Cryptanalysis of 256-Bit Key HyRAL via Equivalent Keys Nagoya University, Japan Yuki Asano, Shingo Yanagihara, and Tetsu Iwata ACNS2012, June 28, 2012, Singapore
Introduction What is HyRAL? – A secret key blockcipher – Block size : 128 bits – The key length : 128, 129,…, 256 bits – One of the proposed algorithms for the CRYPTREC project’s call The CRYPTREC project – Maintaining the e-Government recommended ciphers list in Japan – The list is planned to be revised in
Background The security of HyRAL 3 ・ Differential attacks ・ Linear attacks ・ Impossible differential attacks ・ Saturation attacks ・ Higher order differential attacks ・ Boomerang attacks No security weaknesses have been identified.
Our Research For 256-bit key HyRAL 1.We show that there are equivalent keys ( pairs of equivalent keys). 2.We propose an algorithm that derives an instance of equivalent keys with the expected time complexity of encryptions. 3.We verify the proposed algorithm’s correctness by showing several instances of equivalent keys. 4
The two distinct keys (K, K’) that satisfy E K (M) = E K’ (M) for all plaintexts M The ciphertext remains the same even if the key is changed. Equivalent Keys 5
Impact of Equivalent Keys The existence of equivalent keys implies the theoretical cryptanalysis of the cipher. – The key search space of a brute force attack is reduced. – For 256-bit key HyRAL, the search space is Suppose that we use 256-bit key HyRAL to construct a compression function in Davies-Meyer mode. 6
Impact of Equivalent Keys Suppose that we use the previous compression function to construct a hash function in Merkle-Damgård mode. 7
Specification of 256-Bit Key HyRAL OK 1 :The most significant 128 bits of the secret key K OK 2 :The least significant 128 bits of K KGA 1 and KGA 2 :The Key Generation Algorithms The Key Assignment Algorithm The Data Processing Algorithm 8
Key Generation Algorithms: KGA 1 and KGA 2 KGA 1 and KGA 2 differ only in the internally used constants CST 1 and CST 2. G 1 and G 2 functions of 128-bit input and output are used. 9
G 1 and G 2 Functions The input and output are 128 bits. The Generalized Feistel Structure of 4 rounds and 4 branches f i functions of 32-bit input and output are used. G 1 functionG 2 function
f i Function f 1,…,f 8 functions are keyless permutations over 32 bits. The structure of f i function is the SP-network bits f i function
KAA and DPA KAA (the Key Assignment Algorithm) – (KM 1,KM 3,KM 2,KM 4 ) are first parsed into 32-bit strings. – (RK 1,…,RK 9, IK 1,…,IK 6 ) are generated by taking their linear combinations. DPA (the Data Processing Algorithm) – The overall structure is the 32 round Generalized Feistel Structure with 4 branches. 12
Existence of Equivalent Keys Let ΔOK 1 and ΔOK 2 be the input differences for KGA 1 and KGA 2, respectively. If the two output differences collide, then the input difference of KAA becomes null. 13
Existence of Equivalent Keys When the input difference of KAA becomes null, we have the following equivalent keys. 14
Differential Characteristic of KGA KGA 1 and KGA 2 are the same algorithms except for the internally used constants. We may regard them identically as long as we consider their differential characteristics. 15
Differential Characteristic of KGA Lemma 1. For KGA, there exists a differential characteristic with four active f i functions. Let δ be any non-zero 32-bit string. – The input difference of KGA : (δδδδ) – The output difference of KGA : (δδ00)(000δ)(δδδδ)(0000) 16
17 G1G1 G2G2 G1G1 G2G2 G1G1 32 bits
Differential Characteristic of KGA The probability of the differential characteristic: – DCP KGA (δ) = DP f1 (δ)×DP f3 (δ)×DP f5 (δ)×DP f7 (δ) Lemma 2. There exists non-zero δ such that DCP KGA (δ) >
Differential Characteristic of KGA For 2 32 values of δ, we computed the value of DCP KGA (δ). There exist values of δ such that DCP KGA (δ) > DCP KGA (δ)Example of δ Numbe r xd7d7d0d xc5c5d x4e4ec x3c3cf4ff x6161f9d x054d x a x a x0101e x
The Number of Equivalent Keys The number of equivalent keys can be derived as follows: 20 DCP KGA (δ)Example of δ Numbe r xd7d7d0d xc5c5d2541 ・ ・・ ・ ・・ ・ ・・ x For each (OK 1, OK 2 ), there are four equivalent keys. The same equivalent keys are counted for four times. For KGA 1 and KGA 2, we consider all δ which satisfies DCP KGA (δ) > For KGA 1 and KGA 2, we consider all δ which satisfies DCP KGA (δ) >
The Number of Equivalent Keys The number of pairs is the half of , which is Theorem 1. In 256-bit key HyRAL, there exist equivalent keys (or pairs of equivalent keys). 21
Equivalent Key Derivation Algorithm We consider the case of δ = 0xd7d7d0d7. – DCP KGA (δ) = (DCP KGA (δ) is the maximum.) For, let be a list of that satisfy We may write down the lists as follows: 22..
