Choosing Round Constants in Lightweight Block Ciphers and Cryptographic Permutations

Size: px

Start display at page:

Download "Choosing Round Constants in Lightweight Block Ciphers and Cryptographic Permutations"

Claud Greene
5 years ago
Views:

(joint work with Anne Canteaut, Gregor Leander, and Yann Rotella) October,

1 Choosing Round Constants in Lightweight Block Ciphers and Cryptographic Permutations Christof Beierle SnT, University of Luxembourg, Luxembourg (joint work with Anne Canteaut, Gregor Leander, and Yann Rotella) October, 10, 2018 Christof Beierle On Choosing Round Constants October, 10, / 34

2 Block Cipher vs. Cryptographic Permutation k x E y E: F n 2 F κ 2 F n 2, (x, k) E k (x) = y Christof Beierle On Choosing Round Constants October, 10, / 34

3 Block Cipher vs. Cryptographic Permutation k F 0 x E y x E y E: F n 2 F κ 2 F n 2, (x, k) E k (x) = y F : F n 2 F n 2, x E 0 (x) = y Special Case A cryptographic permutation can be seen as a block cipher with a fixed key! Christof Beierle On Choosing Round Constants October, 10, / 34

4 Why Round Constants are Needed Avoiding to use always the same round ( slide attacks) Avoiding symmetries Christof Beierle On Choosing Round Constants October, 10, / 34

5 Why Round Constants are Needed Avoiding to use always the same round ( slide attacks) Avoiding symmetries Example: NORX [Aumasson, Jovanovic, Neves 2014] If the input to the NORX permutation is in the set a a a a b b b b S = c c c c a, b, c, d Fw 2, d d d d the output also is in S. Christof Beierle On Choosing Round Constants October, 10, / 34

6 Basic Definitions Definition: Invariant Set Let F : F n 2 Fn 2 be a permutation. We say that S Fn 2 under F if F (S) = S or F (S) = F n 2 \ S. is an invariant set Christof Beierle On Choosing Round Constants October, 10, / 34

7 Basic Definitions Definition: Invariant Set Let F : F n 2 Fn 2 be a permutation. We say that S Fn 2 under F if F (S) = S or F (S) = F n 2 \ S. is an invariant set F S S F 1 F n 2 F n 2 Christof Beierle On Choosing Round Constants October, 10, / 34

8 Basic Definitions Definition: Invariant Set Let F : F n 2 Fn 2 be a permutation. We say that S Fn 2 under F if F (S) = S or F (S) = F n 2 \ S. F is an invariant set F S S S S F 1 F n 2 F n 2 F 1 F n 2 F n 2 Christof Beierle On Choosing Round Constants October, 10, / 34

9 Basic Definitions Definition: Invariant Set Let F : F n 2 Fn 2 be a permutation. We say that S Fn 2 under F if F (S) = S or F (S) = F n 2 \ S. F is an invariant set F S S S S F 1 F n 2 F n 2 F 1 F n 2 F n 2 Equivalently: Let g be the Boolean function defined by g(x) := 1 iff x S. Then, x F n 2 : g(f (x)) = g(x) or x F n 2 : g(f (x)) = g(x) + 1. Christof Beierle On Choosing Round Constants October, 10, / 34

10 Basic Definitions Definition: Invariant Set Let F : F n 2 Fn 2 be a permutation. We say that S Fn 2 under F if F (S) = S or F (S) = F n 2 \ S. F is an invariant set F S S S S F 1 F n 2 F n 2 F 1 F n 2 F n 2 Equivalently: Let g be the Boolean function defined by g(x) := 1 iff x S. Then, x F n 2 : g(f (x)) = g(x) or x F n 2 : g(f (x)) = g(x) + 1. Definition: Invariant Function Any Boolean function g : F n 2 F 2 for which g F + g is constant is called an invariant for F. Christof Beierle On Choosing Round Constants October, 10, / 34

