Analysis of Kupyna
Christoph Dobraunig Maria Eichlseder Florian Mendel ASK 2015 www.iaik.tugraz.at
The Kupyna Hash Function www.iaik.tugraz.at The Kupyna Hash Function
Defined in the Ukrainian standard DSTU 7564:2014
Replacement for GOST R 34.11-94
Design is similar to Grøstl
1 / 29 www.iaik.tugraz.at The Kupyna Hash Function
m1 m2 mt
IV f f f ⌦ hash 2n 2n 2n n
Iterated hash function Wide-pipe design
Merkle-Damgard˚ design principle
Strong output transformation
2 / 29 www.iaik.tugraz.at The Kupyna Compression Function
mi T + 2n
hi 1 hi � T � 2n 2n
Permutation based design similar to Grøstl 8 8 state and 10 rounds for Kupyna-256 ⇥ 8 16 state and 14 rounds for Kupyna-512 ⇥
3 / 29 www.iaik.tugraz.at The Kupyna-256 Round Transformations
AddConstant SubBytes ShiftBytes MixBytes
f3 f3 f3 f3 f3 f3 f3 f3 f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 S + f0 f0 f0 f0 f0 f0 f0 f0 T : f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 fi ei di ci bi ai 9i 8i
0i 1i 2i 3i 4i 5i 6i 7i
S
T �:
AES-like round transformation
r = MB SH SB AC i � � �
4 / 29 www.iaik.tugraz.at
Analysis of Kupyna www.iaik.tugraz.at Existing Analysis of Grøstl
Grøstl received a large amount of cryptanalysis
Initiated by the design team itself rebound attack ! Several improvements have been made Internal differential attack
Zero-sum distinguisher
Meet-in-the-middle attacks
...
5 / 29 www.iaik.tugraz.at Existing Analysis of Grøstl
F. Mendel, T. Peyrin, C. Rechberger, and M. Schlaffer¨ Improved Cryptanalysis of the Reduced Grøstl Compression Function, ECHO Permutation and AES Block Cipher Selected Areas in Cryptography 2009
F. Mendel, C. Rechberger, M. Schlaffer,¨ and S. S. Thomsen The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl FSE 2009 H. Gilbert and T. Peyrin Super-Sbox Cryptanalysis: Improved Attacks for AES-Like Permutations FSE 2010 K. Ideguchi, E. Tischhauser, and B. Preneel Improved Collision Attacks on the Reduced-Round Grøstl Hash Function ISC 2010 F. Mendel, C. Rechberger, M. Schlaffer,¨ and S. S. Thomsen Rebound Attacks on the Reduced Grøstl Hash Function CT-RSA 2010
6 / 29 www.iaik.tugraz.at Existing Analysis of Grøstl
T. Peyrin Improved Differential Attacks for ECHO and Grøstl CRYPTO 2010 Y. Sasaki, Y. Li, L. Wang, K. Sakiyama, and K. Ohta Non-full-active Super-Sbox Analysis: Applications to ECHO and Grøstl ASIACRYPT 2010 C. Boura, A. Canteaut, and C. De Canniere` Higher-Order Differential Properties of Keccak and Luffa FSE 2011 M. Schlaffer¨ Updated Differential Analysis of Grøstl 2011 J. Jean, M. Naya-Plasencia, and T. Peyrin Improved Rebound Attack on the Finalist Grøstl FSE 2012
7 / 29 www.iaik.tugraz.at Existing Analysis of Grøstl
S. Wu, D. Feng, W. Wu, J. Guo, L. Dong, and J. Zou (Pseudo) Preimage Attack on Round-Reduced Grøstl Hash Function and Others FSE 2012 J. Jean, M. Naya-Plasencia, and T. Peyrin Multiple Limited-Birthday Distinguishers and Applications Selected Areas in Cryptography 2013
M. Minier and G. Thomas An Integral Distinguisher on Grøstl-512 INDOCRYPT 2013 F. Mendel, V. Rijmen, and M. Schlaffer¨ Collision Attack on 5 Rounds of Grøstl FSE 2014 Y. Sasaki, Y. Tokushige, L. Wang, M. Iwamoto, and K. Ohta An Automated Evaluation Tool for Improved Rebound Attack: New Distinguishers and Proposals of ShiftBytes Parameters for Grøstl CT-RSA 2014
