A New Encryption Standard of Ukraine: The Kalyna Block Cipher (opens in new tab)

(eprint.iacr.org)

15 pointsmykhal10y ago12 comments

12 comments

As cipher papers go, not especially interesting. The best ones have long sections explaining each of their design decisions. This paper starts out by pointing out that GOST is much slower than AES in practice, but never acknowledges that any conventional block cipher that isn't AES is probably doomed to inferior performance (because AES is hardware accelerated).

It would be interesting to see a country adopt a native stream cipher instead of a block cipher as their standard. The performance of stream ciphers is more competitive, you lose the requirement to define 8-10 "official modes" (most of which are insecure), and stream ciphers are virtually always what you want anyways: in 2015, block ciphers mostly exist in order to be transformed into stream ciphers via counter mode.

sdevlin10y ago

Building around S-box lookups also seems like a weird choice in 2015. I looked and couldn't find any considerations for cache-timing side channels. There really wasn't much advice for implementers at all.

I'm not sure this is a major vulnerability in practice, but it is strange not even to mention 10+ years of cache-timing attacks against AES.

pbsd10y ago

Kalyna was the result of a public competition started in 2006 [1], so it mirrors design preferences of that time. There were 4 other candidates, some were broken, and none of them seem any more cache-timing resistant than Kalyna.

[1] https://www.sav.sk/journals/uploads/0317154006ogdr.pdf

1 more reply

kfreds10y ago

I'm curious, if you use a stream cipher for file encryption how do you avoid the two-time pad problem?

tptacek10y ago

You don't encrypt with the same key/nonce pair twice. All the secure block cipher modes have the same restriction; for instance, you can't CBC-encrypt multiple messages with the same key/IV.

1 more reply

harshreality10y ago

estream II then? Did anything that came out of estream end up being used outside of proprietary product lines? Even Salsa is pretty well ignored in favor of Chacha. Are any governments using any of the estream ciphers internally?

tptacek10y ago

ChaCha is just a minimally updated, hardened version of Salsa20, by the same author as Salsa20.

It's a weird question to ask, I think, because of the modern ciphers in wide use, the only non-AES cipher (heh) is an estream finalist.

yuhong10y ago

As a side note, I wonder how bad MAC-then-encrypt is on a stream cipher compared to a block cipher. TKIP used CRC plus Michael MIC for example.

j / k navigate · click thread line to collapse

12 comments

tptacek10y ago

sdevlin10y ago

I'm not sure this is a major vulnerability in practice, but it is strange not even to mention 10+ years of cache-timing attacks against AES.

pbsd10y ago

[1] https://www.sav.sk/journals/uploads/0317154006ogdr.pdf

1 more reply

kfreds10y ago

I'm curious, if you use a stream cipher for file encryption how do you avoid the two-time pad problem?

tptacek10y ago

You don't encrypt with the same key/nonce pair twice. All the secure block cipher modes have the same restriction; for instance, you can't CBC-encrypt multiple messages with the same key/IV.

1 more reply

harshreality10y ago

tptacek10y ago

ChaCha is just a minimally updated, hardened version of Salsa20, by the same author as Salsa20.

It's a weird question to ask, I think, because of the modern ciphers in wide use, the only non-AES cipher (heh) is an estream finalist.

yuhong10y ago

As a side note, I wonder how bad MAC-then-encrypt is on a stream cipher compared to a block cipher. TKIP used CRC plus Michael MIC for example.

j / k navigate · click thread line to collapse