streebog and kuznyechik
play

Streebog and Kuznyechik Inconsistencies in the Claims of their - PowerPoint PPT Presentation

Mar 23, 2023 •267 likes •779 views

leo.perrin@inria.fr @lpp_crypto Streebog and Kuznyechik Inconsistencies in the Claims of their Designers Lo Perrin IETF Workshop, Montral Standards and S-boxes On the S-box of RFC 6986 and 7801 The Core Issue: the S-Box Generation

  1. leo.perrin@inria.fr @lpp_crypto Streebog and Kuznyechik Inconsistencies in the Claims of their Designers Léo Perrin IETF Workshop, Montréal

  2. Standards and S-boxes On the S-box of RFC 6986 and 7801 The Core Issue: the S-Box Generation Process Conclusion Partitions in the S-Box of Streebog and Kuznyechik Transactions in Symmetric Léo Perrin Cryptology , Volume 2019, No. 1, pp. Inria, France leo.perrin@inria.fr Abstract. Streebog and Kuznyechik are the latest symmetric cryptographic primitives 302-329. Best paper award! standardized by the Russian GOST. They share the same S-Box, π , whose design process was not described by its authors. In previous works, Biryukov, Perrin and Udovenko recovered two completely di ff erent decompositions of this S-Box. We revisit their results and identify a third decomposition of π . It is an instance of a fairly small family of permutations operating on 2 m bits which we call TKlog and which is closely related to fi nite fi eld logarithms. Its simplicity and the small number of components it uses lead us to claim that it has to be the structure intentionally used by the designers of Streebog and Kuznyechik. The 2 m -bit permutations of this type have a very strong algebraic structure: they map multiplicative cosets of the sub fi eld GF (2 m ) * to additive cosets of GF (2 m ) * . Furthermore, the function relating each multiplicative coset to the corresponding additive coset is always essentially the same. To the best of our knowledge, we are the fi rst to expose this very strong algebraic structure. We also investigate other properties of the TKlog and show in particular that it can What is this result? always be decomposed in a fashion similar to the fi rst decomposition of Biryukov et al., thus explaining the relation between the two previous decompositions. It also means that it is always possible to implement a TKlog e ffi ciently in hardware and that it always exhibits a visual pattern in its LAT similar to the one present in π . While we could not fi nd attacks based on these new results, we discuss the impact of our work on the security of Streebog and Kuznyechik. To this end, we provide a new simpler representation of the linear layer of Streebog as a matrix multiplication in the exact same fi eld as the one used to de fi ne π . We deduce that this matrix interacts in Why is it inconsistent with the a non-trivial way with the partitions preserved by π . Keywords: Boolean functions · Kuznyechik · Streebog · Reverse-Engineering · Parti- tions · Cosets · TKlog claims of the designers of these 1 Introduction Many symmetric primitives rely on S-Boxes as their unique source of non-linearity, including the AES [ AES01 ]. Such objects are small functions mapping F m 2 to F n 2 which are often speci fi ed via their look-up tables. algorithms? Their choice is crucial as both the security and the e ffi ciency of the primitive depends heavily on their properties. For example, a low di ff erential uniformity [ Nyb94 ] implies a higher resilience against di ff erential attacks [ BS91a , BS91b ]. On the other hand, the existence of a simple decomposition greatly helps with an e ffi cient bitsliced or hardware implementation [ LW14 , CDL16 ]. Thus, algorithm designers are expected to provide detailed explanation about their choice of S-Box. Each cipher that was published at a cryptography or security conference has provided such explanations. There are two prominent S-Boxes for which this information has not been provided. The fi rst is the so-called “F-table” of Skipjack [ U.S98 ], a lightweight block cipher designed Licensed under Creative Commons License CC-BY 4.0. IACR Transactions on Symmetric Cryptology ISSN 2519-173X, Vol. 2019, No. 1, pp. 302–329 DOI:10.13154/tosc.v2019.i1.302-329 1 / 11

  3. Standards and S-boxes On the S-box of RFC 6986 and 7801 The Core Issue: the S-Box Generation Process Conclusion Outline Standards and S-boxes 1 On the S-box of RFC 6986 and 7801 2 The Core Issue: the S-Box Generation Process 3 4 Conclusion 1 / 11

