1 Introduction

The core of symmetric cryptographic primitives and modes alike has been, historically, the block cipher. Its applications range from compression functions to authenticated encryption. For example, the AES block cipher [44] is at the core of AES-GCM [83], AES-CCM [104], AES-CBC [52], OCB [77], AEZ [67], and many other widely used modes.

Block ciphers usually consist of two main components: a (iterated) round function, which deals with input data, and a key schedule, which expands one key to multiple, random-looking, block-sized keys. Key material is regularly added to the data in-between evaluations of the round function. More recently, tweakable block ciphers [82] added a third input, the tweak, which in existing designs is essentially treated as key material [70].

A different approach has been gaining momentum in the last few years: permutation based cryptography. In this paradigm, there is no key; every part of the input is treated equally. Key material is then added only “at the top”, as in the Even-Mansour construction [50, 53], or the various keyed sponge modes [2, 19, 31, 41, 85]. This arguably makes designs cleaner and easier to analyze, as there are no separate processing lanes for key and data, and enables a clearer mixing of the key and the data.

For most permutation based modes of operation, security is argued in the random permutation model, meaning that the underlying permutation is assumed to be perfect. So as to meet this assumption as close as possible, permutations are often designed to prevent all kinds of structural defects, harmless as they may seem. This is the so-called “hermetic” design strategy. One usually accomplishes this by designing a strong iterated round function resistant to differential, linear, and other standard attacks, and adding round constants in-between evaluations of the round function. These constants achieve two goals:

  • They make every round distinct, preventing internal differentials [94], slide attacks [22], and a defective cycle structure [86];

  • They can prevent invariant subspace attacks, by breaking the symmetries that are preserved across round functions [9, 79].

Many permutations follow this design pattern, such as the Keccak permutation [18, 56], Ascon [49], PHOTON [66], Prøst [74], Gimli [16], Mixifer [99], or Xoodoo [40].

Other permutations, often single-purpose components of larger modes of operation, decide to omit such round constants, and let the mode of operation ensure that “bad” states are never reached. This is the case of Salsa20 [15] or NORX [4], in which invariance-breaking constants are simply added “at the top”. This can result in simpler designs, at the cost of losing the random permutation model as a useful modeling tool.

1.1 Invariances

Consider the event that for a permutation \({\mathsf {P}}:\{0,1\}^{n}\rightarrow \{0,1\}^{n}\), there are one or more functions \(\lambda :\{0,1\}^{n}\rightarrow \{0,1\}^{n}\) such that

$$\begin{aligned} \lambda \circ {\mathsf {P}}(x) = {\mathsf {P}}\circ \lambda (x) \end{aligned}$$
(1)

for any \(x\in \{0,1\}^{n}\). We say that \({\mathsf {P}}\) is invariant under \(\lambda \), and call \(\lambda \) an invariance for \({\mathsf {P}}\). The identity mapping is always an invariance for \({\mathsf {P}}\), but ideally, it is the only one, the reason being that non-trivial invariances expose non-random behavior of \({\mathsf {P}}\) and may allow and attacker to distinguish the primitive from random. Various examples of invariances for permutations are given in Sect. 2.

Invariances are inherent to symmetric cryptographic primitives. Barkan and Biham [8] studied invariances in AES under the guise of “self-duality”. The work was revisited by Van Le [102] and Bouillaguet et al.[25]. A particularly fruitful invariance in the AES round \(F_k\) is that of column rotation [102, Proposition 11]:

$$\begin{aligned} \lambda _i(F_k(x)) = F_{\lambda _i(k)}(\lambda _i(x))\,, \end{aligned}$$
(2)

where \(\lambda _i\) is any of the byte permutations

$$\begin{aligned} \begin{pmatrix} x_{ 4} &{} x_{ 8} &{} x_{12} &{} x_{ 0} \\ x_{ 5} &{} x_{ 9} &{} x_{13} &{} x_{ 1} \\ x_{ 6} &{} x_{10} &{} x_{14} &{} x_{ 2} \\ x_{ 7} &{} x_{11} &{} x_{15} &{} x_{ 3} \end{pmatrix}, \begin{pmatrix} x_{ 8} &{} x_{12} &{} x_{ 0} &{} x_{ 4} \\ x_{ 9} &{} x_{13} &{} x_{ 1} &{} x_{ 5} \\ x_{10} &{} x_{14} &{} x_{ 2} &{} x_{ 6} \\ x_{11} &{} x_{15} &{} x_{ 3} &{} x_{ 7} \end{pmatrix}, \begin{pmatrix} x_{12} &{} x_{ 0} &{} x_{ 4} &{} x_{ 8} \\ x_{13} &{} x_{ 1} &{} x_{ 5} &{} x_{ 9} \\ x_{14} &{} x_{ 2} &{} x_{ 6} &{} x_{10} \\ x_{15} &{} x_{ 3} &{} x_{ 7} &{} x_{11} \end{pmatrix}. \end{aligned}$$

This property was exploited for attacking the ALRED family of authenticators [45] based on the keyless AES round [51, Sect. 4]. This property has also been used for attacks on various AES based ciphers and permutations, such as on PAES [105] by Jean et al.[71, 72], on Simpira v1 [63] by Rønjom [97], and on Haraka v1 [76] by Jean [69]. Likewise, the permutations underlying ChaCha [13], BLAKE2 [5], and NORX [4] have similar invariances as the AES round. Notably, the cryptanalysis of NORX v2.0 [21, 30] and the “chosen-IV” attacks on BLAKE2 [65] exploit these properties.

Invariant subspace attacks were formalized by Leander et al.[79] alongside their cryptanalysis of the PRINTcipher [75]. The notion received further formal analysis by Leander et al.[80] and Beierle et al.[9]. Todo et al.[100] expanded the notion to nonlinear invariances. Beyne generalized the analysis, and applied it to Midori-64 [20].

1.2 Dealing with Invariances

Basically, there are two ways to resolve the potential weaknesses caused by the presence of invariances:

  • At the primitive level: avoid the presence of invariances. This is achieved by using more involved key schedules and round constants. Most invariant subspace attacks to date [20, 27, 64, 69, 79, 80, 97, 100] exploit weaknesses at the primitive level. Beierle et al.[9] studied the issue of invariances in SPNs, with particular focus on the linear layer, and investigated the effect of round constants on the resistance against invariant subspace attacks;

  • At the mode level: ensure that invariances are never inspected. In this case, the primitive must be “masked” at the mode level so that it is never evaluated for two values x and \(\lambda (x)\), where \(\lambda \) is any of the non-trivial invariances of \({\mathsf {P}}\).

The former approach delivers primitives that may function as standalone objects to be used as a black-box by mode designers and implementers. The latter approach allows for simpler, more minimalistic primitives, but mode designers should pay attention to the fact that invariances are avoided. Theorists, however, typically ignore the issue of invariances entirely, simply assuming ideal primitives.

1.3 Invariances in Practice

The issue of invariances is not a purely theoretical matter. Invariances are inherent to symmetric cryptography, and some cryptographic permutations, including the ones underlying Salsa20 [15], ChaCha [13], NORX [4], BLAKE2 [5], and CubeHash [14], do have certain invariances that make them easily distinguishable from their ideal counterparts. These invariances are not always attributed to flaws in the scheme: sometimes, the presence of invariances allows to obtain simpler and faster schemes. Yet, there are no available tools to study their behavior when used in permutation based modes. Given the popularity of ChaCha and AES-like building blocks to build new schemes, the case deserves proper formal understanding.

We stress that we do not advocate for general purpose primitive designers to design purposefully imperfect cryptographic primitives. Instead, our focus is on combined mode and primitive designers, noting that nowadays many cryptographic modes are designed alongside their single-purpose primitives. We have noticed this pattern in many CAESAR candidates [28], e.g., Prøst, NORX, ICEPOLE, Minalpher, PRIMATEs, and PAEQ. When designing a single-purpose permutation, as in these cases, it seems reasonable to handle properties that simplify or speed up the permutation by relying on the mode to protect against them (as is already the case, in a simpler setting, with Salsa20 and ChaCha).

1.4 Our Contribution

We present a structural analysis of how to handle the problem of invariant primitives at the mode level. Whereas Beierle et al. specify conditions on the use of round constants so as to avoid invariances, we describe how the security of masked primitive modes behaves in the presence of invariances. The work consists of a theoretical part (settling the model and deriving security bounds) and a practical part (translating the security bounds to attacks on concrete cryptographic permutations), as we will detail below.

1.4.1 Invariant Random Permutation Model

We first formalize a model for the use of invariant permutations in cryptographic modes. The model is fairly straightforward: instead of randomly drawing an n-bit permutation from the set of all n-bit permutations, one fixes a set of linear invariances \(\varLambda \) and draws the permutation from the set of all n-bit permutations that satisfy (1) for all \(\lambda \in \varLambda \). The model is given in Sect. 3.1. Note that the model is general; in fact, it covers more than the typical invariances we observe in Salsa20, ChaCha, NORX, and so on. We also point out that this practice is riskier than the hermetic design approach, as one needs to be sure that every allowed invariance is adequately covered by the analysis.

1.4.2 Analysis of Even-Mansour

Then, in Sect. 3.2 we analyze the plain single-key Even-Mansour construction [53] in the invariant permutation model. The tight security bound derived for this construction exactly pinpoints how the original (i.e., the random permutation model based) security bound deteriorates in the presence of invariances. Quite surprisingly: the loss is less trivial and more significant than initially thought. The reason for this is that a strong security bound can be derived only if for any input x to the primitive \({\mathsf {P}}\), the value \(\lambda (x)\) should never be evaluated by \({\mathsf {P}}\), for any \(\lambda \in \varLambda \).

In detail, the analysis leads to a security bound in the invariant permutation model that is at most \(|\varLambda |\) times the bound in the random permutation model plus \(|\varLambda |-1\) times a technical term \(\mathbf {P}^*\) that bounds the probability of collisions over the invariances.

