Next Article in Journal
Influence of Varying Functionalization on the Peroxidase Activity of Nickel(II)–Pyridine Macrocycle Catalysts: Mechanistic Insights from Density Functional Theory
Next Article in Special Issue
A Skyline-Based Decision Boundary Estimation Method for Binominal Classification in Big Data
Previous Article in Journal
Simulation of Fire with a Gas Kinetic Scheme on Distributed GPGPU Architectures
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Algebraic Analysis of a Simplified Encryption Algorithm GOST R 34.12-2015

1
Department of Information Security, Southern Federal University, Rostov Oblast 347922, Russia
2
LLC TopSoft (Altarix), Moscow 440000, Russia
*
Author to whom correspondence should be addressed.
Computation 2020, 8(2), 51; https://doi.org/10.3390/computation8020051
Submission received: 20 April 2020 / Revised: 18 May 2020 / Accepted: 18 May 2020 / Published: 28 May 2020
(This article belongs to the Special Issue Recent Advances in Computation Engineering)

Abstract

:
In January 2016, a new standard for symmetric block encryption was established in the Russian Federation. The standard contains two encryption algorithms: Magma and Kuznyechik. In this paper we propose to consider the possibility of applying the algebraic analysis method to these ciphers. To do this, we use the simplified algorithms Magma ⊕ and S-KN2. To solve sets of nonlinear Boolean equations, we choose two different approaches: a reduction and solving of the Boolean satisfiability problem (by using the CryptoMiniSat solver) and an extended linearization method (XL). In our research, we suggest using a security assessment approach that identifies the resistance of block ciphers to algebraic cryptanalysis. The algebraic analysis of an eight-round Magma (68 key bits were fixed) with the CryptoMiniSat solver demanded four known text pairs and took 3029.56 s to complete (the search took 416.31 s). The algebraic analysis of a five-round Magma cipher with weakened S-boxes required seven known text pairs and took 1135.61 s (the search took 3.36 s). The algebraic analysis of a five-round Magma cipher with disabled S-blocks (equivalent value substitution) led to getting only one solution for five known text pairs in 501.18 s (the search took 4.92 s). The complexity of the XL algebraic analysis of a four-round S-KN2 cipher with three text pairs was 236.33 s (took 1.191 Gb RAM).

1. Introduction

The discussion of the potential vulnerability of algebraic analysis has attracted the attention of scientists all over the world to the algebraic methods of attack on information protection systems. The advantage of this method, compared to those described above, is in obtaining the correct encryption key in the presence of a small number of known pairs of plaintext/ciphertext. Mostly algebraic analysis is focused on nonlinear primitives of encryption algorithms and is based on describing the encryption algorithm in the form of systems of nonlinear equations connecting the secret key and the known data. In the work [1], it is stated that the author performed the analysis of the full-round algorithm GOST 28147-89. At the same time, the work did not disclose the used approaches to the analysis, but gives only a general description of the work done and its approximate complexity.
Referring to the work of C. Shannon [2], we can say that the assessment of reliability information protection with encryption algorithms is equal to doing “as much work as to solve a system of equations with a large number of unknowns”. For a long time, in the process of analyzing block encryption algorithms, most attention was paid to statistical methods of analysis, and algebraic methods of analysis that describe general approaches to the problem of analyzing the reliability of encryption algorithms were not sufficiently taken into consideration.
There are various ways to find solutions of nonlinear Boolean equations systems. During the analysis of science research bases, three main areas were identified in the field of solving such systems used in information security assessment (reliability of encryption algorithms) [3]:
  • SAT solvers: MiniSat, CryptoMiniSat, Glucose, Riss, Slime, Lingeling, Plingeling, CaDiCaL, etc.
  • Methods based on a Gröbner basis: Buchberger’s algorithm, F4, F5, Matrix-F5, Tropical F5, Method of Four Russians, etc.
  • Methods based on the linearization principle: relinearization, extended linearization (XL), extended sparse linearization (XSL), MutantXL, FXL, ElimLin, etc.
The above algebraic analysis methods are being actively developed and improved as applied to cryptographic algorithms (especially lightweight, because of their simplified mathematical structure). There are some recent results published on the topic of algebraic analysis (namely linearization methods and SAT solving). Taking into account the importance of substitution S-boxes for algebraic analysis, we note research [4], which discussed the effects of S-box representation on the efficiency of the algebraic analysis of block ciphers. Additionally, algebraic analysis is based on representation addition modulo 2n operations and their influence on efficiency is discussed in [5].
We should note that paper [6] aimed at analyzing the practical effectiveness of algebraic attacks using experiments for reduced block ciphers (an algebraic attack was implemented on a reduced LowMC cipher). As the basis of the attack, a dynamical elimination algorithm was developed. The research [7] is devoted to the development and analysis of quantum algorithms for solving a system of quadratic equations. The complexity calculations of the algorithms XL, FXL, ReversibleXL and GroverXL for random systems are performed. Research [8] is focused on the application of the XL algorithm to generic systems with 32 variables and 64 equations over GF16. Experiments have been carried out on two computer systems: a 64-core NUMA system and an8-node InfiniBand cluster, and a comparison of the investigated implementation of an XL algorithm with PWXL (a parallel implementation of XL) and Faugère’s F4 algorithms was also made. Algebraic attack (by a linearization method) on two/three/four rounds of Keccak-384 and two/three rounds of Keccak-512 were investigated in paper [9]. Paper [10] describes the application of algebraic cryptanalyses to 12-round LBlock, six-round MIBS, seven-round PRESENT and nine-round SKINNY lightweight block ciphers. A new approach to simplify the equation system was presented (by using additional polynomial relations—linear relation between intermediate state bits). Research [11] demonstrated that the block ciphers Jarvis and Friday (members of the MARVELlous family of cryptographic primitives) are vulnerable to Gröbner basis attacks. Algebraic attacks on reduced- and full-round DESL (a lightweight version of DES) are presented in [12].
Paper [13] describes the SAT-based algorithm to determine the multiplicative complexity of a Boolean function. A SAT-based cryptanalysis for the Grain v1 stream cipher is presented in [14]. Practical SAT-based guess-and-determine attacks for several stream ciphers are developed in [15]. The dissertation [16] describes an opportunity of synergy between Gröbner-like and DPLL-like solving. The author presented new types of solving algorithms (SRES) and made some experiments of algebraic fault attacks on the symmetric ciphers LED and derivatives of the block cipher AES.
In this paper, we consider the possibility of using linearization methods and SAT solvers to analyze information security properties for Russian symmetric block encryption standards and their modified versions.
Also we propose considering approaches to algebraic cryptanalysis of the simplified algorithms Magma and Kuznyechik (S-KN2, which is presented in [17]). The paper is organized as follows: Section 1 contains a brief description of the Russian symmetric block encryption standard GOST R 34.12-2015 and how its simplified versions are applied. Section 2 is devoted to the investigation of the basic algebraic analysis methods extended linearization and SAT solving. Section 3 includes proposed security assessment approaches and their input and output parameters. In Section 4 we consider algorithms for describing encryption transformations as systems of linearly independent equations (we fixed two basic nonlinear elements: S-box and addition modulo 2n). Section 5 presents the experimental results of applying algebraic analysis methods to the Magma cipher (some versions) and S-KN2 cipher.

