![Page 1: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/1.jpg)
On S-Box Reverse-Engineering: fromCryptanalysis to the Big APN Problem
Léo Perrin
DTU, Lyngbyperrin dot leo at gmail
4th of July 2017Boolean Functions and Their Applications
The content of this talk is based on joint works with Biryukov, Canteaut, Duval, Khovratovichand Udovenko, and my PhD thesis.
![Page 2: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/2.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
In this TalkWhat is an S-Box?S-Box Design
If you only know the Look-Up Table of an S-Box,what can you do?
Random?Was it picked uniformly atrandom?
Structured?Was it built using a particularstructure ?
1 / 42
![Page 3: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/3.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
In this TalkWhat is an S-Box?S-Box Design
If you only know the Look-Up Table of an S-Box,what can you do?
Random?Was it picked uniformly atrandom?
Structured?Was it built using a particularstructure ?
1 / 42
![Page 4: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/4.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
In this TalkWhat is an S-Box?S-Box Design
If you only know the Look-Up Table of an S-Box,what can you do?
Random?Was it picked uniformly atrandom?
Structured?Was it built using a particularstructure ?
1 / 42
![Page 5: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/5.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
In this TalkWhat is an S-Box?S-Box Design
S-Box?
An S-Box is a small non-linear function mappingm bits to nusually specified via its look-up table.
Typically, n =m,n ∈ {4, 8}
Used by many block ciphers/hash functions/stream ciphers.
Necessary for the wide trail strategy.
2 / 42
![Page 6: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/6.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
In this TalkWhat is an S-Box?S-Box Design
S-Box?
An S-Box is a small non-linear function mappingm bits to nusually specified via its look-up table.
Typically, n =m,n ∈ {4, 8}
Used by many block ciphers/hash functions/stream ciphers.
Necessary for the wide trail strategy.
2 / 42
![Page 7: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/7.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
In this TalkWhat is an S-Box?S-Box Design
Example
Screen capture from [GOST, 2015].
3 / 42
![Page 8: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/8.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
In this TalkWhat is an S-Box?S-Box Design
S-Box Design
4 / 42
![Page 9: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/9.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
In this TalkWhat is an S-Box?S-Box Design
S-Box Design
4 / 42
![Page 10: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/10.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
In this TalkWhat is an S-Box?S-Box Design
S-Box Design
Khazad...
iScream...
Grøstl...
4 / 42
![Page 11: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/11.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
In this TalkWhat is an S-Box?S-Box Design
S-Box Reverse-Engineering
S
5 / 42
![Page 12: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/12.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
In this TalkWhat is an S-Box?S-Box Design
S-Box Reverse-Engineering
S??
?
5 / 42
![Page 13: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/13.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
In this TalkWhat is an S-Box?S-Box Design
Motivation
A malicious designer can easily hide a structure in an S-Box.
To keep an advantage in implementation (WB crypto)...... or an advantage in cryptanalysis (backdoor)?
6 / 42
![Page 14: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/14.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
In this TalkWhat is an S-Box?S-Box Design
Motivation
A malicious designer can easily hide a structure in an S-Box.
To keep an advantage in implementation (WB crypto)...
... or an advantage in cryptanalysis (backdoor)?
6 / 42
![Page 15: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/15.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
In this TalkWhat is an S-Box?S-Box Design
Motivation
A malicious designer can easily hide a structure in an S-Box.
To keep an advantage in implementation (WB crypto)...... or an advantage in cryptanalysis (backdoor)?
6 / 42
![Page 16: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/16.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
Outline
1 Introduction
2 Overview of S-Box Reverse-Engineering Methods
3 The TU-Decomposition
4 A Decomposition of the 6-bit APN Permutation
5 Conclusion
6 / 42
![Page 17: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/17.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
Plan of this Section
1 Introduction
2 Overview of S-Box Reverse-Engineering MethodsStatistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
3 The TU-Decomposition
4 A Decomposition of the 6-bit APN Permutation
5 Conclusion
6 / 42
![Page 18: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/18.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
The Two Tables
Let S : Fn2 → Fn2 be an S-Box.
Definition (DDT)
The Di�erence Distribution Table of S is a matrix of size 2n × 2n such that
DDT[a,b] = #{x ∈ Fn2 | S (x ⊕ a) ⊕ S (x ) = b}.
Definition (LAT)
The Linear Approximations Table of S is a matrix of size 2n × 2n such that
LAT[a,b] = #{x ∈ Fn2 | x · a = S (x ) · b} − 2n−1 =WS (a,b)
2
7 / 42
![Page 19: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/19.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
The Two Tables
Let S : Fn2 → Fn2 be an S-Box.
Definition (DDT)
The Di�erence Distribution Table of S is a matrix of size 2n × 2n such that
DDT[a,b] = #{x ∈ Fn2 | S (x ⊕ a) ⊕ S (x ) = b}.
Definition (LAT)
The Linear Approximations Table of S is a matrix of size 2n × 2n such that
LAT[a,b] = #{x ∈ Fn2 | x · a = S (x ) · b} − 2n−1 =WS (a,b)
2
7 / 42
![Page 20: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/20.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
The Two Tables
Let S : Fn2 → Fn2 be an S-Box.
Definition (DDT)
The Di�erence Distribution Table of S is a matrix of size 2n × 2n such that
DDT[a,b] = #{x ∈ Fn2 | S (x ⊕ a) ⊕ S (x ) = b}.
