On Reverse-Engineering S-boxes with Hidden Design Criteria or Structure

Transcription

1 On Reverse-Engineering S-boxes with Hidden Design Criteria or Structure Alex Biryukov, Léo Perrin University of Luxembourg January 13, / 42

2 Introduction Skipjack Block cipher released by the NSA in block = 64 bits ; key = 80 bits ; 32 rounds 2 / 42

3 Introduction Facts / Denitions F is the 8x8 F-Table (S-Box) of Skipjack Algebraic degree: 7 Cycle lengths: 2, 10, 45, 68, / 42

4 Introduction Facts / Denitions F is the 8x8 F-Table (S-Box) of Skipjack Algebraic degree: 7 Cycle lengths: 2, 10, 45, 68, 131 Distribution of the coecients in the DDT and LAT of F (Note: we remove the rst line and column from them) D δ, = #{x GF (2 8 ), F (x + δ) + F (x) = } L a,b = #{x GF (2 8 ), a x = b S(x)} / 42

5 Introduction Distributions comparison Skipjack Random AES Di. Spec max a,b 1{L a,b} / 42

6 Introduction Distributions comparison Skipjack Random AES Di. Spec max a,b 1{L a,b} F is not very impressive... Picked uniformly random? Design criteria? Hidden structure? 4 / 42

7 Introduction Question How much information can we gather from the analysis of an S-Box? Can we reverse-engineer the design process used? 5 / 42

8 Identifying the Structure of an S-Box Outline 1 Introduction 2 Identifying the Structure of an S-Box Substitution-Permutation Network Simple Algebraic Expression Feistel Network 3 Ruling out Randomness Jackson Pollock Pattern Recognition Looking Back at the Tables 4 Skipjack's F-Table's Design A Possible Design Criteria Context of the design 5 Conclusion 6 / 42

9 Identifying the Structure of an S-Box Substitution-Permutation Network Substitution-Permutation Network Used by Iceberg, Khazad, Anubis (4x4 bijections + bit permutation) 7 / 42

10 Identifying the Structure of an S-Box Substitution-Permutation Network Substitution-Permutation Network Used by Iceberg, Khazad, Anubis (4x4 bijections + bit permutation) "2-rounds public key system with S-Boxes": Attempt at public key crypto using an ASASA structure. Broken (Biham 2000). SASAS: it is possible to recover all components from a 3-rounds Substitution-Permutation Network (Biryukov, Shamir 2001). 7 / 42

11 Identifying the Structure of an S-Box Substitution-Permutation Network Substitution-Permutation Network Used by Iceberg, Khazad, Anubis (4x4 bijections + bit permutation) "2-rounds public key system with S-Boxes": Attempt at public key crypto using an ASASA structure. Broken (Biham 2000). SASAS: it is possible to recover all components from a 3-rounds Substitution-Permutation Network (Biryukov, Shamir 2001). Fails on Skipjack: not a Substitution-Permutation Network with 3 rounds. 7 / 42

12 Identifying the Structure of an S-Box Simple Algebraic Expression Finding a simple algebraic expression Tree-search Score based on coecients in the DDT Operations:,, <<< n, k 8 / 42

13 Identifying the Structure of an S-Box Simple Algebraic Expression Finding a simple algebraic expression Tree-search Score based on coecients in the DDT Operations:,, <<< n, k Works on φ 3, φ : x 3 ((3 y 0x53) >>> 4 ) 0x8b... Fails on Skipjack: no simple algebraic structure. 8 / 42

14 Identifying the Structure of an S-Box Feistel Network Recovering Feistel functions for a Feistel Network Suppose that a n n S-Box was built using a two-branched Feistel Network (Robin, Zorro). Can we recover it? 9 / 42

15 Identifying the Structure of an S-Box Feistel Network Distinguishing attacks Against Feistel Networks r-rounds Feistel Network with two n-bits branches Luby-Racko: secure if r 4 and D << 2 n/2 Patarin showed: r 6 is enough for D << 2 n(1 ɛ) ( ) Any r: D = O(r 2 n ), T = O 2 kn2 n 10 / 42

16 Identifying the Structure of an S-Box Feistel Network Distinguishing attacks Against Feistel Networks r-rounds Feistel Network with two n-bits branches Luby-Racko: secure if r 4 and D << 2 n/2 Patarin showed: r 6 is enough for D << 2 n(1 ɛ) ( ) Any r: D = O(r 2 n ), T = O 2 kn2 n... What if D = 2 2n?... What if distinguishing is not enough?... What if modular addition is used instead of XOR? 10 / 42

