An algebraic approach to symmetric linear layers in cryptographic primitives

Abstract

Subterranean 2.0 is a permutation-based cipher suite which works with a 257 bit-state. It is designed for lightweight cryptography, and it scores very well with respect to energy consumption. Its security has been investigated by the designers against well-known attack vectors. A possible point of concern is the relatively low order of its linear layer, which equals 256. In the past, such properties have been exploited by invariant subspace attacks. We define linear mappings with a similar structure as the linear layer of Subterranean as SC-compositions. In this work, we explore finding SC-compositions with a higher order than 256. We rely on concepts from abstract algebra and number theory to understand the relation between the order and the bit-states of SC-compositions. Using a 257 bit-state as done in Subterranean is an unfortunate choice for designing such SC-compositions with a high order. We present two examples with different bit-states, each having a significantly higher order than 256.

1 Introduction

Subterranean 2.0 [5] is a permutation-based cipher suite designed for lightweight cryptography which performs very well with respect to energy consumption. Its round function works on a 257 bit-state, and it consists of the composition of a linear and non-linear layer. In this paper, we focus on the linear layer of Subterranean, which consists of a composition of two invertible linear maps denoted by π_s and 𝜃_s. The map 𝜃_s belongs to the group of invertible 257 × 257-circulant matrices denoted by \(\mathcal {C}_{257}^{*}\), and π_s belongs to the group which the designers call the multiplicative shuffles denoted by \(\mathcal {S}_{257}\). These maps will be explained in detail in this paper.

It was shown in [5] that the order of π_s ∘ 𝜃_s equals 256, which is relatively low. Having a low order for the linear layer of a permutation could be exploited by invariant subspace attacks [3]. This however is not necessarily of direct concern, as many other conditions must also be satisfied for invariant subspace attacks to be effective. Still it is interesting from a mathematical point of view to better understand the algebraic structure of the linear layer of Subterranean to explain why the order is low. This will also help to design compositions of the form π ∘ 𝜃 with higher order, where \(\pi \in \mathcal {S}_{m}\) (m-dimensional multiplicative shuffles) and \(\theta \in \mathcal {C}_{m}^{*}\) (m-dimensional invertible circulant matrices), and where we allow bit-states m to be different than 257. We define such a composition as an m-bit SC-composition. Studying SC-compositions can be useful for future work when designing linear layers used in Subterranean-like permutations.

The main goal of this paper is to gain insight in the relation between the bit-state m and the possible magnitudes of the order of m-bit SC-compositions, where we consider all finite fields instead of just the binary field \(\mathbb {F}_{2}\). We do so by looking into the algebraic structure of the groups \(\mathcal {S}_{m}\) and \(\mathcal {C}_{m}^{*}\). Especially circulant matrices have a rich algebraic structure from which a lot of symmetric features can be extracted. Besides in Subterranean 2.0, circulant matrices are also used in many well-known cryptographic primitives like the Advanced Encryption Standard (AES) [6] and in LEDAcrypt [2], which is a code-based post-quantum cryptographic primitive. There are also many lattice-based cryptographic primitives which rely on rings whose algebraic structure is very similar to the ones of circulant matrices, like NTRU [8], SABER [14], CRYSTALS-Kyber [4] and CRYSTALS-Dilithium [12].

1.1 Our contribution

In this paper, we present a mathematical framework based on abstract algebra to study the algebraic properties of SC-compositions. This framework was used for constructing two upper bounds and a lower bound for the order of SC-compositions, which provides insight in the relation between the bit-states, the underlying field, and the order. We show that the order of the linear layer of Subterranean, which equals 256, can also be deduced using these bounds. Moreover, we use these bounds together with the theory of Mersenne prime numbers to construct two examples of SC-compositions with different bit-states, each having a higher order than 256. For example, choosing m = 191, we constructed an SC-composition of order 5.24 ⋅ 10⁶, which has higher order than 256 while having less states than 257.

1.2 Outline

In Section 2, we introduce multiplicative shuffles and circulant matrices, together with a basic treatment of their algebraic structure. We also discuss the ring of circulant matrices of dimension m over the field \(\mathbb {F}\) using the well-known result that this ring is isomorphic to \(\mathbb {F}[X] / \langle X^{m} - 1 \rangle \). From this result, we deduce some algebraic properties of circulant matrices, like invertibility and how to compute the order when assuming \(\mathbb {F}\) is a finite field.

In Section 3, we show that the group \(\mathcal {G}_{m}\), defined as the product group of \(\mathcal {S}_{m}\) and \(\mathcal {C}_{m}^{*}\), is actually a semidirect product of these groups. Combining this observation with the mathematical framework of circulant matrices, we manage to find a lower bound and two upper bounds for the order of SC-compositions. We also show how these bounds can be used to determine the order of the linear layer of Subterranean, which clearly demonstrates the relation between the order, the bit-state and the cardinality of the underlying finite field. More on (semidirect) groups can be found in [1] and [10].

In Section 4, we provide two examples of SC-compositions over \(\mathbb {F}_{2}\) on different states with a high order. We use the theory of Mersenne prime numbers and the second upper bound of Section 3 to find these compositions.

1.3 Notation

Given a ring R, we denote the group of invertible elements of R by R^∗. The algebraic closure of a field \(\mathbb {F}\) is denoted as \(\overline {\mathbb {F}}\). For \(\mathbb {L}\) a field extension of \(\mathbb {F}\), the degree of the extension is expressed as \([\mathbb {L} : \mathbb {F}]\). A finite field of order q is denoted as \(\mathbb {F}_{q}\) or GF(q). The set of m-roots of unity in a specified (algebraically closed) field is denoted as μ_m.

