on s-box reverse-engineering: from cryptanalysis to the

On S-Box Reverse-Engineering: fromCryptanalysis to the Big APN Problem

Léo Perrin

DTU, Lyngbyperrin dot leo at gmail

4th of July 2017Boolean Functions and Their Applications

The content of this talk is based on joint works with Biryukov, Canteaut, Duval, Khovratovichand Udovenko, and my PhD thesis.

http://orbilu.uni.lu/handle/10993/31195

IntroductionOverview of S-Box Reverse-Engineering Methods

The TU-DecompositionA Decomposition of the 6-bit APN Permutation

Conclusion

In this TalkWhat is an S-Box?S-Box Design

If you only know the Look-Up Table of an S-Box,what can you do?

Random?Was it picked uniformly atrandom?

Structured?Was it built using a particularstructure ?

1 / 42



Conclusion


S-Box?

An S-Box is a small non-linear function mappingm bits to nusually specified via its look-up table.

Typically, n =m,n ∈ {4, 8}

Used by many block ciphers/hash functions/stream ciphers.

Necessary for the wide trail strategy.

2 / 42



Conclusion


Example

Screen capture from [GOST, 2015].

3 / 42



Conclusion


S-Box Design

4 / 42



Conclusion


S-Box Design

Khazad...

iScream...

Grøstl...

4 / 42



Conclusion


S-Box Reverse-Engineering

S

5 / 42



Conclusion


S-Box Reverse-Engineering

S??

?

5 / 42



Conclusion


Motivation

A malicious designer can easily hide a structure in an S-Box.

To keep an advantage in implementation (WB crypto)...... or an advantage in cryptanalysis (backdoor)?

6 / 42



Conclusion


Motivation


To keep an advantage in implementation (WB crypto)...

... or an advantage in cryptanalysis (backdoor)?

6 / 42



Conclusion


Motivation


To keep an advantage in implementation (WB crypto)...... or an advantage in cryptanalysis (backdoor)?

6 / 42



Conclusion

Statistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers

Outline

1 Introduction

2 Overview of S-Box Reverse-Engineering Methods

3 The TU-Decomposition

4 A Decomposition of the 6-bit APN Permutation

5 Conclusion

6 / 42



Conclusion


Plan of this Section

1 Introduction

2 Overview of S-Box Reverse-Engineering MethodsStatistical Analysis of the DDT/LATSummary of Di�erent TechniquesStructural A�acks Against Block Ciphers



5 Conclusion

6 / 42



Conclusion


The Two Tables

Let S : Fn2 → Fn2 be an S-Box.

Definition (DDT)

The Di�erence Distribution Table of S is a matrix of size 2n × 2n such that

DDT[a,b] = #{x ∈ Fn2 | S (x ⊕ a) ⊕ S (x ) = b}.

Definition (LAT)

The Linear Approximations Table of S is a matrix of size 2n × 2n such that

LAT[a,b] = #{x ∈ Fn2 | x · a = S (x ) · b} − 2n−1 =WS (a,b)

2

7 / 42



Conclusion


Coe�icient Distribution in the DDT

If an n-bit S-Box is bijective, then its DDT coe�icients behave likeindependent and identically distributed random variables following aPoisson distribution:

Pr [DDT[a,b] = 2z] =e−1/2

2zz.

Always even, ≥ 0Typically between 0 and 16 (for n =)

Lower is be�er.

8 / 42



Conclusion


Coe�icient Distribution in the LAT

If an n-bit S-Box is bijective, then its LAT coe�icients behave likeindependent and identically distributed random variables following thisdistribution:

Pr [LAT[a,b] = 2z] =

(2n−12n−2+z

)(2n2n−1

) .

Always even, signed.

Typically between -40 and 40 (for n = 8).

Lower absolute value is be�er.

9 / 42



Conclusion


Coe�icient Distribution in the LAT

If an n-bit S-Box is bijective, then its LAT coe�icients behave likeindependent and identically distributed random variables following thisdistribution:

Pr [LAT[a,b] = 2z] =

(2n−12n−2+z

)(2n2n−1

) .Always even, signed.

Typically between -40 and 40 (for n = 8).

