On the security aspects of protocol CRISP

Using the provable security approach, we analyze CRISP – a standardized Russian cryptographic protocol that aims to ensure confidentiality, integrity of transmitted messages, as well as protection against replay attacks. The main features of the protocol are non-interactivity, multicasting, and dynamic selection of a cipher suite. The protocol is considered as a specific mode of authenticated encryption with associated data (AEAD). We take into account that one key can be used by many protocol's participants and in different cipher suites. We impose requirements for the set of the cipher suites used in the protocol and show that the existing ones meet them. The security of the protocol is reduced to the PRF-security of KDF and to the security of AEAD-algorithms in all cipher suites. For the protocol with existing cipher suites, only the PRP-security of the «Magma» cipher is required. We obtain heuristic estimates for this computational problem using existing attacks on «Magma». Estimates of the maximum allowable amount of data processed using a single key are also given for existing cipher suites.