s-box reverse-engineering boolean functions, american
TRANSCRIPT
![Page 1: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/1.jpg)
S-Box Reverse-EngineeringBoolean Functions, American/Russian Standards, and Butterflies
Léo PerrinBased on joint works with Biryukov, Canteaut, Duval and Udovenko
June 6, 2018CECC’18
![Page 2: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/2.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Outline
1 Building Blocks for Symmetric Cryptography
2 Statistics and Skipjack
3 TU-Decomposition and Kuznyechik
4 The Butterfly Permutations and Functions
5 Conclusion
1 / 46
![Page 3: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/3.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Basics of Symmetric CryptographyBlock Cipher Design
Outline
1 Building Blocks for Symmetric Cryptography
2 Statistics and Skipjack
3 TU-Decomposition and Kuznyechik
4 The Butterfly Permutations and Functions
5 Conclusion
1 / 46
![Page 4: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/4.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Basics of Symmetric CryptographyBlock Cipher Design
Symmetric Cryptography
There are many symmetric algorithms! Hash functions, MACs...
Definition (Block Cipher)
Input: n-bit block x
Parameter: k-bit key κ
Output: n-bit block Eκ(x)
Symmetry: E and E−1 use the same κ
E
x
Eκ(x)
κ
Properties needed:
Diffusion Confusion No cryptanalysis!
2 / 46
![Page 5: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/5.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Basics of Symmetric CryptographyBlock Cipher Design
Symmetric Cryptography
There are many symmetric algorithms! Hash functions, MACs...
Definition (Block Cipher)
Input: n-bit block x
Parameter: k-bit key κ
Output: n-bit block Eκ(x)
Symmetry: E and E−1 use the same κ
E
x
Eκ(x)
κ
Properties needed:
Diffusion Confusion No cryptanalysis!
2 / 46
![Page 6: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/6.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Basics of Symmetric CryptographyBlock Cipher Design
Symmetric Cryptography
There are many symmetric algorithms! Hash functions, MACs...
Definition (Block Cipher)
Input: n-bit block x
Parameter: k-bit key κ
Output: n-bit block Eκ(x)
Symmetry: E and E−1 use the same κ
E
x
Eκ(x)
κ
Properties needed:
Diffusion Confusion No cryptanalysis!
2 / 46
![Page 7: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/7.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Basics of Symmetric CryptographyBlock Cipher Design
No Cryptanalysis?
Let us look at a typical cryptanalysis technique: the differentialattack.
3 / 46
![Page 8: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/8.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Basics of Symmetric CryptographyBlock Cipher Design
Differential Attacks
⊕6ec1067e5c5391ae 6ec1067e5c5390ae
a =0000000000000100
x x⊕ a
a
Eκ Eκ
0x7e6f661193739cea 0x04d4595257eb06c8Eκ(x) Eκ(x⊕ a)
b =7abb3f43c4989a22
⊕
b
⊕
Differential AttackIf there aremany x such that Eκ(x)⊕ Eκ(x⊕ a) = b, then the cipher is not secure.
4 / 46
![Page 9: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/9.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Basics of Symmetric CryptographyBlock Cipher Design
Differential Attacks
⊕6ec1067e5c5391ae 6ec1067e5c5390ae
a =0000000000000100
x x⊕ a
a
Eκ Eκ
0x7e6f661193739cea 0x04d4595257eb06c8Eκ(x) Eκ(x⊕ a)
b =7abb3f43c4989a22
⊕
b
⊕
Differential AttackIf there aremany x such that Eκ(x)⊕ Eκ(x⊕ a) = b, then the cipher is not secure.
4 / 46
![Page 10: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/10.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Basics of Symmetric CryptographyBlock Cipher Design
Differential Attacks
⊕6ec1067e5c5391ae 6ec1067e5c5390ae
a =0000000000000100
x x⊕ a
a
Eκ Eκ
0x7e6f661193739cea 0x04d4595257eb06c8
Eκ(x) Eκ(x⊕ a)
b =7abb3f43c4989a22
⊕
b
⊕
Differential AttackIf there aremany x such that Eκ(x)⊕ Eκ(x⊕ a) = b, then the cipher is not secure.
4 / 46
![Page 11: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/11.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Basics of Symmetric CryptographyBlock Cipher Design
Differential Attacks
⊕6ec1067e5c5391ae 6ec1067e5c5390ae
a =0000000000000100
x x⊕ a
a
Eκ Eκ
0x7e6f661193739cea 0x04d4595257eb06c8
Eκ(x) Eκ(x⊕ a)
b =7abb3f43c4989a22
⊕
b
⊕
Differential AttackIf there aremany x such that Eκ(x)⊕ Eκ(x⊕ a) = b, then the cipher is not secure.
4 / 46
![Page 12: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/12.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Basics of Symmetric CryptographyBlock Cipher Design
Differential Attacks
⊕
6ec1067e5c5391ae 6ec1067e5c5390ae
a =0000000000000100
x x⊕ a
a
Eκ Eκ
0x7e6f661193739cea 0x04d4595257eb06c8
Eκ(x) Eκ(x⊕ a)
b =7abb3f43c4989a22
⊕
b
⊕
Differential AttackIf there aremany x such that Eκ(x)⊕ Eκ(x⊕ a) = b, then the cipher is not secure.