11 Invariant Attacks Examples of invariants g for F : (g F + g is constant) } g = 0. Equivalent to having S = {} g = 1. Equivalent to having S = F n trivial invariants 2 Christof Beierle On Choosing Round Constants October, 10, / 34

12 Invariant Attacks Examples of invariants g for F : (g F + g is constant) } g = 0. Equivalent to having S = {} g = 1. Equivalent to having S = F n trivial invariants 2 g(x) = 1 iff x U for an affine subspace U F n 2. Invariant Subspace Attack [Leander et al. 2011] Christof Beierle On Choosing Round Constants October, 10, / 34

13 Invariant Attacks Examples of invariants g for F : (g F + g is constant) } g = 0. Equivalent to having S = {} g = 1. Equivalent to having S = F n trivial invariants 2 g(x) = 1 iff x U for an affine subspace U F n 2. Invariant Subspace Attack [Leander et al. 2011] Consider a block cipher E : F n 2 Fκ 2 Fn 2, (x, k) E k(x). Nonlinear Invariant Attack [Todo, Leander, Sasaki 2016] If for some keys k, one can find (non-trivial) invariants for E k, the cipher is vulnerable to the Nonlinear Invariant Attack. Keys which allow for the attack are called weak keys of E. Christof Beierle On Choosing Round Constants October, 10, / 34

14 This Leads to a Distinguisher The knowledge of a (non-trivial) invariant g for E k allows to distinguish the instance from a random permutation P rand. Christof Beierle On Choosing Round Constants October, 10, / 34

15 This Leads to a Distinguisher The knowledge of a (non-trivial) invariant g for E k allows to distinguish the instance from a random permutation P rand. given oracle access to O {E k, P rand } Christof Beierle On Choosing Round Constants October, 10, / 34

16 This Leads to a Distinguisher The knowledge of a (non-trivial) invariant g for E k allows to distinguish the instance from a random permutation P rand. given oracle access to O {E k, P rand } choose m 1,..., m d F n 2 Christof Beierle On Choosing Round Constants October, 10, / 34

17 This Leads to a Distinguisher The knowledge of a (non-trivial) invariant g for E k allows to distinguish the instance from a random permutation P rand. given oracle access to O {E k, P rand } choose m 1,..., m d F n 2 check if i {1,..., d} : g(o(m i )) + g(m i ) is constant Christof Beierle On Choosing Round Constants October, 10, / 34

18 Many Lightweight Ciphers Vulnerable to Invariant Attacks For instance: PRINT-cipher [Leander et al. 2011] Midori-64 [Guo et al. 2016] [Todo, Leander, Sasaki 2016] iscream [Leander, Minaud, Rønjom 2015] SCREAM [Todo, Leander, Sasaki 2016] NORX v2.0 [Chaigneau et al. 2017] Simpira v1 [Rønjom 2016] Haraka v.0 [Jean 2016] Christof Beierle On Choosing Round Constants October, 10, / 34

19 Main Goal: Prevent against Invariant Attacks Our Main Goal (Block Ciphers) Given a block cipher E : F n 2 Fκ 2 Fn 2, (x, k) E k(x). Show that there are no weak keys, i.e., for any k, one can find only trivial invariants for E k. Christof Beierle On Choosing Round Constants October, 10, / 34

20 Main Goal: Prevent against Invariant Attacks Our Main Goal (Block Ciphers) Given a block cipher E : F n 2 Fκ 2 Fn 2, (x, k) E k(x). Show that there are no weak keys, i.e., for any k, one can find only trivial invariants for E k. Our Main Goal (Cryptographic Permutation) Given a permutation F : F n 2 Fn 2, x F (x). Show that one can find only trivial invariants for F. Christof Beierle On Choosing Round Constants October, 10, / 34

21 Our Model Simplification (SPN): Assume the Same Invariant for all Layers We consider only those invariants g, that are simultaneously invariants for the S-box layer and for all Add ki L. k 1 k 2 k t S L S L S L S S S S S S S Almost all real attacks we know exploit such an iterative structure! One exception: [Beyne 2018] Christof Beierle On Choosing Round Constants October, 10, / 34

