ANewEncryptionStandardofUkraine: The Kalyna Block Cipher Roman Oliynykov1, Ivan Gorbenko1, Oleksandr Kazymyrov4, Victor Ruzhentsev4, Oleksandr Kuznetsov3, Yurii Gorbenko1, Oleksandr Dyrda2, Viktor Dolgov3, Andrii Pushkaryov2, Ruslan Mordvinov4,DmytroKaidalov4 . 1 JSC Institute of Information Technologies, 2 State Service of Special Communication and Information Protection of Ukraine, 3 V.N.Karazin Kharkiv National University, 4 Kharkiv National University of Radio Electronics Ukraine [email protected], [email protected], [email protected] Abstract The Kalyna block cipher was selected during Ukrainian National Public Cryptographic Competition (2007-2010) and its slight modification was approved as the new encryption standard of Ukraine in 2015. Main requirements for Kalyna were both high security level and high performance of software implementation on general-purpose 64- bit CPUs. The cipher has SPN-based (Rijndael-like) structure with increased MDS matrix size, a new set of four different S-boxes, pre- and postwhitening using modulo 264 addition and a new construction of the key schedule. Kalyna supports block size and key length of 128, 256 and 512 bits (key length can be either equal or double of the block size). At the time of this paper publishing, no more effective cryptanalytic attacks than exhaustive search are known. In this paper we present the adapted English translated specification of Kalyna as it is given in the national standard of Ukraine. 1Introducton Block ciphers are the most widely used symmetric cryptographic primitives. Besides providing confidentiality, they are also used as main components in hashing functions, message authentication codes, pseudorandom number generators, etc. Until 2015 GOST 28147-89 was the main block cipher used in Ukraine [1]. Even now this cipher still provides acceptable level of practical security. However, its software implementation is significantly slower and less effective on modern Presented at the Norwegian Information Security Conference 2015 (NISK-2015). 2 platforms comparing to newer solutions like AES [2]. In addition, more effective theoretical attacks than brute force search were discovered [3]. Based on the experience of international cryptographic competitions, like AES [4] or NESSIE [5], The State Service of Special Communication and Information Pro- tection of Ukraine had been organized National Public Cryptographic Competition [6] to select a block cipher that could become a prototype of the national standard. Main requirements to candidates were a high level of cryptographic security, variable block size and key length (128, 256, 512), and an acceptable performance of encryp- tion in software implementation. There were no restrictions concerning lightweight (hardware) implementations. The block cipher Kalyna was selected among other candidates [7] and its slight modification (aimed to performance improvement and more compact implementation) was approved as the national standard DSTU 7624:2014 [8]. The new standard describes both the block cipher and ten modes of operation for it. In this paper we describe an adapted version of the specification based on Electronic Code Book (ECB) mode as it is given in the national standard of Ukraine. 2Symbolsandnotations The following notations are used in the standard. 0x–prefixofnumbersgiveninthehexadecimalnotation; GF (28) – the finite field with the irreducible polynomial x8 + x4 + x3 + x2 +1; –logicalexclusiveOR(XOR)operationforbinaryvectors; ⊕ x –integerpartofx,i.e.forarationalx the greatest y such b c that y x; X –thelengthofthebitsequenceX; | | Ll,r(X) –thefunctionthatreturnsr least significant bits from the input sequence X of l-bit length; Rl,r(X) –thefunctionthatreturnsr most significant bits from the input sequence X of l-bit length; –therightshiftofthefixedlengthsequence(totheleast significant symbols); the most significant symbols are filled with 0’s; number of symbols to be shifted is defined by the second argument –theleftshiftofthefixedlengthsequence(tothemost ⌧ significant symbols); the least significant symbols are filled with 0’s; number of symbols to be shifted is defined by the second argument o –thecyclicshift(rotation)rightofthefixedlengthsequence (the least significant symbols are moved to the most significant positions); n –thecyclicshift(rotation)leftofthefixedlengthsequence (the most significant symbols are moved to the least significant positions); + –additiondefinedontheadditivegroupoftheleastnon- 64 negative remainders Z264 (addition modulo 2 ); –scalarproductoftwovectorsdefinedoverthefinitefield; ⌦ 3 l – the block size of Kalyna, l 128, 256, 512 ; 2{ } k – the key length of Kalyna, k 128, 256, 512 (k = l or 2{ } k =2 l); · c –thenumberofcolumnsinthestatematrix; Vj – j-dimensional vector space over GF (2), j 1; (K) ≥ T –thebasicencryptiontransformation,amappingVl Vl l,k 7! parametrized by the encryption key K; (K) U –thebasicdecryptiontransformation,amappingVl Vl l,k 7! parametrized by the encryption key K; W1 W2 –concatenationofthetwobitsequencesinsuchawaythat || the left (the