4 / 46
![Page 13: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/13.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Basics of Symmetric CryptographyBlock Cipher Design
Differential Attacks
⊕
6ec1067e5c5391ae 6ec1067e5c5390ae
a =0000000000000100
x x⊕ a
a
Eκ Eκ
0x7e6f661193739cea 0x04d4595257eb06c8
Eκ(x) Eκ(x⊕ a)
b =7abb3f43c4989a22
⊕
b
⊕
Differential AttackIf there aremany x such that Eκ(x)⊕ Eκ(x⊕ a) = b, then the cipher is not secure.
4 / 46
![Page 14: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/14.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Basics of Symmetric CryptographyBlock Cipher Design
Basic Block Cipher Structure
How do we build block ciphers that prevent such attacks (as well asothers)?
S
⊕
S
⊕
S
⊕
S
⊕
S
⊕
S
⊕
S
⊕
S
⊕κi
L
Substitution-Permutation NetworkSuch a block cipher iterates the round function above several times. S is theSubstitution Box (S-Box).
5 / 46
![Page 15: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/15.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Basics of Symmetric CryptographyBlock Cipher Design
Basic Block Cipher Structure
How do we build block ciphers that prevent such attacks (as well asothers)?
S
⊕
S
⊕
S
⊕
S
⊕
S
⊕
S
⊕
S
⊕
S
⊕κi
L
Substitution-Permutation NetworkSuch a block cipher iterates the round function above several times. S is theSubstitution Box (S-Box).
5 / 46
![Page 16: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/16.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Basics of Symmetric CryptographyBlock Cipher Design
Basic Block Cipher Structure
How do we build block ciphers that prevent such attacks (as well asothers)?
S
⊕
S
⊕
S
⊕
S
⊕
S
⊕
S
⊕
S
⊕
S
⊕κi
L
Substitution-Permutation NetworkSuch a block cipher iterates the round function above several times. S is theSubstitution Box (S-Box).
5 / 46
![Page 17: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/17.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Basics of Symmetric CryptographyBlock Cipher Design
The S-Box (1/2)
The S-Box π of the latest Russian standards, Kuznyechik (BC) and Streebog (HF).
6 / 46
![Page 18: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/18.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Basics of Symmetric CryptographyBlock Cipher Design
The S-Box (2/2)
Importance of the S-Box
If S is such thatS(x)⊕ S(x⊕ a) = b
does not have many solutions x for all (a, b) then the cipher may be proved secureagainst differential attacks.
In academic papers presenting new block ciphers, the choice of S iscarefully explained.
7 / 46
![Page 19: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/19.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Basics of Symmetric CryptographyBlock Cipher Design
The S-Box (2/2)
Importance of the S-Box
If S is such thatS(x)⊕ S(x⊕ a) = b
does not have many solutions x for all (a, b) then the cipher may be proved secureagainst differential attacks.
In academic papers presenting new block ciphers, the choice of S iscarefully explained.
7 / 46
![Page 20: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/20.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Basics of Symmetric CryptographyBlock Cipher Design
S-Box Design
8 / 46
![Page 21: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/21.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Basics of Symmetric CryptographyBlock Cipher Design
S-Box Design
8 / 46
![Page 22: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/22.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Basics of Symmetric CryptographyBlock Cipher Design
S-Box Design
Khazad...
iScream...
Grøstl...
8 / 46
![Page 23: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/23.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Basics of Symmetric CryptographyBlock Cipher Design
S-Box Reverse-Engineering
S
9 / 46
![Page 24: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/24.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Basics of Symmetric CryptographyBlock Cipher Design
S-Box Reverse-Engineering
S??
?
9 / 46
![Page 25: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/25.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Basics of Symmetric CryptographyBlock Cipher Design
Motivation (1/3)
A malicious designer can easily hide a structure in an S-Box.
To keep an advantage in implementation (WB crypto)...... or an advantage in cryptanalysis (backdoor).
10 / 46
![Page 26: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/26.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Basics of Symmetric CryptographyBlock Cipher Design
Motivation (1/3)
A malicious designer can easily hide a structure in an S-Box.
To keep an advantage in implementation (WB crypto)...
... or an advantage in cryptanalysis (backdoor).
10 / 46
![Page 27: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/27.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Basics of Symmetric CryptographyBlock Cipher Design
Motivation (1/3)
A malicious designer can easily hide a structure in an S-Box.
To keep an advantage in implementation (WB crypto)...... or an advantage in cryptanalysis (backdoor).
10 / 46
![Page 28: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/28.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Basics of Symmetric CryptographyBlock Cipher Design
Motivation (2/3)
Definition (Kleptography)
The study of trapdoored cryptography is called kleptography (term introduced byJung and Young).
S-Box based backdoors in the literature
Rijmen, V., & Preneel, B. (1997). A family of trapdoor ciphers. FSE’97.
Patterson, K. (1999). Imprimitive Permutation Groups and Trapdoors inIterated Block Ciphers. FSE’99.