22 1 Lightweight SPNs: Proving Resistance against Invariant Attacks 2 Design Criteria on the Linear Layer and the Round Constants Christof Beierle On Choosing Round Constants October, 10, / 34

23 Structure of the Invariants for all Add ki L Let g be an invariant for both Add ki L and Add kj L. We then have: g(l(x) + k i ) = g(x) + const. g(l(x) + k j ) = g(x) + const. Christof Beierle On Choosing Round Constants October, 10, / 34

24 Structure of the Invariants for all Add ki L Let g be an invariant for both Add ki L and Add kj L. We then have: g(l(x) + k i ) = g(x) + const. g(l(x) + k j ) = g(x) + const. = g(l(x) + k i ) = g(l(x) + k j ) + const. g(y + k i + k j ) = g(y) + const. Christof Beierle On Choosing Round Constants October, 10, / 34

25 Structure of the Invariants for all Add ki L Let g be an invariant for both Add ki L and Add kj L. We then have: g(l(x) + k i ) = g(x) + const. g(l(x) + k j ) = g(x) + const. = g(l(x) + k i ) = g(l(x) + k j ) + const. g(y + k i + k j ) = g(y) + const. (k i + k j ) is a linear structure of g. Definition: Linear Structures of a Boolean Function g LS(g) := {α F n 2 : x g(x + α) + g(x) is constant} Christof Beierle On Choosing Round Constants October, 10, / 34

26 Requirements on an Invariant g k 1 k 2 k t S L S L S L S S S S S S S g has to be an invariant for the S-box layer and has to satisfy: LS(g) contains all round key differences (k i + k j ). LS(g) is invariant under L, i.e., L(LS(g)) = LS(g). Christof Beierle On Choosing Round Constants October, 10, / 34

27 Requirements on an Invariant g k 1 k 2 k t S L S L S L S S S S S S S g has to be an invariant for the S-box layer and has to satisfy: LS(g) contains all round key differences (k i + k j ). LS(g) is invariant under L, i.e., L(LS(g)) = LS(g). How does the key schedule look like? Christof Beierle On Choosing Round Constants October, 10, / 34

28 SPNs with very Simple Key Schedules In many lightweight block ciphers, the round keys only differ by addition of a publicly-known round constant, i.e., Thus, k i + k j = c i + c j LS(g). i : k i := k + c i. Christof Beierle On Choosing Round Constants October, 10, / 34

29 SPNs with very Simple Key Schedules In many lightweight block ciphers, the round keys only differ by addition of a publicly-known round constant, i.e., Thus, k i + k j = c i + c j LS(g). i : k i := k + c i. In a cryptographic permutation, we only have publicly-known round constants, i.e., i : k i := 0 + c i. Thus, k i + k j = c i + c j LS(g). Christof Beierle On Choosing Round Constants October, 10, / 34

30 Proving the Non-Existence of Invariants Main Condition on an Invariant g 1 g has to be an invariant for the S-box layer and 2 The smallest L-invariant subspace of F n 2 that contains all c i + c j must be a subset of LS(g). We denote this subspace by W L ({c i + c j i, j}). Christof Beierle On Choosing Round Constants October, 10, / 34

31 Proving the Non-Existence of Invariants Main Condition on an Invariant g 1 g has to be an invariant for the S-box layer and 2 The smallest L-invariant subspace of F n 2 that contains all c i + c j must be a subset of LS(g). We denote this subspace by W L ({c i + c j i, j}). Important Observation Assume that the S-box layer has no component of algebraic degree 1. If dim W L ({c i + c j i, j}) n 1, there are only the trivial invariants that fulfill the above main condition! Christof Beierle On Choosing Round Constants October, 10, / 34

