Propagation of Subspaces in Primitives with Monomial Sboxes: Applications to Rescue and Variants of the AES

. Motivated by progress in the field of zero-knowledge proofs, so-called Arithmetization-Oriented (AO) symmetric primitives have started to appear in the literature, such as MiMC , Poseidon or Rescue . Due to the design constraints implied by this setting, these algorithms are defined using simple operations over large (possibly prime) fields. In particular, many rely on simple low-degree monomials for their non-linear layers, essentially using x 7→ x 3 as an S-box. In this paper, we show that the structure of the material injected in each round (be it subkeys in a block cipher or round constants in a public permutation) could allow a specific pattern, whereby a well-defined affine space is mapped to another by the round function, and then to another, etc. Such chains of one-dimensional subspaces always exist over 2 rounds, and they can be extended to an arbitrary number of rounds, for any linear layer, provided that the round-constants are well chosen. As a consequence, for several ciphers like Rescue , or a variant of AES with a monomial Sbox, there exist some round-key sequences for which the cipher has an abnormally high differential uniformity, exceeding the size of the Sbox alphabet. Well-known security arguments, in particular based on the wide-trail strategy, have been reused in the AO setting by many designers. Unfortunately, our results show that such a traditional study may not be sufficient to guarantee security. To illustrate this, we present two new primitives (the tweakable block cipher Snare and the permutation-based hash function Stir ) that are built using state-of-the-art security arguments, but which are actually deeply flawed. Indeed, the key schedule of Snare ensures the presence of a subspace chain that significantly simplifies an algebraic attack against it, and the round constants of Stir force the presence of a subspace chain aligned with the rate and capacity of the permutation. This in turns implies the existence of many easy-to-find solutions to the so-called CICO problem.


Introduction
The emergence of cryptographic protocols with advanced functionalities, such as fully homomorphic encryption, multi-party computation and new types of proof systems, is asking for new symmetric primitives offering better performances than the standard algorithms in the context of these specific applications.Most notably, the use of primitives that are defined over finite fields of odd characteristic, in particular over large prime fields, is desirable in many such applications.For example, STARKs [BBHR18] are most efficient over fields F p such that p − 1 is a multiple of a large power of 2, while other schemes rely on pairing-friendly elliptic curves and need primitives defined over the corresponding fields [GW20].Furthermore, in the context of side-channel resistance, primitives operating on a prime field have been shown to be well-suited for efficient masking [MMMS23].
However, while there are many new designs, this area suffers from a lack of cryptanalysis.Some design principles governing the choice of the Sbox or of the linear layer in an SPN can certainly be directly transposed to any finite field, but some properties inherent to arithmetization-orientation may introduce new weaknesses in the primitives: • While this might look like a minor change at first glance, the size and the characteristic of the underlying field may strongly affect the security, as was exhibited in [BCD + 20].For instance, it was shown that the complexities of integral attacks depend on the sizes of multiplicative subgroups of the involved finite field [EGL + 20, BCP23, LAW + 23].
• While the number of rounds of these primitives is usually decided by the complexity of attacks based on solving polynomial systems, estimating this complexity is harder than it looks.Indeed, it is tied to the specific model used to encode the evaluation of the primitive as an equation, or as a system of multi-variate equations, and this model is not unique.It has been shown for instance in [ACG + 19] and [BBLP22], that some of these primitives were much more vulnerable to such attacks than anticipated because of a clever re-writing of the involved equations.
An in-depth security evaluation of these primitives and of their design principles is therefore necessary to achieve the same level of confidence as the one we have in primitives defined over binary fields, after decades of research in cryptanalysis.As we are now faced with several proposals of arithmetization-oriented primitives, there is a clear need to analyze their respective security levels and potential weaknesses.
This need is all the more crucial as arithmetization-oriented primitives are defined for a very broad number of different parameters.While there are only 3 versions of the AES, most arithmetization-oriented primitives are defined for any prime p, and for any block size (i.e. they operate on F m p , where m can be as low as 2 or higher than 10).Even for a given set of parameters, authors sometimes give implementers the freedom to choose better components for their use case, e.g. to use an MDS matrix that is more efficient according to some metrics.In fact, the authors of Rescue explicitly stated in [AKM + 22, Section 4.1] that "Rescue-Prime is secure when instantiated with any MDS matrix".This substantially increases the attack surface, and one can wonder whether all these choices provide the same security.For example, it was found in [BCD + 20] that some matrices could be weak if used in Poseidon, a direction much more thoroughly explored in [KR21].
In this context, our work investigates the potential weaknesses coming from the use of monomial mappings, x → x α over a finite field, as Sboxes.Many primitives, like MiMC or Rescue, use as Sboxes "pure" monomial functions because they operate on a prime field.This differs from the AES Sbox [AES01], which consists of a monomial mapping, i.e., x → x α over F 2 8 , composed with an F 2 -linear affine function which has very little influence on the resistance to statistical attacks (see e.g.[CR15]), but thwarts potential attacks exploiting a simple algebraic representation of the Sbox [DR02].However, when the Sbox operates on a prime field, this simple method cannot be used anymore to make the univariate polynomial representation of the Sbox more complex.
Our contributions.Our study therefore focuses on Monomial-Based SPNs (shortened into monomial-based SPNs), i.e., families of permutations whose round function follows the SPN construction with a monomial Sbox over F q and a linear layer defined by a matrix with entries in the same field.This includes, for example, Rescue and its variants [AAB + 20, SAD20, AKM + 22], but also a variant of the AES where the F 2 -linear affine function composed with the inverse mapping in F 2 8 is removed.We show that, for any such primitive, there exist some round-constants (or round-keys) such that, at the end of each round, the image of an F q -affine subspace of dimension 1 is still an affine subspace.Even if this particular property involves a subspace of dimension 1 only, it is worth noting that, in the context of arithmetization-oriented primitives, the Sbox alphabet is large, typically of size 2 32 or more, which implies that the property affects a large number of inputs.
Moreover, for some of these round-constants, any even number of rounds of the primitive is an affine function on this affine subspace, in the particular cases where the Sbox is an involution (e.g. the inversion in F q ) or where two consecutive rounds of the primitive use Sboxes which are the inverse of each other, like in Rescue, where the Sbox in all even rounds corresponds to x → x 3 and the Sbox in all odd rounds to its inverse.
The proportion of such weak round-constants (resp.round-keys) is very small.This implies that the property does not provide an attack on real instances of the primitive, when the round-constants are randomly chosen or when the round-keys are derived from a well-defined key-schedule.However, it points out that the security level offered by this type of primitives highly depends on the choice of the round-keys, which appears to be very problematic since their security mainly relies on arguments derived from analyses on average over all round-key sequences.As an illustration of this, we exhibit some examples where the fixed-key maximal differential probability of the permutation (aka differential uniformity) is much higher than expected from the maximal expected differential probability.This result generalizes and explains the observations made in [BCL + 20] on Rescue: for instance, [BCL + 20] enlightens "the oddity of the behaviour" of an instance of the cipher whose differential uniformity significantly increases between two rounds.
The existence of weak round-keys usually does not threaten the security of well-specified primitives.However, it raises a worrying issue since weak round-constants could be chosen intentionally, in order to insert a backdoor in the primitive.Indeed, we exhibit two such examples, a hash function and a tweakable block cipher, in which a hidden backdoor makes some attack feasible.For the hash function, we target its inner permutation and ensure the existence of solutions for the so-called CICO problem that are trivial to find for the malicious designer.The tweakable block cipher illustrates that the existence of chains of affine subspaces over the primitive can be used within the Malicious framework [PW20] to introduce a backdoor which greatly reduces the complexity of key recovery.Our aim with these algorithms is to show the importance of substantially restricting the space in which implementers can choose primitive variants.
Organization of the paper.The following section defines the general structure of monomial-based SPNs, and provides some examples.Section 3 analyzes the propagation of affine subspaces through such permutations, with a particular focus on subspaces of dimension 1.This property implies that, when two consecutive rounds of the primitive use Sboxes which are the inverse of each other, there always exist some round-constants for which the differential uniformity is very high: Section 4 exhibits examples of such instances of a variant of the AES whose differential uniformity behaves in an unexpected way.Finally, Section 5 shows how the existence of such a chain of affine subspaces can be used to insert a backdoor in a symmetric primitive, and describes a permutation (Stir) that can be used to build a backdoored hash function, and a backdoored tweakable block cipher (Snare).