Blondeau, C., Civino, R., & Sala, M. (2017). Differential Attacks: UsingAlternative Operations. eprint report 2017/610.
Bannier, A., & Filiol, E. (2017). Partition-based trapdoor ciphers. InTech’17.
11 / 46
![Page 29: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/29.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Basics of Symmetric CryptographyBlock Cipher Design
Motivation (3/3)
Even without malicious intent, an unexpected structure can be aproblem.
=⇒ We need tools to reverse-engineer S-Boxes!
12 / 46
![Page 30: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/30.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Two TablesStatistical Analysis of the Two TablesApplication to Skipjack
Outline
1 Building Blocks for Symmetric Cryptography
2 Statistics and Skipjack
3 TU-Decomposition and Kuznyechik
4 The Butterfly Permutations and Functions
5 Conclusion
12 / 46
![Page 31: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/31.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Two TablesStatistical Analysis of the Two TablesApplication to Skipjack
Summary
We can recover parts of the design process of an S-Box using some statistics.
1 The two tables (basics of Boolean functions for cryptography)
2 A satistical tool based on the two tables
3 Application to NSA’s Skipjack
13 / 46
![Page 32: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/32.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Two TablesStatistical Analysis of the Two TablesApplication to Skipjack
The Two Tables
Let S : Fn2 → Fn
2 be an S-Box.
Definition (DDT)
The Difference Distribution Table of S is a matrix of size 2n × 2n such that
DDT[a, b] = #{x ∈ Fn2 | S (x⊕ a)⊕ S(x) = b}.
Definition (LAT)
The Linear Approximations Table of S is a matrix of size 2n × 2n such that
LAT[a, b] = #{x ∈ Fn2 | x · a = S(x) · b} − 2n−1.
14 / 46
![Page 33: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/33.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Two TablesStatistical Analysis of the Two TablesApplication to Skipjack
The Two Tables
Let S : Fn2 → Fn
2 be an S-Box.
Definition (DDT)
The Difference Distribution Table of S is a matrix of size 2n × 2n such that
DDT[a, b] = #{x ∈ Fn2 | S (x⊕ a)⊕ S(x) = b}.
Definition (LAT)
The Linear Approximations Table of S is a matrix of size 2n × 2n such that
LAT[a, b] = #{x ∈ Fn2 | x · a = S(x) · b} − 2n−1.
14 / 46
![Page 34: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/34.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Two TablesStatistical Analysis of the Two TablesApplication to Skipjack
The Two Tables
Let S : Fn2 → Fn
2 be an S-Box.
Definition (DDT)
The Difference Distribution Table of S is a matrix of size 2n × 2n such that
DDT[a, b] = #{x ∈ Fn2 | S (x⊕ a)⊕ S(x) = b}.
Definition (LAT)
The Linear Approximations Table of S is a matrix of size 2n × 2n such that
LAT[a, b] = #{x ∈ Fn2 | x · a = S(x) · b} − 2n−1.
14 / 46
![Page 35: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/35.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Two TablesStatistical Analysis of the Two TablesApplication to Skipjack
Example
S = [4, 2, 1, 6, 0, 5, 7, 3]
The DDT of S.
8 0 0 0 0 0 0 00 0 0 0 2 2 2 20 0 0 0 2 2 2 20 0 4 4 0 0 0 00 0 0 0 2 2 2 20 4 4 0 0 0 0 00 4 0 4 0 0 0 00 0 0 0 2 2 2 2
The LAT of S.
4 0 0 0 0 0 0 00 0 2 2 0 0 2 −20 2 2 0 0 2 −2 00 2 0 2 0 −2 0 20 2 0 −2 0 −2 0 −20 −2 2 0 0 −2 −2 00 0 −2 2 0 0 −2 −20 0 0 0 −4 0 0 0
15 / 46
![Page 36: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/36.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Two TablesStatistical Analysis of the Two TablesApplication to Skipjack
Coefficient Distribution in the DDT
If an n-bit S-Box is bijective, then its DDT coefficients behave like independent andidentically distributed random variables following a Poisson distribution:
Pr [DDT[a, b] = 2z] =e−1/2
2zz.
Always even,≥ 0
Typically between 0 and 16.
Lower is better.
16 / 46
![Page 37: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/37.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Two TablesStatistical Analysis of the Two TablesApplication to Skipjack
Coefficient Distribution in the DDT
If an n-bit S-Box is bijective, then its DDT coefficients behave like independent andidentically distributed random variables following a Poisson distribution:
Pr [DDT[a, b] = 2z] =e−1/2
2zz.
Always even,≥ 0
Typically between 0 and 16.
Lower is better.
16 / 46
![Page 38: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/38.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Two TablesStatistical Analysis of the Two TablesApplication to Skipjack
Coefficient Distribution in the LAT
If an n-bit S-Box is bijective, then its LAT coefficients behave like independent andidentically distributed random variables following this distribution:
Pr [LAT[a, b] = 2z] =
( 2n−1
2n−2+z
)( 2n
2n−1
) .
Always even, signed.
Typically between -40 and 40.
Lower absolute value is better.
