Cryptanalysis of 256-Bit Key HyRAL via Equivalent Keys Nagoya University, Japan Yuki Asano, Shingo Yanagihara, and Tetsu Iwata ACNS2012, June 28, 2012,


1 Cryptanalysis of 256-Bit Key HyRAL via Equivalent Keys Nagoya University, Japan Yuki Asano, Shingo Yanagihara, and Tetsu Iwata ACNS2012, June 28, 2012, Singapore

2 Introduction
What is HyRAL?
– A secret key blockcipher
– Block size: 128 bits
– The key length: 128, 129, …, 256 bits
– One of the proposed algorithms for the CRYPTREC project’s call
The CRYPTREC project
– Maintaining the e-Government recommended ciphers list in Japan
– The list is planned to be revised in 2013

3 Background
The security of HyRAL
・ Differential attacks
・ Linear attacks
・ Impossible differential attacks
・ Saturation attacks
・ Higher order differential attacks
・ Boomerang attacks
No security weaknesses have been identified.

4 Our Research
For 256-bit key HyRAL:
1. We show that there are $2^{51.0}$ equivalent keys ($2^{50.0}$ pairs of equivalent keys).
2. We propose an algorithm that derives an instance of equivalent keys with the expected time complexity of $2^{48.8}$ encryptions.
3. We verify the proposed algorithm’s correctness by showing several instances of equivalent keys.

5 Equivalent Keys
The two distinct keys $(K, K')$ that satisfy $E_K(M) = E_{K'}(M)$ for all plaintexts $M$.
The ciphertext remains the same even if the key is changed.

6 Impact of Equivalent Keys
The existence of equivalent keys implies the theoretical cryptanalysis of the cipher.
– The key search space of a brute force attack is reduced.
– For 256-bit key HyRAL, the search space is $2^{256} - 2^{50}$.
Suppose that we use 256-bit key HyRAL to construct a compression function in Davies-Meyer mode.

7 Impact of Equivalent Keys
Suppose that we use the previous compression function to construct a hash function in Merkle-Damgård mode.
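What the two slides above lead to, as an added example that is not from the presentation: in Davies-Meyer mode the message block is used as the cipher key, so a pair of equivalent keys is a pair of colliding message blocks, and the collision carries through Merkle-Damgård chaining. The cipher below is a toy stand-in, not HyRAL; its constants, its linear key generation (a difference always cancels here, whereas in HyRAL it does so only with some probability) and all function names are assumptions made for illustration.

```python
import hashlib

M128, M64 = (1 << 128) - 1, (1 << 64) - 1
CST1 = 0x243F6A8885A308D313198A2E03707344   # constructed constants, not HyRAL's
CST2 = 0xA4093822299F31D0082EFA98EC4E6C89

def h64(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")

def kga(ok: int, cst: int) -> int:
    # Toy key generation, linear over XOR on purpose: an input difference d
    # always gives the same output difference, whichever constant is used.
    x = ok ^ cst
    return ((x << 13) | (x >> 115)) & M128

def encrypt(key: int, block: int) -> int:
    # 256-bit key = OK1 || OK2. The halves only meet in km, so equal output
    # differences of the two kga calls cancel and the round keys are unchanged.
    km = kga(key >> 128, CST1) ^ kga(key & M128, CST2)
    left, right = block >> 64, block & M64
    for rnd in range(8):                       # 8-round Feistel on 128 bits
        rk = km.to_bytes(16, "big") + bytes([rnd])
        left, right = right, left ^ h64(rk + right.to_bytes(8, "big"))
    return (left << 64) | right

def equivalent_key(key: int, delta: int) -> int:
    # Apply the same non-zero 128-bit difference to both halves of the key.
    return key ^ (delta << 128) ^ delta

def compress(h: int, m: int) -> int:
    # Davies-Meyer: chaining value is the plaintext, message block is the key.
    return encrypt(m, h) ^ h

def md_hash(blocks: list[int], iv: int = 0) -> int:
    # Merkle-Damgard chaining with a final length block (strengthening).
    h = iv
    for m in blocks + [len(blocks)]:
        h = compress(h, m)
    return h

# Constructed sample data; the difference is only a sample value for the toy.
K = int.from_bytes(hashlib.sha256(b"constructed sample key").digest(), "big")
K2 = equivalent_key(K, 0xD7D7D0D7D7D7D0D7D7D7D0D7D7D7D0D7)
MSG_A = [1, K, 2]      # three-block messages that differ only in block 2
MSG_B = [1, K2, 2]

if __name__ == "__main__":
    print(K != K2, md_hash(MSG_A) == md_hash(MSG_B))
```

The length block does not help because the colliding messages have the same length.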

8 Specification of 256-Bit Key HyRAL
$OK_1$: The most significant 128 bits of the secret key $K$
$OK_2$: The least significant 128 bits of $K$
$KGA_1$ and $KGA_2$: The Key Generation Algorithms
The Key Assignment Algorithm
The Data Processing Algorithm

9 Key Generation Algorithms: $KGA_1$ and $KGA_2$
$KGA_1$ and $KGA_2$ differ only in the internally used constants $CST_1$ and $CST_2$.
$G_1$ and $G_2$ functions of 128-bit input and output are used.

10 $G_1$ and $G_2$ Functions
The input and output are 128 bits.
The Generalized Feistel Structure of 4 rounds and 4 branches
$f_i$ functions of 32-bit input and output are used.
[Figures: $G_1$ function, $G_2$ function]

11 $f_i$ Function
$f_1, \ldots, f_8$ functions are keyless permutations over 32 bits.
The structure of the $f_i$ function is the SP-network.
[Figure: $f_i$ function, 8 bits]

12 KAA and DPA
KAA (the Key Assignment Algorithm)
– $(KM_1, KM_3, KM_2, KM_4)$ are first parsed into 32-bit strings.
– $(RK_1, \ldots, RK_9, IK_1, \ldots, IK_6)$ are generated by taking their linear combinations.
DPA (the Data Processing Algorithm)
– The overall structure is the 32 round Generalized Feistel Structure with 4 branches.

13 Existence of Equivalent Keys
Let $\Delta OK_1$ and $\Delta OK_2$ be the input differences for $KGA_1$ and $KGA_2$, respectively.
If the two output differences collide, then the input difference of KAA becomes null.

14 Existence of Equivalent Keys
When the input difference of KAA becomes null, we have the following equivalent keys.

15 Differential Characteristic of KGA
$KGA_1$ and $KGA_2$ are the same algorithms except for the internally used constants.
We may regard them identically as long as we consider their differential characteristics.

16 Differential Characteristic of KGA
Lemma 1. For KGA, there exists a differential characteristic with four active $f_i$ functions.
Let $\delta$ be any non-zero 32-bit string.
– The input difference of KGA: $(\delta\delta\delta\delta)$
– The output difference of KGA: $(\delta\delta 0 0)(0 0 0 \delta)(\delta\delta\delta\delta)(0 0 0 0)$

17 [Figure: $G_1$, $G_2$, $G_1$, $G_2$, $G_1$ functions; 32 bits]

18 Differential Characteristic of KGA
The probability of the differential characteristic:
– $DCP_{KGA}(\delta) = DP_{f_1}(\delta) \times DP_{f_3}(\delta) \times DP_{f_5}(\delta) \times DP_{f_7}(\delta)$
Lemma 2. There exists non-zero $\delta$ such that $DCP_{KGA}(\delta) > 2^{-128}$.

19 Differential Characteristic of KGA
For $2^{32}$ values of $\delta$, we computed the value of $DCP_{KGA}(\delta)$.
There exist 89938 values of $\delta$ such that $DCP_{KGA}(\delta) > 2^{-128}$.

$DCP_{KGA}(\delta)$   Example of $\delta$   Number
$2^{-103}$            0xd7d7d0d7            1
$2^{-104}$            0xc5c5d254            1
$2^{-105}$            0x4e4ec554            1
$2^{-106}$            0x3c3cf4ff            8
$2^{-107}$            0x6161f9d9            1
$2^{-108}$            0x054d9797            34
$2^{-109}$            0x0101019a            157
$2^{-110}$            0x0159591a            1579
$2^{-111}$            0x0101e818            7685
$2^{-112}$            0x01010520            80471

20 The Number of Equivalent Keys
The number of equivalent keys can be derived as follows:

$DCP_{KGA}(\delta)$   Example of $\delta$   Number
$2^{-103}$            0xd7d7d0d7            1
$2^{-104}$            0xc5c5d254            1
・・・                 ・・・                 ・・・
$2^{-112}$            0x01010520            80471

For each $(OK_1, OK_2)$, there are four equivalent keys.
The same equivalent keys are counted four times.
For $KGA_1$ and $KGA_2$, we consider all $\delta$ that satisfy $DCP_{KGA}(\delta) > 2^{-128}$.

21 The Number of Equivalent Keys
The number of pairs is the half of $2^{51.0}$, which is $2^{50.0}$.
Theorem 1. In 256-bit key HyRAL, there exist $2^{51.0}$ equivalent keys (or $2^{50.0}$ pairs of equivalent keys).
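Theorem 1 can be checked against the table of $\delta$ counts from the earlier slide. This is an added example, not from the presentation: it assumes that for a given $\delta$ about $2^{128} \cdot DCP_{KGA}(\delta)$ values of each 128-bit key half follow the characteristic, independently for $KGA_1$ and $KGA_2$, and that the four keys per $(OK_1, OK_2)$ cancel against the four-fold counting the slides mention. All function names are illustrative.

```python
from math import log2

# Rows of the slide's table: (e, number of delta with DCP_KGA(delta) = 2^-e).
TABLE = [(103, 1), (104, 1), (105, 1), (106, 8), (107, 1),
         (108, 34), (109, 157), (110, 1579), (111, 7685), (112, 80471)]

def usable_deltas() -> int:
    # Number of delta with DCP_KGA(delta) > 2^-128 according to the table.
    return sum(n for _, n in TABLE)

def key_pairs_for(e: int) -> int:
    # Assumption: 2^128 * 2^-e inputs of one KGA follow the characteristic,
    # and KGA_1 and KGA_2 behave independently, so the counts multiply.
    per_kga = 1 << (128 - e)
    return per_kga * per_kga

def equivalent_keys() -> int:
    # Four keys per (OK_1, OK_2), each counted four times: the factors cancel.
    return sum(n * key_pairs_for(e) for e, n in TABLE)

def share_of_best_delta() -> float:
    # Fraction of all equivalent keys that come from the single delta
    # with the maximum probability 2^-103.
    return key_pairs_for(103) / equivalent_keys()

if __name__ == "__main__":
    total = equivalent_keys()
    print(usable_deltas())                    # delta values in the table
    print(round(log2(total), 1))              # log2 of equivalent keys
    print(round(log2(total // 2), 1))         # log2 of pairs
    print(round(share_of_best_delta(), 3))
```

Under these assumptions roughly half of all equivalent keys come from the single best $\delta$, which is the case the derivation algorithm on the following slides targets.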

22 Equivalent Key Derivation Algorithm
We consider the case of $\delta$ = 0xd7d7d0d7.
– $DCP_{KGA}(\delta) = 2^{-103}$ ($DCP_{KGA}(\delta)$ is the maximum.)
For, let be a list of that satisfy
We may write down the lists as follows:

23 Equivalent Key Derivation Algorithm
Let be $f_i$ function in the r-th round.
We write the input and output strings of as and, respectively.
Let $(K_1, K_2, K_3, K_4)$ be the partition of $OK_1$ or $OK_2$ into 32-bit strings.
Let $(C_1, C_2, C_3, C_4)$ be the partition of $CST_1$ or $CST_2$ into 32-bit strings.

24 Equivalent Key Derivation Algorithm
If we can derive $(K_1, K_2, K_3, K_4)$ that satisfies this implies that we have derived the equivalent key.
Lemma 3. For arbitrarily fixed, and, where, the corresponding value of $(K_1, K_2, K_3, K_4)$ can be derived.

25 Step 1. Fix any and that satisfy and.
Step 2. Fix any and.
Step 3. Derive $(K_1, K_2, K_3, K_4)$ by using Lemma 3.
Step 4. Compute from $(K_1, K_2, K_3, K_4)$, and proceed to Step 5 if is satisfied. Otherwise return to Step 2.
Step 5. Compute from $(K_1, K_2, K_3, K_4)$, and output $(K_1, K_2, K_3, K_4)$ and halt if is satisfied. Otherwise return to Step 2.

26 Time Complexity of the Algorithm
The probability that both and are satisfied is
Therefore, we may expect that the algorithm returns $(K_1, K_2, K_3, K_4)$ after trying $2^{52}$ values of.

27 Time Complexity of the Algorithm
The time complexity of the algorithm is computations of $f_i$ functions in order to derive both $OK_1$ and $OK_2$.
This amounts to running encryption functions as there are 96 $f_i$ functions in the encryption function of 256-bit key HyRAL.

28 Deriving Equivalent Keys
We have implemented our algorithm on a supercomputer system at Information Technology Center in Nagoya University.
The systems we have used are called HX600 and FX1.

System   Number of CPUs/Cores   CPU                Total memory
HX600    384/1536               AMD Opteron 8380   6TB
FX1      768/3072               SPARC64 Ⅶ          24TB

29 Deriving Equivalent Keys
$\delta$ = 0xd7d7d0d7, = 0x17170c17, = 0x1717292b

         System   Cores   Number of   Running time
$OK_1$   HX600    1024    $2^{49}$    17h17min
$OK_2$   FX1      1024    $2^{50}$    50h37min
         FX1      512     $2^{50}$    92h25min
         HX600    256     $2^{51}$    270h17min

30 Deriving Equivalent Keys
We have successfully derived one value of $OK_1$ and three values of $OK_2$.
Concrete instances of the equivalent keys ($\delta$ = 0xd7d7d0d7)
$OK_1$   0x2fd918837136d461f4bc99938907dd0b
$OK_2$   0xa20ed0f467141b2a3b038abb5f61d59e
         0xe3a1902aa60b6c3582a9131527d43b2f
         0x3218a5b25828a0b7d2122283894cc63b

31 Summary
We showed that there are $2^{50.0}$ pairs of equivalent keys.
We developed the algorithm to derive an instance of equivalent keys.
We demonstrated that we were able to derive concrete instances with the current computing environment.
Based on the results of this paper, HyRAL did not proceed to the second round evaluation process in the CRYPTREC project.