Definition (LAT)
The Linear Approximations Table of S is a matrix of size 2n × 2n such that
LAT[a,b] = #{x ∈ Fn2 | x · a = S (x ) · b} − 2n−1 =WS (a,b)
2
7 / 42
![Page 21: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/21.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
Coe�icient Distribution in the DDT
If an n-bit S-Box is bijective, then its DDT coe�icients behave likeindependent and identically distributed random variables following aPoisson distribution:
Pr [DDT[a,b] = 2z] =e−1/2
2zz.
Always even, ≥ 0Typically between 0 and 16 (for n =)
Lower is be�er.
8 / 42
![Page 22: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/22.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
Coe�icient Distribution in the DDT
If an n-bit S-Box is bijective, then its DDT coe�icients behave likeindependent and identically distributed random variables following aPoisson distribution:
Pr [DDT[a,b] = 2z] =e−1/2
2zz.
Always even, ≥ 0Typically between 0 and 16 (for n =)
Lower is be�er.
8 / 42
![Page 23: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/23.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
Coe�icient Distribution in the LAT
If an n-bit S-Box is bijective, then its LAT coe�icients behave likeindependent and identically distributed random variables following thisdistribution:
Pr [LAT[a,b] = 2z] =
(2n−12n−2+z
)(2n2n−1
) .
Always even, signed.
Typically between -40 and 40 (for n = 8).
Lower absolute value is be�er.
9 / 42
![Page 24: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/24.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
Coe�icient Distribution in the LAT
If an n-bit S-Box is bijective, then its LAT coe�icients behave likeindependent and identically distributed random variables following thisdistribution:
Pr [LAT[a,b] = 2z] =
(2n−12n−2+z
)(2n2n−1
) .Always even, signed.
Typically between -40 and 40 (for n = 8).
Lower absolute value is be�er.
9 / 42
![Page 25: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/25.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
Looking Only at the Maximum
δ log2 (Pr [max(D) ≤ δ ])
14 -0.006
12 -0.094
10 -1.329
8 -16.148
6 -164.466
4 -1359.530
DDT
` log2 (Pr [max(L) ≤ `])
38 -0.08436 -0.30234 -1.00832 -3.16030 -9.28828 -25.62326 -66.41524 -161.90022 -371.609
LAT
Probability that the maximum coe�icient in the DDT/LAT of an 8-bitpermutation is at most equal to a certain threshold.
10 / 42
![Page 26: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/26.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
Looking Only at the Maximum
δ log2 (Pr [max(D) ≤ δ ])
14 -0.006
12 -0.094
10 -1.329
8 -16.148
6 -164.466
4 -1359.530
DDT
` log2 (Pr [max(L) ≤ `])
38 -0.08436 -0.30234 -1.00832 -3.16030 -9.28828 -25.62326 -66.41524 -161.90022 -371.609
LAT
Probability that the maximum coe�icient in the DDT/LAT of an 8-bitpermutation is at most equal to a certain threshold.
10 / 42
![Page 27: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/27.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
Taking Number of Maximum Values into AccountProbability (log2)
−70
−60
−50
−40
−30
−20
N28
0 5 10 15 20 25 30 35 40
2
4
5
Pr[max = 28]
Pr[max = 26]
Pr[max = 28, #28 ≤ N28]
11 / 42
![Page 28: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/28.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
Application of this Analysis?
We applied this method on the S-Box of Skipjack.
12 / 42
![Page 29: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/29.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
What is Skipjack?
Type Block cipher
Bloc 64 bits
Key 80 bits
Authors NSA
Publication 1998 (classified at first)
13 / 42
![Page 30: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/30.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
Reverse-Engineering the S-Box of Skipjack
Skipjack uses F , a permutation of F82 with max(LAT) = 28 and #28 = 3.
Probability (log2)
−70
−60
−50
−40
−30
−20
N28
0 5 10 15 20 25 30 35 40
2
4
5
Pr[max = 28]
Pr[max = 26]
Pr[max = 28, #28 ≤ N28]
Pr [max(LAT) = 28 and #28 ≤ 3] ≈ 2−55
14 / 42
![Page 31: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/31.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
Reverse-Engineering the S-Box of Skipjack
Skipjack uses F , a permutation of F82 with max(LAT) = 28 and #28 = 3.Probability (log2)
−70
−60
−50
−40
−30
−20
N28
0 5 10 15 20 25 30 35 40
2
4
5
Pr[max = 28]
Pr[max = 26]
Pr[max = 28, #28 ≤ N28]
Probability (log2)
−70
−60
−50
−40
−30
−20
N28
0 5 10 15 20 25 30 35 40
2
4
5
Pr[max = 28]
Pr[max = 26]
Pr[max = 28, #28 ≤ N28]
Pr [max(LAT) = 28 and #28 ≤ 3] ≈ 2−55
14 / 42
![Page 32: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/32.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
Reverse-Engineering the S-Box of Skipjack
Skipjack uses F , a permutation of F82 with max(LAT) = 28 and #28 = 3.Probability (log2)
−70
−60
−50
−40
−30
−20
N28
0 5 10 15 20 25 30 35 40
2
4
5
Pr[max = 28]
Pr[max = 26]
Pr[max = 28, #28 ≤ N28]
Pr [max(LAT) = 28 and #28 ≤ 3] ≈ 2−55
14 / 42
![Page 33: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/33.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
Reverse-Engineering the S-Box of Skipjack
Skipjack uses F , a permutation of F82 with max(LAT) = 28 and #28 = 3.Probability (log2)
−70
−60
−50
−40
−30
−20
N28
0 5 10 15 20 25 30 35 40
2
4
5
Pr[max = 28]
Pr[max = 26]
Pr[max = 28, #28 ≤ N28]
Pr [max(LAT) = 28 and #28 ≤ 3] ≈ 2−5514 / 42
![Page 34: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/34.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
What Can We Deduce?
