Cryptanalysis of 256-Bit Key HyRAL via Equivalent Keys
Nagoya University, Japan
Yuki Asano, Shingo Yanagihara, and Tetsu Iwata
ACNS2012, June 28, 2012, Singapore
Introduction
• What is HyRAL?
– A secret key blockcipher
– Block size: 128 bits
– The key length: 128, 129, …, 256 bits
– One of the proposed algorithms for the CRYPTREC project’s call
• The CRYPTREC project
– Maintaining the e-Government recommended ciphers list in Japan
– The list is planned to be revised in 2013
Background
• The security of HyRAL
– Differential attacks
– Linear attacks
– Impossible differential attacks
– Saturation attacks
– Higher order differential attacks
– Boomerang attacks
No security weaknesses have been identified.
Our Research
• For 256-bit key HyRAL
1. We show that there are 2^{51.0} equivalent keys (2^{50.0} pairs of equivalent keys).
2. We propose an algorithm that derives an instance of equivalent keys with the expected time complexity of 2^{48.8} encryptions.
3. We verify the proposed algorithm’s correctness by showing several instances of equivalent keys.
Equivalent Keys
• The two distinct keys (K, K’) that satisfy E_K(M) = E_{K’}(M) for all plaintexts M
• The ciphertext remains the same even if the key is changed.
Impact of Equivalent Keys
• The existence of equivalent keys implies the theoretical cryptanalysis of the cipher.
– The key search space of a brute force attack is reduced.
– For 256-bit key HyRAL, the search space is 2^{256} − 2^{50}.
• Suppose that we use 256-bit key HyRAL to construct a compression function in Davies-Meyer mode.
Impact of Equivalent Keys
• Suppose that we use the previous compression function to construct a hash function in Merkle-Damgård mode.
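The effect described on the two "Impact" slides, as an added example that is not from the original presentation: a toy 16-bit cipher (constructed here, not HyRAL) whose key halves pass through two KGAs differing only in a constant, used in Davies-Meyer and Merkle-Damgård mode. All names and constants are assumptions, and in this toy an equivalent key is cheap to derive by construction, unlike the 2^{48.8} encryptions quoted for HyRAL.

```python
# Toy model, constructed for illustration (NOT HyRAL): 16-bit block, 32-bit key K = OK1 || OK2.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def _perm(x):
    """Keyless 16-bit permutation: two rounds of nibble S-box plus rotation."""
    for _ in range(2):
        x = sum(SBOX[(x >> s) & 0xF] << s for s in (0, 4, 8, 12))
        x = ((x << 3) | (x >> 13)) & 0xFFFF
    return x

P = [_perm(x) for x in range(1 << 16)]        # lookup table for the permutation
P_INV = [0] * (1 << 16)
for _x, _y in enumerate(P):
    P_INV[_y] = _x

CST1, CST2 = 0x1234, 0xBEEF                   # constructed constants for KGA1 / KGA2

def kga(ok, cst):
    """Toy key generation algorithm; KGA1 and KGA2 differ only in cst."""
    return P[ok ^ cst]

def round_keys(key):
    ok1, ok2 = key >> 16, key & 0xFFFF
    km = kga(ok1, CST1) ^ kga(ok2, CST2)      # toy KAA: linear combination of both outputs
    return [P[km ^ r] for r in range(4)]

def encrypt(key, m):
    for rk in round_keys(key):
        m = P[m ^ rk]
    return m

def equivalent_key(key, delta):
    """Return K' != K whose KGA output differences collide, so KAA sees no difference."""
    ok1, ok2 = key >> 16, key & 0xFFFF
    d = kga(ok1, CST1) ^ kga(ok1 ^ delta, CST1)   # output difference of KGA1
    ok2_new = P_INV[kga(ok2, CST2) ^ d] ^ CST2    # make KGA2 produce the same difference
    return ((ok1 ^ delta) << 16) | ok2_new

def davies_meyer(h, block):
    """Compression function: the message block is used as the cipher key."""
    return encrypt(block, h) ^ h

def md_hash(blocks, iv=0x0F0F):
    h = iv
    for b in list(blocks) + [len(blocks)]:        # final block encodes the length
        h = davies_meyer(h, b)
    return h

K = 0x0123ABCD                                    # constructed sample key
K2 = equivalent_key(K, delta=0x00D7)
print(hex(K), hex(K2), all(encrypt(K, m) == encrypt(K2, m) for m in range(1 << 16)))
print(hex(md_hash([K, 0xCAFE])), hex(md_hash([K2, 0xCAFE])))
```

Because the message block is the cipher key in Davies-Meyer mode, every pair of equivalent keys is a compression-function collision for any chaining value, and it carries through to the full hash.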
Specification of 256-Bit Key HyRAL
• OK1: The most significant 128 bits of the secret key K
• OK2: The least significant 128 bits of K
• KGA1 and KGA2: The Key Generation Algorithms
• KAA: The Key Assignment Algorithm
• DPA: The Data Processing Algorithm
Key Generation Algorithms: KGA1 and KGA2
• KGA1 and KGA2 differ only in the internally used constants CST1 and CST2.
• G1 and G2 functions of 128-bit input and output are used.
G1 and G2 Functions
• The input and output are 128 bits.
• The Generalized Feistel Structure of 4 rounds and 4 branches
• f_i functions of 32-bit input and output are used.
[Figure: G1 function and G2 function]
f_i Function
• f_1, …, f_8 functions are keyless permutations over 32 bits.
• The structure of the f_i function is the SP-network.
[Figure: f_i function; label: 8 bits]
KAA and DPA
• KAA (the Key Assignment Algorithm)
– (KM1,KM3,KM2,KM4) are first parsed into 32-bit strings.
– (RK1,…,RK9, IK1,…,IK6) are generated by taking their linear combinations.
• DPA (the Data Processing Algorithm)
– The overall structure is the 32 round Generalized Feistel Structure with 4 branches.
Existence of Equivalent Keys
• Let ΔOK1 and ΔOK2 be the input differences for KGA1 and KGA2, respectively.
• If the two output differences collide, then the input difference of KAA becomes null.
Existence of Equivalent Keys
• When the input difference of KAA becomes null, we have the following equivalent keys.
Differential Characteristic of KGA
• KGA1 and KGA2 are the same algorithms except for the internally used constants.
• We may regard them identically as long as we consider their differential characteristics.
Differential Characteristic of KGA
• Lemma 1. For KGA, there exists a differential characteristic with four active f_i functions.
• Let δ be any non-zero 32-bit string.
– The input difference of KGA: (δδδδ)
– The output difference of KGA: (δδ00)(000δ)(δδδδ)(0000)
[Figure: differential characteristic of KGA through G1, G2, G1, G2, G1; label: 32 bits]
Differential Characteristic of KGA
• The probability of the differential characteristic:
– DCP_KGA(δ) = DP_f1(δ) × DP_f3(δ) × DP_f5(δ) × DP_f7(δ)
• Lemma 2. There exists non-zero δ such that DCP_KGA(δ) > 2^{-128}.
Differential Characteristic of KGA
• For 2^{32} values of δ, we computed the value of DCP_KGA(δ).
• There exist 89938 values of δ such that DCP_KGA(δ) > 2^{-128}.

DCP_KGA(δ)   Example of δ   Number
2^{-103}     0xd7d7d0d7     1
2^{-104}     0xc5c5d254     1
2^{-105}     0x4e4ec554     1
2^{-106}     0x3c3cf4ff     8
2^{-107}     0x6161f9d9     1
2^{-108}     0x054d9797     34
2^{-109}     0x0101019a     157
2^{-110}     0x0159591a     1579
2^{-111}     0x0101e818     7685
2^{-112}     0x01010520     80471
The Number of Equivalent Keys
• The number of equivalent keys can be derived as follows:

DCP_KGA(δ)   Example of δ   Number
2^{-103}     0xd7d7d0d7     1
2^{-104}     0xc5c5d254     1
…            …              …
2^{-112}     0x01010520     80471

• For each (OK1, OK2), there are four equivalent keys.
• The same equivalent keys are counted four times.
• For KGA1 and KGA2, we consider all δ which satisfy DCP_KGA(δ) > 2^{-128}.
The Number of Equivalent Keys
• The number of pairs is half of 2^{51.0}, which is 2^{50.0}.
Theorem 1. In 256-bit key HyRAL, there exist 2^{51.0} equivalent keys (or 2^{50.0} pairs of equivalent keys).
Equivalent Key Derivation Algorithm
• We consider the case of δ = 0xd7d7d0d7.
– DCP_KGA(δ) = 2^{-103} (DCP_KGA(δ) is the maximum.)
• For , let be a list of that satisfy
• We may write down the lists as follows:
Equivalent Key Derivation Algorithm
• Let be f_i function in the r-th round.
• We write the input and output strings of as and , respectively.
• Let (K1,K2,K3,K4) be the partition of OK1 or OK2 into 32-bit strings.
• Let (C1,C2,C3,C4) be the partition of CST1 or CST2 into 32-bit strings.
Equivalent Key Derivation Algorithm
If we can derive (K1,K2,K3,K4) that satisfies
this implies that we have derived the equivalent key.
• Lemma 3. For arbitrarily fixed , and , where , the corresponding value of (K1,K2,K3,K4) can be derived.
Step 1. Fix any and that satisfy and .
Step 2. Fix any and .
Step 3. Derive (K1,K2,K3,K4) by using Lemma 3.
Step 4. Compute from (K1,K2,K3,K4), and proceed to Step 5 if is satisfied. Otherwise return to Step 2.
Step 5. Compute from (K1,K2,K3,K4), and output (K1,K2,K3,K4) and halt if is satisfied. Otherwise return to Step 2.
Time Complexity of the Algorithm
• The probability that both and are satisfied is
Therefore, we may expect that the algorithm returns (K1,K2,K3,K4) after trying 2^{52} values of .
Time Complexity of the Algorithm
• The time complexity of the algorithm is computations of f_i functions in order to derive both OK1 and OK2.
• This amounts to running encryption functions as there are 96 f_i functions in the encryption function of 256-bit key HyRAL.
Deriving Equivalent Keys
• We have implemented our algorithm on a supercomputer system at Information Technology Center in Nagoya University.
• The systems we have used are called HX600 and FX1.

System   Number of CPUs/Cores   CPU                Total memory
HX600    384/1536               AMD Opteron 8380   6TB
FX1      768/3072               SPARC64 Ⅶ          24TB
Deriving Equivalent Keys
• δ = 0xd7d7d0d7, = 0x17170c17, = 0x1717292b

       System   Cores   Number of   Running time
OK1    HX600    1024    2^{49}      17h17min
OK2    FX1      1024    2^{50}      50h37min
       FX1      512     2^{50}      92h25min
       HX600    256     2^{51}      270h17min
Deriving Equivalent Keys
• We have successfully derived one value of OK1 and three values of OK2.
• Concrete instances of the equivalent keys (δ = 0xd7d7d0d7)

OK1   0x2fd918837136d461f4bc99938907dd0b
OK2   0xa20ed0f467141b2a3b038abb5f61d59e
      0xe3a1902aa60b6c3582a9131527d43b2f
      0x3218a5b25828a0b7d2122283894cc63b
Summary
• We showed that there are 2^{50.0} pairs of equivalent keys.
• We developed the algorithm to derive an instance of equivalent keys.
• We demonstrated that we were able to derive concrete instances with the current computing environment.
• As a result, based on the results of this paper, HyRAL did not proceed to the second round evaluation process in the CRYPTREC project.