on reverse-engineering s-boxes · biryukov, perrin, udovenko on reverse-engineering s-boxes 15 /...

On Reverse-Engineering S-Boxes

Alex Biryukov1, Léo Perrin1, Aleksei Udovenko1

1SnT, University of Luxembourg

https://www.cryptolux.org

March 28, 2017CryptoAction Symposium 2017

https://www.cryptolux.org

Introduction

S-Box?

An S-Box is a small non-linear function mapping m bits to nusually specified via its look-up table.

Typically, m = n, n ∈ {4, 8}

Used by many block ciphers/hash functions/stream ciphers.

Necessary for the wide trail strategy.

Biryukov, Perrin, Udovenko On Reverse-Engineering S-Boxes 1 / 28

Introduction

Example

Screen capture from [GOST, 2015].


Introduction

S-Box Design

AES→←Whirlpool

← Scream


Introduction

S-Box Reverse-Engineering

s


Introduction

S-Box Reverse-Engineering

s?

?

?


Talk Outline

Outline

1 Introduction

2 Mathematical Background

3 Detailed Analysis of the Two Tables

4 TU-Decomposition

5 Conclusion


Introduction Mathematical Background Detailed Analysis of the Two Tables TU-Decomposition Conclusion

Plan

1 Introduction

2 Mathematical BackgroundThe Two TablesCoe�icients Distribution


4 TU-Decomposition

5 Conclusion



The Two Tables

Let S : Fn2 → F

n2 be an S-Box.

Definition (DDT)

The Di�erence Distribution Table of f is a matrix of size 2n × 2n suchthat

DDT[a, b] = #{x ∈ Fn2 | S (x ⊕ a) ⊕ S (x ) = b}.

Definition (LAT)

The Linear Approximations Table of S is a matrix of size 2n × 2n suchthat

LAT[a, b] = #{x ∈ Fn2 | x · a = S (x ) · b} − 2n−1.



Example

S = [4, 2, 1, 6, 0, 5, 7, 3]

The DDT of S.

8 0 0 0 0 0 0 00 0 0 0 2 2 2 20 0 0 0 2 2 2 20 0 4 4 0 0 0 00 0 0 0 2 2 2 20 4 4 0 0 0 0 00 4 0 4 0 0 0 00 0 0 0 2 2 2 2

The LAT of S.

4 0 0 0 0 0 0 00 0 2 2 0 0 2 −20 2 2 0 0 2 −2 00 2 0 2 0 −2 0 20 2 0 −2 0 −2 0 −20 −2 2 0 0 −2 −2 00 0 −2 2 0 0 −2 −20 0 0 0 −4 0 0 0



Coe�icient Distribution in the DDT

If an n-bit S-Box is bijective, then its DDT coe�icients behave likeindependent and identically distributed random variables followinga Poisson distribution:

Pr [DDT[a, b] = 2z] =e−1/2

2zz.



Coe�icient Distribution in the LAT

If an n-bit S-Box is bijective, then its LAT coe�icients behave likeindependent and identically distributed random variables followingthis distribution:

Pr [LAT[a, b] = 2z] =

(2n−1

2n−2+z

)(2n

2n−1

) .



Plan

1 Introduction


3 Detailed Analysis of the Two TablesMaximum Values in the TablesApplication to Skipjack

4 TU-Decomposition

5 Conclusion



Looking Only at the Maximum

δ log2 (Pr [max(D) ≤ δ ])

4 -1359.530

6 -164.466

8 -16.148

10 -1.329

12 -0.094

14 -0.006

DDT

` log2 (Pr [max(L) ≤ `])

22 -371.60924 -161.90026 -66.41528 -25.62330 -9.28832 -3.16034 -1.00836 -0.30238 -0.084

LATProbability that the maximum coe�icient in the DDT/LAT of an

8-bit permutation is at most equal to a certain threshold.



Taking Number of Maximum Values into Account

−160

−140

−120

−100

−80

−60

−40

−20

0

N30

0 5 10 15

Probability (log2)

−160

−140

−120

−100

−80

−60

−40

−20

0

N26

0 10 20 30 40 50 60 70

2

3

4

5

6

−160

−140

−120

−100

−80

−60

−40

−20

0

N28

0 10 20 30

Pr [max(LAT) = 24], Pr [max(LAT) = 26], Pr [max(LAT) = 28], Pr [max(LAT) = 30]



What is Skipjack? (1/2)

Type Block cipher

Bloc 64 bits

Key 80 bits

Authors NSA

Publication 1998



What is Skipjack? (2/2)

Skipjack was supposed to be secret...

... but eventually published in 1998 [National Security Agency, 1998],

It uses a 8 × 8 S-Box (F ) specified only by its LUT,

Skipjack was to be used by the Clipper Chip.



Reverse-Engineering F

For Skipjack, max(LAT) = 28 and #28 = 3.