32 Proving the Non-Existence of Invariants Main Condition on an Invariant g 1 g has to be an invariant for the S-box layer and 2 The smallest L-invariant subspace of F n 2 that contains all c i + c j must be a subset of LS(g). We denote this subspace by W L ({c i + c j i, j}). Important Observation Assume that the S-box layer has no component of algebraic degree 1. If dim W L ({c i + c j i, j}) n 1, there are only the trivial invariants that fulfill the above main condition! Why? If dim W L ({c i + c j i, j}) n 1, then dim LS(g) n 1. Christof Beierle On Choosing Round Constants October, 10, / 34

33 Proving the Non-Existence of Invariants Main Condition on an Invariant g 1 g has to be an invariant for the S-box layer and 2 The smallest L-invariant subspace of F n 2 that contains all c i + c j must be a subset of LS(g). We denote this subspace by W L ({c i + c j i, j}). Important Observation Assume that the S-box layer has no component of algebraic degree 1. If dim W L ({c i + c j i, j}) n 1, there are only the trivial invariants that fulfill the above main condition! Why? If dim W L ({c i + c j i, j}) n 1, then dim LS(g) n 1. But then, g is linear (or affine). Christof Beierle On Choosing Round Constants October, 10, / 34

34 Proving the Non-Existence of Invariants Main Condition on an Invariant g 1 g has to be an invariant for the S-box layer and 2 The smallest L-invariant subspace of F n 2 that contains all c i + c j must be a subset of LS(g). We denote this subspace by W L ({c i + c j i, j}). Important Observation Assume that the S-box layer has no component of algebraic degree 1. If dim W L ({c i + c j i, j}) n 1, there are only the trivial invariants that fulfill the above main condition! Why? If dim W L ({c i + c j i, j}) n 1, then dim LS(g) n 1. But then, g is linear (or affine). Since the S-box layer does not have a linear (or affine) component, g must be trivial. Christof Beierle On Choosing Round Constants October, 10, / 34

35 Applying the Argument to some Examples Important Observation If dim W L ({c i + c j i, j}) n 1, the invariant attack does not apply! This holds for any (reasonable) choice of the S-box layer. Christof Beierle On Choosing Round Constants October, 10, / 34

36 Applying the Argument to some Examples Important Observation If dim W L ({c i + c j i, j}) n 1, the invariant attack does not apply! This holds for any (reasonable) choice of the S-box layer. Skinny dim W L ({c i + c j i, j}) = 64 (n = 64) the attack does not apply Christof Beierle On Choosing Round Constants October, 10, / 34

37 Applying the Argument to some Examples Important Observation If dim W L ({c i + c j i, j}) n 1, the invariant attack does not apply! This holds for any (reasonable) choice of the S-box layer. Skinny dim W L ({c i + c j i, j}) = 64 (n = 64) the attack does not apply Prince. dim W L ({c i + c j i, j}) = 56 (n = 64) dimension too low Christof Beierle On Choosing Round Constants October, 10, / 34

38 Applying the Argument to some Examples Important Observation If dim W L ({c i + c j i, j}) n 1, the invariant attack does not apply! This holds for any (reasonable) choice of the S-box layer. Skinny dim W L ({c i + c j i, j}) = 64 (n = 64) the attack does not apply Prince. dim W L ({c i + c j i, j}) = 56 (n = 64) dimension too low Mantis-7. dim W L ({c i + c j i, j}) = 42 (n = 64) dimension too low Christof Beierle On Choosing Round Constants October, 10, / 34

39 Applying the Argument to some Examples Important Observation If dim W L ({c i + c j i, j}) n 1, the invariant attack does not apply! This holds for any (reasonable) choice of the S-box layer. Skinny dim W L ({c i + c j i, j}) = 64 (n = 64) the attack does not apply Prince. dim W L ({c i + c j i, j}) = 56 (n = 64) dimension too low Mantis-7. dim W L ({c i + c j i, j}) = 42 (n = 64) dimension too low Midori-64. dim W L ({c i + c j i, j}) = 16 (n = 64) dimension too low Christof Beierle On Choosing Round Constants October, 10, / 34

