JLM 20060212 14:16 1
AES and Attacks on Cryptographic Hashes
John Manferdelli
jlm@cs.washington.edu
jmanfer@microsoft.com
Portions © 2004-2005, John Manferdelli. This material is provided without warranty of any kind including, without limitation, warranty of non-infringement or suitability for any purpose. This material is not guaranteed to be error free and is intended for instructional use only.

AES History
• Call for DES successor 1/97
• Square begets Rijndael (1998)
• Rijndael Designers: Vincent Rijmen and Joan Daemen
• Nine Submissions
  • CAST-256, CRYPTON, DEAL, DFC (cipher), E2, FROG, HPC, LOKI97, MAGENTA, MARS, RC6, Rijndael, SAFER+, Serpent, and Twofish.
• Finalists
  • MARS, RC6, Rijndael, Serpent, and Twofish
• FIPS 197 published 11/2001

AES
[figure: Plaintext enters r Rounds and leaves as Ciphertext; the Key Schedule expands Key into the round keys k_1, k_2, …, k_r]

AES Requirements
• 128, 192, 256 bit keys
• Algorithms will be judged on the following factors:
  • Actual security of the algorithm compared to other submitted algorithms (at the same key and block size).
  • The extent to which the algorithm output is indistinguishable from a random permutation on the input block.
  • Soundness of the mathematical basis for the algorithm's security.
  • Other security factors raised by the public during the evaluation process, including any attacks which demonstrate that the actual security of the algorithm is less than the strength claimed by the submitter.
  • Claimed attacks will be evaluated for practicality.
• Key agility (NSA):
  • Two blocks encrypted with two different keys should not take much more time than two blocks encrypted with the same key.

Mars (Multiplication, Addition, Rotation and Substitution)
Basic Structure
1. Whiten
2. 8 rounds of key independent mixing
3. 16 rounds of keyed Feistel transforms (2 S-boxes)
4. 8 rounds of key independent mixing
5. Whiten

RC6 Design Philosophy
• Leverage our experience with RC5: use data-dependent rotations to achieve a high level of security.
• Adapt RC5 to meet AES requirements
• Take advantage of a new primitive for increased security and efficiency: 32x32 multiplication, which executes quickly on modern processors, to compute rotation amounts.
Slide by Ron Rivest (Second AES Conference)

Estimate of number of plaintext pairs required to mount a differential attack. (Only 2^128 such pairs are available.)
Security against differential attacks
Rounds    Pairs
8         2^56
12        2^117
16        2^190
20 (RC6)  2^238
24        2^299
Infeasible (more pairs than the 2^128 available)
Slide by Ron Rivest (Second AES Conference)

Rijndael Overview
• Input: p consisting of Nb words; k with Nk words (Nk = 4, 6, 8)
• State: 4 rows, Nb columns
• Key: 4 rows, Nk columns
• Output: c consisting of Nb words
All tables filled first column first: s0,0, s1,0, s2,0, s3,0, s0,1, …

Rijndael Overview
• Design Philosophy
  • Wide Trails
  • 32 bit word operations
  • Non-linear substitution uses arithmetic over GF(2)
  • Mixing uses polynomial arithmetic mod (x^4 + 1)

Rijndael Round Structure
Nr = max(Nk, Nb) + 6
Nr       Nb = 4   Nb = 6   Nb = 8
Nk = 4     10       12       14
Nk = 6     12       12       14
Nk = 8     14       14       14

Rijndael State Layout
State: s i,j, i = Nb (mod 4), j = [Nb/4], Nb = 4j + i
For Nb = 4:
s0,0  s0,1  s0,2  s0,3
s1,0  s1,1  s1,2  s1,3
s2,0  s2,1  s2,2  s2,3
s3,0  s3,1  s3,2  s3,3

Rijndael Key Layout
Keys: k i,j, i = Nk (mod 4), j = [Nk/4]
For Nk = 4:
k0,0  k0,1  k0,2  k0,3
k1,0  k1,1  k1,2  k1,3
k2,0  k2,1  k2,2  k2,3
k3,0  k3,1  k3,2  k3,3

Rijndael Algorithm
Rijndael(p, k, Nb, Nk) {
  ComputeRoundKeys(K, W[0…Nr])
  state = p
  AddRoundKey(0, state)
  for (i = 1; i <= Nr; i++) {
    for each byte, b in state
      ByteSub(b)
    ShiftRow(state)
    if (i < Nr) MixCol(state)
    AddRoundKey(i, state)
  }
  c = state
}

Inverse Rijndael Algorithm
InvRijndael(c, k, Nb, Nk) {
  ComputeRoundKeys(K, W[0…Nr])
  state = c
  for (i = 0; i < Nr; i++) {
    AddRoundKey(Nr-i, state)
    if (i > 0) InvMixCol(state)
    InvShiftRow(state)
    for each byte, b in state
      InvByteSub(b)
  }
  AddRoundKey(0, state)
  p = state
}

Review: Arithmetic of GF(2^n)
• Suppose m(x) is an irreducible polynomial of degree n over GF(2): m(x) = x^n + m_{n-1} x^{n-1} + … + m_0.
• Let a(x) and b(x) be polynomials of degree < n. They form a vector space of dimension n over GF(2). Coefficients of like exponent "add": (a_{n-1} x^{n-1} + … + a_0) + (b_{n-1} x^{n-1} + … + b_0) = (a_{n-1} + b_{n-1}) x^{n-1} + … + (a_0 + b_0)
• Euclidean algorithm: for a(x), b(x) polynomials of degrees m, n, there are polynomials q(x), r(x), deg r(x) < n such that a(x) = q(x)b(x) + r(x)
• Polynomials over GF(2) modulo m(x) form a field (with 2^n elements). Multiplication is multiplication of polynomials mod m(x).
• Inverses exist by following theorem: If a(x) and b(x) are polynomials their greatest common divisor d(x) can be written as d(x) = a(x)u(x) + b(x)v(x) for some u(x), v(x).

Example of multiplication and inverse
• In particular if a(x) and b(x) are co-prime: 1 = a(x)u(x) + b(x)v(x) for some u(x), v(x).
• Example: m(x) = x^2 + x + 1. m(x) is irreducible (otherwise it would have a root in GF(2))
  • x + (x+1) = 1, 1 + (x+1) = x
  • (x+1)(x+1) = x^2 + 2x + 1 = x^2 + 1 = (x) + (x^2 + x + 1) = x (mod m(x))
  • (x+1) and m(x) are co-prime; in fact, 1 = (x+1)(x) + (x^2 + x + 1)(1)
  • So "x" is the multiplicative inverse of "x+1" in GF(4).
• Usually elements of GF(2^n) are written in place notation so x^5 + x^3 + x^2 + 1 = 101101.

ByteSub Primitive
ByteSub(b)
  if b == 0 t = 0 else t = b^{-1}
  return (M t + a)
M = circ(1,0,0,0,1,1,1,1)
a = (1,1,0,0,0,1,1,0)^T
Arithmetic over GF(2) with m(x) = x^8 + x^4 + x^3 + x + 1.

ByteSub Data
M (the circulant with first row 1 0 0 0 1 1 1 1; each row is the previous one rotated right by one):
1 0 0 0 1 1 1 1
1 1 0 0 0 1 1 1
1 1 1 0 0 0 1 1
1 1 1 1 0 0 0 1
1 1 1 1 1 0 0 0
0 1 1 1 1 1 0 0
0 0 1 1 1 1 1 0
0 0 0 1 1 1 1 1
a (bits a0 … a7): 1 1 0 0 0 1 1 0
M·0 + a = 01100011 (so ByteSub(0) = 0x63)

Bytesub
[figure: every byte s i,j of the 4x4 state is replaced by t i,j = ByteSub(s i,j)]

Rijndael Primitives
ShiftRow(state)
  shift row 1 by 0.
  shift row 2 by 1.
  shift row 3 by 2 if Nb < 8, 3 otherwise.
  shift row 4 by 3 if Nb < 8, 4 otherwise.
MixCol(state)
  multiply each column of state by c(x) (mod x^4 + 1)
  c(x) = 0x03 x^3 + 0x01 x^2 + 0x01 x + 0x02
InvMixCol(state)
  multiply each column of state by d(x) (mod x^4 + 1)
  d(x) = 0x0b x^3 + 0x0d x^2 + 0x09 x + 0x0e
AddRoundKey(i, state)
  state = state + W[i]

ShiftRow
[figure: the state before, laid out as on the State Layout slide, and after; row 0 is unchanged and rows 1, 2, 3 are rotated left by 1, 2, 3 positions:]
s0,0  s0,1  s0,2  s0,3
s1,1  s1,2  s1,3  s1,0
s2,2  s2,3  s2,0  s2,1
s3,3  s3,0  s3,1  s3,2

MixCol
[figure: column 0 of the state (s0,0, s1,0, s2,0, s3,0) is replaced by (t0,0, t1,0, t2,0, t3,0); the other columns are treated the same way]
t0,0 x^3 + t1,0 x^2 + t2,0 x + t3,0 = (0x03 x^3 + 0x01 x^2 + 0x01 x + 0x02) × (s0,0 x^3 + s1,0 x^2 + s2,0 x + s3,0) (mod x^4 + 1)

RoundKeys
ComputeRoundKeys(K[4*Nk], W[Nb*(Nr+1)]) {
  for (i = 0; i < Nk; i++)
    W[i] = (K[4i], K[4i+1], K[4i+2], K[4i+3])
  for (i = Nk; i < Nb*(Nr+1); i++) {
    t = W[i-1]
    if ((i mod Nk) == 0)
      t = SubByte(RotByte(t)) + RCon(i/Nk)
    else if (Nk > 6 && (i mod Nk) == 4)    // FIPS 197: the extra SubByte for 256-bit keys applies at i mod Nk = 4
      t = SubByte(t)
    W[i] = W[i-Nk] + t
  }
}

RoundKeys Primitives
SubByte(w = (a, b, c, d))
  w = (ByteSub(a), ByteSub(b), ByteSub(c), ByteSub(d))
  return (w)
RotByte(w = (a, b, c, d))
  w = (b, c, d, a)
  return (w)
RCon[i] = (RC[i], 0x00, 0x00, 0x00); RC[1] = 0x01; RC[i+1] = RC[i] * "0x2" [multiply by "x"]

AES Finalist Bakeoff
Score: 1 (low) to 3 (high). From NIST report 2 Oct 2000.
                   Twofish  Serpent  Rijndael (AES)  RC6  MARS
General Security      3        3           2          2    3
Implementation        2        3           3          1    1
SW Perf               1        1           3          2    2
Smart Card Perf       2        3           3          1    1
HW Perf               2        3           3          2    1
Design features       3        1           2          1    2
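The Rijndael pieces of the preceding slides (GF(2^8) arithmetic and the extended Euclidean inverse of the GF(2^n) review, ByteSub as M·b^-1 + a, ShiftRow, MixCol, the key schedule, and the round loop) assembled into a runnable AES-128, as an added example; this is not code from the slides or from Rijndael's designers. It follows the FIPS 197 conventions (column-major state, the matrix form of MixCol, RCon starting at 0x01) so that the results can be checked against the published FIPS 197 values: {53}^-1 = {ca}, ByteSub(0x53) = 0xed, and the Appendix C.1 encryption.

```python
"""AES-128 assembled from the Rijndael primitives on the slides (added example)."""
AES_POLY = 0x11B  # m(x) = x^8 + x^4 + x^3 + x + 1
M_ROW0 = (1, 0, 0, 0, 1, 1, 1, 1)   # M = circ(1,0,0,0,1,1,1,1)
AFFINE_A = (1, 1, 0, 0, 0, 1, 1, 0)  # a = (1,1,0,0,0,1,1,0)^T, bit 0 first

def gf_mul(a, b):
    """Multiply in GF(2^8): polynomial product reduced mod m(x)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r

def clmul(a, b):
    """Unreduced product of two GF(2)[x] polynomials (carry-less multiply)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def gf_inv(a):
    """Inverse by the extended Euclidean algorithm: find u(x) with
    a(x)u(x) + m(x)v(x) = 1, so u = a^-1 mod m (the co-prime case of the theorem)."""
    if a == 0:
        return 0  # ByteSub sends 0 to 0 before the affine step
    r0, r1, u0, u1 = AES_POLY, a, 0, 1
    while r1 != 1:
        q, rem = 0, r0
        while rem.bit_length() >= r1.bit_length():  # long division r0 = q*r1 + rem
            shift = rem.bit_length() - r1.bit_length()
            q ^= 1 << shift
            rem ^= r1 << shift
        r0, r1 = r1, rem
        u0, u1 = u1, u0 ^ clmul(q, u1)
    return u1

def byte_sub(b):
    """ByteSub(b) = M * b^-1 + a over GF(2)."""
    t, out = gf_inv(b), 0
    for i in range(8):
        bit = AFFINE_A[i]
        for j in range(8):  # row i of a circulant is row 0 rotated right by i
            bit ^= M_ROW0[(j - i) % 8] & ((t >> j) & 1)
        out |= bit << i
    return out

SBOX = [byte_sub(i) for i in range(256)]

def shift_row(s):
    """State = 16 bytes, column-major (s[r + 4c]); row r rotates left by r (Nb = 4)."""
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_col(s):
    """Each column times c(x) = 03x^3 + 01x^2 + 01x + 02 mod x^4 + 1 (FIPS 197 matrix form)."""
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for r in range(4):
            out.append(gf_mul(col[r], 2) ^ gf_mul(col[(r + 1) % 4], 3)
                       ^ col[(r + 2) % 4] ^ col[(r + 3) % 4])
    return out

def add_round_key(s, w, rnd):
    """state = state + W[i]: words 4*rnd .. 4*rnd+3 are the round's columns."""
    return [s[i] ^ w[4 * rnd + i // 4][i % 4] for i in range(16)]

def compute_round_keys(key, nk=4, nr=10):
    """ComputeRoundKeys with RotByte, SubByte and RCon[i] = (RC[i], 0, 0, 0), RC[i+1] = RC[i]*x."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rc = 0x01
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[v] for v in t[1:] + t[:1]]  # SubByte(RotByte(t))
            t[0] ^= rc                             # + RCon(i/Nk)
            rc = gf_mul(rc, 2)                     # RC[i+1] = RC[i] * x
        elif nk > 6 and i % nk == 4:
            t = [SBOX[v] for v in t]
        w.append([w[i - nk][j] ^ t[j] for j in range(4)])
    return w

def aes128_encrypt(key, block):
    """Rijndael(p, k, Nb=4, Nk=4): the round loop of the Rijndael Algorithm slide."""
    w = compute_round_keys(bytes(key))
    state = add_round_key(list(block), w, 0)
    for i in range(1, 11):
        state = [SBOX[b] for b in state]   # ByteSub on every byte
        state = shift_row(state)
        if i < 10:
            state = mix_col(state)         # MixCol is skipped in the last round
        state = add_round_key(state, w, i)
    return bytes(state)
```

Because the S-box is derived from gf_inv and the affine map rather than typed in, a wrong M, a, or m(x) shows up immediately as a failed test vector. Production implementations replace these loops with precomputed tables (the lookup-table question in Homework 7) or constant-time code, since table lookups indexed by secret bytes leak through cache timing.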

Algebraic Attacks - Preview
• XSL, Courtois, Pieprzyk, Murphy, Robshaw
  1. Generate equations of higher degree than the original equations by multiplying equation of an active S-box by passive S-box equations
  2. Solve the equations in the formal terms of the equations
• Estimate of linearly independent equations is necessary
• Claim that solving the equations for AES was possible because the estimated number of linearly independent equations was adequate generated excitement.
• Coppersmith cast doubt on the number of linearly independent equations.

Stream Ciphers
• Synchronous stream ciphers
  • The keystream is generated independently of the plaintext and the ciphertext
  • Using Keyed PRNG
• Asynchronous stream ciphers
  • The keystream is generated as a function of the key, K, and at most t previous ciphertext symbols.

Stream Cipher Encryption and PRNGs
[figure: Plaintext bits p_j, the PRNG(seed) keystream bits k_j, and the Ciphertext bits c_j]
Encryption Equation: c_j = p_j ⊕ k_j

Synchronous Stream using Linear Feedback Shift Register (LFSR)
[figure: register cells s_{t+L-1}, s_{t+L-2}, …, s_{t+1}, s_t with feedback taps a_{L-1}, a_{L-2}, …, a_1, a_0; a_i, s_j ∈ F_q]
Recurrence: s_{t+L} = Σ_{j=0,1,…,L-1} a_j s_{t+j}
Polynomial: f(x) = Σ_{j=0,1,…,L-1} a_j x^j - x^L

LFSR-based keystream generator
• Nonlinear combination generators
• Nonlinear filter generators

RC4
Initialization
  S[0..255] = 0, 1, …, 255
  K[0..255] = Key, Key, Key, …
  j = 0
  for i = 0 to 255
    j = (j + S[i] + K[i]) mod 256
    swap S[i] and S[j]
  i = j = 0
Iteration
  i = (i + 1) mod 256
  j = (j + S[i]) mod 256
  swap S[i] and S[j]
  t = (S[i] + S[j]) mod 256
  Output S[t]

RC-4 Facts
• RC4 implements a permutation on N = 2^n elements, where n = 8 is the word size.
• RC4 cannot enter states s: i = a, j = a+1, S[a+1] = 1. There are N-2 of these.
• Notation
  • S_r, i_r, j_r and t_r denote the RC4 state during initialization after using key words [0, 1, …, r].
  • I(S), J(S), T(S), Z(S) are the state indices, output index and first output word of RC4 (i.e. just after initialization is complete).
  • T(S) = S[1] + S[S[1]], Z(S) = S[T(S)].
  • Key is l-words long
• References
  • Fluhrer, Mantin and Shamir. Attacks on RC4 and WEP.
  • Mantin, Master's Thesis.

Attacks on RC4 and FSRs
• Simple xor attack on stream without MAC or how to swindle your bank.
• Reproduce internal state
  • Solve for "taps"
  • Look for short cycles
• Alleged RC4 resists these.
• RC4 is a good stream cipher if you throw away first bunch of bytes

Bias in Second Byte of RC4
Let S_i be the state at time i and let <z_i> be the output sequence.
Theorem: P(z_2 = 0) = 2/N. (roughly twice what we expect from a random cipher)
Proof: Suppose S_0[2] = 0, S_0[1] = X ≠ 2, S_0[X] = Y.
Round 1: i = 1, j = 0 + S_0[1] = X. Exchange S_0[1] and S_0[X].
Round 2: i = 2, j = X + S_1[2] = X. Output S_1[S_1[2] + S_1[X]] = S_1[X] = 0.
So P(z_2 = 0) ≈ 1/N + 1/N (1 - 1/N) ≈ 2/N.
By Bayes, if z_2 = 0, we can extract a byte of state with probability 1/2.
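The RC4 initialization and iteration steps from the RC4 slide, plus a measurement of the second-byte bias proved above (Mantin and Shamir), as an added example that is not the slides' own code. Keys are drawn from a seeded PRNG (constructed sample input), and a `drop` parameter implements the "throw away the first bunch of bytes" advice from the attacks slide so the bias can be seen to flatten once the early keystream is discarded. The "Key"/"Plaintext" pair is the widely published RC4 test vector.

```python
"""RC4 and the second-byte bias (added example)."""
import random

def rc4_ksa(key):
    """Initialization: S = identity permutation, then 256 key-driven swaps."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF  # K[i] = Key, Key, Key, ... repeated
        s[i], s[j] = s[j], s[i]
    return s

def rc4_keystream(key, n, drop=0):
    """Iteration step: n output bytes after discarding the first `drop` bytes."""
    s = rc4_ksa(key)
    i = j = 0
    out = []
    for _ in range(drop + n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        t = (s[i] + s[j]) & 0xFF
        out.append(s[t])
    return bytes(out[drop:])

def rc4_crypt(key, data, drop=0):
    """c_j = p_j ⊕ k_j; the same call decrypts."""
    return bytes(p ^ k for p, k in zip(data, rc4_keystream(key, len(data), drop)))

def second_byte_zero_rate(trials, drop=0, seed=1):
    """Fraction of random 16-byte keys whose second keystream byte is 0.
    Theorem above: about 2/N = 2/256 for fresh RC4; about 1/256 once the
    start of the keystream is dropped. Keys come from a seeded PRNG
    (constructed sample input)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        if rc4_keystream(key, 2, drop)[1] == 0:
            hits += 1
    return hits / trials
```

The measurement is what a reviewer would ask for before accepting "RC4 is fine if you drop the first bytes": the rate with drop=0 sits near 2/256, with drop=256 near 1/256, and neither the cipher nor the measurement needs anything beyond the slide's pseudocode.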

Cryptographic Hashes
A cryptographic hash ("CH") is a "one way function," h, from all binary strings (of arbitrary length) into a fixed block of size n (called the size of the hash) with the following properties:
1. Given y = h(x) it is infeasible to calculate a x' ≠ x such that y = h(x'). ("One way," "non-invertibility" or "pre-image" resistance). Functions satisfying this condition are called One Way Hash Functions (OWHF)
2. Given u, it is infeasible to find w such that h(u) = h(w). (weak collision resistance, 2nd pre-image resistance).
3. It is infeasible to find u, w such that h(u) = h(w). (strong collision resistance). Note 3 ⇒ 2. Functions satisfying this condition are called Collision Resistant Functions (CRFs).
• Just like Symmetric ciphers ratio of work factor for computation of hash vs work factor to break hash should be very high.
• Adversary has complete information on computing hash and (obviously) can compute as many hashes from the target as she wants.

Observations on Cryptographic Hashes
• Hashes are a strong "checksum"
• OWHF and CRF conditions make CHs satisfy many of the properties of "random functions"
  • Small changes should create large changes (otherwise the pre-image of near neighbors are near neighbors making collisions easy to find)
  • Small input changes should be statistically unrelated (uncorrelated) to changes in a subset of the hash bits
• Analysis of CHs very similar to Symmetric Cipher techniques
• Popular practical cryptographic hashes
  • MD4, MD5 (now "broken")
  • SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 (last 4 are "SHA-2")
  • RIPEMD

Observations
• Collision Resistance ⇒ 2nd pre-image resistance
• Let f(x) = x^2 - 1 (mod p).
  • f(x) acts like a random function but is not a OWHF since square roots are easy to calculate mod p.
• Let f(x) = x^2 (mod pq).
  • f(x) is a OWHF but is neither collision nor 2nd pre-image resistant
• If either h1(x) or h2(x) is a CRHF so is h(x) = h1(x) || h2(x)
• MDC + signature & MAC + unknown Key require all three properties

What are Hash Functions Good for?
• Modification Detection Codes (MDCs): This is a strong checksum (integrity check). Sometimes called "unkeyed" hashes.
• Message Authentication Code (MACs): If shared secret is part of the hash, two parties can determine authenticated integrity with CHs. Called "keyed hashes".
• Message Digests (MDs): Encrypting (with private key) the CH of a message (its MD) acts as a certification that the message was "approved" by possessor of private key. This is called a Digital Signature. [Note: you could "sign" the whole message rather than the hash but this would take oodles of time by comparison.]

What are Hash Functions Good for?
• Identity: Uniquely and securely identifies bit streams like programs. Hash is strong name for program.
• Entropy mixing: Since CHs are random functions into fixed size blocks with the properties of random functions, they are often used to "mix" biased input to produce a "seed" for a pseudo-random number generator.
• Password Protection: Store salted hash of password instead of password (Needham).
• Bit Commitment

One-Way Functions
Hashes come from two basic classes of one-way functions
• Mathematical
  • Multiplication: Z = X·Y
  • Modular Exponentiation: Z = Y^X (mod n) (Chaum vP Hash)
• Ad-hoc (Symmetric cipher-like constructions)
  • Custom Hash functions (MD4, SHA, MD5, RIPEMD)

Chaum-van Heijst-Pfitzmann Compression Function
• Suppose p is prime, q = (p-1)/2 is prime, a is a primitive root in F_p, b is random.
• g: {1, 2, …, q-1}^2 → {1, 2, …, p-1}, q = (p-1)/2 by:
  • g(s, t) = a^s b^t (mod p)
• Not used in practice: too slow.
• Reduction to discrete log: Suppose g(s, t) = g(u, v) can be found. Then a^s b^t (mod p) = a^u b^v (mod p). So a^{s-u} (mod p) = b^{v-t} (mod p). Let b = a^x (mod p). Then (s-u) = x(v-t) (mod p-1). But p-1 = 2q so we can solve for x, thus determining the discrete log of b.

Merkle/Damgard Construction
[figure (Graphic by Josh Benaloh): the Padded n bit blocks x_i are fed one at a time, together with the previous chaining value H_{i-1}, into the Compression Function (f); the final output is the Hash Value]
Input: x = x_1 || … || x_t
Input is usually padded
H_0 = IV
H_i = f(H_{i-1}, x_i)
h(x) = g(H_t)

Padding
• Standard technique
  • Let last message block have k bits. If k = n, make a new block and set k = 0.
  • Append a 1 to last block leaving r = n-k-1 remaining bits in block.
  • If r >= 64, append r-64 0s then append bit length of input expressed as 64 bit unsigned integer
  • If r < 64, append n-r 0's (to fill out block), append n-64 0's at beginning of next block then append bit length of input expressed as 64 bit unsigned integer

Technique for CHs from Block Ciphers
Let input be x = x_1 || x_2 || … || x_t where each x_i is n bits long. Let g be a function taking an n bit input to an m bit input. Let E(k, x) be a block cipher with m bit keyspace and n bit block. Let H_0 = IV.
Construction 1: H_i = E(g(H_{i-1}), x_i) ⊕ H_{i-1}
Construction 2: H_i = E(x_i, H_{i-1}) ⊕ H_{i-1}
Construction 3: H_i = E(g(H_{i-1}), x_i) ⊕ x_i ⊕ H_{i-1}
Note: Because of collisions n should be > 64. Ideally, m = n and g = id. DES with n = 64 is too small. AES with n = m = 128 is better.

Attacks on Cryptographic Hashes
• Birthday (Yuval) attacks
  • Probability of collision determined by "Birthday Paradox" calculation:
    • (1 - 1/n)(1 - 2/n) … (1 - (k-1)/n) = (n!/(n-k)!)/n^k
  • Probability of collision is > .5 when k^2 > n.
  • Need 2^80 blocks for SHA.
  • 1 + x ≈ e^x, Π_{i=1}^{k-1} (1 - i/n) ≈ e^{-k(k-1)/(2n)}
• Dobbertin Attacks on MD4
  • Collision attack based on compression function weakness
• Biham, Chen, Chabaud, Joux, Wang et al, Differential attacks on RIPEMD-128, HAVAL, MD4, MD5, SHA-0, SHA-1
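The birthday calculation above, both as the exact product and through the e^x approximation, together with an empirical Yuval-style search on a truncated hash that shows a collision turning up after roughly √n evaluations. This is an added example, not from the slides; the truncation of SHA-256 to a handful of bits is a constructed toy target so the search finishes in well under a second. The point it illustrates is the note on the block-cipher-hash slide that n has to be well above 64 bits.

```python
"""Birthday bound: exact, approximate, and measured on a toy hash (added example)."""
import hashlib
import math

def collision_probability_exact(n, k):
    """P(some collision among k draws from n equiprobable values)
    = 1 - (1 - 1/n)(1 - 2/n) ... (1 - (k-1)/n)."""
    p_no_collision = 1.0
    for i in range(1, k):
        p_no_collision *= 1.0 - i / n
    return 1.0 - p_no_collision

def collision_probability_approx(n, k):
    """Same quantity using 1 + x ≈ e^x: 1 - exp(-k(k-1)/(2n))."""
    return 1.0 - math.exp(-k * (k - 1) / (2.0 * n))

def samples_for_half(bits):
    """Smallest k with P > 1/2 for an n = 2^bits hash, solving k(k-1)/(2n) = ln 2;
    for a 160-bit hash this lands on the order of 2^80, as the slide states."""
    n = 2 ** bits
    return math.ceil((1 + math.sqrt(1 + 8 * n * math.log(2))) / 2)

def truncated_hash(data, bits):
    """Constructed toy target: the top `bits` bits of SHA-256."""
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return h >> (256 - bits)

def birthday_search(bits, prefix=b"constructed-message-"):
    """Yuval-style search: hash distinct inputs until two share a truncated value.
    Returns (number of hashes computed, message_1, message_2)."""
    seen = {}
    count = 0
    while True:
        msg = prefix + str(count).encode()
        count += 1
        v = truncated_hash(msg, bits)
        if v in seen:
            return count, seen[v], msg
        seen[v] = msg
```

For a 24-bit truncation the search needs a few thousand hashes, which is the √n scaling the slide's k^2 > n rule predicts; the same arithmetic is why a 64-bit hash (2^32 work) is not collision resistant for any practical purpose.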

Attacks on Cryptographic Hashes
• Berson (1992) using differential cryptanalysis on 1 round MD-5.
• Boer and Bosselaers (1993), Pseudo collision in MD5.
• Dobbertin (1996), Collisions in compression function. Attacks inspired RIPEMD proposal.
• Biham and Chen (2004), Collisions in SHA-0.
• Chabaud and Joux (2004), Collisions in SHA-0.
• Wang, Feng, Lai, Yu, (2004), MD4, MD5, RIPEMD
• Wang et al, (2004, 2005), SHA-1
• SHA-1 has stood up best: best known theoretical attack (11/05) requires 2^64 operations.

Prefix attacks, and HMACs
• Prefix and suffix attacks
  • Hash(m1 || m2) = Hash(m2), if internal state collides
  • To fix: h_DBL(h(m) || m)
• HMAC: keyed-hash message authentication code
  • Two popular constructions
    • HMAC_K(x) = Hash(k | p | m | k), p is a pad
    • HMAC_K(x) = SHA-1(K ⊕ opad || SHA-1(K ⊕ ipad || x))
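The nested HMAC construction from the slide written out with hashlib's SHA-1 as the primitive and checked against the standard library, as an added example that is not the slides' code. The pad bytes (ipad = 0x36, opad = 0x5c), the 64-byte block size, and the rule that over-long keys are hashed first are the RFC 2104 parameters, which the slide does not spell out; the expected tags in the test are the RFC 2202 vectors.

```python
"""HMAC-SHA1 as on the slide, with hashlib's SHA-1 (added example)."""
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-1 works on 512-bit blocks; HMAC pads the key to this length
IPAD, OPAD = 0x36, 0x5C  # RFC 2104 pad bytes

def hmac_sha1(key, msg):
    """HMAC_K(x) = SHA-1((K ⊕ opad) || SHA-1((K ⊕ ipad) || x))."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha1(key).digest()      # RFC 2104: hash keys longer than a block
    key = key.ljust(BLOCK_SIZE, b"\x00")      # then zero-pad to the block size
    k_ipad = bytes(b ^ IPAD for b in key)
    k_opad = bytes(b ^ OPAD for b in key)
    inner = hashlib.sha1(k_ipad + msg).digest()
    return hashlib.sha1(k_opad + inner).digest()

def verify_tag(key, msg, tag):
    """Constant-time comparison so a verifier does not leak how many tag bytes matched."""
    return hmac.compare_digest(hmac_sha1(key, msg), tag)

def matches_stdlib(key, msg):
    """Cross-check against Python's hmac module for the same key and message."""
    return hmac_sha1(key, msg) == hmac.new(key, msg, "sha1").digest()

def prefix_mac(key, msg):
    """The plain keyed hash Hash(k || m) for comparison: the slide's first form adds
    padding and the key at both ends because a bare prefix leaves the Merkle-Damgard
    chaining state exposed in the tag; HMAC's nested form avoids that by design."""
    return hashlib.sha1(key + msg).digest()
```

The verify_tag helper is the part most often done wrong in practice: comparing tags with == returns early on the first mismatching byte, and that timing difference is measurable.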

A Cryptographic Hash: SHA-1
[figure (Slide by Josh Benaloh): the Compression Function takes the 160-bit state and a 512-bit input block and produces 160 bits of new state]

SHA-0/1
A = 0x67452301, B = 0xefcdab89, C = 0x98badcfe, D = 0x10325476, E = 0xc3d2e1f0
F_t(X,Y,Z) = (X ∧ Y) ∨ ((¬X) ∧ Z), t = 0,…,19
F_t(X,Y,Z) = X ⊕ Y ⊕ Z, t = 20,…,39
F_t(X,Y,Z) = (X ∧ Y) ∨ (X ∧ Z) ∨ (Y ∧ Z), t = 40,…,59
F_t(X,Y,Z) = X ⊕ Y ⊕ Z, t = 60,…,79
K_t = 0x5a827999, t = 0,…,19
K_t = 0x6ed9eba1, t = 20,…,39
K_t = 0x8f1bbcdc, t = 40,…,59
K_t = 0xca62c1d6, t = 60,…,79
Do until no more input blocks {
  If last input block
    Pad to 512 bits by adding 1 then 0s then 64 bits of length.
  M_i = input block (32 bits), i = 0,…,15
  W_t = M_t, t = 0,…,15;
  W_t = (W_{t-3} ⊕ W_{t-8} ⊕ W_{t-14} ⊕ W_{t-16}) <<< 1, t = 16,…,79
  a = A; b = B; c = C; d = D; e = E;
  for (t = 0 to 79) {
    x = (a <<< 5) + f_t(b,c,d) + e + W_t + K_t
    e = d; d = c; c = b <<< 30; b = a; a = x;
  }
  A += a; B += b; C += c; D += d; E += e;
}
Absence of the "<<< 1" term in the message expansion is the only difference between SHA-0 and SHA-1.
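The SHA-0/SHA-1 compression loop above and the padding rule from the Padding slide transcribed into runnable form and cross-checked against hashlib, as an added example that is not the slides' code. The sha0 flag drops the <<< 1 rotation in the message expansion, which the slide identifies as the only difference between SHA-0 and SHA-1; md_pad implements the standard rule (a 1 bit, zeros, then the 64-bit big-endian length, spilling into a new block when fewer than 64 bits remain).

```python
"""SHA-1 (and SHA-0) from the slide's pseudocode (added example)."""
import hashlib
import struct

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)  # K_t for t // 20 = 0, 1, 2, 3

def rotl(x, n):
    """32-bit left rotation, the <<< of the slide."""
    return ((x << n) | (x >> (32 - n))) & MASK

def f_t(t, x, y, z):
    """Round-dependent non-linear function F_t."""
    if t < 20:
        return (x & y) | (~x & z)
    if 40 <= t < 60:
        return (x & y) | (x & z) | (y & z)
    return x ^ y ^ z

def md_pad(msg, block=64):
    """Merkle-Damgard strengthening: append a 1 bit, then 0s, then the bit length
    as a 64-bit big-endian integer; a new block is started when < 64 bits remain."""
    bit_len = len(msg) * 8
    padded = msg + b"\x80"
    padded += b"\x00" * ((block - 8 - len(padded)) % block)
    return padded + struct.pack(">Q", bit_len)

def sha1_like(msg, sha0=False):
    """SHA-1 per the slide; sha0=True omits the <<< 1 in the message expansion."""
    A, B, C, D, E = IV
    data = md_pad(msg)
    for off in range(0, len(data), 64):
        w = list(struct.unpack(">16I", data[off:off + 64]))  # W_t = M_t, t = 0..15
        for t in range(16, 80):
            x = w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16]
            w.append(x if sha0 else rotl(x, 1))
        a, b, c, d, e = A, B, C, D, E
        for t in range(80):
            x = (rotl(a, 5) + f_t(t, b, c, d) + e + w[t] + K[t // 20]) & MASK
            e, d, c, b, a = d, c, rotl(b, 30), a, x
        A, B, C, D, E = ((A + a) & MASK, (B + b) & MASK, (C + c) & MASK,
                         (D + d) & MASK, (E + e) & MASK)
    return struct.pack(">5I", A, B, C, D, E)

def sha1_hex(msg):
    return sha1_like(msg).hex()

def matches_hashlib(msg):
    """Cross-check the transcription against the library implementation."""
    return sha1_like(msg) == hashlib.sha1(msg).digest()
```

The 56-byte message in the test is the case the Padding slide singles out: after the 1 bit, fewer than 64 bits remain, so the length field moves into a second 512-bit block.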

A Cryptographic Hash: SHA-1
[Picture from Wikipedia: one SHA-1 round]

A Cryptographic Hash: SHA-1
Depending on the round, the "non-linear" function f is one of the following.
f(X,Y,Z) = (X ∧ Y) ∨ ((¬X) ∧ Z)
f(X,Y,Z) = (X ∧ Y) ∨ (X ∧ Z) ∨ (Y ∧ Z)
f(X,Y,Z) = X ⊕ Y ⊕ Z

A Cryptographic Hash: SHA-1
What's in the final 32-bit transform?
• Take the rightmost word.
• Add in the leftmost word rotated 5 bits.
• Add in a round-dependent function f of the middle three words.
• Add in a round-dependent constant.
• Add in a portion of the 512-bit message.

Breaking news on "Chinese" Attacks on Hashes
• Don't use MD4 or you'll look really really silly.
• Don't use MD5.
• Don't use RIPEMD-128
• SHA-1 appears to have collision attacks of the order 2^64
• Use SHA-2 functions
  • Truncate to provide legacy compatibility if you have to (i.e. "gun to head")
  • Required by "Suite B" Standards

SHA-2
• FIPS 180-2, 8/02.
  • Defines SHA-256, SHA-384, SHA-512.
  • SHA-224 (truncated) added 2/04
• Great increase in mixing between bits of the words compared to SHA-1.
• US Patent 6,829,355
  • Inventor: Glenn Lilly
  • Assignee: NSA
• Can obtain source from
  • http://en.wikipedia.org/wiki/SHA-2

Other Cryptographic Hashes and Performance
Hash Name    Block Size   Relative Speed
MD4          128          1
MD5          128          .68
RIPEMD-128   128          .39
SHA-1        160          .28
RIPEMD-160   160          .24

What to take home
• Symmetric ciphers and hashes provide key ingredients for "distributed security"
  • Fast data transformation to provide confidentiality
  • Integrity
• Public key crypto provides critical third component (trust negotiation, key distribution)
• It's important to know properties of cryptographic primitives and how likely possible attacks are, etc.
• Most modern ciphers are designed so that knowing output of n-1 messages provides no useful information about nth message.
  • This has an effect on some modes of operation.

General Modern References
Blake, Seroussi, and Smart, Elliptic Curves in Cryptography. Cambridge.
Bressoud and Wagon, Computational Number Theory. Key Press.
Bach and Shallit, Algorithmic Number Theory.
Berlekamp, Algebraic Coding Theory. Reprinted by Aegean Park Press.
Biham and Shamir, Differential Cryptanalysis of DES. Springer.
Boneh, Twenty Years of attacks on RSA. Notices AMS.
Buchmann, Introduction to Cryptography. Springer.
Cohen, A Course in Computational Algebraic Number Theory. Springer.
Damgard, Lectures on Data Security. Springer.
Golumb, Shift Register Sequences. Reprinted by Aegean Park Press.
Koblitz, A Course in Number Theory and Cryptography. Springer.
Koblitz, Algebraic Aspects of Cryptography. Springer.
Konheim, Cryptography: A Primer. Wiley.

General Modern References
Landau, DES, AES, Survey article. Notices AMS.
MacWilliams et. al., Theory of Error Correcting Codes. North Holland.
Menezes, van Oorshot, Vanstone, Handbook of Applied Cryptography. (Online: http://www.cacr.math.uwaterloo.ca/hac/). CRC Press.
Rhee, Cryptography and Secure Communications.
Rivest, Class notes on Security and Crypto online. (web.mit.edu).
Schneier, Applied Cryptography. Wiley.
Simovits, The DES: Documentation and Evaluation. Aegean Park Press.
Stinson, Cryptography: Theory and Practice. CRC Press.
Welch, Codes and Cryptography. Oxford.
Websites: www.rsa.com, www.counterpane.com, www.iacr.org has loads of preprints.

Homework 7
1. We saw that a typical round of AES consisted of the following operations:
  for each byte, b in state
    ByteSub(b)
  ShiftRow(state)
  if (i < Nr)
    MixCol(state)
  AddRoundKey(i, state)
For the 128 bit key, 128 bit block size version of Rijndael, using lookup tables to reduce the computations required and assuming basic operations (32 bit lookup, 32 bit xor, etc) all take about .001 microseconds and your code/data budget is under 16 MB, design an implementation of the round operations that is faster than implementing each of the primitive operations (ByteSub, ShiftRow, MixCol). How long does each round take (about)?
Counter mode use of AES is used by selecting a nonce (n) and constructing cipher blocks AES_K(n || ctr), AES_K(n || ctr+1), AES_K(n || ctr+2), …. The resulting bits are xored into the plaintext (as with the stream cipher). What properties of AES make this safe? Can the keystream be generated in parallel and stored for later use? What performance properties does this mode have over ECB?

Homework 7
2. Show that f(x) = x^2 (mod pq) is a One-Way Function but is not Collision Resistant, where p and q are prime.
3. Linear Feedback Shift Registers Cryptosystem: Suppose X is a cryptosystem implemented by a 5 element linear feedback shift register which generates a pseudorandom stream s_0, s_1, s_2, … so s_{n+5} = a_4 s_{n+4} ⊕ a_3 s_{n+3} ⊕ a_2 s_{n+2} ⊕ a_1 s_{n+1} ⊕ a_0 s_n. If the first 10 output bits of the pseudo random generator are 1110100010, what are the next 3 bits? Assume n is the register length. About how many consecutive bits do you need to break a LFSR? How does this compare to a stream generator on an n bit state that is not linear?

Homework 7
4. Given i = 64, j = 245 and S is as stated below, what are the next 4 bytes of output of RC4? Estimate the speed of encrypting the next 4 bytes of output of an RC4 cipher on a computer in which assignment, addition and logical AND requires .001 microseconds.
5. Suppose two parties share a secret key k and wish to communicate a series of "yes/no" answers over a public channel without disclosing the answers. Design a protocol to do this using a MAC. Be careful to make sure the adversary cannot figure out all the answers if they know whether the "code" for a few of the yes/no answers.

Homework 7
S[128…255]:
0x6d 0x15 0xc2 0xab 0x7a 0xa4 0x3f 0x00
0x48 0xa3 0xd1 0x4a 0x75 0xb7 0x85 0xd8
0xfb 0xfe 0xf2 0xe6 0x13 0x56 0xec 0xa7
0x9a 0xe2 0x64 0x53 0x5f 0x65 0xd3 0xc8
0x68 0x74 0x02 0xdc 0x6f 0x43 0xe1 0x8b
0xbf 0xa2 0x2a 0x80 0xbb 0x6a 0x28 0x78
0x17 0xf6 0xfc 0x67 0xb3 0x9e 0xcb 0x31
0xf9 0xaa 0x9b 0x2b 0xb8 0x1a 0x3e 0xf8
0xd2 0x5c 0x20 0x11 0x4b 0x3b 0x0b 0x6e
0xaf 0xca 0x6b 0x60 0x94 0x5a 0x61 0x27
0xb5 0x7e 0x4d 0xbe 0x57 0x26 0xcf 0xef
0xbc 0x40 0x72 0x14 0x83 0x47 0xf7 0x1b
0x79 0x50 0x1f 0x3c 0x5e 0x0f 0xf5 0x62
0x6c 0x21 0x70 0x4f 0xeb 0xea 0x98 0xfa
0xba 0x46 0x01 0xcd 0x88 0x0e 0x39 0xc1
0xd0 0xdf 0x2f 0x0c 0x29 0x66 0xd6 0xe8
S[0…127]:
0x08 0xa5 0xe9 0x09 0x45 0xc0 0xed 0xf1
0x5d 0xfd 0x34 0xc3 0x4e 0x7b 0x9d 0x96
0x38 0x76 0x7c 0x49 0x8f 0xd9 0x35 0xcc
0x99 0xb0 0x2d 0x97 0xe7 0x1d 0xa9 0x16
0x7d 0x10 0x8c 0x89 0x51 0xa1 0xd7 0x5b
0x3d 0x1c 0x23 0x1e 0xe0 0xb2 0x84 0xa8
0xc5 0x24 0x86 0xb9 0x07 0xac 0xf0 0x52
0x32 0x92 0xda 0x06 0xe4 0xd4 0x82 0xd5
0xdb 0xae 0x04 0x4c 0x36 0xc6 0x19 0x2e
0xb4 0x2c 0x69 0xc7 0xce 0x71 0x91 0xa6
0xde 0x22 0x59 0xf4 0x54 0x25 0x42 0x0d
0xff 0x03 0x0a 0x44 0x87 0x37 0x8e 0x12
0x30 0x33 0x58 0x3a 0x81 0xf3 0x8d 0x9f
0xbd 0xc4 0x95 0x73 0x93 0x55 0x41 0xb6
0x90 0x63 0x9c 0x18 0x77 0xdd 0xe3 0xc9
0x8a 0xb1 0x7f 0xee 0xe5 0xad 0x05 0xa0

Backup

Differential Cryptanalysis: Overview
Let P = (P_L, P_R), P* = (P_L*, P_R*) and C = (C_L, C_R), C* = (C_L*, C_R*) be pairs of inputs and outputs with prescribed xors
P' = (P_L', P_R') = (P_L, P_R) ⊕ (P_L*, P_R*)
C' = (C_L', C_R') = (C_L, C_R) ⊕ (C_L*, C_R*)
Output xor depends non uniformly on key bits. Let non uniform distribution "vote" on set containing keys.
Uses chosen plaintext/ciphertext pairs to get enough compliant pairs by following the xor of two plaintexts through rounds of DES. Examine last round to discover key.
[figure: P and P* pass through the S-box under key K to give C and C*; P' = P ⊕ P*, C' = C ⊕ C*]

Differential Profile of single S-box
• For prescribed input and output differences x', y' set D_j(x', y') = {u : S_j(u ⊕ x') ⊕ S_j(u) = y'}, then
  • Note that u, u ⊕ x', u ⊕ k, u ⊕ x' ⊕ k will all appear in this set
  • k ∈ x ⊕ D_j(x', y'), if x is an input (pre-key) to S_j.
• |D_j(x', y')| has non uniform distribution.
  • For given input difference about 80% of the output differences are possible.
• p = |D_j(x', y')| / 2^m, m is the dimension of the input space of S_j.
• Shamir and Biham denote this as x' → y', p.

S1 Differential Distribution
S box 1 (rows: input xor, hex; columns: output xor; entries: number of inputs u)
In 0 1 2 3 4 5 6 7 8 9 a b c d e f
0 64 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
1 0 0 0 6 0 2 4 4 0 10 12 4 10 6 2 4
2 0 0 0 8 0 4 4 4 0 6 8 6 12 6 4 2
3 14 4 2 2 10 6 4 2 6 4 4 0 2 2 2 0
4 0 0 0 6 0 10 10 6 0 4 6 4 2 8 6 2
5 4 8 6 2 2 4 4 2 0 4 4 0 12 2 4 6
6 0 4 2 4 8 2 6 2 8 4 4 2 4 2 0 12
7 2 4 10 4 0 4 8 4 2 4 8 2 2 2 4 4
8 0 0 0 12 0 8 8 4 0 6 2 8 8 2 2 4
9 10 2 4 0 2 4 6 0 2 2 8 0 10 0 2 12
a 0 8 6 2 2 8 6 0 6 4 6 0 4 0 2 10
b 2 4 0 10 2 2 4 0 2 6 2 6 6 4 2 12
c 0 0 0 8 0 6 6 0 0 6 6 4 6 6 14 2
d 6 6 4 8 4 8 2 6 0 6 4 6 0 2 0 2
e 0 4 8 8 6 6 4 0 6 6 4 0 0 4 0 8
f 2 0 2 4 4 6 4 2 4 8 2 2 2 6 8 8
10 0 0 0 0 0 0 2 14 0 6 6 12 4 6 8 6
11 6 8 2 4 6 4 8 6 4 0 6 6 0 4 0 0
12 0 8 4 2 6 6 4 6 6 4 2 6 6 0 4 0

S1 Differential Distribution: another view
S box 1
D1(00, 0d): 0 found
D1(01, 0d): (0a,0b) (0b,0a) (22,23) (23,22) (3e,3f) (3f,3e) 6 found
D1(02, 0d): (08,0a) (0a,08) (29,2b) (2b,29) (35,37) (37,35) 6 found
D1(03, 0d): (14,17) (17,14) 2 found
D1(04, 0d): (13,17) (17,13) (1b,1f) (1f,1b) (2a,2e) (2e,2a) (3b,3f)
(3f,3b) 8 found
D1(05, 0d): (01,04) (04,01) 2 found
D1(06, 0d): (21,27) (27,21) 2 found
… … …
D1(33, 0d): (07,34) (0d,3e) (1a,29) (29,1a) (34,07)
(3e,0d) 6 found
D1(34, 0d): (06,32) (10,24) (16,22) (1c,28) (22,16)
(24,10) (28,1c) (32,06) 8 found
D1(35, 0d): (00,35) (35,00) 2 found
D1(36, 0d): (02,34) (0d,3b) (34,02) (3b,0d) 4 found

Example: Differential Cryptanalysis of S1 through a single round
Consider input texts and output xors from S1
P1 = 0x01, P1* = 0x35 which produce output xor C1' = 0x0d. (So C1' = 0x34).
P2 = 0x22, P2* = 0x15 which produce output xor C2' = 0x03. (So C2' = 0x34).
Then D1(0x34, 0xd) = {0x06, 0x10, 0x16, 0x1c, 0x22, 0x24, 0x28, 0x32}.
D1(0x34, 0x3) = {0x01, 0x02, 0x15, 0x21, 0x35, 0x36}.
And (1) k ∈ P1 ⊕ D1(0x34, 0xd) (2) k ∈ P2 ⊕ D1(0x34, 0x3)
(1) reduces the possible key set to {0x07, 0x33, 0x11, 0x25, 0x17, 0x23, 0x1d, 0x29}
(2) reduces the possible key set to {0x20, 0x14, 0x23, 0x17, 0x34, 0x00}.
The intersection (and actual possibilities) are {0x17, 0x23}
One Round Differential used to analyze 4 round DES

Method: Use 1 round characteristic to right. Undo effect of permutation matrix and solve each S box separately. This allows us to solve for 48 key bits.
This 1 round characteristic will be used to estimate input xor in subsequent rounds.

Figure: one-round characteristic, (L', R') = (20 00 00 00, 00 00 00 00) → (20 00 00 00, 00 00 00 00), with F input a' = 0, F output A' = 0, p = 1.
Differential Cryptanalysis of 4 rounds

• D' = a' ⊕ B' ⊕ L4'
• d' = R4'
• Because b' = L0', the output xor of S2, S3, …, S8 in round 2 is 0. This gives 28 bits of B' and hence 28 bits of D' is known.
• Since B' is known, we can calculate D' = B' ⊕ L4' using 4 encrypted pairs for each of the 7 relevant S boxes. All key candidates are in this set, which gives 7 x 6 = 42 bits of key with high probability.

Figure: four-round characteristic with L0' = 20 00 00 00, R0' = 00 00 00 00 and output (L4', R4'); the four F applications have inputs a', b', c', d' and outputs A', B', C', D'.
Computing a single characteristic

• The first and most important differential is (L', 0) → (L', 0), p = 1.
• Another is (L', 0x60000000) → (L' ⊕ 0x00808200, 0x60000000), p = 1/4.
• Construction:
  • E(0x60000000) = E(0110 0000 … 0000) = 001100 000000 … 000000
  • S1(001100)' → 0xe with p = 1/4, Sj(0)' → 0 with p = 1 for j > 1, and P(0xe0000000) = 0x00808200.

Figure: one round, (Lin', Rin') → (Lout', Rout'), with F input a' giving output A' with probability p.
Multi-round Characteristics

• Sequence of differentials with identified input and output xors. Each round differential occurs with probability p_i.
• Overall probability: p = Π p_i
• Characteristic to the right is a three round characteristic with probability (14/64)^2
• Used to approximate differentials through multiple rounds.
• Each pair following the characteristic at each round is called a "right pair". Other pairs are "wrong pairs."
• Wrong pairs get distributed uniformly; right pairs follow overall characteristic probability.

Figure: three-round characteristic, ΩP = 00 80 82 00 60 00 00 00, ΩC = 00 80 82 00 60 00 00 00; round 1: a' = 60 00 00 00, A' = 00 80 82 00, p = 14/64; round 2: b' = 0, B' = 0, p = 1; round 3: c' = 60 00 00 00, C' = 00 80 82 00, p = 14/64.
Three Round Characteristic

• This characteristic occurs with probability p = 1/16 and forms an estimate for the differential input of the 4th round of the 6 rounds.
• (00 20 00 08 00 00 00 04) → (00 00 04 00 00 20 00 08) with p = 1/16 is another such characteristic.

Figure: three-round characteristic (40 08 00 00, 40 00 00 00) → (40 08 00 00, 40 00 00 00) through F, F, F.
Differential Cryptanalysis of 6 rounds

• Suppose (L(i-1), R(i-1)), k_i are the inputs to round i. PL = L0, PR = R0.
• L6 = R4 ⊕ f(k6, R6) = L3 ⊕ f(k6, R6) ⊕ f(k4, R3)
• L6' = L3' ⊕ f(k6, R6) ⊕ f(k6, R6*) ⊕ f(k4, R3) ⊕ f(k4, R3*)
• L6' = CL' and R6 = CR are known.
• Estimate L3' = 40000000, R3' = 40080000, using the differential.
• Set S = P^-1(CL' ⊕ 40000000) = f(k6, CR) ⊕ f(k6, CR*) ⊕ f(k4, R3) ⊕ f(k3, R3*) = S1(E1) || S2(E2) || … || S8(E8), where E1 || E2 || … || E8 are the bits obtained by applying E to 40080000.
• E1 || E2 || … || E8 = 001000 000000 000001 010000 00…0 = 08 || 00 || 01 || 10 || 00 || 00 || 00 || 00.
• Since the input xors to S2, S5, S6, S7, S8 are 0, f(k4, R3) ⊕ f(k4, R3*) is 0 in the corresponding output bit positions and we are left with the simple differential: P^-1(CL' ⊕ 40000000) = f(k6, CR) ⊕ f(k6, CR*) for S2, S5, S6, S7, S8.
Differential Cryptanalysis of 6 rounds

• First characteristic yields 30 bits of key. Second one adds another 12 bits of key.
• Recall P^-1(CL' ⊕ 40000000) = f(k6, CR) ⊕ f(k6, CR*) for S2, S5, S6, S7, S8
• This occurs with p = 1/16.
• Straightforward implementation yielding 30 key bits:
  • Set up 2^30 counters
  • Bump counter for suggested key for each pair of n chosen texts
  • Correct key will be "voted" at least (1/16) n times ("right pairs")
  • Incorrect keys will be voted randomly, each with probability 1/2^30
Differential Cryptanalysis of 6 rounds

• Improving the "signal to noise" ratio by "filtering" pairs
• For each of S2, S5, S6, S7, S8 with input xor x' and output xor y', look at x ⊕ Dj(x', y').
• If this is empty, this must be a wrong pair.
• For any given S box, this happens with probability .2.
• The probability that all 5 S boxes have non-empty candidate key sets is (.8)^5 = .33. Call this set of pairs RP and the complement WP.
• RP contains 1/3 of the pairs, WP contains 2/3
• In RP, the probability of a "correct vote" is 3/16
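The single-round key recovery from the S1 example slide and the wrong-pair filter above, carried out in code. This is an added example, not from the slides: it embeds DES S-box 1 as published in FIPS 46 (the slides show only its difference distribution, not the box itself), and for the second pair it assumes P2 = 0x21, P2* = 0x15, since the slide's D1(0x34, 0x3) requires P2 ⊕ P2* = 0x34 and 0x21 ⊕ 0x15 = 0x34.

```python
# Added example (not from the slides): DES S-box 1 differential analysis.
# S1 itself is taken from FIPS 46; the slides only show its distribution.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def s1(x):
    """S1 on a 6-bit input: outer bits select the row, middle four the column."""
    row = ((x >> 4) & 2) | (x & 1)
    return S1[row][(x >> 1) & 0xF]

def d1(in_xor, out_xor):
    """D1(x', y'): every input x with S1(x) ^ S1(x ^ x') == y'."""
    return {x for x in range(64) if s1(x) ^ s1(x ^ in_xor) == out_xor}

def ddt():
    """Difference distribution table: ddt[x'][y'] == len(d1(x', y'))."""
    return [[len(d1(xi, yo)) for yo in range(16)] for xi in range(64)]

def key_candidates(p, p_star, out_xor):
    """Rules (1)/(2) of the slide: k is in P xor D1(P xor P*, C')."""
    return {p ^ x for x in d1(p ^ p_star, out_xor)}

def is_wrong_pair(p, p_star, out_xor):
    """Filter of the 6-round slides: an empty candidate set proves the pair
    cannot follow the characteristic, so it is a wrong pair."""
    return not key_candidates(p, p_star, out_xor)

def empty_entry_rate(table):
    """Fraction of nontrivial (x', y') entries that no input pair can produce,
    i.e. how often the filter can reject a pair at one S-box."""
    cells = [table[xi][yo] for xi in range(1, 64) for yo in range(16)]
    return sum(c == 0 for c in cells) / len(cells)

if __name__ == "__main__":
    k1 = key_candidates(0x01, 0x35, 0xd)   # first pair of the slide
    k2 = key_candidates(0x21, 0x15, 0x3)   # second pair (assumed, see lead-in)
    print(sorted(hex(k) for k in k1 & k2))  # ['0x17', '0x23']
    print(round(empty_entry_rate(ddt()), 2))
```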
Algebraic Attacks

• As we've seen, ciphertext can be expressed as an algebraic function of keys and plaintext (Lagrange Interpolation Theorem).
• Sometimes key bits are expressible as functions of plain and cipher texts
• These are easy to solve if the equations are linear, even for very large key spaces.
• These are very hard to solve if the equations are even quadratic (NP-hard in fact, see "General System of Quadratic Equations" slide).
• General problem is "Find one solution of a system of m equations in n variables of bounded degree, D, over K (usually finite): Σ_b a_b x^b + c_i = 0, x^b = x_1^b_1 x_2^b_2 … x_n^b_n, Σ_i b_i ≤ D"
• We refer to this problem as SolveAlgebraic(K, D, m, n) and often abbreviate equations as l_j(x) = 0.
Solving SolveAlgebraic(K, D, m, n)

• Classic technique is Gröbner Basis, see
  • Lauritzen, Concrete Abstract Algebra. Cambridge.
  • Cox, Little, O'Shea, Using Algebraic Geometry. Springer.
• Gröbner uses Buchberger's Algorithm, which is doubly exponential time in the worst case, since the monomials grow very rapidly, and singly exponential time on average.
• This is not practical for n > 15.
• However, we can do better with an overdefined set of equations (m > n).
• Note first that if we pick m random equations, m > n, they will likely be inconsistent.
• Let's see how we might solve overdetermined systems by solving them as we do linear equations, after we prove that solving even quadratic systems of equations is NP hard.
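Solving an overdefined quadratic system over GF(2) "as we do linear equations", as an added example that is not from the slides: each degree-2 monomial x_i x_j is renamed to a fresh unknown (linearization), the m > n equations become a linear system, and Gauss-Jordan elimination over GF(2) solves it. The instance, 7 constructed equations in 3 unknowns, is made up here.

```python
from itertools import combinations

def monomials(n):
    # Degree-1 monomials x_i followed by degree-2 monomials x_i x_j, i < j.
    return [(i,) for i in range(n)] + list(combinations(range(n), 2))

def solve_gf2(rows, ncols):
    # Gauss-Jordan over GF(2) on augmented rows [coeffs..., constant].
    # Returns None if the system is inconsistent (0 = 1 appears, as
    # random m > n equations usually are) or has fewer than ncols pivots.
    rows, pivots = [r[:] for r in rows], []
    for c in range(ncols):
        r = len(pivots)
        p = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if p is None:
            continue
        rows[r], rows[p] = rows[p], rows[r]
        for i in range(len(rows)):
            if i != r and rows[i][c]:
                rows[i] = [a ^ b for a, b in zip(rows[i], rows[r])]
        pivots.append(c)
    if len(pivots) < ncols or any(row[-1] and not any(row[:-1]) for row in rows):
        return None
    return [rows[pivots.index(c)][-1] for c in range(ncols)]

def linearize_and_solve(n, equations):
    # equations: (set of monomial tuples, constant) meaning sum(monomials) = constant.
    mons = monomials(n)
    idx = {m: k for k, m in enumerate(mons)}
    rows = []
    for terms, const in equations:
        row = [0] * (len(mons) + 1)
        for t in terms:
            row[idx[t]] ^= 1
        row[-1] = const
        rows.append(row)
    sol = solve_gf2(rows, len(mons))
    if sol is None:
        return None
    x = sol[:n]
    # The linearized solution is genuine only if every renamed monomial
    # x_i x_j agrees with the product of the recovered bits.
    if any(sol[idx[(i, j)]] != (x[i] & x[j]) for i, j in combinations(range(n), 2)):
        return None
    return x

# Constructed instance (m = 7 > n = 3), built so that x = (1, 0, 1) satisfies it.
EQS = [({(0,), (0, 1)}, 1), ({(1,), (1, 2)}, 0), ({(2,), (0, 2)}, 0),
       ({(0, 1), (0, 2)}, 1), ({(0, 2), (1, 2)}, 1),
       ({(1,), (2,), (0, 1)}, 1), ({(1,), (0, 1), (0, 2)}, 1)]

if __name__ == "__main__":
    print(linearize_and_solve(3, EQS))  # [1, 0, 1]
```

With only the first five equations the linearized system has fewer pivots than monomials and the solver reports failure, which is the point of needing m well above n.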
SHA-0 Strategy (Chabaud and Joux)

• Basic idea is to look for small differences that can be tracked through rounds, like differential cryptanalysis.
• Consider three approximations to the SHA-0 compression function.
• SHI-1
  • Use Xor instead of Add
  • Make f(i) linear
• SHI-2
  • Use Xor instead of Add
  • Restore f(i) to original values
• SHI-3
  • Restore Add
  • Make f(i) linear
SHI-1 Finding Collisions

• Assume the W(i) are unrelated and follow progress of a change to W(1).

Figure: SHA-0 step diagram over registers A, B, C, D, E; the step computes W1 + ROL5(A) + f(B,C,D) + E + K, the result moves down the registers with ROL30 applied to B, and corrections in W2 … W6 fix the W1 perturbation.
SHI-1 Error Propagation in Hash

Figure: error propagation table (labels: "Δ State", "Perturbation on bit 1", "Corrections defining masks"); entries as they appear on the slide, by step:
  W:  W1(i)   W6(i+1)   W1(i+2)   W31(i+3)   W31(i+4)   W31(i+5)
  A:  A(i)    A1(i)     A(i+1)    A(i+2)     A(i+3)     A(i+4)     A(i+5)
  B:  B(i)    B31(i+1)  B(i+5)
  C:  C(i)    C31(i+2)  C(i+5)
  D:  D(i)    D31(i+3)  D(i+5)
  E:  E(i)    E31(i+4)  E(i+5)
Message Expansion

• Process of expanding from 16 32-bit words to 80 32-bit words in the compression function is called message expansion
  • MD5: Permutations
  • SHA-0: Linear code (LFSR)
  • SHA-1: Linear code with rotation
• Has profound effect on possible disturbance vectors in Differential attacks
• Being studied to provide greater protection
  • Replace xor with modular addition to prevent codeword difference propagation
  • Conditions on chaining variables for local collision (Prob between 2^-39 and 2^-42)
End