on s-box reverse-engineering: from cryptanalysis to the

On S-Box Reverse-Engineering: fromCryptanalysis to the Big APN Problem

Léo Perrin

DTU, Lyngbyperrin dot leo at gmail

4th of July 2017Boolean Functions and Their Applications

The content of this talk is based on joint works with Biryukov, Canteaut, Duval, Khovratovichand Udovenko, and my PhD thesis.

IntroductionOverview of S-Box Reverse-Engineering Methods

The TU-DecompositionA Decomposition of the 6-bit APN Permutation

Conclusion

In this TalkWhat is an S-Box?S-Box Design

If you only know the Look-Up Table of an S-Box,what can you do?

Random?Was it picked uniformly atrandom?

Structured?Was it built using a particularstructure ?

1 / 42

Conclusion

1 / 42

Conclusion

1 / 42

Conclusion

S-Box?

An S-Box is a small non-linear function mappingm bits to nusually specified via its look-up table.

Typically, n =m,n ∈ {4, 8}

Used by many block ciphers/hash functions/stream ciphers.

Necessary for the wide trail strategy.

2 / 42

Conclusion

S-Box?

An S-Box is a small non-linear function mappingm bits to nusually specified via its look-up table.

Typically, n =m,n ∈ {4, 8}

Used by many block ciphers/hash functions/stream ciphers.

Necessary for the wide trail strategy.

2 / 42

Conclusion

Example

Screen capture from [GOST, 2015].

3 / 42

Conclusion

S-Box Design

4 / 42

Conclusion

S-Box Design

4 / 42

Conclusion

S-Box Design

Khazad...

iScream...

Grøstl...

4 / 42

Conclusion

S-Box Reverse-Engineering

5 / 42

Conclusion

S-Box Reverse-Engineering

5 / 42

Conclusion

Motivation

A malicious designer can easily hide a structure in an S-Box.

To keep an advantage in implementation (WB crypto)...... or an advantage in cryptanalysis (backdoor)?

6 / 42

Conclusion

Motivation

To keep an advantage in implementation (WB crypto)...

... or an advantage in cryptanalysis (backdoor)?

6 / 42

Conclusion

Motivation

To keep an advantage in implementation (WB crypto)...... or an advantage in cryptanalysis (backdoor)?

6 / 42

Conclusion

Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers

Outline

1 Introduction

2 Overview of S-Box Reverse-Engineering Methods

3 The TU-Decomposition

4 A Decomposition of the 6-bit APN Permutation

5 Conclusion

6 / 42

Conclusion

Plan of this Section

1 Introduction

2 Overview of S-Box Reverse-Engineering MethodsStatistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers

5 Conclusion

6 / 42

Conclusion

The Two Tables

Let S : Fn2 → Fn2 be an S-Box.

Definition (DDT)

The Di�erence Distribution Table of S is a matrix of size 2n × 2n such that

DDT[a,b] = #{x ∈ Fn2 | S (x ⊕ a) ⊕ S (x ) = b}.

Definition (LAT)

The Linear Approximations Table of S is a matrix of size 2n × 2n such that

LAT[a,b] = #{x ∈ Fn2 | x · a = S (x ) · b} − 2n−1 =WS (a,b)

7 / 42

Conclusion

The Two Tables

Definition (DDT)

DDT[a,b] = #{x ∈ Fn2 | S (x ⊕ a) ⊕ S (x ) = b}.

Definition (LAT)

7 / 42

Conclusion

The Two Tables

Definition (DDT)

DDT[a,b] = #{x ∈ Fn2 | S (x ⊕ a) ⊕ S (x ) = b}.

Definition (LAT)

7 / 42

Conclusion

Coe�icient Distribution in the DDT

If an n-bit S-Box is bijective, then its DDT coe�icients behave likeindependent and identically distributed random variables following aPoisson distribution:

Pr [DDT[a,b] = 2z] =e−1/2

Always even, ≥ 0Typically between 0 and 16 (for n =)

Lower is be�er.

