Re: [Cfrg] Structure in the S-box of the Russian algorithms (RFC 6986, RFC 7801)

Leo Perrin <leo.perrin@inria.fr> Tue, 12 February 2019 14:23 UTC

Return-Path: <leo.perrin@inria.fr>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F25C1288BD for <cfrg@ietfa.amsl.com>; Tue, 12 Feb 2019 06:23:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.911
X-Spam-Level:
X-Spam-Status: No, score=-4.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j3JgzbsgWr_v for <cfrg@ietfa.amsl.com>; Tue, 12 Feb 2019 06:23:04 -0800 (PST)
Received: from mail2-relais-roc.national.inria.fr (mail2-relais-roc.national.inria.fr [192.134.164.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B43DD1200B3 for <cfrg@irtf.org>; Tue, 12 Feb 2019 06:23:03 -0800 (PST)
X-IronPort-AV: E=Sophos;i="5.58,362,1544482800"; d="scan'208,217";a="369107531"
Received: from zcs-store2.inria.fr ([128.93.142.29]) by mail2-relais-roc.national.inria.fr with ESMTP; 12 Feb 2019 15:22:48 +0100
Date: Tue, 12 Feb 2019 15:22:48 +0100 (CET)
From: Leo Perrin <leo.perrin@inria.fr>
To: Dmitry Khovratovich <khovratovich@gmail.com>
Cc: Paul Lambert <plambert@usfca.edu>, cfrg <cfrg@irtf.org>
Message-ID: <627147907.9722654.1549981368627.JavaMail.zimbra@inria.fr>
In-Reply-To: <CALW8-7L8y83sd5g0R-jFF3=6iE=HFrz=Z9CC1-=2v+F7Vxf72g@mail.gmail.com>
References: <47911132.8757406.1549835386894.JavaMail.zimbra@inria.fr> <1CE71837-B6F4-4A55-9B1B-21053E6ABD97@usfca.edu> <CALW8-7L8y83sd5g0R-jFF3=6iE=HFrz=Z9CC1-=2v+F7Vxf72g@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_9c83923b-e609-4d16-adf6-bbe570d88963"
X-Originating-IP: [128.93.64.216]
X-Mailer: Zimbra 8.7.11_GA_3706 (ZimbraWebClient - FF65 (Linux)/8.7.11_GA_3706)
Thread-Topic: Structure in the S-box of the Russian algorithms (RFC 6986, RFC 7801)
Thread-Index: pCUn0CfgOiuqijhEVxF3JrbJ80bDPw==
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/nC2xG9etneT93VfzWxWrBRMJnDc>
Subject: Re: [Cfrg] Structure in the S-box of the Russian algorithms (RFC 6986, RFC 7801)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Feb 2019 14:23:09 -0000

Hi, 

The S-box of the standard from Belarus was built using a much more classical structure, essentially a "regular" discrete logarithm mapping GF(2^8) to Z/2^8Z. In fact, its design was explained by its designers, although in a somewhat hard to find paper in a Russian speaking journal (the reference is in the ToSC'16 paper I co-authored with Udovenko). In contrast, the Russian S-box was never explained (including in Russian speaking sources) and it uses a strange variant of the logarithm mapping GF(2^8) to itself. Since the linear layers of the corresponding algorithms are also defined in GF(2^8), we have an "alignment" which I find worrying---especially since it involves a partition of the space into additive cosets of a vector subspace. 

The non-linearity (deduced from the maximum coefficient in the Linear Approximations Table) and the differential uniformity (maximum coefficient in the Difference Distribution Table) of the Russian S-box are the same as those of the usual discrete logarithm. A random S-box has worse differential and linear properties than a log-based S-box with overwhelmingly high probability (I estimate those probabilities in my paper). Still, the multiplicative inverse is far better from both a differential and a linear standpoint which is why both the AES and the SMS4 S-boxes fare better than the Russian S-box in this regard. A more careful analysis of the differential and linear properties finds them to be a tiny bit worse in pi than in a "normal" discrete logarithm. Hence, the justification for the structure used by the Russians cannot be an improvement of those quantities. 