Monomial-Based SPNs
In this paper, we focus on families of permutations which follow the SPN construction.1These permutations can be used in different settings: for instance, together with a key schedule, as block ciphers, or within the sponge construction as hash functions.In this second case, the data injected during each round corresponds to public round-constants, instead of secret round-keys.These permutations operate on F m q where q is a prime power and m is the number of field elements (i.e., the number of blocks) in the internal state.In the particular context of arithmetization-oriented primitives, typical values for q which are implementation-friendly are q = 2 k or q = p where p ≈ 2 k , and k ≥ 32 (and can be as high as k = 256 in some cases), see e.g.[AAB + 20].Our work then focuses on SPNs, called monomial-based SPNs, whose round functions are defined as follows (see Figure 1).Definition 1. (Monomial-Based SPN) Let q be a prime power and m a positive integer.Let α be an integer with gcd(q − 1, α) = 1 and M be an m × m nonsingular matrix with coefficients in F q .For any round constant r ∈ F m q , R(q, m, α, M, r) denotes the round function with round constant r of a monomial-based substitution-permutation network (monomial-based SPN) defined over F m q whose substitution function consists of the concatenation of m copies of S : x → x α over F q and whose linear layer corresponds to M (see Figure 1).
We impose that gcd(q − 1, α) = 1, to ensure that S is bijective.In arithmetizationoriented primitives, we usually have α = 3 or α = 5.In the whole paper, the non-linear permutation of F m q obtained by applying S on each coordinate in parallel is denoted S. The matrix that defines the linear layer is often chosen as an MDS matrix, i.e., (Id m , M ) generates a [2m, m]-MDS code over F q , in order to maximize the diffusion within the cipher.For the sake of simplicity, M will also refer to the linear function corresponding to the multiplication by this matrix.

Rescue.
Rescue is a family of permutations proposed by Aly et al. [AAB + 20].Its Sbox is defined as a power mapping over a prime field, i.e., q = p in the previous notation.One specificity of Rescue is that the Sbox layer S in every round with an even index2 corresponds to the concatenation of m copies of S, while the Sbox layer in every odd round corresponds to its inverse S −1 = (S −1 , . . ., S −1 ) where S −1 : x → x 1/α .Here, a round is defined as a single application of the round function, i.e., with a single Sbox layer (S or S −1 ).It is worth noting that, in some other works, a round corresponds to the successive application of two round functions, one with S and one with S −1 .
More detailed specifications of a hash function named Rescue-Prime, based on this design, are presented in [SAD20].Rescue-Prime follows the sponge construction and its core permutation, Rescue-XLIX, which corresponds to two successive rounds of Rescue, i.e. the composition of R(p, m, α, M, r) and a similar transformation with an inverse 3 Sbox layer, R(p, m, α −1 , M, r ′ ), where p is a large prime and α is the smallest integer coprime with (p − 1).The MDS matrix M is derived from the row-echelon form of an m × 2m Vandermonde matrix.The sequence of round-constants is obtained by applying Shake-256 to a fixed ASCII string.More recently, a new variant of this hash function was described in [AKM + 22], called "Rescue-Prime-Optimized".It differs from Rescue-Prime in subtle ways: the operations are reordered, and the MDS matrix uses a different structure to enable significant performance improvements in a specific context.

Modified AES, Vision and AES-Prime.
A slightly modified round function of the AES can be written as R(2 8 , 16, 254, M ).The only difference between this and the AES round function is that, in the AES, the Sbox consists of the composition of the power mapping x → x 254 with an additional F 2 -affine function defined over the vector space F 8 2 .The keyed permutation Vision has been proposed by Aly et al. [AAB + 20] in the specific case of binary fields.Its round function has a similar structure as in the AES except that the linear layer M is MDS, while in the AES, it corresponds to an interleaving construction based on a smaller MDS matrix [ADK + 14].Exactly as in the AES, the inversion in F 2 k is followed by an additional F 2 -affine function.
Instead of using a power mapping over F 2 k as an Sbox, composing it with an F 2 -affine function seems to be a cheap safeguard to avoid a very simple representation over F 2 k .However, this technique does not apply anymore when the Sbox operates on a prime field.The recently proposed variant of the AES over F p with p = 2 7 − 1, named AES-Prime [MMMS23], can also be seen as a monomial-based SPN.Indeed, it uses an Sbox of the form x → x α + c, and the constant addition can be seen as part of the key schedule.
All these examples motivate the study of the round functions described in Definition 1.

Chains of Affine Subspaces
An affine space of dimension d ≤ m in F m q is defined by a basis, i.e. a family of d linearly independent vectors in F m q , {v 1 , v 2 , . . ., v d }, and by a single vector a in F m q , called the offset.These (d + 1) vectors define the affine space V as follows: The goal of this section is to exhibit affine subspaces of a form such that their images by the round function are also affine spaces.Furthermore, in the case of a subspace of dimension 1, we show that, under some conditions on the round constants and the vectors defining the subspace, applying the round function again still yields an affine space.
Step by step, it is possible to create chains of subspaces of arbitrary length which propagate through a cipher using such round constants."Chains" vs. "Trails".Our notion of subspace chains is related to the notion of invariant subspaces used in previous attacks, but differs on some key aspects.First, the subspaces we investigate are not invariant under the round function, but instead they are mapped to another subspace.In fact, invariant subspaces such as those in [GJN + 16, LMR15] are particular cases of subspace chains.For this reason, the tools that have been previously developed for checking whether a given choice of the round constants guarantees that invariant subspace do not exist, like the algorithm presented in [BCLR17], cannot be applied in our context.
Another related notion is the notion of "subspace trail" defined in [GRR16] and analyzed in [LTW18].But this is a stronger property than a subspace chain: it means that any coset of a given subspace is mapped to a coset of the output subspace, while we need this property for a single coset.We thus use the term "chain" rather than "trail" to avoid confusion.

