S-Box Matching Attack

The definitions of the $F$ and $G$ functions are very similar; $G$ is the same as $F$ except that it treats its inputs in the opposite order, and inverts one of them. If $G$ did not apply bitwise inversion to its first input (call this function $G'$ ), then the two functions would be related by $F\circ \textrm{Swap}=\textrm{Swap}\circ G'$ (with Swap having the obvious definition $\textrm{Swap}(x,y)=(y,x)$ ); this would mean in turn that $F(a,a)=\textrm{Swap}(G'(a,a))$ for any $a$ , and thus that $C(F(a,a))=C(G'(a,a))$ , with the result, as we shall see, that repeating pairs were visible in the output roughly twice as often as they should be. The inversion on the first input of $G$ breaks this symmetry; however, it turns out that it does not prevent a related attack.

Computation of PairCom requires 32 S-box lookups, but for each computation of the $S$ function the same 8-bit index, drawn from the least significant byte, is fed to each of the four S-boxes. Changes to the other bytes carry directly into the output of $S$ , without nonlinearity or mixing; in other words, where $\Delta x=\Delta x_{3}\vert\Delta x_{2}\vert\Delta x_{1}\vert^{n/4}$ , we find $S(x\oplus \Delta x)=S(x)\oplus \Delta x$ . We call this least significant byte the index to the S-box. If $(x,y)$ is the input to PairCom, only bytes $x_{3},x_{0}$ of $x$ are indices to S-boxes in $F$ , and only bytes $x_{2},x_{1}$ are indices in $G$ ; by inverting only these two bytes in our pair $(a,a)$ , we can avoid the symmetry-breaking effect of the inversion as far as the nonlinear components are concerned, which results in the same four S-box indices being used in both the $F$ and $G$ branches of PairCom.

**Figure 3:** S-box matching input to $C\circ \textrm {PairCom}$ . The function $F$ is on the left, $G$ on the right, and $C$ underneath; dotted lines indicate bitwise inversion (the first step of the $G$ function) and the `` $\oplus \oplus \oplus S$ '' symbol represents the function $S(x_{3}\vert x_{2}\vert x_{1}\vert x_{0})=x_{3}\oplus S_{3}(x_{0})\vert x_{2}\oplus S_{2}(x_{0})\vert x_{1}\oplus S_{1}(x_{0})\vert S_{0}(x_{0})$ .
$\resizebox*{1\textwidth}{!}{\includegraphics{stefan.epsi}}$

Figure 3 illustrates this attack. For an arbitrary $n$ -bit string $a=a_{3}\vert a_{2}\vert a_{1}\vert a_{0}$ , we define symbols for intermediate values in $F(a,a)$ :

$\begin{eqnarray*} b_{3}\vert b_{2}\vert b_{1}\vert b_{0} & = & S(a_{3}\vert a_{2... ...}\vert c_{0})\oplus (c'_{3}\vert c'_{2}\vert c'_{1}\vert c'_{0}) \end{eqnarray*}$

With these definitions, we find that $\textrm{PairCom}(a_{3}\vert\overline{a_{2}}\vert\overline{a_{1}}\vert a_{0},\... ...verline{d_{2}},\: d_{1}\vert\overline{d_{0}}\vert\overline{d_{3}}\vert d_{2})$ :

$\begin{eqnarray*} C(F(x,y)) & = & C(L(S(L(S(x)))),\; S(R(S(R(y)))))\\ & = & C(... ...& = & d_{1}\vert\overline{d_{0}}\vert\overline{d_{3}}\vert d_{2} \end{eqnarray*}$

From this it is clear that for any input of the appropriate form, one output word is the inverse of the other; or in other words, if we now XOR the two word outputs from PairCom together (which, conveniently, is the same as applying the LEVIATHAN compression function $C$ a second time), we find

$\begin{eqnarray*} C(\textrm{PairCom}(a_{3}\vert\overline{a_{2}}\vert\overline{a_... ...d_{1}\vert\overline{d_{0}}\vert\overline{d_{3}}\vert d_{2}=1^{n} \end{eqnarray*}$

Since we model LevAbove as a random function we conclude that inputs to PairCom have probability $2^{-n}$ of matching this form in the normal calculation of LevPair. Where inputs do not match this form, we assume that PairCom behaves as a random function and therefore that for random $(x,y)$ not matching this form, $\textrm{Pr}\left( C(\textrm{PairCom}(x,y))=1^{n}\right) =2^{-n}$ ; this assumption is borne out by experiment. From this we conclude that LevPair is twice as likely as a random function to produce an output $(x_{0},x_{1})$ such that $C(x_{0},x_{1})=1^{n}$

$\begin{displaymath} \textrm{Pr}\left( C(\textrm{LevPair}(t\vert z))=1^{n}\right) =2^{-n}+(1-2^{-n})2^{-n}\approx 2^{1-n}\end{displaymath}$

For $n=32$ , a test for the presence of this bias should therefore take on the order of $2^{33}$ samples of LevPair, ie $2^{36}$ bytes, as for the previous attack.