40 Applying the Argument to some Examples Important Observation If dim W L ({c i + c j i, j}) n 1, the invariant attack does not apply! This holds for any (reasonable) choice of the S-box layer. Skinny dim W L ({c i + c j i, j}) = 64 (n = 64) the attack does not apply Prince. dim W L ({c i + c j i, j}) = 56 (n = 64) the attack does not apply (using properties of the S-box layer) Mantis-7. dim W L ({c i + c j i, j}) = 42 (n = 64) the attack does not apply (using properties of the S-box layer) Midori-64. dim W L ({c i + c j i, j}) = 16 (n = 64) dimension too low Christof Beierle On Choosing Round Constants October, 10, / 34

41 How to Use Properties of the S-box LS(g) := {α F n 2 : x g(x + α) + g(x) is constant} LS 0 (g) := {α F n 2 : x g(x + α) + g(x) = 0} LS(g) We know dim LS 0 (g) {dim LS(g), dim LS(g) 1}. How to find LS 0 (g)? Christof Beierle On Choosing Round Constants October, 10, / 34

42 How to Use Properties of the S-box LS(g) := {α F n 2 : x g(x + α) + g(x) is constant} LS 0 (g) := {α F n 2 : x g(x + α) + g(x) = 0} LS(g) We know dim LS 0 (g) {dim LS(g), dim LS(g) 1}. How to find LS 0 (g)? First Lemma Let g be an invariant for Add ki L for some k i and let V be an L-invariant subspace of LS(g). Then, for any s V, it is s + L(s) LS 0 (g). Christof Beierle On Choosing Round Constants October, 10, / 34

43 How to Use Properties of the S-box LS(g) := {α F n 2 : x g(x + α) + g(x) is constant} LS 0 (g) := {α F n 2 : x g(x + α) + g(x) = 0} LS(g) We know dim LS 0 (g) {dim LS(g), dim LS(g) 1}. How to find LS 0 (g)? First Lemma Let g be an invariant for Add ki L for some k i and let V be an L-invariant subspace of LS(g). Then, for any s V, it is s + L(s) LS 0 (g). Second Lemma Let g be an invariant for S, where S : F n 2 Fn 2 is a permutation with an odd cycle. Then, s LS(g) {S(x) + x x F n 2 } implies s LS 0(g). Christof Beierle On Choosing Round Constants October, 10, / 34

44 How to Use Properties of the S-box Lemma Let g : F n 2 F 2 be an invariant for S and let Z be a subspace of F n 2 with Z LS 0 (g). Then g is constant on each coset Z + a g is constant on S(Z) Z + a1 S(z431) S(z3) Z + a2 Z S(z9) Z + a3 S(z1). Z + a 2 n dim Z Christof Beierle On Choosing Round Constants October, 10, / 34

45 How to Use Properties of the S-box Lemma Let g : F n 2 F 2 be an invariant for S and let Z be a subspace of F n 2 with Z LS 0 (g). Then g is constant on each coset Z + a g is constant on S(Z) Algorithm 1: R = {} 2: repeat 3: z $ Z 4: Compute S(z) 5: Add to R a representative of the coset defined by S(z) 6: until R = 2 n dim Z Christof Beierle On Choosing Round Constants October, 10, / 34

46 Example: LS Designs (e.g., Ascon) Important Observation If dim W L ({c i + c j i, j}) n 1, the invariant attack does not apply! This holds for any (reasonable) choice of the S-box layer. l s n = s l Christof Beierle On Choosing Round Constants October, 10, / 34

47 Example: LS Designs (e.g., Ascon) Important Observation If dim W L ({c i + c j i, j}) n 1, the invariant attack does not apply! This holds for any (reasonable) choice of the S-box layer. l s S n = s l Christof Beierle On Choosing Round Constants October, 10, / 34

48 Example: LS Designs (e.g., Ascon) Important Observation If dim W L ({c i + c j i, j}) n 1, the invariant attack does not apply! This holds for any (reasonable) choice of the S-box layer. l L 1 s L 2 L 3 L 4 Christof Beierle On Choosing Round Constants October, 10, / 34

