On the Multi-output Filtering Model and Its Applications

  • Teng Wu
  • Yin Tan
  • Kalikinkar Mandal
  • Guang Gong
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10194)


In this paper, we propose a novel technique, called the multi-output filtering model, to study the non-randomness properties of cryptographic algorithms such as message authentication codes and block ciphers. A multi-output filtering model consists of a linear feedback shift register and a multi-output filtering function. Our contribution in this paper is twofold. First, we propose an attack technique under IND-CPA using the multi-output filtering model. By introducing a distinguishing function, we theoretically determine the success rate of this attack. In particular, we construct a distinguishing function based on the distribution of the linear complexity of component sequences, and apply it to TUAK's \(f_1\) algorithm, AES, KASUMI, PRESENT and PRINTcipher. We demonstrate that the success rate of the attack on KASUMI and PRESENT is non-negligible, but \(f_1\) and AES are resistant to this attack. Second, we study the distribution of the cryptographic properties of the component functions of a random primitive in the multi-output filtering model. Our experiments show some non-randomness in the distribution of the algebraic degree and nonlinearity for KASUMI.
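The model sketched in the abstract, as an added Python illustration that is not the paper's own code: an 8-stage LFSR (feedback polynomial x^8 + x^6 + x^5 + x^4 + 1, an assumption; it is primitive, so the state sequence is an m-sequence of period 255) drives a constructed 4-output filter built from a toy 4-bit S-box that stands in for the cipher under test. Each output bit, taken over successive LFSR states, is a component sequence; Berlekamp-Massey returns its linear complexity, and the distinguishing function compares that value with the exact linear-complexity law of a uniformly random sequence (the counting result in Rueppel's 1986 book, checked by brute force for small lengths). Because the toy filter has algebraic degree at most 3, Key's 1976 bound caps every component's linear complexity at C(8,1)+C(8,2)+C(8,3) = 92, far from the roughly N/2 = 120 a random 240-bit sequence shows, so all four components are flagged; with a real cipher in place of `toy_filter`, the fraction of flagged components is the kind of success rate the paper studies. `TAPS`, `SEED`, `TOY_SBOX`, `toy_filter`, `distinguish` and the 2^-10 threshold are this example's own choices, not the paper's.

```python
"""Toy multi-output filtering model with a linear-complexity distinguisher.

Added illustration, not the paper's code: LFSR -> multi-output filter ->
component sequences -> Berlekamp-Massey -> comparison with the random model.
"""
from collections import Counter
from itertools import product
import random

# Assumption: 8-stage Fibonacci LFSR, s[t+8] = s[t] ^ s[t+4] ^ s[t+5] ^ s[t+6],
# i.e. the primitive polynomial x^8 + x^6 + x^5 + x^4 + 1 (period 255).
TAPS = (0, 4, 5, 6)
SEED = (1, 0, 0, 0, 0, 0, 0, 0)

# Constructed 4-bit S-box (a permutation), standing in for a real cipher.
TOY_SBOX = (0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
            0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7)


def lfsr_states(taps, seed, count):
    """Yield `count` successive LFSR states as bit tuples (oldest bit first)."""
    state = list(seed)
    for _ in range(count):
        yield tuple(state)
        new_bit = 0
        for t in taps:
            new_bit ^= state[t]
        state = state[1:] + [new_bit]


def toy_filter(state):
    """Constructed multi-output filter F: GF(2)^8 -> GF(2)^4.

    Output 0 is deliberately linear (XOR of two state bits); outputs 1-3 are
    bits of S(hi) ^ S(lo), each of algebraic degree at most 3 in the state.
    """
    hi = (state[0] << 3) | (state[1] << 2) | (state[2] << 1) | state[3]
    lo = (state[4] << 3) | (state[5] << 2) | (state[6] << 1) | state[7]
    y = TOY_SBOX[hi] ^ TOY_SBOX[lo]
    return (state[0] ^ state[5], (y >> 1) & 1, (y >> 2) & 1, (y >> 3) & 1)


def berlekamp_massey(seq):
    """Linear complexity of a binary sequence (Massey's algorithm)."""
    n = len(seq)
    c = [1] + [0] * n        # current connection polynomial C(x)
    b = [1] + [0] * n        # C(x) before the last length change
    L, m = 0, -1
    for i in range(n):
        d = seq[i]           # discrepancy between the LFSR prediction and s_i
        for j in range(1, L + 1):
            d ^= c[j] & seq[i - j]
        if d:
            t = c[:]
            shift = i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L


def lc_distribution(n):
    """Exact law of the linear complexity L of a random n-bit sequence:
    2^min(2n-2L, 2L-1) sequences have complexity L for 1 <= L <= n and one
    (the all-zero sequence) has L = 0; counting result from Rueppel (1986)."""
    total = 2 ** n
    dist = {0: 1 / total}
    for L in range(1, n + 1):
        dist[L] = 2 ** min(2 * n - 2 * L, 2 * L - 1) / total
    return dist


def lc_histogram(n):
    """Brute-force check of lc_distribution: LC counts over all 2^n sequences."""
    return dict(Counter(berlekamp_massey(list(s)) for s in product((0, 1), repeat=n)))


def tail_probability(n, observed):
    """P(|L - n/2| >= |observed - n/2|) for a uniformly random n-bit sequence."""
    dev = abs(observed - n / 2)
    return sum(p for L, p in lc_distribution(n).items() if abs(L - n / 2) >= dev)


def component_linear_complexities(taps, seed, filt, length):
    """Run the model and return the LC of each of the m component sequences."""
    outputs = [filt(s) for s in lfsr_states(taps, seed, length)]
    return [berlekamp_massey([o[k] for o in outputs]) for k in range(len(outputs[0]))]


def distinguish(lcs, n, alpha=2 ** -10):
    """Distinguishing function: True for a component whose LC is so far from
    n/2 that a random sequence would show it with probability below alpha."""
    return [tail_probability(n, L) < alpha for L in lcs]


def control_lc(length, seed=2017):
    """LC of a constructed pseudo-random control sequence (close to length/2)."""
    rng = random.Random(seed)
    return berlekamp_massey([rng.getrandbits(1) for _ in range(length)])


if __name__ == "__main__":
    N = 240   # sample length; a random 240-bit sequence has LC close to 120
    lcs = component_linear_complexities(TAPS, SEED, toy_filter, N)
    for k, (L, flagged) in enumerate(zip(lcs, distinguish(lcs, N))):
        print(f"component {k}: LC = {L:3d}  tail prob = {tail_probability(N, L):.1e}  flagged = {flagged}")
    print(f"pseudo-random control: LC = {control_lc(N)} (expected about {N / 2})")
```

Component 0 comes out with linear complexity exactly 8 (a sum of two shifts of an m-sequence is another shift of it), components 1 to 3 stay at or below Key's bound of 92, and the pseudo-random control sits near 120; only the first two kinds are flagged by `distinguish`.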


Keywords: Randomness, Distinguishing attack, TUAK, Linear complexity



The authors would like to thank the reviewers of the C2SI-Carlet 2017 conference for their insightful comments, which improved the quality of the paper. The authors sincerely thank Reviewer 3 for pointing out an error in Corollary 1 and also for mentioning a connection between Statistical test 1 and the saturation attack.



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Teng Wu (1)
  • Yin Tan (1)
  • Kalikinkar Mandal (1)
  • Guang Gong (1)

  1. Department of Electrical and Computer Engineering, University of Waterloo, Waterloo, Canada
