((u32)P[255]) ;
  s = s ⊕ (Y[−3] + Y[256]) ;
  for (i = 0; i < ivsizeb; i++) do
      s ← s + IV[i] + Y[−3 + i] ;
      s0 = P[s & 0xFF] ;
      EIV[i] = s0 ;
      s ← (s ≪ 8) ⊕ (u32)s0 ;
  end for
  /* Again, but with the last words of Y, and update EIV */
  for (i = 0; i < ivsizeb; i++) do
      s ← s + IV[i] + Y[256 − i] ;
      /* s ← s + EIV[(i + ivsizeb − 1) mod ivsizeb] + Y[256 − i] ; for IVS1 */
      s0 = P[s & 0xFF] ;
      EIV[i] ← EIV[i] + s0 ;
      s ← (s ≪ 8) ⊕ (u32)s0 ;
  end for

Table 4.3. The variable s at the end of the iterations corresponding to j = 15, 16 and 17 of Algorithm A

End of step corresponding to j =   s (using K1)   s (using K2)
15                                  $s_{A1,15}$    $s_{A2,15}$ (= $s_{A1,15}$)
16                                  $s_{A1,16}$    $s_{A2,16}$ (= $s_{A1,16} - \delta_1$ (say))
17                                  $s_{A1,17}$    $s_{A2,17}$ (= $s_{A1,17}$, if $K_2[17] = K_1[17] + \delta_1$)


Algorithm 4.5 Part-II of the IV setup algorithms IVS1 and IVS2 – updating the rolling arrays and the variable s
Require: Outputs of Part-I of the IV setup
Ensure: The rolling arrays Y[−3, …, 256], P[0, …, 255] and the variable s
  for (i = 0; i < 260; i++) do
      (u32)x0 = EIV[0] ← EIV[0] ⊕ (s & 0xFF) ;
      rotate(EIV) ;
      swap(P[0], P[x0]) ;
      rotate(P) ;
      Y[−3] = s ← (s ⊕ Y[−3]) + Y[x0] ;
      /* s ← (s ≪ 8) + Y[256] ; Y[−3] ← Y[−3] + (s ⊕ Y[x0]) ; for IVS1 */
      rotate(Y) ;
  end for
  s ← s + Y[26] + Y[153] + Y[208] ;
  if s = 0 then
      s = (keysizeb ∗ 8) + ((ivsizeb ∗ 8) ≪ 16) + 0x87654321 ;
  end if

Algorithm 4.6 Round functions: RF1 and RF2
Require: Y[−3, …, 256], P[0, …, 255] and the 32-bit variable s
Ensure: 32-bit random output (for RF1) or 64-bit random output (for RF2)
  /* Update and rotate P */
  swap(P[0], P[Y[185] & 255]) ;
  rotate(P) ;
  /* Update s */
  s ← s + Y[P[72]] − Y[P[239]] ;
  s ← s ≪ ((P[116] + 18) & 31) ;
  /* Output 4 or 8 bytes (least significant byte first) */
  output: ((s ≪ 25) ⊕ Y[256]) + Y[P[26]] ;   /* This step is skipped for RF1 */
  output: (s ⊕ Y[−1]) + Y[P[208]] ;
  /* Update and rotate Y */
  Y[−3] ← ((s ≪ 14) ⊕ Y[−3]) + Y[P[153]] ;
  rotate(Y) ;

Algorithm A

for (j = 0; j < keysizeb; j + +) dos← s+K[j] ;s0 = internal permutation[s&0xFF ] ;s← (s≪ 8)⊕ (u32)s0 ;

end for


If $x$ is a 32-bit variable, let $B(x)$ denote the least significant byte of $x$. In Table 4.3,

\begin{align}
\delta_1 &= s_{A1,16} - s_{A2,16} \tag{4.1}\\
&= \big(((s_{A1,15} + K_1[16]) \ll 8) \oplus IP[B(s_{A1,15} + K_1[16])]\big) \tag{4.2}\\
&\quad - \big(((s_{A2,15} + K_2[16]) \ll 8) \oplus IP[B(s_{A2,15} + K_2[16])]\big), \tag{4.3}
\end{align}

where $IP$ denotes internal_permutation.

Now, if $K_2[17] = K_1[17] + \delta_1$ (call this event $D_1$), it is observed from Algorithm A that the following equation is satisfied:

$$s_{A2,17} = s_{A1,17}.$$

For event $D_1$ to occur, $\delta_1$ should be an 8-bit integer. Running a simulation, it is determined that:

$$\Pr(|\delta_1| = 8) \approx \tfrac{1}{2}.$$

Hence,

$$\Pr(D_1) \approx 2^{-9}. \tag{4.4}$$

If $s_{A1,17} = s_{A2,17}$, then in every subsequent step of Algorithm A, the $s_{A1}$ and $s_{A2}$ values are equal; that is, $s_{A1,k} = s_{A2,k}$ for $k = 18, 19, \ldots, 255$.
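The tracing of $s$ through Algorithm A under two related keys can be reproduced concretely. The following Python example is added here for illustration; it is not code from the thesis or from the Py designers. It implements the K setup KS of Algorithm 4.3 (the initial assignments and Algorithms A, B and C) and then computes $\delta_1$ of (4.1) for a key pair satisfying C1–C3. Two assumptions are made: Py's fixed internal_permutation table is replaced by a constructed, seeded permutation (the analysis only uses the fact that it is a permutation of $\{0, \ldots, 255\}$), and the keys are constructed at random. `related_key_d1` chooses $K_2[17] = K_1[17] + \delta_1$ whenever that value is a byte, which forces event $D_1$ and makes the two $s$ traces coincide from $j = 17$ onwards; `delta1_is_8bit_rate` estimates the probability that $\delta_1$ fits in 8 bits, the quantity the text puts at about $1/2$.

```python
import random

MASK32 = 0xFFFFFFFF
KEYSIZEB = 256     # the chapter analyses 256-byte keys
IVSIZEB = 16       # recommended IV size

# Py's internal_permutation is a fixed 256-entry table in the specification. It is
# replaced here by a CONSTRUCTED, seeded permutation (an assumption of this example);
# the related-key analysis only needs it to be a permutation of {0, ..., 255}.
IP = list(range(256))
random.Random(2011).shuffle(IP)

def rotl32(x, n):
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK32

def ks_initial_s(key, ivsizeb=IVSIZEB):
    """The four assignments of Algorithm 4.3 that precede the first mixing loop."""
    n = len(key)
    s = IP[n - 1]
    s = (s << 8) | IP[(s ^ (ivsizeb - 1)) & 0xFF]
    s = (s << 8) | IP[(s ^ key[0]) & 0xFF]
    s = (s << 8) | IP[(s ^ key[n - 1]) & 0xFF]
    return s & MASK32

def algorithm_a(s, key, steps=None):
    """First mixing loop (Algorithm A). Returns the value of s after each iteration j."""
    trace = []
    for j in range(len(key) if steps is None else steps):
        s = (s + key[j]) & MASK32
        s0 = IP[s & 0xFF]
        s = rotl32(s, 8) ^ s0
        trace.append(s)
    return trace

def algorithm_b(s, key):
    """Second mixing loop (Algorithm B)."""
    for j in range(len(key)):
        s = (s + key[j]) & MASK32
        s0 = IP[s & 0xFF]
        s ^= (rotl32(s, 8) + s0) & MASK32
    return s

def algorithm_c(s, key):
    """Third loop (Algorithm C): fills Y[-3..256] (returned with offset 3) and returns s."""
    Y, j = [], 0
    for _ in range(-3, 257):
        s = (s + key[j]) & MASK32
        s0 = IP[s & 0xFF]
        s = rotl32(s, 8) ^ s0
        Y.append(s)
        j = (j + 1) % len(key)
    return Y, s

def key_setup(key, ivsizeb=IVSIZEB):
    """Full K setup KS (Algorithm 4.3): returns (Y, s)."""
    s = ks_initial_s(key, ivsizeb)
    s = algorithm_a(s, key)[-1]
    s = algorithm_b(s, key)
    return algorithm_c(s, key)

def delta1(k1, k2, pos=16):
    """delta_1 = s_{A1,pos} - s_{A2,pos} of (4.1) as a signed integer. Under C1-C3 the two
    traces agree up to j = pos-1, so only the first pos+1 iterations are needed."""
    s = ks_initial_s(k1)                     # K1 and K2 agree on bytes 0 and 255
    a1 = algorithm_a(s, k1, steps=pos + 1)
    a2 = algorithm_a(s, k2, steps=pos + 1)
    d = (a1[pos] - a2[pos]) & MASK32
    return d - (1 << 32) if d >> 31 else d

def related_key_d1(k1, pos=16):
    """Build K2 from K1 per C1 and C3, then set K2[pos+1] = K1[pos+1] + delta_1 so that
    event D1 holds; returns None when that value is not a byte (delta_1 too large)."""
    k2 = list(k1)
    k2[pos] ^= 1                             # C1: the keys differ in the LSB of byte pos
    v = k1[pos + 1] + delta1(k1, k2, pos)
    if not 0 <= v <= 255 or v == k1[pos + 1]:
        return None                          # C2 requires K2[pos+1] != K1[pos+1]
    k2[pos + 1] = v
    return k2

def random_key(rng):
    """A constructed 256-byte key with the LSB of byte 16 set, as assumed in C1."""
    k = [rng.randrange(256) for _ in range(KEYSIZEB)]
    k[16] |= 1
    return k

def find_d1_instance(seed=1, max_trials=512):
    """Search constructed keys for one where D1 can be forced; returns (K1, K2) or None."""
    rng = random.Random(seed)
    for _ in range(max_trials):
        k1 = random_key(rng)
        k2 = related_key_d1(k1)
        if k2 is not None:
            return k1, k2
    return None

def delta1_is_8bit_rate(trials=2048, seed=2):
    """Empirical probability that delta_1 fits in 8 bits (the text estimates about 1/2)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        k1 = random_key(rng)
        k2 = list(k1)
        k2[16] ^= 1
        hits += abs(delta1(k1, k2)) < 256
    return hits / trials
```

Running `find_d1_instance()` and comparing `algorithm_a` traces for the returned pair shows the pattern of Table 4.3: the two traces agree for $j \le 15$, differ by exactly $\delta_1$ at $j = 16$, and agree again for every $j \ge 17$.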

Algorithm B

  for (j = 0; j < keysizeb; j++) do
      s ← s + K[j] ;
      s0 = internal_permutation[s & 0xFF] ;
      s ← s ⊕ ((s ≪ 8) + (u32)s0) ;
  end for

Given that $D_1$ occurs, i.e., $s_{A1} = s_{A2}$ at the end of Algorithm A (or $s_{A1,255} = s_{A2,255}$), we now trace the values of $s$ through Algorithm B, which forms another part of the K setup. Table 4.4 compares the values of $s$, under the keys $K_1$ and $K_2$, at the end of the iterations corresponding to $j = 15, 16$ and $17$ of Algorithm B. In Table 4.4,

\begin{align}
\delta_2 &= s_{B1,16} - s_{B2,16} \notag\\
&= \big(((s_{B1,15} + K_1[16]) \ll 8) \oplus IP[B(s_{B1,15} + K_1[16])]\big) \notag\\
&\quad - \big(((s_{B2,15} + K_2[16]) \ll 8) \oplus IP[B(s_{B2,15} + K_2[16])]\big). \tag{4.5}
\end{align}


Table 4.4. The variable s at the end of the iterations corresponding to j = 15, 16 and 17 of Algorithm B given $D_1$ occurs

End of step corresponding to j =   s (using K1)   s (using K2)
15                                  $s_{B1,15}$    $s_{B2,15}$ (= $s_{B1,15}$)
16                                  $s_{B1,16}$    $s_{B2,16}$ (= $s_{B1,16} - \delta_2$ (say))
17                                  $s_{B1,17}$    $s_{B2,17}$ (= $s_{B1,17}$, if $K_2[17] = K_1[17] + \delta_2$)

Now, given that event $D_1$ occurs (i.e., $s_{A1} = s_{A2}$ at the end of Algorithm A), if $\delta_2 = \delta_1$ (call this event $D_2$), we will have $K_2[17] = K_1[17] + \delta_2$, and hence from Algorithm B the following equation is satisfied:

$$s_{B2,17} = s_{B1,17}.$$

For event $D_2$ to occur, $\delta_2$ should be an 8-bit integer. Running a simulation, it is determined that:

$$\Pr(|\delta_2| = 8) \approx \frac{1}{2^{2.4}}.$$

Hence,

$$\Pr(D_2 \mid D_1) \approx 2^{-10.4} \;\Rightarrow\; \Pr(D_2 \cap D_1) \approx \Pr(D_1) \cdot 2^{-10.4} \approx 2^{-19.4}. \tag{4.6}$$

If $s_{B1,17} = s_{B2,17}$, then in every subsequent step of Algorithm B, the $s_{B1}$ and $s_{B2}$ values are equal. In other words, $s_{B1,k} = s_{B2,k}$ for $k = 18, 19, \ldots, 255$.

Given that $D_2 \cap D_1$ occurs, that is, $s_{B1} = s_{B2}$ at the end of Algorithm B (or $s_{B1,255} = s_{B2,255}$), the values of $s$ and $Y$ are traced through Algorithm C, which forms the final part of the K setup. Algorithm C constitutes the third for-loop of the K setup algorithm KS.

Algorithm C

  for (i = −3, j = 0; i <= 256; i++) do
      s ← s + K[j] ;
      s0 = internal_permutation[s & 0xFF] ;
      Y[i] = s ← (s ≪ 8) ⊕ (u32)s0 ;
      j ≡ j + 1 mod keysizeb ;
  end for

Table 4.5 compares the values of $s$ and $Y$, under the keys $K_1$ and $K_2$, at the end of the iterations corresponding to $j = 15, 16$ and $17$ of Algorithm C.


Table 4.5. The variables s and Y at the end of the iterations corresponding to j = 15, 16 and 17 of Algorithm C given event $D_2 \cap D_1$ occurs.

End of step corresponding to j =   s (using K1)   s (using K2)                                                   Y (using K1)   Y (using K2)
15                                  $s_{C1,15}$    $s_{C2,15}$ (= $s_{C1,15}$)                                    $Y_1[12]$      $Y_2[12]$ (= $Y_1[12]$)
16                                  $s_{C1,16}$    $s_{C2,16}$ (= $s_{C1,16} - \delta_3$ (say))                   $Y_1[13]$      $Y_2[13]$ (≠ $Y_1[13]$)
17                                  $s_{C1,17}$    $s_{C2,17}$ (= $s_{C1,17}$, if $K_2[17] = K_1[17] + \delta_3$)   $Y_1[14]$      $Y_2[14]$ (= $Y_1[14]$, if $K_2[17] = K_1[17] + \delta_3$)

In Table 4.5,

\begin{align}
\delta_3 &= s_{C1,16} - s_{C2,16} \notag\\
&= \big(((s_{C1,15} + K_1[16]) \ll 8) \oplus IP[B(s_{C1,15} + K_1[16])]\big) \notag\\
&\quad - \big(((s_{C2,15} + K_2[16]) \ll 8) \oplus IP[B(s_{C2,15} + K_2[16])]\big). \tag{4.7}
\end{align}

Now, given that event $D_2 \cap D_1$ occurs (i.e., $s_{B1} = s_{B2}$ at the end of Algorithm B), if $\delta_3 = \delta_1$ (call this event $D_3$), we will have $K_2[17] = K_1[17] + \delta_3$ and hence from Algorithm C, the following equation is satisfied:

$$s_{C2,17} = s_{C1,17}.$$

For event $D_3$ to occur, $\delta_3$ should be an 8-bit integer. Running a simulation, it is determined that:

$$\Pr(|\delta_3| = 8) \approx \tfrac{1}{2}.$$

Hence,

$$\Pr(D_3 \mid D_2 \cap D_1) \approx 2^{-9} \;\Rightarrow\; \Pr(D_3 \cap D_2 \cap D_1) \approx \Pr(D_2 \cap D_1) \cdot 2^{-9} \approx 2^{-28.4}. \tag{4.8}$$

If $s_{C1,17} = s_{C2,17}$, then in every subsequent step of Algorithm C, the $s_{C1}$ and $s_{C2}$ values are equal. Thus, $s_{C1,k} = s_{C2,k}$ for $k = 18, 19, \ldots, 255$, and $Y_1[j] = Y_2[j]$, where $j \neq 13$.

4.4.2 Analysis of IVS1 and IVS2

Given that $D_3 \cap D_2 \cap D_1$ occurs, i.e., $s_{C1} = s_{C2}$ at the end of Algorithm C (or $s_{C1,255} = s_{C2,255}$), and $Y_1[i] = Y_2[i]$ ($i \neq 13$), we now trace the variables $s$, $Y$, $P$ and $EIV$ through Algorithm 4.4. We begin with the first mixing loop (Algorithm D).


Algorithm D

  for (i = 0; i < ivsizeb; i++) do
      s ← s + IV[i] + Y[−3 + i] ;
      s0 = P[s & 0xFF] ;
      EIV[i] = s0 ;
      s ← (s ≪ 8) ⊕ (u32)s0 ;
  end for

Observe that $s$ and $Y$ (obtained after the K setup) and the IV are the basic elements used in Algorithm 4.4 to define $P$ and $EIV$ and to update $s$ and $Y$. We now model our attack in such a way that the same IV is used with both keys. Prior to the execution of Algorithm D, the only elements of array $Y$ which are used in Part-I of the IV setup are $Y[0]$, $Y[1]$, $Y[-3]$ and $Y[256]$. Since $Y[13]$ is not used, it follows that $P_1$ (that is, $P$ when $K_1$ is used) and $P_2$ ($P$ under $K_2$) are identical.

In Algorithm D as well, $Y[13]$ is not used to update $s$ or to define $EIV$ when the IV is of the recommended size of 16 bytes. For longer IVs, we can induce the first difference in the keys (that is, where the LSBs alone differ) according to the size of the IV. An example is provided in Appendix C.1. It is to be noted that, if the IV size is $N$ bytes, the first difference in the keys should not be induced anywhere: (i) in the first $N$ bytes (i.e., key bytes $0$ to $N - 1$), or (ii) in the last $N - 3$ bytes (key bytes $260 - N$ to $256$).

Algorithm E

  for (i = 0; i < ivsizeb; i++) do
      s ← s + IV[i] + Y[256 − i] ;
      /* s = s + EIV[(i + ivsizeb − 1) mod ivsizeb] + Y[256 − i] ; for IVS1 */
      s0 = P[s & 0xFF] ;
      EIV[i] ← EIV[i] + s0 ;
      s ← (s ≪ 8) ⊕ (u32)s0 ;
  end for

Otherwise, it is immaterial where the first difference is set – in all the cases, nearly the same bias is induced. This is established from a large number of experiments.

Let us now consider Algorithm E. Again, $Y[13]$ is not used to update $s$ or $EIV$ (for both IVS1 and IVS2). Hence, at the end of Algorithm E, we have $s_1 = s_2$, $EIV_1 = EIV_2$, $P_1 = P_2$, and $Y_1[i] = Y_2[i]$ (where $i \neq 13$). With this result, we proceed to Algorithm 4.5.

In Part-II of IVS2, when $i = 16$ (for IVS1 it is $i = 17$), the values of $s$ generated with $K_1$ and $K_2$ are different due to the difference in $Y[13]$. This causes the $EIV$s to be different in the following iteration and hence $P_1 \neq P_2$ (i.e., after the rotate(P) step). In the subsequent iterations, the mixing becomes more thorough, with the result that at the end of 260 iterations, $Y_1[j] = Y_2[j]$, $j \in \{-3, \ldots, 12\}$ (and $P_1$, $P_2$ can be expected to appear as two independent, randomly generated permutations). This result holds only if $x_0 \neq 13$ when $i = 0, \ldots, 15$. The probability that this occurs is $(255/256)^{j+4} \approx 1$ when $j \in \{-3, \ldots, 12\}$. With this result, we shall analyse the KGAs.

4.4.3 Analysis of RF1

Here we consider only the round function RF1. This is because a biased keystream produced by RF1 is also a biased keystream of RF2. The formulae for the LSBs of the outputs generated at rounds 1 and 3 when $K_1$ and $K_2$ are used are:

\begin{align}
O^1_{(0)} &= s^1_{1(0)} \oplus Y^1_1[-1]_{(0)} \oplus Y^1_1[P^1_1[208]]_{(0)}, \tag{4.9}\\
O^3_{(0)} &= s^3_{1(0)} \oplus Y^3_1[-1]_{(0)} \oplus Y^3_1[P^3_1[208]]_{(0)}, \tag{4.10}\\
Z^1_{(0)} &= s^1_{2(0)} \oplus Y^1_2[-1]_{(0)} \oplus Y^1_2[P^1_2[208]]_{(0)}, \tag{4.11}\\
Z^3_{(0)} &= s^3_{2(0)} \oplus Y^3_2[-1]_{(0)} \oplus Y^3_2[P^3_2[208]]_{(0)}. \tag{4.12}
\end{align}

Let $C_1$, $C_2$, $C_3$ and $C_4$ denote $Y^1_1[P^1_1[208]]_{(0)}$, $Y^3_1[P^3_1[208]]_{(0)}$, $Y^1_2[P^1_2[208]]_{(0)}$ and $Y^3_2[P^3_2[208]]_{(0)}$, respectively. Each row in Table 4.6 gives the conditions on the elements of $P_1$ and $P_2$ which, when simultaneously satisfied, give $C_1 \oplus C_2 \oplus C_3 \oplus C_4 = 0$. The corresponding probabilities are also provided.

Table 4.6. When $G_j$ ($1 \le j \le 4$) occurs, $C_1 \oplus C_2 \oplus C_3 \oplus C_4 = 0$

Event   Conditions                                                                                                          Probability              Result
$G_1$   $P^1_1[208] = P^3_1[208] + 2$, $P^1_2[208] = P^3_2[208] + 2$                                                        $2^{-16}$                $C_1 = C_2$, $C_3 = C_4$
$G_2$   $P^1_1[208] = P^1_2[208]$, $P^1_1[208], P^1_2[208] \le 12$, $P^3_1[208] = P^3_2[208]$, $P^3_1[208], P^3_2[208] \le 12$   $2^{-24.6}$              $C_1 = C_3$, $C_2 = C_4$
$G_3$   $P^1_1[208] = P^3_2[208] + 2$, $2 \le P^1_1[208] \le 12$, $P^3_2[208] \le 10$, $P^1_2[208] = P^3_1[208] + 2$, $2 \le P^1_2[208] \le 12$, $P^3_1[208] \le 10$   $2^{-25.4}$   $C_1 = C_4$, $C_2 = C_3$
$G_4$   $G_2 \cap G_1$                                                                                                      Negligible ($\ll 2^{-25}$)   $C_1 = C_2 = C_3 = C_4$

From Table 4.6, it follows that events $G_2$, $G_3$ and $G_4$ can be ignored when compared to $G_1$. We now state and prove the following theorem.

Theorem 4.1. $s^1_1 = s^3_1$ when the following four conditions are simultaneously satisfied:

1. $P^2_1[116] \equiv -18 \pmod{32}$ (event $E_1$),

2. $P^3_1[116] \equiv -18 \pmod{32}$ (event $E_2$),

3. $P^2_1[72] = P^3_1[239] + 1$ (event $E_3$),

4. $P^2_1[239] = P^3_1[72] + 1$ (event $E_4$).

Proof. The formulae for $s^2_1$ and $s^3_1$ are (see Algorithm 4.6):

\begin{align}
s^2_1 &= \big(s^1_1 + Y^2_1[P^2_1[72]] - Y^2_1[P^2_1[239]]\big) \ll (P^2_1[116] + 18 \bmod 32), \tag{4.13}\\
s^3_1 &= \big(s^2_1 + Y^3_1[P^3_1[72]] - Y^3_1[P^3_1[239]]\big) \ll (P^3_1[116] + 18 \bmod 32). \tag{4.14}
\end{align}

The condition $P^2_1[116] \equiv -18 \pmod{32}$ reduces (4.13) to:

$$s^2_1 = s^1_1 + Y^2_1[P^2_1[72]] - Y^2_1[P^2_1[239]].$$

Therefore, (4.14) becomes:

$$s^3_1 = \Big(s^1_1 + \sum_{i=2}^{3} \big(Y^i_1[P^i_1[72]] - Y^i_1[P^i_1[239]]\big)\Big) \ll (P^3_1[116] + 18 \bmod 32). \tag{4.15}$$

From Algorithm 4.2, we observe that $Y^a_1[\alpha] = Y^{a+1}_1[\alpha - 1]$ iff $\alpha \ge -2$. We now use this observation along with the fact that $P_1[\beta] \neq -3$ for any $\beta \in \{0, \ldots, 255\}$, since $P_1$ is a permutation of $\{0, \ldots, 255\}$. Given this, events $E_3$ and $E_4$ reduce (4.15) to:

$$s^3_1 = s^1_1 \ll (P^3_1[116] + 18 \bmod 32). \tag{4.16}$$

When event $E_2$ occurs, (4.16) becomes:

$$s^3_1 = s^1_1 \ll 0 = s^1_1. \tag{4.17}$$

This completes the proof.
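Theorem 4.1 can be checked mechanically on the rolling-array round function. The following Python example is added here as an illustration; it is not code from the thesis or from the Py designers. It implements RF1 exactly as in Algorithm 4.6 (swap and rotate $P$, update $s$, output, update and rotate $Y$) on a state with $Y[-3, \ldots, 256]$ stored at an offset of 3, and constructs a state at the start of round 2 for which $E_1$–$E_4$ hold. The construction is an assumption of the example: the contents of $Y$ and the initial $s$ are random, $Y^2[185]$ and $Y^2[186]$ are set to 0 so that the swaps in rounds 2 and 3 are no-ops (then $P^3[i] = P^2[i+1]$), and six entries of $P^2$ are placed by hand so that the four conditions are met. Running rounds 2 and 3 then shows $s^3 = s^1$, as the theorem states.

```python
import random

MASK32 = 0xFFFFFFFF

def rotl32(x, n):
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK32

class PyState:
    """Rolling arrays Y[-3..256] (list index = position + 3) and P[0..255], plus the 32-bit s."""

    def __init__(self, Y, P, s):
        assert len(Y) == 260 and sorted(P) == list(range(256))
        self.Y, self.P, self.s = list(Y), list(P), s & MASK32

    def y(self, idx):
        """Y[idx] for idx in -3..256."""
        return self.Y[idx + 3]

    def rf1(self):
        """One round of RF1 (Algorithm 4.6 without the RF2-only output); returns the output word."""
        Y, P = self.Y, self.P
        # update and rotate P: swap(P[0], P[Y[185] & 255]); rotate(P)
        x = self.y(185) & 255
        P[0], P[x] = P[x], P[0]
        self.P = P = P[1:] + P[:1]
        # update s: s <- s + Y[P[72]] - Y[P[239]]; s <- s <<< ((P[116] + 18) & 31)
        self.s = (self.s + self.y(P[72]) - self.y(P[239])) & MASK32
        self.s = rotl32(self.s, (P[116] + 18) & 31)
        # output: (s XOR Y[-1]) + Y[P[208]]
        out = ((self.s ^ self.y(-1)) + self.y(P[208])) & MASK32
        # update and rotate Y: Y[-3] <- ((s <<< 14) XOR Y[-3]) + Y[P[153]]; rotate(Y)
        Y[0] = ((rotl32(self.s, 14) ^ Y[0]) + self.y(P[153])) & MASK32
        self.Y = Y[1:] + Y[:1]
        return out

def place(perm, idx, val):
    """Swap two entries so that perm[idx] == val while keeping perm a permutation."""
    j = perm.index(val)
    perm[idx], perm[j] = perm[j], perm[idx]

def build_state(seed=7):
    """Constructed state at the start of round 2 such that E1..E4 of Theorem 4.1 hold.

    Y^2[185] = Y^2[186] = 0 makes the swaps of rounds 2 and 3 no-ops, so P^2[i] = P_in[i+1]
    and P^3[i] = P^2[i+1]; the four conditions then fix six entries of P^2.
    """
    rng = random.Random(seed)
    Y = [rng.randrange(1 << 32) for _ in range(260)]
    Y[185 + 3] = 0          # swap index used in round 2
    Y[186 + 3] = 0          # becomes Y^3[185] after the rotation at the end of round 2
    P2 = list(range(256))
    place(P2, 116, 14)      # E1: P^2[116] + 18 = 32 = 0 mod 32
    place(P2, 117, 46)      # E2: P^3[116] = P^2[117], and 46 + 18 = 64 = 0 mod 32
    place(P2, 240, 5)       # E3: P^2[72] = P^3[239] + 1 = P^2[240] + 1
    place(P2, 72, 6)
    place(P2, 73, 7)        # E4: P^2[239] = P^3[72] + 1 = P^2[73] + 1
    place(P2, 239, 8)
    P_in = P2[-1:] + P2[:-1]   # undo the rotation that round 2 will apply
    return PyState(Y, P_in, rng.randrange(1 << 32))

def conditions_hold(P2, P3):
    """E1..E4 of Theorem 4.1 for the permutations after the P-rotation of rounds 2 and 3."""
    return ((P2[116] + 18) % 32 == 0 and (P3[116] + 18) % 32 == 0
            and P2[72] == P3[239] + 1 and P2[239] == P3[72] + 1)

def verify_theorem(state):
    """Run rounds 2 and 3 from the given state; return (E1..E4 hold, s^1 == s^3)."""
    s1 = state.s
    state.rf1()                 # round 2 produces P^2 and s^2
    P2 = list(state.P)
    state.rf1()                 # round 3 produces P^3 and s^3
    P3 = list(state.P)
    return conditions_hold(P2, P3), state.s == s1
```

`conditions_hold` also makes the probability estimates after the theorem tangible: $E_1$ requires $P^2[116] \in \{14, 46, 78, \ldots\}$, eight of 256 possible values, i.e. $2^{-5}$.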

Now, $s^1_1 = s^3_1 \Rightarrow s^1_{1(0)} = s^3_{1(0)}$, $\Pr(E_1) \approx \Pr(E_2) \approx 2^{-5}$ and $\Pr(E_3) \approx \Pr(E_4) \approx 2^{-8}$. Intuitively, it seems very reasonable to assume that $E_1$, $E_2$, $E_3$ and $E_4$ are independent. The actual value without the independence assumption is in fact larger, making the attack marginally better. Hence, $\Pr(E_1 \cap E_2 \cap E_3 \cap E_4) = 2^{-26}$. Similarly, we have $s^1_2 = s^3_2$ when the following four conditions are simultaneously satisfied:

1. $P^2_2[116] \equiv -18 \pmod{32}$ (event $E_5$),

2. $P^3_2[116] \equiv -18 \pmod{32}$ (event $E_6$),

3. $P^2_2[72] = P^3_2[239] + 1$ (event $E_7$),

4. $P^2_2[239] = P^3_2[72] + 1$ (event $E_8$).


Again, $s^1_2 = s^3_2 \Rightarrow s^1_{2(0)} = s^3_{2(0)}$ and

$$\Pr\Big(\bigcap_{i=1}^{8} E_i\Big) = \frac{1}{2^{52}}. \tag{4.18}$$

From the analysis in Sects. 4.4.1 and 4.4.2, when $D_3 \cap D_2 \cap D_1$ occurs, we have $Y^1_1[j] = Y^1_2[j]$, where $j \in \{-3, \ldots, 12\}$, and hence

$$Y^1_1[-1]_{(0)} = Y^1_2[-1]_{(0)}, \quad \text{and} \quad Y^1_1[1]_{(0)} = Y^1_2[1]_{(0)} \Rightarrow Y^3_1[-1]_{(0)} = Y^3_2[-1]_{(0)}.$$

Therefore, from (4.9), (4.10), (4.11) and (4.12), we obtain that

$$O^1_{(0)} \oplus O^3_{(0)} \oplus Z^1_{(0)} \oplus Z^3_{(0)} = 0 \tag{4.19}$$

holds when the following three events simultaneously occur:

1. $D_3 \cap D_2 \cap D_1$,

2. $\bigcap_{i=1}^{8} E_i$, and

3. $G_1$.

In Sect. 4.4.4, we calculate the probability that (4.19) is satisfied and, using this, compute the number of keystream samples required by the distinguisher.

4.4.4 The Distinguisher

Let $L$ denote the event $\big(\bigcap_{i=1}^{8} E_i\big) \cap (D_3 \cap D_2 \cap D_1) \cap G_1$. From (4.8), (4.18) and Table 4.6, we have $\Pr(L) = 2^{-52} \cdot 2^{-28.4} \cdot 2^{-16} = 2^{-96.4}$. Performing a large number of experiments, we make the reasonable assumption that the outputs are distributed uniformly at random when $L$ does not occur. Thereby, using Bayes' theorem we get:

\begin{align}
\Pr(O^1_{(0)} \oplus O^3_{(0)} \oplus Z^1_{(0)} \oplus Z^3_{(0)} = 0) &= \Pr(O^1_{(0)} \oplus O^3_{(0)} \oplus Z^1_{(0)} \oplus Z^3_{(0)} = 0 \mid L) \cdot \Pr(L) \notag\\
&\quad + \Pr(O^1_{(0)} \oplus O^3_{(0)} \oplus Z^1_{(0)} \oplus Z^3_{(0)} = 0 \mid L^c) \cdot \Pr(L^c) \notag\\
&= 1 \cdot 2^{-96.4} + \tfrac{1}{2} \cdot (1 - 2^{-96.4}) \notag\\
&= \tfrac{1}{2} + \tfrac{1}{2^{97.4}}. \tag{4.20}
\end{align}

In the case of an ideal cipher, this probability would be $1/2$. We can therefore mount a distinguishing attack here.


It must be noted that the probability computations leading to (4.20) are justified because of (i) the randomness provided by the $IP$ to equations such as (4.5), (ii) the fact that $K_1[17]$ and $K_2[17]$ can almost randomly assume any 8-bit values (the two bytes should only not be equal), (iii) the likelihood of $P_1$ and $P_2$ being independent and randomly generated at the end of the IV setup, and (iv) the assumption of a perfect K/IV setup in a single-K/IV setting.

To compute the number of samples $O^1_{(0)} \oplus O^3_{(0)} \oplus Z^1_{(0)} \oplus Z^3_{(0)}$ required to establish an optimal distinguisher³ with an advantage slightly greater than 0.5, we use the following equation derived from [166] (which, in turn, is derived from the formulae in [9]):

$$n_{\mathrm{samples}} = 0.4624 \cdot \frac{1}{p^2}, \tag{4.21}$$

where $p$ is the magnitude of the bias. In our analysis, from (4.20) we get $p = 2^{-97.4}$. Therefore, $n_{\mathrm{samples}} = 2^{193.7}$ for an advantage slightly greater than 0.5. The inherent assumption in these calculations is that the distribution of the samples $O^1_{(0)} \oplus O^3_{(0)} \oplus Z^1_{(0)} \oplus Z^3_{(0)}$ is close to the uniform distribution. Specifically, this means that $p \ll 0.5$ – and this is true.

4.4.5 Attacks with Shorter Keys

The related-key attacks described in the previous sections can be applied with shorter keys also. However, the data complexity of the distinguisher increases exponentially as the key size decreases. For example, when the key size is 128 bytes, the distinguisher works with $2^{229.7}$ data and comparable time for an advantage slightly greater than 0.5. If the key size is 64 bytes, the data complexity of the distinguisher is $2^{247.7}$ for the same advantage.

4.5 Conclusions and Future Work

In this chapter, we detected weaknesses in the KSAs of several members of the Py family of synchronous stream ciphers. On each of Py, Pypy, TPy and TPypy, we built distinguishing attacks with data complexity $2^{193.7}$ and comparable time.

An open problem is to investigate whether these related-key attacks could be improved and/or converted into efficient key recovery attacks. A direction is to try along the lines of the attack presented later in this thesis, in Sect. 8.6.6. A few other open problems are presented in Chapter 10.

³ Given a fixed number of samples, an optimal distinguisher attains the maximum advantage.


Chapter 5

Improved Distinguishing Attacks on HC-256

5.1 Introduction

HC-128 and HC-256 are software-oriented synchronous stream ciphers designed by Wu [238, 241]. HC-256 was published in 2004. The ciphers were also submitted to the eSTREAM competition in 2005. On the Pentium M processor, the speed of HC-128 reaches 3.05 cycles/byte, while HC-256 requires about 4.15 cycles/byte on the Pentium 4. Due to these impressive performance figures, the ciphers were seen as potential winners in the stream cipher contest. In the absence of attacks, both HC-256 and HC-128 were advanced to Phase III of the competition as 'focus' ciphers. Since the main focus of eSTREAM was 128-bit security, HC-128 was selected for the final eSTREAM portfolio under Profile 1 (software-based stream ciphers). The ciphers belong to the family of array-based stream ciphers that include, among others, RC4 and Py [27, 107].

Until this work, barring a few interesting observations, HC-128 and HC-256 had not witnessed any serious attacks. The designer himself has presented distinguishers along with the specifications in [238, 241]. In the case of HC-256, each distinguisher requires testing the validity of $2^{280}$ equations (where each equation involves 10 keystream output bits). In [67], Dunkelman reported an observation that the keystream words of HC-128 leak information on the internal state. However, this observation has not yet been exploited to construct distinguishers or to recover the key.¹ Zenner has presented cache-timing attacks on unprotected implementations of HC-256 that allow reconstruction of the inner state and also the key [247]. This attack requires 6,148 precise cache-timing measurements, $2^{16}$ KP bits, 3 MBytes of memory and a computational effort equivalent to testing about $2^{55}$ keys. However, the attack uses very strong assumptions – under these assumptions any unprotected implementation of a cipher based on lookup tables such as AES or RC4 could be broken easily. In 2008, Maitra et al. presented some observations on HC-128 in [132]. There they exploit the results of [211] (on linear approximation of modular addition of three integers) to show that the output generation of HC-128 can be well approximated by linear functions. Using this they show that for HC-128, the distinguisher presented in [241] for the LSB can be extended to the other bits. Their paper also studies the aforementioned observation due to Dunkelman [67]. Yet, their paper does not show any improvement over the existing attacks (i.e., those presented by the designer along with the specifications of the cipher).

¹ This point is discussed in greater detail in Sect. 10.5.

5.1.1 Contribution of This Work

The main idea behind our distinguishers is to note that the keystream generation of HC-256 involves two elements of the state array directly which are 10 places apart. We exploit this to improve the distinguisher presented in [238]. Our attacks do not work immediately for HC-128, as in the keystream output generation no two elements of the state array are involved directly, but they are used with some rotation.

For the LSB, our analysis is similar to that in [238], but a more careful analysis shows that the bias probability was underestimated and thus the requirement of keystream bits was overestimated in [238]. Our analysis improves the probability and thus our distinguishers require fewer keystream words. Each distinguisher requires examining about $2^{276.8}$ equations, where each equation involves 8 keystream output bits.

5.2 Notation and Conventions

We use the notation listed in Table 5.1.

5.3 Specifications of HC-256

The cipher uses a 256-bit key $K$ and a 256-bit IV. Let $K = K[0] \| \ldots \| K[7]$ and $IV = IV[0] \| \ldots \| IV[7]$, where each $K[i]$ and $IV[i]$ ($i = 0, \ldots, 7$) is 32 bits in length. The internal state of HC-256 consists of two tables $P$ and $Q$, each with 1024 32-bit elements. The following six functions are used in the specifications.

Table 5.1. Notation and conventions

Symbol / Notation                                                     Meaning
$+$                                                                   addition modulo $2^{32}$
$-$                                                                   subtraction modulo $2^{32}$
$\boxminus$                                                           subtraction modulo 1024
$s_i$                                                                 keystream word generated at the $(i+1)$th iteration of the KGA
$s_{i(j)}$, $(h_1(x))_j$, $(h_2(x))_j$, $r_{i(j)}$ and $(Q[r])_j$      $j$th bits ($j = 0$ for the LSB) of $s_i$, $h_1(x)$, $h_2(x)$, $r_i$ and $Q[r]$, respectively
$x^{(i)}$                                                             $i$th byte of the word $x$, where $x^{(0)}$ and $x^{(3)}$ are the least and most significant bytes, respectively

\begin{align}
f_1(x) &= (x \ggg 7) \oplus (x \ggg 18) \oplus (x \gg 3), \notag\\
f_2(x) &= (x \ggg 17) \oplus (x \ggg 19) \oplus (x \gg 10), \notag\\
g_1(x, y) &= ((x \ggg 10) \oplus (y \ggg 23)) + Q[(x \oplus y) \bmod 1024], \notag\\
g_2(x, y) &= ((x \ggg 10) \oplus (y \ggg 23)) + P[(x \oplus y) \bmod 1024], \notag\\
h_1(x) &= Q[x^{(0)}] + Q[256 + x^{(1)}] + Q[512 + x^{(2)}] + Q[768 + x^{(3)}], \notag\\
h_2(x) &= P[x^{(0)}] + P[256 + x^{(1)}] + P[512 + x^{(2)}] + P[768 + x^{(3)}], \notag
\end{align}

where $\ggg$ denotes a 32-bit right rotation and $\gg$ a right shift.

5.3.1 The K/IV Setup

1. The K and the IV are expanded into an array $W[0, \ldots, 2559]$ as:

$$W[i] = \begin{cases} K[i], & 0 \le i \le 7;\\ IV[i - 8], & 8 \le i \le 15;\\ f_2(W[i-2]) + W[i-7] + f_1(W[i-15]) + W[i-16] + i, & 16 \le i \le 2559. \end{cases}$$

2. Update the tables $P$ and $Q$ with the array $W$ as:

$$P[i] = W[i + 512], \quad \text{for } 0 \le i \le 1023,$$

$$Q[i] = W[i + 1536], \quad \text{for } 0 \le i \le 1023.$$

3. Run the KGA 4096 times without generating output.


5.3.2 The KGA

The KGA of HC-256 updates only one of the two tables $P$ and $Q$ in each iteration and outputs one word.

  i = 0 ;
  repeat until enough keystream bits are generated.
  {
      k ≡ i mod 1024 ;
      if (i mod 2048) < 1024
      {
          P[k] = P[k] + P[k ⊟ 10] + g1(P[k ⊟ 3], P[k ⊟ 1023]) ;
          si = h1(P[k ⊟ 12]) ⊕ P[k] ;
      }
      else
      {
          Q[k] = Q[k] + Q[k ⊟ 10] + g2(Q[k ⊟ 3], Q[k ⊟ 1023]) ;
          si = h2(Q[k ⊟ 12]) ⊕ Q[k] ;
      }
      end-if
      i = i + 1 ;
  }
  end-repeat
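The specification above (the six functions, the K/IV setup of Sect. 5.3.1 and the KGA of Sect. 5.3.2) is compact enough to implement directly. The following Python example is added here for illustration; it is not the designer's reference code and has not been checked against the specification's test vectors. It assumes that the key and IV bytes are packed into the 32-bit words $K[i]$ and $IV[i]$ little-endian (the thesis only shows the word form), and the demonstration key and IV are constructed values. The generator records, for each iteration, the index $k$ and the element $z_i = T[k \boxminus 12]$ it read, so that the identity $s_i = h_1(P[k \boxminus 12]) \oplus P[k]$ behind (5.1) in the next section can be checked on the running state.

```python
MASK32 = 0xFFFFFFFF

def rotr32(x, n):
    """32-bit right rotation (the >>> of the HC-256 specification)."""
    n &= 31
    return ((x >> n) | (x << (32 - n))) & MASK32

def f1(x):
    return rotr32(x, 7) ^ rotr32(x, 18) ^ (x >> 3)

def f2(x):
    return rotr32(x, 17) ^ rotr32(x, 19) ^ (x >> 10)

def g(x, y, other):
    """g1 when `other` is Q (P is being updated), g2 when `other` is P."""
    return ((rotr32(x, 10) ^ rotr32(y, 23)) + other[(x ^ y) & 1023]) & MASK32

def h(x, other):
    """h1 when `other` is Q, h2 when `other` is P: four byte-indexed lookups, added mod 2^32."""
    return (other[x & 0xFF] + other[256 + ((x >> 8) & 0xFF)]
            + other[512 + ((x >> 16) & 0xFF)] + other[768 + (x >> 24)]) & MASK32

class HC256:
    """HC-256 as specified in Sect. 5.3: W expansion, tables P and Q, and the KGA."""

    def __init__(self, key, iv):
        if len(key) != 32 or len(iv) != 32:
            raise ValueError("HC-256 uses a 256-bit key and a 256-bit IV")
        # Assumption: key/IV bytes are packed into 32-bit words little-endian.
        K = [int.from_bytes(key[4 * i:4 * i + 4], "little") for i in range(8)]
        IV = [int.from_bytes(iv[4 * i:4 * i + 4], "little") for i in range(8)]
        W = K + IV + [0] * (2560 - 16)
        for i in range(16, 2560):
            W[i] = (f2(W[i - 2]) + W[i - 7] + f1(W[i - 15]) + W[i - 16] + i) & MASK32
        self.P = W[512:1536]     # P[i] = W[i + 512]
        self.Q = W[1536:2560]    # Q[i] = W[i + 1536]
        self.i = 0
        self.last_k = None       # k = i mod 1024 of the last iteration
        self.last_z = None       # z_i = T[k - 12 mod 1024] read by the last iteration
        for _ in range(4096):    # step 3 of the K/IV setup: run the KGA without output
            self.keystream_word()

    def keystream_word(self):
        """One KGA iteration: update one table element, return the 32-bit keystream word s_i."""
        i = self.i
        k = i & 1023
        # P is updated (reading Q) when (i mod 2048) < 1024, otherwise Q is updated reading P
        T, U = (self.P, self.Q) if (i & 2047) < 1024 else (self.Q, self.P)
        T[k] = (T[k] + T[(k - 10) & 1023]
                + g(T[(k - 3) & 1023], T[(k - 1023) & 1023], U)) & MASK32
        z = T[(k - 12) & 1023]
        s = h(z, U) ^ T[k]
        self.i, self.last_k, self.last_z = i + 1, k, z
        return s

    def keystream(self, nwords):
        return [self.keystream_word() for _ in range(nwords)]

# Constructed key and IV for a demonstration run (not test vectors from the specification).
DEMO_KEY = bytes(range(32))
DEMO_IV = bytes(32)

def demo(nwords=4):
    return HC256(DEMO_KEY, DEMO_IV).keystream(nwords)
```

Because `keystream_word` keeps `last_k` and `last_z`, a caller can verify on any P-phase iteration that `s ^ h(z, Q)` equals the freshly updated `P[k]`, which is the left-hand side of (5.1) before the substitutions of the earlier keystream words.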

5.4 Motivational Observation

First, we recall the analysis provided by the designer in [238]. The analysis exploits weaknesses in the KGA and is based on the assumption of a flawless K/IV setup. At the $(i+1)$th iteration, if $(i \bmod 2048) < 1024$, the S-box $P$ is updated as:

$$P[i \bmod 1024] \leftarrow P[i \bmod 1024] + P[i \boxminus 10] + g_1(P[i \boxminus 3], P[i \boxminus 1023]).$$

Also, $s_i = h_1(P[i \boxminus 12]) \oplus P[i \bmod 1024]$. For $10 \le (i \bmod 2048) < 1023$, this can also be written as:

$$s_i \oplus h_1(z_i) = (s_{i-2048} \oplus h'_1(z_{i-2048})) + (s_{i-10} \oplus h_1(z_{i-10})) + g_1(s_{i-3} \oplus h_1(z_{i-3}),\; s_{i-2047} \oplus h'_1(z_{i-2047})), \tag{5.1}$$

where $h_1(x)$ and $h'_1(x)$ are different functions since they are related to different S-boxes (see Sect. 5.3.2) and $z_i$ denotes the array element $P[i \boxminus 12]$ at the $(i+1)$th iteration.


Since addition and XOR are the same at the LSB position,² from (5.1) we get:

\begin{align}
s_{i(0)} \oplus s_{i-2048(0)} \oplus s_{i-10(0)} \oplus s_{i-3(10)} \oplus s_{i-2047(23)} &= (h_1(z_i))_0 \oplus (h'_1(z_{i-2048}))_0 \oplus (h_1(z_{i-10}))_0 \notag\\
&\quad \oplus (h_1(z_{i-3}))_{10} \oplus (h'_1(z_{i-2047}))_{23} \oplus (Q[r_i])_0, \tag{5.2}
\end{align}

where $10 \le (i \bmod 2048) < 1023$ and $r_i \equiv (s_{i-3} \oplus h_1(z_{i-3}) \oplus s_{i-2047} \oplus h'_1(z_{i-2047})) \bmod 1024$. Similarly, when $2048 \cdot \alpha + 10 \le i, j < 2048 \cdot \alpha + 1023$,³ and $i \neq j$,

\begin{align}
s_{j(0)} \oplus s_{j-2048(0)} \oplus s_{j-10(0)} \oplus s_{j-3(10)} \oplus s_{j-2047(23)} &= (h_1(z_j))_0 \oplus (h'_1(z_{j-2048}))_0 \oplus (h_1(z_{j-10}))_0 \notag\\
&\quad \oplus (h_1(z_{j-3}))_{10} \oplus (h'_1(z_{j-2047}))_{23} \oplus (Q[r_j])_0. \tag{5.3}
\end{align}

For the left-hand sides of (5.2) and (5.3) to be equal, i.e., for

\begin{align}
s_{i(0)} \oplus s_{i-2048(0)} \oplus s_{i-10(0)} \oplus s_{i-3(10)} \oplus s_{i-2047(23)} &= s_{j(0)} \oplus s_{j-2048(0)} \oplus s_{j-10(0)} \oplus s_{j-3(10)} \oplus s_{j-2047(23)} \tag{5.4}
\end{align}

to hold for $2048 \cdot \alpha + 10 \le i, j < 2048 \cdot \alpha + 1023$ ($i \neq j$), we require that

\begin{align}
(h_1(z_i))_0 \oplus (h'_1(z_{i-2048}))_0 \oplus (h_1(z_{i-10}))_0 \oplus (h_1(z_{i-3}))_{10} \oplus (h'_1(z_{i-2047}))_{23} \oplus (Q[r_i])_0 \notag\\
= (h_1(z_j))_0 \oplus (h'_1(z_{j-2048}))_0 \oplus (h_1(z_{j-10}))_0 \oplus (h_1(z_{j-3}))_{10} \oplus (h'_1(z_{j-2047}))_{23} \oplus (Q[r_j])_0. \tag{5.5}
\end{align}

Using the fact that $z_i = z_{i-2048} + z_{i-10} + g_1(z_{i-3}, z_{i-2047})$ and $z_j = z_{j-2048} + z_{j-10} + g_1(z_{j-3}, z_{j-2047})$, we approximate (5.5) as:

$$H(x_1) = H(x_2), \tag{5.6}$$

where $H$ denotes a random secret 138-bit-to-1-bit S-box, $x_1$ and $x_2$ are two 138-bit random inputs, $x_1 = z_{i-3} \| z_{i-10} \| z_{i-2047} \| z_{i-2048} \| r_i$ and $x_2 = z_{j-3} \| z_{j-10} \| z_{j-2047} \| z_{j-2048} \| r_j$.

We now restate Theorem 1 and its proof from [238].

² For more significant bits, addition may be approximated by XOR with some biased probability (see [211]).

³ $\alpha$ is an element of $\mathbb{N}$ such that $2048 \cdot \alpha + 1023 < 2^{123}$ (since HC-256 generates a maximum of $2^{123}$ outputs, or $2^{128}$ output bits, from a single $(K, IV)$ pair).


Theorem 5.1. Let $H$ be an $m$-bit-to-$n$-bit S-box and all those $n$-bit elements are randomly generated, where $m \ge n$. Let $x_1$ and $x_2$ be two $m$-bit random inputs to $H$. Then $H(x_1) = H(x_2)$ with probability $2^{-m} + 2^{-n} - 2^{-m-n}$.

Proof. Given $x_1 = x_2$, $H(x_1) = H(x_2)$. If $x_1 \neq x_2$, then $H(x_1) = H(x_2)$ with probability $2^{-n}$. Since the probability that $x_1 = x_2$ is $2^{-m}$, $x_1 \neq x_2$ with probability $1 - 2^{-m}$. The probability that $H(x_1) = H(x_2)$ is, therefore, $2^{-m} + 2^{-n} - 2^{-m-n}$.

From Theorem 5.1, (5.6) and hence (5.4) holds with probability $1/2 + 2^{-139}$ given $2048 \cdot \alpha + 10 \le i, j < 2048 \cdot \alpha + 1023$ and $i \neq j$. In Sect. 5.4.1, we show that (5.4) holds with a marginally higher probability when $i = j + 10$.

5.4.1 Our Improvement

Similar to the analysis above, our analysis is also based on the assumption of a perfect K/IV setup. When $2048 \cdot \alpha + 10 \le i, j < 2048 \cdot \alpha + 1023$ and $i = j + 10$, (5.4) and (5.5) respectively become:

\begin{align}
s_{j-2038(0)} \oplus s_{j+10(0)} \oplus s_{j+7(10)} \oplus s_{j-2037(23)} &= s_{j-2048(0)} \oplus s_{j-10(0)} \oplus s_{j-3(10)} \oplus s_{j-2047(23)}, \quad \text{and} \tag{5.7}\\
(h_1(z_{j+10}))_0 \oplus (h'_1(z_{j-2038}))_0 \oplus (h_1(z_{j+7}))_{10} \oplus (h'_1(z_{j-2037}))_{23} \oplus (Q[r_{j+10}])_0 &= (h_1(z_{j-10}))_0 \oplus (h'_1(z_{j-2048}))_0 \oplus (h_1(z_{j-3}))_{10} \oplus (h'_1(z_{j-2047}))_{23} \oplus (Q[r_j])_0. \tag{5.8}
\end{align}

Let $L$ denote the event that (5.8) is satisfied. We now examine the following two cases under the assumption of a perfect K/IV setup.

Case 1. Let $E$ denote the event $z_{j-2038} \| z_{j+7} \| z_{j-2037} = z_{j-2048} \| z_{j-3} \| z_{j-2047}$. Since each $z$-term is a 32-bit variable distributed uniformly at random, the probability that $E$ occurs is $\Pr(E) = 2^{-96}$. When $E$ occurs, (5.8) reduces to:

$$(h_1(z_{j+10}))_0 \oplus (Q[r_{j+10}])_0 = (h_1(z_{j-10}))_0 \oplus (Q[r_j])_0. \tag{5.9}$$

We know that

$$(h_1(z_{j+10}))_0 = (Q[z^{(0)}_{j+10}])_0 \oplus (Q[256 + z^{(1)}_{j+10}])_0 \oplus (Q[512 + z^{(2)}_{j+10}])_0 \oplus (Q[768 + z^{(3)}_{j+10}])_0. \tag{5.10}$$


Similarly,

$$(h_1(z_{j-10}))_0 = (Q[z^{(0)}_{j-10}])_0 \oplus (Q[256 + z^{(1)}_{j-10}])_0 \oplus (Q[512 + z^{(2)}_{j-10}])_0 \oplus (Q[768 + z^{(3)}_{j-10}])_0. \tag{5.11}$$

Let $F$ denote the event $z^{(2)}_{j+10} \| z^{(1)}_{j+10} \| z^{(0)}_{j+10} = z^{(2)}_{j-10} \| z^{(1)}_{j-10} \| z^{(0)}_{j-10}$. Now, recall that

$$z_j = z_{j-2048} + z_{j-10} + g_1(z_{j-3}, z_{j-2047}). \tag{5.12}$$

Therefore,

$$z_{j+10} = z_{j-2038} + z_j + g_1(z_{j+7}, z_{j-2037}). \tag{5.13}$$

Observation 5.1. When event $E$ occurs, it follows from (5.12) and (5.13) that $z_{j+10}$ and $z_{j-10}$ take the forms $z_{j+10} \equiv A + B + C \pmod{2^{32}}$ and $z_{j-10} \equiv -A + B - C \pmod{2^{32}}$, respectively. Therefore, the LSBs of $z_{j+10}$ and $z_{j-10}$ are identical and hence $\Pr(F \mid E) = 2^{-23}$. Besides, the MSBs of $z_{j+10}$ and $z_{j-10}$ are equal if and only if $z_{j+10} = z_{j-10}$ (which, in turn, happens with probability $2^{-31}$ since their LSBs are identical). In other words, $\Pr(z_{j+10} = z_{j-10} \mid E) = 2^{-31} = \Pr(z_{j+10(31)} = z_{j-10(31)} \mid E)$,⁴ where $z_{j(k)}$ denotes the $k$th significant bit of $z_j$ ($k = 0$ denotes the LSB).

We use Observation 5.1 throughout this chapter and Appendix D.

When $F$ occurs, (5.9) reduces to:

$$(Q[768 + z^{(3)}_{j+10}])_0 \oplus (Q[r_{j+10}])_0 = (Q[768 + z^{(3)}_{j-10}])_0 \oplus (Q[r_j])_0. \tag{5.14}$$

Now, if $z^{(3)}_{j+10(7)} \neq z^{(3)}_{j-10(7)}$, that is, $z_{j+10(31)} \neq z_{j-10(31)}$ (this is because $z^{(3)}_{j+10(7)}$ is the MSB of $z_{j+10}$, i.e., $z_{j+10(31)}$), then $768 + z^{(3)}_{j+10} \neq 768 + z^{(3)}_{j-10}$. Given this, if $r_{j+10} \| r_j = (768 + z^{(3)}_{j+10}) \| (768 + z^{(3)}_{j-10})$ (the probability is $2^{-20}$ since $r_j$ is a 10-bit variable) or $r_{j+10} \| r_j = (768 + z^{(3)}_{j-10}) \| (768 + z^{(3)}_{j+10})$, then (5.14) holds. Note that we cannot have both the relations $r_{j+10} \| r_j = (768 + z^{(3)}_{j+10}) \| (768 + z^{(3)}_{j-10})$ and $r_{j+10} \| r_j = (768 + z^{(3)}_{j-10}) \| (768 + z^{(3)}_{j+10})$ satisfied; otherwise, $z^{(3)}_{j+10(7)} \neq z^{(3)}_{j-10(7)}$ is violated.

Summarising the above results, we have (5.8) to be satisfied when the followingfour conditions (say S1) simultaneously occur:

⁴ This is confirmed by our simple experiments with 8-bit and 16-bit integers. We first considered the equations $X \equiv A + B + C \bmod 256$ and $Y \equiv -A + B - C \bmod 256$, and evaluated $\Pr(X = Y)$ and $\Pr(X(7) = Y(7))$ while varying $A$, $B$, $C$ over all possible 8-bit values. We obtained $\Pr(X = Y) = \Pr(X(7) = Y(7)) = 2^{-7}$. With 16-bit values, when $X \equiv A + B + C \bmod 2^{16}$ and $Y \equiv -A + B - C \bmod 2^{16}$, we obtained $\Pr(X = Y) = \Pr(X(15) = Y(15)) = 2^{-15}$. We performed several similar experiments and the results are tabulated in Appendix D.1.
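The experiment that footnote 4 describes can be rerun exhaustively. The Python below is an added example written for this page, not the code behind Appendix D.1. The only assumption made here is the reduction of the $(A, B, C)$ enumeration to $(s, B)$ with $s = A + C \bmod 2^n$, which is exact because every value of $s$ is reached by the same number of pairs $(A, C)$; `footnote_probabilities_full` is the literal triple loop for cross-checking on small $n$. The enumeration reproduces $\Pr(X = Y) = 2^{-(n-1)}$, i.e. $2^{-7}$ for $n = 8$. For the top bit, however, it returns exactly $1/2$ rather than $2^{-7}$: since $X - Y \equiv 2(A + C) \bmod 2^n$, adding the even offset $2s$ to $B$ leaves the top bit unchanged for exactly half of all $(s, B)$ pairs. Anyone reusing condition 3 of $S_1$, which takes its $1 - 2^{-8}$ from Observation 5.1, should reconcile the two figures against Appendix D.1 before relying on the resulting $\Pr(S_1)$.

```python
from fractions import Fraction


def footnote_probabilities(n):
    """Footnote 4's experiment for n-bit words, returned as exact fractions.

    X = A + B + C mod 2^n and Y = -A + B - C mod 2^n.  (A, C) enter only through
    s = A + C mod 2^n, and every value of s arises from exactly 2^n pairs (A, C),
    so enumerating (s, B) gives the same probabilities as the full (A, B, C) loop
    (an assumption made for speed; see footnote_probabilities_full for the check).
    Returns (Pr[X = Y], Pr[X and Y agree in their most significant bit]).
    """
    mod = 1 << n
    msb = 1 << (n - 1)
    equal = 0
    msb_equal = 0
    for s in range(mod):
        for b in range(mod):
            x = (b + s) % mod
            y = (b - s) % mod
            equal += x == y
            msb_equal += (x & msb) == (y & msb)
    total = mod * mod
    return Fraction(equal, total), Fraction(msb_equal, total)


def footnote_probabilities_full(n):
    """Literal three-variable enumeration, for cross-checking the reduction on small n."""
    mod = 1 << n
    msb = 1 << (n - 1)
    equal = 0
    msb_equal = 0
    for a in range(mod):
        for b in range(mod):
            for c in range(mod):
                x = (a + b + c) % mod
                y = (-a + b - c) % mod
                equal += x == y
                msb_equal += (x & msb) == (y & msb)
    total = mod ** 3
    return Fraction(equal, total), Fraction(msb_equal, total)


if __name__ == "__main__":
    for n in (4, 8):
        p_eq, p_msb = footnote_probabilities(n)
        print(f"n={n}: Pr[X = Y] = {p_eq}, Pr[X({n-1}) = Y({n-1})] = {p_msb}")
```

Running it for $n = 8$ takes a fraction of a second; the 16-bit case of the footnote is $2^{32}$ pairs under the reduction and is better left to a compiled language, but the argument above shows the answers are $2^{-15}$ and $1/2$ there as well.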


1. $z_{j-2048} \| z_{j+7} \| z_{j-2037} = z_{j-2038} \| z_{j-3} \| z_{j-2047}$ (this happens with probability $2^{-96}$),

2. $z^{(2)}_{j+10} \| z^{(1)}_{j+10} \| z^{(0)}_{j+10} = z^{(2)}_{j-10} \| z^{(1)}_{j-10} \| z^{(0)}_{j-10}$ (from Observation 5.1, this probability is $2^{-23}$ given condition 1),

3. $z^{(3)}_{j+10}(7) \neq z^{(3)}_{j-10}(7)$, i.e., $z_{j+10}(31) \neq z_{j-10}(31)$ (from Observation 5.1, this probability is $1 - 2^{-8}$ given conditions 1 and 2: given condition 2 the two words already agree in their 24 least significant bits, and since equal MSBs imply $z_{j+10} = z_{j-10}$, the MSBs agree with probability $2^{-31}/2^{-23} = 2^{-8}$),

4. $r_{j+10} \| r_j = (768 + z^{(3)}_{j+10}) \| (768 + z^{(3)}_{j-10})$ (probability $2^{-20}$) or $r_{j+10} \| r_j = (768 + z^{(3)}_{j-10}) \| (768 + z^{(3)}_{j+10})$ (we have just observed that the two events are mutually exclusive given condition 3; their combined probability is therefore $2^{-20} + 2^{-20} = 2^{-19}$).

Therefore, $\Pr(S_1) = 2^{-96} \cdot 2^{-23} \cdot (1 - 2^{-8}) \cdot 2^{-19} \approx 2^{-138}$.

Case 2. Proceeding along the lines of the arguments in Case 1, we define $S_2$ as follows:

1. $z_{j-2038} \| z_{j+7} \| z_{j-2037} = z_{j-2048} \| z_{j-3} \| z_{j-2047}$ (probability $2^{-96}$),

2. $z^{(3)}_{j+10} \| z^{(2)}_{j+10} \| z^{(1)}_{j+10} \| z^{(0)}_{j+10} = z^{(3)}_{j-10} \| z^{(2)}_{j-10} \| z^{(1)}_{j-10} \| z^{(0)}_{j-10}$, i.e., $z_{j+10} = z_{j-10}$ (from Observation 5.1, this probability is $2^{-31}$ given condition 1),

3. $r_{j+10} = r_j$ (probability $2^{-10}$).

From (5.9), (5.10) and (5.11), it is easy to see that event $L$ occurs when $S_2$ occurs. The probability that $S_2$ occurs is $\Pr(S_2) = 2^{-96} \cdot 2^{-31} \cdot 2^{-10} = 2^{-137}$. From condition 3 of $S_1$ and condition 2 of $S_2$, $S_1$ and $S_2$ are mutually exclusive. Therefore, $\Pr(S_1 \cup S_2) = 2^{-138} + 2^{-137} = 2^{-136.4}$.

Actually, there are a few other such favourable events which result in the occurrence of $L$. However, from a large number of experiments we found that each of them occurs with much smaller probability than $\Pr(S_1)$ or $\Pr(S_2)$. The combined probability of all the mutually exclusive events was found to be approximately $2^{-136.35}$; therefore, the gain over $\Pr(S_1 \cup S_2)$ is negligible. When none of these events occurs, it follows that at least two terms in (5.8) have one of the following two forms:

(a) $(Q[X])_m$, $(Q[Y])_m$ (where $X \neq Y$), or
(b) $(Q[X])_m$, $(Q[Y])_n$ (where $m \neq n$).

In each case, it is easy to see that the two terms do not cancel out with biased probability. Besides, at least one of the two terms does not cancel out with any other term in (5.8) with biased probability. In other words, when $Q$ is a random S-box, if $X = Y$ with probability $p \neq 0$, then $(Q[X])_m = (Q[Y])_m$ holds with probability $1/2 + p/2$ by Theorem 5.1. When none of the $S$-like events occurs, we find that Theorem 5.1 may, even in the best case, be applied in the same way to all pairs of terms in (5.8) except one. We also illustrate this with an example in Appendix D.2.

Therefore, when $(S_1 \cup S_2)^c$ occurs, (5.8) and hence (5.7) holds with uniform probability $1/2$ under the reasonable assumption of a perfect K/IV setup. Applying the law of total probability, we obtain:

$$\Pr(L) = \Pr(L \mid S_1 \cup S_2) \cdot \Pr(S_1 \cup S_2) + \Pr(L \mid (S_1 \cup S_2)^c) \cdot \Pr((S_1 \cup S_2)^c) = 1 \cdot 2^{-136.4} + 0.5 \cdot (1 - 2^{-136.4}) = 1/2 + 2^{-137.4} . \qquad (5.15)$$

Note that: (i) had HC-256 been an ideal cipher, this probability would have been $1/2$; (ii) in [238], this bias was $1/2 + 2^{-139}$.

5.5 The Distinguisher

In this section we build a distinguishing attack on HC-256 using the results of Sect. 5.4. To facilitate comparison between our attack and the attack in [238], we use the same formulae for the distinguisher as in [238]. Let $N$ denote the total number of equations (5.7). Let $p$ and $p'$ respectively denote the probability that (5.7) holds given the outputs are collected from HC-256 and the probability that (5.7) holds given the outputs are generated by an ideal cipher. That is, $p = 0.5 + 2^{-137.4}$ (from (5.15)) and $p' = 0.5$. Let $D$ and $D'$ denote the distributions of the XOR-sum of the 8 output bits in (5.7) from HC-256 and an ideal cipher, respectively. Then, $\mu = Np$ and $\mu' = Np'$ are the respective means of $D$ and $D'$. Similarly, $\sigma = \sqrt{Np(1-p)}$ and $\sigma' = \sqrt{Np'(1-p')}$ denote the respective standard deviations of $D$ and $D'$. When $N$ is large, it is a well-known result that each of these binomial distributions can be approximated with the normal distribution. Now, if $|\mu - \mu'| > 2(\sigma + \sigma')$, i.e., $N > 2^{276.8}$, the cipher can be distinguished from an ideal cipher with success rate 0.9772 (since the cumulative distribution function gives the value 0.9772 at $\mu + 2\sigma$).⁵ For $N$ to be considered large enough for the normal approximation to the binomial distribution to hold, a commonly employed rule of thumb is: $N \cdot p'' > 5$ and $N \cdot (1 - p'') > 5$, where $p'' \in \{p, p'\}$. It is immediately seen that both inequalities hold when $N = 2^{276.8}$. In [238], $N > 2^{280}$ for the same success rate. The attack in [238] has one advantage though: in every 1024 consecutive output words there are many more equations (5.4) than equations (5.7), and therefore more equations (5.4) per (K, IV) pair.

⁵ The condition $|\mu - \mu'| > 2(\sigma + \sigma')$ comes from the fact that either $\mu + 2\sigma < \mu' - 2\sigma'$ or $\mu - 2\sigma > \mu' + 2\sigma'$ for the two distributions to have non-overlapping confidence intervals.

Now, each equation (5.4) has 10 keystream bits, whereas each equation (5.7) has only 8 output bits. Therefore, for our distinguisher, $8 \cdot 2^{276.8} = 2^{279.8}$ keystream bits are required, whereas in [238], $10 \cdot 2^{280} = 2^{283.3}$ keystream bits are needed to build the distinguisher. Thus our attack requires about 12 times fewer keystream bits. We point out one issue here. It is actually possible to mount the distinguishing attack with fewer keystream bits per (K, IV) pair. For example, if the adversary is given $2^{106}$ sets of keystream bits $(s_{j-2038}(0), s_{j+10}(0), s_{j+7}(10), s_{j-2037}(23), s_{j-2048}(0), s_{j-10}(0), s_{j-3}(10), s_{j-2047}(23))$ from each of $2^{170.8}$ random (K, IV) pairs, then a total of $2^{279.8}$ output bits are available and the distinguishing attack can be mounted.

Thus the conjecture in [238] that HC-256 will require more than $2^{174}$ keystream output words (or, equivalently, $2^{179}$ output bits) for a distinguishing attack should be restated.
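For $p = 1/2 + \varepsilon$ and $p' = 1/2$, the sizing rule $|\mu - \mu'| > 2(\sigma + \sigma')$ above reduces to $N\varepsilon > 2\sqrt{N}$, i.e. $N > (2/\varepsilon)^2$. The Python below is an added worked example, not code from the thesis: it carries that computation in $\log_2$ form (a double cannot represent $1/2 + 2^{-137.4}$), evaluates the quoted success rate $\Phi(2)$, checks the $Np'' > 5$ rule of thumb and compares the keystream requirements of the two distinguishers with the figures in the text. The general parameter $k$ replaces the constant 2 so that other confidence levels can be sized the same way.

```python
import math


def log2_samples(bias_log2, k=2.0):
    """log2 of the number N of equations needed for |mu - mu'| > k (sigma + sigma').

    With p = 1/2 + eps and p' = 1/2 we have sigma ~ sigma' ~ sqrt(N)/2, so the
    condition is N eps > k sqrt(N), i.e. N > (k / eps)^2.  The bias is passed as
    log2(eps) because 2^-137.4 is lost when added to 1/2 in double precision.
    """
    return 2.0 * (math.log2(k) - bias_log2)


def success_rate(k=2.0):
    """Phi(k): probability that the statistic falls beyond mu' + k sigma' (0.9772 for k = 2)."""
    return 0.5 * (1.0 + math.erf(k / math.sqrt(2.0)))


def log2_keystream_bits(bias_log2, bits_per_equation, k=2.0):
    """log2 of the keystream bits consumed: N equations of bits_per_equation bits each."""
    return math.log2(bits_per_equation) + log2_samples(bias_log2, k)


def normal_approximation_ok(log2_n, p=0.5):
    """Rule of thumb from the text: N p > 5 and N (1 - p) > 5."""
    return (log2_n + math.log2(p) > math.log2(5)
            and log2_n + math.log2(1 - p) > math.log2(5))


def improvement_factor(old_bias_log2, old_bits, new_bias_log2, new_bits, k=2.0):
    """Ratio of keystream bits needed by an older distinguisher to a newer one."""
    return 2.0 ** (log2_keystream_bits(old_bias_log2, old_bits, k)
                   - log2_keystream_bits(new_bias_log2, new_bits, k))


if __name__ == "__main__":
    # Bias 2^-137.4 with 8 bits per equation (this chapter) against 2^-139 with 10 bits ([238]).
    print("log2 N:", log2_samples(-137.4), log2_samples(-139.0))
    print("log2 keystream bits:", log2_keystream_bits(-137.4, 8), log2_keystream_bits(-139.0, 10))
    print("improvement factor:", improvement_factor(-139.0, 10, -137.4, 8))
    print("success rate:", success_rate())
```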

5.6 Conclusions and Future Work

In this chapter, we presented distinguishing attacks on the stream cipher HC-256. The hitherto best-known distinguisher on the cipher was presented in [238] and requires $2^{280}$ equations (each involving 10 keystream output bits) to be tested for a success rate of 0.9772. Each of our distinguishers requires $2^{276.8}$ equations (with 8 keystream bits in every equation) to be examined for the same success probability. Thereby, we improved the data requirement of [238] by a factor of about 12.

In [48], Crowley employs a Hidden Markov Model to combine several biases inthe keystream of the cipher Py and improves the attacks described in [166]. Giventhe structural similarities between Py and HC-256, it may be possible to applythe same technique here to construct a more efficient distinguisher. We leave it asan open problem.

A variant of HC-256, named HC-256′, was also proposed by Wu in [238, Sect. 6] but without any accompanying cryptanalysis. Investigating whether our attacks could also be applied to HC-256′ is another interesting open problem.


Part IV

Cryptanalysis of AsynchronousStream Ciphers


Chapter 6

Correlated Keystreams inMoustique

6.1 Introduction

The self-synchronising cipher Mosquito was designed by Daemen and Kitsos [51] for the ECRYPT eSTREAM competition. As a self-synchronising stream cipher, Mosquito was already a rather unusual submission. There was only one other self-synchronising stream cipher submitted to eSTREAM, SSS [184]. As already mentioned, it has been recognised that the design of secure and efficient self-synchronising stream ciphers is a difficult task. So, not very surprisingly, attacks on SSS [53] and Mosquito [104] soon followed. As a result of the attack on Mosquito, a tweaked variant of Mosquito, called Moustique [52], was proposed for the second phase of analysis in the eSTREAM contest.

In this chapter we describe a set of simple related-key pairs for Moustique.Our observation illustrates unfortunate aspects of the tweaks in moving fromMosquito to Moustique. They lead directly to a very strong distinguisher forthe keystream generated from two related keys; and further to a rather devastatingkey recovery attack in the related-key setting [20]. Aside from very efficientdistinguishers and key recovery attacks in the related-key setting, the related keysalso lead to an improvement over exhaustive key search in the standard setting.

Throughout this chapter we use established notation.

6.2 Description of Moustique

In this section we describe the parts of the Moustique description that are relevant to our observations. More information can be found in [52]. Moustique uses a 96-bit key. The key bits are denoted by $k_j$, with $0 \leq j \leq 95$. At each step Moustique takes as input one bit of ciphertext and produces one bit of keystream.

Moustique consists of two parts: a 128-bit CCSR holding the state and anonlinear output filter (see Figure 6.1) with 8 stages.

[Figure 6.1: the 128-bit CCSR, with cells indexed $j = 1, \ldots, 96$ and bits $i = 0, \ldots, 15$, feeds the filter; the filter output (the keystream bit) is XORed with the plaintext bit $p$ to give the ciphertext bit $c$, which is fed back into the CCSR.]

Figure 6.1. State and filter of Moustique ($p$ and $c$ denote a plaintext bit and the corresponding ciphertext bit); the only difference to Mosquito is that one third of the Moustique state is now updated using a linear function $g_0$ to improve diffusion within the CCSR.

6.2.1 The CCSR

The CCSR is divided into 96 cells, denoted by $q^j$ with $1 \leq j \leq 96$. Each cell contains between 1 and 16 bits, denoted by $q^j_i$. The updating function of the CCSR is given by:

$$Q^j_0 = g_x(q^{j-1}_0, k_{j-1}, 0, 0) , \quad j = 1, 2 ;$$
$$Q^j_i = g_x(q^{j-1}_i, k_{j-1}, q^v_i, q^w_i) , \quad 2 < j < 96, \ \forall i ; \ \text{and } j = 96, i = 0 ;$$
$$Q^{96}_i = g_2(q^{95}_i, q^{95-i}_0, q^{94}_i, q^{94-i}_1) , \quad i = 1, 2, \ldots, 15 . \qquad (6.1)$$

The $Q^j_i$ are the new values of the $q^j_i$ after one iteration. The subscript indices are always taken modulo the number of bits in the particular cell. The values of $x$, $v$ and $w$ are defined in Table 6.1. A value 0 for $v$ or $w$ indicates that the ciphertext feedback bit ($c$) is used as input.

Table 6.1. The use of the functions $g_0$ and $g_1$ in the CCSR

Index                        Function   $v$                 $w$
$(j - i) \equiv 1 \bmod 3$   $g_0$      $2(j - i - 1)/3$    $j - 2$
$(j - i) \equiv 2 \bmod 3$   $g_1$      $j - 4$             $j - 2$
$(j - i) \equiv 3 \bmod 6$   $g_1$      $0$                 $j - 2$
$(j - i) \equiv 0 \bmod 6$   $g_1$      $j - 5$             $0$

The $g_x$ functions are defined as follows:

$$g_0(a, b, d, e) = a + b + d + e , \qquad (6.2)$$
$$g_1(a, b, d, e) = a + b + d(e + 1) + 1 , \qquad (6.3)$$
$$g_2(a, b, d, e) = a(b + 1) + d(e + 1) . \qquad (6.4)$$

Addition and multiplication are over $\mathbb{F}_2$.

6.2.2 The Filter

The first stage of the filter compresses the 128 bits of the CCSR to 53 bits. First, the filter input $a^0 = (a^0_1, \ldots, a^0_{128})$ is obtained by re-indexing the CCSR cells $q^j_i$ in the following way:

$$a^0_j = q^j_0 , \quad 1 \leq j \leq 96 ;$$
$$a^0_j = q^{j-8}_1 , \quad 97 \leq j \leq 104 ;$$
$$a^0_j = q^{j-12}_2 , \quad 105 \leq j \leq 108 ;$$
$$a^0_j = q^{j-16}_3 , \quad 109 \leq j \leq 112 ;$$
$$a^0_{105+2j} = q^{95}_j , \quad 4 \leq j \leq 7 ;$$
$$a^0_{106+2j} = q^{96}_j , \quad 4 \leq j \leq 7 ;$$
$$a^0_{113+j} = q^{96}_j , \quad 8 \leq j \leq 15 . \qquad (6.5)$$

Then, the 53 bits of output are obtained by taking 53 applications of $g_1$:

$$a^1_{4j \bmod 53} = g_1(a^0_{128-j}, a^0_{j+18}, a^0_{113-j}, a^0_{j+1}) , \quad 0 \leq j < 53 . \qquad (6.6)$$

The next four stages of the filter iteratively transform these 53 bits in a nonlinearfashion. The sixth stage compresses the 53 bits to 12. Finally, the last two stagesXOR these 12 bits together to produce a single bit of keystream. For simplicity, weomit the full description of the filter and refer the interested reader to the cipherspecifications [52]. We however note that the only nonlinear filter component isthe function g1.


6.3 Observations on Moustique

In this section we provide the basic observations that we will need in this chapter. Some have already been observed in previous work [104].

6.3.1 Limited Impact of the IV

Observation 6.1. The IV of Moustique influences only the first 105 bits of the keystream.

This is a consequence of the fact that the IV of Moustique is used only toinitialise the state, and as every self-synchronising stream cipher does, it graduallyoverwrites its state with ciphertext bits.

6.3.2 Differential Trails in the Filtering Function

As was done in the attack on Mosquito [104], we can make some simple observations on the filter function of Moustique.

We note that the first stage of the filter is compressing and that no newinformation enters the filter after this stage. This leads to the first observation.

Observation 6.2. Any two 128-bit CCSR states that produce the same 53-bitoutput after the first stage of filtering, also produce an equal keystream bit.

Recall that the first stage of the Moustique output filter only uses the function $g_1(a, b, d, e) = a + b + d(e + 1) + 1$. So a consequence of this observation is that for given $a$ and $b$, if we flip input $d$, the output of $g_1$ is unaffected with probability $p = \Pr(e = 1)$. Similarly, for given $a$ and $b$, if we flip $e$, the output is unaffected with probability $p = \Pr(d = 0)$. To exploit this, we can observe the following.

Observation 6.3. State bits $q^1_0, \ldots, q^{17}_0$ and $q^{71}_0, \ldots, q^{75}_0$ are used in the filter input only in one location, and only as the third or fourth input to the function $g_1$.

(This can be read off (6.6): $a^0_1, \ldots, a^0_{17}$ occur only as the fourth input $a^0_{j+1}$, since the second input $a^0_{j+18}$ covers only indices 18 to 70; and $a^0_{71}, \ldots, a^0_{75}$ occur only as the third input $a^0_{113-j}$, since the first input $a^0_{128-j}$ covers only indices 76 to 128.)

Suppose we flip one of these 22 bits. The two outputs of $g_1$ are equal with probability $p$ and, consequently, by the law of total probability, the two outputs of the filter will be equal with probability $0.5 + p/2$. If the inputs to $g_1$ are balanced, then we have $p = 0.5$ and the probability that the output bit is unchanged is 0.75 (i.e., with bias $\varepsilon = 0.25$).

6.3.3 Impact of Key Bits on the CCSR

The chosen-ciphertext (CC) attack on Mosquito [104] exploited slow diffusion within the CCSR, and so the state update function of Mosquito was tweaked. The state update of Moustique uses a linear function $g_0$ for updating one third of the state bits. While this improves the worst-case diffusion, it exhibits weaknesses that we exploit to construct related-key pairs that result in highly correlated keystreams.

Moustique uses key bits only in the state update function of the CCSR. Each of the 96 key bits is added to one of the 96 bits $q^j_0$. The state update function of the CCSR introduces diffusion in one direction only: a cell with index $j$ does not depend on cells with indices $j' > j$. An immediate consequence is that key bit $k_{95}$ affects state bit $q^{96}_0$ only. There are however more useful implications, which we introduce next. By expanding (6.1) and Table 6.1, we obtain the following equations:

$$Q^1_0 = c + k_0 ,$$
$$Q^2_0 = q^1_0 + k_1 + 1 ,$$
$$Q^3_0 = q^2_0 + k_2 + c(q^1_0 + 1) + 1 ,$$
$$Q^4_0 = q^3_0 + k_3 + q^2_0 + q^2_0 ,$$
$$Q^5_0 = q^4_0 + k_4 + q^1_0(q^3_0 + 1) + 1 ,$$
$$Q^6_0 = q^5_0 + k_5 + q^1_0(c + 1) + 1 ,$$
$$Q^7_0 = q^6_0 + k_6 + q^4_0 + q^5_0 ,$$
$$Q^8_0 = q^7_0 + k_7 + q^4_0(q^6_0 + 1) + 1 ,$$
$$Q^9_0 = q^8_0 + k_8 + c(q^7_0 + 1) + 1 ,$$
$$Q^{10}_0 = q^9_0 + k_9 + q^6_0 + q^8_0 ,$$
$$Q^{11}_0 = q^{10}_0 + k_{10} + q^7_0(q^9_0 + 1) + 1 ,$$
$$\vdots$$

where $c$ denotes the ciphertext feedback bit. Our next observation is the following.

Observation 6.4. In the computation of $Q^4_0$, the bit $q^2_0$ is cancelled. Only bit $Q^3_0$ depends on $q^2_0$.

This leads to a related-key pair that for any ciphertext produces CCSR states with a one-bit difference. To see this, consider two instantiations of Moustique running in decryption mode with the two keys denoted by $k$ and $k^*$. Assume

$k_i = k^*_i$ for $i \neq 1, 2$, and
$k_i = k^*_i + 1$ for $i = 1, 2$.

We use both instantiations of Moustique to decrypt the same ciphertext and observe the propagation of differences through the CCSR cells.

Figure 6.2. CCSR differential propagation using related keys $k = (k_0, k_1, k_2, k_3, \ldots, k_{95})$ and $k^* = (k_0, k_1 + 1, k_2 + 1, k_3, \ldots, k_{95})$.

In the first iteration of the CCSR, the differences in $k_1$ and $k_2$ will cause differences in $Q^2_0$ and $Q^3_0$. After the second iteration, there will again be a difference in $Q^2_0$, but not in $Q^3_0$, because the incoming difference in $q^2_0$ cancels out the difference in $k_2$. What is left of course is the difference in $q^3_0$, which propagates through the CCSR and the filter stages. However, after 92 iterations, this unwanted difference has been propagated out of the CCSR. We obtain a steady-state behaviour: at every iteration, both CCSRs differ in bit $q^2_0$ only. Figure 6.2 illustrates the propagation of the related-key differential within the CCSR.

Since Moustique has a cipher function delay of nine iterations, we can start deriving information from the keystream after nine more iterations. This will be demonstrated in the next section.

6.4 Related-Key Effects

6.4.1 Correlated Keystreams

There are several classes of related keys for Moustique. We start with the simplest case which, coincidentally, appears to demonstrate the greatest bias.

First related-key pairs: Consider two CCSR states with a difference only in bit $q^2_0$. According to Observation 6.3, this bit affects only one bit of the 53-bit output, namely the one produced by the term $j = 1$ of (6.6), $a^1_4$, which is computed as:

$$a^1_4 = q^{96}_{14} + q^{19}_0 + q^{96}_3 (q^2_0 + 1) + 1 .$$

Notice that if $q^{96}_3 = 0$, the difference is extinguished and the two states produce equal output (by Observation 6.2). If $q^{96}_3 = 1$, the difference passes on and the two outputs will presumably collide with probability $1/2$. In fact $q^{96}_3$ is computed using the non-balanced function $g_2$, and we have that $\Pr(q^{96}_3 = 0) = 5/8$: for balanced inputs, each of the two products in $g_2(a, b, d, e) = a(b + 1) + d(e + 1)$ equals 1 with probability $1/4$, so their sum is 0 with probability $(3/4)^2 + (1/4)^2 = 10/16$.

Table 6.2. Related-key pairs and correlated keystreams; all these related-key pairs and the magnitude of the correlation have been experimentally verified

Position $j$ of the single-bit difference   Key bits to flip to induce the required difference   Probability $z = z^*$
2                                           1, 2                                                 0.8125
5                                           4, 5, 6                                              0.75
8                                           7, 8, 9, 12                                          0.75
11                                          10, 11, 12                                           0.75
14                                          13, 14, 15, 21                                       0.75
17                                          16, 17, 18                                           0.75
71                                          70, 71, 72                                           0.75
74                                          73, 74, 75                                           0.75

So, after 105 cycles of the IV setup, the two instances of Moustique decrypting equal ciphertexts with related keys $k$ and $k^*$ will produce keystream bits $z$ and $z^*$ for which, by the law of total probability, $\Pr(z = z^*) = \frac{5}{8} \cdot 1 + \frac{3}{8} \cdot \frac{1}{2} = \frac{13}{16}$.

More advanced related-key pairs: We can extend the simple related keys already described. This allows us to obtain a range of related-key pairs that generate a 1-bit difference in the CCSR. Using Table 6.1, the following observation is easy to verify.

Observation 6.5. If $j \leq 77$ and $j \equiv 2 \bmod 3$, then $q^j_0$ occurs in the CCSR update only linearly.

This implies that for each of $q^5_0, q^8_0, q^{11}_0, q^{14}_0, \ldots, q^{77}_0$, we can find a set of key bits such that by flipping these key bits simultaneously and iterating the scheme, a one-bit difference between the two CCSRs is retained in a single bit position $q^j_0$.

Among these 25 one-bit differences, together with the one in $q^2_0$, eight also induce correlated keystream; these are the bits $q^2_0, q^5_0, q^8_0, q^{11}_0, q^{14}_0, q^{17}_0, q^{71}_0$ and $q^{74}_0$ (Observation 6.3). Table 6.2 lists the pairs of related keys that are generated along with the correlation in the associated keystream outputs. Since the correlation is extremely high, only a very small amount of keystream is required to reliably distinguish these related keystreams from a pair of random keystreams.

Furthermore, by simultaneously flipping the relevant key bits for two or more indices $j$, we obtain a range of related keys with weaker correlation. The bias can be estimated by Matsui's Piling-up Lemma [137]; in the weakest case where all 8 key-bit tuples are flipped, the lemma gives $2^7 \cdot \frac{5}{16} \cdot (\frac{1}{4})^7 = 5 \cdot 2^{-11}$, i.e., approximately $\varepsilon = 2^{-8.6}$. We have verified this estimate experimentally, and we now make the following conclusion.

Observation 6.6. Each key of Moustique produces correlated keystream with (at least) $2^8 - 1 = 255$ related keys, with the bias ranging from $\varepsilon = 2^{-1.7}$ to $\varepsilon = 2^{-8.6}$.
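The CCSR update (6.1) with Table 6.1, the expanded equations of Sect. 6.3.3 and the related-key differences of Table 6.2 can all be exercised with the following executable model. It is an added example written for this page from the equations as printed above; it is not the eSTREAM reference implementation, and it models no filter stage, so the correlation column of Table 6.2 is not reproduced, only the CCSR-level difference. The cell widths are an assumption read off the re-indexing in (6.5) (1 bit for cells 1 to 88, 2 for 89 to 92, 4 for 93 and 94, 8 for 95, 16 for 96), and the initial state is all-zero, i.e. no IV is modelled; neither choice affects the difference behaviour shown. `flip_set` derives the key-bit tuples of Table 6.2 from the bit-0 update chain by the argument of Observations 6.4 and 6.5, and `state_diff` clocks two instances under related keys on the same random ciphertext and reports the surviving difference, which after the 105-clock IV-setup length is the single bit $q^j_0$ for every row of Table 6.2. In this model the transient difference started in $q^3_0$ reaches cell 96 at clock 94 and has left the CCSR at clock 95.

```python
"""CCSR model of Moustique built from (6.1) and Table 6.1 as printed in this chapter.

Added example for this page: not the eSTREAM reference code, and no filter stage is
modelled.  Cell widths are an assumption taken from the re-indexing in (6.5):
cells 1..88 hold 1 bit, 89..92 hold 2, 93..94 hold 4, 95 holds 8, 96 holds 16.
The initial state is all-zero (no IV); the difference behaviour does not depend on it.
"""
import random

CELL_BITS = {j: (1 if j <= 88 else 2 if j <= 92 else 4 if j <= 94 else 8 if j == 95 else 16)
             for j in range(1, 97)}


def g0(a, b, d, e):
    """(6.2): a + b + d + e over GF(2)."""
    return a ^ b ^ d ^ e


def g1(a, b, d, e):
    """(6.3): a + b + d(e + 1) + 1."""
    return a ^ b ^ (d & (e ^ 1)) ^ 1


def g2(a, b, d, e):
    """(6.4): a(b + 1) + d(e + 1)."""
    return (a & (b ^ 1)) ^ (d & (e ^ 1))


def taps(j, i):
    """Table 6.1: the g_x updating bit i of cell j and its tap cells v, w (0 = ciphertext)."""
    r = j - i
    if r % 3 == 1:
        return g0, 2 * (r - 1) // 3, j - 2
    if r % 3 == 2:
        return g1, j - 4, j - 2
    if r % 6 == 3:
        return g1, 0, j - 2
    return g1, j - 5, 0


class CCSR:
    def __init__(self, key):
        assert len(key) == 96
        self.key = list(key)
        self.q = {(j, i): 0 for j in range(1, 97) for i in range(CELL_BITS[j])}

    def bit(self, j, i, c):
        """q^j_i with i reduced modulo the cell width; 'cell 0' is the ciphertext bit."""
        return c if j == 0 else self.q[(j, i % CELL_BITS[j])]

    def clock(self, c):
        """One iteration of (6.1) on ciphertext bit c."""
        nxt = {}
        for (j, i) in self.q:
            if j <= 2:                      # Q^j_0 = g_x(q^{j-1}_0, k_{j-1}, 0, 0)
                g = taps(j, 0)[0]
                nxt[(j, i)] = g(self.bit(j - 1, 0, c), self.key[j - 1], 0, 0)
            elif j == 96 and i > 0:         # Q^96_i = g2(q^95_i, q^{95-i}_0, q^94_i, q^{94-i}_1)
                nxt[(j, i)] = g2(self.bit(95, i, c), self.bit(95 - i, 0, c),
                                 self.bit(94, i, c), self.bit(94 - i, 1, c))
            else:                           # Q^j_i = g_x(q^{j-1}_i, k_{j-1}, q^v_i, q^w_i)
                g, v, w = taps(j, i)
                nxt[(j, i)] = g(self.bit(j - 1, i, c), self.key[j - 1],
                                self.bit(v, i, c), self.bit(w, i, c))
        self.q = nxt


def flip_set(j):
    """Key bits to flip so that a difference survives only in q^j_0 (Observations 6.4, 6.5).

    k_{j-1} creates the difference; k_{j'-1} cancels it in every cell j' whose bit-0
    update takes q^j_0 linearly an odd number of times (the first g_x argument is
    always linear, for g0 so are both taps, and a tap used twice cancels itself).
    Only the bit-0 chain is inspected, which suffices for the rows of Table 6.2.
    """
    bits = {j - 1}
    for jp in range(j + 1, 97):
        g, v, w = taps(jp, 0)
        count = 1 if jp == j + 1 else 0
        if g is g0:
            count += (v == j) + (w == j)
        elif j in (v, w):
            raise ValueError(f"q^{j}_0 enters g1 nonlinearly in cell {jp}")
        if count % 2:
            bits.add(jp - 1)
    return sorted(bits)


def sample_key(seed=7):
    """A reproducible 96-bit key (k_0, ..., k_95); constructed input, not from the text."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(96)]


def state_diff(key, flips, clocks, seed=1):
    """Clock two CCSRs whose keys differ in `flips` on the same random ciphertext and
    return the (cell, bit) positions where their states differ afterwards."""
    key2 = list(key)
    for b in flips:
        key2[b] ^= 1
    x, y = CCSR(key), CCSR(key2)
    rng = random.Random(seed)
    for _ in range(clocks):
        c = rng.getrandbits(1)
        x.clock(c)
        y.clock(c)
    return sorted(pos for pos in x.q if x.q[pos] != y.q[pos])


if __name__ == "__main__":
    key = sample_key()
    for j in (2, 5, 8, 11, 14, 17, 71, 74):      # the rows of Table 6.2
        print(j, flip_set(j), state_diff(key, flip_set(j), 105))
    print(state_diff(key, [1, 2], 1), state_diff(key, [1, 2], 95))
```

`flip_set` raises for an index whose bit enters some $g_1$ as the third or fourth argument, which is exactly the case Observation 6.5 excludes; the simulation in `state_diff`, not the linear analysis, is the ground truth for any further index one may want to try.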

6.4.2 Key Recovery Attacks

Here we show how the distinguisher in Sect. 6.4.1 can be developed into a key recovery attack.

Using (6.6) with $j = 42$, (6.5), and the definition of $g_1$ we have that

$$a^1_9 = q^{86}_0 + q^{60}_0 + q^{71}_0 (q^{43}_0 + 1) + 1 .$$

As described in Section 6.4.1, if we take two instantiations of Moustique and flip the key bits $k_{70}$, $k_{71}$, and $k_{72}$ in one instantiation, then only $q^{71}_0$ will change. This change can only propagate to the output if the bit $q^{43}_0$ equals zero. Thus, a difference in the output of two copies of Moustique running with these related keys gives us one bit of information about the CCSR state (the value $q^{43}_0 = 0$). Furthermore, the state bit $q^{43}_0$ only depends on the first 43 bits of the key, which leads to an efficient divide-and-conquer attack (in which the key is recovered in parts, one by one) as follows.

We first observe the output of two related instances of Moustique, using some (arbitrary) ciphertext $c$, and record the time values where the output bits differ. We then guess the 43 key bits $k_0, \ldots, k_{42}$, compute the state bit $q^{43}_0$ under the same ciphertext $c$, and check whether indeed $q^{43}_0 = 0$ at all the recorded times. If there is a contradiction then we know that our guess for the 43-bit subkey was wrong. On average, only 8 bits of keystream are required to eliminate wrong candidates; and $n$ bits of keystream eliminate a false key with probability $1 - 2^{-n/4}$.

The final attack requires a slight adjustment, as the existence of related keys introduces some false positives. Namely, certain related keys produce extinguishing differential trails that never reach $q^{43}_0$. For example, if the guessed key only differs from the correct key in the bits $k_1$ and $k_2$, then this difference affects $q^2_0$ only, and not $q^{43}_0$. Thus, the key with bits $k_1$ and $k_2$ flipped passes our test. The same holds for all combinations of the 14 values of $j$ smaller than 43 with $j \equiv 2 \bmod 3$, as well as bit $k_{39}$ and the pair $k_{41}, k_{42}$. Altogether, we have found that out of the $2^{43}$ key candidates, $2^{16}$ survive, and after running our attack we still need to determine $96 - (43 - 16) = 69$ key bits. This can be done by exhaustive key search, and the $2^{69}$ complexity of this stage dominates the attack.

Notice that in the first stage, we know in advance which related keys give false positives. Thus, we only need to test one key in each set of $2^{16}$ related keys, and the complexity of the first stage is $2^{43-16} = 2^{27}$. The complexity of the second stage can be reduced if we allow the attacker access to multiple related keys.

In such a case, a second stage of the attack would use (6.6) with $j = 16$:

$$a^1_{11} = q^{96}_3 + q^{34}_0 + q^{89}_1 (q^{17}_0 + 1) + 1 .$$

The state bit $q^{17}_0$ can be changed by flipping $k_{16}$, $k_{17}$ and $k_{18}$. The state bit $q^{89}_1$ depends on 89 key bits, of which we already know $43 - 16 = 27$ bits. In addition, we found $2^{31}$ related-key differentials that extinguish without ever reaching $q^{89}_1$. Hence, we need to test $2^{89-27-31} = 2^{31}$ keys to determine 31 more bits. In total we have then determined $27 + 31 = 58$ bits of the key and the remaining 38 bits can be determined by exhaustive search. The complexity of the attack can be estimated by $2^{27} + 2^{31} + 2^{38}$, which is dominated by the third, brute-force phase.

We have verified the first two stages of the attack experimentally, and are indeed able to recover 58 bits of the key, given only 256 bits of keystream from two related-key pairs. Recovering the first 27 bits requires only a few minutes and 256 bits of output from a single related-key pair.

6.5 Accelerated Exhaustive Key Search

Next, we show how the existence of related keys in Moustique can be used in cryptanalysis even if we cannot observe the output of the cipher in a related-key setting.

In Section 6.4, we observed that each key has eight related keys that producestrongly correlated output. In particular, the correlation can be detected fromvery short keystream. Thus, we can imagine the following attack scenario. Given,say, 128 bits of cipher output from a (k, IV) pair, compare this to the output ofthe cipher, using a candidate key k′, the same IV and equal ciphertext. If theoutputs are not correlated, eliminate key k′ as well as its 8 related keys.

In order to compete with brute force, we need to be able to eliminate relatedkeys efficiently. We now discuss two strategies representing different trade-offsbetween required keystream and computational complexity.

6.5.1 The Strong Correlation Attack

In the first approach we use the (7, 4) Hamming code. As Hamming codes are perfect, we know that for each 7-bit string $s$, there exists a codeword $c_i$ such that the Hamming distance between $s$ and $c_i$ is at most one. The codewords of the (7, 4) Hamming code are listed in Table 6.3.

Now, for each codeword $c_i$, we fix the candidate key bits $k_1, k_4, k_7, k_{10}, k_{13}, k_{16}, k_{70}$ to this codeword, and exhaustively search over the remaining 89 key bits. This strategy guarantees that we test either the correct key or one of the closely related keys given in Table 6.2. A related key can then be easily detected from the strong correlation of the two keystreams. For example, assume that the correct subkey is $(k_1, k_4, k_7, k_{10}, k_{13}, k_{16}, k_{70})$ and the closest codeword is $(k_1, k_4 + 1, k_7, k_{10}, k_{13}, k_{16}, k_{70})$. Then, according to Table 6.2, $k^* = (k_0, k_1, k_2, k_3, k_4 + 1, k_5 + 1, k_6 + 1, k_7, \ldots, k_{95})$ is a related key that has been selected for testing.

Our experiments suggest that 128 keystream bits are sufficient to detect correlation between the correct key $k$ and a related candidate key $k^*$ (see Sect. 6.6 for experimental results). Given that IV setup takes 105 cipher clocks, the total worst-case complexity of our attack is $(105 + 128) \cdot 2^4 \cdot 2^{89} \approx 2^{100.9}$ cipher clocks.

Table 6.3. The codewords of the (7, 4) Hamming code

$c_0$   0000000   $c_4$   0100110   $c_8$      1000101   $c_{12}$   1100011
$c_1$   0001011   $c_5$   0101101   $c_9$      1001110   $c_{13}$   1101000
$c_2$   0010111   $c_6$   0110001   $c_{10}$   1010010   $c_{14}$   1110100
$c_3$   0011100   $c_7$   0111010   $c_{11}$   1011001   $c_{15}$   1111111

In comparison, naive brute force requires on average 2 keystream bits to eliminate false candidates, so the complexity is $(105 + 2) \cdot 2^{96} \approx 2^{102.7}$ cipher clocks.

6.5.2 The Piling-Up Attack

Following Observation 6.6, we partition the keys into $2^{88}$ sets of $2^8$ related keys and test only one key in each set. After 105 clocks of IV setup, the states corresponding to two related keys differ in at most 8 bits (given in Table 6.2). If

$$a^0_{40} = a^0_{43} = 1 , \quad \text{and} \quad a^0_{97} = a^0_{100} = a^0_{103} = a^0_{106} = a^0_{109} = a^0_{112} = 0 , \qquad (6.7)$$

then none of these 8 bits influences $a^1$, the output of the first filter stage, and hence the keystream bits generated by two related keys are equal. (These are the partner inputs in (6.6): $q^j_0 = a^0_j$ for $j \in \{2, 5, 8, 11, 14, 17\}$ is the fourth input of the $g_1$ whose third input is $a^0_{114-j}$, and $q^{71}_0$, $q^{74}_0$ are third inputs whose fourth inputs are $a^0_{43}$ and $a^0_{40}$.) Consequently, if, while testing a key $k'$, we observe that the bit of keystream generated by $k'$ differs from the bit of the observed keystream at a time when the candidate state satisfies (6.7), then we are sure that the key $k$ we are looking for is not a related key of $k'$, and we can discard $k'$ as well as its $2^8 - 1$ related keys.

To estimate the amount of keystream needed to eliminate wrong keys, we note that two unrelated keystreams agree with probability $1/2$, so we can use half of the available keystream to test for condition (6.7). As $\Pr(a^0_{112} = 0) = 5/8$ (this bit is $q^{96}_3$), while the remaining bits in (6.7) are balanced, condition (6.7) is true with probability $p = \frac{5}{8} \cdot \frac{1}{2^7}$. Thus, we need to generate on average $2/p = 409.6$ bits of keystream from one candidate key in order to rule out an entire class of $2^8$ related keys. In total, the complexity of our attack can be estimated at $(105 + 409.6) \cdot 2^{88} \approx 2^{97.0}$ cipher clocks. Our experiments confirm this estimate and suggest that 5,000 to 6,000 bits of known keystream are sufficient to eliminate all false candidates with high confidence.

Both our strategies for accelerated exhaustive key search are rather simple and just as easily parallelisable as plain exhaustive key search, so they are likely to provide an advantage over simple brute force in practice. The piling-up attack is an estimated 50 times faster than exhaustive key search, indicating that the effective key length of Moustique is reduced to about 90 bits instead of the claimed 96-bit security.

Page 127: Cryptanalysis and Design of Symmetric Cryptographic …tieke sleutels gebruikt worden door de zender en ontvanger van vertrouwelijke gegevens. Moderne symmetrische versleutelingsalgoritmen

EXPERIMENTAL VERIFICATION 97

6.6 Experimental VerificationThe results in this work were verified using the source code for Moustiquethat was submitted to eSTREAM [71]. All sets of key bits identified inTable 6.2 were tested with one thousand random keys and their related partners.The minimum, maximum, and average number of agreements between the twogenerated keystreams, over the first 128 bits, was recorded. Note that foruncorrelated keystreams we would expect 64 matches.

Key bits to induce        Minimum #   Maximum #   Average #
the required difference   matches     matches     matches
1,2                       91          118         104.02
4,5,6                     82          111         96.10
7,8,9,12                  79          109         96.03
10,11,12                  74          108         95.81
13,14,15,21               79          110         96.11
16,17,18                  80          114         95.72
70,71,72                  77          109         96.23
73,74,75                  81          112         95.94

We then constructed a distinguisher by setting the agreement threshold to t ≥ 74. We chose randomly 10,000 related-key pairs, all of which passed the test, indicating that the false negative rate is below 0.01%. In comparison, out of 10,000 128-bit keystreams obtained from random key pairs, 440 passed the test, so the false positive rate was below 5%. Thus, we can use our accelerated key search to eliminate 95% of the keys, and then brute force the remaining candidates. The total complexity of the attack is still below that of naive exhaustive search, and the success rate is at least 99.99%.
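The threshold test above can be checked independently of the cipher: if two keystreams are uncorrelated, the number of positions in which they agree is binomially distributed with mean 64, so the false-positive rate of a threshold t is an exact binomial tail. The Python below is an added example and is not code from the thesis or from the Moustique submission; its helper names are ours, and the random byte strings it compares are constructed stand-ins for keystreams of unrelated keys. It computes the tail for t = 74 (about 4.7%, in line with the 440 of 10,000 random pairs reported above), checks that 74 is the smallest threshold whose false-positive rate stays below 5%, and re-runs the random-pair experiment.

```python
"""Agreement-count distinguisher on 128-bit keystreams and the binomial
false-positive rate of its threshold (constructed example)."""
import math
import random

N_BITS = 128     # keystream length compared in Sect. 6.6
THRESHOLD = 74   # agreement threshold t of the distinguisher


def agreements(ks_a: bytes, ks_b: bytes) -> int:
    """Number of bit positions in which two equal-length keystreams agree."""
    if len(ks_a) != len(ks_b):
        raise ValueError("keystreams must have equal length")
    differing = sum(bin(x ^ y).count("1") for x, y in zip(ks_a, ks_b))
    return 8 * len(ks_a) - differing


def passes(ks_a: bytes, ks_b: bytes, t: int = THRESHOLD) -> bool:
    """The distinguisher: flag the pair as related if it agrees in >= t bits."""
    return agreements(ks_a, ks_b) >= t


def tail_probability(n: int, t: int) -> float:
    """Pr[Bin(n, 1/2) >= t], i.e. the chance that two uncorrelated n-bit
    strings agree in at least t positions; exact, via integer binomials."""
    return sum(math.comb(n, k) for k in range(t, n + 1)) / 2 ** n


def smallest_threshold(n: int, max_fpr: float) -> int:
    """Smallest t whose false-positive rate on uncorrelated streams is <= max_fpr."""
    t = n // 2
    while tail_probability(n, t) > max_fpr:
        t += 1
    return t


def simulate_false_positives(trials: int = 10_000, seed: int = 2011) -> float:
    """Fraction of uncorrelated pairs that pass.  Uniformly random bytes
    stand in for keystreams of unrelated keys, which Sect. 6.6 treats as
    uncorrelated (expected 64 agreements out of 128)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        ks_a = rng.getrandbits(N_BITS).to_bytes(N_BITS // 8, "big")
        ks_b = rng.getrandbits(N_BITS).to_bytes(N_BITS // 8, "big")
        hits += passes(ks_a, ks_b)
    return hits / trials


if __name__ == "__main__":
    print(f"exact false-positive rate at t={THRESHOLD}: "
          f"{tail_probability(N_BITS, THRESHOLD):.4f}")
    print("smallest t with FPR <= 5%:", smallest_threshold(N_BITS, 0.05))
    print("simulated rate on 10,000 random pairs:", simulate_false_positives())
```

Note that 74 is also the lowest agreement count observed on a related-key pair in the table above (the 10,11,12 row), so the threshold is the smallest value that passes every related pair seen while keeping the false-positive rate under 5%. The binomial model only covers the unrelated side; the false-negative rate has to be measured on the cipher itself, as the 10,000 related-key pairs above do.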

6.7 Conclusions

In moving from Mosquito, it seems that the design of the self-synchronising stream cipher Moustique was established in a rather ad hoc way. While the tweaked design resists the chosen-ciphertext attack on Mosquito, we showed that it still exhibits weaknesses that lead to strong distinguishers in the related-key setting. Further, we presented two different strategies for exploiting those distinguishers in a key recovery attack. The first strategy allows the attacker to recover the 96-bit secret key in 2^{69} steps, assuming that the attacker is able to observe the output of two instances of the cipher using the secret key and a related key. The complexity of this attack can be reduced to 2^{38} steps if the attacker is able to observe the output of three instances of the cipher using the secret key and two related keys. Both require a negligible amount of ciphertext; e.g., less than 256 bits.


We have also exploited the observations we made in a non-related-key attack. Our first attack breaks the cipher in around 2^{101} steps, using only 128 bits of KP. If furthermore a few thousand keystream bits are known, the complexity is reduced to 2^{97} steps. In comparison, exhaustive key search would take 2^{103} equivalent steps, indicating that Moustique falls about 6 bits short of the claimed 96-bit security. While, admittedly, a 2^{97} attack is still far from being practical, it illustrates the relevance of related-key weaknesses in the standard setting.

In order to preclude the aforementioned weaknesses, it appears that many careful changes would have to be made to Moustique. For example, the updating function of the CCSR would have to be modified so that Observation 6.4 does not result. But, doing so may lead to a similar observation (of bits cancelling out) for some bit other than Q^4_0. Besides, for Moustique we have several observations similar to Observation 6.4 – each one leading to a related-key pair (all such pairs are listed in Table 6.2). This complicates the modification of the updating function of the CCSR and, therefore, we do not immediately see a simple tweak for Moustique.


Part V

Cryptanalysis of Block Ciphers




Chapter 7

Meet-in-the-Middle Attacks on Feistel Constructions

7.1 Introduction

In this chapter, we study meet-in-the-middle attacks on block ciphers based on Feistel networks. We present new approaches to meet-in-the-middle attacks and test them on the block ciphers DES, XTEA, XETA and GOST. The ciphers have structures that closely resemble one another. The ciphers, especially the DES and GOST, are very popular and widely used. We begin this chapter with some introductory remarks on these ciphers.

DES. The DES block cipher has 16 rounds, a block size of 64 bits and a keysize of 56 bits. As mentioned in Chapter 1, DES is a well-known and widelydeployed block cipher. Therefore, it has received a great deal of cryptanalyticattention.

Until 1991, when the differential cryptanalysis technique was applied to the fullDES [29, 30, 31], there were no short-cut attacks on the full cipher except for onethat used the property of the cipher that if the key and plaintext are bitwisecomplemented then so is the ciphertext. The attack exploiting this propertyimproves exhaustive key search by a factor of 2.

In [44], Chaum and Evertse presented several meet-in-the-middle attacks on reduced variants of DES. They showed that six rounds of DES (such as rounds 2–7) are susceptible to meet-in-the-middle attacks. They also showed that their approach cannot be extended to more than seven rounds of DES.

In 1987 Davies described a KP attack on DES [56]. The attack obtains 16 linear equations of the key bits given sufficiently many KPs by examining the bits that are shared by neighbouring S-boxes. Davies' attack on the full DES requires more plaintexts than the entire code book. For 8-round DES, the attack requires about 2^{40} KPs. In [57] these results were slightly improved but still could not attack the full DES faster than exhaustive key search. In 1994 Biham and Biryukov [22] improved the attack to be applicable to the full DES. Their variant of the attack requires 2^{50} KPs and has a running time of 2^{49} encryptions on average. A chosen-plaintext variant of the attack is presented in [125]; it has a data complexity of 2^{45} CPs.

The first attack on DES that is faster than exhaustive key search is the aforementioned differential attack. The technique works as follows. The cryptanalyst examines pairs of plaintexts and ciphertexts, trying to find a pair that satisfies some differential (i.e., given some input difference between the two plaintexts, the output difference of the two ciphertexts is as predicted). Once such a pair is found, the key can be deduced. The differential attack on DES requires 2^{47} CPs.

In [137] another technique called linear cryptanalysis is applied to the DES. The linear attack on DES uses 2^{43} KPs and deduces the key by checking whether some linear relation between the plaintext and the ciphertext is satisfied. This attack was later improved in [207] by exploiting nonlinear relations as well. The improved attack has a data complexity of 2^{42.6} KPs. Using CPs, Knudsen and Mathiassen reduced the data complexity of the attack in [137] by a factor of 2.

Even after DES was theoretically broken, it was claimed that DES was stillsecure, as it was not possible to mount these attacks in practice. As a response,RSA Data Security Inc. issued several “DES Challenges” during the mid ’90s.In each such challenge, RSA published a plaintext and its ciphertext encryptedusing DES under some unknown key, and offered a prize of several thousand USdollars for whoever found the secret key [212]. The first exhaustive key searchtook about 75 days and the key was found using 14,000–80,000 computers overthe Internet [5]. Ever since, the time required for each new DES challenge hasbeen reduced. In 1998, the Electronic Frontier Foundation (EFF) built a specialpurpose machine that cost less than 250,000 US dollars and retrieved the key in56 hours by means of exhaustive key search [73]. Today, using a COPACOBANAmachine an exhaustive key search of DES can be performed in 17 days for the costof less than 9,000 Euros [124].

In [174], Raddum and Semaev presented a new approach for solving sparsesystems of nonlinear equations and used them to attack up to 4 rounds of DES.With 16 KPs, their techniques produce an equation system with 1,080 variablesand 2,048 nonlinear equations from 4-round DES. While their methods work on 5or more rounds of DES, they are too complex to be considered in practice.

The approach of treating reduced-round DES as a system of algebraic equationswas also suggested in [47]. The attack described here represents DES as a systemof multivariate equations with the key bits as unknowns and tries to solve thesystem using SAT solvers. This technique can find the key faster than exhaustivekey search for DES with up to six rounds.

Despite these well-known weaknesses of DES, variants of the cipher are being used for electronic payments and suggested for RFID applications (see Sect. 1.7). In every attack on DES prior to this work, either exhaustive key search is performed or a very large number of plaintext-ciphertext pairs is used. This gives some motivation to investigate how many rounds of DES can be broken using one (or very few) plaintext-ciphertext pairs. The results of this chapter shed more light on the security of DES, leading to a better understanding of the way DES can be used.

XTEA and XETA. The cipher TEA (Tiny Encryption Algorithm) is a 64-roundcipher that operates on 64-bit blocks and uses a 128-bit key. Designed by Wheelerand Needham, it was presented at FSE 1994 [231]. Noted for its simple design, thecipher was subsequently studied extensively and came under a number of attacks.

In 1996, Kelsey et al. established that the effective key size of TEA was 126bits [111]. This result led to an attack on Microsoft’s Xbox gaming console whereTEA was used as a hash function [213].

In the following year, Kelsey, Schneier and Wagner showed a related-key attack on TEA with 2^{23} CPs and 2^{32} time [112]. Following these results, TEA was redesigned by Needham and Wheeler to yield Block TEA and XTEA (eXtended TEA) [156]. While XTEA has the same block size, key size and number of rounds as TEA, Block TEA caters to variable block sizes. Both TEA and XTEA are implemented in the Linux kernel. The Linux kernel also includes a variant of XTEA called XETA [88]. The cipher XETA resulted from a bug in the C implementation of XTEA, where higher precedence was incorrectly given to XOR over addition in the round function.

To correct weaknesses in Block TEA, Needham and Wheeler designed CorrectedBlock TEA or XXTEA, and published it in a 1998 report [157]. This cipher alsooperates on variable-length messages. The number of rounds is determined by theblock size, but it is at least six. An attack on the full Block TEA is presentedin [188], where some weaknesses in XXTEA are also detailed.

A number of cryptanalytic results on the TEA family have been reported since2002. Of these, attacks in the standard setting on XTEA (including the ones ofthis chapter) are listed in Table 7.1. Here, attacks that work only for classes ofweak keys are omitted.

In [108], it was shown that an ultra-low power implementation of XTEA mightbe better suited for low resource environments than AES. Note that XTEA’ssmaller block size also makes it advantageous if an application requires fewer than128 bits of data to be encrypted at a time.

GOST. The GOST block cipher is a Russian standard for encryption and messageauthentication [168]. It was designed in the erstwhile USSR, and declassified in1989. This cipher is used in several applications, including OpenSSL 1.0.0, anopen source toolkit for SSL/TLS [244]. Furthermore, it is being considered forinclusion in the ISO/IEC standards.

GOST has 32 rounds, a block size of 64 bits and a key size of 256 bits. Following its release to the public, several cryptanalytic results were published. Full-key recovery attacks on GOST (including the ones of this chapter) are listed in Table 7.2. Here again, we have omitted attacks that work only for classes of weak keys, as well as related-key attacks.

Table 7.1. Key recovery attacks on XTEA where the time complexities are averages ('N/A' means that the data is not directly available from the corresponding source, 'MitM' stands for 'Meet-in-the-Middle')

Type of attack            Ref.           # rounds   Time         Data            Pr(Success)
MitM                      This chapter   7          2^{95.00}    2 KPs           1 − 2^{−33}
Impossible differential   [147]          14         2^{85}       2^{62.5} CPs    Not given
Differential              [97]           15         2^{120}      2^{59} CPs      Not given
MitM                      This chapter   15         2^{95.00}    3 KPs           1 − 2^{−65}
Truncated differential    [97]           23         2^{120.65}   2^{20.55} CPs   0.969
MitM                      This chapter   23         2^{117.00}   18 KPs          1 − 2^{−1025}

Table 7.2. Full-key recovery attacks on GOST where the time complexities are averages

Type of attack     Ref.           # rounds   Time         Data            Pr(Success)
MitM               This chapter   8          2^{127.00}   3 KPs           1 − 2^{−65}
MitM               This chapter   9, 10      2^{159.00}   3 KPs           1 − 2^{−33}
MitM               This chapter   11, 12     2^{191.00}   4 KPs           1 − 2^{−65}
Differential       [204]          13         Not given    2^{51} CPs      Not given
MitM               This chapter   13, 14     2^{223.00}   4 KPs           1 − 2^{−33}
MitM               This chapter   16         2^{223.00}   5 KPs           1 − 2^{−65}
MitM               This chapter   22         2^{223.00}   5 KPs           1 − 2^{−65}
Slide              [25]           24         2^{64}       ≈ 2^{64} KPs    Not given
Slide              [25]           30         2^{253.7}    ≈ 2^{64} KPs    Not given
Reflection         [109]          30         2^{224}      2^{32} KPs      Not given
Reflection-MitM    [99]           32         2^{224}      2^{32} KPs      Not given

7.1.1 The Meet-in-the-Middle Attack

The meet-in-the-middle attack was first introduced by Diffie and Hellman in 1977 [62]. Since then, this technique and its variants have been successfully used against several popular block ciphers apart from DES (see e.g. the attack on KeeLoq [98]). Unlike Diffie-Hellman's original attack, the meet-in-the-middle attacks in this chapter¹ have negligible memory requirements.

¹ The attack presented in Sect. 7.3.4 of this chapter can also be seen as a meet-in-the-middle attack; however, the (partial) encryptions and decryptions cannot be performed over all rounds, as the attacker only searches exhaustively over parts of the key. We therefore use a technique similar to the partial-matching technique of Sasaki and Aoki. This very recent technique was successfully applied to several hash functions, including MD4 [7], MD5 [191], HAS-160 [96] and SHA-2 [6].

Let M and K denote the message space and key space, respectively. Let G_K, H_K : M × K → M be two block ciphers and F_K = H_K ∘ G_K. In a meet-in-the-middle attack, the attacker deduces K from a given plaintext-ciphertext pair (p, c), where c = F_K(p), by solving the equation:

G_K(p) = H_K^{−1}(c) . (7.1)

7.1.2 Contribution of This Work

Our first contribution is the following new approach to meet-in-the-middle attacks. Rather than guessing all the key bits that are required to produce some value, our approach guesses actual intermediate encryption values, thus saving the need to guess many key bits to obtain the value of an intermediate encryption bit. This improves greatly on the attacks on up to 6 rounds of DES by Chaum and Evertse [44].

The new approach reduces the time complexity of the meet-in-the-middle attacks, as it allows for guessing significantly fewer key bits. Moreover, by obtaining several KPs, one can increase the number of intermediate encryption bits that are guessed while decreasing the total time complexity of the attack. This follows from the fact that if, for even one of the KPs, a specific key guess has no possible intermediate encryption value which fits the meet-in-the-middle condition, then the key guess is necessarily wrong.

Another possible use of our approach is in the chosen text scenario, where by fixing some bits of the plaintext (or the ciphertext), it is possible to force the intermediate values of several plaintext-ciphertext pairs to a specific value. This leads to a reduction in the number of bits that the attacker needs to guess (across several plaintext-ciphertext pairs).

This approach may also be used to improve other meet-in-the-middle attacks. To the best of our knowledge, this is the first case where the attacker guesses intermediate encryption values rather than keys in a meet-in-the-middle attack. In this chapter, we also provide insights into how our attacks might be extended to attack DES with more than 6 rounds using a similar approach as described above.

We compare the results of our attack with other attacks in Table 7.3. We note that these attacks have two properties which make them inferior to our results:

• The attacks are statistical, i.e., while our approach ensures finding the key, statistical attacks may fail.

• The time complexities mentioned for these attacks are those required to retrieve several key bits, while our complexities are given for finding the entire key.


Table 7.3. Comparison of attacks on reduced-round DES where the success rate is at least 90%

# rounds   Type of attack and ref.   Data         Time
4          Differential              16 CPs       Negligible †
           Linear                    52 KPs       > 2^{13.7} †
           Algebraic ([47])          1 KP         2^{46}
           MitM ([44])               1 KP         2^{35} †
           MitM (this chapter)       1 KP         2^{32.0}
           MitM (this chapter)       15 KPs       2^{20.0}
           MitM (this chapter)       6 CCs        2^{19.3}
5          Differential              64 CPs       > 2^{11.7} †
           Linear                    72 KPs       > 2^{13.8} †
           Algebraic ([47])          3 KPs        2^{54.3}
           MitM ([44])               1 KP         2^{45.5} †
           MitM (this chapter)       51 KPs       2^{35.5}
           MitM (this chapter)       28 KPs       2^{37.9}
           MitM (this chapter)       8 CPs        2^{30}
6          Differential              256 CPs      2^{13.7}
           Linear                    > 104 KPs    2^{13.9} †
           Algebraic ([47])          N/A          2^{50.1}
           MitM ([44])               1 KP         2^{52.9} †
           MitM (this chapter)       1 KP         2^{51.8}

† The attack retrieves only parts of the key.

Following this, we present another novel approach to meet-in-the-middle attacks in which the meet occurs at the round keys instead of at the intermediate texts. We demonstrate this approach against 16-round GOST and 15-round XTEA.

We also apply the classical or straightforward meet-in-the-middle approach (such as the one used by Chaum and Evertse [44]) to 22-round GOST and 23-round XTEA. These attacks constitute the best low-data-complexity attacks over the entire key space, on the respective ciphers, in the standard setting. From the discussions in this chapter, one can immediately see that our attacks on r-round XTEA also apply to r-round XETA with identical time/data complexities and success probabilities.

The attack techniques and the attacks per se in this chapter have the following motivations.

1. The key is recovered with (nearly) guaranteed success.

2. The attack is in the standard setting.

3. The attack works for the full key space (i.e., no classes of weak keys are used).

4. Very few plaintext-ciphertext pairs are required.

7.2 Meet-in-the-Middle Attacks on DES

We shall now present our attacks on DES with up to 6 rounds. We first provide the specifications of DES and some related notation.

7.2.1 Specifications of DES

DES is the most popular Feistel cipher. In Sect. 1.1.2, we have already described the Feistel network; the outline of DES is in Figure 7.1.

The DES uses two 64-bit permutations – IP(·) and FP(·) – before and after the round functions, respectively. These permutations satisfy FP = IP^{−1}. As both IP(·) and FP(·) have no cryptographic effect, we disregard their existence. Let L_in, R_in be the left and right halves, respectively, entering the round, and let L_out, R_out be the left and right halves that the round outputs. Then, the round function is denoted by (L_out, R_out) = Round_{K_r}(L_in, R_in) and K_r ∈ {0,1}^{48} is the round subkey. Given this setting, one round of DES (without the swap of the Feistel construction) is represented by R_out = R_in, L_out = L_in ⊕ F(R_in, K_r).

The F-function of DES accepts an input of 32 bits along with a 48-bit subkey. The input is expanded into 48 bits (by duplicating 16 of the 32 input bits), and the expanded input is XORed with the subkey. The 48-bit outcome is divided into eight groups of six bits each. Each group enters a nonlinear lookup table, a 6×4 S-box. The same eight S-boxes S_1, S_2, ..., S_8 are applied in that order in each round. The output of the S-boxes is permuted according to some permutation table P, and becomes the output of F. The outline of F is given in Figure 7.2.

The KSA of DES takes as an input the 56-bit user supplied key, K, and produces 16 subkeys, K_1, ..., K_16, where each subkey is 48 bits long. The algorithm uses two tables, namely Permuted Choice-1 (PC-1) and Permuted Choice-2 (PC-2). For the discussions in this chapter, the details of how the subkeys are derived are not our primary focus. Therefore, we directly provide the subkeys, omitting the description of the KSA, and refer the reader interested in the description to [151].

7.2.2 An Alternative Description of DES

Since the entire Sect. 7.2 is based on [44], we retain the same alternative description of DES used by Chaum and Evertse. In their alternative description of DES, IP, FP, PC-1 are not used and E, P are combined into one table EP. This model makes the description of the results more clear, while not affecting the correctness of the result. The F-function of the alternative description is illustrated in Figure 7.3.

Figure 7.1. An alternative description of the general structure of the DES [figure not reproduced; it shows the input (L_0, R_0), sixteen rounds with round function f and subkeys K_1, ..., K_i, ..., K_16, and the output (L_16, R_16)]

Figure 7.2. F-function of DES [figure not reproduced; it shows R (32 bits) expanded by E to 48 bits, XORed with K (48 bits), passed through S_1, ..., S_8 and P, giving the 32-bit output]

Let K denote the full 56-bit user supplied key. Following [151], we use thebig endian notation; i.e., ‘bit 1’ is the MSB of the key, and ‘bit 56’ is its LSB.


Figure 7.3. An alternative description of DES' F-function [figure not reproduced; it shows R (32 bits) mapped by EP to 48 bits, XORed with K (48 bits), passed through S_1, ..., S_8, giving the 32-bit output]

We denote the i-th subkey by Ki. If Y is some variable (say, an intermediateencryption value or a key), we use Y [a–b] to denote bits a, . . . , b of Y .

7.2.3 Preliminaries of Our Attacks on 4-Round DES

We now describe our attacks on 4-round DES. Let d′[1–m] = G_K(p) and d′′[1–m] = H_K^{−1}(c). In our attacks on 4-round DES, as in the attack by Chaum and Evertse, G_K consists of the first 2 rounds of DES and H_K consists of rounds 3 and 4. Let us consider d′[9–12] and d′′[9–12] as illustrated in Figure 7.4.

It was observed in [44] that in order to compute d′[9–12] and d′′[9–12], it issufficient to guess only 37 key bits. Thus, if for a key guess the computed valuesof d′[9–12] and d′′[9–12] disagree, then the key guess cannot be correct (as it leadsto contradiction) and can be discarded.

Our main observation is the fact that the values of d′[9–12] and d′′[9–12] can becomputed by guessing fewer key bits in exchange for guessing internal bits. Now,d′[9–12] is given by:

d′[9–12] = L_0[9–12] ⊕ S_3[EP(R_0)[13–18] ⊕ K_1[13–18]] , (7.2)

and d′′[9–12] is given by:

d′′[9–12] = L_4[9–12] ⊕ S_3[EP(L_3)[13–18] ⊕ K_3[13–18]] . (7.3)

Let L_3 = [α1–α32], then

EP(L_3)[13–18] = [α17 α1 α15 α23 α26 α5] . (7.4)

If we guess K_1[13–18] and K_3[13–18], the only remaining unknowns in the computations of d′[9–12] and d′′[9–12] are α17, α1, α15, α23, α26, α5.

Consider α17. In order to compute this bit we can either guess key bits K_4[25–30] or guess α17 directly. Thus, a different attack algorithm for the meet-in-the-middle attack would be to guess all the 37 key bits suggested by Chaum and Evertse, except the 6 bits which compose K_4[25–30]. For each guess of the 31 key bits, we try the two possibilities of α17. If for both values the equality d′[9–12] = d′′[9–12] is not achieved, then the guess of the 31 bits is necessarily wrong. As for a specific (wrong) guess of the key and of α17 the probability of equality is 1/16, the probability that a wrong 31-bit key guess has at least one α17 for which the equality is satisfied is 1 − (15/16)^2 ≈ 1/8. Hence, we can guess 31 bits, and by trying the two possibilities of α17 reduce the number of remaining candidates to 2^{28}. From this point, we can either repeat Chaum and Evertse's original attack or use a more advanced approach. In Table 7.5 we list the required key bits for determining d′[9–12] and d′′[9–12] and note which of the key bits are used only once in the computations of d′ and d′′.

Figure 7.4. 4-round DES [figure not reproduced; it shows rounds 1–4 with round function f and subkeys K_1, ..., K_4, the states (L_0, R_0) to (L_4, R_4), the α bits entering round 3, and the meet in the middle between d′[1–32] and d′′[1–32]]

We can guess several αi values simultaneously, thus reducing the number of possible keys (in exchange for increasing the probability that a wrong key remains). For example, if we guess two intermediate encryption bits, the probability that a key remains is 1 − (15/16)^4 ≈ 2^{−2.1}. For three and four intermediate bits the remaining probabilities are 2^{−1.3} and 2^{−0.6}, respectively. This approach can lead, in the extreme, to the following meet-in-the-middle attack.


Table 7.4. Meet-in-the-middle on 4-round DES with 1 KP

Round   S-box   Number of   Guessed             Number of remaining
                key bits    intermediate bits   key guesses
3       S3      19          3                   2^{19} · 2^{−1.3} = 2^{17.7}
3       S2      +3          4                   2^{17.7} · 2^3 · 2^{−0.6} = 2^{20.1}
2       S1      +2          4                   2^{20.1} · 2^2 · 2^{−0.6} = 2^{21.5}
3       S4      +3          3                   2^{21.5} · 2^3 · 2^{−1.3} = 2^{23.2}
2†      S4      +1          3                   2^{23.2} · 2^1 · 2^{−1.3} = 2^{22.9}
3       S3      -           3                   2^{22.9} · 2^{−1.3} = 2^{21.6}
2       S2      -           4                   2^{21.6} · 2^{−0.6} = 2^{21.0}
3       S1      -           4                   2^{21.0} · 2^{−0.6} = 2^{20.4}
2       S8      +9          2 (−2)‡             2^{20.4} · 2^9 · 2^{−4.1} = 2^{25.3}
3       S5      +5          1 (−5)‡             2^{25.3} · 2^5 · 2^{−8} = 2^{22.3}
3       S6      +4          2 (−5)‡             2^{22.3} · 2^4 · 2^{−7.1} = 2^{19.2}
2       S7      +4          1 (−4)‡             2^{19.2} · 2^4 · 2^{−7} = 2^{16.2}
3       S7      +3          2 (−5)‡             2^{16.2} · 2^3 · 2^{−7.1} = 2^{12.1}
3       S8      +2          1 (−9)‡             2^{12.1} · 2^2 · 2^{−12} = 2^{2.1}
Exhaustively search the remaining 2^{2.1} keys.

† At this point the entire half of the key is known.
‡ The (−i) means that there are i bits that were earlier guessed and are now known (and can be used to discard wrong inconsistent guesses).

7.2.4 Attack on 4 Rounds Using One KP

We first define a procedure to analyse a meet-in-the-middle attack on a specific S-box. Attacking S_x in round 2 means that we guess the key which enters this S-box, as well as S_x in round 4 (in order to determine their outputs). We also need to know the 6 bits which enter this S-box; i.e., we need to know the output of 6 S-boxes in round 1. For example, performing a meet-in-the-middle on S_3 of round 3 involves guessing K_1[1–12], K_1[19–24], K_2[13–18], K_4[13–18] (a total of 19 bits), and guessing 3 intermediate encryption values (δ17, δ23, δ26; where L_2 = [δ1–δ32]). Thus, it is expected that after such an analysis, of the 2^{19} possible values for the 19-bit key, only 2^{17.7} values remain. Similarly, one can define a meet-in-the-middle attack on S_x in round 3 (while guessing the key of S_x in round 1, and the output of 6 S-boxes in round 4).

To describe the attack algorithm, we give the sequence of attacked S-boxes. For each step, we give the number of additional key bits to be guessed, along with the number of intermediate bits that we have to guess, and the number of remaining key guesses after the S-box is attacked. We can retrieve the full key using about 2^{32.0} 4-round DES encryptions by attacking the sequence of S-boxes given in Table 7.4.


7.2.5 Attack on 4 Rounds Using Multiple KPs

If several plaintext-ciphertext pairs are at our disposal, they can be used to deduce the value of the first 19 guessed bits in a more efficient way. We use the first plaintext-ciphertext pair to reduce the number of possible keys to 2^{17.7}. Then, using the next plaintext-ciphertext pair, we repeat the analysis (with fewer candidates for the 19 bits of the key). As the probability that a key remains after each iteration of the analysis is 1 − (15/16)^8 ≈ 0.4, the number of trials t required for discarding all the wrong keys satisfies 2^{19} · 0.4^t < 1. Thus, after using 15 plaintext-ciphertext pairs, we expect to have only the right value for the 19 key bits, which can then be used to retrieve the remaining key bits in a similar manner.

The time complexity of the attack in this case is about 2^{20} full 4-round DES encryptions (there are 2^{19} keys, and 2^3 intermediate values to check for each of them).
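The filtering idea of Sects. 7.2.3–7.2.5 can be run end to end on a cipher small enough to enumerate. The Python below is an added example and is not code from the thesis or from Chaum and Evertse: it constructs a 4-round Feistel cipher with 16-bit halves, four 4-bit S-boxes (PRESENT's S-box, used only as a convenient bijection) and an EP layer that, like E and P in DES, feeds each S-box one bit from each S-box output of the previous round. The meet is placed after round 2 on nibble 0, the analogue of d′[9–12] = d′′[9–12], so equation (7.1) is checked on 4 bits only. Computing the four bits of L_3 that enter the middle S-box from the key would need all 16 bits of K_4, 24 key bits in total; the filter instead computes two of them from two K_4 nibbles and guesses the other two, so a trial costs 16 key bits plus 2 intermediate bits, and a wrong key survives a pair only if one of the four guesses happens to satisfy the meet condition. Pairs are applied one after the other as in Sect. 7.2.5. All function names and the test data (a random key and 64 random known plaintexts) are ours.

```python
"""Toy 4-round Feistel cipher and a meet-in-the-middle filter that guesses
intermediate encryption bits in place of key bits (constructed example)."""
import random

# PRESENT's 4-bit S-box, used here only as a convenient bijection.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def ep_bit_pos(i, b):
    """Position in a 16-bit half of input bit b of S-box i. Each S-box reads
    one bit from each of the four S-box outputs of the previous round, the
    job E and P do together in DES (here a single table EP, no output P)."""
    return 4 * b + (i + b + 1) % 4


def ep_nibble(half, i):
    """The 4-bit input that S-box i receives from a 16-bit half."""
    return sum(((half >> ep_bit_pos(i, b)) & 1) << b for b in range(4))


def f(half, k):
    """Round function S(EP(half) xor k); output nibble i is S-box i's output."""
    out = 0
    for i in range(4):
        out |= SBOX[ep_nibble(half, i) ^ ((k >> (4 * i)) & 0xF)] << (4 * i)
    return out


def encrypt(l, r, subkeys):
    """Four Feistel rounds on a 32-bit block; key = four independent 16-bit subkeys."""
    for k in subkeys:
        l, r = r, l ^ f(r, k)
    return l, r


def decrypt(l, r, subkeys):
    for k in reversed(subkeys):
        l, r = r ^ f(l, k), l
    return l, r


def mitm_filter(pairs):
    """Meet after round 2 on nibble 0 of L2, the analogue of d'[9-12] = d''[9-12].

    Forward:  d'  = L0[0-3] xor S(EP(R0) for S-box 0 xor K1[0-3]); 4 key bits.
    Backward: d'' = L4[0-3] xor S(EP(L3) for S-box 0 xor K3[0-3]); 4 key bits
    plus four bits of L3 = R4 xor F(L4, K4), each from a different round-4
    S-box.  Deriving all four from the key needs all 16 bits of K4 (24 key
    bits in total).  Here bits 0 and 1 are derived from K4 nibbles 0 and 1
    and bits 2 and 3 are guessed: 16 key bits plus 2 intermediate bits.
    Returns the (K1[0-3], K3[0-3], K4[0-3], K4[4-7]) values consistent with
    every pair.  K2 never enters, since the meet is placed after round 2."""
    # which output bit of round-4 S-boxes 0 and 1 reaches S-box 0 of round 3
    j0, j1 = ep_bit_pos(0, 0) % 4, ep_bit_pos(0, 1) % 4
    prepared = [(l0 & 0xF, ep_nibble(r0, 0), l4 & 0xF,
                 ep_nibble(l4, 0), ep_nibble(l4, 1),
                 (r4 >> ep_bit_pos(0, 0)) & 1, (r4 >> ep_bit_pos(0, 1)) & 1)
                for (l0, r0), (l4, r4) in pairs]
    survivors = [(k1, k3, k40, k41) for k1 in range(16) for k3 in range(16)
                 for k40 in range(16) for k41 in range(16)]
    for l0n, a, l4n, e0, e1, r4b0, r4b1 in prepared:
        kept = []
        for cand in survivors:
            k1, k3, k40, k41 = cand
            d_fwd = l0n ^ SBOX[a ^ k1]
            x0 = r4b0 ^ ((SBOX[e0 ^ k40] >> j0) & 1)   # derived from K4[0-3]
            x1 = r4b1 ^ ((SBOX[e1 ^ k41] >> j1) & 1)   # derived from K4[4-7]
            # A wrong key survives this pair only if one of the 2^2 guesses for
            # the remaining two input bits happens to give d'' = d'.
            if any(d_fwd == (l4n ^ SBOX[(x0 | x1 << 1 | g << 2) ^ k3])
                   for g in range(4)):
                kept.append(cand)
        survivors = kept   # keys that failed on this pair are gone for good
    return survivors


def demo(n_pairs=64, seed=7):
    """Constructed data: a random key and n_pairs random known plaintexts."""
    rng = random.Random(seed)
    subkeys = [rng.getrandbits(16) for _ in range(4)]
    pairs = []
    for _ in range(n_pairs):
        l0, r0 = rng.getrandbits(16), rng.getrandbits(16)
        pairs.append(((l0, r0), encrypt(l0, r0, subkeys)))
    truth = (subkeys[0] & 0xF, subkeys[2] & 0xF,
             subkeys[3] & 0xF, (subkeys[3] >> 4) & 0xF)
    return truth, mitm_filter(pairs)


if __name__ == "__main__":
    truth, survivors = demo()
    print("true (K1[0-3], K3[0-3], K4[0-3], K4[4-7]):", truth)
    print("survivors:", survivors)
```

Running demo() leaves exactly four candidates: the right one and the three that differ from it only in bits 2–3 of K_3[0–3]. Those two key bits are XORed onto the two guessed intermediate bits, so any value for them is absorbed by the guess and cannot be determined by this step; a later step that uses the same key bits with another S-box has to fix them, which is the bookkeeping the "bits appearing once" column of Table 7.5 serves. The same effect is why guessing all the input bits of a bijective S-box filters nothing: every output becomes reachable, so the guessed bits must always be combined with bits derived from the key. Finally, 64 pairs are far more than the 15 the DES attack needs: a key guess that is wrong only in a K_4 nibble produces the right derived bit on a large fraction of the pairs (the S-box derivative in that direction is constant on up to 12 of the 16 inputs) and is eliminated slowly, whereas keys wrong in K_1 or K_3 die at roughly 1/4 per pair.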

7.2.6 Attack on 4 Rounds Using CCs

It is also possible to use CCs to improve the data complexity of the KP attack. If we choose the ciphertexts in such a way that the intermediate encryption bits which are guessed are the same for all the ciphertexts, we actually improve the filtering each new plaintext-ciphertext pair offers. This follows from the fact that in the KP scenario, each plaintext-ciphertext pair may allow a key guess to pass due to a different value in the intermediate encryption values. In the CC scenario, we first guess the 19 key bits. A key which is not discarded, but has fewer than 8 possible intermediate encryption values (which is the case for most of the keys), is tested with the next plaintext-ciphertext pair only with the intermediate encryption values which satisfied the meet-in-the-middle condition earlier.

A given key has probability 0.6 to be discarded with the first plaintext-ciphertext pair, probability 0.32 to pass to the next pair with only one candidate value for the intermediate encryption bits, probability 0.074 to pass to the next pair with two candidate values for the intermediate encryption bits, and so forth. Thus, it is expected that the next pair discards 15 out of 16 of the remaining keys with one value, and about 14 out of 16 of the keys remaining with two values (while reducing the number of possible intermediate encryption values of most of them to 1). We conclude that 6 CCs are sufficient to find the first 19 key bits (from where, by repeating the previous attacks, we can find the rest of the key). The running time of the attack is 2^{19.3} encryptions.

7.2.7 Attacks on 5-Round DES

In our attacks on 5-round DES, as in the attack by Chaum and Evertse, G_K consists of the first 2 rounds of DES and H_K consists of rounds 3, 4 and 5. We focus on the intermediary bits d′[41–44] and d′′[41–44].


Table 7.5. Key bits determining the middle bits of 4-round DES

Round/S-box   Key bits                  Bit determined   Bits appearing once †
1/3           5, 9, 13, 20, 24, 27                       24
3/3           2, 8, 12, 16, 23, 27
4/1           2, 7, 11, 17, 20, 23      α1               7, 11, 17
4/2           6, 9, 12, 16, 21, 27      α5               6, 21
4/4           5, 8, 13, 19, 22, 26      α15              19, 22, 26
4/5           30, 33, 37, 43, 47, 53    α17              30, 33, 37, 43, 47, 53
4/6           29, 36, 39, 46, 51, 54    α23              29, 36, 39, 46, 51, 54
4/7           31, 34, 40, 45, 50, 55    α26              31, 34, 40, 45, 50, 55

Bits of K not affecting (7.1): 1, 3, 4, 10, 14, 15, 18, 25, 28, 32, 35, 38, 41, 42, 44, 48, 49, 52, 56
† These bits appear only once in computing d′ and d′′.

Table 7.6. Key bits determining the middle bits of 5-round DES

Round/S-box   Key bits                  Bit determined   Bits appearing once †
1/1           2, 6, 12, 15, 18, 25      β1               2, 12
1/2           1, 4, 7, 11, 16, 22       β5               16
1/4           3, 8, 14, 17, 21, 28      β15              3, 17
1/5           32, 38, 42, 48, 53, 56    β17
1/6           31, 34, 41, 46, 49, 52    β23              34, 46
1/7           29, 35, 40, 45, 50, 54    β26              40, 50, 54
2/3           6, 10, 14, 21, 25, 28
4/3           1, 4, 10, 14, 18, 25
5/1           4, 9, 13, 19, 22, 25      γ1               9, 13, 19
5/2           1, 8, 11, 14, 18, 23      γ5               23
5/4           7, 10, 15, 21, 24, 28     γ15              24
5/5           32, 35, 39, 45, 49, 55    γ17              39, 55
5/6           31, 38, 41, 48, 53, 56    γ23
5/7           29, 33, 36, 42, 47, 52    γ26              33, 36, 47

Bits of K not affecting (7.1): 5, 20, 26, 27, 30, 37, 43, 44, 51
† These bits appear only once in the computation of d′ and d′′.

The attacks on 5-round DES proceed along the same lines as the attacks on4 rounds that were outlined in Sects. 7.2.3–7.2.6. Therefore, we present only theresults of our analysis of 5-round DES in Table 7.6. In this table (and the followingsection), [β1–β32] = R1, [γ1–γ32] = L4.

With 28 KPs our attack requires a time equivalent to 2^{37.9} 5-round encryptions. The time complexity is reduced to 2^{35.5} when 51 KPs are available. A further reduction of the time complexity to 2^{30} is possible if we have 8 CPs.


Table 7.7. Key bits determining the middle bits of 6-round DES

Round/S-box   Key bits                  Bit determined   Bits appearing once †
1/1           2, 6, 12, 15, 18, 25      β1
1/3           5, 9, 13, 20, 24, 27      β12
1/5           32, 38, 42, 48, 53, 56    β17
1/6           31, 34, 41, 46, 49, 52    β21
1/7           29, 35, 40, 45, 50, 54    β28
1/8           30, 33, 37, 43, 47, 51    β29
2/2           2, 5, 8, 12, 17, 23
4/2           6, 9, 12, 16, 21, 27
5/1           4, 9, 13, 19, 22, 25      γ1               4, 19
5/3           3, 6, 12, 16, 20, 27      γ12
5/5           32, 35, 39, 45, 49, 55    γ17
5/6           31, 38, 41, 48, 53, 56    γ21
5/7           29, 33, 36, 42, 47, 52    γ28              36
5/8           30, 37, 40, 44, 50, 54    γ29

There are no key bits of round 6 that appear only once in computing d′ and d′′.
Bits of K not affecting (7.1): 7, 28
† These bits appear only once in computing d′ and d′′.

7.2.8 Attacks on 6-Round DES

In our attacks on 6-round DES, as in the attack by Chaum and Evertse, GK consists of the first 3 rounds of DES and HK consists of rounds 4, 5 and 6. We consider the intermediate bits d′[5–8] and d′′[5–8].

The analysis of 6-round DES proceeds along the same lines as the analysis of 4-round DES presented in Sects. 7.2.3–7.2.6. We therefore present only the results of our analysis, in Table 7.7 (recall that [β1–β32] = R1 and [γ1–γ32] = L4).

7.3 Meet-in-the-Middle Attacks on XTEA and XETA

We shall now present our attacks on XTEA with up to 23 rounds. We first provide the specifications of XTEA and some related notation. We then describe our attacks, introducing a new approach to meet-in-the-middle attacks in the process. In the end, we argue why our attacks on XTEA also apply to XETA.

7.3.1 Notation and Conventions

We use the notation and conventions listed in Table 7.8.


Table 7.8. Notation

Symbol / Notation   Meaning
⊞                   Addition modulo 2^{32}
⌊x⌋                 max_{y ∈ Z} (y ≤ x), where Z is the set of integers
[i]                 Select bit i; i = 0 is the LSB
[j ... i]           Select bits k with j ≥ k ≥ i; k = 0 is the LSB

7.3.2 Specifications of XTEA

XTEA uses a modified Feistel network. The network uses a function F (see Figure 7.6) which takes a 32-bit input x and produces a 32-bit output as:

    F(x) = ((x \ll 4) \oplus (x \gg 5)) \boxplus x .   (7.5)

The 128-bit key K of XTEA is divided into four 32-bit subkeys K0, ..., K3. At every round, one of the 4 subkeys is selected according to the KSA. A constant δ = ⌊(√5 − 1) · 2^{31}⌋ is defined, derived from the golden ratio. Two bits from a different multiple of δ are used at every round as the index of the subkey. The 32-bit subkey αt used in round t, where 1 ≤ t ≤ 64, is chosen from the set {K0, K1, K2, K3} according to the following rule:

    \alpha_t \leftarrow \begin{cases} K_{\delta_t[1\ldots0]} & \text{if } t \text{ is odd}, \\ K_{\delta_t[12\ldots11]} & \text{if } t \text{ is even}, \end{cases}   (7.6)

where

    \delta_t = \lfloor t/2 \rfloor \cdot \delta , \quad 1 \le t \le 64 .   (7.7)

The two 32-bit parts of the 64-bit input to round t are denoted L_{t−1} and R_{t−1} (see Figure 7.5). For round 1, the plaintext p is used as input: (L0 ∥ R0) ← p. The input for round t + 1 is computed recursively from the input to round t as given by:

    L_t \leftarrow R_{t-1} ,   (7.8)

    R_t \leftarrow L_{t-1} \boxplus ((\delta_t \boxplus \alpha_t) \oplus F(R_{t-1})) ,   (7.9)

where αt is selected according to (7.6). For reference, we also list the subkeys used in every round in Table 7.9. The application of ⊞ (rather than ⊕) to L_{t−1} in (7.9) is the difference between XTEA and other 'Feistel ciphers'.

The ciphertext c of XTEA is produced by concatenating the two parts obtainedafter the 64th round: c← L64 ∥ R64.

Finally, we note that in the description above by round we mean a Feistel round.This is not to be confused with the term cycle used in the original proposal ofXTEA [156]. A cycle is equivalent to two Feistel rounds. Therefore XTEA has 64rounds or 32 cycles.


Table 7.9. Subkeys used in XTEA

Subkey   Rounds
K0       1, 8, 9, 10, 17, 18, 20, 25, 30, 33, 40, 41, 49, 50, 57, 60
K1       3, 6, 11, 16, 19, 26, 27, 28, 35, 36, 38, 43, 46, 48, 51, 58, 59
K2       4, 5, 13, 14, 21, 24, 29, 34, 37, 44, 45, 53, 54, 56, 61, 64
K3       2, 7, 12, 15, 22, 23, 31, 32, 39, 42, 47, 52, 55, 62, 63

Figure 7.5. The Feistel structure of XTEA showing two rounds

Figure 7.6. The function F used in the round function of XTEA

7.3.3 Motivational Observation

We begin by observing that the subkey K2 is not used in rounds 6–12. For the remainder of this section, let K ← (K0, K1, X, K3), where X can be any 32-bit value, as subkey K2 is irrelevant in the analysis. Given one plaintext-ciphertext pair (p0, c0), with each key guess, we check whether:

    E^{(6\ldots12)}_K(p_0) = c_0 ,   (7.10)

where E^{(6\ldots12)}_K denotes the 7-round (rounds 6–12) encryption using the key K. At first glance, it may appear that 1 KP is sufficient. However, it is to be noted that the key space (2^{96} keys K) is larger than the ciphertext space (2^{64} ciphertext blocks).

We now show that obtaining a second KP (p1, c1) is sufficient for an attack with an average time complexity² of 2^{95.00} 7-round encryptions and an average success probability of 1 − 2^{-33}. We iterate over the 2^k keys K, where k = 96. For every candidate key K, (7.10) is tested using the first KP. If this equality is satisfied, the second KP is used to check:

    E^{(6\ldots12)}_K(p_1) = c_1 .   (7.11)

If either (7.10) or (7.11) is not satisfied, the candidate key K is incorrect and can be sieved. The approximate number of plaintext-ciphertext pairs that are needed can also be estimated from Shannon's unicity distance [206].

We make the reasonable assumption throughout Sect. 7.3 that the 7-, 15- and23-round block ciphers that we consider have perfect confusion and diffusionproperties [206]. If either the plaintext or the key, or both are changed, it isassumed that the corresponding ciphertext will be generated uniformly at random,independent from previously obtained ciphertexts.

Under this assumption, each of the 64-bit conditions that result from (7.10) and (7.11) is satisfied with probability 2^{-64} when the guessed key is incorrect. Each time complexity is stated as the number of equivalent encryptions of the corresponding reduced-round block cipher.

The average success probability can be calculated as follows. For a wrong key guess, the two 64-bit conditions are simultaneously satisfied with probability 2^{-2·64} = 2^{-128}. We can therefore eliminate a wrong key with probability 1 − 2^{-128}. Assume that key i is the correct key, where 0 ≤ i < 2^k. It will be output by the algorithm if all previous keys are eliminated. This happens with probability (1 − 2^{-128})^i. The correct key can be located anywhere among the list of 2^k candidate keys with equal probability. Therefore, the average success probability is:

    2^{-k} \cdot \sum_{i=0}^{2^k-1} (1 - 2^{-128})^i = 2^{128-k} \cdot \left(1 - (1 - 2^{-128})^{2^k}\right) \approx 2^{128-k} \cdot \left(1 - e^{-2^{k-128}}\right) \approx 1 - 2^{-33} .   (7.12)

² Note that this is different from the case of DES, where we evaluated worst-case time complexity and success probability. The pros and cons of worst- and average-case analyses are discussed in Sect. 7.5.


The approximations result from using the first and the second order Taylor approximations of e^x around 0. We now calculate the time complexity of the attack. Given 2 KPs, for a candidate key K to be determined as wrong, the expected number of trials is 1 + 2^{-64}. This is because for every wrong key, (7.10) is always checked, and for a fraction 2^{-64} of the wrong keys (7.11) is checked as well. If the candidate key is correct, two encryptions are always performed. As the correct key can be located anywhere in the list of 2^k candidate keys with equal probability, the average number of encryptions of the attack algorithm³ is:

    2^{-k} \cdot \sum_{i=0}^{2^k-1} \left(i \cdot (1 + 2^{-64}) + 2\right) = 2^{-1} \cdot (1 + 2^{-64}) \cdot (2^k - 1) + 2 \approx 2^{95.00} .   (7.13)

From Table 7.9, we obtain several other 7-round block ciphers that can be attacked in a similar way. Table 7.10 lists all such ciphers.

Table 7.10. All 7-round attacks; each attack requires 2 KPs and on average 2^{95.00} computations of the 7 rounds for an average success probability of 1 − 2^{-33}

Cipher consisting of XTEA rounds   Unused subkey
6–12                               K2
24–30                              K3
42–48                              K0
46–52                              K2

Finally, we note that for n = 0 and n = 1 respectively, one can replace both (7.10) and (7.11) with:

    E^{(6\ldots r-1)}_K(p_n) = D^{(r\ldots12)}_K(c_n) ,   (7.14)

where r ∈ {6, ..., 12}, E^{(6\ldots5)}_K(p_n) = p_n, and D^{(r\ldots12)}_K denotes the (13 − r)-round (rounds r–12) decryption using the key K.⁴ Therefore, what has essentially been constructed above can be viewed as meet-in-the-middle attacks. In (7.14), the value of r determines the subkeys that are required for encryption and decryption.

7.3.4 Attacks on 15 Rounds of XTEA

The attack described in Sect. 7.3.3 on rounds 6–12 can be extended to rounds 6–20 as follows. First, the attacker performs a meet-in-the-middle attack in which the (partial) encryptions and decryptions cannot be performed over all rounds: the attacker only exhaustively searches over part of the key. From the remaining rounds, however, the number of possibilities for the full key is reduced. Only three KPs (p_n, c_n), 0 ≤ n < 3, are required for the attack.

³ As mentioned in footnote 5 of Chapter 1, we have implicitly assumed here that the algorithm outputs the correct key. The error in the average number of encryptions caused by this assumption is negligible because the success probability is very close to 1. In this chapter, we make the same assumption (for the same reason) in the subsequent attacks.

⁴ Given the assumption that a 7-round block cipher has perfect confusion and diffusion, separate assumptions are not required for these further reduced block ciphers.

Let us now split a reduced-round XTEA block cipher into outer rounds andinner rounds. In the outer rounds, one particular subkey is not used, whereas theinner rounds use only this subkey. The attack is described for rounds 6–20. Ascan be seen from Table 7.9, the outer rounds (6–12) and (15–20) do not involveK2, whereas the two inner rounds (13–14) use only K2.

By encrypting plaintext p0 from round 6 to round 12 (i.e., until the beginning of round 13) and decrypting the corresponding ciphertext c0 for 6 rounds starting backwards from round 20, we obtain the subkeys used in the inner rounds. They are denoted as K2′ and K2′′ for inner rounds 13 and 14 respectively. Then, the attacker checks whether K2′ = K2′′. This can be understood from Figure 7.5. Therefore, not the ciphertext values (as in Sect. 7.3.3), but the key values 'meet in the middle'. To the best of our knowledge, this is the first case where such an approach is used.

If K2′ ≠ K2′′, the candidate key (K0, K1, K3) cannot be correct, and the attacker proceeds to the next candidate key. Otherwise, the candidate key is extended to (K0, K1, K2, K3), where K2 = K2′ = K2′′. Then, the meet-in-the-middle attack is performed as described in Sect. 7.3.3. That is, a plaintext is encrypted with the candidate key (K0, K1, K2, K3), to check whether the computed ciphertext agrees with the actual (corresponding) ciphertext. For the 15-round attack, it is sufficient to use two additional KPs: (p1, c1) and (p2, c2).

The average success probability can be calculated as follows. Using (p0, c0), a 32-bit condition is obtained when K2′ = K2′′ is checked. Then, (p1, c1) and (p2, c2) each give an additional 64-bit condition. A wrong key will pass these tests with probability⁵ 2^{-32} · (2^{-64})^2 = 2^{-160}. Thus, with probability 1 − 2^{-160}, a wrong key is eliminated. Assume that i is the correct key, where 0 ≤ i < 2^k. It will be output by the algorithm if all previous keys are eliminated. This happens with probability (1 − 2^{-160})^i. The correct key can be located anywhere among the list of 2^k candidate keys with equal probability. The average success probability is:

    2^{-96} \cdot \sum_{i=0}^{2^{96}-1} (1 - 2^{-160})^i = 2^{160-96} \cdot \left(1 - (1 - 2^{-160})^{2^{96}}\right) \approx 2^{64} \cdot \left(1 - e^{-2^{-64}}\right) \approx 1 - 2^{-65} .   (7.15)

We now calculate the time complexity of the attack. For a candidate key (K0, K1, K3) to be determined as wrong, the expected number of trials is 1 + 2^{-32} + 2^{-96}. This is because for every wrong candidate key (K0, K1, K3), the attacker always checks whether K2′ = K2′′. For a fraction 2^{-32} and 2^{-96} of the (wrong) candidate keys, the attacker encrypts using the second and third KP respectively. If the candidate key is correct, the equivalent of three encryptions is always performed. As the correct key can be located anywhere in the list of 2^{96} candidate keys with equal probability, the average number of (equivalent) encryptions of the algorithm is:

    2^{-96} \cdot \sum_{i=0}^{2^{96}-1} \left(i \cdot (1 + 2^{-32} + 2^{-96}) + 3\right) = 2^{-1} \cdot (1 + 2^{-32} + 2^{-96}) \cdot (2^{96} - 1) + 3 \approx 2^{95.00} .   (7.16)

⁵ If the texts obtained by encrypting p0 and decrypting c0 in the 13 outer rounds are distributed uniformly at random, then so are the subkeys K2′ and K2′′.

Finally, in Table 7.11, we provide a list of all 15-round block ciphers that canbe attacked with the same complexity.

Table 7.11. All 15-round attacks; each attack requires 3 KPs and on average 2^{95.00} computations of the 15 rounds for an average success probability of 1 − 2^{-65}

Cipher consisting of XTEA rounds   Inner rounds   Inner round subkey
6–20                               13, 14         K2
16–30                              22, 23         K3
24–38                              31, 32         K3
34–48                              40, 41         K0
38–52                              44, 45         K2
42–56                              49, 50         K0

7.3.5 Attacks on 23 Rounds of XTEA

In this section, we extend the 15-round attack of Sect. 7.3.4 to 23 rounds. This 23-round attack has an average time complexity of 2^{117.00} (equivalent) encryptions and an average success probability of 1 − 2^{-1025}. It requires only 18 known (not chosen) plaintexts and corresponding ciphertexts. For the same number of rounds, both the time complexity and the data complexity of our attack are much lower than those in [97]. Our attack is therefore the best attack on 23-round XTEA so far in the standard setting, and the only attack requiring such a low number of plaintexts and corresponding ciphertexts. We note that the attack has been optimised to have the time complexity as low as possible. It is possible to reduce the number of KPs even further, but not without increasing the time complexity of the attack.

The technique used is a straightforward meet-in-the-middle approach, similar to the approach used in [44]. As in Sect. 7.3.4, the reduced-round XTEA block cipher is split into outer rounds and inner rounds. In the outer rounds, one subkey is not used. The inner rounds can contain any of the subkeys. Our attack applies to rounds 16–38 of XTEA. Rounds 16–21 and 33–38 are the outer rounds, and do not involve subkey K3. The inner rounds are rounds 22–32. The attack is a sieving attack, as the correct key is found by eliminating keys that lead to contradictions. The attack is given in Algorithm 7.1.

The k-bit key is recovered in two stages. First, the attacker exhaustively searches over k1 bits of the key K and uses m KPs to check a one-bit condition that each of the m plaintexts yields. These k1 bits consist of K0, K1, K2, and the 21 LSBs of K3. This one-bit condition, tested in test_keys_1(K), results from the following observation, also illustrated in Appendix E.1. We see that, without using K3[31 ... 21], the attacker can calculate L27[0] ← E^{(16...27)}_K(p)[0] and L′27[0] ← D^{(28...38)}_K(c)[0]. As L27[0] = L′27[0] always holds if the candidate key K is correct, a wrong key can be discarded if L27[0] ≠ L′27[0]. Note that only k1 bits of the candidate key K are used to test this condition, as the remaining k2 bits do not affect this condition.

If none of the m plaintexts causes a key to be discarded, the attacker exhaustively searches over the remaining k2 bits of key K in test_keys_2(K). These k2 bits are the 11 MSBs of K3. In this stage, ℓ ≤ m of the m plaintexts are reused. Now, (L27, R27) ← E^{(16...27)}_K(p) and (L′27, R′27) ← D^{(28...38)}_K(c) are recalculated using the full key K. For efficiency, this calculation is sped up by using stored values p⋆n and c⋆n for the outer rounds, and encrypting only the inner rounds. The equations L27 = L′27 and R27 = R′27 yield only 63-bit conditions, as L27[0] = L′27[0] was already tested. If both equations are satisfied for all ℓ plaintexts, the candidate key K is output as the correct key, and the algorithm halts.
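The two 'meeting' conditions of Sects. 7.3.4 and 7.3.5 can be checked directly once XTEA is written round by round as in (7.5)–(7.9). The following Python is an added example, not code from the thesis or from the XTEA designers: it implements the per-round description above, reproduces Table 7.9 from (7.6)–(7.7), recovers K2′ and K2′′ from inner rounds 13 and 14 on constructed keys and texts (Sect. 7.3.4), and checks empirically that L27[0] and L′27[0] are unaffected by K3[31 ... 21] but do depend on K3[20] (Sect. 7.3.5). ZERO_VECTOR is the published XTEA output for an all-zero key and plaintext; all other keys, texts, seeds and function names are this example's own.

```python
"""XTEA written round by round as in Sect. 7.3.2, plus the two 'meet'
conditions of Sects. 7.3.4 and 7.3.5.  Added example, not code from the
thesis: the cipher follows the public XTEA specification as (7.5)-(7.9);
keys, texts and seeds are constructed; ZERO_VECTOR is the published
reference output for an all-zero key and plaintext."""
import random

MASK = 0xFFFFFFFF
DELTA = 0x9E3779B9                  # floor((sqrt(5) - 1) * 2^31)
ZERO_VECTOR = 0xDEE9D4D8F7131ED9    # XTEA(K = 0, p = 0), all 64 rounds

def F(x):
    """(7.5): F(x) = ((x << 4) xor (x >> 5)) + x mod 2^32."""
    return ((((x << 4) & MASK) ^ (x >> 5)) + x) & MASK

def delta_t(t):
    """(7.7): delta_t = floor(t/2) * delta mod 2^32."""
    return ((t // 2) * DELTA) & MASK

def subkey_index(t):
    """(7.6): index into (K0, K1, K2, K3) of the subkey used in round t."""
    d = delta_t(t)
    return d & 3 if t % 2 else (d >> 11) & 3

def round_enc(L, R, t, K):
    """(7.8)-(7.9): (L_{t-1}, R_{t-1}) -> (L_t, R_t)."""
    return R, (L + (((delta_t(t) + K[subkey_index(t)]) & MASK) ^ F(R))) & MASK

def round_dec(L, R, t, K):
    """Inverse of round t: (L_t, R_t) -> (L_{t-1}, R_{t-1})."""
    return (R - (((delta_t(t) + K[subkey_index(t)]) & MASK) ^ F(L))) & MASK, L

def encrypt_rounds(p, K, first, last):
    """E^{(first...last)}_K on the 64-bit block p = L || R."""
    L, R = p >> 32, p & MASK
    for t in range(first, last + 1):
        L, R = round_enc(L, R, t, K)
    return (L << 32) | R

def decrypt_rounds(c, K, first, last):
    """D^{(first...last)}_K: undo rounds last, last - 1, ..., first."""
    L, R = c >> 32, c & MASK
    for t in range(last, first - 1, -1):
        L, R = round_dec(L, R, t, K)
    return (L << 32) | R

def rounds_using(k):
    """Rounds 1..64 in which K_k is selected: one row of Table 7.9."""
    return [t for t in range(1, 65) if subkey_index(t) == k]

def inner_subkeys_rounds_13_14(p, c, K0, K1, K3):
    """Sect. 7.3.4 on rounds 6-20: rounds 6-12 forward and 20-15 backward
    with a dummy K2, then (7.9) solved for the subkey of rounds 13 and 14.
    Returns (K2', K2''); they agree for the right (K0, K1, K3)."""
    K = (K0, K1, 0, K3)                      # X = 0: K2 is unused outside 13-14
    s = encrypt_rounds(p, K, 6, 12)
    L12, R12 = s >> 32, s & MASK
    e = decrypt_rounds(c, K, 15, 20)
    L14, R14 = e >> 32, e & MASK             # L14 = R13 and L13 = R12 by (7.8)
    k2a = ((((L14 - L12) & MASK) ^ F(R12)) - delta_t(13)) & MASK
    k2b = ((((R14 - R12) & MASK) ^ F(L14)) - delta_t(14)) & MASK
    return k2a, k2b

def demo_rounds_6_20(seed=5):
    """Constructed instance: the right (K0, K1, K3) gives K2' = K2'' = K2;
    a wrong K1 makes the two recovered values disagree."""
    rng = random.Random(seed)
    K = [rng.getrandbits(32) for _ in range(4)]
    p = rng.getrandbits(64)
    c = encrypt_rounds(p, K, 6, 20)
    right = inner_subkeys_rounds_13_14(p, c, K[0], K[1], K[3]) == (K[2], K[2])
    k2a, k2b = inner_subkeys_rounds_13_14(p, c, K[0], K[1] ^ 1, K[3])
    return right, k2a != k2b

def middle_bits(p, c, K):
    """Sect. 7.3.5 on rounds 16-38: (L27[0], L'27[0]) from both directions."""
    return ((encrypt_rounds(p, K, 16, 27) >> 32) & 1,
            (decrypt_rounds(c, K, 28, 38) >> 32) & 1)

def k3_high_bits_irrelevant(trials=200, seed=1):
    """Flip each of K3[31...21] and K3[20] on constructed keys and texts.
    Returns (any change from K3[31...21], any change of L27[0] from K3[20])."""
    rng = random.Random(seed)
    high = low = False
    for _ in range(trials):
        K = [rng.getrandbits(32) for _ in range(4)]
        p, c = rng.getrandbits(64), rng.getrandbits(64)
        base = middle_bits(p, c, K)
        for b in range(21, 32):
            Kb = K[:]
            Kb[3] ^= 1 << b
            high |= middle_bits(p, c, Kb) != base
        Kb = K[:]
        Kb[3] ^= 1 << 20
        low |= middle_bits(p, c, Kb)[0] != base[0]
    return high, low
```

Inverting one round for its subkey is just (7.9) solved for αt, namely αt = ((Rt ⊟ L_{t−1}) ⊕ F(R_{t−1})) ⊟ δt, which is why the subkeys of rounds 13 and 14 can be read off from the two partial computations once (L12, R12) and (L14, R14) are known. The bit-0 check rests on modular addition propagating carries only upwards: bit 0 of each intermediate word depends only on the low-order bits of the words before it, so the 11 MSBs of K3 never reach L27[0] from either direction, while K3[20] does reach it through the x ≫ 5 term of F.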

Let us now determine the average time complexity and the average successprobability of Algorithm 7.1.

The algorithm succeeds if no wrong key K that passes all m + ℓ tests isencountered before the correct key. How efficiently the attacker searches throughthese candidate keys K, does not influence the success probability of Algorithm 7.1.We therefore assume that the exhaustive search is over 2k keys, and then bothtest keys 1(K) and test keys 2(K) are performed for each of these keys.

Each of the m plaintexts yields a one-bit condition in test_keys_1(K), satisfied randomly with a probability of 2^{-1} for a wrong key guess. When ℓ ≤ m of these plaintexts are reused in test_keys_2(K), there is a condition on the 63 remaining bits, satisfied randomly with a probability of 2^{-63}. A wrong key will be detected if at least one of the m + ℓ tests fails. This eliminates a wrong key with a probability of 1 − 2^{-m} · 2^{-63ℓ}. Assume that i is the correct key, where 0 ≤ i < 2^k. Then, it will be output by the algorithm if all previous candidate keys lead to contradictions. This happens with probability (1 − 2^{-m} · 2^{-63ℓ})^i. As the correct key can be located anywhere in the list of 2^k candidate keys with equal probability, the average success probability of the algorithm is:

    2^{-k} \cdot \sum_{i=0}^{2^k-1} (1 - 2^{-m} \cdot 2^{-63\ell})^i = 2^{m+63\ell-k} \cdot \left(1 - (1 - 2^{-m-63\ell})^{2^k}\right) \approx 2^{m+63\ell-k} \cdot \left(1 - e^{-2^{k-m-63\ell}}\right) .   (7.17)

We now calculate the time complexity of the attack. Let i and j (where 0 ≤ i < 2^{k1} and 0 ≤ j < 2^{k2}) be parts of the correct key K^c, where i = (K^c_0, K^c_1, K^c_2, K^c_3[20 ... 0]) and j = K^c_3[31 ... 21]. Any 117-bit key (K0, K1, K2, K3[20 ... 0]) tested in test_keys_1(K) before the correct key passes test_keys_1(K) with probability 2^{-m}. Therefore, of the i 117-bit keys tested before the correct key, i · 2^{-m} keys are expected to pass test_keys_1(K). For each of these i · 2^{-m} keys, test_keys_2() is performed 2^{k2} times. Summarising,

• the attacker performs an expected i · T1 23-round computations, where T1is the expected number of 23-round computations for a wrong key undertest keys 1();

• the attacker additionally performs an expected i · 2−m · 2k2 · T2 23-roundcomputations, where T2 is the expected number of 23-round computationsfor a wrong key under test keys 2().

It is easy to see that

    T_1 \triangleq \sum_{i=0}^{m-1} 2^{-i} .   (7.18)

To compute T2, note that test_keys_2() only encrypts the 11 inner rounds again, and uses stored values for the (partial) encryptions and decryptions of the outer rounds. This is equivalent to 11/23 encryptions of the 23-round block cipher and therefore

    T_2 \triangleq \frac{11}{23} \cdot \sum_{j=0}^{\ell-1} 2^{-63j} .   (7.19)

For the correct (partial) key i, the number of steps under test_keys_1() is m. To determine the remaining part of the correct 128-bit key K^c, the attacker performs an expected j · T2 + (11/23) · ℓ 23-round computations, where:

1. j · T2 is the expected number of 23-round computations, under test_keys_2(), for all the j wrong (partial) keys preceding key j;

2. ℓ is the number of 11-round steps under test_keys_2() for the correct key j.

As the correct key j can take any value in the set {0, ..., 2^{k2} − 1}, the average number of 23-round computations corresponding to the correct key i is:

    2^{-k_2} \cdot \sum_{j=0}^{2^{k_2}-1} \left(j \cdot T_2 + \frac{11}{23} \cdot \ell\right) .   (7.20)

As the correct key i can take any value in the set {0, ..., 2^{k1} − 1}, the average number of 23-round computations in total is:

    2^{-k_1} \cdot \sum_{i=0}^{2^{k_1}-1} \left( i \cdot T_1 + m + i \cdot 2^{-m} \cdot 2^{k_2} \cdot T_2 + 2^{-k_2} \cdot \sum_{j=0}^{2^{k_2}-1} \left(j \cdot T_2 + \frac{11}{23} \cdot \ell\right) \right) .   (7.21)

The derivation of (7.21) will be more clear from Figure E.1 in Appendix E.1.We now choose the parameters m and ℓ for the attack on rounds 16–38.

From (7.21), we find that we cannot lower the average time complexity below 2^{117.00}. Therefore, we choose m and ℓ such that we have the lowest number of KPs, and the highest success probability for this particular time complexity. Setting m = ℓ = 18, we find that 18 KPs are sufficient, and that the corresponding success probability using (7.17) is 1 − 2^{-1025}. Note that an exhaustive search over the full k-bit key using 18 KPs has the same success probability. This shows that all KPs are optimally used in our attack from an information theoretic point of view [206]. The number of KPs may still be lowered further, but then the time complexity must increase. This can be done by, say, increasing k1 (and thus performing the meet-in-the-middle on more than one bit).⁶ We do not consider such options, as the number of KPs in our attack is already low enough for a practical attack. The time complexity, however, is still beyond reach with current hardware. Our 23-round attack requires only negligible memory (about 4 · 64 · 18 = 2^{12.17} bits to store the (pn, cn) and (p⋆n, c⋆n) values).
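To see where the floor of 2^{117.00} and the choice m = ℓ = 18 come from, the sums in (7.17)–(7.21) can be evaluated in closed form. The Python below is an added example (not from the thesis) that does exactly that: it collapses the outer sums with Σ_{i<N} i = N(N − 1)/2, applies the same second-order Taylor expansion of e^x already used in (7.12) to (7.17), and searches for the smallest m (with ℓ = m) whose time, rounded to two decimals as in the text, reaches the floor. Function names, the defaults for k1, k2 and the inner/total round counts, and the rounding convention are this example's own.

```python
"""Closed-form evaluation of (7.17)-(7.21) for the 23-round XTEA attack of
Sect. 7.3.5.  Added example, not code from the thesis; it only evaluates the
thesis' own formulas.  Defaults describe rounds 16-38 (k1 = 117, k2 = 11,
11 inner rounds of 23); the Table 7.12 variants use k1 = 122, k2 = 6."""
from math import log2


def T1(m):
    """(7.18): expected 23-round computations spent on a wrong key in test_keys_1."""
    return sum(2.0 ** -i for i in range(m))


def T2(l, inner=11, total=23):
    """(7.19): test_keys_2 re-encrypts only the inner rounds, so each of its at
    most l steps costs inner/total of one reduced-round encryption."""
    return inner / total * sum(2.0 ** (-63 * j) for j in range(l))


def avg_time_log2(m, l, k1=117, k2=11, inner=11, total=23):
    """(7.21) in closed form, using sum_{i<N} i = N(N-1)/2 for both sums.
    Returns log2 of the average number of reduced-round computations."""
    n1, n2 = 2.0 ** k1, 2.0 ** k2
    t1, t2 = T1(m), T2(l, inner, total)
    correct_i = m + t2 * (n2 - 1) / 2 + inner / total * l   # m plus (7.20)
    per_wrong_i = t1 + 2.0 ** -m * n2 * t2                  # the two bullet items
    return log2((n1 - 1) / 2 * per_wrong_i + correct_i)


def failure_log2(m, l, k=128):
    """(7.17): with x = 2^{k-m-63l} tiny, (1/x)(1 - e^{-x}) = 1 - x/2 + O(x^2),
    so the success probability is 1 - 2^e with e = k - m - 63l - 1."""
    return k - m - 63 * l - 1


def choose_m(k1=117, k2=11, inner=11, total=23):
    """Smallest m (taking l = m: l <= m, and a larger l only helps (7.17)) whose
    time, rounded to two decimals, equals the floor reached for large m.
    Returns (m, floor)."""
    floor = round(avg_time_log2(64, 64, k1, k2, inner, total), 2)
    for m in range(1, 65):
        if round(avg_time_log2(m, m, k1, k2, inner, total), 2) <= floor:
            return m, floor
    raise AssertionError("no m reaches the floor")


if __name__ == "__main__":
    print("rounds 16-38:", choose_m(), "failure exponent", failure_log2(18, 18))
    print("12 inner rounds, k1 = 122:", choose_m(122, 6, 12), failure_log2(13, 13))
```

The floor is essentially 2^{k1}: for large m the wrong-key cost T1 tends to 2 and the 2^{-m} · 2^{k2} · T2 term vanishes, so (2^{k1} − 1)/2 · 2 ≈ 2^{k1}. What limits m from below is the second term, which for m = 17 still adds about 2^{-7} to the per-key cost and pushes the rounded exponent to 117.01.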

As shown in Table 7.12, a total of 12 variants of the XTEA block cipher can be attacked, where each variant consists of 23 rounds. For rounds 34–56, the attack works in exactly the same way as for 16–38, and has the same complexities. The 10 other attacks require that k1 = 122: the exhaustive search is now over all but the 6 MSBs of one subkey in Algorithm 7.1, in order to obtain a condition on one bit to perform the meet-in-the-middle. The middle bit involved in this condition is given as well in Table 7.12.

Using (7.21), we calculate the time complexity for the 10 attacks that use 12 or 13 inner rounds. The lowest possible average time complexity for our attack strategy is 2^{122.00}. For this time complexity, the best parameters are m = ℓ = 13. We then obtain an average success probability of 1 − 2^{-705}, using 13 KPs. Again,

6In the attack, one bit in the middle is independent of 11 key bits. Two bits in the middleare simultaneously independent of fewer than 11 key bits, thereby corresponding to a larger k1.


each of these attacks requires only negligible memory (about 2^{11.70} bits to store the (pn, cn) and (p⋆n, c⋆n) values).

Table 7.12. All 23-round attacks

Total rounds   Inner rounds   Middle bit   Unused key bits   # inner rounds
16–38          22–32          L27[0]       K3[31 ... 21]     11
34–56          40–50          L45[0]       K0[31 ... 21]     11
6–28           13–24          L19[0]       K2[31 ... 26]     12
8–30           12–23          L18[0]       K3[31 ... 26]     12
24–46          31–42          L37[0]       K3[31 ... 26]     12
26–48          30–41          L36[0]       K0[31 ... 26]     12
30–52          34–45          L40[0]       K2[31 ... 26]     12
42–64          49–60          L55[0]       K0[31 ... 26]     12
20–42          26–38          L32[0]       K1[31 ... 26]     13
38–60          44–56          L50[0]       K2[31 ... 26]     13
2–24           8–20           L14[0]       K0[31 ... 26]     13
12–34          16–28          L22[0]       K1[31 ... 26]     13

7.3.6 Attacks on XETA

As mentioned earlier, the cipher XETA is a close variant of XTEA, the only difference being the precedence of XOR over addition in the round function. Recall that our attacks on XTEA exploit weaknesses in the KSA, and the exact same algorithm constitutes the KSA of XETA. Therefore, all attacks in Sects. 7.3.3–7.3.5 are applicable to XETA as well.

7.4 Meet-in-the-Middle Attacks on GOST

We shall now present our attacks on GOST with up to 22 rounds. We first describe GOST and provide some related notation.

7.4.1 Specifications of GOST

Let ⊞ and ⊟ respectively denote addition and subtraction modulo 2^{32}. The 256-bit key K of GOST is divided into eight 32-bit subkeys K0, ..., K7. At every round, one of the 8 subkeys is selected according to a simple KSA. The 32-bit subkey αi used in round i, where 1 ≤ i ≤ 32, is chosen from the set {K0, ..., K7} according to the following rule:

    \alpha_i \leftarrow \begin{cases} K_{(i-1) \bmod 8} & \text{if } i \in \{1, \ldots, 24\} , \\ K_{(32-i) \bmod 8} & \text{if } i \in \{25, \ldots, 32\} . \end{cases}   (7.22)


Biryukov and Wagner showed in [34] that the reversal in the order in which thesubkeys are used in the last 8 rounds, helps preclude slide attacks. In the followingsections, we will show that this reversal in the subkey order is not a good designchoice with respect to meet-in-the-middle attacks.

The round function of GOST is very similar to that of DES. Each round uses eight 4 × 4 S-boxes. The concatenated output of the 8 S-boxes of round i is denoted by S(x), where the input x is split into 4-bit words. The input for round i + 1 is computed iteratively from the input to round i as:

    L_i \leftarrow R_{i-1} , \qquad R_i \leftarrow L_{i-1} \oplus \left(S(R_{i-1} \boxplus \alpha_i) \lll 11\right) ,

where αi is selected according to (7.22).

The ciphertext c of GOST is produced by concatenating the two parts obtainedafter the 32nd round: c← R32 ∥ L32. A full description of the GOST block cipheris given in [168].

Note that [168] does not specify the S-boxes. Saarinen [187] has developed an attack with 2^{32} CPs to recover the S-boxes, assuming the attacker has black-box access to the encryption device and can specify the key used to encrypt. As his attack works for any number of rounds, it can be used to turn each of the attacks in this section into an attack with secret S-boxes: first, the S-boxes are recovered using Saarinen's attack, and afterwards the secret key is recovered.

7.4.2 Attacking up to 14 Rounds of GOST

We first observe that there are many block ciphers consisting of r rounds (8 ≤ r ≤ 14) of GOST in which at least one subkey is not used. It immediately follows that these ciphers can be attacked faster than exhaustive key search.

From (7.22), we obtain these ciphers with unused subkey(s). Table 7.13 lists all of them.

Table 7.13. All r-round block ciphers, where 8 ≤ r ≤ 14, with unused subkeys

# rounds   Rounds
8          18–25, 19–26, 20–27, 21–28, 22–29, 23–30, 24–31
9          18–26, 19–27, 20–28, 21–29, 22–30, 23–31
10         18–27, 19–28, 20–29, 21–30, 22–31
11         18–28, 19–29, 20–30, 21–31
12         18–29, 19–30, 20–31
13         18–30, 19–31
14         18–31

The complexities of the attacks on the block ciphers listed in Table 7.13 arecomputed in the same manner as in Sect. 7.3.3.7 Therefore, we provide onlythe average time complexities (average number of equivalent encryptions of thecorresponding reduced-round block ciphers) and the average success probabilities

7Here again, we use the reasonable assumption that the block ciphers in Table 7.13 and the16- and 22-round ciphers that we consider have perfect confusion and diffusion properties [206].


of the attacks, in Table 7.14. In this table, s, k and n respectively denote the number of unused subkeys, the effective key length (i.e., 256 − 32s) and the number of plaintext-ciphertext pairs required for the attack. (The approximate number of plaintext-ciphertext pairs that are needed can also be calculated from Shannon's unicity distance [206] as k/64.) An implicit assumption is that 2^{k − 64n} ≈ 0, for the Taylor approximations (similar to that in (7.12)) of e^x around 0 to hold. We see that every entry in Table 7.14 complies with this assumption.

Table 7.14. Average time complexities and average success probabilities of the attacks on up to 14 rounds, for several values of s and n

s   n   k     Average time complexity   Average success probability
1   4   224   2^{223}                   1 − 2^{-33}
2   4   192   2^{191}                   1 − 2^{-65}
3   3   160   2^{159}                   1 − 2^{-33}
4   3   128   2^{127}                   1 − 2^{-65}

7.4.3 Attack on 16-Round GOST

We begin with the observation that in rounds 17–32 of GOST, subkey K7 is used consecutively, in rounds 24 and 25. Additionally, this subkey is not used in any of the other 14 rounds. Therefore, we use the exact same attack technique as in Sect. 7.3.4 and provide only the results of our analysis here.

If n denotes the number of plaintext-ciphertext pairs required to mount the meet-in-the-middle attack, we require that n ≥ 5 for the Taylor approximations to hold. When n = 5, the average success probability is 1 − 2^{-65} and the average number of 16-round computations is 2^{223.00}.

Our attack assumes that the S-boxes are bijective. Note, however, that a similarattack works for non-bijective S-boxes, but then the computations of the timecomplexity and success probability become more involved.

It is to be noted that in this 16-round attack, as in Sect. 7.3.4, the subkeys in rounds 24 and 25 are distributed uniformly at random if the texts at the beginning of round 24 (obtained from encryption) and at the end of round 25 (obtained from decryption) are. The proof is very similar to that furnished in Appendix E.2 for XTEA.

7.4.4 Attack on 22-Round GOST

When Ly (resp. Ry) is computed by decrypting the ciphertext till round y, we denote it differently as L′y (resp. R′y). From (7.22), we observe that the subkey K0 is used only once in the block cipher consisting of rounds 10–31 of GOST. Therefore, here the attacker first checks for the equality of R16 and R′16. These are obtained by respectively computing $E^{(10\ldots16)}_K(p_0)$ and $D^{(18\ldots31)}_K(c_0)$, where K = (X, K1, K2, K3, K4, K5, K6, K7) and X is any 32-bit value (since subkey K0 is not necessary to perform these partial encryptions and decryptions).

If R16 = R′16 (this happens with probability 2^−32 for a wrong key guess), the corresponding value of K0 (= α17) is obtained using:

$\alpha_{17} = S^{-1}\big((R_{17} \oplus L_{16}) \gg 11\big) \boxminus R_{16}$ .   (7.23)

The attacker uses the n − 1 KPs (pj, cj) subsequently to check $E^{(10\ldots31)}_K(p_j) = c_j$ with the value obtained for K0. For every j, where j is at most n − 1, this equation is satisfied with probability 2^−64 for a wrong key guess.

Using similar formulae as in Sect. 7.3.4, we find an average time complexity of 2^223.00 for a success probability of 1 − 2^−65. A similar attack can be mounted on other reduced-round block ciphers, each with less than 22 GOST rounds (e.g., rounds 11–31), where a particular subkey is used only once. Again, attacks similar to those in this section can be applied to the respective block ciphers even if the S-boxes are not bijective.

7.5 Worst- and Average-Case Analyses: A Comparison

In our analysis of DES, we computed the worst-case time complexities and worst-case success probabilities of our attacks, using the fact that the S-boxes are balanced. However, for XTEA and GOST we performed average-case computations assuming very good confusion and diffusion properties for every reduced-round block cipher considered. The main reason for the worst-case computations for DES is that Chaum and Evertse also did the same in [44]. We performed average-case analysis for the other ciphers because (a) our attacks were the first meet-in-the-middle attacks on these ciphers, and (b) probability computations could be easily performed without making several approximations. In worst-case probability computations, one typically encounters approximations such as neglecting small reductions in the event/sample space. However, an advantage of worst-case computation is that the success rate of the attack behaves relatively linearly with the total number of equivalent encryptions performed.

7.6 Countermeasures

The attacks on XTEA and XETA are possible because a particular subkey Ki is often not used for a large number of rounds. To prevent the attacks we propose to use each of the subkeys K0, K1, K2, K3 once every four rounds, in a random order. This countermeasure does not prevent trivial meet-in-the-middle attacks on 6 rounds. Note that the subkeys cannot repeat in a cyclic manner, as we want to avoid the possibility of slide attacks.


The simple KSA of GOST makes it vulnerable not only to the meet-in-the-middle attacks described in this chapter, but also to other attacks in the literature (e.g., slide and related-key attacks). Therefore, it seems to us that the best countermeasure for GOST is to provide a stronger KSA.

In the case of DES, the KSA is more complex than that of GOST, XTEA or XETA. While a fix for DES seems useless considering its small key size, changing the S-boxes may be a solution that present and potential users of DES-based constructions would want to consider. It would not be immediately possible to prescribe a countermeasure for DES assuming it supported long (say, 128-bit) keys – in such a case, its KSA would be different.
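To make the schedule observations of Sects. 7.4.3 and 7.4.4 and the countermeasure above concrete, the following added Python script (not part of the thesis) audits a key schedule for subkeys that are used at most once, or only in adjacent rounds, within a window of rounds; it uses the published XTEA and GOST subkey orders. The function follows_countermeasure encodes my reading of the rule proposed above (each of the four subkeys exactly once in every aligned block of four rounds, and the whole sequence not a repetition of a shorter block), which is an assumption.

```python
# Added example, not from the thesis: key-schedule audit for the subkey-usage
# pattern that the meet-in-the-middle attacks of Chapter 7 rely on.
from typing import Callable, Dict, List

DELTA = 0x9E3779B9          # XTEA round constant
MASK32 = 0xFFFFFFFF


def xtea_subkey_index(r: int) -> int:
    """Index (0..3) of the subkey used in XTEA Feistel round r (1..64).
    Round 2j-1 uses K[sum & 3] with sum = (j-1)*delta; round 2j uses
    K[(sum >> 11) & 3] with sum = j*delta (the reference XTEA schedule)."""
    j = (r + 1) // 2
    if r % 2 == 1:
        return (((j - 1) * DELTA) & MASK32) & 3
    return (((j * DELTA) & MASK32) >> 11) & 3


def gost_subkey_index(r: int) -> int:
    """Index (0..7) of the subkey used in GOST round r (1..32):
    K0..K7 three times, then K7..K0 in rounds 25-32."""
    return (r - 1) % 8 if r <= 24 else 32 - r


def subkey_usage(schedule: Callable[[int], int], first: int, last: int,
                 nkeys: int) -> Dict[int, List[int]]:
    """Map each subkey index to the rounds in first..last that use it."""
    usage: Dict[int, List[int]] = {k: [] for k in range(nkeys)}
    for r in range(first, last + 1):
        usage[schedule(r)].append(r)
    return usage


def rarely_used_subkeys(schedule, first, last, nkeys, max_uses=1):
    """Subkeys used at most max_uses times in the reduced-round cipher made of
    rounds first..last; a subkey used once is what Sect. 7.4.4 exploits."""
    return {k: rs for k, rs in subkey_usage(schedule, first, last, nkeys).items()
            if len(rs) <= max_uses}


def consecutive_uses(schedule, first, last, nkeys):
    """Subkeys whose uses in first..last all fall in adjacent rounds
    (Sect. 7.4.3: K7 only in GOST rounds 24 and 25 of the 17-32 window)."""
    out = {}
    for k, rs in subkey_usage(schedule, first, last, nkeys).items():
        if rs and all(b - a == 1 for a, b in zip(rs, rs[1:])):
            out[k] = rs
    return out


def follows_countermeasure(indices: List[int], nkeys: int = 4) -> bool:
    """My reading of the Sect. 7.6 proposal (an assumption): every aligned block
    of nkeys rounds uses each subkey exactly once, in any order, and the whole
    sequence is not a repetition of a shorter block (cyclic schedules invite
    slide attacks)."""
    n = len(indices)
    if n == 0 or n % nkeys:
        return False
    if any(sorted(indices[i:i + nkeys]) != list(range(nkeys))
           for i in range(0, n, nkeys)):
        return False
    return not any(n % p == 0 and indices == indices[:p] * (n // p)
                   for p in range(1, n))


if __name__ == "__main__":
    print("GOST rounds 10-31, subkeys used once:", rarely_used_subkeys(gost_subkey_index, 10, 31, 8))
    print("GOST rounds 17-32, adjacent-only subkeys:", consecutive_uses(gost_subkey_index, 17, 32, 8))
    print("XTEA rounds 2-16, adjacent-only subkeys:", consecutive_uses(xtea_subkey_index, 2, 16, 4))
    print("cyclic 4-round schedule accepted?", follows_countermeasure([0, 1, 2, 3] * 4))
```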

7.7 Conclusions and Open Problems

In this chapter, we presented meet-in-the-middle attacks on well-known Feistel constructions, namely DES, XTEA and GOST. Our attacks break up to 6 rounds of DES, 23 rounds of XTEA and 22 rounds of GOST. If the attacker has only a few plaintext-ciphertext pairs (e.g., less than 19 KPs), then our results on 6-round DES, 23-round XTEA and 22-round GOST may be seen as the best (going by the number of rounds) in the standard setting in the literature.

Another highlight of this chapter is the description of two novel approaches to meet-in-the-middle attacks. In the first one, which we use against DES, the attacker guesses fewer key bits in exchange for intermediate encryption values. In the second approach, the 'meet' in the middle corresponds to round keys in place of intermediate texts.

We also showed that our attacks on XTEA could be applied to a close variant called XETA; we are unaware of any other published cryptanalysis results on XETA. Finally, we suggested countermeasures for XTEA, XETA and GOST.

Our research leaves room for alluring open problems. It can be seen from Tables 7.5, 7.6 and 7.7 that Chaum and Evertse have considered bits of the key K that do not appear in the first columns of these tables; we have considered bits of K that appear only once (and sometimes twice) in the first columns. Hence, a natural extension will be to experiment with bits which appear more frequently in the first columns of these tables. This technique could be tried on DES with a higher number of rounds. Another extension of the attacks described in this chapter follows a suggestion in [44] by which one may try to change the tables defining the S-boxes. By either of these methods, it could be possible to cryptanalyse DES variants consisting of 8 or more rounds. It is also interesting to see whether these techniques could be used to extend our attacks on GOST to more than 22 rounds.

In the case of XTEA, when constructing the 23-round attack in Sect. 7.3.5, we found that for any number of inner rounds (where all subkeys can be used) up to 16, there is no corresponding attack on more than 23 rounds. However, if the number of inner rounds can be increased to 17, this leads to a 29-round attack.


All such 29-round attacks are listed in Table 7.15. We present the cryptanalysis of these 29-round XTEA block ciphers as an open problem.

Table 7.15. All reduced-round XTEA block ciphers for which a 29-round attack consists of 17 inner rounds

  Total rounds   Inner rounds   Subkey containing unused key bits
  11–39          27–33          K0
  15–43          21–37          K2
  29–57          35–51          K1
  33–61          40–56          K3

An interesting observation from an anonymous reviewer is that there is also a 15-round attack, on rounds 2–16 of XTEA. In this case, subkey K0 is used consecutively in the inner rounds 8, 9 and 10, but not elsewhere. By exhaustively searching over K1, K2, K3 and six of the LSBs of K0, we can perform the same meet-in-the-middle attack that is described in Sect. 7.3.5. However, this attack has a higher time and data complexity than the other 15-round attacks of Sect. 7.3.4, for a success probability comparable to 1 − 2^−65.


Algorithm 7.1 Recovering the key of the 23-round XTEA block cipher consisting of rounds 16–38; an average 2^117.00 (equivalent) encryptions and 18 KPs are required for an average success probability of 1 − 2^−1025

Require: m KPs p0, ..., p(m−1) and the corresponding ciphertexts c0, ..., c(m−1)
Ensure: The output key K (of length k bits) is the correct key with probability $2^{m+63\ell-k}\,\big(1 - e^{-2^{k-m-63\ell}}\big)$, where ℓ is chosen such that ℓ ≤ m

    global p⋆0, ..., p⋆(m−1), c⋆0, ..., c⋆(m−1)
    function test_key_1(K)
        for n ← 0, ..., m − 1 do
            p⋆n ← E^(16...21)_K(pn)
            c⋆n ← D^(33...38)_K(cn)
            (L27, R27) ← E^(22...27)_K(p⋆n)
            (L′27, R′27) ← D^(28...32)_K(c⋆n)
            if L27[0] ≠ L′27[0] then          -- the partial encryption and decryption must meet in the LSB
                return false
            end if
        end for
        return true
    end function
    function test_key_2(K)
        for n ← 0, ..., ℓ − 1 do
            (L27, R27) ← E^(22...27)_K(p⋆n)
            (L′27, R′27) ← D^(28...32)_K(c⋆n)
            if L27 ≠ L′27 or R27 ≠ R′27 then   -- full-word match on the first ℓ pairs
                return false
            end if
        end for
        return true
    end function
    for (K0, K1, K2) ← (0 ... 2^32 − 1, 0 ... 2^32 − 1, 0 ... 2^32 − 1) do
        for K3[20 ... 0] ← 0 ... 2^21 − 1 do
            K ← (K0, K1, K2, 0^11 ∥ K3[20 ... 0])†
            if test_key_1(K) then
                for K3[31 ... 21] ← 0 ... 2^11 − 1 do
                    if test_key_2(K) then
                        output K and halt
                    end if
                end for
            end if
        end for
    end for

† Since the 11 bits K3[31 ... 21] do not affect L27[0] or L′27[0], one can have any value β from the set {1, ..., 2^11 − 1} in place of 0^11. We have used 0^11 for ease of understanding how the attack works.


Part VI

Cryptanalysis of Cryptographic Hash Functions


Chapter 8

Cryptanalysis of the ESSENCE Family of Hash Functions

8.1 Introduction

The ESSENCE family of CHFs, designed by Martin [134], was a Round 1 candidate in the SHA-3 competition. It is a family of block cipher-based CHFs using the Merkle-Damgård mode of operation. The ESSENCE family uses simple algorithms that are easily parallelisable and well-established mathematical principles. ESSENCE comes with a proof of security against linear and differential cryptanalysis that, until this work, remained unchallenged.

In this chapter, we first describe several undesired properties of the ESSENCE L function. These can be used to build a semi-free-start collision attack [142, pp. 371–372] on 31 out of 32 rounds of the ESSENCE-512 compression function using a differential characteristic. This directly invalidates the design claim that 24 rounds of ESSENCE make it resistant to differential cryptanalysis [134]. To build our attack, we describe a novel technique to satisfy the conditions imposed by the characteristic in the first nine rounds. We do not know of a similar technique in the existing literature.

Then, we find that the ESSENCE compression functions use a nonlinear feedback function F that is unbalanced. We first exploit this to build efficient distinguishers on 14-round versions of the ESSENCE block ciphers as well as the compression functions. These distinguishers require only 2^17 output bits. We then show how to use these results to recover the key with a few KPs and a computational effort less than that of exhaustive search. We also show that, under some circumstances, the attacks on 14-round ESSENCE could be extended to the full 32-round block cipher and compression function.

Following this, we observe that the omission of round constants in ESSENCE leads to several attacks that cannot be prevented by increasing the number of rounds. Slide attacks can be applied to any number of rounds of the ESSENCE compression function. We also find fixed points for any number of rounds of the ESSENCE block ciphers, each leading to a compression function output of zero.

ESSENCE was not qualified for the second round of the SHA-3 competition; however, its appealing features (like design simplicity and hardware efficiency) make any effort on tweaking it appear worthwhile. Therefore, in this chapter, we also suggest some countermeasures to thwart the aforesaid attacks.

In later work, Naya-Plasencia et al. [155] present different results on ESSENCE. Our work presents not only differential cryptanalysis but also distinguishing attacks and slide attacks. Furthermore, some of our techniques can easily be generalised to other block ciphers and CHFs.

8.2 Description of the Compression Functions of ESSENCE

The inputs to an ESSENCE compression function are an eight-word chaining value and an eight-word message block. Each word is 32 bits (resp. 64 bits) in length for ESSENCE-224/256 (resp. ESSENCE-384/512). Each compression function uses a permutation E, which in turn uses a nonlinear feedback function F, a linear transformation L, some XORs and word shifts.

The message block m = (m0, ..., m7) forms the initial value of an eight-word state k = (k0, ..., k7). In the case of the block cipher, m is the key k = (k0, ..., k7). Similarly, the chaining value c = (c0, ..., c7) is the initial value of an eight-word state r = (r0, ..., r7). In the case of the block cipher, c is the plaintext. Both states are iterated N times. The designer recommends N to be a multiple of 8, N ≥ 24 for resistance to differential and linear cryptanalysis and N = 32 as a measure of caution [134]. Figure 8.1 illustrates one round of ESSENCE. The compression function uses a Davies-Meyer feed-forward (see Figure 8.2). That is, at the end of N rounds, the value r7||r6||r5||r4||r3||r2||r1||r0 is XORed with the initial chaining value. The result is the r7||r6||r5||r4||r3||r2||r1||r0 for the next iteration.

[Figure 8.1. One round of ESSENCE; each rn and kn (n = 0, ..., 7) is a 32- or 64-bit word. The figure shows the two eight-word shift registers r7 ... r0 and k7 ... k0, each with its F and L feedback; the drawing itself is not reproduced here.]


[Figure 8.2. The compression function of ESSENCE; E is the round function of ESSENCE when iterated N times, k denotes the message block, r_ini denotes the initial value of r7||r6||r5||r4||r3||r2||r1||r0 and r_fin denotes the value of r for the next iteration. The drawing itself is not reproduced here.]

8.2.1 The Feedback Function F

The nonlinear feedback function, F, of ESSENCE-224/256 (resp. ESSENCE-384/512) takes seven 32-bit (resp. 64-bit) input words and outputs a single 32-bit (resp. 64-bit) word as follows:

$$
\begin{aligned}
F(a,b,c,d,e,f,g) ={}& abcdefg + abcdef + abcefg + acdefg + {}\\
& abceg + abdef + abdeg + abefg + {}\\
& acdef + acdfg + acefg + adefg + {}\\
& bcdfg + bdefg + cdefg + {}\\
& abcf + abcg + abdg + acdf + adef + {}\\
& adeg + adfg + bcde + bceg + bdeg + cdef + {}\\
& abc + abe + abf + abg + acg + adf + {}\\
& adg + aef + aeg + bcf + bcg + bde + {}\\
& bdf + beg + bfg + cde + cdf + def + {}\\
& deg + dfg + {}\\
& ad + ae + bc + bd + cd + {}\\
& ce + df + dg + ef + fg + {}\\
& a + b + c + f + 1 \,, \qquad (8.1)
\end{aligned}
$$


where the multiplication and addition are taken in F2 (i.e., they are the same as bitwise AND and bitwise XOR, respectively).

8.3 Branch Number of the L Function

The L function of ESSENCE is a linear transformation from 32 (or 64) bits to 32 (resp. 64) bits and it is the only component that causes diffusion between the different bit positions of a word. Therefore, its properties are very important for both linear and differential cryptanalysis.

In this section, we focus on the branch number [49] of the L function for both linear and differential cryptanalysis. The branch number for differential cryptanalysis can be defined as the minimum number of non-zero input and output differences for the L function. These branch numbers are 10 and 16 for the 32-bit and 64-bit L functions respectively. If we were to consider only one-bit differences at either the input or the output of L, these numbers would be 14 and 27 respectively.

The branch number for linear cryptanalysis can be defined as the minimum number of non-zero terms in a linear equation relating the input and output bits of the L function. These branch numbers are 10 and 17 for the 32-bit and 64-bit L function respectively. Considering linear relations that involve only one bit at the input or one bit at the output, we would find branch numbers of 12 and 26 respectively.

Although one-bit differences are spread out well by the L function, this is clearly not the case for differences in multiple bits. This problem is most severe with the 64-bit L function. In the next section, we will show how this property can be used to build narrow trails for all digest sizes of ESSENCE.

8.4 A 31-Round Semi-Free-Start Collision Attack For ESSENCE-512

In this section, we will focus only on ESSENCE-512 for the sake of brevity and clarity. As the strategy is not specific to any particular digest size, these results can easily be generalised to all digest sizes of ESSENCE.

Although the ESSENCE L function spreads out one-bit differences very well, as mentioned in the previous section, this is not the case for differences in multiple bits. We therefore propose to use the differential characteristic of Table 8.1 to obtain 31-round semi-free-start collisions for ESSENCE-512.

To construct narrow trails, we use the non-zero difference A with the lowest possible Hamming weight. For this difference, we impose the condition (¬A) ∧ L(A) = 0, where ¬ represents the negation operation and all logical operations are to be performed bitwise. This can be formulated as follows. If there is a difference at the output of the L function at a particular bit position, there must be a difference at the input of L at this bit position as well. This requirement is necessary, as the F function can absorb or propagate an input difference at the output, but if no input difference is present, then there won't be an output difference either at this particular bit position. This places a restriction on the output difference of the L function for this bit position.

There exist exactly 8 differences A with a weight of 17, and lower-weight differences A do not exist. These differences are available in Appendix F.1, along with a method to calculate them efficiently.

The last two columns of Table 8.1 provide an estimate of the probability that the characteristic is satisfied for every round. For these, we have assumed that the F function propagates or absorbs an input difference with equal probability. A more accurate calculation of these probabilities takes into account that the shift register causes input values of the F function to be reused.

We find that this probability is different for bit positions where A and L(A) both contain a difference, and for bit positions where only A contains a difference. As such, of all differences A with weight 17, we select the difference that has the highest weight of L(A). Five such differences exist, and we arbitrarily select the difference with the smallest absolute value, A = 0A001021903036C3. The corresponding L(A) = 0200100180301283 has weight 11. As such, we find that rounds 10 to 16 of the KSA of the underlying block cipher (hereafter called simply 'KSA'), and rounds 18 to 24 of the compression function, each have a probability of 2^(−8.415·6 − 8·11) = 2^−138.49. For rounds 18 to 23 of the KSA, we find a probability of 2^(−7.193·6 − 7·11) = 2^−120.16.

To find semi-free-start collisions, we first search for a message pair that satisfies the key expansion characteristic, and then afterwards search for a chaining value pair that satisfies the compression function characteristic. These two searches can be decoupled, as the chaining value does not influence the KSA. As such, the probabilities for the message pairs and IV pairs can be summed up instead of multiplied.

As will be shown in the next section, only two round function calls are required to find a message (or IV) that satisfies the first nine rounds of the key expansion (or compression function). To find a pair of messages (or IVs) that satisfy the differential characteristic, we use the same depth-first search algorithm that was introduced for SHA-1 in [41]. The memory requirements of this search algorithm are negligible. We assume that the cost of visiting a node in this search tree is equivalent to one round function call, or 2^−5 compression function calls. The complexity calculation of [41] then shows that a 31-round semi-free-start collision can be found using the characteristic of Table 8.1 after 2^(138.49+120.16+1−5) + 2^(138.49+1−5) = 2^254.65 equivalent compression function calls. This is faster than a generic birthday attack, which requires about 2^256 compression function evaluations.


Table 8.1. A 31-round semi-free-start collision differential characteristic for the ESSENCE-512 compression function; differences from R to Y are arbitrary, 0 represents the zero difference, A = 0A001021903036C3

  Round | Register r       | Register k       | Pr for CV | Pr for m
  ------+------------------+------------------+-----------+---------
   0    | 0 0 0 0 0 0 0 0  | A 0 0 0 0 0 0 0  | 1         | 1
   1    | 0 0 0 0 0 0 0 A  | 0 0 0 0 0 0 0 A  | 1         | 1
   2    | 0 0 0 0 0 0 A 0  | 0 0 0 0 0 0 A 0  | 2^−17     | 2^−17
   3    | 0 0 0 0 0 A 0 0  | 0 0 0 0 0 A 0 0  | 2^−17     | 2^−17
   4    | 0 0 0 0 A 0 0 0  | 0 0 0 0 A 0 0 0  | 2^−17     | 2^−17
   5    | 0 0 0 A 0 0 0 0  | 0 0 0 A 0 0 0 0  | 2^−17     | 2^−17
   6    | 0 0 A 0 0 0 0 0  | 0 0 A 0 0 0 0 0  | 2^−17     | 2^−17
   7    | 0 A 0 0 0 0 0 0  | 0 A 0 0 0 0 0 0  | 2^−17     | 2^−17
   8    | A 0 0 0 0 0 0 0  | A 0 0 0 0 0 0 0  | 2^−17     | 2^−17
   9    | 0 0 0 0 0 0 0 0  | 0 0 0 0 0 0 0 A  | 1         | 1
  10    | 0 0 0 0 0 0 0 0  | 0 0 0 0 0 0 A 0  | 1         | 2^−17
  11    | 0 0 0 0 0 0 0 0  | 0 0 0 0 0 A 0 0  | 1         | 2^−17
  12    | 0 0 0 0 0 0 0 0  | 0 0 0 0 A 0 0 0  | 1         | 2^−17
  13    | 0 0 0 0 0 0 0 0  | 0 0 0 A 0 0 0 0  | 1         | 2^−17
  14    | 0 0 0 0 0 0 0 0  | 0 0 A 0 0 0 0 0  | 1         | 2^−17
  15    | 0 0 0 0 0 0 0 0  | 0 A 0 0 0 0 0 0  | 1         | 2^−17
  16    | 0 0 0 0 0 0 0 0  | A 0 0 0 0 0 0 0  | 1         | 2^−17
  17    | 0 0 0 0 0 0 0 A  | 0 0 0 0 0 0 0 A  | 1         | 1
  18    | 0 0 0 0 0 0 A 0  | 0 0 0 0 0 0 A 0  | 2^−17     | 2^−17
  19    | 0 0 0 0 0 A 0 0  | 0 0 0 0 0 A 0 0  | 2^−17     | 2^−17
  20    | 0 0 0 0 A 0 0 0  | 0 0 0 0 A 0 0 0  | 2^−17     | 2^−17
  21    | 0 0 0 A 0 0 0 0  | 0 0 0 A 0 0 0 0  | 2^−17     | 2^−17
  22    | 0 0 A 0 0 0 0 0  | 0 0 A 0 0 0 0 0  | 2^−17     | 2^−17
  23    | 0 A 0 0 0 0 0 0  | 0 A 0 0 0 0 0 0  | 2^−17     | 2^−17
  24    | A 0 0 0 0 0 0 0  | A 0 0 0 0 0 0 R  | 2^−17     | 1
  25    | 0 0 0 0 0 0 0 0  | 0 0 0 0 0 0 R S  | 1         | 1
  26    | 0 0 0 0 0 0 0 0  | 0 0 0 0 0 R S T  | 1         | 1
  27    | 0 0 0 0 0 0 0 0  | 0 0 0 0 R S T U  | 1         | 1
  28    | 0 0 0 0 0 0 0 0  | 0 0 0 R S T U V  | 1         | 1
  29    | 0 0 0 0 0 0 0 0  | 0 0 R S T U V W  | 1         | 1
  30    | 0 0 0 0 0 0 0 0  | 0 R S T U V W X  | 1         | 1
  31    | 0 0 0 0 0 0 0 0  | R S T U V W X Y  | 1         | 1


8.5 Finding Message Pairs for the First Nine Rounds

To find messages that satisfy the first few rounds of the characteristic, single-message modification [227] cannot be used. This is because the entire message is loaded into the r-registers before the round function is applied, instead of injecting one message word every round. We therefore propose to use another technique, which turns out to be even more efficient than single-message modification. This concept is explained for the KSA only, as it is completely analogous for the compression function.

In this section, we will adopt a stream-based notation for the round function. Denote the initial eight-word state (k7, k6, k5, k4, k3, k2, k1, k0) as (x−2, x−1, x0, x1, x2, x3, x4, x5). After clocking the register once (one round), the value of the register k0 is represented by x6, and so on. In this text, we will not make a distinction between linear and affine equations, and use the term 'linear equation' for any equation that contains no monomials of degree more than one.

Finding a pair of messages that satisfy the characteristic can be seen as solving a set of nonlinear equations defined by the round function. Solving a set of nonlinear equations is a difficult problem in general. This is even more the case as we are not looking for a single solution, but for a very large set of solutions.

What we can do, however, is impose linear conditions on the variables x0 to x12, in such a way that the round function behaves as a linear function. We then obtain a set of linear equations, of which every solution corresponds to a message pair that follows the first nine rounds of the characteristic. Enumerating the solutions of this linear space has a negligible computation cost compared to a round function evaluation.

For every solution, we have to apply the round function twice to obtain x13 and x14. These are guaranteed to follow the characteristic as well. They serve as a starting point to satisfy the conditions of the remaining characteristic in a probabilistic way. After reaching round 31, we can calculate x−2 and x−1 by applying two inverse round functions. These values will always satisfy the characteristic.

Let A[j] denote the jth significant bit (j = 0 denotes the LSB) of A. The only nonlinear function of ESSENCE is the F function. As the F function operates on every bit in parallel, the linear conditions that have to be added depend on the values A[j] and L(A)[j] at every bit position j. The equations we use are given in Appendix F.2. Note that for bit positions j where A[j] = 0, it is not a problem if x0[j] or x12[j] are represented by a nonlinear expression, as these bits are not involved in any of the linear conditions anyway.

As the equations in Appendix F.2 show, we need to add 10 equations for every bit position j where A[j] = 1, and 6 equations if A[j] = 0. Also, to represent the 64-bit values x8 to x12 resulting from the round function, we need to add 5 · 64 additional equations for the outputs of the round function. In total, we obtain a set of 10 · 17 + 6 · (64 − 17) + 5 · 64 = 772 linear equations in 13 · 64 = 832 binary variables.


We build this system of equations by successively adding 10 + 5 = 15 or 6 + 5 = 11 more equations for every bit position j. With some small probability, the system of equations becomes inconsistent. If this happens, we add a different set of linear equations for this bit position. Even this may fail with some probability, in which case we add a linearisation of the F function using 7 + 5 instead of 6 + 5 equations for this particular bit position. This may or may not decrease the number of solutions slightly, but it allows us to avoid backtracking.

For one particular run, using only the equations mentioned in Appendix F.3, we find a consistent system of 772 linear equations in 832 binary variables. The number of linearly independent equations turns out to be 771. As such, we have found 2^(832−771)/2 = 2^60 pairs of messages that satisfy the first 9 rounds. We divide by two to avoid counting the same pair twice. If more than 2^60 pairs of messages are needed, we can simply run this program again to find the next set of messages. As including these 771 equations would use up a lot of space, we give only one of the 2^60 message pairs in Table F.5.

This technique is very similar to the techniques of multi-message modification [227], tunneling [113], neutral bits [23] and the amplified boomerang attack [105]. These 2^60 messages correspond to 60 auxiliary differential paths for the amplified boomerang attack. No results are known to us where these auxiliary differential paths were also obtained in a fully automated way.

8.6 Distinguishing Attacks

Our motivational observation is that the nonlinear feedback function F is unbalanced. Exploiting this, we first construct distinguishers on 14-round ESSENCE (for the block ciphers and the compression functions) and then for the full 32-round ESSENCE. Towards the end of this section, we present key recovery attacks on the ESSENCE family of block ciphers. These attacks can be seen as an immediate consequence of our distinguishing attacks.

8.6.1 Weakness in the Feedback Function of ESSENCE

In [134], the designer notes that the security of the algorithms is heavily dependent on F (see Sect. 8.2.1), as it is the only nonlinear function in ESSENCE. This gave us some motivation to study the properties of F. The function F takes seven 32-bit or 64-bit words (say, a, ..., g) as inputs and produces a 32-bit or 64-bit word as the output. The function works in a bitsliced manner.

Let F(a, b, c, d, e, f, g)[j] denote the jth significant bit (j = 0 denotes the LSB) of F(a, b, c, d, e, f, g). Our motivational observation is the following (confirmed both experimentally and from the tables in Appendix D of [134]).

Observation 8.1. If a, ..., g are uniformly distributed, then

$\Pr\big(F(a, b, c, d, e, f, g)[j] = 0\big) = \frac{1}{2} + \frac{1}{2^7}$ .   (8.2)


8.6.2 Distinguishers on 14-Round ESSENCE

In this section, we use Observation 8.1 to build distinguishers on 14 rounds of ESSENCE. First, we consider the block ciphers, then the compression functions.

Let kn[j], rn[j] and L(rn)[j] respectively denote the jth significant bits (j = 0 denotes the LSB) of kn, rn and L(rn). In the beginning, suppose the key k and the initial value r are such that k0[0] = r0[0]. Then, after 7 rounds, k7[0] = r7[0]. Now, if after the 7th round, L(r0)[0] = 0 and F(r6, r5, r4, r3, r2, r1, r0)[0] = 0 (from Observation 8.1, this occurs with probability 0.5 + 2^−7,¹) then after the 8th round we will have r0[0] = 0. Note that the condition L(r0)[0] = 0 after the 7th round is the same as the condition L(r1)[0] = 0 after the 8th round. Therefore, when the key and the plaintext are initially related in the form k0[0] = r0[0], and when the outputs after 8 rounds satisfy the condition L(r1)[0] = 0 (this occurs with probability 1/2), then Pr(r0[0] = 0) = 1/2 + 2^−7. Now, r0 and r1 after the 8th round are respectively equal to r6 and r7 after the 14th round. Hence, when the key and the plaintext are related in the form k0[0] = r0[0], and when the outputs after 14 rounds satisfy the condition L(r7)[0] = 0, then

$\Pr(r_6[0] = 0) = \frac{1}{2} + \frac{1}{2^7}$ .   (8.3)

8.6.3 The Distinguisher

Our distinguisher on ESSENCE is constructed by collecting $n$ outputs $r_6[0]$, after 14 rounds, generated by as many keys (so that the $n$ samples are independent) such that $k_0[0] = r_0[0]$ initially. Let $D_0$ and $D_1$ denote the distributions of the outputs from a 14-round ESSENCE block cipher and a random permutation, respectively. Given $L(r_7)[0] = 0$, let $p_0$ and $p_1$ respectively denote the probability that $r_6[0] = 0$ holds given the outputs are collected from 14-round ESSENCE and the probability that $r_6[0] = 0$ holds given the outputs are generated by a random source. That is, $p_0 = 1/2 + 2^{-7}$ (from (8.3)) and $p_1 = 1/2$. Then, $\mu_0 = n \cdot p_0$ and $\mu_1 = n \cdot p_1$ are the respective means of $D_0$ and $D_1$. Similarly, $\sigma_0 = \sqrt{n \cdot p_0 \cdot (1 - p_0)}$ and $\sigma_1 = \sqrt{n \cdot p_1 \cdot (1 - p_1)}$ denote the respective standard deviations of $D_0$ and $D_1$. When $n$ is large, we know that each of these binomial distributions can be approximated with the normal distribution. Given this, as seen earlier in Sect. 5.5, if $|\mu_0 - \mu_1| > 2(\sigma_0 + \sigma_1)$, i.e., $n > 2^{16}$, the output of the cipher can be distinguished from a random permutation with a success probability of 0.9772 (since the cumulative distribution function of the normal distribution gives the value 0.9772 at $\mu + 2\sigma$) provided $L(r_7)[0] = 0$. To determine whether $n$ is large enough for the normal approximation to the binomial distribution to hold, we check if $n \cdot p > 5$ and $n \cdot (1 - p) > 5$, where $p \in \{p_0, p_1\}$. A simple calculation proves that both these inequalities hold when $n = 2^{16}$. Since the condition $L(r_7)[0] = 0$ holds with 0.5 probability, we need to generate $2 \cdot 2^{16} = 2^{17}$ samples of $r_6[0]$ from as many keys (such that $k_0[0] = r_0[0]$ initially) to build the distinguisher with a success probability of 0.9772. Our simulations support this result.

¹ The bit $L(r_0)[0]$ is the XOR-sum of $r_0[0]$ and several other bits of $r_0$. We assume that all $r_0[j]$ are independent and uniformly distributed. Then the condition $L(r_0)[0] = 0$ does not affect $\Pr(r_0[0] = 0)$ and therefore the bias in $\Pr(F(r_6, r_5, r_4, r_3, r_2, r_1, r_0)[0] = 0)$ is also unaffected.
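The sample-size argument above, as an added worked example that is not part of the thesis: the functions below apply the rule $|\mu_0 - \mu_1| > 2(\sigma_0 + \sigma_1)$ and the $n \cdot p > 5$ check to $p_0 = 1/2 + 2^{-7}$, and then run the distinguisher on constructed data, with a biased bit source standing in for the cipher's $r_6[0]$ and a fair source for the random permutation. No ESSENCE code is involved; the Python names are ours.

```python
import math
import random

BIAS_P0 = 0.5 + 2 ** -7  # zero-probability of r6[0] from (8.3)


def distinguishable(n, p0, p1=0.5):
    """Decision rule of Sect. 8.6.3: with n samples, the binomial distributions
    D0 (cipher, zero-probability p0) and D1 (random source, p1) are treated as
    distinguishable when the gap between their means exceeds twice the sum of
    their standard deviations."""
    mu0, mu1 = n * p0, n * p1
    sigma0 = math.sqrt(n * p0 * (1 - p0))
    sigma1 = math.sqrt(n * p1 * (1 - p1))
    return abs(mu0 - mu1) > 2 * (sigma0 + sigma1)


def normal_approximation_ok(n, p):
    """Sanity check used in the text: n*p > 5 and n*(1-p) > 5."""
    return n * p > 5 and n * (1 - p) > 5


def smallest_n(p0, p1=0.5):
    """Smallest n for which distinguishable() holds. Solving the inequality for
    sqrt(n) gives a closed-form starting point; the loop absorbs rounding."""
    s = 2 * (math.sqrt(p0 * (1 - p0)) + math.sqrt(p1 * (1 - p1))) / abs(p0 - p1)
    n = int(s * s)
    while not distinguishable(n, p0, p1):
        n += 1
    return n


def samples_to_collect(p0, condition_probability=0.5):
    """Samples that must be generated in total when only the fraction
    `condition_probability` of them (those with L(r7)[0] = 0) is usable."""
    return math.ceil(smallest_n(p0) / condition_probability)


def simulate_distinguisher(n, p0, trials, seed=1):
    """Run the distinguisher on constructed data: a source emitting 0 with
    probability p0 models the cipher output, a fair source the random
    permutation. Decide 'cipher' when the zero count exceeds mu1 + 2*sigma1,
    which caps the false-positive rate at about 2.28 %. Returns the fraction
    of biased runs flagged and the fraction of fair runs cleared."""
    rng = random.Random(seed)
    threshold = n * 0.5 + 2 * math.sqrt(n * 0.25)

    def zero_count(p):
        return sum(1 for _ in range(n) if rng.random() < p)

    flagged = sum(zero_count(p0) > threshold for _ in range(trials)) / trials
    cleared = sum(zero_count(0.5) <= threshold for _ in range(trials)) / trials
    return flagged, cleared


if __name__ == "__main__":
    print("smallest n:", smallest_n(BIAS_P0), "(text: 2^16 =", 2 ** 16, ")")
    print("samples to collect:", samples_to_collect(BIAS_P0), "(text: 2^17)")
    print("simulated success rates:", simulate_distinguisher(2 ** 16, BIAS_P0, trials=30))
```

The threshold $\mu_1 + 2\sigma_1$ is what gives the 0.9772 figure: a fair source exceeds it with probability 0.0228, and since $\mu_0$ lies more than $2\sigma_0$ above it, the cipher falls below it with the same probability.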

8.6.4 Distinguishers using Biases in Other Bits

Since the function F operates on its input bits in a bitsliced manner, it is easy to see that the distinguisher presented for the LSB of $r_6$ also works for more significant bits. In other words, if initially $k_0[j] = r_0[j]$, for any $j$ in $\{0, \ldots, 31\}$, then with $2^{17}$ samples of $r_6[j]$ at the end of 14 rounds, it is possible to distinguish a 14-round ESSENCE block cipher from a random permutation with a success probability of 0.9772.

8.6.5 Distinguishers for the Compression Function

The ESSENCE compression functions are Davies-Meyer constructions in which the outputs of the corresponding block ciphers are respectively XORed with the initial chaining values. In other words, the output of each compression function is the XOR-sum of the values of r7||r6||r5||r4||r3||r2||r1||r0 before and after applying the permutation E. This XOR-sum is the chaining value r7||r6||r5||r4||r3||r2||r1||r0 for the next iteration. As we assume that an attacker can observe both the chaining value input and the compression function output, it is trivial to undo the Davies-Meyer feedforward and apply the distinguishers of the 14-round block cipher.

These observations are extended to 32-round ESSENCE in Appendix F.4.

8.6.6 Key Recovery Attacks

In this section, we show that the distinguishing attacks on the ESSENCE family of block ciphers can be developed into key recovery attacks.

Let us say that we have $n$ KPs. Considering that the plaintexts are initially loaded directly into the $r$-registers [135], we expect $n/2$ plaintexts to have $r_0[j] = 0$. Without loss of generality, let us consider this partition of the plaintext space where $r_0[j] = 0$. Now, from our analysis in Sect. 8.6.2, we can collect statistics on $L(r_7)[j] \oplus r_6[j]$ at the end of the 14 rounds and observe its tendency for sufficiently large $n$ — if $L(r_7)[j] \oplus r_6[j] = 0$ more often, then the key bit $k_0[j] = 0$; likewise, if $L(r_7)[j] \oplus r_6[j] = 1$ more often, then the key bit $k_0[j] = 1$ (the results are swapped if we begin with plaintexts in which $r_0[j] = 1$).

Using a similar analysis, we can recover the rest of the key bits in $k_0$. The number of KPs required is $2^{15}$. This is obtained as follows, using linear cryptanalysis [137]. We are interested in finding whether, after 14 rounds, the number of times that $L(r_7)[j] \oplus r_6[j] = 0$ holds is greater than $n/4$. Accordingly, we determine the key bit $k_0[j]$. From Sect. 1.5.2, we recall that the success probability of this method is 0.9772 when $n/2 = |p - 1/2|^{-2}$, where $p$ is the probability that $L(r_7)[j] \oplus r_6[j] = 0$ (or 1). Substituting $p = 1/2 \pm 2^{-7}$ in the above formula for $n$, we get: $n = 2^{15}$. It follows that the probability that this recovered key word ($k_0$) is correct is $(0.9772)^{32} \approx 0.48$. The other 224 bits of the key can be exhaustively searched. Thereby, we expect that $2^{224}/0.48 \approx 2^{225.1}$ keys have to be tested before the correct key is obtained with guaranteed success. This key recovery attack can also be applied on the block cipher of ESSENCE-224 (which is identical to the block cipher of ESSENCE-256) with the same complexities. For the block ciphers of ESSENCE-384/512, we require $2^{15}$ KPs and a computational effort equivalent to testing $2^{448}/(0.9772)^{64} \approx 2^{450.1}$ keys (where exhaustive search requires testing $2^{512}$ keys) for guaranteed success.

Table 8.2. Slid pairs for ESSENCE

c   00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
c′  FFFFFFFF 00000000 00000000 00000000 00000000 00000000 00000000 00000000
m   00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
m′  FFFFFFFF 00000000 00000000 00000000 00000000 00000000 00000000 00000000
r   6B202EF2 BB610A07 97E43146 9BD34AE3 C8BC7CBF B8EE4A3C B6118DC5 775F7BBF
r′  C07ABCFA 6B202EF2 BB610A07 97E43146 9BD34AE3 C8BC7CBF B8EE4A3C B6118DC5

These observations are extended to 32-round ESSENCE in Appendix F.5.

8.7 Slide Attacks

In this part of the study, we provide an efficient method to find two inputs $(c, m)$ and $(c', m')$ such that their outputs (after feed-forward) $r$ and $r'$ are shifted versions of each other; i.e., $r_i = r'_{i+1}$ for $0 \le i < 7$. The necessary conditions on $(c, m)$ and $(c', m')$ are:

1. $c_i = c'_{i+1}$ for $0 \le i \le 7$,

2. $c'_0 = m_7 \oplus c_7 \oplus F(c_6, \ldots, c_0) \oplus L(c_0)$,

3. $m_i = m'_{i+1}$ for $0 \le i \le 7$,

4. $m'_0 = m_7 \oplus F(m_6, \ldots, m_0) \oplus L(m_0)$.

If these conditions hold, then after 32 rounds (and XORing with the initial value), the output of any compression function in the ESSENCE family satisfies $r_i = r'_{i+1}$ for $0 \le i < 7$.

As an example, let $m_i = 0$ for all $i$. Then we must choose $m'_i = 0$ for all $i > 0$, and $m'_0 = 1_n$ where $1_n$ represents the 32-bit or 64-bit unsigned integer of which all bits are set. Let $c_i = 0$ for all $i$, let $c'_i = 0$ for all $i > 0$, and let $c'_0 = 1_n$. Then, the two outputs of the compression function (with N = 32) are given in Table 8.2.

For every choice of $(c, m)$, an input $(c', m')$ such that this property on the compression function outputs is obtained can be found in time equivalent to about one compression function evaluation. Hence, in total about $2^{512}$ pairs of inputs producing slid pairs can be found by the above method. This observation can easily be extended to slide the output by 2, 3, . . . , 7 steps.

Table 8.3. Slid pairs with identical chaining values

c, c′  243F6A88 243F6A88 243F6A88 243F6A88 243F6A88 243F6A88 243F6A88 243F6A88
m      00000000 00000000 00000000 00000000 00000000 00000000 00000000 F6B1EB63
m′     094E149C 00000000 00000000 00000000 00000000 00000000 00000000 00000000
r      BE31AA01 EB6E9F07 EAD99889 6FE79B44 391CCD35 67FDB8B6 FC3AA0F6 6E80148E
r′     F86D77C6 BE31AA01 EB6E9F07 EAD99889 6FE79B44 391CCD35 67FDB8B6 FC3AA0F6

8.7.1 Slid Pairs with Identical Chaining Values

It is also possible to find slid pairs with $c = c'$. Let the initial state of the register $r$ be of the form $(c_0, c_0, \ldots, c_0)$, where $c_0$ is selected randomly. For a message block $m$ of the form $(m_0, m_1, \ldots, m_7)$ where $m_7 = F(c_0, \ldots, c_0) \oplus L(c_0)$ and the rest of the $m_i$'s are selected arbitrarily, select $m'$ as $(m'_0, m'_1, \ldots, m'_7)$, such that $m'_{i+1} = m_i$ for $i = 0, 1, 2, \ldots, 6$ and $m'_0 = m_7 \oplus F(m_6, \ldots, m_0) \oplus L(m_0)$. Then, the outputs of the compression function for $m$ and $m'$ also satisfy $r_i = r'_{i+1}$ for $0 \le i < 7$. It is possible to select $c$ in $2^{32}$ different ways, and for each selected $c$, we can choose $2^{7 \cdot 32}$ different message blocks, therefore the number of such slid pairs is $2^{256}$. As an example, assume $c_0 = \mathtt{243f6a88}$, which is the truncated fractional part of $\pi$, and all ‘free’ message words are zero.
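The following Python is an added model, not the thesis's or the ESSENCE designers' code, of the register structure that conditions 1 to 4 and the fixed-point equations of Sect. 8.8 imply: the new word enters the r-register and the k-register at index 0, every word moves up one place, word 7 drops out, and there are no round constants. F_toy and L_toy are placeholders of our own, not the real F and L, so the slid pairs of Tables 8.2 and 8.3 cannot be reproduced; what the model shows is that the slide property of Sect. 8.7 and the identical-chaining-value variant of Sect. 8.7.1 follow from the structure alone, for any choice of F and L.

```python
MASK = 0xFFFFFFFF  # 32-bit words, i.e. the N = 32 parameter of ESSENCE-256

# Constructed sample inputs (hex digits of pi); any values would do.
SAMPLE_C = [0x243F6A88, 0x85A308D3, 0x13198A2E, 0x03707344,
            0xA4093822, 0x299F31D0, 0x082EFA98, 0xEC4E6C89]
SAMPLE_M = [0x452821E6, 0x38D01377, 0xBE5466CF, 0x34E90C6C,
            0xC0AC29B7, 0xC97C50DD, 0x3F84D5B5, 0xB5470917]


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def F_toy(r6, r5, r4, r3, r2, r1, r0):
    """Placeholder for ESSENCE's bitsliced nonlinear function F (not the real one)."""
    return ((r6 & r5) ^ (r4 & ~r3) ^ (r2 | r1) ^ (r6 & r2 & r0) ^ r0) & MASK


def L_toy(x):
    """Placeholder for ESSENCE's linear function L (not the real one)."""
    return x ^ rotl(x, 7) ^ rotl(x, 19)


def step(r, k):
    """One round of the structure implied by conditions 1-4 and Sect. 8.8: both
    the chaining register r and the message/key register k are shift registers;
    the new word enters at index 0 and word 7 drops out. No round constants."""
    new_r = F_toy(r[6], r[5], r[4], r[3], r[2], r[1], r[0]) ^ r[7] ^ L_toy(r[0]) ^ k[7]
    new_k = F_toy(k[6], k[5], k[4], k[3], k[2], k[1], k[0]) ^ k[7] ^ L_toy(k[0])
    return [new_r] + r[:7], [new_k] + k[:7]


def compress(c, m, rounds=32):
    """Davies-Meyer: the permutation E (32 rounds) on c under message m, then feed-forward."""
    r, k = list(c), list(m)
    for _ in range(rounds):
        r, k = step(r, k)
    return [ri ^ ci for ri, ci in zip(r, c)]


def slid_input(c, m):
    """Conditions 1-4 of Sect. 8.7 say exactly that (c', m') is (c, m) after one round."""
    return step(c, m)


def is_slid_pair(r, r_prime):
    """r_i = r'_{i+1} for 0 <= i < 7."""
    return all(r[i] == r_prime[i + 1] for i in range(7))


def slide_property_holds(c, m):
    c_prime, m_prime = slid_input(c, m)
    return is_slid_pair(compress(c, m), compress(c_prime, m_prime))


def identical_chaining_slid_pair(c0, free_words):
    """Sect. 8.7.1: c = (c0, ..., c0) with m7 = F(c0, ..., c0) xor L(c0) makes one
    round map c to itself, so c' = c and only the message block slides.
    Returns (c' == c, slide property holds)."""
    c = [c0] * 8
    m7 = F_toy(*([c0] * 7)) ^ L_toy(c0)
    m = list(free_words) + [m7]
    c_prime, m_prime = slid_input(c, m)
    return c_prime == c, is_slid_pair(compress(c, m), compress(c_prime, m_prime))


if __name__ == "__main__":
    print("slide property:", slide_property_holds(SAMPLE_C, SAMPLE_M))          # True
    print("identical chaining values:", identical_chaining_slid_pair(0x243F6A88, [0] * 7))  # (True, True)
```

Because the second input is the first one advanced by a round, E applied to it equals the state of the first input after 33 rounds, which is the 32-round state shifted by one word; the feed-forward preserves the shift because the initial values are shifted in the same way. A round constant would break this, which is the countermeasure Sect. 8.9 names.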

8.8 Fixed Points for the ESSENCE Block Ciphers

If a fixed point for one round of an ESSENCE block cipher can be found, this automatically leads to a fixed point for all 32 steps of the block cipher. After applying the Davies-Meyer feed-forward, the resulting compression function output will then be zero.

If two different fixed points are found, this would lead to a free-start collision.This free-start collision is preserved after the output padding is applied.

For a fixed point for one round, c0 = c1 = . . . = c7 and m0 = m1 = . . . = m7should hold. This is obvious – after one step, all register values move one place, butmust have the same value as in the previous step to form a fixed point. Moreover,the round update functions should satisfy the following two equations.

$F(c_0, c_0, c_0, c_0, c_0, c_0, c_0) \oplus c_0 \oplus L(c_0) \oplus m_0 = c_0$ ,

$F(m_0, m_0, m_0, m_0, m_0, m_0, m_0) \oplus m_0 \oplus L(m_0) = m_0$ .

Solving the equations, one gets the following values for ESSENCE-256 and ESSENCE-512:

      ESSENCE-256   ESSENCE-512
c0    993AE9B9      D5B330380561ECF7
m0    307A380C      10AD290AFFB19779

Using similar methods, we have found that the only fixed points for two, three or four rounds are the same fixed point for one round applied two, three or four times respectively. We have not been able to extend this result to more rounds. As such, we have not been able to find a free-start collision using this technique. Depending on how the compression function is used, however, it might be undesirable that we can easily find inputs that fix the compression function output to zero.

8.9 Measures to Improve the Security of ESSENCE

From the analysis in Sect. 8.3–8.6, it is clear that ESSENCE has weaknesses in L and F.

The concatenation of both the input and output of the L function can be seen as an error-correcting code with [n, k] = [64, 32] or [128, 64]. The branch number then corresponds to the highest minimum weight achievable by an error-correcting code of these dimensions. Best-known results from coding theory [87] can be used to construct an L function with a branch number, for both linear and differential cryptanalysis, of 12 or 22 respectively. Better codes may exist according to currently known upper bounds for the minimum weight, but have so far not been found.

A search can be made for variants of these codes (possibly with a slightly lowerbranch number) that satisfy all design criteria for the L function. Althoughthe resulting function will always be linear, it may however not be possible toimplement it as an LFSR.

In (8.1), the function F is in algebraic normal form (ANF). We know that thecoefficient of the maximum degree monomial in this ANF is equal to the XOR-sumof all the entries in the truth table of F . To thwart the attacks in Sect. 8.6 andAppendix F.5, it is necessary that F is balanced. Discarding the maximum degreemonomial is a possible solution.
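As an added illustration (not from the thesis), the following Python computes the ANF of a Boolean function from its truth table by the Möbius transform and checks the fact used above: the coefficient of the maximum-degree monomial equals the XOR-sum of the truth table, so a function that contains that monomial has odd weight and cannot be balanced. The 7-variable function $g = x_0x_1 \oplus x_2x_3 \oplus x_4x_5 \oplus x_6$ is a constructed toy, not ESSENCE's F from (8.1); adding the degree-7 monomial to it gives $\Pr(F = 0) = 1/2 - 2^{-7}$, a bias of the same size as the one the distinguishers of Sect. 8.6 use, and dropping the monomial restores balance.

```python
def evaluate_anf(monomials, x):
    """Evaluate a Boolean function given by its ANF at the point x (variable i is
    bit i of x). `monomials` is a list of index tuples; () is the constant 1."""
    return sum(1 for mono in monomials if all((x >> i) & 1 for i in mono)) & 1


def truth_table(monomials, n):
    return [evaluate_anf(monomials, x) for x in range(1 << n)]


def anf_coefficients(tt):
    """Möbius transform of a truth table. Entry m of the result is the ANF
    coefficient of the monomial whose variable set is encoded by the bits of m:
    the XOR of f(x) over all x whose support is a subset of that set."""
    a = list(tt)
    n = len(a).bit_length() - 1
    for i in range(n):
        bit = 1 << i
        for m in range(len(a)):
            if m & bit:
                a[m] ^= a[m ^ bit]
    return a


def top_coefficient(tt):
    """Coefficient of the maximum-degree monomial: the XOR-sum of the whole
    truth table, i.e. the parity of the number of ones (the fact used in Sect. 8.9)."""
    return anf_coefficients(tt)[-1]


def is_balanced(tt):
    return tt.count(0) == len(tt) // 2


def zero_probability(tt):
    return tt.count(0) / len(tt)


def drop_top_monomial(monomials, n):
    """The countermeasure suggested in the text: remove the degree-n monomial."""
    return [mono for mono in monomials if len(mono) != n]


# Constructed toy 7-variable function, NOT ESSENCE's F from (8.1):
# g = x0x1 + x2x3 + x4x5 + x6 is balanced (x6 appears alone, so flipping it
# flips g); adding the degree-7 monomial flips exactly one truth-table entry.
N = 7
G_MONOMIALS = [(0, 1), (2, 3), (4, 5), (6,)]
F_MONOMIALS = G_MONOMIALS + [tuple(range(N))]

if __name__ == "__main__":
    tt_f = truth_table(F_MONOMIALS, N)
    print("top coefficient:", top_coefficient(tt_f), "balanced:", is_balanced(tt_f),
          "Pr(F=0) =", zero_probability(tt_f))  # 1 False 0.4921875  (= 1/2 - 2^-7)
    tt_g = truth_table(drop_top_monomial(F_MONOMIALS, N), N)
    print("after dropping x0...x6:", top_coefficient(tt_g), is_balanced(tt_g))  # 0 True
```

The general point the check makes: a balanced n-variable function has $2^{n-1}$ ones, an even number for $n \ge 2$, so its top ANF coefficient is 0; conversely a present top-degree monomial forces $|\Pr(F = 0) - 1/2| \ge 2^{-n}$. Dropping the monomial is necessary for balance, not sufficient, so the resulting function still has to be checked with is_balanced().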

Other countermeasures include increasing the number of rounds and addinground constants. In Sect. 8.7 and Sect. 8.8, we saw how the omission of roundconstants allowed slid pairs and fixed points to be found. Increasing the number ofrounds does not thwart these attacks, but it increases the security margin againstthe semi-free-start collision attacks of this chapter.

8.10 Conclusions and Open Problems

In this chapter, we first presented a semi-free-start collision attack on 31 out of 32 rounds of ESSENCE-512 with a complexity of $2^{254.65}$ compression function evaluations. We found messages that satisfy the first nine rounds of the differential characteristic of the semi-free-start collision attack as the solution of a large set of linear equations. We found that six linear input conditions are sufficient to make F behave as a linear function in Table F.4. It is an open problem if solutions using fewer equations exist.

Next, we presented a set of distinguishers on 14-round ESSENCE. The distinguishers can be applied to the block ciphers as well as the compression functions. Each of the distinguishers on 14-round ESSENCE requires $2^{17}$ output bits. The distinguishers work on all digest sizes of ESSENCE with the same complexity. We also showed how the distinguishing attacks can be developed into key recovery attacks.

We then showed how the omission of round constants allowed slid pairs andfixed points to be found. This problem cannot be solved by increasing the numberof rounds.

Finally, we suggest some measures to improve the security of ESSENCE. Thesesuggestions are rather preliminary and need to be worked on further in order toobtain a more secure family of CHFs.


Part VII

Analysis of Cryptosystems: Attacking the Symmetric Encryption Algorithm and Key Management Techniques


Don’t get involved in partial problems, but always take flight to where there is a free view of the whole single great problem, even if this view is still not a clear one.

– Ludwig Wittgenstein


Chapter 9

Practical Attacks on a Cryptosystem Proposed in Patent WO/2009/066313

9.1 Introduction

A new cryptosystem is proposed by Artus in [8]. The design is covered by the following patents: international (WO/2009/066313), US (US 2010/0153723), European (EP 2183875), Australian (AU 2008327506), Canadian (CA 2695019), Indian (1456/MUM/2007) and Russian (national reference number 2010104728). The Russian patent document is not yet publicly available. So far, to the best of our knowledge, there is no cryptanalysis result on this cryptosystem in the open literature. As the text (especially, cryptology parlance) is not entirely clear in [8], we base this chapter on our best possible interpretation of it.

The cryptosystem (as it is not named in [8], we call it S) consists of a key distribution mechanism and a symmetric-key primitive. The latter is a stream cipher-like construction; for conciseness, henceforth, we shall call it a stream cipher. The system significantly differs from cryptosystems used today. The secret key of the stream cipher is changed with every new message (plaintext). It is not clear to us what the designer means by ‘new message’ – there is no specific message length mentioned in [8]. The designer proposes some means for the initial key exchange between the sender and the receiver (e.g., via SMS, without any mention about encryption) and assumes that these are secure. Even though the designer notes that one could use “other means” (see [8]) to securely initiate communication, there is not a single mention of PKC.

Besides, the patent just mentions that the keys are changed in a random manner but fails to mention how. Performance estimates are also missing. Since keys are changed so often, the key generation algorithm and performance figures are extremely vital. Also required in [8] are the targeted applications for which the cryptosystem has been designed, and a more detailed security evaluation. Looking at the design, we presume that the proposed system is intended for software-oriented applications.

In this chapter, we first point out problems associated with some of the proposed methods in [8] to initiate communication between the sender and the receiver. Following this, we present other attacks assuming that PKC is used to exchange the initial keys. The attacks work in both a related-key setting and otherwise, under some reasonable assumptions. Most of these assumptions have been made due to the absence of sufficient details in [8]. This, and the fact that our assumptions are reasonable, will become clear in the following sections.

In the non-related-key setting, we present an attack that recovers one plaintext bit from the corresponding ciphertext bit in nearly zero time. This attack results from the way in which decimal-to-binary conversions are performed in [8]. When decimal numbers are converted to binary and stored in (fixed-length) registers, some of the MSBs may be zeroes (we call them leading zeroes). In [8], leading zeroes are discarded while converting decimal numbers to binary, thereby ensuring that the MSBs of the (truncated) binary numbers are all ones.

The related-key attacks result when certain key generation algorithms are used (the patent does not provide any algorithm for key generation). Each of these attacks requires only 2 plaintext-ciphertext pairs¹ and negligible time to recover a key or key-dependent information with guaranteed success. As the key is changed with every new message, it is important to address related-key attacks. In a way, this chapter tells one how not to use the proposed cryptosystem, especially with respect to key management.

Another motive behind this work is to caution potential users of the cryptosystem. We believe that they would interpret the unclear description of the cryptosystem in the same way as we have done in this chapter. The practical nature of the attacks presented in this chapter seems to suggest that WO/2009/066313 has no industrial applicability, as opposed to what the international search report of the patent claims. Given that the system is covered by 7 patents, it may not be unreasonable to imagine that there would be several potential buyers. To further substantiate this point, we take the example of KeeLoq [144]. The block cipher KeeLoq is a proprietary algorithm which is or was used in remote keyless entry systems [233]. It was designed in South Africa in the mid-1980s by researchers who had little or no prior record of designing cryptographic algorithms. The cipher was sold to Microchip Technology Inc. and subsequently used by companies such as Chrysler, Daewoo, Fiat, General Motors, Honda, Toyota, Volvo, Volkswagen Group, Clifford and Jaguar [144, 233]. In the last few years, several researchers have analysed the cipher [233], and a practical attack was published in 2008 [98].

¹ Here, the term plaintext or ciphertext may have a connotation. This point is explained further in the chapter.


9.2 Notation and Conventions

In this chapter, we use the notation and conventions listed in Table 9.1.

Table 9.1. Notation and conventions

Symbol / Notation    Meaning
$\beta_i(x)$         bit $x$ of $\beta_i$; $x = 0$ denotes the LSB of $\beta_i$
$\beta_i^c(x)$       bit-complement of $\beta_i(x)$
len(m)               length of m in bits†

† It is not mentioned in [8] whether the leading zeroes are discarded while coding len(m) in binary.

9.3 Description of the Cryptosystem

The stream cipher (as it is not named in [8], we call it E) uses keys that are sufficiently long to thwart brute force attacks. The designer, however, does not recommend any particular key size. The internal state of E consists of an array A that stores N digits chosen arbitrarily from the decimal representation of π. We denote the array by A[0, . . . , N − 1]. It is not mentioned in [8] whether this array is secret or not. Despite this, we present in this chapter attacks that recover the secret key or plaintext without the attacker knowing A[0, . . . , N − 1]. The key (or seed) is a 4-tuple (K1, K2, K3, K4) where:

1. K1 is an arbitrarily chosen array index such that 0 ≤ K1 ≤ N − 1,

2. K2 is a number that uniquely corresponds to a subset of r elements (r ≥ √N) of A[0, . . . , N − 1] (i.e., 1 ≤ K2 ≤ C(N, r)),

3. K3 is a number that uniquely corresponds to an ordering of the r elements determined by K2 (i.e., 1 ≤ K3 ≤ r!),

4. K4 determines how consecutive decimal digits in the r-element ordered list are concatenated; $1 \le K_4 \le 2^{r-1}$.

We call each of these four components of the seed a subkey. According to [8], the seed is “dynamically” changed, in a random manner, for every message sent. To initiate communication between the sender (Alice) and the receiver (Bob), a mechanism is proposed. The text in the paper that describes this mechanism is not entirely clear to us and we believe that the designer may have been inspired by chaffing-and-winnowing [178]. The technique proposed in [8], however, does not employ a MAC; so it is definitely not chaffing-and-winnowing.


Alice first sends a file (a pilot-file according to [8]) to Bob. This file contains a long string of random-looking numbers of which the initial seed is a part. The following assumption is made by the designer.

Assumption 9.1. An algorithm to locate the initial seed, using four numbers, in the string of random numbers of the pilot-file is known to both Alice and Bob, but not to an eavesdropper (Mallory).

We denote the algorithm in Assumption 9.1 by L and the four numbers by the tuple (α1, α2, α3, α4). This 4-tuple is now sent by Alice, separately, by “Text, SMS or other means” [8].

The seed for the second message is encrypted using the first seed and then sent to Bob. The seed for the third message is encrypted using the second seed, and so on.

Figure 9.1 shows the working of the cipher E. The key (K1, K2, K3, K4) first produces an ODNL. The numbers in the list are converted to binary and the resultant bit-strings are concatenated to give a single CBS. Let extended message (plaintext) denote the message (plaintext) concatenated with the seed that is intended to be used to encrypt the next message. The CBS is truncated if it is longer than the extended message.² The (truncated) keystream is then XORed with the extended message to yield the extended ciphertext. Figure 9.2 illustrates, with an example, the generation of the extended ciphertext. The extended ciphertext is split into two parts of variable lengths. A concatenation is then performed, where the length (in bits) of the plaintext is placed between the two parts of the extended ciphertext. The resultant bitstream is transmitted to Bob. It is assumed by the designer that Bob (not Mallory) knows

• where the length of the plaintext is placed, i.e., the starting point of the bit-string representing the length of the plaintext (starting point, hereafter) in the bit-string of the extended ciphertext,

• the length (in bits) of the length of the plaintext.

Again, it is not mentioned in [8] whether the leading zeroes are discarded while coding the length of the length of the plaintext (from the length of the plaintext) in binary. Since it is an algorithm that is a part of S, by Shannon’s maxim [206], it is known to Mallory. Similarly, Mallory knows whether the leading zeroes are discarded while coding the length of the plaintext (from the plaintext) in binary.

Figure 9.3 shows the working of the cryptosystem S with a fixed starting point that immediately follows the LSB of the extended ciphertext. In this figure, $E_{\beta_1}(m_1 \| \beta_2)$ is the output of stream cipher encryption, using the key β1, of the message m1 concatenated with the key β2 (which is used to encrypt the next message m2).

² Details on how the truncation is done are missing in [8].


[Figure 9.1 (diagram; only its labels survive extraction): K1 gives an array index j, the first element being A[j]; K2 selects a set of r elements; K3 an ordering of the r elements; K4 a partition of the ordering, which produces the ordered decimal number list (ODNL). The ODNL is converted into binary to give the concatenated bit string (CBS), which is truncated if required to form the keystream. The keystream is XORed with the extended message to yield the extended ciphertext.]

Figure 9.1. Encrypting a plaintext message with E under key (K1, K2, K3, K4)

9.4 A Trivial Attack on the Cryptosystem S

In this section, we outline a trivial attack on the cryptosystem S. Recall that the algorithm L is known only to Alice and Bob. The risk this poses, as stated in Sect. 1.1, is that the secret algorithm is later reverse engineered and found to be insecure.

By Shannon’s maxim, L is known to Mallory. Given this, she can obtain the initial seed from the pilot-file using (α1, α2, α3, α4). The pilot-file and (α1, α2, α3, α4) may be obtained by Mallory if these are sent through an insecure channel by Alice without encrypting properly. This sometimes applies to, for example, sending raw data by SMS. Though GSM phones support ciphers like A5/1, A5/2 and A5/3, encryption is disabled in some countries. Besides, practical attacks have been found in the A5/1 and A5/2 ciphers [10, 81]. Messaging via SMS has some other security vulnerabilities due to its store-and-forward feature.

The problem can be overcome if PKC (Diffie-Hellman protocol [61], RSA [179], or elliptic curve cryptography [121, 146]) is one of the “other means” (see Sect. 9.3) of communicating the initial seed to Bob in [8]. Chaffing-and-winnowing is another technique that could be used to achieve confidentiality without performing encryption. However, if this technique were to be used, a MAC is required (HMAC-SHA1 has been suggested in [178]) and its secret key is shared by the sender and receiver using PKC (e.g., authenticated Diffie-Hellman key exchange). Chaffing-and-winnowing is primarily used to thwart attempts by law enforcement to regulate confidentiality by regulating encryption [178].

Even when the initial keys are exchanged securely, regardless of the techniqueused, we find the system S to contain serious weaknesses. We describe these in


[Figure 9.2 (diagram; only its labels survive extraction): A[0, . . . , 47] = {1, 4, 1, 5, 9, 2, . . . , 3, 7, 5}, the first 48 decimal digits of π after the point (3.1415 9265 3589 7932 3846 2643 3832 7950 2884 1971 6939 9375 . . .). K1: array index 4, i.e., element 9. (K2, K3): ordered r-element set {9, 9, 4, 6, 3, 8, 2, 1, 7, 3, 7, 0, 3, 3, 3, 8}, r = 16 > √48. K4: ODNL 99, 463, 82, 17, 370, 33, 38. Converting to binary with leading zeroes discarded gives the CBS 1100011 111001111 1010010 10001 101110010 100001 100110, length = 49. Message m_i = 1111 1111 1111 1111 1111, len(m_i) = 20; extended message m_i || β_{i+1}(24) . . . β_{i+1}(0), length = 45; truncated CBS (keystream), length = 45, 4 trailing bits discarded; extended ciphertext 0011100 000110000 0101 followed by the 25 bits that encrypt β_{i+1}.]

Figure 9.2. An example (similar to the example in [8]) to illustrate the generation of the extended ciphertext; in this example, while truncating the CBS, the redundant trailing bits are discarded (while 4 leading bits could have instead been discarded)


[Figure 9.3 (diagram; only its labels survive extraction): Alice sends to Bob over the insecure channel $E_{\beta_1}(m_1 \| \beta_2) \,\|\, \mathrm{len}(m_1)$, then $E_{\beta_2}(m_2 \| \beta_3) \,\|\, \mathrm{len}(m_2)$, and so on. Bob already knows β1 and len(len(m1)), so he gets m1 and β2; he then knows β2 and len(len(m2)), so he gets m2 and β3; and so on.]

Figure 9.3. Working of the cryptosystem S; β1 may be securely transmitted across the insecure channel through the use of PKC

Sects. 9.5 and 9.6.

In this chapter, we construct a couple of attacks (in Sect. 9.6) under the following assumption.

Assumption 9.2. The bit-string representing the length of the plaintext trails theLSB of the extended ciphertext.

With every message, if Alice were to provide the corresponding starting point securely to Bob, then she needs to use PKC. But doing so would make the scheme very slow for practical usage. To solve this, Alice and Bob can, alternatively, agree on one fixed starting point – for example, immediately following the LSB of the extended ciphertext (as in Figure 9.3). To agree on a single starting point value, Alice can enter it into the pilot file, extend the tuple (α1, α2, α3, α4) to (α1, α2, α3, α4, α5) and modify the algorithm L accordingly. Now,

• if the pilot file and the 5-tuple (α1, α2, α3, α4, α5) are sent to Bob through an insecure channel without encrypting properly (e.g., via SMS), then Mallory may obtain the starting point when she knows L.

• Assume that PKC is used to transmit the pilot file and (α1, α2, α3, α4, α5). Even then, for a transmitted bit-string of length d, the probability that Mallory correctly guesses the starting point, without knowing the length of the plaintext, is at least 1/d. The probability is high when d is small.

• In the preceding case, if Mallory knows the length of the plaintext (len(m), say), then she can search for the bit-string in the string of bits transmitted by Alice. There are at most d − len(len(m)) + 1 matches;³ therefore, the probability that Eve correctly guesses the starting point is at least 1/(d − len(len(m)) + 1). Again, the probability is high when d is small or when the message m is long.

In these scenarios, therefore, Assumption 9.2 is reasonable. But even if thisassumption is not made, it is possible to attack S. We present this attack inSect. 9.6.

9.5 Motivational Observations

We continue our analysis, starting with the following observations. Let mi and βi (i ≥ 1) respectively denote the ith message and the seed used to encrypt it. The initial seed is β1.

Observation 9.1. Let $\beta_i \leftarrow (K_1, K_2, K_3, K_4)$ and $\beta_j \leftarrow (K_1, K_2, K_3, K'_4)$, where $K'_4 \neq K_4$. Then, regardless of the relation between $K_4$ and $K'_4$, the LSBs of the CBSs produced by the two keys are identical.

Observation 9.2. Let us consider the following two scenarios.

Scenario 1: Consider βi ← (K1,K2,K3,K4) and βj ← (K1,K′2,K

′3,K

′4), j > i,

where K ′2, K ′

3 and K ′4 are such that the ODNL obtained using βj is a list that is

formed by appending numbers to the ODNL obtained using βi. Let len(mi||βi+1) =len(mj ||βj+1). Then, we have the following observation.

Observation: If the truncation of the CBS is such that the redundant trailing bits are discarded, the keystreams corresponding to βi and βj are identical.

Scenario 2: Consider $\beta_i \leftarrow (K_1, K_2, K_3, K_4)$ and $\beta_j \leftarrow (K_1', K_2', K_3', K_4')$, $j > i$, where $K_1'$, $K_2'$, $K_3'$ and $K_4'$ are such that the ODNL obtained using $\beta_j$ is a list that is formed by prefixing numbers to the ODNL obtained using $\beta_i$. Let $\mathrm{len}(m_i \| \beta_{i+1}) = \mathrm{len}(m_j \| \beta_{j+1})$. Then, we have the following observation.

Observation: If the truncation of the CBS is such that the redundant leading bits are discarded, the keystreams corresponding to βi and βj are identical.⁴

Observation 9.3. Given Assumption 9.2, if βi and len(len(mi)) are known to Mallory, she can obtain mi and βi+1 (see Figure 9.3).

³ This upper bound is reached only when the transmitted bits are all ones or all zeroes; hence, one expects fewer matches. Our analysis, therefore, is worst-case with respect to the attacker.

⁴ Since [8] does not discuss how the truncation of the CBS is done, it is not possible to tell which of the two scenarios results in identical keystreams. This is also the reason why we rule out the possibility that bits are discarded from the middle of a CBS.


9.6 Attacks Due to Weaknesses in the Stream Cipher

In this section, we present several attacks on the cryptosystem that stem from flawed key management techniques and weaknesses in the underlying stream cipher. We use the observations of Sect. 9.5.

9.6.1 Attacks in a Related-Key Setting

In a related-key setting, we present the following two attacks.

Attack 1: In this attack, Mallory obtains key-dependent information from message-dependent information. We begin with Observation 9.1. Suppose that the identical LSBs (denote them by b) of the CBSs produced by βi and βj are in the keystream (i.e., only the redundant leading bits of the CBS are discarded).⁵ Given Assumption 9.2, if len(len(mi)) and len(len(mj)) are known to Mallory, she knows βi+1(0)⊕b and βj+1(0)⊕b. From these two values, she obtains key-dependent information in the form of βi+1(0) ⊕ βj+1(0). Often, in practice, Mallory knows len(mi) or mi, so she can compute len(len(mi)). Therefore, to mount this attack, Mallory only requires the lengths of two plaintexts, or 2 KPs and the corresponding intercepted texts (i.e., extended ciphertexts concatenated respectively with the lengths of the plaintexts).

Attack 2: This attack works as follows. Consider the case when β1 and β2 are such that the keystreams they produce are identical (i.e., as in Observation 9.2). First, Mallory collects Eβ1(m1||β2), using the knowledge of len(m1) or m1 itself. Now, Mallory forces Alice to encrypt a message of Mallory’s choice, of length equal to len(m1||β2) (e.g., a message with len(m1||β2) zero-bits).⁶ Alice encrypts this new message with the key β2. Since Mallory has chosen the plaintext message, she has its length and hence obtains the keystream that is produced by β1 (since the keystreams produced by β2 and β1 are identical). Using this, len(m1) and Eβ1(m1||β2), she recovers β2. The attack requires 1 KP (or 1 message length), 1 CP (in which the ‘plaintext’ is actually ‘extended plaintext’), the corresponding intercepted texts, and negligible time.

The attacker can continue recovering subsequent messages and keys. For example, after recovering β2, given the message length len(m2), the message m2 and the key β3 can be obtained. Subsequently, using β3 and len(m3), she can recover m3 and β4; and so on.

⁵ The manner in which the CBS is truncated would normally be a part of the algorithm that is known to the attacker; hence, it is reasonable to assume that Mallory knows whether the leading or the trailing bits are discarded.

⁶ Since the attacker is not passive in Attack 2, we have used the placeholder name Mallory in place of Eve, throughout this chapter (see Sect. 1.5).


9.6.2 Attacks in a Non-Related-Key Setting

The stream cipher can also be attacked in a non-related-key setting. The attack works as follows.

Attack 3: In the example given in [8], while the CBS is formed from the ODNL, the leading zeroes of each number in the ODNL are discarded. When S works this way, the MSB of the keystream is 1 if the leading bits of the CBS are not discarded while forming the keystream (i.e., only the redundant trailing bits of the CBS are discarded). Given that the MSB of the keystream is 1, Mallory computes the MSB of the plaintext by complementing the MSB of the intercepted text. This attack recovers only one plaintext bit from the corresponding ciphertext bit, but requires practically zero time.

Even if Mallory does not know where len(mi) is inserted in the intercepted text (i.e., Assumption 9.2 is not made), she can mount Attack 3. If she knows len(len(mi)) or len(mi), she can conclude that the recovered bit is a plaintext bit with probability p ≥ 1 − 1/(d − len(len(mi)) + 1) (see Sect. 9.4). This probability is high because of the following argument. The minimum length of βi+1 is 4 bits because it has 4 subkeys. Since d = len(len(mi)) + len(mi) + len(βi+1), for a zero-length message, d ≥ 5. Therefore, for any message, d − len(len(mi)) + 1 ≥ 5 ⇒ p ≥ 0.8. This attack, in addition to the requirements of Attack 3, requires message-dependent information in the form of len(len(mi)) or len(mi). The success probability is at least 0.8.

Attack 3 works regardless of whether the array A[0, . . . , N − 1] is secret or not. The same is the case with the attack in Sect. 9.4 and Attacks 1 and 2. However, for Mallory to recover a message mi using a recovered key βi, she needs to know A[0, . . . , N − 1] to compute the keystream.

Attacks due to a poor choice of the array: Depending on how the array A[0, . . . , N − 1] is chosen, we may have more attacks. For example, let us consider the following array containing elements from around the Feynman point in the decimal number sequence of π:

A[0, . . . , 20] = {9, 9, 6, 0, 5, 1, 8, 7, 0, 7, 2, 1, 1, 3, 4, 9, 9, 9, 9, 9, 9} .

Let r = 17. The number of possibilities for the key is $21 \cdot \binom{21}{17} \cdot 17! \cdot 2^{16} \approx 2^{81.3}$; this is large enough to make a straightforward exhaustive key search nearly infeasible in practice. Suppose that the array is public. Since there are 6 even numbers in the array and r = 17, the number of odd numbers in the ODNL is at least 11. If there are exactly t odd numbers (1 ≤ t ≤ 11) in the ODNL, the probability that an odd number is the last digit in the ODNL is t/17. Therefore, the probability that the last digit in the ODNL is odd is at least 11/17. In other words, given that redundant trailing bits are not discarded during truncation of the CBS, the probability that the LSB of the extended ciphertext is complemented during transmission is at least 11/17. One may, alternatively, exploit the presence of the unusually many 9’s in the array in some clever manner. It may not be common for the users of the system to choose such number sequences, but a smaller bias may result when the array contains unequal numbers of even and odd digits (note that the array need not contain contiguous digits from the decimal representation of π).

9.7 Conclusions and Open Problems

In this chapter, we presented several attacks on a cryptosystem patented by Artus [8]. The attacks are of extremely low data complexity and require nearly zero time. We also pointed out a major weakness in the key exchange scheme proposed in [8]. It is hoped that the results of this chapter have shed light on how not to design ciphers and how the proposed cryptosystem has to be used in practice.

The patent also proposes a so-called “embodiment” of the cryptosystem in which Alice, instead of encrypting keys along with plaintexts, transmits the keys as pilot-messages. One can immediately see that this embodiment is also vulnerable to the attack of Sect. 9.4 and Attack 3 of Sect. 9.6.

While it seems that some of the attacks presented in this chapter could be easily averted (e.g., by using PKC for key exchange), it is also possible that there are better attacks in the standard setting. As the flaws pointed out in this chapter are serious enough, there was not enough motivation for us to work further in the standard setting. However, if the cryptosystem is tweaked in future, so as to thwart the attacks in this chapter, a more detailed analysis may be worthwhile carrying out.


Part VIII

Design of Symmetric-Key Algorithms


If I have seen further it is by standing on ye sholders of Giants. – Isaac Newton


Chapter 10

Design of Synchronous Stream Ciphers

10.1 Introduction

Before we begin, we would like to point out that this chapter is a continuation of Chapter 4. Therefore, we do not reproduce here some algorithms and tables of Chapter 4. The reader should refer to Chapter 4 for these algorithms and tables, and whenever any notation or concept is not immediately clear.

Between 2005 and 2008, the Py and Py6 family of ciphers came under several cryptanalytic attacks (see Table 4.1). In spite of the weaknesses, the ciphers retain some attractive features such as modification of the internal state with clever implementations of rolling arrays and fast mixing of several arithmetic operations. This motivated us to explore the possibility of designing new ciphers that retain all the good properties of the Py and Py6 families of ciphers, and yet are secure against all the existing and new attacks.

In this chapter, we provide the specifications of two synchronous stream ciphers, RCR-64 and RCR-32. The ciphers were designed by tweaking the KGAs of the Py family of ciphers (see Table 4.2, Algorithm 4.6, [26] and [27]).

The ciphers RCR-64 and RCR-32 are tweaks of TPy and TPypy, respectively. The changes were made only to the KGAs, where variable rotations are replaced with constant rotations. Our extensive analysis shows that the modifications free the Py family of ciphers from all the existing attacks (e.g., the attacks presented in Chapter 4). Furthermore, the performance of the ciphers is marginally improved. The cipher RCR-64 is one of the fastest stream ciphers in the literature, encrypting at approximately 2.7 cycles/byte on the Pentium III. The names are chosen to reflect the functionalities involved in the ciphers. For example, RCR-64 denotes: Rolling, Constant Rotation and 64-bit output per round (i.e., iteration of the KGA).


10.2 Specifications

The RCR-64 and RCR-32 are each recommended to be used with a 32-byte key K and a 16-byte IV. However, as in the case of TPy and TPypy, K may be between 1 and 256 bytes in length (provided the length is a multiple of a byte) and the IV between 1 and 64 bytes in length (again, the length should be a multiple of a byte). Each cipher is composed of three parts: (i) a K setup algorithm, (ii) an IV setup algorithm, and (iii) a round function or KGA. As mentioned in Sect. 10.1, in the tweaking process we leave the (identical) K/IV setups of TPy and TPypy (see Sect. 4.2) unchanged. Therefore, from Table 4.2, KS (i.e., Algorithm 4.3) is the K setup of RCR-64 as well as of RCR-32. Likewise, IVS1 (Algorithm 4.4) is the IV setup.

The KGAs of RCR-64 and RCR-32 are very similar to those of TPy and TPypy. The only change in each KGA is that the variable rotation of s is replaced by a constant rotation (call it c) of 19. The round functions of RCR-64 and RCR-32 are shown in Algorithm 10.1.

Algorithm 10.1 Round functions of RCR-64 and RCR-32
Require: Y[−3, . . . , 256], P[0, . . . , 255], a 32-bit variable s
Ensure: 64-bit random output (for RCR-64) or 32-bit random output (for RCR-32)
/*Update and rotate P*/
1: swap(P[0], P[Y[185] & 255]);
2: rotate(P);
/*Update s*/
3: s ← s + Y[P[72]] − Y[P[239]];
4: s ← (s ≪ 19); /*Tweak: The variable s undergoes a constant, non-zero rotation (c = 19).*/
/*Output 4 or 8 bytes (the least significant byte first)*/
5: output: ((s ≪ 25) ⊕ Y[256]) + Y[P[26]] /*This step is skipped for RCR-32.*/
6: output: (s ⊕ Y[−1]) + Y[P[208]]
/*Update and rotate Y*/
7: Y[−3] ← ((s ≪ 14) ⊕ Y[−3]) + Y[P[153]];
8: rotate(Y);
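As an added worked example (not code from the thesis or from the Py authors), the C below implements the round function of Algorithm 10.1 for both RCR-64 and RCR-32 over the 10,400-bit rolling-array state. The K and IV setups KS and IVS1 of Sect. 4.2 are not reproduced on this page, so they are replaced by a clearly labelled constructed filler state; the keystream it produces is therefore only illustrative of the round function, not a test vector. The example also checks a structural property of the algorithm: since RCR-32 merely skips step 5, its keystream from a given state must equal the second output word of every RCR-64 round from the same state.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Rolling-array state of Algorithm 10.1: Y[-3..256] (260 words), a permutation
 * P of 0..255 and the 32-bit variable s: 260*32 + 256*8 + 32 = 10,400 bits. */
#define Y_LEN 260
#define Y_OFF 3                 /* Y[i] is stored at y[i + Y_OFF]                */
#define RCR_C 19                /* constant rotation that replaces TPy's variable one */
#define Y(st, i) ((st)->y[(i) + Y_OFF])
typedef struct { uint32_t y[Y_LEN]; uint8_t p[256]; uint32_t s; } rcr_state;

static uint32_t rotl32(uint32_t x, unsigned n) {
    n &= 31;
    return n ? (x << n) | (x >> (32 - n)) : x;
}

/* rotate(P): every entry moves one index down and the old P[0] becomes P[255]. */
static void rotate_p(rcr_state *st) {
    uint8_t p0 = st->p[0];
    memmove(st->p, st->p + 1, 255);
    st->p[255] = p0;
}

/* rotate(Y): same for Y[-3..256]; the freshly written Y[-3] becomes Y[256]. */
static void rotate_y(rcr_state *st) {
    uint32_t y0 = st->y[0];
    memmove(st->y, st->y + 1, (Y_LEN - 1) * sizeof st->y[0]);
    st->y[Y_LEN - 1] = y0;
}

static void put_le32(uint8_t *out, uint32_t w) {   /* least significant byte first */
    for (int k = 0; k < 4; k++) out[k] = (uint8_t)(w >> (8 * k));
}

/* One iteration of Algorithm 10.1. out64 = 1 gives RCR-64 (8 bytes),
 * out64 = 0 gives RCR-32 (4 bytes). Returns the number of bytes written. */
static size_t rcr_round(rcr_state *st, int out64, uint8_t *out) {
    size_t n = 0;
    /* steps 1-2: update and rotate P */
    uint8_t j = (uint8_t)(Y(st, 185) & 255);
    uint8_t t = st->p[0]; st->p[0] = st->p[j]; st->p[j] = t;
    rotate_p(st);
    /* steps 3-4: update s; the tweak is the constant, non-zero rotation c = 19 */
    st->s = st->s + Y(st, st->p[72]) - Y(st, st->p[239]);
    st->s = rotl32(st->s, RCR_C);
    /* step 5: first output word, skipped for RCR-32 */
    if (out64) {
        put_le32(out + n, (rotl32(st->s, 25) ^ Y(st, 256)) + Y(st, st->p[26]));
        n += 4;
    }
    /* step 6: second output word */
    put_le32(out + n, (st->s ^ Y(st, -1)) + Y(st, st->p[208]));
    n += 4;
    /* steps 7-8: update and rotate Y */
    Y(st, -3) = (rotl32(st->s, 14) ^ Y(st, -3)) + Y(st, st->p[153]);
    rotate_y(st);
    return n;
}

/* Constructed filler state (assumption): NOT the K/IV setups KS and IVS1 of
 * Sect. 4.2, which this example does not implement. An LCG fills Y and s and
 * a Fisher-Yates shuffle builds P, so the round function can be exercised. */
static void rcr_constructed_state(rcr_state *st, uint32_t seed) {
    uint32_t x = seed;
    for (int i = 0; i < Y_LEN; i++) { x = x * 1664525u + 1013904223u; st->y[i] = x; }
    for (int i = 0; i < 256; i++) st->p[i] = (uint8_t)i;
    for (int i = 255; i > 0; i--) {
        x = x * 1664525u + 1013904223u;
        int k = (int)((x >> 8) % (uint32_t)(i + 1));
        uint8_t t = st->p[i]; st->p[i] = st->p[k]; st->p[k] = t;
    }
    st->s = x * 1664525u + 1013904223u;
}

/* Produce keystream bytes (len is rounded down to whole rounds); returns count. */
static size_t rcr_keystream(rcr_state *st, int out64, uint8_t *ks, size_t len) {
    size_t per = out64 ? 8 : 4, n = 0;
    while (n + per <= len) n += rcr_round(st, out64, ks + n);
    return n;
}

/* RCR-32 only skips step 5, so from the same state its keystream must equal the
 * second word of every RCR-64 round, and the two states must stay identical.
 * Returns 1 if that holds for `rounds` rounds, 0 otherwise. */
static int rcr32_is_second_word_of_rcr64(uint32_t seed, int rounds) {
    rcr_state a, b;
    rcr_constructed_state(&a, seed);
    b = a;
    for (int r = 0; r < rounds; r++) {
        uint8_t o64[8], o32[4];
        rcr_round(&a, 1, o64);
        rcr_round(&b, 0, o32);
        if (memcmp(o64 + 4, o32, 4) != 0) return 0;
    }
    return memcmp(&a, &b, sizeof a) == 0;
}
```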

10.3 Security Analysis

We now present some security analysis of the RCR ciphers. In this analysis, $A^c$ denotes the bitwise complement of $A$. In Sects. 10.3.1 and 10.3.5, we use the notation in Sect. 4.3 with the following differences: (i) the subscripts denoting the key used (in the related-key model) no longer appear, and (ii) the superscripts denoting the round number become subscripts here. Moreover, by $s_r(i)$ and $e_r(i)$ we respectively denote the $i$th bits ($i = 0$ for the LSB) of $s_r$ and $e_r$ (this term is further explained). Section 10.3.2 uses the exact same notation listed in Sect. 4.3. The reason behind the differences in the notation is to accommodate the aforesaid bitwise complement operation.

10.3.1 Resistance to Distinguishers in the Standard Setting

We recall that the KGAs of TPy and TPypy contain weaknesses that were exploited to construct distinguishing attacks on the ciphers. We now list these attacks and reason why they do not work against the RCR ciphers.

1. Attacks by Paul et al. [166]: These attacks apply to TPy. Condition 1 under Theorem 1 of [166] (i.e., $P_2[116] \equiv -18 \pmod{32}$) is no longer useful to mount the same distinguishers on RCR-64. The reason is that c = 19 translates to the event $P_2[116] \equiv 1 \pmod{32}$ in the case of TPy. This event, in turn, does not intuitively appear to produce any other correlation in the keystream. Note that c = 0 translates to the condition $P_2[116] \equiv -18 \pmod{32}$. Therefore, c = 0 is not a safe design choice.

2. Attacks by Crowley [48]: These attacks apply to TPy. The attacks are built around Theorem 1 of [166]. Hence, for the same reason as in point 1, Crowley’s attacks do not work on the RCR-64.

3. Attacks by Sekar et al. [200]: These attacks apply to both TPy and TPypy. Again, condition 1 under Theorem 1 (i.e., $P_2[116] \equiv -18 \pmod{32}$) is no longer useful to mount the same distinguishers on RCR-64 or RCR-32. The reason is that c = 19 translates to the event $P_2[116] \equiv 1 \pmod{32}$ in the case of TPy and TPypy. And, the condition $P_2[116] \equiv -18 \pmod{32}$ is common to all the 144 sets of conditions in [200].

4. Attacks by Sekar et al. [198]: These attacks apply to TPy. Condition 1 under Theorem 1 ($P_1[116] \equiv -18 \pmod{32}$) is no longer useful to mount the same attacks on RCR-64. The reason is that c = 19 translates to the event $P_1[116] \equiv 1 \pmod{32}$ in the case of TPy. (Again, this event does not intuitively appear to produce any other correlation in the keystream.) This leads to another important observation: none of the large number of weaknesses detected in TPy in [198] can be found in RCR-64.

5. Attacks by Tsunoo et al. [219]: These attacks apply to both TPy and TPypy. In Theorem 1 of [219], we again have the condition $P_2[116] \equiv -18 \pmod{32}$. For a similar reason as that in point 2 above (the only difference being a different number of sets of conditions; see Table 1 in [219]), this condition is no longer useful to attack the RCR-64 or the RCR-32.

In Sect. 10.3.5, we elaborate more on the usefulness of the constant rotation of s in precluding distinguishing attacks on the RCR ciphers. Here, it may appear that a constant rotation results in cyclic repetition of s every 32 rounds. However, in each round a 32-bit random value is added to s (see line 3 of Algorithm 10.1) and hence such a cycle, or any short cycle, can only occur with negligible probability.

10.3.2 Resistance to Distinguishers in a Related-Key Setting

The related-key attacks presented in Chapter 4 bear similarities to the attacks in [166]. In these related-key attacks the conditions $P^2_a[116] \equiv -18 \pmod{32}$, $a \in \{1, 2\}$, are no longer useful to mount the same attacks on RCR-64 or RCR-32. The reason is that c = 19 translates to the events $P^2_a[116] \equiv 1 \pmod{32}$, $a \in \{1, 2\}$, in the case of TPy and TPypy. Here again, c = 0 translates to the condition $P^2_2[116] \equiv -18 \pmod{32}$. Hence, c = 0 is not a safe design choice with respect to related-key attacks either.

It may seem that the security of the RCR ciphers is threatened by the unchanged K setup algorithms of TPy and TPypy. However, several weaknesses that we detected in the K setup, in our experiments, were compensated by the heavy mixing in Part-II of the IV setup algorithm IVS1 (see Algorithm 4.5) and the invertibility of IVS1 that eliminates the equivalent-IVs problem of [242].

As a result, we expect that the s generated at the end of the IV setup IVS1 is distributed uniformly at random. Therefore, the outputs generated in the KGA are not expected to be correlated unless we rotate s by a variable term.¹ In the round functions of the ciphers RCR-64 and RCR-32, s is rotated by a constant term and hence the ciphers are expected to be free from any correlations between the outputs.

10.3.3 Resistance to Differential Attacks

The RCR ciphers resist the following powerful differential attacks.

1. Attacks on Py and Pypy by Wu and Preneel [242]: The attacks stem from weaknesses in the (identical) IV setup algorithms of Py and Pypy. Besides detecting equivalent IVs, they also show how some key-dependent information can be recovered. The ciphers TPy and TPypy were specifically designed to rule out these weaknesses. Since the IV setup algorithms of RCR-64 and RCR-32 are identical to those of TPy and TPypy, these differential attacks are no longer applicable to either of the RCR ciphers.

2. Attacks on Py and Pypy by Isobe et al. [100]: Each of these key recovery attacks consists of a so-called “expansion process” and a “compression process” that are executed after recovering a part of the array Y using the analysis presented in [242]. Since the latter analysis is ineffective on the RCR ciphers, so is the analysis by Isobe et al.

¹ Note that this variable term is set to different values at different rounds to construct the attacks.


10.3.4 Resistance to Algebraic Attacks

The RCR-64 and RCR-32 are array-based stream ciphers. The sizes of the internal states of RCR-32 and RCR-64 are 10,400 bits each, which is very large. Together with storing the result of the K setup in a rolling array, a total of 4,164 bytes may be required. Given the thorough mixing of these huge internal states, it appears infeasible to mount algebraic attacks that are otherwise common against LFSR-based stream ciphers that have low footprints.

10.3.5 Effect of Any Non-Zero Constant Rotation

The distinguishing attacks presented in [166] are based on the fact that, when certain conditions on the elements of array P are satisfied, then $s_r(i) = s_{r+2}(j)$.

We now examine the effect of constant rotation (c) in steps 3 and 4 of the KGAs of TPy and TPypy (see Algorithm 4.6). We have from these steps:

$$s_r(i) = \big((s_{r-1} + Y_r[P_r[72]] - Y_r[P_r[239]]) \lll c\big)(i) \qquad (10.1)$$

$$\phantom{s_r(i)} = (s_{r-1} + Y_r[P_r[72]] - Y_r[P_r[239]])(i - c \bmod 32). \qquad (10.2)$$

Let $\xi$ denote $i - c \bmod 32$. Therefore,

$$s_r(i) = s_{r-1}(\xi) \oplus Y_r[P_r[72]](\xi) \oplus Y^c_r[P_r[239]](\xi) \oplus e_r(\xi),$$

where $e$ denotes the carry term generated while linearising (10.2) and $e_r(0) = 1$. Similarly, if $\phi$ denotes $j - c \bmod 32$, we have

$$s_{r+2}(j) = s_{r+1}(\phi) \oplus Y_{r+2}[P_{r+2}[72]](\phi) \oplus Y^c_{r+2}[P_{r+2}[239]](\phi) \oplus e_{r+2}(\phi). \qquad (10.3)$$

Again, we have

$$s_{r+1}(\phi) = s_r(\psi) \oplus Y_{r+1}[P_{r+1}[72]](\psi) \oplus Y^c_{r+1}[P_{r+1}[239]](\psi) \oplus e_{r+1}(\psi), \qquad (10.4)$$

where $\psi$ denotes $\phi - c \bmod 32$, and

$$s_r(\psi) = s_{r-1}(\eta) \oplus Y_r[P_r[72]](\eta) \oplus Y^c_r[P_r[239]](\eta) \oplus e_r(\eta), \qquad (10.5)$$

where $\eta$ denotes $\psi - c \bmod 32$.

Substituting (10.4) and (10.5) in (10.3), we obtain that the expression for $s_r(i) \oplus s_{r+2}(j)$ contains the term $s_{r-1}(\xi) \oplus s_{r-1}(\eta)$. It now follows that if $\xi \neq \eta$, it is very likely that the terms $s_r(i)$ and $s_{r+2}(j)$ are not correlated. Besides, we have a number of $Y$-terms at different bit positions and the terms do not cancel out if $i = j$.

Now, $\eta \equiv j - 3c \pmod{32}$ and $\xi \equiv i - c \pmod{32}$. Hence, when $i = j$, we have $c = 0$ in order that $\xi = \eta$ be satisfied. Thus, with $c = 19$, we expect that there will be no correlations in the output stream that would allow a distinguisher to be built with data complexity less than that of exhaustive search. The constant 19 can be imagined as the replacement of the term P[116] in step 4 of Algorithm 4.6 (see Sect. 4.2) with the constant 1. We chose 1 as the smallest positive constant. Other than this, c = 19 is not influenced by any factors, and any non-zero constant in the place of 19 is expected to work as well.

10.4 Performance Estimates

The software performance of the RCR ciphers was measured by the NESSIE test suite under the NESSIE API for synchronous stream ciphers [158]. Barring TPy6-A, we are not aware of any other stream cipher that improves on the performance of the RCR-64 on the following two platforms.

Intel Pentium III: The speeds of RCR-64 and RCR-32 on the Pentium III are 2.7 cycles/byte and 4.45 cycles/byte, respectively. These figures make them marginally faster than TPy (2.8 cycles/byte) and TPypy (4.58 cycles/byte) respectively. The K setup algorithms of the RCR ciphers are identical and consume about 2,800 cycles each. The IV setup algorithms are also identical and take about 4,400 cycles each.

Intel Core Duo: The speeds of RCR-64 and RCR-32 are 2.32 cycles/byte and 3.82 cycles/byte, respectively. Again, these figures are marginally better than the 2.38 cycles/byte for TPy and the 3.93 cycles/byte for TPypy.

Note: As mentioned in Sect. 10.3.4, the size of the internal state of each of the RCR ciphers is 10,400 bits. However, fast implementations may require several hundreds of additional bytes for the internal state.

10.5 Discussion and Conclusions

In this chapter we presented tweaks of the ciphers TPy and TPypy, namely RCR-64 and RCR-32. Our approach to the design process was motivated by the following three goals.

Design goals:

1: Make modifications that eliminate all the existing attacks against the Py family.

2: Ensure that the performance is improved or is at least not significantly altered.

3: Ensure resistance to all pertinent attack techniques in the literature.


Such a design process may be practical, but a more ideal design process would also try to anticipate new attack techniques. At each stage of the design process, all three goals were simultaneously considered. In the previous sections of this chapter, we have seen how goals 1 and 2 have been accomplished. Given the large number of cryptanalytic results on the Py family (see Table 4.1), indicating detailed studies of the ciphers, the accomplishment of goal 1 gives us good confidence that goal 3 is also accomplished. This confidence is augmented by the apparent infeasibility of mounting algebraic attacks. We therefore conjecture that attacks better than brute force are not possible on the RCR ciphers.

Summing up, the following are the highlights of the RCR ciphers:

• compatibility with very long keys, up to 2048 bits in length,

• extremely high speeds in software, about 1.5 to 3 times faster than RC4 on the Pentium III and Core Duo,

• resistance to a multitude of published attacks on closely related designs,

• a detailed security analysis backing the designs,

• absence of attacks, even certificational ones, since the ciphers were published at INDOCRYPT 2007.

Two similar designs called TPy6-A and TPy6-B are proposed in [197]. The TPy6-A outputs 64 bits every round while the TPy6-B outputs 32 bits. The ciphers were designed by tweaking the cipher TPy6. The software speeds of TPy6-A and TPy6-B are approximately equal to those of RCR-64 and RCR-32, respectively. The design processes and security analyses for the RCR ciphers and the TPy6 tweaks are very similar. The interested reader is referred to [197] for the specifications and the security analysis of these TPy6 tweaks.

In the process of designing the four ciphers, we have made the following three general observations on the analysis and design of symmetric ciphers.

• Design principles for block ciphers at times seem to be hastily applied to stream ciphers: In the KGAs of the RCR ciphers and the Py family, the 32-bit variable s is either rotated (i) using an element of a permutation P, or (ii) by a constant term. Intuitively, these appear to be better design choices when compared to rotating s using an element of Y. This is because a cryptanalyst can more easily impose conditions on Y-terms than on P-terms to control the rotations (e.g., to construct distinguishing attacks similar to the ones presented in Chapter 4). Besides, control is impossible with constants or when the permutation is a constant (such constant permutations are employed in block ciphers). This seems to have motivated the designers to consider using permutation-based rotations. However, only the IP is a constant permutation. This is updated in the IV setup algorithms, using the IV and elements of Y, to yield the P that is used in the first round of the KGAs. The permutation P is then no longer ‘completely uncontrollable’.

• Some analysis techniques that work for block ciphers can misleadingly appear to be useful to analyse stream ciphers: We had mentioned in Sect. 5.1 that Dunkelman had reported an observation on HC-128 that the keystream of the cipher leaks information on the internal state. In the same discussion forum [67], Wu correctly points out that such observations are not useful to analyse stream ciphers because, as noted in Sects. 1.1.1 and 1.1.2, their internal states are updated continuously. This makes it extremely difficult (especially when the update functions are nonlinear) to recover the internal states or mount distinguishing attacks.

• Designers tend to overlook theoretical attacks: In Sect. 1.5.4, we had pointed out that Tsunoo et al. made a significant improvement to a theoretical attack on the stream cipher TPypy by Sekar et al. [200, 219]. In the evolution of TPypy from Py, the distinguishing attacks in [48, 166] were considered in the design process because the attacks had close to practical complexities. The attack in [200] was however overlooked because of its extremely high complexity. Designers often tend to deem such attacks purely certificational and fail to modify their designs to thwart the attacks. Despite the significant improvement in the attack complexity, the attack in [219] is still theoretical. Nevertheless, it would be hasty to assume that a similar significant improvement to this attack is impossible.

10.6 Future Work

Our present work leaves room for interesting problems for future work. The usage of long keys and IVs (e.g., 256-byte keys and 64-byte IVs) in the RCR ciphers makes them good candidates to be used as hash functions. One can also try to combine a MAC and an encryption algorithm in a single primitive using RCR ciphers.


Part IX

Closing Remarks


Chapter 11

Conclusions

In this thesis, we have dealt with the theory and practice of symmetric-key cryptology. Beginning with theory, we discussed Shannon’s notion of perfect secrecy and hash function balance. Next, we presented cryptanalytic results on eight state-of-the-art stream ciphers and four block ciphers, including a couple of very widely deployed government standards. In the later part of the thesis, we presented attacks on a family of CHFs submitted to the ongoing SHA-3 competition and practical attacks on a cryptosystem covered by several patents.

In the theory section, the first contribution of this thesis is highlighting the need for a redefinition of Shannon’s notion of perfect secrecy of a symmetric-key cryptosystem. In arriving at our result, we examine probabilities from a philosophical standpoint. Our next contribution is our finding that there exists no regular hash function, even if one only considers a very small fraction of all possible ways to divide the domain into subsets. Hence, in the birthday attack the attacker can restrict the domain points in such a way that the resulting hash function is not regular. We thereby disagree with Bellare and Kohno’s analysis in [16, 17] of why regular functions perform better than random functions against the birthday attack. If hash functions are modelled as random functions, they are not susceptible to any of the problems with regular functions that are described in our work.

On the cryptanalysis side, one of our main contributions is in the area of block ciphers, where we described novel approaches to meet-in-the-middle attacks and tested them successfully on US and Russian encryption standards. The highlight of these new techniques is that they require very few plaintext-ciphertext pairs and nearly guarantee success in recovering the full secret key. We find these new techniques, and the meet-in-the-middle approach per se, to make a good starting point for analysis of Feistel constructions with simple KSAs.

Our work on stream ciphers was primarily focussed on RC4-like synchronous stream ciphers. This type of stream cipher has been well analysed in recent years in some doctoral theses. In Paul's thesis [163], he says,


“Our investigations affirm that, without certain precautions, any array-based stream cipher can come under distinguishing attacks”.

While we agree with this, it is also important to take note of the efficiencies of recently published distinguishers on this type of cipher (especially the ones with large lookup tables). In this thesis, we have seen that the best distinguishers on TPy, TPypy and HC-256 are of impractical complexities. Besides, RCR-64, RCR-32 and HC-128 have remained unblemished for several years. Among other attacks on this type of stream cipher, cache-timing attacks seem the most prominent and threatening. However, from our literature survey, we find that such attacks have always had strong requirements, such as the availability of noise-free cache-timing measurements.

Therefore, our opinion is that we no longer need to worry about designing a software-efficient synchronous stream cipher that is free from practical as well as major certificational attacks (i.e., those that do not rest on very strong assumptions) while still supporting long keys. This complies, in part, with the following statement of Wu's thesis [240]:

“We are in the era that an extremely strong symmetric key cipher can be designed easily.”

The reason we do not fully agree with Wu's opinion is that we believe secure and efficient self-synchronising stream ciphers are hard to design. In the ECRYPT eSTREAM competition, there were only three self-synchronising ciphers (SSS, Mosquito and Moustique) as opposed to dozens of synchronous ciphers. This reduced interest in designing self-synchronising stream ciphers is because encryption is no longer taking place at a communication layer where there are bit or character losses. At the IP, TCP or application layer, the channels are reliable (no bit losses), hence self-synchronising ciphers are seldom needed. Of the three self-synchronising ciphers submitted to eSTREAM, SSS came under a practical attack, Mosquito under a near-practical attack (both attacks being in the standard setting) and Moustique under a practical attack in a related-key setting (seen in Chapter 6 of this thesis). Consequently, none of them made it to the final portfolio. While the eSTREAM project succeeded in improving the community's know-how on the design of self-synchronising ciphers, there is still a long way ahead.

In this thesis, we have presented highly practical attacks on a cryptosystem that is covered by several national patents and an international patent. The symmetric encryption algorithm in the cryptosystem resembles a stream cipher. This research work reaffirms that it is rather safe to use widely accepted design principles. The patented cryptosystem strikes us as a very good illustration of the following remark made by Preneel in 2002 [171]:


“Cryptography is a fascinating discipline, which tends to attract ‘do-it-yourself’ people, who are not aware of the scientific developments of the last 25 years; their home-made algorithms can typically be broken in a few minutes by an expert”.

The evolution of the RCR ciphers from the cipher Py, which the design part of this thesis discusses, particularly appeals to us as one of the better ways in which the design process of a symmetric-key algorithm should proceed. The RCR ciphers are fast, with RCR-64 requiring only about 2.32 cycles/byte on the Intel Core Duo. Another attractive feature of the RCR ciphers is that they support very long keys, of up to 256 bytes in length. Components of the RCR ciphers (K/IV setups), their forerunners (the Py family), and closely related ciphers (the Py6 family and HC-256) have been studied in detail, and to date no weaknesses have been found.

In the process of designing the RCR ciphers, we have also made some general observations on symmetric cipher analysis and design. Notable ones among these are that: (i) analysis techniques that work for block ciphers can misleadingly appear to be useful for analysing stream ciphers, and (ii) designers of symmetric ciphers tend to overlook certificational weaknesses. We indicate, giving examples, the problems associated with these observations.

A chapter of this thesis has been devoted to the study of the ESSENCE family of CHFs. There, we have presented a semi-free-start collision for 31-round ESSENCE-512, thereby refuting the designer's claim that 24 rounds are sufficient for resistance against differential cryptanalysis. Furthermore, we have presented distinguishing attacks on 14-round block ciphers and have developed them into key recovery attacks. We then showed how the omission of round constants allowed slid pairs and fixed points to be found, and that it is not possible to solve this problem by increasing the number of rounds. We have also suggested some measures to improve the security of ESSENCE. The discussions on hash functions, both on regularity as well as on ESSENCE, are connected with the rest of the thesis. This is because ESSENCE is built around a family of block ciphers and the notion of regularity may be extended to the case of block ciphers too.


Chapter 12

Future Research

A journey of a thousand miles begins with a single step. – Confucius

In addition to the open problems mentioned in Chapters 2–10 of this thesis, we see several larger problems for future work.

• On the cryptanalysis side, a perennial open problem is finding newer attack techniques. Since the start of this doctoral research, several new approaches to cryptanalysis have emerged. Notable examples include the cube attack [63], the rebound attack [141], reflection cryptanalysis [109], the new approach to χ² cryptanalysis presented in [106], the new approaches to meet-in-the-middle attacks presented in Chapter 7, the reflection-meet-in-the-middle attack [99], and the splice-and-cut, partial-fixing and partial-matching techniques [7, 190]. New approaches to differential cryptanalysis of block ciphers, especially to impossible differential cryptanalysis [117], may be a useful direction to proceed.

• RC4 is the most widely used software-oriented synchronous stream cipher. Despite years of cryptanalysis, the cipher is still practically secure. A practical attack on RC4 is, therefore, bound to have profound implications. New or improved attacks on other popular/standardised ciphers such as PANAMA [50], MUGI (an ISO/IEC standard) [229], ORYX (TIA standard) [218], SNOW 2.0 (an ISO/IEC standard) [72] and SNOW 3G (a 3GPP cipher) [2] would also be well received by the community. Cryptanalysis of the eSTREAM finalists [71] also makes an interesting topic for future research.

• As stated earlier, the study of self-synchronising stream ciphers calls for more attention – we require better design principles. We had mentioned in Sect. 1.1.2 that a block cipher in the simplest CFB mode can be transformed into a self-synchronising stream cipher using shift registers. Despite this and the presence of such secure and efficient block ciphers as the AES, it has not been possible to construct a very secure self-synchronising stream cipher. Insufficient motivation to do so, given the compromise one has to make in performance (self-synchronising really only applies to 1-bit CFB mode, and AES in 1-bit CFB mode is 128 times slower than AES in CTR mode or CBC mode), seems an unlikely explanation, as such constructions were in use even in the early '90s [139]. Those who still sought to overcome the inefficiency problem proposed dedicated designs – notably, Mosquito, Moustique and Hiji-bij-bij [189]. However, all three of these ciphers have been broken. This leads us to look towards synchronous stream ciphers. Other than [139], we do not know of any attempt to examine the differences in the design principles of the two types of stream ciphers. One may try to use in self-synchronising stream ciphers the design components (e.g., rolling arrays) employed by some secure synchronous stream ciphers. However, efficiency may then again come into question. Examining the recently proposed pipelined statistical cipher feedback (PSCFB) mode [95] or inventing similar block cipher modes may be interesting directions to proceed in.

• On the design side, it seems possible to push the performance envelope of the RCR ciphers further by doing away with the permutation P, replacing every P-term in the KGAs with a carefully chosen constant. Since steps 1 and 2 of Algorithm 10.1 are thus eliminated, the performance of the RCR ciphers would be drastically improved. Furthermore, the internal state size is reduced, which improves the ciphers' usability in memory-constrained software applications. The execution time of the IV setup algorithm IV S1 would also be reduced significantly. More importantly, our experiments, with constants in place of P-terms in the KGA, reveal that it is easy to make the algorithms immune to the published distinguishing attacks on the Py family. However, we note that extensive additional analysis must be performed as, with the elimination of P, the KGA looks far simpler.

• The design of lightweight cryptographic algorithms has recently caught the attention of the community. The SymLab of the ECRYPT II project is addressing the development of lightweight symmetric algorithms. As already mentioned, lightweight algorithms find use in constrained pervasive devices. Hence, the study and development of such primitives would be worthwhile.
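The 1-bit CFB construction discussed in the third item above, as an added example (code written for this page, not from the thesis): a block cipher is turned into a self-synchronising stream cipher by feeding each ciphertext bit back into a 128-bit shift register, a 1-bit slip on the channel is simulated, and the decryptor is shown to recover on its own after the register has refilled with 128 correct ciphertext bits. The per-bit cost is counted and compared with CTR mode's one block call per 16 bytes, which is where the factor of 128 comes from. Assumptions: the block cipher call is a stand-in (HMAC-SHA256 truncated to 128 bits rather than AES, so the example runs with the standard library alone; CFB uses only the encryption direction, so any keyed function exhibits the same mode behaviour), and the key, IV and plaintext are constructed.

```python
import hashlib
import hmac
import math

BLOCK_BITS = 128                       # AES block size; also the resynchronisation delay in bits
MASK = (1 << BLOCK_BITS) - 1

# Constructed key and IV for the example (not values from the thesis).
KEY = b"constructed-example-key"
IV = int.from_bytes(b"constructed-iv!!", "big")        # 16 bytes = one block


def block_encrypt(key: bytes, block: int) -> int:
    """Stand-in for the forward block-cipher call E_K (assumption: HMAC-SHA256 truncated to
    128 bits instead of AES). CFB never needs the decryption direction, so the mode's
    self-synchronisation and cost behaviour are unchanged by this substitution."""
    data = block.to_bytes(BLOCK_BITS // 8, "big")
    return int.from_bytes(hmac.new(key, data, hashlib.sha256).digest()[:16], "big")


def bytes_to_bits(data: bytes) -> list:
    """Most-significant bit first."""
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def cfb1_encrypt(key: bytes, iv: int, pt_bits: list) -> tuple:
    """1-bit CFB: one block call per plaintext bit. The shift register always holds the
    last 128 ciphertext bits (IV bits until they are shifted out). Returns (ct bits, calls)."""
    reg, out, calls = iv, [], 0
    for p in pt_bits:
        k = block_encrypt(key, reg) >> (BLOCK_BITS - 1)   # leftmost bit of E_K(register)
        calls += 1
        c = p ^ k
        out.append(c)
        reg = ((reg << 1) | c) & MASK                     # feed the *ciphertext* bit back
    return out, calls


def cfb1_decrypt(key: bytes, iv: int, ct_bits: list) -> list:
    """The receiver's register depends only on the last 128 received bits, which is exactly
    what makes the mode self-synchronising after a slip or an inserted/deleted bit."""
    reg, out = iv, []
    for c in ct_bits:
        k = block_encrypt(key, reg) >> (BLOCK_BITS - 1)
        out.append(c ^ k)
        reg = ((reg << 1) | c) & MASK
    return out


def slip_recovery(key: bytes, iv: int, pt_bits: list, drop_index: int) -> dict:
    """Delete ciphertext bit `drop_index` in transit (a 1-bit slip) and measure the damage:
    everything before the slip decrypts correctly, at most BLOCK_BITS bits after it are
    garbled, and from position drop_index + BLOCK_BITS on the plaintext is correct again."""
    ct, _ = cfb1_encrypt(key, iv, pt_bits)
    received = ct[:drop_index] + ct[drop_index + 1:]
    expected = pt_bits[:drop_index] + pt_bits[drop_index + 1:]
    got = cfb1_decrypt(key, iv, received)
    window = slice(drop_index, drop_index + BLOCK_BITS)
    garbled = sum(a != b for a, b in zip(got[window], expected[window]))
    return {
        "prefix_ok": got[:drop_index] == expected[:drop_index],
        "garbled_bits": garbled,
        "resynced": got[drop_index + BLOCK_BITS:] == expected[drop_index + BLOCK_BITS:],
    }


def ctr_block_calls(n_bytes: int) -> int:
    """CTR (and CBC) spend one block call per 16-byte block rather than per bit."""
    return math.ceil(n_bytes / (BLOCK_BITS // 8))


def cost_ratio(n_bytes: int) -> int:
    """Block-cipher calls needed by 1-bit CFB divided by those needed by CTR, same message."""
    pt = bytes(range(n_bytes))                              # constructed plaintext
    _, cfb_calls = cfb1_encrypt(KEY, IV, bytes_to_bits(pt))
    return cfb_calls // ctr_block_calls(n_bytes)


if __name__ == "__main__":
    msg = bytes(range(64))                                  # constructed 64-byte message
    print("slip recovery:", slip_recovery(KEY, IV, bytes_to_bits(msg), drop_index=100))
    print("CFB-1 vs CTR block calls:", cost_ratio(len(msg)))
```

The recovery argument is the one the mode's design relies on: once 128 correct ciphertext bits have been received after the slip, the receiver's register equals the sender's register at the corresponding position, so the keystream bits agree from then on; the cost is that every one of those bits needed its own block-cipher call.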


Bibliography

[1] 3rd Generation Partnership Project. Specification of the 3GPP Confidentiality and Integrity Algorithms; Document 2: KASUMI Specification, 2001. (p. 14.)

[2] 3rd Generation Partnership Project. Specification of the 3GPP Confidentiality and Integrity Algorithms UEA2 & UIA2. Document 2: SNOW 3G Specification, 2006. (p. 177.)

[3] Elena Andreeva. Domain Extenders for Cryptographic Hash Functions. PhD thesis, Katholieke Universiteit Leuven, 2010. (p. 17.)

[4] Anonymous. Thank you Bob Anderson. Cypherpunks mailing list, 1994. Available at http://web.archive.org/web/20080120083537/http://cypherpunks.venona.com/date/1994/09/msg00304.html. (p. 4.)

[5] Anonymous. Team of Universities, Companies and Individual Computer Users Linked Over the Internet Crack RSA's 56-Bit DES Challenge, June 1997. Press Release, RSA Data Security, Inc. Available at http://www.rsa.com/press_release.aspx?id=661. (p. 102.)

[6] Kazumaro Aoki, Jian Guo, Krystian Matusiewicz, Yu Sasaki, and Lei Wang. Preimages for Step-Reduced SHA-2. In ASIACRYPT, pages 578–597, 2009. (p. 105.)

[7] Kazumaro Aoki and Yu Sasaki. Preimage Attacks on One-Block MD4, 63-Step MD5 and More. In Selected Areas in Cryptography, pages 103–119, 2008. (pp. 105 and 177.)

[8] Raymonde Gene Clifford Artus. METHOD AND SYSTEM FOR ENCRYPTION OF DATA. International Patent, May 2009. Available at http://www.wipo.int/pctdb/en/wo.jsp?WO=2009066313. (pp. xiv, 149, 150, 151, 152, 153, 154, 156, 158, and 159.)

[9] Thomas Baigneres, Pascal Junod, and Serge Vaudenay. How Far Can We Go Beyond Linear Cryptanalysis? In Pil Joong Lee, editor, ASIACRYPT, volume 3329 of Lecture Notes in Computer Science, pages 432–450. Springer, 2004. (p. 74.)

[10] Elad Barkan, Eli Biham, and Nathan Keller. Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication. In Dan Boneh, editor, CRYPTO, volume 2729 of Lecture Notes in Computer Science, pages 600–616. Springer, 2003. (p. 153.)

[11] William C. Barker. Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher. NIST Draft Special Publication, 800-67 (Version 1.1), May 2008. Available at http://csrc.nist.gov/publications/nistpubs/800-67/SP800-67.pdf. (p. 14.)

[12] Paulo S. L. M. Barreto and Vincent Rijmen. The Whirlpool Hashing Function. ISO/IEC Standard, 2004. (p. 16.)

[13] Henry Beker and Fred Piper. Cipher Systems: The Protection of Communications. Northwood Books, London, UK, 1982. (p. 18.)

[14] Mihir Bellare, Anand Desai, E. Jokipii, and Phillip Rogaway. A Concrete Security Treatment of Symmetric Encryption. In FOCS, pages 394–403, 1997. (p. 10.)

[15] Mihir Bellare and Tadayoshi Kohno. A Theoretical Treatment of Related-Key Attacks: RKA-PRPs, RKA-PRFs, and Applications. In Eli Biham, editor, EUROCRYPT, volume 2656 of Lecture Notes in Computer Science, pages 491–506. Springer, 2003. (p. 22.)

[16] Mihir Bellare and Tadayoshi Kohno. Hash Function Balance and Its Impact on Birthday Attacks. In Christian Cachin and Jan Camenisch, editors, EUROCRYPT, volume 3027 of Lecture Notes in Computer Science, pages 401–418. Springer, 2004. (pp. 29, 43, 45, 46, and 173.)

[17] Mihir Bellare and Tadayoshi Kohno. Hash Function Balance and Its Impact on Birthday Attacks, 2004. Full Version. Available at http://cseweb.ucsd.edu/~mihir/papers/balance.html. (pp. 43, 44, 45, 46, 48, 54, 55, and 173.)

[18] Robert L. Benson. The Venona Story. Published by the Center for Cryptologic History, National Security Agency, USA, 2001. Available at http://www.nsa.gov/about/_files/cryptologic_heritage/publications/coldwar/venona_story.pdf. (p. 5.)

[19] Daniel J. Bernstein. Related-key attacks: Who cares? Comment on Phorum: ECRYPT forum, June 2005. Available at http://www.ecrypt.eu.org/stream/phorum/read.php?1,23. (p. 22.)

[20] Eli Biham. New Types of Cryptoanalytic Attacks Using related Keys (Extended Abstract). In EUROCRYPT, pages 398–409, 1993. (p. 87.)

[21] Eli Biham. New Types of Cryptanalytic Attacks Using Related Keys. J. Cryptology, 7(4):229–246, 1994. (p. 22.)

[22] Eli Biham and Alex Biryukov. An Improvement of Davies' Attack on DES. In EUROCRYPT, pages 461–467, 1994. (p. 102.)

[23] Eli Biham and Rafi Chen. Near-Collisions of SHA-0. In Matthew K. Franklin, editor, CRYPTO, volume 3152 of Lecture Notes in Computer Science, pages 290–305. Springer, 2004. (p. 140.)

[24] Eli Biham, Orr Dunkelman, and Nathan Keller. A Simple Related-Key Attack on the Full SHACAL-1. In Masayuki Abe, editor, CT-RSA, volume 4377 of Lecture Notes in Computer Science, pages 20–30. Springer, 2007. (p. 22.)

[25] Eli Biham, Orr Dunkelman, and Nathan Keller. Improved Slide Attacks. In Biryukov [32], pages 153–166. (p. 104.)

[26] Eli Biham and Jennifer Seberry. Tweaking the IV Setup of the Py Family of Ciphers - The Ciphers TPy, TPypy, and TPy6. Available at http://www.cs.technion.ac.il/~biham/. (pp. 60 and 163.)


[27] Eli Biham and Jennifer Seberry. Py (Roo): A Fast and Secure Stream Cipher using Rolling Arrays. Technical Report 2005/023, eSTREAM, ECRYPT Stream Cipher Project, 2005. (pp. 7, 59, 60, 75, and 163.)

[28] Eli Biham and Jennifer Seberry. Pypy (Roopy): Another Version of Py. Technical Report 2006/038, eSTREAM, ECRYPT Stream Cipher Project, 2006. (pp. 59 and 60.)

[29] Eli Biham and Adi Shamir. Differential Cryptanalysis of DES-like Cryptosystems. J. Cryptology, 4(1):3–72, 1991. (p. 101.)

[30] Eli Biham and Adi Shamir. Differential Cryptanalysis of the Full 16-Round DES. In Ernest F. Brickell, editor, CRYPTO, volume 740 of Lecture Notes in Computer Science, pages 487–496. Springer, 1992. (p. 101.)

[31] Eli Biham and Adi Shamir. Differential Cryptanalysis of the Data Encryption Standard. Springer, 1993. (p. 101.)

[32] Alex Biryukov, editor. Fast Software Encryption, 14th International Workshop, FSE 2007, Luxembourg, Luxembourg, March 26-28, 2007, Revised Selected Papers, volume 4593 of Lecture Notes in Computer Science. Springer, 2007. (pp. 180 and 187.)

[33] Alex Biryukov and David Wagner. Slide Attacks. In Knudsen [118], pages 245–259. (p. 28.)

[34] Alex Biryukov and David Wagner. Advanced Slide Attacks. In Bart Preneel, editor, EUROCRYPT, volume 1807 of Lecture Notes in Computer Science, pages 589–606. Springer, 2000. (p. 125.)

[35] D. M. Bloom. A Birthday Problem. American Mathematical Monthly, 80:1141–1142, 1973. (p. 45.)

[36] Mike K. Bond. A chosen key difference attack on control vectors. Technical report, Computer Laboratory, University of Cambridge, 2000. Available at http://www.cl.cam.ac.uk/~mkb23/research/CVDif.pdf. (p. 22.)

[37] Antoon Bosselaers and Bart Preneel, editors. Integrity Primitives for Secure Information Systems, Final Report of RACE Integrity Primitives Evaluation RIPE-RACE 1040, volume 1007 of Lecture Notes in Computer Science. Springer, 1995. (pp. 16 and 22.)

[38] Johannes A. Buchmann. Introduction to Cryptography. Springer, second edition, 2004. (p. 46.)

[39] Carolynn Burwick, Don Coppersmith, Edward D'Avignon, Rosario Gennaro, Shai Halevi, Charanjit Jutla, Stephen M. Matyas Jr., Luke O'Connor, Mohammad Peyravian, David Safford, and Nevenko Zunic. MARS – a candidate cipher for AES, September 1999. (p. 14.)

[40] Christian Cachin. Entropy Measures and Unconditional Security in Cryptography. PhD thesis, Swiss Federal Institute of Technology Zurich, 1997. Reprint as vol. 1 of ETH Series in Information Security and Cryptography, ISBN 3-89649-185-7, Hartung-Gorre Verlag, Konstanz, 1997. (p. 45.)

[41] Christophe De Canniere and Christian Rechberger. Finding SHA-1 Characteristics: General Results and Applications. In Lai and Chen [127], pages 1–20. (p. 137.)


[42] J. Lawrence Carter and Mark N. Wegman. Universal Classes of Hash Functions. Journal of Computer and System Sciences, 18(2):143–154, April 1979. (p. 54.)

[43] Donghoon Chang, Kishan Chand Gupta, and Mridul Nandi. RC4-Hash: A New Hash Function Based on RC4. In Rana Barua and Tanja Lange, editors, INDOCRYPT, volume 4329 of Lecture Notes in Computer Science, pages 80–94. Springer, 2006. (p. 22.)

[44] David Chaum and Jan-Hendrik Evertse. Crytanalysis of DES with a Reduced Number of Rounds: Sequences of Linear Factors in Block Ciphers. In Williams [236], pages 192–211. (pp. 101, 105, 106, 107, 109, 120, 127, and 128.)

[45] Vladimor V. Chepyzhov, Thomas Johansson, and Ben J. M. Smeets. A Simple Algorithm for Fast Correlation Attacks on Stream Ciphers. In Schneier [194], pages 181–195. (p. 7.)

[46] Don Coppersmith, Shai Halevi, and Charanjit S. Jutla. Cryptanalysis of Stream Ciphers with Linear Masking. In Yung [245], pages 515–532. (p. 7.)

[47] Nicolas T. Courtois and Gregory V. Bard. Algebraic Cryptanalysis of the Data Encryption Standard. Technical Report 2006/402, Cryptology ePrint Archive, 2006. (pp. 102 and 106.)

[48] Paul Crowley. Improved Cryptanalysis of Py. In SASC 2006 - Stream Ciphers Revisited, pages 52–60, 2006. (pp. 59, 62, 84, 165, and 170.)

[49] Joan Daemen. Cipher and hash function design strategies based on linear and differential cryptanalysis. PhD thesis, Katholieke Universiteit Leuven, 1995. (p. 136.)

[50] Joan Daemen and Craig S. K. Clapp. Fast Hashing and Stream Encryption with PANAMA. In Serge Vaudenay, editor, FSE, volume 1372 of Lecture Notes in Computer Science, pages 60–74. Springer, 1998. (p. 177.)

[51] Joan Daemen and Paris Kitsos. Submission to ECRYPT call for stream ciphers: the self-synchronizing stream cipher Mosquito. Technical Report 2005/018, eSTREAM, ECRYPT Stream Cipher Project, 2005. (p. 87.)

[52] Joan Daemen and Paris Kitsos. The self-synchronizing stream cipher Moustique. Technical report, eSTREAM, ECRYPT Stream Cipher Project, June 2006. Available at http://www.ecrypt.eu.org/stream/mosquitop3.html. (pp. 87 and 89.)

[53] Joan Daemen, Joseph Lano, and Bart Preneel. Chosen Ciphertext Attack on SSS. Technical Report 2005/044, eSTREAM, ECRYPT Stream Cipher Project, 2005. (p. 87.)

[54] Joan Daemen and Vincent Rijmen. The Design of Rijndael: AES - The Advanced Encryption Standard. Springer, 2002. (p. 12.)

[55] Ivan Damgard. A Design Principle for Hash Functions. In Gilles Brassard, editor, CRYPTO, volume 435 of Lecture Notes in Computer Science, pages 416–427. Springer, 1989. (pp. 16 and 17.)

[56] Donald W. Davies. Investigation of a Potential Weakness in the DES Algorithm, 1987. Private Communications. (p. 101.)


[57] Donald W. Davies and Sean Murphy. Pairs and Triplets of DES S-Boxes. J. Cryptology, 8(1):1–25, 1995. (p. 102.)

[58] Bruno de Finetti. Sul significato soggettivo della probabilita. Fundamenta Mathematicae, 17:298–329, 1931. (p. 197.)

[59] Bruno de Finetti. La prevision: ses lois logiques, ses sources subjectives; Foresight: its Logical Laws, its Subjective Sources (English edition). Annales de l'Institut Henri Poincare, 7:1–68, 1937 (original work), 1964 (English edition). (p. 197.)

[60] Karl de Leeuw. The Dutch Invention of the Rotor Machine, 1915–1923. Cryptologia, 27(1):73–94, 2003. (p. 7.)

[61] Whitfield Diffie and Martin E. Hellman. New Directions in Cryptography. IEEE Transactions on Information Theory, 22:644–654, 1976. (p. 153.)

[62] Whitfield Diffie and Martin E. Hellman. Exhaustive Cryptanalysis of the NBS Data Encryption Standard. Computer, 10(6):74–84, 1977. (p. 104.)

[63] Itai Dinur and Adi Shamir. Cube Attacks on Tweakable Black Box Polynomials. In Joux [102], pages 278–299. (p. 177.)

[64] Itai Dinur and Adi Shamir. Side Channel Cube Attacks on Block Ciphers. Technical Report 2009/127, Cryptology ePrint Archive, 2009. (p. 215.)

[65] Hans Dobbertin, Antoon Bosselaers, and Bart Preneel. RIPEMD-160: A Strengthened Version of RIPEMD. In Gollmann [86], pages 71–82. (p. 16.)

[66] Arnold I. Dumey. Indexing for Rapid Random Access Memory Systems. Computers and Automation, 5(12):6–9, December 1956. First paper in open literature on hashing. First use of hashing by taking the modulus of division by a prime number. Mentions chaining for collision handling, but not open addressing. See Ershov, 1958 for the latter. (p. 53.)

[67] Orr Dunkelman. A Small Observation on HC-128. Comment on Phorum: ECRYPT forum. (pp. 75, 76, and 170.)

[68] Orr Dunkelman, Gautham Sekar, and Bart Preneel. Improved Meet-in-the-Middle Attacks on Reduced-Round DES. In Srinathan et al. [210], pages 86–100. (pp. 27 and 28.)

[69] Stefan Dziembowski and Krzysztof Pietrzak. Leakage-Resilient Cryptography. In FOCS, pages 293–302. IEEE Computer Society, 2008. (p. 217.)

[70] ECRYPT. European Network of Excellence in Cryptology II. Available at http://www.ecrypt.eu.org/. (p. 26.)

[71] ECRYPT. The eSTREAM Project. Available at http://www.ecrypt.eu.org/stream/. (pp. 13, 26, 59, 97, and 177.)

[72] Patrik Ekdahl and Thomas Johansson. A New Version of the Stream Cipher SNOW. In Kaisa Nyberg and Howard M. Heys, editors, Selected Areas in Cryptography, volume 2595 of Lecture Notes in Computer Science, pages 47–61. Springer, 2002. (p. 177.)

[73] Electronic Frontier Foundation. Cracking DES, Secrets of Encryption Research, Wiretap Politics & Chip Design. O'Reilly Media, 1998. (p. 102.)

[74] Horst Feistel. Cryptography and Computer Privacy. Scientific American, 228(5):15–23, May 1973. (p. 13.)


[75] William Feller. An Introduction to Probability Theory and its Applications. John Wiley & Sons, New York, USA, 1950. (p. 45.)

[76] Niels Ferguson, Doug Whiting, Bruce Schneier, John Kelsey, Stefan Lucks, and Tadayoshi Kohno. Helix: Fast Encryption and Authentication in a Single Cryptographic Primitive. In Thomas Johansson, editor, FSE, volume 2887 of Lecture Notes in Computer Science, pages 330–346. Springer, 2003. (p. 8.)

[77] Amos Fiat and Adi Shamir. How to Prove Yourself: Practical Solutions to Identification and Signature Problems. In Andrew M. Odlyzko, editor, CRYPTO, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer, 1986. (p. 46.)

[78] Scott R. Fluhrer, Itsik Mantin, and Adi Shamir. Weaknesses in the Key Scheduling Algorithm of RC4. In Serge Vaudenay and Amr M. Youssef, editors, Selected Areas in Cryptography, volume 2259 of Lecture Notes in Computer Science, pages 1–24. Springer, 2001. (pp. 4 and 22.)

[79] Scott R. Fluhrer and David A. McGrew. Statistical Analysis of the Alleged RC4 Keystream Generator. In Schneier [194], pages 19–30. (p. 4.)

[80] David A. Freedman. Notes on the Dutch Book Argument, 2003. Available at http://www.stat.berkeley.edu/~census/dutchdef.pdf. (p. 197.)

[81] Ian Goldberg, David Wagner, and L. Green. The (Real-Time) Cryptanalysis of A5/2, 2010. Presented at the rump session of CRYPTO 1999. (p. 153.)

[82] Shafi Goldwasser and Mihir Bellare. Lecture Notes on Cryptography, 2008. Available at http://cseweb.ucsd.edu/~mihir/papers/gb.pdf. (p. 46.)

[83] Jovan Dj. Golic. Towards Fast Correlation Attacks on Irregularly Clocked Shift Registers. In EUROCRYPT, pages 248–262, 1995. (p. 7.)

[84] Jovan Dj. Golic. Linear Models for Keystream Generators. IEEE Trans. Computers, 45(1):41–49, 1996. (p. 7.)

[85] Jovan Dj. Golic. Linear Statistical Weakness of Alleged RC4 Keystream Generator. In EUROCRYPT, pages 226–238, 1997. (p. 4.)

[86] Dieter Gollmann, editor. Fast Software Encryption, Third International Workshop, Cambridge, UK, February 21-23, 1996, Proceedings, volume 1039 of Lecture Notes in Computer Science. Springer, 1996. (pp. 183 and 186.)

[87] Markus Grassl. Tables of Linear Codes and Quantum Codes, June 2008. Available at http://www.codetables.de/. (p. 145.)

[88] Aaron Grothe. Kernel v2.6.14 tea.c. Linux Headquarters, 2004. Available at http://www.linuxhq.com/kernel/v2.6/14/crypto/tea.c. (p. 103.)

[89] Jacques Hadamard. Resolution d'une question relative aux determinants. Bulletin des Sciences Mathematiques, 17:240–246, 1893. (p. 200.)

[90] Alan Hajek. The Reference Class Problem is Your Problem Too. Synthese, 156(3):563–585, 2006. (pp. 41 and 197.)

[91] Alan Hajek. Interpretations of Probability. Stanford Encyclopedia of Philosophy, December 2009. Available at http://plato.stanford.edu/entries/probability-interpret/. (p. 41.)


[92] Helena Handschuh and Henri Gilbert. χ² Cryptanalysis of the SEAL Encryption Algorithm. In Eli Biham, editor, FSE, volume 1267 of Lecture Notes in Computer Science, pages 1–12. Springer, 1997. (p. 25.)

[93] Helena Handschuh, Lars R. Knudsen, and Matthew J. B. Robshaw. Analysis of SHA-1 in Encryption Mode. In David Naccache, editor, CT-RSA, volume 2020 of Lecture Notes in Computer Science, pages 70–83. Springer, 2001. (p. 22.)

[94] Helena Handschuh and David Naccache. SHACAL. In First NESSIE Workshop, Leuven, Belgium, 2000. (p. 22.)

[95] Howard M. Heys and Liang Zhang. Pipelined Statistical Cipher Feedback: A New Mode for High Speed Self-Synchronizing Stream Encryption. IEEE Transactions on Computers, 99(PP), 2010. (p. 178.)

[96] Deukjo Hong, Bonwook Koo, and Yu Sasaki. Improved Preimage Attack for 68-Step HAS-160. In ICISC, pages 332–348, 2009. (p. 105.)

[97] Seokhie Hong, Deukjo Hong, Youngdai Ko, Donghoon Chang, Wonil Lee, and Sangjin Lee. Differential Cryptanalysis of TEA and XTEA. In ICISC, pages 402–417, 2003. (pp. 104 and 120.)

[98] Sebastiaan Indesteege, Nathan Keller, Orr Dunkelman, Eli Biham, and Bart Preneel. A Practical Attack on KeeLoq. In Nigel P. Smart, editor, EUROCRYPT, volume 4965 of Lecture Notes in Computer Science, pages 1–18. Springer, 2008. (pp. 104 and 150.)

[99] Takanori Isobe. A Single-Key Attack on the Full GOST Block Cipher, 2011. To appear. (pp. 104 and 177.)

[100] Takanori Isobe, Toshihiro Ohigashi, Hidenori Kuwakado, and Masakatu Morii. How to Break Py and Pypy by a Chosen-IV Attack. Technical Report 2006/060, eSTREAM, ECRYPT Stream Cipher Project, 2006. (pp. 60, 62, and 166.)

[101] Thomas Johansson and Fredrik Jonsson. Fast Correlation Attacks through Reconstruction of Linear Polynomials. In Mihir Bellare, editor, CRYPTO, volume 1880 of Lecture Notes in Computer Science, pages 300–315. Springer, 2000. (p. 7.)

[102] Antoine Joux, editor. Advances in Cryptology - EUROCRYPT 2009, 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cologne, Germany, April 26-30, 2009. Proceedings, volume 5479 of Lecture Notes in Computer Science. Springer, 2009. (pp. 183 and 190.)

[103] Antoine Joux. Algorithmic Cryptanalysis. Chapman & Hall / CRC Press, 2009. (p. 46.)

[104] Antoine Joux and Frederic Muller. Chosen-Ciphertext Attacks Against MOSQUITO. In Robshaw [181], pages 390–404. (pp. 87 and 90.)

[105] Antoine Joux and Thomas Peyrin. Hash Functions and the (Amplified) Boomerang Attack. In Alfred Menezes, editor, CRYPTO, volume 4622 of Lecture Notes in Computer Science, pages 244–263. Springer, 2007. (p. 140.)

[106] Jorge Nakahara Jr., Gautham Sekar, Daniel Santana de Freitas, Chang Chiann, Ramon Hugo de Souza, and Bart Preneel. A New Approach to χ² Cryptanalysis of Block Ciphers. In Pierangela Samarati, Moti Yung, Fabio Martinelli, and Claudio Agostino Ardagna, editors, ISC, volume 5735 of Lecture Notes in Computer Science, pages 1–16. Springer, 2009. (pp. 25, 28, and 177.)


[107] Robert J. Jenkins Jr. ISAAC. In Gollmann [86], pages 41–49. (p. 75.)

[108] Jens-Peter Kaps. Chai-Tea, Cryptographic Hardware Implementations of xTEA. In INDOCRYPT, pages 363–375, 2008. (p. 103.)

[109] Orhun Kara. Reflection Cryptanalysis of Some Ciphers. In Dipanwita Roy Chowdhury, Vincent Rijmen, and Abhijit Das, editors, INDOCRYPT, volume 5365 of Lecture Notes in Computer Science, pages 294–307. Springer, 2008. (pp. 104 and 177.)

[110] Emilia Kasper, Vincent Rijmen, Tor E. Bjørstad, Christian Rechberger, Matthew J. B. Robshaw, and Gautham Sekar. Correlated Keystreams in Moustique. In Serge Vaudenay, editor, AFRICACRYPT, volume 5023 of Lecture Notes in Computer Science, pages 246–257. Springer, 2008. (pp. 27 and 28.)

[111] John Kelsey, Bruce Schneier, and David Wagner. Key-Schedule Cryptoanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES. In Neal Koblitz, editor, CRYPTO, volume 1109 of Lecture Notes in Computer Science, pages 237–251. Springer, 1996. (pp. 22 and 103.)

[112] John Kelsey, Bruce Schneier, and David Wagner. Related-key cryptanalysis of3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA. In Yongfei Han,Tatsuaki Okamoto, and Sihan Qing, editors, ICICS, volume 1334 of Lecture Notesin Computer Science, pages 233–246. Springer, 1997. (pp. 22 and 103.)

[113] Vlastimil Klima. Tunnels in Hash Functions: MD5 Collisions Within a Minute.Technical Report 2006/105, Cryptology ePrint Archive, 2006. (p. 140.)

[114] Lars R. Knudsen. Cryptanalysis of LOKI. In Hideki Imai, Ronald L. Rivest,and Tsutomu Matsumoto, editors, ASIACRYPT, volume 739 of Lecture Notes inComputer Science, pages 22–35. Springer, 1991. (p. 22.)

[115] Lars R. Knudsen. Cryptanalysis of LOKI91. In Jennifer Seberry and YuliangZheng, editors, AUSCRYPT, volume 718 of Lecture Notes in Computer Science,pages 196–208. Springer, 1992. (p. 22.)

[116] Lars R. Knudsen. A Key-schedule Weakness in SAFER K-64. In Don Coppersmith,editor, CRYPTO, volume 963 of Lecture Notes in Computer Science, pages 274–286.Springer, 1995. (p. 22.)

[117] Lars R. Knudsen. DEAL - A 128-bit Block Cipher. Technical Report 151, Universityof Bergen, Norway, February 1998. Available at http://www2.mat.dtu.dk/people/Lars.R.Knudsen/newblock.html. (p. 177.)

[118] Lars R. Knudsen, editor. Fast Software Encryption, 6th International Workshop,FSE ’99, Rome, Italy, March 24-26, 1999, Proceedings, volume 1636 of LectureNotes in Computer Science. Springer, 1999. (pp. 181 and 193.)

[119] Lars R. Knudsen and Willi Meier. Correlations in RC6 with a Reduced Number ofRounds. In Schneier [194], pages 94–108. (p. 25.)

[120] Lars R. Knudsen, Willi Meier, Bart Preneel, Vincent Rijmen, and Sven Verdoolaege.Analysis Methods for (Alleged) RC4. In Kazuo Ohta and Dingyi Pei, editors,ASIACRYPT, volume 1514 of Lecture Notes in Computer Science, pages 327–341.Springer, 1998. (p. 4.)

[121] Neal Koblitz. Elliptic curve cryptosystems. Mathematics of Computation, 48:203–209, 1987. (pp. 4 and 153.)

[122] Tadayoshi Kohno. Analysis of the WinZip encryption method. Technical Report 2004/078, Cryptology ePrint Archive, 2004. (p. 5.)

[123] Alan G. Konheim. Computer Security and Cryptography. John Wiley & Sons, Hoboken, New Jersey, USA, 2007. (p. 13.)

[124] Sandeep Kumar, Christof Paar, Jan Pelzl, Gerd Pfeiffer, and Manfred Schimmler. Breaking Ciphers with COPACOBANA - A Cost-Optimized Parallel Code Breaker. In Louis Goubin and Mitsuru Matsui, editors, CHES, volume 4249 of Lecture Notes in Computer Science, pages 101–118. Springer, 2006. (p. 102.)

[125] Sebastien Kunz-Jacques and Frederic Muller. New Improvements of Davies-Murphy Cryptanalysis. In Bimal K. Roy, editor, ASIACRYPT, volume 3788 of Lecture Notes in Computer Science, pages 425–442. Springer, 2005. (p. 102.)

[126] Simon Kunzli and Willi Meier. Distinguishing Attack on MAG. Technical Report 2005/053, Cryptology ePrint Archive, 2005. (p. 25.)

[127] Xuejia Lai and Kefei Chen, editors. Advances in Cryptology - ASIACRYPT 2006, 12th International Conference on the Theory and Application of Cryptology and Information Security, Shanghai, China, December 3-7, 2006, Proceedings, volume 4284 of Lecture Notes in Computer Science. Springer, 2006. (pp. 181 and 189.)

[128] Pierre-Simon Laplace. Essai philosophique sur les probabilités; A Philosophical Essay on Probabilities (English edition). Dover Publications, Inc., New York, USA, 1814 (original work), 1951 (English edition). (p. 197.)

[129] Gregor Leander, Christof Paar, Axel Poschmann, and Kai Schramm. New Lightweight DES Variants. In Biryukov [32], pages 196–210. (p. 31.)

[130] Michael Luby and Charles Rackoff. How to Construct Pseudorandom Permutations from Pseudorandom Functions. SIAM J. Comput., 17(2):373–386, 1988. (p. 13.)

[131] Stefan Lucks. Ciphers Secure against Related-Key Attacks. In Roy and Meier [185], pages 359–370. (p. 22.)

[132] Subhamoy Maitra, Goutam Paul, and Shashwat Raizada. Some Observations on HC-128. Technical Report 2008/499, Cryptology ePrint Archive, 2008. Also appears in the pre-proceedings of the International Workshop on Coding Theory and Cryptography, 2009. (p. 76.)

[133] Itsik Mantin and Adi Shamir. A Practical Attack on Broadcast RC4. In Mitsuru Matsui, editor, FSE, volume 2355 of Lecture Notes in Computer Science, pages 152–164. Springer, 2001. (pp. 4 and 7.)

[134] Jason Worth Martin. ESSENCE: A Family of Cryptographic Hashing Algorithms. Submitted to the NIST SHA-3 hash function competition. Available at http://www.math.jmu.edu/~martin/essence/Supporting_Documentation/essence_compression.pdf. (pp. 133, 134, and 140.)

[135] Jason Worth Martin. Personal Communication, 2009. (p. 142.)

[136] James L. Massey. An Introduction to Contemporary Cryptology. Proceedings of the IEEE, 76(5):533–549, May 1988. (p. 15.)

[137] Mitsuru Matsui. Linear Cryptanalysis Method for DES Cipher. In EUROCRYPT, pages 386–397, 1993. (pp. 21, 93, 102, and 142.)

[138] Mitsuru Matsui, Junko Nakajima, and Shiho Moriai. A Description of the Camellia Encryption Algorithm. RFC 3713, April 2004. Available at http://tools.ietf.org/html/rfc3713. (p. 14.)

[139] Ueli M. Maurer. New Approaches to the Design of Self-Synchronizing Stream Ciphers. In EUROCRYPT, pages 458–471, 1991. (p. 178.)

[140] David A. McGrew and John Viega. The Security and Performance of the Galois/Counter Mode (GCM) of Operation. In Anne Canteaut and Kapalee Viswanathan, editors, INDOCRYPT, volume 3348 of Lecture Notes in Computer Science, pages 343–355. Springer, 2004. (p. 12.)

[141] Florian Mendel, Christian Rechberger, Martin Schlaffer, and Søren S. Thomsen. The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl. In Orr Dunkelman, editor, FSE, volume 5665 of Lecture Notes in Computer Science, pages 260–276. Springer, 2009. (p. 177.)

[142] Alfred Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1996. (pp. 19 and 133.)

[143] Ralph C. Merkle. Secrecy, authentication, and public key systems. PhD thesis, Stanford University, 1979. (p. 16.)

[144] Microchip Technology, Inc. KeeLoq Authentication Products, 2009. Available at http://www.microchip.com/keeloq/. (p. 150.)

[145] Miodrag J. Mihaljevic, Marc P. C. Fossorier, and Hideki Imai. A Low-Complexity and High-Performance Algorithm for the Fast Correlation Attack. In Schneier [194], pages 196–212. (p. 7.)

[146] Victor S. Miller. Use of Elliptic Curves in Cryptography. In Williams [236], pages 417–426. (pp. 4 and 153.)

[147] Dukjae Moon, Kyungdeok Hwang, Wonil Lee, Sangjin Lee, and Jongin Lim. Impossible Differential Cryptanalysis of Reduced Round XTEA and TEA. In FSE, pages 49–60, 2002. (p. 104.)

[148] Gordon E. Moore. Cramming more components onto integrated circuits. Electronics, 38(8), 1965. (p. 16.)

[149] Nicky Mouha, Gautham Sekar, Jean-Philippe Aumasson, Thomas Peyrin, Søren S. Thomsen, Meltem Sonmez Turan, and Bart Preneel. Cryptanalysis of the ESSENCE Family of Hash Functions. In Feng Bao, Moti Yung, Dongdai Lin, and Jiwu Jing, editors, Inscrypt, volume 6151 of Lecture Notes in Computer Science, pages 15–34. Springer, 2009. (p. 28.)

[150] Nicky Mouha, Gautham Sekar, and Bart Preneel. Challenging the Increased Resistance of Regular Hash Functions Against Birthday Attacks. In submission. (p. 28.)

[151] National Bureau of Standards. Data Encryption Standard. Federal Information Processing Standards, 46(1), January 1977. (pp. 12, 107, and 108.)

[152] National Institute of Standards and Technology. Secure Hash Standard. Federal Information Processing Standards, 180(1), 1995. (p. 16.)

[153] National Institute of Standards and Technology. Secure Hash Standard. Federal Information Processing Standards, 180(2), 2002. (p. 16.)

[154] National Institute of Standards and Technology. Announcing Request for Candidate Algorithm Nominations for a New Cryptographic Hash Algorithm (SHA-3) Family. Federal Register, 27(212):62212–62220, November 2007. Available at http://csrc.nist.gov/groups/ST/hash/documents/FR_Notice_Nov07.pdf. (pp. 26 and 45.)

[155] María Naya-Plasencia, Andrea Röck, Jean-Philippe Aumasson, Yann Laigle-Chapuy, Gaëtan Leurent, Willi Meier, and Thomas Peyrin. Cryptanalysis of ESSENCE. In Seokhie Hong and Tetsu Iwata, editors, FSE, volume 6147 of Lecture Notes in Computer Science, pages 134–152. Springer, 2010. (p. 134.)

[156] Roger M. Needham and David J. Wheeler. Tea extensions. Technical report, Computer Laboratory, University of Cambridge, October 1997. Available at http://www.cix.co.uk/~klockstone/xtea.pdf. (pp. 103 and 115.)

[157] Roger M. Needham and David J. Wheeler. Correction to xtea. Technical report, Computer Laboratory, University of Cambridge, October 1998. Available at http://www.movable-type.co.uk/scripts/xxtea.pdf. (p. 103.)

[158] NESSIE. New European Schemes for Signature, Integrity and Encryption. Available at http://www.cryptonessie.org. (p. 168.)

[159] Ankush Nigam, Gautham Sekar, and Bart Preneel. Optimised Software Implementation of the Compression Functions of the RUSH Family of Cryptographic Hash Functions. Technical report, COSIC internal, 2009. (p. 61.)

[160] Thomas S. Nunnikhoven. A Birthday Problem Solution for Nonuniform Birth Frequencies. The American Statistician, 46(4):270–274, November 1992. (p. 45.)

[161] Rune Steinsmo Ødegård and Danilo Gligoroski. On the Randomness and Regularity of Reduced EDON-R Compression Function. Technical Report 2009/234, Cryptology ePrint Archive, 2009. (p. 46.)

[162] Kenneth G. Paterson and Arnold K. L. Yau. Cryptography in Theory and Practice: The Case of Encryption in IPsec. In Serge Vaudenay, editor, EUROCRYPT, volume 4004 of Lecture Notes in Computer Science, pages 12–29. Springer, 2006. (p. 18.)

[163] Souradyuti Paul. Cryptanalysis of Stream Ciphers Based on Arrays and Modular Addition. PhD thesis, Katholieke Universiteit Leuven, 2006. (pp. 6, 25, and 173.)

[164] Souradyuti Paul and Bart Preneel. A New Weakness in the RC4 Keystream Generator and an Approach to Improve the Security of the Cipher. In Roy and Meier [185], pages 245–259. (p. 4.)

[165] Souradyuti Paul and Bart Preneel. On the (In)security of Stream Ciphers Based on Arrays and Modular Addition. In Lai and Chen [127], pages 69–83. (pp. 59 and 62.)

[166] Souradyuti Paul, Bart Preneel, and Gautham Sekar. Distinguishing Attacks on the Stream Cipher Py. In Robshaw [181], pages 405–421. (pp. 28, 59, 62, 74, 84, 165, 166, 167, and 170.)

[167] Raphael Chung-Wei Phan and Helena Handschuh. On Related-Key and Collision Attacks: The Case for the IBM 4758 Cryptoprocessor. In Kan Zhang and Yuliang Zheng, editors, ISC, volume 3225 of Lecture Notes in Computer Science, pages 111–122. Springer, 2004. (pp. 22 and 31.)

[168] Josef Pieprzyk and Leonid Tombak. Soviet Encryption Algorithm, 1994. Translated from Russian. Available at http://freeworld.thc.org/root/phun/stego-challenge/gost-spec.pdf. (pp. 103 and 125.)

[169] Krzysztof Pietrzak. A Leakage-Resilient Mode of Operation. In Joux [102], pages 462–482. (p. 217.)

[170] Bart Preneel. Analysis and Design of Cryptographic Hash Functions. PhD thesis, Katholieke Universiteit Leuven, 1993. (p. 17.)

[171] Bart Preneel. The NESSIE Project: Towards New Cryptographic Algorithms. Proceedings of Information Security Applications, 3rd International Workshop, WISA 2002, 2002. Available at http://www.cosic.esat.kuleuven.be/publications/article-439.pdf. (p. 174.)

[172] Yu. V. Prokhorov. A Posteriori Distribution. Encyclopaedia of Mathematics, 1, 1987. (p. 198.)

[173] Jean-Jacques Quisquater and Jean-Paul Delescaille. How Easy is Collision Search? Application to DES (Extended Summary). In EUROCRYPT, pages 429–434, 1989. (p. 43.)

[174] Havard Raddum and Igor Semaev. New Technique for Solving Sparse Equation Systems. Technical Report 2006/475, Cryptology ePrint Archive, 2006. (p. 102.)

[175] Norman Ramsey and Avi Pfeffer. Stochastic lambda calculus and monads of probability distributions. In 29th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL), pages 154–165. ACM, 2002. (p. 39.)

[176] Ronald L. Rivest. The MD4 Message-Digest Algorithm. RFC 1186, April 1992. Available at http://tools.ietf.org/html/rfc1320. (p. 16.)

[177] Ronald L. Rivest. The MD5 Message-Digest Algorithm. RFC 1321, April 1992. Available at http://www.ietf.org/rfc/rfc1321.txt. (p. 16.)

[178] Ronald L. Rivest. Chaffing and Winnowing: Confidentiality without Encryption, April 1998. Available at http://people.csail.mit.edu/rivest/Chaffing.txt. (pp. 151 and 153.)

[179] Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Commun. ACM, 21(2):120–126, 1978. (pp. 4 and 153.)

[180] Matthew J. B. Robshaw. The eSTREAM Project. Seminar talk at SPEED 2007. (p. 8.)

[181] Matthew J. B. Robshaw, editor. Fast Software Encryption, 13th International Workshop, FSE 2006, Graz, Austria, March 15-17, 2006, Revised Selected Papers, volume 4047 of Lecture Notes in Computer Science. Springer, 2006. (pp. 185 and 189.)

[182] Matthew J. B. Robshaw and Olivier Billet, editors. New Stream Cipher Designs - The eSTREAM Finalists, volume 4986 of Lecture Notes in Computer Science. Springer, 2008. (pp. 26 and 194.)

[183] Phillip Rogaway, Mihir Bellare, and John Black. OCB: A block-cipher mode of operation for efficient authenticated encryption. ACM Trans. Inf. Syst. Secur., 6(3):365–403, 2003. (p. 12.)

[184] Gregory Rose, Philip Hawkes, Michael Paddon, and Miriam Wiggers de Vries. Primitive Specification for SSS. Technical Report 2005/028, eSTREAM, ECRYPT Stream Cipher Project, 2005. (p. 87.)

[185] Bimal K. Roy and Willi Meier, editors. Fast Software Encryption, 11th International Workshop, FSE 2004, Delhi, India, February 5-7, 2004, Revised Papers, volume 3017 of Lecture Notes in Computer Science. Springer, 2004. (pp. 187, 189, and 194.)

[186] Rainer A. Rueppel. New Approaches to Stream Ciphers. PhD thesis, Swiss Federal Institute of Technology Zurich, 1984. (p. 8.)

[187] Markku-Juhani Olavi Saarinen. A chosen key attack against the secret S-boxes of GOST, 1998. Available at http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.41.5532. (p. 125.)

[188] Markku-Juhani Olavi Saarinen. Cryptanalysis of Block TEA, October 1998. Available at http://groups.google.com/group/sci.crypt.research/msg/f52a533d1e2fa15e. (p. 103.)

[189] Palash Sarkar. Hiji-bij-bij: A New Stream Cipher with a Self-synchronizing Mode of Operation. In Thomas Johansson and Subhamoy Maitra, editors, INDOCRYPT, volume 2904 of Lecture Notes in Computer Science, pages 36–51. Springer, 2003. (p. 178.)

[190] Yu Sasaki and Kazumaro Aoki. Preimage Attacks on 3, 4, and 5-Pass HAVAL. In Josef Pieprzyk, editor, ASIACRYPT, volume 5350 of Lecture Notes in Computer Science, pages 253–271. Springer, 2008. (p. 177.)

[191] Yu Sasaki and Kazumaro Aoki. Finding Preimages in Full MD5 Faster Than Exhaustive Search. In EUROCRYPT, pages 134–152, 2009. (p. 105.)

[192] Bruce Schneier. Description of a New Variable-Length Key, 64-bit Block Cipher (Blowfish). In Ross J. Anderson, editor, FSE, volume 809 of Lecture Notes in Computer Science, pages 191–204. Springer, 1993. (p. 14.)

[193] Bruce Schneier. Applied Cryptography. John Wiley & Sons, second edition, January 1996. (p. 18.)

[194] Bruce Schneier, editor. Fast Software Encryption, 7th International Workshop, FSE 2000, New York, NY, USA, April 10-12, 2000, Proceedings, volume 1978 of Lecture Notes in Computer Science. Springer, 2001. (pp. 182, 184, 186, and 188.)

[195] Gautham Sekar, Nicky Mouha, and Bart Preneel. Meet-in-the-Middle Attacks on Reduced-Round GOST. Technical Report ISO/IEC JTC 1/SC 27 N8875, 40th meeting of the ISO/IEC SC 27/WG 2, April 2010. Belgian national body contribution. (pp. 27 and 28.)

[196] Gautham Sekar, Nicky Mouha, Vesselin Velichkov, and Bart Preneel. Meet-in-the-Middle Attacks on Reduced-Round XTEA. In Aggelos Kiayias, editor, CT-RSA, volume 6558 of Lecture Notes in Computer Science, pages 250–267. Springer, 2011. (pp. 27 and 28.)

[197] Gautham Sekar, Souradyuti Paul, and Bart Preneel. New Attacks on the Stream Cipher TPy6 and Design of New Ciphers the TPy6-A and the TPy6-B. In Stefan Lucks, Ahmad-Reza Sadeghi, and Christopher Wolf, editors, WEWoRC, volume 4945 of Lecture Notes in Computer Science, pages 127–141. Springer, 2007. (pp. 27, 28, 60, 62, and 169.)

[198] Gautham Sekar, Souradyuti Paul, and Bart Preneel. New Weaknesses in the Keystream Generation Algorithms of the Stream Ciphers TPy and Py. In Juan A. Garay, Arjen K. Lenstra, Masahiro Mambo, and Rene Peralta, editors, ISC, volume 4779 of Lecture Notes in Computer Science, pages 249–262. Springer, 2007. (pp. 27, 28, 60, 62, and 165.)

[199] Gautham Sekar, Souradyuti Paul, and Bart Preneel. Related-Key Attacks on the Py-Family of Ciphers and an Approach to Repair the Weaknesses. In Srinathan et al. [210], pages 58–72. (pp. 27 and 28.)

[200] Gautham Sekar, Souradyuti Paul, and Bart Preneel. Weaknesses in the Pseudorandom Bit Generation Algorithms of the Stream Ciphers TPypy and TPy. Technical Report 2007/037, eSTREAM, ECRYPT Stream Cipher Project, 2007. (pp. 24, 27, 28, 29, 60, 62, 165, and 170.)

[201] Gautham Sekar and Bart Preneel. Revisiting Shannon’s Notion of Perfect Secrecy. In submission. (p. 28.)

[202] Gautham Sekar and Bart Preneel. Improved Distinguishing Attacks on HC-256. In Tsuyoshi Takagi and Masahiro Mambo, editors, IWSEC, volume 5824 of Lecture Notes in Computer Science, pages 38–52. Springer, 2009. (pp. 27 and 28.)

[203] Gautham Sekar and Bart Preneel. Practical Attacks on a Cryptosystem Proposed in Patent WO/2009/066313. Technical report, COSIC internal, 2010. (p. 28.)

[204] Haruki Seki and Toshinobu Kaneko. Differential Cryptanalysis of Reduced Rounds of GOST. In Douglas R. Stinson and Stafford E. Tavares, editors, Selected Areas in Cryptography, volume 2012 of Lecture Notes in Computer Science, pages 315–323. Springer, 2000. (p. 104.)

[205] Claude E. Shannon. A Mathematical Theory of Communication. Bell System Technical Journal, 27(3):379–423, 623–656, 1948. Available at http://www2.research.att.com/~njas/doc/shannon1948.pdf. (pp. 3 and 35.)

[206] Claude E. Shannon. Communication Theory of Secrecy Systems. Bell System Technical Journal, 28(4):656–715, 1949. (pp. 5, 15, 29, 35, 36, 37, 38, 42, 55, 117, 123, 125, 126, and 152.)

[207] Takeshi Shimoyama and Toshinobu Kaneko. Quadratic Relation of S-box and Its Application to the Linear Attack of Full Round DES. In Hugo Krawczyk, editor, CRYPTO, volume 1462 of Lecture Notes in Computer Science, pages 200–211. Springer, 1998. (p. 102.)

[208] Victor Shoup, editor. Advances in Cryptology - CRYPTO 2005: 25th Annual International Cryptology Conference, Santa Barbara, California, USA, August 14-18, 2005, Proceedings, volume 3621 of Lecture Notes in Computer Science. Springer, 2005. (pp. 193 and 194.)

[209] Thomas Siegenthaler. Decrypting a Class of Stream Ciphers Using Ciphertext Only. IEEE Trans. Computers, 34(1):81–85, 1985. (p. 7.)

[210] K. Srinathan, C. Pandu Rangan, and Moti Yung, editors. Progress in Cryptology - INDOCRYPT 2007, 8th International Conference on Cryptology in India, Chennai, India, December 9-13, 2007, Proceedings, volume 4859 of Lecture Notes in Computer Science. Springer, 2007. (pp. 183 and 192.)

[211] Othmar Staffelbach and Willi Meier. Cryptographic Significance of the Carry for Ciphers Based on Integer Addition. In Alfred Menezes and Scott A. Vanstone, editors, CRYPTO, volume 537 of Lecture Notes in Computer Science, pages 601–614. Springer, 1990. (pp. 76 and 79.)

[212] Staff Writer. Users take crack at 56-bit crypto. CNET News.com, 1997. Available at http://news.com.com/2100-1023-278658.html?legacy=cnet. (p. 102.)

[213] Michael Steil. 17 Mistakes Microsoft Made in the Xbox Security System, December 2005. 22nd Chaos Communications Congress, Berlin, Germany. (p. 103.)

[214] Douglas Robert Stinson. Introduction to Cryptography. CRC Press, first edition, 1995. (p. 46.)

[215] Douglas Robert Stinson. Introduction to Cryptography. Chapman & Hall / CRC Press, second edition, 2002. (p. 46.)

[216] James Joseph Sylvester. Thoughts on inverse orthogonal matrices, simultaneous sign successions, and tessellated pavements in two or more colours, with applications to Newton’s rule, ornamental tile-work, and the theory of numbers. Philosophical Magazine, 34:461–475, 1867. (p. 200.)

[217] William J. Talbott. Dutch Book Arguments. Stanford Encyclopedia of Philosophy, 2008. Available at http://plato.stanford.edu/entries/epistemology-bayesian/supplement2.html. (p. 197.)

[218] Telecommunications Industry Association. Common Cryptographic Algorithms, June 1995. (p. 177.)

[219] Yukiyasu Tsunoo, Teruo Saito, Takeshi Kawabata, and Hiroki Nakashima. Distinguishing Attack Against TPypy. In Carlisle M. Adams, Ali Miri, and Michael J. Wiener, editors, Selected Areas in Cryptography, volume 4876 of Lecture Notes in Computer Science, pages 396–407. Springer, 2007. (pp. 24, 60, 62, 165, and 170.)

[220] Paul C. van Oorschot and Michael J. Wiener. Parallel Collision Search with Cryptanalytic Applications. J. Cryptology, 12(1):1–28, 1999. (p. 44.)

[221] John Venn. The Logic of Chance. Macmillan and Co., London and Cambridge, UK, 1866. (p. 41.)

[222] Richard von Mises. Über Aufteilungs- und Besetzungswahrscheinlichkeiten; On Partitioning and Occupation Probabilities (English edition). Istanbul Universitesi Fen Fakultesi Mecmuasi, 4:145–163, 1939. (p. 45.)

[223] David Wagner. The Boomerang Attack. In Knudsen [118], pages 156–170. (p. 19.)

[224] David Wagner. A Generalized Birthday Problem. In Yung [245], pages 288–303. (p. 46.)

[225] Xiaoyun Wang, Andrew Yao, and Frances Yao. Cryptanalysis of SHA-1. In Cryptographic Hash Workshop, NIST, Gaithersburg, USA, October 2005. (p. 22.)

[226] Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu. Finding Collisions in the Full SHA-1. In Shoup [208], pages 17–36. (p. 22.)

[227] Xiaoyun Wang and Hongbo Yu. How to Break MD5 and Other Hash Functions. In Ronald Cramer, editor, EUROCRYPT, volume 3494 of Lecture Notes in Computer Science, pages 19–35. Springer, 2005. (pp. 16, 139, and 140.)

[228] Xiaoyun Wang, Hongbo Yu, and Yiqun Lisa Yin. Efficient Collision Search Attacks on SHA-0. In Shoup [208], pages 1–16. (pp. 16 and 22.)

[229] Dai Watanabe, Soichi Furuya, Hirotaka Yoshida, Kazuo Takaragi, and Bart Preneel. A New Keystream Generator MUGI. In Joan Daemen and Vincent Rijmen, editors, FSE, volume 2365 of Lecture Notes in Computer Science, pages 179–194. Springer, 2002. (p. 177.)

[230] Eric W. Weisstein. Total Probability Theorem. MathWorld - A Wolfram Web Resource. Available at http://mathworld.wolfram.com/TotalProbabilityTheorem.html. (pp. 39 and 198.)

[231] David J. Wheeler and Roger M. Needham. TEA, a Tiny Encryption Algorithm. In Bart Preneel, editor, FSE, volume 1008 of Lecture Notes in Computer Science, pages 363–366. Springer, 1994. (p. 103.)

[232] Doug Whiting, Russ Housley, and Niels Ferguson. Counter with CBC-MAC (CCM). RFC 3610, September 2003. Available at http://tools.ietf.org/html/rfc3610. (p. 12.)

[233] Wikipedia. KeeLoq, July 2010. Available at http://en.wikipedia.org/wiki/KeeLoq. (p. 150.)

[234] Wikipedia. Law of total probability, June 2010. Available at http://en.wikipedia.org/wiki/Law_of_total_probability. (p. 39.)

[235] Wikipedia. RC4, November 2010. Available at http://en.wikipedia.org/wiki/RC4. (p. 7.)

[236] Hugh C. Williams, editor. Advances in Cryptology - CRYPTO ’85, Santa Barbara, California, USA, August 18-22, 1985, Proceedings, volume 218 of Lecture Notes in Computer Science. Springer, 1986. (pp. 182 and 188.)

[237] Robert S. Winternitz. Producing a One-Way Hash Function from DES. In CRYPTO, pages 203–207, 1983. (p. 22.)

[238] Hongjun Wu. A New Stream Cipher HC-256. In Roy and Meier [185], pages 226–244. (pp. 75, 76, 78, 79, 83, and 84.)

[239] Hongjun Wu. The Misuse of RC4 in Microsoft Word and Excel. Technical Report 2005/007, Cryptology ePrint Archive, 2005. (p. 5.)

[240] Hongjun Wu. Cryptanalysis and Design of Stream Ciphers. PhD thesis, Katholieke Universiteit Leuven, 2008. (p. 174.)

[241] Hongjun Wu. The Stream Cipher HC-128. In Robshaw and Billet [182], pages 39–47. (pp. 75 and 76.)

[242] Hongjun Wu and Bart Preneel. Differential Cryptanalysis of the Stream Ciphers Py, Py6 and Pypy. In Moni Naor, editor, EUROCRYPT, volume 4515 of Lecture Notes in Computer Science, pages 276–290. Springer, 2007. (pp. 60, 62, and 166.)

[243] Hirotaka Yoshida, Dai Watanabe, Katsuyuki Okeya, Jun Kitahara, Hongjun Wu, Ozgul Kucuk, and Bart Preneel. MAME: A Compression Function with Reduced Hardware Requirements. In Pascal Paillier and Ingrid Verbauwhede, editors, CHES, volume 4727 of Lecture Notes in Computer Science, pages 148–165. Springer, 2007. (p. 46.)

[244] Eric A. Young and Tim J. Hudson. OpenSSL version 1.0.0, March 2010. Available at http://www.openssl.org/. (p. 103.)

[245] Moti Yung, editor. Advances in Cryptology - CRYPTO 2002, 22nd Annual International Cryptology Conference, Santa Barbara, California, USA, August 18-22, 2002, Proceedings, volume 2442 of Lecture Notes in Computer Science. Springer, 2002. (pp. 182 and 193.)

[246] Gideon Yuval. How to Swindle Rabin. Cryptologia, 3:187–189, 1979. (pp. 43 and 45.)

[247] Erik Zenner. A Cache Timing Analysis of HC-256. In Roberto Maria Avanzi, Liam Keliher, and Francesco Sica, editors, Selected Areas in Cryptography, volume 5381 of Lecture Notes in Computer Science, pages 199–213. Springer, 2008. (p. 75.)

Appendix A

Perfect Secrecy

A.1 Radical Subjectivism and Other Paradoxes

In deriving (2.15), we had ruled out that $\Pr(L_n) \in \{0, 1\}$ because in (2.9), $\Pr(L_n)$ is an a priori probability. The inherent assumption is that prior to assigning a specific value to $\Pr(L_n)$, the cryptanalyst has not already evaluated the cryptosystem.

However, if the cryptanalyst is a radical subjectivist – someone whose ‘rational degrees of belief’ (see Sect. 2.4) can be whatever she prefers, as long as they are coherent [90]¹ – she may respectively assign the values 1 and 0 to the a priori probabilities $\Pr(L_n)$ and $\Pr(L_n^c)$ (so that the assignments obey the probability calculus) and contend that the assignments are not irrational. If so, she has again arrived at the paradoxical conclusion that the cryptosystem is perfect even without assigning specific values to the a priori probabilities $\Pr(p_i)$ or $\Pr(c_i)$, $i \in \{1, \ldots, m\}$. Alternatively, she has paradoxically concluded that the cryptosystem is not perfect upon making the assignments $\Pr(L_n^c) = 1$ and $\Pr(L_n) = 0$.

Even if (2.1) is only a necessary condition for perfect secrecy, the cryptanalyst may still ‘radically’ assign suitable a priori values to $\Pr(L_n)$ and $\Pr(L_n^c)$ and arrive at a paradox. Unfortunately, there is no way to objectively resolve these paradoxes. In Sect. 2.3 and the discussion in Sect. 2.4, we had implicitly assumed that the cryptanalyst is not such a radical subjectivist as described above.

A cryptanalyst may view $\Pr(L_n)$ as the ratio of the number of perfect n-bit cryptosystems to the total number ($m^{m^2}$) of n-bit cryptosystems. This follows from the cryptanalyst’s belief that the cryptosystem under evaluation is equally likely to be any of the $m^{m^2}$ cryptosystems. In other words, she considers $\Pr(L_n)$ to be the simplest non-informative prior. Now, given that the sample space is equiprobable, by the classical definition of probability (given by Laplace [128]), $\Pr(L_n)$ is the ratio of the number of perfect n-bit cryptosystems to the total number of n-bit cryptosystems.

¹ Coherence means that the degrees of belief should obey the probability calculus [58, 59, 80, 217].

As a final note we would like to point out an issue concerning a posteriori probabilities. Although there is no difference between the meanings of ‘a posteriori’ and ‘conditional’, the former term is used when the condition is directly observed in the course of the experiment and the latter is used otherwise [172]. Going by this definition, the probabilities $\Pr(p_1 \mid L_n)$, $\Pr(p_1 \mid L'_n)$ and $\Pr(p_1 \mid L''_n)$ are only conditional and not a posteriori. This is because none of the events $L_n$, $L'_n$ and $L''_n$ is observed in the course of the probabilistic analysis of Sect. 2.3 (under the assumption that the cryptanalyst has not evaluated the cryptosystem before). Going by [230], the probabilities $\Pr(p_1 \mid L_n)$, $\Pr(p_1 \mid L'_n)$ and $\Pr(p_1 \mid L''_n)$ need not be a posteriori for (2.11) to be valid (the statement of the law of total probability in [230] uses ‘a posteriori’ and ‘conditional’ without distinction). Therefore we have correctly used (2.11). Calling the probabilities $\Pr(p_i \mid c_j)$ ($i, j \in \{1, \ldots, m\}$) a posteriori is justified if the cryptanalyst has intercepted the ciphertexts before commencing cryptanalysis.


Appendix B

Hash Function Regularity

B.1 Linear Subset Regularity for 3-to-1 Bit Hash Functions

Here, we will attempt to construct a 3-to-1 bit ls-regular hash function h(x). Let the input x be a binary string, resulting from the concatenation of the three input bits, such that x ← x2 ∥ x1 ∥ x0. We set h(000) = A, where A can be either 0 or 1. The other output symbol will then be denoted by B. We now consider three cases, as shown in Table B.1.

Table B.1. Constructing a 3-to-1 bit ls-regular hash function h(x), where x ← x2 ∥ x1 ∥ x0; the values marked * were set initially (bold in the original), the others are derived from the ls-regular conditions

Case 1
x2 x1 x0   h(x)
 0  0  0   A*
 0  0  1   A*
 0  1  0   B
 0  1  1   B
 1  0  0   B
 1  0  1   B
 1  1  0   A
 1  1  1   A

Case 2
x2 x1 x0   h(x)
 0  0  0   A*
 0  0  1   B*
 0  1  0   A*
 0  1  1   B
 1  0  0   B
 1  0  1   A
 1  1  0   B
 1  1  1   A

Case 3
x2 x1 x0   h(x)
 0  0  0   A*
 0  0  1   B*
 0  1  0   B*
 0  1  1   A
 1  0  0   B
 1  0  1   A
 1  1  0   A
 1  1  1   B

• Case 1: Assume h(001) = A. Subset regularity with respect to x2 then leads to h(010) = h(011) = B. Furthermore, subset regularity with respect to x1 results in h(100) = h(101) = B. For h to be regular, we must have h(110) = h(111) = A. However, we now find that restricting the inputs with x2 ⊕ x1 = 0 results in a constant function.

• Case 2: Assume h(001) = B and h(010) = A. Subset regularity with respect to x2 then leads to h(011) = B. Furthermore, subset regularity with respect to x0 results in h(100) = h(110) = B. For h to be regular, we must have h(101) = h(111) = A. However, we now find that restricting the inputs with x2 ⊕ x0 = 0 results in a constant function.

• Case 3: Assume h(001) = B and h(010) = B. Subset regularity with respect to x2 then leads to h(011) = A. Furthermore, subset regularity with respect to x1 ⊕ x0 results in h(100) = h(111) = B. For h to be regular, we must have h(101) = h(110) = A. However, we now find that restricting the inputs with x2 ⊕ x1 ⊕ x0 = 0 results in a constant function.

Consequently, there are no 3-to-1 bit hash functions that are ls-regular. Also note that imposing all but one ls-regular condition in Table B.1 leads to an affine hash function. We found by exhaustive search that all 3-to-1 bit hash functions on which all but one ls-regular condition is imposed are affine hash functions.
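An added exhaustive check (not from the thesis) of the two claims above over all 256 3-to-1 bit functions. It assumes the reading of ls-regularity used in the three cases: h is balanced on both subsets {x : ℓ(x) = c}, c ∈ {0, 1}, for every nonzero linear form ℓ of the input bits; the function names are my own.

```python
# Added example, not the thesis's code: exhaustive verification of Appendix B.1.
# Assumption: "ls-regular" = balanced on every subset {x : l(x) = c} for each
# nonzero linear form l(x) = a2*x2 ^ a1*x1 ^ a0*x0 and each c in {0, 1}.
from itertools import product

N_IN = 3
INPUTS = list(range(1 << N_IN))        # x = x2 || x1 || x0 read as an integer 0..7
FORMS = list(range(1, 1 << N_IN))      # the 7 nonzero linear forms, as bit masks a


def parity(v):
    return bin(v).count("1") & 1


def linear_form(a, x):
    """l_a(x): XOR of the input bits selected by mask a, e.g. a=0b011 is x1 ^ x0."""
    return parity(a & x)


def balanced(h, subset):
    """h is regular (balanced) on subset: as many 0 outputs as 1 outputs."""
    ones = sum(h[x] for x in subset)
    return 2 * ones == len(subset)


def subset_regular(h, a):
    """Subset regularity w.r.t. form a: balanced on l_a(x) = 0 and on l_a(x) = 1."""
    return all(balanced(h, [x for x in INPUTS if linear_form(a, x) == c])
               for c in (0, 1))


def is_ls_regular(h):
    return all(subset_regular(h, a) for a in FORMS)


def violated_forms(h):
    """Forms a for which restricting to l_a(x) = c leaves h unbalanced."""
    return [a for a in FORMS if not subset_regular(h, a)]


def is_affine(h):
    """h(x) = l_a(x) ^ b for some mask a (possibly 0) and constant b."""
    return any(all(h[x] == linear_form(a, x) ^ b for x in INPUTS)
               for a in range(1 << N_IN) for b in (0, 1))


def all_functions():
    """All 2^8 truth tables of 3-to-1 bit functions, as tuples indexed by x."""
    return [tuple(bits) for bits in product((0, 1), repeat=1 << N_IN)]


def count_ls_regular():
    """Number of ls-regular 3-to-1 bit functions (the appendix argues: none)."""
    return sum(1 for h in all_functions() if is_ls_regular(h))


def all_but_one_condition():
    """For each form, the functions that are subset regular w.r.t. every other
    form; returns (how many such functions in total, whether all are affine)."""
    survivors = []
    for skipped in FORMS:
        for h in all_functions():
            if all(subset_regular(h, a) for a in FORMS if a != skipped):
                survivors.append(h)
    return len(survivors), all(is_affine(h) for h in survivors)


if __name__ == "__main__":
    # Case 1 of Table B.1 with A = 0 is h(x) = x2 ^ x1; it fails only for x2 ^ x1.
    case1 = (0, 0, 1, 1, 1, 1, 0, 0)
    print("forms violated by Case 1:", [bin(a) for a in violated_forms(case1)])
    print("ls-regular 3-to-1 bit functions:", count_ls_regular())
    print("(survivors, all affine):", all_but_one_condition())
```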

B.2 Calculating the Inverses of Matrices Ad

In this section, we prove that the matrices A_d of Theorem 3.3 are invertible, by showing their relation to Hadamard matrices. We give an explicit formula for their inverses.

Hadamard matrices are square matrices of which all elements are either 1 or −1. They were initially proposed by Sylvester [216]. Hadamard [89] later showed that these matrices are the solution to his maximum determinant problem. A d × d Hadamard matrix H_d can be defined as a matrix satisfying:

\[ H_d H_d^T = d I_d , \] (B.1)

where I_d denotes the d × d identity matrix. If d is a power of two, Sylvester [216] proposed the following construction for H_d:

\[ H_1 = [1] , \] (B.2)

\[ H_d = \begin{bmatrix} H_{d/2} & H_{d/2} \\ H_{d/2} & -H_{d/2} \end{bmatrix} , \quad \text{for } 1 \le \log_2(d) \in \mathbb{N} . \] (B.3)

Let J_d be the d × d matrix where every element is equal to one. Matrix K_d is the d × d matrix where every element of the first column is 1, and all other elements are zero. Note that K_d K_d^T = J_d. Matrices A_d of Theorem 3.3 satisfy the equation H_d = 2A_d − J_d. We now show that matrices A_d are invertible, and calculate their inverse. Using (B.1), we obtain:

\[ (2A_d - J_d)(2A_d - J_d)^T = d I_d \] (B.4)

\[ \Leftrightarrow (2A_d - J_d)(2A_d^T - J_d^T) = d I_d \]

\[ \Leftrightarrow 4A_d A_d^T - 2A_d J_d^T - 2J_d A_d^T + J_d J_d^T = d I_d \]

\[ \Leftrightarrow 4A_d A_d^T - d(K_d^T + J_d) - d(K_d + J_d^T) + d J_d = d I_d \]

\[ \Leftrightarrow 4A_d A_d^T - d K_d^T - d K_d - d J_d^T = d I_d \]

\[ \Leftrightarrow 4A_d A_d^T - d K_d^T - d K_d - d K_d K_d^T = d I_d \]

\[ \Leftrightarrow 4A_d A_d^T = d(K_d + I_d)(K_d + I_d)^T . \] (B.5)

As K_d K_d = K_d, we have (K_d + I_d)(I_d − K_d/2) = K_d − K_d K_d/2 + I_d − K_d/2 = I_d. Therefore, (K_d + I_d)^{−1} = I_d − K_d/2. From (B.5), we then obtain

\[ A_d A_d^T (2I_d - K_d)^T (2I_d - K_d) = d I_d . \] (B.6)

This equation shows that A_d is invertible, and that its inverse is given by:

\[ A_d^{-1} = \frac{1}{d} A_d^T (2I_d - K_d)^T (2I_d - K_d) . \] (B.7)
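To make (B.7) concrete, here is an added check (not from the thesis) that builds H_d by the Sylvester construction (B.2)–(B.3), derives A_d from H_d = 2A_d − J_d, and verifies A_d · (A_d^T (2I_d − K_d)^T (2I_d − K_d)) = d I_d in exact integer arithmetic for d = 1, 2, 4, 8, 16; the helper names are my own.

```python
# Added example, not the thesis's code: integer-only verification of (B.1) and
# (B.7) for Sylvester Hadamard matrices. A_d = (H_d + J_d)/2 is the 0/1 matrix
# with H_d = 2A_d - J_d; K_d has a first column of ones and zeros elsewhere.


def sylvester_hadamard(d):
    """H_d from (B.2)/(B.3); d must be a power of two."""
    assert d >= 1 and d & (d - 1) == 0, "d must be a power of two"
    H = [[1]]
    while len(H) < d:
        H = [row + row for row in H] + [row + [-v for v in row] for row in H]
    return H


def matmul(X, Y):
    n, m, p = len(X), len(Y), len(Y[0])
    return [[sum(X[i][k] * Y[k][j] for k in range(m)) for j in range(p)]
            for i in range(n)]


def transpose(X):
    return [list(col) for col in zip(*X)]


def identity(d):
    return [[int(i == j) for j in range(d)] for i in range(d)]


def scale(c, X):
    return [[c * v for v in row] for row in X]


def matrix_A(d):
    """A_d = (H_d + J_d)/2: entry 1 where H_d has +1, entry 0 where it has -1."""
    return [[(v + 1) // 2 for v in row] for row in sylvester_hadamard(d)]


def matrix_K(d):
    """K_d: every element of the first column is 1, all other elements are 0."""
    return [[int(j == 0) for j in range(d)] for i in range(d)]


def d_times_inverse_A(d):
    """d * A_d^{-1} = A_d^T (2I_d - K_d)^T (2I_d - K_d), i.e. (B.7) without the 1/d."""
    A, K, I = matrix_A(d), matrix_K(d), identity(d)
    W = [[2 * I[i][j] - K[i][j] for j in range(d)] for i in range(d)]  # 2I_d - K_d
    return matmul(matmul(transpose(A), transpose(W)), W)


def check_b1(d):
    """(B.1): H_d H_d^T == d I_d."""
    H = sylvester_hadamard(d)
    return matmul(H, transpose(H)) == scale(d, identity(d))


def check_b7(d):
    """(B.7) holds exactly iff A_d * (d A_d^{-1}) == d I_d."""
    return matmul(matrix_A(d), d_times_inverse_A(d)) == scale(d, identity(d))


if __name__ == "__main__":
    for d in (1, 2, 4, 8, 16):
        print(d, check_b1(d), check_b7(d))
```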


Appendix C

The Py Family

C.1 Related Keys When Size of the IV is Varied

As mentioned in Sect. 4.4.2, for longer IVs, one can induce the first difference in the keys (that is, where the LSBs alone differ) according to the size of the IV used. For example, when the size of the IV is 32 bytes, we consider two keys – K1 and K2 (each key is 256 bytes long) – such that

1. K1[32]⊕K2[32] = 1 ,

2. the LSB of K1[32] is 1 ,

3. K1[33] = K2[33] , and

4. K1[i] = K2[i] , ∀ i ∉ {32, 33} .

More generally, if the IV is of size N bytes, the first difference in the keys should not be induced either (i) in the first N bytes (i.e., key bytes 0 to N − 1), or (ii) in the last N − 3 bytes (key bytes 260 − N to 256). Otherwise, it is immaterial where the first difference is set.


Appendix D

HC-256

D.1 Experimental Results

Here, we elaborate on footnote 4 in Sect. 5.4.1. Consider the equations:

\[ X \equiv A + B + C \pmod{2^k} , \] (D.1)

\[ Y \equiv -A + B - C \pmod{2^k} , \] (D.2)

where X, Y, A, B, C are k-bit random variables. Let X_{(b)} denote the bth bit of X (b = 0 denotes the LSB and b = k − 1 denotes the MSB). Since the ‘+’ and ‘−’ operators are the same as the XOR for the LSB position, we have from (D.1) and (D.2):

\[ X_{(0)} = A_{(0)} \oplus B_{(0)} \oplus C_{(0)} , \]

\[ Y_{(0)} = A_{(0)} \oplus B_{(0)} \oplus C_{(0)} . \]

Therefore, X_{(0)} = Y_{(0)} ⇒ Pr(X = Y) = 2^{−(k−1)}. Now, we ran simulations to evaluate Pr(X_{(k−1)} = Y_{(k−1)}) and Pr(X = Y | X_{(k−1)} = Y_{(k−1)}) for different values of k. As there was no need to vary B, we fixed it to zero and varied A and C over all possible k-bit values. The results are provided in Table D.1. Following this trend, we obtain that for k = 32, Pr(X_{(31)} = Y_{(31)}) = 2^{−31} and Pr(X = Y | X_{(31)} = Y_{(31)}) = 0.


Table D.1. Results of probability simulations for different values of k

k    Pr(X_{(k−1)} = Y_{(k−1)})    Pr(X = Y | X_{(k−1)} = Y_{(k−1)})
4    2^{−3}     0
5    2^{−4}     0
6    2^{−5}     0
7    2^{−6}     0
8    2^{−7}     0
9    2^{−8}     0
10   2^{−9}     0
11   2^{−10}    0
12   2^{−11}    0
13   2^{−12}    0
14   2^{−13}    0
15   2^{−14}    0
16   2^{−15}    0
17   2^{−16}    0
18   2^{−17}    0
19   2^{−18}    0

D.2 A Note on the Randomness of Keystream Bits when S2 does not Occur

We restate (5.7) and (5.8) here:

\[ (s_{j-2038})_0 \oplus (s_{j+10})_0 \oplus (s_{j+7})_{10} \oplus (s_{j-2037})_{23} = (s_{j-2048})_0 \oplus (s_{j-10})_0 \oplus (s_{j-3})_{10} \oplus (s_{j-2047})_{23} , \]

\[ (h_1(z_{j+10}))_0 \oplus (h'_1(z_{j-2038}))_0 \oplus (h_1(z_{j+7}))_{10} \oplus (h'_1(z_{j-2037}))_{23} \oplus (Q[r_{j+10}])_0 = (h_1(z_{j-10}))_0 \oplus (h'_1(z_{j-2048}))_0 \oplus (h_1(z_{j-3}))_{10} \oplus (h'_1(z_{j-2047}))_{23} \oplus (Q[r_j])_0 . \]

Suppose the 1024 elements of Q are distributed uniformly at random; the same holds for the elements of Q′. We now examine the case when z_{j−2037} ∥ z_{j+7} ∥ z_{j+10} = z_{j−2047} ∥ z_{j−3} ∥ z_{j−10} and r_{j+10} = r_j, but z_{j−2038} ≠ z_{j−2048}, i.e., one of the events comprising S_2^c. When z_{j−2037} ∥ z_{j+7} ∥ z_{j+10} = z_{j−2047} ∥ z_{j−3} ∥ z_{j−10} and r_{j+10} = r_j, (5.8) reduces to:

\[ (h'_1(z_{j-2038}))_0 = (h'_1(z_{j-2048}))_0 . \] (D.3)


Similar to (5.10) and (5.11), we have

\[ (h'_1(z_{j-2038}))_0 = (Q'[z^{(0)}_{j-2038}])_0 \oplus (Q'[256 + z^{(1)}_{j-2038}])_0 \oplus (Q'[512 + z^{(2)}_{j-2038}])_0 \oplus (Q'[768 + z^{(3)}_{j-2038}])_0 , \] (D.4)

\[ (h'_1(z_{j-2048}))_0 = (Q'[z^{(0)}_{j-2048}])_0 \oplus (Q'[256 + z^{(1)}_{j-2048}])_0 \oplus (Q'[512 + z^{(2)}_{j-2048}])_0 \oplus (Q'[768 + z^{(3)}_{j-2048}])_0 . \] (D.5)

Note that on the right-hand side of (D.4), we have four distinct array indices. That is, we access four elements of Q′ from four different positions; similarly in (D.5). If z_{j−2038} ≠ z_{j−2048}, then at least one of the following events happens:

1. z^{(0)}_{j−2038} ≠ z^{(0)}_{j−2048} ,

2. z^{(1)}_{j−2038} ≠ z^{(1)}_{j−2048} ,

3. z^{(2)}_{j−2038} ≠ z^{(2)}_{j−2048} ,

4. z^{(3)}_{j−2038} ≠ z^{(3)}_{j−2048} .

If the first case alone happens, from (D.4) and (D.5), we get:

\[ (h'_1(z_{j-2038}))_0 \oplus (h'_1(z_{j-2048}))_0 = (Q'[z^{(0)}_{j-2038}])_0 \oplus (Q'[z^{(0)}_{j-2048}])_0 . \] (D.6)

Since Q′[z^{(0)}_{j−2038}] and Q′[z^{(0)}_{j−2048}] are two 32-bit elements from different positions in the same Q′ array, they are equal with uniform probability. That is, (Q′[z^{(0)}_{j−2038}])_0 and (Q′[z^{(0)}_{j−2048}])_0 are equal with probability 1/2. This implies that (D.6), and hence (D.3), holds with probability 1/2. This, in turn, implies that (5.8), and hence (5.7), holds with uniform probability 1/2. Now, let us suppose only two of the above cases occur; for example, cases 1 and 2. Then we will have four terms – (Q′[z^{(0)}_{j−2038}])_0, (Q′[z^{(0)}_{j−2048}])_0, (Q′[256 + z^{(1)}_{j−2038}])_0 and (Q′[256 + z^{(1)}_{j−2048}])_0 – with four different array indices, and hence their XOR-sum is zero with uniform probability 1/2. Hence, it follows that (5.7) holds with probability 1/2.

Extending the above argument to other events that result in the outcome z_{j−2038} ≠ z_{j−2048} (for example, the occurrence of cases 1, 2 and 3 but not case 4), one can similarly verify that (5.7) holds with probability 1/2. For the other events comprising S_2^c, we arrive at the same result; however, a complete treatment is beyond the scope of this thesis.


Appendix E

XTEA

E.1 Illustration of the Attack on Rounds 16–38

In Figure E.2, we illustrate the 23-round attack of Sect. 7.3.5. The attack is on rounds 16–38, and uses 11 inner rounds (22–32). Grey boxes represent bits that do not depend on the value of K3[31 . . . 21]. In Figure E.1, we illustrate Algorithm 7.1 from the point of view of the computation of its time complexity.

[Figure E.1 (diagram not reproduced): a table of 2^117 elements indexed by i (117 bits) feeding test_keys_1(), and a table of 2^11 elements indexed by j (11 bits) feeding test_keys_2(); γ denotes a wrong key.]

Figure E.1. Attack on rounds 16–38 using Algorithm 7.1: the tables (not stored in memory) denote the two stages of Algorithm 7.1 and the shaded 128 bits denote the correct 128-bit key; for a wrong key γ that passes test_keys_1(), test_keys_2() is performed 2^11 times

[Figure E.2 (diagram not reproduced).]

Figure E.2. 23-round attack (rounds 16–38), using 11 inner rounds (the grey boxes represent bits that do not depend on K3[31 . . . 21])


E.2 Randomness of the Inner Round Subkeys in the 15-Round Attacks

Here, we show that if the texts obtained by encrypting p0 and decrypting c0 in the 13 outer rounds (of a 15-round attack) are distributed uniformly at random, then so are the subkeys in the inner rounds. As there are only two inner rounds, the problem may be viewed as follows. In Figure 7.5, if L_{t−1} ∥ R_{t−1} and L_{t+1} ∥ R_{t+1} are distributed uniformly at random, then we need to show that α_t and α_{t+1} are also distributed uniformly at random. Henceforth, in this section, the term random means distributed uniformly at random.

Since F is a bijection, the output of F is random given that R_{t−1} is random. We know that modular addition (or subtraction) or XOR of two random values results in a random value. Given this, since R_t = L_{t+1} and L_{t+1} ∥ L_{t−1} is random, from Figure 7.5 we obtain that δ_t ⊞ α_t is random. As δ_t is a constant, α_t is random. By similar arguments, it is easily seen that α_{t+1} is also random.


Appendix F

ESSENCE

F.1 Finding the Lowest Weight Difference A

We wish to find a difference A that satisfies:

\[ (\lnot A) \land L(A) = 0 , \] (F.1)

and

\[ \mathrm{hw}(A) \le w , \] (F.2)

where hw(A) is the number of bits set in A and w is to be as small as possible. We proceed as follows. Let w represent the (still unknown) weight of the lowest weight difference A. We then split w into two integers w0 and w1, such that w0 + w1 = w and |w1 − w0| ≤ 1. Let L^{−1} represent the inverse L function, such that L^{−1}(L(x)) = x. Let M(x) = L(x) ⊕ x. The design of ESSENCE guarantees that M is invertible, as L is not allowed to have any eigenvalues in the ground field.

First step: We enumerate all x where hw(x) ≤ w0 and, after calculating A = L^{−1}(x), we check (F.1) and (F.2).

Second step: We enumerate all y where hw(y) ≤ w1 and, after calculating A = M^{−1}(y), we check (F.1) and (F.2).

Equation (F.1) implies that the set of bit positions where L(A) is 1 is always a subset of the set of bit positions where A is 1. Therefore, we only have to consider two cases: the case where the set of bit positions where L(A) is 1 contains no more than w0 elements, and the case where the set of bit positions where L(A) is 0 and A is 1 contains no more than w1 elements. As w0 + w1 = w, these two steps are guaranteed to find all A that satisfy (F.1) and (F.2). If no solution is found, we increase w by one and perform the two steps again, enumerating only the new values of x and y.


Table F.1. All differences A with hw(A) = 17 that satisfy (F.1); there are no solutions with hw(A) < 17 that satisfy (F.1)

A
2461822430680025
48C3044860D0004A
91860890C1A00094
0A001021903036C3
1400204320606D86
2800408640C0DB0C
5000810C8181B618
A001021903036C30

The total complexity of this search is \(\left(\sum_{i=0}^{w_0} \binom{64}{i}\right) + \left(\sum_{j=0}^{w_1} \binom{64}{j}\right)\). As we find w = 17 here, the total number of 64-bit linear function evaluations is \(\left(\sum_{i=0}^{8} \binom{64}{i}\right) + \left(\sum_{j=0}^{9} \binom{64}{j}\right) \approx 2^{35}\). This calculation can be performed in less than a minute on a recent desktop computer. The solutions are shown in Table F.1.
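The two-step search of Appendix F.1, as an added example that is neither the thesis's nor ESSENCE's code: it runs on a constructed 16-bit linear map toy_L (one LFSR step, chosen so that neither L nor M = L ⊕ I is singular) instead of the 64-bit ESSENCE L function, and the result is cross-checked against brute force; all names are mine.

```python
# Added example, not from the thesis: the lowest-weight search of Appendix F.1
# (enumerate x with hw(x) <= w0 and A = L^-1(x); enumerate y with hw(y) <= w1 and
# A = M^-1(y); grow w until a nonzero A satisfying (F.1) appears), applied to a
# constructed 16-bit L instead of ESSENCE's 64-bit L.
from itertools import combinations

N = 16                    # word size of the toy L (ESSENCE uses 64 bits)
MASK = (1 << N) - 1
TAPS = 0b101101           # constructed feedback: characteristic polynomial
                          # t^16 + t^5 + t^3 + t^2 + 1, which has no root in GF(2),
                          # so neither L nor M = L + I is singular


def toy_L(x):
    """Constructed linear map: one LFSR step over GF(2)^16 (assumption, not ESSENCE's L)."""
    feedback = TAPS if (x >> (N - 1)) & 1 else 0
    return ((x << 1) & MASK) ^ feedback


def hw(x):
    return bin(x).count("1")


def rows_of(fn):
    """Matrix rows of a GF(2)-linear map: bit j of rows[i] is bit i of fn(e_j)."""
    rows = [0] * N
    for j in range(N):
        y = fn(1 << j)
        for i in range(N):
            if (y >> i) & 1:
                rows[i] |= 1 << j
    return rows


def apply_rows(rows, x):
    """Multiply the row matrix by the column vector x over GF(2)."""
    return sum(((hw(rows[i] & x) & 1) << i) for i in range(N))


def gf2_inverse(rows):
    """Gauss-Jordan on [M | I]; returns the rows of M^-1, or None if M is singular."""
    aug = [rows[i] | (1 << (N + i)) for i in range(N)]
    for col in range(N):
        piv = next((r for r in range(col, N) if (aug[r] >> col) & 1), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        for r in range(N):
            if r != col and (aug[r] >> col) & 1:
                aug[r] ^= aug[col]
    return [a >> N for a in aug]


def satisfies_f1(L, A):
    """(F.1): (~A) & L(A) == 0, i.e. every bit set in L(A) is also set in A."""
    return (~A & MASK) & L(A) == 0


def words_of_weight_at_most(w):
    for k in range(w + 1):
        for bits in combinations(range(N), k):
            yield sum(1 << b for b in bits)


def lowest_weight_differences(L):
    """Return (w, {A}) for the smallest w with a nonzero A of weight w satisfying (F.1)."""
    L_rows = rows_of(L)
    M_rows = [r ^ (1 << i) for i, r in enumerate(L_rows)]   # M = L + I
    L_inv, M_inv = gf2_inverse(L_rows), gf2_inverse(M_rows)
    assert L_inv is not None and M_inv is not None, "L and M must be invertible"
    for w in range(1, N + 1):
        w0, w1 = w // 2, w - w // 2            # w0 + w1 = w, |w1 - w0| <= 1
        found = set()
        # First step: hw(L(A)) <= w0, so A = L^-1(x) for some x with hw(x) <= w0.
        for x in words_of_weight_at_most(w0):
            A = apply_rows(L_inv, x)
            if A and hw(A) <= w and satisfies_f1(L, A):
                found.add(A)
        # Second step: hw(A ^ L(A)) <= w1, so A = M^-1(y) for some y with hw(y) <= w1.
        for y in words_of_weight_at_most(w1):
            A = apply_rows(M_inv, y)
            if A and hw(A) <= w and satisfies_f1(L, A):
                found.add(A)
        if found:
            return w, found
    return None


def brute_force(L):
    """Reference answer: scan all nonzero 16-bit A and keep the lightest solutions."""
    by_weight = {}
    for A in range(1, 1 << N):
        if satisfies_f1(L, A):
            by_weight.setdefault(hw(A), set()).add(A)
    w = min(by_weight)
    return w, by_weight[w]


if __name__ == "__main__":
    w, sols = lowest_weight_differences(toy_L)
    print("lowest weight:", w, "solutions:", [hex(a) for a in sorted(sols)])
    print("agrees with brute force:", (w, sols) == brute_force(toy_L))
```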

F.2 Making F Behave as a Linear Transformation

We consider three separate cases, depending on the values of A and L(A) for a particular bit position j.

If A[j] = 1, we can enumerate all possible input conditions such that F behaves linearly and has the required differential behaviour. Because we enumerate all possibilities, we obtain an optimal result: it is not possible to add fewer than 10 linear equations. All existing solutions where 10 linear equations are added are shown in Table F.2 (for L(A)[j] = 1) and Table F.3 (for L(A)[j] = 0).

If A[j] = 0, the differential behaviour is always satisfied: if there is no input difference, there will not be an output difference either. We found that adding 6 equations is sufficient. We do not rule out the possibility that fewer than 6 equations are sufficient. The solutions we found are given in Table F.4.

We omit the index j, so that x0 to x12 represent one-bit variables. The expressions F(x0, . . . , x6) and F(x6, . . . , x12) are not added to the system of linear equations of the attack, as this is not necessary. They are only mentioned to show that their differential behaviour is correct.

F.3 A Message Pair for the First Nine Rounds

We give, in Table F.5, a message pair that satisfies the first 9 rounds of the characteristic of Table 8.1.


Table F.2. Making F linear and imposing the required differential behaviour for position j where A[j] = L(A)[j] = 1 can be done by adding no more than 10 linear equations; exactly four such solutions exist

Solution 1      | Solution 2      | Solution 3      | Solution 4
x0 ⊕ x2 = 1     | x1 = 1          | x1 = 1          | x1 = 1
x1 = 0          | x2 ⊕ x5 = 0     | x2 ⊕ x5 = 0     | x2 = 1
x3 = 1          | x2 ⊕ x7 = 1     | x2 ⊕ x7 = 1     | x3 = 0
x4 = 1          | x2 ⊕ x8 = 0     | x2 ⊕ x8 = 0     | x4 = 1
x5 = 1          | x2 ⊕ x9 = 0     | x2 ⊕ x9 = 0     | x5 = 1
x7 = 0          | x2 ⊕ x12 = 1    | x3 = 0          | x7 = 0
x8 = 1          | x3 = 0          | x4 = 1          | x8 = 1
x9 = 0          | x4 = 1          | x10 = 0         | x9 = 1
x10 = 0         | x10 = 0         | x11 = 0         | x10 = 0
x12 = 1         | x11 = 0         | x12 = 1         | x11 = 0

F(x0, . . . , x6) =  | x6 ⊕ 1  | x0 ⊕ x6 | x0 ⊕ x6 | x0 ⊕ x6
F(x1, . . . , x7) =  | x2 ⊕ 1  | x2 ⊕ 1  | x2 ⊕ 1  | 0
F(x2, . . . , x8) =  | 0       | x2 ⊕ 1  | x2 ⊕ 1  | 0
F(x3, . . . , x9) =  | 0       | x5      | x5      | 1
F(x4, . . . , x10) = | 1       | 1       | 1       | 1
F(x5, . . . , x11) = | 1       | 0       | 0       | 0
F(x6, . . . , x12) = | 0       | x7 ⊕ 1  | 0       | x12 ⊕ 1

Table F.3. Making F linear and imposing the required differential behaviour for position j where A[j] = 1 and L(A)[j] = 0 can be done by adding no more than 10 linear equations; exactly one such solution exists

Solution 1
x0 ⊕ x2 = 0
x1 = 0
x3 = 1
x4 = 1
x5 = 1
x7 = 0
x8 = 1
x9 = 0
x10 = 0
x12 = 1

F(x0, . . . , x6) = 1
F(x1, . . . , x7) = x2 ⊕ 1
F(x2, . . . , x8) = 0
F(x3, . . . , x9) = 0
F(x4, . . . , x10) = 1
F(x5, . . . , x11) = 1
F(x6, . . . , x12) = 0

Table F.4. Making F linear for position j where A[j] = L(A)[j] = 0 can be done by adding no more than 6 linear equations; at least six such solutions exist

Solution 1 | Solution 2 | Solution 3 | Solution 4 | Solution 5 | Solution 6
x3 = 0     | x3 = 0     | x3 = 1     | x4 = 0     | x4 = 0     | x4 = 0
x4 = 0     | x4 = 0     | x4 = 1     | x5 = 1     | x5 = 1     | x5 = 1
x5 = 1     | x5 = 1     | x5 = 1     | x6 = 1     | x6 = 1     | x6 = 1
x6 = 0     | x6 = 1     | x6 = 1     | x7 = 0     | x7 = 0     | x7 = 0
x7 = 1     | x7 = 1     | x7 = 1     | x8 = 1     | x8 = 1     | x8 = 1
x9 = 1     | x8 = 1     | x8 = 1     | x9 = 0     | x10 = 0    | x11 = 1

F(x1, . . . , x7) =  | x1 ⊕ 1        | x2            | x1             | x1 ⊕ x2 ⊕ 1 | x1 ⊕ x2 ⊕ 1 | x1 ⊕ x2 ⊕ 1
F(x2, . . . , x8) =  | x2 ⊕ x8 ⊕ 1   | x2 ⊕ 1        | x2             | x3 ⊕ 1      | x3 ⊕ 1      | x3 ⊕ 1
F(x3, . . . , x9) =  | x8 ⊕ 1        | x9 ⊕ 1        | x9             | 0           | x9          | x9
F(x4, . . . , x10) = | x8            | 0             | x9 ⊕ x10 ⊕ 1   | x10 ⊕ 1     | x9 ⊕ 1      | x9 ⊕ x10 ⊕ 1
F(x5, . . . , x11) = | x8 ⊕ x10 ⊕ 1  | x10 ⊕ x11 ⊕ 1 | x10 ⊕ x11 ⊕ 1  | x10 ⊕ 1     | x9 ⊕ 1      | x9 ⊕ x10 ⊕ 1

Table F.5. A message pair satisfying the first 9 rounds of the characteristic of Table 8.1

i   m_i                 m'_i                m_i ⊕ m'_i
0   FFFFFFFFFFFFFFFF    FFFFFFFFFFFFFFFF    0000000000000000
1   1A001021983836CB    1A001021983836CB    0000000000000000
2   5809832A1DEA2458    5809832A1DEA2458    0000000000000000
3   8AEF5FEBEB9FDAAB    8AEF5FEBEB9FDAAB    0000000000000000
4   32F9D8578015D297    32F9D8578015D297    0000000000000000
5   0D031372423B91AC    0D031372423B91AC    0000000000000000
6   B804AC08CD97E348    B804AC08CD97E348    0000000000000000
7   E8BB8E649DC3B35F    E2BB9E450DF3859C    0A001021903036C3

F.4 Distinguishing Attacks on the Full 32-Round ESSENCE-256

The attacks described in Sect. 8.6.2 can be easily extended to the full ESSENCE-256 block cipher. Let us suppose the key k and the plaintext are related such that after 18 rounds, r0[0] = k0[0]. Given this, using similar arguments as those used to derive (8.3), we obtain that at the end of 32 rounds, if L(r7)[0] = 0, then

\[ \Pr(r_6[0] = 0) = \frac{1}{2} + \frac{1}{2^7} . \] (F.3)

We can thus construct a distinguisher by collecting 2^17 outputs r6[0], after 32 rounds, generated by as many keys (so that the samples are independent), given that after 18 rounds, k0[0] = r0[0]. In other words, the attacker first tests whether k0[0] = r0[0] after 18 rounds. If this condition is satisfied, she collects the output r6[0] after 32 rounds, provided L(r7)[0] = 0. Therefore, this constitutes a known-key distinguishing attack, which one may view as an attack on a large set of weak keys. Alternatively, the attack scenario may be such that two bits of the internal state after 18 rounds are leaked to the attacker. A similar assumption was made in [64], as a model for certain side-channel attacks. More generally, this scenario is captured by the notion of leakage resilience [69, 169], i.e., security when even “a bounded amount of arbitrary (adversarially chosen) information on the internal state [. . .] is leaked during computation” [69]. Although this assumption leads to trivial attacks (e.g., observe the full internal state of AES at the penultimate rounds), it assists in evaluating security against a wider range of adversaries, and in better understanding the resilience of algorithms against ‘extreme’ adversaries.

Since the condition k0[0] = r0[0] (after 18 rounds) holds with probability 0.5, the adversary would need to examine 2^17 · 2 = 2^18 randomly generated keys to mount the distinguishing attack with a success probability of 0.9772.

It is easy to see that distinguishers of the same complexity can be built by collecting any other bit of r6 (after 32 rounds), because F operates in a bitsliced manner. As in Sect. 8.6.5, when the attacker can observe both the chaining value input and the compression function output, the above distinguishers can be applied to the compression function as well.

F.5 Key Recovery Attacks on 32-Round ESSENCE

In Appendix F.4, we extended the distinguisher on 14-round ESSENCE-256 to 32 rounds by selecting plaintexts based upon the intermediate values of r0[j] and k0[j] at round 18. This result may be viewed in terms of a KP key recovery attack against a vulnerable implementation of the ESSENCE-256 block cipher. Let us say that we are attacking such an implementation of the 32-round ESSENCE-256 block cipher where, through some means (side-channel analysis, cache pollution, etc.), we can read bit j of r0 after 18 rounds. As in Sect. 8.6.6, we focus on a subset of 2^14 plaintexts where r0[j] = 0 (or 1) for all 2^14 texts after 18 rounds. Applying the same analysis as in Sect. 8.6.6 to the remaining 14 rounds gives us the value of k0[j] at round 18. If our vulnerable implementation allows us to read all the bit positions of r0, then with probability 0.48 we can recover the full key word k0 at round 18. Since the KSA is easily invertible, we can recover the original key with minimal effort. Again, a similar analysis can be applied to the other members of the ESSENCE family of block ciphers.


List of Publications

In Proceedings of International Conferences/Workshops

1. Gautham Sekar, Nicky Mouha, Vesselin Velichkov, and Bart Preneel. Meet-in-the-Middle Attacks on Reduced-Round XTEA. In Aggelos Kiayias, editor, CT-RSA, volume 6558 of Lecture Notes in Computer Science, pages 250–267. Springer, 2011.

2. Nicky Mouha, Gautham Sekar, Jean-Philippe Aumasson, Thomas Peyrin, Søren S. Thomsen, Meltem Sonmez Turan, and Bart Preneel. Cryptanalysis of the ESSENCE Family of Hash Functions. In Feng Bao, Moti Yung, Dongdai Lin, and Jiwu Jing, editors, Inscrypt, volume 6151 of Lecture Notes in Computer Science, pages 15–34. Springer, 2011.

3. Gautham Sekar and Bart Preneel. Improved Distinguishing Attacks on HC-256. In Tsuyoshi Takagi and Masahiro Mambo, editors, IWSEC, volume 5824 of Lecture Notes in Computer Science, pages 38–52. Springer, 2009.

4. Jorge Nakahara Jr., Gautham Sekar, Daniel Santana de Freitas, Chang Chiann, Ramon Hugo de Souza, and Bart Preneel. A New Approach to χ² Cryptanalysis of Block Ciphers. In Pierangela Samarati, Moti Yung, Fabio Martinelli, and Claudio Agostino Ardagna, editors, ISC, volume 5735 of Lecture Notes in Computer Science, pages 1–16. Springer, 2009.

5. Emilia Kasper, Vincent Rijmen, Tor E. Bjørstad, Christian Rechberger, Matthew J. B. Robshaw, and Gautham Sekar. Correlated Keystreams in Moustique. In Serge Vaudenay, editor, AFRICACRYPT, volume 5023 of Lecture Notes in Computer Science, pages 246–257. Springer, 2008.

6. Gautham Sekar, Souradyuti Paul, and Bart Preneel. New Attacks on the Stream Cipher TPy6 and Design of New Ciphers the TPy6-A and the TPy6-B. In Stefan Lucks, Ahmad-Reza Sadeghi, and Christopher Wolf, editors, WEWoRC, volume 4945 of Lecture Notes in Computer Science, pages 127–141. Springer, 2008.

7. Orr Dunkelman, Gautham Sekar, and Bart Preneel. Improved Meet-in-the-Middle Attacks on Reduced-Round DES. In K. Srinathan, C. Pandu Rangan, and Moti Yung, editors, INDOCRYPT, volume 4859 of Lecture Notes in Computer Science, pages 86–100. Springer, 2007.

8. Gautham Sekar, Souradyuti Paul, and Bart Preneel. Related-Key Attacks on the Py-Family of Ciphers and an Approach to Repair the Weaknesses. In K. Srinathan, C. Pandu Rangan, and Moti Yung, editors, INDOCRYPT, volume 4859 of Lecture Notes in Computer Science, pages 58–72. Springer, 2007.

9. Gautham Sekar, Souradyuti Paul, and Bart Preneel. New Weaknesses in the Keystream Generation Algorithms of the Stream Ciphers TPy and Py. In Juan A. Garay, Arjen K. Lenstra, Masahiro Mambo, and Rene Peralta, editors, ISC, volume 4779 of Lecture Notes in Computer Science, pages 249–262. Springer, 2007.

10. Souradyuti Paul, Bart Preneel, and Gautham Sekar. Distinguishing Attacks on the Stream Cipher Py. In Matthew J. B. Robshaw, editor, FSE, volume 4047 of Lecture Notes in Computer Science, pages 405–421. Springer, 2006.

Technical Reports

1. Gautham Sekar and Bart Preneel. Practical Attacks on a Cryptosystem Proposed in Patent WO/2009/066313. COSIC internal report, 12 pages, 2010.

2. Gautham Sekar, Nicky Mouha, and Bart Preneel. Meet-in-the-Middle Attacks on Reduced-Round GOST. Published by the ISO/IEC as Belgian national body contribution (report ISO/IEC JTC 1/SC 27 N8875) to their 40th SC 27/WG 2 meeting, 19 April 2010. Also submitted to Information Processing Letters.

3. Gautham Sekar, Souradyuti Paul, and Bart Preneel. Weaknesses in the Pseudorandom Bit Generation Algorithms of the Stream Ciphers TPypy and TPy. Technical Report 2007/075, Cryptology ePrint Archive, 18 pages, 2007.

Deliverables

1. Tor E. Bjørstad, Andrey Bogdanov, Henri Gilbert, Kota Ideguchi, Sebastiaan Indesteege, Ozgul Kucuk, Gregor Leander, Nicky Mouha, Jorge Nakahara Jr., Axel Poschmann, Christian Rechberger, Vincent Rijmen, Gautham Sekar, Kyoji Shibutani, Martin Schlaffer, Francois-Xavier Standaert, Elmar Tischhauser, Vesselin Velichkov, and Ivan Visconti. WG2 – Lightweight Cryptographic Algorithms. In Jorge Nakahara Jr., editor, ECRYPT II deliverable, D.SYM.5, ICT-2007-216676, 56 pages. Delivered 1 July 2010.


In Submission

1. Gautham Sekar and Bart Preneel. Revisiting Shannon’s Notion of Perfect Secrecy.

2. Nicky Mouha, Gautham Sekar, and Bart Preneel. Challenging the Increased Resistance of Regular Hash Functions Against Birthday Attacks.


Curriculum Vitae

Gautham Sekar was born on August 14, 1984 in Chennai (formerly Madras), India, to Mr. Sekar Ciruseri Ramachandran and Mrs. Amrutha Sekar. He received his Bachelor’s degree in Electronics and Instrumentation Engineering from the Birla Institute of Technology & Science, Pilani, India, in June 2006. He simultaneously graduated with a Master’s degree in Physics from the same institute. He did his Master’s thesis on RC4-like stream ciphers at the research group COSIC (Computer Security and Industrial Cryptography) of the Katholieke Universiteit Leuven, Belgium. In November 2006, he joined COSIC as a pre-doctoral student and since October 2007 he has been working there as a doctoral student. Between November 2007 and February 2010, he made three research visits to the Institute of Mathematical Sciences, Chennai, India. In May 2007, he received the Dr. Ranjit Singh Chauhan Undergraduate Research Award from the Birla Institute of Technology & Science, Pilani.


Arenberg Doctoral School of Science, Engineering & Technology
Faculty of Engineering

Department of Electrical Engineering (ESAT)

Research group ESAT/SCD

Kasteelpark Arenberg 10 Box 2446

B-3001 Leuven-Heverlee Belgium