how to analyse an s box and in the process prove the
play

How to Analyse an S-box, and, in the Process, Prove the Russian - PowerPoint PPT Presentation

Oct 14, 2022 •380 likes •1.23k views

How to Analyse an S-box, and, in the Process, Prove the Russian Standardizing Agency Wrong Lo Perrin Based on joint works with Biryukov, Bonnetain, Canteaut, Duval, Tian and Udovenko June 26, 2019 University of Rostock Introduction: S-Boxes

  1. How to Analyse an S-box, and, in the Process, Prove the Russian Standardizing Agency Wrong Léo Perrin Based on joint works with Biryukov, Bonnetain, Canteaut, Duval, Tian and Udovenko June 26, 2019 University of Rostock

  2. Introduction: S-Boxes and Standardization TU-Decomposition, a Russian God and a Grasshoper The Final Structure in the Russian S-box Conclusion From ↑ to ↓  → F 2 8 F 2 8     �→ κ ( 0 ) , 0  π : �→ κ ( 2 m − j ) , for 1 ≤ j ≤ 2 m − 1 , ( α 2 m + 1 ) j  α 2 m + 1 ) s ( j ) , for 0 < i , 0 ≤ j < 2 m − 1 .  �→ κ ( 2 m − i ) ⊕  α i +( 2 m + 1 ) j (   1 / 33

  3. Introduction: S-Boxes and Standardization TU-Decomposition, a Russian God and a Grasshoper The Final Structure in the Russian S-box Conclusion From Russia with Love , Terence Young et al. (1963). 2 / 33

  4. Introduction: S-Boxes and Standardization TU-Decomposition, a Russian God and a Grasshoper The Final Structure in the Russian S-box Conclusion Outline Introduction: S-Boxes and Standardization 1 TU-Decomposition, a Russian God and a Grasshoper 2 3 The Final Structure in the Russian S-box 4 Conclusion 3 / 33

  5. Introduction: S-Boxes and Standardization Basics of Symmetric Cryptography TU-Decomposition, a Russian God and a Grasshoper Block Cipher Design The Final Structure in the Russian S-box How Standardization (Doesn’t) Work Conclusion Outline Introduction: S-Boxes and Standardization 1 TU-Decomposition, a Russian God and a Grasshoper 2 3 The Final Structure in the Russian S-box 4 Conclusion 3 / 33

  6. Introduction: S-Boxes and Standardization Basics of Symmetric Cryptography TU-Decomposition, a Russian God and a Grasshoper Block Cipher Design The Final Structure in the Russian S-box How Standardization (Doesn’t) Work Conclusion Plan of this Section 1 Introduction: S-Boxes and Standardization Basics of Symmetric Cryptography Block Cipher Design How Standardization (Doesn’t) Work 2 TU-Decomposition, a Russian God and a Grasshoper 3 The Final Structure in the Russian S-box Conclusion 4 3 / 33

  7. Definition (Block Cipher) x Input: n -bit block x Parameter: k -bit key E Output: n -bit block E x 1 use the same E x Symmetry: E and E Properties needed: Diffusion Confusion No cryptanalysis! Introduction: S-Boxes and Standardization Basics of Symmetric Cryptography TU-Decomposition, a Russian God and a Grasshoper Block Cipher Design The Final Structure in the Russian S-box How Standardization (Doesn’t) Work Conclusion Symmetric Cryptography There are many symmetric algorithms! Hash functions, MACs... 4 / 33

  8. Properties needed: Diffusion Confusion No cryptanalysis! Introduction: S-Boxes and Standardization Basics of Symmetric Cryptography TU-Decomposition, a Russian God and a Grasshoper Block Cipher Design The Final Structure in the Russian S-box How Standardization (Doesn’t) Work Conclusion Symmetric Cryptography There are many symmetric algorithms! Hash functions, MACs... Definition (Block Cipher) x Input: n -bit block x Parameter: k -bit key κ κ E Output: n -bit block E κ ( x ) Symmetry: E and E − 1 use the same κ E κ ( x ) 4 / 33