2. GOST R 34.12-2015

GOST R 34.12-2015 was introduced as a new symmetric block cipher standard in Russia in 2016 [18]. The standard contains the descriptions of two encryption algorithms: the Magma cipher (GOST R 34.12-2015 n = 64) and Kuznyechik cipher (GOST R 34.12-2015 n = 128). We describe both of them below, as well as the simplified versions used (Magma ⊕ and S-KN2).

2.1. Magma Cipher (GOST R 34.12-2015 n = 64) and Magma ⊕

The Magma encryption algorithm is part of the symmetric encryption standard in the Russian Federation [18]. Previously, this encryption algorithm was called GOST 28147-89 and was slightly different from the current version. In the earlier version of the cipher, unfixed S-boxes were used. The Magma cipher is a symmetric block cipher designed according to the Feistel scheme. In Electronic Codebook (ECB) mode, 64 bits of a data block (T) are converted to 64 bits of ciphertext (C) under the influence of a 256-bit secret key. According to Feistel’s scheme, a data block is divided into two parts, each part containing 32 bits. The right part of the data is processed by the F-function in each round. The F-function consists of three operations:
  • Mixing data with secret key bits using module 232 addition;
  • S-box bit substitution;
  • 11 position cyclic shift to the left.
The F-function output is mixed with the left part of the data block by addition module two. After that, the left and right parts of the text are swapped. The scheme of the Magma encryption algorithm is shown in Figure 1. The S-boxes recommended by the GOST R 34.12-2015 standard for use in the Magma cipher are presented in Table 1.
The round encryption keys for use in each round are retrieved from the original 256-bit key. The original secret key is divided into eight 32-bit parts: K1, K2, K3, K4, K5, K6, K7, and K8. The round keys must be used in direct order from K1 to K8 in rounds one to 24 (three times) and in reverse order from K8 to K1 in rounds 25 to 32.

2.2. Kuznyechik Cipher (GOST R 34.12-2015 n = 128) and S-KN2 Cipher

The Kuznyechik cipher has been part of the government standard for symmetric data encryption in the Russian Federation since 2016. A full description of the encryption can be found in [18]. The cipher is based on the substitution and permutation network principle. The cipher input contains a data block of 128 bits, and the cipher text of 128 bits is generated at the output. For conversion, the secret key of 256 bits is used. The cipher starts by mixing the data with the first round key (addition module 2). After that, nine rounds of encryption are performed. Each round of encryption consists of three operations:
  • Byte exchange with S-block;
  • linear mixing bits L;
  • mixing data with secret key bits using module 2 addition.
The output of the ninth round of encryption forms the ciphertext. In order to decrypt the data, the reverse order of operations must be used, the operations must be inversed, respectively, and the round keys must also be used in reverse order.
All operations in Kuznyechik are performed in the finite field GF (2)[x]/p(x), where p(x) = x8 + x7 + x6 + x + 1 ∈ GF (2)[x]. Kuznyechik uses the following steps:
  • Byte exchange with S-block. The data block is divided into 16 bytes. Each byte is replaced by a new value according to the table defined in the standard;
  • linear mixing bits L. The operation is performed by using the multiplication of polynomials in the given field. Multiplication is performed 16 times until all bytes are changed;
  • mixing data with secret key bits using module 2 addition.
The secret key is divided into two parts, K1 and K2, which form the first two round key connections. These keys are used as inputs into a special Feistel scheme to form the remaining round keys.
The Kuznyechik cipher is a new algorithm and has not been sufficiently researched. The investigation of its properties is important. Applying simplified models for finding cryptographic properties is a common approach in cryptography.
For example, the S-DES algorithm, proposed by E. Schaefer and W. Stollings, is widely used for educational purposes [19]. A few simplified versions of AES were proposed by various authors: Rafael Chun-Wei Fan [20], Mohammed Musa, Edward Schaefer, and Stephen Vedig [21], Henri Gilbert [22], and others. These ciphers are used not only in education, but also to model various types of cryptanalytic attacks. Linear cryptanalysis of S-DES was proposed in [23]. The possibility of using differential cryptanalysis in addition to linear cryptanalysis is presented in [24]. The authors of [25] investigate the use of heuristic cryptanalysis for S-DES analysis. The authors of [26] present an approach to the cryptanalysis of S-DES using a genetic algorithm. The attack is carried out only on ciphertext, and on the basis of fitness function, many optimal keys are created. The authors of [27] present a new cryptanalysis attack aimed at the ciphertext generated by S-DES. The attack was carried out using a modified version of the BPSO (binary particle swarm optimization) algorithm. It is clear from the publication date that simplified versions of DES are still of interest to cryptographers. The number of publications on S-AES is no less. The authors of [28] present an approach to S-AES analysis using an impossible differential method. B. Hitapuru and S. Indarjani consider the possibility of applying the square attack to mini-AES [29]. The linear cryptanalysis of S-AES is presented by S. Indarjani, D. Mansouri, and H. K. Bizaki [30]. This investigation was continued by S. Campbell et al. [31]. The authors characterize a class of strongly nonlinear S-boxes for which their algorithm is always successful. They also show how to construct S-boxes to make the algorithm more resistant to linear cryptanalysis. S. Simmonds reviewed different approaches to S-AES analysis [32].
Two simplified versions for the Kuznyechik cipher were presented in [17]. The SKN-2 cipher was developed to simulate various cryptographic attack scenarios. The SKN-2 cipher is built in the image and likeness of the original Kuznyechik cipher. It converts a 16-bit data block using an SP network for three rounds. The secret key contains 32 bits. Round keys are generated from the original secret key using four rounds of the Feistel scheme. Each round consists of substitution S, linear transformation L, and the addition with the round subkey modulo two.
The original description of the S-KN2 cipher uses four rounds [17]. However, this amount can be increased easily. If the experiment allows you to use more rounds, then it is necessary to develop additional round keys according to the scheme. The S-KN2 cipher is shown in Figure 2. The first transformation is the mixing of data with the first round key. Hereinafter, data mixing with a round key is performed using modulo 2 addition (XOR operation). Further, each round contains three operations: replacing S, shuffling L, and addition with a round key. Consider each transformation in more detail.
In operation S, the data block is divided into four nibbles. For each nibble, a replacement is performed using Table 2. Table 2 has to be interpreted as follows: the upper row indicates the S-box input, while the lower one indicates the corresponding output. In this case, the inverse table will take the form shown in Table 3. The data in Table 2 and Table 3 are presented in hexadecimal form.
The L transform contains four iterations, each changing one nibble and right shifting another one. The nibbles are modified during encryption, as described by the following formulas:
a′0 = 4*a3 ⊕ a2 ⊕ 3*a1 ⊕ a0.
a′1 = 4*a′0 ⊕ a3 ⊕ 3*a2 ⊕ a1.
a′2 = 4*a′1 ⊕ a′0 ⊕ 3*a3 ⊕ a2.
a′3 = 4*a′2 ⊕ a′1 ⊕ 3*a′0 ⊕ a3.
The information is presented in the form of polynomials for the transformations. Multiplication is performed modulo Ψ(x) = x4 ⊕ x ⊕ 1. In [17], we propose an input–output matches table for polynomial multiplication by three. This table is easy to build and easy to use. A similar table can be constructed for multiplication by four.
For decryption, it is necessary to use the inverse operation L−1 (Figure 2). The following set of equations is used for that:
a3 = 4*a′2 ⊕ a′1 ⊕ 3*a′0 ⊕a′3.
a2 = 4*a′1 ⊕ a′0 ⊕ 3*a3 ⊕ a′2.
a1 = 4*a′0 ⊕ a3 ⊕ 3*a2 ⊕ a′1.
a0 = 4*a3 ⊕a2 ⊕ 3*a1 ⊕a′0.
To generate round keys, the Feistel scheme, shown in Figure 3, is used. The first two round keys (K1 and K2, which are obtained from the original secret key) are considered as input. The right part (key K1) is input into the function F. The function F is also shown in Figure 3 and consists of three operations: addition modulo two for the data block and constant Ci, replacement with the S-box, and linear mixing L. Ci constants are obtained by transforming i with the linear transform L.
Data decryption is implemented in the reverse direction from bottom to top. The inverse operations are applied instead of their counterparts. A sample encryption and decryption by S-KN2 is given in [17].

