Single key recovery attacks on 9-Round Kalyna-128/256 and Kalyna-256/512

Abstract

The Kalyna block cipher has recently been established as the Ukranian encryption standard in June, 2015. It was selected in a Ukrainian National Public Cryptographic Competition running from 2007 to 2010. Kalyna supports block sizes and key lengths of 128, 256 and 512 bits. Denoting variants of Kalyna as Kalyna-b / k, where b denotes the block size and k denotes the keylength, the design specifies k∈{b,2b}k∈{b,2b}. In this work, we re-evaluate the security bound of some reduced round Kalyna variants, specifically Kalyna-128 / 256 and Kalyna-256 / 512 against key recovery attacks in the single key model. We first construct new 6-round distinguishers and then use these distinguishers to demonstrate 9-round attacks on these Kalyna variants. These attacks improve the previous best 7-round attacks on the same. Our 9-round attack on Kalyna-128/256 has data, time and memory complexity of 2105, 245.83 and 2226.86 respectively. For our 9-round attack on Kalyna-256/512, the data/time/memory complexities are 2217, 2477.83 and 2451.45 respectively. The attacks presented in this work are the current best on Kalyna. We apply multiset attack - a variant of meet-in-the-middle attack to achieve these results.