Sciweavers

IACR
2016

Reverse-Engineering the S-Box of Streebog, Kuznyechik and STRIBOBr1

8 years 8 months ago
Reverse-Engineering the S-Box of Streebog, Kuznyechik and STRIBOBr1
The Russian Federation’s standardization agency has recently published a hash function called Streebog and a 128-bit block cipher called Kuznyechik. Both of these algorithms use the same 8-bit S-Box but its design rationale was never made public. In this paper, we reverse-engineer this S-Box and reveal its hidden structure. It is based on a sort of 2-round Feistel Network where exclusive-or is replaced by a finite field multiplication. This structure is hidden by two different linear layers applied before and after. In total, five different 4-bit S-Boxes, a multiplexer, two 8-bit linear permutations and two finite field multiplications in a field of size 24 are needed to compute the S-Box. The knowledge of this decomposition allows a much more efficient hardware implementation by dividing the area and the delay by 2.5 and 8 respectively. However, the small 4-bit S-Boxes do not have very good cryptographic properties. In fact, one of them has a probability 1 differential. We then gene...
Alex Biryukov, Léo Perrin, Aleksei Udovenko
Added 03 Apr 2016
Updated 03 Apr 2016
Type Journal
Year 2016
Where IACR
Authors Alex Biryukov, Léo Perrin, Aleksei Udovenko
Comments (0)