 Welcome to the first invited talk of FAC this year. We are happy to have Gregor Lerner here. So Gregor is well known for his contributions to symmetric cryptography, in particular lightweight cryptography. He's a co-designer of many lightweight block ciphers like present, prints or recently skinny. However, this time he will speak how to analyze these ciphers and how to break them. Thank you very much. Thank you for having me. It's a nice honor for me to give this invited talk. Yeah, I'm going to talk about invariant text. It's based on a series of works that we published in the last five, six years. And so I mentioned many people here. Probably I forgot some. It's louder. It's probably I forgot some. I'm sorry for this, but so it's not only my work, but it's joined with many other people. I already gave this talk several times, similar talks several times, so I had the impression maybe it's boring for some of you might have seen previous editions. So I tried to add a few new things. I don't have a breakthrough new results that I'm going to present. I'm going to add three insider information that maybe at least I think nobody except the people I mentioned should know about this. Maybe there's something new for everybody, I hope. So the ideas I'm going to work on explain about these invariant text and I'm going to start with introduction, the general problem, the general setup, and then start with the first version, which was this invariant subspace text, which we developed, and then the generalization, which is this non-linear attack. And then finally, I'm going to explain how you could potentially avoid these attacks in the future. And we'll see if this works out. And one of the insider information says maybe it's not so easy as we were hoping. Okay, let's see. Okay, so Florian mentioned, I worked a lot on lightweight ciphers and I think one of, so there's of course the impact that this might be more efficient and nice and whatever, but I think one of the real impacts of this lightweight crypto, we have many proposals that probably will never be used. Many of them are mine and probably none of them will ever be used in practice, but what I think is nice from this lightweight crypto is that we really focused on designs which are reduced, so everything that is not really needed for security is thrown away. And in a way, this tells us, or maybe it tells us how not to design ciphers that are secure. So I think this is one nice insight of all this lightweight trend that we had in recent years. And from this perspective, I think that NIST, at least for the research, made a not good favor to us by saying that they want only well understood designs, which means all these nice new designs that get broken and we understand more. This is maybe not going to happen with NIST, but then again, I'm not sure that all the people listen to this. All the designers, I know some, including myself, we didn't take this too serious. So I hope there are some new ideas also there. So I'm mainly focusing, because this is all I know, I'm going to focus on this key alternating ciphers. So I'm talking about block ciphers, where you have a round function and you have an X or in between with the round keys. I think, that's maybe a bold claim, but I think many of these ideas take over to other scenarios as well. For example, if you have partial non-linear layer, maybe fiscal structures, and many of these things can be adapted, and also to cryptographic permutations that might also be relevant for those. But I'm focusing mainly on this case. I'm also not focusing too much on tweakable ciphers, but also it's possible to adapt many of the results. And even more, I'm going to consider this case. It will be, especially at the very end of the talk, it will play a role in how the round function is actually designed, a SP network where each round function is composed of two layers, one consists of small S-boxes and another one is a linear mapping of f2 to the n. Okay, so far, I think. That's very general. And now, one of these things that happened in lightweight crypto in particular is that we don't have a key scheduling. In many new designs, the key scheduling is gone and we use the same round keys or maybe alternating round keys for just derived from the master key. And so the only thing we have is round constants to make the rounds different because this is clearly something we need, otherwise it's broken immediately. So this is something that many of the ciphers have, and this is also maybe one of the reasons why all these in-oriented things started. So if all these ciphers would have a bit more of a key scheduling, none of these results would ever happen, I think. So that's one of the things where this minimizing is nice because we kind of see things that we didn't see before. Is this a good idea to have these round keys just identical up to a constant? I think, yeah, you have to be careful. That's basically what all this work is about. If you do this, you have to be careful in how you choose the constants and also at least at the very end we get some ideas, some conditions on how you should pick these constants. Often they are chosen in a very ad hoc way. I know this from my designs as well. The last thing you would do is, okay, shit, we need some round constants. And then at the last minute, you write down some round constants that are very efficient to implement, and sometimes this is not a good idea. I mean, it's good for me because I have all these publications, but it's not good for the design. Okay, so you