Some group-theoretical results on Feistel Networks in a long-key scenario

The study of the trapdoors that can be hidden in a block cipher is and has always been a high-interest topic in symmetric cryptography. In this paper we focus on Feistel-network-like ciphers in a classical long-key scenario and we investigate some conditions which make such a construction immune to the partition-based attack introduced recently by Bannier et al.


Introduction
Most modern block ciphers belong to two families of symmetric cryptosystems, i.e. Substitution-Permutation Networks (SPN) and Feistel Networks. Typically, in both cases, each encryption function is a composition of key-dependent permutations of the plaintext space, called round functions, designed in such a way as to provide both confusion and diffusion (see [21]). Confusion is provided by applying public non-linear vectorial Boolean functions, called S-boxes, whereas diffusion is obtained by means of public linear maps, called diffusion layers. The private component of the cipher, i.e. the key, is derived from the user-provided information by means of a public procedure known as the key-schedule. When the round functions are built so that the confusion and diffusion layers are followed by the XOR-addition of the so-called round key, and the round key ranges over every possible vector of the message space, the cipher is called a long-key cipher.
Since the seventies, many researchers have studied the relationship between some algebraic properties of the confusion/diffusion layers and some algebraic weaknesses of the corresponding ciphers, using a permutation-group-theoretical approach. In 1975, Coppersmith and Grossman [13] considered a set of permutations which can be used to define a block cipher and, by studying the permutation group that they generate, linked some properties of this group to the security of the corresponding cipher. From this work a new branch of research was born, which focuses on group-theoretical properties that can be exploited to attack encryption methods. In [18], the authors proved that if the permutation group generated by the encryption functions of a cipher is too small, then the cipher is vulnerable to birthday-paradox attacks. In [10] the authors proved that if such a group is isomorphic to a subgroup of the affine group of the plaintext space induced by a sum different from the classical bitwise XOR, then it is possible to embed a dangerous trapdoor in it. More relevantly, in [19] Paterson built a DES-like [15] cipher whose encryption functions generate an imprimitive group and showed how the knowledge of this trapdoor can be turned into an efficient attack on the cipher. For this reason, showing that the group generated by the encryption functions of a given cipher is primitive and not of affine type became a relevant branch of research (see [2,3,4,11,12,22,23,24,25]). Recently, in [5,6] the imprimitive attack shown by Paterson was generalized by means of a trapdoor which consists in mapping a partition of the plaintext space into a (different) partition of the ciphertext space. The authors also proved that only linear partitions can propagate round-by-round in a long-key SPN. Later, Calderini [9] showed which conditions ensure that linear partitions cannot propagate in a long-key SPN.
In this work we study some properties of linear-partition propagation under the action of a long-key Feistel network. In particular, our aim is to prove that also in a Feistel-network-like long-key framework, if the cipher allows partition propagation, then the partitions are linear ones. Moreover, we provide a partial generalisation of Calderini's result to the Feistel network case.

Preliminaries and notation
The notation and parameters which are used throughout this paper are presented in the following section.
Let $n \in \mathbb{N}$ and let us denote by $V = (\mathbb{F}_2)^n$ the $n$-dimensional vector space over $\mathbb{F}_2$ equipped with the bit-wise XOR. Let us suppose $\dim(V) = n = bs$ and let us write $V = V_1 \oplus \cdots \oplus V_b$, where $\dim(V_j) = s$ and $\oplus$ represents the direct sum of vector subspaces. The subspaces $V_j$ are called bricks. For any $I \subset \{1, \dots, b\}$ with $I \neq \emptyset$ and $I \neq \{1, \dots, b\}$, the direct sum $\bigoplus_{i \in I} V_i$ is called a wall. We denote by $\mathrm{Sym}(V)$ the symmetric group acting on $V$, i.e. the group of all the permutations of $V$. Let us also denote by $\mathrm{AGL}(V)$ the group of all affine permutations of $V$, which is a primitive maximal subgroup of $\mathrm{Sym}(V)$. The translation group on $V$ is denoted by $T(V)$. Let us now introduce block ciphers, the subject of this work.
2.1. Block ciphers. Let $\mathcal{M}$ and $\mathcal{K}$ be non-empty sets, where $|\mathcal{K}| \geq |\mathcal{M}|$. A block cipher $\Phi = \{E_K \mid K \in \mathcal{K}\} \subseteq \mathrm{Sym}(\mathcal{M})$ is a family of key-dependent permutations, where $\mathcal{M}$ is called the message space and $\mathcal{K}$ the key space. The permutation $E_K$ is called the encryption function induced by the master key $K$. The block cipher $\Phi$ is called an iterated block cipher if there exists $r \in \mathbb{N}$ such that for each $K \in \mathcal{K}$ the encryption function $E_K$ is the composition of $r$ key-dependent round functions, i.e. $E_K = \varepsilon_{1,K}\varepsilon_{2,K}\cdots\varepsilon_{r,K}$. To provide efficiency, each round function is the composition of a public component provided by the designers, and a private component. In the theory of modern iterated block ciphers, two frameworks are mainly considered: Substitution-Permutation Networks, typically abbreviated as SPN (see e.g. AES [14]), and Feistel networks (see e.g. [15]). Figure 1 depicts the general framework of SPNs, Feistel networks and their round functions; notice that inside the round function of a Feistel network, a function called F-function is applied to one half of the state. In both cases, the principles of confusion and diffusion suggested by Shannon [21] are implemented by considering each round function (or respectively F-function) as the composition of a key-induced permutation with non-linear confusion layers and linear diffusion layers, which are invertible in the case of SPNs and preferably (but not necessarily) invertible in the case of Feistel networks. The following definition has been given in [1] and introduces a class of round functions for iterated block ciphers which is large enough to include the round functions of well-established SPNs and some F-functions of Feistel networks.
• the maps $\gamma^{(j)} : V_j \to V_j$ are traditionally called S-boxes;
• $\lambda \in \mathrm{Sym}(V)$ is a linear map, called diffusion layer;
• $\sigma_k : V \to V$, $x \mapsto x + k$, called key-addition layer, represents the addition with the round key $k$, where $+$ is the usual bitwise XOR.
In the modern literature, the terms SPN (or the similar notion of translation-based cipher [11]) and Feistel network may refer to a very diverse variety of ciphers. For the purposes of this paper we choose to focus only on ciphers with an XOR-based key addition. For this reason, by SPN we mean any cipher $\{E_K \mid K \in \mathcal{K}\} \subseteq \mathrm{Sym}(\mathcal{M})$ having an SPN-like structure with $\mathcal{M} = V$ and classical round functions on $V$ as round functions, and by Feistel network any cipher $\{E_K \mid K \in \mathcal{K}\} \subseteq \mathrm{Sym}(\mathcal{M})$ having a Feistel-network-like structure with $\mathcal{M} = V \times V$ and classical round functions on $V$ as F-functions. In both cases, the composition $\rho_i \stackrel{\text{def}}{=} \gamma_i\lambda_i$ is called the generating function of the $i$-th round of the cipher. Notice that in real-life ciphers it usually holds that $\rho_1 = \mathrm{id}_V$, which means that in the first round only a key addition is applied to the plaintext (whitening). In this setting, an $r$-round cipher is defined once the list of its generating functions $\rho_1, \dots, \rho_r$ and its key-schedule are given.
Once the key $K \in \mathcal{K}$ to be used for the encryption has been chosen, the encryption function is obtained by composing the $r$ classical round functions induced by the corresponding round keys, which are, as previously mentioned, derived by the key-schedule. Hence, in the quite popular setting in which the round key is XORed to the state, the key-schedule is a function $S$ whose $i$-th component $S(K)_i$ is the $i$-th round key derived from the user-provided key $K$, and $\varepsilon_{i,K} = \varepsilon_{S(K)_i}$.
In the remainder of this section we recall some basic notions of non-linearity for Boolean functions which will be useful later. Let us recall that the non-linear layer of the ciphers considered throughout this work acts by applying vectorial Boolean functions $\gamma^{(i)}$ to each brick of the block. Notice that we can always assume $0\gamma^{(i)} = 0$ without loss of generality, since otherwise $0\gamma^{(i)}$ can be included as part of the key-addition layer of the previous round, for each brick index $1 \leq i \leq b$ (see [11, Remark 3.3]).
It is known that $\delta$-differentially uniform functions with small $\delta$ are "farther" from being linear than functions with a larger differential uniformity. Notice indeed that when $f$ is linear, then $\delta = 2^s$. Let us recall that 2-differentially uniform S-boxes, which reach the lower bound of the previous definition, are called Almost Perfect Non-linear (APN). Vectorial Boolean functions used as S-boxes in block ciphers must have low differential uniformity to prevent differential cryptanalysis (see [7]), and so APN S-boxes usually represent an optimal choice in terms of resistance to differential attacks.
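Computing the differential uniformity of a concrete S-box makes the notion above tangible. The following example is added here and is not code from the paper: it counts, for every non-zero input difference $a$ and every output difference $b$, the number of $x$ with $xf + (x+a)f = b$ and returns the maximum, then applies it to three S-boxes (all assumed for this example): the cube map $x \mapsto x^3$ on $\mathbb{F}_{2^3}$ (an APN permutation, so $\delta = 2$), a bit rotation (linear, so $\delta = 2^s = 8$), and the 4-bit PRESENT S-box (a well-known table with $\delta = 4$).

```python
"""Differential uniformity of S-boxes on F_2^s (added example, not from the paper)."""
from collections import Counter


def differential_uniformity(sbox):
    """delta = max over a != 0 and b of #{x : sbox[x] ^ sbox[x ^ a] == b}.

    sbox is a list of length 2**s representing a vectorial Boolean function
    on s bits; addition in (F_2)^s is the bitwise XOR.
    """
    size = len(sbox)
    worst = 0
    for a in range(1, size):
        # multiset of output differences for the input difference a
        counts = Counter(sbox[x] ^ sbox[x ^ a] for x in range(size))
        worst = max(worst, max(counts.values()))
    return worst


def is_apn(sbox):
    """APN means reaching the lower bound delta = 2."""
    return differential_uniformity(sbox) == 2


def gf8_mul(a, b):
    """Multiplication in GF(2^3) with the irreducible modulus x^3 + x + 1."""
    r = 0
    for i in range(3):
        if (b >> i) & 1:
            r ^= a << i
    for bit in (4, 3):              # reduce degree-4 and degree-3 terms
        if r & (1 << bit):
            r ^= 0b1011 << (bit - 3)
    return r


# Sample S-boxes (assumptions of this example, not objects from the paper):
CUBE = [gf8_mul(gf8_mul(x, x), x) for x in range(8)]      # x -> x^3 on GF(2^3), APN
ROTATE = [((x << 1) & 7) | (x >> 2) for x in range(8)]     # a linear permutation of (F_2)^3
PRESENT = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,        # the PRESENT 4-bit S-box
           0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


if __name__ == "__main__":
    for name, box in (("x^3 on GF(8)", CUBE), ("rotation", ROTATE), ("PRESENT", PRESENT)):
        print(f"{name:14s} delta = {differential_uniformity(box)}  APN = {is_apn(box)}")
```

The derivative $x \mapsto xf + (x+a)f$ of the cube map is a quadratic, hence 2-to-1, which is why it reaches $\delta = 2$; for the rotation the derivative is constant, so a single output difference collects all $2^s$ inputs.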
We conclude this section giving another notion of non-linearity that we will use in some results of this work.
The function $f$ is strongly $\delta$-anti-invariant if for each $U$ and $W$ proper and non-trivial subspaces of $(\mathbb{F}_2)^s$, then Notice that if $1 \leq \delta < \delta' < s$ and $f$ is strongly $\delta'$-anti-invariant, then it is also strongly $\delta$-anti-invariant.

2.3. A long-key scenario. As mentioned in the introduction, the focus of this work is on a specific type of key-schedule, i.e. the one defined as follows. Definition 2.5. Let $\Phi$ be an $r$-round cipher on $\mathcal{M}$ and let $S :$ The group generated by the encryption functions of a long-key cipher and its properties will be investigated throughout this work. In the next section we will, in particular, study its behaviour in relation to the attacks described there.

Group-theoretical trapdoors
The study of groups related to block ciphers may reveal weaknesses which can be exploited to perform algebraic attacks. In this paper, we focus on some particular group-theoretical attacks (see e.g. [19,5]), based on undesirable properties of such permutation groups. Notice that the study of the group generated by the encryption functions is a hard task in general, since the dependence on the key-schedule is not easily turned into algebraic conditions. The aim of this work is to study the group generated by the encryption functions of $\Phi$, denoted by $\Gamma(\Phi)$, in an easier setting, i.e. that of a long-key cipher. In particular we will focus on Feistel networks, providing a first generalisation of the results obtained in [9] regarding translation-based ciphers. For this purpose we also make use of the following group, in which all the possible round keys for round $h$ are considered: From these groups, $\Gamma_\infty(\Phi)$ can be obtained. As mentioned in Section 1, the group $\Gamma_\infty$ has been extensively studied in recent years, being the closest to the one generated by the encryption functions that can be successfully investigated. It is worth stressing, however, that $\Gamma_\infty(\Phi)$ may a priori be much larger than the actual group $\Gamma(\Phi)$ of the encryption functions.
The imprimitivity of such a group is one of the properties which may easily lead an attacker to a successful break of the cipher. The imprimitivity attack and its generalisation are described in the following section.
3.1. Imprimitive action and partition-based trapdoor. We recall that a permutation group $G$ acting on $V$ is called primitive if no non-trivial partition of $V$ is invariant under the action of $G$, i.e. there is no partition $\mathcal{A}$ of $V$, different from the trivial partitions $\{\{v\} \mid v \in V\}$ and $\{V\}$, such that $Ag \in \mathcal{A}$ for all $A \in \mathcal{A}$ and $g \in G$. On the other hand, if a non-trivial $G$-invariant partition $\mathcal{A}$ exists, the group is called imprimitive. Each $A \in \mathcal{A}$ is called an imprimitivity block.
Imprimitivity is a very undesirable property for the group generated by the encryption functions of a block cipher. As Paterson [19] showed, if this group is imprimitive, then it is possible to embed a trapdoor in the cipher which may allow attackers to recover crucial key information with far less effort than a brute-force attack. Moreover, in [11] the authors characterised the cryptographic conditions on the Boolean components of a cipher which guarantee that the corresponding group $\Gamma_\infty$ is primitive. These results apply to the family of translation-based ciphers (see [11]), which is large enough to contain some of the most popular encryption methods (see [8,14]). The conditions on the layers of the cipher which will be considered in this work are the same as those used in [11], or generalisations of them. The idea of attacking a cipher by exploiting the imprimitive action of its group has been generalized in a recent work [5], where the partition-based attack is introduced. The basic idea behind the attack is that, even if the group is primitive, there may exist a sequence of partitions $\mathcal{A}_1, \dots, \mathcal{A}_r$ such that the $i$-th round function of each encryption function maps $\mathcal{A}_i$ into $\mathcal{A}_{i+1}$. It is not hard to see that, provided this condition holds, the cipher can be attacked using an argument similar to the one exploiting imprimitivity. In [5], the authors show an example of such an attack on an SPN.
We report here some of the definitions and results presented in [5].
A partition $\mathcal{A}$ of $V$ is called linear if it is the set of cosets $\{U + v \mid v \in V\}$ of a subspace $U$ of $V$. We denote such a partition $\mathcal{A}$ by $L(U)$.
The following result, introduced by Harpes and Massey in [17], characterizes the possible partitions $\mathcal{A}$ and $\mathcal{B}$ such that the translation group $T(V)$ maps $\mathcal{A}$ into $\mathcal{B}$. We report now the main result of [5]. Theorem 3.3. Let $\Phi$ be an $r$-round long-key SPN on $\mathcal{M} = V$. Suppose that there exist non-trivial partitions $\mathcal{A}$ and $\mathcal{B}$ such that for each key $K$ the encryption function $E_K$ maps $\mathcal{A}$ to $\mathcal{B}$. Define $\mathcal{A}_1 = \mathcal{A}$ and $\mathcal{A}_{i+1} = \mathcal{A}_i\rho_i$ for $1 \leq i \leq r$, where $\rho_i = \gamma_i\lambda_i$ is the generating function of the $i$-th round. Assume also that $\rho_1$ is the identity map. Then
• $\mathcal{A}_{r+1} = \mathcal{B}$;
• $\mathcal{A}_i$ is a linear partition for any $1 \leq i \leq r+1$.
In the previous result, Bannier et al. proved that the only partitions which can propagate round-by-round are the linear ones. The next result, proved in [9], shows which conditions are sufficient to prevent linear-partition propagation in the SPN case; the aim of this work is to provide a partial generalisation of it to the Feistel network case. Calderini derived the following result, which guarantees immunity from the partition-based attack [9].
Theorem 3.4. Let $\rho_1, \dots, \rho_r \in \mathrm{Sym}(V)$ and let $\Phi$ be an $r$-round SPN on $\mathcal{M} = V$, where the $i$-th round applies $\rho_i = \gamma_i\lambda_i$ such that $0\rho_i = 0$. Let us assume that for some $1 \leq i < r$ we have
• $\gamma_i$ and $\gamma_{i+1}$ are parallel maps which apply $2^\delta$-differentially uniform and $(\delta-1)$-strongly anti-invariant S-boxes, for some $\delta < m$;
• $\lambda_i$ is a strongly-proper diffusion layer.
Then no encryption function $E_K$ maps a non-trivial partition of $V$ into a non-trivial partition of $V$.

Results
As previously mentioned, the aim of this work is to prove, for long-key Feistel networks, some results linked to those recalled in the previous section. We study linear-partition propagation under the action of a long-key Feistel network. The results obtained may be considered as a starting point for a complete generalisation to Feistel networks of the results of Sect. 3.1, proved in [9] for translation-based ciphers. For this purpose, let us consider a typical Feistel structure, and let us introduce a formal $2n \times 2n$ matrix which implements it. Such a formal matrix is defined as
$$\hat\rho \stackrel{\text{def}}{=} \begin{pmatrix} 0_n & 1_n \\ 1_n & \rho \end{pmatrix},$$
where $0_n$ is the $n \times n$ zero matrix, $1_n$ is the $n \times n$ identity matrix and $\hat\rho$ is called the Feistel operator induced by the generating function $\rho$, whose right action on $(x_1, x_2) \in V \times V$ is given by
$$(x_1, x_2)\hat\rho = (x_2,\; x_1 + x_2\rho).$$
Note that $\hat\rho$ has the inverse matrix
$$\hat\rho^{-1} = \begin{pmatrix} \rho & 1_n \\ 1_n & 0_n \end{pmatrix},$$
i.e. $(y_1, y_2)\hat\rho^{-1} = (y_1\rho + y_2,\; y_1)$. Let $\Phi$ be an $r$-round long-key Feistel network acting on $V \times V$, having the following $i$-th round function: $\varepsilon_{i,K} = \hat\rho_i\,\sigma_{(0,k_i)}$, where $\hat\rho_i$ is the $i$-th Feistel operator induced by $\rho_i$ and $k_i$ is the $i$-th round key. In this setting the following holds.
Lemma 4.1. If $\Phi$ is a long-key Feistel network as above, then $T(V \times V) \leq \Gamma(\Phi)$.
In the following theorem we study which partitions can propagate in a long-key Feistel network. Theorem 4.2. Let $\Phi$ be an $r$-round long-key Feistel network as above. Suppose that there exist non-trivial partitions $\mathcal{A}$ and $\mathcal{B}$ such that for each key $K$ the encryption function $E_K$ maps $\mathcal{A}$ to $\mathcal{B}$. Define $\mathcal{A}_1 = \mathcal{A}$ and $\mathcal{A}_{i+1} = \mathcal{A}_i\hat\rho_i$ for $1 \leq i \leq r$, where $\hat\rho_i$ is the Feistel operator induced by the generating function $\rho_i$ of the $i$-th round. Then
• $\mathcal{A}_{r+1} = \mathcal{B}$;
• $\mathcal{A}_i$ is a linear partition, for any $2 \leq i \leq r$.
Moreover, if $\mathcal{A} = \mathcal{B}$, i.e. $\Gamma(\Phi)$ acts imprimitively, then $\mathcal{A}$ is a linear partition.
Remark 1. Note that we have defined the action of a round function of $\Phi$ on $V \times V$ in such a way that the round key acts on the right half of the state after the generating function $\rho$ has been applied to the right factor of $V \times V$. In some real-world ciphers, however, $\rho$ acts after the addition of the corresponding round key. In that case the $i$-th round function adds the round key before applying $\hat\rho_i$, and the group of the cipher with a long-key key-schedule is
$$G \stackrel{\text{def}}{=} \left\langle \sigma_{(0,k_1)}\hat\rho_1\,\sigma_{(k_1,k_2)} \cdots \sigma_{(k_{r-1},k_r)}\hat\rho_r\,\sigma_{(k_r,0)} \;\middle|\; (k_1, \dots, k_r) \in V^r \right\rangle,$$
so that $\hat\rho_1\hat\rho_2\cdots\hat\rho_r \in G$. We cannot prove that $G$ contains $T(V \times V)$ as well. Note that, as observed in the proof of Theorem 4.2, any function of the type
$$\sigma_{(0,k_1)}\hat\rho_1\,\sigma_{(k_1,k_2)} \cdots \sigma_{(k_{r-1},k_r)}\hat\rho_r\,\sigma_{(k_r,0)}$$
can be rewritten as a function of the type
$$\sigma_{(0,k_1)}\hat\rho_1\,\sigma_{(0,k_2)}\hat\rho_2\,\sigma_{(0,k_1+k_3)} \cdots \sigma_{(0,k_{r-2}+k_r)}\hat\rho_r\,\sigma_{(k_r,k_{r-1})},$$
which is an element of $\Gamma(\Phi)$, recalling that $\Phi$ represents the cipher where the key addition is applied after the generating function. Thus, studying the properties of $\Gamma(\Phi)$ also gives important information on $G$; e.g. if $\Gamma(\Phi)$ acts imprimitively, then so does $G$. More generally, invariant partitions for $\Gamma(\Phi)$ are also invariant partitions for $G$.
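The rewriting in Remark 1 rests on one identity: a key added to the left half commutes through the Feistel operator, $\sigma_{(k,0)}\hat\rho = \hat\rho\,\sigma_{(0,k)}$, because $(x_1 + k, x_2)\hat\rho = (x_2, x_1 + x_2\rho + k)$. The following script is an added example, not code from the paper: it implements the right action of $\hat\rho$ and its inverse on $V \times V$ with $n = 6$ (an assumption of this example), builds both $r$-round products of Remark 1 from the same keys, and checks on every point of $V \times V$ that they coincide. Random permutations of $V$ stand in for the generating functions $\rho_i$ (constructed sample data).

```python
"""Feistel operator on V x V and the re-keying identity of Remark 1 (added example)."""
import random

N = 6                       # bits per half: V = F_2^6 (assumption of this example)
POINTS = [(x1, x2) for x1 in range(1 << N) for x2 in range(1 << N)]


def make_rho(seed):
    """A random permutation of V standing in for a generating function rho (constructed)."""
    table = list(range(1 << N))
    random.Random(seed).shuffle(table)
    return lambda x: table[x]


def feistel(rho):
    """Right action of the Feistel operator: (x1, x2) -> (x2, x1 + x2 rho)."""
    return lambda p: (p[1], p[0] ^ rho(p[1]))


def feistel_inv(rho):
    """Inverse operator: (y1, y2) -> (y1 rho + y2, y1)."""
    return lambda p: (rho(p[0]) ^ p[1], p[0])


def sigma(k1, k2):
    """Translation sigma_(k1,k2): (x1, x2) -> (x1 + k1, x2 + k2)."""
    return lambda p: (p[0] ^ k1, p[1] ^ k2)


def compose(*maps):
    """Left-to-right composition, matching the paper's right-action notation."""
    def f(p):
        for m in maps:
            p = m(p)
        return p
    return f


def key_before(rhos, keys):
    """sigma_(0,k1) rho^1 sigma_(k1,k2) rho^2 ... sigma_(k_{r-1},k_r) rho^r sigma_(k_r,0)."""
    r = len(rhos)
    maps = [sigma(0, keys[0])]
    for i in range(r):
        maps.append(feistel(rhos[i]))
        maps.append(sigma(keys[i], keys[i + 1]) if i < r - 1 else sigma(keys[r - 1], 0))
    return compose(*maps)


def key_after(rhos, keys):
    """sigma_(0,k1) rho^1 sigma_(0,k2) rho^2 sigma_(0,k1+k3) ... sigma_(0,k_{r-2}+k_r) rho^r sigma_(k_r,k_{r-1})."""
    r = len(rhos)
    maps = [sigma(0, keys[0]), feistel(rhos[0])]
    for i in range(1, r):
        carried = keys[i - 2] if i >= 2 else 0      # left-half key pushed through by rho^{i-1}
        maps.append(sigma(0, carried ^ keys[i]))
        maps.append(feistel(rhos[i]))
    maps.append(sigma(keys[r - 1], keys[r - 2]))
    return compose(*maps)


def check_inverse(seed=7):
    """rho_hat followed by its inverse is the identity on V x V."""
    rho = make_rho(seed)
    f, g = feistel(rho), feistel_inv(rho)
    return all(g(f(p)) == p for p in POINTS)


def check_left_key_commutes(k=0x2A, seed=3):
    """sigma_(k,0) rho_hat == rho_hat sigma_(0,k) pointwise."""
    rho = make_rho(seed)
    lhs = compose(sigma(k, 0), feistel(rho))
    rhs = compose(feistel(rho), sigma(0, k))
    return all(lhs(p) == rhs(p) for p in POINTS)


def check_rekeying(r=4, seed=1):
    """The two r-round products of Remark 1 agree on every point (r >= 2)."""
    rhos = [make_rho(seed + i) for i in range(r)]
    rng = random.Random(seed + 100)
    keys = [rng.randrange(1 << N) for _ in range(r)]
    f, g = key_before(rhos, keys), key_after(rhos, keys)
    return all(f(p) == g(p) for p in POINTS)


if __name__ == "__main__":
    print("inverse ok:", check_inverse())
    print("left key commutes:", check_left_key_commutes())
    print("re-keying identity, r=2..4:", [check_rekeying(r) for r in (2, 3, 4)])
```

The bookkeeping in `key_after` is exactly the paper's pattern: the left-half key $k_{i-1}$ that $\hat\rho_{i-1}$ pushes onto the right half reappears two rounds later, added to $k_{i+1}$, and the last left-half key $k_{r-1}$ ends up in the final translation $\sigma_{(k_r, k_{r-1})}$.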
In what follows, we aim at studying algebraic conditions which need to be satisfied by some partitions in order to prevent the partition-based attack. In particular, we classify a family of block systems which, in the case of Feistel networks, cannot be exploited for partition-based cryptanalysis. It is important to point out that the considered set of block systems contains the most used types of partitions for cryptanalysis. In order to do so, we need to study the subgroups of the direct product $(V \times V, +)$. We make use of the following result, due to Goursat [16], which characterises the subgroups of the direct product of two groups in terms of suitable sections of the direct factors (see also [20]). In this bijection, each subgroup of $G_1 \times G_2$ can be uniquely written as
$$U_\psi = \{(a, c) \in A \times C \mid (a + B)\psi = c + D\},$$
where $B \trianglelefteq A \leq G_1$, $D \trianglelefteq C \leq G_2$ and $\psi : A/B \to C/D$ is an isomorphism. Note that the isomorphism $\psi : A/B \to C/D$ is induced by a homomorphism $\varphi : A \to C$ such that $(a + B)\psi = a\varphi + D$ for any $a \in A$, and $B\varphi \leq D$. Such a homomorphism is not unique.

Lemma 4.4 ([3]). In the above notation, given any homomorphism $\varphi$ inducing $\psi$, we have
$$U_\psi = \{(a,\; a\varphi + d) \mid a \in A,\ d \in D\}. \qquad (2)$$
Proof. Note first that the right-hand side of (2) is contained in $U_\psi$, since for $a \in A$ and $d \in D$ we have $(a + B)\psi = a\varphi + D = a\varphi + d + D$, that is, $(a, a\varphi + d) \in U_\psi$. Conversely, $U_\psi$ is contained in the right-hand side of (2): if $(a, c) \in U_\psi$ we have $a\varphi + D = (a + B)\psi = c + D$, so that $c = a\varphi + d$ for some $d \in D$.
In the following result we consider two subgroups of $V \times V$ such that the first is mapped into the second by a Feistel operator, and we highlight some conditions that such subgroups have to satisfy. The conditions derived from the next lemma will also be used in Theorem 4.6 and in Theorem 4.8.
In the following theorem we show that the study of partition propagation through two rounds of a Feistel network can be reduced to the study of partition propagation through one round of the corresponding SPN. A similar argument was used in [1] to reduce the primitivity of the group generated by a Feistel network to that of the related SPN.
Theorem 4.6. Let $\rho_1, \rho_2 \in \mathrm{Sym}(V) \setminus \mathrm{AGL}(V)$ and let $\hat\rho_1$ and $\hat\rho_2$ be the corresponding Feistel operators. Suppose that there exist two non-trivial and proper subgroups Then there exist $U_1$ and $W_1$, non-trivial and proper subgroups of $V$, such that for each $v \in V$ there exists $w \in V$ such that Analogously, there exist $U_2$ and $W_2$, non-trivial and proper subgroups of $V$, such that for each $v \in V$ there exists $w \in V$ such that
Proof. By Lemma 4.4 we have for each $i = 1, 2$. What follows holds for both $i = 1$ and $i = 2$, where for $i = 2$ we read $i + 1$ as $(i + 1) \bmod 2 = 1$. We can assume without loss of generality that $0\rho_1 = 0\rho_2 = 0$. Using assumptions 1. and 2., applying we can assume $v_{i+1} = w_i$ and $w_{i+1} = v_i + w_i\rho_i$. Therefore, in the general case, for that is, since the maps $\varphi_i$ are homomorphisms, Hence, considering $a_i = 0$, it follows that is an isomorphism. Therefore Hence in Eq. (5) we can take $w_i = 0$, obtaining Since the function $x \mapsto x + x\varphi_i\varphi_{i+1}$ is linear, we have proved that $\rho_i \in \mathrm{AGL}(V)$, which contradicts the hypothesis $\rho_i \in \mathrm{Sym}(V) \setminus \mathrm{AGL}(V)$.
Since $a_i$ and $a_i\varphi_i\varphi_{i+1}$ are contained in $A_i$, $a_i\varphi_i$ is an element of $A_{i+1}$ for each $a_i \in A_i$, and $|A_i| = |A_{i+1}|$, by Eq. (5) we obtain This concludes the proof: indeed, if $D_1$ and $D_2$ are both proper and non-trivial subgroups of $V$, the claim follows from Eq. (4); otherwise, the claim follows from Eq. (6).
The following result examines the converse implication of Theorem 4.6.
Proof. Since $L(U_1)\rho = L(U_2)$, for each $v \in V$ there exists $w \in V$ such that Notice that in Eq. (7) we can choose $w = v\rho$.
By Eq. (7), there exists u ∈ U 2 such that (u + v )ρ = u + v ρ, and so for each (u, u ) ∈ U 1 and (v, v ) ∈ V × V we obtain and so
Remark 2. Notice that if $U_1 = U_2$, then the two subgroups of $V \times V$ obtained in Theorem 4.7 coincide. In this case, Theorem 4.7 provides the converse of Theorem 4.5 proved in [1]. In other words, the primitivity of the group $\langle \rho, T(V) \rangle$ is a necessary and sufficient condition for the primitivity of the group generated by the round functions of the Feistel network acting on $V \times V$ and having $\rho$ as generating function for each round.
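Theorems 4.2, 4.6 and 4.7 are statements about whether the image of a linear partition $L(U)$ under $\rho$ or $\hat\rho$ is again linear. The script below is an added example and not code from the paper; it makes that question computable on a toy instance (all choices are assumptions of this example): $V = (\mathbb{F}_2)^6$ with two 3-bit bricks, $\gamma$ applying the APN cube map of $\mathbb{F}_{2^3}$ to each brick, and two linear layers, the identity (which maps every wall to itself) and a mixing map that does not. It pushes the wall $V_1$ through $\rho = \gamma\lambda$ round by round, and pushes $V_1 \times V_1$ through $\hat\rho$, testing each time whether the resulting partition is $L(W)$ for some subspace $W$. With $\lambda = \mathrm{id}$ the wall survives every SPN round and $L(V_1 \times V_1)$ is $\hat\rho$-invariant, i.e. a block system in the sense of Remark 2 (here $V_1 \times V_1$ is the subgroup of $V \times V$ built from $U_1 = U_2 = V_1$, a construction checked by this example rather than quoted from the paper); with the mixing $\lambda$ the linear partition is destroyed after the second SPN round and after a single Feistel round.

```python
"""Linear-partition propagation under rho = gamma lambda and under its Feistel operator (added example)."""

S, B = 3, 2                      # 3-bit bricks, two bricks: V = F_2^6 (assumption of this example)
N = S * B
BRICK = (1 << S) - 1
V = range(1 << N)                 # elements of V as 6-bit ints; + is XOR
VV = range(1 << (2 * N))          # (x1, x2) in V x V packed as x1 | (x2 << N)

# x -> x^3 in GF(2^3) with modulus x^3 + x + 1: an APN permutation used as the S-box (constructed table)
CUBE = [0, 1, 3, 4, 5, 6, 7, 2]


def gamma(x):
    """Parallel map: CUBE applied to every brick."""
    return sum(CUBE[(x >> (S * j)) & BRICK] << (S * j) for j in range(B))


def lam_identity(x):
    """Linear layer that maps every wall to itself (not strongly proper)."""
    return x


def lam_mix(x):
    """Linear layer (x1, x2) -> (x1 + x2, x1) on bricks; the wall V_1 goes to {(a, a)}, not a wall."""
    x1, x2 = x & BRICK, x >> S
    return (x1 ^ x2) | (x1 << S)


def rho(lam):
    """Generating function rho = gamma lam as a right action: x -> (x gamma) lam."""
    return lambda x: lam(gamma(x))


def feistel(r):
    """Right action of the Feistel operator: (x1, x2) -> (x2, x1 + x2 rho)."""
    def f(p):
        x1, x2 = p & ((1 << N) - 1), p >> N
        return x2 | ((x1 ^ r(x2)) << N)
    return f


def span(gens):
    """Subspace generated by gens (ints under XOR)."""
    U = {0}
    for g in gens:
        U |= {u ^ g for u in U}
    return frozenset(U)


def linear_partition(U, space):
    """L(U): the partition of space into cosets of U."""
    return frozenset(frozenset(u ^ v for u in U) for v in space)


def image_partition(part, f):
    """The partition {A f : A in part}; f must be a bijection of the underlying space."""
    return frozenset(frozenset(f(x) for x in block) for block in part)


def as_linear(part):
    """Return W if part == L(W) for some subspace W, else None."""
    W = next(block for block in part if 0 in block)
    if any(a ^ b not in W for a in W for b in W):      # block of 0 must be a subgroup
        return None
    for block in part:                                 # every block must be a coset of it
        v = next(iter(block))
        if block != frozenset(w ^ v for w in W):
            return None
    return W


V1 = span([1, 2, 4])                                   # the wall V_1 (first brick) of V
V1xV1 = span([1, 2, 4, 1 << N, 2 << N, 4 << N])       # V_1 x V_1 inside V x V


def propagate_wall(lam, rounds):
    """Push L(V_1) through rounds of rho = gamma lam; list the W_i found, None once linearity is lost."""
    part, found = linear_partition(V1, V), []
    for _ in range(rounds):
        part = image_partition(part, rho(lam))
        W = as_linear(part)
        found.append(W)
        if W is None:
            break
    return found


def feistel_image(lam):
    """L(V_1 x V_1) under the Feistel operator of rho = gamma lam: a subspace of V x V, or None."""
    part = linear_partition(V1xV1, VV)
    return as_linear(image_partition(part, feistel(rho(lam))))


if __name__ == "__main__":
    print("identity lambda, SPN rounds:", [sorted(W) if W else None for W in propagate_wall(lam_identity, 2)])
    print("mixing lambda, SPN rounds:  ", [sorted(W) if W else None for W in propagate_wall(lam_mix, 2)])
    print("identity lambda, Feistel invariant:", feistel_image(lam_identity) == V1xV1)
    print("mixing lambda, Feistel image linear:", feistel_image(lam_mix) is not None)
```

The failure after the second mixing round is the differential-uniformity argument of Section 2 at work: $L(V_1)\gamma\lambda = L(D)$ with $D = \{(a,a)\}$, and on a coset $D + (1, 0)$ the cube map's derivative in direction $1$ is not constant, so $(D + (1,0))\gamma$ is not a coset of $D\gamma = D$.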
As announced, we provide a partial generalisation of Theorem 3.4 to the Feistel network case. In particular, we show some types of block systems which are not usable for the purpose of partition-based cryptanalysis. More precisely, we show that if a Feistel network has a sequence of non-trivial linear partitions which propagate from the first round to the last one, then such partitions cannot be of the types specified in the following theorem. In other words, we study the propagation of linear partitions under the action of $r$ rounds where every possible key can be chosen, i.e. under the action of a long-key Feistel network. The considered Feistel network has a generating function which is the composition of a parallel S-box layer followed by a diffusion layer, i.e. an SPN-like generating function. The same notation as in Lemma 4.4 is used in the following result. Theorem 4.8. Let $\rho_1, \dots, \rho_r \in \mathrm{Sym}(V)$ and let $\Phi$ be the $r$-round Feistel network where the $i$-th round applies the Feistel operator $\hat\rho_i$ induced by $\rho_i$. Let us assume that $0\rho_i = 0$ and $\rho_i = \gamma_i\lambda_i$, where
a) $\gamma_i$ is a parallel map which applies $2^\delta$-differentially uniform and $(\delta-1)$-strongly anti-invariant S-boxes, for some $\delta < s$, where $s$ denotes the dimension of each brick;
b) $\lambda_i$ is a linear strongly-proper diffusion layer.
Suppose that there exists a sequence of $r + 1$ non-trivial linear partitions $L(U_1), \dots, L(U_{r+1})$, where $U_i$ is a proper and non-trivial subgroup of $V \times V$ and $L(U_i)\hat\rho_i = L(U_{i+1})$ for all $1 \leq i \leq r$. Then none of the following conditions is satisfied:
Proof. We proceed in each case by contradiction.
Then, by Proposition 2, U i and U i+1 are walls and U i+1 = U i λ i , which contradicts the fact that λ i is strongly proper.
. This contradicts what previously proved.
and $\mathrm{Ker}\,\varphi_i \leq D_{i+1}$, we have that $\varphi_i$ is an isomorphism on $A_i$ and $A_i\varphi_i = A_{i+1}$. Moreover, by Lemma 4.5, $\rho_i$ is linear on $A_{i+1}$. If $A_i = (\mathbb{F}_2)^n$, then $\gamma_i$ is linear on $V$, which contradicts the fact that $\gamma_i$ satisfies the conditions in a). Suppose now $A_i < (\mathbb{F}_2)^n$. As in the proof of Theorem 4.6 we obtain that Since $\rho_i$ is linear on $A_{i+1}$, $\gamma_i$ is linear on $A_{i+1}$. If $V_j$ is a brick of the wall $A_{i+1}$, then the S-box of $\gamma_i$ relative to the brick $V_j$ is a linear map on $V_j$, which is a contradiction.
hence U i is trivial.
It is worth noticing that the partition used by Paterson in his construction of a DES-like trapdoor cipher (see [19,Lemma 3]) is as in point 2 in the previous theorem.
We conclude this section by observing that it is possible to prove a result similar to Theorem 4.8 using a weaker notion of differential uniformity, defined in [11], provided a larger value of strong anti-invariance is required. Recalling that a map $f \in \mathrm{Sym}((\mathbb{F}_2)^s)$ is said to be weakly $\delta$-uniform if for each $a \in (\mathbb{F}_2)^s \setminus \{0\}$ we have
$$\bigl|\{\, xf + (x + a)f \mid x \in (\mathbb{F}_2)^s \,\}\bigr| > \frac{2^{s-1}}{\delta},$$
the following alternative result is easily checked. Its proof is obtained by reasoning as in the proof of Theorem 4.8, since Proposition 2 is still valid if one assumes that the S-boxes are weakly $2^\delta$-uniform and $\delta$-strongly anti-invariant.
Theorem 4.9. Let $\rho_1, \dots, \rho_r \in \mathrm{Sym}(V)$ and let $\Phi$ be the $r$-round Feistel network where the $i$-th round applies the Feistel operator $\hat\rho_i$ induced by $\rho_i$. Let us assume that $0\rho_i = 0$ and $\rho_i = \gamma_i\lambda_i$, where
a) $\gamma_i$ is a parallel map which applies weakly $2^\delta$-uniform and $\delta$-strongly anti-invariant S-boxes, for some $\delta < s$;
b) $\lambda_i$ is a linear strongly-proper diffusion layer.
Suppose that there exists a sequence of $r + 1$ non-trivial linear partitions $L(U_1), \dots, L(U_{r+1})$, where $U_i$ is a proper and non-trivial subgroup of $V \times V$ and $L(U_i)\hat\rho_i = L(U_{i+1})$ for all $1 \leq i \leq r$. Then none of the following conditions is satisfied:

Conclusions and open problems
In this work, partition propagation under the action of a long-key Feistel network has been investigated, and some previous results [5,6,9] set in a long-key SPN scenario have been generalized. In detail, we proved that only linear partitions can propagate under the action of a long-key Feistel network. Moreover, we presented some types of block systems which are not usable for the purpose of partition-based cryptanalysis. In other words, we showed that if in a long-key Feistel network a sequence of non-trivial linear partitions propagates from the first round to the last one, then such partitions cannot be of some of the types used in specific attacks (see e.g. [19]).
The problem of giving a complete generalisation of Theorem 3.4 of [9] to the case of Feistel networks is still open. Moreover, the optimal result that a block-cipher designer can achieve in terms of group-theoretical security is a cipher whose corresponding group is as large as possible. For this reason, we aim at studying which conditions imply that the group of the encryption functions of a long-key cipher is the alternating or the symmetric group, both in the case of SPNs and of Feistel networks.