Cryptanalysis of 256-Bit Key HyRAL via Equivalent Keys

Nagoya University, JapanYuki Asano, Shingo Yanagihara, and Tetsu Iwata

ACNS2012, June 28, 2012, Singapore

Introduction

• What is HyRAL?– A secret key blockcipher– Block size : 128 bits– The key length : 128, 129,…, 256 bits– One of the proposed algorithms for the CRYPTREC

project’s call• The CRYPTREC project– Maintaining the e-Government recommended ciphers list

in Japan– The list is planned to be revised in 2013

2

Background

• The security of HyRAL

3

・ Differential attacks・ Linear attacks・ Impossible differential attacks・ Saturation attacks・ Higher order differential attacks・ Boomerang attacks

No security weaknesses have been identified.

Our Research

• For 256-bit key HyRAL1. We show that there are 251.0 equivalent keys (250.0 pairs of

equivalent keys).2. We propose an algorithm that derives an instance of

equivalent keys with the expected time complexity of 248.8 encryptions.

3. We verify the proposed algorithm’s correctness by showing several instances of equivalent keys.

4

• The two distinct keys (K, K’) that satisfy EK(M) = EK’(M) for all

plaintexts M

• The ciphertext remains the same even if the key is changed.

Equivalent Keys

5

Impact of Equivalent Keys

• The existence of equivalent keys implies the theoretical cryptanalysis of the cipher.– The key search space of a brute force attack is reduced.– For 256-bit key HyRAL, the search space is 2256-250.

• Suppose that we use 256-bit key HyRAL to construct a compression function in Davies-Meyer mode.

6

Impact of Equivalent Keys

• Suppose that we use the previous compression function to construct a hash function in Merkle-Damgård mode.

7

Specification of 256-Bit Key HyRAL

• OK1:The most significant 128 bits of the secret key K

• OK2:The least significant 128 bits of K

• KGA1 and KGA2:The Key Generation Algorithms

The Key Assignment Algorithm

The Data Processing Algorithm

8

Key Generation Algorithms:KGA1 and KGA2

• KGA1 and KGA2 differ only in the internally used constants

CST1 and CST2.

• G1 and G2 functions of 128-bit input and output are used.

9

G1 and G2 Functions

• The input and output are 128 bits.• The Generalized Feistel Structure

of 4 rounds and 4 branches• fi functions of 32-bit input

and output are used.

G1 function G2 function

fi Function

• f1,…,f8 functions are keyless permutations over 32 bits.

• The structure of fi function is the SP-network.

11

8 bits

fi function

KAA and DPA

• KAA (the Key Assignment Algorithm)– (KM1,KM3,KM2,KM4) are first parsed into 32-bit strings.

– (RK1,…,RK9, IK1,…,IK6) are generated by taking their linear

combinations.

• DPA (the Data Processing Algorithm)– The overall structure is the 32 round Generalized

Feistel Structure with 4 branches.

12

Existence of Equivalent Keys

• Let ΔOK1 and ΔOK2 be the input differences for KGA1 and

KGA2 , respectively.• If the two output differences collide, then the input difference

of KAA becomes null.

13

Existence of Equivalent Keys

• When the input difference of KAA becomes null, we have the following equivalent keys.

14

Differential Characteristic of KGA

• KGA1 and KGA2 are the same algorithms except for the

internally used constants.

• We may regard them identically as long as we consider their differential characteristics.

•

15

Differential Characteristic of KGA

• Lemma 1. For KGA, there exists a differential characteristic with four active fi functions.

• Let δ be any non-zero 32-bit string.– The input difference of KGA : (δδδδ)– The output difference of KGA : (δδ00)(000δ)(δδδδ)(0000)

16

17

G １ G2 G １ G2 G １

32 bits

Differential Characteristic of KGA

• The probability of the differential characteristic:– DCPKGA(δ) = DPf1(δ)×DPf3(δ)×DPf5(δ)×DPf7(δ)

• Lemma 2. There exists non-zero δ such that DCPKGA(δ) > 2-128.

18

Differential Characteristic of KGA

• For 232 values of δ, we computed the value of DCPKGA(δ).

• There exist 89938 values of δ such that DCPKGA(δ) > 2-128.

