Attacking the IETF/ISO Standard for Internal Re-keying CTR - ACPKM

. Encrypting too much data using the same key is a bad practice from a security perspective. Hence, it is customary to perform re-keying after a given amount of data is transmitted. While in many cases, the re-keying is done using a fresh execution of some key exchange protocol (e.g., in IKE or TLS), there are scenarios where internal re-keying, i.e., without exchange of information, is performed, mostly due to performance reasons. Originally suggested by Abdalla and Bellare, there are several proposals on how to perform this internal re-keying mechanism. For example, Liliya et al. offered the CryptoPro Key Meshing (CPKM) to be used together with GOST 28147-89 (known as the GOST block cipher). Later, ISO and the IETF adopted the Advanced CryptoPro Key Meshing (ACKPM) in ISO 10116 and RFC 8645, respectively. In this paper, we study the security of ACPKM and CPKM. We show that the internal re-keying suffers from an entropy loss in successive repetitions of the re-keying mechanism. We show some attacks based on this issue. The most prominent one has time and data complexities of O (2 κ/ 2 ) and success rate of O (2 − κ/ 4 ) for a κ -bit key. Furthermore, we show that a malicious block cipher designer or a faulty implementation can exploit the ACPKM (or the original CPKM) mechanism to significantly hinder the security of a protocol employing ACPKM (or CPKM). Namely, we show that in such cases, the entropy of the re-keyed key can be greatly reduced.


Introduction
A common security-enhancing practice is to restrict the duration in which a given key is used. This is done, for example, as a simple mitigation to attacks relying on collisions, such as Sweet32 [15]. It is thus, customary to change the encryption key after a set amount of time or encryptions. The maximum amount of data that can be safely encrypted under a single key in any cryptographic protocol is called the key lifetime.
Changing the key usually requires to run a key-exchange protocol, which can incur high computation and communication costs. This inspired further research on re-keying the existing secret key without running a key-exchange protocol.
To avoid frequent updates of the key, there are several ways of extending the where the user cannot control the input to the cipher, such as in CTR-mode, then the second problem is avoided.
The security of CTR-ACPKM was analyzed in [7]. In [6], Liliya et al., analyse ACPKM in combination with the GCM mode of operation (GCM-ACPKM). The analysis of CTR-ACPKM in [7] claims IND-CPNA security (indistinguishability under Chosen Plaintext and Nonce Attack) model. The claimed bound on the IND-CPNA advantage is where n is the block size, κ is the key size, σ j is the total length of data blocks processed under the j-th key (called a section), ℓ is the maximal number of sections, and r = κ n . This led both IETF and ISO to accept ACPKM as a mechanism for internal re-keying. In this paper, we show that despite the security proof, the proposed update causes an entropy drop in the key space. We show that this entropy loss impacts the security of CTR-ACPKM and puts users at risk. We note that entropy loss of repeated invocations of random functions has been studied before [26,?], as it also impacts the analysis of MACs and hash functions [40,33,24]. A survey covering these attacks can be found in [8]. We build on these results and offer a somewhat more delicate analysis of the entropy (specifically, we consider Shannon entropy rather than the H 0 entropy considered and used in most previous works).
In addition, if the designer of a cipher can successfully embed a high probability differential in the design (e.g., such as in the MALICIOUS framework [38]), then this entropy loss can be significantly accelerated. 1

The Multi User Security Setting
In the multi-user security setting the adversary is allowed to distribute its online queries adaptively across multiple instances of the construction. This setting is originally proposed in Biham's technical report [16,18] and formalized by Bellare et al. [12] in the context of public-key encryption. In other words, the adversary can obtain the encryption of a message with respect to a large number of users under independent keys K 1 , K 2 , ..., K u . For a nonce-based encryption algorithm, the adversary gets an encryption oracle that takes an index i ∈ {1, 2, ..., u}, a message, and a nonce, and returns an encryption of these under K i . The attacker can fix a pair of nonce and message (N, M), and send them to different users. Consequently, the attacker receives C i = E Ki (N, M) for each i = 1, 2, ..., u. Upon 1 One can argue that such ciphers, where we do not trust the designer, should not be accepted as standards. However, as evident by reality, many times such ciphers are being selected for widely deployed standards -e.g., the GEA-1 algorithm, the DUAL-EC DRBG, or Speck (which was standardized by ISO in RFID communication standards). Furthermore, some people, e.g., residents of the Russian Federation, must use some cryptographic standards that were not openly negotiated. Hence, it is important to understand what level of security they can expect from a given system.
receiving the responses, the attacker's goal is to recover at least one of the users' keys in a key-recovery attack. In a distinguishing game the adversary gets an encryption oracle that takes an index i ∈ {1, 2, ..., u}, a message, and a nonce, after which it returns either an encryption of these under K i in the real world or a random string of the same length in the ideal world.
The key recovery attack in the multi-user setting is an important aspect to consider from a mass-surveillance perspective, where billions of users use the same cryptographic algorithm with independent keys (e.g., CTR-ACPKM [41] or AES-GCM [14] is now widely used in TLS [3] protocol to protect web traffic and is currently used by billions of users daily). Due to its practical relevance, key recovery attacks in multi-user setting have been studied in a series of work in the last few years [11,14,19,21,22,29,34,36,35].

