Proving Resistance Against Invariant Attacks: How to Choose the Round Constants

  • Christof Beierle
  • Anne Canteaut
  • Gregor Leander
  • Yann Rotella
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10402)


Many lightweight block ciphers apply a very simple key schedule in which the round keys only differ by addition of a round-specific constant. Generally, there is not much theory on how to choose appropriate constants. In fact, several of those schemes were recently broken using invariant attacks, i.e., invariant subspace or nonlinear invariant attacks. This work analyzes the resistance of such ciphers against invariant attacks and reveals the precise mathematical properties that render those attacks applicable. As a first practical consequence, we prove that some ciphers including Prince, Skinny-64 and \(\textsf {Mantis}_{\mathsf {7}}\) are not vulnerable to invariant attacks. Also, we show that the invariant factors of the linear layer have a major impact on the resistance against those attacks. Most notably, if the number of invariant factors of the linear layer is small (e.g., if its minimal polynomial has a high degree), we can easily find round constants which guarantee the resistance to all types of invariant attacks, independently of the choice of the S-box layer. We also explain how to construct optimal round constants for a given, but arbitrary, linear layer.
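As an added example (my own code, not code from the paper or from any of the ciphers it analyzes), the following Python computes the smallest L-invariant subspace generated by the round-constant differences and applies the design check the abstract describes: when that subspace is the whole state space, no invariant can be compatible with every round-key addition, whatever S-box layer is used. Naming that subspace W_L(D) with D the set of constant differences follows the paper's terminology as I recall it (the abstract itself does not name it). The bit-vector conventions and the two toy 8-bit linear layers (one full-state rotation with a single invariant factor, one rotation of two independent halves with two invariant factors) are constructed for this illustration and are not the linear layer of any real cipher.

```python
"""Added example (not code from the paper): checking round constants with the
smallest L-invariant subspace W_L(D) generated by the round-constant differences.

Conventions (assumptions of this example, not the paper's notation):
  * a vector in F_2^n is a Python int with bit i = coordinate i;
  * a linear layer L is a list of n ints, cols[i] = L(e_i);
  * the toy linear layers below are constructed for illustration and are not
    the linear layer of any real cipher.
"""
from typing import List


def apply_linear(cols: List[int], x: int) -> int:
    """Evaluate L(x) over GF(2): XOR the columns selected by the bits of x."""
    y = 0
    i = 0
    while x:
        if x & 1:
            y ^= cols[i]
        x >>= 1
        i += 1
    return y


class Gf2Span:
    """Incremental basis of a subspace of F_2^n, kept in echelon form by leading bit."""

    def __init__(self, n: int) -> None:
        self.n = n
        self.rows = [0] * n  # rows[i]: basis vector whose leading bit is i, or 0

    def insert(self, v: int) -> bool:
        """Add v to the span; return True iff the dimension grew."""
        for i in range(self.n - 1, -1, -1):
            if not (v >> i) & 1:
                continue
            if self.rows[i] == 0:
                self.rows[i] = v
                return True
            v ^= self.rows[i]
        return False  # v reduced to zero: it was already in the span

    def dim(self) -> int:
        return sum(1 for r in self.rows if r)


def invariant_subspace(cols: List[int], generators: List[int]) -> Gf2Span:
    """Smallest L-invariant subspace containing the generators.

    Closure under L: every vector that enlarges the span is pushed to a frontier
    and its image under L is inserted in turn, until nothing new appears.
    The result is spanned by {L^k d : d in generators, k >= 0}.
    """
    span = Gf2Span(len(cols))
    frontier = [g for g in generators if span.insert(g)]
    while frontier:
        nxt = []
        for v in frontier:
            img = apply_linear(cols, v)
            if span.insert(img):
                nxt.append(img)
        frontier = nxt
    return span


def constant_differences(round_constants: List[int]) -> List[int]:
    """D = {c_i xor c_j}.  Since c_i ^ c_j = (c_0 ^ c_i) ^ (c_0 ^ c_j), the
    differences to the first constant already generate the same subspace."""
    c0 = round_constants[0]
    return [c0 ^ c for c in round_constants[1:]]


def constants_resist_invariants(cols: List[int], round_constants: List[int]) -> bool:
    """Design check: W_L(D) must be the whole state space F_2^n."""
    n = len(cols)
    return invariant_subspace(cols, constant_differences(round_constants)).dim() == n


def single_constant_dims(cols: List[int]) -> List[int]:
    """dim W_L({c}) for every nonzero c (brute force; fine for small n)."""
    n = len(cols)
    return [invariant_subspace(cols, [c]).dim() for c in range(1, 1 << n)]


# Toy linear layers on n = 8 bits (constructed for this example).
# ROT8: rotate the whole 8-bit state by one position.  Its minimal polynomial
# X^8 + 1 = (X + 1)^8 has degree 8 = n, i.e. a single invariant factor, so one
# well-chosen constant difference can already span the whole state.
ROT8 = [1 << ((i + 1) % 8) for i in range(8)]
# SPLIT: rotate each 4-bit half independently.  Its minimal polynomial X^4 + 1 has
# degree 4 < n and the state splits into two invariant factors, so a single
# constant difference can never span more than 4 dimensions.
SPLIT = [1 << (4 * (i // 4) + (i + 1) % 4) for i in range(8)]


if __name__ == "__main__":
    for name, layer in (("ROT8", ROT8), ("SPLIT", SPLIT)):
        dims = single_constant_dims(layer)
        print(f"{name}: max dim W_L(c) over single c = {max(dims)}, "
              f"constants reaching n=8: {dims.count(8)}")
    print("ROT8, constants 0x00,0x01:", constants_resist_invariants(ROT8, [0x00, 0x01]))
    print("ROT8, constants 0x00,0xFF:", constants_resist_invariants(ROT8, [0x00, 0xFF]))
    print("SPLIT, constants 0x00,0x11:", constants_resist_invariants(SPLIT, [0x00, 0x11]))
    print("SPLIT, constants 0x00,0x01,0x10:",
          constants_resist_invariants(SPLIT, [0x00, 0x01, 0x10]))
```

For ROT8 exactly the odd-weight constants reach the full dimension (an even-weight vector and all its rotations stay inside the even-weight hyperplane), while the all-ones constant 0xFF is a fixed point of L and generates a one-dimensional invariant subspace: a constant schedule that differs only by 0xFF is the kind of choice the check rejects. For SPLIT two independent differences, one per half, are needed, which is the abstract's point that the number of invariant factors bounds how few constants can suffice.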


Keywords: Block cipher; Nonlinear invariant; Invariant subspace attack; Linear layer; Round constants; Mantis; Midori; Prince; Skinny; LED



This work was partially supported by the DFG Research Training Group GRK 1817 Ubicrypt and the French Agence Nationale de la recherche through the BRUTUS project under contract ANR-14-CE28-0015.


Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  • Christof Beierle: Horst Görtz Institute for IT Security, Ruhr-Universität Bochum, Bochum, Germany
  • Anne Canteaut: Inria, Paris, France
  • Gregor Leander: Horst Görtz Institute for IT Security, Ruhr-Universität Bochum, Bochum, Germany
  • Yann Rotella: Inria, Paris, France
