Full-Round Differential Attack on the Original Version of the Hash Function Proposed at PKC 98

Transcription

1 Full-Round Differential Attack on the Original Version of the Hash Function Proposed at PKC 98 Donghoon Chang 1, Jaechul Sung 2, Soohak Sung 3,SangjinLee 1,and Jongin Lim 1 1 Center for Information Security Technologies(CIST), Korea University, Anam Dong, Sungbuk Gu, Seoul, Korea {pointchang, sangjin, jilim}@cist.korea.ac.kr 2 Korea Information Security Agency(KISA), Karag-dong, Songpa-gu, Seoul, Korea sjames@kisa.or.kr 3 Paichai University, Daejeon, Korea, sungsh@mail.paichai.ac.kr Abstract. Shin et al.[4] proposed a new hash function with 160-bit output length at PKC 98. Recently, at FSE 2002, Han et al.[5] cryptanalyzed the hash function proposed at PKC 98 and suggested a method finding a collision pair with probability 2 30, supposing that boolean functions satisfy the SAC(Strict Avalanche Criterion). This paper improves their attack and shows that we can find a collision pair from the original version of the hash function with probability through the improved method. Furthermore we point out a weakness of the function comes from shift values dependent on message. 1 Introduction MD4, MD5, RIPEMD-160, HAVAL, SHA-1 are well known dedicated hash functions. Dobbertin[2][3] showed that there are serious weakness in MD4 and MD5. Haval[11] was attacked partially. Shin et al.[4] proposed a new hash function with 160-bit output length at PKC 98. Recently, at FSE 2002, Han et al.[5] pointed out that, unlike the designer s attention, some of the boolean functions of the hash function proposed at PKC 98 do not satisfy the SAC(Strict Avalanche Criterion). And they analyzed the hash function proposed at PKC 98 and found a collision pair with probability 2 30, supposing that the boolean functions satisfy the SAC. However only one of boolean functions used in the hash function satisfies the SAC. So, their attack introduced at FSE 2002 can not be applied to the hash function itself. This paper improves the method proposed at FSE 2002 and shows that we can find a collision pair from the original version of the hash function with This work was supported by both Ministry of Information and Communication and Korea Information Security Agency, Korea, under project K. Nyberg and H. Heys (Eds.): SAC 2002, LNCS 2595, pp , c Springer-Verlag Berlin Heidelberg 2003

2 Full-Round Differential Attack 161 probability through the improved method. And we point out the problem of the hash function comes from shift values dependent on message. Next, we show that reduced versions for 3-pass HAVAL are attacked by our attack method. 2 The Hash Function Proposed at PKC 98 In this section, we briefly describe the hash function proposed at PKC 98, and we introduce notations used in this paper. word 32-bit string block 512-bit string used as input of compression function in the hash function + addition modulo 2 32 operation between two words X <<s left rotation X by s bits X Y bitwise logical AND operation of X and Y X Y bitwise OR operation of X and Y X Y bitwise XOR operation of X and Y 2.1 Input Block Length and Padding An input message is processed by 512-bit block. The proposed hash function pads a message by appending a single bit 1 next to the least significant bit of the message, followed by zero or more bit 0s until the length of the message is 448 modulo 512, and then appends to the message the 64-bit original message length modulo Initial Value(IV) The initial values of five chaining variables (A,B,C,D,E) used in processing message are as follows. A B C D E 0x xefcdab89 0x98badcef 0x xc3d2e1f0 2.3 Constants The following numbers are used as constants(k i is used in round i). K 1 = 0 K 2 = 0x5a K 3 = 0x6ed9eba1 K 4 = 0x8f1bbcdc 2.4 Expansion of Message Variables Eight message variables, X 16,X 17,,X 23 are additionally generated from original sixteen input message words, X 0,X 1,,X 15 as follows. So twenty-four message words are applied to the compression function. X 16+i =(X 0+i X 2+i X 7+i X 12+i ) <<1 (i =0, 1,, 7) (1)