Let us cover the notation for matrices and vectors over some field \(\mathbb {F}\). The group of m × m-invertible matrices over \(\mathbb {F}\) is denoted by \(\operatorname {GL}_{m}(\mathbb {F})\). I_m is the m × m-identity matrix. \(\mathbb {F}^{n}\) is the n-dimensional vector space over \(\mathbb {F}\). We index the coordinate of a (column) vector \(v \in \mathbb {F}^{n}\) from 0 to n − 1. Naturally, for 0 ≤ i ≤ n − 1, v_i is the i-th coordinate of v.

For f in some finite group G, we denote the order of f by ord(f). For the specific case that g is in some multiplicative group \((\mathbb {Z} / m \mathbb {Z})^{*}\), we denote the multiplicative order of g as ord_m(g). Moreover, \(\gcd \) and lcm represent the greatest common divisor and the least common multiple respectively.

Remark 1

Using the above notation, the linear layer of Subterranean consists of the composition

$$ \begin{array}{@{}rcl@{}} \pi_{\textbf{s}} \circ \theta_{\textbf{s}}: \mathbb{F}_{2}^{257} \to \mathbb{F}_{2}^{257}, \end{array} $$

where π_s and 𝜃_s are defined as follows:

$$ \begin{array}{@{}rcl@{}} \left( \theta_{\textbf{s}}(v) \right)_{i} &=& v_{i} + v_{i+3 \bmod 257} + v_{i+8 \bmod 257} \\ \left( \pi_{\textbf{s}}(v) \right)_{i} &=& v_{12i \bmod 257}, \end{array} $$

for all 0 ≤ i < 257 and \(v \in \mathbb {F}_{2}^{257}\). Observe that the maps π_s and 𝜃_s are described coordinate-wise. We let the index modulo 257 be the corresponding number representative between 0 and 256, as this is also the range of the index. For example, if i = 77, then 12 ⋅ 77 = 924 ≡ 153 mod 257, which means that the 77-th coordinate of the vector π_s(v) equals v₁₅₃.

2 Multiplicative shuffles & circulant matrices

In this section, we introduce multiplicative shuffles and circulant matrices which are linear maps and generalizations of π_s and 𝜃_s respectively.

2.1 Multiplicative shuffles

Definition 1 (Multiplicative Shuffle 5)

Let \(g \in (\mathbb {Z} / m \mathbb {Z})^{*}\). The multiplicative shuffle with shuffling factor g (over a field \(\mathbb {F}\)) is a linear map \(\pi _{g} : \mathbb {F}^{m} \to \mathbb {F}^{m}\) defined as the map

$$ \begin{array}{@{}rcl@{}} \pi_{g} : s_{i} \leftarrow s_{g \cdot i \bmod m}, \end{array} $$

for all 0 ≤ i < m. We denote the set of multiplicative shuffles by \(\mathcal {S}_{m}\).

Multiplicative shuffles have the following properties:

• π_g is invertible for all \(g \in (\mathbb {Z} / m \mathbb {Z})^{*}\);

• π₁ = id;

• \(\pi _{g} \circ \pi _{g^{\prime }} = \pi _{g^{\prime }} \circ \pi _{g} = \pi _{g \cdot g^{\prime } \bmod m}\) for all \(g,g^{\prime } \in (\mathbb {Z} / m \mathbb {Z})^{*}\).

These statements imply that \(\mathcal {S}_{m}\) is a finite commutative group under matrix multiplication which is isomorphic to the group \((\mathbb {Z} / m \mathbb {Z})^{*}\) by the map

$$ \begin{array}{@{}rcl@{}} (\mathbb{Z} / m \mathbb{Z})^{*} \to \mathcal{S}_{m}, \ g \mapsto \pi_{g}. \end{array} $$

This immediately implies the identity

$$ \begin{array}{@{}rcl@{}} \text{ord}(\pi_{g}) = \operatorname{ord}_{m}(g). \end{array} $$

(1)

Remark 2

In Subterranean 2.0, we have the parameters m = 257 and \(\mathbb {F} = \mathbb {F}_{2}\). The linear component π_s of the linear layer of Subterranean equals π₁₂ using the above notation.

2.2 Circulant matrices

Definition 2 (Circulant Matrix)

A circulant matrix V over the field \(\mathbb {F}\) is an m × m-matrix of the form

$$ \begin{array}{@{}rcl@{}} V = \begin{pmatrix} v_{0} & v_{m-1} & {\cdots} & v_{2} & v_{1} \\ v_{1} & v_{0} & {\cdots} & v_{3} & v_{2} \\ {\vdots} & {\vdots} & {\ddots} & {\vdots} & {\vdots} \\ v_{m-2} & v_{m-3} & {\cdots} & v_{0} & v_{m-1} \\ v_{m-1} & v_{m-2} & {\cdots} & v_{1} & v_{0} \end{pmatrix}, \end{array} $$

The set of m × m circulant matrices is denoted by \(\mathcal {C}_{\mathbb {F},m}\) or simply \(\mathcal {C}_{m}\) when \(\mathbb {F}\) is clear from the context. The set of invertible circulant matrices is denoted by \(\mathcal {C}^{*}_{\mathbb {F},m}\) (or \(\mathcal {C}^{*}_{m}\)).

Remark 3

A circulant matrix is uniquely determined by the first column vector v := (v₀,...,v_m− 1)^T. For this reason, we can denote a circulant matrix V in the above definition by circ(v).

\(\mathcal {C}_{\mathbb {F},m}\) forms a commutative ring under matrix addition and multiplication. We present the following well-known ring isomorphism.

Theorem 1 ([9, Theorem 4.])

The map

$$ \begin{array}{@{}rcl@{}} {\Phi}_{m} : \mathcal{C}_{\mathbb{F},m} \to \mathbb{F}[X] / \langle X^{m}-1 \rangle, \ \text{circ}(v) \mapsto \sum\limits_{i=0}^{m-1} v_{i} X^{i} \bmod \langle X^{m}-1 \rangle, \end{array} $$

is an isomorphism of rings.

Remark 4

The circulant matrix 𝜃_s used in Subterranean is represented by the polynomial X²⁵⁴ + X²⁴⁹ + 1.

