Abstract
In this paper we study the problem of recovering a secret S-box from its difference distribution table (DDT). While being an interesting theoretical problem on its own, the ability to recover the S-box from the DDT of a secret S-box can be used in cryptanalytic attacks where the attacker can obtain the DDT (e.g., in Bar-On et al.’s attack on GOST), in supporting theoretical analysis of the properties of difference distribution tables (e.g., in Boura et al.’s work), or in some analysis of S-boxes with unknown design criteria (e.g., in Biryukov and Perrin’s analysis).We show that using the well established relation between the DDT and the linear approximation table (LAT), one can devise an algorithm different from the straightforward guess-and-determine (GD) algorithm proposed by Boura et al. Moreover, we show how to exploit this relation, and embed the knowledge obtained from it in the GD algorithm. We tested our new algorithm on random S-boxes of different sizes, and for random 14-bit bijective S-boxes, our results outperform the GD attack by several orders of magnitude.
Highlights
Differential cryptanalysis, introduced by Biham and Shamir [BS91], has transformed the field of cryptanalysis and offered attacks against multiple symmetric-key primitives
We show that using this relation, it is possible to transform the difference distribution table (DDT) into multiple linear approximation tables,2 each of which is offering an S-box
In this paper we presented a new algorithm for reconstructing an S-box from its DDT
Summary
Differential cryptanalysis, introduced by Biham and Shamir [BS91], has transformed the field of cryptanalysis and offered attacks against multiple symmetric-key primitives (and a few public-key ones). The inverse problem of deducing the S-box from a given DDT, was mostly left unstudied. In Bar-On et al.’s slide attack on GOST [BOBDK18], the attacker can learn the DDT, and needs to deduce the secret S-box from it. Another line of research that will enjoy such efficient reconstruction algorithms is the study of the theoretical properties of DDTs. A recent work by Boura et al [BCJS19] studied a theoretical question — can two different S-boxes, that do not satisfy some trivial relation, share the same DDT. As part of this work, a guess-and-determine (GD) algorithm for the reconstruction of the S-box was introduced and used..
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have