Reconstructing an S-box from its Difference Distribution Table

• Main Authors: Orr Dunkelman, Senyang Huang
• Format: Article
• Language: English
• Published: Ruhr-Universität Bochum 2019-06-01
• Series: IACR Transactions on Symmetric Cryptology
• Subjects: S-box; DDT; LAT; the sign determination problem
• Online Access: https://ojs-speed.ub.rub.de/index.php/ToSC/article/view/8319

In this paper we study the problem of recovering a secret S-box from its difference distribution table (DDT). While being an interesting theoretical problem on its own, the ability to recover the S-box from the DDT of a secret S-box can be used in cryptanalytic attacks where the attacker can obtain the DDT (e.g., in Bar-On et al.’s attack on GOST), in supporting theoretical analysis of the properties of difference distribution tables (e.g., in Boura et al.’s work), or in some analysis of S-boxes with unknown design criteria (e.g., in Biryukov and Perrin’s analysis). We show that using the well established relation between the DDT and the linear approximation table (LAT), one can devise an algorithm different from the straightforward guess-and-determine (GD) algorithm proposed by Boura et al. Moreover, we show how to exploit this relation, and embed the knowledge obtained from it in the GD algorithm. We tested our new algorithm on random S-boxes of different sizes, and for random 14-bit bijective S-boxes, our results outperform the GD attack by several orders of magnitude.