on s box reverse engineering from cryptanalysis to the
play

On S-Box Reverse-Engineering: from Cryptanalysis to the Big APN - PowerPoint PPT Presentation

Jul 09, 2023 •236 likes •1.32k views

On S-Box Reverse-Engineering: from Cryptanalysis to the Big APN Problem Lo Perrin DTU, Lyngby perrin dot leo at gmail 4th of July 2017 Boolean Functions and Their Applications The content of this talk is based on joint works with Biryukov,

  1. Introduction Overview of S-Box Reverse-Engineering Methods Statistical Analysis of the DDT/LAT The TU-Decomposition Summary of Different Techniques A Decomposition of the 6-bit APN Permutation Structural Atacks Against Block Ciphers Conclusion Looking Only at the Maximum ℓ log 2 ( Pr [max ( L ) ≤ ℓ ] ) δ log 2 ( Pr [max ( D ) ≤ δ ] ) 38 -0.084 14 -0.006 36 -0.302 34 -1.008 12 -0.094 32 -3.160 10 -1.329 30 -9.288 8 -16.148 28 -25.623 26 -66.415 6 -164.466 24 -161.900 4 -1359.530 22 -371.609 LAT DDT Probability that the maximum coefficient in the DDT/LAT of an 8-bit permutation is at most equal to a certain threshold. 10 / 42

  2. Introduction Overview of S-Box Reverse-Engineering Methods Statistical Analysis of the DDT/LAT The TU-Decomposition Summary of Different Techniques A Decomposition of the 6-bit APN Permutation Structural Atacks Against Block Ciphers Conclusion Looking Only at the Maximum ℓ log 2 ( Pr [max ( L ) ≤ ℓ ] ) δ log 2 ( Pr [max ( D ) ≤ δ ] ) 38 -0.084 14 -0.006 36 -0.302 34 -1.008 12 -0.094 32 -3.160 10 -1.329 30 -9.288 8 -16.148 28 -25.623 26 -66.415 6 -164.466 24 -161.900 4 -1359.530 22 -371.609 LAT DDT Probability that the maximum coefficient in the DDT/LAT of an 8-bit permutation is at most equal to a certain threshold. 10 / 42

  3. Introduction Overview of S-Box Reverse-Engineering Methods Statistical Analysis of the DDT/LAT The TU-Decomposition Summary of Different Techniques A Decomposition of the 6-bit APN Permutation Structural Atacks Against Block Ciphers Conclusion Taking Number of Maximum Values into Account −20 −30 Probability (log 2 ) −40 Pr[max = 28] −50 Pr[max = 26] Pr[max = 28, #28 ≤ N 28 ] −60 −70 0 5 10 15 20 25 30 35 40 N 28 11 / 42

  4. Introduction Overview of S-Box Reverse-Engineering Methods Statistical Analysis of the DDT/LAT The TU-Decomposition Summary of Different Techniques A Decomposition of the 6-bit APN Permutation Structural Atacks Against Block Ciphers Conclusion Application of this Analysis? We applied this method on the S-Box of Skipjack. 12 / 42

  5. Introduction Overview of S-Box Reverse-Engineering Methods Statistical Analysis of the DDT/LAT The TU-Decomposition Summary of Different Techniques A Decomposition of the 6-bit APN Permutation Structural Atacks Against Block Ciphers Conclusion What is Skipjack? Type Block cipher Bloc 64 bits Key 80 bits Authors NSA Publication 1998 (classified at first) 13 / 42

  6. Introduction Overview of S-Box Reverse-Engineering Methods Statistical Analysis of the DDT/LAT The TU-Decomposition Summary of Different Techniques A Decomposition of the 6-bit APN Permutation Structural Atacks Against Block Ciphers Conclusion Reverse-Engineering the S-Box of Skipjack Skipjack uses F , a permutation of F 8 2 with max ( LAT ) = 28 and #28 = 3 . 14 / 42

  7. Introduction Overview of S-Box Reverse-Engineering Methods Statistical Analysis of the DDT/LAT The TU-Decomposition Summary of Different Techniques A Decomposition of the 6-bit APN Permutation Structural Atacks Against Block Ciphers Conclusion Reverse-Engineering the S-Box of Skipjack Skipjack uses F , a permutation of F 8 2 with max ( LAT ) = 28 and #28 = 3 . −20 −30 Probability (log 2 ) −40 Pr[max = 28] −50 Pr[max = 26] Pr[max = 28, #28 ≤ N 28 ] −60 −70 0 5 10 15 20 25 30 35 40 N 28 14 / 42

  8. Introduction Overview of S-Box Reverse-Engineering Methods Statistical Analysis of the DDT/LAT The TU-Decomposition Summary of Different Techniques A Decomposition of the 6-bit APN Permutation Structural Atacks Against Block Ciphers Conclusion Reverse-Engineering the S-Box of Skipjack Skipjack uses F , a permutation of F 8 2 with max ( LAT ) = 28 and #28 = 3 . −20 −30 Probability (log 2 ) −40 Pr[max = 28] −50 Pr[max = 26] Pr[max = 28, #28 ≤ N 28 ] −60 −70 0 5 10 15 20 25 30 35 40 N 28 14 / 42

  9. Introduction Overview of S-Box Reverse-Engineering Methods Statistical Analysis of the DDT/LAT The TU-Decomposition Summary of Different Techniques A Decomposition of the 6-bit APN Permutation Structural Atacks Against Block Ciphers Conclusion Reverse-Engineering the S-Box of Skipjack Skipjack uses F , a permutation of F 8 2 with max ( LAT ) = 28 and #28 = 3 . −20 −30 Probability (log 2 ) −40 Pr[max = 28] −50 Pr[max = 26] Pr[max = 28, #28 ≤ N 28 ] −60 −70 0 5 10 15 20 25 30 35 40 N 28 Pr [max ( LAT ) = 28 and #28 ≤ 3] ≈ 2 − 55 14 / 42

  10. Introduction Overview of S-Box Reverse-Engineering Methods Statistical Analysis of the DDT/LAT The TU-Decomposition Summary of Different Techniques A Decomposition of the 6-bit APN Permutation Structural Atacks Against Block Ciphers Conclusion What Can We Deduce? F has not been picked uniformly at random. F has not been picked among a feasibly large set of random S-Boxes. Its linear properties were optimized (though poorly). 15 / 42

