Cryptology ePrint Archive: Report 2015/1227

Single Key Recovery Attacks on 9-round Kalyna-128/256 and Kalyna-256/512

Akshima and Donghoon Chang and Mohona Ghosh and Aarushi Goel and Somitra Kumar Sanadhya

Abstract: The Kalyna block cipher was recently established as the Ukrainian encryption standard in June 2015. It was selected in a Ukrainian National Public Cryptographic Competition running from 2007 to 2010. Kalyna supports block sizes and key lengths of 128, 256 and 512 bits. Denoting the variants of Kalyna as Kalyna-$b/k$, where $b$ denotes the block size and $k$ denotes the key length, the design specifies $k \in \{b, 2b\}$. In this work, we re-evaluate the security bound of some reduced-round Kalyna variants, specifically Kalyna-$128/256$ and Kalyna-$256/512$, against key recovery attacks in the single key model. We first construct new 6-round distinguishers and then use these distinguishers to demonstrate 9-round attacks on these Kalyna variants. These attacks improve the previous best 7-round attacks on the same.

Our 9-round attack on Kalyna-128/256 has data, time and memory complexity of $2^{105}$, $2^{245.83}$ and $2^{226.86}$ respectively. For our 9-round attack on Kalyna-256/512, the data/time/memory complexities are $2^{217}$, $2^{477.83}$ and $2^{443.45}$ respectively. The time and data complexities for Kalyna-256/512 reported in this work improve upon the previous best 7-round attack complexities on the same. The attacks presented in this work are currently the best on Kalyna. We apply the multiset attack, a variant of the meet-in-the-middle attack, to achieve these results.

Category / Keywords: secret-key cryptography / Block cipher, Kalyna, Key Recovery, Differential enumeration, Single key model

Original Publication (with major differences): ICISC 2015

Date: received 23 Dec 2015

Contact author: aarushi12003 at iiitd ac in


Version: 20151223:210544

Short URL: ia.cr/2015/1227