have to be aware of these symmetries, which are basically a special case of this invariant subspace, or invariant subspaces and the generalization of these invariants. So what you don't want, for example, just to give an easy example, is that if you have a plain text where the first half and the second half are identical and maybe you have a key, which is also this form, first half of the master key is equal to the second half of the master key, you don't want that all these encrypting any of these plain texts with any of these keys leads to a ciphertext, which is something you don't want, because it's easy at least for these weak keys to distinguish the block cipher from a random permutation. It's not going to happen for a random permutation with very high probability, and so this is something you don't want. And I think the right abstraction from this very concrete setting is that you talk about invariant subspaces. So why is it a subspace? Because you can write down linear equations. So it's being symmetric. It's something you can characterize by writing down linear equations. So generalizing this, you end up in a fine linear subspaces and then one more abstraction is a fine subspaces. So you don't want a subspace of plain texts encrypted under some weak keys to end up in the same subspace for the ciphertext that would again not happen for random permutation, so that's something we want to avoid. So the question is nice, do these things happen? So here's a list of ciphers that get broken with invariant subspace attacks. So maybe it's not complete, but that's also not the point. The main point is that it happens. And just to see a trend, I asked Excel to plot how this is going, and I don't know what happened here, so... Something tweaked and was fixed again for a short time and it broke. And then I also looked at, okay, how is this going to continue? And in Excel you can easily ask, okay, what is the prediction for the future? And it goes like this. So there's 2020, we're almost there. It's a bit outdated maybe, but we should see a lot of publications soon, I think. And that's for 2026, and we have 370 ciphers being broken with this. So actually these invariant attacks are much more dangerous than quantum or this quantum. That's the real threat. We'll see if this happens. Okay, and here's the first insider information I wanted to share, which is something that we found by designing PRIDE. So PRIDE is the cipher we designed for being optimized for being efficient on 8-bit and 16-bit CPUs. So embedded devices that run software and then PRIDE should be efficient on those. So we tried, in particular, to find the linear layer which is very efficiently implemented on those devices. And then three days before the submission, I got this email from Benedict Rees in one of the courses. It's in German, I know, but I wanted to keep it authentic, so this is the email I got. It says, so this is from him to me, the subject is PRIDE test vectors. So he just, because we need this in the submission, he computed test vectors. And then he asked, is this a problem to be, is there something to be worried about? And he says, this is the test vector he computed. And then the point is in the ciphertext, there are all these zeros. At first reply, no, no, I guess that's a coincidence. But then I sort of maybe think about for a second time, and then, of course, it turns out this is an example of an invariant subspace that we fixed just in time. So it's good for PRIDE that this was emailed three days before, but actually, if you look at the prediction, what's going to happen. So the point being, if what would happen, if you would not have found this, then PRIDE would be broken, of course, yeah. So this is why this line is, if you would not have fixed it. And now the interesting thing is what happens if you do the same prediction as before. And actually, it's like this. So this means, because we fixed PRIDE, 100 other ciphers will be broken. Sometimes you, it's this butterfly thing. Sometimes you do changes and it's unclear. You are not aware of the effects. So that's the first insight information I want to, I'm sorry for this. Okay, good. Okay, let's get a bit more into details. So the first invariant subspace attack that was published under this name was an attack on this print cipher. But actually there are previous attacks in the same way, where basically the main, where they are not so, where they did not became so popular is maybe because they were missing the targets. So partitioning attack is something, partitioning cryptanalysis is something that is a general form of invariant subspace attacks. And also nonlinear approximation was there before. And also did not really find enough targets to become as visible as it should have been. So this is the attack on print cipher, just to give you an idea of how these things look like. So this is print cipher. Looks a bit like present. It's maybe not the coincidence. And so what happens if you fix, I hope it's visible, if you fix some of these bits to zero and one, this is the input for one round, and you also fix some bits in the key, which is x odd, and you carefully check, then you will see that this is the same thing after one round as the input. So the input and the output of one round, they share the same linear equations or affine equations. And then because it's iterative, it's going to work through the whole cipher, and this is actually one example of an invariant attack, just to have it more concrete, and get a bit of an idea of what this means, this