3. Methods of Algebraic Analysis

3.1. Extended Linearization Method

The extended linearization method (XL) was proposed by N. Courtois, A. Klimov, J. Patarin, and A. Shamir in [33].
Let a field K and a system of quadratic equations m be given, where m is the number of equations of the system. Each equation i of the system is a polynomial of the form f i ( x 1 , , x n ) b i ., where i —is the number of the equation of the system, x 1 , , x n —are unknowns, b —is the free term of the equation. The goal of the extended linearization method is to obtain at least one solution x = ( x 1 , , x n ) K n for a given value of b = ( b 1 , , b m ) K m . All possible multiplications of unknowns x of degree k are denoted as the set W = { j = 1 k x i j , , j = 1 k x e j } , where x i j , x e j { x 1 , , x n } , i 1 , , i k { 1 , 2 , , n } , e 1 , , e k { 1 , 2 , , n } . Let D N , N —the set of natural numbers, then I D —is an ideal, generated by equations of the form w j i , where w j W , j { 1 , 2 , , | W | } , i { 1 , 2 , , m } , k { 1 , 2 , , D 2 } .
Stages of the extended linearization method:
  • Formation of the set W of all possible multiplications of variables x of degree k , where k { 1 , 2 , , D 2 } .
  • Composition of all multiplications of the form w j i I D , where w j W , j { 1 , 2 , , | W | } , i { 1 , 2 , , m } , k { 1 , 2 , , D 2 } .
  • Consideration of each monomial of degree greater than D as a new variable and applying the Gauss elimination method to the equations obtained in (b).
  • Repeat step (c) until the result is at least one equation with a single unknown x i .
  • Simplification of equations and repetition of the process to find the values of other unknowns.
Consider the calculation of the parameter of the XL analysis algorithm. Let D N —parameter of the XL algorithm. The algorithm is based on multiplying all the equations of the system by the products of variables in degree D 2 . As a result of multiplication, we obtain approximately R ( n D 2 ) m new equations. The total number of monomials found in these equations is T = ( n D ) . Most of the resulting equations are linearly independent. In this case, you need to choose a large enough D such that:
R = ( n D 2 ) m ( n D ) = T .
It is obvious that the total number of linearly independent equations cannot exceed the number of monomials T . If the system has a unique solution, then there is a value D , for which the inequality R T . holds. Moreover, the number of linearly independent equations from R will be close enough to the value of T . If the difference between the number of monomials and linearly independent equations is not large, then the system will be solvable. The system will be solved most easily with a very small value of the difference between the number of monomials and linearly independent equations.
It is expected that the value of D , at which the extended linearization method is applicable, will be equal to or close to the theoretical value of the parameter D . In this case, the algorithm of the extended linearization method will be effective, provided that:
R T m ( n D ) / ( n D 2 ) n 2 / D 2 .
From the Formula (1) we obtain that:
D n m .