Our Contributions
In this work, we propose several attacks on the CTR-CPKM and on the CTR-ACPKM mode. These modes use the CPKM or the ACPKM internal re-keying technique to update the key (i.e. generating a new key for each section of a hard drive). Our work studies the entropy loss due to frequent re-keying using these schemes. Based on this entropy loss, we propose three attacks on the CTR-ACPKM (or the CTR-CPKM) mode. Our first attack is an improved exhaustive search. Secondly, we propose a distinguishing attack based on key collisions, which are more frequent due to the entropy loss. Our third attack is a key-recovery attack, motivated by [16]. In the last two attacks, the adversary is modeled in the multi-user security setting. Furthermore, we show that these attacks may be more efficient when the key size is greater than the block size. Furthermore, our experiments on several ciphers showed that the H 1 -entropy loss in the ACPKM transformation is much more effective than the H 0 -entropy loss. Based on this, we propose an improved master-key recovery attack.
In addition we propose two different attacks based on differential properties of the underlying block cipher. The crucial part of these attacks is that updated keys can be directly recovered if a differential property exists in the underlying block cipher. This may occur either accidentally or if the cipher was backdoored. We want to mention that all the attacks we have presented here are equally applicable to GCM-ACPKM [6] due to its similarity in the encryption part with CTR-ACPKM mode.
Next, we show that a malicious designer can further harm the mode, if a specific high probability related-key differential or linear property exists in the underlying block cipher. We show that such a property leads to a significantly higher entropy loss. Furthermore, we show that even an innocent implementation error can lead to devastating attacks. This issue may even be triggered when following the current ACPKM standard with a block size that is not a power of two. Finally, we proposes a related-key distinguisher on the CTR-ACPKM mode.
We discuss the attacks on the CTR-ACPKM mode, but these attacks trivially carry over to the CTR-CPKM mode.

Organization of the Paper
We develop necessary notations and conventions in section 2. In section 3 we apply the existing analysis to the ACPKM construction and analyse its security. Afterwards, in section 4, we refine the analysis of the loss of entropy and introduce new attacks based on this analysis. In section 5, we consider the misuse resistance of the ACPKM construction. In section 6 we discuss the security of ACPKM in the multi-user setting. Finally, we conclude the paper in section 7.

Preliminaries
For n ∈ N, [n] denotes the set {1, 2, . . . , n}. For any positive integer N and p, (N) p denotes N(N − 1)...(N − p + 1). We refer to an element of {0, 1} n as block. For X ∈ {0, 1} * , if ∥X∥ is a multiple of n, ∥X∥ n denotes the length of X in n-bit blocks, i.e., ∥X∥ n = ⌈∥X∥/n⌉. For any non-empty binary string X, , 1} * and a positive integer t ≤ ∥X∥, we use MSB t (X) and LSB t (X) to denote the bit string of the t most significant bits and the t least significant bits of X, respectively. For any nonnegative integer I and t, we denote the t-bit representation of I with str t [I] where the least significant bit is on the right. Similarly, from a bit string X ∈ {0, 1} t , we write int(X) to denote the integer representation of X. For a positive integer c < n, let INC c (X) be the function which takes the input X ∈ {0, 1} n and outputs the increment of X as H 0 [X] = log(|A|).

Definition 2.
(H 1 -entropy) Let X be a discrete random variable with possible outcomes in the set A = {x 1 , x 2 , ..., x n }. The H 1 -entropy is defined as -A set of consecutive blocks encrypted under the same key is called a section.
We use s to denote the number of blocks in a section.
The CTR-ACPKM works as follows. At first the message M is divided into w = ⌈∥M∥ n /s⌉ sections as In this mechanism the 0-th section of each message is processed by the CTR mode of operation with the initial counter IV∥0 n 2 and K 0 = K where K is the input key to the process. The β-th section is encrypted by the CTR mode with the section key K β−1 without initializing the counter to 0, i.e., with the counter starting from βs. This section key is calculated using the ACPKM transformation as follows: where κ is the size of the key used in the block cipher E K and r = ⌈κ/n⌉. Thus we can view the ACPKM transformation as a function from {0, 1} κ to itself. Moreover, D 1 , D 2 , ..., D r are pairwise different constants in {0, 1} n such that the n 2 -th bit (counting from the least significant bit) of each D i is equal to 1. The plaintext length is at most 2 n 2 −1 blocks. Also, the section size in bits must be divisible by the block size.
We note that both ISO 10116 [1] and RFC 8645 [41] suggest the use of D i 's which are a sequence of bytes whose most significant bits are set to 1: 80 x , 81 x , 82 x , 83 x , . . . , F F x . This was done to ensure a complete domain separation between calls to E made during encryption and the key update. As we discussed in Section 5.1 this separation does not hold when a non-power of 2 block size is used.

