Type-Preserving Matrices and Security of Block Ciphers

We provide a new property, called Non-Type-Preserving, for a mixing layer which guarantees protection against algebraic attacks based on the imprimitivity of the group generated by the round functions. Our main result is to present necessary and sufficient conditions on the structure of the binary matrix associated to the mixing layer, so that it has this property. Then we show that several families of linear maps are Non-Type-Preserving, including the mixing layers of AES, GOST and PRESENT. Finally we prove that the group generated by the round functions of an SPN cipher with addition modulo a power of 2 as key mixing function is primitive if its mixing layer satisfies this property. Moreover we generalise the definition of a GOST-like cipher using a Non-Type-Preserving matrix as mixing layer and we show, under the only assumption of invertibility of the S-Boxes, that the corresponding group is primitive.


Introduction
Most modern block ciphers are iterated block ciphers, i.e. they are obtained as the composition of round functions, and belong to two families of cryptosystems, Substitution Permutation Networks (SPN) and Feistel Networks (FN). Within each round three permutations of the plaintext space operate: a non-linear layer and a linear layer, which respectively perform confusion and diffusion (see [26]), and a key mixing function which combines the message with the corresponding round key. Most SPN's use the XOR as key mixing, but in many Feistel Networks (e.g. MARS [8], GOST [17], RC6 [24], SEA [27]) and in other block ciphers not belonging to these two families (e.g. IDEA [21]) the key mixing function is the addition modulo $2^n$, for some integer n.
Using addition modulo $2^n$ as key mixing function may increase the nonlinearity of a round function. Intuitively, one could expect that adding an extra nonlinear layer increases the complexity of attacks. Actually, in [22] the authors prove from a theoretical point of view that adopting a key mixing defined by an addition modulo $2^n$ can help to prevent linear cryptanalysis. Then they consider two toy SPN's, GPig1 and GPig2, with the same structure but with key mixing respectively defined by XOR and addition modulo $2^n$, and check experimentally that the former is weaker than the latter against linear cryptanalysis. On the other hand, in [20] the authors investigate how the use of addition modulo $2^n$ in round functions influences algebraic attacks. Also in [16] statistical and algebraic properties of addition modulo a power of two are studied from a cryptographic point of view.
In this paper, we aim to investigate which properties of the mixing layer are useful to avoid particular classes of algebraic vulnerabilities on an SPN which uses addition modulo $2^n$ as key mixing function. Some algebraic properties of the round functions can indeed conceal weaknesses of the corresponding cipher. In 1975 Coppersmith and Grossman [14] defined a family of functions which can be used as round functions of a block cipher and studied the permutation group generated by them. It was then found out that some group-theoretical properties can reveal weaknesses of the cipher itself. For example, if such a group is too small, then the cipher is vulnerable to birthday-paradox attacks (see [19]). Recently, in [10] the authors proved that if such a group is of affine type, then it is possible to embed a dangerous trapdoor in the cipher. More relevant to our work, in [23] Paterson built a DES-like cipher whose encryption functions generate an imprimitive group and showed how the knowledge of this trapdoor can be turned into an efficient attack on the cipher. For this reason, a branch of research in symmetric cryptography is focused on showing that the group generated by the encryption functions of a given cipher is primitive (see [3,4,5,9,12,13,25,28,29,30]).
Our aim is to guarantee protection against algebraic attacks based on the imprimitivity of the group generated by the round functions of block ciphers which use addition modulo $2^n$ as key mixing function. We do so by identifying a necessary and sufficient property of the structure of the binary matrix associated to the mixing layer, under the only hypothesis of S-Box invertibility. In particular, we give the definition of type-preserving matrix and we prove that the group generated by the round functions of an SPN cipher with addition modulo $2^n$ as key mixing function is primitive if its mixing layer is not type-preserving.
The paper is organized as follows. In Section 2, we give our notation, as well as some basic definitions and results concerning block ciphers and primitive permutation groups. In Section 3 we present a new property for mixing layers, called non-type-preserving. Then, after having proved our result regarding the necessary and sufficient conditions for a mixing layer to be non-type-preserving, we show that some known mixing layers, such as those employed in GOST [17], PRESENT [7], AES [15] and GPig2 [22], are non-type-preserving. Even though the key mixing of AES and PRESENT is the classical XOR instead of the addition modulo $2^n$, their mixing layers are real-life examples of non-type-preserving matrices. In Section 4, we prove that an SPN which uses addition modulo $2^n$ as key mixing function and a non-type-preserving matrix as mixing layer is primitive. Finally, we use a non-type-preserving mixing layer to extend a GOST-like cipher, defined in [5], and we prove its primitivity if the S-Boxes are invertible.

Permutation groups
We recall some basic notions from permutation group theory. Let G be a finite group acting on the set V. For each g ∈ G and v ∈ V we denote the action of g on v by vg. We denote by $vG = \{vg : g \in G\}$ the orbit of v ∈ V and by $G_v = \{g \in G : vg = v\}$ its stabilizer. The group G is said to be transitive on V if for each v, w ∈ V there exists g ∈ G such that vg = w. A partition $\mathcal{B}$ of V is called trivial if $\mathcal{B} = \{V\}$ or $\mathcal{B} = \{\{v\} : v \in V\}$, and G-invariant if for any $B \in \mathcal{B}$ and g ∈ G it holds $Bg \in \mathcal{B}$. Any non-trivial and G-invariant partition $\mathcal{B}$ of V is called a block system. In particular any $B \in \mathcal{B}$ is called an imprimitivity block. The group G is primitive in its action on V if G is transitive and there exists no block system. Otherwise, the group G is imprimitive in its action on V. We recall the following well-known results, whose proofs may be found e.g. in [11].

Lemma 2.1. A block of imprimitivity is the orbit vH of a proper subgroup H < G that properly contains the stabilizer $G_v$, for some v ∈ V.

Lemma 2.2. If T is a transitive subgroup of G, then a block system for G is also a block system for T.

Substitution Permutation Networks
Let $n \in \mathbb{N}$ and let $V = \mathbb{F}_2^n$ be the plaintext space. Denote by Sym(V) the symmetric group acting on V, i.e. the group of all permutations on V, and by AGL(V) the group of all affine permutations of V, which is a primitive maximal subgroup of Sym(V), i.e. AGL(V) is a primitive proper subgroup such that no other primitive proper subgroup contains it.
A block cipher $\mathcal{C} = \{\varepsilon_K : K \in \mathcal{K}\}$ is a family of key-dependent permutations of V, where $\mathcal{K}$ is the key space and $|V| \le |\mathcal{K}|$. The permutation $\varepsilon_K$ is called the encryption function induced by the master key K. Let $\phi : \{1, \ldots, r\} \times \mathcal{K} \to V$ be a public procedure known as key-schedule, such that ϕ(h, K) is the h-th round key, given the master key K. The block cipher $\mathcal{C}$ is called an iterated block cipher if there exists $r \in \mathbb{N}$ such that for each $K \in \mathcal{K}$ the encryption function $\varepsilon_K$ is the composition of r round functions, i.e. $\varepsilon_K = \varepsilon_{\phi(1,K)}\,\varepsilon_{\phi(2,K)} \cdots \varepsilon_{\phi(r,K)}$. Each round function $\varepsilon_{\phi(h,K)}$ is a permutation of V depending on the h-th round key.
In this paper we mainly deal with ciphers of SPN type and we define a class of round functions for iterated block ciphers which is large enough to include the round functions of classical SPN's.
The round functions of an SPN are compositions of the following maps, where $V = V_1 \times \cdots \times V_\delta$ and × represents the Cartesian product of vector spaces; the spaces $V_j$ are called bricks:
• $\gamma \in \mathrm{Sym}(V)$ is a non-linear map acting in parallel on the bricks through maps $\gamma_j : V_j \to V_j$, traditionally called S-Boxes;
• $\lambda \in \mathrm{Sym}(V)$ is a linear map, called mixing layer;
• $\sigma_k : V \to V$ is the key mixing function, that is a permutation of V combining the message with the corresponding round key k.
Since studying the role of the key-schedule is out of the scopes of this paper, we can simply suppose that round keys are randomly-generated vectors in V .
Usually, the key mixing function of well-established SPN's, such as AES, PRESENT, SERPENT, is $\sigma_k : x \mapsto x + k$, where + is the usual bitwise XOR. Note that SPN's featuring an XOR-based key addition have also been called translation-based ciphers in [13]. In many other ciphers (e.g. MARS [8], GOST [17], IDEA [21], RC6 [24], SEA [27]) the key mixing is the addition modulo $2^m$, for some integer m. This kind of key mixing function may be used to increase the nonlinearity of a round function (see for example [22]). In particular, in this work we are interested in SPN's which combine the message with the key by the addition modulo $2^{\dim(V)}$ (see [20,22]).
Definition 2.4. We denote by SPNmod an SPN operating on the plaintext space V in which the key mixing function is the addition modulo $2^n$, where n = dim(V).

Group generated by the round functions and Primitivity
Besides the classical statistical attacks (e.g. differential and linear cryptanalysis), it has been shown that some algebraic attacks can also be effective and dangerous (see, for instance, [10,19,23]). In this paper we focus on a particular attack, described in [23], based on the imprimitivity of the permutation group generated by the round functions of a block cipher.
Let $\mathcal{C} = \{\varepsilon_K : K \in \mathcal{K}\} \subseteq \mathrm{Sym}(V)$ be an r-round iterated block cipher and let $\Gamma(\mathcal{C}) = \langle \varepsilon_K : K \in \mathcal{K} \rangle$ be the group generated by its encryption functions. Several researchers have shown in recent years that this group can reveal weaknesses of the cipher itself (see for example [10,19,23]). However, the study of $\Gamma(\mathcal{C})$ is not an easy task in general, since it strongly depends on the key-schedule function (for an example of a key-schedule related study, see [6]). Hence the research focuses on the group generated by the round functions, where all the possible round keys for round h are considered as K varies in $\mathcal{K}$. This group contains $\Gamma(\mathcal{C})$ and allows one to ignore the effect of the key-schedule.
In our case $\mathcal{C}$ is an r-round SPNmod cipher and the i-th round function is $\varepsilon_k = \gamma\lambda\sigma_k$, where $k = \phi(i, K)$ is the i-th round key and we suppose the key-schedule $\phi(i, \cdot)$ to be surjective onto V for any round i. The corresponding group generated by the round functions is $\Gamma_\infty = \langle \varepsilon_k : k \in V \rangle = \langle \gamma\lambda\sigma_k : k \in V \rangle$. Throughout this paper we will sometimes denote γλ by ρ.
Note that we can consider two group structures on V. The first operation is the bitwise XOR, which will be denoted by ⊕ and which makes V into a vector space over $\mathbb{F}_2$. The second operation, denoted by ⊞, is the sum modulo $2^n$. That is, we represent a, b ∈ V as $a = (a_0, a_1, \ldots, a_{n-1})$ and $b = (b_0, b_1, \ldots, b_{n-1})$, with $a_i, b_i \in \{0, 1\}$ integers, and define $a ⊞ b = c = (c_0, c_1, \ldots, c_{n-1})$, with $c_i \in \{0, 1\}$ integers, by

$$\sum_{i=0}^{n-1} c_i 2^i \equiv \sum_{i=0}^{n-1} a_i 2^i + \sum_{i=0}^{n-1} b_i 2^i \pmod{2^n}.$$

(Here + denotes the ordinary sum of integers.) Therefore V under ⊞ is isomorphic to the group $\mathbb{Z}_{2^n}$ of integers modulo $2^n$, the vector a corresponding to the integer $\sum_i a_i 2^i$, and we will denote it by $(\mathbb{Z}_{2^n}, ⊞)$.
We recall the following elementary fact, which we will use repeatedly without further mention.

Lemma 2.5. The subgroups of $(\mathbb{Z}_{2^n}, ⊞)$ are exactly the cyclic groups $\langle 2^q \rangle$, for $0 \le q \le n$; the cases q = 0 and q = n give $\mathbb{Z}_{2^n}$ and {0} respectively.

Now we prove the first property of the group generated by the round functions of an SPNmod cipher. Let $T = \{\sigma_v : v \in V\}$ be the group of translations of (V, ⊞).

Lemma 2.6. $\Gamma_\infty = \langle T, \rho \rangle$. In particular, $\Gamma_\infty$ acts transitively on V.

Proof. Since $\sigma_0$ is the identity, $\rho = \rho\sigma_0 \in \Gamma_\infty$, hence $\sigma_k = \rho^{-1}(\rho\sigma_k) \in \Gamma_\infty$ for every k ∈ V, that is $\langle T, \rho \rangle \le \Gamma_\infty$; the other inclusion holds because every round function $\rho\sigma_k$ lies in $\langle T, \rho \rangle$. Finally, T is transitive on V, since for any v, w ∈ V the translation $\sigma_u$, where u is the element with v ⊞ u = w, maps v to w.

Since the map $v \mapsto \sigma_v$ is an isomorphism $(V, ⊞) \to T$, we have the following well-known result.

Lemma 2.7 ([11]). The subgroups of T are of the form $\{\sigma_u : u \in U\}$, where U is a subgroup of (V, ⊞).

Lemma 2.8 ([11]). If $\Gamma_\infty$ acting on V has a block system, then this consists of the cosets of a ⊞-subgroup of V, that is, it is of the form $\{v ⊞ W : v \in V\}$, where W is a non-trivial, proper subgroup of (V, ⊞).

Indeed, by Lemma 2.6 the group T is a transitive subgroup of $\Gamma_\infty$, so by Lemma 2.2 any block system of $\Gamma_\infty$ is a block system of T, and the blocks of T, which acts on V as (V, ⊞) acts on itself by translation, are the cosets of its subgroups (Lemma 2.7).

Imprimitivity attack
The cryptanalysts' interest into the imprimitivity of the group generated by the round functions of a block cipher arises from the study performed in [23], where it is shown how the imprimitivity of the group can be exploited to construct a trapdoor that may be hard to detect. In particular, the author gives an example of a DES-like cipher which can be easily broken since its round functions generate an imprimitive group, but which is resistant to both linear and differential cryptanalysis.

Some other definitions and known results
Now we will recall some preliminary results proved in [5], and to do so we will adopt the same notation introduced therein. We shall denote
• a subset of $\mathbb{F}_2^m$ of cardinality 1 by a white box;
• a subset of $\mathbb{F}_2^m$ of cardinality t, with $1 < t < 2^m$, by a ruled box;
• the full set $\mathbb{F}_2^m$ by a black box.
We will say that a box has white, ruled or black type.
Let D be a subset of $V = V_1 \times \cdots \times V_\delta$, where each space $V_i$ has dimension m. The type of D will be a sequence of δ white, ruled or black boxes, where the i-th box represents the projection of D on $V_i$.

Remark 2.10 (Remark 4.9 in [5]). According to Lemma 2.5, a subgroup D of $\mathbb{Z}_{2^n}$ is of the form $\langle 2^q \rangle$, for some $0 \le q \le n$; its elements are exactly the vectors whose first q bits are zero, the remaining n − q bits being free. Hence a subgroup $D = \langle 2^q \rangle$ of $\mathbb{Z}_{2^n}$ has one of the following two types.

1. When $q \equiv 0 \pmod m$, the subgroup has $n_w$ white boxes followed by $\delta - n_w$ black boxes, where $0 \le n_w \le \delta$ is such that $q = n_w m$. Note that there are no white boxes when q = 0 (the subgroup is the full group $\mathbb{Z}_{2^n}$), and there are no black boxes when q = n (the subgroup is {0}).

2. When $q \not\equiv 0 \pmod m$, the box containing the q-th bit is ruled, the $n_w = \lfloor q/m \rfloor$ boxes preceding it are white and the $\delta - n_w - 1$ boxes following it are black.

Due to Remark 2.10, we can associate to the type of any subgroup D in $\mathbb{Z}_{2^n}$ the triple $(n_w, n_r, n_b)$, where $n_w$, $n_r$ and $n_b$ are respectively the number of white, ruled and black boxes. We have the following bounds:

$$n_r \in \{0, 1\}, \qquad n_w + n_r + n_b = \delta. \qquad (1)$$

With a slight abuse of notation, we use the triple $(n_w, n_r, n_b)$ to denote the type of D.

In the next lemma, proved in [5], we consider the behavior of the modular sum ⊞ with respect to types.

Lemma 2.11. If D is a subgroup of $\mathbb{Z}_{2^n}$ and $v \in \mathbb{Z}_{2^n}$, then D and v ⊞ D have the same type.

Type-preserving matrices
In this section we study the diffusion properties of an invertible mixing layer λ, namely how the multiplication by a full-rank binary matrix Λ mixes the bricks $V_1, \ldots, V_\delta$. To do so, we consider Λ to be a δ × δ block matrix whose blocks $\Lambda_{i,j}$ are binary square matrices of order m, the block $\Lambda_{i,j}$ collecting the rows of Λ corresponding to the brick $V_i$ and the columns corresponding to the brick $V_j$. We will also use the notation $\Lambda_{(i_1,j_1):(i_2,j_2)}$ for the submatrix of Λ formed by the blocks $\Lambda_{i,j}$ with $i_1 \le i \le i_2$ and $j_1 \le j \le j_2$. Observe that if $\Lambda_{i,j} = 0$ whenever i ≠ j, i.e. Λ is a block-diagonal matrix, then γλ is a parallel map. Our interest lies in the image of $D \subseteq \mathbb{F}_2^n$ through the mixing layer, thus we will work with the set $\mathrm{Im}_D\,\lambda = \{v\Lambda : v \in D\}$. In many cases we will need to work with submatrices of Λ, and for the sake of simplicity we will write $\mathrm{Im}_D\,\Lambda_{(i_1,j_1):(i_2,j_2)}$ to denote the image of $\Lambda_{(i_1,j_1):(i_2,j_2)}$ restricted to the set obtained by projecting D on the coordinates corresponding to the boxes $i_1, \ldots, i_2$. We will study which properties of Λ imply

$$\mathrm{type}(\mathrm{Im}_D\,\lambda) = \mathrm{type}(D). \qquad (2)$$

Definition 3.1. A full-rank binary matrix Λ, or equivalently the corresponding mixing layer λ, satisfying equation (2) for some $D \subseteq \mathbb{F}_2^n$ is called type-preserving. Vice versa, if Λ is not type-preserving, that is, if $\mathrm{type}(\mathrm{Im}_D\,\lambda) \neq \mathrm{type}(D)$ for every D under consideration, then we say that it is non-type-preserving.
Remark 3.2. In Section 4 we prove that the non-type-preserving property of a mixing layer given in the previous definition is useful to avoid imprimitivity attacks on block ciphers with the following structure:
• SPN with addition modulo $2^n$ as key mixing function (Theorem 4.1);
• GOST-like cipher with addition modulo $2^{n/2}$ as key mixing function and invertible S-Boxes (Theorem 4.3),
where n is the length of the whole block.
In this paper we are mainly interested in the subsets D of $\mathbb{F}_2^n$, such as the subgroups of $\mathbb{Z}_{2^n}$, with type $(n_w, n_r, n_b)$ satisfying equation (1). Therefore in the remaining part of this section the subsets D of $\mathbb{F}_2^n$ are all of this kind. Observe that any v ∈ D can be written as the concatenation $(v_w \mid v_r \mid v_b)$, where the lengths of $v_w$, $v_r$ and $v_b$ are determined by the type of D. In particular, $v_w \in \mathbb{F}_2^{mn_w}$, $v_r \in \mathbb{F}_2^{mn_r}$ and $v_b \in \mathbb{F}_2^{mn_b}$, with the following properties due to the structure of D: $v_w$ is the same for every v ∈ D; when $n_r = 1$, the projection of D on the ruled box is a subset of $\mathbb{F}_2^m$ of cardinality strictly between 1 and $2^m$; and $v_b$ ranges over the whole $\mathbb{F}_2^{mn_b}$. Now we can state our main result, whose proof is a consequence of several lemmas.
are satisfied.
The above lemma gives a necessary property of Λ for a mixing layer to preserve the type $(n_w, 0, \delta - n_w)$. The next result ensures that this property is also sufficient.
Proof of Lemma 3.5. We construct D so that its type is $(n_w, 0, \delta - n_w)$: fix $v_w \in \mathbb{F}_2^{mn_w}$ and let $D = \{(v_w \mid v_b) : v_b \in \mathbb{F}_2^{m(\delta - n_w)}\}$, so that any vector v ∈ D can be written as the concatenation $(v_w \mid v_b)$. Due to $\Lambda_{(n_w+1,1):(\delta,n_w)}$ being the zero matrix, the first $mn_w$ bits of the image of any v ∈ D are equal to $v_w \Lambda_{(1,1):(n_w,n_w)}$, hence the first $n_w$ boxes of $\mathrm{Im}_D\,\lambda$ are white. On the other hand, since λ is invertible, Λ has full rank, which, given that $\Lambda_{(n_w+1,1):(\delta,n_w)} = 0$, is only possible if $\Lambda_{(n_w+1,n_w+1):(\delta,\delta)}$ is invertible. By the choice of D, the last $m(\delta - n_w)$ bits of the image of v ∈ D are $v_w \Lambda_{(1,n_w+1):(n_w,\delta)} \oplus v_b \Lambda_{(n_w+1,n_w+1):(\delta,\delta)}$, where the first summand is constant and the second one ranges over the whole $\mathbb{F}_2^{m(\delta - n_w)}$ as $v_b$ does. Therefore the last $\delta - n_w$ boxes of $\mathrm{Im}_D\,\lambda$ are black, from which we conclude that $\mathrm{type}(\mathrm{Im}_D\,\lambda) = (n_w, 0, \delta - n_w)$.
Note that in Lemma 3.4 and Lemma 3.5 we did not consider the cases n w = 0 and n w = δ, because they respectively correspond to the cases 1 and 2 which we have already discussed.
At last, case 4: $\mathrm{type}(D) = (n_w, 1, \delta - n_w - 1)$.

Proof of Lemma 3.6. We proceed in four steps, assuming in turn that one of the properties (a), (b), (c) and (d) fails. We use again the notation $v = (v_w \mid v_r \mid v_b)$, where the lengths of the three vectors depend on the type of D, and we recall that $v_w$ is the same for each v ∈ D. Firstly, we look at what happens if we deny property (a). In this case, we consider two vectors v, v′ ∈ D, which exist since property (a) fails, whose images under Λ differ in the first $mn_w$ bits. It follows that the first $mn_w$ bits of vΛ are different from the first $mn_w$ bits of v′Λ, hence the first $n_w$ boxes in $\mathrm{Im}_D\,\lambda$ are not all white, and so the type of $\mathrm{Im}_D\,\lambda$ is not $(n_w, 1, \delta - n_w - 1)$. Similarly, if we deny property (b), we reach the same conclusion by a suitable choice of v and v′. We do not go through the entire proofs for properties (c) and (d), since they are quite similar to what we did above. The difference is that we need to use the entire D instead of just two vectors v and v′, and therefore prove that $\mathrm{Im}_D\,\lambda$ does not have respectively a ruled box (by denying property (c)) and the right number of black boxes (by denying property (d)).
As we did for Lemma 3.4, we can also prove that the four necessary properties in Lemma 3.6 are also sufficient.
Observe that in Lemma 3.6 and Lemma 3.7 we did not consider $n_w = 0$ and $n_w = \delta - 1$. We discuss these cases in the following two results. Conversely, if there exists D of type (0, 1, δ−1) for which Λ satisfies the two properties above, then Λ preserves the type of D. Conversely, if Λ satisfies the two properties above, then there exists D whose type is preserved by Λ.
Note that the properties described in Lemmas 3.8 and 3.9 are particular cases of the ones presented in Lemma 3.6. We omit the proofs of these lemmas, since they can be obtained using the same arguments applied to prove Lemma 3.6 and Lemma 3.7. For this reason we have denoted the new properties in the same way, and, with a slight abuse of notation, in the following we will simply refer to Lemma 3.6 and its properties, even though when speaking of types (0, 1, δ−1) and (δ−1, 1, 0) one should use the dedicated results.
Putting everything together, we obtain the proof of Theorem 3.3 as a straightforward consequence of Lemmas 3.4, 3.5, 3.6, 3.7, 3.8 and 3.9.
In the next section we show that some known families of mixing layers are non-type-preserving with respect to the subsets of $\mathbb{F}_2^n$ with type $(n_w, n_r, n_b)$ satisfying equation (1).

Examples of non-type-preserving mixing layers
In this section we characterize some known classes of mixing layers by proving whether they are non-type-preserving with respect to the subsets of $\mathbb{F}_2^n$ whose type satisfies equation (1). The aim of this section is to highlight that the definition of non-type-preserving mixing layer is not restrictive. Indeed, mixing layers of this kind are used in many real-life ciphers, such as GOST, PRESENT and AES. With a slight abuse of notation, any of these mixing layers will simply be said to be non-type-preserving.

Rotation of a GOST-like cipher
In [5], the mixing layer of a GOST-like cipher is defined as the permutation matrix $\Lambda_s$ of a rotation by s bits, with $s \in \{m, \ldots, (\delta - 1)m\}$. Let $\{e_1, \ldots, e_n\}$ be the canonical basis of $\mathbb{F}_2^n$.

Definition 3.11. Let $\pi_s \in \mathrm{Sym}(n)$ be the permutation defined, for each $1 \le x \le n$, by

$$\pi_s(x) \equiv x + s \pmod n, \qquad (6)$$

where $m \le s \le (\delta - 1)m$. The permutation binary matrix associated to $\pi_s$ is a circulant matrix, which we denote by $\Lambda_s$.

The mixing layer associated to $\pi_{11}$ can be written in block form using only zero matrices and identity matrices, where we denote the r × t zero matrix by 0 and the t × t identity matrix by $1_t$.

We now prove that the rotation $\Lambda_s$ is non-type-preserving if and only if $s \in \{m, \ldots, (\delta - 1)m\}$.

Proof. We write Λ as a block matrix whose blocks are zero matrices and identity matrices $1_t$ of order t. We deal with several cases independently, starting with s = m.

In this case, for each $n_w \in \{1, \ldots, \delta - 1\}$ we have $\Lambda_{n_w+1,n_w} = 1_m$, hence equation (3) is never satisfied. Moreover, it follows that also property (b) is never satisfied. So, the only possibility left is that Λ satisfies both property (c) and property (d) of Lemma 3.8, so that Λ would preserve a certain set D of type (0, 1, δ−1). However, since $\Lambda_{1,2} = 1_m$, it follows that property (c) cannot be satisfied by a set of such type. Let now s be strictly larger than m. Then, property (b) is never satisfied, hence we only need to deal with Lemma 3.8. Note that we can still apply the same argument as above, and therefore prove that property (c) cannot be satisfied. These two cases together prove that for any $s \in \{m, \ldots, (\delta - 1)m\}$ the rotation by s bits is non-type-preserving. We assume now that s is not inside the interval, and prove that Λ is a type-preserving matrix. Trivially, if s = 0 then Λ is the identity matrix, which is type-preserving. In the other possible cases, $\Lambda_{(\delta,1):(\delta,\delta-1)}$ is not a full-rank matrix and $\Lambda_{\delta,\delta} \neq 0$. Then, Λ satisfies respectively property (b) and property (c) of Lemma 3.9, implying that Λ is type-preserving.
Corollary 3.14. The mixing layer of a GOST-like cipher is non-type-preserving.

Proof. A GOST-like cipher uses, by definition, a rotation by $s \in \{m, \ldots, (\delta - 1)m\}$ bits. In particular GOST itself rotates a 32-bit word made of eight 4-bit bricks (m = 4, δ = 8) by s = 11 bits, and 11 ∈ {4, ..., 28}.

Mixing layer of an AES-like cipher
Let $\delta = 2^t$, for some even integer t. We consider a first δ × δ matrix over $\mathbb{F}_{2^m}$, written as a $2^{t/2} \times 2^{t/2}$ block matrix with each block being a $2^{t/2} \times 2^{t/2}$ matrix over $\mathbb{F}_{2^m}$; in particular, 0 denotes the zero block and M an MDS matrix in $\mathrm{GL}_{2^{t/2}}(\mathbb{F}_{2^m})$.

With the same notation as above, let the second matrix be a circulant block matrix whose blocks are the matrices $I_j$, where $I_j$ is the $2^{t/2} \times 2^{t/2}$ matrix over $\mathbb{F}_{2^m}$ with the identity element of $\mathbb{F}_{2^m}$ in position (j, j) and the zero element of $\mathbb{F}_{2^m}$ everywhere else. Let us define Λ as the block matrix in $\mathrm{GL}_\delta(\mathbb{F}_{2^m})$ obtained from these two matrices.

Example 3.18. In the case of AES we have 16 bricks of dimension 8, that is, δ = 16 and m = 8. The first matrix is written as a 4 × 4 block matrix with each block being a 4 × 4 matrix over $\mathbb{F}_{2^8}$; in particular, 0 is the 4 × 4 zero matrix and M is the MixColumns matrix of AES, whose first row is (02, 03, 01, 01) in hexadecimal notation and whose other rows are its cyclic shifts.

With the same notation as above, the second matrix has blocks $I_j$, where $I_j$ is the 4 × 4 matrix over $\mathbb{F}_{2^8}$ with 01 in position (j, j) and 00 everywhere else (in hexadecimal notation). The mixing layer of AES is the resulting matrix in $\mathrm{GL}_{16}(\mathbb{F}_{2^8})$.

Proposition 3.19. Λ is non-type-preserving.
Corollary 3.20. The mixing layer of AES is non-type-preserving.
Proof. The result directly follows from Proposition 3.19; nevertheless we make the algebraic computation explicit in the case of the AES cipher. In [15] the authors define the mixing layer of AES using the left matrix action. Since in this paper we are using the right action, we have to consider the transpose of $\Lambda_{AES}$. Finally, we note that the coefficient (16, 1) of $(\Lambda_{AES})^T$ is the coefficient (4, 1) of . . , 14}, so we can apply Corollary 3.10.

Applications
We consider an SPNmod cipher with non-type-preserving mixing layer and we prove, under some assumptions, that the group generated by its round functions is primitive. Similarly, we generalize a GOST-like cipher using a non-type-preserving mixing layer, and thus we obtain the same result under the only hypothesis of the invertibility of the S-Boxes.

Primitivity of an SPNmod cipher
In this section we prove that an SPNmod cipher with invertible S-Boxes and non-type-preserving mixing layer is primitive.

Theorem 4.1. Let $\mathcal{C}$ be an SPNmod cipher whose mixing layer λ is non-type-preserving and whose non-linear layer γ acts in parallel on the bricks $V_1, \ldots, V_\delta$ through maps $\gamma_j$, where $\gamma_j \in \mathrm{Sym}(V_j)$ and $0\gamma_j \neq 0$. Then the group $\Gamma_\infty$ generated by the round functions of $\mathcal{C}$ is primitive.

Proof. Recall that $\rho \stackrel{\text{def}}{=} \gamma\lambda$ and that by Lemma 2.6 we have $\Gamma_\infty = \langle T, \rho \rangle$. In order to prove that $\Gamma_\infty$ is primitive, according to Lemma 2.8 we have to show that there are no non-trivial proper subgroup D of (V, ⊞) and v ∈ V such that $D\rho = v ⊞ D$: indeed, if the cosets of D formed a block system, the block D itself would be mapped by ρ onto some coset v ⊞ D. Since 0 ∈ D, we can take v = 0ρ, hence it is enough to prove that if D ≠ {0} is a proper subgroup of $\mathbb{Z}_{2^n}$, then $D\rho \neq 0\rho ⊞ D$. Clearly, an invertible parallel S-Box maps any set having a type to another set having the same type, since each S-Box is a bijection of its brick. Hence D and Dγ share the same type and, by Lemma 2.11, this is also the type of 0ρ ⊞ D. Therefore 0ρ ⊞ D cannot be equal to Dρ if we prove that, for any non-trivial proper subgroup D of $\mathbb{Z}_{2^n}$, Dγ and Dρ = (Dγ)λ have different types. Finally, the latter statement follows from Theorem 3.3, since by hypothesis λ is non-type-preserving.
Remark 4.2. The cipher GPig2 [22] is an example of SPNmod cipher satisfying the hypothesis of Theorem 4.1 and so the group generated by its round functions is primitive.
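The following script is an added example, not part of the paper, that brute-forces the notions above for toy parameters (n = 8, m = 2, δ = 4 and a constructed 2-bit S-Box with 0γ ≠ 0): it computes the type of the subgroups ⟨2^q⟩ of Z_{2^n} (Remark 2.10) and of their cosets (Lemma 2.11), checks Definition 3.1 for bit rotations against the characterization of Section 3.1 (the rotation by s bits is non-type-preserving exactly for s ∈ {m, ..., (δ−1)m}), and then tests primitivity of Γ∞ = ⟨T, ρ⟩ directly through Lemma 2.8, i.e. by checking whether ρ maps every coset of some ⟨2^q⟩ onto a coset. The function names, the bit/brick layout (least significant bits in the first brick, so that ⟨2^q⟩ has its white boxes first) and the toy S-Box are the example's own assumptions.

```python
"""Added example (not from the paper): brute-force checks of types, the
type-preserving property of rotations and primitivity of <T, rho> for small n.
Vectors of F_2^n are n-bit integers; brick j (1-based) is bits (j-1)m .. jm-1."""
from collections import Counter


def box_types(vectors, n, m):
    """Type of a subset of F_2^n as the sequence of its delta = n/m box types:
    'W' (projection of size 1), 'B' (whole F_2^m) or 'R' (anything in between)."""
    mask = (1 << m) - 1
    result = []
    for j in range(n // m):
        proj = {(v >> (j * m)) & mask for v in vectors}
        result.append('W' if len(proj) == 1 else 'B' if len(proj) == 1 << m else 'R')
    return tuple(result)


def type_triple(box_seq):
    """The (n_w, n_r, n_b) abuse of notation of Section 2.4."""
    c = Counter(box_seq)
    return (c['W'], c['R'], c['B'])


def subgroup(q, n):
    """The subgroup <2^q> of (Z_{2^n}, ⊞) (Lemma 2.5)."""
    return {x for x in range(1 << n) if x % (1 << q) == 0}


def coset(v, q, n):
    """v ⊞ <2^q>, where ⊞ is addition modulo 2^n."""
    return {(v + d) % (1 << n) for d in subgroup(q, n)}


def apply_matrix(v, rows, n):
    """Right action v -> v·Λ over F_2: rows[i] is row i of Λ as an integer whose
    bit j is Λ_{i,j}, so v·Λ is the XOR of the rows selected by the bits of v."""
    out = 0
    for i in range(n):
        if (v >> i) & 1:
            out ^= rows[i]
    return out


def image(vectors, rows, n):
    """Im_D λ = {v·Λ : v ∈ D}."""
    return {apply_matrix(v, rows, n) for v in vectors}


def rotation_matrix(s, n):
    """Permutation matrix of the rotation bit i -> bit (i + s) mod n (Definition 3.11)."""
    return [1 << ((i + s) % n) for i in range(n)]


def preserves_subgroup_type(rows, n, m):
    """Type-preserving check restricted to the sets relevant for Theorem 4.1:
    True iff some non-trivial proper subgroup D = <2^q> has type(Im_D λ) = type(D)."""
    return any(box_types(subgroup(q, n), n, m)
               == box_types(image(subgroup(q, n), rows, n), n, m)
               for q in range(1, n))


def parallel_sbox(v, sbox, n, m):
    """γ acting in parallel with the same m-bit S-Box on every brick."""
    mask = (1 << m) - 1
    out = 0
    for j in range(n // m):
        out |= sbox[(v >> (j * m)) & mask] << (j * m)
    return out


def round_table(rows, sbox, n, m):
    """Lookup table of ρ = γλ on the whole of V."""
    return [apply_matrix(parallel_sbox(v, sbox, n, m), rows, n) for v in range(1 << n)]


def coset_partition_is_block_system(rho, q, n):
    """By Lemma 2.8 a block system of Γ∞ = <T, ρ> consists of the cosets of some
    W = <2^q>; T preserves that partition trivially, so it is a block system iff
    ρ maps every coset v ⊞ W onto the coset (vρ) ⊞ W."""
    return all({rho[x] for x in coset(v, q, n)} == coset(rho[v], q, n)
               for v in range(1 << n))


def is_primitive(rows, sbox, n, m):
    """Γ∞ is transitive (Lemma 2.6), so it is primitive iff no <2^q>, 0 < q < n,
    yields a block system."""
    rho = round_table(rows, sbox, n, m)
    return not any(coset_partition_is_block_system(rho, q, n) for q in range(1, n))


# Constructed toy parameters (not a real cipher): n = 8, m = 2, delta = 4 and a
# single 2-bit S-Box, a permutation with 0γ = 1 ≠ 0, used on every brick.
N, M = 8, 2
TOY_SBOX = [1, 3, 0, 2]

if __name__ == "__main__":
    D = subgroup(3, N)                       # q = 3 is not a multiple of m
    print(box_types(D, N, M), type_triple(box_types(D, N, M)))
    for s in range(N):
        lam = rotation_matrix(s, N)
        print(f"s={s}: type-preserving={preserves_subgroup_type(lam, N, M)}, "
              f"primitive with toy S-Box={is_primitive(lam, TOY_SBOX, N, M)}")
```

For s = 2 = m the checker finds no block system for any q, as Theorem 4.1 predicts. For the type-preserving rotation s = 1 the toy S-Box maps each pair {v, v ⊕ 128} to a pair of the same shape (the S-Box sends the two inputs of a brick that differ in the top bit to outputs that differ in the bottom bit, which the rotation moves back to the top bit of the word), so the cosets of ⟨2^7⟩ are a block system and Γ∞ is imprimitive. Being type-preserving does not by itself give a block system, but a non-type-preserving layer rules one out for every invertible parallel S-Box.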

Generalization of the mixing layer of a GOST-like cipher and primitivity
In this section, we use a known structure of a block cipher to give an example of a cipher that is primitive if a non-type-preserving mixing layer is used. In particular, we consider a GOST-like cipher, defined in [5], with a generalized mixing layer using any non-type-preserving matrix instead of a rotation. Then we prove that the group generated by the round functions is primitive if the S-Boxes are invertible.
We give the definition of a generalized GOST-like cipher and of the corresponding group generated by the round functions, adapting the definition of a GOST-like cipher given in [5] by substituting the rotation by $m \le s \le m(\delta - 1)$ bits with any non-type-preserving mixing layer.
The plaintext space is $V = V_1 \times V_2$, where $V_1, V_2$ are two copies of $\mathbb{F}_2^n$, and the key space K is another copy of $\mathbb{F}_2^n$. Clearly V inherits both group structures componentwise from $V_1, V_2$. Let us consider
• $V_i$, for i = 1, 2, as the Cartesian product of δ > 1 spaces $V_i^j$, all of the same dimension m > 1;
• a non-linear map (parallel S-Box) $\gamma \in \mathrm{Sym}(V_i)$ which acts in a parallel way on each $V_i^j$ through maps $\gamma_j$, where $\gamma_j \in \mathrm{Sym}(V_i^j)$ and $0\gamma_j \neq 0$;
• a non-type-preserving linear map $\lambda \in \mathrm{Sym}(V_i)$;
• $\rho \stackrel{\text{def}}{=} \gamma\lambda \in \mathrm{Sym}(V_i)$.

We are ready to define a round function of a generalized GOST-like cipher. Let H = K × K = V be the round key space; a round takes the form of a GOST-like round built from ρ and the modular key addition, with round keys (k, h) ∈ H. The corresponding group generated by the round functions is thus generated by all such rounds as (k, h) ranges over H.

Theorem 4.3. The group generated by the round functions of a generalized GOST-like cipher with invertible S-Boxes and non-type-preserving mixing layer is primitive.

Proof. The proof is the same as the one given in Section 4 of [5], which uses Goursat's Lemma [18], until the case Dρ = 0ρ ⊞ D, with D a non-trivial proper subgroup of $\mathbb{Z}_{2^n}$, is reached. For this case we can proceed as in the proof of Theorem 4.1 and apply Theorem 3.3.

Conclusions and open problems
A key feature of a block cipher is its ability to resist known attacks, such as differential, linear and algebraic attacks. In this work we focused on the imprimitivity attack proposed in [23], approaching the problem in the case of block ciphers with addition modulo $2^n$ as key mixing function. Our main result is the characterization of binary matrices (associated to mixing layers) according to the newly introduced property of being type-preserving. Then we showed how non-type-preserving matrices ensure resistance against imprimitivity attacks (see Theorems 4.1 and 4.3).
The study of primitivity in block ciphers depends on the key mixing function. Therefore, it could be interesting to adapt the definition of non-type-preserving mixing layer to other actions of the key. Future directions will be the analysis of n-bit block ciphers whose key mixing function is the addition modulo $2^m$, acting in parallel on disjoint subsets of m bits of the n-bit state. We remark that the case m = n is the topic of this work, while the case m = 1 implies that the key mixing function is the addition modulo 2 between the key and the state, hence it has already been discussed in [13].
A further work will be to design an instance of the generalized GOST-like cipher, presented in Section 4.2, by choosing a non-type-preserving mixing layer, a parallel S-Box and a key-schedule, and then to make a more detailed analysis of its security, including the study of classical statistical attacks. This approach could indeed give new insights on ciphers using addition modulo $2^n$ as key mixing function.