  4. Standards and S-boxes On the S-box of RFC 6986 and 7801 The Core Issue: the S-Box Generation Process Conclusion Outline Standards and S-boxes 1 On the S-box of RFC 6986 and 7801 2 The Core Issue: the S-Box Generation Process 3 4 Conclusion 1 / 11

  5. Design Public Analysis Deployment Academic community Industry Small teams Scope Try and break statement published Implements Algorithm algorithms algorithms in specification actual products... Design choices Well-studied ...unless a new justifications algorithms are attack is found Security eventually trusted analysis Publication Standardization Conf., competition NIST, ISO, IETF... Standards and S-boxes On the S-box of RFC 6986 and 7801 The Core Issue: the S-Box Generation Process Conclusion Life Cycle of a Cryptographic Primitive time 2 / 11

  6. Academic community Industry Small teams Scope Try and break statement published Implements Algorithm algorithms algorithms in specification actual products... Design choices Well-studied ...unless a new justifications algorithms are attack is found Security eventually trusted analysis Conf., competition NIST, ISO, IETF... Standards and S-boxes On the S-box of RFC 6986 and 7801 The Core Issue: the S-Box Generation Process Conclusion Life Cycle of a Cryptographic Primitive Design Public Analysis Deployment time Publication Standardization 2 / 11

  7. Scope Try and break statement published Implements Algorithm algorithms algorithms in specification actual products... Design choices Well-studied ...unless a new justifications algorithms are attack is found Security eventually trusted analysis Standards and S-boxes On the S-box of RFC 6986 and 7801 The Core Issue: the S-Box Generation Process Conclusion Life Cycle of a Cryptographic Primitive Design Public Analysis Deployment Academic community Industry Small teams time Publication Standardization Conf., competition NIST, ISO, IETF... 2 / 11

  8. Try and break published Implements algorithms algorithms in actual products... Well-studied ...unless a new algorithms are attack is found eventually trusted Standards and S-boxes On the S-box of RFC 6986 and 7801 The Core Issue: the S-Box Generation Process Conclusion Life Cycle of a Cryptographic Primitive Design Public Analysis Deployment Academic community Industry Small teams Scope statement Algorithm specification Design choices justifications Security analysis time Publication Standardization Conf., competition NIST, ISO, IETF... 2 / 11

  9. Try and break published Implements algorithms algorithms in actual products... Well-studied ...unless a new algorithms are attack is found eventually trusted Standards and S-boxes On the S-box of RFC 6986 and 7801 The Core Issue: the S-Box Generation Process Conclusion Life Cycle of a Cryptographic Primitive Design Public Analysis Deployment Academic community Industry Small teams Scope statement Algorithm specification Design choices justifications Security analysis time Publication Standardization Conf., competition NIST, ISO, IETF... 2 / 11

  10. Implements algorithms in actual products... Well-studied ...unless a new algorithms are attack is found eventually trusted Standards and S-boxes On the S-box of RFC 6986 and 7801 The Core Issue: the S-Box Generation Process Conclusion Life Cycle of a Cryptographic Primitive Design Public Analysis Deployment Academic community Industry Small teams Scope Try and break statement published Algorithm algorithms specification Design choices justifications Security analysis time Publication Standardization Conf., competition NIST, ISO, IETF... 2 / 11

  11. Implements algorithms in actual products... Well-studied ...unless a new algorithms are attack is found eventually trusted Standards and S-boxes On the S-box of RFC 6986 and 7801 The Core Issue: the S-Box Generation Process Conclusion Life Cycle of a Cryptographic Primitive Design Public Analysis Deployment Academic community Industry Small teams Scope Try and break statement published Algorithm algorithms specification Design choices justifications Security analysis time Publication Standardization Conf., competition NIST, ISO, IETF... 2 / 11

  12. Implements algorithms in actual products... ...unless a new attack is found Standards and S-boxes On the S-box of RFC 6986 and 7801 The Core Issue: the S-Box Generation Process Conclusion Life Cycle of a Cryptographic Primitive Design Public Analysis Deployment Academic community Industry Small teams Scope Try and break statement published Algorithm algorithms specification Design choices Well-studied justifications algorithms are Security eventually trusted analysis time Publication Standardization Conf., competition NIST, ISO, IETF... 2 / 11