Security Issues with the ACPKM Transformation
In this section we look at the security of multiple invocations of the ACPKM transformation. First we note that a cipher with a fixed plaintext and a random key behaves like a random function. This is a well known result and has, most notably, been used in the analysis of Hellman's time-memory trade-off attack [27].
Another well-known fact is that the iterative application of a random function is expected to reduce the H 0 -entropy of the image set [26]. We analyse how this loss of H 0 -entropy impacts the security of the ACPKM construction and show how to use this to recover section keys.
We denote the ACPKM transformation with key and block size κ by f : , 1} κ is the set of vertices and the set of edges, E f , consists of all the ordered pairs of the form (v, f (v)) for every vertex v ∈ {0, 1} κ . Statistical analysis of a random function's functional graph reveals some information about the function's multiple invocations. One of the most important properties we study here is the H 0 -entropy loss on multiple invocations of the ACPKM transformation. Notably, we are interested in the approximate size of the output set after, say, ν iterations of the ACPKM transformation over {0, 1} κ . We recall the definition of the ν-th iterate image point from [26]: Definition 3 (ν-th iterate image point [26]). A vertex in the functional graph G f is called an ν-th iterate image point if this is an image of the ν-th iterate f ν of the function f . We denote the set of all the ν-th iterate image points as I ν .
Flajolet and Odlyzko analyzed many properties of the functional graphs of random functions [26]. We recall one result from [26] to motivate our analysis in Theorem 1.

Theorem 1 ([26]
). If f : D → D be random function over a domain D of size N = 2 κ with a functional graph G f . Then as N → ∞, the expected size of I ν is The above theorem (Theorem 1) suggests that the number of ν-th iterate image points decreases, i.e., there is H 0 -entropy loss as H 0 is the codomain size. Hong et al. used this idea to find collisions in the state of the MICKEY stream cipher [30]. Moreover, based on their experiments, Hong et al. proposed the following conjecture: As ν goes to infinity, (1 − τ ν ) goes to 2 1−log 2 (ν) . This conjecture was proven to be true for ν ≤ 2 κ 2 by Bao et al. [8]. To conclude, in the ACPKM construction with key size κ, the H 0 entropy of the key-space after ν iterations is approximately κ The above analysis holds for any key and block size. However, as is evident in the case of GOST, it may be that k > n. Suppose that the size of the key, κ is rn where n is the size of the block cipher. Then the ACPKM method performs the key transformation as These D 1 , D 2 , . . . , D r are pairwise different constants. Then a key is valid only if all the parts are different. So there are at most 2 n (2 n − 1) . . . (2 n − r + 1) = (2 n ) r valid keys in each section from the second section onward. In this case, the entropy of the key-space in the s-th section reduces more than in the previous case. From the Theorem 1 we can obtain the entropy in the s-th section is reduced to (2 n ) r 2 1−log 2 (s) .

Attack Based on Entropy Loss
Next we look at how we can use the reduction in entropy to improve exhaustive search of later section keys. Since the entropy drops with each iteration, we need to try about 2 κ+1−log 2 ν keys for the ν-th section. For example, consider the following scenario with a key size of κ = 128 bits, a block size of n = 128 bits and a section size of 1024 bits (i.e., 8 blocks of 128 bits). To find the key for the 2 64 -th section, we need to try, as Theorem 1 suggests, about 2 65 keys.
While there are indeed only 2 65 possible keys, we do not get a simple list of them. For example, if we choose an arbitrary key, it is, with high probability, not a valid key for this section. Thus, to make use of the entropy loss of the function we need an efficient way to enumerate all the valid keys for the ν-th section.
The first way to enumerate all ν-th section keys is by using a naive precomputation approach: Take all possible 2 κ keys and update them ν − 1 times. Store the resulting values sorted by their frequency in a dictionary D ν . Once the sorted dictionary D ν is prepared, we can use it to find keys for the ν-th section. This approach takes ν2 κ time and requires about 2 κ+1−log 2 ν κ memory.
The second approach is an immediate optimization of the naive approach. We can use O(E(|I 1 |)κ) memory to reduce the time complexity of the preprocessing to ν−1 i=0 E(|I i |) updates. 2 To do so we use the set of keys that were valid keys for the (i − 1)-th section to compute the keys that are valid for the i-th section. Naturally, when i = 0 we use the full key space.
In both cases we need to build a dictionary D ν of keys which are valid for the ν-th section only once. This means that we can amortize the cost of its construction cost over many applications of the brute-force phase (like in Hellman's time memory trade-off attacks [27]). To conclude, given D ν , containing all valid keys for the ν-th section (and their frequency), one can find the keys of the ν-th section by an exhaustive search. Next we look at an improved exhaustive search algorithm to find the ν-th section key.