17 Identifying the Structure of an S-Box Feistel Network CNF encoding Variables for each unknown S-Box: x 2 x 1 x 0 f 2 f 1 f s 0 2 s 0 1 s s 1 2 s 1 1 s s 2 2 s 2 1 s s 3 2 s 3 1 s / 42

18 Identifying the Structure of an S-Box Feistel Network CNF encoding Variables for each unknown S-Box: Encoding one round (example): x 2 x 1 x 0 f 2 f 1 f s 0 2 s 0 1 s s 1 2 s 1 1 s s 2 2 s 2 1 s s 3 2 s 3 1 s ( ) x R 2 x R 1 x R 0 = (f2 = s2) 1 xor: y R 2 = x L 2 f 2 mod. add.: y R 2 = x L 2 f 2 c 2, c 2 = Maj(c 1, x R 1, f 1 ) y L 2 = x R 2 11 / 42

19 Identifying the Structure of an S-Box Feistel Network High level algorithm 1 Assume a sequence (e.g. {a, b, c, a, c}) 2 Generate variables for each assumed S-Box (e.g. 3 sets) 3 For all c = S(p): 1 For all rounds: 1 For all inputs x R : encode the S-Box output 2 Encode y R = x L S r (x R ) or y R = x L S r (x R ) 3 Encode the equality of y L and x R 2 Encode that 1st input is p and last output is c 4 Solve with SAT-solver 5 If CNF is satisable 6 Else 1 Recover S-Boxes from assignment 2 return "Feistel" return "not a Feistel" 12 / 42

20 Identifying the Structure of an S-Box Feistel Network Results 4-rounds Feistel S-Boxes (, ): Dimensions 8x8 10x10 12x12 Time decomposing < Time discarding Time Decomposing < 1 s < 30 s < 10 min Decomposing more rounds depends on the sequence (e.g. "ababab" is easy) 13 / 42

21 Identifying the Structure of an S-Box Feistel Network Results 4-rounds Feistel S-Boxes (, ): Dimensions 8x8 10x10 12x12 Time decomposing < Time discarding Time Decomposing < 1 s < 30 s < 10 min Decomposing more rounds depends on the sequence (e.g. "ababab" is easy) Skipjack's F is not: a -Feistel (odd parity) a -Feistel with 4 independent rounds a -Feistel with 8 identical rounds 13 / 42

22 Ruling out Randomness Outline 1 Introduction 2 Identifying the Structure of an S-Box Substitution-Permutation Network Simple Algebraic Expression Feistel Network 3 Ruling out Randomness Jackson Pollock Pattern Recognition Looking Back at the Tables 4 Skipjack's F-Table's Design A Possible Design Criteria Context of the design 5 Conclusion 14 / 42

23 Ruling out Randomness Jackson Pollock Pattern Recognition Jackson Pollock Pattern Recognition Use the eye! 15 / 42

24 Ruling out Randomness Jackson Pollock Pattern Recognition Jackson Pollock Pattern Recognition Use the eye! (and redecorate your living-room with abstract crypto-art) 15 / 42

25 Ruling out Randomness Jackson Pollock Pattern Recognition DDT of the AES S-Box 16 / 42

26 Ruling out Randomness Jackson Pollock Pattern Recognition DDT of φ 2 17 / 42

27 Ruling out Randomness Jackson Pollock Pattern Recognition DDT of the Gold S-Box 18 / 42

28 Ruling out Randomness Jackson Pollock Pattern Recognition DDT of Skipjack's F-Table 19 / 42

29 Ruling out Randomness Jackson Pollock Pattern Recognition LAT of the AES S-Box 20 / 42

30 Ruling out Randomness Jackson Pollock Pattern Recognition LAT of CLEFIA's S-Box 0 21 / 42

31 Ruling out Randomness Jackson Pollock Pattern Recognition LAT of Iceberg's S-Box 22 / 42

32 Ruling out Randomness Jackson Pollock Pattern Recognition LAT of SAFER+'s S-Box 23 / 42

33 Ruling out Randomness Jackson Pollock Pattern Recognition LAT of Zorro's S-Box 24 / 42

34 Ruling out Randomness Jackson Pollock Pattern Recognition LAT of Zorro's S-Box (ltered) 25 / 42

35 Ruling out Randomness Jackson Pollock Pattern Recognition LAT of Skipjack's F-Table 26 / 42

36 Ruling out Randomness Jackson Pollock Pattern Recognition Results Can help distinguish some structure 27 / 42

37 Ruling out Randomness Jackson Pollock Pattern Recognition Results Can help distinguish some structure Fails on Skipjack: no "visible" structure. 27 / 42

