On Reverse-Engineering S-Boxes with Hidden Design Criteria or Structure
Abstract
S-Boxes are the key components of many cryptographic primitives, and designing them to improve resilience to attacks such as linear or differential cryptanalysis is well understood. In this paper, we investigate techniques that can be used to reverse-engineer S-Box design and illustrate them by studying the S-Box F of the Skipjack block cipher, whose design process has so far remained secret. We first show that the linear properties of F are far from random and propose a design criterion, along with an algorithm which generates S-Boxes very similar to that of Skipjack. Then we consider more general S-Box decomposition problems and propose new methods for decomposing S-Boxes built from arithmetic operations or as a Feistel Network of up to 5 rounds. Finally, we develop an S-Box generating algorithm which can fix a large number of DDT entries to the values chosen by the designer. We demonstrate this algorithm by embedding images into the visual representation of the S-Box’s DDT.
Keywords
S-Box design criteria; Skipjack; Linearity; Functional decomposition problem; Efficient implementation
1 Introduction
Nonlinearity in cryptographic primitives is usually provided by so-called S-Boxes, functions which map a few input bits to a few output bits and which are often specified as lookup tables. These have been a topic of intensive research since their properties are crucial for the resilience of a cipher against differential [1, 2, 3] and linear [4, 5] attacks. Further, the structure or the method used to build the S-Box can provide other benefits.
Indeed, the structure of an S-Box can be leveraged, for instance, to improve the implementation of a primitive using it. The hash function Whirlpool [6] and the block ciphers Khazad [7], Fantomas, Robin [8] and Zorro [9], among others, use \(8 \times 8\)-bit S-Boxes built from smaller \(4 \times 4\) ones, since storing several \(4 \times 4\) permutations as tables of 16 4-bit nibbles is more memory efficient than storing one \(8 \times 8\) permutation as a table of 256 bytes. Besides this implementation advantage, knowledge of the internal structure helps to produce more efficient masked implementations against side-channel attacks, a notable example being the AES [10] with its algebraic S-Box based on a power function.
In some cases the design process of an S-Box might be kept secret for the purpose of implementing white-box cryptography, as described e.g. in [11]. In this paper, Biryukov et al. describe a memory-hard white-box encryption scheme based on a Substitution-Permutation Network where the S-Boxes are very large and are built using a so-called ASASA or ASASASA structure, where “A” denotes an affine layer and “S” a non-linear S-Box layer. Preventing an adversary from decomposing these S-Boxes into their “A” and “S” layers is at the core of the security claims for this scheme.
Moreover, such memory-hard white-box implementations with hidden structure of components can be of use in cryptocurrencies, for example in cases where an entity is interested in issuing a cryptocurrency of its own. One of the dangers is that powerful adversaries may launch a 51% attack, taking control of the mining process. Memory-hard S-Boxes with hidden structure can offer a distinct advantage in such a setting, since an efficient implementation of the proof-of-work function may be kept secret by the owners of the currency.
Examples of algorithms for which the components are known but the rationale behind their choice is not (at least at the time of release) are the block ciphers designed by or with the help of the US National Security Agency (NSA), namely the DES [12], Skipjack [13], SIMON and SPECK [14] (the last two do not use S-Boxes though). Although the design criteria for the S-Boxes of DES were later released [15], they were kept secret for 20 years in order to hide the existence of differential cryptanalysis, a technique only known to IBM and the NSA at the time. Skipjack also uses an S-Box, denoted F, which is a permutation of \(\{ 0,1 \}^{8}\). However, nothing was known so far about how this S-Box was chosen.
1. Draw the “Pollock” visual representation of the LAT and DDT of S (see Sect. 4).
2. Check whether the linear and differential properties of S are compatible with a random function/permutation (see Sect. 2).
3. Compute the signature \(\sigma (S)\) of S.
4.
5. Regardless of \(\sigma (S)\), run DecomposeFeistel\((S,R, \boxplus )\) for \(R \in [2, 5]\) (see Sect. 3.2).
6. Regardless of \(\sigma (S)\), run BreakArithmetic(S) (see Sect. 3.1).
We study in Sect. 2 the seemingly average linear properties of F. After a careful investigation, and despite the fact that these properties are not impressive, we show that the probability for a random permutation of \(\{ 0,1 \}^{8}\) to have linear properties at least as good as those of F is negligible. This implies three things. First, F was not chosen uniformly at random. Second, F is very unlikely to have been picked among random candidates according to some criteria. Third, the method used to build it improved the linear properties. We also provide a candidate algorithm which can be used to generate S-Boxes with very similar differential and linear properties.
In Sect. 3 we consider the general problem of decomposing an S-Box with hidden structure and describe two algorithms which can be used to decompose S-Boxes based on: (a) multiple iterations of simple arithmetic operations (for example those found in a typical microprocessor) and (b) Feistel Networks with up to five independent rounds. The first algorithm is an optimised tree-search and the second one involves a SAT-solver.
Finally, we show in Sect. 4 how visual representations of the difference distribution table (DDT) or the linear approximation table (LAT) of an S-Box can help a cryptographer to spot non-randomness at a glance. As a bonus, we present an algorithm which generates non-bijective S-Boxes such that a large set of entries in their DDT are set according to the designer’s choices. We illustrate it by embedding images in the visual representation of the S-Box’s DDT.
2 Partially Reverse-Engineering the S-Box of Skipjack
2.1 Overview of the S-Box of Skipjack and Useful Definitions
Skipjack is a block cipher with a block size of 64 bits and a key size of 80 bits. The interested reader may refer to the official specification [13] or to the best attack on the cipher [18], an impossible differential attack leveraging its particular round structure. Further analysis trying to discover the design criteria of Skipjack is given in [19, 20].
Skipjack’s specification contains an \(8 \times 8\)-bit bijective S-Box which is called “F-Table” and which is given as a lookup table (we list it in Appendix A). In order to study it we need to introduce the following concepts.
Definition 1
(Permutations Set). We denote \(\mathfrak {S}_{2^{n}}\) the set of all the permutations of \(\{ 0,1 \}^n\).
Definition 2
Differential cryptanalysis relies on finding differential transitions with high probabilities, i.e. pairs (a, b) such that \(s(x \oplus a) \oplus s(x) = b\) has many solutions, which is equivalent to \(d_{a,b}\) being high. Therefore, cryptographers usually attempt to use S-Boxes s with as low a value of \(\varDelta (s)\) as possible. A differentially 2-uniform function, the best possible, is called Almost Perfect Nonlinear (APN). The existence of APN permutations of \(GF(2^n)\) for even n was only proved recently by Browning^{1} et al. [21] in the case \(n=6\), while the case \(n=8\) and beyond still remains an open problem. Hence, the differential uniformity of the S-Boxes of the AES [10] and of most modern S-Box based ciphers is equal to 4.
Distribution of the coefficients in the DDT of F.
Coefficient   Number   Proportion (%) in F   Poisson(1/2) (%)
0             39104    60.14                 60.65
2             20559    31.62                 30.33
4              4855     7.467                 7.582
6               686     1.055                 1.264
8                69     0.106                 0.158
10                5     0.008                 0.016
12                2     0.003                 0.002
We briefly mention the linear properties of F before studying them thoroughly in Sect. 2.2. In particular, we define the Linear Approximation Table of an S-Box.
Definition 3
The quantity \(c_{i, j}\) has different names in the literature. It is called “bias” or “Imbalance” of the Boolean function \(x \mapsto i \cdot x \oplus j \cdot s(x)\) in, for example, [22]. In papers from the Boolean functions community, it is more often defined in terms of Walsh Spectrum, the Walsh Spectrum of a Boolean function being the multiset \(\{ c_{i, j} / 2 \}_{i \ge 0, j \ge 0}\). The maximum coefficient in the LAT of F is \(\varLambda (F) = 28\) and it occurs in absolute value 3 times.
For the sake of completeness, we also give the sizes of the cycles in which F can be decomposed: 2, 10, 45, 68, 131.
2.2 The Linear Properties are Too Good to be True

- F was not chosen uniformly at random in \(\mathfrak {S}_{2^{8}}\);
- the designers of Skipjack did not generate many random permutations and then pick the best according to some criteria, as they would have needed to generate at least about \(2^{55}\) S-Boxes;
- the method used to build F improved its linear properties.
2.3 A Possible Design Criteria
Distribution of \(\log _{2}(N_{\ell })\) in the LAT of different S-Boxes.
\(\ell \)   Random   F       F-like   Best \(R()\)
20          9.164    9.147   9.230    9.311
22          8.220    8.308   8.336    8.247
24          7.173    7.267   7.280    6.400
26          6.041    5.755   5.688    0.000
28          4.826    1.585   1.157
30          3.506
32          2.146
34          0.664
Distribution of \(\log _{2}(N_{\ell })\) in the DDT of different S-Boxes.
\(\ell \)   Random    F        F-like    Best \(R()\)
0           15.265    15.246   15.250    15.227
2           14.270    14.327   14.314    14.380
4           12.277    12.245   12.257    12.210
6            9.693     9.422    9.492     9.126
8            6.701     6.109    6.198     5.265
10           3.374     2.322    2.287     0.714
12          -0.059     1.000   -1.786    -5.059
14          -4.059             -5.059
Using Improve\(R()\) with an appropriate threshold allows us to create S-Boxes with both linear and differential properties very close to those of F. However, in order to achieve this, we need to choose a threshold value computed from F which does not correspond to anything specific. In fact, to the best of our knowledge, the quantity \(R(s)\) does not have any particular importance, unlike for instance the linearity \(\varLambda (s)\). Still, replacing \(R(s)\) by the linearity \(\varLambda (s)\) or by a pair \((\varLambda (s), \#\{ (i,j), c_{i, j} = \varLambda (s) \})\) yields S-Boxes which are very different from F. Such S-Boxes indeed have a value of \(N_{\varLambda (s)-2}\) much higher than in the random case, which is not the case for F.
While our definition of \(R(s)\) may seem arbitrary, it is the only one we could find that leads to linear properties similar to those of F. For instance, it may have been tempting to base \(R(s)\) on the square of \(\ell \), which is used when computing the correlation potential of a linear trail, a quantity useful when looking for linear attacks. We would thus define \(R(s) = \sum _{\ell \ge 0} N_{\ell } \ell ^{2}\). However, this quantity is worthless as an optimization criterion since it is constant: Parseval’s equality on the Walsh spectrum of a Boolean function imposes that the sum of the \((c_{i, j})^{2}\) over each column is equal to \(2^{2n-2}\).
To conclude: we have found new non-random properties of the S-Box of Skipjack which improve its strength against linear cryptanalysis, and we developed an algorithm which could be used to generate such S-Boxes.
2.4 Public Information About the Design of Skipjack
The only information indirectly published by the NSA on Skipjack corresponds to an “Interim Report” [24] written by external cryptographers, and it contains no information on the specifics of the design. The most relevant parts of this report as far as the S-Box is concerned are the following ones.
SKIPJACK was designed to be evaluatable [...]. In summary, SKIPJACK is based on some of NSA’s best technology. Considerable care went into its design and evaluation in accordance with the care given to algorithms that protect classified data.
Furthermore, after the “leakage” of an alleged version of Skipjack to usenet^{2}, Schneier replied with a detailed analysis of the cipher [26] which contained in particular the following quote, indicating that the S-Box was changed in August 1992.
The only other thing I found [through documents released under FOIA] was a SECRET memo. [...] The date is 25 August 1992. [...] [P]aragraph 1 reads:
1. (U) The enclosed Informal Technical Report revises the F-table in SKIPJACK
2. No other aspect of the algorithm is changed.
Note also that the first linear cryptanalysis of DES [4] had not yet been published in August 1992 when the F-Table was changed. Gilbert et al. suggested at CRYPTO’90 [27] to use linear equations to help with key guessing in a differential attack on FEAL. This block cipher was later attacked at CRYPTO’91 [28] and EUROCRYPT’92 [29] using directly some linear equations involving plaintext, ciphertext and key bits. We can but speculate about a connection between these papers and the change of S-Box of Skipjack.
3 Algorithm Decomposing Particular Structures
A powerful tool able to quickly discard some possible structures for an S-Box is its signature, as shown in Lemma 1.
Definition 4
(Permutation Signature). A permutation s of \(\{0,1\}^n\) has an odd signature if and only if it can be decomposed into an odd number of transpositions, a transposition being a function permuting two elements of \(\{0,1\}^n\). Otherwise, its signature is even.
The signature of \(f \circ g\) is even if and only if f and g have the same signature.
Lemma 1
- Feistel Networks using XOR to combine the output of the Feistel function with the other branch,
- Substitution-Permutation Networks for which the diffusion layer is linear in \(GF(2)^b\) or can be decomposed into a sequence of permutations ignoring a fraction of the internal state.
Proof
Let b be the block size of the block ciphers considered. The proof for the case of Feistel Networks with XOR can be found in [30].
Let us look at substitution-permutation networks. An S-Box layer consists of the parallel application of several invertible S-Boxes operating on n bits, with n dividing b. This operation can be seen as the successive application of the S-Box on each n-bit block, one after another. Such an operation ignores \(2^{b-n}\) bits, meaning that its cycle decomposition consists of \(2^{b-n}\) replicas of the same set of cycles. Since \(2^{b-n}\) is even, the application of each S-Box is even, which in turn implies that the successive application of the S-Box on each block is even. More generally, any permutation which can be decomposed into a sequence of sub-permutations ignoring a fraction of the internal state is even. The fact that permutations linear in \(GF(2)^b\) are even is shown in the proof of Lemma 2 in [31]. \(\square \)
The restriction put on the diffusion layer of SPN’s is usually not important, e.g. the diffusion layer of the AES fits the requirement. However, for small block sizes, it must be taken into account.
So far, we have shown that F was built rather than picked out of a set of random S-Boxes according to some criteria. The signature of F is odd, so Lemma 1 implies that F cannot be a Feistel Network with XOR. The generic attack on the SASAS structure [16] fails on F, meaning that it is not a simple SPN either. Finally, F is not affine equivalent to a monomial of \(GF(2^n)\) like, for instance, the S-Box of the AES. Indeed, such functions have the same coefficients in the rows of their DDT, only in a different order. This observation led to the definition of the differential spectrum by Blondeau et al. [32]. It also implies that, for a monomial, the number of coefficients equal to d in its DDT must divide \(2^n - 1\). As this is not the case for F, we can also rule out this structure.
However, this is not sufficient to conclude that F does not have a particular structure. It could be based on simple operations such as rotations, addition modulo \(2^{n}\) and multiplication, all available in a typical microprocessor (thus offering the designer the benefit of a memory-efficient implementation), or on a Feistel Network which uses modular addition to combine the output of the Feistel function with the other branch. We study these two possibilities in this section, first by describing an algorithm capable of decomposing S-Boxes built from multiple simple arithmetic operations and then by presenting a new attack recovering all Feistel functions of a small Feistel Network of up to 5 rounds, regardless of whether XOR or modular addition is used.
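As an added illustration of Definition 4 and Lemma 1 (example code, not the authors'), the program below computes the signature of a permutation from its cycle decomposition and applies it to small two-branch Feistel Networks built with \(\oplus\) and with \(\boxplus\). The 4-bit round-function tables are constructed for the example. With \(\oplus\) the signature is always even, while with \(\boxplus\) on branches of at least 2 bits it is odd exactly when the round functions together have an odd number of odd outputs, which is why a \(\boxplus\)-Feistel remains compatible with the odd signature of F.

```python
"""Added example (not the paper's code): signature of a permutation via its
cycle decomposition, checked against Lemma 1 on small two-branch Feistel
Networks.  Round functions are constructed sample tables, not a real cipher's."""


def cycles(perm):
    """Sorted lengths of the cycles of a permutation given as a lookup table."""
    seen = [False] * len(perm)
    lengths = []
    for start in range(len(perm)):
        if not seen[start]:
            length, x = 0, start
            while not seen[x]:
                seen[x] = True
                x = perm[x]
                length += 1
            lengths.append(length)
    return sorted(lengths)


def signature(perm):
    """'even' or 'odd' (Definition 4): a k-cycle is a product of k - 1 transpositions."""
    return "odd" if sum(k - 1 for k in cycles(perm)) % 2 else "even"


def compose(f, g):
    """Lookup table of f o g, i.e. x -> f(g(x))."""
    return [f[g[x]] for x in range(len(g))]


def feistel(round_functions, branch_bits, combine):
    """Lookup table of the 2-branch Feistel Network (L, R) -> (R, combine(L, f(R))),
    one round per function.  The final swap is kept: on branches of >= 2 bits it is
    an even permutation, so it does not change the signature."""
    mask = (1 << branch_bits) - 1
    table = []
    for block in range(1 << (2 * branch_bits)):
        left, right = block >> branch_bits, block & mask
        for f in round_functions:
            left, right = right, combine(left, f[right]) & mask
        table.append((left << branch_bits) | right)
    return table


def xor(u, v):
    return u ^ v


def add(u, v):
    return u + v  # reduced modulo 2^branch_bits inside feistel()


BRANCH_BITS = 4

# Constructed 4-bit round functions (sample data, not taken from any cipher).
F_PSEUDO_RANDOM = [(7 * x * x + 3 * x + 5) & 0xF for x in range(16)]  # all 16 outputs odd
F_ALL_EVEN = [(2 * x + 4) & 0xF for x in range(16)]                   # every output even
F_ONE_ODD = [0] * 16
F_ONE_ODD[3] = 5                                                       # exactly one odd output


def xor_feistel_signature(rounds):
    return signature(feistel(rounds, BRANCH_BITS, xor))


def add_feistel_signature(rounds):
    return signature(feistel(rounds, BRANCH_BITS, add))


if __name__ == "__main__":
    print("XOR Feistel:", xor_feistel_signature([F_PSEUDO_RANDOM, F_ONE_ODD, F_PSEUDO_RANDOM]))
    print("modular-add Feistel, one odd output in total:",
          add_feistel_signature([F_ONE_ODD, F_ALL_EVEN]))
```

The reason behind the \(\boxplus\) rule is visible in the code: for a fixed right branch value R, the map \(L \mapsto L \boxplus f(R)\) on \(2^k\) values is a single \(2^k\)-cycle (odd) when f(R) is odd and splits into shorter cycles (even) otherwise, whereas \(L \mapsto L \oplus f(R)\) is a product of \(2^{k-1}\) transpositions and is always even for \(k \ge 2\).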
The purpose of the algorithms we present in this section can be linked to the more general Functional Decomposition Problem (FDP), tackled notably over two rounds in [33]. In this paper, Faugère et al. introduce a general algorithm capable of decomposing \(h = (h_1,...,h_u)\) into \(\big (f_1(g_1,...,g_n), ..., f_u(g_1,...,g_n) \big )\) where the \(h_i\)’s, \(f_i\)’s and \(g_i\)’s are polynomials in n variables. The time complexity of this algorithm (see Theorem 3 of [33]) is lower bounded by \(\text {O}\big (n^{3 \cdot (d_f d_g - 1)}\big )\) where \(d_f\) (respectively \(d_g\)) is the maximum algebraic degree of the \(f_i\)’s (respectively the \(g_i\)’s). Note that this lower bound on the time complexity is not tight. In fact, the ratio n / u of the number of input variables over the number of coordinates of h is also of importance, the lower the better.
3.1 Iterated Simple Arithmetic Permutation
We introduce BreakArithmetic(s), an optimized tree-search capable of recovering the simple operations used to create an S-Box constructed as an arbitrary sequence of basic processor instructions. It is based on the following observation. Suppose that \(s = \phi _{r} \circ ... \circ \phi _{1}\), where each \(\phi _{i}\) is one of the following algebraic operations: constant XOR, constant addition modulo \(2^{n}\), multiplication by a constant modulo \(2^{n}\) and bit rotation by a constant. Then \(s \circ \phi _{1}^{-1} = \big ( \phi _{r} \circ ... \circ \phi _{1} \big ) \circ \phi _{1}^{-1} = \phi _{r} \circ ... \circ \phi _{2}\), meaning that \(s \circ \phi _{1}^{-1}\) is “less complex”, “closer to the identity”, than s itself. The aim of this algorithm is to peel off the \(\phi _{i}\)’s one after another by performing a tree-search among all possible simple operations which selects the operations to consider first based on how much closer they get us to the identity.
In order for this to work, we need to capture the concept of “distance to the identity” using an actual metric which can be implemented efficiently. We chose to base this metric on the DDT since it is less expensive to compute than the LAT^{3}. We define the following metric: \(M(s) = \sum _{\ell \ge 2}N_{\ell } (\ell - 2)^{2}\). Our tree-search privileges candidates \(\phi _{1}\) such that \(M(s \circ \phi _{1}^{-1})\) is closer to \(M(\text {Id})\), where \(\text {Id}\) is the identity function.
Our implementation of this algorithm is for example capable of recovering the decomposition of \(s : x \mapsto \psi \big ( \psi \big ( \psi (x) \big ) \big )\) with \(\psi : x \mapsto 0xa7 \cdot \big ( (3 \cdot x \oplus 0x53) >>> 4 \big ) \oplus 0x8b\). However, our algorithm could not find any such decomposition for Skipjack’s F despite running for 96 hours on a CUDA computer with more than 1000 cores for fast computation of the DDT.
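Added example (not the authors' implementation): a 4-bit toy version of BreakArithmetic. The candidate operations are constant XOR, constant addition, multiplication by an odd constant and rotation; a depth-limited tree-search peels them off, trying first the candidates whose metric \(M(s \circ \phi^{-1})\) is closest to \(M(\text{Id})\), and iterative deepening reports the shortest decomposition found. The target S-Box, the operation set and the 4-bit size are assumptions of this example; the paper's 8-bit search is the same idea at a much larger scale.

```python
"""Added example (not the authors' code): toy BreakArithmetic on a 4-bit S-Box.
Candidate operations and the target S-Box are constructed here."""

N = 4
SIZE = 1 << N
MASK = SIZE - 1
IDENTITY = list(range(SIZE))


def ddt(s):
    """d[a][b] = #{x : s(x xor a) xor s(x) = b}."""
    t = [[0] * SIZE for _ in range(SIZE)]
    for x in range(SIZE):
        for a in range(SIZE):
            t[a][s[x ^ a] ^ s[x]] += 1
    return t


def metric(s):
    """M(s) = sum over DDT entries l >= 2 of (l - 2)^2, as defined in Sect. 3.1."""
    return sum((v - 2) ** 2 for row in ddt(s) for v in row if v >= 2)


M_ID = metric(IDENTITY)


def candidate_ops():
    """(name, forward map, inverse map) for every non-trivial simple operation."""
    ops = []
    for c in range(1, SIZE):
        ops.append((f"xor {c}", lambda x, c=c: x ^ c, lambda y, c=c: y ^ c))
        ops.append((f"add {c}", lambda x, c=c: (x + c) & MASK, lambda y, c=c: (y - c) & MASK))
    for c in range(3, SIZE, 2):
        d = pow(c, -1, SIZE)  # odd constants are invertible modulo 2^N
        ops.append((f"mul {c}", lambda x, c=c: (x * c) & MASK, lambda y, d=d: (y * d) & MASK))
    for r in range(1, N):
        ops.append((f"rotl {r}",
                    lambda x, r=r: ((x << r) | (x >> (N - r))) & MASK,
                    lambda y, r=r: ((y >> r) | (y << (N - r))) & MASK))
    return ops


OPS = candidate_ops()


def peel(s, depth):
    """Return [phi_1, ..., phi_r] as (name, map) pairs with s = phi_r o ... o phi_1
    and r <= depth, or None.  Children s o phi^-1 are explored most identity-like first."""
    if s == IDENTITY:
        return []
    if depth == 0:
        return None
    children = [(name, fn, [s[inv(y)] for y in range(SIZE)]) for name, fn, inv in OPS]
    if depth > 1:  # ordering only matters when there is a subtree left to explore
        children.sort(key=lambda child: abs(metric(child[2]) - M_ID))
    for name, fn, rest_table in children:
        rest = peel(rest_table, depth - 1)
        if rest is not None:
            return [(name, fn)] + rest
    return None


def decompose(s, max_depth=3):
    """Iterative deepening, so the shortest decomposition is reported."""
    for depth in range(1, max_depth + 1):
        found = peel(s, depth)
        if found is not None:
            return found
    return None


def compose(ops):
    """Lookup table of phi_r o ... o phi_1 for ops = [phi_1, ..., phi_r]."""
    table = list(IDENTITY)
    for _, fn in ops:
        table = [fn(v) for v in table]
    return table


# Constructed target: s = add 5 o mul 7 o xor 9, i.e. s(x) = (7 * (x xor 9) + 5) mod 16.
TARGET = [((7 * (x ^ 9)) + 5) & MASK for x in range(SIZE)]

if __name__ == "__main__":
    print(" then ".join(name for name, _ in decompose(TARGET)))
```

Because the search is exhaustive up to the depth limit, the metric only affects the order in which branches are visited; the observation of footnote 3 is visible here as well, since composing the target with a constant XOR leaves its metric unchanged.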
3.2 Decomposing Feistel Structures
Another possible structure for F which is compatible with its having an odd signature is a Feistel Network where the XOR is replaced by a modular addition. In this section, we describe an algorithm which uses a SAT-solver to recover the Feistel functions of small Feistel Networks which use either XOR or modular addition. We describe below the key idea of this attack, namely the encoding of the truth table of each Feistel function using Boolean variables, and then how we can use this encoding to actually decompose a small Feistel Network.
Methods to distinguish Feistel Networks from random permutations have been actively investigated, notably in the work by Luby and Rackoff [34] as well as by Patarin [35, 36]. Here, we present a method which goes beyond distinguishing: it actually recovers all the Feistel functions of Feistel Networks of up to 5 rounds with low branch width.
The variables used to encode an unknown function \(f : \{ 0,1 \}^{3} \rightarrow \{ 0,1 \}^{3}\), where \((y_{2},y_{1},y_{0}) = f(x_{2},x_{1},x_{0})\).
\(x_{2}\)   \(x_{1}\)   \(x_{0}\)   \(y_{2}\)       \(y_{1}\)       \(y_{0}\)
0           0           0           \(z^0_{2}\)     \(z^0_{1}\)     \(z^0_{0}\)
0           0           1           \(z^1_{2}\)     \(z^1_{1}\)     \(z^1_{0}\)
...         ...         ...         ...             ...             ...
1           1           1           \(z^7_{2}\)     \(z^7_{1}\)     \(z^7_{0}\)
A useful heuristic when trying to decompose more than 4 rounds is to look for decompositions with particular patterns in the sequence of the Feistel functions. For instance, decomposing a 5-round Feistel Network with round functions \((S_{a},S_{b},S_{c},S_{d},S_{a})\) is easier than decomposing a similar structure with round functions \((S_{a},S_{b},S_{c},S_{d},S_{e})\) if this knowledge is hard-coded in the CNF by using the same set of variables to encode both \(S_{e}\) and \(S_{a}\). In this case, DecomposeFeistel\((S,R,\text {operation})\) also takes the assumed sequence of the S-Boxes as an additional input.
Another improvement comes from the observation that constants can be XORed (or added/subtracted) into the input of the Feistel functions in the first \(R-2\) rounds, provided they are cancelled by XORing (or adding/subtracting) in the later rounds, without changing the output of the function. Using this, we can arbitrarily decide that the first Feistel functions all map, say, 0 to 0. This simplification of the CNF helps the SAT-solver a lot and is actually necessary to attack 5 independent rounds.
We implemented Algorithm 2 and used the SAT-solver Minisat [37] to solve the generated CNF formula. The time taken to decompose S-Boxes actually made of small Feistel Networks is smaller than the time taken to discard an S-Box which is not based on such a structure. Decomposing \(8 \times 8\) S-Boxes built using 4-round Feistel Networks, regardless of whether \(\oplus \) or \(\boxplus \) is used, takes less than a second on a regular desktop PC^{5}, and discarding S-Boxes built in other ways requires about 5 seconds. Decomposing 5 rounds requires a bit less than a minute, but discarding this structure takes longer: for instance 3 min to prove that F is not a 5-round \(\oplus \)-Feistel and 23 min to show that it is not a 5-round \(\boxplus \)-Feistel. It is also possible to attack larger instances provided enough RAM is available. A 4-round Feistel Network corresponding to a \(14 \times 14\) S-Box can be broken in about 2 hours using up to about 38 GB of RAM^{6}.
The CNF formulas equivalent to F being a Feistel Network with 3, 4 or 5 rounds, using either \(\oplus \) or \(\boxplus \), are all unsatisfiable, meaning that F is not a Feistel Network with at most 5 rounds.
For the sake of completeness, we mention the existence of another time-efficient attack on 5-round Feistel Networks by Gaëtan Leurent based on a boomerang-like property [38]. Indeed, one of the open problems is how far cryptanalytic techniques can go in the analysis of ciphers with small blocks, where the full codebook is available to the attacker.
4 From an S-Box to a Picture and Back Again
In order to distinguish an S-Box from a random one we propose a new method which we call Pollock’s Pattern Recognition^{7}. It is based on turning the DDT and the LAT of the S-Box into a picture and then using the natural pattern-finding power of the human eye to identify non-random properties. We also describe a method to perform (partially) the inverse operation: Seurat’s Steganography^{8}. It creates an S-Box such that an image is embedded in the picture representation of its DDT.
4.1 Pollock’s Pattern Recognition
As is clear from Sect. 2, the distribution of the coefficients in the LAT of an S-Box provides a powerful tool to distinguish a random-looking S-Box from a permutation chosen uniformly at random from the set of all permutations. We suggest here another method for looking at these coefficients, which can also be applied to the DDT. The idea is to look at the whole table at once, be it a DDT or a LAT, and then rely on the pattern matching capabilities of the pair human eye/human brain to possibly discard the hypothesis that the S-Box was chosen uniformly at random. In order to look at the whole table, we associate different colors to the values of the coefficients. Exactly which color scale to use is a question which can only be answered by trying different ones. As an illustration of the power of this method, we provide in Appendix B pictures allowing us to discard the randomness of 4 S-Boxes with merely a quick glance.

Zorro. The S-Box of this cipher [9] is based on a 4-round Feistel Network with a complex diffusion layer. As a consequence, the algorithm presented in Sect. 3.2 fails on it. The picture representation of its LAT, given in Fig. 4a, contains “stripes”. These correspond to coefficients equal to 6 (orange) and 2 (green). These never appear for half of the input masks, according to a repeating pattern. Such a behaviour is not expected from a random permutation. The color scheme was chosen so as to highlight this property. We note that the congruence modulo \(2^k\) for some k of the coefficients of the LAT is related to the algebraic degree of \(i \cdot x \oplus j \cdot S(x)\), as explained for example in [39] (Proposition 6.1).
CLEFIA. This block cipher [40] uses two distinct S-Boxes. The one denoted \(S_{0}\) has a particular structure based on smaller \(4 \times 4\) S-Boxes. The LAT of this S-Box is given in Fig. 4b: note the “dents” on the top and left side of the picture as well as the low number of colors compared to Fig. 4c, which also depicts a LAT and uses the same color scale. This low number of colors is a consequence of the fact that no coefficient in the LAT is congruent to 2 modulo 4, which in turn is related to this S-Box having an algebraic degree equal to 6 on all of its coordinates. Neither this nor the “dents” are expected from a random permutation.
SAFER+. This block cipher [41] uses an S-Box based on exponentiation in \(\mathbb {Z}/256\mathbb {Z}\). Its LAT is given in Fig. 4c; note in particular the vertical lines which appear in this representation.
Arithmetic. The DDT can also be used in the same fashion. For example, we can look at the DDT of an S-Box generated using a simple algebraic expression similar to those discussed in Sect. 3.1, namely \(s : x \mapsto \psi \big ( \psi (x) \big )\) with \(\psi : x \mapsto 3 \cdot \big ( (3 \cdot x \oplus 0x53) >>> 4 \big ) \oplus 0x8b\). The representation of its DDT is in Fig. 4d. Note the white rectangles corresponding to subsets of impossible differentials and the loose similarity between the top left and bottom right quadrants on one hand and the top right and bottom left quadrants on the other hand. None of these characteristics are expected from the DDT of a random permutation. Note that with 3 iterations of \(\psi \) this S-Box becomes reasonably good.
We were, however, not able to spot any particular pattern in the Pollock representation of either the DDT or the LAT of Skipjack’s F. Such representations are given respectively in Figs. 3a and 3b in Appendix B. We used the function matrix_plot from the SAGE [42] software package to draw the Pollock representations.
4.2 Seurat’s Steganography
In this section, we present an algorithm allowing the creation of a non-bijective S-Box such that the picture representation of its DDT contains a particular image. Since we draw this image dot after dot, as in pointillism, and since it hides said image, we call the method we present below Seurat’s Steganography. The pictures we embed are black and white, the white parts corresponding to places where differentials are impossible and the black parts to places where the differentials have non-zero probability.
The Algorithm. We define white and black equations as those giving the corresponding pixel color in the Pollock representation of the DDT of an S-Box.

White Equations. \(W_{a,b} : \forall x \in \{ 0,1 \}^m, ~ S(x+a) + S(x) \ne b\).
Black Equations. \(B_{a,b} : \exists x \in \{ 0,1 \}^m, ~ S(x+a) + S(x) = b\).
Inputs of the algorithm:
- B: the complete list of the black equations.
- \({T}_{w}\): a table of booleans of size \(u \times v\) (the dimensions of the image) where \(T_w[a,b]\) is false if and only if the pixel at (a, b) cannot be white.
- S: a partially unspecified S-Box such that all equations \(B_j\) for \(j < i\) hold and such that none of the \(W_j\) has a solution for any j.
- i: the index of the equation in B for which we need to find a solution.
Some optimizations are possible. First of all, it is not necessary to write this algorithm using recursion. It is also not necessary to let L be as large as possible. In fact \(|L| \le 2\) is sufficient, although \(|L| = 1\) does not work unless the picture is very simple. It is also possible to allow some noise by tweaking \(\text {CheckW}(S,x,y,T_w)\) to return true with low probability for pairs (x, y) even if they blacken a white pixel.
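The program below is an added example, not the authors' code, covering both Seurat's Steganography and the Pollock representation of Sect. 4.1. It embeds a constructed 8 x 8 black-and-white picture in rows a = 1..8 and columns b = 0..7 of the DDT of an 8-bit S-Box: the black equations are satisfied one after another on a partially specified S-Box, a CheckW function refuses any value that would give a white equation a solution, the remaining entries are filled under the same check (which yields a non-bijective S-Box), and the resulting DDT is written out as a greyscale PGM image. Picture, placement and grey scale are choices of this example.

```python
"""Added example (not the authors' code): a small Seurat's Steganography plus a
Pollock rendering of the DDT as a PGM image.  Picture and placement are constructed."""
N = 8
SIZE = 1 << N

IMAGE = [  # constructed picture: '#' = black pixel (d_{a,b} > 0), '.' = white (d_{a,b} = 0)
    "..####..",
    ".#....#.",
    ".#......",
    "..####..",
    "......#.",
    ".#....#.",
    "..####..",
    "........",
]


def equations(image, first_row=1):
    """Split the picture into white equations W_{a,b} and black equations B_{a,b}.
    Row a = 0 of any DDT is fixed, so the picture is placed from a = first_row on."""
    whites, blacks = [], []
    for r, line in enumerate(image):
        for b, pixel in enumerate(line):
            (blacks if pixel == "#" else whites).append((r + first_row, b))
    return whites, blacks


def check_w(S, x, v, whites):
    """CheckW: can S(x) be set to v without giving any white equation a solution?"""
    for a, b in whites:
        partner = S[x ^ a]
        if partner is not None and partner ^ v == b:
            return False
    return True


def seurat(image):
    """S-Box whose DDT shows the picture, or None if the greedy pass gets stuck."""
    whites, blacks = equations(image)
    S = [None] * SIZE
    for a, b in blacks:  # black equation B_{a,b}: need some x with S(x xor a) xor S(x) = b
        solved = False
        for x in range(SIZE):
            y = x ^ a
            if S[x] is not None and S[y] is not None:
                solved = S[x] ^ S[y] == b
            elif S[x] is None and S[y] is None:
                for v in range(SIZE):
                    if check_w(S, x, v, whites):
                        S[x] = v
                        if check_w(S, y, v ^ b, whites):
                            S[y] = v ^ b
                            solved = True
                            break
                        S[x] = None
            else:
                known, free = (x, y) if S[x] is not None else (y, x)
                if check_w(S, free, S[known] ^ b, whites):
                    S[free] = S[known] ^ b
                    solved = True
            if solved:
                break
        if not solved:
            return None
    for x in range(SIZE):  # fill the unspecified entries; every choice is still checked
        if S[x] is None:
            S[x] = next(v for v in range(SIZE) if check_w(S, x, v, whites))
    return S


def ddt(s):
    """d[a][b] = #{x : s(x xor a) xor s(x) = b}."""
    t = [[0] * SIZE for _ in range(SIZE)]
    for x in range(SIZE):
        for a in range(SIZE):
            t[a][s[x ^ a] ^ s[x]] += 1
    return t


def shade(coefficient):
    """Grey level of a DDT entry: 0 is white, larger entries get darker."""
    return 255 if coefficient == 0 else max(0, 255 - 16 * coefficient)


def pollock_pgm(table):
    """Binary PGM (P5) of a SIZE x SIZE table, one pixel per entry."""
    header = f"P5\n{SIZE} {SIZE}\n255\n".encode()
    return header + bytes(shade(v) for row in table for v in row)


if __name__ == "__main__":
    sbox = seurat(IMAGE)
    if sbox is not None:
        with open("seurat_ddt.pgm", "wb") as out:
            out.write(pollock_pgm(ddt(sbox)))
```

Every value written into S is checked against all white equations at the moment it is fixed and never changed afterwards, so once a black equation has its pair of entries it stays satisfied and no white pixel can be blackened later; with only a few dozen white equations at most a few dozen values are forbidden for any entry, which is why the greedy pass cannot get stuck on a picture of this size.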
Two outputs of this algorithm are presented in Appendix C: the S-Boxes are given along with the Pollock representation of their DDT, which clearly shows the pictures we chose to embed in them. The differential and linear properties of the S-Box described in Table 6 are close to what would be expected from a random function (differential uniformity of 14, linearity of 39), meaning that it could be used in a context where an \(8 \times 8\) random function would be sufficient.
Since our algorithm does not require the pixels to be organised inside a square, we can also use it to force white or black pixels to appear anywhere in the DDT of an S-Box. This could be used to place a sort of trapdoor, for instance by ensuring that a truncated differential compatible with the general structure of a cipher is present. Another possible use could be to “sign” an S-Box: Alice would agree with Bob to generate an S-Box for him and tell him beforehand where some black/white pixels will be. Bob can then check that those are placed as agreed.
5 Conclusion
Knowledge of the internal structure of an S-Box gives clear advantages to the designer of a cipher in terms of efficient or side-channel resistant implementation. It is also crucial in the white-box or cryptocurrency setting. Hiding the S-Box’s structure can also be a way to hide superior cryptanalysis techniques or trapdoors.
In this paper we have introduced several approaches and algorithms to decompose an S-Box with unknown structure, and we illustrated them by studying the S-Box of the NSA’s block cipher Skipjack. This allowed us to rule out some possible structures, and to prove that its linear properties are too unlikely to have happened at random. We also provided an algorithm capable of generating very similar S-Boxes (Table 5).
An open problem related to this work is the study of block ciphers with small block sizes: how far can cryptanalysis go given a whole codebook? How many rounds of a small-block Feistel Network or SPN is it feasible to break?
Footnotes
1. The fact that Browning works at the NSA shows that this agency values theoretical considerations, which makes the simplicity of F all the stranger.
2. An anonymous member of sci.crypt posted what they claimed to be Skipjack at a time when this algorithm was still classified [25]. Although the algorithm described, “S1”, turned out to be different from Skipjack as we know it, it used similar notations — the S-Box is called “F-Table” — and the key schedule leads to identical round keys being used every 5 rounds, just like in the actual Skipjack.
3. One can also notice that linear operations do not alter the DDT profile of the permutation, and thus one has to recompute the metric only after non-linear operations.
4. A formula in Conjunctive Normal Form is the conjunction of multiple clauses, each of them being the disjunction of some possibly negated variables.
5. The PC used for the experiments has an Intel(R) Core(TM) i7-3770 CPU (3.40 GHz) and 8 Go of RAM.
6. This experiment was performed on a single core of a dedicated server with 500 Go of RAM.
7. The pictures obtained in this fashion have a strong abstract feel to them, hence a name referring to the painter Jackson Pollock for this algorithm.
8. As will be explained later, this algorithm works by drawing the image to embed point after point, just like in a pointillist painting, hence the name of the painter who invented this method.
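Footnote 3 states that linear operations leave the DDT profile unchanged, so the search metric only needs recomputing after a non-linear step. The following is an added example, not code from the paper, checking this on a constructed 3-bit S-Box: composing it with a constructed affine bijection (on either side) keeps the multiset of DDT entries, while a non-linear change (swapping two outputs) does not. The toy tables, the affine map and the function names are this example's own.

```python
from collections import Counter
from typing import List

def ddt_profile(sbox: List[int]) -> Counter:
    """Multiset of DDT entries (zeros included) over all non-trivial input
    differences a != 0. Composing the S-Box with an affine bijection only
    permutes rows (input side) or columns (output side) of the DDT, so this
    multiset is invariant under such steps."""
    n = len(sbox)
    profile: Counter = Counter()
    for a in range(1, n):
        row = Counter(sbox[x] ^ sbox[x ^ a] for x in range(n))
        profile.update(row[b] for b in range(n))  # row[b] is 0 for absent b
    return profile

def affine_map(x: int) -> int:
    """Constructed invertible affine map on 3 bits: the linear part sends
    (x2, x1, x0) to (x2 ^ x1, x1 ^ x0, x0) (lower-triangular with unit
    diagonal, hence invertible); the constant 5 is then XORed in."""
    return (x ^ ((x << 1) & 7)) ^ 5

def compose(outer: List[int], inner: List[int]) -> List[int]:
    """Lookup table of x -> outer[inner[x]]."""
    return [outer[inner[x]] for x in range(len(inner))]

def swap_entries(sbox: List[int], i: int, j: int) -> List[int]:
    """A non-linear modification: transpose two outputs of the table."""
    out = list(sbox)
    out[i], out[j] = out[j], out[i]
    return out

# Constructed 3-bit toy S-Box (not Skipjack's F); its DDT was worked out by hand
# and is APN: every non-trivial row holds four 2s and four 0s.
TOY_SBOX = [0, 1, 3, 6, 7, 4, 5, 2]
AFFINE = [affine_map(x) for x in range(8)]

def profile_invariant_under_affine(sbox: List[int]) -> bool:
    """True if applying AFFINE after the S-Box and before the S-Box both
    leave the DDT profile unchanged."""
    base = ddt_profile(sbox)
    return (ddt_profile(compose(AFFINE, sbox)) == base
            and ddt_profile(compose(sbox, AFFINE)) == base)

if __name__ == "__main__":
    print("profile:", dict(ddt_profile(TOY_SBOX)))
    print("invariant under affine maps:", profile_invariant_under_affine(TOY_SBOX))
    print("after swapping two entries:", dict(ddt_profile(swap_entries(TOY_SBOX, 0, 1))))
```

In a search that alternates affine and non-linear modifications of a permutation, this is exactly why the metric derived from the DDT can be cached across the affine steps.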
Acknowledgement
We thank the CRYPTO reviewers for their helpful comments. We also thank Anne Canteaut for pointing out the connection between algebraic degree and congruence of the coefficient of the LAT modulo \(2^k\). The work of Léo Perrin is supported by the CORE ACRYPT project (ID C12154009992) funded by the Fonds National de la Recherche (Luxembourg).
References
1. Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. J. Cryptology 4(1), 3–72 (1991)
2. Nyberg, K.: Differentially uniform mappings for cryptography. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 55–64. Springer, Heidelberg (1994)
3. Blondeau, C., Nyberg, K.: Perfect nonlinear functions and cryptography. Finite Fields Appl. 32, 120–147 (2015). Special Issue: Second Decade of FFA
4. Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994)
5. Nyberg, K.: Linear approximation of block ciphers. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 439–444. Springer, Heidelberg (1995)
6. Barreto, P., Rijmen, V.: The Whirlpool hashing function. In: First open NESSIE Workshop, Leuven, Belgium, vol. 13, p. 14 (2000)
7. Barreto, P., Rijmen, V.: The Khazad legacy-level block cipher. Primitive submitted to NESSIE 97 (2000)
8. Grosso, V., Leurent, G., Standaert, F.X., Varıcı, K.: LS-Designs: bitslice encryption for efficient masked software implementations. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 18–37. Springer, Heidelberg (2015)
9. Gérard, B., Grosso, V., Naya-Plasencia, M., Standaert, F.X.: Block ciphers that are easier to mask: how far can we go? In: Bertoni, G., Coron, J.S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 383–399. Springer, Heidelberg (2013)
10. Daemen, J., Rijmen, V.: The Design of Rijndael: AES, the Advanced Encryption Standard. Springer, Heidelberg (2002)
11. Biryukov, A., Bouillaguet, C., Khovratovich, D.: Cryptographic schemes based on the ASASA structure: black-box, white-box, and public-key (extended abstract). In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 63–84. Springer, Heidelberg (2014)
12. U.S. Department of Commerce/National Institute of Standards and Technology: Data Encryption Standard. Federal Information Processing Standards Publication (1999)
13. National Security Agency: SKIPJACK and KEA Algorithm Specifications (1998)
14. Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., Wingers, L.: The SIMON and SPECK families of lightweight block ciphers. IACR Cryptology ePrint Archive 2013, 404 (2013)
15. Coppersmith, D.: The Data Encryption Standard (DES) and its strength against attacks. IBM J. Res. Dev. 38(3), 243–250 (1994)
16. Biryukov, A., Shamir, A.: Structural cryptanalysis of SASAS. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 394–405. Springer, Heidelberg (2001)
17. Patarin, J.: Luby-Rackoff: 7 rounds are enough for \(2^{n(1-\epsilon)}\) security. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 513–529. Springer, Heidelberg (2003)
18. Biham, E., Biryukov, A., Shamir, A.: Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials. J. Cryptology 18(4), 291–311 (2005)
19. Knudsen, L.R., Robshaw, M., Wagner, D.: Truncated differentials and Skipjack. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 165–180. Springer, Heidelberg (1999)
20. Knudsen, L., Wagner, D.: On the structure of Skipjack. Discrete Appl. Math. 111(1), 103–116 (2001)
21. Browning, K., Dillon, J., McQuistan, M., Wolfe, A.: An APN permutation in dimension six. Finite Fields: Theory Appl. 518, 33–42 (2010)
22. Daemen, J., Rijmen, V.: Probability distributions of correlation and differentials in block ciphers. J. Math. Cryptology 1(3), 221–242 (2007)
23. O’Connor, L.: Properties of linear approximation tables. In: Preneel, B. (ed.) FSE 1995. LNCS, vol. 1008, pp. 131–136. Springer, Heidelberg (1995)
24. Brickell, E.F., Denning, D.E., Kent, S.T., Maher, D.P., Tuchman, W.: Skipjack review: Interim report (1993)
25. Anonymous: This looks like it might be interesting. sci.crypt (Usenet), August 1995. https://groups.google.com/forum/#!msg/sci.crypt/vLtuBDoqPfc/jm6MshFbomgJ
26. Schneier, B.: The S1 Algorithm. Mail to the cypherpunks mailing list (1995). http://cypherpunks.venona.com/date/1995/09/msg00315.html
27. Gilbert, H., Chassé, G.: A statistical attack of the FEAL-8 cryptosystem. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 22–33. Springer, Heidelberg (1991)
28. Tardy-Corfdir, A., Gilbert, H.: A known plaintext attack of FEAL-4 and FEAL-6. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 172–182. Springer, Heidelberg (1992)
29. Matsui, M., Yamagishi, A.: A new method for known plaintext attack of FEAL cipher. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 81–91. Springer, Heidelberg (1993)
30. Patarin, J.: Generic attacks on Feistel schemes. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 222–238. Springer, Heidelberg (2001)
31. Wernsdorf, R.: The round functions of RIJNDAEL generate the alternating group. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 143–148. Springer, Heidelberg (2002)
32. Blondeau, C., Canteaut, A., Charpin, P.: Differential properties of power functions. Int. J. Inf. Coding Theory 1(2), 149–170 (2010)
33. Faugère, J.-C., Perret, L.: An efficient algorithm for decomposing multivariate polynomials and its applications to cryptography. J. Symbolic Comput. 44(12), 1676–1689 (2009)
34. Luby, M., Rackoff, C.: How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Comput. 17(2), 373–386 (1988)
35. Patarin, J.: New results on pseudorandom permutation generators based on the DES scheme. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 301–312. Springer, Heidelberg (1992)
36. Patarin, J.: Security of random Feistel schemes with 5 or more rounds. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 106–122. Springer, Heidelberg (2004)
37. Een, N., Sörensson, N.: MiniSat: a SAT solver with conflict-clause minimization. SAT 5 (2005)
38. Biryukov, A., Leurent, G., Perrin, L.: ESC 2015 S-Box Reverse-Engineering Challenge. In: Early Symmetric Crypto, ESC 2015, pp. 104–107 (2015)
39. Canteaut, A.: Analyse et Conception de Chiffrements à Clef Secrète. Habilitation à diriger des recherches, Institut National de Recherche en Informatique et Automatique, Rocquencourt, September 2006
40. Shirai, T., Shibutani, K., Akishita, T., Moriai, S., Iwata, T.: The 128-bit blockcipher CLEFIA (extended abstract). In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 181–195. Springer, Heidelberg (2007)
41. Massey, J.L.: SAFER K-64: a byte-oriented block-ciphering algorithm. In: Anderson, R. (ed.) FSE 1993. LNCS, vol. 809, pp. 1–17. Springer, Heidelberg (1994)
42. Stein, W., et al.: Sage Mathematics Software (Version 5.10). The Sage Development Team (2013). http://www.sagemath.org