Improved Exhaustive Search
We now discuss improving the exhaustive search for the ν-th section keys. The main idea is that all keys in the functional graph of f , which have ν predecessors, are valid section keys (even if they are in a cycle). Thus by exploring the functional graph of f , we can find a large number of valid section keys for the ν-th section.
Using the above fact, we present Algorithm 1 to find valid section keys for the ν-th section. Algorithm 1 takes a random key K as an input and outputs a list L of candidate keys that are valid for the ν-th section. As long as we do not detect a cycle, we update the key K using ACPKM. We note that detecting a cycle is easy, as we maintain a list L of keys we encountered in the traversal of the graph. After ν calls to update, we start recording the keys we encounter. Once we identify a recorded key, we know we are in a cycle and stop. We note that even if we entered the cycle before we start recording keys -there is nothing wrong, as we need to enumerate the entire cycle to find all the candidate ν-section keys (as each value in the cycle has ν predecessors for sure). One can slightly optimize our algorithm by detecting if we entered a cycle before we start recording the keys (and then traverse the cycle once more to record it). Note that if it updates the key ν times without detecting a cycle, all subsequent updates produce valid section keys for the ν-th section which are stored in L.
If the size of the key is κ, we can expect, by the birthday paradox, to get a cycle after 2 κ/2 updates. Once we get a list L, we can choose another key outside of this list and start the algorithm again.

The H 1 -Entropy of the ACPKM Transformation
Previously we discussed the H 0 -entropy loss which is based on the cardinality of the section keys. We now focus on the H 1 -entropy or the Shannon entropy of the section keys. For any key K we define the following set where f is the ACPKM transformation. As we can see, P ν K is the set of master-keys that after ν sections can reach the section key K. Let Pr ν (K) be the probability that a key K is a valid key for the ν-th section. We can define this probability as: Based on this definition, we can compute the Shannon entropy for the valid keys of the ν-th section as The loss of H 1 -entropy suggests that the distribution of the master-keys is not uniform across the valid section keys. We ran an experiment to study the H 1entropy loss for truncated versions of AES-128 [23] and Simon [10]. The details of these ciphers are given in section A. The results of the experiments are given in Table 1 and Table 2. We can observe that the entropy loss for the H 1 -entropy is higher than H 0 -entropy.

Attack Motivated by H 1 -entropy Loss
We now propose a section key recovery attack motivated by the H 1 -entropy loss. The loss of the H 1 -entropy on key update suggests one crucial issue: the master keys are not uniformly distributed over the section keys. This fact suggests that not only one can cover many master keys by a ν-th section key, but also that there are section keys which cover more master keys (and thus have a greater probability of being correct, compared to other keys which may be valid ν-th section keys). We can thus look for the keys for which |P ν K | is larger, or enjoy the fact that by applying the ACPKM transform many times, they appear with  We designed Algorithm 2 based on this idea. We start with a random key, test it for the ν-th section. If the trial encryption succeeded, we are done. Otherwise, we apply the ACPKM transform repeatedly (like in Algorithm 1), and each time test the new computed value. Once a cycle is detected, we abort the experiment and pick a new random master key to start the process from. We continue to do so until either the correct ν-th section key is recovered, or if some number of experiments is reached.
Algorithm 2 Algorithm to find the ν-th section master key 1: for cnt = 1 to thresholdκ,ν do 2: Pick a key K at random.

3:
Set cycledetected ← 0 4: while cycledetected == 0 do 5: Test the key K using trial encryption 6: if The key K is the ν-th section key then 7: Output K and terminate 8: if Cycle Detected then 10: Set cycledetected ← 1 11: Declare "Failure" First, we note that this could be viewed as the application of Algorithm 1 to various random keys, and testing the keys suggested by Algorithm 1. One could avoid testing the same key twice by storing a large bitmap of 2 κ bits suggesting which keys were already covered before. In this case, one could also pick the next key by taking one of the keys that were not encountered during the attack.
Second, we note that unless such a large table is stored, one could simply run Algorithm 2 until all keys were covered. However, we note that the first iteration of the loop is expected to cover only keys that were not encountered before, whereas starting from the second iteration, we expect some of the found keys to be already explored (this follows the fact that the functional graph of the ACPKM, if modeled as a random graph, is expected to have one large component with a large cycle of length 2 κ/2 ). Hence, it is easy to see that each new iteration of Algorithm 2 offers diminishing returns.
At some point the cost of covering the list of proposed keys (which can be done in a memory-less fashion using any of the memory-less cycle finding algorithms), would be greater than the number of new keys offered by the new iteration. While we tried to find an exact formula to estimate the actual point in which the gain is negative (or close to zero), we could not. Hence, we suggest to perform tests or trails to determine the point, threshold κ,ν that for a κ-bit key in the ν-th section, the gain of this is approach (over a random guess) is positive.
We ran experiments to verify our attack on the 32-bit truncated version of AES-128 [23]. Table 3 gives for each iteration of Algorithm 2 what is the computational effort to do the iteration, how many new keys were encountered, what is the effectiveness (average number of recovered master key per computation of the ACPKM transformation), as well as on how many keys were covered so far. We note that these experiments were done for the case of κ = 32, ν = 256. We performed 100 experiments and report the average of the results. As can be seen in Table 3, for κ = 32, ν = 256, the gain becomes very close to 1 after 512 iterations. The results of one iteration in Algorithm 2 for various section numbers is given in Table 4.  We conclude this section with a discussion on the success probability of the attack. The size of the set of recovered master keys is K∈K ν |P ν K | and consequently, the success probability of the attack is K∈K ν |P ν K |/2 κ . To give a lower bound on the success probability we need to bound the size of P ν K . To find ex-  pected number of ν-th preimage, we recall the following Theorem 2 from [9].
Theorem 2. Let f be a random function from {0, 1} κ to itself and ν be a positive integer. Let y be a random image of f ν . Then the expected size of the set P ν y is Using Theorem 2 we can get the following lower bound As an example, consider the case that we choose the threshold to be 1, namely, Algorithm 2 performs only one iteration of the attack. One can see that of a section ν in the range 2 κ/4 ≤ ν < 2 κ/2 , we expect to cover 2 3κ/4 master-keys (this was also supported by our experiments, suggested in Table 3 and Table 4). In other words, the first iteration of Algorithm 2 alone, suggests an attack whose time complexity is about 2 κ/2 and its success rate is 2 −κ/4 .