38 Ruling out Randomness Jackson Pollock Pattern Recognition Results Can help distinguish some structure Fails on Skipjack: no "visible" structure.... It would denitely look nice in your living room. > 27 / 42

39 Ruling out Randomness Looking Back at the Tables Statistical Method Skipjack refuses to cooperate: 1 not a SPN 2 no "simple" algebraic expression 3 not a Feistel 4 no visible pattern 28 / 42

40 Ruling out Randomness Looking Back at the Tables Statistical Method Skipjack refuses to cooperate: 1 not a SPN 2 no "simple" algebraic expression 3 not a Feistel 4 no visible pattern Maybe it was picked uniformly at random after all? 28 / 42

41 Ruling out Randomness Looking Back at the Tables Statistical Method Skipjack refuses to cooperate: 1 not a SPN 2 no "simple" algebraic expression 3 not a Feistel 4 no visible pattern Maybe it was picked uniformly at random after all? Breakthrough The distribution of the coecients in the DDT and LAT of random S-Boxes is xed ( 2 16 samples from xed distribution). 28 / 42

42 Ruling out Randomness Looking Back at the Tables Comparing the distributions of {D δ, } δ, 1 29 / 42

43 Ruling out Randomness Looking Back at the Tables Comparing the distributions of {L a,b} a,b 1 30 / 42

44 Ruling out Randomness Looking Back at the Tables Quantifying unlikelihood Probability to have a highest coecient equal to 28: P / 42

45 Ruling out Randomness Looking Back at the Tables Quantifying unlikelihood Probability to have a highest coecient equal to 28: P Probability to have at most 3 occurrences of 28 and nothing higher: P / 42

46 Ruling out Randomness Looking Back at the Tables Quantifying unlikelihood Probability to have a highest coecient equal to 28: P Probability to have at most 3 occurrences of 28 and nothing higher: P Mismatch in the dierential properties explained by the linear one: D δ, = 2 2 2n ( 1) a δ b L 2. a,b a GF (2 8 ) b GF (2 8 ) 31 / 42

47 Ruling out Randomness Looking Back at the Tables Quantifying unlikelihood Probability to have a highest coecient equal to 28: P Probability to have at most 3 occurrences of 28 and nothing higher: P Mismatch in the dierential properties explained by the linear one: D δ, = 2 2 2n ( 1) a δ b L 2. a,b a GF (2 8 ) b GF (2 8 ) Success (at last) Skipjack's F was not chosen uniformly at random 31 / 42

48 Skipjack's F-Table's Design Outline 1 Introduction 2 Identifying the Structure of an S-Box Substitution-Permutation Network Simple Algebraic Expression Feistel Network 3 Ruling out Randomness Jackson Pollock Pattern Recognition Looking Back at the Tables 4 Skipjack's F-Table's Design A Possible Design Criteria Context of the design 5 Conclusion 32 / 42

49 Skipjack's F-Table's Design A Possible Design Criteria Measuring how good the LAT coe. dist. is We dene R(S) for an S-Box S with LAT L as: R(S) = l 0 N l 2 l, N l = #{x LAT, x = l} 33 / 42

50 Skipjack's F-Table's Design A Possible Design Criteria Measuring how good the LAT coe. dist. is We dene R(S) for an S-Box S with LAT L as: R(S) = l 0 N l 2 l, N l = #{x LAT, x = l} Optimising R (outline): 1 Generate S at random 2 Compute LAT(S) 3 Identify the set X (l) of all inputs contributing to one of the high coecients l 4 Find (x, y) X (l) 2 such that R(S ) < R(S) where S (x) = S(y), S (y) = S(x). 5 Return S We can stop when the algorithm fails or when R is below some threshold. 33 / 42

51 Skipjack's F-Table's Design A Possible Design Criteria Results when imitating F Figure: Threshold = 10 10, R(F ) / 42

52 Skipjack's F-Table's Design A Possible Design Criteria Results for full optimization Figure: Threshold: 35 / 42

53 Skipjack's F-Table's Design A Possible Design Criteria Results when only using max value Figure: R(S) = (max(l), N max(l) ) 36 / 42

54 Skipjack's F-Table's Design A Possible Design Criteria Was F made in this fashion? Results very close to F / 42

55 Skipjack's F-Table's Design A Possible Design Criteria Was F made in this fashion? Results very close to F But constant chosen to match it (threshold R(F )).... And can be used to do better. 37 / 42

