how to analyse an s box and in the process prove the
play

How to Analyse an S-box, and, in the Process, Prove the Russian - PowerPoint PPT Presentation

Oct 14, 2022 •380 likes •1.23k views

How to Analyse an S-box, and, in the Process, Prove the Russian Standardizing Agency Wrong Lo Perrin Based on joint works with Biryukov, Bonnetain, Canteaut, Duval, Tian and Udovenko June 26, 2019 University of Rostock Introduction: S-Boxes

  1. How to Analyse an S-box, and, in the Process, Prove the Russian Standardizing Agency Wrong Léo Perrin Based on joint works with Biryukov, Bonnetain, Canteaut, Duval, Tian and Udovenko June 26, 2019 University of Rostock

  2. Introduction: S-Boxes and Standardization TU-Decomposition, a Russian God and a Grasshoper The Final Structure in the Russian S-box Conclusion From ↑ to ↓  → F 2 8 F 2 8     �→ κ ( 0 ) , 0  π : �→ κ ( 2 m − j ) , for 1 ≤ j ≤ 2 m − 1 , ( α 2 m + 1 ) j  α 2 m + 1 ) s ( j ) , for 0 < i , 0 ≤ j < 2 m − 1 .  �→ κ ( 2 m − i ) ⊕  α i +( 2 m + 1 ) j (   1 / 33

  3. Introduction: S-Boxes and Standardization TU-Decomposition, a Russian God and a Grasshoper The Final Structure in the Russian S-box Conclusion From Russia with Love , Terence Young et al. (1963). 2 / 33

  4. Introduction: S-Boxes and Standardization TU-Decomposition, a Russian God and a Grasshoper The Final Structure in the Russian S-box Conclusion Outline Introduction: S-Boxes and Standardization 1 TU-Decomposition, a Russian God and a Grasshoper 2 3 The Final Structure in the Russian S-box 4 Conclusion 3 / 33

  5. Introduction: S-Boxes and Standardization Basics of Symmetric Cryptography TU-Decomposition, a Russian God and a Grasshoper Block Cipher Design The Final Structure in the Russian S-box How Standardization (Doesn’t) Work Conclusion Outline Introduction: S-Boxes and Standardization 1 TU-Decomposition, a Russian God and a Grasshoper 2 3 The Final Structure in the Russian S-box 4 Conclusion 3 / 33

  6. Introduction: S-Boxes and Standardization Basics of Symmetric Cryptography TU-Decomposition, a Russian God and a Grasshoper Block Cipher Design The Final Structure in the Russian S-box How Standardization (Doesn’t) Work Conclusion Plan of this Section 1 Introduction: S-Boxes and Standardization Basics of Symmetric Cryptography Block Cipher Design How Standardization (Doesn’t) Work 2 TU-Decomposition, a Russian God and a Grasshoper 3 The Final Structure in the Russian S-box Conclusion 4 3 / 33

  7. Definition (Block Cipher) x Input: n -bit block x Parameter: k -bit key E Output: n -bit block E x 1 use the same E x Symmetry: E and E Properties needed: Diffusion Confusion No cryptanalysis! Introduction: S-Boxes and Standardization Basics of Symmetric Cryptography TU-Decomposition, a Russian God and a Grasshoper Block Cipher Design The Final Structure in the Russian S-box How Standardization (Doesn’t) Work Conclusion Symmetric Cryptography There are many symmetric algorithms! Hash functions, MACs... 4 / 33

  8. Properties needed: Diffusion Confusion No cryptanalysis! Introduction: S-Boxes and Standardization Basics of Symmetric Cryptography TU-Decomposition, a Russian God and a Grasshoper Block Cipher Design The Final Structure in the Russian S-box How Standardization (Doesn’t) Work Conclusion Symmetric Cryptography There are many symmetric algorithms! Hash functions, MACs... Definition (Block Cipher) x Input: n -bit block x Parameter: k -bit key κ κ E Output: n -bit block E κ ( x ) Symmetry: E and E − 1 use the same κ E κ ( x ) 4 / 33

  9. Introduction: S-Boxes and Standardization Basics of Symmetric Cryptography TU-Decomposition, a Russian God and a Grasshoper Block Cipher Design The Final Structure in the Russian S-box How Standardization (Doesn’t) Work Conclusion Symmetric Cryptography There are many symmetric algorithms! Hash functions, MACs... Definition (Block Cipher) x Input: n -bit block x Parameter: k -bit key κ κ E Output: n -bit block E κ ( x ) Symmetry: E and E − 1 use the same κ E κ ( x ) Properties needed: Diffusion Confusion No cryptanalysis! 4 / 33

  10. Introduction: S-Boxes and Standardization Basics of Symmetric Cryptography TU-Decomposition, a Russian God and a Grasshoper Block Cipher Design The Final Structure in the Russian S-box How Standardization (Doesn’t) Work Conclusion No Cryptanalysis? Let us look at a typical cryptanalysis technique: the differential attack. 5 / 33

  11. x x a a E E E x E x a b b Differential Attack If there are many x such that E x E x a b , then the cipher is not secure . 6ec1067e5c5390ae 6ec1067e5c5391ae 7abb3f43c4989a22 0x04d4595257eb06c8 0x7e6f661193739cea Introduction: S-Boxes and Standardization Basics of Symmetric Cryptography TU-Decomposition, a Russian God and a Grasshoper Block Cipher Design The Final Structure in the Russian S-box How Standardization (Doesn’t) Work Conclusion Differential Attacks ⊕ a = 0000000000000100 6 / 33

  12. x x a a E x E x a b b Differential Attack If there are many x such that E x E x a b , then the cipher is not secure . 6ec1067e5c5390ae 6ec1067e5c5391ae 7abb3f43c4989a22 0x04d4595257eb06c8 0x7e6f661193739cea Introduction: S-Boxes and Standardization Basics of Symmetric Cryptography TU-Decomposition, a Russian God and a Grasshoper Block Cipher Design The Final Structure in the Russian S-box How Standardization (Doesn’t) Work Conclusion Differential Attacks ⊕ a = 0000000000000100 E κ E κ 6 / 33

  13. x x a a E x E x a b b Differential Attack If there are many x such that E x E x a b , then the cipher is not secure . 6ec1067e5c5390ae 6ec1067e5c5391ae 7abb3f43c4989a22 0x04d4595257eb06c8 0x7e6f661193739cea Introduction: S-Boxes and Standardization Basics of Symmetric Cryptography TU-Decomposition, a Russian God and a Grasshoper Block Cipher Design The Final Structure in the Russian S-box How Standardization (Doesn’t) Work Conclusion Differential Attacks ⊕ a = 0000000000000100 E κ E κ 6 / 33

  14. x x a a E x E x a b Differential Attack If there are many x such that E x E x a b , then the cipher is not secure . 0x04d4595257eb06c8 0x7e6f661193739cea 6ec1067e5c5391ae 6ec1067e5c5390ae Introduction: S-Boxes and Standardization Basics of Symmetric Cryptography TU-Decomposition, a Russian God and a Grasshoper Block Cipher Design The Final Structure in the Russian S-box How Standardization (Doesn’t) Work Conclusion Differential Attacks ⊕ a = 0000000000000100 E κ E κ ⊕ b = 7abb3f43c4989a22 6 / 33

  15. a 0000000000000100 b Differential Attack If there are many x such that E x E x a b , then the cipher is not secure . 0x7e6f661193739cea 7abb3f43c4989a22 6ec1067e5c5391ae 6ec1067e5c5390ae 0x04d4595257eb06c8 Introduction: S-Boxes and Standardization Basics of Symmetric Cryptography TU-Decomposition, a Russian God and a Grasshoper Block Cipher Design The Final Structure in the Russian S-box How Standardization (Doesn’t) Work Conclusion Differential Attacks ⊕ x ⊕ a x a E κ E κ E κ ( x ) ⊕ E κ ( x ⊕ a ) b 6 / 33

  16. a 0000000000000100 b 0x04d4595257eb06c8 0x7e6f661193739cea 7abb3f43c4989a22 6ec1067e5c5390ae 6ec1067e5c5391ae Introduction: S-Boxes and Standardization Basics of Symmetric Cryptography TU-Decomposition, a Russian God and a Grasshoper Block Cipher Design The Final Structure in the Russian S-box How Standardization (Doesn’t) Work Conclusion Differential Attacks ⊕ x ⊕ a x a E κ E κ E κ ( x ) ⊕ E κ ( x ⊕ a ) b Differential Attack If there are many x such that E κ ( x ) ⊕ E κ ( x ⊕ a ) = b , then the cipher is not secure . 6 / 33

  17. i S S S S S S S S L Substitution-Permutation Network Such a block cipher iterates the round function above several times. S is the S ubstitution B ox (S-Box). Introduction: S-Boxes and Standardization Basics of Symmetric Cryptography TU-Decomposition, a Russian God and a Grasshoper Block Cipher Design The Final Structure in the Russian S-box How Standardization (Doesn’t) Work Conclusion Basic Block Cipher Structure How do we build block ciphers that prevent such attacks (as well as others)? 7 / 33

  18. Substitution-Permutation Network Such a block cipher iterates the round function above several times. S is the S ubstitution B ox (S-Box). Introduction: S-Boxes and Standardization Basics of Symmetric Cryptography TU-Decomposition, a Russian God and a Grasshoper Block Cipher Design The Final Structure in the Russian S-box How Standardization (Doesn’t) Work Conclusion Basic Block Cipher Structure How do we build block ciphers that prevent such attacks (as well as others)? κ i ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ S S S S S S S S L 7 / 33

  19. Introduction: S-Boxes and Standardization Basics of Symmetric Cryptography TU-Decomposition, a Russian God and a Grasshoper Block Cipher Design The Final Structure in the Russian S-box How Standardization (Doesn’t) Work Conclusion Basic Block Cipher Structure How do we build block ciphers that prevent such attacks (as well as others)? κ i ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ S S S S S S S S L Substitution-Permutation Network Such a block cipher iterates the round function above several times. S is the S ubstitution B ox (S-Box). 7 / 33

  20. Introduction: S-Boxes and Standardization Basics of Symmetric Cryptography TU-Decomposition, a Russian God and a Grasshoper Block Cipher Design The Final Structure in the Russian S-box How Standardization (Doesn’t) Work Conclusion The S-Box (1/2) The S-Box π of the latest Russian standards, Kuznyechik (BC) and Streebog (HF). 8 / 33

Recommend

The Aim Take a Haskell program Analyse it Prove statically that there are no unsafe

The Aim Take a Haskell program Analyse it Prove statically that there are no unsafe

CATCH: Case and Termination Checker for Haskell Neil Mitchell (Supervised by Colin Runciman) http://www.cs.york.ac.uk/~ ndm/ The Aim Take a Haskell program Analyse it Prove statically that there are no unsafe pattern matches

420 views • 19 slides
FCE,CAE and CPE levels Aims of the workshop Analyse the process involved in marking students

FCE,CAE and CPE levels Aims of the workshop Analyse the process involved in marking students

Assessing Writing at FCE,CAE and CPE levels Aims of the workshop Analyse the process involved in marking students pieces of writing. Analyse assessment criteria and glossary. Practise assessing with samples of students work.

315 views • 27 slides
Prove that it Plan for happened. success Helen McPhun The usual process Analysis

Prove that it Plan for happened. success Helen McPhun The usual process Analysis

Prove that it Plan for happened. success Helen McPhun The usual process Analysis Training...why? Performance expectations Two Cases : Two Stories Case # 1 Introduction of a national qualification aligned with the induction programme in

1.15k views • 41 slides
Annotations des gnomes Analyse du transcriptome Analyse des voies mtaboliques Jacques van

Annotations des gnomes Analyse du transcriptome Analyse des voies mtaboliques Jacques van

JGB71E - Bioinformatique applique Annotations des gnomes Analyse du transcriptome Analyse des voies mtaboliques Jacques van Helden Jacques.van-Helden@univ-amu.fr Aix-Marseille Universit, France Technological Advances for Genomics and

886 views • 75 slides
Analyse and binary transformation Guillaume Bouffard Analyse and binary transformation Guillaume

Analyse and binary transformation Guillaume Bouffard Analyse and binary transformation Guillaume

Analyse and binary transformation Guillaume Bouffard Analyse and binary transformation Guillaume Bouffard Outline 1 Introduction Profiling step 2 Translation step 3 Binary Modification 4 Proof Of Concept 5 Conclusion 6 2 / 19

779 views • 40 slides
CS70: Lecture 2. Outline. Today: Proofs!!! 1. By Example (or Counterexample). 2. Direct. (Prove P

CS70: Lecture 2. Outline. Today: Proofs!!! 1. By Example (or Counterexample). 2. Direct. (Prove P

CS70: Lecture 2. Outline. Today: Proofs!!! 1. By Example (or Counterexample). 2. Direct. (Prove P = Q . ) 3. by Contraposition (Prove P = Q ) 4. by Contradiction (Prove P .) 5. by Cases Quick Background and Notation. Integers closed

693 views • 16 slides
Vanilla Meta-interpreter prove ( G ) is true when base-level body G is a logical consequence of

Vanilla Meta-interpreter prove ( G ) is true when base-level body G is a logical consequence of

Vanilla Meta-interpreter prove ( G ) is true when base-level body G is a logical consequence of the base-level KB. prove ( true ). prove (( A &amp; B )) prove ( A ) prove ( B ). prove ( H ) ( H B ) prove ( B ).

641 views • 8 slides
5/10/20 L.O To analyse the main reasons for the Greek victory -I can identify certain techniques

5/10/20 L.O To analyse the main reasons for the Greek victory -I can identify certain techniques

5/10/20 L.O To analyse the main reasons for the Greek victory -I can identify certain techniques the Greek's used during battle L.O To analyse the main reasons for the Greek victory 5/10/20 Starter Who was Alexander the great? L.O To analyse

613 views • 40 slides
Analyse statique de programmes num eriques avec calculs flottants eme Rencontres Arithm 4 `

Analyse statique de programmes num eriques avec calculs flottants eme Rencontres Arithm 4 `

Analyse statique de programmes num eriques avec calculs flottants eme Rencontres Arithm 4 ` etique de lInformatique Math ematique Antoine Min e Ecole normale sup erieure 9 f evrier 2011 Perpignan 9/02/2011 Analyse

896 views • 70 slides
Proofs about functions Function consuming A is related to proof about A Q: How to prove two

Proofs about functions Function consuming A is related to proof about A Q: How to prove two

Proofs about functions Function consuming A is related to proof about A Q: How to prove two lists are equal? A: Prove they are both () or that they are both cons cells cons-ing equal cars to equal cdrs Q: How to prove two

224 views • 20 slides
Given: a // b &amp; s // t Prove: 4 @ 13 1 9 10 2 a 3 4 11 12 5 6 13 14 b 7

Given: a // b &amp; s // t Prove: 4 @ 13 1 9 10 2 a 3 4 11 12 5 6 13 14 b 7

Given: a // b &amp; s // t Prove: 4 @ 13 1 9 10 2 a 3 4 11 12 5 6 13 14 b 7 16 8 15 t s Congruent Figures - Figures that have the same size and shape. Hypothesize with your partnerwhat do you think is true,

321 views • 16 slides
A very elementary introduction to proofs Part 2 Example: Prove a function is not 1:1 By Dr.

A very elementary introduction to proofs Part 2 Example: Prove a function is not 1:1 By Dr.

A very elementary introduction to proofs Part 2 Example: Prove a function is not 1:1 By Dr. Isabel Darcy, Dept of Mathematics and AMCS, University of Iowa How do we prove a function is NOT 1:1

341 views • 10 slides
Foundation of proofs Jim Hefferon http://joshua.smcvt.edu/proofs The need to prove In

Foundation of proofs Jim Hefferon http://joshua.smcvt.edu/proofs The need to prove In

Foundation of proofs Jim Hefferon http://joshua.smcvt.edu/proofs The need to prove In Mathematics we prove things The base angles of an isoceles triangle are equal seems obvious to a person with mathematical aptitude. a if a = b

678 views • 52 slides
Large-scale drive-by download detec4on: visit n . process.

Large-scale drive-by download detec4on: visit n . process.

Large-scale drive-by download detec4on: visit n . process. analyse. report. Adriaan Dens Mar4jn Bogaard Students Master of System and Network

391 views • 37 slides
JOI NT USE STRATEGY 2013 San Diego Unified School District 1 . Prop Z Opportunity I m prove

JOI NT USE STRATEGY 2013 San Diego Unified School District 1 . Prop Z Opportunity I m prove

JOI NT USE STRATEGY 2013 San Diego Unified School District 1 . Prop Z Opportunity I m prove and install playfields for student and neighborhood joint use Develop and or im prove education, recreation and/ or com m unity resource

522 views • 23 slides
Structural recursively defined set R, prove P(b) for each base case b R Induction

Structural recursively defined set R, prove P(b) for each base case b R Induction

Mathematics for Computer Science Structural Induction MIT 6.042J/18.062J To prove P(x) holds for all x in Structural recursively defined set R, prove P(b) for each base case b R Induction P(c(x)) for each constructor, c, assuming

422 views • 4 slides
Short Food Supply Chains in The Netherlands an overview Carlijn Savelkouls &amp; Jan Willem

Short Food Supply Chains in The Netherlands an overview Carlijn Savelkouls &amp; Jan Willem

Short Food Supply Chains in The Netherlands an overview Carlijn Savelkouls &amp; Jan Willem van der Schans Carlijn.savelkouls@wur.nl Study Trip Finish Delegation, Wageningen, 30-11-2016 To im prove the quality of life w e analyse and

628 views • 45 slides
Design of an experimental set-up to analyse compliant mechanisms used for the deployment of a

Design of an experimental set-up to analyse compliant mechanisms used for the deployment of a

I NTRODUCTION S ET - UP FE MODEL I DENTIFICATION V ALIDATION C ONCLUSIONS Design of an experimental set-up to analyse compliant mechanisms used for the deployment of a panel Florence Dewalque, Olivier Brls Department of Aerospace and

383 views • 22 slides
Abstract: This paper will analyse the different ways by which law has been mapped, modelled and

Abstract: This paper will analyse the different ways by which law has been mapped, modelled and

Abstract: This paper will analyse the different ways by which law has been mapped, modelled and graphically represented in rela9on to and within the context of the internetworked society. Star9ng with Lawrence Lessig's illustra9on of the

275 views • 13 slides
Small Dealer Symposium Strategic Transactions Mario Frankovich, CEO Burgeonvest Bick Securities

Small Dealer Symposium Strategic Transactions Mario Frankovich, CEO Burgeonvest Bick Securities

Small Dealer Symposium Strategic Transactions Mario Frankovich, CEO Burgeonvest Bick Securities Limited Acquirers: Prove they can grow organically Prove they can recruit Prove they have a track record of making acquisitions

189 views • 5 slides
On Hardys and Caffarelli, Kohn, Nirenbergs inequalites. S eminaire EDP-Analyse de

On Hardys and Caffarelli, Kohn, Nirenbergs inequalites. S eminaire EDP-Analyse de

On Hardys and Caffarelli, Kohn, Nirenbergs inequalites. S eminaire EDP-Analyse de lInstitut Camille Jordan, Lyon, April 2019 Hoai-Minh Nguyen Ecole Polytechnique F ed erale de Lausanne EPFL, Switzerland joint with Marco

1.21k views • 83 slides
Techniques Used to Analyse the Affordability, Commutability and Demographics of Real Estate in

Techniques Used to Analyse the Affordability, Commutability and Demographics of Real Estate in

Techniques Used to Analyse the Affordability, Commutability and Demographics of Real Estate in School Catchment Areas Anthony Joseph My House Geek Chief Technology Officer YOW! Data 2019: 7 May 2019 linkedin.com/in/ blog.myhousegeek

395 views • 28 slides
Simulation abstraite : une analyse statique de modles Simulink Alexandre Chapoutot 1

Simulation abstraite : une analyse statique de modles Simulink Alexandre Chapoutot 1

Simulation abstraite : une analyse statique de modles Simulink Alexandre Chapoutot 1 Laboratoire MeASI - CEA LIST Soutenance de thse Ecole Polytechnique, Palaiseau 8 dcembre 2008 1 Sous la direction de Matthieu Martel Introduction

893 views • 71 slides
About OIM Analyse. Improve. Sustain. Proven track record since 1985 Partners with

About OIM Analyse. Improve. Sustain. Proven track record since 1985 Partners with

About OIM Analyse. Improve. Sustain. Proven track record since 1985 Partners with several blue-chip companies throughout Southern and Central Africa Business performance specialists in three key areas Integrated approach

504 views • 32 slides

More recommend