GOST GOST2 Attacks Summary Cryptanalysis of GOST2: Can Updated Key Schedule Solve all of GOST’s Problems? Orr Dunkelman (joint work with Achiya Bar-On and Tomer Ashur) University of Haifa June 29, 2016 Orr Dunkelman Cryptanalysis of GOST2 1/ 24 GOST GOST2 Attacks Summary Definition Attacks Standardization History of the GOST Block Cipher ◮ GOST 28147-89 defined a block cipher (A.K.A. Magma these days) ◮ 64-bit block, 256-bit key ◮ 32-round Feistel ◮ With different secret S-boxes for each industry (a few leaked) Orr Dunkelman Cryptanalysis of GOST2 2/ 24 GOST GOST2 Attacks Summary Definition Attacks Standardization The GOST Block Cipher S8✛ ✛ S7 SKr S6✛ S ✛ ❄ ✐✛ ≪ 11 ✛ 5 ✛ ✛ S4✛ S3✛ S2✛ S ✛ ❵❵ 1 ✥✥ ❵❵❵ ✥✥✥ ❵❵❵ ✥✥✥ ❵✥❵❵✥✥ ✥✥✥ ❵❵❵ ✥✥✥ ❵❵❵ ✥✥✥ ❵❵❵ Orr Dunkelman Cryptanalysis of GOST2 3/ 24 GOST GOST2 Attacks Summary Definition Attacks Standardization The GOST Key Schedule ◮ The key schedule takes a 256-bit key (eight 32-bit words — K0, K2, K3,..., K7) and uses them according to: K0 K1 K2 K3 K4 K5 K6 K7 K0 K1 K2 K3 K4 K5 K6 K7 K0 K1 K2 K3 K4 K5 K6 K7 K7 K6 K5 K4 K3 K2 K1 K0 ◮ The descending order — probably to defeat slide attacks Orr Dunkelman Cryptanalysis of GOST2 4/ 24 GOST GOST2 Attacks Summary Definition Attacks Standardization Attacks on GOST (Short and Partial History) ◮ Related-key differential attacks on reduced-round GOST (specific S-boxes) [KSW96] ◮ Chosen-key S-box recovery attacks [S99] ◮ Related-key differential attacks on reduced-round GOST [KS00] ◮ Related-key differential attacks on full GOST [K+04] ◮ Slide attacks on first 24 rounds [BW00] ◮ Slide attacks on full GOST for a weak key class of 2128 keys [BW00] ◮ Slide attacks on first 30 rounds [BDK07] Orr Dunkelman Cryptanalysis of GOST2 5/ 24 GOST GOST2 Attacks Summary Definition Attacks Standardization Attacks on GOST (Short and Partial History) Attack Data Memory Time S-boxes Reflection [I11] 232CP 264 2224 Bijective Fixed point/Algebraic [C11] 264KP 264 2248 Russian Banks Differential [CM11] 264KP 264 2226 Russian Banks Fixed point [DDS12] 264KP 236 2192 any Fixed point [DDS12] 264KP 219 2204 any Reflection [DDS12] 232KP 236 2224 any Reflection [DDS12] 232KP 219 2236 any Orr Dunkelman Cryptanalysis of GOST2 6/ 24 GOST GOST2 Attacks Summary Definition Attacks Standardization Very Quick Summary of the Reflection Attack ◮ Assume that at the entrance to round 25, the intermediate encryption value is (x, x) ◮ Then round 25 cancels round 24, round 26 cancels round 23, etc. x x ⊕ y y x L R S + K7 x x y x L R S + K7 x x ⊕ y Orr Dunkelman Cryptanalysis of GOST2 7/ 24 GOST GOST2 Attacks Summary Definition Attacks Standardization Very Quick Summary of the Reflection Attack ◮ Isobe noticed that for a reflection point, the intermediate encryption value after 16 rounds is equal to the ciphertext ◮ This allows for attacking 16-round GOST (using meet in the middle, or any attack you wish for) Orr Dunkelman Cryptanalysis of GOST2 8/ 24 GOST GOST2 Attacks Summary Definition Attacks Standardization ISO SC27 (Parallel Work) ◮ The Russian federation