 Welcome to this presentation. This is about Hades, which is a generalization of substitution permutation networks. And this is joint work together with Lorenzo, Reinhardt, Christian and Dragosh. And my name is Markus. So let me first give you a very short overview where we currently are at. So we have many general purpose ciphers and they are used for many use cases. For instance, for pure encryption, AES, we like to use AES and this is perfectly fine. However, recently there appeared many new use cases. For instance, MPC or Starks or FHE. And these use cases benefit from certain properties. For instance, the multiplication count may be important, but also the multiplication depth. And also, this is another difference, they tend to work directly over large prime fields. And if I say large, then I mean prime numbers in a range of 2 to the 128, for example. So this leads us to the fact that existing primitives, like the AES for instance, are not very well suited for many of these new use cases. And the idea is there to design something which is good in these scenarios. However, let me say that this idea is in general not extremely new. So for instance, there is this low MC cipher from 2015 and this construction is actually already designed to minimize the number of multiplications. However, the multiplications in F2, which is a lot smaller than the large prime fields I've talked about before. And another problem of low MC and of PSPN ciphers in general, I will then talk about PSPN and what this actually is. So another problem of these networks is that they are not very easy to analyze from a security point of view. And hence the question remains, can we build something which is much easier to analyze, at least against sum attacks, and which is also so what we can also use to optimize the number of multiplications or also other metrics, for example. Okay, so what is a partial SPN? And I will now begin with the classical substitution permutation network, which is shown on the left side. So for example, shark from 1996 is a classical substitution permutation network. And what this means is that in the nonlinear layer, the S boxes are applied to the whole state. And then there's the fine layer, and then there is again a nonlinear layer and so on. And this is done for a couple of rounds. But the main property here or the main difference to the other constructions then is that the S boxes are applied to the whole state. And if we go one step further, we can see this partial substitution permutation network, for example, Zorro from 2013 or this Loeumsee from 2015. And the main difference here is that the S boxes are only applied to part of the state in the nonlinear layer. And the rest of the state remains unchanged. So this is an identity function for the rest of the state. But of course, the fine layers are still applied to the whole state. And if we go another step further, we have a mix between these two. And this is the Hader strategy, which I will talk about in this presentation. And basically, the idea is to mix the classical SPN with the partial SPN. So we have full nonlinear layers, so to say, at the beginning and at the end of the construction. But in the middle, we have these partial rounds where basically only a single S box is applied in each round. So this is the idea of Haders. But why are we actually doing this? So we already talked about that partial SPNs, like Loeumsee, for instance, are more difficult to analyze from a statistical point of view. And if we don't have the tools, this may also be true for FISC networks. So what we would like to do instead is to use very well-known techniques. And one such possibility is to use the white trail strategy. This was originally used for the AES. And the idea of this approach is to basically use a certain construction and together with a certain matrix in order to guarantee security against differential and linear attacks, which are two kinds of statistically attacks. And we use exactly this strategy to protect Haders against some statistically differential linear attacks. However, the problem is that due to this approach, we need full nonlinear layers. So we need S boxes being applied to the full state. And this is rather expensive in our setting. We'll talk about this also later. So what? The expensive part. Okay, so let me now, after this short introduction, talk about the Haders design strategy. And I will first talk about these full rounds, so where the S boxes are applied to the whole state in the nonlinear layer. And we'll then talk about the partial rounds where only one S box or limited number of S boxes is applied in the nonlinear layer. And finally, we then combine these two things and show the resulting construction. Okay, so first about the full nonlinear layer. This is used against some statistically attacks, so namely against differential and linear attacks, however, we also we also conjecture security against other, other statistically attacks. And in order to do it, we need a specific matrix. And this now brings me to this expensive part in our setting. And then we also talk about this later. So in our setting is NPC setting, we try to minimize the number of nonconstant multiplications because they are quite expensive. However, multiplications with fixed constants tend to be way cheaper in our setting. And so we have, we can basically choose an expensive matrix, so to say. And what we do is, we indeed choose the best matrix from a statistical point of view. And this is the MDS matrix. This has also a very large branch number. So we can basically minimize the number of full rounds we need in order to get security against these classes of statistically attacks. And this is exactly what we use the full rounds for. Of course, also for the algebraic attacks, but this is their main reason, so to say, especially when compared to partial SPNs where we use no full rounds. Okay, so this