Re: [Cfrg] Structure in the S-box of the Russian algorithms (RFC 6986, RFC 7801)

"Stanislav V. Smyshlyaev" <> Mon, 11 February 2019 06:44 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E5707130DDA for <>; Sun, 10 Feb 2019 22:44:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id DU45bgtprtma for <>; Sun, 10 Feb 2019 22:44:43 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::82e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 779AD12870E for <>; Sun, 10 Feb 2019 22:44:43 -0800 (PST)
Received: by with SMTP id y20so10916543qtm.13 for <>; Sun, 10 Feb 2019 22:44:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=op5EXwuc4NaV8GPjnrzn0AS2uSH/OT7tzOeB3h5iUds=; b=fmyzBVmZ7FVNVQ2tjmdJCRPEdKS+46z2g4PwvV8sFW2H5WQ0su/hbX1d03Ak5hAmxx 93buIk19ZZP0j2b1vpL9YwufZNjk/LMQ6/PxV1cwg2Uuo5OIN6lB0jezc9CcV64iatxY LRpQXKRWglNzXxBMby/FFwy+CgR8R3ta5wA6ZpE75o8tqX1qnJ4nqtmYSiTJTnvCqbn0 TUJweVkFpJpyqoV4BeCxdfTcRGiESzoznkw+j4lW7OLOcwHllM29RJwdsdXallp3E+4s WYelEGCwVtO6j48XQAm8G+wYDF3mW4iV5r1Lk+xG5t3aZNSWQWzXaIyNIlqiCKii7qrM Lozw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=op5EXwuc4NaV8GPjnrzn0AS2uSH/OT7tzOeB3h5iUds=; b=uZtcnmsAhB1BS/Yx2RIq+uwAhlbiYlDrTmYoGKwelZGyLSKJSAsXZYzteFs+/SqtpI 16gVbbseAObE9xIQgjkkSvmR+u2Y8iihIlAb9V4XZQgmem5Ikep5QcEnyh247ko1xR12 /ii/FOXimSmPUGcjhfHNaC3w2Qu4koLYowDy7oRvYhiGmbvRoq+B/RayuhgM8873RXGh CTNvNCaO3lcm9UVnEidh2ujlVvGZ4miALg7XDME9nTgBX+SJIbW71v7ZCqo/H1gaiaQy ixHrvwqw2NSs9IoF3Db/cE5NWw+qOSb5Nc/+t6dtAi6e6VE0lIR/glDO5jGlq9IUGJku 99/Q==
X-Gm-Message-State: AHQUAuZxehFciYLlzyyWRgcjny2mwSBR1zYgpuGxAgxTECOfPKYqDFPD sqT64s80ix9o+joJIKLwFCQqvyV2VwE6v+EL2HA=
X-Google-Smtp-Source: AHgI3IbaX35aGj6ZEJjf3Ldh65gSFzmeuoKqBLIDQQZXNw+xaPmqqlXQmD15feQ2KFEDp0GHAc44NOtQkC2xzIu6OSs=
X-Received: by 2002:ac8:3341:: with SMTP id u1mr7366545qta.58.1549867481993; Sun, 10 Feb 2019 22:44:41 -0800 (PST)
MIME-Version: 1.0
References: <> <>
In-Reply-To: <>
From: "Stanislav V. Smyshlyaev" <>
Date: Mon, 11 Feb 2019 09:42:43 +0300
Message-ID: <>
To: Tony Arcieri <>
Cc: Leo Perrin <>, CFRG <>
Content-Type: multipart/alternative; boundary="000000000000b694d5058198a432"
Archived-At: <>
Subject: Re: [Cfrg] Structure in the S-box of the Russian algorithms (RFC 6986, RFC 7801)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 11 Feb 2019 06:44:47 -0000

Dear Tony,

In response to your tweet
and this message of yours.

I am not able to comment anything on the principles of the generation of
Streebog and Kuznyechik S-Boxes - I've always been working in a commercial
company that develops software and was never invlolved in synthesis of
Russian cryptoprimitives.

But I can tell you everything about the process of generation of Edwards
curves, since my colleagues and I were the ones who generated them (and
later proposed for standardization in addition to older Weierstrass ones) –
since we needed to increase performance of digital signatures used in our

You are totally right that W had not been selected according to modern good
principles of deterministic (and verifiable) search of suitable parameters.
It would be better if it was, but most of the curves that existed that time
were not even generated with parameters equal to hash values of some data
(with "verifiable pseudo-random" parameters).

But those curves were generated in 2012 - they reflected best practices and
state-of-the-art of that time. And Streebog was used for the obvious reason
- it was a new hash function that was standardized in Russia (as a part of
GOST R 34.11-2012 standard) and available for me and my colleagues.

Best regards,

пн, 11 февр. 2019 г. в 09:30, Tony Arcieri <>:

> On Sun, Feb 10, 2019 at 1:50 PM Leo Perrin <> wrote:
>> This situation is unlike anything else in the literature. [....] Still,
>> at the moment, I don't know of any attack leveraging my new decomposition
>> as the partition in the input is the partition in multiplicative cosets
>> (and not additive ones). Nevertheless, I can't think of a good reason for
>> the designers of these algorithms to use this structure and, worse, to keep
>> this fact secret; especially since the presence of such properties demands
>> a specific analysis to ensure that the algorithms are safe.
> Streebog was used as the hash function for the elliptic curve generation
> procedure for 512-bit Edwards curves standardized in GOST R 34.10-2012. I'm
> curious, even hypothetically, if this attack could be combined with an
> attacker-controlled hash input (W) to maliciously influence curve parameter
> selection.
> Thread:
> A selected email below with an interesting passage highlighted...
> ---------- Forwarded message ---------
> From: Stanislav V. Smyshlyaev <>
> Date: Wed, Jan 28, 2015 at 6:14 AM
> Subject: Re: [Cfrg] 512-bit twisted Edwards curve and curve generation
> methods in Russian standardization
> To: Alyssa Rowan < <>>, <>
> Dear Alyssa,
> As we believe (and as it has been mentioned earlier during discussion at
> CFRG), the initital seed value doesn't have to be chosen explicitly in case
> of trust in basic hash function properties – to gain some "backdoor-type"
> properties of the curve with d = hash(W), one has either to *combine such
> algebraic properties of a curve with properties of a hash function* (for
> a trivial example, to have an ability to obtain a hash preimage) or to
> choose a very probable "backdoor-type" property of a curve (such that it is
> possible to obtain by random choice of a curve).
> --
> Tony Arcieri
> _______________________________________________
> Cfrg mailing list