ACPKM is not Misuse Resistant
While the previous attacks are inherent to the ACPKM mode (as well as the CPKM mode), these modes can also be wrongly instantiated in a way which further hinders the security. This increases the burden on the implementer, as a wrong implementation may have significant issues leading to a complete lack of security. As we show later, if the block size is not a multiple of 8 bits (as may happen in the case of Format Preserving Encryption), the use of the constants proposed in the RFC or the ISO standard may cause an immediate trivial attack on the scheme. Furthermore, when the underlining block cipher has a high probability differential or related-key differential (either as a design error or as a backdoor), the entropy of the new section keys significantly drops, and one should expect the previous attacks to aggravate. These issues suggest that ACPKM may be less suitable for deployment than other modes.

Special Block Sizes
Both ISO 10116 and RFC 8645 offer a concrete suggestion for the constants D i , which are required to update the key in ACPKM. The constants should be pairwise different for any block size n and key size k and the most significant bit of every byte should be 1. The latter condition is important to prevent the trivial collision in the inputs to the block cipher in the cases of message processing and key updating: if somehow this collision occurs in some section, one can recover the next section key and consequently all the onward section keys. Specifically, consider the case with key size and block size of n. 3 If the input to the sκ + α-th block (i.e., IV∥(sκ + α)) is equal with the constant D, then is the next section key. This vulnerability can be prevented by choosing D such that the counter update can never be D.
We now turn our attention to the case where the block size is not a multiple of 8 (e.g., in format-preserving encryption scheme). Suppose that the block size is n = 66 and the initial counter is IV∥0 33 . If the adversary can set the IV then he can set the IV to the first 33 bits of D. For example, let us consider the example of D given in RFC 8645 [41]. The 33-rd to 65-th bits of D are 00001001 . . . 0111. We can see that the 33-rd bit is not 1, so it is possible to reach this D within a valid number of sections. For the constant given in RFC 8645, this requires 303438365 ≈ 2 28 blocks to be encrypted (i.e., updates in the counter) which is less than 2 32 . According to RFC 8645 the maximum message size can be 2 c−1 blocks where 32 ≤ c ≤ (3/4)n. So the above attack is practical. Once this key is recovered (in a known-plaintext attack), all the keys can also be recovered easily.
In other words, ACPKM (as well as CPKM) should not be instantiated with ciphers whose block sizes are not a multiple of 8 bits, if they are used with the constants suggested in RFC 8645 and in ISO 10116. Hence, we urge the standardization bodies to explicitly disallow this combination (though as we later argue, it may be better to remove these modes from the standards altogether).

A Related-key Distinguisher on CTR-ACPKM
This section proposes a related-key distinguisher on the CTR-ACPKM mode. The related-key attack model was independently suggested by Biham [17] and Knudesn [31]. In the common interpretation of the RK model, the adversary may choose any reasonable relation between the keys, where the exact definition of "reasonable" is left to the cryptanalyst (see for example the discussion of permissible relations in [13]). We now propose an attack based on the following key relation: let K and K ′ be two keys such that K ′ = ACPKM(K). 4 Let us consider two CTR-ACPKM instances with section size s and s ′ such that 2s > s ′ > s. To find a related-key distinguisher, we consider two master keys K and K ′ for the CTR-ACPKM with section size s and s ′ , respectively, such that K ′ = ACPKM(K) = K 1 . Thus, the master key K ′ matches with the first section key of the master key K. Now we choose a nonce IV and two random message M 1 , M 2 for the two instances such that the number of blocks in the messages is at least s ′ blocks. Suppose that we query (M 1 , IV) to the CTR-ACPKM instance with section size s and obtain the ciphertext C 1 . Similarly, we query (M 2 , IV) to the CTR-ACPKM instance with section size s ′ and obtain the ciphertext C 2 . Now as we query with the same nonce, in this settings, we get the following relation This distinguishing property is easily detectable as we have the following relation on the (s + 1)-th block:

Weak Block Ciphers
A high probability differential (whether it exists in the block cipher by accident or as a backdoor) is far from a good thing from a security perspective. However, for the case of ACPKM, the existence of a differential or even a related-key differential is significantly worse. In some cases such a (related-key) differential may significantly hinder the security of ACPKM in real life; especially when the constants D i 's are chosen to exploit the (related-key) differential property. We discuss a few attacks based on (related-key) differential and linear property of the underlying cipher in the following. The summary of our attacks is shown in Table 5.