  11. Introduction Overview of S-Box Reverse-Engineering Methods Statistical Analysis of the DDT/LAT The TU-Decomposition Summary of Different Techniques A Decomposition of the 6-bit APN Permutation Structural Atacks Against Block Ciphers Conclusion What Can We Deduce? F has not been picked uniformly at random. F has not been picked among a feasibly large set of random S-Boxes. Its linear properties were optimized (though poorly). The S-Box of Skipjack was built using a dedicated algorithm. 15 / 42

  12. Introduction Overview of S-Box Reverse-Engineering Methods Statistical Analysis of the DDT/LAT The TU-Decomposition Summary of Different Techniques A Decomposition of the 6-bit APN Permutation Structural Atacks Against Block Ciphers Conclusion Conclusion on Skipjack F 16 / 42

  13. Introduction Overview of S-Box Reverse-Engineering Methods Statistical Analysis of the DDT/LAT The TU-Decomposition Summary of Different Techniques A Decomposition of the 6-bit APN Permutation Structural Atacks Against Block Ciphers Conclusion Conclusion on Skipjack F 16 / 42

  14. Introduction Overview of S-Box Reverse-Engineering Methods Statistical Analysis of the DDT/LAT The TU-Decomposition Summary of Different Techniques A Decomposition of the 6-bit APN Permutation Structural Atacks Against Block Ciphers Conclusion Different Techniques Statistics 17 / 42

  15. Introduction Overview of S-Box Reverse-Engineering Methods Statistical Analysis of the DDT/LAT The TU-Decomposition Summary of Different Techniques A Decomposition of the 6-bit APN Permutation Structural Atacks Against Block Ciphers Conclusion Different Techniques Ad Hoc 17 / 42

  16. Introduction Overview of S-Box Reverse-Engineering Methods Statistical Analysis of the DDT/LAT The TU-Decomposition Summary of Different Techniques A Decomposition of the 6-bit APN Permutation Structural Atacks Against Block Ciphers Conclusion Different Techniques Structural Atacks 17 / 42

  17. Introduction Overview of S-Box Reverse-Engineering Methods Statistical Analysis of the DDT/LAT The TU-Decomposition Summary of Different Techniques A Decomposition of the 6-bit APN Permutation Structural Atacks Against Block Ciphers Conclusion Atacks Against SPN (1/2) ... S 0 , 0 S 0 , 1 S 0 , n / m − 1 L 0 ... S 1 , 0 S 1 , 1 S 1 , n / m − 1 L 1 ... S 2 , 0 S 2 , 1 S 2 , n / m − 1 18 / 42

  18. Introduction Overview of S-Box Reverse-Engineering Methods Statistical Analysis of the DDT/LAT The TU-Decomposition Summary of Different Techniques A Decomposition of the 6-bit APN Permutation Structural Atacks Against Block Ciphers Conclusion Atacks Against SPN (1/2) j 0 0 ... S 0 , 0 S 0 , 1 S 0 , n / m − 1 L 0 ... S 1 , 0 S 1 , 1 S 1 , n / m − 1 L 1 ... S 2 , 0 S 2 , 1 S 2 , n / m − 1 y j y j y j n / m − 1 0 1 18 / 42

  19. Introduction Overview of S-Box Reverse-Engineering Methods Statistical Analysis of the DDT/LAT The TU-Decomposition Summary of Different Techniques A Decomposition of the 6-bit APN Permutation Structural Atacks Against Block Ciphers Conclusion Atacks Against SPN (1/2) j 0 0 ... S 0 , 0 S 0 , 1 S 0 , n / m − 1 L 0 ... S 1 , 0 S 1 , 1 S 1 , n / m − 1 L 1 Zero sums ... S 2 , 0 S 2 , 1 S 2 , n / m − 1 y j y j y j n / m − 1 0 1 � 2 m − 1 S 2 , i ( y j i ) = 0 , for all i . j = 0 18 / 42

  20. Introduction Overview of S-Box Reverse-Engineering Methods Statistical Analysis of the DDT/LAT The TU-Decomposition Summary of Different Techniques A Decomposition of the 6-bit APN Permutation Structural Atacks Against Block Ciphers Conclusion Atacks Against SPN (1/2) j 0 0 ... S 0 , 0 S 0 , 1 S 0 , n / m − 1 L 0 ... S 1 , 0 S 1 , 1 S 1 , n / m − 1 L 1 Zero sums ... S 2 , 0 S 2 , 1 S 2 , n / m − 1 y j y j y j n / m − 1 0 1 � 2 m − 1 S 2 , i ( y j i ) = 0 , for all i . Repeat for different constant then solve j = 0 system [Biryukov, Shamir, 2001] 18 / 42

  21. Introduction Overview of S-Box Reverse-Engineering Methods Statistical Analysis of the DDT/LAT The TU-Decomposition Summary of Different Techniques A Decomposition of the 6-bit APN Permutation Structural Atacks Against Block Ciphers Conclusion Atacks Against SPN (2/2) Works against more than 3 rounds if deg ( S ( AS ) r − 1 ) is low enough. 120 100 SPN degree bound 80 60 40 20 0 0 1 2 3 4 5 6 7 8 Number of rounds 19 / 42

  22. Introduction Overview of S-Box Reverse-Engineering Methods Statistical Analysis of the DDT/LAT The TU-Decomposition Summary of Different Techniques A Decomposition of the 6-bit APN Permutation Structural Atacks Against Block Ciphers Conclusion Atacks Against SPN (2/2) Works against more than 3 rounds if deg ( S ( AS ) r − 1 ) is low enough. 120 100 SPN degree bound 80 60 40 20 0 0 1 2 3 4 5 6 7 8 Number of rounds Degree Bound (SPN) [Biryukov et al., 2017] Let σ operate on m bits, deg ( σ ) = m − 1 , and n be the block size. � S ( AS ) r − 1 � Rhoughly speaking, deg < n − 1 as long as ( m − 1 ) ⌊ r / 2 ⌋ < n . 19 / 42

