Fast Software Encryption: 5th International Workshop, FSE ’98, Paris, France, March 23–25, 1998, Proceedings (Lecture Notes in Computer Science, 1372) 354064265X, 9783540642657

English. 305 pages. 1998.


Lecture Notes in Computer Science 1372
Edited by G. Goos, J. Hartmanis and J. van Leeuwen

Springer: Berlin, Heidelberg, New York, Barcelona, Budapest, Hong Kong, London, Milan, Paris, Santa Clara, Singapore, Tokyo

Serge Vaudenay (Ed.)

Fast Software Encryption
5th International Workshop, FSE '98, Paris, France, March 23-25, 1998
Proceedings

Series Editors: Gerhard Goos, Karlsruhe University, Germany; Juris Hartmanis, Cornell University, NY, USA; Jan van Leeuwen, Utrecht University, The Netherlands

Volume Editor: Serge Vaudenay, Ecole Normale Supérieure, DMI, 45, rue d'Ulm, F-75230 Paris Cedex 05, France. E-mail: [email protected]

Cataloging-in-Publication data applied for. Die Deutsche Bibliothek - CIP-Einheitsaufnahme: Fast software encryption : 5th international workshop ; proceedings / FSE '98, Paris, France, March 23-25, 1998. Serge Vaudenay (ed.). - Berlin ; Heidelberg ; New York ; Barcelona ; Budapest ; Hong Kong ; London ; Milan ; Paris ; Santa Clara ; Singapore ; Tokyo : Springer, 1998 (Lecture notes in computer science ; Vol. 1372). ISBN 3-540-64265-X

CR Subject Classification (1991): E.3, E.4, F.2.1, G.4. ISSN 0302-9743. ISBN 3-540-64265-X Springer-Verlag Berlin Heidelberg New York.

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer-Verlag. Violations are liable for prosecution under the German Copyright Law.

© Springer-Verlag Berlin Heidelberg 1998. Printed in Germany. Typesetting: Camera-ready by author. SPIN 10631900 06/3142 – 5 4 3 2 1 0. Printed on acid-free paper.

Preface

Fast Software Encryption (FSE) is an annual research workshop devoted to the promotion of research on classical encryption algorithms and related cryptographic primitives, such as hash functions. Although public-key cryptography has received much of the attention since the 1980s, the much older secret-key cryptography was less visible in many research conferences. This motivated Ross Anderson to organise the first FSE in Cambridge, England, in December 1993; subsequent workshops followed at Leuven, Belgium (December 1994), Cambridge again (February 1996) and Haifa, Israel (January 1997).

These proceedings contain the papers to be presented at the fifth workshop, in March 1998 at the Ecole du Louvre in Paris. This event was organized by the Ecole Normale Supérieure and the Centre National pour la Recherche Scientifique (CNRS), in cooperation with the International Association for Cryptologic Research (IACR), and with the financial support of Gemplus and Microsoft, the world leaders in smart cards and software, two domains very closely connected to our research concerns.

As in previous years, the workshop presents new advances in the design and analysis of (non-public-key) cryptographic primitives: block ciphers, stream ciphers, message authentication codes, hash functions and pseudorandom generators. As is the tradition, new algorithm designs are presented with concrete examples; other researchers then try to break them and give their results at the next workshop. This continuing competition between cryptographers and cryptanalysts has been highly beneficial for the evolution of cryptography, enabling the community to develop simultaneously both practical technology and theoretical insight into the security of cryptographic primitives.

It has been a great pleasure to organize the fifth workshop in Paris and to chair the program committee. The committee consisted of Ross Anderson (Cambridge University), Eli Biham (Technion), Don Coppersmith (IBM Research), Cunsheng Ding (National University of Singapore), Dieter Gollmann (Microsoft Research), Lars Knudsen (University of Bergen), James Massey (ETH Zürich), Mitsuru Matsui (Mitsubishi) and Bart Preneel (Katholieke Universiteit Leuven). Every submission we received was carefully reviewed by at least three committee members. The authors were sent substantial reports, and 20 papers were selected for presentation at the workshop. These papers are presented in this book. This year, our proceedings consist of:

  • six papers which break previously proposed algorithms;
  • two papers on the cryptanalysis of modes of operation of block ciphers;
  • one paper on the analysis of pseudorandom generators;
  • three new stream cipher proposals;
  • three new block cipher proposals;
  • two papers on the design and analysis of hash functions;
  • three papers on the analysis of constructions with formal security.

As with previous workshops, the proceedings are published in Springer-Verlag's Lecture Notes in Computer Science series (previous proceedings were volumes 809, 1008, 1039 and 1267). As with previous workshops, the entire review and selection process was done electronically, using e-mail and the LaTeX processing language.

I would like to thank all the authors who submitted, all members of the program committee, as well as the external referees. I also wish to thank Springer-Verlag, the Ecole du Louvre, the Ecole Normale Supérieure and Jacques Stern, and I am grateful to our generous sponsors, Gemplus and Microsoft.

Paris, January 1998
Serge Vaudenay

Table of Contents

Cryptanalysis I
New Results in Linear Cryptanalysis of RC5 . . . 1
  Ali Aydın Selçuk (University of Maryland Baltimore County)
Higher Order Differential Attack of a CAST Cipher . . . 17
  Shiho Moriai, Takeshi Shimoyama (TAO), Toshinobu Kaneko (TAO, Science University of Tokyo)
Cryptanalysis of TWOPRIME . . . 32
  Don Coppersmith (IBM Research), David Wagner (U.C. Berkeley), Bruce Schneier, John Kelsey (Counterpane Systems)

New Stream Ciphers
JEROBOAM . . . 49
  Hervé Chabanne (SAGEM SA), Emmanuel Michon (Ecole Polytechnique)
Fast Hashing and Stream Encryption with PANAMA . . . 60
  Joan Daemen (Banksys), Craig S.K. Clapp (PictureTel Corporation)
Joint Hardware / Software Design of a Fast Stream Cipher . . . 75
  Craig S.K. Clapp (PictureTel Corporation)

Design Construction Analysis
On the Security of the Hashing Scheme Based on SL2 . . . 93
  Kanat S. Abdukhalikov (Institute for Pure and Applied Mathematics, Kazakhstan), Chul Kim (Kwangwoon University)
About Feistel Schemes with Six (or more) Rounds . . . 103
  Jacques Patarin (BULL PTS)
Monkey: Black-Box Symmetric Ciphers Designed for MONopolizing KEYs . . . 122
  Adam Young (Columbia University), Moti Yung (CertCo)

Hash Functions
MRD Hashing . . . 134
  Rei Safavi-Naini, Shahram Bakhtiari, Chris Charnes (University of Wollongong)
New Constructions for Secure Hash Functions . . . 150
  William Aiello (BellCore), Stuart Haber (Surety), Ramarathnam Venkatesan (Microsoft Research)

Pseudo-Random Generators
Cryptanalytic Attacks on Pseudorandom Number Generators . . . 168
  John Kelsey, Bruce Schneier (Counterpane Systems), David Wagner (University of California Berkeley), Chris Hall (Counterpane Systems)

New Block Ciphers
CS-CIPHER . . . 189
  Jacques Stern, Serge Vaudenay (Ecole Normale Supérieure)
On the Design and Security of RC2 . . . 206
  Lars R. Knudsen (University of Bergen), Vincent Rijmen (K.U. Leuven), Ronald L. Rivest (MIT), Matthew J.B. Robshaw (RSA Laboratories)
Serpent: A New Block Cipher Proposal . . . 222
  Eli Biham (Technion), Ross Anderson (Cambridge University), Lars R. Knudsen (University of Bergen)

Modes of Operations
Attacking Triple Encryption . . . 239
  Stefan Lucks (University of Mannheim)
Cryptanalysis of some Recently-Proposed Multiple Modes of Operation . . . 254
  David Wagner (University of California, Berkeley)

Cryptanalysis II
Differential Cryptanalysis of the ICE Encryption Algorithm . . . 270
  Bart Van Rompay (K.U. Leuven), Lars R. Knudsen (University of Bergen), Vincent Rijmen (K.U. Leuven)
The First Two Rounds of MD4 are Not One-Way . . . 284
  Hans Dobbertin (German Information Security Agency)
Differential Cryptanalysis of KHF . . . 293
  David Wagner (University of California, Berkeley)

Author Index . . . 297

New Results in Linear Cryptanalysis of RC5

Ali Aydın Selçuk
Department of Computer Science and Electrical Engineering, University of Maryland Baltimore County, Baltimore, MD 21250, USA
E-mail: [email protected]

Abstract. We show that the linear cryptanalytic attack of Kaliski and Yin presented at Crypto '95 does not work as expected, due to the failure of some hidden assumptions involved. Then we present new attacks. Our attacks use the same linear approximation as Kaliski and Yin's attack, but differ in the way they use it to recover the secret key. We also discuss certain issues of the linear cryptanalysis of RC5 that need to be resolved for better linear attacks.

Keywords: cryptology, cryptanalysis, block ciphers, RC5, linear cryptanalysis.

1 Introduction

RC5 is a secret key block cipher designed by Rivest [5]. Kaliski and Yin [1] published a linear cryptanalytic attack on RC5 at Crypto '95, which still remains the only known linear attack on RC5 that has been published in the open literature. We will refer to this attack as the Kaliski-Yin attack. In this paper we show that the attack does not work as expected, due to the failure of some hidden assumptions involved. Then we present some new attacks. Our attacks are based on the same linear approximation used in the Kaliski-Yin attack, but they differ from that attack in the way they use the approximation to recover the secret key.

We first briefly review RC5 and linear cryptanalysis. RC5 has a variable block size, a variable number of rounds and a variable-length secret key. A particular RC5 algorithm is denoted by its parameters as RC5-w/r/b, where w is the word size in bits (a half of a block is called a word), b is the key size in bytes and r is the number of rounds. For the encryption algorithm we adopt the notation used in [1]. The algorithm is as follows:

  L_1 = L_0 + S_0
  R_1 = R_0 + S_1
  for i = 2 to 2r+1
      L_i = R_{i−1}
      R_i = ((L_{i−1} ⊕ R_{i−1}) <<< R_{i−1}) + S_i

In the algorithm, "+" denotes addition modulo 2^w, "⊕" denotes bitwise xor and "<<<" denotes left rotation. The ith iteration of the for loop is called the ith half-round; the first half-round refers to the two initial equations. L_{i−1} and R_{i−1} denote the left and the right halves of the input of the ith half-round and S_i denotes the subkey at the ith half-round. (L_0, R_0) is the plaintext and (L_{2r+1}, R_{2r+1}) is the ciphertext.

Linear cryptanalysis is a kind of statistical correlation attack on block ciphers which was developed by Matsui [4] in 1993. The basic idea of linear cryptanalysis is to find a linear relation, which is called a linear approximation, among the plaintext, ciphertext and key bits such that the probability of the approximation is different from 1/2. But if a wrong value is substituted for the key bits in the approximation, the approximation will behave randomly (i.e. its probability will be 1/2). The attack collects plaintext/ciphertext pairs which are encrypted under the same key. Then it tries all possible combinations of the key bits involved in the approximation with all the plaintext/ciphertext pairs that have been collected. The correct key bit combination is distinguished by its non-random behavior. Matsui [3] showed that the success probability of the attack is proportional to √N |p − 1/2|, where N is the number of plaintext/ciphertext pairs collected.

Some specific notation used in this paper is as follows. RC5-w/r denotes the RC5 scheme with w-bit words and r rounds where each round key is generated independently. x[i] denotes the ith bit of x and x[i...j] denotes the ith through jth bits of x; n denotes 2r + 1.

The remainder of the paper is organized as follows. In Section 2 we discuss the hidden assumptions in the Kaliski-Yin attack and explain why they do not hold. In Sections 3 to 7 we present our attacks and discuss their success rates. In Section 8 we conclude with some open research problems in linear cryptanalysis of RC5 and discuss briefly the factors that make linear cryptanalysis of RC5 harder than linear cryptanalysis of DES-like ciphers.
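The half-round form of RC5 and the Kaliski-Yin approximation R_0[0] ⊕ L_{2r}[0] = T, as an added example that is not code from the paper: it encrypts with independently chosen random subkeys in the paper's RC5-w/r convention, tests the approximation on each encryption and estimates its probability p over random plaintexts for one constructed key, both overall and split by ρ = L_n mod w (the quantity the paper shows p is not independent of). The function names and the sample key are my own.

```python
import random


def rotl(x, k, w):
    """Rotate the w-bit word x left by k positions (k is reduced mod w)."""
    k %= w
    mask = (1 << w) - 1
    return ((x << k) | (x >> (w - k))) & mask if k else x


def random_subkeys(w, r, seed):
    """Constructed sample key: 2r+2 independent uniform w-bit subkeys
    S_0 .. S_{2r+1}, matching the paper's RC5-w/r convention."""
    rng = random.Random(seed)
    return [rng.getrandbits(w) for _ in range(2 * r + 2)]


def rc5_half_rounds(L0, R0, S, w):
    """Encrypt one block in the half-round form of the paper.

    Returns the list of states (L_i, R_i) for i = 0 .. 2r+1, where
    (L_0, R_0) is the plaintext and (L_{2r+1}, R_{2r+1}) the ciphertext.
    """
    mask = (1 << w) - 1
    states = [(L0, R0)]
    L, R = (L0 + S[0]) & mask, (R0 + S[1]) & mask   # first half-round
    states.append((L, R))
    for i in range(2, len(S)):                        # half-rounds 2 .. 2r+1
        # L_i = R_{i-1};  R_i = ((L_{i-1} xor R_{i-1}) <<< R_{i-1}) + S_i
        L, R = R, (rotl(L ^ R, R, w) + S[i]) & mask
        states.append((L, R))
    return states


def approximation_holds(states, S, r):
    """Approximation (1): R_0[0] xor L_{2r}[0] == T, with
    T = S_1[0] xor S_3[0] xor ... xor S_{2r-1}[0]."""
    T = 0
    for i in range(1, 2 * r, 2):
        T ^= S[i] & 1
    return ((states[0][1] ^ states[2 * r][0]) & 1) == T


def estimate_probability(w, r, S, samples, seed=1):
    """Estimate P(approximation (1) holds) for the fixed key S over
    uniformly random plaintexts.  Returns the overall estimate and a
    per-rho list, rho = L_n mod w with n = 2r+1 (None where no text
    with that rho was seen)."""
    rng = random.Random(seed)
    hold = 0
    per_rho = [[0, 0] for _ in range(w)]
    for _ in range(samples):
        states = rc5_half_rounds(rng.getrandbits(w), rng.getrandbits(w), S, w)
        rho = states[2 * r + 1][0] % w
        ok = approximation_holds(states, S, r)
        hold += ok
        per_rho[rho][0] += ok
        per_rho[rho][1] += 1
    return hold / samples, [h / t if t else None for h, t in per_rho]


if __name__ == "__main__":
    w, r = 16, 2
    S = random_subkeys(w, r, seed=7)
    overall, by_rho = estimate_probability(w, r, S, 1 << 17)
    # Piling-up prediction for r-1 approximated half-rounds: 1/2 + 1/(2 w^(r-1))
    print("w=%d r=%d  predicted p = %.5f  measured p = %.5f"
          % (w, r, 0.5 + 0.5 / w ** (r - 1), overall))
    for rho, p_rho in enumerate(by_rho):
        print("  L_n mod w = %2d : %.4f" % (rho, p_rho))
```

For r = 1 the approximation is exact (the only approximated half-round is absent), so the estimate is 1.0; for RC5-16/2 the overall estimate sits near 1/2 + 1/32 while the per-ρ values scatter around it for a fixed key.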

2 The Kaliski-Yin Attack

In this section we briefly discuss the Kaliski-Yin attack and show the hidden assumptions that cause the attack to fail.

2.1 The attack

Let T denote S_1[0] ⊕ S_3[0] ⊕ ... ⊕ S_{2r−1}[0]. The approximation used in the attack is

  R_0[0] ⊕ L_{2r}[0] = T,    (1)

which is obtained by combining the half-round approximation R_1[0] = R_0[0] ⊕ S_1[0] and the half-round approximations R_i[0] = L_{i−1}[0] ⊕ S_i[0] for i = 3, 5, ..., 2r − 1. The probability of this approximation, which we denote by p, is 1/2 + 1/(2w^{r−1}).

The attack was different from all the previously published linear cryptanalytic attacks in the way that it was composed of multiple steps, where each step aims to recover one bit of the round key. The outline of the attack algorithm is as follows:

  1. Guess T by using the data with L_n mod w = 0.
  2. Guess S_n[0] by using the data with L_n mod w = 1.
  3. For i = 1, ..., w − 1, guess S_n[i] by using the data with L_n mod w = i.

The point that is important for us in this algorithm is that at each step L_n mod w is fixed to a certain value.

2.2 Experimental results and the hidden assumptions

We implemented this attack on RC5-16/2 with 2|p − 1/2|^{−2} plaintext/ciphertext pairs for each different value of L_n mod w (i.e. 2w|p − 1/2|^{−2} texts in total). The success rate for recovering S_n was found to be 11–15%, as opposed to the 95–99% that was expected by Kaliski and Yin. Even more surprisingly, the success rate did not improve as we increased the amount of data used. These results led us to the following observations.

Let E_i denote the event that the ith half-round approximation R_i[0] = L_{i−1}[0] ⊕ S_i[0] holds, for i = 3, 5, ..., 2r − 1. The probability P(E_i) can be calculated as

  P(E_i) = P(E_i | R_{i−1} mod w = 0) · P(R_{i−1} mod w = 0) + P(E_i | R_{i−1} mod w ≠ 0) · P(R_{i−1} mod w ≠ 0).

P(E_i | R_{i−1} mod w = 0) is always equal to 1. P(R_{i−1} mod w = 0) is equal to 1/w and P(E_i | R_{i−1} mod w ≠ 0) is equal to 1/2; hence P(E_i) is equal to 1/2 + 1/(2w).

An important point in the Kaliski-Yin attack is that at each step the value of L_n mod w is fixed to a certain value, and it is implicitly assumed that the probability of approximation (1) does not depend on L_n mod w. This assumption is based on two other assumptions:

  1. The probability P(R_{i−1} mod w = 0) does not depend on L_n mod w.
  2. The probability P(E_i | R_{i−1} mod w ≠ 0) does not depend on L_n mod w.

We will refer to these two assumptions as Assumption 1 and Assumption 2 respectively.

2.3 Failure of Assumption 1

It turns out that the probability of zero rotation in the (n−2)nd half-round, i.e. P(R_{n−3} mod w = 0), depends on L_n mod w; hence Assumption 1 does not hold. We have

  R_{n−3} = L_{n−2} = ((R_{n−1} − S_{n−1}) >>> R_{n−2}) ⊕ R_{n−2} = ((L_n − S_{n−1}) >>> R_{n−2}) ⊕ R_{n−2}.

The distribution of R_{n−3} is not uniform when L_n − S_{n−1} is fixed; hence the probability P(R_{n−3} mod w = 0), and with it the probability of approximation (1), is not independent of L_n mod w. For example, let δ denote the difference L_n − S_{n−1} mod w and let ρ denote R_{n−3} mod w. The probability P(ρ = 0 | δ = 0) for w = 16 is 1.586/w, as opposed to the expected probability 1/w.

2.4 Failure of Assumption 2

It also turns out that Assumption 2, just like Assumption 1, does not hold for the (n−2)nd half-round; i.e. P(E_{n−2} | ρ ≠ 0) is not independent of L_n mod w. First we observe that the half-round approximation

  R_{n−2}[0] = L_{n−3}[0] ⊕ S_{n−2}[0]    (2)

can be expressed in terms of R_{n−2}, S_{n−2} and ρ. The approximation is

  R_{n−2}[0] = L_{n−3}[0] ⊕ S_{n−2}[0] = ((R_{n−2} − S_{n−2}) >>> ρ)[0] ⊕ R_{n−3}[0] ⊕ S_{n−2}[0] = ((R_{n−2} − S_{n−2}) >>> ρ)[0] ⊕ ρ[0] ⊕ S_{n−2}[0].

Second, we know from Section 2.3 that ρ (i.e. R_{n−3} mod w) is equal to (((L_n − S_{n−1}) >>> R_{n−2}) ⊕ R_{n−2}) mod w. This shows that conditions on L_n − S_{n−1} and ρ give information about R_{n−2} mod w. These two observations imply that when L_n − S_{n−1} and S_{n−2} are fixed, the condition ρ ≠ 0 gives information about approximation (2) and possibly causes the probability P(E_{n−2} | ρ ≠ 0) to differ from 1/2. For example, for w = 16, L_n − S_{n−1} = 1 and S_{n−2} = 0, the probability P(E_{n−2} | ρ ≠ 0) is equal to 0.4894, as opposed to 0.5. At this point we should remark that the probability of the approximation does not depend on the top w − lg w bits of S_{n−2}. This is because ρ and L_n − S_{n−1} give information only about the last lg w bits of R_{n−2}; therefore the distribution of (R_{n−2} − S_{n−2}) >>> ρ is not affected by the top w − lg w bits of S_{n−2}.

At every step of the Kaliski-Yin attack the difference L_n − S_{n−1} is fixed. When L_n − S_{n−1} is fixed, R_{n−3} and R_{n−2} have a non-uniform distribution. This fact has two effects on the probability of the (n−2)nd half-round approximation. First, the probability P(R_{n−3} mod w = 0) may differ from 1/w. Second, the probability P(E_{n−2} | R_{n−3} mod w ≠ 0) may differ from 1/2. Table 4 in Appendix A lists the bias of approximation (2) for different values of L_n − S_{n−1} mod w and S_{n−2} mod w for w = 16. What is particularly important in Table 4 for the Kaliski-Yin attack is the negative entries, which correspond to the case p < 1/2. Success of Steps 2 and 3 of the attack depends on the assumption that p > 1/2 for every single value of L_n mod w. If the (i, j)th entry of Table 4 is negative, then for S_{n−2} mod w = j the attack fails with very high probability at the step where L_n − S_{n−1} mod w is fixed to i, and the failure probability goes to one as the amount of data used goes to infinity. With respect to the numbers in Table 4, we calculated that the success rate of the Kaliski-Yin attack for recovering the last round key S_n on RC5-16/2 goes to 9.375% as the amount of data goes to infinity. We also calculated the success rate with 2|p − 1/2|^{−2} texts as 13.9%. These results match our experimental results in Section 2.2 very well.

3 Our Attacks

We developed a number of new linear cryptanalytic attacks on RC5. They all use approximation (1), but they differ from the Kaliski-Yin attack in the way they use the approximation to recover the round key S_n. Our attacks are similar to "Algorithm 2" of Matsui [3], which is sometimes referred to as the 1R-method. We unroll the last half-round and substitute the actual value of L_{n−1}[0] in approximation (1), which is ((R_n − S_n) >>> ρ)[0] ⊕ L_n[0], where ρ denotes L_n mod w (i.e. the rotation amount in the last half-round). So the approximation becomes

  R_0[0] ⊕ ((R_n − S_n) >>> ρ)[0] ⊕ L_n[0] = T.    (3)

An important difference of our attacks from the 1R-method of Matsui is that when we substitute a wrong value for S_n in approximation (3), the bias of the approximation is not zero. Moreover, the bias can be expressed in terms of the substituted value s, S_n, ρ and the probability of the approximation, as will be shown in Section 4.

Our attacks can be classified into two types. In the first one we fix ρ (i.e. L_n mod w) to a certain value at each step and we aim to recover one key bit at a time. We will refer to the attacks of this type as the 1-bit attacks. In the second type of attack we aim to recover a group of consecutive key bits at the same time. We will refer to the attacks of this type as the multi-bit attacks. We will describe the attacks in more detail in Sections 5 and 6.

An important issue in the experimental comparison of the attacks presented in the following sections is that they all run on relatively small versions of RC5, such as r = 2, 4. The reason for this choice of small parameters is just to make the experiments computationally feasible. Our attack techniques all use the same approximation (i.e. approximation (3)) and they differ only in the way they use this approximation to recover the secret key. Therefore increasing the number of rounds does not have much effect on the relative performance of the attack techniques, and the final comparison of the experiments with relatively small values of r gives a fair comparison of the attacks.

4 The Bias of Approximation (3) for Wrong Keys

As mentioned in Section 3, something special about approximation (3) is that when a wrong key value is substituted for S_n, the bias of the approximation is not zero. An important observation for understanding the behavior of the approximation is the following. When s is substituted for S_n in approximation (3), the result is the same as the result for S_n if and only if (R_n − s)[ρ] is the same as (R_n − S_n)[ρ]. Let S_min denote min{S_n[0...ρ−1], s[0...ρ−1]} and similarly let S_max denote max{S_n[0...ρ−1], s[0...ρ−1]}. These two bits are the same when one of the following two conditions is satisfied:

  1. s[ρ] = S_n[ρ] and (R_n[0...ρ−1] < S_min or R_n[0...ρ−1] ≥ S_max).
  2. s[ρ] ≠ S_n[ρ] and S_min ≤ R_n[0...ρ−1] < S_max.

Let n_s denote the number of different values of R_n[0...ρ] such that we have (R_n − s)[ρ] = (R_n − S_n)[ρ]. Figure 1 illustrates the value of n_s for 0 ≤ s < 2^{ρ+1}.

Fig. 1. n_s as a function of s, for 0 ≤ s < 2^{ρ+1}. The horizontal axis lists the possible key values that can be tried for S_n[0...ρ]. n_s denotes the number of different values of R_n[0...ρ] such that (R_n − s)[ρ] = (R_n − S_n)[ρ]. S'_n is the key that differs from S_n only at the ρth bit.

More specifically, n_s is 2^{ρ+1} for the correct key S_n; it decreases by two as s gets further from S_n in either direction; and it is zero at S'_n, which denotes the key that differs from S_n only at the ρth bit. Assuming that the probability that the approximation holds and the probability that the result of the approximation is the same for both s and S_n are independent (where both probabilities are taken over the plaintext), we obtain a similar figure for the bias of the approximation with s substituted for S_n. Figure 2 shows the expected bias of approximation (3) for different values of s. Let N denote the number of plaintext/ciphertext pairs satisfying L_n mod w = ρ for some fixed ρ. Let U_s denote the number of those texts such that the left side of approximation (3) is 1 when we substitute s for S_n, and let B_s denote the bias U_s − N/2. Figure 2 illustrates the expected bias B_s for 0 ≤ s < 2^{ρ+1}, assuming B_{S_n} > 0. The significance of Figure 2 is that it shows what the expected bias of approximation (3) will be when L_n mod w is fixed and a wrong value is substituted for the round key S_n. This behavior of the bias has a crucial role in the attacks we develop in this paper, especially in the 1-bit attacks (see Section 5).

Fig. 2. Expected bias E[B_s] for different values of s, for L_n mod w = ρ. The vertical axis runs from −N(p − 1/2) to N(p − 1/2); the horizontal axis runs over 0 ≤ s < 2^{ρ+1} and marks S''_n, S_n and S'_n. S''_n is the key that differs from the correct key S_n only at the (ρ−1)st bit. p denotes the probability of the approximation given L_n mod w = ρ.

5 1-Bit Attacks

In this section we discuss the attacks that recover the round key S_n in a bitwise fashion (i.e. recovering one bit at a time). The aim of these attacks is to recover the key bit S_n[ρ−1] by using the data with L_n mod w = ρ, given that the key bits S_n[0...ρ−2] have already been recovered. The idea of attacking the (ρ−1)st bit instead of the ρth one is inspired by the fact that p may be either less or greater than 1/2 depending on the value of ρ, S_{n−1} and S_{n−2} (see Appendix A). Moreover, S'_n, the key that differs from S_n only at the ρth bit, has a bias of exactly the same magnitude as the correct key S_n (i.e. B_{S'_n} = −B_{S_n}) for the data with L_n mod w = ρ (Figure 2). Therefore we cannot distinguish between S_n and S'_n by using the data with L_n mod w = ρ, since we do not know whether p > 1/2 or not; hence we cannot know whether S_n[ρ] is 0 or 1. But this is not the case for S_n[ρ−1]. S''_n, the key that differs from S_n only at the (ρ−1)st bit, has zero expected bias regardless of p (Figure 2). Therefore we can use the data with L_n mod w = ρ to distinguish between S_n and S''_n, and hence find out S_n[ρ−1], even if p < 1/2.

All of our 1-bit attacks are based on a generic attack algorithm. Assume that we have already recovered the key bits S_n[0...ρ−2] and let s_0 and s_1 denote the two candidates 0|S_n[0...ρ−2] and 1|S_n[0...ρ−2] respectively, where | denotes bit-level concatenation. A_{s_i} for i = 0, 1 is a statistic which is supposed to be large for the correct key and small for a wrong key. The generic attack algorithm is as follows:

  1. Compute A_{s_i} for i = 0, 1.
  2. If A_{s_0} > A_{s_1}, guess S_n[ρ−1] = 0; otherwise guess S_n[ρ−1] = 1.

Our 1-bit attacks differ by the definition of the statistic A_{s_i}. Let S_{s_i} denote the set of points in the 2^{ρ−2}-neighborhood of s_i; i.e. the set S_{s_i} = {s : |s − s_i| ≤ 2^{ρ−2}}. The four attacks use

  Attack 1:  A_{s_i} = |B_{s_i}|
  Attack 2:  A_{s_i} = |Σ_{s ∈ S_{s_i}} B_s|
  Attack 3:  A_{s_i} = Σ_{s ∈ S_{s_i}} |B_s|
  Attack 4:  A_{s_i} = max_{s ∈ S_{s_i}} |B_s|

Intuitively, Attack 1 simply compares the bias of s_0 and s_1. The other three attacks, on the other hand, also use the biases of the points in the 2^{ρ−2}-neighborhood of s_0 and s_1 (the choice of 2^{ρ−2} is because s_0 + 2^{ρ−2} is the mid-point of s_0 and s_1). As we will discuss shortly, our experiments have shown that Attack 1 has the best success rate among the four. We calculate the success rate of Attack 1 as

  ∫_{−∞}^{∞} ( ∫_{−x−√N|p−1/2|}^{x+√N|p−1/2|} (1/√(2π)) e^{−y²/2} dy ) (1/√(2π)) e^{−x²/2} dx,    (4)

and the success rate of Attack 2 as the same double integral with the limits of the inner integral scaled by a constant factor (5). It is not straightforward to obtain a closed-form theoretical result for the success rate of Attacks 3 and 4. Therefore we compared the attacks experimentally on RC5-16/2 on a sample of 10,000 different cases and for different values of ρ. The experimental results indicate that Attack 1 is the best among the four. For Attacks 1 and 2 the experimental results match the theoretical results given in (4) and (5) very well.

We generalized Attacks 1 and 2 as special cases of a more general attack parameterized by a neighborhood size d. Let S_{s_i,d} denote the d-neighborhood of s_i; i.e. S_{s_i,d} = {s : |s − s_i| ≤ d}. The generalized attack uses the generic attack algorithm with A_{s_i} = |Σ_{s ∈ S_{s_i,d}} B_s|. Notice that this is the same as Attack 1 for d = 0 and the same as Attack 2 for d = 2^{ρ−2}. We calculated the success rate of the generalized attack approximately as the double integral (4) with the inner limits scaled by a factor depending on d and ρ, which is maximized at d = 0. This result implies that Attack 1 has the highest success rate among all versions of the generalized attack.

A limitation of Attack 1, and also of the other 1-bit attacks discussed so far, is zero bias (i.e. p = 1/2), which occurs for certain values of ρ, S_{n−1} and S_{n−2} (see Appendix A). In such cases these attacks are no better than random guessing. One way to overcome this problem is to use the data with L_n mod w > ρ as well as the data with L_n mod w = ρ to recover S_n[ρ−1]. We present such a modification of Attack 1, which we call Attack 1′. It uses the data with L_n mod w = ρ + 1 as well as the data with L_n mod w = ρ to guess S_n[ρ−1]. As in Attack 1, let s_0 and s_1 denote the two candidates 0|S_n[0...ρ−2] and 1|S_n[0...ρ−2] respectively, and similarly let s_i denote i|S_n[0...ρ−2] for i = 00, 01, 10, 11. The idea of Attack 1′ is to compare the biases of the four possible key candidates s_00, s_10, s_01 and s_11. If the bias is maximized for s_00 or s_10, we guess S_n[ρ−1] as 0; otherwise we guess it as 1. The calculation of the biases at these four points is as follows. As in Attack 1, B_{s_0} and B_{s_1} denote the biases for s_0 and s_1, taken over the data with L_n mod w = ρ. Similarly, B_{s_i} denotes the bias for s_i, for i = 00, 01, 10, 11, taken over the data with L_n mod w = ρ + 1. Guess S_n[ρ−1] = 0 if |B_{s_0}| + max{|B_{s_00}|, |B_{s_10}|} is greater than |B_{s_1}| + max{|B_{s_01}|, |B_{s_11}|}; otherwise guess S_n[ρ−1] = 1. (This is the generic 1-bit attack algorithm where A_{s_i} is |B_{s_i}| + max{|B_{s_0i}|, |B_{s_1i}|}.)

We experimentally compared Attack 1 and Attack 1′ on RC5-16/2. The experimental success rates are given in Table 1, for N = 1,000, 10,000, 100,000 and 1,000,000, where N denotes the available number of texts for each particular value of L_n mod w. The results show that Attack 1′ is significantly better than Attack 1.

Table 1. Success rates of Attack 1 and Attack 1′ on RC5-16/2 for recovering one bit of the last round key S_n. The experimental results show that Attack 1′ is significantly better than Attack 1.

6 Multi-Bit Attacks

6.1 Attack M

The idea of the multi-bit attack is quite straightforward. Instead of fixing L_n mod w at each step, we calculate the bias over the data with many different values of L_n mod w. We know that when L_n mod w is fixed, the behavior of the bias for a wrong key is not random (see Section 4). By taking the bias over many different values of L_n mod w we hope that the bias will behave more "normally" (i.e. zero expected bias for a wrong key, positive expected bias for the correct key).

Although the formal description of the multi-bit attack may appear complicated, in fact it is really intuitive. Suppose we have already recovered the key bits S_n[0...k] and we are going to recover the next ℓ bits S_n[k+1...k+ℓ]. The bias of each key candidate is computed over the data with k + 1 ≤ L_n mod w ≤ k + ℓ. The one with the highest bias is accepted. The formal description of the algorithm is as follows. U_s denotes the number of the texts such that the left side of approximation (3) is 1 when we substitute s for S_n. The expression S_n[0...k] denotes the part of the round key that has been recovered so far. ℓ denotes the number of key bits that is attacked at an iteration of the algorithm. Once these ℓ bits are recovered, the algorithm is repeated for the next ℓ bits of S_n.

Attack M(k, ℓ):
  1. For 0 ≤ i < 2^ℓ, compute U_{i|S_n[0...k]} over the data with k + 1 ≤ L_n mod w ≤ k + ℓ.
  2. Accept the i that maximizes the bias |U_{i|S_n[0...k]} − N/2|, where N is the number of texts with k + 1 ≤ L_n mod w ≤ k + ℓ.

The choice of the parameter ℓ is a matter of trade-off. The computational complexity of the attack increases as ℓ gets larger. More specifically, the number of effective text bits at an iteration of Attack M is k + 1 + ℓ and the number of effective key bits is ℓ. Hence the computational complexity of an iteration of Attack M grows with 2^ℓ and with the number of effective text bits (see Matsui [3]), and recovering a round key of w bits takes w/ℓ iterations if ℓ divides w. On the other hand, the reliability of the guesses also increases as ℓ gets larger, especially that of the lower order bits, as will be shown in Section 6.2. Therefore the value of ℓ should be decided with respect to the constraints of the available computational power, the time and the desired success rate.

But Attack M has some limitations. For example, suppose we are trying to recover the key bits S_n[k+1...k+ℓ] and let S'_n denote the key that is the same as S_n at every bit except for the (k+ℓ)th one. The biases of S'_n and S_n taken over the data with k + 1 ≤ L_n mod w < k + ℓ will be exactly the same, since the two keys are exactly the same at bits 0, 1, ..., k + ℓ − 1. For the data with L_n mod w = k + ℓ, the bias of S'_n will be the negative of the bias of S_n (see Section 4). Therefore, when the bias for L_n mod w = k + ℓ is negative (i.e. p < 1/2), we incorrectly deduce that S'_n is the correct key with high probability! Similar arguments apply to the lower order bits as well, but their effect is less significant. This fact implies that the guesses of the higher order bits will not be very reliable, as illustrated by the experimental results in Section 6.2.

6.2 Experimental results

We tested Attack M on RC5-16/2 for ℓ = 6, 8, 10 on a sample of 10,000 different cases, for N = 1,000, 10,000, 100,000 and 1,000,000. Our results are given in Table 2. The entries in the tables are given as percent of the 10,000 trials. The ith column of the tables denotes the percent of guesses that are correct at the bits lower than i but wrong at the ith bit. Another important point about the tables is that N denotes the available number of texts for a single value of L_n mod w (e.g. for ℓ = 10 the total number of texts used is 10N). We chose this way of presentation to make the comparison between the tables easier. The experimental results show that the success rate of the lower order bits improves as ℓ increases. But this improvement becomes less significant for higher data amounts. Another important point is that increasing the data amount does not help beyond a certain point, and the failure rates at the lower order bits almost stabilize around 0.8–0.9%. The high failure rates at the higher order bits are due to the fact discussed at the end of Section 6.1, and the success rate of these bits cannot be improved beyond a certain point even with an unlimited amount of data. Therefore we suggest discarding the top two bits guessed and starting the next iteration of the attack so as to include these bits as well. The size of the discarded part may be different for different window sizes and should be determined experimentally (or theoretically, if possible). Let j denote the size of the discarded part; we add the following step to the algorithm Attack M:

  3. Discard the top j bits of the key estimate.

Table 2. Failure rates of Attack M on RC5-16/2 for ℓ = 6, 8, 10. The ith column presents the percent of guesses that are correct at the bits lower than i but wrong at the ith bit. The results show that the attack gets better as ℓ increases, but this improvement is less significant when the amount of data used is high.

7 Comparison of the 1-Bit and Multi-Bit Attacks

We compared the two attack strategies experimentally on RC5-16/r for r = 2, 4. Table 3 lists the success rates of Attack 1′ and Attack M for guessing the first eight bits of S_n, for N = 1,000, 10,000, 100,000 and 1,000,000. Attack 1′ represents the most successful 1-bit attack. N denotes the number of plaintexts available for each different value of L_n mod w. As discussed in Section 3, even though the experiments were run for relatively small values of r, they give a fair comparison of the attacks, mainly because the relative performance of the attacks will not be affected much by an increase in r, since they all use the same approximation. The results suggest that Attack M has a better success rate for small amounts of data, but Attack 1′ becomes better as the amount of available data increases.

Table 3. Success rates of Attack 1′ and Attack M on RC5-16/r, for r = 2, 4, for recovering the first eight bits of S_n. The results show that Attack M is better for small amounts of available data. The success rates fall sharply as r increases.

An important advantage of Attack 1′ over Attack M is that the success rate of Attack M does not improve much beyond 92%, regardless of the increase in the data amount. But there is no such limit on the success rate of Attack 1′. Besides, the 1-bit attacks have two other advantages over the multi-bit attacks. First, they are computationally less expensive. Second, a wrong guess in a 1-bit attack can be detected and corrected more easily, since the bias after a wrong bit guess will be significantly smaller than what is expected.

The dramatic decrease in the success rates as the number of rounds r increases suggests that our attacks are not practical enough to break RC5 for real values of r and w. This thought is also supported by the fact that all of our attacks are based on approximation (1), which has quite a low bias for real values of r and w. At this point it is not possible to calculate the exact success rates for a given amount of data. This is due to the lack of a concrete formula for the relation between the probability of approximation (1) and L_n mod w. However, we conjecture that the data requirement for a significant success rate will be comparable to |p − 1/2|^{−2}, that is 4w^{2r−2}, which is impractically high for reasonably high values of w and r (i.e. w ≥ 32, r ≥ 6).

We presented some new results about linear cryptanalysis of RC5. First we showed that the attack of Kaliski and Yin [1] does not work as expected. We studied the statistical behavior of approximation (1) and some unexpected consequences of fixing L_n mod w. Then we presented some new techniques for using this approximation to recover the last round key S_n. Our results on the attack of Kaliski and Yin have significance beyond the linear cryptanalysis of RC5. It is significant to emphasize that hidden assumptions may have extremely serious consequences. It is also significant to show that

1

l

l k

extreme care has to be taken when applying a method developed for a specific cipher to a cipher of a different type. The attacks we present in this paper are examples of how linear cryptanalysis can carry on when the bias is different from zero for a wrong key substituted in the approximation. At this point it is not possible to calculate the exact success rate of our attacks due to the lack of a concrete formula for the relation between the probability of approximation (1) and L_n mod w. However, we conjecture that the data requirement for a significant success rate will be comparable to |p − 1/2|^{−2}, which is impractically high for our approximation. We believe that RC5 still remains secure against linear cryptanalysis.

There are many open research problems to be solved about the linear cryptanalysis of RC5. An important one is to obtain a theoretical result for the relation between the probability of approximation (1) and L_n − S_{n−1} and S_{n−2}. In this way it will be possible to obtain theoretical results for the success rate of the attacks that are based on approximation (1), including the ones presented in this paper. Moreover, it should be possible to use such a relation in an attack which obtains further information about the round keys S_{n−1} and S_{n−2}. Another significant improvement will be to develop better linear cryptanalytic attacks than the ones presented here. However, any attack based on approximation (1) will be limited by the low bias of that approximation. Therefore, finding a better approximation is essential to improving the linear cryptanalysis of RC5 significantly. But any search trying to find a better linear approximation should be aware of a proposition of Kaliski and Yin [1] that states a limitation of linear approximations of RC5. A way to circumvent this limitation may be to use non-linear approximations [2]; not just at the end rounds but at the intermediate rounds as well. The main reason for using linear approximations in DES-like ciphers is that it is easy to find approximations for S-boxes since they are relatively small. Moreover, if an approximation of an S-box is linear it can be distributed to and stated in terms of the input, output and key bits of that round. But this argument is not true for RC5 since it does not have small sub-blocks like S-boxes. Moreover, using linear approximations does not have the advantage of being easily distributed to input, output and key bits as it is in DES. Therefore we believe that, at least theoretically, finding a non-linear approximation for RC5 is not substantially more difficult than finding a linear approximation. But it should be noted that finding an approximation for RC5 is not an easy task in general since there are no small sub-blocks like S-boxes.

As a last minute note, we have recently found out that the probability p of the Kaliski-Yin approximation (1) is not equal to 1/2 + …, which was calculated in [1]. The reason for this unexpected result is that the two consecutive half-round approximations R_i[0] = L_{i−}[0] − S_i[0] and R_i[0] = L_i[0] − S_i[0] are not independent, and therefore the piling-up lemma cannot be used to calculate the probability of approximation (1). Experimentally we found out that the probability p is extremely key dependent and it can be a lot different from 1/2 + … depending on the key. n wh n o t h k y s t h p o ilit y r−• w

N

o l

s lts

r r pt

pp oxim tion (1) is lot i n t om + s th wh ol issu o lin c ypt n lysis o

t u lly ckn owl th in in . wou l lik to th n k to wou l lik to th n k to L o tt cks. m th n k u l to ll m i n sh ip u in m y isitth

1. . . . .

l ss o

1

. ow th is n w n in s n op n u stion .

wr−•

5

lu l iscu ssion s with M tt o l n S h m n o h is com m n ts on yzin o h is h lp with th im pl m y i n s tth S L s o th .

sh w n Lis th p p n n t tion o th i su ppo t n

. .

l sk . . . O r t l l r r p t l ss o t r p to l o rt m . . o p p rsm t , to r, • • • • • •• • •• • •• • •• •• • • • • •• • •• •• • , p s 1 71 1 . p r r rl , N o rk , 1 . . s . o s . No l r p p ro m t o s l r r pt l s s. U . r r, to r, • • • • • •• • •• • •• • •• •• • • • • • •• • •• • ••• • , p s 6. pr r- rl , N o rk , 1 6. . ts . r r p t l sso p r ).• • • •• • • • • • •• • •• •• • • ,to p p r. . ts . r r p t l ss m t o or p r. . ll s t , to r, • • • • • •• • •• • •• • •• •• • • • • • •• • •• • ••• • , p s 6 7. p r r- rl , rl , 1 . . st. r p to l o rt m . • • •• • • ••• • •• • • • •• • ••• • • • ••• • • •• •• •• • ••• • • • • • •• •• • • , p s 6 6. p r r- rl , N o rk , 1 .

The probability of the half-round approximation

R_{n−2}[0] = L_{n−3}[0] − S_{n−2}[0]    (6)

depends on the value of (L_n − S_{n−1}) mod w and S_{n−2} mod w. This fact implies that when L_n, S_{n−1} and S_{n−2} are fixed, the bias of the approximation may be different from its average bias 1/2w. Table 4 lists the bias of approximation (6) for different values of (L_n − S_{n−1}) mod w and S_{n−2} mod w for w = 16. These values are computed by exhaustively going through all possible values of (L_n, R_n) for each value of the difference (L_n − S_{n−1}) mod w. The parameter δ in the table denotes the actual bias as a proportion of the average bias 1/2w (i.e. (p − 1/2)/(1/2w)).

16

l

l k

Sn−• m o w δ 0 1 6 7 0 . 0.7 1 .7 .1 1 .6 1 . 0 0.7 1 . 1 0. 01 . 1 . 0 .6 0. 0. 1 .00 1 . . 1 .7 0.7 .1 0. 0. 0 1 .7 0.1 1 .00 0. . 0 0.1 .6 0.7 . 0 0. 0.7 0. 0. 0.6 0.1 1 .00 0. 0. 1 .00 0. 0.00 1 .1 0.1 1 . 0. 0 0. 6 0. 1 . 1 . 0. 0.1 1 .000.7 1 . 7 0. 0 .7 .000. .1 1 . .00 1 . 0.7 1 .001 .00 1 .1 1 .1 0.7 1 .00 0. 1 .00 1 .000.7 1 .6 1 .1 1 .00 1 . 0. 1 0 0.7 1 .001 .00 1 .1 1 .1 0.7 1 .00 0. 1 1 1 . 0 1 . 00.7 1 .1 .1 1 .00 1 .7 1 . 1 0.7 1 .000. 0 0.6 1 .1 0.7 0. 0 0. 1 1 .00 1 .000. 1 .1 1 .1 1 .00 0.7 0. 1 0.7 1 .000. 0 0.6 0.1 1 .7 0. 0 1 . 1 1 . 0 . 01 . 0.6 .1 .00 . 0. Sn−• m o w δ 10 11 1 1 0 1 . 0. 1 . . 1 .7 1 . 1 0. 1. 1. . 0 0.000.6 1 . 1 . 0. . 0. 0. . .6 0.1 . 0 0. 0 . 0.1 0. 1 . 0. 0.7 0. 0. 0.6 1 . 0. 0 1 .00 0. 6 0. 0.1 . 0.7 0.7 0. 7 0. .6 1 . 0. 0 1 . 0 1 . 0.6 0. 0. 1 .00 1 .00 0. 1 .1 0.6 0. 1 . 1 . 0. 1 0 0.6 0. 0. 1 .00 1 .00 0. 1 1 1 .1 1 .6 0. 1 . 1 .7 1 . 1 0.6 0. 0. 0. 0 1 .00 0. 1 1 .1 0.6 0. 0.7 1 . 0. 1 1 .6 0.1 1 . 0. 0 1 .00 0. 1 1 .1 .6 0. 0.7 1 .7 .

1 1 1 .1 1 .7 1 .1 .00 .1 0. 0.1 .00 1 .1 0. 1 .1 0. 0 0.1 1 . 1 .1 1 . 0 1 .1 1 .00 1 .1 1 . 1 .1 1 .00 1 .1 1 . 0.6 0. 0 0.6 0.7 0.6 0. 0 1 .6 0.7

Table 4. Bias of the (n−2)nd half-round approximation as a proportion of the expected bias 1/2w when L_n mod w is fixed, for w = 16. The field δ denotes this proportion; the rows in the table show the difference (L_n − S_{n−1}) mod w. The numbers show the impact the hidden assumptions have on the bias of the (n−2)nd half-round approximation.

Higher Order Differential Attack of a CAST Cipher

Shiho Moriai, Takeshi Shimoyama, Toshinobu Kaneko

(Telecommunications Advancement Organization of Japan)
2 Science University of Tokyo

Abstract. This paper proposes a new higher order differential attack. The higher order differential attack proposed at FSE'97 by Jakobsen and Knudsen used exhaustive search for recovering the last round key. Our new attack improves the complexity to the cost of solving a linear system of equations. As an example we show the higher order differential attack of a CAST cipher with 5 rounds. The required number of chosen plaintexts is 2^17 and the required complexity is less than 2^25 times the computation of the round function. Our experimental results show that the last round key of the cipher with 5 rounds can be recovered in less than 15 seconds on an Ultra station.

Higher order differential attack is one of the powerful algebraic cryptanalyses. It is useful for attacking ciphers which can be represented as Boolean polynomials with low degrees. After Lai mentioned the cryptographic significance of derivatives of Boolean functions in [12], Knudsen used this notion to attack ciphers which were secure against conventional differential attacks [11]. At FSE'97, Jakobsen and Knudsen [7] gave an extension of Knudsen's attacks and broke the ciphers with quadratic functions such as the cipher KN [14] and the scheme by Kiefer [10]. These were provably secure ciphers against differential and linear cryptanalysis. Furthermore, at ISW'97, Shimoyama, Moriai and Kaneko [18] essentially reduced the complexity and the number of chosen plaintexts required for the higher order differential attack of the cipher KN. In this paper we generalize the higher order differential attack described in [18] and apply it to CAST ciphers. CAST ciphers are a family of symmetric ciphers constructed using the CAST design procedure [1] proposed by Adams and Tavares. The design procedure describes that they appear to have good resistance to differential cryptanalysis [5], linear cryptanalysis [15] and related-key cryptanalysis [4]. A known attack on CAST ciphers is the attack which uses weaknesses of non-surjective round functions, and it requires 2^32 known texts for a CAST cipher with 6 rounds [16]. In this paper we demonstrate that some of the symmetric ciphers constructed using the CAST design procedure can be broken by our higher order differential


h ih o

ori i

k sh i h im oy m

osh ino u K n ko

attack if the number of rounds is small. CAST-128 is a famous example of a CAST cipher used in several commercial applications, but this is not our target. CAST-128 seems resistant to our attack.

CAST ciphers use the Feistel structure used in DES. The design procedure allows a wide variety of round functions. It has substitution boxes (S-boxes) with fewer input bits than output bits (e.g. 8 × 32). There are several proposals for S-boxes. For example, [3] suggested constructing the S-boxes from bent functions. Later on, in [6] CAST ciphers with random S-boxes were proposed. In our attack we use the S-boxes proposed for CAST-128 [2] based on bent functions. As for operations used for combining input and subkey or output results of S-boxes, the design procedure describes that a simple way is to specify that all operations are XORs. Although other operations (addition and subtraction modulo 2^32, multiplication modulo (2^32 ± 1), etc.) may be used instead, we assume that the cipher of our target uses XORs for all operations.

We explain the higher order differential attack of this cipher with 5 rounds. We begin by finding the Boolean polynomials of all output bits of the S-boxes. The polynomials show that all degrees are 4. When all operations in the round function are XORs, the degree of the round function is at most 4. If the right half of the plaintext is fixed at any value, the degree of the right half of the 4-th round is at most 16 and the 16-th order differential becomes a constant. Thus we can construct the attack equations for recovering the last (i.e. 5-th) round key. In [7] exhaustive search was used for finding the true key. If their attack were applied to this cipher with 5 rounds, the required complexity would be 2^{…} times the computation of the round function using 2^17 chosen plaintexts. Our new attack can recover the last round key by solving the linear system of equations. As a result, the required number of chosen plaintexts is 2^17 and the required complexity is reduced to less than 2^25 times the computation of the round function. Our experimental results show that all last round key bits of the cipher can be recovered in less than 15 seconds on a Sun Ultra 2 workstation (UltraSPARC 200 MHz).

a 2

r

ar s

to d dd s s c l

l

a

l

to 2 (2) (2) X

(2) (2) c

(2) c

d d s

s (2)

s

l

l

d

(2) X d X

(2) X s

s

l

2l d s

c

s c s

l

d

ss

d s

d

(2) s

c d d

2

X −

s

d

s



(2) X



d

0 2 0

0

igh r r r iff rnti l tt k of

(2) X c

(2) c

to 3

X X

eg ( )

d

X

c :

s s c

d

s s X

s

c

( c

c

d

(X X

s c

c

c

0) s



X

s

)

19

dc c dd s c

s

d

d

to

X

X

c

(2)

s

c s c d

iph r

s

X s c

c

s

c

c

c

c

c

sc

d

c

or n iter te lo k iph erwith lo k si e 2 its n keysi e its we e2 note pl intext y ( 2 − ) (2 ) key y ( 0 − 0) 2 ) (2 ) . h e iph er text (2) n iph ertext y (2 − 0 isrepresente y ve tor oole n un tion ( ) (2 − ( ) 2 )) X wh ere X n re setso vri les X 0( 2 − 0 . oor in t e ool e n un tion o ( ) is oole n − 0 un tion ( ) on X wh en isfi xe . n gener l ( ) isrepresente s ollows ( ) wh ere

• • −•



d ( )





0

( )

( )

( )







(

(2) 2 s c c sd s c X ⊆

s

(



2 −

d d s

s ( )

X

• • −•

( )

is0or1. to d

d



to 6 2 −

0)



d s

(

)

− •−•

d

( ))



d d d

d d

(2) 2 s c

d

c

c

s •

(





2 −

X

s c





0)


h e ollowing propositions re known on th e h igh er or er ifferenti l o oole n un tions. rop os t o ⊆

12 (2) 2 •



rop os t o eg ( ( ))

(

• ••

1



d

)



(2) 2



d

d

s

•• •

tta



( )



22

(2) 2

ds

ro

( )

• •

( )

0

ur

The following is the attack procedure of our higher order differential attack of an iterated block cipher with block size 2… and … rounds. Let … be the …-th round subkey and each subkey be … bits, i.e. … = (…, …, …). Let … be the set of variables of …, i.e. … = {…, …, …}. Here we describe the "(… − 1)-round attack", where we find a certain constant value which is independent of the key (e.g. the higher order differential of the output of the (… − 1)-th round) and construct the attack equations for recovering the last round key. Of course a "(… − 2)-round attack" is possible, though solving the attack equations becomes rather difficult. We assume that the attacker has or can compute all chosen plaintexts in … and the corresponding ciphertexts, where … is the total degree of the output of the (… − 1)-th round and … is any value in GF(2)^{2…}. For some block ciphers the total degree of the output of the (… − 1)-th round may be difficult with choices of … and …. However we don't consider it in this paper. Even if the algorithm of the cipher is not open (i.e. if it is a black box), our attack is applicable when we know the total degree of the output of the (… − 1)-th round by some way. In this case we start from step 2.

Step 1: … of round function. In attacking iterated ciphers by higher order differential attacks it is useful to represent the round function by Boolean polynomials. We can get the degree over GF(2) of each output bit of the round function from these polynomials. The information on which terms are included in the polynomials is also helpful in step 3. We begin by representing S-boxes by Boolean polynomial functions. When the description of the S-boxes is not given as some algebraic expressions, we construct Boolean polynomial functions from the description tables (see Section 4.1).


Step 2: Computing the higher order differential of the output of the (… − 1)-th round. Our higher order differential attack is possible for an integer 1 ≤ … ≤ 2… when the …-th order differential of the output of the (… − 1)-th round is a certain constant value which is independent of the key. When is this condition true? One is when the degree of the output of the (… − 1)-th round is … − 1. Another is when the input and subkeys are combined with XOR simply and the degree of the output of the (… − 1)-th round is …. In this case the total degree of the output of the (… − 1)-th round with respect to … is equal to the total degree with respect to … and (…, …, …) before the degree reaches 2… (see [18], Proposition 1). In these cases the …-th order differential of the output of the (… − 1)-th round can be computed by using Proposition 1 without knowing the true key.

Step 3: Constructing attack equations for recovering the last round key. We give the details in the case of a Feistel cipher. Let … = (…, …) and … = (…(…), …(…)), where … denotes the left half of the plaintext, … denotes the right half, … denotes the Boolean polynomial function of the left half of the ciphertext and … denotes the vector Boolean polynomial function of the right half. Let ˜…(…) be the vector Boolean polynomial function of the right half of the output of the (… − 1)-th round. Then we have

( ))

( )

˜ ( )

th e -th or er ifferenti lo ˜ ( ) is onst nt we h ve th e ollowingequ tion n ny (2) 2 . orline rly in epen ent ⊆ (2) 2 (





( ))

( )





˜ ( )





(

)

we h ve ll pl intextsin n orrespon ing iph ertexts we o t in th e ollowingequ tion y om putinge h term using roposition 1. • • • • ( ( )) ( ) ˜ ( ) (1) •• •



•• •







th e tot l egree o is ( 1) equ tion (1) h s egree −1 with respe t to . h isis e use we n rewrite th e fi rstterm o equ tion (1) s ollows. ( h e fi rstor er ifferenti l o un tion o egree h s egree − 1.) • ( ( )) •

•• •

•• •



•• •



•• •

( \{



( )) (

(

( ))

( )) (

( ))



\{

( \{

( ))

(

( )

( ))


Since … is a vector Boolean function composed of … coordinate Boolean functions, equation (1) forms the system of algebraic equations of degree … − 1 with … unknowns. (Note that … is the number of bits of the last round key ….) We have some ways to solve the system of algebraic equations, and in this paper we take a similar way as the one described in [8]. That is, we transform it to the system of linear equations where we regard all monomials on … in equation (1) as independent unknown variables. Hereafter … denotes the number of the unknown variables. When … = 2 the unknown variables are …, …, … and … = …. When … = 3 the unknown variables are …, …, …, …, …, … and … = … + …. Similarly, when … ≥ 3, … is at most … when the total degree of … is …. Actually … is much smaller than this upper bound, because coefficients of some of the unknown variables cancel each other out or because some of these unknown variables don't exist for some …. Finding a small … is important for reducing the complexity. General theory on a tighter upper bound of … will appear in another paper.

If the number of unknown variables of the linear equations (…) is larger than …, we have to set up equations (1) using plaintexts in different …-dimensional spaces to determine … unknowns. However, this does not increase the required number of chosen plaintexts by …/… times, because some plaintexts can be used repeatedly. That is, for an integer …, we can obtain … different …-dimensional vector spaces from a …-dimensional vector space. Therefore, if we let … be the smallest … s.t. …, then the required number of the chosen plaintexts is at most 2^{…}.

2.3 Comparison with Jakobsen and Knudsen's Attack

In this section we compare the complexity of our higher order differential attack with Jakobsen and Knudsen's attack [7]. The dominant complexity is setting up the system of linear equations, i.e. computing the coefficients (see also Section 4.3). For the second and third terms of equation (1), … × 2^{…} times the computation of the round function is needed. For the first term of equation (1), at most (… + 1) × 2^{…} times the computation of the round function is required. Therefore, the required complexity is at most (… + 1) × 2^{…}. On the other hand, the required complexity for Jakobsen and Knudsen's attack [7] was 2^{…} [7, Theorem 1]. Since … ≤ … and 1 ≤ … ≤ 2…, the complexity is reduced.

The family of the ciphers constructed using the CAST design procedure [1] are known as CAST ciphers, and [1] describes that they appear to have good resistance to differential cryptanalysis [5], linear cryptanalysis [15] and related-key cryptanalysis [4].

There is another way of computing the coefficients of the terms of degree … − 1 with less complexity (Appendix B).


Fig. 1. Round function

CAST ciphers are based on the framework of the Feistel cipher. The round function is specified as follows (see also Fig. 1). A 32-bit data half is input to the function along with a subkey. These two quantities are combined using operation "a", and the 32-bit result is split into four 8-bit pieces. Each piece is input to a different 8 × 32 S-box. S-boxes … and … are combined using operation "b"; the result is combined with … using operation "c"; this second result is combined with … using operation "d". The final 32-bit result is the output of the round function. The design procedure allows a wide variety of possible round functions, S-boxes and operations (a, b, c and d). As for S-boxes, [3] suggested constructing the S-boxes from bent functions. Later on, in [6] CAST with random S-boxes was proposed. In our attack we use the S-boxes based on bent functions proposed for CAST-128. As for operations, a simple way to define the round function is to specify that all operations are XORs, which is addition on GF(2), although other operations may be used instead. Actually, according to [1], some freedom in the choice of operation "a" can conceivably give intrinsic immunity to differential and linear cryptanalysis. The immunity to higher order differential for choices of operations (a, b, c and d) will be discussed in Section 5. As for the number of rounds, it seems that the design procedure doesn't specify a concrete number. However, in [1] it is described that CAST ciphers possess a number of improvements compared to DES in both the round function and the key schedule which provide good cryptographic properties in


fewer rounds than DES. There are also several key schedules for CAST ciphers, but for the purpose of our attack the key schedule makes no difference.

4.1 Boolean Polynomials of S-boxes

We begin by representing S-boxes by Boolean polynomial functions. We use the S-boxes proposed for CAST-128. The description of the S-boxes is given by tables. One way to construct them can be seen in [19]. Another, more efficient method using matrix transformation is also known. The obtained Boolean polynomials of the S-boxes occupy a lot of space and we show those of only some bits of S1 in Appendix A. From the obtained Boolean polynomials, it is confirmed that all the degrees of all output bits of all S-boxes are 4, which doesn't contradict the property of bent functions (the degree of a bent function GF(2)^{2…} → GF(2) is at most …). When the operations a, b, c and d are XORs, all the degrees of all output bits of the round function are at most 4. We discuss the higher order differential attack of this cipher with 5 rounds.

4.2 Attack Equations for Recovering the Last Round Key

If the right half of the plaintext is fixed at any value, the degree of the right half of the 4-th round ˜…(…) is at most 16 and the 16-th order differential of ˜…(…) becomes constant. Therefore we can compute it without knowing the true key, and we have the following attack equations for recovering the last round key. • • • ( ( )) ( ) ˜ ( ) (2) •

•• • •

wh ere



˜

(2) 3 2

•• • •

(2) 3 2

n



•• • •

(2) 3 2 .

As we described in Section 2.2, since the total degree of … is 4, equation (2) has degree 3 with respect to …. It follows that equation (2) forms a system of equations of degree 3 with 32 unknowns. Hereafter we write … for … for simplicity. Here we transform the system of equations of degree 3 to a system of linear equations with … unknowns. For decreasing the complexity it is important to find … as small as possible. In this paper we find a small … by considering the structure of the round function of CAST ciphers. The output of the round function … is the sum (XOR) of the outputs of …, …, … and … whose sets of input variables are disjoint, i.e. the set of input variables of … is {…}, that of … is {…}, that of … is {…} and that of … is {…}.

1 For example, CAST-128 is a 12 or 16 round Feistel cipher [2].


Consequently, all the terms included in equation (2) are products of variables from one of the sets above. Therefore, equation (2) is transformed to the system of linear equations below with the following … unknown variables, where … = 32 + (4 × C(8,2)) + (4 × C(8,3)) = 368.

•0 •• egree-1

3

• •0

0 2

30 3

•• egree-2

32



• •0

2

• • • •

00

.. . 3

0

0

0

.. . 3

0

..



.. .

. 3





• • • • •

.. . 3 0 0 2

.. .

30 3 0 0

2

2

.. .

2 •

30 3







0

• • • • • • • • • • • • • • • • • • • • • •

3

•• egree-3







0

3

• • • • • • • • • • • • • • • • • • • • • •



0



• • • • • .. • • .• 3

30 3

We need … equations to determine the … unknown variables. However, since … and ˜… are vector functions composed of … (= 32) functions, only … equations are obtained from equation (2). Therefore we have to compute equation (2) for … (= ⌈368/32⌉ = 12) different …. This does not increase the required number of chosen plaintexts by as many as … (= 12). Because we take … ⊆ … (… = 17) and … different … from it, it only doubles the required number of chosen plaintexts. In order to set up the system of linear equations above, we compute a … × … coefficient matrix described below, where … = …. We prepare a … × … coefficient matrix because an … × … matrix is not always normal. Our experimental results show that 32 × 12 is enough to determine the key. How to compute the coefficients … and … in the matrices is as follows. Here we describe the computation of only the coefficients of the upper 32 rows. The remaining coefficients can be computed using 11 different … in the same way.


00

• • • • • • • • • • • • • • • • • • • • • • • • • •

.. . 3

.. . .. . .. . .. . .. .


0

0

0

.. .

0

3



− 0



.. .

..

..

.. .

ll oeffi ients

..

.

(0





.. . .. . .. . .. . .. .

.



.



.. .



n





• • • • • • • • • • • • • • • • • • • • • • • • • •

• • • • • • • • • • • • • • • • • • • • • •

3 0 0 2

.. .

30 3 0 0

2 3

.. .





• • • • • • • • • • • • • • • • • • • • • •

• • • • • • • • • • • • • • • • • • • • • • • • • •

30 3

0

.. . 3

.. . .. . .. . .. . .. . −

.. .

• • • • • • • • • • • • • • • • • • • • • • • • • • •



y using (

(

))

(3 )

•• • •

) is s ollows ¯• ¯• (0

(0 (

.. .

2

¯•

wh ere ¯ Let

0



n e om pute • •

wh ere



.. . 3

.. . .. . .. . .. . .. .

− 0


1 0

0) 3

(0 (3 2 (1 (

¯•

¯• 0)

¯• (2) 3 2

3 2) 1 ) ) )

(2) 3 2 n 0 3 1. 2 3 ) . is om pute s ollows • • ( ) ˜ ( ) •

•• • •

()

•• • •



LetA ( 0 ) (0 ) . lem entso A re oeffi ients 3 o th e unknown vri le lo te tth e -th row. W h en 0 3 2 A is olum n ve toro oeffi ientso . h ere ore A is om pute s ollows A W h en A is olum n ve toro A is om pute s ollows A

oeffi ientso •





i.e. wh en 3 2

1



When A is a column vector of coefficients of … (i.e. when … ≤ … ≤ … − 1), A can be computed similarly. We have another method with less complexity in Appendix B.

4.3 Complexity

This section discusses the required complexity for our higher order differential attack. Most of the execution time is spent in the following procedures: computing ciphertexts' higher order differentials; computing all coefficients in the system of linear equations; solving the linear equations.

Computing ciphertexts' higher order differentials. In order to compute equation (…) we have to prepare 12 sums of 2^16 ciphertexts (= output of the 5-th round) and output of the 4-th round. This can be done with 2^17 ciphertexts and output of the 4-th round as explained in the previous section. Therefore, the required complexity is 5 × 2^17 times the computation of the round function. Note that we assume that working out the sum (i.e. XOR) is negligible compared with the computation of the round function.

Computing all coefficients in the system of linear equations. All coefficients in the system of linear equations can be computed by computing equation (3) for … (0 ≤ … ≤ 368). Therefore, the required complexity is (368 + 1) × 2^17 times the computation of the round function. This is the dominant part of the higher order differential attack. Since in [7] Jakobsen and Knudsen describe that the average complexity was 2^{…} × 2^17, our attack has achieved a speedup by 2^{…} times.

Solving the linear equations. We use Gauss-Jordan's elimination method for solving the linear equations. The size of the matrix is … × …, where … = 384 and … = 368. The required complexity is negligible compared with the computations above.

Consequently, the total complexity is (5 + 368 + 1) × 2^17 ≈ 2^{25.5} times the computation of the round function. The way to reduce the complexity by half is in Appendix B.

4.4 Experimental Results

Our experimental results showed that all last round key bits of the cipher with 5 rounds could be recovered in 13.79 seconds (average time of 100 trials) on a Sun Ultra 2 workstation (UltraSPARC 200 MHz). Table 1 shows an execution profile of the program produced by gprof, which is a GNU command to display call-graph profile data.

In this section the immunity to higher order differential attack for choices of S-boxes and operations (a, b, c and d) is discussed. Section 4 showed that a CAST cipher with 5 rounds which uses the S-boxes proposed for CAST-128 and XORs for all operations (a, b, c and d) can be broken


Table 1. Execution profile of the program

procedures                                            time       ratio
computing ciphertexts' higher order differentials     0.83 s     6.0%
computing all coefficients in the linear equations    12.92 s    93.7%
solving the linear equations                          0.04 s     0.3%
total                                                 13.79 s    100%

by our higher order differential attack. Since the degrees of the S-boxes for CAST-128 are 4, the cipher can be broken up to only 5 rounds. However, if the degree of the round function is lower, the cipher could be broken up to a larger number of rounds. In [6] CAST ciphers with random S-boxes are proposed, and we must be careful of the degrees of the S-boxes in such cases. Note that it is shown in [13] that when randomly generated S-boxes are used, the resulting cipher is resistant to both differential and linear attack.

Let's discuss other choices of operations (a, b, c and d). Some modifications of operation "a" are proposed in [1]. One example is the insertion of a key-dependent rotation, which is used in CAST-128, i.e. …(…, …) = ((… + …1) <<< …2), where …1 is a 32-bit key, …2 is a 5-bit key and <<< is the rotation specified by …2. If only operation "a" is extended to addition and rotation and "b", "c" and "d" are still XORs, the cipher with 5 rounds of our target can be broken by our higher order differential attack, though the complexity increases (a rough estimate is 2^{…}). There are some ways to strengthen CAST-like ciphers against the higher order differential attack. One is the increase of the number of rounds. Another is the mixture of using operations on different groups (e.g. XOR and addition (or subtraction) modulo 2^32) for "a", "b", "c" and "d". This makes the degree higher so sharply that it seems difficult to cryptanalyze by the higher order differential attack at this stage. Actually, this idea is used in CAST-128 and Blowfish [17]. Moreover, Blowfish uses key-dependent S-boxes. However, note that these ways are not sufficient conditions to be immune to the higher order differential attacks. How to prove the security against higher order differential attacks is open.

We would like to thank the referees for many comments. We also thank Serge Vaudenay for essential advice which can improve our attack, and Bruce Schneier and Kazumaro Aoki for helpful suggestions for improving the paper.

References

1. C. Adams, "Constructing Symmetric Ciphers Using the CAST Design Procedure," Designs, Codes and Cryptography, Vol. 12, No. 3, Nov., pp. 283-316, Kluwer Academic Publishers, 1997.
2. C. Adams, "The CAST-128 Encryption Algorithm," Request for Comments (RFC) 2144, Network Working Group, Internet Engineering Task Force, May 1997.
3. C. Adams and S. Tavares, "Designing S-boxes for Ciphers Resistant to Differential Cryptanalysis," in Proceedings of the 3rd Symposium on State and Progress of Research in Cryptography, pp. 181-190, 1993.
4. E. Biham, "New Types of Cryptanalytic Attacks Using Related Keys," Advances in Cryptology - EUROCRYPT '93, Lecture Notes in Computer Science 765, pp. 398-409, Springer-Verlag, 1994.
5. E. Biham and A. Shamir, "Differential Cryptanalysis of DES-like Cryptosystems," Journal of Cryptology, Vol. 4, No. 1, pp. 3-72, Springer-Verlag, 1991.
6. H. M. Heys and S. E. Tavares, "On the Security of the CAST Encryption Algorithm," Canadian Conference on Electrical and Computer Engineering, pp. 332-335, 1994.
7. T. Jakobsen and L. R. Knudsen, "The Interpolation Attack on Block Ciphers," in Proceedings of Fast Software Encryption Workshop '97, pp. 28-40, 1997.
8. T. Kaneko, "A Known-Plaintext Attack of FEAL-4 Based on the System of Linear Equations on Difference (extended abstract)," Advances in Cryptology - ASIACRYPT '91, Lecture Notes in Computer Science 739, pp. 485-488, Springer-Verlag, 1993.
9. T. Kaneko, "Known Plaintext Cryptanalytic Attack of FEAL-4 (in Japanese)," IEICE Trans., Vol. J76-A, No. 5, May, pp. 781-786, 1993.
10. K. Kiefer, "A New Design Concept for Building Secure Block Ciphers," in Proceedings of PRAGOCRYPT '96, pp. 30-41, CTU Publishing House, 1996.
11. L. R. Knudsen, "Truncated and Higher Order Differentials," Fast Software Encryption - Second International Workshop, Lecture Notes in Computer Science 1008, pp. 196-211, Springer-Verlag, 1995.
12. X. Lai, "Higher Order Derivatives and Differential Cryptanalysis," Communications and Cryptography, pp. 227-233, Kluwer Academic Publishers, 1994.
13. J. Lee, H. M. Heys and S. E. Tavares, "Resistance of a CAST-Like Encryption Algorithm to Linear and Differential Cryptanalysis," Designs, Codes and Cryptography, Vol. 12, No. 3, Nov., pp. 267-282, Kluwer Academic Publishers, 1997.
14. K. Nyberg and L. R. Knudsen, "Provable Security Against a Differential Attack," Journal of Cryptology, Vol. 8, No. 1, pp. 27-37, Springer-Verlag, 1995.
15. M. Matsui, "Linear Cryptanalysis Method for DES Cipher," Advances in Cryptology - EUROCRYPT '93, Lecture Notes in Computer Science 765, pp. 386-397, Springer-Verlag, 1994.
16. V. Rijmen, B. Preneel and E. De Win, "On Weaknesses of Non-surjective Round Functions," Designs, Codes and Cryptography, Vol. 12, No. 3, Nov., pp. 253-266, Kluwer Academic Publishers, 1997.
17. B. Schneier, "Description of a New Variable-Length Key, 64-bit Block Cipher (Blowfish)," Fast Software Encryption - Cambridge Security Workshop, Lecture Notes in Computer Science 809, pp. 191-204, Springer-Verlag, 1994.
18. T. Shimoyama, S. Moriai and T. Kaneko, "Improving the Higher Order Differential Attack and Cryptanalysis of the KN Cipher," in Pre-Proceedings of 1997 Information Security Workshop, pp. 1-8, 1997 (to appear in Lecture Notes in Computer Science, Springer-Verlag).
19. T. Shimoyama, S. Amada and S. Moriai, "Improved Fast Software Implementation of Block Ciphers (extended abstract)," ICICS '97, Beijing, Nov. 1997, Lecture Notes in Computer Science 1334, pp. 269-273, Springer-Verlag, 1997.

Appendix A. Boolean Polynomials of S-boxes

Due to limitations of space, we show the Boolean polynomials of only 4 bits from the least significant bit of S-box S1 of CAST-128. Those of all S-boxes of CAST-128 can be downloaded from …. We used the computer algebra system Risa/Asir to find them.



•2

•3


Higher Order Differential Attack of a CAST Cipher 31

• i• • i• • i•

n e tion .2 it is es ri e om put tion o

th t in or er to om pute ll oeffi ients th e 7

(

(

))

(5 )

or( 1) isrequire . owever th ere is noth erm eth o o om putingth e h less om plexity. h e pointis oeffi ientso th e term so egree 3 • • • wit th e oeffi ientso th e term so egree 3 • • • isline rto th e inputo . Let • ( )) • • • (6) • • • ( •• • •



e term o th e inputo

egree 3 in equ tion (2) . h e egree o • • • is1 with respe tto sin e th e egree o is . h ere ore we h ve • • •

( )

A

B•

• • •

(7)

• •

The coefficient of (6), which is what we want, is rewritten as follows. • • ( )) (A • • • ( ) B • • • ) • • • ( •

•• • •

•• • •



Here we define



()

(

(

)

A

• • • •

B•

• •

• • • •

where

• • •

• •





B•

• •

• 0 ()

From equation (5) we have

• • •

( )

The first and second terms are computed ( )

...

•• • •

• • •

• • •



)

•• • •





s



• • •

( ) ( ) ( ) ( )

B•

• •

as follows

( ) • ( ) • • ( ) • ( ) • •



(0

1

(0

1

(0 (0

1 0)







1 •

1

( ) • • ( ) ( ) • ( ) • • ( ) • • ( ) ( ) ( ) • •

• •

1 0)

0)

(2) 3 2

(2) 3 2

0) (2) 3 2 (2) 3 2

The complexity required for this method is (12 1) × ( 1) times the computation of the round function. When we use this method the total complexity is (5 1 1) × 2 7 13 × (3 6 1) 22 times the computation of the round function.

Cryptanalysis of TWOPRIME

Don Coppersmith (IBM Research), David Wagner (U.C. Berkeley), Bruce Schneier and John Kelsey (Counterpane Systems)
{schneier,kelsey}@counterpane.com

• • •••• • •• i ng t l 9 p op o t g n to on v lly . p nt v l tt k . i t o v th t th no n u j ti vi ty o li n o i n ti o n t p llo u to ov h l th k y i th i ni l o t. xt h o th t th v i o u yt i n u intly i x y th ly n li ng n tt k i i l to th o o n t o lo o p i g n i ph to o v th i n o th k y. o i ni ng th t h ni qu l t u o v th nti O k y. qui th g n to to p o u 2• • lo k (2• • y t ) o 1 9 h o u o th o o utp ut o h ih x i n o ut o n i lli o n lo k (2• • y t ) th ti o n . no th o p ut ti o n l o k lo n ti t t 2• • o p t o tt k t o t xt o ti ui ng th o unt o k no n pl i nt xt n to ju t i g h t lo k (64 y t ) h i l n i ng 2• • ti •• n 2 p . l o h o h o to k t o v int o O p nt i n th o i gi n lp p .

The TWOPRIME stream cipher [DNRS97], introduced at FSE '97, uses a 128-bit key to generate 64-bit blocks of output at each time step; these output blocks are exclusive-ORed onto the plaintext to produce ciphertext. At a high level, TWOPRIME consists of a keyed (non-bijective) cryptographic function with 64-bit inputs and 64-bit outputs which is used in a counter-like mode to generate keystream output. The algorithm has ten layers; the first layer is driven by a counter, and the output of each layer becomes the input to the next. We exploit weaknesses of two of the layers to produce several different attacks against the scheme. Our conclusion is that there are too few layers of cryptographic strength. One of the main contributions of the TWOPRIME work is that the algorithm was designed so that one could prove certain statements about the security of the cipher: it has high linear complexity, good cycle length, good resistance to LFSR synthesis attacks, and so on. Nonetheless, despite the proofs of various security properties, in this paper we show how to break TWOPRIME very efficiently.¹



¹ Note that it is possible to prove that using any block cipher in counter mode has good linear complexity and good cycle length, at least in the sense that [DNRS97] proved for TWOPRIME, so in that respect the proofs are perhaps not terribly meaningful.

Cryptanalysis of TWOPRIME 33

Our attacks fall into two natural categories. The first three attacks (discussed in Sections 4–7) recover half of the key (namely K_3, K_4). The second category (Sections 8–9) includes two techniques which identify the remainder of the key (K_1, K_2) once we have found K_3, K_4. The rest of the paper is organized as follows. In Section 2 we review the TWOPRIME scheme. In Section 3 we give some preliminary remarks which will be useful in the cryptanalysis. Section 4 gives a very easy attack to recover half of the key, based on the linear map of layer 7 failing to be surjective. Section 5 shows another attack that reduces the plaintext requirements; the cost of this improvement is an increase in the amount of offline computation required. Exploiting the periods of the counters, Section 6 gives a more complicated attack to recover K_3, K_4 based on the two counters having periods p_1 and p_2 respectively. The probabilistic analysis backing up this attack is mentioned in Section 7. In Sections 8 and 9 we finish with two attacks which can be used to recover the remainder of the key in a more mundane manner. Section 10 discusses some of the computational requirements of each attack. Sections 11 and 12 discuss variants of the original scheme and some attacks on those variants. Conclusions are saved for Section 14.

2 The TWOPRIME Scheme

TWOPRIME [DNRS97] uses a 128-bit key to generate 64-bit blocks of output at each time step; these output blocks are exclusive-ORed onto the plaintext to produce ciphertext. At a high level, TWOPRIME consists of a keyed function F_K : Z_256^8 → Z_256^8 and a custom mode for using F to generate keystream output. The mode is somewhat similar to counter mode: the input to F comes from two independent 32-bit counters. Each counter is initialized with a key-dependent value and is stepped by adding a public constant and then reducing modulo a public 32-bit prime. The key, consisting of 16 bytes k_0, ..., k_15, is divided into four 32-bit parts, named K_1, K_2, K_3 and K_4, with the convention that K_1 and K_2 are 32-bit integers built from the key bytes k_8, ..., k_15, while K_3 = (k_0, k_1, k_2, k_3) and K_4 = (k_4, k_5, k_6, k_7).

The algorithm has ten layers, which we will describe. The output of each layer becomes the input of the subsequent layer. With one exception, each output consists of eight bytes and so is an element of Z_256^8. The scheme is depicted graphically in Figure 1. The first layer involves two primes p_1 = 2^32 − 17 and p_2 = 2^32 − 5 and two fixed public integers a_1 and a_2. At time step t the output of the first layer is the two 32-bit integers r_1 = a_1 t + K_1 (mod p_1) and r_2 = a_2 t + K_2 (mod p_2). Each is broken into four 8-bit bytes, yielding a total of eight bytes of output.

34 Don Coppersmith, David Wagner, Bruce Schneier, and John Kelsey

Fig. 1. The structure of the TWOPRIME ciphering algorithm (labels recovered from the figure: initial keys K_i, the two (p_i, a_i) counters, the byte permutation S, key additions, the linear permutation, the compression function b, and the final xor of the keystream with the plaintext block to give the ciphertext block).

In the second layer each byte x is replaced by S(x) = (x^{-1} mod 257) mod 256. It happens that S is its own inverse: S(S(x)) = x. The third layer involves addition (mod 256) of the key bytes constituting K_3 and K_4. The fourth layer is a "linear permutation": if x_0, ..., x_7 are the inputs to this layer, the outputs are

y_j = (Σ_{i=0}^{7} x_i) − x_j (mod 256).

This is intended to mix the bytes; however, as we shall see, it is too weak. The only interaction between the various bytes x_i is through the single byte Σ_i x_i (mod 256), and when that byte is controlled the mixing is ineffective. The fifth layer involves addition (mod 256) of the key bytes constituting K_3 and K_4. The sixth layer is a non-linear expansion: each byte x is expanded to the concatenation of four bytes S_i(x), where the S_i are four different nonlinear permutations on Z_256. The output of this layer is 32 bytes. The seventh layer applies a linear compression to reduce these 32 bytes back to 8 bytes; that is, a fixed public 8 × 32 matrix b_ij maps Z_256^32 to Z_256^8. Upon an input (X_0, ..., X_31) the linear transform b produces the output (Y_0, ..., Y_7) = b(X_0, ..., X_31) according to the equation (1), in which the additions are of bytes (mod 256) and the indices of the X terms are garbled in this copy:

Y = X + X + X + X + X6 + X + X + X ,
Y = X + X6 + X + X + X 7 + X + X + X ,
Y = X + X7 + X + X + X + X + X 6 + X ,
Y = X + X + X + X + X + X + X7 + X ,   (1)
Y = X 6 + X + X 6 + X + X + X6 + X + X ,
Y = X7 + X + X7 + X + X + X + X + X ,
Y6 = X + X + X + X + X + X + X + X ,
Y7 = X + X + X + X + X + X + X7 + X .

The eighth layer applies the permutation S to each byte, and in the ninth layer bytes from K_3 and K_4 are exclusive-ORed into the bytes. The tenth round consists of exclusive-ORing these 8 bytes (the output of the ninth round) onto the plaintext to produce the ciphertext, or (in the case of decryption) onto the ciphertext to recover plaintext. Let us denote by x_i^j (0 ≤ i ≤ 7, 1 ≤ j ≤ 10) the ith byte of the output of the jth round. (For j = 6 we will allow 0 ≤ i ≤ 31.) If the time step t is important we will write x_i^{j,t}. The notation x^j will mean the whole 8-tuple of bytes x_i^j, 0 ≤ i ≤ 7.

During most of the rounds the various bytes remain separate. During the first round, four bytes are output from one 32-bit word and four bytes from another. The fourth round combines bytes with a linear map, but (as has been remarked) this does a weak job of mixing them. The seventh round combines pieces of the various bytes much more thoroughly, but only with a linear transformation. Also, the seventh round lies close to the surface, which lets us exploit the lack of diffusion in the rest of the cipher.

The designers explain that the internal structure of TWOPRIME (i.e. the function F) was chosen to resist inversion attacks (where one tries to use the output of F to work backwards). Two of our attacks succeed exactly because we can work backwards from the output of F. In fact, we use the non-invertibility of F to our advantage in Sections 4–5. Because F is not bijective, not all intermediate values are possible. In particular, the combination of the sixth and seventh layers forms a non-surjective function, so not all 64-bit values are attainable as the output of the seventh layer. This does not depend on K_1, K_2. We show that layers 8–10 depend only on K_3, K_4, so we can isolate them and attack them standing alone. Later we can use K_3, K_4 to peel off layers 8–10 and use separate techniques (Sections 8–9) to recover the remainder of the key (K_1, K_2).

The linear combination step (layer seven) suffers from the following irregularity. Denote by τ the 8-vector ⟨1, 1, 1, 1, −1, −1, −1, −1⟩. The matrix b_ij obeys Σ_i τ_i b_ij = 0 (mod 256) for all indices j. This implies that

Σ_{i=0}^{7} τ_i x_i^7 = 0 (mod 256).   (2)

We can use this information and a few known outputs of the stream cipher to recover half of the key (K_3, K_4). For each byte position i we have

x_i^7 = S(x_i^8) = S(x_i^9 ⊕ k_i),

recalling that S is its own inverse. For each i this gives a fixed mapping from x_i^9 to x_i^7, independent of time and of the other bytes. Denote by y_ij the unknown quantity y_ij = S(j ⊕ k_i). The block of output at time t gives us the value of x_i^{9,t}; if x_i^{9,t} = j then x_i^{7,t} = y_ij. So (at time t) we obtain a linear equation relating these quantities:

0 = Σ_{i=0}^{7} τ_i x_i^{7,t} = Σ_{i=0}^{7} τ_i y_{i, x_i^{9,t}} (mod 256).

If we obtain about 2048 blocks (16,384 bytes) of output we will have 2048 linear equations in the 2048 unknowns y_ij, 0 ≤ i ≤ 7, 0 ≤ j ≤ 255. Because of homogeneity these equations will not be independent, and for fixed i we can recover y_ij only up to an unknown multiplicative and additive shift:

y_ij = α_i z_ij + β_i (mod 256)   (3)

with z_ij known but α_i, β_i unknown. But this is clearly enough information to recover the unknown key byte k_i using a few hundred operations of trial-and-error. For each possible value of k_i, encrypt the 256 values j = x_i^9 into y_ij = S(j ⊕ k_i) and check against (3). The correct k_i will be compatible with (3) and only a few others will be; a few more trial decryptions should rule out the false alarms.

Having determined (k_0, ..., k_7) = (K_3, K_4) we still have to find K_1 and K_2. This seems to be more expensive (and less interesting). As a way of finding these we can use 2^32 operations and just a few known outputs of the stream cipher, using the methods of Sections 8–9.

The present attack does require about 2048 blocks (16,384 bytes) of stream output. These known plaintext requirements are not onerous, but it is possible to reduce them even further with meet-in-the-middle techniques, which we discuss next.

In this attack we take advantage of the non-surjectivity of layer seven in a different way. It is essentially a meet-in-the-middle attack, taking advantage of unattainable values at the output of the seventh layer. Roughly speaking, we guess (K_3, K_4) and work backwards from a block of known keystream to find the output of the seventh layer, using unattainable values to rule out incorrect guesses at (K_3, K_4). This would take 2^64 time to implement as stated; however, we have an optimization (again based on meet-in-the-middle techniques) to reduce the complexity to 2^32. We rely on the crucial observation (2). If we take some keystream block x^9, then inverting layers 8–9 shows that x_i^7 = S(x_i^9 ⊕ k_i). Plugging into (2) gives us a relation that the correct value of the key k_0, ..., k_7 must satisfy. So the attack proceeds as follows. Define

g(K_3, y_0, ..., y_3) = Σ_{i=0}^{3} S(y_i ⊕ k_i) (mod 256)

n o i tu ti on ov i ng ju t (K• , K• ) i ght gi v u no ug h i no ti o n to p it o k y t o k y t lo k n p it th i g h th ui ng (2). o v n o uh tt . on ph qui i t o o k ut i ti

on i v ly u y t gi vn unk no n y t h ll ov ti ll il .

. t ll th i ny v n y t i th t i nty y i ng (K• , K• ) i n

and similarly define

h(K_4, y_4, ..., y_7) = Σ_{i=4}^{7} S(y_i ⊕ k_i) (mod 256).

Suppose we obtain eight known keystream blocks x^{9,0}, ..., x^{9,7}, and let

ḡ(K_3) = (g(K_3, x_0^{9,0}, ..., x_3^{9,0}), ..., g(K_3, x_0^{9,7}, ..., x_3^{9,7})),
h̄(K_4) = (h(K_4, x_4^{9,0}, ..., x_7^{9,0}), ..., h(K_4, x_4^{9,7}, ..., x_7^{9,7})).

Note that for the correct value of (K_3, K_4) we have ḡ(K_3) = h̄(K_4). Once things are formulated in the language of meet-in-the-middle attacks, it should be clear how to recover (K_3, K_4) with standard techniques. (Here the "middle" of the meet-in-the-middle attack will be the 64-bit value characteristic of the output of the seventh layer.) We look for matches ḡ(K_3) = h̄(K_4); i.e., first, for each guess at K_3 we compute ḡ(K_3) and store the pair (ḡ(K_3), K_3) in a hash table indexed on the first coordinate of the pair. After enumerating all 2^32 possibilities for K_3 we will have constructed a hash table of size 2^32. Then for each guess at K_4 we compute h̄(K_4) and look it up in the hash table. If we find a match ḡ(K_3) = h̄(K_4), then with high probability we will have obtained the correct values of (K_3, K_4). We need eight keystream blocks to ensure that the test will eliminate nearly all incorrect values. One can count the number of false alarms by counting the number of solutions a, b to ḡ(a) = h̄(b). Because S is highly non-linear, we are justified in expecting the functions ḡ, h̄ to behave roughly like random functions of the form Z_256^4 → Z_256^8. Combining this heuristic with the standard collision estimate, we find that the probability of generating a false alarm is 1 − e^{−1} ≈ 0.63 and the expected number of false alarms is 1.

To aid the intuition, we can think of the present attack as applying meet-in-the-middle attacks twice: splitting the cipher first with a horizontal cut and then splitting it again with a vertical cut. The horizontal cut is possible because layer seven fails to be surjective, and it is beneficial because layers 8–10 only depend on half of the key. (This is slightly different, though. In a normal meet-in-the-middle attack one computes forward part-way, backward part-way, and then meets in the middle. In our attack on TWOPRIME, because layers 6–7 fail to be surjective, we only need to compute backwards, and the forward part of the computation is substantially simplified.) The vertical cut is made possible by the linearity of layer seven (or more precisely the linearity of (2)). Here the "middle" is the value ḡ(K_3) = h̄(K_4). We compute up the left half and up the right half and then meet in the "middle" of the output of the seventh layer. This second application of meet-in-the-middle lets us isolate the contribution of K_3 from that of K_4 and hence reduce the attack's workload significantly.

In summary, we can recover (K_3, K_4) with 2^32 offline work, 2^32 space, and about eight blocks (64 bytes) of known keystream. As we shall see in Section 10, the computational requirements are not unreasonable.

The previous two attacks could be avoided (in a hypothetical TWOPRIME variant) by using a different linear transformation at layer seven. So we develop another attack against that eventuality. This attack is similar to the attacks on two-loop Vigenère ciphers which can be found in [Sin68] and [Tuc70].

The counters at layer 1 are cyclic with periods p_1 and p_2 respectively. Let us consider the outputs at four specific time steps

a = t, b = t + p_1, c = t + p_2, d = t + p_1 + p_2.

Because the counters are cyclic, we have

x_i^{1,a} = x_i^{1,b}, x_i^{1,c} = x_i^{1,d}, 0 ≤ i ≤ 3,
x_i^{1,a} = x_i^{1,c}, x_i^{1,b} = x_i^{1,d}, 4 ≤ i ≤ 7,

and because the operations of the subsequent layers 2 and 3 act on each byte separately, the same relations hold for the x_i^{3,·}. Consider the event E that the following two time-invariant equations both hold:

Σ_{i=0}^{7} x_i^{3,a} = Σ_{i=0}^{7} x_i^{3,c} (mod 256),
Σ_{i=0}^{7} x_i^{3,a} = Σ_{i=0}^{7} x_i^{3,b} (mod 256).

Each equation holds with probability about 1/256 (for a randomly chosen time step t) and the two are independent, so that event E holds with probability about 1/65536. When it does hold we have

Σ_{i=0}^{7} x_i^{3,a} = Σ_{i=0}^{7} x_i^{3,b} = Σ_{i=0}^{7} x_i^{3,c} = Σ_{i=0}^{7} x_i^{3,d} (mod 256).

This in turn implies that the outputs of layer 4 satisfy

x_i^{4,a} = x_i^{4,b}, x_i^{4,c} = x_i^{4,d}, 0 ≤ i ≤ 3,
x_i^{4,a} = x_i^{4,c}, x_i^{4,b} = x_i^{4,d}, 4 ≤ i ≤ 7,

as well.

This can be pushed forward to give information on the outputs of layer 6:

x_i^{6,a} = x_i^{6,b}, x_i^{6,c} = x_i^{6,d}, 0 ≤ i ≤ 15,
x_i^{6,a} = x_i^{6,c}, x_i^{6,b} = x_i^{6,d}, 16 ≤ i ≤ 31,
x_i^{6,a} + x_i^{6,d} = x_i^{6,b} + x_i^{6,c} (mod 256), 0 ≤ i ≤ 31,

and because layer 7 is linear (mod 256) we get

x_i^{7,a} + x_i^{7,d} = x_i^{7,b} + x_i^{7,c} (mod 256).   (4)

Suppose we know that event E has occurred for time step t, and that we have available the output of the stream cipher x^{9,h} for h = a, b, c, d. Then from x_i^{7,h} = S(k_i ⊕ x_i^{9,h}) and (4) we get a suitability test for possible values of key byte k_i. That is, for each position 0 ≤ i ≤ 7 and for each possible value of k_i we test whether the values of x_i^{7,h} obtained from x_i^{9,h} using k_i would satisfy (4):

S(k_i ⊕ x_i^{9,a}) + S(k_i ⊕ x_i^{9,d}) = S(k_i ⊕ x_i^{9,b}) + S(k_i ⊕ x_i^{9,c}) (mod 256).   (5)

The concatenation of possible bytes (k_0, k_1, ..., k_7) from this step represents possible settings of (K_3, K_4) consistent with the event E having occurred at this time step t. We will call this 8-byte setting a putative key. If event E did occur, then the correct setting of (k_0, k_1, ..., k_7) will be present among these possibilities. If it did not occur, we may get several false alarms. The difficulty is that we do not know a priori whether event E occurred or not. We may find that for one of the byte positions i there is no possible setting of k_i satisfying (5); in this case we know that E did not occur at t, and this case is discarded. Our strategy will be to try about 330 000 different values of t, and for each one that has at least one possible setting for each of the eight bytes k_i, tabulate the possible values of the 8-tuple (k_0, k_1, ..., k_7) = (K_3, K_4). The correct one should show up about five times among these putative keys, and incorrect values should show up less often. Having settled on the correct value of (K_3, K_4) we will be able to get the keys (K_1, K_2) with less difficulty in Section 8.

For our analysis it will be useful to know the following two probability distributions. For bytes x_a, x_b, x_c, x_d representing x_i^{9,a}, ..., x_i^{9,d}, let N(x_a, x_b, x_c, x_d) be the number of key bytes k that would satisfy (5):

S(k ⊕ x_a) + S(k ⊕ x_d) = S(k ⊕ x_b) + S(k ⊕ x_c) (mod 256).   (6)

We want to know the distribution P_1(n) = P(N(x_a, x_b, x_c, x_d) = n) when the x_h are independent random variables. Also we want to know the distribution

P_2(n) = P(N(x_a, x_b, x_c, x_d) = n) when the x_h are known to come from event E, that is, when the correct key byte k_i is known to satisfy (6). The two are related by P_2(n) = n P_1(n). The experimental distributions are given in the appendix. The first distribution is almost Poisson with mean 1, P_1(n) = e^{−1}/n!, with three notable exceptions. First, with probability P_1(256) ≈ 2/256^2 = 2^{−15} we either have (x_a = x_b and x_c = x_d) or (x_a = x_c and x_b = x_d), and in either case all 256 key bytes k will work. Second, P_1(128) ≈ (1/2)/256^2 = 2^{−17}, and similarly P_1(64) ≈ (5/4)/256^2, P_1(32) ≈ (13/4)/256^2, and P_1(16), P_1(8) are similarly high. This happens because of idiosyncrasies of the permutation S. For example, in the case n = 128, consider the event that x_a ⊕ x_d = x_b ⊕ x_c = 11111101 in binary and x_a and x_b agree in the second-lowest bit. This event has probability (1/256)^2 (1/2) = 2^{−17}. When this happens, for all 128 key bytes k disagreeing with x_a in the second-lowest bit we have (k ⊕ x_a) + (k ⊕ x_d) = 257. Then since S(x) = x^{−1} (mod 257) if x ≠ 0, we have

S(k ⊕ x_a) + S(k ⊕ x_d) = S(k ⊕ x_b) + S(k ⊕ x_c) = 257

for each of these 128 values of k, so that N(x_a, x_b, x_c, x_d) ≥ 128. This implies P_1(128) ≥ 2^{−17}. Similar calculations obtain for n = 64, 32, 16, 8. Also it appears experimentally that P_1(0) is a little higher than expected, 0.40 rather than 0.37, and P_1(1) is a little lower. This may relate to the first two observations. These deviations from the Poisson distribution, particularly the relatively high values of P_1(256) and P_1(128), are a minor nuisance for our cryptanalysis.

When event E has happened, the distribution P_2(n) is relevant to the number of key bytes surviving at each byte position i. The number of trial key bytes k_i that would satisfy (6), in other words the number of 8-byte keys (k_0, k_1, ..., k_7), is given by

Π_{i=0}^{7} N(x_i^{9,a}, x_i^{9,b}, x_i^{9,c}, x_i^{9,d})

with expected value about 4.3^8 ≈ 120 000. This expected value is so high because of the unusually large values of P_2(256) and P_2(128). When event E has not happened, the distribution P_1(n) is relevant and the expected number of 8-byte keys is 1. In fact, with probability about 1 − (1 − 0.40)^8 ≈ 0.98 at least one of the values N(x_i^{9,a}, x_i^{9,b}, x_i^{9,c}, x_i^{9,d}) is zero, so that no 8-byte keys are valid; with the complementary probability 0.016 all are nonzero, and then the expected number of keys is 1/0.016 ≈ 62. So with 330 000 experiments the expected number of 8-byte putative keys is 5 × 120 000 + (330 000 − 5) × 1 = 930 000. Among these, the correct key should appear five times and should be easy to detect; incorrect keys should appear at most once, with the possible exception of those differing from the correct key in only one or two bytes.

Although the mean number of putative keys is fairly small, the variance is huge; the standard deviation exceeds 10^4. This is because of the relatively high probability that, for a given time step and a given byte position, N(x_a, x_b, x_c, x_d) is either 256 or 128; if several such bytes occur at the same time step, this time step will yield a huge number of putative keys. In this case an alternative data structure is called for. For example, if one time step has two or more such byte positions, declare that event E has probably occurred and record putative values of the six (or fewer) remaining key bytes. Or we could simply list 4-byte putative keys K_3 and K_4 separately.

Having determined K_3 and K_4 by the attack in Section 6, we also know a handful of positions where event E has occurred; we know several places where

Σ_{i=0}^{3} x_i^{3,a} = Σ_{i=0}^{3} x_i^{3,c} (mod 256).

Because of the relation between x_i^{3,·} and x_i^{1,·} (layer 2 applies S and layer 3 adds the now-known key bytes), we also have, at these places,

Σ_{i=0}^{3} S(x_i^{1,a}) = Σ_{i=0}^{3} S(x_i^{1,c}) (mod 256).   (7)

By enumeration of 2^32 possibilities we can find all the possible values of the concatenation (x_0^{1,a}, x_1^{1,a}, x_2^{1,a}, x_3^{1,a}) and hence (by adding p_2 a_1 (mod p_1)) of the concatenation (x_0^{1,c}, x_1^{1,c}, x_2^{1,c}, x_3^{1,c}) which satisfy (7). This whittles down the possible values of K_1 from a collection of 2^32 to about 2^32/256 = 2^24 possible values. Similar calculations reduce our choice of K_2 to about 2^24 values. The correct values can be gotten by exhaustion.

Another approach to recovering (K_1, K_2) is given here. Assume that we have previously identified (K_3, K_4) using any of the attacks from Sections 4–6. This attack requires only 2^32 operations and two known keystream blocks; therefore it should be very fast. Because of the form of the linear relation in layer 7, we find that the sum x_0^7 + x_2^7 − x_4^7 − x_6^7 (mod 256) depends only on the four bytes x_i^5, i = 1, 3, 5, 7. A meet-in-the-middle approach can discover all the values of the 4-tuple x_i^5, i = 1, 3, 5, 7, that could lead to a given value of this sum. Similarly, the sum x_1^7 + x_3^7 − x_5^7 − x_7^7 (mod 256) depends only on the four bytes x_i^5, i = 0, 2, 4, 6. Combine these two lists with another meet-in-the-middle attack, and in time 2^32 we can recover the 8-tuple x^5 from any given value of the 8-tuple x^7. Use this to decrypt one ciphertext back to layer 5. For each of the 2^32 trial subkeys K_1, compute forward to x_i^3, 0 ≤ i ≤ 3, and backward from layer 5 to x_i^4, 0 ≤ i ≤ 3, and decide whether there is a byte sum which would enable the linear permutation at layer 4 to map x_i^3, 0 ≤ i ≤ 3, to x_i^4, 0 ≤ i ≤ 3. We expect 256 trial subkeys K_1 to pass this test. Similarly develop 256 trial subkeys K_2. Try each of the resulting 65536 pairs (K_1, K_2) on another ciphertext to determine the correct pair.

The first attack should take only a few seconds to find all of K_3 and K_4, including gathering data. The meet-in-the-middle attack recovering (K_3, K_4) (Section 5) requires 2^32 hash table lookups and about 2^32 words of memory. If we keep the entire table in memory, the table lookups will take only 400 seconds or so (assuming 100 ns access time to main memory, which is not unreasonable). The space requirements may be more noticeable. One simple approach is to distribute the table across a cluster of 256 workstations, each with 128 MB of memory; such a cluster would take roughly 400 seconds to find (K_3, K_4). Another simple approach, if only one workstation is available, is to trade off time for memory by splitting the table across time: one workstation can finish in 256 × 400 ≈ 10^5 seconds (about one month), and n workstations will finish n times as fast as that. This is not out of the question, and interested parties might be able to find better ways to reduce memory needs; for example, the parallel collision search techniques of van Oorschot and Wiener [vOW96] (applied to finding "golden collisions") look promising.

For the attacks based on identifying occurrences of event E (Sections 6–8), we need the generator to run for p_1 + p_2 ≈ 2^33 time steps, generating 2^36 bytes. At the advertised speed of 1 megabyte per second this will take about nineteen hours. We will look at only 1 000 000 message blocks (8 000 000 bytes): 330 000 at the beginning (representing a), another 330 000 in the middle (representing b and c, which are close to each other because p_1 and p_2 are close), and another 330 000 at the end (representing d). For each selection (a, b, c, d) we might need to evaluate 8 × 256 = 2048 trial key bytes k_i, 0 ≤ i ≤ 7. However, realize that much of the time we will find that (for example) key byte k_0 has no possible values, so that bytes k_1, ..., k_7 need not be examined for this case. In total, about 1 000 000 key bytes need to be examined.

44

on

opp

i th

vi

gn

u

hn i

o hn

l y

h sm p p 97 p opos s st v sion OP M -1 i in g om OP M on ly in th s v n th l y ; in OP M -1 th is l y p 7 s v s h lv s. h tis th ou tpu t yt s xi , 0 i 3on ly p n on th in pu t 6 7 i 15 n th ou tpu t yt s xi , i 7 on ly p n on yt s xi , 0 6 tion tw n th in pu t yt s xi , 16 i 31. h is m n s th tth on lyin t th l t n ig h th lv s o th m ss g o u s u in g th “lin p m u t tion  in th ou th l y n th th in t tion is lim it to th on yt i xi (m o 5 6). n two tim st ps wh th is su m g s th h lv s om pl t ly sp t . 7 ,a xi = ow n x m in th ou tpu t ttim a = t n b = t + p . i 7 ,b xi (m o 5 6) (i. . th s on o th two on ition s o v n t• ) th n i th l t-h n h l o th ou tpu to h l y is th s m o a s o b xi xi

j,a

6 ,a

= xi

j,b

= xi

6 ,b

,

0

i

3,

,

0

i

15 .

j= 6

n p ti u l th l t-h n h lv s o th ou tpu ts will g . yi n ti yin g ig h t p i s (a, b) wh th s ou tpu t h lv s g w n u th v lu o K s in th OP M s . im il om pu t tion s g iv u s K . n th n u s xh u stiv s h to om pu tK in ou t st ps. o 7 x m pl i w g u ss th ou yt s p s n tin g ( j kj ) − ki , 0 i 3 n w kn ow th v lu s o K n K w n fi n th l t-h n h l o ll l y s u p th ou g h l y . n om p th n yption s o two u n l t tim st ps s ya n e to s wh th xi

,a

xi

,e

= xi

,a

xi

,e

,

0

i

3.

n ot th s ou yt s w on g . u t i th y u l w n us l y to h k on ou o ig in l ssu m ption s n u n ish in g u K g ivin g u s n oth u s with th o tv lu o K . h l u l tion o K is l tto th . n to u n th g n to o m ss g s ( yt s) o t n h ou s n x m in ou t 5 6= , 096 lo ks (3 7 6 yt s). h om pu t tion l u i m n ts o op tion s n oton ou s n th in t st m ig h t w ll fi n m o i n tm th o s to is ov K . n oth pp o h is lso v il l . n th fi stph s o th is tt k w ov (K , K ). h k y o s v tion is th t m o llin g h h l o l y s 6– 7 s possi l v lu s o th l th l n om u n tion on ly ou t1 − e− o th o th ou tpu to th s v n th l y will tu lly tt in l . h o in th om pu t u p th l t si o th iph to th ou tpu t fi st ph s w g u ss K o th s v n th l y n is g u ss s tK wh n th yp o u u n tt in l w s th t t ou t 5 0 in t m i t v lu s. u s (1 − e− ) < − lo ks ( 00 yt s) o kn own pl in t xt th will u ston v lu m in in g n m ly th o tv lu o K . sim il t h n i u ov s K .

Now the second phase proceeds as in Section 9. For each guess at K_1 we compute forward down the left side of the cipher to the output of layer 3 and backward to the output of layer 4, checking to see whether the two are compatible. We expect 256 values of K_1 to remain, and similarly 256 values of K_2; these 2^16 remaining possibilities can be checked by trial encryption. In short, this second approach breaks TWOPRIME-1 with about the same time and space complexity as the corresponding attack on TWOPRIME. It requires slightly more known plaintext, but 50 blocks (400 bytes) of known plaintext should be readily available in many systems.

The same paper [DNRS97] proposes a scheme ONEPRIME which differs from TWOPRIME only in the first layer: instead of two primes p_1 and p_2 we have only one prime p = 2^64 − 59 and a fixed multiplier a. At time t the output of the first layer is (x_0, ..., x_7) = at + (K_1, K_2) (mod p).

A slight modification enables our attack to run against this scheme as well. Based on the value a (which was not specified in the paper), compute values Δ_1 and Δ_2 such that in the binary representation of aΔ_1 (mod p) the left-most 32 bits are 0 (so that the left half is 0 and the right half represents an integer smaller than 2^32). Similarly, in the binary representation of aΔ_2 (mod p) the left-most (highest-order) two bits are 0 and the right-most 32 bits are 0. The Δ_i should be about 2^32 and can be computed using methods from continued fractions. Then if we select time steps

a = t, b = t + Δ_1, c = t + Δ_2, d = t + Δ_1 + Δ_2,

we will find, with probability exceeding (3/4)^2 > 0.56, that the left-hand halves of the outputs of layer 1 agree at times a and b as well as at times c and d, and the right-hand halves agree at times a and c as well as at times b and d. The rest of the attack proceeds as before. We need the generator to run for somewhat longer because Δ_1 > p_1, and we need to examine somewhat more ciphertext because our favourable conditions only occur with probability 0.56, but the attack is still feasible.

Another approach is also available. We can break ONEPRIME with meet-in-the-middle techniques. In fact, simply applying the attacks in Sections 5 and 9 immediately breaks ONEPRIME without any modifications needed. This second approach requires eight blocks of known keystream as well as 2^32 time and 2^32 space.

But at a high level, the intuition behind some of our cryptanalysis is that we apply the meet-in-the-middle attack repeatedly at two levels of abstraction. First, we divide the cipher horizontally between layers 7 and 8 and meet at the "middle", the output of the seventh layer, at the highest level of abstraction. Second, we divide the cipher vertically into left and right halves and meet in the "middle", where the "middle" is a characteristic of the output of the seventh layer. Some of the techniques (e.g. Sections 6–8) do not fall cleanly into this model. We will ignore them for the moment.

Note that the vertical split can be viewed as decomposing the 64-bit function F into two parallel 32-bit functions G, H. In other words, splitting F vertically corresponds to writing F(a, b) = (G(a), H(b)). Of course, given such a parallel decomposition we can apply a divide-and-conquer attack; since breaking a 32-bit function has complexity at most 2^32 time, such a decomposition lets us break F in at most 2^32 time. We conclude that F should be designed to resist parallel decomposition, and in particular there should be no parallel G, H that approximate F. This just comes down to ensuring there is plenty of diffusion, a well-known design principle of cipher design. The lack of diffusion helped make our attacks on TWOPRIME possible.

We can also analyze the horizontal split in terms of functional composition. In this case we find that it corresponds to finding G, H such that F = H ∘ G (i.e. F(a) = H(G(a))). When we can find such G, H where G is non-surjective and H is bijective, then meet-in-the-middle attacks may allow the cryptanalyst to isolate the contribution of G from that of H. In other words, the cryptanalyst can often analyze H without taking into account the contribution of G (or the key bits that enter G); once H has been broken, the cryptanalyst can then peel off the contribution of H (since it is bijective) and attack G alone. The result of such a divide-and-conquer attack would be that F is not much stronger than the stronger of G or H standing alone. TWOPRIME puts some of its strength into G and some into H, with the result that much of its strength was wasted. It would have been better to concentrate all the strength in one of G or H and make the other as simple as possible, to avoid this potential danger.

Therefore we suggest the following design principle, which seems broadly applicable to the construction of non-bijective cryptographic functions from a product of rounds. One should avoid introducing non-surjectivity in the middle of the function, because that may speed up meet-in-the-middle attacks and thus waste precious cryptographic strength. Note that the latter design principle offers some intuitive justification for the structure of many of today's most successful non-bijective cryptographic functions (such as MD5, ...). The Davies-Meyer construction [Win84] builds F as F(a) = G(a) ⊕ a. All the strength is concentrated in a bijective function G (usually built out of a block cipher); the non-surjectivity is introduced as late as possible and as simply as possible. MD5 [Riv92] and Snefru [Mer90] also followed our suggested design principle: they too use a bijective function G at

the core and introduce non-surjectivity only at the end points (by feeding simple redundancy to the input of G and truncating its output). This design principle is not novel. It has been discussed in more detail by Preneel in the context of the design of compression functions for hash functions; see [Pre93].

Pulling it all together, we can identify three important attacks against the stream cipher TWOPRIME. First, we can break TWOPRIME with 2048 blocks of known keystream and 2^32 work by using the techniques of Sections 4 and 9. Alternatively, we can get by with only 8 blocks of known keystream with repeated use of meet-in-the-middle attacks (Sections 5 and 9); the cost is that we need 2^32 space as well as 2^32 work. Finally, we can cryptanalyze TWOPRIME with 2^33 blocks of known keystream and a modest number of operations by using the methods from Sections 6–8; this last attack uses no special features of the compression function in layer seven (other than its linearity). As a result, for a cipher with a 128-bit key, TWOPRIME is disappointingly weak. We have pointed out weaknesses in two of the layers in TWOPRIME. Because TWOPRIME has only nine layers, each layer lies close to the surface, and any weakness is more easily exploited. The system needs more layers to have any serious cryptographic strength.

9 . l92. 90. O

96. 93.

i n6 . u 0. i n 4.

. i ng . i i . nv ll n . lo “ O t t i ph i ng lg o i th ” p i ng L vo lu 1 26 p g –1 02 1 99 . . . lik i“ h 2 g i g t lg o i th ” 1 31 9 p i l 1 992. . . kl “ t o t On y h h un ti on ” u vo l 3 no 1 1 990. . .v n O o ho t n . . in “ p o vi ng i p l nt l ti n th i l tt k y o o g ni tu ” p g 22 236 p i ng l g 1 996. . n l “ i gn p i n i pl o i t h h un ti on ” i t 93 p i ng L vo lu 09 p g 1 – 2 1 994 . . i nk o v o k n o o u 1 96 . . uk n “ tu y o th i g n n i ng l n ulti p l lo o p n i ph i ng y t ” h po t 2 9 14 y 19 0 o k to n i ght . . i nt ni tz “ o u i ng O n y h un ti on o ” l nu 1 9 4 p p . 203–20 .

Don Coppersmith, David Wagner, Bruce Schneier, John Kelsey

[Table: experimental distributions of P(n) compared with the Poisson values e^{-1}/n!, for n = 0, 1, ..., 256; the numeric columns are not legible.]

JEROBOAM

Hervé Chabanne (SAGEM SA, Unité de Recherche et Développement Systèmes et Terminaux Sécurisés, [email protected]) and Emmanuel Michon (Ecole Polytechnique, Palaiseau, France, [email protected])

Abstract. We introduce a new fast stream cipher, JEROBOAM, working with keys of 128 or 248 bits. JEROBOAM was designed to work with eight internal 32-bit registers called multiply-with-carry generators (mwc). These registers are very easy to implement in software and produce sequences of excellent statistical quality. Yet one mwc is easily cracked by a lattice reduction algorithm. Hence we were led to interpose a nonlinear filter between these weak registers and the pseudo-random output.

1 Introduction. The cipher JEROBOAM is designed to work efficiently on 16-bit microprocessors. The key is 128 or 248 bits long, which is quite comfortable; after a short setup, equivalent in time to the encryption of a 42-byte message, JEROBOAM produces a pseudo-random stream one can use as a symmetric cipher to XOR a cleartext of any length. JEROBOAM was designed with IDEA [8, 11] as a model. It relies on a classical scheme and can be seen as a nonlinear combination of irregularly clocked pseudo-random generators. Current technical requirements induce us to use only operations directly available on all microprocessors: we use mwc as random generators, and the nonlinear filter is obtained by a now classical alternance of + and XOR. The mwc (multiply-with-carry) generators are a new primitive in cryptography. They allow fast computations in different prime finite fields, due to Marsaglia [5]; their description and the way they can be cryptanalysed can be found in Sect. 2. The complete description of JEROBOAM is given in Sect. 3. It is completed by a slow C implementation and test values in Sect. 7. In Sect. 4 we discuss the statistical evaluation of the output stream as a pseudo-random sequence. We study in Sect. 5 the speed of JEROBOAM and give a microprocessor-independent evaluation.





Current address: Ecole Nationale Supérieure des Télécommunications, France. This work was completed during a terminal training period in SAGEM SA. The reference [4] is the complete fully documented version of this article. Thanks for pointing out the package DIEHARD due to G. Marsaglia.

2 Multiply-with-carry (mwc)

Let a, b ≥ 1 be integers and let 0 ≤ c_0 < a, 0 ≤ x_0 < b. The multiply-with-carry (mwc) generator of multiplier a and base b produces the sequence of states (c_n, x_n) defined by the euclidean division of a x_n + c_n by b:

    a x_n + c_n = b c_{n+1} + x_{n+1},   0 ≤ x_{n+1} < b.   (1)

The division is just a right shift if we let b be a power of 2. In JEROBOAM b = 2^16, and we let the carry c_n be the MSBs and x_n the LSBs of a 32-bit word w. This way (1) becomes, in ready-to-code form,

    w = a (w & 0xffff) + (w >> 16),

where & is the logical AND and >> the right shift; the generator returns x_n = w & 0xffff. We can state the following result from [5].

Proposition 1 ([5]). Let m = ab − 1 and S = {(c, x) : 0 ≤ c < a, 0 ≤ x < b}, so that #S = m + 1. The map f : S → S, (c, x) ↦ (c_{n+1}, x_{n+1}) given by (1), is a permutation of S; apart from its two fixed points (0, 0) and (a − 1, b − 1), its orbits correspond to the orbits of multiplication by a in the multiplicative group (Z/mZ, ×).

If we choose m to be a safe prime, i.e. both m and (m − 1)/2 are prime, we get two nontrivial orbits for this graph. The following result shows how to switch from one orbit to another.

Lemma 2. Let g : S → S be defined by g(c, x) = (a − 1 − c, b − 1 − x). Then f ∘ g = g ∘ f.

Proof. Let (c', x') = f(c, x) be defined by the euclidean division of ax + c by b: bc' + x' = ax + c, with 0 ≤ x' ≤ b − 1. Then ab − 1 − (bc' + x') = ab − 1 − ax − c, that is

    b(a − 1 − c') + (b − 1 − x') = a(b − 1 − x) + (a − 1 − c),

with 0 ≤ b − 1 − x' ≤ b − 1, which means g ∘ f ∘ g = f, so f ∘ g = g ∘ f.

This way we can switch from one one-point orbit to the other and, more interesting, from one (m − 1)/2-point orbit to the other.


Considering only safe prime moduli m = a·2^16 − 1 (0 < a < 2^16) leaves us the choice between 392 values. We would appreciate to use every bit in the 32-bit word w, so we impose the condition 2^15 < a; there are still 171 possibilities left. To explain our final choice, let us consider the following result, which establishes a strong link between mwc and the well-known Lehmer generator X_{n+1} = a X_n mod m.

Proposition 3. Let X_0 = a x_0 + c_0 with a x_0 + c_0 < m, and let X_{n+1} = a X_n mod m. Then for all n ∈ N,

    c_n = X_n mod a,   x_n = ⌊X_n / a⌋.   (2)

Proof. (2) is true for n = 0. Suppose it is true for n. Let q, r be the quotient and remainder of the euclidean division of X_n by b: we get X_n = bq + r with 0 ≤ r < b. Multiply by a: it becomes aX_n = abq + ar with 0 ≤ ar < ab; we obtain this way the euclidean division of aX_n by ab. One can also write aX_n = (ab − 1)q + (ar + q). Is this the euclidean division of aX_n by ab − 1? Let us check that 0 ≤ ar + q
[Table: spectral test results for the candidate multipliers a (hex), giving the figures of merit ν_2, ..., ν_6 and μ_2, ..., μ_6 defined in [3] p. 101. The retained multipliers are a1 = a797, a3 = abdb, a5 = b9a9, a7 = ca65, a6 = cf8a, a4 = d524, a2 = df89 and a0 = f1da.]

Remark that the whole multiplicative congruential generator is implied in the spectral test; the bits we use in JEROBOAM are in fact the most significant ones.
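The mwc map (1), its packed form w = a(w & 0xffff) + (w >> 16), the Lehmer correspondence of Proposition 3 and the orbit-switching map g of Lemma 2, carried out in C. This is an added example and not the JEROBOAM authors' code: the eight multipliers are the a_i of the paper's C listing, while the seed 0x12345678, the toy parameters a = 3, b = 4 (m = 11, a safe prime, small enough to enumerate orbits) and the trial-division safe-prime test are constructed here for illustration.

```c
/* Multiply-with-carry (mwc) generator with b = 2^16, as used by JEROBOAM,
 * together with the facts behind Proposition 3 (Lehmer equivalence) and
 * Lemma 2 (orbit switching).  Added example, not the authors' code. */
#include <stdint.h>
#include <stdio.h>

#define MWC_B 65536u   /* b = 2^16: the carry is the high half of w, x the low half */

/* the eight multipliers a_i of the paper's C listing; m_i = a_i * 2^16 - 1 */
static const uint32_t JEROBOAM_A[8] =
    {61914, 42903, 57225, 43995, 54564, 47529, 53130, 51813};

/* one step of (1) for arbitrary a, b:  b*c' + x' = a*x + c,  0 <= x' < b */
static void mwc_step(uint32_t a, uint32_t b, uint32_t *c, uint32_t *x) {
    uint64_t t = (uint64_t)a * *x + *c;
    *c = (uint32_t)(t / b);
    *x = (uint32_t)(t % b);
}

/* the same step in packed form: a < 2^16 and c < a keep a*x + c below 2^32 */
static uint32_t mwc_clock(uint32_t a, uint32_t w) {
    return a * (w & 0xffffu) + (w >> 16);
}

/* modulus m = a*b - 1 of the companion Lehmer generator X_{n+1} = a X_n mod m */
static uint64_t mwc_modulus(uint32_t a) {
    return (uint64_t)a * MWC_B - 1;
}

/* g(c, x) = (a-1-c, b-1-x) of Lemma 2; on packed words this is simply m - w */
static uint32_t mwc_switch(uint32_t a, uint32_t w) {
    return (uint32_t)(mwc_modulus(a) - w);
}

/* Proposition 3: with X_0 = a*x_0 + c_0 and X_{n+1} = a*X_n mod m, the packed
 * state after n clocks satisfies c_n = X_n mod a and x_n = X_n div a.
 * Returns 1 if the identity holds after each of `steps` clocks. */
static int lehmer_equivalence_holds(uint32_t a, uint32_t w0, int steps) {
    uint64_t m = mwc_modulus(a);
    uint64_t X = (uint64_t)a * (w0 & 0xffffu) + (w0 >> 16);
    uint32_t w = w0;
    for (int i = 0; i < steps; i++) {
        w = mwc_clock(a, w);
        X = ((uint64_t)a * X) % m;        /* a*X < 2^48, fits in 64 bits */
        if (X % a != (w >> 16) || X / a != (w & 0xffffu)) return 0;
    }
    return 1;
}

/* Lemma 2, g o f == f o g, checked on one packed state w <= m */
static int switch_commutes(uint32_t a, uint32_t w) {
    return mwc_clock(a, mwc_switch(a, w)) == mwc_switch(a, mwc_clock(a, w));
}

/* length of the f-orbit of (c, x); intended for toy a, b with few states */
static unsigned orbit_length(uint32_t a, uint32_t b, uint32_t c, uint32_t x) {
    uint32_t c0 = c, x0 = x;
    unsigned n = 0;
    do { mwc_step(a, b, &c, &x); n++; } while (c != c0 || x != x0);
    return n;
}

/* safe-prime test by trial division; m < 2^32 here, so this is cheap */
static int is_prime_u64(uint64_t n) {
    if (n < 2) return 0;
    if (n % 2 == 0) return n == 2;
    for (uint64_t d = 3; d * d <= n; d += 2)
        if (n % d == 0) return 0;
    return 1;
}
static int is_safe_prime(uint64_t m) {
    return is_prime_u64(m) && is_prime_u64((m - 1) / 2);
}

int main(void) {
    const uint32_t seed = 0x12345678u;   /* constructed seed: carry 0x1234 < every a_i */
    for (int i = 0; i < 8; i++) {
        uint32_t a = JEROBOAM_A[i];
        printf("a=%5u m=%10llu safe prime=%d Lehmer-equivalent=%d g.f==f.g=%d\n",
               a, (unsigned long long)mwc_modulus(a), is_safe_prime(mwc_modulus(a)),
               lehmer_equivalence_holds(a, seed, 100000), switch_commutes(a, seed));
    }
    /* toy a = 3, b = 4, m = 11: orbits {(0,0)}, {(2,3)} and two of length (m-1)/2 = 5 */
    printf("toy orbit lengths: %u %u %u %u\n", orbit_length(3, 4, 0, 0),
           orbit_length(3, 4, 2, 3), orbit_length(3, 4, 0, 1), orbit_length(3, 4, 2, 2));
    return 0;
}
```

The packed and generic forms are kept side by side on purpose: the packed form is what a 16-bit implementation runs, while the generic form makes the toy enumeration possible, showing the two one-point orbits and the two (m − 1)/2-point orbits that Lemma 2 lets the cipher jump between.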

2.2 Cryptanalysis of mwc

We know that the sequence produced by a multiplicative congruential generator is predictable. More precisely, Frieze, Hastad, Kannan, Lagarias and Shamir [1] prove the following result:

e

e

e

e

e k

e

s = 1 + log 2 Δ• + e

e e e Δ•

on sid er th e m

e

e

e

⎜ ⎜ ⎜ A= ⎜ ⎜ ⎝

=

e e e e (X•

•−

1 log k 2 2 e

e

m 0 0 ··· 0 a −1 0 ··· 0 a2 0 −1 ··· 0 a• −

et i le p o o o

e e e e X•

e

trix2 ⎛



e

e e

⎞ ⎟ ⎟ ⎟ ⎟, ⎟ ⎠

0 0 ···−1

m o e o m p lete esult

n

e o un i n 1 .


We want to solve the system of modular equations AX ≡ C (mod m), where X = (x_1, x_2, ..., x_k) and C = (0, 0, ..., 0) are two column vectors. Let us consider the lattice formed by the rows of the matrix A and reduce it by the LLL algorithm. This way we get a matrix B = PA with "small" norm Δ_k, defined as the biggest euclidean norm of the rows of B. The system can then be written BX ≡ C' (mod m). If we choose the components of C' in the integer interval [−m/2, m/2] and if we know in advance that ‖X‖ is small enough, i.e. ‖BX‖ < m/2, we lose the modular aspect and we are led to solve a trivial linear system BX = C' in Z. Knowing some high order bits X* of X allows us to change the unknown and substitute X by the small unknown vector X − X*, which leads us to the situation above. A C implementation of this proposition shows that s is roughly n/k for big m, and that a Lehmer generator can be "cracked" in a few seconds by the observation of a few MSBs. For more precise results see [4].

3 JEROBOAM

The heart of JEROBOAM consists of eight 32-bit mwc registers, a FIFO queue of two 16-bit words and a particular 16-bit word:

    mwc0, mwc1, mwc2, mwc3, mwc4, mwc5, mwc6, mwc7, queue1, queue2, lea (for leader).

3.1 Setup

One may choose between a 248-bit key and a 128-bit key.

248-bit key: the key is given by eight 32-bit words key0, key1, key2, key3, key4, key5, key6, key7. The 32th bit of each word must be 0 and none of these words can be 0. The initial value of mwc_i is set to key_i; queue1 and queue2 receive any values (we chose 0xda37, 0xc07f); lea is initially the LSBs of mwc0. Make 21 cycles (footnote 3) of the algorithm below and prepare to encrypt.

128-bit key: the key is given by eight 16-bit words key0, key1, key2, key3, key4, key5, key6, key7. The ith mwc receives the 32-bit word (i + 1)·2^16 + key_i. One can choose any of the 2^128 possible keys, even the zero one! The following is identical.

Footnote 3: This is the first rank k on which the probability (k − 1)/2^k of outputting one of the queue's original setup values is less than the uniform probability 2^{−16}.


3.2 Cycle

1. Consider the bits of lea, numbered from 15 down to 0:

    bit 15: swi2, 14: sup0, 13: lea0, 12: chop, 11: ini1, 10: sup2, 9: five, 8: fifo,
    bit 7: ini2, 6: lea1, 5: ini0, 4: sup1, 3: lea2, 2: swi0, 1: cplt, 0: swi1.

2. i0 is 4 ini2 + 2 ini1 + ini0.

3. If chop is 1 then cmb = mwc_{i0} ⊕ mwc_{i0+1} + mwc_{i0+2} ⊕ mwc_{i0+3}, else cmb = mwc_{i0} + mwc_{i0+1} ⊕ mwc_{i0+2} + mwc_{i0+3} (indices mod 8, mwc_i standing for the 16-bit output of the ith register). Here + denotes the modular addition in Z/2^16 Z and ⊕ the bit-to-bit XOR; the evaluation of these two non-commutative, non-associative operations is done from left to right.

4. If five is 1, add mwc_{i0+4} to cmb with the appropriate alternating operation.

5. If fifo is 1, cmb enters the queue and is replaced by the output of the queue.

6. Output: the 16-bit word cmb is the keystream word, XORed with the text.

7. Advance all the mwc.

8. Advance one more the mwc indexed by 4 sup2 + 2 sup1 + sup0.

9. Switch the orbit of the mwc indexed by 4 swi2 + 2 swi1 + swi0.

10. newlea is the mwc indexed by 4 lea2 + 2 lea1 + lea0.

11. If cplt is 1, bit-to-bit complement newlea.

12. The new lea is newlea.

13. Go to step 1.

4 Statistical evaluation

We have used the statistical tests defined by Knuth [3] to check the random behavior of the output word of JEROBOAM. These empirical tests are: frequency test, serial test, gap test, poker test, coupon collector's test, permutation test, run test, max-of-t test, collision test and serial correlation test. We did not notice any significant bias: every bit of the output behaves as a coin-tossing experiment does, independently from its neighbours. A full but quite boring evaluation of these statistics can be found in [4].

5 Speed

We enciphered 1, 2, ..., 10 Mbyte files on different systems, with a hundredth-of-a-second precise measure. β denotes the number of clocks necessary to the obtention of one 16-bit output word.

    Microprocessor   Exploitation system   Speed (Mbyte/s)   β
    Pentium 100      Windows 95            0.73              261
    Pentium 120      Windows 95            0.88              260
    Pentium 166      Windows 95            1.21              261
    Pentium 166      Windows NT 4          1.17              270
    Pentium 200      Windows 95            1.40              272

The C compiler is Microsoft Visual C++ version 4.2 using Pentium code generation. Let us try to find a rapid estimation of the cost of a JEROBOAM cycle on a standard Pentium, with the slowest addressing mode on Pentium [7]:

[Table: cost of one JEROBOAM cycle, with columns Operation, Instruction, Operand size (bits), Quantity and Cycles, for the unsigned multiplication (MUL, 16×16→32), subtraction (SUB, 32), logical and (AND, 16), addition (ADD, 16), right shift (SHR, 16), exclusive or (XOR, 16) and complement (NEG, 16), ending with the total cycle number C; the quantity and cycle figures are not legible.]

This is 30% less than the above observation, but it is still the same order of magnitude. Computing C for an N MHz microprocessor, one can estimate the enciphering speed v in megabytes per second from N and C. Finally, note that the speed of JEROBOAM strongly depends on the speed of the multiplication of two unsigned 16-bit words; for instance, experiments on another processor bring us to a 25% speeding up, v ≈ 1.9.

6 Combining mwc

We have seen that a mwc used alone is insecure. We would now like to insist on the fact that, given the sequence formed by the sum in Z/2^16 Z of two mwc x_n and y_n in two different finite fields Z/pZ and Z/qZ, we do not know how to recover the initial terms x_0 and y_0. The output of JEROBOAM is far more tricky: in particular this output always implies a third mwc with an XOR operation, i.e. another algebraic structure. We invite the reader to determine how to recover the initial content of two mwc given the LSBs of their sum, then to incorporate a third mwc with ⊕, and finally crack JEROBOAM.

7 Readable but slow C implementation

/* 16-bit stream cipher JEROBOAM 2.0 Readable but slow C implementation */ #include typedef unsigned short w16 ; typedef unsigned long w32 ; static w16 a[8]={61914,42903,57225,43995,54564,47529,53130,51813}; static w32 mwc[8]; static w16 lea,queue1,queue2 ; #define nsetupcycle 21 void clockmwc(int i) { mwc[i]=(w32)(w16)mwc[i]*a[i]+(mwc[i]>>16); } void switchmwc(int i) { mwc[i]=((w32)(a[i]-1)> (j*4)) k = (k + n) & 0x0f;

/* mask selects four out of eight nibbles */ /* do for each of 8 mask values */ /* do for each of 16 table entries */ table nibbles to define table entry for swap */ + (key[(j*2 + i/8) & 0x3] >> ((i*4) & 0x1c));

/* swap masked nibbles between TbTa[i] and TbTa[k] */ xordif = (TbTa[i] ^ TbTa[k]) & mask; TbTa[i] = TbTa[i] ^ xordif; TbTa[k] = TbTa[k] ^ xordif; } mask = (mask > 28);

/* rotate mask left by 4 bits */

} { /* build 256 x 32 table T by interleaving left and right halves of TbTa */ UINT32 a, b; UINT32 expand[16] = { 0x00,0x01,0x04,0x05, 0x10,0x11,0x14,0x15, 0x40,0x41,0x44,0x45, 0x50,0x51,0x54,0x55 }; for (i = 0; i < 256; i++) { T[i] = 0; } /* clear look-up-table T */ for (j = 0; j < 16; j++) { k = TbTa[j]; a = (expand[(k >> 0 ) & 0xf] > 4 ) & 0xf] > 8 ) & 0xf] > 12) & 0xf] > 16) & 0xf] > 20) & 0xf] > 24) & 0xf] > 28) & 0xf] 0



m

on • •



A x)m

m

m

A 0 k

G

f fk x)

Pn x)

A

yl m m 1 fm α) 0. o rs ly fm α) 0 Am I t αfm α) + fm− α) fm− α). u t rm or )o s fm α) fm α)−fm− α) 1. o s tAm 1 t u s fm α)−fm− α)− fm α)2 Am I. qu tly fm α) fm− α) 1 f .

t

y

f k

B fk α + 1)

G

0

B

f Pn x + 1)

k

fk x) f .

o t

or r o B

pplyl m m

B α) s qu l to t or r o t   α+ 11 − . A BA 1 0 to t

l m

l m

t

tα + 1.

t rm So o oos s rr u l poly om l Pn x) or t or r o t l m tA A α) o s to s qu t lly l u l t fn x) − xfn− x) + fn−2 x)

u tl t ts fk x) − 0 S m l rly or t t rm to s qu t lly l u l t

u tl t ts fk x) − 0 s rr u l .

m o Pn x))

m o Pn x)). s lu to o t or r o t

fn x) − xfn− x) + fn−2 x) m o Pn x + 1)).

to o

o k l m

s t or r o A. tB B α) o s

m o Pn x + 1)) ot t t t

poly om

l Pn x + 1)

96

K n

.

uk

) ) fn > 0 ) fn > 0

i kov

u Ki m

n−1 f n>0 fn x) xgn x)2 f fn x) hn x)2 f

fn x)

f . s ) m m t ly ollo s rom s t t fn x) s su m o m o om ls o o m o om ls o r or o n. f2 k f2 k x)

x2 m•

+ x2 m•

) m−0 ) f2 m x)

λ + λ2 x2

m

x)

xm• + xm• + −−−+ xms )2 ,

+ −−−+ x2 mt x λ λ2

x xm• + xm• + −−−+ xmt )2 . 1

fm x)

x

λm + λm 2 )f

0 f x)

x

λ + λ2 )



f0 x) x λ0 + λ02 ) or ll m − k.

f . ) or m 0, 1 S u ppos ou r orm u l s tru fk

). u rt r rom ) t s sy to r or n su m o

x2 m• + x2 m• + −−−+ x2 ms

x)

gn x) ∈ 2 [x hn x) ∈ 2 [x

1.

x −fk x) + fk− x) 1 k− 1 λ + λk− ) x − λk + λk2 ) + 2 x x 1 k− 1 + λk− ) λ + λ2 ) λk + λk2 ) + λ 2 x x 1 k λ + λk2 + λ λ2 λk− + λk− ) + λk− + λ2k− ) 2 x 1 k + λk2 ). λ x

2 x2 − . ) f2 m x) x λ2 + λ22 ) x λ + λ2 )2 xx . t t l m ts λ λ2 r lu s o t m tr us A x). y lo to t so o t l o r to l u to s 2 x). lu s o A x)m r λm λm . r C ot s t t r o m t r C t 2 m

fm x)

1 fm x

m

m

x) + fm− x))

or r o y o tty s q − 1 or sq+ 1 s o A B) r q − 1 or q + 1. n > 1 t or rs o A B r o l tPn x) W r o to stm or q + 1. t n −1) o pr m um rs

1−

1 r A x)m x

m

1 m λ + λm 2 ). x

or l m t rom SL2 q ) t r s qu l to [3). S o m m l poss l lu s o t or rs rom l m m s t s sy to s t t or ot qu l to .

r om rr t t pro n + 1) pk• pk2 • r p . . . pr d2 n)

m

1

u l poly om l o r n>1 o r 2. l tyt tt or r o A α) s qu l to q − 1 −−−pkr r t om pos to to pro u t r r tpr m um rs. S t 1+

−n/2

2

)

r i

1 , pi

n

uriy o −n/2

1− 1+

c2 n)

i n 2

)

r

m

1 pi

i

f .S pr m

2

d2 n)

−1 sors. S u ppos n

P

fA

n n

n>1

c2 n)

+ 1 r r l t lypr m um rs t y k k − 1 pk• −−−pj j n + 1 pj j• • −−−pkr r .

Pr or A) − q − 1) 1 − Pr or A) < q − 1)   j r −1− Pr A q− /pi I − i

1−

f

q−1

B

9



d2 n) − 1.

Pn x) q−1 fA

on • •

 Pr A

q

r t



/pi

I

i j

j

 Pr Pn x)

sf

q−

 x)

/pi

i

r



 Pr Pn x)

sf

q

 x)

/pi

i j

S

f

q−

/pi

x)

q − 1)/pi − 1



sf

Pr Pn x)

q−

f

/pi

q−

 x) −

/pi

x) s

/pi − 2n

q−

S2 n)

r S2 n) s t um r o rr u l poly om ls o q [6) t u s 2 . u tS2 n) > n 1 − 2 n/• −• ) s 

sf

Pr Pn x) W

t

sm

stm

q−

/pi

to

 x)
1−

1

1+

−n/2

2 n/• −•

2

 r i

< r

− sf

squ r

q

q 2 npi

S2 n) n

1  1+ pi /pi

yl m m ,

t o

−n/2

 x) . S o

1 . pi

lly Pr or A) − q − 1

or B) − q − 1)

− 1 − Pr or A) < q − 1) − Pr or B) < q − 1) 1 − Pr or A) < q − 1)) +

1 − Pr or B) < q − 1)) − 1

− d2 n) − 1

c2 n).

ts

2

 .

9

K n

.

uk

i kov

u Ki m

tM pos t t r um r su t tt r o s ot stpr t lly rym ss o t 0M ) t t s M o s u t 0’s) or 1M ). or r to o lo or r tt k t ou l su t to A B t or rs t t r r trt M. l 1 s o s t t t s ot r to poly om l r su lts l r or r. us r k t yl m m . f fA

Pn x) 2

M

1−

M• 2 n−•

n > 3 B

f . Pr or A) − M ) −

M

Pr Pn x)

s fi x))

i



M i

Pr or A) > M

i− n

S2 n)


M )

> 1 − Pr or A) − M ) − Pr or B) − M ) > 1 −

M2 M2 > 1 − n− . nS2 n)

or m pl l t M 10 n 131. t pro l ty t t ot t or rs o A B r r trt M s r trt 1 − 10−2 . S o t pro s ul r l l ty t t or r om rr u l poly om l Pn x) t s m stt r s P przyk tt k s l ss t 10−2 . W o ot s u ss m port tprop rt s o t s s m o t to prop rty o to s t sso t yl y r p prot to s st lo l m o to s p prop rt s) st l ty u r su rou p s ty tt ks sy om pu t l ty us t s o [7 t l. . o r r s r ou r tt to to t rt l [ .



• • • • • • ••• • ••• • • • •• • • • •• •• • •• • • • • •• • • • •

t s s to p> . l l m

tro u t lo l or t m . rr u o p l m t s p > s pr m p . tα z ro o t tx t l q p [x / Pn   α −1 A A α) , 1 0 s

o t ll m or s s m or sr s ollo s. l poly om l Pn x) o r no r q pn n s su tlyl r ). poly om l Pn x) . . t l ss o t x)−)   αα−1 B B α) 1 1

n

m

tr

s rom G

uriy o

i n

q ).

SL2

t

m

m

on • •

99



pp

π −0, 1−− −A, B−, π 0) s o

o

π 1)

A,

B.

x x2 . . . xk s t

rym ss

m

tr

π x )π x2 ). . . π xk ) rom G. s s ll m or ollo SL2 q ).

s m s ll t rypto r p s s m [7 . t or m s o s t t t s t o

8

n>

f . t A

B



s o

k t t   10 , 11

2

A

lo ou s to t

s st

A B

s ly −

prop rt s

ol

SL2

−2

BA

 BA

1α−1 0 1   s 0

rou p

q)

 .

 α−  or to kso ’s t or m s [ ) t m tr 0 rt t rou p SL2 q ). ot t tSL2 q ) s o tr l t r Z −−I− r I st tty z ∈Z gz zg. As ∈ m tr . t s or y g ∈ SL2 q ) lu . Z t ry str s 0s , w, v) w, 0s , v) w, v, 0s ) s to t s m su y o s qu tly to oos rr u l poly om l Pn x) t tt o to As ∈ Z ollo s s ou l ot sm ll. s qu fi x) ∈ p [x o u to s 0,

f0 x) m

tr

f x) s



A x)  m

A x) f . y

1,

x −1 1 0

fi

2

x)

x) − fi x) or i − 0,

xfi



 ,

−fm fm fm −fm−

B x)

xx−1 1 1

3)

 .

 f m>0

u to .

Am ∈ Z f fm x) fPn x)

ffm α)

0

Am ∈ Z f

yl m m 9 fm α) 0. o rs ly fm α) f . Am ∈ Z t αfm α) − fm− α) −fm− α). u t t y 3) o s fm α) t m or tAm 1 t u s fm α) −fm− α) −1. o s qu tly fm α) −fm− α) 1 or fm α) −fm− α) −1 t u s t r Am or Am −I.

0 r r I

1 00

K n

.

uk

i kov

u Ki m

Bm ∈ Z f ffm α + 1) fPn x − 1) fm x) f . t ollo s rom

m−0 ) f2 p x)

fk





α + 1 −1 1 0

BA



9. )

f . )

Bm ∈ Z f

qu l ty A

l m m

0

λ + λ2 xp x2 − ) p−

fk x) x)

k λk • −λ• λ• −λ•

1

x λ λ2

m λm • −λ• λ• −λ•

fm x)

f

/2 λ•k−• −λ•k−• λ• −λ•

fk− x)

t

xfk x) − fk− x) 1 λ + λ2 ) λk − λk2 ) − λk− − λk− )) 2 λ − λ2 1 λk − λk2 + λ λ2 λk− − λk− ) − λk− − λk− )) 2 2 λ − λ2 λk − λk2 . λ − λ2

)W f2 p x)

λ2 p − λ22 p λ − λ2



λ2 − λ22 λ − λ2

p λ − λ2 )p−

f2 )p λ − λ2 )p− xp λ2 − λ λ2 + λ22 ) p− /2 p 2 x λ + λ2 ) − λ λ2 ) p− /2 xp x2 − ) p−

/2

.

rou p G s t u qu l m t −I o or r s [3). or r o y o tr l l m t rom G s qu l to p p or s sor o q − 1 or q + 1. m m s9 1 ollo t t or n > 1 t or r o l m t A r sp. B) s qu l to t r p or p. o s qu tly t or rs o t l m ts A B r sors o q − 1 or q + 1. r om rr u l poly om l o r n>1 t o t Pn x) stm t t pro l tyt tt or r o A s qu l to q − 1 or ts p. W k k pk• pk2 • −−−pj j pn + 1)/ pj j• • −−−pkr r t om q + 1. t pn − 1)/ r tpr m um rs. pos to to pro u to pr m s r p . . . pr r S t  r 1 1 1 + p−n/2 2 , dp n) 1 − pi i cp n)

 1 − 1 + p−n/2

2

 r i

1 pi

d2 n) − 1.

n

uriy o

i n

m

on • •

Pn x) n>

fA

p

q−1 fA

dp n)

1 01



f

q−1

B

cp n) f . S q − 1)/ r tpr m sors. W P

q + 1)/

r r l t ly pr m

Pr or A) − q − 1) 1 − Pr or A) < q − 1)   j r Pr A q− /2 pi ∈ Z − −1− i

q

/2 pi

rs t y

∈Z



i j

j

1−

 Pr A

um

 Pr Pn x)

sf

q−

/2 pi

 x)

i

r



 Pr Pn x)

sf

q

 x) .

/2 pi

i j

t

ot r  Pr Pn x)

r Sp n) s t o

p.

ts  Pr Pn x)

sf

um

q−

r o m o

/2 pi

u tSp n) >

q n

sf

 x)
1−

q−

/2 pi − n

Sp n)


0,

v





,

o “ om o n ou ”p m u ion i v n u l n o ion m u ion n o i om o n ou w n o ll o i lw ou m num o po i l l x on ip x .

n t n w

,

− − ≤ ( 22

)−

(

2

v

w



n i ion . .( i w .)

o m 10 o p ovin

v ⇒

e

n t rp r t t n s n o o i in u i (wi n on -n li i l p o ili ) p m u ion n om o n ou p m u ion n o om ul n om p m u ion n n m m u kn ow l num o l x / ip x p i . (M o o 2 p i l i num m u in n n pol n om i l in t r l x / ip x p i m .) m r ip m u

l ion ”) n

( u no in .

qu iv l n ) n o ion

n

ou n

in 11 (“m u l-

o

i s

m r 2 n om v p i l u l n “ on p u o n om n n m p in i im o n m i o i in u i p m u ion n i p ip x p i u n on l n n u “ om o n i ” m p u o n om n . ow v w in “v on p u o n om n ” n n o wi ppli ion in m in . u

x

m p ( own in 7 n 2 2 ou wi w Ψ ). n 7 ( n u n√ qu i  2 w u om o n i p m n om n

r k

i p op o ”i n o n ou . o n p ion m . n p ion l o i o w ol v w u p i m o n u o u on p u v

m

n

“ om o n i ”m x m pl l u um u lo um m om ul n om o l x/ o lp i in u i in . l p op n on o “ om o n i ” n n u l in p oo

us

t 2) p. 31 (o in 1 p. 309) i Ψ n Ψ 2 2 − n p o ili − − 2 i 2 2 2 o i wou l wi ul n om p m u ion o 2 (in 1) i ul w u o ow u i ou n iv n ko o Ψ in o n- l x k i i ( k m o n u − − ). i u l o ow Ψ i n o om o n ou n n on op pp wi on l wo (v p i l) m .

on p m u ow v Ψ i v • m n ion ov ( ) 2 n ). ( o Ψ iv n in i l o p oo o v

m p

2 ( − v lu

n Fn • 2•n

o ou will on 62

i x (o r M o r ) o n s

s

Ψ• s n t

6

m s wi

in

Ψ• s n t

t

)



2 2

m

i i w om o n ou ). low. o Ψ6 n



2

− .

o Ψ wi xp il

ion n o (n o Ψ w p oo o on p u o n on p u o n om n .)

i

l p oo o

ou

2 Fn • 2•n

im il

(in p op

us

n i n − 2 n Ψ Ψ 2 2 2 2 2 − 2 − 2 i ou wi w i n p o ili 2 n o Ψ ). o Ψ wou l wi ul n om p m u ion o 2 (in i n o om o n ou n n on - om o n i p op pp wi on l wo (v p i l) m .

q

n

s

ri n

m

r ow v in w v wo qu ion − − ) i n on - om o n i p op 2 m in o n- l x k (in ov o Ψ ). Ψ• s n t

63

m p Ψ6

(

m

n

t

wo in i ( wou l √ qu i 2 m o

ou

us

) o

1 23 . n i i i po i l o p ov p o − − n − 2 − − i wou l wi ul n om p m u ion o n on xpl in in x m pl 2 low. n

n

2

ili 2 i l ou wi w (in o Ψ 6 ). p oo 6 o Ψ i n o om o n ou .

2

1

2 2

2

3

u

2

d

u

d

2 2

m p

2 (

t 2

1

9) 3



0

o o m

o o − (− o 2 l m n on

7

(X ( lin )

) )

9

−o 2 l m n u

on

m

d

olu m n

0 o

u

o

o o

− d

( (X X

d v lu

Ψ6 . im il l o

l

o 1 ≤ ≤ 9. −0 n −0

−0 n −0 wo i in wo i in v lu o .

) )

o

u

v lu ⎪ ⎪ ⎪ ⎪ ⎪

o

w

i s

7 7

l ion p n w will low • Fn • o 2F•n• n 2 • • n in om o n ou .

Pr X ⎪ ⎪ ⎪ X ⎪ ⎪ X7 ⎪ ⎪ ⎪ ⎪ ⎪ 2

on i

(X

X2 X X

X X6 X

l ion

7

v lu om o n ou

6 o Ψk

o



− − N ∗ Ψ• s n t im pli i w um 2. Ψk on u ion iv n in x v lu o i

•• •

• k−• •

v lu o o

n

⎪ ⎪ ⎪ ⎪ ⎪

2

− −

6 7 7

− −

2 6

p

n

Fn • 2••n

in u 3). 1≤ ≤9 n

6

6

6

i Ψ6 w

m

n

6

6

w i

6

om

n on i ion

−X

i w

− . − . 7 on i in

.1) n

− −6 2

us

vn ( p oo i v o 1≤ ≤ . x m pl 2 o Ψ 6 .

y

X (

n

om o n ou ).

i

t

i Ψ6

u ⎪ ⎪ ⎪ ⎪ ⎪

− −6 −2 −2 − 2 (in

− −

2

X . M o ov w v v lu o i ov i ll on i ion ( ) i xpli i l w i n in ion .1 o Ψ 6 ). o x m pl ⇒ X − X − in X ⇒ − − in im il l 7 7 7 7 − o om x v lu o ( iv n in ion on l u (X ) w v

l im

− −

6 7

in u 3). o u xp i i w

− − lo X

2

6

X − X −

7

ll

⎪ ⎪ ⎪ ⎪ ⎪

) v lu

6

( ll

n

− −

2

n l i no

⎪ ⎪ ⎪ ⎪ ⎪

− −

6

6

( ll

i x (o r M o r ) o n s

n

2

⎪ ⎪ ⎪ ⎪ ⎪

m s wi

− −k −2 2k

im il w n i ll

•• •

• k−• •

n n

i o ). liz o

q

s

ri n

w X ... X k−2 v i l in m i ou n v i l n w ( ) no on i ion on qu li i ( ⇒ X − X − ). p oo o i o m u l i n o iffi u l n i iv n in p. 13 . • 2 ( k ). k − − 1 p i wi i in n n on -z o v lu o . ... − − l o − 1 p i wi i in n n on -z o v lu o . ... − 1≤ ≤ i qu li i u v lu w n m o li in u . ( o im pli i w o n o w i qu li i xpli i l ). t

⎪ ⎪ ⎪ ⎪ ⎪ ⎪ t

−o 2 l m n u

on

m

d x o X

o m ul ... X

iv n

k−2

2

wi





o . n

k − Fn − 2 • nm

o o



2

... X ... X lin )

2

X X

k− k−2

... X ... X

k−2 k−

X

d d

ov o i

w

u qu li i

− −k −k −2 k 2

o p

n

pon in in

m u



k•

− 2 k−2 (in l im

X X m

u

k−2

X

0

olu m n

− 2 k−2 o

o o on

− (− o 2 l m n

⎪ ⎪ ⎪ ⎪ ⎪ ⎪

n o v lu n

0



i Ψk w

− −k −2 2

om o n ou ).

o

Ψk i n o

om o n ou

on lu ion Ψk Ψk

m r ou qu li 3o ion 3)

ee

e e e

Ψk i n v o p u o n om n o iffi u l .

e



( i w

u p i

om o n ou m o Ψ k on



u

o u ) xpl in w ion ( u

p oo o m

.

o

i s

m s wi

i x (o r M o r ) o n s

9

m

r 2 n ion . in o o iv n xpli i on u ion wi n on k• 2 O ( ) w i num om o n ou p op w v k n o ou n o - on u ion o in w n in . i po i l o p ov i in w n i w n i x n ll v lu o on v in o m v lu w n n o in n i . ( i p op n p ov wi “M kov in ” o o x m pl ).

r

s

P u o n om Ψ Ψ2 Ψ Ψ Ψ Ψk



No No O O ≤O ≤O



(2 n ) • (2 n ) • (2 • n ) • (2 • n +

u

n No No No O ≤O • ) ≤O 2•n u

on p u oon om p u o n om No No No • • (2 n ) O (2 n ) • • (2 n ) ≤ O (2 n ) • • • • (2 • n + 2 • n ) ≤ O (2 • n + 2 • n ) u

Ψk

u

om o n ou No No No No No No ud

d

u n u w p n kn own ul ou qu li i o on u ion wi ou n . o x m pl w in i u Ψ i no on p u o n om ( i i w i n “No”) u i i p u o n om wi • o n- l x k. n vn o O (2 n ) o lo Ψ i v on p u o n om wi n vn o • • o n- l x k n o m o O ( 2 n ) in o nm o O (2 • n ) in ip x n o n- l x k. “ m o ” m n w o n o kn ow • • o n o i i n op n p o l m . i O (2 • n ) n O ( 2 n ) ou n im il op n p o l m own in u w n “≤” m ol pp . vn i n li i l w on u in 1991 o Ψ6 o Ψ7 lon i n li i l om p o 2. i i ill u n p ov n w ll ollowin p op e no

− + −

e Ω(2 )

op n p o l m

w m n ion

e

e

- e i

e e

e

e

ollowin e

e e

?

s n o o im p ov o p u o n om u n

p ov u i ion v iou u

ou n o p u o n om p m u ion o v u n w i n o

0

q

s

ri n

p m u ion n o (1 3 10 ). i om om p oo m u i o o in in m o i m n in o i in l on u ion . ow v in 1 n u n ion wi im p ov u i ou n no lon i ion n in 3 n 10 i n o p m u ion i n i l l im pl om p o on u ion . ou l w on lu n w on u ion ll v u i p op i n - on u ion ? ou l w o v lop n w n u n p ion m on n w on u ion ? i i on l “ ni l p o l m ” n i - on u ion in u on u ion u wi m o iffi u l p oo ? i qu ion i n o om pl l olv . ow v w v n in i p p u i p op i o - on u ion wi ix (o m o ) ou n in n w w p ov o ou m . Nv l w v n wo n w n u l n o ion ou qu li o on p u o n om p m u ion on p o “v on p u o n om n ” n on p o “ om o n ou p m u ion ”. v n no - on u ion iv om o n ou p m u ion . i ul m u p iin in i ow w v num o ou n o - on u ion m ill om “n on - n om pl ”in u l in p m u ion ( ow v w ou n n m i no l o oo l x o ip x o i k in o o in on o pl m i p u o n om ). v n ll iv n w ill op n qu ion ou u ko -lik n l i o i l m .

R

r .

s

. i o

.M.

y

9 . .M. or ( on o y. . .M

.V nk . .

s n ’9 p ri n

koff

M

i n o

) p or o ry o om p

o rn

on

om p

i n

vo .

n.

P ro ni o o q im o n o m p 9 00 . r i m i n ry v rsi on i n ro . 9 i n 99 p p . 9-99. o p p r i n

rr

. M r r .M ss y ry p o o y vo . p p . . . ri n P ’90 . . ri n ri n

p p . 0 - 0.

O

’9

.

. .

rV r

. .

- 9 99 . P p ri n rV r ’9

p ri n si s

rV r P ni v rsi

p ri n

rV r

pp.

p ri

P : i on o m p xiy nn. M ym p . o rn o ry p o pp.

9-

. o rn

o -

p p . 9 -0 . pp. 0- . P ri sV ov m

-

r 99 .

o 9. . ri n on r n on 0. 0. . ip rzy k . .V o rm

om p

n y p ri r

r n

i s

m s wi

i x (o r M o r ) o n s

o m m ni i o ns

’90 p ri n P p ri 99 s i on

rV r . “

riy pp. sm

p ri -

99

M -

pp.

0- 0. . . si s i p rm i o ns” .

o

Monkey: Black-Box Symmetric Ciphers Designed for MONopolizing KEYs

Adam Young (Dept. of Computer Science, Columbia University, [email protected]) and Moti Yung (CertCo, New York, NY, [email protected], [email protected])

Abstract. We address the problem of designing black-box symmetric ciphers that leak information only to the designer. We show how to construct a cipher, which we call Monkey, that leaks one key bit per output block to the designer of the system (in any mode). The key bit leaks only if a particular plaintext bit is known to the designer (a known bit/message attack, which is typically available in plain settings). The attack, of kleptographic nature, gives a unique advantage to the designer while using strong (e.g. externally supplied) keys. The new difficulty with the design of a proof-of-concept block cipher is that it is deterministic (previous attacks exploited randomness in key generation and/or message encryption/signature) and the fact that we do not want any (statistically) observable property of the encoding (e.g. the validity of the ciphertexts should not fail when keys change, etc.). Distinguishing between the entities, the designer, the reverse engineer and the user, we show a generic methodology that assures that (1) if the device is not reverse engineered, the attack is secure (namely the cipher is good) and undetectable; (2) if the device is reverse engineered, then the reverse engineer can learn at most one plaintext bit from every ciphertext (but no past/future keys); and (3) the designer learns one plaintext bit and one key bit from each ciphertext block (in any mode). The method is therefore highly robust against reverse engineering.

Keywords: design methodologies for symmetric ciphers, secret cryptographic algorithms, spoofing, kleptographic attacks, trust, software vs. tamper-proof hardware designs, tamper-proof reverse engineering, public scrutiny.

1 Introduction. The government has proposed recently a classified secret block cipher called Skipjack as part of the Clipper initiative. Furthermore, since the mid 80's the NSA's Commercial Endorsement Program has been active trying to base cryptography for secure computer and communications on tamper-proof devices (see [ref.], page 98). The motivation of this paper is to investigate


the possibilities of designing secret symmetric ciphers with sophisticated trapdoors that are hard to detect and are immune to reverse engineering, and at the same time maintain the basic properties of block ciphers. The issue is essentially methodological, as it points at potential non-trivial leakage attacks which are possible with black-box cipher designs as opposed to public designs. (Our goal is neither to undermine Skipjack nor to claim any concrete attack; we merely point at what we believe is a threat to secret designs, that is, beyond giving trivial known advantages.) We first note that it is easy to mount attacks on secret devices, e.g. by fixing their keys. Such a trivial advantage of an easily reverse-engineered secret cipher (reverse engineering has been shown to be a concrete possibility recently, and can be done by a company with a well-equipped micro-electronic laboratory) risks the designer's unique advantage (of getting other past/future keys). Thus, one may argue that such designs will not be put to use (e.g. by an agency which is concerned about losing out to the resourceful companies). On the other hand, with a unique advantage even after reverse engineering, a designer of a secret algorithm will have less hesitation to put it in general use. The above simplistic attack is also easily detectable, when encryptions "under supposedly different keys" turn out to be identical. Another attack is by adding an encryption of the key under a secret designer key to ciphertexts; this will be easily noticeable due to data expansion. It will not be possible to classify such designs as a cipher. Yet another attack is by designing secret devices using pseudorandomness known to the attacker. However, block ciphers are deterministic functions, such that when given the same input with the same key, the same result is expected.

Thus, one may employ pseudorandomness for encryption which is derived from the key and message, but then the encryption depends strongly on the key, which is unknown to the designer (attacker). Ignoring the key or using only a partial key is statistically detectable. Moving ahead, we then notice that when we resort to known message attacks we may once in a while leak key bits, so such attacks can be more powerful in attacking. This leakage should not destroy the quality of the cipher (e.g. make it insecure w.r.t. differential or linear cryptanalytic attacks or other statistical attacks). We would like to go even further and have the cipher be immune to reverse engineering, which is characteristic of "kleptographic attacks" on black-box devices (e.g. tamper resistant hardware). This means, for example, that the pseudorandom function's permanent key is not exposed after reverse engineering. If it were exposed, then the secret keys used with other devices would be exposed. We hope that the above discussion reveals some of the reasons behind the methodology we propose herein.

There has been much recent work on designing cryptosystems to leak secrets securely and subliminally to the designers. The basic notions and attacks, as well as tools that accomplish them, were developed in [96, 97]. Specifically, they introduced the notion of SETUP, which stands for Secretly Embedded Trapdoor with Universal Protection. In their attack it is a secretly embedded trapdoor (public key) that

1 24

m

o ung

ot

ung

is u se to se u rely le k th e se ret in orm tion ou t o th e ryptosystem . h eir tt ks re g e re spe ifi lly tow r s pu li key system s n exploitr n om n ess n su lim in l h n n els 9 in key g en er tion m ess g e en ryption n sig n in g . ere we sh ow h ow to per orm th ese tt ks on eterm in isti sym m etri lo k iph ers th t re se ret. e will propose esig n we ll on key” . he on key’ is g en er l esig n ( m eth o olog y). or on reten ess n l rityo presen t tion we g ive n lg orith m wh i h u ses n 80 itkey n h s lo k size o 6 its. h e esig n h s n spe twh i h is in h eren tlym ore h llen g in g th n tt ks. N m ely we w n tto llow stron g iph er n th e u se o th e tu l l rg e keysp e (th tis to esig n re l lo k iph er) n lo k iph ers in tu rn re eterm in isti lg orith m s (im plem en tin g perm u t tion wh i h is len g th -preservin g ). h e tt ker n n ot on trol th e h oi e o (stron g n r n om ) keys u se yth e iph er (we w n t to llow extern l sou r e keyin g ). u rth er th e tt ker n n ot kn ow wh en it h s ess to m ou n t th e tt k (we n n ot ssu m e som e p rti l on trol over th e evi e oper tion ). n ll th e e rly work on s th e t th tth e pu li key lg orith m s (key g en er tion or sig n in g ) were pro ilisti in n tu re w s exploite . h u s th e n tu r l u estion is h ow n we esig n kleptog r ph i tt ks in th is u lly eterm in isti settin g ? n th e presen t p per we sh ow th ti we re le to m ou n tm in im listi kn own -pl in text tt ks (kn own itper m ess g e) th en lose pproxim tion to tt k ( lle u si) n e per orm e on sym m etri iph er with se retspe ifi tion (th e n otion o u sim y e o in epen en tin terest). h e tt k g ives ex lu sive v n t g e to th e esig n er s in n h s stron g prote tion g in st reverse en g in eerin g (wh i h is n ee e g iven th e poten ti l o reverse en g in eerin g o t m per resist n t evi es wh i h h s een em on str te re en tlyin som e settin g s K 96).

Our attack bears resemblance to SETUP attacks; let us recall what a SETUP is and then define our quasi-SETUP attack. The following is the definition of a regular SETUP [YY97a].

Definition 1. Assume that C is a publicly known cryptosystem. A SETUP (Secretly Embedded Trapdoor with Universal Protection) version C' of C is a modification of C such that:
1. The input of C' agrees with the public specifications of the input of C.
2. C' computes efficiently using the attacker's public encryption function E (and possibly other functions as well) contained within C'.
3. The attacker's private decryption function D is not contained within C' and is known only by the attacker.
4. The output of C' agrees with the public specifications of the output of C. At the same time, it contains published bits (of the user's secret key) which are easily derivable by the attacker (the output can be generated during key generation or during system operation like message sending).
5. Furthermore, the outputs of C and C' are polynomially indistinguishable to everyone except the attacker.
6. After the discovery of the specifics of the setup algorithm and after discovering its presence (e.g. by reverse-engineering the hardware device), users (except the attacker) cannot determine past (or future) keys.

Footnote: we call our method "Monkey" because it "monkeys around with the user's key" and, as the acronym in the title says, is designed for MONopolizing KEYs.

The kleptographic attack presented in this paper is what we call a quasi-setup. The following is a formal definition of a quasi-setup as specified in this paper.

In [YY96] a setup attack was given on RSA key generation devices. It was shown how an RSA key generation device could be designed to output a public and private key pair such that the upper order bits of the public key can be used by the designer to compute the corresponding private key. More generally, they prove that any cryptosystem that contains a subliminal channel contains a SETUP version. In [YY97a] it was shown how one of the exponents in Diffie-Hellman key exchange can be securely and subliminally leaked to the designer over the course of two (wlog) consecutive key exchanges. This setup attack was the first setup attack that did not make use of explicit subliminal channels but rather generated channels for leakage due to repeated executions. In [YY97b] setup attacks were given for the ElGamal public key cryptosystem, the ElGamal Digital Signature Algorithm, the Digital Signature Algorithm, Schnorr and other systems. The attacks on the signature schemes leak the private signing key over the course of two (wlog) consecutive signatures. All the above attacks use randomness employed by the cryptosystem.

Rijmen and Preneel [RP97] gave a much more ambitious direction which is different from ours. They suggested the construction of the first example trapdoor ciphers, demonstrating that even an open design has to be justified or pseudo-randomly generated to avoid potential spoofings. (How secure their design is, and whether strong trapdoors exist at all, are still open.) Indeed, the potential existence of trapdoor ciphers already points at a difficulty with secret designs. We will show that with Monkey the attack is assured, and also that the attack can be based on minimal knowledge (a known bit attack) and the length of a key recovery attack can be much shorter than the attack based on the specific trapdoor ciphers in [RP97] (these are of course advantages of attacks on hidden designs, which are easier in nature). An approach to generating "trust" in a secret cipher design was attempted by producing a report of an inspection team in 1993 in the context of Skipjack (for more about that report see [BDKKT93]). The subtleties presented here may potentially cast some extra doubts on a secret way to assure trust by a known team (since one does not know how much the team knows and what information was made available to it). However, we must mention that by the same token we cannot have any concrete complaint against the specific report above. Finally, let us mention that in the context of the recent NIST initiative to design the next generation block cipher standard (AES), the work here reinforces the notion of public scrutiny of suggested standards (to avoid various trapdoors, which are indeed possible).

The Monkey secret symmetric cipher takes an 80 bit symmetric key as input in addition to 64 bits of plaintext. It outputs a 64 bit ciphertext block. Monkey uses for pre-computations the SMALL1 public key cipher to be described. We assume that Monkey is a secret cipher. This is of course nonsensical since we are publishing it now. What we mean is that our suggestion is an instance of a methodology of design, and we can assume that a cipher like it (a variant) may be kept secret and implemented. We assume that it is tamper-resistant so that it is hard to get. Methodologically, what is important is this last fact (of being hard to get, i.e. black-box to the user) and not the exact physical assumption about tamper resistance (we are fully aware of recently discovered weaknesses of certain such claimed designs, while we are aware of other designs which were not reverse-engineered so far).

In [SOOS95] a fast key exchange algorithm was given that uses elliptic curves. In their scheme the curve E is a set of points (x, y) with x and y lying in the publicly defined field F_{2^155}. They implement Diffie-Hellman over this curve using a point P on E. This scheme appears to be secure as long as the index calculus method cannot be extended to elliptic curves. It is a trivial matter to define a public key encryption algorithm based on Diffie-Hellman over E. Suppose Alice wishes to encrypt the message m, where m is 80 bits in size. Alice wishes to send this message to Bob, whose private key is x, where x is in the range 2..order(E)-2. Bob's corresponding public key is the point y = xP. To send the encryption of m, Alice chooses a random integer r in the range 2..order(E)-2 and computes rP by iterating the addition of P using the "double and add" scheme. Alice then computes z = ry. Alice can then use some or all of the shared secret string H(z) to encipher the value m to get the value c. Here H is a suitable hash function. Note that c need only be as large as m. Alice then sends (rP, c) to Bob. Decryption is straightforward. Note that Alice sends Bob 310 bits corresponding to rP plus 80 bits that constitute c. Hence Alice sends Bob 390 bits of information. Note that this ciphertext size is smaller than what is possible using RSA with a 512 bit modulus. In this paper we define this to be the SMALL1 public key cryptosystem. Hence SMALL1 uses a random parameter r that is at least 2 and at most order(E)-2 and takes a public key y as input. SMALL1 takes 80 bits of input data m' and produces a 390 bit ciphertext c'. The operation of SMALL1 is denoted by c' = SMALL1(r, y, m'). Let SMALL1^{-1} denote decryption. Hence m' = SMALL1^{-1}(x, c').

The designer chooses a keyed pseudorandom function F that takes as input a large seed (key) s and a 63 bit input x and produces a 63 bit output y. For an explanation of how to construct pseudorandom functions see [GGM86]. The operation of F is denoted by y = F(s, x). The designer also chooses two seeds s1 and s2 uniformly at random (from the seeds of the given length). The designer chooses a private key x randomly for use in SMALL1 and computes the corresponding public key y. The designer puts (F, s1, s2, y) in the black-box device and keeps x private.

Encryption: Let K denote the 80 bit key of the user. The user wishes to use the black-box device to encrypt the 64 bit plaintext message m to get the corresponding 64 bit ciphertext c. The operation of Monkey is denoted by c = Monkey(K, m). The device contains a secret symmetric block cipher called CIPHER1. CIPHER1 takes a 63 bit symmetric key k' and a 63 bit plaintext m'. CIPHER1 produces a 63 bit ciphertext c'. We denote the operation of CIPHER1 by c' = CIPHER1(k', m'). The corresponding decryption operation is CIPHER1^{-1}; hence m' = CIPHER1^{-1}(k', c'). Let H denote a cryptographically secure hash function (e.g. a collision intractable function or a pseudo-random function) that maps {0,1}^80 to {0,1}^63. G is a random function that maps {0,1}^80 to a value in the interval 2..order(E)-2. The following is the computation of Monkey(K, m) to get c:

1. m' is set to the lower order 63 bits of m
2. k' = H(K)
3. c' = CIPHER1(k', m')
4. the lower order 63 bits of c are set to c'
5. r = G(K)
6. c'' = SMALL1(r, y, K)
7. i = F(s1, c') mod 390
8. b is set to the i-th bit of c''
9. z = F(s2, c') mod 2
10. p is set to the most significant bit of m
11. the most significant bit of c is set to be b ⊕ z ⊕ p

Decryption: The following is the operation of Monkey'(K, c), which returns m:

1. c' is set to the lower order 63 bits of c
2. k' = H(K)
3. m' = CIPHER1^{-1}(k', c')
4. the lower order 63 bits of m are set to m'
5. r = G(K)
6. c'' = SMALL1(r, y, K)
7. i = F(s1, c') mod 390
8. b is set to the i-th bit of c''
9. z = F(s2, c') mod 2
10. p is set to the most significant bit of c
11. the most significant bit of m is set to be b ⊕ z ⊕ p

Secret key recovery: Suppose that we manage to obtain 390 ciphertexts c_0, c_1, ..., c_389 such that we know the least significant bits of the 390 corresponding plaintexts. Suppose further that F(s1, c'_j) mod 390 for 0 ≤ j ≤ 389 is a permutation on 0, 1, ..., 389. The following algorithm computes the ciphertext bit in c'' corresponding to c_j.

1. c' is set to the lower order 63 bits of c_j
2. i = F(s1, c') mod 390
3. z = F(s2, c') mod 2
4. p is set to the most significant bit of m_j
5. p' is set to the most significant bit of c_j
6. output b_i = p ⊕ z ⊕ p'

The above algorithm is applied to c_0, c_1, ..., c_389 to recover the ciphertext c''. We then decrypt c'' using x to recover K. We chose the most significant bit since if the plaintext is ASCII, for instance, this bit is known to be zero. In fact, since the block size is 64 bits, if the plaintext is ASCII we can leak using a width of 8 bits. Another possibility is to compress the plaintext (when possible) and then use high order bits which are known; decryption will decompress.
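The encryption, decryption and designer-side key recovery above, as an added toy simulation that is not the paper's code. CIPHER1 is modelled by an XOR with a key-derived pad and F, G, H by HMAC-SHA256 (HYPOTHETICAL stand-ins), and SMALL1 by textbook RSA over two known Mersenne primes, so the leaked ciphertext c'' has 150 bits rather than 390; instead of assuming that F(s1, c') mod 390 is a permutation, the recovery keeps collecting pairs until every position of c'' has been exposed, and reports failure otherwise.

```python
"""Toy model of the Monkey quasi-setup (constructed example, not the paper's code)."""
import hashlib
import hmac
import random

# --- HYPOTHETICAL stand-ins for the paper's primitives -----------------------
P, Q, E = (1 << 61) - 1, (1 << 89) - 1, 65537      # known Mersenne primes; textbook RSA
Y_PUB = P * Q                                      # "y": public key placed in the device
X_PRIV = pow(E, -1, (P - 1) * (Q - 1))             # "x": the designer's private key
CT_BITS = Y_PUB.bit_length()                       # SMALL1 ciphertext length (390 in the paper)
MASK63 = (1 << 63) - 1
KEY_BYTES = 10                                     # 80-bit user key K

def prf(seed: bytes, data: bytes) -> int:
    """Keyed PRF stand-in for F (and for G, H): HMAC-SHA256 as a 256-bit integer."""
    return int.from_bytes(hmac.new(seed, data, hashlib.sha256).digest(), "big")

def cipher1(k1: int, block: int) -> int:
    """63-bit CIPHER1 stand-in: XOR with a pad derived from k1 (so it is its own inverse)."""
    return block ^ (prf(k1.to_bytes(8, "big"), b"cipher1") & MASK63)

def small1_encrypt(y: int, r: int, m: int) -> int:
    """SMALL1 stand-in: textbook RSA of (r || m); r is 64 bits, m is 80 bits, so (r||m) < y."""
    return pow((r << 80) | m, E, y)

def small1_decrypt(x: int, c: int) -> int:
    return pow(c, x, Y_PUB) & ((1 << 80) - 1)

def H(K: int) -> int:      # {0,1}^80 -> {0,1}^63
    return prf(b"H", K.to_bytes(KEY_BYTES, "big")) & MASK63

def G(K: int) -> int:      # {0,1}^80 -> randomiser r for SMALL1
    return prf(b"G", K.to_bytes(KEY_BYTES, "big")) & ((1 << 64) - 1)

def leak_index_and_mask(s1: bytes, s2: bytes, c1: int):
    """Steps 7 and 9: i = F(s1, c') mod CT_BITS and z = F(s2, c') mod 2."""
    c1b = c1.to_bytes(8, "big")
    return prf(s1, c1b) % CT_BITS, prf(s2, c1b) & 1

class MonkeyDevice:
    """The black box: it holds (F, s1, s2, y) but never the designer's x."""
    def __init__(self, s1: bytes, s2: bytes, y: int):
        self.s1, self.s2, self.y = s1, s2, y

    def _top_bit_mask(self, K: int, c1: int) -> int:
        c2 = small1_encrypt(self.y, G(K), K)          # steps 5-6: c'' = SMALL1(r, y, K)
        i, z = leak_index_and_mask(self.s1, self.s2, c1)
        return ((c2 >> i) & 1) ^ z                     # b XOR z (steps 8-9)

    def encrypt(self, K: int, m: int) -> int:
        c1 = cipher1(H(K), m & MASK63)                 # steps 1-4
        return ((self._top_bit_mask(K, c1) ^ (m >> 63)) << 63) | c1   # steps 10-11

    def decrypt(self, K: int, c: int) -> int:
        c1 = c & MASK63
        return ((self._top_bit_mask(K, c1) ^ (c >> 63)) << 63) | cipher1(H(K), c1)

def recover_small1_ciphertext(s1: bytes, s2: bytes, pairs):
    """Secret key recovery, steps 1-6, over (ciphertext, known plaintext MSB) pairs.
    Returns c'' once every bit position has been exposed, else None."""
    bits = {}
    for c, p in pairs:
        i, z = leak_index_and_mask(s1, s2, c & MASK63)
        bits[i] = p ^ z ^ (c >> 63)                    # = b_i
    if len(bits) < CT_BITS:
        return None
    return sum(bit << i for i, bit in bits.items())

def reverse_engineer_plaintext_msb(s1: bytes, s2: bytes, c2: int, c: int) -> int:
    """What a reverse-engineer (knowing s1, s2 and c'' but not x) learns: one bit per block."""
    i, z = leak_index_and_mask(s1, s2, c & MASK63)
    return ((c2 >> i) & 1) ^ z ^ (c >> 63)

def demo(n_msgs: int = 3000, seed: int = 1) -> dict:
    """Constructed run: ASCII-like plaintexts (MSB 0) under one user key K."""
    rng = random.Random(seed)
    s1, s2 = b"seed-s1", b"seed-s2"
    dev = MonkeyDevice(s1, s2, Y_PUB)
    K = rng.getrandbits(80)
    msgs = [rng.getrandbits(63) for _ in range(n_msgs)]
    cts = [dev.encrypt(K, m) for m in msgs]
    roundtrip = all(dev.decrypt(K, c) == m for c, m in zip(cts, msgs))
    c2 = recover_small1_ciphertext(s1, s2, [(c, 0) for c in cts])
    K_designer = None if c2 is None else small1_decrypt(X_PRIV, c2)
    # a later message with MSB 1: the reverse-engineer gets its MSB from c'' alone
    c_new = dev.encrypt(K, (1 << 63) | 12345)
    msb = None if c2 is None else reverse_engineer_plaintext_msb(s1, s2, c2, c_new)
    return {"roundtrip": roundtrip, "K": K, "K_designer": K_designer, "msb": msb}
```

Statistical testing of the box's output would not reveal the channel, which is the paper's point: one bit per block is masked by the pseudorandom z and only the holder of x turns c'' back into K.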

The above cipher is a concatenation of two secure ciphers. The problem is the separability of the ciphers, so that messages that differ only at the last bit have ciphertexts which also differ only on that bit. (This separability in general may help in attacks like chosen message attacks. This is the case here, as messages come in pairs, and when they differ on the last bit the ciphertext of one implies that of the other in the pair.) This can be overcome by cascading ciphers. Namely, by post-processing (pre-processing in decryption) with CIPHER2, which employs (say at least four) Feistel transformations based on Luby-Rackoff's construction [LR88] with a fixed secret pseudorandom function. This spreads the local difference in the last bit only uniformly over the resulting ciphertext. Another aspect that we did not cover carefully is the sizes of the various keys (of the pseudorandom functions). If we need larger keys in total we may derive these keys pseudorandomly (using a secret fixed internal seed) from the given key.

There are two perspectives with which to analyze the security: the black-box perspective and the perspective of an attacker who is able to reverse-engineer the device (hence no black-box assumption). In this section we consider both of these in turn. We assume that the ciphers CIPHER1 and SMALL1 and the pseudorandom functions G, H and F used are secure.

Now we assume that a given user is unable to reverse-engineer the black-box device. It follows that C is a black-box cryptosystem with private specification from the user's perspective. We note that a specific "security of a block cipher" is not defined here (of course such a generic definition does not exist). Our general methodology therefore attempts to preserve within the overall Monkey design whatever "security notion" CIPHER1 has, based on the strong security properties of the other building blocks (pseudorandom functions and permutations). One may argue that what we assume are heavy cryptographic tools; but this should not be a problem at this stage of the development of the methodology. Indeed, we leave open the issue of the minimal assumptions needed as well as the efficiency of the design of ciphers with quasi-SETUPs. What we claim is:

Claim 1. Assume that CIPHER1, CIPHER2 and SMALL1 are secure ciphers and that G, H and F are secure pseudorandom functions. Then Monkey is a secure symmetric cipher with respect to a user who cannot reverse-engineer the device.

Proof. c' constitutes a secure encryption of m' since CIPHER1 is a secure symmetric cipher. It remains to show that the least significant bit of c constitutes a secure encryption of the least significant bit of m. Since F is a secret pseudorandom function and since s2 is unknown, it follows that F(s2, c') is random and unknown to the user. Thus z = F(s2, c') mod 2 is a random secret bit with respect to the user. Since this bit is exclusive-or'ed (one-time pad) with the least significant bit of m, the least significant bit of c constitutes a secure encryption. Now the two secure values give two separable encryptions and can be viewed as a secure block cipher on 63 bits concatenated to a one-bit strong stream cipher encryption. The further Feistel-like transformations in CIPHER2, based on a pseudorandom function, which strengthen the design assure strong inseparable encryption (due to the "avalanche" properties of pseudorandom functions) and prevent easy chosen message attacks. The overall cipher can be viewed as two ciphers cascaded. The cascade is as secure as the first cipher (or as each of the ciphers, for weaker attacks) [MM93, EG85]. QED.

Recall that if the pseudorandom function (its key) is not known then the value of the function at a point cannot be approximated even in a very liberal sense, even if the values of the function at polynomially many other points are also given [GGM86]. It is this property of pseudorandom functions that makes this attack secure; practical designs of pseudorandom functions can be based on iterated strong block ciphers with large keys. Only a minimal amount of security, at best, is sacrificed by using the 63 bit block cipher CIPHER1 as opposed to a true 64 bit block cipher (e.g. it is very easy to modify DES to work on 63 bits). The additional bit encryption of the last bit is a strong cipher as well. Note also that cipher designs that are tunable to each size in small granularity (e.g. as in the NIST's AES specifications) have this disadvantage of being a potential CIPHER1 component in a Monkey design, where the difference (one bit in our case) is the amount of required known bits per message.

Now suppose that an attacker manages to reverse-engineer the device (thus CIPHER2 can be ignored hereafter). The attacker therefore knows (F, s1, s2, y) and the complete specification of the cipher Monkey. In this case the reverse-engineer is able to recover at most the least significant bit corresponding to the ciphertexts that are output by the device, as long as a sufficient number of known-plaintext bits are gathered. To see this, note that the reverse-engineer can recover the bit z from the secret key recovery algorithm in the same way as the designer. Since the reverse-engineer also knows p and presumably the least significant bit of m, he or she can exclusive-or these three bits together to recover one of the bits of c''. If the reverse-engineer gets a sufficient number of known plaintexts, the reverse-engineer can reconstruct c''. Hence, equipped with the value c'' for a given key K (not available in the device at the time of reverse engineering, i.e. a past or future key), the reverse-engineer can decrypt the least significant plaintext bits of all values encrypted with K. Can the reverse-engineer also recover the bits of K like the designer? The answer to this is no, as we will claim next.

Claim 2. Assume that CIPHER1 and SMALL1 are secure and that G, H and F are secure pseudorandom functions. Then a reverse-engineer of the device cannot learn anything about a past or future key K.

Proof. Consider the ciphertext values that result from a particular K. Since we assume that CIPHER1 is secure, the reverse-engineer is unable to learn anything about k', and hence K, from the 63 upper order bits of the ciphertexts alone. Note that the application of the pseudorandom function to c' to derive the least significant ciphertext bits has the effect of the application of a random oracle to c' to get the least significant ciphertext bits. Thus anything that can be deduced about K from all of the bits of the ciphertexts can be deduced from the least significant bits alone. So it remains to consider what can be deduced from the least significant bits of the ciphertexts alone. Since m, c and (F, s1, s2) are already known to the reverse-engineer, the reverse-engineer knows c''. It remains to show that nothing about K can be learned from c''. Since we assume that G is a secure random function, G(K) is a random string to the reverse-engineer. So, since SMALL1 is a secure public key cryptosystem, c'' = SMALL1(G(K), y, K) is a secure public key encryption of K. QED.

Claim 2 hinges on the fact that F and G are random functions and that SMALL1 is a secure public key encryption function. At the same time, Claim 1 argues that in the event that the device is never reverse-engineered and in the event that the designer never uses his or her power, Monkey is a secure symmetric cipher. Thus, in summary, the capability of users with respect to Monkey can be broken down into three different categories:
1. Users who are unable to reverse-engineer the device are unable to learn any plaintext.
2. Users who are able to reverse-engineer the device, when given enough known plaintext, are able to learn one plaintext bit of every ciphertext.
3. The designer, when given enough known plaintext, is able to learn all plaintext bits of every ciphertext (since it monopolizes the keys in use).

Given the above two claims, recall also that Monkey can be loaded with external keys. Monkey therefore constitutes a quasi-setup. Note that this paper provides motivation for having new public key cryptosystems that output very small ciphertexts (such schemes, with as yet hard to analyze security based on polynomial manipulation, have been designed e.g. in [Pat96]). If a public key cryptosystem exists that outputs ciphertexts that are, say, 200 bits in size, then far fewer known plaintexts need to be gathered to leak the secret key K securely. (The size of the public key block is related to the number of known messages required.)

We introduced the notion of a quasi-setup and demonstrated a symmetric cipher (Monkey) which constitutes a quasi-setup. We showed how to design a secret cipher that gives an unfair advantage to the designer and that is very robust against reverse-engineering. Our results imply that secret symmetric ciphers implemented in black-box settings should only be used if they come from trusted sources, and cannot simply be trusted based on extensive statistical testing. This strengthens the need for open cipher design efforts. We did not attempt to hide which "known bit" is required for the attack. It may be the case that in more convoluted ciphers, where this needed bit is not specified, the combination of internal stream cipher operations, pseudorandom operations like S-boxes and Feistel transformations, and exponentiation operations can even hide which bits are needed to be known (and may evade an inspecting team lacking the original design documents). Finally, efficient and minimal designs, and designs that maintain specific properties of block ciphers while enabling quasi-SETUP attacks, are left as open questions.

[AK96] R. Anderson, M. Kuhn. Tamper Resistance: a Cautionary Note. In Proceedings of the 2nd USENIX Workshop on Electronic Commerce, 1996, pages 1–11.
[BDKKT93] E. F. Brickell, D. E. Denning, S. T. Kent, D. P. Maher, W. Tuchman. SKIPJACK Review, Interim Report: The SKIPJACK Algorithm. July 28, 1993.
[EG85] S. Even, O. Goldreich. On the Power of Cascade Ciphers. ACM Transactions on Computer Systems, 3, 1985, pages 108–116.
[GGM86] O. Goldreich, S. Goldwasser, S. Micali. How to Construct Random Functions. Journal of the ACM, 33(4), 1986.
[LR88] M. Luby, C. Rackoff. How to Construct Pseudorandom Permutations from Pseudorandom Functions. SIAM Journal on Computing, 17, 1988.
[MM93] U. M. Maurer, J. L. Massey. Cascade Ciphers: The Importance of Being First. Journal of Cryptology, 6(1), 1993, pages 55–61.
[Pat96] J. Patarin. Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): Two New Families of Asymmetric Algorithms. Eurocrypt '96, pages 33–48, 1996, Springer-Verlag.
[RP97] V. Rijmen, B. Preneel. A Family of Trapdoor Ciphers. Fast Software Encryption '97 (E. Biham, ed.), Springer-Verlag.
[Roe94] M. Roe. How to Reverse Engineer an EES Device. Fast Software Encryption '94 (R. Anderson, ed.), LNCS 1008, Springer-Verlag.
[Sch94] B. Schneier. Applied Cryptography. John Wiley & Sons, 1994.
[SOOS95] R. Schroeppel, H. Orman, S. O'Malley, O. Spatscheck. Fast Key Exchange with Elliptic Curve Systems. Crypto '95, LNCS 963, pages 43–56, 1995, Springer-Verlag.
[Sim94] G. J. Simmons. Subliminal Channels: Past and Present. European Transactions on Telecommunications, 5(4), 1994, pages 459–473.
[YY96] A. Young, M. Yung. The Dark Side of "Black-Box" Cryptography. Crypto '96, pages 89–103, Springer-Verlag.
[YY97a] A. Young, M. Yung. Kleptography: Using Cryptography Against Cryptography. Eurocrypt '97, pages 62–74, Springer-Verlag.
[YY97b] A. Young, M. Yung. The Prevalence of Kleptographic Attacks on Discrete-Log Based Cryptosystems. Crypto '97, Springer-Verlag.

MRD Hashing

Rei Safavi-Naini, Shahram Bakhtiari, Chris Charnes
University of Wollongong, Northfields Avenue, Wollongong, NSW 2522, Australia
[rei, shahram, charnes]@uow.edu.au

Abstract. We propose two new classes of hash functions inspired by Maximum Rank Distance (MRD) codes. We analyze their security and describe two software implementations of the hash functions. The setup of the system is in general computationally expensive; however, we show that this computation can be completely avoided in certain cases.

A message authentication code (MAC) is a symmetric key cryptographic primitive that ensures message integrity in the presence of an active spoofer. It consists of two algorithms. A generation algorithm takes a message and a key and produces a tag, which is appended to the message to produce an authenticated message. A verification algorithm takes an authenticated message and produces a true/false value depending on whether the message is authentic or fraudulent. The key is only known to the legitimate communicants, and hence a valid tag can only be computed by them. An outsider's aim is to construct a fraudulent message acceptable to the receiver. Computationally secure MACs are usually constructed from hash functions by using the key in the hashing process. Such constructions are examined by considering the computational complexity of various attacks [10, 11] and by choosing the system parameters so that the complexity of the best attack exceeds the computational resources of the enemy. Constructions of this type are always subject to revision as new attacks become available. In provably (unconditionally) secure MACs the enemy has a provably small chance to tamper with the message, and no limit on the computational resources of the enemy is assumed. Wegman and Carter [16] investigated unconditionally secure MACs and gave a construction of efficient MACs with provable security. Their construction uses ε-almost strongly universal2 (ε-ASU2) classes of hash functions. Starting with Stinson's [14] composition method, new ε-ASU2 classes can be built from simpler ones, and the question of constructing ε-ASU2 classes reduces to the problem of constructing computationally efficient ε-AU2 functions.



Support for this project was partly provided by the Australian Research Council.

Wegman and Carter's construction was refined by Krawczyk [6], who showed that it only requires an ε-almost XOR universal2 (ε-AXU2) hash function. In this paper we make two contributions. Firstly, we introduce two new classes of hash functions which are inspired by MRD codes, and examine their efficiency in terms of key size in comparison with other approaches to hashing. The hashes are examples of Shoup's [13] evaluation hashing in which polynomial evaluation over GF(2^n) is replaced by matrix multiplication over GF(2), resulting in fast software implementations. The hashes have desirable properties such as small key size and flexibility in the block size of the hash. However, the system setup is in general computationally expensive. Next, we completely describe the 2-polynomials in GF(2^p), p prime, for which 2 is primitive modulo p. This result allows us to avoid the setup phase computation. Section 2 has the preliminaries. In Section 3 we describe the two classes of hash functions. Section 4 presents results on the hashing and compares it with bucket hashing, and summarizes the results on the 2-polynomials. Section 5 concludes the paper.

Unconditionally secure authentication systems measure security by the best probability with which an active spoofer can construct a fraudulent message acceptable to the receiver, with no bound on the spoofer's computation. Let m and n denote the input and output lengths respectively; a hash function is a mapping from A = F_2^m to B = F_2^n, and H denotes a class (set) of such hash functions.

Definition 1. A class H of hash functions from A to B is ε-almost universal2 (ε-AU2) if for all distinct x, x' ∈ A, |{h ∈ H : h(x) = h(x')}| ≤ ε|H|.

Definition 2. A class H of hash functions from A to B is ε-almost strongly universal2 (ε-ASU2) if (i) for every x ∈ A and y ∈ B, |{h ∈ H : h(x) = y}| = |H|/|B|, and (ii) for all distinct x, x' ∈ A and all y, y' ∈ B, |{h ∈ H : h(x) = y, h(x') = y'}| ≤ ε|H|/|B|.

Definition 3. A class H of hash functions from A to B is ε-almost XOR universal2 (ε-AXU2) if for all distinct x, x' ∈ A and all y ∈ B, |{h ∈ H : h(x) ⊕ h(x') = y}| ≤ ε|H|.

In terms of probabilities (for h chosen uniformly from H) the conditions read Pr[h(x) = h(x')] ≤ ε, Pr[h(x) = y, h(x') = y'] ≤ ε/|B| and Pr[h(x) ⊕ h(x') = y] ≤ ε respectively, for all x ≠ x'. The best achievable value for a class mapping to n-bit outputs is ε = 2^{-n}.

Wegman and Carter's construction, which is the basis of our system, is the following. Let H be a class of hash functions from A to B. The transmitter and the receiver share a key that consists of two parts. The first part is a function h ∈ H and the second part is a randomly generated sequence of n-bit numbers r_1, r_2, .... The transmitter and receiver maintain a synchronized counter which is initialized to 1 and incremented by one at each use. The i-th message m_i is sent as (m_i, h(m_i) ⊕ r_i), and the receiver, who knows h and r_i, can reconstruct the tag and verify the authenticity of the received message. Wegman and Carter proved that this construction is ε-secure and that the key size is asymptotically optimal. Replacing the one-time pad with a pseudorandom sequence reduces the unconditional security to computational security.

Krawczyk [6] showed that in the Wegman-Carter construction with a one-time pad it suffices for H to be ε-otp-secure, and that H is ε-otp-secure if and only if it is ε-AXU2 (for linear classes this is the same as being ε-balanced). Stinson [14] proved that composing an ε1-AU2 class H1 from A to B with an ε2-ASU2 class H2 from B to C gives an (ε1 + ε2)-ASU2 class H2 ∘ H1 from A to C. A similar result holds for the composition of ε1-AU2 and ε2-AXU2 classes [12]. The advantage of the composition method is that, to achieve computationally efficient hashing, it suffices to construct an efficient ε-AU2 class. This has shifted the emphasis of research in the area to the construction of computationally efficient ε-AU2 functions, as in Taylor [15] and Krawczyk [6, 7]. Johansson [4], Rogaway [12] and Shoup [13] have investigated computationally efficient classes that have relatively small key sizes. The most efficient construction is bucket hashing [12].

In this section we first introduce a class of functions, which we denote MRD(·), inspired by MRD codes, and describe its properties. We then define two classes of hash functions, H1-MRD(·) and H2-MRD(·), based on it. Finally we comment on the implementation of the two classes.

Throughout this paper we use elements of GF(2^n) represented as binary n-tuples. Maximum rank distance (MRD) codes were studied in [3]. They were used by Chen [2] for the purpose of identification and by Johansson [4] for authentication. Although our proposed system is inspired by MRD codes, we give an independent presentation of the basic facts and do not directly use any results from the theory of these codes. Throughout this section we assume knowledge of the theory of finite fields; some of the important definitions are included in Appendix 5, and [5] is an excellent introduction to this topic. Let L(x) be a linearized polynomial (more specifically a 2-polynomial), L(x) = Σ_{i=0}^{n-1} a_i x^{2^i} with a_i ∈ GF(2^n). Let (α, α^2, ..., α^{2^{n-1}}) be a normal basis of GF(2^n) over GF(2). Then L determines an n × n binary matrix [L] over GF(2) whose i-th column is the binary representation of L(α^{2^i}). So a linearized polynomial L(x) gives a mapping L: F_2^n → F_2^n, L(x) = [L] · x, where '·' denotes matrix multiplication and x is a binary vector; [L] and the n-tuple (L(α), L(α^2), ..., L(α^{2^{n-1}})) are called the matrix and the image vector of L respectively.

The set of all such mappings L, for linearized polynomials of bounded degree, is denoted MRD(·). For α ∈ GF(2^n), let d_α denote the 2-degree of the minimum linearized polynomial of α. The important properties of MRD(·) are stated in Lemma 9, whose proof is given in Appendix 5.

Property 3 of Lemma 9 shows that two values that are complements of each other map to the same value. This is an undesirable property for hashing. It can be removed by restricting L(x) to polynomials with an odd number of terms or, alternatively, by restricting the inputs to the subset of F_2^n consisting of elements of the form (α_1, α_2, ..., α_{n-1}, 0). Let d_min = min_{α ∈ GF(2^n)} d_α. In MRD(·), if we only consider linearized polynomials of degree less than 2^{d_min}, then the following properties hold; they are direct consequences of Lemma 9: the matrix [L] of a non-zero L has at most one zero column, and every element of F_2^n is mapped to zero by at most one L (equivalently, two distinct mappings give the same value when evaluated on the same element of the field only for a bounded number of elements). Property 4 of Lemma 9 states that MRD(·) is an ε-AU2 class. A mapping from F_2^n to F_2^n does not compress; however, elements of MRD(·) preserve the structure of the input, which is what we exploit in hashing. In the following we define two classes of hash functions based on MRD(·), and we assume that the complementation property is removed by restricting the domain of elements of MRD(·) to F_2^{n-1}.



m

w

6 H − v ( − −)

m

− n − s −-lin ( ) − ( −).

r

−H

n

• • • •

() − − n m ppin o m ppin L − −M RD ( ) n n − n − L − − − ( ) ( ) − wh − n − − . h t i t h v lu L 2 2 n n n L 2n -tu pl  2 i o t in y pplyin n -in o L o L to n ot th t tiv ly on t in 2n − 2in o m tion it th u ltwith 2 . H

2 t•

2 H M RD ( ) s − n . ( oo in pp n ix 5 .)



• • • •

() o m ppin n th h 2n − 2 l m n to n . n oth wo − n. H

r

2

− −M RD ( ) n in 2 n − 2 h v lu L ( ) j

L

2 L

( )i

w i ht

ss

s

un t n w t

y t in j j L (α ) wh

u m o th v lu

o

−−−o l n th α i p im itiv L(

) t ll n on z o

MRD Hashing

2 t•



2 3 H M − n RD ( ) s . ( oo in pp n ix 5 .)

3 2

r

2

ss

s


un t n w t

c c

• • • •

The compression ratio of this hash function is 2 : 1. To obtain higher compression ratios the composition method of Proposition 7 can be used; we give the details in Section 4. Evaluating the hash value amounts to computing the product of a binary matrix and a binary input vector, which can be implemented efficiently both in hardware and in software. The key is a randomly chosen binary vector of length d_min; it determines the linearized polynomial L(x), from which the matrix L is calculated. This is a set-up computation that has to be done once for a given n. Table 1 gives the values of d_min found in our experiments for n ≤ 19. We have only considered prime values of n, although theoretically this restriction is not necessary.

Table 1. d_min for prime n ≤ 19.

    n       3   5   7   11   13   17   19
    d_min   2   4   3   10   12    8   18

It can be seen that some values, like n = 11 and n = 13, give the maximum value (that is, d_min = n − 1), while n = 17 gives a smaller d_min. The table was obtained by the straightforward procedure of calculating the degree of the minimum linearized polynomial of a representative element of each conjugate group. For high values of n this approach becomes increasingly inefficient, but since it needs to be done only once during the lifetime of the system, the overhead of the required computation is acceptable for n ≤ 40. For higher values of n we require something better: in Section 4.3 we present a result which gives an efficient way of finding d_min. Taking n prime allows us to avoid this computation in the extension field GF(2^p) whenever 2 is primitive modulo p. For practical applications, d_min for suitable values of n must be calculated and published. The user then chooses the n that gives the required level of security and is most suitable for the word size of the machine under consideration.

• • • •

() om p ion tio o 2n − 1 to n . o voi th hi i n 2 with n tion o u ul ntm y pp n in xt z o t th n o m w u m th t 2 n −2 i lw y 1. p nt t n n i n tly on in h w n o tw . v lu tin 2 im il to L h h in u in 6. i u 1 iv h m ti L ( ) ou l i m o th i v lu tion . h L h x n pu li t p n p o u m xim u m l n th qu n ( polyn om i l i p im itiv ). th L − − − t h i u it wh i h im pl m n t th o th ou h on u tiv t t 2 L qu n o l m n t o n o lin t n o m tion n y Lp o u . h l tp ti n u m u l to pon in to th v lu o L ( ) L ( 2 ) −−− th t l u l t th w i h t u m o L ( i ). H

Figure 1. Schematic diagram of the hash evaluation: the message is fed into an LFSR, whose successive states drive a circuit implementing C_L(i); an accumulator collects the results to produce the hash value.

Figure 2. The circuit implementing C_L(1), C_L(2), ..., C_L(n) on the n-tuple s_1, s_2, ..., s_n, feeding the accumulator.

h olu m n L (i) i 1 −−− n o L i to in wh i h i th t t o th L t m in th - to p o u th ou tpu t.

it u

n th t o th

in y it

hi ng L (i)

i 1 −−−n o m y it ) n om u min h h h in m th o th on u tiv ou tpu t o h h u n tion .

• u

opo wo u h h t l m ti . L t − Vn .

H

th y in o m tion (th y om pu t l om th t pt t. n lo i n tlyim pl m n t in o tw . to in th L llow p ll l o tw v lu tion o th

• • • •

ition 7 to l m m p −H M



on t u H M to n . n . h n

M

t n 2 l n n in 1 t l m nt n n ( ) wh

s n

o h h u n tion . n H K n n in 6. i y in y − n i n − n m t ix n 2−n .

ss w t

2

m to n . t l m n t h on l m p polyn om i l o n ov (2). o n th h h v lu h h u n tion i y ( ) wh i h i um to n− i n om i l o n polyn om i l ( ) in i i n ( ) y ( ) yi l om . h m in o ivi in th qu i h h v lu .

6 H in

i

s n

p opo ition 7 w h v th

n ◦H u n tion . ◦H 2. H M n u n tion .

1. H

n

K

K

M RD (

)

− n−

M RD (

)

− n

− n − − n

ss w t

2

ollowin k k

i

(2

i

(2

t

n th t o th i tion w will u th on ti v lu t ym t ix m u ltipli tion ov

H w t ( ) ( ) ( m) w p oo i t i h to w xt n ion o −

i yi u i l o − m u in n i u i l polyom lv i l i n n -tu pl wh i h i

m n 2 n−• .

om po ition .

h ollowin om p i on tw n th o t in om u t h in ( ) iv om th p m t n ppli tion o th p opo n th i om p i on w u m th wo iz o tw im pl m n t tion wo iz o pon th h w . h ollowin p opo ition h ow i tly ppli l to l wo iz . m

1 1

+

t

)-

2

l

o h

h

+ 2−k )-

2

l

o h

h

n k 2 k−•

om po ition in wh i h th (2).

i ov n th in i h tin to th tu l v lu o h h u n tion . o 1 it lth ou h in n i nt to th wo iz u ppo t y th t th u lt o ou n ly i

U2 t n H − r ( m) s opo ition 2in 12.) s



m

U2 . ( h


n

on i typi l v lu o p m t n on i n x m pl o ou h m with im il v lu o . n p ti u l w on i th tm p 1024 - it m to 14 0- it i t n h olli ion p o ility o ou n m ily o h h u n tion i (2− )- U 2 with (4 20 − lo 2 14 0) it o 2− . h to om po with n U 2 to y. in i n ot U 2 it n o t in th qu i u ity( . opo ition 7 ). n ou h m w h ou l h oo n 32. n tion 4 .3 w h ow th t to n u it l v lu o n on n on lyto v i yth t2i p im itiv l m n tm o u lo th p im n . h ti 2i o i 1 n − 1 h ou l n t ll th l m n t o th t −1 2 n − 1−. l 2 h ow th t th t u it l v lu o n i 37 . h i i th l t p im t th n 32 o wh i h 2i p im itiv l m n t. h o in ou om p i on w u m n 37 .

Table 2. Primes n ≤ 257 with the smallest primitive element g modulo n (2 is primitive exactly in the rows with g = 2).

    n    g  |  n    g  |  n    g  |  n    g  |  n    g
    2    1  |  37   2  |  83   2  |  139  2  |  197  2
    3    2  |  41   6  |  89   3  |  149  2  |  199  3
    5    2  |  43   3  |  97   5  |  151  6  |  211  2
    7    3  |  47   5  |  101  2  |  157  5  |  223  3
    11   2  |  53   2  |  103  5  |  163  2  |  227  2
    13   2  |  59   2  |  107  2  |  167  5  |  229  6
    17   3  |  61   2  |  109  6  |  173  2  |  233  3
    19   2  |  67   2  |  113  3  |  179  2  |  239  7
    23   5  |  71   7  |  127  3  |  181  2  |  241  7
    29   2  |  73   5  |  131  2  |  191  19 |  251  6
    31   3  |  79   3  |  137  3  |  193  5  |  257  3

f

f

n

ss n t n u th h in o iv n l v l o u ity th iz o th i ti low ou n n i u u lly l th n wh ti u in y t m . lth ou h oth h h u n tion n ppli to u th iz o th i t th iz o th o i in l m lo will m in l . o x m pl o 14 0 wo i t 1024 wo m iz m u t u . o 32 itm h in th i u lt in l v lu o th m in im u m iz o th m . th m l n th i 20 wo th n th i ti 7 tim lon th n th m n o 32 itm h in m p 64 0 it to 4 4 0 it . o in th i l ov h in th om pu t tion wh n th m l n th i m ll 13. v l l y o h h in in o w y’ m n o n wh n th m l n th i m ll n th op tion on th p in o th m (to in it l n th to th pt l m in im u m ) i w t u l. n ou m th o o th m v lu o th m lo l n th n 26 n o th yi m ll 7 4 wo (wh n n 37 ). n th i min


(lo th m


− 1) 35 it . y h oo in l u it l n w n in lo l n th n l o th qu i l vl o u ity. n t im il lyto m l n th ou y t m n u o v iou yl n th wh i h n m ll 35 it . u 4 20 it wh i h i too lon wh n u in om pu t tion l u m o l wh th on -tim p i pl with p u o n om n to wh i h typi llyh yl n th o ou n 12 it . o w y 12 u t th u o p u o n om n u m n to to o t in th qu i y o h h in . st n t n th i tl n th i 14 0 it wh i h i m u h lon th n th qu i l n th (32-64 it ) in . o w yp nt in wh i h th xi t ou xt h h in l v l to u th i tl n th to 64 it . h xt l v l u ltin n ov ll lo o i n yo th y t m (p ti u l ly wh n th m i n otv y lon ). n ou h m th i tl n th n low 37 it . r u h m o n ot qu i l m m o y. ith n 37 it . n ot t h t o y i t i u t ion on ly t h non ly n 17 2 yt o L tu pl t m in in th polyn om i l ( ) n u u t o h h in L m u t l ul t n v . h m lo qu i 5 yt n 5 yt n o th i t. 2

min

2 u h m w im pl m n t n t t on i n t t . h im pl m n t tion n ivi in to two p t . n th t p t th y wh i h i th n in y o i n t o th lin iz polyn om i l o l th n 2n− i xt n to n n − n in y m t ix. h i m t ix i to in m m o y n o n otn to l ul t o h l u l tion . n th on p t th i m t ix i u o h h in iv n m ( . th x m pl iv n in pp n ix 5 ). n l u l t it i to in th y t m o m u ltipl u . h om pl xity o th i p ti qu iv l n tto th om pl xity o in y m t ix m u ltipli tion wh i h h n xt n iv ly tu i in th lit tu 5 . 3 n l u l t th m in im l lin iz polyn om i l o l m n t in (2n )− u in th -o it ( on ju y ou p ). in h l m n t o n o it h th m m in im l lin iz polyn om i l. on ly t t th u lt h th p oo will iv n l wh . n t y − 2 . hi h loi u tom o ph i m o (2n ) n − ll th t u us ou p t on (2 ) n p tition th i tin to o it . ( )- u p wh i h i in v i n tu n i. . σ . o ( n) i -polyn om i l i lin iz m o u lu i u n ion o -o it Ω −−−−−Ωr . polyn om i l ( ) wh o o i n t li in th ou n l ( ). ( )

r

upp s ( ) s n u us ( ) s

r

p

p n

n

.

v r

( n ).

r s

1

i

hu


h m o u lu


t m in ( )

n

-polyn om i l wh i h i ( − )

n

ollow

β∈ M

o th t on u lt i L tΩ −α 2 − v to in th i o it

t n

. -o it.

n

(Ω)

α α2

ollowin

w t (Ω) α α2 (Ω) . . (Ω) s u u s.

(Ω)σ

(Ω) n ot lw y i u i l . t n h v n m ly V α + α 2 + −−− . su sp

th

(Ω) − V −

s.

w

(2)- p n o th

−α 2 − s i

r Ω

n

1- im n ion l -in v i n t u

r V

n

r

nv r nt

r t p (2)

(2) th n ( ) 0 L t ( ) th olu t t o − (2n ) ov i (α ) 0 it i o 1. o ov V α + α 2 + −−− i th z o u p 1- im n ion l -in v i n t u p i (α ) 1. u ppo n ow th t i p im u h th t2i p im itiv m o i. . 2p− ≡ 1m o n − 1 i th l tpow o 2 o wh i h th i i t u . 2 n Pr p s t n

t (Ω) − V − 9. 2 s p r tv m o

n n ly i o th lin m o u li in h o m 20 l t

t s

2 • p−• •

r n pr n 2p n 2 • p−• • + + −−−+

p s t n

iz polyn om i l to th ollowin

2

r 2

+

nt

n v r n t su sp s n rr u

o pon in u lt.

to th

t ns n (2p ) n w p p − n − (2 ) s 2 + ( ) 0.

i

s s u u s. u i l

2 s p r tv ( ) 1.

h v in t o u two n w v lu tion h h in h m th th v n u m o im po t n t n u u l p op ti . n p ti u l th v lu tion o i t u to m t ix m u ltipli tion ov (2) wh i h n i n tly im pl m n t . n l qu i u th v lopin n i n t l o ith m o l u l tin min in h . ow v w h v h t iz l o (2n ) wh i h qu i n o om on pu t tion . h v l o om p on H M RD ( ) with on .

hi ng

(s 1.

1

t )

o

ll ( ) i to n h n (0) 0. o (11 −−− 1) w h v − (2) (p 5 2 ). (2n ) 2. n lin iz polyn om i l th to z o o m u p −L o ( h o m 3.5 0 ). Now i ( ) o om th n o ll − −L w h v ( + ) ( )+ ( ) . on v ly i ( ) ( ) th n ( + ) 0 () ito u x tly−− L −tim . wh − − L . n i n l m n to u on 3. ( )h vn num o t m th n ( ) ( + 1) ( ) n w h v (0) (1) 0 n h n (11 −−− 1) 0. h i u lt in th ollowin om pl m n t yp op ty ( )

( + 11 −−−1)

( )+

(11 −−−1)

( )

i u n iqu m in im u m lin iz polyn om i l ( ) u h th t 4 . L t − n. h ( ) 0. n x m pl om pu t tion o th i polyn om i l i iv n in pp n ix iz polyn om i l u h th t −( ) 0 th xi t 5 . Now i −( ) i lin − − − ( )⊗ ( ) ( h o m 3.6 lin iz polyn om i l ( ) u h th t −−( ) iz polyn om i l o p 113 ). L t M u n ot th oll tion o lin h n w h v 2t−du wh wh i h i oot n −M u − u. u u i th o ( ). Now i i lin iz polyn om i l ti yin ( ) + 2 )( ) ( )+ 2 ( ) n h n o u n 2 ( ) − M u th n ( 2t−du in th olu m n l ll y . o ow ( ) o u h th t ( ) 5. o p i − (2n ) th n u m ( ) i th m th n u m o ow o with ( + ) 0 n h n th u lt. − h i om pl t th tp t. 2 −H

−−

on lyn

M RD (

−H

)

( )

L

( )

−− L



u

0 th n 0 th n

0−− ≤

M RD ( )−

L t ( − 2 ). in h v to p ov th t h i i tu oth z o.

to h ow th t

L(

1

L(

)−

)

2

) on

2

n

 −H

2n

0− M RD (

)− 2t

w

−−≤ 1

o o oll y10. Not th t in on i two . L(



2t



0

0 n o −− L ) 2 L( ) o oll y10 −− L L(

n

2

2

n n ot

2 −− 0 ≤ 1. −−≤ 1.

1


n

h i p ov th th o m .



3 2

()

2 −2 j jα j n

o γ it

y



u

2



n−

−−

2

o th lin

2 n −2 j j L (α ) j n.

2 M RD (

2 ) ( )− −H M RD ( )−

−−

2

2 M RD (

−H

−H

ut

2 L

( − )

L (γx

−−

2

− γy ) n

−H

l

2 M RD (

α )

L (γs )

j

i 2

w h v

L

2 n −2 j

L(

o h ow th t th − n w h v

n

−H

ityo

-

( )

2

−−

2

)

w n ot th t o

( − ) ( )− M RD

−−

o 2

)

( − ) −H M RD ( )−

−− ≤

1 2t −



• • • •

Example. Let GF(2^5) be defined by the primitive polynomial f(x) = x^5 + x^2 + 1, with f(α) = 0 for some α ∈ GF(2^5). We group the elements of GF(2^5) into conjugacy classes, as shown in Table 3, and find the minimum linearized polynomial of each class. Since the smallest degree of the minimum linearized polynomials is 16, we need all linearized polynomials of degree less than 16, and construct from them the matrix which represents our hash function.

Table 3. Conjugacy classes of GF(2^5) for f(x) = x^5 + x^2 + 1, with the minimum polynomial and the minimum linearized polynomial of each class.

    Conjugacy class                  Minimum polynomial          Minimum linearized polynomial
    α, α^2, α^4, α^8, α^16           x^5 + x^2 + 1               x^16 + x^8 + x^4 + x^2 + x
    α^3, α^6, α^12, α^24, α^17       x^5 + x^4 + x^3 + x^2 + 1   x^32 + x
    α^5, α^10, α^20, α^9, α^18       x^5 + x^4 + x^2 + x + 1     x^32 + x
    α^7, α^14, α^28, α^25, α^19      x^5 + x^3 + x^2 + x + 1     x^16 + x^8 + x^4 + x^2 + x
    α^11, α^22, α^13, α^26, α^21     x^5 + x^4 + x^3 + x + 1     x^32 + x
    α^15, α^30, α^29, α^27, α^23     x^5 + x^3 + 1               x^16 + x^8 + x^4 + x^2 + x

n v i yth t−α α 6 α 2 α 2 l i o (2 ). L t ( ) L

α

7

.

− lin h v to

lyin p n n t n th u o pon in to ( ) i

( (α ) (α 6 ) (α 2 ) (α 2 ) (α 7 )) ((α ) (α 6 ) (α 2 ) (α 2 ) (α 7 ) ) (α 2 α 2 α 7 α α 6 ) (α + α 2 + α α + α + α 2 + α α + α + 1 α

α + α)


h m

t ix p

n t tion o th

L

 n

 L

L

wh i h 00011

I u lt in n o L

wh

11010 ( )

u n tion L i ⎛ ⎞ 001 00 ⎜1 1 1 01⎟ ⎜ ⎟ ⎜ 1 1 0 0 0⎟ ⎜ ⎟ ⎝1 1 01 1⎠ 01 1 00

I i th i n tity m

L(

t

n

)−

1

01100 .

2

2

t ix. Now l t h v

00011 − 01100

1101001100

L(

)

L−

01111

Finite fields with 2^n elements. We consider only binary fields, although most of the results hold for general q-ary fields. F_n = GF(2^n) is an n-dimensional vector space over GF(2). It can be constructed using an irreducible polynomial f(x) of degree n over GF(2). Let α denote a root of f(x). If α is a primitive element, then 1, α, α^2, ..., α^{n−1} form a basis of F_n and the powers of α generate all the non-zero elements of F_n. We partition F_n into conjugate groups (the 2-orbits): the elements β, β^2, β^4, ..., β^{2^{n−1}} form the conjugate group of β. If these elements are linearly independent then they form a (normal) basis of F_n.

Let β denote an element of F_n. The minimum polynomial of β is the monic polynomial m(x) over GF(2) of least degree with m(β) = 0; any other polynomial g(x) over GF(2) with g(β) = 0 is divisible by m(x). It can be shown that every element of the field has a unique minimum polynomial and that all conjugate elements have the same minimum polynomial.

A polynomial of the form L(x) = Σ_i a_i x^{2^i} with a_i ∈ GF(2) is called a linearized polynomial (or 2-polynomial). Linearized polynomials satisfy the following two properties: L(α + β) = L(α) + L(β) and L(aα) = a L(α) for a ∈ GF(2). The ordinary product of two linearized polynomials is not a linearized polynomial; the symbolic product L_1(x) ⊗ L_2(x) = L_1(L_2(x)) is. For β ∈ F_n, the minimum linearized polynomial of β is the linearized polynomial L(x) of least degree such that L(β) = 0; any other linearized polynomial L'(x) of which β is a root can be written as L'(x) = L_2(x) ⊗ L(x) for some linearized polynomial L_2(x), and L(x) is unique.

Suppose that α ∈ F_n has minimum polynomial m(x) = Σ_i m_i x^i over GF(2), so that m(α) = 0, and let

    L(x) = Σ_{i=0}^{n} c_i x^{2^i}                                   (1)

be its minimum linearized polynomial. For i = 0, ..., n let r_i(x) denote the remainder of dividing x^{2^i} by m(x). Since L(α) = 0 holds exactly when m(x) divides L(x), equation (1) holds exactly when

    Σ_{i=0}^{n} c_i r_i(x) ≡ 0  (mod m(x)).                          (2)

Expanding (2) yields a system of linear equations over GF(2) (one per coefficient of the remainder) in the n + 1 unknowns c_0, ..., c_n; the solution whose highest non-zero c_i has the smallest index gives L(x). Note that this method requires the determination of the irreducible polynomial corresponding to the 2-orbit. This adds to the computational complexity of the algorithm, while the irreducible polynomial itself is not needed in the final result.
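The following is an added, runnable version of the appendix example (it is not the authors' code): it builds GF(2^5) from f(x) = x^5 + x^2 + 1, lists the conjugacy classes of Table 3 with their minimum polynomials and minimum linearized polynomials, computes d_min as used in Table 1, and applies the Section 4.3 test (is 2 primitive modulo the prime n?) that selects n = 37 from Table 2. The integer encoding of field elements and the brute-force search for the minimum linearized polynomial are our own choices; the paper solves the linear system (2) modulo m(x) instead, and both give the same polynomial.

```python
"""Worked GF(2^5) example: conjugacy classes, minimum polynomials, minimum
linearized polynomials, d_min and the 'is 2 primitive mod n' test.
Added illustration, not the authors' code.  An element of GF(2^N) is an
int whose bit i is the coefficient of alpha^i."""

N = 5
F = (1 << 5) | (1 << 2) | 1      # f(x) = x^5 + x^2 + 1, with f(alpha) = 0
ALPHA = 0b10                      # alpha itself


def gf_mul(a, b):
    """Product in GF(2^N): carry-less multiply, then reduce modulo f."""
    r = 0
    for i in range(N):
        if (b >> i) & 1:
            r ^= a << i
    for i in range(2 * N - 2, N - 1, -1):
        if (r >> i) & 1:
            r ^= F << (i - N)
    return r


def gf_pow(a, e):
    r = 1
    for _ in range(e):
        r = gf_mul(r, a)
    return r


def conjugacy_class(b):
    """The 2-orbit of b: b, b^2, b^4, ... until it wraps around."""
    cls, cur = [], b
    while cur not in cls:
        cls.append(cur)
        cur = gf_mul(cur, cur)
    return cls


def conjugacy_classes():
    seen, classes = set(), []
    for b in range(1 << N):
        if b not in seen:
            cls = conjugacy_class(b)
            seen.update(cls)
            classes.append(cls)
    return classes


def min_poly(b):
    """Minimum polynomial of b over GF(2): the product of (x + c) over the
    conjugates c of b, returned as a bit mask (bit i = coefficient of x^i)."""
    poly = [1]                              # coefficients in GF(2^N), index = degree
    for c in conjugacy_class(b):
        nxt = [0] * (len(poly) + 1)
        for i, coef in enumerate(poly):
            nxt[i + 1] ^= coef              # coef * x
            nxt[i] ^= gf_mul(coef, c)       # coef * c
        poly = nxt
    assert all(coef in (0, 1) for coef in poly)   # the product lies in GF(2)[x]
    return sum(coef << i for i, coef in enumerate(poly))


def min_linearized_poly(b):
    """Minimum linearized polynomial L(x) = sum c_i x^(2^i) with L(b) = 0, as
    the tuple of exponents 2^i having c_i = 1.  We take the first k for which
    b^(2^k) is a GF(2)-combination of b, b^2, ..., b^(2^(k-1))."""
    powers, cur = [], b
    for k in range(N + 1):
        for mask in range(1 << k):          # every GF(2)-combination of earlier powers
            s = 0
            for i in range(k):
                if (mask >> i) & 1:
                    s ^= powers[i]
            if s == cur:
                return tuple(1 << i for i in range(k) if (mask >> i) & 1) + (1 << k,)
        powers.append(cur)
        cur = gf_mul(cur, cur)
    raise ArithmeticError("x^(2^N) - x annihilates every element; unreachable")


def d_min():
    """log2 of the least degree of a minimum linearized polynomial over the
    elements outside GF(2) = {0, 1}; equal to 4 (degree 16) in this example."""
    least = min(max(min_linearized_poly(b)) for b in range(2, 1 << N))
    return least.bit_length() - 1


def multiplicative_order(a, p):
    """Order of a modulo the prime p; 2 is primitive mod p iff this is p - 1."""
    k, x = 1, a % p
    while x != 1:
        x, k = (x * a) % p, k + 1
    return k


def first_prime_with_primitive_2(lower):
    """Smallest prime p > lower such that 2 is primitive modulo p."""
    p = max(lower + 1, 3)
    while not (all(p % q for q in range(2, int(p ** 0.5) + 1))
               and multiplicative_order(2, p) == p - 1):
        p += 1
    return p


if __name__ == "__main__":
    for cls in conjugacy_classes():
        print(cls, bin(min_poly(cls[0])), min_linearized_poly(cls[0]))
    print("d_min =", d_min(), "; first suitable n > 32:", first_prime_with_primitive_2(32))
```

The classes whose minimum linearized polynomial has degree 16 are exactly the trace-zero elements outside GF(2); the other three classes need x^32 + x, which is why d_min = 4 = n − 1 here and why, for prime n, d_min = n − 1 exactly when 2 is primitive modulo n.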

References

1. J. L. Carter and M. N. Wegman, "Universal classes of hash functions," Journal of Computer and System Sciences, vol. 18, no. 2, pp. 143–154, 1979.
2. K. Chen, "A new identification algorithm," in Cryptography: Policy and Algorithms (E. Dawson and J. Golić, eds.), vol. 1029 of Lecture Notes in Computer Science, (Brisbane, Queensland, Australia), pp. 244–249, Springer-Verlag, July 1995.
3. E. M. Gabidulin, "Theory of codes with maximum rank distance," Problems of Information Transmission, vol. 21, no. 1, pp. 1–12, 1985.
4. T. Johansson, "Authentication codes for nontrusting parties obtained from rank metric codes," Designs, Codes and Cryptography, vol. 6, pp. 205–218, 1995.
5. H. Krawczyk, "The shrinking generator: some practical considerations," in Proceedings of the Fast Software Encryption Workshop '93, pp. 45–46, LNCS 809, Springer-Verlag, 1993.
6. H. Krawczyk, "LFSR-based hashing and authentication," in Advances in Cryptology, CRYPTO '94 (Y. G. Desmedt, ed.), vol. 839 of Lecture Notes in Computer Science, pp. 129–139, Springer-Verlag, 1994.
7. H. Krawczyk, "New hash functions for message authentication," in Advances in Cryptology, EUROCRYPT '95 (L. C. Guillou and J.-J. Quisquater, eds.), Lecture Notes in Computer Science, (Berlin), pp. 301–310, 1995.
8. R. Lidl and H. Niederreiter, Introduction to Finite Fields and their Applications. Cambridge University Press, 1994.
9. U. Maurer, ed., Advances in Cryptology, EUROCRYPT '96, vol. 1070 of Lecture Notes in Computer Science, (Zaragoza, Spain), Springer-Verlag, 1996.
10. B. Preneel, Analysis and Design of Cryptographic Hash Functions. PhD thesis, Katholieke Universiteit Leuven, Jan. 1993.
11. B. Preneel and P. C. van Oorschot, "On the security of two MAC algorithms," in [9], pp. 19–32.
12. P. Rogaway, "Bucket hashing and its application to fast message authentication," in Advances in Cryptology, CRYPTO '95, Lecture Notes in Computer Science, pp. 30–42, Springer-Verlag, 1995.
13. V. Shoup, "On fast and provably secure message authentication based on universal hashing," in [9], pp. 321–331.
14. D. R. Stinson, "Universal hashing and authentication codes," Designs, Codes and Cryptography, vol. 4, pp. 369–380, 1994.
15. R. Taylor, "Near optimal unconditionally secure authentication," in Advances in Cryptology, EUROCRYPT '94 (Pre-proceedings), (Perugia, Italy), pp. 244–253, May 1994.
16. M. N. Wegman and J. L. Carter, "New hash functions and their use in authentication and set equality," Journal of Computer and System Sciences, vol. 22, pp. 265–279, 1981.

New Constructions for Secure Hash Functions

William Aiello (Bellcore, [email protected]), Stuart Haber (Surety, [email protected]), Ramarathnam Venkatesan (Microsoft Research, [email protected])

Abstract. We present new and practical schemes for the construction of collision-resistant hash functions, and analyze some of the popular methods for combining existing hash functions so as to enhance their security. In our new constructions we first stretch the input to a slightly longer string, using primitives that we call stretch functions. The stretching is an almost surely injective one-way function that sufficiently randomizes the input, so that it is hard for an adversary to force the output to fall into a target set. We then apply a compression function to the output of the stretch function. We analyze the security of the construction under certain types of assumptions on the stretch and compression functions. The assumption on the compression function is a regularity property that takes into account the general structure of compression functions. The use of stretching allows us to relax the requirements on the compression function, and may be of independent interest. The constructions allow one to use popular and efficient primitives such as SHA-1, and even those that exhibit weaknesses as collision-resistant functions: no attacks are currently known on the one-wayness and randomizing properties that they must have when used as stretch functions in our constructions. We have also designed collision-resistant hash functions based on DES, for which there are no known effective attacks but which are too slow for most practical applications. Our use of stretch functions enables us to build compression functions based on DES so that the resulting hash functions have practical speed: a test implementation runs at 40% of the speed of MD5. We also suggest a specification of imperfect random oracles, showing how to build better primitives for a given specification. In the same vein, we also analyze how to defend against collision-finding adversaries for a given primitive by building "independent" primitives.

1 Introduction

In this work we present new and practical constructions for secure hash functions and analyze their security. In addition we present simple methods for combining existing hash-function designs so as to enhance their security. There is a compelling need for a better understanding of the principles of secure hash-function design.



S. Vaudenay (Ed.): Fast Software Encryption, FSE '98, LNCS 1372, pp. 150–167, 1998.


Many cryptographic procedures that handle very long bit-strings make use of a hash function. The security of these procedures relies on the collision-resistance of the hash function used, or on the function's randomizing effect. A hash function f is collision-resistant if it is infeasible to find a pair of distinct arguments x, y such that f(x) = f(y). There are several approaches to the design of such hash functions. While it is not known whether any current designs achieve the desired properties, they generally fall into two categories: designs based on an existing block cipher (or other cryptographic primitive), and custom designs built from scratch.

Custom designs. There have been a number of proposals for practical secure hash functions that admit fast software implementations and for which it is hoped that the cost of computing hash collisions is infeasible in practice [Riv90, Riv92, ...]. Several of these are in widespread use. However, the general design principles for cryptographic hash functions are not well understood. As in the case of block ciphers, in practice a good hash function is simply one that survives the current attacks. Recent collision-finding attacks due to Dobbertin, using a differential approach, have been successful against MD4 and MD5 [Dob97, Dob96, Dob96]. More recently, even the one-wayness of MD4 has been challenged [?97, Dob98]. One approach would be to try to build on existing primitives. For example, one can concatenate the outputs of two different hash functions, hoping that the two functions behave independently (see [Pre93, §2.4.5] and certain commercial designs, e.g. [?95]). But one's hope is weakened by a cursory look at the source code of the popular hash functions, and even more so by Dobbertin's attack on MD4-256, which derives two 128-bit values in this manner [Dob96]. Current methods to extend or strengthen previous designs include the following: increase the number of rounds (as in MD5); add some coding or scrambling steps (as in SHA-1); increase the register size and make the mixing step vary with the round. All of these are natural attempts to increase the security of hash-function designs, but an analysis based on a set of plausible heuristic assumptions would better enhance our confidence in the result. An example of such an assumption is the ideal-cipher model for DES discussed below.

Designs based on block ciphers. Another well-studied approach (see [Mer89]) bases the design on an existing trusted block cipher, e.g. DES [MMO85]. For security assessments of such schemes see [Mer89, ?97, Pre93]. (For this and other questions about cryptographic hash functions, [Pre93] and [MOV97, Chap. 9] are excellent references.) Unfortunately these designs yield implementations using DES that are slower than MD5 (for example) by almost an order of magnitude, making them unacceptable for many applications. The usual measure of the efficiency of designs based on an n-bit cipher is the rate, defined as the number of n-bit blocks of text compressed per application of the cipher. (Sometimes, as in [Pre93], rate is used to mean the inverse of this ratio.) One of the suggestions here enables us to increase the rate significantly, yielding practical designs.


It is common to use idealizations of block ciphers as random permutations, or as random functions from 2n bits to n bits, in the analysis. In this case one can construct n-bit valued secure hash functions (see the references above). In the case of DES, where n = 64, this yields 64-bit hash functions, which are vulnerable to simple birthday attacks. However, it is non-trivial to construct 2n-bit valued secure hash functions from families of n-bit valued hash functions. The 2n-bit valued hash function must behave like a 2n-bit valued random function for up to 2^n queries, but the n-bit primitives are bound to produce birthday collisions after around 2^{n/2} queries, which potentially could be used in an attack against the design. A solution for this output-doubling problem was given in [?96]. This construction is expensive, making eight calls to the underlying random function, and hence it is not suitable for a practical 2n-bit valued compression function. The analysis of our construction begins by assuming that both of the two functional components are random functions. This is not for the purpose of proving the existence of secure hash functions, but rather to examine what security parameters can be achieved. In addition, it motivates the weaker assumptions and the analysis that follow.

1.1 New Constructions

The constructions that we propose first stretch the input string mildly, and then compress the result of this expansion. Here we briefly motivate this approach.

Expansion stage. Our first stage stretches the input mildly. We will use primitives that have reasonable one-wayness and randomizing behavior so as to obtain an almost surely one-to-one stretch function. This trivially avoids collisions in the first stage and allows us to analyze this stage using the distributional and one-way properties of the primitives we employ. Furthermore, these properties make it infeasible for the adversary to force its outputs into a set of his choice, for example a set of points for which he has computed collisions for the second stage. We show how to use popular hash functions like MD5 or SHA-1 to do this. We remark that in large randomness tests with MD4 and MD5 it has been observed that both functions have very good distributional properties, even when they are iterated [?96].

Compression stage. For our second stage we apply a compression function. This stage could simply be any candidate collision-resistant hash function such as SHA-1 or RIPEMD-160. In fact, the security of our construction does not require collision resistance from the compression stage. For example, an adversary might find collisions for the compression stage. However, the colliding strings may not be in the range of the stretch function, and even those that are will be hard to invert. On the other hand, if the adversary begins by finding many input-output pairs for the stretch function, then a successful attack on the whole construction must find compression-stage collisions from among this restricted set of fairly random points.
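As an added illustration of the two-stage approach (this is not the authors' code), the following builds the expansion stage from an existing b-bit hash function with the chaining rule the paper gives below for customized hash functions, y_1 = H(x_1), y_i = H(y_{i-1} || x_i), output y_1 || ... || y_t, so that t blocks of c fresh input bits expand to t·b bits, and then applies a fixed-length compression to the stretched string. MD5 (b = 128, c = 96) is used for the stretch; DES is not in the Python standard library, so SHA-256 truncated to 128 bits stands in for the paper's DES*-based compression stage. Those two choices, and the sample input, are ours.

```python
"""Stretch-then-compress hashing: stage 1 expands the message with an
existing b-bit hash and the chaining rule y_1 = H(x_1), y_i = H(y_{i-1} || x_i);
stage 2 compresses the fixed-length stretched string.  Added illustration, not
the authors' code; the compression stand-in (SHA-256) is our assumption."""
import hashlib

B = 16   # b = 128 bits: output length of the stage-1 primitive (MD5)
C = 12   # c = 96 bits of fresh input per call; c < b makes stage 1 expand


def md5(data):
    return hashlib.md5(data).digest()


def stretch(msg):
    """Stage 1.  Every b-bit chaining value is part of the output, so two
    messages that first differ in block i agree on the first (i-1)*b output
    bytes and diverge from chunk i on; the map is almost surely one-to-one."""
    if not msg or len(msg) % C:
        raise ValueError("message must be a non-empty multiple of %d bytes" % C)
    chunks, prev = [], b""
    for i in range(0, len(msg), C):
        y = md5(prev + msg[i:i + C])      # y_1 = H(x_1); y_i = H(y_{i-1} || x_i)
        chunks.append(y)
        prev = y
    return b"".join(chunks)               # (b/c) times the input length


def compress(stretched):
    """Stage 2 stand-in: fixed-length compression of the stretched string
    (the paper uses two DES* calls keyed by the two halves of this string)."""
    return hashlib.sha256(stretched).digest()[:B]


def two_stage_hash(msg):
    return compress(stretch(msg))


# constructed sample input: 48 bytes = four 96-bit blocks, stretched to 4 * 128 bits
SAMPLE = bytes(range(48))

if __name__ == "__main__":
    print(len(stretch(SAMPLE)) * 8, "stretched bits ->", two_stage_hash(SAMPLE).hex())
```

Note that a collision found for `compress` alone is useless to an attacker unless both colliding strings lie in the image of `stretch`, which is the point the paragraph above makes.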

Constructions using existing primitives. In a practical setting, this work suggests ways to use the hash functions that are currently broken or partially broken, in such a way that we can depend on their one-wayness and randomness or distributional properties rather than directly on their collision-security, which may be in doubt or already violated. In fact there are many choices for each of the two components of our construction, and they can be combined independently.

Customized hash functions. Customized hash functions, for example MD5, SHA-1 and RIPEMD-160, can be used in either or both stages of our construction. If the hash function has b bits of output, then it can be used in the stretching stage as follows. If at most b bits are needed for the input to the compression stage, then simply feed c-bit blocks (c < b) of input text to the hash function. If more than b bits are needed for the input to the compression stage, we propose the following simple chaining rule. Use the b bits of output above as the first b bits of output of the chaining rule. In addition, concatenate these b bits to the next c bits of input to the hash function to get another b bits of output, and continue this chaining rule as needed. For the compression stage, any of these hash functions can be used directly on the fixed-length output of the expansion stage. We remark here that MD4 may also be sufficient for both stages. For example, as noted above, the stretching stage is required to be one-way. Although two rounds of MD4 have recently been inverted [Dob98], the inverse found is of length 512. Note that there are very many inverses (2^{512−128}) for an average 128-bit output. However, MD4 might be used in our stretching stage to expand, for example, 80-bit inputs to 128-bit outputs. In this case, for an overwhelming fraction of outputs an adversary would be required to find the inverse. In addition, with sufficiently random and one-way stretch functions our analysis suggests that the requirements on the compression function are considerably relaxed. For example, using a truly random stretch function, the compression function need only have a fairly uniform preimage structure.

Subset-sum. Constructions based on the subset-sum function may be used in the stretching stage. The subset-sum function may also be used in the compression stage, as it is known to yield provably secure hash functions on the assumption that it is infeasible to find almost shortest vectors in lattices [?96]. However, the best lattice-based attacks are quite powerful, forcing the lattices (and hence the implementation) to be relatively large. We suggest some constructions in the final version of this paper.

DES-based. Any DES-based hash function, e.g. [MMO85, Mer89], can be used in either stage of our construction in the same way as described above for customized hash functions. However, since these hash functions consume few bits of input per DES call (i.e. they have low rate), the resulting hash function will be unacceptably slow for most practical applications. In this paper we propose a new DES-based construction for the compression stage. Because of the properties of the first stage, our construction uses only two DES calls to obtain a 128-bit output value. The construction is extremely simple. As in [Mer89], we will use a modified form of DES, called DES*, defined on the


expanded key as follows: DES*(K, x) = DES_K(x), where K is potentially the 16·48-bit expanded key. The output of the stretching stage is split into two pieces, each of which is used separately as the key to one DES* call. The outputs of the two calls are simply concatenated. Assuming that the stretch stage is a truly random function and that DES has an almost regular preimage structure (i.e. all points in the range have approximately the same number of key-plaintext pairs mapping into them), we show that this construction is secure (see §3.3). This is a significant simplification of the requirements on the primitives to be used in compression functions. The same scheme without the randomizing initial stage is insecure; to achieve similar security would require more rigorously random-function-like primitives and many more calls to them (e.g. as in [?96]).

In many cipher-based constructions, the string to be hashed is used as a key to encrypt some initial or intermediate values of the hash function. The usual DES key-scheduling algorithm stretches the given 56-bit key into 16·48 bits. One way to improve the rate of DES-based hash functions would be to skip the key-scheduling algorithm and use 16·48 bits of input text directly as the key. This idea is swiftly refuted once one sees the invertibility of intermediate rounds of DES and mounts a meet-in-the-middle attack as follows (see [5] and [M1] for related attacks). The attacker can pick the text corresponding to the keys for all but three rounds arbitrarily. He picks the remaining round keys randomly and expects a birthday collision between one round in the encrypting mode and the next level in the decrypting mode. Our DES-based scheme, perhaps controversially, allows the thoroughly randomized output from the first stage to be used directly, and thus to skip the key-scheduling algorithm. This considerably increases the rate of the resulting construction. While this proposal clearly needs study, there is evidence to support the claim that keying DES in this manner is secure. We point out that this is similar to scheduling the round keys in DES with independent keys, a method whose security is closer to exhaustive search for the 56-bit key (rather than the extended key of length 16·48) in the sense that it takes about 2^61 steps (including computational overhead) by current differential attacks, and one may expect this number to be somewhat smaller for linear attacks. Of course, the key is considered hidden for the differential attacks against a block cipher. Differential attacks are far more natural in the context of secure hash functions, since the attacker can compute all the required input-output pairs by himself. In addition, the attacker could conceivably mount a meet-in-the-middle attack based on the invertibility of individual rounds of DES, as discussed above; but such attacks are not applicable to our use of DES, as the adversary has little active control over the key bits. Example parameters are as follows: we can securely stretch a 512-bit string to a 16·48-bit string and use the latter output as the DES key. Then using the stretch output as DES key would effectively allow us to compress 512 bits per DES call. With well-optimized assembly-language implementations this results in implementations that are so much faster than standard DES-based constructions that they can be used in practice. Below are run-times of a preliminary implementation. We stress that the second stage is not to be derived from a cipher, and hence our first stage is not merely a key-scheduling algorithm. Often, as in the case of DES or Tiger, the key scheduling in hash-function design is reversible, but we demand one-way and randomizing properties in our first-stage functional component. The reversibility may be more appropriate for ciphers, where the key is held secret, than it is for hash functions, where the collision adversary can choose the inputs. Our stretch functions may actually strengthen block-cipher constructions by helping to avoid weak keys and related-key attacks; we omit the details here to obey space constraints. However, there are attacks on adaptations of DES that skip the key scheduler. Below we point out how the use of stretch functions can avoid these attacks. Briefly, the attacker must be able to choose some portions of the extended key during the attack, which is what the randomizing expansion step is designed to preclude: with overwhelming probability the attacker's choice of extended keys will not be in the range of the first stage, and there is no easy way to take a small string and extend it to a string lying in the range of the first stage. We believe our designs are useful in practice and allow their security to be analyzed under explicitly stated assumptions on the cryptographic primitives that we use. Finding the weakest assumptions sufficient for the construction of collision-resistant hash functions is a fundamental unsolved problem. Our constructions raise some related issues that may help clarify both the practical and the theoretical point of view. To summarize, the stretching stage simplifies the requirements on the compression function, which is largely the crux of the task of designing secure functions. This is significant in itself and may actually lead to faster constructions upon further research.

Performance. We performed a preliminary implementation to test the speed of one version of our construction and found it surprisingly fast compared to several other hash functions. Our test implementation on a 166 MHz Pentium microprocessor-based laptop computer yielded a version running at around 60 Mbits/sec. We used, as described above, MD5 for the stretch function, mapping 96·6 bits to 128·6 = 48·16 bits, and for the compression stage we used the DES-based construction producing 128-bit hash values. We compared the speed of our construction both to MD5 and to DES-based hash functions. We tested with many variants for the DES-based compression schemes. The speed reported here for these functions is overestimated, by assuming that they consume close to 56 bits of input per DES call. The speeds of MD5, our hash construction and DES-based hashing are in the ratio 1 : 0.43 : 0.032. Our testing did not optimize for platform-dependent parameters such as cache size. The usually quoted speed ratios between MD5, SHA-1 and RIPEMD-160 are about 1 : 0.4 : 0.34. These ratios are at best crude ap-

1

ll

llo

tu t

th n

nk t

n

proxim tion s sin m n y p r m t rs n s th s r tios to v ry m on g m o rn pro ssors. or x m pl ss m ly o in g n sp p i r n t lg orith m s t i r n tr t s. h il o r • • • o w s optim iz o r M 5 im pl m n t tion w s str ig h torw r on . n th fi n l v rsion wh i h will v ill rom th th ors (or t http://research.microsoft.com/crypto n http://www.surety.com/pub/) w sh ll pr s n t m or t il p r orm n n lysis o m or v ri s h m s. 1 .2

r

t

o

u

to

o

o stru t o s

n −4 low w s g g st som im p r t r n om -or l m o ls n sh ow h ow to il tt r prim itiv s rom g iv n im p r t on s. n th is v in w lso n lyz h ow to n g in st ollision -fi n in g v rs ry or g iv n prim itiv y il in g in p n n t prim itiv s.

We will often model functions as random functions. A random function has the following property: when it is evaluated on an input (assumed to be different from all other inputs thus evaluated, since there is no need to evaluate the function more than once on the same input), the output is uniformly distributed and independent of all output values thus far. We fix a bounding function B(n) (e.g. 2 . n) and this will correspond to our notion of an infeasible amount of resources (e.g. run-time or memory). We call functions (e.g. run-times) lower-bounded by B(n) infeasible, and functions that are smaller than 1/B(n) negligible; we call probabilities of the form 1 − 1/B(n) overwhelming. A function mapping n bits to m bits is said to be one-way if it is efficiently computable (e.g. in polynomial time) and, given f(x) where x is randomly chosen, any inverting algorithm takes at least time B(n) with overwhelming probability (over x). In addition, if for any (adversary's collision-finding) algorithm C a successful execution of C, producing x ≠ x' with f(x) = f(x'), takes at least time B(n), then we call this function collision-resistant. For formal definitions and implementations based on various assumptions see [Dam87, Merk89, NY90]; in addition, [Pre93, MOV97] are excellent references for this topic. It is not known what is the weakest assumption under which one can construct collision-resistant hash functions. Given a fixed-length collision-resistant compression function mapping m-bit inputs to n-bit outputs (m > n), one can build a collision-resistant hash function on arbitrary-length inputs following the construction of Merkle [Merk90] and Damgård [Dam89]. Assign a fixed n-bit initial-value string IV. With Merkle–Damgård strengthening, given an input x = x_1 x_2 ... x_t (formatted, i.e. with appropriate padding to encode the length of the text, as blocks of length m − n), let the value of H(x) be defined as follows:

  h_0 = IV;  h_i = g(h_{i−1}, x_i), 1 ≤ i ≤ t;  H(x) = h_t.

Thus we will concentrate here on defining and analyzing fixed-length collision-resistant compression functions.
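The Merkle–Damgård iteration just described, as an added, runnable example that is not code from the paper: a stand-in compression function g built from SHA-256 (an assumption, chosen only so the block runs offline; the paper's own compression functions are the subject of §3), the length-encoding padding that "formats" x into blocks, and the chaining loop h_0 = IV, h_i = g(h_{i−1}, x_i). The block and chaining sizes are constructed values.

```python
import hashlib
import struct

# Constructed parameters: each compression call absorbs (m - n) bits of message
# and carries an n-bit chaining value. Here m - n = 256 bits and n = 256 bits.
BLOCK_BYTES = 32
STATE_BYTES = 32
IV = bytes(STATE_BYTES)          # fixed n-bit initial value


def compress(chain: bytes, block: bytes) -> bytes:
    """Stand-in fixed-length compression function g: (n + (m-n)) bits -> n bits.
    Assumption: SHA-256 over the concatenation; any fixed-length
    collision-resistant compression function could take its place."""
    assert len(chain) == STATE_BYTES and len(block) == BLOCK_BYTES
    return hashlib.sha256(chain + block).digest()


def pad_with_length(msg: bytes) -> bytes:
    """Merkle–Damgård strengthening: append a single 1 bit (0x80), zero bits, and
    the 64-bit bit-length of the message, so the padded text is a whole number
    of (m-n)-bit blocks and the original length is encoded in the last block."""
    bit_len = 8 * len(msg)
    padded = msg + b"\x80"
    while (len(padded) + 8) % BLOCK_BYTES:
        padded += b"\x00"
    return padded + struct.pack(">Q", bit_len)


def message_length_from_padding(padded: bytes) -> int:
    """Read back the encoded length (in bytes) from a padded message."""
    return struct.unpack(">Q", padded[-8:])[0] // 8


def md_hash(msg: bytes) -> bytes:
    """H(x): h_0 = IV; h_i = g(h_{i-1}, x_i); H(x) = h_t."""
    padded = pad_with_length(msg)
    h = IV
    for i in range(0, len(padded), BLOCK_BYTES):
        h = compress(h, padded[i:i + BLOCK_BYTES])
    return h


if __name__ == "__main__":
    print(md_hash(b"abc").hex())
    print(message_length_from_padding(pad_with_length(b"hello")))
```

Because the final block carries the message length, two messages of different lengths never produce the same block sequence, which is the property the strengthening relies on when a collision in H is traced back to a collision in g.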

New Constructions for Secure Hash Functions

After describing our new construction (in §3.1), we proceed to analyze its security, first by assuming that its components are truly random functions of the appropriate class (§3.2) and then by weakening these assumptions (§3.3). This analysis treats the properties of our construction of a cryptographic hash function with fixed-length inputs.

3.1

Our constructions first stretch the inputs and then apply a compression function. We describe the requirements on these functions after presenting some rationale for stretching.

Stretch functions. We introduce the use of stretch functions, which mildly increase the input lengths, for the purpose of constructing hash functions. A stretch function F maps m-bit inputs into 2n-bit outputs, where m < 2n. The input strings to F will be denoted x and the output strings will be denoted by the pair (y, ȳ). Informally, they satisfy the following. One-wayness: given F(x), it is hard to find any x' such that F(x') = F(x). Randomness: the outputs of F are locally random (i.e. k-wise independent for some k).

Under the randomizing conditions we impose on F's outputs, F is an injective function on an overwhelming fraction of the inputs if 2n − m is large enough. Our definition of one-wayness is also known as preimage resistance.

Compression functions. The outputs of these stretch functions (along with 2n further bits) are fed into a compression function from (2n + 2n) bits to 2n bits. We will consider the first 2n bits of input as a key. The remaining 2n bits of input will be denoted by the pair (y, ȳ) and the output by a second such pair. Our overall compression function will be denoted by H, which compresses m-bit strings to 2n-bit strings. It is defined as follows: H(x) is the result of applying the keyed compression function, with key (K, K̄), to the pair (y, ȳ) = F(x).

While there are many instantiations for the compression function, the one we will concentrate on is as follows. Let a compression function from 2n bits down to n bits be given; the first n bits of its input will be considered a key. For now we will define the compression of (y, ȳ) under (K, K̄) by applying this function under key K to y and under key K̄ to ȳ. In our implementations we used a modified form of • • • as this function: the output is • • •_K(y) ⊕ φ(y, K), where φ(y, K) represents some simple function of y and K. (For example, the choice of φ suggested in [MMO85, Merk89].) Note that in this case the hash value is 128 bits, and to resist the attacks due to van Oorschot and Wiener [vOW94] 192-bit hash values may be needed. It is easy to generalize our result to 192 bits by using three calls to the underlying cipher. This will be covered in the complete version of the paper.

Butterfly variation. We define a variation on the butterfly compression as follows:

  K,K̄(y, ȳ) = ( K(y) ⊕ (ȳ, ȳ), K̄(ȳ) ⊕ (y, y) ),

where the combining functions are appropriately chosen and (−) is very simple to compute (for example ( ,) ). This variation appears to increase the complexity of the attacks using inversion algorithms. In the final version of this paper we present an analysis of this scheme.

3.2

Assuming F and H are random functions

We begin our analysis of H by assuming that F and H are random functions.

Theorem 1. The probability that an adversary making q queries finds a collision for H is Θ(q²/2^{2n}).

Proof. Any adversary which makes a total of q queries in sum to F and H can do no better than an adversary which makes q queries to both F and H. We will thus analyze the latter type of adversary. Due to the fact that both F and H are random functions, it is easy to show that the adversary maximizes its chances of finding a collision by using the outputs of its queries to F as the inputs to its queries to H. Due to space limitations we omit this argument here. So assume the adversary makes q queries to F to produce {(y_i, ȳ_i)}, 1 ≤ i ≤ q, and queries H on each pair. Fix a pair of queries i and j, 1 ≤ i < j ≤ q, and let us calculate the probability that this pair of queries yields a collision, i.e. that H(y_i, ȳ_i) = H(y_j, ȳ_j). There are four disjoint cases, according to which of y_i = y_j and ȳ_i = ȳ_j hold.

Case 1: y_i = y_j and ȳ_i = ȳ_j. This event occurs with probability 2^{−2m}.

Case 2: y_i = y_j and ȳ_i ≠ ȳ_j. This event occurs with probability at most 2^{−n−m}.

Case 3: y_i ≠ y_j and ȳ_i = ȳ_j. This event also occurs with probability at most 2^{−n−m}.

Case 4: y_i ≠ y_j and ȳ_i ≠ ȳ_j, with H(y_i, ȳ_i) = H(y_j, ȳ_j). This event occurs with probability at most 2^{−2n}.

Since we are assuming that n ≤ m, the probability that there is a collision for this fixed pair of queries is at most 4/2^{2n}. Hence the probability that there is any collision is at most 4q²/2^{2n}. This analysis is tight: clearly the probability that a collision occurs in q queries is at least Ω(q²/2^{2n}).

3.3

ss w t r ssu to s

We now assume that one of the two functions behaves like a random function and ask what conditions must be required of the other function. It turns out that rather surprisingly weaker conditions suffice.


ssu • s r o • s o st r u r n ow ss m h v s lik r n om n tion . O r g o l is to sh ow th titis s i n tto h v som ss m ption on th istri tion o th n m r o in v rs s −. L t lon g in g to poin t in th r n g o . fi n Sx( ) { − K ( ) m ( ) − S ( )− . or n y fi x n ot t h t ( ) 2 so t h tt h v rg x x y x m−n m−n v l o x ( ) ov r ll th v l s o is 2 . fin n x( ) x( ) 2 o s rv th t y x ( ) 2n . to

2.

y

x(

)2 − 2n

h is on ition is q iv l n tto th ollowin g L t r n om poin tin th ( x ( )2 ) h os n with pro ility2−n . h n or r n om ly h os n

r ng .

or r n om n th t r q irin g n l th t h x ( ) n tion m ig h th v or Θ(

y

2

2

tion th v l o is on st n twith h ig h pro ility. ot tion to -r g l r−is w k r on ition th n r q irin g ss th n or q l to ( or x m pl (1 (1))-r g l r or som v l o ). s y vl so with x ( )

3. y 22 n )

c

P ro o ss m th v rs rym n -th q ri s. h n ( i ,¯i )

P 

;

j

− S x ( );

i

y

n

n

on si r th

-th

¯i

¯j

¯

j

− Sx( )

P

 )2

x

 2 x(

¯i − S x (¯); ¯j − S x (¯)

y

2m

y

y

ri s. ix



2 x(



i

y

P 

k s q

y

( j ,¯j )

P y

c

c

2

(¯) 22 m

y 2 x (¯)

) 22 n

22 n



2

22 n

y

where the last inequality follows from the regularity assumption. It follows that the probability of the adversary finding a collision is at most 2q²/2^{2n}. So it follows that randomness properties of H are sufficient to weaken the requirements on F considerably. Also note that the outputs of H need not be completely independent, only 4-wise independent. A word of caution is warranted here. Since no one-wayness properties on F are imposed other than the regularity condition, one must rule out the fraction of easy points in the range of F (at which it is easy to invert F) in concrete implementations of F.


ssu • s o st j t v s r o n

In this section we continue the analysis of the previous section: we will consider H a random function and we will impose some computational assumptions on F. We will first assume that F has high collision security, as defined below. We stress here that the functions we consider here are not necessarily compressing.

to

o

so

ur t

o c

( )

( ( ) ( ))2

y c

s

u to s . ( )

( )

y 2n y

y

Note that a more general version of the definition would allow the 2 to be any positive constant. We stress that when the function is stretching and randomizing, large collision security is a mild and realistic assumption, since the function is likely to be injective on an overwhelming fraction of the range. The collision security will help us characterize the strength of our scheme. But we will also need our stretch function to be resistant to partial collisions. Recall that F maps m bits to 2n bits. We define a partial collision of size k to be when k inputs yield outputs which all have the same first n bits, or which all have the same second n bits. Actually we will need to account for all the partial collisions. Define K_i = |{ȳ : (y_i, ȳ) is a response}| for 1 ≤ i ≤ q; note that Σ_i K_i is equal to the total number of queries to F. Define K̄_i similarly. The remaining definitions read on the page as follows: fi n − K −wh n K K K 2 2 sim il rly. L t 2 − K −− 2 n 0 oth rwis . K is fi n K K K K. r pl

to c

P rt 2

o

so

ur t o

(2 )

s y

(2 ) ¯( )

c

2

u

to s . y y ¯( ) y c (2 )

To give an example of this definition, let us apply it to a random function, where T(2k) just becomes the number of queries q. In such a case the partial collision security is 2^m/4. To see this, it can first be shown that for a random function the expected value of Σ_i K_i(K_i − 1)/2 is at most q²/2^m, where the last inequality follows whenever q ≤ 2^{m/2}. The same holds for K̄. Thus the probability that a partial collision occurs is at most 4q²/2^m, which yields a partial collision security of 2^m/4. The following theorem shows that if the running time of an adversary is bounded by T̄(n), then it can only find a collision with probability bounded in terms of T(2n), T̄(n) and 2^n.

6.

c

c ( (2 ) (2 ))2

c

c

y

y

(2 ) ¯( )

(2 ) y (2 ) 2n

c

( (2 ) 2n )2

c y (2 )


P ro o th r

Proof. Suppose an adversary running in time t finds collisions on H. There are three cases. Case 1: the adversary finds a collision on F. By assumption this happens with probability at most (T(2n)/C(2n))². Case 2: the adversary finds partial collisions of F. For each y with K > 1 the adversary will get a collision on the first half of the input to H and has probability of collision on the output at most 2^{−n}·2K; an analogous statement holds for ȳ with K̄ > 1, where the probability of a collision on the output is 2^{−n}·2K̄. By assumption, the partial collision count is large with probability at most δ̄, and so this case occurs with probability at most δ̄ + (partial collisions)/2^n. Case 3: the adversary finds no collisions or partial collisions on F. Since H is a random function, the probability of a collision is q²/2^{2n}, where q is the number of input/output pairs of H computed by the adversary. Since q is always bounded from above by t, this yields an upper bound on the probability for this case of (t/2^n)².

Here we suggest simple constructions and heuristics to construct new hash functions using the old ones, so that the new one may be hard to break even if one or more of the old ones come under attack.

4.1 Composition of two functions

Let f, g be two functions from finite binary strings to n bits. Then define

  H(x) = ( g(x), f(g(x), x) ).

By the inversion security i_f(n) of a one-way function f we mean a lower bound on the time to find an n-bit inverse of the function on all but a negligible fraction of the instances f(x), where x is a randomly chosen n-bit string. The collision security c_f(n) of a hash function f is a lower bound on the time required to find two inputs x_1 ≠ x_2 such that f(x_1) = f(x_2). We first claim that the above construction at least preserves security. Note the symmetry: we need not know which of the functions is more secure, either with respect to collisions or with respect to inversion.

Theorem 7. The collision security of H satisfies c_H(n) ≥ max(c_f(n), c_g(n)), and the inversion security of H satisfies i_H(n) ≥ max(i_f(n), i_g(n)).


Proof. If (x_1, x_2) is a collision for H, then we get a g-collision at g(x_1) = g(x_2) and an f-collision at f(y, x_1) = f(y, x_2). Similarly for the inversion security. It seems to be essential to use x twice in this construction. The inversion security of H is never more than twice the maximum of the two. In the random-function model the composition of two functions usually suffers more collisions, which makes it easy to distinguish a composition from a truly random function; however, here we are interested in the difficulty of finding collisions. Since the number of rounds in H is the sum of the rounds in f and g, one would heuristically expect the resultant function to be stronger. Now we would like to obtain an H such that f, g behave as if they were independent. If the functions behave almost like random functions then of course the construction would be secure. We want to provide a formal background for analyzing this. For this we use the model of imperfect random functions for the primitives. Any existing primitive with an estimated security (at least currently) can be thought of as an imperfect random function with appropriate parameters. For this we define two measures. First we consider a simpler (but more restrictive) bit-level parameter. Define the Boolean-valued random variable to be 1 with probability ε.

Definition 8. c c 0− − 1

Considering the individual bits to be independent is less realistic than the perfect random function, but considering the statistic it gives us a more reasonable model. These functions are easily distinguished from truly random functions (for ε ≠ 1/2) merely by observing the fraction of 1s in the output strings. Considering the output as a whole we make the following definition.

Definition 9. A function whose outputs are the strings y_1, ..., y_N with respective probabilities p_1, ..., p_N is h-imperfect if min_i {−lg p_i} ≥ hn.

Note that the individual bits of an h-imperfect function can be correlated and they may not look at all random. However, when it comes to collision security, h-imperfect functions are good enough: high min-entropy is a necessary condition for a secure hash function; for example, if the min-entropy is low then much of the probability may be concentrated in a small set and it would be easy to find a collision. But the condition is also sufficient, as shown by Lemma 11 below. Obviously an ε-random function is h-imperfect for a suitable h.

Lemma 10. c 1 − 2 2 lg 2

Proof. Omitted due to space constraints.

Lemma 11. An h-imperfect function has collision security at least 2^{hn/2}.

Proof. Let f be an h-imperfect function. If a string y occurs as an output with probability p > 0, then we have −lg p ≥ hn, or p ≤ 2^{−hn}. Consider a collision adversary that makes q queries to f, which we model as random variables Y_1, ..., Y_q taking respective values y_1, ..., y_q in the range. The expected number of colliding pairs is

  Σ_{i<j} Pr[Y_i = Y_j] = Σ_{i<j} Σ_y Pr[Y_i = y] Pr[Y_j = y] ≤ Σ_{i<j} Σ_y Pr[Y_i = y] 2^{−hn} ≤ (q choose 2) 2^{−hn} ≤ q² 2^{−hn}/2.

Thus if we take q ≤ 2^{hn/2}, the expected number of collisions is at most q² 2^{−hn}/2 ≤ 1/2 < 1, so the collision security of f is at least 2^{hn/2}. This completes the claim.

4.2 Constructing "Independent" Primitives

One way to view the above construction is that it takes two imperfectly random functions and yields a function that is closer to being truly random. Towards this end consider the following construction:

  f̄(x) = f(x) ⊕ g(x).

It is relatively easy to analyze at bit level in the random-function model.

Lemma 12. If f and g are independent and ε-random at bit level, then f ⊕ g is ε'-random at bit level with |1 − 2ε'| = (1 − 2ε)².

Proof. If a and b are two independent Boolean variables both with bias ε, then a ⊕ b has bias 2ε(1 − ε) and satisfies 1 − 2·2ε(1 − ε) = (1 − 2ε)². A Boolean variable with bias ε has a gap between the probabilities of occurrence of 1 and 0 of |ε − (1 − ε)| = |1 − 2ε|. The significance of this lemma is that the gap narrows quadratically as we pass from f or g to f ⊕ g. Thus, for any t, t iterations of this process with independent functions narrow the gap to |1 − 2ε|^{2^t}. However, this construction of f̄ does not allow us to make claims as in the above lemma when we move from the idealized random-function world to the complexity-theoretic world, where the functions involved are specific, presumably collision-secure functions. That is, one cannot show that f̄ is collision-secure if f or g is. However, in an imperfect random function model it is easy to show the following. Given two imperfect random functions f and g, the expected number of queries to find collisions for f̄ is the same in both cases. Thus the construction for H is better in that it allows us to analyze its security both in the complexity and in the random-function worlds. But we now show that the f̄ construction has the surprising result of creating independence.


Intuitively we say that f̄ is independent of g if the provision of an oracle for finding collisions for g does not help in finding collisions for f̄. Note the asymmetry in the definition; for technical reasons we must allow for the possibility that a collision-finder for g may help to find collisions for f.

Definition 13. (2− c g to y − ) c y c c − y c Ω(2nh/2 ) c Si { Sj Si g c g n c (, ) −S i − g , , j − − {0,1−L c c c c c c c g

Now we claim the following. Let f and g be ε-random and δ-random respectively. Then f̄ is c-independent of g, where c is the collision security of g. Similar comments apply for independence with respect to f. To see this, assume we are given an oracle for g to find collisions. f̄ collides on the outputs of the oracle if and only if f collides on them as well. One can give similar constructions and results for imperfect random functions. Thus, in the imperfect-oracle model, finding collisions for one of the functions does not help in finding collisions for the composite function at all, when the collision finder is used as a black box. Using this as a heuristic, if one takes f, g as SHA-1, MD5 and one of them is broken, then f̄ would still need many calls to the collision finders if the outputs of these functions behave approximately randomly, even to a mild degree. This is helpful even if one of the hash functions is weak, for example breakable in 2^{?} steps; in this case finding collisions for the combination may still be infeasible. For more detailed discussion and schemes based on these considerations see the full version of this paper.

Acknowledgements. We thank Bart Preneel for helpful discussions. The third author thanks Yacov Yacobi, whose questions regarding smart-card applications provided the initial interest in this problem.

9 .

9 .

h p-

. llo n . nk t n. o l ng th y tt k n l ng th o u l ng t n fo to n . n v s y p to o y u o y p t ’ 6 L tu No t n o p ut n o l. 1 0 0 . . . u p p . 30 320 ( p ng l g 1 99 ). . n on n . h . g tN w h un t o n n st o tw y p t o 3 L tu N o t n o p ut n o l. 1 039 ( p ng l g 1 99 ).

N w 9 . 9 .



.

90. . . 9. o

9

.

o

9

.

o

9 .

o

9 .

o

9 . 9 . 9 .

K

9 .


. o l . o v t . n w ll . t h h ng o n th nt u . n v s y p to o y y p to ’ 6 . N . K o l tz L tu N o t n o p ut n o l. 1 1 09 p p . 29 31 2( p ng l g 1 99 ). . o l n . n l ( .). t ty tv s o s u o t o sy st s po t o t ty tv s v u to 10 0 h pt 3 . L tu N o t n o p ut n o l. 1 00 ( p ng l g 1 99 ). . . h tl . opp th . . y n . . ty . . . . y . h . lp l n . h ll ng . t uth nt t o n u ng o fi t o n t t o n o o n p u l o n w y n yp to n fun t o n. . . t nt N o . 4 90 1 u h 1 3 1 990. ( n . . y n . h ll ng u p og lo w th o fi t o n t to n o n u o 6 o s o p ot to t s´ u t´ o tqu t s o u t o s p p .1 1 1 1 30( 1 9 ).) . n . ung . n w y g o up to n . n v s y p to o y y p to ’ 0 L tu N o t n o p ut n o l. 3 p p . 94 1 0 ( p ng l g 1 991 ). . opp th . no th th y tt k . n v s y p to o y y p to ’ L tu N o t n o p ut n o l. 21 p p . 14 1 ( p ng l g 1 9 ). . g . o ll o n f h h fun t o n n pu l k y g n tu h . n v s y p to o y u o y p t ’ 7 L tu N o t n o p ut n o l. 304 p p . 203 21 p ng l g (1 9 ). . g . g n p n p l fo h h fun t o n . n v s y p to o y y p to ’ L tu N o t n o p ut n o l. 4 3 p p . 4 1 4 2 p ng l g (1 9 ). . o t n. y p t n ly of 4. n st o tw ypto L tu N o t n o p ut n o l. 1 039 . . o ll n p p . 3 9 p ng l g (1 99 ). . o t n. y p t n ly of o p . u p on of u o yp t 9 p nt y . n l ( y 1 99 ). ( v l l t http://www.iacr.org/conferences/ec96/rump/.) . o t n. h t tu o f ft nt tt k . y to y t s o l.2 No . 2 ( u 1 99 ). ( v l l t http://www.rsa.com/rsalabs/pubs/cryptobytes/.) . o t n. w th two o un o p fun t o n no t o ll o n f . ou o y p to o y o l. 1 0 N o . 1 p p . 1 9 (1 99 ). . o t n. h fi t two o un of 4 no t o n w y. n st o tw y p t o L tu N o t n o p ut n p ng l g (to p p ). . o tn . o l n . n l. 1 0 t ng th n v on of . n st o tw y p t o L tu N o t n o p ut n o l. 1 039 p p . 1 2 p ng l g (1 99 ). . ol h . ol w n . l v . o ll o n f h h ng f o l tt p o l . h o y o f y p to g p h y L y o 9 09. ( v l l t http://theory.lcs.mit.edu/˜tcryptol/.) L. K nu n . n l. 
t n u h h ng on o . n v s y p to o y y p to ’ 7 L tu N o t n o p ut n o l. 1 294 p p . 4 49 p ng l g (1 99 ).

1

ll . 9 . k

0.

k

9.

k 90. 1. 90. N

9.

N

94 . 9 .

93. 9 . 93 .

93 .

. 9 .

v 90. v 92.


. . ty . . y n . . n t ng t o ng o n w y fun t o n w th y p to g p h lg o th . s o su u t vo l. 2 p p . 9 (1 9 ). . n z .v n o h o t . n to n . boo o pp y p to p y ( 1 99 ). . . k l . o to o l fo p u l k y y p to y t . n o 1 0 y po s u o u ty v y o p ut o ty p p . 1 22 1 33 ( p l 1 9 0). . . k l . n w y h h fun t o n n . n v s y p to o y y p to ’ L tu N o t n o p ut n o l. 4 3 p p . 4 2 4 4 ( p ng l g 1 990). . . k l . f t o ftw o n w y h h fun t o n. o u o y p to o y o l. 3 p p . 4 3 (1 990). . . kl n . ll n. n th u ty o f ult p l n y p t o n. o u to s o t o l. 24 N o . p p . 4 4 ( uly 1 9 1 ). . y gu h K . ht n . w t . 1 2 t h h fun t o n (N h h ). v w vo l. 2 p p . 1 2 1 32(1 990). .N o n . ung . n v l o n w y h h fun t o n n th yp to g p h p p l to n . n o s o t 2 1 st y po s u o o y o o pu t p p . 33 4 3 ( 1 9 9). N t o n l n t tut o f t n n h no lo g y. u h t n . N l nfo to n o ng t n u l t o n 1 01 ( y 1 994 ). . n o . nk t n. g h ly p ll l y p to g p h tt k . n t v s tu ss ss t u o ’ 7 L tu N o t n o p ut n ( p ng l g 1 99 ). . n l. ys s s o y p to p s u t o s. h. . t t o n K th o l k n v t t L uv n ( nu y 1 993). . n l p vt o un t o n (1 99 ). . n l . o v t . n w ll . h fun t o n o n lo k ph y nth t p p o h . n v s y p to o y y p to ’ 3 L tu N o t n o p ut n o l. 3 p p . 3 3 ( p ng l g 1 991 ). . n l . o v t . n w ll . nt l y p t n ly o fh h fun t o n o n lo k p h . n o s o t 1 st o o o pu t o u to s u ty p p . 1 3 1 ( 1 993). . . n. g t l z g n tu . n o u to s o u o pu t to . . L p to n . llo p p . 1 1 ( 1 9 ). . j n . n l. p o v h t t fo nt l y p t n l y o fh h fun t o n o n lo k p h . n st o tw ypto L tu N o t n o p ut n o l. 1 00 p p . 24 2 24 ( p ng l g 1 99 ). . v t. h 4 g g t lg o th . n v s y p to o y y p to ’ 0 L tu N o t n o p ut n o l. 3 p p . 303 31 1 ( p ng l g 1 991 ). . v t. h g g t lg o th . nt n t N two k o k ng o up qu t fo o nt 1 321 ( p l 1 992).

N w u 9 . v

94 .

u ty h no lo g n th g t l No t y• • 1 99 ). . v n o ho t n t o n to h h fun t o n o o o ( 1 994 ).

o n t u t o n fo

u

h

un t o n

1

. n w to qu ntly k u to n o ut y t . http://www.surety.com ( n nu y . n . ll l o ll o n h w th p p l n t lo g th . n o so t 2 pu t o u to u ty p p .21 0 21

Cryptanalytic Attacks on Pseudorandom Number Generators

John Kelsey, Bruce Schneier, David Wagner, and Chris Hall

Counterpane Systems; University of California, Berkeley

Abstract. In this paper we discuss PRNGs: the mechanisms used by real-world secure systems to generate cryptographic keys, initialization vectors, "random" nonces, and other values assumed to be random. We argue that PRNGs are their own unique type of cryptographic primitive, and should be analyzed as such. We propose a model for PRNGs, discuss possible attacks against this model, and demonstrate the applicability of the model (and our attacks) to four real-world PRNGs. We close with a discussion of lessons learned about PRNG design and use, and a few open questions.

1 Introduction

It is hard to imagine a well-designed cryptographic application that doesn't use random numbers. Session keys, initialization vectors, salts to be hashed with passwords, unique parameters in digital signature operations, and nonces in protocols are all assumed to be random by system designers. Unfortunately, many cryptographic applications don't have a reliable source of real random bits, such as thermal noise in electrical circuits or precise timing of Geiger counter clicks [K 85, Gud85, Agn88, Ric92]. Instead, they use a cryptographic mechanism, called a Pseudo-Random Number Generator (PRNG), to generate these values. The PRNG collects randomness from various low-entropy input streams, and tries to generate outputs that are in practice indistinguishable from truly random streams [86, L 93, 94, 94, Plu94, Gut98]. In this paper, we consider PRNGs from an attacker's perspective. We discuss the requirements for PRNGs, give a basic model of how such PRNGs must work, and try to list the possible attacks against PRNGs. Specifically, we consider ways that an attacker may cause a given PRNG to fail to appear random, or ways he can use knowledge of some PRNG outputs (such as initialization vectors) to guess other PRNG outputs (such as session keys). Note that "random" is a word that is easily misused. In this paper, unless we say otherwise, the reader may assume that a "random" value is one sample of a random variable which is uniformly distributed over the entire set of n-bit vectors, for some n.


This research has important practical and theoretical implications:

1. A PRNG is its own kind of cryptographic primitive, which has not so far been examined in the literature. In particular, there doesn't seem to be any widespread understanding of the possible attacks on PRNGs, or of the limitations on the uses of different PRNG designs. A better understanding of these primitives will make it easier to design and use PRNGs securely.
2. A PRNG is a single point of failure for many real-world cryptosystems. An attack on the PRNG can make irrelevant the careful selection of good algorithms and protocols.
3. Many systems use badly-designed PRNGs, or use them in ways that make various attacks easier than they need be. We are aware of very little in the literature to help system designers choose and use these PRNGs wisely.
4. We present results on real-world PRNGs, which may have implications for the security of fielded cryptographic systems.

In Section 2, we define our model of a PRNG and discuss the set of possible attacks on PRNGs that fit this model. In Section 3, we discuss applications of those attacks on several real-world PRNGs. Then, in Section 4, we end with a discussion of the lessons learned, and a consideration of some related open problems.

2 Definitions and Security Model

In the context of this paper, a PRNG is a cryptographic algorithm used to generate numbers that must appear random. Examples of this include the ANSI X9.17 key generation mechanism [ANSI85] and the RSAREF 2.0 PRNG [RSA94]. A PRNG has a secret state, S. Upon request, it must generate outputs that are indistinguishable from random numbers to an attacker who doesn't know and cannot guess S. In this, it is very similar to a stream cipher. Additionally, however, a PRNG must be able to alter its secret state by processing input values that may be unpredictable to an attacker. A PRNG often starts in a state that is guessable to an attacker (usually unintentionally), and must process many inputs to reach a secure state. Sometimes, the input samples are processed each time an output is generated, e.g. ANSI X9.17. Other times, the input samples are processed as they become available, e.g. RSAREF 2.0 PRNG. Note that the inputs are intended to carry some unknown (to an attacker) information into the PRNG. These are the values typically collected from physical processes (like hard-drive latencies [DIF94]), user interactions with the machine [Zim95], or other external, hard-to-predict processes. Typically, system implementers and designers will try to ensure that there is sufficient entropy in these inputs to make them unguessable by any practical attacker.


Note that the outputs are intended to stand in for random numbers in essentially any cryptographic situation. Symmetric keys, initialization vectors, random parameters in signatures, and random nonces are common applications for these outputs. See Figure 1 for a high-level view of a PRNG; also, Figure 2 defines the terminology a bit, and Figure 3 shows a PRNG with periodic reseeding. PRNGs are typically constructed from other cryptographic primitives, such as block ciphers, hash functions, and stream ciphers. There is a natural tendency to assume that the security of these underlying primitives will translate to security for the PRNG. In this paper, we consider several new attacks on PRNGs. Many of these attacks may be considered somewhat academic. However, we believe there are additionally situations that arise in practice in which these attacks are possible. We believe that even attacks that are not usually practical should be brought to the attention of those who use these PRNGs, to prevent the PRNGs' use in an application that allows the attacks. Note that, in principle, any method of distinguishing between PRNG outputs and random outputs is an attack; in practice, we care much more about the ability to learn the values of PRNG outputs not seen by the attacker, and to predict or control future outputs.

[Figure 1: Black-box view of a PRNG]

2.1 Enumerating the Classes of Attacks

Direct Cryptanalytic Attack. When an attacker is directly able to distinguish between PRNG outputs and random outputs, this is a direct cryptanalytic attack. This kind of attack is applicable to most, but not all, uses of PRNGs. For example, a PRNG used only to generate triple-DES keys may never be vulnerable to this kind of attack, since the PRNG outputs are never directly seen.

[Figure: View of internal operations for most PRNGs]

Input-Based Attacks. An input attack occurs when an attacker is able to use knowledge or control of the PRNG inputs to cryptanalyze the PRNG, i.e. to distinguish between PRNG output and random values. Input attacks may be further divided into known-input, replayed-input, and chosen-input attacks. Chosen-input attacks may be practical against smartcards and other tamper-resistant tokens under physical/cryptanalytic attack; they may also be practical for applications that feed incoming messages, user-selected passwords, network statistics, etc., into their PRNGs as entropy samples. Replayed-input attacks are likely to be practical in the same situations, but require slightly less control or sophistication on the part of the attacker. Known-input attacks may be practical in any situation in which some of the PRNG inputs, intended by the system designer to be hard to predict, turn out to be easily predicted in some special cases. (An obvious example of this is an application which uses hard-drive latency for some of its PRNG inputs, but is being run using a network drive whose timings are observable to the attacker.)

State Compromise Extension Attacks. A state compromise extension attack attempts to extend the advantages of a previously-successful effort that has recovered S as far as possible. Suppose that, for whatever reason (a temporary penetration of computer security, an inadvertent leak, a cryptanalytic success, etc.), the adversary manages to learn the internal state S at some point in time. A state compromise extension attack succeeds when the attacker is able to recover unknown PRNG outputs (or distinguish those PRNG outputs from random values) from before S was compromised, or to recover outputs from after the PRNG has collected a sequence of inputs which the attacker cannot guess. State compromise extension attacks are most likely to work when a PRNG is started in an insecure (guessable) state due to insufficient starting entropy. They can also work when S has been compromised by any of the attacks


in this list, or by any other method. In practice, it is prudent to assume that occasional compromises of the state S may happen; to preserve the robustness of the system, PRNGs should resist state compromise extension attacks as thoroughly as possible.

(a) Backtracking Attacks. A backtracking attack uses the compromise of the PRNG state S at time t to learn previous PRNG outputs.

(b) Permanent Compromise Attack. A permanent compromise attack occurs if, once an attacker compromises S at time t, all future and past S values are vulnerable to attack.

(c) Iterative Guessing Attack. An iterative guessing attack uses knowledge of S at time t, and the intervening PRNG outputs, to learn S at time t + ε, when the inputs collected during this span of time are guessable (but not known) by the attacker.

(d) Meet-in-the-Middle Attack. A meet-in-the-middle attack is essentially a combination of an iterative guessing attack with a backtracking attack. Knowledge of S at times t and t + 2ε allows the attacker to recover S at time t + ε.

3 Attacks on Real-World PRNGs

In this section we discuss the strengths and weaknesses of four real-world PRNGs: the ANSI X9.17 PRNG, the DSA PRNG, the RSAREF PRNG, and CryptoLib.

3.1 The ANSI X9.17 PRNG

The ANSI X9.17 PRNG [ANSI85, Sch96] is intended as a mechanism to generate DES keys and IVs, using triple-DES as a primitive. (Of course, it is possible to replace triple-DES with another block cipher.) It has been used as a general-purpose PRNG in many applications.

1. K is a secret triple-DES key generated somehow at initialization time. It must be random and used only for this generator. It is part of the PRNG's secret state, which is never changed by any PRNG input.
2. Each time we wish to generate an output, we do the following:
   (a) T[i] = E_K(current timestamp)
   (b) output[i] = E_K(T[i] ⊕ seed[i])
   (c) seed[i+1] = E_K(T[i] ⊕ output[i])

This generator is in widespread use in banking and other applications.

Direct Cryptanalytic Attack. Direct cryptanalysis of this generator appears to require cryptanalysis of triple-DES (or whatever other block cipher is in use). As far as we know, this has never been proven, however.


Input-Based Attacks. The X9.17 PRNG has a certificational weakness (assuming a 64-bit block size) with respect to replayed-input attacks. An attacker who can force the T values to freeze can distinguish the PRNG's outputs from random outputs after seeing about 2^32 64-bit outputs. In a sequence of random 64-bit numbers, we would expect to see a collision after about 2^32 outputs. However, with a frozen T, we expect a collision from X9.17 to require about 2^63 outputs. This is mostly an academic weakness, but it may be relevant in some applications. Otherwise, knowledge or control of inputs does not appear to weaken the PRNG against an attacker that doesn't know K.

State Compromise Extension Attacks. The X9.17 PRNG does not properly recover from state compromise. That is, an attacker who compromises the X9.17 triple-DES key K can compromise the whole internal state of the PRNG from then on without much additional effort. We are aware of two flaws in the X9.17 PRNG that become apparent only when the PRNG is analyzed with respect to state compromise extension attacks:

1. Only 64 bits of the PRNG's state can ever be affected by the PRNG inputs. This means that once an attacker has compromised the PRNG, the PRNG can never fully recover, even after processing a sequence of inputs the attacker could never guess.
2. The s_{i+1} value is a function of the previous output, the previous s_i, and T_i. To an attacker who knows K from a previous state compromise, and knows the basic properties of the timestamp used to derive T_i, s_{i+1} is simply not very hard to guess.

Permanent Compromise Attack. Consider an attacker who learns K much later, after the PRNG's internal variables have become totally different. He is given two successive outputs, output_i and output_{i+1} (he has not seen any intervening outputs from the PRNG). The attacker's goal will be to learn the value of s_{i+1}. Of course, one can trivially mount a 64-bit search and learn this value. However, there is a much more effective way to mount this attack. Suppose that each timestamp value has ten bits that aren't already known to the attacker. (This is a reasonable assumption for many systems. For example, consider a millisecond timer and an attacker who knows to about the nearest second when an output was generated.) An attacker with two successive outputs can mount a meet-in-the-middle attack to discover the internal s value, requiring about 2^11 trial encryptions under the known key K. This works as follows. Because we have

   s_{i+1} = D_K(output_{i+1}) ⊕ T_{i+1}
   s_{i+1} = E_K(output_i ⊕ T_i),

the attacker tries all possible values for T_i and forms one sorted list of possible s_{i+1} values. He then tries all possible values for T_{i+1} and forms another sorted list of possible s_{i+1} values. The correct s_{i+1} value is the one that appears in both lists.

174 John Kelsey, Bruce Schneier, David Wagner, Chris Hall

Iterative Guessing Attack. If an attacker knows s_i and K, and sees some function of output_{i+1}, he can learn s_{i+1} in almost all cases. This is true because the timestamp samples will seldom have much entropy. Using our earlier assumption of ten bits of entropy per timestamp sample, this means the attacker will need only a ten-bit guess. Note that the attacker needs only to see a function of the output, not the output itself. This means that a message encrypted with a key derived from the output value is sufficient to mount this attack. (Note the difference between this and the permanent compromise attack above, in which the attacker needs raw PRNG outputs.)

Backtracking Attack. The attacker can move backwards as easily as forwards with the iterative guessing attack, assuming he can find functions of the PRNG outputs. Alternatively, he may look for the successive pair of directly available PRNG outputs nearest to the unknown outputs he wants to learn, and mount the permanent compromise attack there.

Sometimes a PRNG may generate a large secret value and not directly output any bits of it. The attacker may thus know s_i and s_{i+8}, but no intervening values. Since this leaves him with (say) 80 bits of entropy, it might be naively assumed that he cannot recover these output values. However, this isn't necessarily the case, because a meet-in-the-middle attack is available. This works as follows:

1. The attacker mounts the attack described above to learn the PRNG state before and after the run of values that were used together.
2. The attacker carries out a meet-in-the-middle attack, deriving one set of possible values for s_{i+4} by guessing T_i, …, T_{i+3}, and deriving a second list by guessing T_{i+4}, …, T_{i+7}. Each sequence of four timestamps holds 40 bits of entropy, so this will require 2^41 effort. The correct value of s_{i+4} will be present in both lists, so the s_{i+4} values that match (there will be about 2^16 of these) yield the possible sequences of timestamps, and thus output blocks.
3. The attacker can try all these possible output sequences until he finds the right one. (For example, if the eight output blocks are used as an encryption key, 2^16 trial decryptions will suffice to eliminate all the false alarms.)

In the above discussion, we have assumed that individual PRNG inputs have fixed amounts of entropy, and thus take fixed amounts of effort to guess. In practice, this usually won't be the case. An RSA keypair generation might reasonably use two 512-bit pseudorandom starting points, thus requiring a total of sixteen PRNG output requests. However, these calls will almost certainly be made in rapid succession. Unless the timestamp on which these T values are based has a great deal of precision, many of these T values


will be based on the same or very close timestamp values. This may well make meet-in-the-middle attacks practical even though it might normally make sense to estimate at least thirty bits of unpredictability per timestamp.

Summary. The ANSI X9.17 key generator appears to be fairly secure from all attacks that do not involve either stopping the timer used or compromising the internal triple-DES key. Replaying any timer input about 2^32 times leads to a certificational weakness: a way to distinguish large numbers of X9.17 PRNG outputs from truly random sequences of bits. Compromising the internal triple-DES key completely destroys the X9.17 PRNG: it never recovers, even after getting thousands of bits' worth of entropy in its sampled timer inputs. For systems that use X9.17, the most obvious way to resist this class of attack is to occasionally use the current X9.17 state to generate a whole new X9.17 state, including a new K and a new starting s_0.

3.2 The DSA PRNG

The Digital Signature Standard specification [NIST94] also describes a fairly simple PRNG based on SHA (or, alternatively, a DES construction) which was intended for generating pseudorandom parameters for the DSA signature algorithm. Since this generator appears to come with an NIST stamp of approval, it has been used and proposed for applications quite different than those for which it was originally designed. The DSA PRNG allows an optional user input while generating keys, but not while generating signature parameters. For our purposes, though, we will assume that the PRNG can be given user inputs at any time, as is true with the other PRNGs discussed in this paper. Each time the PRNG generates an output, it may be provided with an optional input W_i. Note that omitting the input from the PRNG design would guarantee that the PRNG could never recover from state compromise. All arithmetic in this PRNG is allowed to be done modulo 2^b, where 160 ≤ b ≤ 512. In the remainder of this document, we will assume this modulus to be

² Crypto++ [Dai97] includes an implementation of an X9.17 variant designed to have better security against state compromise attacks. The variant is as follows:
1. T_i = E_K(T_{i−1} ⊕ current timestamp).
2. output_i = E_K(T_i ⊕ s_i).
3. s_{i+1} = E_K(T_i ⊕ output_i).
This corresponds to encrypting the timestamps in CBC mode, instead of in ECB mode as is done in the standard X9.17 generator. The timestamp is based on the program's CPU usage, and its resolution is platform-dependent; on Linux, this is 0.01 second resolution. We have not examined this closely, but we note that our permanent compromise attack, above, can be extended to work on Crypto++'s X9.17 variant at the cost of doing a 2^64 search in the attack.


2^160, since this is the weakest value (with respect to one attack) that is allowed by the design. The DSA PRNG works as follows:

1. The PRNG maintains an ever-changing state X.
2. The PRNG accepts an optional input W. This may be zero if not supplied.
3. The PRNG generates each output as follows:
   (a) output_i = hash(X_i + W_i mod 2^160).
   (b) X_{i+1} = X_i + output_i + 1 (mod 2^160).

Direct Cryptanalytic Attack. If we assume the PRNG's hash function is good, then the resulting output sequence appears to be hard to distinguish from a random sequence. It would be nice from a system designer's point of view to have some proof of the quality of this PRNG's outputs based on the collision-resistance or one-wayness of the hash function; to our knowledge, no such proof exists.

Input-Based Attacks. Consider an attacker who can control the inputs sent into the DSA PRNG. If these inputs are sent directly in, there is a straightforward way to force the PRNG to repeat the same output forever. This has direct relevance if this PRNG is being used in a system in which the attacker may control some of the entropy samples sent into the PRNG. To force the PRNG to repeat, the attacker forms

   W_i = W_{i−1} − output_{i−1} − 1 (mod 2^160).

This forces the X value to repeat, which forces the output values to repeat. Note, however, that this attack fails quickly when the user hashes his entropy samples before sending them into the PRNG. In practice, this is the natural way to process the inputs, and so we suspect that few systems are vulnerable to this attack.

State Compromise Extension Attacks. The DSA PRNG doesn't handle state compromise as well as we might have liked, but it is much better in this regard than ANSI X9.17. Consider an attacker who has somehow compromised the entire internal state of the PRNG, but then lost track of its inputs and outputs for a long period. If enough entropy exists in those samples, then the PRNG will become as strong as ever against attack.

Just as with ANSI X9.17, the DSA PRNG leaks the effects of unguessable inputs in its output. Consider an attacker who has compromised the PRNG's state. The application sends in an input that the attacker can't guess (e.g., a sample with 90 bits of entropy). The attacker sees the next output. He doesn't need to guess the sample, because the only effect on future outputs this sample can have is through that output. Note that if the new X depended directly on W, this weakness wouldn't exist. An attacker who knew the X state could still try to guess the entropy sample, but if he did not guess the right value, he would lose knowledge of the state.


Iterative Guessing Attack. This PRNG is vulnerable to an iterative guessing attack after the state has been compromised. That is, if an attacker knows X_i and knows that W_i has only 20 bits of entropy, he can mount a 2^20 search and have a list of 2^20 160-bit outputs, one of which is output_i. Note that the attacker needs only a function of the output that he can then check, such as a DSA signature made with output_i as its secret parameter value. Note also that knowledge of the correct value for output_i also uniquely determines the value of X_{i+1}.

Backtracking Attack. If an attacker knows X_i and output_{i−1}, then he is clearly able to backtrack to knowledge of X_{i−1}. This doesn't immediately gain him much; he has to already know output_{i−1} to be able to do this. However, in some circumstances this could turn out to be useful. Consider a situation in which the attacker knows X_i, X_{i+2}, and output_{i+1}, but still needs to know output_i. In this case, he can solve for output_i directly:

   output_i = X_{i+2} − X_i − 2 − output_{i+1}.

Summary. The DSA standard's PRNG appears to be quite secure when used in the application for which it was designed: signature parameter generation. However, it doesn't perform well as a general-purpose cryptographic PRNG, because it handles its inputs poorly, and because it recovers more slowly from state compromise than it should. To adapt the DSA PRNG to more general use, the following measures would eliminate most of the attacks we have observed:

1. Require hashing of all PRNG inputs before applying them.
2. Update X by the following formula: X_{i+1} = X_i + hash(output_i + W_i) modulo 2^160.

3.3 The RSAREF 2.0 PRNG

The PRNG included with RSAREF 2.0 is built almost entirely around two operations: MD5 hashing and addition modulo 2^128. It is the most conceptually simple design of any we have analyzed. The RSAREF 2.0 PRNG consists of the following:

1. A 128-bit counter, C_i.
2. A method for processing inputs. To process input X_i, we do the following: C_{i+1} = C_i + MD5(X_i) modulo 2^128.
3. A method for generating outputs. To generate output_i, we do the following: output_i = MD5(C_i); C_{i+1} = C_i + 1 modulo 2^128.


Direct Cryptanalytic Attack. We will treat MD5 as a random function. While there have been interesting cryptanalytic results on MD5 in the last several years, none of them offer an obvious way to attack the RSAREF PRNG.

Partial Precomputation Attack. There is a straightforward attack on a counter-mode generator of this kind: an attacker chooses some number n of successive outputs that he expects to see, and then computes the hash of every n-th possible counter value. He is guaranteed to see one of these hashes after n outputs; at that point he knows the whole counter value. This attack is impractical for a 128-bit counter, but it gives an upper bound on the strength of this generator. With 2^32 outputs, an attacker would need to do 2^96 precomputation to mount the attack; with 2^64 outputs, he would need to do 2^64 precomputation. These attacks also require a great deal of memory, though time/memory trade-offs can reduce that.

Timing Attack. The code to increment the 128-bit internal counter has the property that it will leak some information about the resulting 128-bit counter by how many 8-bit add operations the computer must execute. This opens a timing channel for an attacker. An attacker able to observe the time taken to generate each new output can learn how many zero bytes are in the counter each time it is incremented. This is simply a matter of determining how many bytewise additions had to be done to increment the counter properly. There are two facets to this attack. First, counter values that are all-zero in their low-order few bytes leak a great deal of information through the timing channel; these can be considered a kind of weak state. Second, when combined with the partial precomputation attack discussed above, the timing information can be used to know when to bother checking the PRNG output against a precomputed table. This is a small advantage, but a real one.

Input-Based Attacks. We note that several input-based attacks are possible against RSAREF's PRNG. In particular, chosen-input attacks exist against the PRNG. They become quite powerful when the attacker can also monitor precise timing information from the machine on which the PRNG is running.

An attacker can force the RSAREF PRNG into a short cycle by choosing the input value properly. Let input_0 be a chosen input for the PRNG such that MD5(input_0) has all ones in its low-order k bytes. An attacker requests a long sequence of outputs by requesting these inputs, one per output. This forces the PRNG to cycle much faster, because the low-order k bytes of the counter are exhausted. For k = 8, the cycle length is shortened to 2^64 outputs. Note that the attacker doesn't know what those bytes are, but he knows that they are the same every time the PRNG uses them to generate another output. A more powerful way to shorten the cycle takes advantage of the birthday paradox. Suppose A, B are two chosen inputs such that MD5(A) + MD5(B) has all


ones in its low-order k bytes. Then an attacker can feed the periodic sequence A, B, A, B, … as inputs to the PRNG and observe the outputs; with this procedure he should see a cycle after about 2^(128−8k) outputs. For example, for the case k = 16, it takes about 2^64 offline work to find suitable A, B if an attacker uses an efficient collision search algorithm (see e.g. [vOW94, vOW96]); this choice of chosen inputs will force the generator to repeat immediately.³ More generally, we can get a simple "time travel" attack: if no new inputs were mixed in during the last n outputs, then the attacker can send the PRNG back in time n steps by finding two chosen inputs whose MD5 digests sum to −n (again with the same time complexity).

Chosen-Input Timing Attack. A much more powerful attack is available if the attacker can monitor precise operation timings, and if MD5 operates in constant time. The counter increment operation in the source code will leak how many zero bytes are in the resulting counter value, by how many 8-bit additions were required and thus by how long the counter increment operation took. During the counter increment operation (unlike the add operation used to combine in entropy from input), detecting j 8-bit additions means that the resulting low-order j − 1 bytes are zero. The attack occurs in two stages. In the precomputation stage, which is done once, the attacker generates the chosen entropy values he is to use later, and also generates a table of hashed counter values. In the execution stage, which is done each time he wishes to attack some PRNG state, he uses those chosen entropy values to force the internal counter to a value that has its low-order 104 bits set to all zeros. The attack requires about 2^48 offline trial hashes and 2000 chosen-entropy requests. The precomputation stage works as follows:

1. For i = 1 to 12, the attacker finds input_{0,i}, input_{1,i} such that MD5(input_{0,i}) + MD5(input_{1,i}) is all ones in its low-order i bytes and that its next lowest order byte is even. This is expected to take about 2^(4i) effort using a collision-search algorithm.

The stage of executing the attack works as follows:

1. The attacker watches increment timing values until he knows that the low-order byte of the counter is zero. (He sees this because of the extra addition operation, which alters the time taken for the input to be processed.)
2. For i = 1 to 12, he does the following:
   (a) Requests update with input_{0,i}. This forces the counter value to all ones in its low bytes.

³ Note that it is designed for only 64 bits of collision-resistance, and so perhaps one might not expect it to provide more than 64 bits of security. However, this PRNG appears to be in use for generating 1024-bit moduli and establishing triple-DES keys, so it is apparently being trusted for more than 64 bits of security.


   (b) Requests an output value and observes the time taken for the output generation, inferring how many times the PRNG executed an 8-bit add operation in the increment. Keeps requesting the update with input_{1,i} and then the output until he gets i + 2 8-bit add operations instead of i + 1.
   (c) At this point, he has forced the low i + 1 bytes to zeros.
3. At the end of the above loop, the attacker has forced the low-order thirteen bytes of the counter to zero values. He now carries out a brute-force search of the remaining three bytes of C, and breaks the PRNG.

State Compromise Extension Attacks. The PRNG's input-processing mechanism has a potentially dangerous flaw: it is order-independent. That is, updating the PRNG with A and then with B is the same as updating it first with B and then with A. This flaw was originally discovered by Paul Kocher [Koc95, Bal96], but it is still worth noting here. The effect of this is to make the PRNG more likely to start in an insecure state, and also to make the PRNG require considerably more entropy in its inputs before its state is unguessable.

Iterative Guessing Attack. The iterative guessing attack works here. That is, if an attacker has compromised C at time t, and the user updates his state with some inputs guessable by an attacker, and then generates an output which the attacker can see (even if that output is used as a symmetric encryption or authentication key, or as a key or pad encrypted under a public key), he can maintain his knowledge of the PRNG's state. If the PRNG manages to get updated with an unguessable input between the compromised state and the visible output, however, then he loses his knowledge of the state.

Backtracking Attack. The PRNG is vulnerable to backtracking in a straightforward way. The iterative guessing attack works exactly as well backwards as forwards, and when an attacker doesn't have new entropy samples, backtracking is exactly as easy as walking the generator forward.

Summary. The RSAREF 2.0 PRNG is vulnerable to chosen-input attacks which can force it into short cycles, chosen-input timing attacks which can reveal its secret state, and iterative guessing and backtracking attacks which can allow an attacker to extend his knowledge of the secret state backward and forward through time. It also must be used very carefully due to the fact that inputs affect it in an order-independent way. To minimize the danger of these attacks, we make the following recommendations:

1. Guard against chosen-input attacks in the design of the system that uses the RSAREF PRNG.


2. Be careful using the PRNG in situations where timing information might be leaked.
3. Append a current timestamp and/or counter to all inputs before sending them into the PRNG, to eliminate the order-independence of PRNG inputs.

3.4 The CryptoLib PRNGs

CryptoLib is a cryptographic library developed primarily by Jack Lacy, Donald Mitchell, William Schell, and Matt Blaze, and initially described in [LMS93]. The primary source of randomness in CryptoLib is truerand, a mechanism for pulling (hopefully) unpredictable values out of the clock skew between different timers available to the system. These values can be used directly (though the documentation warns callers not to rely on more than 16 bits of entropy per 32-bit word), or can be used to seed one of the available pseudorandom number generators, fbsrand or desrand. fbsrand and desrand are not PRNGs by our definition, but rather are stream ciphers. That is, they do not have any mechanisms for processing additional inputs "on the fly," but rather are seeded and then run to generate pseudorandom numbers. This is not unreasonable given the assumption that truerand delivers truly random bits, since then the system designer can simply generate a whole new state every few minutes and otherwise needn't worry about entropy collection. The combination of truerand and fbsrand, or truerand and desrand, can be analyzed in the same way as the other PRNGs in this paper. That is, we assume that the system initializes the state of either fbsrand or desrand using truerand, and uses one of these mechanisms to generate whatever pseudorandom values are needed, and that the whole mechanism is periodically reinitialized from truerand. truerand is thus the source of PRNG inputs, and fbsrand or desrand is the source of PRNG outputs.

fbsrand. fbsrand is described in [LMS93]. Its secret state consists of a secret DES key K and an array of seven 32-bit values, R_0, …, R_6, organized as a shift register. Each time an output is required, two of the 32-bit values are taken and concatenated to form a 64-bit value. This value is encrypted with DES under the secret key. The resulting ciphertext is split into two 32-bit halves; one half is XORed back into one of the 32-bit values (in the same way a shift register value might be updated), the other half is output. The register is then shifted so that two new values will be used to generate the next output. A more complete description can be found in [LMS93].

desrand. desrand appears in the CryptoLib source code (version 1.2). Its secret state consists of a 64-bit counter, a secret three-key triple-DES key K, a secret 20-byte prefix, and a secret 20-byte suffix. Each new 32-bit output is generated as follows:


1. Use the SHA-1 hash function to compute a hash value a from the prefix, the counter, and the suffix.
2. Use triple-DES to compute b = E_K(counter).
3. XOR together the high-order bytes of the hash value with the result from the encryption; output the high-order four bytes of this result.
4. Set counter = counter + 1.

Direct Cryptanalytic Attack. There is a direct cryptanalytic attack on fbsrand requiring 2^88 effort. The attack uses the fact that once the attacker knows K and any one PRNG ciphertext output, he can build a table of the 2^32 possible halves of the ciphertext that was used for feedback. For each value, he gets a whole 64-bit ciphertext, which he can decrypt into a 64-bit plaintext, yielding both 32-bit values from the R array.

1. The attacker guesses the key K.
2. The attacker gets the outputs generated when the shift register pairs used are such that a register value updated with the feedback from one output is used again in a later pair.
3. For the first two output values, the attacker computes all 2^32 possible feedback values (the 32-bit half of the ciphertext that was not output). This allows him to compute the updated register value for each guess. We expect there to be only one pair of feedback guesses that leads to the same register value.
4. The attacker uses the feedback value from the first output (learned in the previous step) to compute what the new register value should be. He then mounts another 2^32 guess of the feedback value for the third step, and uses this to derive the current register and other register values. If he has the wrong K value, he expects not to find any matching register value; if he has the right K value, he expects to find one value that agrees.

This demonstrates a certificational weakness in fbsrand at most; the computational requirements are very probably outside the reach of any attacker right now.⁴ We are not aware of any direct cryptanalytic attacks available on desrand. Its design appears to us to be very conservative and unlikely to be attacked in the future. Note that nothing like the timing attack on RSAREF's PRNG is available here despite the use of a counter.

⁴ It could be argued that since DES has only 56 bits of strength, this construction was intended for no more strength than that. We find this argument unconvincing. fbsrand was clearly an attempt to get more than 56 bits of strength from DES; otherwise, an ECB- or counter-mode DES would have been used.


Input-Based Attacks. These systems accept input only once, and accept it directly from truerand or a buffer provided by the caller. This (re)initializes the PRNG. In the context of the following discussion, a known-input attack means that the attacker has learned how to predict some truerand values. Clearly, if the attacker can know all the truerand values, there is no cryptanalysis to perform. An interesting result occurs if the PRNG becomes weak with only a small number of predictable truerand values.

fbsrand. An attacker who knows any two R values used as a plaintext block for DES can mount a keysearch. The attack can reduce the possible number of keys to about 2^24. He must then wait until the first of those R values makes it into the input again, and carry out an additional 2^32 search per candidate key; this will determine the key uniquely. This requires a total of about 2^57 trial encryptions (2^56 for the keysearch plus 2^24 · 2^32 for the second stage) and about 2^24 blocks of memory. From this point, the attacker can quickly recover the remaining state of the PRNG. An attacker who can guess any two such values with 2^n work can mount the same attack with 2^(n+57) trial encryptions and 2^(n+24) blocks of memory. An attacker who knows the DES key K can recover the remaining PRNG state with 2^33 effort using the same method described for direct cryptanalysis of the PRNG above.

A more subtle concern might involve flaws in the quality of seed values from truerand. Consider an attacker who knows, for a given system, that only 2^8 32-bit outputs from truerand are possible. If fbsrand is reseeded directly from truerand, this leads to a fairly simple attack: fbsrand's DES key must come from truerand, and the attacker can quickly list all possible 56-bit values that could have been generated (getting about 2^16 of them), and then carry out the attack described above. In general, if there are 2^n possible values for the fbsrand's DES key to get, then the attack will take 2^(n+33) trial decryptions. This is an improvement over 56 bits, naturally. Note that this demonstrates that fbsrand doesn't profit from the full entropy it receives during reseeding; in the example above fbsrand would get 8 bits of entropy per 32-bit word used to reseed it, for a total of 112 bits of entropy.

desrand. We are aware of no reasonable known-input attacks on desrand. An attacker with knowledge of the key and the counter but not the prefix or suffix appears to have no chance to defeat the PRNG; similarly, an attacker with knowledge of the prefix and suffix but not the key or the counter appears to have no chance to defeat the PRNG.

State Compromise Extension Attacks. The desrand and fbsrand generators don't process inputs, and so can never recover from state compromise. However, if truerand is used to generate a whole new state every few minutes, the scope of a state compromise is made very small. It is worth noting that both desrand and fbsrand allow an attacker in possession of their current state to go backward as well as forward, learning all values ever generated by them. That is, if the PRNG state is ever compromised, the attacker can learn every


output ever generated by that state. If the system is designed to reinitialize its PRNG with truerand values once every hour, then this means a compromise of all PRNG outputs for that hour. If the system reinitializes the PRNG more frequently, then the attacker learns fewer outputs; if less frequently, then the attacker learns more outputs.

Summary. Assuming truerand is a good source of unpredictable values, the PRNGs built by putting it together with either fbsrand or desrand appear to be of reasonable strength, but desrand appears to be more resistant to various attacks than fbsrand. Note, however, that nearly all of these attacks require keysearching DES or doing some similarly computationally expensive task. We make the following recommendations:

1. System designers should verify, both by statistical analysis and by an analysis of their target systems' designs, whether truerand will reliably provide unpredictable numbers on their systems. (This holds true for every source of unpredictable inputs for every PRNG.)
2. In environments where truerand's outputs may be suspect (perhaps due to malicious actions by the attacker), we recommend that desrand rather than fbsrand be employed.

In this paper, we have argued for treating PRNGs as their own kind of cryptographic primitive, distinct from stream ciphers, hash functions, and block ciphers. We have discussed the requirements for a PRNG, developed abstract attacks against an idealized PRNG, and then demonstrated those attacks against four real-world PRNGs.

Guidelines for Using Vulnerable PRNGs

In the earlier sections, we discussed possible countermeasures for many of the attacks we developed. Here we propose a list of ways to protect a PRNG against each of the classes of attacks we discussed:

1. Use a Hash Function to Protect Vulnerable PRNG Outputs. If a PRNG is suspected to be vulnerable to direct cryptanalytic attack, then outputs from the PRNG should be preprocessed with a cryptographic hash function. Note that not all possible flawed PRNGs will be secure even after hashing their outputs, so this doesn't guarantee security, but it makes security much more likely.
2. Hash Inputs with a Counter or Timestamp Before Use. To prevent most chosen-input attacks, the inputs should be hashed with a timestamp or counter before being sent into the PRNG. If this is too expensive to be done every time an input is processed, the system designer may want to only hash inputs that could conceivably be under an attacker's control.

[Fig. 3. A PRNG with periodic reseeding]

3. Occasionally Generate a New Starting PRNG State. For PRNGs like ANSI X9.17, which leave a large part of their state unchangeable once initialized, a whole new PRNG state should occasionally be generated from the current PRNG. This will ensure that any PRNG can fully reseed itself, given enough time and input entropy.
4. Pay Attention to Starting Points. The best way to resist all the state-compromise extension attacks is simply never to have the PRNG's state compromised. While it's not possible to guarantee this, system designers should spend a lot of effort on starting their PRNG from an unguessable point, handling PRNG seed files intelligently, etc. (See [Gut98] for several ways that this can be done.)

Guidelines for Developing New PRNGs

Having described a set of possible attacks on PRNGs, it is reasonable to try to discuss ways to develop new PRNGs that will resist them. We propose the following guidelines for developing new PRNGs:

1. Base Security on a Strong Primitive. The PRNG should be designed so that a successful direct cryptanalytic attack implies a successful attack


on some cryptographic primitive that's believed to be strong. Ideally, this would be proven.
2. Make Sure the Whole State Changes Over Time. The whole secret internal state should change over time. This prevents a single state compromise from being unrecoverable.
3. Separate the Entropy Pool from the Output Generation State. The part of the internal state that is used to generate outputs should be separate from the entropy pool. The generation state should change only when enough entropy has been collected to resist iterative guessing attacks, according to a conservative estimate. Figure 3 depicts a possible architecture for implementing catastrophic reseeding.
4. Resist Backtracking. The PRNG should be designed to resist backtracking. Ideally, this would mean that output_i was unguessable in practice to an attacker who compromised the PRNG state at time i + 1. It may also be acceptable to simply pass the PRNG's state through a one-way function every few outputs, limiting the possible scope of any backtracking attack.
5. Resist Chosen-Input Attacks. The inputs to the PRNG should be combined into the PRNG state in such a way that, given an unguessable sequence of inputs, an attacker who starts knowing the PRNG state but not the input sequence, and an attacker who starts knowing the input sequence but not the state, are both unable to guess the ending state. This provides some protection against both chosen-input and state compromise extension attacks.
6. Recover from Compromise Quickly. The PRNG should take advantage of every bit of entropy in the inputs it receives. An attacker wanting to learn the effect on the PRNG state of a sequence of inputs should have to guess the entire input sequence.

Open Problems

In this paper, we've begun the process of systematically analyzing PRNGs. However, there are several interesting areas we haven't dealt with here:

1. Dedicated PRNGs. Early in this paper, we made the assertion that PRNGs are a distinct kind of cryptographic primitive. Existing PRNGs are almost all built out of existing cryptographic primitives. This raises the question of whether it makes sense to build dedicated PRNG algorithms. Typically, the motivation for building a dedicated algorithm is to improve performance. Are there applications where the PRNG's performance is a serious enough issue to merit a new algorithm?
2. Security Proofs. Since most currently-fielded PRNGs are based on existing cryptographic primitives, it would be nice to see some security proofs demonstrating that mounting some class of attack on the PRNG is equivalent to breaking an underlying block cipher, stream cipher, or hash function.
3. Starting Points. One likely way for an attacker to compromise the PRNG state is for the PRNG to start in a guessable state. This raises the issue


of how a designer can ensure that his system always starts its PRNG at an unguessable state. We would like to see more discussion of these issues in the literature.
4. Resisting State Compromise. We would like to see more discussion of how to resist state compromise in real systems. This is an enormous practical issue which has received relatively little attention in the literature.
5. Analyze Other PRNGs. There are many PRNGs we have not discussed here, mainly due to time and space constraints. In particular, we would like to see a complete discussion of the class of PRNGs used in PGP and Gutmann's cryptlib, among other places. These PRNGs fit into our model, but look very different than any of the systems we have reviewed here; they typically maintain a considerably larger state (or "pool") in hopes of accumulating large amounts of entropy.
6. Develop New Designs. We have discussed flaws in existing PRNGs. We are interested in seeing new designs proposed that resist our attacks. A PRNG of our own is currently under development; details will be posted to •••••••••••••••••••••••••• as they become available.

Acknowledgments. The authors would like to thank Greg Guerin, Peter Gutmann, and Adam Shostack for helpful conversations and comments on early drafts of this paper, and Ross Anderson and several anonymous referees for helpful suggestions on improving the paper's presentation.

References

[Agn88] G. B. Agnew, "Random Sources for Cryptographic Systems," Advances in Cryptology: EUROCRYPT '87 Proceedings, Springer-Verlag, 1988, pp. 77–81.
[ANSI85] ANSI X9.17 (Revised), "American National Standard for Financial Institution Key Management (Wholesale)," American Bankers Association, 1985.
[Bal96] R. W. Baldwin, "Proper Initialization for the BSAFE Random Number Generator," RSA Laboratories Bulletin, no. 3, 25 Jan 1996.
[Dai97] W. Dai, Crypto++ library, •••••••••••••••••••••••••••••••••••••••••••.
[DIF94] D. Davis, R. Ihaka, and P. Fenstermacher, "Cryptographic Randomness from Air Turbulence in Disk Drives," Advances in Cryptology: CRYPTO '94 Proceedings, Springer-Verlag, 1994, pp. 114–120.
[ECS94] D. Eastlake, S. D. Crocker, and J. I. Schiller, "Randomness Requirements for Security," RFC 1750, Internet Engineering Task Force, Dec. 1994.
[FMC85] R. C. Fairfield, R. L. Mortenson, and K. B. Coulthart, "An LSI Random Number Generator (RNG)," Advances in Cryptology: CRYPTO '84 Proceedings, Springer-Verlag, 1985, pp. 203–230.
[Gud85] M. Gude, "Concept for a High-Performance Random Number Generator Based on Physical Random Noise," Frequenz, v. 39, 1985, pp. 187–190.
[Gut98] P. Gutmann, "Software Generation of Random Numbers for Cryptographic Purposes," Proceedings of the 1998 Usenix Security Symposium, 1998, to appear.
[Koc95] P. Kocher, post to the ••••••••• Internet newsgroup (message ••••••••••••••••••••••••), 4 [month] 1995.
[LMS93] J. B. Lacy, D. P. Mitchell, and W. M. Schell, "CryptoLib: Cryptography in Software," USENIX Security Symposium IV Proceedings, USENIX Association, 1993, pp. 237–246.
[NIST92] National Institute of Standards and Technology, "Key Management Using ANSI X9.17," FIPS PUB 171, U.S. Department of Commerce, 1992.
[NIST93] National Institute of Standards and Technology, "Secure Hash Standard," FIPS PUB 180, U.S. Department of Commerce, 1993.
[NIST94] National Institute of Standards and Technology, "Digital Signature Standard," FIPS PUB 186, U.S. Department of Commerce, 1994.
[vOW94] P. C. van Oorschot and M. J. Wiener, "Parallel Collision Search with Application to Hash Functions and Discrete Logarithms," 2nd ACM Conference on Computer and Communications Security, ACM Press, New York, 1994.
[vOW96] P. C. van Oorschot and M. J. Wiener, "Improving Implementable Meet-in-the-Middle Attacks by Orders of Magnitude," Advances in Cryptology: CRYPTO '96 Proceedings, Springer-Verlag, 1996.
[Plum94] C. Plumb, "Truly Random Numbers," Dr. Dobb's Journal, v. 19, n. 13, Nov 1994, pp. 113–115.
[Ric92] M. Richter, "Ein Rauschgenerator zur Gewinnung von quasi-idealen Zufallszahlen für die stochastische Simulation," Ph.D. dissertation, Aachen University of Technology, 1992. (In German.)
[RSA94] RSA Laboratories, RSAREF cryptographic library, 1994, •••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••.
[SV86] M. Santha and U. V. Vazirani, "Generating Quasi-Random Sequences from Slightly Random Sources," Journal of Computer and System Sciences, v. 33, 1986, pp. 75–87.
[Sch96] B. Schneier, Applied Cryptography, Second Edition, John Wiley & Sons, 1996.
[Zim95] P. Zimmermann, PGP User's Guide, MIT Press, 1995.

CS-Cipher

Jacques Stern and Serge Vaudenay
Ecole Normale Supérieure, CNRS
•••••••••••••••••••••••••••••••••••••

Abstract. This paper presents a new block cipher which offers good encryption rate on any platform. It is particularly optimized for hardware implementation where the expected rate is several Gbps on a small dedicated chip working at 30 MHz. It combines up to date state of the art concepts in order to make it (hopefully) secure: a diffusion network based on the Fast Fourier Transform, multipermutations, and highly nonlinear confusion boxes.

1 Introduction

The recent explosion of the telecommunication marketplace motivates the research on encryption schemes. Trading security issues pushed the government to start the development of the DES in the 70s [1]. All telecommunication devices now need to be secured by encryption. Many attacks have been proposed against DES, including Biham and Shamir's differential cryptanalysis [5, 6] and Matsui's linear cryptanalysis [15, 16]. Still, the best practical attack seems to be exhaustive search, which has become a real threat as shown by the recent success of the DES Challenge [3, 1]. In this paper we propose a new symmetric encryption scheme which has been designed in order to be efficient on any platform, including cheap 8-bit microprocessors (e.g. smart cards), modern 32-bit microprocessors (e.g. Pentium) and dedicated chips.

Notations

• || is the concatenation of two strings;
• the bitwise exclusive or of two bitstrings (with equal lengths);
• the rotation of a bitstring by one position to the left;
• the bitwise and of two bitstrings (with equal lengths);
• bitstrings are written in hexadecimal by packing four bits into one digit;
• the numbering of bits in bitstrings is from right to left, starting with 0 (x_0 denotes the last bit in x);
• bitstrings and integers are converted in such a way that x_{n−1}||…||x_0 corresponds to the integer x_{n−1}·2^(n−1) + … + x_0.

Part of this work has been subject to patent matters.

CS-Cipher (CS as for the French "Chiffrement Symétrique") is a symmetric block cipher which can be used in any mode to encrypt a block stream (e.g. the cipher block chaining mode, see [2]). Basically, the CS-Cipher encryption function maps a 64-bit plaintext block onto a 64-bit ciphertext block by using a secret key which is a bitstring with arbitrary length up to 128. The CS-Cipher decryption function maps the ciphertext onto the plaintext by using the same secret key. We assume that the plaintext is represented by a bitstring



6

•••• •





6

•••• • 0 •

0

and we similarly write the ciphertext. We also assume that the secret key is padded to 128 bits with trailing zero bits to get length 128:

•••• • 0 •

(A key is therefore equivalent to another key which consists in padding it with a few zero bits.) A key scheduling scheme first processes the secret key in order to obtain nine 64-bit subkeys (numbered 0 to 8), iteratively in this order. If the secret key has to be used several times, we recommend precomputing this sequence, which may notably increase the encryption rate. The encryption algorithm processes iteratively each subkey in the right order (from subkey 0 to subkey 8), whereas the decryption algorithm processes them in the reverse order (from subkey 8 to subkey 0). We thus recommend keeping storage of all subkeys for decryption, or adapting the key scheduling scheme so that it can generate the subkeys in the reverse order.

Key Scheduling Scheme

Let the padded 128-bit secret key be given. We first split this bitstring into two 64-bit strings (indexed −2 and −1) such that

•− | | •− •

Those two strings initialize a sequence (indexed from −2 to 8) whose entries indexed 0 to 8 are the nine 64-bit subkeys to compute. The sequence comes from a Feistel scheme:

• •−

• • • (• •− )

for each index from 0 to 8, where the function used at each step is defined below (see Feistel [9]). Figure 1 illustrates the key scheduling scheme together with the encryption itself.

Fig. 1. Encryption process

This function maps a 64-bit string onto a 64-bit string by using a 64-bit constant. In the definition of CS-Cipher, the nine constants (indexed 0 to 8) are defined as the first bytes of the table of the byte permutation which will be defined below:

•••••••••••••••• 6 •••••••••••••••• 6 •••••••••••••••• 6 •••••••••••••••• 6 •••••••••••••••• 6 •••••••••••••••• 6 •••••••••••••••• 6 •••••••••••••••• 6 •••••••••••••••• 6•

y • • • (• )

• (• (•

••))•

It combines a byte-permutation, which maps an 8-bit string onto an 8-bit string according to a table, and a bit transposition. (Software implementations will use a lookup table for the byte permutation, whereas hardware implementations may use its inner structure, which will be detailed below.) Given the 64-bit string, we split it into eight 8-bit strings (bytes) and apply the byte permutation to each byte: we compute

|•••| | • 7 ••0 ) •• 6 |

• (• 6

•• 6

)| |•••| | • (• 7 ••0 ) •

The bit transposition is the 8×8 bit-matrix transposition. More precisely, given the 64-bit string, we first split it into eight 8-bit strings as above and write it in an 8×8 bit-matrix fashion, in such a way that the first row is the first byte and so on. The transposition simply transposes the matrix, so that the first eight bits of the result are the first bits of the eight bytes in this order, the second eight bits are their second bits, and so on. Thus we have

•6 | | • | |•••| | •7| | •6 | | • | |•••| | • 0•

Figure 2 illustrates how this function works in the key scheduling scheme.

Encryption Scheme

The encryption process is performed through eight rounds by using a round encryption function which is a permutation on the set of all 64-bit strings. Given the 64-bit plaintext block and the sequence of the nine 64-bit subkeys, the ciphertext block is

• (• 7

•••• (•

• (• 0

• ) ) •••)

Fig. 2. The key scheduling function, as depicted on Figure 1.

The round-encryption function is based on the Fast Fourier Transform graph and on a 16-bit to 16-bit function, as depicted on Figure 3. It also uses two 64-bit constants defined by the binary expansion of the mathematical constant e, whose hexadecimal expansion begins

e = 2.b7e151628aed2a6abf7158809cf4f3c7...

Thus we define the two 64-bit constants as b7e151628aed2a6a and bf7158809cf4f3c7 (in hexadecimal).

More precisely, in each encryption round we iterate the following scheme three times:
- we xor with a constant (which is successively the round subkey and the two constants defined above);
- we split the 64-bit string into four 16-bit strings and we apply the 16-bit function to each of them, obtaining four 16-bit strings which are combined into a 64-bit string;

Fig. 3. One encryption round

- we split it again into eight 8-bit strings and we change their order:

•• 6

| | •

••

| | •

| | •

••

•• 6

| | •

••

| | • 7 ••0

s

| • 7 •• 0 |

••

| | •

••

| | •

| | •

••

••

| | •

•• 6

| | • 7 ••0 •

The 16-bit function takes a 16-bit string, which is split into two 8-bit strings, and computes its 16-bit output (also written as two 8-bit strings) by

wh e e • is efi ne

y • (• • )

• (• 7 | |•••| | • 0)

• (• (• • ) • • ) • (• • (• • ) • • )

• 7| | (• 6

(• • (• • )

• )| | • | | (•

••

6

)

••

• )| | • | | (•

• )| | • | | (• 0

• 7 )•

Fig. 4. Computation graph of the 16-bit function

The computation of the 16-bit function is depicted on Figure 4 (with the xor to its input, which is always performed). The byte-permutation (which is also used in the key scheduling scheme) is defined by a three-round Feistel cipher represented on Figure 5: the 8-bit input is split into two 4-bit strings and we compute successively

• • • (• • ) • • • (• ) • • (• • )

wh e e • n • e two spe i l un tions. T h e un tion • is efi ne y th e t le • • • • • • • • • • • • • • • • • • (• ) • • • • • • • • • • • • • • • • wh i h

om es om • (• )

T h e un tion • is efi ne



• • (• ) •

y th e t le

• • • • • • • • • • • • • • • • • • (• ) • • • • • • • • • • • • • • • • wh i h oesnot om e om sim ple exp ession. in lly th e vlue o • (• • ) isgiven s ollows y th e t le o • .

Fig. 5. The byte permutation

•• •• •• •• •• •• •• •• •• •• •• •• •• •• •• •• ••

•• •• •• •• •• •• •• •• •• •• •• •• •• •• •• •• ••

•• •• •• •• •• •• •• •• •• •• •• •• •• •• •• •• ••

•• •• •• •• •• •• •• •• •• •• •• •• •• •• •• •• ••

•• •• •• •• •• •• •• •• •• •• •• •• •• •• •• •• ••

•• •• •• •• •• •• •• •• •• •• •• •• •• •• •• •• ••

•• •• •• •• •• •• •• •• •• •• •• •• •• •• •• •• ••

•• •• •• •• •• •• •• •• •• •• •• •• •• •• •• •• ••

•• •• •• •• •• •• •• •• •• •• •• •• •• •• •• •• ••

•• •• •• •• •• •• •• •• •• •• •• •• •• •• •• •• ••

o inst n e we h ve • (• • ) • • sin e • (• ) • (• ) • n fi n lly • • • .


•• •• •• •• •• •• •• •• •• •• •• •• •• •• •• •• ••

•• •• •• •• •• •• •• •• •• •• •• •• •• •• •• •• •• • •

•• •• •• •• •• •• •• •• •• •• •• •• •• •• •• •• ••

•• •• •• •• •• •• •• •• •• •• •• •• •• •• •• •• ••

•• •• •• •• •• •• •• •• •• •• •• •• •• •• •• •• ••

•• •• •• •• •• •• •• •• •• •• •• •• •• •• •• •• ••

•• •• •• •• •• •• •• •• •• •• •• •• •• •• •• •• ••



• • (• )

• •





Decryption Scheme

Decryption is performed by iterating a decryption-round function represented on Figure 6.

Fig. 6. One decryption round

Details of the decryption are left to the reader. The inverse of the 16-bit function can be computed as follows: we simply observe that

• (• (• • ) • (• • ) ) • • (• • ) • (• • )

wh e e • (• ) • ••

(• • (• )

••

6

)

••

Test Vector

As an example we encrypt the plaintext •••••••••••••••• (in hexadecimal) with the secret key •••••••••••••••••••••••••••••••• (in hexadecimal). The subkey sequence is

•••••••••••••••• •••••••••••••••• •••••••••••••••• •••••••••••••••• ••••••••••••••••

6 6 6 6 6


• • •

•••••••••••••••• •••••••••••••••• •••••••••••••••• 6

• •7 •

•••••••••••••••• •••••••••••••••• ••••••••••••••••

o inst n e th e fi stgene te su key • 0 •0

•− •− •−

• (• (• −

6 6 6 6 6 6

••••••••••••••••

6

is

• • • • • • • • • • • • • • • • 6 ))

• (• • • • • • • • • • • • • • • • 6 ) •••••••••••••••• 6 •

T h e m ess geswh i h ente into e h oun • • • • • • • •

0

6 7

e

•••••••••••••••• •••••••••••••••• •••••••••••••••• •••••••••••••••• •••••••••••••••• •••••••••••••••• •••••••••••••••• ••••••••••••••••

6 6 6 6 6 6 6 6

and the ciphertext is •••••••••••••••• (in hexadecimal). In the first round the input message is transformed through three layers into the input of the second round. The intermediate results between the layers are •••••••••••••••• and •••••••••••••••• (in hexadecimal). For instance, in the first layer we take the input, xor it with subkey 0, apply the 16-bit function, permute the bytes and get ••••••••••••••••. As an implementation test we mention that if we iterate one million times the encryption on the all-zero bitstring with the previous key, we obtain the final ciphertext •••••••••••••••• (in hexadecimal).

The Fast Fourier Transform used in the round-encryption function has been used in several cryptographic designs, including Schnorr's FFT-Hashing [22], FFT-Hash II [23], Schnorr and Vaudenay's Parallel FFT-Hashing [24] and Massey's SAFER [13,14]. This graph has been proved to have very good diffusion properties when done twice (see [25,26,30]). The structure of the 16-bit function implements a multipermutation as defined by Schnorr and Vaudenay (see [25,29,30]). In this case it means that it is a permutation over the set of all 16-bit strings and that fixing any of the two 8-bit inputs arbitrarily


makes both 8-bit outputs be permutations of the other one. This is due to a very particular property of the linear mapping used inside it, namely that both this mapping and its xor with the identity (which is in fact another linear mapping) are permutations. Actually both are linear involutions. Those properties make the round function be what we call a multipermutation, such that if we arbitrarily fix seven of the eight inputs, all outputs are a permutation of the remaining free input. This performs a good diffusion. The best general attack methods on block ciphers have been introduced by Gilbert, Chassé, Tardy-Corfdir, Biham, Shamir and Matsui (see [11,28,5,6,15,16,10]). They are now known as differential and linear cryptanalysis. We now study how CS-Cipher has been protected against them. The byte permutation has been chosen to be a nonlinear involution in the sense that both differential and linear cryptanalysis are hard. Nonlinearity has one measure corresponding to differential cryptanalysis (which has been defined by Nyberg [19]) and one measure corresponding to linear cryptanalysis (which has been defined by Chabaud and Vaudenay [7]). Here we use the formalism introduced by Matsui [17]:

L

x

(• ) (• )

m x



0•• •



• (•

u

0

• (• )

• •

m x 2

• ••

•)



u





• (• ) • − 1



The two 4-bit functions of the byte permutation are such that both of their measures are 2^{-…}. If the theorem of Aoki and Ohta [3] (which generalizes the theorem of Nyberg and Knudsen [20]) were applicable in this setting, we would then obtain a bound of 2^{-…} on both measures of the byte permutation. Both properties are however still satisfied, as the experiment shows. From [19,7] it is known that for any function on the set of all n-bit strings both measures are at least 2^{-…}, but it is conjectured that 2^{…} is a better bound, or even … (see Dobbertin [8] for instance). So our functions are reasonably nonlinear. Since it is well known that the heuristic complexity of differential or linear cryptanalysis is greater than the inverse of the product of the measures of all active boxes (see for instance Heys and Tavares [12]), having mixing functions makes at least five boxes per round active, so no four rounds of CS-Cipher have any efficient differential or linear characteristic.

In any kind of implementation, the key scheduling scheme is assumed to be precomputed. This part of CS-Cipher has not been designed to have special implementation optimization. The authors believe that every time one changes the secret key one has to perform expensive computations (such as asymmetric cryptography key exchange protocols or key transfer protocols), so optimizing the precomputation of the subkey sequence is meaningless. In the following sections we only discuss the implementation of the encryption (or decryption) scheme.

VLSI Implementation

CS-Cipher is highly optimized for VLSI implementations. It may be noticed that the 16-bit function has been designed to get a friendly boolean circuit implementation. Actually, Figure 7 illustrates a cheap nand-circuit with depth 4 and only 16 nand gates. We propose two possible easy implementations. In the first one we really implement one third of a single round encryption, that is, with two 64-bit input registers and one 64-bit output register. It is easy to see that an encryption can be performed by iterating this circuit 24 times and loading the sequence of round constants (subkey 0, then the two constants, then subkey 1, then the two constants, and so on) into the right input. A straightforward estimate shows this circuit requires 1216 nand-gates with depth 26. This implementation can be embedded in any microprocessor within less than 1 mm² in order to get a simple microcode encryption instruction. One 30 MHz clock cycle is enough to compute one layer, thus one 64-bit encryption requires 24 clock cycles, which leads to 73 Mbps, which is quite fast for such a cheap technology. The second implementation consists in making a dedicated chip which consists of 24 times the previous circuit in a pipeline architecture. We estimate we need 15 mm² in order to implement a 30000-nand-gate circuit which performs a 64-bit encryption within one 30 MHz clock cycle, which leads to an encryption rate of 2 Gbps. This can be used to encrypt ATM network communications or buses.

Fig. 7. Implementation of the 16-bit function

These results can be compared to MISTY, which has been implemented by Mitsubishi. In Matsui [18] this chip is specified to require 65 000 gates, working at 14 MHz and encrypting at 450 Mbps.

Implementation on Modern Microprocessors

A straightforward non-optimized implementation of CS-Cipher in standard C on a Pentium 133 MHz (see the Appendix) gives an encryption rate of 2.1 Mbps, which is reasonably fast compared to similar implementations of DES.


Another (non-optimized) implementation in assembly code enables the Pentium to perform a 64-bit encryption within 973 clock cycles, which leads to 8.3 Mbps working at 133 MHz. An evaluation similar to the VLSI-implementation estimates shows that the number of "usual" boolean gates (xor, and, or, not) required to implement 64 parallel 64-bit encryptions using Biham's bit-slice trick on a 64-bit microprocessor is 11968, which is substantially less than Biham's implementation of DES which requires about 16000 instructions (see [4]). Therefore, if we use a 300 MHz Alpha microprocessor which requires 0.5 cycles per instruction (as in [4]), we obtain an encryption rate of about 196 Mbps.

Implementation on Smart Cards

An implementation has been done for a cheap smart card platform. A compact 6805 assembly code of roughly 500 bytes can encrypt a 64-bit string in its buffer by using only 6 extra byte-registers within 12633 clock cycles. This means that a cheap smart card working at 4 MHz can encrypt within 3.16 ms (at a 19.8 Kbps rate), which is better than optimized implementations of DES [1]. This implementation of CS-Cipher can still be optimized.

platform                  clock rate   encryption rate   note
VLSI 1216 nand 1 mm²      30 MHz       73 Mbps           estimate
VLSI 30000 nand 15 mm²    30 MHz       2 Gbps            estimate
standard C 32 bits        133 MHz      2 Mbps            appendix
bit slice (Pentium)       133 MHz      11 Mbps           estimate
bit slice (Alpha)         300 MHz      196 Mbps          estimate
Pentium assembly code     133 MHz      8.3 Mbps          non-optimized
6805 assembly code        4 MHz        20 Kbps           non-optimized

Fig. 8. Implementations of CS-Cipher

CS-Cipher has been shown to offer quite fast encryption rates on several kinds of platforms, which is suitable for telecommunication applications. Figure 8 summarizes the implementation results. Its security is based on heuristic arguments. All attacks are welcome...

We wish to thank the • • • • • • • •• • • • • •• • • • • for having initiated and supported this work.

References

1. Data Encryption Standard. FIPS PUB 46, U.S. National Bureau of Standards, 1977.
2. DES Modes of Operation. FIPS PUB 81, U.S. National Bureau of Standards, 1980.
3. K. Aoki, K. Ohta. Strict evaluation of the maximum average of differential probability and the maximum average of linear probability. IEICE Transactions on Fundamentals, vol. E80-A, no. 1, pp. 2–8, 1997.
4. E. Biham. A fast new DES implementation in software. In Fast Software Encryption, Haifa, Israel, Lecture Notes in Computer Science 1267, pp. 260–272, Springer-Verlag, 1997.
5. E. Biham, A. Shamir. Differential cryptanalysis of the full 16-round DES. In Advances in Cryptology CRYPTO'92, Santa Barbara, California, U.S.A., Lecture Notes in Computer Science 740, pp. 487–496, Springer-Verlag, 1993.
6. E. Biham, A. Shamir. Differential Cryptanalysis of the Data Encryption Standard. Springer-Verlag, 1993.
7. F. Chabaud, S. Vaudenay. Links between differential and linear cryptanalysis. In Advances in Cryptology EUROCRYPT'94, Perugia, Italy, Lecture Notes in Computer Science 950, pp. 356–365, Springer-Verlag, 1995.
8. H. Dobbertin. Almost perfect nonlinear power functions on GF(2^n). Submitted.
9. H. Feistel. Cryptography and computer privacy. Scientific American, vol. 228, pp. 15–23, 1973.
10. H. Gilbert. Cryptanalyse statistique des algorithmes de chiffrement et sécurité des schémas d'authentification. Thèse de Doctorat de l'Université de Paris 11, 1997.
11. H. Gilbert, G. Chassé. A statistical attack of the FEAL-8 cryptosystem. In Advances in Cryptology CRYPTO'90, Santa Barbara, California, U.S.A., Lecture Notes in Computer Science 537, pp. 22–33, Springer-Verlag, 1991.
12. H. M. Heys, S. E. Tavares. Substitution-permutation networks resistant to differential and linear cryptanalysis. Journal of Cryptology, vol. 9, pp. 1–19, 1996.
13. J. L. Massey. SAFER K-64: a byte-oriented block-ciphering algorithm. In Fast Software Encryption, Cambridge, United Kingdom, Lecture Notes in Computer Science 809, pp. 1–17, Springer-Verlag, 1994.
14. J. L. Massey. SAFER K-64: one year later. In Fast Software Encryption, Cambridge, United Kingdom, Lecture Notes in Computer Science 809, pp. 212–241, Springer-Verlag, 1994.
15. M. Matsui. Linear cryptanalysis method for DES cipher. In Advances in Cryptology EUROCRYPT'93, Lofthus, Norway, Lecture Notes in Computer Science 765, pp. 386–397, Springer-Verlag, 1994.
16. M. Matsui. The first experimental cryptanalysis of the Data Encryption Standard. In Advances in Cryptology CRYPTO'94, Santa Barbara, California, U.S.A., Lecture Notes in Computer Science 839, pp. 1–11, Springer-Verlag, 1994.
17. M. Matsui. New structure of block ciphers with provable security against differential and linear cryptanalysis. In Fast Software Encryption, Cambridge, United Kingdom, Lecture Notes in Computer Science 1039, pp. 205–218, Springer-Verlag, 1996.
18. M. Matsui. New block encryption algorithm MISTY. In Fast Software Encryption, Haifa, Israel, Lecture Notes in Computer Science 1267, pp. 54–68, Springer-Verlag, 1997.
19. K. Nyberg. Perfect nonlinear S-boxes. In Advances in Cryptology EUROCRYPT'91, Brighton, United Kingdom, Lecture Notes in Computer Science 547, pp. 378–385, Springer-Verlag, 1991.
20. K. Nyberg, L. R. Knudsen. Provable security against differential cryptanalysis. Journal of Cryptology, vol. 8, pp. 27–37, 1995.
21. Organisation for Economic Co-operation and Development. Guidelines for Cryptography Policy, 27 March 1997.
22. C. P. Schnorr. FFT-Hashing: an efficient cryptographic hash function. Presented at CRYPTO'91. Not published.
23. C. P. Schnorr. FFT-Hash II, efficient cryptographic hashing. In Advances in Cryptology EUROCRYPT'92, Balatonfüred, Hungary, Lecture Notes in Computer Science 658, pp. 45–54, Springer-Verlag, 1993.
24. C.-P. Schnorr, S. Vaudenay. Parallel FFT-Hashing. In Fast Software Encryption, Cambridge, United Kingdom, Lecture Notes in Computer Science 809, pp. 149–156, Springer-Verlag, 1994.
25. C.-P. Schnorr, S. Vaudenay. Black box cryptanalysis of hash networks based on multipermutations. In Advances in Cryptology EUROCRYPT'94, Perugia, Italy, Lecture Notes in Computer Science 950, pp. 47–57, Springer-Verlag, 1995.
26. C. P. Schnorr, S. Vaudenay. Black box cryptanalysis of cryptographic primitives. Submitted. Early version available as LIENS Report 95-2, Laboratoire d'Informatique de l'Ecole Normale Supérieure, 1995.
27. C. E. Shannon. Communication theory of secrecy systems. Bell System Technical Journal, vol. 28, pp. 656–715, 1949.
28. A. Tardy-Corfdir, H. Gilbert. A known plaintext attack of FEAL-4 and FEAL-6. In Advances in Cryptology CRYPTO'91, Santa Barbara, California, U.S.A., Lecture Notes in Computer Science 576, pp. 172–181, Springer-Verlag, 1992.
29. S. Vaudenay. On the need for multipermutations: cryptanalysis of MD4 and SAFER. In Fast Software Encryption, Leuven, Belgium, Lecture Notes in Computer Science 1008, pp. 286–297, Springer-Verlag, 1995.
30. S. Vaudenay. La sécurité des primitives cryptographiques. Thèse de Doctorat de l'Université de Paris 7, Technical Report LIENS-95-10 of the Laboratoire d'Informatique de l'Ecole Normale Supérieure, 1995.
31. Rocke Verser. Strong cryptography makes the world a safer place.

Here is a sample implementation in C of the core of CS-Cipher. The procedure takes a plaintext block and a precomputed subkey sequence (as a 9×8-byte array). This program is highly optimizable.


On the Design and Security of RC2

Lars R. Knudsen
University of Bergen, Norway

Vincent Rijmen
K.U. Leuven, Belgium

Ronald L. Rivest
MIT Laboratory for Computer Science, Cambridge, MA, U.S.A.

M.J.B. Robshaw
RSA Laboratories, Redwood City, CA, U.S.A.

Abstract. The block cipher RC2 was designed in 1989 by Ron Rivest for RSA Data Security Inc. In this paper we describe both the cipher and preliminary attempts to use both differential and linear cryptanalysis.

RC2 is a block cipher that was designed in 1989 by Ron Rivest for RSA Data Security Inc. Initially held as a confidential and proprietary algorithm, RC2 was published as an Internet Draft during 1997 [12]. RC2 has many interesting and unique design features, particularly so when one considers the style of ciphers that dominated both the literature and the market at the time of its invention. The cipher was intended to be particularly efficient on 16-bit processors and, with a 64-bit block size, it was intended as a drop-in replacement for DES [11]. A significant feature of RC2 is the flexibility offered to the user in terms of the effective key-size. This has now become a common feature of many block cipher proposals and it is a property that has proven to be important in commercial applications. Over the years RC2 has been deployed widely and it features prominently in the S/MIME secure messaging standard [5]. Currently there are no published results on the cryptanalytic strength of RC2. As a first step, this paper sets out some details on how the basic attacks of differential [1] and linear [8] cryptanalysis might apply.

There are two distinct parts to using RC2. First, a key expansion procedure takes a user-supplied key of between one and 128 bytes in length, together with a parameter T1 that specifies the effective key-length of the encryption. From this information an array K[·] of 64 16-bit round keys is derived. Then a 64-bit plaintext block is encrypted using the array K[·]. Encryption consists of two styles of rounds. One is termed a MIXING round and the other a MASHING round. Both the key expansion and encryption components rely on the use of a substitution table called PITABLE. This table specifies a random permutation on the integers 0 ... 255 and was derived from the expansion of π = 3.14159.... The table itself will not concern us directly in this paper but it is included for completeness in the appendix. We will now describe the action of RC2 in more detail. We will use x <<< k to denote the 16-bit word x rotated left by k bits; & will denote bitwise logical AND, ⊕ will denote bitwise exclusive-or and ~ will denote bitwise complementation. All 16-bit word addition is performed modulo 2^16.

S. Vaudenay (Ed.): FSE'98, LNCS 1372, pp. 206–221, 1998.

During the key expansion procedure both byte operations and 16-bit word operations are used. The array that stores the 64 16-bit round keys will be referred to in two ways.
a) For word operations the positions of the buffer will be referred to as K[0] ... K[63], where each K[i] is a 16-bit word.
b) For byte operations the array of round keys will be referred to as L[0] ... L[127], where each L[i] is an eight-bit byte.
It will always be the case that K[i] = L[2i] + 256·L[2i+1] (that is, the lower order byte is given first). Suppose that T bytes of key are supplied by the user with 1 ≤ T ≤ 128. The key expansion procedure places the T-byte key into L[0] ... L[T−1] of the key buffer. Regardless of the value of T, however, the algorithm has a maximum effective key length in bits, which is denoted T1. The effective key length in bytes, T8, and a mask TM based on the effective key length in bits T1 are derived as T8 = ⌈T1/8⌉ and TM = 255 mod 2^(8 + T1 − 8·T8). Key expansion consists of the following two loops and an intermediate step:
1. for i = T, ..., 127 do L[i] = PITABLE[L[i−1] + L[i−T]] (addition is modulo 256)
2. L[128−T8] = PITABLE[L[128−T8] & TM]
3. for i = 127−T8, ..., 0 do L[i] = PITABLE[L[i+1] ⊕ L[i+T8]]
At the end of this key expansion the array K[0] ... K[63] contains the 64 16-bit subkey words that will be used during encryption.

The encryption operation is defined in terms of primitive MIX and MASH operations. An array of four 16-bit words R[0] ... R[3] is used to hold the initial plaintext, the intermediate results and the final ciphertext. Indices to this array are always given modulo 4.


MIX. The primitive MIX operation is defined as follows, where s[0] = 1, s[1] = 2, s[2] = 3 and s[3] = 5. Here j is a global variable, so that K[j] is always the first key word in the expanded key which has not yet been used in a MIX operation.
    R[i] = R[i] + K[j] + (R[i−1] & R[i−2]) + ((~R[i−1]) & R[i−3]);
    j = j + 1;
    R[i] = R[i] <<< s[i];

MIXING round. A MIXING round consists of MIX R[0], MIX R[1], MIX R[2], MIX R[3].

MASH. The primitive MASH operation is defined as follows:
    R[i] = R[i] + K[R[i−1] & 003f_x];

MASHING round. A MASHING round consists of MASH R[0], MASH R[1], MASH R[2], MASH R[3].

The entire encryption operation can now be described as follows. Here j is a global integer variable which is only affected by the mixing operations.
1. Initialize words R[0] ... R[3] to contain the 64-bit plaintext block.
2. Expand the key so that words K[0] ... K[63] become defined.
3. Initialize j to zero.
4. Perform five MIXING rounds.
5. Perform one MASHING round.
6. Perform six MIXING rounds.
7. Perform one MASHING round.
8. Perform five MIXING rounds.
9. The ciphertext is R[0] ... R[3].

Decryption is the reverse of encryption. Since the details can easily be established, they are not included here. Test vectors for encryption using RC2 are in the appendix.

RC2 is rather unusual in that the 64-bit plaintext block is split into four words, each of 16 bits. In a style reminiscent of the hash function MD4 [13], much of the encryption process relies on one of these words being modified by a function of the other three, the four words then being swapped cyclically. This design approach was explored some seven years after the design of RC2, which now might be described as being an unbalanced Feistel cipher. The key schedule for RC2 is also unusual. T8 is the number of bytes needed to contain the given T1 bits of key. When T1 is not congruent to 0 modulo 8, a mask containing ones in the low-order bits is used to derive the correct effective key length. The first step of the key expansion expands the key to a full 128 bytes using a non-linear byte-wide feedback shift-register approach. Step three is similar to the first except that it starts at the high end and works towards the lower end. Steps two and three also work together to limit the effective key size to T1 bits. Step three corresponds to using a feedback register of only T8 bytes, and step two ensures that the initial state of that register has only T1 bits of entropy. Although the procedure limits the actual entropy of the key to T1 bits, it also ensures that the final key table depends upon each bit of the supplied key. If one supplies a 16-byte key but sets T1 = 40, then changing any bit of the supplied key should result in a different key table, although the number of possible key tables is limited to 2^40.

Differential cryptanalysis [1] can be a powerful style of attack. By choosing a pair of plaintexts with a particular difference, which can be adapted to the cipher in question, the cryptanalyst hopes that some identifiable and unusual behaviour can be observed by processing the ciphertexts. One possible evolution of the difference between a pair of plaintexts during encryption can be described by a characteristic. In essence a characteristic specifies the difference between two parallel encryptions at each stage of the encryption process, and there is some associated probability that a pair being encrypted does indeed follow this description. A plaintext pair that follows the characteristic is typically called a right pair; a pair that does not is called a wrong pair. Throughout our attack on RC2 we shall define the difference between two 16-bit words to be their bitwise exclusive-or. Furthermore, in our analysis we shall be interested in how single-bit differences behave within RC2. The decision to restrict our attention to single-bit differences facilitates analysis, but it is also motivated by a typical assumption that characteristics involving multiple-bit differences over integer addition will generally hold with lower probability than single-bit characteristics [6]. We note that other more complex techniques [2,7] might open new avenues for the analysis of RC2. We will use e_t to denote the 16-bit word with a single one in bit position t, all other bits being set to zero. We also view the leftmost bit of a 16-bit word to be the most significant bit. Thus we shall use e_15 to denote the 16-bit word with the only non-zero bit being the most significant bit. We will denote the word of 16 zero bits as 0000_x, where the subscript x denotes hexadecimal notation, and we will denote the Hamming weight (i.e. the number of ones in the binary expansion of some quantity x) as wt(x).


For the remainder of the paper we shall consider MIXING and MASHING rounds in the following way. Instead of viewing the operation at each step as acting on a different word, we shall consider the operations to be identical (i.e. at each step R[0] = R[0] + K[j] + (R[3] & R[2]) + ((~R[3]) & R[1])) but that between steps the words are rotated cyclically (i.e. TEMP = R[0]; R[0] = R[1]; R[1] = R[2]; R[2] = R[3]; R[3] = TEMP).

MIX

Given an input difference (e_t, 0000_x, 0000_x, 0000_x) to the first MIX step in a MIXING round, the output difference before rotation will be (e_t, 0000_x, 0000_x, 0000_x) with probability 1/2. Rotation then moves this single-bit difference within the word and the four words are swapped cyclically. We can summarize the four basic characteristics which hold with probability 1/2 (when averaged over all plaintexts and key words) for a MIX step. The value of the rotation depends on the step in which the characteristic is applied. Note that addition within the subscript of e_t is performed modulo 16.

(e_t, 0000_x, 0000_x, 0000_x) → (0000_x, 0000_x, 0000_x, e_{t+s[i]})   (1)
(0000_x, 0000_x, 0000_x, e_t) → (0000_x, 0000_x, e_t, 0000_x)   (2)
(0000_x, 0000_x, e_t, 0000_x) → (0000_x, e_t, 0000_x, 0000_x)   (3)
(0000_x, e_t, 0000_x, 0000_x) → (e_t, 0000_x, 0000_x, 0000_x)   (4)

Apart from (1) with t = 15, which holds with probability 1, these characteristics hold with probability 1/2 on average. There are times where the characteristics do not hold. The following are the cases where the characteristic holds with certainty:
(2) if (R[2] & e_t) = (R[1] & e_t), then it holds with probability 1;
(3) if (R[3] & e_t) = 0000_x, then it holds with probability 1;
(4) if (R[3] & e_t) = e_t, then it holds with probability 1.
In the first MIXING round the attacker chooses the plaintext, and this allows the cryptanalyst to capture some of these special cases in an attack.

MASH

There are two MASHING rounds in RC2 and the basic MASH step is $R_0 = R_0 + K[R_3 \wedge 003f_x]$. Given an input difference $(0000_x, 0000_x, 0000_x, e_t)$ to a MASHING round with $(e_t \wedge 003f_x) = 0000_x$, the same key word will be added to both sets of partially encrypted data. The four basic useful characteristics for MASH are as follows:
$$(e_t, 0000_x, 0000_x, 0000_x) \to (0000_x, 0000_x, 0000_x, e_t) \qquad (5)$$
$$(0000_x, 0000_x, 0000_x, e_t) \to (0000_x, 0000_x, e_t, 0000_x) \qquad (6)$$
$$(0000_x, 0000_x, e_t, 0000_x) \to (0000_x, e_t, 0000_x, 0000_x) \qquad (7)$$
$$(0000_x, e_t, 0000_x, 0000_x) \to (e_t, 0000_x, 0000_x, 0000_x) \qquad (8)$$
Characteristic (5) holds with probability $1/2$ unless $t = 15$, when it holds with probability 1. Characteristics (7) and (8) hold with probability 1, and characteristic (6) holds with probability 1 if $(e_t \wedge 003f_x) = 0000_x$. Joining these four characteristics together to pass across a MASHING round with probability 1 is straightforward.
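The single-bit MIX and MASH characteristics above, and the special cases in which they hold with certainty, can be checked empirically. The following Python is an added example and is not code from the paper: it models one MIX step and one MASH step in the paper's cyclic view (the step operates on $R_0$ and the words are then swapped cyclically), takes differences as XOR of a single bit $e_t$ (for a single-bit difference this coincides with $\pm e_t$ in the paper's subtractive convention), draws registers and subkeys uniformly at random, and counts how often the output difference is the one predicted by characteristics (1) to (8). The rotation amounts $s_0, \ldots, s_3 = 1, 2, 3, 5$ are RC2's; the trial counts and seeds are arbitrary choices.

```python
import random

MASK = 0xFFFF
ROT = (1, 2, 3, 5)          # RC2 rotation amounts s_0..s_3 for the four MIX steps


def rol16(x, s):
    return ((x << s) | (x >> (16 - s))) & MASK


def mix_step(r, k, s):
    """One MIX step in the paper's cyclic view: R0 = R0 + K + (R3 & R2) + (~R3 & R1),
    rotated left by s, followed by the cyclic swap R0,R1,R2,R3 -> R1,R2,R3,R0."""
    r0, r1, r2, r3 = r
    r0 = rol16((r0 + k + (r3 & r2) + ((~r3) & r1)) & MASK, s)
    return [r1, r2, r3, r0]


def mash_step(r, key):
    """One MASH step in the cyclic view: R0 = R0 + K[R3 & 0x3f], then the cyclic swap."""
    r0, r1, r2, r3 = r
    r0 = (r0 + key[r3 & 0x3F]) & MASK
    return [r1, r2, r3, r0]


def _expected_after_mix(word, t, s):
    """Output difference predicted by (1)-(4): the difference moves one word to the
    left; for word 0 it is additionally rotated by s (subscript taken mod 16)."""
    out = [0, 0, 0, 0]
    out[(word - 1) % 4] = rol16(1 << t, s) if word == 0 else (1 << t)
    return out


def mix_char_prob(word, t, step=0, force_condition=False, trials=20000, seed=1):
    """Empirical probability that a single-bit difference e_t in `word` follows the
    single-bit MIX characteristic, averaged over random registers and subkey.
    With force_condition=True the registers are constrained as in the text:
    (2) R2 and R1 agree in bit t, (3) bit t of R3 is 0, (4) bit t of R3 is 1."""
    rng = random.Random(seed)
    e_t = 1 << t
    hits = 0
    for _ in range(trials):
        r = [rng.randrange(1 << 16) for _ in range(4)]
        if force_condition:
            if word == 3:
                r[1] = (r[1] & ~e_t) | (r[2] & e_t)
            elif word == 2:
                r[3] &= ~e_t
            elif word == 1:
                r[3] |= e_t
        k = rng.randrange(1 << 16)
        rp = list(r)
        rp[word] ^= e_t
        a, b = mix_step(r, k, ROT[step]), mix_step(rp, k, ROT[step])
        hits += [x ^ y for x, y in zip(a, b)] == _expected_after_mix(word, t, ROT[step])
    return hits / trials


def mash_char_prob(word, t, trials=20000, seed=1):
    """Empirical probability that e_t in `word` passes a MASH step unchanged
    (moved one word to the left), with a random 64-word key table each trial."""
    rng = random.Random(seed)
    e_t = 1 << t
    hits = 0
    for _ in range(trials):
        key = [rng.randrange(1 << 16) for _ in range(64)]
        r = [rng.randrange(1 << 16) for _ in range(4)]
        rp = list(r)
        rp[word] ^= e_t
        a, b = mash_step(r, key), mash_step(rp, key)
        expected = [0, 0, 0, 0]
        expected[(word - 1) % 4] = e_t
        hits += [x ^ y for x, y in zip(a, b)] == expected
    return hits / trials


if __name__ == "__main__":
    for w in range(4):
        print("MIX  word", w, "t=3 :", mix_char_prob(w, 3))
    print("MIX  word 0 t=15:", mix_char_prob(0, 15))
    print("MIX  word 3 t=3, R1 and R2 agree in bit 3:", mix_char_prob(3, 3, force_condition=True))
    print("MASH word 3 t=7 :", mash_char_prob(3, 7), " t=2 :", mash_char_prob(3, 2))
```

The word-0 case with $t = 15$ and the constrained cases come out at exactly 1, the unconstrained cases at about $1/2$, and a selector difference below bit 6 in MASH almost never survives because a different key word is added to the two texts.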

In this section we combine characteristics for both MIXING and MASHING rounds while moving towards a full analysis of RC2. We will assume that the subkey words $K_0, \ldots, K_{63}$ are independent, and we aim to recover the expanded key table in our attack. The characteristics of interest are built around single-bit differences, and as noted in Section 3.1 there are advantages to having this single non-zero bit in the most significant bit of a word. Depending on which word is the subject of the characteristic we use different rotation amounts during MIXING. This leads to conditions on the position of the single-bit difference in the plaintext that provide some advantages in an attack. Another consideration is the presence of the MASHING rounds and how one might aim to nullify their action. A one-bit characteristic specifies an input difference to a MASHING round on any one of the words, and provided $t = 15$ the characteristic will pass untouched through the MASHING round with probability 1. If $5 < t < 15$ then there is a characteristic that holds with probability $1/2$. There are six MIXING rounds between the two MASHING rounds, and so with the difference $(e_t, 0000_x, 0000_x, 0000_x)$ as input to the first MASHING round we can establish the values of $t$ that are useful to us. A more accurate reflection of the success of a final attack is given by considering differentials [10] instead of characteristics (which provide only a lower bound on the probability of the differential). In Section 3.5 we will consider the issue of differentials in more detail, but from this point on we will anticipate later analysis by referring to the use of differentials during our description of the attack. The observations provided so far allow us to present in Table 1 the differentials that are useful to us.

In a differential cryptanalytic attack the attacker typically chooses a differential for $(r-1)$ rounds of an $r$-round block cipher. The attacker then tries to deduce key information from the last round of the cipher [1]. Here the most effective attack on RC2 appears to require that bits of the subkey $K_0$ used in the first MIXING round are recovered first. Consider a differential with input difference $(0000_x, 0000_x, 0000_x, e_t)$. The starting values of $R_1$ and $R_2$ are chosen so that $(R_1 \wedge e_t) = (R_2 \wedge e_t)$. After the first MIX step the difference will be $(0000_x, 0000_x, e_t, 0000_x)$. The output difference from the second MIX step will depend on the value of bit $t$ in register $R_3$. If this bit is zero then word $R_1$ with difference $0000_x$ will

Table 1. Differentials that are potentially useful in an attack on RC2. The associated probabilities are lower bounds provided by the characteristic contained within the specified differential. (Columns: the input difference, one of $(e_t, 0000_x, 0000_x, 0000_x)$, $(0000_x, e_t, 0000_x, 0000_x)$, $(0000_x, 0000_x, e_t, 0000_x)$ or $(0000_x, 0000_x, 0000_x, e_t)$; the single-bit difference after the MIXING rounds; the admissible values of $t$; and the probability. The table body is not reproduced here.)

be selected and no difference is introduced. Otherwise word $R_2$ with difference $e_t$ will be selected and will introduce a difference into another word. Note that the value of this bit depends on the plaintext (which we know) and on bits of the first 16-bit subkey word $K_0$. We can trace the output of the second MIX step to the end of the penultimate MIXING round by using the differentials in Table 1. If the pair is a right pair then we can recover one bit of information from $K_0$ as follows. A necessary condition for a pair to be a good pair is that
$$\Big(\big((R_0 + K_0 + (R_3 \wedge R_2) + (\neg R_3 \wedge R_1)) \lll 1\big) \wedge e_t\Big) = 0. \qquad (9)$$
Let $B = R_0 + (R_3 \wedge R_2) + (\neg R_3 \wedge R_1)$, which we control via the plaintext. Then we have the following condition for a right pair: the bit of $B + K_0$ that is rotated into position $t$ must be zero, i.e.
$$(B + K_0)_{t-1} = 0, \qquad (10)$$
where the subscript $t-1$ is taken modulo 16. Let $\bar{B}$ denote the quantity derived by setting the top $((16 - t) \bmod 16)$ bits of $B$ to zero, and let $\bar{K}_0$ be derived from $K_0$ in the same way. Since bit $t-1$ of a sum depends only on bits $0, \ldots, t-1$ of the summands, we have that
$$(B + K_0)_{t-1} = 0 \iff (\bar{B} + \bar{K}_0)_{t-1} = 0. \qquad (11)$$

To mount an attack to recover bit $(t-1)$ of $K_0$ for some given $t$, we encrypt plaintext pairs with difference $(0000_x, 0000_x, 0000_x, e_t)$ until we obtain a right pair. Once we have a right pair we observe the value of $\bar{B}$. From this we deduce the value of bit $(t-1)$ in $\bar{B} + \bar{K}_0$ and hence in $K_0$. We then repeat this approach, choosing pairs with different values of $t$, so that information on the subkey $K_0$ is recovered bit by bit. By using different differentials with different values of $t$ (see Table 1) we are able to introduce some error-checking into the attack.² In this way the bits of $K_0$ that we recover can be verified. All recovered bits of $K_0$ have to be correct for the next bit of $K_0$ to be correctly derived. Note that structures [1] can be useful in reducing the plaintext requirements for a differential attack when more than one differential is useful: with $u$ useful differentials we can ask for $2^n$ plaintexts with specifically chosen differences, and from these we derive $2^{n-1}$ plaintext pairs for each of the characteristics.

There remains the issue of detecting when a pair is a good pair. We note that the difference at the start of the final MIXING round has Hamming weight one for a good pair. We might therefore measure the Hamming weight of the ciphertext difference, and if the weight is less than some threshold the pair can be considered a right pair. Depending on the threshold we might accept some wrong pairs as being right pairs, something that would provide a wrong answer for the bit we wish to recover with probability $1/2$. To improve the robustness of the attack one might aim to collect more right pairs. Then the value of the bit suggested most often can be assumed to be the correct value of the key bit we are trying to recover. As a demonstration we provide the success rate for different amounts of plaintext in experiments on eight-round RC2. (There are eight MIXING rounds with MASHING inserted after round five, as occurs in RC2.) A decision on whether a good pair had occurred was made according to whether the Hamming weight of the difference in the ciphertext was less than some threshold. When one value for the key bit had been counted more often than the other by a given margin, that value for the key bit was set. Each entry in the table was computed after 20 experiments.

(Table body not reproduced: the success rate of the key-bit recovery on eight-round RC2 for several Hamming-weight thresholds, counting margins and amounts of plaintext; the recorded success rates lie between 20% and 100%.)

² Not all values of $t$ are available to us because of the two MASHING rounds.

As we previously mentioned, it is differentials and their probabilities that reflect the effectiveness of a differential attack. Whereas a characteristic describes one specific evolution of differences through encryption from a given starting difference, there might well have been other paths through the cipher to the same target difference than the one described by one particular characteristic. With RC2 this leads to a particularly interesting interaction between the MIXING and MASHING rounds.

First we will consider in abstract terms the probability that a one-bit difference in some word $a$ produces a one-bit difference in the word $d$ when we define $b = a + c$ and $d = b + c'$ for unknown constants $c$ and $c'$. One approach might be to consider this as two separate additions and to consider the intermediate word $b$ first. Since a one-bit difference in $a$ produces a one-bit difference in $b$ with probability $1/2$, and a one-bit difference in $b$ provides a one-bit difference in $d = b + c'$ with probability $1/2$, we would say that the characteristic over the two additions has probability $1/4$. However, it would then be misleading to use this characteristic to provide an approximation to the probability of the differential from $a$ to $d$. Instead the probability of the propagation of a one-bit difference from $a$ to $d$ is $1/2$, since $c + c'$ is a fixed value. Consequently the probability of the differential from $a$ to $d$ must also be $1/2$. Recall that the probability of the differential is given by the sum of the probabilities of all the characteristics that satisfy the differential. By looking at two successive additions in isolation we inadvertently restrict our attention to single-bit differences in the intermediate value.

Let $\alpha$, $0 \le \alpha \le n-1$, denote the position of the one-bit difference in $a$. A one-bit difference in $a$ will give a difference in $b$ with Hamming weight $h$ with probability $2^{-h}$ for $1 \le h \le n-\alpha-1$ (the carry must propagate through $h-1$ positions and then stop), and with probability $2^{-n+\alpha+1}$ for $h = n-\alpha$ (the carry runs to the top bit). Since this $h$-bit difference in $b$ was caused by a one-bit difference in the previous step, the $h$-bit difference transforms to a one-bit difference in $d$ by the addition of $c'$ with probability $1/2$. Thus we get
$$\sum_{h=1}^{n-\alpha-1} 2^{-h} \cdot 2^{-1} \;+\; 2^{-n+\alpha+1} \cdot 2^{-1} \qquad (12)$$
$$= 2^{-1}\Big(\sum_{h=1}^{n-\alpha-1} 2^{-h} + 2^{-n+\alpha+1}\Big) = 2^{-1}. \qquad (13)$$

One place where this has an effect is when a MIXING round follows a MASHING round. Each word $R_0, \ldots, R_3$ is modified by a MASH step in turn. At the first subsequent MIX step $R_0$ is modified by means of addition. By looking at the two additions in isolation one under-estimates the probability of the differential. In the analysis of RC2 we need to take account of this effect since it applies to some extent to the MIXING rounds as well as during the transition between MIXING and MASHING rounds. Within the MIXING rounds an intermediate quantity is used as input to a multiplexor function. This reduces the probability that this particular characteristic is followed by a factor of $2^{-h}$ for each multiplexor when the Hamming weight of the difference is $h$. If we denote the number of multiplexing functions between two successive additions by $k$, then (12) can be rewritten as follows:
$$\sum_{h=1}^{n-\alpha-1} 2^{-h} \cdot 2^{-hk} \cdot 2^{-1} \;+\; 2^{-n+\alpha+1} \cdot 2^{-(n-\alpha)k} \cdot 2^{-1} \qquad (14)$$
$$= 2^{-1}\sum_{h=1}^{n-\alpha-1} 2^{-(k+1)h} \;+\; 2^{-(k+1)(n-\alpha)} \qquad (15)$$
$$= 2^{-1}\cdot\frac{2^{-(k+1)}\big(1 - 2^{-(k+1)(n-\alpha-1)}\big)}{1 - 2^{-(k+1)}} \;+\; 2^{-(k+1)(n-\alpha)} \qquad (16)$$
$$\approx \frac{2^{-(k+1)}}{2\big(1 - 2^{-(k+1)}\big)} = \frac{1}{2\,(2^{k+1}-1)}. \qquad (17)$$

The last approximation is reasonable for small $\alpha$ ($\alpha \le n-3$) but would need some correction for larger values of $\alpha$. For $k = 0, 1, 2, 3$, (17) gives $1/2$, $1/6$, $1/14$, $1/30$, which should be compared with the respective probabilities of the characteristics we previously derived: $1/2$, $1/8$, $1/16$, $1/32$. In the case of two consecutive MIXING rounds we have that $k = 3$, and so the probability of a one-bit to one-bit differential across two MIXING rounds is $1/30 \cdot 2^{-3} = 1/240$.

The effect we are discussing here can be extended to a series of additions whereby the intermediate values of interest have differences with a variety of Hamming weights, even though the starting and ending differences have weight one. Consider three consecutive MIXING rounds. Let $a$ be a one-bit difference in the leftmost words of two inputs and let $\alpha$ be the position of that bit, where $0 \le \alpha \le n-1$. Let $d$ be the difference in the leftmost words after three MIXING rounds, and let $h_1$ and $h_2$ denote the Hamming weights of the differences in the leftmost words after one, respectively two, MIXING rounds. Then the probability that $d$ is a one-bit difference can be estimated as follows, where $k = 3$ and where for simplicity we have eliminated the term for $h = n-\alpha$:
$$\sum_{h_1=1}^{n-\alpha-1} \sum_{h_2=1}^{n-\alpha-1} 2^{-h_1} \cdot 2^{-h_1 k} \cdot 2^{-h_2} \cdot 2^{-h_2 k} \cdot 2^{-1} \qquad (18)$$
$$= 2^{-1}\Big(\sum_{h_1=1}^{n-\alpha-1} 2^{-(k+1)h_1}\Big)\Big(\sum_{h_2=1}^{n-\alpha-1} 2^{-(k+1)h_2}\Big) \qquad (19)$$
$$\approx 2^{-1}\Big(\frac{1}{2^{k+1}-1}\Big)^2. \qquad (20)$$

Again the final approximation requires that $\alpha$ is small. For $k = 3$ this is $2^{-1}(1/15)^2$. We can now estimate the probability of the differential over three MIXING rounds by $2^{-1}(1/15)^2 \cdot 1/8 \approx 1/3600$. This extends easily to more rounds, and in general the probability of a differential over $r$ MIXING rounds is $(1/15)^{r-1} \cdot 1/16$. Note that the MASHING rounds can be passed with probability one. For a more accurate assessment a slight correction should be applied for rounds where the difference is close to the most significant bit, but the experimental evidence given below suggests that the expressions derived are reasonable to use. The number of rounds in the table refers to the number of MIXING rounds used. After five MIXING rounds an additional MASHING round is inserted, as occurs when encrypting with RC2. The final column is derived as an average over at least five sets of experiments for each row.

(Table body not reproduced: for numbers of MIXING rounds between 3 and 13, the probability of the characteristic, the estimated probability of the differential and the experimentally observed probability.)

Note that the probability of the differential obtained in this section does not take into account text pairs which have internal differences in more than one word, or are desynchronized. This was observed occasionally during experiments, but cases where differences in more than one word are desynchronized are rare, and we ignored their impact on our estimates.
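The sums (12) to (20) and the closed forms (17) and (20) can be evaluated exactly, and the central claim of this section, that the differential over two additions has probability $1/2$ while the single-bit characteristic through the same two additions has probability $1/4$, can be checked by simulation. The following Python is an added example, not code from the paper. It uses the paper's symbols $n$, $\alpha$, $h$ and $k$; the generalization of (20) to $r$ rounds follows the text's $(1/15)^{r-1}\cdot 1/16$ for $k = 3$ and is written here for arbitrary $k$ as $2^{-1}\,(2^{k+1}-1)^{-(r-1)}\,2^{-k}$; the word size and trial count of the simulation are arbitrary choices.

```python
from fractions import Fraction
import random


def weight_h_prob(n, alpha, h):
    """Probability that a one-bit difference in position alpha of a leaves a + c
    (c unknown) with Hamming weight h: the carry must propagate through h-1
    positions and then stop, 2^-h; if it runs to the top bit (h = n - alpha)
    it cannot be stopped, 2^-(n-alpha-1)."""
    if h == n - alpha:
        return Fraction(1, 2 ** (n - alpha - 1))
    return Fraction(1, 2 ** h)


def differential_two_additions(n, alpha, k=0):
    """Exact value of (14): one-bit difference -> addition -> k multiplexors
    (each costs 2^-h for weight h) -> addition -> one-bit difference (2^-1).
    With k = 0 this is (12)-(13) and equals exactly 1/2."""
    total = Fraction(0)
    for h in range(1, n - alpha + 1):
        total += weight_h_prob(n, alpha, h) * Fraction(1, 2 ** (h * k)) * Fraction(1, 2)
    return total


def approx_two_additions(k):
    """Closed form (17): 1 / (2 (2^(k+1) - 1)), valid for small alpha."""
    return Fraction(1, 2 * (2 ** (k + 1) - 1))


def mixing_rounds_estimate(r, k=3):
    """Differential over r MIXING rounds, generalizing (20): 2^-1 for the final
    addition, 1/(2^(k+1)-1) for each of the r-1 addition-to-addition transitions,
    and 2^-k for the multiplexors after the last addition.  k = 3: (1/15)^(r-1)/16."""
    per_transition = Fraction(1, 2 ** (k + 1) - 1)
    return Fraction(1, 2) * per_transition ** (r - 1) * Fraction(1, 2 ** k)


def characteristic_estimate(r, k=3):
    """Same chain counted as a single-bit characteristic: 2^-1 per addition and
    2^-1 per multiplexor, i.e. 2^-((k+1) r)."""
    return Fraction(1, 2 ** ((k + 1) * r))


def simulate_two_additions(n, alpha, trials=20000, seed=7):
    """Monte Carlo check of the k = 0 case: push e_alpha through d = (a + c) + c'
    with random a, c, c' and return (P[one-bit difference in d],
    P[one-bit difference in both b and d]), i.e. differential vs characteristic."""
    rng = random.Random(seed)
    mask = (1 << n) - 1
    e = 1 << alpha
    diff_hits = char_hits = 0
    for _ in range(trials):
        a, c, c2 = (rng.randrange(1 << n) for _ in range(3))
        b, b2 = (a + c) & mask, ((a ^ e) + c) & mask
        d, d2 = (b + c2) & mask, (b2 + c2) & mask
        one_bit_d = bin(d ^ d2).count("1") == 1
        diff_hits += one_bit_d
        char_hits += one_bit_d and bin(b ^ b2).count("1") == 1
    return diff_hits / trials, char_hits / trials


if __name__ == "__main__":
    for k in range(4):
        print(f"k={k}: exact {float(differential_two_additions(16, 0, k)):.5f}"
              f"  (17) {approx_two_additions(k)}  characteristic {Fraction(1, 2 ** (k + 1))}")
    for r in (2, 3, 8, 16):
        print(f"r={r}: differential {mixing_rounds_estimate(r)}  characteristic {characteristic_estimate(r)}")
    print("simulation (differential, characteristic):", simulate_two_additions(16, 3))
```

For $k = 3$ the exact sum with $n = 16$ agrees with $1/30$ to within $2^{-60}$, and the simulation returns roughly $0.50$ for the differential against roughly $0.25$ for the characteristic, which is the under-count the text warns about.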

We arrive at the following estimates for the data required to recover information about the subkey $K_0$. Once this subkey word has been recovered the attack is repeated on what would now be a reduced version of RC2. When we take into account the key-recovery techniques described above, we estimate that a differential attack on RC2 with $r$ MIXING rounds (including the MASHING rounds) requires at most $2^{\ldots}$ chosen plaintexts. An attack on RC2 with 16 MIXING rounds requires use of a differential with probability at least $2^{-\ldots}$ (at least, since we have not yet accounted for such phenomena as one-bit differences in the most significant bit at a MIXING round). In this regard RC2 with 16 MIXING rounds compares favorably to DES ($2^{47}$ pairs [1]) and to 12-round RC5 [3]. It is fair to observe, however, that RC2 is not a fast cipher, and an optimized version of DES and 12-round RC5 are both likely to be faster than RC2.

Linear cryptanalysis has provided the best theoretical attack on DES in terms of data requirements [9]. However, its usefulness on other ciphers is often limited. The aim of such an attack is to relate bits of the plaintext and ciphertext to bits of the key via a linear equation which holds with some probability $p$. Such an approximation can generally be used to provide an estimate for one bit of the key, and more advanced techniques are available to extract more key information [9]. If an approximation holds with probability $p$ then the important quantity for the cryptanalyst is the absolute value of the bias of the approximation, $|\epsilon| = |p - 1/2|$. Typically the data required to use such an approximation is given by $c \cdot |\epsilon|^{-2}$ known plaintexts for some small constant $c$ [9].

The MIX step in RC2 is $R_0 = R_0 + K_j + (R_3 \wedge R_2) + (\neg R_3 \wedge R_1)$. Across integer addition the best linear approximation involves the least significant bit of each quantity and will hold with probability one. The multiplexor function $(R_3 \wedge R_2) + (\neg R_3 \wedge R_1)$ has linear approximations of varying usefulness. The absolute value of the highest non-trivial bias is $1/4$ when averaged over all plaintexts. In a slight abuse of notation we will consider 16-bit words as vectors in $\mathbb{Z}_2^{16}$, and we will use a 16-bit quantity $\Gamma$ to indicate the bits of the data $R$ to use in a linear approximation. This is most conveniently described by means of the scalar product of two vectors. Thus the $\{0,1\}$-vector $\Gamma$ will be used to denote the specific bits of $R$ to use in an approximation, and $\Gamma \cdot R$ is the value of these bits combined using exclusive-or. Useful linear approximations across the multiplexor $F$ are of the form
$$\Gamma \cdot F = \Gamma \cdot R_1, \qquad \Gamma \cdot F = \Gamma \cdot R_1 \oplus \Gamma \cdot R_3, \qquad \Gamma \cdot F = \Gamma \cdot R_2, \qquad \Gamma \cdot F = \Gamma \cdot R_2 \oplus \Gamma \cdot R_3,$$
where $wt(\Gamma) = 1$. More generally, approximations to the multiplexor function with non-zero bias have the form
$$\Gamma \cdot F = \alpha \cdot R_1 \oplus \beta \cdot R_2 \oplus \gamma \cdot R_3, \qquad (21)$$
where $\Gamma$ is the bitwise inclusive-or of $\alpha$ and $\beta$, and $\gamma$ is either $0$ or consists of ones in positions where either $\alpha$ or $\beta$ have ones. The greater the value of $wt(\gamma)$, the lower the absolute value of the bias of the approximation. The following approximation to the first MIX step (which includes the cyclic swap of the words) might be useful:
$$e_{s_0} \cdot R_3^{\mathrm{new}} = e_0 \cdot R_0 \oplus e_0 \cdot K_0 \oplus e_0 \cdot R_2.$$
This has a bias of absolute value $1/4$. The following steps require no approximation, and there appears to be no better non-trivial linear approximation for a complete MIXING round. We might illustrate this approximation in the following way.

(Figure: the masks on $R_0, R_1, R_2, R_3$ before and after each of the four steps of the first MIXING round; $|\epsilon| = 1/4$ at the first step and $1/2$, i.e. no approximation, at the remaining three.)

On continuing this approximation into the next MIXING round we would be forced to approximate a bit of $R_0$. An integer addition involves the subkey word, and depending on this value the bias of the approximation will vary.⁴ The second integer addition involves the output from the multiplexor function. By the conditions given above this approximation must involve $R_2$, and we can construct the following approximations for the second and third MIXING rounds. Here we assume that the bias of the approximation across the multiplexor function is at most $1/4$. Similarly we assume that the bias of the approximation across the integer addition is at most $1/4$. This occurs in approximating steps 1 and 3, and the value of $|\epsilon|$ is given for those steps individually.

(Figure: the masks on $R_0, \ldots, R_3$ through the four steps of the second MIXING round; $|\epsilon| = 1/8$ for steps 1 and 3 and $1/2$ for the other two steps.)

⁴ The typical way to measure the effectiveness of linear cryptanalysis is to appeal to the so-called piling-up lemma [8]. By doing this we are able to estimate biases, though the whole issue of key dependence is rarely addressed.

of $\epsilon \approx 2^{-2} \cdot 2^{-3} \cdot 2^{-3} \cdot 2^{2} = 2^{-6}$ for our approximation to the first two MIXING rounds of RC2. In the case of RC2, however, routine use of the piling-up lemma can lead to misleading results. As an example, suppose that the two subkeys used in steps one and three of round two are zero. In isolation the approximation to step one ($A_1$, say) holds with probability $5/8$. In step three we find that the second approximation ($A_2$, say) involves bits that previously determined whether $A_1$ held. Analysis shows that the probability that $A_2$ holds given that $A_1$ held is $13/20$, and not $5/8$ as when $A_2$ is considered in isolation. Furthermore, the probability that $A_2$ does not hold when $A_1$ does not hold is $5/12$ instead of $3/8$. So when the two approximations are combined, the probability that the combined approximation to round two holds is $(5/8 \cdot 13/20) + (3/8 \cdot 5/12) = 9/16$, which leads to a bias of $1/16$. This is greater than the $1/32$ predicted by use of the piling-up lemma. Much of the complicated interaction between the two approximations is due to the role of addition in the cipher. As an example, if we suppose that approximation $A_1$ holds then it can be shown that the probability that the least significant bit of $R_2$ is equal to zero is $11/20$. Since this bit plays a pivotal role in determining whether $A_2$ holds, it is no surprise that the piling-up lemma gives misleading results.

For the user of RC2 there is circumstantial evidence that linear cryptanalysis is unlikely to pose a threat to RC2. Such attacks appear to be ineffective for ciphers that mix integer addition and bitwise operations unless the approximation can be limited to the least significant bits across an addition [6]. Such a restriction appears unlikely, as an extension of the current approximation into the third MIXING round illustrates.

(Figure: the masks on $R_0, \ldots, R_3$ through the four steps of the third MIXING round, with step biases $|\epsilon|$ of $1/16$, $1/2$, $1/128$ and $1/2$.)

Nevertheless there are complex interactions between the individual steps of RC2, and these often provide unintuitive results. In particular we have discovered cases where adding a non-trivial approximation to an existing approximation actually boosts the absolute value of the bias. (Such an example can be found in step 3 above when the subkeys in all rounds are set to zero.) Under such circumstances the true effectiveness of linear cryptanalysis in attacking RC2 has to remain an open problem.

In this paper we have described the block cipher RC2. While the cipher is perhaps slower than other alternatives available today, it does appear to offer effective resistance to differential cryptanalysis. Our attempts to apply linear cryptanalysis to RC2 have provided some intriguing insights but are as yet insufficient to determine the actual resistance of RC2 to linear cryptanalysis; this remains an open problem. It is important that RC2 continues to come under close scrutiny from the cryptanalytic community.


References

1. E. Biham and A. Shamir. Differential Cryptanalysis of the Data Encryption Standard. Springer-Verlag, New York, 1993.
2. J. Borst, L.R. Knudsen and V. Rijmen. Two attacks on reduced IDEA. In W. Fumy, editor, Advances in Cryptology, Eurocrypt '97, volume 1233 of Lecture Notes in Computer Science, pages 1–13, 1997. Springer-Verlag.
3. A. Biryukov and E. Kushilevitz. Improved cryptanalysis of RC5. Preprint.
4. M. Blaze and B. Schneier. The MacGuffin block cipher algorithm. In B. Preneel, editor, Fast Software Encryption, volume 1008 of Lecture Notes in Computer Science, pages 97–110, 1995. Springer-Verlag.
5. S. Dusse, P. Hoffman, B. Ramsdell, L. Lundblade and L. Repka. S/MIME Message Specification. September 1997. Available from http://www.imc.org/draft-dusse-smime-msg.
6. B.S. Kaliski Jr. and Y.L. Yin. On differential and linear cryptanalysis of the RC5 encryption algorithm. In D. Coppersmith, editor, Advances in Cryptology, Crypto '95, volume 963 of Lecture Notes in Computer Science, pages 171–184, 1995. Springer-Verlag.
7. L.R. Knudsen and W. Meier. Improved differential attacks on RC5. In N. Koblitz, editor, Advances in Cryptology, Crypto '96, volume 1109 of Lecture Notes in Computer Science, pages 216–228, 1996. Springer-Verlag.
8. M. Matsui. Linear cryptanalysis method for DES cipher. In T. Helleseth, editor, Advances in Cryptology, Eurocrypt '93, volume 765 of Lecture Notes in Computer Science, pages 386–397, 1994. Springer-Verlag.
9. M. Matsui. The first experimental cryptanalysis of the Data Encryption Standard. In Y. Desmedt, editor, Advances in Cryptology, Crypto '94, volume 839 of Lecture Notes in Computer Science, pages 1–11, 1994. Springer-Verlag.
10. X. Lai, J.L. Massey and S. Murphy. Markov ciphers and differential cryptanalysis. In D.W. Davies, editor, Advances in Cryptology, Eurocrypt '91, volume 547 of Lecture Notes in Computer Science, pages 17–38, 1991. Springer-Verlag.
11. National Institute of Standards and Technology (NIST). FIPS Publication 46-2: Data Encryption Standard. December 30, 1993.
12. R.L. Rivest. A description of the RC2 encryption algorithm. File draft-rivest-rc2desc-00.txt, available from ftp://ftp.ietf.org/internet-drafts/.
13. R.L. Rivest. The MD4 message digest algorithm. In A.J. Menezes and S.A. Vanstone, editors, Advances in Cryptology, Crypto '90, volume 537 of Lecture Notes in Computer Science, pages 303–311, 1991. Springer-Verlag.
14. R.L. Rivest. The RC5 encryption algorithm. In B. Preneel, editor, Fast Software Encryption, volume 1008 of Lecture Notes in Computer Science, pages 86–96, 1995. Springer-Verlag.

A. The PITABLE

The substitution table used in the key expansion is the PITABLE. The entry in row a* and column *b below is PITABLE[ab], all values in hexadecimal.

        *0 *1 *2 *3 *4 *5 *6 *7 *8 *9 *a *b *c *d *e *f
    0*  d9 78 f9 c4 19 dd b5 ed 28 e9 fd 79 4a a0 d8 9d
    1*  c6 7e 37 83 2b 76 53 8e 62 4c 64 88 44 8b fb a2
    2*  17 9a 59 f5 87 b3 4f 13 61 45 6d 8d 09 81 7d 32
    3*  bd 8f 40 eb 86 b7 7b 0b f0 95 21 22 5c 6b 4e 82
    4*  54 d6 65 93 ce 60 b2 1c 73 56 c0 14 a7 8c f1 dc
    5*  12 75 ca 1f 3b be e4 d1 42 3d d4 30 a3 3c b6 26
    6*  6f bf 0e da 46 69 07 57 27 f2 1d 9b bc 94 43 03
    7*  f8 11 c7 f6 90 ef 3e e7 06 c3 d5 2f c8 66 1e d7
    8*  08 e8 ea de 80 52 ee f7 84 aa 72 ac 35 4d 6a 2a
    9*  96 1a d2 71 5a 15 49 74 4b 9f d0 5e 04 18 a4 ec
    a*  c2 e0 41 6e 0f 51 cb cc 24 91 af 50 a1 f4 70 39
    b*  99 7c 3a 85 23 b8 b4 7a fc 02 36 5b 25 55 97 31
    c*  2d 5d fa 98 e3 8a 92 ae 05 df 29 10 67 6c ba c9
    d*  d3 00 e6 cf e1 9e a8 2c 63 16 01 3f 58 e2 89 a9
    e*  0d 38 34 1b ab 33 ff b0 bb 48 0c 5f b9 b1 cd 2e
    f*  c5 f3 db 47 e5 a5 9c 77 0a a6 20 68 fe 7f c1 ad

B. Test vectors

Keys, plaintexts and ciphertexts are given in hexadecimal as byte strings; T1 is the effective key length in bits.

    Key                                                                  T1   Plaintext          Ciphertext
    0000000000000000                                                     63   0000000000000000   ebb773f993278eff
    ffffffffffffffff                                                     64   ffffffffffffffff   278b27e42e2f0d49
    3000000000000000                                                     64   1000000000000001   30649edf9be7d2c2
    88                                                                   64   0000000000000000   61a8a244adacccf0
    88bca90e90875a                                                       64   0000000000000000   6ccf4308974c267f
    88bca90e90875a7f0f79c384627bafb2                                     64   0000000000000000   1a807d272bbe5db1
    88bca90e90875a7f0f79c384627bafb2                                    128   0000000000000000   2269552ab0f85ca6
    88bca90e90875a7f0f79c384627bafb216f80a6f85920584c42fceb0be255daf1e  129   0000000000000000   5b78d3a43dfff1f1
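A complete RC2 implementation that reproduces the test vectors of Appendix B is given below as an added example; it is not code from the paper or from RSA. The PITABLE is the one in Appendix A. The key expansion (the 128-byte buffer, the effective-key-length parameters T8 and TM, and the forward and backward passes through the PITABLE) and the placement of the two MASHING rounds after the fifth and eleventh MIXING rounds follow the RC2 description draft cited as [12]; those details are taken from that document rather than from this paper's text, and little-endian word order is assumed for both key and data, as in that draft.

```python
MASK = 0xFFFF
ROT = (1, 2, 3, 5)

# PITABLE from Appendix A, row by row (row 0* first).
PITABLE = bytes.fromhex(
    "d978f9c419ddb5ed28e9fd794aa0d89d"
    "c67e37832b76538e624c6488448bfba2"
    "179a59f587b34f1361456d8d09817d32"
    "bd8f40eb86b77b0bf09521225c6b4e82"
    "54d66593ce60b21c7356c014a78cf1dc"
    "1275ca1f3bbee4d1423dd430a33cb626"
    "6fbf0eda4669075727f21d9bbc944303"
    "f811c7f690ef3ee706c3d52fc8661ed7"
    "08e8eade8052eef784aa72ac354d6a2a"
    "961ad2715a1549744b9fd05e0418a4ec"
    "c2e0416e0f51cbcc2491af50a1f47039"
    "997c3a8523b8b47afc02365b25559731"
    "2d5dfa98e38a92ae05df2910676cbac9"
    "d300e6cfe19ea82c6316013f58e289a9"
    "0d38341bab33ffb0bb480c5fb9b1cd2e"
    "c5f3db47e5a59c770aa62068fe7fc1ad"
)


def rol16(x, s):
    return ((x << s) | (x >> (16 - s))) & MASK


def ror16(x, s):
    return rol16(x, 16 - s)


def rc2_key_schedule(key, effective_bits):
    """Expand a 1..128 byte key into the 64 subkey words K[0..63] (draft [12])."""
    T = len(key)
    T8 = (effective_bits + 7) // 8
    TM = 255 % (1 << (8 + effective_bits - 8 * T8))
    L = bytearray(128)
    L[:T] = key
    for i in range(T, 128):                       # forward pass through the PITABLE
        L[i] = PITABLE[(L[i - 1] + L[i - T]) & 0xFF]
    L[128 - T8] = PITABLE[L[128 - T8] & TM]       # reduce to the effective key length
    for i in range(127 - T8, -1, -1):             # backward pass
        L[i] = PITABLE[L[i + 1] ^ L[i + T8]]
    return [L[2 * i] | (L[2 * i + 1] << 8) for i in range(64)]


def rc2_encrypt_block(block, K):
    """16 MIXING rounds with a MASHING round after rounds 5 and 11."""
    R = [block[2 * i] | (block[2 * i + 1] << 8) for i in range(4)]
    j = 0
    for rnd in range(16):
        for i in range(4):                        # MIX: R[i] += K[j] + mux(R[i-1]; R[i-2], R[i-3])
            R[i] = rol16((R[i] + K[j] + (R[i - 1] & R[i - 2]) + ((~R[i - 1]) & R[i - 3])) & MASK, ROT[i])
            j += 1
        if rnd in (4, 10):                        # MASH: R[i] += K[R[i-1] & 63]
            for i in range(4):
                R[i] = (R[i] + K[R[i - 1] & 0x3F]) & MASK
    return b"".join(bytes((w & 0xFF, w >> 8)) for w in R)


def rc2_decrypt_block(block, K):
    """Inverse of rc2_encrypt_block: undo the rounds in reverse order."""
    R = [block[2 * i] | (block[2 * i + 1] << 8) for i in range(4)]
    j = 63
    for rnd in range(15, -1, -1):
        if rnd in (4, 10):                        # r-MASH, last word first
            for i in range(3, -1, -1):
                R[i] = (R[i] - K[R[i - 1] & 0x3F]) & MASK
        for i in range(3, -1, -1):                # r-MIX
            R[i] = ror16(R[i], ROT[i])
            R[i] = (R[i] - K[j] - (R[i - 1] & R[i - 2]) - ((~R[i - 1]) & R[i - 3])) & MASK
            j -= 1
    return b"".join(bytes((w & 0xFF, w >> 8)) for w in R)


def rc2_encrypt(key_hex, effective_bits, plaintext_hex):
    """Convenience wrapper returning the ciphertext as a hex string."""
    K = rc2_key_schedule(bytes.fromhex(key_hex), effective_bits)
    return rc2_encrypt_block(bytes.fromhex(plaintext_hex), K).hex()


if __name__ == "__main__":
    print(rc2_encrypt("0000000000000000", 63, "0000000000000000"))   # ebb773f993278eff
    print(rc2_encrypt("88bca90e90875a7f0f79c384627bafb2", 128, "0000000000000000"))
```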

Serpent: A New Block Cipher Proposal

Ross Anderson (Cambridge University, England), Eli Biham (Technion, Haifa, Israel) and Lars Knudsen (University of Bergen, Norway)

Abstract. We propose a new block cipher as a candidate for the Advanced Encryption Standard. Its design is highly conservative, yet still allows a very efficient implementation. It uses the well understood S-boxes of DES in a new structure that simultaneously allows a more rapid avalanche, a more efficient bitslice implementation, and an easy analysis that enables us to demonstrate its security against all known types of attack. With a 128-bit block size and a 256-bit key, it is as fast as DES on a wide range of platforms, yet we conjecture it to be at least as secure as three-key triple-DES.

For many applications, the Data Encryption Standard algorithm is nearing the end of its useful life. Its 56-bit key is too small, as shown by a recent distributed key search exercise [1]. Although triple-DES can solve the key length problem, the DES algorithm was also designed primarily for hardware encryption, yet the great majority of applications that use it today implement it in software, where it is relatively inefficient. For these reasons, the US National Institute of Standards and Technology has issued a call for a successor algorithm, to be called the Advanced Encryption Standard or AES. The essential requirement is that AES should be both faster and more secure than triple DES; specifically, it should have a 128 bit block length and a key length of 256 bits (though keys of 128 and 192 bits must also be supported).

In this paper, we present a candidate for AES. Our design philosophy has been highly conservative; we did not feel it appropriate to use novel and untested ideas in a cipher which, if accepted after a short review period, will be used to protect enormous volumes of financial transactions, health records and government information over a period of decades. We therefore decided to use the S-boxes from DES, which have been subjected to intense study over many years and whose properties are thus well understood, in a new structure which is optimized for efficient implementation on modern processors while simultaneously allowing us to apply the extensive analysis already done on DES. As a result, we can show that our design resists all known attacks, including those based on both differential [7] and linear techniques.


We propose several variants of the cipher, which we have tentatively named Serpent. The primary variant is a 32-round cipher which we believe to be as secure as three-key triple DES but which is only slightly slower than DES when implemented on a Pentium (in some assembly language versions it may be faster than DES). It is an SP-network operating on four 32-bit words, thus giving a block size of 128 bits. The additional variants have increased block sizes. The block size can be doubled to 256 bits, either by increasing the word size from 32 to 64 bits (which will be well suited to the new generation of 64-bit processors), or by using the round function in a Feistel construction. These two variants can be combined to give a cipher with 512-bit blocks. At this stage, all the variants are still tentative. We are still working on improvements and analysis. As usual in this field, we encourage interested parties to analyze the cipher, inform us of any weakness, and pass on any remarks or suggestions for improvements.

All values used in the ciphers are represented in little-endian, including the bit order (0 ... 31 in 32-bit words, or 0 ... 127 in the full 128-bit blocks) and the order of words in the block. Thus bit 0 is the least significant bit and word 0 is the least significant word. The notation is important, as there are two equivalent representations of Serpent, a standard representation and its bitslice representation.

The Cipher

The main variant of our cipher encrypts a 128-bit plaintext $P$ to a 128-bit ciphertext $C$ in $r$ rounds under the control of $r+1$ 128-bit subkeys $K_0, \ldots, K_r$. (We have chosen $r = 32$ as the default and will henceforth replace $r$ by 32 in order to make the description of the cipher more readable.) The cipher is an SP-network and consists of: an initial permutation $IP$; 32 rounds, each consisting of a key mixing operation, a pass through S-boxes, and (in all but the last round) a linear transformation, where in the last round this linear transformation is replaced by an additional key mixing operation; and a final permutation $FP$.

The initial and final permutations do not have any cryptographic significance. They are used to simplify an optimized implementation of the cipher, which is described in the next section, and to improve its computational efficiency. Both these two permutations and the linear transformation are specified in the appendix; their design principles will become clear in the next section. We use the following notation. The initial permutation $IP$ is applied to the plaintext $P$ giving $B_0$, which is the input to the first round. The rounds are numbered from 0 to 31, where the first round is round 0 and the last is round 31. The output of the first round (round 0) is $B_1$, the output of the second round (round 1) is $B_2$, the output of round $i$ is $B_{i+1}$, and so on, until the output of the

R. Anderson, E. Biham, L. Knudsen

last round (in which the linear transformation is replaced by an additional key mixing) is denoted by $B_{32}$. The final permutation $FP$ is now applied to give the ciphertext $C$.

Each round function $R_i$ ($i \in \{0, \ldots, 31\}$) uses only a single replicated S-box. For example, $R_0$ uses $S_0$, 32 copies of which are applied in parallel. Thus the first copy of $S_0$ takes bits 0, 1, 2 and 3 of $B_0 \oplus K_0$ as its input and returns as output the first four bits of an intermediate vector; the next copy of $S_0$ inputs bits 4–7 of $B_0 \oplus K_0$ and returns the next four bits of the intermediate vector, and so on. The intermediate vector is then transformed using the linear transformation, giving $B_1$. Similarly, $R_1$ uses 32 copies of $S_1$ in parallel on $B_1 \oplus K_1$ and transforms their output using the linear transformation, giving $B_2$. In the last round $R_{31}$, we apply $S_{31}$ on $B_{31} \oplus K_{31}$, and XOR the result with $K_{32}$ rather than applying the linear transformation. The result $B_{32}$ is then permuted by $FP$, giving the ciphertext. Thus the 32 rounds use 32 different S-boxes, each of which maps four input bits to four output bits. Each S-box is used in only one round, in which it is used 32 times in parallel. The 32 S-boxes are chosen as the 32 separate lines of the eight DES S-boxes; thus our $S_0$ (used in round 0) is the first line of the DES $S1$, our $S_1$ (used in round 1) is the second line of the DES $S1$, our $S_4$ (used in round 4) is the first line of the DES $S2$, and so on. As with DES, the initial permutation is the inverse of the final permutation. Thus the cipher may be formally described by the following equations:
$$B_0 = IP(P), \qquad B_{i+1} = R_i(B_i), \qquad C = FP(B_{32}),$$
where
$$R_i(X) = L(\hat{S}_i(X \oplus K_i)) \quad i = 0, \ldots, 30, \qquad R_i(X) = \hat{S}_i(X \oplus K_i) \oplus K_{i+1} \quad i = 31,$$
where $\hat{S}_i$ is the application of the S-box $S_i$ 32 times in parallel, and $L$ is the linear transformation. Although each round of the proposed cipher might seem weaker than a round of DES, we shall see below that their combination overcomes the weakness. The greater speed of each round and the increased number of rounds make the cipher both almost as fast as DES and much more secure.

Decryption is different from encryption in that the inverse of the S-boxes must be used, as well as the inverse linear transformation and reverse order of the subkeys.


Much of the motivation for the above design will become clear as we consider how to implement the algorithm efficiently. We do this in its bitslice mode. For a full description of a bitslice implementation of DES, see [9]; the basic idea is that just as one can use a 1-bit processor to implement an algorithm such as DES by executing a hardware description of it, using a logical instruction to emulate each gate, so one can also use a 32-bit processor to compute 32 different blocks in parallel, in effect using the Pentium as a 32-way SIMD machine. This is much more efficient than the conventional implementation, in which a 32-bit processor is mostly idle as it computes operations on 6 bits, 4 bits or even single bits. The bitslice approach was used in the recent successful DES key search, in which spare cycles from thousands of machines were volunteered to solve a challenge posed by RSA. However, the problem with using bitslice techniques for encryption (as opposed to keysearch) is that one has to process many blocks in parallel, and although special modes of operation can be designed for this, they are not the modes in common use. Our cipher has therefore been designed so that all operations can be executed using 32-fold parallelism during the encryption or decryption of a single block.

The bitslice description of the algorithm is much simpler than its conventional description. No initial and final permutations are required, since the initial and final permutations described in the standard implementation above are just the conversions of the data from and to the bitslice representation. We will now present an equivalent description of the algorithm for bitslice implementation. The cipher consists simply of 32 rounds. The plaintext becomes the first intermediate data $\hat{B}_0 = P$, after which the 32 rounds are applied, where each round $i \in \{0, \ldots, 31\}$ consists of three operations:

1. Key Mixing: At each round, a 128-bit subkey $\hat{K}_i$ is exclusive or'ed with the current intermediate data $\hat{B}_i$.
2. S-Boxes: The 128-bit combination of input and key is considered as four 32-bit words. The S-box, which is implemented as a sequence of logical operations (as it would be in hardware), is applied to these four words, and the result is four output words. The CPU is thus employed to execute the 32 copies of the S-box simultaneously, resulting in $\hat{S}_i(\hat{B}_i \oplus \hat{K}_i)$.
3. Linear Transformation: The 32 bits in each of the output words are linearly mixed, by
$$X_0, X_1, X_2, X_3 := \hat{S}_i(\hat{B}_i \oplus \hat{K}_i)$$
$$X_0 := X_0 \lll 13$$
$$X_2 := X_2 \lll 3$$
$$X_1 := X_1 \oplus X_0 \oplus X_2$$
$$X_3 := X_3 \oplus X_2 \oplus (X_0 \ll 3)$$
$$X_1 := X_1 \lll 1$$
$$X_3 := X_3 \lll 7$$
$$X_0 := X_0 \oplus X_1 \oplus X_3$$
$$X_2 := X_2 \oplus X_3 \oplus (X_1 \ll 7)$$
$$X_0 := X_0 \lll 5$$
$$X_2 := X_2 \lll 22$$
$$\hat{B}_{i+1} := X_0, X_1, X_2, X_3$$
where $\lll$ denotes rotation and $\ll$ denotes shift. In the last round, this linear transformation is replaced by an additional key mixing: $\hat{B}_{32} := \hat{S}_{31}(\hat{B}_{31} \oplus \hat{K}_{31}) \oplus \hat{K}_{32}$. Note that at each stage $\hat{B}_i = IP(B_i)$ and $\hat{K}_i = IP(K_i)$.

The first reason for the choice of linear transformation is to maximize the avalanche effect. The S-boxes have the property that a single input bit change will cause two output bits to change; as the difference sets of $\{1, 3, 5, 7, 13\}$ modulo 32 have no common member (except one), it follows that a single input bit change will cause a maximal number of bit changes after two and more rounds. That is, each plaintext bit and each round key bit affects all the bits after three rounds. Even if an opponent chooses some subkeys and works backwards, it is still the case that each key bit affects each data bit over six rounds. (Some historical information on the design of the above linear transformation is given in the appendix.)

The second reason is that it is simple and can be used in a pipelined processor with a minimum number of pipeline stalls. The third reason is that it was analyzed by programs we developed for investigating block ciphers, and we found bounds on the probabilities of the differential and linear characteristics. These bounds show that this choice suits our needs, although we would like to improve on it. So we are still considering other, simpler choices for the linear transformation. One possibility is to adopt an LFSR-like transform of the form $X_i := X_i \oplus \mathit{ROL}(X_{i-1}, s_i)$ for $i = 1, \ldots, 6$, where the four data words are $X_0, \ldots, X_3$, the indices of $X$ are taken modulo 4 and the $s_i$'s are fixed. The problems with such schemes are that they are hard to pipeline and that every characteristic can be rotated in all its words and still remain with the same probability. We are still working on other possible linear transformations.

The Key Schedule

As with the description of the cipher, we can describe the key schedule in either standard or bitslice mode. For reasons of space we will give the substantive description for the latter case. Our cipher requires 132 32-bit words of key material. We first expand the user-supplied 256-bit key K to 33 128-bit subkeys K_0, ..., K_32 in the following way. We write the key K as eight 32-bit words w_{-8}, ..., w_{-1} and expand these to an intermediate key (which we call prekey) w_0, ..., w_131 by the following affine recurrence:

  w_i := (w_{i-8} ⊕ w_{i-5} ⊕ w_{i-3} ⊕ w_{i-1} ⊕ φ ⊕ i) <<< 11

where φ is the fractional part of the golden ratio (√5 + 1)/2, or 0x9E3779B9 in hexadecimal. The underlying polynomial x^8 + x^7 + x^5 + x^3 + 1 is primitive, which together with the addition of the round index is chosen to ensure an even distribution of key bits throughout the rounds, and to eliminate weak keys and related keys. The round keys are now calculated from the prekeys using the S-boxes, again in bitslice mode. The S-box inputs and outputs are taken at a distance of 33 words apart, in order to minimize the key leakage in the event of a differential attack on the last few rounds of the cipher. We use the S-boxes to transform the prekeys w_i into words k_i of round key by dividing the vector of prekeys into four sections and transforming the i'th words of each of the four sections using S_{(3-i) mod 32} (and simply, for the default case, S_3), as follows:

  {k_0, k_33, k_66, k_99}   := S_3(w_0, w_33, w_66, w_99)
  {k_1, k_34, k_67, k_100}  := S_2(w_1, w_34, w_67, w_100)
  ...
  {k_i, k_{i+33}, k_{i+66}, k_{i+99}} := S_{(3-i) mod 32}(w_i, w_{i+33}, w_{i+66}, w_{i+99})

We then renumber the 32-bit values k_j as 128-bit subkeys K_i (for i = 0, ..., 32) as follows:

  K_i := {k_{4i}, k_{4i+1}, k_{4i+2}, k_{4i+3}}   (1)

Where we are implementing the algorithm in the form initially described above, rather than using bitslice operations, we now apply IP to the round key in order to place the key bits in the correct column, i.e. K̂_i := IP(K_i).
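The linear transformation and the affine prekey recurrence are specified completely by the text above, so they can be exercised directly. The following is an added example, not code from the Serpent authors: it implements the 32-bit word operations, the linear transformation L and its inverse, the prekey recurrence and its inversion, and a diffusion check on L. The S-box pass that turns prekeys into round keys is left out (it needs the S-box tables); the helper names rotl32, expand_prekeys, recover_user_key and single_bit_diffusion are mine, and the 256-bit key used with them is constructed.

```python
PHI = 0x9E3779B9   # fractional part of the golden ratio, as given in the text
MASK32 = 0xFFFFFFFF


def rotl32(x, r):
    """Rotate a 32-bit word left by r (the '<<<' of the text)."""
    return ((x << r) | (x >> (32 - r))) & MASK32


def rotr32(x, r):
    return rotl32(x, 32 - r)


def shl32(x, r):
    """Plain shift (the '<<' of the text): high bits are discarded."""
    return (x << r) & MASK32


def linear_transform(X):
    """The ten steps of L on the four 32-bit words (X0, X1, X2, X3)."""
    X0, X1, X2, X3 = X
    X0 = rotl32(X0, 13)
    X2 = rotl32(X2, 3)
    X1 = X1 ^ X0 ^ X2
    X3 = X3 ^ X2 ^ shl32(X0, 3)
    X1 = rotl32(X1, 1)
    X3 = rotl32(X3, 7)
    X0 = X0 ^ X1 ^ X3
    X2 = X2 ^ X3 ^ shl32(X1, 7)
    X0 = rotl32(X0, 5)
    X2 = rotl32(X2, 22)
    return (X0, X1, X2, X3)


def inverse_linear_transform(X):
    """Undo the steps of L in reverse order (needed for decryption)."""
    X0, X1, X2, X3 = X
    X2 = rotr32(X2, 22)
    X0 = rotr32(X0, 5)
    X2 = X2 ^ X3 ^ shl32(X1, 7)
    X0 = X0 ^ X1 ^ X3
    X3 = rotr32(X3, 7)
    X1 = rotr32(X1, 1)
    X3 = X3 ^ X2 ^ shl32(X0, 3)
    X1 = X1 ^ X0 ^ X2
    X2 = rotr32(X2, 3)
    X0 = rotr32(X0, 13)
    return (X0, X1, X2, X3)


def expand_prekeys(user_key_words, count=132):
    """w_{-8..-1} are the eight 32-bit words of the 256-bit user key;
    w_0 .. w_{count-1} follow from the affine recurrence of the text."""
    assert len(user_key_words) == 8
    w = {i - 8: user_key_words[i] & MASK32 for i in range(8)}
    for i in range(count):
        w[i] = rotl32(w[i - 8] ^ w[i - 5] ^ w[i - 3] ^ w[i - 1] ^ PHI ^ i, 11)
    return [w[i] for i in range(count)]


def recover_user_key(prekeys):
    """The recurrence is affine and invertible: w_{i-8} is determined by
    w_i, w_{i-5}, w_{i-3}, w_{i-1}, so eight consecutive prekeys give the
    user key back. This is the leakage the S-box pass is there to stop."""
    w = {i: prekeys[i] for i in range(8)}
    for i in range(7, -1, -1):
        w[i - 8] = rotr32(w[i], 11) ^ w[i - 5] ^ w[i - 3] ^ w[i - 1] ^ PHI ^ i
    return [w[i] for i in range(-8, 0)]


def single_bit_diffusion():
    """L is XOR-linear, so the output difference caused by a one-bit input
    difference is L applied to that single bit. Returns the (min, max)
    Hamming weight over all 128 single-bit input differences."""
    weights = []
    for word in range(4):
        for bit in range(32):
            delta = [0, 0, 0, 0]
            delta[word] = 1 << bit
            out = linear_transform(tuple(delta))
            weights.append(sum(bin(x).count("1") for x in out))
    return min(weights), max(weights)
```

The weakest single-bit input to L is a high bit of X1: it reaches X0 and X1 only, because the (X1 << 7) shift discards it before it reaches X2. That is why the text counts on the S-boxes (two output bits per changed input bit) as well as L for avalanche.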

As mentioned above, the differential and linear properties of the S-boxes are well understood. Our preliminary estimates indicate that the number of known/chosen plaintexts required for either type of attack would exceed 2^128 (they are certainly well over 2^…, and we are working on more accurate bounds). There is thus no indication of any useful shortcut attack; we believe that such an attack would require a new theoretical breakthrough. In any case it should be noted that, regardless of the design of a 128-bit block cipher, it is normally prudent to change keys well before 2^64 blocks have been encrypted, in order to avoid the collision attack of the Matching Ciphertext section below. This would easily prevent all known shortcut attacks.


Security Analysis

We designed the cipher with a view to reducing or avoiding vulnerabilities arising from the following possible weaknesses and attacks. In our analysis we used conservative bounds, to enable our claims to resist reasonable improvements in the studied attacks. For example, we analyze the cipher using 30-round and 31-round characteristics, shorter by two and one rounds than the cipher, while the best attack on DES uses characteristics that are shorter by only three rounds. Our estimates of the probabilities of the best characteristics are also very conservative; in practice they should be considerably lower. Therefore, our complexity claims are probably much lower than the real values, and Serpent is expected to be much more secure than we actually claim.

Dictionary Attack

As the block size is 128 bits, a dictionary attack will require 2^128 different plaintexts to allow the attacker to encrypt or decrypt arbitrary messages under an unknown key. This attack applies to any deterministic block cipher with 128-bit blocks, regardless of its design.

Matching Ciphertext Attack

In CBC or CFB mode, after encrypting about 2^64 plaintext blocks one can expect to find two equal ciphertext blocks. This enables an attacker to compute the exclusive-or of the two corresponding plaintext blocks [14]. With progressively more plaintext blocks, plaintext relationships can be discovered with progressively higher probability. This attack applies to any deterministic block cipher with 128-bit blocks, regardless of its design.

Key Collision Attacks

For key size k, key collision attacks can be used to forge messages with complexity only 2^{k/2} [5]. Thus the complexity of forging messages under 128-bit keys is only 2^64, under 192-bit keys it is 2^96, and under 256-bit keys it is 2^128. This attack applies to any deterministic block cipher and depends only on its key size, regardless of its design.
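A worked example of the matching ciphertext attack, added here and not taken from the paper: a 16-bit block permutation stands in for a 128-bit block cipher, so the birthday bound of 2^{s/2} blocks is reached after a few hundred CBC blocks instead of 2^64. The plaintext, the IV and the permutation are constructed, and the helper names are mine. The attack itself needs nothing about the cipher beyond its block size, which is the point of the paragraph above.

```python
import random

BLOCK_BITS = 16
N_BLOCKS = 1 << BLOCK_BITS


def make_toy_cipher(seed):
    """Constructed 16-bit block 'cipher': one fixed random permutation of
    {0, ..., 2^16 - 1}. Any block cipher under a fixed key is some permutation,
    and that is all the attack relies on."""
    perm = list(range(N_BLOCKS))
    random.Random(seed).shuffle(perm)
    return perm


def cbc_encrypt(perm, iv, plaintext_blocks):
    """CBC mode: C_i = E(P_i xor C_{i-1}) with C_{-1} = IV."""
    out, prev = [], iv
    for p in plaintext_blocks:
        c = perm[p ^ prev]
        out.append(c)
        prev = c
    return out


def matching_ciphertext_attack(iv, ciphertext_blocks):
    """Scan the ciphertext for i < j with C_i = C_j. Because E is a
    permutation, equal outputs mean equal inputs:
        P_i xor C_{i-1} = P_j xor C_{j-1}, hence
        P_i xor P_j = C_{i-1} xor C_{j-1}.
    Returns (i, j, P_i xor P_j) for the first collision, or None."""
    seen = {}
    for j, c in enumerate(ciphertext_blocks):
        if c in seen:
            i = seen[c]
            prev_i = iv if i == 0 else ciphertext_blocks[i - 1]
            prev_j = ciphertext_blocks[j - 1]      # j > i >= 0, so j >= 1
            return i, j, prev_i ^ prev_j
        seen[c] = j
    return None


def demo(n_blocks=2000, seed=1):
    """Encrypt constructed random plaintext and check that the XOR recovered
    by the attack matches the true plaintext XOR. Returns (ok, blocks_used)."""
    perm = make_toy_cipher(seed)
    rng = random.Random(seed + 1)
    plaintext = [rng.randrange(N_BLOCKS) for _ in range(n_blocks)]
    iv = rng.randrange(N_BLOCKS)
    ct = cbc_encrypt(perm, iv, plaintext)
    hit = matching_ciphertext_attack(iv, ct)
    if hit is None:
        return None
    i, j, xor_guess = hit
    return xor_guess == (plaintext[i] ^ plaintext[j]), j + 1


if __name__ == "__main__":
    print(demo())
```

With s = 16 the first collision typically appears after roughly 2^8 blocks; at s = 128 the same arithmetic gives 2^64, which is the figure behind the advice to rekey well before that many blocks. Nothing in the attack distinguishes a strong cipher from a weak one, so the only defence is block size or rekeying.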

Differential Cryptanalysis

An important fact about Serpent is that any characteristic must have at least one active S-box in each round. At least two active S-boxes are required on average, due to the property that a difference in only one bit in the input causes a difference of at least two bits in the output of each S-box. Therefore, if only one bit differs in the input of some round, then at least two differ in the output, and these two bits affect two distinct S-boxes in the following round, whose output differences affect at least four S-boxes in the round after that.

We searched for the best characteristics of this cipher. For this, we made a worst-case assumption that all the entries in the difference distribution tables have probability 1/2, except the few entries which have only a one-bit input difference and a one-bit output difference, which are assumed impossible (probability zero). These bounds are satisfied by all the S-boxes except for one entry of S_…, where the maximal value is 1…/16 (the highest probabilities in the various S-boxes are 6/16 and 8/16, except in S_2, in which it is …/16, and in S_…, in which it is 1…/16). We assume later that round 3… is not approximated by the characteristic anyway. Thus the following results hold independently of the order of the S-boxes used in the cipher, and independently of the choice of the S-boxes, so long as they satisfy these minimal conditions. We searched for the best characteristics with up to seven rounds, and the ones with the highest probabilities are given in Table 1.

Table 1: Bounds on the probabilities of differential and linear characteristics, for 1 to 7 rounds (the numeric entries are not legible in this copy).

One can see that the probability of a 6-round characteristic is bounded by 2^{-…}; thus the probability of a 30-round characteristic is bounded by (2^{-…})^5 = 2^{-…}. In practice the probability of the best 30-round characteristic is expected to be much lower than this. Thus even if an attacker can implement a 2R attack, the attack still requires more than 2^{…} chosen plaintexts (and again this is a very conservative estimate). If the attacker can implement only an attack using a 31-round characteristic, the probability of the characteristic is bounded by 2^{-…}, and the attack requires more plaintexts than are available. A 3R attack would require even more plaintexts.

Notice that if the linear transformation had used only rotates, then every characteristic could have 32 equiprobable rotated variants, with all the data words rotated by the same number of bits. This is the reason that we also use shift instructions, which avoid most of these rotated characteristics.

We have bounded the probabilities of characteristics. However, it is both much more important and much more difficult to bound the probabilities of differentials. In order to reduce the probabilities of differentials we have (1) reduced the probabilities of the characteristics, (2) ensured that there are few characteristics with the highest possible probability, and that they cannot be rotated and still remain valid, and (3) arranged for characteristics to affect many different bits, so that they cannot easily be unified into differentials.


We conjecture that the probability of the best 30-round differential is not higher than 2^{-…}, and that such a differential, if it exists, would be very hard to find. (Note that for any fixed key there are expected to be differentials with probability 2^{-…}, but averaging over all possible keys reduces this average probability to about 2^{-…}.)

Linear Cryptanalysis

In linear cryptanalysis it is possible to find one-bit to one-bit relations of the S-boxes. The probability of these relations is 1/2 ± …/16. Thus a 30-round linear characteristic with only one active S-box in each round would have probability 1/2 ± 2^{…}(…/16)^{…} = 1/2 ± 2^{-…}, and an attack based on such relations would require about 2^{…} known plaintexts, if it were possible at all (as the linear transformation ensures that in the round following a round with only one active S-box at least two are active). More general attacks can use linear characteristics with more than one active S-box in some of the rounds. In this case the probabilities of the S-boxes are bounded by 1/2 ± 6/16. As with differential cryptanalysis, we can bound the probability of characteristics. We searched for the best linear characteristic of this cipher under the assumptions that the probability of any entry is not further from 1/2 than 6/16, and that the probability of a characteristic which relates one bit to one bit is not further from 1/2 than …/16. Note that due to the relation between linear and differential characteristics, these searches are very similar; we actually modified the search program used in the differential case to search for the best linear characteristics with up to seven rounds, and those with the highest probabilities are given in Table 1. One can see that the probability of a 6-round characteristic is bounded by 1/2 ± 2^{-…}, from which we can conclude that the probability of a 30-round characteristic is bounded by 1/2 ± 2^{-…}. The probability of a 31-round characteristic is bounded by 1/2 ± 2^{-…}, and an attack based on it would require at least 2^{…} known plaintexts. Again we wish to emphasize that all these figures are conservative lower bounds, and that the actual complexities of attacks are expected to be substantially higher. Based on these figures we conjecture that the probability of the best 30-round linear differential is bounded by 1/2 ± 2^{-…}, so an attack would need at least 2^{…} blocks. Again, this is a very conservative estimate; we believe the real figure is over 2^128 and that linear attacks are thus infeasible. We are working on more accurate figures; meanwhile, the normal prudent practice of changing keys well before 2^64 blocks have been encrypted will prevent linear attacks.

Higher Order Differential Cryptanalysis

It is well known that the d-th order differential of a function of nonlinear order d is constant, and this can be exploited in higher order differential attacks [17, 19]. The S-boxes all have nonlinear order 3. From this one would expect that the nonlinear order of the output bits after i rounds is about 3^i, with the maximum value of 127 reached after five rounds. Thus higher order differential attacks are not applicable to Serpent.

Truncated Differentials

For some ciphers it is possible and advantageous to predict only the values of parts of the differences after each round. This notion of truncated differential attacks was introduced by Knudsen in [17]. However, the method seems best applicable to ciphers where all operations are done on larger blocks of bits. Because of the strong diffusion over many rounds, we believe that truncated differential attacks are not applicable to Serpent.

Related Keys

As the key schedule uses rotations and S-boxes, it is highly unlikely that keys can be found that allow related key attacks [15, 16]. Moreover, different rounds of Serpent use different S-boxes, so even if related keys were found, related-key attacks would not be applicable. Serpent has none of the simpler vulnerabilities that can result from exploitable symmetries in the key schedule: there are no weak keys, semi-weak keys, equivalent keys, or complementation properties.

Other Attacks

Davies' attack [12, 13] and the improved Davies' attack [6] are not applicable, as the S-boxes are invertible and no duplications of data bits are applied. As far as we know, neither statistical cryptanalysis nor partitioning cryptanalysis [14] provides a less complex attack than differential or linear cryptanalysis.

Attacks Using Induced Faults

We have not been concerned in this design to build in any particular protection against attacks based on induced faults [3, 10, 11]. If an attacker can progressively remove the machine instructions by which this cipher is implemented, or progressively destroy selected gates, or progressively modify the bits of the key register, then he can clearly extract the key. We tend to the view that an attacker with the ability to inspect or modify the implementation detail will have many attacks based not just on compromising keys but on subverting protocols, extracting plaintext directly, and so on. The mechanisms required to protect against such attacks are largely independent of the design of any block cipher used [1], and are thus beyond the scope of this work.


Performance

We implemented this cipher on a 133 MHz Pentium/MMX processor. A 32-round bitslice (unoptimized) implementation (available online from the authors' web pages) gave speeds which are only slightly slower than DES: it encrypts roughly 9.76 million bits per second, while the best optimized DES implementation (Eric Young's libdes) encrypts about 9.… million bits per second on the same machine (exact figures not legible in this copy). The performance of the cipher on other processors in bitslice mode should be only slightly slower than the standard implementation of DES. When coded in assembly language this cipher might even be faster than DES. It takes somewhat over … instructions to encrypt 128 bits, versus typically 7… instructions to encrypt 64 bits in DES. The reason our cipher is not 50% slower is that it has been designed to make good use of pipelining.

Our instruction count is based on the observation that a gate circuit of any 4x4 S-box requires between 19 and 2… gates on the Pentium, between 1… and … on MMX (using only MMX instructions), and between 1… and 25 on the Alpha (the numbers vary due to the different sets of instructions, which are detailed in the Appendix). MMX has the additional advantage that it can operate on 64-bit words, or alternatively on two 32-bit words at once (so two encryptions can be done in parallel using the same or different keys). It is also implemented with greater parallelism on some recent chips (e.g. the Pentium II). On the other hand it does not have rotate operations, so rotates require four instructions (copy, shift left, shift right and OR).

It is also worth remarking that if this cipher is adopted as the Advanced Encryption Standard and chip makers wish to support high speed implementation, then it may not be necessary to add a hardware encryption circuit to the CPU. It would be sufficient to add what we call the 'BITSLICE instruction'. This executes an arbitrary Boolean function on four registers under the control of a truth table encoded (64-bit) in a fifth register. We estimate that the cost of implementing this on an n-bit processor will only be about 1…n gates, and it would have many uses other than cryptography (an example would be image processing). If supported, one BITSLICE instruction would replace most of the instructions in each round, and Serpent would become two or three times faster than DES. It is also worth noting that hardware implementations of the cipher can iteratively apply one round at a time, although the S-boxes in each round are different. The trick is similar to the BITSLICE instruction: the designers of the hardware can design the round function to get a description of the S-boxes as a parameter in some register and compute the S-boxes according to this description. This trick crucially reduces the number of gates required for the hardware implementation of the cipher. An estimate of the gate count will be provided in the full submission.


Variants

As we remarked above, there are two ways in which the block size can be doubled:

1. increase the word length (in the bitslice implementation) from 32 to 64 (or more) bits;
2. use the round function as the F-function in a Feistel construction.

If both of these are done, then the block size will quadruple. These variants might require other modifications of the cipher, such as modifications in the rotation constants. We believe that these variants are secure (or can easily be made so). Work on them is ongoing.

Conclusion

We have presented a cipher which we have engineered to satisfy the AES requirements. It is about as fast as DES and conjectured to be as secure as three-key triple DES. Its security is partially based on the reuse of the thoroughly studied components of DES, and thus we can draw on the wide literature of block cipher cryptanalysis published in the last decade. Its performance comes from allowing an efficient bitslice implementation on a range of processors, including the market leading Intel/MMX and compatible chips. This is still a preliminary design and may change between the time of writing and the final submission. Readers are invited to attack the cipher, to test implementations in various environments, and to report any interesting findings to the authors. A patent application has been filed, but it is our intention to grant a worldwide royalty-free licence for conforming implementations in the event that this cipher is adopted as the Advanced Encryption Standard. Finally, up-to-date information on Serpent, including the latest revision of the paper, can be found on the authors' home pages (URLs not legible in this copy).

Acknowledgements: the first author was supported by Intel Corporation during a visit to Cambridge in September 1997, while much of this work was done; and the name of the cipher was suggested by … (see Amos 5:19).

References

[1] D.G. Abraham, G.M. Dolan, G.P. Double, J.V. Stevens, "Transaction Security System", IBM Systems Journal vol 30 no 2 (1991) pp 206-229.
[2] R.J. Anderson, M.G. Kuhn, "Tamper Resistance: a Cautionary Note", Proceedings of the Second USENIX Workshop on Electronic Commerce (Nov 1996) pp 1-11.
[3] R.J. Anderson, M.G. Kuhn, "Low Cost Attacks on Tamper Resistant Devices", to appear in Proceedings of the Security Protocols Workshop (1997).
[4] E. Biham, unpublished paper, 1994 (title not legible in this copy).
[5] E. Biham, "How to Forge DES-Encrypted Messages in 2^28 Steps", Technion Technical Report CS0884, August 1996.
[6] E. Biham, A. Biryukov, "An Improvement of Davies' Attack on DES", Journal of Cryptology vol 10 no 3 (Summer 1997) pp 195-205.
[7] E. Biham, A. Shamir, Differential Cryptanalysis of the Data Encryption Standard, Springer 1993.
[8] E. Biham, "New Types of Cryptanalytic Attacks Using Related Keys", Journal of Cryptology vol 7 no 4 (1994) pp 229-246.
[9] E. Biham, "A Fast New DES Implementation in Software", Fast Software Encryption, 4th International Workshop, Springer LNCS vol 1267, pp 260-272.
[10] E. Biham, A. Shamir, "Differential Fault Analysis of Secret Key Cryptosystems", Advances in Cryptology, Crypto '97, Springer LNCS vol 1294, pp 513-525.
[11] D. Boneh, R.A. DeMillo, R.J. Lipton, "On the Importance of Checking Cryptographic Protocols for Faults", Advances in Cryptology, Eurocrypt '97, Springer LNCS vol 1233, pp 37-51.
[12] D.W. Davies, "Investigation of a Potential Weakness in the DES Algorithm", private communication (1987).
[13] D.W. Davies, S. Murphy, "Pairs and Triplets of DES S-Boxes", Journal of Cryptology vol 8 no 1 (1995) pp 1-25.
[14] C. Harpes, J.L. Massey, "Partitioning Cryptanalysis", Fast Software Encryption, 4th International Workshop, Springer LNCS vol 1267, pp 13-27.
[15] J. Kelsey, B. Schneier, D. Wagner, "Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES", Advances in Cryptology, Crypto '96, Springer LNCS vol 1109, pp 237-251.
[16] L.R. Knudsen, "Cryptanalysis of LOKI91", Advances in Cryptology, Auscrypt '92, Springer LNCS.
[17] L.R. Knudsen, "Truncated and Higher Order Differentials", Fast Software Encryption, 2nd International Workshop, Springer LNCS vol 1008, pp 196-211.
[18] L.R. Knudsen, Block Ciphers: Analysis, Design and Applications, PhD thesis, Aarhus University, Denmark, 1994.
[19] X. Lai, "Higher Order Derivatives and Differential Cryptanalysis", in Communications and Cryptography: Two Sides of One Tapestry, R.E. Blahut et al. (editors), Kluwer Academic Publishers, 1994.
[20] M. Matsui, "Linear Cryptanalysis Method for DES Cipher", Advances in Cryptology, Eurocrypt '93, Springer LNCS vol 765, pp 386-397.
[21] (entry not legible in this copy).
[22] S. Vaudenay, "An Experiment on DES Statistical Cryptanalysis", 3rd ACM Conference on Computer and Communications Security, ACM Press, pp 139-147.

Appendix: The S-Boxes as Input/Output Tables
(Tables headed "Input" and "Output"; entries not legible in this copy.)

Appendix: The Linear Transformation in Bit Form
For each output bit of this transformation we describe the list of input bits whose parity becomes the output bit. In each row we describe four output bits which later enter the same S-box in the next round. The bits are listed from 0 to 127. (Table entries not legible in this copy.)

Appendix: The S-Boxes S_0 through S_31
Here we describe the S-boxes S_0 through S_31 (each one on a separate line). (Table entries not legible in this copy.)


Appendix: Relevant Instructions

The relevant instructions on the following processors are:

  Pentium: AND, OR, XOR; rotate
  MMX:     AND, OR, XOR, ANDN; only shifts
  Alpha:   AND, OR, XOR, ANDN, ORN, XORN; only shifts

where the ANDN operation on x and y is x ∧ (¬y), the ORN operation is x ∨ (¬y), and the XORN operation is x ⊕ (¬y) (or equivalently ¬(x ⊕ y)). On MMX a rotate takes four instructions, while on an Alpha it takes three. On Pentium and MMX it might be necessary to copy some of the registers, because instructions have only two arguments; but some instructions can refer directly to memory. The Alpha instructions have three arguments (src1, src2 and destination) but cannot refer directly to memory.

Appendix: Design History

Here we describe some design history. In our first design the linear transformations were just bit permutations, which were applied as rotations of the 32-bit words in the bitslice implementation. In order to ensure maximal avalanche, the idea was to choose these rotations in a way that ensures maximal avalanche in the fewest number of rounds. Thus we chose three rotations at each round: we used (1, 3, 7) for the even rounds and (5, 13, …) for the odd rounds. The reasons for this were that (a) rotating all four words is of course useless, (b) a single set of rotations did not suffice for full avalanche, and (c) these sets of rotations have the property that no difference of pairs in either of them coincides with a difference either in the same set or in the other set. However, we felt that the avalanche was still slow, as each bit affected only one bit in the next round, and thus one active S-box affected only 1 out of the 32 S-boxes in the next round. As a result we had to use 64 rounds, and the cipher was only slightly faster than triple DES. So we moved to a more complex linear transformation; this improved the avalanche, and analysis showed that we could now reduce the number of rounds to 32. We believe that the final result is a faster and yet more secure cipher.

We also considered improving the cipher by replacing the XOR operations by seemingly more complex operations such as additions. We did not do this for two major reasons: (1) our analysis takes advantage of the independence between the bits in the XOR operation, as it allows us to describe the cipher in a standard way and use the known kinds of security analysis; this analysis would not hold if the XOR operations were replaced; (2) in some other ciphers the replacement of XORs by additions (or other operations) has turned out to weaken the cipher rather than strengthening it.


Appendix: Implementation

An unoptimized reference implementation is available from the authors' home pages. Note, however, that the cipher may still be modified in the future as it progresses through the selection process.

Attacking Triple Encryption

Stefan Lucks
Theoretische Informatik, Universität Mannheim, 68131 Mannheim, Germany
[email protected]

Abstract. The standard technique to attack triple encryption is the meet-in-the-middle attack, which requires 2^112 encryption steps. In this paper, more efficient attacks are presented. One of our attacks reduces the overall number of steps to roughly 2^108. Other attacks optimize the number of encryptions at the cost of increasing the number of other operations. It is possible to break triple DES doing 2^90 single encryptions and no more than 2^113 faster operations.



1 Introduction

The most well-known symmetric encryption standard is DES. It is defined as a block cipher algorithm with 64-bit blocks and 56-bit keys. Due to the small key size, several variations of multiple DES encryption have been considered, including double DES and triple DES.

Figure 1: double encryption (top), P → E^1_L → E^2_M → C, and triple encryption (bottom), P → E^1_L → E^2_M → E^3_N → C.

In this paper we consider an arbitrary single encryption function E: {0,1}^k × {0,1}^s → {0,1}^s with a k-bit key and a block size of s bits, and in particular point out the consequences of our findings for triple DES. (Part of this research was done while the author was at the University of Göttingen.) Since multiple encryption is mainly of relevance to strengthen block ciphers with a small key space, we concentrate on k ≤ s. With two k-bit keys L and M and two encryption functions E^1 and E^2, double encryption is defined by C = E^2_M(E^1_L(P)). Here C denotes the ciphertext and P the plaintext. Similarly, triple encryption is defined by C = E^3_N(E^2_M(E^1_L(P))). Figure 1 describes double and triple encryption. If L = N, this defines the special case of two-key triple encryption. In this paper we concentrate on the general (three-key) triple encryption. Double DES is double encryption with E^1 = E^2 = E. Triple DES is usually defined by E^1 = E^3 = E and E^2 = D, where E denotes the (single) DES encryption function and D its decryption counterpart.

In general we assume the functions E^i and D^i to behave like 2^k independent random permutations E_K with K ∈ {0,1}^k, chosen according to the uniform probability distribution. Usually, non-random statistical properties are considered to weaken block ciphers. In the special case of DES, two important statistical weaknesses are known: the complementation property, which is exploited in Section 6 of this paper, and a small number of weak keys. All attacks considered in this paper are key-search attacks and exploit known (or chosen) pairs of plaintext and ciphertext. To measure the complexity of an attack we consider four values:

1. the number of known plaintext-ciphertext pairs;
2. the storage required for the attack;
3. the number of single encryptions y = E_K(x) or x = D_K(y) to mount the attack;
4. the overall number of operations ("steps") to mount the attack.

The third value may need some explanation. Clearly, given a key K and a plaintext x (or ciphertext y), the attacker can compute the corresponding ciphertext y = E_K(x) (or the corresponding plaintext). Good block ciphers behave like random permutations; hence, given some triples (plaintext, ciphertext, key), one cannot find other triples more efficiently than by encrypting/decrypting. Attacking multiple encryption without breaking the underlying encryption function is described as attacking multiple encryption in the presence of an encryption/decryption oracle. Figure 2 visualizes such an oracle. The underlying cipher is treated as a black box. We simply write "single encryption" for using the encryption/decryption oracle. Much work has been done with respect to this model. This motivates us to specifically count the single encryptions in addition to counting all steps. Note that such a single encryption counts as one step, but in practice is an exceptionally complex step by itself, compared to common operations like comparisons and table look-ups. One may well concentrate on the number of single encryptions and disregard the number of steps and the amount of storage required. This is an approved method for estimating the minimum strength of composed ciphers, in order to demonstrate the soundness of the composition technique. In this context one neglects possible knowledge of the underlying encryption function. Realizations of the underlying encryption functions are accessible to the attacker by querying an encryption/decryption oracle, but the attacker has no knowledge about the oracle's internals. In the sequel we refer to this point of view as the "black-box-only" model.

Figure 2: the encryption/decryption oracle. Inputs: key K, value v, direction d (encrypt or decrypt); result r = E_K(v) if d = encrypt, r = D_K(v) if d = decrypt.

The rest of this paper is organized as follows. Section 2 describes previously known attacks, concentrating on the meet-in-the-middle attack. Section 3 introduces the notion of "t-collisions" and uses it for a technique to reduce the number of steps. Sections 4 and 5 consider that single encryptions are much slower than each of the other steps and describe attacks optimized to save single encryptions (but not the total number of steps). Section 6 exploits the complementation property of DES to further improve our attacks. Finally, in Section 7 we concentrate on the consequences of our findings for the security of triple DES.



2 Previously Known Attacks

Double encryption can be broken with a meet-in-the-middle attack (MITM). This attack requires ⌈2k/s⌉ known plaintext/ciphertext pairs, on average about 2^k units of storage and about as many steps. For a plaintext p and the corresponding ciphertext c, compute all values I_L = E^1_L(p) and store the pairs (I_L, L) in a table indexed by I_L. Since there are 2^k keys L, this requires 2^k units of storage, 2^k steps and 2^k single encryptions. Now all values I_M = D^2_M(c) are computed. For the correct key pair (L, M) the equation I_L = I_M must hold. Thus the attacker needs to look up I_M in the previously computed table of pairs (I_L, L).

Two-key triple encryption can be broken by a chosen plaintext attack using about 2^k units of everything: 2^k plaintext/ciphertext pairs, 2^k units of storage, 2^k steps and 2^k single encryptions [5]. The known way to attack general triple encryption is also by MITM [4, Section 7.2.3]. Let a plaintext/ciphertext pair (p, c) be given. Proceed as follows:

1. Compute all values b_N = D^3_N(c), N ∈ {0,1}^k, and store the pairs (b_N, N) in a table indexed by b_N.
2. Compute all values b_{L,M} = E^2_M(E^1_L(p)) with L, M ∈ {0,1}^k and look for (b_{L,M}, N) in the previously computed table of pairs (b_N, N).
3. Test all key triples (L, M, N) with b_{L,M} = b_N until only one such triple remains.

The first step requires about 2^k steps and single encryptions and as many units of storage. The second requires about 2^{2k} steps and single encryptions (in computing the complexity of this step, the operations of computing the value b_{L,M} = E^2_M(E^1_L(p)), looking up the pair (b_{L,M}, N) in the table and maintaining the loop together count as one step), and the third is cheap. Note that one needs at least l = ⌈3k/s⌉ pairs of plaintext and ciphertext for the attack. In the case of triple DES, l = ⌈3·56/64⌉ = 3 such pairs, about 2^112 single encryptions, about 2^56 units of storage and the same number of steps (mainly table look-ups) are needed. (The exact number of steps and single encryptions for the MITM attack is 2^112 + 2^56. This is the number used when comparing the MITM attack with our probabilistic attacks.)

Advanced MITM techniques for attacking two-key triple encryption have been studied by van Oorschot and Wiener [6]. The same authors also proposed advanced MITM techniques for attacking double encryption [7]. Kelsey, Schneier and Wagner [2] demonstrate how to attack three-key triple DES using related-key techniques. Let a plaintext p and the corresponding ciphertext c be known to the attacker. Assume the attacker is able to change the first subkey from L to L ⊕ Δ (both L and L ⊕ Δ unknown to her, but Δ known). If the attacker receives the decryption of c under the modified key, then she can find the subkey L using only 2^k steps (and the same number of single encryptions). The second and third subkeys M and N can be found as in the case of double encryption. If the same plaintext is encrypted 2^{…} times using triple DES under 2^{…} different keys, an attacker can recover one of the 2^{…} keys using 2^{…} steps (and the same number of single encryptions). This result is due to Biham [1]. DESX is a variant of DES where encrypting and decrypting require computing one single encryption and two XORs of s-bit blocks. Kilian and Rogaway [3] describe the security of DESX in the black-box-only model, concentrating on finding lower bounds for the number of single encryptions every black-box attack needs.

3 An Attack Optimized to Save Computation Steps

In this section we describe an "optimized" attack to save computation steps compared to MITM. Consider a function f: {0,1}^* → {0,1}^s. A pair x, y of inputs with x ≠ y and f(x) = f(y) is a collision. More generally, a set S of inputs with |S| = t is a t-collision associated with the value v ∈ {0,1}^s if f(x) = v for all x ∈ S. Assuming the function f to behave like a random function and that w inputs are randomly chosen, the expected number of values associated with t-collisions is about w^t · 2^{-s(t-1)}.

Our attack depends on finding t-collisions for plaintext/ciphertext pairs (p_i, c_i). Consider the function f_{p_i}: {0,1}^k → {0,1}^s, f_{p_i}(L) = E^1_L(p_i). If we consider all keys L ∈ {0,1}^k, then the number of inputs for the function f_{p_i} is w = 2^k. We write K_1(a, i) for the set of all keys which encrypt the plaintext p_i to the value a using E^1. Similarly, we write K_3(b, i) for the set of all keys which decrypt the ciphertext c_i to b using E^3:

  K_1(a, i) = {L ∈ {0,1}^k | E^1_L(p_i) = a},
  K_3(b, i) = {N ∈ {0,1}^k | E^3_N(b) = c_i}.

The value a is associated with a t-collision if |K_1(a, i)| ≥ t. We choose SA(i) ⊆ {0,1}^s as the set of values a associated with t-collisions:

  SA(i) = {a ∈ {0,1}^s | there exists a t-collision K_1(a, i)}.

Our attack works like this:

  i := 1;
  repeat
    let (p_i, c_i) be a known pair of plaintext and ciphertext;
    initialize the sets K_1(·, i), K_3(·, i) and SA(i) to empty;
    for L ∈ {0,1}^k do
      a := E^1_L(p_i); K_1(a, i) := K_1(a, i) ∪ {L};
      if |K_1(a, i)| ≥ t then SA(i) := SA(i) ∪ {a};
    (* SA(i) is the set of all values a associated with t-collisions *)
    for N ∈ {0,1}^k do
      b := D^3_N(c_i); K_3(b, i) := K_3(b, i) ∪ {N};
    for a ∈ SA(i) do
      for M ∈ {0,1}^k do
        b := E^2_M(a);
        for N ∈ K_3(b, i) do
          for L ∈ K_1(a, i) do
            tripletest(i, L, M, N);
    i := i + 1;
  until tripletest accepted.

The procedure "tripletest" can be realized like this:

  tripletest(i, L, M, N):
    SI := {1, ..., l} \ {i};
    d := 3k - s + δ;
    repeat
      choose j ∈ SI at random;

. i v t n m i r 8 w o xp lo i tt i o ro n o t i r m iro p y m nt m . o v riy t i ti m ti on on nu w ll k no wn p il t “ i rt y p r ox u u f u u c ∗ 2s/• c ( tu lly c π/2≈ 1 .25 .4 ti o n 2.1 .5 ).

Stefan Lucks

SI SI − −j}; 3 c EN (EM (EL (pj ))); d d − s; u n til (d − 0) or (cj  c); pt(L, M, N ) th i (cj c) th n l r j t(L, M, N ) n on tin u . h n

tripletest” i

ll

th

orr tk y-tripl

n

top

qu tion

3 (EM (EL (pi ))) EN

ci

3 h ol . n th pro u r r lookin or j  i u h th tEN (EM (EL (pj )))  3 k−s δ il o t n n ou h i. . t im ptt h k y -tripl (L, M, N ) cj . s orr t. h v lu δ rv u rity p r m t r th ri k to pt n in orr tk y-tripl i n o m or th t2−δ . On th v r ron k y-tripl r qu ir in i n ifi n tly m or th n th r in l n ryption i. . on om pu t tion o c . . . in or j − −1, . . . , l}− −i} 3 (EM (EL (pj ))) cj h ol on ou to 2s tim . h orr ttripl th qu tion EN δ i l y pt t r 3 k−s rou n . . . t o rou n r u i n t or tripl s (k 56 n s 64 ) i δ 20. n th qu l u m δ to l r n ou h ” n i n or th ri k o ptin n in orr tk y-tripl .

L tt

ho n

u h th twt −2−s

• • • • •• • • •

x 2k /(wt −2−s

t−

t−

t)

− 2k . x

(pi , ci )

• • •••• • • • •• • •• v ryt- olli ion K (a, i) − SA (i) on i t o tl tt k y n h n h tl t t −2−k h n to on t in th orr tfi r tk yL. v ryin x iph rt xt. or v ryi xp t i orr pon to p ir (pi , ci ) o pl in t xt n o i t ith t- olli ion K (a, i). to fi n ou twt −2−s t− v lu a to h u th xp t n u m r o (pl in t xt iph rt xt)-p ir n to on i r in or r to fi n th orr tfi r tk yL i 2k /(wt −2−s t− t). ti y to v ri y th ollo in (L, M, N ) i th orr t k y tripl K (a, i) − SA (i) n L − K (a, i) th n th pro u r tripletest(i, L, M, N ) i x u t in t ith th in x i n th k y (L, M, N ) p r m t r . − • • • • •• • • • w • Θ(2k ) • Θ(wt −2−s y

: t−

l

−2k −l

(pi , ci )

wt −2−s

t−

−l −t −2 k−s )

oth t r to x u t l tim . u rin v ry it r tion o th p t”loop n o r u lt o pr viou it r tion r n . n th m ou n to tor or th tt k n tim t yth tor p u rin on it r tion n th r qu ir n u m r o t p i l tim th v r num r o t p u rin


on on

it r tion . lo tim t th tor p n th n u m r o t p or u h it r tion . h n th n u m r o tp i oth loop o t r it r t 2k tim k th tor p or th t K (a, i) ou t2−2 . h n th fi r tloop i fi n i h n n ru ith th x ption o th (i. . 2k u n it ) i n o lon r n on loop 2k u n it o tor p r n t K (a, i) − SA (i). or th t or th t K3 (·, i). in w −2−s t− − 2k xp t th pro ility or n li i l n pproxim t th tor p or t −SA (i)−> 2k to y2k . xp tth xi t n o o on i r t . or v ry p ir (pi , ci ) wt −2−s t− t- olli ion ; th u th loop or a − SA (i)” i it r t wt −2−s t− tim on th v r . h loop or M . . . ” i it r t 2k tim h n wt − −s t− k −2 in l n ryption b EM (a) r on . o r n wt − 2 −s t− k k−s −2 t p . h xp t iz o tK3 (b, i) i 2 − 1. K (a, i) i 2 t- olli ion th u it on t in ou tt k y L n th pro u r tripletest i to ll wt −2−s t− −2k −2k−s −t tim . u rin h o th it r tion o t n n h n u rin th om pl t p r n n th n u m r o tp i l orith m Θ(2k ) u n it o tor lΘ(2k wt −2−s t− −2k wt −2−s t− −2k −2k−s −t) Θ(wt −2−s t− −2k wt −2−s t− −2k −2k−s −t) im il rlyto th n u m r o in l n ryption . − h on t n t h i n yth ym ptoti r m ll. iv n l p ir o pl in t xt p — i th or th n iph rt xt n ou t2k u n it o tor M M tt k. h n u m r o t p i • • • • • A • • • • • oB • • • • • iB . r • • • • • A ≈ 2−l −2k i th n u m r o t p t p or t • • • • • oB ≈ l −wt −2−s t− −2k i th n u m r o t p or th ou t r loop o t (i. . th n u m r o tim th op r tion b EM (a) i x u t ) n • • • • • iB ≈ 3−l −wt −2−s t− −2 k−s i th n u m r o t p or ll loop o t n or tripletest. or tripl (k 5 6 n s 64 ) xp t n u m r o t- olli ion i ou t th n 2kt −2−s t− 20 1 xp ton - olli ion th 2kt −2−s t− . t p n or l 2k /(wt −2−s t− t) tt k r qu ir ou t2 6 u n it o tor 3 0 n ou t • • • • • A ≈ 2 t p (m in ly t l look-u p n in l n 2 im il r t p or M M . ryption ) or th tt k— in t o 2 n im prov th i y h oo in t 7 h xp t n u m r o 7 - olli ion 2 25 6. in th tt k r qu ir ou t2 6 u n it o tor i 2kt −2−s t− t• • • • • A ≈ 2 0 p . 
or l 2k /(wt −2−s t− t) 2 6 /(25 6− ) 2 i 0 n • • • • • B ≈ 3−2 • • • • • oB ≈ l −wt −2−s t− −2k (2k /(wt −2−s t− t)) −wt −2−s 2 k /7 2 /7 ≈ 20 . , th u u

t−

−2k

m u h in l n ryption ). on lyn li h tlym or th n 2 0 t p ( n rom pr ti l poin t o vi th op r tion optim iz tt k i n ot v ry u l or r kin tripl . ti t r th n M M u tr qu ir m u h m or


p ir o kn o n pl in t xt / iph rt xt( . . ou t2 i t 7 om p r M M ). u t rom th or ti l poin to vi th tt k p r orm n in i t tripl to k r th n i ly li v .



to 3 or l rly

4 The Encryption-Optimized Attack

The previous section's technique to reduce the number of steps seems to be exhausted. So in the next two sections we concentrate on reducing the number of single encryptions instead of the number of steps. This section deals with an "encryption optimized" attack. Instead of sets SA(i) depending on p_i we choose one fixed set SA and no longer exploit the occurrence of t-collisions.

Let there be l plaintext/ciphertext pairs (p_1, c_1), ..., (p_l, c_l) known to the attacker. In the previous section we computed sets SA(i) ⊆ {0,1}^s for every index i ∈ {1, ..., l}. Now instead choose one set SA = SA(1) = ··· = SA(l), with |SA| ≪ 2^s. We assume the elements a ∈ SA to be chosen at random, the size |SA| of SA being fixed. (This gives the independence of the set SA and the set {a ∈ {0,1}^s | a = E_L(p_i)}, where L denotes the correct first key.) Our attack consists of three steps:

1. For a ∈ SA compute the sets S(a) = {(i, L) ∈ {1, ..., l} × {0,1}^k | E_L(p_i) = a}.
2. For b ∈ {0,1}^s and i ∈ {1, ..., l} compute the sets K3(b, i) = {N ∈ {0,1}^k | E_N(b) = c_i}.
3. For M ∈ {0,1}^k and a ∈ SA: b = E_M(a); for (i, L) ∈ S(a): for N ∈ K3(b, i): tripletest(i, L, M, N).

What is the probability of finding the correct key by using the algorithm?

Theorem 3. If |SA| ≈ 2^s/l, the algorithm finds the correct key with probability roughly 1/2.

Sketch of proof. The attack succeeds in finding the correct key triple (L, M, N) if for any i ∈ {1, ..., l} the operation "tripletest(i, L, M, N)" is executed, i.e. if a pair (i, a) exists in {1, ..., l} × SA with E_L(p_i) = a. The existence of such a pair can be expected if l · |SA| ≈ 2^s (due to the birthday paradox).

One of the resources required to mount the attack is the number of plaintext/ciphertext pairs. What about the other resources?

x

y l

−SA −≈ 2s /l s − k w w

x

2 k−s − l − 2 s− : x

k

r l o kn o n y


• Θ(l −2k ) • Θ(2 k ) • Θ(23 k−s ) t

or i − −1, . . . , l} n

2.

or i − −1, . . . , l} n


y

L t th t S (·) n K3 (·, ·) n r liz lik th i

1.


in iti liz

to

m pty.

EL (pi ); L − −0, 1}k a S (a) −(i, L)}. S (a) (−Or a − SA th n S (a) 3 DN (ci ); N − −0, 1}k b K3 (b, i) −N }. K3 (b, i)

h

fir tt o

. . . −)

h n th ov r ll n u m r o l m n t in th h loop i it r t l −2k tim r o l m n t in th t S (·) i th t K3 (·, ·) r l −2k th ov r ll n u m ro tp n m ( u t on lyn th t S (a) or a − SA ) n th n u m in l n ryption or th fi r tt o t i Θ(l −2k ). t 3 r qu ir m u h l tor th n th fi r t t o t . t ou t r loop or M − −0, 1}k n a − SA ” i it r t 2k −−SA −≈ 2k s /l tim . On th n vr th m i l loop or (i, L) − S (a)” i it r t l −2k /2s tim 2k−s < 1 th th in n r loop or N − K3 (b, i)” i it r t 2k−s tim . in ou t r n th m i l loop t rm in th n u m r (2k −−SA −)(l −2k /2s ) ≈ 2 k o t p or t 3. u t or th in l n ryption ou n t h o o t n th op r tion b EM (a)”i x u t in th ou t r loop (i. . 2k −−SA −≈ 2k s /l) n 3 (EM (EL (pj )))” i x u t th r tim th n u m r th op r tion c EN k ith in th pro u r tripletest (i. . 3(2 −−SA −)(l −2k /2s )(2k−s ) ≈ 3−23 k−s ). r qu ir th tripletest p rt om in t th u m i. . th l − 2 s− k num r o in l n ryption in t 3i ou t3−23 k−s Θ(23 k−s ). h u th tor r qu ir m n t or th tt k i om in t y t 2 th num r o t p n th n u m r o in l n ryption r om in t y t p Θ(2 k ) t p n p i lly 3. n n Θ(l −2k ) u n it o tor 3 k−s ) in l n ryption . − Θ(2 on n ily u rom th proo th on toti r m ll. n ou tl−2k u n it o tor 3−23 k−s 2k s /l in l n ryption . or tripl y l 2 6 kn o n p ir rn 2 6 − l − 2 . iv n n rou h ly2 u n it o tor (m in ly or th n h v y l th rou h loop or ou t2 tim 3−23 k−s ≈ 3−2 0 ≈ 206 tim

2k s /l 20

t n t hi n yth ym pou t2 k t p n ou t m y h oo l ith in th o pl in t xt n iph rt xt l m n t o th t K3 (·, ·)) to n rypt/ rypt ou t

l −2k 23

Unlike the operation optimized attack, which reduced the number of steps, this section's encryption optimized attack reduces the number of single encryptions but not the number of steps. This optimization reduces the time of the attack if single encryptions are considerably slower than other operations.


5 The Advanced Attack

The encryption optimized attack is limited by the procedure tripletest, which is executed about 2^{3k−s} times and thus induces 3·2^{3k−s} single encryptions. In the sketch of proof of Theorem 3 the correct key triple (L, M, N) is found if a pair (i, a) exists in {1, ..., l} × SA with E_L(p_i) = a. In this section we modify the attack: only execute tripletest if there exist two pairs (i, a), (j, a') ∈ {1, ..., l} × SA with E_L(p_i) = a and E_L(p_j) = a'. This leads to the "advanced attack". (More generally, execute tripletest if r pairs (i_1, a_1), ..., (i_r, a_r) with E_L(p_{i_j}) = a_j exist in {1, ..., l} × SA. In this paper we concentrate on r ∈ {1, 2}.) On one hand this forces us to increase the number of known plaintext/ciphertext pairs (p_i, c_i) in order to succeed. On the other hand we need to execute the tripletest much less frequently. The first two steps are the same as before; for step 3 we do the following:

3. For M ∈ {0,1}^k: S = {}; for a ∈ SA: b = E_M(a); for (i, L) ∈ S(a): for N ∈ K3(b, i): if (L, N) ∈ S then tripletest(i, L, M, N) else S = S ∪ {(L, N)}.

Theorem 5. If |SA| ≈ 2·2^s/l, the advanced attack finds the correct key triple with probability roughly 1/2.

Sketch of proof. Let (L, M*, N) denote the correct key triple. Consider the iteration of the loop "for M ∈ {0,1}^k" with M = M*. (Iterations with M ≠ M* cannot succeed anyway.) If |SA| ≈ 2·2^s/l, the expected number of pairs (i_1, a_1), ..., (i_r, a_r) ∈ {1, ..., l} × SA with E_L(p_{i_j}) = a_j is r = 2. If there actually exist two such pairs (i_1, a_1) and (i_2, a_2) in {1, ..., l} × SA, then the following inclusions hold:

(i_1, L) ∈ S(a_1), (i_2, L) ∈ S(a_2), N ∈ K3(E_M(a_1), i_1), and N ∈ K3(E_M(a_2), i_2).

Then the key pair (L, N) is found twice within the execution of the algorithm. At first "(L, N) ∈ S" is wrong and (L, N) is inserted into the set S. The second time "(L, N) ∈ S" is true, tripletest(i, L, M, N) is executed (with i ∈ {i_1, i_2}) and accepts, because (L, M, N) = (L, M*, N) is the correct key triple.

x

y l

−SA −≈ 2s w

w

/l x

x


• Θ(l −2k ) • Θ(2 k ) • Θ(l −2k

2k

s


y

/l)

h r ou r r qu ir m n t or th fi r tt o t o th vn tt k r th m or th n ryption optim iz tt k. n th th ir t n or fi x M n a th loop or (i, L) − S (a)” i th in n r loop or (L, N ) − S” i it r t ou t it r t ou tl −2k−s tim n th iz o th t S i rou h ly −S−≈ l −2 k− s − l. h 2k−s tim . Θ(l −2k ) u n it o tor n th u om in t th t K3 (·, ·) r qu ir l − 2k vn tt k tor r qu ir m n t . im il rly to th proo o th or m 4 th n u m r o t p i (2k −−SA −)(l − k s k k Θ(2 ). 2 /2 ) ≈ 2 in l n ryption . h op r tion h fi r tt o t to th r r qu ir l−2k 3 x ut ou t 23 k− s c EN (. . .) in th pro u r tripletest i to 3 k− s tim in u in 3−2 in l n ryption . h op r tion b EM (a) i to x u t 2k −−SA −≈ 2k s /l tim . in l −2k − 3−23 k− s th num r o in l n ryption i ou t l −2k

3−23 k−

i. . Θ(l −2k 2k s /l). n pr ti n ou t2k s /l l −2k

2k

s

s

/l ≈

l −2k

ou t l −2k u n it o tor n ryption / ryption .

ou t 2k

s/

in l

2k

s

/l,

ou t 2 k fi x l 2s/

n ryption .

tp

n



n (1)

iph rt xt or tt kin tripl iv n l 23 kn o n p ir o pl in t xt n p n 2 3 tp u ton ly2 0 in l n ryption . n 2 u n it o tor n om p ri on to th op r tion optim iz tt k th vn tt k llo u to r ti llyr u th m ou n to in l n ryption tth o to ou lin th num r o t p . o h t i ou r in ? m n tion in th in tro u tion in l n ryption i v ry om pl x op r tion om p r to y t l look-u p . u m on im pl m n t tion o to r qu ir t l look-u p p r rou n -u p n tim t i. . −16 2 t l look-u p p r n ryption ou r p lik th i •

h

xp t n u m ro 2 tp n m u h in l n ryption o th M tt k tu lly orr pon to ou t1.3−2 0 tripl n ryption . in l • h op r tion optim iz tt k o tion 3 n 20 tp n 0 n ryption . h orr pon to ou t1.3−2 tripl n ryption . • h n ryption optim iz tt k 2 t p (m o tly t l look-u p ) n 2 0 6 in l n ryption . h i i qu iv l n tto ou t2 0 tripl n ryption . • hi tion tt k r qu ir 2 3 t p (m o tly t l look-u p ) n 2 0 in l n ryption . h i orr pon to ou t1.3−2 0 tripl n ryption . M

Ou r r u lt1 or tripl n ryption (i. . 2 0 in l n ryption to r k tripl ) i v ry lo to ili n n o y w 3 or th n u m ro in l n ryption r qu ir to r k . or t il pp n ix .


6 The Complementation Property of DES

So far we pretended the underlying single block cipher DES to be ideal, i.e. to behave like a random permutation. But DES is not an ideal block cipher. Most important in this context is the complementation property: let x̄ denote the complement of the bit-string x; then for every key K ∈ {0,1}^k and every plaintext p ∈ {0,1}^s

$\mathrm{DES}_{\bar{K}}(\bar{p}) = \overline{\mathrm{DES}_K(p)}.$

o

o th om pl m n t tion prop rty tth i n yo ou r tt k ? ir t n ot th r i n otm u h h rm or th tt k r. h n ryption optim iz tt k u i th t −p , . . . , pl } n SA r h o n u h th tth r xi t (i, a) − −1, . . . , l}− SA ith EL (pi ) a L th orr t fi r t u k y . proo o th or m 3. h i pro ility i n ot t ll t y th om pl m n m y r u im il rly or th vn tt k. t tion prop rty EL (pi ) a. h u r t o th op r tion optim iz tt k p n on th pro ility orr t fi r t u k y L p rti ip t in t- olli ion th t or pl in t xt pi th EL• (pi ) a. in K(a, i) −L, L , . . . , Lt } i. . EL (pi ) EL• (pi ) . . . th i pro ilityi n ot t yth om pl m n t tion prop rtyEL (pi ) a. on th r r m n y y or th tt k r to xploitth om pl m n t tion prop rty or m ll im prov m n t o n tt k. or th k o h ortn ho n on n tr t on on x m pl . ll th tt k in tion 3. L t SA a − SA ⇐⇒ a − SA h ol . h u h th t or ll a − −0, 1}s th qu iv l n tt k i u n h n x pt or t . or a − SA (i) or M − −0}− −0, 1}k− b EM (a); or N − K3 (b, i) or L − K (a, i) tripletest(i, L, M, N ); (− xt xploitb EM (a). −) or N − K3 (b, i) or L − K (a, i) tripletest(i, L, M , N ); h n ly i in tion 3i n otm u h t . ith r th xp t n u m ro p ir o pl in t xt n iph rt xt h n n or th om pl xity • • • • • A o t n or th tt k tor r qu ir m n t . ith r p t to t th loop or a − SA (i)” i it r t wt −2−s t− tim on th v r . h loop or M . . . ” i on ly it r t 2k− tim h n t −s t− −2k− in l n ryption b EM (a) r on . o r n w −2 • • • • • oB wt −2−s t− 2k− t p or t . o th r th t o loop or N − . . .” n m u h tim or • • • • • iB wt −2−s t− −2k −2k−s −t. h oo th p r m t r r t 7 u ≈ 2.2 n l 2 th op r tion optim iz tt k om pl xity i th u m o th r n u m r •• • • •A ≈ 2 0 • • • • • iB ≈ 3−2 0 n • • • • • oB ≈ 2 0 . .


hi

tion

v ri n t o

n ot

t• • • • • A n

• • • • • oB ≈ 2 0 pproxim



t th ov r ll n u m

ro

tp

n


• • • • • iB h n

.

in l

n ryption .

7 Conclusion

Using today's technology, neither MM nor any of our attacks constitutes a practical way to break triple DES. If in the future an attack like MM will be considered practical, or close to it, certainly some of the required resources will be more valuable than others. This paper provides a variety of options how to possibly evade such bottleneck resources. A comparison is given in Table 1.

Table 1. Attacking triple DES with l known (chosen) pairs of plaintext and ciphertext: the expected resource requirements (memory, steps, number of single DES encryptions) of the MM attack, the operation-optimized attack of Section 3 (and its variant), the encryption-optimized attack of Section 4 and the advanced attack of Section 5. [The numeric entries of the table did not survive extraction.]

Wiener [6,7] considers attacks with decreased memory at the cost of increased running time. Usually, reducing storage is the main goal of improving an attack like MM. The approach here is to decrease the running time at the cost of storage. A referee criticized this method as making our attacks less realistic. We reply that the MM attacks on double encryption and on two-key triple encryption both have balanced time-memory characteristics, i.e. require roughly one step of computation per unit of memory. In this setting, saving storage at the cost of additional computational steps (van Oorschot and Wiener) certainly makes such attacks more realistic. On the other hand, the MM attack on general (three-key) triple encryption has highly unbalanced time-memory characteristics: 2^k units of memory and 2^{2k} steps, i.e. 2^k steps per unit of memory. If k is reasonably large, e.g. k = 56, decreasing the running time at the cost of additional memory requirements actually appears to make such attacks more realistic. (Note though, our attacks are as far from being practical as the MM attack. It is quite difficult to reasonably estimate the economically best time-memory characteristics of future technology for which such attacks are practical.)

Even though our attacks are far from being practical today, this paper illustrates that the ability to quickly perform many single DES operations is not crucial for breaking triple DES (though even the required number of single DES operations is too large to be considered feasible today). The number of memory accesses, i.e. table look-ups, appears to be dominating, with direct consequences on the difficulty of massively parallel triple DES breaking.

Acknowledgements

The author is thankful to Rüdiger [...] for discussing the presentation of this material and very much appreciates the referees' advice in improving it.

References

1. E. Biham, "How to forge DES-encrypted messages in 2^28 steps", Technical Report CS0884, Computer Science Department, Technion, 1996. Found at http://www.cs.technion.ac.il/Reports/
2. J. Kelsey, B. Schneier, D. Wagner, "Key-schedule cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES", Crypto '96, Springer LNCS 1109, 237–251.
3. J. Kilian, P. Rogaway, "How to protect DES against exhaustive key search", Crypto '96, Springer LNCS 1109, 252–267. Full version found at http://wwwcsif.cs.ucdavis.edu/~rogaway/papers/list.html
4. A. Menezes, P. van Oorschot, S. Vanstone, Handbook of Applied Cryptography, CRC Press, 1997.
5. R. Merkle, M. Hellman, "On the security of multiple encryption", Communications of the ACM, Vol. 24, No. 7 (1981).
6. P. van Oorschot, M. Wiener, "A known-plaintext attack on two-key triple encryption", Eurocrypt '90, Springer LNCS 473, 318–325.
7. P. van Oorschot, M. Wiener, "Improving implementable meet-in-the-middle attacks by orders of magnitude", Crypto '96, Springer LNCS 1109, 229–236.
8. R. Rivest, A. Shamir, "PayWord and MicroMint: two simple micropayment schemes", CryptoBytes, Vol. 2, No. 1 (1996), 7–11.


A The Black-Box-Only Model

As mentioned in the introduction, the black-box-only model provides a proven environment to demonstrate the soundness of composed ciphers. Kilian and Rogaway [3] analyzed the block cipher DESX and its security in this model. Note that in the black-box-only model one concentrates on the number of encryptions and disregards all other operations.

A generalized variant of DESX is FX, based on the encryption function E: {0,1}^k × {0,1}^s → {0,1}^s. An FX key is a triple (L, M, N) ∈ {0,1}^k × {0,1}^s × {0,1}^s. The encryption function is FX_{L,M,N}(p) = N ⊕ E_L(M ⊕ p), where "⊕" denotes the bit-wise XOR. Compared to triple DES, DESX is amazingly elegant and efficient.

Let l denote the number of known (or chosen) pairs of plaintext and ciphertext. Kilian and Rogaway prove for FX that the attacker's advantage in distinguishing between a random function unrelated to E and FX encryption using a key triple (L, M, N) unknown to the attacker is ε ≤ l · x · 2^{−k−s}. Here x denotes the number of single encryptions. For ε = 1/2 and l = 2^{s/2} this requires

x ≥ 2^{k+s/2−1} single encryptions. (2)

(Note that Kilian and Rogaway consider k = 55 and ignore the additional key bit of DES. This is necessary for a lower bound in the black-box-only model, due to the complementation property.) By presenting a chosen plaintext attack, Kilian and Rogaway also demonstrate that the above bound is tight except for a small factor.

Our result (1) in Section 5 for breaking triple DES encryption is surprisingly close to Kilian and Rogaway's lower bound (2) for DESX. Concluding, in order to find a combined cipher better than DESX (or FX), one has to abstain from triple encryption (triple DES) or to forgo the black-box-only model. In other words, this paper gives evidence that it will be difficult to prove triple DES to be much stronger than the more efficient DESX construction.

Cryptanalysis of Some Recently-Proposed Multiple Modes of Operation

David Wagner

University of California, Berkeley

• • •••• • •• n r r tn in n tri o s o o r tio n i ro o s ou r n tri o s n n u ru o so o r tio n o r . t s on tu r t t t o it ( in rti u 2 r t r t o ) o r in t tri o s is t st n t t t u ru o s r o r s u r t n n tri o . r s ntn tt s o n u t on o t ro o s o s. n r utt o o i ’s ro o s o s it t o st 6 o in 2 ( n in u o n t o ) tri n r tio n s n t n n os n o s n t ts; n o t r o n ro n it so t or or . is r is s u stio n s o u t t su it iit o t ro o s o s n ro i s u rt r i n or t r iit o in n r in in ; o r si t t o u r r su ts o n o t is ro i ’s o n tu r s s r on n tn tt o i its o r o ru rs ri s o n ou n t os n u ri s iit n i to t in i ’s o .



1 Introduction

DES is the most thoroughly-analyzed cipher in the open literature, but at the end of its useful lifetime the 56-bit key length is simply too short to secure against serious key search efforts. As a result there is interest in the search for multiple modes of operation which provide increased strength against exhaustive key search while retaining the high level of analysis and confidence that single DES currently enjoys. Biham [Bih96] analyzed many triple modes of operation and broke very many of them, except the commonly-used triple DES mode (when used with some outer chaining technique). Unfortunately, due to its short 64-bit block length, triple DES has some shortcomings: it is susceptible to dictionary attacks (when 2^64 known texts are available) and matching-ciphertext attacks (where partial information about the plaintext is recovered by using the birthday paradox when 2^32 known texts are available). To improve this state of affairs, Biham proposed 9 new block modes and 2 new stream modes of operation for DES. The complexity of attacking these new modes is conjectured to be at least 2^72. The quadruple modes were conjectured to be more secure than any triple mode; furthermore, the complexity of attacking two of the quadruple modes was conjectured to be at least 2^[...].

This paper shows that when we allow chosen-IV, chosen-text attacks, most of the proposed modes are not significantly more secure than single DES. We provide new attacks against all but one of the modes. Note that Biham's studies were premised on a more restrictive model that did not admit chosen-IV attacks, so our results do not disprove Biham's conjectures; but our position is that these new results raise questions about the security of Biham's proposed modes and illustrate the application of general techniques for cryptanalysis of multiple modes of operation. See Section 3 for more discussion on this point.

The paper is organized as follows. Section 2 establishes some notation and other background, and Section 3 discusses our threat model. Section 4 shows how to attack two important classes of modes using a divide-and-conquer strategy and applies this result to attack six of Biham's proposed modes. Section 5 shows how to attack four more of Biham's modes using narrow-pipe attacks. Finally, Section 6 discusses some implications of our results and Section 7 wraps up the paper with some concluding remarks.



2 Notation and Background

ih m vlop on is not tion o m ultipl m o swh i h iswo th sum m izin h . ll o h is n w m o s iv om th st n mo s o op tion n O sw ll sth i o spon in − yption m o s t. h not tion sto th m o wh th outputo n yption is to th inputo n yption; th op to n xtn to tipl n h i h -o m o s. h not tion O sto m o wh i h ppli sO to itsinput th n n yptswith mo n fi n lly ppli sth s m O k yst m to th t sult. (Not th st m sxo into th input n th outputo n t om sin l k y n th o •• • •• • • .) h is n n liz to m o s su h sO wh w pply O th n th n O in th n n th n O on m o . ( in ll th O outputst m s th s m !) h not tion O → sto st m m o wh i h ppli s n yption to th k yst m n t yO mo n xo sth sultto th pl intxt. n o ou s us th → op to to fi n tipl n h i h -o m o s too. o l ity w will ttm ptto us th s m not tion o pl intxt iph txt t. th ou h outth isnot. w it • 0 •• •••• ( sp tivly • 0 •• ••••) o th lo kso th pl intxt( sp. iph txt). l t• 0•• 1•••• not th 5 6- it k ys n w it • • 0•• • 1•••• o th o spon in s. num th k ys • 0•• 1•••• o in to th o th tth sin l -m o pp s in th is − not tion o inst n in O th O -m o isk y with • 0 − th with • 1 n th with • 2. h n m ultipl pl intxt/ iph txt p is o t in in n tt k un w w it • • o th ull pl intxto th


i-th message, write P^i_j for the j-th block of P^i, and so on. Let E_K(X) stand for the single DES encryption of the input block X under the key K.

Fig. 1. (diagram of the mode discussed in the text; the figure did not survive extraction)

− − s n x m pl o th isnot tion w pi tth th m o in i u 1. ll o ou tt ks ov th s t k ys. h si i s h in th tt ks not nti ly novl;m ny o th m ppli tions o th n l toolswo k out y opp sm ith oh nson n ty s 97 n ih m ih 9 ih 9 ih 96 . h nin n w lo k m o swh i h ih m p opos

1. O 2. O 3. O

− −

r

. 5. 6. 7. . 9.

sis o

O

o

nt



u ti

o

so O

r tio n

7

− −

O O O

n .

p opos st m m o

1. O 2. O n th

P ro o s





h



tn

→ →



→ →

s n

.

ollowin s tions w fi n n w tt kson ll o th s x ptO .

3 The Threat Model

In this section we examine the attack model. The opponent is assumed to have the necessary computational power to perform 2^56 off-line trial encryptions. We assume (as is standard) that the adversary can perform known-plaintext, chosen-plaintext, and chosen-ciphertext attacks. So far we have not deviated from Biham's model. We list below the important differences.

3.1 Chosen-IV attacks

The most important difference between the two models comes when we examine the treatment of IVs. In our model, a mode is essentially a mini-protocol specifying how to perform secure message transport. To send the secret message P, one enciphers P under the appropriate multiple mode with key K and with randomly chosen IVs IV_0, ..., IV_n, transmitting the bundle (IV_0, ..., IV_n, C) over the insecure medium; the receiver decrypts C with the specified IVs under the shared key K and recovers the decrypted message P. The subtlety comes when we introduce active attacks: with the ability to perform chosen-ciphertext attacks, such adversaries are free to specify any ciphertext C along with any IVs they wish, and they will receive the decryption P of that ciphertext. Our attack model captures this notion. Because we allow chosen-ciphertext attacks, we also allow (as a natural consequence) chosen-IV, chosen-ciphertext attacks. It is worth noting that this choice induces a slight asymmetry between chosen-plaintext and chosen-ciphertext attacks: adversaries may control the IVs in chosen-ciphertext attacks but not in chosen-plaintext attacks.

In contrast, Biham did not consider chosen-IV attacks; even known-IV attacks were mentioned only in a few special cases. His model is a more elegant and clean model for analysis; for instance, the symmetry ensures that the security of a mode is the same as for its inverse. Also, attacks are all the more compelling when they perform in Biham's more restrictive model. Finally, Biham's attacks remain applicable even when special measures to protect the IVs are taken, whereas our attacks may be stopped by such measures.

We take the conservative philosophy that our model should allow adversaries considerable leeway; if the cryptosystem can stand up to attack in such a model, our assurance of security will be all the better. Part of our justification for this approach is that triple DES with outer chaining already offers pretty good security with only a few shortcomings; if we want to do better, the threshold should be quite high. Our attacks will take advantage of this ability to control the IVs, so they are not directly comparable to Biham's results. However, a number of the chosen-IV attacks can be converted to known-IV attacks with only minor increases in the complexity of cryptanalysis, so some comparisons may be possible. See Section 6. Even where we are not aware of known-IV attacks, we view our chosen-IV attacks as certificational weaknesses that should at the very least raise warning flags about the security of the modes in question. This subject is not yet exhausted. See Section 6 for some simple countermeasures to resist chosen-IV attacks, some counter-countermeasures, and their implications for the interpretation of our results.

3.2 Adaptive attacks

Biham's model also differs from ours in another respect: we allow adaptive chosen-text attacks, whereas Biham did not consider adaptive attacks. Moreover, Biham generally required only one encryption stream for his analyses. In contrast, all of our attacks are stated in the language of adaptive attacks. We view this distinction as relatively minor. All of our adaptive attacks can be easily converted to non-adaptive attacks with a negligible increase in complexity (and occasionally a substantial increase in the number of messy details); in short, the adaptivity is merely convenient, not fundamental.

3.3 Complexity measures

One philosophical point is that we try to be explicit about the resource requirements of our attacks, listing separately the number of chosen texts, off-line encryptions, and memory words needed. This then lets one assign appropriate costs to each resource according to his or her security environment. It would be simpler to label each attack with a simple complexity measure that equates the cost of one chosen text with the cost of one trial encryption. Such a measure has the benefits of simplifying analysis, summarizing results, and comparing modes; and it is a very useful first approximation. The drawback is that highly theoretical attacks needing 2^56 chosen texts may be equated with more serious attacks needing only 2^56 trial encryptions. In practice, that distinction can be critical. Therefore, where possible, we aim to improve the quality of the approximation by using more explicit complexity measures.


4 Divide-and-Conquer Attacks

First we list some fairly elementary attacks on several modes. These all have the flavor of "divide-and-conquer" algorithms: namely, we isolate the effect of each subkey with chosen-ciphertext probes and then recover each subkey with 2^56 exhaustive key search. By the end of this section we will see how to attack the block modes [...] and [...] for any number of component modes in the special case where each mode is either [...] or [...]. The intuition is that in such modes we have the relation

0

= •0



• 0 (• •

0)

•••



• •

(• • • )

(1)

on the first block; this is highly linear and therefore highly suspicious. We will also see how to attack stream modes of the form [...]→[...]→···→[...] if each mode is one of [...]. The idea is that we can apply a divide-and-conquer attack that isolates the effect of the last key (with a single chosen-ciphertext query that probes the last IV); we then strip off the last mode and continue iteratively.

• • • •• • • •• • • •

Our attack on this mode is composed of three phases; each phase isolates the effect of one key K_j. First we recover the key K_1 used in the first [...] mode by using one chosen-IV, chosen-ciphertext query: namely, we isolate the effect of K_1 by probing IV_1. In the second phase we recover the key K_2 by probing IV_2 with a similar chosen-ciphertext query. Finally K_0 is recovered by exhaustive key search.

In the first phase we probe IV_1 to isolate the effect of K_1 and recover K_1 with 2^56 exhaustive key search. Let P^0, C^0 be a known plaintext/ciphertext pair with known IVs. Construct a chosen-ciphertext query C^1 as follows. Pick IV^1_1 ≠ IV^0_1, set IV^1_0 = IV^0_0, IV^1_2 = IV^0_2, take C^1 = C^0, and obtain the decryption P^1 of the new ciphertext. Note that by equation (1)

$P^0_0 \oplus P^1_0 = E_{K_1}(IV^0_1) \oplus E_{K_1}(IV^1_1).$

Therefore we may find K_1 by 2^56 exhaustive key search, recognizing the right key value when the above equation holds; with high probability we expect no wrong key value to survive the check. The second phase recovers K_2 in an entirely analogous fashion, this time probing IV_2 instead of IV_1. Finally, in the third phase we perform 2^56 exhaustive search over K_0 (the only remaining unknown key value). Therefore the total complexity of the attack is two chosen ciphertexts and 5·2^56 off-line trial encryptions.


• • • •• • • •• • •

,• •

This mode can be broken in a way entirely analogous to the cryptanalysis of the previous one: probe IV_1 in one chosen-ciphertext query to recover K_1, then probe IV_2 to learn K_2, and exhaustively search over K_0. So this mode too can be broken with two chosen ciphertexts and 5·2^56 off-line trial encryptions.

• ••

• • • •• • • •• • • •• • • •

This mode can also be broken with the same technique: three chosen ciphertexts and 7·2^56 off-line trial encryptions.

The mode illustrated in Figure 1 is also easy to break using the same techniques. As before, in the first phase we can probe IV_0 to isolate the effect of K_0 and recover K_0 by exhaustive search; continue to recover the rest of the keys. In this way we can break this mode with a total of three chosen ciphertexts and 7·2^56 off-line trial encryptions.

• •• O

is lso −

• •• • • • • • • • • →



mo •

0

= •0

is h

t iz



2 •

• 2 (• •

n th fi stph s o ou tt k o p is ly l t • 0•• 0 • • 00•• • 1 0•• • 20 n onstu • 1 = • 0 pi k • • 21 = • • 20 N xtissu h os n- iph txtqu not th t • • 20

• • 21 = •

• 2 (• 0



y th

l tion

(• • 1



• 0 (• •

0) ) ) •

w p o • • 2 to isol t th to • 2. known pl intxt/ iph txt p i with s t h os n- iph txtqu y s ollows. t n s t• • 01 = • • 00•• • 1 1 = • • 1 0• y o th • 1 •• • • 1 to t• 1 . in lly 0



0

0)



• 2 (• 0

1



0

1 );

this relation lets us recover K_2 with 2^56 exhaustive search. The second phase of the attack probes IV_1 in a similar way to recover K_1. Finally K_0 can be obtained in the third phase by brute force. In sum, this cryptanalysis requires 5·2^56 off-line trial encryptions and two chosen ciphertexts.


• •• • • •• • • ••

Ou tt k on O → → mo p o sin v y sim il w y to th t s i in th p viousp ph . p o • • 2in h os n- iph txt tt k wh i h llowsusto isol t th to • 2 y th ollowin l tion •

0

0



0

1

•00



1 = •

• 2 (• •

20)



• 2 (• •

21 ) •

h n • 1 is ov n lo ously n • 0 y xh ustiv k ys h . h tot l om pl xity o th is tt k istwo h os n- iph txtqu i s n 5 2 6 o -lin ti l n yptions.



• • • • • • •• •• • • ••• • • •

In this section we describe a number of narrow-pipe attacks. (By "narrow pipe" we mean a channel that is relatively narrow, only 64 bits wide for instance.) The basic technique is to identify some narrow pipe through which all diffusion is channeled; then you can generate a bunch of texts and look for a collision in that narrow pipe. The birthday paradox assures us that we will find a collision in the narrow pipe relatively quickly (within 2^(n/2) texts for an n-bit pipe). Then we hope (1) that we can recognize the collision by looking only at the plaintext and ciphertext, and (2) that we can use that knowledge to deduce some relation which isolates the effect of just one key. When the attack is designed correctly, we will be able to find recognizable collisions in the narrow pipe that let us deduce important information about some key standing alone. After recovering that key with 2^56 exhaustive keysearch, we may remove the effect of that key and attempt to solve the reduced mode by iterating the attack. In this section we show how to break the [mode name not recoverable] mode as well as the [mode names not recoverable] modes. • ••

• • • •• • • •• • •

,•

•• • •

,•

− − o k (s i u 2) w fi st ov • 0 y p o in • • 1. L t• 0•• 0 known pl intxt/ iph txtp i with known s n uil h os n iph txtqu y s ollows. i k • • 1 1 = • • 1 0 s t • • • 1 = • • • 0 o • = 1 t k • 1 = • 0 n o t in th yption • 1 o th n w iph txt. Not th t

•• 1 0

•• 1 1 = •

• 0 (• •

00

• 0 0)



• 0 (• •

01

• 0 1 )•

h o w m y fi n • 0 y 2 6 xh ustiv k ys h o nizin th i h t k y vlu wh n th ov qu tion h ol s;with h i h p o ility th h k will lim in t ll in o t u ss s tth k y. On w ’v l n • 0 with 2 6 wo k n on h os n- iph txtqu y w n p l o th to • 0 n u th p o l m to th to kin th − − mo .


[Figure: diagram of the mode discussed above; caption not recoverable]

− − ih m onj tu th tth qu m o ism o s u th n ny tipl m o . Not th tou p s nt tt k o snotim m i tly isp ov ih m ’s onj tu sin ou u tion li son m ountin h os nh os n- iph txtqu y wh i h isnot llow in ih m ’ss u ity m o l. n tion 6.2w xtn itto wo k with only known- qu i s wh i h in sus stp los to ih m ’sm o l. • •• •• • •• • •• • • ••• • • • now s i h ow to fi nish th tt k on − − . ll th t m ins is to n lyz th tipl m o − − . ih m h s sh ow h ow to k th is tipl m o with 26 66 h os n pl intxts n 2 wo k ih 96 . Non th l ss in ou s u ity m o l 26 txts quit h i h i n on m i h twon wh th th mo i nt tt ks. − − h nsw isy s. p s ntn xt n w tt k on 2 6 wh i h qui s only 2 h os n- iph txt h os nqu i s n 6 2 ti l n yptions. h is n us s su outin to vlop ull tt k on th − − qu m o with ou h ly quivl nt om pl xity. • • • • • •• • • • • • • • − • • • − • ov • 2 y p o in • • 1. ix it y s• • 0•• • 2. onstu t2 2 h os n- iph txtqu i s s ollows. o h • pi k • 0 • n • • 1 • n om ly n l t • • = • • 1 • . Now w o t in th yptions• • o th os 2 2 iph txts. s h o ••• su h th t


• • = • • (usin h sh t l so s to voi in sin th om pl xity o th tt k) . Not th ttwo pl intxtswill t inly m th in th fi st lo k (i. . •0• = •0• ) i •• 1 •

•• 1 • = •

• 2 (• 0



• • 2)



• 2 (• 0



• • 2)

(2)

h ol s us th n th sultin ollision tw n th s on n th i l y swill n ss ily p op t up to th pl intxt. o ov i qu tion 2 h ol s th n in t th two pl intxts • • •• • will m th in th i nti ty. ( h isis us th vlu tth ottom o th th i ly tth s on lo k is• • • 2 (• 0 • • 2) ;now th h oi o • • •• • nsu sth t• • • • 2) • • 1 • • • 1 • ) = • • 1 • • • 2 (• 0 • • • 2) = • • 1 • (• • 2 (• 0 • • • 2 (• 0 • • • 2) = • 2 • • • 2 (• 0 • • • 2) so w will t ollision tth ottom o th th i l y n th iswilln ss ilyp op t up to th pl intxt.) in w n t 2 2 iph txts n th lo k siz is6 its y th i th y p ox with h i h p o ility w will fi n on p i ••• s tisyin qu tion 2 n so with h i h p o ility w will s • • = • • o som ••• . On th oth h n us • istwo lo ks(12 its) lon th h n so s in h n m th • • = • • y i ntis v y low. h o w xp tto s on m th • • = • • n w n on lu th t o su h ••• qu tion 2m usth ol . On w ’v oun p i ••• wh qu tion 2h ol s w n us itto isol t th to • 2. h isl tsus ov • 2usin 2 6 xh ustiv k ys h . in lly − knowin • 2l tsus u th p o l m to th to kin mo wh i h n on y st n t h niqu swith out ny in s in om pl xity. − − h isl tsus k th tipl m o with 6 2 6 ti l nyptions n 2 2 h os n- iph txt h os n- qu i s. ( n t th tt k n xtn to wo k just s i ntly with knownh os n- iph txtqu i s inst o h os n- qu i s;itjust om s itm ssi to s i .) • • •••• • •• • •• •• • • •• • • • o sum m iz w n pply th s t h niqu s − − to k th qu lo k m o with 2 2 h os niph txtqu i s n 7 2 6 ti l n yptions. Not th t w oul m ti lly u th num o h os n- iph txt − qu i sn i th w tt w yto k th tipl m o − . • ••

• • • •• • • •• • • •

o th O mo w us noth n ow-pip tt k om in with i th y um ntto fi n ollision in th O st m s n t y two i ntm ss s. n t 2 2 h os n- iph txtqu i s s ollows. ix 6 - it onst nt• fi x• • 1•• • 2 n l t• • = (•••••••••) o ll•. h onlyvlu th tv i swill • • 0• wh i h w pi k n om ly. O t in th yptions• • o th os h os n iph txts. Now w s h o ••• su h th t• • 0 (• • 0• ) = • • 0• ; th is l tion nsu s th t th two O st m s o • • •• • will m th up ( x ptth tth y will outo ph s y on lo k) . O ou s ivn su h n ••• w n ov • 0with 2 6 xh ustiv k ys h .


ow n w o niz su h o tun t vnt Not th tp lin o th s on mo u in yption o • • l vs( • •• •• •• ) wh il o • • w t ( •• •• •• • ) . u th m o p lin o th fi st mo w t( • • •• •• ) o • • n ( • •• •• • ) o • • . ( wo on not tion th qu stion m ks“ just p s nt it yunknown vlu s;two nti s oth m k with “ n not qu l.) n oth wo s w n o niz ••• su h th t• • 0 (• • 0• ) = • • 0• y th qui m ntth t• • = • 2 • n • • = • • ; ls l m ssh oul v y n with 2 2 h os n iph txts th i th y p ox ssu sus th tw xp tto fi n tl ston su h ••• . On w ’v oun ••• su h th t• • 0 (• • 0• ) = • • 0• w n ov • 0 with 2 6 xh ustiv s h . h is u sth p o l m o kin O to th to kin ( m o v y sim il to) . h l tt m o n ok n i ntly with st n t h niqu s n in tw n ov • 1•• 2with on h os n iph txt n 3 2 6 ti l n yptions. n tot l w n kO with 2 2 h os n iph txts n 2 6 ti l n yptions. • ••

• • • •• • • •• • • •• • • •

O n ok n sim il ly. i st w s m t h niqu s s i ov o O o is k ( m o v y sim il to) with two h os n iph txtqu i s n 5 2 6 ti l n ypt n lysiso O n s2 2 h os n ti l n yptions. • ••

• • • •• • • •• • •

.

ov • 0 usin h n ll w n n th t n yptions. n tot l iph txts n 6

th to on ou 26

,• •

− mo . not w o ny ston tt kson th O h v n ow-pip tt k th t ov sth k y with 2 2 o in ti l yptions 2 2 h os n iph txts n no m m o y; ut us th is sultis so w k w will in om s i in ith . lso h v n tt k th t qui s26 6 knownh os n- iph txtqu i s 6 2 o in ti l yptions n 26 6 m m o y. h is too is h i h ly un listi utw will sk th th tt k h o om pl tn ss. p o m u h s in tion 5 .2 with th ition l om pli tion th tw m ust lso o n int n l k h nn l to m th . h oos 26 iph txts • • = (•••••••••) o ll •. s k ••• su h th t • • 0 (• • 0• ) = • • 0• wh i h will nsu th t th two O st m sm th up (outo ph s y on lo k) ;w lso qui th t • • 2 (• 0 • • • 0 (• • 0• ) • • 2• ) = • • 2• wh i h yi l s ollision (outo − ph s y on lo k) in th l y ’sint n l k h nn l. h s two on itions nsu th tw n o niz su h p i ••• yth on ition • 2 ••• • = • ••• • . u th m o th i th y p oxp i tsth tw will n ount on su h ••• ;on w ’v o niz it w n us th known sto ov • 0with 2 6 xh ustiv k ys h . h n th sto th k y m t i l n o t in with m t-in-th -m i l s h .


In short, we were unable to make much progress on the analysis of the [mode name not recoverable] mode, and so we leave it as an open question for others to examine. • ••

• • • •• • • •• • • •• • •

,• •

− p s nt n tt k th t ksth O m o with on 2 h os n iph txtqu y n 2 wo k. h isis n un listi tt k utitsh ows th tth isqu upl m o o snot tt in th st n th on m i h ti lly h op o in qu m o wh n h os n- qu i s th t. i st w p o • • 2 to isol t th t o • 0•• 1. L t • 0•• 0 known pl intxt/ iph txtp i with known s• • • 0. onstu t h os n iph txtqu y • 1 •• • • 1 y t kin • 1 = • 0 l ttin • • • 1 = • • • 0 o • = 0•1•3 n pi kin it y • • 21 i nt om • • 20. h n w h v th l tion

• • 20 • • 21 = •



(• 0 0 • • 1 •

• 0 (• •

0) ) •



(• 0 1

•• 1 •

• 0 (• •

0) ) •

wh i h llowsusto isol t th to • 0•• 1. Now w ov • 0•• 1 with 2 2 xh ustiv k ys h . in lly on w ’v l n • 0•• 1 w n ov • 2•• 3 with s on xh ustiv k ys h . ( n t w oul us th m t-in-th -m i l tt k on ou l to ov • 2•• 3 utth iswill not u th tot l om pl xity o th ull tt k si nifi ntly.) h tot l om pl xity o th tt k is3 2 2 o in ti l n yptions n on h os n- iph txtqu y. h issh owsth tth qu upl m o O − isno ston th n tipl (with out h inin ) inst h os nh os n-txtk y- ov y tt ks n so th ou th l y s m sw st . tisint stin to not th tth p s nt tt k o snot pply to th tipl − vn th ou h th ism i h ts m lik p ox tfi st mo O l n . h is l vs op n th ount -intuitiv possi ility th tth O − − tipl m o m i h tw ll ston th n th O qu upl m o .



• ••• • •••• •

All of our attacks have relied on the ability to control the IV offered by our attack model. This raises the issue of whether it is possible to prevent these attacks with simple countermeasures. The answer seems to be a mixed yes: there are some simple countermeasures, but they have limitations. We survey some possible approaches here. • ••

• • • • •• • • • • • • • • •

• • • • • • • •• • •• • •

One suggestion is to encrypt the IVs before transmission (with, say, triple-DES or quadruple-DES) rather than sending the IVs in the clear. This thwarts the attacker's ability to choose the exact values of the IVs.


On th oth h n th is pp o h h s w kn ss wh n on n ypts h in p n ntly th tt k n still us ol vlu sin n w h os n iph txts. om o ou tt ks(suit ly m o ifi ) n onv t to wo k instth isp oto ol wh n (1) th y only ly on th ility to o • (o som h oi so • ) to th s m o ll h os n iph txts n (2) th tu l vlu o • isi l vnt. s n illust tion w sh ow th tO → → isno s with th isp oto olth n o tk • • 20 = • • 22 = • • • • 21 = • • 23 = •• • • 1 0 = • • 1 1 = •• • • 1 2 = • • 1 3 = • o som unknown • •••••• i ntity •

• 2 (• 0

0 •

0

0) •

• 2 (• 0

n 1

o •

0

1) = •

0 to • 2 (• 0

onst nt;th n w h v th 2 •

0

2) •

• 2 (• 0

3



0

3 )•

wh i h l tsus ov • 2with 2 6 wo k n ou h os n- iph txtqu i s n • 1 will ll soon th t . o n yptin th sisno u nt o s ty. • • • •• • •• • • noth n tu l tion isto sim ply insistth ts n s pply to th s wh i h iv s m ust v i y o yptin . y p ot tin th int ity o th s th isstops h os ntt ks. h is pp o h still l vsth us sop n to knowntt ks wh n th y xist. om m o s sus pti l to knowntt ks;oth sm y not . low o w illust tionso th is n . n n l th knowntt ks th tw know o usu lly qui m o txtsth n th i h os nount p ts so in th sm y u th th tl vl. noth um nt instth is pp o h is s on n in in onsi tions. Now w h v n w p oto ol wh i h is m o om pli t n wh i h into u s n wh ol n w p im itiv to th m ix. n up pl in on ilu m o with two i ith th n yption l o ith m o th is om p om is th n th m ss k ysm ust ov . tisp h psim p u ntto ly on th s u ityo th to p ot t onfi nti lity just s ons vtiv ypto ph i si n lls o in p n nts ssion k ys o uth nti tion n onfi nti lity l o ith m s(to lim itth im p to th om p om is o ny on l o ith m ) w woul o w llto voi linkin th s u ity o ou with th s u ity o ou n yption l o ith m . oul p h psfi st n ypt n th n uth nti t th s to stop oth knowntt ks n tt kswh i h ttm ptto pl y ol s. ow v in th ism u h om pl xity to th systm m y in to tstth lim itso on ’s om o t zon ; tth l st m o n lysiss m sn . • • • • • • • • • • • • • •• •• • • opp sm ith t l. 97 h v ppli novl ount m su to stop h os ntt k w is ov on th i o i in l p opos l. h y lim itth possi l vlu s o h to sm llsu s t on is fix t0 n th oth 6 - it h s o its itsfi x t0. h is un n y lim itsth ility o n tt k to ontol th n ount sth tt k w oun .


h isis v y l v ti k utitonly s m sus ul in t in s s. in un n y to swill notstop m osto th tt kslist in th isp p . ixin t in s t 0 woul t m ny o th tt ks ut it s m s th t su h m su oul v s ly ts u ity in oth w ys o num o th m o s p opos y ih m . ts m spossi l th tth is ount m su m y into u s m ny p o l m s s itsolvs n so w w yo p n in upon it o s u ity. • • • • • • • • • •• • • h isis y no m ns n xh ustiv listo vil l m i s. Non th l ss w n m k som om m ntsth ts m o ly ppli l . ny o th o vious ount m su sh v noty t n su j t to ont n lysis n w h v ttm pt to sh ow th tth som pit llsto w th out o . till its m slik lyth tt h niqu s n vlop to p ot tth squit th o ou h ly o som (i not ll) o ih m ’sm o s. O ou s on h sto us th m n us th m with xt m ;itis t ilslik th isth tpl u l im pl m nt tions. h nt l qu stion isth is will su h ount m su sp ov osttiv o will th s vn m o ssu o t un th w i h to th xt p utionsth y qui o s h isn . • ••

• • •• • • •• • • • • • • • • ••• •• • •• • • • • • • • ••• • • • • ••

toppin h os ntt ksisnot nou h i th si i s h in th os tt ks n lv into sh p tt k. o illust t th point w not th t num o ou h os ntt ks n onv t to knowntt ks. su lly th isin s sth num o txtsn to m ountth tt k. h s knowntt ks inv i ly m o i ultto s i n p h ps m o i ult to is ov th n th i h os nount p ts. o x m pl ll o tion ’s ivi - n - onqu tt kson tipl m o s h os n pl intxts. s i th y n m o ifi to wo k with 26 knowntt k to fi n two txtswith m th in vlu so • • 0•• • 1;th n th tp i l ts you p o • • 2 n th us ov • 2 n • 1 is ov sim il ly. h num o known- qu i s n u yusin m t-in-th -m i l t h niqu s. o inst n on n k O with 2 2 knownh os n pl intxts. s i th y tt k to fi n two txts• • •• • with • • 0• = • • 0• . l n th t •



(• • 1 • )





(• • 1 • ) = •

• 2 (• •

2• )



• 2 (• •

2• ) •

wh i h l tsus ov • 1•• 2 with om pl xity 2 6 y st n m t-in-th m i l tt k. ( h st i h to w im pl m nt tion o th t tt k lso qui s 2 6 sp th ou h th sp qui m nts n m ti lly u y usin p ll l ollision s h l o ith m s O 96 .) pplyin th s t h niqu s w n onv tou h os ntt ksto tt ks wh i h n 2 2 knownh os n txts n • (2 6 ) wo k o llth tipl m o s in tion s w ll s o O . O lso lls with 2 2 knownh os n txts u to pi o lin lu k • 0 nnot t


• 0 • 0 . im il ly w n o t in tt ks qui in 26 knownh os n txts 6 − − n • (2 ) wo k inst n O . − Ou o i in l tt k on O n in on h os nqu y n 2 2 wo k n xtn to wo k with 26 knownh os n txts n 2 − − 2 wo k. in lly w n t n tt k on th t 6 6 ov s• 0with 2 knownh os n txts n 2 ti l n yptions n om th n k th wh ol qu m o with noth 6 2 6 ti l n yptions n 2 2 knownh os n txts. ( h s stim ts ou h n th t ilso th n lysis un h k .) n i nt lly th s sultswoul isp ov ih m ’s onj tu s o s v l o h ism o s •• w m k th m jo on ssion o ptin th vli ityo knowntt ks. ( ition l m il on ssions qui in som s s.) o inst n − − − − itwoul sh ow th t n O not m o s u th n ll tipl m o s i w lso ssum th tth issom tipl m o wh i h sists ll tt kso om pl xiti s son l stipl with l ssth n 26 ;th l tt ssum ption isquit out h inin is n x ll nt n i t o on su h m o . O ll with om pl xity 2 6 wh i h woul isp ov (i w ptknowntt ks) ih m ’s onj tu th tith s s u ity to o tl st2 2 . h tipl m o s − ( x ptO ) ll to tt ks with 2 6 om pl xity (i w pt knowntt ks) wh i h isl ssth n th onj tu 2 2 s u ity to . h s sults o not tu lly ut ih m ’s onj tu s u ity to s. ow v th xistn o knowntt kso low -th n- xp t om pl xity in sus stp los to un st n in th tu s u ity l vl o th s m o s.



• • • • •• ••• • •

This paper has presented new attacks on all but one of Biham's proposed modes. These attacks rely on the ability to control the IVs, and therefore require quite powerful adversaries, which may or may not be of concern in practice. Of all the proposed modes, the [mode name not recoverable] mode seems to have the best resistance to the chosen-IV attacks which we know of. These results illustrate the difficulty of building secure modes that contain inner chaining. The danger of internal feedback mechanisms is that the cryptanalyst may be able to probe the internals of the multiple mode of operation by using chosen-text queries; in many cases this allows the cryptanalyst to isolate the effect of a part of the keying material. This work describes a new failure mode for such systems when the adversary can gain control of IV values. This presents additional evidence of the fragility of constructions based on internal feedback. We believe that it would be prudent for conservative cryptographic engineers to avoid multiple modes with inner chaining until they are better understood by researchers. For now, triple-DES seems to provide more robust (or at least better-understood) security.


Acknowledgements

The descriptive term "narrow pipe" is due to John Kelsey. The author is deeply grateful to Eli Biham for his comments, which have greatly improved the quality of this work.

• • •• • • • • • • i9

.

.

i

“O n o s o O r tio n ” r r 99 . . i “ r tn sis o u ti o 9 7 rin r r 99 . . i “ r tn sis o ri o so O r o rt 9 9 6. . o rs it . . o n so n n . . t in in it O u t u t s in ” o no 9 9 6. P. . n O o rs o t n . . in r “ ro t i tt s o r rs o n itu ” rin r r 9 9 6. 9

i9

.

i 9 6. 9 7.

O

9 6.

rin

w s o

O

r tio n ”

r tio n ”

n io n t

s “ ri

in

i

i

nt s

ni r

o

t in 36

f t

2

n

o p y• L

. K nu

n2 • •

n

in nt ij

n

• • •

. .L uvn O .M l n 94 3001 v l lg u •••••••••••••••••••••••••••••• ••••••••••••••••••••• pt. o f n fo t n v ty o f g n t h nt 020 g n o w y •••••••••••••••

Abstract. ICE is a 64-bit block cipher presented at the Fast Software Encryption Workshop in January 1997. It introduced the concept of a keyed permutation to improve the resistance against differential and linear cryptanalysis. In this paper we will show, however, that we can use low Hamming weight differences to perform partial key-dependent differential attacks on ICE. We then conclude that the keyed permutation is not as effective as it was conjectured to be.

ICE [7], which stands for Information Concealment Engine, is a 64-bit Feistel block cipher with a structure similar to the DES (Data Encryption Standard). The standard algorithm takes a 64-bit key and uses 16 subkeys in 16 rounds. There is a variant Thin-ICE, which uses 8 rounds with a 64-bit key, and the open-ended variant ICE-n, which uses 16n rounds and 64n-bit keys.

s u u

Each round function maps a 32-bit input to a 32-bit output using a 60-bit subkey. First the 32-bit input is expanded to a 40-bit value. A 20-bit subkey performs a keyed permutation and a 40-bit subkey is xored to the resulting value. Finally it uses four 10-to-8 bit S-boxes and a permutation to obtain the 32-bit result of the round function. In this paper bit numbering is from right to left, starting at bit zero. So the rightmost bit of an n-bit value V is V_0, while the leftmost bit is V_{n-1}. The four S-boxes used in the round function are labelled S0, S1, S2 and S3.



po n o y th p o j t o f th lO fo n tfi hn l n u ltu l ff (O ) lg u . h u th o wo k w on u ng h t y n L uvn po t o to l f llow o f th h o u n l o f th . .L uvn. . .O . h t n t po n o y th u n fo n tfi h l n lg u . y

t

t

y t

3 2

2 0 2 3



T s ou 10 itvlu

u

nt l

0

ypt n ly

o f th

n

h 3 2 itinput to th 2 3.

1

ypt o n

lg o th

un tion i

21

xp n

to

T th n

u 20 it u k y p o k y p ut tion on xp n 4 0 ittxt w pping it tw n 0 n 2 n tw n 1 3. p ut tion k y it10+ ( 10) i t it o 0 n 2 will w pp . p ut tion k y it ( 10) i t it o 1 n 3 will w pp .

T with T

h

S s 3 2 itvlu . h 4 3 in th i u o on tn t X n l to C. o h (i u i l polyno y (C ⊕ • ) o T vi

4 0 it

ult o

th k y

p

ut tion i

xo

4 0 it u k y. u

ou 10 to it ox to p th 4 0 itvlu to ox i il in tu tu to th o u in L K loi i l xpon nti tion. o th 10 itinputX w X 0 to o th ow l to . it X X o th olu n ow th i X o tvlu • n loi i l p i i l) • . h itoutputo n ox o n inputX i givn loi i l ith ti . • un

u u in lly th oxinto th 3 2 itoutputo th

ou it oxoutput un tion.

o

in

T s u h k y h uling lgo ith p 64 itk y to 16 60 it u k y . h u k y iti p n nton only on k y it. h h in k y h ul i i ply th fi t igh t oun o th t n k y h ul . h k y h ul uil on th k y h ul n p 64 itk y to 16 60 it u k y .

i nti l ypt n ly i w into u y ih n h i 2 n n u to p o h o n pl intxt tt k . h i i i th t two h o n pl intxt with t in i n ⊕ 2 n n iph to two iph txt u h th tC C ⊕ C2 h p ifi vlu with non n gligi l p o ility n uh h t i ti ( C ) i u ul in iving t in it o th k y. h h to i nti l tt k i th fi n ing n th u o h t i ti with h igh p o iliti . h n ly i o in 7 on i only y ti i n wh i h h v qu l l t n igh t16 ith lv o th 3 2 itinputto th un tion. h i i li to th t t tgy in th y th only i n not t y th k y p ut tion. on qu n th tt k h to t g t tl t

22

t

n

o p yL

.

nu

n

n

nt

two ox t ti n th p o iliti too tt k. h pp o h u in ou tt k i to u i w igh t( low po i l ) . h th th y will t tion p n on th vlu o only w k y it. onlyon oxin th oun un tion. n th i w yw p o ility h igh nough to (th o ti lly) ov u to 1 oun in ti l th n th xp t h o pli tion i th tth tt k o k y

j

n

low to

u

in

n

with y th h i n n fin h k y o o t o xh p n nt. t

li ti

low ing k y p u u t i ti with th lgo ith u tiv h.

f xpl in in th p viou tion w will o u on low ing w igh t i n th t only on oxin th oun un tion. ti notpo i l to uil 2 oun it tiv h t i ti lik th on u o th n ly i o 2 with i n th t only on ox(u ingonly th i l 6 it outo th 10input it to th t ox o th titi not t y th xp n ion in th oun un tion) . n h ow v uil 3 oun it tiv h t i ti o th o p ifi in igu 1. 0

[Figure 1. A 3-round iterative characteristic; diagram not recoverable]

u w ti tth i n n to on ox th y n h v ing w igh to no o th n 4 h in th itoutputo n ox liv t th p ut tion n th k y p n ntp ut tion in th n xt oun up to 4 it to n oxin th n xt ppli tion o th oun un tion.




h h t i ti will vli i n not t y th k y ut tion in th o pon ing oun . h i h pp n i th p ut tion k y it u in th itpo ition th t tin n qu l to z o ( o th i n willnot p ut o th l t20 ith l o th xp n txtto th igh to vi v ) . h lo h t i ti th t vli only i t in p ut tion k y it qu lto on ( o pon ingto th it tin o o oth ) . n g n l w llth •• • • •••• • • • h t i ti ( . th tt k on Lu i 1 ) wh i h h v t in p o ility with p tto u to th k y p . h i u g i vi l wh n th y i p ov th p o ility ov th tp o ility o non on ition l h t i ti y to h igh th n th inv o th • • • ••• • ••• • (th tio tw n th iz o th u t n th iz o th k y p ) p i lly i v l uh h t i ti n i ntly h th tu tu o h o n pl intxt. w on i only i n with ingw igh ton th i tot l o 10 on ition l h t i ti with p

2− l 1 li t o o th to on tu t 3 oun h with th o pon ingp o g ttwi th nu o h wh i h h ).

1 2 2 29 31 2 3 10 2 3 4 22 1 30 1 23 22

T

h i ton . to n

i

3

2

2−

n o ingw igh t1 wh i h n u − t i ti with p o ility 2 t og th 2 iliti . y int h ngingth vlu o n w t i ti ( x pt o th ou th nty in th t l

( lo g 2 )

.4 .4 .4

2

( lo g 2 ) o u n 2 o u n 3 0 0 .4 1 1 1 0 0 0 .4 0 0 .4 1 1 .4 1 0 9 1 0 0 0 1 1

i nti l h t i ti with ingw igh t1 n 2− . 2 n n not yth itpo ition in th 3 2 itvlu th ti t l o li tth qui vlu o th p ut tion k y it o pon ing in th on n th i oun o th h t i ti .


w


6


u


s

u th t3 oun h t i ti with 2 n 1 ollow y tivi l oun with p o ility 1. h p o ility o th i 4 oun h t i ti i 2− 2− 2− 3 . ti vli i th it tin th i n n 2 notp ut in th p tiv oun ( oun 2 n 3 ) . h i n t n lt to th ollowing on ition it14 it2

0 o th p 0 o th p

ut tion u k y in oun 2. ut tion u k y in oun 3 .

x in tion o th k y h o th 64 itu k y it20

1 n

it12

uling lgo ith

h ow th

o

pon ing on ition

0.

igu 2 h ow th 6 oun lgo ith n th 4 oun h t i ti . h xp t input i n to th oun un tion in oun i th xp t output i n qu l th i n in th igh th l o th iph txt. h i llow u to h k i n it y n ypt p i (with th igh t i n in th pl intxt) i igh tp i o th h t i ti . h i n 1 liv n input i n to ox 1 o 3 p n ingon th vlu o th o pon ing p ut tion k y it. o th output i n o ox 0 n 2h v to z o w ll th output i n o ith 1 o 3. hi o pon to h king th vlu o 24 − 1 23 it. o w ong . h p o ility p i h p o ility 2−2 3 o u viving th i fi lt ing p o o g n ting igh tp i i u h h igh (2− 3 ) o wh n p i u viv th fi lt ing with h igh p o ility iti igh tp i . o uh igh tp i w know th input n th i n tth output ( C• ⊕ ) o th l t oun n o ll po i l u k y w n h k wh th th y o pon . p tth i o out ou igh tp i (w n to g n t 2 p i o pl intxt) th o t u k y will ugg t h out4 2 3 ti n n i tingui h o oth ugg t u k y . h ign l to noi tio (th tio o th nu o ti th o tk y i ugg t n th nu o ti n it y k y i ugg t ) o th i tt k n l ul t with th th o i in 2. t p n on th nu o pl intxtp i th p o ility o th h t i ti th nu o i ult n ou k y it th tw ounton th v g ount p n ly p i n th tion o th n ly p i ong ll th p i . 2• n th i w h v oxw ountingon o th xo op tion) . h

2 n 2− 3 . h n on nt ting on on 20 k y it (10 u o th p ut tion n 10 v g ount qu l 2 2 in w ounton 22 0




0

[Figure 2. The characteristic for an attack on 6 rounds; diagram not recoverable]

2


u k y n h k n itvlu ( i tion (fi lt ing) qu l 2−2 3 . n 2

2 2− 3 2 2 2−2 3 22 0

u


n tth outputo th th ign l to noi tio i

n i il ly o th oth th ox 3 u th p ut tion k y it o th on ox wh i h u th ju tth 10 xo k y it. n th i w y w ining4 it o th u k y n w

n

22 2−

ox) .

h

2

. ow v 0 n 2 w ll 1 n wh i h w h v to t in only on . p ut tion k y it w n ounton t in ll60 it o th u k y. h ily oun y xh u tiv h.

s T

n xtn th p viou tt k in t igh to w nn u ing 6 oun 2− 2− 2− 2− 2−2 . t i ti with p o ility 2 2 h tt k n i p ov h ow v y in ting oun o th fi t oun o th h t i ti with out u ingth p o ility lik in th tt k on 2. h u volution o i n ( u ingth n yption o igh tp i ) i h own in igu 3 . n th fi t oun th i n tth inputo th oun un tion i n input i n to ox 0o 2 p n ingon th vlu o th o pon ingp ut tion k y it. gu th i it n p tth tt k i w h v gu w ong. o p n t th i n tth outputo th oun un tion o oun 1 y u ing tu tu o 2 pl intxt h



⊕ (



0) ¯•

⊕ (



0) ⊕ (0 )

o 0

2

with • noting llth po i iliti o th it th t xo with th output it o 0o 2 ( ) not th l t n igh t3 2 ith lv o 64 ittxt. 2− 2− 2− 2− . h p o ility o th h t i ti i 2 2 h on ition o itto vli it14 it2 it2 h

o it3

0 o th p 0 o th p 0 o th p

ut tion u k y in oun 3 . ut tion u k y in oun 4 . ut tion u k y in oun 6.

pon ing on ition o th 64 0 it 9

1 n

it2

itu

k yi

1.

n th fin tu tu th 2 p i o wh i h 2 ti yth fi t oun . h n i ol t in 2 ti ollow . in th xp t output i n o ox 1 n 3 in oun 7 z o w o tth txt o ingto th vlu o th o pon ing it in th igh th l o th iph txt n fi n th th ingvlu . fi lt th u th y ox 0o 2(lik in th 6 oun tt k) n n xp t2 2− 2− igh tp i in tu tu . y u ing2 3 tu tu 4 igh tp i xp t . n tot l h ow v th 2 23 22 p i . t fi lt ing o 23 it w xp t th will in 2 64 w ong




[Figure 3. The characteristic for an attack on [number of rounds not recoverable] rounds; diagram not recoverable]

2


p i . o th i ixtu o igh t n w ong p i w ty ll po i l u k y on nt tingon on ox t ti . n th l ul tion o th ign l to noi tio o th i tt k th i n xt to 2− i po y th fi t oun tu tu ( 23 2 utonly 2 3 2 p i ti y th fi t oun ) 23

2 3 2 2− 2 2 2 2−2 3 22 0

22 2−2

n ily xtn th i tt k to k itvli o u tgu th vlu o it2o th p ut tion u k y in in t o 0 th oun un tion in th t oun liv n o 2 . ith p o ility 2− th i output xo will p o th tt k in i il w y. h on ition o th it3

0 n

it 9

2 twi ny k y . oun 6. it qu l 1 output xo i nt γ 30 n w n 64 itu k y i

1.

lt n tivly w n o n igh t oun tt k u ingth h 31 n 26. o ingto l 1 th p o ility o th i 2− 2− 2− 2−2 0 . h on ition o th p i 2 2 it t n l t to th ollowing on ition o th u k y it4

1

it1

1 n

it4

t i ti with h t i ti ut tion k y

1.

o th p ut tion k y itin oun 6 o n’ti po n xt on ition on th u k y n w on’th v to gu th i itwh n u ingth h t i ti with 31 n 26. s h

s

s s

tt k o th 6 oun v ion n th oun v ion ( h in ) h v n i pl nt n on th v g wo k p i t . ow v u inglow ingw igh t i n u o o pli tion . h input i n to th l t oun i u y th output i n o th p viou oun . h toutput i n i u y ju ton ox n h ingw igh t o no o th n with n v g o 4 . h ox in th l t oun iv 2 it o th it. u th k y p ut tion w p it tw n th p tn ’ ox 0− 2 n 1− 3 n ox will fi n lly iv tw n 0 n 4 o th it tit input p n ingon th vlu o th p ut tion u k y. nly th it n u n input i n . ox 0 o 1 g t it th n p tivly 2o 3 will g t4 − it. p ti ul ox g t it with po i l i n th p o ility to g tinput i n z o i pp oxi tly 2−• . n l 2w li t th po i l vlu o th tp o ility n th tion o u k y o wh i h it h ol . th input i n to n oxi z o llo th gu o th p ut tion u k y th t u z o i n will ount will ll po i iliti




p o

l tyf 1 2− 2−2 2−3 2−

T

o

iliti


t on of u k y 1 2 4 2 2 4 2 1 2

to g t z o input i

n

to n

ox.

o th xo u k y. h o th tt k i l i nt n w h v to look o o o igh tp i o th h t i ti (in p ti tw n 4 n ) h n u o pl intxt. n to th ox will lw y o tion 2− o th k y th input i z o ow n t in only o o th p ut tion k y it n non o th xo k y it. utth n th p tn ox h p o ility o z o input i n o only 2− . t in th p ut tion k y it vi th i ox n th 10 xo k y it th tw nnot t in n look o xh u tivly t th i nti l tt k (tog th with th 4 it o th u k y th t not u in th 60 it u k y o th l t oun ) . ti po i l to xploitth o ion o z o input i n to i p ov ou tt k. th input i n to n oxin th l t oun i z o th output i n i z o w ll. n th t w know th o pon ing i n t th inputto th oun un tion in th on to l t oun n w n h ki it vlu o pon to th vlu th ti qui o th h t i ti . n th i w yw n o o xt fi lt ing wh i h i i po t nt o th oun tt k wh w xp tto g t64 w ongp i . twill in th ign l to noi tio n u th nu o qui pl intxt.

h 3 oun it tiv h t i ti n xtn in t igh to w w y to tt k th lgo ith with n it y nu o oun . uti th nu o oun x 9 th ign l to noi tio will op low on king th tt k i po i l (th l t k o p viou tion llow only ligh t i p ov nt y xt fi lt ing) . h h ow v v lw y to i p ov th ign l to noi tio. u to i n n th (10u n t th

s h n p i u viv th fi lt ing( n i u igh tp i ollowing th h t i ti ) w know th input n th tth outputo th l t oun n h k wh th th y o pon . i tt k w on nt t on on ox n ounton 20 u k y it o th p ut tion n 10 o xo ing) . w n on i two p tn ox ( 0 n 2o 1 n 3) t ti . h y h 10 p ut tion k y it n oth u 10 xo k y


it. h i llow u to ounton 3 0k y it n ult in n i p ov nto th ign l to noi tio y to o 2 u w h k th vlu o o it tth outputo th on ox(in th l ul tion o w h v 2• 23 0 n 23 0 2 2 ) . n th o y u th i p ov nt ( y to o 2 o 2 2 ) po i l y on i ing p tivly th o ou ox ( 0o 60k y it) . s s u h n p i i u to ollow th h t i ti w n l o h k u k y it in th fi t oun o th lgo ith . n th i fi t oun w u p i l tu tu ( . th tt k on oun ) n gu th vlu o th p ut tion k y it o pon ingwith th i n o ingw igh ton . n w n ounton th 10 xo k y it o th ox wh th i n o ingw igh t1 i lo t . o ov u to th k y h ul o o th u k y it in th fi t oun p ntth u k y it o o th u k y it in th l t oun o th lgo ith . h i llow u to i p ov th ign l to noi tio y to o 2 y ountingon ju t w o k y it. Not l o th t o o th k y it th tw ounton l y known u o th on ition on th u k y o th h t i ti . s u h o ti po t nti p ov nt n y ptingth h t i ti . n th p viou tt k w u th h t i ti with th h igh tp o iliti . h ulting tt k ll 2 tt k ( . ih n h i 2) u th y on’t k u ption o th l ttwo oun o th lgo ith . n t w n p o 1 tt k u ing h t i ti up to th l tto on oun . n x pl o th l t oun o uh h t i ti i h own in igu 4 . lth ough th p o ility o u h h t i ti i g n lly low th n o 2 tt k iti u ul u it llow uh o fi lt ing n n ov ll u tion o th ign l to noi tio. n th l t oun w n h k i th i n tth outputo th oun un tion ( C• in igu 4 ) i po i l lik w i in th l tto on oun in th p viou tt k . h i o pon to h kingth vlu o 23 it. utw n l o h k th i n in th igh t h l o th iph txt( C• in igu 4 ) th u fi lt o 3 2 o it. hi ult in n i p ov nto th ign l to noi tio y to o 23 2 p nt th to y wh i h th p o ility o th h t i ti • • wh i u wh n w p o 1 tt k in t o 2 tt k. su s u u o oun th p o ility o th h t i ti pl intxt ( u ing4 igh tp i o th h w n oth gu o th p ut tion k y th nu o u k y it ount on ( x lu

s l 3 li t o h nu th qui nu o ho n t i ti u i nt n th t itin th fi t oun tu tu ) ing k y it in th fi t oun



[running header: Differential Cryptanalysis of the ICE Encryption Algorithm]

[Fig. 4: characteristic (last round) for the 1R attack; figure content lost in extraction]

u

o th ov l p) th ign l to noi tio n th tion o k y th t oun with th tt k. h n th nu o oun x 9 w li ttwo i nt tt k 2 tt k (wh th ign l to noi tio i i p ov y ountingon o k y it n h king th i n in th fi t oun ) n 1 tt k (wh i h h low p o ility n qui o pl intxt) . h n th nu o oun i ultipl o 3 w h v li t only th 1 tt k u it’ p o ility i th o th 2 tt k ( • 1) . n th oth w h v • 2− o − 2 . • 2 Not th tth k y tion i low o 1 tt k u th h t i ti i po o on ition on th u k y ( x ptwh n th nu o oun i ultipl o 3 ) . h t l h ow th tth i nti l n ly i wo k o up to 1 oun o o th i tt k k y it fix n n xh u tiv h woul h v 2 po i iliti ou tt k qui t o t2 pl intxt. n

s i l 3 w wo k o h t i th two h o in

th p viou tt k u ingth t on ition l h t i ti . n h v li t o h ow ny k y th i wo k . o h in th tt k tion 2−2 o th k y . o oth k y h ow v w nu i nt ti with low p o ility. n u v l h t i ti with to pl intxt i w u p i l tu tu o th pl intxt. o t i ti th i i qu tt tu tu (lik th on u o th n ly i 2) o th n o tt tu tu n o on. h nu o pl intxt

[Table 3 (values lost in extraction): for each number of rounds, the probability of the characteristic, the required number of chosen plaintexts, the number of subkey bits counted on, the signal-to-noise ratio and the fraction of keys found with the attack]

with th low tp o ility. w w ntto k y with w po i l pl intxt w u o iliti . l 4 h ow th volution o ith .

[Table 4 (values lost in extraction): number of plaintexts (log2) and fraction of keys found, for each number of rounds]

We have described attacks on the ICE algorithm using differential analysis. The main conclusion of this paper is that key permutation does not prevent differential cryptanalysis. Although the analysis is more complicated and more key dependent, in our opinion the intention of the design has not been reached.




h t3 oun it tiv h t i ti th t n u in ou tt k h p o ility o 2− 3 wh i h i h igh th n th p o ility o 2− o th t 3 oun h t i ti o L K ’91 6 ( i il lo k iph th t k u o ou i nti l 12to it ox ) . h v lo on t t p ti l tt k on th ligh tw igh t v ion h in . n it i o itfi n th tk y in 2 % o th u ing 22 3 h o n pl intxt n in 9 % o th u ing22 pl intxt. h opti l h t i ti o ou tt k on h in h p o ilityo 2− wh i h i u h h igh th n th p o ility o th opti l h t i ti on y ti input i n wh i h w h own to 2− in 7.

References

1. I. Ben-Aroya and E. Biham, "Differential Cryptanalysis of Lucifer", Advances in Cryptology, Proceedings Crypto'93, D.R. Stinson, Ed., Springer-Verlag, 1994, pp. 187-199.
2. E. Biham and A. Shamir, Differential Cryptanalysis of the Data Encryption Standard, Springer-Verlag, 1993.
3. L. Brown, M. Kwan, J. Pieprzyk and J. Seberry, "Improving resistance to differential cryptanalysis and the redesign of LOKI", Advances in Cryptology, Proceedings Asiacrypt'91, H. Imai, R.L. Rivest and T. Matsumoto, Eds., Springer-Verlag, 1993, pp. 36-50.
4. L. Brown, J. Pieprzyk and J. Seberry, "LOKI: a cryptographic primitive for authentication and secrecy applications", Advances in Cryptology, Proceedings Auscrypt'90, J. Seberry and J. Pieprzyk, Eds., Springer-Verlag, 1990, pp. 229-236.
5. FIPS 46, Data Encryption Standard, Federal Information Processing Standard (FIPS), Publication 46, National Bureau of Standards, U.S. Department of Commerce, Washington D.C., January 1977.
6. L.R. Knudsen, "Cryptanalysis of LOKI91", Advances in Cryptology, Proceedings Auscrypt'92, J. Seberry and Y. Zheng, Eds., Springer-Verlag, 1993, pp. 196-208.
7. M. Kwan, "The design of the ICE encryption algorithm", Fast Software Encryption, E. Biham, Ed., Springer-Verlag, 1997, pp. 69-82.

The First Two Rounds of MD4 are Not One-Way

Hans Dobbertin
German Information Security Agency
P.O. Box 20 03 63, 53133 Bonn

•••••••••••••••••••••••

n 1 rt s n n

t ss n t tt r r vr tv tt s n t s ns s n t n • •• s n vst 3 s r t st t s n t ns t • • • t r sp tt s n-r sstn n 2 n vr tt n t n n ss s n t n s r n n n n n s s ss t s r vst tn ns q n s r s t n t s n s n n r • • • n ts s ss rs T r r t s rt t p r t r nt v p n n t t s r n n s ns n pp t nstr tpr s r s n pr s s rststp st t r t n p rt r s t n t • •• t r vrs n • • • r t t r r n ts n r n t r -r n pr ss n n t n s n t vr t n s tssp t n s pt( nt v p n r ) • •• tt

s sst n n rt n pr n ts r vn sst n s ss •

W

6 7

W 

ntt

n

•••••••••• •••••••••• •••••••••• •••••••••• •••••••••• •••••••••• •••••••••• ••••••••••

• • • • • •

• •

y

t

n

•••••••••• •••••••••• •••••••••• •••••••••• •••••••••• •••••••••• •••••••••• ••••••••••

nt p t t t s u

n

s n t

S nt

v

n pr sr

st

pr

• • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • ••

v nstr t t t t sv • • ••

s • • • • • • • •

•• • • • • • • •• • • •

tw

r tt y t

ss • • • • • • • •

• 6 7



| |• | |•••| |•

•••••••••• •••••••••• •••••••••• •••••••••• •••••••••• •••••••••• •••••••••• ••••••••••

r s rt

stt 7

• • • • •

6 7

r n s

s •••••••••• •••••••••• •••••••••• •••••••••• ••••••••••

• ••

rst

r

r pr

ssn

un s

ss •

st

r

tn

t

s 96- tstrn

s vst •

• •

n

tn ) sn n r ss s t pr ss n t- n t 29 3 2

t t

tt - n

n r pr s nt t n •

• | |• | |•

• • • • • • • • • •• • • • • • • • • • •• • • • • • • • • • ••

n t • • • •• • • • •••• t pr ss n n t n • •• t rst r n s t • •• pr ss n n t n n r rt p t t • •• s v • rst• • • •• • • • •••• s pp t • •••••• t t n nt v s p rt t sp t n • •• ••

T

n

• • • • • • • • • • • • • • • • (• • • )•

• • • t

p

• • • •••• (• • • ) | |••

r • st 6 - tr pr s nt t n t t- n t t ( n • t n • n t t n • n t r ts t z r s sp s t tt t- n t t tn tp 12 16 3 2(t n tr tv pp t n n t n t s16 r s s np t) T v• s T s nst t

n •

2

r n t t tstrn

s



n

• • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • •• tp t • • • •• • • • ••••(• • ;• •••••• ) • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • ••

st n t n t v rt s •••••• •• •• •• s np tT 6 • ••

(• )

n

pp t n • •• tp t st s v

•• • • • •••• •

t

• • • •• • • • ••••(• ;• 6 •••••• •• •• •• ) • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • •• d

S pp s • • (• • •• • •• • •• • ) n t pr ssv • (• •• •• •• ) r vn S t• (• •• •• •• ) • − •• r ppr s sr n t n t s(t n rn ntr s r t s r p- t n t r ps tv stps) • • • • • • • • • • • • • • • • • • • • • •• •

[running header: Hans Dobbertin]

np t r str •• • • • • • • • 6 • 7 • • • • • • • • • • • • • • • •

r str •• •• •• ••

• • • • •

r str •• •• ••

r str •• ••

• • • • • • •

• • • • • •

stp stp 0 stp 1 stp 2 stp 3 stp stp stp 6 stp 7 stp stp 9 stp 10 stp 11 stp 12 stp 13 stp 1 stp 1

• • • • • • • • • • • • • • • • • • • • • •• • np t r str • • • • • • • • • • • • • • • • • • • 6 • • • • • • • • 7 • • • • • T

ts nst nt• tv

r str • • • • • • • • • • • • • • • •

r str • • • • • • • • • • • • • • • •

ss t tt ntnts t n stps1216 202 stps13 1721 2

d n r n t t ppr n sp r t t r strs n r n t

rt n t n ntnts n t

r str • • • • • • • • • • • • • • • •

stp stp 16 stp 17 stp 1 stp 19 stp 20 stp 21 stp 22 stp 23 stp 2 stp 2 stp 26 stp 27 stp 2 stp 29 stp 3 0 stp 3 1

- n -r strs q s n stps1 1 2226 r sp -

s pp n t sr -r strs r t s n t t r

rst

un s

r

t

s • n • rn • •••••• n • t stps16 20 2 2 1721 2 29 1 2226 3 0 n 3 1 r sp tv n stp 16 vt q t n •

(• + • (• 3 •• •• ) + •

+• ) •• 3

(• + • + •

n

27

r r nst n

+• ) •• 3

t •

• • • • • • • • • • T s• (• • • 29) − 2• − • n s n p t • •• •• •• pp n • •••••• n stp 0 11 T vs• •• •• •• n tt tr n • •• •• r t stps1213 1 s • n stp 1 t p t • • n stp 19 t p t • • n stp 23 t p t• n n • n stp 27 t p t n t rv r • s“ rv r v” t ttr• -v t st sn n t n v n pr t r s tr n T s n t2 tr st s ss vr t rt n sp p t r 100 r r s “ ntn s ppr t n” r t p tt n • ( r • s r sp tv n r rt v s nt ntn t ;s s n p rt t -pr )

• • •• • • • • • • 1.

. rt n • •• • •• • • •• ••• • • • • • st t r n r pt n ( r r s r pt r p rt m s m r 1 6) tu r ts n m pu t r pr n r r 1 6 pp. 72. 2. . rt n • • • ••• •• • • • • • • • ••• • • •••• • • • ••• • • r pt ts t n s tt r rtr s . 2/2 m m r 1 6 pp. 1 6. 3. . st • • • • • • • • ••• • • •• •• • •• • •• • •••• • qu st r m m n ts ( ) n t rn t t t s r n t rn t r s r pr 1 2. . . . . s • • •••• • • •• •• ••• •• • • • • • • • • • • • • • • u tn rtr s m r 1 6 (s ttp // .rs . m / /).

p n n n 132

• • • • • • •• d

d

d

T

d

d

rstp rt t pr r s t n t v rt st t t r n n n t np tr q r t p n r n nt t pr r n s s -pr n t1 -20 n ts n t vr

#define unsigned long #define shift(x i) ( )(((x)(3 -(i)))) #define f(x y z) ((x) (y) ( (x)) (z)) #define g(x y z) ( )((x) (y) (x) (z) (y) (z)) #include m in(int c ch r v ]) int i k sh tri ls eros nes record 1 diff test; 0 1 3

eight; ;


0 1 3 4 5 9 elt _ elt _ 0 0_ sic _ 0 1 3 0 1 3; 0 1 3 0 1 3 0 1 3 0 1 3; 0 1 3 4 5 9 11 1 13 14 15 1 1 1 0 1 3 4 5 0 1 ;

10 11 sic; 0

1

13

1

14

15;

3;

10; 19; ;

if( c!= ) fprintf(stdout " s ge: %s seed n" exit(1);

v 0]);

sr nd( toi( v 1])); 1 = 0x5 999; = 0x5 90 134; = 0x5 90 134; e h ve here speci l c se of more gener l lgorithm n gener l nd re different ut h ve only sm ll mming difference o to choose these const nts ill e expl ined in the complete p per out this tt ck eros=0; nes=0; tri ls=0; ere you c n specify the h sh v lue 0=0x0; 1=0x0; =0x0; 3=0x0;

0= 1= = 3=

(

0; 1; ; 3;

ere st rts the first p rt: se rching _ : record = 33; = ; = r nd(); 3 = r nd() 0xffffff f; 0 = ; 15 = 0x0; 1 = shift( 13)- - 15; 14= 0x3 0; = shift( 14 1 13); 1 = shift( g( 3 ) 15 0= 1= = 3=

0

0- 0; 1- 1; - ; 3- 3;

0 = shift( 1 = shift( = 1; 3 = 1; 4 = shift(

9)9)-

-

- 1; - 1;

)-

-

- 1;

1 13);

1

1

3)

rst 5 = = = 1 = 13= 14= _

un s

r

t

4; 4; shift( 3 )- - - 1; shift( 19)- - - 1; shift( 19)- - - 1; shift( 19)- - 1; sic = r nd();

= = = = = = = = = 0=

0; = 1; = ; shift( f( shift( f( shift( f( shift( f( shift( f( shift( f( shift( f( shift( f( ; 1= ; = ; 3=

for(i=0; i< 50; i

= 3; ) 0 3); ) 1 ); ) 11); ) 3 19); ) 4 3); ) 5 ); ) 11); ) 19); ;

)

tri ls=tri ls 1; sh=i 0x1f; diff=shift(1 sh); = _ sic diff; 3 = shift( f( 3 0

= shift( = shift(

1)

5)-f( 9)-f( 1

= shift( 0 9)-f( 1 9 = shift( 3 5)-f( 0 10 = shift( 1)-f( 3 11 = shift( 1 13)-f(

1 0

= shift( 3 = shift( = shift( 1

elt _ elt _

= shift( = elt _

eight=0; for(k=0; k