Abstract

Designing cryptographic permutations and block ciphers using a substitution-permutation network (SPN) approach where the nonlinear part does not cover the entire state has recently gained attention due to favorable implementation characteristics in various scenarios. For word-oriented partial SPN (P-SPN) schemes with a fixed linear layer, our goal is to better understand how the details of the linear layer affect the security of the construction. In this paper, we derive conditions that allow us to either set up or prevent attacks based on infinitely long truncated differentials with probability 1. Our analysis is rather broad compared to earlier independent work on this problem, since we consider (1) both invariant and non-invariant/iterative trails, and (2) trails with and without active S-boxes. For these cases, we provide rigorous sufficient and necessary conditions that the matrix defining the linear layer must satisfy in order to prevent the analyzed attacks. On the practical side, we present a tool that can determine, based on these results, whether a given linear layer is vulnerable. Furthermore, we propose a sufficient condition for the linear layer that, if satisfied, ensures that no infinitely long truncated differential exists. This condition is related to the degree and the irreducibility of the minimal polynomial of the matrix that defines the linear layer. Besides P-SPN schemes, our observations may also have a crucial impact on the Hades design strategy, which mixes rounds with full S-box layers and rounds with partial S-box layers.

Highlights

  • Modern cryptography developed many techniques that go well beyond solving traditional confidentiality and authenticity problems in two-party communications

  • Focusing on partial substitution-permutation network (P-SPN) schemes which use the same linear layer in each round (e.g., Zorro [GGNPS13]), here we study the properties that the matrix defining the linear layer must satisfy in order to prevent infinitely long invariant subspace trails without active S-boxes.

  • Due to the fact that the nonlinear layer is only partial in partial substitution-permutation network (P-SPN) schemes, parts of the state go through the S-box layer unchanged
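The two highlights above describe the core check: since the S-box layer leaves the non-S-box words unchanged, a difference that is zero on every S-box word passes the nonlinear layer untouched, and the question becomes whether the linear layer can keep such a difference away from the S-box words forever. As an added example written for this page (not the authors' tool, and not code from the paper), the following Python decides that question for a fixed word-oriented linear layer M over a small prime field. The prime p = 7, the 4-word state, the single S-box at word 0 and the two sample matrices M_WEAK and M_SAFE are constructed assumptions chosen so the result can be checked by hand; the function names are mine. The decisive object is the largest M-invariant subspace contained in the inactive words, which by Cayley-Hamilton is the kernel of the stacked matrix [C; CM; ...; CM^(n-1)] with C selecting the S-box rows.

```python
"""Added example (not the paper's tool): does a fixed P-SPN linear layer admit
an infinitely long subspace trail with no active S-boxes?

Assumed model: the state is n words over GF(p); the linear layer is x -> M x
with M invertible; the S-box layer acts only on the word positions in
SBOX_POSITIONS and leaves the other words unchanged.  A difference v is
"inactive" when all of its S-box words are zero, and an inactive v passes the
S-box layer unchanged, so the trail continues as v, Mv, M^2 v, ...  It never
activates an S-box iff v lies in the largest M-invariant subspace inside the
inactive words.  By Cayley-Hamilton it is enough to require C M^i v = 0 for
i = 0 .. n-1 (C selects the S-box rows), so that subspace is the kernel of the
stacked matrix [C; CM; ...; CM^(n-1)].
"""
from typing import List, Optional, Sequence

Matrix = List[List[int]]


def mat_mul(a: Matrix, b: Matrix, p: int) -> Matrix:
    """Matrix product over GF(p)."""
    return [[sum(a[i][t] * b[t][j] for t in range(len(b))) % p
             for j in range(len(b[0]))] for i in range(len(a))]


def mat_vec(m: Matrix, v: Sequence[int], p: int) -> List[int]:
    """Matrix-vector product over GF(p)."""
    return [sum(r[j] * v[j] for j in range(len(v))) % p for r in m]


def nullspace_mod_p(a: Matrix, p: int) -> List[List[int]]:
    """Basis of {x : a x = 0} over GF(p), by Gauss-Jordan elimination."""
    rows = [[x % p for x in r] for r in a]
    ncols = len(rows[0])
    pivots: List[int] = []
    r = 0
    for c in range(ncols):
        if r == len(rows):
            break
        piv = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if piv is None:
            continue                      # no pivot in column c: free variable
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = pow(rows[r][c], -1, p)      # modular inverse (Python 3.8+)
        rows[r] = [(x * inv) % p for x in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c]:
                f = rows[i][c]
                rows[i] = [(x - f * y) % p for x, y in zip(rows[i], rows[r])]
        pivots.append(c)
        r += 1
    basis = []
    for free in (c for c in range(ncols) if c not in pivots):
        v = [0] * ncols
        v[free] = 1                       # one basis vector per free column
        for i, pc in enumerate(pivots):
            v[pc] = (-rows[i][free]) % p
        basis.append(v)
    return basis


def is_inactive(v: Sequence[int], sbox_positions: Sequence[int]) -> bool:
    """True if the difference v is zero on every S-box word."""
    return all(v[s] == 0 for s in sbox_positions)


def inactive_trail_subspace(m: Matrix, sbox_positions: Sequence[int], p: int) -> List[List[int]]:
    """Basis of the largest M-invariant subspace inside the inactive words.
    Nonzero iff an infinitely long subspace trail with no active S-box exists."""
    n = len(m)
    c = [[int(j == s) for j in range(n)] for s in sbox_positions]  # S-box rows
    power = [[int(i == j) for j in range(n)] for i in range(n)]      # M^0
    stacked: Matrix = []
    for _ in range(n):
        stacked.extend(mat_mul(c, power, p))                         # rows of C M^i
        power = mat_mul(power, m, p)
    return nullspace_mod_p(stacked, p)


def has_inactive_subspace_trail(m: Matrix, sbox_positions: Sequence[int], p: int) -> bool:
    return len(inactive_trail_subspace(m, sbox_positions, p)) > 0


def first_active_round(m: Matrix, v: Sequence[int], sbox_positions: Sequence[int],
                       p: int, max_rounds: int) -> Optional[int]:
    """Smallest i <= max_rounds such that M^i v is active on some S-box, else None."""
    x = list(v)
    for i in range(max_rounds + 1):
        if not is_inactive(x, sbox_positions):
            return i
        x = mat_vec(m, x, p)
    return None


P = 7                  # constructed toy field; real designs use GF(2^n) or a large prime
SBOX_POSITIONS = [0]   # one S-box per round, applied to word 0 only (assumption)

# Constructed weak layer: two independent 2x2 blocks, so words 2 and 3 never
# feed into word 0.  Invertible (each block has determinant 1 mod 7).
M_WEAK = [[1, 1, 0, 0],
          [1, 2, 0, 0],
          [0, 0, 1, 1],
          [0, 0, 1, 2]]

# Constructed companion-style layer (invertible): every nonzero difference in
# words 1..3 is shifted into word 0 within three rounds.
M_SAFE = [[0, 0, 0, 1],
          [1, 0, 0, 0],
          [0, 1, 0, 0],
          [0, 0, 1, 1]]

if __name__ == "__main__":
    for name, m in (("M_WEAK", M_WEAK), ("M_SAFE", M_SAFE)):
        basis = inactive_trail_subspace(m, SBOX_POSITIONS, P)
        print(name, "invariant inactive subspace of dimension", len(basis), basis)
```

For M_WEAK the kernel is spanned by the unit vectors of words 2 and 3, so any difference in those two words survives indefinitely with probability 1; for M_SAFE the stacked matrix has full rank and no such trail exists. Note that M_SAFE is a cyclic-shift-like matrix whose minimal polynomial is reducible, which illustrates that the paper's minimal-polynomial criterion is a sufficient condition, not a necessary one: the kernel computation is the exact test.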


Summary

Introduction

Modern cryptography has developed many techniques that go well beyond solving the traditional confidentiality and authenticity problems of two-party communication. This includes practical applications of secure multi-party computation (MPC), (fully) homomorphic encryption (FHE), and zero-knowledge (ZK) proofs that use symmetric primitives. Designs of symmetric primitives for these applications are usually guided by heuristics, such as simplifying their arithmetic representation, or by the observation that linear operations are much cheaper than nonlinear ones in these scenarios. The latter consideration also drives masking, a widespread countermeasure against side-channel attacks in which all computations are performed on shared secrets. Driven by all these application areas, many new symmetric primitives have recently been proposed.
