Improved Meet-in-the-Middle Attacks on Reduced Round Kuznyechik

Abstract

Kuznyechik is an SPN block cipher that has been chosen recently to be standardized by the Russian federation as a new GOST cipher. The cipher employs a 256-bit key which is used to generate ten 128-bit round keys. The encryption procedure updates the 16-byte state by iterating the round function for nine rounds. In this work, we improve the previous 5-round Meet-in-the-Middle (MitM) attack on Kuznyechik by presenting a 6-round attack using the MitM with differential enumeration technique. Unlike previous distinguishers which utilize only the structural properties of the Maximum Distance Separable (MDS) linear transformation layer of the cipher, our 3-round distinguisher is computed based on the exact values of the coefficients of this MDS transformation. More specifically, first, we identified the MDS matrix that is utilized in this cipher. Then, we find all the relations that relate between subset of the inputs and outputs of this linear transformation. Finally, we utilized one of these relations in order to find the best distinguisher that can optimize the time complexity of the attack. Also, instead of placing the distinguisher in the middle rounds of the cipher as in the previous 5-round attack, we place it at the first 3 rounds which allows us to convert the attack from the chosen ciphertext model to the chosen plaintext model. Then, to extend the distinguisher by 3 rounds, we performed the matching between the offline and online phases around the linear transformation instead of matching on a state byte.

A Chosen Plaintext MitM Attack on 5-Round Kuznyechik

The authors in [4] implied that their attack can only work in the chosen ciphertext model. In this appendix, we show how we can tweak their attack to work in the plaintext model. Figure 4 illustrates our 3-round distinguisher which starts at \(x_{1}\) and ends at \(y_{4}\). The \(\delta \)-set is chosen at byte 15 and the multiset is computed at byte 15. Our distinguisher is based on the following proposition:

Fig. 4.

Kuznyechik 5-round attack

Proposition 4

If a message m belongs to a pair of states conforming to the truncated differential characteristic of Fig. 4, then the multiset of differences \(\varDelta y_{4}[15]\) obtained from the \(\delta \)-set constructed from m in \(x_{1}[15]\) is fully determined by the following 19 bytes: \(\varDelta x_{1}[15], x_{2}, y_{4}[15]\) and \(\varDelta y_{4}[15]\).

Proposition 4 can be proved using the same approach used to prove Proposition 3.

Offline Phase. In this phase, we compute the multiset at \(y_4[15]\) using the 19 byte parameters mentioned in Proposition 4, i.e., we have \(2^{19 \times 8} =2^{152}\) multiset out of \(2^{467.6}\) theoretically possible ones.

Data Collection. The probability of the truncated differential characteristic can be evaluated as follows: transition from \(z_4\) to \(y_4\) over \(L^{-1}\) (\(16\rightarrow 1\)) of probability \(2^{-15\times 8}=2^{-120}\). Therefore, we need to collect \(2^{120}\) message pairs to guarantee that there exist one message pair which conform to the truncated path. We use the same structure that is used in the 6-round attack. Hence, we need to query \(2^{113}\) chosen plaintext.

Key Recovery. In order to build the \(\delta \)-set and compute the multiset, we need to guess \(K_6\). The key suggestions for the 16 bytes \(K_6\) can be obtained by guessing \(\varDelta y_4[15]\). Therefore, we have \(2^{8}\) values for the 16 bytes key \(K_6\).

The probability of finding a match in the table with the wrong key is \(2^{152}/2^{467.6}=2^{-315.6}\). Therefore, the number of key candidates of \(K_6\) after launching the attack is \(2^{120+8-315.6}=2^{-187.6}\), i.e., our attack will find one right value for \(K_6\). Then, the master key can be recovered by guessing \(K_5\) using two plaintext/ciphertext pairs.

Attack complexity. The memory complexity is \(2^{152}\times 512/128=2^{154}\) 128-bit. The data complexity is \(2^{113}\) chosen plaintext. The time complexity is \(2^{19\times 8} \times 2^{8} \times 3/5 + 2^{120} \times 2^8 \times 2^8 \times 2/5 + 2 \times 2^{128}\approx 2^{159.3}+2^{134.7}+2^{129}\approx 2^{159.3}\) encryptions. Our attack has an online time complexity of \(2^{134.7}\) encryptions. Therefore, this attack reduces the online time complexity of the previous attack [4] by a factor of \(2^{5.6}\) with the same data and a non significant increase in the memory complexity.