Abstract
The HADES design strategy combines the classical SPN construction with the Partial SPN (PSPN) construction, in which at every encryption round, the non-linear layer is applied to only a part of the state. In a HADES design, a middle layer that consists of PSPN rounds is surrounded by outer layers of SPN rounds. The security arguments of HADES with respect to statistical attacks use only the SPN rounds, disregarding the PSPN rounds. This allows the designers to not pose any restriction on the MDS matrix used as the linear mixing operation.
In this paper we show that the choice of the MDS matrix significantly affects the security level provided by HADES designs. If the MDS is chosen properly, then the security level of the scheme against differential and linear attacks is significantly higher than claimed by the designers. On the other hand, weaker choices of the MDS allow for extremely large invariant subspaces that pass the entire middle layer without activating any non-linear operation (a.k.a. S-box).
We showcase our results on the Starkad and Poseidon instantiations of HADES. For Poseidon, we significantly improve the lower bounds on the number of active S-boxes with respect to both differential and linear cryptanalysis provided by the designers – for example, from 28 to 60 active S-boxes for the \(t=6\) variant. For Starkad, we show that for any variant with t (i.e., the number of S-boxes in each round) divisible by 4, the cipher admits a huge invariant subspace that passes any number of PSPN rounds without activating any S-box (e.g., a subspace of size \(2^{1134}\) for the \(t=24\) variant). Furthermore, for various choices of the parameters, this invariant subspace can be used to mount a preimage attack on the hash function that breaks its security claims. On the other hand, we show that the problem can be fixed easily by replacing t with any value that is not divisible by four.
Following our paper, the designers of Starkad and Poseidon amended their design, by adding requirements which ensure that the MDS matrix is chosen properly.
Research supported by the European Research Council under the ERC starting grant agreement number 757731 (LightCrypt) and by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office.
Notes
- 1.
We note that for the specific variants with \(t=47,51\) proposed in [10], there does exist a large subspace that does not activate any S-box in the PSPN rounds, since the number of these rounds (25 for \(t=47\) and 24 for \(t=51\)) is smaller than t. While this might be undesirable, it is an inevitable consequence of the choice of the number of PSPN rounds, which does not depend on the MDS matrix.
- 2.
- 3.
The link to the code is: https://anonymous.4open.science/r/bc580cca-659f-4e8f-b8c1-9dfcd5fb75a2/.
- 4.
We refrain from giving a meaningful name to this class of matrices, since most probably it was already considered in previous works (which we were not able to find so far).
- 5.
Note that these results are weaker than the results claimed in [6, Sec. 6.2]; specifically, we replace c by \(c+2\), which affects the results significantly. In particular, this means that among the results presented in [6, Table 5], the complexity of the attack on the variant 128-e is increased from \(2^{44.2}\) to about \(2^{115}\), the complexity of the attack on 256-b is increased from \(2^{150.9}\) to about \(2^{220}\), and the attack on 128-c becomes infeasible. In addition, the attack on the variant 256-a fails as well, since for that variant we have \(c=t/2\), while the attack applies only for \(c<t/2\), as is explained in [6, Sec. 6]. The authors of [6] admitted (in private communication [5]) that the formula they wrote was incorrect, and agreed with our correction.
- 6.
We checked this experimentally, with numerous values of t and n. The only ‘counterexamples’ we are aware of occur for small values of n, that is, over small-sized binary fields.
- 7.
It should be noted that in our analysis, we considered only differential and linear attacks, and not other types of statistical attacks. However, for all other classes of attacks, the security arguments provided for SPN constructions are heuristic, and hence, there is no clear way to decide whether r full SPN rounds provide a better security guarantee against those attacks, compared to tr PSPN rounds. Therefore, we focus on differential and linear attacks, for which the results are ‘measurable’.
References
Albrecht, M.R., Rechberger, C., Schneider, T., Tiessen, T., Zohner, M.: Ciphers for MPC and FHE. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 430–454. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_17
Bar-On, A., Dinur, I., Dunkelman, O., Lallemand, V., Keller, N., Tsaban, B.: Cryptanalysis of SP networks with partial non-linear layers. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 315–342. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_13
Becker, T., Weispfenning, V.: Gröbner bases - a computational approach to commutative algebra, 1st edn., p. 576. Springer, New York, USA (1993). https://doi.org/10.1007/978-1-4612-0913-3
Ben-Sasson, E., Goldberg, L., Levit, D.: STARK friendly hash - survey and recommendation. Cryptol. ePrint Arch. Rep. 2020, 948 (2020). https://eprint.iacr.org/2020/948
Beyne, T.: Personal communication (2020)
Beyne, T., et al.: Out of oddity – new cryptanalytic techniques against symmetric primitives optimized for integrity proof systems. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12172, pp. 299–328. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56877-1_11
Dinur, I., Liu, Y., Meier, W., Wang, Q.: Optimized interpolation attacks on LowMC. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 535–560. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48800-3_22
Dobraunig, C., Eichlseder, M., Mendel, F.: Higher-order cryptanalysis of LowMC. In: Kwon, S., Yun, A. (eds.) ICISC 2015. LNCS, vol. 9558, pp. 87–101. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-30840-1_6
Gérard, B., Grosso, V., Naya-Plasencia, M., Standaert, F.-X.: Block ciphers that are easier to mask: how far can we go? In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 383–399. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40349-1_22
Grassi, L., Kales, D., Khovratovich, D., Roy, A., Rechberger, C., Schofnegger, M.: Starkad and Poseidon: new hash functions for zero knowledge proof systems. IACR Cryptol. ePrint Arch. 2019, 458 (2019). https://eprint.iacr.org/2019/458
Grassi, L., Khovratovich, D., Rechberger, C., Roy, A., Schofnegger, M.: Poseidon: a new hash function for zero-knowledge proof systems. In: USENIX Security Symposium. USENIX Association (2021)
Grassi, L., Lüftenegger, R., Rechberger, C., Rotaru, D., Schofnegger, M.: On a generalization of substitution-permutation networks: the HADES design strategy. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12106, pp. 674–704. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_23
Grassi, L., Rechberger, C., Schofnegger, M.: Weak linear layers in word-oriented partial SPN and HADES-like ciphers. IACR Cryptol. ePrint Arch. 2020, 500 (2020). https://eprint.iacr.org/2020/500
NIST: Advanced Encryption Standard, Federal Information Processing Standards publications No. 197 (2001)
Roth, R.M., Lempel, A.: On MDS codes via Cauchy matrices. IEEE Trans. Inf. Theory 35(6), 1314–1319 (1989). https://doi.org/10.1109/18.45291
Silvester, J.R.: Determinants of block matrices. Math. Gaz. 84(501), 460–467 (2000)
StarkWare: Stark-friendly hash challenge (2019–2020). https://starkware.co/hash-challenge
Acknowledgements
The authors are grateful to Tim Beyne, Itai Dinur, Lorenzo Grassi and Christian Rechberger, for helpful discussions and suggestions.
A Detailed Description of the Pattern Search Algorithm
In this appendix we describe in detail the pattern search algorithm we applied to variants of the Poseidon permutation. The code of the algorithm is publicly available at: https://anonymous.4open.science/r/bc580cca-659f-4e8f-b8c1-9dfcd5fb75a2/.
A.1 Checking a Single Pattern
In order to check whether there exists a differential characteristic following a specific pattern, one can use the following algorithm:
algorithm Check-Pattern(pattern), pattern \(\in \left( {\begin{array}{c}[n]\\ a\end{array}}\right) \)
1. \(ST := (I_t \mid 0_{t \times a})\)
2. \(E := \emptyset \)
3. \(s := t+1\)
4. for every \(i = 1:n\)
   (a) if \(i \in \text {pattern}\): \(ST_1 \leftarrow e_s,\; s\leftarrow s + 1\)
   (b) if \(i \notin \text {pattern}\): \(E \leftarrow E \cup \{ST_1\}\)
   (c) \(ST \leftarrow M \cdot ST\)
5. Solve the equation system E, return TRUE if and only if there exists a nontrivial solution
Explanation of the Algorithm. Each row of the state corresponds to the coefficients in the linear combination of the \(t+a\) variables. Thus, the beginnings of the rows consist of the unit vectors \(e_1,\ldots , e_t\).
On a non-active S-box, the input difference of the first word must be zero, so the coefficients in the first row give one linear equation. On an active S-box, the output difference is unknown, so we replace the first row by a new variable, represented by \(e_s\).
The state is updated after the S-box layer using the MDS matrix. When we have posed all the linear equations, we solve the homogeneous system E by Gaussian elimination and check whether a nontrivial solution exists. We note that for linear characteristics, the same algorithm can be used with the matrix \((M^T)^{-1}\) instead of M.
A.2 Checking All r-Round Patterns with a Active S-boxes
We can also iterate over all the patterns of length r with a active S-boxes, using the following simple recursive algorithm:
function Search-Pattern(pref, s, a, i, n):
1. if \(i \ge n - 1 \wedge {\text {Check-Pattern}}(\text {pref})\): output pref
2. if \(i < t + 2s\): Search-Pattern(pref, \(s, a, i+1, n\))
3. if \(s< a \wedge 2s < i\): Search-Pattern(pref \(\cup \{i\}\), \(s+1, a, i+1, n\))
Explanation of the Algorithm. The word “pref” denotes a prefix of the pattern, s is the number of active S-boxes in the prefix, i is the length of the prefix and n is the total number of S-boxes (i.e., the length of the final pattern). It should thus always hold that \(s\le a,s\le i\).
The function should be called with \(\text {pref} = \emptyset , s = 0, a, i=2, n=t+2a\).
Note that we assume that the function was already called for each \(a' \le a\) and that no differential characteristic was found. We use this fact to reduce the number of checked patterns, since if a pattern contains a previously checked pattern as a substring, then we do not have to check it.
The condition for a non-active S-box is: \(i < t + 2s\). Indeed, if \(i \ge t + 2s\), then the prefix already contains a pattern of length \(t+2s\) with only s active S-boxes (this is the case of a lower a that was already checked), and thus we do not need to check this prefix at all.
The condition for an active S-box is: \(s< a \wedge 2s < i\). Indeed, the condition \(s < a\) is obvious. The condition \(2s < i\) appears, since if \(2s \ge i\) then the suffix (starting from \(i+1\)) is a pattern that was already checked, as it corresponds to \(a' = a - s, n' = n-2s = t + 2(a-s) = t + 2a'\), and thus we do not need to check this prefix.
The stopping condition is at \(n-1\), as the last two S-boxes must be non-active or otherwise the prefix will correspond to \(a' = a - 1\). By the same reasoning, we start from \(i=2\), meaning that the first two S-boxes are also inactive.
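The two procedures of this appendix, implemented over \(\mathbb {F}_p\) as an added example (this is not the authors' code, which is linked above, and the names `check_pattern`, `search_patterns`, `first_feasible_a`, `P`, `M_TOY` and `M_WEAK` are ours). Check-Pattern collects one linear equation per inactive round and introduces one fresh variable per active round, then decides whether the homogeneous system has a nontrivial solution by computing its rank modulo p; Search-Pattern enumerates the patterns over \(n = t+2a\) rounds with the two pruning conditions explained in A.2. Round indices are 0-based, rounds 0 and 1 are inactive by construction, and the recursion returns at \(i = n-1\) (leaving the last round inactive) rather than recursing further, so each candidate pattern is checked once. The parameters are constructed for the demonstration: p = 7 and t = 2 are tiny, a 2x2 matrix with all entries and its determinant nonzero is MDS, the Cauchy construction is the one of [15], and the lower-triangular matrix is a deliberately weak linear layer in which the second word never feeds the first, so every difference with a zero first word passes any number of PSPN rounds without activating an S-box. `inv_transpose_mod_p` produces \((M^T)^{-1}\) for the linear-characteristic variant mentioned in A.1.

```python
"""Pattern search for PSPN rounds over F_p (added example, not the paper's code)."""

P = 7                                # toy prime, constructed for the demo
M_TOY = [[2, 3], [1, 1]]             # 2x2 with all entries and det nonzero => MDS over F_7
M_WEAK = [[1, 0], [1, 1]]            # invertible, but word 2 never feeds word 1 (weak layer)


def cauchy_mds(p, xs, ys):
    """Cauchy matrix M[i][j] = 1/(x_i - y_j) over F_p; MDS when all x_i, y_j are distinct."""
    return [[pow((x - y) % p, -1, p) for y in ys] for x in xs]


def inv_transpose_mod_p(M, p):
    """(M^T)^{-1} over F_p by Gauss-Jordan (M must be invertible); use it in place of M
    to search for linear instead of differential characteristics (see A.1)."""
    t = len(M)
    aug = [[M[j][i] % p for j in range(t)] + [int(i == k) for k in range(t)]
           for i in range(t)]
    for col in range(t):
        piv = next(r for r in range(col, t) if aug[r][col])
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], -1, p)
        aug[col] = [(v * inv) % p for v in aug[col]]
        for r in range(t):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(x - f * y) % p for x, y in zip(aug[r], aug[col])]
    return [row[t:] for row in aug]


def rank_mod_p(rows, p):
    """Rank of a list of coefficient vectors over F_p (Gaussian elimination)."""
    rows = [[v % p for v in r] for r in rows]
    rank = 0
    for col in range(len(rows[0]) if rows else 0):
        piv = next((r for r in range(rank, len(rows)) if rows[r][col]), None)
        if piv is None:
            continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        inv = pow(rows[rank][col], -1, p)
        rows[rank] = [(v * inv) % p for v in rows[rank]]
        for r in range(len(rows)):
            if r != rank and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(x - f * y) % p for x, y in zip(rows[r], rows[rank])]
        rank += 1
    return rank


def mat_mul(M, ST, p):
    """Apply the t x t linear layer M to the t x (t+a) coefficient state ST."""
    return [[sum(M[i][k] * ST[k][j] for k in range(len(ST))) % p
             for j in range(len(ST[0]))] for i in range(len(M))]


def check_pattern(M, p, t, pattern, n):
    """Check-Pattern (A.1). `pattern`: 0-based indices of the active rounds among n.
    Row j of ST holds word j's difference as a combination of the t+a variables."""
    width = t + len(pattern)
    ST = [[int(j == i) for j in range(width)] for i in range(t)]   # (I_t | 0)
    E, s = [], t                      # s: next fresh variable (the paper's e_s, 1-based)
    for i in range(n):
        if i in pattern:
            ST[0] = [int(j == s) for j in range(width)]            # active: new variable
            s += 1
        else:
            E.append(ST[0])                                        # inactive: ST_1 = 0
        ST = mat_mul(M, ST, p)
    return rank_mod_p(E, p) < width                                # nontrivial solution?


def search_patterns(M, p, t, a):
    """Search-Pattern (A.2) over n = t+2a rounds with a active S-boxes, assuming every
    a' < a was already searched without success. Returns the patterns that pass."""
    n, found = t + 2 * a, set()

    def rec(pref, s, i):
        if i >= n - 1:                    # rounds 0, 1 and n-1 are inactive by construction
            if check_pattern(M, p, t, pref, n):
                found.add(pref)
            return
        if i < t + 2 * s:                 # next round inactive (pruned when i >= t+2s)
            rec(pref, s, i + 1)
        if s < a and 2 * s < i:           # next round active (pruned when 2s >= i)
            rec(pref | {i}, s + 1, i + 1)

    rec(frozenset(), 0, 2)
    return found


def first_feasible_a(M, p, t, a_max):
    """Smallest a <= a_max admitting a pattern, with the patterns found; None means every
    t+2a consecutive PSPN rounds activate more than a S-boxes for all a <= a_max."""
    for a in range(a_max + 1):
        pats = search_patterns(M, p, t, a)
        if pats:
            return a, pats
    return None
```

Running `first_feasible_a(M, P, 2, 2)` for `M_TOY` and for `cauchy_mds(P, [0, 1], [2, 3])` returns None, i.e. for these matrices no characteristic with at most two active S-boxes exists over the corresponding \(t+2a\) PSPN rounds, whereas for `M_WEAK` it returns the empty pattern already at a = 0, exhibiting the invariant subspace. The pruning in `search_patterns` is only sound when the smaller values of a have been searched first, which is what `first_feasible_a` does.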
Copyright information
© 2021 International Association for Cryptologic Research
Cite this paper
Keller, N., Rosemarin, A. (2021). Mind the Middle Layer: The HADES Design Strategy Revisited. In: Canteaut, A., Standaert, FX. (eds) Advances in Cryptology – EUROCRYPT 2021. EUROCRYPT 2021. Lecture Notes in Computer Science(), vol 12697. Springer, Cham. https://doi.org/10.1007/978-3-030-77886-6_2
DOI: https://doi.org/10.1007/978-3-030-77886-6_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-77885-9
Online ISBN: 978-3-030-77886-6