8 / 42

Conclusion

Coe�icient Distribution in the DDT

If an n-bit S-Box is bijective, then its DDT coe�icients behave likeindependent and identically distributed random variables following aPoisson distribution:

Pr [DDT[a,b] = 2z] =e−1/2

Always even, ≥ 0Typically between 0 and 16 (for n =)

Lower is be�er.

8 / 42

Conclusion

Coe�icient Distribution in the LAT

If an n-bit S-Box is bijective, then its LAT coe�icients behave likeindependent and identically distributed random variables following thisdistribution:

Pr [LAT[a,b] = 2z] =

(2n−12n−2+z

)(2n2n−1

Always even, signed.

Typically between -40 and 40 (for n = 8).

Lower absolute value is be�er.

9 / 42

Conclusion

Coe�icient Distribution in the LAT

If an n-bit S-Box is bijective, then its LAT coe�icients behave likeindependent and identically distributed random variables following thisdistribution:

Pr [LAT[a,b] = 2z] =

(2n−12n−2+z

)(2n2n−1

) .Always even, signed.

Typically between -40 and 40 (for n = 8).

Lower absolute value is be�er.

9 / 42

Conclusion

Looking Only at the Maximum

δ log2 (Pr [max(D) ≤ δ ])

14 -0.006

12 -0.094

10 -1.329

8 -16.148

6 -164.466

4 -1359.530

` log2 (Pr [max(L) ≤ `])

38 -0.08436 -0.30234 -1.00832 -3.16030 -9.28828 -25.62326 -66.41524 -161.90022 -371.609

Probability that the maximum coe�icient in the DDT/LAT of an 8-bitpermutation is at most equal to a certain threshold.

10 / 42

Conclusion

Looking Only at the Maximum

δ log2 (Pr [max(D) ≤ δ ])

14 -0.006

12 -0.094

10 -1.329

8 -16.148

6 -164.466

4 -1359.530

` log2 (Pr [max(L) ≤ `])

38 -0.08436 -0.30234 -1.00832 -3.16030 -9.28828 -25.62326 -66.41524 -161.90022 -371.609

Probability that the maximum coe�icient in the DDT/LAT of an 8-bitpermutation is at most equal to a certain threshold.

10 / 42

Conclusion

Taking Number of Maximum Values into AccountProbability (log2)

0 5 10 15 20 25 30 35 40

Pr[max = 28]

Pr[max = 26]

Pr[max = 28, #28 ≤ N28]

11 / 42

Conclusion

Application of this Analysis?

We applied this method on the S-Box of Skipjack.

12 / 42

Conclusion

What is Skipjack?

Type Block cipher

Bloc 64 bits

Key 80 bits

Authors NSA

Publication 1998 (classified at first)

13 / 42

Conclusion

Reverse-Engineering the S-Box of Skipjack

Skipjack uses F , a permutation of F82 with max(LAT) = 28 and #28 = 3.

Probability (log2)

0 5 10 15 20 25 30 35 40

Pr[max = 28]

Pr[max = 26]

Pr[max = 28, #28 ≤ N28]

Pr [max(LAT) = 28 and #28 ≤ 3] ≈ 2−55

14 / 42

Conclusion

Skipjack uses F , a permutation of F82 with max(LAT) = 28 and #28 = 3.Probability (log2)

0 5 10 15 20 25 30 35 40

Pr[max = 28]

Pr[max = 26]

Pr[max = 28, #28 ≤ N28]

Probability (log2)

0 5 10 15 20 25 30 35 40

Pr[max = 28]

Pr[max = 26]

Pr[max = 28, #28 ≤ N28]

Pr [max(LAT) = 28 and #28 ≤ 3] ≈ 2−55

14 / 42

Conclusion

0 5 10 15 20 25 30 35 40

Pr[max = 28]

Pr[max = 26]

Pr[max = 28, #28 ≤ N28]

Pr [max(LAT) = 28 and #28 ≤ 3] ≈ 2−55

14 / 42

Conclusion

0 5 10 15 20 25 30 35 40

Pr[max = 28]

Pr[max = 26]

Pr[max = 28, #28 ≤ N28]

Pr [max(LAT) = 28 and #28 ≤ 3] ≈ 2−5514 / 42

Conclusion

What Can We Deduce?