If you are interested in this kind of statistical analysis, I recommend chapter 9 of my PhD thesis [1]. 

Cheers, and thanks for your interest 
/Léo 

[1] http://orbilu.uni.lu/handle/10993/31195 

> De: "Dmitry Khovratovich" <khovratovich@gmail.com>
> À: "Paul Lambert" <plambert@usfca.edu>
> Cc: "Leo Perrin" <leo.perrin@inria.fr>fr>, "cfrg" <cfrg@irtf.org>
> Envoyé: Mardi 12 Février 2019 12:55:17
> Objet: Re: [Cfrg] Structure in the S-box of the Russian algorithms (RFC 6986,
> RFC 7801)

> Even more interesting is that the Belorussian Sbox has the same nonlinearity
> value of 102, despite all the differences introduced by Russians.

> On Tue, Feb 12, 2019 at 2:16 AM Paul Lambert < [ mailto:plambert@usfca.edu |
> plambert@usfca.edu ] > wrote:

>> Hi Leo,

>>> On Feb 10, 2019, at 1:49 PM, Leo Perrin < [ mailto:leo.perrin@inria.fr |
>>> leo.perrin@inria.fr ] > wrote:

>>> Dear CFRG Participants,

>>> My name is Léo Perrin, I am a post-doc in symmetric cryptography at Inria, and I
>>> would like to bring recent results of mine to your attention. They deal with
>>> the last two Russian standards in symmetric crypto, namely RFC 7801
>>> (Kuznyechik, a block cipher) and RFC 6986 (Streebog, a hash function). My
>>> conclusion is that their designers purposefully used (and did not disclose) a
>>> very specific structure to build their S-box. The knowledge of this structure
>>> demands a renewed analysis of their algorithms in its light. While I do not
>>> have an attack at the moment, these results lead me to urge caution about using
>>> these algorithms.

>>> Let me summarize my results.

>>> Both algorithms use the same 8-bit S-box, pi, which is only specified via its
>>> lookup table. The designers never disclosed their rationale for their choice
>>> and never disclosed the structure they used. I have managed to identify what I
>>> claim to be the structure purposefully used by its designers to construct pi.
>>> The corresponding paper was accepted at ToSC and is already on eprint: [
>>> https://urldefense.proofpoint.com/v2/url?u=https-3A__eprint.iacr..org_2019_092&d=DwMFAw&c=qgVugHHq3rzouXkEXdxBNQ&r=oIg4FfS8P761BlhMPJ2ys3IvSyH4XQ12Mbj_mXrCAJs&m=S0H637y57cjgJ_W4QG8e2TIQ0lLL3cDdmc5Lf8_MxfI&s=uVblnQv8g31qEeLvM80bundiG3ewh95591JrcjZKvGQ&e=
>>> | https://eprint.iacr.org/2019/092 ]

>>> With my then colleagues from the university of Luxembourg, we previously found
>>> two different structures in this component and published them a couple years
>>> ago [1,2]. However, we were not satisfied with these results as the structures
>>> we found were bulky and just plain weird. The one I just found is much simpler
>>> and has both previous decompositions as side effects---in fact, we conjectured
>>> the existence of such a nicer structure in [2]. Much more importantly, this new
>>> decomposition highlights some very specific (and, in my opinion, worrying)
>>> properties of pi that were not known before.

>>> In a nutshell, pi is actually defined over the finite field GF(2^8) in such a
>>> way as to map multiplicative cosets of GF(2^4) to additive cosets of GF(2^4).
>>> Furthermore, the restriction of the permutation to each multiplicative coset is
>>> always the same. Also, the linear layer of Streebog---specified via a 64x64
>>> binary matrix by its designers, including in RFC 6986---is in fact an 8x8
>>> matrix defined over GF(2^8) using the same irreducible polynomial as in the
>>> S-box. Thus, at least in the case of Streebog, both the linear layer and the
>>> S-box interact in a highly structured way with two partitions of GF(2^8) and
>>> one of those is its partition into additive cosets of the subfield (this will
>>> be important later).

