A note on some algebraic trapdoors for block ciphers
Marco Calderini

TL;DR
This paper establishes conditions under which translation-based block ciphers are resistant to a specific algebraic trapdoor, highlighting limitations of group-based security assessments against such vulnerabilities.
Contribution
It provides new sufficient conditions to prevent partition-based trapdoors in translation-based ciphers and discusses the limitations of group analysis for security guarantees.
Findings
Identifies conditions ensuring resistance to partition-based trapdoors.
Shows that the group generated by the round functions may not guarantee security.
Extends understanding of algebraic vulnerabilities in block ciphers.
Abstract
We provide sufficient conditions to guarantee that a translation based cipher is not vulnerable with respect to the partition-based trapdoor. This trapdoor has been introduced, recently, by Bannier et al. (2016) and it generalizes that introduced by Paterson in 1999. Moreover, we discuss the fact that studying the group generated by the round functions of a block cipher may not be sufficient to guarantee security against these trapdoors for the cipher.
Key words and phrases:
Cryptography, primitive group, block cipher, trapdoors, group generated by round functions.
1991 Mathematics Subject Classification:
Primary: 94A60, 20B15; Secondary: 20B35.
Marco Calderini
Department of Informatics, University of Bergen, Norway
1. Introduction
In recent years, since the work [11] of Coppersmith and Grossman, much attention has been devoted to the group generated by the round functions of a block cipher. In this context, Paterson [17] showed that the imprimitivity of this group can be exploited to construct a trapdoor. By a trapdoor we mean a hidden algebraic structure in the cipher design that would allow an attacker (with knowledge of the trapdoor) to break it easily. In [9] Caranti, Dalla Volta and Sala introduced the definition of translation based cipher, a class which contains well-known ciphers like AES [12], SERPENT [1] and PRESENT [8]. For this class of ciphers, in [9] and [2], the authors provided cryptographic conditions on the S-boxes and the mixing layer that guarantee the primitivity of the group generated by the round functions of the cipher.
In a recent work [5], inspired by the partition cryptanalysis developed in [14], the authors introduced the partition-based trapdoor. This type of trapdoor generalizes the one introduced by Paterson. Moreover, the authors give an example of a (toy) block cipher which is not vulnerable to linear [16] and differential [7] attacks, but which can be broken easily using the structure of the trapdoor. A more sophisticated way to use such a weakness is given in [6].
The principal aim of this work is to investigate an open question left by Paterson in his work [17], namely whether it is possible to have the case where the round functions generate a primitive group but the subgroup generated by the -round cipher itself has a block structure. In particular, we want to find cryptographic properties that rule out such a threat.
In this work, we give some conditions on the S-boxes and the mixing layer of a translation based cipher, in order to avoid the partition-based trapdoor. From this result, we are able to give a security proof for the group of encryption functions of a cipher with independent round-keys.
The paper is organized as follows. In Section 2, we recall some definitions and a series of properties and already known results. In Section 3, we show how the partition-based trapdoor can be avoided in a translation based cipher. Finally, in Section 4, we discuss the fact that studying the group generated by the round functions of a block cipher may not be sufficient to guarantee security against these trapdoors for the cipher, and we show that by avoiding the partition-based trapdoor we can derive some properties of the group generated by an -round cipher with independent round-keys. We report our conclusions and some final remarks in Section 5.
2. Preliminaries and notation
Let  be a block cipher acting on a message space , for some  (we suppose that  coincides with the ciphertext space). Let  be its key space. Then any key  determines a permutation  on the space , and our cipher is given by the set
[TABLE]
We are interested in determining the properties of the group . Unfortunately, the study of  is a difficult task, in general. Most modern block ciphers are iterated ciphers, i.e., obtained by a composition of several key-dependent permutations, called rounds. This allows us to investigate another permutation group related to . For an iterated block cipher each  is a composition of some permutations of , say . For any round , let
[TABLE]
therefore, we can define the group containing generated by the round functions
[TABLE]
2.1. Translation based ciphers
Here we consider translation based ciphers, introduced in [9]. This class of iterated block ciphers includes some well-known ciphers, as for instance AES [12] and SERPENT [1].
We first fix the notation, in order to recall the definition of a translation based cipher . Let and
[TABLE]
where each  is isomorphic to . We will denote by  the symmetric group on . Given , we write  for the translation of  mapping  to . We denote by  the group of all translations of . We will write the action of  on an element  as .
For any , we will write , where . Also, we consider the projections  mapping .
Any  that acts as , for some , is called a bricklayer transformation (a “parallel map”) and each  is a brick. Traditionally, the maps  are called S-boxes and  a “parallel S-box”. A linear map  is traditionally called a “mixing layer” when used in composition with parallel maps. For any , with  and , we define  a wall.
Definition 2.1.
A linear map is called a proper mixing layer if no wall is invariant under .
We can characterize translation-based block ciphers by the following:
Definition 2.2 ([9]).
A block cipher over is called translation based (tb) if:
- it is the composition of a finite number of rounds, such that any round can be written as , where
  - is a round-dependent bricklayer transformation (but it does not depend on ) and ,
  - is a round-dependent linear map (but it does not depend on ),
  - is in and depends on both and the round ( is called a “round key”),
- for at least one round, called a “proper” round, we have (at the same time) that is proper and that the map given by is surjective.
The assumption is not restrictive. Indeed, we can always include in the round key addition of the previous round (see [9, Remark 3.3]).
Let , and let be a vectorial Boolean function. We denote by the derivative of in the direction of .
Definition 2.3.
Let be a vectorial Boolean function, for any we define
[TABLE]
Then, is said differentially -uniform if
[TABLE]
Vectorial Boolean functions used as S-boxes in block ciphers must have low differential uniformity to prevent differential cryptanalysis (see [7]). By [9, Fact 3], a differentially -uniform vectorial Boolean function satisfies
[TABLE]
Definition 2.4.
Let and , we say that is strongly -anti-invariant if, for any two subspaces and of such that , then either or .
2.2. Partition-based trapdoors
We recall that a permutation group  acting on  is called primitive if it has no nontrivial -invariant partition of . That is, there does not exist a partition  of  different from the trivial partitions , , such that  for all  and . On the other hand, if a nontrivial -invariant partition exists, the group is called imprimitive.
As said before, a property of  that is considered undesirable is imprimitivity. Paterson [17] showed that if this group is imprimitive, then it is possible to embed a trapdoor in the cipher.
Another trapdoor, based on the idea of the imprimitive action, is the partition-based trapdoor, introduced in a recent work [5]. In that work the authors give some conditions to construct a translation-based cipher which maps a partition of the plaintext space to another partition of the ciphertext space.
We report some of the definitions and results presented in [5].
Definition 2.5.
Let be a permutation of and be two partitions of . Let denote the set . We say that maps to if . Moreover, let be a permutation group we say that maps to if for all , maps to .
Remark 1.
Note that a permutation group is imprimitive if there exists a non-trivial partition such that for all .
Definition 2.6.
A partition  of  is said to be linear if there exists a subspace  of  such that
[TABLE]
We denote such a partition by .
The following result, introduced by Harpes in [14], characterizes the possible partitions and such that maps to .
Proposition 1.
Let and be two partitions of . Then the permutation group maps to if and only if and is a linear partition.
Focusing on the mixing layer, we have the following.
Proposition 2 ([5]).
Let be a linear permutation of , i.e. , and let be a subspace of . Then .
We now report the main theorem of [5]. In [5] the result is stated for an SPN cipher with the same S-box and mixing layer in each round, but it can be extended to any translation based cipher with independent round keys.
Theorem 2.7.
Let be a translation based cipher on . Suppose that there exist and non-trivial partitions such that for all -tuples of round-keys the encryption function maps to . Define and for , where is the -th round function without the round key translation. Then
- 
- for any ,  is a linear partition.
3. Avoiding the partition-based trapdoor
In this section we will give sufficient conditions on the components of a tb cipher to guarantee that such a trapdoor cannot be implemented.
Lemma 3.1.
Let  be a permutation on  such that  and suppose that  maps  to . Then for all
[TABLE]
Proof.
The fact that maps to and imply that . Moreover for all we have that . Then . This implies that
[TABLE]
for all and . ∎
From Lemma 3.1 we have the following.
Proposition 3.
Let be a brick-layer transformation, i.e. with for all . Suppose that for all is
- (1) differentially -uniform, with ,
- (2) strongly -anti-invariant.
Let  and  be non-trivial linear partitions of . Then  maps  to  if and only if  and  are walls; in particular, .
Proof.
Suppose that maps to and that is not a wall. Then let . There exists such that because is not a wall. Moreover . Indeed, let , with . For all such that for all we have that
[TABLE]
from Lemma 3.1. Moreover . It follows that . The vector  has all components nonzero except for the one in , which is . As  is a brick layer transformation, if , then . So, if the vector  is zero for all , then , of size 1. This contradicts the first condition on the ’s.
Thus  is a proper subspace of  and  is also a proper subspace of . Since  for all , we have  for all . Thus, for any non-zero ,  is greater than or equal to  and, being  a permutation, the set  does not contain the zero vector, which implies . This contradicts the second condition on the ’s. Then,  is a wall and, since  is a parallel map, we have .
Conversely, consider any wall ; as  is a parallel map, it is easy to check that  maps  to itself. ∎
The following definition was introduced in [2].
Definition 3.2.
Let . Then  is said to be a strongly proper mixing layer if it does not map a proper wall to another wall.
We define a strongly-proper round of a tb cipher as a proper round, where the mixing-layer is also strongly proper.
Theorem 3.3.
Let round  be a strongly proper round and suppose that the brick-layer transformations of round  and round ,  and , satisfy Conditions 1) and 2) of Proposition 3. Then there do not exist  and non-trivial partitions  such that for all -tuples of round keys the encryption functions map  to .
Proof.
Suppose that the partition-based trapdoor is applicable for all -tuples of round keys. From Theorem 2.7 we have that there exist two linear partitions  and  such that  maps  to . Thus  maps  to . From Proposition 3 we have that  is a wall, and the same holds for . Now, being  strongly proper, we have that  is not a wall. Then from Theorem 2.7 we have that  maps  to another linear partition, but this is not possible since  is not a wall, and this contradicts Proposition 3. ∎
The result of Theorem 3.3 can be generalized using a weaker condition on the mixing layers composing the round functions. Consider, for example, the mixing layer of AES. This is not strongly proper, as there exists a wall which is sent to another wall. Indeed, the state of AES can be represented as a  matrix of bytes (Table 1). That is, , where  is isomorphic to .
The mixing layer of AES is composed of two linear functions, ShiftRows (SR) and MixColumns (MC). The ShiftRows transformation acts in such a way that a wall is sent to another wall; in particular,  is sent to .
Now, as MixColumns combines the blocks of the same column of the state, we have that  (which is the first column of the state) is sent to itself (Table 2). However, the previous attack cannot be applied to AES, as the mixing layer satisfies the following property.
Definition 3.4.
Let be the mixing-layers used in a tb cipher with rounds. We say that the ordered family is strongly proper if for all possible non-trivial wall there exists such that is not a wall.
Corollary 1.
Let be a tb cipher with strongly proper and for each round the parallel map satisfies the conditions of Proposition 3. Then the partition-based trapdoor is not applicable.
Proof.
Suppose that the partition-based trapdoor is applicable. From Theorem 2.7 we have that each round function  (without the translation by the round key) maps a linear partition  into . From Lemma 3.1 the space  is a wall for all . Then, being  a parallel map and , we have
[TABLE]
for all .
Since is strongly proper, there exists such that is not a wall, which contradicts the fact that is a wall for all . ∎
It may seem that the previous corollary requires strong conditions on the mixing layers and on the S-boxes. We show that the requirement on the mixing layers is necessary.
Proposition 4.
Let be a tb cipher, with not strongly proper. Then the partition trapdoor is applicable.
Proof.
Because  is not strongly proper, there exists a proper wall  such that  is a wall for all . Now, since the  is a parallel map, we have that for all walls  and
[TABLE]
which concludes the proof. ∎
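To make the wall conditions of this section concrete, here is a small added Python example (not code from the paper): on a toy tb cipher with two 3-bit bricks it checks Definitions 2.1, 3.2 and 3.4 for two mixing layers and shows the Proposition 3 behaviour of the parallel S-box layer on a linear partition whose subspace is, or is not, a wall. The brick size, the inverse S-box over GF(2^3), the two mixing layers, and the reading of Definition 3.4 as "push each wall through the layers in round order" (taken from the proof of Corollary 1) are all assumptions of the example.

```python
# Wall and mixing-layer checks for a toy translation-based (tb) cipher on
# V = GF(2)^(N*M): constructed example, not code from the paper.
from itertools import combinations

M, N = 3, 2                       # bits per brick, number of bricks (assumed)
SIZE = 1 << (N * M)               # |V| = 64
MASK = (1 << M) - 1

def brick(x, j):                  # projection of x onto brick j
    return (x >> (j * M)) & MASK

def wall(bricks):
    """Wall W_S: vectors whose bricks outside S are zero (Section 2.1)."""
    return frozenset(x for x in range(SIZE)
                     if all(brick(x, j) == 0 for j in range(N) if j not in bricks))

WALLS = {wall(S) for r in range(N + 1) for S in combinations(range(N), r)}
PROPER_WALLS = [W for W in WALLS if 1 < len(W) < SIZE]   # nontrivial and proper

def image(f, U):
    return frozenset(f(x) for x in U)
def is_wall(U):
    return frozenset(U) in WALLS

def is_proper(lam):               # Definition 2.1: no nontrivial wall is invariant
    return all(image(lam, W) != W for W in PROPER_WALLS)

def is_strongly_proper(lam):      # Definition 3.2: no proper wall lands on a wall
    return all(not is_wall(image(lam, W)) for W in PROPER_WALLS)

def family_strongly_proper(lams):
    """Definition 3.4, read as in the proof of Corollary 1: push each proper
    wall through lambda_1, lambda_2, ... in round order; the family is
    strongly proper if every wall is eventually sent to a non-wall."""
    def escapes(W):
        for lam in lams:
            W = image(lam, W)
            if not is_wall(W):
                return True
        return False
    return all(escapes(W) for W in PROPER_WALLS)

def linear_partition(U):          # L(U) of Definition 2.6: the cosets of U
    return {frozenset(u ^ v for u in U) for v in range(SIZE)}

def maps_to_linear_partition(f, U):
    """Does f send L(U) to some linear partition (Definition 2.5)?  The only
    candidate is L(f(U)), because f(U) is the block containing f(0)."""
    blocks = {image(f, B) for B in linear_partition(U)}
    return blocks == linear_partition(image(f, U))

# Constructed components: inverse S-box over GF(2^3) and two mixing layers.
INV = [0, 1, 5, 6, 7, 2, 3, 4]    # x -> x^-1 in GF(2^3) mod x^3 + x + 1, inv(0) = 0

def gamma(x):                     # parallel S-box (brick-layer transformation)
    return sum(INV[brick(x, j)] << (j * M) for j in range(N))

def mul_alpha(b):                 # b * alpha in GF(2^3) mod x^3 + x + 1
    b <<= 1
    return b ^ 0b1011 if b & 0b1000 else b

def lam_swap(x):                  # (x1, x2) -> (x2, x1): proper but not strongly proper
    return brick(x, 1) | (brick(x, 0) << M)

def lam_mix(x):                   # (x1, x2) -> (x1 + x2, x1 + alpha*x2): strongly proper
    x1, x2 = brick(x, 0), brick(x, 1)
    return (x1 ^ x2) | ((x1 ^ mul_alpha(x2)) << M)

if __name__ == "__main__":
    for name, lam in (("swap", lam_swap), ("mix", lam_mix)):
        print(name, "proper:", is_proper(lam), "strongly proper:", is_strongly_proper(lam),
              "| gamma keeps L(lam(V1)) linear (Prop. 3):",
              maps_to_linear_partition(gamma, image(lam, wall({0}))))
    print("family (swap, swap):", family_strongly_proper([lam_swap, lam_swap]))
    print("family (swap, mix): ", family_strongly_proper([lam_swap, lam_mix]))
```

The swap layer sends the wall V1 to the wall V2, so the S-box layer keeps the resulting linear partition linear and the chain of Theorem 2.7 continues; the mixing layer sends V1 to a non-wall subspace, and the S-box layer then destroys linearity, which is the obstruction Proposition 3 describes.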
4. Security proof for a cipher with independent round-keys
In this section we discuss the fact that studying the group  to understand the security of a block cipher may not be enough.
We report an example of block cipher whose components satisfy the cryptographic properties given in [2] sufficient to thwart the trapdoor introduced by Paterson [17], but that is weak with respect to the partition-based trapdoor.
Let , , with  and  be the inverse permutation for all , i.e.  (using the representation as a univariate polynomial). Consider the following mixing layer
[TABLE]
where is the identity matrix of size . It is easy to check that is a proper mixing-layer but not strongly proper.
Consider now the linear partitions , and suppose we have  rounds, in each of which we use  and . From [2, Theorem 3.1],  is primitive, but each encryption function  maps  to , where  is the permutation of  such that  for all  and .
Obviously, the mixing-layer is not interesting from a cryptographic point of view. We use this only as an example to show that if is primitive this does not guarantee security on . Moreover, if we use a number of rounds such that for some , then is primitive and the group is imprimitive.
As we pointed out in Section 2, it would be interesting to study the group . However, this group depends strongly on the key-schedule used to create the round-keys. For this reason, usually, we study the properties of the group  (see for instance [4, 13, 19, 20, 21]). But, as we showed above, even if the group  is considered secure, the group  may not be secure with respect to the trapdoors considered here. Then, we think that it is better to consider and study the group of a cipher obtained using independent round-keys, that is,
[TABLE]
where, letting , is the encryption function obtained using as round-key at round . Clearly, is such that
[TABLE]
We can summarize the results obtained in this work for in the following:
Theorem 4.1.
Let be a tb cipher. Suppose that one of the following properties is satisfied:
- (1) there exists a round  which is a strongly proper round and the brick-layer transformations ,  satisfy Conditions 1) and 2) of Proposition 3, or
- (2) the family  is strongly proper and for each round the parallel map  satisfies Conditions 1) and 2) of Proposition 3.
Then the partition-based trapdoor is not applicable. Moreover, is primitive.
Proof.
From Theorem 3.3 (or Corollary 1) we have that there do not exist two partitions and such that for all . Moreover, the group is imprimitive if and only if there exists a partition such that for all (see Remark 1), which is a particular case where the partition-based trapdoor is applicable. ∎
5. Conclusions and final remarks
An interesting open problem proposed by Paterson [17] was to investigate whether it is possible to construct a block cipher such that the group  is primitive, but the resulting cipher is weak with respect to the imprimitive trapdoor. As we pointed out in Section 4, it may happen that the cipher is vulnerable even if the group generated by the round functions turns out to be primitive. For this reason, here we studied the group generated by the cipher with independent round keys. We think that studying algebraic properties of this group could be more appropriate for investigating security properties of a cipher. In particular, we gave sufficient conditions on the components of a cipher , so that the partition trapdoor given in [5] cannot be applied to the encryption functions generating . As a consequence, we also obtained the primitivity of the group .
Note that this type of trapdoor can be easily avoided. Indeed, as noted in [2], for an invertible vectorial Boolean function, being strongly -anti-invariant is equivalent to having no linear components (i.e. the nonlinearity is greater than [math]). Such a property is usually required of the S-boxes of a cipher to avoid linear cryptanalysis [16]. Moreover, to achieve good diffusion we need the mixing layer to satisfy the condition given in Definition 3.4. Therefore, from Theorem 4.1, sufficient conditions to thwart the partition trapdoor are:
- S-boxes with differential -uniformity  and nonlinearity different from [math].
- strongly proper mixing layers (or mixing layers satisfying the condition in Definition 3.4).
For well-known ciphers like AES, PRESENT and SERPENT these two characteristics are satisfied.
In the work [6], the authors give a method to construct the S-boxes of a block cipher so as to make the partition trapdoor possible (see Section 3 in [6]). Using their method they construct a cipher, with S-boxes defined over , which is weak with respect to their trapdoor. It is possible to check that such a cipher cannot be attacked using classical linear and differential cryptanalysis. However, as the same authors state, the structure of its linear and differential tables is likely to betray the existence of a backdoor and can be used to find it. For this reason they devise another attack, perturbing the S-boxes of the cipher in order to strengthen it. These new S-boxes “behave” similarly to their secret counterparts, meaning that the output of a perturbed S-box is with high probability equal to the output of the corresponding non-perturbed S-box.
The mixing layer used in this block cipher is similar to the AES mixing layer; in particular, we can check that the condition in Definition 3.4 is satisfied. The perturbed S-boxes are at most differentially -uniform (and thus -uniform). So, if we want to check whether the properties of Theorem 4.1 are satisfied, we need to check whether  is strongly -anti-invariant. This computation could be possible, but quite long. So we could verify the resistance of the block cipher to the partition trapdoor in another way.
In Theorem 4.1 we use the differential uniformity of the S-boxes to say that  is greater than . So, we could generalize the first condition in Proposition 3 as follows.
- (1’)  for all nonzero .
Note that this condition is pretty similar to the weak differential uniformity introduced in [10] and also studied in [3].
Using this fact, we have, for the case of the perturbed S-boxes of the cipher, that . So, we can check whether the S-boxes are strongly -anti-invariant. This check is much easier; indeed, we need to check whether vector subspaces of dimension at least  are mapped onto another vector subspace. Using the software MAGMA it is now possible to check that all the S-boxes of the cipher are strongly -anti-invariant, which implies that the cipher is secure with respect to the trapdoor. Then, using only the analysis reported in this work, we cannot detect the backdoor introduced in [6]. However, the high differential uniformity of the S-boxes could raise some suspicion, suggesting the existence of a backdoor.
So it is a very interesting open problem to understand which cryptographic properties can be useful to avoid also the attack with perturbed S-boxes.
Another required property for a cipher is that the group generated by the encryption functions is not “small” (see for instance [15]). Usually, this property is investigated for the group of the round functions ([4, 13, 19]). With an ad hoc proof, in [21] and [20] Wernsdorf proved respectively that  and , where  is the alternating group. In [2, 10], conditions are given for tb ciphers so that  is the symmetric (alternating) group.
In the case of ciphers like AES and PRESENT, where the same S-box and mixing layer are used in each round, we have that  is normal in  (see for instance [4, Lemma 3.4]), so if  is the symmetric (alternating) group we have . However, this is no longer the case for ciphers like, e.g., SERPENT, where the S-box used depends on the round. Then, it may happen that the group of the round functions generates the symmetric (alternating) group, while the group generated by the encryption functions does not.
Moreover, the condition that  is the symmetric (alternating) group does not, by itself, guarantee that the cipher is secure with respect to the trapdoor studied in this work. Indeed, if we consider the example of the cipher given in Section 4, adding a strongly proper mixing layer at the last round we obtain that  is the alternating group. This is implied by Theorem 4.7 in [2]. However, as in Section 4, such a cipher can be broken using the partition-based trapdoor. Another example of a weak cipher having  is given in [18].
Another interesting direction for future research is to investigate assumptions on the components of a cipher which can guarantee that the group  is the symmetric (alternating) group.
References
[1] R. Anderson, E. Biham, L. Knudsen, SERPENT: A New Block Cipher Proposal, in: Fast Software Encryption, LNCS 1372, Springer, Berlin (1998), 222–238.
[2] R. Aragona, M. Calderini, A. Tortora, M. Tota, Primitivity of PRESENT and other lightweight ciphers, Journal of Algebra and Its Applications, Online Ready (2017), 1–18.
[3] R. Aragona, M. Calderini, D. Maccauro, M. Sala, On weak differential uniformity of vectorial Boolean functions as a cryptographic criterion, Appl. Algebra Engrg. Comm. Comput. 27 (2016), 359–372.
[4] R. Aragona, A. Caranti, M. Sala, The group generated by the round functions of a GOST-like cipher, Ann. Mat. Pura Appl. 196 (2016), 1–17.
[5] A. Bannier, N. Bodin, E. Filiol, Partition-Based Trapdoor Ciphers, preprint, https://eprint.iacr.org/2016/493.pdf.
[6] A. Bannier, E. Filiol, Partition-Based Trapdoor Ciphers, InTech, 2017.
[7] E. Biham, A. Shamir, Differential cryptanalysis of DES-like cryptosystems, Journal of Cryptology 4 (1991), 3–72.
[8] A. Bogdanov, L. R. Knudsen, G. Leander, C. Paar, A. Poschmann, M. J. B. Robshaw, Y. Seurin, C. Vikkelsoe, PRESENT: An ultra-lightweight block cipher, in: Proc. of CHES 2007, LNCS 4727, Springer (2007), 450–466.
