D.SYM.13 Final Report on New Developments in Symmetric …D.SYM.13 | Final Report on New Developments in Symmetric Key Cryptanalysis 1 Executive Summary Symmetric cryptography addresses

ECRYPT II ECRYPT II

ICT-2007-216676

ECRYPT II

European Network of Excellence in Cryptology II

Network of Excellence

Information and Communication Technologies

D.SYM.13

Final Report on New Developments in Symmetric KeyCryptanalysis

Due date of deliverable: 20. January 2013Actual submission date: 19. December 2012

Start date of project: 1 August 2008 Duration: 4 years

Lead contractor: Katholieke Universiteit Leuven (KUL)

Revision 1.0

Project co-funded by the European Commission within the 7th Framework Programme

Dissemination Level

PU Public X

PP Restricted to other programme participants (including the Commission services)

RE Restricted to a group specified by the consortium (including the Commission services)

CO Confidential, only for members of the consortium (including the Commission services)

Final Report on New Developments in Symmetric

Key Cryptanalysis

EditorSvetla Nikova (KU Leuven)

ContributorsAndrey Bogdanov (KU Leuven)Jonathan Etrog (Orange Labs)

Simon Knellwolf (FHNW),Willi Meier (FHNW),

Anne Canteaut (INRIA)Gaetan Leurent (University of Luxemburg)

Florian Mendel (TU Graz),Nicky Mouha (KU Leuven),

Kaisa Nyberg (Aalto),Jorge Nakahara Jr. (ULB),

Andrea Rock (Aalto),Vincent Rijmen (KU Leuven),Christian Rechberger (DTU),Martin Schlaffer (TU Graz),Tomislav Nad (TU Graz),

Vesselin Velichkov (University of Luxemburg)

19. December 2012Revision 1.0

The work described in this report has in part been supported by the Commission of the EuropeanCommunities through the ICT program under contract ICT-2007-216676. The information in this documentis provided as is, and no warranty is given or implied that the information is fit for any particular purpose.The user thereof uses the information at its sole risk and liability.

Contents

1 Introduction 3

2 Cube Attacks and Other Higher Order Differential Techniques 52.1 Cube Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

2.1.1 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62.1.2 Cube Attacks on Trivium . . . . . . . . . . . . . . . . . . . . . . . . . 7

2.2 Cube Testers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72.2.1 Terminology and Basic Idea . . . . . . . . . . . . . . . . . . . . . . . . 72.2.2 Examples of Testable Properties . . . . . . . . . . . . . . . . . . . . . 72.2.3 Cube Testers on Trivium . . . . . . . . . . . . . . . . . . . . . . . . . 8

2.3 Improving Cube Testers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82.3.1 Higher Order Derivatives of Boolean Functions . . . . . . . . . . . . . 82.3.2 Conditional Differential Cryptanalysis . . . . . . . . . . . . . . . . . . 92.3.3 Application to Trivium, Grain, and KATAN / KTANTAN . . . . . . . 92.3.4 Dynamic Cube Attack on Grain-128 . . . . . . . . . . . . . . . . . . . 10

2.4 Cube attacks and cube testers on other cryptographic schemes . . . . . . . . 102.5 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

3 Trade-offs in generic attacks on stream ciphers 133.1 Exhaustive attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133.2 Time-Memory-Data trade-offs . . . . . . . . . . . . . . . . . . . . . . . . . . . 143.3 Time-Memory-Key trade-offs . . . . . . . . . . . . . . . . . . . . . . . . . . . 143.4 Distinguishing and Initialization-Phase Attacks . . . . . . . . . . . . . . . . . 15

4 Implications of Related-Key Attacks 194.1 Related-key attacks in theory . . . . . . . . . . . . . . . . . . . . . . . . . . . 194.2 Related-key attacks in practice . . . . . . . . . . . . . . . . . . . . . . . . . . 194.3 Related-key attacks and security claims . . . . . . . . . . . . . . . . . . . . . 204.4 Outline of recent attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

4.4.1 Attacks on AES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204.4.2 Attacks on other ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . 23

5 Linear Cryptanalysis 255.1 Piling-up lemma . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265.2 Matsui Algorithm 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265.3 Matsui Algorithm 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

5.3.1 Probability of success of Algorithm 2 . . . . . . . . . . . . . . . . . . . 28

i

ii

5.4 Linear hull . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285.5 Deriving methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295.6 Multiple-Linear and Multidimensional Linear Cryptanalysis . . . . . . . . . . 29

5.6.1 Multiple Linear Cryptanalysis (Biryukov Method) . . . . . . . . . . . 295.6.2 Multidimensional Linear Cryptanalysis . . . . . . . . . . . . . . . . . . 30

5.7 Zero-Correlation Linear Cryptanalysis . . . . . . . . . . . . . . . . . . . . . . 34

6 Cryptanalysis of ARX Structures 376.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376.2 The Differential Analysis of S-functions . . . . . . . . . . . . . . . . . . . . . 386.3 The Additive Differential Probability of ARX . . . . . . . . . . . . . . . . . . 396.4 UNAF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

6.4.1 Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396.4.2 Main UNAF Theorem . . . . . . . . . . . . . . . . . . . . . . . . . . . 406.4.3 Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

6.5 Maximum Probability Output Differences . . . . . . . . . . . . . . . . . . . . 426.5.1 S-function Toolkit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426.5.2 An A* Search Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . 42

6.6 Rotational Cryptanalysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436.7 ARX-tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456.8 Automated Search for Differential Characteristics . . . . . . . . . . . . . . . . 45

6.8.1 Main Concept . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466.8.2 Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

6.9 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

7 Analysis of AES-based Hash Functions 51

8 Meet-in-the-middle preimage attacks on hash functions 538.1 The basic approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538.2 Refinements and improvements . . . . . . . . . . . . . . . . . . . . . . . . . . 548.3 Discussion of results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

9 Biclique Cryptanalysis of Block Ciphers 57

10 Higher Order Differential Attacks on Hash Functions 6110.1 Zero-sum distinguishers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6110.2 Second-Order Differential Collisions (4-sums) . . . . . . . . . . . . . . . . . . 62

10.2.1 Basic Definitions and Preliminaries . . . . . . . . . . . . . . . . . . . . 6310.2.2 Application to Block-Cipher-Based Hash Functions . . . . . . . . . . . 64

D.SYM.13 — Final Report on New Developments in Symmetric Key Cryptanalysis 1

Executive Summary

Symmetric cryptography addresses the problem of protecting the secret information usinga shared secret key. The message is transformed in such a way that it cannot be recoveredwithout this key. Algorithms which are used for symmetric encryption are known as symmetricciphers: block ciphers and stream ciphers. The security of symmetric encryption algorithmscan in general not be proved (with the exception of the one-time pad). Instead, the trust ina symmetric cipher is based on the fact that no weaknesses have been found after a long andthorough evaluation phase. The field which focuses on methods to defeat the secrecy of theinformation, i.e. which aims at breaking the ciphers is called cryptanalysis.

In this deliverable we provide a state of the art survey of recent developments in symmetriccryptanalysis. This is our final report and it is an update of the previous deliverables D.SYM.6and D.SYM.9. It includes the best to our knowledge new results and techniques developedfor cryptanalysis of block ciphers, stream ciphers and hash functions.

2 ECRYPT II — European NoE in Cryptology II

Chapter 1

Introduction

In this deliverable we have collected the most important recent developments in symmetrickey cryptanalysis.

We start with cube attacks - a new type of algebraic attacks for key recovery, whichhas been introduced in 2008. Cube attacks are applicable to cryptographic functions thathave a public parameter and that are inherently of a low algebraic degree. A variant of cubeattacks are cube testers, based on efficient property-testing algorithms. Attacks related tocube attacks and cube testers have been applied to the stream ciphers Trivium, Grain andKATAN / KTANTAN, and to the SHA-3 candidate MD6. In chapter 2 we summarize themain results.

The second type of attacks that we discuss is the distinguishing attack, where theadversary tries to determine if a given bit stream comes from a known cipher or from apurely random source. Although often weaker than a key-recovery attack, the existenceof a distinguisher of high probability may lead to information about unknown plaintext orthe internal state can leak through the ciphertext. Distinguishing attacks become quiteconventional in the cryptographic literature, and many examples can be found, some of whichare listed in Chapter 3.4.

Trade-offs in generic attacks on stream ciphers are discussed in Chapter 3. We brieflydescribe three types of generic attacks: exhaustive attacks, time-memory-data trade-offs,time-memory-key trade-offs.

A series of related-key attacks on AES drawn much attention in 2009. For those generalrelated-key attacks there is no protocol or application known where the attacks could beconsidered to be practical. In Chapter 4 we summarize the results and discuss the mainideas. We also briefly mention related-key attacks applied to other ciphers.

Linear cryptanalysis is one of the most powerful statistical cryptanalysis tools usingknown plaintext/ciphertext pairs and it is based on probabilistic linear approximations. Whilethe idea to use probabilistic approximations has already appeared in 1992 applied to FEAL,the theory of linear cryptanalysis was described and experimented on DES by Matsui in 1994.More recent results will be discussed in Chapter 5.

Basic linear cryptanalysis uses one linear approximation, but can we improve the attacksby using several approximations? Answer to this question is given in Chapter 5.6, where newdevelopments in multiple-linear and multidimensional linear cryptanalysis are presented.

Increasingly, cryptographic primitives use operations such as addition modulo 2n, rotationand exclusive ORs (ARX), as well as bitwise Boolean functions. In NIST’s SHA-3 hash

3


function competition, this applies to 6 out of the 14 second-round candidates. An overview ofrecent developments in the field of ARX-based cryptography are presented in Chapter 6.

The submission of many AES-based hash function to the NIST SHA-3 competition hasinitiated new developments in the analysis of AES as a building block in hash functions.Two different directions of analyzing AES based hash functions have been recently proposed- an attack applied to AES in hashing mode, which uses local collisions to construct high-probability differential paths and the rebound attack, which uses the available degrees offreedom to find pairs for the (multiple) expansive parts of a path more efficiently. Bothapproaches are discussed in Chapter 7.

Meet-in-the-middle attacks on the preimage resistance of hash functions recently re-ceived renewed attention. This is both in the context of MD2 by Knudsen et al., attacks onround-1 SHA-3 candidates by Khovratovic et al., as well as a series of results on members ofthe MD4 family of hash functions by Aoki, Sasaki and others and Tiger. In Chapter 8, wedescribe them in a way to fit into the meeet-in-the-middle (MITM) framework of Aoki andSasaki.

In Section 9 we briefly summarize recent progress in key recovery for block ciphers due tothe new technique of biclique cryptanalysis to enhance meet-in-the-middle attacks.

In the last section we discuss two techniques based on higher order differential crypt-analysis to show non-random properties in hash functions and/or their building blocks.First, we describe zero-sum structures as a new distinguishing property. To construct zero-sum structures one exploits either the fact that the permutation or its inverse after a certainnumber of rounds has a low degree, or some saturation properties due to a low diffusion.Second, we describe an application of the Boomerang attack to hash functions to construct a4-sum for the underlying permutation or compression function.

Chapter 2

Cube Attacks and Other HigherOrder Differential Techniques

Cube attacks have been presented by Dinur and Shamir [DS09] in 2008 as a new cryptanalytictool applicable to a broad class of secret key primitives (stream ciphers and block ciphers).If the primitive has inherently low degree an attacker can recover the secret key by solving asystem of linear equations. The authors of [DS09] introduced a new terminology which wasreused in [ADMS09] to describe cube testers. In contrast to the cube attacks, cube testerstypically yield distinguishing rather than key recovery attacks. Both types of attack applyin a scenario where the attacker can make chosen queries to the cipher (chosen IV or chosenplaintext).

Cube attacks as well as cube testers have a natural description in terms of higher or-der derivatives of Boolean functions as defined by Lai [Lai94] in 1994. In this perspec-tive, cube testers have been improved using the idea of conditional differential cryptanalysisin [KMNP10,KMNP11]. A similar idea underlies the dynamic cube attack [DS11]. These im-provements resulted in the first attack on the stream cipher Grain-128 and on the best knownattacks on reduced variants of the stream ciphers Grain v1, Trivium, and the KATAN /KTANTAN family of lightweight block ciphers.

We first describe cube attacks and cube testers, before we describe the more recent im-provements. We also provide a short translation of the cube terminology to the terminologyof higher order differential cryptanalysis.

2.1 Cube Attacks

Cube attacks exploit implicit low-degree equations in cryptographic algorithms. They onlyrequire black box access to the target primitive, and were successfully applied to reducedvariants of the stream cipher Trivium [DS09]. A very similar technique has been proposedearlier in [Vie07]. The attacker recovers a secret key through specific queries to the cipher,followed by solving a linear system of equations in the secret key variables. A one timepreprocessing phase is required to determine which queries should be made during the onlinephase of the attack.

5


2.1.1 Terminology

Let f be a function mapping 0, 1n to 0, 1, n > 0. The algebraic normal form (ANF) of fis its representation as a polynomial over GF(2) in variables x1, . . . , xn. It has the form

2n−1∑i=0

ai · xi11 xi22 · · ·x

in−1

n−1 xinn ,

where a0, . . . , a2n−1 are binary coefficients, and ij denotes the j-th digit of the binary encodingof i. A key observation regarding cube attacks is that for any function f : 0, 1n → 0, 1,one has

a2n−1 =∑

x∈0,1nf(x).

That is, the sum of all entries in the truth table equals the coefficient of the highest degreemonomial in the ANF of f . For example, let n = 4 and f be defined as

f(x1, x2, x3, x4) = x1 + x1x2x3 + x1x2x4 + x3.

Summing f over all 16 distinct inputs yields zero, the coefficient of the monomial x1x2x3x4.Instead, cube attacks sum over a subset of the inputs. For example, summing over the fourpossible values of (x1, x2) ∈ 0, 12 gives

f(0, 0, x3, x4) + f(0, 1, x3, x4) + f(1, 0, x3, x4) + f(1, 1, x3, x4) = x3 + x4,

which is the polynomial that multiplies x1x2 in f :

f(x1, x2, x3, x4) = x1x2 · (x3 + x4) + x1 + x3.

Generalizing, given a function f : 0, 1n → 0, 1 and an index set I ⊂ 1, . . . , n,summing f over all possible values xi ∈ 0, 1 for i ∈ I results in the polynomial p such that

f(x1, . . . , xn) = tI · p(· · · ) + q(x1, . . . , xn)

where tI is the monomial containing all the xi with i ∈ I, p has no variable in common withtI , and no monomial in the polynomial q contains tI .

Following the terminology of [DS09], p is called the superpoly of I in f , tI is called amaxterm if p has degree 1, and f is called the master polynomial.

Preprocessing Phase

This phase must be done only once and does not require online access to the cipher. The goalis to find sufficiently many maxterms of the master polynomial. Each maxterm gives rise toa linear equation in the bits of the key. Hence, recovering the full key requires k maxterms,where k is the length of the key. Testing whether tI actually is a maxterm and reconstructingits linear representation in key bits is achieved by probabilistic linearity tests [BLR90].

Online Phase

The attacker now evaluates the superpolys of all the k maxterms by summing f over thecorresponding public variables. Each result corresponds to a linear combination of the key bits(determined in the preprocessing phase). Assuming that the degree of the master polynomialis d, each evaluation requires at most 2d−1 chosen queries. Once enough linear superpolys arefound, the key can be recovered by solving the system of linear equations.


2.1.2 Cube Attacks on Trivium

The stream cipher Trivium was designed by De Canniere and Preneel [De 06] and was chosenfor the final eSTREAM portfolio of hardware oriented ciphers1. Trivium takes as input a80-bit key and a 80-bit IV. Its initialization has 1152 rounds. Each round corresponds toclocking three non-linear feedback shift registers.

The cube attack could be successfully applied to a reduced variant with 767 initializationrounds [DS09].

2.2 Cube Testers

Unlike cube attacks, cube testers typically yield distinguishing rather than key recovery at-tacks. Cube testers have been introduced in [ADMS09] based on the terminology of [DS09],but similar ideas have been used earlier [EJT07,Fil02,KM08,KM08,Saa06].

2.2.1 Terminology and Basic Idea

Informally, a distinguisher for a master polynomial f , representing a cipher with a fixed secretkey, is a procedure that identifies a specific property of f that is unlikely to be observed fora randomly chosen function. In the case of cube testers, the procedure is allowed to makequeries with chosen values for some public variables. The set of public variables is dividedinto two complementary subsets: cube variables (CV) and superpoly variables (SV). Cubetesters evaluate the superpoly of the CV for different configurations of the SV in order toexhibit a distinguishing property. We illustrate these notions with our previous example,

f(x1, x2, x3, x4) = x1 + x1x2x3 + x1x2x4 + x3.

For the index set I = 1, 2 the superpoly is p(x3, x4) = x3 + x4. Here, x1 and x2 are theCV, and x3 and x4 are the SV. The superpoly is linear in the SV which can be detected bythe attacker. An even stronger property can be detected for the index set I = 3, 4. Then,the superpoly evaluates to 0 for every configuration of the SV x1 and x2. In comparison,for a function chosen uniformly at random from all functions 0, 14 → 0, 1, the superpolyof x3x4 is zero with probability only 1/16. This yields a distinguisher for f that alwaysidentifies f (no false negatives) and with probability 1/16 incorrectly identifies a randomfunction as f (false positives). The distinguisher makes 24 queries to f . Note that in thiscase, the distinguisher requires the entire truth table of f . At the cost of a higher rate of falsepositives, the number of queries can be reduced.

2.2.2 Examples of Testable Properties

Let us give some examples of properties which can be used to build cube testers. We let Cbe the size of CV, and S be the size of SV.

• Imbalance. A random function is expected to contain roughly the same number ofzeroes and ones in its truth table. A strongly imbalanced truth table can be used asa distinguishing property. Typically, not the entire truth table is queried, but only arandom sample. If the sample has size 2N , N < S, the distinguisher requires 2C+N

queries to the cipher.

1See http://www.ecrypt.eu.org/stream/


• Constantness. This is a special case of a maximally imbalanced truth table (all zeroor all one).

• Low Degree. A superpoly of a random function has degree at least S − 1 withhigh probability. Probabilistic tests for the degree of Boolean functions are givenin [AKK+03, Sam07], for example. The test in [AKK+03] for degree d queries thesuperpoly at about d4d points and always accepts if the ANF of the function has degreeat most k, otherwise it rejects with some bounded error probability.

• Linear Variables. This is a special case of low degree. Probabilistic linearity tests arealso required for the cube attacks, but in a slightly different context.

• Neutral Variables. Dually to the linearity, one can test whether a SV is neutral in thesuperpoly. Alternatively, this can be seen as a special case of imbalance on a restrictedpart of the truth table.

In practice, imbalance and neutral variables turned out to be most effective. Note that,in contrast to the cube attacks, these properties do not require the superpoly to have aparticularly low degree.

2.2.3 Cube Testers on Trivium

For a reduced variant of Trivium with 790 rounds, a distinguisher based on neutral variablesis given in [ADMS09]. The distinguisher requires 231 chosen IV queries.

2.3 Improving Cube Testers

Recently, cube testers have been improved in two directions. Both directions have in commonthat some SV are assigned with specific values in order to amplify the non-random behaviorof the superpoly. We first explain the basic idea from [KMNP10,KMNP11] that is based ona higher order differential view on cube testers. Then we summarize [DS11] which exploits aparticular weakness of Grain-128.

2.3.1 Higher Order Derivatives of Boolean Functions

Let us briefly review the terminology of Lai [Lai94] which gives a more general view on cubeattacks and cube testers in terms of higher order derivatives.

Let f : 0, 1n → 0, 1 be a Boolean function and a ∈ 0, 1n. The derivative of f withrespect to a is defined as

∆af(x) = f(x)⊕ f(x⊕ a).

Note that computing the derivative of f with respect to a gives the output difference of f forthe input difference a. Analogously, the following definition corresponds to the generalizationof higher order differential cryptanalysis [Knu94]. Let a1, . . . , ad ∈ 0, 1n. The d-th derivativeof f with respect to a1, . . . , ad is defined as

∆(d)a1,...,ad

f(x) =∑

c∈L(a1,...,ad)

f(x⊕ c),

where L(a1, . . . , ad) is the set of all 2d linear combinations of a1, . . . , ad.


Relation to Cube Attacks.

The superpoly of I ⊂ 1, . . . , n in f is precisely the derivative of f with respect to ei, i ∈ I,where ei ∈ 0, 1n has a one at position i and zeros otherwise. Hence, superpolys are a specialcase of higher order derivative with respect to points of Hamming weight one.

2.3.2 Conditional Differential Cryptanalysis

In [KMNP10, KMNP11] the differential view on cube testers is combined with the idea ofconditional differential cryptanalysis from [BAB93]. The technique has been extended tohigher order cryptanalysis and applied to constructions based on non-linear feedback shiftregisters (NLFSR).

Suppose a prototypical NLFSR-based cipher with an internal state of length ` which isinitialized with a key k and an initial value x. Let s0, s1, . . . be the consecutive state bitsgenerated by the cipher, such that (si, . . . , si+`) is the state after i rounds, and let h be theoutput function of the cipher such that h(si, . . . , si+`) is the output after i rounds. Everystate bit is a function of (k, x) and the same is true for the output of h. For some fixed i, letf = h(si, . . . , si+`).

The idea of conditional differential cryptanalysis is to derive conditions on x that controlthe propagation of the difference up to some round r. This results in a system of equations

∆as1(k, x) = γ1,∆as2(k, x) = γ2,

. . .∆asr(k, x) = γr,

(2.1)

where the γi ∈ 0, 1 describe the differential characteristic. The goal is to find a large sampleof inputs that follow the same characteristic, such that their difference is imbalanced at theoutput. The conditions may also involve variables of the key. This allows for key recovery orclassification of weak keys.

Analyzing the conditions is a crucial part of conditional differential cryptanalysis. If thesystem (2.1) is represented as an ideal in a suitable ring of Boolean polynomials, automatictools such as Grobner basis algorithms can be used for the analysis.

2.3.3 Application to Trivium, Grain, and KATAN / KTANTAN

Grain v1 is a stream cipher proposed by Hell, Johansson, and Meier [HJM07] and, as Trivium,has been selected for the final eSTREAM portfolio. It accepts an 80-bit key and a 64-bitinitial value. Initialization takes 160 rounds. Grain-128 was designed by Hell, Johansson,Maximov, and Meier [HJMM06] as a bigger version of Grain v1. It accepts a 128-bit key, a96-bit initial value, and initialization takes 256 roudns. Table 2.1 shows the results obtainedwith conditional differential cryptanalysis for reduced variants of Grain v1, Grain-128, andTrivium [KMNP10,KMNP11].

Conditional differential cryptanalysis also has been applied to the KATAN / KTANTANfamily of lightweight block ciphers, designed by De Canniere, Dunkelman, and Knezevic [DDK09].The family consists of six ciphers in two flavors and three block sizes. All members of thefamily showed a comfortable security margin with respect to conditional differential crypt-analysis.


Table 2.1: Conditional differential cryptanalysis of NLFSR-based stream ciphers. Indicatedis the query complexity (i.e., the number of chosen IVs). The time and memory complexitiesare negligible for all attacks.

Cipher Rounds Complexity Weak keys Type of attack

Grain v1 97 231 all key recovery104 239 all distinguisher

Grain-128 213 225 all key recovery215 225 all distinguisher

Trivium 798 225 all distinguisher868 225 231 distinguisher961 225 226 distinguisher

2.3.4 Dynamic Cube Attack on Grain-128

The dynamic cube attack [DS11] is another way to improve the efficiency of cube testersand to turn them into key recovery attacks. As for conditional differential cryptanalysisspecific values are assigned to the SV. But contrary to previous attacks, these values aredynamically adapted during the evaluation of the superpoly. This potentially increases thenon-random behavior and eventually leaks information on the key. Finding the dependenciesof the dynamic SV from the CV and eventually from the key is the intricate part of the attack.