Equivalent Key Derivation Algorithm Let be f i function in the r-th round. We write the input and output strings of as and, respectively. Let (K 1,K 2,K 3,K 4 ) be the partition of OK 1 or OK 2 into 32-bit strings. Let (C 1,C 2,C 3,C 4 ) be the partition of CST 1 or CST 2 into 32-bit strings. 23
Equivalent Key Derivation Algorithm If we can derive (K 1,K 2,K 3,K 4 ) that satisfies this implies that we have derived the equivalent key. Lemma 3. For arbitrarily fixed, and, where, the corresponding value of (K 1,K 2,K 3,K 4 ) can be derived. 24
Step 1. Fix any and that satisfy and. Step 1. Fix any and that satisfy and. 25 Step 2. Fix any and. Step 3. Derive (K 1,K 2,K 3,K 4 ) by using Lemma 3. Step 4. Compute from (K 1,K 2,K 3,K 4 ), and proceed to Step 5 if is satisfied. Otherwise return to Step 2. Step 4. Compute from (K 1,K 2,K 3,K 4 ), and proceed to Step 5 if is satisfied. Otherwise return to Step 2. Step 5. Compute from (K 1,K 2,K 3,K 4 ), and output (K 1,K 2,K 3,K 4 ) and halt if is satisfied. Otherwise return to Step 2.
Time Complexity of the Algorithm The probability that both and are satisfied is Therefore, we may expect that the algorithm returns (K 1,K 2,K 3,K 4 ) after trying 2 52 values of. 26.
Time Complexity of the Algorithm The time complexity of the algorithm is computations of f i functions in order to derive both OK 1 and OK 2. This amounts to running encryption functions as there are 96 f i functions in the encryption function of 256-bit key HyRAL. 27
We have implemented our algorithm on a supercomputer system at Information Technology Center in Nagoya University. The systems we have used are called HX600 and FX1. Number of CPUs/Cores CPU Total memory HX600384/1536AMDOpteron 83806TB FX1768/3072 SPARC64 Ⅶ 24TB Deriving Equivalent Keys 28
δ = 0xd7d7d0d7, = 0x17170c17, = 0x b Deriving Equivalent Keys System Core s Number of Running time OK 1 HX h17min OK 2 FX h37min FX h25min HX h17min 29
Deriving Equivalent Keys We have successfully derived one value of OK 1 and three values of OK 2. Concrete instances of the equivalent keys (δ = 0xd7d7d0d7) OK 1 0x2fd d461f4bc dd0b OK 2 0xa20ed0f467141b2a3b038abb5f61d59e 0xe3a1902aa60b6c3582a d43b2f 0x3218a5b25828a0b7d cc63b 30
Summary We showed that there are pairs of equivalent keys. We developed the algorithm to derive an instance of equivalent keys. We demonstrated that we were able to derive concrete instances with the current computing environment. As a result, based on the results of this paper, HyRAL did not proceed to the second round evaluation process in the CRYPTREC project. 31