Lower absolute value is be�er.

9 / 42



Conclusion


Looking Only at the Maximum

δ log2 (Pr [max(D) ≤ δ ])

14 -0.006

12 -0.094

10 -1.329

8 -16.148

6 -164.466

4 -1359.530

DDT

` log2 (Pr [max(L) ≤ `])

38 -0.08436 -0.30234 -1.00832 -3.16030 -9.28828 -25.62326 -66.41524 -161.90022 -371.609

LAT

Probability that the maximum coe�icient in the DDT/LAT of an 8-bitpermutation is at most equal to a certain threshold.

10 / 42



Conclusion


Taking Number of Maximum Values into AccountProbability (log2)

−70

−60

−50

−40

−30

−20

N28

0 5 10 15 20 25 30 35 40

2

4

5

Pr[max = 28]

Pr[max = 26]

Pr[max = 28, #28 ≤ N28]

11 / 42



Conclusion


Application of this Analysis?

We applied this method on the S-Box of Skipjack.

12 / 42



Conclusion


What is Skipjack?

Type Block cipher

Bloc 64 bits

Key 80 bits

Authors NSA

Publication 1998 (classified at first)

13 / 42



Conclusion


Reverse-Engineering the S-Box of Skipjack

Skipjack uses F , a permutation of F82 with max(LAT) = 28 and #28 = 3.

Probability (log2)

−70

−60

−50

−40

−30

−20

N28

0 5 10 15 20 25 30 35 40

2

4

5

Pr[max = 28]

Pr[max = 26]

Pr[max = 28, #28 ≤ N28]

Pr [max(LAT) = 28 and #28 ≤ 3] ≈ 2−55

14 / 42



Conclusion



Skipjack uses F , a permutation of F82 with max(LAT) = 28 and #28 = 3.Probability (log2)

−70

−60

−50

−40

−30

−20

N28

0 5 10 15 20 25 30 35 40

2

4

5

Pr[max = 28]

Pr[max = 26]

Pr[max = 28, #28 ≤ N28]

Probability (log2)

−70

−60

−50

−40

−30

−20

N28

0 5 10 15 20 25 30 35 40

2

4

5

Pr[max = 28]

Pr[max = 26]

Pr[max = 28, #28 ≤ N28]

Pr [max(LAT) = 28 and #28 ≤ 3] ≈ 2−55

14 / 42



Conclusion




−70

−60

−50

−40

−30

−20

N28

0 5 10 15 20 25 30 35 40

2

4

5

Pr[max = 28]

Pr[max = 26]

Pr[max = 28, #28 ≤ N28]

Pr [max(LAT) = 28 and #28 ≤ 3] ≈ 2−55

14 / 42



Conclusion




−70

−60

−50

−40

−30

−20

N28

0 5 10 15 20 25 30 35 40

2

4

5

Pr[max = 28]

Pr[max = 26]

Pr[max = 28, #28 ≤ N28]

Pr [max(LAT) = 28 and #28 ≤ 3] ≈ 2−5514 / 42



Conclusion


What Can We Deduce?

F has not been picked uniformly at random.

F has not been picked among a feasibly large set of random S-Boxes.

Its linear properties were optimized (though poorly).

The S-Box of Skipjack was builtusing a dedicated algorithm.

15 / 42



Conclusion


Conclusion on Skipjack

F

16 / 42



Conclusion


Di�erent Techniques

Statistics

17 / 42



Conclusion



Ad Hoc

17 / 42



Conclusion



StructuralA�acks

17 / 42



Conclusion


A�acks Against SPN (1/2)

S0,0 S0,1 ... S0,n/m−1

L0

S1,0 S1,1 ... S1,n/m−1

L1

S2,0 S2,1 ... S2,n/m−1

j 0 0

y j0 y j1 y jn/m−1

Zero sums

⊕2m−1j=0 S2,i (y

ji ) = 0, for all i . Repeat for di�erent constant then solve

system [Biryukov, Shamir, 2001]

18 / 42



Conclusion



S0,0 S0,1 ... S0,n/m−1

L0

S1,0 S1,1 ... S1,n/m−1

L1

S2,0 S2,1 ... S2,n/m−1

j 0 0


Zero sums

⊕2m−1j=0 S2,i (y

ji ) = 0, for all i .