1.4.3 Analysis of Keyed Sponge

The analysis of the Even-Mansour construction is particularly useful as it appears as building block in many security proofs. For example, security of the keyed sponge [2, 19, 31, 41, 59, 85, 90] and other MAC designs [87, 89] can be reduced to the security of the Even-Mansour construction. In Sect. 3.4, we show how the security analysis of the Even-Mansour construction generalizes to a security analysis of the keyed sponge in the invariant permutation model.

1.4.4 Instantiation

The term \(\mathbf {P}^*\) is involved, and can be described as a combinatorial property of the invariances (refer to Theorem 1 for precise statement of the bound). Further derivation of the bound is then tied to the specific primitive and invariances associated with it. This, so far, leaves us with only a partial solution. In Sect. 4 we look at the remaining term in more detail for specific cryptographic primitives and invariances.

In Sect. 4.1 we consider additive invariances for the Salsa20 permutation. This permutation satisfies that it is invariant under parallel addition of 16 times the value \(\varDelta =2^{31}\). We present a simple attack on Even-Mansour-Salsa20 in a constant number of construction queries that matches our security bound. The attack does not invalidate the security strength of Salsa20; it just confirms that its permutation should not be used in the Even-Mansour construction.

In Sect. 4.2 we consider linear invariances, noting that for a linear invariance \(\lambda \), the probability term \(\mathbf {P}^*\) can in turn be related with the rank of \(\mathrm {id}\oplus \lambda \). This rank can be easily computed, and attacks can be mounted on the Even-Mansour construction based on the cryptographic permutations exhibiting that invariance. For the 512-bit Chacha [13] permutation, we obtain a distinguishing attack with a complexity of \(2^{128}\) queries. For the 1600-bit Keccak permutation without round constants [18], a distinguishing attack in complexity \(2^{400}\) queries is derived, and this attack scales down to smaller versions of Keccak, up to an attack in \(2^{50}\) construction queries for 200-bit Keccak. We likewise derive a distinguishing attack for 1024-bit CubeHash [14] in \(2^{256}\) construction queries, and for 384-bit Gimli without round constants [16] in \(2^{96}\) construction queries. Again, none of these attacks invalidate the security claims of the primitives themselves. They rather demonstrate that one must be careful when using a cryptographic primitive that has invariances, and exemplify decisions that designers could conceivably make when designing a particular scheme.

The framework is likewise able to capture the attacks on NORXv2 [21, 30], as well as the BLAKE2 [65] attacks with chosen IV. It can furthermore readily be extended to match the invariant subspaces found on Simpira v1 [97], or the attacks that rely on a block cipher hitting a particular set of bad keys.

1.4.5 Discussion

The attacks on Even-Mansour instantiated with ChaCha, Keccak without round constants, CubeHash, and Gimli without round constants are well below the birthday bound on the corresponding state sizes. In Sect. 5.1, we consider different avenues to salvaging Even-Mansour. One approach is to consider tweakable variants of Even-Mansour, such as a generalization of the Masked Even-Mansour construction [62] that masks the key before it is added to the message. Details on this construction are given in Appendix A. In this appendix, we also explain how the results subsequently extend to the Offset Public Permutation (\({\mathsf {OPP}}\)) authenticated encryption scheme by Granger et al.[62]. Another approach is to consider 2-round Even-Mansour. In the random permutation model, this construction has received solid investigation lately [23, 32]. The attacks of Sect. 4 rely on the fact that an attacker may observe the structure of the inputs to and outputs of the cryptographic permutation, and by masking the input and output, or by adding an extra round, the attacker cannot observe this structure anymore, and the attack fails. Note that a minimal construction of 2-round Even-Mansour would take a single key, and add “round constants” to derive mutually slightly different round keys. Stretching the idea to multiple round Even-Mansour, this idea resembles the current practice of primitive level invariant subspace attack mitigation.

In Sect. 5.2, we discuss how our security analysis can be translated to multi-key security, where the attacker can query multiple instances of the constructions simultaneously. It appears that in this case, the attacker does not get any significant gain over the single-key setting. Finally, in Sect. 5.3, we informally discuss how our analyses may generalize to invariances that do not necessarily apply to the entire domain.

1.5 Notation

Throughout, parameters \(\kappa ,\tau ,n\in {\mathbb {N}}\) denote key size, tweak size, and state size. The set of n-bit permutations is denoted \(\mathsf {perm}(n)\). We denote by \(\mathsf {tperm}(\mathcal {T},n)\) the set of all families of n-bit permutations indexed by \(t\in \mathcal {T}\). For \(m\in {\mathbb {N}}\) such that \(m\le n\), we denote the falling factorial as \((n)_m=n(n-1)\cdots (n-m+1)=n!/(n-m)!\). For a finite set \(\mathcal {X}\), we denote by \(x\xleftarrow {{\scriptscriptstyle \$}}\mathcal {X}\) the uniformly random sampling of x from \(\mathcal {X}\).

2 Invariances

A permutation \({\mathsf {P}}\in \mathsf {perm}(n)\) is invariant under bijection \(\lambda \in \mathsf {perm}(n)\) if for any \(x\in \{0,1\}^{n}\),

$$\begin{aligned} \lambda \circ {\mathsf {P}}(x) = {\mathsf {P}}\circ \lambda (x)\,. \end{aligned}$$
(3)

We call \(\lambda \) an invariance for \({\mathsf {P}}\). Note that the identity function \(\mathrm {id}\) is always an invariance for \({\mathsf {P}}\) (regardless of \({\mathsf {P}}\)), and if \({\mathsf {P}}\) is invariant under \(\lambda ,\lambda '\), it is also invariant under \(\lambda ^{-1}\) and \(\lambda \circ \lambda '\). In particular, the set of invariances for \({\mathsf {P}}\) forms a group \((\varLambda ,\circ )\). For a group of invariances \(\varLambda \), we write \(\mathsf {perm}[\varLambda ](n)\) as the set of all permutations that are invariant under \(\varLambda \). In our work, we restrict our focus to linear invariances. We refer to Courtois [37, 38] for research on nonlinear invariances.

In the remainder of this section, we discuss invariances for various theoretical and practical functions.

2.1 Random Permutation

If \({\mathsf {P}}:\{0,1\}^{n}\rightarrow \{0,1\}^{n}\) is a random permutation, i.e., a function that generates each response uniformly at random without replacement from \(\{0,1\}^{n}\), with high probability \(\varLambda =\{\mathrm {id}\}\). Stated differently: with high probability, this function has no invariances except for the trivial one.

2.2 Iterated Random Permutation

In the case \({\mathsf {P}}:\{0,1\}^{n}\rightarrow \{0,1\}^{n}\) is the repeated composition of the same round function \(f^r(\cdot )\), we have the invariant

$$\begin{aligned} f \circ f^r = f^r \circ f\,. \end{aligned}$$

In the case of an unknown round function, as in the case of block ciphers, finding pairs of inputs of the form (xf(x)), i.e., slid pairs, is a core step of slide attacks [7, 22]. Since (xf(x)) implies (P(x), f(P(x)) at the output, recovering the key from such a slid pair is often efficiently achievable (e.g., KeeLoq [1]).

2.3 Salsa Family of Permutations

Salsa20 [15] is part of the eSTREAM portfolio of stream ciphers. Its core primitive is a permutation operating on a 16-word state, usually treated as a \(4\times 4\) matrix

$$\begin{aligned} \begin{pmatrix} x_{ 0} &{} x_{ 1} &{} x_{ 2} &{} x_{ 3} \\ x_{ 4} &{} x_{ 5} &{} x_{ 6} &{} x_{ 7} \\ x_{ 8} &{} x_{ 9} &{} x_{10} &{} x_{11} \\ x_{12} &{} x_{13} &{} x_{14} &{} x_{15} \end{pmatrix}\,. \end{aligned}$$

The Salsa20 round consists of four parallel “quarter-round” operations, as follows:

$$\begin{aligned} x_{ 0}, x_{ 4}, x_{ 8}, x_{12}&= G(x_{ 0}, x_{ 4}, x_{ 8}, x_{12})\,, \\ x_{ 5}, x_{ 9}, x_{13}, x_{ 1}&= G(x_{ 5}, x_{ 9}, x_{13}, x_{ 1})\,, \\ x_{10}, x_{14}, x_{ 2}, x_{ 6}&= G(x_{10}, x_{14}, x_{ 2}, x_{ 6})\,, \\ x_{15}, x_{ 3}, x_{ 7}, x_{11}&= G(x_{15}, x_{ 3}, x_{ 7}, x_{11})\,, \end{aligned}$$

followed by a transposition of the state. In other words, Salsa20 consists of the composition of “column rounds” followed by “row rounds”. The transposition is omitted after the last round.

Determining the invariances of Salsa20 is straightforward. The column rounds, when treating G as a random permutation, are invariant under any permutation of the diagonals. Furthermore, the transposition forces the admissible invariant permutations to be restricted to rotations.

Besides this set of rotational invariances, Salsa20’s G has itself some invariant properties. In particular, G is invariant with respect to addition (or xor) by \(\{2^{31}\}^{4}\), as observed by Wagner [103], Robshaw, and Castro et al.[29].

It is interesting to note that Salsa20’s predecessor, Salsa10 [12, §5], did not have any simple invariances, owing to its different quarter-round and the addition of a constant every two rounds. Salsa20’s invariances were an explicit design choice.