F has not been picked uniformly at random.

F has not been picked among a feasibly large set of random S-Boxes.

Its linear properties were optimized (though poorly).

The S-Box of Skipjack was builtusing a dedicated algorithm.

15 / 42

Conclusion

What Can We Deduce?

F has not been picked uniformly at random.

F has not been picked among a feasibly large set of random S-Boxes.

Its linear properties were optimized (though poorly).

The S-Box of Skipjack was builtusing a dedicated algorithm.

15 / 42

Conclusion

Conclusion on Skipjack

16 / 42

Conclusion

Conclusion on Skipjack

16 / 42

Conclusion

Di�erent Techniques

Statistics

17 / 42

Conclusion

Ad Hoc

17 / 42

Conclusion

StructuralA�acks

17 / 42

Conclusion

A�acks Against SPN (1/2)

S0,0 S0,1 ... S0,n/m−1

S1,0 S1,1 ... S1,n/m−1

S2,0 S2,1 ... S2,n/m−1

y j0 y j1 y jn/m−1

Zero sums

⊕2m−1j=0 S2,i (y

ji ) = 0, for all i . Repeat for di�erent constant then solve

system [Biryukov, Shamir, 2001]

18 / 42

Conclusion

S0,0 S0,1 ... S0,n/m−1

S1,0 S1,1 ... S1,n/m−1

S2,0 S2,1 ... S2,n/m−1

Zero sums

⊕2m−1j=0 S2,i (y

system [Biryukov, Shamir, 2001]

18 / 42

Conclusion

S0,0 S0,1 ... S0,n/m−1

S1,0 S1,1 ... S1,n/m−1

S2,0 S2,1 ... S2,n/m−1

Zero sums

⊕2m−1j=0 S2,i (y

ji ) = 0, for all i .

Repeat for di�erent constant then solvesystem [Biryukov, Shamir, 2001]

18 / 42

Conclusion

S0,0 S0,1 ... S0,n/m−1

S1,0 S1,1 ... S1,n/m−1

S2,0 S2,1 ... S2,n/m−1

Zero sums

⊕2m−1j=0 S2,i (y

system [Biryukov, Shamir, 2001] 18 / 42

Conclusion

Works against more than 3 rounds if deg(S (AS )r−1) is low enough.

SPN degree bound

Number of rounds

0 1 2 3 4 5 6 7 8

Degree Bound (SPN) [Biryukov et al., 2017]

Let σ operate onm bits, deg(σ ) =m − 1, and n be the block size.Rhoughly speaking, deg

(S (AS )r−1

)< n − 1 as long as

(m − 1) br /2c < n .

19 / 42

Conclusion

Works against more than 3 rounds if deg(S (AS )r−1) is low enough.

SPN degree bound

Number of rounds

0 1 2 3 4 5 6 7 8

Degree Bound (SPN) [Biryukov et al., 2017]

Let σ operate onm bits, deg(σ ) =m − 1, and n be the block size.Rhoughly speaking, deg

(S (AS )r−1

)< n − 1 as long as

(m − 1) br /2c < n .

19 / 42

Conclusion

A�acks Against Feistel Networks

Degree Bound (Feistel Network) [Perrin and Udovenko, 2016]

Let {F i }i<r be permutations of Fn/22 of degree d and let F r (F ) denote ther -round n-bit Feistel Network with round function F i . If

d br /2c−1 + d dr /2e−1 < n ,

then some degree n − 1 terms in the ANF of F r (F ) are missing.

20 / 42

Conclusion

What Does it Take to Have Full Degree?