Notation.
In what follows, we always use the following notation.First, q is a prime power and m is an integer.Then, for any x ∈ F m q , its support supp(x) is the set of the indices of its nonzero coordinates, i.e., supp(x) := {i, 0 ≤ i ≤ m − 1 : x i ̸ = 0}.Its weight wt(x) is the size of supp(x).

Canonical Representation of Affine Subspaces
Let V = a + ⟨v⟩ be a subspace of dimension 1 in F m q .Obviously, there are many pairs (a, v) which define the same subspace.In order to have a unique basis/offset representation of affine spaces of dimension 1, we define a canonical representation as follows.
• Since multiplying the basis vector by any nonzero scalar leaves the subspace invariant, the value of v on its first nonzero coordinate, i S , is set to 1.Note that such an i S always exists since v ̸ = 0.
• The offset is then chosen such that it vanishes on this very same coordinate i S .This is always possible because the offset can be defined as any a ′ = a + λv with λ ∈ F q , and there is a unique vector a ′ whose coordinate in position i S is 0, since v i S ̸ = 0.
For subspaces of higher dimension, the canonical representation is obtained by choosing the matrix formed by the basis vectors and the offset vector in reduced row-echelon form.

Separable Affine Subspaces
One of the key points conditioning the existence of chains of affine subspaces is the fact that an affine subspace is separable in the sense of the following definition.4 Definition 2 (Separable affine subspace).An affine space V of dimension d in F m q with canonical representation v 0 + ⟨v 1 , . . ., Note that the previous condition involves both the basis vector and the offset v 0 .The canonical representation is defined in such a way that, if V is separable for some representation, then it is separable for its canonical representation.

Multiplicative Sboxes
The following Sbox property plays a crucial role in subspace propagations.

Definition 3 (Multiplicative Sbox
).An Sbox S : F q → F q is said to be multiplicative if there exists a function π : Considering the more general case where S(xy) = S(1)π(x)π ′ (y) for two different functions π and π ′ would not be relevant.Indeed, π is defined up to a multiplicative constant since, for any λ ∈ F * q , (λπ, λ −1 π ′ ) satisfies the property too.Then, if we set π(1) = 1, we can easily deduce that π = π ′ by using that S(1 × x) = S(x × 1).
The following proposition shows that the multiplicative Sboxes over F q correspond to power permutations (up to a multiplicative constant).
Proposition 1.A bijective mapping S : F q → F q is multiplicative if and only if S(x) = cx k for some scalar c ∈ F q and some integer k with gcd(k, q − 1) = 1.
Let us now denote by α a primitive element in F q .Then, for any i, 0 1) .
Since π(α) cannot be zero, there exists some integer k such that We deduce that, for all i, 0 ≤ i ≤ q − 2, which equivalently means that, for all x ∈ F * q , S(x) = S(1)x k .Moreover, gcd(k, q − 1) = 1 since S is bijective.
Therefore, in the rest of the paper, we will focus on the case where the Sbox is a power mapping (since the multiplicative constant does not have any cryptographic relevance).

Image of a Separable Affine Subspace by the Round Function
Theorem 1.Let F be the round function R(q, m, α, M, r) for any round constants.Let S denote its Sbox layer and V = a + ⟨v 1 , ..., v d ⟩ a separable subspace of F m q , i.e., the supports of the (d + 1) vectors a and v i are pairwise disjoint.Then, F (V ) is the affine subspace Moreover, for any x 1 , . . ., x d ∈ F q , we have Since the supports of all vectors a and v i are disjoint, only one term among the (d+1) terms in the sum a j + d i=1 x i v i,j does not vanish.Therefore, for any coordinate j, we have where the last equality comes from the fact that S is a power mapping (and thus a multiplicative function).It follows that Then, by linearity, we can directly deduce M S(x) = M S(a) , to which we add r on both sides to obtain

Chaining Separable Affine Subspaces
Theorem 1 shows that a separable affine subspace is always mapped to an affine subspace.However, there is no guarantee that the resulting subspace is separable too, which would be needed in order to reiterate the process and get a chain of subspaces.
We argue in Appendix E that it is rather unlikely that the image of a subspace of dimension 2 or more is separable.In the rest of the paper, we focus on affine subspaces of dimension 1, which still contain many elements since q is large in the context of arithmetization-oriented primitives.The following corollary provides a necessary and sufficient condition under which the image of a separable subspace is a separable subspace too.It is an immediate consequence of Theorem 1 and of the definition of separable subspace.
Corollary 1.Let F be the round function R(q, m, α, M, r) with round constant r and Sbox layer S. Let V = a + ⟨v⟩ be a separable subspace of dimension 1.Then, F (V ) is a separable subspace if and only if there exists where [M S(v)] i denotes the i-th coordinate of the vector M S(v).
This condition is always satisfied when M S(v) has weight 1.Therefore, for any monomial-based SPN and any choice of the round constants, there exists some affine subspace V whose image by the round transformation is separable, which implies that the image of V after two rounds is still an affine subspace.
On the other hand, for any monomial-based SPN, and for any choice of v and a in F m q , v ̸ = 0, there exist several round constants such that the image of V = a + ⟨v⟩ after two rounds is still an affine subspace.We then deduce the following theorem, i.e. for any choice of Sbox and linear layer, and for any number of rounds, there always exist weak round-constants, for which an affine subspace of dimension 1 is mapped to an affine subspace.This holds even if the Sbox and the linear layer vary with the round, as in Rescue.
Theorem 2. Let P be a monomial-based SPN defined by the composition of N round functions R(q, m, α t , M, r t ) for 0 ≤ t < N .Then, for any separable affine subspace of dimension 1, a + ⟨v⟩, there exist some sequences of round-constants (r 0 , . . ., r N −1 ) such that P (a + ⟨v⟩) is an affine subspace.These weak round-constants include those satisfying, for some λ where a 0 = a, M i denotes the i-th row of matrix M , and S t (resp.S t ) denotes the Sbox (resp.Sbox layer) at Round t .
Moreover, for any x ∈ F q , the image of (a + xv) after N rounds equals Proof.The proof by induction on the number of rounds is a direct consequence of Theorem 1 and Corollary 1. Indeed, the result holds for N = 1 for any value of the round-constant r 0 , and we have that, after one round, Assume that the result holds after the first t rounds, i.e., the image of (a + xv) equals a t + π t (x)v t .Let v t+1 = M S t (v t ).The fact that the constant r t at Round t satisfies for all i ∈ supp(v t+1 ) equivalently means that the restriction to supp(v t+1 ) of vanishes.It follows that a t+1 + ⟨v t+1 ⟩ is separable.Then, Theorem 1 applies, and we get that the image of (a t + π t (x)v t ) after the (t + 1)th round-function, F t , is given by A similar result holds if different linear layers are used in the successive rounds, but we made the assumption of a single matrix for the sake of simplicity.
The weak round-constants described in Theorem 2 are exactly those ensuring a chain of separable affine subspaces of dimension 1 through the N rounds of the primitive.However, the image of an affine subspace after N rounds may be a subspace even if some of the intermediate sets are non-separable subspaces, or even not subspaces.This is why the condition in Theorem 2 is a sufficient condition only.Finding a more general condition which captures all situations seems much more difficult.
When the Sboxes satisfy that S 2k+1 = S −1 2k for all k, like in Rescue, or if the same involutive Sbox is used at every round, we even obtain a stronger property since there are some round-constants for which the restriction of the permutation to (a + ⟨v⟩) is affine.
Corollary 2. Let N be an even integer and let P be a monomial-based SPN defined by the composition of N round functions R(q, m, α t , M, r t ) for 0 ≤ t < N with α 2k α 2k+1 ≡ 1 mod (q − 1) for all k < N/2.Then, for any separable affine subspace of dimension 1, a + ⟨v⟩, there exist some sequences of round-constants (r 0 , . . ., r N −1 ) such that P is affine on a + ⟨v⟩.
These weak round-constants include those satisfying and a 0 = a.In this case, for any x, y ∈ F q , P (a + xv) Proof.This follows directly from Theorem 2 applied to the case λ 1 = . . .= λ N −1 = 0. We then have, for all t ≤ N , that π t (x) = x αt if t is odd, and π t (x) = x otherwise.

