Cryptography Reference
In-Depth Information
-
For Step 98, we want to ignore
C
98
(=
E
100
). This can be achieved by
1
B
98
=
E
98
(=
D
97
). Using the condition in Step 97, we have
⊕
D
≪
2
100
=
E
99
1
⊕
(8)
-
For Step 99, we need to ignore
D
99
(=
E
100
). This can be achieved by
B
99
=
E
99
.Thatis,
C
≪
2
100
=
E
99
.
(9)
Focusing on Eq. (7), for all possible
H
D
, we can only adjust the least significant
8bitsof
D
100
at most. The adjustment is achieved by
E
[7
−
0]
, and its value
determines the least significant 8 bits of
E
100
. From Eqs. (8) and (9), we need
to satisfy
D
≪
2
100
=
C
≪
2
⊕
100
.
1
(10)
D
100
=
(1+
D
100
)and
D
100
=
H
D
−
Rotating two bits, and substituting
1
⊕
−
D
0
−
E
[7
−
0]
and
C
100
=
H
C
−
C
0
−
E
[15
−
8]
,wehave
E
[15
−
8]
+
E
[7
−
0]
=
D
0
+1. Since we can choose an arbitrary value for
E
99
using
X
0
, the least significant 9 bits of Eq. (10) can almost always be satisfied using
E
[15
−
8]
and
E
[7
−
0]
. This condition can cancel the influence of the following
computation in
D
99[10
−
2]
(=
E
100[10
−
2]
)and
C
98[10
−
2]
(=
E
100[10
−
2]
). The
range we want to cancel is [7
C
0
−
H
C
+
H
D
−
0] in
E
100
, the shared bits we can cancel are
E
100[7
−
2]
. Thus, we choose
E
99
←
−
C
≪
2
100
, and adjust the least significant few
bits of
D
100
.
When all bits in
E
and
E
are determined, all variables in Table 10 are deter-
mined. We choose
E
and
E
to satisfy the remaining and unsatisfied condition
B
99[7
−
2]
=
E
99[7
−
2]
and
B
98[7
−
2]
=
E
98[7
−
2]
which comes from Eqs. (6) and
(8) as follows.
1. Fix
E
[15
−
8]
randomly.
2. Compute
C
E
[15
−
8]
,and
C
100
←
C
C
0
.
←
H
C
−
−
3. Compute
E
100[7
−
0]
←
(
C
≪
2
100
)
[7
−
0]
to satisfy the part of Eq. (6), and
E
100[7
−
0]
+
E
0[7
−
9]
(mod 2
8
).
4. Compute
D
E
[7
−
0]
←
←
H
D
−
E
[7
−
0]
and
D
100
←
D
−
D
0
. Compute
C
100[7
−
0]
←
D
100
)
[7
−
0]
to satisfy the part of Eq. (8).
5. Compute
C
[7
−
0]
←
(
1
⊕
C
100[7
−
0]
+
C
0[7
−
0]
(mod 2
8
)and
E
[15
−
8]
←
H
C
[7
−
0]
−
C
[7
−
0]
(mod 2
8
).
6. Choose
E
[31
−
16]
,
E
[31
−
16]
,and
E
[7
−
0]
randomly, and compute
A
,
B
,
...
,
E
. Note that some bits are already determined.
7. Compute the intermediate variables
A
j
,
B
j
,
...
,
E
j
for
j
=97
,
98
,
99
,
100,
and
A
j
,
B
j
,
...
,
E
j
for
j
=98
,
99
,
100. Note that some bits are already
determined.
8. Reversely compute the message words
X
10
,
X
4
,
X
0
,
Y
4
,and
Y
0
using Eq. (3).
We are now ready to write the detailed attack procedure.
1. Choose all message words that are not determined yet.
Search WWH ::
Custom Search