Mind the Middle Layer: The HADES Design Strategy Revisited

Abstract

The HADES design strategy combines the classical SPN construction with the Partial SPN (PSPN) construction, in which at every encryption round, the non-linear layer is applied to only a part of the state. In a HADES design, a middle layer that consists of PSPN rounds is surrounded by outer layers of SPN rounds. The security arguments of HADES with respect to statistical attacks use only the SPN rounds, disregarding the PSPN rounds. This allows the designers to not pose any restriction on the MDS matrix used as the linear mixing operation.

In this paper we show that the choice of the MDS matrix significantly affects the security level provided by HADES designs. If the MDS is chosen properly, then the security level of the scheme against differential and linear attacks is significantly higher than claimed by the designers. On the other hand, weaker choices of the MDS allow for extremely large invariant subspaces that pass the entire middle layer without activating any non-linear operation (a.k.a. S-box).

We showcase our results on the Starkad and Poseidon instantiations of HADES. For Poseidon, we significantly improve the lower bounds on the number of active S-boxes with respect to both differential and linear cryptanalysis provided by the designers – for example, from 28 to 60 active S-boxes for the \(t=6\) variant. For Starkad, we show that for any variant with t (i.e., the number of S-boxes in each round) divisible by 4, the cipher admits a huge invariant subspace that passes any number of PSPN rounds without activating any S-box (e.g., a subspace of size \(2^{1134}\) for the \(t=24\) variant). Furthermore, for various choices of the parameters, this invariant subspace can be used to mount a preimage attack on the hash function that breakes its security claims. On the other hand, we show that the problem can be fixed easily by replacing t with any value that is not divisible by four.

Following our paper, the designers of Starkad and Poseidon amended their design, by adding requirements which ensure that the MDS matrix is chosen properly.

Research supported by the European Research Council under the ERC starting grant agreement number 757731 (LightCrypt) and by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office.

A Detailed Description of the Pattern Search Algorithm

In this appendix we describe in detail the pattern search algorithm we applied to variants of the Poseidon permutation. The code of the algorithm is publicly available at: https://anonymous.4open.science/r/bc580cca-659f-4e8f-b8c1-9dfcd5fb75a2/.

1.1 A.1 Checking a Single Pattern

In order to check whether there exists a differential characteristic following a specific pattern, one can use the following algorithm:

algorithm Check-Pattern(pattern), pattern \(\in \left( {\begin{array}{c}[n]\\ a\end{array}}\right) \)

1. 1.

   \(ST := (I_t ; 0_{a+t})\)

2. 2.

   \(E := \emptyset \)

3. 3.

   \(s := t+1\)

4. 4.

   for every \(i = 1:n\)

   1. (a)

      if \(i \in \text {pattern}\): \(ST_1 \leftarrow e_s, s\leftarrow s + 1\)

   2. (b)

      if \(i \notin \text {pattern}\): \(E \leftarrow E \cup ST_1\)

   3. (c)

      \(ST \leftarrow M \cdot ST\)

5. 5.

   Solve the equation system E, return TRUE if and only if there exists a nontrivial solution

Explanation of the Algorithm. Each row of the state corresponds to the coefficients in the linear combination of the \(t+a\) variables. Thus, the beginnings of the rows consist of the unit vectors \(e_1,\ldots , e_t\).

On a non-active S-box, we get a linear restriction by the coefficients in the first row. On an active S-box, we replace the first row by a new variable, which is represented by \(e_s\).

The state is updated after the S-box layer, using the MDS matrix. When we finish posing the linear equations, we can solve the system E using Gaussian elimination and check whether there exists a solution. We note that for linear characteristics, the same algorithm can be used, with the matrix \((M^T)^{-1}\) instead of M.

1.2 A.2 Checking All r-Round Patterns with a Active S-boxes

We can also iterate over all the patterns of length r with a active S-boxes, using the following simple recursive algorithm:

function Search-Pattern(pref, s, a, i, n):

1. 1.

   if \(i \ge n - 1 \wedge {\text {Check-Pattern}}(\text {pref}): \text {output pref}\)

2. 2.

   if \(i < t + 2s\): Search-Pattern(pref,\(s,a,i+1,n\))

3. 3.

   if \(s< a \wedge 2s < i\): Search-Pattern(pref \(\cup \{i\},s+1,a, i+1,n\))

Explanation of the Algorithm. The word “pref” denotes a prefix of the pattern, s is the number of active S-boxes in the prefix, i is the length of the prefix and n is the total number of S-boxes (i.e., the length of the final pattern). It should thus always hold that \(s\le a,s\le i\).

The function should be called with \(\text {pattern} = \emptyset , s = 0, a, i=2,n=t+2a\).

Note that we assume that the function was already called for each \(a' \le a\) and that no differential characteristic was found. We use this fact to reduce the number of checked patterns, since if a pattern contains a previously checked pattern as a substring, then we do not have to check it.

The condition for a non active S-box is: \(i < t + 2s\). Indeed, if \(i \ge t + 2s\), then the prefix already cannot contain active S-boxes (this is the case of a lower a that was already checked), and thus we do not need to check this prefix at all.

The condition for an active S-box is: \(s< a \wedge 2s < i\). Indeed, the condition \(s < a\) is obvious. The condition \(2s < i\) appears, since if \(2s \ge i\) then the suffix (starting from \(i+1\)) is a pattern that was already checked, as it corresponds to \(a' = a - s, n' = n-2s = t + 2(a-s) = t + 2a'\), and thus we do not need to check this prefix.

The stopping condition is at \(n-1\), as the last two S-boxes must be non-active or otherwise the prefix will correspond to \(a' = a - 1\). By the same reasoning, we start from \(i=2\), meaning that the first two S-boxes are also inactive.