In [DS11] a approach specific to Grain-128 has been used. The output function of Grain-128 has a single monomial of degree 3 (all other monomials have lower degree). This monomialcontributes most to the high degree of the master polynomial f . Hence, one can try to nullifythis monomial by nullifying one of its variables. In order to nullify this variable, one analyzesits algebraic representation in state bits, which gives rise to other variables that have to benullified, and so on.

The dynamic cube attack can recover the full key of Grain-128 about 238 times faster thanexhaustive search for about 7.5% of the keys [DGP+11]. This attack is an improvement of thefirst attack on full Grain-128 which only worked for a much smaller class of weak keys [DS11].

2.4 Cube attacks and cube testers on other cryptographicschemes

Cube attacks and cube testers have been applied in [ADMS09] to reduced-round versionsof the SHA-3 candidate hash function MD6, [RAB+]. In a similar spirit as reported forTrivium, extensive hardware assisted cube testers on the eSTREAM candidate stream ci-pher Grain-128 2 have been carried out in [ADH+]. A statistical framework related to cubeattacks, based on probabilistic neutral bits, has been independently developed and appliedin [FKM08] for reduced complexity key recovery in Grain-128 for up to 180 of its 256 roundsof initialization. A similar concept has successfully been applied in [KM08] to a T-functionbased self-synchronizing stream cipher proposed by Klimov and Shamir, [KS05]. This is in-teresting as the cryptanalysed cipher uses word-wise operations in the T-function approach,

2See http://www.ecrypt.eu.org/stream/


rather than low-degree boolean functions, as is the case for most other primitives cryptanal-ysed thus far by cube attacks. Finally, the zero-sum distinguishers as considered in [AM] areinfluenced by high-order differential cryptanalysis and by cube distinguishers.

2.5 Conclusion

In the last few years, higher order differential cryptanalysis underwent a revival in streamcipher cryptanalysis. Cube testers and their improvements can serve as a benchmark forevaluating the algebraic strength of constructions based on low degree components, and asa reference for choosing the number of rounds. The success of higher order differential tech-niques on stream ciphers influenced cryptanalysis of other primitives as well. Notable ex-amples are non-random properties of the SHA-2 compression function [LM11], and zero-sumdistinguishers [AM,BCC11].


Chapter 3

Trade-offs in generic attacks onstream ciphers

The literature describes several brute-force generic attacks on stream ciphers 1. From ahigh-level point of view, the attacks can be described as a sequence of two phases:

Precomputation phase: The results of the computations performed in this phase can bereused for several iterations of the attack. Typically, the results are some tables whichare used to speed up the last phase of the attack. We denote the binary logarithm ofthe computational complexity of this phase by P .

Online phase: The attacker collects data, which usually consists of ciphertexts and corre-sponding known or chosen plaintexts. We count the amount of data collected in unitsof k bits, and denote the binary logarithm of this quantity by D. This data is combinedwith the results of the precomputation phase to recover the key. We denote the binarylogarithm of the computational complexity of this phase by T .

We denote the binary logarithm of the sum of the memory requirements of the precomputationphase and the online phase of the attack by M .

3.1 Exhaustive attacks

For a straightforward exhaustive key search, there is no precomputation, the attacker collectsa negligible amount of known plaintexts, and uses a negligible amount of memory (P = D =M ≈ 0). The online computational complexity is given by T = k.

On the other hand, we can also imagine an attack scenario where the attacker precomputesthe ciphertext for a given chosen plaintext under all possible keys, and stores the result ina table. This gives P = M = k. The online phase of the attack consists of obtainingthe ciphertext corresponding to the chosen plaintext and looking up the key in the table(D ≈ T = 0).Notes:

1. For an SSC a chosen-plaintext attack can always be replaced by a known-plaintextattack with the same complexities.

1The content of this chapter was published in [Rij10]

13


2. Some authors argue that it is not realistic to say that the time to look up data in atable doesn’t depend on the size of the table [Ber05]. All authors agree that memorycost and computation cost are very different things. Hence, when comparing varioustrade-off curves or points on a given trade-off curve, one has to be careful. A point withmuch higher T , but slightly decreased M compared to its alternatives, might well bethe best choice.

Between the two extreme cases formed by exhaustive key search and a full table basedattack, several trade-off scenarios can be defined. They are discussed next. We denote thekey length (in bits) by k. The classical time-memory trade-off described by Hellman [Hel80]has the following complexities:

T = M = 2k/3, P = k and D = 0,

which can be generalized to

T + 2M = 2k, P = k and D = 0.

This trade-off works for any one-way function, hence also for stream ciphers. The attackrecovers the secret key.

3.2 Time-Memory-Data trade-offs

For stream ciphers with an unkeyed output transformation, it is possible to define trade-offattacks targeting the internal state instead of the the key. We denote the size of the internalstate (in bits) by s. Babbage and Golic (BG) [Bab95, Gol97] describe time-memory-datatrade-off attacks with:

T +M = s, D = T and P = M. (3.1)

Biryukov and Shamir (BS) [BS00] describe time-memory-data trade-off attacks targeting theinternal state with:

T + 2M + 2D = 2s, T ≥ 2D and P +D = s. (3.2)

In ‘practice,’ one usually chooses T = 2D for the Biryukov-Shamir trade-off. If the state size isat least twice the key length, then both the Babbage-Golic trade-offs and the Biryukov-Shamirtrade-offs become less efficient than the previously described attacks.

3.3 Time-Memory-Key trade-offs

In [HS05] a new type of trade-off is considered: the time-memory-key trade-off. The at-tack works in a scenario where an attacker can obtain a large number of short key streams,produced with different keys, but the same IV. The attack recovers one of the keys.

We denote by K the binary logarithm of the number of keys that are attacked in parallel.The trade-offs (3.1) and (3.2) become now:

T +M = k, K = T and P = M, (3.3)

T + 2M + 2K = 2k, T ≥ 2K and P +K = k . (3.4)


@@@@@@@@@@@@@@@ P = M(BG)

AAAAAAAAAAAAAAAM(BS)

T (BS)

T (BG)

6

k

T,M,P

-

kk/2

K

Figure 3.1: Time-Memory-Key trade-offs for the Babbage-Golic (BG) and for the Biryukov-Shamir (BS) curves. The precomputation (P ) curve is the same for both cases, and equal tothe BG memory M curve.

The data complexity of the attacks equals 1 k-bit string per key. The trade-off (3.4) isgeneralized in [BMS06] to:

T + 2M + 2K = (3− ε)k and P +K = k with 0 ≤ ε ≤ 1.

Figure 3.1 compares the Babbage-Golic trade-offs and the Biryukov-Shamir trade-offs.For increasing K, the Biryukov-Shamir has a faster decreasing memory complexity, but aslower decreasing computational complexity. It follows that the Biryukov-Shamir approach isbetter adapted to the current state of computing technology, where computations are cheaperthan memory.

3.4 Distinguishing and Initialization-Phase Attacks

In a distinguishing attack, the adversary tries to determine if a given bit stream comes from aknown cipher or from a purely random source (a bit stream chosen according to the uniformdistribution). In this case, the distinguisher is a tool that takes a bit stream as input andoutputs either 1 (cipher) or 0 (random). Additionally, such attacks may allow an adversary tomake predictions about upcoming portions of the keystream sequence. This is a generic kindof attack on stream ciphers. Although often weaker than a key-recovery attack, the existenceof a distinguisher of high probability may lead to information leakage, that is, informationabout unknown plaintext or the internal state can leak through the ciphertext. Distinguishingattacks become quite conventional in the cryptographic literature, and many examples canbe found, some of which are listed below.

Initialization or resynchronization mechanisms are sensitive components of synchronousstream ciphers, and have been targeted for a long time in attacks, such as [DGV94,Mul04a].Recovery from loss of synchronization (or resynchronization) can be performed by the receiver


without intervention by the sender if the plaintext has enough redundancy, or can be mitigatedby inserting synchronization patterns in the ciphertext at regular intervals. The aim is toguarantee that sender and receiver keep the same internal state during transmission, that is,they operate in sync.

Retransmitting state information in clear will compromise security and could be too costlyor ineffective due to the same problems that caused loss of synchronization in the first place.More effective solutions involve defining a new internal state based on information alreadyknown by sender and receiver: a secret key and fresh IVs. This setting of new IVs (resyn-chronization) becomes a source of potential attacks, when the adversary has control over theselection of IVs.

In [RH02], Rose and Hawkes argue that the existence of distinguishing attacks is not athreat to stream ciphers in practice. In particular, the data complexity of these attacks isunrelated to the key length and is often much beyond the amount that can be obtained inreal applications.

In [EHJ], Englund et al. describe generic distinguishing attacks on block ciphers in streammodes such as OFB and CTR, with complexity 2n/2 encryptions, with n the bit size of a textblock. This observation implied an upper bound of 2k/2 on the number of keystream bitsgenerated (or plaintext bits encrypted) by these modes before the key (of size k bits) ischanged [ZB05]. Englund et al. also describe a new resynchronization attack on LEX streamcipher requiring 265.66 keystream bits from a single IV and the first 132 bits from 265.66

messages initialized with different IVs. In [DK08], Dunkelman and Keller present a key-recovery attack on the updated (tweaked version of) LEX requiring 236.3 key stream bytes(possibly under different IVs) and time complexity 2112 operations.

In [FM00], Fluhrer and McGrew describe an attack that distinguish RC4 from a randomstream using 230.6 output key bytes. This attack works even if a few key bytes are discarded(blank rounds), which is a typical countermeasure against attacks that exploit biases in thedistribution of the first key bytes output by RC4.

In [Max05], Maximov propose attacks that distinguish the VMPC stream cipher [Zol04]from random using 254 bytes of the output key stream, and the RC4A stream cipher [PP04],an improved variant of RC4, with 258 key stream bytes. This attack on VMPC violated adesign criteria of the cipher that explicitly claimed resistance against distinguishing attacks.An improved attack on VMPC was reported in [TSK+05] requiring 238 key stream bytes, andon RC4A using 223 key bytes.

In [PPS06], Paul et al. presented distinguishing attacks on the Py stream cipher exploitinga statistical bias in the distribution of its output words in the first and third rounds. Morespecifically, the weakness originates from the non-uniform distribution of carry bits in themodular addition in Py. This attack requires 284.7 random key/IV’s, plus the first 24 bytesof the keystream. The time complexity is tini · 2

84.7, where tini is the running time of a singlekey/IV setup in Py. In [IOKM06], Isobe et al. report on key-recovery attacks on Py andPypy, under a chosen-IV setting. Their attack recover the 128-bit key with a time complexityof 248, under approximately 224 chosen IVs.

In [WP06a], Wu and Preneel described flaws in the IV setup of Py and Pypy streamciphers. For IVs with special differences, two keystreams can be identical for every 216 IVs.In [WP06b], Wu and Preneel presented key-recovery attacks on Py and Pypy based on weak-nesses in the IV setup algorithms of these two ciphers. More specifically, the problem is thattwo keystreams generated from the chosen IVs can be identical with high probability. In theirattack, if the IV size is more than 10 bytes, IVsizeb−9 bytes of the key can be recovered with


(IVsizeb − 4) · 219 chosen IVs, where IVsizeb is the IV size in bytes. For key and IV of 128bits each, the effective key length is reduced to 72 bits with approximately 224 chosen IVs.

Another chosen-IV attack, this time on the VEST family of stream ciphers, was presentedby Joux and Reinhard [JR07]. Their attack exploit collisions in the counter (diffusor) usedduring the IV setup phase. As a consequence, they can recover 53 bits of the internal cipherstate reducing the effort of exhaustive search by the same number of bits.

In [NP07], Naya-Plasencia reported on key-recovery/state-recovery and distinguishing at-tacks on Achterbahn-128/80, improving on previous attacks by Hell and Johansson [HJ06].The distinguishing part of her attack on Achterbahn-80 has complexity 274 operations andrequires 261 key stream bits. As for the (distinguishing part of the) attack on Achterbahn-128,it requires 280.4 operations and 260 key stream bits.

In [CP07], Cho and Pieprzyk presented a linear distinguisher for the Dragon stream ci-pher. The distinguisher exploits biases of two S-boxes and the modular addition. This attackallows to distinguish Dragon from a random bitstream using 2150.6 keystream bytes (whichis, nonetheless, larger than the maximum amount of keystream available) and memory com-plexity 259.

In [WP07], Wu and Preneel describe a differential-linear attack against the Phelix streamcipher, using 234 chosen nonces and 237 chosen plaintext words. The attack complexity is 241.5

operations.


Chapter 4

Implications of Related-KeyAttacks

4.1 Related-key attacks in theory

Let B(k, x) denote a block cipher with key input k and plaintext input x.The most traditional definition of security for a block cipher is the Pseudo-Random Per-

mutation (PRP) model, where an adversary needs to distinguish the block cipher with arandomly selected key from a random permutation. In this model, an adversary can querythe block cipher B output for different plaintext inputs xi and one fixed key k:

yi = B (k, xi) .

In the related-key attack model, the adversary can query the block cipher B output fordifferent plaintext inputs xi and different key inputs ki. However, the key inputs are notunder full control of the adversary. Instead, the adversary can choose a function fi on thekey space and obtain the ciphertexts:

yi = B (fi (k) , xi) .

As has been observed in [BK03], in order to make possible a sound definition of security inthis model, the set of admissible functions fi has to be restricted. The conditions output-inpredictability and collision resistance are introduced in [BK03]. If these conditions are notsatisfied, then security can’t be defined.

Already in [Bih02] it was observed that if an adversary can query a block cipher underdifferent keys, then, even if the keys are independently uniformly distributed, the adversarywill need a lower number of queries than in a model where the key is fixed. This impliesthat we have to take special precautions when defining the advantage of an adversary in arelated-key or any other multi-key model.

4.2 Related-key attacks in practice

IBM’s key control vector mechanism and certain legacy banking protocols include function-ality that can be abused to mount related-key attacks where the functions fi are restrictedto xoring with a known value

fi(ki) = ki ⊕ ci.

19


Hence, this type of related-key attacks can be considered to be practical. Note also that theset of functions defined by letting the constants ci take any value satisfies also the conditionsoutput-inpredictability and collision resistance.

For the more general related-key attacks like the ones described in the next section, thereis no protocol or application known where the attacks could be considered to be practical.

4.3 Related-key attacks and security claims

There exist a couple of methods to prove a design secure against differential and linearcryptanalysis, or at least basic versions of these attacks. Examples include provable secu-rity [NK95,Mat96], the wide trail design strategy [DR02], decorrelation [Vau03]. All of thesemethods assume a fixed key. Although many of the ciphers designed according to any of thesemethodologies include a key schedule that will provide some resistance against related-keyattacks, the security claims and proofs are not valid in a related-key model.

4.4 Outline of recent attacks

4.4.1 Attacks on AES

A series of related-key attacks on AES [BKN09,BDK+10b,BDK+10a] drawn much attentionin 2009. The authors heavily used the following new ideas

• The local collision technique from hash function cryptanalysis in order to get betterdifferential trails.

• Use of non-trivial relations between the keys: difference in subkeys.

• Use of conforming pairs as a certificate of non-idealness of a cipher.

• Use of parallelism in round operations to get higher-probability boomerangs.

We describe them consecutively in the next paragraphs.

Local collision. A local collision is a short collision trail in the internal state, whose dif-ference is controlled by the key schedule (message schedule in a hash function). The notioncomes from the cryptanalysis of SHA-0, where a local collision is produced by injecting one-bitdifferences in particular positions of the six consecutive message blocks.

A local collision in AES-256 is produced as follows (Figure 4.1). The subkey has a dif-ference in a single byte of the upper row, which is injected to a zero-difference internal state(disturbance). Then it is converted to an unknown difference by SubBytes, but is not touchedby ShiftRows. Finally, the difference is expanded by MixColumns to a full column differenceand is corrected by the next subkey addition. The appropriate column difference in the sub-key can be predicted with probability up to 2−6, so the local collision trail has probability upto 2−6 .

Due to the key schedule the differences spread to other subkeys thus forming the keyschedule difference. The resulting key schedule difference can be viewed as a set of localcollisions, where the expansion of the disturbance (also called disturbance vector) and thecorrection differences compensate each other. The probability of the full differential trail is


SubBytes

ShiftRowsMixColumns

Key schedule round

Key schedule round

disturbance

correction

Figure 4.1: A local collision in AES-256.

then determined by the number of active S-boxes in the key-schedule and in the internal state.The latter is just the number of the non-zero bytes in the disturbance vector.

An optimal trail corresponds to a minimal-weight disturbance expansion, which is a low-weight codeword of a linear code, as well as the resulting key schedule difference (Figure 4.2).

Disturbance

Correction+

Key schedule=

Figure 4.2: Full key schedule difference (4.5 key-schedule rounds) for AES-256.

Difference in subkeys. Due to nonlinearity of the key schedule, the difference in thesubkeys becomes partly undetermined after several key schedule rounds. The first AES-256paper solved this issue by imposing restrictions on the key, thus attacking a weak key class inthe secret-key model. The second paper introduced boomerang attacks, which allow shortertrails with no active S-boxes in the crucial part of a trail. In order to deal with the minimalnumber of related keys — four — difference in the subkeys was introduced as a relation. Asa result, each part of a boomerang deals with an optimal trail. The authors also proved thatthe resulting key quartet can be constructed for each key and does not collapse.

Insecurity in the chosen-key model. AES was regularly cited as an admissible instan-tiation of an ideal block cipher in provably secure constructions. The authors of [BKN09]


K0 K1

∆K1

K1

KA

KB

∇K3

K4K3

KD

∇K4

K2 K3 K4 K5

∇K3

K4K3

KC

∇K4

Figure 4.3: AES-256: Computing KB, KC , and KD from KA.

demonstrated that AES actually exhibits properties that are unlikely to find in an ideal ci-pher with the same query complexity. This implies that an ideal cipher being instantiatedwith AES may have undesirable properties and not fulfill the randomness requirements.

The property that was exploited is called a differential q-multicollision, which is a set of qpairs of plaintexts conforming to the related-key differential trail. Such a set can be found for

an ideal cipher with as many as O(q · 2q−2q+2

n) queries, while for AES-256 it can be constructed

with the complexity equivalent to q ·267 AES calls. A definition of a differential multicollisioncan be weakened to a so called partial multicollision, for which the complexities to be foundin an ideal cipher and AES are 252 and 237, respectively. This leads to a practical certificateof non-randomness. The complexity of all these attacks is significantly lower than the inverseof the probability of the respective differential trails due to the freedom in the choice of thekey and the application of equation-solver tool in the most expensive part of a trail.

Improvements in the boomerang attack. The paper on boomerang attacks [BDK+10b]formally introduced several tricks that are aimed to reduce the probability of a boomerangdistinguisher. The tricks deal with the switch phase of the boomerang attack, which is thetransition point between sub-ciphers E0 and E1 and also a place all the four differences ofa quartet of states are explicitly fixed. The authors noted that the differential trails for theboomerang attack should be constructed so that

• The number of S-boxes in the switch round that are active in both trails should be aslow as possible.

• The S-boxes that are active in both trails should possess the same input or outputdifferences.

Summary. These ideas resulted in the following advances in the cryptanalysis of AES:

• Related-key boomerang attacks on AES-192 and AES-256 in the secret-key model.

• Practical-complexity attacks on up to 10 rounds of AES-256 in the secret-key model.

• Practical-complexity attacks on AES-256 in the chosen-key model.


4.4.2 Attacks on other ciphers

Kasumi

Kasumi is a block cipher used in the third-generation GSM telephony. It is a modificationof a block cipher Misty and operates on a 64-bit block and a 128-bit key. The attack onKasumi [DKS] is a related-key boomerang attack with 232 time and 226 data complexity. Theauthors managed to verify the attack on a PC and.

The attack greatly benefits from a formal treatment of the boomerang tricks, first intro-duced in [BDK+10b] and [BCD03], and now called a sandwich attack. The idea is to separatethe switch phase of the boomerang attack into a single transformation M , so that the wholecipher E is decomposed as E1 M E0. The sub-ciphers E0 and E1 have the differential trails

∆E0−→ ∆′; ∇′ E1−→ ∇.

The authors consider the probability PM that in the return phase of the boomerang thebackward iteration of E0 gets the proper difference ∆′ if both iterations of E−11 give ∇′:

PM = P

Input Diff(E−10 ) = ∇′∣∣∣∣

E0−→ ∆′

E−11−→ ∇′

E−11−→ ∇′

.

In the regular boomerang attacks and in [BDK+10b] PM is equal to 1. The KASUMIpaper demonstrates how to exploit the case PM 6= 1 and formally introduced the frameworkfor the precise estimation of the distinguisher probability.

SQUARE

SQUARE is a block cipher with a 128-bit state and a 128-bit key. SQUARE follows the SPNstructure, which is quite similar to that of AES. However, key schedule of SQUARE is linearand admits linear relation between related keys. The attacker is able to choose the disturbancedifference in the local collision so that it is converted to the correction difference by a roundof the key schedule. As a result [KYS], one can get a differential trail with zero-differencerounds before and after the local collision round (Figure 4.4). However, the probability ofthe local collision drops to 2−28, because the disturbance difference at first expanded by thelinear transformation and only afterwards passes the S-box layer.

· · ·· · ·θ γ π θ γ π

ψ

θ γ π

ψ ψ

2−28

Figure 4.4: Related-key trail for SQUARE.

SQUARE has 8 rounds, so 4-round trails are long enough for the boomerang attack. Thetrails are produced from the 3-round trail in Figure 4.4, and the positions of the differencesare carefully chosen in order to benefit from the tricks in the switch phase (similar to AES andKASUMI). The linearity of the key schedule also admitted a simple linear relation betweenkeys.


Other ciphers

Several related-key attacks with little use of new techniques also appeared in 2009. The blockcipher Threefish, the core of SHA-3 candidate Skein, the block cipher XTEA were analyzedwith a simple boomerang attack with 33 and 36 rounds broken, respectively. The attacks usea linear relation between keys.

Chapter 5

Linear Cryptanalysis

Linear cryptanalysis is one of the most powerful statistical cryptanalysis tools using knownplaintext/ciphertext pairs and it is based on probabilistic linear approximations. Whilethe idea to use probabilistic approximations has already appeared in [TCG92] applied toFEAL [SM88], the theory of linear cryptanalysis was described and experimented on DES byMatsui [Mat94b,Mat94a].

Notation. In the following, we will denote random variables X,Y, . . . by capital letter andtheir realizations x ∈ X , y ∈ Y, . . . by small letters. The probability function of a variable Xfollowing a distribution D will be denoted PrD[x]. If the distribution or the distribution andthe random variable are clear from the context we can write PrX [x] or Pr[x], respectively.A sequence X1, X2, . . . , XN of independent and identically-distributed (i.i.d.) random vari-ables of length N is denoted by XiNi=1. For a realization of such a sequence we define byN(xiNi=1|η) = #1 ≤ i ≤ N : xi = η the relative frequency of η ∈ X . If the sequence isclear from the context we can write only N(η). For X = Fn2 , we can represent x ∈ X as a bitvector x. A vector representation is displayed by bold or Greek letters.

Let us denote P, C, and K the plaintext, ciphertext and key, respectively. Given the bitmasks α and γ, we consider the following relation:

αT(

PC

)= γTK.

We will use brackets to consider specific bits, e.g. P[i] denotes the ith bit of P. We usethe DES notation for Feistel ciphers and note by PH the left block of the plaintext, PL theright block, CH the left block of the ciphertext and CL the right block. Let (pi, ci)Ni=1 bea sequence of plaintext/ciphertext pairs. We will use the following centered counters of theapproximation:

uα = #(pi, ci) : αT(

pici

)= 0 −#(pi, ci) : αT

(pici

)= 1.

