S-Box Reverse-Engineering: Boolean Functions, American/Russian Standards, and Butterflies Léo Perrin To cite this version: Léo Perrin. S-Box Reverse-Engineering: Boolean Functions, American/Russian Standards, and But- terflies. CECC 2018 - Central European Conference on Cryptology, Jun 2018, Smolenice, Slovakia. pp.1-99. hal-01953348 HAL Id: hal-01953348 https://hal.inria.fr/hal-01953348 Submitted on 12 Dec 2018 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. S-Box Reverse-Engineering Boolean Functions, American/Russian Standards, and Butterflies Léo Perrin Based on joint works with Biryukov, Canteaut, Duval and Udovenko June 6, 2018 CECC’18 Building Blocks for Symmetric Cryptography Statistics and Skipjack TU-Decomposition and Kuznyechik The Butterfly Permutations and Functions Conclusion Outline 1 Building Blocks for Symmetric Cryptography 2 Statistics and Skipjack 3 TU-Decomposition and Kuznyechik 4 The Butterfly Permutations and Functions 5 Conclusion 1 / 46 Building Blocks for Symmetric Cryptography Statistics and Skipjack Basics of Symmetric Cryptography TU-Decomposition and Kuznyechik Block Cipher Design The Butterfly Permutations and Functions Conclusion Outline 1 Building Blocks for Symmetric Cryptography 2 Statistics and Skipjack 3 TU-Decomposition and Kuznyechik 4 The Butterfly Permutations and Functions 5 Conclusion 1 / 46 Definition (Block Cipher) x Input: n-bit block x Parameter: k-bit key κ κ E Output: n-bit block Eκ(x) −1 Symmetry: E and E use the same κ Eκ(x) Properties needed: Diffusion Confusion No cryptanalysis! Building Blocks for Symmetric Cryptography Statistics and Skipjack Basics of Symmetric Cryptography TU-Decomposition and Kuznyechik Block Cipher Design The Butterfly Permutations and Functions Conclusion Symmetric Cryptography There are many symmetric algorithms! Hash functions, MACs... 2 / 46 Properties needed: Diffusion Confusion No cryptanalysis! Building Blocks for Symmetric Cryptography Statistics and Skipjack Basics of Symmetric Cryptography TU-Decomposition and Kuznyechik Block Cipher Design The Butterfly Permutations and Functions Conclusion Symmetric Cryptography There are many symmetric algorithms! Hash functions, MACs... Definition (Block Cipher) x Input: n-bit block x Parameter: k-bit key κ κ E Output: n-bit block Eκ(x) −1 Symmetry: E and E use the same κ Eκ(x) 2 / 46 Building Blocks for Symmetric Cryptography Statistics and Skipjack Basics of Symmetric Cryptography TU-Decomposition and Kuznyechik Block Cipher Design The Butterfly Permutations and Functions Conclusion Symmetric Cryptography There are many symmetric algorithms! Hash functions, MACs... Definition (Block Cipher) x Input: n-bit block x Parameter: k-bit key κ κ E Output: n-bit block Eκ(x) −1 Symmetry: E and E use the same κ Eκ(x) Properties needed: Diffusion Confusion No cryptanalysis! 2 / 46 Building Blocks for Symmetric Cryptography Statistics and Skipjack Basics of Symmetric Cryptography TU-Decomposition and Kuznyechik Block Cipher Design The Butterfly Permutations and Functions Conclusion No Cryptanalysis? Let us look at a typical cryptanalysis technique: the differential attack. 3 / 46 x x ⊕ a a Eκ Eκ 0x7e6f661193739ceaEκ(x) ⊕ 0x04d4595257eb06c8Eκ(x ⊕ a) b =7abb3f43c4989a22b Differential Attack If there are many x such that Eκ(x) ⊕ Eκ(x ⊕ a) = b, then the cipher is not secure. Building Blocks for Symmetric Cryptography Statistics and Skipjack Basics of Symmetric Cryptography TU-Decomposition and Kuznyechik Block Cipher Design The Butterfly Permutations and Functions Conclusion Differential Attacks 6ec1067e5c5391ae ⊕ 6ec1067e5c5390ae a =0000000000000100 4 / 46 x x ⊕ a a 0x7e6f661193739ceaEκ(x) ⊕ 0x04d4595257eb06c8Eκ(x ⊕ a) b =7abb3f43c4989a22b Differential Attack If there are many x such that Eκ(x) ⊕ Eκ(x ⊕ a) = b, then the cipher is not secure. Building Blocks for Symmetric Cryptography Statistics and Skipjack Basics of Symmetric Cryptography TU-Decomposition and Kuznyechik Block Cipher Design The Butterfly Permutations and Functions Conclusion Differential Attacks 6ec1067e5c5391ae ⊕ 6ec1067e5c5390ae a =0000000000000100 Eκ Eκ 4 / 46 x x ⊕ a a Eκ(x) ⊕ Eκ(x ⊕ a) b =7abb3f43c4989a22b Differential Attack If there are many x such that Eκ(x) ⊕ Eκ(x ⊕ a) = b, then the cipher is not secure. Building Blocks for Symmetric Cryptography Statistics and Skipjack Basics of Symmetric Cryptography TU-Decomposition and Kuznyechik Block Cipher Design The Butterfly Permutations and Functions Conclusion Differential Attacks 6ec1067e5c5391ae ⊕ 6ec1067e5c5390ae a =0000000000000100 Eκ Eκ 0x7e6f661193739cea 0x04d4595257eb06c8 4 / 46 x x ⊕ a a Eκ(x) ⊕ Eκ(x ⊕ a) b