on s-box reverse-engineering: from cryptanalysis to the
TRANSCRIPT
On S-Box Reverse-Engineering: fromCryptanalysis to the Big APN Problem
Léo Perrin
DTU, Lyngbyperrin dot leo at gmail
4th of July 2017Boolean Functions and Their Applications
The content of this talk is based on joint works with Biryukov, Canteaut, Duval, Khovratovichand Udovenko, and my PhD thesis.
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
In this TalkWhat is an S-Box?S-Box Design
If you only know the Look-Up Table of an S-Box,what can you do?
Random?Was it picked uniformly atrandom?
Structured?Was it built using a particularstructure ?
1 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
In this TalkWhat is an S-Box?S-Box Design
If you only know the Look-Up Table of an S-Box,what can you do?
Random?Was it picked uniformly atrandom?
Structured?Was it built using a particularstructure ?
1 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
In this TalkWhat is an S-Box?S-Box Design
If you only know the Look-Up Table of an S-Box,what can you do?
Random?Was it picked uniformly atrandom?
Structured?Was it built using a particularstructure ?
1 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
In this TalkWhat is an S-Box?S-Box Design
S-Box?
An S-Box is a small non-linear function mappingm bits to nusually specified via its look-up table.
Typically, n =m,n ∈ {4, 8}
Used by many block ciphers/hash functions/stream ciphers.
Necessary for the wide trail strategy.
2 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
In this TalkWhat is an S-Box?S-Box Design
S-Box?
An S-Box is a small non-linear function mappingm bits to nusually specified via its look-up table.
Typically, n =m,n ∈ {4, 8}
Used by many block ciphers/hash functions/stream ciphers.
Necessary for the wide trail strategy.
2 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
In this TalkWhat is an S-Box?S-Box Design
Example
Screen capture from [GOST, 2015].
3 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
In this TalkWhat is an S-Box?S-Box Design
S-Box Design
4 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
In this TalkWhat is an S-Box?S-Box Design
S-Box Design
4 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
In this TalkWhat is an S-Box?S-Box Design
S-Box Design
Khazad...
iScream...
Grøstl...
4 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
In this TalkWhat is an S-Box?S-Box Design
S-Box Reverse-Engineering
S
5 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
In this TalkWhat is an S-Box?S-Box Design
S-Box Reverse-Engineering
S??
?
5 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
In this TalkWhat is an S-Box?S-Box Design
Motivation
A malicious designer can easily hide a structure in an S-Box.
To keep an advantage in implementation (WB crypto)...... or an advantage in cryptanalysis (backdoor)?
6 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
In this TalkWhat is an S-Box?S-Box Design
Motivation
A malicious designer can easily hide a structure in an S-Box.
To keep an advantage in implementation (WB crypto)...
... or an advantage in cryptanalysis (backdoor)?
6 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
In this TalkWhat is an S-Box?S-Box Design
Motivation
A malicious designer can easily hide a structure in an S-Box.
To keep an advantage in implementation (WB crypto)...... or an advantage in cryptanalysis (backdoor)?
6 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
Outline
1 Introduction
2 Overview of S-Box Reverse-Engineering Methods
3 The TU-Decomposition
4 A Decomposition of the 6-bit APN Permutation
5 Conclusion
6 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
Plan of this Section
1 Introduction
2 Overview of S-Box Reverse-Engineering MethodsStatistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
3 The TU-Decomposition
4 A Decomposition of the 6-bit APN Permutation
5 Conclusion
6 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
The Two Tables
Let S : Fn2 → Fn2 be an S-Box.
Definition (DDT)
The Di�erence Distribution Table of S is a matrix of size 2n × 2n such that
DDT[a,b] = #{x ∈ Fn2 | S (x ⊕ a) ⊕ S (x ) = b}.
Definition (LAT)
The Linear Approximations Table of S is a matrix of size 2n × 2n such that
LAT[a,b] = #{x ∈ Fn2 | x · a = S (x ) · b} − 2n−1 =WS (a,b)
2
7 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
The Two Tables
Let S : Fn2 → Fn2 be an S-Box.
Definition (DDT)
The Di�erence Distribution Table of S is a matrix of size 2n × 2n such that
DDT[a,b] = #{x ∈ Fn2 | S (x ⊕ a) ⊕ S (x ) = b}.
Definition (LAT)
The Linear Approximations Table of S is a matrix of size 2n × 2n such that
LAT[a,b] = #{x ∈ Fn2 | x · a = S (x ) · b} − 2n−1 =WS (a,b)
2
7 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
The Two Tables
Let S : Fn2 → Fn2 be an S-Box.
Definition (DDT)
The Di�erence Distribution Table of S is a matrix of size 2n × 2n such that
DDT[a,b] = #{x ∈ Fn2 | S (x ⊕ a) ⊕ S (x ) = b}.
Definition (LAT)
The Linear Approximations Table of S is a matrix of size 2n × 2n such that
LAT[a,b] = #{x ∈ Fn2 | x · a = S (x ) · b} − 2n−1 =WS (a,b)
2
7 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
Coe�icient Distribution in the DDT
If an n-bit S-Box is bijective, then its DDT coe�icients behave likeindependent and identically distributed random variables following aPoisson distribution:
Pr [DDT[a,b] = 2z] =e−1/2
2zz.