The degree based distinguishers for SPNs and Feistel networks can be seenas particular cases of this lemma.

LemmaLet F : Fn2 → F2 be a Boolean function and let G : Fn2 → F

n2 be a

permutation. Then:

deg(F ◦G ) = n − 1 =⇒ deg(F ) + deg(G−1) ≥ n .

21 / 42

Conclusion

Definition of the TU-decompositionApplication to the Last Russian Standards

Outline

1 Introduction

5 Conclusion

21 / 42

Conclusion

1 Introduction

3 The TU-DecompositionDefinition of the TU-decompositionApplication to the Last Russian Standards

5 Conclusion

21 / 42

Conclusion

What is the TU-Decomposition?

The TU-decomposition is a decomposition algorithm working against vastgroups of algorithms: 3-round Feistel, Dillon’s APN permutation, SAS, ...

S TU-decompositionT

T and U are mini-block ciphers ; µ and η are linear permutations.22 / 42

Conclusion

TU-Decomposition in a Nutshell

Let L be the LAT of the target S : Fn2 → Fn2 .

1 Identify vector spacesU andV of dimensionn/2 such that:

L (a,b) = 0, ∀(a,b) ∈ U ×V .

2 Deduce linear permutations µ ′ and η′ such that

L (µ ′(a),η′(b)) = 0, ∀(a,b) ∈ Fn/22 × Fn/22

3 Built new LAT L ′ such that

L ′(a,b) = L (µ ′(a),η′(b))

and recover S ′ with LAT L ′. Deduce µ,η.

23 / 42

Conclusion

L (a,b) = 0, ∀(a,b) ∈ U ×V .

L (µ ′(a),η′(b)) = 0, ∀(a,b) ∈ Fn/22 × Fn/22

L ′(a,b) = L (µ ′(a),η′(b))

23 / 42

Conclusion

L (a,b) = 0, ∀(a,b) ∈ U ×V .

L (µ ′(a),η′(b)) = 0, ∀(a,b) ∈ Fn/22 × Fn/22

L ′(a,b) = L (µ ′(a),η′(b))

23 / 42

Conclusion

L (a,b) = 0, ∀(a,b) ∈ U ×V .

L (µ ′(a),η′(b)) = 0, ∀(a,b) ∈ Fn/22 × Fn/22

L ′(a,b) = L (µ ′(a),η′(b))

23 / 42

Conclusion

L (a,b) = 0, ∀(a,b) ∈ U ×V .

L (µ ′(a),η′(b)) = 0, ∀(a,b) ∈ Fn/22 × Fn/22

L ′(a,b) = L (µ ′(a),η′(b))

23 / 42

Conclusion

Bootstrapping TU-Decomposition

OK... But how do we findU andV?

For now: we just look at the LAT and hope for the best!

24 / 42

Conclusion

Bootstrapping TU-Decomposition

OK... But how do we findU andV?

For now: we just look at the LAT and hope for the best!

24 / 42

Conclusion

Kuznyechik/Stribog

Stribog

Type Hash function

Publication [GOST, 2012]

Kuznyechik

Type Block cipher

Common ground

Both are standard symmetric primitives in Russia.

Both were designed by the FSB (TC26).

Both use the same 8 × 8 S-Box, π .

25 / 42

Conclusion

Kuznyechik/Stribog

Stribog

Type Hash function

Kuznyechik

Type Block cipher

Common ground

Both are standard symmetric primitives in Russia.

Both were designed by the FSB (TC26).

Both use the same 8 × 8 S-Box, π .25 / 42

Conclusion

The LAT of the S-Box of Kuznyechik

26 / 42

Conclusion

Applying one Linear Layer

27 / 42

Conclusion

Applying two Linear Layers

28 / 42

Conclusion

Final Decomposition Number 1

ϕ �

ν1ν0

� Multiplication in F24

α Linear permutation

I Inversion in F24

ν0,ν1,σ 4 × 4 permutations

ϕ 4 × 4 function

ω Linear permutation

29 / 42

Conclusion

Final Decomposition Number 1

ϕ �

ν1ν0

� Multiplication in F24

α Linear permutation

I Inversion in F24

ν0,ν1,σ 4 × 4 permutations

ϕ 4 × 4 function

ω Linear permutation

29 / 42

Conclusion

Conclusion for Kuznyechik/Stribog?