17 / 46
![Page 39: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/39.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Two TablesStatistical Analysis of the Two TablesApplication to Skipjack
Coefficient Distribution in the LAT
If an n-bit S-Box is bijective, then its LAT coefficients behave like independent andidentically distributed random variables following this distribution:
Pr [LAT[a, b] = 2z] =
( 2n−1
2n−2+z
)( 2n
2n−1
) .
Always even, signed.
Typically between -40 and 40.
Lower absolute value is better.
17 / 46
![Page 40: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/40.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Two TablesStatistical Analysis of the Two TablesApplication to Skipjack
Looking Only at the Maximum
δ log2 (Pr [max(DDT) ≤ δ])
14 -0.006
12 -0.094
10 -1.329
8 -16.148
6 -164.466
4 -1359.530
DDT
ℓ log2 (Pr [max(LAT) ≤ ℓ])
38 -0.08436 -0.30234 -1.00832 -3.16030 -9.28828 -25.62326 -66.41524 -161.90022 -371.609
LAT
Probability that the maximum coefficient in the DDT/LAT of an 8-bit permutationis at most equal to a certain threshold.
18 / 46
![Page 41: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/41.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Two TablesStatistical Analysis of the Two TablesApplication to Skipjack
Looking Only at the Maximum
δ log2 (Pr [max(DDT) ≤ δ])
14 -0.006
12 -0.094
10 -1.329
8 -16.148
6 -164.466
4 -1359.530
DDT
ℓ log2 (Pr [max(LAT) ≤ ℓ])
38 -0.08436 -0.30234 -1.00832 -3.16030 -9.28828 -25.62326 -66.41524 -161.90022 -371.609
LAT
Probability that the maximum coefficient in the DDT/LAT of an 8-bit permutationis at most equal to a certain threshold.
18 / 46
![Page 42: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/42.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Two TablesStatistical Analysis of the Two TablesApplication to Skipjack
What is Skipjack? (1/2)
Type Block cipher
Bloc 64 bits
Key 80 bits
Authors NSA
Publication 1998
19 / 46
![Page 43: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/43.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Two TablesStatistical Analysis of the Two TablesApplication to Skipjack
What is Skipjack? (2/2)
Skipjack was supposed to be secret...
... but eventually published in 1998.
Skipjack was to be used by the Clipper Chip,
It uses an 8× 8 S-Box (F) specified only by its LUT.
20 / 46
![Page 44: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/44.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Two TablesStatistical Analysis of the Two TablesApplication to Skipjack
What is Skipjack? (2/2)
Skipjack was supposed to be secret...
... but eventually published in 1998.
Skipjack was to be used by the Clipper Chip,
It uses an 8× 8 S-Box (F) specified only by its LUT.
20 / 46
![Page 45: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/45.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Two TablesStatistical Analysis of the Two TablesApplication to Skipjack
What is Skipjack? (2/2)
Skipjack was supposed to be secret...
... but eventually published in 1998.
Skipjack was to be used by the Clipper Chip,
It uses an 8× 8 S-Box (F) specified only by its LUT.
20 / 46
![Page 46: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/46.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Two TablesStatistical Analysis of the Two TablesApplication to Skipjack
Reverse-Engineering F
For Skipjack’s F, max(LAT) = 28 and#28 = 3.
Probability (log2)
−70
−60
−50
−40
−30
−20
N28
0 5 10 15 20 25 30 35 40
2
4
5
Pr[max = 28]
Pr[max = 26]
Pr[max = 28, #28 ≤ N28]
Pr [max(LAT) = 28 and#28 ≤ 3] ≈ 2−55
21 / 46
![Page 47: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/47.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Two TablesStatistical Analysis of the Two TablesApplication to Skipjack
Reverse-Engineering F
For Skipjack’s F, max(LAT) = 28 and#28 = 3.Probability (log2)
−70
−60
−50
−40
−30
−20
N28
0 5 10 15 20 25 30 35 40
2
4
5
Pr[max = 28]
Pr[max = 26]
Pr[max = 28, #28 ≤ N28]
Probability (log2)
−70
−60
−50
−40
−30
−20
N28
0 5 10 15 20 25 30 35 40
2
4
5
Pr[max = 28]
Pr[max = 26]
Pr[max = 28, #28 ≤ N28]
Pr [max(LAT) = 28 and#28 ≤ 3] ≈ 2−55
21 / 46
![Page 48: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/48.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Two TablesStatistical Analysis of the Two TablesApplication to Skipjack
Reverse-Engineering F
For Skipjack’s F, max(LAT) = 28 and#28 = 3.Probability (log2)
−70
−60
−50
−40
−30
−20
N28
0 5 10 15 20 25 30 35 40
2
4
5
Pr[max = 28]
Pr[max = 26]
Pr[max = 28, #28 ≤ N28]
Pr [max(LAT) = 28 and#28 ≤ 3] ≈ 2−55
21 / 46
![Page 49: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/49.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Two TablesStatistical Analysis of the Two TablesApplication to Skipjack
Reverse-Engineering F
For Skipjack’s F, max(LAT) = 28 and#28 = 3.Probability (log2)
−70
−60
−50
−40
−30
−20
N28
0 5 10 15 20 25 30 35 40
2
4
5
Pr[max = 28]
Pr[max = 26]
Pr[max = 28, #28 ≤ N28]
Pr [max(LAT) = 28 and#28 ≤ 3] ≈ 2−55
21 / 46
![Page 50: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/50.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Two TablesStatistical Analysis of the Two TablesApplication to Skipjack
What Can We Deduce?