Always even, ≥ 0Typically between 0 and 16 (for n =)
Lower is be�er.
8 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
Coe�icient Distribution in the DDT
If an n-bit S-Box is bijective, then its DDT coe�icients behave likeindependent and identically distributed random variables following aPoisson distribution:
Pr [DDT[a,b] = 2z] =e−1/2
2zz.
Always even, ≥ 0Typically between 0 and 16 (for n =)
Lower is be�er.
8 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
Coe�icient Distribution in the LAT
If an n-bit S-Box is bijective, then its LAT coe�icients behave likeindependent and identically distributed random variables following thisdistribution:
Pr [LAT[a,b] = 2z] =
(2n−12n−2+z
)(2n2n−1
) .
Always even, signed.
Typically between -40 and 40 (for n = 8).
Lower absolute value is be�er.
9 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
Coe�icient Distribution in the LAT
If an n-bit S-Box is bijective, then its LAT coe�icients behave likeindependent and identically distributed random variables following thisdistribution:
Pr [LAT[a,b] = 2z] =
(2n−12n−2+z
)(2n2n−1
) .Always even, signed.
Typically between -40 and 40 (for n = 8).
Lower absolute value is be�er.
9 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
Looking Only at the Maximum
δ log2 (Pr [max(D) ≤ δ ])
14 -0.006
12 -0.094
10 -1.329
8 -16.148
6 -164.466
4 -1359.530
DDT
` log2 (Pr [max(L) ≤ `])
38 -0.08436 -0.30234 -1.00832 -3.16030 -9.28828 -25.62326 -66.41524 -161.90022 -371.609
LAT
Probability that the maximum coe�icient in the DDT/LAT of an 8-bitpermutation is at most equal to a certain threshold.
10 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
Looking Only at the Maximum
δ log2 (Pr [max(D) ≤ δ ])
14 -0.006
12 -0.094
10 -1.329
8 -16.148
6 -164.466
4 -1359.530
DDT
` log2 (Pr [max(L) ≤ `])
38 -0.08436 -0.30234 -1.00832 -3.16030 -9.28828 -25.62326 -66.41524 -161.90022 -371.609
LAT
Probability that the maximum coe�icient in the DDT/LAT of an 8-bitpermutation is at most equal to a certain threshold.
10 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
Taking Number of Maximum Values into AccountProbability (log2)
−70
−60
−50
−40
−30
−20
N28
0 5 10 15 20 25 30 35 40
2
4
5
Pr[max = 28]
Pr[max = 26]
Pr[max = 28, #28 ≤ N28]
11 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
Application of this Analysis?
We applied this method on the S-Box of Skipjack.
12 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
What is Skipjack?
Type Block cipher
Bloc 64 bits
Key 80 bits
Authors NSA
Publication 1998 (classified at first)
13 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
Reverse-Engineering the S-Box of Skipjack
Skipjack uses F , a permutation of F82 with max(LAT) = 28 and #28 = 3.
Probability (log2)
−70
−60
−50
−40
−30
−20
N28
0 5 10 15 20 25 30 35 40
2
4
5
Pr[max = 28]
Pr[max = 26]
Pr[max = 28, #28 ≤ N28]
Pr [max(LAT) = 28 and #28 ≤ 3] ≈ 2−55
14 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
Reverse-Engineering the S-Box of Skipjack
Skipjack uses F , a permutation of F82 with max(LAT) = 28 and #28 = 3.Probability (log2)
−70
−60
−50
−40
−30
−20
N28
0 5 10 15 20 25 30 35 40
2
4
5
Pr[max = 28]
Pr[max = 26]
Pr[max = 28, #28 ≤ N28]
Probability (log2)
−70
−60
−50
−40
−30
−20
N28
0 5 10 15 20 25 30 35 40
2
4
5
Pr[max = 28]
Pr[max = 26]
Pr[max = 28, #28 ≤ N28]
Pr [max(LAT) = 28 and #28 ≤ 3] ≈ 2−55
14 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
Reverse-Engineering the S-Box of Skipjack
Skipjack uses F , a permutation of F82 with max(LAT) = 28 and #28 = 3.Probability (log2)
−70
−60
−50
−40
−30
−20
N28
0 5 10 15 20 25 30 35 40
2
4
5
Pr[max = 28]
Pr[max = 26]
Pr[max = 28, #28 ≤ N28]
Pr [max(LAT) = 28 and #28 ≤ 3] ≈ 2−55
14 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
Reverse-Engineering the S-Box of Skipjack
Skipjack uses F , a permutation of F82 with max(LAT) = 28 and #28 = 3.Probability (log2)
−70
−60
−50
−40
−30
−20
N28
0 5 10 15 20 25 30 35 40
2
4
5
Pr[max = 28]
Pr[max = 26]
Pr[max = 28, #28 ≤ N28]
Pr [max(LAT) = 28 and #28 ≤ 3] ≈ 2−5514 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
What Can We Deduce?
F has not been picked uniformly at random.
F has not been picked among a feasibly large set of random S-Boxes.
Its linear properties were optimized (though poorly).
