Proving Resistance Against Invariant Attacks: How to Choose the Round Constants

Many lightweight block ciphers apply a very simple key schedule in which the round keys only differ by addition of a round-specific constant. Generally, there is not much theory on how to choose appropriate constants. In fact, several of those schemes were recently broken using invariant attacks, i.e., invariant subspace or nonlinear invariant attacks. This work analyzes the resistance of such ciphers against invariant attacks and reveals the precise mathematical properties that render those attacks applicable. As a first practical consequence, we prove that some ciphers including Prince, Skinny-64 and Mantis 7 are not vulnerable to invariant attacks. Also, we show that the invariant factors of the linear layer have a major impact on the resistance against those attacks. Most notably, if the number of invariant factors of the linear layer is small (e.g., if its minimal polynomial has a high degree), we can easily find round constants which guarantee the resistance to all types of invariant attacks, independently of the choice of the S-box layer. We also explain how to construct optimal round constants for a given, but arbitrary, linear layer.
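The abstract does not spell out the property it refers to, so here it is, followed by an added worked example that is not part of the paper or any cipher's code. The criterion the paper proves is: let D be the set of differences c_i + c_j of the round constants and W_L(D) the smallest L-invariant subspace of F_2^n containing D; if W_L(D) is the whole space, every invariant g of the round functions has all of F_2^n as linear structures, so g is affine and no nonlinear invariant (and no invariant subspace in the sense of the attacks above) exists, whatever the S-box layer. Because W_L(D) is the F_2[L]-submodule generated by D, the minimum number of differences that can generate F_2^n equals the number of invariant factors of L, which is why a linear layer with a high-degree minimal polynomial (few invariant factors) is easy to protect. The code below, written for this page, builds constructed toy linear layers (companion matrices of x^8+x^4+x^3+x^2+1 and x^4+x+1, the identity, and a block-diagonal layer with two invariant factors), computes the degree of the minimal polynomial of L and dim W_L(D) for a set of round constants, and reports whether the criterion holds. Matrices over F_2 are lists of row bitmasks and vectors are ints (bit j = coordinate j); all names are this example's own.

```python
"""Added example: checking round constants against the W_L(D) criterion on
constructed toy linear layers. Not the paper's code; the cipher-independent
criterion (dim W_L(D) == n rules out nonlinear invariants) is the paper's."""


def apply(L, v):
    """Compute L*v over F_2: bit i of the result is the parity of (row_i AND v)."""
    return sum(((bin(row & v).count("1") & 1) << i) for i, row in enumerate(L))


def matmul(A, B):
    """Row-wise product A*B over F_2: row i of AB is the XOR of the rows j of B
    for which bit j of row i of A is set."""
    out = []
    for row in A:
        acc, j = 0, 0
        while row:
            if row & 1:
                acc ^= B[j]
            row >>= 1
            j += 1
        out.append(acc)
    return out


def identity(n):
    return [1 << i for i in range(n)]


def flatten(M):
    """Pack an n x n matrix into one n*n-bit int so matrices can be treated as vectors."""
    n = len(M)
    return sum(row << (i * n) for i, row in enumerate(M))


class Span:
    """Incremental row reduction over F_2, keyed by leading bit."""

    def __init__(self):
        self.basis = {}

    def insert(self, v):
        """Reduce v against the basis; return True if it was linearly independent."""
        while v:
            h = v.bit_length() - 1
            if h in self.basis:
                v ^= self.basis[h]
            else:
                self.basis[h] = v
                return True
        return False

    def dim(self):
        return len(self.basis)


def multiply_by_x(poly, n):
    """Companion matrix of a degree-n polynomial over F_2: v -> x*v mod poly,
    with bit j of v holding the coefficient of x^j (constructed toy layer)."""
    rows = []
    for i in range(n):
        row = (1 << (i - 1)) if i else 0           # coefficient shifts up one degree
        if (poly >> i) & 1:
            row |= 1 << (n - 1)                    # reduction of x^n feeds back into bit i
        rows.append(row)
    return rows


def block_diag(A, B):
    """Block-diagonal layer: two independent sub-layers acting on disjoint halves."""
    return list(A) + [row << len(A) for row in B]


def minpoly_degree(L):
    """Degree of the minimal polynomial of L: the first k with L^k in span{I, ..., L^(k-1)}."""
    span, P, deg = Span(), identity(len(L)), 0
    while span.insert(flatten(P)):
        deg += 1
        P = matmul(L, P)
    return deg


def invariant_subspace_dim(L, constants):
    """dim W_L(D) for D = {c_i + c_j}: the span of L^k d over all d in D and k < n
    (powers beyond n-1 add nothing by Cayley-Hamilton)."""
    n = len(L)
    diffs = {a ^ b for a in constants for b in constants} - {0}
    span = Span()
    for d in diffs:
        v = d
        for _ in range(n):
            span.insert(v)
            v = apply(L, v)
    return span.dim()


def resists(L, constants):
    """True when the constants exclude every nonlinear invariant for any S-box layer."""
    return invariant_subspace_dim(L, constants) == len(L)


if __name__ == "__main__":
    L8 = multiply_by_x(0x11D, 8)                   # x^8+x^4+x^3+x^2+1, one invariant factor
    L4 = multiply_by_x(0x13, 4)                    # x^4+x+1
    L44 = block_diag(L4, L4)                       # two invariant factors, minpoly degree 4
    for name, L, consts in [("companion-8", L8, [0x00, 0x01]),
                            ("identity-8", identity(8), [0, 1, 2]),
                            ("two blocks", L44, [0x00, 0x11]),
                            ("two blocks", L44, [0x00, 0x01, 0x10])]:
        print(name, "deg minpoly =", minpoly_degree(L), "dim W_L(D) =",
              invariant_subspace_dim(L, consts), "resists:", resists(L, consts))
```

The two-block layer shows the invariant-factor effect: a single difference 0x11 touches both halves yet only generates a 4-dimensional submodule, while two differences, one per half, generate the full space, matching the minimum of two generators for a layer with two invariant factors.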
