Cryptanalysis of TWOPRIME


Don Coppersmith, IBM Research
Bruce Schneier, Counterpane Systems
David Wagner, U.C. Berkeley
John Kelsey, Counterpane Systems

Abstract. Ding et al [DNRS97] propose a stream generator based on several layers. We present several attacks. First, we observe that the non-surjectivity of a linear combination step allows us to recover half the key with minimal effort. Next, we show that the various bytes are insufficiently mixed by these layers, enabling an attack similar to those on two-loop Vigenere ciphers to recover the remainder of the key. Combining these techniques lets us recover the entire TWOPRIME key. We require the generator to produce $2^{33}$ blocks ($2^{35}$ bytes), or 19 hours worth of output, of which we examine about one million blocks ($2^{23}$ bytes); the computational workload can be estimated at $2^{28}$ operations. Another set of attacks trades off texts for time, reducing the amount of known plaintext needed to just eight blocks (64 bytes), while needing $2^{32}$ time and $2^{32}$ space. We also show how to break two variants of TWOPRIME presented in the original paper.

1 Introduction

The TWOPRIME stream cipher [DNRS97], introduced at FSE 97, uses a 128-bit key to generate 64-bit blocks of output at each time step; these output blocks are exclusive-ored onto the plaintext to produce ciphertext. At a high level, TWOPRIME consists of a keyed (non-bijective) cryptographic function with 64-bit inputs and 64-bit outputs, which is used in a counter-like mode to generate keystream output. The algorithm has ten layers; the first layer is driven by a counter, and the output of each layer becomes the input to the next. We exploit weaknesses of two of the layers to produce several different attacks against the scheme. Our conclusion is that there are too few layers for cryptographic strength.
One of the main contributions of the TWOPRIME work is that the algorithm was designed so that one could prove certain statements about the security of the cipher: it has high linear complexity, good cycle length, good resistance to LFSR-synthesis attacks, and so on [footnote 1]. Nonetheless, despite the proofs of various security properties, in this paper we show how to break TWOPRIME very efficiently.

Footnote 1: Note that it is possible to prove that using any block cipher in counter mode has good linear complexity and good cycle length (at least, in the sense that [DNRS97] proved for TWOPRIME), so in retrospect these proofs are perhaps not terribly meaningful.

Our attacks fall into two natural categories. The first three attacks, discussed in Sections 4–7, recover half of the key (namely, $K_2$, $K_3$). The second category (see Sections 8–9) includes two techniques which identify the remainder of the key ($K_0$, $K_1$) once we've found $K_2$, $K_3$.

The rest of the paper is organized as follows. In Section 2 we review the TWOPRIME scheme. In Section 3 we give some preliminary remarks which will be useful in the cryptanalysis. Section 4 gives a very easy attack to recover half of the key, based on the linear map of layer 7 failing to be surjective. Section 5 shows another attack that reduces the plaintext requirements; the cost for this improvement is an increase in the amount of offline computation required. Section 6 gives a more complicated attack to recover $K_2$, $K_3$ by breaking the period of $p_0 p_1$ into two periods of $p_0$ and $p_1$ respectively. The probabilistic analysis backing up this attack is mentioned in Section 7. In Sections 8 and 9 we finish with two attacks which can be used to recover the remainder of the key in a more mundane manner. Section 10 discusses some of the computational requirements of each attack. Sections 11 and 12 discuss variants of the original scheme, and some attacks on these variants. Conclusions are reserved for Section 14.

2 Description of TWOPRIME

The TWOPRIME scheme [DNRS97] uses a 128-bit key to generate 64-bit blocks of output at each time step; these output blocks are exclusive-ored onto the plaintext to produce ciphertext. At a high level, TWOPRIME consists of a keyed function $F_K$ : Z Z and a custom mode for using $F$ to generate keystream output. The mode is somewhat similar to counter mode: the input to $F$ comes from two independent 32-bit counters. Each counter is initialized with a key-dependent value, and is stepped by adding a public constant and then reducing modulo a public 32-bit prime.

The key, consisting of 16 bytes $k_0, \dots, k_{15}$, is divided into four 32-bit parts, named $K_0$, $K_1$, $K_2$ and $K_3$, with the convention

K_0 = k_8 + k k k
K_1 = k_12 + k k k
$K_2 = (k_0, k_1, k_2, k_3)$
$K_3 = (k_4, k_5, k_6, k_7)$.
The algorithm has ten layers, which we will describe. The output of each layer becomes the input of the subsequent layer. With one exception, each output consists of eight bytes, and so is an element of Z . The scheme is depicted graphically in Figure 1.

The first layer involves two primes, $p_0$ = and $p_1$ = , and two fixed public integers $a_0$ and $a_1$. At time step $t$, the output of the first layer is the two 32-bit integers $r_0 = a_0 t + K_0 \pmod{p_0}$ and $r_1 = a_1 t + K_1 \pmod{p_1}$. Each is broken into four 8-bit bytes, yielding a total of eight bytes output.

Fig. 1. Structure of the ciphering algorithm. (Diagram labels: partial keys $K_0$ and $K_1$; $(p_0, a_0)$ counter and $(p_1, a_1)$ counter; $S_0$ boxes; key additions; linear permutation; linear compression function $b$; $S_0$ boxes; $K_2$, $K_3$; bytewise exor of plaintext block into ciphertext block.)

In the second layer, each byte $x$ is replaced by $S_0(x) = [(x^{255} \bmod 257) \bmod 256]$. It happens that $S_0$ is its own inverse: $S_0(S_0(x)) = x$. The third layer involves addition (mod 256) of the key bytes constituting $K_2$ and $K_3$. The fourth layer is a linear permutation: if $x_0, \dots, x_7$ are the inputs to this

layer, the outputs are

$$y_j = \Big(\sum_{i=0}^{7} x_i\Big)\ x_j \pmod{256}.$$

This is intended to mix the bytes; however, as we shall see, it is too weak. The only interaction between the various bytes $x_i$ is through the single byte $\sum_i x_i \pmod{256}$, and when that byte is controlled, the mixing is ineffective.

The fifth layer involves addition (mod 256) of the key bytes constituting $K_0$ and $K_1$. The sixth layer is a non-linear expansion: each byte $x$ is expanded to the concatenation of four bytes $S_1(x), S_2(x), S_3(x), S_4(x)$, where the $S_i$ are various nonlinear permutations on $Z_{256}$. The output of this layer is 32 bytes.

The seventh layer applies a linear compression to reduce these 32 bytes back to 8 bytes; that is, a fixed public 8 × 32 matrix $\{b_{ij}\}$ maps Z to Z . Upon input $(X_0, \dots, X_{31})$, the linear transform $b$ produces the output $(Y_0, \dots, Y_7) = b(X_0, \dots, X_{31})$ according to the equation

$$\begin{aligned}
Y_0 &= X_0 + X_5 + X_{10} + X_{15} + X_{16} + X_{22} + X_{24} + X_{30},\\
Y_1 &= X_1 + X_6 + X_{11} + X_{12} + X_{17} + X_{23} + X_{25} + X_{31},\\
Y_2 &= X_2 + X_7 + X_8 + X_{13} + X_{18} + X_{20} + X_{26} + X_{28},\\
Y_3 &= X_3 + X_4 + X_9 + X_{14} + X_{19} + X_{21} + X_{27} + X_{29},\\
Y_4 &= X_{16} + X_{21} + X_{26} + X_{31} + X_0 + X_6 + X_8 + X_{14},\\
Y_5 &= X_{17} + X_{22} + X_{27} + X_{28} + X_5 + X_{11} + X_{13} + X_3,\\
Y_6 &= X_{18} + X_{23} + X_{24} + X_{29} + X_{10} + X_{12} + X_2 + X_4,\\
Y_7 &= X_{19} + X_{20} + X_{25} + X_{30} + X_{15} + X_1 + X_7 + X_9.
\end{aligned} \tag{1}$$

The eighth layer applies the permutation $S_0$ to each byte. In the ninth layer, bytes from $K_2$ and $K_3$ are exclusive-ored into the bytes. The tenth round consists of exclusive-oring these bytes (the output of the ninth round) onto the plaintext to produce the ciphertext, or (in the case of decryption) onto the ciphertext to recover plaintext.

Let us denote by $x_i^{(j)}$ ($0 \le i \le 7$, $1 \le j \le 10$) the $i$th byte of the output of the $j$th round. (For $j = 6$ we will allow $0 \le i \le 31$.) If the time step $t$ is important we will write $x_i^{(j,t)}$. The notation $x^{(j)}$ will mean the whole 8-tuple of bytes $[x_i^{(j)}, 0 \le i \le 7]$.

3 Remarks on the scheme

During most of the rounds, the various bytes remain separate. During the first round, four bytes are output from one 32-bit word, and four from another. The fourth round combines bytes with a linear map, but (as has been remarked) this does a weak job of mixing them. The seventh round combines pieces of the various bytes much more thoroughly, but only with a linear transformation. Also, the seventh round lies close to the surface, which lets us exploit the lack of diffusion in the rest of the cipher.

The designers explain that the internal structure of TWOPRIME (i.e. the function $F$) was chosen to resist inversion attacks (where one tries to use the output of $F$ to work backwards). Two of our attacks succeed exactly because we can work backwards from the output of $F$. In fact, we use the non-invertibility of $F$ to our advantage in Sections 4–5. Because $F$ is not bijective, not all intermediate values are possible. In particular, the combination of the sixth and seventh layers forms a non-surjective function, so not all 64-bit values are attainable as the output of the seventh layer.

Furthermore, layers 8–10 depend only on $K_2$, $K_3$, and not on $K_0$, $K_1$. Therefore, we can isolate the effect of $K_2$, $K_3$ and attack them standing alone. Later, we can peel off layers 8–10 and use separate techniques (see Sections 8–9) to recover the remainder of the key ($K_0$, $K_1$).

4 Linear algebra

The linear recombination step (layer seven) suffers from the following regularity. Denote by $\tau$ the 8-vector $[1, 1, 1, 1, -1, -1, -1, -1]$. The matrix $b_{ij}$ obeys $\sum_{i} \tau_i b_{ij} = 0 \pmod{256}$ for all indices $j$. This implies that

$$\sum_{i=0}^{7} \tau_i x_i^{(7)} = 0 \pmod{256}. \tag{2}$$

We can use this information, and a few known outputs of the stream generator, to recover the half of the key ($K_2$, $K_3$). For each byte position $i$ we have

$$x_i^{(7)} = S_0(x_i^{(8)}) = S_0(x_i^{(9)} \oplus k_i),$$

recalling that $S_0$ is its own inverse. For each $i$ this gives a fixed mapping from $x_i^{(9)}$ to $x_i^{(7)}$, independent of time and of the other bytes. Denote by $y_{ij}$ the unknown quantity $y_{ij} = S_0(j \oplus k_i)$ which would be the value of $x_i^{(7)}$ if $x_i^{(9)} = j$. For each block of output of the stream cipher (at time $t$) we obtain a linear equation relating these quantities:

$$0 = \sum_{i=0}^{7} \tau_i x_i^{(7,t)} = \sum_{i=0}^{7} \tau_i\, y_{i,\,x_i^{(9,t)}} \pmod{256}.$$

After we obtain about 2,048 blocks (16,384 bytes) of output, we will have 2,048 linear equations in the 2,048 unknowns $y_{ij}$, $0 \le i \le 7$, $0 \le j \le 255$. Because of homogeneity these equations will not be independent, and for fixed $i$ we will recover $y_{ij}$ only up to an unknown multiplicative factor and an unknown additive shift:

$$y_{ij} = \alpha z_{ij} + \beta \pmod{256} \tag{3}$$

with $z_{ij}$ known but $\alpha$, $\beta$ unknown. But this is clearly enough information to recover the unknown key byte $k_i$, using a few hundred operations of trial-and-error. For each possible value for $k_i$, decrypt three or four values $j = x_i^{(9)}$ into $y_{ij} = S_0(j \oplus k_i)$ and check against (3). The correct $k_i$ will be compatible with (3), and only a few others; a few more trial decryptions should rule out the false alarms.

Having determined $(k_0, \dots, k_7) = (K_2, K_3)$, we still [footnote 2] have to find $K_0$ and $K_1$. This seems to be more expensive (and less interesting). We see a way of finding them using about $2^{32}$ operations and just a few known outputs of the stream cipher. See Sections 8–9.

The present attack does require about 2048 blocks (16384 bytes) of stream output. Those known plaintext requirements are not onerous, but it is possible to reduce them even further with meet-in-the-middle techniques, which we discuss next.

5 A meet-in-the-middle attack

In this attack, we take advantage of the non-surjectivity of layer seven in a different way. It is essentially a meet-in-the-middle attack, taking advantage of unattainable values at the output of the seventh layer. Roughly speaking, we guess ($K_2$, $K_3$) and work backwards from a block of known keystream to find the output of the seventh layer, using unattainable values to rule out incorrect guesses at ($K_2$, $K_3$). This would take $2^{64}$ time to implement as stated; however, we have an optimization (again based on meet-in-the-middle techniques) to reduce the complexity to .

As before, we rely on the crucial observation (2). If we take some keystream block $x^{(9)}$, then inverting layers 8–9 shows that $x_i^{(7)} = S_0(x_i^{(9)} \oplus k_i)$. Plugging into (2) gives us a relation that the correct value of the key $k_0, \dots, k_7$ must satisfy.

So the attack proceeds as follows. We define

$$g(K_2, y_0, \dots, y_3) = \sum_{i=0}^{3} S_0(y_i \oplus k_i) \pmod{256}$$

$$h(K_3, y_4, \dots, y_7) = \sum_{i=4}^{7} S_0(y_i \oplus k_i) \pmod{256}.$$
We obtain eight known keystream blocks $x^{(9,j)}$, $0 \le j \le 7$, and let

$$g(K_2) = \big(g(K_2, x_0^{(9,0)}, \dots, x_3^{(9,0)}), \dots, g(K_2, x_0^{(9,7)}, \dots, x_3^{(9,7)})\big)$$

$$h(K_3) = \big(h(K_3, x_4^{(9,0)}, \dots, x_7^{(9,0)}), \dots, h(K_3, x_4^{(9,7)}, \dots, x_7^{(9,7)})\big).$$

Footnote 2: In some situations, recovering just ($K_2$, $K_3$) might conceivably suffice. After all, this gives us enough information to predict some keystream bytes: given any seven bytes from a keystream block, we can predict the eighth unknown byte with certainty by using (2). However, we can do much better. As we shall see, recovering ($K_0$, $K_1$) in a second phase requires a bit more work, but it is still feasible.
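Relation (2), the key test it yields for a candidate ($K_2$, $K_3$), and the byte prediction of footnote 2, as an added example that is not part of the paper. The permutations $S_1, \dots, S_4$ are not listed on this page, so seeded random permutations stand in for them, and the layer-6 ordering X[4i+m] = S_{m+1}(x_i) is an assumption; the relation holds for any choice of either.

```python
import random

# S0 as defined on the page: (x^255 mod 257) mod 256. It is its own inverse.
S0 = [pow(x, 255, 257) % 256 for x in range(256)]

# Layer 7: row r lists the indices j with b[r][j] = 1 (copied from equation (1)).
B_ROWS = [
    [0, 5, 10, 15, 16, 22, 24, 30],
    [1, 6, 11, 12, 17, 23, 25, 31],
    [2, 7, 8, 13, 18, 20, 26, 28],
    [3, 4, 9, 14, 19, 21, 27, 29],
    [16, 21, 26, 31, 0, 6, 8, 14],
    [17, 22, 27, 28, 5, 11, 13, 3],
    [18, 23, 24, 29, 10, 12, 2, 4],
    [19, 20, 25, 30, 15, 1, 7, 9],
]
# tau: +1 on output bytes 0-3, -1 on bytes 4-7; tau_times_b() checks it annihilates b.
TAU = [1, 1, 1, 1, -1, -1, -1, -1]

# ASSUMPTION: S1..S4 are not given on the page; seeded random permutations stand in.
_rng = random.Random(1)
SBOXES = [_rng.sample(range(256), 256) for _ in range(4)]


def tau_times_b():
    """Value of sum_i tau_i * b_ij (mod 256) for each column j; all zeros expected."""
    return [sum(TAU[r] for r in range(8) if j in B_ROWS[r]) % 256 for j in range(32)]


def layers_6_to_9(x5, key):
    """Map 8 layer-5 bytes to the 8 keystream bytes x^(9) under key bytes k_0..k_7."""
    # Layer 6 (assumed ordering): X[4i + m] = S_{m+1}(x_i).
    X = [SBOXES[m][x] for x in x5 for m in range(4)]
    Y = [sum(X[j] for j in row) % 256 for row in B_ROWS]   # layer 7
    return [S0[y] ^ k for y, k in zip(Y, key)]              # layers 8 and 9


def relation2(x9, key):
    """Left side of (2) after undoing layers 9 and 8 with a candidate (K2, K3)."""
    return sum(t * S0[x ^ k] for t, x, k in zip(TAU, x9, key)) % 256


def predict_byte(x9, pos, key):
    """Recover keystream byte `pos` from the other seven (x9[pos] is never read)."""
    partial = sum(TAU[i] * S0[x9[i] ^ key[i]] for i in range(8) if i != pos)
    y = (-TAU[pos] * partial) % 256        # tau_pos is +1 or -1, its own inverse
    return S0[y] ^ key[pos]


def demo(n_blocks=2000, seed=7):
    rng = random.Random(seed)
    rand8 = lambda: [rng.randrange(256) for _ in range(8)]
    key, wrong = rand8(), rand8()
    # Constructed keystream: random layer-5 states stand in for layers 1-5.
    blocks = [layers_6_to_9(rand8(), key) for _ in range(n_blocks)]
    return {
        "true_key_passes": sum(relation2(b, key) == 0 for b in blocks),
        "wrong_key_passes": sum(relation2(b, wrong) == 0 for b in blocks),
        "byte7_predicted": all(predict_byte(b, 7, key) == b[7] for b in blocks),
    }


if __name__ == "__main__":
    print(tau_times_b() == [0] * 32, demo())
```

The correct key satisfies the relation on every block, while an unrelated guess passes a single block only about one time in 256, which is why eight blocks suffice to filter guesses in this section.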

Note that, for the correct value of ($K_2$, $K_3$), we have $g(K_2) = h(K_3)$.

After all this effort to frame things in the language of meet-in-the-middle attacks, it should be clear how to recover ($K_2$, $K_3$) with standard techniques. (Here the middle for the meet-in-the-middle attack will be the 64-bit value $g(K_2) = h(K_3)$, i.e. a characteristic of the output of the seventh layer.) First, for each guess at $K_2$, we compute $g(K_2)$, and store the pair $(g(K_2), K_2)$ in a hash table indexed on the first coordinate of the pair. After enumerating all $2^{32}$ possibilities for $K_2$, we will have constructed a hash table of size . Then, for each guess at $K_3$, we compute $h(K_3)$ and look it up in the hash table. If we find a match $g(K_2) = h(K_3)$, then with high probability we will have obtained the correct values for ($K_2$, $K_3$).

We need eight keystream blocks to ensure that the test will eliminate nearly all incorrect values. One can count the number of false alarms by counting the number of solutions $a$, $b$ to $g(a) = h(b)$. Because $S_0$ is highly non-linear, we are justified in expecting the functions $g$, $h$ to behave roughly like random functions of the form Z Z . Combining this heuristic with the birthday paradox, we find that the probability of generating a false alarm is 1 e , and the expected number of false alarms is 1.

To aid the intuition, we can think of the present attack as applying a meet-in-the-middle attack twice, splitting the cipher first with a horizontal cut and then splitting it again with a vertical cut. The horizontal cut is possible because layer seven fails to be surjective, and it is beneficial because layers 8–10 only depend on half of the key. (There is a slight difference, though. In a normal meet-in-the-middle attack, one computes forward part-way, backward part-way, and then meets in the middle. In our attack on TWOPRIME, because layers 6–7 fail to be surjective, we only need to compute backwards, and the forward part of the computation is substantially simplified.)
The vertical cut is made possible by the linearity of layer seven (or, more precisely, the linearity of (2)). Here the middle is the value $g(K_2) = h(K_3)$. We compute up the left half, and up the right half, and then meet in the middle of the output of the seventh layer. This second application of meet-in-the-middle techniques lets us isolate the effect of $K_2$ from that of $K_3$, and hence reduces the attacker's workload significantly.

In summary, we can recover ($K_2$, $K_3$) with $2^{32}$ offline work, $2^{32}$ space, and about eight blocks (64 bytes) of known keystream. As we shall see in Section 10, the computational requirements are not unreasonable.

6 Splitting the period

The previous two attacks could be avoided (in a hypothetical TWOPRIME successor) by using a different linear transformation at layer seven. So we develop here another attack against that eventuality. This attack is similar to the attacks on two-loop Vigenere ciphers, which can be found in references [Sin68] and [Tuc70].

For an arbitrary time step $t_0$, let us consider the outputs at four specific time steps:

$a = t_0$
$b = t_0 + p_0$
$c = t_0 + p_1$
$d = t_0 + p_0 + p_1$.

Because the counters at layer 1 are cyclic with periods $p_0$ and $p_1$ respectively, we have

$$x_i^{(1,a)} = x_i^{(1,b)},\quad x_i^{(1,c)} = x_i^{(1,d)},\quad 0 \le i \le 3$$
$$x_i^{(1,a)} = x_i^{(1,c)},\quad x_i^{(1,b)} = x_i^{(1,d)},\quad 4 \le i \le 7,$$

and hence, because the actions of subsequent layers are time-invariant,

$$x_i^{(3,a)} = x_i^{(3,b)},\quad x_i^{(3,c)} = x_i^{(3,d)},\quad 0 \le i \le 3$$
$$x_i^{(3,a)} = x_i^{(3,c)},\quad x_i^{(3,b)} = x_i^{(3,d)},\quad 4 \le i \le 7.$$

Consider the event $E$ that the following two equations both hold:

$$\sum_{i=0}^{3} x_i^{(3,a)} = \sum_{i=0}^{3} x_i^{(3,c)} \pmod{256}$$
$$\sum_{i=4}^{7} x_i^{(3,a)} = \sum_{i=4}^{7} x_i^{(3,b)} \pmod{256}.$$

Each equation holds with probability about 1/256 (for randomly chosen time step $t_0$), and the two are independent, so that event $E$ holds with probability about 1/ . When it does hold, we have

$$\sum_{i=0}^{7} x_i^{(3,a)} = \sum_{i=0}^{7} x_i^{(3,b)} = \sum_{i=0}^{7} x_i^{(3,c)} = \sum_{i=0}^{7} x_i^{(3,d)} \pmod{256}.$$

This in turn implies that the outputs of layer 4 are well behaved:

$$x_i^{(4,a)} = x_i^{(4,b)},\quad x_i^{(4,c)} = x_i^{(4,d)},\quad 0 \le i \le 3$$
$$x_i^{(4,a)} = x_i^{(4,c)},\quad x_i^{(4,b)} = x_i^{(4,d)},\quad 4 \le i \le 7.$$

This can be pushed forward to give information on the outputs of layer 6:

$$x_i^{(6,a)} = x_i^{(6,b)},\quad x_i^{(6,c)} = x_i^{(6,d)},\quad 0 \le i \le 15,$$
$$x_i^{(6,a)} = x_i^{(6,c)},\quad x_i^{(6,b)} = x_i^{(6,d)},\quad 16 \le i \le 31,$$
$$x_i^{(6,a)} + x_i^{(6,d)} = x_i^{(6,b)} + x_i^{(6,c)},\quad 0 \le i \le 31,$$

and because layer 7 is linear (mod 256), we get

$$x_i^{(7,a)} + x_i^{(7,d)} = x_i^{(7,b)} + x_i^{(7,c)} \pmod{256}. \tag{4}$$

Suppose we know that event $E$ has occurred for time step $t_0$, and that we have available, for $h = a, b, c, d$, the output of the stream cipher $x^{(9,h)}$. Then from $x_i^{(7,h)} = S_0(k_i \oplus x_i^{(9,h)})$ and (4), we get a suitability test for possible values of key byte $k_i$. That is, for each position $0 \le i \le 7$, for each possible value of $k_i$, we test whether the values of $x_i^{(7,h)}$ obtained from $x_i^{(9,h)}$ using $k_i$ would satisfy (4):

$$S_0(k_i \oplus x_i^{(9,a)}) + S_0(k_i \oplus x_i^{(9,d)}) \stackrel{?}{=} S_0(k_i \oplus x_i^{(9,b)}) + S_0(k_i \oplus x_i^{(9,c)}) \pmod{256}. \tag{5}$$

Each concatenation of possible bytes $(k_0, k_1, \dots, k_7)$ from this step represents a possible setting of ($K_2$, $K_3$) consistent with the event $E$ having occurred at this time step $t_0$. We will call this 8-byte setting a putative key. If event $E$ did occur, then the correct setting of $(k_0, k_1, \dots, k_7)$ will be represented among these possibilities. If it did not occur, we may get several false alarms.

The difficulty is that we do not know, a priori, whether event $E$ occurred or not. We may find that for one of the byte positions $i$ there is no possible setting of $k_i$ satisfying (5); in this case we know that $E$ did not occur at $t_0$ and this case can be discarded.

Our strategy will be to try about 330,000 different values of $t_0$, and for each one that has at least one possible setting for each of the eight bytes $k_i$, record the possible values of the 8-tuple $(k_0, k_1, \dots, k_7) = (K_2, K_3)$. The correct value should show up about five times among these putative keys, and incorrect values should show up less often. Having ascertained the correct value for ($K_2$, $K_3$), we will be able to get the keys ($K_0$, $K_1$) with less difficulty in Section 8.

7 Probabilistic analysis

For our analysis it will be useful to know the following two probability distributions. For bytes $x_a, x_b, x_c, x_d$, representing $x_i^{(9,a)}, \dots, x_i^{(9,d)}$, let $N(x_a, x_b, x_c, x_d)$ be the number of key bytes $k$ that would satisfy (5):

$$S_0(k \oplus x_a) + S_0(k \oplus x_d) \stackrel{?}{=} S_0(k \oplus x_b) + S_0(k \oplus x_c) \pmod{256}. \tag{6}$$

We want to know the distribution $P_1(n) = \Pr(N(x_a, x_b, x_c, x_d) = n)$ when the $x_h$ are independent random variables.
We also want to know the distribution $P_2(n) = \Pr(N(x_a, x_b, x_c, x_d) = n)$ when the $x_h$ are known to arise from event $E$, that is, when the correct key byte $k$ is known to satisfy (6). The two are related by $P_2(n) = n P_1(n)$.

The experimental distributions are given in the Appendix. The first distribution is almost Poisson with mean 1: $P_1(n) = e^{-1}/n!$, with three notable exceptions.

First, $P_1(256) \approx 2/256^2 = 2^{-15}$, because with that probability we either have ($x_a = x_b$ and $x_c = x_d$), or ($x_a = x_c$ and $x_b = x_d$), and in either case all key bytes $k$ will work.

Second, $P_1(128) \approx (1/2)/256^2 = 2^{-17}$, and similarly $P_1(64) \approx (5/4)/256^2$, $P_1(32) \approx (13/8)/256^2$, and $P_1(16)$, $P_1(8)$ are similarly high. This happens because of idiosyncrasies of the permutation $S_0$. For example, in the case $n = 128$, consider the event that $x_a \oplus x_d = x_b \oplus x_c =$ in binary, and $x_a$ and $x_b$ agree in the second-lowest bit. This event has probability $(1/256)^2 (1/2) =$ . When this happens, for all 128 key bytes $k$ disagreeing with $x_a$ in the second-lowest bit, we have $(k \oplus x_a) + (k \oplus x_d) = 257$. Then, because $S_0(x) = x^{-1} \pmod{257}$ if $x \ne 0$, we have

$$S_0(k \oplus x_a) + S_0(k \oplus x_d) = S_0(k \oplus x_b) + S_0(k \oplus x_c) = 257$$

for each of these 128 values of $k$, so that $N(x_a, x_b, x_c, x_d) \ge 128$. This implies $P_1(128)$ . Similar calculations obtain for $n = 64, 32, 16, 8$.

Third, it appears experimentally that $P_1(0)$ is a little higher than expected: 0.40 rather than 0.37; and $P_1(1)$ is a little lower. This may be related to the first two observations.

These deviations from the Poisson distribution, particularly the relatively high values of $P_2(256)$ and $P_2(128)$, create a minor nuisance for our cryptanalysis.

When event $E$ has happened, the distribution $P_2(n)$ is related to the number of trial key bytes $k_i$ that would satisfy (6) in each byte position. The number of 8-byte keys $(k_0, k_1, \dots, k_7)$ is given by

$$\prod_{i=0}^{7} N(x_i^{(9,a)}, x_i^{(9,b)}, x_i^{(9,c)}, x_i^{(9,d)})$$

with expected value about 120,000. This expected value is so high because of the unusually large values of $P_2(256)$ and $P_2(128)$.

When event $E$ has not happened, the distribution $P_1(n)$ is relevant, and the expected number of 8-byte keys is 1. In fact with probability about 1 ( ) at least one of the values $N(x_i^{(9,a)}, x_i^{(9,b)}, x_i^{(9,c)}, x_i^{(9,d)})$ is zero, so that no 8-byte keys are valid; with the complementary probability 0.016, all are nonzero, and then the expected number of keys is 1/ .

So with 330,000 experiments, the expected number of 8-byte putative keys is 5 × 120,000 + (330,000 − 5) × 1 = 930,000.
Among these, the correct key should appear five times, and should be easy to detect; incorrect keys should appear at most once, with possible exception of those differing from the correct key in only one or two bytes.

Remark: Although the mean number of putative keys is fairly small, the variance is huge; the standard deviation exceeds . This is because of the relatively high probability that, for a given time step and byte position, $N(x_a, x_b, x_c, x_d)$ is either 256 or 128; if several such bytes occur at the same time step, this time step will yield a huge number of putative keys. In this case an alternative data structure is called for. For example, if one time step has two or more such byte positions, declare that event $E$ has probably occurred, and deduce putative values for the remaining six or fewer key bytes. Or we could simply list 4-byte putative keys $K_2$ and $K_3$ separately.
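The two distributions of Section 7, estimated by sampling, as an added example that is not part of the paper. It counts the key bytes passing test (6) for independent bytes ($P_1$) and for bytes constructed so that a true key byte passes ($P_2$); the sampler for the second case is a modelling assumption of this sketch.

```python
import random
from collections import Counter

# S0 as defined on the page; S0(S0(x)) = x.
S0 = [pow(x, 255, 257) % 256 for x in range(256)]


def N(xa, xb, xc, xd):
    """Number of key bytes k that pass test (6) for one byte position."""
    return sum(
        (S0[k ^ xa] + S0[k ^ xd] - S0[k ^ xb] - S0[k ^ xc]) % 256 == 0
        for k in range(256)
    )


def sample_independent(rng):
    """Four independent uniform keystream bytes (the setting of P1)."""
    return tuple(rng.randrange(256) for _ in range(4))


def sample_under_E(rng):
    """Bytes for which a random true key byte k satisfies (6) (the setting of P2).

    Assumption of this sketch: k, xa, xb, xc are uniform and xd is solved from (6).
    """
    k, xa, xb, xc = (rng.randrange(256) for _ in range(4))
    target = (S0[k ^ xb] + S0[k ^ xc] - S0[k ^ xa]) % 256
    return xa, xb, xc, k ^ S0[target]   # S0 is an involution: S0(k ^ xd) = target


def histogram(sampler, samples=4000, seed=3):
    """Empirical distribution {n: Pr(N = n)} under the given sampler."""
    rng = random.Random(seed)
    counts = Counter(N(*sampler(rng)) for _ in range(samples))
    return {n: c / samples for n, c in sorted(counts.items())}


def compare(samples=4000):
    """Rows (n, P1(n), n*P1(n), P2(n)) for small n; the text relates P2(n) = n*P1(n)."""
    p1 = histogram(sample_independent, samples)
    p2 = histogram(sample_under_E, samples)
    return [(n, p1.get(n, 0.0), n * p1.get(n, 0.0), p2.get(n, 0.0)) for n in range(6)]


if __name__ == "__main__":
    for row in compare():
        print("n=%d  P1=%.3f  n*P1=%.3f  P2=%.3f" % row)
```

The rare values such as $N = 256$ or $N = 128$ seldom show up in a few thousand samples; the degenerate inputs that force them can be checked directly, for example `N(5, 5, 9, 9)`.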

8 Splitting the period, again

Having determined $K_2$ and $K_3$ by the attack in Section 6, we also know the handful of positions where event $E$ has occurred; we know several places where

$$\sum_{i=0}^{3} x_i^{(3,a)} = \sum_{i=0}^{3} x_i^{(3,c)} \pmod{256}.$$

Because of the relation between $x^{(3)}$ and $x^{(2)}$ we also have

$$\sum_{i=0}^{3} x_i^{(2,a)} = \sum_{i=0}^{3} x_i^{(2,c)} \pmod{256},$$

whence

$$\sum_{i=0}^{3} S_0(x_i^{(1,a)}) = \sum_{i=0}^{3} S_0(x_i^{(1,c)}) \pmod{256}. \tag{7}$$

By enumeration of $2^{32}$ possibilities, we can find all the possible values of the concatenation $(x_0^{(1,a)}, x_1^{(1,a)}, x_2^{(1,a)}, x_3^{(1,a)})$ and hence, by adding $p_1 a_0 \pmod{p_0}$, the concatenation $(x_0^{(1,c)}, x_1^{(1,c)}, x_2^{(1,c)}, x_3^{(1,c)})$, which satisfy (7). This whittles down the possible values of $K_0$ from a collection of $2^{32}$ to about $2^{32}$/256 5 = $2^{12}$ possible values. Similar calculations reduce our choice of $K_1$ to about $2^{12}$ possible values. The correct values can be gotten by exhaustion.

9 Meet-in-the-middle, again

Another approach at recovering ($K_0$, $K_1$) is given here. We assume that we have previously identified ($K_2$, $K_3$) using any of the attacks from Sections 4–6. This attack requires only $2^{32}$ operations, $2^{24}$ space, and two known keystream blocks; therefore, it should be very fast.

Because of the form of the linear relation in layer 7, we find that the sum

$$x_0^{(7)} + x_2^{(7)} - x_4^{(7)} - x_6^{(7)} \pmod{256}$$

depends only on the four bytes $x_i^{(5)}$, $i = 1, 3, 5, 7$. Use a meet-in-the-middle approach, requiring time = $2^{24}$, to discover all the $2^{24}$ values of the 4-tuple $[x_i^{(5)}, i = 1, 3, 5, 7]$ that could lead to a given value for this sum. Similarly the sum

$$x_0^{(7)} + x_2^{(7)} - x_5^{(7)} - x_7^{(7)} \pmod{256}$$

depends only on the four bytes $x_i^{(5)}$, $i = 0, 2, 4, 6$. Combine these two lists with another meet-in-the-middle attack, and in time $2^{24}$ we can recover the 8-tuple $x^{(5)}$ from any given value of the 8-tuple $x^{(7)}$.

Use time $2^{24}$ to decrypt one ciphertext back to layer 5. For each of the $2^{32}$ trial subkeys $K_0$, compute forward to $x_i^{(3)}$, $0 \le i \le 3$, and backward from layer 5 to $x_i^{(4)}$, $0 \le i \le 3$.
See whether there is a byte sum $\sum_{i=0}^{7} x_i^{(3)}$ which would enable the linear permutation at layer 4 to map $x_i^{(3)}$, $0 \le i \le 3$ to $x_i^{(4)}$, $0 \le i \le 3$. We expect 256 trial subkeys $K_0$ to pass this test. Similarly develop 256 trial subkeys $K_1$. Try each of the resulting 65,536 pairs ($K_0$, $K_1$) on another ciphertext to determine the correct pair.

10 Computational requirements

The first attack should take only a few seconds to find all of $K_2$ and $K_3$, including gathering data.

The meet-in-the-middle attack recovering ($K_2$, $K_3$) (see Section 5) requires $2^{32}$ hash table lookups and about $2^{33}$ words of memory. If we keep the entire table in memory, the $2^{32}$ table lookups will take only 400 seconds or so (assuming 100ns access time to main memory, which is not unreasonable). The space requirements may be more noticeable. One simple approach is to distribute the table across a cluster of 256 workstations, each with 128 MB of memory; such a cluster would take roughly 400 seconds to find ($K_2$, $K_3$). Another simple approach, if only one workstation is available, is to trade off time for memory: by splitting the table across time, one workstation can finish in seconds (about one month), and $n$ workstations will finish $n$ times as fast as that. This is not out of reach, and the interested reader might be able to find better ways to reduce memory needs: for example, the parallel collision search techniques of van Oorschot and Wiener [OW96] (applied to find a "golden collision") look promising.

For the attack based on identifying occurrences of event $E$ (see Sections 6–8), we need the generator to run for $p_0 + p_1$ time steps, generating $2^{36}$ bytes. At the advertised speed of 1 megabyte per second, this will take about nineteen hours. We will look at only 1,000,000 message blocks (8,000,000 bytes): 330,000 at the beginning (representing $a$), another 330,000 in the middle (representing both $b$ and $c$, because $p_0$ and $p_1$ are so close to each other), and another 330,000 at the end. For each selection $(a, b, c, d)$ we might need to evaluate = 2048 trial key bytes $0 \le k_i \le 255$, $0 \le i \le 7$. However, realize that much of the time we will find that, for example, key byte $k_1$ has no possible values, so that bytes $k_2, \dots, k_7$ need not be examined for this case. In total about 212,000,000 key bytes need to be examined.
11 TWOPRIME-1

The same paper [DNRS97] proposes a faster version TWOPRIME-1, differing from TWOPRIME only in the seventh layer; in TWOPRIME-1, this layer preserves halves. That is, the output bytes $x_i^{(7)}$, $0 \le i \le 3$ only depend on the input bytes $x_i^{(6)}$, $0 \le i \le 15$, and the output bytes $x_i^{(7)}$, $4 \le i \le 7$ only depend on the input bytes $x_i^{(6)}$, $16 \le i \le 31$.

This means that the only interaction between the left and right halves of the message occurs during the linear permutation in the fourth layer, and there the interaction is limited to the one byte $\sum_i x_i^{(3)} \pmod{256}$. In two time steps where this sum agrees, the halves are completely separated.

So we can examine the output at time $a = t_0$ and $b = t_0 + p_0$. If

$$\sum_{i=4}^{7} x_i^{(3,a)} = \sum_{i=4}^{7} x_i^{(3,b)} \pmod{256}$$

(i.e. the second of the two conditions for event $E$), then

the left-hand half of the output of each layer is the same for $a$ as for $b$:

$$x_i^{(j,a)} = x_i^{(j,b)},\quad 0 \le i \le 3,\ j \ne 6$$
$$x_i^{(6,a)} = x_i^{(6,b)},\quad 0 \le i \le 15.$$

In particular the left-hand halves of the outputs will agree. By identifying eight pairs $(a, b)$ where these output halves agree, we can deduce the value of $K_0$ as in the TWOPRIME case. Similar computations give us $K_1$.

We can then use exhaustive search to compute $K_2$ in about $2^{32}$ steps. For example, if we guess the four bytes representing $\big(\sum_{j=0}^{7} k_j\big)\ k_i$, $0 \le i \le 3$, and we know the values of $K_0$ and $K_1$, we can find the left-hand half of all layers up through layer 8. We can compare the encryptions of two unrelated time steps, say $a$ and $e$, to see whether

$$x_i^{(8,a)} \oplus x_i^{(8,e)} \stackrel{?}{=} x_i^{(9,a)} \oplus x_i^{(9,e)},\quad 0 \le i \le 3.$$

If not, these four bytes are wrong. But if they are equal, we can use layer 8 to deduce $K_2$, giving us another check on our original assumptions, and furnishing us with the correct value of $K_2$. The calculation of $K_3$ is left to the reader.

We needed to run the generator for $2^{32}$ messages ($2^{35}$ bytes), or ten hours, and examine about = 4,096 blocks (32,768 bytes). The computational requirements of $2^{32}$ operations are not onerous, and the interested reader might well find more efficient methods to discover $K_2$.

Another approach is also available. In the first phase of this attack, we recover ($K_2$, $K_3$). The key observation is that (modelling each half of layers 6–7 as a random function) only about $1 - e^{-1}$ of the $2^{32}$ possible values for the left half of the output of the seventh layer will actually be attainable. Therefore, in the first phase, we guess $K_2$, compute up the left side of the cipher to the output of the seventh layer, and discard guesses at $K_2$ when they produce unattainable intermediate values. Because $(1 - e^{-1})^{50} < 2^{-32}$, we see that after about 50 blocks (400 bytes) of known plaintext, there will be just one value remaining, namely, the correct value of $K_2$. A similar technique recovers $K_3$.

Now the second phase proceeds as in Section 9.
For each guess at $K_0$, we compute forward down the left side of the cipher to the output of layer 3 and backward to the output of layer 4, checking to see whether the two are compatible. We expect 256 values of $K_0$ to remain, and similarly 256 values of $K_1$; these remaining $2^{16}$ possibilities can be checked by trial encryption.

In short, this second approach breaks TWOPRIME-1 with about the same time and space complexity as the corresponding attack on TWOPRIME. We require slightly more known plaintext, but 50 blocks (400 bytes) of known plaintext should be readily available in many systems.

12 ONEPRIME

The same paper [DNRS97] proposes a scheme ONEPRIME, which differs from TWOPRIME only in the first layer: instead of two primes $p_0$ and $p_1$, we have

only one prime $p$ = and fixed multiplier $a$. The output of the first layer at time $t$ is

$$(x_0^{(1)}, \dots, x_7^{(1)}) = at + (K_0, K_1) \pmod{p}.$$

A slight modification enables our attack to run against this scheme as well. Based on the value $a$ (which was not specified in the paper), compute values 0 and 1 such that in the binary representation of a 0 (mod p), the left-most 34 bits are 0 (so that the left half is 0 and the right half represents an integer smaller than $2^{30}$). Similarly in the binary representation of a 1 (mod p), the leftmost (highest order) two bits are 0, and the rightmost 32 bits are 0. Each should be about $2^{34}$ and can be computed using methods from continued fractions. Then if we select time steps

$a = t_0$
b = t
c = t
d = t

we will find, with probability exceeding $(3/4)^2 > 0.56$, that the left-hand halves of the outputs of layer 1 agree at times $a$ and $b$, as well as at times $c$ and $d$; and the right-hand halves agree at times $a$ and $c$, as well as at times $b$ and $d$. The rest of the attack proceeds as before. We need the generator to run for somewhat longer, because 0 > $p_0$, and we need to examine some more ciphertext, because our favorable conditions only occur with probability 0.56, but the attack is still feasible.

Another approach is also available. We can break ONEPRIME with meet-in-the-middle techniques. In fact, simply applying the attacks in Sections 5 and 9 immediately breaks ONEPRIME, without any modifications needed. This second approach requires eight blocks of known keystream as well as $2^{33}$ time and $2^{32}$ space.

13 Discussion

At a high level, the intuition behind some of our cryptanalysis is that we apply the meet-in-the-middle attack repeatedly, at two levels of abstraction. First, we divide the cipher horizontally between layers, and meet at the middle (the output of the seventh layer) at the highest level of abstraction. Second, we divide the cipher vertically into left and right halves, and meet in the middle, where the middle is a characteristic of the output of the seventh layer. Some of the techniques, e.g.
Sections 6–8, do not fall cleanly into this model. We will ignore them for the moment.

Note that the vertical split can be viewed as decomposing the 64-bit function $F$ into two parallel 32-bit functions $G$, $H$. In other words, splitting $F$ vertically corresponds to writing $F(a, b) = (G(a), H(b))$. Of course, given such a parallel

decomposition, we can apply a divide-and-conquer attack; since breaking a 32-bit function has complexity at most $2^{32}$, such a decomposition lets us break $F$ in at most time. So we conclude that $F$ should be designed to resist parallel decomposition, and in particular there should be no parallel $G$, $H$ that approximate $F$. This just comes down to ensuring there is plenty of diffusion, a well-known design principle for cipher design. This lack of diffusion helped make our attacks on TWOPRIME possible.

We can also analyze the horizontal split in terms of functional decomposition. In this case, we find that it corresponds to finding $G$, $H$ such that $F = H \circ G$ (i.e. $F(a) = H(G(a))$). When we can find such $G$, $H$ where $G$ is non-surjective and $H$ is bijective, then meet-in-the-middle attacks may allow the cryptanalyst to isolate the effect of $G$ from the effect of $H$. In other words, the cryptanalyst can often analyze $H$ without taking into account the effect of $G$ (or the key bits that enter $G$); once $H$ has been broken, the cryptanalyst can then peel off the effect of $H$ (since it is bijective) and attack $G$ alone. The result of such a divide-and-conquer attack would be that $F$ is not much stronger than the strongest of $G$ or $H$ standing alone. TWOPRIME put some of its strength into $G$, and some into $H$, with the result that much of its strength was wasted. Far better would have been to concentrate all the strength in one of $G$ or $H$ and make the other as simple as possible, to avoid this potential danger.

Therefore, we suggest the following design principle, which seems broadly applicable to the construction of non-bijective cryptographic functions from a product of rounds. One should avoid introducing non-surjectivity in the middle of the function, because that may speed up meet-in-the-middle attacks and thus waste precious cryptographic strength.

Note that the latter design principle offers some intuitive justification for the structure of many of today's most successful non-bijective cryptographic functions (such as MD5, SHA, ...). The Davies-Meyer construction [Win84] builds $F$ as $F(a) = G(a) \oplus a$.
Here all the strength s concentrated n a bjectve functon G (usually bult out of a block cpher); the non-surjectvty s ntroduced as late as possble, and as smply as possble. MD2 [Kal92] and Snefru [Mer90] also follow our suggested desgn prncple: they too use a bjectve functon G at the core, and ntroduce non-surjectvty only at the endponts (by addng smple redundancy to the nput of G, and truncatng ts output). Ths desgn prncple s not novel. It has been dscussed n more detal by Preneel n the context of the desgn of compresson functons for hash functons; see [Pre93, e.g. Secton 4.2]. 14 Conclusons Pullng t all together, we can dentfy three mportant attacks aganst TWOPRIME. Frst, we can break TWOPRIME wth 2048 blocks of known keystream and 2 32 work by usng the technques of Sectons 4 and 9. Alternatvely, we can get by wth only 8 blocks of known keystream wth repeated use of meet-n-the-mddle

16 attacks (Sectons 5 and 9); the cost s that we need 2 32 space as well as 2 33 work. Fnally, we can cryptanalyze TWOPRIME wth 2 33 blocks of known keystream and about 2 28 operatons by usng the methods from Sectons 6 8; ths last attack uses no specal features of the compresson functon n layer seven (other than ts lnearty). We see that, for a cpher wth a 128-bt key, TWOPRIME s dsappontngly weak. We have ponted out weaknesses n two of the layers n TWOPRIME. Because TWOPRIME has only nne layers, each layer les close to the surface, and any weakness s more easly exploted. The system needs more layers to have any serous cryptographc strength. References [DNRS97] C. Dng, V. Nem, A. Renvall, and A. Salomaa, TWOPRIME: A Fast Stream Cpherng Algorthm, Fast Software Encrypton, FSE 97, Sprnger LNCS volume 1267, pages , [Kal92] B.S. Kalsk, The MD2 Message Dgest Algorthm, RFC 1319, Aprl [Mer90] R.C. Merkle, A Fast Software One-Way hash Functon, Journal of Cryptology, vol 3 no 1, [OW96] P.C. van Oorschot and M.J. Wener, Improvng mplementable meet-nthe-mddle attacks by orders of magntude, CRYPTO 96, pages , Sprnger-Verlag, [Pre93] B. Preneel, Desgn prncples for dedcated hash functons, Fast Software Encrypton, t FSE 93, Sprnger LNCS volume 809, pages 71 82, [Sn68] A. Snkov, Elementary Cryptanalyss, A Mathematcal Approach. New York: Random House, [Tuc70] B. Tuckerman, A study of the Vgenere-Vernam sngle and multple loop encpherng systems, IBM Research Report RC2879, 14 May 1970, Yorktown Heghts NY. [Wn84] R. Wnterntz, Producng One-Way Hash Functons from DES, Advances n Cryptology: Proceedngs of Crypto 83, Plenum Press, 1984, pp

17 A Appendx We gve here the expermental dstrbutons of P 1 (n) and P 2 (n): n e 1 /n! P 1 (n) P 2 (n) np1 (n) = 1, np2 (n) 4.3 Ths artcle was processed usng the L A TEX macro package wth LLNCS style
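The vertical-split argument above, F(a, b) = (G(a), H(b)), can be checked on a scaled-down toy. The following is an added example, not code from the paper or from TWOPRIME: the 16-bit round functions, constants, keys and known inputs are all constructed for illustration. It shows a diffusion check a designer can run, and that when the split exists the two half-keys fall to 2·2^16 trials instead of 2^32.

```python
"""Toy model of the vertical split F(a, b) = (G(a), H(b)).

Everything here (round functions, constants, keys, inputs) is constructed
for illustration; none of it is taken from TWOPRIME.
"""
import random

MASK16 = 0xFFFF
# Constructed known inputs standing in for blocks with known keystream.
KNOWN_INPUTS = [0x01234567, 0x89ABCDEF, 0x0F1E2D3C, 0xDEADBEEF]


def _rotl16(x, r):
    return ((x << r) | (x >> (16 - r))) & MASK16


def _half(x, k, mult, rot):
    """Keyed 16-bit toy function; every step is a bijection on x."""
    for r in range(3):
        x = (x + k) & MASK16
        x = (x * mult) & MASK16              # odd multiplier, invertible mod 2^16
        x = _rotl16(x, rot) ^ _rotl16(k, r + 1)
    return x


def G(a, kg):
    return _half(a, kg, 0x9E37, 5)


def H(b, kh):
    return _half(b, kh, 0x85EB, 9)


def f_split(x, key):
    """No diffusion: the high half sees only kg, the low half only kh."""
    kg, kh = key
    return (G(x >> 16, kg) << 16) | H(x & MASK16, kh)


def f_mixed(x, key):
    """Same components with one mixing step between the two layers."""
    kg, kh = key
    a, b = G(x >> 16, kg), H(x & MASK16, kh)
    a = (a + b) & MASK16                     # each half now depends on both inputs
    b ^= _rotl16(a, 7)
    return (G(a, kg) << 16) | H(b, kh)


def has_parallel_split(f, key, trials=2000, seed=1):
    """Design-review check: does changing one input half ever move the
    other output half? True means a parallel decomposition fits."""
    rng = random.Random(seed)
    for _ in range(trials):
        x = rng.getrandbits(32)
        y = f(x, key)
        lo_flip = x ^ (1 << rng.randrange(16))          # disturb b only
        hi_flip = x ^ (1 << (16 + rng.randrange(16)))   # disturb a only
        if (f(lo_flip, key) ^ y) >> 16:
            return False
        if (f(hi_flip, key) ^ y) & MASK16:
            return False
    return True


def recover_half_key(half_pairs, fn):
    """Exhaustive search over one 16-bit half-key; returns all survivors."""
    return [k for k in range(1 << 16)
            if all(fn(x, k) == y for x, y in half_pairs)]


def divide_and_conquer(pairs):
    """Attack each half independently using known (input, output) pairs."""
    g_pairs = [(x >> 16, y >> 16) for x, y in pairs]
    h_pairs = [(x & MASK16, y & MASK16) for x, y in pairs]
    cands_g = recover_half_key(g_pairs, G)
    cands_h = recover_half_key(h_pairs, H)
    trials = 2 * (1 << 16)                   # versus 2**32 for a joint search
    return cands_g, cands_h, trials


if __name__ == "__main__":
    key = (0x3A7C, 0xC15E)                   # constructed 32-bit key (kg, kh)
    pairs = [(x, f_split(x, key)) for x in KNOWN_INPUTS]
    cg, ch, trials = divide_and_conquer(pairs)
    print("split detected in f_split:", has_parallel_split(f_split, key))
    print("split detected in f_mixed:", has_parallel_split(f_mixed, key))
    print("surviving half-keys:", [hex(k) for k in cg], [hex(k) for k in ch])
    print("key trials:", trials, "instead of", 1 << 32)
```

The same per-half search run against `f_mixed` has nothing to grip, because neither output half is a function of a single half-key.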


Lai-Massey Scheme and Quasi-Feistel Networks (Extended Abstract) La-Massey Scheme and Quas-Festel Networks (Extended Abstract Aaram Yun, Je Hong Park 2, and Jooyoung Lee 2 Unversty of Mnnesota - Twn Ctes aaramyun@gmalcom 2 ETRI Network & Communcaton Securty Dvson, Korea

More information

LECTURE 9 CANONICAL CORRELATION ANALYSIS

LECTURE 9 CANONICAL CORRELATION ANALYSIS LECURE 9 CANONICAL CORRELAION ANALYSIS Introducton he concept of canoncal correlaton arses when we want to quantfy the assocatons between two sets of varables. For example, suppose that the frst set of

More information

Week3, Chapter 4. Position and Displacement. Motion in Two Dimensions. Instantaneous Velocity. Average Velocity

Week3, Chapter 4. Position and Displacement. Motion in Two Dimensions. Instantaneous Velocity. Average Velocity Week3, Chapter 4 Moton n Two Dmensons Lecture Quz A partcle confned to moton along the x axs moves wth constant acceleraton from x =.0 m to x = 8.0 m durng a 1-s tme nterval. The velocty of the partcle

More information

A Robust Method for Calculating the Correlation Coefficient

A Robust Method for Calculating the Correlation Coefficient A Robust Method for Calculatng the Correlaton Coeffcent E.B. Nven and C. V. Deutsch Relatonshps between prmary and secondary data are frequently quantfed usng the correlaton coeffcent; however, the tradtonal

More information

Lecture 2: Gram-Schmidt Vectors and the LLL Algorithm

Lecture 2: Gram-Schmidt Vectors and the LLL Algorithm NYU, Fall 2016 Lattces Mn Course Lecture 2: Gram-Schmdt Vectors and the LLL Algorthm Lecturer: Noah Stephens-Davdowtz 2.1 The Shortest Vector Problem In our last lecture, we consdered short solutons to

More information

Lectures - Week 4 Matrix norms, Conditioning, Vector Spaces, Linear Independence, Spanning sets and Basis, Null space and Range of a Matrix

Lectures - Week 4 Matrix norms, Conditioning, Vector Spaces, Linear Independence, Spanning sets and Basis, Null space and Range of a Matrix Lectures - Week 4 Matrx norms, Condtonng, Vector Spaces, Lnear Independence, Spannng sets and Bass, Null space and Range of a Matrx Matrx Norms Now we turn to assocatng a number to each matrx. We could

More information

Module 3 LOSSY IMAGE COMPRESSION SYSTEMS. Version 2 ECE IIT, Kharagpur

Module 3 LOSSY IMAGE COMPRESSION SYSTEMS. Version 2 ECE IIT, Kharagpur Module 3 LOSSY IMAGE COMPRESSION SYSTEMS Verson ECE IIT, Kharagpur Lesson 6 Theory of Quantzaton Verson ECE IIT, Kharagpur Instructonal Objectves At the end of ths lesson, the students should be able to:

More information

Chapter 5. Solution of System of Linear Equations. Module No. 6. Solution of Inconsistent and Ill Conditioned Systems

Chapter 5. Solution of System of Linear Equations. Module No. 6. Solution of Inconsistent and Ill Conditioned Systems Numercal Analyss by Dr. Anta Pal Assstant Professor Department of Mathematcs Natonal Insttute of Technology Durgapur Durgapur-713209 emal: anta.bue@gmal.com 1 . Chapter 5 Soluton of System of Lnear Equatons

More information