The S-Box of Skipjack was builtusing a dedicated algorithm.
15 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
What Can We Deduce?
F has not been picked uniformly at random.
F has not been picked among a feasibly large set of random S-Boxes.
Its linear properties were optimized (though poorly).
The S-Box of Skipjack was builtusing a dedicated algorithm.
15 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
Conclusion on Skipjack
F
16 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
Conclusion on Skipjack
F
16 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
Di�erent Techniques
Statistics
17 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
Di�erent Techniques
Ad Hoc
17 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
Di�erent Techniques
StructuralA�acks
17 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
A�acks Against SPN (1/2)
S0,0 S0,1 ... S0,n/m−1
L0
S1,0 S1,1 ... S1,n/m−1
L1
S2,0 S2,1 ... S2,n/m−1
j 0 0
y j0 y j1 y jn/m−1
Zero sums
⊕2m−1j=0 S2,i (y
ji ) = 0, for all i . Repeat for di�erent constant then solve
system [Biryukov, Shamir, 2001]
18 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
A�acks Against SPN (1/2)
S0,0 S0,1 ... S0,n/m−1
L0
S1,0 S1,1 ... S1,n/m−1
L1
S2,0 S2,1 ... S2,n/m−1
j 0 0
y j0 y j1 y jn/m−1
Zero sums
⊕2m−1j=0 S2,i (y
ji ) = 0, for all i . Repeat for di�erent constant then solve
system [Biryukov, Shamir, 2001]
18 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
A�acks Against SPN (1/2)
S0,0 S0,1 ... S0,n/m−1
L0
S1,0 S1,1 ... S1,n/m−1
L1
S2,0 S2,1 ... S2,n/m−1
j 0 0
y j0 y j1 y jn/m−1
Zero sums
⊕2m−1j=0 S2,i (y
ji ) = 0, for all i .
Repeat for di�erent constant then solvesystem [Biryukov, Shamir, 2001]
18 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
A�acks Against SPN (1/2)
S0,0 S0,1 ... S0,n/m−1
L0
S1,0 S1,1 ... S1,n/m−1
L1
S2,0 S2,1 ... S2,n/m−1
j 0 0
y j0 y j1 y jn/m−1
Zero sums
⊕2m−1j=0 S2,i (y
ji ) = 0, for all i . Repeat for di�erent constant then solve
system [Biryukov, Shamir, 2001] 18 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
A�acks Against SPN (2/2)
Works against more than 3 rounds if deg(S (AS )r−1) is low enough.
SPN degree bound
0
20
40
60
80
100
120
Number of rounds
0 1 2 3 4 5 6 7 8
2
Degree Bound (SPN) [Biryukov et al., 2017]
Let σ operate onm bits, deg(σ ) =m − 1, and n be the block size.Rhoughly speaking, deg
(S (AS )r−1
)< n − 1 as long as
(m − 1) br /2c < n .
19 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
A�acks Against SPN (2/2)
Works against more than 3 rounds if deg(S (AS )r−1) is low enough.
SPN degree bound
0
20
40
60
80
100
120
Number of rounds
0 1 2 3 4 5 6 7 8
2
Degree Bound (SPN) [Biryukov et al., 2017]
Let σ operate onm bits, deg(σ ) =m − 1, and n be the block size.Rhoughly speaking, deg
(S (AS )r−1
)< n − 1 as long as
(m − 1) br /2c < n .
19 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
A�acks Against Feistel Networks
Degree Bound (Feistel Network) [Perrin and Udovenko, 2016]
Let {F i }i<r be permutations of Fn/22 of degree d and let F r (F ) denote ther -round n-bit Feistel Network with round function F i . If
d br /2c−1 + d dr /2e−1 < n ,
then some degree n − 1 terms in the ANF of F r (F ) are missing.
20 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers
What Does it Take to Have Full Degree?
The degree based distinguishers for SPNs and Feistel networks can be seenas particular cases of this lemma.
LemmaLet F : Fn2 → F2 be a Boolean function and let G : Fn2 → F
n2 be a
permutation. Then:
deg(F ◦G ) = n − 1 =⇒ deg(F ) + deg(G−1) ≥ n .
21 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
Outline
1 Introduction
2 Overview of S-Box Reverse-Engineering Methods
3 The TU-Decomposition
4 A Decomposition of the 6-bit APN Permutation
5 Conclusion
21 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
Plan of this Section
1 Introduction
2 Overview of S-Box Reverse-Engineering Methods
3 The TU-DecompositionDefinition of the TU-decompositionApplication to the Last Russian Standards
4 A Decomposition of the 6-bit APN Permutation
5 Conclusion
21 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
What is the TU-Decomposition?
The TU-decomposition is a decomposition algorithm working against vastgroups of algorithms: 3-round Feistel, Dillon’s APN permutation, SAS, ...
S TU-decompositionT
U
µ
η
T and U are mini-block ciphers ; µ and η are linear permutations.22 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
TU-Decomposition in a Nutshell
Let L be the LAT of the target S : Fn2 → Fn2 .
1 Identify vector spacesU andV of dimensionn/2 such that:
L (a,b) = 0, ∀(a,b) ∈ U ×V .