3.2. SAT Solvers for Solving a System of Boolean Algebraic Equations

Any SAT problem is based on two key stages—checking the feasibility of an arbitrary Boolean function represented in conjunctive normal form (CNF) and finding a set of values at which such CNF is executed. Many SAT solvers are based on the DPLL (Devis, Putnam, Logemann, Loveland) algorithm, which was developed in 1962 precisely to determine the feasibility of Boolean formulas in CNF. For more than half a century, the DPLL algorithm has been the basis for most effective solvers for SAT problems. The main idea of the DPLL algorithm is to use methods to bypass the search tree in depth and apply the single clause rule [34]. The DPLL algorithm splits the set of sought CNF variables into two subsets, A and B, where variables with the value “true” are included in the set A, and variables with the value “false” in the set B. At each step, an arbitrary variable of the CNF is selected and the value “true” is assigned to it (adding a variable to subset A). Then the initial formula is simplified, and the simplified problem is solved. If the CNF obtained after simplification is feasible, then the value of the variable is chosen correctly, otherwise the selected variable is assigned the value “false” and it is transferred to the subset B. The task is solved again for the selected value of the “false” variable. Thus, it will either find the correct value of the variable (“true” or “false”), or it will be proved that the original formula is not feasible.
Each time a variable is checked, the original CNF is simplified according to the following two rules:
  • Variable propagation. If there is only one variable left in the sentence, assign it such a value that the sentence becomes true (put the variable in the subset A if there is no negation in the sentence, or put it in the set B if there is negation).
  • The elimination of “pure variables”. If a variable is found in the formula with only negation or only without negation, then it is called “pure” and it can be assigned such a value that it is always “true” (in this way we reduce the number of free variables).
If, after simplification, an empty clause is received (i.e., all simple conjuncts are false), the formula is not feasible and we return to the previous step. If no free variables remain, then the formula is considered feasible, and the operation of the algorithm can be stopped. If there is no disjoint left (uncommitted free variables can be set arbitrarily), then the check of the feasibility of the CNF also ends.
Consider the representation of the addition operation modulo two in CNF, and let the formula be given
x y z ,
then it should be presented in the form of clauses:
x y ¯ z ¯ , x ¯ y ¯ z , x y z , x ¯ y z ¯ .
You will need to create 2n−1 clauses to describe addition modulo two lengths n.
In order to reduce the number of clauses in the SAT representation, the fragmentation of the modulo two addition operation is used.
The formula of the form
x 0 x 1 x 2 x 3 x 4 x 5 x 6 x 7 ,
can be represented in the SAT solver, as:
y ¯ 0 x 0 x 1 x 2 x 3 , y ¯ 1 x 4 x 5 x 6 x 7 , y 0 y 1 ,
where y 0 = x 0 x 1 x 2 x 3 , y 1 = x 4 x 5 x 6 x 7 .
To simplify the search for solution sets using SAT solvers, a search on variables is also used instead of a search on literals.
For example, to represent the formula:
x 1 x 1 x 2 x 2 x 3 x 1 x 3 ,
each product of the unknowns should be represented as a separate clause, i.e., replaced with additional i1, …, i3 variables
x 1 i 1 i 2 i 3 , i 1 = x 1 x 2 , i 2 = x 2 x 3 , i 3 = x 1 x 3 .
We use the CryptoMiniSat package in the SageMath environment to solve a system of Boolean equations as an SAT problem. CryptoMiniSat is a DPLL-based SAT solver based on the MiniSat. The fundamental differences between CryptoMiniSat and MiniSat solver are as follows:
  • Clauses of addition modulo two are distinguished at the beginning of the search for solutions. They have their own separate search list, a separate extension mechanism, and a categorization algorithm. The use of such opportunities leads to a speed increase in searching for solutions of Boolean equations systems.
  • Clauses of addition modulo two (binary) are processed by special methods. First, the search is usually performed using special heuristics. Secondly, a tree structure is constructed of them, reflecting which of the variables is equivalent or anti-valent. The upper level of the constructed trees is usually replaced by lower values in the tree, thereby reducing the number of classes and variables in the analyzed task. This usually leads to the necessity of reassigning variables.
  • Technical and cryptographic SAT problems are very different, so CryptoMiniSat allows you to change the restart settings and change the type of learning heuristics using the Glucose or MiniSat training methods.
  • Clauses are removed from CNF as soon as at least one of the literals included in this clause takes a value equal to true. Unlike the MiniSat, the literals equal to false are also deleted in the clauses, thereby allowing the clause to be reduced.
  • The removal of dependent variables is carried out among the associated clauses of addition modulo two. Dependent variables are variables that are found only in one clause of addition modulo two. This simplification allows you to remove the variable from the task. It should be remembered that such a variable cannot be removed by using the exclusion of “pure” literals.
  • Variables take values “false” and “true” at fixed intervals. If one of the search branches leads to an error (returning an impracticable formula), then the second branch is checked. Moreover, the results of checking both branches of the search are saved for subsequent comparison.
The proposed algorithm for representing the transformations of substitutions allows us to form a system of Boolean equations describing the transformations in an arbitrary S-box. Using SAT solvers for algebraic analysis can be described in the following steps:
  • Representation of cryptographic transformation as a system of Boolean equations in the algebraic normal form (ANF).
  • Convert the equation system from ANF to CNF.
  • Solve a SAT problem to find a set of solutions by SAT solvers.
After the generation of the system of Boolean nonlinear equations, we substitute the input and output vectors of the S-block through known text pairs (plaintexts and ciphertexts) using a knowledge of encryption algorithm structure. At this stage, a system of Boolean equations presented in algebraic normal form (ANF) is obtained.
To use existed SAT solvers, we should convert the formed system of Boolean equations (in the ANF) to CNF. First, we should simplify the presentation of the equations generated for block ciphers in ANF.
In cryptographic tasks, the application of the following algorithm for converting from ANF to CNF turned out to be effective [35]:
  • Replacing constant 1 by a new unknown, since CNF should not contain constants.
  • Replacing all products of unknowns by new variables (apply the linearization method to the original nonlinear system).
  • The splitting of long chains formed as the addition modulo two unknowns into substrings of shorter length (for example, only four unknowns).
  • Representation of the transformed system in CNF.
In general terms, it can be said that a 2p−1 clause is required to represent the sum of unknowns with a length of p. Defragmentation of long sum chains (length l) for the equation x 0 x 1 x 2 x l 1 = 0 takes the form:
x 0 x 1 x 2 y 0 = 0 , y 0 x 5 x 6 y 1 = 0 , y i 1 x 4 i + 1 x 4 i + 2 y i = 0 , y h x l 3 x l 2 x l 1 = 0 ,
where x0, …, xl−1—are the original unknowns, y0,…,yh—are the new variables used to reduce the number of terms in the sum, l–is the number of the original unknowns, and h + 1—is the number of new variables.
To represent the resulting system in CNF, you can use the anf2cnf conversion library [36,37,38]. Then the system of equations in CNF is transferred to the SAT solver algorithm. We chose CryptoMiniSat 2.5 as one of the most efficient SAT solvers for cryptotasks. We made an experiment in the cloud environment SageMath Cloud [38].

4. Generation of a System of Boolean Equations Describing an Encryption Algorithm

The first step of algebraic analysis is the generation of a system of equations linking known data (plaintexts and ciphertexts) and an encryption key. For most encryption algorithms, a system of equations is constructed for substitution boxes because they are often the only non-linear encryption transformation.
Denote by x i , y i bits of the input and output vector of the substitution box over the field GF(2s), where i N , 0 i s 1 . We need to present the substitution operation in S-boxes in the form of a subsystem of equations valid with probability 1 for all possible input and corresponding output values of the observed S-Box. The common form of the equation describing the transformations in the S-Box can be given by the formula:
i , j = 0 s 1 a i , j x i x j i , j = 0 s 1 β i , j y i y j i , j = 0 s 1 γ i , j x i y j i = 0 s 1 δ i x i i = 0 s 1 ε i y i η = 0
where x i x j is the multiplication of the input bits of the S-box, y i y j is the multiplication of the output bits of the S-box, x i y j is the multiplication of the input and output bits, x i and y i are the input and output bits of the S-box, respectively, and α , β , γ , δ , ε , η are coefficients taking values of 0 or 1.
As part of the research, it is enough to consider the multiplication of two variables, however, for some algorithms (for which the algebraic immunity of substitution box is three), it may be necessary to increase the number of monomials used by including the product of three variables ( x i x j y k , x i y j y k ) into the equations.
In this case, equations will be given by the formula:
i , j = 0 s 1 a i , j , k x i y j y k i , j = 0 s 1 β i , j , k x i x j y k i , j = 0 s 1 γ i , j x i y j i = 0 s 1 δ i x i i = 0 s 1 ε i y i η = 0.
For a substitution box with an input size of s bits, we will get 2t possible equations, where t is the number of monomials in the system of equations. The parameter, t, is calculated by the formula:
t = ( 2 s 2 ) + 2 s + 1 .
When the block size is four bits, the number of monomials in the system is t = 37. Therefore, it is possible to make no more than 237 = 137,438,953,472 quadratic equations. Then, to select from the total number of possible equations, a truth table is formed using only transformations valid to the used substitution box. A general view of the truth table is shown in Table 4.
Some of the found equations, which were valid to the S-box substitution table, turned out to be linearly dependent and were not suitable for further use for algebraic analysis. It was necessary to choose only linearly independent equations for inclusion in the resultant system describing the transformations in the substitution box. When choosing linearly independent equations, we use the following condition [39]:
For any substitution box S ( x 1 , , x s ) ( y 1 , , y h ) , if the condition t > 2s is satisfied, then there are at least t − 2s linearly independent equations valid for all input values of the substitution box.
For the algebraic analysis of a GOST R 34.12-2015 (n = 64) cipher, it will be necessary to expand the system of equations by including the bitwise dependence between the input substitution bits, plaintext bits (or the input round vector), and the secret round key, i.e., to include the equations connecting addition modulo 232. Consider three vectors of n-bit size X = ( x 0 , x n 1 ) , Y = ( y 0 , y n 1 ) , Z = ( z 0 , z n 1 ) : for which addition modulo 2n is performed:
Z = X + Y mod 2 n .
In the modulo 2n addition operation, each result bit z i depends on the previous bits x n 1 , , x i , y n 1 , , y i .
Such transformations can be described as follows through two subsystems [40]:
{ z n 1 =   x n 1     y n 1 , z n 2 =   x n 2     y n 2     c n 2 , z n 3 =   x n 3     y n 3     c n 3 , z i =   x i     y i     c i , z 0 =   x 0     y 0     c 0 . = >   { c n 2 =   x n 1 y n 1 , c n 3 =   x n 2 y n 2     ( x n 2     y n 2 ) c n 2 , c i =   x i 1   y i 1   ( x i 1     y i 1 ) c i 1 , c 0 =   x 1 y 1     ( x 1   y 1 ) c 1 ,
where c n 2 , , c 0 is the transfer coefficients between digits.
In virtue of the considered above systems, it can be noted that the value c i can be immediately expressed through the remaining unknowns and simplified. In this case, we can create the following system describing the transformation of addition modulo 2n:
{ z n 1 = x n 1 y n 1 , z n 2 = x n 2 y n 2 x n 1 y n 1 , z n 3 = x n 3 y n 3 x n 1 y n 1 ( x n 2 y n 2 ) ( x n 2 y n 2 z n 2 ) , z i = x i y i x i + 1 y i + 1 ( x i + 1 y i + 1 ) ( x i + 1 y i + 1 z i + 1 ) , z 0 = x 0 y 0 x 1 y 1 ( x 1 y 1 ) ( x 1 y 1 z 1 ) .
For any n in system of equations, one linear and n 1 quadratic equations are additionally obtained. Thus, to use bitwise dependencies for 32-bit vectors of round keys, the system of equations will include an extra 32 equations for each round key. In this case, for each round key a new variable in the system will be used (an additional 32 unknowns).