  9. Introduction: S-Boxes and Standardization Basics of Symmetric Cryptography TU-Decomposition, a Russian God and a Grasshoper Block Cipher Design The Final Structure in the Russian S-box How Standardization (Doesn’t) Work Conclusion Symmetric Cryptography There are many symmetric algorithms! Hash functions, MACs... Definition (Block Cipher) x Input: n -bit block x Parameter: k -bit key κ κ E Output: n -bit block E κ ( x ) Symmetry: E and E − 1 use the same κ E κ ( x ) Properties needed: Diffusion Confusion No cryptanalysis! 4 / 33

  10. Introduction: S-Boxes and Standardization Basics of Symmetric Cryptography TU-Decomposition, a Russian God and a Grasshoper Block Cipher Design The Final Structure in the Russian S-box How Standardization (Doesn’t) Work Conclusion No Cryptanalysis? Let us look at a typical cryptanalysis technique: the differential attack. 5 / 33

  11. x x a a E E E x E x a b b Differential Attack If there are many x such that E x E x a b , then the cipher is not secure . 6ec1067e5c5390ae 6ec1067e5c5391ae 7abb3f43c4989a22 0x04d4595257eb06c8 0x7e6f661193739cea Introduction: S-Boxes and Standardization Basics of Symmetric Cryptography TU-Decomposition, a Russian God and a Grasshoper Block Cipher Design The Final Structure in the Russian S-box How Standardization (Doesn’t) Work Conclusion Differential Attacks ⊕ a = 0000000000000100 6 / 33

  12. x x a a E x E x a b b Differential Attack If there are many x such that E x E x a b , then the cipher is not secure . 6ec1067e5c5390ae 6ec1067e5c5391ae 7abb3f43c4989a22 0x04d4595257eb06c8 0x7e6f661193739cea Introduction: S-Boxes and Standardization Basics of Symmetric Cryptography TU-Decomposition, a Russian God and a Grasshoper Block Cipher Design The Final Structure in the Russian S-box How Standardization (Doesn’t) Work Conclusion Differential Attacks ⊕ a = 0000000000000100 E κ E κ 6 / 33

  13. x x a a E x E x a b b Differential Attack If there are many x such that E x E x a b , then the cipher is not secure . 6ec1067e5c5390ae 6ec1067e5c5391ae 7abb3f43c4989a22 0x04d4595257eb06c8 0x7e6f661193739cea Introduction: S-Boxes and Standardization Basics of Symmetric Cryptography TU-Decomposition, a Russian God and a Grasshoper Block Cipher Design The Final Structure in the Russian S-box How Standardization (Doesn’t) Work Conclusion Differential Attacks ⊕ a = 0000000000000100 E κ E κ 6 / 33

  14. x x a a E x E x a b Differential Attack If there are many x such that E x E x a b , then the cipher is not secure . 0x04d4595257eb06c8 0x7e6f661193739cea 6ec1067e5c5391ae 6ec1067e5c5390ae Introduction: S-Boxes and Standardization Basics of Symmetric Cryptography TU-Decomposition, a Russian God and a Grasshoper Block Cipher Design The Final Structure in the Russian S-box How Standardization (Doesn’t) Work Conclusion Differential Attacks ⊕ a = 0000000000000100 E κ E κ ⊕ b = 7abb3f43c4989a22 6 / 33

  15. a 0000000000000100 b Differential Attack If there are many x such that E x E x a b , then the cipher is not secure . 0x7e6f661193739cea 7abb3f43c4989a22 6ec1067e5c5391ae 6ec1067e5c5390ae 0x04d4595257eb06c8 Introduction: S-Boxes and Standardization Basics of Symmetric Cryptography TU-Decomposition, a Russian God and a Grasshoper Block Cipher Design The Final Structure in the Russian S-box How Standardization (Doesn’t) Work Conclusion Differential Attacks ⊕ x ⊕ a x a E κ E κ E κ ( x ) ⊕ E κ ( x ⊕ a ) b 6 / 33

  16. a 0000000000000100 b 0x04d4595257eb06c8 0x7e6f661193739cea 7abb3f43c4989a22 6ec1067e5c5390ae 6ec1067e5c5391ae Introduction: S-Boxes and Standardization Basics of Symmetric Cryptography TU-Decomposition, a Russian God and a Grasshoper Block Cipher Design The Final Structure in the Russian S-box How Standardization (Doesn’t) Work Conclusion Differential Attacks ⊕ x ⊕ a x a E κ E κ E κ ( x ) ⊕ E κ ( x ⊕ a ) b Differential Attack If there are many x such that E κ ( x ) ⊕ E κ ( x ⊕ a ) = b , then the cipher is not secure . 6 / 33