2 Deduce linear permutations µ ′ and η′ such that
L (µ ′(a),η′(b)) = 0, ∀(a,b) ∈ Fn/22 × Fn/22
3 Built new LAT L ′ such that
L ′(a,b) = L (µ ′(a),η′(b))
and recover S ′ with LAT L ′. Deduce µ,η.
T
U
µ
η
S’
23 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
TU-Decomposition in a Nutshell
Let L be the LAT of the target S : Fn2 → Fn2 .
1 Identify vector spacesU andV of dimensionn/2 such that:
L (a,b) = 0, ∀(a,b) ∈ U ×V .
2 Deduce linear permutations µ ′ and η′ such that
L (µ ′(a),η′(b)) = 0, ∀(a,b) ∈ Fn/22 × Fn/22
3 Built new LAT L ′ such that
L ′(a,b) = L (µ ′(a),η′(b))
and recover S ′ with LAT L ′. Deduce µ,η.
T
U
µ
η
S’
23 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
TU-Decomposition in a Nutshell
Let L be the LAT of the target S : Fn2 → Fn2 .
1 Identify vector spacesU andV of dimensionn/2 such that:
L (a,b) = 0, ∀(a,b) ∈ U ×V .
2 Deduce linear permutations µ ′ and η′ such that
L (µ ′(a),η′(b)) = 0, ∀(a,b) ∈ Fn/22 × Fn/22
3 Built new LAT L ′ such that
L ′(a,b) = L (µ ′(a),η′(b))
and recover S ′ with LAT L ′. Deduce µ,η.
T
U
µ
η
S’
23 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
TU-Decomposition in a Nutshell
Let L be the LAT of the target S : Fn2 → Fn2 .
1 Identify vector spacesU andV of dimensionn/2 such that:
L (a,b) = 0, ∀(a,b) ∈ U ×V .
2 Deduce linear permutations µ ′ and η′ such that
L (µ ′(a),η′(b)) = 0, ∀(a,b) ∈ Fn/22 × Fn/22
3 Built new LAT L ′ such that
L ′(a,b) = L (µ ′(a),η′(b))
and recover S ′ with LAT L ′. Deduce µ,η.
T
U
µ
η
S’
23 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
TU-Decomposition in a Nutshell
Let L be the LAT of the target S : Fn2 → Fn2 .
1 Identify vector spacesU andV of dimensionn/2 such that:
L (a,b) = 0, ∀(a,b) ∈ U ×V .
2 Deduce linear permutations µ ′ and η′ such that
L (µ ′(a),η′(b)) = 0, ∀(a,b) ∈ Fn/22 × Fn/22
3 Built new LAT L ′ such that
L ′(a,b) = L (µ ′(a),η′(b))
and recover S ′ with LAT L ′. Deduce µ,η.
T
U
µ
η
S’
23 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
Bootstrapping TU-Decomposition
OK... But how do we findU andV?
For now: we just look at the LAT and hope for the best!
24 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
Bootstrapping TU-Decomposition
OK... But how do we findU andV?
For now: we just look at the LAT and hope for the best!
24 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
Kuznyechik/Stribog
Stribog
Type Hash function
Publication [GOST, 2012]
Kuznyechik
Type Block cipher
Publication [GOST, 2015]
Common ground
Both are standard symmetric primitives in Russia.
Both were designed by the FSB (TC26).
Both use the same 8 × 8 S-Box, π .
25 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
Kuznyechik/Stribog
Stribog
Type Hash function
Publication [GOST, 2012]
Kuznyechik
Type Block cipher
Publication [GOST, 2015]
Common ground
Both are standard symmetric primitives in Russia.
Both were designed by the FSB (TC26).
Both use the same 8 × 8 S-Box, π .25 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
The LAT of the S-Box of Kuznyechik
26 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
Applying one Linear Layer
27 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
Applying two Linear Layers
28 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
Final Decomposition Number 1
ω
σ
ϕ �
ν1ν0
I�
α
T
U
� Multiplication in F24
α Linear permutation
I Inversion in F24
ν0,ν1,σ 4 × 4 permutations
ϕ 4 × 4 function
ω Linear permutation
29 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
Final Decomposition Number 1
ω
σ
ϕ �
ν1ν0
I�
αT
U
� Multiplication in F24
α Linear permutation
I Inversion in F24
ν0,ν1,σ 4 × 4 permutations
ϕ 4 × 4 function
ω Linear permutation
29 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
Conclusion for Kuznyechik/Stribog?
The Russian S-Box was built like astrange Feistel...
... or was it?
Belarussian inspiration
The last standard of Belarus [Bel. St. Univ., 2011] uses an 8-bit S-box,
somewhat similar to π ...
... based on a finite field exponential!
30 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
Conclusion for Kuznyechik/Stribog?
The Russian S-Box was built like astrange Feistel...
... or was it?
Belarussian inspiration
The last standard of Belarus [Bel. St. Univ., 2011] uses an 8-bit S-box,
somewhat similar to π ...
... based on a finite field exponential!
30 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
Conclusion for Kuznyechik/Stribog?
The Russian S-Box was built like astrange Feistel...
... or was it?