5. Assessment Approaches by Algebraic Analysis Methods

In the course of this research, a methodology was proposed for conducting algebraic analysis based on the application of the XL method and SAT solvers [41]. Two main encryption operations (substitution primitives and addition modulo 2n) were considered.
The initial data for the approach are:
  • The mathematical structure of the encryption algorithm;
  • the structure of the substitution operations (as they are defined in the algorithm);
  • available known data (the number of plaintext-ciphertext pairs).
The resulting characteristics of the approach are:
  • the encryption key value (or some sets of possible values);
  • parameters of the nonlinear Boolean equation system: the numbers of equations, unknowns, and monomials;
  • the computational complexity of solving the Boolean equation system;
  • the time complexity of solving the Boolean equation system;
  • the minimal number of known data (text pairs) that are needed to find the key in a reasonable time;
  • the required RAM for analysis.
General diagram of proposed methodology is shown in Figure 4.
SageMath [42] was chosen as the software development environment. The algebraic cryptanalysis was implemented by using the functions of sage.sat.converters.polybori for transforming the equation set from ANF into CNF (CNFEncoder). We applied sage.sat.boolean\_polynomials library [43,44] for access to the functionality of the SAT solver CryptoMiniSat. An IntelCore i5 2.8 GHz 8 GByte PC was used as a test bench, on which we received some numerical experimental results of the algebraic cryptanalysis application to Magma cipher (Table 5).
The algebraic analysis of an eight-round Magma (68 key bits were fixed) with a CryptoMiniSat solver demanded four known text pairs and took 3029.56 s to complete (the search took 416.31 s). During the analysis of an eight round Magma, 68 key bits were fixed: 0–15, 51–55, 64–66, 128–130, 179–183, 192–207, 224–231, and 244–255. The algebraic analysis of a five-round Magma cipher with weakened S-boxes required seven known text pairs and took 1135.61 s (the search took 3.36 s). The algebraic analysis of a five-round Magma cipher with disabled S-blocks (equivalent value substitution) led to getting only one solution for five known text pairs in 501.18 s (the search took 4.92 s).
As seen from the experimental results, to find the only one existing solution for disabled and weakened S-boxes, we need to add more known data (text pairs) to the SAT solvers.
The results of the experiments of time and memory complexity of the Magma cipher algebraic analysis are presented in Figure 5.
The algebraic analysis of Magma ⊕ encryption has the following obtained time dependence for the search for all sets of solutions (Figure 6).
The experimental dependences between the algebraic analysis total time complexity and the number of known plaintexts for the Magma algorithm are presented in Figure 7.
We evaluated the complexity of the algebraic analysis (by the XL method) for a simplified version of the Kuznyechik algorithm, namely S-KN2, without a round subkey generation scheme. For the substitution box (Table 2) we generated the following quadratic system of equations (including 21 linear independent equations):
x 1     x 3     y 1   =   0 , x 0 * x 2     x 1 * x 2     x 1 * x 3     x 0 * y 1     y 2     1   =   0 , x 0 * x 1     x 0 * x 3     x 0 * y 1   =   0 , x 0 * x 2     x 1 * x 2     x 0 * y 1     x 1 * y 1     x 1     y 2   1   =   0 , x 0 * x 3     x 0 * y 1     x 0 * y 2     x 1 * y 2     x 0     x 1     y 2   1   =   0 , x 0 * y 3     x 1 * y 3     x 0     x 1     x 2     x 3     y 2     y 3   =   0 , x 0 * x 3     x 2 * x 3     x 0     x 1     x 3     y 0     y 2     y 3   =   0 , x 1 * x 2     x 1 * y 0     x 2 * y 0     x 0     x 2     x 3     y 0     y 3     1   =   0 , x 1 * x 2     x 0 * x 3     x 2 * y 1     x 0     x 1     x 3     y 0     y 2     y 3   =   0 , x 0 * x 2     x 0 * x 3     x 0 * y 0     x 1 * y 0     x 0 * y 1     x 0 * y 2     x 2 * y 2     x 1     x 3     y 2     y 3   =   0 , x 0 * y 3     x 2 * y 3     x 1     x 2     y 0     y 2     1   =   0 , x 1 * x 2     x 0 * y 0     x 1 * y 0     x 3 * y 0     x 0 * y 3     x 0     x 1     x 2     x 3     y 2     y 3   =   0 , x 0 * x 2     x 1 * x 2     x 0 * y 1     x 3 * y 1     x 3     y 2     1   =   0 , x 0 * y 0     x 1 * y 0     x 0 * y 1     x 3 * y 2     x 0     x 1     x 2     y 3     1   =   0 , x 0 * x 2     x 0 * x 3     x 0 * y 3     x 3 * y 3     x 0     x 1     x 3     y 0     y 2     y 3   =   0 , x 1 * x 2     x 0 * y 0     y 0 * y 1     x 0 * y 3     x 0     x 1     x 2     x 3     y 2     y 3   =   0 , x 0 * x 2     x 1 * y 0     x 0 * y 1     x 0 * y 2     y 0 * y 2     x 0 * y 3     x 0     x 1     y 0     y 2     1   =   0 , x 0 * x 2     x 0 * x 3     y 0 * y 3     x 1     y 2     1   =   0 , x 0 * x 3     x 0 * y 0     x 1 * y 0     x 0 * y 2     y 1 * y 2     x 2     y 2     y 3   =   0 , x 0 * x 2     x 0 * x 3     y 1 * y 3     x 2     y 0   =   0 , x 0 * x 2     x 0 * x 3     y 2 * y 3     x 0     x 2     x 3     1   =   0 ,
For one encryption round at a substitution layer, we get 84 linear independent equations with 32 variables. At the next layer L-transformation, we increase the number of equations by adding four equations with 16 new bit variables:
a′0 = 4*a3 ⊕ a2 ⊕ 3*a1 ⊕a0.
a′1 = 4*a′0 ⊕ a3 ⊕ 3*a2 ⊕ a1.
a′2 = 4*a′1 ⊕ a′0 ⊕ 3*a3 ⊕ a2.
a′3 = 4*a′2 ⊕ a′1 ⊕ 3*a′0 ⊕ a3.
The estimations of the complexity of solving the system by the XL method and maximum required memory are given in Table 6.