  23. Introduction Overview of S-Box Reverse-Engineering Methods Statistical Analysis of the DDT/LAT The TU-Decomposition Summary of Different Techniques A Decomposition of the 6-bit APN Permutation Structural Atacks Against Block Ciphers Conclusion Atacks Against Feistel Networks Degree Bound (Feistel Network) [Perrin and Udovenko, 2016] of degree d and let F r ( F ) denote the Let { F i } i < r be permutations of F n / 2 2 r -round n -bit Feistel Network with round function F i . If d ⌊ r / 2 ⌋− 1 + d ⌈ r / 2 ⌉− 1 < n , then some degree n − 1 terms in the ANF of F r ( F ) are missing. 20 / 42

  24. Introduction Overview of S-Box Reverse-Engineering Methods Statistical Analysis of the DDT/LAT The TU-Decomposition Summary of Different Techniques A Decomposition of the 6-bit APN Permutation Structural Atacks Against Block Ciphers Conclusion What Does it Take to Have Full Degree? The degree based distinguishers for SPNs and Feistel networks can be seen as particular cases of this lemma. Lemma Let F : F n 2 → F 2 be a Boolean function and let G : F n 2 → F n 2 be a permutation. Then: deg ( F ) + deg ( G − 1 ) ≥ n . deg ( F ◦ G ) = n − 1 = ⇒ 21 / 42

  25. Introduction Overview of S-Box Reverse-Engineering Methods Definition of the TU-decomposition The TU-Decomposition Application to the Last Russian Standards A Decomposition of the 6-bit APN Permutation Conclusion Outline 1 Introduction 2 Overview of S-Box Reverse-Engineering Methods The TU-Decomposition 3 A Decomposition of the 6-bit APN Permutation 4 Conclusion 5 21 / 42

  26. Introduction Overview of S-Box Reverse-Engineering Methods Definition of the TU-decomposition The TU-Decomposition Application to the Last Russian Standards A Decomposition of the 6-bit APN Permutation Conclusion Plan of this Section Introduction 1 2 Overview of S-Box Reverse-Engineering Methods 3 The TU-Decomposition Definition of the TU-decomposition Application to the Last Russian Standards A Decomposition of the 6-bit APN Permutation 4 Conclusion 5 21 / 42

  27. Introduction Overview of S-Box Reverse-Engineering Methods Definition of the TU-decomposition The TU-Decomposition Application to the Last Russian Standards A Decomposition of the 6-bit APN Permutation Conclusion What is the TU-Decomposition? The TU-decomposition is a decomposition algorithm working against vast groups of algorithms: 3-round Feistel, Dillon’s APN permutation, SAS, ... µ T TU-decomposition S U η T and U are mini-block ciphers ; µ and η are linear permutations. 22 / 42

  28. Introduction Overview of S-Box Reverse-Engineering Methods Definition of the TU-decomposition The TU-Decomposition Application to the Last Russian Standards A Decomposition of the 6-bit APN Permutation Conclusion TU-Decomposition in a Nutshell Let L be the LAT of the target S : F n 2 → F n 2 . µ T U η 23 / 42

  29. Introduction Overview of S-Box Reverse-Engineering Methods Definition of the TU-decomposition The TU-Decomposition Application to the Last Russian Standards A Decomposition of the 6-bit APN Permutation Conclusion TU-Decomposition in a Nutshell Let L be the LAT of the target S : F n 2 → F n 2 . 1 Identify vector spaces U and V of dimension µ n / 2 such that: L ( a , b ) = 0 , ∀ ( a , b ) ∈ U × V . T U η 23 / 42

  30. Introduction Overview of S-Box Reverse-Engineering Methods Definition of the TU-decomposition The TU-Decomposition Application to the Last Russian Standards A Decomposition of the 6-bit APN Permutation Conclusion TU-Decomposition in a Nutshell Let L be the LAT of the target S : F n 2 → F n 2 . 1 Identify vector spaces U and V of dimension µ n / 2 such that: L ( a , b ) = 0 , ∀ ( a , b ) ∈ U × V . T 2 Deduce linear permutations µ ′ and η ′ such that U L ( µ ′ ( a ) , η ′ ( b )) = 0 , ∀ ( a , b ) ∈ F n / 2 × F n / 2 2 2 η 23 / 42

  31. Introduction Overview of S-Box Reverse-Engineering Methods Definition of the TU-decomposition The TU-Decomposition Application to the Last Russian Standards A Decomposition of the 6-bit APN Permutation Conclusion TU-Decomposition in a Nutshell Let L be the LAT of the target S : F n 2 → F n 2 . 1 Identify vector spaces U and V of dimension µ n / 2 such that: L ( a , b ) = 0 , ∀ ( a , b ) ∈ U × V . T 2 Deduce linear permutations µ ′ and η ′ such that U L ( µ ′ ( a ) , η ′ ( b )) = 0 , ∀ ( a , b ) ∈ F n / 2 × F n / 2 2 2 3 Built new LAT L ′ such that η L ′ ( a , b ) = L ( µ ′ ( a ) , η ′ ( b )) and recover S ′ with LAT L ′ . Deduce µ , η . 23 / 42

  32. Introduction Overview of S-Box Reverse-Engineering Methods Definition of the TU-decomposition The TU-Decomposition Application to the Last Russian Standards A Decomposition of the 6-bit APN Permutation Conclusion TU-Decomposition in a Nutshell Let L be the LAT of the target S : F n 2 → F n 2 . 1 Identify vector spaces U and V of dimension µ n / 2 such that: L ( a , b ) = 0 , ∀ ( a , b ) ∈ U × V . T 2 Deduce linear permutations µ ′ and η ′ such that S’ U L ( µ ′ ( a ) , η ′ ( b )) = 0 , ∀ ( a , b ) ∈ F n / 2 × F n / 2 2 2 3 Built new LAT L ′ such that η L ′ ( a , b ) = L ( µ ′ ( a ) , η ′ ( b )) and recover S ′ with LAT L ′ . Deduce µ , η . 23 / 42