DCPKGA(δ)Example of

δNumb

er

2-103 0xd7d7d0d7

1

2-104 0xc5c5d254

1

2-105 0x4e4ec554

1

2-106 0x3c3cf4ff 82-107 0x6161f9d9 1

2-108 0x054d9797

34

2-109 0x0101019a

157

2-110 0x0159591a

1579

2-111 0x0101e818

7685

2-112 0x01010520

80471

19

The Number of Equivalent Keys

• The number of equivalent keys can be derived as follows:

20

DCPKGA(δ)Example of

δNumb

er

2-103 0xd7d7d0d7

1

2-104 0xc5c5d254

1

・ ・ ・

・ ・ ・

・ ・ ・

2-112 0x01010520

80471

For each (OK1, OK2), there are four equivalent keys.

The same equivalent keys are counted for four times.For KGA1 and KGA2,

we consider all δ which satisfies DCPKGA(δ) > 2-128.

The Number of Equivalent Keys

• The number of pairs is the half of 251.0, which is 250.0.

Theorem 1. In 256-bit key HyRAL, there exist 251.0 equivalent keys (or 250.0 pairs of equivalent keys).

21

Equivalent Key Derivation Algorithm

• We consider the case of δ = 0xd7d7d0d7.– DCPKGA(δ) = 2-103 (DCPKGA(δ) is the maximum.)

• For , let be a list of that satisfy

• We may write down the lists as follows:

22

.

.

Equivalent Key Derivation Algorithm

• Let be fi function in the r-th round.

• We write the input and output strings of as and , respectively.

• Let (K1,K2,K3,K4) be the partition of OK1 or OK2 into 32-bit

strings.• Let (C1,C2,C3,C4) be the partition of CST1 or CST2 into 32-bit

strings.

23

Equivalent Key Derivation Algorithm

If we can derive (K1,K2,K3,K4) that satisfies

this implies that we have derived the equivalent key.

• Lemma 3. For arbitrarily fixed , and , where , the corresponding value of (K1,K2,K3,K4)

can be derived.

24

Step 1. Fix any 　 and that satisfy and .

25

Step 2. Fix any and .

Step 3. Derive (K1,K2,K3,K4) by using Lemma 3.

Step 4. Compute from (K1,K2,K3,K4), and proceed to Step 5 if is satisfied.

Otherwise return to Step 2.Step 5. Compute from (K1,K2,K3,K4), and output (K1,K2,K3,K4) and halt if is

satisfied. Otherwise return to Step 2.

Time Complexity of the Algorithm

• The probability that both 　 and are satisfied is

Therefore, we may expect that the algorithm returns (K1,K2,K3,K4) after trying 252 values of .

26

.

Time Complexity of the Algorithm

• The time complexity of the algorithm is computations of fi functions in order to derive both OK1 and OK2.

• This amounts to running encryption functions as there are 96 fi functions in the encryption

function of 256-bit key HyRAL.

27

• We have implemented our algorithm on a supercomputer system at Information Technology Center in Nagoya University.

• The systems we have used are called HX600 and FX1.

　 Number of CPUs/Cores

CPUTotal

memoryHX60

0384/1536

AMDOpteron 8380

6TB

FX1 768/3072 SPARC64 Ⅶ 24TB

Deriving Equivalent Keys

28

• δ = 0xd7d7d0d7, = 0x17170c17, = 0x1717292b

Deriving Equivalent Keys

　 System

Cores

Number of

Running time

OK1

HX600 1024 249 17h17min

OK2

FX1 1024 250 50h37minFX1 512 250 92h25min

HX600 256 251 270h17min

29

Deriving Equivalent Keys

• We have successfully derived one value of OK1 and three

values of OK2.

• Concrete instances of the equivalent keys (δ = 0xd7d7d0d7)

OK10x2fd918837136d461f4bc99938907dd0b

OK2

0xa20ed0f467141b2a3b038abb5f61d59e0xe3a1902aa60b6c3582a9131527d43b2f0x3218a5b25828a0b7d2122283894cc63b

30

Summary

• We showed that there are 250.0 pairs of equivalent keys.

• We developed the algorithm to derive an instance of equivalent keys.

• We demonstrated that we were able to derive concrete instances with the current computing environment.

• As a result, based on the results of this paper, HyRAL did not proceed to the second round evaluation process in the CRYPTREC project.

31