Detecting Chains of Separable Subspaces
Theorem 2 provides a sufficient condition for a given separable subspace of dimension 1 to propagate through a monomial-based SPN.In Appendix A, we use this result to estimate the number of weak round-constants.However, such statistical arguments cannot be used to assess the security of a well-specified primitive.To this end, we devised Algorithm 1, which checks the existence of such a chain of separable subspaces, works as follows.First, compute all pairs of separable affine subspaces V and W such that W is the image of V under the round function F .This guarantees that the image of V after two rounds is an affine subspace.Checking whether the image of W after one additional round is still separable or not, we can construct the (potentially empty) list of all chains of three consecutive separable spaces.If this list is not empty, then we may have found an abnormally long chain.
Since only a few pairs of separable subspaces are images of each other by F , the most expensive part of the algorithm is the first one.Finding all separable V = a + ⟨v⟩ and W = F (a) + ⟨w⟩ such that F (V ) = W can be done by first fixing the respective supports I 1 and I 2 of v and w.We can then assume that a + ⟨v⟩ is the canonical representation of V , implying that v i S = 1 for i S = min I 1 and supp(a) = {0, . . ., m − 1} \ I 1 .As in Theorem 2, the fact that W is separable means that there exists λ ∈ F q such that the support of b = F (a) − λw is included in {0, . . ., m − 1} \ I 2 .Since the support of a vector is invariant under S, we can define x and c by x i = v α i and c i = a α i for all 0 ≤ i < m.Then, the condition in Theorem 2 holds if and only if there exists λ ∈ F q such that (2) This corresponds to a quadratic system of 2m equations with 2m unknowns: the (m − 1) unknown coordinates of x and c, the m possibly nonzero coordinates of w and b, and λ.
We have implemented this algorithm in SAGE. 5 It can successfully identify the subspace chain in the Stir permutation defined in Section 5.2.For these parameters, System (2) turns out to have exactly one solution for each valid pair of supports (I 1 , I 2 ).
Algorithm 1 Algorithm for finding all chains of separable one-dimensional affine subspaces over three rounds.
Compute the list L of all pairs of possible supports (I 1 , I 2 ) for a pair (x, M x). for all satisfy (2) using a Gröbner basis algorithm.for all (c, x, b, w, λ) solutions of the previous system do if b + ⟨w⟩ maps to yet another separable space through the next round then v i ← (x i ) 1/α and a i ← (c i ) 1/α for all 0 ≤ i < m. a + ⟨v⟩ and its successive images form a chain of separable subspaces.end if end for end for

High Differential Uniformities of monomial-based SPNs
The previous analysis was originally motivated by some anomalies in the fixed-key maximal differential probability of some small instances of the block cipher Rescue that were pointed out in [BCL + 20].As we will see, these anomalies are side effects of particular subspace chains.This observation can be pushed further, and we will show that it is in fact possible to trigger much more sophisticated patterns.Before going further, let us recall some definitions.
Definition 4 (DDT and differential uniformity [Nyb94]).Let F : F n q → F n q .The DDT (difference distribution table) of F is an array of size q n × q n whose coefficients are: It is worth noting that, for a keyed function such as a block cipher, the fixed-key maximal differential probability coincides with the differential uniformity of the function defined by a specific key.

Fixed-Key Maximal Differential Probability of some monomialbased SPNs
When the Sbox alphabet q is large, computing the differential uniformity becomes unfeasible.Instead, in the case of an iterated permutation, an alternative approach could be to derive some upper bounds on the differential uniformity of the function from some properties of its building-blocks.However, all known results in this direction rely on some strong assumptions, typically on the fact that the sequence of differences through the permutation is a Markov chain [LMM91].This kind of results (e.g.[DR02, HLL + 01, PSLL03, CR15]) may be relevant for keyed primitives since they usually provide some information on the maximum expected differential probability (MEDP) of the whole family of permutations.However, the MEDP has no practical significance in several contexts, for example, when a specific instance of the family is used as an inner permutation in a sponge, like in Rescue-Prime.In that case, the expected maximum differential probability (EMDP, instead of MEDP) would be much more relevant, and these two quantities may significantly differ as pointed out in [CDL16, Page 378].
Even for a keyed primitive like a block cipher, the average probability of a given differential often provides little information on the behavior of the primitive with respect to differential cryptanalysis.Indeed, as extensively analyzed in [BR22], many ciphers are vulnerable to differential cryptanalysis only for some keys.It is therefore important to estimate the differential uniformity of the fixed-key primitive, even for a block cipher.The notion of quasi-differential trails recently introduced in [BR22] provides a very elegant framework for computing fixed-key probabilities of differential trails for iterated functions.But, its complexity is expensive, especially when focusing on differentials instead of trails.
Still, experiments are possible for toy ciphers with a very small block size, as was shown in [BCL + 20].Their experimental results on variants of Rescue with small p are summarized in Figure 2, which was obtained using a reference implementation of this cipher-and thus using a proper key derivation algorithm.As we can see, for p = 13, one instance has its differential uniformity decrease as expected for the first 3 rounds but then spike at the 4th to reach a value just under 1.5p.Unfortunately (from the designer's point if view), abnormally high differential uniformity are compatible with a strong round-constant generation.
As illustrated by the following proposition, such a high differential uniformity can be explained by the presence of chains of affine subspaces.
Proposition 2. Let N be an even integer and let P be the permutation defined by the composition of N round functions R(q, m, α t , M t , r t ) for 1 ≤ t ≤ N with α 2k α 2k+1 ≡ 1 mod (q − 1) for all k < N/2.Then, there exist some round constants for which P has differential uniformity at least q, such as those defined in Corollary 2 for some pair (a, v).
Proof.For any sequence of round-constants satisfying the relation given in Corollary 2 for (a, v), there exists v N such that P (a + xv) − P (a + yv) = (x − y)v N for any x, y ∈ F q .So, for all x ∈ F q , P (a

