@article{Wei_Ye_Wu_Pasalic_2018, title={Generalized Nonlinear Invariant Attack and a New Design Criterion for Round Constants}, volume={2018}, url={https://tosc.iacr.org/index.php/ToSC/article/view/7361}, DOI={10.13154/tosc.v2018.i4.62-79}, abstractNote={<p>The nonlinear invariant attack was introduced at ASIACRYPT 2016 by Todo <em>et al.</em>. The attack has received extensive attention of cryptographic community due to its practical application on the full-round block ciphers SCREAM, iSCREAM, and Midori64. However, the attack heavily relies on the choice of round constants and it becomes inefficient in the case these constants nonlinearly affect the so-called nonlinear invariants. In this article, to eliminate the impact from the round constants, a generalized nonlinear invariant attack which uses a pair of constants in the input of nonlinear invariants is proposed. The efficiency of this extended framework is practically confirmed by mounting a distinguishing attack on a variant of full-round iSCREAM cipher under a class of 2<sup>80</sup> weak keys. The considered variant of iSCREAM is however resistant against nonlinear invariant attack of Todo <em>et al.</em>. Furthermore, we investigate the resistance of block ciphers against generalized nonlinear invariant attacks with respect to the choice of round constants in an extended framework. We introduce a useful concept of <em>closed-loop invariants</em> of the substitution box (S-box) and show that the choice of robust round constants is closely related to the existence of linear structure of the closed-loop invariants of the substitution layer. In particular, we demonstrate that the design criteria for the round constants in Beierle <em>et al.</em>’s work at CRYPTO 2017 is not an optimal strategy. The round constants selected using this method may induce certain weaknesses that can be exploited in our generalized nonlinear invariant attack model. This scenario is efficiently demonstrated in the case of a slightly modified variant of the Midori64 block cipher.</p>}, number={4}, journal={IACR Transactions on Symmetric Cryptology}, author={Wei, Yongzhuang and Ye, Tao and Wu, Wenling and Pasalic, Enes}, year={2018}, month={Dec.}, pages={62–79} }