3 162 Donghoon Chang et al. 2.5 Ordering of Message Words This hash function consists of four rounds. Each round has 24 steps. Table 1. The definition of permutation ρ i ρ(i) The ordering of message words is determined by ρ as follows. Round Permutation id ρ ρ 2 ρ Boolean Functions The boolean functions used at each round are as follows. Only the function f 2 satisfies the SAC, while it is not the case for f 0 and f 1. f 0(x 1,x 2,x 3,x 4,x 5)=(x 1 x 2) (x 3 x 4) (x 2 x 3 x 4) x 5 (2) f 1(x 1,x 2,x 3,x 4,x 5)=x 2 ((x 4 x 5) (x 1 x 3)) (3) f 2(x 1,x 2,x 3,x 4,x 5)=x 1 (x 2 (x 1 x 4)) (((x 1 x 4) x 3) x 5) (4) 2.7 Operation in One Step The operation in one step is defined as follows. The function f 0 is applied to the first round(0 23 step), the function f 1 is applied to the second round(24 47 step), the function f 2 is applied to the third round(48 71 step) and the function f 1 is applied to the fourth round(72 95 step). A i =(f(a i,b i,c i,d i,e i)+x + K) <<S i, B i = B <<10 i (5) A i+1 = E i,b i+1 = A i,c i+1 = B i,d i+1 = C i,e i+1 = D i (6) The operation in one step can be described in the figure Shift Operation The shift values used in each step, S i (i =0, 1, 2,, 95), are determined depending on message words as follows. Next table shows R function per round. S i = X R(i mod 24) mod 32 (7) Round R function ρ 3 ρ 2 ρ id For example, let s solve S 20, shift value at step 20. The step 20 is in the first round, so R function is ρ 3. Therefore S 20 = X ρ3 (20) mod 32 = X 8 mod 32.

4 Full-Round Differential Attack 163 Fig. 1. The operation in one step A i B i C i D i E i f << 10 X K << S i A i+1b i+1c i+1d i+1e i Each Step Operation through the Table The following table shows each step operation from step 0 to step 6. A i,b i,c i,d i,e i mean chaining variables after a equation (5) and before a equation (6) at i step. Table 2. The message input order, shift value and chaining values per step step A B C D E Input Shift value(mod 32) 0 A 0 B 0 C 0 D 0 E 0 X 0 X 13 1 A 1 B 1 C 1 D 1 E 1 X 1 X 22 2 A 2 B 2 C 2 D 2 E 2 X 2 X 2 3 A 3 B 3 C 3 D 3 E 3 X 3 X 14 4 A 4 B 4 C 4 D 4 E 4 X 4 X 3 5 A 5 B 5 C 5 D 5 E 5 X 5 X 6 6 A 6 B 6 C 6 D 6 E 6 X 6 X 7 : The updated part per step 3 The Analysis of the Original Version of the Hash Function Proposed at PKC The Analysis of Input and Output Difference for Boolean Functions Boolean function f 2 satisfies the SAC. This means that when it has a difference at only one bit, output bit becomes zero with 1/2 probability. At FSE 2002, under supposing that three boolean functions satisfy the SAC, Han et al. proposed a method finding a collision pair with probability 2 30.Butinfact,boolean functions f 0 and f 1 do not satisfy the SAC. In case of f 0, when only last input