Application to a Variant of AES
This behaviour can be observed in other monomial-based SPNs.As an illustration, we consider a variant of AES [AES01] where the Sbox corresponds to the monomial x −1 (with the convention that 0 −1 = 0).Thus, the only difference with AES is that the F 2 -affine transformation applied at the end of the AES Sbox has been removed. Let ) denote the subkey inserted at the end of Round t, 1 ≤ t ≤ N .This AES variant6 follows the model analyzed in Theorem 2, where k 0 is added at the satisfy a t,j = 0 for all j ∈ supp(v t ) and all 0 ≤ t < N − 1, we have In particular, in this case, DDT P [αv 0 , αv N ] ≥ 2 k for all α ∈ F 2 k .
Figure 3(a) shows how the differential uniformity of the monomial-based variant of AES varies with the number of rounds, for a round-key sequence chosen according to the conditions defined in Proposition 3.These results have been obtained for a small-scaled variant of the cipher, where the Sbox operates on a field of size q = 2 6 , and the inner state contains m = 2 elements.For any even number of rounds, the permutation has differential uniformity slightly higher than the size of the Sbox alphabet, while for any odd number of rounds, it is close to the expected value of the differential uniformity for a random permutation, namely 11.5 (see Corollary 3).
In fact, an even stranger behaviour can be observed for some round-keys, where spikes in the differential uniformity can occur every 2 or 3 rounds.This behaviour relies on the following property of the inverse mapping, which holds in characteristic 2 only.Proof.The right-hand side of the equation can be rewritten as Based on this lemma, we can exhibit some round-keys for which the monomial-based variant of AES after three rounds is affine on a given affine subspace.
Proposition 4. Let P be the function corresponding to three rounds of the monomial-based variant of AES.Let v 0 be a nonzero element in F m 2 k .Assume that the round-keys are defined by Then, for all x in F 2 k such that x ̸ = 0 and x ̸ = b −1 , we have that In particular, for all x and α such that x ̸ ∈ {0, α, b −1 , α + b −1 }, we have and, for all x ∈ F 2 k , we have Proof.Let us first compute the values a t as defined in Theorem 2 where a 0 = 0, λ 1 = −b, λ 2 = −b −1 and λ 3 = −c.Then we get that, for all 1 ≤ t ≤ 3, because of the choice of the round-keys.Therefore, these round-keys satisfy the conditions given in Theorem 2. It follows that the image of k 0 + ⟨v 0 ⟩ after N rounds of P equals ⟨v N ⟩, for 1 ≤ N ≤ 3.Moreover, the image after N rounds of each individual element (xv leading to π 3 (x) = b(xb + 1) + c.We deduce that, for any α ∈ F 2 k , the equation In order to show how much control a malevolent designer could have over the differential uniformity of such an SPN, we combine the previous proposition and Proposition 3 to exhibit a round-key sequence for which any given binary message is encoded in the curve representing the evolution of the differential uniformity of the iterated permutation, as in Figure 3(b).The round-keys are chosen to guarantee that the image after N rounds of k 0 + ⟨v 0 ⟩ equals ⟨v N ⟩.Moreover, we make some specific choice to ensure that the permutation is an affine function on this subspace after some rounds.Indeed, if we assume that the function after t rounds is affine on ⟨v t ⟩, • choosing k t+1 = 0 and k t+2 = cv t+2 for some c implies that the function after (t + 2) rounds is affine on ⟨v t+2 ⟩.The variation of the differential uniformity between Rounds t and (t + 2) then looks like "high, low, high", a dit (•) in Morse code.
This algorithm, applied to a small-scaled version of the monomial-based variant of the AES, with m = 2 and q = 2 6 , then enables us to exhibit a round-key sequence for which the differential uniformity varies through the rounds as depicted on Figure 3(b).

Purposeful Weaknesses Against Chains of Subspaces
In this section, we exhibit some other weaknesses that may arise from the existence of chains of subspaces.While our attacks can a priori not be applied to functions satisfying the full description of e.g.Rescue with its original key-schedule, or Rescue-Prime with randomly chosen round-constants, we show how to build primitives that could allow such attacks.Our aim is to illustrate the fact that the arguments currently used when discussing the security of arithmetization-oriented primitives are not sufficient for assessing their real security level, since the very same arguments apply to the following weak primitives.In summary, security arguments in this area usually boil down to a simple wide trail argument against differential and linear attacks coupled with a complexity analysis of algebraic attacks.There should a priori not be anything wrong with this approach, but we argue here that other attack vectors are not properly captured by such analyses.First, we present in Section 5.1 how to ensure the presence of a subspace chain in a permutation or block cipher using a slight variant of the Rescue round function. 7Using this tool, we construct a permutation intended to build a sponge-based hash function, Stir, (Section 5.2).Using the extra freedom given by the choice of arbitrary round constants, we ensure the presence of a chain of affine subspaces that, thanks to their structure, enables trivial solutions for the CICO problem (whose definition we will recall).
Then, we apply the Malicious framework [PW20] to construct Snare, a backdoored tweakable block cipher over a large prime field (Section 5.3), which reuses the overall structure of Rescue but uses a different key schedule, and a specific linear layer.Based on similar ideas to those in Malicious-AES and Boomslang [BBFL22], Snare weaponizes subspace chains to enforce the existence of a specific invariant subspace, whose presence is used to significantly speed-up a key-recovery attack.
For the sake of simplicity, these two primitives are defined over a field with odd characteristic, i.e., q is not a power of 2.

Forcing a Subspace Chain
Consider a potential chain V 0 → V 1 → V 2 ... → V N for a monomial-based SPN with round function R(q, m, α, M, r t ).Using the notation of Section 3, we may write V t = {a t + xv t , x ∈ F q } for all 0 ≤ t ≤ N .Where appropriate, the first index denotes the round number and the second one denotes the index of the coordinate.Recall that Rescue uses both S and S −1 .We write S t = S whenever t is even and S −1 whenever t is odd.
By adding together the relationships between consecutive separable affine spaces and the conditions described in Section 3.5 guaranteeing that they do in fact chain, we obtain a system of equations over this chain, where the pairs (r t , λ t+1 ) are chosen in order to satisfy the conditions in Theorem 2, namely To ensure that the subspace chain happens, we choose M such that all v t , 0 ≤ t < N , are equal to a unique vector u with u m−1 = 0 (the importance of this last requirement will become obvious in Section 5.2).It must also be such that there exists a scalar µ verifying: (3) A vector u satisfying Equation (3) is a priori not an eigenvector of M , which makes it more difficult to detect.The fact that Rescue uses both S and S −1 limits our possible choices for u.In order to simplify this task, we will try to get u such that S(u) = S −1 (u).Since S(x) = x α , we need solutions8 of x α 2 = x, so that the coordinates of u will be (α 2 − 1)-th roots of unity.Since α and q are both odd when p ̸ = 2, it holds that gcd(α 2 − 1, q − 1) ≥ 2, and we can always find gcd(α 2 − 1, q − 1)-th primitive roots of unity.As said above, it is better if u is not an eigenvector of M , which implies that its nonzero coefficients should take different values.9Not only that, if we define u as a succession of 1 and −1 (as 2nd roots of unity) with 0 as its last coefficient, u would still be an eigenvector of M , due to the fact that 1 α = 1 and (−1) α = −1.Instead, we can be a little more subtle by using gcd(α 2 − 1, q − 1)-th roots of unity that would not make u an eigenvector.10 Example 1 (Computation of u).Let us use the parameters of the permutations in the ZK Hash Bounties [Eth21], i.e. p = 1844674407370955155, α = 3 and m = 3.This gives gcd(α 2 − 1, p − 1) = 4, and we are able to define u using ρ, a 4-th primitive root of unity, among 2 possible choices in F p , both verifying ρ 2 = −1.For instance, we choose u = (1, ρ, 0) T .We then have S(u) = S −1 (u) = (1, −ρ, 0) T .Now that the space in which u must live is specified, we need to find M such that Equation (3) holds for such a u, i.e. such that M • S(u) = µu for some µ ∈ F q .A usual method to construct MDS matrices is based on so-called Cauchy matrices.