56 Skipjack's F-Table's Design A Possible Design Criteria Was F made in this fashion? Results very close to F But constant chosen to match it (threshold R(F )).... And can be used to do better. Still, the shape of the curve is hard to imitate (slight bump, cli, small maximum). 37 / 42

57 Skipjack's F-Table's Design A Possible Design Criteria Was F made in this fashion? Results very close to F But constant chosen to match it (threshold R(F )).... And can be used to do better. Still, the shape of the curve is hard to imitate (slight bump, cli, small maximum). Success (kind of) They have likely used a similar criteria (low sum of number of high values, high weight for high values) and optimized for it. 37 / 42

58 Skipjack's F-Table's Design Context of the design Skipjack's Time-line 1987: Initial design of Skipjack 38 / 42

59 Skipjack's F-Table's Design Context of the design Skipjack's Time-line 1987: Initial design of Skipjack 1992, May (EUROCRYPT'92): Matsui and Yamagishi present rst linear attack (FEAL) 38 / 42

60 Skipjack's F-Table's Design Context of the design Skipjack's Time-line 1987: Initial design of Skipjack 1992, May (EUROCRYPT'92): Matsui and Yamagishi present rst linear attack (FEAL) 1992, Aug 25: The F-Table of Skipjack is changed 38 / 42

61 Skipjack's F-Table's Design Context of the design Skipjack's Time-line 1987: Initial design of Skipjack 1992, May (EUROCRYPT'92): Matsui and Yamagishi present rst linear attack (FEAL) 1992, Aug 25: The F-Table of Skipjack is changed 1995, Aug 9: Someone (anonymous) posts S-1 to sci.crypt 38 / 42

62 Skipjack's F-Table's Design Context of the design Skipjack's Time-line 1987: Initial design of Skipjack 1992, May (EUROCRYPT'92): Matsui and Yamagishi present rst linear attack (FEAL) 1992, Aug 25: The F-Table of Skipjack is changed 1995, Aug 9: Someone (anonymous) posts S-1 to sci.crypt 1995, Sep: Schneier analyses S-1 and quotes: The enclosed Informal Technical Report revises the F-table in SKIPJACK 3. No other aspect of the algorithm is changed. 38 / 42

63 Skipjack's F-Table's Design Context of the design Skipjack's Time-line 1987: Initial design of Skipjack 1992, May (EUROCRYPT'92): Matsui and Yamagishi present rst linear attack (FEAL) 1992, Aug 25: The F-Table of Skipjack is changed 1995, Aug 9: Someone (anonymous) posts S-1 to sci.crypt 1995, Sep: Schneier analyses S-1 and quotes: The enclosed Informal Technical Report revises the F-table in SKIPJACK 3. No other aspect of the algorithm is changed. 1998, May 20: Skipjack ocially released by NSA 38 / 42

64 Conclusion Outline 1 Introduction 2 Identifying the Structure of an S-Box Substitution-Permutation Network Simple Algebraic Expression Feistel Network 3 Ruling out Randomness Jackson Pollock Pattern Recognition Looking Back at the Tables 4 Skipjack's F-Table's Design A Possible Design Criteria Context of the design 5 Conclusion 39 / 42

65 Conclusion Conclusion There are many things we can try to reverse-engineer an S-Box. 40 / 42

66 Conclusion Conclusion There are many things we can try to reverse-engineer an S-Box. Skipjack's F was not random Linear properties optimized, perhaps using something similar to R 4, / 42

67 Conclusion Conclusion There are many things we can try to reverse-engineer an S-Box. Skipjack's F was not random Linear properties optimized, perhaps using something similar to R 4,22. NSA's "Cryptolog" (internal crypto newspaper) mentions Matsui and Yamagishi's paper. Change made in 2 months? Is it badly optimized from lack of time? Or was linear cryptanalysis known before hand? 40 / 42

68 Conclusion Open Questions How can we build a large S-Box or a small program in such a way as to hide the simple structure used to generate it? 41 / 42

69 Conclusion Open Questions How can we build a large S-Box or a small program in such a way as to hide the simple structure used to generate it? Motivations: Build large S-Boxes from smaller ones? Implementation? Masking? Hide malicious property? White-Box crypto? Assymetric proof of work? Something else? 41 / 42

70 Conclusion Challenge! 3 S-Boxes, 3 structures. Can you decompose them? 42 / 42