5 164 Donghoon Chang et al. bit has a difference, output difference becomes always 1(table 3-5). Also, in case of f 1, when only second input bit has a difference, output difference becomes always 1(table 3-13). These mean the followings: if a message word having a difference is an input of a round using the function f 0, the difference avalanche occurs after four steps because fifth chaining variable have a difference. If message word having a difference is input of a round using the function f 1,the difference avalanche occurs after one step because second chaining variable have a difference. And the effect of difference avalanche is larger according as the number of steps increases. Therefore the method proposed by Han et al. at FSE 2002 cannot be applied to the original version of the hash function. But, in case of f 0, if we give simultaneously differences to fifth chaining variable and other chaining variable, the output bit becomes zero with some probability(table 3-8,9,11). This is similar to f 1.Wewillusethisfacttoattacktheoriginalversion of the hash function proposed at PKC 98. Table 3. The probability that output difference bit becomes 0 with the change of location of input difference bit of boolean function f i No. Func. Input Prob. No. Func. Input Prob. 1 f 0 x 1 1/2 17 f 1 x 2,x 3 3/8 2 f 0 x 2 1/2 18 f 1 x 2,x 5 3/8 3 f 0 x 3 3/4 19 f 1 x 1,x 4 3/8 4 f 0 x 4 3/4 20 f 1 x 1,x 2 3/8 5 f 0 x f 1 x 1,x 3 5/8 6 f 0 x 1,x 2 1/2 22 f 1 x 2,x 4 3/8 7 f 0 x 1,x 4 1/4 23 f 1 x 3,x 5 3/8 8 f 0 x 3,x 5 1/4 24 f 1 x 4,x 5 5/8 9 f 0 x 1,x 5 1/2 25 f 1 x 3,x 4 3/8 10 f 0 x 3,x 4 3/4 26 f 1 x 1,x 5 3/8 11 f 0 x 4,x 5 1/4 27 f 1 x 2,x 3,x 4 5/8 12 f 1 x 1 5/8 28 f 2 x 1 1/2 13 f 1 x f 2 x 2 1/2 14 f 1 x 3 5/8 30 f 2 x 3 1/2 15 f 1 x 4 5/8 31 f 2 x 4 1/2 16 f 1 x 5 5/8 32 f 2 x 5 1/2 3.2 The Analysis of Input and Output Difference for Step Operation At each step, such as equation (5), message word(x) having a difference has influence on a updating chaining variable(a i ). Therefore, we need to take the following facts into consideration for difference analysis. The step operation uses addition modulo If addition modulo 2 32 is substituted by, wemustconsider a probability according to a carry. If k=31, with respect to most significant

6 Full-Round Differential Attack 165 bit, addition modulo 2 32 and play the same role. If k 31, a carry happens with probability 1/2. So, the analysis of input and output difference of step operation is done by equations (8), (9), (10), (11). α and β denote arbitrary words, and p denotes the probability satisfying a equation. case 1:k =31 ((α 1 <<k )+β) (α + β) =1 <<k (p =1) (8) ((α 1 <<k )+(β 1 <<k )) (α + β) =0 (p =1) (9) case 2:k 31 ((α 1 <<k )+β) (α+β) =1 <<k (p =1/2) (10) ((α 1 <<k )+(β 1 <<k )) (α+β) =0 (p =1/2) (11) 3.3 The Analysis of Expansion of Message Words By (1), (12) (19) are obtained as follows. X 16 =(X 0 X 2 X 7 X 12) <<1 (12) X 17 =(X 1 X 3 X 8 X 13) <<1 (13) X 18 =(X 2 X 4 X 9 X 14) <<1 (14) X 19 =(X 3 X 5 X 10 X 15) <<1 (15) X 20 =(X 4 X 6 X 11 X 16) <<1 (16) X 21 =(X 5 X 7 X 12 X 17) <<1 (17) X 22 =(X 6 X 8 X 13 X 18) <<1 (18) X 23 =(X 7 X 9 X 14 X 19) <<1 (19) Through the expansion of message words, message words which are affected by each X i (0 i 15) are shown on Table 4 below. This fact was shown by Han et al. at FSE When we take a look at the table 4, if we give a difference to X 0, X 16 and X 20 also have some differences. Table 4. The effect of expansion of message words X 0 X 1 X 2 X 3 X 4 X 5 X 6 X 7 X 8 X 9 X 10 X 11 X 12 X 13 X 14 X 15 X 16 X 17 X 16 X 17 X 18 X 19 X 20 X 16 X 17 X 18 X 19 X 20 X 16 X 17 X 18 X 19 X 20 X 21 X 18 X 19 X 20 X 21 X 22 X 20 X 21 X 22 X 23 X 20 X 21 X 22 X 23 X 20 X 21 X 22 X 23 X 21 X 22 X 23 X 21 X 22 X 23 X 22 X 23 X The Analysis of Weakness of Shift Value Dependent on Message Words Generally, in case of MDx-hash functions, shift values are fixed. If shift values can be selected arbitrarily by attacker, a hash function using these shift values can be attacked easily by our attack method (described in Appendix A), regardless