Definition 5 (Cauchy Matrices)
. A matrix M of size (m × m) is a Cauchy matrix if and only if there exist scalars σ 1 , σ 2 , ..., σ m , τ 1 , τ 2 , ..., τ m such that, for all 1 ≤ i, j ≤ m, σ i + τ j is nonzero and Choosing a good M for our purpose then consists in finding distinct σ 1 , σ 2 , ..., σ m , τ 1 , τ 2 , ..., τ m which verify the constraints in Equation (3).These constraints correspond to m non-linear equations with 2m + 1 unknowns (including µ).By multiplying each line , and setting m = 3 for readability, we obtain: This gives m equations, m − 1 of which have degree m − 1 with the last one having degree m − 2. We can see that solving this system is not hard when m is small, as is typically the case.Moreover, by fixing µ and τ 1 , ..., τ m , we get m independent univariate equations of degree m − 1 (except for the last one which is of degree m − 2).
In practice, we can sample µ and distinct τ 1 , ...τ m randomly until the univariate solver natively present in SAGE [The20] finds a distinct solution for each equation such that for all 1 ≤ i ≤ m, 1 ≤ j ≤ m, σ i ̸ = τ j .We have found that sampling one tuple is usually enough.The code in SAGE used to generate such matrices is given in Appendix B.1.

The Weak Hash Function Stir
The CICO problem.Before introducing the specification of Stir, we recall the CICO problem and its role in the security analysis of permutations [BDPA11].As we will see later, the existence of a chain of subspaces makes the resolution of this problem easier.
The state-of-the-art problem used to analyze sponge functions is the CICO (Constrainedinput constrained-output) problem.It has to be difficult to solve, otherwise the security of the hash function may be compromised.It is often used as a proxy to estimate the security provided by a public permutation as, for instance, the complexity of a key recovery does not apply in this context.It is actually the problem that had to be solved for the ZK Hash Function Cryptanalysis Bounties 2021 organized by Ethereum [Eth21], which was tackled in [BBLP22].The CICO problem is defined as follows.
Definition 6 (CICO Problem).Let f : F m q → F m q be a mapping, and c < m an integer.We define the CICO problem as finding x ∈ F m q such that the last c coordinates of x and of f (x) are equal to zero.
Crucially, the set of elements of F m q whose last c coordinates are 0 is a separable affine space of dimension (m − c).In a more limited scope, we may consider the separable affine spaces of dimension 1 whose last c coordinates of the basis vector and of the offset are 0. Specification.Stir is a hash function following the sponge construction.Its inner permutation operates on tuples of m elements of F p , where p is a prime.The specification of this permutation is very similar to that of Rescue: its even rounds consist of a layer of S-boxes x → x α , followed by a multiplication of the state by an MDS matrix M , and then a round-constant addition.Its odd rounds are very similar, except that the S-box layer is replaced by its inverse defined as explained below.As we can choose the round constant freely, we can enforce the existence of subspace chains.
Here, we consider a potential chain of affine subspaces of dimension 1, V t = a t + ⟨u⟩, for 0 ≤ l ≤ N , where u is defined as in Section 5.1, i.e., it satisfies Equation (3).If the last coordinates of a 0 and a N are equal to 0, then each input in V 0 = a 0 + ⟨u⟩ is a solution of the CICO problem.Ensuring that the subspaces V t , 0 ≤ t ≤ N form a chain of separable affine subspaces for Stir then boils down to finding appropriate round constants.
Since u was chosen so that all of its coordinates are nonzero (as roots of unity), except the last one, and since we are interested in inputs with their last coordinates always equal to 0, we can take a 0 = 0.The round constants r 0 , r 1 , ..., r N −2 are then determined by the conditions of Theorem 2. Since all v t are equal to u and supp(u) ⊆ {0, . . ., m − 2}, the conditions can be rewritten as: there exist λ 1 , . . ., λ N −1 such that where M i denotes the ith row of M .
In order to compute r t , we can randomly sample r t,0 as well as r t,m−1 (the latter does not have any constraint) in F p , and then insert the expression of λ t+1 in the other equations, which yields explicit formulas to compute r t , for all 0 ≤ t < N − 1: There is a small exception for the last round, since r N −1,m−1 must be chosen in order to have a N,m−1 = 0, and thus to ensure the existence of many simple solutions for the CICO problem.This gives, similarly to the other coefficients: Finally, by construction, these choices of M and r t guarantee that the linear subspace V 0 is mapped to the output affine subspace V N , both having their last coordinate always equal to 0. Thus, the designer has access to p solutions to the CICO problem that are all included in the same subspace.
Stir has been designed such that there exists a chain of subspaces propagating through the function, starting from a linear subspace V 0 = ⟨u⟩, and with affine subspaces V t = a t + ⟨u⟩ in all intermediate states.Instead, if we want V 0 and V N to be affine subspaces too, i.e., with a 0 and a N nonzero, we have to find a nonzero vector a 0 whose last coordinate vanishes and which satisfies supp(a 0 ) ∩ supp(u) = ∅.This implies that |supp(u)| ≤ m − 2, and requires m ≥ 5 when M is MDS, as shown by the following lemma.Lemma 2. Let M be an m × m-MDS matrix over F q and S be a nonlinear layer over F m q .If there exists u ∈ F m q such that M • S(u) = µu for some µ ̸ = 0, then Thus, if it is also required that |supp(u)| ≤ m − 2, then we need that m ≥ 5.By comparison with a uniformly random sampling, the round constants in Stir satisfy m − 2 constraints at each round (resp.m − 1 constraints at the last round).This is similar to sampling, for all t, the restriction of r t to supp(u), (r t ) |supp(u) , randomly in an affine space of basis (u) |supp(u) and of offset −M • S(a t ) |supp(u) .This pattern seems a priori hardly recognizable, especially when m = 3, since each vector r t only has one linear constraint among its coordinates.However, Algorithm 1 successfully detects the existence of a chain of subspaces through the permutation, as can be checked with our implementation of Stir in SAGE .

