Reverse-Engineering the S-Box of Streebog, Kuznyechik and STRIBOBr1

Biryukov, Alex; Perrin, Léo Paul; Udovenko, Aleksei

doi:10.1007/978-3-662-49890-3_15

Reference : Reverse-Engineering the S-Box of Streebog, Kuznyechik and STRIBOBr1


	Document type :	Scientific congresses, symposiums and conference proceedings : Paper published in a book
	Discipline(s) :	Engineering, computing & technology : Computer science
	To cite this reference:	http://hdl.handle.net/10993/23895

Title :	Reverse-Engineering the S-Box of Streebog, Kuznyechik and STRIBOBr1
Language :	English
Author, co-author :	Biryukov, Alex [University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC) >]
	Perrin, Léo Paul [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
	Udovenko, Aleksei [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
Publication date :	28-Apr-2016
Main document title :	Advances in Cryptology – EUROCRYPT 2016
Editor :	Fischlin, Marc, Coron, Jean-Sébastien
Publisher :	Springer Berlin Heidelberg
Collection and collection volume :	Lecture Notes in Computer Science, 9665
Pages :	372-402
Peer reviewed :	Yes
On invitation :	No
Audience :	International
ISBN :	978-3-662-49890-3
Event name :	35th Annual International Conference on the Theory and Applications of Cryptographic Techniques
Event date :	from 8-05-2016 to 12-05-2016
Event organizer :	International Association for Cryptologic Research (IACR)
Event place (city) :	Vienna
Event country :	Austria
Keywords :	[en] Reverse-Engineering ; S-Box ; Streebog ; Kuznyechik ; STRIBOBr1 ; White-Box ; Linear Approximation Table ; Feistel Network
Abstract :	[en] The Russian Federation's standardization agency has recently published a hash function called Streebog and a 128-bit block cipher called Kuznyechik. Both of these algorithms use the same 8-bit S-Box but its design rationale was never made public. In this paper, we reverse-engineer this S-Box and reveal its hidden structure. It is based on a sort of 2-round Feistel Network where exclusive-or is replaced by a finite field multiplication. This structure is hidden by two different linear layers applied before and after. In total, five different 4-bit S-Boxes, a multiplexer,two 8-bit linear permutations and two finite field multiplications in a field of size $2^{4}$ are needed to compute the S-Box. The knowledge of this decomposition allows a much more efficient hardware implementation by dividing the area and the delay by 2.5 and 8 respectively. However, the small 4-bit S-Boxes do not have very good cryptographic properties. In fact, one of them has a probability 1 differential. We then generalize the method we used to partially recover the linear layers used to whiten the core of this S-Box and illustrate it with a generic decomposition attack against 4-round Feistel Networks whitened with unknown linear layers. Our attack exploits a particular pattern arising in the Linear Approximations Table of such functions.
Funders :	Fonds National de la Recherche - FnR
Target :	Researchers ; Professionals ; Students ; General public
Permalink :	http://hdl.handle.net/10993/23895
DOI :	10.1007/978-3-662-49890-3_15

File(s) associated to this reference

Fulltext file(s):

	File	Commentary	Version	Size	Access
Open access	GOST_reverse_engineering_eprint.pdf		Author preprint	975.43 kB	View/Open

All documents in ORBi^lu are protected by a user license.

University of Luxembourg Library | Feedback | Legal notices