1 / 31

Cryptanalysis of 256-Bit Key HyRAL via Equivalent Keys

Cryptanalysis of 256-Bit Key HyRAL via Equivalent Keys. Nagoya University, Japan Yuki Asano , Shingo Yanagihara , and Tetsu Iwata ACNS2012, June 28, 2012, Singapore. Introduction. What is HyRAL ? A secret key blockcipher Block size : 128 bits The key length : 128, 129,…, 256 bits

plato
Download Presentation

Cryptanalysis of 256-Bit Key HyRAL via Equivalent Keys

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Cryptanalysis of 256-Bit Key HyRAL via Equivalent Keys Nagoya University, Japan Yuki Asano, Shingo Yanagihara, and Tetsu Iwata ACNS2012, June 28, 2012, Singapore

  2. Introduction • What is HyRAL? • A secret key blockcipher • Block size : 128 bits • The key length : 128, 129,…, 256 bits • One of the proposed algorithms for the CRYPTREC project’s call • The CRYPTREC project • Maintaining the e-Government recommended ciphers list in Japan • The list is planned to be revised in 2013

  3. Background • The security of HyRAL ・Differential attacks ・Linear attacks ・Impossible differential attacks ・Saturation attacks ・Higher order differential attacks ・Boomerang attacks No security weaknesses have been identified.

  4. Our Research • For 256-bit key HyRAL • We show that there are 251.0 equivalent keys (250.0 pairs of equivalent keys). • We propose an algorithm that derives an instance of equivalent keys with the expected time complexity of 248.8 encryptions. • We verify the proposed algorithm’s correctness by showing several instances of equivalent keys.

  5. Equivalent Keys • The two distinct keys (K, K’) that satisfy EK(M) = EK’(M) for all plaintexts M • The ciphertext remains the same even if the key is changed.

  6. Impact of Equivalent Keys • The existence of equivalent keys implies the theoretical cryptanalysis of the cipher. • The key search space of a brute force attack is reduced. • For256-bit key HyRAL, the search space is 2256-250. • Suppose that we use 256-bit key HyRAL to construct a compression function in Davies-Meyer mode.

  7. Impact of Equivalent Keys • Suppose that we use the previous compression function to construct a hash function in Merkle-Damgård mode.

  8. Specification of 256-Bit Key HyRAL • OK1:The most significant 128 bits of the secret key K • OK2:The least significant 128 bits of K • KGA1and KGA2:The Key Generation Algorithms The Data Processing Algorithm The Key Assignment Algorithm

  9. Key Generation Algorithms:KGA1 and KGA2 • KGA1 and KGA2 differ only in the internally used constants CST1 and CST2. • G1 and G2 functions of 128-bit input and output are used.

  10. G1 and G2 Functions • The input and output are 128 bits. • The Generalized Feistel Structure of 4 rounds and 4 branches • fi functions of 32-bit input and output are used. G1 function G2 function

  11. fi Function • f1,…,f8 functions are keyless permutations over 32 bits. • The structure of fi function is the SP-network. 8 bits fi function

  12. KAA and DPA • KAA (the Key Assignment Algorithm) • (KM1,KM3,KM2,KM4) are first parsed into 32-bit strings. • (RK1,…,RK9, IK1,…,IK6) are generated by taking their linear combinations. • DPA (the Data Processing Algorithm) • The overall structure is the 32 round Generalized Feistel Structure with 4 branches.

  13. Existence of Equivalent Keys • Let ΔOK1 and ΔOK2be the input differences for KGA1 and KGA2 , respectively. • If the two output differences collide, then the input difference of KAA becomes null.

  14. Existence of Equivalent Keys • When the input difference of KAA becomes null, we have the following equivalent keys.

  15. Differential Characteristic of KGA • KGA1 and KGA2are the same algorithms except for the internally used constants. • We may regard them identically as long as we consider their differential characteristics.

  16. Differential Characteristic of KGA • Lemma 1. For KGA, there exists a differential characteristic with four active fi functions. • Let δ be any non-zero 32-bit string. • The input difference of KGA : (δδδδ) • The output difference of KGA : (δδ00)(000δ)(δδδδ)(0000)

  17. 32 bits G1 G2 G1 G1 G2

  18. Differential Characteristic of KGA • The probability of the differential characteristic: • DCPKGA(δ)= DPf1(δ)×DPf3(δ)×DPf5(δ)×DPf7(δ) • Lemma 2. There exists non-zero δ such that DCPKGA(δ) > 2-128.

  19. Differential Characteristic of KGA • For 232values of δ, we computed the value of DCPKGA(δ). • There exist 89938 values of δ such that DCPKGA(δ) > 2-128. 19

  20. The Number of Equivalent Keys For each (OK1, OK2), there are four equivalent keys. • The number of equivalent keys can be derived as follows: The same equivalent keys are counted for four times. For KGA1 and KGA2, we consider all δ which satisfies DCPKGA(δ) > 2-128.

  21. The Number of Equivalent Keys • The number of pairs is the half of 251.0, which is 250.0. Theorem 1. In 256-bit key HyRAL, there exist 251.0equivalent keys (or 250.0pairs of equivalent keys).

  22. Equivalent Key Derivation Algorithm • We consider the case of δ = 0xd7d7d0d7. • DCPKGA(δ) = 2-103 (DCPKGA(δ) is the maximum.) • For , let be a list of that satisfy • We may write down the lists as follows: . .

  23. Equivalent Key Derivation Algorithm • Let be fi function in the r-th round. • We write the input and output strings of as and , respectively. • Let (K1,K2,K3,K4) be the partition of OK1 or OK2 into 32-bit strings. • Let (C1,C2,C3,C4) be the partition of CST1 or CST2 into 32-bit strings.

  24. Equivalent Key Derivation Algorithm If we can derive (K1,K2,K3,K4) that satisfies this implies that we have derived the equivalent key. • Lemma 3. For arbitrarily fixed , and , where , the corresponding value of (K1,K2,K3,K4) can be derived.

  25. Step 4. Compute from (K1,K2,K3,K4), and proceed to Step 5 if is satisfied. Otherwise return to Step 2. Step 1. Fix any and that satisfy and . Step 5. Compute from (K1,K2,K3,K4), and output (K1,K2,K3,K4) and halt if is satisfied. Otherwise return to Step 2. Step 2. Fix any and . Step 3. Derive (K1,K2,K3,K4) by using Lemma 3.

  26. Time Complexity of the Algorithm • The probability that both and are satisfied is Therefore, we may expect that the algorithm returns (K1,K2,K3,K4) after trying 252values of . .

  27. Time Complexity of the Algorithm • The time complexity of the algorithm is computations of fifunctions in order to derive both OK1 and OK2. • This amounts to running encryption functions as there are 96 fi functions in the encryption function of 256-bit key HyRAL.

  28. Deriving Equivalent Keys • We have implemented our algorithm on a supercomputer system at Information Technology Center in Nagoya University. • The systems we have used are called HX600 and FX1.

  29. Deriving Equivalent Keys • δ = 0xd7d7d0d7, = 0x17170c17, = 0x1717292b

  30. Deriving Equivalent Keys • We have successfully derived one value of OK1and three values of OK2. • Concrete instances of the equivalent keys (δ = 0xd7d7d0d7)

  31. Summary • We showed that there are 250.0pairs of equivalent keys. • We developed the algorithm to derive an instance of equivalent keys. • We demonstrated that we were able to derive concrete instances with the current computing environment. • As a result, based on the results of this paper, HyRAL did not proceed to the second roundevaluation process in the CRYPTREC project.

More Related