7 166 Donghoon Chang et al. of the expansion of message words and ordering of message words and boolean functions and step operation. The original version of the hash function proposed at PKC 98 uses shift values dependent on message words. This principle of the design makes an attacker select shift values. So, in section 5, based on this fact, we will attack the original version of the hash function proposed at PKC The Selection of Message Blocks and Shift Values for Maximizing an Attack Probability 4.1 The Selection of Message Block Pair When we take a look at the table 4, for the expansion of message words, it is impossible to give a difference to only one message word pair. But we can give differences to two message word pairs. Four cases exist. (X 8,X 13 ),(X 9,X 14 ),(X 10,X 15 ),(X 11,X 20 ). Out of four cases, we select (X 11,X 20 ) for maximizing the probability of attack, because (X 11,X 20 )makes the smallest sum of four cases the sums of the differences of steps of inputting (X 8,X 13 ),(X 9,X 14 ), (X 10,X 15 ),(X 11,X 20 ) per round. The table of four cases is as follows. Table 5. The differences of steps of inputting each word pair per round Round (X 8,X 13) (X 9,X 14) (X 10,X 15) (X 11,X 20) 1 Round Round Round Round Sum The Selection of Differences of Message Block Pair and Shift Values The first standard giving differences to block pair is to give a difference to most significant bit for changing a modular addition with XOR operation. The second is to apply the same shift values to message block pair. We select message block pair and shift values as follows. X =(X i ) 0 i 15, X =( Xi ) 0 i 15 : message block pair X 11 X 11 =1 <<30 ( X 20 1 <<31 = X 20 ) X i = X i (i 11, 20) Value of 5 low-order bits of message words lsb 5 (X 1,X 4,X 7,X 12,X 15,X 16,X 17,X 20,X 23 )= (10, 0, 21, 21, 11, 0, 10, 0, 13)

8 Full-Round Differential Attack Input Order of Message Words and Shift Values per Round through the Table Table 6 shows input order of message words and shift values per step.(m: order of message words, : non-fixed value) Table 6. The message input order and shift values per step step M shift step M shift step M shift step M shift Full-Round Differential Attack From now on, we start to attack the original version of the hash function proposed at PKC 98 based on sections 3 and 4. Table 7 shows the full-round differential attack. Concretely we analyze steps generating differences. See Appendix A. A i, B i, C i, D i, E i mean the differences of chaining variables after a equation (5) and before a equation (6) at i step. The total probability is about Therefore we can find a collision pair of the original version of the hash function proposed at PKC 98 with probability Finding a Collision Pair in Practice by Simulation For finding a collision pair, we executed a program written in visual C 6.0 and running on a set of 10 PCs under Windows. From this, we found a collision pair in one computer with about 10 hours. The collision pair is as follows.