invariant attacks. So this is how it could look like in a cipher. So that lead to a probability, one distinguisher for the whole cipher, and if you do the counting, it's the 50 out of these two to the 80 keys a week. So that's, I think, significant. And then the abstraction is that, okay, what actually happened is that we have a subspace U, that's a linear subspace, and the constant A, which makes it an affine, a subspace that's mapped under the round function to a different coset, so a different translation of the same subspace. And then if you have a key, which is kind of pushing this different subspace again back to the original, then it becomes iterative and will work for all the rounds. And this is one of the cases where it's really easy where it really helps if all the round keys are the same, because this is a linear equation, which has to be, so this is a linear conditions for all, or affine conditions for all round keys. And if you have different round keys, these equations would add up and probably you would end up with only one or zero keys that fulfill all these equations. But because all the round keys are the same, well, you do not get any additional equations and if one round key fulfills these equations all the round keys will do it. Okay, so the next question was basically how to detect it automatically. So for printCypher we really stared at the blackboard for a long time and some, oh, we saw this, we finally found this attack and the question is how can we do it automatically? So that was the next thing and I briefly explained how to detect those things automatically. So this is the same thing in the picture and I'll use the picture also to explain this algorithm. So we have, the whole thing is the space of all possible states of the Cypher and then we have affine subspace which under the round function is mapped to an affine subspace, a coset of the same subspace and then the key addition is going to put it back and it's iterative. So it's the same thing on the slide before just as a picture. The idea of how to detect these things automatically was published in 2015 and the idea is relatively simple. I think you try to guess a subspace, a subset of these invariant subspace and then try to discover those also in a picture how it works. So the idea is I have this round function and the nice thing about this algorithm is it's very generic. It doesn't matter what your round function is. It could be anything. You just need an efficient implementation of the round function and it's inverse and you can run this attack. The bad thing is it's not efficient but it's very generic. So what you do is you guess a few elements in the state space and you hope that all these elements that you guessed are actually inside the invariant subspace. And then if this is the case you're going just to map all these elements in the function f and you're going to get some set here. But because you're looking and you're trying to find an invariant subspace you know if this is correct then all these sets should also be within this invariant subspace. And because it's closed under taking linear it's a subspace. So the subspace spent by this set should be again contained in the invariant subspace. So the picture, I hope it's clear if I draw some rectangle it's supposed to be a subspace and if it looks more it's just a set. So this thing is supposed to be the linear span of this set. And then you have more elements and you map them back and you get another set and again you look at the linear span spanned by all these elements and you continue doing so. And now if your guess was correct the point is that this is going to be stabilized. At some point it will not add any more elements when you do this computing the linear span of this at some point it will stabilize and you found your subspace. So that's relatively easy. And if your guess is incorrect then it will stabilize when you have the full space. Because of course the full space is invariant but this is trivial and not helpful for anything but this is what's going to happen. So that's relatively efficient. You have to given one guess it's relatively efficient to do this mapping back and forth so you're not going to map the full set all the time just some random elements and you have to be a bit careful with probabilities that you're going to detect wrong things but it's easy to implement and relatively easy to analyze. So the bad thing is the running time. So if I have block lengths N and I want to detect something of dimension D then at least a two dimensional space otherwise I don't have any linear hull to form so I have to guess two elements in the space and I have to guess a third element which is the offset which means I have to guess basically three elements in the space and the probability for one of them for an element to be in the space of dimension D is 2 to the D minus N and then I need this three times and then the expected running time is the time of guesses I have to do to do the three times N minus D so even if N is small if you have a block size of small dimension let's say 64 bits and you're looking for a really high dimensional thing let's say 32 dimensional invariant subspace that's a lot three times 32 which is 96 maybe and it's 2 to the 96 that's nothing you can do efficiently so one thing is you are mostly interesting for the case where the round keys are identical and you only have round constants and then you want this subspace to be invariant of all these rounds meaning for all these different round constants