Belarussian inspiration
The last standard of Belarus [Bel. St. Univ., 2011] uses an 8-bit S-box,
somewhat similar to π ...
... based on a finite field exponential!
30 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
Conclusion for Kuznyechik/Stribog?
The Russian S-Box was built like astrange Feistel...
... or was it?
Belarussian inspiration
The last standard of Belarus [Bel. St. Univ., 2011] uses an 8-bit S-box,
somewhat similar to π ...
... based on a finite field exponential!
30 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
Final Decomposition Number 2 (!)
ω ′
⊗−1
�
q′
logw,16
T
0 1 2 3 4 5 6 7 8 9 a b c d e fT0 0 1 2 3 4 5 6 7 8 9 a b c d e fT1 0 1 2 3 4 5 6 7 8 9 a b c d e fT2 0 1 2 3 4 5 6 7 8 9 a b c d f eT3 0 1 2 3 4 5 6 7 8 9 a b c f d eT4 0 1 2 3 4 5 6 7 8 9 a b f c d eT5 0 1 2 3 4 5 6 7 8 9 a f b c d eT6 0 1 2 3 4 5 6 7 8 9 f a b c d eT7 0 1 2 3 4 5 6 7 8 f 9 a b c d eT8 0 1 2 3 4 5 6 7 f 8 9 a b c d eT9 0 1 2 3 4 5 6 f 7 8 9 a b c d eTa 0 1 2 3 4 5 f 6 7 8 9 a b c d eTb 0 1 2 3 4 f 5 6 7 8 9 a b c d eTc 0 1 2 3 f 4 5 6 7 8 9 a b c d eTd 0 1 2 f 3 4 5 6 7 8 9 a b c d eTe 0 1 f 2 3 4 5 6 7 8 9 a b c d eTf 0 f 1 2 3 4 5 6 7 8 9 a b c d e
31 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
Final Decomposition Number 2 (!)
ω ′
⊗−1
�
q′
logw,16
T
0 1 2 3 4 5 6 7 8 9 a b c d e fT0 0 1 2 3 4 5 6 7 8 9 a b c d e fT1 0 1 2 3 4 5 6 7 8 9 a b c d e fT2 0 1 2 3 4 5 6 7 8 9 a b c d f eT3 0 1 2 3 4 5 6 7 8 9 a b c f d eT4 0 1 2 3 4 5 6 7 8 9 a b f c d eT5 0 1 2 3 4 5 6 7 8 9 a f b c d eT6 0 1 2 3 4 5 6 7 8 9 f a b c d eT7 0 1 2 3 4 5 6 7 8 f 9 a b c d eT8 0 1 2 3 4 5 6 7 f 8 9 a b c d eT9 0 1 2 3 4 5 6 f 7 8 9 a b c d eTa 0 1 2 3 4 5 f 6 7 8 9 a b c d eTb 0 1 2 3 4 f 5 6 7 8 9 a b c d eTc 0 1 2 3 f 4 5 6 7 8 9 a b c d eTd 0 1 2 f 3 4 5 6 7 8 9 a b c d eTe 0 1 f 2 3 4 5 6 7 8 9 a b c d eTf 0 f 1 2 3 4 5 6 7 8 9 a b c d e
31 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
Conclusion on Kuznyechik/Stribog
π
32 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
Conclusion on Kuznyechik/Stribog
π
32 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
Conclusion on Kuznyechik/Stribog
π
32 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Definition of the TU-decompositionApplication to the Last Russian Standards
Conclusion on Kuznyechik/Stribog
π
?
32 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
The Big APN Problem and its Only Known SolutionsOn Bu�erflies
Outline
1 Introduction
2 Overview of S-Box Reverse-Engineering Methods
3 The TU-Decomposition
4 A Decomposition of the 6-bit APN Permutation
5 Conclusion
32 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
The Big APN Problem and its Only Known SolutionsOn Bu�erflies
Plan of this Section
1 Introduction
2 Overview of S-Box Reverse-Engineering Methods
3 The TU-Decomposition
4 A Decomposition of the 6-bit APN PermutationThe Big APN Problem and its Only Known SolutionsOn Bu�erflies
5 Conclusion
32 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
The Big APN Problem and its Only Known SolutionsOn Bu�erflies
The Big APN Problem
Definition (APN function)
A function f : Fn2 → Fn2 is Almost Perfect Non-linear (APN) if
f (x ⊕ a) ⊕ f (x ) = b
has 0 or 2 solutions for all a , 0 and for all b.
Big APN Problem
Are there APN permutations operating on Fn2 where n is even?
33 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
The Big APN Problem and its Only Known SolutionsOn Bu�erflies
The Big APN Problem
Definition (APN function)
A function f : Fn2 → Fn2 is Almost Perfect Non-linear (APN) if
f (x ⊕ a) ⊕ f (x ) = b
has 0 or 2 solutions for all a , 0 and for all b.
Big APN Problem
Are there APN permutations operating on Fn2 where n is even?
33 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
The Big APN Problem and its Only Known SolutionsOn Bu�erflies
Dillon et al.’s Permutation
Only One Known Solution!
For n = 6, Dillon et al. found an APN permutation.
It is possible to make a TU-decomposition!