6. Conclusions

In this article, we described the main steps of the algebraic analysis of cipher reliability and observed the Russian block encryption standard GOST R 34.12-2015 (n = 64, Magma and n = 128, Kuznyechik). We presented algorithms that can be used to teach the principles of the Kuznyechik block cipher (GOST R 34.12-2015). The S-KN2 algorithm can be used to illustrate popular cryptanalysis attacks against Kuznyechik and other similar block ciphers.
We observed approaches to implementing algebraic analysis to symmetric block ciphers: linearization, extended linearization, extended sparse linearization, and SAT solving. We proposed the experimental results of finding encryption keys with SAT solvers and extended linearization using Magma block ciphers. As examples for the experiment, we chose three fillings of Magma cipher substitution boxes (one from the standard, substitution with equivalent values S(X) = X, and a weak one) and simplified version Magma ⊕. We described the reduction of encryption transformation to a SAT problem. The number of literals and clauses, which are encountered with different numbers of known text pairs, was found. We also computed the evaluated complexity of the algebraic analysis of the S-KN2 cipher by the XL method for some known plaintext number.
The proposed approaches and algorithms can be further used for the security assessment of arbitrary ciphers based on substitutions and addition modulo 2n in terms of their resistance to algebraic cryptanalysis.

Author Contributions

Methodology, E.M.; software, P.P.; validation, E.I., E.M. and P.P. All authors have read and agreed to the published version of the manuscript.

Funding

This research was funded by Southern Federal University.

Conflicts of Interest

The authors declare no conflict of interest. The funders had no role in the design of the study; in the collection, analyses, or interpretation of data; in the writing of the manuscript, or in the decision to publish the results.