The Russian S-Box was built like astrange Feistel...

... or was it?

Belarussian inspiration

The last standard of Belarus [Bel. St. Univ., 2011] uses an 8-bit S-box,

somewhat similar to π ...

... based on a finite field exponential!

30 / 42

Conclusion

... or was it?

30 / 42

Conclusion

... or was it?

30 / 42

Conclusion

... or was it?

30 / 42

Conclusion

Final Decomposition Number 2 (!)

ω ′

⊗−1

logw,16

0 1 2 3 4 5 6 7 8 9 a b c d e fT0 0 1 2 3 4 5 6 7 8 9 a b c d e fT1 0 1 2 3 4 5 6 7 8 9 a b c d e fT2 0 1 2 3 4 5 6 7 8 9 a b c d f eT3 0 1 2 3 4 5 6 7 8 9 a b c f d eT4 0 1 2 3 4 5 6 7 8 9 a b f c d eT5 0 1 2 3 4 5 6 7 8 9 a f b c d eT6 0 1 2 3 4 5 6 7 8 9 f a b c d eT7 0 1 2 3 4 5 6 7 8 f 9 a b c d eT8 0 1 2 3 4 5 6 7 f 8 9 a b c d eT9 0 1 2 3 4 5 6 f 7 8 9 a b c d eTa 0 1 2 3 4 5 f 6 7 8 9 a b c d eTb 0 1 2 3 4 f 5 6 7 8 9 a b c d eTc 0 1 2 3 f 4 5 6 7 8 9 a b c d eTd 0 1 2 f 3 4 5 6 7 8 9 a b c d eTe 0 1 f 2 3 4 5 6 7 8 9 a b c d eTf 0 f 1 2 3 4 5 6 7 8 9 a b c d e

31 / 42

Conclusion

Final Decomposition Number 2 (!)

ω ′

⊗−1

logw,16

0 1 2 3 4 5 6 7 8 9 a b c d e fT0 0 1 2 3 4 5 6 7 8 9 a b c d e fT1 0 1 2 3 4 5 6 7 8 9 a b c d e fT2 0 1 2 3 4 5 6 7 8 9 a b c d f eT3 0 1 2 3 4 5 6 7 8 9 a b c f d eT4 0 1 2 3 4 5 6 7 8 9 a b f c d eT5 0 1 2 3 4 5 6 7 8 9 a f b c d eT6 0 1 2 3 4 5 6 7 8 9 f a b c d eT7 0 1 2 3 4 5 6 7 8 f 9 a b c d eT8 0 1 2 3 4 5 6 7 f 8 9 a b c d eT9 0 1 2 3 4 5 6 f 7 8 9 a b c d eTa 0 1 2 3 4 5 f 6 7 8 9 a b c d eTb 0 1 2 3 4 f 5 6 7 8 9 a b c d eTc 0 1 2 3 f 4 5 6 7 8 9 a b c d eTd 0 1 2 f 3 4 5 6 7 8 9 a b c d eTe 0 1 f 2 3 4 5 6 7 8 9 a b c d eTf 0 f 1 2 3 4 5 6 7 8 9 a b c d e

31 / 42

Conclusion

Conclusion on Kuznyechik/Stribog

32 / 42

Conclusion

32 / 42

Conclusion

32 / 42

Conclusion

32 / 42

Conclusion

The Big APN Problem and its Only Known SolutionsOn Bu�erflies

Outline

1 Introduction

5 Conclusion

32 / 42

Conclusion

1 Introduction

4 A Decomposition of the 6-bit APN PermutationThe Big APN Problem and its Only Known SolutionsOn Bu�erflies

5 Conclusion

32 / 42

Conclusion

The Big APN Problem

Definition (APN function)

A function f : Fn2 → Fn2 is Almost Perfect Non-linear (APN) if

f (x ⊕ a) ⊕ f (x ) = b

has 0 or 2 solutions for all a , 0 and for all b.

