Side-Channeling the Kalyna Key Expansion

  • Conference paper
Topics in Cryptology – CT-RSA 2022 (CT-RSA 2022)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 13161)

Abstract

In 2015, the block cipher Kalyna was approved as the new encryption standard of Ukraine. The cipher is a substitution-permutation network whose design is based on AES but includes several different features. Most notably, the key expansion in Kalyna is designed to resist recovering the master key from the round keys.

In this paper we present a cache attack on the Kalyna key expansion algorithm. Our attack observes the cache access pattern during key expansion, and uses the obtained information together with one round key to completely recover the master key. We analyze all five parameter sets of Kalyna. Our attack significantly reduces the attack cost and is practical for the Kalyna-128/128 variant, where it is successful for over 97% of the keys and has a complexity of only \(2^{43.58}\). To the best of our knowledge, this is the first attack on the Kalyna key expansion algorithm.

To show that the attack is feasible, we run the cache attack on the reference implementation of Kalyna-128/128, demonstrating that we can obtain the required side-channel information. We further perform the key-recovery step on our university’s high-performance compute cluster. We find the correct key within 37 hours and note that the attack requires 50K CPU hours for enumerating all key candidates.

As a secondary contribution, we observe that the additive key whitening used in Kalyna facilitates first-round cache attacks. Specifically, we design an attack that can recover the full first round key with only seven adaptively chosen plaintexts.

Notes

  1. For each byte, the probability of accepting is 3/4. For eight bytes, it is \((3/4)^8 \approx 2^{-3.32}\).

Acknowledgements

We would like to thank all reviewers for the insightful feedback, which has improved the paper.

This work was supported by the ARC Discovery Early Career Researcher Award (project number DE200101577); the ARC Discovery Project (project number DP210102670); the Air Force Office of Scientific Research (AFOSR) under award number FA9550-20-1-0425; The Blavatnik ICRC at Tel-Aviv University; the National Science Foundation under grant CNS-1954712; the Phoenix HPC service at the University of Adelaide; and gifts from AMD, Google, and Intel.

Corresponding author

Correspondence to Chitchanok Chuengsatiansup.

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Chuengsatiansup, C., Genkin, D., Yarom, Y., Zhang, Z. (2022). Side-Channeling the Kalyna Key Expansion. In: Galbraith, S.D. (eds) Topics in Cryptology – CT-RSA 2022. CT-RSA 2022. Lecture Notes in Computer Science(), vol 13161. Springer, Cham. https://doi.org/10.1007/978-3-030-95312-6_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-95311-9

  • Online ISBN: 978-3-030-95312-6
