
S-Box Decompositions and some Applications, Léo Perrin, January 28, - PowerPoint PPT Presentation

  1. S-Box Decompositions and some Applications. Léo Perrin. January 28, 2019, Nancy

  2. Curriculum. Currently: post-doc at SECRET in Inria Paris. PhD: University of Luxembourg (symmetric cryptography). Masters: double degree Centrale Lyon/KTH (discrete math/theoretical CS).

  3. Outline: 1 My Area of Research: Symmetric Cryptography; 2 From Russia With Love; 3 Cryptanalysis of a Theorem; 4 Conclusion

  4. Outline, section 1: My Area of Research: Symmetric Cryptography (subsections: Symmetric Cryptography 101; My Contributions)

  8. Symmetric Cryptography. We assume that a secret key has already been shared!
     Definition (Block Cipher). Input: $n$-bit block $x$. Parameter: $k$-bit key $\kappa$. Output: $n$-bit block $E_\kappa(x)$. Symmetry: $E$ and $E^{-1}$ use the same $\kappa$.
     No Key Recovery. Given many pairs $(x, E_\kappa(x))$, it must be impossible to recover $\kappa$.
     Indistinguishability. Given an $n$-bit permutation $P$, it must be impossible to figure out if $P = E_\kappa$ for some $\kappa$.

  9. Security Arguments. The specification contains a full design rationale, meaning we can trust the cipher because: we trust the security arguments of the designer; we have a starting point for cryptanalysis.

  10. Security Arguments. The specification does not contain a full design rationale, meaning we cannot trust the cipher because: we have to start cryptanalysis from scratch; what are they trying to hide?

  12. To Build a Cipher. Iterated Construction. Two different sub-components for f: linear layer (diffusion); S-box layer (non-linearity).

  14. The S-box. Importance of the S-box: if $S$ is such that the maximum number of $x$ such that $S(x) \oplus S(x \oplus a) = b$ is low for all $a \neq 0$ and $b$, then the cipher may be proved secure against differential attacks.

  17. S-box Design. Grøstl... iScream... Khazad...

  19. S-box Reverse-Engineering (figure: S with unknown components marked "?")

  22. Why Reverse-Engineer S-boxes? (1/3) A malicious designer can hide a structure in an S-box. To keep an advantage in implementation (white-box crypto)... or an advantage in cryptanalysis (backdoor). eprint report 2015/767

  23. Why Reverse-Engineer S-boxes? (2/3) S-box based backdoors in the literature:
     Rijmen, V., & Preneel, B. (1997). A family of trapdoor ciphers. FSE’97.
     Paterson, K. (1999). Imprimitive Permutation Groups and Trapdoors in Iterated Block Ciphers. FSE’99.
     Blondeau, C., Civino, R., & Sala, M. (2017). Differential Attacks: Using Alternative Operations. eprint report 2017/610.
     Bannier, A., & Filiol, E. (2017). Partition-based trapdoor ciphers. In Partition-Based Trapdoor Ciphers. InTech’17.

  24. Why Reverse-Engineer S-boxes? (3/3) Even without malicious intent, an unexpected structure can be a problem. ⇒ We need tools to reverse-engineer S-boxes!

  25. Design and Analysis.
     Analysis: GLUON-64 hash function (FSE’14); PRINCE block cipher (FSE’15); TWINE block cipher (FSE’15).
     Design: SPARX block cipher (Asiacrypt’16); SPARKLE permutation, ESCH hash function, SCHWAEMM authenticated cipher (NIST submission); purposefully hard functions (Asiacrypt’17); MOE block cipher (submitted to EC).

  26. S-box Reverse-Engineering.
     When the S-box has a BC structure: Feistel network (SAC’15, FSE’16), SPN (ToSC’17).
     When it doesn’t: Analysis of Skipjack (Crypto’15); Structures in the Russian S-box (Eurocrypt’16, ToSC’17, ToSC’19); Cryptanalysis of a Theorem (Crypto’16, IEEE Trans. Inf. Th.’17, FFA’19, CC’19).

  28. Outline, section 2: From Russia With Love (subsections: TU-Decomposition; Decomposing a Mysterious S-box; The Plot Thickens)

  29. Outline. We can recover an actual decomposition using patterns in the LAT. 1 TU-decomposition: what is it and how to apply it? 2 First results on the Russian S-box. 3 Its intended decomposition (I think).
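
Added example, not taken from the slides: the differential criterion of slide 14 (the number of $x$ with $S(x) \oplus S(x \oplus a) = b$) and the LAT mentioned on slide 29, computed for 4-bit S-boxes. The PRESENT S-box and the rotation map `ROTL4` are inputs chosen here for illustration; the function names are this example's own.

```python
# Added example: difference distribution table (DDT) and linear
# approximation table (LAT) of a small S-box.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]  # example input, not from the slides
# Constructed contrast case: a 4-bit rotation, i.e. a linear "S-box".
ROTL4 = [((x << 1) | (x >> 3)) & 0xF for x in range(16)]

def ddt(sbox):
    """ddt[a][b] = number of x such that S(x) ^ S(x ^ a) == b."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for a in range(n):
        for x in range(n):
            table[a][sbox[x] ^ sbox[x ^ a]] += 1
    return table

def differential_uniformity(sbox):
    """Largest DDT entry over all a != 0 and all b (must be low)."""
    return max(max(row) for row in ddt(sbox)[1:])

def parity(v):
    """Parity of the bits of v, i.e. a dot product over GF(2) once masked."""
    return bin(v).count("1") & 1

def lat(sbox):
    """lat[a][b] = sum over x of (-1)^(a.x ^ b.S(x))."""
    n = len(sbox)
    return [[sum(1 - 2 * parity((a & x) ^ (b & sbox[x])) for x in range(n))
             for b in range(n)] for a in range(n)]

def linearity(sbox):
    """Largest |lat[a][b]| over all a and all b != 0."""
    return max(abs(row[b]) for row in lat(sbox) for b in range(1, len(sbox)))

def lat_zero_count(sbox):
    """Number of zero LAT entries; the LAT is the table whose patterns are inspected."""
    return sum(row.count(0) for row in lat(sbox))

if __name__ == "__main__":
    for name, sbox in (("PRESENT", PRESENT_SBOX), ("ROTL4 (linear)", ROTL4)):
        print(f"{name}: differential uniformity = {differential_uniformity(sbox)}, "
              f"linearity = {linearity(sbox)}, LAT zeros = {lat_zero_count(sbox)}")
```

For the linear map every input difference gives a single output difference, so its DDT maximum equals the table size, which is the situation the criterion on slide 14 rules out.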