2.3.1 ChaCha, BLAKE2, and NORX

ChaCha [13] is a variant of Salsa20. It operates on the same \(4\times 4\) state as Salsa20, but the linear layer is slightly different. The ChaCha round first applies four parallel “quarter rounds”

$$\begin{aligned} x_{ 0}, x_{ 4}, x_{ 8}, x_{12}&= G(x_{ 0}, x_{ 4}, x_{ 8}, x_{12})\,, \\ x_{ 1}, x_{ 5}, x_{ 9}, x_{13}&= G(x_{ 1}, x_{ 5}, x_{ 9}, x_{13})\,, \\ x_{ 2}, x_{ 6}, x_{10}, x_{14}&= G(x_{ 2}, x_{ 6}, x_{10}, x_{14})\,, \\ x_{ 3}, x_{ 7}, x_{11}, x_{15}&= G(x_{ 3}, x_{ 7}, x_{11}, x_{15})\,, \end{aligned}$$

followed by a “shift rows” operation

$$\begin{aligned} \begin{pmatrix} x_{ 0} &{} x_{ 1} &{} x_{ 2} &{} x_{ 3} \\ x_{ 4} &{} x_{ 5} &{} x_{ 6} &{} x_{ 7} \\ x_{ 8} &{} x_{ 9} &{} x_{10} &{} x_{11} \\ x_{12} &{} x_{13} &{} x_{14} &{} x_{15} \end{pmatrix}\longmapsto \begin{pmatrix} x_{ 0} &{} x_{ 1} &{} x_{ 2} &{} x_{ 3} \\ x_{ 5} &{} x_{ 6} &{} x_{ 7} &{} x_{ 4} \\ x_{10} &{} x_{11} &{} x_{ 8} &{} x_{ 9} \\ x_{15} &{} x_{12} &{} x_{13} &{} x_{14} \end{pmatrix}\,. \end{aligned}$$

The next round uses the same quarter-round, followed by the inverse of the “shift rows” operation.

The invariances here are similar to Salsa20. The quarter-round layer is invariant under any permutation of state columns. The linear layer, however, is only invariant under rotations of columns. Thus, ChaCha is invariant under rotations of columns.

Several other permutations based on the ChaCha, such as the ones in BLAKE2 [5] and NORX [4], share the same property. The rotational invariance of this round structure was implicitly used in the “chosen-IV” BLAKE2 attacks of Guo et al.[65], as well as explicitly described in the cryptanalysis of NORXv2 [21, 30].

2.4 CubeHash

CubeHash [14] is an ARX permutation based SHA-3 candidate which, like Salsa20, had a highly symmetric round function. The underlying permutation works on a state of 32 words x[0..31] of 32 bits each. It is invariant under the following 15 permutations of words:

$$\begin{aligned} \scriptstyle (1,0,3,2,5,4,7,6,9,8,11,10,13,12,15,14,17,16,19,18,21,20,23,22,25,24,27,26,29,28,31,30)\,,\\ \scriptstyle (2,3,0,1,6,7,4,5,10,11,8,9,14,15,12,13,18,19,16,17,22,23,20,21,26,27,24,25,30,31,28,29)\,,\\ \scriptstyle (3,2,1,0,7,6,5,4,11,10,9,8,15,14,13,12,19,18,17,16,23,22,21,20,27,26,25,24,31,30,29,28)\,,\\ \scriptstyle (4,5,6,7,0,1,2,3,12,13,14,15,8,9,10,11,20,21,22,23,16,17,18,19,28,29,30,31,24,25,26,27)\,,\\ \scriptstyle (5,4,7,6,1,0,3,2,13,12,15,14,9,8,11,10,21,20,23,22,17,16,19,18,29,28,31,30,25,24,27,26)\,,\\ \scriptstyle (6,7,4,5,2,3,0,1,14,15,12,13,10,11,8,9,22,23,20,21,18,19,16,17,30,31,28,29,26,27,24,25)\,,\\ \scriptstyle (7,6,5,4,3,2,1,0,15,14,13,12,11,10,9,8,23,22,21,20,19,18,17,16,31,30,29,28,27,26,25,24)\,,\\ \scriptstyle (8,9,10,11,12,13,14,15,0,1,2,3,4,5,6,7,24,25,26,27,28,29,30,31,16,17,18,19,20,21,22,23)\,,\\ \scriptstyle (9,8,11,10,13,12,15,14,1,0,3,2,5,4,7,6,25,24,27,26,29,28,31,30,17,16,19,18,21,20,23,22)\,,\\ \scriptstyle (10,11,8,9,14,15,12,13,2,3,0,1,6,7,4,5,26,27,24,25,30,31,28,29,18,19,16,17,22,23,20,21)\,,\\ \scriptstyle (11,10,9,8,15,14,13,12,3,2,1,0,7,6,5,4,27,26,25,24,31,30,29,28,19,18,17,16,23,22,21,20)\,,\\ \scriptstyle (12,13,14,15,8,9,10,11,4,5,6,7,0,1,2,3,28,29,30,31,24,25,26,27,20,21,22,23,16,17,18,19)\,,\\ \scriptstyle (13,12,15,14,9,8,11,10,5,4,7,6,1,0,3,2,29,28,31,30,25,24,27,26,21,20,23,22,17,16,19,18)\,,\\ \scriptstyle (14,15,12,13,10,11,8,9,6,7,4,5,2,3,0,1,30,31,28,29,26,27,24,25,22,23,20,21,18,19,16,17)\,,\\ \scriptstyle (15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0,31,30,29,28,27,26,25,24,23,22,21,20,19,18,17,16)\,. \end{aligned}$$

These invariances, or “symmetric states”, were first identified by Aumasson et al.[3] and later further classified by Ferguson et al.[55]. One of these invariances will be considered in detail in Sect. 4.2.3.

2.5 Bitsliced Designs

Keccak [18], Ascon [49], CBEAM [98], Mixifer [99], Xoodoo [40], and many others are part of a design principle that intentionally creates rotationally-invariant functions, and later adds constants as a symmetry-breaking step. As first exhibited by Daemen [39], such bitsliced designs are advantageous for practical reasons, both in implementation and performance tradeoffs, protection against side-channel attacks [42], as well as ease of analysis [98].

In the particular case of Keccak, whose state consists of a \(5\times 5\) matrix of \(\{1,2,4,8,16,32,64\}\)-bit words, the round function \(\chi \circ \pi \circ \rho \circ \theta \) is invariant under the rotation of every word by the same amount. Comparable invariances occur for the other primitives.

2.6 Gimli

Gimli [16] is a recently proposed permutation operating on a \(3\times 4\) matrix of 32-bit words. Its round functions, without the constant additions, lead to invariance under the following permutations of state columns:

$$\begin{aligned} \begin{pmatrix} x_{ 1} &{} x_{ 0} &{} x_{ 3} &{} x_{ 2} \\ x_{ 5} &{} x_{ 4} &{} x_{ 7} &{} x_{ 6} \\ x_{ 9} &{} x_{ 8} &{} x_{11} &{} x_{10} \end{pmatrix}, \begin{pmatrix} x_{ 2} &{} x_{ 3} &{} x_{ 0} &{} x_{ 1} \\ x_{ 6} &{} x_{ 7} &{} x_{ 4} &{} x_{ 5} \\ x_{10} &{} x_{11} &{} x_{ 8} &{} x_{ 9} \end{pmatrix}, \begin{pmatrix} x_{ 3} &{} x_{ 2} &{} x_{ 1} &{} x_{ 0} \\ x_{ 7} &{} x_{ 6} &{} x_{ 5} &{} x_{ 4} \\ x_{11} &{} x_{10} &{} x_{ 9} &{} x_{ 8} \end{pmatrix}. \end{aligned}$$

3 Secure Usage of Invariant Random Permutations

We consider the security of constructions reminiscent of the Even-Mansour construction [53]. The security model is outlined in Sect. 3.1, and Even-Mansour and its security in the invariant permutation model are stated in Sect. 3.2. The security proof is given in Sect. 3.3. This Even-Mansour construction and analysis is particularly useful as it appears as building block in many security proofs. In particular, by considering that the keyed sponge can be seen as a composition of the Even-Mansour construction, we demonstrate in Sect. 3.4 how the analysis of Even-Mansour in the invariant permutation model carries over to the keyed sponge.

We remark that the ideas generalize to other permutation based constructions, including multiple-round Even-Mansour [23] and generalizations of the Masked Even-Mansour construction [62]. See also Sect. 5.1.

3.1 Security Model

A distinguisher \({\mathsf {D}}\) is an algorithm that is given access to an oracle \({\mathsf {O}}\), written as \({\mathsf {D}}^{{\mathsf {O}}}\), and outputs a bit \(b\in \{0,1\}\). Its complexity is measured (solely) by the number of calls to its oracle. As such, we can consider it to be deterministic (as for any probabilistic distinguisher there is a deterministic one with at least the same success probability). The security of a construction \({\mathsf {C}}\) based on a primitive \({\mathsf {P}}\) is measured by the advantage of distinguishing \({\mathsf {C}}^{{\mathsf {P}}}\) from a random function \({\mathsf {R}}\) with the same interface and functionality as \({\mathsf {C}}\):

$$\begin{aligned} \varDelta _{{\mathsf {D}}}\left( {\mathsf {C}}^{{\mathsf {P}}},{\mathsf {P}}\;;\;{\mathsf {R}},{\mathsf {P}}\right) = \left|\mathbf {Pr}\left( 1 \leftarrow {\mathsf {D}}^{{\mathsf {C}}^{{\mathsf {P}}},{\mathsf {P}}}\right) - \mathbf {Pr}\left( 1 \leftarrow {\mathsf {D}}^{{\mathsf {R}},{\mathsf {P}}}\right) \right|\,, \end{aligned}$$
(4)

where the randomness is taken over the distributions of \({\mathsf {C}}\), \({\mathsf {P}}\), and \({\mathsf {R}}\). The security distance of (4) is depicted in Fig. 1. In our work, \({\mathsf {P}}\) is always an invariant permutation from \(\mathsf {perm}[\varLambda ](n)\), unless explicitly stated otherwise.

Fig. 1
figure 1

The indistinguishability model of (4)

Full size image

Note that if \(\varLambda =\{\mathrm {id}\}\), we retrieve indistinguishability in the random permutation model. Any caution that must be paid in the random permutation model must be paid in the invariant permutation model as well. For example, if a construction \({\mathsf {C}}\) is proven secure in the invariant permutation model, and it is subsequently instantiated using a concrete permutation, security may differ from the promised security statement and one must re-assess security of the scheme in combination with the permutation.

