Re: [Cfrg] On the (non-)randomness of the S-box of Streebog and Kuznyechik

Dmitry Belyavsky <beldmit@gmail.com> Tue, 06 August 2019 14:09 UTC

Return-Path: <beldmit@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7381B120172 for <cfrg@ietfa.amsl.com>; Tue, 6 Aug 2019 07:09:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KMEhe3uU0xje for <cfrg@ietfa.amsl.com>; Tue, 6 Aug 2019 07:09:33 -0700 (PDT)
Received: from mail-vs1-xe32.google.com (mail-vs1-xe32.google.com [IPv6:2607:f8b0:4864:20::e32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62C1D120072 for <cfrg@irtf.org>; Tue, 6 Aug 2019 07:09:33 -0700 (PDT)
Received: by mail-vs1-xe32.google.com with SMTP id v6so58427598vsq.4 for <cfrg@irtf.org>; Tue, 06 Aug 2019 07:09:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=dvqk6AO9mELf1N1cLoiQmsBMlQaVt1W6tEbJfp/gXOc=; b=vVZqGYVUwQ/X0Thfa27PUKWpWxRFgQ3B6m9YHmjP+FmHGsCwNHXXA/BZNJuJRe0ojw 4qO9KpW47isdHYkFerEQfXucQrTe4Pg4wMFtsjELyS4ZTN0n034geU9TqPAtA4p4iFLr jvFJ/eTI0xgMa3sBvg4zahNXncxrT5BibF4rR8iZXA+RWTvIVIsN7kLqcdvGLIzNB/uQ y7iiuDao/7QLTkYKud+D+Bxhoy4g7TSkOr3/RZFJBjyk+Y5U7aqjwA16dZyojjda2KuY RnS+5ZjmUfW0sRG6p122DyxnPveW2VyFCeBPYESu0dZ2LrEewg68lCN7Xf7jH6qRNL7U gx2Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=dvqk6AO9mELf1N1cLoiQmsBMlQaVt1W6tEbJfp/gXOc=; b=VAzLKfZnATd/mn1JoeXLlaNfrQn2eHW0V8xCA/qTwYRgSbdPyjjHnSpQHK+aYA+hq9 EMTyPtN2rFL7WELzEt7re3uPYQoD78MPpPXnh28eriux7EBs9WYhOuTA64FEQX/sCItU ZMbC6hak0PmMXALHz/ZUxUa7ZTZacHLHWVotXZg20hReqnwW35arbidPanGL3GpFn9Xc 3WMO17IIAST3z8E+OHcF+sjW+Zg2kAImDaQ8gf6lsooqnZ0UACSl7Em12FldlJsIi6Kn VTF6bx4oo5pNbNBOCij96eG8yqS39khrbhzmOeVw8g8fKyGVaHIvD+NXGasT5kqY7N5n q54w==
X-Gm-Message-State: APjAAAWEahceefcydbbCe7TnjoZkqK2zbctCjlB6EPpwWenlIQ6io34n 6jctUl8lrTLsJqRiz0fBm7NxMKztQ/2D/Po2clQ=
X-Google-Smtp-Source: APXvYqwzqGACdqM0nDiDSiwsIgqC3H0kq1LVgEJhdAWnVdxshdk/4+grYJEYao19StvlfGz3sGn7nSuSWmJtUc0jd4w=
X-Received: by 2002:a67:cfc2:: with SMTP id h2mr2397360vsm.30.1565100572071; Tue, 06 Aug 2019 07:09:32 -0700 (PDT)
MIME-Version: 1.0
References: <1327417226.25659372.1565019306532.JavaMail.zimbra@inria.fr> <CADqLbz+2dbvxdaGKp_3XMprp4XMxDK=B=1GKCLmxkjThX9kPYg@mail.gmail.com> <CAMr0u6kGAPRoS70uqqOPJzv30tBR0pgMKLSrBO0eksWrB5Pi8w@mail.gmail.com> <cb745eda-cbc7-b35a-d3fe-6cdecf3cfd05@cs.tcd.ie> <CAMr0u6kWweGAaF3RoLNXkt3Np6xyfB_HxT6P1LLGFPqmVETqvg@mail.gmail.com>
In-Reply-To: <CAMr0u6kWweGAaF3RoLNXkt3Np6xyfB_HxT6P1LLGFPqmVETqvg@mail.gmail.com>
From: Dmitry Belyavsky <beldmit@gmail.com>
Date: Tue, 6 Aug 2019 17:09:20 +0300
Message-ID: <CADqLbzK-CjdLoOy2YTbzYjiEo_pofCY8u5oXEJsC5b-ofApFmQ@mail.gmail.com>
To: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Leo Perrin <leo.perrin@inria.fr>, cfrg <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="000000000000a2dbe0058f735f98"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/kI3MCTisCrh1gwgpoE3r0v_sVzY>
Subject: Re: [Cfrg] On the (non-)randomness of the S-box of Streebog and Kuznyechik
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Aug 2019 14:09:36 -0000