9 168 Donghoon Chang et al. Table 7. The Full-Round Differential Attack Step A B C D E X p Step A B C D E X p < < < / < / < <30 1/ < / <11 1 <30 1/ / <21 0 1/ <21 0 3/ <21 0 3/ < <21 0 1/ < <21 0 1/ < <31 0 3/ < <31 0 3/ < <31 0 1/ <31 1 <31 1/ / <20 1 < <30 1 <30 0 1/ <8 1 <30 0 3/ <8 1 < / < < <8 1 <30 1 <30 15/ <10 1 < / < / <20 1 <20 1 < / / <30 1 <20 1 < / <30 1 <20 1 < / <30 1 < / < / <30 3/ :The updated part per step

10 Full-Round Differential Attack 169 X 0 = 0xdf407f1a X 1 = 0x99c0464a X 2 = 0x3380a1fa X 3 = 0x0d40be50 X 4 = 0x6580c1c0 X 5 = 0xb X 6 = 0xf5c09a9e X 7 = 0x388077d5 X 8 = 0x1f X 9 = 0xb080db94 X 10 = 0xb700244c X 11 = 0x3480cc5e X 12 = 0xb5c00895 X 13 = 0xa9405c59 X 14 = 0x28c04748 X 15 = 0xba008ecb gx 11 = X 11 1 <<30, f Xi = X i(i 11) The output of compression function for two message blocks is as follows. 0xfe684dca 0x33524aa4 0x15ce9f59 0xd200e689 0x7b01f656 And a collision pair on the compression function leads to a collision on the full hash function by simply appending identical blocks or the padding fields for same-length messages. 7 On the Security of Reduced Versions of 3-Pass HAVAL HAVAL is a dedicated hash function of the MD family which was proposed by Zheng et al[11]. Kasselman et al. found collisions for the last two passes of 3-pass HAVAL[6]. Park et al., at ACISP 2002, found a 256-bit collision of the first two passes of 3-pass HAVAL and of the last two passes of 3-pass HAVAL[7]. In this paper, we attack reduced versions of 3-pass HAVAL using our method different from two previous attack methods(1-2 round: attack probability is 2 18,2-3 round: attack probability is 2 50 ). Concretely, we select two messages as follow. For 1-2 round of HAVAL, W 29 W 29 =1 <<31, W 31 1 <<20 = W 31. For 2-3 round of HAVAL, W 7 W 7 =1 <<31, W 31 1 <<30 = W 31.(See Appendix B: Table 8, 9) 8 Conclusion This paper shows that we can find a collision pair from the original hash function with probability not transforming boolean functions. This means that a weakness of the hash function proposed at PKC 98 comes from the shift values of the hash function. That is, shift values depending on messages can be a factor of reducing the security of hash functions. Also, our attack method is applied to the reduced version of HAVAL because HAVAL has the weakness of message input order. Therefore shift values have to be carefully chosen for the security of hash functions. And in case that shift values are fixed, the message input order have to be carefully chosen, also. Acknowledgements We thank to the anonymous referees for their useful comments.

