Book Chapter

Single Key Recovery Attacks on 9-Round Kalyna-128/256 and Kalyna-256/512

25 Nov 2015, pp. 119-135
TL;DR: In this paper, the security bound of Kalyna-b/k was evaluated against key recovery attacks in the single key model, and new 6-round distinguishers were constructed and then used to demonstrate 9-round attacks on these variants.
Abstract: The Kalyna block cipher has recently been established as the Ukrainian encryption standard in June 2015. It was selected in a Ukrainian National Public Cryptographic Competition running from 2007 to 2010. Kalyna supports block sizes and key lengths of 128, 256 and 512 bits. Denoting variants of Kalyna as Kalyna-b/k, where b denotes the block size and k denotes the key length, the design specifies \(k \in \{b, 2b\}\). In this work, we re-evaluate the security bound of some reduced-round Kalyna variants, specifically Kalyna-128/256 and Kalyna-256/512, against key recovery attacks in the single key model. We first construct new 6-round distinguishers and then use these distinguishers to demonstrate 9-round attacks on these Kalyna variants. These attacks improve the previous best 7-round attacks on the same.


Citations
Dissertation
01 Oct 2017
TL;DR: This thesis investigates the security of some block ciphers constructed with new design strategies, and improves the previous results of the impossible differential cryptanalysis on Kiasu-BC and SKINNY.
Abstract: Block ciphers are among the most widely used symmetric-key cryptographic primitives, which are fundamental building blocks in cryptographic/security systems. Most of the public-key primitives are based on hard mathematical problems such as the integer factorization in the RSA algorithm and the discrete logarithm problem in Diffie-Hellman. Therefore, their security is mathematically proven. In contrast, symmetric-key primitives are usually not constructed based on well-defined hard mathematical problems. Hence, in order to get some assurance in their claimed security properties, they must be studied against different types of cryptanalytic techniques. Our research is dedicated to the cryptanalysis of block ciphers. In particular, throughout this thesis, we investigate the security of some block ciphers constructed with new design strategies. These new strategies include (i) employing a simple round function and modest key schedule, (ii) using another input called a tweak, in addition to the usual two inputs of a block cipher, the plaintext and the key, to instantiate different permutations for the same key (this type of block cipher is called a tweakable block cipher), (iii) employing linear and non-linear components that are energy efficient to provide low energy consumption block ciphers, (iv) employing an optimal diffusion linear transformation layer while following the AES-based construction to provide a faster diffusion rate, and (v) using rather weak but larger S-boxes in addition to simple linear transformation layers to provide provable security of ARX-based block ciphers against single characteristic differential and linear cryptanalysis. The results presented in this thesis can be summarized as follows: Initially, we analyze the security of two lightweight block ciphers, namely Khudra and Piccolo, against the Meet-in-the-Middle (MitM) attack based on the Demirci and Selçuk approach, exploiting the simple design of the key schedule and round function.
Next, we investigate the security of two tweakable block ciphers, namely Kiasu-BC and SKINNY. According to the designers, the best attack on Kiasu-BC covers 7 rounds. However, we exploited the tweak to present an 8-round attack using MitM with efficient enumeration cryptanalysis. Then, we improve the previous results of the impossible differential cryptanalysis on SKINNY, exploiting the tweakey schedule and linear transformation layer. Afterwards, we study the security of a new low energy consumption block cipher, namely Midori128, where we present the longest impossible differential distinguishers that cover 7 complete rounds. Then, we utilized 4 of these distinguishers to launch a key recovery attack against 11 rounds of Midori128 to improve the previous results on this cipher using the impossible differential cryptanalysis. Then, using the truncated differential cryptanalysis, we are able to attack 13 rounds of Midori128 utilizing a 10-round differential distinguisher. We also analyze Kuznyechik, the standard Russian Federation block cipher, against MitM with efficient enumeration cryptanalysis, where we improve the previous results on Kuznyechik, using the MitM attack with efficient enumeration, by presenting a 6-round attack. Unlike the previous attack, our attack exploits the exact values of the coefficients of the MDS transformation that is used in the cipher. Finally, we present key recovery attacks using the multidimensional zero-correlation cryptanalysis against SPARX-128, which follows the long trail design strategy to provide provable security of ARX-based block ciphers against single characteristic differential and linear cryptanalysis.

