
A theoretical analysis of generalized invariants of bijective S-boxes

Journal: Cryptography and Communications

Abstract

This article provides a rigorous mathematical treatment of generalized nonlinear invariants (GNI) and closed-loop invariants (CLI), which extend the standard notion of nonlinear invariants used in the cryptanalysis of block ciphers. We first introduce the concept of an active cycle set, which is useful for defining standard invariants of concatenated S-boxes. We also present an algorithm for finding the cycle decomposition of a substitution layer, given the cycle decompositions of its constituent S-boxes. Employing the cycle decomposition of a bijective S-box, we precisely characterize the number of its generalized and closed-loop invariants. We demonstrate that quadratic invariants (especially useful for mounting practical attacks when the linear layer is an orthogonal matrix) might not exist for many S-boxes used in practice, whereas there are many quadratic invariants of generalized type. For generalized invariants, we draw the important conclusion that these invariants are not affine invariant: for two affine permutations \(A_1, A_2\) over \({\mathbb {F}_{2}^{m}}\), the set of generalized invariants of \(S\) is not necessarily the same as that of \(A_1 S A_2\). In the context of closed-loop invariants, it is shown that the inverse mapping \(S(x) = x^{-1}\) over \(\mathbb {F}_{2^{4}}\) admits quadratic CLIs that additionally possess linear structures, whereas for \(m > 4\) there are no quadratic CLIs of \(S(x) = x^{-1}\) over \(\mathbb {F}_{2^{m}}\). Moreover, we identify the existence of both standard and closed-loop invariants for the so-called MiMC (Minimal Multiplicative Complexity) [1] design, which uses an S-box layer based on the permutation \(S(x) = x^{3}\) over \(\mathbb {F}_{2^{m}}\) (\(m\) odd). We present a method to specify these invariants even when \(m\) is prime, for which the authors of [1] claimed resistance against a type of invariant attack, namely subfield attacks.
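The abstract rests on one fact about standard nonlinear invariants: a Boolean function g satisfies g(S(x)) = g(x) for all x exactly when g is constant on every cycle of the permutation S, so the cycle decomposition fixes the number of such invariants, and a parallel layer S1||S2 has a cycle structure determined by pairs of constituent cycles. The following added example (not code from the paper) computes cycle decompositions of the inverse mapping over F_{2^4} and the MiMC cube map over F_{2^3}, counts the resulting invariants, and checks the pairwise cycle rule for a two-S-box layer; the field polynomials x^4+x+1 and x^3+x+1 are our own assumed choices.

```python
from math import gcd

# Constructed field parameters (assumptions, not taken from the paper).
POLY4 = 0b10011   # x^4 + x + 1, defines GF(2^4)
POLY3 = 0b1011    # x^3 + x + 1, defines GF(2^3)

def gf_mul(a, b, m, poly):
    """Multiply in GF(2^m) modulo the given irreducible polynomial."""
    r = 0
    for _ in range(m):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> m:          # reduce when degree reaches m
            a ^= poly
    return r

def gf_pow(a, e, m, poly):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, m, poly)
        a = gf_mul(a, a, m, poly)
        e >>= 1
    return r

def power_sbox(e, m, poly):
    """Truth table of x -> x^e over GF(2^m); e = 2^m-2 gives x^-1 with 0 -> 0."""
    return [gf_pow(x, e, m, poly) for x in range(2 ** m)]

def cycles(perm):
    """Cycle decomposition of a permutation given as a list."""
    seen, out = set(), []
    for s in range(len(perm)):
        if s in seen:
            continue
        cyc, x = [], s
        while x not in seen:
            seen.add(x); cyc.append(x); x = perm[x]
        out.append(cyc)
    return out

def count_invariants(perm, c):
    """Number of g with g(S(x)) = g(x) ^ c for all x.
    c = 0: g is constant on each cycle  -> 2^(#cycles).
    c = 1: g alternates along each cycle, so every cycle must be even."""
    cs = cycles(perm)
    if c == 1 and any(len(cy) % 2 for cy in cs):
        return 0
    return 2 ** len(cs)

def invariant_from_cycle_bits(perm, bits):
    """Standard invariant taking value bits[i] on the i-th cycle of perm."""
    g = [0] * len(perm)
    for b, cy in zip(bits, cycles(perm)):
        for x in cy:
            g[x] = b
    return g

def parallel_sbox(p1, p2):
    """Truth table of the layer S1||S2 on concatenated inputs."""
    n2 = len(p2)
    return [p1[x // n2] * n2 + p2[x % n2] for x in range(len(p1) * n2)]

def parallel_cycle_count(p1, p2):
    """Cycles of S1||S2 from constituent cycle lengths: a pair of cycles of
    lengths (l1, l2) splits into gcd(l1, l2) cycles of length lcm(l1, l2)."""
    return sum(gcd(len(a), len(b)) for a in cycles(p1) for b in cycles(p2))
```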


Notes

  1. For \(0 \leq i \leq 2^{m}-2\), the \(q\)-cyclotomic class modulo \(2^{m}-1\) of \(i\) is defined as the set \(\mathcal {C}(q,i)=\{ q^{j}i : 0\leq j\leq t_{i}-1 \}\), where \(t_{i}\) is the least positive integer such that \(q^{t_{i}}i\equiv i \text { mod } (2^{m}-1)\).

  2. φ denotes Euler’s totient function.

References

  1. Albrecht, M., Grassi, L., Rechberger, C., Roy, A., Tiessen, T.: MiMC: Efficient encryption and cryptographic hashing with minimal multiplicative complexity. In: Cheon, J., Takagi, T. (eds.) Advances in cryptology - ASIACRYPT 2016, 22nd international conference on the theory and application of cryptology and information security, Hanoi, Vietnam, December 4-8, 2016, Proceedings, vol 10031 of Lecture Notes in Computer Science, pp 191–219. Springer (2016)

  2. Banik, S., Bogdanov, A., Isobe, T., Shibutani, K., Hiwatari, H., Akishita, T., Regazzoni, F.: Midori: A block cipher for low energy. In: Iwata, T., Cheon, J. (eds.) Advances in cryptology - ASIACRYPT 2015, 21st international conference on the theory and application of cryptology and information security, Auckland, New Zealand, November 29 - December 3, 2015, Proceedings, vol 9453 of Lecture Notes in Computer Science, pp 411–436. Springer (2015)

  3. Beierle, C., Canteaut, A., Leander, G., Rotella, Y.: Proving resistance against invariant attacks: how to choose the round constants. In: Katz, J., Shacham, H. (eds.) Advances in cryptology - CRYPTO 2017, 37th annual international cryptology conference, Santa Barbara, CA, USA, August 20-24, 2017, Proceedings, vol 10402 of Lecture Notes in Computer Science, pp 647–678. Springer (2017)

  4. Beierle, C., Canteaut, A., Leander, G.: Nonlinear approximations in cryptanalysis revisited. IACR Trans. Symmetric Cryptol. 2018(4), 80–101 (2018)

  5. Beierle, C., Jean, J., Kölbl, S., Leander, G., Moradi, A., Peyrin, T., Sasaki, Y., Sasdrich, P., Sim, S.M.: The SKINNY family of block ciphers and its low-latency variant MANTIS. In: Robshaw, M., Katz, J. (eds.) Advances in cryptology - CRYPTO 2016, 36th annual international cryptology conference, Santa Barbara, CA, USA, August 14-18, 2016, Proceedings, vol 9815 of Lecture Notes in Computer Science, pp 123–153. Springer (2016)

  6. Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M.J.B., Seurin, Y., Vikkelsoe, C.: PRESENT: An ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) Cryptographic hardware and embedded systems - CHES 2007, 9th international workshop, Vienna, Austria, September 10-13, 2007, Proceedings, vol 4727 of Lecture Notes in Computer Science, pp 450–466. Springer (2007)

  7. Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. In: Menezes, A.J., Vanstone, S.A. (eds.) Advances in cryptology - CRYPTO 1990, 10th annual international cryptology conference, Santa Barbara, California, USA, August 11-15, 1990, Proceedings, vol 537 of Lecture Notes in Computer Science, pp 2–21. Springer (1990)

  8. Borghoff, J., Canteaut, A., Güneysu, T., Kavun, E.B., Knezevic, M., Knudsen, L.R., Leander, G., Nikov, V., Paar, C., Rechberger, C., Rombouts, P., Thomsen, S.S., Yalcin, T.: PRINCE - A low-latency block cipher for pervasive computing applications. In: Wang, X., Sako, K. (eds.) Advances in cryptology - ASIACRYPT 2012, 18th international conference on the theory and application of cryptology and information security, Beijing, China, December 2-6, 2012, Proceedings, vol 7658 of Lecture Notes in Computer Science, pp 208–225. Springer (2012)

  9. Daemen, J., Rijmen, V.: The design of Rijndael: AES - the advanced encryption standard. Information Security and Cryptography. Springer, ISBN 3-540-42580-2 (2002)

  10. Grosso, V., Leurent, G., Standaert, F., Varici, K.: SCREAM v3. CAESAR competition. http://competitions.cr.yp.to/round2/screamv3.pdf (2014)

  11. Grosso, V., Leurent, G., Standaert, F., Varici, K.: LS-designs: Bitslice encryption for efficient masked software implementations. In: Cid, C., Rechberger, C. (eds.) Fast software encryption - FSE 2014, 21st international workshop, London, UK, March 3-5, 2014, revised selected papers, vol 8540 of Lecture Notes in Computer Science, pp 18–37. Springer (2014)

  12. Guo, J., Peyrin, T., Poschmann, A., Robshaw, M.J.B.: The LED block cipher. In: Preneel, B., Takagi, T. (eds.) Cryptographic hardware and embedded systems - CHES 2011, 13th international workshop, Nara, Japan, September 28 - October 1, 2011, Proceedings, vol 6917 of Lecture Notes in Computer Science, pp 326–341. Springer (2011)

  13. Harpes, C., Kramer, G.G., Massey, J.L.: A generalization of linear cryptanalysis and the applicability of Matsui's Piling-Up Lemma. In: Guillou, L.C., Quisquater, J.J. (eds.) Advances in cryptology - EUROCRYPT 1995, international conference on the theory and application of cryptographic techniques, Saint-Malo, France, May 21-25, 1995, Proceedings, vol 921 of Lecture Notes in Computer Science, pp 24–38. Springer (1995)

  14. Huang, T., Tjuawinata, I., Wu, H.: Differential-linear cryptanalysis of ICEPOLE. In: Leander, G. (ed.) Fast software encryption - FSE 2015, 22nd international workshop, Istanbul, Turkey, March 8-11, 2015, revised selected papers, vol 9054 of Lecture Notes in Computer Science, pp 243–263. Springer (2015)

  15. Knudsen, L.R.: Truncated and higher order differentials. In: Preneel, B. (ed.) Fast software encryption - FSE 1994, second international workshop, Leuven, Belgium, December 14-16, 1994, Proceedings, vol 1008 of Lecture Notes in Computer Science, pp 196–211. Springer (1994)

  16. Knudsen, L.R., Robshaw, M.J.B.: Non-linear approximations in linear cryptanalysis. In: Maurer, U. (ed.) Advances in cryptology - EUROCRYPT 1996, international conference on the theory and application of cryptographic techniques, Saragossa, Spain, May 12-16, 1996, Proceedings, vol 1070 of Lecture Notes in Computer Science, pp 224–236. Springer (1996)

  17. Knudsen, L.R., Wagner, D.A.: Integral cryptanalysis. In: Daemen, J., Rijmen, V. (eds.) Fast software encryption - FSE 2002, 9th international workshop, Leuven, Belgium, February 4-6, 2002, Proceedings, vol 2365 of Lecture Notes in Computer Science, pp 112–127. Springer (2002)

  18. Leander, G., Abdelraheem, M.A., AlKhzaimi, H., Zenner, E.: A cryptanalysis of PRINTcipher: the invariant subspace attack. In: Rogaway, P. (ed.) Advances in cryptology - CRYPTO 2011, 31st annual cryptology conference, Santa Barbara, CA, USA, August 14-18, 2011, Proceedings, vol 6841 of Lecture Notes in Computer Science, pp 206–221. Springer (2011)

  19. Langford, S.K., Hellman, M.E.: Differential-linear cryptanalysis. In: Desmedt, Y.G. (ed.) Advances in cryptology - CRYPTO 1994, 14th annual international cryptology conference, Santa Barbara, California, USA, August 21-25, 1994, Proceedings, vol 839 of Lecture Notes in Computer Science, pp 17–25. Springer (1994)

  20. Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) Advances in cryptology - EUROCRYPT 1993, workshop on the theory and application of cryptographic techniques, Lofthus, Norway, May 23-27, 1993, Proceedings, vol 765 of Lecture Notes in Computer Science, pp 386–397. Springer (1993)

  21. Todo, Y., Leander, G., Sasaki, Y.: Nonlinear invariant attack. In: Cheon, J., Takagi, T. (eds.) Advances in cryptology - ASIACRYPT 2016, 22nd international conference on the theory and application of cryptology and information security, Hanoi, Vietnam, December 4-8, 2016, Proceedings, vol 10032 of Lecture Notes in Computer Science, pp 3–33. Springer (2016)

  22. Todo, Y., Leander, G., Sasaki, Y.: Nonlinear invariant attack: practical attack on full SCREAM, iSCREAM, and Midori64. J. Cryptol. 32, 383–1422 (2018)

  23. Wei, Y., Ye, T., Wu, W., Pasalic, E.: Generalized nonlinear invariant attack and a new design criterion for round constants. IACR Trans. Symmetric Cryptol. 2018(4), 62–79 (2019)


Acknowledgements

The authors would like to thank the National Natural Science Foundation of China, Guangxi Science and Technology Foundation, Guangxi Natural Science Foundation and the Slovenian Research Agency for their financial support on this work.

Funding

The second author is supported in part by the National Natural Science Foundation of China (61872103), in part by Guangxi Science and Technology Foundation (Guike AB18281019), in part by Guangxi Natural Science Foundation (2019GXNSFGA245004). The third author is partly supported by the Slovenian Research Agency (research program P1-0404 and research projects J1-1694, J1-9108 and N1-0159).

Author information


Contributions

The concept of active cycle sets, the algorithm in Section 2.2 and the idea for Section 4.3 were provided by the second author. Section 4.2 is mainly due to the third author, as is the idea of studying properties of generalized invariants using the cycle structure of permutations. The main results and examples in Sections 3, 4.1 and 4.3 and Theorem 6 are due to the first author. All authors contributed to the writing of the main manuscript text and its review.

Corresponding author

Correspondence to René Rodríguez.

Ethics declarations

Ethics approval and consent to participate

There are no ethical issues concerning the submitted article since its topic is cryptography and therefore it does not include a study on humans or animals.

Consent for Publication

The authors give their consent for possible publication of the submitted material.

Competing interests

There are no competing interests with other researchers or scientific institutions.

Additional information

Availability of supporting data

There is no supporting data related to the submitted article.

Publisher’s note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.


About this article


Cite this article

Rodríguez, R., Wei, Y. & Pasalic, E. A theoretical analysis of generalized invariants of bijective S-boxes. Cryptogr. Commun. 15, 487–512 (2023). https://doi.org/10.1007/s12095-022-00615-1