F has not been picked uniformly at random.
F has not been picked among a feasibly large set of random S-Boxes.
Its linear properties were optimized (though poorly).
The S-Box of Skipjack was builtusing a dedicated algorithm.
22 / 46
![Page 51: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/51.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Two TablesStatistical Analysis of the Two TablesApplication to Skipjack
What Can We Deduce?
F has not been picked uniformly at random.
F has not been picked among a feasibly large set of random S-Boxes.
Its linear properties were optimized (though poorly).
The S-Box of Skipjack was builtusing a dedicated algorithm.
22 / 46
![Page 52: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/52.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Two TablesStatistical Analysis of the Two TablesApplication to Skipjack
Timeline
1987 Initial design of Skipjack
Aug 90 (CRYPTO) Gilbert et al. use linear relations for key recovery (FEAL)
Aug 91 (CRYPTO) Attack against FEAL using linear relations between key,plaintext and ciphertext
May 92 (EUROCRYPT) Other attack against FEAL using linear relationsbetween key, plaintext and ciphertext
Aug 92 The S-Box (“F-table”) of Skipjack is changed
Jul 93 “interim report” on Skipjack published by external cryptographers
Aug 95 Alleged “Skipjack” (actually not) is leaked to usenet
Sep 95 Schneier published his thoughts on “alleged Skipjack”, includingthe result of a FOIA request
Jun 98 Declassification of Skipjack
23 / 46
![Page 53: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/53.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Two TablesStatistical Analysis of the Two TablesApplication to Skipjack
Timeline
1987 Initial design of Skipjack
Aug 90 (CRYPTO) Gilbert et al. use linear relations for key recovery (FEAL)
Aug 91 (CRYPTO) Attack against FEAL using linear relations between key,plaintext and ciphertext
May 92 (EUROCRYPT) Other attack against FEAL using linear relationsbetween key, plaintext and ciphertext
Aug 92 The S-Box (“F-table”) of Skipjack is changed
Jul 93 “interim report” on Skipjack published by external cryptographers
Aug 95 Alleged “Skipjack” (actually not) is leaked to usenet
Sep 95 Schneier published his thoughts on “alleged Skipjack”, includingthe result of a FOIA request
Jun 98 Declassification of Skipjack
23 / 46
![Page 54: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/54.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Two TablesStatistical Analysis of the Two TablesApplication to Skipjack
Timeline
1987 Initial design of Skipjack
Aug 90 (CRYPTO) Gilbert et al. use linear relations for key recovery (FEAL)
Aug 91 (CRYPTO) Attack against FEAL using linear relations between key,plaintext and ciphertext
May 92 (EUROCRYPT) Other attack against FEAL using linear relationsbetween key, plaintext and ciphertext
Aug 92 The S-Box (“F-table”) of Skipjack is changed
Jul 93 “interim report” on Skipjack published by external cryptographers
Aug 95 Alleged “Skipjack” (actually not) is leaked to usenet
Sep 95 Schneier published his thoughts on “alleged Skipjack”, includingthe result of a FOIA request
Jun 98 Declassification of Skipjack
23 / 46
![Page 55: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/55.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Two TablesStatistical Analysis of the Two TablesApplication to Skipjack
Timeline
1987 Initial design of Skipjack
Aug 90 (CRYPTO) Gilbert et al. use linear relations for key recovery (FEAL)
Aug 91 (CRYPTO) Attack against FEAL using linear relations between key,plaintext and ciphertext
May 92 (EUROCRYPT) Other attack against FEAL using linear relationsbetween key, plaintext and ciphertext
Aug 92 The S-Box (“F-table”) of Skipjack is changed
Jul 93 “interim report” on Skipjack published by external cryptographers
Aug 95 Alleged “Skipjack” (actually not) is leaked to usenet
Sep 95 Schneier published his thoughts on “alleged Skipjack”, includingthe result of a FOIA request
Jun 98 Declassification of Skipjack
23 / 46
![Page 56: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/56.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Two TablesStatistical Analysis of the Two TablesApplication to Skipjack
Timeline
1987 Initial design of Skipjack
Aug 90 (CRYPTO) Gilbert et al. use linear relations for key recovery (FEAL)
Aug 91 (CRYPTO) Attack against FEAL using linear relations between key,plaintext and ciphertext
May 92 (EUROCRYPT) Other attack against FEAL using linear relationsbetween key, plaintext and ciphertext
Aug 92 The S-Box (“F-table”) of Skipjack is changed
Jul 93 “interim report” on Skipjack published by external cryptographers
Aug 95 Alleged “Skipjack” (actually not) is leaked to usenet
Sep 95 Schneier published his thoughts on “alleged Skipjack”, includingthe result of a FOIA request
Jun 98 Declassification of Skipjack
23 / 46
![Page 57: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/57.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Two TablesStatistical Analysis of the Two TablesApplication to Skipjack
Conclusion on Skipjack
F
24 / 46
![Page 58: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/58.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Two TablesStatistical Analysis of the Two TablesApplication to Skipjack
Conclusion on Skipjack
F
24 / 46
![Page 59: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/59.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Streebog and KuznyechikDecomposing the Mysterious S-Box
Outline
1 Building Blocks for Symmetric Cryptography
2 Statistics and Skipjack
3 TU-Decomposition and Kuznyechik
4 The Butterfly Permutations and Functions
5 Conclusion
24 / 46
![Page 60: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/60.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Streebog and KuznyechikDecomposing the Mysterious S-Box
Summary
We can recover an actual decomposition using patterns in the LAT.