The Backdoored Tweakable Block Cipher Snare
We now use the variant of the Malicious framework presented in [BBFL22] to design a backdoored tweakable block cipher, Snare, based on the existence of chain of subspaces over the cipher.The Malicious framework provides a generic construction of a secure tweakable block cipher for which a specific tweak T ⋆ acts as a backdoor for recovering the secret key.An interesting feature of this framework is that discovering this backdoor is computationally difficult, even if its general form is known.
Specification.Snare encrypts a tuple of m elements of F p using a key K and a tweak T in F p , where p is a prime with a bitlength larger than the intended security level.In what follows, we let11 m = 3.The round function reuses the inner permutation of Stir, where the round-constant addition is replaced by the addition of a round key and of a round-tweak.
Each round-key is an element of F 2 p which is added to the first two branches of the internal state.The coordinates of the round-key used during Round t are obtained from a key-state K t ∈ F p by setting rk 0,t = K t and rk 1,t = ρ K t , where ρ is defined as in Section 5.1.In order to prevent slide attacks, and more generally to ensure that the rounds are different from one another, the key state is updated by a simple affine function at each round, namely K t+1 = A t K t + t, where t is the round counter interpreted as an element of F p , and each A t is a pseudo-randomly generated element of F p that is part of the specification, e.g. it can be generated using the output of Shake [SHA15].We simply set K 0 to be the master key.
The round tweak is an element of F p which is added to the last branch of the internal state.It corresponds to the addition of a round constant r t and a value derived from the master tweak T using an extendable output function H, like Shake: (rt 0 , . . ., rt N ) = H(T ) .
The way we derive elements of F p from the output of Shake is much like the way the original Rescue designers derive their round constants from a short seed, simply by interpreting byte chunks as integers the same order of magnitude as p and reducing them modulo p.The backdoor is inserted in the cipher by choosing a secret master tweak T ⋆ and computing the values (rt ⋆ 0 , . . ., rt ⋆ N ) = H(T ⋆ ).The round-constants are then chosen as r t = −rt ⋆ t for all 0 ≤ t < N .The number of rounds is chosen following the same rules as Rescue.The first two rounds of Snare is depicted on Figure 4. .
It was generated as explained in Section 5.1, using the code in Appendix B.1.We generated the A t pseudo-randomly using a built-in function of SAGE, namely F.random_element with F = GF(p).As the details of the A t do not matter for our purposes, they could be generated in any other way.
Opening its Backdoor.Let X t be the internal state of Snare at the beginning of Round t, so that with e 3 = (0, 0, 1) T , as indeed the key injection was chosen so as to be aligned with u.For the malicious tweak T ⋆ , the last term vanishes.Then, as M was chosen so as to satisfy Equation (3), we have that, for any X t = x t u, with x t ∈ F p , where d = α if i is even, d = 1/α otherwise.As we can see, X t+1 is then also a multiple of u.Indeed, a simple induction shows that if the plaintext is in ⟨u⟩, then all the successive internal states of the block cipher are in the same space with probability 1, including the ciphertext.In other words, ⟨u⟩ is an invariant subspace of the round function.While the existence of this invariant subspace when all (r t + rt t ) vanish can be easily detected, recovering the malicious tweak T ⋆ is difficult since it requires finding a preimage for H.When the master tweak differs from T ⋆ , the probability that (r t + rt t ) vanishes for a given round is 1/p, assuming that rt t is sampled from a uniform distribution over F p .Then, ⟨u⟩ very unlikely to be an invariant subspace over N rounds when T ̸ = T ⋆ .
Using SAGE, the get_alphas, rescue_XLIX_permutation and other functions from a reference implementation12 , as well as the aforementioned matrix M , we were able to experimentally test Snare and show that it does work as intended.In particular, we verified that the images of several multiples of u by this instance of Snare are of the form µu for the malicious tweak T ⋆ , and that it is not the case when T ̸ = T ⋆ .
Beyond the fact that this property is a trivial distinguisher for the block cipher, it also significantly impacts key recovery.One of the main attacks targeting arithmetizationoriented primitives is based on modeling the relation between the successive internal states using non-linear equations, and then solving those using a dedicated tool (e.g. a Gröbner bases solver) in order to recover a secret key, or a preimage, etc.In practice, this attack is often the one deciding the total number of rounds.For Snare, it is possible to greatly simplify this attack using the property highlighted in Equation (6).
Let us recall the principle of the general attack that could be applied to any variant of Rescue.The idea is to write a set of nonlinear equations for each pair of rounds (assuming the total number of rounds is even), namely those modeling that, for even t, We also need to add the equation K t+1 = A t K t + t in each round in order to track the evolution of the key state.Then, we can fix X 0 and X N using a known plaintext/ciphertext pair, and solve the system in order to recover the intermediate values X t as well as the master K 0 .This basic attack should not work: the number of rounds of Snare is chosen using the same rules as for Rescue, and the security analysis done by the authors of this algorithm shows that such an attack is not faster than a brute-force search for the key.
However, suppose now that an attacker aware of the backdoor uses specifically a plaintext of the form x 0 u.Then, they can deduce from their knowledge of the backdoor that X t is of the form x t u at each round, which allows a significant speed up of the attack.Indeed, instead of introducing a system with m equations and m variables modeling the internal state at each even round, we only need to introduce one for each: and the same one as before for the key schedule.This greatly simplifies the system, and decreases its resolution time.It is actually equivalent to the previous model over a single branch, and where the linear layer M corresponds to the multiplication by a scalar µ.For an attacker unaware of the hidden structure, the system of equations will remain hidden: only people familiar with the backdoor can effectively recover the key.
For N rounds (with N even), assuming that we have access to a plaintext/ciphertext pair with a plaintext of our choice, we can solve the system by computing one of its Gröbner bases in lexicographical order, with the master key as the variable of maximum order.Then, we can extract a univariate polynomial equation verified by the master key and solve it, yielding a small number of candidates which includes the key.Replacing all of the K t by their linear expression in K 0 yields N/2 equations of degree α over N/2 variables (the (N/2 − 1) intermediate x t and the master key K 0 ).
We were able to solve this system for small numbers of rounds, as a verification of its correctness, using a toy implementation in SAGE.Experimentally, it seems that the degree of regularity d reg achieves Macaulay's bound (see [BFS15]).This is different from the polynomial systems studied in the original Rescue-Prime paper, most likely due to the fact that we introduce the master key as an additional variable.Using the formula in [BFS15] and Macaulay's bound for the degree of regularity, the complexity of F 5 (with Strassen's algorithm in O(n ω ) with ω ≈ 2.807) can be bounded by and, using the probabilistic methods in [FGHR14], the complexity of FGLM with the same parameters is bounded by O (N/2)α ωN/2 .The complexity bounds for the more general system use the same expressions, with mN instead of N .By dividing the number of variables and equations by m, we get a time complexity that is essentially the m-th root of the one in the general attack, effectively breaking the security of a potential implementation of Snare by a wide margin, even though the expected security claims based on e.g. the wide trail strategy and the usual complexity bounds would apply.

