SpringerLink
Log in

Pitfalls and Shortcomings for Decompositions and Alignment

  • Conference paper
  • First Online:
Advances in Cryptology – EUROCRYPT 2023 (EUROCRYPT 2023)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14007))

Abstract

In this paper we, for the first time, study the question under which circumstances decomposing a round function of a Substitution-Permutation Network is possible uniquely. More precisely, we provide necessary and sufficient criteria for the non-linear layer on when a decomposition is unique. Our results in particular imply that, when cryptographically strong S-boxes are used, the decomposition is indeed unique. We then apply our findings to the notion of alignment, pointing out that the previous definition allows for primitives that are both aligned and unaligned simultaneously.

As a second result, we present experimental data that shows that alignment might only have limited impact. For this, we compare aligned and unaligned versions of the cipher PRESENT.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
EUR 32.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or Ebook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
EUR 29.95
Price includes VAT (Germany)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
EUR 85.59
Price includes VAT (Germany)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
EUR 106.99
Price includes VAT (Germany)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free ship** worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    https://csrc.nist.gov/Projects/lightweight-cryptography/finalists.

  2. 2.

    Thankfully, for the case of counting S-boxes those requirements lead to trivial bounds for the probability/absolute correlation of a differential/linear trail, no matter the decomposition.

  3. 3.

    The arguments are mainly based on the rational canonical form of the linear layer and this form might change when using linear equivalent S-boxes and modifying the linear layer accordingly.

  4. 4.

    In other words, the direct sum enables us to express every element \(x \in W\) as \(\sum _i x_i\) for unique \(x_i \in U_i\). Hence, \(\pi _j^U\) is the map** defined by \(x = \sum _i x_i \mapsto x_j\).

  5. 5.

    More precisely, we allow the subspaces to be equal to \(\mathbb {F}_2^{n}\) but not to be \(\{0\}\).

  6. 6.

    This version is equivalent to the one from [8] since \(T(U_i) = U_{\tau (i)}\) means that T is the composition of a \(\Pi _N\)-Shuffle and a \(\Pi _N\) aligned linear function. As the composition of a \(\Pi _{N'}\) aligned and a \(\Pi _N\) aligned function is obviously \(\Pi _{N'}\) aligned if \(\Pi _N \le \Pi _{N'}\), it is then enough to check that M is \(\Pi _{N'}\) aligned, with \(\Pi _{N'}\) being non-trivial. Since it is only important that \(\Pi _{N'}\) is non-trivial, this can be done by checking if \(M\left( \bigoplus _{i \in J} U_i\right) = \bigoplus _{i \in J} U_i\) and \(M\left( \bigoplus _{i \notin J} U_i\right) = \bigoplus _{i \notin J} U_i\) for some \(J \subset \{1,\dots ,m\}\), i. e.  checking for all possible \(\Pi _{N'}\) with two boxes.

  7. 7.

    The code we used to make these experiments is available at: https://doi.org/10.5281/zenodo.7660387.

  8. 8.

    Note that in the case of trivial intersections, we have that \(\pi _i^U \circ \pi _j^W \circ \pi _{l \ne i}^U = \pi _j^W \circ \pi _i^U \circ \pi _{l \ne i}^U = 0\), which means that \(F \circ \pi _i^U \circ \pi _j^W \circ \pi _{l \ne i}^U + F(0) = 0\).

References

  1. Aldaya, A.C., García, C.P., Brumley, B.B.: From A to Z: projective coordinates leakage in the wild. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2020(3), 428–453 (2020)

    Google Scholar 

  2. Baksi, A., et al.: DEFAULT: cipher level resistance against differential fault attack. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021. LNCS, vol. 13091, pp. 124–156. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92075-3_5

    Chapter  Google Scholar 

  3. Beierle, C., Canteaut, A., Leander, G., Rotella, Y.: Proving resistance against invariant attacks: how to choose the round constants. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 647–678. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_22

    Chapter  Google Scholar 

  4. Beierle, C., Leander, G., Moradi, A., Rasoolzadeh, S.: CRAFT: lightweight tweakable block cipher with efficient protection against DFA attacks. IACR Trans. Symmetric Cryptol. 2019(1), 5–45 (2019)

    Article  Google Scholar 

  5. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On alignment in Keccak. In: ECRYPT II Hash Workshop, vol. 51, pp. 122 (2011)

    Google Scholar 

  6. Biryukov, A., Shamir, A.: Structural cryptanalysis of SASAS. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 395–405. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_24

    Chapter  Google Scholar 

  7. Bogdanov, A., et al.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74735-2_31

    Chapter  Google Scholar 

  8. Bordes, N., Daemen, J., Kuijsters, D., Van Assche, G.: Thinking outside the superbox. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12827, pp. 337–367. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84252-9_12

    Chapter  Google Scholar 

  9. Canteaut, A., et al.: Saturnin: a suite of lightweight symmetric algorithms for post-quantum security. IACR Trans. Symmetric Cryptol. 2020(S1), 160–207 (2020)

