On Reverse-Engineering S-Boxes
Alex Biryukov, Léo Perrin, Aleksei Udovenko
SnT, University of Luxembourg
https://www.cryptolux.org
March 28, 2017, CryptoAction Symposium 2017

Introduction: S-Box?
An S-Box is a small non-linear function mapping m bits to n, usually specified via its look-up table.
- Typically, m = n, n ∈ {4, 8}.
- Used by many block ciphers, hash functions and stream ciphers.
- Necessary for the wide trail strategy.
Biryukov, Perrin, Udovenko On Reverse-Engineering S-Boxes 1 / 28

Introduction: Example
Screen capture from [GOST, 2015].

Introduction: S-Box Design
[Figure: S-box designs, labelled AES, Whirlpool and Scream]

Introduction: S-Box Reverse-Engineering
[Figure: the S-box s surrounded by question marks]

Talk Outline
1 Introduction
2 Mathematical Background
3 Detailed Analysis of the Two Tables
4 TU-Decomposition
5 Conclusion

Plan
1 Introduction
2 Mathematical Background
   - The Two Tables
   - Coefficients Distribution
3 Detailed Analysis of the Two Tables
4 TU-Decomposition
5 Conclusion

Mathematical Background: The Two Tables
Let $S : \mathbb{F}_2^n \to \mathbb{F}_2^n$ be an S-Box.
Definition (DDT). The Difference Distribution Table of $S$ is a matrix of size $2^n \times 2^n$ such that
$\mathrm{DDT}[a, b] = \#\{x \in \mathbb{F}_2^n \mid S(x \oplus a) \oplus S(x) = b\}$.
Definition (LAT). The Linear Approximations Table of $S$ is a matrix of size $2^n \times 2^n$ such that
$\mathrm{LAT}[a, b] = \#\{x \in \mathbb{F}_2^n \mid x \cdot a = S(x) \cdot b\} - 2^{n-1}$.

Mathematical Background: Example
S = [4, 2, 1, 6, 0, 5, 7, 3]

The DDT of S:
 8  0  0  0  0  0  0  0
 0  0  0  0  2  2  2  2
 0  0  0  0  2  2  2  2
 0  0  4  4  0  0  0  0
 0  0  0  0  2  2  2  2
 0  4  4  0  0  0  0  0
 0  4  0  4  0  0  0  0
 0  0  0  0  2  2  2  2

The LAT of S:
 4  0  0  0  0  0  0  0
 0  0  2  2  0  0  2 -2
 0  2  2  0  0  2 -2  0
 0  2  0  2  0 -2  0  2
 0  2  0 -2  0 -2  0 -2
 0 -2  2  0  0 -2 -2  0
 0  0 -2  2  0  0 -2 -2
 0  0  0  0 -4  0  0  0

Mathematical Background: Coefficient Distribution in the DDT
If an n-bit S-Box is bijective, then its DDT coefficients behave like independent and identically distributed random variables following a Poisson distribution:
$\Pr[\mathrm{DDT}[a, b] = 2z] = \dfrac{e^{-1/2}}{2^z \, z!}$.

Mathematical Background: Coefficient Distribution in the LAT
If an n-bit S-Box is bijective, then its LAT coefficients behave like independent and identically distributed random variables following this distribution:
$\Pr[\mathrm{LAT}[a, b] = 2z] = \dfrac{\binom{2^{n-1}}{2^{n-2} + z}^2}{\binom{2^n}{2^{n-1}}}$.

Plan
1 Introduction
2 Mathematical Background
3 Detailed Analysis of the Two Tables
   - Maximum Values in the Tables
   - Application to Skipjack
4 TU-Decomposition
5 Conclusion

Detailed Analysis of the Two Tables: Looking Only at the Maximum

DDT
δ     log2(Pr[max(D) ≤ δ])
4     -1359.530
6     -164.466
8     -16.148
10    -1.329
12    -0.094
14    -0.006

LAT
ℓ     log2(Pr[max(L) ≤ ℓ])
22    -371.609
24    -161.900
26    -66.415
28    -25.623
30    -9.288
32    -3.160
34    -1.008
36    -0.302
38    -0.084

Probability that the maximum coefficient in the DDT/LAT of an 8-bit permutation is at most equal to a certain threshold.

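How the table follows from the two coefficient distributions, as an added example that is not part of the original talk. It assumes the (2^n − 1)² coefficients with a ≠ 0 and b ≠ 0 are independent and that max(L) is taken over absolute values; all function names are hypothetical.

```python
# Added example: log2 Pr[max coefficient <= threshold] for a random
# 8-bit permutation, from the DDT and LAT coefficient distributions.
from math import comb, exp, factorial, log, log1p

N_BITS = 8
ENTRIES = (2**N_BITS - 1) ** 2  # assumption: entries with a != 0 and b != 0

def ddt_coeff_prob(z):
    """Pr[DDT[a,b] = 2z]: Poisson distribution with parameter 1/2."""
    return exp(-0.5) / (2**z * factorial(z))

def lat_coeff_prob(z, n=N_BITS):
    """Pr[LAT[a,b] = 2z] for a random n-bit permutation."""
    half, quarter = 2 ** (n - 1), 2 ** (n - 2)
    if abs(z) > quarter:
        return 0.0
    return comb(half, quarter + z) ** 2 / comb(2**n, half)

def log2_pr_max_ddt(delta):
    """log2 Pr[max(D) <= delta]; the tail is summed so log1p stays accurate."""
    tail = sum(ddt_coeff_prob(z)
               for z in range(delta // 2 + 1, 2 ** (N_BITS - 1) + 1))
    return ENTRIES * log1p(-tail) / log(2)

def log2_pr_max_lat(ell):
    """log2 Pr[max(|L|) <= ell]; the distribution is symmetric in z."""
    tail = 2 * sum(lat_coeff_prob(z)
                   for z in range(ell // 2 + 1, 2 ** (N_BITS - 2) + 1))
    return ENTRIES * log1p(-tail) / log(2)

if __name__ == "__main__":
    for delta in range(4, 16, 2):
        print(f"DDT  delta={delta:2d}  {log2_pr_max_ddt(delta):10.3f}")
    for ell in range(22, 40, 2):
        print(f"LAT  ell={ell:2d}    {log2_pr_max_lat(ell):10.3f}")
```
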
Detailed Analysis of the Two Tables: Taking Number of Maximum Values into Account
[Figure: three panels plotting probability (log2) against N_26, N_28 and N_30; legend: Pr[max(LAT) = 24], Pr[max(LAT) = 26], Pr[max(LAT) = 28], Pr[max(LAT) = 30]]

Detailed Analysis of the Two Tables: What is Skipjack? (1/2)
Type          Block cipher
Block         64 bits
Key           80 bits
Authors       NSA
Publication   1998

Detailed Analysis of the Two Tables: What is Skipjack? (2/2)
- Skipjack was supposed to be secret...
- ... but eventually published in 1998 [National Security Agency, 1998],
- It uses an 8 × 8 S-Box (F) specified only by its LUT,
- Skipjack was to be used by the Clipper Chip.

Detailed Analysis of the Two Tables: Reverse-Engineering F
For Skipjack, max(LAT) = 28 and #28 = 3.
[Figure: three panels plotting probability (log2) against N_26, N_28 and N_30]