We note the distribution function of the standard normal distribution by φ(x) =∫ x−∞

e−t2/2dt√2π

.

Principle. Given a relation

αT(

PC

)= γTK.

25


occurring with a probability p = 12 + s = 1

2(1 + ε) we denote s as the bias of the approxi-mation and ε as the correlation. The bias was the quantity used historically but it has beenreplaced by correlation and we will express everything by means of correlation in this sum-mary. We present first the two algorithms invented by Matsui before presenting variants ofthese algorithms.

5.1 Piling-up lemma

To build linear approximations of a cipher we use the following theorem, called the Piling-uplemma:

Theorem 5.1.1 Let XiNi=1 be binary statistically independent variables such that the cor-relation of Xi is εi. Then ⊕iXi is a random boolean variable with a correlation

∏i εi.

Hence it is possible to concatenate linear approximations. This can be used for buildinga linear approximation of a cipher using approximations of components. Nevertheless, inpractice the independence hypothesis is not always valid, so the estimation given should bechecked on each algorithm. For example, for DES [FIP99], it gives precise results while forother algorithms, such as RC5 [Riv95], an inner dependency provokes wrong results applyingthe piling up lemma [Sel98]. This kind of problem exists particularly when there are severalconsecutive active rounds.

5.2 Matsui Algorithm 1

The idea of Algorithm 1 is the following: if the absolute value of the correlation |ε| is suf-ficiently large compared to the number of plaintext/ciphertext pairs, then the value of γTkcan be recovered. Thus we have found a bit of information of the key. More precisely, if

γTk = 0 then αT(

PC

)(seen as a binary variable) will be distributed with a mean 1

2(1 + ε)

and a variance 14 − 4ε2 whereas if γTk = 1 then αT

(PC

)will be distributed with a mean

12(1 − ε) and a variance 1

4 − 4ε2. To distinguish the two distributions, Matsui’s Algorithm 1works as follows:

1. Take N plaintext/ciphertext pairs.

2. Compute the centered counter uα.

3. If uα > 0 then guess γTk = 0 (if ε > 0) or γTk = 1 (if ε < 0) otherwise guess γTk = 1(if ε > 0) or γTk = 0 (if ε < 0).

The probability of success of Algorithm 1 is given by the following theorem (with a numericapplication in Table 5.1)

Theorem 5.2.1 If |ε| is sufficiently small then the probability of success of Algorithm 1 isφ(√Nε).


N ε−2 2ε−2 4ε−2 8ε−2

Probability of success 84.1% 92.1% 97.7% 99.8%

Table 5.1: Probability of success of Algorithm 1.

5.3 Matsui Algorithm 2

Algorithm 2 uses the approximation as a distinguisher on inner rounds to recover externalkey bits. If the guess on the external key bits is correct then we should see the expectedcorrelation while if the guess is wrong then the linear approximation should occur with aprobability 1

2 because the link between the plaintext and the ciphertext will be random.Therefore we should distinguish a distribution with a mean 1

2(1± ε) among a lot of differentdistributions with a mean 1

2 . This attack recovers more key bits than Algorithm 1 and usesa approximation over fewer rounds so it gives more practical attacks. Algorithm 2 works asfollowing:

1. Take N plaintext/ciphertext pairs.

2. For each possible external key k, do a partial encryption/decryption over external roundsto compute the associated counter ukα.

3. Guess the value of the key which gives the greatest absolute value of ukα. The sign ofukα gives also a guess on one internal key bit.

Other key bits can be recovered with a brute force attack. This algorithm gives an attackon the full DES using 247 plaintext/ciphertext pairs and a probability of success of 96.7%in [Mat94b] with a partial decryption on one round and the following linear approximationover 15 rounds with a correlation −2−21.75:

αT(

PC

)= PH [7, 18, 24]⊕PL[12, 16]⊕CH [7, 18, 24, 29]⊕CL[15] and

γTK = K1[19, 23]⊕K3[22]⊕K4[44]⊕K5[22]⊕K7[22]⊕K8[44]

⊕ K9[22]⊕K11[22]⊕K12[44]⊕K13[22]⊕K15[22].

An important modification of this algorithm was introduced in [Mat94a], is named key rankingand consist in:

1. Taking N plaintext/ciphertext pairs.

2. For each possible external key k, do a partial encryption/decryption over external turnsto compute the associated counter ukα.

3. Rank the counters ukα with their absolute value.

4. Take the ukα with the maximum absolute value and try to find with exhaustive searchthe rest of the key bits. If it is impossible, try again with the ukα with the second greatestabsolute value and so on.


An application of this attack was an attack over the full version of DES using 243 plain-text/ciphertext pairs and a probability of success of 85% in [Mat94a] using the two followinglinear approximations over 14 rounds (each of them gives different external key bits):

αT(

PC

)= PL[7, 18, 24]⊕CL[15]⊕CH [7, 18, 24, 29] and

γTK = K2[22]⊕K3[44]⊕K4[22]⊕K6[22]⊕K7[44]⊕K8[22]

⊕ K10[22]⊕K11[44]⊕K12[22]⊕K14[22] together with

αT(

PC

)= CL[7, 18, 24]⊕PL[15]⊕PH [7, 18, 24, 29] and

γTK = K13[22]⊕K12[44]⊕K11[22]⊕K9[22]⊕K8[44]

⊕ K7[22]⊕K5[22]⊕K4[44]⊕K3[22]⊕K1[22].

In [Mat94a] Matsui estimates the complexity of this attack as 243 DES encryptions. This com-plexity is an overestimation as was indicated in [Jun01] by Junod who showed experimentallythat it was 241 DES encryptions. An important optimization concerning the computation ofexperimental correlations based on the FFT was presented by Collard et al. in [CSQ07].

5.3.1 Probability of success of Algorithm 2

The computation of the probability of success of Algorithm 2 is much more complex anddepends in the general case on the correlation and the number of external key bits recoveredin the attack. A first estimate was given by Matsui [Mat94b], has then been extended byJunod [Jun01] and was finally given by Selcuk [Sel08]. The important notion to evaluate thisprobability is the notion of the a-bit advantage, defined as follows

Definition 5.3.1 If, after the last step of the algorithm, the correct key belongs to the first2r keys among the 2m candidates, we say that we have an (m− r)-bit advantage.

In [Sel08] Selcuk proves the following theorem:

Theorem 5.3.1 Let P be the probability that Matsui Algorithm 2, with an m-bit external key,a linear approximation with correlation ε, and N known plaintext/ciphertext pairs, gives an a-bit advantage. Suppose that the linear approximations made by each key guess are statisticallyindependent and their probability is 1

2 for each wrong key guess, then for sufficiently large mand N

P = φ(√Nε− φ−1(1− 2−a−1)).

5.4 Linear hull

Introduced by Nyberg [Nyb95], the linear hull is an effect appearing when different lineartrails with the same plaintext and ciphertext masks coexist. It influences the correlation of

the binary variable αT(

PC

)and so linear hulls have been an important topic of research in

linear cryptanalysis. A detailed survey and bibliography is given in [Kel03].


5.5 Deriving methods

Several methods have been derive from linear cryptanalysis, among them we can underlinea few. Using some assumptions on the plaintext distribution allows to build only ciphertextattacks [Mat94b]. Furthermore, some assumptions over the plaintext distribution using chosenplaintext/ciphertext pairs allows to reduce the correlation of targeted approximation [KM01].Combining linear cryptanalysis with differential cryptanalysis is a quite effective cryptanalysisagainst many ciphers [LH94, BDK02] and using non linear approximations [KR96, SK98] isalso a possible direction.

5.6 Multiple-Linear and Multidimensional Linear Cryptanal-ysis

Basic linear cryptanalysis uses one linear approximation. The question is, can we improvethe attacks by using several approximations. In this section, we consider the different devel-opments in this direction.

Let us assume that we have m approximations

αTi

(PC

)= γTi K,

for 1 ≤ i ≤ m each with a correlation εi. We can combine the result by considering the resultas words in Fm2 . Then we have

αT(

PC

)= γTK,

where α is a m× (log2 |P|+ log2 |C|) matrix and γ a m× log2 |K| matrix.

Let Yi = αTi

(PC

)⊕ γTi K be the binary random variable corresponding to the linear

approximations defined by (αi, γi). Then, two linear approximations corresponding to (αi, γi)and (αj , γj) are statistically independent if for P,C,K randomly distributed, the variablesYi, Yj are independent.

There are mainly two approaches, multiple linear approximation and multidimensionallinear approximation. The difference is that the first one assumes statistically independentapproximations.

5.6.1 Multiple Linear Cryptanalysis (Biryukov Method)

Already in [Mat94a,JV03], two statistically independent approximations were used for the keyranking in Algorithm 2. In [KR94], Kalisky and Robshaw used m different approximationsαi for the plaintext-ciphertext pairs and the same mask γ = γi for the key. Assuming thatthe approximations were statistically independent, they were able to reduce the amount ofdata needed for Algorithm 1 and 2.

Biryukov et al. [BCQ04] proposed a method using m statically independent approxima-tions, where the mask for the plaintext-ciphertext pairs as well as for the key vary. Since theapproach of Kalisky and Robshaw can be seen as a special case of this method, we use theterm Biryukov method to refer to the use of independent approximations.


For the i’th approximation and N plaintext-ciphertext pairs, let εi be the correlation of

αTi

(PC

)and εi =

uαiN the empirical correlation.

For the extension of Matsui’s Algorithm 1, Biryukov et al. partition the keyspace to 2m

subgroups according to the result of z = γTk. The goal is to find the right subgroup and thusgain m bits of information of the key. In an on-line phase, the empirical correlations of them approximations are computed. Finally, in the off-line phase, the subgroup correspondingto z = (z1, z2, . . . , zm) is chosen for which the sum

g(k) =m∑i=1

((−1)ziεi − εi)2

is minimized. The time and memory complexity is mN in the on-line phase, and m2m andm in the off-line phase. Under the assumption of independent approximations, Biryukov etal. claim that N is proportional to 1/

∑mi=1 ε

2i .

For Algorithm 2, we have a sequence of plaintext-ciphertext pairs (p1, c1), (p2, c2), . . .,(pN , cN ) encrypted over several rounds. Let k denote the main key and kr the roundkey usedfor the encryption of the last round, and f the round function. We define by εkri the empiricalcorrelation of the pairs (pj , f

−1(cj ,kr)). The attack tries to minimize the following sum:

g(kr, z) =m∑i=1

((−1)ziεi − εkri )2 +∑

k′r 6=kr

m∑i=1

(εk′ri )2.

The first part of the sum is minimized for the right key subclass, and the second sum isminimized for the right last round key.

The problem of this approach is, that it assumes statistically independent approximations.Murphy showed in [Mur06] that this is not true in the general case. More specific, Hermelin etal. [HCN08] pointed out that in the case of reduced round Serpent the strong approximationsare normally not independent.

5.6.2 Multidimensional Linear Cryptanalysis

In [JM03], Johansson and Maximov apply for the first time a multidimensional analysis on thestream cipher Scream. Baigneres et al. develop in [BJV04] a statistical analysis of multidi-mensional approximations, without the assumption of statistical independence. They considerthe case where a sequence X1, X2, . . . , XN of i.i.d. random variables is drawn either from dis-tribution D0 or from distribution D1. In our case, D0 might be the uniform distribution over2m and D1 the distribution according the cipher and the right key. Baigneres et al. showthat the optimal statistic to distinguish between the two distributions is the Log-likelihoodratio

LLR(xiNi=1, D0, D1) =N∑i=1

log2PrD1 [xi]

PrD0 [xi]=∑η∈X

N(xiNi=1|η) log2PrD1 [η]

PrD0 [η].

The data complexity N is inversely proportional to∑

η∈X(PrD0

[η]−PrD1[η])2

PrD0[η] . If D0 is uniformly

distributed, this value is equivalent to the capacity C(D1) which is defined as follows:


Definition 5.6.1 For a distribution D over the set X of size 2m, the capacity of D is

C(D) = 2m∑η∈X

(PrD[η]− 2−m)2.

So given the m-dimensional distribution of D1 we have have an optimal distinguisher. How-ever, Baigneres et al. did not consider how to find this distribution.

Englund and Maximov [EM05] tried to find the probability distribution over the wholestream cipher Dragon. However, this method is only feasible if the word size is not largerthan 32 bits.

In [HCN08] Hermelin et al. showed that for finding the probability distribution D of them-dimensional random variable X, it is sufficient to know the one dimensional correlationsfor all values β ∈ Fm2 .

Theorem 5.6.1 Let X be a random variable over Fm2 with distribution D, β ∈ Fm2 , and letεβ denote the correlation of βTX. Then, the probability distribution D is given by

PrD[η] = 2−m∑β∈Fm2

(−1)βT ηεβ.

This property can be used as well for deriving the capacity of D by

C(D) =∑

β∈Fm2 \0

ε2β.

Multidimension Extension of Matsui’s Algorithm 1

Let Z be the m-bit random variable γTK, and let D be the probability distribution of

αT(

PC

)⊕ γTK = αT

(PC

)⊕ Z.

Then, for every z ∈ Fm2 the variable αT(

PC

)has distribution Dz which is a fixed permutation

of D. Let D =(qη = N(η)

N

)η∈Fm2

be the empirical distribution of Z. The goal is to find z such

that D = Dz. We remark that C(Dz) = C(D) for all z. In the on-line phase, the test obtainsthe empirical distribution D. This has a data, time and memory complexity of N , mN and2m, respectively.

In [HCN08], Hermelin et al. presented a multidimensional linear attack on reduced roundSerpent based on a log-likelihood statistic. The algorithm outputs the value z′ for which theDz is closest to the empirical distribution in Kullback-Leibler distance, i.e. for which the sum

h1(z) =∑η∈Fm2

qη logqη

PrDz [η]

is minimized. They compared the empirical results, with the experimental results of Collardet al. [CSQ08] using the Biryukov method. It was shown that the multidimensional methodwas more efficient for the same amount of data.


In a next step, Hermelin et al [HCN09b] compared the log-likelihood method with amethod minimizing the χ2 statistic

h2(z) =∑η∈Fm2

(qη − PrDz [η])2

qη,

and method based on the optimal distinguishing technique in [BJV04]. The last methodoutputs z for which

h3(z) =∑η∈Fm2

Nη logPrDz [η]

2−m

is maximized. The authors could show that for all three algorithms the time and memorycomplexity of the off-line phase is 22m and 2m, respectively. Theoretical analysis showed thatin the on-line phase, the first two methods, log-likelihood and χ2, have a data complexityof N = 2m/2/C(D), whereas the last method only has a complexity of m/C(D). However,empirical results showed that all three tests performed equally well with a data complexityof m/C(D).

In [HN10], Hermelin and Nyberg introduced an additional test statistic based on theconvolution of probability distributions. The algorithm outputs z which maximizes the con-volution of D and D at point z

h4(z) = (q ∗D)z.

This value can be computed efficiently by Fast Fourier Transform (FFT) in m2m. The authorscompare the test to a statistic that they call full Biryukov method. In contrary to Biryukov’smethod, it’s statistic g′(z) =

∑β∈Fm2

((−1)ziεβ − εβ)2 uses all linear combinations of theapproximations and does not need the statistical independence assumption. The rankingfunction of the convolution method can be expressed by means of one dimensional correlations:

h4(z) = 2−m∑β∈Fm2

(−1)βT zεβ εβ.

Thus, we can see that a ranking done by h4 is equivalent to a ranking done g′. The data,time and memory complexity of the on-line phase is the same for the full Biryukov methodand the convolution method, namely N , mN and 2m, where N is proportional to m/C(D).In the off-line phase, the full Biryukov methods has a time and memory complexity of 22m

and 2m. By using FFT to compute the convolution in the off-line phase, this method hasa time complexity of only m2m, which is significantly better than for the other tests. Thecomputation of the off-line phase in both methods can be reduced by considering only thestrongest correlations.

The original Biryukov method has the same time complexity as the convolution method,however it has, in general, a higher data complexity.

Multidimension Extension of Matsui’s Algorithm 2

In Matsui’s Algorithm 2, we have a sequence of plaintext-ciphertext pairs(p1, c1), (p2, c2), . . . , (pN , cN ). which are encrypted over several rounds. Let k′r be the actualsubkey for the last round of size ` bits. Let f be the round function. For any possible valuekr ∈ F`2 we define

zkrj = αT(

pjf−1(cj ,kr)

).


Then we compute in an on-line phase for every z ∈ Fm2 the empirical probability distribution(qkrη =

N(zkrj

N

j=1|η)

N

)η∈Fm2

. This can be done in a time and memory complexity of N+2m+`

and 2m+`, by first counting the frequencies of the m + ` bits in (pj , cj) which are necessaryto compute zkrj and doing the decryption only in the end. This part of the attack is the samefor all methods. The differences lie in the off-line phase. In the following, let us assume thatk′ and k′r are the correct key and roundkey and z′ = γTk′.

In [HCN09a], Hermelin et al. consider two methods using χ2 and LLR statistics. The χ2

test makes no assumption on DZ. It ranks the keys by the value

Skr = 2mN∑η∈Fmn

(qkrη − 2−m)2

It uses the assumption that for the right key k′r the empirical distribution will have the largest

distance from the uniform distribution. Let D be the distribution of Zk′rj , then we achieve

an a-bit advantage with a data complexity of N =√a2m/C(D) and a time and memory

complexity of 2m+` and 2m+2`. By storing not only Skr but the pair Skr , qkrη we increase the

memory complexity to 2m+`, but we can apply subsequently Algorithm 1 to obtain z′. The χ2

method is applicable for ciphers where the correlations of linear approximations vary with thekey and no accurate estimate of the probability distribution of the multidimensional linearapproximation cannot be obtained. A typical example of such a cipher is the Present blockcipher. The best known attack on Present uses a small number of statistically independentmultidimensional linear approximations, where linear hulls are used to estimate correlationsof single linear approximations. The χ2 variables related to each multidimensional approx-imation are then combined to a single χ2 variable for achieving as strong as possible lineardistinguisher with the full code book of data [Cho10].

The method using the LLR statistic of the optimal distinguishing problem searches for k′rand z′ at the same time. The ranking of kr is done by the value

Lkr = maxz∈Fm2

∑η∈Fm2

N(zkrj |η

)log

PrDz [η]

2−m.

For a given a-bit advantage, this method has a data complexity of N = (a+m)/C(D) and atime and memory complexity of 2m+` and 22m+`.

Applications to Stream Ciphers

There are mainly two kinds of multidimensional linear attacks on stream ciphers. The first onetries to distinguish the keystream from the output of a random source. Let Y1,Y2, . . . ,YN

be the keystream of the cipher, then we consider the m-dimensional approximation

Zt = αT

Yt

Yt+j1

. . .Yt+j`

applied on `+1 keystream words for 1 ≤ t ≤ N−j`. The idea was first used by Maximov andJohansson in [JM03,MJ07] to the stream cipher Scream. They approximate an 8 to 8 bits non-linear S-box by a linear function. For the distinguisher, they assume an unknown distribution


with a known statistical distance from uniform distribution. The statistical distance wasdetermined empirically. A distinguisher for a known probability distribution was first appliedto the Dragon stream cipher by Englund and Maximov in [EM05]. They computed directly theprobability distribution of Z, which is only possible for small word sizes and small values of m.Once they had the distribution, they used the optimal distinguisher from [BJV04]. In [HN08],Hermelin and Nyberg studied the case of a keystream generator applying a non-linear filterfunction on an LFSR. They showed that vector bent functions [NH07] give the best resistanceto multidimensional linear attacks. However, for this family of function the multidimensionalanalysis gains the most in comparison to the one-dimensional analysis. Hermelin and Nyberguse Walsh-Hadamard transform to efficiently compute the capacity of the approximationdistribution. In [HN09], Hakala and Nyberg apply a multidimensional distinguisher on theShannon stream cipher. This work was improved to a practical distinguisher by Ahmadianet al. in [AMS+ar].

The second approach can be used on ciphers with a linear state update function. By usinga multidimensional linear approximation on the initial state and the keystream we can findm bits of the initial state. This method was applied in a key recovery attack on the streamcipher Grain by Berbain et al. in [BGM06] and on the stream cipher SOSEMANUK by Choand Hermelin in [CHar].

5.7 Zero-Correlation Linear Cryptanalysis

Zero-correlation linear cryptanalysis was proposed by Bogdanov and Rijmen in [BR12] for thecryptanalysis of symmetric-key cryptographic primitives. It can be seen as the counterpartof impossible differential cryptanalysis in the domain of linear cryptanalysis. However, boththe cryptanalytic techniques and the mathematical background are quite different here.

The distinguishing property used in zero-correlation cryptanalysis is the existence of zero-correlation linear approximations over (a part of) the cipher for all (or a high proportion of)keys. Those are linear approximations that hold true with a probability p of exactly 1/2, thatis, strictly unbiased approximations having a correlation c = 2p − 1 equal to 0. In a goodblock cipher (with linear properties close to those of an ideal block cipher), for each individualkey considered separately, O(23n/2) out of 22n linear approximations have correlation zero.However, which subset of approximations exhibit zero-correlation depends on the key valueand differs a lot from key to key. Given one linear approximation of correlation zero, thework [BR12] proposes two distinguishers: One requiring the full code book of 2n plaintext-ciphertext pairs and the other one with chosen plainxtexts or ciphertexts of data complexity2n−1, where n is the bit size of the block cipher block.

An efficient technique to spot classes of zero-correlation linear approximations has beenproposed in [BR12]. Somewhat similarly to tracing the impossible differentials, it is basedon examining the correlation contributions of linear trails for certrain truncated input andoutput linear masks. To prove that a linear approximation has correlation zero (for anykey), it suffices to demonstrate that its linear hull does not contain any linear trails withcorrelation contribution other than 0. We notice here that zero-correlation is a truncatedlinear property. In fact, it is the existence of those vast classes of zero-correlation linearapproximations independently of the key value that makes the zero correlation more efficient.Bogdanov and Wang in [BW12] noted that and proposed a χ2 statistical test of reducingthe data complexity of zero-correlation cryptanalysis to 2n/

√` if ` zero correlation linear


approximations are available. It was accompanied by the first attack on 21 rounds of TEAand 25 rounds of XTEA using less than the full codebook.

The work [BLNW12] by Bogdanov, Leander, Nyberg and Wang, aims to overcome somelimitations of the distinguisher of [BW12] and to put the property of zero correlation intocontext. More precisely, the distinguisher of [BW12], though working fine and practice andbeing useful in cryptanalysis, relies on the assumption that all linear approximations withcorrelation zero are independent. In most cases, this assumption is formally not met, sinceall classes of zero-correlation approximations known so far are actually truncated, buildinglinear spaces of dimension log2 `. That is, almost all ` approximations used will be linearlydependent. The paper [BLNW12] proposes a multidimensional linear distinguisher for detect-ing zero correlation. This distinguisher does not have to make those unfounded independencyassumptions while maintaining the data complexity of O(2n/

√`).

It has been also identified in [BLNW12] that integrals can actually be seen as a spe-cial case of zero-correlation linear approximations. Moreover, integrals are equivalent tozero-correlation linear approximations if the input and output linear masks are independent(detached). Thus, zero correlation can be seen as a generalization of integral properties atthis point, which is a strong fundamental link. The integral zero-correlation distinguisher re-quires only O(2n/`) zero-correlation approximations where ` is the number of approximationsused. The theoretical findings of [BLNW12] are illustrated by attacking a Skipjack variantand round-reduced CAST-256 without weak-key assumption.

All in all, zero-correlation linear cryptanalysis is a novel cryptanalytic technique that canbe used for attacking symmetric-key ciphers. Some ciphers are more susceptible to zero-correlation linear cryptanalysis than to any other type of cryptanalysis attempted so far. Weexpect the zero-correlation linear cryptanalysis to be used in the evaluation of new ciphers aswell as the reevaluation of some existing ciphers.