8 / 29 www.iaik.tugraz.at The Rebound Attack
Ebw Ein Efw
inbound outbound outbound
Inbound phase
efficient meet-in-the-middle phase in Ein using available degrees of freedom
Outbound phase
probabilistic part in Ebw and Efw repeat inbound phase if needed
9 / 29 www.iaik.tugraz.at
Attack on the Compression Function mi
2n
hi 1 hi � 2n 2n
www.iaik.tugraz.at Basic Attack Strategy
� T +
T �
semi-free-start collision:
f (hi 1, mi )=f (hi 1, m⇤), mi = m⇤ � � i 6 i
arbitrary hi 1 �
10 / 29 www.iaik.tugraz.at Attack on 6 Rounds
In the attack we use the same truncated differential trail in both + permutations T � and T :
r r r r r r 8 1 8 2 64 3 64 4 8 5 8 6 64 �! �! �! �! �! �!
AC AC AC AC AC AC SB SB SB SB SB SB m1 RB RB RB RB RB RB MB MB MB MB MB MB
AC AC AC AC AC AC SB SB SB SB SB SB h0 RB RB RB RB RB RB h1 MB MB MB MB MB MB
11 / 29 www.iaik.tugraz.at
Rebound attack for T �
AC AC AC AC AC AC SB SB SB SB SB SB RB RB RB RB RB RB MB MB MB MB MB MB
outbound inbound outbound
Inbound phase start with differences in round 2 and 4 match-in-the-middle using values of the state
Outbound phase uses truncated differentials probabilistic propagation in MixBytes
12 / 29 ee d4 ca 6d 3f 0a 11 11 2f f4 3a b7 af 43 8d 90
www.iaik.tugraz.at
Inbound phase for T �
match
ee ee ee 9f ee 23 71 c1 cd e8 f4 90 d4 75 1b 5e cd 3a 45 13 56 94 ca 2a f1 91 26 85 50 cc 6d 9a 49 43 c5 c0 a2 47 d3 7b 3f 79 5c 62 a5 SB 0d cc 01 0a 70 43 e9 27 e6 MB 72 cd 3d 83 11 76 ab b4 c8 MB a2 b1 63 11 96 1e 4d 04 RB b9 AC 73 45 f2 54 2f 21 a6 1c d2 AC b1 60 20 f4 1e cd bf 10 MB 5a ff RB b5 26 9f 3a 94 67 ef 3f f8 ed 85 b7 43 5a d5 fc 8c f6 27 d8 2a af 73 9c b2 15 SB 16 27 51 43 15 de 2b f8 08 32 9a 67 7b 8d 52 ab 92 ff 4d 34 96 90 f1 f8 07 5e c0
differences match differences differences
Start with arbitrary differences in round 2 and 4
Match-in-the-middle at SuperBox (SB MB AC SB) � � � with complexity 264 we get 1 right pairs ⇠ time-memory trade-off with T M = 2128 with T 264 · � 264 solutions with complexity of 264 (amortized cost 1) )
13 / 29 www.iaik.tugraz.at
Outbound phase for T �
AC AC AC AC AC AC SB SB SB SB SB SB RB RB RB RB RB RB MB MB MB MB MB MB
outbound inbound outbound
Propagate through MixBytes of round 1, 5 and 6 using truncated differences (active bytes: 8 8 resp. 1 8) ! ! probability: 1 in each direction
264 solutions following the differential trail with compexity 264 )
14 / 29 www.iaik.tugraz.at Rebound attack for T +
AC AC AC AC AC AC SB SB SB SB SB SB RB RB RB RB RB RB MB MB MB MB MB MB
outbound inbound outbound
AddConstant ( AC ) modular addition destroys the byte-alignment complicates the application of the attack
15 / 29 cd cd 91 c5 5c 27 76 04 2f 10 9f fc d8 f8 9a 5e
differences X
www.iaik.tugraz.at Inbound phase for T +
match