so actually it's easy to see and I'll explain something similar later in more detail that all the round constants have to be in this space and this means the only thing you're left that you have to guess is actually this offset which reduces the running time from guessing three elements to guessing one element correctly and now for this case that I just mentioned 64 bit block size 32 dimensional space this is efficient it will detect something it's still not satisfactory because for many applications it's not it's not good enough so I actually don't know if I have time for this but okay then lunch is later I'll explain one application to give you another application of how these subspace could look so this is Robin at Ice Cream which are Cyphers that are following this LS design which I think is a very nice approach to design efficient lightweight Cyphers and the point here is that they are easy to mask so that's also where the name comes from Robin is the small brother of Batman and he wears a mask that's where the name comes from so the representation is like this each bit is each square is one bit and you would store columns if you want to implement this Cypher you would store columns in registers and so you have S-boxes in linear layer and the idea is that S-boxes work on rows so you'll have an application of S-boxes in this direction and then you'll have linear layers so that's how the Cypher works and then you will have wrong constants here in this case of this Robin and Ice Cream you will add some wrong constants only on one register, why only on one register because it's more efficient to exploit you save some some instructions okay so and now if you run this algorithm that I just presented on this design it will actually very fast find this 32 dimensional subspace and also for sorrow you could do the same and it will also detect some weaknesses and then one problem with this automatic tool is it will always detect the minimal invariant subspace because then it stabilizes and it's not going to find more but as an attacker you're actually interested in finding the largest subspace but so there it's again going down and sinking to understand why this happens and then most of the time you are able to generalize and see what is the structural weakness that actually allows this subspace to be invariant so this is the reason this is the subspace that happens in Robin it's something in the S-box so it's an 8-bit S-box and it maps those values to those values the first side may be not so interesting the first thing is that these 8 values are the same as these 8 values so that's an invariant set and actually it's a subspace so zero is contained that's good for a subspace and then whenever you take two elements here and you add them it's going to be again in the set so this is a subspace and actually one way of representing these 8 values is the first bit can be anything then you call the second bit A the third bit B then to zeros then the third the second bit is repeated and another zero and then the X of the two so that's one possible representation of this subspace which has dimension three three dimensional invariant subspace for the S-box okay and I'll note this AB and for the output you get some alpha beta it's different but the same same structure so now what you can do is you can put this structure in each of the colors so I'm going to put some bit here and another bit here I'm going to put two zeros here then I'm going to repeat this bit and another zero here and so on and I do this for all the rows so now we'll try to see what happens if I encrypt a plaintext of this form with Roman so the first thing is these S-boxes because I just showed that this is invariant for the S-box in each of the columns if you start within the subspace you're going to stay there so the only thing that happens is that this A and B gets replaced by alpha and beta that's all that happens to the plaintext so basically this happens for the S-box layer so after the whole S-box layer this subspace is going to map to itself and then the next thing is the linear layer which is going to apply to the columns and so for the first column there's something in the first column and after the linear layer there's something else in the column representation stays the same in the second column you have all these alphas and this is where my latech skills stopped so you get something different but I'll still call it alpha I couldn't there was too much this is the different value it's L of alpha deal with this so the same for beta if I apply L to it I get some L of beta then I have zero here and because it's a linear mapping it will stay zero so zero is moved to zero that stays the same here and now this is the same input as here and because we apply the same linear layer we get the same output so now this alpha is really the same as this alpha as before and then zero again and now this is the axle of those two columns and because it's a linear mapping the output is again the axle of the outputs so it's also invariant for the linear layer so it's invariant for the S-box it's invariant for the linear layer and then we have the wrong constant but the bad thing is the wrong constants are there where I don't care anyway what the state is and so it's invariant for the whole cipher and it repeats and this is why it's broken okay so far we discussed this and now the question is how can we generalize this and there are many ways to generalize I think so the first point and I'm going to discuss a bit about this is not focus