17642 IEEE INTERNET OF THINGS JOURNAL, VOL. 11, NO. 10, 15 MAY 2024

Differential-Invariant Subspace Cryptanalysis—A Real-Time Attack Against IoT-Friendly Word-Based Block Ciphers

Ting Cui, Yi Zhang, Jiyan Zhang, Chenhui Jin, and Shiwei Chen

Abstract—This article considers a new cryptanalysis called differential-invariant subspace cryptanalysis, which can be used to evaluate the security of IoT-friendly word-based block ciphers. This cryptanalysis estimates the behavior of differential propagation for particularly chosen input differences, and applies to ciphers that contain only word-based components, e.g., word-based S-boxes, word-based linear mappings, etc. First, this article proves that, for any word-based block cipher, if the S-box has the differential-invariant subspace property, then a full-round distinguisher with probability 1 follows, even if the target cipher is believed to be resistant enough against traditional differential or linear cryptanalysis. Second, a class of linear-equivalent S-boxes meeting the differential-invariant subspace property is constructed as $L \circ S \circ L^{-1}$, where $L$ is any invertible linear mapping and $S$ is a group of S-boxes in parallel. Finally, as an application, we provide a full-round differential-invariant subspace distinguisher for a variant of Midori128 (the only difference is that the variant utilizes a single type of S-box instead of four types). This distinguisher is experimentally verified and can be executed within negligible time.

Index Terms—Cryptanalysis, differential-invariant subspace cryptanalysis, lightweight cryptography, word-based block cipher.

Manuscript received 10 December 2023; revised 12 January 2024; accepted 22 January 2024. Date of publication 25 January 2024; date of current version 9 May 2024. This work was supported in part by the National Natural Science Foundation of China under Grant 62372463 and Grant 62302518, and in part by the Natural Science Foundation of Henan Province under Grant 222300420100. (Corresponding author: Jiyan Zhang.) The authors are with the Department of Applied Mathematics, PLA SSF Information Engineering University, Zhengzhou 450000, Henan, China (e-mail: [email protected]). Digital Object Identifier 10.1109/JIOT.2024.3358346
2327-4662 © 2024 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See https://www.ieee.org/publications/rights/index.html for more information.

I. INTRODUCTION

IN THE last several decades, block ciphers have been one of the most important cryptographic primitives. Since the proposals of DES and AES, a huge amount of research has been done on the design and the cryptanalysis of block ciphers. Driven by new lightweight applications like the Internet of Things, RFID, etc., many new block cipher designs have been proposed, such as PRESENT [1], KATAN [2], KLEIN [3], LED [4], Piccolo [5], PRINCE [6], and Midori [7], to name a few.

Sometimes, the components of such block ciphers are specifically tailored to meet the requirements of implementation-friendly design. In particular, energy-efficient linear layers (e.g., serial-MDS, almost-MDS, bit-level shuffle, etc.) and nonlinear layers (e.g., smaller S-boxes, structure-based S-boxes, S-boxes with fewer bit-slice gates, etc.) are often employed in lightweight block ciphers at the expense of stronger security properties. As a result, lightweight block ciphers targeting IoT scenarios are often designed more aggressively than traditional block ciphers, and some of them have nearly been broken because such weak components were adopted without full evaluation [8], [9], [10].

For more than three decades, differential cryptanalysis [11] and linear cryptanalysis [12] have been the two most important cryptanalytic tools for evaluating the statistical properties of symmetric primitives. In the early years, most work bounded a primitive's security by the maximum transition probability of a single differential (or linear) characteristic [13], [14]. More recently, researchers have realized that the cluster of differential (or linear) characteristics gives a more accurate security bound [15], [16].

After decades of development, a well-established cryptanalytic toolbox exists, which has built significant confidence in the security estimation of block cipher designs. However, while lightweight designs meet the security requirements of the existing toolbox, some aggressive changes in the designs might give rise to new cryptanalysis methods and finally lead to insecurity. For example, binary (so-called word-based) diffusion layers are popular in the design of IoT-friendly ciphers; however, a potential weakness has been found, namely that binary diffusion layers can lead to clusters with greater transition probabilities [17].

Thus more security requirements appear, most of which can be deduced from the properties of S-boxes. As is well known, the differential uniformity and linearity criteria on the design of the S-box are two significant design requirements against differential and linear cryptanalysis. The huge amount of previous research on S-boxes would make our exposition quite long; we refer to [18], which summarizes very detailed design criteria for S-boxes.

Overall, to design lightweight and secure ciphers, more research on new cryptanalysis methods and on the security requirements of designs, especially requirements for the S-box, is needed today.

Related Works: Among recently proposed cryptanalyses, some focus on the invariant properties of iterative block ciphers. The most famous examples include the invariant subspace attack and the nonlinear invariant attack.
Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY WARANGAL. Downloaded on January 10,2025 at 10:04:58 UTC from IEEE Xplore. Restrictions apply.
The invariant subspace attack was introduced by Leander et al. [19] in the context of PRINTcipher. In their attack, they defined an affine subspace $a \oplus V$ of $\{0,1\}^{mn}$ such that, for the encryption function $E_k$, it holds that
$$E_k(a \oplus V) = a \oplus V.$$
Then $a \oplus V$ is called an invariant subspace of $E_k$, and the keys $k$ for which the equation holds are called weak keys.

The nonlinear invariant attack was proposed at ASIACRYPT 2016, where Todo et al. [8] applied it to several lightweight block ciphers. A Boolean function $f : \{0,1\}^{mn} \to \{0,1\}$ is called a nonlinear invariant for $E_k$ if and only if there exists a constant $c \in \{0,1\}$ such that, for all $x \in \{0,1\}^{mn}$,
$$f(x) \oplus f(E_k(x)) = c,$$
where the constant $c$ depends on the key $k$.

Our Contribution: In this article, we introduce a new cryptanalytic technique that considers an invariant subspace property of differential propagation, named the differential-invariant subspace attack. The attack targets word-based block ciphers, i.e., ciphers that contain only word-based operations (e.g., SKINNY [20], Liliput [21], LBlock [22], E2 [23], etc.). Our contribution includes the following.

1) In our cryptanalysis, we consider for the first time a new kind of invariant property, named the differential-invariant subspace property. This property asks for a subspace $V$ of $\{0,1\}^{mn}$ such that, for an $mn$-bit block cipher, whenever the input difference is chosen from $V$, the output difference always falls into the same subspace, i.e.,
$$E_k(x) \oplus E_k(x \oplus V) = V.$$
For a random permutation, on the other hand, the probability that the output difference of such a pair falls into the subspace is only about $2^{m(\dim(V) - n)}$ (with $V$ built word-wise from an $n$-bit word subspace, as in Section III). Therefore, an attacker can immediately execute a practical distinguishing attack. Note that, unlike the invariant subspace attack and the nonlinear invariant attack, this new attack is a chosen-plaintext attack that is key-independent.

2) As mentioned above, many recent block ciphers have been designed for lightweight applications, adopting more aggressive designs to achieve better performance. Among them, several ciphers deploy only word-based operations in all rounds. Our attack builds the differential-invariant subspaces of these word-based ciphers from those of the word-based operations. In particular, the differential-invariant subspaces of the S-boxes carry over trivially to the single-round function, and iterate over an arbitrary number of rounds.

3) We study the differential-invariant subspace property of S-boxes. For a given S-box, we provide a method to find its possible differential-invariant subspaces. Furthermore, we build the link between the differential-invariant subspace and the differential distribution table, and point out that if the differential-invariant subspace property holds for an S-box $S$, then $S$ can always be decomposed into the so-called ASA construction provided by Biryukov et al. in 2001. As an application, a variant of Midori128 (which employs a single S-box instead of four) is broken practically, regardless of its key schedule.

Organization: Section II introduces basic notation and definitions. Section III introduces the basic idea of differential-invariant subspace cryptanalysis. Section IV focuses on the differential-invariant subspace property of S-boxes, and Section V describes an attack on the variant Midori128. Finally, Section VI concludes this article.

II. FUNDAMENTALS

Symbols used in this article:
$n$: word size of a word-based cipher.
$\oplus$: XOR operation.
$g \circ f$: composition of $f$ and $g$, i.e., $g \circ f(x) = g(f(x))$.
$\mathbf{1}$: identity mapping, i.e., $\mathbf{1}(x) = x$ for all $x$.
$\mathbf{0}$: zero mapping, i.e., $\mathbf{0}(x) = 0$ for all $x$.
$M^\tau$: transpose of the matrix $M$.
$\mathcal{M}(n)$: set of all mappings over $\{0,1\}^n$.
$\dim(V)$: dimension of the linear subspace $V$.
$\#\bullet$: cardinality of the set $\bullet$.

A. Word-Based Block Cipher

In this article, we mainly consider word-based block ciphers, with word size $n$. The iterative round $E$ employs one unified $n$-bit S-box $S$, and the operation connecting one $n$-bit data line with another is word-wise XOR. To characterize such a block cipher, we first introduce the concept of a word-based block cipher.

Definition 1: Let $F = (f_{i,j})_{m \times m}$ be a matrix defined over $\mathcal{M}(n)$. For any input $X = (x_1, x_2, \dots, x_m) \in \{0,1\}^{nm}$, $Y = F(X) := (y_1, y_2, \dots, y_m)$ is defined by
$$y_i = \bigoplus_{1 \le j \le m} f_{i,j}(x_j),$$
where $\mathcal{M}(n)$ denotes the set of all mappings over $\{0,1\}^n$. Let $E$ be one single round of an $mn$-bit iterative block cipher and $F_E$ a matrix over $\mathcal{M}(n)$. If $E(X) = F_E(X)$ holds for every $X = (x_1, x_2, \dots, x_m)$, then $F_E$ is called the matrix representation of $E$.

Definition 2: Let $E$ be one single round of an $mn$-bit iterative block cipher and $F_E = (f_{i,j})_{m \times m}$ its matrix representation. If there exists an $n$-bit permutation $S$ such that $f_{i,j} \in \{\mathbf{0}, \mathbf{1}, S\}$ for all $1 \le i, j \le m$, then $E$ is called a word-based block cipher, and $n$ is called the word size.

Example 1: Let $E_0$ be the iterative round of a block cipher (see Fig. 1) in which four identical S-boxes are applied in parallel to the branches of the input $(x_1, x_2, x_3, x_4)$, and the output is then run through the linear mapping $L$ defined by
$$L(a_1, a_2, a_3, a_4) = \begin{pmatrix} 0 & 1 & 1 & 1 \\ 1 & 0 & 1 & 1 \\ 1 & 1 & 0 & 1 \\ 1 & 1 & 1 & 0 \end{pmatrix} \begin{pmatrix} a_1 \\ a_2 \\ a_3 \\ a_4 \end{pmatrix}.$$
Then the matrix representation is
$$F_{E_0} = \begin{pmatrix} \mathbf{0} & S & S & S \\ S & \mathbf{0} & S & S \\ S & S & \mathbf{0} & S \\ S & S & S & \mathbf{0} \end{pmatrix}.$$

Fig. 1. Round function of a word-based cipher $E_0$.

Example 2: Let $E_0$ be the iterative round of the block cipher LBLOCK (see Fig. 2). Then the input $X = (x_1, \dots, x_{16})$ and the output $Y = (y_1, \dots, y_{16})$ satisfy
$$Y = F_{E_0}(X),$$
where $F_{E_0} = (f_{i,j})_{m \times m}$ is the matrix representation of $E_0$ and
$$f_{i,j} = \begin{cases} S, & (i,j) \in I, \\ \mathbf{0}, & \text{otherwise}. \end{cases}$$
(The S-box of LBLOCK is denoted by $S$, and the set of index pairs is $I = \{(1,9), (2,10), (3,11), (4,12), (5,13), (6,14), (7,15), (8,16), (9,7), (9,10), (10,8), (10,12), (11,1), (11,9), (12,2), (12,11), (13,3), (13,14), (14,4), (14,16), (15,5), (15,13), (16,6), (16,15)\}$.)

Typical examples of word-based block ciphers include not only many (generalized) Feistel-like ciphers but also several well-known SPN ciphers. Thanks to the low cost of its diffusion operations, a word-based block cipher seems a quite favorable choice for designers of lightweight block ciphers. We point out later that when designers adopt such a structure, they should be careful to choose S-boxes that avoid the differential-invariant subspace property.

B. Review of the Differential Distribution Table

The proposals of the differential attack [11] and the linear attack [12] impose basic criteria on the design of S-boxes. In the design of most block ciphers, the differential and linear properties of the S-boxes are evaluated carefully.

The differential attack exploits the nonuniform distribution of the output differences when the inputs are chosen with a fixed difference. In order to check whether an S-box-based block cipher resists differential attacks, the differential probability of the S-box is used to quantify the resistance of an S-box against differential attacks.

Definition 3 [11]: Let $f : \{0,1\}^n \to \{0,1\}^n$ be a vectorial Boolean function and $a, b \in \{0,1\}^n$. Then
$$\Pr_f(a \to b) = \frac{1}{2^n}\,\#\{x \in \{0,1\}^n : f(x) \oplus f(x \oplus a) = b\}$$
is said to be the probability of the differential $a \to b$.

By this definition, for any vectorial mapping $f$, the differential $a \to b$ is possible if and only if $\Pr_f(a \to b) > 0$. Arranging the values $\Pr_f(a \to b)$ for all differentials $a \to b$ in a $2^n \times 2^n$ table gives the Differential Distribution Table (DDT) of $f$; the entry at position $(a, b)$ of the DDT is $\mathrm{DDT}_f(a, b) = \Pr_f(a \to b)$.

Definition 4: Let $S : \{0,1\}^n \to \{0,1\}^n$ be an $n$-bit bijective S-box. If there exists a nontrivial subspace $V \subsetneq \{0,1\}^n$ such that, for any $\alpha \in V$, it holds that
$$\sum_{\beta \in V} \Pr_S(\alpha \to \beta) = 1,$$
then $V$ is called a differential-invariant subspace of $S$.

Immediately, we have the following observation.

Observation 1: Let $V$ be a $k$-dimensional differential-invariant subspace of $S$. Then, for any $\beta_0 \in V$, it holds that
$$\sum_{\alpha \in V} \Pr_S(\alpha \to \beta_0) = 1.$$

Proof: By the definition of a differential-invariant subspace, and because $S$ is bijective so that every column of its DDT also sums to 1, we have
$$\sum_{\alpha \in V} \Big( \sum_{\beta \in V} \Pr_S(\alpha \to \beta) \Big) = 2^k \cdot 1 = \sum_{\beta \in V} \Big( \sum_{\alpha \in \{0,1\}^n} \Pr_S(\alpha \to \beta) \Big),$$
which indicates that
$$\sum_{\beta \in V} \sum_{\alpha \in \{0,1\}^n \setminus V} \Pr_S(\alpha \to \beta) = 0,$$
i.e., for any $\alpha \in \{0,1\}^n \setminus V$ and $\beta_0 \in V$, we have $\Pr_S(\alpha \to \beta_0) = 0$. Therefore
$$\sum_{\alpha \in V} \Pr_S(\alpha \to \beta_0) = \sum_{\alpha \in \{0,1\}^n} \Pr_S(\alpha \to \beta_0) - \sum_{\alpha \in \{0,1\}^n \setminus V} \Pr_S(\alpha \to \beta_0) = 1.$$
Thus, we end the proof.

The differential-invariant subspace $V$ can be treated as a subspace of $\{0, 1, \dots, 2^n - 1\}$: if the input difference of $S$ is chosen from $V$, then every possible output difference falls into the same subspace as well. In addition, if the output difference of $S$ falls into $V$, then by Observation 1 one can predict that the input difference was also chosen from $V$.

III. FRAMEWORK OF DIFFERENTIAL-INVARIANT SUBSPACE CRYPTANALYSIS

In this section, we always assume that the differential-invariant subspace property holds for the bijective S-box; the rationality of this hypothesis is discussed later. On this basis, the core idea follows.

Differential-invariant subspace cryptanalysis considers the behavior of a differential property. In particular, it tracks $m$ data branches whose differences are chosen from the differential-invariant subspace, i.e., we choose
$$(\alpha_1, \alpha_2, \dots, \alpha_m) \in V^m$$
as our input difference, where $V$ denotes the differential-invariant subspace of the S-box.

By its definition, a word-based block cipher $E$ contains only one kind of S-box $S$, of width one word, word-based shuffles, and word-based XORs (a constant XOR has no effect on the differential property, so we ignore


the subkey XOR for simplicity). Then, for any input difference chosen from $V$ on each branch, the output differences always belong to the same subspace.

Fig. 2. Round function of LBLOCK.

Fig. 3. Invariant subspace properties of basic operations.

Three properties of the basic operations in $E$ are summarized as follows.
1) Since $V$ is a subspace of $\{0,1\}^n$, for any $\alpha, \beta \in V$ we always have $\alpha \oplus \beta \in V$, i.e., if the differences at two branches are both chosen from $V$, then the XOR of these two differences still lies in the same subspace.
2) By Definition 4, if the input difference of the bijective S-box is chosen from $V$, then the output difference(s) always fall into the same space $V$.
3) Trivially, since the word-level shuffle moves the $i$th branch as a whole into the $j$th position (the positions $i, j$ are determined by the shuffle), if the input difference at the $i$th branch is chosen from $V$, then the output difference at the $j$th output branch is the same value and hence still lies in $V$.
These properties are illustrated in Fig. 3.

By the definition of a word-based block cipher, every entry of the matrix representation of $E$ is one of $\mathbf{0}$, $\mathbf{1}$, or $S$; therefore each output branch $y_\bullet$ of one round function $E$ can be written as
$$y_\bullet = \bigoplus_{j \in I_1} x_j \oplus \bigoplus_{k \in I_2} S(x_k),$$
where $I_1, I_2$ are two subsets of $\{1, 2, \dots, m\}$.

As a result, for the $i$th round input $X_i \in \{0,1\}^{mn}$ with difference $\Delta_i \in V^m$, the $i$th round output difference satisfies
$$\Delta_{i+1} = E(X_i) \oplus E(X_i \oplus \Delta_i) \in V^m.$$

For brevity, we denote $X_i = E(X_{i-1})$. Consequently, for $r$ iterated rounds of $E$, the output difference of $E^r$ for an input difference chosen from $V^m$ is
$$E^r(X_0) \oplus E^r(X_0 \oplus \Delta_0) = E^{r-1}(E(X_0)) \oplus E^{r-1}(E(X_0 \oplus \Delta_0)) = E^{r-1}(X_1) \oplus E^{r-1}(X_1 \oplus \Delta_1) = \cdots = E(X_{r-1}) \oplus E(X_{r-1} \oplus \Delta_{r-1}) \in V^m.$$
This invariant is preserved over an arbitrary number of rounds and immediately leads to a distinguishing attack.

Distinguishing Attack: Assume that we have a nontrivial subspace $V \subsetneq \{0,1\}^n$ that is a differential-invariant subspace of the S-box $S$ of a word-based block cipher $E^r$ as defined above; then $V^m$ is a differential-invariant subspace of $E^r$. Take the $N = 2^{m \cdot \dim(V)}$ plaintexts $\{P \oplus \alpha : \alpha \in V^m\}$ for some fixed $P$. Then $E^r(X_1) \oplus E^r(X_2)$ falls into the Cartesian product $V^m$ for every pair $(X_1, X_2)$ of these plaintexts. For a random permutation $R : \{0,1\}^{mn} \to \{0,1\}^{mn}$, on the other hand, the probability that $R(X_1) \oplus R(X_2)$ falls into $V^m$ is merely about $2^{-m(n - \dim(V))}$ for any such pair. Therefore, we can practically distinguish the block cipher $E^r$ from a random permutation under a chosen-plaintext attack; a few pairs already suffice, since each pair passes the test for a random permutation only with that probability.

Since the differential-invariant subspace property can lead to serious security problems, it must be avoided when a word-based block cipher is designed. The next section studies the existence of the property further and focuses on what kind of S-boxes produce it.

IV. DIFFERENTIAL-INVARIANT SUBSPACES OF S-BOXES

Owing to the analysis above, the existence of a differential-invariant subspace directly leads to a practical distinguishing attack on the word-based block cipher. Therefore, the two most important remaining questions are as follows.
1) How to detect the differential-invariant subspaces of a given S-box?
2) What is the structure of the S-boxes that contain differential-invariant subspaces?
We handle these two problems in this section.

A. Finding Differential-Invariant Subspaces of a Given S-Box

For the first question, we start from the definition of differential-invariant subspace.
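Before the detection problem is taken up in Theorem 1 and Algorithm 1, the following added example (written for this edit, not code from the paper) runs the distinguishing attack of Section III on a toy 32-bit word-based cipher with $m = 4$ branches of $n = 8$ bits. Its round has the Example 1 structure: one 8-bit S-box on every branch, a word shuffle, the binary almost-MDS matrix $M$ of Example 1, and a round-key XOR. The S-box is constructed here as two copies of PRESENT's 4-bit S-box acting on the even and on the odd bits of a byte, so the differences supported on even bits only ($d \,\&\, \mathtt{0xAA} = 0$) form a 4-dimensional differential-invariant subspace $V$. The S-box choice, the shuffle, the seed, the keys and the keyed hash standing in for a random permutation are all assumptions of the example.

```python
# Added example, not code from the paper: the Section III distinguishing attack on
# a toy 32-bit word-based cipher (m = 4 branches of n = 8 bits). All tables, keys
# and the "random" reference function are constructed for this demonstration.
import hashlib
import random
from itertools import combinations

# PRESENT's 4-bit S-box, used only as a convenient optimal 4-bit permutation.
SB4 = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
       0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def split_even_odd(x):
    """Nibble of the even bits (0,2,4,6) and nibble of the odd bits (1,3,5,7)."""
    even = sum(((x >> (2 * i)) & 1) << i for i in range(4))
    odd = sum(((x >> (2 * i + 1)) & 1) << i for i in range(4))
    return even, odd

def merge_even_odd(even, odd):
    return (sum(((even >> i) & 1) << (2 * i) for i in range(4))
            | sum(((odd >> i) & 1) << (2 * i + 1) for i in range(4)))

def build_parallel_sbox():
    """8-bit S-box p^-1 o (SB4 || SB4) o p with p the even/odd bit split.
    Differences touching only even bits (d & 0xAA == 0) form a differential-
    invariant subspace V: the odd nibbles of a pair stay equal, so the odd
    output nibbles stay equal too."""
    return [merge_even_odd(SB4[e], SB4[o]) for e, o in map(split_even_odd, range(256))]

SBOX_PARALLEL = build_parallel_sbox()
V_MASK = 0xAA                               # d in V  <=>  d & V_MASK == 0
M_ROWS = [0b0111, 0b1011, 0b1101, 0b1110]   # almost-MDS matrix of Example 1, row-major
SHUFFLE = [1, 2, 3, 0]                      # output word i takes input word SHUFFLE[i]

def round_function(words, rk, sbox):
    """One word-based round: S-box on every word, word shuffle, MixColumn, key XOR."""
    s = [sbox[w] for w in words]
    s = [s[SHUFFLE[i]] for i in range(4)]
    mixed = []
    for row in M_ROWS:
        acc = 0
        for j in range(4):
            if (row >> (3 - j)) & 1:        # bit 3 of the row mask is column 0
                acc ^= s[j]
        mixed.append(acc)
    return [m ^ k for m, k in zip(mixed, rk)]

def encrypt(words, round_keys, sbox=SBOX_PARALLEL):
    for rk in round_keys:
        words = round_function(words, rk, sbox)
    return words

def diff_in_subspace(c1, c2, mask=V_MASK):
    """True iff c1 XOR c2 lies in V^4, i.e. every word difference lies in V."""
    return all(((a ^ b) & mask) == 0 for a, b in zip(c1, c2))

def random_function(words):
    """Keyed hash standing in for a random 32-bit permutation (an assumption)."""
    return list(hashlib.blake2b(bytes(words), key=b"toy-reference",
                                digest_size=4).digest())

def count_pairs_in_subspace(oracle, base, rng, num_pt=64):
    """Chosen plaintexts base XOR alpha, alpha in V^4; returns
    (pairs whose output difference lies in V^4, number of pairs)."""
    alphas = set()
    while len(alphas) < num_pt:
        alphas.add(tuple(rng.randrange(256) & ~V_MASK & 0xFF for _ in range(4)))
    outputs = [oracle([b ^ a for b, a in zip(base, alpha)]) for alpha in alphas]
    hits = sum(diff_in_subspace(c1, c2) for c1, c2 in combinations(outputs, 2))
    return hits, len(outputs) * (len(outputs) - 1) // 2

def run(num_rounds=20, seed=2024):
    rng = random.Random(seed)
    keys = [[rng.randrange(256) for _ in range(4)] for _ in range(num_rounds)]
    base = [rng.randrange(256) for _ in range(4)]
    with_dis = count_pairs_in_subspace(lambda w: encrypt(w, keys), base, rng)
    reference = count_pairs_in_subspace(random_function, base, rng)
    # Same rounds and keys, but an S-box without the property: no invariant survives.
    plain_sbox = list(range(256))
    rng.shuffle(plain_sbox)
    without_dis = count_pairs_in_subspace(lambda w: encrypt(w, keys, plain_sbox), base, rng)
    return {"word_based_with_DIS": with_dis, "random_function": reference,
            "word_based_random_sbox": without_dis}

if __name__ == "__main__":
    for name, (hits, total) in run().items():
        print(f"{name}: {hits}/{total} pairs with output difference in V^4")
```

With 64 chosen plaintexts $P \oplus \alpha$, $\alpha \in V^4$, all 2016 ciphertext pairs of the word-based cipher have their difference in $V^4$ after 20 rounds, whatever the round keys, while the reference function and the same round structure with a random 8-bit S-box (which lacks the property) land in $V^4$ with probability about $2^{-m(n-\dim V)} = 2^{-16}$ per pair.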


Theorem 1: Let $V$ be a differential-invariant subspace of an $n$-bit bijective S-box $S$ and $i \in V$. If $\Pr_S(i \to j) > 0$, then $j \in V$.

Proof: Since $i \in V$, we have
$$\sum_{j \in V} \Pr_S(i \to j) = 1,$$
and since the probabilities over all $j \in \{0,1\}^n$ also sum to 1, this indicates that $\{j : \Pr_S(i \to j) > 0\} \subset V$.

Therefore, for any $i \in V$, we must add the element $j$ to the subspace $V$ whenever $\Pr_S(i \to j) > 0$. More precisely, once we have confirmed that $\{i_1, i_2, \dots, i_r\} \subset V$, we check all the nonzero entries in the rows $i_1, i_2, \dots, i_r$ of $\mathrm{DDT}_S$; denoting the column coordinates of these entries by $j_1, j_2, \dots, j_k$, we update the subspace $V$ to
$$\mathrm{Span}\langle i_1, i_2, \dots, i_r, j_1, j_2, \dots, j_k \rangle,$$
where $\mathrm{Span}\langle \cdot \rangle$ denotes the space spanned by the listed elements.

This subspace grows recursively until, for every $i \in V$, the column coordinates of all nonzero entries in the $i$th row of the DDT fall into $V$. If we finally obtain $V \ne \{0,1\}^n$, then we have successfully found a differential-invariant subspace of the target S-box $S$. The process is summarized in Algorithm 1; by Observation 1, the nonzero entries of the columns indexed by $V$ may be used in the same way, which is why the algorithm scans both the row and the column of each element.

Algorithm 1: Searching for Nontrivial Differential-Invariant Subspaces of an n-Bit S-Box
Input: n-bit S-box S[N], N = 2^n
Output: the set of all nontrivial subspaces V with sum_{b in V} Pr_S[a -> b] = 1 for every a in V
    Store the differential distribution table D[N][N] of S
    for each a in F_2^n \ {0} do
        record[i] <- 0 for i = 0, ..., N - 1            // record[i] = 1 iff i has been added to V_a
        length <- 0; V_a[0] <- a; record[a] <- 1        // V_a holds length + 1 elements
        point <- 0                                      // next element of V_a whose row and column are scanned
        while true do
            for i <- 0 to N - 1 do
                if record[i] = 0 and (D[V_a[point]][i] != 0 or D[i][V_a[point]] != 0) then
                    length <- length + 1; V_a[length] <- i; record[i] <- 1   // add the new nonzero element i
                end
            end
            point <- point + 1
            if point = length + 1 then                  // every element of V_a has been scanned
                if length = N - 2 or length = 0 then
                    break                               // V_a is a trivial subspace
                end
                compute the dimension dim and a basis basis[0], ..., basis[dim - 1] of Span<V_a> by Gaussian elimination
                temp <- length                          // temp records the current size of V_a
                for each b in F_2^n \ {0} do
                    if b is a linear combination of basis[0], ..., basis[dim - 1] and record[b] = 0 then
                        length <- length + 1; V_a[length] <- b; record[b] <- 1   // fill V_a up to a subspace
                    end
                end
                if temp = length then                   // V_a is closed: a differential-invariant subspace generated from a
                    length <- length + 1; V_a[length] <- 0
                    store V_a in the output set
                    break
                end
            end
        end
    end
    Output the stored subspaces

B. Mathematical Description of the Differential-Invariant Subspace

In this section, we take a deeper look at the differential-invariant subspace property of the S-box. Our goal is to characterize the structure of the S-boxes with this property. Our journey starts from linear equivalence [24].

Let $S$ and $S'$ be two $n$-bit S-boxes. If there exist two invertible linear mappings $L_0$ and $L_1$ such that
$$S'(x) = L_1 \circ S \circ L_0(x),$$
then $S$ and $S'$ are called linear-equivalent (LE) [24]. Under the LE framework, the basic properties of S-boxes, such as the maximum differential probability, the linear correlation properties, the algebraic degree, etc., remain invariant. We can establish a relation between $\mathrm{DDT}_S$ and $\mathrm{DDT}_{S'}$.

Lemma 1: Let $M_0, M_1$ be two invertible $n \times n$ matrices, and let $S$ and $S'$ be two LE S-boxes with $S'(x) = M_1 \circ S \circ M_0(x)$. Then
$$\mathrm{DDT}_{S'}(i, j) = \mathrm{DDT}_S(M_0\, i,\ M_1^{-1} j).$$

Proof: Write $\mathrm{DDT}_S(i, j) = D_S(i, j)/2^n$. Then
$$D_{S'}(i, j) = \#\{x : S'(x) \oplus S'(x \oplus i) = j\} = \#\{x : M_1 \circ S \circ M_0(x) \oplus M_1 \circ S \circ M_0(x \oplus i) = j\} = \#\{x : S \circ M_0(x) \oplus S \circ M_0(x \oplus i) = M_1^{-1} j\}.$$
Denote $M_0(x)$ by a new variable $y$; since $M_0$ is linear and invertible, $x \mapsto y$ is a bijection and $M_0(x \oplus i) = y \oplus M_0\, i$, so
$$D_{S'}(i, j) = \#\{y : S(y) \oplus S(y \oplus M_0\, i) = M_1^{-1} j\} = D_S(M_0\, i,\ M_1^{-1} j),$$
and thus $\mathrm{DDT}_{S'}(i, j) = \mathrm{DDT}_S(M_0\, i,\ M_1^{-1} j)$.

Theorem 2: Let $V$ be a $k$-dimensional ($1 \le k < n$) differential-invariant subspace of an $n$-bit S-box $S$. Then there exists an S-box $S'$ LE to $S$ such that, for any $0 \le i \le 2^k - 1$ and $2^k \le j \le 2^n - 1$, it holds that $\mathrm{DDT}_{S'}(i, j) = \mathrm{DDT}_{S'}(j, i) = 0$.

Proof: Let $\{\eta_1, \eta_2, \dots, \eta_k\}$ be a basis of $V$. Since $V \subset \{0,1\}^n$, there exist $n - k$ vectors $\theta_1, \theta_2, \dots, \theta_{n-k}$ such that $\{\eta_1, \dots, \eta_k, \theta_1, \dots, \theta_{n-k}\}$ forms a basis of $\{0,1\}^n$.


Let $\{\varepsilon_1, \varepsilon_2, \dots, \varepsilon_n\}$ be the unit basis of $\{0,1\}^n$. We can find an $n \times n$ matrix $P$ such that
$$(\eta_1, \dots, \eta_k, \theta_1, \dots, \theta_{n-k}) = (\varepsilon_1, \varepsilon_2, \dots, \varepsilon_n)\, P,$$
i.e., the columns of $P$ are the coordinates of $\eta_1, \dots, \eta_k, \theta_1, \dots, \theta_{n-k}$. Denote $S' = P^{-1} \circ S \circ P$. For any $i \in V$, write
$$i = (\eta_1, \dots, \eta_k, \theta_1, \dots, \theta_{n-k})\, (i_1, i_2, \dots, i_k, 0, \dots, 0)^\tau;$$
then
$$P^{-1} i = P^{-1} (\varepsilon_1, \dots, \varepsilon_n)\, P\, (i_1, \dots, i_k, 0, \dots, 0)^\tau = (\varepsilon_1, \dots, \varepsilon_n)\, P^{-1} P\, (i_1, \dots, i_k, 0, \dots, 0)^\tau = (\varepsilon_1, \dots, \varepsilon_n)\, (i_1, \dots, i_k, 0, \dots, 0)^\tau.$$
In other words,
$$\{P^{-1} i : i \in V\} = \{0, 1, \dots, 2^k - 1\} = \mathrm{Span}\langle \varepsilon_1, \varepsilon_2, \dots, \varepsilon_k \rangle =: V'.$$
According to Lemma 1 (with $M_1 = P^{-1}$ and $M_0 = P$), for any $(i, j) \in V \times V$ we have
$$\mathrm{DDT}_{S'}(i, j) = \mathrm{DDT}_S(P\, i,\ P\, j),$$
and consequently
$$\mathrm{DDT}_S(i, j) = \mathrm{DDT}_{S'}(P^{-1} i,\ P^{-1} j).$$
Since $V$ is a differential-invariant subspace, for any $i \in V$ (or equivalently $r := P^{-1} i \in V'$) we have
$$1 = \sum_{j \in V} \mathrm{DDT}_S(i, j) = \sum_{j \in V} \mathrm{DDT}_{S'}(P^{-1} i,\ P^{-1} j) = \sum_{k' \in V'} \mathrm{DDT}_{S'}(r, k'),$$
where $k' := P^{-1} j$ runs over $V'$ as $j$ runs over $V$. Hence every row of $\mathrm{DDT}_{S'}$ indexed by $V' = \{0, \dots, 2^k - 1\}$ has all its nonzero entries in the columns indexed by $V'$, i.e., $\mathrm{DDT}_{S'}(i, j) = 0$ for $i < 2^k \le j$; applying Observation 1 to the bijective S-box $S'$ and its differential-invariant subspace $V'$ gives $\mathrm{DDT}_{S'}(j, i) = 0$ for the same pairs. The DDT of $S'$ is shown schematically in Fig. 4. Interestingly, this structure is quite similar to the ASA construction mentioned in Biryukov and Shamir's work [25].

Fig. 4. DDT of $S' := P^{-1} \circ S \circ P$.

The following theorem follows directly from Theorem 2.

Theorem 3: The $n$-bit S-box $S$ has a differential-invariant subspace if and only if there exist a linear permutation $P : \{0,1\}^n \to \{0,1\}^n$, a $k$-bit bijective S-box $S_1$ and an $(n - k)$-bit bijective S-box $S_2$, $0 < k < n$, such that $P^{-1} \circ S \circ P = S_1 \| S_2$.

Proof: ($\Rightarrow$) If the S-box $S$ has a differential-invariant subspace
$$V_1 = \mathrm{Span}\langle \eta_1, \eta_2, \dots, \eta_k \rangle \subset \{0,1\}^n,$$
then, based on the proof of Theorem 2, there exists a linear transformation $P : \{0,1\}^n \to \{0,1\}^n$ such that, for any input difference $i = (i_1, \dots, i_k, 0, \dots, 0) \in \{0,1\}^n$, every output difference of $P^{-1} \circ S \circ P$ can be written as
$$j = (j_1, \dots, j_k, 0, \dots, 0) \in \{0,1\}^n.$$
Similarly, for any $i = (0, \dots, 0, i_1, \dots, i_{n-k}) \in \{0,1\}^n$, every output difference of $P^{-1} \circ S \circ P$ can be written as
$$j = (0, \dots, 0, j_1, \dots, j_{n-k}) \in \{0,1\}^n.$$
Thus $(P^{-1} \circ S \circ P)(x_1 \| x_2) = S_1(x_1) \| S_2(x_2)$ holds for any $x_1 \in \{0,1\}^k$, $x_2 \in \{0,1\}^{n-k}$.

($\Leftarrow$) If $P^{-1} \circ S \circ P = S_1 \| S_2$, then for every input difference $i = (i_1, \dots, i_k, 0, \dots, 0) \in \{0,1\}^n$ only $S_1$ is affected, so every output difference of $S_1 \| S_2$ has the form $(j_1, \dots, j_k, 0, \dots, 0)$ with $(j_1, \dots, j_k) \in \{0,1\}^k$ an output difference of $S_1$. Hence $\mathrm{Span}\langle \varepsilon_1, \dots, \varepsilon_k \rangle$ is a differential-invariant subspace of $S_1 \| S_2$, and by Lemma 1 its image $\{P\, i : i \in \mathrm{Span}\langle \varepsilon_1, \dots, \varepsilon_k \rangle\}$ is a differential-invariant subspace of $S = P \circ (S_1 \| S_2) \circ P^{-1}$.

Fig. 5. Schematic of an S-box satisfying the differential-invariant subspace property.

By the analysis above, if $S$ contains a $k$-dimensional differential-invariant subspace, then we can always find a $k$-bit S-box $S_1$ and an $(n - k)$-bit S-box $S_2$ such that $S$ is LE to the S-box constructed by connecting $S_1$ and $S_2$ in parallel (see Fig. 5). Conversely, for any linear permutation $P : \{0,1\}^n \to \{0,1\}^n$ and any such $S_1$, $S_2$, the linear-equivalent S-box $P \circ (S_1 \| S_2) \circ P^{-1}$ has, according to Theorem 3, both a $k$-dimensional and an $(n - k)$-dimensional differential-invariant subspace.

If the differential-invariant subspace property holds for a 4-bit S-box, the minimum of $k$ and $4 - k$ can only be 1 or 2. Since every $1 \times 1$ or $2 \times 2$ bijective S-box is affine, the S-box then has an affine component function, which is detected by its Walsh spectrum. Thus, if the $4 \times 4$ S-box is chosen from the optimal S-boxes, we never meet the differential-invariant subspace property with respect to a 4-bit word size of the entire cipher.

Accordingly, for an $8 \times 8$ S-box $S_8$, if it contains a differential-invariant subspace then its dimension $k$ is 1, 2, 3, or 4 (up to taking the complement), which indicates that $S_8$ is LE to two S-boxes of $(1/7, 2/6, 3/5, 4/4)$ bits in parallel. Consequently, the maximum differential probability of $S_8$ is never lower than that of the smaller of the two S-boxes, and hence never lower than the bound $2^{-2}$ of the optimal 4-bit S-boxes.

An interesting observation is that, for a word-based block cipher, the word size may take different values. For example, a 64-bit traditional Feistel block cipher can trivially be treated as a word-based block cipher with word size 32 bits. Apparently, if its round function can also be treated as a 4- or 8-bit word-based function, then the entire block cipher is also a 4- or 8-bit word-based block cipher. For this reason, we need to check all the potential word sizes of a block cipher, and Algorithm 1 might be helpful.

TABLE I: SHUFFLECELL IN MIDORI128

Fig. 6. Structures of the 8-bit S-boxes in Midori128.

TABLE II: DIFFERENTIAL-INVARIANT SUBSPACES OF THE 8-BIT S-BOXES IN MIDORI128
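As an added example (written for this edit, not the paper's own code), the following Python block implements Algorithm 1 over the counting DDT and the change of basis $S' = P^{-1} \circ S \circ P$ from the proof of Theorem 2. It is run on PRESENT's 4-bit S-box, an optimal S-box that has no differential-invariant subspace, and on a constructed 8-bit S-box $L \circ (Sb \| Sb) \circ L^{-1}$ with a random invertible binary matrix $L$ (the construction of the abstract and of Theorem 3): the search must recover exactly the two hidden 4-dimensional subspaces $L(\{(x, 0)\})$ and $L(\{(0, y)\})$, and conjugating by the $P$ built from a basis of a recovered subspace must yield the block-structured DDT of Fig. 4. The matrix conventions, the seed and the `min_dim` parameter are assumptions of the example; unlike the paper's pseudocode, the search keeps 1-dimensional subspaces.

```python
# Added example, not the paper's code: Algorithm 1 over the counting DDT, plus the
# change of basis from the proof of Theorem 2. Conventions and the seed are assumed.
import random

SB4 = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
       0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]          # PRESENT's 4-bit S-box

def ddt(sbox):
    """Counting DDT: table[a][b] = #{x : S(x) ^ S(x ^ a) = b} = 2^n * Pr_S(a -> b)."""
    table = [[0] * len(sbox) for _ in sbox]
    for x in range(len(sbox)):
        for a in range(len(sbox)):
            table[a][sbox[x] ^ sbox[x ^ a]] += 1
    return table

# GF(2) matrices: lists of row bitmasks (bit j of rows[i] is entry (i, j)); vectors: ints.
def mat_apply(rows, x):
    return sum((bin(r & x).count("1") & 1) << i for i, r in enumerate(rows))

def mat_inverse(rows):
    """Gauss-Jordan elimination on [A | I]; returns None when A is singular."""
    n = len(rows)
    aug = [(rows[i] << n) | (1 << i) for i in range(n)]
    for col in range(n):
        bit = 1 << (n + col)
        pivot = next((r for r in range(col, n) if aug[r] & bit), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(n):
            if r != col and aug[r] & bit:
                aug[r] ^= aug[col]
    return [row & ((1 << n) - 1) for row in aug]

def basis_of(vectors):
    """Linearly independent generating set of Span<vectors> (leading-bit pivots)."""
    pivots = {}
    for v in vectors:
        while v:
            top = v.bit_length() - 1
            if top not in pivots:
                pivots[top] = v
                break
            v ^= pivots[top]
    return list(pivots.values())

def span(vectors):
    closed = {0}
    for v in vectors:
        if v not in closed:
            closed |= {c ^ v for c in closed}
    return closed

def find_invariant_subspaces(sbox, min_dim=1):
    """Algorithm 1: from each nonzero a, add every difference with a nonzero DDT entry in
    a row or column of V_a, close under XOR, repeat until stable (1-dim subspaces kept)."""
    size, n = len(sbox), len(sbox).bit_length() - 1
    table = ddt(sbox)
    reach = [{j for j in range(size) if table[i][j] or table[j][i]} for i in range(size)]
    found = set()
    for a in range(1, size):
        sub = {0, a}
        while len(sub) < size:
            grown = span(sub.union(*(reach[i] for i in sub)))
            if grown == sub:
                break
            sub = grown
        if min_dim <= len(sub).bit_length() - 1 < n:
            found.add(frozenset(sub))
    return found

def conjugate_to_block_form(sbox, subspace):
    """Theorem 2 made explicit: P has a basis of V as its first k columns, completed to a
    basis of {0,1}^n; S' = P^-1 o S o P must have DDT(i,j) = DDT(j,i) = 0 for i < 2^k <= j."""
    n = len(sbox).bit_length() - 1
    cols = basis_of(subspace)
    k = len(cols)
    for e in range(n):
        if len(cols) < n and len(basis_of(cols + [1 << e])) > len(cols):
            cols.append(1 << e)
    P = [sum(((cols[j] >> i) & 1) << j for j in range(n)) for i in range(n)]
    Pinv = mat_inverse(P)
    sprime = [mat_apply(Pinv, sbox[mat_apply(P, x)]) for x in range(len(sbox))]
    table = ddt(sprime)
    block = all(table[i][j] == 0 and table[j][i] == 0
                for i in range(1 << k) for j in range(1 << k, 1 << n))
    return sprime, k, block

def demo(seed=7):
    rng = random.Random(seed)
    present = find_invariant_subspaces(SB4)              # optimal 4-bit S-box: none
    parallel = [SB4[x & 0xF] | (SB4[x >> 4] << 4) for x in range(256)]   # SB4 || SB4
    while True:                                          # random invertible 8x8 L
        L = [rng.randrange(1, 256) for _ in range(8)]
        Linv = mat_inverse(L)
        if Linv is not None:
            break
    hidden = [mat_apply(L, parallel[mat_apply(Linv, x)]) for x in range(256)]
    found = find_invariant_subspaces(hidden)
    expected = {frozenset(mat_apply(L, w) for w in range(16)),           # L({(x, 0)})
                frozenset(mat_apply(L, w << 4) for w in range(16))}      # L({(0, y)})
    block_ok = all(conjugate_to_block_form(hidden, v)[2] for v in found)
    return {"present": present, "found": found, "expected": expected, "block_form": block_ok}

if __name__ == "__main__":
    r = demo()
    print(len(r["present"]), len(r["found"]), r["found"] == r["expected"], r["block_form"])
```

The search walks rows and columns at once (Theorem 1 together with Observation 1), which is what makes the closure of each $V_a$ a genuine subspace rather than just a row-closed set; the optimal 4-bit S-box yields no subspace at all, since a subspace of dimension 1, 2 or 3 would force a DDT row to have at most three nonzero entries or the S-box to have an affine component function.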

V. APPLICATIONS

In this section, we focus on the application of differential-invariant subspace attacks. We test the S-boxes of some popular block ciphers, i.e., Midori64, SKINNY, LBlock, Lilliput, etc. None of their S-boxes have the differential-invariant subspace property.

However, all four S-boxes of Midori128 satisfy the differential-invariant subspace property. Therefore, we take a variant of Midori128 [7] as our example. It is worth declaring that our attack applies to its variants instead of the original version; the original version is still strong enough against our attack.

A. Overview of Midori128

Midori is an AES-like cipher, published at ASIACRYPT 2015 [7]. Its members have been advertised as among the first lightweight ciphers optimized with respect to the energy consumed by the circuit per bit in an encryption or decryption operation. The proposal consists of two algorithms: 1) Midori64 and 2) Midori128. In this part, we consider only the 128-bit version.

The round function of Midori consists of the S-layer and the P-layer and uses the following 4 × 4 array, called the state, as a data expression:

$$\mathrm{State} = \begin{pmatrix} s_0 & s_4 & s_8 & s_{12} \\ s_1 & s_5 & s_9 & s_{13} \\ s_2 & s_6 & s_{10} & s_{14} \\ s_3 & s_7 & s_{11} & s_{15} \end{pmatrix}$$

where the size of each cell is 8 bits for Midori128. A 128-bit plaintext P is loaded into the state.

The round function of Midori consists of an S-layer SubCell, a P-layer ShuffleCell and MixColumn, and a key-addition layer KeyAdd. Each layer updates the 128-bit state State as follows.

SubCell: Four 8 × 8 S-boxes SSb0, SSb1, SSb2, and SSb3 are applied to every 8-bit cell of the state State of Midori128 in parallel. Each SSbi consists of input and output bit permutations and a predefined 4-bit S-box Sb1, as shown in Fig. 6. In this article, we assume that all the S-boxes used in Midori128 are the same, i.e., we can choose any one of these four constructions.

ShuffleCell: The ith cell of the state si is updated by sπ(i), where π is defined by Table I.

MixColumn: M is applied to every 32-bit column of the state State, i.e., for i = 0, 4, 8, 12

$$(s_i, s_{i+1}, s_{i+2}, s_{i+3})^{\tau} \leftarrow M \times (s_i, s_{i+1}, s_{i+2}, s_{i+3})^{\tau}$$

where the binary matrix M is defined as

$$M = \begin{pmatrix} 0 & 1 & 1 & 1 \\ 1 & 0 & 1 & 1 \\ 1 & 1 & 0 & 1 \\ 1 & 1 & 1 & 0 \end{pmatrix}.$$

KeyAdd: The round key RKi is XORed to the state State.

It is clear that Midori128 is a word-based block cipher that operates on 8-bit words.

B. Differential-Invariant Subspaces of SSbi

We take a closer look at the 8-bit S-boxes of Midori128, namely SSbi (i = 0, 1, 2, 3). Each output bit permutation is taken as the inverse of the corresponding input bit permutation to keep the involution property. Hence, the S-box SSbi is exactly LE (linearly equivalent) to the S-box constructed by connecting two copies of Sb1 in parallel, as we discuss in Section IV-B, which indicates differential-invariant subspaces. The concrete differential-invariant subspaces of SSbi listed in Table II are produced by Algorithm 1.

If we assume that all the 8-bit S-boxes in Midori128 are fixed as SSb0 and choose the input difference from V_1^{16}, then after the encryption of the entire cipher, each branch of the output difference at bit positions 0, 2, 5, 7 is always 0. This property was verified by a simple program, and the distinguisher can be executed at a negligible cost. In the other cases, if all S-boxes in Midori128 are fixed as SSb1, SSb2, or SSb3, then the corresponding variants of Midori128 all have the invariant property.

We do not provide an explicit security analysis for these variants (whose S-boxes are fixed as SSb0, SSb1, SSb2, or SSb3), as most of the security arguments (e.g., against differential cryptanalysis, linear cryptanalysis, impossible differential cryptanalysis, boomerang-type attacks, etc.) for these variants differ from those for Midori128 only in the number of rounds. In other words, iterating more encryption rounds


will bridge the small gap between the security arguments for these variants and Midori128, but cannot defend against the differential-invariant subspace attack, in that this attack does not care about the number of rounds.

However, it should be noted that the original version of Midori128 employs four S-boxes at one time in its iterative round, and their differential-invariant subspaces are not equal. So the original Midori128 is not a word-based block cipher in our sense, and has no differential-invariant subspace property.

Through the application in this section, we suggest that designers of block ciphers who intend to produce a word-based block cipher be more cautious in the choice of the S-boxes.

C. Relationship Between Truncated Differential and Differential-Invariant Subspace Attack

An important extension of differential cryptanalysis is the so-called truncated differential attack, first proposed by Knudsen [26]. The prerequisite to launching a truncated differential cryptanalysis is to find truncated differential trails. A truncated differential trail is an abstraction of a differential trail in which we only retain whether a difference exists or not, i.e., each difference variable is encoded by a Boolean variable. Our instance above could be classified into the category of truncated differentials; however, this does not indicate that our attack is a special case of truncated differential cryptanalysis.

If one replaces the S-box SSbi in Midori128 with the more general construction P^{−1} ∘ (Sb1 || Sb1) ∘ P, where P : {0, 1}^8 → {0, 1}^8 is any linear permutation (including some linear permutations with good cryptographic properties, like MDS matrices), then, according to Theorem 3, the new S-box still has two differential-invariant subspaces. Therefore, all the corresponding variants of Midori128, where all S-boxes are fixed as P^{−1} ∘ (Sb1 || Sb1) ∘ P, have their respective differential-invariant subspace properties. Yet in this construction, we can never encode such differential behavior by a Boolean variable, which indicates that our cryptanalysis is indeed different from truncated differential cryptanalysis.

VI. CONCLUSION AND DISCUSSION

In this article, we take into consideration a new cryptanalysis called differential-invariant subspace cryptanalysis. This kind of cryptanalysis applies to word-based block ciphers: if the input difference is chosen from the Cartesian product of the differential-invariant subspace, then the output differences bypass the entire block cipher and are always trapped in the same subspace. Such a property could be used to distinguish the target block cipher from random permutations.

Since a word-based block cipher is a favorable choice for the designers of lightweight block ciphers, they must take care of the S-boxes in case of a differential-invariant subspace property. S-boxes of the form P^{−1} ∘ (S1 || S2) ∘ P, though carrying an involution property, should be discarded. With some area cost, applying more than one kind of S-box at the same time might be a general strategy against the differential-invariant subspace attack. But if only one kind of S-box is allowed to be used, Algorithm 1 in this article will be a helpful tool to evaluate the relevant property.

An interesting observation is that we may also explore the linear version of the invariant subspace, i.e., for a given S-box S, we may check the existence of a subspace ν ⊆ {0, 1}^n such that for any α ∈ ν, it holds that

$$\sum_{\gamma \in \nu} \left[ \sum_{x \in \{0,1\}^n} (-1)^{\alpha \cdot x \oplus \gamma \cdot S(x)} \right]^2 = 2^n.$$

Then, the discussion will be executed in a very similar way. We hope that the new cryptanalysis proposed in this article is helpful for evaluating the security of word-based block ciphers against differential and linear cryptanalysis, and also useful in the design of word-based block ciphers.

ACKNOWLEDGMENT

The authors would like to thank the editors and anonymous reviewers for their valuable suggestions and thank Kaiyuan Wang for his programming work.

REFERENCES

[1] A. Bogdanov et al., "PRESENT: An ultra-lightweight block cipher," in Proc. Int. Workshop Cryptogr. Hardw. Embedded Syst., 2007, pp. 450–466.
[2] C. De Canniere, O. Dunkelman, and M. Knežević, "KATAN and KTANTAN—A family of small and efficient hardware-oriented block ciphers," in Proc. Int. Workshop Cryptogr. Hardw. Embedded Syst., 2009, pp. 272–288.
[3] Z. Gong, S. Nikova, and Y. W. Law, "KLEIN: A new family of lightweight block ciphers," in Proc. Int. Workshop Radio Freq. Identif., Secur. Privacy Issues, 2011, pp. 1–18.
[4] J. Guo, T. Peyrin, A. Poschmann, and M. Robshaw, "The LED block cipher," in Proc. Int. Workshop Cryptogr. Hardw. Embedded Syst., 2011, pp. 326–341.
[5] K. Shibutani, T. Isobe, H. Hiwatari, A. Mitsuda, T. Akishita, and T. Shirai, "Piccolo: An ultra-lightweight blockcipher," in Proc. Int. Workshop Cryptogr. Hardw. Embedded Syst., 2011, pp. 342–357.
[6] J. Borghoff et al., "PRINCE—A low-latency block cipher for pervasive computing applications," in Proc. Int. Conf. Theory Appl. Cryptol. Inf. Secur., 2012, pp. 208–225.
[7] S. Banik et al., "Midori: A block cipher for low energy," in Proc. Int. Conf. Theory Appl. Cryptol. Inf. Secur., 2015, pp. 411–436.
[8] Y. Todo, G. Leander, and Y. Sasaki, "Nonlinear invariant attack: Practical attack on full SCREAM, iSCREAM, and Midori64," in Proc. Int. Conf. Theory Appl. Cryptol. Inf. Secur., 2016, pp. 3–33.
[9] J. Guo, J. Jean, I. Nikolić, K. Qiao, Y. Sasaki, and S. M. Sim, "Invariant subspace attack against Midori64 and the resistance criteria for S-box designs," Cryptol. ePrint Arch., IACR, Bellevue, WA, USA, Rep. 2016/973, 2016.
[10] A. Mirzaie, S. Ahmadi, and M. R. Aref, "Integral cryptanalysis of round-reduced shadow-32 for IoT nodes," IEEE Internet Things J., early access, Oct. 24, 2023, doi: 10.1109/JIOT.2023.3327176.
[11] E. Biham and A. Shamir, "Differential cryptanalysis of DES-like cryptosystems," J. Cryptol., vol. 4, pp. 3–72, Jan. 1991.
[12] M. Matsui, "Linear cryptanalysis method for DES cipher," in Proc. Workshop Theory Appl. Cryptogr. Techn., 1993, pp. 386–397.
[13] K. Nyberg and L. R. Knudsen, "Provable security against a differential attack," J. Cryptol., vol. 8, pp. 27–37, Dec. 1995.
[14] J. Daemen and V. Rijmen, "The wide trail design strategy," in Proc. IMA Int. Conf. Cryptogr. Coding, 2001, pp. 222–238.
[15] G. Leurent, C. Pernot, and A. Schrottenloher, "Clustering effect in SIMON and SIMECK," in Proc. Int. Conf. Theory Appl. Cryptol. Inf. Secur., 2021, pp. 272–302.
[16] H. Liu, W. Zhang, J. Zhang, and X. Sun, "Clustering of differentials in CRAFT with correlation matrices," Int. J. Intell. Syst., vol. 37, no. 12, pp. 12113–12134, 2022. [Online]. Available: https://onlinelibrary.wiley.com/doi/abs/10.1002/int.23078


[17] T. Cui, Y. Mao, Y. Yang, Y. Zhang, J. Zhang, and C. Jin, "Congruent differential cluster for binary SPN ciphers," IEEE Trans. Inf. Forensics Security, vol. 19, pp. 2385–2397, 2024.
[18] Z. Bao, J. Guo, S. Ling, and Y. Sasaki, "PEIGEN—A platform for evaluation, implementation, and generation of S-boxes," IACR Trans. Symmetric Cryptol., vol. 2019, no. 1, pp. 330–394, 2019.
[19] G. Leander, M. A. Abdelraheem, H. AlKhzaimi, and E. Zenner, "A cryptanalysis of PRINTcipher: The invariant subspace attack," in Proc. Annu. Cryptol. Conf., 2011, pp. 206–221.
[20] C. Beierle et al., "The SKINNY family of block ciphers and its low-latency variant MANTIS," in Proc. Annu. Int. Cryptol. Conf., 2016, pp. 123–153.
[21] T. P. Berger, J. Francq, M. Minier, and G. Thomas, "Extended generalized Feistel networks using matrix representation to propose a new lightweight block cipher: Lilliput," IEEE Trans. Comput., vol. 65, no. 7, pp. 2074–2089, Jul. 2016.
[22] W. Wu and L. Zhang, "LBlock: A lightweight block cipher," in Proc. Int. Conf. Appl. Cryptogr. Netw. Secur., 2011, pp. 327–344.
[23] M. Kanda et al., "E2–a new 128-bit block cipher," IEICE Trans. Fundam. Electron., Commun. Comput. Sci., vol. 83, no. 1, pp. 48–59, 2000.
[24] A. Biryukov, C. De Canniere, A. Braeken, and B. Preneel, "A toolbox for cryptanalysis: Linear and affine equivalence algorithms," in Proc. Int. Conf. Theory Appl. Cryptogr. Techn., 2003, pp. 33–50.
[25] A. Biryukov and A. Shamir, "Structural cryptanalysis of SASAS," in Proc. Int. Conf. Theory Appl. Cryptogr. Techn., 2001, pp. 395–405.
[26] L. R. Knudsen, "Truncated and higher order differentials," in Proc. Int. Workshop Fast Softw. Encrypt., 1995, pp. 196–211.

Ting Cui received the Ph.D. degree from the Institute of Information Science and Technology, Zhengzhou, China, in 2013.
He is currently a Professor with PLA SSF Information Engineering University, Zhengzhou. His current research interests include symmetric cipher design and cryptanalysis.

Yi Zhang is currently pursuing the Ph.D. degree with PLA SSF Information Engineering University, Zhengzhou, China.
His research interest includes cryptanalysis of block ciphers.

Jiyan Zhang received the Ph.D. degree from PLA SSF Information Engineering University, Zhengzhou, China, in 2022.
He is currently a Lecturer with PLA SSF Information Engineering University. He has published papers in highly ranked journals, such as IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY and IEEE TRANSACTIONS ON INFORMATION THEORY. His research interests include cryptanalysis of symmetric ciphers and the Internet of Things.
Dr. Zhang is a reviewer of several international journals and conferences.

Chenhui Jin received the Ph.D. degree from the Institute of Information Science and Technology, Zhengzhou, China, in 2000.
He is currently a Professor and a Ph.D. Supervisor with PLA SSF Information Engineering University, Zhengzhou. His research interests include cryptography, information security, and cyberspace security.

Shiwei Chen received the Ph.D. degree from the Institute of Information Science and Technology, Zhengzhou, China, in 2013.
She is currently an Associate Professor with PLA SSF Information Engineering University, Zhengzhou. Her current research interests include hash functions and block ciphers.
