6.9 Differential cryptanalysis
6.9.3 Lower bound proof
6.9.3.3 Searching for differential path weight patterns
In this section, we describe how to search for valid differential path weight patterns of MD6 up to s rounds. Since each D_i can potentially take any value from 0 to w, exhaustive search is infeasible even for very small s. Instead, we proceed with a more intelligent search by eliminating as many invalid patterns as possible.
Let D_0, D_1, ..., D_{i−1} be a differential path weight pattern up to i − 1 steps. Let us focus on step i and consider the last operation Z = g(X). We know that D_X lies in the range [LB_X, UB_X]. For each possible D_i = D_Z ∈ [0, w], we can eliminate many impossible values by checking against several conditions on D_i, UB_X, and LB_X. In particular, the following values of D_i are invalid:
1. D_i = 0 and LB_X > 0. (The output difference cannot be zero if the input difference to g is non-zero.)
2. D_i > 0 and D_i > 4 UB_X. (See Inequality (6.4).)
3. D_i = 1 and UB_X < 5. (See Inequality (6.5).)
We next outline an algorithmic procedure to search for valid differential path weight patterns and count the number of active AND gates for a segment of s rounds of the MD6 computation. The procedure, called SearchDiff(), is described in Figure (6.3).
At a high level, the search is carried out in a depth-first manner with nodes at level i of the search tree representing possible values of D_i. For each node, the total number of AND gates up to this point is computed. If the number is larger than the preset threshold, all search branches below the node are terminated.
We remark that it is possible that a small number of invalid D_i may pass through during the search, but this does not affect our lower bound analysis, in the sense that we might prove a lower bound that is smaller than the actual value for AAGs.
6.9.3.4 Deriving lower bounds through computer-aided search
We implemented the algorithmic procedure given in Figure (6.3). The search program runs for an increasing number of rounds s. For each s, the threshold on the maximum number of active AND gates in the segment, maxAAG, is incremented until a valid differential weight pattern is found, and the stopping value for maxAAG then yields a lower bound on AAGs. The complete experimental
CHAPTER 6. COMPRESSION FUNCTION SECURITY 109
SearchDiff(i, s, maxAAG)
1. Check whether the search reaches the end of the s-round segment. If not, proceed to the next step. Otherwise, output the differential path weight pattern and the number of active AND gates. Stop.
2. Compute the upper bound UB_X and lower bound LB_X for D_X in step i.
3. For D_i = 0, 1, ..., w − 1:
   (a) Check whether D_i is an invalid value given (LB_X, UB_X). If so, proceed to the next D_i.
   (b) Compute the number of new active AND gates given D_i.
   (c) Compute sumAAG, the total number of active AND gates up to step i. If sumAAG > maxAAG, proceed to the next D_i.
   (d) SearchDiff(i + 1, s, maxAAG).
Figure 6.3: Algorithmic procedure to search for valid linear paths.
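The pruned depth-first search of Figure 6.3, together with the threshold-raising loop of Section 6.9.3.4, as an added Python example that is not the report's own search program. The three elimination rules are taken from the text; the bound computation (LB_X, UB_X) and the AND-gate count for a real MD6 step are not given on this page, so the example plugs in a constructed toy step structure (the input to g is the XOR of the two previous step outputs, whose weight interval [|a − b|, min(w, a + b)] is exact for XOR) and the "4 gates per unit of weight" count from the report's worked example, omitting the boundary special cases. Both are labelled as assumptions in the code; the search and threshold logic itself is what the example demonstrates.

```python
from typing import Callable, Iterator, List, Tuple

W = 64  # word size in bits (MD6 uses 64-bit words)


def invalid(d: int, lb_x: int, ub_x: int) -> bool:
    """The three elimination rules of Section 6.9.3.3 for a candidate
    D_i = D_Z, given the bounds [LB_X, UB_X] on the weight of D_X."""
    if d == 0 and lb_x > 0:      # g cannot map a non-zero difference to zero
        return True
    if d > 0 and d > 4 * ub_x:   # consequence of Inequality (6.4)
        return True
    if d == 1 and ub_x < 5:      # consequence of Inequality (6.5)
        return True
    return False


# ---- Toy step model (constructed for this example; NOT MD6's real taps) ----
# Assumption: the input X of step i is the XOR of the outputs of steps i-1
# and i-2. For an XOR of two words with difference weights a and b, the
# weight of the result lies in [|a - b|, min(W, a + b)], which we use as
# (LB_X, UB_X). INIT holds the constructed weights of the two state words
# entering step 0.
INIT = (1, 0)


def toy_bounds(prev: List[int]) -> Tuple[int, int]:
    a, b = prev[-2], prev[-1]
    return abs(a - b), min(W, a + b)


def toy_new_aag(d: int) -> int:
    # Assumption: 4 active AND gates per unit of weight, as in the report's
    # worked example (7 x 4); the boundary special cases are not modelled.
    return 4 * d


def search_diff(s: int, max_aag: int,
                bounds: Callable[[List[int]], Tuple[int, int]] = toy_bounds,
                new_aag: Callable[[int], int] = toy_new_aag,
                init: Tuple[int, ...] = INIT) -> Iterator[Tuple[Tuple[int, ...], int]]:
    """Figure 6.3: depth-first enumeration of every weight pattern
    D_0 .. D_{s-1} whose running AND-gate total never exceeds max_aag.
    Yields (pattern, total_aag) for each complete s-step pattern."""
    def rec(i: int, prev: List[int], sum_aag: int):
        if i == s:                                   # step 1 of Figure 6.3
            yield tuple(prev[len(init):]), sum_aag
            return
        lb_x, ub_x = bounds(prev)                    # step 2
        for d in range(W):                           # step 3
            if invalid(d, lb_x, ub_x):               # 3(a)
                continue
            total = sum_aag + new_aag(d)             # 3(b), 3(c)
            if total > max_aag:
                continue                             # prune this subtree
            prev.append(d)
            yield from rec(i + 1, prev, total)       # 3(d)
            prev.pop()

    yield from rec(0, list(init), 0)


def lower_bound(s: int,
                bounds: Callable[[List[int]], Tuple[int, int]] = toy_bounds,
                new_aag: Callable[[int], int] = toy_new_aag,
                init: Tuple[int, ...] = INIT) -> Tuple[int, Tuple[int, ...], int]:
    """Section 6.9.3.4: raise max_aag from 0 until some pattern survives the
    search. The first such threshold is a lower bound on the number of active
    AND gates over s steps; the surviving pattern is returned as a witness."""
    max_aag = 0
    while True:
        for pattern, aag in search_diff(s, max_aag, bounds, new_aag, init):
            return max_aag, pattern, aag
        max_aag += 1


if __name__ == "__main__":
    for s in range(1, 5):
        bound, pattern, aag = lower_bound(s)
        print(f"s={s}: LB on AAGs = {bound}, witness pattern = {pattern}")
```

Under the toy model the witness for s = 3 is the pattern (2, 2, 0): D_0 = 1 is excluded by rule 3 because UB_X = 1 < 5, and D_2 = 0 is allowed only because the XOR of two weight-2 differences can cancel (LB_X = 0). Swapping `toy_bounds` and `toy_new_aag` for functions derived from the real tap positions and the boundary cases of the report would turn the same driver into the search described in the text.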
s            ≤ 5    6    7    8    9   10   11   12   13   14   15
LB on AAGs     0    3    4    4    4    4    7   13   19   20   26
Figure 6.4: Lower bounds on the number of active AND gates in a differential path up to s rounds. The results were obtained through computer search.
Here we elaborate a little on the output of our search program. Let i.d denote that D_i = d. For s = 15, our program produces the following differential path weight pattern:
54.1 71.2 143.2 232.2.
The total Hamming weight of the pattern is 1 + 2 + 2 + 2 = 7, and the total number of active AND gates is 7 × 4 − 2 = 26. Note that the "−2" in the calculation is due to the fact that i = 232 is less than t_4 − t_3 = 36 steps from the right boundary 240, which is one of the special cases (Case 3) for counting the number of active AND gates.
Finally, we are ready to derive a lower bound on the workload of any differential-style collision search attack on MD6. As we discussed earlier, the workload is at least 2^{AAG_r}, where AAG_r is the minimum number of active AND gates in any r-round differential path of MD6.
It is tempting to immediately combine Inequality (6.8) with our experimental results in Figure (6.4). However, we still need to consider the important issue of security margins^3. It is possible for an attacker to penetrate a few rounds at the beginning of the hash computation by manipulating the inputs and influencing the behavior of the differential path. To be conservative, we eliminate 15 rounds from the specified total number of rounds r when calculating the lower bounds on the number of AND gates.
Using Inequality (6.8), we have
$$AAG_{r-15} \ge AAG_{15} \times \left\lfloor \frac{r-15}{15} \right\rfloor. \qquad (6.9)$$
Figure (6.5) gives the lower bounds (LB = 2^{AAG_{r−15}}) on the workload of any differential-style collision attack for various output sizes d. The comparison with the birthday bound (BB = 2^{d/2}) is also given.
d     r     r − 15   ⌊(r − 15)/15⌋   AAG_{r−15} ≥   LB ≥     BB
40    50    35       2               52             2^52     2^20
80    60    45       3               78             2^78     2^40
128   72    57       3               78             2^78     2^64
160   80    65       4               104            2^104    2^80
224   96    81       5               130            2^130    2^112
256   104   89       5               150            2^150    2^128
384   136   121      8               208            2^208    2^192
512   168   153      10              260            2^260    2^256
Figure 6.5: Lower bounds on the workload of differential collision attacks. The result for d = 256 was computed as $AAG_{89} \ge AAG_{15} \times 5 + AAG_{14} = 26 \times 5 + 20 = 150$. All other results were obtained using Inequality (6.9). We see that differential attacks are less efficient than a simple birthday attack.
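The bound computation behind Inequality (6.9) and Figure 6.5, as an added Python example (not the report's own code). It takes the Figure 6.4 values and the (d, r) pairs of Figure 6.5 as data, reproduces the figure's exponents, and, going one step beyond the page, applies the d = 256 splitting (five full 15-round segments plus the bound for the 14-round remainder) to every row, which shows how much of the "slack" mentioned at the end of the section comes from discarding the remainder rounds in (6.9). Bounds are handled as base-2 exponents throughout.

```python
# Lower bounds on active AND gates for an s-round segment (Figure 6.4):
# 0 for s <= 5, then the computer-search values for s = 6..15.
AAG_LB = {s: 0 for s in range(6)}
AAG_LB.update({6: 3, 7: 4, 8: 4, 9: 4, 10: 4, 11: 7, 12: 13, 13: 19, 14: 20, 15: 26})

MARGIN = 15    # rounds discarded as a security margin
SEGMENT = 15   # segment length whose bound AAG_15 = 26 is multiplied

# (output size d, number of rounds r) pairs exactly as listed in Figure 6.5
FIGURE_65_PAIRS = [(40, 50), (80, 60), (128, 72), (160, 80),
                   (224, 96), (256, 104), (384, 136), (512, 168)]


def aag_bound_69(r: int) -> int:
    """Inequality (6.9): AAG_{r-15} >= AAG_15 * floor((r - 15) / 15)."""
    return AAG_LB[SEGMENT] * ((r - MARGIN) // SEGMENT)


def aag_bound_refined(r: int) -> int:
    """The d = 256 computation of Figure 6.5 (AAG_89 >= 5*AAG_15 + AAG_14)
    applied to an arbitrary r: q full segments plus a remainder segment of
    rem rounds, whose Figure 6.4 bound is added instead of being discarded."""
    q, rem = divmod(r - MARGIN, SEGMENT)
    return AAG_LB[SEGMENT] * q + AAG_LB[rem]


def figure_65_row(d: int, r: int) -> dict:
    """One row of Figure 6.5. The report uses the refined sum only for
    d = 256 and Inequality (6.9) for all other rows; LB and BB are
    returned as base-2 exponents (LB = 2^AAG, BB = 2^(d/2))."""
    aag = aag_bound_refined(r) if d == 256 else aag_bound_69(r)
    return {"d": d, "r": r, "r-15": r - MARGIN,
            "q": (r - MARGIN) // SEGMENT,
            "aag": aag, "log2_LB": aag, "log2_BB": d / 2}


def differential_beats_birthday(d: int, r: int) -> bool:
    """True when the proven differential lower bound 2^AAG lies below the
    birthday bound 2^(d/2), i.e. when the argument would NOT rule the
    attack out. Figure 6.5 claims this is False for every listed d."""
    row = figure_65_row(d, r)
    return row["log2_LB"] < row["log2_BB"]


def slack_per_row() -> dict:
    """Extra AND gates the refined segmentation yields over plain (6.9)
    for each Figure 6.5 row; non-zero entries are slack in the table."""
    return {d: aag_bound_refined(r) - aag_bound_69(r) for d, r in FIGURE_65_PAIRS}


if __name__ == "__main__":
    for d, r in FIGURE_65_PAIRS:
        row = figure_65_row(d, r)
        print(f"d={d:3d} r={r:3d} AAG>={row['aag']:3d} "
              f"LB>=2^{row['log2_LB']} BB=2^{row['log2_BB']:g}")
    print("slack over (6.9):", slack_per_row())
```

Running it reproduces every exponent of Figure 6.5 and reports, for example, 13 extra gates for d = 128 (57 = 3 × 15 + 12, and AAG_12 ≥ 13) that Inequality (6.9) throws away, while rows whose remainder is at most 5 rounds gain nothing because the Figure 6.4 bound for s ≤ 5 is 0.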
We have thus obtained the desired result:
The workload for a standard differential attack against MD6 is provably larger than the workload for a simple “birthday attack,” for all NIST specified output sizes.
In fact, we have a stronger result—the workload for a standard differential attack against MD6 is provably larger than the workload for a simple “birthday attack,” for all output sizes 1 ≤ d ≤ 512.
A standard differential attack will not be effective against MD6—there are no differential paths with sufficiently high probability to make such an attack more efficient than a simple birthday bound attack looking for collisions.
We consider this a very significant result, since in large part it has been the success of differential attacks against hash functions that motivated NIST to organize the SHA-3 hash function competition. The fact that MD6 is not vulnerable to standard differential attacks is very appealing.
^3 ... cipher or hash function without compromising the desired security level. Security margins are commonly studied in block cipher design and analysis. For example, all AES candidates have clearly stated security margins.
Of course, there may be nonstandard differential attacks (e.g., ones that use various forms of generalized differentials, as in [19]) that fall outside the scope of our proof. Further research is needed to explore and exclude such possibilities; our proof is merely a first step in such analysis.
On the other hand, there is probably a significant amount of “slack” in our result, and thus the bound could be made tighter and/or extended to more general attacks. It is quite possible that the actual lower bound on the number of active AND gates can be much larger. Here we list some of the reasons:
• Some of the differential path weight patterns may not correspond to any valid differential path of MD6.
• The s-round differential path weight pattern that our program found is not iterative, and so it cannot be concatenated to yield a pattern for r rounds.
• We did not count the AND gates across the boundary of two consecutive rounds.
If we can address some of the above problems, then we can further improve our lower bound analysis. It would also be interesting to explore how these bounds might be affected by other choices for the tap positions.