The isomorphism Φ_m implies that we can derive algebraic properties of \(\mathcal {C}_{\mathbb {F},m}\) by studying the ring \(\mathbb {F}[X] / \langle X^{m} - 1 \rangle \). We study the algebraic properties of these rings where we restrict to the case where m is coprime to the characteristic of \(\mathbb {F}\). The reason for this is due to the well-known result that the polynomial X^m − 1 is separable in \(\mathbb {F}[X]\) if and only if m is coprime to the characteristic of \(\mathbb {F}\) (see for example [11]).

Let us first consider the case where \(\mu _{m} \subseteq \mathbb {F}\).

Theorem 2 (13)

Assume that \(\mu _{m} \subseteq \mathbb {F}\) and that m is coprime to the characteristic of \(\mathbb {F}\). Then the map

$$ \begin{array}{@{}rcl@{}} \text{CRT}_{m} : \mathbb{F}[X] / \langle X^{m} - 1 \rangle \to \bigoplus_{\zeta \in \mu_{m}} \mathbb{F}, \ f \mapsto (f(\zeta))_{\zeta \in \mu_{m}}, \end{array} $$

is an isomorphism of rings.

Remark 5

For a finite field \(\mathbb {F}_{q}\), we have that \(\mu _{m} \subseteq \mathbb {F}_{q}\) if and only if q ≡ 1 mod m (See [11, Theorem 2.47(ii)]).

Remark 6

The splitting of \(\mathbb {F}[X] / \langle X^{m} - 1 \rangle \) as in the above theorem is an important result for this research. For this, it is absolutely necessary to assume for m to be coprime to \(\text {char}(\mathbb {F})\), as otherwise the splitting does not work. The reason for this is that the splitting is constructed using the Chinese Remainder Theorem for rings (see [10]), which requires the modulus to be an intersection of a family of ideals which are pairwise coprime. This is not possible when m is not coprime to \(\text {char}(\mathbb {F})\).

In cryptography, we usually consider the binary field \(\mathbb {F}_{2}\). Hence for large m, we have by the above remark that μ_m is not contained in \(\mathbb {F}_{2}\), for which Theorem 2 does not directly apply. However, Theorem 2 is still useful to gain insight in these cases.

To show this, we introduce the following notation. For \(g \in \mathbb {F}[X]\), we denote the ideal 〈g〉 viewed in \(\mathbb {F}[X]\) by \(\langle g \rangle _{\mathbb {F}}\). When viewed in \(\mathbb {L}[X]\) where \(\mathbb {L}\) is a field extension of \(\mathbb {F}\), we denote the ideal in \(\mathbb {L}[X]\) generated by g by \(\langle g \rangle _{\mathbb {L}}\).

Proposition 1

We have that \(\langle g \rangle _{\mathbb {F}} = \langle g \rangle _{\mathbb {L}} \cap \mathbb {F}[X]\).

Proof

The case for g = 0 is trivial. If g is non-zero with \(\deg (g) = 0\), then g is a constant polynomial with value in \(\mathbb {F}\) which implies that \(\langle g \rangle _{\mathbb {F}} = \mathbb {F}\) and \(\langle g \rangle _{\mathbb {L}} = \mathbb {L}\), thus immediately proving the statement.

Now assume that \(\deg (g) > 0\). Observe that \(\langle g \rangle _{\mathbb {F}} \subseteq \langle g \rangle _{\mathbb {L}}\) which shows the inclusion \("\subseteq "\).

We will show that the inclusion \("\supseteq "\) is also true. Let \(f \in \langle g \rangle _{\mathbb {L}} \cap \mathbb {F}[X]\). Since \(f \in \langle g \rangle _{\mathbb {L}}\), there exists a polynomial \(h \in \mathbb {L}[X]\) such that f = g ⋅ h. Also, since \(f \in \mathbb {F}[X]\), there exists polynomials \(t_{1}, t_{2} \in \mathbb {F}[X]\) such that \(\deg (t_{2}) < \deg (g)\) and f = g ⋅ t₁ + t₂ by the Division Algorithm for Polynomials [7] (this is equivalent to stating that \(\mathbb {F}[X]\) is a Euclidean space). Another consequence is that t₁ and t₂ are unique in \(\mathbb {F}[X]\), and thus also unique in \(\mathbb {L}[X]\). But then t₁ = h and t₂ = 0, which in particularly implies that \(h \in \mathbb {F}[X]\). Hence \(f \in \langle g \rangle _{\mathbb {F}}\), which shows the inclusion \("\supseteq "\). □

The above proposition implies that we have a natural injective homomorphism

$$ \begin{array}{@{}rcl@{}} \iota : \mathbb{F}[X] / \langle g \rangle_{\mathbb{F}} \to \mathbb{L}[X] / \langle g \rangle_{\mathbb{L}}, \ f \bmod \langle g \rangle_{\mathbb{F}} \mapsto f \bmod \langle g \rangle_{\mathbb{L}}. \end{array} $$

Theorem 3

Let \(\mathbb {L}\) be a field extension of \(\mathbb {F}\) such that \(\mu _{m} \subseteq \mathbb {L}\) and m coprime to the characteristic of \(\mathbb {F}\). Then the map

$$ \begin{array}{@{}rcl@{}} \mathbb{F}[X] / \langle X^{m} - 1 \rangle \to \bigoplus_{\zeta \in \mu_{m}} \mathbb{L}, \ f \mapsto (f(\zeta))_{\zeta \in \mu_{m}}, \end{array} $$

(2)

is an injective homomorphism of rings.