  17. i S S S S S S S S L Substitution-Permutation Network Such a block cipher iterates the round function above several times. S is the S ubstitution B ox (S-Box). Introduction: S-Boxes and Standardization Basics of Symmetric Cryptography TU-Decomposition, a Russian God and a Grasshoper Block Cipher Design The Final Structure in the Russian S-box How Standardization (Doesn’t) Work Conclusion Basic Block Cipher Structure How do we build block ciphers that prevent such attacks (as well as others)? 7 / 33

  18. Substitution-Permutation Network Such a block cipher iterates the round function above several times. S is the S ubstitution B ox (S-Box). Introduction: S-Boxes and Standardization Basics of Symmetric Cryptography TU-Decomposition, a Russian God and a Grasshoper Block Cipher Design The Final Structure in the Russian S-box How Standardization (Doesn’t) Work Conclusion Basic Block Cipher Structure How do we build block ciphers that prevent such attacks (as well as others)? κ i ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ S S S S S S S S L 7 / 33

  19. Introduction: S-Boxes and Standardization Basics of Symmetric Cryptography TU-Decomposition, a Russian God and a Grasshoper Block Cipher Design The Final Structure in the Russian S-box How Standardization (Doesn’t) Work Conclusion Basic Block Cipher Structure How do we build block ciphers that prevent such attacks (as well as others)? κ i ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ S S S S S S S S L Substitution-Permutation Network Such a block cipher iterates the round function above several times. S is the S ubstitution B ox (S-Box). 7 / 33

  20. Introduction: S-Boxes and Standardization Basics of Symmetric Cryptography TU-Decomposition, a Russian God and a Grasshoper Block Cipher Design The Final Structure in the Russian S-box How Standardization (Doesn’t) Work Conclusion The S-Box (1/2) The S-Box π of the latest Russian standards, Kuznyechik (BC) and Streebog (HF). 8 / 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Aim Take a Haskell program Analyse it Prove statically that there are no unsafe

The Aim Take a Haskell program Analyse it Prove statically that there are no unsafe

CATCH: Case and Termination Checker for Haskell Neil Mitchell (Supervised by Colin Runciman) http://www.cs.york.ac.uk/~ ndm/ The Aim Take a Haskell program Analyse it Prove statically that there are no unsafe pattern matches

420 views • 19 slides
FCE,CAE and CPE levels Aims of the workshop Analyse the process involved in marking students

FCE,CAE and CPE levels Aims of the workshop Analyse the process involved in marking students

Assessing Writing at FCE,CAE and CPE levels Aims of the workshop Analyse the process involved in marking students pieces of writing. Analyse assessment criteria and glossary. Practise assessing with samples of students work.

315 views • 27 slides
Prove that it Plan for happened. success Helen McPhun The usual process Analysis

Prove that it Plan for happened. success Helen McPhun The usual process Analysis

Prove that it Plan for happened. success Helen McPhun The usual process Analysis Training...why? Performance expectations Two Cases : Two Stories Case # 1 Introduction of a national qualification aligned with the induction programme in

1.15k views • 41 slides
Annotations des gnomes Analyse du transcriptome Analyse des voies mtaboliques Jacques van

Annotations des gnomes Analyse du transcriptome Analyse des voies mtaboliques Jacques van

JGB71E - Bioinformatique applique Annotations des gnomes Analyse du transcriptome Analyse des voies mtaboliques Jacques van Helden Jacques.van-Helden@univ-amu.fr Aix-Marseille Universit, France Technological Advances for Genomics and

886 views • 75 slides
Analyse and binary transformation Guillaume Bouffard Analyse and binary transformation Guillaume

Analyse and binary transformation Guillaume Bouffard Analyse and binary transformation Guillaume

Analyse and binary transformation Guillaume Bouffard Analyse and binary transformation Guillaume Bouffard Outline 1 Introduction Profiling step 2 Translation step 3 Binary Modification 4 Proof Of Concept 5 Conclusion 6 2 / 19

779 views • 40 slides
CS70: Lecture 2. Outline. Today: Proofs!!! 1. By Example (or Counterexample). 2. Direct. (Prove P

