Reference : Reverse-Engineering the S-Box of Streebog, Kuznyechik and STRIBOBr1
Scientific congresses, symposiums and conference proceedings : Paper published in a book
Engineering, computing & technology : Computer science
Reverse-Engineering the S-Box of Streebog, Kuznyechik and STRIBOBr1
Biryukov, Alex mailto [University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC) >]
Perrin, Léo Paul mailto [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
Udovenko, Aleksei mailto [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
Advances in Cryptology – EUROCRYPT 2016
Fischlin, Marc, Coron, Jean-Sébastien
Springer Berlin Heidelberg
Lecture Notes in Computer Science, 9665
35th Annual International Conference on the Theory and Applications of Cryptographic Techniques
from 8-05-2016 to 12-05-2016
International Association for Cryptologic Research (IACR)
[en] Reverse-Engineering ; S-Box ; Streebog ; Kuznyechik ; STRIBOBr1 ; White-Box ; Linear Approximation Table ; Feistel Network
[en] The Russian Federation's standardization agency has recently published a hash function called Streebog and a 128-bit block cipher called Kuznyechik. Both of these algorithms use the same 8-bit S-Box but its design rationale was never made public.

In this paper, we reverse-engineer this S-Box and reveal its hidden structure. It is based on a sort of 2-round Feistel Network where exclusive-or is replaced by a finite field multiplication. This structure is hidden by two different linear layers applied before and after. In total, five different 4-bit S-Boxes, a multiplexer,two 8-bit linear permutations and two finite field multiplications in a field of size $2^{4}$ are needed to compute the S-Box.

The knowledge of this decomposition allows a much more efficient hardware implementation by dividing the area and the delay by 2.5 and 8 respectively. However, the small 4-bit S-Boxes do not have very good cryptographic properties. In fact, one of them has a probability 1 differential.

We then generalize the method we used to partially recover the linear layers used to whiten the core of this S-Box and illustrate it with a generic decomposition attack against 4-round Feistel Networks whitened with unknown linear layers. Our attack exploits a particular pattern arising in the Linear Approximations Table of such functions.
Fonds National de la Recherche - FnR
Researchers ; Professionals ; Students ; General public

File(s) associated to this reference

Fulltext file(s):

Open access
GOST_reverse_engineering_eprint.pdfAuthor preprint975.43 kBView/Open

Bookmark and Share SFX Query

All documents in ORBilu are protected by a user license.