Chapter 6

Cryptanalysis of ARX Structures

Due to their fast performance in software, an increasing number of cryptographic primitivesare constructed using the operations addition modulo 2n, bit rotation and XOR (ARX). Ex-amples include the block cipher FEAL [SM87], the Salsa20 stream cipher family [Ber08], aswell as the SHA-3 finalists BLAKE [AHMP08] and Skein [FLS+09]. Although ARX-basedalgorithms are very popular, their resistance to differential cryptanalysis [BS91] is not wellunderstood. In this document, we describe new developments in the area of the differentialcryptanalysis of ARX primitives.

We describe the framework of S-functions, which is accompanied by a software toolkit.1

This framework can be used to calculate the probability that given input differences leadto given output differences for ARX-based constructions. It can also be used to count thenumber of possible output differences. The calculations can be efficiently performed usingmatrix multiplications. The S-function framework is further extended to analyze adpARX,the probability with which additive differences propagate through the following sequenceof operations: modular addition, bit rotation and XOR (ARX). We introduce a new setof additive differences, called UNAF (unsigned non-adjacent form) that help to evaluatemore accurately the probabilities of differentials over multiple rounds of a cryptographicprimitive [VMDP12]. We also provide a method to compute maximum probability outputdifferences in ARX algorithms. It is applicable to XOR and modular differences as well as toUNAF differences.

Furthermore, we provide a summary of results in rotational cryptanalysis, a techniquethat was very recently used to attack reduced-round Threefish, the block cipher that is at thecore of the Skein hash function.

Lastly, we also describe ARXtools [Leu12], a series of tools to study ARX constructions,and present a tool to construct complex differential characteristics for several commonly usedhash functions.

6.1 Introduction

Differential cryptanalysis [BS91] and linear cryptanalysis [MY92] have shown to be two ofthe most powerful techniques in the cryptanalysis of symmetric-key cryptographic primitives.Security against linear and differential cryptanalysis is therefore typically a major design

1The S-function toolkit is part of the ECRYPT II Tools for Cryptography initiative, and is available at:http://www.ecrypt.eu.org/tools/s-function-toolkit

37


criterion for modern ciphers. An example of this is the wide-trail design strategy, used toprovide provable resistance against linear and differential cryptanalysis for the AES blockcipher [DR02].

The probability with which differences propagate through a sequence of operations mustbe calculated efficiently and accurately, in order to correctly assess the security of a cipheragainst differential cryptanalysis. Methods exist for the computation of differential proba-bilities through separate ARX operations [LM01, LWD04, MVDP10, VMDP11]. The accurateestimation of those probabilities becomes very difficult for sequences of operations over mul-tiple rounds. The reason is that in those cases a single differential is often composed of morethan one differential trail. The number of trails increases with the number of rounds. Thus agood estimation of the probability of the differential must take into account the probabilitiesof as many differential trails as possible (ideally all of them).

To address the problem outlined above, we propose a new type of difference called UNAF(unsigned non-adjacent form). By using UNAF differences we are able to consider multipledifferential trails when estimating the probability of a differential. This allows us to obtaina more accurate estimation of the probability of differentials over several rounds of an ARX

primitive.Additionally, we describe a method for computing maximum probability output differ-

ences. It is applicable to XOR, additive and UNAF differences. The implementation of thistechnique is publicly available as part of the S-function toolkit.

Furthermore, we describe ARXtools [Leu12] is a series of tools to study ARX constructionsand present a tool to construct complex differential characteristics automatically for severalcommonly used hash functions such as SHA-256, HAS-160 and RIPEMD-128/160.

6.2 The Differential Analysis of S-functions

In [MVDP10], Mouha et al. presented the first fully general framework to analyze these con-structions efficiently. It was inspired by the cryptanalysis techniques for SHA-1 by De Canniereand Rechberger [DR06] (clarified in [MDIP09]), and by methods introduced by Lipmaa,Wallen and Dumas [LWD04]. The framework was used to calculate the probability thatgiven input differences lead to given output differences, as well as to count the number ofoutput differences with non-zero probability. The methods are based on graph theory, andthe calculations can be efficiently performed using matrix multiplications.

The framework proposed by Mouha et al. is accompanied by a software toolkit, whichhas been made publicly available on-line2. It can be used to calculate XOR-differential prob-ability of addition (xdp+), the additive differential probability of XOR (adp⊕), as well asxdp+(α, β, . . .→ γ), which is the calculation of xdp+ for more than two inputs, and the dif-ferential probability xdp×C of multiplication by a constant C where differences are expressedby XOR.

The tool can also efficiently count the number of output differences for each of theseoperations. For example, this problem occurs in the cryptanalysis of Threefish-512 [AccM+09],where an exponential-in-n time algorithm is proposed. Using the toolkit, however, this canbe solved in linear time in n.

2The software toolkit is part of the ECRYPT II Tools for Cryptography website, and is available at:http://www.ecrypt.eu.org/tools/s-function-toolkit


Additionally, the toolkit provides a general algorithm to efficiently list the output differ-ences with the highest probability, assuming input differences and the operation are given.

6.3 The Additive Differential Probability of ARX

In [VMDP11], Velichkov et al. calculate the probability with which additive differences prop-agate through the following sequence of operations: modular addition, bit rotation and XOR(ARX). This probability is denoted by adpARX.

The S-function framework of [MVDP10] is extended to compute the differential proba-bility adpARX. A method is described to compute adpARX based on the matrix multiplicationtechnique proposed in [LWD04], and generalized in [MVDP10]. The time complexity of theproposed algorithm is linear in the word size. A formal proof for the correctness of thealgorithm is provided.

It is observed that the adpARX can differ significantly from the probability obtained by mul-tiplying the differential probabilities of addition, rotation and XOR. This confirms the needfor an efficient calculation of the differential probability for the ARX operation. The resultof [VMDP11] is the first in literature to calculate adpARX efficiently. Accurate and efficientcalculations of differential probabilities are required for the efficient search for characteristicsused in differential cryptanalysis.

6.4 UNAF

6.4.1 Definition

In this section, we will introduce UNAF differences, which we will use to accurately calculatedifferential probabilities of ARX constructions. Before we give the formal definition of a UNAFdifference, we first recall a few related concepts: the binary-signed digit (BSD) difference andthe non-adjacent form (NAF) difference.

Definition 6.4.1 (BSD difference) A BSD difference is a difference whose bits are signedand take values in the set 1, 0, 1:

∆±a : ∆±a[i] = (a2[i]− a1[i]) ∈ 1, 0, 1, 0 ≤ i < n . (6.1)

An additive difference ∆+a can be composed of more than one BSD difference ∆±a. Fromany BSD difference, the corresponding additive difference can be computed as: ∆+a =∑n−1

i=0 ∆±a[i] · 2i.All BSD differences corresponding to ∆+a can be obtained by replacing 01 with 11 and

vice versa and by replacing 01 with 11 and vice versa [EH07, Rei60]. Note also that thenumber of pairs (a1, a2) that satisfy the n-bit difference ∆+a is 2n, while the number of pairsthat satisfy any of its BSD differences ∆±a is 2k, where k is the number of zeros in the word∆±a. Therefore, the following inequality holds: 2k ≤ 2n, k = n−HW(∆±a).

The non-adjacent form (NAF) difference is a special BSD difference and is defined asfollows:

Definition 6.4.2 (NAF) A NAF (non-adjacent form) difference is a BSD difference in whichno two adjacent bits are non-zero:

∆Na : @i : (∆Na[i] 6= 0) ∧ (∆Na[i+ 1] 6= 0), 0 ≤ i < n− 1 . (6.2)


For every additive difference ∆+a, there is exactly one NAF difference ∆Na (ignoring thesign of the MSB). No other BSD difference has a lower Hamming weight than ∆Na [Rei60].We illustrate this with the following example:

Example 6.4.1 Let n = 4 and ∆+a = 3. Then all possible BSD differences corresponding to∆+a are 0011, 0101, 0111, 1111, 1111, 1101 and 1101. Of them, only 0101 is in non-adjacentform (NAF). It also has the lowest Hamming weight among all BSD differences, namely 2.

By enumerating all possible combinations of signs of the non-zero bits of ∆Na, we can con-struct a special set of additive differences. What is special about this set, is that all of itselements correspond to the same unsigned NAF difference. This set is a UNAF differenceand is denoted by ∆Ua. More formally:

Definition 6.4.3 (UNAF) A UNAF difference is a set of additive differences that correspondto the same unsigned NAF difference (i.e. a NAF difference with the signs ignored):

∆Ua = ∆+x : |∆Nx| = |∆Na| . (6.3)

It is easy to see that the size of the UNAF set ∆Ua is 2k, where k is the Hamming weight ofthe n-bit word ∆Na, excluding the MSB. We further clarify the concept of a UNAF differencewith the following example:

Example 6.4.2 Consider again an example where n = 4. Let ∆+a = 3, thus ∆Na = 0101.Then, ∆Ua = ∆+x1 = 3,∆+x2 = −3,∆+x3 = 5,∆+x4 = −5. This follows from |∆Nx1| =|∆Nx2| = |∆Nx3| = |∆Nx4| = |∆Na|, because |0101| = |0101| = |0101| = |0101| = 0101.

6.4.2 Main UNAF Theorem

The main UNAF theorem provides the motivation for applying UNAF differences to thedifferential analysis of ARX. Before we state it, we define the additive differential probabilityof XOR (adp⊕).

The differential probability of the operation XOR, when differences are expressed usingaddition modulo 2n, is denoted by adp⊕. For fixed additive differences α, β and γ, adp⊕ isequal to the number of pairs (a1, b1) for which the equality ((a1+α)⊕(b1+β))−(a1⊕b1) = γholds, divided by the total number of such pairs. More formally, adp⊕(α, β → γ) is definedas:

Definition 6.4.4 (adp⊕)

adp⊕(α, β → γ) =#(a1, b1) : c2 − c1 = γ

#(a1, b1)= 2−2n ·#(a1, b1) : c2 − c1 = γ , (6.4)

where c1 = a1 ⊕ b1, c2 = (a1 + α)⊕ (b1 + β) and 22n is the total number of pairs (a1, b1).

Efficient algorithms for the computation of adp⊕ were studied in [LWD04,MVDP10]. Nextwe state the main UNAF theorem. Its proof is given in [VMDP11].

Theorem 6.4.1 (Main UNAF theorem) If the probability with which input additive differ-ences ∆+a and ∆+b propagate to output difference ∆+c through XOR is non-zero, then the


probability with which any of the input additive differences belonging to the correspondingUNAF sets respectively ∆Ua and ∆Ub propagate to any of the output additive differencesbelonging to the UNAF set ∆Uc is also non-zero:

adp⊕(∆+a,∆+b→ ∆+c) > 0 =⇒ adp⊕(∆+ai,∆+bj → ∆+ck) > 0 ,

∀i, j, k : ∆+ai ∈ ∆Ua,∆+bj ∈ ∆Ub,∆+ck ∈ ∆Uc . (6.5)

Theorem 6.4.1 states that if a given additive differential is possible w.r.t. the XOR opera-tion, then all additive differentials whose inputs and outputs belong to the same UNAF sets,are also possible. This is illustrated with the following example.

Example 6.4.3 Let n = 4 and ∆+a = 5, ∆+b = 1, ∆+c = 6. Because adp⊕(5, 1 → 6) =0.15625 > 0, we can use Theorem 6.4.1 to show that adp⊕(∆+ai,∆

+bj → ∆+ck) > 0 for any∆+ai ∈ ∆Ua = 3,−3, 5,−5, ∆+bj ∈ ∆Ub = 1,−1 and ∆+ck ∈ ∆Uc = 6,−6.

6.4.3 Applications

UNAF differences are useful for obtaining better estimation of the probabilities of differentialsbased on additive differences. One such application is demonstrated on the ARX-based streamcipher Salsa20 [VMDP11] (complementing the work of [AK+08]). The main results from thisresearch are summarized in Table 6.1 and Fig. 6.1.

Table 6.1: Estimating the probabilities of differentials for three rounds of Salsa20 using UNAFdifferences.

i ∆3i ∆U3i padd punaf pexper

9 80000000 80000000 2−10.00 2−4.00 2−3.38

13 ffe00100 00200100 2−15.75 2−7.75 2−4.93

14 ff00001c 01000024 2−16.29 2−8.31 2−6.35

1 00e00fe4 01201024 2−23.01 2−13.04 2−10.18

2 00000800 00000800 2−35.59 2−16.62 2−11.08

3 fff000a0 001000a0 2−41.48 2−20.04 2−14.68

6 01038020 01048020 2−41.76 2−21.91 2−15.68

7 ffefc000 00104000 2−44.65 2−22.15 2−17.42

In Table 6.1 are presented eight differentials for three rounds of Salsa20. All of them haveinput difference ∆0

8 = 0x80000000 in the eighth word of the input state. The correspondingadditive and UNAF differences in word i from the state after the third round are shownrespectively in the second and third columns of the table. Three estimates of the probabilityof each differential are provided in columns 4, 5 and 6 respectively. The estimation paddwas obtained by using single additive differences. Therefore it reflects the probability of asingle differential trail. The estimation punaf is obtained using UNAF differences (i.e. setsof additive differences) and takes into account several differential trails at once. Finallypexper is the probability obtained experimentally. The information in Table 6.1 is graphicallyrepresented on Fig. 6.1.

From Table 6.1 and Fig. 6.1 it can be seen that although the probability estimationscomputed using UNAF differences deviate from the values obtained experimentally, they arestill more accurate than the estimations based on single additive differences.


Figure 6.1: Three estimates of the probabilities of eight differentials for three rounds ofSalsa20, based on the data from Table 6.1: (1) estimation obtained experimentally, (2) basedon UNAF differences and (3) based on single additive differences.

6.5 Maximum Probability Output Differences

6.5.1 S-function Toolkit

We now explain a technique which given an input difference, efficiently computes the out-put difference(s) with the highest probability. This technique has been implemented in theS-function toolkit, which is publicly available online.3

Besides computing maximum probability output differences, the S-function toolkit canalso calculate the XOR-differential probability of addition (xdp+), the additive differentialprobability of XOR (adp⊕), as well as xdp+(α, β, . . .→ γ), which is the calculation of xdp+ formore than two inputs, and the differential probability xdp×C of multiplication by a constant Cwhere differences are expressed by XOR. The toolkit also includes a linear-in-n-time algorithmto efficiently count the number of output differences for each of these operations.

6.5.2 An A* Search Algorithm

Let 2 be an operation that takes a finite number of n-bit input words a1, b1, d1, . . . andcomputes an n-bit output word c1 = 2(a1, b1, d1, . . .). Let • be a type of difference. Letα,β,ζ,. . . and γ be differences of type • such that a1 • a2 = α, b1 • b2 = β, d1 • d2 = ζ,. . . and c1 • c2 = γ for some a2,b2,d2,. . . and some c2. The differential probability withwhich input differences α, β, ζ, . . . propagate to output difference γ with respect to theoperation 2 is denoted as •dp2(α, β, ζ, . . .→ γ). Finally, let the difference • be such that itis possible to express its propagation through the operation 2 as an S-function consisting ofN states. Therefore, there exist adjacency matrices Aw[i] such that the probability •dp2 can

be efficiently computed as LAw[n−1] . . . Aw[1]Aw[0]C, where L = [1 1 · · · 1 ] is a 1×N matrix

and C = [1 0 · · · 0 ]T is an N ×1 matrix (as in [MVDP10]). The problem is to find an outputdifference γ such that its probability pγ over all possible output differences is maximal:

pγ = •dp2(α, β, ζ, . . .→ γ) = maxj• dp2(α, β, ζ, . . .→ γj) . (6.6)

We represent (6.6) as a problem of finding the shortest path in an node-weighted binarytree. We define the binary tree T = (N,E), where N is the set of nodes and E is the set ofedges. The height of T is n+1 with a dummy start node positioned at level −1 and the leavespositioned at level n− 1. Each node at level i : 0 ≤ i < n contains a value of γ[i], where i = 0is the LSB and i = n − 1 is the MSB. Every node on level i has two children at level i + 1.Since the input differences α, β, ζ, . . . are fixed, at every bit position i we can choose betweentwo matrices Aw[i], corresponding to the two possibilities for the output difference γ[i].

To find the output difference with the highest probability, we use the A* search algo-rithm [HNR68]. In this algorithm, an evaluation function f can be computed for every nodein the search tree. The f -function represents the weight of a node, and is based on thecost of the path from the start node, and a heuristic that estimates the distance to the goal

3http://www.ecrypt.eu.org/tools/s-function-toolkit


node. The algorithm always expands the node with the highest f -value (corresponding tothe highest probability). The A* search algorithm guarantees that the optimal solution willbe found, provided that the evaluation function f never underestimates the probability ofthe best output difference. After introducing some definitions, we will define an evaluationfunction f and prove in Theorem 6.5.1 that this f satisfies the required condition.

Let vector Xi = [xi,0 xi,1 · · · xi,N−1 ] be a transition probability vector, i.e. xi,r ≥ 0 for

0 ≤ r < N and∑N−1

r=0 xi,r ≤ 1. We define Hr as a column vector of length N , of which ther-th element (counting from 0) is 1 and all other elements are 0. The cost of a node at leveli is then denoted by ‖Xi‖ (the 1-norm of Xi) and is calculated as ‖Aw[i]Aw[i−1] · · ·Aw[0]C‖.Let us define a sequence of row vectors Gi,r, 0 ≤ r < N and 0 ≤ i < n. Each Gi,r isa product of matrices LAw[n−1]Aw[n−2] . . . Aw[i+1], where each of the A-matrices are chosen

such that Gi,rHr is maximized. The choice of the A-matrices may differ for different valuesof r. We define row vector Gi as the product of matrices LAw[n−1]Aw[n−2] . . . Aw[i+1], wherethe A-matrices are chosen such that GiXi is maximized. For a node at level i with cost ‖Xi‖,the evaluation function f is defined as

∑N−1r=0 Gi,rHrxi,r.

Theorem 6.5.1 The evaluation function f =∑N−1

r=0 Gi,rHrxi,r never underestimates theprobability of the best output difference.

Proof 6.5.1 The following inequality holds: Gi,rHr ≥ GiHr for 0 ≤ r < N . The lattercan be proven by contradiction: if Gi,rHr < GiHr for some r, then Gi,r is not the productof A-matrices that maximizes Gi,rHr, which contradicts its definition. Because probabilitiesare non-negative, we can multiply both sides of the inequality by the state probability xi,r, toobtain Gi,rHrxi,r ≥ GiHrxi,r, 0 ≤ r < N . By summing the left and the right sides of the

N inequalities, we obtain∑N−1

r=0 Gi,rHrxi,r ≥∑N−1

r=0 GiHrxi,r = GiXi. By definition, GiXi

is the best choice of A-matrices, starting from transition probability Xi. This proves that theleft-hand side of the inequality never underestimates the probability, which proves the theorem.

Before we can apply the A* algorithm to compute the best output difference, we mustdetermine the values of Gi,rHr for 0 ≤ i < n and 0 ≤ r < N . This is done by again runningthe A* algorithm for the most significant bit, then for the two most significant bits, and so onuntil we process the entire word. For the MSB, we define Gn−1,r = L for 0 ≤ r < N . For thetwo MSBs, we run the A* algorithm for every 0 ≤ r < N , setting the transition probabilityvector Xn−2 to Hr. This allows us to compute Gn−2,rHr. This process is continued untilG0,rHr for 0 ≤ r < N is calculated. Having calculated all values of Gi,rHr, we then use theA* algorithm to search for the best output difference by setting the state transition probabilityvector X−1 = C.

6.6 Rotational Cryptanalysis

In [KN10], the concept of rotational cryptanalysis is explained for ARX constructions. Let usconsider the pair (x, x≪ r), consisting of both x and x rotated to the left by r positions. Werefer to (x, x≪ r) as a rotational pair. Rotational cryptanalysis is based on the observationthat if the inputs to the XOR, rotation or bitwise Boolean function operations are rotationalpairs, the outputs are rotational pairs as well. With some probability, the same observationalso holds for the addition operation. If rotational pairs can be obtained more easily for a


given cryptographic primitive than for a random permutation, this observation can be usedto build a distinguisher or even a key recovery attack.

The concept of rotational cryptanalysis is not new, but has recently gained a lot of interestbecause of the increasing number of ARX-based designs. In pioneering work by Biham [Bih94],rotational pairs of keys were considered for the block ciphers LOKI89, LOKI91 and Lucifer.This approach was extended in [KSW97] to related-key attacks on several block ciphers. Thisis not pure rotational cryptanalysis, however, because the attacker searches for plaintexts ofthe form (p, F (p)), where F is the round transformation.

For Salsa20 [Ber08], Bernstein explicitly prevented attacks based on rotational pairs, byusing constants without rotational symmetry at the input of the permutation. However, hedid not give complexity estimates of such an attack.

In [MT09], a related-key attack was constructed using rotational pairs for a variant of theblock cipher ESSENCE. This attack uses the observation that rotational pairs pass throughbitwise Boolean functions with probability one. For the linear function L, the followingobservation was made:

Let us use the polynomial representation of F232 . A multiplication of any a ∈ F232 byx then corresponds to a binary left shift by one position, and an XOR with the feedbackpolynomial if and only if the most significant bit of a is one. The following relation thusholds:

MSB(a) = 0⇔ a · x = a 1 . (6.7)

The linear function L of ESSENCE is implemented as an LFSR. Using the polynomialrepresentation of F232 , we can write L(v) = v · x32.

We have that L(v · x) = (v · x) · x32 = (v · x32) · x = L(v) · x. For a random v ∈ F232 , withprobability 2−2 we have that MSB(v) = 0 and MSB(L(v)) = 0. In that case:

L(v 1) = L(v) 1 . (6.8)

If MSB(a) = 0, then a 1 and a ≪ 1 are equivalent. Because of the particular choiceof the Boolean function in ESSENCE, this attack does not work on ESSENCE itself, but ona variant of the ESSENCE block cipher.

The idea of rotational inputs was used as well to find fixed points and key collisions forthe permutation P used in the hash function Shabal [KMT09]. Rotational pairs were tracedthrough bitwise logical operations and rotations, however rotations were chosen in such a waythat there was no loss in probability for the additions operations in U(x) = x + x ≪ 1 andV(x) = x+ x≪ 2.

In [KN10], Khovratovich et al. formally explain the concept of rotational cryptanalysis,and applied it to reduced rounds of the Threefish block cipher, the core of the Skein hashfunction. As in [MT09], a related-key chosen-plaintext attack is constructed, where both keysand plaintexts are rotated. Cryptanalysis results are presented on 39, 42 and 43 full roundsof Threefish-256, -512 and -1024 respectively, where the attack complexity is estimated to beslightly less than generic.

In [KNR10], Khovratovich et al. combine the rotational cryptanalysis attack with therebound attack [MRST09a]. Before this result, the rebound attack approach was only appliedto AES-like constructions. A cryptanalytic result is obtained on an estimated 53/57 out ofthe 72 rounds of the Skein-256/512 compression function and the Threefish cipher.


A mention of the completeness of ARX is given in [Ber08]. A formal proof can be foundin [KN10]. Because ARX is shown to be functionally complete, it is possible to use addition,rotation and XOR to implement any circuit (including all block ciphers, hash functions andMACs), but not necessarily in the most efficient way. Although this result indicates thesoundness of ARX constructions, a new toolkit is required for the cryptanalysis and designof these primitives. Such a toolkit is presented in the next section.

6.7 ARX-tools

ARXtools [Leu12] is a series of tools to study ARX constructions. The first step is a tool toconstruct automata for the analysis of S-function, similar to [MVDP10]. The construction iscompletely automated, and the S-function can be written with a simple C-like syntax.

