Data-Depend Hash Algorithm
ZiJie Xu and Ke Xu [email protected]
Abstract: We study some techniques that people have developed to analyse and attack hash algorithms. We find a way to use data-depend functions to resist differential attacks. Then we design a hash algorithm called Data-Depend Hash Algorithm (DDHA). DDHA is simple and strong under differential attack.
Key Words: Hash algorithm, data-depend function
1. Introduction
A hash algorithm computes a fixed-size message digest from a message of arbitrary size. After SHA-0 was published, several techniques to analyse and attack hash algorithms were developed. The major technique is the differential attack; the papers [WY05, Dau05] explain it.
The differential attack is the best technique for attacking hash functions. To attack a hash function, the attacker must do the following work:
1. Construct a feasible difference path that has good probability.
2. Construct the sufficient conditions for the difference path.
3. Find some technique to raise the probability of the difference path.
From the above description of the differential attack, it is easy to see that constructing a feasible difference path is the hinge. If it can be made hard to construct a feasible difference path, it will be hard to attack the hash function. In Appendix 1 we show that the data-depend circular shift has a good defence feature, and we find a message expansion function such that any difference path has at least eight data-depend circular shift differences (Appendix 2). This makes it hard to construct a feasible difference path.
At the same time, we study some techniques [1,2] that are used to attack hash algorithms; DDHA uses some measures to resist these attack techniques.
Notation used in DDHA:
1. ← variable assignment.
2. Bitwise logical word operations: '∧' AND, '∨' OR, '⊕' XOR and '¬' negation.
3. Addition '+' modulo 2^32 or modulo 2^64.
4. The shift right operation SHR^n(x), where x is a 32-bit or 64-bit word and n is an integer with 0 ≤ n < 32 (resp. 0 ≤ n < 64).
5. The shift left operation SHL^n(x), where x is a 32-bit or 64-bit word and n is an integer with 0 ≤ n < 32 (resp. 0 ≤ n < 64).
6. The rotate right (circular right shift) operation ROTR^n(x), where x is a 32-bit or 64-bit word and n is an integer with 0 ≤ n < 32 (resp. 0 ≤ n < 64).
7. The rotate left (circular left shift) operation ROTL^n(x), where x is a 32-bit or 64-bit word and n is an integer with 0 ≤ n < 32 (resp. 0 ≤ n < 64).
2. Data-Depend Hash Algorithm (DDHA)
DDHA has two hash functions: DDHA-256 (32-bit version) and DDHA-512 (64-bit version). DDHA-256 is used for messages of fewer than 2^64 bits, and DDHA-512 is used for messages of fewer than 2^64 bits. The properties are as follows:

Algorithm   Word size   Message size   Block size   Hash value size
DDHA-256    32          < 2^64         512          256
DDHA-512    64          < 2^64         1024         512

Properties of DDHA hash functions (sizes in bits)
In DDHA, the message is first preprocessed. After preprocessing, the message is parsed into N message blocks, and these blocks are processed in order with a compression function.
2.1 Preprocessing
Preprocessing in DDHA includes the steps:
a. padding the message M and parsing the padded message into message blocks,
b. setting the initial hash value.
Suppose that the length of the message M is L bits. Append the bit "1" to the end of the message, followed by k zero bits, where k is the smallest non-negative solution to the equation L + 1 + k ≡ 448 mod 512 (resp. L + 1 + k ≡ 960 mod 1024). Then append the 64-bit block that is equal to the number L expressed in binary.
After the message is padded, it is parsed into N 512-bit (resp. 1024-bit) message blocks.
2.1.2 Initial Hash Value and Constants
DDHA uses the same initial hash value as SHA-2 (given as follows):
DDHA-256               DDHA-512
H_0 = 0x6a09e667       H_0 = 0x6a09e667f3bcc908
H_1 = 0xbb67ae85       H_1 = 0xbb67ae8584caa73b
H_2 = 0x3c6ef372       H_2 = 0x3c6ef372fe94f82b
H_3 = 0xa54ff53a       H_3 = 0xa54ff53a5f1d36f1
H_4 = 0x510e527f       H_4 = 0x510e527fade682d1
H_5 = 0x9b05688c       H_5 = 0x9b05688c2b3e6c1f
H_6 = 0x1f83d9ab       H_6 = 0x1f83d9abfb41bd6b
H_7 = 0x5be0cd19       H_7 = 0x5be0cd19137e2179
The initial hash value for DDHA
DDHA uses 32 constant words, separated into two parts C1 and C2 as follows (only C1_9 to C1_15 are legible in this copy):
DDHA-256                DDHA-512
C1_9  = 0x8b44f7af      C1_9  = 0x8b44f7afeaa127fa
C1_10 = 0xffff5bb1      C1_10 = 0xffff5bb1d4ef3085
C1_11 = 0x895cd7be      C1_11 = 0x895cd7be04881d05
C1_12 = 0x6b901122      C1_12 = 0x6b901122d9d4d039
C1_13 = 0xfd987193      C1_13 = 0xfd987193e6db99e5
C1_14 = 0xa679438e      C1_14 = 0xa679438e1fa27cf8
C1_15 = 0x49b40821      C1_15 = 0x49b40821c4ac5665
Constants C1 of DDHA
C2 as follows:
DDHA-256                DDHA-512
C2_0  = 0xf61e2562      C2_0  = 0xf61e2562f4292244
C2_1  = 0xc040b340      C2_1  = 0xc040b340432aff97
C2_2  = 0x265e5a51      C2_2  = 0x265e5a51ab9423a7
C2_3  = 0xe9b6c7aa      C2_3  = 0xe9b6c7aafc93a039
C2_4  = 0xd62f105d      C2_4  = 0xd62f105d655b59c3
C2_5  = 0x02441453      C2_5  = 0x024414538f0ccc92
C2_6  = 0xd8a1e681      C2_6  = 0xd8a1e681ffeff47d
C2_7  = 0xe7d3fbc8      C2_7  = 0xe7d3fbc885845dd1
C2_8  = 0x21e1cde6      C2_8  = 0x21e1cde66fa87e4f
C2_9  = 0xc33707d6      C2_9  = 0xc33707d6fe2ce6e0
C2_10 = 0xf4d50d87      C2_10 = 0xf4d50d87a3014314
C2_11 = 0x455a14ed      C2_11 = 0x455a14ed4e0811a1
C2_12 = 0xa9e3e905      C2_12 = 0xa9e3e905f7537e82
C2_13 = 0xfcefa3f8      C2_13 = 0xfcefa3f8bd3af235
C2_14 = 0x676f02d9      C2_14 = 0x676f02d92ad7d2bb
C2_15 = 0x8d2a4c8a      C2_15 = 0x8d2a4c8aeb86d391
Constants C2 of DDHA
2.2 Processing
Suppose there are N message blocks M_0, ..., M_{N−1}.
DDHA has a compression function. The inputs of the compression function are the chaining variable (8 words, H^i_0, ..., H^i_7), the message block (16 words, m^i_0, ..., m^i_15), the constants (32 words, C1_0, ..., C1_15, C2_0, ..., C2_15) and the other values repeattime, tm and oc described in section 2.3. The blocks are processed in order, h ← compression(repeattime, m_i, h, tm, oc, c1, c2) for i = 0 to N − 1 (the last block is processed with the negated values described in section 3.2), and the final h is the hash value.
[Figure "Processing of DDHA": the pseudocode body is not legible in this copy. Legible fragments show the outer loop for i = 0 to N − 1, the working values tm, oc, occ and temp, the call to compression(repeattime, m, h, tm, oc, c1, c2) and the final "return h".]
Processing of DDHA
2.3 Compression function
The function compression(repeattime, m_i, h, tm, oc, ct1, ct2) takes as input seven values:
* an integer value repeattime. The user can set repeattime to get higher intensity. The default value of repeattime is 1.
* a message block m = m_0, ..., m_31
* a chain value h = h_0, ..., h_7
* a value tm (the sum of the message blocks processed so far, see section 3.2)
* a value oc = oc_0, oc_1
* a constant ct1 = ct1_0, ..., ct1_15
* a constant ct2 = ct2_0, ..., ct2_15
The compression function uses two functions: SR(m, h, ct1, ct2) and ME(m). In DDHA, each word is carved up into sixteen parts, and every part is used once as the parameter of a data-depend circular shift. In the function ME(m), the circular shift operation is based on parts, not bits.
2.3.1 SR(m, h, ct1, ct2)
The function SR(m, h, ct1, ct2) takes as input four values:
* a chain value h = h_0, ..., h_7
* a message block m = m_0, ..., m_32
* a constant ct1 = ct1_0, ..., ct1_15
* a constant ct2 = ct2_0, ..., ct2_15
SR(m, h, ct1, ct2) is as follows:
[Figure "SR function of DDHA": the pseudocode body is not legible in this copy. Legible fragments show nested loops over i and j, data-depend rotations whose amount is taken from part j of a word as ((x >> (rl × j)) ∧ rv), rotations of chain words combined with the constants ct1_j, ct2_j and the message words m_i, additions modulo 2^n into a temporary t, and the final statement h_0 ← t.]
SR function of DDHA
In DDHA-256, the word length is 32, rl is 2 and rv is 3. In DDHA-512, the word length is 64, rl is 4 and rv is 15.
2.3.2 Message expansion function ME(m)
The message expansion function ME(m) takes as input one value:
* a message block m = m_0, ..., m_15
ME(m) is as follows (m1 and m2 are 16-word temporaries, as in Appendix 2):
m1_i ← (⊕_{j=0}^{15} m_j) ⊕ m_i, 0 ≤ i ≤ 15
m2_i ← ROTR^{rl×i}(m1_i), 0 ≤ i ≤ 15   (a rotation of word i by i parts)
m_{i+16} ← (⊕_{j=0}^{15} m2_j) ⊕ m2_i, 0 ≤ i ≤ 15
return m
function ME of DDHA
In DDHA-256, the word length is 32 and rl is 2. In DDHA-512, the word length is 64 and rl is 4.
With the functions SR(m, h, ct1, ct2) and ME(m), the compression function is as follows:
[Figure "compression function of DDHA": the pseudocode body is not legible in this copy. Legible fragments show the copies ma ← m and mb ← ME(m); working constants c3 and c4 derived from ct1 and ct2 by XOR with tm and oc; a loop for j = 1 to repeattime with calls to SR on ma and on mb using the constants c3 and c4; rotation of c3_j and c4_j (j = 0 to 15) when repeattime > 1; and the final "return h".]
compression function of DDHA
In DDHA-256, the word bit-length is 32. In DDHA-512, the word bit-length is 64.
3 Security of DDHA
In this section, we discuss the resistance of DDHA to the differential attack, length extension and multicollisions.
3.1 Differential attack
From Appendix 2, we know that if there is any difference in the message, the difference path for DDHA will have at least eight data-depend circular shift differences with ∆r ≠ 0, where r is the parameter of the data-depend circular shift.
By Proposition A.1, for a data-depend circular shift difference with (r1 − r2) ≠ 0, the probability of the data-depend circular shift difference is 2^{gcd−n}, where gcd is the greatest common divisor of (r1 − r2) and n.
DDHA-256: 0 ≤ r1, r2 < 4, −4 < (r1 − r2) < 4, gcd = GCD(r1 − r2, 32) ≤ 2.
DDHA-512: 0 ≤ r1, r2 < 16, −16 < (r1 − r2) < 16, gcd = GCD(r1 − r2, 64) ≤ 8.
So the probability of a difference path for DDHA will be:
p ≤ 2^{8×(gcd−n)} ≤ 2^{16−8n} (resp. 2^{64−8n})
At the same time, if in a difference path for DDHA a chain value with ∆r = 0 has differences, some bits of the parameter r will be fixed; this depends on the differences that the chain value has. Here we suppose the attacker can find the needed differences.
3.2 Length extension
Length extension is the attack against a keyed hash of the form h = H_k(m) or h = H(k||m). The attack is: given h = H_k(m) and the padding data p, compute H(k||m||p||m') for some m' without knowing k; (m||p||m') is the fabricated message.
Let tm be the sum of the message blocks before the last block.
In DDHA, if (...||m_{N−2}||m_{N−1}) is the padded message data and m_{N−1} is the last message block, the final chain value is h_N = compression(repeattime, m_{N−1}, ¬h_{N−1}, ¬tm, ¬oc, c1, c2). If a block m_N is appended, then the chain value between m_{N−1} and m_N will be h_N = compression(repeattime, m_{N−1}, h_{N−1}, tm, oc, c1, c2) instead of h_N = compression(repeattime, m_{N−1}, ¬h_{N−1}, ¬tm, ¬oc, c1, c2). So knowledge of DDHA(...||m_{N−2}||m_{N−1}) cannot be used to compute the hash of (...||m_{N−2}||m_{N−1}||m_N).
3.3 Multicollisions
Many techniques have been developed to find multicollisions of hash functions; Joux's technique [1] and Kelsey/Schneier's technique [2] are representative.
3.3.1 Joux's technique
Joux [1] proposed a technique to find a 2^k-collision for hash functions with n-bit hash values in k·2^{n/2} work.
For a pair (h_i, h_{i+1}), if replacing m1_{i+1} with m2_{i+1} does not change any parameter in the following calculation, Joux's technique can be applied.
Let tm be the sum of the first i message blocks, and oco_i the number of "o" blocks before the i-th chaining hash value h_i.
In DDHA, replacing m1_{i+1} with m2_{i+1} changes the parameter tm in the following calculation.
Joux's technique can be altered to apply it to DDHA. For the pair (h_i, h_{i+1}), one needs to find message blocks (m3_0, ..., m3_{i3−1}, m4_0, ..., m4_{i3−1}) that satisfy (3.1). Let ocou3_i be the number of "o" blocks in (m3_0, ..., m3_{i−1}) and ocou4_i the number of "o" blocks in (m4_0, ..., m4_{i−1}), with ocou3_0 = ocou4_0 = 0.
So to find multicollisions of DDHA, for every pair of chain values (h_i, h_{i+1}) one needs to find message blocks that satisfy (3.1). Then for a 2^k-collision of DDHA, the message blocks must satisfy k systems like (3.1).
[System (3.1) is not legible in this copy. Legible fragments show two chains of compression calls of the form h = compression(repeattime, m3_i, h, tm + Σ m3_j, oco_i + ocou3_i, c1, c2) and h = compression(repeattime, m4_i, h, tm + Σ m4_j, oco_i + ocou4_i, c1, c2), together with equalities between the sums tm + Σ m3_j and tm + Σ m4_j and between ocou3 and ocou4.]   (3.1)
3.3.2 Kelsey/Schneier's technique
Kelsey/Schneier's technique is based on fixed points of the hash function. When constructing multicollisions for a hash function, Kelsey/Schneier's technique [2] changes the order of the blocks.
[Figure: a diagram of block orderings (m1_0, m2_0, m1_1, ..., m1_{k−1}, m2_{k−1}); not legible in this copy.]
In DDHA, changing the order of the blocks may change the parameter tm or oc in some following calculation, so it is hard to apply Kelsey/Schneier's technique to DDHA. There is a simple way to resist this attack: use some parameter that is related to the position of a block among the blocks.
4. Improvement
In the compression function there are 512 data-depend circular shift operations, which increases the calculation. If DDHA used a message expansion function that has a higher minimum Hamming weight with fewer expanded message words, DDHA would have the same intensity with less calculation. One such message expansion function is as follows:
[Figure "function ME1 of DDHA": the pseudocode body is not legible in this copy. Legible fragments show loops for i = 0 to 15 that build expanded words em_0, ..., em_20 from the message words m_i with XOR and rotations ROTR by multiples of rl, with indices 16 to 20 for the last five expanded words.]
function ME1 of DDHA
In DDHA-256, the word length is 32 and rl is 2. In DDHA-512, the word length is 64 and rl is 4.
Function ME1 has a property: a set of expanded message words has a different minimum Hamming weight depending on which words it includes. We give the minimum Hamming weights here:

Expanded message words   Minimum Hamming weight
em_0, ..., em_16         2
em_0, ..., em_17         4
em_0, ..., em_19         6
em_0, ..., em_20         8

Function ME1 produces 21 expanded message words whose minimum Hamming weight is 8. This reduces the calculation.
5. Conclusions
After studying the techniques [WY05, Dau05] and the defence feature of data-depend functions, we found a message expansion function that makes every difference path for DDHA have at least eight data-depend circular shift differences; this makes it hard to construct a feasible difference path with good probability. Based on data-depend functions and the message expansion function, we designed the hash function DDHA.
At the same time, we studied other attack techniques [1,2] and length extension, and we used some measures in view of these techniques; these measures wreck the conditions that applying the techniques needs, which makes it harder to apply these techniques to DDHA.
DDHA uses a value repeattime that the user can set to change the number of rounds and thus the strength. This makes it easy to raise the intensity of the system.
References:
[WY05] Xiaoyun Wang and Hongbo Yu. How to break MD5 and other hash functions. In Cramer [Cra05], pages 19–35.
[Dau05] Magnus Daum. Cryptanalysis of Hash Functions of the MD4-Family. PhD thesis, Ruhr-Universität Bochum, 2005.
[1] Antoine Joux. Multicollisions in iterated hash functions. Application to cascaded constructions. In CRYPTO, 2004.
Appendix 1: Difference of data-depend circular shift
Here we discuss only the circular right shift, and only XOR differences [Dau05].
If x ∈ F_2^n, x has n bits: x = (x_{n−1}, ..., x_0).
If x, y are n-bit words, n is 32 (resp. 64), and 0 ≤ r < 32 (resp. 64) is an integer with 5 (resp. 6) bits, then the circular right shift is:
y = ROTR^r(x) = (x >> r) ∨ (x << (n − r))
Suppose (x1, y1, r1) and (x2, y2, r2) satisfy:
y1 = ROTR^{r1}(x1), y2 = ROTR^{r2}(x2)
First, with wbl = log2(n) − 1, write:
r1 = (r1_{wbl}, ..., r1_0), r2 = (r2_{wbl}, ..., r2_0)
x1 = (x1_{n−1}, ..., x1_0), x2 = (x2_{n−1}, ..., x2_0)
∆⊕(x1, x2) := (∆⊕(x1_{n−1}, x2_{n−1}), ..., ∆⊕(x1_0, x2_0)), where ∆⊕(x1_i, x2_i) = x1_i ⊕ x2_i
∆⊕(y1, y2) := (∆⊕(y1_{n−1}, y2_{n−1}), ..., ∆⊕(y1_0, y2_0)), with y1_i = x1_{(i+r1) mod n} and y2_i = x2_{(i+r2) mod n}
[The modular difference ∆^±(r1, r2) of the rotation amounts, written as a signed sum over the bits r1_i and r2_i, is not legible in this copy.]
Let gcd = GCD(r1 − r2, n) be the greatest common divisor of (r1 − r2) and n. Then:
1. If r1 = r2:
∆⊕(y1, y2) = (∆⊕(x1_{(n−1+r1) mod n}, x2_{(n−1+r1) mod n}), ..., ∆⊕(x1_{r1 mod n}, x2_{r1 mod n})) = ROTR^{r1}(∆⊕(x1, x2))
So if r1 = r2, the difference of y1 and y2 depends only on the difference of x1 and x2 (and, of course, on r1).
For a given ∆⊕(y1, y2) there are 2^n choices of x1, and for a given (x1, ∆⊕(y1, y2)) there is one x2, namely x2 = x1 ⊕ ROTL^{r1}(∆⊕(y1, y2)). So there are 2^n pairs (x1, x2) with the same ∆⊕(y1, y2).
2. If r1 ≠ r2:
Group the bit positions by their residue modulo gcd. For j = 0, ..., gcd − 1 define the parts
px_j := (x1_{(j+i·gcd) mod n} ⊕ x2_{(j+i·gcd) mod n} | i = 0, ..., n/gcd − 1)
py_j := (x1_{(j+r1+i·gcd) mod n} ⊕ x2_{(j+r2+i·gcd) mod n} | i = 0, ..., n/gcd − 1)   (A.1)
so that ∆⊕(x1, x2) is the interleaving of px_0, ..., px_{gcd−1} and ∆⊕(y1, y2) is the interleaving of py_0, ..., py_{gcd−1}.
For a given pair of parts (px_j, py_j) write
dx := (x1_{(j+i·gcd) mod n} ⊕ x2_{(j+i·gcd) mod n} | i = 0, ..., n/gcd − 1)
There are 2^{n/gcd − 1} differences dy1 as follows:
dy1 := (x1_{(j+r1+i·gcd) mod n} ⊕ x2_{(j+r2+i·gcd) mod n} | i = 0, ..., n/gcd − 2)
For a given pair (dx, dy1) the remaining bit of py_j is fixed by the relation (A.2) [the equation is not legible in this copy; it states that the XOR of all n/gcd bits of py_j equals the XOR of the bits of ∆⊕(x1, x2) in the corresponding residue class], so only the n/gcd − 1 bits of dy1 are free.
Proposition A.1: If r1 ≠ r2, the probability of a difference pair (∆⊕(y1, y2), ∆⊕(x1, x2)) is 2^{gcd−n}.
Proof:
First, divide ∆⊕(y1, y2) and ∆⊕(x1, x2) into gcd parts as in (A.1); every part satisfies (A.2). For a given pair (dx, dy1) there is the system (A.3) [not legible in this copy], consisting of the n/gcd equations for the bits of dx and the n/gcd − 1 equations for the bits of dy1 in the unknown bits of x1 and x2. Applying elimination to the system (A.3) gives (A.2). The system has two roots over GF(2).
The difference pair (∆⊕(y1, y2), ∆⊕(x1, x2)) consists of gcd parts that satisfy (A.2) and (A.3). So there are 2^gcd pairs (x1, x2) that satisfy these systems, that is, 2^gcd pairs (x1, x2) have the given difference (∆⊕(y1, y2), ∆⊕(x1, x2)). Of course these pairs satisfy x2 = ∆⊕(x1, x2) ⊕ x1.
For a given difference ∆⊕(x1, x2) there are 2^n choices of x1, and for a given pair (∆⊕(x1, x2), x1) there is one x2 satisfying x2 = ∆⊕(x1, x2) ⊕ x1, so 2^n pairs (x1, x2) have the given difference ∆⊕(x1, x2). Hence the probability of the difference pair is 2^gcd / 2^n = 2^{gcd−n}. □
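As an added illustration (not code from the paper), the following Python checks Proposition A.1 exhaustively on small word sizes: for every attainable difference pair (∆⊕(y1, y2), ∆⊕(x1, x2)) it counts the pairs (x1, x2) producing it and compares the count with 2^gcd (2^n when r1 = r2). The word size n = 8 and the rotation amounts used below are constructed test values, not values from the paper.

```python
# Added example (not from the paper): exhaustive check of Proposition A.1.
# For an n-bit word size and rotation amounts r1, r2 it counts how many pairs
# (x1, x2) produce a given XOR-difference pair
#   (dy, dx) = (ROTR_r1(x1) XOR ROTR_r2(x2), x1 XOR x2).
# Proposition A.1: for r1 != r2 every attainable pair is produced by exactly
# 2^gcd pairs, gcd = GCD(r1 - r2, n), so its probability is 2^(gcd - n);
# for r1 == r2 (case 1 of Appendix 1) the count is 2^n.
from math import gcd as _gcd


def rotr(x: int, r: int, n: int) -> int:
    """Circular right shift of the n-bit word x by r positions (Appendix 1)."""
    r %= n
    mask = (1 << n) - 1
    return ((x >> r) | (x << (n - r))) & mask


def diff_pair(x1: int, x2: int, r1: int, r2: int, n: int) -> tuple[int, int]:
    """(XOR difference of the rotated outputs, XOR difference of the inputs)."""
    dy = rotr(x1, r1, n) ^ rotr(x2, r2, n)
    dx = x1 ^ x2
    return dy, dx


def count_pairs(dy: int, dx: int, r1: int, r2: int, n: int) -> int:
    """Number of pairs (x1, x2) with x1 XOR x2 == dx and
    ROTR_r1(x1) XOR ROTR_r2(x2) == dy, by exhaustive search over x1."""
    return sum(1 for x1 in range(1 << n)
               if diff_pair(x1, x1 ^ dx, r1, r2, n) == (dy, dx))


def predicted_pairs(r1: int, r2: int, n: int) -> int:
    """2^gcd for r1 != r2 (Proposition A.1), 2^n for r1 == r2 (case 1)."""
    if r1 == r2:
        return 1 << n
    return 1 << _gcd(abs(r1 - r2), n)


def check_proposition(r1: int, r2: int, n: int) -> bool:
    """True when every attainable (dy, dx) pair is produced by exactly
    predicted_pairs() pairs (x1, x2), i.e. its probability is 2^(gcd - n)."""
    expected = predicted_pairs(r1, r2, n)
    hits: dict[tuple[int, int], int] = {}
    for x1 in range(1 << n):
        for x2 in range(1 << n):
            key = diff_pair(x1, x2, r1, r2, n)
            hits[key] = hits.get(key, 0) + 1
    return all(v == expected for v in hits.values())


def difference_probability(r1: int, r2: int, n: int) -> float:
    """Probability 2^(gcd - n) of one attainable difference pair; the worst case
    for DDHA-256 in section 3.1 is gcd = 2 with n = 32."""
    return predicted_pairs(r1, r2, n) / (1 << n)


if __name__ == "__main__":
    n = 8  # constructed small word size so the search is exhaustive
    for r1, r2 in ((1, 3), (0, 1), (2, 6), (3, 3)):
        print(f"n={n} r1={r1} r2={r2}: pairs per difference = "
              f"{predicted_pairs(r1, r2, n)}, ok = {check_proposition(r1, r2, n)}")
```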
Appendix 2: Message expansion ME(m)
In DDHA, the message m is expanded from 16 words to 32 words. This can be described with a 512×1024 (resp. 1024×2048) generator matrix, but it is a little hard to find the minimum difference in the expanded message words with the big matrix. We find the minimum difference in the expanded message words another way.
First, the following facts are used to simplify the discussion:
1. Because the degree of the Algebraic Normal Form (ANF) that describes the function ME(m) is 1, finding the minimum difference in the expanded message words is equal to finding the minimum Hamming weight of the expanded message words when the Hamming weight of the message is bigger than 0.
2. The words in DDHA are carved up into sixteen parts, so a word can be described as follows:
W := (w_15, ..., w_0)
where w_i := (b_J, ..., b_0), 0 ≤ i < 16, and every part w_i has J bits. Then the message words m and the expanded message words em are as follows:
m := (m_{0,15}, ..., m_{0,0}, m_{1,15}, ..., m_{14,0}, m_{15,15}, ..., m_{15,0})
em := (em_{0,15}, ..., em_{0,0}, em_{1,15}, ..., em_{30,0}, em_{31,15}, ..., em_{31,0})
em_{i,j} = m_{i,j}, 0 ≤ i, j ≤ 15
Then the function ME(m) can be described with the following steps, where m1 and m2 each consist of 16 words:
m1_i ← (⊕_{j=0}^{15} m_j) ⊕ m_i, 0 ≤ i ≤ 15
m2_i ← ROTR^{rl×i}(m1_i), 0 ≤ i ≤ 15   (a rotation of word i by i parts)
em_{i+16} ← (⊕_{j=0}^{15} m2_j) ⊕ m2_i, 0 ≤ i ≤ 15
Then, at the level of parts:
m2_{i,j} = m1_{i,(16−i+j) mod 16}
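As an added illustration (not the paper's code), the following Python implements ME(m) on 16-part words as laid out in section 2.3.2 and Appendix 2 and measures HW(em) on constructed inputs, exercising the bound HW(em) ≥ 8 of Proposition B.3. It assumes that the rotation of m1_i is a plain circular right shift by i parts (rl×i bits), that part 0 is the least significant part, and that em_0, ..., em_15 are the original words; the weight arguments of Appendix 2 only need that word i is rotated by i parts, so the direction of the rotation does not affect them.

```python
# Added example (not from the paper): the message expansion ME(m) of DDHA on
# 16-part words, plus Hamming-weight measurements on constructed inputs.
# Assumed reading of the steps in section 2.3.2 / Appendix 2:
#   m1_i = (XOR_j m_j) ^ m_i,  m2_i = ROTR by i parts of m1_i,
#   em_{i+16} = (XOR_j m2_j) ^ m2_i,  em_i = m_i for i < 16.
from functools import reduce
from operator import xor
from random import Random

PARTS = 16  # every DDHA word is carved into sixteen parts (section 2.3)


def rotr(x: int, r: int, n: int) -> int:
    """Circular right shift of the n-bit word x by r bit positions."""
    r %= n
    mask = (1 << n) - 1
    return ((x >> r) | (x << (n - r))) & mask


def message_expansion(m: list[int], n: int) -> list[int]:
    """ME(m): expand 16 n-bit words to 32 (n = 32 for DDHA-256, 64 for DDHA-512)."""
    if len(m) != 16 or n % PARTS:
        raise ValueError("ME expects 16 words with a word size divisible by 16")
    rl = n // PARTS                      # part size in bits: 2 (DDHA-256), 4 (DDHA-512)
    mask = (1 << n) - 1
    m = [w & mask for w in m]
    t = reduce(xor, m, 0)                # XOR of all 16 message words
    m1 = [t ^ w for w in m]              # m1_i = (XOR_j m_j) ^ m_i
    m2 = [rotr(w, rl * i, n) for i, w in enumerate(m1)]   # word i rotated by i parts
    t2 = reduce(xor, m2, 0)
    return m + [t2 ^ w for w in m2]      # em_0..em_15 = m, em_16..em_31 from m2


def part(word: int, j: int, n: int) -> int:
    """Part j of an n-bit word, part 0 being the least significant rl bits (assumed)."""
    rl = n // PARTS
    return (word >> (rl * j)) & ((1 << rl) - 1)


def hamming_weight(words: list[int]) -> int:
    """HW of a list of words: the total number of set bits."""
    return sum(bin(w).count("1") for w in words)


def min_weight_single_bit(n: int) -> int:
    """Smallest HW(em) over all 16*n single-bit messages: an upper bound on the
    minimum weight of the expansion and a first check of HW(em) >= 8 (B.3)."""
    best = None
    for i in range(16):
        for b in range(n):
            m = [0] * 16
            m[i] = 1 << b
            hw = hamming_weight(message_expansion(m, n))
            best = hw if best is None else min(best, hw)
    return best


def sampled_min_weight(n: int, samples: int, seed: int = 1) -> int:
    """Smallest HW(em) over constructed random sparse (non-zero) messages."""
    rng = Random(seed)
    best = None
    for _ in range(samples):
        m = [0] * 16
        for _ in range(rng.randint(1, 3)):          # 1 to 3 set bits in random words
            m[rng.randrange(16)] |= 1 << rng.randrange(n)
        hw = hamming_weight(message_expansion(m, n))
        best = hw if best is None else min(best, hw)
    return best


if __name__ == "__main__":
    print("DDHA-256 single-bit minimum HW(em):", min_weight_single_bit(32))
    print("DDHA-512 single-bit minimum HW(em):", min_weight_single_bit(64))
    print("DDHA-256 sampled minimum HW(em):   ", sampled_min_weight(32, 2000))
```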
Let HW(w) be the Hamming weight of w. Then:
Proposition B.1: If
x := (x_15, ..., x_0), x_i ∈ {0, 1}, 0 ≤ i ≤ 15
y := (y_15, ..., y_0), y_i = x_i ⊕ (⊕_{j=0}^{15} x_j), 0 ≤ i ≤ 15
then:
1. If ⊕_{j=0}^{15} x_j = 0, then HW(y) = HW(x).
2. If ⊕_{j=0}^{15} x_j = 1, then HW(y) = 16 − HW(x).
3. If HW(x) > 0 and ⊕_{j=0}^{15} x_j = 0, then HW(y) ≥ 2.
4. If HW(x) > 0 and ⊕_{j=0}^{15} x_j = 1, then HW(y) ≥ 1.
Proof:
We have
HW(x) = Σ_{j=0}^{15} x_j ≤ 16   (B.1.1)
1. If ⊕_{j=0}^{15} x_j = 0, then
y_i = x_i ⊕ (⊕_{j=0}^{15} x_j) = x_i, 0 ≤ i ≤ 15   (B.1.2)
so HW(y) = HW(x).
2. If ⊕_{j=0}^{15} x_j = 1, then
y_i = x_i ⊕ 1 = ¬x_i, 0 ≤ i ≤ 15
so
HW(y) = Σ_{i=0}^{15} y_i = Σ_{i=0}^{15} (1 − x_i) = 16 − Σ_{i=0}^{15} x_i = 16 − HW(x)   (B.1.3)
3. If HW(x) ≥ 1 and ⊕_{j=0}^{15} x_j = 0: if HW(x) were 1 we would have ⊕_{j=0}^{15} x_j = 1, so HW(x) ≥ 2. By (B.1.2), HW(y) = HW(x) ≥ 2.
4. If HW(x) ≥ 1 and ⊕_{j=0}^{15} x_j = 1: if HW(x) were 16 we would have ⊕_{j=0}^{15} x_j = 0, so HW(x) ≤ 15. By (B.1.3), HW(y) = 16 − HW(x) ≥ 16 − 15 = 1. □
Proposition B.2: In the message words of DDHA, if there exists 0 ≤ j1 ≤ 15 such that ⊕_{i=0}^{15} m_{i,j1} = 1, then HW(em) ≥ 16.
Proof:
We have em_{i,j} = m_{i,j} for 0 ≤ i, j ≤ 15, and
m1_{i,j1} = em_{i,j1} ⊕ (⊕_{k=0}^{15} em_{k,j1}), 0 ≤ i ≤ 15.
Let H0 := HW((m_{0,j1}, ..., m_{15,j1})). By Proposition B.1 (case 2), HW((m1_{0,j1}, ..., m1_{15,j1})) = 16 − H0. Let I := {i | m1_{i,j1} = 0, 0 ≤ i ≤ 15}, so that m1_{i,j1} = 1 for i ∉ I.
Let J := {(16 + j1 − i) mod 16 | i ∉ I, i = 0, ..., 15}; there are 16 − H0 members in J.
Because m2_{i,j} = m1_{i,(16−i+j) mod 16}, we have
m2_{i,(16+j1−i) mod 16} = m1_{i,j1} = 1, i ∉ I,
so for every j ∈ J there is an i with m2_{i,j} = 1.
Since em_{i+16} ← (⊕_{k=0}^{15} m2_k) ⊕ m2_i, 0 ≤ i ≤ 15, Proposition B.1 (cases 3 and 4) gives HW((em_{16,j}, ..., em_{31,j})) ≥ 1 for every j ∈ J. So
HW((em_16, ..., em_31)) ≥ Σ_{j∈J} HW((em_{16,j}, ..., em_{31,j})) ≥ Σ_{j∈J} 1 = 16 − H0.
Then
HW(em) = HW((em_0, ..., em_15)) + HW((em_16, ..., em_31)) ≥ H0 + (16 − H0) = 16. □
Proposition B.3: In the message words of DDHA, if HW(m) > 0 then HW(em) ≥ 8.
Proof:
We have em_i = m_i, 0 ≤ i ≤ 15, so
HW(em) = HW((em_0, ..., em_15)) + HW((em_16, ..., em_31)) = HW((m_0, ..., m_15)) + HW((em_16, ..., em_31)).
1. If there exists j1 such that ⊕_{i=0}^{15} m_{i,j1} = 1, then by Proposition B.2
HW(em) ≥ 16 > 8.   (B.3.a)
2. If ⊕_{i=0}^{15} em_{i,j} = 0 for all 0 ≤ j ≤ 15, then
m1_{i,j} = em_{i,j} ⊕ (⊕_{k=0}^{15} em_{k,j}) = em_{i,j} = m_{i,j}, 0 ≤ i, j ≤ 15, and m2_{i,j} = m1_{i,(16−i+j) mod 16}.
Let I0_j := {i | em_{i,j} = 1, 0 ≤ i ≤ 15} and I1_j := {i | m1_{i,j} = 1, 0 ≤ i ≤ 15} for 0 ≤ j ≤ 15; then I0_j = I1_j and HW((m1_0, ..., m1_15)) = HW((em_0, ..., em_15)).
Let JB0 := {jb_0, ...} := {j | Σ_{i=0}^{15} m1_{i,j} > 0, 0 ≤ j ≤ 15}. Because ⊕_{i=0}^{15} em_{i,j} = 0 for all j, Proposition B.1 gives
Σ_{i∈I1_j} m1_{i,j} ≥ 2 for every j ∈ JB0.   (B.3.1)
Since m2_{i,j} = m1_{i,(16−i+j) mod 16} only permutes the parts of each word,
HW((m2_0, ..., m2_15)) = HW((m1_0, ..., m1_15)) = HW((m_0, ..., m_15)).   (B.3.2)
2.1 If there exists i1c such that ⊕_{i=0}^{15} m2_{i,i1c} = 1, then by Proposition B.1 and (B.3.2)
HW((em_16, ..., em_31)) ≥ HW((em_{16,i1c}, ..., em_{31,i1c})) = 16 − HW((m2_{0,i1c}, ..., m2_{15,i1c})),
HW((m_0, ..., m_15)) = HW((m2_0, ..., m2_15)) ≥ HW((m2_{0,i1c}, ..., m2_{15,i1c})),
so
HW(em) = HW((m_0, ..., m_15)) + HW((em_16, ..., em_31)) ≥ 16 > 8.   (B.3.b)
2.2 If ⊕_{i=0}^{15} m2_{i,j} = 0 for all 0 ≤ j ≤ 15, then em_{i+16,j} = m2_{i,j} ⊕ (⊕_{k=0}^{15} m2_{k,j}) = m2_{i,j}, so
HW((em_16, ..., em_31)) = HW((m2_0, ..., m2_15)).   (B.3.3)
Because HW(m) > 0, there is at least one member in JB0. Let jb0 ∈ JB0; by Proposition B.1 and (B.3.1) there are at least two members in I1_{jb0}. Suppose i1a ≠ i1b ∈ I1_{jb0}; then
m1_{i1a,jb0} = 1 and m1_{i1b,jb0} = 1,
and so
m2_{i1a,(16+jb0−i1a) mod 16} = m1_{i1a,jb0} = 1, m2_{i1b,(16+jb0−i1b) mod 16} = m1_{i1b,jb0} = 1.
Because 0 ≤ jb0, i1a, i1b ≤ 15 and i1a ≠ i1b, we have (16 + jb0 − i1a) mod 16 ≠ (16 + jb0 − i1b) mod 16, so these two ones lie in two different part columns of m2. Because ⊕_{i=0}^{15} m2_{i,j} = 0 for every j, Proposition B.1 gives each of these two columns a weight of at least 2:
HW((m2_0, ..., m2_15)) ≥ HW((m2_{0,(16+jb0−i1a) mod 16}, ..., m2_{15,(16+jb0−i1a) mod 16})) + HW((m2_{0,(16+jb0−i1b) mod 16}, ..., m2_{15,(16+jb0−i1b) mod 16})) ≥ 2 + 2 = 4.   (B.3.4)
By (B.3.2), (B.3.3) and (B.3.4),
HW(em) = HW((em_0, ..., em_15)) + HW((em_16, ..., em_31)) = 2 × HW((m2_0, ..., m2_15)) ≥ 2 × 4 = 8.   (B.3.c)
So by (B.3.a), (B.3.b) and (B.3.c), if HW(m) > 0 then HW(em) ≥ 8. □