Differential Attack If there are many x such that Eκ(x) ⊕ Eκ(x ⊕ a) = b, then the cipher is not secure. Building Blocks for Symmetric Cryptography Statistics and Skipjack Basics of Symmetric Cryptography TU-Decomposition and Kuznyechik Block Cipher Design The Butterfly Permutations and Functions Conclusion Differential Attacks 6ec1067e5c5391ae ⊕ 6ec1067e5c5390ae a =0000000000000100 Eκ Eκ 0x7e6f661193739cea ⊕ 0x04d4595257eb06c8 b =7abb3f43c4989a22 4 / 46 6ec1067e5c5391ae 6ec1067e5c5390ae a =0000000000000100 0x7e6f661193739cea ⊕ 0x04d4595257eb06c8 b =7abb3f43c4989a22 Differential Attack If there are many x such that Eκ(x) ⊕ Eκ(x ⊕ a) = b, then the cipher is not secure. Building Blocks for Symmetric Cryptography Statistics and Skipjack Basics of Symmetric Cryptography TU-Decomposition and Kuznyechik Block Cipher Design The Butterfly Permutations and Functions Conclusion Differential Attacks x ⊕ x ⊕ a a Eκ Eκ Eκ(x) ⊕ Eκ(x ⊕ a) b 4 / 46 6ec1067e5c5391ae 6ec1067e5c5390ae a =0000000000000100 0x7e6f661193739cea ⊕ 0x04d4595257eb06c8 b =7abb3f43c4989a22 Building Blocks for Symmetric Cryptography Statistics and Skipjack Basics of Symmetric Cryptography TU-Decomposition and Kuznyechik Block Cipher Design The Butterfly Permutations and Functions Conclusion Differential Attacks x ⊕ x ⊕ a a Eκ Eκ Eκ(x) ⊕ Eκ(x ⊕ a) b Differential Attack If there are many x such that Eκ(x) ⊕ Eκ(x ⊕ a) = b, then the cipher is not secure. 4 / 46 κi ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ S S S S S S S S L Substitution-Permutation Network Such a block cipher iterates the round function above several times. S is the Substitution Box (S-Box). Building Blocks for Symmetric Cryptography Statistics and Skipjack Basics of Symmetric Cryptography TU-Decomposition and Kuznyechik Block Cipher Design The Butterfly Permutations and Functions Conclusion Basic Block Cipher Structure How do we build block ciphers that prevent such attacks (as well as others)? 5 / 46 Substitution-Permutation Network Such a block cipher iterates the round function above several times. S is the Substitution Box (S-Box). Building Blocks for Symmetric Cryptography Statistics and Skipjack Basics of Symmetric Cryptography TU-Decomposition and Kuznyechik Block Cipher Design The Butterfly Permutations and Functions Conclusion Basic Block Cipher Structure How do we build block ciphers that prevent such attacks (as well as others)? κi ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ S S S S S S S S L 5 / 46 Building Blocks for Symmetric Cryptography Statistics and Skipjack Basics of Symmetric Cryptography TU-Decomposition and Kuznyechik Block Cipher Design The Butterfly Permutations and Functions Conclusion Basic Block Cipher Structure How do we build block ciphers that prevent such attacks (as well as others)? κi ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ S S S S S S S S L Substitution-Permutation Network Such a block cipher iterates the round function above several times. S is the Substitution Box (S-Box). 5 / 46 Building Blocks for Symmetric Cryptography Statistics and Skipjack Basics of Symmetric Cryptography TU-Decomposition and Kuznyechik Block Cipher Design The Butterfly Permutations and Functions Conclusion The S-Box (1/2) The S-Box π of the latest Russian standards, Kuznyechik (BC) and Streebog (HF). 6 / 46 In academic papers presenting new block ciphers, the choice of S is carefully explained. Building Blocks for Symmetric Cryptography Statistics and Skipjack Basics of Symmetric Cryptography TU-Decomposition and Kuznyechik Block Cipher Design The Butterfly Permutations and Functions Conclusion The S-Box (2/2) Importance of the S-Box If S is such that S(x) ⊕ S(x ⊕ a) = b does not have many solutions x for all (a; b) then the cipher may be proved secure against differential attacks. 7 / 46 Building Blocks for Symmetric Cryptography Statistics and Skipjack Basics of Symmetric Cryptography TU-Decomposition and Kuznyechik Block Cipher Design The Butterfly Permutations and Functions Conclusion The S-Box (2/2) Importance of the S-Box If S is such that S(x) ⊕ S(x ⊕ a) = b does not have many solutions x for all (a; b) then the cipher may be proved secure against differential attacks. In academic papers presenting new block ciphers, the choice of S is carefully explained. 7 / 46 Building Blocks for Symmetric Cryptography Statistics and Skipjack Basics of Symmetric Cryptography TU-Decomposition and Kuznyechik Block Cipher Design The Butterfly Permutations and Functions Conclusion S-Box Design 8 / 46 Building Blocks for Symmetric Cryptography Statistics and Skipjack Basics of Symmetric Cryptography