    Article  MathSciNet  Google Scholar 

  10. Carlet, C.: Boolean Functions for Cryptography and Coding Theory. Cambridge University Press, Cambridge (2021)

    Google Scholar 

  11. Daemen, J., Massolino, P.M.C., Mehrdad, A., Rotella, Y.: The subterranean 2.0 cipher suite. IACR Trans. Symmetric Cryptol. 2020(S1), 262–294 (2020)

    Google Scholar 

  12. Daemen, J., Rijmen, V.: Plateau characteristics. IET Inf. Secur. 1(1), 11–17 (2007)

    Article  Google Scholar 

  13. Eichlseder, M., Kales, D.: Clustering related-tweak characteristics: application to MANTIS-6. IACR Trans. Symmetric Cryptol. 2018(2), 111–132 (2018)

    Article  Google Scholar 

  14. Flórez-Gutiérrez, A., Naya-Plasencia, M.: Improving key-recovery in linear attacks: application to 28-round PRESENT. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 221–249. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_9

    Chapter  MATH  Google Scholar 

  15. Hall-Andersen, M., Vejre, P.S.: Generating graphs packed with paths estimation of linear approximations and differentials. IACR Trans. Symmetric Cryptol. 2018(3), 265–289 (2018)

    Article  Google Scholar 

  16. Kündgen, A., Leander, G., Thomassen, C.: Switchings, extensions, and reductions in central digraphs. J. Comb. Theory Ser. A 118(7), 2025–2034 (2011)

    Google Scholar 

  17. Lambin, B., Leander, G., Neumann, P.: Pitfalls and shortcomings for decompositions and alignment (full version). Cryptology ePrint Archive, Paper 2023/240 (2023). https://eprint.iacr.org/2023/240

  18. Leander, G.: On linear hulls, statistical saturation attacks, PRESENT and a cryptanalysis of PUFFIN. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 303–322. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20465-4_18

    Chapter  Google Scholar 

  19. Leander, G., Rasoolzadeh, S.: Two sides of the same coin: weak-keys and more efficient variants of CRAFT. IACR Cryptology ePrint Archive, p. 238 (2021)

    Google Scholar 

  20. Liu, G., Qiu, W., Yi, T.: New techniques for searching differential trails in Keccak. IACR Trans. Symmetric Cryptol. 2019(4), 407–437 (2020)

    Article  Google Scholar 

  21. McCreesh, C., Prosser, P., Trimble, J.: The Glasgow subgraph solver: using constraint programming to tackle hard subgraph isomorphism problem variants. In: Gadducci, F., Kehrer, T. (eds.) ICGT 2020. LNCS, vol. 12150, pp. 316–324. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-51372-6_19

    Chapter  Google Scholar 

  22. Minaud, B., Derbez, P., Fouque, P.-A., Karpman, P.: Key-recovery attacks on ASASA. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 3–27. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48800-3_1

    Chapter  Google Scholar 

  23. Nyberg, K.: Differentially uniform map**s for cryptography. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 55–64. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48285-7_6

    Chapter  Google Scholar 

  24. Reis, T.B.S., Aranha, D.F., López, J.: PRESENT runs fast. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 644–664. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_31

    Chapter  Google Scholar 

  25. Shannon, C.E.: A mathematical theory of cryptography. Mathematical Theory of Cryptography (1945)

    Google Scholar 

  26. Song, L., Huang, Z., Yang, Q.: Automatic differential analysis of ARX block ciphers with application to SPECK and LEA. In: Liu, J.K., Steinfeld, R. (eds.) ACISP 2016, Part II. LNCS, vol. 9723, pp. 379–394. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-40367-0_24

    Chapter  Google Scholar 

Download references

Acknowledgment

This work was funded by the by the project Analysis and Protection of Lightweight Cryptographic Algorithms (432878529) and by DFG (German Research Foudation), under Germany’s Excellence Strategy - EXC 2092 CASA - 390781972.

Author information

Authors and Affiliations

  1. Ruhr University Bochum, Bochum, Germany

    Baptiste Lambin, Gregor Leander & Patrick Neumann

  2. University of Luxembourg, Esch-sur-Alzette, Luxembourg

    Baptiste Lambin

Authors
  1. Baptiste Lambin
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Gregor Leander
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Patrick Neumann
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Patrick Neumann .

Editor information

Editors and Affiliations

  1. Bar-Ilan University, Ramat Gan, Israel

    Carmit Hazay

  2. Simula UiB, Bergen, Norway

    Martijn Stam

Rights and permissions

Reprints and permissions

Copyright information

© 2023 International Association for Cryptologic Research

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Lambin, B., Leander, G., Neumann, P. (2023). Pitfalls and Shortcomings for Decompositions and Alignment. In: Hazay, C., Stam, M. (eds) Advances in Cryptology – EUROCRYPT 2023. EUROCRYPT 2023. Lecture Notes in Computer Science, vol 14007. Springer, Cham. https://doi.org/10.1007/978-3-031-30634-1_11

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-30634-1_11

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-30633-4

  • Online ISBN: 978-3-031-30634-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

Search

Navigation