  13. Standards and S-boxes On the S-box of RFC 6986 and 7801 The Core Issue: the S-Box Generation Process Conclusion Life Cycle of a Cryptographic Primitive Design Public Analysis Deployment Academic community Industry Small teams Scope Try and break statement published Implements Algorithm algorithms algorithms in specification actual products... Design choices Well-studied ...unless a new justifications algorithms are attack is found Security eventually trusted analysis time Publication Standardization Conf., competition NIST, ISO, IETF... 2 / 11

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Exponential S-Boxes: a Link Between the S-Boxes of BelT and Kuznyechik/Streebog Lo Perrin 1 ,

Exponential S-Boxes: a Link Between the S-Boxes of BelT and Kuznyechik/Streebog Lo Perrin 1 ,

Exponential S-Boxes: a Link Between the S-Boxes of BelT and Kuznyechik/Streebog Lo Perrin 1 , Aleksei Udovenko 1 1 SnT, University of Luxembourg https://www.cryptolux.org March 6, 2017 Fast Sofware Encryption 2017 Introduction S-Box Design

1.14k views • 58 slides
ISO Update Who knew standardization could be this fun? Lo Perrin Inria, France January 20,

ISO Update Who knew standardization could be this fun? Lo Perrin Inria, France January 20,

ISO Update Who knew standardization could be this fun? Lo Perrin Inria, France January 20, 2020 Dagstuhl 20041 General Context Randomness of a Structure: The Kolmogorov Anomaly Counter Arguments Conclusion How are Streebog and

551 views • 43 slides
Real-Time Communica/on in Web-browsers (RTCWeb) Michael

Real-Time Communica/on in Web-browsers (RTCWeb) Michael

Real-Time Communica/on in Web-browsers (RTCWeb) Michael Txen (tuexen@=-muenster.de) Outline RTCWeb overview Peer to peer protocol stack RTCWeb

490 views • 22 slides
iLab2 Introduction to SIP Daniel Raumer raumer@net.in.tum.de Agenda SIP - What? SIP

iLab2 Introduction to SIP Daniel Raumer raumer@net.in.tum.de Agenda SIP - What? SIP

Lehrstuhl Netzarchitekturen und Netzdienste Institut fr Informatik Technische Universitt Mnchen iLab2 Introduction to SIP Daniel Raumer raumer@net.in.tum.de Agenda SIP - What? SIP - How? Repetition Security iLab2

263 views • 14 slides
Advanced Distributed Systems Introduction & RFC #677 Wyatt Lloyd Some

Advanced Distributed Systems Introduction & RFC #677 Wyatt Lloyd Some

Advanced Distributed Systems Introduction & RFC #677 Wyatt Lloyd Some slides adapted from Minlan Yu Welcome! Rules No laptops, no phones: pay attention! Sit towards the front: participate! Today

919 views • 54 slides
Extending Catalog zones another approach in automating maintenance Leo Vandewoestijne

Extending Catalog zones another approach in automating maintenance Leo Vandewoestijne

Extending Catalog zones another approach in automating maintenance Leo Vandewoestijne dns.company Rev 0.000 Spoilers/Warnings - Not much new; working in Bind already - This presentation was prepared while having lack of time

578 views • 12 slides
Unraveling Meta-Learning: Understanding Feature Representations for Few-Shot Tasks Micah

Unraveling Meta-Learning: Understanding Feature Representations for Few-Shot Tasks Micah

Unraveling Meta-Learning: Understanding Feature Representations for Few-Shot Tasks Micah Goldblum, Steven Reich, Liam Fowl, Renkun Ni, Valeriia Cherepanova, Tom Goldstein University of Maryland, College Park, Maryland, USA

446 views • 6 slides
RFC 3706 A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers (Czerny

RFC 3706 A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers (Czerny

RFC 3706 A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers (Czerny Andeas) Summery 1. Introduction 2. Keepalives and Heartbeats 3. DPD Protocol 4. Resistance to Replay Attack and False Proof of Liveliness Situation