49 Example: LS Designs (e.g., Ascon) Important Observation If dim W L ({c i + c j i, j}) n 1, the invariant attack does not apply! This holds for any (reasonable) choice of the S-box layer. l L 1 s L 2 L 3 L 4 L 1 L L = 2 L 3 L 4 Christof Beierle On Choosing Round Constants October, 10, / 34

50 Where to Put the Constants? Important Observation If dim W L ({c i + c j i, j}) n 1, the invariant attack does not apply! This holds for any (reasonable) choice of the S-box layer. s l c (0) j c(1) j c(2) j c(3) j L 1 L L = 2 L 3, L 4 dim W L({c i + c j i, j}) l Christof Beierle On Choosing Round Constants October, 10, / 34

51 Where to Put the Constants? Important Observation If dim W L ({c i + c j i, j}) n 1, the invariant attack does not apply! This holds for any (reasonable) choice of the S-box layer. s l c (0) j c (1) j c (2) j c (3) j For the argument, it would be better to put the constants in the columns. Remark A low dimension doesn t imply insecurity of the permutation! Christof Beierle On Choosing Round Constants October, 10, / 34

52 1 Lightweight SPNs: Proving Resistance against Invariant Attacks 2 Design Criteria on the Linear Layer and the Round Constants Christof Beierle On Choosing Round Constants October, 10, / 34

53 Very Different Behavior for each Cipher Skinny dim W L ({c i + c j i, j}) = 64 The constants are sparse. In particular, c i + c j = 0xab Christof Beierle On Choosing Round Constants October, 10, / 34

54 Very Different Behavior for each Cipher Skinny dim W L ({c i + c j i, j}) = 64 The constants are sparse. In particular, c i + c j = 0xab Prince. dim W L ({c i + c j i, j}) = 56 Mantis-7. dim W L ({c i + c j i, j}) = 42 The c i + c j F 64 2 are dense (derived from the fractional digits of π). Christof Beierle On Choosing Round Constants October, 10, / 34

55 Very Different Behavior for each Cipher Skinny dim W L ({c i + c j i, j}) = 64 The constants are sparse. In particular, c i + c j = 0xab Prince. dim W L ({c i + c j i, j}) = 56 Mantis-7. dim W L ({c i + c j i, j}) = 42 The c i + c j F 64 2 are dense (derived from the fractional digits of π). Are the constants for Prince and Mantis just unluckily chosen? Christof Beierle On Choosing Round Constants October, 10, / 34

56 It s a Property of the Linear Layer For a single element c: W L (c) = L t (c), t N. Christof Beierle On Choosing Round Constants October, 10, / 34

57 It s a Property of the Linear Layer For a single element c: W L (c) = L t (c), t N. dim W L (c) equals the smallest d for which there exist λ 0,..., λ d F 2 : d λ t L t (c) = 0. t=0 Christof Beierle On Choosing Round Constants October, 10, / 34

58 It s a Property of the Linear Layer For a single element c: W L (c) = L t (c), t N. dim W L (c) equals the smallest d for which there exist λ 0,..., λ d F 2 : d λ t L t (c) = 0. t=0 dim W L (c) is the degree of the minimal annihilating polynomial of c. Christof Beierle On Choosing Round Constants October, 10, / 34

59 It s a Property of the Linear Layer For a single element c: W L (c) = L t (c), t N. dim W L (c) equals the smallest d for which there exist λ 0,..., λ d F 2 : d λ t L t (c) = 0. t=0 dim W L (c) is the degree of the minimal annihilating polynomial of c. Theorem There exists a c F n 2 such that dim W L(c) = d if and only if d is the degree of a divisor of the minimal polynomial m L of L. Christof Beierle On Choosing Round Constants October, 10, / 34