We will use the H-coefficient technique [33, 92, 93]. Consider any two oracles \({\mathsf {O}}_1\) or \({\mathsf {O}}_2\) and an information-theoretic deterministic distinguisher \({\mathsf {D}}\) trying to distinguish both. It can make a finite amount of queries, gathered in a view \(\nu \). Denote by \(X_1\) (resp. \(X_2\)) the probability distribution of views in interaction with \({\mathsf {O}}_1\) (resp. \({\mathsf {O}}_2\)). Denote by \(\mathcal {V}\) the set of “attainable views”, i.e., views \(\nu \) such that \(\mathbf {Pr}\left( X_2=\nu \right) >0\).

Lemma 1

(H-coefficient technique) Consider a partition \(\mathcal {V}=\mathcal {V}_{\mathrm {good}}\cup \mathcal {V}_{\mathrm {bad}}\) of the set of views into “good” and “bad” views. Let \(\varepsilon \in [0,1]\) be such that \(\frac{\mathbf {Pr}\left( X_1=\nu \right) }{\mathbf {Pr}\left( X_2=\nu \right) } \ge 1-\varepsilon \) for all \(\nu \in \mathcal {V}_{\mathrm {good}}\). Then,

$$\begin{aligned} \varDelta _{{\mathsf {D}}}\left( {\mathsf {O}}_1\;;\;{\mathsf {O}}_2\right) \le \varepsilon + \mathbf {Pr}\left( X_2\in \mathcal {V}_{\mathrm {bad}}\right) \,. \end{aligned}$$
(5)

For view \(\nu = \{(x_1,y_1),\ldots ,(x_q,y_q)\}\) consisting of q input/output tuples, we denote by \({\mathsf {O}}\vdash \nu \) the event that oracle \({\mathsf {O}}\) satisfies that \({\mathsf {O}}(x_i)=y_i\) for all \(i=\{1,\ldots ,q\}\).

3.2 Even-Mansour

We consider the plain single-key Even-Mansour construction \({\mathsf {EM}}:\{0,1\}^{\kappa }\times \{0,1\}^{n}\rightarrow \{0,1\}^{n}\), where \(\kappa \le n\) [53]:

$$\begin{aligned} {\mathsf {EM}}^{{\mathsf {P}}}(k,m) = {\mathsf {P}}(m\oplus k0^*)\oplus k0^* \end{aligned}$$
(6)

(here, the number of appended zeros is, obviously, \(n-\kappa \)). In the random permutation model, where \({\mathsf {P}}\xleftarrow {{\scriptscriptstyle \$}}\mathsf {perm}(n)\), the Even-Mansour construction is known to be indistinguishable from a random permutation \(\pi \xleftarrow {{\scriptscriptstyle \$}}\mathsf {perm}(n)\) up to \(2qp/2^\kappa \), where the distinguisher makes q construction and p primitive queries [2, 35, 50, 53, 54, 84, 89]. We perform an analysis if \({\mathsf {EM}}\) is instantiated with a random invariant permutation \({\mathsf {P}}'\xleftarrow {{\scriptscriptstyle \$}}\mathsf {perm}[\varLambda ](n)\), for a fixed \(\varLambda \).

Theorem 1

Consider any fixed \(\varLambda \). Let \(k\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{\kappa }\), \({\mathsf {P}}'\xleftarrow {{\scriptscriptstyle \$}}\mathsf {perm}[\varLambda ](n)\), and \(\pi \xleftarrow {{\scriptscriptstyle \$}}\mathsf {perm}(n)\). Consider any distinguisher \({\mathsf {D}}\) making at most q construction queries and p primitive queries. We have,

$$\begin{aligned} \varDelta _{{\mathsf {D}}}\left( {\mathsf {EM}}_k^{{\mathsf {P}}'},{\mathsf {P}}'\;;\;{\pi },{\mathsf {P}}'\right) \le&\frac{2|\varLambda |qp}{2^{\kappa }}\\&+ \max _{\varvec{z}=\{z_1,\dots ,z_q\}\subseteq \{0,1\}^{n}} \sum _{\lambda \in \varLambda \backslash \{\mathrm {id}\}} \sum _{z, z'\in \varvec{z}} \frac{2\#\!\left\{ k\,|\,z\oplus k0^* = \lambda \big (z'\oplus k0^*\big )\right\} }{2^\kappa }\,. \end{aligned}$$

We stress that in the summation, indeed, the case \(z=z'\) is included.

Unlike intuition, the proof is more complicated than the ideal permutation based one, and contains various hurdles to be overcome. The proof is given in Sect. 3.3. In Sect. 4, the second part of the bound of Theorem 1 will be considered for specific invariant permutations, including the 512-bit ChaCha permutation [13], the \(\{200,400,800,1600\}\)-bit Keccak permutation [18] with omitted round constants, the 1024-bit permutation of CubeHash [14], and the 384-bit permutation Gimli [16] with omitted round constants.

3.3 Proof of Theorem 1

Let \(k\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{\kappa }\), \({\mathsf {P}}'\xleftarrow {{\scriptscriptstyle \$}}\mathsf {perm}[\varLambda ](\{0,1\}^{n})\), and \(\pi \xleftarrow {{\scriptscriptstyle \$}}\mathsf {perm}(n)\). Consider any fixed deterministic distinguisher \({\mathsf {D}}\) that has access to either \({\mathsf {O}}_1=({\mathsf {EM}}^{{\mathsf {P}}'},{\mathsf {P}}')\) or \({\mathsf {O}}_2=({\pi },{\mathsf {P}}')\). Gather its q constructions queries in a view \(\nu _{\mathrm {c}}=\{(m_1,c_1),\dots ,(m_q,c_q)\}\) and its p primitive queries in a view \(\nu _{\mathrm {p}}=\{(x_1,y_1),\dots ,(x_p,y_p)\}\). After \({\mathsf {D}}\)’s interaction with its oracle but before it outputs its decision bit b, we reveal the random key k (this simplifies the probability analysis in the H-coefficient technique later on). The complete view is denoted

$$\begin{aligned} \nu = (\nu _{\mathrm {c}},\nu _{\mathrm {p}},k)\,. \end{aligned}$$

We assume that \({\mathsf {D}}\) never repeats any query, hence \(\nu _{\mathrm {c}}\) and \(\nu _{\mathrm {p}}\) do not contain duplicate queries. We particularly assume that \({\mathsf {D}}\) never repeats any primitive query transformed over any \(\lambda \).

A view \(\nu \) is called bad if it satisfies one of the following conditions:

$$\begin{aligned} \mathsf {BAD}_{\mathrm {c}}&\Longleftrightarrow \exists \; (m,c)\in \nu _{\mathrm {c}}\,,\, 0\lambda \in \varLambda \backslash \{\mathrm {id}\}:\\&m\oplus k0^* = \lambda \big (m\oplus k0^*\big ) \text { or } c\oplus k0^* = \lambda \big (c\oplus k0^*\big )\,,\\ \mathsf {BAD}_{\mathrm {cc}}&\Longleftrightarrow \exists \; \text {distinct } (m,c),(m',c')\in \nu _{\mathrm {c}}\,,\, \lambda \in \varLambda :\\&m\oplus k0^* = \lambda \big (m'\oplus k0^*\big ) \text { or } c\oplus k0^* = \lambda \big (c'\oplus k0^*\big )\,,\\ \mathsf {BAD}_{\mathrm {cp}}&\Longleftrightarrow \exists \; (m,c)\in \nu _{\mathrm {c}}\,,\, (x,y)\in \nu _{\mathrm {p}}\,,\, \lambda \in \varLambda :\\&m\oplus k0^* = \lambda \big (x\big ) \text { or } c\oplus k0^* = \lambda \big (y\big )\,. \end{aligned}$$

In the real world \({\mathsf {O}}_1\), any construction query \((m,c)\in \nu _{\mathrm {c}}\) corresponds to a primitive evaluation \((m\oplus k0^*,c\oplus k0^*)\) of \({\mathsf {P}}'\). Events \(\mathsf {BAD}_{\mathrm {cc}}\) and \(\mathsf {BAD}_{\mathrm {cp}}\) resemble much of what is typically considered in simple Even-Mansour proofs: they capture the event of collisions among construction queries (the former) or between a construction query and a primitive query (the latter). In current proof, however, they cover the event of a collision even if transformed over any invariance \(\lambda \in \varLambda \).Footnote 1 New compared to classical Even-Mansour proofs is \(\mathsf {BAD}_{\mathrm {c}}\). This event considers the case that a single query collides with itself non-trivially under a transformation of a \(\lambda \in \varLambda \backslash \{\mathrm {id}\}\). Note that, by attainability of transcripts, we do not have to take into account collisions among primitive queries, not even under a transformation by any \(\lambda \in \varLambda \).

In below two lemmas, we will derive an upper bound on \(\mathbf {Pr}\left( X_2\in \mathcal {V}_{\mathrm {bad}}\right) \) (in Lemma 2), and show that for any good view, \(\mathbf {Pr}\left( X_1=\nu \right) \ge \mathbf {Pr}\left( X_2=\nu \right) \) (in Lemma 3). This completes the proof using Lemma 1 on the H-coefficient technique.

