A note on some algebraic trapdoors for block ciphers

We provide sufficient conditions guaranteeing that a translation based cipher is not vulnerable to the partition-based trapdoor. This trapdoor was recently introduced by Bannier et al. (2016) and generalizes the one introduced by Paterson in 1999. Moreover, we discuss the fact that studying the group generated by the round functions of a block cipher may not be sufficient to guarantee the security of the cipher against these trapdoors.


1. Introduction.

In the last years, since the work [7] of Coppersmith and Grossman, much attention has been devoted to the group generated by the round functions of a block cipher. In this context, Paterson [9] showed that the imprimitivity of this group can be exploited to construct a trapdoor. By a trapdoor we mean a hidden algebraic structure in the cipher design that would allow an attacker (with knowledge of the trapdoor) to break it easily. In [2] Caranti, Dalla Volta and Sala introduced the class of translation based ciphers, which contains well-known ciphers like AES [4], SERPENT [5] and PRESENT [6]. For this class of ciphers, in [2] and [10], the authors provided cryptographic conditions on the S-boxes and the mixing layer in order to guarantee the primitivity of the group generated by the round functions of the cipher.
In a recent work [11], inspired by the partition cryptanalysis developed in [12], the authors introduced the partition-based trapdoor. This type of trapdoor generalizes the one introduced by Paterson. Moreover, the authors give an example of a (toy) block cipher which is not vulnerable to linear and differential attacks, but that can easily be broken using the structure of the trapdoor.
In this work, we give some conditions on the S-boxes and the mixing layer of a translation based cipher that avoid this new trapdoor. From this result we are able to give a security proof for the group of encryption functions of a cipher with independent round keys. In fact, it may happen that the group generated by the round functions is considered secure, while the group of encryption functions with independent round keys is not.
The paper is organized as follows. In Section 2, we recall some definitions and a series of properties and already known results. In Section 3, we show how the partition-based trapdoor can be avoided in a translation based cipher. Finally, in Section 4, we discuss the fact that studying the group generated by the round functions of a block cipher may not be sufficient to guarantee security against these trapdoors. We report our conclusions in Section 5.

2. Preliminaries and notation.

Let C be a block cipher acting on a message space V = (F_2)^d, for some d ≥ 1 (we suppose that V coincides with the ciphertext space). Let K be its key space. Then any key k ∈ K individuates a permutation τ_k on the space V, and our cipher is given by the set of permutations {τ_k | k ∈ K}. We are interested in determining the properties of the group Γ(C) = ⟨τ_k | k ∈ K⟩. Unfortunately, the study of Γ(C) is a difficult task in general. Most modern block ciphers are iterated ciphers, i.e., obtained by a composition of several key-dependent permutations, called rounds. This allows us to investigate another permutation group related to C. For an iterated block cipher C each τ_k is a composition of some permutations of V, say τ_{k,1}, ..., τ_{k,ℓ}, called the round functions. Therefore we can define the group Γ_∞(C), generated by all the round functions, which contains Γ(C).

2.1. Translation based ciphers.

Here we consider translation based ciphers, introduced in [2]. This class of iterated block ciphers includes some well-known ciphers, for instance AES and SERPENT. We first fix the notation in order to recall the definition of a translation based cipher C. Let m, b > 1 and V = V_1 ⊕ ··· ⊕ V_b, where each V_i is isomorphic to (F_2)^m. We denote by Sym(V) the symmetric group on V. Given v ∈ V, we write σ_v ∈ Sym(V) for the translation of V mapping x to x + v. We denote by T(V) the group of all translations of V. We write the action of g ∈ Sym(V) on an element v ∈ V as vg.
For any v ∈ V, we write v = v_1 ⊕ ··· ⊕ v_b with v_i ∈ V_i. Any γ ∈ Sym(V) that acts as vγ = v_1γ_1 ⊕ ··· ⊕ v_bγ_b, for some γ_i ∈ Sym(V_i), is called a bricklayer transformation (a "parallel map"), and each γ_i is a brick. Traditionally, the maps γ_i are called S-boxes and γ a "parallel S-box". A linear map λ : V → V is traditionally called a "mixing layer" when used in composition with parallel maps. For any I ⊂ {1, ..., b}, with I ≠ ∅ and I ≠ {1, ..., b}, we call ⊕_{i∈I} V_i a wall.

Definition 2.1. A linear map λ ∈ GL(V) is called a proper mixing layer if no wall is invariant under λ.
We can characterize the translation-based class by the following:
• it is the composition of a finite number of rounds, such that any round τ_{k,h} can be written as γ_h λ_h σ_{k_h}, where γ_h is a round-dependent bricklayer transformation (but it does not depend on k) with 0γ_h = 0, λ_h is a round-dependent linear map (but it does not depend on k), and k_h is in V and depends on both k and the round (k_h is called a "round key");
• for at least one round, called a "proper" round, we have (at the same time) that λ_h is proper and that the map Φ_h : K → V given by k ↦ k_h is surjective.
The assumption 0γ_h = 0 is not restrictive. Indeed, we can always include 0γ_h in the round key addition of the previous round (see [2, Remark 3.3]).
Let m ≥ 1 and let f be a vectorial Boolean function. Vectorial Boolean functions used as S-boxes in block ciphers must have low differential uniformity to prevent differential cryptanalysis (see [1]). By [2, Fact 3], a differentially δ-uniform vectorial Boolean function satisfies the bound stated there.

2.2. Partition-based trapdoors.

We recall that a permutation group G acting on V is called primitive if it has no nontrivial G-invariant partition of V, that is, if there exists no G-invariant partition A of V different from the trivial partitions (the partition into singletons and the partition whose only block is V). On the other hand, if a nontrivial G-invariant partition exists, the group is called imprimitive. As said before, the imprimitivity of Γ_∞ is considered an undesirable property. Paterson [9] showed that if this group is imprimitive, then it is possible to embed a trapdoor in the cipher.
Another trapdoor, based on the idea of the imprimitive action, is the partition-based trapdoor, introduced in the recent work [11]. There the authors give some conditions to construct a translation-based cipher which maps a partition of the plaintext space to another partition of the ciphertext space.
We report some of the definitions and results presented in [11].
Remark 1. Note that a permutation group G is imprimitive if there exists a nontrivial partition A such that Aρ = A for all ρ ∈ G.
The following result, introduced by Harpes in [12], characterizes the possible partitions A and B such that T(V) maps A to B. We now report the main theorem of [11]. In [11] the result is stated for an SPN cipher with the same S-box and mixing layer in each round, but it can be extended to any translation based cipher with independent round keys.
Theorem 2.7. Let C be a translation based cipher on V. Suppose that there exist A and B non-trivial partitions such that for all ℓ-tuples of round keys

3. Avoiding the partition-based trapdoor.

In this section we give sufficient conditions on the components of a tb cipher guaranteeing that such a trapdoor cannot be implemented.

Proof of Lemma 3.1. The fact that γ maps L(U) to L(W) and 0γ = 0 implies that Uγ = W. Moreover, for all v ∈ V we have vγ ∈ (U + v)γ; then (U + v)γ = W + vγ. This implies that (u + v)γ + vγ ∈ W for all v ∈ V and u ∈ U.
From Lemma 3.1 we have the following.

Proof of Proposition 3. Suppose that γ maps L(U) to L(W) and that U is not a wall. Then, by Lemma 3.1, and since moreover uγ ∈ W, it follows that uγ + (u + v_i)γ + v_iγ ∈ W. The vector uγ + (u + v_i)γ + v_iγ has all nonzero components except for the one in V_i, which contradicts the first condition on the γ_i's. Thus |Im(γ_{i,u})| for any nonzero u is greater than or equal to 2^{m−r} and, γ_i being a permutation, the set Im(γ_{i,u}) does not contain the zero vector, which implies dim(W ∩ V_i) ≥ m − r + 1. This contradicts the second condition on the γ_i's. Then U is a wall and, γ being a parallel map, U = W.
Vice versa, consider any wall U; as γ is a parallel map, it is easy to check that γ maps L(U) to L(U).

The following definition was introduced in [10]. We define a strongly proper round of a tb cipher as a proper round where the mixing layer is also strongly proper.

Theorem 3.3. Let a round h < ℓ be a strongly proper round and suppose that the bricklayer transformations of rounds h and h + 1, γ_h and γ_{h+1}, satisfy Conditions 1) and 2) of Proposition 3. Then there do not exist non-trivial partitions A and B such that for all ℓ-tuples of round keys the encryption functions map A to B.
Proof. Suppose that the partition-based trapdoor is applicable for all ℓ-tuples of round keys. From Theorem 2.7 there exist two linear partitions L(U) and L(W) such that γ_h λ_h maps L(U) to L(W). Thus γ_h maps L(U) to L(W(λ_h)^{−1}). From Proposition 3, U is a wall, and so is W(λ_h)^{−1}. Now, λ_h being strongly proper, W is not a wall. Then from Theorem 2.7 γ_{h+1} maps L(W) to another linear partition, but this is not possible as W is not a wall, contradicting Proposition 3.
The result of Theorem 3.3 can be generalized using a weaker condition on the mixing layers composing the round functions. Consider, for example, the mixing layer of AES. This is not strongly proper, as there exists a wall which is sent to another wall. Indeed, the state of AES can be represented as a 4 × 4 matrix of bytes (Table 1).

Table 1. AES state: a 4 × 4 matrix of bytes, numbered V_1, ..., V_16 row by row.

The mixing layer of AES is composed of two linear functions, ShiftRows (SR) and MixColumns (MC). The ShiftRows transformation acts in such a way that a wall is sent to another wall; in particular V_1 ⊕ V_6 ⊕ V_11 ⊕ V_16 is sent to V_1 ⊕ V_5 ⊕ V_9 ⊕ V_13. Now, as MixColumns combines the blocks of the same column of the state, V_1 ⊕ V_5 ⊕ V_9 ⊕ V_13 (which is the first column of the state) is sent to itself (Table 2). However, the previous attack cannot be applied to AES, as the mixing layer satisfies the following property.

Table 2. AES wall: the wall V_1 ⊕ V_5 ⊕ V_9 ⊕ V_13 (first column of the state) is mapped to itself by MixColumns.

Definition 3.4. Let λ_1, ..., λ_ℓ be the mixing layers used in a tb cipher with ℓ rounds. We say that the ordered family Λ = (λ_1, ..., λ_ℓ) is strongly proper if for every non-trivial wall W there exists j < ℓ such that W λ_1 ··· λ_j is not a wall.

Proof of Corollary 1. Suppose that the partition-based trapdoor is applicable. From Theorem 2.7, each round function (without the translation by the round key) τ_h = γ_h λ_h maps a linear partition L(U_h) into L(U_{h+1}). From Lemma 3.1 the space U_h is a wall for all 1 ≤ h ≤ ℓ. Then, γ_h being a parallel map with 0γ_h = 0, we have U_h γ_h = U_h and hence U_{h+1} = U_h λ_h. Since Λ is strongly proper, there exists j < ℓ such that U_1 λ_1 ··· λ_j is not a wall, which contradicts the fact that U_h is a wall for all 1 ≤ h ≤ ℓ.
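As an added illustration of Definition 2.1, of the single-layer "strongly proper" notion used in Theorem 3.3, and of Definition 3.4, the following Python script (written for this note, not code from the paper) decides, for a linear mixing layer given as a function on the b bricks, whether some wall is invariant, whether some wall is sent to a wall, and whether an ordered family of layers satisfies Definition 3.4. It only needs the supports of the images λ(V_i): since λ is linear and injective, the image of a wall ⊕_{i∈I} V_i has dimension m|I| and lies in the wall on the union J of those supports, so it is itself a wall exactly when |J| = |I|. The two layers checked are a block cyclic shift (the shape we assume for the toy layer of Section 4, whose matrix is not reproduced on the page) and an AES-like ShiftRows followed by MixColumns on a 4 × 4 byte state numbered row by row as in Tables 1 and 2.

```python
# Added example: wall checks for mixing layers. A state is a list of b bricks (m-bit ints);
# a wall is a bitmask over the brick indices {0, ..., b-1}. Not code from the paper.

def popcount(x):
    return bin(x).count("1")

def block_supports(lam, b, m):
    """supp[i] = bitmask of bricks j on which lam(V_i) has a nonzero component."""
    supp = []
    for i in range(b):
        mask = 0
        for t in range(m):                 # run lam over a basis of V_i
            e = [0] * b
            e[i] = 1 << t
            for j, x in enumerate(lam(e)):
                if x:
                    mask |= 1 << j
        supp.append(mask)
    return supp

def wall_support(supp, wall):
    """Bitmask of the bricks touched by the image of the wall."""
    j = 0
    for i, s in enumerate(supp):
        if wall >> i & 1:
            j |= s
    return j

def image_is_wall(supp, wall):
    # lam(W) has dimension m*|I| and sits inside the wall on support J,
    # so it is a wall exactly when |J| == |I|.
    return popcount(wall_support(supp, wall)) == popcount(wall)

def nontrivial_walls(b):
    return range(1, (1 << b) - 1)          # I non-empty and I != {0, ..., b-1}

def is_proper(supp):
    """Definition 2.1: no wall is invariant under lam."""
    return all(wall_support(supp, w) != w for w in nontrivial_walls(len(supp)))

def is_strongly_proper(supp):
    """Single-layer condition used in Section 3: no wall is sent to a wall."""
    return not any(image_is_wall(supp, w) for w in nontrivial_walls(len(supp)))

def family_is_strongly_proper(supps):
    """Definition 3.4 for Lambda = (lam_1, ..., lam_ell): every wall W has some j < ell
    such that W lam_1 ... lam_j is not a wall."""
    for w in nontrivial_walls(len(supps[0])):
        cur = w
        escaped = False
        for supp in supps[:-1]:            # j = 1, ..., ell-1
            nxt = wall_support(supp, cur)
            if popcount(nxt) != popcount(cur):
                escaped = True
                break
            cur = nxt                      # image is the wall with support nxt; continue
        if not escaped:
            return False
    return True

# layer 1: block cyclic shift, brick i -> position i+1 mod b (assumed shape of the toy layer)
def cyclic_shift(v):
    return v[-1:] + v[:-1]

# layer 2: AES-like ShiftRows then MixColumns; byte (r, c) is brick 4*r + c, so the first
# column is bricks {0, 4, 8, 12}, i.e. V_1, V_5, V_9, V_13 in the paper's numbering
def xtime(x):
    x <<= 1
    return x ^ 0x11B if x & 0x100 else x

def shift_rows(s):
    return [s[4 * r + (c + r) % 4] for r in range(4) for c in range(4)]

def mix_columns(s):
    out = [0] * 16
    for c in range(4):
        a = [s[4 * r + c] for r in range(4)]
        for r in range(4):
            out[4 * r + c] = (xtime(a[r]) ^ xtime(a[(r + 1) % 4]) ^ a[(r + 1) % 4]
                              ^ a[(r + 2) % 4] ^ a[(r + 3) % 4])
    return out

def aes_layer(s):
    return mix_columns(shift_rows(s))

TOY_SUPP = block_supports(cyclic_shift, 4, 8)
AES_SUPP = block_supports(aes_layer, 16, 8)
DIAGONAL = 0x8421       # V_1 + V_6 + V_11 + V_16
FIRST_COLUMN = 0x1111   # V_1 + V_5 + V_9 + V_13

if __name__ == "__main__":
    print("toy layer: proper", is_proper(TOY_SUPP), "strongly proper", is_strongly_proper(TOY_SUPP))
    print("AES layer: proper", is_proper(AES_SUPP), "strongly proper", is_strongly_proper(AES_SUPP))
    print("diagonal wall is sent to support", hex(wall_support(AES_SUPP, DIAGONAL)))
    print("Definition 3.4 for 10 AES layers:", family_is_strongly_proper([AES_SUPP] * 10))
```

The cyclic shift is proper (a b-cycle leaves no proper non-empty set of bricks fixed) but sends every wall to a wall, so neither it nor any family built from it meets Definition 3.4. The AES-like layer sends the diagonal wall to the first column, as Table 2 shows, yet any wall that survives one layer is a union of columns, and ShiftRows spreads a column over all four columns, so after the second layer no wall is left: the family is strongly proper in the sense of Definition 3.4 as soon as ℓ ≥ 3.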
It may seem that the previous corollary requires strong conditions on the mixing layers and on the S-boxes. We show that the requirement on the mixing layers is necessary.
Proof. Since Λ = (λ_1, ..., λ_ℓ) is not strongly proper, there exists a proper wall W such that W λ_1 ··· λ_j is a wall for all 1 ≤ j ≤ ℓ. Now, γ_h being a parallel map, for every wall W′ and v ∈ V we have (W′ + v)γ_h = W′ + vγ_h, which concludes the proof.

4. Security proof for a cipher with independent round keys.

In this section we discuss the fact that studying the group Γ_∞ to understand the security of a block cipher C may not be enough.
We report an example of block cipher C whose components satisfy the cryptographic properties given in [10] sufficient to thwart the trapdoor introduced by Paterson [9], but that is weak with respect to the partition-based trapdoor.
Let V = (F_2)^{mb}, V_i = (F_2)^m, with m, b ≥ 1, and let γ_i ∈ Sym(V_i) be the inverse permutation for all 0 ≤ i ≤ b − 1, i.e. γ_i : x ↦ x^{2^m − 2} (using the representation as a univariate polynomial). Consider the following mixing layer, where I_{m×m} is the identity matrix of size m × m. It is easy to check that λ is a proper mixing layer but not strongly proper. Consider now the linear partitions L(V_1), ..., L(V_b), and suppose there are ℓ rounds, each using λ and γ. From [10, Theorem 3.1] Γ_∞(C) is primitive, but each encryption function maps L(V_i) to L(V_{σ^ℓ(i)}), where σ is the permutation of {1, ..., b} such that σ : i ↦ i + 1 for all i < b and σ : b ↦ 1. Obviously, the mixing layer λ is not interesting from a cryptographic point of view; we use it only as an example to show that the primitivity of Γ_∞(C) does not guarantee the security of C. Moreover, if we use a number ℓ of rounds such that L(V_i) = L(V_{σ^ℓ(i)}) for some i, then Γ_∞(C) is primitive while the group Γ(C) is imprimitive.
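The toy cipher of this section, as an added example that is not part of the paper: the parameters m = 4, b = 3, the field polynomial x^4 + x + 1 and the block cyclic shift used for λ are our assumptions, since the page does not reproduce the matrix. Each round is γλσ_{k_h} as in Section 2.1, with the inverse permutation as S-box. The script checks exhaustively that, for a fixed tuple of independent round keys, every coset of V_i is mapped onto a coset of V_{σ^ℓ(i)}, so the encryption function maps L(V_i) to L(V_{σ^ℓ(i)}); with ℓ ≡ 0 (mod b) the partition L(V_i) is invariant, which is exactly the invariant partition of Remark 1 for the group generated by these encryption functions. It also measures the differential uniformity and nonlinearity of the S-box, the two S-box conditions listed in Section 5, to show that the weakness comes from the mixing layer and not from a poor S-box.

```python
# Added example (not from the paper): toy translation based cipher of Section 4 with
# independent round keys. Assumed parameters: m = 4 bits per brick, b = 3 bricks,
# GF(16) = F_2[x]/(x^4 + x + 1), lambda = cyclic shift of the bricks.
from itertools import product

M, B = 4, 3
POLY = 0b10011                       # x^4 + x + 1, irreducible over F_2

def gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << M):
            a ^= POLY
    return r

def gf_pow(x, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, x)
        x = gf_mul(x, x)
        e >>= 1
    return r

# the inverse permutation x -> x^(2^m - 2); it fixes 0, so 0 gamma = 0 as required
SBOX = [gf_pow(x, (1 << M) - 2) for x in range(1 << M)]

def gamma(v):                         # parallel S-box (bricklayer transformation)
    return tuple(SBOX[x] for x in v)

def sigma(i):                         # block permutation: i -> i+1, b-1 -> 0 (0-based)
    return (i + 1) % B

def sigma_power(i, ell):
    return (i + ell) % B

def lam(v):                           # mixing layer: brick i moves to position sigma(i)
    out = [0] * B
    for i, x in enumerate(v):
        out[sigma(i)] = x
    return tuple(out)

def encrypt(v, round_keys):           # one round is gamma, then lambda, then key addition
    for k in round_keys:
        v = tuple(x ^ y for x, y in zip(lam(gamma(v)), k))
    return v

def coset_reps(i):
    """One representative per coset of V_i: all vectors whose brick i is 0."""
    return [v for v in product(range(1 << M), repeat=B) if v[i] == 0]

def maps_linear_partition(round_keys, i, t):
    """True iff the encryption function with these round keys sends every coset of V_i
    onto a coset of V_t, i.e. maps L(V_i) to L(V_t)."""
    for rep in coset_reps(i):
        outside_t = set()
        for x in range(1 << M):
            v = rep[:i] + (x,) + rep[i + 1:]
            c = encrypt(v, round_keys)
            outside_t.add(c[:t] + c[t + 1:])   # coordinates outside brick t
        if len(outside_t) != 1:                # the 2^m images are not in one coset of V_t
            return False
    return True

def differential_uniformity(sbox):
    n = len(sbox)
    return max(sum(1 for x in range(n) if sbox[x] ^ sbox[x ^ a] == d)
               for a in range(1, n) for d in range(n))

def nonlinearity(sbox):
    """Minimum distance of the component functions c.S(x), c != 0, from affine functions."""
    n = len(sbox)
    best = n
    for c in range(1, n):
        for a in range(n):
            agree = sum(1 for x in range(n)
                        if bin(c & sbox[x]).count("1") % 2 == bin(a & x).count("1") % 2)
            best = min(best, agree, n - agree)  # distance to a.x and to a.x + 1
    return best

# constructed round keys (arbitrary values, one per round)
KEYS_4 = [(3, 9, 14), (7, 0, 5), (11, 2, 13), (1, 15, 6)]
KEYS_3 = KEYS_4[:3]

if __name__ == "__main__":
    print("S-box differential uniformity:", differential_uniformity(SBOX),
          "nonlinearity:", nonlinearity(SBOX))
    for i in range(B):
        print(f"4 rounds: L(V_{i}) -> L(V_{sigma_power(i, 4)}):",
              maps_linear_partition(KEYS_4, i, sigma_power(i, 4)))
    print("3 rounds (ell = b): L(V_0) invariant:", maps_linear_partition(KEYS_3, 0, 0))
```

Changing the round keys does not change the outcome, because the S-box preserves each coset of V_i and the key addition preserves every coset; only λ moves the partition, and it does so by a fixed permutation of the bricks. With ℓ = 3 = b every encryption function fixes L(V_0), so the group they generate is imprimitive even though a proper S-box (4-uniform, nonlinearity greater than 0) is used in every round.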
As we pointed out in Section 2, it would be interesting to study the group Γ(C). However, this group depends strongly on the key schedule used to create the round keys. For this reason, usually, we study the properties of the group Γ_∞(C). But, as we showed above, it may happen that the group Γ_∞(C) is considered secure while the group Γ(C) is not secure with respect to the trapdoors considered here. Then we think that it is better to consider and study the group of a cipher C obtained using independent round keys, that is, Γ_ind(C) = ⟨τ_K | K ∈ V^ℓ⟩, where, letting K = (k_1, ..., k_ℓ), τ_K is the encryption function obtained using k_h ∈ V as round key at round h. Clearly, Γ(C) ≤ Γ_ind(C) ≤ Γ_∞(C). We can summarize the results obtained in this work for Γ_ind(C) in the following.

Theorem 4.1. Let C be a tb cipher. Suppose that one of the following properties is satisfied:
1. there exists a round h which is a strongly proper round and the bricklayer transformations γ_h, γ_{h+1} satisfy Conditions 1) and 2) of Proposition 3, or
2. the family Λ = (λ_1, ..., λ_ℓ) is strongly proper and for each round h the parallel map γ_h satisfies Conditions 1) and 2) of Proposition 3.
Then the partition-based trapdoor is not applicable. Moreover, Γ_ind(C) is primitive.
Proof. From Theorem 3.3 (or Corollary 1) there do not exist two partitions A and B such that Aτ_k = B for all τ_k ∈ Γ_ind(C). Moreover, the group Γ_ind(C) is imprimitive if and only if there exists a nontrivial partition A such that Aτ_k = A for all τ_k ∈ Γ_ind(C) (see Remark 1), which is a particular case in which the partition-based trapdoor is applicable.

5. Conclusions.

An interesting open problem proposed by Paterson [9] is to investigate whether it is possible to construct a block cipher such that the group Γ_∞ is primitive but the resulting cipher is weak with respect to the imprimitive trapdoor. As we pointed out in Section 4, it may happen that the cipher is vulnerable even if the group generated by the round functions turns out to be primitive. For this reason, here we studied the group Γ_ind generated by the cipher with independent round keys. We think that studying the algebraic properties of this group could be more appropriate for investigating the security properties of a cipher. In particular, we gave sufficient conditions on the components of a cipher C so that the partition trapdoor given in [11] cannot be applied to the encryption functions generating Γ_ind(C). As a consequence, we also obtained the primitivity of the group Γ_ind(C).
Note that this type of trapdoor can be easily avoided. Indeed, as noted in [10], for an invertible vectorial Boolean function being strongly 1-anti-invariant is equivalent to having no linear components (i.e. the nonlinearity is greater than 0). Such a property is usually required of the S-boxes of a cipher to avoid linear cryptanalysis. Moreover, to achieve good diffusion we need the mixing layer to satisfy the condition given in Definition 3.4. Therefore, from Theorem 4.1, sufficient conditions to thwart the partition trapdoor are:
• S-boxes with differential 4-uniformity and nonlinearity different from 0;
• strongly proper mixing layers (or mixing layers satisfying the condition in Definition 3.4).
Another required property for a cipher is that the group generated by the encryption functions is not "small" (see for instance [8]). Usually, this property is investigated for the group of the round functions ([13, 14]). In [3, 10] conditions are given for tb ciphers so that Γ_∞ is the symmetric (alternating) group.
In the case of ciphers like AES, where the same S-box and mixing layer are used in each round, we have that Γ_ind(C) is normal in Γ_∞(C), so if Γ_∞(C) is the symmetric (alternating) group the same holds for Γ_ind(C). However, this is no longer the case for ciphers like, e.g., SERPENT, where the S-box used depends on the round. Then it may happen that the round functions generate the symmetric (alternating) group, while the group generated by the encryption functions does not. An interesting future research direction could be investigating assumptions on the components of a cipher C which guarantee that the group Γ_ind(C) is the symmetric (alternating) group.