Partitions in the S-Box of Streebog and Kuznyechik

Streebog and Kuznyechik are the latest symmetric cryptographic primitives standardized by the Russian GOST. They share the same S-Box, π, whose design process was not described by its authors. In previous works, Biryukov, Perrin and Udovenko recovered two completely different decompositions of this S-Box.

We revisit their results and identify a third decomposition of π. It is an instance of a fairly small family of permutations operating on 2m bits which we call TKlog and which is closely related to finite field logarithms. Its simplicity and the small number of components it uses lead us to claim that it has to be the structure intentionally used by the designers of Streebog and Kuznyechik.

The 2m-bit permutations of this type have a very strong algebraic structure: they map multiplicative cosets of the subfield GF(2^m)* to additive cosets of GF(2^m)*. Furthermore, the function relating each multiplicative coset to the corresponding additive coset is always essentially the same. To the best of our knowledge, we are the first to expose this very strong algebraic structure.

We also investigate other properties of the TKlog and show in particular that it can always be decomposed in a fashion similar to the first decomposition of Biryukov et al., thus explaining the relation between the two previous decompositions. It also means that it is always possible to implement a TKlog efficiently in hardware and that it always exhibits a visual pattern in its LAT similar to the one present in π. While we could not find attacks based on these new results, we discuss the impact of our work on the security of Streebog and Kuznyechik. To this end, we provide a new simpler representation of the linear layer of Streebog as a matrix multiplication in the exact same field as the one used to define π. We deduce that this matrix interacts in a non-trivial way with the partitions preserved by π.