Lemma 2

We have

$$\begin{aligned} \mathbf {Pr}\left( X_2\in \mathcal {V}_{\mathrm {bad}}\right)&\le \frac{2|\varLambda |qp}{2^\kappa }\\&\quad + \max _{\varvec{z}=\{z_1,\dots ,z_q\}\subseteq \{0,1\}^{n}} \sum _{\lambda \in \varLambda \backslash \{\mathrm {id}\}} \sum _{z, z'\in \varvec{z}} \frac{2\#\!\left\{ k\,|\,z\oplus k0^* = \lambda \big (z'\oplus k0^*\big )\right\} }{2^\kappa }\,. \end{aligned}$$

Proof

The probability \(\mathbf {Pr}\left( X_2\in \mathcal {V}_{\mathrm {bad}}\right) \) equals the probability that \(\mathsf {BAD}:=\mathsf {BAD}_{\mathrm {c}} \vee \mathsf {BAD}_{\mathrm {cc}} \vee \mathsf {BAD}_{\mathrm {cp}}\) holds in the ideal world. By basic probability theory,

$$\begin{aligned} \mathbf {Pr}\left( X_2\in \mathcal {V}_{\mathrm {bad}}\right) = \mathbf {Pr}\left( \mathsf {BAD}\right) \le \mathbf {Pr}\left( \mathsf {BAD}_{\mathrm {c}}\right) + \mathbf {Pr}\left( \mathsf {BAD}_{\mathrm {cc}}\right) + \mathbf {Pr}\left( \mathsf {BAD}_{\mathrm {cp}}\right) \,, \end{aligned}$$
(7)

where we recall that in the ideal world, \(k\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{\kappa }\).

\({\mathbf {\mathsf{{BAD}}}}_{\mathbf{c}}\). Consider any query \((m,c)\in \nu _{\mathrm {c}}\) and any \(\lambda \in \varLambda \backslash \{\mathrm {id}\}\). As \(k\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{\kappa }\), the bad event is set with probability at most

$$\begin{aligned} \frac{\#\!\left\{ k\,|\,m\oplus k0^* = \lambda \big (m\oplus k0^*\big )\right\} + \#\!\left\{ k\,|\,c\oplus k0^* = \lambda \big (c\oplus k0^*\big )\right\} }{2^\kappa }\,. \end{aligned}$$

Taking the sum over all queries and all choices of \(\lambda \), the bad event is set with probability at most

$$\begin{aligned} \mathbf {Pr}\left( \mathsf {BAD}_{\mathrm {c}}\right) \le&\sum _{(m,c)\in \nu _{\mathrm {c}}}\sum _{\lambda \in \varLambda \backslash \{\mathrm {id}\}} \frac{\#\!\left\{ k\,|\,m\oplus k0^* = \lambda \big (m\oplus k0^*\big )\right\} }{2^\kappa } \\&+ \sum _{(m,c)\in \nu _{\mathrm {c}}}\sum _{\lambda \in \varLambda \backslash \{\mathrm {id}\}} \frac{\#\!\left\{ k\,|\,c\oplus k0^* = \lambda \big (c\oplus k0^*\big )\right\} }{2^\kappa }\\ \le&\max _{\varvec{z}=\{z_1,\dots ,z_q\}\subseteq \{0,1\}^{n}} \sum _{\lambda \in \varLambda \backslash \{\mathrm {id}\}} \sum _{z\in \varvec{z}} \frac{2\#\!\left\{ k\,|\,z\oplus k0^* = \lambda \big (z\oplus k0^*\big )\right\} }{2^\kappa }\,. \end{aligned}$$

Note that the second bound is pretty tight. For each of the construction queries, the distinguisher either chooses m and receives randomly generated c or it chooses c and receives randomly generated m. For bounding the bad event, we simply give it the power to choose both m and c for every query. As the distinguisher achieves highest advantage if it chooses all m’s at its own discretion, the sum over the \(\#\!\left\{ k\,|\,m\oplus k0^* = \lambda \big (m\oplus k0^*\big )\right\} \)’s will dominate and the sum over the \(\#\!\left\{ k\,|\,c\oplus k0^* = \lambda \big (c\oplus k0^*\big )\right\} \)’s will disappear. Our bound is at most a factor 2 larger.

\({\mathbf {\mathsf{{BAD}}}}_{\mathbf{cc}}\). Consider any distinct queries \((m,c),(m',c')\in \nu _{\mathrm {c}}\) and any \(\lambda \in \varLambda \). If \(\lambda =\mathrm {id}\) the event happens with probability 0; we consider \(\lambda \in \varLambda \backslash \{\mathrm {id}\}\). As \(k\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{\kappa }\), the bad event is set with probability at most

$$\begin{aligned} \frac{\#\!\left\{ k\,|\,m\oplus k0^* = \lambda \big (m'\oplus k0^*\big )\right\} + \#\!\left\{ k\,|\,c\oplus k0^* = \lambda \big (c'\oplus k0^*\big )\right\} }{2^\kappa }\,. \end{aligned}$$

Taking the sum over all distinct queries and all choices of \(\lambda \), the bad event is set with probability at most

$$\begin{aligned} \mathbf {Pr}\left( \mathsf {BAD}_{\mathrm {cc}}\right) \le&\sum _{(m,c)\ne (m',c')\in \nu _{\mathrm {c}}} \sum _{\lambda \in \varLambda \backslash \{\mathrm {id}\}} \frac{\#\!\left\{ k\,|\,m\oplus k0^* = \lambda \big (m'\oplus k0^*\big )\right\} }{2^\kappa }\\&+ \sum _{(m,c)\ne (m',c')\in \nu _{\mathrm {c}}}\sum _{\lambda \in \varLambda \backslash \{\mathrm {id}\}} \frac{\#\!\left\{ k\,|\,c\oplus k0^* = \lambda \big (c'\oplus k0^*\big )\right\} }{2^\kappa } \\ \le&\max _{\varvec{z}=\{z_1,\dots ,z_q\}\subseteq \{0,1\}^{n}} \sum _{\lambda \in \varLambda \backslash \{\mathrm {id}\}} \sum _{z\ne z'\in \varvec{z}} \frac{2\#\!\left\{ k\,|\,z\oplus k0^* = \lambda \big (z'\oplus k0^*\big )\right\} }{2^\kappa }\,. \end{aligned}$$

\({\mathbf {\mathsf{{BAD}}}}_{\mathbf{cp}}\). Consider any queries \((m,c)\in \nu _{\mathrm {c}}\), \((x,y)\in \nu _{\mathrm {p}}\), and any \(\lambda \in \varLambda \). The bad event is set if

$$\begin{aligned} k0^* \in \{m\oplus \lambda (x) \,,\, c\oplus \lambda (y)\}\,. \end{aligned}$$
(8)

As \(k\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{\kappa }\), Eq. (8) holds with probability at most \(2/2^\kappa \). Taking the sum over all queries and all choices of \(\lambda \), the bad event is set with probability at most

$$\begin{aligned} \mathbf {Pr}\left( \mathsf {BAD}_{\mathrm {cp}}\right) \le \frac{2|\varLambda |qp}{2^\kappa }\,. \end{aligned}$$

Conclusion. Adding the separate bounds in accordance with (7) gives

$$\begin{aligned} \mathbf {Pr}\left( \mathsf {BAD}\right)&\le \frac{2|\varLambda |qp}{2^\kappa }\\&\quad + \max _{\varvec{z}=\{z_1,\dots ,z_q\}\subseteq \{0,1\}^{n}} \sum _{\lambda \in \varLambda \backslash \{\mathrm {id}\}} \sum _{z, z'\in \varvec{z}} \frac{2\#\!\left\{ k\,|\,z\oplus k0^* = \lambda \big (z'\oplus k0^*\big )\right\} }{2^\kappa }\,, \end{aligned}$$

where in the summation the values \(z,z'\) may be identical.\(\square \)

Lemma 3

For any good view \(\nu \in \mathcal {V}_{\mathrm {good}}\), \(\mathbf {Pr}\left( X_1=\nu \right) \ge \mathbf {Pr}\left( X_2=\nu \right) \).

Proof

In the real world \({\mathsf {O}}_1\), every tuple in \((\nu _{\mathrm {c}},\nu _{\mathrm {p}})\) defines exactly one input-output tuple of \({\mathsf {P}}'\xleftarrow {{\scriptscriptstyle \$}}\mathsf {perm}[\varLambda ](n)\). Therefore, we derive

$$\begin{aligned} \mathbf {Pr}\left( X_1 = \nu \right) =&\mathbf {Pr}\left( {\mathsf {P}}'\xleftarrow {{\scriptscriptstyle \$}}\mathsf {perm}[\varLambda ](n) \;;\; {\mathsf {EM}}_k^{{\mathsf {P}}'} \vdash \nu _{\mathrm {c}}\wedge {\mathsf {P}}'\vdash \nu _{\mathrm {p}}\bigm | k \right) \\&\cdot \mathbf {Pr}\left( k'\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{\kappa }\;:\; k'=k\right) \\ =&\frac{1}{2^\kappa } \cdot \mathbf {Pr}\left( {\mathsf {P}}'\xleftarrow {{\scriptscriptstyle \$}}\mathsf {perm}[\varLambda ](n) \;;\; {\mathsf {P}}'\vdash \bar{\nu }_{\mathrm {c}}\cup \nu _{\mathrm {p}}\right) \,, \end{aligned}$$

where \(\bar{\nu }_{\mathrm {c}}= \{ (m\oplus k0^*,c\oplus k0^*) \mid (m,c)\in \nu _{\mathrm {c}}\}\), and where \(\bar{\nu }_{\mathrm {c}}\cup \nu _{\mathrm {p}}\) contains a total amount of \(q+p\) tuples among which there are no input or output collisions even when the tuples are transformed over any \(\lambda \in \varLambda \).

In the ideal world \({\mathsf {O}}_2\), we have

$$\begin{aligned} \mathbf {Pr}\left( X_2 = \nu \right) =&\mathbf {Pr}\left( \pi \xleftarrow {{\scriptscriptstyle \$}}\mathsf {perm}(n) \;;\; \pi \vdash \nu _{\mathrm {c}}\right) \\&\cdot \mathbf {Pr}\left( {\mathsf {P}}'\xleftarrow {{\scriptscriptstyle \$}}\mathsf {perm}[\varLambda ](n) \;;\; {\mathsf {P}}'\vdash \nu _{\mathrm {p}}\right) \\&\cdot \mathbf {Pr}\left( k'\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{\kappa }\;:\; k'=k\right) \\ =&\frac{1}{(2^n)_q\cdot 2^{\kappa }}\cdot \mathbf {Pr}\left( {\mathsf {P}}'\xleftarrow {{\scriptscriptstyle \$}}\mathsf {perm}[\varLambda ](n) \;;\; {\mathsf {P}}'\vdash \nu _{\mathrm {p}}\right) \,. \end{aligned}$$

where \(\nu _{\mathrm {p}}\) represents a list of p tuples for which there are no input or outputs collisions even when transformed over any \(\lambda \in \varLambda \).

