Paper 2017/463

Proving Resistance against Invariant Attacks: How to Choose the Round Constants

Christof Beierle, Anne Canteaut, Gregor Leander, and Yann Rotella

Abstract

Many lightweight block ciphers apply a very simple key schedule in which the round keys only differ by addition of a round-specific constant. Generally, there is not much theory on how to choose appropriate constants. In fact, several of those schemes were recently broken using invariant attacks, i.e., invariant subspace or nonlinear invariant attacks. This work analyzes the resistance of such ciphers against invariant attacks and reveals the precise mathematical properties that render those attacks applicable. As a first practical consequence, we prove that some ciphers including Prince, Skinny-64 and Mantis7 are not vulnerable to invariant attacks. Also, we show that the invariant factors of the linear layer have a major impact on the resistance against those attacks. Most notably, if the number of invariant factors of the linear layer is small (e.g., if its minimal polynomial has a high degree), we can easily find round constants which guarantee the resistance to all types of invariant attacks, independently of the choice of the S-box layer. We also explain how to construct optimal round constants for a given, but arbitrary, linear layer.
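The abstract's criterion can be checked mechanically for a concrete linear layer. The following is an added worked example in Python, not code from the authors or the paper: it computes the smallest L-invariant subspace containing the XOR differences of a set of round constants (the paper's W_L(D); resistance to all invariant attacks is guaranteed, whatever the S-box layer, when that subspace is the whole space F_2^n), and the degree of the minimal polynomial of L, which bounds the dimension a single constant difference can reach. The two 8-bit linear layers and the round constants are constructed toy inputs: one is a companion matrix of an irreducible degree-8 polynomial (one invariant factor), the other is two identical 4-bit companion blocks (two invariant factors, minimal polynomial of degree 4). The number of invariant factors itself is not computed here; that needs a Smith normal form over F_2[x], and the minimal-polynomial degree is used as the abstract's proxy.

```python
"""Checking round constants against invariant attacks (added example).

Criterion from Beierle, Canteaut, Leander, Rotella (ePrint 2017/463):
let D be the set of differences c_i ^ c_j of the round constants and
W_L(D) the smallest L-invariant subspace of F_2^n containing D.
If W_L(D) = F_2^n, no (linear or nonlinear) invariant survives all rounds.

Vectors in F_2^n are Python ints (bit j = coordinate j). An n x n binary
matrix L is a list of n ints, L[j] being the image of basis vector e_j.
"""


def apply(L, x):
    """L(x) = XOR of the columns L[j] over all set bits j of x."""
    y, j = 0, 0
    while x:
        if x & 1:
            y ^= L[j]
        x >>= 1
        j += 1
    return y


class Span:
    """Basis of a subspace of F_2^n, one basis vector per pivot (highest) bit."""

    def __init__(self):
        self.basis = {}  # pivot bit -> basis vector whose highest set bit is that pivot

    def reduce(self, v):
        for p in sorted(self.basis, reverse=True):
            if v >> p & 1:
                v ^= self.basis[p]
        return v

    def add(self, v):
        """Insert v; return True if it enlarged the subspace."""
        v = self.reduce(v)
        if v == 0:
            return False
        self.basis[v.bit_length() - 1] = v
        return True

    def dim(self):
        return len(self.basis)


def invariant_closure(L, vectors):
    """Smallest L-invariant subspace containing `vectors` (Krylov closure)."""
    W, work = Span(), list(vectors)
    while work:
        v = work.pop()
        if W.add(v):          # every vector that enlarges W must have its image in W too
            work.append(apply(L, v))
    return W


def differences(constants):
    """All pairwise XOR differences of the round constants (the set D)."""
    return {a ^ b for a in constants for b in constants if a != b}


def resists_invariant_attack(L, constants, n):
    """True when W_L(D) is the full space, i.e. the paper's sufficient condition holds."""
    return invariant_closure(L, differences(constants)).dim() == n


def compose(L, M):
    """Matrix product L * M, column by column."""
    return [apply(L, col) for col in M]


def mat_to_int(M, n):
    return sum(col << (n * j) for j, col in enumerate(M))


def min_poly_degree(L, n):
    """Degree of the minimal polynomial of L: first k with L^k in span(I, ..., L^(k-1))."""
    S, M, k = Span(), [1 << j for j in range(n)], 0
    while S.add(mat_to_int(M, n)):
        M = compose(L, M)
        k += 1
    return k


# Constructed toy linear layers (n = 8 bits).
# L_FULL: companion matrix of x^8 + x^4 + x^3 + x + 1 (irreducible): e_j -> e_{j+1}, e_7 -> 0x1B.
L_FULL = [1 << (j + 1) for j in range(7)] + [0x1B]
# L_TWIN: two identical companion blocks of x^4 + x + 1 (e_3 -> e_0 + e_1), so two invariant factors.
_BLOCK = [0b0010, 0b0100, 0b1000, 0b0011]
L_TWIN = _BLOCK + [c << 4 for c in _BLOCK]

if __name__ == "__main__":
    print("min poly degree, L_FULL:", min_poly_degree(L_FULL, 8))      # 8
    print("min poly degree, L_TWIN:", min_poly_degree(L_TWIN, 8))      # 4
    # With L_TWIN, constants that differ identically in both halves never leave a 4-dim subspace.
    print("L_TWIN, constants 0x00,0x11,0x22:", resists_invariant_attack(L_TWIN, [0x00, 0x11, 0x22], 8))
    # Two differences that separate the halves span everything.
    print("L_TWIN, constants 0x00,0x01,0x10:", resists_invariant_attack(L_TWIN, [0x00, 0x01, 0x10], 8))
    # A single nonzero difference already suffices when the minimal polynomial is irreducible of degree n.
    print("L_FULL, constants 0x00,0x01:", resists_invariant_attack(L_FULL, [0x00, 0x01], 8))
```

The contrast between the two layers is the abstract's point: with L_FULL any single nonzero constant difference generates the whole space, whereas with L_TWIN (minimal polynomial of degree 4, two invariant factors) at least two suitably independent differences are needed, and a careless choice such as 0x11 and 0x22 leaves a 4-dimensional L-invariant subspace that an invariant attack could live in.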

Metadata
Available format(s)
PDF
Publication info
A minor revision of an IACR publication in CRYPTO 2017
DOI
10.1007/978-3-319-63715-0_22
Keywords
Block cipher, Nonlinear invariant attack, Invariant subspace attack, Linear layer, Round constants, Mantis, Midori, Prince, Skinny, LED
Contact author(s)
christof beierle @ rub de
anne canteaut @ inria fr
gregor leander @ rub de
yann rotella @ inria fr
History
2017-09-21: last of 2 revisions
2017-05-28: received
Short URL
https://ia.cr/2017/463
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2017/463,
      author = {Christof Beierle and Anne Canteaut and Gregor Leander and Yann Rotella},
      title = {Proving Resistance against Invariant Attacks: How to Choose the Round Constants},
      howpublished = {Cryptology {ePrint} Archive, Paper 2017/463},
      year = {2017},
      doi = {10.1007/978-3-319-63715-0_22},
      url = {https://eprint.iacr.org/2017/463}
}