Proof

Note that we have the injective homomorphism

$$ \begin{array}{@{}rcl@{}} \iota : \mathbb{F}[X] / \langle X^{m} - 1 \rangle \to \mathbb{L}[X] / \langle X^{m} - 1 \rangle. \end{array} $$

Since \(\mu _{m} \subseteq \mathbb {L}\), we have by Theorem 2 that \(\operatorname {CRT}_{m} : \mathbb {L}[X] / \langle X^{m} - 1 \rangle \to \bigoplus _{\zeta \in \mu _{m}} \mathbb {L}\) is a ring isomorphism. Hence the composition CRT_m ∘ ι is an injective ring homomorphism, which is also the same map as (2). This concludes the proof. □

Theorem 4

Let m be coprime to \(\text {char}(\mathbb {F})\). Then \(f \in \mathbb {F}[X]\) is invertible modulo X^m − 1 if and only if f(ζ)≠ 0 for all ζ ∈ μ_m.

Proof

This is a direct consequence of the injectivity of (2). □

Corollary 1

Let m be coprime to \(\text {char}(\mathbb {F})\), and let \(f \in \mathbb {F}[X]\) be invertible modulo X^m − 1. Then for all \(t \in \mathbb {Z}_{>0}\), the polynomial g(X) = f(X^t) is also invertible modulo X^m − 1.

Proof

Let x ∈ μ_m and define x_∗ := x^t ∈ μ_m. Observe that g(x) = f(x^t) = f(x_∗)≠ 0 since f is invertible. The proof follows since this is true for all x ∈ μ_m. □

Remark 7

For a polynomial \(f \in \mathbb {F}[X]\), we denote ord(f) as the order f modulo X^m − 1.

Proposition 2

Let m be coprime to \(\text {char}(\mathbb {F})\), and let \(f \in \mathbb {F}[X]\) be invertible modulo X^m − 1. Then

$$ \begin{array}{@{}rcl@{}} \text{ord}(f) = \text{lcm}(\text{ord}(f(\zeta) \in \mathbb{F}(\mu_{m})) : \zeta \in \mu_{m}). \end{array} $$

Proof

This is a trivial result of the injective homomorphism (2). □

Corollary 2

Let m be coprime to \(\text {char}(\mathbb {F})\), and let \(f \in \mathbb {F}[X]\) be invertible modulo X^m − 1. Then for all \(t \in \mathbb {Z}_{>0}\), we have that ord(f(X^t))∣ord(f).

Proof

By the above proposition, we have that ord(f(ζ))∣ord(f), which means that ord(f(ζ^t))∣ord(f) since ζ^t ∈ μ_m for all \(t \in \mathbb {Z}_{>0}\) and ζ ∈ μ_m. Hence ord(f(X^t))∣ord(f). □

Proposition 3

Let \(\mathbb {F} = \mathbb {F}_{q}\) and let \(m \in \mathbb {Z}_{>0}\) such q and m are coprime. Then for each \(f \in \mathbb {F}_{q}[X]\) invertible modulo X^m − 1, we have that \(\text {ord}(f) \mid q^{\text {ord}_{m}(q)} - 1\).

Proof

We conclude from [11, Theorem 2.47(ii)] that \([\mathbb {F}_{q}(\mu _{m}) : \mathbb {F}_{q}] = \text {ord}_{m}(q)\). From this, we have that \(\# \mathbb {F}_{q}(\mu _{m})^{*} = q^{\text {ord}_{m}(q)} - 1\). By Theorem 3 and Lagrange’s theorem, we have that \(\text {ord}(f(\zeta )) \mid q^{\text {ord}_{m}(q)} - 1\) for all ζ ∈ μ_m. From Proposition 2, we conclude that ord(f) must indeed divide \(q^{\text {ord}_{m}(q)} - 1\), which concludes the proof. □

3 Composing multiplicative shuffles & circulant matrices

In this section, we study the order or linear maps of the form

$$ \begin{array}{@{}rcl@{}} \pi_{g} \circ \theta : {\mathbb{F}_{q}^{m}} \to {\mathbb{F}_{q}^{m}}, \end{array} $$

(3)

where \(\pi _{g} \in \mathcal {S}_{m}\) and \(\theta \in \mathcal {C}^{*}_{m}\), which we earlier referred to as m-bit SC-compositions. We make the assumption that m is a prime number different than the characteristic p of \(\mathbb {F}_{q}\), as this assumption simplifies some proof. We derive a lower bound and two upper bounds of the order of SC-compositions using the results in the previous sections.

3.1 Group composition of \(\mathcal {S}_{m}\) and \(\mathcal {C}_{m}^{*}\)

Both \(\mathcal {S}_{m}\) and \(\mathcal {C}^{*}_{m}\) are subgroups of \(\operatorname {GL}_{m}(\mathbb {F}_{q})\). We consider the composition group \(\mathcal {G}_{m} = \mathcal {S}_{m} \cdot \mathcal {C}^{*}_{m} < \operatorname {GL}_{m}(\mathbb {F}_{q})\).

For the remainder of this section, circulant matrices in \(\mathcal {C}_{m}^{*}\) are expressed in terms of their polynomial representation in \(\mathbb {F}[X] / \langle X^{m}-1 \rangle \).

Lemma 1

Consider the monomial X^t in \(\mathcal {C}^{*}_{m}\) where t < m, and let \(\pi _{g} \in \mathcal {S}_{m}\). Then

$$ \begin{array}{@{}rcl@{}} \pi_{g} \circ X^{t} \circ \pi_{g}^{-1} = X^{gt \bmod m}. \end{array} $$

Proof

We prove this by showing that π_g ∘ X^t = X^gt ∘ π_g, which we do by considering these as maps acting on the vector space \({\mathbb {F}_{q}^{m}}\).

Let 0 ≤ j < m and \(s \in {\mathbb {F}_{q}^{m}}\). Looking at the mappings coordinate-wise, we obtain

$$ \begin{array}{@{}rcl@{}} (\pi_{g} \circ X^{t}(s))_{j} = (X^{t}(s))_{g^{-1} j \bmod m} = s_{g^{-1} j - t \bmod m}. \end{array} $$

On the other hand, we have that

$$ \begin{array}{@{}rcl@{}} \left( X^{gt \bmod m} \circ \pi_{g}(s) \right)_{j} = (\pi_{g}(s))_{j - gt \bmod m} = s_{g^{-1}(j - gt) \bmod m} = s_{g^{-1} j - t \bmod m}, \end{array} $$

which coincides with (π_g ∘ X^t(s))_j. Since this is true for all 0 ≤ j < m, we have the desired equality. □

Remark 8

The above lemma is equivalent and even slightly more general than Lemma 3 in [5].