Dear Stephen,

RFC 7091 seems to be a translation of the corresponding GOST standard.

RFC 8624 contains a reference to RFC5933, where the GOST algorithms for
DNSSec were introduced.
The reference is correct, the reference to the superseding algorithms is
correct too.

So it seems that no errata required here.


On Tue, Aug 6, 2019 at 4:56 PM Stanislav V. Smyshlyaev <smyshsv@gmail.com>;
wrote:

> Dear Stephen,
>
> >> So that sounds like an erratum may be worthwhile for each of 8624 and
> 7901? I guess the code points defined for DNSSEC are really for the old
> algorithms and ought not point to the RFCs for the new ones?
> >> And that hasn't really got anything to do with the meat of Leo's
> findings - it's just that his work flagged up the erroneous references.
> Personally, I agree that it would be good to do the updates here. But, as
> for DNSSEC, I hope that the authors of RFC 5933 (or, maybe, Dmitry
> Belyavsky) can comment better.
>
>
>
> вт, 6 авг. 2019 г. в 16:33, Stephen Farrell <stephen.farrell@cs.tcd.ie>;:
>
>>
>> Hiya,
>>
>> On 06/08/2019 14:14, Stanislav V. Smyshlyaev wrote:
>> > Stephen, GOST R 34.11-94 is built using a completely different
>> > construction, so (Leo will correct me, if I am mistaken) the discovered
>> > properties are not related to GOST R 34.11-94. I’d also like to clarify
>> > that this GOST R 34.11-94 is an old hash function, which has been
>> > deprecated for about 7 years in Russia.
>>
>> So that sounds like an erratum may be worthwhile
>> for each of 8624 and 7901? I guess the code points
>> defined for DNSSEC are really for the old algorithms
>> and ought not point to the RFCs for the new ones?
>> Those'd be valid errata I reckon, as it was a bit
>> of a mistake (though entirely understandable) to
>> refer to the new RFCs when the code points are for
>> the old algorithms. Those errata would just say
>> that the normative references to the new RFC were
>> wrong and should've been to the old RFC. And that
>> hasn't really got anything to do with the meat of
>> Leo's findings - it's just that his work flagged
>> up the erroneous references.
>>
>> As to whether to deprecate the algorithms due to
>> Leo's findings, I agree that the existence of
>> deployments that'd be affected needs to be taken
>> into account in terms of the timing of when that
>> might reasonably be done. And the fact that the
>> algorithms in question are national standards is
>> also a relevant point, though of course deprecating
>> the RFCs has no formal effect on such national
>> standards.
>>
>> Personally though, I think discovery of undeclared
>> and unexplained structure such as this in a crypto
>> algorithm ought be taken as a negative, even if there
>> is no known attack at present, so I'd be for moving
>> to deprecate when that is practical, in this case,
>> as I would in any other similar case.
>>
>> Cheers,
>> S.
>>
>

-- 
SY, Dmitry Belyavsky