Repeat for di�erent constant then solvesystem [Biryukov, Shamir, 2001]

18 / 42



Conclusion



S0,0 S0,1 ... S0,n/m−1

L0

S1,0 S1,1 ... S1,n/m−1

L1

S2,0 S2,1 ... S2,n/m−1

j 0 0


Zero sums

⊕2m−1j=0 S2,i (y

ji ) = 0, for all i . Repeat for di�erent constant then solve

system [Biryukov, Shamir, 2001] 18 / 42



Conclusion



Works against more than 3 rounds if deg(S (AS )r−1) is low enough.

SPN degree bound

0

20

40

60

80

100

120

Number of rounds

0 1 2 3 4 5 6 7 8

2

Degree Bound (SPN) [Biryukov et al., 2017]

Let σ operate onm bits, deg(σ ) =m − 1, and n be the block size.Rhoughly speaking, deg

(S (AS )r−1

)< n − 1 as long as

(m − 1) br /2c < n .

19 / 42



Conclusion


A�acks Against Feistel Networks

Degree Bound (Feistel Network) [Perrin and Udovenko, 2016]

Let {F i }i<r be permutations of Fn/22 of degree d and let F r (F ) denote ther -round n-bit Feistel Network with round function F i . If

d br /2c−1 + d dr /2e−1 < n ,

then some degree n − 1 terms in the ANF of F r (F ) are missing.

20 / 42



Conclusion


What Does it Take to Have Full Degree?

The degree based distinguishers for SPNs and Feistel networks can be seenas particular cases of this lemma.

LemmaLet F : Fn2 → F2 be a Boolean function and let G : Fn2 → F

n2 be a

permutation. Then:

deg(F ◦G ) = n − 1 =⇒ deg(F ) + deg(G−1) ≥ n .

21 / 42



Conclusion

Definition of the TU-decompositionApplication to the Last Russian Standards

Outline

1 Introduction




5 Conclusion

21 / 42



Conclusion



1 Introduction


3 The TU-DecompositionDefinition of the TU-decompositionApplication to the Last Russian Standards


5 Conclusion

21 / 42



Conclusion


What is the TU-Decomposition?

The TU-decomposition is a decomposition algorithm working against vastgroups of algorithms: 3-round Feistel, Dillon’s APN permutation, SAS, ...

S TU-decompositionT

U

µ

η

T and U are mini-block ciphers ; µ and η are linear permutations.22 / 42



Conclusion


TU-Decomposition in a Nutshell

Let L be the LAT of the target S : Fn2 → Fn2 .

1 Identify vector spacesU andV of dimensionn/2 such that:

L (a,b) = 0, ∀(a,b) ∈ U ×V .

2 Deduce linear permutations µ ′ and η′ such that

L (µ ′(a),η′(b)) = 0, ∀(a,b) ∈ Fn/22 × Fn/22

3 Built new LAT L ′ such that

L ′(a,b) = L (µ ′(a),η′(b))

and recover S ′ with LAT L ′. Deduce µ,η.

T

U

µ

η

S’

23 / 42



Conclusion


Bootstrapping TU-Decomposition

OK... But how do we findU andV?

For now: we just look at the LAT and hope for the best!

24 / 42



Conclusion


Kuznyechik/Stribog

Stribog

Type Hash function

Publication [GOST, 2012]

Kuznyechik

Type Block cipher


Common ground

Both are standard symmetric primitives in Russia.

Both were designed by the FSB (TC26).

Both use the same 8 × 8 S-Box, π .

25 / 42



Conclusion


Kuznyechik/Stribog

Stribog

Type Hash function


Kuznyechik

Type Block cipher


Common ground

Both are standard symmetric primitives in Russia.

Both were designed by the FSB (TC26).

