310 likes | 423 Views
Cryptanalysis of 256-Bit Key HyRAL via Equivalent Keys. Nagoya University, Japan Yuki Asano , Shingo Yanagihara , and Tetsu Iwata ACNS2012, June 28, 2012, Singapore. Introduction. What is HyRAL ? A secret key blockcipher Block size : 128 bits The key length : 128, 129,…, 256 bits
E N D
Cryptanalysis of 256-Bit Key HyRAL via Equivalent Keys Nagoya University, Japan Yuki Asano, Shingo Yanagihara, and Tetsu Iwata ACNS2012, June 28, 2012, Singapore
Introduction • What is HyRAL? • A secret key blockcipher • Block size : 128 bits • The key length : 128, 129,…, 256 bits • One of the proposed algorithms for the CRYPTREC project’s call • The CRYPTREC project • Maintaining the e-Government recommended ciphers list in Japan • The list is planned to be revised in 2013
Background • The security of HyRAL ・Differential attacks ・Linear attacks ・Impossible differential attacks ・Saturation attacks ・Higher order differential attacks ・Boomerang attacks No security weaknesses have been identified.
Our Research • For 256-bit key HyRAL • We show that there are 251.0 equivalent keys (250.0 pairs of equivalent keys). • We propose an algorithm that derives an instance of equivalent keys with the expected time complexity of 248.8 encryptions. • We verify the proposed algorithm’s correctness by showing several instances of equivalent keys.
Equivalent Keys • The two distinct keys (K, K’) that satisfy EK(M) = EK’(M) for all plaintexts M • The ciphertext remains the same even if the key is changed.
Impact of Equivalent Keys • The existence of equivalent keys implies the theoretical cryptanalysis of the cipher. • The key search space of a brute force attack is reduced. • For256-bit key HyRAL, the search space is 2256-250. • Suppose that we use 256-bit key HyRAL to construct a compression function in Davies-Meyer mode.
Impact of Equivalent Keys • Suppose that we use the previous compression function to construct a hash function in Merkle-Damgård mode.
Specification of 256-Bit Key HyRAL • OK1:The most significant 128 bits of the secret key K • OK2:The least significant 128 bits of K • KGA1and KGA2:The Key Generation Algorithms The Data Processing Algorithm The Key Assignment Algorithm
Key Generation Algorithms:KGA1 and KGA2 • KGA1 and KGA2 differ only in the internally used constants CST1 and CST2. • G1 and G2 functions of 128-bit input and output are used.
G1 and G2 Functions • The input and output are 128 bits. • The Generalized Feistel Structure of 4 rounds and 4 branches • fi functions of 32-bit input and output are used. G1 function G2 function
fi Function • f1,…,f8 functions are keyless permutations over 32 bits. • The structure of fi function is the SP-network. 8 bits fi function
KAA and DPA • KAA (the Key Assignment Algorithm) • (KM1,KM3,KM2,KM4) are first parsed into 32-bit strings. • (RK1,…,RK9, IK1,…,IK6) are generated by taking their linear combinations. • DPA (the Data Processing Algorithm) • The overall structure is the 32 round Generalized Feistel Structure with 4 branches.
Existence of Equivalent Keys • Let ΔOK1 and ΔOK2be the input differences for KGA1 and KGA2 , respectively. • If the two output differences collide, then the input difference of KAA becomes null.
Existence of Equivalent Keys • When the input difference of KAA becomes null, we have the following equivalent keys.
Differential Characteristic of KGA • KGA1 and KGA2are the same algorithms except for the internally used constants. • We may regard them identically as long as we consider their differential characteristics.
Differential Characteristic of KGA • Lemma 1. For KGA, there exists a differential characteristic with four active fi functions. • Let δ be any non-zero 32-bit string. • The input difference of KGA : (δδδδ) • The output difference of KGA : (δδ00)(000δ)(δδδδ)(0000)
32 bits G1 G2 G1 G1 G2
Differential Characteristic of KGA • The probability of the differential characteristic: • DCPKGA(δ)= DPf1(δ)×DPf3(δ)×DPf5(δ)×DPf7(δ) • Lemma 2. There exists non-zero δ such that DCPKGA(δ) > 2-128.
Differential Characteristic of KGA • For 232values of δ, we computed the value of DCPKGA(δ). • There exist 89938 values of δ such that DCPKGA(δ) > 2-128. 19
The Number of Equivalent Keys For each (OK1, OK2), there are four equivalent keys. • The number of equivalent keys can be derived as follows: The same equivalent keys are counted for four times. For KGA1 and KGA2, we consider all δ which satisfies DCPKGA(δ) > 2-128.
The Number of Equivalent Keys • The number of pairs is the half of 251.0, which is 250.0. Theorem 1. In 256-bit key HyRAL, there exist 251.0equivalent keys (or 250.0pairs of equivalent keys).
Equivalent Key Derivation Algorithm • We consider the case of δ = 0xd7d7d0d7. • DCPKGA(δ) = 2-103 (DCPKGA(δ) is the maximum.) • For , let be a list of that satisfy • We may write down the lists as follows: . .
Equivalent Key Derivation Algorithm • Let be fi function in the r-th round. • We write the input and output strings of as and , respectively. • Let (K1,K2,K3,K4) be the partition of OK1 or OK2 into 32-bit strings. • Let (C1,C2,C3,C4) be the partition of CST1 or CST2 into 32-bit strings.
Equivalent Key Derivation Algorithm If we can derive (K1,K2,K3,K4) that satisfies this implies that we have derived the equivalent key. • Lemma 3. For arbitrarily fixed , and , where , the corresponding value of (K1,K2,K3,K4) can be derived.
Step 4. Compute from (K1,K2,K3,K4), and proceed to Step 5 if is satisfied. Otherwise return to Step 2. Step 1. Fix any and that satisfy and . Step 5. Compute from (K1,K2,K3,K4), and output (K1,K2,K3,K4) and halt if is satisfied. Otherwise return to Step 2. Step 2. Fix any and . Step 3. Derive (K1,K2,K3,K4) by using Lemma 3.
Time Complexity of the Algorithm • The probability that both and are satisfied is Therefore, we may expect that the algorithm returns (K1,K2,K3,K4) after trying 252values of . .
Time Complexity of the Algorithm • The time complexity of the algorithm is computations of fifunctions in order to derive both OK1 and OK2. • This amounts to running encryption functions as there are 96 fi functions in the encryption function of 256-bit key HyRAL.
Deriving Equivalent Keys • We have implemented our algorithm on a supercomputer system at Information Technology Center in Nagoya University. • The systems we have used are called HX600 and FX1.
Deriving Equivalent Keys • δ = 0xd7d7d0d7, = 0x17170c17, = 0x1717292b
Deriving Equivalent Keys • We have successfully derived one value of OK1and three values of OK2. • Concrete instances of the equivalent keys (δ = 0xd7d7d0d7)
Summary • We showed that there are 250.0pairs of equivalent keys. • We developed the algorithm to derive an instance of equivalent keys. • We demonstrated that we were able to derive concrete instances with the current computing environment. • As a result, based on the results of this paper, HyRAL did not proceed to the second roundevaluation process in the CRYPTREC project.