We obtain that

$$\begin{aligned} \frac{\mathbf {Pr}\left( X_1=\nu \right) }{\mathbf {Pr}\left( X_2=\nu \right) } =&\frac{\mathbf {Pr}\left( {\mathsf {P}}'\xleftarrow {{\scriptscriptstyle \$}}\mathsf {perm}[\varLambda ](n) \;;\; {\mathsf {P}}'\vdash \bar{\nu }_{\mathrm {c}}\cup \nu _{\mathrm {p}}\right) }{\frac{1}{(2^n)_{q}}\cdot \mathbf {Pr}\left( {\mathsf {P}}'\xleftarrow {{\scriptscriptstyle \$}}\mathsf {perm}[\varLambda ](n) \;;\; {\mathsf {P}}'\vdash \nu _{\mathrm {p}}\right) }\\ =&\frac{\mathbf {Pr}\left( {\mathsf {P}}'\xleftarrow {{\scriptscriptstyle \$}}\mathsf {perm}[\varLambda ](n) \;;\; {\mathsf {P}}'\vdash \bar{\nu }_{\mathrm {c}}\cup \nu _{\mathrm {p}}\bigm | {\mathsf {P}}'\vdash \nu _{\mathrm {p}}\right) }{\frac{1}{(2^n)_q}}\\ \ge&\frac{\mathbf {Pr}\left( {\mathsf {P}}\xleftarrow {{\scriptscriptstyle \$}}\mathsf {perm}(n) \;;\; {\mathsf {P}}\vdash \bar{\nu }_{\mathrm {c}}\cup \nu _{\mathrm {p}}\bigm | {\mathsf {P}}\vdash \nu _{\mathrm {p}}\right) }{\frac{1}{(2^n)_q}}\\ =&\frac{\frac{1}{(2^n-p)_q}}{\frac{1}{(2^n)_q}} \ge 1\,, \end{aligned}$$

where for the approximation we use that the list of tuples in \(\bar{\nu }_{\mathrm {c}}\cup \nu _{\mathrm {p}}\) do not collide even when transformed over any \(\lambda \in \varLambda \). \(\square \)

3.4 Keyed Sponge

The sponge hash function construction [17] consists of a sequential application of a permutation on a state, where the permutation evaluations are interleaved with absorption of data into the outer part of the state or extraction of data from that part of the state. Security is determined by the capacity, the size of the state that is not involved in the absorption or extraction. The construction has led to various MAC designs based on a permutation [2, 19, 31, 41, 59, 85, 87, 89, 90], that also consist of a sequential application of a permutation, but with the initial state masked using a key. For the sake of exemplification, we will consider the full-state keyed sponge of Mennink et al.[85]. We remark that follow-up work considered a more general scheme with a more accurate bound [41], but the scheme of the former is easier to describe concisely. We will drop the adjective “full-state” for simplicity.

The keyed sponge (\({\mathsf {KS}}\)) is a message authentication code. On input of a message \(M\in \{0,1\}^{*}\) and a parameter \(\ell \in {\mathbb {N}}\), it outputs a tag \(T\in \{0,1\}^{\ell }\). For identical messages but different parameters \(\ell ,\ell '\), the shortest response is a prefix of the longer one. Internally, it uses a permutation on an n-bit state split in an inner part of c bits and an outer part of r bits, in such a way that \(c+r=n\). We furthermore assume that \(\kappa =c\) (but see the proof of Theorem 2). The function is depicted in Fig. 2.

Security of the keyed sponge is measured by its “PRF security”, a distance to a variable output length random oracle \({\mathsf {R}}\) [10], i.e., (4) with \({\mathsf {R}}\) as random function:

$$\begin{aligned} \varDelta _{{\mathsf {D}}}\left( {\mathsf {KS}}_k^{{\mathsf {P}}},{\mathsf {P}}\;;\;{\mathsf {R}},{\mathsf {P}}\right) \,. \end{aligned}$$

Mennink et al.[85] proved the following security bound for \({\mathsf {KS}}\).

Theorem 2

(Mennink et al. [85]) Let \(k\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{\kappa }\), \({\mathsf {P}}\xleftarrow {{\scriptscriptstyle \$}}\mathsf {perm}(n)\), and \({\mathsf {R}}\) be a random oracle as described above. For any distinguisher \({\mathsf {D}}\) making at most \(\sigma \) construction query blocks and p primitive queries,

$$\begin{aligned} \varDelta _{{\mathsf {D}}}\left( {\mathsf {KS}}_k^{{\mathsf {P}}},{\mathsf {P}}\;;\;{\mathsf {R}},{\mathsf {P}}\right) \le \frac{2\sigma ^2}{2^n} + \frac{2\sigma ^2}{2^c} + \frac{2\sigma p}{2^\kappa }\,. \end{aligned}$$
(9)

Proof

(sketch) Consider any fixed deterministic distinguisher \({\mathsf {D}}\) that makes a total amount of \(\sigma \) construction query blocks and p primitive queries. Consider \({\mathsf {EM}}_k^{{\mathsf {P}}}\) of (6). By xoring the key k twice in-between each two consecutive evaluations of \({\mathsf {P}}\),Footnote 2 we can observe that

$$\begin{aligned} {\mathsf {KS}}_k^{{\mathsf {P}}} = {\mathsf {KS}}_0^{{\mathsf {EM}}_k^{{\mathsf {P}}}}\,, \end{aligned}$$

where the subscripts denote the key input. Therefore,

$$\begin{aligned} \varDelta _{{\mathsf {D}}}\left( {\mathsf {KS}}_k^{{\mathsf {P}}},{\mathsf {P}}\;;\;{\mathsf {R}},{\mathsf {P}}\right)&= \varDelta _{{\mathsf {D}}}\left( {\mathsf {KS}}_0^{{\mathsf {EM}}_k^{{\mathsf {P}}}},{\mathsf {P}}\;;\;{\mathsf {R}},{\mathsf {P}}\right) \nonumber \\&\le \varDelta _{{\mathsf {D}}}\left( {\mathsf {KS}}_0^{{\pi }},{\mathsf {P}}\;;\;{\mathsf {R}},{\mathsf {P}}\right) + \varDelta _{{\mathsf {D'}}}\left( {{\mathsf {EM}}_k^{{\mathsf {P}}}},{\mathsf {P}}\;;\;{\pi },{\mathsf {P}}\right) \nonumber \\&= \varDelta _{{\mathsf {D}}}\left( {\mathsf {KS}}_0^{{\pi }}\;;\;{\mathsf {R}}\right) + \varDelta _{{\mathsf {D'}}}\left( {{\mathsf {EM}}_k^{{\mathsf {P}}}},{\mathsf {P}}\;;\;{\pi },{\mathsf {P}}\right) \,, \end{aligned}$$
(10)

where \(\pi \xleftarrow {{\scriptscriptstyle \$}}\mathsf {perm}(n)\) is a random permutation, and \({\mathsf {D}}'\) is some distinguisher that makes at most \(\sigma \) construction queries and p primitive queries. For the first term of (10), Mennink et al. proved that (simplified)

$$\begin{aligned} \varDelta _{{\mathsf {D}}}\left( {\mathsf {KS}}_0^{{\pi }}\;;\;{\mathsf {R}}\right) \le \frac{2\sigma ^2}{2^n} + \frac{2\sigma ^2}{2^c}\,. \end{aligned}$$
(11)

The second term of (10) is at most \(2\sigma p/2^\kappa \) (see the introductory text of Sect. 3.2).Footnote 3\(\square \)

We demonstrate how a security bound for \({\mathsf {KS}}\) based on an invariant permutation \({\mathsf {P'}}\xleftarrow {{\scriptscriptstyle \$}}\mathsf {perm}[\varLambda ](n)\) is easily derived.

Fig. 2
figure 2

The keyed sponge (\({\mathsf {KS}}\)) of [85]

Full size image

Theorem 3

Consider any fixed \(\varLambda \). Let \(k\xleftarrow {{\scriptscriptstyle \$}}\{0,1\}^{\kappa }\), \({\mathsf {P}}'\xleftarrow {{\scriptscriptstyle \$}}\mathsf {perm}[\varLambda ](n)\), and \({\mathsf {R}}\) be a random oracle as described above. For any distinguisher \({\mathsf {D}}\) making at most \(\sigma \) construction query blocks and p primitive queries,

$$\begin{aligned} \varDelta _{{\mathsf {D}}}\left( {\mathsf {KS}}_k^{{\mathsf {P}}'},{\mathsf {P}}'\;;\;{\mathsf {R}},{\mathsf {P}}'\right) \le \frac{2\sigma ^2}{2^n} + \frac{2\sigma ^2}{2^c} + \mathtt {BOUND}_{\text {Thm.}1}(\sigma ,p)\,, \end{aligned}$$
(12)

where \(\mathtt {BOUND}_{\text {Thm.}1}(\sigma ,p)\) is the bound of Theorem 1 for distinguisher’s parameters \(\sigma \) and p.