Big APN Problem

Are there APN permutations operating on Fn2 where n is even?

33 / 42

Conclusion

The Big APN Problem

Definition (APN function)

A function f : Fn2 → Fn2 is Almost Perfect Non-linear (APN) if

f (x ⊕ a) ⊕ f (x ) = b

has 0 or 2 solutions for all a , 0 and for all b.

Big APN Problem

Are there APN permutations operating on Fn2 where n is even?

33 / 42

Conclusion

Dillon et al.’s Permutation

Only One Known Solution!

For n = 6, Dillon et al. found an APN permutation.

It is possible to make a TU-decomposition!

34 / 42

Conclusion

34 / 42

Conclusion

34 / 42

Conclusion

34 / 42

Conclusion

On the Bu�erfly Structure

Definition (Open Bu�erfly H3α ,β

This permutation is an open bu�erfly.

LemmaDillon’s permutation is a�ine-equivalentto H3

w,1, where Tr (w ) = 0.

35 / 42

Conclusion

On the Bu�erfly Structure

Definition (Open Bu�erfly H3α ,β

This permutation is an open bu�erfly.

LemmaDillon’s permutation is a�ine-equivalentto H3

w,1, where Tr (w ) = 0.

35 / 42

Conclusion

CCZ-equivalence (1/2)

Definition (CCZ-equivalence)

Let F and G be functions of Fn2 . They are CCZ-equivalent if there exists alinear permutation L of Fn2 × F

n2 such that

{(x , F (x )

),∀x ∈ Fn2

{L(x ,G (x )

),∀x ∈ Fn2

Properties

CCZ-equivalence preserves:

the distribution of the coe�icients in the LAT (Walsh spectrum),

the distribution of the coe�icients in the DDT.

It does not preserve:

the position of the DDT/LAT coe�icients

the algebraic degree.

36 / 42

Conclusion

CCZ-equivalence (1/2)

Definition (CCZ-equivalence)

Let F and G be functions of Fn2 . They are CCZ-equivalent if there exists alinear permutation L of Fn2 × F

n2 such that

{(x , F (x )

),∀x ∈ Fn2

{L(x ,G (x )

),∀x ∈ Fn2

Properties

CCZ-equivalence preserves:

the distribution of the coe�icients in the LAT (Walsh spectrum),

the distribution of the coe�icients in the DDT.

It does not preserve:

the position of the DDT/LAT coe�icients

the algebraic degree.36 / 42

Conclusion

Closed Bu�erflies

βx3 ⊕

Definition (Closed bu�erfly V3α ,β

This quadratic function is a closedbu�erfly.

Lemma (Equivalence)

Open and closed bu�erflies with the sameparameters are CCZ-equivalent.

37 / 42

Conclusion

Closed Bu�erflies

βx3 ⊕

Definition (Closed bu�erfly V3α ,β

This quadratic function is a closedbu�erfly.

Lemma (Equivalence)

Open and closed bu�erflies with the sameparameters are CCZ-equivalent.

37 / 42

Conclusion

Bu�erflies and Feistel Networks

When α = 1, bu�erflies can be greatly simplified.

βx3⊕

x1/3 ⊕

βx3⊕

βx3 x3 βx3

⊕⊕

38 / 42

Conclusion

Some Properties of Bu�erflies

Theorem (Properties of bu�erflies [Canteaut et al., 2017])Let V3

α ,β and H3α ,β be bu�erflies operating on 2n bits, n odd. Then:

deg(V3α ,β

if n = 3, Tr (α ) = 0 and β + α 3 ∈ {α, 1/α }, thenmax(DDT ) = 2, max(W ) = 2n+1 and deg

(H3α ,β

)= n + 1 ,

if β = (1 + α )3, thenmax(DDT ) = 2n+1, max(W ) = 2(3n+1)/2 and deg

(H3α ,β

)= n ,

otherwise,

max(DDT ) = 4, max(W ) = 2n+1 and deg(H3α ,β

)∈ {n, n + 1}

and deg(H3α ,β

)= n if and only if

1 + α β + α 4 = (β + α + α 3)2 .