Both use the same 8 × 8 S-Box, π .25 / 42



Conclusion


The LAT of the S-Box of Kuznyechik

26 / 42



Conclusion


Applying one Linear Layer

27 / 42



Conclusion


Applying two Linear Layers

28 / 42



Conclusion


Final Decomposition Number 1

ω

σ

ϕ �

ν1ν0

I�

α

T

U

� Multiplication in F24

α Linear permutation

I Inversion in F24

ν0,ν1,σ 4 × 4 permutations

ϕ 4 × 4 function

ω Linear permutation

29 / 42



Conclusion


Final Decomposition Number 1

ω

σ

ϕ �

ν1ν0

I�

αT

U

� Multiplication in F24

α Linear permutation

I Inversion in F24

ν0,ν1,σ 4 × 4 permutations

ϕ 4 × 4 function

ω Linear permutation

29 / 42



Conclusion


Conclusion for Kuznyechik/Stribog?

The Russian S-Box was built like astrange Feistel...

... or was it?

Belarussian inspiration

The last standard of Belarus [Bel. St. Univ., 2011] uses an 8-bit S-box,

somewhat similar to π ...

... based on a finite field exponential!

30 / 42



Conclusion


Final Decomposition Number 2 (!)

ω ′

⊗−1

�

q′

logw,16

T

0 1 2 3 4 5 6 7 8 9 a b c d e fT0 0 1 2 3 4 5 6 7 8 9 a b c d e fT1 0 1 2 3 4 5 6 7 8 9 a b c d e fT2 0 1 2 3 4 5 6 7 8 9 a b c d f eT3 0 1 2 3 4 5 6 7 8 9 a b c f d eT4 0 1 2 3 4 5 6 7 8 9 a b f c d eT5 0 1 2 3 4 5 6 7 8 9 a f b c d eT6 0 1 2 3 4 5 6 7 8 9 f a b c d eT7 0 1 2 3 4 5 6 7 8 f 9 a b c d eT8 0 1 2 3 4 5 6 7 f 8 9 a b c d eT9 0 1 2 3 4 5 6 f 7 8 9 a b c d eTa 0 1 2 3 4 5 f 6 7 8 9 a b c d eTb 0 1 2 3 4 f 5 6 7 8 9 a b c d eTc 0 1 2 3 f 4 5 6 7 8 9 a b c d eTd 0 1 2 f 3 4 5 6 7 8 9 a b c d eTe 0 1 f 2 3 4 5 6 7 8 9 a b c d eTf 0 f 1 2 3 4 5 6 7 8 9 a b c d e

31 / 42



Conclusion


Conclusion on Kuznyechik/Stribog

π

32 / 42



Conclusion


Conclusion on Kuznyechik/Stribog

π

?

32 / 42



Conclusion

The Big APN Problem and its Only Known SolutionsOn Bu�erflies

Outline

1 Introduction




5 Conclusion

32 / 42



Conclusion



1 Introduction



4 A Decomposition of the 6-bit APN PermutationThe Big APN Problem and its Only Known SolutionsOn Bu�erflies

5 Conclusion

32 / 42



Conclusion


The Big APN Problem

Definition (APN function)

A function f : Fn2 → Fn2 is Almost Perfect Non-linear (APN) if

f (x ⊕ a) ⊕ f (x ) = b

has 0 or 2 solutions for all a , 0 and for all b.

Big APN Problem

Are there APN permutations operating on Fn2 where n is even?

33 / 42



Conclusion


Dillon et al.’s Permutation

Only One Known Solution!

For n = 6, Dillon et al. found an APN permutation.

It is possible to make a TU-decomposition!

34 / 42



Conclusion


On the Bu�erfly Structure

βx3

x1/3

�α

⊕

⊕

βx3

x3

�α

⊕

⊕

T

U

Definition (Open Bu�erfly H3α ,β

)

This permutation is an open bu�erfly.

LemmaDillon’s permutation is a�ine-equivalentto H3

w,1, where Tr (w ) = 0.

35 / 42



Conclusion


CCZ-equivalence (1/2)

Definition (CCZ-equivalence)

Let F and G be functions of Fn2 . They are CCZ-equivalent if there exists alinear permutation L of Fn2 × F

n2 such that

{(x , F (x )

),∀x ∈ Fn2

}=

{L(x ,G (x )

),∀x ∈ Fn2

}

Properties

CCZ-equivalence preserves:

the distribution of the coe�icients in the LAT (Walsh spectrum),

the distribution of the coe�icients in the DDT.

