Reverse-Engineering the S-Box of Streebog,...
19
Transcript of Reverse-Engineering the S-Box of Streebog,...
Reverse-Engineering the S-Box of Streebog, Kuznyechik
and Stribob
Alex Biryukov, Léo Perrin, Aleksei Udovenko
SnT, University of Luxembourg
August 18, 2015
Biryukov, Perrin, Udovenko (uni.lu) Reverse-Engineering GOST's S-Box August 18, 2015 1 / 7
Our target
De�nition (π)
π is the S-Box used by:
Streebog (GOST latest hash function),
Kuznyechik (GOST latest block cipher),
STRIBOBr1 (CAESAR candidate). Not used by STRIBOBr2.
Properties
Permutation of 8 bits
P[di�erential properties] ≤ 2−82.7
... No explanation whatsoever.
Biryukov, Perrin, Udovenko (uni.lu) Reverse-Engineering GOST's S-Box August 18, 2015 2 / 7
Our target
De�nition (π)
π is the S-Box used by:
Streebog (GOST latest hash function),
Kuznyechik (GOST latest block cipher),
STRIBOBr1 (CAESAR candidate). Not used by STRIBOBr2.
Properties
Permutation of 8 bits
P[di�erential properties] ≤ 2−82.7
... No explanation whatsoever.
Biryukov, Perrin, Udovenko (uni.lu) Reverse-Engineering GOST's S-Box August 18, 2015 2 / 7
Our target
De�nition (π)
π is the S-Box used by:
Streebog (GOST latest hash function),
Kuznyechik (GOST latest block cipher),
STRIBOBr1 (CAESAR candidate). Not used by STRIBOBr2.
Properties
Permutation of 8 bits
P[di�erential properties] ≤ 2−82.7
... No explanation whatsoever.
Biryukov, Perrin, Udovenko (uni.lu) Reverse-Engineering GOST's S-Box August 18, 2015 2 / 7
Our target
De�nition (π)
π is the S-Box used by:
Streebog (GOST latest hash function),
Kuznyechik (GOST latest block cipher),
STRIBOBr1 (CAESAR candidate). Not used by STRIBOBr2.
Properties
Permutation of 8 bits
P[di�erential properties] ≤ 2−82.7
... No explanation whatsoever.
Biryukov, Perrin, Udovenko (uni.lu) Reverse-Engineering GOST's S-Box August 18, 2015 2 / 7
Biryukov, Perrin, Udovenko (uni.lu) Reverse-Engineering GOST's S-Box August 18, 2015 3 / 7
Biryukov, Perrin, Udovenko (uni.lu) Reverse-Engineering GOST's S-Box August 18, 2015 4 / 7
Reverse-Engineering the S-Box
Pull on the thread!
1 Lines/dot
2 A vector space
3 Partial linear layers
4 Integral properties
5 High level structure
Linear layer L∗
⊕⊕
⊕⊕⊕
Structure of L∗ ◦ π−1 ◦ L∗
T
U
Biryukov, Perrin, Udovenko (uni.lu) Reverse-Engineering GOST's S-Box August 18, 2015 5 / 7
Reverse-Engineering the S-Box
Pull on the thread!
1 Lines/dot
2 A vector space
3 Partial linear layers
4 Integral properties
5 High level structure
Linear layer L∗
⊕⊕
⊕⊕⊕
Structure of L∗ ◦ π−1 ◦ L∗
T
U
Biryukov, Perrin, Udovenko (uni.lu) Reverse-Engineering GOST's S-Box August 18, 2015 5 / 7
Reverse-Engineering the S-Box
Pull on the thread!
1 Lines/dot
2 A vector space
3 Partial linear layers
4 Integral properties
5 High level structure
Linear layer L∗
⊕⊕
⊕⊕⊕
Structure of L∗ ◦ π−1 ◦ L∗
T
U
Biryukov, Perrin, Udovenko (uni.lu) Reverse-Engineering GOST's S-Box August 18, 2015 5 / 7
Reverse-Engineering the S-Box
Pull on the thread!
1 Lines/dot
2 A vector space
3 Partial linear layers
4 Integral properties
5 High level structure
Linear layer L∗
⊕⊕
⊕⊕⊕
Structure of L∗ ◦ π−1 ◦ L∗
T
U
Biryukov, Perrin, Udovenko (uni.lu) Reverse-Engineering GOST's S-Box August 18, 2015 5 / 7
Reverse-Engineering the S-Box
Pull on the thread!
1 Lines/dot
2 A vector space
3 Partial linear layers
4 Integral properties
5 High level structure
Linear layer L∗
⊕⊕
⊕⊕⊕
Structure of L∗ ◦ π−1 ◦ L∗
T
U
Biryukov, Perrin, Udovenko (uni.lu) Reverse-Engineering GOST's S-Box August 18, 2015 5 / 7
Reverse-Engineering the S-Box
Pull on the thread!
1 Lines/dot
2 A vector space
3 Partial linear layers
4 Integral properties
5 High level structure
Linear layer L∗
⊕⊕
⊕⊕⊕
Structure of L∗ ◦ π−1 ◦ L∗
T
U
Biryukov, Perrin, Udovenko (uni.lu) Reverse-Engineering GOST's S-Box August 18, 2015 5 / 7
Reverse-Engineering the S-Box
Pull on the thread!
1 Lines/dot
2 A vector space
3 Partial linear layers
4 Integral properties
5 High level structure
Linear layer L∗
⊕⊕
⊕⊕⊕
Structure of L∗ ◦ π−1 ◦ L∗
T
U
Biryukov, Perrin, Udovenko (uni.lu) Reverse-Engineering GOST's S-Box August 18, 2015 5 / 7
Reverse-Engineering the S-Box
Pull on the thread!
1 Lines/dot
2 A vector space
3 Partial linear layers
4 Integral properties
5 High level structure
Linear layer L∗
⊕⊕
⊕⊕⊕
Structure of L∗ ◦ π−1 ◦ L∗
T
U
Biryukov, Perrin, Udovenko (uni.lu) Reverse-Engineering GOST's S-Box August 18, 2015 5 / 7
Final Decomposition
ω
σ
φ �
ν1ν0
I�
α
� Multiplication in F24
α Linear permutation
I Inversion in F24
ν0, ν1, σ 4× 4 permutations
φ 4× 4 function
ω Linear permutation
P[ν1(x ⊕ 0x9)⊕ ν1(x) = 0x2] = 1
Biryukov, Perrin, Udovenko (uni.lu) Reverse-Engineering GOST's S-Box August 18, 2015 6 / 7
Final Decomposition
ω
σ
φ �
ν1ν0
I�
α
� Multiplication in F24
α Linear permutation
I Inversion in F24
ν0, ν1, σ 4× 4 permutations
φ 4× 4 function
ω Linear permutation
P[ν1(x ⊕ 0x9)⊕ ν1(x) = 0x2] = 1
Biryukov, Perrin, Udovenko (uni.lu) Reverse-Engineering GOST's S-Box August 18, 2015 6 / 7
Conclusion
Hardware Implementation
Structure Area (µm2) Delay (ns)
naive implementation 3889.6 362.52
using the decomposition 1530.1 46.11
https://eprint.iacr.org/2015/812.pdf
Thank you!
Biryukov, Perrin, Udovenko (uni.lu) Reverse-Engineering GOST's S-Box August 18, 2015 7 / 7
Conclusion
Hardware Implementation
Structure Area (µm2) Delay (ns)
naive implementation 3889.6 362.52
using the decomposition 1530.1 46.11
https://eprint.iacr.org/2015/812.pdf
Thank you!
Biryukov, Perrin, Udovenko (uni.lu) Reverse-Engineering GOST's S-Box August 18, 2015 7 / 7
