{"title":"Security analysis of P-SPN schemes against invariant subspace attack with inactive S-boxes","authors":"Bolin Wang, Wenling Wu","doi":"10.1007/s10623-024-01465-z","DOIUrl":null,"url":null,"abstract":"<p>The security requirements of new applications such as cloud computing, big data, and the Internet of Things have promoted the development and application of security protocols such as secure multi-party computation, fully homomorphic encryption, and zero-knowledge proof. In order to meet these demands, there is a need for new symmetric ciphers that minimize multiplications in <span>\\( {\\mathbb {F}}_{2^{n}} \\)</span> or <span>\\( {\\mathbb {F}}_{p} \\)</span>, where <i>p</i> is prime. One construction that addresses this demand is Partial SPN (P-SPN) construction, where the S-box layer is only applied to a portion of the state in each round. And there have been several research on the construction over the past years. The key to the design of P-SPN construction lies in the linear layers, but systematic exploration in this direction has been lacking in the existing work. In this work, we first establish a lower bound on the dimension of the maximal invariant subspace without active S-boxes for a generic P-SPN scheme. Subsequently, we concentrate on the linear layers of P-SPN construction. Through a meticulous examination of intriguing and beneficial characteristics for various matrices, we showcase that the security of a P-SPN scheme against invariant subspace attack depends on the degree of the minimal polynomial of the matrix. Inadequate choices of the matrices allow for large invariant subspaces that navigate any number of rounds without activating any S-boxes. A comprehensive proof for the Conjecture 1 proposed by Keller and Rosemarin is presented, which not only further improves the lower bound on the dimension of the maximal invariant subspace for the P-SPN rounds of STARKAD permutation, but also implies a lower bound on the dimension of the maximal invariant subspace for block matrices with special blocks. For a block circulant matrix with special blocks, a better annihilating polynomial exists and a lower bound on the dimension of the maximal invariant subspace can be identified. For circulant matrices and block circulant matrices with circulant blocks, we introduce methods to ascertain the range or exact value of the minimal polynomial degree. This determination advances the exploration of the invariant subspaces in these matrices. Especially if the number of S-Boxes in a P-SPN scheme is 1, we can attain the exact value of the dimension for the maximal invariant subspace. All the cases discussed here are invariant subspaces with inactive S-boxes. Our work intends to provide concise cryptanalytic methods for new proposals following P-SPN or HADES design principles. In addition, we derive a way to make sure that a circulant matrix <i>C</i> is resistant to invariant subspace attack with inactive S-boxes, thus providing design criteria for the construction of such matrices in the design of P-SPN schemes.\n</p>","PeriodicalId":11130,"journal":{"name":"Designs, Codes and Cryptography","volume":"35 1","pages":""},"PeriodicalIF":1.4000,"publicationDate":"2024-07-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Designs, Codes and Cryptography","FirstCategoryId":"100","ListUrlMain":"https://doi.org/10.1007/s10623-024-01465-z","RegionNum":2,"RegionCategory":"数学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, THEORY & METHODS","Score":null,"Total":0}
引用次数: 0
Abstract
The security requirements of new applications such as cloud computing, big data, and the Internet of Things have promoted the development and application of security protocols such as secure multi-party computation, fully homomorphic encryption, and zero-knowledge proof. In order to meet these demands, there is a need for new symmetric ciphers that minimize multiplications in \( {\mathbb {F}}_{2^{n}} \) or \( {\mathbb {F}}_{p} \), where p is prime. One construction that addresses this demand is Partial SPN (P-SPN) construction, where the S-box layer is only applied to a portion of the state in each round. And there have been several research on the construction over the past years. The key to the design of P-SPN construction lies in the linear layers, but systematic exploration in this direction has been lacking in the existing work. In this work, we first establish a lower bound on the dimension of the maximal invariant subspace without active S-boxes for a generic P-SPN scheme. Subsequently, we concentrate on the linear layers of P-SPN construction. Through a meticulous examination of intriguing and beneficial characteristics for various matrices, we showcase that the security of a P-SPN scheme against invariant subspace attack depends on the degree of the minimal polynomial of the matrix. Inadequate choices of the matrices allow for large invariant subspaces that navigate any number of rounds without activating any S-boxes. A comprehensive proof for the Conjecture 1 proposed by Keller and Rosemarin is presented, which not only further improves the lower bound on the dimension of the maximal invariant subspace for the P-SPN rounds of STARKAD permutation, but also implies a lower bound on the dimension of the maximal invariant subspace for block matrices with special blocks. For a block circulant matrix with special blocks, a better annihilating polynomial exists and a lower bound on the dimension of the maximal invariant subspace can be identified. For circulant matrices and block circulant matrices with circulant blocks, we introduce methods to ascertain the range or exact value of the minimal polynomial degree. This determination advances the exploration of the invariant subspaces in these matrices. Especially if the number of S-Boxes in a P-SPN scheme is 1, we can attain the exact value of the dimension for the maximal invariant subspace. All the cases discussed here are invariant subspaces with inactive S-boxes. Our work intends to provide concise cryptanalytic methods for new proposals following P-SPN or HADES design principles. In addition, we derive a way to make sure that a circulant matrix C is resistant to invariant subspace attack with inactive S-boxes, thus providing design criteria for the construction of such matrices in the design of P-SPN schemes.
期刊介绍:
Designs, Codes and Cryptography is an archival peer-reviewed technical journal publishing original research papers in the designated areas. There is a great deal of activity in design theory, coding theory and cryptography, including a substantial amount of research which brings together more than one of the subjects. While many journals exist for each of the individual areas, few encourage the interaction of the disciplines.
The journal was founded to meet the needs of mathematicians, engineers and computer scientists working in these areas, whose interests extend beyond the bounds of any one of the individual disciplines. The journal provides a forum for high quality research in its three areas, with papers touching more than one of the areas especially welcome.
The journal also considers high quality submissions in the closely related areas of finite fields and finite geometries, which provide important tools for both the construction and the actual application of designs, codes and cryptographic systems. In particular, it includes (mostly theoretical) papers on computational aspects of finite fields. It also considers topics in sequence design, which frequently admit equivalent formulations in the journal’s main areas.
Designs, Codes and Cryptography is mathematically oriented, emphasizing the algebraic and geometric aspects of the areas it covers. The journal considers high quality papers of both a theoretical and a practical nature, provided they contain a substantial amount of mathematics.