This tool is used to represent bitwise constraints as S-systems, and to implement effi-ciently the propagation of the generalized constraints of De Canniere and Rechberger [DR06].Moreover, new multi-bit constraints are introduced. The new set of constraint allow moreinformation to be extracted automatically when carries are used in modular additions, andthis allows to detect automatically some cases of incompatibility in ARX characteristics. Thenew constraints can also be represented by an S-system, and propagated efficiently.

Finally, ARXtools includes a graphical tool that allows to visualize a differential charac-teristics, and to modify it interactively, with automatic propagation of the constraints. Thiscan be used to verify a path that was built with another technique, and to help manualconstruction of a differential characteristic.

The first results obtained with the tools show that several previously published attacksare based on paths that are in fact incompatible. Problems have been discovered in simpledifferential characteristics, as well as in boomerang attacks. It seems that many paths thatfollow a “natural” construction lead to incompatibilities.

This highlights the need for further research in this area. Future works should try toidentify new interesting constraints, and to verify a wider range of differential attacks. Aninteresting problem would be to use the constraint propagation of ARXtools in order to builddifferential paths for ARX constructions automatically, as was done for SHA-1 [DR06].

6.8 Automated Search for Differential Characteristics

Most attacks on ARX based hash function use rather simple differential characteristics whichare constructed mostly manually or using basic cryptanalytic tools. However, the most effi-cient collision attacks on SHA-1 and similar hash functions use more complex characteristics,especially in the first few steps of the attack. Constructing such complex characteristics is ingeneral a difficult task. First, Wang et al. [WYY05] have constructed such a characteristic forSHA-1 manually. Later, De Canniere and Rechberger [DR06] proposed a method to efficientlyfind such complex characteristics for SHA-1 in an automated way. Furthermore, also the bestcollision attack on SHA-1 with practical complexity is based on this approach [DMR07,GA11].Unfortunately, the technique cannot be directly applied to more complex hash functions suchas SHA-2 [MNS11b].

Due to the increased complexity in newer designs, the analysis of hash functions hasbecome more difficult. Therefore, finding high probability differential characteristics as wellas conforming input pairs has become a more challenging task and doing any of these steps


by hand is almost impossible or at least, very time consuming. Hence, the development ofnew tools has become necessary. Recently, attacks on several widespread ARX based hashfunctions using a new automated search tool have been published [MNS11b,MNS11a,MNS12,MNSS12]. These results significantly improve upon the previous results. The tool is basedon the concept of generalized conditions and improves and extends the work by De Canniereand Rechberger on SHA-1 [DR06] in several ways.

6.8.1 Main Concept

The tool is based on the concept of generalized conditions which reflect that both the dif-ferences and the actual values of bits are important in a differential attack. In this conceptcharacteristics are allowed to impose arbitrary conditions on the pairs of bits. Based on thesegeneralized conditions an algorithm to search for complex differential characteristics is build.The basic idea of the search algorithm is to randomly pick an unrestricted bit position andimpose a new condition. Afterwards, it is calculated how this condition propagates. If an in-consistency occurs the algorithm backtracks to an earlier state of the search. This is repeateduntil all unrestricted bits are eliminated.

This technique is divided in four parts. In the first part a starting point for the searchalgorithm is constructed. Next a sophisticated search strategy which depends on the hashfunction, type of attack and starting point is defined. The third part consists of the consistencychecks performed during the search. Finally, the last part deals with the efficient propagationof conditions.

Determining a Starting Point

As shown in [DR06], for SHA-1 the starting point is defined by a certain characteristic for alinearized variant. As shown in [MNS11a] a starting point can also consist of two differentcharacteristics which are connected through a complex third characteristics. Furthermore,in [MNS11b] the authors need to extend the general strategy in order to successfully applythe technique on SHA-256. In [MNS12,MNSS12] the dual-stream design of RIPEMD-128 andRIPEMD-160 needed to be taken into account in order to have a good starting point andimprove over the linear approach from [MPRR06b]. Hence, determining a good starting pointmainly depends on the targeted hash function and we refer to the corresponding publicationsfor more details.

Search Algorithm

In general, the used search algorithm can is divided into three parts: decision, deduction andbacktracking [MNS11b]. The first aspect of the search strategy is the decision, where it isdecided which bit is chosen and which condition is imposed at its position. In the deductionpart the propagation of the imposed condition and the check for contradictions is done. Ifa contradiction occurs it needs to be backtracked and decisions need to be undone, which isthe third part of the search strategy.

In [MNS11b] an improved and advanced search algorithm is presented leading to practicalcollision attacks for step-reduced SHA-256. The main idea is to combine the search fordifferential characteristics and conforming message pairs. Additionally, conditions which arenot covered by generalized conditions are used in the search process. In doing those bits,which are involved in many relations with other bits are considered earlier. That way invalid


characteristics are detected at an early stage of the search. In addition, critical bits areremembered during the search to improve the backtracking process.

We want to note that the same algorithm with additional improvements and adapta-tions was used to construct collisions for various other hash functions such as HAS-160 andRIPEMD-128/160.

Propagation of Conditions

The efficient propagation of new conditions is crucial for the performance of the tool, sinceit is the most often needed operation in the search algorithm. Due to the nature of thesearch algorithm where changes to the characteristic (using generalized conditions) are doneon bit-level, the propagation of conditions is also done on bit-level. At the beginning of thesearch every bit is either fixed to a specific condition, e.g. output set to a zero-difference,or is unrestricted, i.e. has no conditions. During the search new conditions on specific bitsare imposed. Each bit is either input or output of a function and hence partially determinesthe conditions of other bits. All input bits which determine a output bit and the output bititself are forming a set, usually called a bit-slice. Therefore, whenever the conditions of a bitchanges, every other bit of the corresponding bit-slice needs to be updated.

In [MNS11b] the update process is done exhaustively by computing all possible conditionsof a bit-slice. This seems at first to be inefficient but the authors are using different techniquesto significantly speed up the process. For more details we refer to [MNS11b,MNS11a,MNS12,MNSS12].

Consistency Checks

To avoid inconsistent differential characteristics, a number of checks to detect contradictionsas early and efficiently as possible are applied. For more details we refer to [MNS11b].

6.8.2 Applications

In this section, we discuss the application of the tool to find automatically complex differentialcharacteristics to some commonly used hash functions, i.e. SHA-256, HAS-160 and RIPEMD-128/160.

SHA-256

In [MNS11b], the authors analyze the collision resistance of SHA-2 and provide the first resultssince the beginning of the NIST SHA-3 competition. They extend the previously best knownsemi-free-start collisions on SHA-2 [MPP+05,MPRR06a,HRW07,NB08, IMPR08,SS09] from24 to 32 (out of 64) steps and show a collision attack for 27 steps. All of their attacks arepractical and verified by colliding message pairs. They present the first automated tool forfinding complex differential characteristics in SHA-2 and show that the techniques on SHA-1cannot directly be applied to SHA-2. Due to the more complex structure of SHA-2 severalnew problems arise. Most importantly, a large amount of contradicting conditions occurwhich render most differential characteristics impossible. They show how to overcome thesedifficulties by including the search for conforming message pairs in the search for differentialcharacteristics.


HAS-160

HAS-160 is an iterated cryptographic hash function that is standardized by the Korean govern-ment and widely used in Korea. In [MNS11a], the authors present a semi-free-start collisionfor 65 (out of 80) steps of HAS-160 with practical complexity. The basic attack strategyis to construct a long differential characteristic by connecting two short ones by a complexthird characteristic. The short characteristics are constructed using techniques from codingtheory. To connect them, they are using an automatic search algorithm similar to the onein [MNS11b] for the connecting characteristic utilizing the nonlinearity of the step function.

RIPEMD-128 and RIPEMD-160

The ISO/IEC standards RIPEMD-128 and RIPEMD-160 were proposed 15 years ago. Due tothe same hash output length, RIPEMD-160 may be used as a drop-in replacement for SHA-1and RIPEMD-128 for hash functions like MD5. Only few results have been published forRIPEMD-128 or RIPEMD-160. The best attack for RIPEMD-128 is a preimage attack forthe first 33 steps of the hash function with complexity 2124.5. For RIPEMD-160 most attackshave a complexity very close to the generic bound.

In [MNS12], the authors analyze the security of RIPEMD-128 against collision attacks. Inthis work, the authors provide a new assessment of the security margin of RIPEMD-128 byshowing attacks on up to 48 (out of 64) steps of the hash function. They present a collisionattack reduced to 38 steps and a near-collisions attack for 44 steps, both with practicalcomplexity. Furthermore, they show non-random properties for 48 steps of the RIPEMD-128hash function, and provide an example for a collision on the compression function for 48 steps.

In [MNSS12], the authors provide the first security analysis of reduced RIPEMD-160 re-garding its collision resistance with practical complexity. In this paper, the authors presentthe first application of the attacks of Wang et al. on MD5 and SHA-1 to RIPEMD-160. Dueto the dual-stream structure of RIPEMD-160 the application of these attacks is nontrivialand almost impossible without the use of automated tools. They present practical exam-ples of semi-free-start near-collisions for the middle 48 steps (out of 80) and semi-free-startcollisions for 36 steps of RIPEMD-160. Furthermore, their results show that the differentialcharacteristics get very dense in RIPEMD-160 such that a full-round attack seems unlikelyin the near future.

For all attacks they use complex nonlinear differential characteristics. Due to the morecomplicated dual-stream structure of RIPEMD-128 and RIPEMD-160 compared to its prede-cessor, finding high-probability characteristics as well as conforming message pairs is nontriv-ial. Doing any of these steps by hand is almost impossible or at least, very time consuming.Therefore, they present a general strategy to analyze dual-stream hash functions and use theautomatic search tool for the two main steps of the attack.

6.9 Conclusion

This report introduced the framework of S-functions. This framework is used to calculatethe probability that given input differences lead to given output differences for ARX-basedconstructions, as well as to count the number of possible output differences. We extendedthe S-function framework: to analyze adpARX, and to analyze cryptosystems according to aspecific set of additive differences, referred to as UNAF.


We presented the main UNAF theorem, which shows how a UNAF difference groupsseveral possible additive differences together. Further, we investigated the propagation ofUNAF differences through the ARX operation. We defined the UNAF differential probabilityof ARX and noted that it can be computed efficiently using the S-functions framework proposedby Mouha et al.

UNAF differences were applied to the cryptanalysis of the stream cipher Salsa20. We foundthat for three rounds of Salsa20, the probability of the best differential based on additivedifferences is estimated as 2−10. Evaluating the same probability using UNAF differencesleads to the value 2−4. The latter is closer to the probability of the differential 2−3.39 thatwas determined experimentally.

Moreover, we described a technique that for given input differences, efficiently computersthe output difference(s) with the highest probability. The implementation of this techniqueis publicly available as part of the S-function toolkit.

Finally, we describe ARXtools a series of tools to study ARX constructions, and presenta tool to automatically construct complex differential characteristics for several commonlyused hash functions such as SHA-256 or RIPEMD-128/160.


Chapter 7

Analysis of AES-based HashFunctions

The submission of many AES-based hash function to the NIST SHA-3 competition [Nat07]has initiated new developments in the analysis of AES [Nat01] as a building block in hashfunctions. Since all inputs to hash functions are known, different types of attacks than onAES as a block cipher have emerged. Additionally, the message in a hash function can bechosen freely, which usually gives an attacker more freedom than in a block cipher, wherethe key is unknown and/or fixed. Two different directions of analyzing AES based hashfunctions have been published recently. Both attacks need specific (truncated) differentialpaths to work with. The recent attack on the AES block cipher applied to AES in hashingmode [BKN09] uses local collisions to construct high-probability differential paths, whereasthe rebound attack [MRST09b] uses the available degrees of freedom to find pairs for the(multiple) expansive parts of a path more efficiently. In related work [Pey07], the permutation-based hash proposal Grindahl [KRT07] was analyzed.

In [KBN09] the triangulation algorithm, a new tool for the collision search in hash func-tions has been proposed and applied to Rijndael in hashing mode. Further, in [BKN09] anattack to construct q-pseudo collisions for AES-256 in Davies-Meyer hashing mode has beenpublished. In this work, differences of the key-schedule are used to construct high-probabilitydifferential paths using local collisions in the state update. Due to the degrees of freedom ofthe 256-bit key-schedule, many local collisions and thus, a distinguishing attack on the fullcompression function is possible.

Further, the additional degrees of freedom available in a hash function have been ex-tensively used by the rebound attack, especially in the analysis of many AES based hashfunctions. The rebound attack [MRST09b] has been published by Mendel et al. in the anal-ysis of the AES-based hash functions Whirlpool [BR00] and Grøstl [GKM+08]. It can beapplied to both block cipher based and permutation based constructions. The idea of therebound attack is to divide an attack into two phases, an inbound and outbound phase. Theinbound phase is an efficient meet-in-the-middle phase, which exploits the available degrees offreedom in the middle of a (truncated) differential path to guarantee that the expensive partof the path holds. In the (mainly) probabilistic outbound phase the solutions of the inboundphase are computed backwards and forwards to obtain an attack on the hash or compressionfunction.

The rebound idea has also been applied to the AES-based SHA-3 candidates Twister [MRS09],

51


Cheetah [Wu09] and LANE [WFW09]. Further, two different lines of improvements have beenmade to the rebound attack recently. First, the efficiency of the inbound phase has been im-proved using different techniques in [MPRS09], and the inbound phase has also been extendedby one round using SuperBox techniques in the improved analysis of Whirlpool [LMR+09, Ap-pendix] and later applied to Grøstl in [MRST10] and independently in [GP10]. Second, mul-tiple inbound phases can be used if more degrees of freedom from a key-schedule or due tosparse truncated differential paths are available. This more powerful improvement allows todouble the number of attacked rounds and has been used in the analysis of the compressionfunctions Whirlpool [LMR+09] and LANE [MNPN+09]. Even more recently, generalizationsand a deeper study of the problem that needs to be solved in inbound phases have led toimprovements in a number of complicated cases [DDKS12,NP11]

The improved analysis of AES based hash functions can be interpreted as a weakness ofAES based designs. However, one can also argue that the simple structure of AES simplyaccelerates understanding, and thereby the development of attacks. In that case, more resultscan be expected later on other types of hash functions. An example is e.g. the rotationalrebound attack on Skein [KNR10]. Perhaps surprisingly, the techniques also found applicationto the cryptanalysis of keyed primitives: in a variant of the biclique attack on AES [BKR11a](see Section 9).

Chapter 8

Meet-in-the-middle preimageattacks on hash functions

Even though they may be traced back to Lai and Massey [LM92], meet-in-the-middle attackson the preimage resistance of hash functions recently received renewed attention. This isboth in the context of MD2 by Knudsen et al. [KM05,KMMT10,Mul04b], attacks on round-1SHA-3 candidates by Khovratovic et al. [KNW09], as well as a series of results on membersof the MD4 family of hash functions by Aoki, Sasaki and others [AGM+09,AS09,AS08,SA08,SA09a, GLRW10], and Tiger [IS09, GLRW10, Men09]. In the following, we describe them ina way to fit into the meeet-in-the-middle (MITM) framework of Aoki and Sasaki. Otherinteresting approaches to preimage attacks appeared e.g. in [Bih08, DR08, Leu08, MPR08a,MPR+08b,YWZW05,Rec10].

8.1 The basic approach

The general idea of the preimage attack can be explained as follows. Let us consider a block-cipher based hash function is Davies-Meyer mode. Further let us define a splitting point at aparticular round during the computation, and a matching point at another round.

1. Split the compression function into two chunks, where the values in one chunk do notdepend on some message word Wp and the values in the other chunk do not dependon another message word Wq (p 6= q). We follow the convention and call such wordsneutral with respect to the first and second chunk, respectively.

2. Fix all other values except for Wp,Wq to random values and assign random values tothe chaining registers at the splitting point.

3. Start the computation both backward and forward from the splitting point to form twolists Lp, Lq indexed by all possible values of Wp and Wq, containing the computed valuesof the chaining registers at the matching point.

4. Compare two lists to find partial matches (match for one or a few registers instead ofthe full chaining) at the matching point.

5. Repeat the above three steps with different initial configurations (values for splittingpoint and other message words) until a full match is found.

53


With the work effort of 2l compression evaluations (let the space for both Wp and Wq be2l), we obtain two lists, each one containing 2l values of the register to match. When weconsider all of the 22l possible pairs, we expect to get around 2l matches (assume we match lbits at the matching point). This means that after 2l computations we get 2l matches on oneregister, effectively reducing the search space by 2l. Leaving all the other registers to chanceallows us to find a complete match and thus a pseudo-preimage in 2n−l computations if thechaining is of n bits. We repeat the pseudo-preimage finding 2l/2 times, which costs 2n−l/2,and then find a message which links to one of the 2l/2 pseudo-preimages, this costs 2n−l/2.So the overall complexity for finding one preimage is 2n−l/2+1, with memory requirement oforder 2l.

8.2 Refinements and improvements

A number of refinements and improvements have been proposed recently that allowed attacksto cover more and more rounds, and sometimes also led to improved attack complexities. Wefirst discuss a selection of them with a focus on compression function attack techniques.

• Initial Structure. An Initial Structure (intrduced in [SA09a]) can swap the order ofsome message words near the splitting point, so that the length of the two chunks canbe extended. Assume that originally both chunks p and q contain both neutral wordsWp and Wq. After the initial structure, essentially the Wp and Wq near the splittingpoint are swapped, so that chunk p is independent from Wq and chunk q is independentfrom Wp. A probabilistic generalization is described and used in [GLRW10].

• Partial Matching and Partial Fixing. Partial matching can extend the attack for afew additional rounds. There are Wp and Wq near the matching point, which appear inother chunks and destroy the independence. However we can still compute few bits at thematching point, independently for both chunks, assuming no knowledge of Wp and Wq

near the matching point. Partial fixing will fix part of the Wp and Wq so that we can stillmake use of those fixed bits, and extend the attack for a few more rounds. Sometimes,Wp and Wq near the matching point behave in such a way that we can express thematching point as f(Wq) + σ(Wp) from chunk q, and g(Wp) + µ(Wq) from chunk p, forsome functions f, σ, g, µ depending on the underlying hash function. So we can computef(Wq)−µ(Wq) from chunk q and g(Wp)−σ(Wp) from chunk p independently, and thenfind matches. This is called indirect partial matching, see [AGM+09].

Note that a successful match gives only a pseudo-preimage, as the initial value is deter-mined during the attack. However, various techniques are known to convert pseudo-preimagesto a preimage.

• Generic. A generic technique described in [MvOV96, Fact 9.99]. One can computemany pseudo-preimages, and then find a message linking the IV to one of the inputchaining values of the pseudo-preimages.

• Dedicated. A number of tree [DR08,Leu08,MR07] and graph [DR08] based approachesare known that allow to exploit properties of compression function attacks for a moreefficient conversion from pseudo-preimages to preimages than the generic approach.Until recently the powerful pseudo-preimages technqiues like partial matching/fixing


and initial structure where believed to be incompatible with those conversion methods.In [GLRW10], an approach to combine both is described, leading to more efficientconversions while at the same time allowing to take advantage of compression functionattack techniques as described above.

8.3 Discussion of results

The method is well suited to cover many rounds in preimage attacks. For the SHA-2 familyand the Tiger hash function, this type of attack is able to cover more rounds than any otherattack (up to 43/46 rounds for SHA-2, and full-round Tiger [AGM+09, GLRW10]). On theother hand, it was not demonstrated yet that this approach can yield practical attacks as timecomplexity is often close to that of brute force search. The result on the MD4 compressionfunction in time 272 [GLRW10] may be seen as a exception to this. Also memory-requirementsare often non-regligible. As an example, the result on full MD5 [SA09a] with 128-bit outputneeds time 2123.4 and about 245 memory, while the result on full Tiger [GLRW10] with 192-bitoutput needs time 2188.2 and about 28 memory.


Chapter 9

Biclique Cryptanalysis of BlockCiphers

This chapter briefly summarizes recent progress in key recovery for block ciphers due to thenew technique of biclique cryptanalysis to enhance meet-in-the-middle attacks.

Following the lines of the work [BKR11a, BKR11b, KLR12], we motivate and summarizethe recent progress in meet-in-the-middle attacks on block ciphers, including the first keyrecovery against all three variants of AES in the standard single-key model faster than bruteforce.

Attacks on hash functions have received a lot of attention lately. First of all, this is dueto the relatively recent success in collision attacks of MD5 [WY05], SHA-0 [BCJ+05, CJ98]and SHA-1 [WYY05] (including the practical cryptanalysis MD5 [SLdW07, SSA+09] in thecontext) and to preimage attacks on MD5 [SA09b].

Differential cryptanalysis [BS91] was discovered at the example of block ciphers. However,it was successfully applied to hash function analysis as well and even found its own non-negligible development there. Moreover, the cryptanalysis of hash functions has got to thepoint that there has been evidence that techniques of hash function cryptanalysis can result innew insight into block ciphers, e.g. the related-key attacks on AES with local collisions [SA10,BDK+10b,BKN09,BN10].

Though there has been a great deal of meet-in-the-middle attacks on block ciphers re-cently [BR10,CBF11,CE85,DK10,ODP07,Iso11,WRG+11], they receive less focus from crypt-analysts than the standard attack vectors. A basic meet-in-the-middle attack requires onlythe information-theoretical minimum of plaintext-ciphertext pairs. The limited use of theseattacks can be attributed to the requirement for large parts of the cipher to be independentof particular key bits. As this requirement is not met in AES and most AES candidates, thenumber of rounds broken with this technique is rather small [DK10,CBF11], which seems toprevent it from producing results on yet unbroken number of rounds in AES. We also men-tion that the collision attacks [DS08, HDB09] use some elements of the meet-in-the-middleframework.

A new concept called bicliques was first introduced for hash cryptanalysis by Savelievaet al. [DKS11]. It originates from the splice-and-cut framework [AS08, AS09, JGW] in hashfunction cryptanalysis, and more specifically its element called initial structure. The bicliqueapproach led to the best preimage attacks on the SHA family of hash functions so far, includingthe attack on 50 rounds of SHA-512, and the first attack on a round-reduced Skein hash

57


function [DKS11]. The concept of bicliques for block ciphers and biclique cryptanalysis forblock ciphers was introduced in [BKR11a, BKR11b], and a predecessor, the splice-and-cutframework applied to block ciphers is found in [WRG+11].

Here bicliques allow to get significant cryptanalytic results, including the first key recoveryfor all versions of the full AES faster than brute force.

Tables 9.1 and 9.2 summarize the results on key recovery for AES and preimage findingfor AES in hash modes.

Table 9.1: Biclique key recovery for AES [BKR11a,BKR11b]rounds data computations/succ.rate memory biclique length in rounds

AES-128 secret key recovery

8 2126.33 2124.97 2102 5

8 2127 2125.64 232 5

8 288 2125.34 28 3

10 288 2126.18 28 3


9 280 2188.8 28 4

12 280 2189.74 28 4


9 2120 2253.1 28 6

9 2120 2251.92 28 4

14 240 2254.42 28 4

Table 9.2: Biclique preimage search of AES in hash modes (compression function) [BKR11a,BKR11b]

rounds computations succ.rate memory biclique length in rounds

AES-128 compression function preimage, Miyaguchi-Preneel

10 2125.83 0.632 28 3

AES-192 compression function preimage, Davies-Meyer

12 2125.71 0.632 28 4

AES-256 compression function preimage, Davies-Meyer

14 2126.35 0.632 28 4

The concept of a biclique. A biclique (a complete bipartite graph) connects 2d pairsof intermediate states with 22d keys. This is the main source of computational advantage inthe key recovery — by constructing a biclique on 2d vertices only, one covers quadratically asmany keys 22d. d is called the dimension of the biclique.