39 / 42

Conclusion

Outline

1 Introduction

5 Conclusion

39 / 42

Conclusion

1 Introduction

5 Conclusion

39 / 42

Conclusion

We can recover the majority of known S-Box structuresand derive new results about Skipjack and Kuznyechik.

We can generalize the permutation of Dillon et al...

but we can prove that our generalizations are never APN(except in the known case).

There are still S-Boxes with unknown building strategies(CMEA, CSS)!

40 / 42

Conclusion

40 / 42

Conclusion

40 / 42

Conclusion

40 / 42

Conclusion

The Last S-Box

14 11 60 6d e9 10 e3 2 b 90 d 17 c5 b0 9f c5d8 da be 22 8 f3 4 a9 fe f3 f5 fc bc 30 be 26bb 88 85 46 f4 2e e fd 76 fe b0 11 4e de 35 bb30 4b 30 d6 dd df df d4 90 7a d8 8c 6a 89 30 39e9 1 da d2 85 87 d3 d4 ba 2b d4 9f 9c 38 8c 55d3 86 bb db ec e0 46 48 bf 46 1b 1c d7 d9 1b e023 d4 d7 7f 16 3f 3 3 44 c3 59 10 2a da ed e98e d8 d1 db cb cb c3 c7 38 22 34 3d db 85 23 7c24 d1 d8 2e fc 44 8 38 c8 c7 39 4c 5f 56 2a cfd0 e9 d2 68 e4 e3 e9 13 e2 c 97 e4 60 29 d7 9bd9 16 24 94 b3 e3 4c 4c 4f 39 e0 4b bc 2c d3 9481 96 93 84 91 d0 2e d6 d2 2b 78 ef d6 9e 7b 72ad c4 68 92 7a d2 5 2b 1e d0 dc b1 22 3f c3 c388 b1 8d b5 e3 4e d7 81 3 15 17 25 4e 65 88 4ee4 3b 81 81 fa 1 1d 4 22 0 6 1 27 68 27 2e3b 83 c7 cc 25 9b d8 d5 1c 1f e5 59 7f 3f 3f ef

41 / 42

Conclusion

42 / 42

AppendixBibliography Back-Up Slides

Details About SkipjackN

Absolute value of the coe�cients in the LAT

22 23 24 25 26 27 28

Proof of Full Degree Condition

If deg(F ◦G ) = n − 1, then ∃i ≤ n such that⊕

x ∈Ci (F ◦G ) (x ) = 1.

Let Ii : Fn2 → F2 be such that Ii (x ) = 1⇔ x ∈ Ci :⊕x ∈Ci

(F ◦G ) (x ) =⊕x ∈Fn2

F(G (x )

)× Ii (x ) ,

and let y = G (x ). Then:⊕x ∈Ci

(F ◦G ) (x ) =⊕y∈Fn2

F (y) × Ii(G−1 (y)

This sum is equal to 1 if and only if x 7→ F (x ) × Ii(G−1 (x )

)has degree n.

Ii is a�ine (Ii (x ) = 1 + xi ). Thus, the sum can be equal to 1 only if

deg(F ) + deg(G−1) ≥ n .

x ∈Ci (F ◦G ) (x ) = 1.

(F ◦G ) (x ) =⊕x ∈Fn2

F(G (x )

)× Ii (x ) ,

(F ◦G ) (x ) =⊕y∈Fn2

F (y) × Ii(G−1 (y)

)has degree n.

deg(F ) + deg(G−1) ≥ n .

x ∈Ci (F ◦G ) (x ) = 1.

