Cryptology ePrint Archive: Report 2017/463

Proving Resistance against Invariant Attacks: How to Choose the Round Constants

Christof Beierle and Anne Canteaut and Gregor Leander and Yann Rotella

Abstract: Many lightweight block ciphers apply a very simple key schedule in which the round keys only differ by addition of a round-specific constant. Generally, there is not much theory on how to choose appropriate constants. In fact, several of those schemes were recently broken using invariant attacks, i.e., invariant subspace or nonlinear invariant attacks. This work analyzes the resistance of such ciphers against invariant attacks and reveals the precise mathematical properties that render those attacks applicable. As a first practical consequence, we prove that some ciphers including Prince, Skinny-64 and Mantis7 are not vulnerable to invariant attacks. Also, we show that the invariant factors of the linear layer have a major impact on the resistance against those attacks. Most notably, if the number of invariant factors of the linear layer is small (e.g., if its minimal polynomial has a high degree), we can easily find round constants which guarantee the resistance to all types of invariant attacks, independently of the choice of the S-box layer. We also explain how to construct optimal round constants for a given, but arbitrary, linear layer.

Category / Keywords: Block cipher, Nonlinear invariant attack, Invariant subspace attack, Linear layer, Round constants, Mantis, Midori, Prince, Skinny, LED

Original Publication (in the same form): IACR-CRYPTO-2017

Date: received 24 May 2017

Contact author: christof beierle at rub de, anne canteaut@inria fr, gregor leander@rub de, yann rotella@inria fr

Available format(s): PDF | BibTeX Citation

Version: 20170528:181843 (All versions of this report)

Short URL: ia.cr/2017/463

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]