Analysis of the Kupyna-256 Hash Function
Christoph Dobraunig, Maria Eichlseder, Florian Mendel
FSE 2016
www.iaik.tugraz.at

The Kupyna Hash Function  (slide 1/14)
Ukrainian standard DSTU 7564:2014 [Oli+15; Олi+15a]
[Figure: iterated construction. The IV and the message blocks m_1, m_2, ..., m_t (2n bits each) are fed through the compression function f; the final 2n-bit chaining value passes through the output transformation Ω, which yields the n-bit hash.]
n ∈ {256, 512}
- Permutation-based design: f(h_{i-1}, m_i) = T^⊕(h_{i-1} ⊕ m_i) ⊕ T^+(m_i) ⊕ h_{i-1}, built from two 2n-bit permutations T^⊕ and T^+
- AES-like round transformations
- Similar to Grøstl
- Modular additions inside (T^+ adds its round constants modulo 2^64 per column, T^⊕ XORs them)
The Kupyna-256 Round Transformations  (slide 2/14)
Kupyna-512: 8 × 16 state, 14 rounds
Kupyna-256: 8 × 8 state, 10 rounds: AddConstant, SubBytes, ShiftBytes, MixBytes
r_i = MB ∘ RB ∘ SB ∘ AC_i
[Figure: round constants of round i, drawn as 8-byte columns with row 0 at the top. T^⊕ (S ⊕): XOR the byte (j ≪ 4) ⊕ i (labelled 0i, 1i, ..., 7i) into row 0 of column j. T^+ (S +): add to each column, read as a 64-bit little-endian integer with row 0 as least significant byte, the constant with F3 in row 0, F0 in rows 1 to 6 and a column-dependent byte ((c − 1 − j) ≪ 4) ⊕ i in row 7 (labelled Fi, Ei, ..., 8i in the figure; c is the number of columns).]

Modular Constant Addition  (slide 3/14)
- Purpose: prevent the same trails for T^+ and T^⊕ (Grøstl instead uses different rotation constants)
- Destroys byte-alignment and the MDS property
- Branch number of T^+ reduced from 9 to ≤ 6. Example on one column (row 0 first; MixBytes followed by the modular AddConstant of column 0 in round 0):
  x_1: (00 00 00 00 00 00 00 00) --MB--> (00 00 00 00 00 00 00 00) --AC--> (F3 F0 F0 F0 F0 F0 F0 70)
  x_2: (00 00 00 00 00 00 00 FF) --MB--> (DB C7 38 AB FF 24 FF FF) --AC--> (CE B8 29 9C F0 15 F0 70)
  ∆:   (00 00 00 00 00 00 00 FF) --MB--> (DB C7 38 AB FF 24 FF FF) --AC--> (3D 48 D9 6C 00 E5 00 00)
  One active input byte becomes 8 active bytes after MixBytes, as the MDS bound requires, but the carries of the modular addition cancel three of them again and only 5 active bytes remain: 1 + 5 = 6 < 9.
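The column example above can be reproduced end to end. The following Python is an added illustration, not code from the slides or from the Kupyna reference implementation. It assumes the MixBytes matrix (circulant, first row 01 01 05 01 08 06 07 04), the field polynomial 0x11D and the shape of the T^+ round constant as specified in DSTU 7564:2014 / [Oli+15]; the function names (mix_column, add_constant_mod, add_constant_xor, trace_pair) and the `columns` parameter are this example's own. The values it reproduces for column 0, round 0 are exactly the ones on the slide.

```python
"""Reproduce the one-column example of the "Modular Constant Addition" slide.

Added illustration, not code from the slides or from the Kupyna reference code.
Assumptions: MixBytes matrix, GF(2^8) polynomial and the T+ round constant follow
DSTU 7564:2014 as described in [Oli+15]; column bytes are listed row 0 first,
which is also the least significant byte of the 64-bit little-endian word T+ adds to.
"""
from functools import reduce
from operator import xor

POLY = 0x11D  # x^8 + x^4 + x^3 + x^2 + 1, the Kupyna field polynomial
MDS_ROW = (0x01, 0x01, 0x05, 0x01, 0x08, 0x06, 0x07, 0x04)  # row 0 of the circulant MixBytes matrix
MASK64 = (1 << 64) - 1


def gf_mul(a: int, b: int) -> int:
    """Multiply two GF(2^8) elements modulo POLY (bitwise, no lookup tables)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r


def mix_column(col: bytes) -> bytes:
    """MixBytes on one 8-byte column; row i of the matrix is MDS_ROW rotated right by i."""
    return bytes(
        reduce(xor, (gf_mul(MDS_ROW[(k - i) % 8], col[k]) for k in range(8)), 0)
        for i in range(8)
    )


def add_constant_xor(col: bytes, j: int, rnd: int) -> bytes:
    """AddConstant of T^xor: XOR the byte (j << 4) ^ rnd into row 0 of column j."""
    out = bytearray(col)
    out[0] ^= ((j << 4) ^ rnd) & 0xFF
    return bytes(out)


def add_constant_mod(col: bytes, j: int, rnd: int, columns: int = 8) -> bytes:
    """AddConstant of T+: add a 64-bit constant to column j read as a little-endian integer.

    Row 0 gets F3, rows 1..6 get F0, row 7 gets ((columns-1-j) << 4) ^ rnd.  For
    Kupyna-256 (8 columns), column 0, round 0 this is F3 F0 F0 F0 F0 F0 F0 70 as on the slide.
    """
    top = (((columns - 1 - j) << 4) ^ rnd) & 0xFF
    const = 0x00F0F0F0F0F0F0F3 | (top << 56)
    x = int.from_bytes(col, "little")
    return ((x + const) & MASK64).to_bytes(8, "little")


def xor_diff(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR difference of two equally long values."""
    return bytes(x ^ y for x, y in zip(a, b))


def active_bytes(a: bytes, b: bytes) -> int:
    """Number of byte positions in which the two values differ (weight of the truncated difference)."""
    return sum(1 for x, y in zip(a, b) if x != y)


def trace_pair(x1: bytes, x2: bytes, j: int = 0, rnd: int = 0, modular: bool = True) -> dict:
    """Push a pair of columns through MixBytes and then AddConstant, tracking active bytes.

    modular=True uses the T+ constant addition (the slide's example); modular=False uses
    the XOR constant of T^xor, which leaves the difference after MixBytes untouched.
    """
    m1, m2 = mix_column(x1), mix_column(x2)
    ac = add_constant_mod if modular else add_constant_xor
    a1, a2 = ac(m1, j, rnd), ac(m2, j, rnd)
    return {
        "after_mb": (m1, m2),
        "after_ac": (a1, a2),
        "diff_after_ac": xor_diff(a1, a2),
        "active_in": active_bytes(x1, x2),
        "active_after_mb": active_bytes(m1, m2),
        "active_after_ac": active_bytes(a1, a2),
    }


if __name__ == "__main__":
    # Constructed inputs taken from the slide: the all-zero column and a column with FF in row 7.
    x1, x2 = bytes(8), bytes(7) + b"\xff"
    for modular in (True, False):
        t = trace_pair(x1, x2, modular=modular)
        name = "T+ (modular AC)" if modular else "T^xor (XOR AC)"
        print(f"{name}: active bytes in -> after MB -> after AC: "
              f"{t['active_in']} -> {t['active_after_mb']} -> {t['active_after_ac']}, "
              f"difference after AC = {t['diff_after_ac'].hex()}")
        print(f"  branch number witnessed by this pair: {t['active_in'] + t['active_after_ac']}")
```

Running it shows 1 → 8 → 5 active bytes for T^+ (branch number 6 witnessed by this single pair) against 1 → 8 → 8 for T^⊕, where the XOR constant commutes with the difference and the MDS bound of 9 survives.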
The Rebound Attack [Men+09]  (slide 4/14)
[Figure: the permutation split into three parts E_bw, E_in, E_fw: outbound, inbound, outbound.]
Inbound phase
- Efficient match-in-the-middle phase in E_in
- Uses the available degrees of freedom
Outbound phase
- Probabilistic part in E_bw and E_fw
- Repeat the inbound phase if needed

Attack on the Compression Function
Basic Attack Strategy  (slide 5/14)
[Figure: compression function f(h_{i-1}, m_i) with a difference ∆ in the message block m_i. The difference enters both T^+ (input m_i) and T^⊕ (input h_{i-1} ⊕ m_i); h_{i-1} carries no difference, so the output differences of T^⊕ and T^+ have to cancel each other.]
Semi-free-start collision: f(h_{i-1}, m_i) = f(h_{i-1}, m_i^*) with m_i ≠ m_i^*, for an arbitrary h_{i-1}
Rebound Attack on 6 Rounds  (slide 6/14)
Similar to [Men+10]
Same truncated differential trail (number of active bytes per round) in both permutations T^⊕ and T^+:
  8 --r1--> 8 --r2--> 64 --r3--> 64 --r4--> 8 --r5--> 8 --r6--> 64
[Figure: the 6 rounds (AC, SB, RB, MB each) of T^+ on m_1 and of T^⊕ from h_0 to h_1; rounds 1-2 outbound, rounds 3-4 inbound, rounds 5-6 outbound.]

Inbound Phase for T^⊕  (slide 7/14)
Similar to [Men+10]
[Figure: SuperBox match-in-the-middle over SB - MB - AC - SB in rounds 3-4, with the 8-byte input and output differences of one SuperBox written out.]
1. Start with arbitrary differences in round 2 and 4
2. Match-in-the-middle at the SuperBox (SB - MB - AC - SB)
- ≈ 1 right pair with complexity 2^64
- Time-memory trade-off with T · M = 2^128 and T ≥ 2^64 ⇒ 2^64 solutions with complexity 2^64 (amortized cost 1)
Inbound Phase for T^+  (slide 8/14)
AddConstant complicates the analysis
[Figure: match-in-the-middle over AC - RB - SB - MB - AC - SB; the modular AddConstant now sits inside the SuperBox, and the carry out of byte 0 couples neighbouring SuperBoxes.]
1'. Start with arbitrary differences in round 2 and 4
2'. Match-in-the-middle (AC - RB - SB - MB - AC - SB)
- AC creates dependences between SuperBoxes → fix the carry!
- Byte 0: require x + F3 > FF → 243 solutions (of 256 byte values) → 2^30.6 valid pairs on average, ...
- ⇒ 2^54.4 solutions with complexity 2^63.4
Outbound Phase for T^⊕, T^+ and Match  (slide 9/14)
[Figure: the 6-round trails of T^+ (on m_1) and T^⊕ (h_0 to h_1); outbound rounds 1-2 and 5-6, inbound rounds 3-4.]
3. Propagate T^⊕ outbound (truncated MixBytes: probability 1) ⇒ 2^64+ solutions with complexity 2^64+ (1 amortized)
3'. Propagate T^+ outbound (AddConstant: probability 2^-2.45) ⇒ 2^51.95+ solutions with complexity 2^63.4+ (2^11.55 amortized)
4. Unbalanced birthday: 2^a pairs for T^⊕, 2^(128-a) pairs for T^+ ⇒ semi-free-start collision with complexity 2^69.8 (a = 69.8)
Extending the Attack to 7 Rounds  (slide 10/14)
[Figure: 7-round trails of T^+ and T^⊕; outbound rounds 1-2 and 5-7, inbound rounds 3-4.]
  8 --r1--> 8 --r2--> 64 --r3--> 64 --r4--> 8 --r5--> 1 --r6--> 8 --r7--> 64
- Inbound phase: the same as before
- Outbound phase: extended by one round (probability 2^-56)
⇒ Semi-free-start collision with complexity 2^125.8
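Worked derivation, added here and not part of the slides, of how the 6- and 7-round figures follow from the per-phase costs stated on slides 7 to 10. The per-pair costs c_⊕ = 1 and c_+ = 2^11.55 are taken from slide 9 as given; the 128-bit matching condition is the one behind the T · M = 2^128 trade-off (the 8 active input bytes and the 8 active bytes before the last MixBytes must agree between the T^⊕ and the T^+ trail).

```latex
% Added derivation; symbols as on the slides.
\begin{align*}
\text{pairs needed for one 128-bit match:}\quad & 2^{a}\cdot 2^{128-a} = 2^{128} \\
\text{total cost:}\quad & C(a) = 2^{a}\, c_\oplus + 2^{128-a}\, c_+ = 2^{a} + 2^{128-a+11.55} \\
\text{balance the two terms:}\quad & a = 128 - a + 11.55 \;\Rightarrow\; a = 69.775 \approx 69.8 \\
\text{6 rounds:}\quad & C \approx 2^{69.8} \quad(\text{per term; the slide drops the factor 2 of the sum}) \\
\text{7 rounds:}\quad & \text{extra outbound transition } 8 \to 1 \text{ active bytes through MixBytes} \\
& \text{requires 7 output bytes to cancel: } p = 2^{-7\cdot 8} = 2^{-56} \\
& C_7 = C_6 / p = 2^{69.8 + 56} = 2^{125.8}
\end{align*}
```

The balancing step is why the birthday is unbalanced: T^⊕ pairs are cheap (amortized 1) and T^+ pairs are expensive (2^11.55 each), so the optimum generates 2^69.8 of the former and only 2^58.2 of the latter.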
Attack on the Hash Function

Basic Attack Strategy  (slide 11/14)
Similar to [MRS14]
[Figure: the iterated hash function IV, m_1, ..., m_t, Ω with T^⊕ and T^+ drawn inside each compression function call.]
- Start with an arbitrary difference in the chaining variable
- Iteratively cancel the differences in the chaining variable
- Target trail for T^⊕: 4 rounds, inbound phase first, then outbound
- No differences in T^+! (from m_2 on, the message blocks carry no difference, so only T^⊕ sees the chaining-variable difference)
[Figure: 4-round target trail for T^⊕ (AC, SB, RB, MB per round).]

Attack on 4 Rounds  (slide 12/14)
[Figure: one compression-function call per step with message block m_i, chaining values ĥ_{i-1} and ĥ_i, and the trail through T^⊕; the figure marks which 8 of the 64 bytes of ĥ_i are cancelled in each step.]
1. Start with random messages m_1, m_1^*
2. Find 2^64 solutions for the T^⊕ trail → 1 will cancel 8 bytes of ĥ_2
3. Find 2^64 solutions for the T^⊕ trail → 1 will cancel 8 bytes of ĥ_3
...
9. Find 2^64 solutions for the T^⊕ trail → 1 will cancel 8 bytes of ĥ_9
After 8 such steps all 64 bytes of the chaining-variable difference are cancelled.
⇒ Collision attack for 4 rounds with complexity 8 · 2^64 = 2^67
Extending the Attack to 5 Rounds  (slide 13/14)
Target trail for T^⊕:
[Figure: 5-round trail for T^⊕ (AC, SB, RB, MB per round).]
- Rebound attack finds 2^8 solutions with 2^64 time and memory
- Thus each step only succeeds with probability 2^-56
- Use the tricks of [MRS14] ⇒ collision attack with complexity 2^120
Conclusion  (slide 14/14)
Attacks on Kupyna-256:
  Target                 Rounds   Complexity   Memory
  Compression function   6        2^69.8       2^64
  Compression function   7        2^125.8      2^64
  Hash function          4        2^67         2^64
  Hash function          5        2^120        2^64
Modular additions
- Destroy byte-alignment and the MDS property
- Not sufficient to diversify T^+ and T^⊕
Designers' security claims violated [Олi+15b]
Security of Kupyna is not threatened
Bibliography
[Men+09] F. Mendel, C. Rechberger, M. Schläffer, and S. S. Thomsen. The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl. FSE 2009.
[Men+10] F. Mendel, C. Rechberger, M. Schläffer, and S. S. Thomsen. Rebound Attacks on the Reduced Grøstl Hash Function. CT-RSA 2010.
[MRS14] F. Mendel, V. Rijmen, and M. Schläffer. Collision Attack on 5 Rounds of Grøstl. FSE 2014.
[Oli+15] R. Oliynykov, I. Gorbenko, O. Kazymyrov, V. Ruzhentsev, O. Kuznetsov, Y. Gorbenko, A. Boiko, O. Dyrda, V. Dolgov, and A. Pushkaryov. A New Standard of Ukraine: The Kupyna Hash Function. Cryptology ePrint Archive, Report 2015/885, 2015.
[ZD15] J. Zou and L. Dong. Cryptanalysis of the Round-Reduced Kupyna Hash Function. http://ia.cr/2015/959, 2015.
[Олi+15a] Р. В. Олiйников, I. Д. Горбенко, О. В. Казимиров, В. I. Руженцев, А. О. Бойко, О. О. Кузнєцов, Ю. I. Горбенко, В. I. Долгов, О. В. Дирда, and А. I. Пушкарьов. DSTU 7564:2014. National Standard of Ukraine. Information technologies. Cryptographic protection of information. Hash function "Kupyna". Ministry of Economic Development and Trade of Ukraine, 2015 (in Ukrainian).
[Олi+15b] Р. Олiйников, I. Горбенко, О. Казимиров, В. Руженцев, А. Бойко, О. Кузнєцов, Ю. Горбенко, В. Долгов, О. Дирда, and А. Пушкарьов. Hash function "Kupyna": Main properties. http://de.slideshare.net/oliynykov/kupyna, 2015 (in Ukrainian).