60 It s a Property of the Linear Layer For a single element c: W L (c) = L t (c), t N. dim W L (c) equals the smallest d for which there exist λ 0,..., λ d F 2 : d λ t L t (c) = 0. t=0 dim W L (c) is the degree of the minimal annihilating polynomial of c. Theorem There exists a c F n 2 such that dim W L(c) = d if and only if d is the degree of a divisor of the minimal polynomial m L of L. max dim W L (c) = deg m L c F n 2 Christof Beierle On Choosing Round Constants October, 10, / 34

61 Examples Skinny-64. m L = (X + 1) 16 F 2 [X] There exists a c F 64 2 with dim W L(c) = d if and only if d {1,..., 16}. Christof Beierle On Choosing Round Constants October, 10, / 34

62 Examples Skinny-64. m L = (X + 1) 16 F 2 [X] There exists a c F 64 2 with dim W L(c) = d if and only if d {1,..., 16}. Prince. m L = (X 4 + X 3 + X 2 + X + 1) 2 (X 2 + X + 1) 4 (X + 1) 4 F 2 [X] There exists a c F 64 2 with dim W L(c) = d if and only if d {1,..., 20}. Christof Beierle On Choosing Round Constants October, 10, / 34

63 Examples Skinny-64. m L = (X + 1) 16 F 2 [X] There exists a c F 64 2 with dim W L(c) = d if and only if d {1,..., 16}. Prince. m L = (X 4 + X 3 + X 2 + X + 1) 2 (X 2 + X + 1) 4 (X + 1) 4 F 2 [X] There exists a c F 64 2 with dim W L(c) = d if and only if d {1,..., 20}. Mantis and Midori. m L = (X + 1) 6 F 2 [X] There exists a c F 64 2 with dim W L(c) = d if and only if d {1,..., 6}. Christof Beierle On Choosing Round Constants October, 10, / 34

64 Considering more Constants: The Rational Canonical Form If deg(m L ) = n, there exists a basis for which the matrix of L is the companion matrix of m L. Definition: Companion Matrix Let p = X m + m 1 i=0 p ix i F 2 [X]. The companion matrix of p is C(p) := p 0 p 1 p 2... p m 1 Christof Beierle On Choosing Round Constants October, 10, / 34

65 Considering more Constants: The Rational Canonical Form If deg(m L ) = n, there exists a basis for which the matrix of L is the companion matrix of m L. Definition: Companion Matrix Let p = X m + m 1 i=0 p ix i F 2 [X]. The companion matrix of p is C(p) := p 0 p 1 p 2... p m 1 In general, there exists a basis for which the matrix of L is C(Q 1 ) C(Q 2 )... C(Q r ) for r polynomials Q r Q r 1 Q 1 = m L. Q 1, Q 2,..., Q r are called the invariant factors of L. Christof Beierle On Choosing Round Constants October, 10, / 34

66 Considering more Constants: The Rational Canonical Form Theorem Let Q 1, Q 2,..., Q r be the invariant factors of L. For any t r, we have max c 1,...,c t dim W L ({c 1,..., c t }) = t deg Q i. i=1 In particular, one needs r elements to obtain the maximal dimension F n 2. Christof Beierle On Choosing Round Constants October, 10, / 34

67 Considering more Constants: The Rational Canonical Form Theorem Let Q 1, Q 2,..., Q r be the invariant factors of L. For any t r, we have max c 1,...,c t dim W L ({c 1,..., c t }) = t deg Q i. i=1 In particular, one needs r elements to obtain the maximal dimension F n 2. Prince. The invariant factor decomposition is Q 1 = Q 2 = X 20 + X 18 + X 16 + X 14 + X 12 + X 8 + X 6 + X 4 + X Q 3 = Q 4 = X 8 + X 6 + X Q 5 = Q 6 = Q 7 = Q 8 = X For t = 5, max dim W L ({c 1,..., c 5 }) = = 58. We need 8 elements to get the full space. Christof Beierle On Choosing Round Constants October, 10, / 34