A biclique is characterized by its length (number of rounds covered) and dimension d.The dimension is related to the cardinality of the biclique elements and is one of the factorsthat determines the advantage over brute force.

Bicliques from independent related-key differentials. Often the easiest way toconstruct a biclique in a cipher is to consider two related-key differentials holding with prob-ability one – one with forward key modification and one with backward key modification. Ifthose differentials are truncated, this can result in a higher dimensional biclique. The bicliquekey recovery for the full AES uses bicliques of dimension d = 8 constructed from truncated


related-key probability-one differentials in [BKR11a,BKR11b].Bicliques from interleaving related-key differentials. This is frequently a more

involving approach. It is also based on related-key differentials. However, they can interleave(that is, intersect in active nonlinear components such as S-boxes). The propagation inthose differentials can also be of probabilistic nature. This removes the constraint on thebiclique length natural for bicliques from independent related-key differentials. This imposesa limitation of the highest dimension of a biclique though. It is typical to have d = 1 in keyrecoveries on round-reduced AES in [BKR11a, BKR11b]. The construction of such bicliquescan follow the rebound strategy borrowed from the domain of hash functions.

Summarizing, the novel biclique meet-in-the-middle cryptanalysis on block ciphers intro-duced in [BKR11a, BKR11b] is a promising cryptanalytic technique that is essential to thesecurity evaluation of modern block ciphers. It is advisable to include an assessment of thebiclique cryptanalysis applicability into any new block cipher design, as e.g. done for therecently proposed PRINCE [BCG+12].


Chapter 10

Higher Order Differential Attackson Hash Functions

The significant advances in the field of hash function research that have been made in therecent years, had a formative influence on the landscape of hash functions. The analysisof MD5 and SHA-1 has convinced many cryptographers that these widely deployed hashfunctions can no longer be considered secure [WYY05, WY05]. As a consequence, peopleare evaluating alternative hash functions in the SHA-3 initiative organized by NIST [Nat07].During this ongoing evaluation, not only the three classical security requirements (preimageresistance, 2nd preimage resistance and collision resistance) are considered. Researchers lookat (semi-) free-start collisions, near-collisions, etc. Whenever a behavior different from theone expected of a ’random oracle’ can be demonstrated for a new hash function, it is con-sidered suspect, and so are the weaknesses that are demonstrated only for the compressionfunction. In this chapter, we will discuss two techniques based on higher order differentialcryptanalysis to show non-random properties in hash functions and/or their building blocks.First, we describe zero-sum structures as a new distinguishing property. To construct zero-sum structures one exploits either the fact that the permutation or its inverse after a certainnumber of rounds has a low degree, or some saturation properties due to a low diffusion.Second, we describe an application of the Boomerang attack to hash functions to construct a4-sum for the underlying permutation or compression function.

10.1 Zero-sum distinguishers

The existence of zero-sum structures is a new distinguishing property which has been intro-duced by Aumasson and Meier in [AM09], and previously used by Knudsen and Rijmen in theparticular context of known-key attacks against block ciphers [KR07]. For a given functionF , a zero-sum is a set of inputs which sum to zero, and whose images by F also sum to zero.Such zero-sum properties can be seen as a generalization of multiset properties (a.k.a. integralproperties) [DKR97,KW02]. Classical integral attacks for block ciphers include higher-orderdifferential attacks and saturation attacks. Similarly, zero-sum structures may exploit eitherthe fact that the permutation or its inverse after a certain number of rounds has a low degree,or some saturation properties due to a low diffusion. The first type of weakness arises fromthe nonlinear part of the function whereas the second type arises from its linear part.

The fact that the existence of some zero-sums can be considered as a distinguishing prop-

61


erty has been investigated in [KR07, BC10] for instance. In particular, it has been shownthat any function F from 0, 1n into 0, 1n has at least one zero-sum of size 5 [BC10,Prop.1]. Efficient generic algorithms for finding zero-sums include the general birthday algo-rithm [Wag02], and the XHASH attack [BM97,BDPA10,AKK+10] whose complexity mainlycorresponds to K evaluations of F , where K is the size of the zero-sum. There is a trivial casewhere zero-sums can be easily found: any affine subspace of dimension deg(F ) + 1 is a zero-sum for F , leading to a distinguishing property when deg(F ) ≤ n− 1 (resp. deg(F ) ≤ n− 2if F is a permutation).

In the case where F is a permutation over 0, 1n, the zero-sums corresponding to theaffine subspaces of dimension deg(F ) + 1 have an additional property: any coset of such azero-sum is still a zero-sum. This leads to a much stronger property, introduced in [BC10],named zero-sum partition: for a permutation over 0, 1n, a zero-sum partition of size 2k isa collection of 2n−k disjoint zero-sums of size 2k. A generic algorithm for finding a zero-sumpartition consists in iteratively applying the XHASH attack, but it has a high time complexity:for a randomly chosen permutation, the description of the zero-sums found by such a genericalgorithm requires the evaluation of the permutation at almost all points since the searchingtechnique is not deterministic. This makes a huge difference with zero-sum partitions comingfrom a structural property of the permutation, which can be described by means of someclose formula. It is also worth noticing that structural zero-sums can be used for proving thatsome given permutations do not satisfy the expected property, and this may only require theevaluation of the permutation on a few sets in the partition.

As previously mentioned, the algebraic degree of a permutation F provides some particu-lar zero-sums, which correspond to all affine subspaces of 0, 1n with dimension (deg(F )+1).The fact that the permutation used in a hash function does not depend on any secret parame-ter allows to exploit the previous property starting from the middle, i.e., from an intermediateinternal state. This property was used by Aumasson and Meier [AM09] and also by Knudsenand Rijmen in the case of a known-key property of a block cipher [KR07]. The only infor-mation needed for finding such zero-sums on the iterated permutation using this approachis an upper bound on the algebraic degrees of several iterations of the round transforma-tion (resp. of its inverse). The trivial upper bond on the degree of an iterated permutationhas been improved in the case where the nonlinear layer of the permutation correspondsto the parallel application of several smaller Sboxes [BCC11]. Another improvement canalso be derived when the inverse of the Sbox has a much smaller degree than the Sbox it-self [DL11, BC11]. Besides the degree of the round transformation, a second element can beexploited for constructing zero-sum partitions, similarly to the techniques used for mountingsaturation attacks [BC10]. All these results have led to zero-sum partitions for several SHA-3candidates, including Keccak, Luffa, Hamsi, and Grøstl.

10.2 Second-Order Differential Collisions (4-sums)

In the following, we will discuss the application of higher order differential attacks to hashfunctions based on the boomerang attack proposed by Wagner [Wag99] in the cryptanalysisof block ciphers. As opposed to the technique described in the previous section the attack isparticular suited for ARX-based constructions such as the MD4-family of hash functions andthe SHA-3 finalists Blake and Skein. The application of the boomerang attack to hash func-tions as a tool to show non-random properties in the underlying permutation or compression


function was independently proposed by Biryukov et al. in the analysis of Blake [BNR11] andLamberger and Mendel for SHA-256 [LM11]. Since then it has been applied to many otherhash function designs, e.g. HAVAL [Sas11], RIPEMD-128/160 [SW12], Skein [LR12], etc.

10.2.1 Basic Definitions and Preliminaries

Higher-order differentials have been introduced by Lai in [Lai94] and first applied to blockciphers by Knudsen in [Knu94]. The application to stream ciphers was proposed by Dinurand Shamir in [DS09] and Vielhaber in [Vie07]. First attempts to apply these strategies tohash functions were published in [ADMS09]. While a standard differential attack exploits thepropagation of the difference between a pair of inputs to the corresponding output differences,a higher-order differential attack exploits the propagation of the difference between differences.

In this section, we recall the basic definitions of Lai [Lai94] and Knudsen [Knu94] that wewill use in the subsequent sections.

Definition 10.2.1 Let (S,+) and (T,+) be abelian groups. For a function f : S → T , thederivative at a point a1 ∈ S is defined as

∆(a1)f(y) = f(y + a1)− f(y) . (10.1)

The i-th derivative of f at (a1, a2, . . . , ai) is then recursively defined as

∆(a1,...,ai)f(y) = ∆(ai)(∆(a1,...,ai−1)f(y)) . (10.2)

Definition 10.2.2 A one round differential of order i for a function f : S → T is an (i+ 1)-tuple (a1, a2, . . . , ai; b) such that

∆(a1,...,ai)f(y) = b . (10.3)

When applying differential cryptanalysis to a hash function, a collision for the hash func-tion corresponds to a pair of inputs with output difference zero. Similarly, when using higher-order differentials we define a higher-order differential collision for a function as follows.

Definition 10.2.3 An i-th-order differential collision for f : S → T is an i-tuple (a1, a2, . . . , ai)together with a value y such that

∆(a1,...,ai)f(y) = 0 . (10.4)

Note that the common definition of a collision for hash functions corresponds to a higher-orderdifferential collision of order i = 1.

In this work, we concentrate on second-order differential collisions, i.e. i = 2:

f(y)− f(y + a2) + f(y + a1 + a2)− f(y + a1) = 0 (10.5)

Further we assume that we have oracle access to a function f : S → T and measure thecomplexity in the number of queries to f , i.e. query complexity, while ignoring all othercomputations, memory accesses, etc. Additionally, we will restrict ourselves to functions fmapping to groups (T,+) with |T | = 2n which are endowed with an additive operation.

We now want to lower bound the query complexity of producing a non-trivial differentialcollision of order 2.


Theorem 10.2.1 For a function f : S → T with |T | = 2n, the query complexity for producinga non-trivial differential collision of order 2 is Ω(2n/3).

For the proof of Theorem 10.2.1 we refer to [BLMN11].However, we want to note that the actual complexity might be much higher in practice

than this bound for the query complexity. We are not aware of any algorithm faster than2n/2

10.2.2 Application to Block-Cipher-Based Hash Functions

A well known construction to turn a block cipher into a compression function is the Davies-Meyer construction. The compression function call to produce the i-th chaining value xi fromthe i-th message block and the previous chaining value xi−1 has the form:

xi = E(mi, xi−1) + xi−1 (10.6)

When attacking block-cipher-based hash functions, the key is not a secret parameter so forthe sake of readability, we will slightly restate the compression function computation (10.6)where we consider an input variable y = (k||x) ∈ 0, 1k+n so that a call to the block ciphercan be written as E(y). Then, the Davis-Meyer compression function looks like:

f(y) = E(y) + τn(y), (10.7)

where τn(y) represents the n least significant bits of y.In an analogous manner, we can also write down the compression functions for the Matyas-

Meyer-Oseas and the Miyaguchi-Preneel mode which are all covered by the following propo-sition.

Proposition 10.2.1 For any block-cipher-based compression function which can be writtenin the form

f(y) = E(y) + L(y), (10.8)

where L is a linear function with respect to +, an i-th-order differential collision for the blockcipher transfers to an i-th-order collision for the compression function for i ≥ 2.

For the proof of Proposition 10.2.1, we refer to [BLMN11].Hence, if we want to construct a second order collision for the compression function f

it is sufficient to construct a second-order collision for the block cipher. The main idea ofthe attack is now to use two independent high probability differential characteristics – one inforward and one in backward direction – to construct a second-order differential collision forthe block cipher E and hence due to Proposition 10.2.1, for the compression function.

Therefore, the underlying block cipher E is split into two subparts, E = E1 E0. Fur-thermore, assume we are given two differentials for the two subparts, where one holds inthe forward direction and one in the backward direction and we assume that both have highprobability. This part of the strategy has been already applied in other cryptanalytic at-tacks [Wag99, BDK01, BDK05, KKS00]. We also want to stress, that due to our definitionabove, the following differentials are actually related-key differentials. We have

E−10 (y + β)− E−10 (y) = α (10.9)


andE1(y + γ)− E1(y) = δ (10.10)

where the differential in E−10 holds with probability p0 and in E1 holds with probability p1.Using these two differentials, we can now construct a second-order differential collision forthe block cipher E. This can be summarized as follows.

1. Choose a random value for X and compute X∗ = X+β, Y = X+γ, and Y ∗ = X∗+γ.

2. Compute backward from X,X∗, Y, Y ∗ using E−10 to obtain P, P ∗, Q,Q∗.

3. Compute forward from X,X∗, Y, Y ∗ using E1 to obtain C,C∗, D,D∗.

4. Check if P ∗ − P = Q∗ −Q and D − C = D∗ − C∗ is fulfilled.

Due to (10.9) and (10.10),

P ∗ − P = Q∗ −Q = α, resp. D − C = D∗ − C∗ = δ, (10.11)

will hold with probability at least p20 in the backward direction, resp. p21 in the forwarddirection. Hence, assuming that the differentials are independent the attack succeeds with aprobability of p20 · p21. It has to be noted that this independence assumption is quite strong,cf. [Mur11]. However, if this assumption holds, the expected number of solutions to (10.11) is1, if we repeat the attack about 1/(p20 ·p21) times. As mentioned before, in our case, there is nosecret key involved, so message modification and similar techniques can be used to improvethis complexity (cf. [LM11]).

The crucial point now is that such a solution constitutes a second-order differential collisionfor the block cipher E. We can restate (10.11) as

Q∗ −Q− P ∗ + P = 0 (10.12)

E(Q∗)− E(P ∗)− E(Q) + E(P ) = 0 (10.13)

If we set α := a1 and the difference Q− P := a2 we can rewrite (10.13) as

E(P + a1 + a2)− E(P + a1)− E(P + a2) + E(P ) = 0, (10.14)

that is, we have found a second-order differential collision for the block cipher E. Because ofProposition 10.2.1 the same statement is true for the compression function. We want to notethat the attack is applicable in a similar way to permutation based designs.


Bibliography

[AccM+09] Jean-Philippe Aumasson, Cagdas Calik, Willi Meier, Onur Ozen, Raphael C.-W.Phan, and Kerem Varıcı. Improved Cryptanalysis of Skein. In Mitsuru Matsui,editor, ASIACRYPT, volume 5912 of LNCS, pages 542–559. Springer, 2009.

[ADH+] Jean-Philippe Aumasson, Itai Dinur, Luca Henzen, Willi Meier, and Adi Shamir.Efficient FPGA implementation of high-dimensional cube testers on the streamcipher Grain-128. SHARCS 2009, Online at http://eprint.iacr.org/2009/218.

[ADMS09] Jean-Philippe Aumasson, Itai Dinur, Willi Meier, and Adi Shamir. Cube Testersand Key Recovery Attacks on Reduced-Round MD6 and Trivium. In FSE, pages1–22, 2009.

[AGM+09] Kazumaro Aoki, Jian Guo, Krysitan Matusiewicz, Yu Sasaki, and Lei Wang.Preimages for Step-Reduced SHA-2. In Matsui [Mat09], pages 578–597.

[AHMP08] Jean-Philippe Aumasson, Luca Henzen, Willi Meier, and Raphael C.-W. Phan.SHA-3 proposal BLAKE. Submission to the NIST SHA-3 Competition (Round2), 2008. http://131002.net/blake/blake.pdf.

[AK+08] Jean-Philippe Aumasson, Simon Fischer 0002, Shahram Khazaei, Willi Meier,and Christian Rechberger. New Features of Latin Dances: Analysis of Salsa,ChaCha, and Rumba. In Nyberg [Nyb08], pages 470–488.

[AKK+03] Noga Alon, Tali Kaufman, Michael Krivelevich, Simon Litsyn, and Dana Ron.Testing Low-Degree Polynomials over GF(2). In Sanjeev Arora, Klaus Jansen,Jose D. P. Rolim, and Amit Sahai, editors, RANDOM-APPROX, volume 2764of Lecture Notes in Computer Science, pages 188–199. Springer, 2003.

[AKK+10] J.-P. Aumasson, E. Kasper, L.R. Knudsen, K. Matusiewicz, R. Ødegard,T. Peyrin, and M. Schlaffer. Distinguishers for the compression function andoutput transformation of Hamsi-256. In Information Security and Privacy -ACISP 2010, volume 6168 of Lecture Notes in Computer Science, pages 87–103.Springer, 2010.

[AM] Jean-Philippe Aumasson and Willi Meier. Zero-sum distinguishers for re-duced Keccak-f and for the core functions of Luffa and Hamsi. Online athttp://www.131002.net/papers.html.

[AM09] J.-P. Aumasson and W. Meier. Zero-sum distinguishers for reduced Keccak-fand for the core functions of Luffa and Hamsi. Presented at the rump session ofCryptographic Hardware and Embedded Systems - CHES 2009, 2009.

67


[AMS+ar] Z. Ahmadian, J. Mohajeri, M. Salmasizadeh, R. Hakala, and K. Nyberg. Apractical distinguisher for the Shannon cipher. Journal of Systems and Software,to appear.

[AS08] Kazumaro Aoki and Yu Sasaki. Preimage attacks on one-block MD4, 63-stepMD5 and more. In SAC 2008, volume 5381 of LNCS, pages 103–119. Springer-Verlag, 2008.

[AS09] Kazumaro Aoki and Yu Sasaki. Meet-in-the-middle preimage attacks againstreduced SHA-0 and SHA-1. In Shai Halevi, editor, Advances in Cryptology— CRYPTO 2009, volume 5677 of Lecture Notes in Computer Science, pages70–89, Berlin, Heidelberg, New York, 2009. Springer-Verlag.

[BAB93] Ishai Ben-Aroya and Eli Biham. Differential Cryptanalysis of Lucifer. In Dou-glas R. Stinson, editor, CRYPTO, volume 773 of Lecture Notes in ComputerScience, pages 187–199. Springer, 1993.

[Bab95] Steve Babbage. A space/time tradeoff in exhaustive search attacks on streamciphers. European Convention on Security and Detection, 408, 1995.

[BC10] C. Boura and A. Canteaut. Zero-sum distinguishers for iterated permutationsand application to Keccak-f and Hamsi-256. In Selected Areas in Cryptography- SAC 2010, volume 6544 of Lecture Notes in Computer Science, pages 1–17.Springer, 2010.

[BC11] Christina Boura and Anne Canteaut. On the influence of the algebraic degree off1 on the algebraic degree of gf . Cryptology ePrint Archive, Report 2011/503,2011. http://eprint.iacr.org/.

[BCC11] Christina Boura, Anne Canteaut, and Christophe De Canniere. Higher-OrderDifferential Properties of Keccak and luffa. In Joux [Jou11], pages 252–269.

[BCD03] Alex Biryukov, Christophe De Canniere, and Gustaf Dellkrantz. Cryptanalysisof SAFER++. In Crypto 2003, volume 2729 of LNCS, pages 195–211. Springer-Verlag, 2003.

[BCG+12] Julia Borghoff, Anne Canteaut, Tim Guneysu, Elif Bilge Kavun, MiroslavKnezevic, Lars R. Knudsen, Gregor Leander, Ventzislav Nikov, Christof Paar,Christian Rechberger, Peter Rombouts, Søren S. Thomsen, and Tolga Yalcin.Prince - a low-latency block cipher for pervasive computing applications - ex-tended abstract. In Xiaoyun Wang and Kazue Sako, editors, ASIACRYPT,volume 7658 of Lecture Notes in Computer Science, pages 208–225. Springer,2012.

[BCJ+05] Eli Biham, Rafi Chen, Antoine Joux, Patrick Carribault, Christophe Lemuet,and William Jalby. Collisions of SHA-0 and reduced SHA-1. In Ronald Cramer,editor, EUROCRYPT 2005, volume 3494 of LNCS, pages 36–57. Springer-Verlag, 2005.

[BCQ04] A. Biryukov, C. De Canniere, and M. Quisquater. On multiple linear approxi-mations. In M.K. Franklin, editor, CRYPTO’04, volume 3152 of Lecture Notesin Computer Science, pages 1–22. Springer, 2004.


[BDK01] Eli Biham, Orr Dunkelman, and Nathan Keller. The Rectangle Attack - Rect-angling the Serpent. In Birgit Pfitzmann, editor, EUROCRYPT, volume 2045of LNCS, pages 340–357. Springer, 2001.

[BDK02] E. Biham, O. Dunkelman, and N. Keller. Enhancing differential-linear crypt-analysis. In Y. Zheng, editor, ASIACRYPT’02, volume 2501 of Lecture Notesin Computer Science, pages 254–266. Springer, 2002.

[BDK05] Eli Biham, Orr Dunkelman, and Nathan Keller. Related-Key Boomerang andRectangle Attacks. In Ronald Cramer, editor, EUROCRYPT, volume 3494 ofLNCS, pages 507–525. Springer, 2005.

[BDK+10a] Alex Biryukov, Orr Dunkelman, Nathan Keller, Dmitry Khovratovich, and AdiShamir. Key recovery attacks of practical complexity on AES-256 variants withup to 10 rounds. In EUROCRYPT’10, volume 6110 of LNCS, pages 299–319.Springer-Verlag, 2010.

[BDK+10b] Alex Biryukov, Orr Dunkelman, Nathan Keller, Dmitry Khovratovich, and AdiShamir. Related-key cryptanalysis of the full aes-192 and aes-256. In HenriGilbert, editor, EUROCRYPT 2010, volume 6110 of LNCS, pages 299–319.Springer-Verlag, 2010.

[BDPA10] G. Bertoni, J. Daemen, M. Peeters, and G. Van Assche. Note on zero-sumdistinguishers of Keccak-f . Public comment on the NIST Hash competition,available at http://keccak.noekeon.org/NoteZeroSum.pdf, 2010.

[Ber05] Dan J. Bernstein. Understanding brute force. In Workshop on Symmetric KeyEncryption (SKEW 2005), 2005.

[Ber08] Daniel J. Bernstein. The Salsa20 Family of Stream Ciphers. In Matthew J. B.Robshaw and Olivier Billet, editors, The eSTREAM Finalists, volume 4986 ofLNCS, pages 84–97. Springer, 2008.

[BGM06] C. Berbain, H. Gilbert, and A. Maximov. Cryptanalysis of grain. In M.J.B.Robshaw, editor, FSE’06, volume 4047 of Lecture Notes in Computer Science,pages 15–29. Springer, 2006.

[Bih94] Eli Biham. New Types of Cryptanalytic Attacks Using Related Keys. J. Cryp-tology, 7(4):229–246, 1994.

[Bih02] Eli Biham. How to decrypt or even substitute des-encrypted messages in 228steps. Information Processing Letters, 84(3):117–124, 2002.

[Bih08] Eli Biham. New Techniques for Cryptanalysis of Hash Functions and ImprovedAttacks on Snefru. In Nyberg [Nyb08], pages 444–461.

[BJV04] T. Baigneres, P. Junod, and S. Vaudenay. How far can we go beyond linearcryptanalysis? In P.L. Lee, editor, ASIACRYPT’04, volume 3329 of LectureNotes in Computer Science, pages 432–450. Springer, 2004.


[BK03] Mihir Bellare and Tadayoshi Kohno. A theoretical treatment of related-keyattacks: Rka-prps, rka-prfs, and applications. In EUROCRYPT 2003, volume2656 of LNCS, pages 491–506. Springer-Verlag, 2003.

[BKN09] Alex Biryukov, Dmitry Khovratovich, and Ivica Nikolic. Distinguisher andRelated-Key Attack on the Full AES-256. In Shai Halevi, editor, CRYPTO,volume 5677 of LNCS, pages 231–249. Springer, 2009.

[BKR11a] Andrey Bogdanov, Dmitry Khovratovich, and Christian Rechberger. Bicliquecryptanalysis of the full aes. In Dong Hoon Lee and Xiaoyun Wang, editors, ASI-ACRYPT 2011, volume 7073 of LNCS, pages 344–371. Springer-Verlag, 2011.

[BKR11b] Andrey Bogdanov, Dmitry Khovratovich, and Christian Rechberger. Bicliquecryptanalysis of the full aes. Cryptology ePrint Archive: Report 2011/449, 2011.

