2015 Reports : Cryptology ePrint Archive Forum


Discussion forum for Cryptology ePrint Archive reports posted in 2015. Please put the report number in the subject.

2015/650 It looks like not secure

Posted by: **movax** (IP Logged)

Date: 05 July 2015 00:27

I have had a brief look into that "new cipher", and it seems to me that it is weak. The reason is that for each 8-bit word x of the state/input plaintext there is a mapping (although secret) to another word y of the ciphertext, independently of the adjacent words. This is true if we remove the very first and the very last arithmetic addition modulo 2^64, and it is true for the full version with a very high probability (probability of the carry bit). The mapping x->y of each word can be seen as an S-box for that individual mapping, and it is constant for the same key/iv setup. After roughly 256+ known plaintext-ciphertext pairs the mapping is then revealed (even without having to derive the secret key, although this might also be possible with a little more thinking).

Posted by: **Oleksandr Kazymyrov** (IP Logged)

Date: 05 July 2015 09:03

It seems like guessing. Do you have a formal proof of "... for each 8-bit word x of the state/input plaintext there is a mapping (although secret) to another word y of the ciphertext, independently of the adjacent words."?

Posted by: **Oleksandr Kazymyrov** (IP Logged)

Date: 05 July 2015 16:11

The answer of Roman Oliynykov is presented below, while his account is awaiting approval.

"Thanks for your interest in Kalyna, but your hypothesis is incorrect. It seems to you that it's possible to split the whole 128-bit cipher into 16 independent 8-bit ciphers, and that only arithmetic addition modulo 2^{64} prevents you. It's not true; you don't take into account the linear operations of the cipher. Otherwise you could easily do the same with AES, Camellia and many other byte-oriented symmetric primitives and break them with a chosen plaintext attack of 2^8 complexity. You can practically check (and disprove) your hypothesis by fixing any 15 input bytes of the plaintext and changing the remaining byte, looking at the change in the ciphertext. You can take any implementation of AES (which does not have modular addition). Optimized implementations of Kalyna, as well as AES, you can download from here: [github.com]."

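The experiment Roman Oliynykov proposes (fix 15 plaintext bytes, vary the remaining one, watch the ciphertext), and the per-word "secret S-box" that movax's first post hypothesises, can both be checked with a few lines of code. The script below is an added example written for this thread; it is not code from the forum, from the Kalyna authors or from the linked repository. It uses a self-contained textbook AES-128 (no modular addition, as Roman suggests) rather than Kalyna, with a constructed key and two arbitrary 15-byte contexts. The `rounds` parameter is an assumption added for the experiment: a 1-round variant has no MixColumns at all, which is exactly the "16 independent 8-bit ciphers" picture, so the two cases can be compared side by side.

```python
# Added example (not from the thread or the Kalyna authors): the byte-diffusion
# check on textbook AES-128. Educational code: not constant-time, not for production.

def _xtime(a):
    # Multiply by x in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1.
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a

def _gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _build_sbox():
    # S-box = multiplicative inverse in GF(2^8) followed by the AES affine map.
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gf_mul(x, y) == 1), 0)
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()

def _expand_key(key):
    # AES-128 key schedule; returns 11 round keys as flat 16-byte lists.
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord, SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def _shift_rows(s):
    # State is column-major: index i is row i % 4, column i // 4.
    return [s[(i + 4 * (i % 4)) % 16] for i in range(16)]

def _mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [_gf_mul(a0, 2) ^ _gf_mul(a1, 3) ^ a2 ^ a3,
                a0 ^ _gf_mul(a1, 2) ^ _gf_mul(a2, 3) ^ a3,
                a0 ^ a1 ^ _gf_mul(a2, 2) ^ _gf_mul(a3, 3),
                _gf_mul(a0, 3) ^ a1 ^ a2 ^ _gf_mul(a3, 2)]
    return out

def aes128_encrypt(key, block, rounds=10):
    # rounds < 10 is an added reduced-round variant for comparison. The final
    # round always omits MixColumns, so rounds=1 has no column mixing at all.
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for r in range(1, rounds + 1):
        s = _shift_rows([SBOX[b] for b in s])
        if r != rounds:
            s = _mix_columns(s)
        s = [b ^ k for b, k in zip(s, rk[r])]
    return bytes(s)

def changed_positions(key, base, pos, rounds=10):
    # Fix 15 plaintext bytes, run byte `pos` through all 256 values and report
    # which ciphertext byte positions ever change.
    ref = aes128_encrypt(key, base, rounds)
    changed = set()
    for x in range(256):
        p = bytearray(base)
        p[pos] = x
        c = aes128_encrypt(key, bytes(p), rounds)
        changed.update(i for i in range(16) if c[i] != ref[i])
    return sorted(changed)

def table_transfer_rate(key, pos, ctx_a, ctx_b, rounds=10):
    # Build the hypothesised per-byte "S-box" x -> ciphertext[pos] with the
    # other 15 bytes set to ctx_a, then see how often it still predicts the
    # ciphertext byte when the other 15 bytes are ctx_b instead.
    def enc_byte(ctx, x):
        p = bytearray(ctx)
        p[pos] = x
        return aes128_encrypt(key, bytes(p), rounds)[pos]
    table = {x: enc_byte(ctx_a, x) for x in range(256)}
    hits = sum(1 for x in range(256) if enc_byte(ctx_b, x) == table[x])
    return hits / 256

# Constructed inputs: a fixed key and two arbitrary contexts for the other 15 bytes.
KEY = bytes(range(16))
CTX_A = bytes(range(16))
CTX_B = bytes(0xA5 for _ in range(16))

if __name__ == "__main__":
    for rounds in (1, 2, 10):
        print(rounds, "round(s): byte 0 reaches", changed_positions(KEY, CTX_A, 0, rounds),
              "| per-byte table transfers:", table_transfer_rate(KEY, 0, CTX_A, CTX_B, rounds))
```

With one round (SubBytes, ShiftRows, AddRoundKey only) plaintext byte 0 reaches exactly one ciphertext byte and the per-byte table built in one context predicts the other context perfectly, which is the situation movax describes. With two rounds MixColumns has spread the difference over a whole column and ShiftRows has scattered it to four positions; with the full ten rounds every ciphertext byte changes and the table built under one choice of the other 15 bytes is right about 1 time in 256 under another choice, i.e. no better than guessing. Byte 0 is used because it sits in row 0, which ShiftRows leaves in place; for other positions the 1-round mapping lands at a different output index but is just as independent.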

Posted by: **movax** (IP Logged)

Date: 05 July 2015 21:41

Hello Roman Oliynykov and others,

I have double-checked my concerns, and I have to confess that you are right and I was wrong. Indeed, the linear transformation is not per-word, as it seemed to me from a brief look, but per-column.

However, how did you create your S-boxes?

Edited 1 time(s). Last edit at 05-Jul-2015 21:57 by movax.


Posted by: **Oleksandr Kazymyrov** (IP Logged)

Date: 06 July 2015 16:40

The generation method for the substitutions is described in [eprint.iacr.org]. All parameters were chosen randomly, except x^{-1}.