8 citations

Journal Article
TL;DR: On the basis of the conducted research, it can be concluded that the functions constructed in accordance with the developed method have high persistence indexes and exceed the known functions by these indicators.
Abstract: In this article, heuristic methods of hill climbing for cryptographic Boolean functions satisfying the required properties of balance, nonlinearity, autocorrelation, and other stability indicators are considered. A technique for estimating the computational efficiency of gradient search methods, based on the construction of selective (empirical) distribution functions characterizing the probability of the formation of Boolean functions with indices of stability not lower than required, is proposed. As an indicator of computational efficiency, an average number of attempts is proposed to be performed using a heuristic method to form a cryptographic Boolean function with the required properties. Comparative assessments of the effectiveness of the heuristic methods are considered. The results of investigations of the cryptographic properties of the formed Boolean functions in comparison with the best known assessments are given. On the basis of the conducted research, it can be concluded that the functions constructed in accordance with the developed method have high persistence indexes and exceed the known functions by these indicators.

6 citations

Journal Article
TL;DR: The securities of reduced AES-192 and Kalyna-128/256 are re-evaluated against key recovery attack in the single-key model, and a new 5-round distinguisher is built that is more efficient in terms of data and memory complexities.
Abstract: Dear editor, We re-evaluate the securities of reduced AES-192 and Kalyna-128/256 against key recovery attack in the single-key model. The meet-in-the-middle attack (MIMT) was first introduced into the analysis of AES by Demirci and Selçuk [1] at FSE 2008. The main idea was to set up a precomputation table for an ordered sequence of values. Later, ref. [2] showed that the storage of this table could be further reduced if one considered the ordered sequence of differences instead of values. At ASIACRYPT 2010, Dunkelman et al. [3] proposed the multiset tabulation and the differential enumeration techniques. The former replaced the ordered sequence of 256-byte values by a multiset of these values, while the latter allowed the adversary to efficiently enumerate the parameters that determine the multiset through a differential characteristic. Subsequently, Derbez et al. [4] reinforced the differential enumeration by incorporating the rebound concept with it. At FSE 2014, the key-dependent sieve technique, whose function was to filter wrong values of the sequence in the precomputation table, was developed by Li et al. [5]. Recently, ref. [6] further improved this kind of attack by combining the previous techniques with some MixColumns properties. Refs. [7, 8] also use the relation between subkey bytes to improve the distinguisher cryptanalysis. Moreover, due to the similarity between AES and Kalyna, these ideas and techniques for the MIMT attacks on AES can also apply to Kalyna. As a result, AlTawy et al. [9] mounted the first 7-round MIMT attacks on both Kalyna-128/256 and Kalyna-256/512. Afterwards, two single key recovery attacks on 9-round Kalyna-128/256 and Kalyna-256/512 were launched by Akshima et al. [10]. Our contribution. Inspired by the idea of [6], we first propose an observation for AES-192, upon which a new 5-round distinguisher is built.
Then a 9-round MIMT attack, derived from this distinguisher, is mounted with 2 chosen plaintexts, 2 9-round encryptions and 2 128-bit blocks. Compared to [5], where data/time/memory complexities are 2, 2 and 2, respectively, our attack is more efficient in terms of data and memory complexities. Particularly, the new distinguisher can be constructed in time 2 and memory 2, while the previous one in [5] requires 2 encryptions and 2 128-bit blocks. In fact, the data and memory complexities of [5] are higher than those of the exhaustive search for AES-192. Consequently, ref. [5] has to utilize the data/time/memory tradeoff to optimize the result. In the case of Kalyna-128/256, we first improve the previous best known 9-round key recovery at-