ee ee ee 9f ee 23 71 c1 cd e8 f4 90 d4 75 1b 5e cd 3a 45 13 56 94 ca 2a f1 91 26 AC 85 50 cc 6d 9a 49 43 c5 c0 a2 47 d3 7b 3f 79 5c 62 a5 RB 0d cc 01 0a 70 43 e9 27 e6 72 cd 3d 83 11 76 ab b4 c8 SB a2 b1 63 11 96 1e 4d 04 RB b9 MB 73 45 f2 54 2f 21 a6 1c d2 MB b1 60 20 f4 1e cd bf 10 MB 5a ff b5 26 9f 3a 94 67 ef 3f f8 ed 85 b7 43 5a d5 fc 8c f6 27 d8 2a af 73 9c b2 15 AC 16 27 51 43 15 de 2b f8 08 32 9a 67 7b 8d 52 ab 92 ff SB 4d 34 96 90 f1 f8 07 5e c0 differences match differences differences
Start with arbitrary differences in round 2 and 4
Match-in-the-middle (AC RB SB MB AC SB) � � � � � first AC creates dependences between SuperBoxes only consider inputs that never (resp. always) result in a carry
16 / 29 www.iaik.tugraz.at Number of solutions
Byte 0: x + F3 > FF 243 solutions ! Byte 1: x + 1 + F0 > FF 241 solutions ! ...
Byte position Valid values Valid pairs (average) Byte 0 243 230.6 Byte 1–6 241 226.8 Byte 7 256 256
254.4 solutions in total (cost 263.4) )
17 / 29 www.iaik.tugraz.at
Outbound phase for T �
AC AC AC AC AC AC SB SB SB SB SB SB RB RB RB RB RB RB MB MB MB MB MB MB
outbound inbound outbound
Propagate through MixBytes in round 1, 5 and 6
probability: 1 (same as for T �)
Propagate through AddConstant in round 1, 2, 5 and 6
2.45 probability: 2�
251.95 solutions following the differential trail with complexity 263.4 )
18 / 29 www.iaik.tugraz.at Attack on 6 Rounds
AC AC AC AC AC AC SB SB SB SB SB SB m1 RB RB RB RB RB RB MB MB MB MB MB MB
AC AC AC AC AC AC SB SB SB SB SB SB h0 RB RB RB RB RB RB h1 MB MB MB MB MB MB
a Construct 2 pairs following the differential trail in T � one solution with amortized cost 1
128 a + Construct 2 � pairs following the differential trail in T one solution with amortized cost 211.55
semi-free-start collision with complexity 269.8 (for a = 69.8) )
19 / 29 www.iaik.tugraz.at Extending the Attack to 7 Rounds
Sequence of active SBoxes:
r r r r r r r 8 1 8 2 64 3 64 4 8 5 1 6 8 7 64 �! �! �! �! �! �! �!
Inbound phase is the same as before
56 Outbound phase is extended by one round (probability: 2� )
semi-free-start collision with complexity 2125.8 )
20 / 29 www.iaik.tugraz.at Attacks on Kupyna-256
Compression Function
rounds complexity memory
6269.8 264 72125.8 264
21 / 29 www.iaik.tugraz.at
Attack on the Hash Function www.iaik.tugraz.at Basic Attack Strategy
Combines ideas of the attack on SMASH with the rebound attack
Similar to the attack on Grindahl
Attack uses a new type of truncated differential trail spanning over more than one message block Starting with an (almost) arbitrary difference in the chaining variable
Iteratively canceling the differences in the chaining variable
Having only differences in one of the two permutations (e.g. T �)
22 / 29 www.iaik.tugraz.at Equivalent Description of Kupyna
To simplify the description of the attack we use an equivalent description of the hash function
ˆ 1 h0 = MB� (IV) ˆ ˆ ˆ ˆ + ˆ hi = T �(MB(hi 1) mi ) T (mi ) hi 1 for 1 i t � � � � � ˆ hash =⌦(MB(ht )) ˆ with hi = MB(hi )
+ The last MixBytes transformation of the permutations T � and T are swapped with the XOR operation of the feed-forward
23 / 29 www.iaik.tugraz.at Attack on 4 Rounds
The core of the attack on 4 rounds are truncated differential trails ˆ for T � with only 8 active bytes at the output of round r4
r r r r 64 1 64 2 8 3 8 4 8 �! �! �! �!