34 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
The Big APN Problem and its Only Known SolutionsOn Bu�erflies
Dillon et al.’s Permutation
Only One Known Solution!
For n = 6, Dillon et al. found an APN permutation.
It is possible to make a TU-decomposition!
34 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
The Big APN Problem and its Only Known SolutionsOn Bu�erflies
Dillon et al.’s Permutation
Only One Known Solution!
For n = 6, Dillon et al. found an APN permutation.
It is possible to make a TU-decomposition!
34 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
The Big APN Problem and its Only Known SolutionsOn Bu�erflies
Dillon et al.’s Permutation
Only One Known Solution!
For n = 6, Dillon et al. found an APN permutation.
It is possible to make a TU-decomposition!
34 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
The Big APN Problem and its Only Known SolutionsOn Bu�erflies
On the Bu�erfly Structure
βx3
x1/3
�α
⊕
⊕
βx3
x3
�α
⊕
⊕
T
U
Definition (Open Bu�erfly H3α ,β
)
This permutation is an open bu�erfly.
LemmaDillon’s permutation is a�ine-equivalentto H3
w,1, where Tr (w ) = 0.
35 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
The Big APN Problem and its Only Known SolutionsOn Bu�erflies
On the Bu�erfly Structure
βx3
x1/3
�α
⊕
⊕
βx3
x3
�α
⊕
⊕
T
U
Definition (Open Bu�erfly H3α ,β
)
This permutation is an open bu�erfly.
LemmaDillon’s permutation is a�ine-equivalentto H3
w,1, where Tr (w ) = 0.
35 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
The Big APN Problem and its Only Known SolutionsOn Bu�erflies
CCZ-equivalence (1/2)
Definition (CCZ-equivalence)
Let F and G be functions of Fn2 . They are CCZ-equivalent if there exists alinear permutation L of Fn2 × F
n2 such that
{(x , F (x )
),∀x ∈ Fn2
}=
{L(x ,G (x )
),∀x ∈ Fn2
}
Properties
CCZ-equivalence preserves:
the distribution of the coe�icients in the LAT (Walsh spectrum),
the distribution of the coe�icients in the DDT.
It does not preserve:
the position of the DDT/LAT coe�icients
the algebraic degree.
36 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
The Big APN Problem and its Only Known SolutionsOn Bu�erflies
CCZ-equivalence (1/2)
Definition (CCZ-equivalence)
Let F and G be functions of Fn2 . They are CCZ-equivalent if there exists alinear permutation L of Fn2 × F
n2 such that
{(x , F (x )
),∀x ∈ Fn2
}=
{L(x ,G (x )
),∀x ∈ Fn2
}
Properties
CCZ-equivalence preserves:
the distribution of the coe�icients in the LAT (Walsh spectrum),
the distribution of the coe�icients in the DDT.
It does not preserve:
the position of the DDT/LAT coe�icients
the algebraic degree.36 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
The Big APN Problem and its Only Known SolutionsOn Bu�erflies
Closed Bu�erflies
�α
⊕
x3
βx3 ⊕
�α
⊕
x3
βx3 ⊕
Definition (Closed bu�erfly V3α ,β
)
This quadratic function is a closedbu�erfly.
Lemma (Equivalence)
Open and closed bu�erflies with the sameparameters are CCZ-equivalent.
37 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
The Big APN Problem and its Only Known SolutionsOn Bu�erflies
Closed Bu�erflies
�α
⊕
x3
βx3 ⊕
�α
⊕
x3
βx3 ⊕
Definition (Closed bu�erfly V3α ,β
)
This quadratic function is a closedbu�erfly.
Lemma (Equivalence)
Open and closed bu�erflies with the sameparameters are CCZ-equivalent.
37 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
The Big APN Problem and its Only Known SolutionsOn Bu�erflies
Bu�erflies and Feistel Networks
When α = 1, bu�erflies can be greatly simplified.
βx3⊕
x1/3 ⊕
βx3⊕
βx3 x3 βx3
⊕
⊕⊕
38 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
The Big APN Problem and its Only Known SolutionsOn Bu�erflies
Some Properties of Bu�erflies
Theorem (Properties of bu�erflies [Canteaut et al., 2017])Let V3
α ,β and H3α ,β be bu�erflies operating on 2n bits, n odd. Then:
deg(V3α ,β
)= 2,
if n = 3, Tr (α ) = 0 and β + α 3 ∈ {α, 1/α }, thenmax(DDT ) = 2, max(W ) = 2n+1 and deg
(H3α ,β
)= n + 1 ,
if β = (1 + α )3, thenmax(DDT ) = 2n+1, max(W ) = 2(3n+1)/2 and deg
(H3α ,β
)= n ,
otherwise,
max(DDT ) = 4, max(W ) = 2n+1 and deg(H3α ,β
)∈ {n, n + 1}
and deg(H3α ,β
)= n if and only if
1 + α β + α 4 = (β + α + α 3)2 .
