请输入您要查询的百科知识:

 

词条 MULTI2
释义

  1. Cipher details

  2. History

  3. Cryptanalysis

  4. See also

  5. External links

{{Infobox block cipher
| name = MULTI2


| designers = Hitachi
| publish date = 1988
| derived from =
| derived to =
| key size = 64 bits
| block size = 64 bits
| structure = Feistel network
| rounds = Variable
| cryptanalysis =
}}

MULTI2 is a block cipher, developed by Hitachi in 1988. Designed for general-purpose cryptography, its current use is encryption of high-definition television broadcasts in Japan.

Cipher details

MULTI2 is a symmetric key algorithm with variable number of rounds. It has a block size of 64 bits, and a key size of 64 bits. A 256-bit implementation-dependent substitution box constant is used during key schedule. Scramble and descramble is done by repeating four basic functions (involutions).

History

  • 1988 MULTI2 patent applied by Hitachi, Ltd on April 28
  • 1989 Algorithm announced to DPS-SIG Information Processing Society of Japan
  • 1991 Patent number 4982429 granted for MULTI2 algorithm in United States
  • 1994 Algorithm registered with ISO/IEC 9979 and assigned registration number 9
  • 1995 MULTI2 adopted as standard cipher for CS-Digital broadcasting in Japan
  • 1998 Japanese Patent number 2760799 granted for MULTI2 algorithm

Cryptanalysis

There are a large class of equivalent keys in the Multi2 block cipher. The largest class (so far found) stems from the fact that the Pi3 round function in the key schedule is not bijective. For example, with the following 40-byte input key to the key schedule:

45 ec 86 d8 b6 5e 24 d5 38 fe 1d 90 ce fc a4 22 3e 39 1b e3 da 03 0f cb 9c 9e d7 c6 1c e4 73 61 d0 fa 39 86 58 5d 5b 90 

You can perform the following single byte modifications (modification here means XOR against the original key byte):

Can mod byte 5 with CFCan mod byte 7 with 77Can mod byte 20 with 9ACan mod byte 20 with A9Can mod byte 20 with D7Can mod byte 21 with 35Can mod byte 21 with 6ACan mod byte 21 with 9FCan mod byte 21 with CCCan mod byte 22 with 4DCan mod byte 22 with 7ACan mod byte 22 with A7Can mod byte 23 with 53Can mod byte 23 with AE

In this case there are 15 different keys which will schedule to the same 8 32-bit round keys for the ciphers bulk encryption path. The keys are all different in the first keyword used in the Pi3 round function (keys k[1] and k[5]). The collision occurs because a single byte difference turns into a pattern like 0X0X0000 (rotated by 0, 8, 16, or 24 bits) which then expands to a variation of 0X000X00 and finally in the second last line (with the rotate by 16 and the XOR) the differences cancel out. Turning into a zero-delta.

The problem stems from the fact that the function

x = ROL(x, y) ^ x

Where ROL means rotate left by y bits, is not bijective for any value of y. There are similar problems with the Pi2 and Pi4 functions but they are seemingly harder to exploit because the rotation value is smaller.

There are other observations too, for example

x = ROL(x, 1) - x

Found in Pi3, is an identity function for 50% of the values of x (where the most significant byte is zero).

This also means it is possible to have weak keys where instead of forcing single byte differences in the key, they are in the plaintext into Pi3 produces a zero-delta output and possibly leading to a 1R differential.

See also

  • Integrated Services Digital Broadcasting

External links

  • [https://web.archive.org/web/20070926205619/http://www.isg.rhul.ac.uk/~cjm/ISO-register/0009.pdf ALGORITHM REGISTER ENTRY, registered in 1994]
{{Cryptography navbox | block}}

2 : Feistel ciphers|ISDB

随便看

 

开放百科全书收录14589846条英语、德语、日语等多语种百科知识,基本涵盖了大多数领域的百科知识,是一部内容自由、开放的电子版国际百科全书。

 

Copyright © 2023 OENC.NET All Rights Reserved
京ICP备2021023879号 更新时间:2024/11/13 15:01:55