  33. Introduction Overview of S-Box Reverse-Engineering Methods Definition of the TU-decomposition The TU-Decomposition Application to the Last Russian Standards A Decomposition of the 6-bit APN Permutation Conclusion Bootstrapping TU-Decomposition OK... But how do we find U and V ? 24 / 42

  34. Introduction Overview of S-Box Reverse-Engineering Methods Definition of the TU-decomposition The TU-Decomposition Application to the Last Russian Standards A Decomposition of the 6-bit APN Permutation Conclusion Bootstrapping TU-Decomposition OK... But how do we find U and V ? For now: we just look at the LAT and hope for the best! 24 / 42

  35. Introduction Overview of S-Box Reverse-Engineering Methods Definition of the TU-decomposition The TU-Decomposition Application to the Last Russian Standards A Decomposition of the 6-bit APN Permutation Conclusion Kuznyechik/Stribog Stribog Type Hash function Publication [GOST, 2012] Kuznyechik Type Block cipher Publication [GOST, 2015] 25 / 42

  36. Introduction Overview of S-Box Reverse-Engineering Methods Definition of the TU-decomposition The TU-Decomposition Application to the Last Russian Standards A Decomposition of the 6-bit APN Permutation Conclusion Kuznyechik/Stribog Stribog Type Hash function Publication [GOST, 2012] Kuznyechik Type Block cipher Publication [GOST, 2015] Common ground Both are standard symmetric primitives in Russia. Both were designed by the FSB (TC26). Both use the same 8 × 8 S-Box, π . 25 / 42

  37. Introduction Overview of S-Box Reverse-Engineering Methods Definition of the TU-decomposition The TU-Decomposition Application to the Last Russian Standards A Decomposition of the 6-bit APN Permutation Conclusion The LAT of the S-Box of Kuznyechik 26 / 42

  38. Introduction Overview of S-Box Reverse-Engineering Methods Definition of the TU-decomposition The TU-Decomposition Application to the Last Russian Standards A Decomposition of the 6-bit APN Permutation Conclusion Applying one Linear Layer 27 / 42

  39. Introduction Overview of S-Box Reverse-Engineering Methods Definition of the TU-decomposition The TU-Decomposition Application to the Last Russian Standards A Decomposition of the 6-bit APN Permutation Conclusion Applying two Linear Layers 28 / 42

  40. Introduction Overview of S-Box Reverse-Engineering Methods Definition of the TU-decomposition The TU-Decomposition Application to the Last Russian Standards A Decomposition of the 6-bit APN Permutation Conclusion Final Decomposition Number 1 α ⊙ I ⊙ Multiplication in F 2 4 ν 0 ν 1 α Linear permutation I Inversion in F 2 4 ν 0 , ν 1 , σ 4 × 4 permutations ϕ ⊙ ϕ 4 × 4 function σ ω Linear permutation ω 29 / 42

  41. Introduction Overview of S-Box Reverse-Engineering Methods Definition of the TU-decomposition The TU-Decomposition Application to the Last Russian Standards A Decomposition of the 6-bit APN Permutation Conclusion Final Decomposition Number 1 α T ⊙ I ⊙ Multiplication in F 2 4 ν 0 ν 1 α Linear permutation I Inversion in F 2 4 U ν 0 , ν 1 , σ 4 × 4 permutations ϕ ⊙ ϕ 4 × 4 function σ ω Linear permutation ω 29 / 42

  42. Introduction Overview of S-Box Reverse-Engineering Methods Definition of the TU-decomposition The TU-Decomposition Application to the Last Russian Standards A Decomposition of the 6-bit APN Permutation Conclusion Conclusion for Kuznyechik/Stribog? The Russian S-Box was built like a strange Feistel... 30 / 42

  43. Introduction Overview of S-Box Reverse-Engineering Methods Definition of the TU-decomposition The TU-Decomposition Application to the Last Russian Standards A Decomposition of the 6-bit APN Permutation Conclusion Conclusion for Kuznyechik/Stribog? The Russian S-Box was built like a strange Feistel... ... or was it? 30 / 42

  44. Introduction Overview of S-Box Reverse-Engineering Methods Definition of the TU-decomposition The TU-Decomposition Application to the Last Russian Standards A Decomposition of the 6-bit APN Permutation Conclusion Conclusion for Kuznyechik/Stribog? The Russian S-Box was built like a strange Feistel... ... or was it? Belarussian inspiration The last standard of Belarus [Bel. St. Univ., 2011] uses an 8-bit S-box, somewhat similar to π ... 30 / 42

  45. Introduction Overview of S-Box Reverse-Engineering Methods Definition of the TU-decomposition The TU-Decomposition Application to the Last Russian Standards A Decomposition of the 6-bit APN Permutation Conclusion Conclusion for Kuznyechik/Stribog? The Russian S-Box was built like a strange Feistel... ... or was it? Belarussian inspiration The last standard of Belarus [Bel. St. Univ., 2011] uses an 8-bit S-box, somewhat similar to π ... ... based on a finite field exponential! 30 / 42

  46. Introduction Overview of S-Box Reverse-Engineering Methods Definition of the TU-decomposition The TU-Decomposition Application to the Last Russian Standards A Decomposition of the 6-bit APN Permutation Conclusion Final Decomposition Number 2 (!) 0 1 2 3 4 5 6 7 8 9 a b c d e f log w , 16 T 0 0 1 2 3 4 5 6 7 8 9 a b c d e f T 1 0 1 2 3 4 5 6 7 8 9 a b c d e f ⊗ − 1 T 2 0 1 2 3 4 5 6 7 8 9 a b c d f e T 3 0 1 2 3 4 5 6 7 8 9 a b c f d e T 4 0 1 2 3 4 5 6 7 8 9 a b f c d e T T 5 0 1 2 3 4 5 6 7 8 9 a f b c d e T 6 0 1 2 3 4 5 6 7 8 9 f a b c d e T 7 0 1 2 3 4 5 6 7 8 f 9 a b c d e ⊞ T 8 0 1 2 3 4 5 6 7 f 8 9 a b c d e T 9 0 1 2 3 4 5 6 f 7 8 9 a b c d e q ′ T a 0 1 2 3 4 5 f 6 7 8 9 a b c d e T b 0 1 2 3 4 f 5 6 7 8 9 a b c d e T c 0 1 2 3 f 4 5 6 7 8 9 a b c d e T d 0 1 2 f 3 4 5 6 7 8 9 a b c d e ω ′ T e 0 1 f 2 3 4 5 6 7 8 9 a b c d e 0 f 1 2 3 4 5 6 7 8 9 a b c d e T f 31 / 42

