Subspaces in block ciphers: Subspace trail cryptanalysis

Mixed space

Definition (Mixed spaces). The $i$-th mixed subspace $\mathcal{M}_i$ is defined as $\mathcal{M}_i = MC \circ SR(\mathcal{C}_i)$.

For instance, $\mathcal{M}_0$ corresponds to the image

$$\mathcal{M}_0 = \left\{ \begin{pmatrix}
\alpha \cdot x_1 & x_4 & x_3 & (\alpha + 1) \cdot x_2 \\
x_1 & x_4 & (\alpha + 1) \cdot x_3 & \alpha \cdot x_2 \\
x_1 & (\alpha + 1) \cdot x_4 & \alpha \cdot x_3 & x_2 \\
(\alpha + 1) \cdot x_1 & \alpha \cdot x_4 & x_3 & x_2
\end{pmatrix} \;\middle|\; \forall\, x_1, x_2, x_3, x_4 \in \mathbb{F}_{2^8} \right\}$$

where $\alpha$ is the generator of the AES field.
Subspace Trail Cryptanalysis and its Applications to AES [GRR17], FSE '17

For fixed $I, J \subseteq \{0, 1, 2, 3\}$ with $|I| + |J| \le 4$:

1. $R(\mathcal{D}_I \oplus a) = \mathcal{C}_I \oplus b$
2. $R(\mathcal{C}_I \oplus a) = \mathcal{M}_I \oplus b$
3. $R^2(\mathcal{D}_I \oplus a) = \mathcal{M}_I \oplus b$
4. $\mathcal{M}_I \cap \mathcal{D}_J = \{0\}$

[Figure: the AES round $SB$, $SR$, $MC$ applied to coloured states, illustrating $R(\cdot) \oplus R(\cdot)$, $R^2(\cdot) \oplus R^2(\cdot) = MC \circ SR(\cdot)$ and $R^4(\cdot) \oplus R^4(\cdot) \neq MC \circ SR(\cdot)$; the trail $\mathcal{D}_I \oplus a_1 \xrightarrow{R} \mathcal{C}_I \oplus a_2 \xrightarrow{R} \mathcal{M}_I \oplus a_3$; and the $q^d$ cosets $\mathcal{A}_{1,j} \subseteq \mathcal{D}_J \oplus a_{1,j}$, $\mathcal{A}_{2,j} \subseteq \mathcal{C}_J \oplus a_{2,j}$, $\mathcal{A}_{3,j} \subseteq \mathcal{M}_J \oplus a_{3,j}$ for $j = 1, \dots, q^d$.]
Attack on Simpira
From subspace trails to invariant subspaces in Simpira: Overview

Simpira (now Simpira v1)

Simpira: A Family of Efficient Permutations Using the AES Round Function, [GM16]

- a family of cryptographic permutations supporting $128 \times b$ bits
- designed to achieve high throughput on all modern 64-bit processors
- uses only one building block, AES (Intel/AMD/ARM native instructions)
- Generalized Feistel Structure
- Claim: no structural distinguishers with complexity below $2^{128}$.
Simpira with $b = 4$

- 512-bit permutation
- $f(x)$: one AES round minus constants
- F-function: $F_i^t(x) = f(f(x) + k_{t,i})$
- Different constants in each new F-function
- Iterated for many rounds (not important)
- Suitable for a wide range of applications.
Two round property

Initial observation for two rounds

State $(x_0^t, x_1^t, x_2^t, x_3^t) \in \mathbb{F}_{2^8}^{4 \times 4 \times 4}$ and $F_i^t(x) = f(f(x) + k_{t,i})$ where $k_{t,i} \in \mathcal{C}_{0,1}$.

$$S^{t+1} = (x_0^{t+1}, x_1^{t+1}, x_2^{t+1}, x_3^{t+1}) = \big(F_1^t(x_0^t) \oplus x_1^t,\; F_2^t(x_3^t) \oplus x_2^t,\; x_3^t,\; x_0^t\big)$$

$$S^{t+2} = (x_0^{t+2}, x_1^{t+2}, x_2^{t+2}, x_3^{t+2}) = \big(F_1^{t+1}(x_0^{t+1}) \oplus x_1^{t+1},\; F_2^{t+1}(x_3^{t+1}) \oplus x_2^{t+1},\; x_3^{t+1},\; x_0^{t+1}\big)$$

Substituting $x_3^{t+1} = x_0^t$, $x_2^{t+1} = x_3^t$ and $x_0^{t+1} = F_1^t(x_0^t) \oplus x_1^t$:

$$S^{t+2} = \big(x_0^{t+2},\; F_2^{t+1}(x_0^t) \oplus x_3^t,\; x_0^t,\; F_1^t(x_0^t) \oplus x_1^t\big)$$

Structure: $R^2(a, b, c, d) \longrightarrow (z,\; F_1(a) \oplus d,\; a,\; F_2(a) \oplus b)$.
The parallel F-function

- $f(x)$: one AES round minus key addition
- $f(x) \times f(x)$ (in parallel)
- constants $c_1 = $ [figure] and $c_2 = $ [figure]
- Parallel F-function: $F_1(a) \times F_2(a) = f(f(a) \oplus c_1) \times f(f(a) \oplus c_2)$
Subspace trail in parallel F-functions

Trivial invariant subspace in $f(x) \times f(x)$: $f(a) \times f(a) = b \times b$.

[Figure: the two parallel AES rounds $SB$, $SR$, $MC$ applied to identical states.]
Constants space: constants $c_1 = $ [figure] and $c_2 = $ [figure].

Adding a constant. We begin with an invariant space $a \times a$: $f(\cdot) \times f(\cdot) = \cdot \times \cdot$ [figure], ...then add constants in the middle: $f(\cdot) \times f(\cdot) \oplus (c_1 \times c_2) = \cdot \times \cdot$ [figure].
One more round

We begin with an invariant subspace $a \times a$: $f(\cdot) \times f(\cdot) = \cdot \times \cdot$ [figure: $SB$ in both branches], ...then add constants in the middle: $f(\cdot) \times f(\cdot) \oplus (\cdot \times \cdot) = \cdot \times \cdot$ [figure: $SR$ in both branches], ...and apply another AES round: $f(\cdot) \times f(\cdot) = MC \circ SR(\cdot) \times MC \circ SR(\cdot)$ [figure: $MC$ in both branches].

Subspace trail in parallel F-function: $F_1(\cdot) \times F_2(\cdot) = MC \circ SR(\cdot) \times MC \circ SR(\cdot)$.
Invariant subspace over 2 rounds

$(a, b, c, d) \xrightarrow{R^2} (z,\; F_1(a) \oplus d,\; a,\; F_2(a) \oplus b)$, with $F_1(\cdot) \times F_2(\cdot) = MC \circ SR(\cdot) \times MC \circ SR(\cdot)$ (imagine $MC \circ SR$ around all values of the state).

[Figure: the coloured state $(a, b, c, d)$ is mapped by $R^2$ to $(\cdot,\; F_1(\cdot) \oplus \cdot,\; \cdot,\; F_2(\cdot) \oplus \cdot)$ and, using the trail above, rewritten step by step into a state of the same form.]
Invariant subspaces in Simpira

$$(\cdot, \cdot, \cdot, \cdot) = \big(a,\; MC \circ SR(z_1 \oplus x),\; b,\; MC \circ SR(z_2 \oplus x \oplus c)\big)$$

where

- $a, b$ set to all possible values ($q^{32}$)
- $z_i$ set to all possible values in the two left columns ($q^{16}$)
- $x$ set to all possible values in the two right columns ($q^8$)
- $c$ random fixed value in the two right columns ($q^8$)

Conclusion for Simpira

- Invariant subspaces in the round function from non-invariant subspaces in the AES F-function.
- Covers the whole plaintext space with $2^{64}$ invariant cosets of dimension 56 over $\mathbb{F}_q$ (first time?)
- Trivial distinguisher
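The subspace-trail properties, the $\mathcal{M}_0$ matrix of the "Mixed spaces" slide and the two-round invariant above can all be checked numerically. The Python below is an added example; it is not code from the slides, from [GRR17] or from the Simpira designers. It assumes a 16-byte AES state indexed $r + 4c$, a minimal AES round of its own (S-box from field inversion plus the affine map), and, as the slides state, round constants $k_{t,i}$ supported on the two left columns $\mathcal{C}_{0,1}$. `check_trail` verifies properties 1 to 3 of the [GRR17] slide on random cosets, `m0_formula` against `m0_definition` verifies the $\mathcal{M}_0$ matrix, and `check_invariant` verifies that the coset $(a, MC \circ SR(z_1 \oplus x), b, MC \circ SR(z_2 \oplus x \oplus c))$ survives any even number of Feistel rounds, and also that it does not survive once the constants are allowed to occupy all four columns.

```python
"""Added example (not code from the slides, GRR17 or Simpira): a from-scratch AES
round checks (1) the M_0 matrix of the 'Mixed spaces' slide, (2) the subspace trail
D_I -> C_I -> M_I, and (3) the two-round invariant coset of the Simpira-like Feistel.
Assumed: state = 16 bytes indexed r + 4*c; constants k_{t,i} supported on C_{0,1}."""
import random

def gf_mul(a, b):
    """Multiplication in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (the AES field)."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _sbox(v):
    """AES S-box entry: inversion (v^254, 0 -> 0) then the affine map with constant 0x63."""
    x = 1
    for _ in range(254):
        x = gf_mul(x, v)
    out = 0x63
    for i in range(8):
        out ^= (sum((x >> ((i + j) % 8)) & 1 for j in (0, 4, 5, 6, 7)) & 1) << i
    return out

SBOX = [_sbox(v) for v in range(256)]
MC = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
MC_INV = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]

# AES layers on a 16-byte state s; byte (row r, column c) sits at index r + 4*c.
def sub_bytes(s): return [SBOX[v] for v in s]
def shift_rows(s): return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]
def inv_shift_rows(s): return [s[r + 4 * ((c - r) % 4)] for c in range(4) for r in range(4)]
def mix_columns(s, m=MC):   # pass m=MC_INV for the inverse
    out = []
    for c in range(4):
        for r in range(4):
            v = 0
            for j in range(4):
                v ^= gf_mul(m[r][j], s[4 * c + j])
            out.append(v)
    return out
def xor(a, b): return [x ^ y for x, y in zip(a, b)]
def f(s): return mix_columns(shift_rows(sub_bytes(s)))   # one AES round minus key addition
def aes_round(s, k): return xor(f(s), k)

# GRR17 subspaces: C_I = columns in I, D_I = SR^-1(C_I), M_I = MC(SR(C_I)).
def col_pos(I): return {r + 4 * c for c in I for r in range(4)}
def diag_pos(I): return {r + 4 * ((r + i) % 4) for i in I for r in range(4)}
def in_C(s, I): return all(v == 0 for p, v in enumerate(s) if p not in col_pos(I))
def in_M(s, I): return in_C(inv_shift_rows(mix_columns(s, MC_INV)), I)   # SR^-1(MC^-1(s)) in C_I
def rand_in(pos): return [random.randrange(256) if p in pos else 0 for p in range(16)]

def m0_formula(x1, x2, x3, x4):
    """The M_0 matrix of the 'Mixed spaces' slide (alpha = 2, alpha + 1 = 3), column-major."""
    al, al1 = (lambda v: gf_mul(2, v)), (lambda v: gf_mul(3, v))
    rows = [[al(x1), x4, x3, al1(x2)], [x1, x4, al1(x3), al(x2)],
            [x1, al1(x4), al(x3), x2], [al1(x1), al(x4), x3, x2]]
    return [rows[r][c] for c in range(4) for r in range(4)]
def m0_definition(x1, x2, x3, x4):   # MC o SR applied to an element of C_0
    return mix_columns(shift_rows([x1, x2, x3, x4] + [0] * 12))

def check_trail(I, trials=20, seed=1):
    """Properties 1-3: R(D_I+a) in C_I+R(a), R(C_I+a) in M_I+R(a), R^2(D_I+a) in M_I+R^2(a)."""
    random.seed(seed)
    k1, k2, a = rand_in(range(16)), rand_in(range(16)), rand_in(range(16))
    ra, rra = aes_round(a, k1), aes_round(aes_round(a, k1), k2)
    for _ in range(trials):
        rx = aes_round(xor(a, rand_in(diag_pos(I))), k1)   # R(x) for x in D_I + a
        ry = aes_round(xor(a, rand_in(col_pos(I))), k1)    # R(y) for y in C_I + a
        if not (in_C(xor(rx, ra), I) and in_M(xor(ry, ra), I)
                and in_M(xor(aes_round(rx, k2), rra), I)):
            return False
    return True

# Simpira-like b = 4 Feistel of the slides: F_i^t(x) = f(f(x) + k_{t,i}).
def F(x, k): return f(xor(f(x), k))
def simpira_round(state, k1, k2):
    x0, x1, x2, x3 = state
    return [xor(F(x0, k1), x1), xor(F(x3, k2), x2), x3, x0]

def in_invariant_coset(state, c):
    """(a, MCoSR(z1+x), b, MCoSR(z2+x+c))  <=>  the two right columns of
    SR^-1(MC^-1(s1 + s3)) equal the fixed c (c supported on columns 2 and 3)."""
    pre = inv_shift_rows(mix_columns(xor(state[1], state[3]), MC_INV))
    return all(pre[p] == c[p] for p in col_pos([2, 3]))

def check_invariant(rounds=6, constants_in_C01=True, seed=2):
    """Sample a coset element, apply `rounds` Feistel rounds with fresh random constants,
    report whether it stayed in the coset (True for even rounds and constants in C_{0,1})."""
    random.seed(seed)
    c, x = rand_in(col_pos([2, 3])), rand_in(col_pos([2, 3]))
    z1, z2 = rand_in(col_pos([0, 1])), rand_in(col_pos([0, 1]))
    state = [rand_in(range(16)), mix_columns(shift_rows(xor(z1, x))),
             rand_in(range(16)), mix_columns(shift_rows(xor(xor(z2, x), c)))]
    assert in_invariant_coset(state, c)
    const_pos = col_pos([0, 1]) if constants_in_C01 else range(16)
    for _ in range(rounds):
        state = simpira_round(state, rand_in(const_pos), rand_in(const_pos))
    return in_invariant_coset(state, c)
```

The membership test `in_invariant_coset` is the whole distinguisher: it only needs the XOR of the second and fourth branches, pulled back through $MC \circ SR$, to keep a fixed value in the two right columns. Running `check_invariant(constants_in_C01=False)` returns `False`, which makes the dependency explicit: the invariant exists because all $k_{t,i}$ share the same zero columns, so the two F-functions applied to the same input differ only inside $\mathcal{M}_{0,1}$, and it disappears as soon as the constant difference touches every column.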
Zero-difference cryptanalysis of AES
Zero-difference cryptanalysis of AES: Zero differences and exchange operations in SPNs

The zero difference pattern

Definition (Zero difference pattern). Let $\alpha = (\alpha_0, \alpha_1, \dots, \alpha_{n-1}) \in \mathbb{F}_q^n$. Define $\nu(\alpha) = (z_0, z_1, \dots, z_{n-1}) \in \mathbb{F}_2^n$ where

$$z_i = \begin{cases} 1 & \text{if } \alpha_i \text{ is zero,} \\ 0 & \text{otherwise.} \end{cases}$$
Setting

- Let $\alpha = (\alpha_0, \alpha_1, \dots, \alpha_{n-1}) \in \mathbb{F}_q^n$ denote the state of a block cipher.
- Let $q = 2^k$ and let $s$ be a $k \times k$ permutation S-box. The S-box working on a state is defined by $S(\alpha) = (s(\alpha_0), s(\alpha_1), \dots, s(\alpha_{n-1}))$.
- Let $L$ be a linear layer in the block cipher.
- We consider a substitution permutation network (SPN) of the form $S \circ L \circ S \circ L \circ S$.
The S-box

Lemma. For two states $\alpha$ and $\beta$ in $\mathbb{F}_q^n$, the zero difference pattern is preserved by a permutation S-box:

$$\nu(\alpha \oplus \beta) = \nu(S(\alpha) \oplus S(\beta)).$$

Proof. Follows since $\alpha_i \oplus \beta_i = 0$ iff $s(\alpha_i) \oplus s(\beta_i) = 0$, and thus the S-box preserves the zero difference pattern.
The exchange operation

Definition. For a vector $c \in \mathbb{F}_2^n$ and a pair of states $\alpha, \beta \in \mathbb{F}_q^n$ define a new state $\rho_c(\alpha, \beta)$ by

$$\rho_c(\alpha, \beta)_i = \begin{cases} \alpha_i & \text{if } c_i = 1, \\ \beta_i & \text{if } c_i = 0. \end{cases}$$

Example. Let $c = (0110)$, $\alpha = (\alpha_0, \alpha_1, \alpha_2, \alpha_3)$ and $\beta = (\beta_0, \beta_1, \beta_2, \beta_3)$. Then

$$\alpha' = \rho_{(0110)}(\alpha, \beta) = (\beta_0, \alpha_1, \alpha_2, \beta_3) \quad \text{and} \quad \beta' = \rho_{(0110)}(\beta, \alpha) = (\alpha_0, \beta_1, \beta_2, \alpha_3).$$
Properties of the exchange operation (I)

Lemma.

a) $\rho_c(\alpha, \beta) \oplus \rho_c(\beta, \alpha) = \alpha \oplus \beta$
b) $S(\rho_c(\alpha, \beta)) \oplus S(\rho_c(\beta, \alpha)) = S(\alpha) \oplus S(\beta)$
c) $\rho_c(S(\alpha), S(\beta)) = S(\rho_c(\alpha, \beta))$

Proof.

a) $\rho_c(\alpha, \beta)_i \oplus \rho_c(\beta, \alpha)_i = \begin{cases} \alpha_i \oplus \beta_i & \text{if } c_i = 1, \\ \beta_i \oplus \alpha_i & \text{if } c_i = 0. \end{cases}$

b) $s(\rho_c(\alpha, \beta)_i) \oplus s(\rho_c(\beta, \alpha)_i) = \begin{cases} s(\alpha_i) \oplus s(\beta_i) & \text{if } c_i = 1, \\ s(\beta_i) \oplus s(\alpha_i) & \text{if } c_i = 0. \end{cases}$

c) $\rho_c(S(\alpha), S(\beta))_i = S(\rho_c(\alpha, \beta))_i = \begin{cases} s(\alpha_i) & \text{if } c_i = 1, \\ s(\beta_i) & \text{if } c_i = 0. \end{cases}$
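To make the definitions concrete, the Python below (an added example, not code from the slides) implements $\nu$ and $\rho_c$ and checks the S-box lemma and parts a) to c) of the exchange lemma on random state pairs. It assumes $k = 4$, $n = 8$ and a constructed, seeded random permutation as $s$; nothing depends on that choice, since both lemmas hold for any permutation S-box, AES being the case $k = 8$, $n = 16$.

```python
"""Added example (not code from the slides): the zero-difference pattern nu, the
exchange operation rho_c and the two lemmas above, checked on random states.
Assumed: q = 2^k with k = 4, n = 8 cells, and s a random (seeded) permutation of
GF(2^4); the lemmas hold for any permutation S-box, AES being k = 8, n = 16."""
import random

K, N = 4, 8                          # cell size k (q = 2^k) and number of cells n
_rng = random.Random(7)
S_BOX = list(range(2 ** K))
_rng.shuffle(S_BOX)                  # constructed permutation S-box s on GF(2^4)

def nu(alpha):
    """Zero-difference pattern: z_i = 1 where cell i is zero, 0 otherwise."""
    return tuple(1 if a == 0 else 0 for a in alpha)

def S(alpha):                        # cell-wise S-box layer
    return tuple(S_BOX[a] for a in alpha)

def xor(alpha, beta):
    return tuple(a ^ b for a, b in zip(alpha, beta))

def rho(c, alpha, beta):
    """Exchange: cell i comes from alpha where c_i = 1 and from beta where c_i = 0."""
    return tuple(a if ci == 1 else b for ci, a, b in zip(c, alpha, beta))

def sbox_lemma_holds(alpha, beta):
    """nu(alpha + beta) = nu(S(alpha) + S(beta))."""
    return nu(xor(alpha, beta)) == nu(xor(S(alpha), S(beta)))

def exchange_lemma_holds(c, alpha, beta):
    """Parts a), b), c) of the exchange-operation lemma."""
    a_, b_ = rho(c, alpha, beta), rho(c, beta, alpha)
    return (xor(a_, b_) == xor(alpha, beta)
            and xor(S(a_), S(b_)) == xor(S(alpha), S(beta))
            and rho(c, S(alpha), S(beta)) == S(a_))

def check_all(trials=200, seed=11):
    """Random pairs (alpha, beta) that share some cells, so nu is not all zeros, and random c."""
    rng = random.Random(seed)
    for _ in range(trials):
        alpha = tuple(rng.randrange(2 ** K) for _ in range(N))
        beta = tuple(a if rng.random() < 0.4 else rng.randrange(2 ** K) for a in alpha)
        c = tuple(rng.randrange(2) for _ in range(N))
        if not (sbox_lemma_holds(alpha, beta) and exchange_lemma_holds(c, alpha, beta)):
            return False
    return True
```

The checks pass for every seed because both lemmas are cell-wise statements: $\rho_c$ only reorders which of the two states supplies each cell, and $S$ acts on each cell independently, so exchanging cells and applying $S$ commute and the XOR difference of the exchanged pair equals that of the original pair.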