[BLMN11] Alex Biryukov, Mario Lamberger, Florian Mendel, and Ivica Nikolic. Second-Order Differential Collisions for Reduced SHA-256. In Dong Hoon Lee andXiaoyun Wang, editors, ASIACRYPT, volume 7073 of LNCS, pages 270–287.Springer, 2011.

[BLNW12] Andrey Bogdanov, Gregor Leander, Kaisa Nyberg, and Meiqin Wang. Integraland Multidimensional Linear Distinguishers with Correlation Zero. In ASI-ACRYPT 2012, volume 7658 of LNCS, pages 244–261, Berlin, 2012. Springer-Verlag.

[BLR90] Manuel Blum, Michael Luby, and Ronitt Rubinfeld. Self-Testing/Correctingwith Applications to Numerical Problems. In STOC, pages 73–83. ACM, 1990.

[BM97] M. Bellare and D. Micciancio. A new paradigm for collision-free hashing: In-crementality at reduced cost. In Advances in Cryptology - EUROCRYPT’97,volume 1233 of Lecture Notes in Computer Science, pages 163–192. Springer,1997.

[BMS06] Alex Biryukov, Sourav Mukhopadhyay, and Palash Sarkar. Improved time-memory trade-offs with multiple data. In Selected Areas in Cryptography (SAC2005), volume 3897 of LNCS, pages 110–127. Springer-Verlag, 2006.

[BN10] Alex Biryukov and Ivica Nikolic. Automatic search for related-key differen-tial characteristics in byte-oriented block ciphers: Application to aes, camellia,khazad and others. In Henri Gilbert, editor, EUROCRYPT 2010, volume 5677of LNCS, pages 322–344. Springer-Verlag, 2010.

[BNR11] Alex Biryukov, Ivica Nikolic, and Arnab Roy. Boomerang Attacks on BLAKE-32. In Antoine Joux, editor, FSE, volume 6733 of LNCS, pages 218–237.Springer, 2011.

[BR00] Paulo S. L. M. Barreto and Vincent Rijmen. The Whirlpool Hashing Func-tion. Submitted to NESSIE, September 2000, revised May 2003, 2000. Avail-able online: http://paginas.terra.com.br/informatica/paulobarreto/

WhirlpoolPage.html.


[BR10] Andrey Bogdanov and Christian Rechberger. A 3-subset meet-in-the-middleattack: Cryptanalysis of the lightweight block cipher ktantan. In A. Biryukov,G. Gong, and D. Stinson, editors, SAC 2010, volume 6544 of LNCS, pages229–240. Springer-Verlag, 2010.

[BR12] Andrey Bogdanov and Vincent Rijmen. Linear Hulls with Correlation Zero andLinear Cryptanalysis of Block Ciphers, 2012. Accepted, in press.

[BS91] Eli Biham and Adi Shamir. Differential cryptanalysis of des-like cryptosystems.J. Cryptology, 4(1):3–72, 1991.

[BS00] Alex Biryukov and Adi Shamir. Cryptanalytic time/memory/data tradeoffsfor stream ciphers. In ASIACRYPT 2000, volume 1976 of LNCS, pages 1–13.Springer-Verlag, 2000.

[BW12] Andrey Bogdanov and Meiqin Wang. Zero Correlation Linear Cryptanalysiswith Reduced Data Complexity. In FSE 2012, volume 7549 of LNCS, pages29–48, Berlin, 2012. Springer-Verlag.

[CBF11] Patrick Derbez Charles Bouillaguet and Pierre-Alain Fouque. Automatic searchof attacks on round-reduced aes and applications. In Henri Gilbert, editor,CRYPTO 2011, volume 2442 of LNCS, pages 169–187. Springer-Verlag, 2011.

[CE85] David Chaum and Jan-Hendrik Evertse. Crytanalysis of des with a reducednumber of rounds: Sequences of linear factors in block ciphers. In H. C. Williams,editor, CRYPTO 1985, volume 218 of LNCS, pages 192–211. Springer-Verlag,1985.

[Cho10] J.Y. Cho. Linear cryptanalysis of reduced-round PRESENT. In J. Pieprzyk,editor, CT-RSA’10, volume 5985 of Lecture Notes in Computer Science, pages302–317. Springer, 2010.

[CHar] J.Y. Cho and M. Hermelin. Improved linear cryptanalysis of SOSEMANUK. InICISC’09, Lecture Notes in Computer Science. Springer, to appear.

[CJ98] Florent Chabaud and Antoine Joux. Differential collisions in SHA-0. InH. Krawczyk, editor, CRYPTO 1998, volume 1462 of LNCS, pages 56–71.Springer-Verlag, 1998.

[CP07] J.Y. Cho and J. Pieprzyk. An improved distinguisher for dragon. eSTREAMECRYPT Stream Cipher Project, report 2007/002, 2007.

[CSQ07] B. Collard, F.-X. Standaert, and J.-J. Quisquater. Improving the time com-plexity of Matsui’s linear cryptanalysis. In K.-H. Nam and G. Rhee, editors,ICISC’07, volume 4817 of Lecture Notes in Computer Science, pages 77–88.Springer, 2007.

[CSQ08] B. Collard, F.-X. Standaert, and J.-J. Quisquater. Experiments on the multiplelinear cryptanalysis of reduced round serpent. In K. Nyberg, editor, FSE’08,volume 5086 of Lecture Notes in Computer Science, pages 382–397. Springer,2008.


[DDK09] Christophe De Canniere, Orr Dunkelman, and Miroslav Knezevic. KATANand KTANTAN - A Family of Small and Efficient Hardware-Oriented BlockCiphers. In Christophe Clavier and Kris Gaj, editors, CHES, volume 5747 ofLNCS, pages 272–288. Springer, 2009.

[DDKS12] Itai Dinur, Orr Dunkelman, Nathan Keller, and Adi Shamir. Efficient dissectionof composite problems, with applications to cryptanalysis, knapsacks, and com-binatorial search problems. In Reihaneh Safavi-Naini and Ran Canetti, editors,CRYPTO, volume 7417 of Lecture Notes in Computer Science, pages 719–740.Springer, 2012.

[De 06] Christophe De Canniere. Trivium: A Stream Cipher Construction Inspired byBlock Cipher Design Principles. In Sokratis K. Katsikas, Javier Lopez, MichaelBackes, Stefanos Gritzalis, and Bart Preneel, editors, ISC, volume 4176 of LNCS,pages 171–186. Springer, 2006.

[DGP+11] Itai Dinur, Tim Guneysu, Christof Paar, Adi Shamir, and Ralf Zimmermann.An Experimentally Verified Attack on Full Grain-128 Using Dedicated Recon-figurable Hardware. IACR Cryptology ePrint Archive, 2011:282, 2011.

[DGV94] J. Daemen, R. Govaerts, and J. Vandewalle. Resynchronization weaknesses insynchronous stream ciphers. In Eurocrypt 1993, volume 765 of LNCS, pages159–167. Springer-Verlag, 1994.

[DK08] O. Dunkeman and N. Keller. A new attack on the lex stream cipher. In Asi-acrypt 2008, volume 5350 of Lecture Notes in Computer Science, pages 539–556.Springer-Verlag, 2008.

[DK10] Orr Dunkelman and Nathan Keller. The effects of the omission of last round’smixcolumns on aes. Inf. Process. Lett., 110(8-9):304–308, 2010.

[DKR97] J. Daemen, L.R. Knudsen, and V. Rijmen. The block cipher Square. In FastSoftware Encryption - FSE’97, volume 1267 of Lecture Notes in Computer Sci-ence, pages 149–165. Springer-Verlag, 1997.

[DKS] Orr Dunkelman, Nathan Keller, and Adi Shamir. A practical-time attack on theA5/3 cryptosystem used in third generation GSM telephony. Technical report,http://eprint.iacr.org/2010/013.pdf, YEAR = 2010,.

[DKS11] Christian Rechberger Dmitry Khovratovich and Alexandra Savelieva. Bicliquesfor preimages: attacks on Skein-512 and the SHA-2 family. Cryptology ePrintArchive: Report 2011/286, 2011.

[DL11] M. Duan and X. Lai. Improved zero-sum distinguisher for full round Keccak-fpermutation. IACR ePrint Report 2011/023, January 2011. http://eprint.

iacr.org/2011/023.

[DMR07] Christophe De Canniere, Florian Mendel, and Christian Rechberger. Collisionsfor 70-step sha-1: On the full cost of collision search. In Carlisle M. Adams, AliMiri, and Michael J. Wiener, editors, Selected Areas in Cryptography, volume4876 of Lecture Notes in Computer Science, pages 56–73. Springer, 2007.


[DR02] Joan Daemen and Vincent Rijmen. The Design of Rijndael: AES - The AdvancedEncryption Standard. Springer, 2002.

[DR06] Christophe De Canniere and Christian Rechberger. Finding SHA-1 Character-istics: General Results and Applications. In Xuejia Lai and Kefei Chen, editors,ASIACRYPT, volume 4284 of Lecture Notes in Computer Science, pages 1–20.Springer, 2006.

[DR08] Christophe De Canniere and Christian Rechberger. Preimages for Reduced SHA-0 and SHA-1. In Wagner [Wag08], pages 179–202.

[DS08] Huseyin Demirci and Ali Aydin Selcuk. A meet-in-the-middle attack on 8-roundAES. In Kaisa Nyberg, editor, FSE 2008, volume 5086 of LNCS, pages 116–126.Springer-Verlag, 2008.

[DS09] Itai Dinur and Adi Shamir. Cube Attacks on Tweakable Black Box Polynomi-als. In Antoine Joux, editor, EUROCRYPT, volume 5479 of Lecture Notes inComputer Science, pages 278–299. Springer, 2009.

[DS11] Itai Dinur and Adi Shamir. Breaking Grain-128 with Dynamic Cube Attacks. InAntoine Joux, editor, FSE, volume 6733 of Lecture Notes in Computer Science,pages 167–187. Springer, 2011.

[EH07] Nevine Maurice Ebeid and M. Anwar Hasan. On Binary Signed Digit Repre-sentations of Integers. Des. Codes Cryptography, 42(1):43–65, 2007.

[EHJ] A note on distinguishing attacks. IEEE 2007.

[EJT07] Hakan Englund, Thomas Johansson, and Meltem Sonmez Turan. A Frameworkfor Chosen IV Statistical Analysis of Stream Ciphers. In K. Srinathan, C. PanduRangan, and Moti Yung, editors, INDOCRYPT, volume 4859 of LNCS, pages268–281. Springer, 2007.

[EM05] H. Englund and A. Maximov. Attack the Dragon. In S. Maitra, C.E. Veni Mad-havan, and R. Venkatesan, editors, INDOCRYPT’05, volume 3797 of LectureNotes in Computer Science, pages 130–142. Springer, 2005.

[Fil02] Eric Filiol. A New Statistical Testing for Symmetric Ciphers and Hash Func-tions. In Robert H. Deng, Sihan Qing, Feng Bao, and Jianying Zhou, editors,ICICS, volume 2513 of LNCS, pages 342–353. Springer, 2002.

[FIP99] PUB FIPS. 46-3: Data Encryption Standard (DES). National Institute forStandards and Technology, Gaithersburg, MD, USA, 1999.

[FKM08] Simon Fischer, Shahram Khazaei, and Willi Meier. Chosen IV statistical anal-ysis for key recovery attacks on stream ciphers. In Serge Vaudenay, editor,AFRICACRYPT, volume 5023 of LNCS, pages 236–245. Springer, 2008.

[FLS+09] Niels Ferguson, Stefan Lucks, Bruce Schneier, Doug Whiting, Mihir Bellare,Tadayoshi Kohno, Jon Callas, and Jesse Walker. The Skein Hash FunctionFamily. Submission to the NIST SHA-3 Competition (Round 2), 2009. http:

//www.skein-hash.info/sites/default/files/skein1.2.pdf.


[FM00] S. Fluhrer and D. McGrew. Statistical analysis of the alleged rc4 keystream.In Fast Software Encryption 2000, volume 1978 of Lecture Notes in ComputerScience. Springer-Verlag, 2000.

[GA11] E.A. Grechnikov and A.V. Adinetz. Collision for 75-step SHA-1: IntensiveParallelization with GPU. Cryptology ePrint Archive, Report 2011/641, 2011.http://eprint.iacr.org/.

[GKM+08] Praveen Gauravaram, Lars R. Knudsen, Krystian Matusiewicz, Florian Mendel,Christian Rechberger, Martin Schlaffer, and Søren S. Thomsen. Grstl – a SHA-3candidate. Submission to NIST, 2008. Available online: http://groestl.info.

[GLRW10] Jian Guo, San Ling, Christian Rechberger, and Huaxiong Wang. AdvancedMeet-in-the-Middle Preimage Attacks: First Results on Full Tiger, and Im-proved Results on MD4 and SHA-2. Cryptology ePrint Archive, Report2010/016, 2010. http://eprint.iacr.org/.

[Gol97] Jovan Dj. Golic. Cryptanalysis of alleged a5 stream cipher. In EUROCRYPT,volume 1233 of LNCS. Springer-Verlag, 1997.

[GP10] Henri Gilbert and Thomas Peyrin. Super-sbox cryptanalysis: Improved attacksfor aes-like permutations. In Seokhie Hong and Tetsu Iwata, editors, FSE,volume 6147 of Lecture Notes in Computer Science, pages 365–383. Springer,2010.

[HCN08] M. Hermelin, J.Y. Cho, and K. Nyberg. Multidimensional linear cryptanalysis ofreduced round Serpent. In Y. Mu, W. Susilo, and J. Seberry, editors, ACISP’08,volume 5107 of Lecture Notes in Computer Science, pages 203–215. Springer,2008.

[HCN09a] M. Hermelin, J.Y. Cho, and K. Nyberg. Multidimensional extension of Matsui’sAlgorithm 2. In O. Dunkelman, editor, FSE’09, volume 5665 of Lecture Notesin Computer Science, pages 209–227. Springer, 2009.

[HCN09b] M. Hermelin, J.Y. Cho, and K. Nyberg. Statistical tests for key recoveryusing multidimensional extension of Matsui’s Algorithm 1. EUROCRYPT’09POSTERSESSION, 2009.

[HDB09] Mustafa Coban Huseyin Demirci, Ihsan Taskin and Adnan Baysal. Improvedmeet-in-the-middle attacks on aes. In Bimal K. Roy and Nicolas Sendrier, edi-tors, INDOCRYPT 2009, volume 5922 of LNCS, pages 144–156. Springer-Verlag,2009.

[Hel80] Martin Hellman. A cryptanalytic time-memory trade-off. IEEE Transactionson Information Theory, 26:401–406, 1980.

[HJ06] M. Hell and T. Johansson. Cryptanalysis of achterbahn-version 2. eSTREAMECRYPT Stream Cipher Project, report 2006/042, 2006.

[HJM07] Martin Hell, Thomas Johansson, and Willi Meier. Grain: A Stream Cipher forConstrained Environments. IJWMC, 2(1):86–93, 2007.


[HJMM06] Martin Hell, Thomas Johansson, Alexander Maximov, and Willi Meier. AStream Cipher Proposal: Grain-128. In ISIT, pages 1614–1618, 2006.

[HN08] M. Hermelin and K. Nyberg. Multidimensional linear distinguishing attacksand boolean functions. In BFCA’08, 2008. Proceedings available on-linehttp://www.liafa.jussieu.fr/bfca.

[HN09] R. Hakala and K. Nyberg. A multidimensional linear distinguishing attack onthe Shannon cipher. International Journal of Applied Cryptography, 1(3):161–168, 2009.

[HN10] M. Hermelin and K. Nyberg. Dependent linear approximations - the algorithmof Biryukov and others revisited. In J. Pieprzyk, editor, CT-RSA’10, volume5985 of Lecture Notes in Computer Science, pages 318–333. Springer, 2010.

[HNR68] Peter E. Hart, Nils J. Nilsson, and Bertram Raphael. A formal basis for theheuristic determination of minimum cost paths. IEEE Transactions On SystemsScience And Cybernetics, 4(2):100–107, July 1968.

[HRW07] Marko Holbl, Christian Rechberger, and Tatjana Welzer. Searching for messagesconforming to arbitrary sets of conditions in sha-256. In Stefan Lucks, Ahmad-Reza Sadeghi, and Christopher Wolf, editors, WEWoRC, volume 4945 of LectureNotes in Computer Science, pages 28–38. Springer, 2007.

[HS05] Jin Hong and Palash Sarkar. New applications of time memory data tradeoffs.In ASIACRYPT 2005, volume 3788 of LNCS, pages 353–372. Springer-Verlag,2005.

[IMPR08] Sebastiaan Indesteege, Florian Mendel, Bart Preneel, and Christian Rech-berger. Collisions and other non-random properties for step-reduced sha-256. InRoberto Maria Avanzi, Liam Keliher, and Francesco Sica, editors, Selected Ar-eas in Cryptography, volume 5381 of Lecture Notes in Computer Science, pages276–293. Springer, 2008.

[IOKM06] T. Isobe, T. Ohigashi, H. Kuwakado, and M. Morii. How to break py and pypyby a chosen-iv attack. eSTREAM, ECRYPT Stream Cipher Project, report2006/060, 2006.

[IS09] Takanori Isobe and Kyoji Shibutani. Preimage attacks on reduced Tiger andSHA-2. In Fast Software Encryption — 16th International Workshop, FSE 2009,pages 139–155, 2009.

[Iso11] Takanori Isobe. A single-key attack on the full gost block cipher. In AntoineJoux, editor, FSE 2011, volume 6733 of LNCS, pages 290–305. Springer-Verlag,2011.

[JGW] Christian Rechberger Jian Guo, San Ling and Huaxiong Wang. Advanced meet-in-the-middle preimage attacks: First results on full tiger, and improved resultson md4 and sha-2. In ASIACRYPT 2010, YEAR = 2010, editor = M. Abe,volume = 6477, pages = 56–75, series = LNCS, publisher = Springer-Verlag,.


[JM03] T. Johansson and A. Maximov. A linear distinguishing attack on Scream. InIEEE International Symposium on Information Theory, ISIT 2003, page 164,2003.

[Jou11] Antoine Joux, editor. Fast Software Encryption - 18th International Workshop,FSE 2011, Lyngby, Denmark, February 13-16, 2011, Revised Selected Papers,volume 6733 of Lecture Notes in Computer Science. Springer, 2011.

[JR07] A. Joux and J.-R. Reinhard. Overtaking vest. eSTREAM, ECRYPT StreamCipher Project, report 2007/021, 2007.

[Jun01] P. Junod. On the complexity of Matsui’s attack. In S. Vaudenay and A.M.Youssef, editors, SAC’01, volume 2259 of Lecture Notes in Computer Science,pages 199–211. Springer, 2001.

[JV03] P. Junod and S. Vaudenay. Optimal key ranking procedures in a statisticalcryptanalysis. In T. Johansson, editor, FSE’03, volume 2887 of Lecture Notesin Computer Science, pages 235–246. Springer, 2003.

[KBN09] Dmitry Khovratovich, Alex Biryukov, and Ivica Nikolic. Speeding up CollisionSearch for Byte-Oriented Hash Functions. In CT-RSA, pages 164–181, 2009.

[Kel03] L. Keliher. Linear cryptanalysis of substitution-permutation networks. PhDthesis, School of Computing, Queen’s University, Kingston, Ontario, Canada,2003.

[KKS00] John Kelsey, Tadayoshi Kohno, and Bruce Schneier. Amplified Boomerang At-tacks Against Reduced-Round MARS and Serpent. In Bruce Schneier, editor,FSE, volume 1978 of LNCS, pages 75–93. Springer, 2000.

[KLR12] Dmitry Khovratovich, Gaetan Leurent, and Christian Rechberger. Narrow-bicliques: Cryptanalysis of full idea. In David Pointcheval and Thomas Jo-hansson, editors, EUROCRYPT, volume 7237 of Lecture Notes in ComputerScience, pages 392–410. Springer, 2012.

[KM01] L.R. Knudsen and J.E. Mathiassen. A chosen-plaintext linear attack on DES. InB. Schneier, editor, FSE’00, volume 1978 of Lecture Notes in Computer Science,pages 262–272. Springer, 2001.

[KM05] Lars R. Knudsen and John Erik Mathiassen. Preimage and Collision Attackson MD2. In Henri Gilbert and Helena Handschuh, editors, FSE, volume 3557of LNCS, pages 255–267. Springer, 2005.

[KM08] Shahram Khazaei and Willi Meier. New directions in cryptanalysis of self-synchronizing stream ciphers. In Dipanwita Roy Chowdhury, Vincent Rijmen,and Abhijit Das, editors, INDOCRYPT, volume 5365 of LNCS, pages 15–26.Springer, 2008.

[KMMT10] Lars R. Knudsen, John Erik Mathiassen, Frederic Muller, and Søren S. Thomsen.Cryptanalysis of MD2. J. Cryptology, 23(1):72–90, 2010.


[KMNP10] Simon Knellwolf, Willi Meier, and Marıa Naya-Plasencia. Conditional Differen-tial Cryptanalysis of NLFSR-Based Cryptosystems. In Masayuki Abe, editor,ASIACRYPT, volume 6477 of Lecture Notes in Computer Science, pages 130–145. Springer, 2010.

[KMNP11] Simon Knellwolf, Willi Meier, and Marıa Naya-Plasencia. Conditional Differen-tial Cryptanalysis of Trivium and KATAN. In Ali Miri and Serge Vaudenay,editors, Selected Areas in Cryptography, 2011.

[KMT09] Lars R. Knudsen, Krystian Matusiewicz, and Søren S. Thomsen. Observationson the Shabal keyed permutation. Official Comment to the NIST SHA-3 Com-petition, 2009. http://www.mat.dtu.dk/people/S.Thomsen/shabal/shabal.pdf.

[KN10] Dmitry Khovratovich and Ivica Nikolic. Rotational Cryptanalysis of ARX. FastSoftware Encryption, 11th International Workshop, FSE 2010, Seoul, Korea,2010.

[KNR10] Dmitry Khovratovich, Ivica Nikolic, and Christian Rechberger. Rotational Re-bound Attacks on Reduced Skein. In Masayuki Abe, editor, ASIACRYPT,volume 6477 of Lecture Notes in Computer Science, pages 1–19. Springer, 2010.

[Knu94] Lars R. Knudsen. Truncated and Higher Order Differentials. In Bart Preneel,editor, FSE, volume 1008 of LNCS, pages 196–211. Springer, 1994.

[KNW09] Dmitry Khovratovich, Ivica Nikolic, and Ralf-Philipp Weinmann. Meet-in-the-Middle Attacks on SHA-3 Candidates. In FSE, pages 228–245, 2009.

[KR94] B.S. Jr Kaliski. and M.J.B. Robshaw. Linear cryptanalysis using multiple ap-proximations. In Y. Desmedt, editor, CRYPTO’94, volume 839 of Lecture Notesin Computer Science, pages 26–39. Springer, 1994.

[KR96] L.R. Knudsen and M.J.B. Robshaw. Non-linear approximations in linear crypt-analysis. In U.M. Maurer, editor, EUROCRYPT’96, volume 1070 of LectureNotes in Computer Science, pages 224–236. Springer, 1996.

[KR07] L.R. Knudsen and V. Rijmen. Known-key distinguishers for some block ciphers.In Advances in cryptology - ASIACRYPT 2007, volume 4833 of Lecture Notesin Computer Science, pages 315–324. Springer, 2007.

[KRT07] Lars R. Knudsen, Christian Rechberger, and Søren S. Thomsen. The grindahlhash functions. In Alex Biryukov, editor, FSE, volume 4593 of Lecture Notes inComputer Science, pages 39–57. Springer, 2007.