Using the rebound attack all the 264 solutions for this truncated differential trail with a given/fixed difference difference at the 64 input of Tˆ � can be found with complexity 2 in time and memory
AC AC AC AC SB SB SB SB RB RB RB RB MB MB MB
24 / 29 Collision attack for 4 rounds with complexity of 8 264 = 267 ) ·
m4735689
ˆ ˆ h2473568 h4735689
www.iaik.tugraz.at Attack on 4 Rounds
Choose some arbitrary m1, m1⇤ to get a full active state in h10
64 Construct 2 solutions for the truncated differential trail in P0 to find a m2 such that 8 bytes of the difference in h20 are canceled
m2
AC AC AC AC SB SB SB SB RB RB RB RB MB MB MB
ˆ ˆ h1 h2
AC AC AC AC SB SB SB SB MB RB RB RB RB MB MB MB
25 / 29 Choose some arbitrary m1, m1⇤ to get a full active state in h10
Collision attack for 4 rounds with complexity of 8 264 = 267 ) ·
m2475689
ˆ ˆ h1473568 h2475689
www.iaik.tugraz.at Attack on 4 Rounds
Construct 264 solutions for a rotated variant of the truncated
differential trail to cancel another 8 bytes of the difference in h30
m3
AC AC AC AC SB SB SB SB RB RB RB RB MB MB MB
ˆ ˆ h2 h3
AC AC AC AC SB SB SB SB MB RB RB RB RB MB MB MB
25 / 29 Choose some arbitrary m1, m1⇤ to get a full active state in h10
m2473568
ˆ ˆ h1247356 h2473568
www.iaik.tugraz.at Attack on 4 Rounds
Repeat this in total 8 times until a collision has been found in h90 h30
m9
AC AC AC AC SB SB SB SB RB RB RB RB MB MB MB
ˆ ˆ h8 h9
AC AC AC AC SB SB SB SB MB RB RB RB RB MB MB MB
Collision attack for 4 rounds with complexity of 8 264 = 267 ) ·
25 / 29 www.iaik.tugraz.at
Extending the Attack to 5 Rounds www.iaik.tugraz.at Attack on 5 Rounds of Grøstl-256
For the attack on 5 rounds we use truncated differential trails with only one active byte at the output of round r3
r r r r r 64 1 64 2 8 3 1 4 8 5 8 �! �! �! �! �!
Using the rebound attack all the 28 solutions for this truncated differential with a given/fixed difference at the input of P0 can be found with complexity 264 in time and memory
AC AC AC AC AC SB SB SB SB SB RB RB RB RB RB MB MB MB MB
26 / 29 www.iaik.tugraz.at Attack on 5 Rounds
56 Each step of the attack will succeed only with probability 2�
We can compensate this by using more message blocks and repeating each step of the attack 256 times
Any of the 28 solutions can be used to get a new starting point for the next iteration, while keeping the same bytes inactive in chaining variable
Collision attack for 5 rounds with complexity of 8 264+56 = 2123 ) ·
27 / 29 www.iaik.tugraz.at Summary
Compression Function
rounds complexity memory
6269.8 264 72125.8 264
Hash Function
rounds complexity memory
4267 264 52120 264
28 / 29 www.iaik.tugraz.at
Thank you! http://eprint.iacr.org/2015/956
29 / 29