CS70: Lecture 2. Outline. Today: Proofs!!! 1. By Example (or Counterexample). 2. Direct. (Prove P

CS70: Lecture 2. Outline. Today: Proofs!!! 1. By Example (or Counterexample). 2. Direct. (Prove P = Q . ) 3. by Contraposition (Prove P = Q ) 4. by Contradiction (Prove P .) 5. by Cases Quick Background and Notation. Integers closed

693 views • 16 slides
Vanilla Meta-interpreter prove ( G ) is true when base-level body G is a logical consequence of

Vanilla Meta-interpreter prove ( G ) is true when base-level body G is a logical consequence of

Vanilla Meta-interpreter prove ( G ) is true when base-level body G is a logical consequence of the base-level KB. prove ( true ). prove (( A &amp; B )) prove ( A ) prove ( B ). prove ( H ) ( H B ) prove ( B ).

641 views • 8 slides
5/10/20 L.O To analyse the main reasons for the Greek victory -I can identify certain techniques

5/10/20 L.O To analyse the main reasons for the Greek victory -I can identify certain techniques

5/10/20 L.O To analyse the main reasons for the Greek victory -I can identify certain techniques the Greek's used during battle L.O To analyse the main reasons for the Greek victory 5/10/20 Starter Who was Alexander the great? L.O To analyse

613 views • 40 slides
Analyse statique de programmes num eriques avec calculs flottants eme Rencontres Arithm 4 `

Analyse statique de programmes num eriques avec calculs flottants eme Rencontres Arithm 4 `

Analyse statique de programmes num eriques avec calculs flottants eme Rencontres Arithm 4 ` etique de lInformatique Math ematique Antoine Min e Ecole normale sup erieure 9 f evrier 2011 Perpignan 9/02/2011 Analyse

896 views • 70 slides
Proofs about functions Function consuming A is related to proof about A Q: How to prove two

Proofs about functions Function consuming A is related to proof about A Q: How to prove two

Proofs about functions Function consuming A is related to proof about A Q: How to prove two lists are equal? A: Prove they are both () or that they are both cons cells cons-ing equal cars to equal cdrs Q: How to prove two

224 views • 20 slides
Given: a // b &amp; s // t Prove: 4 @ 13 1 9 10 2 a 3 4 11 12 5 6 13 14 b 7

Given: a // b &amp; s // t Prove: 4 @ 13 1 9 10 2 a 3 4 11 12 5 6 13 14 b 7

Given: a // b &amp; s // t Prove: 4 @ 13 1 9 10 2 a 3 4 11 12 5 6 13 14 b 7 16 8 15 t s Congruent Figures - Figures that have the same size and shape. Hypothesize with your partnerwhat do you think is true,

321 views • 16 slides
A very elementary introduction to proofs Part 2 Example: Prove a function is not 1:1 By Dr.

A very elementary introduction to proofs Part 2 Example: Prove a function is not 1:1 By Dr.

A very elementary introduction to proofs Part 2 Example: Prove a function is not 1:1 By Dr. Isabel Darcy, Dept of Mathematics and AMCS, University of Iowa How do we prove a function is NOT 1:1

341 views • 10 slides
Foundation of proofs Jim Hefferon http://joshua.smcvt.edu/proofs The need to prove In

Foundation of proofs Jim Hefferon http://joshua.smcvt.edu/proofs The need to prove In

Foundation of proofs Jim Hefferon http://joshua.smcvt.edu/proofs The need to prove In Mathematics we prove things The base angles of an isoceles triangle are equal seems obvious to a person with mathematical aptitude. a if a = b

678 views • 52 slides
Large-scale drive-by download detec4on: visit n . process.

Large-scale drive-by download detec4on: visit n . process.