Lemma 2

For \(\theta \in \mathcal {C}_{m}^{*}\) and \(\pi _{g} \in \mathcal {S}_{m}\), we have

$$ \begin{array}{@{}rcl@{}} \pi_{g} \circ \theta \circ \pi_{g}^{-1} = \theta(X^{g}). \end{array} $$

Moreover, \(\pi _{g} \circ \theta \circ \pi _{g}^{-1} \in \mathcal {C}_{m}^{*} \).

Proof

In Lemma 1, this result has been proven for 𝜃 of the form X^j for j > 0. This argument expands to all \(\mathcal {C}_{m}^{*}\) by linear expansion and by linearity of the map \(f \mapsto \pi _{g} \circ f \circ \pi _{g}^{-1}\). Observe that \(\theta (X^{g}) \in \mathcal {C}_{m}^{*}\) when \(\theta \in \mathcal {C}_{m}^{*}\) by Corollary 1, thus concluding the proof. □

It turns out that \(\mathcal {G}_{m}\) is a semidirect product of \(\mathcal {S}_{m}\) and \(\mathcal {C}^{*}_{m}\). Let us revisit this concept.

Definition 3

Let G be a group with identity element e. Let H be a subgroup, and N be a normal subgroup of G. Then G is a semidirect product of H acting on N if G = NH and N ∩ H = {e}. This is denoted by \(G = H \ltimes N\).

Remark 9

A semidirect product \(G = H \ltimes N\) have the property that for every g ∈ G, there are unique h ∈ H and n ∈ N such that g = hn.

Theorem 5

Let \(\mathcal {G}_{m} = \mathcal {S}_{m} \cdot \mathcal {C}^{*}_{m} < \text {GL}_{m}(\mathbb {F}_{q})\). Then \(\mathcal {G}_{m}\) is a semidirect product of \(\mathcal {S}_{m}\) acting on \(\mathcal {C}^{*}_{m}\), or equivalently \(\mathcal {G}_{m} = \mathcal {S}_{m} \ltimes \mathcal {C}^{*}_{m}\).

Proof

Observe that that the only linear map which is both contained in \(\mathcal {S}_{m}\) and \(\mathcal {C}^{*}_{m}\) is the identity map, hence \(\mathcal {S}_{m} \cap \mathcal {C}^{*}_{m} = \{ I_{m} \}\).

All elements in \(\mathcal {G}_{m}\) can be expressed as finite products of elements in \(\mathcal {S}_{m}\) and \(\mathcal {C}^{*}_{m}\). Using this observation together with Lemma 2, we can conclude that \(\mathcal {C}^{*}_{m}\) is a normal subgroup of \(\mathcal {G}_{m}\). This concludes the proof. □

Using the above theorem, we can already derive a lower bound for SC-compositions.

Theorem 6 (Lower Bound)

We have

$$ \begin{array}{@{}rcl@{}} \text{ord} \left( \pi_{g} \right) \mid \operatorname{ord} \left( \pi_{g} \circ \theta \right). \end{array} $$

(4)

Proof

Since \(\mathcal {G}_{m} = \mathcal {S}_{m} \ltimes \mathcal {C}^{*}_{m}\) by the above theorem, we have by Remark 9 that every element in \(\mathcal {G}_{m}\) is of the form π_g ∘ 𝜃 for unique \(\pi _{g} \in \mathcal {S}_{m}\) and \(\theta \in \circ ^{*}_{m}\). Also, we have the quotient group \(\mathcal {G}_{m} / \mathcal {C}^{*}_{m} \cong \mathcal {S}_{m}\). Note that \(\pi _{g} \circ \theta \equiv \pi _{g} \bmod \mathcal {C}^{*}_{m}\) in the quotient group, which has order \(\text {ord} \left (\pi _{g} \right )\). Hence \(\text {ord} \left (\pi _{g} \right )\) must divide \(\text {ord} \left (\pi _{g} \circ \theta \right )\), which concludes the proof. □

Remark 10

By identity (1), we can rewrite (4) as ord_m(g)∣ord(π_g ∘ 𝜃).

3.2 Invariant circulant resultant

From Theorem 6, we have that

$$ \begin{array}{@{}rcl@{}} \text{ord} (\pi_{g} \circ \theta) = \text{ord}_{m}(g) \cdot \text{ord}(\theta_{g}), \end{array} $$

(5)

where we define \(\theta _{g} = (\pi _{g} \circ \theta )^{\text {ord}_{m}(g)}\). In this subsection, we derive an explicit expression for 𝜃_g.

Proposition 4

For all integers j > 0, we have

$$ (\pi_{g} \circ \theta)^{j} = {\pi_{g}^{j}} \circ \left( \prod\limits_{i = 0}^{j - 1} \theta \left( X^{(g^{-1})^{i}} \right) \right), $$

where g^− 1 is the inverse of g in \((\mathbb {Z} / m \mathbb {Z})^{*}\), and where \(\prod \) represents composition, not a product.

