Numerical Application

SQUASH with no truncation is trivially broken if we can factor the modulus N, so it should be at least 1 024 bits long. As an example, for r = = 1 024 we can take d = 14, so roughly $2^d \approx 16\,000$ chosen challenges. We obtain at most $\frac{r(r+1)}{2 \cdot 2^d} \approx 32$ unknowns per equation on average. We can then use a claw search algorithm that works with $2^{16}$ numbers in memory and $2^{16}$ iterations to recover 32 bits of the key for each equation.

5.5 Handling Window Truncation

In what follows, we let S denote the output from the Rabin function. We further recall Equation ( . ) that describes window truncation in SQUASH:

$$T(x) = \frac{x \bmod 2^b}{2^a}.$$

It is clear that when S is available to the adversary, the analysis from the previous sections can be applied. Hence, we assume that the adversary only sees the final output of SQUASH, i.e., he can query a MAC oracle to get the MAC of a chosen message.

Releasing a small part of the output of the Rabin function makes its inversion seemingly harder: it is not clear how, even by knowing the factorization, an adversary can reconstruct the missing bits. Consequently, this version of SQUASH was proposed with a very small modulus whose factorization could be easily computed (recall that the concrete proposal of SQUASH was to use $N = 2^{128} - 1$).

Handling the Truncation of the Combination of Many Integers

Compared with the previous situation, we can no longer combine the MAC values of the M(x) but only their extractions T(M(x)). Unfortunately, the extraction of a combination of such integers does not coincide with the combination of the extractions because carries may propagate. However, when we sum a relatively small number of integers the overlap remains limited, so that we can list all possible values. Indeed, for any $e_1, \ldots, e_q \in \mathbb{Z}_N$ we have

$$e_i \bmod 2^b = 2^a\, T(e_i) + {}_i$$

for an integer ${}_i \in [\![0, 2^a - 1]\!]$. Summing over all the $e_i$'s yields

$$\Big(\sum_{i=1}^q e_i \bmod N\Big) \bmod 2^b = \Big(\sum_{i=1}^q e_i - {}N\Big) \bmod 2^b = \Big(2^a \sum_{i=1}^q T(e_i) + \sum_{i=1}^q {}_i - {}N\Big) \bmod 2^b$$

for an integer ${} \in [\![0, q-1]\!]$. If we let ${} = T\big(\sum_{i=1}^q {}_i\big) \in [\![0, q-1]\!]$, we finally obtain

$$T\Big(\sum_{i=1}^q e_i \bmod N\Big) = \sum_{i=1}^q T(e_i) + T(-{}N) + {} \pmod{2^{b-a}} \qquad (\,.\,)$$

Although we do not know the values of and when the complete $e_i$ values are not revealed, it is still possible from Equation ( . ) to recover them. In fact, there are only $q^2$ possible pairs, while the right-hand side, like the first term of the left-hand side, can take $2^{b-a}$ different values. By construction, we are ensured that the correct pair ( ; ) is unique. The other ones can be considered to be random. So, as long as $2 \cdot 2^{b-a} \;\; q^2$, we can build a table of all possible values of $T(-{}N) + {}$ to single out the correct assignment for and with probability 1/2.

We note that the result above holds when we consider the alternate sum of the $e_i$'s. In other words, we can show that, for $v_1, \ldots, v_q \in \{-1, 1\}$ such that $\sum_{i=1}^q v_i = 0$, we have

$$T\Big(\sum_{i=1}^q v_i e_i \bmod N\Big) = \sum_{i=1}^q \big(v_i\, T(e_i)\big) + T(-{}N) + {} \pmod{2^{b-a}} \qquad (\,.\,)$$

where ${} \in [\![1 - q/2,\; q/2]\!]$ and ${} \in [\![1 - q/2,\; 1 + q/2]\!]$.

The Mersenne Case. We further notice that when N is a Mersenne number, we readily have $-N \equiv 1 \pmod{2^b}$. Hence, we have the simplification

 

$$\Big(\sum_{i=1}^q e_i \bmod 2^{{}} - 1\Big) \bmod 2^b = \Big(\sum_{i=1}^q e_i + {}\Big) \bmod 2^b$$

for an integer ${} \in [\![0, q-1]\!]$. Then, we can write

$$T\Big(\sum_{i=1}^q e_i \bmod 2^{{}} - 1\Big) = \sum_{i=1}^q T(e_i) + T({}) + {} \pmod{2^{b-a}} \qquad (\,.\,)$$

The nice property of this expression is that if $q \le 2^a$ then we always have $T({}) = 0$. In this case, the right-hand side of the equation can only take q values. In the other case, $T({})$ is an integer of $\frac{q}{2^a}$ bits. It can be integrated into $T(-{}N) + {}$ in the other cases: all $T(-{}N) + {}$ values are numbers in the $[\![0,\; 2^d + 2^{d-a} - 1]\!]$ range. Consequently, assuming that $q \le 2^a$, Equation ( . ) further simplifies to

$$T\Big(\sum_{i=1}^q e_i \bmod 2^{{}} - 1\Big) = \sum_{i=1}^q T(e_i) + {} \pmod{2^{b-a}} \qquad (\,.\,)$$

This result can also be generalized to the case of a combination of additions and subtractions of truncated values. Starting from Equation ( . ), we note that if $q < 2^a$ then the expression $T(-{}N)$ simplifies to either 0, when is positive or equal to 0, or $2^{b-a} - 1$, when is negative. Hence, the sum $T(-{}N) + {}$ ranges in the interval $[\![-q/2,\; q/2]\!]$ instead of $[\![-q,\; q]\!]$ for the general case.
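The carry identity above (Equation ( . ) for a sum of q residues) and its Mersenne special case, checked numerically. This is an added example, not code from the paper: the window $T(x) = (x \bmod 2^b)/2^a$ is the page's definition, the parameters $N = 2^{128}-1$, $a = 48$, $b = 80$ are the ones the page attributes to Shamir, and the second modulus is constructed. The names alpha (how many times N is subtracted when the sum is reduced) and gamma (the carry from the low a bits into the window) are mine, since the paper's Greek symbols did not survive extraction; my own derivation bounds gamma by $[0, q]$ rather than the page's $[0, q-1]$ because it also absorbs the low bits of $-\alpha N$.

```python
"""Carry behaviour of the window extraction T(x) = (x mod 2^b) >> a on a
modular sum, as used for SQUASH's truncated output.

Added example, not code from the paper. 'alpha' and 'gamma' are my names for
the two lost Greek-letter integers: alpha counts how many times N is
subtracted when reducing the sum, gamma is the carry from the low a bits into
the window."""
import random


def T(x, a, b):
    """Bits a..b-1 of x: the r = b - a bit window the truncated MAC releases."""
    return (x % (1 << b)) >> a


def window_of_sum(es, N, a, b):
    """T(sum e_i mod N) together with alpha = number of N's subtracted.
    Every e_i lies in [0, N), so alpha is in [0, q-1]."""
    total = sum(es)
    return T(total % N, a, b), total // N


def carry_residual(es, N, a, b):
    """Return (gamma, alpha) with
        T(sum e_i mod N) == sum T(e_i) + T(-alpha*N) + gamma  (mod 2^(b-a)).
    The low a bits of the q summands and of -alpha*N add up to less than
    (q+1)*2^a, so the carry gamma into the window lies in [0, q] (my bound;
    the paper splits its own carry term slightly differently)."""
    t_sum, alpha = window_of_sum(es, N, a, b)
    partial = sum(T(e, a, b) for e in es) + T(-alpha * N, a, b)
    return (t_sum - partial) % (1 << (b - a)), alpha


def observed_pairs(q, N, a, b, trials=1000, seed=1):
    """Every (alpha, gamma) pair seen for random q-tuples of residues."""
    rng = random.Random(seed)  # constructed sample inputs, fixed seed
    seen = set()
    for _ in range(trials):
        es = [rng.randrange(N) for _ in range(q)]
        gamma, alpha = carry_residual(es, N, a, b)
        seen.add((alpha, gamma))
    return seen


def pairs_in_bounds(q, N, a, b, **kw):
    """True when every observed alpha is in [0, q-1] and gamma in [0, q]."""
    return all(0 <= al < q and 0 <= ga <= q
               for al, ga in observed_pairs(q, N, a, b, **kw))


def correction_table(q, N, a, b):
    """All values (T(-alpha*N) + gamma) mod 2^(b-a) can take: at most
    q*(q+1) entries. This is the small list of 'all possible values' the
    text refers to, i.e. why truncation alone does not hide the sum of the
    windows. For a Mersenne N with b below its bit length, -N is 1 modulo
    2^b, so T(-alpha*N) = T(alpha) = 0 and only q+1 entries remain."""
    m = 1 << (b - a)
    return {(T(-alpha * N, a, b) + gamma) % m
            for alpha in range(q) for gamma in range(q + 1)}


# Parameters from the page (Shamir's proposal): Mersenne modulus and window.
N_MERSENNE = (1 << 128) - 1
A, B = 48, 80
# A constructed non-Mersenne modulus of similar size for comparison.
N_GENERIC = (1 << 127) + 0x1234567


if __name__ == "__main__":
    for name, N in (("Mersenne", N_MERSENNE), ("generic", N_GENERIC)):
        table = correction_table(16, N, A, B)
        print(name, "in bounds:", pairs_in_bounds(16, N, A, B),
              "table size:", len(table))
```

With q = 16 the Mersenne table has exactly 17 entries (the page's $2^d + 1$ with $d = 4$), while the constructed generic modulus gives 18, still far below the $2^{32}$ values an r = 32 bit window could take; that gap is what lets the windowed sums be compared at all.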

 

 

 

 

 

Adapting the Attack on SQUASH-

Equations ( . ) and ( . ) provide us with a means to link the bits of a combination of some integers with those of their truncations. Hence, we can almost readily adapt the analysis of Section . with $q = 2^d$.

Let us first consider the first attack of Section . . , namely the one in which the adversary sums over all the R(x)'s. We now apply the previous attack (first method) with $n = 2^d$ and the list of all d-bit vectors x, and set $e_i = S(x)$ corresponding to the challenge M(x). Recall that, under the appropriate assumptions on the messages submitted to the MAC oracle, Equation ( . ) describes the relation between the I-th key bit and the sum of the outputs from the Rabin function. Adapting the notation, this equation rewrites as

$$\hat S_I(0) = 2^{d-1}\,(2^{{}} - 1)\,\big(2^{2I} k_I\big) \pmod N.$$

On the other hand, we have

$$T(\hat S_I(0) \bmod N) = T\Big(\sum_{x \in \mathbb{Z}_2^d} R(x) \bmod N\Big) = \Big(\sum_{x \in \mathbb{Z}_2^d} T(R(x)) + T(-{}N) + {}\Big) \bmod 2^{b-a} = \big(\hat R(0) + T(-{}N) + {}\big) \bmod 2^{b-a}.$$

Hence,

$$T\big(2^{d-1}\,(2^{{}} - 1)\,\big(2^{2I} k_I\big) \bmod N\big) = \big(\hat R(0) + T(-{}N) + {}\big) \bmod 2^{b-a}.$$

 

Here, the pair ( ; ) can take up 22d values which can be ltered by the r-bit value of the

le -hand side (recall that r = b

a). Hence, the probability that there exists and such

^

 

2d

r

, so for 2d+ 1 < r

that T (SI (0)) matches the right-hand side of the equation is at most 2

 

 

it is likely that we can deduce kI .

e complexity of the attack in terms of queries remains

unchangedwhereasthecomputationalcomplexityisaugmentedbythecostofbuildingatable of values for T ( N) + .

The second method of Section . . , in which the adversary saturates the monomials of degree one, can also be adapted as follows. Keeping the same assumptions on the $M_i$'s and the vector V, Equation ( . ) rewrites as

$$\hat S(V) = 2^{I+J-1+d}\, k_I k_J \pmod N.$$

Again, we can use Equation ( . ) to yield

$$T\big(2^{I+J-1+d}\, k_I k_J\big) = \big(\hat R(V) + T(-{}N) + {}\big) \bmod 2^{b-a}. \qquad (\,.\,)$$

Thus, as long as $2d + 1 < r$, we can deduce the value of $k_I k_J$. Again, the complexity of the attack is the same as before in number of queries, with a slight time overhead for computing the table of values of $T(-{}N) + {}$.

The Mersenne case. In the case where N is a Mersenne number, we need a specific treatment. Updating the notations of Equation ( . ) under the same assumptions yields

$$\hat S_{I,J}(0) = 2^{I+J+d-1}\, k_I k_J \bmod 2^{{}} - 1.$$

Combining this last expression with Equation ( . ), we obtain

$$T(\hat S_{I,J}(0)) = \big(\hat R(0) + {}\big) \bmod 2^{b-a}$$

for some in the $[\![0, 2^{d} - 1]\!]$ range. Let $\hat S^+_{I,J}(0)$ and $\hat S^-_{I,J}(0)$ denote the value of $\hat S_{I,J}(0)$ when $k_I k_J$ is equal to $+1$ and $-1$ respectively. Note that $T(\hat S^+_{I,J}(0)) + T(\hat S^-_{I,J}(0)) = 2^{b-a} - 1$; in other words, $T(\hat S^+_{I,J}(0))$ and $T(\hat S^-_{I,J}(0))$ have all their bits inverted. Furthermore,

$$T(\hat S^+_{I,J}(0)) = T\big(2^{(I+J+d-1) \bmod {}}\big) = \begin{cases} 2^{((I+J+d-1) \bmod {}) - a} & \text{if } (I+J+d) \bmod {} \in [\![a+1,\; b]\!] \\ 0 & \text{otherwise.} \end{cases}$$

This is enough to deduce $k_I k_J$ for the (I, J) pairs such that there is no for which $T(\hat S^-_{I,J}(0))$ matches the right-hand side. Thus we can recover $k_I k_J$.

Generalization

As we proceeded in Section . , we can generalize the attack to take any combination of the MAC responses. In general, for all V there exist and such that

$$T\Bigg(\Big(\sum_{\{I,J\}:\, U_I\,{}\,U_J = V} {} \;+\; \sum_{I:\, U_I = V} (2^{{}} - 1)\, 2^{I+d-1} k_I \;+\; (2^{{}} - 1)\, 2^{2d-2}\, 1_{V=0}\Big) \bmod N\Bigg) = \big(\hat R(V) + T(-{}N) + {}\big) \bmod 2^{b-a}$$

with

$${} \in [\![0,\; 2^d]\!],\quad {} \in [\![0,\; 2^d - 1]\!] \qquad \text{if } V = 0,$$

$${} \in [\![-2^{d-1} + 1,\; 2^{d-1} - 1]\!],\quad {} \in [\![1 - 2^{d-1},\; 2^{d-1}]\!] \qquad \text{if } V \neq 0.$$

Our attack strategy can now be summarized as follows.

1. Take a value for d. Make a table of all $T(-{}N) + {}$ values. This table has less than $2^{2d}$ terms, and exactly $2^d + 1$ terms in the Mersenne case, and can be compressed by dropping the d least significant bits corresponding to the part. In the Mersenne case, it can be compressed to nothing, as numbers of the form $T(-{}N) + {}$ all lie in the interval $[\![-2^{d-1},\; 2^{d-1} - 1]\!]$ modulo $2^{b-a}$.

2. Pick d challenges at random and query all the $2^d$ combinations C(x). Get the responses R(x).

3. Compute the discrete Fourier transform $\hat R$ in $O(\ell d\, 2^d)$.

4. For each V, try all assignments of the unknowns occurring in $\hat S(V)$ and keep all those such that $T(\hat S(V) \bmod N) - \hat R(V)$ matches an entry in the table of $T(-{}N) + {}$.

Again, this attack uses $O(2^d)$ chosen challenges and has a complexity of $O\big((d + 2^{s 2^{-d}})\, 2^d\big)$, where s is the number of unknowns, i.e. $s = \frac{r(r+1)}{2}$, resp. $s = \frac{r(r-1)}{2}$ in the Mersenne case.

The remaining question is whether all wrong assignments are discarded. For a given equation, each of the $2^{s 2^{-d}}$ wrong assignments is discarded with probability $2^{2d - (b-a)}$, resp. $2^{d - (b-a)}$. Thus, if $b - a > 2d + s\,2^{-d}$, resp. $b - a > d + s\,2^{-d}$, they can all be filtered out. The minimum of the right-hand side is $2\log_2 s + 2\log_2 \frac{e \ln 2}{2}$, resp. $\log_2 s + \log_2(e \ln 2)$, and is reached by $d = \log_2 s + \log_2 \frac{\ln 2}{2}$, resp. $d = \log_2 s + \log_2 \ln 2$. By taking this respective value for d we have $O(r^2)$ chosen challenges and a complexity of $O(\ell r^2 \log r)$, and the condition becomes $b - a > 4\log_2 r + 2\log_2 \frac{e \ln 2}{2} - 2$, resp. $b - a > 2\log_2 r + \log_2(2 e \ln 2)$. If $b - a > 4\log_2 r - 2$, resp. $b - a > 2\log_2 r$, this condition is always satisfied.

The Mersenne case. Finally, the Mersenne case can be simplified further using Equation ( . ). We take $d = 2\log_2 r - \log_2 {} - 1$ and run the attack with $O(r^2/{})$ chosen challenges and complexity $O(r^2 \log r)$. Assuming that all unknowns $k_I k_J$ are sparsely spread over the $(U_I\,{}\,U_J,\; (I + J - 1 + d) \bmod {})$ pairs, $T(\hat R(V) \bmod N)$ yields $b - a - d$ useful bits with roughly one $k_I k_J$ per bit, and ends with d garbage bits coming from $T(-{}N) + {}$. So, we can directly read the bits through the window, and it works assuming that $b - a > d$, which reads $b - a > 2\log_2 r - \log_2 {} - 1$.

Application to SQUASH with Linear Mapping. We now use the parameters recommended by Shamir: ${} = 128$, $N = 2^{128} - 1$, $a = 48$, $b = 80$, and plug them into SQUASH- . Although Shamir suggested using a -bit secret key with non-linear mixing, we assume here that the mixing is of the form $f = g \circ L$ with linear L, but that g expands to $r = 128$ secret bits (possibly non-linearly). We have $s = 8\,128$ unknowns of the form $k_i k_j$. With $d = 10$ we obtain $1\,024$ vectors V, so we can expect to find unknowns in each equation. Equations are of the form

$$T(\hat S(V) \bmod N) = \big(\hat R(V) + T(-{}N) + {}\big) \bmod 2^{b-a}$$

where $(T(-{}N) + {}) \bmod 2^{b-a}$ lies in the range $[-2^9, 2^9]$, which gives a set of at most $2^{10} + 1$ values. Filtering the $2^8 - 1$ wrong assignments on the unknowns, we can expect $2^{-13}$ false accep-