has submitted GOST (Magma) for standardization in 2010 to ISO SC27 (18033) ◮ Several issues spotted: ◮ S-boxes were not defined ◮ Related-key attacks ◮ By the time they were “addressed”, Isobe’s attack came out Orr Dunkelman Cryptanalysis of GOST2 9/ 24 GOST GOST2 Attacks Summary Definition Attacks Standardization In Mother Russia, Cipher Encrypts You! ◮ Following the failure of standardizing GOST, a new cipher was suggested ◮ Kuznyechik (Grasshopper) — 128-bit block, 256-bit key SPN ◮ Secret design process ◮ Interesting properties revealed by [BP15,BPU16] about how the S-box was designed ◮ And then came a new proposal. Orr Dunkelman Cryptanalysis of GOST2 10/ 24 GOST GOST2 Attacks Summary Specs Claims The GOST2 Block Cipher ◮ Dmukh, Dygin, and Marshalko offered a variant of GOST on eprint report 2015/065 ◮ Two main changes with respect to GOST: ◮ S-boxes are fully specified ◮ Key schedule changed to: K0 K1 K2 K3 K4 K5 K6 K7 K3 K4 K5 K6 K7 K0 K1 K2 K5 K6 K7 K0 K1 K2 K3 K4 K6 K5 K4 K3 K2 K1 K0 K7 Orr Dunkelman Cryptanalysis of GOST2 11/ 24 GOST GOST2 Attacks Summary Specs Claims The Security Claims Both Isobe and Dinur-Dunkelman-Shamir attacks exploit the reflection property for the last 16 iterations. For the proposed algorithm the probability of the corresponding event is negligible: P{K0 = K2 = K4 = K6, K1 = K3 = K5 = K7)} = 2−192 (if keys are selected at random). The first Dinur-Dunkelman-Shamir method works if K0 = K2 = K4 = K6 = K1 = K3 = K5 = K7. The probability of such event is 2−224. Since the new key schedule could be represented as a concatenation of different shifts of (K0,..., K7), 2-GOST (together with original GOST) is subjected to related-key attacks. At the same time, such attacks are difficult for practical implementation, since the probabilities of relations are negligible (see, for example, [5]), when keys are selected randomly. ... Eprint report 2015/065 Orr Dunkelman Cryptanalysis of GOST2 12/ 24 GOST GOST2 Attacks Summary Specs Claims The Security Claims Orr Dunkelman Cryptanalysis of GOST2 13/ 24 GOST GOST2 Attacks Summary Reflection Fixed A Reflection Property for GOST2 (Weak Key Class) ◮ Consider the key schedule of rounds 18–31, when K5 = K6: K5 K6 K7 K0 K1 K2 K3 K3 K4 K4 K6 K6 K5K5 K4 K4 K3 K3 K2 K1 K0 K7 ◮ Hence, if the intermediate encryption value after 25 rounds is (x, x), the ciphertext is equal to the value after 18 rounds Orr Dunkelman Cryptanalysis of GOST2 14/ 24 GOST GOST2 Attacks Summary Reflection Fixed A Reflection Attack on GOST2 (Weak Key Class) Require: 232 pairs of known plaintexts and ciphertexts - {Pi , Ci }. for S3, K5 = K6 do for (Pi , Ci ), K0 do K1, K2 ← Solve(Pi , S3, K0) −1 −1 −1 −1 −1 S ← R (R (R (R (R (Ci = S ))))) 13 SK13 SK14 SK15 SK16 SK17 18 T [S13] ← (Pi , K0, K1, K2) end for for K3, K4, K7 do S13 ← RSK12 (RSK11 (RSK10 (RSK9 (RSK8 (RSK7 (RSK6 (RSK5 (RSK4 (RSK3 (S3)))))))))) (Pi , K0, K1, K2) ← T [S13] TRY(K0, K1, K2, K3, K4, K5, K6, K7) end for end for Orr Dunkelman Cryptanalysis of GOST2 15/ 24 GOST GOST2 Attacks Summary Reflection Fixed