Proof

We proceed by induction on j. For j = 1, the result is trivial. Now assume this is true for j = k for some k > 1 and consider j = k + 1. Observe that

$$ \begin{array}{@{}rcl@{}} (\pi_{g} \circ \theta)^{k + 1} = (\pi_{g} \circ \theta)^{k} \circ (\pi_{g} \circ \theta) = {\pi_{g}^{k}} \circ \left( \prod\limits_{i = 0}^{k - 1} \theta \left( X^{(g^{-1})^{i}} \right) \right) \circ (\pi_{g} \circ \theta). \end{array} $$

(6)

By Lemma 2, we get

$$ \begin{array}{@{}rcl@{}} \left( \prod\limits_{i = 0}^{k - 1} \theta \left( X^{(g^{-1})^{i}} \right) \right) \circ \pi_{g} &=& \pi_{g} \circ \left( \prod\limits_{i = 0}^{k - 1} \theta \left( X^{g^{-1} (g^{-1})^{i} } \right) \right) \end{array} $$

(7)

$$ \begin{array}{@{}rcl@{}} &=& \pi_{g} \circ \left( \prod\limits_{i = 0}^{k - 1} \theta \left( X^{(g^{-1})^{i + 1}} \right) \right) \end{array} $$

(8)

$$ \begin{array}{@{}rcl@{}} &=& \pi_{g} \circ \left( \prod\limits_{i = 1}^{k} \theta \left( X^{(g^{-1})^{i}} \right) \right). \end{array} $$

(9)

By substituting (9) into (6), we obtain the identity

$$ \begin{array}{@{}rcl@{}} {\pi_{g}^{k}} \circ \left( \prod\limits_{i = 0}^{k - 1} \theta \left( X^{(g^{-1})^{i}} \right) \right) \circ (\pi_{g} \circ \theta) &= {\pi_{g}^{k}} \circ \pi_{g} \circ \left( {\prod}_{i = 1}^{k} \theta \left( X^{(g^{-1})^{i}} \right) \right) \circ \theta\\ &= \pi_{g}^{k+1} \circ \left( {\prod}_{i = 0}^{k} \theta \left( X^{(g^{-1})^{i}} \right) \right), \end{array} $$

which concludes the induction hypothesis. □

Proposition 5

Consider the subgroup 〈g〉 of \((\mathbb {Z} / m \mathbb {Z})^{*}\). Then

$$ \begin{array}{@{}rcl@{}} \theta_{g} = \prod\limits_{\gamma \in \langle g \rangle} \theta(X^{\gamma}), \end{array} $$

where \(\prod \) represents composition. In particular, \(\theta _{g} \in \mathcal {C}^{*}_{m}\).

Proof

We have

$$ \begin{array}{@{}rcl@{}} (\pi_{g} \circ \theta)^{\operatorname{ord}_{m}(g)} = \pi_{g}^{\operatorname{ord}_{m}(g)} \circ \left( \prod\limits_{i = 0}^{\operatorname{ord}_{m}(g) - 1} \theta \left( X^{\left( g^{-1} \right)^{i}} \right) \right) = \prod\limits_{i = 0}^{\operatorname{ord}_{m}(g) - 1} \theta \left( X^{\left( g^{-1} \right)^{i}} \right), \end{array} $$

from Proposition 4 and (1) respectively. Observe that

$$ \begin{array}{@{}rcl@{}} \left\{ (g^{-1})^{i} : 0 \leq i \leq \text{ord}_{m}(g) - 1 \right\} = \left\{ g^{i} : 0 \leq i \leq \text{ord}_{m}(g) - 1 \right\} = \langle g \rangle. \end{array} $$

Hence

$$ \begin{array}{@{}rcl@{}} \prod\limits_{i = 0}^{\text{ord}_{m}(g)- 1} \theta \left( X^{(g^{-1})^{i} } \right) = \prod\limits_{\gamma \in \langle g \rangle} \theta(X^{\gamma}). \end{array} $$

Observe that reordering within the product sign is possible because \(\mathcal {C}^{*}_{m}\) is a commutative group, which proves the equation.

Corollary 1 implies that 𝜃(X^γ) is indeed contained in \(\mathcal {C}^{*}_{m}\), which concludes the proof. □

The expression 𝜃_g plays an important role in determining the multiplicative order of π_g ∘ 𝜃, for which we give a separate definition.

Definition 4

For \(\theta \in \mathcal {C}^{*}_{m}\), we define the g-invariant circulant resultant𝜃_g of 𝜃 as

$$ \begin{array}{@{}rcl@{}} \theta_{g} := \prod\limits_{\gamma \in \langle g \rangle} \theta \left( X^{\gamma} \right), \end{array} $$

where \(\prod \) represents composition.

3.3 Order of the invariant circulant resultant

In this subsection, we provide two upper bounds for 𝜃_g in terms of m, 𝜃 and \(\text {char}(\mathbb {F}_{q}) := p\). These upper bounds are derived independent of each other.

Theorem 7 (First Upper Bound)

Let m be coprime to p. Then for all \(\theta \in \mathcal {C}^{*}_{m}\) and \(g \in (\mathbb {Z} / m \mathbb {Z})^{*}\), we have

$$ \begin{array}{@{}rcl@{}} \text{ord}(\theta_{g}) \mid \text{ord}(\theta). \end{array} $$

Proof

By Corollary 2, we have that ord(𝜃(X^t))∣ord(𝜃) for any \(t \in \mathbb {Z}_{>0}\). Using this result, we get

$$ \begin{array}{@{}rcl@{}} \theta_{g}^{\text{ord}(\theta)} = \left( \prod\limits_{\gamma \in \langle g \rangle} \theta(X^{\gamma}) \right)^{\text{ord}(\theta)} = \prod\limits_{\gamma \in \langle g \rangle} \theta(X^{\gamma})^{\text{ord}(\theta)} = \prod\limits_{\gamma \in \langle g \rangle} 1 = 1, \end{array} $$

hence ord(𝜃_g)∣ord(𝜃). □

In contrast to the first upper bound, the second upper bound does not rely on 𝜃, and is instead based on field extensions of \(\mathbb {F}_{q}\). For this, we first define a weaker version of the discrete logarithm.

Definition 5

Let G be a finite group, S be a subgroup of G and g an element in G. The discrete group log of g over S is defined as

$$ \begin{array}{@{}rcl@{}} \text{dlog}_{S}(g) := \min \left( t \in \mathbb{Z}_{>0} : g^{t} \in S \right). \end{array} $$

Remark 11

Observe that if S is a normal subgroup of G, then dlog_S(g) = ord(gS ∈ G/S).