68 Considering more Constants: The Rational Canonical Form Theorem Let Q 1, Q 2,..., Q r be the invariant factors of L. For any t r, we have max c 1,...,c t dim W L ({c 1,..., c t }) = t deg Q i. i=1 In particular, one needs r elements to obtain the maximal dimension F n 2. Mantis and Midori. The invariant factor decomposition is Q 1 = Q 2 = Q 3 = Q 4 = Q 5 = Q 6 = Q 7 = Q 8 = X Q 9 = Q 10 = Q 11 = Q 12 = Q 13 = Q 14 = Q 15 = Q 16 = X For t = 7, max dim W L ({c 1,..., c 7 }) = 42. For t = 8, max dim W L ({c 1,..., c 8 }) = 48. We need 16 elements to get the full space. Christof Beierle On Choosing Round Constants October, 10, / 34

69 The Maximal Dimension for #D Constants max dim WL(D) #D Prince Mantis Christof Beierle On Choosing Round Constants October, 10, / 34

70 Choosing Random Round Constants For t r, the probability that t uniformly chosen constants c i generate the whole F n 2 can be computed from the invariant factors of L. Christof Beierle On Choosing Round Constants October, 10, / 34

71 Choosing Random Round Constants For t r, the probability that t uniformly chosen constants c i generate the whole F n 2 can be computed from the invariant factors of L. 1 P(dim WL(D) = 64) LED 0.2 Skinny64 Prince Mantis #D Christof Beierle On Choosing Round Constants October, 10, / 34

72 Conclusion For permutations based on SPNs with round constants, there is a (very simple) algorithmic way to prove the resistance against a large class of invariant attacks. Christof Beierle On Choosing Round Constants October, 10, / 34

73 Conclusion For permutations based on SPNs with round constants, there is a (very simple) algorithmic way to prove the resistance against a large class of invariant attacks. Simple Algorithm Input: Linear layer L, RC differences {c i + c j i, j} check if dim {L k (c i + c j ) k < order(l), i, j} n 1 Christof Beierle On Choosing Round Constants October, 10, / 34

74 Conclusion For permutations based on SPNs with round constants, there is a (very simple) algorithmic way to prove the resistance against a large class of invariant attacks. Simple Algorithm Input: Linear layer L, RC differences {c i + c j i, j} check if dim {L k (c i + c j ) k < order(l), i, j} n 1 Depending on the linear layer, one can derive an upper bound on the minimum number of round constants that are necessary for the argument > Design criteria Christof Beierle On Choosing Round Constants October, 10, / 34

75 Conclusion For permutations based on SPNs with round constants, there is a (very simple) algorithmic way to prove the resistance against a large class of invariant attacks. Simple Algorithm Input: Linear layer L, RC differences {c i + c j i, j} check if dim {L k (c i + c j ) k < order(l), i, j} n 1 Depending on the linear layer, one can derive an upper bound on the minimum number of round constants that are necessary for the argument > Design criteria Future work: Can we avoid the restriction of using the same invariant for each of the constituent building blocks? (see [Beyne 2018]) Christof Beierle On Choosing Round Constants October, 10, / 34

76 Conclusion For permutations based on SPNs with round constants, there is a (very simple) algorithmic way to prove the resistance against a large class of invariant attacks. Simple Algorithm Input: Linear layer L, RC differences {c i + c j i, j} check if dim {L k (c i + c j ) k < order(l), i, j} n 1 Depending on the linear layer, one can derive an upper bound on the minimum number of round constants that are necessary for the argument > Design criteria Future work: Can we avoid the restriction of using the same invariant for each of the constituent building blocks? (see [Beyne 2018]) Thanks for your attention! Any questions? Christof Beierle On Choosing Round Constants October, 10, / 34

Proving Resistance against Invariant Attacks: How to Choose the Round Constants

Proving Resistance against Invariant Attacks: How to Choose the Round Constants Christof Beierle 1, Anne Canteaut 2, Gregor Leander 1, and Yann Rotella 2 1 Horst Görtz Institute for IT Security, Ruhr-Universität