  47. Introduction Overview of S-Box Reverse-Engineering Methods Definition of the TU-decomposition The TU-Decomposition Application to the Last Russian Standards A Decomposition of the 6-bit APN Permutation Conclusion Final Decomposition Number 2 (!) 0 1 2 3 4 5 6 7 8 9 a b c d e f log w , 16 T 0 0 1 2 3 4 5 6 7 8 9 a b c d e f T 1 0 1 2 3 4 5 6 7 8 9 a b c d e f ⊗ − 1 T 2 0 1 2 3 4 5 6 7 8 9 a b c d f e T 3 0 1 2 3 4 5 6 7 8 9 a b c f d e T 4 0 1 2 3 4 5 6 7 8 9 a b f c d e T T 5 0 1 2 3 4 5 6 7 8 9 a f b c d e T 6 0 1 2 3 4 5 6 7 8 9 f a b c d e T 7 0 1 2 3 4 5 6 7 8 f 9 a b c d e ⊞ T 8 0 1 2 3 4 5 6 7 f 8 9 a b c d e T 9 0 1 2 3 4 5 6 f 7 8 9 a b c d e q ′ T a 0 1 2 3 4 5 f 6 7 8 9 a b c d e T b 0 1 2 3 4 f 5 6 7 8 9 a b c d e T c 0 1 2 3 f 4 5 6 7 8 9 a b c d e T d 0 1 2 f 3 4 5 6 7 8 9 a b c d e ω ′ T e 0 1 f 2 3 4 5 6 7 8 9 a b c d e 0 f 1 2 3 4 5 6 7 8 9 a b c d e T f 31 / 42

  48. Introduction Overview of S-Box Reverse-Engineering Methods Definition of the TU-decomposition The TU-Decomposition Application to the Last Russian Standards A Decomposition of the 6-bit APN Permutation Conclusion Conclusion on Kuznyechik/Stribog π 32 / 42

  49. Introduction Overview of S-Box Reverse-Engineering Methods Definition of the TU-decomposition The TU-Decomposition Application to the Last Russian Standards A Decomposition of the 6-bit APN Permutation Conclusion Conclusion on Kuznyechik/Stribog π 32 / 42

  50. Introduction Overview of S-Box Reverse-Engineering Methods Definition of the TU-decomposition The TU-Decomposition Application to the Last Russian Standards A Decomposition of the 6-bit APN Permutation Conclusion Conclusion on Kuznyechik/Stribog π 32 / 42

  51. Introduction Overview of S-Box Reverse-Engineering Methods Definition of the TU-decomposition The TU-Decomposition Application to the Last Russian Standards A Decomposition of the 6-bit APN Permutation Conclusion Conclusion on Kuznyechik/Stribog π ? 32 / 42

  52. Introduction Overview of S-Box Reverse-Engineering Methods The Big APN Problem and its Only Known Solutions The TU-Decomposition On Buterflies A Decomposition of the 6-bit APN Permutation Conclusion Outline 1 Introduction 2 Overview of S-Box Reverse-Engineering Methods The TU-Decomposition 3 A Decomposition of the 6-bit APN Permutation 4 Conclusion 5 32 / 42

  53. Introduction Overview of S-Box Reverse-Engineering Methods The Big APN Problem and its Only Known Solutions The TU-Decomposition On Buterflies A Decomposition of the 6-bit APN Permutation Conclusion Plan of this Section Introduction 1 2 Overview of S-Box Reverse-Engineering Methods 3 The TU-Decomposition A Decomposition of the 6-bit APN Permutation 4 The Big APN Problem and its Only Known Solutions On Buterflies Conclusion 5 32 / 42

  54. Introduction Overview of S-Box Reverse-Engineering Methods The Big APN Problem and its Only Known Solutions The TU-Decomposition On Buterflies A Decomposition of the 6-bit APN Permutation Conclusion The Big APN Problem Definition (APN function) A function f : F n 2 → F n 2 is Almost Perfect Non-linear (APN) if f ( x ⊕ a ) ⊕ f ( x ) = b has 0 or 2 solutions for all a � 0 and for all b . 33 / 42

  55. Introduction Overview of S-Box Reverse-Engineering Methods The Big APN Problem and its Only Known Solutions The TU-Decomposition On Buterflies A Decomposition of the 6-bit APN Permutation Conclusion The Big APN Problem Definition (APN function) A function f : F n 2 → F n 2 is Almost Perfect Non-linear (APN) if f ( x ⊕ a ) ⊕ f ( x ) = b has 0 or 2 solutions for all a � 0 and for all b . Big APN Problem Are there APN permutations operating on F n 2 where n is even? 33 / 42

  56. Introduction Overview of S-Box Reverse-Engineering Methods The Big APN Problem and its Only Known Solutions The TU-Decomposition On Buterflies A Decomposition of the 6-bit APN Permutation Conclusion Dillon et al.’s Permutation Only One Known Solution! For n = 6 , Dillon et al. found an APN permutation. 34 / 42

  57. Introduction Overview of S-Box Reverse-Engineering Methods The Big APN Problem and its Only Known Solutions The TU-Decomposition On Buterflies A Decomposition of the 6-bit APN Permutation Conclusion Dillon et al.’s Permutation Only One Known Solution! For n = 6 , Dillon et al. found an APN permutation. 34 / 42

  58. Introduction Overview of S-Box Reverse-Engineering Methods The Big APN Problem and its Only Known Solutions The TU-Decomposition On Buterflies A Decomposition of the 6-bit APN Permutation Conclusion Dillon et al.’s Permutation Only One Known Solution! For n = 6 , Dillon et al. found an APN permutation. 34 / 42