F has not been picked uniformly at random.
F has not been picked among a feasibly large set of random S-Boxes.
Its linear properties were optimized (though poorly).
The S-Box of Skipjack was builtusing a dedicated algorithm.
15 / 42
![Page 35: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/35.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
What Can We Deduce?
F has not been picked uniformly at random.
F has not been picked among a feasibly large set of random S-Boxes.
Its linear properties were optimized (though poorly).
The S-Box of Skipjack was builtusing a dedicated algorithm.
15 / 42
![Page 36: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/36.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
Conclusion on Skipjack
F
16 / 42
![Page 37: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/37.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
Conclusion on Skipjack
F
16 / 42
![Page 38: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/38.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
Di�erent Techniques
Statistics
17 / 42
![Page 39: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/39.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
Di�erent Techniques
Ad Hoc
17 / 42
![Page 40: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/40.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
Di�erent Techniques
StructuralA�acks
17 / 42
![Page 41: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/41.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
A�acks Against SPN (1/2)
S0,0 S0,1 ... S0,n/m−1
L0
S1,0 S1,1 ... S1,n/m−1
L1
S2,0 S2,1 ... S2,n/m−1
j 0 0
y j0 y j1 y jn/m−1
Zero sums
⊕2m−1j=0 S2,i (y
ji ) = 0, for all i . Repeat for di�erent constant then solve
system [Biryukov, Shamir, 2001]
18 / 42
![Page 42: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/42.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
A�acks Against SPN (1/2)
S0,0 S0,1 ... S0,n/m−1
L0
S1,0 S1,1 ... S1,n/m−1
L1
S2,0 S2,1 ... S2,n/m−1
j 0 0
y j0 y j1 y jn/m−1
Zero sums
⊕2m−1j=0 S2,i (y
ji ) = 0, for all i . Repeat for di�erent constant then solve
system [Biryukov, Shamir, 2001]
18 / 42
![Page 43: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/43.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
A�acks Against SPN (1/2)
S0,0 S0,1 ... S0,n/m−1
L0
S1,0 S1,1 ... S1,n/m−1
L1
S2,0 S2,1 ... S2,n/m−1
j 0 0
y j0 y j1 y jn/m−1
Zero sums
⊕2m−1j=0 S2,i (y
ji ) = 0, for all i .
Repeat for di�erent constant then solvesystem [Biryukov, Shamir, 2001]
18 / 42
![Page 44: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/44.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
A�acks Against SPN (1/2)
S0,0 S0,1 ... S0,n/m−1
L0
S1,0 S1,1 ... S1,n/m−1
L1
S2,0 S2,1 ... S2,n/m−1
j 0 0
y j0 y j1 y jn/m−1
Zero sums
⊕2m−1j=0 S2,i (y
ji ) = 0, for all i . Repeat for di�erent constant then solve
system [Biryukov, Shamir, 2001] 18 / 42
![Page 45: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/45.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
A�acks Against SPN (2/2)
Works against more than 3 rounds if deg(S (AS )r−1) is low enough.
SPN degree bound
0
20
40
60
80
100
120
Number of rounds
0 1 2 3 4 5 6 7 8
2
Degree Bound (SPN) [Biryukov et al., 2017]
Let σ operate onm bits, deg(σ ) =m − 1, and n be the block size.Rhoughly speaking, deg
(S (AS )r−1
)< n − 1 as long as
(m − 1) br /2c < n .
19 / 42
![Page 46: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/46.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
A�acks Against SPN (2/2)
Works against more than 3 rounds if deg(S (AS )r−1) is low enough.
SPN degree bound
0
20
40
60
80
100
120
Number of rounds
0 1 2 3 4 5 6 7 8
2
Degree Bound (SPN) [Biryukov et al., 2017]
Let σ operate onm bits, deg(σ ) =m − 1, and n be the block size.Rhoughly speaking, deg
(S (AS )r−1
)< n − 1 as long as
(m − 1) br /2c < n .
19 / 42
![Page 47: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/47.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
A�acks Against Feistel Networks
Degree Bound (Feistel Network) [Perrin and Udovenko, 2016]
Let {F i }i<r be permutations of Fn/22 of degree d and let F r (F ) denote ther -round n-bit Feistel Network with round function F i . If
d br /2c−1 + d dr /2e−1 < n ,
then some degree n − 1 terms in the ANF of F r (F ) are missing.
20 / 42
![Page 48: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/48.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
What Does it Take to Have Full Degree?
The degree based distinguishers for SPNs and Feistel networks can be seenas particular cases of this lemma.
LemmaLet F : Fn2 → F2 be a Boolean function and let G : Fn2 → F
n2 be a
permutation. Then:
deg(F ◦G ) = n − 1 =⇒ deg(F ) + deg(G−1) ≥ n .
21 / 42
![Page 49: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/49.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
Outline
1 Introduction
2 Overview of S-Box Reverse-Engineering Methods
3 The TU-Decomposition
4 A Decomposition of the 6-bit APN Permutation
5 Conclusion
21 / 42
![Page 50: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/50.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
Plan of this Section
1 Introduction
2 Overview of S-Box Reverse-Engineering Methods
3 The TU-DecompositionDefinition of the TU-decompositionApplication to the Last Russian Standards
4 A Decomposition of the 6-bit APN Permutation
5 Conclusion
21 / 42
![Page 51: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/51.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
What is the TU-Decomposition?
The TU-decomposition is a decomposition algorithm working against vastgroups of algorithms: 3-round Feistel, Dillon’s APN permutation, SAS, ...
