Abstract
Kuznyechik is an SPN block cipher that has recently been selected by the Russian Federation for standardization as a new GOST cipher. The cipher uses a 256-bit key to generate ten 128-bit round keys. The encryption procedure updates the 16-byte state by iterating the round function for nine rounds. In this work, we improve the previous 5-round Meet-in-the-Middle (MitM) attack on Kuznyechik by presenting a 6-round attack using the MitM with differential enumeration technique. Unlike previous distinguishers, which exploit only the structural properties of the Maximum Distance Separable (MDS) linear transformation layer of the cipher, our 3-round distinguisher is computed from the exact values of the coefficients of this MDS transformation. More specifically, we first identify the MDS matrix used in this cipher. Then, we find all the relations between subsets of the inputs and outputs of this linear transformation. Finally, we use one of these relations to find the distinguisher that best optimizes the time complexity of the attack. Also, instead of placing the distinguisher in the middle rounds of the cipher as in the previous 5-round attack, we place it at the first 3 rounds, which allows us to convert the attack from the chosen ciphertext model to the chosen plaintext model. Then, to extend the distinguisher by 3 rounds, we perform the matching between the offline and online phases around the linear transformation instead of matching on a state byte.
References
GOST 28147–89. Information Processing Systems. Cryptographic Protection. Cryptographic Transformation Algorithm (in Russian)
The National Standard of the Russian Federation GOST R 34.11-2012. Russian Federal Agency on Technical Regulation and Metrology report (2015)
AlTawy, R., Duman, O., Youssef, A.M.: Fault analysis of Kuznyechik. IACR Cryptology ePrint Archive, 2015/347 (2015). https://eprint.iacr.org/2015/347.pdf
AlTawy, R., Youssef, A.M.: A meet in the middle attack on reduced round Kuznyechik. IEICE Trans. 98–A(10), 2194–2198 (2015)
Biryukov, A., Derbez, P., Perrin, L.: Differential analysis and meet-in-the-middle attack against round-reduced TWINE. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 3–27. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48116-5_1
Biryukov, A., Khovratovich, D., Perrin, L.: Multiset-algebraic cryptanalysis of reduced Kuznyechik, Khazad, and secret SPNs. IACR Trans. Symmetric Cryptol. 2016(2), 226–247 (2017)
Biryukov, A., Perrin, L., Udovenko, A.: Reverse-engineering the S-Box of Streebog, Kuznyechik and STRIBOBr1. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 372–402. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_15
Bogdanov, A., Rechberger, C.: A 3-subset meet-in-the-middle attack: cryptanalysis of the lightweight block cipher KTANTAN. In: Biryukov, A., Gong, G., Stinson, D.R. (eds.) SAC 2010. LNCS, vol. 6544, pp. 229–240. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19574-7_16
Daemen, J., Knudsen, L., Rijmen, V.: The block cipher Square. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 149–165. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052343
Demirci, H., Selçuk, A.A.: A meet-in-the-middle attack on 8-round AES. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 116–126. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-71039-4_7
Derbez, P., Fouque, P.-A.: Exhausting Demirci-Selçuk meet-in-the-middle attacks against reduced-round AES. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 541–560. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43933-3_28
Derbez, P., Fouque, P.-A., Jean, J.: Improved key recovery attacks on reduced-round AES in the single-key setting. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 371–387. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_23
Derbez, P., Perrin, L.: Meet-in-the-middle attacks and structural analysis of round-reduced PRINCE. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 190–216. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48116-5_10
Diffie, W., Hellman, M.E.: Special feature exhaustive cryptanalysis of the NBS data encryption standard. Computer 10(6), 74–84 (1977)
Dunkelman, O., Keller, N., Shamir, A.: Improved single-key attacks on 8-round AES-192 and AES-256. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 158–176. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_10
Guo, J., Jean, J., Nikolić, I., Sasaki, Y.: Meet-in-the-middle attacks on generic Feistel constructions. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 458–477. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_24
Li, L., Jia, K., Wang, X.: Improved meet-in-the-middle attacks on AES-192 and PRINCE. IACR Cryptology ePrint Archive, 2013/573 (2013). https://eprint.iacr.org/2013/573.pdf
Lin, L., Wu, W.: Improved meet-in-the-middle distinguisher on Feistel schemes. IACR Cryptology ePrint Archive, 2015/051 (2015). https://eprint.iacr.org/2015/051.pdf
Shishkin, V., Dygin, D., Lavrikov, I., Marshalko, G., Rudskoy, V., Trifonov, D.: Low-Weight and Hi-End: Draft Russian Encryption Standard, pp. 183–188 (2014)
Tolba, M., Abdelkhalek, A., Youssef, A.M.: Meet-in-the-middle attacks on reduced round Piccolo. In: Güneysu, T., Leander, G., Moradi, A. (eds.) LightSec 2015. LNCS, vol. 9542, pp. 3–20. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29078-2_1
Tolba, M., Youssef, A.M.: Generalized MitM attacks on full TWINE. Inf. Process. Lett. 116, 128–135 (2016)
A Chosen Plaintext MitM Attack on 5-Round Kuznyechik
The authors in [4] implied that their attack can only work in the chosen ciphertext model. In this appendix, we show how their attack can be tweaked to work in the chosen plaintext model. Figure 4 illustrates our 3-round distinguisher, which starts at \(x_{1}\) and ends at \(y_{4}\). The \(\delta \)-set is chosen at byte 15 and the multiset is computed at byte 15. Our distinguisher is based on the following proposition:
Proposition 4
If a message m belongs to a pair of states conforming to the truncated differential characteristic of Fig. 4, then the multiset of differences \(\varDelta y_{4}[15]\) obtained from the \(\delta \)-set constructed from m in \(x_{1}[15]\) is fully determined by the following 19 bytes: \(\varDelta x_{1}[15], x_{2}, y_{4}[15]\) and \(\varDelta y_{4}[15]\).
Proposition 4 can be proved using the same approach used to prove Proposition 3.
Offline Phase. In this phase, we compute the multiset at \(y_4[15]\) using the 19-byte parameters mentioned in Proposition 4, i.e., we have \(2^{19 \times 8} =2^{152}\) multisets out of the \(2^{467.6}\) theoretically possible ones.
Data Collection. The probability of the truncated differential characteristic is evaluated as follows: the transition from \(z_4\) to \(y_4\) over \(L^{-1}\) (\(16\rightarrow 1\)) has probability \(2^{-15\times 8}=2^{-120}\). Therefore, we need to collect \(2^{120}\) message pairs to guarantee that there exists one message pair that conforms to the truncated path. We use the same structure as in the 6-round attack. Hence, we need to query \(2^{113}\) chosen plaintexts.
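The following Python is an added example, not the paper's or the standard's own code: it builds Kuznyechik's linear layer \(L = R^{16}\) from the sixteen GF(2^8) coefficients and the field polynomial published in GOST R 34.12-2015 (RFC 7801), then checks the diffusion property that underlies both the abstract's remark about the MDS layer and the \(16\rightarrow 1\) transition estimate above. The function names (gf_mul, ell, R, R_inv, L, single_byte_diffusion) are this example's own; the check confirms that every single-byte input difference activates all 16 output bytes of \(L\), which is why a random 16-byte difference at \(z_4\) collapses to a single byte at \(y_4\) under \(L^{-1}\) with probability about \(2^{-120}\).

```python
# Added example, not the paper's code: Kuznyechik's linear layer L = R^16 from the
# coefficients and field polynomial of GOST R 34.12-2015 (RFC 7801), plus the diffusion
# check behind the 2^-120 estimate for the 16 -> 1 transition from z4 to y4 over L^-1.
POLY = 0x1C3  # x^8 + x^7 + x^6 + x + 1
COEF = [148, 32, 133, 16, 194, 192, 1, 251, 1, 192, 194, 16, 133, 32, 148, 1]  # for a15..a0

def gf_mul(a, b):
    """Multiply two GF(2^8) elements modulo POLY (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r

TABLE = [[gf_mul(c, x) for x in range(256)] for c in COEF]  # l() becomes 16 lookups

def ell(a):
    """l(a15..a0) = 148*a15 + 32*a14 + ... + 1*a0; index 0 is the leftmost byte a15."""
    out = 0
    for i in range(16):
        out ^= TABLE[i][a[i]]
    return out

def R(a):
    """R(a) = l(a) || a15 || ... || a1: prepend l(a), drop the rightmost byte a0."""
    return bytes([ell(a)]) + a[:15]
def R_inv(b):
    """Undo R: a0 has coefficient 1 in l, so l(a) = b[0] is solved for a0."""
    return b[1:] + bytes([b[0] ^ ell(b[1:] + b"\x00")])

def L(a, inverse=False):
    """L = R^16; with inverse=True apply R_inv 16 times instead (L^-1)."""
    for _ in range(16):
        a = R_inv(a) if inverse else R(a)
    return a

def single_byte_diffusion():
    """Minimum active output bytes of L over all 16*255 single-byte input differences.
    16 means only the 255 values L(d) with d active in byte 15 alone collapse to one byte
    under L^-1, i.e. a random z4 difference does so with probability ~255/2^128 = 2^-120."""
    worst = 16
    for pos in range(16):
        for val in range(1, 256):
            d = bytes(val if i == pos else 0 for i in range(16))  # L is linear
            worst = min(worst, sum(1 for x in L(d) if x))
    return worst
```

The R test vectors of RFC 7801 (e.g. R(00…0100) = 94 00…01) can be used to confirm the byte ordering of this implementation.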
Key Recovery. In order to build the \(\delta \)-set and compute the multiset, we need to guess \(K_6\). The key suggestions for the 16-byte key \(K_6\) can be obtained by guessing \(\varDelta y_4[15]\). Therefore, we have \(2^{8}\) candidate values for the 16-byte key \(K_6\).
The probability that a wrong key yields a match in the table is \(2^{152}/2^{467.6}=2^{-315.6}\). Therefore, the number of candidates for \(K_6\) remaining after the attack is \(2^{120+8-315.6}=2^{-187.6}\), i.e., our attack finds the single right value of \(K_6\). Then, the master key can be recovered by guessing \(K_5\) using two plaintext/ciphertext pairs.
Attack complexity. The memory complexity is \(2^{152}\times 512/128=2^{154}\) 128-bit blocks. The data complexity is \(2^{113}\) chosen plaintexts. The time complexity is \(2^{19\times 8} \times 2^{8} \times 3/5 + 2^{120} \times 2^8 \times 2^8 \times 2/5 + 2 \times 2^{128}\approx 2^{159.3}+2^{134.7}+2^{129}\approx 2^{159.3}\) encryptions. Our attack has an online time complexity of \(2^{134.7}\) encryptions. Therefore, this attack reduces the online time complexity of the previous attack [4] by a factor of \(2^{5.6}\) with the same data complexity and an insignificant increase in the memory complexity.
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
Cite this paper
Tolba, M., Youssef, A.M. (2018). Improved Meet-in-the-Middle Attacks on Reduced Round Kuznyechik. In: Kim, H., Kim, D.-C. (eds.) Information Security and Cryptology – ICISC 2017. Lecture Notes in Computer Science, vol. 10779. Springer, Cham. https://doi.org/10.1007/978-3-319-78556-1_2
DOI: https://doi.org/10.1007/978-3-319-78556-1_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-78555-4
Online ISBN: 978-3-319-78556-1