Date post: 16-Jan-2017

Russian cryptography: block ciphers and modes of operation for them

Borodin Mikhail

Yekaterinburg, 2016

Contents

• Block cipher

• History of block ciphers

• GOST 28147-89

• КузНечиК, Kuznyechik

• Modes of operation for block ciphers

Block ciphers

Basic block cipher: a cipher that implements a reversible mapping of the set of plaintext blocks of a fixed length to the set of ciphertext blocks of the same length for any fixed key.

The NIST competition

The algorithm must:

• provide a high level of security

• be completely specified and easy to understand

• be economically implementable in electronic devices

• be available to all users

• be efficient to use

• be exportable

The security of the algorithm must reside in the key; the security should not depend on the secrecy of the algorithm.

The NIST competition, IBM «Lucifer»

[Diagram with the labels: IBM, Lucifer, NIST, NSA, DES.]

What is better?

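DES

[Diagram: one round of the DES Feistel network. The 32-bit halves L_{i-1}, R_{i-1} become L_i, R_i through the round function F, the 48-bit round key K_i and an XOR (+).]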

The NIST competition, AES

Main requirements:

• block size of 128 bits

• three key lengths: 128, 192 and 256 bits

• free distribution

Additional requirements:

• easy hardware and software implementation of the operations used

• focus on 32-bit processors

• simple cipher structure, so that cryptanalysis is possible

AES, Rijndael

[Diagram, two columns.]

Encryption: Input 128-bit → AddRoundKey → (SubBytes → ShiftRows → MixColumns → AddRoundKey) repeated Nr-1 times → SubBytes → ShiftRows → AddRoundKey → Output 128-bit

Decryption: Input 128-bit → AddRoundKey → (InvSubBytes → InvShiftRows → InvMixColumns → AddRoundKey) repeated Nr-1 times → InvShiftRows → InvSubBytes → AddRoundKey → Output 128-bit

GOST 28147-89

Main characteristics:

• block size of 64 bits

• key length of 256 bits

• based on Feistel network

• unfixed 4-to-4-bit S-boxes

• 32 rounds

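GOST 28147-89

[Diagram: one round of the GOST 28147-89 Feistel network. The 32-bit halves L_{i-1}, R_{i-1} become L_i, R_i; the round function F uses the 32-bit round key K_i and is built from an addition (+), the S-boxes and a cyclic shift by 11 bits (<<< 11).]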
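The structure listed above (Feistel network, 32 rounds, 32-bit round keys, 4-to-4-bit S-boxes, shift by 11) written out as an added example; it is not code from the slides or from the standard. The S-box table is constructed for the example because the standard leaves the S-boxes unfixed, and the little-endian key split, the choice of which half enters F, and all function names are assumptions of this sketch, so its output is not comparable with any deployed parameter set.

```python
# Added illustration of the GOST 28147-89 structure, not a reference implementation.
MASK32 = 0xFFFFFFFF

# Eight 4-to-4-bit S-boxes, CONSTRUCTED for this example: row j maps
# x -> (5x + 3j + 1) mod 16, which is a permutation of 0..15.
SBOX = [[(5 * x + 3 * j + 1) % 16 for x in range(16)] for j in range(8)]

def f(r, k):
    """Round function F: add the round key mod 2^32, substitute, rotate left 11."""
    t = (r + k) & MASK32
    s = 0
    for j in range(8):                       # nibble j goes through S-box j
        s |= SBOX[j][(t >> (4 * j)) & 0xF] << (4 * j)
    return ((s << 11) | (s >> 21)) & MASK32

def round_keys(key, decrypt=False):
    """Key schedule: K1..K8 three times, then K8..K1, giving 32 round keys."""
    k = [int.from_bytes(key[4 * i:4 * i + 4], "little") for i in range(8)]
    order = k * 3 + k[::-1]
    return order[::-1] if decrypt else order

def crypt_block(block, key, decrypt=False):
    """Run the 32-round Feistel network over one 64-bit block given as an int."""
    left, right = block >> 32, block & MASK32
    for k in round_keys(key, decrypt):
        left, right = right, left ^ f(right, k)
    return (right << 32) | left              # halves are not swapped after the last round

def demo():
    key = bytes(range(32))                   # constructed 256-bit key
    pt = 0x0123456789ABCDEF                  # constructed plaintext block
    ct = crypt_block(pt, key)
    return pt, ct, crypt_block(ct, key, decrypt=True)

if __name__ == "__main__":
    pt, ct, back = demo()
    print(f"{pt:016x} -> {ct:016x} -> {back:016x}")
```

Decryption is the same network with the round keys in reverse order, and that holds for any S-box table because a Feistel network never has to invert F.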

GOST 28147-89

Disadvantages:

• small block length

• there are theoretical attacks

Advantages:

• high-speed software and hardware implementations

• compact implementations exist

• the lack of practical attacks

Features:

• unfixed S-boxes

• simple key schedule

GOST R 34.12-2015 «КузНечиК», Kuznyechik

Main characteristics:

• block size of 128 bits

• key length of 256 bits

• based on SP-network

• 8-to-8-bit S-box

• recursive MDS-code

Kuznyechik

[Diagram, two columns.]

Encryption: Input 128-bit → (X → S → L) repeated 9 times → X → Output 128-bit

Decryption: Input 128-bit → (X → Inv L → Inv S) repeated 9 times → X → Output 128-bit

Kuznyechik, implementations

Platform: i7-2600 @ 3.4GHz, Win7, Compiler VS2008 x64:

• Encryption - 138 MB/sec (24 c/byte)

• Decryption - 120 MB/sec (27 c/byte)

NVIDIA GeForce GTX TITAN (2688 CUDA cores, 6 GB GPU memory), Intel Core i7-4770K:

• Encryption - 5518 MB/sec

Modes of operation

• Electronic Codebook, ECB

• Counter, CTR

• Output Feedback, OFB

• Cipher Block Chaining, CBC

• Cipher Feedback, CFB

• Message Authentication Code algorithm

Padding

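Let $r = |P| \bmod n$, where $|P|$ is the length of the message $P$ in bits and $n$ is the block length in bits.

1. $P^* = P$ if $r = 0$; otherwise $P^* = P \,\|\, 0^{n-r}$

2. $P^* = P \,\|\, 1 \,\|\, 0^{n-r-1}$

3. $P^* = P$ if $r = 0$; otherwise $P^* = P \,\|\, 1 \,\|\, 0^{n-r-1}$

[Diagram: a message made of n-bit blocks ending in an r-bit block, which the padding extends by (n-r) bits.]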
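The three padding procedures above as an added example (not code from the slides), with messages held as strings of "0"/"1" so that lengths need not be whole bytes. The block length of 64 bits, the function names and the sample messages are assumptions of the example; it also checks which procedures can map two different messages to the same padded string.

```python
# Added illustration of the three padding procedures; inputs are bit strings.
N = 64  # block length n in bits, chosen for the example


def pad1(p, n=N):
    """Procedure 1: append zeros up to a block boundary; nothing if r = 0."""
    r = len(p) % n
    return p if r == 0 else p + "0" * (n - r)


def pad2(p, n=N):
    """Procedure 2: always append 1 and n-r-1 zeros (a whole block if r = 0)."""
    r = len(p) % n
    return p + "1" + "0" * (n - r - 1)


def pad3(p, n=N):
    """Procedure 3: as procedure 2, but full-block messages stay unchanged."""
    r = len(p) % n
    return p if r == 0 else p + "1" + "0" * (n - r - 1)


def unpad2(padded):
    """Invert procedure 2: drop the trailing zeros, then the marker bit."""
    body = padded.rstrip("0")
    if not body.endswith("1"):
        raise ValueError("malformed padding")
    return body[:-1]


def collides(pad, a, b):
    """True if two different messages produce the same padded string."""
    return a != b and pad(a) == pad(b)


if __name__ == "__main__":
    a, b = "1011", "10110"                  # constructed messages
    print("procedure 1 collides:", collides(pad1, a, b))
    print("procedure 2 collides:", collides(pad2, a, b))
    m = "1" * 60                            # constructed 60-bit message
    print("procedure 3 collides:", collides(pad3, m, pad3(m)))
```

Only procedure 2 can be removed unambiguously by the receiver; procedures 1 and 3 need the message length or the padded/unpadded case to be known from elsewhere.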

[Slides with a diagram of each mode: Electronic Codebook, ECB; Counter, CTR; Output Feedback, OFB; Cipher Block Chaining, CBC; Cipher Feedback, CFB; Message Authentication Code algorithm.]

Thank you for your attention!
