Influence of the Linear Layer on the Algebraic Degree in SP-Networks

We consider SPN schemes, i.e., schemes whose non-linear layer is defined as the parallel application of t ≥ 1 independent S-Boxes over F2n and whose linear layer is defined by the multiplication with a (n · t) × (n · t) matrix over F2. Even if the algebraic representation of a scheme depends on all its components, upper bounds on the growth of the algebraic degree in the literature usually only consider the details of the non-linear layer. Hence a natural question arises: (how) do the details of the linear layer influence the growth of the algebraic degree? We show that the linear layer plays a crucial role in the growth of the algebraic degree and present a new upper bound on the algebraic degree in SP-networks. As main results, we prove that in the case of low-degree round functions with large S-Boxes: (a) an initial exponential growth of the algebraic degree can be followed by a linear growth until the maximum algebraic degree is reached; (b) the rate of the linear growth is proportional to the degree of the linear layer over F2n . Besides providing a theoretical insight, our analysis is particularly relevant for assessing the security of cryptographic permutations designed to be competitive in applications like MPC, FHE, SNARKs, and STARKs, including permutations based on the Hades design strategy. We have verified our findings on small-scale instances and we have compared them against the currently best results in the literature, showing a substantial improvement of upper bounds on the algebraic degree in case of low-degree round functions with large S-Boxes.


Introduction
Most modern block ciphers and cryptographic permutations over $\mathbb{F}_2^N$, for $N = n \cdot t$, are based on the iteration of a round function. In many cases, the round function is composed of two main components, a non-linear layer $S$ and a linear layer $M$ (including the addition of round constants). The non-linear layer $S$ is defined as the parallel application of $t$ independent non-linear functions over $\mathbb{F}_2^n$. The linear layer $M$ is defined via the multiplication with an $(n \cdot t) \times (n \cdot t)$ matrix over $\mathbb{F}_2$. This design strategy is called a Substitution-Permutation-Network (SPN). The particular combination of these two building blocks, their details and the number of rounds are chosen to guarantee security against all possible means of analysis present in the literature, while at the same time achieving good performance in the target applications. Regarding the security aspect, the analysis of symmetric schemes can

Influence of the Linear Layer on Statistical Analysis. For statistical analysis, the impact of the linear layer on the security against this means of analysis is well studied in the literature. If the linear layer of a scheme is defined by the multiplication with a $t \times t$ matrix over $\mathbb{F}_{2^n}$, an upper bound on the probability of differential trails can be found by considering both the maximum differential probability of the involved S-Boxes (namely, the maximum probability that a non-zero input difference is mapped into an output difference) and the branch number of the linear layer (that is, the maximum number of active S-Boxes over two consecutive rounds). This is known as the wide-trail design strategy [DR01, DR02a]. Analogous results hold for the case of linear trails. If the linear layer does not admit an equivalent representation as a $t \times t$ matrix over $\mathbb{F}_{2^n}$, statistical analysis that makes use of this alignment is frustrated after a few rounds, but, e.g., the wide-trail design strategy does not apply anymore. In this scenario, differential/linear bounds are often obtained by computer-aided proofs.

Influence of the Linear Layer on Algebraic Analysis. Contrary to statistical analysis, the influence of the linear layer on the security against algebraic analysis is not well researched in the literature. Focusing on schemes over $\mathbb{F}_2^N$, let us consider, e.g., higher-order differential cryptanalysis [Lai94, Knu94], probably one of the most powerful cryptanalytic methods for symmetric primitives over $\mathbb{F}_2^N$ with low-degree building blocks. Given an instance of a (keyed or keyless) cryptographic permutation $P : \mathbb{F}_2^N \to \mathbb{F}_2^N$, higher-order differential cryptanalysis exploits the fact that if the algebraic degree of $P$ is strictly smaller than $N - 1$, then for any (proper) vector subspace $V \subseteq \mathbb{F}_2^N$ with dimension strictly greater than the algebraic degree of $P$ and for any $v \in \mathbb{F}_2^N$, we have $\bigoplus_{x \in V \oplus v} P(x) = 0$. Since the same property does not, in general, hold for a permutation drawn at random, it is possible to distinguish a given (keyed or keyless) permutation from a random permutation. The idea was first introduced by Lai [Lai94], albeit without a concrete application. Knudsen [Knu94] then used higher-order differentials to analyze low-degree ciphers which were deemed secure against standard differential cryptanalysis. The crucial problem in higher-order differential distinguishers against iterated constructions is the analysis of the growth of the algebraic degree. Currently, the best generic upper bound for the growth of the algebraic degree is given in [BCD11], where the authors upper bound the algebraic degree of the composition of two functions over $\mathbb{F}_{2^n}^t$. More recently, for the particular case in which the round function is defined as a low-degree polynomial over $\mathbb{F}_{2^N}$, a more accurate estimate on the minimum number of rounds to reach maximum algebraic degree has been proposed in [EGL+20]. However, in all these cases, the details of the linear layer are not taken into account.
The Scope of our Results. We pick up this problem, and we show how the details of the linear layer influence the growth of the algebraic degree in SPN schemes. As main results,
• we prove a linear upper bound on the growth of the degree that improves the exponential one proposed in [BCD11];
• we analyze the impact of the linear layer on the growth of the degree. That is, we prove that the rate of the linear growth is proportional to the degree of the linear layer when written as a linear function over $\mathbb{F}_{2^n}^t$.
We point out that this is not only of theoretical interest. Indeed, motivated by new applications such as secure Multi-Party Computation (MPC), Fully Homomorphic Encryption (FHE) and Zero-Knowledge proofs (ZKP), the need for symmetric encryption schemes with a simple natural algebraic description has become ever more apparent. This is an active area of research, and many dedicated symmetric encryption schemes that aim for simple arithmetization or directly aim for a small number of multiplications in $\mathbb{F}_{2^n}$ or $\mathbb{F}_p$, for large $n$ and prime $p$ (usually, $2^n, p \approx 2^{128}$), have recently been proposed in the literature [DGGK21]. Many of these proposed schemes use "algebraically simple" S-Boxes, e.g., based on a power mapping $x \mapsto x^d$ for a small odd integer $d \ge 3$. In these schemes, our bounds are most competitive against other state-of-the-art bounds and, furthermore, they help to establish a more accurate estimate for the number of rounds that guarantee security in future MPC-/FHE-/ZKP-friendly designs.
Nomenclature. Since we do not make any assumption about the round-keys, our results equally apply to keyed and keyless permutations. Thus in this paper we refer to both by using the term "schemes". In this nomenclature, e.g., an SPN scheme is a family of permutations built from an SPN construction parametrized by secret keys or publicly known constants.

Related Work in the Literature
We focus on iterated schemes, that is, schemes consisting of several iterations of the same round function. Algebraic analysis, like interpolation or higher-order differential and integral distinguishers, is based on bounding the (algebraic) degree of the analyzed scheme, which is in general a difficult task. Here, we recall the main results in the literature that focus on this problem. For a more detailed discussion and comparison of different approaches to bounding the algebraic degree we refer to [CXZZ21].

Theoretical Bounds on the Algebraic Degree
A naive bound for the algebraic degree of the composition of two functions $F, G$: If iterated, this bound leads to an exponential bound on the algebraic degree for the composition of more than two functions and a first estimate about the minimum number of rounds to reach maximum algebraic degree in SPN schemes. For an SPN scheme defined over $\mathbb{F}_{2^n}^t$ with S-Box layer of algebraic degree $\delta$, it follows that at least rounds are required to reach maximum degree (note that the affine layer does not increase the algebraic degree).

Result by Boura, Canteaut and De Cannière [BCD11]. The naive exponential bound, however, does not reflect the real growth of the algebraic degree when considering iterated schemes, and the problem of estimating the growth of the algebraic degree has therefore been studied in the literature. After the initial work of Canteaut and Videau [CV02], a tighter upper bound was presented by Boura, Canteaut, and De Cannière in [BCD11]. In there, the authors deduce a new bound for the algebraic degree of iterated permutations for SPN schemes over $\mathbb{F}_{2^n}^t$, which includes functions that have a number of $t \ge 1$ balanced S-Boxes over $\mathbb{F}_{2^n}$ as their non-linear layer. The bound in [BCD11] only relies on the algebraic degree of the S-Box, and no assumption on the linear layer is made. To apply the result presented in [BCD11], one has to determine a particular parameter $\gamma$ that depends on the details of the S-Box. As we discuss in Section 4.1, for an S-Box over $\mathbb{F}_{2^n}$ the cost for computing $\gamma$ is exponential in $n$. This means that for large S-Boxes (e.g., $n \ge 64$) it is infeasible to determine $\gamma$ computationally, and a further study of the analyzed scheme is necessary. However, theoretically bounding $\gamma$ is in general a difficult task. Apart from the bound of Boura, Canteaut and De Cannière, in a follow-up work Boura and Canteaut studied the influence of $F^{-1}$ on the algebraic degree $\deg(G \circ F)$ [BC13]. As main result, they discuss how the algebraic degrees of $F^{-1}$ and $F$ affect each other, which subsequently allows them to bound the algebraic degree of $G \circ F$ by means of the degrees of $G$ and $F^{-1}$.

Result by Carlet [Car20]. More recently, Carlet [Car20] presented a bound on the algebraic degree of $G \circ F$ by working with the indicators of the graphs $G_F$ and
In this work, Carlet bounds the algebraic degree of $G \circ F$ via the degree of $G$ and the degree of the indicator function of $G_F$. However, the bounds in [Car20] require evaluating the degree of large quantities of products of coordinate functions (see [Car20, Theorem 5]) and, to the best of our knowledge, it is unclear if the bounds in [Car20] practically improve upon the ones in [BCD11] if the function $F$ in $G \circ F$ is bijective. In this scenario, the deduced bound on the algebraic degree of $G \circ F$ is essentially the same as in [BC13] (see the discussion after Corollary 5 in [Car20]).

Division Property. A generalization of integral and higher-order differential distinguishers is the division property [Tod15], proposed by Todo at Eurocrypt 2015.
The division property generalizes integral cryptanalysis and higher-order differential distinguishers in the sense that it is interested in the sum of this quantity taken over all vectors of $X \subseteq \mathbb{F}_2^n$. To the best of our knowledge and at the current state of the art, the division property can only provide useful bounds on the algebraic degree for small $n$. Indeed, currently it is infeasible to apply the two-/three-subset bit-based division property [TM16, FTIM17, WHT+18, HSWW20] to large S-Boxes (i.e., of size bigger than 12 bits to the best of our knowledge). Hence, such a tool does not seem to be useful in the case of schemes defined over $\mathbb{F}_{2^n}^t$ for large $n$ (as targeted in this paper), and a theoretical estimation is hence crucial.

Algebraic Degree in MiMC-Like Schemes. MiMC [AGR+16, GRR+16] is a scheme natively defined over $\mathbb{F}_{2^N}$, where the S-Box is given by the cube function $x \mapsto x^3$. Only recently a new upper bound on the algebraic degree of MiMC-like schemes (that is, of schemes defined over $\mathbb{F}_{2^N}$ via a round function of degree $d \ge 3$) has been proposed in [EGL+20] at Asiacrypt 2020. More precisely, the authors show that when the round function can be described as a low-degree polynomial function over $\mathbb{F}_{2^N}$ of degree at most $d$, the algebraic degree $\delta(r)$ of $r$ iterations of the round function grows linearly with the number of rounds, i.e., $\delta(r) \le \log_2(d^r + 1)$. This observation implies that at least $\log_d(2^{N-1} - 1)$ rounds are required for reaching maximum algebraic degree. As a concrete application, [EGL+20] shows that the number of rounds in MiMC needs to be increased by several percent to resist all known cryptanalysis. Nevertheless, the authors of [EGL+20] do not provide any statements about how to generalize their findings to SPN schemes.

Our Contribution
As main contribution, we present a new theoretical upper bound on the algebraic degree for SPN schemes over $\mathbb{F}_{2^n}^t$ in Theorem 1. In more detail, we consider SPN schemes over $\mathbb{F}_{2^n}^t$ for $n \ge 3$ and $t \ge 2$, where
• the S-Boxes are defined via invertible non-linear polynomial functions over $\mathbb{F}_{2^n}$ of univariate degree $d \ge 3$ and algebraic degree $\delta \ge 2$;
• the linear layer is defined as the multiplication with an invertible matrix in $\mathbb{F}_2^{n \cdot t \times n \cdot t}$. We denote by $l = 2^{l'}$ the degree of the corresponding function over $\mathbb{F}_{2^n}$.

Table 1: Parameters used in our results.
$\mathbb{F}_{2^n}$: finite field with $2^n$ elements
$\mathbb{F}_{2^n}^t$: $t$-fold cartesian product of $\mathbb{F}_{2^n}$
$n$: S-Box size in bits
$t$: number of words in the SPN
$N := n \cdot t$: state size in bits
$d$: word-level degree (over $\mathbb{F}_{2^n}$) of the S-Boxes
$\delta$: algebraic degree (over $\mathbb{F}_2$) of the S-Boxes
$l := 2^{l'}$: degree of the linear layer (over $\mathbb{F}_{2^n}$)
$\bar{d}$: word-level degree (over $\mathbb{F}_{2^n}$) of the round function

In Section 2.2 we give more details about the definition of an SPN scheme and the involved degrees $\delta$, $d$, $l$ and $\bar{d}$. As a quick reference, Table 1 provides a more comprehensive overview of the parameters in our results. In Theorem 1 we prove that the algebraic degree $\delta(r)$ after $r$ rounds is upper-bounded by
It follows that at least rounds are necessary to reach maximum algebraic degree $n \cdot t - 1$, see Section 3.1. Our results have been practically verified on small-scale schemes. Section 5 is devoted to a more detailed discussion of our practical experiments. Moreover, our results match the ones given in [EGL+20] for the particular case $t = 1$.
Comparison with Related Work. As discussed above, there are two possible approaches for estimating the growth of the algebraic degree in SPN schemes: theoretical bounds, like the one by Boura, Canteaut and De Cannière [BCD11], and tool-based bounds, like the division property. However, both approaches have inherent limitations when applied to SPN schemes defined over $\mathbb{F}_{2^n}^t$ for large $n$ (as targeted in this paper and important for MPC-/FHE-/ZKP-friendly schemes): in the first approach, the degree of the S-Box over $\mathbb{F}_{2^n}$ and the alignment of the scheme (hence, the degree of the linear layer over $\mathbb{F}_{2^n}$) are not taken into account. While this could be an advantage in the sense that such results apply to a large class of schemes, the resulting estimation of the growth of the algebraic degree is far from being optimal when applied to schemes over $\mathbb{F}_{2^n}^t$ with large and low-degree S-Boxes; in the second approach, the tools cannot tackle large S-Boxes (i.e., $n \ge 12$). Our new results include both scenarios. A concrete comparison between our new bound on the algebraic degree and the one proposed in [BCD11] for an SPN scheme over

Preliminaries
In this section, we recall the most important results about polynomial representations of Boolean functions and we recall the definition of SPN and iterated Even-Mansour schemes. We also introduce the classification of weak-arranged and strong-arranged SPN schemes.

Polynomial Representations over Binary Extension Fields
We denote addition (and subtraction) in binary extension fields and polynomial rings over binary extension fields by the symbol $\oplus$. For $n, t \in \mathbb{N}$, every function $F : \mathbb{F}_{2^n}^t \to \mathbb{F}_{2^n}$ can be uniquely represented by a polynomial over $\mathbb{F}_{2^n}$ in $t$ variables with maximum degree $2^n - 1$ in each variable, i.e., as for certain $\varphi(v) \in \mathbb{F}_{2^n}$. We refer to this representation as the word-level representation. At the same time, the function $F$ can be written as an $n$-tuple $(F_1, \dots, F_n)$ of functions $F_i : \mathbb{F}_2^N \to \mathbb{F}_2$ and thus admits a unique representation as an $n$-tuple $(F_1, \dots, F_n)$ of polynomials over $\mathbb{F}_2$ in $N := n \cdot t$ variables with maximum degree 1 in each variable. Here, $F_i$ takes the form where the coefficients $\rho_i(u) \in \mathbb{F}_2$ can be computed by the Moebius transform with a time complexity of $O(N \cdot 2^N)$ additive operations. We call this alternative description the bit-level representation of $F$. Combining Equations (3), for $1 \le i \le n$, into a single polynomial representation leads to a description of $F$ as a single polynomial in $N = n \cdot t$ variables, but now with coefficients in $\mathbb{F}_2^n$ instead of $\mathbb{F}_2$. Whenever we refer to the degree of a single variable in $F$ (or $F_i$), we shall speak of the univariate degree. In contrast, the degree of $F$ (or $F_i$) as a multivariate polynomial shall be called its multivariate degree, or just its degree. We denote functions $F : \mathbb{F}_2^n \to \mathbb{F}_2$ as Boolean functions and hence functions of the form $F : \mathbb{F}_2^n \to \mathbb{F}_2^m$, for $n, m \in \mathbb{N}$, as vectorial Boolean functions. We only work with vectorial Boolean functions where $n = m$. The unique polynomial representation of a Boolean function is called its algebraic normal form (ANF), which we emphasize with the following definition.
Definition 1. Let $F : \mathbb{F}_2^n \to \mathbb{F}_2$ be a Boolean function. The algebraic normal form (ANF) of $F$ is the unique representation as a polynomial over $\mathbb{F}_2$ in $n$ variables and with maximum univariate degree 1, as given in Eq. (3). The algebraic degree $\delta(F)$ of $F$ is the degree of this representation as a multivariate polynomial over $\mathbb{F}_2$.
When the function $F$ is clear from the context, we also write $\delta$ instead of $\delta(F)$. If $G : \mathbb{F}_2^n \to \mathbb{F}_2^n$ is a vectorial Boolean function and $(G_1, \dots, G_n)$ is its representation as an $n$-tuple of multivariate polynomials over $\mathbb{F}_2$, then its algebraic degree $\delta(G)$ is defined as the maximal algebraic degree of its coordinate functions $G_i$, i.e., as $\delta(G) = \max_{1 \le i \le n} \delta(G_i)$. The link between the algebraic degree and the univariate degree of a vectorial Boolean function is well known, e.g., it is established in [CCZ98, Sect. 2.2]: due to the isomorphism of $\mathbb{F}_2$-vector spaces $\mathbb{F}_{2^n} \cong \mathbb{F}_2^n$, every function over $\mathbb{F}_2^n$ can be considered as a function over $\mathbb{F}_{2^n}$ and thus admits a representation as a univariate polynomial over $\mathbb{F}_{2^n}$. Hence, the algebraic degree of a vectorial Boolean function can be computed from its univariate representation. Eq. (4) makes this link explicit: Let $F : \mathbb{F}_{2^n} \to \mathbb{F}_{2^n}$ be a function over $\mathbb{F}_{2^n}$ and let $F(X) = \bigoplus_{i=0}^{2^n - 1} \varphi_i \cdot X^i$ denote the corresponding univariate polynomial description over $\mathbb{F}_{2^n}$. The algebraic degree $\delta(F)$ of $F$ as a vectorial Boolean function is the maximum over all Hamming weights of exponents of non-vanishing monomials, that is
Lastly, we recall that the algebraic degree of an invertible function $F$ over $\mathbb{F}_2^n$ is at most $n - 1$, while the univariate polynomial representation of $F$ over $\mathbb{F}_{2^n}$ has degree at most $2^n - 2$.
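The following Python script is an added worked example (not code from the paper) of the two representations just described: it computes the algebraic degree of a function over $\mathbb{F}_{2^n}$ once from the bit-level representation, by running the Moebius transform on each coordinate function and taking the largest monomial weight, and once from the word-level (univariate) representation, as the maximum Hamming weight of the exponents of non-vanishing monomials. The field size $n = 5$, the reduction polynomial $x^5 + x^2 + 1$ and the sample polynomials are my choices; $n$ is odd so that $x \mapsto x^3$ is a permutation and its inverse $x \mapsto x^{(2^{n+1}-1)/3}$ exists, which lets the script also confirm the degrees $2$ and $(n+1)/2$ quoted later for this pair.

```python
# Added example (not from the paper): algebraic degree of functions over GF(2^n),
# computed from the bit-level ANF (Moebius transform) and from the univariate
# representation (Hamming weight of exponents). Field parameters are assumptions.
N = 5                 # S-Box size in bits (odd, so that x -> x^3 is a permutation)
MOD = 0b100101        # reduction polynomial x^5 + x^2 + 1, irreducible over GF(2)


def gf_mul(a, b):
    """Multiply two elements of GF(2^N) given as N-bit integers."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> N) & 1:
            a ^= MOD
    return r


def gf_pow(a, e):
    """Square-and-multiply exponentiation in GF(2^N)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def eval_univariate(coeffs, x):
    """Evaluate F(X) = XOR_i phi_i * X^i at x, with coeffs = {i: phi_i}."""
    y = 0
    for i, phi in coeffs.items():
        y ^= gf_mul(phi, gf_pow(x, i))
    return y


def moebius_transform(truth_table):
    """Truth table of a Boolean function on N variables -> ANF coefficients.

    Entry u of the result is the coefficient of the monomial prod_{k in u} x_k.
    The butterfly costs O(N * 2^N) XORs, the complexity quoted in the text.
    """
    f = list(truth_table)
    for k in range(N):
        bit = 1 << k
        for x in range(1 << N):
            if x & bit:
                f[x] ^= f[x ^ bit]
    return f


def bit_level_degree(func):
    """Algebraic degree of a vectorial Boolean function GF(2^N) -> GF(2^N):
    the maximum degree over its N coordinate functions, read off their ANFs."""
    table = [func(x) for x in range(1 << N)]
    degree = 0
    for k in range(N):                       # coordinate function F_k
        anf = moebius_transform([(v >> k) & 1 for v in table])
        present = [bin(u).count("1") for u in range(1 << N) if anf[u]]
        degree = max([degree] + present)
    return degree


def word_level_degree(coeffs):
    """Algebraic degree from the univariate representation: the maximum Hamming
    weight over the exponents of the non-vanishing monomials."""
    return max(bin(i).count("1") for i, phi in coeffs.items() if phi)


def check_polynomial(coeffs):
    """Return (bit-level degree, word-level degree) for F(X) = XOR_i phi_i X^i."""
    return (bit_level_degree(lambda x: eval_univariate(coeffs, x)),
            word_level_degree(coeffs))


if __name__ == "__main__":
    cube = {3: 1}                                    # S(x) = x^3, delta = hw(3) = 2
    cube_inv = {(2 ** (N + 1) - 1) // 3: 1}          # S^{-1}(x) = x^{(2^{n+1}-1)/3}
    print("x^3      :", check_polynomial(cube))      # (2, 2)
    print("x^3 inv  :", check_polynomial(cube_inv))  # (3, 3) = (N+1)/2 for N = 5
    print("x^3 + x^7:", check_polynomial({3: 1, 7: 1}))  # (3, 3)
```

Both routes agree on every input, which is the content of Eq. (4); the bit-level route is the one that scales as $O(N \cdot 2^N)$ and becomes infeasible for the large $n$ targeted in the paper, while the word-level route only needs the exponents.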

SPN Schemes
Here we recall the concept of SPN schemes, and we fix the notation used in the rest of the article. Let $E_k^r : \mathbb{F}_{2^n}^t \to \mathbb{F}_{2^n}^t$ denote the application of $r$ rounds of an SPN scheme under a fixed (secret or publicly known) key $k \in \mathbb{F}_{2^n}^t$ with $n \ge 3$, $t \ge 2$, and $N := n \cdot t$. For every $x = (x_1, \dots, x_t) \in \mathbb{F}_{2^n}^t$ we write The subkeys $k_0, \dots, k_r \in \mathbb{F}_{2^n}^t$ may be derived from the master key $k \in \mathbb{F}_{2^n}^t$ by means of a key schedule, or they may just as well be randomly chosen elements. Here, $R$ denotes the composition of the S-Box and the linear layer, i.e., we have $R :$ where all $S_i : \mathbb{F}_{2^n} \to \mathbb{F}_{2^n}$ are assumed to be invertible non-linear polynomial S-Boxes of degree $d \ge 3$ defined as defined by the multiplication with an invertible $(n \cdot t) \times (n \cdot t)$ matrix $M$ with coefficients in $\mathbb{F}_2$. We remark that every $(n \cdot t) \times (n \cdot t)$ matrix $M$ over $\mathbb{F}_2$ gives rise to an $\mathbb{F}_{2^n}$-linear function over $\mathbb{F}_{2^n}^t$. Moreover, every $\mathbb{F}_{2^n}$-linear function over $\mathbb{F}_{2^n}^t$ can be written as a function with $M_{i,j;h} \in \mathbb{F}_{2^n}$ for each $i, j, h$. In other words, each $M_{i,j}$ is a linearized polynomial over $\mathbb{F}_{2^n}$ with respect to the variable $x_j$, and $M_i$ is a sum of linearized polynomials over $\mathbb{F}_{2^n}$. In the following, we denote by $l := 2^{l'}$ the degree of $M$ as a function over
We always assume that the linear layer $M$ ensures full diffusion after a finite number of rounds, in the sense that there exists an $r \in \mathbb{N}$ such that every output word after $r$ rounds depends on every input word $x_1, \dots, x_t$. E.g., the smallest integer $r$ that satisfies the previous condition for an MDS

Classification: Strong-Arranged vs. Weak-Arranged SPN Schemes
We recall that for each $n, t \ge 1$, every matrix in $\mathbb{F}_{2^n}^{t \times t}$ admits an equivalent representation as a matrix in $\mathbb{F}_2^{n \cdot t \times n \cdot t}$, while the opposite does not hold in general. Let us introduce the following definition.
Definition 2. Let $t \ge 2$ and $n \ge 3$, and let $M : \mathbb{F}_{2^n}^t \to \mathbb{F}_{2^n}^t$ be an invertible $\mathbb{F}_{2^n}$-linear function, represented as in Eq. (8). We say that $M$ is ( We note that $\deg(L_1), \deg(L_2)$ are the degrees of $L_1, L_2$ when represented as in Eq. (8).
The same remark applies to the condition $L_1, L_2 \ne M$. Thereby, we exclude decompositions with $L_1 = M$ and $M' = \mathrm{Id}$ ($\mathrm{Id}$ being the identity function). We often just say that $M$ is (ir)reducible instead of $(n, t)$-(ir)reducible; the context will provide enough clarification. Every SPN scheme admits an equivalent representation in which the defining matrix $M$ for the linear layer is irreducible. Indeed, if this is not the case, it is sufficient to incorporate $L_1$ and $L_2$ from Eq. (9) into the non-linear layer $S$, that is and to adjust the round constants. We point out that this procedure may change the degrees $d$ and $l$, but not the degree $\bar{d}$ of the round function.
As a concrete example, consider the AES. Its S-Box over $\mathbb{F}_{2^8}$ is defined as for a certain linear function $L$ over $\mathbb{F}_{2^8}$ of degree strictly bigger than 1. In the equivalent representation in which $L$ and $x \mapsto x^2$ would be incorporated into the linear layer of AES (and so the AES S-Box would be $x \mapsto x^{127}$ over $\mathbb{F}_{2^8}$), the obtained linear layer would not be irreducible anymore with respect to the definition just given. Motivated by the above discussion, we can assume that the linear layer $M$ in an SPN scheme over $\mathbb{F}_{2^n}^t$ is $(n, t)$-irreducible.
On the Degree of the Linearized Polynomial. Given a matrix $M \in \mathbb{F}_2^{(n \cdot t) \times (n \cdot t)}$, the naive way to find its polynomial representation over $\mathbb{F}_{2^n}$ is by interpolation. The polynomial $M_{i,j}$ contains only $n$ different monomials (see Eq. (8)). Hence, $t \cdot n + 1$ input/output pairs suffice to recover the polynomial representation of each $M_i$, and thus $M$. Moreover, given the polynomial representation of an $\mathbb{F}_{2^n}$-linear function over $\mathbb{F}_{2^n}^t$ (as in Eq. (8)), the simplest possible way to check whether it is invertible is to find the corresponding matrix over $\mathbb{F}_2$ and check whether its determinant is non-zero.
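As an added example (not the authors' code), the Python script below carries out the interpolation just described in the other direction from the invertibility check: it builds the binary $(n \cdot t) \times (n \cdot t)$ matrix of an $\mathbb{F}_2$-linear map on $t$ words, recovers each entry $M_{i,j}$ as a linearized polynomial $\bigoplus_h c_h\, x^{2^h}$ by evaluating on the $n$ basis elements $1, \alpha, \dots, \alpha^{n-1}$ and solving the resulting $n \times n$ system over $\mathbb{F}_{2^n}$ (each $M_{i,j}$ separately, so $n$ evaluations per entry), reads off the degree $l$ as the largest $2^h$ with a non-zero $c_h$, and checks invertibility by row reduction over $\mathbb{F}_2$. The field $\mathbb{F}_{2^4}$ with modulus $x^4 + x + 1$ and the two sample layers are my constructions: one is $\mathbb{F}_{2^n}$-linear in the usual matrix sense and has degree $1$, the other applies a squaring to one word and has degree $2$, although both are plain binary matrices.

```python
# Added example (not from the paper): recover the linearized-polynomial form
# M_{i,j}(x) = XOR_h c_h x^(2^h) of a binary linear layer by interpolation and read
# off its degree l = 2^{l'}. Field size, modulus and sample layers are assumptions.
n, t = 4, 2            # word size in bits, number of words
MOD = 0b10011          # reduction polynomial x^4 + x + 1 for GF(2^4)
ALPHA = 0b10           # alpha = x; bit k of a word is the coefficient of alpha^k

def gf_mul(a, b):
    r = 0
    while b:
        if b & 1: r ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1: a ^= MOD
    return r

def gf_pow(a, e):
    r = 1
    while e:
        if e & 1: r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def gf_inv(a):
    return gf_pow(a, (1 << n) - 2)  # a^(2^n - 2) = a^(-1) for a != 0

def to_bits(words):  # t words -> n*t bits; word j occupies bits j*n .. j*n + n - 1
    return [(w >> k) & 1 for w in words for k in range(n)]

def from_bits(bits):
    return [sum(bits[j * n + k] << k for k in range(n)) for j in range(t)]

def matrix_from_map(f):
    """Binary (n*t) x (n*t) matrix of an F_2-linear map f on t words (column c = image of unit vector c)."""
    N = n * t
    cols = [to_bits(f(from_bits([int(i == c) for i in range(N)]))) for c in range(N)]
    return [[cols[c][r] for c in range(N)] for r in range(N)]

def apply_matrix(M, words):
    v = to_bits(words)
    return from_bits([sum(M[r][c] & v[c] for c in range(len(v))) & 1 for r in range(len(M))])

def is_invertible_f2(M):
    """Non-zero determinant over F_2, decided by row reduction on bitmask rows."""
    rows = [sum(b << c for c, b in enumerate(row)) for row in M]
    for col in range(len(M)):
        piv = next((r for r in range(col, len(rows)) if (rows[r] >> col) & 1), None)
        if piv is None:
            return False
        rows[col], rows[piv] = rows[piv], rows[col]
        for r in range(len(rows)):
            if r != col and (rows[r] >> col) & 1:
                rows[r] ^= rows[col]
    return True

def solve_gf(A, y):
    """Gauss-Jordan elimination over GF(2^n): solve A c = y for an invertible A."""
    m = len(A)
    aug = [row[:] + [y[i]] for i, row in enumerate(A)]
    for col in range(m):
        piv = next(r for r in range(col, m) if aug[r][col])
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = gf_inv(aug[col][col])
        aug[col] = [gf_mul(inv, v) for v in aug[col]]
        for r in range(m):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [a ^ gf_mul(f, b) for a, b in zip(aug[r], aug[col])]
    return [row[m] for row in aug]

def linearized_poly(M, i, j):
    """Coefficients c_0..c_{n-1} of M_{i,j}: feeding the basis elements alpha^k into word j
    and reading word i gives the n equations XOR_h c_h (alpha^k)^(2^h) = M_{i,j}(alpha^k)."""
    basis = [1 << k for k in range(n)]
    A = [[gf_pow(b, 1 << h) for h in range(n)] for b in basis]
    y = [apply_matrix(M, [b if w == j else 0 for w in range(t)])[i] for b in basis]
    return solve_gf(A, y)

def linear_layer_degree(M):
    """Degree l of M as a function over GF(2^n)^t: the largest 2^h with some c_h != 0."""
    l = 0
    for i in range(t):
        for j in range(t):
            c = linearized_poly(M, i, j)
            l = max([l] + [1 << h for h in range(n) if c[h]])
    return l

# Constructed sample layers on (x1, x2):
def mds_like(x):  # (alpha*x1 + x2, x1): GF(2^n)-linear, so degree l = 1
    return [gf_mul(ALPHA, x[0]) ^ x[1], x[0]]

def frobenius_mix(x):  # (x1 + x2^2, x1): only F_2-linear, the squaring gives l = 2
    return [x[0] ^ gf_mul(x[1], x[1]), x[0]]

if __name__ == "__main__":
    for name, f in (("mds_like", mds_like), ("frobenius_mix", frobenius_mix)):
        M = matrix_from_map(f)
        print(name, "invertible:", is_invertible_f2(M), "degree l:", linear_layer_degree(M))
```

The $n \times n$ system is always solvable because the evaluation matrix of a linearized polynomial on a basis is non-singular; the same routine applied to a matrix whose bit pattern does not respect the word structure simply returns a larger $l$.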

Growth of the Algebraic Degree in SPN Schemes
In this section we prove a new upper bound on the growth of the algebraic degree in SPN schemes. Our proof proceeds analogously for SPN-derived block ciphers and permutations, respectively, by assuming fixed and publicly known constants in the latter case and fixed secret keys in the former one.

Minimum Number of Rounds for Preventing Higher-Order Differential Distinguishers
Here, we provide a minimum number of rounds to reach maximum algebraic degree in SPN schemes. We show that this number matches the minimum number of rounds needed to provide security against the interpolation analysis [JK97]. A lower bound on the number of rounds to prevent higher-order differential distinguishers is given by independent of the (secret or publicly known) key $k$.
Proof. To reach maximum algebraic degree $n \cdot t - 1$, the polynomial representation of $E_k^r$ over $\mathbb{F}_{2^n}$ must contain a monomial with algebraic degree $n$ in $t - 1$ variables and algebraic degree $n - 1$ in one variable. This happens if $E_k^r$ contains a word-level monomial with univariate degree $2^n - 1$ in $t - 1$ variables and univariate degree $2^{n-1} - 1$ in one variable. Since the multivariate degree of $E_k^r$ after $r \ge 1$ rounds is upper bounded by $\bar{d}^{\,r-1} \cdot d$ (we note that the final linear layer does not affect the algebraic degree), we obtain as a necessary condition on the number of rounds to reach maximum algebraic degree $n \cdot t - 1$. Rearranging for $r$ yields $r \ge 1 + \log_{\bar{d}}\big(t \cdot (2^n - 1) - 2^{n-1}\big) - \log_{\bar{d}}(d)$.

Algebraic Degree of SPN Schemes
As main result of this paper, we prove the following upper bound on the growth of the degree for SPN schemes.
Theorem 1. Let $n \ge 3$ and $t \ge 1$. Consider $r$ rounds of an SPN scheme $E_k^r$ over $\mathbb{F}_{2^n}^t$ as defined in Eq. (5), where $l = 2^{l'} \ge 1$ is the degree of the linear layer, and with the additional assumption that all S-Boxes $S_1, \dots, S_t$ are defined via the same invertible non-linear function $S$ of univariate degree $d \ge 3$ and algebraic degree $\delta \ge 2$.
Let $\bar{d}$ be the degree of the round function.
Let $R_{\exp} := 1 + \lfloor \log_\delta(t) \rfloor$. Then, the algebraic degree of $E_k^r$ after $r$ rounds, denoted by $\delta(r)$, is upper-bounded by independent of the (secret or publicly known) key $k$ and until the maximum algebraic degree $n \cdot t - 1$ is reached.
This means that after an initial exponential growth for the first $R_{\exp} := 1 + \lfloor \log_\delta(t) \rfloor$ rounds, the growth of the degree is upper bounded by a linear growth of the form where the linear rate $t \cdot \log_2(\bar{d})$ is proportional to the number of words $t$ and to the degree $\bar{d}$ of the round function, which is related to the degrees $d$ and $l$ of the S-Boxes and of the linear layer over $\mathbb{F}_{2^n}$.
Idea of the proof. The roadmap for the proof of Theorem 1 reads as follows:
1. Lemma 1 makes a statement about which monomials can occur in the polynomial representation of the encryption function;
2. in Lemma 2 we prove that the algebraic degree grows as fast as $\delta^r$ in the first $R_{\exp} := 1 + \lfloor \log_\delta(t) \rfloor$ rounds; this shows that the naive exponential bound can indeed be achieved;
3. Lemma 3 provides the linear growth for the latter rounds by involving the logarithmic function instead of the Hamming weights, resulting in the bound $\delta(r) \le t \cdot \log_2\!\Big(\frac{\bar{d}^{\,r-1} \cdot d}{t} + 1\Big)$.
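As an added example (not from the paper), the following Python functions evaluate the quantities that Theorem 1 and Section 3.1 are about, so that the "exponential, then linear" shape of the bound can be seen on concrete parameters: the number $R_{\exp}$ of initially exponential rounds, the naive bound $\delta^r$, the linear bound of Lemma 3, and the smallest number of rounds satisfying the necessary condition $\bar{d}^{\,r-1} \cdot d \ge t \cdot (2^n - 1) - 2^{n-1}$ for reaching the maximum degree. Taking the minimum of the exponential and the linear bound is my combination of two bounds that each hold on their own, not a statement of the paper; the round-function degree $\bar{d}$ is passed in as a parameter rather than derived from $d$ and $l$, and the parameter sets in the usage (a MiMC-like case with $t = 1$, and three 64-bit words with cube S-Boxes) are constructed.

```python
# Added example (not from the paper): evaluate the degree bounds of Theorem 1 /
# Lemma 3 and the minimum-round condition of Section 3.1. Parameters follow Table 1;
# the round-function degree dbar is passed in rather than derived from d and l.
import math


def floor_log(base, value):
    """Largest k >= 0 with base^k <= value, using integers only (no float rounding)."""
    k = 0
    while base ** (k + 1) <= value:
        k += 1
    return k


def r_exp(delta, t):
    """Rounds of initial exponential growth: R_exp = 1 + floor(log_delta(t))."""
    return 1 + floor_log(delta, t)


def naive_bound(n, t, delta, r):
    """Iterated deg(G o F) <= deg(G) * deg(F): delta^r, capped at the maximum n*t - 1."""
    return min(delta ** r, n * t - 1)


def lemma3_bound(n, t, d, dbar, r):
    """Linear-growth bound delta(r) <= t * log2(dbar^(r-1) * d / t + 1), capped at n*t - 1.
    The degree is an integer, so the real-valued bound can be rounded down."""
    return min(math.floor(t * math.log2(dbar ** (r - 1) * d / t + 1)), n * t - 1)


def degree_bound(n, t, d, dbar, delta, r):
    """Upper bound on delta(r): both bounds above hold, so the smaller one applies
    (taking their minimum is this example's combination, not the paper's statement)."""
    return min(naive_bound(n, t, delta, r), lemma3_bound(n, t, d, dbar, r))


def growth_profile(n, t, d, dbar, delta, rounds):
    """Bounds for r = 1..rounds: exponential at first, then linear in r."""
    return [degree_bound(n, t, d, dbar, delta, r) for r in range(1, rounds + 1)]


def min_rounds_for_max_degree(n, t, d, dbar):
    """Smallest r with dbar^(r-1) * d >= t*(2^n - 1) - 2^(n-1), the necessary condition
    from Section 3.1, i.e. r >= 1 + log_dbar(t*(2^n - 1) - 2^(n-1)) - log_dbar(d)."""
    target = t * (2 ** n - 1) - 2 ** (n - 1)
    r = 1
    while dbar ** (r - 1) * d < target:
        r += 1
    return r


if __name__ == "__main__":
    # Constructed parameters: a MiMC-like case (t = 1, l = 1, hence dbar = d) and an
    # SPN with three 64-bit words, cube S-Boxes and a degree-1 linear layer.
    print("MiMC-like n=5 :", growth_profile(5, 1, 3, 3, 2, 4),
          "min rounds =", min_rounds_for_max_degree(5, 1, 3, 3))
    print("SPN n=64, t=3 :", growth_profile(64, 3, 3, 3, 2, 6), "R_exp =", r_exp(2, 3),
          "min rounds =", min_rounds_for_max_degree(64, 3, 3, 3))
```

For $t = 1$ and $\bar{d} = d$ the linear bound reduces to $\log_2(d^r + 1)$ and the round condition to $d^r \ge 2^{n-1} - 1$, which is the MiMC-like case quoted from [EGL+20] above; for several words the exponential term dominates only for the first few rounds, after which the bound grows by roughly $t \cdot \log_2(\bar{d})$ per round.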

Proof of Theorem 1

About the (Initial) Exponential Growth
Lemma 1.
Proof. We obtain where the second equality holds since $(x \oplus y)^{2^k} = x^{2^k} \oplus y^{2^k}$ for each $x, y \in \mathbb{F}_{2^n}$ and each $k \in \mathbb{N}$. Hence, we conclude that only monomial products of the form
The next lemma shows that the naive exponential bound $\delta^r$ for the algebraic degree is not only a trivial bound but can indeed be achieved.
Proof. The idea is to observe the growth of the algebraic degree with the help of Lemma 1. After the first round, all monomials $X_1^{d'}, \dots, X_t^{d'}$ are present in the polynomial representation of $E_k^r$ and have algebraic degree $\delta$. According to Lemma 1, after one more round all monomials of the form ($i_1, \dots, i_\delta \in \{1, \dots, t\}$) are present in the encryption polynomial and have algebraic degree $\delta^2$ if $i_1, \dots, i_\delta$ are pairwise different. To see why they have algebraic degree $\delta^2$, we note that: (a) raising a (word-level) monomial of $E_k^r$ to the power of $2^k$, $k \in \mathbb{N}$, does not change its algebraic degree, and (b) if two (word-level) monomials $m_{\alpha_1}, m_{\alpha_2}$ of $E_k^r$ do not contain any shared variable, the algebraic degree of the product $m_{\alpha_1} \cdot m_{\alpha_2}$ is the sum of the respective algebraic degrees. In the same way as before, after another round, all monomials of the form ($i_1, \dots, i_{\delta^2} \in \{1, \dots, t\}$) appear in the encryption polynomial and have algebraic degree $\delta^3$ if $i_1, \dots, i_{\delta^2}$ are pairwise different. Continuing this way, we conclude that the algebraic degree grows as fast as $\delta^r$ until all $t$ variables are exhausted, i.e., until $\delta^r = \delta \cdot t$, or equivalently, for the first $\lfloor \log_\delta(\delta \cdot t) \rfloor = 1 + \lfloor \log_\delta(t) \rfloor$ rounds.

Lemma 3. Let the same conditions as in Theorem 1 hold. Then, the algebraic degree of $E_k^r$ after $r$ rounds, denoted by $\delta(r)$, is upper-bounded by
Proof. Since the word-level degree of a single output word of $E_k^r$ after $r$ rounds is upper bounded by $\bar{d}^{\,r-1} \cdot d$ (we note that the final linear layer does not affect the algebraic degree), the algebraic degree $\delta(r)$ of $E_k^r$ after $r$ rounds can be upper bounded by where we use the fact that the algebraic degree of a monomial $X_1^{e_1} \cdots X_t^{e_t}$ is given by We observe that $2^w - 1$ is the smallest number with Hamming weight $w \in \mathbb{N}$. This means that $2^{\mathrm{hw}(e_i)} - 1 \le e_i$, hence $\mathrm{hw}(e_i) \le \log_2(e_i + 1)$ and for $a \in [0, 1]$. This is commonly generalized by induction to $\sum_i a_i \cdot x_i$ whenever $\sum_{i=1}^t a_i = 1$ and $a_i \in [0, 1]$ for all $i$. Therefore where the last inequality holds because $\sum_{i=1}^t e_i \le \bar{d}^{\,r-1} \cdot d$ and the fact that the logarithm is an increasing function. Combining this with the initial equation results in the desired

Discussion of Theorem 1
Forward versus Backward Direction. As originally proved in Corollary 3 of [BC13], given a fixed key $k$, the algebraic degrees of $E_k^r$ and its compositional inverse $E_k^{-r}$ are related in a particular way: the algebraic degree of $E_k^r$ is maximal (i.e., $n \cdot t - 1$) if and only if the algebraic degree of $E_k^{-r}$ is maximal. As an immediate consequence we state the following observation: the number of rounds to reach maximal algebraic degree in the forward and in the backward direction is the same. This fact is particularly surprising if one direction of an SPN scheme is defined via low-degree S-Boxes, while the inverse direction is built from S-Boxes of high degree. For example, for the S-Box function $S(x) = x^3$ over $\mathbb{F}_{2^n}$ the inverse function is given by $S^{-1}(x) = x^{(2^{n+1} - 1)/3}$. Here, $S$ has algebraic degree 2, while $S^{-1}$ has algebraic degree $(n + 1)/2$.

Remarks on Implicit Assumptions. According to the remark about the connection of forward and backward direction below, it suffices to focus only on one direction of the scheme when attempting to reach maximal algebraic degree. We focus on the forward direction. Furthermore, our analysis is independent of the concrete instantiation of the linear layer, besides assuming that it is invertible and ensures full diffusion after a finite number of rounds. Implicitly, our proof assumes the strongest possible linear layer, i.e., a linear layer that guarantees full diffusion after one round and whose corresponding linearized polynomial is full. Therefore, depending on the instantiation of the linear layer, the algebraic degree might grow slower than we predict, but never faster. Theorem 1 can easily be generalized to the case in which the S-Boxes are defined via different invertible functions, under the assumption that they all have the same univariate degree $d$ and the same algebraic degree $\delta$.

Relation to Iterated Even-Mansour Schemes. The authors of [EGL+20] state in Section 3.3 that for an iterated Even-Mansour scheme whose round function can be described by a low-degree polynomial that "[...] if the round function can be described by a polynomial of low univariate degree $d$ over $\mathbb{F}_{2^n}$, we expect a linear behavior in [the algebraic degree] $\delta_{\mathrm{lin}}(r)$: $\delta_{\mathrm{lin}}(r) \le \lfloor \log_2(d^r + 1) \rfloor \approx r \cdot \log_2(d)$".
However, no formal proof of this expectation is given in [EGL+20]. Our Theorem 1 comprises this situation as the special case $t = 1$ and $l = 1$; thus we not only prove but also generalize the result in [EGL+20]. Indeed, in Theorem 1 the case $t = l = 1$ corresponds to iterated Even-Mansour schemes, and hence the algebraic degree $\delta(r)$ after $r$ rounds is upper bounded by $\log_2(d^r + 1)$.
Comparison with Interpolation Analysis. The previous bound on the necessary number of rounds matches the number of rounds needed to guarantee security against the interpolation analysis [JK97] introduced by Jakobsen and Knudsen at FSE 1997. The goal of an interpolation analysis is to construct the polynomial that describes the encryption or decryption function. Hence, if the number of monomials is too large, such a polynomial cannot be constructed faster than via a brute-force search. Since the number of monomials can be estimated from the degree of the function, the designers must guarantee that the polynomial representing the scheme is of maximum degree and full (or at least dense) in order to guarantee security against this type of cryptanalysis.

Iterative Application of the Bound in [BCD11]
The bounds on the algebraic degree in [BCD11] are stated for the composition of two functions, which means that applying them to iterated SPN schemes (which often comprise the composition of several dozen functions) requires an ad-hoc analysis of the scheme at hand. Here, we first provide a closed formula for the bound in [BCD11, Theorem 2] when extended to the composition of more than two functions, which provides the basis for our comparisons in Section 5. The bound given by Boura, Canteaut, and De Cannière in [BCD11, Theorem 2] states the following: Let $F$ be a function from $\mathbb{F}_2^N$ to $\mathbb{F}_2^N$ corresponding to the concatenation of $t$ smaller balanced S-Boxes $S_1, \ldots, S_t$ defined over $\mathbb{F}_2^n$ (see Footnote 2). Then, for any function $G$ from $\mathbb{F}_2^N$ to $\mathbb{F}_2^N$, it holds
and $\delta_i$ is defined as the maximal algebraic degree of the product of any $i$ coordinates of any of the smaller S-Boxes. We emphasize that $\gamma$ and $\delta_i$ depend on the details of the S-Box. Namely, two S-Boxes with the same algebraic degree can in general have different $\gamma$. The result in [BC13, Theorem 2] uses the algebraic degree of the compositional inverses $S_j^{-1}$, $1 \le j \le t$, for a bound on the algebraic degree of $G \circ F$. Under the same assumptions as above this result leads to the same bound as stated in Eq. (16), with the additional upper bound on $\gamma$
Using an upper bound on $\gamma$ for bounding the algebraic degree of $G \circ F$ in Eq. (16) could lead to a less tight bound on $\deg(G \circ F)$ than using the exact value of $\gamma$. However, Eq. (18) has the advantage that it only uses known facts about the involved functions, and thus a bound on $\deg(G \circ F)$ can be computed straight away. The same remark applies to another bound in [BC13, Corollary 2], which works with the algebraic degree of $F^{-1}$ and is given by
In Proposition 2, we derive a direct upper bound on the algebraic degree of SPN schemes in the simple but most common case where all S-Boxes are equal. By "direct" upper bound we mean that we iteratively apply (16) to the round functions of an SPN scheme and thus obtain a closed-form statement about the algebraic degree after a certain number of rounds (and not only for the composition of two functions as stated in [BCD11]).

Footnote 2: A function $f : \mathbb{F}_2^n \to \mathbb{F}_2^m$ is said to be balanced if each element in $\mathbb{F}_2^m$ has exactly $2^{n-m}$ preimages. For $n = m$, an S-Box is balanced iff it is invertible.

Proposition 2.
Let $F$ be a function from $\mathbb{F}_2^N$ to $\mathbb{F}_2^N$ corresponding to the concatenation of $t$ copies of a balanced S-Box $S$ over $\mathbb{F}_{2^n}$ with algebraic degree $\delta \ge 2$. For any affine functions $L_1, L_2, \ldots, L_r$ from $\mathbb{F}_2^N$ to $\mathbb{F}_2^N$ and any integer $r \ge 1$ consider the SPN scheme $E_r$ from $\mathbb{F}_2^N$ to $\mathbb{F}_2^N$ defined as

Then the algebraic degree $\delta(r)$ of $E$ after $r$ rounds is upper-bounded by
independent of the (secret or publicly known) key $k$, where
is the minimum number of rounds for security against higher-order differential distinguishers, and where $\gamma$ is defined as in Eq. (17).
The proof of Proposition 2 can be found in Appendix A. The strategy we adopt to prove Proposition 2 is similar to the one proposed by Biryukov, Khovratovich, and Perrin [BKP16]. There, the authors focused on the case in which all S-Boxes have maximum algebraic degree $\delta = n - 1$, while here we do not need this restriction. We point out once more that the details of the linear layer are not taken into account and do not influence the bound just given.

Cost of Computing $\gamma$. The growth of the degree predicted in (16) depends on the value of $\gamma$. Computing $\gamma$ can be very expensive for large S-Boxes. Indeed, one has to consider all possible combinations of the product of any $i$ coordinates of the given S-Boxes, which implies a lower bound on the cost of order
In the case in which $t$ different S-Boxes are used, the previous cost must be multiplied by $t$. This means that for large S-Boxes (e.g., $n \ge 64$) it is infeasible to determine $\gamma$ computationally, and a further analysis of the scheme is necessary. Our results in Section 3 do not have this limitation: they depend on known parameters of the scheme and can be computed straight away.

Comparison and Impact of the Linear Layer
Comparison. For a better insight into when the bound $R_{\mathrm{SPN}}$ improves upon the one given by $R_{[\mathrm{BCD11}]}$, we ask the following question: For which values of $n, t, d, l$ and $\delta$ is $R_{\mathrm{SPN}} \ge R_{[\mathrm{BCD11}]}$ satisfied? Substituting the corresponding expressions we obtain the following inequality
Using the relations $\gamma \cdot \delta - 1 \ge \gamma - 1$ and $\gamma \cdot \delta - 1 \ge \delta - 1$ (note that $\delta \ge 2$), an upper bound for $R_{[\mathrm{BCD11}]}$ is given by
Focusing on the case $n \gg 1$, the condition $R_{\mathrm{SPN}} \ge R_{[\mathrm{BCD11}]}$ is satisfied if (approximately) $1 + \log_d(t \cdot (2^n - 1)) - \log_d(d) \approx n \cdot \log_d(2) + \log_d(t) \ge 1 + \log_\delta(n \cdot t) + \log_2(n \cdot t)$, or, to put it another way, if $n \cdot \log_d(2) + \log_d(t)$
It is easy to see that for any fixed values of $d, \delta, l$ and $t$, the previous inequality can be satisfied if $n$ is large enough.
Impact of the Linear Layer. According to Theorem 1, after an exponential growth, the algebraic degree grows at most linearly with a rate equal to $t \cdot \log_2(d)$. If $l = 1$ (and thus $d \cdot l = d$), the degree $l$ of the linear layer does not influence the algebraic degree. However, if $l \ge 2$, the initial exponential growth can take place for more than $R_{\mathrm{exp}}$ rounds; as an extreme case, if $l$ is close to its maximum possible value $2^{n-1}$, the linear growth may never occur. A concrete example of these facts is given in Fig. 1. Concluding, the details of the linear layer play a crucial role in the growth of the (algebraic) degree.

Practical Results
In this section, we present our practical results on SPN schemes over $(\mathbb{F}_{2^n})^t$ (defined as in Section 3) with low-degree and large S-Boxes. Assuming $d = d \cdot l$, we focus on the two cases (1) $l = 1$, $t \ge 2$; and (2) $l \ge 2$, $t = 1$. This allows us to emphasize the impact of $t$ and $l$ independently. Since the approach we take is the same for all of our tests, we first describe it.
Carlos Cid, Lorenzo Grassi, Aldo Gunsing, Reinhard Lüftenegger, Christian Rechberger and Markus Schofnegger

Algorithm 1: Evaluating the zero sum property of an SPN scheme $E_k^r$ over $(\mathbb{F}_{2^n})^t$ using different input subspaces.
Data: SPN scheme $E_k^r$ using $r$ rounds, with S-Box size $n$ and $t$ words, dimension $D$ of the subspace, number of tests $n_T$.
Result: True if a zero sum is found in all tests, False otherwise.
1 for $i \leftarrow 1$ to $n_T$ do
2   Randomly distribute $D$ active bits among the $N = n \cdot t$ possible positions, resulting in the input vector space $V \subseteq \mathbb{F}_2^N$.
4   Randomly sample key $k$.
5   Fix $E_k^r$ using $c_1, \ldots, c_r$ and $k$.

Test Methodology
Instead of computing the ANF of a (keyed or keyless) permutation (which is quite expensive already for small field sizes), we evaluate the zero-sum property for multiple random input vector spaces. For this purpose, we wrote a custom program in C++. For random keys and constants, given an input subspace of dimension $D \le N - 1$, where $N = n \cdot t$, we look for the minimum number of rounds $r$ for which the corresponding sum of the outputs is different from zero. Such a number corresponds to (1) the minimum number of rounds for reaching algebraic degree $\delta = D + 1$, and (2) the minimum number of rounds for preventing higher-order differential distinguishers for $D = N - 1$.
To avoid a bias by weak keys or "bad" round constants, we repeated the tests multiple times (with new random keys, round constants, and input subspaces). We illustrate the approach in Algorithm 1 using a keyed permutation.

Number of Subspaces of Dimension D.
We emphasize that, if the algebraic degree of an SPN scheme $E_k^r$ after $r$ rounds is $\delta(r)$, then summing over all evaluations from any vector space of dimension $D \ge \delta(r) + 1$ always results in a zero sum, i.e., $\sum_{x \in V} E_k^r(x \oplus v) = 0$ for a generic (fixed) $v$. However, the converse is not true in general. That is, having a zero sum over a vector space of dimension $D$ does in general not imply that the algebraic degree is $\delta(r) = D - 1$. Indeed, $\delta(r)$ could be higher, and the zero sum could occur merely due to the specific structure of the vector space and the analyzed function. Evaluating the zero sum property for all affine subspaces of dimension $D$ is actually infeasible. Indeed, when working over $(\mathbb{F}_p)^N$, for any prime $p$ and $N \in \mathbb{N}$, the number of different subspaces of dimension $D \le N$ is
as shown, e.g., in [Hog16], which is out of practical range even for small values of $p, N, D$. For this reason, we have to limit ourselves to evaluating the zero sum property for a limited number of subspaces only. However, in our practical tests we observed that a small number of tests for each of the possible combinations of active bits is sufficient to derive a stable number (e.g., around 10 tests for each combination). Indeed, for example, we observed no differences when using an input subspace of dimension $N - 1$ and changing the position of the single inactive bit in multiple tests.

Table 2: Theoretical lower bound and practical number of rounds for preventing higher-order differential distinguishers on SPN schemes over $(\mathbb{F}_{2^n})^t$ for several values of $n$ and $t \ge 2$ (where $N = n \cdot t$). The chosen S-Box is the cube function $S(x) = x^3$. For the practical number of rounds, we consider both the case of an MDS matrix and the case of a matrix that provides the "worst" possible diffusion (e.g., a sparse matrix as in Eq. (23)). $R_{[\mathrm{BCD11}]}$ is computed assuming $\gamma = (n + 1)/2$.
The practical number of rounds to prevent higher-order differential distinguishers we report is the smallest number of rounds among all tested keys and round constants. This means that potentially a higher number of rounds can be cryptanalyzed by choosing the keys and round constants in a particular way.

Randomization of Active Bits.
Depending on the position of the active bits, the final results may be very different. For example, significant differences arise when considering a fixed number of active bits in a single word and the same number of active bits split over multiple words. In order to counteract this problem, we choose the input subspaces randomly such that the position of active bits is also randomized. As a concrete example, consider $t = 2$ with $d = 3$ and arbitrary $n$. Clearly, after one round the algebraic degree is upper-bounded by $\delta = 2$, and indeed, when activating 2 bits in the same word, we do not get a zero sum. However, if we activate one bit in each of the two words (i.e., in total also 2 bits), we do get a zero sum, since only products of at most $\delta = \mathrm{hw}(d) = 2$ bit variables from the same word occur in the polynomial representation. Hence, we randomize the input subspaces in our tests.
Computational Cost in Practice. In our practical tests we observed that with very few trials we already reach a stable number for the algebraic degree after a certain number of rounds. It is however crucial to test every possible combination of active words, since this has a significant impact on the final result. Concretely, we fix the number of tests to 100 for "feasible" numbers of active bits (i.e., around 30). For the larger tests, we fix the number to 10. While this may seem like a small sample size, we could not observe any differences when testing more often with lower numbers of bits. As for the concrete runtime, it largely depends on the number of active bits, but also on additional properties like the tested degree. E.g., $x^3$ can be evaluated faster than $x^7$ for a given S-Box input $x$. Practically, a test with 30 active bits can thus take several hours, depending on the concrete construction tested.
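As an added illustration of the test methodology of Section 5.1 and of the active-bit randomization discussed above (example code written for this page, not the authors' C++ program), the following Python script runs the zero-sum test of Algorithm 1 on a constructed toy instance: $t = 2$ words over $\mathbb{F}_{2^5}$, $S(x) = x^3$ and a $2 \times 2$ MDS matrix; the field modulus, the matrix, the keys and the constants are assumptions chosen here. It reproduces the $t = 2$, $d = 3$ observation (two active bits in one word versus one bit per word after one round) and then searches for the smallest $r$ at which a 9-dimensional input space no longer sums to zero.

```python
import random

# Constructed toy instance (not the paper's code): t = 2 words over F_{2^5} = F_2[x]/(x^5 + x^2 + 1),
# S(x) = x^3 (a permutation since gcd(3, 31) = 1) and a 2x2 MDS mixing matrix.
N_BITS, T, POLY = 5, 2, 0x25
MASK = (1 << N_BITS) - 1
MDS = [[2, 3], [3, 2]]   # every entry and det = 2*2 + 3*3 = 4 xor 5 = 1 are non-zero -> MDS for t = 2


def gf_mul(a, b):
    """Multiply two elements of F_{2^5}, represented as 5-bit integers in the polynomial basis."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
        if a >> N_BITS:
            a ^= POLY
    return r & MASK


def sbox(x):
    return gf_mul(x, gf_mul(x, x))   # S(x) = x^3


def encrypt(words, key, consts, rounds):
    """E_k^r: r rounds of (add key and round constant, S-Box on each word, MDS layer)."""
    s = list(words)
    for rnd in range(rounds):
        s = [sbox(w ^ k ^ c) for w, k, c in zip(s, key, consts[rnd])]
        s = [gf_mul(MDS[i][0], s[0]) ^ gf_mul(MDS[i][1], s[1]) for i in range(T)]
    return s


def to_words(x):
    """Split an N = n*t bit state into t words; bit j of word i is state bit i*n + j."""
    return [(x >> (i * N_BITS)) & MASK for i in range(T)]


def zero_sum(rounds, positions, key, consts, base):
    """XOR E_k^r over the affine space base + span{e_p : p in positions}; True iff the sum is zero."""
    acc = [0] * T
    for m in range(1 << len(positions)):
        x = base
        for bit, pos in enumerate(positions):
            if (m >> bit) & 1:
                x ^= 1 << pos
        acc = [a ^ o for a, o in zip(acc, encrypt(to_words(x), key, consts, rounds))]
    return all(a == 0 for a in acc)


def min_rounds_without_zero_sum(dim, trials, max_rounds=16, seed=1):
    """Algorithm 1 in a loop over r: test 'trials' random D-dim input spaces with random keys and
    constants; return the first r at which some test gives a non-zero sum (None if never found)."""
    rng = random.Random(seed)
    for r in range(1, max_rounds + 1):
        for _ in range(trials):
            positions = rng.sample(range(N_BITS * T), dim)   # randomized active-bit positions
            key = [rng.randrange(1 << N_BITS) for _ in range(T)]
            consts = [[rng.randrange(1 << N_BITS) for _ in range(T)] for _ in range(r)]
            base = rng.randrange(1 << (N_BITS * T))
            if not zero_sum(r, positions, key, consts, base):
                return r
    return None


if __name__ == "__main__":
    key, consts, base = [3, 9], [[5, 11]], 0b1010100011      # constructed sample key/constant/offset
    print(zero_sum(1, (0, 1), key, consts, base))   # two active bits in word 0 after 1 round -> False
    print(zero_sum(1, (0, 5), key, consts, base))   # one active bit in each word after 1 round -> True
    print(min_rounds_without_zero_sum(9, 10))       # smallest r at which a 9-dim space breaks the zero sum
```

The one-round cases are deterministic (the sum over a 2-dimensional space of $x^3$ is the second derivative $ab(a+b) \ne 0$, while one bit per word makes every term appear twice), whereas the last call is the randomized search of Algorithm 1 and reports, as in the paper, the smallest round number over all tested keys, constants and subspaces.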

Results for SPN Schemes with $t \ge 2$, $l = 1$ and S-Boxes of the form $S(x) = x^d$
In our experiments, we focus on a SHARK-like scheme [RDP+96] with power maps as S-Box functions. More specifically, we focus on SPN schemes over $(\mathbb{F}_{2^n})^t$ where the S-Box function $S : \mathbb{F}_{2^n} \to \mathbb{F}_{2^n}$ is given by $S(x) = x^d$ and the mixing layer is defined as the multiplication of the $t$ state words with an invertible $t \times t$ matrix over $\mathbb{F}_{2^n}$. The choice of $n$ and $d$ is governed by the requirement $\gcd(d, 2^n - 1) = 1$, ensuring that $S(x) = x^d$ is a permutation of $\mathbb{F}_{2^n}$. For the S-Box $S(x) = x^3$, we report our results on the minimum number of rounds to prevent higher-order differential distinguishers in Table 2. We observe that the number of rounds that can be covered by a higher-order differential distinguisher is always close to the one predicted by our formula (in some cases a little higher, but never smaller). Moreover, especially when the size of the S-Box is not too small, the round number $R_{\mathrm{SPN}}$ predicted by our formula is significantly larger than $R_{[\mathrm{BCD11}]}$. Furthermore, the results of our small-scale experiments on the growth of the algebraic degree (according to the test methodology in Section 5.1) for $S(x) = x^3$ and $S(x) = x^7$ are depicted in Fig. 2 and Fig. 3, respectively. Note that the tests made for Table 2 and, e.g., Fig. 2

Determining $\gamma$. To use the results from [BCD11] for our comparisons we need to determine the parameter $\gamma$ (see also Eq. (17)). Since an exact computation of $\gamma$ is too expensive for most instances we use, we derive an upper bound on $\gamma$ and use this upper bound as a benchmark. By definition of $\gamma$, it holds
where $q = \lfloor (n - 1)/\delta \rfloor$ and $\delta = \mathrm{hw}(d)$ is the algebraic degree of the S-Box. For the particular case $S(x) = x^3$ only odd values for $n$ are allowed (to guarantee $\gcd(2^n - 1, 3) = 1$) and thus we obtain $n - 1 = q \cdot 2$. Hence,
We assume $\gamma = (n + 1)/2$ to compute the theoretical values for $R_{[\mathrm{BCD11}]}$. We also refer to [EGL+20, Lemma 3], where the authors support this assumption by practical experiments for each odd $n \le 33$.
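To make the parameter $\gamma$ concrete, and to show the brute-force cost described in the paragraph "Cost of Computing $\gamma$", here is an added Python example (not from the paper) that computes the $\delta_i$ and $\gamma = \max_{1 \le i \le n-2} (n-i)/(n-\delta_i)$ of [BCD11, Theorem 2] exactly for $S(x) = x^3$ over the toy fields $\mathbb{F}_{2^5}$ and $\mathbb{F}_{2^7}$ (the field moduli are assumptions chosen here) by enumerating all products of coordinate functions and taking their ANF; both instances yield $\gamma = (n+1)/2$, the value assumed above for odd $n$.

```python
from fractions import Fraction
from itertools import combinations
from math import comb


def gf_mul(a, b, n, poly):
    """Multiply two elements of F_{2^n} (n-bit integers, modulus 'poly' of degree n)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
        if a >> n:
            a ^= poly
    return r


def cube_sbox(n, poly):
    """Look-up table of S(x) = x^3 over F_{2^n}; bit j of S(x) is the j-th coordinate function."""
    return [gf_mul(x, gf_mul(x, x, n, poly), n, poly) for x in range(1 << n)]


def anf_degree(truth_table, n):
    """Algebraic degree of a Boolean function on n variables, via the Moebius transform of its truth table."""
    c = list(truth_table)
    for k in range(n):
        for u in range(1 << n):
            if u & (1 << k):
                c[u] ^= c[u ^ (1 << k)]
    return max((bin(u).count("1") for u in range(1 << n) if c[u]), default=0)


def delta_i(sbox, n, i):
    """delta_i of [BCD11]: maximal algebraic degree of the product of any i coordinates of the S-Box."""
    best = 0
    for coords in combinations(range(n), i):
        product = [int(all((y >> j) & 1 for j in coords)) for y in sbox]
        best = max(best, anf_degree(product, n))
    return best


def gamma(sbox, n):
    """gamma = max_{1 <= i <= n-2} (n - i) / (n - delta_i), as defined in [BCD11, Theorem 2]."""
    return max(Fraction(n - i, n - delta_i(sbox, n, i)) for i in range(1, n - 1))


def products_to_check(n):
    """Number of coordinate products an exact computation of gamma has to examine (grows like 2^n)."""
    return sum(comb(n, i) for i in range(1, n - 1))


if __name__ == "__main__":
    # Assumed irreducible moduli: x^5 + x^2 + 1 and x^7 + x + 1 (n odd, so gcd(3, 2^n - 1) = 1).
    for n, poly in ((5, 0x25), (7, 0x83)):
        s = cube_sbox(n, poly)
        print(n, [delta_i(s, n, i) for i in range(1, n - 1)], gamma(s, n), products_to_check(n))
```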

Influence of the Linear Layer.
To understand how the linear layer influences the minimum number of rounds to prevent higher-order differential distinguishers, in our practical tests we consider two extreme cases: (1) we evaluate the case in which the linear layer is defined as the multiplication with an MDS matrix (for parameters $n$ and $t$ that allow us to do so, see Footnote 5), which corresponds to the case of the "strongest" linear layer from a diffusion point of view; (2) we also evaluate the case in which the linear layer is "weak", which could happen if it is defined by the multiplication with a matrix containing a large number of zero coefficients. For this second case, we used a $t \times t$ matrix $M$ with coefficients $M_{r,c}$ given by

Footnote 5: An MDS matrix over $\mathbb{F}_{2^n}^{t \times t}$ exists if the condition $\log_2(2t + 1) \le n$ (i.e., $t \le 2^{n-1} - 1$) is satisfied.

where the sparse case grows slightly slower than the dense case. In fact, when only looking at the minimum number of rounds required to prevent higher-order differential distinguishers as in Table 3, almost all results coincide: the only exception is the case of $n = 33$, $l = 32$, where a sparse linear polynomial requires one extra round. A more substantial difference is found between the round number $R_{\mathrm{SPN}}$ predicted by our formula and $R_{[\mathrm{BCD11}]}$, where the latter does not depend on $l$ and is significantly smaller. For the difference in test methodology regarding Table 3 and the graph in Fig. 4, the same remark as in Section 5.2 applies.

Special Case: $M(x) = \mu \cdot x^l$. Finally, we discuss the case in which the linearized polynomial is of the form $M(x) = \mu \cdot x^l$ for $l = 2^{l'}$ and $\mu \in \mathbb{F}_{2^n} \setminus \{0\}$. Recall that this function is always invertible over $\mathbb{F}_{2^n}$ ($x \mapsto x^2$ is always invertible, due to $\gcd(2, 2^n - 1) = 1$). Here, the value of $l$ does not have any influence on the tests, and the results are the same as for strong-arranged SPN schemes (i.e., for $l = 1$). This becomes evident when looking at the relation between word-level degree and algebraic degree in Eq. (4).
Exponentiating a monomial $m_e = X_1^{e_1} \cdots X_t^{e_t}$ to the power of $2^{l'}$ is in fact only an $l'$-shift of all (non-zero) digits in the base-2 expansion of $e$, hence
This means that the word-level degree is increased by a factor of $l = 2^{l'}$, but the algebraic degree remains the same. While the case $M(x) = \mu \cdot x^l$, for $l = 2^{l'}$, can be considered a degenerate case of a linear layer, the results of our experiments for this case do not contradict Theorem 1. We emphasize once more that the statement in Theorem 1 is an upper bound, and that the growth of the degree can be slower than predicted (which is true for every upper bound in the literature).

Possible Applications of Theorem 1
After the recent advances in [BCD11], [BC13], and [Car20], our findings extend the canon of theoretical bounds for the growth of the algebraic degree in SPN schemes by an improved bound, see Theorem 1. While the currently best bounds are more generic than ours, our results substantially improve existing state-of-the-art bounds when considering SPN schemes with large S-Boxes for which the degrees of both the non-linear layer and the linear layer are low, as is often the case in schemes for MPC-/FHE-/ZKP-applications. In these domain-specific schemes, it is most often algebraic cryptanalysis, in particular higher-order differential distinguishers, that dominates the overall security arguments. Thus, a better understanding of the growth of the algebraic degree is not only vital for the security assessment of schemes for MPC-/FHE-/ZKP-applications, but also for navigating design choices towards a more solid theoretical foundation.

HadesMiMC, Poseidon and Starkad. As a concrete application, HadesMiMC [GLR+20] is probably the most suitable candidate to apply our results to. In particular, even if both HadesMiMC and Poseidon are designed over $(\mathbb{F}_p)^t$, there is no reason why a scheme based on the Hades strategy cannot be designed over $(\mathbb{F}_{2^n})^t$. As a concrete example, we refer to Starkad [GKR+21], a variant of Poseidon defined over $(\mathbb{F}_{2^n})^t$. Moreover, our upper bound for the growth of the algebraic degree plays an important role in higher-order differential distinguishers of SPN schemes over $\mathbb{F}_{2^n}^t$ that do not exploit the largest non-trivial vector subspace (i.e., $\mathbb{F}_2^{n \cdot t - 1}$), but subspaces of smaller dimension than the state size $n \cdot t$. This is not only of theoretical interest, but it applies to all cases in which the security level is smaller than the size of the full scheme, a scenario that is common for schemes recently proposed for MPC-/FHE-/ZKP-applications.

Schemes for MPC-/FHE-/ZKP-Applications.
As we have seen in Section 2.2.1, the degree of a generic invertible $(n \cdot t) \times (n \cdot t)$ matrix with coefficients in $\mathbb{F}_2$ is in general very high when represented as a linearized polynomial over $\mathbb{F}_{2^n}$. In this case (namely, $l \approx 2^{n-1}$), our bound does not improve the naive exponential bound. However, the situation is different for schemes used in MPC-/FHE-/ZKP-applications. In such applications, both the linear layer and the non-linear one are naturally defined over $\mathbb{F}_{2^n}$. One performance metric of schemes for MPC-/FHE-/ZKP-applications is, e.g., a minimal number of multiplications in $\mathbb{F}_{2^n}$, which is why usually linearized polynomials of low degree over $\mathbb{F}_{2^n}$ are used as linear layers. Concrete examples are Jarvis and, more recently, the follow-up design Vision. Jarvis is an EM scheme over $\mathbb{F}_{2^n}$ (analyzed in [ACG+19]) with a linearized polynomial of degree 4 as linear layer. Compared to the possible maximum degree $2^{127}$, the degree of this linearized polynomial is low. The linear layer of Vision is defined in a similar way. Consequently, in the case of SPN schemes with $l \ge 2$ designed for MPC-/FHE-/ZKP-applications, we expect that our results provide a better estimation of the algebraic degree than the naive exponential bound and the bound in [BC13], since in this scenario the linear layer usually has low degree when represented as a linearized polynomial over $\mathbb{F}_{2^n}$.