Proof

Consider any fixed deterministic distinguisher \({\mathsf {D}}\) that makes a total amount of \(\sigma \) construction query blocks and p primitive queries. Consider \({\mathsf {EM}}_k^{{\mathsf {P'}}}\) of (6). By xoring the key k twice in-between each two consecutive evaluations of \({\mathsf {P'}}\), we can observe that

$$\begin{aligned} {\mathsf {KS}}_k^{{\mathsf {P'}}} = {\mathsf {KS}}_0^{{\mathsf {EM}}_k^{{\mathsf {P'}}}}\,, \end{aligned}$$

where the subscripts denote the key input. Therefore,

$$\begin{aligned} \varDelta _{{\mathsf {D}}}\left( {\mathsf {KS}}_k^{{\mathsf {P'}}},{\mathsf {P'}}\;;\;{\mathsf {R}},{\mathsf {P'}}\right)&= \varDelta _{{\mathsf {D}}}\left( {\mathsf {KS}}_0^{{\mathsf {EM}}_k^{{\mathsf {P'}}}},{\mathsf {P'}}\;;\;{\mathsf {R}},{\mathsf {P'}}\right) \nonumber \\&\le \varDelta _{{\mathsf {D}}}\left( {\mathsf {KS}}_0^{{\pi }},{\mathsf {P'}}\;;\;{\mathsf {R}},{\mathsf {P'}}\right) + \varDelta _{{\mathsf {D'}}}\left( {{\mathsf {EM}}_k^{{\mathsf {P'}}}},{\mathsf {P'}}\;;\;{\pi },{\mathsf {P'}}\right) \nonumber \\&= \varDelta _{{\mathsf {D}}}\left( {\mathsf {KS}}_0^{{\pi }}\;;\;{\mathsf {R}}\right) + \varDelta _{{\mathsf {D'}}}\left( {{\mathsf {EM}}_k^{{\mathsf {P'}}}}, {\mathsf {P'}}\;;\;{\pi },{\mathsf {P'}}\right) \,, \end{aligned}$$
(13)

where \(\pi \xleftarrow {{\scriptscriptstyle \$}}\mathsf {perm}(n)\) is a random permutation, and \({\mathsf {D}}'\) is some distinguisher that makes at most \(\sigma \) construction queries and p primitive queries. The first term is bounded as (11) as before, and for the second term of (13) we rely on Theorem 1. \(\square \)

4 Understanding Invariance Loss

The bound of Theorem 1 precisely demonstrates what aspect of the invariant permutation must be exploited in order to break the Even-Mansour construction: further analysis boils down to upper bounding the sizes of the sets \(\#\!\left\{ k\,|\,\dots \right\} \). Focus on Even-Mansour with key size \(\kappa =n\), and consider the task of upper bounding

$$\begin{aligned} \max _{\varvec{z}=\{z_1,\dots ,z_q\}\subseteq \{0,1\}^{n}} \sum _{z, z'\in \varvec{z}} \#\!\left\{ k\,|\,z\oplus k = \lambda \big (z'\oplus k\big )\right\} \end{aligned}$$
(14)

for any invariance \(\lambda \ne \mathrm {id}\). In the specific case that \(\lambda \) satisfies \(\lambda (x\oplus y)=\lambda (x)\oplus \lambda (y)\), which always holds in our work as we consider linear invariances, we will resort to a rewritten version of (14) that will be easier to work with:

$$\begin{aligned} \max _{\varvec{z}=\{z_1,\dots ,z_q\}\subseteq \{0,1\}^{n}} \sum _{z, z'\in \varvec{z}} \#\!\left\{ k\,|\,k \oplus \lambda (k) = z \oplus \lambda (z')\right\} \,. \end{aligned}$$
(15)

Bounding this quantity seems to relate to upper bounding the set of weak keys k, but the goal is not quite the same. Rather, the current issue boils down to quantifying the image of \(k\mapsto k\oplus \lambda (k)\) and the ability of an adversary in selecting \(\varvec{z}=\{z_1,\dots ,z_q\}\) so as to maximize the number of “hits”: choices \(z,z'\in \varvec{z}\) such that \(z \oplus \lambda (z')\) has many preimages over \((\mathrm {id}\oplus \lambda )^{-1}\).

We will consider the problem of bounding (14) for the case of additive invariances in Sect. 4.1, and derive a practical attack on Even-Mansour based on Salsa20. Then, in Sect. 4.2, we will consider linear invariances (that satisfy \(\lambda (x\oplus y)=\lambda (x)\oplus \lambda (y)\)), and restrict our focus to bounding (15). We will investigate how to maximize this set, and subsequently show how the analysis applies to the 512-bit ChaCha permutation [13] (distinguishing attack in \(2^{128}\) construction queries), the n-bit Keccak permutation without round constants [18] (distinguishing attack in \(2^{n/4}\) construction queries), CubeHash [14] (distinguishing attack in \(2^{256}\) construction queries), and Gimli without round constants [16] (distinguishing attack in \(2^{96}\) construction queries).

4.1 Additive Invariances

As mentioned in Sect. 2.3, the Salsa20 permutation \({\mathsf {P}}'\) is invariant under addition of the constant \(\varDelta =2^{31}\) to each of the 16 words. Call this invariance \(\lambda ^{\mathrm {add}}\):

$$\begin{aligned} \lambda ^{\mathrm {add}}: k \mapsto k \oplus \{\varDelta \}^{16}\,. \end{aligned}$$
(16)

It is easy to verify that

$$\begin{aligned} \#\!\left\{ k\,|\,z\oplus k = \lambda ^{\mathrm {add}}\big (z'\oplus k\big )\right\} = {\left\{ \begin{array}{ll} 2^{\kappa } \text { for } z'=z\oplus \{\varDelta \}^{16}\,,\\ 0 \quad \text {otherwise}\,. \end{array}\right. } \end{aligned}$$

Based on this observation, we can describe a simple distinguishing attack on Even-Mansour-Salsa20 that succeeds in constant time.

  1. 1.

    Fix any \(m,m'\) that satisfy \(m\oplus m'=\{\varDelta \}^{16}\). Query m and \(m'\) to the construction oracle to obtain the corresponding c and \(c'\);

  2. 2.

    For the real world \({\mathsf {EM}}^{{\mathsf {P}}'}\), we necessarily have

    $$\begin{aligned} c\oplus k = {\mathsf {P}}'(m\oplus k)&= {\mathsf {P}}'\circ \lambda ^{\mathrm {add}}(m'\oplus k)\\&= \lambda ^{\mathrm {add}}\circ {\mathsf {P}}'(m'\oplus k) = \lambda ^{\mathrm {add}}(c'\oplus k) = c'\oplus k \oplus \{\varDelta \}^{16}\,. \end{aligned}$$
  3. 3.

    If, indeed, \(c\oplus c'=\{\varDelta \}^{16}\), \({\mathsf {D}}\) is with high probability interacting with \({\mathsf {EM}}_k^{{\mathsf {P}}'}\); otherwise, it is interacting with \({\pi }\).

The attentive reader will recognize this as an elementary differential distinguisher.

Concretely, the attack means the following for the second term of Theorem 1. Assume that \(\varLambda =\{\lambda ^{\mathrm {add}}\}\). Above attack shows that there exists an adversary that makes \(q=2\) construction queries, and that can in this way select 2 values \(\varvec{z}=\{z_1,z_2\}\) such that

$$\begin{aligned} \sum _{z, z'\in \varvec{z}} \frac{2\#\!\left\{ k\,|\,z\oplus k0^* = \lambda ^{\mathrm {add}}\big (z'\oplus k0^*\big )\right\} }{2^\kappa } \approx 1\,. \end{aligned}$$

In other words, the bound of Theorem 1 becomes void, and as \(q=2\), this can be considered a practical attack.

4.2 Linear Invariances

For linear \(\lambda \), quantifying the image of \(k\mapsto k\oplus \lambda (k)\) is easy: if the rank of \(\mathrm {id}\oplus \lambda \) is r, its image has size \(2^r\). Consequently, the lower the rank of \(\mathrm {id}\oplus \lambda \), the higher (15) can get. On the other hand, if \(\lambda \) is a linear orthomorphismFootnote 4 there is no image size reduction.

The second challenge is to choose \(\varvec{z}\) in such a way as to hit as many elements of the image of \(\mathrm {id}\oplus \lambda \) as possible. One way this can be accomplished is by random sampling \(z \in \varvec{z}\) from linear combinations of a basis of \(\mathrm {id}\oplus \lambda \). Query both z and \(\lambda ^{-1}(z)\) if they are distinct. Given q (not necessarily distinct) queries we have up to \(\left( {\begin{array}{c}q\\ 2\end{array}}\right) \) values, and the expected number of queries until every element of \(\mathrm {id}\oplus \lambda \) is covered is a variant of the coupon collector’s problem [57], and is given by \(\left( \sqrt{8 \cdot 2^r \cdot H_{2^r} + 1} + 1\right) /2\), where \(H_n\) is the nth harmonic number. We can approximate it by \(\sqrt{8\cdot (\log (2^r) + 0.5772156649\ldots )\cdot 2^r}\) or, more loosely, \(\sqrt{8 r}\cdot 2^{r/2}\).

In some cases a basis of \(\mathrm {id}\oplus \lambda \) can be generated quite easily. For example, in the invariances covered below, it suffices to find the smallest set \(\varvec{z} \subset {\mathbb {F}}_2^{r}\) such that \(\{ z \oplus z' : z, z' \in \varvec{z}\} = {\mathbb {F}}_2^{r}\). This is equivalent to a well-studied problem in coding theory: finding a minimal length code \([n, n - r]\) of co-dimension r and covering radius 2 [36]. Explicit constructions of these codes are given in, e.g., [26, 47, 58]. Such sets are also known, in Galois geometry, as “1-saturating sets” [48, 61], “saturated sets” [47, 101], “dense sets” [24], or “spanning sets” [26]. Clark and Pedersen [34] give a particularly simple solution, described in Algorithm 1, for \(r \ge 4\), of length \(2\cdot 2^{r/2} - 2\) for even r, and \(3\cdot 2^{\lfloor r/2 \rfloor } - 2\) for odd r.

figure a

The above reasoning immediately translates to a distinguisher for the single-key Even-Mansour block cipher when used with a permutation carrying a linear invariance \(\lambda \):

  1. 1.

    Query the oracle with \(\varvec{z}\) such that as much—or all—possible values of \(k \oplus \lambda (k)\) are covered by \(z \oplus \lambda (z')\), with \(z,z' \in \varvec{z}\). This can be accomplished by random sampling or by an appropriate covering code as described above;

  2. 2.

