Cryptanalysis of 256

Bit Key
HyRAL
via Equivalent Keys
Nagoya University, Japan
Yuki Asano
, Shingo
Yanagihara
, and
Tetsu
Iwata
ACNS2012, June 28, 2012, Singapore
Introduction
•
What is
HyRAL
?
–
A secret key
blockcipher
–
Block size : 128 bits
–
The key length : 128, 129,…, 256 bits
–
One of the proposed algorithms for the CRYPTREC
project’s call
•
The CRYPTREC project
–
Maintaining the e

Government recommended ciphers list
in Japan
–
The list is planned to be revised in 2013
2
Background
•
The security of
HyRAL
3
・
Differential attacks
・
Linear attacks
・
Impossible differential attacks
・
Saturation attacks
・
Higher order differential attacks
・
Boomerang attacks
No security weaknesses have been identified.
Our Research
•
For 256

bit key
HyRAL
1.
We show that there are 2
51.0
equivalent keys (2
50.0
pairs of
equivalent keys).
2.
We propose an algorithm that derives an instance of
equivalent keys with the expected time complexity of 2
48.8
encryptions.
3.
We verify the proposed algorithm’s correctness by
showing several instances of equivalent keys.
4
•
The two distinct keys (K, K’) that satisfy E
K
(M) = E
K’
(M) for all
plaintexts M
•
The
ciphertext
remains the same even if the key is changed.
Equivalent Keys
5
Impact of Equivalent Keys
•
The existence of equivalent keys implies the theoretical
cryptanalysis of the cipher.
–
The key search space of a brute force attack is reduced.
–
For
256

bit key
HyRAL
, the search space is 2
256

2
50
.
•
Suppose that we use 256

bit key
HyRAL
to construct
a compression function in Davies

Meyer mode.
6
Impact of Equivalent Keys
•
Suppose that we use the previous compression function to
construct a hash function in
Merkle

Damgård
mode.
7
Specification of 256

Bit Key
HyRAL
•
OK
1
:The most significant 128 bits of the secret key K
•
OK
2
:The least significant 128 bits of K
•
KGA
1
and KGA
2
:The Key Generation Algorithms
The Key Assignment Algorithm
The Data Processing Algorithm
8
Key Generation Algorithms:
KGA
1
and KGA
2
•
KGA
1
and KGA
2
differ only in the internally used constants
CST
1
and CST
2
.
•
G
1
and G
2
functions of 128

bit input and output are used.
9
G
1
and G
2
Functions
•
The input and output are 128 bits.
•
The Generalized
Feistel
Structure
of 4 rounds and 4 branches
•
f
i
functions of 32

bit input
and output are used.
G
1
function
G
2
function
f
i
Function
•
f
1
,…,f
8
functions are keyless permutations over 32 bits.
•
The structure of
f
i
function is the SP

network.
11
8 bits
f
i
function
KAA and DPA
•
KAA (the Key Assignment Algorithm)
–
(KM
1
,KM
3
,KM
2
,KM
4
) are first parsed into 32

bit strings.
–
(RK
1
,…,RK
9
, IK
1
,…,IK
6
) are generated by taking their linear
combinations.
•
DPA (the Data Processing Algorithm)
–
The overall structure is the 32 round Generalized
Feistel
Structure with 4 branches.
12
Existence of Equivalent Keys
•
Let ΔOK
1
and ΔOK
2
be the input differences for KGA
1
and
KGA
2
, respectively.
•
If the two output differences collide, then the input difference
of KAA becomes null.
13
Existence of Equivalent Keys
•
When the input difference of KAA becomes null, we have the
following equivalent keys.
14
Differential Characteristic of KGA
•
KGA
1
and KGA
2
are the same algorithms except for the
internally used constants.
•
We may regard them identically as long as we consider their
differential characteristics.
•
15
Differential Characteristic of KGA
•
Lemma 1.
For KGA, there exists a differential characteristic
with four active
f
i
functions.
•
Let δ be any non

zero 32

bit string.
–
The input difference of KGA : (
δδδδ
)
–
The output difference of KGA : (δδ00)(000δ)(
δδδδ
)(0000)
16
17
G
１
G
2
G
１
G
2
G
１
32 bits
Differential Characteristic of KGA
•
The probability of the differential characteristic:
–
DCP
KGA
(δ)
= DP
f1
(δ)
×
DP
f3
(δ)
×
DP
f5
(δ)
×
DP
f7
(δ)
•
Lemma 2.
There exists non

zero δ such that DCP
KGA
(δ) > 2

128
.
18
Differential Characteristic of KGA
•
For 2
32
values of δ, we computed the value of DCP
KGA
(δ).
•
There exist 89938 values of δ
such that DCP
KGA
(δ) > 2