Some Galois theory is also required for the proof of the second upper bound.

Lemma 3 (Galois Theory for Finite Fields 7)

Define the map \(\sigma : \overline {\mathbb {F}}_{p} \to \overline {\mathbb {F}}_{p}, \ x \mapsto x^{p}\). Then for \(t \in \mathbb {Z}_{>0}\), we have that x ∈GF(p^t) if and only if σ^t(x) = x.

Theorem 8 (Second Upper Bound)

Let 〈g〉 be a subgroup of \((\mathbb {Z} / m \mathbb {Z})^{*}\). Then

$$ \begin{array}{@{}rcl@{}} \text{ord} \left( \theta_{g} \right) \mid q^{\text{dlog}_{\langle g \rangle} (q)} - 1. \end{array} $$

Proof

Let ζ ∈ μ_m and let σ be as defined in Lemma 3. Since all coefficients of 𝜃_g are contained in \(\mathbb {F}_{q}\), we have for all \(t \in \mathbb {Z}_{>0}\) that

$$ \begin{array}{@{}rcl@{}} \sigma^{\log_{p}(q) \cdot t} \left( \theta_{g}(\zeta) \right) = \theta_{g} \left( \sigma^{\log_{p}(q) \cdot t} (\zeta) \right) = \theta_{g} \left( \zeta^{p^{\log_{p}(q) \cdot t}} \right) = \theta_{g} \left( \zeta^{q^{t}} \right). \end{array} $$

Observe that 𝜃_g(X^γ) = 𝜃_g(X) for all γ ∈〈g〉. Since \(q^{\text {dlog}_{\langle g \rangle }(q)} \in \langle g \rangle \), we have

$$ \begin{array}{@{}rcl@{}} \theta_{g} \left( \zeta^{q^{\text{dlog}_{\langle g \rangle}(q)}} \right) = \theta_{g}(\zeta ), \end{array} $$

which implies that \(\theta _{g}(\zeta ) \in \text {GF} \left (q^{\text {dlog}_{\langle g \rangle }(q)} \right )\) by Lemma 3. Note that \(\theta _{g}(\zeta ) \in \text {GF} \left (q^{\text {dlog}_{\langle g \rangle }(q)} \right )^{*}\) since 𝜃_g is invertible in \(\mathbb {F}_{q}[X] / \langle X^{m}-1 \rangle \), from which Lagrange’s theorem implies

$$ \begin{array}{@{}rcl@{}} \text{ord} \left( \theta_{g}(\zeta) \in \overline{\mathbb{F}}^{*}_{p} \right) \mid q^{\text{dlog}_{\langle g \rangle} (q)} - 1. \end{array} $$

Since this is true for all ζ ∈ μ_m, we conclude from Proposition 2.2 that \(\text {ord}(\theta _{g}) \mid q^{\text {dlog}_{\langle g \rangle } (q)} - 1\). □

For the case that m is prime, we can alternatively compute the discrete group log as follows:

Lemma 4

Let m be a prime number different from p, then

$$ \begin{array}{@{}rcl@{}} \text{dlog}_{\langle g \rangle}(q) = \min \left( t \in \mathbb{Z}_{>0} : \left. \frac{\text{ord}_{m}(q)}{\gcd(t, \text{ord}_{m}(q))} \right\vert \text{ord}_{m}(g) \right). \end{array} $$

Proof

Since m is prime, \((\mathbb {Z} / m \mathbb {Z})^{*}\) is cyclic. Note that in a finite cyclic group G, we have for a,b ∈ G that a ∈〈b〉 if and only if ord(a)∣ord(b). Observe that

$$ \begin{array}{@{}rcl@{}} \text{ord}_{m} \left( q^{t} \right) = \frac{\text{ord}_{m} (q)}{\gcd(t, \text{ord}_{m}(q))}, \end{array} $$

which concludes the proof. □

Remark 12

Lemma 4 is also valid when m is of the form ρ^k or 2ρ^k with ρ an odd prime different from p. This is because for these values of m, the group \((\mathbb {Z} / m \mathbb {Z})^{*}\) is also cyclic.

3.4 Revisiting the order of the linear layer of subterranean

We mathematically derive the order of the linear layer of Subterranean, which equals 256, using the lower and the second upper bound discussed above. This provides insight in the algebraic structure in the design of the linear layer of Subterranean.

Lemma 5

Consider the binary field \(\mathbb {F}_{2}\) and let m be a prime number of the form 2^k + 1. For \(g \in (\mathbb {Z} / m \mathbb {Z})^{*}\), if ord_m(g) ≥ord_m(2), then

$$ \begin{array}{@{}rcl@{}} \text{ord}(\theta_{g}) = 1. \end{array} $$

Proof

Since m is prime, \((\mathbb {Z} / m \mathbb {Z})^{*}\) is a cyclic group with order m − 1 = 2^k. By Lagrange’s theorem, we have that ord_m(2)∣ord_m(g) whenever ord_m(g) ≥ord_m(2), thus dlog_〈g〉(2) = 1. From Theorem 8, we conclude that

$$ \begin{array}{@{}rcl@{}} \text{ord}(\theta_{g}) \mid 2^{\text{dlog}_{\langle g \rangle}(2)} - 1 = 2^{1}-1 = 1, \end{array} $$

which implies ord(𝜃_g) = 1. □

Corollary 3

The order of the linear layer of Subterranean 2.0 Cipher Suite equals 256.

