
6.2 Choice of compression function constants

6.2.1 Constant Q

The constant Q is chosen rather arbitrarily as the binary representation of the fractional part of √6. (Why 6? Because it is MD6!)

CHAPTER 6. COMPRESSION FUNCTION SECURITY 91

Other values for Q could have been chosen, even 0. Our proofs do not depend on Q having any particular value; merely that it is fixed.

However, it was felt that a “complex” value such as √6 − 2 might have some advantages over an all-zero value: having many 1-bits in Q forces some AND gates to have non-zero inputs early on. Some of the algebraic attacks do seem to suggest that fewer rounds are needed for security if Q is chosen to be non-zero in a “random-looking” way, as MD6 does.
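Since Q is defined by a rule rather than by a table, a reviewer can regenerate it and compare it with whatever an implementation ships. The Python below is an added example, not code from the MD6 submission. It assumes, from the MD6 specification rather than from this page, that Q is 15 words of 64 bits (960 bits) with Q[0] the most significant word of the fraction; the integer square root of 6·2^(2·960) equals ⌊√6·2^960⌋ exactly, so no floating point is involved.

```python
from math import isqrt

# Q is 15 words of 64 bits (960 bits) in MD6. This comes from the MD6
# specification, not from the text above, which only says "fractional part of sqrt(6)".
Q_WORDS = 15
WORD_BITS = 64


def sqrt_fraction_bits(radicand, nbits):
    """Return the first nbits bits after the binary point of sqrt(radicand).

    floor(sqrt(radicand) * 2**nbits) == isqrt(radicand * 2**(2*nbits)) exactly,
    so the fraction is computed with integer arithmetic only; the mask removes
    the integer part (2 for sqrt(6)).
    """
    if radicand <= 0 or nbits <= 0:
        raise ValueError("radicand and nbits must be positive")
    return isqrt(radicand << (2 * nbits)) & ((1 << nbits) - 1)


def derive_q(radicand=6, nwords=Q_WORDS, word_bits=WORD_BITS):
    """Split the fraction into nwords words, most significant word first (Q[0])."""
    nbits = nwords * word_bits
    frac = sqrt_fraction_bits(radicand, nbits)
    mask = (1 << word_bits) - 1
    return [(frac >> (nbits - word_bits * (k + 1))) & mask for k in range(nwords)]


def matches_table(table, radicand=6, word_bits=WORD_BITS):
    """Check a Q table pulled from an implementation against the derivation.

    A table that differs in any word is not "the fractional part of sqrt(6)",
    and whoever shipped it owes an explanation.
    """
    return derive_q(radicand, len(table), word_bits) == list(table)


if __name__ == "__main__":
    for k, w in enumerate(derive_q()):
        print(f"Q[{k:2d}] = 0x{w:016x}")
```

The same routine with a different radicand reproduces other “nothing up my sleeve” constants of this form, which is the practical content of the trapdoor argument later in this chapter: a constant the reader can re-derive cannot hide a chosen value.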

6.2.2 Tap positions

The tap positions were computed by a program, tapopt.c, which is included with our MD6 submission to NIST.

The program takes as input the desired values for n and c, and produces as output “optimal” values for the tap positions t0, t1, t2, t3, t4, and t5, subject to the constraints that

• c < t0 < t1 < t2 < t3 < t4 < t5 = n
• The tap positions must all be nonzero modulo c.
• The tap positions must not be equal to each other modulo c.
• The tap positions, other than t5, must be relatively prime to n. (This is a trivial condition if n is prime.)
• The difference t4 − t3 must not be equal to the difference t2 − t1.

The search for an optimal set of tap positions is brute-force; every sequence of possible tap positions satisfying the above constraints is considered.

For a given set of tap positions, the computation of the compression function is simulated, and for each value A[i] computed, it is recorded which of the input words A[0..n − 1] it “formally depends upon.” A word A[i] formally depends upon input A[j] if i = j, or if i ≥ n and at least one of the words A[i − t0], A[i − t1], A[i − t2], A[i − t3], A[i − t4], or A[i − t5] formally depends upon A[j].

We can say a word A[i] is “complete” if it formally depends upon all input words A[0] . . . A[n − 1].

The “measure” of a set of taps is i − (n − 1) + c, where i is the largest i such that A[i] is not complete. This value is the least number of steps needed to ensure that all c outputs are formally dependent on all n inputs (and that running more steps won’t change this fact).

The optimization for n = 89, c = 16 takes just a few minutes on a laptop. As discussed and illustrated in Chapter 9, the program tapopt.c can be used to find optimal tap positions for other choices of n and c.
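The constraint check and the formal-dependency measure described above, written out as an added Python example. This is not tapopt.c, which is not reproduced on this page; the MD6 tap positions (17, 18, 21, 31, 67, 89) are taken from the MD6 specification. The simulation stops once t0 consecutive complete words have been produced: every later A[i] includes A[i − t0], so by induction it is complete as well, which is why running more steps cannot change the measure. For the MD6 parameters it returns a measure of 102 steps, the figure the avalanche discussion in this section quotes.

```python
from math import gcd

# MD6 parameters. n = 89 and c = 16 appear in the text; the tap positions
# t0..t5 = 17, 18, 21, 31, 67, 89 come from the MD6 specification.
N, C = 89, 16
MD6_TAPS = (17, 18, 21, 31, 67, 89)


def taps_admissible(taps, n, c):
    """The constraints tapopt.c imposes on a candidate (t0, ..., t5)."""
    t0, t1, t2, t3, t4, t5 = taps
    if not (c < t0 < t1 < t2 < t3 < t4 < t5 == n):
        return False
    residues = [t % c for t in taps]
    if 0 in residues or len(set(residues)) != len(residues):
        return False
    if any(gcd(t, n) != 1 for t in taps[:-1]):      # t5 = n is exempt
        return False
    return (t4 - t3) != (t2 - t1)


def tap_measure(taps, n, c):
    """Simulate word-level formal dependencies; return (measure, i_last).

    deps[i] is a bitmask over the n input words, and A[i] is complete when the
    mask is all ones.  i_last is the largest i with A[i] incomplete, and
    measure = i_last - (n - 1) + c is the number of steps after which all c
    output words are complete.  The loop stops once taps[0] consecutive complete
    words exist: each later A[i] includes A[i - t0], so it is complete too.
    """
    full = (1 << n) - 1
    deps = [1 << j for j in range(n)]         # each input depends only on itself
    i_last, run, i = n - 1, 0, n
    while run < taps[0]:
        d = 0
        for t in taps:
            d |= deps[i - t]
        deps.append(d)
        if d == full:
            run += 1
        else:
            run, i_last = 0, i
        i += 1
    return i_last - (n - 1) + c, i_last


if __name__ == "__main__":
    print("MD6 taps admissible:", taps_admissible(MD6_TAPS, N, C))
    print("MD6 (measure, last incomplete word):", tap_measure(MD6_TAPS, N, C))
```

Note that the measure counts word-level dependence only, exactly as the text says: a word that “formally depends” on an input may still have output bits that are independent of most of that input's bits, which is what the shift-amount optimization addresses.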

6.2.3 Shift amounts and properties of g

Once the tap positions were determined, the shift amounts were determined by a second program, shiftopt.c.

Because none of the shift amounts are zero, the function g is one-to-one (i.e., invertible). Thus, an input change always causes an output change.

Also, as noted in Section 3.9.3, a one-bit change to the input of g will cause from two to four bits of the output of g to change.

Furthermore, the shift amounts were chosen so that in order to get a one-bit output change, at least five bits of input must be changed.

These properties were used in our proof in Section 6.9 of the resistance of MD6 to differential attacks.
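The three properties just listed can be checked mechanically. The Python below is an added example, not code from the MD6 submission. It assumes the definition of g from Section 3.9.3, g_{r,ℓ}(x) = y ⊕ (y ≪ ℓ) with y = x ⊕ (x ≫ r) on 64-bit words with logical shifts, and uses a copy of the MD6 shift table (r_i, ℓ_i) written down from the specification; the page does not print the table, so it should be verified against the specification before being relied on. Because g is linear over GF(2), an input difference Δ produces exactly the output difference g(Δ), so the single-bit checks cover all input differences.

```python
import random

MASK64 = (1 << 64) - 1

# Shift table (r_i, l_i) for the 16 steps of a round, as recalled from the MD6
# specification. It is not printed on this page: check it against the spec.
MD6_SHIFTS = [(10, 11), (5, 24), (13, 9), (10, 16), (11, 15), (12, 9), (2, 27), (7, 15),
              (14, 6), (15, 2), (7, 29), (13, 8), (11, 15), (7, 5), (6, 31), (12, 9)]


def g(x, r, l):
    """MD6 mixing function g_{r,l} on a 64-bit word: y = x ^ (x >> r); g = y ^ (y << l)."""
    y = x ^ (x >> r)
    return (y ^ (y << l)) & MASK64


def g_inv(z, r, l):
    """Invert g.  Each half is 'identity plus a nilpotent shift', whose inverse is
    the XOR of all multiples of that shift.  Requires r, l > 0: with a zero shift,
    x ^ (x >> 0) is identically zero and nothing can be recovered."""
    if r <= 0 or l <= 0:
        raise ValueError("shift amounts must be nonzero for g to be invertible")
    y = 0
    for s in range(0, 64, l):
        y ^= (z << s) & MASK64
    x = 0
    for s in range(0, 64, r):
        x ^= y >> s
    return x


def weight(w):
    return bin(w).count("1")


def diffusion_profile(r, l):
    """Return (min, max) output weight for a single-bit input difference and the
    minimum number of input bits that must change to flip exactly one output bit."""
    out = [weight(g(1 << k, r, l)) for k in range(64)]
    inp = [weight(g_inv(1 << k, r, l)) for k in range(64)]
    return min(out), max(out), min(inp)


def check_invertible(r, l, trials=1000, seed=6):
    """Round-trip random 64-bit words through g and g_inv."""
    rng = random.Random(seed)
    return all(g_inv(g(x, r, l), r, l) == x for x in (rng.getrandbits(64) for _ in range(trials)))


def table_profile(shifts=MD6_SHIFTS):
    """Worst case over the whole table: smallest and largest single-bit output
    change, and the fewest input bits that can flip exactly one output bit."""
    profiles = [diffusion_profile(r, l) for r, l in shifts]
    return min(p[0] for p in profiles), max(p[1] for p in profiles), min(p[2] for p in profiles)


if __name__ == "__main__":
    for r, l in MD6_SHIFTS:
        print(f"r={r:2d} l={l:2d} invertible={check_invertible(r, l)} profile={diffusion_profile(r, l)}")
    print("whole table (min out, max out, min in):", table_profile())
```

For (r, ℓ) = (10, 11) every single-bit input difference changes 2 to 4 output bits, and flipping exactly one output bit requires changing at least 6 input bits; over the whole table the latter bound drops to 5, the figure the differential argument relies on. The bound comes from the high-order bit positions, where the left shift pushes most of the contribution out of the word.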

6.2.4 Avalanche properties

The tap positions and the shift amounts were both selected by programs “tapopt” and “shiftopt” in a heuristic but deterministic way that attempts to optimize the influence of each input bit on each output bit in a minimum number of steps.

The tap positions were chosen as described in Section 3.9.1. This “optimization” only paid attention to word-level dependencies, and ignored bit-position (intraword) effects. It was found that after 102 steps (i.e. just over six rounds) each word computed depends, in a formal sense, on each input word.

After the tap positions were chosen, the shift amounts were chosen deterministically from a large pseudorandom sample of shift tables to heuristically optimize the rate of diffusion at the bit level. The program “shiftopt” explicitly considers the constant and linear terms of the algebraic normal form representing each output bit as a function of the input bits, and measures how close each such polynomial is to having approximately half of the maximum number of possible linear terms present. After a total of 11 rounds, the selected shift amounts heuristically optimized this measure; the output bits appeared “random” based on this metric.

These optimization methods support the hypothesis that the MD6 compression function begins to look “fairly random” after only 11 rounds.

Once the tap positions and shift amounts were selected, other tests, described in the following sections, help to assess the cryptographic strength of the resulting compression function.

6.2.5 Absence of trapdoors

MD6 was designed to be demonstrably free of trapdoors.

The architecture of MD6 is remarkably simple; such simplicity makes the insertion of trapdoors infeasible.

Moreover, the various constants of MD6, such as Q = √6 − 2, the tap positions, and the shift amounts, are all computed deterministically by programs that are available for inspection. The computations and optimizations they implement are directed towards maximizing the cryptographic strength of MD6. Thus, while there is of course no guarantee that MD6 is free from cryptographic weakness, it is arguably free of maliciously inserted trapdoors.