  59. Introduction Overview of S-Box Reverse-Engineering Methods The Big APN Problem and its Only Known Solutions The TU-Decomposition On Buterflies A Decomposition of the 6-bit APN Permutation Conclusion Dillon et al.’s Permutation Only One Known Solution! For n = 6 , Dillon et al. found an APN permutation. It is possible to make a TU-decomposition! 34 / 42

  60. Introduction Overview of S-Box Reverse-Engineering Methods The Big APN Problem and its Only Known Solutions The TU-Decomposition On Buterflies A Decomposition of the 6-bit APN Permutation Conclusion On the Buterfly Structure βx 3 ⊕ Definition (Open Buterfly H 3 α , β ) x 1 / 3 This permutation is an open buterfly. α ⊕ ⊙ ⊕ ⊙ α x 3 βx 3 ⊕ 35 / 42

  61. Introduction Overview of S-Box Reverse-Engineering Methods The Big APN Problem and its Only Known Solutions The TU-Decomposition On Buterflies A Decomposition of the 6-bit APN Permutation Conclusion On the Buterfly Structure T βx 3 ⊕ Definition (Open Buterfly H 3 α , β ) x 1 / 3 This permutation is an open buterfly. α ⊕ ⊙ U ⊕ ⊙ Lemma α Dillon’s permutation is affine-equivalent x 3 to H 3 w , 1 , where Tr ( w ) = 0 . βx 3 ⊕ 35 / 42

  62. Introduction Overview of S-Box Reverse-Engineering Methods The Big APN Problem and its Only Known Solutions The TU-Decomposition On Buterflies A Decomposition of the 6-bit APN Permutation Conclusion CCZ-equivalence (1/2) Definition (CCZ-equivalence) Let F and G be functions of F n 2 . They are CCZ-equivalent if there exists a linear permutation L of F n 2 × F n 2 such that � � � , ∀ x ∈ F n � � � � , ∀ x ∈ F n � x , F ( x ) L x , G ( x ) = 2 2 36 / 42

  63. Introduction Overview of S-Box Reverse-Engineering Methods The Big APN Problem and its Only Known Solutions The TU-Decomposition On Buterflies A Decomposition of the 6-bit APN Permutation Conclusion CCZ-equivalence (1/2) Definition (CCZ-equivalence) Let F and G be functions of F n 2 . They are CCZ-equivalent if there exists a linear permutation L of F n 2 × F n 2 such that � � � , ∀ x ∈ F n � � � � , ∀ x ∈ F n � x , F ( x ) L x , G ( x ) = 2 2 Properties CCZ-equivalence preserves: the distribution of the coefficients in the LAT (Walsh spectrum), the distribution of the coefficients in the DDT. It does not preserve: the position of the DDT/LAT coefficients the algebraic degree. 36 / 42

  64. Introduction Overview of S-Box Reverse-Engineering Methods The Big APN Problem and its Only Known Solutions The TU-Decomposition On Buterflies A Decomposition of the 6-bit APN Permutation Conclusion Closed Buterflies Definition (Closed buterfly V 3 α , β ) This quadratic function is a closed buterfly. ⊙ ⊕ ⊙ ⊕ α α x 3 x 3 βx 3 βx 3 ⊕ ⊕ 37 / 42

  65. Introduction Overview of S-Box Reverse-Engineering Methods The Big APN Problem and its Only Known Solutions The TU-Decomposition On Buterflies A Decomposition of the 6-bit APN Permutation Conclusion Closed Buterflies Definition (Closed buterfly V 3 α , β ) This quadratic function is a closed buterfly. ⊙ ⊕ ⊙ ⊕ α α x 3 x 3 Lemma (Equivalence) βx 3 βx 3 ⊕ ⊕ Open and closed buterflies with the same parameters are CCZ-equivalent. 37 / 42

  66. Introduction Overview of S-Box Reverse-Engineering Methods The Big APN Problem and its Only Known Solutions The TU-Decomposition On Buterflies A Decomposition of the 6-bit APN Permutation Conclusion Buterflies and Feistel Networks When α = 1 , buterflies can be greatly simplified. βx 3 ⊕ ⊕ βx 3 βx 3 x 3 x 1 / 3 ⊕ ⊕ ⊕ βx 3 ⊕ 38 / 42

  67. Introduction Overview of S-Box Reverse-Engineering Methods The Big APN Problem and its Only Known Solutions The TU-Decomposition On Buterflies A Decomposition of the 6-bit APN Permutation Conclusion Some Properties of Buterflies Theorem (Properties of buterflies [Canteaut et al., 2017] ) Let V 3 α , β and H 3 α , β be buterflies operating on 2 n bits, n odd. Then: � � V 3 deg = 2 , α , β if n = 3 , Tr ( α ) = 0 and β + α 3 ∈ { α , 1 / α } , then max ( DDT ) = 2 , max ( W ) = 2 n + 1 and deg � H 3 � = n + 1 , α , β if β = ( 1 + α ) 3 , then max ( DDT ) = 2 n + 1 , max ( W ) = 2 ( 3 n + 1 ) / 2 and deg � H 3 � = n , α , β otherwise, max ( DDT ) = 4 , max ( W ) = 2 n + 1 and deg � � H 3 ∈ { n , n + 1 } α , β � � H 3 and deg = n if and only if α , β 1 + α β + α 4 = ( β + α + α 3 ) 2 . 39 / 42

  68. Introduction Overview of S-Box Reverse-Engineering Methods The TU-Decomposition Conclusion A Decomposition of the 6-bit APN Permutation Conclusion Outline 1 Introduction 2 Overview of S-Box Reverse-Engineering Methods The TU-Decomposition 3 A Decomposition of the 6-bit APN Permutation 4 Conclusion 5 39 / 42

  69. Introduction Overview of S-Box Reverse-Engineering Methods The TU-Decomposition Conclusion A Decomposition of the 6-bit APN Permutation Conclusion Plan of this Section 1 Introduction 2 Overview of S-Box Reverse-Engineering Methods The TU-Decomposition 3 A Decomposition of the 6-bit APN Permutation 4 Conclusion 5 39 / 42

  70. Introduction Overview of S-Box Reverse-Engineering Methods The TU-Decomposition Conclusion A Decomposition of the 6-bit APN Permutation Conclusion Conclusion We can recover the majority of known S-Box structures and derive new results about Skipjack and Kuznyechik. 40 / 42