11 170 Donghoon Chang et al. References 1. F. Chabaud and A. Joux, Differential Collisions in SHA-0, Advances in CRYPTO 98, LNCS 1462, Springer-Verlag, 1998, pp H. Dobbertin, Cryptanalysis of MD4, Fast Software Encryption, LNCS 1039, Springer-Verlag,1996, pp H. Dobbertin, Cryptanalysis of MD5 Compress, May www-cse.ucsd.edu/users/bsy/dobbertin.ps 4. Sanguk Shin, Kyunghyune Rhee, Daehyun Ryu, Sangjin Lee, ANewHashFunction Based on MDx-family and Its Application to MAC, Public Key Cryptography 98, pp Daewan Han, Sangwoo Park, Seongtaek Chee, Cryptanalysis of a Hash Function Proposed at PKC 98, Fast Software Encryption 2002, LNCS 2365, pp P.R. Kasselman and W.T. Penzhorn, Cryptanalysis of reduced version of HAVAL, Electronics Letters 6th January 2000 Vol.36 No.1, pp S.W. Park, S.H. Sung, S.T. Chee, J.I. Lim, On the Security of Reduced Versions of 3-Pass HAVAL, ACISP 2002, LNCS 2384, pp R. Rivest, The MD4 message digest algorithm, RFC 1320, Internet Activities Board, Internet Privacy Task Force, Apr R. Rivest, The MD5 message digest algorithm, RFC 1321, Internet Activities Board, Internet Privacy Task Force, Apr Federal Information Processing Standards Publication 180-1, April 17, Y. Zheng, J. Pieprzyk and J. Sebberry, HAVAL - A one-way hashing algorithm with variable length of output, Advances in Cryptology-Auscrypt 92, LNCS 718, Springer- Verlag, 1993, pp Appendix A 1. The Analysis of Steps of Table 7 The first round use the function f 0. The values of Table 7 are calculated as follows. E 11 =[f 0(E 10,A 10,B 10,C 10,D 10)+X 11 + K 1] <<S 11=13 [f 0(E 10,A 10,B 10,C 10, D 10)+(X 11 1 <<30 )+K 1] <<S 11=13 =1 <<11 (p =1/2) Above equality holds with probability 1/2 by (10). D 12 =[f 0(D 11,E 11,A 11,B 11,C 11)+X 12 + K 1] <<S 12 [f 0(D 11,E 11 1 <<11,A 11, B 11,C 11)+X 12 + K 1] <<S 12 =0 (p =1/2) Above equality holds with probability 1/2 by 2 of Table 3. C 13 = [f 0(C 12,D 12,E 12,A 12,B 12) +X 13 + K 1] <<S 13 [f 0(C 12,D 12,E 12 1 <<21,A 12, B 12)+X 13 + K 1] <<S 13 =0 (p =3/4) Above equality holds with probability 3/4 by 3 of Table 3. B 14 =[f 0(B 13,C 13,D 13,E 13,A 13)+X 14 + K 1] <<S 14=0 [f 0(B 13,C 13,D 13,E 13 1 <<21,A 13)+X 14 + K 1] <<S 14=0 =0 (p =3/4) Above equality holds with probability 3/4 by 4 of Table 3.