S TU-decompositionT
U
µ
η
T and U are mini-block ciphers ; µ and η are linear permutations.22 / 42
![Page 52: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/52.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
TU-Decomposition in a Nutshell
Let L be the LAT of the target S : Fn2 → Fn2 .
1 Identify vector spacesU andV of dimensionn/2 such that:
L (a,b) = 0, ∀(a,b) ∈ U ×V .
2 Deduce linear permutations µ ′ and η′ such that
L (µ ′(a),η′(b)) = 0, ∀(a,b) ∈ Fn/22 × Fn/22
3 Built new LAT L ′ such that
L ′(a,b) = L (µ ′(a),η′(b))
and recover S ′ with LAT L ′. Deduce µ,η.
T
U
µ
η
S’
23 / 42
![Page 53: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/53.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
TU-Decomposition in a Nutshell
Let L be the LAT of the target S : Fn2 → Fn2 .
1 Identify vector spacesU andV of dimensionn/2 such that:
L (a,b) = 0, ∀(a,b) ∈ U ×V .
2 Deduce linear permutations µ ′ and η′ such that
L (µ ′(a),η′(b)) = 0, ∀(a,b) ∈ Fn/22 × Fn/22
3 Built new LAT L ′ such that
L ′(a,b) = L (µ ′(a),η′(b))
and recover S ′ with LAT L ′. Deduce µ,η.
T
U
µ
η
S’
23 / 42
![Page 54: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/54.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
TU-Decomposition in a Nutshell
Let L be the LAT of the target S : Fn2 → Fn2 .
1 Identify vector spacesU andV of dimensionn/2 such that:
L (a,b) = 0, ∀(a,b) ∈ U ×V .
2 Deduce linear permutations µ ′ and η′ such that
L (µ ′(a),η′(b)) = 0, ∀(a,b) ∈ Fn/22 × Fn/22
3 Built new LAT L ′ such that
L ′(a,b) = L (µ ′(a),η′(b))
and recover S ′ with LAT L ′. Deduce µ,η.
T
U
µ
η
S’
23 / 42
![Page 55: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/55.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
TU-Decomposition in a Nutshell
Let L be the LAT of the target S : Fn2 → Fn2 .
1 Identify vector spacesU andV of dimensionn/2 such that:
L (a,b) = 0, ∀(a,b) ∈ U ×V .
2 Deduce linear permutations µ ′ and η′ such that
L (µ ′(a),η′(b)) = 0, ∀(a,b) ∈ Fn/22 × Fn/22
3 Built new LAT L ′ such that
L ′(a,b) = L (µ ′(a),η′(b))
and recover S ′ with LAT L ′. Deduce µ,η.
T
U
µ
η
S’
23 / 42
![Page 56: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/56.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
TU-Decomposition in a Nutshell
Let L be the LAT of the target S : Fn2 → Fn2 .
1 Identify vector spacesU andV of dimensionn/2 such that:
L (a,b) = 0, ∀(a,b) ∈ U ×V .
2 Deduce linear permutations µ ′ and η′ such that
L (µ ′(a),η′(b)) = 0, ∀(a,b) ∈ Fn/22 × Fn/22
3 Built new LAT L ′ such that
L ′(a,b) = L (µ ′(a),η′(b))
and recover S ′ with LAT L ′. Deduce µ,η.
T
U
µ
η
S’
23 / 42
![Page 57: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/57.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
Bootstrapping TU-Decomposition
OK... But how do we findU andV?
For now: we just look at the LAT and hope for the best!
24 / 42
![Page 58: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/58.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
Bootstrapping TU-Decomposition
OK... But how do we findU andV?
For now: we just look at the LAT and hope for the best!
24 / 42
![Page 59: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/59.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
Kuznyechik/Stribog
Stribog
Type Hash function
Publication [GOST, 2012]
Kuznyechik
Type Block cipher
Publication [GOST, 2015]
Common ground
Both are standard symmetric primitives in Russia.
Both were designed by the FSB (TC26).
Both use the same 8 × 8 S-Box, π .
25 / 42
![Page 60: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/60.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
Kuznyechik/Stribog
Stribog
Type Hash function
Publication [GOST, 2012]
Kuznyechik
Type Block cipher
Publication [GOST, 2015]
Common ground
Both are standard symmetric primitives in Russia.
Both were designed by the FSB (TC26).
Both use the same 8 × 8 S-Box, π .25 / 42
![Page 61: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/61.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
The LAT of the S-Box of Kuznyechik
26 / 42
![Page 62: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/62.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
Applying one Linear Layer
27 / 42
![Page 63: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/63.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
Applying two Linear Layers
28 / 42
![Page 64: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/64.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
Final Decomposition Number 1
ω
σ
ϕ �
ν1ν0
I�
α
T
U
� Multiplication in F24
α Linear permutation
I Inversion in F24
ν0,ν1,σ 4 × 4 permutations
ϕ 4 × 4 function
ω Linear permutation
29 / 42
![Page 65: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/65.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
Final Decomposition Number 1
ω
σ
ϕ �
ν1ν0
I�
αT
U
� Multiplication in F24
α Linear permutation
I Inversion in F24
ν0,ν1,σ 4 × 4 permutations
ϕ 4 × 4 function
ω Linear permutation
29 / 42
![Page 66: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/66.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
Conclusion for Kuznyechik/Stribog?
The Russian S-Box was built like astrange Feistel...
... or was it?
Belarussian inspiration
The last standard of Belarus [Bel. St. Univ., 2011] uses an 8-bit S-box,
somewhat similar to π ...
... based on a finite field exponential!
30 / 42
![Page 67: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/67.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
Conclusion for Kuznyechik/Stribog?