Source
Issue  Differential Property Suppose that the underlying block cipher E has a differential property such that the plaintext difference ∆ X propagates to the ciphertext difference ∆ Y with probability p. Consider the case of k = 2n, i.e., the key size is twice the block size. So if the ACPKM transformation is and D 1 ⊕ D 2 = ∆ X then with probability p, we get that the next section key is This property holds for any section key from the second section onwards. Using this differential, the attacker expects such an output difference by observing O(1/p) sections and finding the instance for which the differential was satisfied in time O(2 n /p). In other words it is trivial to try in all sections (starting from 2nd section) the keys (K, K ⊕ ∆ Y ). After one such a pair is found the adversary can determine all the future section keys. In fact, this attack offers gain for any key size κ with κ > n + log 2 (1/p). For the case of κ ≥ 4n, we get a better attack. Suppose that the key update is In this case, one can observe difference between any of the 4 2 pairs from {D 1 , D 2 , D 3 , D 4 }. Suppose that the underlying block cipher E has a differential property that the plaintext difference ∆ X1 propagates to the ciphertext difference ∆ Y1 with probability p 1 and the plaintext difference ∆ X2 propagates to the ciphertext difference ∆ Y2 with probability p 2 . If D 1 ⊕ D 2 = ∆ X1 and D 3 ⊕ D 4 = ∆ X2 then with probability p 1 p 2 , the section key as well) offers multiple "possibilities" for using the differentials. For example, with probability p 2 1 the resulting updated key is K j,1 ||K j,1 ⊕ ∆ Y1 ||K j,3 ||K j,3 ⊕ ∆ Y1 , and with probability p 2 2 it is K j,1 ||K j,2 ||K j,1 ⊕ ∆ Y2 ||K j,2 ⊕ ∆ Y2 . We note that, in RFC 8645 [41] the suggested values for D i have the following equality: Thus, if there is a differential property such that the difference of one pair of the constants is equal to the input difference, then other pair also satisfies that. In that case, with probability p 2 , the section key is To reduce the chances of misuse, we suggest that the constants D ′ i s should not have such relations.
A differential weakness of the underlying cipher can also be used differently. An adversary can choose a suitable nonce such that for some block, the counter becomes D 1 ⊕ ∆ X . Suppose this counter occurs in the ν-th section, i.e., the νs + α-th input to the block cipher is D 1 ⊕ ∆ X for some α ∈ [1, s]. Then the (ν + 1)-th section key is ∆ Y ⊕ (M[νs + α] ⊕ C[νs + α]) with probability p. If one guesses this key with high probability, all the onward keys are known.
Related-key Differential Property In addition to the above issues with regular differential, related-key differential may offer another attack strategy. Assume that the input difference 0 leads to an output difference 0 under some input key difference ∆ K with probability p. In this case, let us consider two different keys K and K ′ with K ⊕ K ′ = ∆ K . Observe that during updates, the ACPKM transformation uses the same constant input to the underlying block cipher, i.e., the input difference is 0. So both the updates produce the same keys for the next round with probability p. This definitely reduces the entropy of the keys for the next round.
We have experimented with our-made variants of SIMON [10] and of TEA [42] block ciphers, where we have taken both block size of 16 bits and key size of 32 bits (see section A for details of these ciphers). For a random function the key entropy drops by about 0.66 bits in the first update. However, due to the related-key differential properties of TEA, 5 we observe a drop of almost 2.34 bits in the key entropy already in the first update. For SIMON, we observed a drop of 0.67 bits in the H 0 -entropy after the first update.
Linear Property High probability linear characteristics also effectively reduces the key entropy. Consider the key-update of ACPKM K j = E Kj−1 (D 1 )||E Kj−1 (D 2 ). 5 We remind the reader that TEA has 3 related key differential properties of the form Suppose that there are linear characteristics (λ I → λ O ) with bias ϵ, i.e., we have where λ K is the key mask and both equations holds with probability ϵ+ 1 2 . Using the pilling-up lemma: holds with probability 2ϵ 2 + 1 2 . Here (D 1 ⊕ D 2 ) is known to the adversary, so information about the j-th section key is revealed. Moreover , the existence of such a relation reduces the key entropy.

ACPKM in the Multi-User Setting
We now discuss the multi-user security of the ACPKM contstruction, taking into consideration the H 0 -entropy loss. One of the most critical implications of the H 0 -entropy loss is that the probability of a collision between two or more user keys increases. We take u to be the number of users and we let ν ≤ 2 κ 2 be the section number, then, due to the H 0 -entropy loss and by the birthday paradox, we can observe that if then, with high probability, two or more user keys collide after ν iterations of ACPKM. This vulnerability in the ACPKM construction highlights the impact of the entropy loss in real life. For example, if two different user keys collide in section ν, then all the section keys of those two users after the ν-th section are the same. Thus, if two or more user keys collide in some section ν, then the counter mode in CTR-ACPKM provides the same keystream for all the subsequent sections, provided that the users use the same IV.