on subspaces only but some maybe invariant sets more general you can look at statistical variants and after the break this Christoph is going to talk about how you can maybe generalize a bit to not something which happens in probability one you can also allow the subspace to change so you have one subspace that's mapped to a different subspace after one round and again it's a different subspace and so on so you maybe have something like a subspace trail the name is used for something else but I think the idea was something like this and you can also think about how can you deal with non-trivial key scheduling especially those two the last two things together might lead to other texts on Cypher's where you actually do have a key scheduling but I'm only going to focus on what happens if you try to generalize to not only having subspaces but maybe invariant sets this is something we published I published together with Joske and you on AsiaCrypt 16 and it did not develop like the storyline it suggests so from the picture it seems like a super trivial thing to do so this is what we had before and now we don't want to focus on subspaces only but we just want to focus on some invariant sets so that's the whole idea the point is you can easily generalize all the attacks but I think it's only meaningful when you have first of all some target to actually exploit this generalization and also some way to efficiently or exhaustively check for all these attacks otherwise you can always say I have some strange behavior and then all the attacks will fit to this but I think it's too general it's important to find the generalization which kind of allows you to do some things and this is invariant subspaces of this type so in invariant subspace in non-linear invariant attacks it's actually easier to not think about the set but to think about the functions that keeps things invariant so the following was the definition that we proposed so if I have this round function which maps n bits to n bits we are thinking about the Boolean function so this is only output one bit and we call this a non-linear invariant for this function f if this equation holds so if g evaluated on the output is the same as g evaluated for the input so it's maybe it's complimented and the link to the picture with this g should be the g basically is the indicator function of this invariant set so you look at the you look at the set and you define a function g, it's the Boolean function it's only 0 and 1 and you define it to be 1 if you're in this set and you define it to be 0 in this set and then that's the link to the picture so an invariant set can be modeled nicer I think as an invariant function okay so that's what this explanation is for so you look at the support of the function and then the support and its compliment are going to be invariant okay and you can do again and the nice thing is again there are ciphers which you can break with this it's the ice cream midori and also scream the version of scream which was really unlucky I think for the screen designers because version 2 was safe and version 1 was safe and version 3 because that is a small change in the sbox was then attackable and the nice thing with this attack is that you can extend this to an attack on the modes so it really gives you well before this invariant subspace attack I always thought of it as just a distinguisher but you don't want but actually you cannot use it a lot for key recovery because it happens with probability 1 guessing keys and computing backwards is not going to help here you can really extend this to cipher attacks only attacks in some modes and it has very low complexity if you have weak keys then it's really efficient so this is just a summary of these results for scream for example you have 2 to the 96 weak keys out of 2 to the 128 keys and then you can recover one quarter of the plaintext bits with very small time with zero time okay so I'm skipping all the details here so I'm not explaining how this happens and why this works so if you want the details you have to look into the paper and also there's a nice explanation why this attack actually works so for the S-box it's relatively easy to see why it works for the S-box but then luckily it also works for the linear layer luckily for us it also works for the linear layer and this is explained in the paper what is the structural weakness that makes this happen so here's the second insider information I already said that this was not developed like I explained now so it was not like we looked in this picture okay let's look into Inverient Set but it was simply the different so this is what we Yoskitodo was visiting RUB and I guess this was end of 15 beginning of 16 maybe beginning of 16 and we were working on division property so and so just a brief recall what division property is I'm going to be very brief on this so you have a set X and it has the division property so the N is the block length and K is an integer if summing up over all these elements X in the set X X to the U will add up to 0 so the priority is 0 where this X to the U is I hope it's clear it doesn't matter just think of X to the U as you want some X to the U the weight of U is greater the weight of U should be smaller than K so for all vectors U is smaller than K this sum is going to evaluate to 0 another way of saying this is that you can take any function of the U smaller than K and F evaluated on all these elements in the set and you add them up it will give you a 0 so this is one way of simple variant of this