was about the full rounds, the full nonlinear layer. What about the partial nonlinear layer? So differential linear attacks are solved by these full rounds. And we also conjecture security against other statistical attacks. However, algebraic attacks still remain an issue here. And the bad thing about these new use cases, such as the NPC use case, is that they tend to benefit from a very simple algebraic structure. And this makes algebraic or may make algebraic attacks much more powerful. So we have to focus on that during our analysis. And what we can observe here is that the degree is very likely to increase in the same way during the full rounds and also during the partial rounds. So what we do is we mainly use the partial rounds to get security against algebraic attacks. Of course, high degree is not the only thing we need. We also need the polynomial to be dense, but this is done in more analysis in the paper. But the partial rounds basically can be added many, many times because they only contain one S-box. So that's not so expensive in our setting. However, we still may need many, many partial rounds. However, there are optimizations if this is the case. Okay, so now we have talked about the full rounds and about the partial rounds. Now we combine these two things and we arrive at the construction, which is shown at the right side here. We have a symmetric construction. So we have the same number of full rounds at the beginning and at the end. And in the middle, we have these RP rounds, which are the partial rounds. So given then some state size, for instance, we can also modify or change the number of full rounds and the number of partial rounds in order to optimize the construction for different metrics. And in the following presentation, we will denote the S-box size by this small n in bits, which will be 128 in most cases. And the number of S-boxes in the full rounds or the number of cells, if we are talking about the substitution implementation network, is denoted by t. And if we have many partial rounds, which may be the case, and if I say many, there may be, for instance, 80 partial rounds for certain instantiations, then we can make use of recent optimizations. And if we do that, this is actually much cheaper than using just the plain construction. And more details can be found in this paper from 2019. So the problem is here, the nice thing, but also the problem is that we can change many things about the design. So for instance, we can change the S-box size and we can also change the number of cells almost freely. So this is good, but it means that cryptanalysis gets harder. So we have to focus on some instantiations. And what we did is that we focused on prime fields only. And this is also important for a later part of the presentation. So we only define this construction or paper over prime fields. Okay, so now let me talk about this concrete instantiation of our construction and also about very briefly about cryptanalysis. So what is this concrete instantiation? We use a prime field where prime number is approximately to the 128, so 128 bits large. We use one single S-box in the partial rounds and the S-box is f of x equals to x cubed. So basically the cube S-box. And for the matrix and the linear rounds, we use a Cauchy matrix with a very specific starting sequence. And more details are found in the paper. And I will also talk about this towards the end of the presentation because this also may make a difference regarding the final security. So if you see the S-box, the cube S-box, then you probably immediately see that the inverse is quite expensive, especially if we increase P. But for our setting, we only need the encryption direction. So for this NPC setting, so this is actually not a problem here. Okay, cryptanalysis, very briefly, we have two security levels we focused on. We have the state size security, which means that basically for a 1000-bit state, we want to have 1000 bits of security. And we have the S-box size security, which means that if we use a 128-bit S-box, we want to have a security of approximately 128 bits. So we focus only on this security level, which should be equal to the S-box size. And in our setting and in our instantiations later, the key size is approximately 128 bits always. So we want to have a security of 128 bits and not a full state security here. Okay, so very shortly about statistical attacks, we use the white trail strategy and an MDS matrix for security against differential linear attacks. And you also, based on these results, you also estimate the complexity of other statistical attacks. But what about algebraic attacks? So there are many different kinds. There's, for instance, interpolation attacks or group databases attacks, and various strategies. So we also estimate the security of the construction against these types of attacks. And, yeah, and more details are then also found in the paper, of course, much more details. Okay, but let me now come to the use case, the actual use case of haters or of this construction haters mimsy, which is the NPC use case. Now let me first talk about the use case itself before I talk about the construction we use. So this is a very large application area. And the security, the setting is a secret sharing based NPC system. So data is shared as elements of this very large prime field. And we transfer the data by evaluating block cipher calls on this data. So traditional algorithms like the AS are not very efficient. So we use this new constructions instead. And we want to avoid having many cipher text for stored shares. So we do basically a single block cipher evaluation for multiple shares. And that's also the reason for which we have, for instance, an S box size of S box size of 128 bits, and then multiple S boxes. So we increase the number of cells basically, and these are the the different shares then. And if we arrive, or if we come to such a