  71. Introduction Overview of S-Box Reverse-Engineering Methods The TU-Decomposition Conclusion A Decomposition of the 6-bit APN Permutation Conclusion Conclusion We can recover the majority of known S-Box structures and derive new results about Skipjack and Kuznyechik. We can generalize the permutation of Dillon et al... 40 / 42

  72. Introduction Overview of S-Box Reverse-Engineering Methods The TU-Decomposition Conclusion A Decomposition of the 6-bit APN Permutation Conclusion Conclusion We can recover the majority of known S-Box structures and derive new results about Skipjack and Kuznyechik. We can generalize the permutation of Dillon et al... but we can prove that our generalizations are never APN (except in the known case). 40 / 42

  73. Introduction Overview of S-Box Reverse-Engineering Methods The TU-Decomposition Conclusion A Decomposition of the 6-bit APN Permutation Conclusion Conclusion We can recover the majority of known S-Box structures and derive new results about Skipjack and Kuznyechik. We can generalize the permutation of Dillon et al... but we can prove that our generalizations are never APN (except in the known case). There are still S-Boxes with unknown building strategies (CMEA, CSS)! 40 / 42

  74. Introduction Overview of S-Box Reverse-Engineering Methods The TU-Decomposition Conclusion A Decomposition of the 6-bit APN Permutation Conclusion The Last S-Box 14 11 60 6d e9 10 e3 2 b 90 d 17 c5 b0 9f c5 d8 da be 22 8 f3 4 a9 fe f3 f5 fc bc 30 be 26 bb 88 85 46 f4 2e e fd 76 fe b0 11 4e de 35 bb 30 4b 30 d6 dd df df d4 90 7a d8 8c 6a 89 30 39 e9 1 da d2 85 87 d3 d4 ba 2b d4 9f 9c 38 8c 55 d3 86 bb db ec e0 46 48 bf 46 1b 1c d7 d9 1b e0 23 d4 d7 7f 16 3f 3 3 44 c3 59 10 2a da ed e9 8e d8 d1 db cb cb c3 c7 38 22 34 3d db 85 23 7c 24 d1 d8 2e fc 44 8 38 c8 c7 39 4c 5f 56 2a cf d0 e9 d2 68 e4 e3 e9 13 e2 c 97 e4 60 29 d7 9b d9 16 24 94 b3 e3 4c 4c 4f 39 e0 4b bc 2c d3 94 81 96 93 84 91 d0 2e d6 d2 2b 78 ef d6 9e 7b 72 ad c4 68 92 7a d2 5 2b 1e d0 dc b1 22 3f c3 c3 88 b1 8d b5 e3 4e d7 81 3 15 17 25 4e 65 88 4e e4 3b 81 81 fa 1 1d 4 22 0 6 1 27 68 27 2e 3b 83 c7 cc 25 9b d8 d5 1c 1f e5 59 7f 3f 3f ef 41 / 42

  75. Introduction Overview of S-Box Reverse-Engineering Methods The TU-Decomposition Conclusion A Decomposition of the 6-bit APN Permutation Conclusion 42 / 42

  76. Appendix Back-Up Slides Bibliography Details About Skipjack 300 Number of occurrences (log scale) 200 100 22 23 24 25 26 27 28 Absolute value of the coefficients in the LAT 1 / 4

Recommend

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin SnT, University of Luxembourg April 25, 2017 PhD Defence Introduction On S-Box Reverse-Engineering On Lightweight Cryptography Conclusion

1.76k views • 137 slides
Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin CSC &amp; SnT, University of Luxembourg CryptoLUX Team ; supervised by Alex Biryukov July 5th 2018 Introduction What is cryptography?

1.14k views • 71 slides
Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Objectives Models for Cryptanalysis Cryptanalysis of Monoalphabetic Ciphers

Cryptanalysis of Classical Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Models for Cryptanalysis Cryptanalysis of

657 views • 20 slides
Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a product, understand how it works Usually limited to certain aspects, not full systems Need to know a little bit about a lot of topics to gain

636 views • 11 slides
Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work

Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work

Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work with: Li J W Li, J. Wang, Pongsajapan, Tan, Tang, M. Wang P j T T M W Outline Background Layering as optimization decomposition L

932 views • 47 slides
Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team

Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team

Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team eresi@asgardlabs.org This presentation is about .. The Embedded ERESI debugger : e2dbg The Embedded ERESI tracer : etrace The ERESI reverse

849 views • 47 slides
CS 166: Information Security Reverse Engineering &amp; Digital Rights Management Prof. Tom

CS 166: Information Security Reverse Engineering &amp; Digital Rights Management Prof. Tom

CS 166: Information Security Reverse Engineering &amp; Digital Rights Management Prof. Tom Austin San Jos State University SRE Software Reverse Engineering Also known as Reverse Code Engineering (RCE) Or simply reversing

1.04k views • 80 slides
Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The

Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The

Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The Chinese University of Hong Kong Joint work with J.-W. Lee, A. Tang, M. Chiang and A. R. Canderbank J. Huang (CUHK) Reverse Engineering MAC Nov.

605 views • 38 slides
Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at

Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at

Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at the last 20 years of RE and looking ahead at the next few SSTIC 2018 -- Thomas Dullien (Halvar Flake) Progress in Reverse Engineering 2010

941 views • 64 slides
Reverse engineering basics @KirilsSolovjovs on twitter Mg.sc.comp. Kirils Solovjovs

Reverse engineering basics @KirilsSolovjovs on twitter Mg.sc.comp. Kirils Solovjovs

Reverse engineering basics @KirilsSolovjovs on twitter Mg.sc.comp. Kirils Solovjovs http://kirils.org for more Possible Security Reverse engineering? www.indiamart.com Contents Hardware architecture Processors and machine language

536 views • 25 slides
Understanding human speech recognition: Reverse-engineering the engineering solution using

Understanding human speech recognition: Reverse-engineering the engineering solution using

Cai Wingfield CSLB, Department of Psychology Workshop on Neurocomputation: From Brains to Machines University of Cambridge 25 November 2015 Understanding human speech recognition: Reverse-engineering the engineering solution using EMEG