890 views • 20 slides
Pre-Expression of Interest Transportation Technology RFI Procurement Process Sign in sheet

Pre-Expression of Interest Transportation Technology RFI Procurement Process Sign in sheet

Pre-Expression of Interest Transportation Technology RFI Procurement Process Sign in sheet Q&A process Deadline for questions 7/23/18 5 p.m. EOI submission is a required pre qualification process for product demos

385 views • 9 slides
NCATS Strategic Planning Dorit Zuk, Ph.D. Director, OPCS A NCATS Council/ CAN Review Board

NCATS Strategic Planning Dorit Zuk, Ph.D. Director, OPCS A NCATS Council/ CAN Review Board

NCATS Strategic Planning Dorit Zuk, Ph.D. Director, OPCS A NCATS Council/ CAN Review Board Meeting eptember 3 rd , 2015 S 2 3 Strategic Planning Process Timeline S mall group Dec 2014-Apr 2015 discussions with staff Focus groups Aug

624 views • 16 slides
Alternate Dispute Resolution / Allegation Guidance Memorandum January 19, 2010 Michael Headrick

Alternate Dispute Resolution / Allegation Guidance Memorandum January 19, 2010 Michael Headrick

Alternate Dispute Resolution / Allegation Guidance Memorandum January 19, 2010 Michael Headrick Chairman, BOD, NAECP Alternate Dispute Resolution Feedback from industry on ADR w as generally positive Need consistency in the NRCs

168 views • 5 slides
New York Ne ork & Ne New Jersey UpdateJu July y 2018 Ne Netw twork rk Membe mber

New York Ne ork & Ne New Jersey UpdateJu July y 2018 Ne Netw twork rk Membe mber

New York Ne ork & Ne New Jersey UpdateJu July y 2018 Ne Netw twork rk Membe mber r Webi bina nar Hosted by: William OHearn, Communications/Outreach Manager, NJ and NY Elizabeth Barminski, Working Group Coordinator

703 views • 21 slides
Donn ees Manquantes : 2 exemples S eparation de RFI sur SMOS & Video Inpainting Andr

Donn ees Manquantes : 2 exemples S eparation de RFI sur SMOS & Video Inpainting Andr

Donn ees Manquantes : 2 exemples S eparation de RFI sur SMOS & Video Inpainting Andr es Almansa GT SPU Traitement donn ees spatiales 27 septembre, 2014 Andr es Almansa Donn ees Manquantes SMOS images restoration

442 views • 23 slides
Purchasing Department REQUEST FOR INTEREST RFI # 1818 December 29, 2017 RFI Title: H. L. Mooney

Purchasing Department REQUEST FOR INTEREST RFI # 1818 December 29, 2017 RFI Title: H. L. Mooney

4 County Complex Court Phone (703) 335-8925 P.O. Box 2266 Fax (703) 335-7954 Woodbridge, VA 22192-9201 www.pwcsa.org Purchasing Department REQUEST FOR INTEREST RFI # 1818 December 29, 2017 RFI Title: H. L. Mooney Water Reclamation Facility

223 views • 6 slides
Duality on Value Semigroups Philipp Korell Technische Universitt Kaiserslautern July 4, 2016

Duality on Value Semigroups Philipp Korell Technische Universitt Kaiserslautern July 4, 2016

Duality on Value Semigroups Philipp Korell Technische Universitt Kaiserslautern July 4, 2016 Joint work w/ Laura Tozzo & Mathias Schulze Example Complex algebroid curve R = C [[ x , y ]] / x 3 y + y 6 = C [[ x , y ]] /

567 views • 28 slides
Prioritization: Webinar Rachael Fleurence, PhD Danielle Whicher, PhD August 27, 2014 1 Webinar

Prioritization: Webinar Rachael Fleurence, PhD Danielle Whicher, PhD August 27, 2014 1 Webinar

Value of Information Analysis for Research Prioritization: Webinar Rachael Fleurence, PhD Danielle Whicher, PhD August 27, 2014 1 Webinar Agenda About PCORI Prioritization at PCORI How can we use Value of Information? PCORI RFI on VOI