    If there are two queries such that \(k\oplus \lambda (k) = m_i \oplus \lambda (m_j)\), then we also have

    $$\begin{aligned} c_i \oplus k&= {\mathsf {P}}'(m_i \oplus k) \\&= {\mathsf {P}}'\circ \lambda (m_j \oplus k) \\&= \lambda \circ {\mathsf {P}}'(m_j \oplus k) \\&= c_j \oplus k\,, \end{aligned}$$

    whence \(m_i \oplus \lambda (m_j) = c_i \oplus \lambda (c_j)\) and \(m_i \oplus c_i = \lambda (m_j \oplus c_j)\);

  3. 3.

    Such a pair will be found in approximately \(2^{r/2}\) queries, where r is the rank of \(\mathrm {id}\oplus \lambda \). If r is significantly smaller than n, this leads to a distinguisher that also yields the value of \((\mathrm {id}\oplus \lambda )(k)\).

In terms of Theorem 1, above attack rather aims at recovering \((\mathrm {id}\oplus \lambda )(k)\), which can possibly be done faster than recovering k as the \(\mathrm {id}\oplus \lambda \) has rank \(r\le \kappa \). Nevertheless, every image of \(\mathrm {id}\oplus \lambda \) has \(2^{\kappa -r}\) preimages, and after \(q\approx 2^{r/2}\) queries, above attack maximizes

$$\begin{aligned} \sum _{z, z'\in \varvec{z}} \#\!\left\{ k\,|\,k \oplus \lambda (k) = z \oplus \lambda (z')\right\} \end{aligned}$$

to approximately \(2^\kappa \). For the second term of Theorem 1, this implies that

$$\begin{aligned} \sum _{z, z'\in \varvec{z}} \frac{2\#\!\left\{ k\,|\,z\oplus k0^* = \lambda \big (z'\oplus k0^*\big )\right\} }{2^\kappa } \approx 1\,. \end{aligned}$$

As in Sect. 4.1, the bound of Theorem 1 becomes void. In this case, however, more construction queries are needed, namely \(q\approx 2^{r/2}\). It depends on the construction and on the invariance whether r is low enough for this attack to be considered practical.

4.2.1 ChaCha

The invariance \(\lambda :\{0,1\}^{512}\rightarrow \{0,1\}^{512}\) present in ChaCha [13] for which \(\mathrm {id}\oplus \lambda \) has the lowest rank is the rotation of each 128-bit column by 2 positions (see also Sect. 2.3.1). The rank of \(\mathrm {id}\oplus \lambda \) is thus 256, and the image of \(k \oplus \lambda (k)\) can be given by two copies of \({\mathbb {F}}_2^{256}\) side by side. Using Algorithm 1, the attack succeeds in at most \(2^{129}-2\) queries.

4.2.2 Keccak

We may consider the n-bit Keccak permutation [18], with \(n\in \{200,400,800,1600\}\), modified to omit the constant addition \(\iota \). In this case, we have 25 parallel operations that swap one half of each word with the other half. The rank of this operation is n/2 and, as above, the attack would succeed in approximately \(2^{n/4}\) queries.

4.2.3 CubeHash

The 1024-bit state of CubeHash [14] is split into 32 words of 32 bits. The state can then be decomposed into 32 independent 32-bit vectors, corresponding to each bit of each word, and an invariance reminiscent of those in Sect. 2.4 is applied. In this case, we can consider the invariance corresponding to “swap each adjacent word”, which has rank 512. The attack succeeds in approximately \(2^{256}\) queries.

4.2.4 Gimli

For Gimli [16], assuming omission of the round constants, one can decompose its 384-bit state into 96 independent 4-bit vectors, corresponding to each bit of each column, after which a permutation matrix \(\pi \) is applied. From Sect. 2.6, we can conclude that this permutation \(\pi \) is either of

$$\begin{aligned} \begin{pmatrix} 0&{}1&{}0&{}0\\ 1&{}0&{}0&{}0\\ 0&{}0&{}0&{}1\\ 0&{}0&{}1&{}0 \end{pmatrix}, \begin{pmatrix} 0&{}0&{}1&{}0\\ 0&{}0&{}0&{}1\\ 1&{}0&{}0&{}0\\ 0&{}1&{}0&{}0 \end{pmatrix}, \begin{pmatrix} 0&{}0&{}0&{}1\\ 0&{}0&{}1&{}0\\ 0&{}1&{}0&{}0\\ 1&{}0&{}0&{}0 \end{pmatrix}. \end{aligned}$$
(17)

For each of these, the rank of \(\mathrm {id}\oplus \pi \) equals 2, meaning that the rank of \(\mathrm {id}\oplus \lambda \) is 192. The attack succeeds in approximately \(2^{96}\) queries.

5 Conclusion

5.1 Salvaging Use of Even-Mansour

One way to mitigate the attacks on Even-Mansour of Sect. 4 is to consider a tweakable variant of Even-Mansour, such as a generalization of the Masked Even-Mansour construction [62]. This construction uses a tweak to mask the key before it is added to the message. In detail, it does not simply add \(k0^*\) to the message (as in (6)), but rather it adds

$$\begin{aligned} \varPhi (u,s)\,, \end{aligned}$$

where s is a tweak and u is a subkey derived from the key using the permutation \({\mathsf {P}}\). This masking function can be assumed to eliminate any structure in

$$\begin{aligned} \varPhi (u,s) \oplus \lambda \circ \varPhi (u,s')\,. \end{aligned}$$

We elaborate on this generalization of the Masked Even-Mansour construction, and prove security in the invariant permutation model, in Appendix A.1. In Appendix A.2, we subsequently explain how the analysis extends to security of the Offset Public Permutation (\({\mathsf {OPP}}\)) authenticated encryption scheme by Granger et al.[62]. For these constructions, it particularly becomes clear that exploiting invariances becomes significantly harder, if not impossible. On the downside, the security analysis becomes much more technically involved. A less (conceptually) costly way of salvaging Even-Mansour is to add the key using, say, \({\mathbb {F}}_{2^n}\) multiplication instead of xor, after which the typical invariance is no longer linear.

Another way to mitigate the attacks on Even-Mansour is to consider 2-round Even-Mansour [23, 32]:

$$\begin{aligned} {\mathsf {2EM}}^{{\mathsf {P}}}(k,m) = {\mathsf {P}}({\mathsf {P}}(m\oplus k0^*)\oplus \iota (k0^*))\oplus k0^*\,, \end{aligned}$$
(18)

where \(\iota \) is an orthomorphism (i.e., both \(\iota \) and \(\iota \oplus \mathrm {id}\) are a permutation). An attacker that has oracle access to \({\mathsf {2EM}}^{{\mathsf {P'}}}\) for an invariant permutation \({\mathsf {P'}}\in \mathsf {perm}[\varLambda ](n)\) is unable to observe the input-output pattern of \({\mathsf {P'}}\) and cannot mount attacks comparable to those of Sect. 4.

The attack could be slowed down as well by preventing the adversary to have full control over the input of the construction. For example, in the keyed sponge of Sect. 3.4, the data is absorbed over the entire state, but the original keyed sponge [2, 19] maintains an inner part on which no data is absorbed. The adversary has to run the algorithm and wait for the inner part to fall into a symmetric state.

5.2 Multi-Key Security

In the random permutation model, the Even-Mansour construction is known to admit only a small loss: it is proven to be secure up to \((q^2+2qp)/2^\kappa \) [88]. The loss is caused by the possible presence of cross-collisions between construction queries for different keys. A similar loss occurs in analyses in the random invariant permutation model: the adversary succeeds if two evaluations for different keys, say (mc) for key k and \((m',c')\) for key \(k'\), collide under a transformation of any invariance \(\lambda \):

$$\begin{aligned} m\oplus k0^* = \lambda \big (m'\oplus k'0^*\big ) \text { or } c\oplus k0^* = \lambda \big (c'\oplus k'0^*\big )\,. \end{aligned}$$

The extra loss is marginal as for each query m (or, in inverse direction, c) that the distinguisher makes, it has to tie itself to a specific key instance. As noted by Lee et al.[81], one may consider this extra choice as a tweak, transforming the scheme into a specific form of tweaked Even-Mansour [35].

5.3 Extension to Different Primitives and Invariances

The treatment of Sect. 2 can be generalized to cover invariances that only apply to a subset \(S \subset \{0,1\}^{n}\) of potential inputs. Or perhaps this subset is not known, but only the probability of randomly hitting it. Midori [6] is an interesting example of that kind. The high number of fixed points (3, 7, 8, 9) of its S-box, combined with a simple binary diffusion matrix and poor choice of key schedule constants, results in a weak set of \(2^{32}\) keys \(\{0, 1\}^{16\times 2}\) for which the cipher is entirely linear—and invariant—for inputs of the form \(\{8, 9\}^{16}\) [64].

Furthermore, Sect. 2 generalizes to arbitrary (not necessarily bijective) functions \(\{0,1\}^{n}\rightarrow \{0,1\}^{n}\) verbatim. The generalization is particularly meaningful for block ciphers \({\mathsf {E}}:\{0,1\}^{\kappa }\times \{0,1\}^{n}\rightarrow \{0,1\}^{n}\), recalling the invariance in AES of (2) that has been exploited in cryptanalytic attacks of AES based ciphers [69, 71, 72, 97], as explained in Sect. 1.1.

For example, one may consider NOEKEON without round constants [43], for which

$$\begin{aligned} \lambda \circ {\mathsf {NOEKEON}}(k,m)={\mathsf {NOEKEON}}(\lambda (k),\lambda (m))\,. \end{aligned}$$
(19)

We stress that this condition does not apply to NOEKEON due to the presence of round constants.

Related to invariance subspace attacks are weak key attacks on block ciphers. An example of such a similarity is the complementation property of DES [46]:

$$\begin{aligned} {\mathsf {E}}(k,x) \oplus \varDelta = {\mathsf {E}}(k\oplus \varDelta ,x\oplus \varDelta )\,, \end{aligned}$$

for \(\varDelta =11\ldots 11\).