References

  1. Courtois, N. Algebraic Complexity Reduction and Cryptanalysis of GOST. Available online: http://www.nicolascourtois.com/papers/gostac11.pdf (accessed on 27 May 2020).
  2. Shannon, C.E. Communication Theory of Secrecy Systems. Bell Syst. Tech. J. 1949, 28, 656–715. [Google Scholar] [CrossRef]
  3. Pasalic, E. On Cryptographically Significant Mappings over GF(2). Available online: Arithmetic of Finite Fields. In Proceedings of the Second International Workshop, WAIFI, Siena, Italy, 6–9 July 2008; pp. 189–204. [Google Scholar]
  4. Arabnezhad-Khanoki, H.; Sadeghiyan, B.; Pieprzyk, J. Algebraic Attack Efficiency Versus S-Box Representation. Available online: https://eprint.iacr.org/2017/007.pdf (accessed on 27 May 2020).
  5. Dehnavi, S.M.; Rishakani, A.M.; Mirzaeeshamsabad, M.R.; Maimani, H.; Pasha, E. Cryptographic Properties of Addition Modulo 2n. Available online: https://eprint.iacr.org/2016/181.pdf (accessed on 27 May 2020).
  6. Greve, B.; Ytrehus, Ø.; Raddum, H. Variable Elimination-a Tool for Algebraic Cryptanalysis. Available online: https://eprint.iacr.org/2019/112.pdf (accessed on 27 May 2020).
  7. Bernstein, D.J.; Yang, B.-Y. Asymptotically Faster Quantum Algorithmsto Solve Multivariate Quadratic Equations. Available online: https://eprint.iacr.org/2017/1206.pdf (accessed on 27 May 2020).
  8. Cheng, C.-M.; Chou, T.; Niederhagen, R.; Yang, B.-Y. Solving Quadratic Equations with XLon Parallel Architectures. Extended Version. Available online: https://eprint.iacr.org/2016/412.pdf (accessed on 27 May 2020).
  9. Liu, F.; Isobe, T.; Meier, W.; Yang, Z. Algebraic Attacks on Round-ReducedKeccak/Xoodoo. Available online: https://eprint.iacr.org/2020/346.pdf (accessed on 27 May 2020).
  10. Arabnezhad-Khanoki, H.; Sadeghiyan, B. Toward a More Efficient Gröbner-Based Algebraic Cryptanalysis. Available online: https://eprint.iacr.org/2019/1415.pdf (accessed on 27 May 2020).
  11. Albrecht, M.R.; Cid, C.; Grassi, L.; Khovratovich, D.; Lüftenegger, R.; Rechberger, C.; Schofnegger, M. Algebraic Cryptanalysis of STARK-Friendly Designs: Application toMARVELlous and MiMC. Available online: https://eprint.iacr.org/2019/419.pdf (accessed on 27 May 2020).
  12. Matheis, K.; Steinwandt, R.; Suárez Corona, A. Algebraic Properties of the Block Cipher DESL. Symmetry 2019, 11, 1411. [Google Scholar] [CrossRef] [Green Version]
  13. Soeken, M. Determining the Multiplicative Complexity of Boolean Functions Using SAT. Available online: https://eprint.iacr.org/2020/530.pdf (accessed on 27 May 2020).
  14. Schaffhauser, A. SAT Solvers and their Limits with NFSR-based Stream Ciphers: An Example with Grain v1. In Proceedings of the Third Central European Cybersecurity Conference (CECC 2019), Munich, Germany, 15–16 November 2019; Association for Computing Machinery: New York, NY, USA, 2019; pp. 1–5. [Google Scholar] [CrossRef]
  15. Pavlenko, A.; Semenov, A.; Ulyantsev, V. Evolutionary Computation Techniques for Constructing SAT-Based Attacks in Algebraic Cryptanalysis. In Applications of Evolutionary Computation; EvoApplications 2019; Lecture Notes in Computer Science; Kaufmann, P., Castillo, P., Eds.; Springer: Cham, Switzerland, 2019; Volume 11454. [Google Scholar]
  16. Horáček, J. Algebraic and Logic Solving Methods for Cryptanalysis. Ph.D. Thesis, University of Passau, Passau, Germany, 2020. Available online: https://opus4.kobv.de/opus4-uni-passau/files/773/horacek_dissertation.pdf (accessed on 27 May 2020).
  17. Ishchukova, E.; Babenko, L.; Anikeev, M. Two Simplified Versions of Kuznyechik Cipher (GOST R 34.12-2015). In Proceedings of the 10th International Conference on Security of Information and Networks, Jaipur, India, 13–15 October 2017; Association for Computing Machinery: New York, NY, USA, 2017; pp. 287–290. [Google Scholar] [CrossRef]
  18. Information Technology Cryptographic Data Security Block Ciphers English Version. Available online: https://tc26.ru/upload/iblock/fc9/GOST_R_34_12_2015_ENG.pdf (accessed on 27 May 2020).
  19. Stallings, W. Cryptography and Network Security: Principles and Practice; Prentice Hall Pub: Upper Saddle River, NJ, USA, 1998; p. 562. [Google Scholar]
  20. Mini Advanced Encryption Standard (Mini-AES): A Testbed for Cryptanalysis Students, by Raphael Chung-Wei Phan. Cryptologia 2002, 26, 283–306. [CrossRef]
  21. Musa, M.A.; Schaefer, E.F.; Wedig, S. A simplified AES algorithm and its linear and differential cryptanalyses. Cryptologia 2003, 27, 148–177. [Google Scholar] [CrossRef]
  22. Gilbert, H. A Simplified Representation of AES. In Advances in Cryptology–ASIACRYPT 2014; Lecture Notes in Computer Science; Sarkar, P., Iwata, T., Eds.; Springer: Berlin/Heidelberg, Germany, 2014; Volume 8873. [Google Scholar]
  23. Sunjiv Soyjaudah, K.M.; Sumithra Devi, K.A. Overview of Linear Cryptanalysis on S-DES and Block Ciphers using Hill Cipher Method. Int. J. Comput. Appl. 2013, 63. [Google Scholar]
  24. Ooi, K.S.; Vito, B.C. Cryptanalysis of S-DES. IACR Cryptol. ePrint Arch. 2002, 2002, 45. Available online: https://eprint.iacr.org/2002/045.pdf (accessed on 27 May 2020).
  25. Nalini, N.; Rao, G.R. Cryptanalysis of Simplified Data Encryption Standard via Optimisation Heuristics. IJCSNS Int. J. Comput. Sci. Netw. Secur. 2006, 6, 240–246. [Google Scholar]
  26. Vimalathithan, R.; Valarmathi, M.L. Cryptanalysis of S-DES using Genetic Algorithm. Int. J. Recent Trends Eng. 2009, 2, 76–79. [Google Scholar]
  27. Dworak, K.; Boryczka, U. Cryptanalysis of SDES Using Modified Version of Binary Particle Swarm Optimization. In Computational Collective Intelligence; Lecture Notes in Computer Science; Núñez, M., Nguyen, N., Camacho, D., Trawiński, B., Eds.; Springer: Cham, Switzerland, 2015; Volume 9330. [Google Scholar]
  28. Phan, R.C.-W. Impossible Differential Cryptanalysis of Mini-AES. Cryptologia 2003, 27, 361–374. [Google Scholar] [CrossRef]
  29. Hitapuru, B.; Indarjani, S. Square attack on Mini-AES and Simplified AES using all variants of active nibble position. In AIP Conference Proceedings; AIP Publishing LLC: Melville, NY, USA, 2016; Volume 1729. [Google Scholar]
  30. Mansoori, S.D.; Bizaki, H.K. On the vulnerability of Simplified AES Algorithm Against Linear Cryptanalysis. IJCSNS Int. J. Comput. Sci. Netw. Secur. 2007, 7, 257–263. [Google Scholar]
  31. Campbell, S.; Grinchenko, M.; Smith, W. Linear Cryptanalysis of Simplified AES Under Change of S-Box. Cryptologia 2013, 37, 120–138. [Google Scholar] [CrossRef]
  32. Simmons, S. Algebraic Cryptanalysis of Simplified AES. Cryptologia 2009, 33, 305–314. Available online: http://www.nku.edu/~christensen/Alg%20cryptanalysis%20SAES.pdf (accessed on 27 May 2020). [CrossRef]
  33. Courtois, N.; Klimov, A.; Patarin, J.; Shamir, A. Efficient algorithms for solving over defined systems of multivariate polynomial equations. In EUROCRYPT 2000; Lecture Notes in Computer Science; Springer: Berlin, Heidelberg, Germany, 2000; Volume 1807, pp. 392–407. [Google Scholar] [CrossRef] [Green Version]
  34. Ripatti, A.V. Algorithms of Splitting and van der Waerden Numbers. Available online: https://habrahabr.ru/post/224069/ (accessed on 27 May 2020). (In Russian).
  35. Bard, G.; Courtois, N.; Jefferson, C. Efficient Methods for Conversion and Solution of Sparse Systems of Low-Degree Multivariate Polynomials over GF (2) via SAT-Solvers. Cryptology ePrint Archive. 2007, Volume 24. Available online: https://eprint.iacr.org/2007/024.pdf (accessed on 27 May 2020).