−160

−140

−120

−100

−80

−60

−40

−20

0

N30

0 5 10 15

−160

−140

−120

−100

−80

−60

−40

−20

0

N28

0 10 20 30

Probability (log2)

−160

−140

−120

−100

−80

−60

−40

−20

0

N26

0 10 20 30 40 50 60 70

2

3

4

5

6

Pr [max(LAT) = 28 and #28 = 3] ≈ 2−55





−160

−140

−120

−100

−80

−60

−40

−20

0

N30

0 5 10 15

Probability (log2)

−160

−140

−120

−100

−80

−60

−40

−20

0

N26

0 10 20 30 40 50 60 70

2

3

4

5

6

−160

−140

−120

−100

−80

−60

−40

−20

0

N28

0 10 20 30

−160

−140

−120

−100

−80

−60

−40

−20

0

N30

0 5 10 15

−160

−140

−120

−100

−80

−60

−40

−20

0

N28

0 10 20 30

Probability (log2)

−160

−140

−120

−100

−80

−60

−40

−20

0

N26

0 10 20 30 40 50 60 70

2

3

4

5

6

Pr [max(LAT) = 28 and #28 = 3] ≈ 2−55





−160

−140

−120

−100

−80

−60

−40

−20

0

N30

0 5 10 15

−160

−140

−120

−100

−80

−60

−40

−20

0

N28

0 10 20 30

Probability (log2)

−160

−140

−120

−100

−80

−60

−40

−20

0

N26

0 10 20 30 40 50 60 70

2

3

4

5

6

Pr [max(LAT) = 28 and #28 = 3] ≈ 2−55



What Can We Deduce?

F has not been picked uniformly at random.

F has not been picked among a feasibly large set of randomS-Boxes.

Its linear properties were optimized (though poorly).

The S-Box of Skipjack was builtusing a dedicated algorithm.



Conclusion for Skipjack

F



Plan

1 Introduction



4 TU-DecompositionPrincipleResults on Kuznyechik/Streebog

5 Conclusion



TU-Decomposition in a Nutshell

1 Identify linear pa�erns in zeroes ofLAT;

2 Deduce linear layers µ,η such thatπ is decomposed as in right picture;

3 Decompose U, T ;

4 Put it all together.

T

U

µ

η



Kuznyechik/Stribog

Stribog

Type Hash function

Publication [GOST, 2012]

Kuznyechik

Type Block cipher

Publication [GOST, 2015]

Common ground

Both are standard symmetric primitives in Russia.

Both were designed by the FSB (TC26).

Both use the same 8 × 8 S-Box, π .



The LAT of π



The LAT of η ◦ π ◦ µ



Final Decomposition Number 1

ω

σ

ϕ �

ν1ν0

I�

α

� Multiplication inF24

α Linear permutation

I Inversion in F24

ν0,ν1,σ 4 × 4 permutations

ϕ 4 × 4 function

ω Linear permutation

P[ν1 (x ⊕ 0x9) ⊕ ν1 (x ) = 0x2] = 1



Final Decomposition Number 1

ω

σ

ϕ �

ν1ν0

I�

α

� Multiplication inF24

α Linear permutation

I Inversion in F24

ν0,ν1,σ 4 × 4 permutations

ϕ 4 × 4 function

ω Linear permutation

P[ν1 (x ⊕ 0x9) ⊕ ν1 (x ) = 0x2] = 1Biryukov, Perrin, Udovenko On Reverse-Engineering S-Boxes 21 / 28


Conclusion for Kuznyechik/Stribog?

The Russian S-Box was built like astrange Feistel...

... or was it?

Belarussian inspiration

The last standard of Belarus [STB 34.101.31-2011, 2011] uses an8-bit S-box,

somewhat similar to π ...

... based on a finite field exponential!

Exponential in π

π ◦ exp

has max(DDT ) = 128 (Pr < 2−340) and a TU-decomposition!



Final Decomposition Number 2 (!)

ω ′

⊗−1

�

q′

logw,16

T

0 1 2 3 4 5 6 7 8 9 a b c d e fT0 0 1 2 3 4 5 6 7 8 9 a b c d e fT1 0 1 2 3 4 5 6 7 8 9 a b c d e fT2 0 1 2 3 4 5 6 7 8 9 a b c d f eT3 0 1 2 3 4 5 6 7 8 9 a b c f d eT4 0 1 2 3 4 5 6 7 8 9 a b f c d eT5 0 1 2 3 4 5 6 7 8 9 a f b c d eT6 0 1 2 3 4 5 6 7 8 9 f a b c d eT7 0 1 2 3 4 5 6 7 8 f 9 a b c d eT8 0 1 2 3 4 5 6 7 f 8 9 a b c d eT9 0 1 2 3 4 5 6 f 7 8 9 a b c d eTa 0 1 2 3 4 5 f 6 7 8 9 a b c d eTb 0 1 2 3 4 f 5 6 7 8 9 a b c d eTc 0 1 2 3 f 4 5 6 7 8 9 a b c d eTd 0 1 2 f 3 4 5 6 7 8 9 a b c d eTe 0 1 f 2 3 4 5 6 7 8 9 a b c d eTf 0 f 1 2 3 4 5 6 7 8 9 a b c d e



Conclusion on Kuznyechik/Stribog

πFeistel-like

Exponential-like



Conclusion on Kuznyechik/Stribog

Feistel-like

Exponential-like ?? ???



