6.9 Differential cryptanalysis
6.9.2 Analyzing the step function
The MD6 step function consists of three operations: XOR, AND, and the g operator. We will analyze the differential properties of each operation in terms of how a difference and its Hamming weight propagate from the input to the output. Then we will study the differential properties of the step function and derive some inequalities that will be useful in the later lower bound proof.
For ease of discussion, we first introduce some notation. For each operation to be studied, we use uppercase letters X, Y, Z to denote the w-bit inputs and output. We use ∆X, ∆Y, ∆Z to denote the differences and DX, DY, DZ to denote the Hamming weights of these differences. We use lowercase letters x, y, z to denote a single bit in the w-bit words.
6.9.2.1 XOR gate
The differential properties of XOR are straightforward. In particular, the equation ∆Z = ∆X ⊕ ∆Y holds with probability one. In terms of the Hamming weight of the difference, we have
max(DX, DY) − min(DX, DY) ≤ DZ ≤ DX + DY.
6.9.2.2 AND gate
We can view the AND operation between two w-bit words as a layer of w independent AND gates, with each AND gate taking two input bits x and y and producing one output bit z. The differential behavior of the AND gate depends on its input differences ∆x and ∆y. We consider the following two cases.
• If ∆x = ∆y = 0, then Pr[∆z = 0] = 1. We will call this AND gate “inactive”.
• If ∆x = 1 or ∆y = 1, then Pr[∆z = 0] = Pr[∆z = 1] = 1/2. We will call this AND gate “active”.[1]
In terms of the Hamming weight of the difference, we have 0 ≤ DZ ≤ DX + DY.
The notion of active AND gates plays an important role in the later lower bound proof. In particular, an active AND gate always contributes a probability of 1/2 to the overall probability of the differential path, no matter what the output difference of the AND gate is. Since the AND operation is the only non-trivial operation in terms of differential probabilities,[2] the total number of active AND gates in the differential path is closely related to the total probability of the path.
In a way, the role of AND gates in MD6 resembles that of S-boxes in AES. The main distinction is that an AND gate operates at the bit level in MD6 while an S-box operates at the byte level in AES.
6.9.2.3 g operator
The g_{r,ℓ} operator provides intra-word diffusion by mixing up data within a word. Let Z = g_{r,ℓ}(X). We know that ∆Z = g_{r,ℓ}(∆X) holds with probability one.
It is easy to derive an upper bound on DZ. Since the combination of one shift and one XOR can at most double the number of differences, we have
DZ ≤ 4DX. (6.4)
The lower bound analysis on DZ is more interesting, and it relates to the design choices for the shift amounts. More specifically, each pair of shift amounts (r, ℓ) in MD6 was chosen in such a way that
DX ≤ 4 would imply DZ ≥ 2. (6.5)
[1] We assume that the inputs (x, y) and (x′, y′) are chosen at random with the constraint that they follow the required difference.
[2] That is, probabilities associated with the input and output differences are not always zero.
CHAPTER 6. COMPRESSION FUNCTION SECURITY 105
In other words, in order for the output to have only a single-bit difference, the Hamming weight of the input difference must be at least 5. The main purpose of such a design choice is to prevent an adversary from constructing differential paths of MD6 with very low Hamming weight in every step. For example, given Inequality 6.5, it would be impossible to construct a sparse differential path in which D_i = |∆A_i| is at most one for all i.
For DX > 4, we do not have any non-trivial lower bound on DZ other than that it has to be positive, since a non-zero input difference implies a non-zero output difference (g is a bijection on w-bit words). So DX > 4 implies DZ ≥ 1.
In a way, the role of the g operator in MD6 is similar to that of the MDS matrix in AES. It effectively imposes a non-trivial lower bound on the Hamming weight sum of the input and output differences. The main distinction is that g operates at the bit level while the MDS matrix operates at the byte level.
6.9.2.4 Combining individual operations
We have studied differential properties of the three operations in the MD6 step function, and the results are summarized in Figure (6.1) and Figure (6.2).
operation      output difference ∆Z                          probability
Z = X ⊕ Y      ∆Z = ∆X ⊕ ∆Y                                  1
z = x ∧ y      if ∆x = ∆y = 0, then ∆z = 0                   1
               if ∆x = 1 or ∆y = 1, then ∆z = 0 or 1         1/2
Z = g(X)       ∆Z = g(∆X)                                    1

Figure 6.1: Differential characteristics for ⊕, ∧, and g. Note that for ∧, the result is for an AND gate at the bit level.
operation      upper bound          lower bound
Z = X ⊕ Y      DZ ≤ DX + DY         DZ ≥ max(DX, DY) − min(DX, DY)
Z = X ∧ Y      DZ ≤ DX + DY         DZ ≥ 0
Z = g(X)       DZ ≤ 4DX             DZ ≥ 2, if 0 < DX ≤ 4
                                    DZ ≥ 1, if DX > 4

Figure 6.2: Hamming weight of differential characteristics for ⊕, ∧, and g.

In what follows, we analyze how the input/output differences for individual operations within a step can be joined together to form a differential characteristic for the step with non-zero probability. We pay special attention to how the Hamming weight of the differences propagates from input to output.
First, we decompose the step function into two sub-steps:
$$X = A_{i-t_0} \oplus A_{i-t_5} \oplus (A_{i-t_1} \wedge A_{i-t_2}) \oplus (A_{i-t_3} \wedge A_{i-t_4}), \qquad A_i = g(X).$$
Using the inequalities in Figure (6.2), we can derive upper and lower bounds on DX = |∆X| in terms of the Hamming weights of the six input differences in step i. We obtain the following two inequalities:
$$D_X \le UB_X = \sum_{k=0}^{5} D_{i-t_k}, \qquad (6.6)$$
$$D_X \ge LB_X = \max(D_{i-t_0}, D_{i-t_5}) - \min(D_{i-t_0}, D_{i-t_5}) - \sum_{k=1}^{4} D_{i-t_k}. \qquad (6.7)$$
The above two inequalities together define a range for DX. Given DX, the Hamming weight of the output difference D_i = |∆A_i| follows the constraints given in Figure (6.2).
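As an added illustration (not code from the MD6 report), the following Python checks the properties above numerically: it implements g_{r,ℓ} under the assumed MD6 definition y = x ⊕ (x ≫ r), g(x) = y ⊕ (y ≪ ℓ) on w = 64 bits, counts active AND gates, searches the minimum DZ over all input differences of a given weight, and evaluates UB_X and LB_X from (6.6) and (6.7). The shift pair (10, 11) and the sample words are assumptions chosen for the demonstration, not values taken from this section.

```python
# Added example, not from the MD6 report: numerical checks for Section 6.9.2.
from itertools import combinations

W = 64                      # MD6 word size in bits
MASK = (1 << W) - 1

def g(x, r, l):
    """Assumed MD6 definition of g_{r,l}: y = x ^ (x >> r); z = y ^ (y << l)."""
    x &= MASK
    y = x ^ (x >> r)
    return y ^ ((y << l) & MASK)

def hamming(x):
    """Hamming weight D = |x| of a w-bit word."""
    return bin(x & MASK).count("1")

def active_and_gates(dx, dy):
    """Bit-level AND gates are active iff dx = 1 or dy = 1 at that position.
    Each active gate contributes a factor 1/2 to the path probability."""
    return hamming(dx | dy)

def and_path_probability(dx, dy):
    """Probability that one chosen output difference of X & Y holds: 2^-active."""
    return 2.0 ** -active_and_gates(dx, dy)

def min_dz_for_weight(r, l, weight):
    """Exhaustive minimum of DZ = |g(dX)| over every dX with |dX| = weight.
    Checks the design property (6.5): DX <= 4 should give DZ >= 2."""
    best = W
    for bits in combinations(range(W), weight):
        dx = sum(1 << b for b in bits)
        best = min(best, hamming(g(dx, r, l)))
    return best

def weight_bounds(d):
    """(LB_X, UB_X) from (6.7) and (6.6); d[k] = D_{i-t_k} for k = 0..5.
    A negative LB_X is vacuous, since DX is never below zero."""
    ub = sum(d)
    lb = max(d[0], d[5]) - min(d[0], d[5]) - sum(d[1:5])
    return lb, ub

if __name__ == "__main__":
    R, L = 10, 11                                     # assumed sample shift pair
    a, b = 0x0123456789ABCDEF, 0xFEDCBA9876543210     # constructed words
    assert g(a, R, L) ^ g(b, R, L) == g(a ^ b, R, L)  # dZ = g(dX) with probability 1
    assert hamming(g(a ^ b, R, L)) <= 4 * hamming(a ^ b)  # bound (6.4)
    print("min DZ for DX = 1, 2, 3:", [min_dz_for_weight(R, L, k) for k in (1, 2, 3)])
    print("LB_X, UB_X for weights [3,1,0,2,1,0]:", weight_bounds([3, 1, 0, 2, 1, 0]))
```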
We remark that by focusing on the Hamming weight rather than the actual value of the differences, we avoid the potential complication of analyzing how individual bit differences can line up properly from one operation to another. We lose some accuracy in the analysis, since we can only obtain a range of possible values for the Hamming weight. Nevertheless, we will see that this approach not only simplifies the analysis but also greatly reduces the complexity of searching for valid differential path weight patterns, thereby making a computer-aided search possible.