Kobe University Repository: Kernel
Title: Equivalent Keys in RC6-32/20/176 (Special Section on Information Theory and Its Applications)
Author(s): Mizuno, Hiroshi / Kuwakado, Hidenori / Tanaka, Hatsukazu
Citation: IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, E84-A(10):2474-2481
Issue date: 2001-10-01
Resource Type: Journal Article
Resource Version: publisher
Rights: Copyright (c) 2001 IEICE
URL: http://www.lib.kobe-u.ac.jp/handle_kernel/90001318
PDF issue: 2021-06-27


2474 IEICE TRANS. FUNDAMENTALS, VOL.E84-A, NO.10 OCTOBER 2001

    PAPER Special Section on Information Theory and Its Applications

    Equivalent Keys in RC6-32/20/176

Hiroshi MIZUNO†a), Student Member, Hidenori KUWAKADO†† and Hatsukazu TANAKA††, Regular Members

SUMMARY RC6 is a common-key block cipher that was proposed as one of the AES candidates. Although no weakness of RC6 in its use for confidentiality is known, Saarinen pointed out the existence of almost equivalent keys in RC6 with 176-byte keys. This means that the Davies-Meyer hash function based on RC6 with 176-byte keys is not a good collision-resistant function. However, Saarinen could not find a precise collision of it. In this paper, we propose a practical method for obtaining a collision of the Davies-Meyer hash function based on RC6-32/20/176. In other words, there exist equivalent user supplied keys in RC6-32/20/176, and it is possible to obtain them practically. This means that the essential key space of RC6-32/20/176 is smaller than the space provided by 176-byte keys. Our computer simulation shows that a collision can be found in about 100 minutes. We should notice that the result of this paper does not affect the security of the AES version of RC6 because RC6-32/20/176 discussed in this paper is different from the parameters of the AES version.
key words: cryptanalysis, RC6, key schedule, equivalent key, Davies-Meyer hash function

    1. Introduction

RC6 is a common-key block cipher that was proposed as one of the AES candidates [9]. The AES version of RC6 is extremely superior to other candidates with respect to the encryption/decryption speed on a 32-bit processor [4], [6]. It is believed that the security of RC6 is high enough [1]-[3], [5]. The version of RC6 is more accurately specified as RC6-w/r/b, where w is the word size, r is the number of rounds, and b is the length of a user supplied key (encryption key) in bytes. For example, the AES version of RC6 is RC6-32/20/b, where b = 16, 24, 32. RC6 has a variable-length user supplied key. This is one of the design policies, and is for choosing the level of security according to the application or external considerations such as export restrictions [8]. A user supplied key is transformed into a set of round keys by the key schedule. The key schedule of RC6 allows the length of a user supplied key up to 256 bytes. If it is longer than 176 bytes, additional mixing steps are required. Accordingly, the longer a user supplied key is beyond 176 bytes, the more steps are required for the key schedule.

Manuscript received January 19, 2001. Manuscript revised April 11, 2001.

† The author is with the Graduate School of Science and Technology, Kobe University, Kobe-shi, 657-8501 Japan.

†† The authors are with the Faculty of Engineering, Kobe University, Kobe-shi, 657-8501 Japan.

a) E-mail: [email protected] .kobe-u.ac.jp

It is possible to use a common-key block cipher as a one-way hash function. The Davies-Meyer hash function is one of such hash functions [7]. Let $E(L, M)$ be an encryption algorithm where $L$ is a key and $M$ is a message. The Davies-Meyer hash function is constructed from $E(L, M)$ as follows. Given a message $M$, $M$ is padded adequately and split into pieces $M_i$ of the same length as the key. Then,

    (1)

where $\oplus$ is exclusive-or. The hash value of $M$ is the final value of $H_i$. Notice that the exclusive-or operation may be replaced with another arithmetic operation, for example, modular addition. Since the use of a longer user supplied key decreases the number of pieces $M_i$, the speed of the resulting hash function is directly related to the key length of the common-key block cipher. For the Davies-Meyer hash function based on RC6, the use of RC6-w/r/256 is most efficient. Although the flexibility of the key length in RC6 is originally for choosing the security level, it also affects the efficiency of the Davies-Meyer hash function.

Let us consider the relationship between the key schedule and the collision resistance of the Davies-Meyer hash function. Usually, a user supplied key is transformed into a set of round keys with a key schedule, and the set of round keys plays an essential role in encryption. We denote by $K(L)$ a key schedule that transforms the user supplied key $L$ into the set of round keys. We note that the mapping from the user supplied key to the set of round keys is not always one-to-one. Hence, if $K(M_i) = K(M_i')$ ($M_i \neq M_i'$), then a collision occurs in Eq.\ (1). Thus it is important that the key schedule is collision resistant.

The key schedule of RC6 is almost identical to the key schedule of RC5 [3], [8]. The only difference is that more words are derived from the user supplied key. Studies of RC5 have failed to reveal any weakness in this key schedule [3]. Rivest, Robshaw, Sidney, and Yin stated that while there is no proof that no two keys yield the same round keys, it appears to be highly unlikely [3]. After that, Saarinen showed a method for finding almost equivalent round keys in the use of 176-byte keys [10], [11]. Saarinen's method is based on three simple deterministic conditions that provide almost equivalent round keys. Saarinen's method is extremely easy to execute, and outputs almost equivalent keys with complexity about $2^{17}$. However, we stress that the Hamming distance of two hash values computed from the almost equivalent keys is at most 16, and it is practically impossible to find precisely equivalent keys with Saarinen's method.

Similar to Saarinen's paper, this paper discusses the security of the key schedule of RC6-32/20/176. We show a method for computing equivalent keys. Different from Saarinen's method, our method finds precisely equivalent keys. Our method is based on five conditions for becoming equivalent keys; the first three conditions are deterministic and the last two conditions are data dependent. The complexity of our method is much higher than that of Saarinen's method. However, our method is practical; the time for finding a pair of equivalent keys is about 100 minutes on a personal computer.

The main contribution of this paper is to point out the weakness of the use of RC6-32/20/176 in the Davies-Meyer hash function. In RC6-32/20/176, the space of user supplied keys is the same as that of round key sets, that is, the space provided by 176-byte keys. However, the existence of equivalent keys means that the essential space of round key sets is smaller than the space provided by 176-byte keys. Since the key length of RC6 as the AES candidate is 16, 24, or 32 bytes, the case of the 176-byte key discussed here is not the AES version. In addition, it seems difficult to modify our method for the AES version. Therefore, the result of this paper does not affect the security of the AES version of RC6.

The organization of this paper is as follows. Section 2 describes the key schedule of RC6-32/20/176. Although we basically follow the notation of [6], the description is diffusive in order to make the change of variables clear. In Sect. 3, we describe a method for finding a pair of equivalent keys, and show the simulation results of the proposed method. Section 4 concludes this paper.

    2. Key Schedule of RC6-32/20/176

We describe the key schedule of RC6-32/20/176 below. The key schedule is a function from a 176-byte (1408-bit) user supplied key to 44 32-bit round keys, i.e.,

$\{0, 1\}^{1408} \to \underbrace{\{\{0, 1\}^{32}, \{0, 1\}^{32}, \ldots, \{0, 1\}^{32}\}}_{44}.$

We call the 44 32-bit round keys the set of round keys, and the space which consists of all 1408-bit strings the 1408-bit space. Accordingly, the space of the input/output of the key schedule is the 1408-bit space.

In the following description, notice that diffusive notation is used to make the change of variable values in each step clear, and the notation described here is used in Sect. 3. In this paper, when an integer is represented in hexadecimal notation, it is written with the prefix "0x".

Key Schedule

Input: User supplied key $L$, $L = L[0, \ldots, 43] = L^{(0)}[0, \ldots, 43]$

Output: Set of round keys $S$, $S = S[0, \ldots, 43] = S^{(3)}[0, \ldots, 43]$

Procedure:

    S^(0)[0] = 0xb7e15163
    for i = 1 to 43 do {
        S^(0)[i] = S^(0)[i - 1] + 0x9e3779b9                                     (2)
    }
    A[0] = B[0] = i = 0
    for s = 1 to 132 do {
        u = floor((s - 1) / 44)
        A[s] = S^(u+1)[i] = (S^(u)[i] + A[s - 1] + B[s - 1]) <<< 3                (3)
        B[s] = L^(u+1)[i] = (L^(u)[i] + A[s] + B[s - 1]) <<< (A[s] + B[s - 1])     (4)
        i = (i + 1) mod 44
    }

Note that the addition of Eqs. (2)-(4) is done modulo $2^{32}$, and "x <<< y" (written $x \lll y$ in the equations below) means rotating $x$ to the left by the amount given by the least significant 5 bits of $y$. Since the length of a user supplied key is equal to that of the round key set, $L^{(u)}[i]$ and $S^{(u)}[i]$ are renewed at the same time. Moreover, both $L[0, \ldots, 43]$ and $S[0, \ldots, 43]$ are renewed three times.

    3. Equivalent Keys of RC6-32/20/176

    3.1 Definition and Background

The key schedule of RC6 is a method for transforming a $t$-bit string (user supplied key) into a bit string of constant length (set of round keys), where $0 \le t \le 2047$. When $t > 1408$, it is trivial that different user supplied keys can be mapped to the same set of round keys. In addition, even if $t \le 1408$, it is not proved that the key schedule of RC6 is a one-to-one mapping.

Definition 1: Let $L_1$ and $L_2$ be different user supplied keys. We call $L_1$ and $L_2$ equivalent keys if the set of round keys produced from $L_1$ is equal to the set of round keys produced from $L_2$.


From this definition, if $L_1$ and $L_2$ are equivalent keys, then Eqs. (5), (6) hold for any message $M$ and any ciphertext $C$.

$E(L_1, M) = E(L_2, M)$ (5)

$D(L_1, C) = D(L_2, C),$ (6)

where $E$ is an encryption function and $D$ is a decryption function.

The key schedule of RC6-32/20/176 is considered as a mapping from the space of 1408-bit user supplied keys to the space of 1408-bit sets of round keys. Suppose that the key schedule of RC6-32/20/176 is an ideal random mapping. Then, let us consider the number of equivalent keys for one user supplied key. The probability $P(f + 1)$ that a set of round keys has just $f + 1$ preimages, which are user supplied keys, is

$P(f + 1) = \frac{1}{e \cdot f!},$

where $e$ is the base of the natural logarithm function. Thus the average number $N$ of equivalent keys for a set of round keys is

$N = \sum_{f=0}^{2^{1408} - 1} (f + 1) P(f + 1).$

Roughly speaking, even if the key schedule of RC6-32/20/176 is an ideal random mapping, the essential space of round key sets is about the 1407-bit space, which is half of the apparent size. Needless to say, the exhaustive search on the 1407-bit space is infeasible. However, this analysis allows us to guess that the key schedule of RC6-32/20/176 is not a one-to-one mapping on the 1408-bit space, and a collision can occur in the Davies-Meyer hash function based on RC6-32/20/176.

    3.2 Idea of the Proposed Method

In the following description of the paper, addition, subtraction, and multiplication are computed modulo $2^{32}$.

Let $L_1$ and $L_2$ be two user supplied keys as follows.

$L_1 = L_1^{(0)}[0, \ldots, 43], \quad L_2 = L_2^{(0)}[0, \ldots, 43]$

The differentials between the two user supplied keys are denoted by

$\Delta L^{(u)}[i] = L_2^{(u)}[i] - L_1^{(u)}[i], \quad u = 0, 1, 2, 3, \; i = 0, 1, \ldots, 43.$

Similarly, the differentials between the two round keys are denoted by

$\Delta S^{(u)}[i] = S_2^{(u)}[i] - S_1^{(u)}[i], \quad u = 0, 1, 2, 3, \; i = 0, 1, \ldots, 43.$

In this paper, we consider how to find the following form of equivalent keys $L_1$, $L_2$.

$\Delta L^{(0)}[i] \begin{cases} \neq 0 & i = 0, 1, 2, 42, 43, \\ = 0 & \text{otherwise.} \end{cases}$ (7)

Notice that this form is not a necessary condition for equivalent keys, and besides it is not a sufficient condition. The reason that we choose this form is that it is possible to limit the effects of $\Delta L^{(0)}[i]$ ($i = 0, 1, 2, 42, 43$) on the other variables, as explained below.

Figure 1 shows the idea of our method. In this figure, $s$ is the step number in the key schedule, $L^{(u)}[i]$ is the variable of Eq. (4), $A[s]$ and $B[s]$ are the variables of Eq. (3) and Eq. (4) respectively, and the steps with no differential are omitted.

First, $B[1]$ of $L_1$ is different from $B[1]$ of $L_2$ because of $\Delta L^{(0)}[0]$, which is indicated by mark (*1). This differential also influences $A[2]$ and $B[2]$, as marked (*2)(*3). Similarly, the influences of $\Delta L^{(0)}[1]$ and $\Delta L^{(0)}[2]$ are shown in Fig. 1. However, if $\Delta L^{(0)}[0]$, $\Delta L^{(0)}[1]$, and $\Delta L^{(0)}[2]$ are chosen adequately, then it is possible that $A[3]$ of $L_1$ is equal to $A[3]$ of $L_2$ and $B[3]$ of $L_1$ is equal to $B[3]$ of $L_2$, as marked (*4)(*5). Then, for $s = 4, 5, \ldots, 42$, there is no differential. For $s = 43, 44, 45, 46$, $s = 87, 88, 89$, and $s = 131, 132$, the same idea is applied. If there is no differential on $A[s]$ for $s = 89, 90, \ldots, 132$, then $L_1$ and $L_2$ are equivalent keys.

Fig. 1 Outline of the proposed method. [Figure not reproduced: for the steps $s = 2, 3, 43, 44, 45, 46, 87, 88, 89, 131, 132$ it marks whether $A[s]$ and $B[s]$ carry a differential, with the legend "the effect of differential", "differential", and "no differential".]

    3.3 Description of the Proposed Method

We denote by LSBV($x$) the number given by the least significant five bits of $x$.

From the discussion in the previous subsection, we observe that $L_1$ and $L_2$ are equivalent keys if the following system of equations holds.

$\Delta S^{(1)}[2] = 0$ (8)

$\Delta L^{(1)}[2] = 0$ (9)

$\Delta S^{(2)}[0] = 0$ (10)

$\Delta S^{(2)}[1] = 0$ (11)

$\Delta L^{(2)}[1] = 0$ (12)

$\Delta S^{(3)}[0] = 0$ (13)

$\Delta L^{(3)}[0] = 0$ (14)

$\Delta S^{(3)}[43] = 0$ (15)

The objective of this section is to transform the above system of equations into a system of equations represented by $\Delta L^{(0)}[i]$, which are differentials between the two user supplied keys.

In the following discussion, the operator "$\lll$" is given priority over other arithmetic operators. We should note that although the order of "$\lll$" and other arithmetic operators is not commutative, the computed result is sometimes unchanged even if the operation order is exchanged. The commutativity of "$\lll$" and subtraction is examined in Sect. 3.4.

First, since Eq. (8) means $S_2^{(1)}[2] - S_1^{(1)}[2] = 0$, by using Eq. (3) we have

$(S_2^{(0)}[2] + S_2^{(1)}[1] + L_2^{(1)}[1]) \lll 3 - (S_1^{(0)}[2] + S_1^{(1)}[1] + L_1^{(1)}[1]) \lll 3 = 0.$

Accordingly, Eq. (8) is equivalent to the following equation because $S_2^{(0)}[2] = S_1^{(0)}[2]$.


Next, we obtain the following equation from Eq. (9).

$(L_2^{(0)}[2] + S_2^{(1)}[2] + L_2^{(1)}[1]) \lll (S_2^{(1)}[2] + L_2^{(1)}[1]) - (L_1^{(0)}[2] + S_1^{(1)}[2] + L_1^{(1)}[1]) \lll (S_1^{(1)}[2] + L_1^{(1)}[1]) = 0$

Assume that LSBV($L_2^{(1)}[1]$) is equal to LSBV($L_1^{(1)}[1]$). We can consider that this assumption holds with probability $2^{-5}$. Then, the following equation is obtained because of Eq. (8).

$\Delta L^{(0)}[2] + \Delta L^{(1)}[1] = 0$

In a similar way, we transform the rest of the equations. Consequently, we obtain the following system of equations. Notice that Eq. (17), Eq. (20), and Eq. (22) require the above assumption on the least significant five bits. In other words, the system of equations from Eq. (8) to Eq. (15) holds with probability $2^{-15}$ when the following equations hold.

$\Delta S^{(1)}[1] + \Delta L^{(1)}[1] = 0$ (16)

$\Delta L^{(0)}[2] + \Delta L^{(1)}[1] = 0$ (17)

$\Delta S^{(1)}[43] + \Delta L^{(1)}[43] = 0$ (18)

$\Delta S^{(1)}[1] + \Delta L^{(2)}[0] = 0$ (19)

$\Delta L^{(1)}[1] + \Delta L^{(2)}[0] = 0$ (20)

$\Delta S^{(2)}[43] + \Delta L^{(2)}[43] = 0$ (21)

$\Delta L^{(2)}[0] + \Delta L^{(2)}[43] = 0$ (22)

$\Delta S^{(2)}[43] + \Delta L^{(3)}[42] = 0$ (23)

In order to represent the above equations by $\Delta L^{(0)}[i]$, we continue to rewrite the equations.

From Eqs. (16), (19), (20), we have

$2 \cdot \Delta S^{(1)}[1] = 0.$ (24)

Namely, $\Delta S^{(1)}[1] = \mathtt{0x00000000}$ or $\mathtt{0x80000000}$. As shown in Fig. 1, we expect that $\Delta S^{(1)}[1] \neq 0$. Accordingly,

$\Delta S^{(1)}[1] = \mathtt{0x80000000}.$ (25)

Using Eq. (3),

$\Delta S^{(1)}[1] = (S_2^{(0)}[1] + S_2^{(1)}[0] + L_2^{(1)}[0]) \lll 3 - (S_1^{(0)}[1] + S_1^{(1)}[0] + L_1^{(1)}[0]) \lll 3.$

Since $S_2^{(0)}[1] = S_1^{(0)}[1]$ and $S_2^{(1)}[0] = S_1^{(1)}[0]$, if Eq. (26) holds, then the above equation holds with probability $2^{-1}$. This probability is derived under the assumption that $L_1^{(1)}[0]$ is uniformly distributed from 0 to $2^{32} - 1$ at random.

$\Delta S^{(1)}[1] = \Delta L^{(1)}[0] \lll 3.$ (26)

From Eqs. (4), (25), Eq. (26) is transformed into

$((L_2^{(0)}[0] + S_2^{(1)}[0]) \lll 29 - (L_1^{(0)}[0] + S_1^{(1)}[0]) \lll 29) \lll 3 = \mathtt{0x80000000},$

where LSBV($S^{(1)}[0]$) is 29. Since $S_2^{(1)}[0] = S_1^{(1)}[0]$, if Eq. (27) holds, then the above equation holds with probability $2^{-1}$. This probability is derived under the assumption that $L_1^{(0)}[0]$ is uniformly distributed from 0 to $2^{32} - 1$ at random.

$L_2^{(0)}[0] = L_1^{(0)}[0] + \mathtt{0x80000000}.$ (27)

Hence, if Eq. (27) holds, then Eq. (24) holds with probability $2^{-2}$.

In order to obtain a condition on $\Delta L^{(0)}[1]$, let us consider $L_1^{(1)}[1]$ and $L_2^{(1)}[1]$.

$L_1^{(1)}[1] = (L_1^{(0)}[1] + S_1^{(1)}[1] + L_1^{(1)}[0]) \lll (S_1^{(1)}[1] + L_1^{(1)}[0])$ (28)

$L_2^{(1)}[1] = (L_2^{(0)}[1] + S_2^{(1)}[1] + L_2^{(1)}[0]) \lll (S_2^{(1)}[1] + L_2^{(1)}[0])$ (29)

Here, the probability that LSBV($S_1^{(1)}[1] + L_1^{(1)}[0]$) is 0 is $2^{-5}$. From Eqs. (25), (26), we obtain

$\Delta L^{(1)}[0] = \mathtt{0x10000000}.$ (30)

Hence, if LSBV($S_1^{(1)}[1] + L_1^{(1)}[0]$) is 0, then LSBV($S_2^{(1)}[1] + L_2^{(1)}[0]$) is always 0. As a result, the amount of rotation of Eq. (28) and Eq. (29) is 0 with probability $2^{-5}$. Therefore, if the following equation holds, then Eqs. (28), (29) hold with probability $2^{-5}$.

$\Delta L^{(1)}[1] = \Delta L^{(0)}[1] + \Delta S^{(1)}[1] + \Delta L^{(1)}[0].$

Here, from Eqs. (16), (25), we have

$\Delta L^{(1)}[1] = \Delta S^{(1)}[1] = \mathtt{0x80000000}.$ (31)

Accordingly, we obtain $\Delta L^{(0)}[1] = \mathtt{0xf0000000}$, that is,

$L_2^{(0)}[1] = L_1^{(0)}[1] + \mathtt{0xf0000000}.$ (32)

From Eqs. (17), (31), we obtain $\Delta L^{(0)}[2] = \mathtt{0x80000000}$, that is,

$L_2^{(0)}[2] = L_1^{(0)}[2] + \mathtt{0x80000000}.$ (33)


Let us consider a condition on $L^{(0)}[42]$. The following equation is obtained from Eqs. (20)-(23).

$\Delta L^{(1)}[1] = \Delta L^{(2)}[43] = \Delta L^{(3)}[42] = \Delta S^{(2)}[43]$

Since $\Delta L^{(1)}[1] = \mathtt{0x80000000}$, we obtain

$\Delta L^{(2)}[43] = \mathtt{0x80000000},$ (34)

$\Delta L^{(3)}[42] = \mathtt{0x80000000},$ (35)

$\Delta S^{(2)}[43] = \mathtt{0x80000000}.$ (36)

Here, $S_\ell^{(2)}[43]$ ($\ell = 1, 2$) are given as

$S_\ell^{(2)}[43] = (S_\ell^{(1)}[43] + S_\ell^{(2)}[42] + L_\ell^{(2)}[42]) \lll 3,$

where $S_2^{(2)}[42] = S_1^{(2)}[42]$. Since $\Delta S^{(2)}[42] = 0$, if Eq. (37) holds, then the above equation holds with probability $2^{-1}$. This probability is derived under the assumption that $S_1^{(1)}[43]$ and $L_1^{(2)}[42]$ are uniformly distributed from 0 to $2^{32} - 1$ at random.

$\Delta S^{(2)}[43] = (\Delta S^{(1)}[43] + \Delta L^{(2)}[42]) \lll 3.$ (37)

To simplify the discussion, let us consider that both the Hamming weight of $\Delta S^{(1)}[43]$ and that of $\Delta L^{(2)}[42]$ are 1. Therefore, from Eqs. (36), (37),

$\Delta S^{(1)}[43] = \Delta L^{(2)}[42] = \mathtt{0x08000000}.$ (38)

For $\ell = 1, 2$,

$S_\ell^{(1)}[43] = (S_\ell^{(0)}[43] + S_\ell^{(1)}[42] + L_\ell^{(1)}[42]) \lll 3,$ (39)

where $\Delta S^{(0)}[43] = 0$ and $\Delta S^{(1)}[42] = 0$. If Eq. (41) holds, then the probability that the above equation holds is given as Eq. (40). The derivation of this probability is explained in Sect. 3.4.

$\Delta S^{(1)}[43] = \Delta L^{(1)}[42] \lll 3.$ (41)

Since $\Delta S^{(1)}[43] = \mathtt{0x08000000}$, we obtain the following equation.

$\Delta L^{(1)}[42] = \mathtt{0x01000000}.$ (42)

For $\ell = 1, 2$, $L_\ell^{(1)}[42]$ are given as

$L_\ell^{(1)}[42] = (L_\ell^{(0)}[42] + S_\ell^{(1)}[42] + L_\ell^{(1)}[41]) \lll (S_\ell^{(1)}[42] + L_\ell^{(1)}[41]),$

where $\Delta S^{(1)}[42] = 0$ and $\Delta L^{(1)}[41] = 0$. Then we have

$\Delta L^{(0)}[42] = L_2^{(1)}[42] \ggg (S_2^{(1)}[42] + L_2^{(1)}[41]) - L_1^{(1)}[42] \ggg (S_1^{(1)}[42] + L_1^{(1)}[41]),$ (43)

where "$x \ggg y$" means rotating $x$ to the right by the amount given by the least significant 5 bits of $y$. Since $\Delta S^{(1)}[42] = 0$ and $\Delta L^{(1)}[41] = 0$, we note that LSBV($S_2^{(1)}[42] + L_2^{(1)}[41]$) = LSBV($S_1^{(1)}[42] + L_1^{(1)}[41]$) holds. As a result, if Eq. (45) holds, then the probability that the above equation holds is given as

$0.96.$ (44)

The derivation of this probability is explained in Sect. 3.4.

$\Delta L^{(0)}[42] = \Delta L^{(1)}[42] \ggg (S_1^{(1)}[42] + L_1^{(1)}[41]),$ (45)

that is,

$\Delta L^{(0)}[42] = \mathtt{0x01000000} \ggg (S_1^{(1)}[42] + L_1^{(1)}[41]).$

Accordingly, we obtain

$L_2^{(0)}[42] = L_1^{(0)}[42] + \mathtt{0x01000000} \ggg (S_1^{(1)}[42] + L_1^{(1)}[41]).$ (46)

From Eqs. (18), (38), we have the following equation.

$\Delta L^{(1)}[43] = \mathtt{0xf8000000}$ (47)

For $\ell = 1, 2$, $L_\ell^{(1)}[43]$ is computed as follows.

$L_\ell^{(1)}[43] = (L_\ell^{(0)}[43] + S_\ell^{(1)}[43] + L_\ell^{(1)}[42]) \lll (S_\ell^{(1)}[43] + L_\ell^{(1)}[42]),$

where $\Delta S^{(1)}[43] = \mathtt{0x08000000}$ and $\Delta L^{(1)}[42] = \mathtt{0x01000000}$. Then we have

$\Delta L^{(0)}[43] = L_2^{(1)}[43] \ggg (S_2^{(1)}[43] + L_2^{(1)}[42]) - L_1^{(1)}[43] \ggg (S_1^{(1)}[43] + L_1^{(1)}[42]) - \mathtt{0x09000000}.$

Since $\Delta S^{(1)}[43] = \mathtt{0x08000000}$ and $\Delta L^{(1)}[42] = \mathtt{0x01000000}$, we note that LSBV($S_2^{(1)}[43] + L_2^{(1)}[42]$) = LSBV($S_1^{(1)}[43] + L_1^{(1)}[42]$) holds. Therefore, if Eq. (48) holds, then the above equation holds with probability about 0.09, which was the value obtained by computer simulation.

$\Delta L^{(0)}[43] = \Delta L^{(1)}[43] \ggg (S_1^{(1)}[43] + L_1^{(1)}[42]) - \mathtt{0x09000000},$ (48)

that is,

$\Delta L^{(0)}[43] = \mathtt{0xf8000000} \ggg (S_1^{(1)}[43] + L_1^{(1)}[42]) - \mathtt{0x09000000}.$

Accordingly, we obtain

$L_2^{(0)}[43] = L_1^{(0)}[43] + \mathtt{0xf8000000} \ggg (S_1^{(1)}[43] + L_1^{(1)}[42]) - \mathtt{0x09000000}.$ (49)

Summarizing the discussion above, if two user supplied keys $L_1$, $L_2$ satisfy the following conditions, they may be equivalent keys. Section 3.5 shows that the probability is not negligible.

$L_2^{(0)}[0] = L_1^{(0)}[0] + \mathtt{0x80000000}$

$L_2^{(0)}[1] = L_1^{(0)}[1] + \mathtt{0xf0000000}$

$L_2^{(0)}[2] = L_1^{(0)}[2] + \mathtt{0x80000000}$

$L_2^{(0)}[42] = L_1^{(0)}[42] + \mathtt{0x01000000} \ggg (S_1^{(1)}[42] + L_1^{(1)}[41])$

$L_2^{(0)}[43] = L_1^{(0)}[43] + \mathtt{0xf8000000} \ggg (S_1^{(1)}[43] + L_1^{(1)}[42]) - \mathtt{0x09000000}$

$L_2^{(0)}[i] = L_1^{(0)}[i], \quad i \neq 0, 1, 2, 42, 43$ (50)

    3.4 Commutativity of Shift and Modular Subtraction

We define $e_i$ as $e_i = 2^{32 - i}$ ($1 \le i \le 32$), which is a 32-bit word with Hamming weight 1. Note that $i = 1$ indicates the most significant bit and $i = 32$ indicates the least significant bit. For any 32-bit word $a$ and any integer $b$ ($0 \le b \le 31$), let us consider the probability that the following equation holds.

$((a + e_i) \lll b) - (a \lll b) = e_i \lll b.$ (51)

Note that LSBV($b$) $= b$ because $0 \le b \le 31$. If $b$ is equal to 0, then Eq. (51) always holds for any $a$.

Next, let us consider the case of $1 \le b \le 31$ under the assumption that $a$ is uniformly distributed from 0 to $2^{32} - 1$ at random. In the case of $i \le b$, Eq. (51) holds in the following cases. The first case is that the $i$-th bit of $a$ is 0; then the probability is $2^{-1}$ because of the assumption on $a$. Second, if the $(i-1)$-th bit of $a$ is 0 and the $i$-th bit of $a$ is 1, then there is no carry in the $(i-1)$-th bit of $a$. This probability is $2^{-2}$. The third case is that the $(i-2)$-th bit of $a$ is 0 and the $(i-1)$-th and the $i$-th bits of $a$ are 1; then the probability is $2^{-3}$. In a similar way, we continue to the $i$-th case, i.e., the final case, that the most significant bit of $a$ is 0; then the probability is $2^{-i}$. Accordingly, we can obtain the probability that Eq. (51) holds as

$\sum_{t=1}^{i} \frac{1}{2^t} = 1 - \frac{1}{2^i}, \quad i \le b.$ (52)

In the case of $i > b$, the probability that Eq. (51) holds is derived in a similar way. However, if a carry occurs in the $(b+1)$-th bit of $a$, then Eq. (51) does not hold since $a$ is rotated by the amount $b$. Therefore, Eq. (51) holds in the following cases. The first case is that the $i$-th bit of $a$ is 0; then the probability is $2^{-1}$. The second case is that the $(i-1)$-th bit of $a$ is 0 and the $i$-th bit of $a$ is 1; then the probability is $2^{-2}$. Similarly, we continue to the $(i-b)$-th case that the $(b+1)$-th bit of $a$ is 0; then the probability is $2^{-(i-b)}$. As a result, the probability that Eq. (51) holds is computed as

$\sum_{t=1}^{i-b} \frac{1}{2^t} = 1 - \frac{1}{2^{i-b}}, \quad i > b.$ (53)

Here, we explain the derivation of Eq. (40). From Eqs. (38), (39), (41), we compute the probability that the following equation holds.

$(S_2^{(0)}[43] + S_2^{(1)}[42] + L_2^{(1)}[42]) \lll 3 - (S_1^{(0)}[43] + S_1^{(1)}[42] + L_1^{(1)}[42]) \lll 3 = \mathtt{0x08000000},$

that is,

$(S_1^{(0)}[43] + S_1^{(1)}[42] + L_1^{(1)}[42] + e_8) \lll 3 - (S_1^{(0)}[43] + S_1^{(1)}[42] + L_1^{(1)}[42]) \lll 3 = e_8 \lll 3.$

Therefore, by setting $a = S_1^{(0)}[43] + S_1^{(1)}[42] + L_1^{(1)}[42]$, $b = 3$ and $i = 8$ in Eq. (51), the probability of Eq. (40) is computed from Eq. (53).

From Eqs. (52), (53), when the differential $e_i$ is fixed and the rotation amount $b$ is uniformly distributed from 0 to 31, the probability prob($i$) that Eq. (51) holds is given as follows.

$\mathrm{prob}(i) = \frac{1}{32}\left(1 + \sum_{b=1}^{i-1}\left(1 - \frac{1}{2^{i-b}}\right) + \sum_{b=i}^{31}\left(1 - \frac{1}{2^{i}}\right)\right) = \frac{1}{32}\left(\frac{1}{2^{i}}(i - 30) + 31\right)$

Now, we explain the derivation of Eq. (44). From Eqs. (42), (43), (45), we consider the case of $a = L_1^{(1)}[42]$, $\Delta L^{(1)}[42] = e_8$ and $b = \mathrm{LSBV}(S_1^{(1)}[42] + L_1^{(1)}[41])$. Then, the probability of Eq. (44) is computed as

$\mathrm{prob}(8) = 0.96.$
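As an added example (not code from the paper), the carry analysis of Sect. 3.4 can be checked by direct enumeration: the reasoning behind Eqs. (52) and (53) depends only on the bits between the differential position and the rotation boundary, so the same formulas hold for any word width w, and the code verifies them exhaustively for w = 8 bits before evaluating Eq. (53) at the parameters of Eq. (40) (i = 8, b = 3) and prob(i) of Eq. (44) for w = 32. The function names are mine.

```python
from fractions import Fraction


def rotl(x: int, b: int, w: int = 32) -> int:
    """Rotate the w-bit word x to the left by b positions ("x <<< b")."""
    mask = (1 << w) - 1
    b %= w
    x &= mask
    if b == 0:
        return x
    return ((x << b) | (x >> (w - b))) & mask


def e(i: int, w: int = 32) -> int:
    """e_i = 2^(w - i): the weight-1 word whose set bit is the i-th from the MSB."""
    return 1 << (w - i)


def eq51_holds(a: int, i: int, b: int, w: int = 32) -> bool:
    """Does ((a + e_i) <<< b) - (a <<< b) equal e_i <<< b for this a (Eq. (51))?"""
    mask = (1 << w) - 1
    lhs = (rotl(a + e(i, w), b, w) - rotl(a, b, w)) & mask
    return lhs == rotl(e(i, w), b, w)


def prob_formula(i: int, b: int) -> Fraction:
    """Probability of Eq. (51) over uniform a: 1 for b = 0 (rotation is the
    identity), Eq. (52) for i <= b, Eq. (53) for i > b."""
    if b == 0:
        return Fraction(1)
    if i <= b:
        return 1 - Fraction(1, 2 ** i)            # Eq. (52)
    return 1 - Fraction(1, 2 ** (i - b))          # Eq. (53)


def prob_exhaustive(i: int, b: int, w: int) -> Fraction:
    """Exact probability for w-bit words, obtained by trying every a."""
    hits = sum(eq51_holds(a, i, b, w) for a in range(1 << w))
    return Fraction(hits, 1 << w)


def formulas_match(w: int) -> bool:
    """Eqs. (52), (53) against enumeration for every 1 <= i <= w, 0 <= b < w."""
    return all(prob_exhaustive(i, b, w) == prob_formula(i, b)
               for i in range(1, w + 1) for b in range(w))


def prob_avg(i: int) -> Fraction:
    """prob(i) of Sect. 3.4: Eq. (51) with w = 32 and b uniform on 0..31,
    as the average of prob_formula, checked against the paper's closed form."""
    by_sum = sum(prob_formula(i, b) for b in range(32)) / 32
    closed = (Fraction(i - 30, 2 ** i) + 31) / 32
    assert by_sum == closed
    return closed


if __name__ == "__main__":
    print("w = 8: Eqs. (52),(53) match enumeration:", formulas_match(8))
    print("Eq. (40), i = 8, b = 3:", prob_formula(8, 3))
    print("Eq. (44): prob(8) = %.4f" % float(prob_avg(8)))
```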

    3.5 Simulation Result

As the result of our computer simulation, we succeeded in finding 85 pairs when $L_1$ and $L_2$ were randomly chosen $21 \times 2^{32}$ pairs satisfying Eq. (50). Therefore, the experimental complexity of finding equivalent keys among pairs satisfying Eq. (50) is about $2^{30}$. Also, it takes about 100 minutes to find a pair of equivalent keys by using a personal computer (Athlon 950 MHz).

The following equivalent keys $L_1$ and $L_2$ are one of the examples found by our computer simulation. First, a user supplied key $L_1$ is given as follows.

L1[0] = 0x98b81186, L1[1] = 0xbcfbcfad, L1[2] = 0xf807cb58,
L1[i] = 0x00000000, i = 3, 4, ..., 43.

Then the values of another user supplied key L2 are different from L1 for i = 0, 1, 2, 42, 43, as shown below.

L2[0] = 0x18b81186, L2[1] = 0xacfbcfad, L2[2] = 0x7807cb58,
L2[42] = 0x00008000, L2[43] = 0xf701f000.
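The key schedule of Sect. 2 applied to this pair, as an added example that is not the authors' code: it implements Eqs. (2)-(4) for 44 key words and checks that L1 and L2 are equivalent keys in the sense of Definition 1, and that their non-zero differentials are exactly the positions of the form (7). The names rc6_key_schedule, word_differentials, are_equivalent_keys and perturbed_key are mine, and the key is taken as 44 words directly, skipping the byte loading of the RC6 specification.

```python
from __future__ import annotations

MASK32 = 0xFFFFFFFF
P32 = 0xB7E15163   # S[0] of Eq. (2)
Q32 = 0x9E3779B9   # additive constant of Eq. (2)


def rotl32(x: int, y: int) -> int:
    """Rotate x to the left by the least significant 5 bits of y ("x <<< y")."""
    n = y & 31
    x &= MASK32
    if n == 0:
        return x
    return ((x << n) | (x >> (32 - n))) & MASK32


def rc6_key_schedule(L: list[int], r: int = 20) -> list[int]:
    """RC6 key schedule for w = 32: c user-key words -> 2r + 4 round keys.

    For c = 44 and r = 20 this is exactly the procedure of Sect. 2: Eq. (2)
    initialises S, then 132 = 3 * max(c, 2r + 4) steps apply Eqs. (3), (4),
    so L and S are each rewritten three times.
    """
    c = len(L)
    t = 2 * r + 4                                     # 44 round keys for r = 20
    S = [P32] + [0] * (t - 1)
    for i in range(1, t):
        S[i] = (S[i - 1] + Q32) & MASK32              # Eq. (2)
    L = [x & MASK32 for x in L]                       # copy: L is rewritten in place
    A = B = i = j = 0
    for _ in range(3 * max(c, t)):
        A = S[i] = rotl32(S[i] + A + B, 3)            # Eq. (3)
        B = L[j] = rotl32(L[j] + A + B, A + B)        # Eq. (4)
        i = (i + 1) % t
        j = (j + 1) % c
    return S


def word_differentials(L1: list[int], L2: list[int]) -> dict[int, int]:
    """Non-zero differentials L2[i] - L1[i] mod 2^32, as in Sect. 3.2."""
    return {i: (b - a) & MASK32 for i, (a, b) in enumerate(zip(L1, L2)) if a != b}


def are_equivalent_keys(L1: list[int], L2: list[int]) -> bool:
    """Definition 1: different user keys that yield the same set of round keys."""
    return L1 != L2 and rc6_key_schedule(L1) == rc6_key_schedule(L2)


def perturbed_key(L: list[int], index: int, xor_mask: int) -> list[int]:
    """Copy of L with one word changed (constructed control case: an arbitrary
    change to the key is not expected to preserve the round keys)."""
    K = list(L)
    K[index] ^= xor_mask
    return K


# The pair reported in Sect. 3.5 (values copied from the paper).
KEY_L1 = [0x98B81186, 0xBCFBCFAD, 0xF807CB58] + [0] * 41
KEY_L2 = list(KEY_L1)
KEY_L2[0], KEY_L2[1], KEY_L2[2] = 0x18B81186, 0xACFBCFAD, 0x7807CB58
KEY_L2[42], KEY_L2[43] = 0x00008000, 0xF701F000


if __name__ == "__main__":
    diffs = word_differentials(KEY_L1, KEY_L2)
    print("non-zero differentials:", {k: hex(v) for k, v in diffs.items()})
    print("equivalent keys:", are_equivalent_keys(KEY_L1, KEY_L2))
    print("S[0..3] from L1:", [hex(s) for s in rc6_key_schedule(KEY_L1)[:4]])
```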

The set of round keys generated from L1 and that generated from L2 are identical, and take the following values.

S[0] = 0x318ff4f4, S[1] = 0x6025a892, S[2] = 0x00855013, S[3] = 0xd8a5462b,
S[4] = 0xbed02683, S[5] = 0xd699c4bf, S[6] = 0xd50bb0ae, S[7] = 0x3f7a1be4,
S[8] = 0xe90cf419, S[9] = 0xe474225e, S[10] = 0x8fc99f01, S[11] = 0xb6bc2340,
S[12] = 0xc6980e06, S[13] = 0xc212c9b4, S[14] = 0xca42b5ed, S[15] = 0x5d559530,
S[16] = 0xf5e82658, S[17] = 0xbe2a56a4, S[18] = 0x6eeb1e23, S[19] = 0x58f2cc46,
S[20] = 0x4aa114fe, S[21] = 0xfb892ba3, S[22] = 0xf9bae226, S[23] = 0x2b020913,
S[24] = 0xaa223273, S[25] = 0x3a0233bf, S[26] = 0xe63cef69, S[27] = 0x5606469a,
S[28] = 0x4c3fc6e2, S[29] = 0x45728e2f, S[30] = 0xa103dfc6, S[31] = 0x15e532f7,
S[32] = 0x7d2d09e3, S[33] = 0x1e924ebf, S[34] = 0x8e0a4671, S[35] = 0xd00509b8,
S[36] = 0x59f91d34, S[37] = 0x100c80ba, S[38] = 0x67a9fa45, S[39] = 0x64cea033,
S[40] = 0xa4da29cd, S[41] = 0x8999a636, S[42] = 0x7545302c, S[43] = 0x8715e638.

4. Conclusions

In this paper, we have discussed the security of the key schedule of RC6-32/20/176, and shown a practical method for computing equivalent keys that produce the same set of round keys. While Saarinen showed a method for finding almost equivalent keys of RC6-32/20/176, we succeeded in obtaining precisely equivalent keys of RC6-32/20/176. Although almost equivalent keys can be obtained by about $2^{17}$ trials in Saarinen's method, equivalent keys can be obtained by about $2^{30}$ trials in our method. Since the time of one trial in Saarinen's method is much shorter than that in our method and the objectives of the methods are different, we cannot compare the complexity of these methods simply. In order to find a pair of equivalent keys by using our method, it takes about 100 minutes on a personal computer. Therefore, we observe that the Davies-Meyer hash function based on RC6-32/20/176 is not collision resistant. The key schedule of RC6-32/20/176 is a mapping from a 1408-bit user supplied key to a 1408-bit set of round keys. The result of this paper also means that the key schedule of RC6-32/20/176 is not a permutation on the 1408-bit space, and the space of round key sets is smaller than the 1408-bit space.

We should notice that the result of this paper is not related to the security of the AES version of RC6. Although this paper discussed the case of the 176-byte key, the key of the AES version of RC6 is 16, 24, or 32 bytes. Since our method utilizes the specification of the key schedule of RC6-32/20/176, it seems difficult to modify it into a method for the other key lengths.

    Acknowledgement

The authors are grateful to the reviewers for their careful reading of the previous manuscript and their helpful comments.

    References

[1] J. Borst, B. Preneel, and J. Vandewalle, "Linear cryptanalysis of RC5 and RC6," Fast Software Encryption FSE '99, Lecture Notes in Computer Science, vol.1636, pp.16-30, 1999.

[2] S. Contini, R.L. Rivest, M.J.B. Robshaw, R. Sidney, and Y.L. Yin, "Improved analysis of some simplified variants of RC6," Fast Software Encryption FSE '99, Lecture Notes in Computer Science, vol.1636, pp.1-15, 1999.

[3] S. Contini, R.L. Rivest, M.J.B. Robshaw, and Y.L. Yin, "The security of the RC6 block cipher," http://www.rsasecurity.com/rsalabs/aes/, 1998.

[4] Information-technology Promotion Agency, "CRYPTREC Report 2000," http://www.ipa.go.jp/security/fy12/report/cryptrec-report2k.pdf, 2001.

[5] L.R. Knudsen and W. Meier, "Correlations in RC6 with a reduced number of rounds," Fast Software Encryption FSE2000, Lecture Notes in Computer Science, vol.1978, pp.94-108, 2001.

[6] J. Nechvatal, E. Barker, L. Bassham, W. Burr, M. Dworkin, J. Foti, and E. Roback, "Report on the development of the advanced encryption standard (AES)," http://csrc.nist.gov/encryption/aes/round2/r2report.pdf, 2000.

[7] B. Preneel, R. Govaerts, and J. Vandewalle, "Hash functions based on block ciphers: A synthetic approach," Advances in Cryptology-CRYPTO'93, Lecture Notes in Computer Science, vol.773, pp.368-378, 1994.

[8] R.L. Rivest, "The RC5 encryption algorithm," The 2nd Fast Software Encryption FSE '95, Lecture Notes in Computer Science, vol.1008, pp.86-96, 1995.

[9] R.L. Rivest, M.J.B. Robshaw, R. Sidney, and Y.L. Yin, "The RC6 block cipher," http://www.rsa.com/rsalabs/aes/, 1998.

[10] M.O. Saarinen, "A note regarding the hash function use of MARS and RC6," Public Comments on AES Candidate Algorithms - Round 1, http://csrc.nist.gov/encryption/aes/round1/comments/990414-mjsarrinen.pdf, 1999.

[11] M.O. Saarinen, "Almost equivalent keys in RC6 found," Archive AES Discussion Groups, RC6 Forum, http://aes.nist.gov/aes/default.htm, 1999.

Hiroshi Mizuno received the B.E. degree from Kobe University in 2000. He is currently a student of the Graduate School of Science and Technology, Kobe University. His research interests include cryptography and information security.

Hidenori Kuwakado received the B.E., M.E. and D.E. degrees from Kobe University in 1990, 1992, and 1999 respectively. He worked for Nippon Telegraph and Telephone Corporation from 1992 to 1996. Since 1996, he has been a Research Associate in the Faculty of Engineering, Kobe University. His research interests are in cryptography and information security.

Hatsukazu Tanaka was born in Hyogo, Japan, on September 30, 1941. He received the B.E. degree from Kobe University, Kobe, Japan in 1964, the M.E. degree in 1966, and the D.E. degree in 1969, both from Osaka University, Osaka, Japan. He was appointed as a Research Associate in the Faculty of Engineering, University of Osaka Prefecture in 1969. From 1972 through 1987 he was an Associate Professor in the Department of Electrical Engineering, Kobe University. Since 1988 he has been a Professor in the Department of Electrical and Electronics Engineering, Kobe University. From 1980 through 1981 he was a member of the Communication Group of the University of Toronto, Toronto, Ontario, Canada, as a Visiting Scientist. His main work is on the basic theory of Information Engineering such as Information Theory, Coding Theory, Cryptography and Information Security, Image Processing, etc. Dr. Tanaka is a Fellow member of IEEE and a member of IACR.