A Reflection Attack on GOST2 (Weak Key Class) K0,K1,K2 K3,...,K12 K13,...,K17 K18,...,K24 K25,...,K31 S3 S13 C S25 P Rounds 0–2 Rounds 3–12 Rounds 13–17 Rounds 18–24 Rounds 25–31 C L25 “ R25 K0 K1,K2 K0,K1,K2,K5 “ K6 S3 K3,K4,...,K7 S13 ◮ Data complexity: 232 KPs ◮ Memory complexity: 264 blocks ◮ Time complexity: 2192 ◮ Weak Key Size: 2224 ◮ Attack can be transformed into an impossible reflection attack for all other keys (data increased to 264, saves a factor of 5.4 on exhaustive search) Orr Dunkelman Cryptanalysis of GOST2 16/ 24 GOST GOST2 Attacks Summary Reflection Fixed A Fixed Point Property for GOST2 ◮ Consider the key schedule of rounds 10–22: K3 K4 K5 K6 K7 K0 K1 K2 K5 K6 K7 K0 K1 K2 K3 K4 ◮ The keys of rounds 10–15 are the same as 16–21 ◮ Hence, a fixed point of rounds 10–15 is a fixed point for rounds 10–21 Orr Dunkelman Cryptanalysis of GOST2 17/ 24 GOST GOST2 Attacks Summary Reflection Fixed A Fixed-Point Attack on GOST2 Require: 264 pairs of known plaintexts and ciphertexts. for (Pi , Ci ), SK0, SK1, SK2, SK7 do −1 −1 −1 −1 S ← R (R (R (R (Ci )))) 28 SK28 SK29 SK30 SK31 S3 ← RK2 (RK1 (RK0 (Pi ))) T [S3||S28] ← (K0, K1, K2, K7) end for for S10 = S16 = S22, K3, K4, K5, K6, K7 do S13 ← RSK12 (RSK11 (RSK10 (S10))) for K0[0–11], K2[0–11], K1[10] do (K0[0–11], K1[12–19], K2[0–11]) ← SOLVE(S16, S13, K0[0–11], K2[0–11], Carry) end for − − − − − − − S ← R 1 (R 1 (R 1 (R 1 (R 1 (R 1 (R 1 (S ))))))) 3 SK3 SK4 SK5 SK6 SK7 SK8 SK9 10 S28 ← RSK27 (RSK26 (RSK25 (RSK24 (RSK23 (RSK22 (S22)))))) (K0, K1, K2, K7) ← T [S3||S28] Filter(K0, K1, K2, K7) TRY(K0, K1, K2, K3, K4, K5, K6, K7) Orr Dunkelmanend for Cryptanalysis of GOST2 18/ 24 GOST GOST2 Attacks Summary Reflection Fixed A Fixed-Point Attack on GOST2 K0,K1,K2 K3,...,K9 K10,...,K15 K16,...,K21 K22,...,K28 K28,...,K31 S3 S10 S16 S22 P Rounds 0–2 Rounds 3–9 Rounds 10–15 Rounds 16–21 Rounds 22–27 Rounds 28–31 C X X X 0 1 2 1 7 2 P K ,K ,K S3 K r12-19s S28 K ,...,K C K0r0-11s,K2r0-11s K3,...,K7 X X X K3,...,K7 S3 S28 ◮ Data complexity: 264 KPs ◮ Memory complexity: 2160 blocks ◮ Time complexity: 2237 We are working on reducing memory consumption. Orr Dunkelman Cryptanalysis of GOST2 19/ 24 GOST GOST2 Attacks Summary Summary ◮ New GOST2 does not offer full security against fixed-point and reflection attacks ◮ Same related-key attacks can be applied (including complementation property) ◮ Simple ways to handle these issues exist Orr Dunkelman Cryptanalysis of GOST2 20/ 24 GOST GOST2 Attacks Summary Summary of Attacks Type of attack Time Data Memory No. of keys (blocks) Fixed point 2237 264KP 2160 All Reflection 2192 232KP 264 2224 Impossible reflection 2253.56 263CP 2160 2256 − 2224 Impossible reflection 2254.56 264KP 2160 2256 − 2224 Orr Dunkelman Cryptanalysis of GOST2 21/ 24 GOST GOST2 Attacks Summary Some Aftermath ◮ We posted our results (not including some optimizations we now have) on eprint (report 2016/532) ◮ And we got an interesting email from Grigory Marshalko: .
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages24 Page
-
File Size-