12 Full-Round Differential Attack 171 A 15 =[f 0(A 14,B 14,C 14,D 14,E 14)+X 15 + K 1] <<S 15=0 [f 0(A 14,B 14,C 14,D 14, E 14 1 <<21 )+X 15 + K 1] <<S 15=0 =1 <<21 (p =1/2) Above equality holds with probability 1/2 by (10) and by 5 of Table 3. E 16 =[f 0(E 15,A 15,B 15,C 15,D 15)+X 16 + K 1] <<S 16=0 [f 0(E 15 1 <<21,A 15 1 <<21,B 15,C 15,D 15)+X 16 + K 1] <<S 16=0 =1 <<21 (p =1/4) Above equality holds with probability 1/4 by (10) and by 6 of Table 3. D 17 = [f 0(D 16,E 16,A 16,B 16,C 16) +X 17 + K 1] <<S 17=10 [f 0(D 16,E 16 1 <<21,A 16 1 <<31,B 16,C 16)+X 17 + K 1] <<S 17=10 =0 (p =3/8) Above equality holds with probability 3/8 by 2, 3 of Table 3. C 18 =[f 0(C 17,D 17,E 17,A 17,B 17)+X 18 + K 1] <<S 18=21 [f 0(C 17,D 17,E 17 1 <<31,A 17 1 <<31,B 17)+X 18 + K 1] <<S 18=21 =0 (p =3/4) Above equality holds with probability 3/4 by 10 of Table 3. B 19 =[f 0(B 18,C 18,D 18,E 18,A 18)+X 19 + K 1] <<S 19 [f 0(B 18,C 18,D 18,E 18 1 <<31,A 18 1 <<31 )+X 19 + K 1] <<S 19 =0 (p =1/4) Above equality holds with probability 1/4 by 11 of Table 3. A 20 =[f 0(A 19,B 19,C 19,D 19,E 19)+X 20 + K 1] <<S 20 [f 0(A 19 1 <<31,B 19,C 19, D 19,E 19 1 <<31 )+(X 20 1 <<31 )+K 1] <<S 20 =0 (p =1/2) E 21 =[f 0(E 20,A 20,B 20,C 20,D 20)+X 21 + K 1] <<S 21 [f 0(E 20 1 <<31,A 20,B 20, C 20,D 20)+X 21 + K 1] <<S 21 =0 (p =1/2) 2. The Analysis of Steps of Table 7 The probabilities of following equalities also are calculated like the above method. E 36 =[f 1(E 35,A 35,B 35,C 35,D 35)+X 20 + K 2] <<S 36=21 [f 1(E 35,A 35,B 35,C 35, D 35)+(X 20 1 <<31 )+K 2] <<S 36=21 =1 <<20 (p =1) D 37 =[f 1(D 36,E 36,A 36,B 36,C 36)+X 3 + K 2] <<S 37=10 [f 1(D 36,E 36 1 <<20,A 36, B 36,C 36)+X 3 + K 2] <<S 37=10 =1 <<30 (p =1/2) C 38 =[f 1(C 37,D 37,E 37,A 37,B 37)+X 22 + K 2] <<S 38 [f 1(C 37,D 37 1 <<30,E 37 1 <<30,A 37,B 37)+X 22 + K 2] <<S 38 =0 (p =3/8) B 39 =[f 1(B 38,C 38,D 38,E 38,A 38)+X 6 + K 2] <<S 39=21 [f 1(B 38,C 38,D 38 1 <<8,E 38 1 <<30,A 38)+X 6 + K 2] <<S 39=21 =0 (p =25/64) A 40 =[f 1(A 39,B 39,C 39,D 39,E 39)+X 11 + K 2] <<S 40 [f 1(A 39,B 39,C 39,D 39 1 <<8,E 39 1 <<30 )+(X 11 1 <<30 )+K 2] <<S 40 =0 (p =15/128) E 41 =[f 1(E 40,A 40,B 40,C 40,D 40)+X 19 + K 2] <<S 41 [f 1(E 40 1 <<30,A 40,B 40, C 40,D 40 1 <<8 )+X 19 + K 2] <<S 41 =0 (p =25/64) D 42 =[f 1(D 41,E 41,A 41,B 41,C 41)+X 15 + K 2] <<S 42 [f 1(D 41 1 <<8,E 41,A 41, B 41,C 41)+X 15 + K 2] <<S 42 =0 (p =5/8)