1 Our target, the S-Box of Kuznyechik and Streebog
2 TU-decomposition: what is it and how to apply it to Kuznyechik
25 / 46
![Page 61: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/61.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Streebog and KuznyechikDecomposing the Mysterious S-Box
Kuznyechik/Stribog
Stribog
Type Hash function
Publication 2012
Kuznyechik
Type Block cipher
Publication 2015
Common ground
Both are standard symmetric primitives in Russia.
Both were designed by the FSB (TC26).
Both use the same 8× 8 S-Box, π.
26 / 46
![Page 62: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/62.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Streebog and KuznyechikDecomposing the Mysterious S-Box
Kuznyechik/Stribog
Stribog
Type Hash function
Publication 2012
Kuznyechik
Type Block cipher
Publication 2015
Common ground
Both are standard symmetric primitives in Russia.
Both were designed by the FSB (TC26).
Both use the same 8× 8 S-Box, π.
26 / 46
![Page 63: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/63.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Streebog and KuznyechikDecomposing the Mysterious S-Box
The LAT of π
27 / 46
![Page 64: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/64.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Streebog and KuznyechikDecomposing the Mysterious S-Box
The LAT of η (reordered columns)
28 / 46
![Page 65: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/65.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Streebog and KuznyechikDecomposing the Mysterious S-Box
The LAT of η ◦ π ◦ µ
29 / 46
![Page 66: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/66.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Streebog and KuznyechikDecomposing the Mysterious S-Box
The TU-Decomposition
DefinitionThe TU-decomposition is a decomposition algorithm working against S-Boxes withvector spaces of zeroes in their LAT.
S TU-decompositionT
U
α
ω
T and U are mini-block ciphers ; µ and η are linear permutations.
30 / 46
![Page 67: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/67.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Streebog and KuznyechikDecomposing the Mysterious S-Box
Final Decomposition Number 1
ω
σ
ϕ ⊙
ν1ν0
I⊙
α
⊙ Multiplication in F24
α Linear permutation
I Inversion in F24
ν0, ν1, σ 4× 4 permutations
ϕ 4× 4 function
ω Linear permutation
31 / 46
![Page 68: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/68.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Streebog and KuznyechikDecomposing the Mysterious S-Box
Hardware Performance
Structure Area (µm2) Delay (ns)
Naive implementation 3889.6 362.52
Feistel-like 1534.7 61.53
Multiplications-first 1530.3 54.01
Feistel-like (with tweaked MUX) 1530.1 46.11
32 / 46
![Page 69: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/69.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Streebog and KuznyechikDecomposing the Mysterious S-Box
Conclusion for Kuznyechik/Stribog?
The Russian S-Box was built like astrange Feistel...
... or was it?
Belarussian inspiration
The last standard of Belarus (BelT) uses an 8-bit S-box,
somewhat similar to π...
... based on a finite field exponential!
33 / 46
![Page 70: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/70.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Streebog and KuznyechikDecomposing the Mysterious S-Box
Conclusion for Kuznyechik/Stribog?
The Russian S-Box was built like astrange Feistel...
... or was it?
Belarussian inspiration
The last standard of Belarus (BelT) uses an 8-bit S-box,
somewhat similar to π...
... based on a finite field exponential!
33 / 46
![Page 71: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/71.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Streebog and KuznyechikDecomposing the Mysterious S-Box
Conclusion for Kuznyechik/Stribog?
The Russian S-Box was built like astrange Feistel...
... or was it?
Belarussian inspiration
The last standard of Belarus (BelT) uses an 8-bit S-box,
somewhat similar to π...
... based on a finite field exponential!
33 / 46
![Page 72: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/72.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Streebog and KuznyechikDecomposing the Mysterious S-Box
Conclusion for Kuznyechik/Stribog?
The Russian S-Box was built like astrange Feistel...
... or was it?
Belarussian inspiration
The last standard of Belarus (BelT) uses an 8-bit S-box,
somewhat similar to π...
... based on a finite field exponential!
33 / 46
![Page 73: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/73.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Streebog and KuznyechikDecomposing the Mysterious S-Box
Final Decomposition Number 2 (!)