  36. Albrecht, M. Tools for Algebraic Cryptanalysis. In Proceedings of the ECRYPT Workshop on Tools for Cryptanalysis, Egham, UK, 22–23 June 2010; pp. 13–14. [Google Scholar]
  37. Soos, M. ANF2CNF Script Released. Available online: http://www.msoos.org/2010/09/anf2cnf-script-released/ (accessed on 27 May 2020).
  38. Soos, M. ANF to CNF Conversion. Available online: http://www.msoos.org/2010/07/anf-to-cnf-conversion/ (accessed on 27 May 2020).
  39. Courtois, N.; Bard, G. Algebraic Cryptanalysis of the Data Encryption Standard. In Proceedings of the 11-th IMA Conference, Cirencester, UK, 18–20 December 2007; pp. 152–169. [Google Scholar]
  40. Courtois, N.; Debraize, B. Specific S-Box Criteria in Algebraic Attacks on Block Ciphers with Several Known Plaintexts. In Proceedings of the WEWoRC 2007, Bochum, Germany, 4–6 July 2007; Volume 4945, pp. 100–113. [Google Scholar]
  41. Maro, E.A. Modeling of algebraic analysis of PRESENT cipher by SAT solvers. In Proceedings of the VIII International Workshop on Mathematical Models and their Applications (IWMMA-2019), Krasnoyarsk, Russia, 18–21 November 2019; IOP Conference Series: Materials Science and Engineering. Volume 734. [Google Scholar]
  42. The Sage Developers. SageMath, the Sage Mathematics Software System; Version 9.1; The Sage Developers: Newcastle upon Tyne, UK, 2020; Available online: http://www.sagemath.org (accessed on 27 May 2020).
  43. Sage Reference Manual: Sat Release 7.5. Available online: http://doc.sagemath.org/pdf/en/reference/sat/sat.pdf (accessed on 27 May 2020).
  44. Sage Reference Manual: Cryptography Release 7.5. Available online: http://doc.sagemath.org/pdf/en/reference/cryptography/cryptography.pdf (accessed on 27 May 2020).
Figure 1. Magma encryption algorithm.
Figure 1. Magma encryption algorithm.
Computation 08 00051 g001
Figure 2. General data flow diagram of S-KN2.
Figure 2. General data flow diagram of S-KN2.
Computation 08 00051 g002
Figure 3. Round subkeys generation scheme.
Figure 3. Round subkeys generation scheme.
Computation 08 00051 g003
Figure 4. Security assessment methodology approach.
Figure 4. Security assessment methodology approach.
Computation 08 00051 g004
Figure 5. Search complexity with different numbers of Magma rounds.
Figure 5. Search complexity with different numbers of Magma rounds.
Computation 08 00051 g005
Figure 6. Search complexity with different numbers of Magma rounds.
Figure 6. Search complexity with different numbers of Magma rounds.
Computation 08 00051 g006
Figure 7. Dependences between the total computation time of the algebraic analysis and the numbers of known plaintexts.
Figure 7. Dependences between the total computation time of the algebraic analysis and the numbers of known plaintexts.
Computation 08 00051 g007
Table 1. Magma S-boxes.
Table 1. Magma S-boxes.
S11246210511914813703151
S26823910512114471113015
S31135821510131417412960
S41282113415670105314911
S57155108161309314114212
S65131569212101178143140
S78142569112154110131037
S81714130583415106912112
Table 2. S-box setup.
Table 2. S-box setup.
Input0123456789abcdef
Output36a7f05b2c1e49d8
Table 3. Inverse S-box setup.
Table 3. Inverse S-box setup.
Input0123456789abcdef
Output5a80c613fd279eb4
Table 4. Truth table for an s-bit S-block.
Table 4. Truth table for an s-bit S-block.
S-Block InputS-Block OutputAll Compositions of S-Block Inputs and Outputs
All possible S-block inputs (from 0 to 2s)xsx1ysy1xsxs−1x2 × 1ysys−1y2y1xsysx1y1
0011
1101
Table 5. Algebraic analysis of Magma.
Table 5. Algebraic analysis of Magma.
SAT MethodXL Method
Number of Known Text PairsNumber of EquationsNumber of UnknownsNumber of LiteralsNumber of ClausesNumber of SolutionsTotal Time, sSearch Time, sRAM, GByteComplexity by Number of AdditionsSearch Time, s
Three rounds of Magma
21008160299752,43832200.260.11236,330.86
31512192430678,516232.70.520.14238,082.91
420162245512104,654138.510.480.16239,326.86
Three rounds of Magma (with weakened S-boxes)
2120035214709400828.510.350.13236,671.09
31800480196514,084139.910.470.14238,433.71
Three rounds of Magma (with S-box S(X) = X)
2120035212927393204821.112.100.28236.671.09
31800480188911,014137.191.070.16238.433.71
Three rounds of Magma
21200352281938,811136.550.350.13236,671.09
Four rounds of Magma
213442566492114,47225652.591.930.32237,572.04
320163209435171,3242106.330.710.39239,336.91
4268838412,384228,3581135.420.690.48240,5716.32
Four rounds of Magma (with weakened S-boxes)
21600512294016,64212896.100.770.31237,922.6
32400704386924,9822142.360.880.35239,678.75
43200896479833,3162195.611.230.36240,9220.79
540001088572541,6462294.721.510.38241,8840.46
648001280683949,9222612.034.110.39242,6769.98
756001472795158,1741700.962.630.41243,34111.43
Four rounds of Magma (with S-box S(X) = X)
32400704372619,2804106.761.330.28239,678.75
43200896460625,8302144.661.100.30240,9220.79
540001088548432,2941242.211.240.35241,8840.46
Four rounds of Magma
21600512483967,886493.4410.270.37237,912.58
324007047202101,9681202.561.320.48239,678.75
Five rounds of Magma
3252044814,696266,2004452.7484.411.38240,2913.44
4336055419,448354,3542729.15124.471.44241,5431.97
5420064024,259443,9321797.2124.661.52242,5062.20
Five rounds of Magma (with weakened S-boxes)
33000928593239,5494320.174.151.62240,6417.14
440001184743652,8722488.654.471.76241,8840.46
550001440919466,1132478.312.511.87242,8579.25
66000169610,70579,5062875.246.912.13243,64137.09
77000195212,45992,70711135.613.362.26244,30216.27
Five rounds of Magma (with S-box S(X) = X)
33000928533832,87340678.80520.891.73240,6417.14
440001184706843,9262415.3128.651.82241,8840.46
550001440878754,6471501.184.921.85242,8579.25
Five rounds of Magma
3300092810,596152,0451394.6824.961.42240,6417.14
Eight rounds of Magma (with weakened S-boxes)
45376204815,395110,84440965972.411843.674.59243,92166.3
Eight rounds of Magma (with S-box S(X) = X)
45376204813,76492,37010244842.311374.123.86243,92166.3
Eight rounds of Magma
45376204830,062431,26713029.56416.313.6243,92166.3
Table 6. Evaluated complexity of the algebraic analysis of the S-KN2 cipher by the XL method.
Table 6. Evaluated complexity of the algebraic analysis of the S-KN2 cipher by the XL method.
Number of Known Text PairsNumber of EquationsNumber of UnknownsComplexity by Number of AdditionsRAM, GByte
One-round S-KN2 cipher
18832225,570.001
217648228,320.008
326464230,120.028
Two-round S-KN2 cipher
117664228,570.008
235296231,570.066
3528128233,330.224
Three-round S-KN2 cipher
126480230,330.028
2528112233,160.187
3792144235,080.756
Four-round S-KN2 cipher
1352112231,570.066
2704160234,570.531
31056208236,331.191

Share and Cite

MDPI and ACS Style

Ishchukova, E.; Maro, E.; Pristalov, P. Algebraic Analysis of a Simplified Encryption Algorithm GOST R 34.12-2015. Computation 2020, 8, 51. https://doi.org/10.3390/computation8020051

AMA Style

Ishchukova E, Maro E, Pristalov P. Algebraic Analysis of a Simplified Encryption Algorithm GOST R 34.12-2015. Computation. 2020; 8(2):51. https://doi.org/10.3390/computation8020051

Chicago/Turabian Style

Ishchukova, Evgenia, Ekaterina Maro, and Pavel Pristalov. 2020. "Algebraic Analysis of a Simplified Encryption Algorithm GOST R 34.12-2015" Computation 8, no. 2: 51. https://doi.org/10.3390/computation8020051

APA Style

Ishchukova, E., Maro, E., & Pristalov, P. (2020). Algebraic Analysis of a Simplified Encryption Algorithm GOST R 34.12-2015. Computation, 8(2), 51. https://doi.org/10.3390/computation8020051

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop