ISO Update: Who knew standardization could be this fun? Léo Perrin, Inria, France. January 20, 2020, Dagstuhl 20041.


  1. ISO Update Who knew standardization could be this fun? Léo Perrin Inria, France January 20, 2020 Dagstuhl 20041

  2. General Context “Randomness” of a Structure: The Kolmogorov Anomaly “Counter Arguments” Conclusion How are Streebog and Kuznyechik doing? 2 / 16

  3. Outline
     1. General Context
     2. “Randomness” of a Structure: The Kolmogorov Anomaly
     3. “Counter Arguments”
     4. Conclusion

  4. Plan of this Section
     1. General Context
        - What are these Algorithms?
        - Timeline and Results
        - What the Designers Say
     2. “Randomness” of a Structure: The Kolmogorov Anomaly
     3. “Counter Arguments”
     4. Conclusion

  5. Kuznyechik/Streebog

     | Algorithm | Type | Publication |
     |---|---|---|
     | Streebog | Hash function | 2012 |
     | Kuznyechik | Block cipher | 2015 |

     Common ground:
     - Both are standard symmetric primitives in Russia.
     - Both were designed by the FSB (TC26).
     - Both use the same 8 × 8 S-Box, π.

  7. Timeline

     By March 2016, Kuznyechik and Streebog were both GOST standards and IETF RFCs.

     - May 2016: Publication of the first decomposition (TU-decomposition), EC’16
     - Feb 2017: Publication of the second decomposition (Belarus-like), FSE’17
     - Jun. 2018: Luxembourg representatives at ISO asked me about these
     - Oct. 2018: ISO standardization of Streebog (ISO 10118-3)
     - Dec. 2018: Publication of the TKlog decomposition, FSE’19
     - Apr. 2019: ISO decision to postpone the inclusion of Kuznyechik
     - Apr. 2019: Russian law mandating the use of Russian algorithms
     - Summer 2019: Time to act
     - Oct. 2019: ISO had to make a decision

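  12. The TKlog Structure

      $$\pi : \begin{cases} \mathbb{F}_{2^8} &\to \mathbb{F}_{2^8} \\ 0 &\mapsto \kappa(0) \\ \alpha^{17j} &\mapsto \kappa(16-j) \text{ for } 1 \le j \le 15 \\ \alpha^{i+17j} &\mapsto \kappa(16-i) \oplus (\alpha^{17})^{s(j)} \text{ for } 0 < i,\ 0 \le j < 16 \end{cases}$$

      [Figure: diagram of the structure, with labels $\{0\}$ and $\kappa(0)$; $\mathbb{F}_{2^4}$ and $\kappa(\{1, \dots, 15\})$; $\alpha \times \mathbb{F}_{2^4}$, $\alpha^2 \times \mathbb{F}_{2^4}$, ..., $\alpha^{16} \times \mathbb{F}_{2^4}$; and $\kappa(15) \oplus \mathbb{F}_{2^4}$, $\kappa(14) \oplus \mathbb{F}_{2^4}$, ..., $\kappa(0) \oplus \mathbb{F}_{2^4}$.]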

  13. RUnet

      The use of national encryption standards is being made mandatory in Russia.

      https://www.cnews.ru/news/top/2019-04-02_vlasti_prinuditelno_perevedut_runet_na_rossijskie

  15. What its Designers Said (at ISO)

      [...]

      In private conversations, they explicitly said they used a Fisher-Yates shuffle to generate random S-boxes.

  17. Plan of this Section
      1. General Context
      2. “Randomness” of a Structure: The Kolmogorov Anomaly
         - Definition
         - How to Estimate It?
      3. “Counter Arguments”
      4. Conclusion

  18. General Question
      - How “far” is the behaviour of a specific S-box from that of a “random S-box”?
      - How likely is it for a random S-box to have a “structure”?

  20. Definition

      https://codegolf.stackexchange.com/questions/186498/proving-that-a-russian-cryptographic-standard-is-too-structured

      165 ASCII characters that fit on 7 bits: this program is 1155 bits long.

      Let $P(S)$ be the bitlength of a C implementation of $S \in \mathfrak{S}_{2^n}$.

      Definition (Kolmogorov Anomaly): The Kolmogorov Anomaly of $S$ for C is the opposite of the $\log_2$ of the probability that a random S-box has a C implementation at most as long as that of $S$.

  21. Estimating the Kolmogorov Anomaly

      How to estimate it?

      [Figure: diagram relating the $(\le 1155)$-bit C programs implementing 8-bit permutations, the $(\le 1155)$-bit strings, and $\mathfrak{S}_{2^8}$.]

      For π, we get:

      $$\frac{\#\,(\le 1155)\text{-bit C prog.}}{|\mathfrak{S}_{2^8}|} \le \frac{\#\,(\le 1155)\text{-bit strings}}{|\mathfrak{S}_{2^8}|} = \frac{2^{1156} - 1}{256!} \approx 2^{-528},$$

      meaning that the Kolmogorov anomaly of π for C is at least 528.

  22. Plan of this Section
      1. General Context
      2. “Randomness” of a Structure: The Kolmogorov Anomaly
      3. “Counter Arguments”
         - Artist Rendition
         - Summary of the Counter-Arguments I Was Told
      4. Conclusion

  23. Artist Rendition

      Discussions with the Alleged Designers, Allegory. Python M., 1969.
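The counting argument from the “Estimating the Kolmogorov Anomaly” slide, as an added Python example that is not part of the original slides. `counting_bound` reproduces the bound for π from the slide's figures (165 characters of 7 bits each); the toy language with 2-bit opcodes over 3-bit values is an assumption constructed here, enumerated exhaustively to show that the exact anomaly is never below the counting bound.

```python
import math
from itertools import product

def counting_bound(program_bits: int, n: int) -> float:
    """Lower bound on the Kolmogorov anomaly of an n-bit S-box that has a
    program of `program_bits` bits: every program is a bit string, so at most
    2^(L+1) - 1 of the (2^n)! permutations can have a program that short."""
    strings = 2 ** (program_bits + 1) - 1      # bit strings of length 0..L
    return math.log2(math.factorial(2 ** n)) - math.log2(strings)

def pi_bound() -> float:
    # Figures from the slides: 165 ASCII characters of 7 bits, 8-bit S-box.
    return counting_bound(165 * 7, 8)

# Toy "language" (constructed for this example, not from the slides):
# 2-bit opcodes acting on 3-bit values, applied left to right.
OPS = (
    lambda x: (x + 1) % 8,                 # 00: increment
    lambda x: (3 * x) % 8,                 # 01: multiply by 3 (invertible mod 8)
    lambda x: x ^ 5,                       # 10: xor with a constant
    lambda x: ((x << 1) | (x >> 2)) & 7,   # 11: rotate left by one bit
)

def run(program, x: int) -> int:
    for op in program:
        x = OPS[op](x)
    return x

def exact_anomaly(max_ops: int) -> float:
    """Exact anomaly in the toy language: enumerate every program of at most
    max_ops opcodes and count the distinct lookup tables they produce."""
    reached = set()
    for length in range(max_ops + 1):
        for program in product(range(4), repeat=length):
            reached.add(tuple(run(program, x) for x in range(8)))
    return math.log2(math.factorial(8)) - math.log2(len(reached))

if __name__ == "__main__":
    print(f"pi: Kolmogorov anomaly for C >= {pi_bound():.3f}")
    for k in range(1, 6):
        # k opcodes occupy 2k bits; the bound counts all strings up to 2k bits.
        print(k, f"bound={counting_bound(2 * k, 3):.2f}",
              f"exact={exact_anomaly(k):.2f}")
```

Many bit strings are not valid programs and many programs implement the same permutation, so the counting bound can only underestimate the anomaly.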
