An algebraic approach to symmetric linear layers in cryptographic primitives

Subterranean 2.0 is a permutation-based cipher suite which works on a 257 bit-state. It is designed for lightweight cryptography, and it scores very well with respect to energy consumption. Its designers investigated its security against well-known attack vectors. A possible point of concern is the relatively low order of its linear layer, which equals 256. In the past, such properties have been exploited by invariant subspace attacks. We define linear mappings with the same structure as the linear layer of Subterranean as SC-compositions. In this work, we explore how to find SC-compositions with an order higher than 256. We rely on concepts from abstract algebra and number theory to understand the relation between the order and the bit-state of SC-compositions. Using a 257 bit-state, as done in Subterranean, turns out to be an unfortunate choice when designing SC-compositions with a high order. We present two examples with different bit-states, each having a significantly higher order than 256.


Introduction
Subterranean 2.0 [5] is a permutation-based cipher suite designed for lightweight cryptography which performs very well with respect to energy consumption. Its round function works on a 257 bit-state and consists of the composition of a linear and a non-linear layer. In this paper, we focus on the linear layer of Subterranean, which is the composition of two invertible linear maps denoted by π_s and θ_s. The map θ_s belongs to the group of invertible 257 × 257 circulant matrices, denoted by C*_257, and π_s belongs to the group which the designers call the multiplicative shuffles, denoted by S_257. These maps are explained in detail in this paper. It was shown in [5] that the order of π_s ∘ θ_s equals 256, which is relatively low. A low order of the linear layer of a permutation could be exploited by invariant subspace attacks [3]. This is not necessarily of direct concern, as many other conditions must also be satisfied for an invariant subspace attack to be effective. Still, it is interesting from a mathematical point of view to understand the algebraic structure of the linear layer of Subterranean well enough to explain why the order is low. This also helps to design compositions of the form π ∘ θ with higher order, where π ∈ S_m (m-dimensional multiplicative shuffles) and θ ∈ C*_m (m-dimensional invertible circulant matrices), and where we allow bit-states m different from 257. We define such a composition as an m-bit SC-composition. Studying SC-compositions can be useful for future work on designing linear layers for Subterranean-like permutations.
The main goal of this paper is to gain insight into the relation between the bit-state m and the possible magnitudes of the order of m-bit SC-compositions, where we consider all finite fields instead of just the binary field F_2. We do so by looking into the algebraic structure of the groups S_m and C*_m. Circulant matrices in particular have a rich algebraic structure from which many symmetric features can be extracted. Besides in Subterranean 2.0, circulant matrices are also used in many well-known cryptographic primitives such as the Advanced Encryption Standard (AES) [6] and LEDACRYPT [2], a code-based post-quantum cryptographic primitive. There are also many lattice-based cryptographic primitives which rely on rings whose algebraic structure is very similar to that of circulant matrices, such as NTRU [8], SABER [14], CRYSTALS-KYBER [4] and CRYSTALS-DILITHIUM [12].

Our contribution
In this paper, we present a mathematical framework based on abstract algebra to study the algebraic properties of SC-compositions. This framework is used to construct two upper bounds and a lower bound for the order of SC-compositions, which provides insight into the relation between the bit-state, the underlying field, and the order. We show that the order of the linear layer of Subterranean, which equals 256, can also be deduced from these bounds. Moreover, we use these bounds together with the theory of Mersenne prime numbers to construct two examples of SC-compositions with different bit-states, each having a higher order than 256. For example, choosing m = 191, we constructed an SC-composition of order 5.24 · 10^6, which has a higher order than 256 while having fewer states than 257.

Outline
In Section 2, we introduce multiplicative shuffles and circulant matrices, together with a basic treatment of their algebraic structure. We also discuss the ring of circulant matrices of dimension m over the field F using the well-known result that this ring is isomorphic to F[X]/⟨X^m − 1⟩. From this result, we deduce some algebraic properties of circulant matrices, such as invertibility and how to compute the order when F is a finite field.
In Section 3, we show that the group G_m, defined as the product of S_m and C*_m, is in fact a semidirect product of these groups. Combining this observation with the algebraic framework for circulant matrices, we find a lower bound and two upper bounds for the order of SC-compositions. We also show how these bounds determine the order of the linear layer of Subterranean, which clearly demonstrates the relation between the order, the bit-state and the cardinality of the underlying finite field. More on semidirect products can be found in [1] and [10].
In Section 4, we give two examples of SC-compositions over F_2 on different states with a high order. We use the theory of Mersenne prime numbers and the second upper bound of Section 3 to find these compositions.

Notation
Given a ring R, we denote the group of invertible elements of R by R*. The algebraic closure of a field F is denoted by F̄. For L a field extension of F, the degree of the extension is written [L : F]. A finite field of order q is denoted by F_q or GF(q). The set of m-th roots of unity in a specified (algebraically closed) field is denoted by μ_m.
Let us cover the notation for matrices and vectors over some field F. The group of invertible m × m matrices over F is denoted by GL_m(F). I_m is the m × m identity matrix. F^n is the n-dimensional vector space over F. We index the coordinates of a (column) vector v ∈ F^n from 0 to n − 1. Naturally, for 0 For f in some finite group G, we denote the order of f by ord(f). For the specific case that g lies in a multiplicative group (Z/mZ)*, we denote the multiplicative order of g by ord_m(g). Moreover, gcd and lcm denote the greatest common divisor and the least common multiple respectively.
Remark 1 Using the above notation, the linear layer of Subterranean consists of the composition π_s ∘ θ_s, where π_s and θ_s are defined as follows: for all 0 ≤ i < 257 and v ∈ F_2^257. Observe that the maps π_s and θ_s are described coordinatewise. We take an index modulo 257 to be its representative between 0 and 256, as this is also the range of the index. For example, if i = 77, then 12 · 77 = 924 ≡ 153 mod 257, which means that the 77-th coordinate of the vector π_s(v) equals v_153.

Multiplicative shuffles & circulant matrices
In this section, we introduce multiplicative shuffles and circulant matrices, which are linear maps generalizing π_s and θ_s respectively.

Multiplicative shuffles
Definition 1 (Multiplicative Shuffle [5]) Let g ∈ (Z/mZ)*. The multiplicative shuffle with shuffling factor g (over a field F) is the linear map π_g : F^m → F^m defined coordinatewise, for all 0 ≤ i < m, as the map. We denote the set of multiplicative shuffles by S_m.

Multiplicative shuffles have the following properties:
- π_g is invertible for all g ∈ (Z/mZ)*;
These statements imply that S_m is a finite commutative group under matrix multiplication, isomorphic to the group (Z/mZ)* via the map g ↦ π_g. This immediately implies the identity

ord(π_g) = ord_m(g). (1)

Remark 2 In Subterranean 2.0, we have the parameters m = 257 and F = F_2. The component π_s of the linear layer of Subterranean equals π_12 in the above notation.

Circulant matrices
Definition 2 (Circulant Matrix) A circulant matrix V over the field F is an m × m matrix of the form circ(v): its first column is v = (v_0, ..., v_{m−1})^T and every further column is the cyclic shift of the previous column by one position. The set of m × m circulant matrices is denoted by C_{F,m}, or simply C_m when F is clear from the context. The set of invertible circulant matrices is denoted by C*_{F,m} (or C*_m).
Remark 3 A circulant matrix is uniquely determined by its first column vector v := (v_0, ..., v_{m−1})^T. For this reason, we denote the circulant matrix V in the above definition by circ(v).
C_{F,m} forms a commutative ring under matrix addition and multiplication. We present the following well-known ring isomorphism.
Theorem 1 The ring C_{F,m} is isomorphic to F[X]/⟨X^m − 1⟩; under this isomorphism circ(v) corresponds to the class of the polynomial v_0 + v_1 X + ... + v_{m−1} X^{m−1}.
Remark 4 The circulant matrix θ_s used in Subterranean is represented by the polynomial
This isomorphism implies that we can derive algebraic properties of C_{F,m} by studying the ring F[X]/⟨X^m − 1⟩. We study the algebraic properties of these rings, restricting to the case where m is coprime to the characteristic of F. The reason is the well-known result that the polynomial X^m − 1 is separable in F[X] if and only if m is coprime to the characteristic of F (see for example [11]).
Let us first consider the case where μ m ⊆ F.
Theorem 2 ([13]) Assume that μ_m ⊆ F and that m is coprime to the characteristic of F.
Then the map CRT_m : F[X]/⟨X^m − 1⟩ → ∏_{ζ ∈ μ_m} F, f ↦ (f(ζ))_{ζ ∈ μ_m}, is an isomorphism of rings.
Remark 5 For a finite field F_q, we have μ_m ⊆ F_q if and only if q ≡ 1 mod m (see [11, Theorem 2.47(ii)]).
Remark 6 The splitting of F[X]/⟨X^m − 1⟩ as in the above theorem is an important result for this research. For it, it is absolutely necessary that m be coprime to char(F), as otherwise the splitting does not work. The reason is that the splitting is constructed using the Chinese Remainder Theorem for rings (see [10]), which requires the modulus to be the intersection of a family of pairwise coprime ideals. This is not possible when m is not coprime to char(F).
In cryptography, we usually consider the binary field F_2. By the above remark, μ_m is not contained in F_2 for any m > 1, so Theorem 2 does not apply directly. However, Theorem 2 is still useful to gain insight into these cases.
To show this, we introduce the following notation. For g ∈ F[X], we denote the ideal generated by g in F[X] by ⟨g⟩_F. When g is viewed in L[X], where L is a field extension of F, we denote the ideal of L[X] generated by g by ⟨g⟩_L.

Proposition 1 We have that ⟨g⟩_L ∩ F[X] = ⟨g⟩_F.
Proof The case g = 0 is trivial. If g is non-zero with deg(g) = 0, then g is a constant polynomial with value in F, which implies that ⟨g⟩_F = F[X] and ⟨g⟩_L = L[X], immediately proving the statement. Now assume that deg(g) > 0. Observe that ⟨g⟩_F ⊆ ⟨g⟩_L, which shows the inclusion "⊆".
We now show that the inclusion "⊇" also holds. Let f ∈ ⟨g⟩_L ∩ F[X], so f = hg for some h ∈ L[X]. By the Division Algorithm for Polynomials [7] (this is equivalent to stating that F[X] is a Euclidean domain), we can write f = t_1 g + t_2 with t_1, t_2 ∈ F[X] and deg(t_2) < deg(g). Another consequence of the division algorithm is that t_1 and t_2 are unique in F[X], and thus also unique in L[X]. But then t_1 = h and t_2 = 0, which in particular implies that h ∈ F[X]. Hence f ∈ ⟨g⟩_F, which shows the inclusion "⊇".

The above proposition implies that we have a natural injective homomorphism F[X]/⟨X^m − 1⟩ → L[X]/⟨X^m − 1⟩.
Theorem 3 Let L be a field extension of F such that μ_m ⊆ L, and let m be coprime to the characteristic of F. Then the map (2): F[X]/⟨X^m − 1⟩ → ∏_{ζ ∈ μ_m} L, f ↦ (f(ζ))_{ζ ∈ μ_m}, is an injective homomorphism of rings.
Proof By Proposition 1, we have the injective homomorphism ι : F[X]/⟨X^m − 1⟩ → L[X]/⟨X^m − 1⟩. Since μ_m ⊆ L, we have by Theorem 2 that CRT_m : L[X]/⟨X^m − 1⟩ → ∏_{ζ ∈ μ_m} L is an isomorphism. Hence the composition CRT_m ∘ ι is an injective ring homomorphism, and it is the same map as (2). This concludes the proof.
Theorem 4 Let m be coprime to char(F). Then f ∈ F[X] is invertible modulo X^m − 1 if and only if f(ζ) ≠ 0 for all ζ ∈ μ_m.
Proof This is a direct consequence of the injectivity of (2).

Corollary 1 Let m be coprime to char(F), and let f ∈ F[X] be invertible modulo X^m − 1.
Then for all t ∈ Z_{>0}, the polynomial g(X) = f(X^t) is also invertible modulo X^m − 1.
Proof Let x ∈ μ_m and define x* := x^t ∈ μ_m. Observe that g(x) = f(x^t) = f(x*) ≠ 0 since f is invertible (Theorem 4). The claim follows since this holds for all x ∈ μ_m.
Remark 7 For a polynomial f ∈ F[X] invertible modulo X^m − 1, we write ord(f) for the order of f modulo X^m − 1, i.e. its order in the group (F[X]/⟨X^m − 1⟩)*.
Proposition 2 Let m be coprime to char(F), and let f ∈ F[X] be invertible modulo X^m − 1. Then for all k ∈ Z_{>0} we have f^k ≡ 1 mod X^m − 1 if and only if f(ζ)^k = 1 for all ζ ∈ μ_m.
Proof This is a trivial consequence of the injective homomorphism (2).

Corollary 2 Let m be coprime to char(F), and let f ∈ F[X] be invertible modulo X^m − 1.
Then for all t ∈ Z_{>0}, we have that ord(f(X^t)) | ord(f).
Proof By the above proposition, f(X^t)^k ≡ 1 mod X^m − 1 if and only if f(ζ^t)^k = 1 for all ζ ∈ μ_m. Since ζ^t ∈ μ_m, the exponent k = ord(f) satisfies this condition, hence ord(f(X^t)) | ord(f).
Proposition 3 Let F = F_q and let m ∈ Z_{>0} be such that q and m are coprime. Then for each f ∈ F_q[X] invertible modulo X^m − 1, we have ord(f) | q^{ord_m(q)} − 1.

Composing multiplicative shuffles & circulant matrices
In this section, we study the order of linear maps of the form π_g ∘ θ, where π_g ∈ S_m and θ ∈ C*_m, which we earlier referred to as m-bit SC-compositions. We assume that m is a prime number different from the characteristic p of F_q, as this assumption simplifies some of the proofs. We derive a lower bound and two upper bounds on the order of SC-compositions using the results of the previous sections.

Group composition of S m and C * m
Both S_m and C*_m are subgroups of GL_m(F_q). We consider the composition group G_m, the subgroup of GL_m(F_q) generated by S_m and C*_m. For the remainder of this section, circulant matrices in C*_m are expressed in terms of their polynomial representation in F_q[X]/⟨X^m − 1⟩.

Lemma 1 Consider the monomial X^t in C*_m where t < m, and let π_g ∈ S_m. Then
Proof We prove this by showing that π_g ∘ X^t = X^{gt} ∘ π_g, which we do by considering both sides as maps on the vector space F_q^m. Let 0 ≤ j < m and s ∈ F_q^m. Looking at the mappings coordinatewise, we obtain
On the other hand, we have that
which coincides with (π_g ∘ X^t(s))_j. Since this holds for all 0 ≤ j < m, we have the desired equality.

Remark 8
The above lemma is equivalent to, and even slightly more general than, Lemma 3 in [5].
Lemma 2 For θ ∈ C*_m and π_g ∈ S_m, we have
Proof In Lemma 1, this result has been proven for θ of the form X^j with j > 0. The argument extends to all of C*_m by linear expansion and by linearity of the resulting map, together with Corollary 1, which guarantees that the result lies again in C*_m. This concludes the proof.
It turns out that G_m is a semidirect product of S_m and C*_m in the sense of Definition 3 (see also Remark 9).
Theorem 5 G_m = S_m ⋉ C*_m.
Proof Observe that the only linear map contained in both S_m and C*_m is the identity map, hence S_m ∩ C*_m = {I_m}. All elements of G_m can be expressed as finite products of elements of S_m and C*_m. Using this observation together with Lemma 2, we conclude that C*_m is a normal subgroup of G_m and that G_m = S_m C*_m. This concludes the proof.
Using the above theorem, we can already derive a lower bound for the order of SC-compositions.
Theorem 6 (Lower Bound) For π_g ∈ S_m and θ ∈ C*_m, we have ord(π_g) | ord(π_g ∘ θ). (4)
Proof Since G_m = S_m C*_m by the above theorem, we have by Remark 9 that every element of G_m is of the form π_g ∘ θ for unique π_g ∈ S_m and θ ∈ C*_m. Also, since C*_m is normal, we have the quotient group G_m/C*_m ≅ S_m. The image of π_g ∘ θ in this quotient group is the class of π_g, which has order ord(π_g). Hence ord(π_g) must divide ord(π_g ∘ θ), which concludes the proof.
Remark 10 By identity (1), we can rewrite (4) as ord_m(g) | ord(π_g ∘ θ).

Invariant circulant resultant
From Theorem 6, we have that
where we define θ_g := (π_g ∘ θ)^{ord_m(g)}. In this subsection, we derive an explicit expression for θ_g.

Proposition 4
For all integers j > 0, we have
where g^{−1} is the inverse of g in (Z/mZ)*, and where the product symbol ∏ represents composition.
Proof We proceed by induction on j. For j = 1, the result is trivial. Now assume that the claim holds for j = k for some k ≥ 1 and consider j = k + 1. Observe that (6)
By Lemma 2, we get (9)
Substituting (9) into (6), we obtain the identity for j = k + 1, which completes the induction.
Proposition 5 Consider the subgroup ⟨g⟩ of (Z/mZ)*. Then θ_g = ∏_{γ ∈ ⟨g⟩} θ(X^γ), where ∏ represents composition. In particular, θ_g ∈ C*_m.
Proof We have from Proposition 4 and (1) respectively
Observe that
Reordering within the product sign is possible because C*_m is a commutative group, which proves the equation.
Corollary 1 implies that θ(X^γ) is indeed contained in C*_m, which concludes the proof.
The expression θ_g plays an important role in determining the order of π_g ∘ θ, so we give it a separate definition.

Definition 4
For θ ∈ C*_m, we define the g-invariant circulant resultant θ_g of θ as θ_g := ∏_{γ ∈ ⟨g⟩} θ(X^γ), where ∏ represents composition.

Order of the invariant circulant resultant
In this subsection, we provide two upper bounds on ord(θ_g) in terms of m, θ and p := char(F_q). These upper bounds are derived independently of each other.
Proof By Corollary 2, we have that ord(θ(X^t)) | ord(θ) for any t ∈ Z_{>0}. Using this result, we get
In contrast to the first upper bound, the second upper bound does not depend on θ, and is instead based on field extensions of F_q. For this, we first define a weaker version of the discrete logarithm.

Definition 5
Let G be a finite group, S a subgroup of G and g an element of G. The discrete group log of g over S is defined as dlog_S(g) := min{ t ∈ Z_{>0} : g^t ∈ S }.
Some Galois theory is also required for the proof of the second upper bound.
Lemma 3 (Galois Theory for Finite Fields [7]) Define the map σ : F̄_p → F̄_p, x ↦ x^p. Then for t ∈ Z_{>0}, we have that x ∈ GF(p^t) if and only if σ^t(x) = x.
Theorem 8 (Second Upper Bound) Let g ∈ (Z/mZ)* and let ⟨g⟩ be the subgroup it generates. Then ord(θ_g) | q^{dlog_⟨g⟩(q)} − 1.
Proof Let ζ ∈ μ_m and let σ be as defined in Lemma 3. Since all coefficients of θ_g lie in F_q, we have for all t ∈ Z_{>0} that θ_g(ζ)^{q^t} = θ_g(ζ^{q^t}). Observe that θ_g(X^γ) = θ_g(X) for all γ ∈ ⟨g⟩. Since q^{dlog_⟨g⟩(q)} ∈ ⟨g⟩, we have θ_g(ζ)^{q^{dlog_⟨g⟩(q)}} = θ_g(ζ^{q^{dlog_⟨g⟩(q)}}) = θ_g(ζ), which implies that θ_g(ζ) ∈ GF(q^{dlog_⟨g⟩(q)}) by Lemma 3. Note that θ_g(ζ) ∈ GF(q^{dlog_⟨g⟩(q)})* since θ_g is invertible in F_q[X]/⟨X^m − 1⟩, from which Lagrange's theorem implies θ_g(ζ)^{q^{dlog_⟨g⟩(q)} − 1} = 1. Since this holds for all ζ ∈ μ_m, we conclude from Proposition 2 that ord(θ_g) | q^{dlog_⟨g⟩(q)} − 1.
For the case that m is prime, we can alternatively compute the discrete group log as follows.
Lemma 4 Let m be a prime number different from p. Then dlog_⟨g⟩(q) = min{ t ∈ Z_{>0} : ord_m(q) / gcd(t, ord_m(q)) divides ord_m(g) }.
Proof Since m is prime, (Z/mZ)* is cyclic. Note that in a finite cyclic group G, we have for a, b ∈ G that a ∈ ⟨b⟩ if and only if ord(a) | ord(b). Observe that ord_m(q^t) = ord_m(q) / gcd(t, ord_m(q)), which concludes the proof.
Remark 12 Lemma 4 is also valid when m is of the form ρ^k or 2ρ^k with ρ an odd prime different from p, because for these values of m the group (Z/mZ)* is also cyclic.

Revisiting the order of the linear layer of subterranean
We mathematically derive the order of the linear layer of Subterranean, which equals 256, using the lower bound and the second upper bound discussed above. This provides insight into the algebraic structure of the design of the linear layer of Subterranean.

Higher order linear layers
In this section, we show how to construct a certain class of high-order SC-compositions using the above results together with the theory of Mersenne prime numbers. We restrict ourselves to the binary field F_2.
Mersenne prime numbers are prime numbers of the form 2^k − 1. For such a Mersenne prime number, we call k its Mersenne exponent. Note that Mersenne exponents are always prime numbers.
We present two examples of SC-compositions on different states using the above theorem. These orders can be computed and verified with Magma or Sage by brute force. Example 1 gives an SC-composition on 367 states, which is not much more than the 257 states used in Subterranean, but with a significantly higher order than 256. The second example is especially interesting, as it shows that there are SC-compositions with fewer states than 257 that still have a significantly higher order than 256.
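The objects of Sections 2 to 4 can be checked on a machine without Magma or Sage. The following Python script (3.8 or later) is an added example written for this edition; it is not code from the paper, nor from the Subterranean designers. It represents elements of F_2[X]/⟨X^m − 1⟩ as integers (bit i is the coefficient of X^i) and linear maps on F_2^m by the images of the unit vectors, and computes ord_m(g) from Section 2, the g-invariant circulant resultant θ_g = ∏_{γ ∈ ⟨g⟩} θ(X^γ) of Proposition 5, the discrete group log of Definition 5 (and the formula of Lemma 4), and the order ord(π_g ∘ θ) = ord_m(g) · ord(θ_g) that Theorem 6 yields once ord(θ_g) is read off from the second upper bound (Theorem 8); it then confirms that value on the matrix of π_g ∘ θ itself. Two inputs are assumptions, not taken from this page: θ_s is taken to be 1 + X^3 + X^8 as in the Subterranean 2.0 specification, and for m = 191 the same θ is reused with the first g of order 10, since the page does not list the θ and g of Example 2. With the coordinate convention of Remark 1, conjugating θ by π_g yields θ(X^{g^{-1}}); this does not affect θ_g because ⟨g⟩ is closed under inversion.

```python
# Added example (not the paper's code): orders of SC-compositions pi_g o theta over F_2.
# A polynomial in F_2[X]/(X^m - 1) is an int with bit i = coefficient of X^i; a linear map on
# F_2^m is a list of m ints whose entry j is the image of the unit vector e_j.
from math import gcd

def mod_order(g, m):
    """ord_m(g): multiplicative order of g in (Z/mZ)*."""
    assert gcd(g, m) == 1
    k, x = 1, g % m
    while x != 1:
        x, k = x * g % m, k + 1
    return k

def dlog(g, q, m):
    """Discrete group log of q over <g> (Definition 5): least t > 0 with q^t in <g>."""
    members, t = {pow(g, i, m) for i in range(mod_order(g, m))}, 1
    while pow(q, t, m) not in members:
        t += 1
    return t

def dlog_lemma4(g, q, m):
    """Lemma 4 (m prime): least t > 0 with ord_m(q) / gcd(t, ord_m(q)) dividing ord_m(g)."""
    og, oq, t = mod_order(g, m), mod_order(q, m), 1
    while og % (oq // gcd(t, oq)):
        t += 1
    return t

def rot(f, t, m):
    """f * X^t modulo X^m - 1: cyclic rotation of an m-bit word by t positions."""
    t %= m
    return ((f << t) | (f >> (m - t))) & ((1 << m) - 1)

def apply(cols, v):
    """Image of the bit vector v under the linear map with the given columns."""
    r = 0
    while v:
        low = v & -v                          # lowest set bit of v
        r ^= cols[low.bit_length() - 1]
        v ^= low
    return r

def compose(a, b):
    """Columns of a o b (b is applied first)."""
    return [apply(a, c) for c in b]

def circ_cols(f, m):
    """Columns of circ(f), i.e. of multiplication by f: column j is f * X^j."""
    return [rot(f, j, m) for j in range(m)]

def subst_cols(gamma, m):
    """Columns of the ring map X^j -> X^{gamma j}. For gamma = g^-1 this is the multiplicative
    shuffle pi_g, because (pi_g v)_i = v_{g i} (Definition 1) sends e_j to e_{g^-1 j}."""
    return [1 << (gamma * j % m) for j in range(m)]

def power(x, e, mul, one):
    """Square-and-multiply for any associative product `mul` with identity `one`."""
    r = one
    while e:
        if e & 1:
            r = mul(r, x)
        x, e = mul(x, x), e >> 1
    return r

def divisors(n):
    small = [k for k in range(1, int(n ** 0.5) + 1) if n % k == 0]
    return sorted(set(small + [n // k for k in small]))

def order_given_multiple(x, multiple, mul, one):
    """Order of x when a multiple of it is known (Proposition 3 or Theorem 8 supplies one)."""
    for d in divisors(multiple):
        if power(x, d, mul, one) == one:
            return d
    raise ValueError("order does not divide the supplied multiple")

def has_order(x, n, mul, one):
    """True iff ord(x) = n exactly: x^n = one and x^(n/p) != one for every prime p | n."""
    primes = [p for p in divisors(n) if p > 1 and len(divisors(p)) == 2]
    return power(x, n, mul, one) == one and all(power(x, n // p, mul, one) != one for p in primes)

def sc_composition(m, g, theta):
    """ord(pi_g o theta) for prime m as ord_m(g) * ord(theta_g), where theta_g is the product
    of theta(X^gamma) over gamma in <g> (Proposition 5); the result is re-checked on the matrix."""
    mul = lambda a, b: apply(circ_cols(b, m), a)            # product in F_2[X]/(X^m - 1)
    theta_g = 1
    for gamma in {pow(g, i, m) for i in range(mod_order(g, m))}:
        theta_g = mul(theta_g, apply(subst_cols(gamma, m), theta))
    t = dlog(g, 2, m)                                        # Theorem 8: ord(theta_g) | 2^t - 1
    ord_theta_g = order_given_multiple(theta_g, (1 << t) - 1, mul, 1)
    order = mod_order(g, m) * ord_theta_g
    cols = compose(subst_cols(pow(g, -1, m), m), circ_cols(theta, m))   # matrix of pi_g o theta
    verified = has_order(cols, order, compose, [1 << j for j in range(m)])
    return {"ord_g": mod_order(g, m), "dlog": t, "theta_g": theta_g,
            "ord_theta_g": ord_theta_g, "order": order, "verified": verified}

# Subterranean 2.0 linear layer: m = 257 and pi_12 (Remark 2). theta = 1 + X^3 + X^8 is an
# assumption taken from the Subterranean 2.0 specification; this page does not print it.
SUBTERRANEAN = (257, 12, 1 | 1 << 3 | 1 << 8)

if __name__ == "__main__":
    print(sc_composition(*SUBTERRANEAN))              # order 256 with theta_g == 1
    g191 = next(h for h in range(2, 191) if mod_order(h, 191) == 10)
    print(g191, sc_composition(191, g191, 1 | 1 << 3 | 1 << 8))   # same assumed theta, m = 191
```

For m = 257 and g = 12 the script finds θ_g = 1, so ord(θ_g) = 1 and the order is ord_257(12) = 256, which is the derivation the "Revisiting" subsection refers to: 12 generates all of (Z/257Z)*, so 2^1 already lies in ⟨12⟩, Lemma 4 gives dlog_⟨12⟩(2) = 1, and Theorem 8 bounds ord(θ_g) by 2^1 − 1 = 1. For m = 191 and ord_m(g) = 10, Lemma 4 gives dlog_⟨g⟩(2) = 19, so ord(θ_g) divides the Mersenne prime 2^19 − 1 and the order is either 10 or 10 · (2^19 − 1) = 5242870 ≈ 5.24 · 10^6, the magnitude the paper reports; which of the two occurs depends on θ, and the script settles it by computing θ_g rather than assuming.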

Definition 3 Let G be a group with identity element e. Let H be a subgroup and N a normal subgroup of G. Then G is a semidirect product of H acting on N if G = NH and N ∩ H = {e}. This is denoted by G = H ⋉ N.
Remark 9 A semidirect product G = H ⋉ N has the property that for every g ∈ G there are unique h ∈ H and n ∈ N such that g = hn.

Concluding remarks
An interesting follow-up research topic is to see whether one can find 257-bit SC-compositions with orders exceeding 256. From the above results, we know that for such a composition the order of π_g ∈ S_257 cannot exceed 16. Since 256 = 2^8 does not have large Mersenne exponents in its decomposition, Theorem 4 does not apply. A computational approach should be considered here. For such linear layers, it would also be interesting to do a security analysis of the modified Subterranean design and compare the results to the performance of the original Subterranean 2.0 design.
When not bound to 257 bit-states, one can consider compositions on different states which exploit the presented bounds to analytically construct high-order SC-compositions, similar to Theorem 4. This might lead to results that can be used in future designs.