39 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Conclusion
Outline
1 Introduction
2 Overview of S-Box Reverse-Engineering Methods
3 The TU-Decomposition
4 A Decomposition of the 6-bit APN Permutation
5 Conclusion
39 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Conclusion
Plan of this Section
1 Introduction
2 Overview of S-Box Reverse-Engineering Methods
3 The TU-Decomposition
4 A Decomposition of the 6-bit APN Permutation
5 Conclusion
39 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Conclusion
Conclusion
We can recover the majority of known S-Box structuresand derive new results about Skipjack and Kuznyechik.
We can generalize the permutation of Dillon et al...
but we can prove that our generalizations are never APN(except in the known case).
There are still S-Boxes with unknown building strategies(CMEA, CSS)!
40 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Conclusion
Conclusion
We can recover the majority of known S-Box structuresand derive new results about Skipjack and Kuznyechik.
We can generalize the permutation of Dillon et al...
but we can prove that our generalizations are never APN(except in the known case).
There are still S-Boxes with unknown building strategies(CMEA, CSS)!
40 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Conclusion
Conclusion
We can recover the majority of known S-Box structuresand derive new results about Skipjack and Kuznyechik.
We can generalize the permutation of Dillon et al...
but we can prove that our generalizations are never APN(except in the known case).
There are still S-Boxes with unknown building strategies(CMEA, CSS)!
40 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Conclusion
Conclusion
We can recover the majority of known S-Box structuresand derive new results about Skipjack and Kuznyechik.
We can generalize the permutation of Dillon et al...
but we can prove that our generalizations are never APN(except in the known case).
There are still S-Boxes with unknown building strategies(CMEA, CSS)!
40 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Conclusion
The Last S-Box
14 11 60 6d e9 10 e3 2 b 90 d 17 c5 b0 9f c5d8 da be 22 8 f3 4 a9 fe f3 f5 fc bc 30 be 26bb 88 85 46 f4 2e e fd 76 fe b0 11 4e de 35 bb30 4b 30 d6 dd df df d4 90 7a d8 8c 6a 89 30 39e9 1 da d2 85 87 d3 d4 ba 2b d4 9f 9c 38 8c 55d3 86 bb db ec e0 46 48 bf 46 1b 1c d7 d9 1b e023 d4 d7 7f 16 3f 3 3 44 c3 59 10 2a da ed e98e d8 d1 db cb cb c3 c7 38 22 34 3d db 85 23 7c24 d1 d8 2e fc 44 8 38 c8 c7 39 4c 5f 56 2a cfd0 e9 d2 68 e4 e3 e9 13 e2 c 97 e4 60 29 d7 9bd9 16 24 94 b3 e3 4c 4c 4f 39 e0 4b bc 2c d3 9481 96 93 84 91 d0 2e d6 d2 2b 78 ef d6 9e 7b 72ad c4 68 92 7a d2 5 2b 1e d0 dc b1 22 3f c3 c388 b1 8d b5 e3 4e d7 81 3 15 17 25 4e 65 88 4ee4 3b 81 81 fa 1 1d 4 22 0 6 1 27 68 27 2e3b 83 c7 cc 25 9b d8 d5 1c 1f e5 59 7f 3f 3f ef
41 / 42
IntroductionOverview of S-Box Reverse-Engineering Methods
The TU-DecompositionA Decomposition of the 6-bit APN Permutation
Conclusion
Conclusion
42 / 42
AppendixBibliography Back-Up Slides
Details About SkipjackN
um
ber
of
occ
urr
ence
s (l
og s
cale
)
100
200
300
Absolute value of the coe�cients in the LAT
22 23 24 25 26 27 28
1 / 4
AppendixBibliography Back-Up Slides
Proof of Full Degree Condition
If deg(F ◦G ) = n − 1, then ∃i ≤ n such that⊕
x ∈Ci (F ◦G ) (x ) = 1.
Let Ii : Fn2 → F2 be such that Ii (x ) = 1⇔ x ∈ Ci :⊕x ∈Ci
(F ◦G ) (x ) =⊕x ∈Fn2
F(G (x )
)× Ii (x ) ,
and let y = G (x ). Then:⊕x ∈Ci
(F ◦G ) (x ) =⊕y∈Fn2
F (y) × Ii(G−1 (y)
).
This sum is equal to 1 if and only if x 7→ F (x ) × Ii(G−1 (x )
)has degree n.
Ii is a�ine (Ii (x ) = 1 + xi ). Thus, the sum can be equal to 1 only if
deg(F ) + deg(G−1) ≥ n .
�
2 / 4
AppendixBibliography Back-Up Slides
Proof of Full Degree Condition
If deg(F ◦G ) = n − 1, then ∃i ≤ n such that⊕
x ∈Ci (F ◦G ) (x ) = 1.
Let Ii : Fn2 → F2 be such that Ii (x ) = 1⇔ x ∈ Ci :⊕x ∈Ci
(F ◦G ) (x ) =⊕x ∈Fn2
F(G (x )
)× Ii (x ) ,
and let y = G (x ). Then:⊕x ∈Ci
(F ◦G ) (x ) =⊕y∈Fn2
F (y) × Ii(G−1 (y)
).
This sum is equal to 1 if and only if x 7→ F (x ) × Ii(G−1 (x )
)has degree n.
Ii is a�ine (Ii (x ) = 1 + xi ). Thus, the sum can be equal to 1 only if
deg(F ) + deg(G−1) ≥ n .