Plan

1 Introduction



4 TU-Decomposition

5 Conclusion



For More Information (1/2)

Theoretical background + S-Box of Skipjack

Biryukov, A. and Perrin, L. (2015). On Reverse-Engineering S-Boxes with HiddenDesign Criteria or Structure.In Advances in Cryptology – CRYPTO 2015, pages 116–140

S-Box of Stribog/Kuznechik (Feistel)

Biryukov, A., Perrin, L., and Udovenko, A. (2016). Reverse-Engineering the S-Box ofStreebog, Kuznyechik and STRIBOBr1.In Advances in Cryptology – EUROCRYPT 2016, pages 372–402

S-Box of Stribog/Kuznechik (Exponential)

Perrin, L. and Udovenko, A. (2017). Exponential S-boxes: a link between the S-boxesof BelT and Kuznyechik/Streebog.IACR Transactions on Symmetric Cryptology, 2016(2):99–124



For More Information (2/2)

APN Permutation

Perrin, L., Udovenko, A., and Biryukov, A. (2016). Cryptanalysis of a Theorem:Decomposing the Only Known Solution to the Big APN Problem.In Advances in Cryptology – CRYPTO 2016, pages (93–122)

Online

1 https://eprint.iacr.org/2015/976 (Skipjack)

2 https://eprint.iacr.org/2016/071 (Stribog/Kuznechik 1)

3 https://eprint.iacr.org/2016/539 (6-bit APN)

4 http://tosc.iacr.org/index.php/ToSC/article/view/567/509

(Stribog/Kuznechik 2)


https://eprint.iacr.org/2015/976



http://tosc.iacr.org/index.php/ToSC/article/view/567/509


Conclusion

We can recover a lot from an LUT

white-box crypto is all the hardest,

we can use cryptanalysis to discover new math results,

secret services’ algorithms are all the more suspicious!

Nothing-up-my-sleeve

Always justify your constants!



Open Positions @ uni.lu

post-doc in real-world crypto/blockchain/ privacy

post-doc in lightweight crypto and side-channel a�acks (FDISCproject)

PhDs in applied crypto (PRIDE project)

https://www.cryptolux.org/index.php/Home

Thank you!


https://www.cryptolux.org/index.php/Home

Appendix

Details About SkipjackN

um

ber o

f occu

rren

ces

100

200

300

Absolute value of the coe�cients in the LAT

22 23 24 25 26 27 28


Appendix

Bibliography I

Biryukov, A. and Perrin, L. (2015).On Reverse-Engineering S-Boxes with Hidden Design Criteriaor Structure.In Advances in Cryptology – CRYPTO 2015, pages 116–140.

Biryukov, A., Perrin, L., and Udovenko, A. (2016).Reverse-Engineering the S-Box of Streebog, Kuznyechik andSTRIBOBr1.In Advances in Cryptology – EUROCRYPT 2016, pages 372–402.

GOST (2012).Gost r 34.11-2012: Streebog hash function.https://www.streebog.net/.


https://www.streebog.net/

Appendix

Bibliography II

GOST (2015).(GOST R 34.12–2015) information technology – cryptographicdata security – block ciphers.http:

//tc26.ru/en/standard/gost/GOST_R_34_12_2015_ENG.pdf.

National Security Agency, N. S. A. (1998).SKIPJACK and KEA Algorithm Specifications.

Perrin, L. and Udovenko, A. (2017).Exponential S-boxes: a link between the S-boxes of BelT andKuznyechik/Streebog.IACR Transactions on Symmetric Cryptology, 2016(2):99–124.


http://tc26.ru/en/standard/gost/GOST_R_34_12_2015_ENG.pdf

http://tc26.ru/en/standard/gost/GOST_R_34_12_2015_ENG.pdf

Appendix

Bibliography III

Perrin, L., Udovenko, A., and Biryukov, A. (2016).Cryptanalysis of a Theorem: Decomposing the Only KnownSolution to the Big APN Problem.In Advances in Cryptology – CRYPTO 2016, pages (93–122).

STB 34.101.31-2011 (2011).“Information technologies. Data protection. Cryptographicalgorithms for encryption and integrity control.”.State Standard of Republic of Belarus (STB 34.101.31-2011).http://apmi.bsu.by/assets/files/std/belt-spec27.pdf.


http://apmi.bsu.by/assets/files/std/belt-spec27.pdf

on reverse-engineering s-boxes · biryukov, perrin, udovenko on reverse-engineering s-boxes 15 /...

Documents