128
.
DCP
KGA
(
δ)
䕸E浰汥m潦o
δ
乵浢敲
2

103
0xd7d7d0d7
1
2

104
0xc5c5d254
1
2

105
0x4e4ec554
1
2

106
0x3c3cf4ff
8
2

107
0x6161f9d9
1
2

108
0x054d9797
34
2

109
0x0101019a
157
2

110
0x0159591a
1579
2

111
0x0101e818
7685
2

112
0x01010520
80471
19
The Number of Equivalent Keys
•
The number of equivalent keys can be derived as follows:
20
DCP
KGA
(
δ)
䕸慭灬攠潦o
δ
乵浢敲
2

103
0xd7d7d0d7
1
2

104
0xc5c5d254
1
・
・
・
・
・
・
・
・
・
2

112
0x01010520
80471
For each (OK
1
, OK
2
), there are four equivalent keys.
The same equivalent keys
are counted for four times.
For KGA
1
and KGA
2
,
we consider all δ which satisfies
DCP
KGA
(δ) > 2

128
.
The Number of Equivalent Keys
•
The number of pairs is the half of 2
51.0
, which is 2
50.0
.
Theorem 1.
In 256

bit key
HyRAL
, there exist 2
51.0
equivalent keys
(or 2
50.0
pairs of equivalent keys).
21
Equivalent Key Derivation Algorithm
•
We consider the case of δ = 0xd7d7d0d7.
–
DCP
KGA
(δ) = 2

103
(DCP
KGA
(δ) is the maximum.)
•
For , let be a list of that satisfy
•
We may write down the lists as follows:
22
.
.
Equivalent Key Derivation Algorithm
•
Let be
f
i
function in the r

th
round.
•
We write the input and output strings of
as and ,
respectively.
•
Let (K
1
,K
2
,K
3
,K
4
) be the partition of OK
1
or OK
2
into 32

bit
strings.
•
Let (C
1
,C
2
,C
3
,C
4
) be the partition of CST
1
or CST
2
into 32

bit
strings.
23
Equivalent Key Derivation Algorithm
If we can derive (K
1
,K
2
,K
3
,K
4
) that satisfies
this implies that we have derived the equivalent key.
•
Lemma 3.
For arbitrarily fixed , and , where
, the corresponding value of (K
1
,K
2
,K
3
,K
4
)
can be derived.
24
Step 1. Fix any
and that
satisfy and .
25
Step 2. Fix any and .
Step 3. Derive (K
1
,K
2
,K
3
,K
4
) by using Lemma 3.
Step 4. Compute from (K
1
,K
2
,K
3
,K
4
), and
proceed to Step 5 if is satisfied.
Otherwise return to Step 2.
Step 5. Compute from (K
1
,K
2
,K
3
,K
4
), and
output (K
1
,K
2
,K
3
,K
4
) and halt if is
satisfied. Otherwise return to Step 2.
Time Complexity of the Algorithm
•
The probability that both
and
are
satisfied is
Therefore, we may expect that the algorithm returns
(K
1
,K
2
,K
3
,K
4
) after trying 2
52
values of
.
26
.
Time Complexity of the Algorithm
•
The time complexity of the algorithm is computations
of
f
i
functions in order to derive both OK
1
and OK
2
.
•
This amounts to running encryption
functions as there are 96
f
i
functions in the encryption
function of 256

bit key
HyRAL
.
27
•
We have implemented our algorithm on a supercomputer
system at Information Technology Center in Nagoya University.
•
The systems we have used are called HX600 and FX1.
Number of
CPUs
/Cores
CPU
Total memory
HX600
384/1536
AMDOpteron 8380
6TB
FX1
768/3072
SPARC64 Ⅶ
24TB
Deriving Equivalent Keys
28
•
δ = 0xd7d7d0d7, = 0x17170c17, = 0x1717292b
Deriving Equivalent Keys
System
Cores
Number of
Running time
OK
1
HX600
1024
2
49
17h17min
OK
2
FX1
1024
2
50
50h37min
FX1
512
2
50
92h25min
HX600
256
2
51
270h17min
29
Deriving Equivalent Keys
•
We have successfully derived one value of OK
1
and three
values of OK
2
.
•
Concrete instances of the equivalent keys (δ = 0xd7d7d0d7)
OK
1
0x2fd918837136d461f4bc99938907dd0b
OK
2
0xa20ed0f467141b2a3b038abb5f61d59e
0xe3a1902aa60b6c3582a9131527d43b2f
0x3218a5b25828a0b7d2122283894cc63b
30
Summary
•
We showed that there are 2
50.0
pairs of equivalent keys.
•
We developed the algorithm to derive an instance of
equivalent keys.
•
We demonstrated that we were able to derive concrete
instances with the current computing environment.
•
As a result, based on the results of this paper,
HyRAL
did not
proceed to the second round
evaluation process in the
CRYPTREC project.
31
Comments 0
Log in to post a comment