The Russian S-Box was built like astrange Feistel...
... or was it?
Belarussian inspiration
The last standard of Belarus [Bel. St. Univ., 2011] uses an 8-bit S-box,
somewhat similar to π ...
... based on a finite field exponential!
30 / 42
![Page 68: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/68.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
Conclusion for Kuznyechik/Stribog?
The Russian S-Box was built like astrange Feistel...
... or was it?
Belarussian inspiration
The last standard of Belarus [Bel. St. Univ., 2011] uses an 8-bit S-box,
somewhat similar to π ...
... based on a finite field exponential!
30 / 42
![Page 69: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/69.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
Conclusion for Kuznyechik/Stribog?
The Russian S-Box was built like astrange Feistel...
... or was it?
Belarussian inspiration
The last standard of Belarus [Bel. St. Univ., 2011] uses an 8-bit S-box,
somewhat similar to π ...
... based on a finite field exponential!
30 / 42
![Page 70: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/70.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
Final Decomposition Number 2 (!)
ω ′
⊗−1
�
q′
logw,16
T
0 1 2 3 4 5 6 7 8 9 a b c d e fT0 0 1 2 3 4 5 6 7 8 9 a b c d e fT1 0 1 2 3 4 5 6 7 8 9 a b c d e fT2 0 1 2 3 4 5 6 7 8 9 a b c d f eT3 0 1 2 3 4 5 6 7 8 9 a b c f d eT4 0 1 2 3 4 5 6 7 8 9 a b f c d eT5 0 1 2 3 4 5 6 7 8 9 a f b c d eT6 0 1 2 3 4 5 6 7 8 9 f a b c d eT7 0 1 2 3 4 5 6 7 8 f 9 a b c d eT8 0 1 2 3 4 5 6 7 f 8 9 a b c d eT9 0 1 2 3 4 5 6 f 7 8 9 a b c d eTa 0 1 2 3 4 5 f 6 7 8 9 a b c d eTb 0 1 2 3 4 f 5 6 7 8 9 a b c d eTc 0 1 2 3 f 4 5 6 7 8 9 a b c d eTd 0 1 2 f 3 4 5 6 7 8 9 a b c d eTe 0 1 f 2 3 4 5 6 7 8 9 a b c d eTf 0 f 1 2 3 4 5 6 7 8 9 a b c d e
31 / 42
![Page 71: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/71.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
Final Decomposition Number 2 (!)
ω ′
⊗−1
�
q′
logw,16
T
0 1 2 3 4 5 6 7 8 9 a b c d e fT0 0 1 2 3 4 5 6 7 8 9 a b c d e fT1 0 1 2 3 4 5 6 7 8 9 a b c d e fT2 0 1 2 3 4 5 6 7 8 9 a b c d f eT3 0 1 2 3 4 5 6 7 8 9 a b c f d eT4 0 1 2 3 4 5 6 7 8 9 a b f c d eT5 0 1 2 3 4 5 6 7 8 9 a f b c d eT6 0 1 2 3 4 5 6 7 8 9 f a b c d eT7 0 1 2 3 4 5 6 7 8 f 9 a b c d eT8 0 1 2 3 4 5 6 7 f 8 9 a b c d eT9 0 1 2 3 4 5 6 f 7 8 9 a b c d eTa 0 1 2 3 4 5 f 6 7 8 9 a b c d eTb 0 1 2 3 4 f 5 6 7 8 9 a b c d eTc 0 1 2 3 f 4 5 6 7 8 9 a b c d eTd 0 1 2 f 3 4 5 6 7 8 9 a b c d eTe 0 1 f 2 3 4 5 6 7 8 9 a b c d eTf 0 f 1 2 3 4 5 6 7 8 9 a b c d e
31 / 42
![Page 72: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/72.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
Conclusion on Kuznyechik/Stribog
π
32 / 42
![Page 73: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/73.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
Conclusion on Kuznyechik/Stribog
π
32 / 42
![Page 74: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/74.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
Conclusion on Kuznyechik/Stribog
π
32 / 42
![Page 75: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/75.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
Conclusion on Kuznyechik/Stribog
π
?
32 / 42
![Page 76: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/76.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
The Big APN Problem and its Only Known SolutionsOn Bu�erflies
Outline
1 Introduction
2 Overview of S-Box Reverse-Engineering Methods
3 The TU-Decomposition
4 A Decomposition of the 6-bit APN Permutation
5 Conclusion
32 / 42
![Page 77: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/77.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
The Big APN Problem and its Only Known SolutionsOn Bu�erflies
Plan of this Section
1 Introduction
2 Overview of S-Box Reverse-Engineering Methods
3 The TU-Decomposition
4 A Decomposition of the 6-bit APN PermutationThe Big APN Problem and its Only Known SolutionsOn Bu�erflies
5 Conclusion
32 / 42
![Page 78: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/78.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
The Big APN Problem and its Only Known SolutionsOn Bu�erflies
The Big APN Problem
Definition (APN function)
A function f : Fn2 → Fn2 is Almost Perfect Non-linear (APN) if
f (x ⊕ a) ⊕ f (x ) = b
has 0 or 2 solutions for all a , 0 and for all b.
Big APN Problem
Are there APN permutations operating on Fn2 where n is even?
33 / 42
![Page 79: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/79.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
The Big APN Problem and its Only Known SolutionsOn Bu�erflies
The Big APN Problem
Definition (APN function)
A function f : Fn2 → Fn2 is Almost Perfect Non-linear (APN) if
f (x ⊕ a) ⊕ f (x ) = b
has 0 or 2 solutions for all a , 0 and for all b.