Large-scale drive-by download detec4on: visit n . process. analyse. report. Adriaan Dens Mar4jn Bogaard Students Master of System and Network

391 views • 37 slides
JOI NT USE STRATEGY 2013 San Diego Unified School District 1 . Prop Z Opportunity I m prove

JOI NT USE STRATEGY 2013 San Diego Unified School District 1 . Prop Z Opportunity I m prove

JOI NT USE STRATEGY 2013 San Diego Unified School District 1 . Prop Z Opportunity I m prove and install playfields for student and neighborhood joint use Develop and or im prove education, recreation and/ or com m unity resource

522 views • 23 slides
Structural recursively defined set R, prove P(b) for each base case b R Induction

Structural recursively defined set R, prove P(b) for each base case b R Induction

Mathematics for Computer Science Structural Induction MIT 6.042J/18.062J To prove P(x) holds for all x in Structural recursively defined set R, prove P(b) for each base case b R Induction P(c(x)) for each constructor, c, assuming

422 views • 4 slides
Gaussian Multiscale Spatio-temporal Models for Areal Data Marco A. R. Ferreira (University of

Gaussian Multiscale Spatio-temporal Models for Areal Data Marco A. R. Ferreira (University of

Gaussian Multiscale Spatio-temporal Models for Areal Data Marco A. R. Ferreira (University of Missouri) Scott H. Holan (University of Missouri) Adelmo I. Bertolde (UFES) Outline Motivation Multiscale factorization The multiscale

974 views • 68 slides
Standardizing Your Compliance Activities to Implement Data Analytics and RPA #AuditBoardWebinars

Standardizing Your Compliance Activities to Implement Data Analytics and RPA #AuditBoardWebinars

Standardizing Your Compliance Activities to Implement Data Analytics and RPA #AuditBoardWebinars Jason Sechrist Director of Audit and Compliance Solutions AuditBoard Former Head IT Compliance and Internal Audit Volunteer Board/Audit

427 views • 30 slides
A Statement on Standardization Orr Dunkelman 1 , Atul Luykx 2 , Lo Perrin 3 1 orrd@cs.haifa.ac.il

A Statement on Standardization Orr Dunkelman 1 , Atul Luykx 2 , Lo Perrin 3 1 orrd@cs.haifa.ac.il

A Statement on Standardization Orr Dunkelman 1 , Atul Luykx 2 , Lo Perrin 3 1 orrd@cs.haifa.ac.il 2 Atul.Luykx@esat.kuleuven.be 2 leo.perrin@uni.lu March 7, 2017 Fast Sofware Encryption 2017 ISO/IEC ISO, IEC ISO promotes worldwide

136 views • 9 slides
Blockchains, the web and standardization: the big opportunity conversation starter Keynote

Blockchains, the web and standardization: the big opportunity conversation starter Keynote

Blockchains, the web and standardization: the big opportunity conversation starter Keynote Arvind Narayanan Princeton University @random_walker Standardization: is it too soon? Are Bitcoin and other blockchains sound? Academic research on

445 views • 27 slides
Unit 2: Probability and distributions Lecture 3: Normal distribution Statistics 101 Thomas

Unit 2: Probability and distributions Lecture 3: Normal distribution Statistics 101 Thomas

Unit 2: Probability and distributions Lecture 3: Normal distribution Statistics 101 Thomas Leininger May 23, 2013 Announcements Announcements 1 Normal distribution 2 Normal distribution model 68-95-99.7 Rule Standardizing with Z scores

706 views • 67 slides
Introduction to Business Statistics QM 120 Chapter 6 Spring 2008 Chapter 6: Continuous

Introduction to Business Statistics QM 120 Chapter 6 Spring 2008 Chapter 6: Continuous

DEPARTMENT OF QUANTITATIVE METHODS &amp; INFORMATION SYSTEMS Introduction to Business Statistics QM 120 Chapter 6 Spring 2008 Chapter 6: Continuous Probability Distribution 2 When a RV x is discrete, we can assign a positive probability to

646 views • 25 slides
The Normal Distribution The normal distribution plays a central role in probability theory and in

The Normal Distribution The normal distribution plays a central role in probability theory and in

ST 380 Probability and Statistics for the Physical Sciences The Normal Distribution The normal distribution plays a central role in probability theory and in statistics. It is often used as a model for the distribution of continuous random

197 views • 16 slides
Randomness DS-GA 1013 / MATH-GA 2824 Optimization-based Data Analysis

Randomness DS-GA 1013 / MATH-GA 2824 Optimization-based Data Analysis

Randomness DS-GA 1013 / MATH-GA 2824 Optimization-based Data Analysis http://www.cims.nyu.edu/~cfgranda/pages/OBDA_fall17/index.html Carlos Fernandez-Granda Gaussian random variables Gaussian random vectors Randomized projections SVD of a

1.92k views • 164 slides

More recommend