It does not preserve:

the position of the DDT/LAT coe�icients

the algebraic degree.

36 / 42



Conclusion


CCZ-equivalence (1/2)

Definition (CCZ-equivalence)

Let F and G be functions of Fn2 . They are CCZ-equivalent if there exists alinear permutation L of Fn2 × F

n2 such that

{(x , F (x )

),∀x ∈ Fn2

}=

{L(x ,G (x )

),∀x ∈ Fn2

}

Properties

CCZ-equivalence preserves:

the distribution of the coe�icients in the LAT (Walsh spectrum),

the distribution of the coe�icients in the DDT.

It does not preserve:

the position of the DDT/LAT coe�icients

the algebraic degree.36 / 42



Conclusion


Closed Bu�erflies

�α

⊕

x3

βx3 ⊕

�α

⊕

x3

βx3 ⊕

Definition (Closed bu�erfly V3α ,β

)

This quadratic function is a closedbu�erfly.

Lemma (Equivalence)

Open and closed bu�erflies with the sameparameters are CCZ-equivalent.

37 / 42



Conclusion


Bu�erflies and Feistel Networks

When α = 1, bu�erflies can be greatly simplified.

βx3⊕

x1/3 ⊕

βx3⊕

βx3 x3 βx3

⊕

⊕⊕

38 / 42



Conclusion


Some Properties of Bu�erflies

Theorem (Properties of bu�erflies [Canteaut et al., 2017])Let V3

α ,β and H3α ,β be bu�erflies operating on 2n bits, n odd. Then:

deg(V3α ,β

)= 2,

if n = 3, Tr (α ) = 0 and β + α 3 ∈ {α, 1/α }, thenmax(DDT ) = 2, max(W ) = 2n+1 and deg

(H3α ,β

)= n + 1 ,

if β = (1 + α )3, thenmax(DDT ) = 2n+1, max(W ) = 2(3n+1)/2 and deg

(H3α ,β

)= n ,

otherwise,

max(DDT ) = 4, max(W ) = 2n+1 and deg(H3α ,β

)∈ {n, n + 1}

and deg(H3α ,β

)= n if and only if

1 + α β + α 4 = (β + α + α 3)2 .

39 / 42



Conclusion

Conclusion

Outline

1 Introduction




5 Conclusion

39 / 42



Conclusion

Conclusion


1 Introduction




5 Conclusion

39 / 42



Conclusion

Conclusion

Conclusion

We can recover the majority of known S-Box structuresand derive new results about Skipjack and Kuznyechik.

We can generalize the permutation of Dillon et al...

but we can prove that our generalizations are never APN(except in the known case).

There are still S-Boxes with unknown building strategies(CMEA, CSS)!

40 / 42



Conclusion

Conclusion

The Last S-Box

14 11 60 6d e9 10 e3 2 b 90 d 17 c5 b0 9f c5d8 da be 22 8 f3 4 a9 fe f3 f5 fc bc 30 be 26bb 88 85 46 f4 2e e fd 76 fe b0 11 4e de 35 bb30 4b 30 d6 dd df df d4 90 7a d8 8c 6a 89 30 39e9 1 da d2 85 87 d3 d4 ba 2b d4 9f 9c 38 8c 55d3 86 bb db ec e0 46 48 bf 46 1b 1c d7 d9 1b e023 d4 d7 7f 16 3f 3 3 44 c3 59 10 2a da ed e98e d8 d1 db cb cb c3 c7 38 22 34 3d db 85 23 7c24 d1 d8 2e fc 44 8 38 c8 c7 39 4c 5f 56 2a cfd0 e9 d2 68 e4 e3 e9 13 e2 c 97 e4 60 29 d7 9bd9 16 24 94 b3 e3 4c 4c 4f 39 e0 4b bc 2c d3 9481 96 93 84 91 d0 2e d6 d2 2b 78 ef d6 9e 7b 72ad c4 68 92 7a d2 5 2b 1e d0 dc b1 22 3f c3 c388 b1 8d b5 e3 4e d7 81 3 15 17 25 4e 65 88 4ee4 3b 81 81 fa 1 1d 4 22 0 6 1 27 68 27 2e3b 83 c7 cc 25 9b d8 d5 1c 1f e5 59 7f 3f 3f ef