�
2 / 4
AppendixBibliography Back-Up Slides
Proof of Full Degree Condition
If deg(F ◦G ) = n − 1, then ∃i ≤ n such that⊕
x ∈Ci (F ◦G ) (x ) = 1.
Let Ii : Fn2 → F2 be such that Ii (x ) = 1⇔ x ∈ Ci :⊕x ∈Ci
(F ◦G ) (x ) =⊕x ∈Fn2
F(G (x )
)× Ii (x ) ,
and let y = G (x ). Then:⊕x ∈Ci
(F ◦G ) (x ) =⊕y∈Fn2
F (y) × Ii(G−1 (y)
).
This sum is equal to 1 if and only if x 7→ F (x ) × Ii(G−1 (x )
)has degree n.
Ii is a�ine (Ii (x ) = 1 + xi ). Thus, the sum can be equal to 1 only if
deg(F ) + deg(G−1) ≥ n .
�
2 / 4
AppendixBibliography Back-Up Slides
Proof of Full Degree Condition
If deg(F ◦G ) = n − 1, then ∃i ≤ n such that⊕
x ∈Ci (F ◦G ) (x ) = 1.
Let Ii : Fn2 → F2 be such that Ii (x ) = 1⇔ x ∈ Ci :⊕x ∈Ci
(F ◦G ) (x ) =⊕x ∈Fn2
F(G (x )
)× Ii (x ) ,
and let y = G (x ). Then:⊕x ∈Ci
(F ◦G ) (x ) =⊕y∈Fn2
F (y) × Ii(G−1 (y)
).
This sum is equal to 1 if and only if x 7→ F (x ) × Ii(G−1 (x )
)has degree n.
Ii is a�ine (Ii (x ) = 1 + xi ). Thus, the sum can be equal to 1 only if
deg(F ) + deg(G−1) ≥ n .
�
2 / 4
AppendixBibliography Back-Up Slides
Proof of Full Degree Condition
If deg(F ◦G ) = n − 1, then ∃i ≤ n such that⊕
x ∈Ci (F ◦G ) (x ) = 1.
Let Ii : Fn2 → F2 be such that Ii (x ) = 1⇔ x ∈ Ci :⊕x ∈Ci
(F ◦G ) (x ) =⊕x ∈Fn2
F(G (x )
)× Ii (x ) ,
and let y = G (x ). Then:⊕x ∈Ci
(F ◦G ) (x ) =⊕y∈Fn2
F (y) × Ii(G−1 (y)
).
This sum is equal to 1 if and only if x 7→ F (x ) × Ii(G−1 (x )
)has degree n.
Ii is a�ine (Ii (x ) = 1 + xi ).
Thus, the sum can be equal to 1 only if
deg(F ) + deg(G−1) ≥ n .
�
2 / 4
AppendixBibliography Back-Up Slides
Proof of Full Degree Condition
If deg(F ◦G ) = n − 1, then ∃i ≤ n such that⊕
x ∈Ci (F ◦G ) (x ) = 1.
Let Ii : Fn2 → F2 be such that Ii (x ) = 1⇔ x ∈ Ci :⊕x ∈Ci
(F ◦G ) (x ) =⊕x ∈Fn2
F(G (x )
)× Ii (x ) ,
and let y = G (x ). Then:⊕x ∈Ci
(F ◦G ) (x ) =⊕y∈Fn2
F (y) × Ii(G−1 (y)
).
This sum is equal to 1 if and only if x 7→ F (x ) × Ii(G−1 (x )
)has degree n.
Ii is a�ine (Ii (x ) = 1 + xi ). Thus, the sum can be equal to 1 only if
deg(F ) + deg(G−1) ≥ n .
�2 / 4
AppendixBibliography
Bibliography I
Bel. St. Univ. (2011).“Information technologies. Data protection. Cryptographic algorithms for encryptionand integrity control.”.State Standard of Republic of Belarus (STB 34.101.31-2011).http://apmi.bsu.by/assets/files/std/belt-spec27.pdf.
Biryukov, A., Khovratovich, D., and Perrin, L. (2017).Multiset-algebraic cryptanalysis of reduced Kuznyechik, Khazad, and secret SPNs.IACR Transactions on Symmetric Cryptology, 2016(2):226–247.
Canteaut, A., Duval, S., and Perrin, L. (2017).A generalisation of Dillon’s APN permutation with the best known di�erential andnonlinear properties for all fields of size 24k+2.IEEE Transactions on Information Theory, (to appear).
GOST (2012).Gost r 34.11-2012: Streebog hash function.https://www.streebog.net/.
3 / 4
AppendixBibliography
Bibliography II
GOST (2015).
(GOST R 34.12–2015) information technology – cryptographic data security – blockciphers.
http://tc26.ru/en/standard/gost/GOST_R_34_12_2015_ENG.pdf.
Perrin, L. and Udovenko, A. (2016).
Algebraic insights into the secret feistel network.
In Peyrin, T., editor, Fast So�ware Encryption – FSE 2016, volume 9783 of Lecture Notes inComputer Science, pages 378–398. Springer, Heidelberg.
4 / 4