Improved Meet-in-the-Middle Attacks on Reduced Round Kuznyechik

Kuznyechik is an SPN block cipher that was recently selected by the Russian Federation for standardization as a new GOST cipher. The cipher employs a 256-bit key, from which ten 128-bit round keys are generated. The encryption procedure updates the 16-byte state by iterating the round function for nine rounds. In this work, we improve the previous 5-round Meet-in-the-Middle (MitM) attack on Kuznyechik by presenting a 6-round attack that uses the MitM with differential enumeration technique. Unlike previous distinguishers, which rely only on the structural properties of the Maximum Distance Separable (MDS) linear transformation layer of the cipher, our 3-round distinguisher is computed from the exact values of the coefficients of this MDS transformation. More specifically, we first identify the MDS matrix used in this cipher. Then, we find all relations between subsets of the inputs and outputs of this linear transformation. Finally, we use one of these relations to find the distinguisher that best optimizes the time complexity of the attack. Also, instead of placing the distinguisher in the middle rounds of the cipher as in the previous 5-round attack, we place it at the first 3 rounds, which converts the attack from the chosen-ciphertext model to the chosen-plaintext model. Then, to extend the distinguisher by 3 rounds, we perform the matching between the offline and online phases around the linear transformation instead of matching on a single state byte.
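The first step the abstract describes, identifying the MDS matrix of the linear layer, can be reproduced from the public definition of the cipher. The Python below is an added example written for this page, not code from the paper: it implements the linear layer L as specified in GOST R 34.12-2015 (an LFSR over GF(2^8) with reduction polynomial 0x1C3 and sixteen tap coefficients, applied sixteen times), derives the 16x16 matrix over GF(2^8) by applying L to the unit vectors, and cross-checks the matrix form against the LFSR form and its inverse. The function names (kuz_R, kuz_L, mds_matrix and so on) are my own.

```python
# Added example (not from the paper): reconstruct the 16x16 matrix of the
# Kuznyechik linear layer L from its LFSR description in GOST R 34.12-2015.
from functools import reduce

# GF(2^8) reduction polynomial x^8 + x^7 + x^6 + x + 1 and the 16 LFSR tap
# coefficients, both as given in GOST R 34.12-2015. KUZ_LVEC[i] multiplies
# byte i of the state, with byte 0 being the leftmost byte of the hex form.
KUZ_POLY = 0x1C3
KUZ_LVEC = (148, 32, 133, 16, 194, 192, 1, 251, 1, 192, 194, 16, 133, 32, 148, 1)


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo KUZ_POLY (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= KUZ_POLY
        b >>= 1
    return r & 0xFF


def kuz_l(state: bytes) -> int:
    """Feedback byte of the LFSR: XOR over i of KUZ_LVEC[i] * state[i]."""
    return reduce(lambda acc, pair: acc ^ gf_mul(pair[0], pair[1]),
                  zip(KUZ_LVEC, state), 0)


def kuz_R(state: bytes) -> bytes:
    """One LFSR step: feedback byte goes in front, the other bytes shift right."""
    return bytes([kuz_l(state)]) + state[:15]


def kuz_R_inv(state: bytes) -> bytes:
    """Inverse LFSR step: recover the byte shifted out (its tap coefficient is 1)."""
    a0 = state[0]
    for coeff, b in zip(KUZ_LVEC[:15], state[1:]):
        a0 ^= gf_mul(coeff, b)
    return state[1:] + bytes([a0])


def kuz_L(state: bytes) -> bytes:
    """L = R^16, the full linear layer of Kuznyechik."""
    for _ in range(16):
        state = kuz_R(state)
    return state


def kuz_L_inv(state: bytes) -> bytes:
    """Inverse linear layer, sixteen inverse LFSR steps."""
    for _ in range(16):
        state = kuz_R_inv(state)
    return state


def mds_matrix():
    """Derive M with L(x) = M * x over GF(2^8): column j of M is L(e_j)."""
    cols = [kuz_L(bytes(1 if i == j else 0 for i in range(16))) for j in range(16)]
    return [[cols[j][i] for j in range(16)] for i in range(16)]


def kuz_L_matrix(state: bytes, m) -> bytes:
    """Evaluate L as a matrix-vector product, to cross-check the LFSR form."""
    return bytes(reduce(lambda acc, j: acc ^ gf_mul(m[i][j], state[j]), range(16), 0)
                 for i in range(16))


def all_entries_nonzero(m) -> bool:
    """Necessary (not sufficient) condition for M to be MDS: every 1x1 minor is nonzero."""
    return all(m[i][j] != 0 for i in range(16) for j in range(16))


# The matrix itself, computed once at import time.
KUZ_M = mds_matrix()

if __name__ == "__main__":
    # Constructed input: the L test vector of the standard's worked example.
    x = bytes.fromhex("64a59400000000000000000000000000")
    print("L(x) via LFSR   :", kuz_L(x).hex())
    print("L(x) via matrix :", kuz_L_matrix(x, KUZ_M).hex())
    print("first row of M  :", " ".join(f"{c:02x}" for c in KUZ_M[0]))
```

The check in all_entries_nonzero is only the weakest MDS condition; a full verification would test that every square submatrix of M is nonsingular, which is what justifies the branch-number arguments that structural distinguishers rely on. The matrix M is what the abstract's coefficient-based distinguisher works from, since relations between subsets of input and output bytes are read off its rows.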