Conclusions
Our analysis shows that monomial-based Sboxes over large finite fields may introduce weaknesses due to the existence of chains of affine subspaces of dimension 1 through the primitive, for some round-constants (or round-keys).Such chains lead to some abnormal behaviour, including a very high differential uniformity for some fixed keys.These weak keys (or weak round-constants) may also be chosen intentionally, opening the path towards backdoored primitives.This points out that the arguments currently used for assessing the security of the recently proposed arithmetization-oriented primitives are not enough, and that a more in-depth analysis is required.These issues are especially worrying in the case of arithmetization-oriented primitives operating on prime fields.Over binary fields, a classical method to avoid such threats consists in composing a monomial Sbox with an F 2 -affine transformation, like in the AES.But this simple technique cannot be used anymore when the Sbox operates on a prime field.Monomial transformations are then the only known general families of Sboxes over F p having low differential uniformity and linearity, and good performance.Therefore, the search for good Sboxes over F p with a more complex univariate representation is an interesting direction which would offer some better choices to the designers of arithmetization-oriented primitives and avoid the risk related to weak round-constants.
Another conclusion we draw from our results is the importance of limiting the freedom of the implementers of such primitives.Indeed, as the latter might be tempted to tweak the designs to suit their specific implementation constraints, authors must clearly specify which changes are safe and which are not.Therefore, (q − 1) choices remain for each of the (w − 1) other coordinates of v and q choices remain for each of the (m − w) other coordinates of a. Hence: Then, the probability that a sequence of round-constants is such that there exists a separable affine subspace that propagates through N rounds as described in Theorem 2, can be approximated by (2 m − 1)q −(m−1)⌊ N −3 2 ⌋ , which is marginal for practical values of q and N .As a consequence, round constants picked randomly can be safely expected to effectively thwart such patterns.

B.1 Matrix Generation.
The following SAGE code to generates matrices that can be used as linear layers for Snare.
For brevity, and due to the extremely low probability of collision, we do not test whether all coefficients are distinct, but a more thorough program should.# Choose some rho that is a gcd ( alpha **2 -1 , p -1) -th root of unity .

C Differential Properties of Random Functions
In order to investigate the differential properties of functions of F n q , we must first establish a baseline: what is the expected differential behaviour of a random function of this set?
The distribution of the coefficients in the DDT of a permutation on F n 2 is well-known, it has for instance been studied in [O'C94, DR07, DR05].Each entry in the DDT can be approximated by a random variable, all of them being independent and identically distributed.They follow a Poisson distribution with parameter 2 −1 and the expected value of the maximal coefficient is 2n.
However, due to their much rarer relevance, differences defined in arbitrary groups, different from (F n 2 , +), have received less attention.To the best of our knowledge, the only paper that deals with such quantities is [HO99].While its authors consider differentials for the modular addition, they unfortunately focus on Z/2 n Z, which is not the type of ring we consider.Nevertheless, their main result is that the DDT coefficients of a permutation in such a ring behave like independent and identically distributed random variables that follow a Poisson distribution with parameter 1.
The following conjecture argues that the situation is the same in the case of F p = Z/pZ and any finite field, as soon as the characteristic is not 2. Conjecture 1.Let F q be a finite field of characteristic p > 2 and F be a permutation of F q picked uniformly at random.Its DDT coefficients that correspond to non-zero input differences can be accurately modeled as independent and identically distributed variables following a Poisson distribution with parameter 1, with the caveat that DDT F (α, β) = DDT F (−α, −β).
This conjecture follows simply from modeling ∆ a F : x → F (x + a) − F (x) as a random function of F q and from remarking that ∆ a F (x) = −∆ −a F (x + a) As the independence of the variables cannot be proved, we cannot call this result a theorem and stick with "conjecture".Nevertheless, it is backed by our experiments (see Appendix D.1).
A consequence of Conjecture 1 is that the maximum coefficient of the DDT is the maximum out of about (q − 1) 2 /2 independent Poisson variables.Then, the bound established in [HO99] is easily adapted in F q as follows.
Corollary 3. Let F q be a finite field of characteristic p > 2. The probability that the differential uniformity of a permutation of F m q is upper bounded by B(q, m) = 2 ln (q m −1) 2 2 ln ln (q m −1) 2 2 converges to 1 as q m increases, where ln is the Neperian logarithm.
This quantity only depends on q m , the size of the set on which the permutation operates.Most notably, it takes the same value for permutations of F m q and permutations of F q m .

D.1 Conjecture 1.
Conjecture 1 states that the entries of the DDT of a random permutation follow a Poisson distribution.In order to test it, we have computed the differential spectra of multiple permutations picked uniformly at random for q = p 2 and for various values of p.The result is given in Figure 5.As we can see, even for small values of p, the entries do behave like independent and identically distributed random variables following a Poisson distribution with parameter 1.

D.2 Corollary 3.
Corollary 3, based on Conjecture 1 is all the more plausible in light of our experimental results detailed in Table 1: this table compares the bound from Corollary 3 and the exact differential uniformities for 100 randomly generated permutations of F 2 p where p takes each prime value between 2 3 and 2 5 .

E Chaining subspaces of higher dimension
As previously mentioned, it is rather unlikely that the image of a subspace of dimension 2 or more is separable.The following proposition shows, as a special case, that this cannot occur when the linear layer is MDS if F (a) + ⟨M S(v 1 ), . . ., M S(v d )⟩ is the canonical representation of F (V ).
Proposition 5. Let S be a substitution layer corresponding to m copies of an Sbox S over F q , and M be an MDS matrix over F q .For any v 1 and v 2 in F m q such that supp(v 1 ) ∩ supp(v 2 ) = ∅, we have supp (M S(v 1 )) ∩ supp (M S(v 2 )) ̸ = ∅ .
Proof.Suppose that v 1 and v 2 have disjoint supports.It obviously follows that wt(v 1 ) + wt(v 2 ) ≤ m .
It may obviously happen that F (a) + ⟨M S(v 1 ), . . ., M S(v d )⟩ is not the canonical representation of F (V ), and that the fact that F (V ) is separable can be deduced by considering other basis vector.However, finding an explicit formula generalizing the one-dimensional case seems very difficult, and an algorithmic approach seems more promising.

Figure 2 :
Figure 2: The evolution of the differential uniformity of several Rescue instances with m = 2 through their rounds, divided by B(p, m) (see Appendix C).Each color corresponds to a different prime characteristic p, from 13 to 61.

Figure 3 :
Figure 3: (a) Differential uniformity of the monomial-based variant of AES where the key is chosen as detailed in Proposition 3 to get a spike at every even round.(b) Differential uniformity which encodes "MERRYXMAS" in Morse code, without spaces.Blue lines separate letters.

Figure 4 :
Figure 4: The first two rounds of Snare.

Figure 5 :
Figure 5: Distribution of the DDT coefficients of some permutations picked uniformly at random.

Table 1 :
Differential uniformities of pseudo-randomly generated permutations of F 2 p .