least significant) part of the resulting sequence is equal to W1 and the right (the most significant) one to W2;thelengthoftheresultingsequenceisequaltothesum of the lengths of W1 and W2; ⌅ ⇤ –sequentialapplicationoftransformations⌅ and ⇤ (⇤ is ◦ applied first); (K) t –thenumberofiterationsinthetransformationsTl,k and (K) Ul,k ; t ⇤(i) –sequentialapplicationofthetransformations⇤(1), ⇤(2),..., i=1 ⇤(t) (the transformation ⇤(1) is applied first); Q (j) µl –representationofnon-negativeintegerj as an l-bit sequence (the little-endian convention is used); (K) (K) Kalyna-l/k –applicationofthetransformationsTl,k or Ul,k with the block size of l bits and the key length of k bits. 3Generalparameters (K) The basic encryption transformation is a mapping: Tl,k : Vl Vl that depends ! (K) on K Vk, where l, k 128, 256, 512 ,suchthatk = l or k =2 l. T is 2 2{ } · l,k implemented as an iterative application of several functions taking a 8 c matrix 8 ⇥ over GF (2 ) as an input argument x Vl. The 8 c matrix is the cipher internal 2 ⇥ state. (K) The basic decryption transformation Ul,k parametrized by the encryption key (K) K is the mapping inverse to Tl,k .Allpermittedcombinationsofparameters,that defines Kalyna-l/k,aregiveninTable1. 4Inputandoutputdata The basic transformations process an input block of l bits size (either plaintext or ciphertext). The internal state matrix G is represented as (gi,j), where gi,j V8, 2 i = 0, 7 and j = 0,c 1. The internal state matrix is filled by input bytes B1, B2, − ..., Bl/8 in the column-by-column order. 4 Table 1: The number of rounds and the number of rows in the state matrix for different values of block size and key length # Block size (l) Key length (k) Rounds (t) Rows of the state matrix (c) 1 128 10 128 2 2 256 14 3 256 14 256 4 4 512 18 5 512 512 18 8 5Encryption Structure of the basic encryption transformation (K) The basic encryption transformation Tl,k is defined in the following way: t 1 − (K) (Kt) (K⌫ ) (K0) T = ⌘ ⌧ ⇡0 ( ⌧ ⇡0) ⌘ , l,k l ◦ l ◦ l ◦ l ◦ l ◦ l ◦ l ◦ l ◦ l ⌫=1 Y where K –anencryptionkeyofk-bit length, (K⌫ ) ⌘l – the function of addition of the internal state with the round key K⌫ modulo 264, ⇡l0 –thelayerofnon-linearbijectivemapping(S-boxlayer)thatprocessbyte (i.e., elements of V8)vectors, 8 ⌧l –permutationofelementsgi,j GF (2 ) of the cipher internal state (right 2 circular shift), l –thelineartransformationoftheinternalstateelementsoverthefinitefield, (K⌫ ) l –thefunctionofmodulo2 addition of the round key K⌫ and the state matrix. In the functions ⇡0, ⌧l and l input argument x Vl and output value χ(x) Vl, l 2 2 χ ⇡0,⌧l, l ,arerepresentedasmatricesof8 c size. 2{ l } ⇥ Function of addition modulo 264 (K⌫ ) ⌘l processes columns of the internal state matrix G =(gi,j) and columns of the ⌫ 64 round key matrix K⌫ =(k ) using modulo 2 addition. The result is also an 8 c i,j ⇥ matrix (the internal state after the round key addition). In the addition operation the little-endian convention is used, i.e. less significant bytes have smaller indexes. Layer of non-linear bijective mapping The function ⇡0 implements the S-box layer. Each element gi,j V8 of the internal l 2 state matrix is substituted by ⇡i mod 4(gi,j), where ⇡s : V8 V8, s 0, 1, 2, 3 ,are 7! 2{ } substitutions (S-boxes) given in Appendix A. For example, let gi,j be 0x23 then ⇡0(0x23) = 0x4F . Another set of substitutions different from those presented in Appendix A can be used. In this case, S-boxes must be supplied in the prescribed manner. 5 Permutation of elements in the internal state The function ⌧l executes cyclic right shift for the rows of the state matrix G =(gi,j). The number of shifted elements depends on the row number i 0, 1,...,7 ,the 2{ } i l block size l 128, 256, 512 ,andiscalculatedaccordingtotheformulaδi = · . 2{ } b 512 c For example, the fifth row of the state matrix of the cipher with the 256-bit block size is circularly shifted right by two positions. Linear transformation To perform the function l each element gi,j V8 of the internal state matrix G 2 is represented as an element of the finite field GF (28) formed by the irreducible polynomial ⌥(x)=x8 + x4 + x3 + x2 +1,or0x11D in hexadecimal notation. 8 Each element of the resulting state matrix W =(wi,j) is calculated over GF (2 ) according to the formula wi,j =(υ i) Gj, o ⌦ where υ =(0x01, 0x01, 0x05, 0x01, 0x08, 0x06, 0x07, 0x04) is the vector that forms th the circulant matrix with the MDS property, and Gj is the j column of the state matrix G. The vector υ consists of the hexadecimal constants (bytes) that are elements of the finite field GF (28). The right circular shift is made with respect to elements of the set υ. Function of addition modulo 2 (K⌫ ) The function l , which is dependent on the parameter K⌫ Vl (the round key th 2 of the ⌫ iteration), takes the cipher internal state x Vl as the argument. Both 2 the round key and the internal state are represented as matrices of 8 c size. In (K⌫ ) ⇥ the function l the internal state matrix G and the matrix representation of the ⌫ round key K⌫ =(ki,j) are added using the XOR operation.