The Secret Structure of the S-Box of Streebog, Kuznechik and Stribob

Alex Biryukov and Léo Perrin and Aleksei Udovenko

Abstract: The last hash function and block cipher standardized by the Russian standardization body (GOST) both use the same S-Box. It is also used by an independent CAESAR candidate. This transformation is only specified as a lookup table, and the reason behind its choice is unknown.

We managed to reverse-engineer this S-Box and describe its unpublished structure. Our decomposition allows a much more efficient hardware implementation, but the choice of the components used is puzzling from a cryptographic perspective.

This extended abstract does not explain how we found this decomposition. We will describe our process in an extended version of this paper.

Category / Keywords: secret-key cryptography / Streebog, S-Box, Kuznyechik, Reverse-Engineering

Date: received 14 Aug 2015, last revised 31 Aug 2015

Contact author: leo perrin at uni lu


Note: Made it clear that only STRIBOBr1 was using the S-Box we reverse-engineered, unlike STRIBOBr2.

Version: 20150831:124216

