Propagation of Subspaces in Primitives with Monomial Sboxes: Applications to Rescue and Variants of the AES

IF 1.7 Q3 COMPUTER SCIENCE, SOFTWARE ENGINEERING IACR Transactions on Symmetric Cryptology Pub Date : 2023-12-08 DOI:10.46586/tosc.v2023.i4.270-298
Aurélien Boeuf, A. Canteaut, Léo Perrin
{"title":"Propagation of Subspaces in Primitives with Monomial Sboxes: Applications to Rescue and Variants of the AES","authors":"Aurélien Boeuf, A. Canteaut, Léo Perrin","doi":"10.46586/tosc.v2023.i4.270-298","DOIUrl":null,"url":null,"abstract":"Motivated by progress in the field of zero-knowledge proofs, so-called Arithmetization-Oriented (AO) symmetric primitives have started to appear in the literature, such as MiMC, Poseidon or Rescue. Due to the design constraints implied by this setting, these algorithms are defined using simple operations over large (possibly prime) fields. In particular, many rely on simple low-degree monomials for their non-linear layers, essentially using x ↦ x3 as an S-box.In this paper, we show that the structure of the material injected in each round (be it subkeys in a block cipher or round constants in a public permutation) could allow a specific pattern, whereby a well-defined affine space is mapped to another by the round function, and then to another, etc. Such chains of one-dimensional subspaces always exist over 2 rounds, and they can be extended to an arbitrary number of rounds, for any linear layer, provided that the round-constants are well chosen.As a consequence, for several ciphers like Rescue, or a variant of AES with a monomial Sbox, there exist some round-key sequences for which the cipher has an abnormally high differential uniformity, exceeding the size of the Sbox alphabet.Well-known security arguments, in particular based on the wide-trail strategy, have been reused in the AO setting by many designers. Unfortunately, our results show that such a traditional study may not be sufficient to guarantee security. To illustrate this, we present two new primitives (the tweakable block cipher Snare and the permutation-based hash function Stir) that are built using state-of-the-art security arguments, but which are actually deeply flawed. Indeed, the key schedule of Snare ensures the presence of a subspace chain that significantly simplifies an algebraic attack against it, and the round constants of Stir force the presence of a subspace chain aligned with the rate and capacity of the permutation. This in turns implies the existence of many easy-to-find solutions to the so-called CICO problem.","PeriodicalId":37077,"journal":{"name":"IACR Transactions on Symmetric Cryptology","volume":null,"pages":null},"PeriodicalIF":1.7000,"publicationDate":"2023-12-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IACR Transactions on Symmetric Cryptology","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.46586/tosc.v2023.i4.270-298","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, SOFTWARE ENGINEERING","Score":null,"Total":0}
引用次数: 0

Abstract

Motivated by progress in the field of zero-knowledge proofs, so-called Arithmetization-Oriented (AO) symmetric primitives have started to appear in the literature, such as MiMC, Poseidon or Rescue. Due to the design constraints implied by this setting, these algorithms are defined using simple operations over large (possibly prime) fields. In particular, many rely on simple low-degree monomials for their non-linear layers, essentially using x ↦ x3 as an S-box.In this paper, we show that the structure of the material injected in each round (be it subkeys in a block cipher or round constants in a public permutation) could allow a specific pattern, whereby a well-defined affine space is mapped to another by the round function, and then to another, etc. Such chains of one-dimensional subspaces always exist over 2 rounds, and they can be extended to an arbitrary number of rounds, for any linear layer, provided that the round-constants are well chosen.As a consequence, for several ciphers like Rescue, or a variant of AES with a monomial Sbox, there exist some round-key sequences for which the cipher has an abnormally high differential uniformity, exceeding the size of the Sbox alphabet.Well-known security arguments, in particular based on the wide-trail strategy, have been reused in the AO setting by many designers. Unfortunately, our results show that such a traditional study may not be sufficient to guarantee security. To illustrate this, we present two new primitives (the tweakable block cipher Snare and the permutation-based hash function Stir) that are built using state-of-the-art security arguments, but which are actually deeply flawed. Indeed, the key schedule of Snare ensures the presence of a subspace chain that significantly simplifies an algebraic attack against it, and the round constants of Stir force the presence of a subspace chain aligned with the rate and capacity of the permutation. This in turns implies the existence of many easy-to-find solutions to the so-called CICO problem.
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
具有单项式 Sboxes 的原语中子空间的传播:AES 的救援和变体应用
受零知识证明领域进展的推动,文献中开始出现所谓的面向算术化(AO)的对称基元,如 MiMC、波塞冬或救援。由于这种设置所隐含的设计限制,这些算法都是通过对大域(可能是素域)的简单运算来定义的。在本文中,我们展示了在每一轮中注入的材料的结构(无论是块密码中的子密钥还是公共排列中的轮常量)可以允许一种特定的模式,即通过轮函数将一个定义明确的仿射空间映射到另一个仿射空间,然后再映射到另一个仿射空间,等等。这种一维子空间链在两轮中始终存在,而且可以扩展到任意轮数,适用于任何线性层,前提是轮常数选择得当。因此,对于 Rescue 或具有单项式 Sbox 的 AES 变体等几种密码来说,存在一些轮钥序列,对于这些序列,密码具有异常高的微分均匀性,超过了 Sbox 字母的大小。不幸的是,我们的研究结果表明,这种传统研究可能不足以保证安全性。为了说明这一点,我们介绍了两个新的基元(可调整的块密码 Snare 和基于排列的哈希函数 Stir),它们都是利用最先进的安全论据构建的,但实际上却存在严重缺陷。事实上,Snare 的密钥时间表确保了子空间链的存在,从而大大简化了对它的代数攻击,而 Stir 的回合常数则迫使子空间链的存在与置换的速率和容量相一致。这反过来又意味着存在许多容易找到的所谓 CICO 问题的解决方案。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 去求助
来源期刊
IACR Transactions on Symmetric Cryptology
IACR Transactions on Symmetric Cryptology Mathematics-Applied Mathematics
CiteScore
5.50
自引率
22.90%
发文量
37
期刊最新文献
On Large Tweaks in Tweakable Even-Mansour with Linear Tweak and Key Mixing Revisiting Yoyo Tricks on AES Key Committing Security of AEZ and More Related-Key Differential Analysis of the AES Propagation of Subspaces in Primitives with Monomial Sboxes: Applications to Rescue and Variants of the AES
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1