4 citations

Journal Article
TL;DR: This paper focuses on the key-recovery attacks on reduced-round Kalyna-128/256 and Kalyna-256/512 with the meet-in-the-middle method and proposes an addition plaintext structure to solve this.
Abstract: Kalyna is an SPN-based block cipher that was selected during the Ukrainian National Public Cryptographic Competition (2007–2010), and its slight modification was approved as the new encryption standard of Ukraine. In this paper, we focus on the key-recovery attacks on reduced-round Kalyna-128/256 and Kalyna-256/512 with the meet-in-the-middle method. The differential enumeration technique and key-dependent sieve technique, which are popular for analyzing AES, are used to attack them. Using the key-dependent sieve technique to improve the complexity is not an easy task; we should build some tables to achieve this. Since the encryption procedure of Kalyna employs pre- and post-whitening operations using addition modulo $$2^{64}$$ applied on the state columns independently, we carefully study the propagation of this operation and propose an addition plaintext structure to solve this. For Kalyna-128/256, we propose a 6-round distinguisher, and achieve a 9-round (out of total 14-round) attack. For Kalyna-256/512, we propose a 7-round distinguisher, then achieve an 11-round (out of total 18-round) attack. As far as we know, these are currently the best results on Kalyna-128/256 and Kalyna-256/512.

4 citations

Journal Article
20 Jul 2019
TL;DR: This chapter will introduce the prominent methods of cryptanalysis that utilize certain behavior in the cipher structure that disturbs the assumed randomness of the output or the cipher text.
Abstract: Cryptanalysis comes in different forms in order to support the rigorous analysis of the structure of a cryptographic primitive to evaluate and verify its claimed security margins. This analysis will follow the attack models presented previously in order to exploit possible weaknesses in the primitive, thus achieving the associated attack goals, which will vary from a distinguishing attack to a total break that is defined based on the security margins or claims of the primitive under study. For example, for a hash function, a total break constitutes finding a collision or obtaining the message from the hash value, while in block ciphers it revolves around recovering the secret key. When it comes to the claimed security margins, the design approaches will follow certain security models, as in provable security or practical security or a mixture of both. The role of the cryptanalyst is to subject these primitives to different existing categories of cryptanalysis approaches and tailor new ones that will push the design's security margins, if possible, to new limits where these attacks are not applicable any more. This chapter will introduce the prominent methods of cryptanalysis that utilize certain behavior in the cipher structure. Such behavior disturbs the assumed randomness of the output or the ciphertext. This paper will explore the basic definitions of prominent cryptanalysis methods that target the specific structure of a cipher, namely differential and linear cryptanalysis and their different variants. It will also discuss other potential cryptanalytic methods that are usually used in symmetric-key cipher analysis, especially of block ciphers.

1 citation

References
Book
14 Feb 2002
TL;DR: The underlying mathematics and the wide trail strategy as the basic design idea are explained in detail and the basics of differential and linear cryptanalysis are reworked.
Abstract: 1. The Advanced Encryption Standard Process.- 2. Preliminaries.- 3. Specification of Rijndael.- 4. Implementation Aspects.- 5. Design Philosophy.- 6. The Data Encryption Standard.- 7. Correlation Matrices.- 8. Difference Propagation.- 9. The Wide Trail Strategy.- 10. Cryptanalysis.- 11. Related Block Ciphers.- Appendices.- A. Propagation Analysis in Galois Fields.- A.1.1 Difference Propagation.- A.1.2 Correlation.- A.1.4 Functions that are Linear over GF(2).- A.2.1 Difference Propagation.- A.2.2 Correlation.- A.2.4 Functions that are Linear over GF(2).- A.3.3 Dual Bases.- A.4.2 Relationship Between Trace Patterns and Selection Patterns.- A.4.4 Illustration.- A.5 Rijndael-GF.- B. Trail Clustering.- B.1 Transformations with Maximum Branch Number.- B.2 Bounds for Two Rounds.- B.2.1 Difference Propagation.- B.2.2 Correlation.- B.3 Bounds for Four Rounds.- B.4 Two Case Studies.- B.4.1 Differential Trails.- B.4.2 Linear Trails.- C. Substitution Tables.- C.1 SRD.- C.2 Other Tables.- C.2.1 xtime.- C.2.2 Round Constants.- D. Test Vectors.- D.1 KeyExpansion.- D.2 Rijndael(128,128).- D.3 Other Block Lengths and Key Lengths.- E. Reference Code.

