On Invariant Subspaces in the Lai–Massey Scheme and a Primitivity Reduction

In symmetric cryptography, the round functions used as building blocks for iterated block ciphers are obtained as the composition of different layers acting as a sequence of bijective transformations providing global increasing complexity. The study of the conditions on such layers which make the group generated by the round functions of a block cipher a primitive group has been addressed in the past years, both in the case of Substitution Permutation Networks and Feistel Networks, giving to block cipher designers the recipe to avoid the imprimitivity attack, which exploits the invariance of some subspaces during the encryption. In the case of Lai–Massey schemes, where both Substitution Permutation Network and Feistel Network features are combined, the resistance against imprimitivity attacks has been a long-standing open problem. In this paper we consider a generalization of such a scheme and we prove its resistance against the imprimitivity attack. Our solution is obtained as a consequence of a more general result in which the problem of proving the primitivity of a generalized Lai–Massey scheme is reduced to the simpler one of proving the primitivity of the group generated by the round functions of a strictly related Substitution Permutation Network. We prove how this implies a reduction in the computational cost of invariant-subspace search.


1. Introduction
Until the selection of the Advanced Encryption Standard [DR02], Feistel Networks (FN) have probably been the most popular design framework for iterated block ciphers, whereas today they share the stage with Substitution Permutation Networks (SPN). Feistel Networks are characterized by the clever idea of splitting the message into two halves, say left part and right part, and applying in each round a key-dependent non-linear transformation called F-function to the right part, which is then mixed with the left part just before the two halves are swapped [Fei73]. As a notable feature, FNs do not require the F-function to be invertible in order to perform decryption. The framework of SPNs is instead composed of a sequence of carefully designed key-dependent round functions, each the composition of invertible confusion and diffusion layers acting on the whole block. If, on the one hand, the minimalistic design of SPNs allows a simple description and consequently a more careful security assessment, on the other, the structure of FNs gives the designers more freedom in the choice of the layers intervening during the encryption, although keeping confusion and diffusion confined to only half of the block in a single round. The Lai-Massey scheme (LM) [Vau99], introduced after the design of IDEA [LM91], perfectly combines the advantages of both frameworks, splitting the message into two halves but mixing the left and right part of the state, and consequently accelerating both diffusion and confusion. Its pseudo-randomness behavior and its security against impossible differential cryptanalysis and other generic attacks have been addressed in recent years [YPL11, GJ14, LLH15, LLZ17].
In this paper we focus on the study of a group containing the group generated by the round functions of a general Lai-Massey cipher, proving its resistance against the imprimitivity attack [Pat99] provided that its inner layers satisfy certain well-established conditions. Little is known, indeed, on the group-theoretical security of such a design strategy, whereas that of SPNs and FNs has been addressed in several works in the last decades. One remarkable exception is a paper due to Wernsdorf [Wer01] which shows that the multiply-addition box at the center of the round of IDEA generates the alternating group on $\mathbb{F}_2^{32}$, and where it is conjectured that also the entire rounds of IDEA generate the alternating group.
The topic of our research, i.e. the group generated by the round functions, was first defined in 1975 by Coppersmith and Grossman [CG75] and gained more popularity when, in 1999, Paterson introduced the imprimitivity attack, showing that in a DES-like cipher there may exist a partition of the message space which is invariant under the action of the group Γ generated by the encryption functions, i.e. a block system for Γ, whose knowledge can be exploited to attack the cipher. After this, the resistance of many known ciphers to this attack has been proved [SW08, CDVS09, SW15, ACS17, ACTT18]. In Aragona et al. [ACC+19, Theorem 4.5], the authors showed that the primitivity of the group generated by the rounds of an FN can be reduced to the primitivity of the group generated by the rounds of an SPN whose round functions are the ones implemented as F-functions within each round of the FN, proving, in fact, that the primitivity of the structure of an FN, in spite of its complexity, can be inherited from a simpler design. We prove here, using a similar approach, that the primitivity of the group generated by the rounds of an SPN implies that of a group containing the group generated by the rounds of an LM which features in its structure the same key-dependent transformation acting in the SPN. Our result refers to the closest group containing the actual group generated by the round functions of an LM for which a convenient algebraic description of the generators can be provided.
Organization of the paper. In Section 2 we introduce the notation and the preliminary results, and present our algebraic model of the Lai-Massey scheme which is the subject of the study. In Section 3 we prove the primitivity reduction from the LM to the SPN.

2. Group-theoretical cryptanalysis
2.1. Preliminaries. Let us introduce our notation and some preliminary results.
2.1.1. Spaces. Let n be a non-negative integer and $V := \mathbb{F}_2^n$ be the n-dimensional vector space over $\mathbb{F}_2$. We denote by Sym(V) the symmetric group acting on V and by 1 its identity. The map 0 : V → V denotes the null function. The group of the translations on V, i.e. the group of the maps $\sigma_v : x \mapsto x + v$ for $v \in V$, is denoted by $T_n$, whereas the group of translations on V × V is denoted by $T_{2n}$, where the translation $\sigma_{(v,w)}$ acts on (x, y) as $(x, y)\sigma_{(v,w)} = (x + v, y + w)$. Let us also denote by AGL(V) the group of all affine permutations of V and by GL(V) the group of the linear ones.
2.1.2. Groups. Let G be a finite group acting on a set M. For each g ∈ G and v ∈ M we denote the action of g on v as vg. The group G is said to be transitive if for any v, w ∈ M there exists g ∈ G such that vg = w. A partition $\mathcal{B}$ of M is said to be G-invariant if for any $B \in \mathcal{B}$ and g ∈ G it holds $Bg \in \mathcal{B}$. Any non-trivial and G-invariant partition $\mathcal{B}$ of M is called a block system for G. In particular any $B \in \mathcal{B}$ is called an imprimitivity block. The group G is primitive in its action on M (or G acts primitively on M) if G is transitive and there exists no block system. Otherwise, the group G is imprimitive in its action on M (or G acts imprimitively on M). We recall here some well-known results that will be useful in the remainder of this paper [Cam99].
Lemma 2.1. If T ≤ G is transitive, then a block system for G is also a block system for T.

Lemma 2.2. Let M be a finite vector space over $\mathbb{F}_2$ and T its translation group. Then T is transitive and imprimitive on M. A block system $\mathcal{U}$ for T is composed of the cosets of a non-trivial and proper subgroup U < (M, +), i.e. $\mathcal{U} = \{U + v \mid v \in M\}$.
2.1.3. Goursat's Lemma. To prove our results, we need to determine a block system for V × V. In order to do so, we use the following characterization of subgroups of the direct product of two groups in terms of suitable sections of the direct factors [Gou89].

Theorem 2.3. Let $G_1$ and $G_2$ be two groups. There exists a bijection between
(1) the set of all subgroups of the direct product $G_1 \times G_2$, and
(2) the set of all triples (A/B, C/D, ψ), where $B \trianglelefteq A \le G_1$, $D \trianglelefteq C \le G_2$ and $\psi : A/B \to C/D$ is an isomorphism.
In particular, every subgroup $U \le G_1 \times G_2$ can be uniquely written as $U = \{(a, c) \in A \times C \mid (a + B)\psi = c + D\}$.
Note that the isomorphism ψ : A/B → C/D is induced by a homomorphism ϕ : A → C such that (a + B)ψ = aϕ + D for any a ∈ A, and Bϕ ≤ D. Such a homomorphism is not unique.

Corollary 2.4 ([ACC+19]). Using the notation of Theorem 2.3, given any homomorphism ϕ inducing ψ, we have
(1)

2.1.4. Ciphers. A block cipher Φ is a family of key-dependent permutations $\{E_K \mid K \in \mathcal{K}\} \subseteq \mathrm{Sym}(M)$, where M is the message space, $\mathcal{K}$ the key space, and $|M| \le |\mathcal{K}|$. The permutation $E_K$ is called the encryption function induced by the master key K. The block cipher Φ is called an iterated block cipher if there exists r ∈ ℕ such that for each $K \in \mathcal{K}$ the encryption function $E_K$ is obtained as the composition of r round functions, i.e. $E_K = \varepsilon_{1,K}\,\varepsilon_{2,K} \cdots \varepsilon_{r,K}$. To provide efficiency, each round function is the composition of a public component provided by the designers and a private component derived from the user-provided key by means of a public procedure known as key-schedule. The group $\Gamma_\infty(\Phi) = \langle \varepsilon_{i,K} \mid 1 \le i \le r,\ K \in \mathcal{K} \rangle$, called the group generated by the round functions of Φ, is studied to prevent group-theoretical attacks [KRS88, Pat99, CCS17].
An iterated block cipher Φ is called an r-round Substitution Permutation Network (SPN) if M = V and for each 1 ≤ i ≤ r we have $\varepsilon_{i,K} = \rho\,\sigma_{k_i}$, where $k_i \in V$ is the i-th round key derived from K and ρ ∈ Sym(V) \ AGL(V) is designed to provide both of Shannon's principles of confusion and diffusion [Sha49].

2.2. A model for the Lai-Massey scheme. We introduce here our algebraic description of the Lai-Massey scheme [LM91] as presented by Vaudenay [Vau99].
By the assumption on the key-schedule, we can always assume without loss of generality that 0ρ = 0, provided that, in each round, the value (0ρπ, 0ρ) is added to the round key of the previous iteration. It is well known that, for security reasons, the function π is required to be an orthomorphism [Vau99]. However, we do not make use of this hypothesis in our analysis. We make essential use, instead, of the assumption that such a function is linear.
The general round function of a Lai-Massey cipher is displayed in Fig. 1. Notice that the previous formal definition coincides with the classical definition given by Vaudenay [Vau99]. Indeed, given (x, y) ∈ V × V we have. Moreover, it is easy to check that $\varepsilon_{i,K}$ is invertible with the following inverse, where. Note that, as in the Feistel Network case, the inverse $\varepsilon_{i,K}^{-1}$ of the round function $\varepsilon_{i,K}$ of a Lai-Massey cipher does not involve the inverse of ρ. We have nonetheless assumed that ρ is bijective, since in our result it is used as the generator of a group. It is worth mentioning that even if IDEA was the starting point for the definition of the LM framework, it does not fit the presentation of Definition 2.5, since e.g. in IDEA the round key is mixed with the state by using operations different from the XOR.
Let us define the group Γ(LM(ρ, π)), which clearly contains the group $\langle \rho\pi, T_{2n} \rangle$ generated by the round functions of a Lai-Massey cipher. Notice that considering every possible translation in $T_{2n}$ in Eq. (2) implicitly means that the study is carried out without considering the role of the particular choice of the key-schedule. This is however a common practice in the study of the primitivity of the groups generated by the rounds of a cipher, except for one recent result [ACC20].
In the following section we will prove our main contribution, i.e. that Γ(LM(ρ, π)) is primitive provided that $\langle \rho, T_n \rangle$ is primitive. It is worth mentioning again that $\langle \rho, T_n \rangle$ is the group generated by the round functions of the SPN whose function ρ is the same that forms the building block for the round functions of the LM. In this sense, the primitivity of a Lai-Massey scheme is reduced to that of the corresponding SPN.
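As an added worked example (not code from the paper), the following Python script carries out, on a toy instance, the invariant-subspace search that the reduction above makes cheaper: it enumerates all subspaces of $\mathbb{F}_2^n$, applies the Lemma 2.2 criterion to decide whether the cosets of a subspace form a block system for ⟨ρ, T_n⟩, and computes the Goursat data (A, B, C, D) of Theorem 2.3 for a subspace of V × V. The choice of ρ (inversion in GF(2^3), a constructed non-affine S-box with 0ρ = 0) and the packing of (x, y) as a 2n-bit integer are assumptions of the example, not of the paper.

```python
# Added example (not from the paper): Lemma 2.2 linear-block search for <rho, T_n>
# on a constructed toy S-box over F_2^3, plus the Goursat projections of a subspace of V x V.

def subspaces(dim):
    """All subspaces of F_2^dim (as frozensets of ints), by repeatedly adjoining a vector."""
    found = {frozenset([0])}
    frontier = list(found)
    while frontier:
        s = frontier.pop()
        for w in range(1 << dim):
            if w not in s:
                t = s | frozenset(x ^ w for x in s)   # span of s and w
                if t not in found:
                    found.add(t)
                    frontier.append(t)
    return found

def is_linear_block(perm, dim, u):
    """Lemma 2.2: the cosets of u form a block system for <perm, T_dim> iff perm maps
    every coset u + v onto the coset u + v.perm, i.e. (x + v)perm + v.perm lies in u."""
    return all(perm[x ^ v] ^ perm[v] in u for v in range(1 << dim) for x in u)

def linear_blocks(perm, dim):
    """Non-trivial proper subspaces whose cosets are imprimitivity blocks for <perm, T_dim>."""
    full = 1 << dim
    return [u for u in subspaces(dim) if 1 < len(u) < full and is_linear_block(perm, dim, u)]

def gf8_mul(a, b):
    """Multiplication in GF(2^3) = F_2[x]/(x^3 + x + 1), elements as 3-bit ints."""
    r = 0
    for i in range(3):
        if b >> i & 1:
            r ^= a << i
    for i in (4, 3):  # reduce the degree-4 and degree-3 terms modulo x^3 + x + 1
        if r >> i & 1:
            r ^= 0b1011 << (i - 3)
    return r

# Constructed toy S-box rho: inversion in GF(2^3) with 0 -> 0 (so 0.rho = 0 as in Section 2.2).
RHO_INV = [0] + [next(y for y in range(1, 8) if gf8_mul(x, y) == 1) for x in range(1, 8)]

def goursat(u, n):
    """(A, B, C, D) of Theorem 2.3 for u <= V x V, with (x, y) packed as x << n | y:
    A and C are the two projections, B = {a : (a, 0) in u}, D = {d : (0, d) in u}."""
    mask = (1 << n) - 1
    a = frozenset(z >> n for z in u)
    c = frozenset(z & mask for z in u)
    b = frozenset(z >> n for z in u if z & mask == 0)
    d = frozenset(z & mask for z in u if z >> n == 0)
    return a, b, c, d
```

On this instance the identity permutation (an affine map) has all 14 proper non-trivial subspaces of $\mathbb{F}_2^3$ as linear blocks, whereas inversion has none, so ⟨ρ, T_3⟩ is primitive; the number of candidate subspaces grows from 16 in $\mathbb{F}_2^3$ to 2825 in $\mathbb{F}_2^6$, which is the search over V × V that the reduction lets one avoid.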

3. The primitivity reduction
(3) Notice that we can always assume $(v', w') = (v, w)f$.
In the following result we assume the existence of a linear block U for ρ. In this case we have. Moreover, it is easy to check that U is a linear block also for $\rho^{-1}$, from which we obtain. We use Theorem 2.3 and Corollary 2.4 to provide a useful decomposition of U. The explicit dependence of all the groups on ρ is here omitted.

(1) D ≤ A; (2) Aϕ ≤ A; (3) Dϕ ≤ D.

If a = 0, then y = dϕ + d, and consequently dϕ ∈ D, which proves (3).
We now use the previous lemma to show our main result on the primitivity of the Lai-Massey scheme. Notice that the result is valid for any choice of π.
Proof. It is enough to prove that $\langle \rho, T_{2n} \rangle$ is primitive. Let us assume that it is imprimitive, i.e. that there exists a block system $\mathcal{U}$ for $\langle \rho, T_{2n} \rangle$. Then, from Lemma 2.2, the block system is $\mathcal{U} = \{U + (v, w) \mid (v, w) \in V \times V\}$ for a non-trivial proper subspace U of V × V. Since U is a linear block for ρ, we have that for each (v, w) ∈ V × V and for each a ∈ A and d ∈ D there exist x ∈ A and y ∈ D such that (a + v, aϕ. From Lemma 3.2 we have dϕ ∈ D, and therefore, since ρ is bijective, we obtain the equality. In the case under consideration, i.e. when D = {0}, the claim is proved by showing that {A + v | v ∈ V} is a block system. This is addressed in the remainder of the proof. Let us prove that A is non-trivial and proper. If A = {0}, then C = D = {0}, and so also B = {0}; therefore U is trivial, a contradiction. To conclude, let us assume $A = \mathbb{F}_2^n$. From Eq. (4), setting v = w = 0, we obtain that $a\phi^2 = (a + a\phi)\rho$. If a ∈ A is a fixed point of ϕ, i.e. a = aϕ, then (a + aϕ)ρ = 0ρ = 0, and so $a\phi^2 = 0$. Therefore a = 0, since ϕ is an automorphism. We have proved that ϕ has no fixed points other than the trivial one a = 0, from which it follows that 1 + ϕ is injective and, since Aϕ ≤ A, we have $\{a + a\phi \mid a \in A\} = A = \mathbb{F}_2^n$. Therefore ρ is linear on $\mathbb{F}_2^n$, a contradiction.

We have already observed that $\langle \rho, T_n \rangle$ is the group $\Gamma_\infty(\Phi)$ generated by the rounds of the Substitution Permutation Network Φ whose i-th round function is $\varepsilon_{i,K} = \rho\,\sigma_{k_i}$ for some ρ = γλ ∈ Sym(V) \ AGL(V). The conditions which make $\Gamma_\infty(\Phi)$ primitive in the case of SPNs have been extensively studied, due to the popularity of the design framework. It has been proved that the primitivity is

Lemma 3.2. Let U ≤ V × V, and let A, B, C, D ≤ V and ϕ : A → C be a homomorphism such that U = {(a, aϕ + d) | a ∈ A, d ∈ D}. Let us assume that U is a linear block for ρ. Then the following conditions hold: (1) D ≤ A; (2) Aϕ ≤ A; (3) Dϕ ≤ D.