Big APN Problem
Are there APN permutations operating on Fn2 where n is even?
33 / 42
![Page 80: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/80.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
The Big APN Problem and its Only Known SolutionsOn Bu�erflies
Dillon et al.’s Permutation
Only One Known Solution!
For n = 6, Dillon et al. found an APN permutation.
It is possible to make a TU-decomposition!
34 / 42
![Page 81: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/81.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
The Big APN Problem and its Only Known SolutionsOn Bu�erflies
Dillon et al.’s Permutation
Only One Known Solution!
For n = 6, Dillon et al. found an APN permutation.
It is possible to make a TU-decomposition!
34 / 42
![Page 82: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/82.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
The Big APN Problem and its Only Known SolutionsOn Bu�erflies
Dillon et al.’s Permutation
Only One Known Solution!
For n = 6, Dillon et al. found an APN permutation.
It is possible to make a TU-decomposition!
34 / 42
![Page 83: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/83.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
The Big APN Problem and its Only Known SolutionsOn Bu�erflies
Dillon et al.’s Permutation
Only One Known Solution!
For n = 6, Dillon et al. found an APN permutation.
It is possible to make a TU-decomposition!
34 / 42
![Page 84: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/84.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
The Big APN Problem and its Only Known SolutionsOn Bu�erflies
On the Bu�erfly Structure
βx3
x1/3
�α
⊕
⊕
βx3
x3
�α
⊕
⊕
T
U
Definition (Open Bu�erfly H3α ,β
)
This permutation is an open bu�erfly.
LemmaDillon’s permutation is a�ine-equivalentto H3
w,1, where Tr (w ) = 0.
35 / 42
![Page 85: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/85.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
The Big APN Problem and its Only Known SolutionsOn Bu�erflies
On the Bu�erfly Structure
βx3
x1/3
�α
⊕
⊕
βx3
x3
�α
⊕
⊕
T
U
Definition (Open Bu�erfly H3α ,β
)
This permutation is an open bu�erfly.
LemmaDillon’s permutation is a�ine-equivalentto H3
w,1, where Tr (w ) = 0.
35 / 42
![Page 86: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/86.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
The Big APN Problem and its Only Known SolutionsOn Bu�erflies
CCZ-equivalence (1/2)
Definition (CCZ-equivalence)
Let F and G be functions of Fn2 . They are CCZ-equivalent if there exists alinear permutation L of Fn2 × F
n2 such that
{(x , F (x )
),∀x ∈ Fn2
}=
{L(x ,G (x )
),∀x ∈ Fn2
}
Properties
CCZ-equivalence preserves:
the distribution of the coe�icients in the LAT (Walsh spectrum),
the distribution of the coe�icients in the DDT.
It does not preserve:
the position of the DDT/LAT coe�icients
the algebraic degree.
36 / 42
![Page 87: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/87.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
The Big APN Problem and its Only Known SolutionsOn Bu�erflies
CCZ-equivalence (1/2)
Definition (CCZ-equivalence)
Let F and G be functions of Fn2 . They are CCZ-equivalent if there exists alinear permutation L of Fn2 × F
n2 such that
{(x , F (x )
),∀x ∈ Fn2
}=
{L(x ,G (x )
),∀x ∈ Fn2
}
Properties
CCZ-equivalence preserves:
the distribution of the coe�icients in the LAT (Walsh spectrum),
the distribution of the coe�icients in the DDT.
It does not preserve:
the position of the DDT/LAT coe�icients
the algebraic degree.36 / 42
![Page 88: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/88.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
The Big APN Problem and its Only Known SolutionsOn Bu�erflies
Closed Bu�erflies
�α
⊕
x3
βx3 ⊕
�α
⊕
x3
βx3 ⊕
Definition (Closed bu�erfly V3α ,β
)
This quadratic function is a closedbu�erfly.
Lemma (Equivalence)
Open and closed bu�erflies with the sameparameters are CCZ-equivalent.
37 / 42
![Page 89: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/89.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
The Big APN Problem and its Only Known SolutionsOn Bu�erflies
Closed Bu�erflies
�α
⊕
x3
βx3 ⊕
�α
⊕
x3
βx3 ⊕
Definition (Closed bu�erfly V3α ,β
)
This quadratic function is a closedbu�erfly.
Lemma (Equivalence)
Open and closed bu�erflies with the sameparameters are CCZ-equivalent.
37 / 42
![Page 90: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/90.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
The Big APN Problem and its Only Known SolutionsOn Bu�erflies
Bu�erflies and Feistel Networks
When α = 1, bu�erflies can be greatly simplified.
βx3⊕
x1/3 ⊕
βx3⊕
βx3 x3 βx3
⊕
⊕⊕
38 / 42
![Page 91: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/91.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
The Big APN Problem and its Only Known SolutionsOn Bu�erflies
Some Properties of Bu�erflies
Theorem (Properties of bu�erflies [Canteaut et al., 2017])Let V3
α ,β and H3α ,β be bu�erflies operating on 2n bits, n odd. Then:
deg(V3α ,β
)= 2,
if n = 3, Tr (α ) = 0 and β + α 3 ∈ {α, 1/α }, thenmax(DDT ) = 2, max(W ) = 2n+1 and deg
(H3α ,β
)= n + 1 ,
if β = (1 + α )3, thenmax(DDT ) = 2n+1, max(W ) = 2(3n+1)/2 and deg
(H3α ,β
)= n ,
otherwise,
max(DDT ) = 4, max(W ) = 2n+1 and deg(H3α ,β
)∈ {n, n + 1}
and deg(H3α ,β
)= n if and only if
1 + α β + α 4 = (β + α + α 3)2 .