Proof

The linear layer of Subterranean 2.0 consists of the composition \(\pi _{\textbf {s}} \circ \theta _{\textbf {s}} : \mathbb {F}_{2}^{257} \to \mathbb {F}_{2}^{257}\), where π_s = π₁₂ and 𝜃_s is represented by the polynomial 1 + X²⁴⁹ + X²⁵⁴. Observe that ord₂₅₇(12) = 256 > 16 = ord₂₅₇(2), which by Lemma 3.4 implies that ord(𝜃₁₂) = 1. Hence we have that

$$ \begin{array}{@{}rcl@{}} \text{ord}(\pi_{12} \circ \theta_{\textbf{s}}) = \text{ord}_{257}(12) \cdot \text{ord}(\theta_{12}) = 256 \cdot 1 = 256. \end{array} $$

□

4 Higher order linear layers

In this section, we show how to construct a certain class of high order SC-compositions using the above results together with the theory of Mersenne prime numbers. We restrict ourselves to the binary field \(\mathbb {F}_{2}\).

Mersenne prime numbers are prime numbers of the form 2^k − 1. For such a Mersenne prime number, we define k to be a Mersenne exponent. Note that these Mersenne exponents are always prime numbers.

Theorem 9

Let the underlying field be the binary field \(\mathbb {F}_{2}\), and let \(m \in \mathbb {Z}_{>0}\) and \(g \in (\mathbb {Z} / m \mathbb {Z})^{*}\) satisfying the following conditions:

1. 1.

   m − 1 = α ⋅ μ where μ is a Mersenne exponent and α < μ (α does not need to be prime);

2. 2.

   μ∣ord_m(2);

3. 3.

   ord_m(g) = α.

Then for any \(\theta \in \mathcal {C}^{*}_{m}\) such that 𝜃_g≠I_m, we have

$$ \begin{array}{@{}rcl@{}} \text{ord}(\pi_{g} \circ \theta) = \alpha \cdot (2^{\mu} - 1). \end{array} $$

Proof

By (5), we are only required to show that ord(𝜃_g) = 2^μ − 1. Note that μ does not divide ord_m(g) since μ does not divide α. However, \(\frac {\text {ord}_{m}(2)}{\mu }\) does divide ord_m(g), since ord_m(2)∣m − 1 = α ⋅ μ and μ∣ord_m(2). Combining this observation with the formula in Lemma 4, we conclude that dlog_〈g〉(2) = μ. Hence by Theorem 8, we have that ord(𝜃_g)∣2^μ − 1. Because μ is a Mersenne exponent, 2^μ − 1 is a Mersenne prime number and thus a prime number. This means that ord(𝜃_g) is either 1 or 2^μ − 1. Since 𝜃_g≠I_m, we have that ord(𝜃_g)≠ 1, which means that ord(𝜃_g) = 2^μ − 1. This concludes the proof. □

We present two examples of SC-compositions on different states using the above theorem. These order can all be computed and verified by Magma or Sage using brute force methods.

4.1 Example 1: (m,π _g,𝜃) = (367,π ₂₈₄,X ⁸ + X ³ + 1)

We get the following results for m = 367:

	value	prime decomposition
m	367	367
\(\#(\mathbb {Z} / m \mathbb {Z})^{*}\)	366	2 ⋅ 3 ⋅ 61
ordm(2)	183	3 ⋅ 61

For \(g = 283 \in (\mathbb {Z} / 267 \mathbb {Z})^{*}\), we get the following data:

g	284
ordm(g)	6
〈g〉	{1,83,84,283,284,366}
dlog〈g〉(2)	61

Let 𝜃 = X⁸ + X³ + 1, which is invertible in \(\mathbb {F}_{2}[X] / \langle X^{367} - 1 \rangle \). By computation, we verified that 𝜃₂₈₄≠ 1.

Thus taking π_g = π₂₈₄ and 𝜃 = X⁸ + X³ + 1, we have by Theorem 4 that

$$ \begin{array}{@{}rcl@{}} \text{ord}(\pi_{284} \circ \theta) = 6 \cdot \left( 2^{61}-1 \right) = 13 835 058 055 282 163 706 \approx 1.38 \cdot 10^{19}. \end{array} $$

Example 1 shows an SC-composition of 367 states, which is not much higher than 257 states used in Subterranean, but having a significant higher order than 256. The second example is a very interesting one, as this shows that there are SC-compositions with less states than 257, while also having a significantly higher order than 256.

4.2 Example 2: (m,π _g,𝜃) = (191,π ₈₂,X ⁸ + X ³ + 1)

We get the following results for m = 191:

	value	prime decomposition
m	191	191
\(\#(\mathbb {Z} / m \mathbb {Z})^{*}\)	190	2 ⋅ 5 ⋅ 19
ordm(2)	95	5 ⋅ 19

For \(g = 82 \in (\mathbb {Z} / 191 \mathbb {Z})^{*}\), we get the following data:

g	82
ordm(g)	10
〈g〉	{1,7,39,49,82,109,142,152,184,190}
dlog〈g〉(2)	19

Let 𝜃 = X⁸ + X³ + 1, which is invertible in \(\mathbb {F}_{2}[X] / \langle X^{191} - 1 \rangle \). By computation, we verified that ord(𝜃₈₂)≠ 1.

Thus taking π_g = π₈₂ and 𝜃 = X⁸ + X³ + 1, we have by Theorem 4 that

$$ \begin{array}{@{}rcl@{}} \text{ord}(\pi_{82} \circ \theta) = 10 \cdot (2^{19}-1) = 5 242 870 \approx 5.24 \cdot 10^{6}. \end{array} $$

5 Concluding remarks

An interesting follow-up research topic is to see whether we can find 257-bit SC-compositions with orders exceeding 256. From the above results, we know that for such a composition, the order of \(\pi _{g} \in \mathcal {S}_{257}\) cannot exceed 16. Since 256 = 2⁸ does not have large Mersenne exponents in its decomposition, Theorem 4 does not apply. A computational based approach should be considered here. For such linear layers, it would be interesting to also do a security analysis using the modified Subterranean design, and compare the results to the performance of the original Subterranean 2.0 design.

When not being bound to 257 bit-states, one can consider compositions of different states which can exploit the presented bounds to analytically construct high order SC-compositions, similar to Theorem 4. This might lead to results which can be used for future designs.