3,444 citations

Book Chapter
10 Feb 2008
TL;DR: A 5-round distinguisher for AES is presented and a time-memory tradeoff generalization of the basic attack is given which gives a better balancing between different costs of the attack.
Abstract: We present a 5-round distinguisher for AES. We exploit this distinguisher to develop a meet-in-the-middle attack on 7 rounds of AES-192 and 8 rounds of AES-256. We also give a time-memory tradeoff generalization of the basic attack which gives a better balancing between different costs of the attack. As an additional note, we state a new square-like property of the AES algorithm.

201 citations

Book Chapter
02 Dec 2009
TL;DR: This work presents a distinguishing attack on the full compression function of Whirlpool by improving the rebound attack on reduced Whirlpool with two new techniques and shows how to turn this near-collision attack into a distinguishing attack for the full 10-round compression function.
Abstract: Whirlpool is a hash function based on a block cipher that can be seen as a scaled-up variant of the AES. The main difference is the (compared to AES) extremely conservative key schedule. In this work, we present a distinguishing attack on the full compression function of Whirlpool. We obtain this result by improving the rebound attack on reduced Whirlpool with two new techniques. First, the inbound phase of the rebound attack is extended by up to two rounds using the available degrees of freedom of the key schedule. This results in a near-collision attack on 9.5 rounds of the compression function of Whirlpool with a complexity of \(2^{176}\) and negligible memory requirements. Second, we show how to turn this near-collision attack into a distinguishing attack for the full 10-round compression function of Whirlpool. This is the first result on the full Whirlpool compression function.

166 citations

Book Chapter
26 May 2013
TL;DR: This paper revisits meet-in-the-middle attacks on AES in the single-key model, improves on the Dunkelman, Keller and Shamir attacks at Asiacrypt 2010, and describes the best attack on 7 rounds of AES-128, where data/time/memory complexities are below \(2^{100}\).
Abstract: In this paper, we revisit meet-in-the-middle attacks on AES in the single-key model and improve on the Dunkelman, Keller and Shamir attacks at Asiacrypt 2010. We present the best attack on 7 rounds of AES-128, where data/time/memory complexities are below \(2^{100}\). Moreover, we are able to extend the number of rounds to reach attacks on 8 rounds for both AES-192 and AES-256. This gives the best attacks on those two versions with a data complexity of \(2^{107}\) chosen plaintexts, a memory complexity of \(2^{96}\) and a time complexity of \(2^{172}\) for AES-192 and \(2^{196}\) for AES-256. Finally, we also describe the best attack on 9 rounds of AES-256 with \(2^{120}\) chosen plaintexts and time and memory complexities of \(2^{203}\). All these attacks have been found by carefully studying the number of reachable multisets in the Dunkelman et al. attacks.

160 citations

Journal Article
TL;DR: Three new cryptanalytic techniques are introduced and used to get the first non-marginal attack on 8-round AES-192, making its time complexity about a million times faster than exhaustive search, and reducing its data complexity to about 1/32,000 of the full codebook.
Abstract: AES is the most widely used block cipher today, and its security is one of the most important issues in cryptanalysis. After 13 years of analysis, related-key attacks were recently found against two of its flavors (AES-192 and AES-256). However, such a strong type of attack is not universally accepted as a valid attack model, and in the more standard single-key attack model at most 8 rounds of these two versions can currently be attacked. In the case of 8-round AES-192, the only known attack (found 10 years ago) is extremely marginal, requiring the evaluation of essentially all the \(2^{128}\) possible plaintext/ciphertext pairs in order to speed up exhaustive key search by a factor of 16. In this paper we introduce three new cryptanalytic techniques, and use them to get the first non-marginal attack on 8-round AES-192 (making its time complexity about a million times faster than exhaustive search, and reducing its data complexity to about 1/32,000 of the full codebook). In addition, our new techniques can reduce the best known time complexities for all the other combinations of 7-round and 8-round AES-192 and AES-256.

110 citations