Paper 2023/230

Attacking the IETF/ISO Standard for Internal Re-keying CTR-ACPKM

Orr Dunkelman, University of Haifa
Shibam Ghosh, University of Haifa
Eran Lambooij, University of Haifa

Encrypting too much data using the same key is a bad practice from a security perspective. Hence, it is customary to perform re-keying after a given amount of data is transmitted. While in many cases, the re-keying is done using a fresh execution of some key exchange protocol (e.g., in IKE or TLS), there are scenarios where internal re-keying, i.e., without exchange of information, is performed, mostly due to performance reasons. Originally suggested by Abdalla and Bellare, there are several proposals on how to perform this internal re-keying mechanism. For example, Liliya et al. offered the CryptoPro Key Meshing (CPKM) to be used together with GOST 28147-89 (known as the GOST block cipher). Later, ISO and the IETF adopted the Advanced CryptoPro Key Meshing (ACKPM) in ISO 10116 and RFC 8645, respectively. In this paper, we study the security of ACPKM and CPKM. We show that the internal re-keying suffers from an entropy loss in successive repetitions of the re- keying mechanism. We show some attacks based on this issue. The most prominent one has time and data complexities of $O(2^{\kappa/2} )$ and success rate of $O(2^{−\kappa/4} )$ for a $\kappa$-bit key. Furthermore, we show that a malicious block cipher designer or a faulty implementation can exploit the ACPKM (or the original CPKM) mechanism to significantly hinder the security of a protocol employing ACPKM (or CPKM). Namely, we show that in such cases, the entropy of the re-keyed key can be greatly reduced.

Available format(s)
Attacks and cryptanalysis
Publication info
Published by the IACR in TOSC 2023
CTR-ACPKMMulti-user AttackEntropy LossKey Collision
Contact author(s)
orrd @ cs haifa ac il
sghosh03 @ campus haifa ac il
eran @ hideinplainsight io
2023-02-21: approved
2023-02-20: received
See all versions
Short URL
Creative Commons Attribution


      author = {Orr Dunkelman and Shibam Ghosh and Eran Lambooij},
      title = {Attacking the IETF/ISO Standard for Internal Re-keying CTR-ACPKM},
      howpublished = {Cryptology ePrint Archive, Paper 2023/230},
      year = {2023},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.