ω′
⊗−1
⊞
q′
logw,16
T
0 1 2 3 4 5 6 7 8 9 a b c d e fT0 0 1 2 3 4 5 6 7 8 9 a b c d e fT1 0 1 2 3 4 5 6 7 8 9 a b c d e fT2 0 1 2 3 4 5 6 7 8 9 a b c d f eT3 0 1 2 3 4 5 6 7 8 9 a b c f d eT4 0 1 2 3 4 5 6 7 8 9 a b f c d eT5 0 1 2 3 4 5 6 7 8 9 a f b c d eT6 0 1 2 3 4 5 6 7 8 9 f a b c d eT7 0 1 2 3 4 5 6 7 8 f 9 a b c d eT8 0 1 2 3 4 5 6 7 f 8 9 a b c d eT9 0 1 2 3 4 5 6 f 7 8 9 a b c d eTa 0 1 2 3 4 5 f 6 7 8 9 a b c d eTb 0 1 2 3 4 f 5 6 7 8 9 a b c d eTc 0 1 2 3 f 4 5 6 7 8 9 a b c d eTd 0 1 2 f 3 4 5 6 7 8 9 a b c d eTe 0 1 f 2 3 4 5 6 7 8 9 a b c d eTf 0 f 1 2 3 4 5 6 7 8 9 a b c d e
34 / 46
![Page 74: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/74.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Streebog and KuznyechikDecomposing the Mysterious S-Box
Conclusion on Kuznyechik/Stribog
π
35 / 46
![Page 75: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/75.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Streebog and KuznyechikDecomposing the Mysterious S-Box
Conclusion on Kuznyechik/Stribog
π
35 / 46
![Page 76: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/76.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Streebog and KuznyechikDecomposing the Mysterious S-Box
Conclusion on Kuznyechik/Stribog
π
35 / 46
![Page 77: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/77.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Streebog and KuznyechikDecomposing the Mysterious S-Box
Conclusion on Kuznyechik/Stribog
π
?
35 / 46
![Page 78: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/78.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Big APN Problem and its Only Known SolutionOn Butterflies
Outline
1 Building Blocks for Symmetric Cryptography
2 Statistics and Skipjack
3 TU-Decomposition and Kuznyechik
4 The Butterfly Permutations and Functions
5 Conclusion
35 / 46
![Page 79: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/79.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Big APN Problem and its Only Known SolutionOn Butterflies
Summary
We can obtain newmathematical results using reverse-engineering techniques.
1 The big APN problem and its only known solution
2 Decomposing and generalizing this solution as butterflies
36 / 46
![Page 80: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/80.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Big APN Problem and its Only Known SolutionOn Butterflies
NSUCRYPTO (Olympiad in Cryptography)
“Try to find an APN permutation on 8 variables or prove that it doesn’t exist.”
https://nsucrypto.nsu.ru/
37 / 46
![Page 81: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/81.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Big APN Problem and its Only Known SolutionOn Butterflies
The Big APN Problem
Definition (APN function)
A function S : Fn2 → Fn
2 is Almost Perfect Non-linear (APN) if
S(x⊕ a)⊕ S(x) = b
has 0 or 2 solutions for all a ̸= 0 and for all b.
Big APN Problem
Are there APN permutations operating on Fn2 where n is even?
38 / 46
![Page 82: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/82.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Big APN Problem and its Only Known SolutionOn Butterflies
The Big APN Problem
Definition (APN function)
A function S : Fn2 → Fn
2 is Almost Perfect Non-linear (APN) if
S(x⊕ a)⊕ S(x) = b
has 0 or 2 solutions for all a ̸= 0 and for all b.
Big APN Problem
Are there APN permutations operating on Fn2 where n is even?
38 / 46
![Page 83: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/83.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Big APN Problem and its Only Known SolutionOn Butterflies
Dillon et al.’s Permutation
Only One Known Solution!
For n = 6, Dillon et al. found an APN permutation.
It is possible to make a TU-decomposition!
39 / 46
![Page 84: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/84.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Big APN Problem and its Only Known SolutionOn Butterflies
Dillon et al.’s Permutation
Only One Known Solution!
For n = 6, Dillon et al. found an APN permutation.
It is possible to make a TU-decomposition!
39 / 46
![Page 85: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/85.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Big APN Problem and its Only Known SolutionOn Butterflies
Dillon et al.’s Permutation
Only One Known Solution!
For n = 6, Dillon et al. found an APN permutation.
It is possible to make a TU-decomposition!
39 / 46
![Page 86: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/86.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Big APN Problem and its Only Known SolutionOn Butterflies
Dillon et al.’s Permutation
Only One Known Solution!
For n = 6, Dillon et al. found an APN permutation.
It is possible to make a TU-decomposition!
39 / 46
![Page 87: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/87.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Big APN Problem and its Only Known SolutionOn Butterflies
On the Butterfly Structure
βx3
x1/3
⊙α
⊕
⊕
βx3
x3
⊙α
⊕
⊕
T
U
Definition (Open Butterfly H3α,β)
This permutation is an open butterfly.
LemmaDillon’s permutation is affine-equivalent toH3w,1, where Tr (w) = 0.
40 / 46
![Page 88: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/88.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Big APN Problem and its Only Known SolutionOn Butterflies
On the Butterfly Structure
βx3
x1/3
⊙α
⊕
⊕
βx3
x3
⊙α
⊕
⊕
T
U
Definition (Open Butterfly H3α,β)
This permutation is an open butterfly.
LemmaDillon’s permutation is affine-equivalent toH3w,1, where Tr (w) = 0.
