Improved Meet-in-the-Middle Attacks on Reduced Round Kuznyechik

Cited by: 0
Authors
Tolba, Mohamed [1 ]
Youssef, Amr M. [1 ]
Affiliations
[1] Concordia Univ, Concordia Inst Informat Syst Engn, Montreal, PQ, Canada
Source
INFORMATION SECURITY AND CRYPTOLOGY - ICISC 2017 | 2018 / Vol. 10779
Keywords
Cryptanalysis; Meet-in-the-middle attacks; Substitution permutation network; Block ciphers; Kuznyechik; MDS transformations;
DOI
10.1007/978-3-319-78556-1_2
CLC classification number
TP [Automation technology, computer technology];
Subject classification number
0812 ;
Abstract
Kuznyechik is an SPN block cipher that was recently selected for standardization by the Russian Federation as a new GOST cipher. The cipher employs a 256-bit key, which is used to generate ten 128-bit round keys. The encryption procedure updates the 16-byte state by iterating the round function for nine rounds. In this work, we improve the previous 5-round Meet-in-the-Middle (MitM) attack on Kuznyechik by presenting a 6-round attack that uses MitM with the differential enumeration technique. Unlike previous distinguishers, which utilize only the structural properties of the Maximum Distance Separable (MDS) linear transformation layer of the cipher, our 3-round distinguisher is computed from the exact values of the coefficients of this MDS transformation. More specifically, we first identify the MDS matrix used in this cipher. Then, we find all the relations between subsets of the inputs and outputs of this linear transformation. Finally, we use one of these relations to find the distinguisher that best optimizes the time complexity of the attack. Also, instead of placing the distinguisher in the middle rounds of the cipher as in the previous 5-round attack, we place it at the first 3 rounds, which allows us to convert the attack from the chosen-ciphertext model to the chosen-plaintext model. Then, to extend the distinguisher by 3 rounds, we perform the matching between the offline and online phases around the linear transformation instead of matching on a state byte.
Pages: 26 / 38
Page count: 13