41 / 42



Conclusion

Conclusion

42 / 42

AppendixBibliography Back-Up Slides

Details About SkipjackN

um

ber

of

occ

urr

ence

s (l

og s

cale

)

100

200

300

Absolute value of the coe�cients in the LAT

22 23 24 25 26 27 28

1 / 4


Proof of Full Degree Condition

If deg(F ◦G ) = n − 1, then ∃i ≤ n such that⊕

x ∈Ci (F ◦G ) (x ) = 1.

Let Ii : Fn2 → F2 be such that Ii (x ) = 1⇔ x ∈ Ci :⊕x ∈Ci

(F ◦G ) (x ) =⊕x ∈Fn2

F(G (x )

)× Ii (x ) ,

and let y = G (x ). Then:⊕x ∈Ci

(F ◦G ) (x ) =⊕y∈Fn2

F (y) × Ii(G−1 (y)

).

This sum is equal to 1 if and only if x 7→ F (x ) × Ii(G−1 (x )

)has degree n.

Ii is a�ine (Ii (x ) = 1 + xi ). Thus, the sum can be equal to 1 only if

deg(F ) + deg(G−1) ≥ n .

�

2 / 4




x ∈Ci (F ◦G ) (x ) = 1.


(F ◦G ) (x ) =⊕x ∈Fn2

F(G (x )

)× Ii (x ) ,


(F ◦G ) (x ) =⊕y∈Fn2

F (y) × Ii(G−1 (y)

).


)has degree n.

Ii is a�ine (Ii (x ) = 1 + xi ).

Thus, the sum can be equal to 1 only if

deg(F ) + deg(G−1) ≥ n .

�

2 / 4




x ∈Ci (F ◦G ) (x ) = 1.


(F ◦G ) (x ) =⊕x ∈Fn2

F(G (x )

)× Ii (x ) ,


(F ◦G ) (x ) =⊕y∈Fn2

F (y) × Ii(G−1 (y)

).


)has degree n.

Ii is a�ine (Ii (x ) = 1 + xi ). Thus, the sum can be equal to 1 only if

deg(F ) + deg(G−1) ≥ n .

�2 / 4

AppendixBibliography

Bibliography I

Bel. St. Univ. (2011).“Information technologies. Data protection. Cryptographic algorithms for encryptionand integrity control.”.State Standard of Republic of Belarus (STB 34.101.31-2011).http://apmi.bsu.by/assets/files/std/belt-spec27.pdf.

Biryukov, A., Khovratovich, D., and Perrin, L. (2017).Multiset-algebraic cryptanalysis of reduced Kuznyechik, Khazad, and secret SPNs.IACR Transactions on Symmetric Cryptology, 2016(2):226–247.

Canteaut, A., Duval, S., and Perrin, L. (2017).A generalisation of Dillon’s APN permutation with the best known di�erential andnonlinear properties for all fields of size 24k+2.IEEE Transactions on Information Theory, (to appear).

GOST (2012).Gost r 34.11-2012: Streebog hash function.https://www.streebog.net/.

3 / 4

http://apmi.bsu.by/assets/files/std/belt-spec27.pdf

https://www.streebog.net/

AppendixBibliography

Bibliography II

GOST (2015).

(GOST R 34.12–2015) information technology – cryptographic data security – blockciphers.

http://tc26.ru/en/standard/gost/GOST_R_34_12_2015_ENG.pdf.

Perrin, L. and Udovenko, A. (2016).

Algebraic insights into the secret feistel network.

In Peyrin, T., editor, Fast So�ware Encryption – FSE 2016, volume 9783 of Lecture Notes inComputer Science, pages 378–398. Springer, Heidelberg.

4 / 4

http://tc26.ru/en/standard/gost/GOST_R_34_12_2015_ENG.pdf

on s-box reverse-engineering: from cryptanalysis to the

Documents