39 / 42
![Page 92: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/92.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Conclusion
Outline
1 Introduction
2 Overview of S-Box Reverse-Engineering Methods
3 The TU-Decomposition
4 A Decomposition of the 6-bit APN Permutation
5 Conclusion
39 / 42
![Page 93: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/93.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Conclusion
Plan of this Section
1 Introduction
2 Overview of S-Box Reverse-Engineering Methods
3 The TU-Decomposition
4 A Decomposition of the 6-bit APN Permutation
5 Conclusion
39 / 42
![Page 94: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/94.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Conclusion
Conclusion
We can recover the majority of known S-Box structuresand derive new results about Skipjack and Kuznyechik.
We can generalize the permutation of Dillon et al...
but we can prove that our generalizations are never APN(except in the known case).
There are still S-Boxes with unknown building strategies(CMEA, CSS)!
40 / 42
![Page 95: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/95.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Conclusion
Conclusion
We can recover the majority of known S-Box structuresand derive new results about Skipjack and Kuznyechik.
We can generalize the permutation of Dillon et al...
but we can prove that our generalizations are never APN(except in the known case).
There are still S-Boxes with unknown building strategies(CMEA, CSS)!
40 / 42
![Page 96: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/96.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Conclusion
Conclusion
We can recover the majority of known S-Box structuresand derive new results about Skipjack and Kuznyechik.
We can generalize the permutation of Dillon et al...
but we can prove that our generalizations are never APN(except in the known case).
There are still S-Boxes with unknown building strategies(CMEA, CSS)!
40 / 42
![Page 97: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/97.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Conclusion
Conclusion
We can recover the majority of known S-Box structuresand derive new results about Skipjack and Kuznyechik.
We can generalize the permutation of Dillon et al...
but we can prove that our generalizations are never APN(except in the known case).
There are still S-Boxes with unknown building strategies(CMEA, CSS)!
40 / 42
![Page 98: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/98.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Conclusion
The Last S-Box
14 11 60 6d e9 10 e3 2 b 90 d 17 c5 b0 9f c5d8 da be 22 8 f3 4 a9 fe f3 f5 fc bc 30 be 26bb 88 85 46 f4 2e e fd 76 fe b0 11 4e de 35 bb30 4b 30 d6 dd df df d4 90 7a d8 8c 6a 89 30 39e9 1 da d2 85 87 d3 d4 ba 2b d4 9f 9c 38 8c 55d3 86 bb db ec e0 46 48 bf 46 1b 1c d7 d9 1b e023 d4 d7 7f 16 3f 3 3 44 c3 59 10 2a da ed e98e d8 d1 db cb cb c3 c7 38 22 34 3d db 85 23 7c24 d1 d8 2e fc 44 8 38 c8 c7 39 4c 5f 56 2a cfd0 e9 d2 68 e4 e3 e9 13 e2 c 97 e4 60 29 d7 9bd9 16 24 94 b3 e3 4c 4c 4f 39 e0 4b bc 2c d3 9481 96 93 84 91 d0 2e d6 d2 2b 78 ef d6 9e 7b 72ad c4 68 92 7a d2 5 2b 1e d0 dc b1 22 3f c3 c388 b1 8d b5 e3 4e d7 81 3 15 17 25 4e 65 88 4ee4 3b 81 81 fa 1 1d 4 22 0 6 1 27 68 27 2e3b 83 c7 cc 25 9b d8 d5 1c 1f e5 59 7f 3f 3f ef
41 / 42
![Page 99: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/99.jpg)
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Conclusion
42 / 42
![Page 100: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/100.jpg)
AppendixBibliography Back-Up Slides
Details About SkipjackN
um
ber
of
occ
urr
ence
s (l
og s
cale
)
100
200
300
Absolute value of the coe�cients in the LAT
22 23 24 25 26 27 28
1 / 4
![Page 101: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/101.jpg)
AppendixBibliography Back-Up Slides
Proof of Full Degree Condition
If deg(F ◦G ) = n − 1, then ∃i ≤ n such that⊕
x ∈Ci (F ◦G ) (x ) = 1.
Let Ii : Fn2 → F2 be such that Ii (x ) = 1⇔ x ∈ Ci :⊕x ∈Ci
(F ◦G ) (x ) =⊕x ∈Fn2
F(G (x )
)× Ii (x ) ,
and let y = G (x ). Then:⊕x ∈Ci
(F ◦G ) (x ) =⊕y∈Fn2
F (y) × Ii(G−1 (y)
).
This sum is equal to 1 if and only if x 7→ F (x ) × Ii(G−1 (x )
)has degree n.
Ii is a�ine (Ii (x ) = 1 + xi ). Thus, the sum can be equal to 1 only if
deg(F ) + deg(G−1) ≥ n .
�
2 / 4
![Page 102: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/102.jpg)
AppendixBibliography Back-Up Slides
Proof of Full Degree Condition
If deg(F ◦G ) = n − 1, then ∃i ≤ n such that⊕
x ∈Ci (F ◦G ) (x ) = 1.
Let Ii : Fn2 → F2 be such that Ii (x ) = 1⇔ x ∈ Ci :⊕x ∈Ci
(F ◦G ) (x ) =⊕x ∈Fn2
F(G (x )
)× Ii (x ) ,
and let y = G (x ). Then:⊕x ∈Ci
(F ◦G ) (x ) =⊕y∈Fn2
F (y) × Ii(G−1 (y)
).
This sum is equal to 1 if and only if x 7→ F (x ) × Ii(G−1 (x )
)has degree n.