13 172 Donghoon Chang et al. 3. The Analysis of Steps of Table 7 The probabilities of following equalities also are calculated like the above method. B 54 =[f 2(B 53,C 53,D 53,E 53,A 53)+X 20 + K 3] <<S 54=21 [f 2(B 53,C 53,D 53,E 53, A 53)+(X 20 1 <<31 )+K 3] <<S 54=21 =1 <<20 (p =1) A 55 =[f 2(A 54,B 54,C 54,D 54,E 54)+X 8 + K 3] <<S 55 [f 2(A 54,B 54 1 <<20,C 54, D 54,E 54)+X 8 + K 3] <<S 55 =0 (p =1/2) E 56 =[f 2(E 55,A 55,B 55,C 55,D 55)+X 18 + K 3] <<S 56 [f 2(E 55,A 55,B 55 1 <<30, C 55,D 55)+X 18 + K 3] <<S 56 =0 (p =1/2) D 57 =[f 2(D 56,E 56,A 56,B 56,C 56)+X 11 + K 3] <<S 57=0 [f 2(D 56,E 56,A 56,B 56 1 <<30,C 56)+(X 11 1 <<30 )+K 3] <<S 57=0 =0 (p =1/4) C 58 =[f 2(C 57,D 57,E 57,A 57,B 57)+X 5 + K 3] <<S 58 [f 2(C 57,D 57,E 57,A 57,B 57 1 <<30 )+X 5 + K 3] <<S 58 =0 (p =1/2) B 59 =[f 2(B 58,C 58,D 58,E 58,A 58)+X 4 + K 3] <<S 59 [f 2(B 58 1 <<30,C 58,D 58, E 58,A 58)+X 4 + K 3] <<S 59 =0 (p =1/2) 4. The Analysis of Steps of Table 7 The probabilities of following equalities also are calculated like the above method. D 87 =[f 1(D 86,E 86,A 86,B 86,C 86)+X 20 + K 4] <<S 87=11 [f 1(D 86,E 86,A 86,B 86, C 86)+(X 20 1 <<31 )+K 4] <<S 87=11 =1 <<10 (p =1) C 88 =[f 1(C 87,D 87,E 87,A 87,B 87)+X 4 + K 4] <<S 88=0 [f 1(C 87,D 87 1 <<10,E 87, A 87,B 87)+X 4 + K 4] <<S 88=0 =1 <<10 (p =1/2) B 89 =[f 1(B 88,C 88,D 88,E 88,A 88)+X 17 + K 4] <<S 89=10 [f 1(B 88,C 88 1 <<10,D 88 1 <<20,E 88,A 88)+X 17 + K 4] <<S 89=10 =1 <<20 (p =5/16) A 90 =[f 1(A 89,B 89,C 89,D 89,E 89)+X 12 + K 4] <<S 90 [f 1(A 89,B 89 1 <<20,C 89 1 <<20,D 89 1 <<20,E 89)+X 12 + K 4] <<S 90 =0 (p =5/8) E 91 =[f 1(E 90,A 90,B 90,C 90,D 90)+X 19 + K 4] <<S 91 [f 1(E 90,A 90,B 90 1 <<30, C 90 1 <<20,D 90 1 <<20 )+X 19 + K 4] <<S 91 =0 (p =25/64) D 92 =[f 1(D 91,E 91,A 91,B 91,C 91)+X 8 + K 4] <<S 92=0 [f 1(D 91 1 <<20,E 91,A 91, B 91 1 <<30,C 91 1 <<20 )+X 8 + K 4] <<S 92=0 =0 (p =15/64) C 93 =[f 1(C 92,D 92,E 92,A 92,B 92)+X 9 + K 4] <<S 93 [f 1(C 92 1 <<20,D 92,E 92,A 92, B 92 1 <<30 )+X 9 + K 4] <<S 93 =0 (p =25/64) B 94 =[f 1(B 93,C 93,D 93,E 93,A 93)+X 11 +K 4] <<S 94 [f 1(B 93 1 <<30,C 93,D 93,E 93, A 93)+(X 11 1 <<30 )+K 4] <<S 94 =0 (p =3/16) A 95 =[f 1(A 94,B 94,C 94,D 94,E 94)+X 1 + K 4] <<S 95=13 [f 1(A 94,B 94,C 94,D 94,E 94) + X 1 + K 4] <<S 95=13 =0 (p =1)

14 Full-Round Differential Attack 173 Appendix B Table 8. Attack on the first two passes of 3-pass HAVAL Step A B C D E F G H X p Step A B C D E F G H X p < < < < < /2 8 1 < / < /2 9 1 < / < / < / < / < / < / < / < / < / < / < / < / < / < / < / < / < / < / < / < / < / < / < / < / < / < / < / < / < / < / < / < / < / < / < / < / < / < / < / < / < / < / < / <30 1/ <30 1/ :The updated part per step

15 174 Donghoon Chang et al. Table 9. Attack on the last two passes of 3-pass HAVAL Step A B C D E F G H X p Step A B C D E F G H X p <31 1 < <31 0 1/ <31 0 1/ <31 0 1/ <31 0 1/ <31 0 1/ <31 0 1/ <31 0 1/ <20 1/ < < < / < / < / < / < / < / < / <20 1/ :The updated part per step