division property and so the resource question that we had was visiting at REWIS can we overcome one S-box without guessing the entire key so let me be more specific you imagine you have this S-box which is maybe high degree and you have some division property like this so this 3 means you have a set here where any quadratic function evaluated on X will add up to 0 that's the division property 3N the idea was okay maybe we can evaluate something on Y can we test this division property on Y without guessing the whole key and it would be nice because it would speed up key recovery or maybe allow it to add one more round so we tried this and the idea was the following let's try to find the function G which you evaluate on this intermediate value set which fulfills two things so first of all it should G should not depend on all bits in a non-linear way because if this is the case if it does not depend on all bits of set then actually you have Y you don't have to guess the whole key and you can evaluate this and then evaluate G of this thing without guessing the entire key and the second thing is we wanted that G of set equals some other function F of X which in this F should be quadratic why because we know if F is quadratic F of X is quadratic and we sum up all these values we get 0 so we have a distinction following from the division property so just a different function G of set which equals to F of X and this F should be quadratic and then I would guess some parts of the key bits which are required to compute this G of set and then add up all these values G of set and if it's 0 this partial key guess was correct so I think it was a good try and then we searched for many candidates and we looked at many S boxes is this going to happen what are the conditions so if I look at this code back now it was really stupid things we tried but it was a super inefficient just running through all possible functions in a stupid way you can do these things much better and then we found this so if this is the scream S box it fulfilled something like this X1 times X2 plus and so on is this one so in this case it was really a coincidence this F and the G are basically identical just by X it happens oh that's interesting that's cool maybe that's something to okay maybe it's just a coincidence can we do something with it and I didn't know okay maybe it's just something to follow up on it's complicated and there's all this linear layer and it's going to destroy this for sure and then one month later I got this email from Josuke and he said I have some new results and I would like to publish this and this was then Josuke went home and discussed with you and this basically sent the complete paper to me so my contribution to this non-linear tech was actually a bit limited maybe it was luck to find this I think it's a very nice observation that this also works for the linear layer and then it ended up in this paper that I tried to explain earlier okay so last part how to prevent these attacks so I said this is non-linear in the tech which is quite general and now you would like to be sure that your cipher is secure against this and I already explained that there's this automatic algorithm which is not efficient so maybe we need something better and this algorithm is not even efficient if you try to adapt this algorithm that I explained to invariant sets it basically breaks down immediately because the main idea was to look at this linear span and you cannot do this because you're not looking into invariant subspace okay so we need some new ideas how to prevent these attacks now we are changing from a techer's perspective to a designer's perspective to a way to choose our round constants probably in a sound way that allows you to be sure there's nothing you have to worry about okay this corresponding paper which appeared at crypto 17 and so there's this question mark and I'll explain why there's a question mark it's a satisfactory answer for the designers and I think we were very happy with this okay I'll explain this is the last insider information is this question mark so I think finding some very general arguments is really complicated so we decided to restrict the considerations of preventing these attacks to a special case but actually the special case is mainly motivated by all the attacks up to then which are in this invariant attacks are really of this form and also the ones I explained previously is of this form so we have this SPN layer and we have an invariant which is invariant for the S-Box layer and invariant for the linear layer the linear layer including the key addition so it's invariant for both that's not necessary you know you can easily in principle have an invariant which is invariant for for one round without being invariant for both parts so anything which is invariant for both parts is invariant for the whole round which is invariant for the whole round has to be invariant for both parts but as all the attacks were of this form it seems like a natural way to look at these things so we are considering only invariants which are invariant for the S-Box and for the linear layer and then the linear layer including this key addition so one exception is the best paper from last Asia Crip which actually has attacks but ok that's very nice but we couldn't consider this because it was after all work and I'm not going to go into details here but it's very nice ok so why is this nice from a kind of trying to find arguments perspective how does it help to have this invariant under both things