#### DMCA

## Single Key Recovery Attacks on 9-round Kalyna-128/256 and Kalyna-256/512

### Citations

382 |
The Design of Rijndael: AES - The Advanced Encryption Standard.
- Daemen, Rijmen
- 2002
(Show Context)
Citation Context ...D is the most significant byte and 0x02 is the least significant byte. The representation in the little endian format would be [ 0x02, 0x03, 0x0A, 0x17, 0x30, 0x05, 0x06, 0xCD] corresponding to bytes =-=[0, 1, 2, 3, 4, 5, 6, 7]-=- of a column respectively. Key Scheduling Algorithm. The key scheduling algorithm of Kalyna first involves splitting of the master key K into two parts - Kα and Kω. If the block size and key size are ... |

22 | A.A.: A meet-in-the-middle attack on 8-round AES
- Demirci, Selçuk
- 2008
(Show Context)
Citation Context ... 29]. Now, according to the key schedule algorithm of Kalyna-128/256 from K3, we can compute K2 (according to Eq. 1) which allows us to compute the corresponding U2. Thus, by comparing the computed U2=-=[4, 5, 14, 15, 16, 17, 26, 27]-=- with the deduced U2[4, 5, 14, 15, 16, 17, 26, 27], a sieve of 8-bytes (since matching probability is 2 −64 ) can be applied. Similarly, knowledge of K4[2, 3, 6, 7, 8, 9, 12, 13, 18, 19, 22, 23, 24, 2... |

20 |
Rebound distinguishers: results on the full whirlpool compression function.
- Lamberger, Mendel, et al.
- 2009
(Show Context)
Citation Context ...r decreasing the attack complexities on AES. Derbez at al. in [5] improved Dunkelman et al.'s attack on AES-192/256 by refining the differential enumeration technique. By using reboundlike techniques =-=[8]-=-, they showed that the number of reachable multisets are much lower than those counted in Dunkelman et al.'s attack. This improvement allowed mounting of comparatively efficient attacks on AES and als... |

15 | A.: Improved Single-Key Attacks on 8-Round AES-192 and AES-256
- Dunkelman, Keller, et al.
(Show Context)
Citation Context ...precomputation complexity goes higher than brute force for Kalyna-128/256. In order to reduce the number of multisets, we apply the Differential Enumeration technique suggested by Dunkelman et al. in =-=[6]-=- and improved by Derbez et al. in [5]. We call the improved version proposed in [5] as Refined Differential Enumeration. Refined Differential Enumeration. The basic idea behind this technique is to ch... |

13 |
Understanding two-round differentials in AES,
- Daemen, Rijmen
- 2006
(Show Context)
Citation Context ...ferences at Z3, i.e., {Z03 ⊕Z03 , Z13 ⊕Z03 , . . ., Z2553 ⊕Z03} can be easily computed. 7 From now onwards, list denotes an ordered list This also allows her to calculate the list of differences at X4=-=[2, 3, 6, 7, 8, 9, 12, 13, 18, 19, 22, 23, 24, 25, 28, 29]-=-. By guessing X04 [2, 3, 6, 7, 8, 9, 12, 13, 18, 19, 22, 23, 24, 25, 28, 29], the attacker can cross the SB layer in round 4 and calculate the list of differences at X5[8, 9, 28, 29]. By guessing X 0 ... |

12 | Improved Key Recovery Attacks on ReducedRound
- Derbez, Fouque, et al.
- 2013
(Show Context)
Citation Context ...nst Kalyna for rounds ≥ 6. In [1], AlTawy et al. presented the first detailed key recovery attack against standardized Kalyna-128/256 and Kalyna-256/512. They applied meet-in-the-middle (MITM) attack =-=[6,5]-=- to break 7-rounds of both Kalyna variants and demonstrated the best attack on Kalyna so far. In this work, we extend the number of rounds attacked and show the first 9-round key recovery attack again... |