Distinguishing Attack Using Key Collision
We propose a distinguishing attack on CTR-ACPKM, using the above key collision. Assume that there are u users, where the adversary makes a single query to each user asking for the encryptions of w i sections, with i ∈ {1, 2, ..., u}. We denote the set of all encryptions by w = min{w 1 , ..., w u }. In this setting, we construct a deterministic distinguisher D for a distinguishing game to distinguish CTR-ACPKM construction from the ideal world as follows: Attack Algorithm. First, the adversary picks a random nonce, say IV and messages M i for the i-th user with ∥M i ∥ n = 2 sw for all i ∈ {1, 2, ..., u}. So each M i has w sections numbered 0, ..., w−1. Recall that s is the length of each section in n-bit blocks and κ is the key size. Then the adversary advances as follows: 1. Choose a suitable section ν with ν ≤ 2 κ 2 and u 2 ν ≥ 2 κ+2 . 2. For i = 1, ..., u, asks for the encryption of (i, IV, M i ) form the i-th user under key K i and obtained C i . 3. If there are i and j such that for all β ∈ [ν, w − 1] and α ∈ [1, s] then output 1, else output 0.
The distinguishing advantage of D is more than 1/2 when the number of users is at least 2 κ/2+1 / √ ν and D makes at least one query through each users. The detailed analysis of the algorithm is given in section B.
We now look at the practical security implications of the key collision between multiple users. Consider a system with a key size of κ = 128 bits, a block size of n = 128 bits, and a section size of s = 2 3 blocks. Now consider a message M consisting of 2 m blocks. From this we can see that the maximum number of sections is 2 m−3 . Note that due to Theorem 1 we cannot ask for more than ν ≤ 2 64 sections per user. However, since we are in the multi-user setting we can still generate a collision. As we have seen before we can generate a key collision at the ν-th section using u users where with ν ≤ min{2 64 , 2 m−3 }. Thus, in this example we need 2 32 users to get a collision in the 2 64 -th section key. Naturally we can increase the number of users to reduce the number of sections each user needs to encrypt. If in the above example we use 2 36 users, the attacker only needs to request for 2 56 sections to generate a collision in the section key.

Multi-user Key Recovery Attack
Next we discuss a section-key recovery attack in the multi-user setting. We use a similar idea to the H 0 -entropy loss and birthday paradox as we discussed in the previous distinguishing attack. This idea is motivated by [16]. Again, we consider a case with u users. We construct an adversary that makes a single query to each user. Let w i be the number of sections in the i-th user query for all i ∈ {1, 2, ..., u} and w = min{w 1 , ..., w u }. We show that the adversary can recover the section key of a targeted section for at least one user. We present the result in the following Lemma 1. Lemma 1. Let ν ∈ [1, w] be a fixed section number and s be the section size in the n-bit blocks. There exists an adversary A that makes a single query corresponding to each of the u users, can recover the ν-th section key of at least one user on the CTR-ACPKM in the multi-user setting. The success probability of the attack is more than 1/2 when the number of users is at least 2 κ+1 /νℓ and A makes at least one query through each users, where κ is the key size and each query is with at least νs blocks.
Proof. We construct a deterministic adversary A. Let us consider there are u users and A makes queries to the i-th user of the form (i, IV i , M i ). Attack Algorithm. A randomly chooses a nonce IV and chooses message M i for the i-th user for all i ∈ {1, 2, ..., u}. In that case, the adversary does the following: 1. Choose a suitable section ν with ν ≤ 2 .., K g ℓ } which are valid for the ν-th section (to find valid keys, one can use Algorithm 1 as described in Section 4.1). 5. For all j ∈ [1, κ], encrypt X j with each guessed key and obtain Y p,j = E K g p (X j ) for all p ∈ {1, 2, ..., ℓ}. 6. If there exists i and p such that .., s then output K g p as the i-th user key.
Analysis of the attack. The condition in step 6 holds if one user's ν-th section-key matches with one of the guessed key. We consider the indicator random variables for some sufficiently large d such that s = κ+d n−1 . Thus, for sufficiently large d, the expected number of false positive cases are small enough.
Again, if one section key is known to the adversary, all the onward section keys are revealed.
We can observe that the total complexity of the above attack critically depends on the adversary's target section. For a fixed number of users, if the adversary targets a section towards the end, it needs less computation. In Table 6 we can see the number of primitive queries (ℓ) and the number of users (u) that are required to get a key-recovery advantage of ≈ 1 2 in a fixed section (ν).   The same idea can also be implemented in the single-user setting. In that case the adversary also needs to guess the IV and the required condition is where m is the size of the nonce IV.

