Thanks for the introduction. So today this talk is about block ciphers and in particular how to prevent the invariant attack on block ciphers. And first of all I have to give some basic definitions so that everyone knows what these invariant attacks are. So for this we consider a permutation on n bits called E, and we say that a subset S of F2^n is an invariant set under E if every element of S is mapped to another element of S under E, or if the whole set S is mapped to its complement in F2^n. And to put it in a nice picture, here you can see that in the first case S has to be stable under E, or if we are in the second case every element of S is mapped outside of S, which means that for the inverse function every element outside of S must be mapped into S. And if we are in the second case it becomes clear that the size of S must be the same as the size of the complement. To put it in other words, we can define this invariant set equivalently by a Boolean function G which is the indicator function of the set S, and then we have that for all x, G(E(x)) = G(x), or for all x, G(E(x)) = G(x) + 1. And this leads to the motivation of the definition of an invariant function. And we say that a Boolean function G on n bits for which G evaluated on E plus G is constant is called an invariant for E. And we use this term invariant in the remainder of this talk. So since we talk about block ciphers we now want to explain what invariant attacks on block ciphers are, and if we consider such a cipher E on n bits then we can look at each keyed instance E_k, and by definition of a block cipher each keyed instance must be a permutation on F2^n.
And so we are in the case where we have defined what invariants are, and to give some examples, for instance we can always have the empty set as our invariant set, which would correspond to the all-zero function G, or we can define the whole F2^n as our invariant set, which would correspond to the all-one constant function G. And we will call these invariants trivial invariants. And another possible case might be that this invariant set is a linear or an affine subspace U, and this was the first kind of invariant attack that was discovered and it was called the invariant subspace attack, presented by Leander et al. in 2011. And this is a very special case; whenever we are in the general case of not restricting to an affine space then we are in the so-called nonlinear invariant attack, which was presented last year at Asiacrypt. And if for some keys one can find non-trivial invariants for the keyed instance of the cipher then we would say that this cipher is vulnerable to the nonlinear invariant attack. And all keys which allow for this attack are called weak keys for the cipher. So how is it problematic to have such an invariant in the cipher? So the problem is that this can be turned into a distinguisher. So suppose that we know a non-trivial invariant G for E_k; this knowledge of the invariant allows us to distinguish it from a random permutation in the following way. Suppose we are given oracle access O to either the keyed instance or a random permutation. The adversary can choose d plaintexts m_1 up to m_d and then check if for all those plaintexts G(O(m)) + G(m) is constant. And this should hold if we have an invariant G for E_k. So if this holds true then it is more likely that we were given the keyed instance instead of a random permutation. And recently many lightweight ciphers were broken by the invariant attack, which means that a significant fraction of weak keys was found.
And some years ago this was for the invariant subspace attack; there was the attack on PRINTcipher. And the recent attacks used the generalized nonlinear invariant attack. So this leads to our main goal here of this work, which is how to prevent the attack. So the main goal is that given a block cipher, show that there exist no weak keys. In other words, for any k there are only the trivial invariants for the keyed instance, or we can only find the trivial invariants for the keyed instance. And we consider lightweight block ciphers here. And we do the following simplification. First of all we look at substitution-permutation networks and we make the assumption that the adversary uses the same invariant for all layers. So we consider only those invariants G that are both invariant for the S-box layer S and for all the linear layers plus the key addition. This means that we stay in the same invariant set after applying the S-box layer and after applying the linear parts in each round. So we can iterate this invariant over the rounds. And all real attacks we know so far exploit such an iterative structure. The intuition is that it would be really hard if one would use invariants over the whole round, because one has to find an invariant over n bits, and since the round usually has quite good diffusion it would be very hard to find such an invariant. So this is why we make this simplification here. So after I've given this introduction I first want to talk about lightweight SPNs and how to prove resistance against invariant attacks for given lightweight substitution-permutation networks, and in the second part I would like to give some more design criteria on the linear layer and on the choice of the particular round constants. So first we would like to understand the structure of the invariants that are invariants for all these linear parts in the rounds.
So suppose we are given an invariant G which is invariant for two linear layers plus the round key additions. Then by using the definition of the invariant property and putting those equations together we get that G must also be an invariant for the addition of the sum of two round keys, for each two round keys such that G is invariant for L plus this round key addition. And those of you who are familiar with the notion of linear structures see that this is just another way of saying that k_i + k_j is a linear structure of G. And here you can recall the definition of a linear structure: the linear structures of G are defined as all points alpha such that the derivative of G at point alpha is constant. So this leads to the following requirements on an invariant G that fulfills our assumption here. First of all G has to be an invariant for the S-box layer, because we want to stay in the invariant set after applying the S-box layer. And the second requirement boils down to these two points here: first of all, the linear structures of G must contain all the round key differences k_i + k_j. And the second point is that this LS(G) must be an invariant space under L, and this comes from the fact that LS(G) is itself a subspace. So this leads to the question how the key schedule looks like, because this condition depends on the actual choice of the round keys. And since we focus on lightweight SPNs we look at those cases here where a very simple key schedule is employed. So in lots of lightweight ciphers a very simple key schedule is employed where in fact we have the same round key and add round-specific constants to this key. So each round key is defined as the master key plus the addition of a round-specific constant. And when we have this and we look at the sum of two round keys then this is equal to the sum of the round constants, because the addition of the k cancels out.
And then the requirement is that the addition of the round constants lies in the linear structures of G. So the main condition on the invariant is now that first of all G has to be an invariant for the S-box layer. And the second requirement is that when we look at the smallest L-invariant subspace of F2^n that contains all these round constant differences, then this must be a subset of the linear structures of G. And this is in fact the condition which we have shown here, phrased in other words. So in the following we denote this space W_L of the set of differences of round constants as the smallest L-invariant subspace which contains these elements. And now the important observation here is that this condition is independent of the actual key. And we can analyze it even if we don't know the key, because the round constants are publicly known. And when we want to prove that such non-trivial invariants don't exist then we rely on this important observation. So we assume that the S-box layer has no component of algebraic degree 1, which is a good assumption because whenever a block cipher uses an S-box which has a component of degree 1 then the cipher would already be broken using linear cryptanalysis. So in principle no block cipher should have such an S-box. And whenever this is true, then if we can show that the dimension of the smallest L-invariant subspace containing the differences of the round constants is greater or equal to n - 1, where n is the block length, then there are only the trivial invariants that fulfill these two main requirements. Why is this the case?
So if the dimension of this W_L space is greater or equal to n - 1 then the dimension of the linear structures of G must also be greater or equal to n - 1, because the W_L space is a subset of LS(G). But then this means that G is linear or affine, because we know that whenever the linear structures of G are at least 2^(n-1) elements then the function itself must have degree 1. And since we know that the S-box layer does not have a linear or affine component this means that G must be trivial, because otherwise G cannot be invariant for the S-box layer. And this means that whenever the dimension of the W_L space is greater or equal to n - 1 the invariant attack does not apply. And this holds for any reasonable choice of the S-box layer. So this is independent of the S-box; the only thing we have to require is that we don't have a component of algebraic degree 1. Now we look at some block ciphers. So first of all we looked at SKINNY-64 and computed this invariant subspace, and we found out that the dimension of this is 64 and the block length is also 64, so by this observation here the attack does not apply. If you look at PRINCE then we see that the dimension is only 56, so the dimension is too low. For MANTIS7, which is a lightweight tweakable version of PRINCE, this dimension is even lower, and for Midori-64 this dimension is even lower, it's just dimension 16 and too low. So does it mean we cannot say anything here? So we can say something if we use additional properties of the S-box layer. So using the fact that the dimension is not too low here and considering the actual choice of the S-box we are still able to prove that in PRINCE and MANTIS7 the attack does not apply. And now this is not any more independent of the choice of the S-box. For Midori-64 the dimension is just too low and we are not able to prove any resistance here, which should not be possible because Midori-64 is broken by a nonlinear invariant attack.
Okay, so this was the first part on how to prove the resistance. The next part is about giving design criteria on how designers should build the linear layer and how they should choose the round constants. So you can spot a very different behavior in these ciphers. So for instance if you look at SKINNY, the round constants that are chosen are very sparse. So in particular if we look at the differences they are only non-zero at the first 2 nibbles, and still the dimension is full, it's 64. When we look at PRINCE and MANTIS the round constants are very dense, and in fact they were derived from fractional digits of pi so they look very random, but the dimension of the invariant subspace is quite low here. So this leads to the question: are the constants for PRINCE and MANTIS just unluckily chosen, or is there some inherent behavior in the structure that leads to this low dimension? And the fact is that it is a property of the linear layer itself. So when we look at how this smallest invariant subspace that contains an element c is computed, you see that this is spanned by the powers of L applied to c, and this means that when we look at the dimension of W_L(c), this equals the smallest number d for which there exist d + 1 coefficients in F2 such that the polynomial defined by these coefficients, evaluated on L and applied to c, equals 0. And in other words this means that the dimension of W_L(c) equals the degree of the minimal annihilating polynomial of c, which is just defined as the polynomial of smallest degree which, evaluated on L and applied to c, gives 0. And this leads to the first important theorem: there exists a c such that the dimension of W_L(c) equals a number d if and only if d is the degree of a divisor of the minimal polynomial of L, because the minimal annihilating polynomial of any element is always a divisor of the minimal polynomial of the linear layer.
And from this it immediately follows that the maximal dimension we can get for one constant c is the degree of the minimal polynomial of the linear layer. So we have a natural restriction, depending on the given linear layer, on how large this dimension can be. So now if you look at some examples: for SKINNY the minimal polynomial has degree 16 and it splits as (x + 1)^16, and so it follows that there always exists a constant c such that the smallest L-invariant subspace containing c can take dimensions from 1 up to 16. For PRINCE the minimal polynomial splits into these factors and the degree of the minimal polynomial equals 20, so there exists a constant c such that the dimension of the subspace equals 20, and it cannot be more than 20, but you can in principle have any dimension up to 20. For MANTIS and Midori the minimal polynomial only has degree 6, so that means you cannot get a dimension higher than 6. And this is why this dimension is lower for MANTIS and Midori. So now we want to consider more round constants here, and first of all what is important here is that we now use some linear algebra to express this dimension in the general case. So first, whenever we have the degree of the minimal polynomial equal to n we know that there exists a basis such that the matrix of L is equal to the companion matrix of the minimal polynomial, where the companion matrix is defined here depending on the coefficients of the polynomial. And in general, using linear algebra, there always exists a basis such that the matrix of L decomposes into a block diagonal matrix of companion matrices of polynomials q_1 up to q_r, and these polynomials can be ordered in a way that q_r divides q_{r-1}, which divides q_{r-2}, and so on until q_1, which is equal to the minimal polynomial of L. So here we have the companion matrix of the minimal polynomial of L. And this decomposition is in fact unique and these q_1 up to q_r are called the invariant factors of L.
And the important thing we have shown in our work is that this invariant factor decomposition expresses how many constants you need to obtain the full dimension. So suppose we are given this invariant factor decomposition, then one can show that for any number of constants t, the maximal dimension of this W_L space we can get for t constants is the sum of the degrees of the t largest invariant factors of L. And in particular this means that one needs at least r elements to obtain the full space F2^n. So if we look at the examples: for PRINCE we can compute the invariant factor decomposition in this way, and one can see that the maximal dimension you can get here from 5 constants is 58, so since PRINCE uses 5 round constant differences we cannot get better than dimension 58. And since we have 8 invariant factors we need at least 8 elements to get the full space. For MANTIS and Midori we have 16 invariant factors, which means that we need at least 16 elements to get the full space. Here we understand how the dimension looks for 7 and 8 constants. So here is a nice graph which shows the relation of how the maximal dimension increases when we increase the number of constants we use. As the next part we have proven what happens when we choose random round constants, because often randomly chosen round constants are applied. And so we were interested in the probability that t uniformly chosen constants generate the whole space. And this again can be computed from the invariant factors; here I have given the graph which shows that whenever you hit the minimal number of elements you need, then the probability to get the whole space increases rapidly when we add more constants. More details on that can be found in the paper. So to conclude the talk: for these lightweight SPNs with a very simple key schedule we have given an easy algorithmic way to prove the resistance against a large class of invariant attacks.
For those of you who did not understand all the technical details, it's important to remember this simple algorithm, which gets as input the linear layer and the round constant differences, and you have to check the dimension of the linear space which is spanned by the powers of L evaluated on these constant differences. You check if this dimension is greater or equal to n - 1, and whenever this is the case then the attack does not apply. And second, using linear algebra, we gave design criteria on the linear layer, which depend on the invariant factors, and on how designers should choose the round constants accordingly. Previously the constants were often chosen in an ad hoc manner, so now we really have an indication how round constants should be chosen. Future work is: can we avoid the restriction of using the same invariant for each of these building blocks of the cipher? So far all these invariant attacks rely on this restriction. Okay, thanks for your attention, feel free to ask any questions.
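As an added worked example (editor's code, not code from the talk or the paper), the following Python implements the algorithm summarised in this closing section: compute the dimension of W_L(D), the smallest L-invariant subspace containing the round constant differences D, and check whether it is at least n - 1. It also computes the minimal annihilating polynomial of a single constant, whose degree equals dim W_L({c}) as stated in the second part of the talk. The two 16-bit linear layers (mix_nibbles, an involution with minimal polynomial (x+1)^2, and lfsr_step, the companion matrix of a degree-16 polynomial), the round constants and all function names are constructed for this illustration and do not describe any real cipher.

```python
"""Added example: the round-constant check from the talk on toy linear layers.

Everything here is constructed for illustration (not from the talk or paper):
two made-up 16-bit linear layers and made-up round constants.  States are
n-bit Python ints, i.e. vectors over F_2; a linear layer is any function L on
such ints.
"""
from __future__ import annotations
from collections.abc import Callable, Sequence
from typing import Optional

Linear = Callable[[int], int]


class Gf2Span:
    """Incrementally built basis of a subspace of F_2^n.

    Rows are kept fully reduced (each row is the only one with a 1 at its pivot
    bit), so reduce() does not depend on row order.  Each row carries a tag mask
    recording which inserted vectors it is the sum of; minimal_annihilating_poly()
    reads the polynomial off those tags.
    """

    def __init__(self) -> None:
        self.rows: list[tuple[int, int, int]] = []  # (pivot bit, vector, tag mask)

    def reduce(self, v: int, tags: int = 0) -> tuple[int, int]:
        for piv, row, row_tags in self.rows:
            if (v >> piv) & 1:
                v ^= row
                tags ^= row_tags
        return v, tags

    def insert(self, v: int, tag: int = 0) -> Optional[int]:
        """Add v.  Returns None if v enlarged the span; otherwise the tag mask
        (including `tag`) of inserted vectors whose XOR is zero."""
        v, tags = self.reduce(v, tag)
        if v == 0:
            return tags
        piv = v.bit_length() - 1
        # clear the new pivot bit in every existing row to keep rows reduced
        self.rows = [(p, r ^ v, t ^ tags) if (r >> piv) & 1 else (p, r, t)
                     for p, r, t in self.rows]
        self.rows.append((piv, v, tags))
        return None

    @property
    def dim(self) -> int:
        return len(self.rows)


def invariant_subspace_dim(L: Linear, vectors: Sequence[int]) -> int:
    """dim W_L(C): smallest L-invariant subspace containing every c in C.

    Whenever a vector enlarges the span, its image under L is queued; at the
    end L maps every inserted vector into the span, so the span is L-invariant,
    and it is minimal because only terms L^i(c) were ever added."""
    span = Gf2Span()
    todo = list(vectors)
    while todo:
        v = todo.pop()
        if span.insert(v) is None:
            todo.append(L(v))
    return span.dim


def minimal_annihilating_poly(L: Linear, c: int) -> int:
    """Monic q of least degree with q(L)(c) = 0, as a bitmask (bit j <=> x^j).
    The Krylov vectors c, L(c), L^2(c), ... are inserted with tag x^i until one
    is dependent; that dependency is q, and deg q == dim W_L({c})."""
    span = Gf2Span()
    v, i = c, 0
    while True:
        dep = span.insert(v, tag=1 << i)
        if dep is not None:
            return dep
        v, i = L(v), i + 1


def poly_degree(mask: int) -> int:
    return mask.bit_length() - 1


def proves_resistance(L: Linear, n: int, round_constants: Sequence[int]) -> bool:
    """The talk's criterion.  With round keys k_i = k + c_i the differences
    k_i + k_j = c_i + c_j are public; dim W_L of them >= n - 1 leaves only the
    trivial invariants for any S-box layer without a degree-1 component.  The
    span of all pairwise differences equals the span of the c_i + c_0, and W_L
    depends only on that span, so those differences suffice."""
    diffs = [c ^ round_constants[0] for c in round_constants[1:]]
    return invariant_subspace_dim(L, diffs) >= n - 1


N = 16  # toy block length (constructed)


def mix_nibbles(x: int) -> int:
    """Toy layer A (constructed): four 4-bit cells, each output cell is the XOR of
    the other three input cells (M = J + I on cells).  M^2 = I, so the minimal
    polynomial is (x+1)^2 and no single constant can reach dimension above 2."""
    cells = [(x >> (4 * i)) & 0xF for i in range(4)]
    total = cells[0] ^ cells[1] ^ cells[2] ^ cells[3]
    return sum((total ^ cell) << (4 * i) for i, cell in enumerate(cells))


P_LOW = 0x2D  # x^5 + x^3 + x^2 + 1, the low part of p(x) = x^16 + x^5 + x^3 + x^2 + 1


def lfsr_step(x: int) -> int:
    """Toy layer B (constructed): multiplication by x modulo p(x), i.e. the
    companion matrix of p.  Its minimal polynomial is p, of degree n = 16."""
    feedback = P_LOW if (x >> 15) & 1 else 0
    return ((x << 1) & 0xFFFF) ^ feedback


# Constructed, deliberately sparse round constants: differences are e_0..e_3.
TOY_ROUND_CONSTANTS = [0x0000, 0x0001, 0x0002, 0x0004, 0x0008]

if __name__ == "__main__":
    for name, L in (("mix_nibbles", mix_nibbles), ("lfsr_step", lfsr_step)):
        q = minimal_annihilating_poly(L, 0x0001)
        print(f"{name}: resistance proven = {proves_resistance(L, N, TOY_ROUND_CONSTANTS)}, "
              f"deg of annihilating poly of 0x0001 = {poly_degree(q)}")
    for t in (4, 8, 12):  # layer A: dimension grows only with the number of constants
        print(f"mix_nibbles, {t} independent differences -> dim "
              f"{invariant_subspace_dim(mix_nibbles, [1 << i for i in range(t)])}")
```

With the same four sparse differences, the companion-matrix layer reaches the full dimension 16 (a single constant suffices, as its minimal polynomial has degree n), while the involutive layer only reaches 8 and the criterion cannot rule out non-trivial invariants; more constants are needed there, which is the phenomenon the invariant-factor discussion above explains.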