Please use this identifier to cite or link to this item:
https://hdl.handle.net/2440/134725
Type: | Conference paper |
Title: | Side-Channeling the Kalyna Key Expansion |
Author: | Chuengsatiansup, C.; Genkin, D.; Yarom, Y.; Zhang, Z. |
Citation: | Lecture Notes in Artificial Intelligence, 2022 / Galbraith, S.D. (ed./s), vol.13161, pp.272-296 |
Publisher: | Springer International Publishing |
Publisher Place: | Cham, Switzerland |
Issue Date: | 2022 |
Series/Report no.: | Lecture Notes in Computer Science; 13161 |
ISBN: | 9783030953119 |
ISSN: | 0302-9743; 1611-3349 |
Conference Name: | The Cryptographer’s Track at the RSA Conference (CT-RSA) (1 Mar 2022 - 2 Mar 2022 : virtual online) |
Editor: | Galbraith, S.D. |
Statement of Responsibility: | Chitchanok Chuengsatiansup, Daniel Genkin, Yuval Yarom, and Zhiyuan Zhang |
Abstract: | In 2015, the block cipher Kalyna was approved as the new encryption standard of Ukraine. The cipher is a substitution-permutation network whose design is based on AES, but it includes several different features. Most notably, the key expansion in Kalyna is designed to resist recovering the master key from the round keys. In this paper we present a cache attack on the Kalyna key expansion algorithm. Our attack observes the cache access pattern during key expansion and uses the obtained information, together with one round key, to completely recover the master key. We analyze all five parameter sets of Kalyna. Our attack significantly reduces the attack cost and is practical for the Kalyna-128/128 variant, where it is successful for over 97% of the keys and has a complexity of only 2^43.58. To the best of our knowledge, this is the first attack on the Kalyna key expansion algorithm. To show that the attack is feasible, we run the cache attack on the reference implementation of Kalyna-128/128, demonstrating that we can obtain the required side-channel information. We further perform the key-recovery step on our university's high-performance compute cluster. We find the correct key within 37 hours and note that the attack requires 50K CPU hours for enumerating all key candidates. As a secondary contribution, we observe that the additive key whitening used in Kalyna facilitates first-round cache attacks. Specifically, we design an attack that can recover the full first round key with only seven adaptively chosen plaintexts. |
Rights: | © 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG |
DOI: | 10.1007/978-3-030-95312-6_12 |
Grant ID: | http://purl.org/au-research/grants/arc/DE200101577 http://purl.org/au-research/grants/arc/DP210102670 |
Published version: | https://link.springer.com/book/10.1007/978-3-030-95312-6 |
Appears in Collections: | Computer Science publications |
Files in This Item:
There are no files associated with this item.