196 views • 18 slides
Reverse Engineering CAPTCHAs Abram Hindle, Micheal W. Godfrey, Richard C. Holt Software

Reverse Engineering CAPTCHAs Abram Hindle, Micheal W. Godfrey, Richard C. Holt Software

Reverse Engineering CAPTCHAs WCRE 2008 Reverse Engineering CAPTCHAs Abram Hindle, Micheal W. Godfrey, Richard C. Holt Software Architecture Group David R. Cheriton School of Computer Science University of Waterloo Canada

726 views • 57 slides
Reverse engineering AT32UC3As JTAG Introduction Overview LSE Summer Week 2014 TAP

Reverse engineering AT32UC3As JTAG Introduction Overview LSE Summer Week 2014 TAP

Reverse engineering AT32UC3As JTAG Pierre Surply Reverse engineering AT32UC3As JTAG Introduction Overview LSE Summer Week 2014 TAP Controller Scan Chain Pierre Surply Boundary Scan UC3 JTAG EPITA 2016 Reverse engineering Jul

968 views • 72 slides
Reverse Engineering Dr. Vadim Zaytsev aka @grammarware UvA, MSc SE, 9 November 2015 Roadmap

Reverse Engineering Dr. Vadim Zaytsev aka @grammarware UvA, MSc SE, 9 November 2015 Roadmap

Reverse Engineering Dr. Vadim Zaytsev aka @grammarware UvA, MSc SE, 9 November 2015 Roadmap W44 Introduction V.Zaytsev W45 Metaprogramming J.Vinju W46 Reverse Engineering V.Zaytsev W47 Software Analytics M.Bruntink W48 Clone

751 views • 31 slides
Reverse Engineering DSP Code GameCube DSP Analyzing GCN DSP code Pierre Bourdon Conclusion

Reverse Engineering DSP Code GameCube DSP Analyzing GCN DSP code Pierre Bourdon Conclusion

Reverse Engineering DSP Code Pierre Bourdon Introduction DSP Reverse Engineering DSP Code GameCube DSP Analyzing GCN DSP code Pierre Bourdon Conclusion delroth@lse.epita.fr http://lse.epita.fr February 12, 2013 Context Reverse

856 views • 18 slides
Introduction .NET Reverse Engineering Eric DePree Introduction to .NET Programs written for

Introduction .NET Reverse Engineering Eric DePree Introduction to .NET Programs written for

Introduction .NET Reverse Engineering Eric DePree Introduction to .NET Programs written for .NET are easy to reverse engineer. This is not in any way a fault in the design of .NET; it is simply a reality of modern, intermediate-compiled

132 views • 10 slides
Explaining the Boom-Bust Cycle in the U.S. Housing Market: A Reverse-Engineering Approach

Explaining the Boom-Bust Cycle in the U.S. Housing Market: A Reverse-Engineering Approach

Overview Evidence Model Calibration Quantitative Results Reverse Engineered Shocks Conclusion Extras Explaining the Boom-Bust Cycle in the U.S. Housing Market: A Reverse-Engineering Approach Paolo Gelain Kevin J. Lansing Gisle J.

717 views • 50 slides
Reverse engineering using computational algebra Elena Dimitrova School of Mathematical and

Reverse engineering using computational algebra Elena Dimitrova School of Mathematical and

Reverse engineering using computational algebra Elena Dimitrova School of Mathematical and Statistical Sciences Clemson University http://edimit.people.clemson.edu/ Algebraic Biology E. Dimitrova (Clemson) Reverse engineering using

864 views • 57 slides
Computer and Information Security Fall 2019 Reverse Engineering Tyler Bletsch Duke University

Computer and Information Security Fall 2019 Reverse Engineering Tyler Bletsch Duke University

ECE590 Computer and Information Security Fall 2019 Reverse Engineering Tyler Bletsch Duke University With additional content by Jiaming Li, NC State University, 2015 What is software reverse engineering? Determine and possibly change

629 views • 35 slides
Reverse engineering - traces to state machines Neil Walkinshaw and Kirill Bogdanov 1 1 Department

Reverse engineering - traces to state machines Neil Walkinshaw and Kirill Bogdanov 1 1 Department

Inference Competition Reverse engineering - traces to state machines Neil Walkinshaw and Kirill Bogdanov 1 1 Department of Computer Science The University of Sheffield TAIC PART, September 4, 2010 U. of Sheffield Reverse engineering - traces

660 views • 17 slides
Software Maintenance Overview Legacy code Reverse-engineering Re-engineering

Software Maintenance Overview Legacy code Reverse-engineering Re-engineering

Software Maintenance Overview Legacy code Reverse-engineering Re-engineering Preventative Maintenance Michal Young / Stuart Faulk 05/16/99 1 Post-Deployment Evolution a.k.a. maintenance General definition:

238 views • 10 slides
ECE590 Computer and Information Security Fall 2018 Reverse Engineering Tyler Bletsch Duke

ECE590 Computer and Information Security Fall 2018 Reverse Engineering Tyler Bletsch Duke

ECE590 Computer and Information Security Fall 2018 Reverse Engineering Tyler Bletsch Duke University With additional content by Jiaming Li, NC State University, 2015 What is software reverse engineering? Determine and possibly change

643 views • 35 slides
17 th Workshop on Software Engineering Education and Reverse Engineering Primosten, Croatia

17 th Workshop on Software Engineering Education and Reverse Engineering Primosten, Croatia

17 th Workshop on Software Engineering Education and Reverse Engineering Primosten, Croatia September 2018 &quot;A proposed model for peer assessment in t he digit al age: Leveraging social media plat forms&quot; | 17t h Workshop on

248 views • 13 slides
Reverse-engineering human intelligence, and engineering more human-like AI Josh Tenenbaum MIT

Reverse-engineering human intelligence, and engineering more human-like AI Josh Tenenbaum MIT

Reverse-engineering human intelligence, and engineering more human-like AI Josh Tenenbaum MIT Computational Cognitive Science Group CSAIL Department of Brain and Cognitive Sciences March 2013 A success story: Intelligence as statistics

379 views • 5 slides

More recommend