A New Encryption Standard of Ukraine: The Kalyna Block Cipher

The Kalyna block cipher was selected during Ukrainian National Public Cryptographic Competition (2007-2010) and its slight modification was approved as the new encryption standard of Ukraine in 2015. Main requirements for Kalyna were both high security level and high performance of software implementation on general-purpose 64-bit CPUs. The cipher has SPN-based (Rijndael-like) structure with increased MDS matrix size, a new set of four different S-boxes, preand postwhitening using modulo 2 addition and a new construction of the key schedule. Kalyna supports block size and key length of 128, 256 and 512 bits (key length can be either equal or double of the block size). On the time of this paper publishing, no more effective cryptanalytic attacks than exhaustive search are known. In this paper we present the adapted English translated specification of Kalyna as it is given in the national standard of Ukraine. 1 Introducton Block ciphers are the most widely used symmetric cryptographic primitives. Besides providing confidentiality, they are also used as main components in hashing functions, message authentication codes, pseudorandom number generators, etc. Until 2015 GOST 28147-89 was the main block cipher used in Ukraine [1]. Even now this cipher still provides acceptable level of 2 practical security. However, its software implementation is significantly slower and less effective on modern platforms comparing to newer solutions like AES [2]. In addition, more effective theoretical attacks than brute force search were discovered [3]. Based on the experience of international cryptographic competitions, like AES [4] or NESSIE [5], The State Service of Special Communication and Information Protection of Ukraine had been organized National Public Cryptographic Competition [6] to select a block cipher that could become a prototype of the national standard. Main requirements to candidates were a high level of cryptographic security, variable block size and key length (128, 256, 512), and an acceptable performance of encryption in software implementation. There were no restrictions concerning lightweight (hardware) implementations. The block cipher Kalyna was selected among other candidates [7] and its slight modification (aimed to performance improvement and more compact implementation) was approved as the national standard DSTU 7624:2014 [8]. The new standard describes both the block cipher and ten modes of operation for it. In this paper we describe an adapted version of the specification based on Electronic Code Book (ECB) mode as it is given in the national standard of Ukraine. 2 Symbols and notations The following notations are used in the standard. 0x – prefix of numbers given in the hexadecimal notation; GF (2) – the finite field with the irreducible polynomial x + x + x + x + 1; ⊕ – logical exclusive OR (XOR) operation for binary vectors; bxc – integer part of x, i.e. for a rational x the greatest y such that y ≤ x; |X| – the length of the bit sequence X; Ll,r(X) – the function that returns r least significant bits from the input sequence X of l-bit length; Rl,r(X) – the function that returns r most significant bits from the input sequence X of l-bit length; 3 – the right shift of the fixed length sequence (to the least significant symbols); the most significant symbols are filled with 0’s; number of symbols to be shifted is defined by the second argument – the left shift of the fixed length sequence (to the most significant symbols); the least significant symbols are filled with 0’s; number of symbols to be shifted is defined by the second argument ≫ – the cyclic shift (rotation) right of the fixed length sequence (the least significant symbols are moved to the most significant positions); ≪ – the cyclic shift (rotation) left of the fixed length sequence (the most significant symbols are moved to the least significant positions); + – addition defined on the additive group of the least nonnegative remainders Z264 (addition modulo 2); ⊗ – scalar product of two vectors defined over the finite field; l – the block size of Kalyna, l ∈ {128, 256, 512}; k – the key length of Kalyna, k ∈ {128, 256, 512} (k = l or k = 2 · l); c – the number of rows in the state matrix; Vj – j-dimensional vector space over GF (2), j ≥ 1; T (K) l,k – the basic encryption transformation, a mapping Vl 7→ Vl parametrized by the encryption key K; U (K) l,k – the basic decryption transformation, a mapping Vl 7→ Vl parametrized by the encryption key K; W1||W2 – concatenation of the two bit sequences in such a way that the left (the least significant) part of the resulting sequence is equal to W1 and the right (the most significant) one to W2; the length of the resulting sequence is equal to the sum of W1 and W2; Ξ ◦ Λ – sequential application of transformations Ξ and Λ (Λ is applied first); t – the number of iterations in the transformations T (K) l,k and U (K) l,k ;