the nice thing is ok so we want this invariant G so what we want is G should be invariant under this linear layer G of X is the same as G of L of X plus Ki because G should be invariant under this so the linear layer including the key addition should be invariant under G so this should be true for all round keys so it should be true for all round keys Ki and it should also be true for this KJ INJ any possible choices of rounds so and then if you add up those two equations you see that actually G of L of X plus Ki G of L of X plus KJ plus this constant so it's the same thing and then you do replace L of X by maybe Y prime and then Y prime by Y plus Ki and so you end up with this equation so that means for all Y G has to fulfill G of Y plus this element here has to be the same as G of Y and this is what we call in linear structure for G so linear structure is like a derivative of your Boolean function constant and this is what happens here and actually if you look at the set of all these derivatives all these alphas this derivative is constant they form a linear space it's again a subspace if you have two of them then the sum is also going to be one of them yes and similar similar computation also shows that if you have these conditions and you have this K of I plus K of J should be a linear structure and also L applied to this thing should be so that's what I'm summarizing here so these linear structures of this invariant G have to contain all these differences of round keys and they also have to be invariant under L and this is really the key point because this allows you to in an easy way to check if this is possible or not and now again these differences if you have a proper key scheduling these differences could be very complicated but if you have this simple key scheduling that they explained where all the round keys only differ by constants this difference of two consecutive round keys to round keys is again a constant so it's just a constant and actually this is another open question what happens if you have maybe a linear key scheduling probably you're still able to say something and maybe do similar arguments as here but for at least for sure for this simple case of identical round keys it's very simple and you get the constant here so then if you want to see if you can find these invariants all you have to do is you look at the set of all these differences of round constants and you look at the smallest L invariant space containing all these differences and if you're lucky this space is big why is it good if it's big because it's a strong restriction for your invariant so the linear structures of this invariant you're looking for has to contain this space that it's easy to compute and now the nice thing is if this dimension of this space is n-1 then you know is n-1 or larger so n-1 or n it's easy to see that then such an invariant cannot exist so the nice thing is it's easy to compute you can easily compute this dimension and check if dimension is high enough you're done you're safe and for example this allows to easily prove then that for LED and also for skinny some variants of skinny these attacks will not work and you can do a bit more of linear algebra look at the rational economical form whatever this is of the linear layer so you look at its matrix and look at its economical form and then there's a notion of invariant factors for linear mapping and actually they will basically determine how many round constants you need in order to make this argument work so I'm not going to go into details but that's conceptually easy take the linear layer and compute this rational economical form and then you know how many round constants you have to pick and then you pick round constants and you compute this dimension of this set WL and if it's full dimension you know nobody can attack this thing with invariant attacks so I think it was nice I was very happy with this the nice thing is works independent of the linear of the S-box so for any S-box it's going to be fine it's really a question of it's really a property of the linear layer only okay so let's give these examples so here's the last insider information I think I'll finish in time so this is the but so I'm going to explain the question mark so I said maybe this is not a satisfactory answer and the point is this so I said we are looking at invariants the S-box layer and another linear layer including the key addition and then I claimed it also works for any S-box it's independent of the S-box you can choose the S-box as you want and it's still going to work so this analysis is very simple and nice so let's do some cosmetic this is something that Christoph Bayerle pointed out to me a few weeks ago and I think it's nice and this is what I wanted to share and it's nice and also not nice but okay let's do some cosmetic changes so I have this S-box layer so I try to maybe it's not three S-boxes but some S-boxes and I have the linear layer and I am looking for an invariant for this part and an invariant for this part so let's get rid of this boundary between these two invariants and add some identity there so I choose the linear mapping T and it's inverse and then I added nothing here in the middle so this is identity so T is linear but then instead of having it in the middle I'm going to split it in two parts so T I'm going to think of T as being part of the S-box and I think of T inverse and this direct product of these T inverse mappings as part of the linear layer so nothing changes the same cipher but I have a different