256ビット鍵HyRALの等価鍵 - Agency for Science

Download Report

Transcript 256ビット鍵HyRALの等価鍵 - Agency for Science 

Cryptanalysis of 256-Bit Key
HyRAL via Equivalent Keys
Nagoya University, Japan
Yuki Asano, Shingo Yanagihara, and Tetsu Iwata
ACNS2012, June 28, 2012, Singapore
Introduction
• What is HyRAL?
– A secret key blockcipher
– Block size : 128 bits
– The key length : 128, 129,…, 256 bits
– One of the proposed algorithms for the CRYPTREC
project’s call
• The CRYPTREC project
– Maintaining the e-Government recommended ciphers list
in Japan
– The list is planned to be revised in 2013
2
Background
• The security of HyRAL
・Differential attacks
・Linear attacks
・Impossible differential attacks
・Saturation attacks
・Higher order differential attacks
・Boomerang attacks
No security weaknesses have been identified.
3
Our Research
• For 256-bit key HyRAL
1. We show that there are 251.0 equivalent keys (250.0 pairs of
equivalent keys).
2. We propose an algorithm that derives an instance of
equivalent keys with the expected time complexity of 248.8
encryptions.
3. We verify the proposed algorithm’s correctness by
showing several instances of equivalent keys.
4
Equivalent Keys
• The two distinct keys (K, K’) that satisfy EK(M) = EK’(M) for all
plaintexts M
• The ciphertext remains the same even if the key is changed.
5
Impact of Equivalent Keys
• The existence of equivalent keys implies the theoretical
cryptanalysis of the cipher.
– The key search space of a brute force attack is reduced.
– For 256-bit key HyRAL, the search space is 2256-250.
• Suppose that we use 256-bit key HyRAL to construct
a compression function in Davies-Meyer mode.
6
Impact of Equivalent Keys
• Suppose that we use the previous compression function to
construct a hash function in Merkle-Damgård mode.
7
Specification of 256-Bit Key HyRAL
• OK1:The most significant 128 bits of the secret key K
• OK2:The least significant 128 bits of K
• KGA1 and KGA2:The Key Generation Algorithms
The Data Processing Algorithm
The Key Assignment Algorithm
8
Key Generation Algorithms:
KGA1 and KGA2
• KGA1 and KGA2 differ only in the internally used constants
CST1 and CST2.
• G1 and G2 functions of 128-bit input and output are used.
9
G1 and G2 Functions
• The input and output are 128 bits.
• The Generalized Feistel Structure
of 4 rounds and 4 branches
• fi functions of 32-bit input
and output are used.
G1 function
G2 function
fi Function
• f1,…,f8 functions are keyless permutations over 32 bits.
• The structure of fi function is the SP-network.
8 bits
fi function
11
KAA and DPA
• KAA (the Key Assignment Algorithm)
– (KM1,KM3,KM2,KM4) are first parsed into 32-bit strings.
– (RK1,…,RK9, IK1,…,IK6) are generated by taking their linear
combinations.
• DPA (the Data Processing Algorithm)
– The overall structure is the 32 round Generalized
Feistel Structure with 4 branches.
12
Existence of Equivalent Keys
• Let ΔOK1 and ΔOK2 be the input differences for KGA1 and
KGA2 , respectively.
• If the two output differences collide, then the input difference
of KAA becomes null.
13
Existence of Equivalent Keys
• When the input difference of KAA becomes null, we have the
following equivalent keys.
14
Differential Characteristic of KGA
• KGA1 and KGA2 are the same algorithms except for the
internally used constants.
• We may regard them identically as long as we consider their
differential characteristics.
•
15
Differential Characteristic of KGA
• Lemma 1. For KGA, there exists a differential characteristic
with four active fi functions.
• Let δ be any non-zero 32-bit string.
– The input difference of KGA : (δδδδ)
– The output difference of KGA : (δδ00)(000δ)(δδδδ)(0000)
16
32 bits
G1
G2
G1
G2
G1
17
Differential Characteristic of KGA
• The probability of the differential characteristic:
– DCPKGA(δ) = DPf1(δ)×DPf3(δ)×DPf5(δ)×DPf7(δ)
• Lemma 2. There exists non-zero δ such that DCPKGA(δ) > 2-128.
18
Differential Characteristic of KGA
• For 232 values of δ, we computed the value of DCPKGA(δ).
DCPKGA(δ) Example of δ Number
2-103
0xd7d7d0d7
1
• There exist 89938 values of δ
2-104
0xc5c5d254
1
-105
KGA
-128
2
0x4e4ec554
1
such that DCP (δ) > 2 .
2-106
0x3c3cf4ff
8
2-107
0x6161f9d9
1
2-108
0x054d9797
34
2-109
0x0101019a
157
2-110
0x0159591a 1579
2-111
0x0101e818 7685
2-112
0x01010520 80471
19
The Number of Equivalent Keys
For of
each
(OK1, OKkeys
arederived
four equivalent
keys.
• The number
equivalent
can be
as follows:
2), there
DCPKGA(δ) Example of δ Number
2-103
0xd7d7d0d7
1
The same equivalent keys
2-104
0xc5c5d254
1
areKGA
counted
for four times.
For
・
・
・
1 and KGA2,
we consider all δ which satisfies
・
・
・
DCPKGA(δ) > 2-128.
・
・
・
2-112
0x01010520 80471
20
The Number of Equivalent Keys
• The number of pairs is the half of 251.0, which is 250.0.
Theorem 1. In 256-bit key HyRAL, there exist 251.0 equivalent keys
(or 250.0 pairs of equivalent keys).
21
Equivalent Key Derivation Algorithm
• We consider the case of δ = 0xd7d7d0d7.
– DCPKGA(δ) = 2-103 (DCPKGA(δ) is the maximum.)
• For
, let be a list of that satisfy
.
• We may write down the lists as follows:
.
22
Equivalent Key Derivation Algorithm
• Let
be fi function in the r-th round.
• We write the input and output strings of
respectively.
as
and
,
• Let (K1,K2,K3,K4) be the partition of OK1 or OK2 into 32-bit
strings.
• Let (C1,C2,C3,C4) be the partition of CST1 or CST2 into 32-bit
strings.
23
Equivalent Key Derivation Algorithm
If we can derive (K1,K2,K3,K4) that satisfies
this implies that we have derived the equivalent key.
• Lemma 3. For arbitrarily fixed
, and
, where
, the corresponding value of (K1,K2,K3,K4)
can be derived.
24
Step 4. Compute
from (K1,K2,K3,K4), and
proceed
is satisfied.
Step 1.toFixStep
any5 if and
that
Step 5. Compute
from (K1,K22.
,K ,K ), and
Otherwise return
satisfy
and to Step
. 3 4
output (K1,K2,K3,K4) and halt if
is
satisfied.
return
Step 2. Otherwise
Fix any
and to
. Step 2.
Step 3. Derive (K1,K2,K3,K4) by using Lemma 3.
25
Time Complexity of the Algorithm
• The probability that both
satisfied is
and
are
.
Therefore, we may expect that the algorithm returns
(K1,K2,K3,K4) after trying 252 values of
.
26
Time Complexity of the Algorithm
• The time complexity of the algorithm is
computations
of fi functions in order to derive both OK1 and OK2.
• This amounts to running
encryption
functions as there are 96 fi functions in the encryption
function of 256-bit key HyRAL.
27
Deriving Equivalent Keys
• We have implemented our algorithm on a supercomputer
system at Information Technology Center in Nagoya University.
• The systems we have used are called HX600 and FX1.
HX600
FX1
Number of
CPUs/Cores
384/1536
768/3072
CPU
Total memory
AMDOpteron 8380
SPARC64 Ⅶ
6TB
24TB
28
Deriving Equivalent Keys
• δ = 0xd7d7d0d7,
= 0x17170c17,
System CoresNumber of
OK1 HX600 1024
FX1 1024
OK2 FX1
512
HX600 256
249
250
250
251
= 0x1717292b
Running time
17h17min
50h37min
92h25min
270h17min
29
Deriving Equivalent Keys
• We have successfully derived one value of OK1 and three
values of OK2.
OK1
0x2fd918837136d461f4bc99938907dd0b
0xa20ed0f467141b2a3b038abb5f61d59e
OK2 0xe3a1902aa60b6c3582a9131527d43b2f
0x3218a5b25828a0b7d2122283894cc63b
• Concrete instances of the equivalent keys (δ = 0xd7d7d0d7)
30
Summary
• We showed that there are 250.0 pairs of equivalent keys.
• We developed the algorithm to derive an instance of
equivalent keys.
• We demonstrated that we were able to derive concrete
instances with the current computing environment.
• As a result, based on the results of this paper, HyRAL did not
proceed to the second round evaluation process in the
CRYPTREC project.
31