5 | On constructions of MDS matrices from companion matrices for lightweight cryptography
- Gupta, Ray
- 2013
(Show Context)
Citation Context ... the one byte difference at ∆P [31] propagates to 32-byte difference in ∆Z3[0−31] with probability 1. Next, the probability that 32-byte difference in ∆Z3[0−31] propagates to 16-byte difference in ∆X4=-=[2, 3, 6, 7, 8, 9, 12, 13, 18, 19, 22, 23, 24, 25, 28, 29]-=- is 2 −128 . This 16-byte difference in ∆X4 propagates to 4-byte difference in ∆W4[8, 9, 28, 29] followed by 8-byte difference in ∆W5[8− 15] with a probability of 2−96. Thus, the overall probability o... |

3 |
Improved single-key attacks on 9-round AES-192/256
- Li, Jia, et al.
(Show Context)
Citation Context ... if the values of X01 [0 − 7] are known, one can compute the corresponding X11 [0 − 7] and cross the S-box layer in round 1 to get ∆X2. From the bottom side, it can be seen that ∆W5[12] = ∆Z5[8] = ∆Z5=-=[9]-=- = ∆Z5[10] = ∆Z5[11] = 0. Thus, if ∆Z5[12, 13, 14] are known, then using Property 2 (as 8 bytes are known), we can deduce ∆Z5[15] (and ∆W5 [8-11, 13-15]). Knowledge of ∆Z5[8 − 15] allows us to to comp... |

1 |
A Meet-in-the-Middle Attack
- AlTawy, Abdelkhalek, et al.
(Show Context)
Citation Context ...t upto 5 rounds of this variant can be broken. Similar results are claimed for other Kalyna variants as well. The designers of Kalyna thus claim brute force security against Kalyna for rounds ≥ 6. In =-=[1]-=-, AlTawy et al. presented the first detailed key recovery attack against standardized Kalyna-128/256 and Kalyna-256/512. They applied meet-in-the-middle (MITM) attack [6,5] to break 7-rounds of both K... |

1 |
Next Generation of Block Ciphers Providing High-Level Security
- Oliynykov
- 2015
(Show Context)
Citation Context ...bit constant T , we define a multiset v as follows : Ci = f(T ||M i),where (0 ≤ i ≤ 255) (9) ui = 0x94 · Ci[8]⊕ 0xB4 · Ci[9]⊕ 0x4E · Ci[10]⊕ 0x7E · Ci[11]⊕ 0xC0 · Ci[13]⊕ 0xDA · Ci[14]⊕ 0xC5 · Ci[15] =-=(10)-=- v = {u0 ⊕ u0, u1 ⊕ u0, . . . , u255 ⊕ u0} (11) Note that, ( T || M0, T || M1, . . . , T || M255 ) forms a δ-list and atleast one element of v (i.e., u0 ⊕ u0 ) is always zero. Distinguishing Property.... |

1 |
Oleksandr Kazymyrov, Victor Ruzhentsev, Oleksandr Kuznetsov, Yurii Gorbenko, Oleksandr Dyrda, Viktor Dolgov, Andrii Pushkaryov, Ruslan Mordvinov, and Dmytro Kaidalov. A new encryption standard of ukraine: The kalyna block cipher. IACR Cryptology ePrint Ar
- Oliynykov, Gorbenko
(Show Context)
Citation Context ...enumeration, Single key model 1 Introduction The block cipher Kalyna proposed by Oliynykov et al. has been recently selected as Ukranian encryption standard in 2015. The official Kalyna specification =-=[11]-=- defines three block sizes, i.e., 128-bit, 256-bit and 512-bit and three key sizes - 128-bit, 256-bit and 512-bit where key size can be equal to or double the block length. Consequently, if we denote ... |

1 |
Meet-in-the-middle attacks on 10-round AES-256. Designs, Codes and Cryptography
- Rongjia, Chenhui
- 2015
(Show Context)
Citation Context ... X 0 3 [0-15], then the set of differences at Z3, i.e., {Z 0 3 ⊕ Z03 , Z13 ⊕ Z03 , . . ., Z2553 ⊕ Z03} can be easily computed. Now at this stage, she can easily calculate the set of differences at W3 =-=[0, 1, 2, 3, 12, 13, 14, 15]-=- which is equal to the set of differences at X4 [0, 1, 2, 3, 12, 13, 14, 15]. 4 . By guessing X04 [0, 1, 2, 3, 12, 13, 14, 15], the attacker can cross the SB layer in round 4 and calculate the set of ... |