Discussion and Future Work
We have presented attacks based on the entropy reduction of the key-space in the ACPKM internal re-keying technique. Based on the H 0 -entropy loss, we proposed an improved exhaustive search for the section keys. We also discussed a key collision attack, and a key-recovery attack in the multi-user setting due to the H 0 -entropy loss. Finally, we discussed that the H 1 -entropy loss is much more effective than H 0 -entropy loss and based on this, we propose a novel master-key recovery attack.
In addition to the attacks based on entropy loss, we proposed attacks based on faulty or backdoored implementations of CTR-ACPKM. Furthermore, we show that a malicious designer may further harm the mode if a specific related-key differential property exists in the underlying block cipher. Finally, we propose a related-key distinguisher on the CTR-ACPKM mode which is independent of the underlying primitive.
One open direction of research is to consider the entropy reduction into the security proofs of [7]. Note that using ACPKM without any change is acceptable if the key size is large (to begin with), the number of sections encrypted under one master key is not too large, and the delicate implementation issues are addressed. However, given our findings, we suggest that ISO and IETF will reconsider the use of ACPKM. Even if the use of ACPKM is not discouraged, appropriate warnings about the use cases should be clearly added to the respective standards.
Finally, we note that ACPKM (and CPKM) is suggested to use together with Russian standards such as GOST 28147-89 (Magam) and Kuznyechik. The design rationale of these ciphers was never revealed, and in the case of Kuznyechik multiple works suggested hidden design rationale [20,37]. Given that these modes are extremely sensitive to differential-based backdoors in the design, we further suggest using these modes only with block ciphers whose design criteria are completely trustworthy, and security against differential cryptanalysis can be guaranteed (as much as possible).  [2]. The round function of TEA16 is applied to the block (L r , R r ) as follows: for r = 0 · · · 32 and K 1 r ∥K 2 r is the r-th round key. X ≪ i and X ≫ i denotes the i bit left shift and i bit right shift of X, respectively. The value c is initially 0 and incremented by a fixed constant 0x9E at every two rounds. A schematic diagram of one cycle (two rounds) is given in Figure 1.

A.2 Related Key Properties of TEA16
Here we recall three related-key differential property of the block cipher TEA16, that holds for zero input difference. Let us denote one cycle of TEA16 by F . The following iterative differential characteristics holds with probability 1: Thus, TEA has 3 related-key differential property that takes zero input difference to zero output difference under 3 possible key difference.

A.3 Simon16
Simon16 is a reduced version of Simon [10] with a 16-bit block and 32-bit master key. It is an Feistel structure where the round function follows ARX construction and has 32 Feistel rounds. One round of Simon16 applied to the block L r ||R r and produce L r+1 ||R r+1 as follows: L r+1 = R r ⊕ ((S 1 (L r ) ∧ S 2 (L r )) ⊕ S 3 (L r ) ⊕ K r ) R r+1 = R r where S j (X) denotes the left circular shift of X by j positions and K i denotes the round key. Thus, we have changes the left circular shift amounts to 1,2, and 3 instead of 8, 1 and 2 used in the original Simon [10]. A schematic diagram of one round is given in Figure 2. The key schedule of Simon16 follows exactly the same key schedule as used in the original Simon [10]. At first the 32-bit master key K is parsed into four keys of size 8 bits to generate subkeys for the first 4 rounds, i.e., K where S −j (X) denotes the right circular shift of X by j positions. Here Z i is the i-th bit of a fixed bit sequence Z = 00011001110000110101001000101111.
We are not aware of any high probability related-key differential in Simon [10] and we expect none exist in Simon16.

A.4 AES16/AES32
AES16 (AES32) is the reduced version of AES [23] reduced to a 16-bit (32-bit) block cipher with 32-bit key. We take 32-bit key and plaintext, and add zero to the 12 most significant bytes to make it 128-bit key. Finally, the output of AES-128 is chopped to 16 bits (32 bits).
B Analysis of the Distinguishing Attack from subsection 6.1 Assume that there are u users, where the adversary makes a single query to each user. Let w i be the number of sections in the i-th user-query for all i ∈ {1, 2, ..., u} and w = min{w 1 , ..., w u }. We show that this adversary can distinguish CTR-ACPKM from a random function. We present our main result of this section in the following Lemma 2.
show that U ≥ 1 with high probability. As all the U i,j 's are pairwise independent random variables, by using Chebyshev's inequality we have We compute the expectation as follows: Similarly, from the pairwise independence of the variables U j,k , we can compute the variance as follows: Thus from Equation 4, we get Finally, from the statement of the lemma, as D makes at least 2 κ/2+1 / √ ν queries, we have the relation that u 2 ν ≥ 2 κ+2 . Thus, we get Pr[U ≥ 1] ≥ 1 2 .
Step-II: In this step, we bound the probability that D outputs 1 in the step 3 of the above algorithm while interacting with the ideal world. and let Z = i,j Z j,k . It is easy to observe that a random collision occurs if there exist i, j such that Z i,j = 1. As the outputs are chosen at uniformly random in the ideal world, such a random collision occurs with the probability at most ((2 n ) s ) w−ν ≤ u 2 ((2 n ) s ) w−ν .