S-box now and I also have a different linear layer and the point is that so nothing happened but the linear layer is different and that means that if I compute the if I did this job of choosing the constant by looking at the rational canonical form of this thing and everything was nice I get high dimension everything is good it doesn't mean anything about the linear about the rational canonical form and all this dimension for this new linear layer so the argument might work for this one but it might not work for this one and it's the same cipher and there's no reason why the attacker has to stick to this one that's a bit bad and maybe and that's the last point I wanted to make maybe that's actually something we it's not just only for this case but so we but I think a way of all that's in the paper is correct it's not like this is a mistake in the paper that is a better way of phrasing is maybe that we have a security argument for an exact representation of this cipher so it's this representation meaning this these boundaries basically between the S-box and the linear layer where you can do your security argument but this boundary is very arbitrary and like I said it's just a cosmetic change and you put some parts of the linear layer within the S-box or some parts out of the S-box in the linear layer for the attacker it doesn't make a difference but the argument breaks down and I think this is something that is not only for this case of invariant attacks but that's something that's maybe more general that we often actually focus maybe too much on the specific representation of the cipher because everything else will become even more difficult but that's not nice I think it's a good one of the questions of course can you move this restriction can you find an argument which will work for all these linear layers so it's not an arbitrary linear layer so it's still the T's the thing is of a certain form and maybe you can still try to lift the security arguments for this I don't know yet okay and that's all I want to say thank you very much are there any questions for Krieger? so everyone is hungry I have a question yeah? do you have ideas how to overcome this? no no because to me it seems if you're allowing to do this you can also cancel the round constants to some extent you can cancel the round constants you can move it to the S-box yeah but then your proof says it's working for every S-box yes you can do this but then of course you really you can do this but then you need a different the invariant has to work for all S-boxes but now the S-box is always the same and you want the same S-box it's different so each S-box will be different potentially because actually the T for simplicity this is the same T but there's no reason to take the same T for all the S-boxes and if you move the round constants within one round and again different S-boxes in different rounds I wouldn't do this you can but it's not going to help at your your clip paper in 2015 you mentioned that those that are on ice cream and others can be interpreted in the related case setting like is it true for other variant of the invariant attacks can we redefine them in the related I don't know I don't remember that we wrote something like this so what was the okay I'm asking you what was the idea you mentioned that the invariant attack on ice cream and there were three target ciphers and you mentioned that another interpretation is that we can say that the cipher can be broken immediately in the related key setting in the related key model I think this was particular to those ciphers I don't think it's so you can consider wiki as a self related key I think something like that I don't think it generalizes to the whole space of possible invariant attacks so I think it's particular the question was what does it mean for permutations I don't know what security for permutations how do you argue this anyway I have to say you use it in construct I know and I think it's nice but I think the what does differential crypto analysis mean for permutations for me it's very unclear but I think again so at least they mean it's not hermetic I guess even mansour yes so for even mansour maybe it could be I guess it again depends on the mode and the exact location of the subspace so you use this as a cipher yes so then again I guess it would be allow you to distinguish the is it likely that there are exploitable invariant subspaces it's not less likely for permutations then basically I think from a design perspective that you have a key where you can find a subspace you know there's no weak subkeys because there's no keys so that was my question now I got your question so I think I mean if you look at the invariant subspace or these attacks we have here what happens a lot of the times is that the zero key is actually weak and now the zero key would directly if this would be a permutation would be the cipher with the zero key round constants yeah but I mean taking zero key that you have round constants and still the zero key is going to be in many cases the zero key is in this class of weakies which then would be the case for that's directly the same situation for permutations I think zero key is exactly what you you still have the round constants in the permutation and you have the round constant in the block cipher so of course there is less freedom but so from the examples I think you should also check for no just to asking for it yes but you're right there is less freedom some more questions for Gregor okay then let's thank Gregor again