40 / 46
![Page 89: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/89.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Big APN Problem and its Only Known SolutionOn Butterflies
Closed Butterflies
⊙α
⊕
x3
βx3 ⊕
⊙α
⊕
x3
βx3 ⊕
Definition (Closed butterfly V3α,β)
This quadratic function is a closed butterfly.
Lemma (Equivalence)
Open and closed butterflies with the sameparameters are CCZ-equivalent.
41 / 46
![Page 90: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/90.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Big APN Problem and its Only Known SolutionOn Butterflies
Closed Butterflies
⊙α
⊕
x3
βx3 ⊕
⊙α
⊕
x3
βx3 ⊕
Definition (Closed butterfly V3α,β)
This quadratic function is a closed butterfly.
Lemma (Equivalence)
Open and closed butterflies with the sameparameters are CCZ-equivalent.
41 / 46
![Page 91: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/91.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
The Big APN Problem and its Only Known SolutionOn Butterflies
Some Properties of Butterflies
Theorem (Properties of butterflies)Let V3α,β and H3
α,β be butterflies operating on 2n bits, n odd. Then:
deg(V3α,β
)= 2,
if n = 3, Tr (α) = 0 and β + α3 ∈ {α, 1/α}, thenmax(DDT) = 2, max(W) = 2n+1 and deg
(H3α,β
)= n+ 1 ,
if β = (1+ α)3 , thenmax(DDT) = 2n+1, max(W) = 2(3n+1)/2 and deg
(H3α,β
)= n ,
otherwise,
max(DDT) = 4, max(W) = 2n+1 and deg(H3α,β
)∈ {n, n+ 1}
and deg(H3α,β
)= n if and only if
1+ αβ + α4 = (β + α+ α3)2 .
42 / 46
![Page 92: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/92.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Conclusion
Outline
1 Building Blocks for Symmetric Cryptography
2 Statistics and Skipjack
3 TU-Decomposition and Kuznyechik
4 The Butterfly Permutations and Functions
5 Conclusion
42 / 46
![Page 93: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/93.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Conclusion
Open Problem
A hidden structure!CMEA uses an 8-bit (non-bijective) S-Box... With a TU-decomposition!
What is its actual structure?
43 / 46
![Page 94: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/94.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Conclusion
Open Problem
A hidden structure!CMEA uses an 8-bit (non-bijective) S-Box... With a TU-decomposition!
What is its actual structure?
43 / 46
![Page 95: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/95.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Conclusion
Conclusion
1 Cryptographers use mathematics but mathematicians couldalso use crypto!
2 If you design a cipher, justify every step of your design.
3 If you choose a cipher, demand a full design explanation.
44 / 46
![Page 96: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/96.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Conclusion
Conclusion
1 Cryptographers use mathematics but mathematicians couldalso use crypto!
2 If you design a cipher, justify every step of your design.
3 If you choose a cipher, demand a full design explanation.
44 / 46
![Page 97: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/97.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Conclusion
Conclusion
1 Cryptographers use mathematics but mathematicians couldalso use crypto!
2 If you design a cipher, justify every step of your design.
3 If you choose a cipher, demand a full design explanation.
44 / 46
![Page 98: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/98.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Conclusion
The Last S-Box
14 11 60 6d e9 10 e3 2 b 90 d 17 c5 b0 9f c5d8 da be 22 8 f3 4 a9 fe f3 f5 fc bc 30 be 26bb 88 85 46 f4 2e e fd 76 fe b0 11 4e de 35 bb30 4b 30 d6 dd df df d4 90 7a d8 8c 6a 89 30 39e9 1 da d2 85 87 d3 d4 ba 2b d4 9f 9c 38 8c 55d3 86 bb db ec e0 46 48 bf 46 1b 1c d7 d9 1b e023 d4 d7 7f 16 3f 3 3 44 c3 59 10 2a da ed e98e d8 d1 db cb cb c3 c7 38 22 34 3d db 85 23 7c24 d1 d8 2e fc 44 8 38 c8 c7 39 4c 5f 56 2a cfd0 e9 d2 68 e4 e3 e9 13 e2 c 97 e4 60 29 d7 9bd9 16 24 94 b3 e3 4c 4c 4f 39 e0 4b bc 2c d3 9481 96 93 84 91 d0 2e d6 d2 2b 78 ef d6 9e 7b 72ad c4 68 92 7a d2 5 2b 1e d0 dc b1 22 3f c3 c388 b1 8d b5 e3 4e d7 81 3 15 17 25 4e 65 88 4ee4 3b 81 81 fa 1 1d 4 22 0 6 1 27 68 27 2e3b 83 c7 cc 25 9b d8 d5 1c 1f e5 59 7f 3f 3f ef
45 / 46
![Page 99: S-Box Reverse-Engineering Boolean Functions, American](https://reader034.vdocuments.net/reader034/viewer/2022042914/626a3d6697280519dc0324a6/html5/thumbnails/99.jpg)
Building Blocks for Symmetric CryptographyStatistics and Skipjack
TU-Decomposition and KuznyechikThe Butterfly Permutations and Functions
Conclusion
Conclusion
46 / 46