Improving the security and efficiency of block ciphers based on LS-designs

Abstract

LS-designs are a family of bitslice ciphers aiming at efficient masked implementations against side-channel analysis. This paper discusses their security against invariant subspace attacks, and describes an alternative family of eXtended LS-designs (XLS-designs), that enables additional options to prevent such attacks. LS- and XLS-designs provide a large family of ciphers from which efficient implementations can be obtained, possibly enhanced with countermeasures against physical attacks. We argue that they are interesting primitives in order to discuss the general question of “how simple can block ciphers be?”.

Appendices

Appendix: Specifications of \(\mathsf {Mysterion}\)’s components

1.1 \(\mathsf {Mysterion}\) S-box

1.2 \(\mathsf {Mysterion}\) L-box

$$\begin{aligned} C= \begin{pmatrix} 0 &{} 1 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\\ 0 &{} 0 &{} 1 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0\\ 0 &{} 0 &{} 0 &{} 1 &{} 0 &{} 0 &{} 0 &{} 0\\ 0 &{} 0 &{} 0 &{} 0 &{} 1 &{} 0 &{} 0 &{} 0\\ 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 1 &{} 0 &{} 0\\ 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 1 &{} 0\\ 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 1\\ 1 &{} \alpha ^3 &{} \alpha ^4 &{} \alpha ^{12} &{} \alpha ^8 &{} \alpha ^{12} &{} \alpha ^4 &{} \alpha ^3 \end{pmatrix}, C^8= \begin{pmatrix} 1 &{} \alpha ^3 &{} \alpha ^4 &{} \alpha ^{12} &{} \alpha ^8 &{} \alpha ^{12} &{} \alpha ^4 &{} \alpha ^3 \\ \alpha ^3 &{} \alpha ^{13} &{} \alpha ^4 &{} \alpha &{} 1 &{} \alpha ^2 &{} \alpha ^2 &{} \alpha ^{12} \\ \alpha ^{12} &{} \alpha ^{14} &{} \alpha ^{12} &{} \alpha ^{14} &{} \alpha ^2 &{} \alpha ^7 &{} \alpha ^5 &{} \alpha ^8 \\ \alpha ^{8} &{} 1 &{} \alpha ^{5} &{} \alpha ^{14} &{} \alpha ^{7} &{} \alpha &{} \alpha ^{2} &{} \alpha ^{3} \\ \alpha ^{3} &{} \alpha ^{14} &{} \alpha ^{9} &{} \alpha ^{10} &{} \alpha ^{10} &{} \alpha ^{9} &{} \alpha ^{14} &{} \alpha ^{3} \\ \alpha ^{3} &{} \alpha ^{2} &{} \alpha &{} \alpha ^{7} &{} \alpha ^{14} &{} \alpha ^{5} &{} 1 &{} \alpha ^{8} \\ \alpha ^{8} &{} \alpha ^{5} &{} \alpha ^{7} &{} \alpha ^{2} &{} \alpha ^{14} &{} \alpha ^{12} &{} \alpha ^{14} &{} \alpha ^{12} \\ \alpha ^{12} &{} \alpha ^{2} &{} \alpha ^{2} &{} 1 &{} \alpha &{} \alpha ^{4} &{} \alpha ^{13} &{} \alpha ^{3} \\ \end{pmatrix}. \end{aligned}$$

C is the companion matrix of the polynomial defined in Sect. 4.1. \(C^8\) is the underlying matrix of the \(\mathsf {Mysterion}\) \(\mathsf {L}\)-box.

1.3 \(\mathsf {ShiftColumns}\) of Mysterion-256

Proofs for the bound of the number of active \(\mathsf {S}\)-boxes

Proof of Theorem 2

The internal state of Mysterion-256 can be seen as a square, since the number of blocks is equal to the number of columns in a block in this case. Therefore, the proof directly results from the Four-Round Propagation Theorem of the AES Rijndael given in [10]. That is, the number of active S-boxes over four rounds of Mysterion-256 is lower bounded by the square of the branch number of the \(\mathsf {L}\)-box, which corresponds to \(9^2 = 81\) active \(\mathsf {S}\)-boxes (See Fig. 4).\(\square \)

