Hello and greetings from the city of Graz here in Austria. My name is Reinhard Lüftenegger and I'm going to talk about our work, Influence of the Linear Layer on the Algebraic Degree in Substitution Permutation Networks. This is a joint work together with Carlos, back then affiliated with Royal Holloway, University of London, Lorenzo and Aldo from the Radboud University in the Netherlands, and Christian and Markus from our research group here at Graz University of Technology. Since the rest of the presentation is devoted to the ideas of how we arrived at our results, let me first address the point why our results are important. Well, studying the algebraic degree is a classical and important topic in symmetric cryptanalysis because the algebraic degree is often one of the key data that determines the cost of several types of algebraic cryptanalysis. I'm speaking here of interpolation cryptanalysis, higher-order differentials and also equation solving over F2. The only problem is, in practice we don't know the exact algebraic degree of fully fledged cryptographic permutations. It just quickly becomes too expensive to evaluate the degree exactly. This is the reason why we resort to establishing upper bounds on the algebraic degree rather than trying to evaluate it exactly. All right, let me jump right in the middle of things and let me state the main result of our article. We present and prove a new upper bound on the algebraic degree in substitution permutation networks. What is special about our bound is, besides the degree of the nonlinear layer, it also considers the degree of the linear layer for its estimate on the algebraic degree. And it is fair to say this is something which is particularly new in the literature because other state-of-the-art bounds do not use this property for their estimates. And most notably, our bound is considerably tighter than state-of-the-art bounds in the case of substitution permutation networks with low-degree round functions and large S-boxes.
On the contrary, our bound may not improve state-of-the-art bounds for SPNs with small S-boxes or high-degree round functions. The thing is, recent symmetric crypto designs, for example those used in zero-knowledge proof protocols, often build upon SPNs with large S-boxes. So the particular relevance of our bound therefore lies in this domain, and it may well lie with future designs in this domain as well. And coming to the actual comparison, we compare our bound with the bound of Christina Boura, Anne Canteaut and Christophe De Cannière, which is arguably the currently best theoretic upper bound on the algebraic degree and often gives the best theoretical results in the literature. I will refer to this bound as the BCD bound throughout this presentation. Before I am going to present the actual results, let me quickly clarify our nomenclature. First of all, we are dealing with SPNs over F2 to the n to the t. See also the frame title here. Now, if you want, the figure in the upper left half of the frame depicts one round of an SPN and indicates that the number of words in the SPN is denoted by t. Furthermore, l denotes the degree of the linear layer, and with degree here I mean the word-level degree. Each S-box in the SPN operates over F2 to the n and thus we have the following two options. First, we look at an S-box from the word level, meaning seeing it as operating over F2 to the n, the finite field with 2 to the n elements. In this case, the word-level degree of the S-box is denoted by d. The second option is we look at an S-box from the bit level, meaning seeing it as operating over the n-fold Cartesian product of F2. By doing this, we say the S-box size is n bits and we denote by delta the algebraic degree of the S-box. As a remark from my side, these different levels of representation are a bit intricate, so to say, and I will give some more motivation on this point in the later slides. Until then, I invite you to bear with me.
If you'd ask me about the visualization of our results in a single slide, I'd probably answer with this one. The diagram shows several bounds on the algebraic degree of an SPN over F2 to the 33 with 8 words and with the cubing function as the S-box function. Now in this diagram, the horizontal black dashed line shows the maximum algebraic degree, whereas the blue line shows the BCD bound. As for the other lines, they depict our bound on the algebraic degree for various degrees of the linear layer, ranging from 1 to 8 here. Maybe one particular novum of our bound you can see in this diagram. You see, there are potentially two phases of algebraic degree growth: a phase of exponential growth for the first few rounds, followed by a phase of linear growth for the remaining rounds. Now the novum of our bound is, it makes these two phases visible. You will see this also in a later slide when I give a precise formulation of our bound on the algebraic degree. Another important point to highlight here is, the linear growth is all the more prominent the lower the degree of the linear layer is. The red line here, for example, corresponds to a linear layer with degree 1 and exhibits the longest phase of linear growth in this diagram. As a final remark, you can observe a gradual shift of emphasis from linear growth to exponential growth as the degree of the linear layer increases. Not only the algebraic degree per se is important, but also the number of rounds in an SPN to reach maximum algebraic degree. The following table shows a comparison of the minimum number of rounds to reach maximum algebraic degree for various SPN parameters. The S-box function in this example is again the cubing function and the linear layer is just defined by ordinary matrix multiplication with a certain MDS matrix. Hence the linear layer has degree 1.
Now the table compares the number of rounds derived from our bound and the BCD bound, and in addition it shows practical results for a concrete linear layer given by the multiplication with an MDS matrix. The important point here is, for a fixed state size, here denoted by capital N, it is reasonable to say our bound becomes tighter and tighter as the number of words t decreases and hence the S-box size n increases. You can see this as you move down in this table. At the same time, the table shows the growing advantage of our bound over the BCD bound as the S-box size increases. So here is another table showing the same comparisons as before, but this time for an Even-Mansour based permutation and for various degrees of the linear layer. In a nutshell, an Even-Mansour construction is an SPN with only one large word and thus only one large S-box. It is this case where the difference between our bound and the BCD bound is most substantial, for example. So maybe two important points to remark here. First, the comparison with the concrete linear layer in the first third of the table, namely with a dense linearized polynomial of a certain degree, shows an exact match of the number of rounds to reach maximum algebraic degree predicted by our theoretical bound with the number of rounds derived from practical experiments. The second point refers to the behavior we have already seen in the very first diagram, namely as the degree of the linear layer increases, the number of rounds to reach maximum algebraic degree decreases. This suggests that the degree of the linear layer substantially influences the algebraic degree growth and that you can think of our bound as quantifying this influence. Well, I've promised some motivation regarding the different levels of representation for functions, right? Let me do this now. Every function over a finite field can be represented as a polynomial.
What's more, due to the isomorphism of F2 vector spaces as indicated here in the frame title, we have different levels of representation. For example, if you consider the state of an SPN over F2 to the n to the t from the bit level, then you have nt output bits and each such output bit can be represented as a polynomial in nt variables with maximum degree 1 in each variable. When we speak of the algebraic degree, then it is exactly this bit-level representation we refer to. So in more technical speech this means every such output bit can be represented as an element within this quotient ring given here in the topmost figure. Another perspective is, since the S-boxes in an SPN might be naturally defined over F2 to the n, it is natural to view those n bits as belonging together, hence giving you t words with n bits each. From this point of view every such word can be represented as a polynomial in t variables with maximum degree 2 to the n minus 1 in each variable. Again, the stated quotient ring here in the middle figure is a more formal way to express this fact. Lastly, you can consider the state of an SPN as a single element in the large binary extension field F2 to the nt. This perspective would then give rise to a univariate polynomial representation with maximum degree 2 to the nt minus 1. As the BCD bound is often our benchmark, let me quickly motivate this bound. First consider a function F that is defined as the parallel application of t S-boxes, each operating over F2 to the n. Then for any function g, the algebraic degree of g composed with F is upper bounded by this expression here. Here the parameter gamma is a constant that depends on the details of the S-box and can, in theory at least, be computed from the specs of the S-boxes. As I will also speak of the naive bound or the naive exponential bound, let me compare the BCD bound with the most generic bound on the compositional degree.
This most generic bound here is just given by the product of the respective individual degrees. Then iterating this naive bound leads to the naive exponential bound, because in each iteration the respective degrees just keep on multiplying, thus leading to an exponential bound in the end. Of course the BCD bound as stated here, and as stated in the original research article, just considers the composition of two functions, which is why we are going to extend the BCD bound as stated here to the composition of more than two functions. Let's have a look at the outcome of this extension. Now we are considering several iterations of the composition of a non-linear S-box layer F with arbitrary affine functions mi. We call the resulting function e to the r, where r denotes the number of iterations. Now applying the BCD bound iteratively to this function e to the r and combining it with the naive exponential bound gives us the following bound on the algebraic degree. For a certain number of iterations, here called r0, the naive exponential bound will be better than the BCD bound. See the first case. Afterwards we obtain the bound given in the second case here. I may draw your attention to the particular expression of this bound here. Namely, the fractional term here is an inverse exponential expression, and subtracting this inverse exponential expression from n then describes a kind of saturation process. This saturation process is probably best illustrated with the following example. The example considers the Keccak-f permutation with a state size of 1600 bits. Now in the diagram the blue graph depicts the naive exponential bound on the algebraic degree and the red graph shows the iterated BCD bound as described on the previous slide. Just to mention, the data for the red graph is taken from the research article by Christina Boura, Anne Canteaut and Christophe De Cannière.
Now what you can clearly see in this diagram is this saturating behavior of the BCD bound as the number of rounds increases. I am however a bit hesitant to give an explanation of this saturating behavior, as I suspect it stems from the particular connection of the algebraic degree of a permutation with the degree of its inverse permutation. An example of this connection is, it takes as many rounds to reach maximum algebraic degree in the forward direction as it takes in the backward direction. The point here is, it could be interesting to explore this connection of forward and backward degree, because our bound, as it is formulated now, does not incorporate this link yet. I do not exclude the possibility to establish this link, but at least for now I leave it open as future work. Before I am going to present our bound on the algebraic degree, let me emphasize the polynomial representation of linear functions. The main point here is, F2-linear functions correspond to F2-linearized polynomials. A linearized polynomial in this context is a polynomial with terms only having powers of 2 as exponents. Given a certain linear function L over F2 to the n, we can represent it as a polynomial of the following form given here. So note that the exponents here are only powers of 2. The same holds true for linear functions over F2 to the n to the t. In this case we arrive at a multivariate polynomial that is linearized in each variable. Now if we translate these observations to SPNs, then it is exactly this multivariate linearized representation that defines the degree of the linear layer. With all these observations about different polynomial representations at hand, we are now ready to digest the formulation of our new upper bound on the algebraic degree. The basic strategy of how we arrive at our bound is, we observe the degree on two levels simultaneously, namely the bit level and the word level. The connection between those two levels is as follows.
Given this univariate polynomial f here, the word-level degree, here denoted by deg of f, is just the usual degree of this polynomial. The point is, there is a well-known link to the bit-level degree or algebraic degree delta of f here, and this link is given by the maximum of the Hamming weight of exponents on the word level, and of course we are only considering such exponents with non-zero coefficient. The following example should illustrate this. Given the polynomial x to the 12 plus x to the 7 plus 1, you get the following two degrees. The word-level degree is just the ordinary degree of the polynomial, namely 12, while, since the Hamming weight in this context here denotes the number of non-zero binary digits in the base 2 expansion, we can observe that the algebraic degree in this example here is 3. Let's have a look at the actual formulation of our bound. The basic setup is the same as what we have seen for the BCD bound. This function F here describes the parallel application of t S-boxes, each operating over F2 to the n. The functions mi are just arbitrary linear or affine functions, all having the same degrees. Again we will bound the algebraic degree of e to the r, which is the iterated composition of F with mi. Now our bound on the algebraic degree of e to the r states the algebraic degree is upper bounded by the naive exponential bound given by delta to the r for a certain number of initial rounds. This point, I mean, is nothing new so far. It is this second expression here which is the actual contribution of our bound. You can see this second expression here incorporates the word-level degree of both the linear functions mi and the non-linear function F and thus contains the respective degrees l and d in its estimate. What's important here is, this second expression is linear in the number of rounds and thus describes the phase of linear growth of the algebraic degree. I suggest, let's have a closer look at this linear growth.
When we speak of the influence of the linear layer on the algebraic degree, it's worth mentioning the linear layer per se does not influence the algebraic degree. Even if the linear layer has a high word-level degree, after all its algebraic degree is still at most one. So one way to frame this influence could be, the linear layer helps the non-linear layer to exhaust its exponential potential. Let's explicate this point with the following example here. We take the cubing function represented by the polynomial f, composed with a linearized polynomial l, and iterate this composition three times. As a result we arrive at e3 here. Now l will be a dense linearized polynomial of degree 1, 2 and 4. The point is, as the degree of l increases, also the algebraic degree of e3 increases. Eventually, for the case of a linearized polynomial with degree 4 here in the bottom line, the degree growth is already exponential in this example. We come back to the diagram from the very beginning of the presentation. With all that has been said about the influence of the linear layer on the algebraic degree, this diagram may reinforce these observations. As observed on the previous slide, the degree of the linear layer helps the non-linear layer to exhaust its exponential potential. You can see this as you jump between the lines from right to left. The diagram shows, the higher the degree of the linear layer is, the more the algebraic degree may grow exponentially. I deliberately say here may grow exponentially, because of course the growth also depends on the concrete structure of the linear layer. Nevertheless the point here is clear. Our bound helps to quantify the influence of the linear layer on the algebraic degree. As a final remark, let me state some open problems and directions for future work. First of all, since our bound only considers the degree of the linear layer, it can be interesting to study how the concrete structure of the linear layer influences the algebraic degree growth.
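The two worked examples above, the word-level versus bit-level degree of x^12 + x^7 + 1 and the cubing function composed with a dense linearized polynomial, can be checked by computing with univariate polynomials over F_{2^n} directly. The following is an added example, not code from the talk or its authors: it assumes n = 5 with the field modulus x^5 + x^2 + 1 and uses the constructed sample L(x) = x + x^2; it measures the actual degrees and the naive exponential bound only, and does not reproduce the talk's own bound formula, which the transcript does not state.

```python
# Added example (not the talk's or the authors' code): word-level vs. algebraic
# degree of univariate polynomials over F_{2^n}, and the degree growth of the
# cubing S-box composed with a linearized polynomial L. Assumptions: n = 5,
# field modulus x^5 + x^2 + 1, and the constructed sample L(x) = x + x^2.
N = 5
MODULUS = 0b100101      # x^5 + x^2 + 1, irreducible over F_2
FIELD_ORDER = 1 << N    # 2^n; as a function on F_{2^n}, x^(2^n) = x

def gf_mul(a, b):       # multiply two F_{2^n} elements given as n-bit integers
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & FIELD_ORDER:
            a ^= MODULUS
    return r

def reduce_exp(e):
    """Reduce x^e modulo x^(2^n) - x; the function stays the same."""
    return e if e < FIELD_ORDER else (e - 1) % (FIELD_ORDER - 1) + 1

def poly_mul(p, q):
    """Product of polynomials given as {exponent: coefficient} over F_{2^n}."""
    out = {}
    for e1, c1 in p.items():
        for e2, c2 in q.items():
            e = reduce_exp(e1 + e2)
            out[e] = out.get(e, 0) ^ gf_mul(c1, c2)
    return {e: c for e, c in out.items() if c}

def poly_compose(f, g):
    """f(g(x)): expand every term c * g(x)^e of f."""
    out, power, k = {}, {0: 1}, 0
    for e in sorted(f):
        while k < e:                 # raise g to the next needed power
            power, k = poly_mul(power, g), k + 1
        for pe, pc in power.items():
            out[pe] = out.get(pe, 0) ^ gf_mul(f[e], pc)
    return {e: c for e, c in out.items() if c}

def word_degree(p):                  # ordinary degree of the polynomial
    return max(p) if p else 0
def algebraic_degree(p):             # max Hamming weight of an exponent
    return max((bin(e).count("1") for e in p), default=0)

def iterate_rounds(sbox, lin, rounds):
    """e_r = (sbox o lin)^r: r rounds of linear layer followed by S-box."""
    e, rnd = {1: 1}, poly_compose(sbox, lin)
    for _ in range(rounds):
        e = poly_compose(rnd, e)
    return e

CUBE = {3: 1}               # cubing S-box x -> x^3, algebraic degree 2
L_DENSE = {1: 1, 2: 1}      # constructed dense linearized polynomial, degree 2
```

With the identity as linear layer, three rounds give x^27 and algebraic degree 4, while L(x) = x + x^2 already reaches algebraic degree 4 after two rounds; in every case the measured degree stays at or below min(n, 2^r), the naive exponential bound for the cubing function.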
Then we expect that more can be said about the algebraic degree growth if we consider partial SPNs. And as a last work item, there is this connection between forward degree and backward degree for permutations. And since our bound does not exploit this connection yet, it can also be interesting to try to capture it. All right, this is the end of my presentation. I appreciated the opportunity to talk about our result, Influence of the Linear Layer on the Algebraic Degree in Substitution Permutation Networks. Thanks for your time and once again greetings from the city of Graz in Austria, and I'm looking forward to meeting some of you at the conference in Athens. Bye bye.