[KS05] Alexander Klimov and Adi Shamir. New applications of T-functions in blockciphers and hash functions. In Henri Gilbert and Helena Handschuh, editors,FSE, volume 3557 of LNCS, pages 18–31. Springer, 2005.

[KSW97] John Kelsey, Bruce Schneier, and David Wagner. Related-key cryptanalysisof 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA. In YongfeiHan, Tatsuaki Okamoto, and Sihan Qing, editors, ICICS, volume 1334 of LNCS,pages 233–246. Springer, 1997.


[KW02] L.R. Knudsen and D. Wagner. Integral cryptanalysis. In Fast Software En-cryption - FSE 2002, volume 2365 of Lecture Notes in Computer Science, pages112–127. Springer-Verlag, 2002.

[KYS] Bonwook Koo, Yongjin Yeom, and Junghwan Song. Related-key boomerangattack on block cipher SQUARE. Technical report, http://eprint.iacr.org/2010/073.pdf, YEAR = 2010,.

[Lai94] Xuejia Lai. Higher order derivatives and differential cryptanalysis. In Richard E.Blahut, Daniel J. Costello, Ueli Maurer, and Thomas Mittelholzer, editors, Com-municationis and Cryptography: Two Sides of one Tapestry, pages 227–233.Kluwer Academic Publishers, 1994.

[Leu08] Gaetan Leurent. MD4 is not one-way. In Nyberg [Nyb08], pages 412–428.

[Leu12] Gaetan Leurent. Arxtools: A toolkit for arx analysis, 2012. Availableonline: http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/March2012/

documents/papers/LEURENT_paper.pdf.

[LH94] S.K. Langford and M.E. Hellman. Differential-linear cryptanalysis. InY. Desmedt, editor, CRYPTO’94, volume 839 of Lecture Notes in ComputerScience, pages 17–25. Springer, 1994.

[LM92] Xuejia Lai and James L. Massey. Hash Function Based on Block Ciphers. InEUROCRYPT, pages 55–70, 1992.

[LM01] Helger Lipmaa and Shiho Moriai. Efficient Algorithms for Computing Differ-ential Properties of Addition. In Mitsuru Matsui, editor, FSE, volume 2355 ofLNCS, pages 336–350. Springer, 2001.

[LM11] Mario Lamberger and Florian Mendel. Higher-Order Differential Attack onReduced SHA-256. Cryptology ePrint Archive, Report 2011/037, 2011.

[LMR+09] Mario Lamberger, Florian Mendel, Christian Rechberger, Vincent Rijmen, andMartin Schlaffer. Rebound Distinguishers: Results on the Full Whirlpool Com-pression Function. In Matsui [Mat09], pages 126–143.

[LR12] Gaetan Leurent and Arnab Roy. Boomerang Attacks on Hash Function UsingAuxiliary Differentials. In Orr Dunkelman, editor, CT-RSA, volume 7178 ofLNCS, pages 215–230. Springer, 2012.

[LWD04] Helger Lipmaa, Johan Wallen, and Philippe Dumas. On the Additive DifferentialProbability of Exclusive-Or. In Bimal K. Roy and Willi Meier, editors, FSE,volume 3017 of LNCS, pages 317–331. Springer, 2004.

[Mat94a] M. Matsui. The first experimental cryptanalysis of the Data Encryption Stan-dard. In Y. Desmedt, editor, CRYPTO’94, volume 839 of Lecture Notes inComputer Science, pages 1–11. Springer, 1994.

[Mat94b] M. Matsui. Linear cryptoanalysis method for DES cipher. In T. Helleseth,editor, EUROCRYPT’93, volume 765 of Lecture Notes in Computer Science,pages 386–397. Springer, 1994.


[Mat96] Mitsuru Matsui. New structure of block ciphers with provable security againstdifferential and linear cryptanalysis. In FSE 1996, volume 1039 of LNCS, pages205–218. Springer-Verlag, 1996.

[Mat09] Mitsuru Matsui, editor. Advances in Cryptology - ASIACRYPT 2009, 15thInternational Conference on the Theory and Application of Cryptology and In-formation Security, Tokyo, Japan, December 6-10, 2009. Proceedings, volume5912 of LNCS. Springer, 2009.

[Max05] A. Maximov. Two linear distinguishing attacks on vmpc and rc4a and weaknessof the rc4 family of stream ciphers. In Fast Software Encryption 2005, volume3557 of LNCS, pages 342–358. Springer-Verlag, 2005.

[MDIP09] Nicky Mouha, Christophe De Canniere, Sebastiaan Indesteege, and Bart Pre-neel. Finding Collisions for a 45-Step Simplified HAS-V. In Heung Youl Youmand Moti Yung, editors, WISA, volume 5932 of LNCS, pages 206–225. Springer,2009.

[Men09] Florian Mendel. Two Passes of Tiger Are Not One-Way. In Bart Preneel,editor, AFRICACRYPT, volume 5580 of Lecture Notes in Computer Science,pages 29–40. Springer, 2009.

[MJ07] A. Maximov and T. Johansson. A linear distinguishing attack on Scream. IEEETransactions on Information Theory, 53(9):3127–3144, 2007.

[MNPN+09] Krystian Matusiewicz, Marıa Naya-Plasencia, Ivica Nikolic, Yu Sasaki, and Mar-tin Schlaffer. Rebound Attack on the Full Lane Compression Function. InMatsui [Mat09], pages 106–125.

[MNS11a] Florian Mendel, Tomislav Nad, and Martin Schlaffer. Cryptanalysis of Round-Reduced HAS-160. In Howon Kim, editor, ICISC, volume 7259 of Lecture Notesin Computer Science, pages 33–47. Springer, 2011.

[MNS11b] Florian Mendel, Tomislav Nad, and Martin Schlaffer. Finding SHA-2 Char-acteristics: Searching Through a Minefield of Contradictions. In Dong HoonLee and Xiaoyun Wang, editors, ASIACRYPT, volume 7073 of Lecture Notes inComputer Science, pages 288–307. Springer, 2011.

[MNS12] Florian Mendel, Tomislav Nad, and Martin Schlaffer. Collision Attacks on theReduced Dual-Stream Hash Function RIPEMD-128. In Anne Canteaut, edi-tor, FSE, volume 7549 of Lecture Notes in Computer Science, pages 226–243.Springer, 2012.

[MNSS12] Florian Mendel, Tomislav Nad, Stefan Scherz, and Martin Schlaffer. DifferentialAttacks on Reduced RIPEMD-160. In Dieter Gollmann and Felix C. Freiling,editors, ISC, volume 7483 of Lecture Notes in Computer Science, pages 23–38.Springer, 2012.

[MPP+05] Krystian Matusiewicz, Josef Pieprzyk, Norbert Pramstaller, Christian Rech-berger, and Vincent Rijmen. Analysis of simplified variants of sha-256. InChristopher Wolf, Stefan Lucks, and Po-Wah Yau, editors, WEWoRC, vol-ume 74 of LNI, pages 123–134. GI, 2005.


[MPR08a] Florian Mendel, Norbert Pramstaller, and Christian Rechberger. A (Second)Preimage Attack on the GOST Hash Function. In Nyberg [Nyb08], pages 224–234.

[MPR+08b] Florian Mendel, Norbert Pramstaller, Christian Rechberger, Marcin Kontak,and Janusz Szmidt. Cryptanalysis of the GOST Hash Function. In Wagner[Wag08], pages 162–178.

[MPRR06a] Florian Mendel, Norbert Pramstaller, Christian Rechberger, and Vincent Rij-men. Analysis of step-reduced sha-256. In Matthew J. B. Robshaw, editor, FSE,volume 4047 of Lecture Notes in Computer Science, pages 126–143. Springer,2006.

[MPRR06b] Florian Mendel, Norbert Pramstaller, Christian Rechberger, and Vincent Rij-men. On the collision resistance of ripemd-160. In Sokratis K. Katsikas, JavierLopez, Michael Backes, Stefanos Gritzalis, and Bart Preneel, editors, ISC, vol-ume 4176 of Lecture Notes in Computer Science, pages 101–116. Springer, 2006.

[MPRS09] Florian Mendel, Thomas Peyrin, Christian Rechberger, and Martin Schlaffer.Improved Cryptanalysis of the Reduced Grøstl Compression Function, ECHOPermutation and AES Block Cipher. In Selected Areas in Cryptography, pages16–35, 2009.

[MR07] Florian Mendel and Vincent Rijmen. Weaknesses in the HAS-V compressionfunction. In Kil-Hyun Nam and Gwangsoo Rhee, editors, Information Securityand Cryptology ICISC 2007, volume 4817 of Lecture Notes in Computer Science,pages 335–345, Berlin, Heidelberg, New York, 2007. Springer-Verlag.

[MRS09] Florian Mendel, Christian Rechberger, and Martin Schlaffer. Cryptanalysis ofTwister. In ACNS, pages 342–353, 2009.

[MRST09a] Florian Mendel, Christian Rechberger, Martin Schlaffer, and Søren S. Thomsen.The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl. In FSE,pages 260–276, 2009.

[MRST09b] Florian Mendel, Christian Rechberger, Martin Schlaffer, and Søren S. Thomsen.The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl. In FSE,pages 260–276, 2009.

[MRST10] Florian Mendel, Christian Rechberger, Martin Schlaffer, and Søren S. Thomsen.Rebound Attacks on the Reduced Grøstl Hash Function. In CT-RSA, pages350–365, 2010.

[MT09] Nicky Mouha and Meltem Sonmez Turan. A related-key attack on the ESSENCEblock cipher. ECRYPT II First Hash Function Retreat, 2010, Graz, Austria(Rump session talk), 2009.

[Mul04a] F. Muller. Differential attacks and stream ciphers. State of the Art in StreamCiphers. eSTREAM, ECRYPT Network of Excellence in Cryptology, 2004.

[Mul04b] Frederic Muller. The MD2 Hash Function Is Not One-Way. In Pil Joong Lee,editor, ASIACRYPT, volume 3329 of LNCS, pages 214–229. Springer, 2004.


[Mur06] S. Murphy. The independence of linear approximations in symmetric cryptanal-ysis. IEEE Transactions on Information Theory, 52(12):5510–5518, 2006.

[Mur11] Sean Murphy. The Return of the Cryptographic Boomerang. IEEE Transactionson Information Theory, 57(4):2517–2521, 2011.

[MVDP10] Nicky Mouha, Vesselin Velichkov, Christophe De Canniere, and Bart Preneel.The Differential Analysis of S-Functions. In Alex Biryukov, Guang Gong, andDouglas R. Stinson, editors, Selected Areas in Cryptography, volume 6544 ofLNCS, pages 36–56. Springer, 2010.

[MvOV96] Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook ofApplied Cryptography. CRC Press, 1996.

[MY92] Mitsuru Matsui and Atsuhiro Yamagishi. A New Method for Known PlaintextAttack of FEAL Cipher. In EUROCRYPT, pages 81–91, 1992.

[Nat01] National Institute of Standards and Technology (NIST). FIPS PUB 197: Ad-vanced Encryption Standard. Federal Information Processing Standards Publi-cation 197, U.S. Department of Commerce, November 2001. Available online:http://www.itl.nist.gov/fipspubs.

[Nat07] National Institute of Standards and Technology. Announcing Request for Candi-date Algorithm Nominations for a New Cryptographic Hash Algorithm (SHA-3)Family. Federal Register, 27(212):62212–62220, November 2007.

[NB08] Ivica Nikolic and Alex Biryukov. Collisions for step-reduced sha-256. In Nyberg[Nyb08], pages 1–15.

[NH07] K. Nyberg and M. Hermelin. Multidimensional Walsh transform and a char-acterization of bent functions. In P.V. Kumar T. Helleseth and O. Ytrehus,editors, Proceedings of the 2007 IEEE Information Theory Workshop on Infor-mation Theory for Wireless Networks, IEEE, pages 83–86, 2007.

[NK95] Kaisa Nyberg and Lars R. Knudsen. Provable security against a differentialattack. Journal of Cryptology, 8(1):27–38, 1995.

[NP07] M. Naya-Plasencia. Cryptanalysis of achterbahn-128/80. eSTREAM, ECRYPTNetwork of Excellence in Cryptology, report 2007-019, 2007.

[NP11] Marıa Naya-Plasencia. How to improve rebound attacks. In Phillip Rogaway,editor, CRYPTO, volume 6841 of Lecture Notes in Computer Science, pages188–205. Springer, 2011.

[Nyb95] K. Nyberg. Linear approximation of block ciphers. In A. De Santis, editor,EUROCRYPT’94, volume 950 of Lecture Notes in Computer Science, pages439–444. Springer, 1995.

[Nyb08] Kaisa Nyberg, editor. Fast Software Encryption, 15th International Workshop,FSE 2008, Lausanne, Switzerland, February 10-13, 2008, Revised Selected Pa-pers, volume 5086 of LNCS. Springer, 2008.


[ODP07] Gautham Sekar Orr Dunkelman and Bart Preneel. Improved meet-in-the-middle attacks on reduced-round DES. In K. Srinathan, C. Pandu Rangan,and Moti Yung, editors, INDOCRYPT 2007, volume 4859 of LNCS, pages 86–100. Springer-Verlag, 2007.

[Pey07] Thomas Peyrin. Cryptanalysis of grindahl. In Kaoru Kurosawa, editor, ASI-ACRYPT, volume 4833 of Lecture Notes in Computer Science, pages 551–567.Springer, 2007.

[PP04] S. Paul and B. Preneel. A new weakness in the rc4 keystream generator andan approach to improve the security of the cipher. In Fast Software Encryption2004, volume 3017 of LNCS, pages 245–259. Springer-Verlag, 2004.

[PPS06] S. Paul, B. Preneel, and G. Sekar. Distinguishing attacks on the stream cipherpy. In Fast Software Encryption 2006, volume 4047 of LNCS, pages 405–421.Springer-Verlag, 2006.

[RAB+] Ronald L. Rivest, Benjamin Agre, Daniel V. Bailey, Christopher Crutchfield,Yevgeniy Dodis, Kermin Elliott Fleming, Asif Khan, Jayant Krishnamurthy,Yuncheng Lin, Leo Reyzin, Emily Shen, Jim Sukha, Drew Sutherland, EranTromer, and Yiqun Lisa Yin. The MD6 hash function – a proposal to NIST forSHA-3. http://groups.csail.mit.edu/cis/md6/.

[Rec10] Christian Rechberger. Second-preimage analysis of reduced SHA-1. In ACISP2010, Lecture Notes in Computer Science. Springer-Verlag, 2010. To appear.

[Rei60] George W. Reitwiesner. Binary arithmetic. Advances in Computers, 1:231–308,1960.

[RH02] G. Rose and P. Hawkes. On the applicability of distinguishing attacks againststream ciphers. IACR ePrint archive, http://eprint.iacr.org/2002/142, 2002.

[Rij10] Vncent Rijmen. Stream ciphers and the estream project. ISeCure, 2(1):3–11,January 2010.

[Riv95] R.L. Rivest. The RC5 encryption algorithm. Dr Dobb’s Journal-Software Toolsfor the Professional Programmer, 20(1):146–149, 1995.

[SA08] Yu Sasaki and Kazumaro Aoki. Preimage attacks on 3, 4, and 5-pass HAVAL.In Josef Pawel Pieprzyk, editor, Advances in Cryptology - ASIACRYPT 2008,volume 5350 of Lecture Notes in Computer Science, pages 253–271, Berlin, Hei-delberg, New York, 2008. Springer-Verlag.

[SA09a] Yu Sasaki and Kazumaro Aoki. Finding preimages in full MD5 faster thanexhaustive search. In Antoine Joux, editor, Advances in Cryptology — EU-ROCRYPT 2009, volume 5479 of Lecture Notes in Computer Science, pages134–152, Berlin, Heidelberg, New York, 2009. Springer-Verlag.

[SA09b] Yu Sasaki and Kazumaro Aoki. Finding preimages in full md5 faster thanexhaustive search. In Antoine Joux, editor, EUROCRYPT 2009, volume 5479of LNCS, pages 134–152. Springer-Verlag, 2009.


[SA10] Yu Sasaki and Kazumaro Aoki. Alex biryukov and orr dunkelman and nathankeller and dmitry khovratovich and adi shamir. In Antoine Joux, editor, EU-ROCRYPT 2010, volume 6110 of LNCS, pages 299–319. Springer-Verlag, 2010.

[Saa06] Markku-Juhani Olavi Saarinen. Chosen-IV Statistical Attacks on eStream Ci-phers. In Manu Malek, Eduardo Fernandez-Medina, and Javier Hernando, edi-tors, SECRYPT, pages 260–266. INSTICC Press, 2006.

[Sam07] Alex Samorodnitsky. Low-degree tests at large distances. In David S. Johnsonand Uriel Feige, editors, STOC, pages 506–515. ACM, 2007.

[Sas11] Yu Sasaki. Boomerang Distinguishers on MD4-Family: First Practical Resultson Full 5-Pass HAVAL. In Ali Miri and Serge Vaudenay, editors, Selected Areasin Cryptography, volume 7118 of LNCS, pages 1–18. Springer, 2011.

[Sel98] A.A. Selcuk. New results in linear cryptanalysis of RC5. In S. Vaudenay, edi-tor, FSE ’98, volume 1372 of Lecture Notes in Computer Science, pages 1–16.Springer, 1998.

[Sel08] A.A. Selcuk. On probability of success in linear and differential cryptanalysis.Journal of Cryptology, 21(1):131–147, 2008.

[SK98] T. Shimoyama and T. Kaneko. Quadratic relation of S-box and its applicationto the linear attack of full round DES. In H. Krawczyk, editor, CRYPTO’98,volume 1462 of Lecture Notes in Computer Science, pages 200–211. Springer,1998.

[SLdW07] Marc Stevens, Arjen K. Lenstra, and Benne de Weger. Chosen-prefix collisionsfor MD5 and colliding X.509 certificates for different identities. In Moni Naor,editor, EUROCRYPT 2007, volume 4515 of LNCS, pages 1–22. Springer-Verlag,2007.

[SM87] Akihiro Shimizu and Shoji Miyaguchi. Fast Data Encipherment AlgorithmFEAL. In EUROCRYPT, pages 267–278, 1987.

[SM88] A. Shimizu and S. Miyaguchi. Fast data encipherment algorithm FEAL. InD. Chaum and W.L. Price, editors, EUROCRYPT’87, volume 304 of LectureNotes in Computer Science, pages 267–278. Springer, 1988.

[SS09] Somitra Kumar Sanadhya and Palash Sarkar. A combinatorial analysis of re-cent attacks on step reduced sha-2 family. Cryptography and Communications,1(2):135–173, 2009.

[SSA+09] Marc Stevens, Alexander Sotirov, Jacob Appelbaum, Arjen K. Lenstra, DavidMolnar, Dag Arne Osvik, and Benne de Weger. Short chosen-prefix collisions forMD5 and the creation of a rogue ca certificate. In Shai Halevi, editor, CRYPTO2009, volume 5677 of LNCS, pages 55–69. Springer-Verlag, 2009.

[SW12] Yu Sasaki and Lei Wang. Distinguishers beyond Three Rounds of the RIPEMD-128/-160 Compression Functions. In Feng Bao, Pierangela Samarati, and Jiany-ing Zhou, editors, ACNS, volume 7341 of LNCS, pages 275–292. Springer, 2012.


[TCG92] A. Tardy-Corfdir and H. Gilbert. A known plaintext attack of FEAL-4 andFEAL-6. In J. Feigenbaum, editor, CRYPTO’91, volume 576 of Lecture Notesin Computer Science, pages 172–181. Springer, 1992.

[TSK+05] Y. Tsunoo, T. Saito, H. Kubo, M. Shigeri, T. Suzaki, and T. Kawabata. Themost efficient distinguishing attack on vmpc and rc4a. eSTREAM, ECRYPTStream Cipher Project, report 2005/037, 2005.

[Vau03] Serge Vaudenay. Decorrelation: A theory for block cipher security. Journal ofCryptology, 16(4):249–286, 2003.

[Vie07] Michael Vielhaber. Breaking ONE.FIVIUM by AIDA an Algebraic IV Differen-tial Attack. Cryptology ePrint Archive, Report 2007/413, 2007.

[VMDP11] Vesselin Velichkov, Nicky Mouha, Christophe De Canniere, and Bart Preneel.The Additive Differential Probability of ARX. In Joux [Jou11], pages 342–358.

[VMDP12] Vesselin Velichkov, Nicky Mouha, Christophe De Canniere, and Bart Preneel.UNAF: A Special Set of Additive Differences with Application to the DifferentialAnalysis of ARX. In Anne Canteaut, editor, FSE, volume 7549 of Lecture Notesin Computer Science, pages 287–305. Springer, 2012.

[Wag99] David Wagner. The Boomerang Attack. In Lars R. Knudsen, editor, FSE,volume 1636 of LNCS, pages 156–170. Springer, 1999.

[Wag02] D. Wagner. A generalized birthday problem. In Advances in Cryptology -CRYPTO 2002, volume 2442 of Lecture Notes in Computer Science, pages 288–303. Springer-Verlag, 2002.

[Wag08] David Wagner, editor. Advances in Cryptology - CRYPTO 2008, 28th AnnualInternational Cryptology Conference, Santa Barbara, CA, USA, August 17-21,2008. Proceedings, volume 5157 of LNCS. Springer, 2008.

[WFW09] Shuang Wu, Dengguo Feng, and Wenling Wu. Cryptanalysis of the LANE HashFunction. In Selected Areas in Cryptography, pages 126–140, 2009.

[WP06a] H. Wu and B. Preneel. Attacking the iv setup of py and pypy. eSTREAM,ECRYPT Stream Cipher Project, report 2006/050, 2006.

[WP06b] H. Wu and B. Preneel. Key recovery attack on py and pypy with chose ivs.eSTREAM, ECRYPT Stream Cipher Project, report 2006/052, 2006.

[WP07] H. Wu and B. Preneel. Differential-linear attacks against the stream cipherphelix. eSTREAM, ECRYPT Stream Cipher Project, report 2007/056, 2007.

[WRG+11] Lei Wei, Christian Rechberger, Jian Guo, Hongjun Wu, Huaxiong Wang, andSan Ling. Improved meet-in-the-middle cryptanalysis of KTANTAN. Cryptol-ogy ePrint Archive: Report 2011/201, 2011.

[Wu09] Shuang Wu. Semi-free Start Collision for 12-round Cheetah-256. NIST hashfunction mailing list: [email protected], 2009. Available online: http:

//ehash.iaik.tugraz.at/uploads/0/08/Cheetah256-12r.txt.


[WY05] Xiaoyun Wang and Hongbo Yu. How to break MD5 and other hash functions.In Ronald Cramer, editor, EUROCRYPT 2005, volume 3494 of LNCS, pages19–35. Springer-Verlag, 2005.

[WYY05] Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu. Finding Collisions in the FullSHA-1. In Victor Shoup, editor, CRYPTO, volume 3621 of LNCS, pages 17–36.Springer, 2005.

[YWZW05] Hongbo Yu, Gaoli Wang, Guoyan Zhang, and Xiaoyun Wang. The Second-Preimage Attack on MD4. In Yvo Desmedt, Huaxiong Wang, Yi Mu, andYongqing Li, editors, CANS, volume 3810 of LNCS, pages 1–12. Springer, 2005.

[ZB05] E. Zenner and M. Bosgaard. How secure is secure? on message and iv lengthsfor synchronous stream ciphers. eSTREAM, ECRYPT Stream Cipher Project,report 2005/039, 2005.

[Zol04] B. Zoltak. Vmpc one-way function and stream cipher. In Fast Software Encryp-tion 2004, volume 3017, pages 210–225. Springer-Verlag, 2004.

Documents

D.SYM.13 Final Report on New Developments in Symmetric …D.SYM.13 | Final Report on New Developments in Symmetric Key Cryptanalysis 1 Executive Summary Symmetric cryptography addresses