next up previous
Next: Conclusions Up: Bias in the LEVIATHAN Previous: S-Box Matching Attack

Experiments

We looked for these biases on a reduced version of LEVIATHAN with \( n=16,h=16 \).

For the PRF-PRF attack, we ran over 256 distinct keys generating \( N=6291456 \) 32-bit LevPair outputs for each, and sorting them to find collisions. We count as a collision each instance where a distinct pair of inputs result in the same output; thus, where \( m>2 \) outputs have the same value, we count this as \( m(m-1)/2 \) distinct collisions. For a random function we would expect to find approximately3 \( 256(N(N-1)/2)/2^{2n}\approx 1179678 \) collisions in total across all keys, while the PRF-PRF attack would predict an expected \( 256(N(N-1)/2)/2^{2n-1}\approx 2359296 \). The experiment found 2350336 collisions; this is \( 1077.9 \) standard deviations (SDs) from the expected value in the random function model, and \( 5.83 \) SDs from the expected value in the model provided by the PRF-PRF attack. This shows that this model identifies a substantial bias in the cipher, but there is a further bias in the collision probability of roughly 0.38% yet to be accounted for.

For the S-box matching attack, we generated \( N=16777216 \) LevPair outputs for each of 256 keys, counting outputs with the \( C(x,y)=1^{32} \) property. A random function would generate an expected \( 256N/2^{16}=65536 \) such outputs, while the S-box matching attack predicts that LevPair will generate an expected \( 256N/2^{15}=131072 \) such outputs. The experiment found \( 135872 \) such outputs; this is \( 274.8 \) SDs from the expected value in the random function model, and \( 13.26 \) SDs from the expected value in the model provided by the S-box matching attack. Again, this shows that while a substantial source of bias has been identified, there is still a bias of 3.66% yet to be accounted for. Scott Fluhrer has reported finding this attack effective in experiments against the full LEVIATHAN with \( n=32,h=16 \).


Footnotes

... approximately3
The approximation \( E\left( \left\vert \left\{ \{x,y\}:f(x)=f(y)\right\} \right\vert \right) \app... ...right\vert \left( \left\vert A\right\vert -1\right) /2\left\vert B\right\vert \) for the number of collisions in a random function \( f:A\mapsto B \) is very precise where \( \left\vert B\right\vert \) is large; where we refer to the predictions of the random function model, it is the model with this approximation.
next up previous
Next: Conclusions Up: Bias in the LEVIATHAN Previous: S-Box Matching Attack
papers@paul.cluefactory.org.uk