Ii is a�ine (Ii (x ) = 1 + xi ). Thus, the sum can be equal to 1 only if
deg(F ) + deg(G−1) ≥ n .
�
2 / 4
![Page 103: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/103.jpg)
AppendixBibliography Back-Up Slides
Proof of Full Degree Condition
If deg(F ◦G ) = n − 1, then ∃i ≤ n such that⊕
x ∈Ci (F ◦G ) (x ) = 1.
Let Ii : Fn2 → F2 be such that Ii (x ) = 1⇔ x ∈ Ci :⊕x ∈Ci
(F ◦G ) (x ) =⊕x ∈Fn2
F(G (x )
)× Ii (x ) ,
and let y = G (x ). Then:⊕x ∈Ci
(F ◦G ) (x ) =⊕y∈Fn2
F (y) × Ii(G−1 (y)
).
This sum is equal to 1 if and only if x 7→ F (x ) × Ii(G−1 (x )
)has degree n.
Ii is a�ine (Ii (x ) = 1 + xi ). Thus, the sum can be equal to 1 only if
deg(F ) + deg(G−1) ≥ n .
�
2 / 4
![Page 104: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/104.jpg)
AppendixBibliography Back-Up Slides
Proof of Full Degree Condition
If deg(F ◦G ) = n − 1, then ∃i ≤ n such that⊕
x ∈Ci (F ◦G ) (x ) = 1.
Let Ii : Fn2 → F2 be such that Ii (x ) = 1⇔ x ∈ Ci :⊕x ∈Ci
(F ◦G ) (x ) =⊕x ∈Fn2
F(G (x )
)× Ii (x ) ,
and let y = G (x ). Then:⊕x ∈Ci
(F ◦G ) (x ) =⊕y∈Fn2
F (y) × Ii(G−1 (y)
).
This sum is equal to 1 if and only if x 7→ F (x ) × Ii(G−1 (x )
)has degree n.
Ii is a�ine (Ii (x ) = 1 + xi ). Thus, the sum can be equal to 1 only if
deg(F ) + deg(G−1) ≥ n .
�
2 / 4
![Page 105: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/105.jpg)
AppendixBibliography Back-Up Slides
Proof of Full Degree Condition
If deg(F ◦G ) = n − 1, then ∃i ≤ n such that⊕
x ∈Ci (F ◦G ) (x ) = 1.
Let Ii : Fn2 → F2 be such that Ii (x ) = 1⇔ x ∈ Ci :⊕x ∈Ci
(F ◦G ) (x ) =⊕x ∈Fn2
F(G (x )
)× Ii (x ) ,
and let y = G (x ). Then:⊕x ∈Ci
(F ◦G ) (x ) =⊕y∈Fn2
F (y) × Ii(G−1 (y)
).
This sum is equal to 1 if and only if x 7→ F (x ) × Ii(G−1 (x )
)has degree n.
Ii is a�ine (Ii (x ) = 1 + xi ).
Thus, the sum can be equal to 1 only if
deg(F ) + deg(G−1) ≥ n .
�
2 / 4
![Page 106: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/106.jpg)
AppendixBibliography Back-Up Slides
Proof of Full Degree Condition
If deg(F ◦G ) = n − 1, then ∃i ≤ n such that⊕
x ∈Ci (F ◦G ) (x ) = 1.
Let Ii : Fn2 → F2 be such that Ii (x ) = 1⇔ x ∈ Ci :⊕x ∈Ci
(F ◦G ) (x ) =⊕x ∈Fn2
F(G (x )
)× Ii (x ) ,
and let y = G (x ). Then:⊕x ∈Ci
(F ◦G ) (x ) =⊕y∈Fn2
F (y) × Ii(G−1 (y)
).
This sum is equal to 1 if and only if x 7→ F (x ) × Ii(G−1 (x )
)has degree n.
Ii is a�ine (Ii (x ) = 1 + xi ). Thus, the sum can be equal to 1 only if
deg(F ) + deg(G−1) ≥ n .
�2 / 4
![Page 107: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/107.jpg)
AppendixBibliography
Bibliography I
Bel. St. Univ. (2011).“Information technologies. Data protection. Cryptographic algorithms for encryptionand integrity control.”.State Standard of Republic of Belarus (STB 34.101.31-2011).http://apmi.bsu.by/assets/files/std/belt-spec27.pdf.
Biryukov, A., Khovratovich, D., and Perrin, L. (2017).Multiset-algebraic cryptanalysis of reduced Kuznyechik, Khazad, and secret SPNs.IACR Transactions on Symmetric Cryptology, 2016(2):226–247.
Canteaut, A., Duval, S., and Perrin, L. (2017).A generalisation of Dillon’s APN permutation with the best known di�erential andnonlinear properties for all fields of size 24k+2.IEEE Transactions on Information Theory, (to appear).
GOST (2012).Gost r 34.11-2012: Streebog hash function.https://www.streebog.net/.
3 / 4
![Page 108: On S-Box Reverse-Engineering: from Cryptanalysis to the](https://reader033.vdocuments.net/reader033/viewer/2022042914/626a3ed350cda504265f77f5/html5/thumbnails/108.jpg)
AppendixBibliography
Bibliography II
GOST (2015).
(GOST R 34.12–2015) information technology – cryptographic data security – blockciphers.
http://tc26.ru/en/standard/gost/GOST_R_34_12_2015_ENG.pdf.
Perrin, L. and Udovenko, A. (2016).
Algebraic insights into the secret feistel network.
In Peyrin, T., editor, Fast So�ware Encryption – FSE 2016, volume 9783 of Lecture Notes inComputer Science, pages 378–398. Springer, Heidelberg.
4 / 4