386 views • 14 slides
Via Teleconference 1 Item 7 Energy Efficiency (EE) and Outreach Programs Update Public

Via Teleconference 1 Item 7 Energy Efficiency (EE) and Outreach Programs Update Public

Valley Clean Energy Community Advisory Committee Meeting June 25, 2020 Via Teleconference 1 Item 7 Energy Efficiency (EE) and Outreach Programs Update Public Comments To Provide Public Comment on any agenda item please: E-mail 300

617 views • 26 slides
Foundations of Computer Science Lecture 1 Warmup: A Taste for Discrete Math and Computing

Foundations of Computer Science Lecture 1 Warmup: A Taste for Discrete Math and Computing

Foundations of Computer Science Lecture 1 Warmup: A Taste for Discrete Math and Computing Background Disease spread, speed-dating, friendship networks 3 Challenge Problems (Today) Warmup: A Taste for Discrete Math and Computing Resources and

731 views • 59 slides
Dominant colors in images CLUS TERIN G METH ODS W ITH S CIP Y Shaumik Daityari Business

Dominant colors in images CLUS TERIN G METH ODS W ITH S CIP Y Shaumik Daityari Business

Dominant colors in images CLUS TERIN G METH ODS W ITH S CIP Y Shaumik Daityari Business Analyst Dominant colors in images All images consist of pixels Each pixel has three values: Red , Green and Blue Pixel color: combination of these RGB

535 views • 30 slides
COLOR IN GRAPHICS & VISUALIZATION Graphics & Visualization: Principles & Algorithms

COLOR IN GRAPHICS & VISUALIZATION Graphics & Visualization: Principles & Algorithms

Graphics & Visualization Chapter 11 COLOR IN GRAPHICS & VISUALIZATION Graphics & Visualization: Principles & Algorithms Chapter 11 Introduction The study of color, and the way humans perceive it,

994 views • 55 slides
RGB-D Mapping: Using Depth Cameras for Dense 3D Modeling of Indoor Environments Peter Henry 1 ,

RGB-D Mapping: Using Depth Cameras for Dense 3D Modeling of Indoor Environments Peter Henry 1 ,

RGB-D Mapping: Using Depth Cameras for Dense 3D Modeling of Indoor Environments Peter Henry 1 , Michael Krainin 1 , Evan Herbst 1 , Xiaofeng Ren 2 , and Dieter Fox 1,2 1 University of Washington Computer Science and Engineering 2 Intel Labs

919 views • 42 slides
Scene Understanding with 3D Deep Networks Thomas Funkhouser Princeton University Disclaimer: I

Scene Understanding with 3D Deep Networks Thomas Funkhouser Princeton University Disclaimer: I

Scene Understanding with 3D Deep Networks Thomas Funkhouser Princeton University Disclaimer: I am talking about the work of these people Shuran Song Fisher Yu Yinda Zhang Andy Zeng Maciej Halber Jianxiong Xiao Angela Dai Matt Fisher

1.79k views • 82 slides
Multimodal 2DCNN action recognition from RGB-D Data with Video Summarization Vicent Roig Ripoll

Multimodal 2DCNN action recognition from RGB-D Data with Video Summarization Vicent Roig Ripoll

Multimodal 2DCNN action recognition from RGB-D Data with Video Summarization Vicent Roig Ripoll Master in Artificial Intelligence UPC, UB, URV Masters Thesis Advisor: Sergio Escalera Guerrero Co-advisor: Maryam Asadi-Aghbolaghi October,

831 views • 39 slides
COLOR SPECTRUM RECONSTRUCTION USING NEURAL NETWORKS 2 Hyperspectral-sensing.nb THE GOAL

COLOR SPECTRUM RECONSTRUCTION USING NEURAL NETWORKS 2 Hyperspectral-sensing.nb THE GOAL

COLOR SPECTRUM RECONSTRUCTION USING NEURAL NETWORKS 2 Hyperspectral-sensing.nb THE GOAL Spectral images tell us much more about natural objects than the usual RGB color images. By looking at the reflectance at specific wavelengths, we can see

503 views • 22 slides

More recommend