Fig. 4

\(\mathsf {ShiftColumns}\) of Mysterion-256

Proof of Theorem 1

Contrary to Mysterion-256, we cannot directly use the Four-Round Propagation Theorem of the AES to lower bound the number of active S-boxes in Mysterion-128, since its number of columns is larger than its number of blocks (i.e. the state is no longer a square). However, similar bounds can be deduced from a modified version of the theorem proven in [10]. We show in the following how Mysterion-128 can fulfill the hypotheses of this theorem with a simple rearrangement of its operations. For this purpose, we first need to set some definitions and notations. First, a bundle is a 4-bit word and corresponds to a column in the representation of the internal state of Mysterion-128. We denote by \(\mathcal {L}\) the application of the \(\mathsf {L}\)-box on each block of the state, which are divided into four independent parts of eight bundles each. We call this partition of the bundles \(\Xi \). Mysterion-128 is a key-alternating block cipher and iteratively applies the same round function, composed of an \(\mathsf {S}\)-box layer, an \(\mathsf {L}\)-box layer, a \(\mathsf {ShiftColumns}\) layer, and key and round constant additions. As the latter do not influence the number of active S-boxes, we will omit them in the following. Based on this, four rounds of Mysterion-128 can then be written as:

$$\begin{aligned}&\mathsf {ShiftColumns} \circ \mathcal {L} \circ \mathsf {S}\circ \mathsf {ShiftColumns} \circ \mathcal {L} \circ \mathsf {S}\circ \mathsf {ShiftColumns} \circ \mathcal {L} \circ \mathsf {S}\circ \nonumber \\&\quad \mathsf {ShiftColumns} \circ \mathcal {L} \circ \mathsf {S}. \end{aligned}$$

We next reorganise these operations in order to highlight a particular structure of the linear transformation for 4 rounds, which allows a simpler analysis. More precisely, since \(\mathsf {ShiftColumns}\) commutes with \(\mathsf {S}\), we have the following equivalent definition of four rounds of Mysterion-128:

$$\begin{aligned}&\mathsf {ShiftColumns} \circ \mathcal {L} \circ \mathsf {ShiftColumns} \circ \mathsf {S}\circ \mathcal {L} \circ \mathsf {S}\circ \\&\quad \mathsf {ShiftColumns} \circ \mathcal {L} \circ \mathsf {ShiftColumns} \circ \mathsf {S}\circ \mathcal {L} \circ \mathsf {S}. \end{aligned}$$

Thanks to this representation, we easily identify two different transformations \(\tau ^a = \mathcal {L} \circ S\) and \(\tau ^b = \mathbf {L} \circ S\), where \(\mathbf {L} = \mathsf {ShiftColumns} \circ \mathcal {L} \circ \mathsf {ShiftColumns}\). Then four rounds of Mysterion-128 are the alternation of \(\tau ^a\) and \(\tau ^b\):

$$\begin{aligned} \tau ^a \circ \tau ^b \circ \tau ^a \circ \tau ^b. \end{aligned}$$

Figure 5 summarizes our notations and modified representation of Mysterion-128.\(\square \)

Fig. 5

Two equivalent representations of four rounds of Mysterion-128

We finally exploit the following theorem from [10]:

Theorem 3

For a key alternating block cipher with round tranformations \(\tau ^a\) and \(\tau ^b\), the number of active S-boxes of any trail over

$$\begin{aligned} \tau ^b \circ \tau ^a \circ \tau ^b \circ \tau ^a \end{aligned}$$

is lower bounded by \(\mathcal {B}(\mathcal {L}) \times \mathcal {B}(\mathbf {L},\Xi )\), where \(\mathcal {B}(\mathcal {L})\) is the branch number of the linear transformation \(\mathcal {L}\) and \(\mathcal {B}(\mathbf {L},\Xi )\) is the branch number of the linear transformation \(\mathbf {L}\) with respect to the partition of the bundles \(\Xi \).

The branch number of \(\mathcal {L}\) is 9 (the \(\mathsf {L}\)-box of \(\mathsf {Mysterion}\) is an MDS code \([16,8,9]_{\mathbb {F}_{2^4}}\)). The partition \(\Xi \) divide the state into the 4 blocks. We say a block is active when it has at least one active (i.e non zero) bundle. As the \(\mathsf {ShiftColumns}\) operation spreads two bundles of each block into other blocks, and as \(\mathcal {L}\) is MDS, we have that the minimum number of input/output active blocks, therefore the branch number of \(\mathbf {L}\) with respect to the partition \(\Xi \), is 5. As a result, the number of active S-boxes over four rounds is lower bounded by \(9\times 5 = 45\).