12

"Recently" the Ukraine standardized a new block cipher Kalyna, which according to the abstract of
"A New Encryption Standard of Ukraine: The Kalyna Block Cipher" by Oliynykov et al. (warning: the paper contains a lot of test-vectors) is basically a modified version of AES.

The high-level changes (to Rijndael) were described as "four new S-boxes, new pre- and post-whitening, a new larger MDS-matrix and a new key schedule".

What was the (likely main) reason to not standardize Rijndael or AES?

As a "bonus" / side question:
What was the (most likely) design rationale behind the changes being made to Rijndael?

kelalaka
  • 49,797
  • 12
  • 123
  • 211
SEJPM
  • 46,697
  • 9
  • 103
  • 214

2 Answers2

8

The most likely rationale to change the AES design is political. It's a NIST standard, designed in Western Europe.

It's a bad idea! How much scrutiny has it received? Almost none. How much will it receive? Almost none. Bad idea.

Yehuda Lindell
  • 28,270
  • 1
  • 69
  • 86
7

I ("SEJPM" as of now) have contacted the authors asked them the same questions as in my question. I'm posting this as community wiki, as it's not my answer to this question but rather theirs. Now the responses follow:

First off, the authors are working on a design rationale in english for their new cipher. As soon as it's published, it will be linked here. The points in the following answer are either extracted from the e-mail answer to SEJPM or from linked materials and may not reflect the opinions of SEJPM.

What was the main reason not to standardize plain Rijndael or AES?

TL;DR: Kalyna has better security and performance properties than AES on modern CPUs.
The answer mentions that there needs to be a variety of ciphers, for constrained devices, for high-security, for fast software encryption, etc. Next point is that AES is good. But there are other solution like ChaCha which are getting standardized and AES isn't our cipher in the long-run, for the near future yes, but for long-term security we need a higher security level. The need for a new cipher was there, because higher perfomance on 64-bit platforms is needed as well as longer block- and keylengths. Kalyna was the result of this.

What was the design rationale behind the changes to the s-boxes?

For several years, the criterias for the selection of the s-boxes has been carefully done. The s-boxes chosen protect against algebraic attacks on AES as well as standard cryptanalytical attacks. Details may be found in this paper.

What was the design rationale behind the new whitening system?

Improved perfomance on 64-bit platforms and better security properties of the cipher, more information will follow in the design rationale paper.

Why was the MDS-matrix changed and expanded?

Security got enhanced by this change and it optimized speed more for 64-bit platforms as per the requirement on p. 65 of this document.

Why was the key schedule changed?

As explained on pages 74 and following of the presentation the key schedule should resist all known attacks on key-schedules and harden the cipher against attacks. It is required that leakage of a round-key doesn't easily compromise of all round keys. Absence of weak keys is another requirement as is simplicity of the schedule and side-channel attack resistance. Kalyna provides all these features, the key-schedule is basically a CSPRNG generating the round-keys, which was already done by Twofish and Blowfish, but Kalyna is significantly faster.

SEJPM
  • 46,697
  • 9
  • 103
  • 214