Cryptanalysis of 256-Bit Key

beepedblacksmith, Urban Planning Works

Nov 29, 2013 (3 years and 7 months ago)


Cryptanalysis of 256-Bit Key HyRAL via Equivalent Keys

Nagoya University, Japan

Yuki Asano, Shingo Yanagihara, and Tetsu Iwata

ACNS2012, June 28, 2012, Singapore


Introduction

What is HyRAL?
  A secret key blockcipher
  Block size: 128 bits
  The key length: 128, 129,…, 256 bits
  One of the proposed algorithms for the CRYPTREC project’s call

The CRYPTREC project
  Maintaining the e-Government recommended ciphers list in Japan
  The list is planned to be revised in 2013

Background

The security of HyRAL
  Differential attacks
  Linear attacks
  Impossible differential attacks
  Saturation attacks
  Higher order differential attacks
  Boomerang attacks

No security weaknesses have been identified.

Our Research

For 256-bit key HyRAL

1. We show that there are 2^51.0 equivalent keys (2^50.0 pairs of equivalent keys).

2. We propose an algorithm that derives an instance of equivalent keys with the expected time complexity of 2^48.8 encryptions.

3. We verify the proposed algorithm’s correctness by showing several instances of equivalent keys.


Equivalent Keys

The two distinct keys (K, K’) that satisfy E_K(M) = E_K’(M) for all plaintexts M

The ciphertext remains the same even if the key is changed.

Impact of Equivalent Keys

The existence of equivalent keys implies the theoretical cryptanalysis of the cipher.

The key search space of a brute force attack is reduced.
  For 256-bit key HyRAL, the search space is 2^256 - 2^50.

Suppose that we use 256-bit key HyRAL to construct a compression function in Davies-Meyer mode.

Impact of Equivalent Keys

Suppose that we use the previous compression function to construct a hash function in Merkle-Damgård mode.
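Added example, not part of the original slides: in Davies-Meyer mode the message block is used as the cipher key, so two equivalent keys are two message blocks with the same compression output, and that collision carries through the Merkle-Damgård iteration. The cipher below is a toy constructed for this illustration (it is not HyRAL); all function names and constants are assumptions.

```python
# Toy 16-bit cipher constructed for this example; it is NOT HyRAL.
# Like the KGA_1/KGA_2 pair, two key halves go through functions that differ
# only in a constant, and only the XOR of their outputs reaches the rounds.
MASK = 0xFFFF
CST1, CST2 = 0x3C, 0xA5                 # made-up constants

def g(x, cst):
    """Toy keyless 8-bit bijection standing in for a key generation function."""
    x = ((x ^ cst) * 167 + 13) & 0xFF   # odd multiplier keeps it a bijection
    return x ^ (x >> 4)

def key_material(key):
    """The only key-dependent value the rounds ever see."""
    return g(key >> 8, CST1) ^ g(key & 0xFF, CST2)

def encrypt(key, block):
    km, x = key_material(key), block & MASK
    for r in range(4):
        x = (x + km * 257 + r) & MASK        # add round key
        x = ((x << 5) | (x >> 11)) & MASK    # rotate left by 5
        x ^= x >> 7                          # invertible xorshift
    return x

def find_equivalent_key(key):
    """Exhaustive search (toy size only) for K' != K with equal key material."""
    target = key_material(key)
    for cand in range(1 << 16):
        if cand != key and key_material(cand) == target:
            return cand
    return None

def davies_meyer(h, m):
    """Compression function: the message block m is used as the cipher key."""
    return encrypt(m, h) ^ h

def md_hash(blocks, iv=0x1234):
    """Merkle-Damgard iteration with a final length block."""
    h = iv
    for m in blocks:
        h = davies_meyer(h, m)
    return davies_meyer(h, len(blocks) & MASK)

if __name__ == "__main__":
    k = 0x2FD9                               # constructed sample key
    k2 = find_equivalent_key(k)
    same = all(encrypt(k, m) == encrypt(k2, m) for m in range(1 << 16))
    print(hex(k), hex(k2), "equivalent:", same)
    print(hex(md_hash([1, k, 7])), hex(md_hash([1, k2, 7])))
```

The two messages differ only in the block that holds K or K’, yet their digests are identical for every chaining value.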

Specification of 256-Bit Key HyRAL

OK_1: The most significant 128 bits of the secret key K
OK_2: The least significant 128 bits of K
KGA_1 and KGA_2: The Key Generation Algorithms

The Key Assignment Algorithm

The Data Processing Algorithm

Key Generation Algorithms: KGA_1 and KGA_2

KGA_1 and KGA_2 differ only in the internally used constants CST_1 and CST_2.

G_1 and G_2 functions of 128-bit input and output are used.

G_1 and G_2 Functions

The input and output are 128 bits.

The Generalized Feistel Structure of 4 rounds and 4 branches

f_i functions of 32-bit input and output are used.

[Figures: G_1 function, G_2 function]

f_i Function

f_1,…,f_8 functions are keyless permutations over 32 bits.

The structure of f_i function is the SP-network.

[Figure: f_i function; label: 8 bits]

KAA and DPA

KAA (the Key Assignment Algorithm)
  (KM_1,KM_3,KM_2,KM_4) are first parsed into 32-bit strings.
  (RK_1,…,RK_9, IK_1,…,IK_6) are generated by taking their linear combinations.

DPA (the Data Processing Algorithm)
  The overall structure is the 32 round Generalized Feistel Structure with 4 branches.

Existence of Equivalent Keys

Let ΔOK_1 and ΔOK_2 be the input differences for KGA_1 and KGA_2, respectively.

If the two output differences collide, then the input difference of KAA becomes null.

Existence of Equivalent Keys

When the input difference of KAA becomes null, we have the following equivalent keys.

Differential Characteristic of KGA

KGA_1 and KGA_2 are the same algorithms except for the internally used constants.

We may regard them identically as long as we consider their differential characteristics.

Differential Characteristic of KGA

Lemma 1. For KGA, there exists a differential characteristic with four active f_i functions.

  Let δ be any non-zero 32-bit string.
  The input difference of KGA: (δδδδ)
  The output difference of KGA: (δδ00)(000δ)(δδδδ)(0000)









[Figure: differential characteristic of KGA; labels: G, G_2, 32 bits]

Differential Characteristic of KGA

The probability of the differential characteristic:

  DCP_KGA(δ) = DP_f1(δ) × DP_f3(δ) × DP_f5(δ) × DP_f7(δ)

Lemma 2. There exists non-zero δ such that DCP_KGA(δ) > 2^-128.

Differential Characteristic of KGA

For 2^32 values of δ, we computed the value of DCP_KGA(δ).

There exist 89938 values of δ such that DCP_KGA(δ) > 2^-128.

DCP_KGA(δ)   Example of δ   Number
2^-103       0xd7d7d0d7     1
2^-104       0xc5c5d254     1
2^-105       0x4e4ec554     1
2^-106       0x3c3cf4ff     8
2^-107       0x6161f9d9     1
2^-108       0x054d9797     34
2^-109       0x0101019a     157
2^-110       0x0159591a     1579
2^-111       0x0101e818     7685
2^-112       0x01010520     80471

The Number of Equivalent Keys

The number of equivalent keys can be derived as follows:

DCP_KGA(δ)   Example of δ   Number
2^-103       0xd7d7d0d7     1
2^-104       0xc5c5d254     1
...
2^-112       0x01010520     80471

For each (OK_1, OK_2), there are four equivalent keys.

The same equivalent keys are counted four times.

For KGA_1 and KGA_2, we consider all δ which satisfy DCP_KGA(δ) > 2^-128.

The Number of Equivalent Keys

The number of pairs is half of 2^51.0, which is 2^50.0.

Theorem 1. In 256-bit key HyRAL, there exist 2^51.0 equivalent keys (or 2^50.0 pairs of equivalent keys).
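Added check, not taken from the slides or the paper: assuming that for each δ about 2^128 · DCP_KGA(δ) values of OK_1 (and as many of OK_2) follow the characteristic, and that the factor of four and the four-fold overcount noted above cancel, the table reproduces both the 89938 differences and the 2^51.0 keys of Theorem 1. The function names are hypothetical, and each table row is treated as exactly 2^-e.

```python
import math

# Rows of the slide's table: (e, number of deltas with DCP_KGA(delta) = 2^-e).
DCP_TABLE = [(103, 1), (104, 1), (105, 1), (106, 8), (107, 1),
             (108, 34), (109, 157), (110, 1579), (111, 7685), (112, 80471)]

def row_contribution(e, count):
    """Expected equivalent keys from `count` differences with DCP = 2^-e.

    Assumption: 2^128 * 2^-e values of OK_1 follow the characteristic and
    the same number of OK_2 values do; the 'four keys per (OK_1, OK_2)'
    factor and the 'counted four times' factor cancel each other.
    """
    per_half = 2 ** (128 - e)
    return count * per_half * per_half

def equivalent_key_count(table=DCP_TABLE):
    return sum(row_contribution(e, n) for e, n in table)

def usable_deltas(table=DCP_TABLE):
    """Number of deltas with DCP_KGA(delta) > 2^-128 covered by the table."""
    return sum(n for _, n in table)

def report(table=DCP_TABLE):
    total = equivalent_key_count(table)
    lines = [f"2^-{e}: {n:6d} deltas -> 2^{math.log2(row_contribution(e, n)):.1f} keys"
             for e, n in table]
    lines.append(f"deltas: {usable_deltas(table)}")
    lines.append(f"keys: 2^{math.log2(total):.1f}  pairs: 2^{math.log2(total // 2):.1f}")
    return lines

if __name__ == "__main__":
    print("\n".join(report()))
```

The single δ with probability 2^-103 contributes 2^50 of the keys, about half of the total.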

Equivalent Key Derivation Algorithm

We consider the case of δ = 0xd7d7d0d7.
  DCP_KGA(δ) = 2^-103 (DCP_KGA(δ) is the maximum.)

For , let be a list of that satisfy

We may write down the lists as follows:

Equivalent Key Derivation Algorithm

Let be f_i function in the r-th round.

We write the input and output strings of as and , respectively.

Let (K_1,K_2,K_3,K_4) be the partition of OK_1 or OK_2 into 32-bit strings.

Let (C_1,C_2,C_3,C_4) be the partition of CST_1 or CST_2 into 32-bit strings.

Equivalent Key Derivation Algorithm

If we can derive (K_1,K_2,K_3,K_4) that satisfies

this implies that we have derived the equivalent key.

Lemma 3. For arbitrarily fixed , and , where , the corresponding value of (K_1,K_2,K_3,K_4) can be derived.

Step 1. Fix any and that satisfy and .

Step 2. Fix any and .

Step 3. Derive (K_1,K_2,K_3,K_4) by using Lemma 3.

Step 4. Compute from (K_1,K_2,K_3,K_4), and proceed to Step 5 if is satisfied. Otherwise return to Step 2.

Step 5. Compute from (K_1,K_2,K_3,K_4), and output (K_1,K_2,K_3,K_4) and halt if is satisfied. Otherwise return to Step 2.

Time Complexity of the Algorithm

The probability that both and are satisfied is

Therefore, we may expect that the algorithm returns (K_1,K_2,K_3,K_4) after trying 2^52 values of .

Time Complexity of the Algorithm

The time complexity of the algorithm is computations of f_i functions in order to derive both OK_1 and OK_2.

This amounts to running encryption functions as there are 96 f_i functions in the encryption function of 256-bit key HyRAL.


Deriving Equivalent Keys

We have implemented our algorithm on a supercomputer system at Information Technology Center in Nagoya University.

The systems we have used are called HX600 and FX1.

System   Number of CPUs/Cores   CPU                Total memory
HX600    384/1536               AMD Opteron 8380   6TB
FX1      768/3072               SPARC64 Ⅶ          24TB


Deriving Equivalent Keys

δ = 0xd7d7d0d7, = 0x17170c17, = 0x1717292b

        System   Cores   Number of   Running time
OK_1    HX600    1024    2^49        17h17min
OK_2    FX1      1024    2^50        50h37min
        FX1      512     2^50        92h25min
        HX600    256     2^51        270h17min

Deriving Equivalent Keys

We have successfully derived one value of OK_1 and three values of OK_2.

Concrete instances of the equivalent keys (δ = 0xd7d7d0d7)

OK_1    0x2fd918837136d461f4bc99938907dd0b
OK_2    0xa20ed0f467141b2a3b038abb5f61d59e
        0xe3a1902aa60b6c3582a9131527d43b2f
        0x3218a5b25828a0b7d2122283894cc63b

Summary

We showed that there are 2^50.0 pairs of equivalent keys.

We developed the algorithm to derive an instance of equivalent keys.

We demonstrated that we were able to derive concrete instances with the current computing environment.

As a result, based on the results of this paper, HyRAL did not proceed to the second round evaluation process in the CRYPTREC project.