construction, we then, of course, we also want to compare it with similar constructions, such as the older mimsy or the very recent rescue or so. Okay, so first about the cost metric, I've also hinted, I've already hinted about before. So linear defined functions are almost free. So for instance, additions, however, nonlinear functions, so multiplications with non constant multiplications, they are very expensive. So and yeah, about these multiplications, they're actually required. They require communication between the parties in this NPC setting. So the total number of multiplications of the resulting construction of haters is a good estimate for the final complexity. And this is what we use then, to basically determine the right number of RF rounds and RP rounds. The additions are free in this setting, but they can still influence the cost. So for instance, if there are many, many additions, they have an impact on the computational cost, of course. Okay, so what we want to have as a conclusion is we want to have a small number of multiplications, this is very crucial to reduce the overhead. The depth may also be important, but it's about the number of multiplications here. And we can have different tradeoffs and different round numbers. And about these round numbers, let me just give you a few examples. So for instance, if we have a text or state size of 512 bits, and the S-box size security, so 128 bits, then you can see here we use six full rounds basically and 71 partial rounds. If we increase the security or the state size, sorry, to approximately 4000 bits, then in the S-box size security level, we have, for instance, six full rounds and 71 partial rounds. And now you maybe know why I've talked about these optimizations for the partial rounds because 71 is quite significant. And here it becomes very important to use these optimizations. Also, of course, for these numbers here. So after having shown you maybe some instances, we can have a look at some benchmarks of Haters-Mimsi and other site for the constructions in this MPC setting. And let me first say that all tests are done over a local area network for various cell numbers here 2432. More examples can then be found and the larger table can be found in the paper, of course. The total size or state size is 128 times T. And we use this Mimsi construction in a counter mode. And let me also say here or emphasize that the security of rescue is actually larger because it's a state size security level, not an S-box size security level. Okay, but if we have a look here, for instance, for T equals to two, we can see that Haters-Mimsi is quite good when it comes to throughput and also to communication per element. We can see that this also holds for T equals to four and for T equals to 32. It's not the best in the latency section. So Mimsi is better here and rescue is better here. However, here for 32, so for very for a high number of cells, it's also better in the latency. But again, the performance of rescue may be better actually, especially regarding the throughput here. If we consider an S-box size security level, but we couldn't find the numbers for these. So we use the state size security level. Okay, let me briefly also talk about open problems and future work. So there are of course, more use cases which can benefit from this Haters strategy. This for instance, two, there's the Stark use case and there are two constructions of permutation Starkat Pi and Poseidon Pi. And they're used for the hash functions Starkat and Poseidon, which are shown in this paper from 2019. And they also use this Haters strategy with full rounds at the beginning at the end, and partial rounds in the middle. Of course, for future work, more cryptanalysis would be better, specifically, maybe to improve the understanding of higher already French attacks over FP, then to improve the understanding also of the difference of the cryptanalytic difference cryptanalytic difference, sorry, between the full rounds and the partial rounds. So this may be very important also. And if we have a better understanding, maybe even better tradeoffs are possible. And another thing which has to be considered here is the properties basically of the linear layer. And I will now shortly talk about these because there have been some results since the submission of this paper. So as properties of the linear layer, let us recall first that the linear layer of this Haters construction, we use the multiplication with an MDS matrix. And for this MDS matrix, we use a very specific generation sequence, namely it's a Cauchy matrix with a very specific starting sequence. And if we do this over F2 to the end, so our binary fields, then there are some problems. So for instance, if T, so the number of cells is a power of two, then the square of the matrix use is a multiple of the identity matrix. And what this means is that there exists some subspace here that is invariant for the partial rounds, which means that no as using this fact, no S boxes are active in the partial rounds over an arbitrary number of partial rounds actually. So this is a major problem, but it works for binary fields and it does not work for prime fields here. So Haters Mimsi or construction is actually not affected by this. So at least we don't know a way here. More details about this are given in these two very recent papers. And one possible solution is for instance, to change the generation sequence of the Cauchy matrix. But we emphasize again that this works over prime prime fields here, not over binary fields. Sorry, it works over binary fields, not over prime fields. However, there are new results also for arbitrary matrices. So not only for Cauchy matrices, and they also they also hold for prime fields, but still we don't know a way to to exploit these results to attack Haters Mimsi. And yeah, these new results can be found in in this paper here. So thank you very much.