Re: [Cfrg] Vulgarized explanations on the Russian S-box

Leo Perrin <leo.perrin@inria.fr> Thu, 04 April 2019 07:39 UTC

Date: Thu, 04 Apr 2019 09:39:14 +0200
From: Leo Perrin <leo.perrin@inria.fr>
To: Dmitry Belyavsky <beldmit@gmail.com>
Cc: Aaron Zauner <azet@azet.org>, cfrg <cfrg@irtf.org>
Message-ID: <1918801831.7185892.1554363554615.JavaMail.zimbra@inria.fr>
In-Reply-To: <CADqLbzJFR+OKGJKstmXcu1qonXEEHxJFjpggW5KKE3MSgsy9ng@mail.gmail.com>
References: <1735276178.1878431.1553421249214.JavaMail.zimbra@inria.fr> <CAN8NK9FRRL_F2NF5x5yb_Vf30MhQD69om1e7awcz6U9nexHB1Q@mail.gmail.com> <CADqLbzJFR+OKGJKstmXcu1qonXEEHxJFjpggW5KKE3MSgsy9ng@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Vtolcfy4Fu1CqbUu39lMIxJWv0k>
Subject: Re: [Cfrg] Vulgarized explanations on the Russian S-box
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

Hi, 

The "TU-decomposition" (i.e. the first decomposition we found) does help with the implementation in hardware. Recently, I showed that the presence of this decomposition is always implied by the use of a TKlog---the structure I recently identified. Still though: 
1. what is the point of using a structure that helps with the implementation if you don't disclose it to implementers? 
2. while this structure does help with the implementation, using e.g. a 3-round Feistel network (a well known and well studied structure) would yield better results, 
3. in discussion with ISO members, the designers claimed that the TU-decomposition was not the one they intended. 

I find the claim in this last point very plausible. In my opinion, the presence of this hardware-friendlier decomposition is indeed an unintended side-effect of the use of a TKlog. However, this also implies that this improved hardware implementation was not the original justification for the use of this S-box. 

Cheers, 

/Léo 

> From: "Dmitry Belyavsky" <beldmit@gmail.com>
> To: "Aaron Zauner" <azet@azet.org>
> Cc: "Leo Perrin" <leo.perrin@inria.fr>, "cfrg" <cfrg@irtf.org>
> Sent: Wednesday 3 April 2019 12:46:05
> Subject: Re: [Cfrg] Vulgarized explanations on the Russian S-box

> Let's look from another side.
> Does a structure discovered by Leo open any chances to build more effective
> implementations of Streebog/Kuznechik?

> Thank you!

> On Wed, Apr 3, 2019 at 10:52 AM Aaron Zauner <azet@azet.org> wrote:

>> Thanks Leo,
>> Indeed an interesting read & contribution.

>> Aaron

>> On Sun, Mar 24, 2019 at 10:54 AM Leo Perrin <leo.perrin@inria.fr> wrote:

>>> Dear members,

>>> I have written detailed and (I hope) vulgarized explanations of my results on
>>> the Russian S-box which is used in RFC 6986 and RFC 7801. I provide some more
>>> information about the claims of the designers (in particular that they claim to
>>> have lost their generation algorithm...) and then argue that, until the
>>> designers of these algorithms clarify their design process, neither Kuznyechik
>>> nor Streebog should be used.

>>> Here is the link: https://who.paris.inria.fr/Leo.Perrin/pi.html

>>> Best regards,

>>> /Léo
>>> _______________________________________________
>>> Cfrg mailing list
>>> Cfrg@irtf.org
>>> https://www.irtf.org/mailman/listinfo/cfrg


> --
> SY, Dmitry Belyavsky
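The two structures contrasted in Léo's reply, the TU-decomposition and a 3-round Feistel network, are both ways of assembling an 8-bit S-box from 4-bit components. The script below is an added example and is not part of the original thread, nor code from any of the authors or from the Kuznyechik/Streebog designers; it does not reproduce the actual Russian S-box. It builds one S-box of each shape from constructed, seeded-random 4-bit permutations (`T`, `U`, `F` are assumptions), checks the plain TU shape S(l||r) = T_r(l) || U_{T_r(l)}(r) (the decompositions in the literature also allow linear layers around it, which this check does not search for), and computes the differential uniformity and linearity a designer would normally report. A Feistel network with a bijective middle round is itself of TU shape, which the check confirms; a random permutation is not.

```python
"""Added example: 8-bit S-boxes built from 4-bit pieces in TU and Feistel
shape, with the structural and cryptographic checks a designer would report.
All components are constructed from a seeded RNG; nothing here is the
actual Kuznyechik S-box."""
import random

NIBBLES = 16  # number of 4-bit values


def random_permutation(rng, size=NIBBLES):
    """A constructed random permutation of {0, ..., size-1}."""
    p = list(range(size))
    rng.shuffle(p)
    return p


def tu_sbox(T, U):
    """S(l||r): the left nibble goes through T_r, giving t; the right nibble
    then goes through U_t. With every T_r and U_t bijective, S is a permutation."""
    s = [0] * 256
    for x in range(256):
        l, r = x >> 4, x & 0xF
        t = T[r][l]
        s[x] = (t << 4) | U[t][r]
    return s


def feistel_sbox(F):
    """3-round Feistel network on 8 bits with 4-bit round functions F[0..2]."""
    s = [0] * 256
    for x in range(256):
        l, r = x >> 4, x & 0xF
        for f in F:
            l, r = r, l ^ f[r]
        s[x] = (l << 4) | r
    return s


def is_permutation(s):
    return sorted(s) == list(range(len(s)))


def has_tu_shape(s):
    """Plain TU shape (no linear layers): for every fixed right nibble r,
    l -> top nibble of S(l||r) must be a bijection. For a permutation S this
    also forces the U part, so no separate test of U is needed."""
    if not is_permutation(s):
        return False
    for r in range(NIBBLES):
        tops = {s[(l << 4) | r] >> 4 for l in range(NIBBLES)}
        if len(tops) != NIBBLES:
            return False
    return True


def differential_uniformity(s):
    """max over a != 0 and all b of #{x : S(x) ^ S(x ^ a) = b}.
    Lower is better; 4 is the best known for 8-bit permutations."""
    n = len(s)
    best = 0
    for a in range(1, n):
        counts = [0] * n
        for x in range(n):
            counts[s[x] ^ s[x ^ a]] += 1
        best = max(best, max(counts))
    return best


def linearity(s):
    """max |Walsh coefficient| over nonzero output masks b and all input
    masks a, via a fast Walsh-Hadamard transform of each component function."""
    n = len(s)
    best = 0
    for b in range(1, n):
        f = [1 - 2 * (bin(b & s[x]).count("1") & 1) for x in range(n)]
        h = 1
        while h < n:
            for i in range(0, n, 2 * h):
                for j in range(i, i + h):
                    u, v = f[j], f[j + h]
                    f[j], f[j + h] = u + v, u - v
            h *= 2
        best = max(best, max(abs(v) for v in f))
    return best


def build_examples(seed=2019):
    """Constructed sample S-boxes: TU shape, 3-round Feistel with bijective
    round functions, and a plain random permutation for comparison."""
    rng = random.Random(seed)
    T = [random_permutation(rng) for _ in range(NIBBLES)]
    U = [random_permutation(rng) for _ in range(NIBBLES)]
    F = [random_permutation(rng) for _ in range(3)]
    return {
        "tu": tu_sbox(T, U),
        "feistel": feistel_sbox(F),
        "random": random_permutation(rng, 256),
    }


if __name__ == "__main__":
    for name, s in build_examples().items():
        print(f"{name:8s} perm={is_permutation(s)} tu_shape={has_tu_shape(s)} "
              f"diff_unif={differential_uniformity(s)} linearity={linearity(s)}")
```

Differential uniformity is always even for an S-box over F_2^8 and linearity is at least 16 by Parseval's relation, so those are the sanity bounds a reviewer checks first; the point of the structural test is that it recognises the Feistel box as a TU instance while rejecting an unstructured permutation.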