(F ◦G ) (x ) =⊕x ∈Fn2

F(G (x )

)× Ii (x ) ,

(F ◦G ) (x ) =⊕y∈Fn2

F (y) × Ii(G−1 (y)

)has degree n.

deg(F ) + deg(G−1) ≥ n .

x ∈Ci (F ◦G ) (x ) = 1.

(F ◦G ) (x ) =⊕x ∈Fn2

F(G (x )

)× Ii (x ) ,

(F ◦G ) (x ) =⊕y∈Fn2

F (y) × Ii(G−1 (y)

)has degree n.

deg(F ) + deg(G−1) ≥ n .

x ∈Ci (F ◦G ) (x ) = 1.

(F ◦G ) (x ) =⊕x ∈Fn2

F(G (x )

)× Ii (x ) ,

(F ◦G ) (x ) =⊕y∈Fn2

F (y) × Ii(G−1 (y)

)has degree n.

Ii is a�ine (Ii (x ) = 1 + xi ).

Thus, the sum can be equal to 1 only if

deg(F ) + deg(G−1) ≥ n .

x ∈Ci (F ◦G ) (x ) = 1.

(F ◦G ) (x ) =⊕x ∈Fn2

F(G (x )

)× Ii (x ) ,

(F ◦G ) (x ) =⊕y∈Fn2

F (y) × Ii(G−1 (y)

)has degree n.

deg(F ) + deg(G−1) ≥ n .

�2 / 4

AppendixBibliography

Bibliography I

Bel. St. Univ. (2011).“Information technologies. Data protection. Cryptographic algorithms for encryptionand integrity control.”.State Standard of Republic of Belarus (STB 34.101.31-2011).http://apmi.bsu.by/assets/files/std/belt-spec27.pdf.

Biryukov, A., Khovratovich, D., and Perrin, L. (2017).Multiset-algebraic cryptanalysis of reduced Kuznyechik, Khazad, and secret SPNs.IACR Transactions on Symmetric Cryptology, 2016(2):226–247.

Canteaut, A., Duval, S., and Perrin, L. (2017).A generalisation of Dillon’s APN permutation with the best known di�erential andnonlinear properties for all fields of size 24k+2.IEEE Transactions on Information Theory, (to appear).

GOST (2012).Gost r 34.11-2012: Streebog hash function.https://www.streebog.net/.

AppendixBibliography

Bibliography II

GOST (2015).

(GOST R 34.12–2015) information technology – cryptographic data security – blockciphers.

http://tc26.ru/en/standard/gost/GOST_R_34_12_2015_ENG.pdf.

Perrin, L. and Udovenko, A. (2016).

Algebraic insights into the secret feistel network.

In Peyrin, T., editor, Fast So�ware Encryption – FSE 2016, volume 9783 of Lecture Notes inComputer Science, pages 378–398. Springer, Heidelberg.

on s-box reverse-engineering: from cryptanalysis to the

Documents

cryptography and cryptanalysis

cryptography & cryptanalysis

algebraic--differential cryptanalysis of des algebraic...

session 6: introduction to cryptanalysis part 1. contents...

cryptanalysis of lash

differential cryptanalysis and boomerang...ﬀtial...

s-box reverse-engineering boolean functions, american

cryptanalysis lab 07

box-rib, reverse box rib, hr-36, mini-v-beam and …...

reverse-engineering the s-box of streebog, kuznyechik and...

block ciphers and cryptanalysis - reverse engineering team

experimenting linear cryptanalysis

reverse-engineering the s-box of streebog, kuznyechik and...

differential cryptanalysis

cryptanalysis, reverse-engineering and design of symmetric

cryptanalysis of the shpilrain-ushakov protocol in...

fault-based cryptanalysis on block ciphers · 1/ 62 fault...

linear cryptanalysis

03 cryptanalysis aes

opening pandora's box: effective techniques for reverse...