So welcome to this presentation. This will be about proving the resistance against infinitely long subspace trails, and more specifically about how to choose the linear layer in a partial SPN scheme. This is joint work together with Lorenzo and Christian, and my name is Markus.

So let me first start by giving you a short overview. We will first talk about the motivation, why this is important. Then we'll talk about partial SPN schemes. After that there's a short introduction to subspace trails, and then I'll give the results of the paper and the main results, namely infinitely long subspace trails with inactive and with active S-boxes. So we consider these two cases separately. And at the end I'll talk about some practical results from our work.

So let's start. Recently there has been some popularity of things like, for example, zero-knowledge use cases and multi-party computation scenarios. And in these use cases some schemes are quite popular, namely schemes which are based on partial SPN-like structures or which are even partial SPNs. These schemes include for example HadesMiMC or Poseidon or Starkad. But unfortunately there have been some vulnerabilities in these schemes, and they were found for example in these two papers, a CRYPTO paper and a EUROCRYPT paper. But these vulnerabilities are only for some particular cases, so for some of the proposed instances, but not for all of them. So the goal in this work is to answer the question of how to essentially guarantee security in general for any such partial SPN-like scheme.

All right, but what is a partial SPN scheme? Let me first start with an SPN scheme, the substitution-permutation network. This is a classical one: we have some inputs, then we have a nonlinear layer, after that an affine layer, and so on. And we do this for a finite number of rounds. So the state size is t in this example here, and we also use t S-boxes in each state, so essentially a full nonlinear layer.
And the affine function, or the affine layer, is mostly a multiplication by some matrix, so the linear layer, plus the addition of a round constant or a round key. And this is an SPN. And if we have a partial SPN, then what we do is essentially, instead of having a full nonlinear layer, we have a partial nonlinear layer. So in this example, we use only one S-box instead of four S-boxes, but everything else stays the same. So most importantly, the affine layer stays the same.

All right, so the question we try to answer in this work is which properties the linear layer M has to satisfy in order to prevent infinitely long truncated differences with probability one. And these actually relate to subspace trails, as we'll see in a minute.

But first, what is a subspace trail? Well, if you consider, for example, this set of subspaces here, R plus one of them, and these are all proper subspaces, then if this relation here holds, so if essentially the round function applied to one of these subspaces plus a constant value here in F is a subspace of the following subspace plus, again, some value, then we call this set here an R-round subspace trail. So this is not yet infinitely long; this is just an ordinary subspace trail for this specific round function R. And further, if all these U's here are the same, then we say that the subspace trail is invariant. And we can also go further and talk about iterative subspace trails. So, for example, if we have these V's here, and these are subspaces again, proper subspaces, and if they repeat themselves after some rounds, for example with a period of R, then we talk about an iterative, so an infinitely long subspace trail which is iterative. And what is the relation between truncated differences with probability one and subspace trails?
So we essentially have this relation here, which has already been stated in the literature before, and essentially it allows us to focus on differences rather than on two different inputs, for example. And this also simplifies a lot of our results, because essentially we focus purely on subspace trails instead of these differences, both in the analysis and also in our tools.

All right, so if we come back to our PSPN schemes, so for example if we consider S, so this S here, as the solution set of these equations essentially, so we want to have some zero here, and for example the zero is now a zero difference. So we want to have some zero difference here, some zero difference also here, and some zero difference here, since the S-boxes are then not active. But in general the dimension of this solution set here is one, and what happens is that the difference in x_0 would be zero, same as here in this round, and also here, but we don't know if it's zero here. So probably not, but it may also be zero here, and essentially our results show how to construct the linear layer such that we have a non-zero difference here, such that we are safe essentially, because we can always do this. And it's formulated in more detail here, but essentially it's the same as before: we just build S such that we produce these zeros. We can of course only do this with this method for a finite number of rounds, since we lose the freedom then, and essentially this is then a subspace trail with no active S-boxes. But of course with this approach only we can't do this for an infinite number of rounds, just for a finite number of rounds. And this is always possible here for partial SPN schemes.

So what are then infinitely long subspace trails with these inactive S-boxes? This is the first part. And first we focus on the properties of the linear layer.
So for example, if we have some matrix M which is used as the linear layer, and we have some eigenvalues here and we have some eigenspaces, then we know from linear algebra that essentially if we take some element of these eigenspaces and we multiply the matrix by this element, then essentially the result will be the same element times some eigenvalue here, so a multiple of that. And if we now consider an initial subspace here, denoted by IS, which is essentially generated by these eigenspaces intersected with these E's here, and each E essentially means, as it's defined here, that if we have a difference then we only have it where we have no S-boxes, because we use s S-boxes. So essentially these are the unit vectors at the positions where there are no S-boxes. And if we build such a space, then from this definition here of course IS generates an infinitely long invariant subspace trail.

And with an example we can also see this. So we have here the nonlinear layer, and remember that the S-boxes in this example here only apply to the first word, and also we are working over a prime field here. Then if we have this nonlinear layer times the matrix, or some matrix, plus the round key in that case, then we will know, since this value here is an eigenvector of M, that the subspace which is generated by this eigenvector generates an infinitely long invariant subspace trail. And note that it is very important that we have a zero at the first position, since it essentially means that the S-box here doesn't change the result, or is not active.

But this is not enough, because what happens for example if the matrix has no eigenspaces? And this is indeed the case for some of the Starkad matrices analyzed in this work here. Then the eigenspace condition is not sufficient, and the matrix might still be vulnerable.
So what we need is something stronger, and this is formulated here, and it's actually not so complicated. So essentially IS, so the initial space, generates an infinitely long invariant subspace trail if and only if this condition here is fulfilled. So essentially it means that some subspace is invariant under the matrix, this is this condition here, and IS has to be a subspace of this subspace here. And we can also generalize this to iterative long trails if we just replace the matrix M by the matrix to the power of L, so we replace it with a power of the matrix. And also, from our paper, if there is no invariant subspace trail, then there is no iterative subspace trail either.

All right, so how do we actually find these M-invariant subspaces which fulfill essentially this condition here? Well, it turns out there's a theorem, the primary decomposition theorem, and I will not go into detail here, but essentially it allows us to split the full space here into a decomposition into M-invariant subspaces, these A_i's here, and they are M-invariant since this condition here holds. So what we can do in order to find infinitely long subspace trails is we first apply this theorem in order to find all the M-invariant A_i's, and then we use the decomposition to find the trails, where we just define these subspaces here, where we again use the A_i's and intersect them with these E's. We need them such that we actually tell the system that no S-boxes must be activated here, so that the S-boxes are inactive. And then we just compute new spaces until they stabilize, so either we have this stabilization here or we eventually reach a dimension which is zero. And the proof of why that works is in the paper, but essentially at the end we know that the matrix M is vulnerable with respect to this input space here if and only if the final dimension is greater than zero; otherwise there are no vulnerabilities, at least when talking about inactive S-boxes. And
this can also be generalized. So if we want to find iterative trails, then we just replace again the matrix M by a power of it, and indeed the initial subspace is then L-round invariant.

So this was about inactive S-boxes. Now let me also talk about the active S-boxes. So here we search for infinitely long subspace trails with active S-boxes. And first, again, the intuitive approach to it: so we know that if we have active S-boxes, they must not change the space, otherwise it doesn't work of course. And so the intuitive approach would be to ensure that each of the inactive S-boxes is actually inactive, but if an S-box is active, then the space generated by a single unit vector at its position, so for example the space generated by the first S-box here at the first position, this space has to be fully included in the initial subspace. So this space is generated by a unit vector. And if these two conditions here are fulfilled, then what we have in the end is that the active S-boxes do not change the subspace.

And in more detail we have the following condition here. So again we have an initial subspace here, so this P_1, P_2 and so on, and this here essentially has some additional conditions. For example we have this capital I here, which contains the indices of active S-boxes, and for this set here, for this set I, if both of these conditions are fulfilled, and these are essentially the conditions from the previous slide here, just written down formally, so if the initial subspace intersected with essentially the positions of the active S-boxes and the positions of the inactive S-boxes is the initial subspace, and if for every one of the active S-boxes we have that the space generated by it is fully included in IS, then essentially IS generates an infinitely long invariant subspace trail with active S-boxes with respect to the active S-box positions in this set here. And yeah, what this essentially means is that we allow to activate words only where active S-boxes are allowed, so where we
allow them as a designer or attacker, and if an S-box is active, then every possible output of this S-box is also an element of the space here. So when applying the S-boxes now, the subspace IS essentially remains the same.

But there are some problems with this approach. So for example, computing all the possible P's, so these subspaces here, sorry, this is not very easy, because it depends on the size of the field, and it quickly gets very expensive. And we cannot directly construct the initial subspace, so we would need something like exhaustive search. It also provides only sufficient conditions, so a matrix which does not satisfy these conditions might still be vulnerable somehow if we have such a method. And what's also a problem is that the method for the inactive trails, so with these A_i's, does not really work here, since the subspace may involve multiple A_i's. Sorry, there's a typo here. So this does not work here, and for an efficient algorithm we cannot really use this method.

So what do we do then? Our approach is actually based on something already given in the literature, and it's a constructive strategy. So we first start with an IS which is generated by the active S-box positions, since we know that these unit vectors have to be contained in the full space, sorry, not in the full space but in the initial space. And now if we choose these vectors here, these spaces here, we just keep increasing the dimension until it stabilizes under M. And what we do here is again we add the vectors M to the power of j times e_i, since we know that by definition these must be contained in the initial subspace. And then if for every S-box, or every position essentially, we have that all those are contained in this IS, so the matrix to the power of j times some unit vector at an active position and so on, then the subspace trail which is generated by this initial subspace here generates an infinitely long invariant subspace trail with
active S-boxes in these positions here. So again we have this set where we essentially denote where we want to have the active S-boxes. And just on the notation: this j here, the single j, is the maximum j over all those j_i's we need for each of the positions. But if the previous condition is not fulfilled, so we don't have this condition here, then it doesn't really stabilize, and instead of stabilizing, the dimension of the space we work with gets larger, and essentially it's the dimension from before plus one. And this means that eventually the largest possible dimension t will be reached with this method, and in this case, so if we reach the maximum dimension, then no infinitely long invariant subspace trail with active S-boxes exists for the S-boxes chosen in this capital I here. And this can be generalized also to infinitely long iterative trails by using multiple sets I. So what does that mean? Instead of allowing only a fixed number of active S-boxes, or a fixed set of active S-boxes, we change this set with every round, since we don't want to have an invariant trail but an iterative trail, so its subspaces may be different from round to round.

So let me also give some practical results. We consider a very generic SPN scheme, where we again have a round function defined by a nonlinear layer and then some affine layer. We have only one S-box per round, and we focus on prime fields; in the paper there are also results for binary fields. And we focus on two classes of matrices, namely random invertible matrices and random Cauchy matrices, which are MDS. So first about the inactive S-boxes: we see that essentially the field size plays a significant role, and in particular, if the field size is low, so for example if we have a 4-bit field and t, the state size, is 4, then we have a very considerable percentage of vulnerable matrices in both cases, so for random invertible matrices but also for Cauchy
matrices. But if the field size is larger, so for example 16 bits or 8 bits or 12 bits, then we see that the percentage of vulnerable matrices is very low. And the results are similar in the case of active S-boxes: so again the percentage is higher if we consider small fields, and it starts to get low if we consider larger fields, which means essentially that if we have a scheme where the field size is quite large, then, without testing, the percentage of the matrix being vulnerable is quite low.

All right, so if we basically include all of the results we have in the paper, which means infinitely long invariant trails and iterative trails, both for the case of inactive S-boxes and active S-boxes, we see that we have for example around 16 percent of vulnerable, so around 16 percent of the matrices are vulnerable, if we consider again smaller fields. But again, if we essentially increase the field size, the percentage of a matrix being vulnerable gets quite low again, but still higher, since here we consider all the results of the paper, not just inactive or active S-boxes. And of course we have to fix some period up to which we search for the trails, the iterative ones.

So let me summarize with a sufficient condition which we also give, and with a short summary here. So, a sufficient condition: we have seen before that all the results we analyze essentially need M-invariant subspaces. So the idea is that we could just guarantee that no M-invariant subspace exists, and this is possible by the following theorem, which we prove in the paper. So essentially, if all the minimal polynomials of the matrices M, M to the power of 2, until some fixed period again, if all these minimal polynomials are of maximum degree and also irreducible, then there is no infinitely long subspace trail, with or without active S-boxes, of period less than or equal to L. So what this theorem allows us is to basically easily check if we can use a matrix. But the condition is only sufficient, which means that there are some secure matrices
which do not fulfill this condition but are still secure.

So as a summary, we have determined conditions for the security of linear layers in partial SPN schemes, and we consider both prime fields and also binary fields, and both inactive S-boxes and also active S-boxes. More details are given in the full paper, which includes proofs of these theorems but also algorithms and tools, and the tools are also available here under this URL here. And let me also mention the differential attacks. So we consider truncated differences with probability 1 in our paper, but differential attacks are not the only concern, and indeed algebraic attacks may also be important to consider, because essentially we can exploit that the degree grows slower if we consider such subspaces, and this has also been discussed in this CRYPTO paper here. And finally, the results allowed us to fix some potential issues with HadesMiMC but also with Poseidon and Starkad. Thank you very much.
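The following is an added worked example for the two checks described in the talk (the eigenvector slide, the "compute new spaces until they stabilize" algorithm for inactive S-boxes, and the constructive "keep adding M^j e_i until it stabilizes" strategy for active S-boxes). It is not code from the talk, the paper or the authors' tool, and it does not use the primary decomposition: the inactive case is instead computed as the largest M-invariant subspace inside E by iterating W <- W ∩ M^{-1}(W) on constraint rows, which yields the same stabilization test; the active case is the Krylov closure of the active unit vectors. Only invariant trails are covered; passing a power M^L in place of M gives the M^L-invariant check but does not by itself verify the intermediate rounds of an iterative trail. The prime p = 101, state size t = 4, the S-box layout (S-boxes on words 0 and 1) and both matrices are constructed for this example; M_VULN is built so that e_1 is an eigenvector with a zero at S-box position 0, M_SAFE is the companion matrix of x^4 + x + 3, for which the closure of every unit vector is the whole space.

```python
"""Added example: invariant subspace-trail checks for a PSPN linear layer over GF(p).

Not the paper's code.  Field, state size, S-box layout and matrices below are
constructed for illustration; real instances use far larger fields and MDS matrices.
"""

P = 101            # constructed prime field GF(101)
T = 4              # state size in field elements
SBOX_POS = (0, 1)  # constructed layout: S-boxes on words 0 and 1, none on 2 and 3

# Constructed matrix with column 1 = (0, 2, 0, 0): e_1 is an eigenvector with a
# zero at S-box position 0, the situation of the talk's eigenvector example.
M_VULN = [
    [1, 0, 3, 5],
    [2, 2, 7, 1],
    [4, 0, 9, 6],
    [8, 0, 2, 3],
]

# Constructed companion matrix of x^4 + x + 3 over GF(101): the Krylov space of
# every unit vector is the whole space, so no proper M-invariant subspace can
# sit inside a coordinate subspace.
M_SAFE = [
    [0, 0, 0, P - 3],
    [1, 0, 0, P - 1],
    [0, 1, 0, 0],
    [0, 0, 1, 0],
]


def unit(i, n=T):
    v = [0] * n
    v[i] = 1
    return v


def mat_vec(M, v, p=P):
    """M * v over GF(p) (column-vector convention used for states)."""
    return [sum(a * b for a, b in zip(row, v)) % p for row in M]


def vec_mat(v, M, p=P):
    """v^T * M over GF(p): how a linear constraint row transforms under M."""
    n = len(M)
    return [sum(v[i] * M[i][j] for i in range(n)) % p for j in range(n)]


def row_reduce(rows, p=P):
    """Reduced row-echelon basis of the row space over GF(p).

    Returns (basis, pivots): basis rows are non-zero, each pivot entry is 1 and
    every pivot column is zero in all other basis rows (needed by nullspace).
    """
    basis, pivots = [], []
    for r in rows:
        r = [x % p for x in r]
        for b, pc in zip(basis, pivots):          # eliminate known pivots
            if r[pc]:
                f = r[pc]
                r = [(x - f * y) % p for x, y in zip(r, b)]
        pc = next((i for i, x in enumerate(r) if x), None)
        if pc is None:                              # already in the span
            continue
        inv = pow(r[pc], p - 2, p)
        r = [(x * inv) % p for x in r]
        for k, b in enumerate(basis):               # clear the new pivot column
            if b[pc]:
                f = b[pc]
                basis[k] = [(x - f * y) % p for x, y in zip(b, r)]
        basis.append(r)
        pivots.append(pc)
    return basis, pivots


def nullspace(basis, pivots, n, p=P):
    """Basis of {x : b . x = 0 for every row b}, given an RREF constraint basis."""
    vecs = []
    for f in range(n):
        if f in pivots:
            continue
        x = [0] * n
        x[f] = 1
        for b, pc in zip(basis, pivots):
            x[pc] = (-b[f]) % p
        vecs.append(x)
    return vecs


def inactive_trail_basis(M, p=P, sbox_pos=SBOX_POS):
    """Largest M-invariant subspace W inside E (no S-box is ever active).

    W is the solution set of constraint rows A (x in W <=> A x = 0).  x in W and
    M x in W <=> A x = 0 and (A M) x = 0, so each step stacks A and A*M; once the
    rank stops growing, M W is contained in W.  A non-empty result means every
    non-zero vector of W generates an infinitely long invariant subspace trail
    with all S-boxes inactive; [] means M is safe against this class.
    """
    n = len(M)
    basis, pivots = row_reduce([unit(i, n) for i in sbox_pos], p)
    while True:
        nb, npiv = row_reduce(basis + [vec_mat(b, M, p) for b in basis], p)
        if len(nb) == len(basis):
            return nullspace(nb, npiv, n, p)
        basis, pivots = nb, npiv


def active_trail_basis(M, active, p=P, sbox_pos=SBOX_POS):
    """Constructive check for an invariant trail with S-boxes active at `active`.

    Start from span{e_i : i in active} and add M*b for every basis vector b until
    the span stabilises (the smallest M-invariant subspace containing the e_i).
    It is an invariant trail iff it is a proper subspace with no component at the
    S-box positions outside `active`: active S-boxes cannot leave the space since
    e_i lies in it, and the other S-boxes only ever see a constant word.
    Returns a basis, or None if this construction finds no such trail.
    """
    n = len(M)
    basis, pivots = row_reduce([unit(i, n) for i in active], p)
    while True:
        nb, npiv = row_reduce(basis + [mat_vec(M, b, p) for b in basis], p)
        if len(nb) == len(basis):
            break
        basis, pivots = nb, npiv
    if len(basis) == n:                             # whole space: not a proper trail
        return None
    inactive = [i for i in sbox_pos if i not in active]
    if any(b[i] for b in basis for i in inactive):
        return None                                 # would activate a forbidden S-box
    return basis


if __name__ == "__main__":
    for name, M in (("M_VULN", M_VULN), ("M_SAFE", M_SAFE)):
        print(name, "inactive-S-box trail basis:", inactive_trail_basis(M))
        for I in ((0,), (1,)):
            print(name, "active at", I, "->", active_trail_basis(M, I))
```

With only one S-box (on word 0) the inactive check already reports the trail spanned by e_1 for M_VULN; with S-boxes on words 0 and 1 the inactive check passes, and it is the active check with I = {1} that finds the same one-dimensional space, which is the point of treating the two cases separately. M_SAFE passes both checks because every Krylov closure reaches dimension t.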