>>> This situation is unlike anything else in the literature. For example, while the
>>> inverse in GF(2^8) preserves the partition into multiplicative cosets of
>>> GF(2^8), the AES designers composed it with an affine mapping breaking the
>>> GF(2^8) structure. It is not the case here. On the other hand, Arnaud Bannier
>>> proved in his PhD (see also [3]) that an S-box preserving a partition of the
>>> space into additive cosets in such a way that it interacts with the linear
>>> layer was necessary to build some specific backdoors.

>>> Still, at the moment, I don't know of any attack leveraging my new decomposition
>>> as the partition in the input is the partition in multiplicative cosets (and
>>> not additive ones). Nevertheless, I can't think of a good reason for the
>>> designers of these algorithms to use this structure and, worse, to keep this
>>> fact secret; especially since the presence of such properties demands a
>>> specific analysis to ensure that the algorithms are safe.

>>> I felt I had to bring these results to the attention of the CFRG. If you have
>>> any questions I'd be happy to answer them!

>> Interesting work … looking at the walsh function based non-linearity of
>> Streebog, it is non-optimal (compared to AES and SMS4):
>> AES non-linearity (min, max) = (112.0, 112.0)
>> sms4 non-linearity (min, max) = (112.0, 112.0)
>> Streebog non-linearity (min, max) = (102.0, 110.0)

>> This was using: [
>> https://github.com/nymble/cryptopy/blob/master/analysis/sbox_nonlinearity.py |
>> https://github.com/nymble/cryptopy/blob/master/analysis/sbox_nonlinearity.py ]

>> Paul

>>> Best regards,
>>> /Léo Perrin

>>> [1] Alex Biryukov, Léo Perrin, Aleksei Udovenko. "Reverse-Engineering the S-Box
>>> of Streebog, Kuznyechik and STRIBOBr1". Eurocrypt'16, available online: [
>>> https://eprint.iacr.org/2016/071 | https://eprint.iacr.org/2016/071 ]
>>> [2] Léo Perrin, Aleksei Udovenko. "Exponential S-Boxes: a Link Between the
>>> S-Boxes of BelT and Kuznyechik/Streebog ". ToSC'16. Available online: [
>>> https://tosc.iacr.org/index.php/ToSC/article/view/567 |
>>> https://tosc.iacr.org/index.php/ToSC/article/view/567 ]
>>> [3] Arnaud Bannier, Nicolas Bodin, Éric Filiol. "Partition-based trapdoor
>>> ciphers". [ https://eprint.iacr.org/2016/493 | https://eprint.iacr.org/2016/493
>>> ]
>>> _______________________________________________
>>> Cfrg mailing list
>>> [ mailto:Cfrg@irtf.org | Cfrg@irtf.org ]
>>> [
>>> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.irtf..org_mailman_listinfo_cfrg&d=DwICAg&c=qgVugHHq3rzouXkEXdxBNQ&r=oIg4FfS8P761BlhMPJ2ys3IvSyH4XQ12Mbj_mXrCAJs&m=S0H637y57cjgJ_W4QG8e2TIQ0lLL3cDdmc5Lf8_MxfI&s=CbZRt6CVbiJLCAXEFyRawO2y5_gU6tsBtlsT9gxbQ14&e=
>>> |
>>> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.irtf..org_mailman_listinfo_cfrg&d=DwICAg&c=qgVugHHq3rzouXkEXdxBNQ&r=oIg4FfS8P761BlhMPJ2ys3IvSyH4XQ12Mbj_mXrCAJs&m=S0H637y57cjgJ_W4QG8e2TIQ0lLL3cDdmc5Lf8_MxfI&s=CbZRt6CVbiJLCAXEFyRawO2y5_gU6tsBtlsT9gxbQ14&e=
>>> ]

>> _______________________________________________
>> Cfrg mailing list
>> [ mailto:Cfrg@irtf.org | Cfrg@irtf.org ]
>> [ https://www.irtf.org/mailman/listinfo/cfrg |
>> https://www.irtf.org/mailman/listinfo/cfrg ]

> --
> Best regards,
> Dmitry Khovratovich