Proving Resistance Against Infinitely Long Subspace Trails: How to Choose the Linear Layer

Abstract. Designing cryptographic permutations and block ciphers using a substitution-permutation network (SPN) approach where the nonlinear part does not cover the entire state has recently gained attention due to favorable implementation characteristics in various scenarios. For word-oriented partial SPN (P-SPN) schemes with a fixed linear layer, our goal is to better understand how the details of the linear layer affect the security of the construction. In this paper, we derive conditions that allow us to either set up or prevent attacks based on infinitely long truncated differentials with probability 1. Our analysis is rather broad compared to earlier independent work on this problem since we consider (1) both invariant and non-invariant/iterative trails, and (2) trails with and without active S-boxes. For these cases, we provide rigorous sufficient and necessary conditions for the matrix that defines the linear layer to prevent the analyzed attacks. On the practical side, we present a tool that can determine whether a given linear layer is vulnerable based on these results. Furthermore, we propose a sufficient condition for the linear layer that, if satisfied, ensures that no infinitely long truncated differential exists. This condition is related to the degree and the irreducibility of the minimal polynomial of the matrix that defines the linear layer. Besides P-SPN schemes, our observations may also have a crucial impact on the Hades design strategy, which mixes rounds with full S-box layers and rounds with partial S-box layers.


Introduction
Modern cryptography has developed many techniques that go well beyond solving traditional confidentiality and authenticity problems in two-party communications. This includes practical applications of secure multi-party computation (MPC), (fully) homomorphic encryption (FHE), and zero-knowledge (ZK) proofs using symmetric primitives. Designs of primitives in symmetric cryptography for these applications are usually led by heuristics such as simplifying their arithmetic representations, or by linear operations being more efficient than nonlinear ones in these scenarios. The latter consideration is also used in the context of masking, a widespread countermeasure against side-channel attacks in which all the computations are performed on shared secrets.

Choosing the Linear Layer in Partial SPN Schemes
Some of the recalled designs (e.g., LowMC, Zorro, HadesMiMC and Poseidon) reach the goal of minimizing the total number of multiplications by making use of rounds with a partial S-box layer. These designs are called partial substitution-permutation network (P-SPN) schemes. They are a variant of SPN schemes, in which an input block is transformed into an output block by applying several alternating rounds of substitution boxes and affine permutations to provide confusion and diffusion. For a t-word SPN scheme over a fixed finite field, the substitution layer usually consists of t parallel (independent) nonlinear functions, called S-boxes. In many cases, the permutation layer is a linear operation defined by the multiplication of the state with a t × t matrix. In the case of a partial substitution-permutation network (P-SPN), however, part of the substitution layer is replaced by an identity mapping, leading to practical advantages for applications in which nonlinear operations are more expensive than linear operations. This approach was proposed and applied to AES with Zorro in [GGNPS13]: reducing the number of S-boxes per round from 16 to only 4 (to compensate, the number of rounds has been increased to 24). A similar approach has then been considered in LowMC [ARS+15]. LowMC is a family of block ciphers that combines an incomplete S-box layer with a strong linear layer to provide security and be competitive in applications like MPC, FHE, or ZK.
Many strategies proposed in the literature to guarantee security for SPN schemes are no longer applicable to P-SPN schemes and have to be replaced by more ad-hoc approaches. This includes the well-known wide trail strategy [DR02], which is one of the main techniques for achieving security against various statistical attacks, such as the differential [BS91, BS93] and linear [Mat93] ones. Instead of choosing larger S-boxes with strong properties, the wide trail strategy aims to design the linear round transformations so that the minimum number of active S-boxes over multiple rounds is increased. This strategy is directly applicable in the case in which the nonlinear layer is (almost) full. In the case in which the nonlinear layer covers less than half of the state, a dedicated strategy is instead required, and tools such as mixed integer linear programming (MILP) or SAT solvers can be used in order to find a good estimation of the minimum number of active S-boxes over multiple rounds. In the case of Zorro, the heuristic argument proposed by the designers turned out to be insufficient, as iterative differential and linear characteristics were later found and used to break the full construction [WWGY14, BDD+15]. Similarly, the authors of LowMC chose the number of rounds to guarantee that no differential or linear characteristic can cover the entire function with non-negligible probability. However, they do not provide similarly strong security arguments against other attack vectors, including algebraic attacks, and key-recovery attacks on LowMC have thus been found [DLMW15].
A crucial difference between Zorro and LowMC is that Zorro uses the same linear layer in all rounds, whereas LowMC uses different pseudo-randomly generated linear layers for each round. Both strategies have their advantages and disadvantages. For example, even if the second strategy may provide security against statistical attacks (as discussed in [ARS+15]), it has some drawbacks. First, the computation time or memory may become a problem, even when considering the optimizations proposed in [KPP+17, DKP+19]. Secondly, the security analysis against other attacks may become harder, since the linear layer is different in each round. Further, a poor (but valid with respect to the specification) choice of the linear layers can significantly reduce the security, as shown concretely in [DLMW15]. Finally, the possibility to have different matrices at every round can be exploited in order to insert a backdoor, as recently shown in [PW20] in the case of a tweakable version of LowMC.

Our Contribution and Related Work
Automated characteristic search tools and dedicated key-recovery algorithms for SP networks with partial nonlinear layers have been presented in [BDD+15], where the authors propose generic techniques for differential and linear cryptanalysis. As a main result, this tool can be used to understand how many rounds a given scheme requires to be secure. However, focusing on the matrix that defines the fixed linear layer in a P-SPN scheme like Zorro, it is not clear which properties this matrix must satisfy to prevent cryptanalytic attacks in general.
Our Goal. While we cannot hope to tackle this question in its generality, we aim at a relevant subset of undesirable properties that can lead to attacks: infinitely long truncated differentials with probability 1 [Knu94], or equivalently infinitely long subspace trails [GRR16a, GRR17], i.e., the existence of a nontrivial subspace U ⊆ F_q^t of inputs (where q = 2^n or q = p^n for a prime p ≥ 3 and n ∈ N) that is mapped into a proper (affine) subspace of the state space over any number of rounds.

Impact of Subspace Trails on Hades-Like Schemes.
While such a subspace trail on its own represents a distinguisher (i.e., its existence can be exploited to distinguish the analyzed P-SPN scheme from a pseudo-random permutation), it can also be the starting point for an attack. As a concrete example, a preimage attack on the hash function Poseidon based on the existence of such trails has recently been shown in [BCD+20, Sect. 6.2]. The attacked hash function is based on the Hades design strategy [GLR+20b], which uses external rounds with full S-box layers and middle rounds with partial S-box layers. The linear layer is defined as the multiplication with a fixed MDS matrix, where no other properties were originally required on such a matrix. Thus, in the case of a "weak" MDS matrix (i.e., a matrix that does not satisfy the properties proposed in this work), an attacker can potentially choose an input space of texts for which no S-box is activated in the rounds with partial S-box layers. This weakness was exploited for the particular matrices used in [GKR+19, GKR+21], where attacks on the corresponding hash functions have been found [BCD+20, KR21].

Infinitely Long Subspace Trails: Necessary & Sufficient Conditions for P-SPN Schemes.
We present sufficient and necessary conditions that the matrix defining the linear layer must satisfy to guarantee that no infinitely long (nontrivial) subspace trails exist. Specifically, we analyze (1) the case without active S-boxes, in which the input of the S-box is constant, or equivalently, the input difference is equal to zero (see Section 3 and Section 4), and (2) the case with active S-boxes, in which the input of the S-box can take any possible value (see Section 6).
In both cases, we work independently of the round keys and round constants, and we show how to construct an infinitely long subspace trail if it exists. We note that the first case is independent of the details of the S-box. In the second case, we distinguish between S-boxes with nontrivial linear structures and S-boxes without them. If the S-boxes do not have any nontrivial linear structures (which is often the case), the only possible infinitely long subspace trails with/without active S-boxes are the ones studied in this paper.
In the particular case in which the matrix is diagonalizable, the infinitely long subspace trail (if existent) is always related to the eigenspaces of the matrix. This is not surprising, since the relation between the eigenvalues and eigenvectors of the linear layer matrix and the existence of an infinitely long (invariant) subspace trail is already known in the literature. Such a relation was e.g. pointed out in [AÅBL12], and later on generalized in [Bey18]. In more detail, the results in [AÅBL12] were found by analyzing the invariant subspace trails of PRINTcipher (which was presented one year before in [LAAZ11]), while the result in [Bey18] was found as a generalization and improvement of the nonlinear invariant subspace attack on Midori-64 [TLS16]. However, all these results focus only on SPN schemes and invariant subspaces. Consequently, this analysis heavily depends on the effect of the key (namely, the invariant subspace only holds in the case of weak keys) and, in general, on the details of the S-box, which is not the case here. For example, if the subkeys are defined as the sum of the master key and a round constant, the existence of such an invariant subspace can be prevented by carefully choosing the round constants, as shown in [BCLR17].
More generally, the infinitely long subspace trails (if existent) are always related to the invariant subspaces of the matrix M defining the linear layer, namely the subspaces X that remain invariant under the matrix multiplication: M · X = X. These subspaces can be found via the primary decomposition theorem, which allows splitting the full space F_q^t into a direct sum of invariant and independent subspaces for M. This is possible by computing the Frobenius normal form of the matrix (as recalled in Section 2).
Besides nontrivial infinitely long invariant subspace trails, our analysis also covers iterative subspace trails. A subspace trail is invariant if it is related to the invariant subspaces of M, and not invariant if it is related to the invariant subspaces of M^l for l ≥ 2 (where M^l ≠ µ · M for each µ ∈ F_q). In the latter case, we call the subspace trail iterative. In both cases, examples are provided to present and support the results.
To summarize, both in the case with and without active S-boxes, we present rigorous necessary and sufficient conditions which guarantee that no infinitely long (invariant or iterative) subspace trail exists. As a final result, we present a sufficient (but in general not necessary) condition for the linear layer that, if satisfied, ensures that no infinitely long truncated differential exists. This condition is related to the degree and the irreducibility of the minimal polynomial of the matrix that defines the linear layer. Dedicated Tool. Together with our theoretical observations, we also provide practical Sage implementations based on our results. Given a square matrix, the tool can detect the vulnerabilities described in this paper (invariant and iterative trails), both in the case with and without active S-boxes and for binary and prime fields. We make our implementation available online. The tool is split into three different algorithms to cover all our results. The vulnerability of a single matrix can be evaluated quickly. To better understand the number of vulnerable matrices for given dimensions and field sizes, we applied our tool to large sets of pseudorandomly sampled matrices. These tests show that the number of vulnerable matrices is in general small (and slightly larger than 10% only in a few particular cases). Details about the tool and the results are given in Section 5 and Section 7.

Preliminaries
Notation. We denote the finite fields we are working with by F_q, where q = 2^n or q = p^n for a prime p ≥ 3 and n ∈ N. For brevity, and where there is no difference regarding the results, we abuse the notation F instead of F_q. We denote subspaces with calligraphic letters (e.g., S). Further, we use the superscript notation together with parentheses to differentiate subspaces with similar properties (e.g., S^(i)). Given a subspace S ⊆ F^t, we denote by S^c ⊆ F^t a complementary subspace such that S ⊕ S^c = F^t. We recall that two cosets S + a and S + b are equal if and only if a − b ∈ S ⊆ F^t. We use the symbol ⊕ together with two spaces to denote the direct sum of two spaces. Given v, w ∈ F^t, the span ⟨v, w⟩ ⊆ F^t is always defined with respect to the space F, that is, ⟨v, w⟩ = {α · v + β · w : α, β ∈ F}. We denote by {e_1, …, e_t} the unit vectors of F_q^t (i.e., e_i has a single 1 in the i-th word). Matrices are denoted by non-calligraphic letters. The entry of a vector x ∈ F^t is denoted by x[i] for i ∈ {1, …, t}, while the entry of a matrix M in the j-th column of the i-th row is denoted by M_{i,j}. Given an arbitrary subspace X ⊆ F^t and a matrix M, let

Partial SPN Schemes
In this paper, we will focus on P-SPN block ciphers and permutations over (F_q^t, +, ·). All our results are independent of the round keys and constants. For this reason, in the following we do not clearly distinguish between block ciphers and unkeyed permutations, and we just refer to them using the term schemes.
Partial SPN (P-SPN) Schemes. We denote the application of r rounds of a t-word P-SPN scheme by E_r : F^t → F^t. For every input x = (x_1, …, x_t) ∈ F^t, the output is defined by Eq. (1), where c^(i) is a publicly known round constant or a secret round key for i ∈ {0, …, r}.
Let 1 ≤ s < t/2 be the number of S-boxes per round. We denote by R the composition of the S-box layer and of the linear layer, i.e., we have R : F^t → F^t, where S_i : F → F for i ∈ {1, …, s} is a nonlinear permutation, and hence t − s input words are unaffected by the S-box layer, which is the only difference to classical SPN schemes. We also assume that the s S-boxes are applied to the first s words (note that given any P-SPN scheme with the S-boxes in fixed positions, it is always possible to find an equivalent representation such that the S-boxes are applied to the first s words).
The linear layer M(·) is defined by the multiplication with an invertible matrix M ∈ F^{t×t}, that is, M(x) = M · x. In the following, we assume that the matrix M ensures full diffusion after a finite number of rounds, in the sense that there exists an r ∈ N such that every word of the internal state after the application of r rounds depends on every input word x_1, …, x_t. For example, the smallest integer r that satisfies the previous condition for an MDS matrix is 1, for the linear layer in AES it is 2, while it does not exist for a diagonal matrix. We refer to [BJK+16a, BJK+16b, App. D] for a more detailed analysis of this concept.
Before going on, we point out that all word-wise (aligned) P-SPN schemes can be written in the above way.
Hades-Like Schemes. The recently proposed Hades strategy [GLR+20b] combines both SPN and partial SPN schemes. In particular, the initial R_f and the final R_f rounds contain full S-box layers, for a total of R_F = 2R_f rounds with full S-box layers. However, in the middle of the construction, R_P rounds with partial S-box layers are used.

Invariant Subspaces and Subspace Trails
Subspace Trails. Subspace trails were first defined in [GRR16a], and they are strictly related to truncated differential attacks, as shown in [LTW18].
Definition 1 (Subspace Trail). Let (U_1, …, U_{r+1}) denote a collection of r + 1 nontrivial subspaces with dim(U_i) ≤ dim(U_{i+1}) < t. If for each i ∈ {1, …, r} and for each a_i ∈ F^t there exists a_{i+1} ∈ U^c_{i+1} such that the corresponding coset relation holds, then (U_1, …, U_{r+1}) is a subspace trail of length r for the function under consideration. If the relations hold with equality, the subspace trail is called a constant-dimensional subspace trail.
In the entire paper, we sometimes refer to a subspace trail (U_1, …, U_{r+1}) as a subspace trail "generated" by U_1. Before going on, we mention that the link between truncated differential trails and subspace trails is recalled in Appendix A.
Invariant Subspace Trails. We use the term "invariant subspace trail" to refer to a subspace trail in which the subspace is invariant (that is, U_i = U_j for each i, j = 1, …, r).
Definition 2 (Invariant Subspace Trail). Let U ⊂ F^t be a subspace. U generates an r-round invariant subspace trail for the function under consideration if the corresponding coset relation holds with U_i = U for all i. We point out that this is not the original definition introduced in [LAAZ11] and reconsidered e.g. in [LMR15]. In these cases, the authors consider SPN schemes, and the existence of an invariant subspace is related to the existence of weak keys. In particular, given a weak key k (with k = (k^(0), …, k^(r)), where k^(j) is the j-th round key), a (nontrivial) subspace I ⊂ F^t generates an invariant subspace trail of length r for the round function if for each i ∈ {0, …, r} there exist a_0, a_1, …, a_r ∈ F^t such that R^{(k^(i))}(I + a_i) = R(I + a_i) + k^(i) = I + a_{i+1} for each i ∈ {0, 1, …, r − 1}. In our case, this restriction is not mandatory anymore, and we are free to work independently of the value of the secret key.
Iterative (Constant-Dimensional) Subspace Trails. We now introduce the concept of infinitely long iterative (constant-dimensional) subspace trails.
Definition 3 (Iterative Subspace Trail). Let (V_1, V_2, …, V_l) be a constant-dimensional subspace trail for l rounds with dim(V_i) < t. We call this subspace trail an infinitely long iterative (constant-dimensional) subspace trail of period l for the considered scheme if it repeats itself an arbitrary number of times, i.e., if (V_1, …, V_l, V_1, …, V_l, …) is a subspace trail.
Clearly, an invariant subspace trail is also an iterative subspace trail for the case of P-SPN schemes (under the previous assumptions), while not every iterative subspace trail is also an invariant subspace trail. At the same time, the following result holds. Proposition 1. Working over F^t, let (V_1, …, V_l) be an infinitely long iterative subspace trail of period l.
To the best of our knowledge, no example of infinitely long iterative constant-dimensional subspace trails for SPN schemes is given in the literature. However, a poor choice of the linear layer allows one to find them for the case of P-SPN schemes.

Decomposition Theorem & Frobenius Normal Form
In this section, we recall several notions from linear algebra useful for presenting our results, starting with the concept of eigenvalues and eigenspaces. Definition 4. Given an invertible matrix M ∈ F^{t×t}, the subspace associated with an eigenvalue is its eigenspace. Definition 5. M ∈ F^{t×t} is a diagonalizable matrix if and only if there exists an (invertible) matrix P ∈ F^{t×t} and there exist λ_1, …, λ_t ∈ F such that

and
(2) for each polynomial p ∈ F[x] that is annihilating (in the sense that p(M) is the zero matrix). Proposition 2 ([Kai08, Theorem 1]). Let M ∈ F^{t×t} be an invertible matrix with the minimal polynomial φ. There exists (at least) one vector v ∈ F^t whose minimal annihilating polynomial is φ itself. By definition, det(M) = (−1)^t · ψ(0). Moreover, (1) the minimal polynomial divides the characteristic polynomial (which implies that deg(φ) ≤ deg(ψ) = t), and (2) an eigenvalue of the matrix is a root of both the minimal and the characteristic polynomial, and vice versa (i.e., each root is an eigenvalue).
Definition 8. Let M ∈ F^{t×t} be an invertible matrix and let V ⊆ F^t be a subspace. V is said to be M-invariant if and only if M · V = V.
Definition 9. Let M ∈ F^{t×t} be an invertible matrix and let V ⊆ F^t be a subspace.
• V is said to be directly indecomposable if there are no nontrivial M-invariant subspaces whose direct sum is V. As is well known, not all matrices are diagonalizable. When working over a field F, there always exists an invertible matrix Q ∈ F^{t×t} such that F := Q^{−1} · M · Q is in Frobenius normal form. The Frobenius normal form can be exploited to easily compute the characteristic and the minimal polynomial of a given matrix. It can also be used to split the full space F^t into independent subspaces that are invariant through the matrix M. Definition 10. Let M ∈ F^{t×t}. The Frobenius normal form of M is the matrix F ∈ F^{t×t} for which there exists an invertible matrix Q ∈ F^{t×t} such that

and
(2) p_l corresponds to the minimal polynomial φ of M, and ψ is the product of all the p_i. Note that given a companion matrix C_i over F^{t_i}, the vector e_1 generates the full subspace F^{t_i} under C_i, since p_i(e_1) = e_2, p_i(e_2) = e_3, …, p_i(e_{t_i−2}) = e_{t_i−1}, p_i(e_{t_i−1}) = e_{t_i} are linearly independent. Theorem 1 (Primary Decomposition Theorem [Hog16, Sect. 6.4], [Kai08, Theorem 3]). Let M ∈ F^{t×t} be an invertible matrix. Let φ ∈ F[x] be its minimal polynomial, factored as a product of powers p_i^{α_i} where α_i ≥ 1 and p_i(·), p_j(·) are monic, irreducible, and relatively prime. The subspace F^t can be rewritten as a direct sum decomposition F^t = A_1 ⊕ ⋯ ⊕ A_m, where for each j ∈ {1, …, m} the subspace A_j is the kernel of p_j(M)^{α_j} (where ker(X) is the kernel of the matrix X ∈ F^{t×t}), such that 1. A_i are M-invariant for each i, and

2. the minimal polynomial of the linear operator M_i induced on A_i is p_i^{α_i}.
We emphasize that the previous decomposition does not imply that there are no nontrivial subspaces of A_i that are M-invariant. For example, consider the 3 × 3 matrix M = diag(1, 1, 2). In such a case the minimal polynomial is φ(x) = (x − 1) · (x − 2), and F^3 = A_1 ⊕ A_2, where A_1 = ⟨e_1, e_2⟩ and A_2 = ⟨e_3⟩. At the same time, while A_2 is "irreducible", it is easy to find subspaces of A_1 that are invariant through M, namely all subspaces of dimension one of the form ⟨a · e_1 + b · e_2⟩ with a, b ∈ F not both zero.
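As an added example (not the paper's Sage tool and not the authors' code), the script below works over a prime field F_p and computes the characteristic polynomial ψ of a matrix with the Faddeev-LeVerrier recurrence, checks that ψ(M) = 0 and that det(M) = (−1)^t · ψ(0), and tests which polynomials annihilate M. Run on the paper's M = diag(1, 1, 2), it shows that ψ(x) = (x − 1)²(x − 2) has degree 3 while the degree-2 polynomial φ(x) = (x − 1)(x − 2) already annihilates M, so φ is the minimal polynomial, and that the roots of ψ are exactly the eigenvalues 1 and 2. The recurrence divides by 1, …, t and therefore assumes p > t; p = 103 is a constructed choice.

```python
"""Characteristic polynomial and annihilating polynomials over F_p (added
example; not the paper's tool).  A polynomial is a list of coefficients
c_0, c_1, ..., c_d (low degree first).  Faddeev-LeVerrier divides by
1, 2, ..., t, so it assumes the prime p exceeds the matrix dimension t."""


def mat_mul(A, B, p):
    return [[sum(a * b for a, b in zip(row, col)) % p for col in zip(*B)]
            for row in A]


def mat_add(A, B, p):
    return [[(a + b) % p for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]


def scalar_matrix(c, t, p):
    """c times the t x t identity matrix."""
    return [[c % p if i == j else 0 for j in range(t)] for i in range(t)]


def trace(A, p):
    return sum(A[i][i] for i in range(len(A))) % p


def char_poly(M, p):
    """Coefficients of psi(x) = det(x I - M) via Faddeev-LeVerrier:
    N_k = M N_{k-1} + c_{t-k+1} I,  c_{t-k} = -(1/k) tr(M N_k)."""
    t = len(M)
    c = [0] * (t + 1)
    c[t] = 1
    N = scalar_matrix(0, t, p)
    for k in range(1, t + 1):
        N = mat_add(mat_mul(M, N, p), scalar_matrix(c[t - k + 1], t, p), p)
        c[t - k] = (-pow(k, -1, p) * trace(mat_mul(M, N, p), p)) % p
    return c


def poly_eval(coeffs, x, p):
    """Horner evaluation at a field element."""
    r = 0
    for a in reversed(coeffs):
        r = (r * x + a) % p
    return r


def poly_at_matrix(coeffs, M, p):
    """Horner evaluation at a square matrix."""
    R = scalar_matrix(0, len(M), p)
    for a in reversed(coeffs):
        R = mat_add(mat_mul(R, M, p), scalar_matrix(a, len(M), p), p)
    return R


def is_annihilating(coeffs, M, p):
    """True iff the polynomial evaluated at M is the zero matrix."""
    return all(v == 0 for row in poly_at_matrix(coeffs, M, p) for v in row)


def det_from_char_poly(coeffs, p):
    """det(M) = (-1)^t psi(0), with t = deg(psi), as recalled in the paper."""
    t = len(coeffs) - 1
    return ((-1) ** t * coeffs[0]) % p


def is_eigenvalue(lam, M, p):
    """lam is an eigenvalue iff it is a root of the characteristic polynomial."""
    return poly_eval(char_poly(M, p), lam, p) == 0


P = 103                                    # constructed prime field, p > t
DIAG = [[1, 0, 0], [0, 1, 0], [0, 0, 2]]   # the paper's example M = diag(1, 1, 2)
PHI = [2, (-3) % P, 1]                     # (x - 1)(x - 2) = x^2 - 3x + 2

if __name__ == "__main__":
    psi = char_poly(DIAG, P)               # (x-1)^2 (x-2) = x^3 - 4x^2 + 5x - 2
    print("psi =", psi, "annihilates:", is_annihilating(psi, DIAG, P))
    print("phi annihilates:", is_annihilating(PHI, DIAG, P),
          "(x - 1) alone:", is_annihilating([P - 1, 1], DIAG, P))
    print("det =", det_from_char_poly(psi, P), "eigenvalues:",
          [lam for lam in range(P) if is_eigenvalue(lam, DIAG, P)])
```

Because the minimal polynomial divides the characteristic polynomial, a practitioner checking the sufficient condition of the paper (degree and irreducibility of φ) can restrict the search for φ to monic divisors of ψ and keep the one of smallest degree that `is_annihilating` accepts.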

Infinitely Long Invariant Subspace Trails for P-SPN Schemes (Without Active S-Boxes)
Focusing on P-SPN schemes which use the same linear layer in each round (e.g., Zorro [GGNPS13]), here we study the properties that the matrix defining the linear layer must satisfy in order to prevent infinitely long invariant subspace trails without active S-boxes.

Preliminary Results
Due to the fact that the nonlinear layer is only partial in P-SPN schemes, parts of the state go through the S-box layer unchanged. In particular, if the nonlinear layer consists of s ≥ 1 S-boxes (applied to the first s words) and t − s ≥ 1 identity functions, it is always possible to find an initial subspace such that no S-box is active (at least) in the first max{1, ⌊(t − s)/s⌋} rounds. Note that ⌊(t − s)/s⌋ ≥ 1 if and only if s < t/2. Indeed, if the matrix that defines the linear layer has maximum branch number and if s ≥ t/2, then at least one S-box is active every two rounds (however, since s < t, it is always possible to choose the initial subspace such that no S-box is active in the first round).
By choosing texts in the same coset of the subspace spanned by the vectors below, for each j ∈ {1, …, dim(S)} and where M^0 = I is the identity matrix, no S-box is active in the first max{1, ⌊(t − s)/s⌋} rounds. We formalize this result in the following definition.
Definition 11. Consider the case of a P-SPN scheme over F^t with 1 ≤ s < t S-boxes applied to the first s words defined as in Eq. (1). Let S^(i) ⊆ F^t be defined as the subspace of inputs that activate no S-box in the first i rounds. Lemma 1. Given a P-SPN scheme over F^t with s S-boxes applied to the first s words defined as in Eq. (1), let S^(i) be defined as in Definition 11. For each i ≥ 1, S^(i+1) ⊆ S^(i). Proof. Let x ∈ S^(1). By definition, x ∈ S^(2) if and only if the first s words of M · x are also zero. Moreover, the following result holds.
Lemma 2. Consider the case of a P-SPN scheme over F^t with 1 ≤ s < t S-boxes applied to the first s words as in Eq. (1), and let S^(i) be defined as before. Let R ≥ ⌊(t − s)/s⌋ be the (positive) integer such that dim(S^(R)) ≥ 1 and dim(S^(R+1)) = 0 (where R = ∞ if dim(S^(r)) ≥ 1 for each r ≥ 1). For each r ≤ R, the collection (S^(r), M · S^(r), …, M^{r−1} · S^(r)) is a subspace trail for the first r rounds generated by S^(r) without active S-boxes.
• The S-box layer only changes the coset. Indeed, the first s words of M^i · S^(r) + a are constant, due to the definition of S^(r) and due to the fact that the S-box layer is composed of s nonlinear functions and t − s identity functions. Hence, the S-box layer maps the coset M^i · S^(r) + a to another coset of M^i · S^(r).
• Since the linear layer is a linear operation, it maps a coset of M^i · S^(r) to a coset of M^{i+1} · S^(r).
• Finally, the last key or constant addition only changes the coset.
This well-known result (see e.g. [ARS+15, Sect. 5.1] or [GGNPS13, Sect. 4.1]) does not require any assumption on the matrix M that defines the linear layer. In the following, we will explore in which cases it is possible to set up an infinitely long subspace trail. In order to do this, we start by reconsidering some results already published in the literature.

Infinitely Long Invariant Subspace Trails via Eigenspaces of M
As is well known in the literature [AÅBL12, Bey18], invariant subspace trails can be set up by exploiting the eigenspaces of the matrix M that defines the linear layer. Proposition 3. Given a P-SPN scheme over F^t with s S-boxes per round defined as in Eq. (1), let M ∈ F^{t×t} be the invertible matrix defining the linear layer. Let λ_1, …, λ_τ ∈ F be its eigenvalues and let P_1, …, P_τ ⊆ F^t be the corresponding eigenspaces. Let I = ⟨P_1 ∩ ⟨e_{s+1}, …, e_t⟩, …, P_τ ∩ ⟨e_{s+1}, …, e_t⟩⟩.
If 1 ≤ dim(I) < t, then I ⊆ F^t generates a (nontrivial) infinitely long invariant subspace trail without active S-boxes. Proof. To prove the previous result, we have to show that for each a ∈ F^t there exists b ∈ F^t such that M · S(I + a) = I + b. Hence, we omit the key and constant additions, since they only change the coset. First of all, note that no S-box is active since I ⊆ ⟨e_{s+1}, …, e_t⟩, and thus only the coset changes through the S-box layer. Secondly, since P_i is an eigenspace of the linear layer M for each i ∈ {1, …, τ}, it follows that P_i ∩ ⟨e_{s+1}, …, e_t⟩ remains invariant through it. The result follows immediately.
Examples. Consider a P-SPN scheme over F_p^4 with s = 1 for a prime p ≥ 101. If the 4 × 4 matrix M is chosen such that (0, 1, −1, 1)^T is an eigenvector, then ⟨(0, 1, −1, 1)^T⟩ generates an infinitely long invariant subspace trail. Indeed, note that (0, 1, −1, 1)^T is an eigenvector of M and ⟨(0, 1, −1, 1)^T⟩ ∩ ⟨e_2, e_3, e_4⟩ = ⟨(0, 1, −1, 1)^T⟩. Hence, this is a concrete example of the result given in the previous proposition, and it is independent of the branch number of M (e.g., such a 4 × 4 matrix is an MDS matrix for each p ≥ 101). As a second example, if the only eigenspaces are given by ⟨(1, 1, 1, 1)^T⟩ and ⟨(1, −1, 1, −1)^T⟩ (with eigenvalues equal to 7 and −1, respectively), neither of them satisfies the conditions of the proposition just given. Hence, there exist matrices which provide security against invariant subspace trails without active S-boxes even if they have eigenspaces.

A Necessary and Sufficient Condition for the Existence of Infinitely Long Invariant Subspace Trails (Without Active S-boxes)
As shown in Section 2.3, a subspace does not have to be an eigenspace of a matrix M in order to be M-invariant. In particular, as we have seen in Theorem 1, the space F^t can be rewritten as a direct sum decomposition where, among other properties, all subspaces A_i are M-invariant. Here we generalize the previous result by replacing the eigenspaces of the matrix with the subspaces A_i, which leads us to a necessary and sufficient condition.
Theorem 2. Given a P-SPN scheme over F^t with s S-boxes defined as in Eq. (1), let M ∈ F^{t×t} be the invertible matrix that defines the linear layer. A subspace I, where 1 ≤ dim(I) < t, generates an infinitely long invariant subspace trail without active S-boxes if and only if I ⊆ S^(1) and I = M · I. In particular, I ⊆ S^(1) ∩ M · S^(1).
Proof. We work with differences. That is, instead of proving that each coset of I is mapped into a coset of I after one round, we are going to prove that given two elements in the same coset of I (namely, an input difference in I), the corresponding output elements are still in the same coset of I (namely, the output difference lies in I), i.e., given x, y with x − y ∈ I, the outputs after one round also satisfy R(x) − R(y) ∈ I. We use this approach in the entire paper. The fact that a subspace I ⊆ S^(1) such that I = M · I generates an infinitely long invariant subspace trail without active S-boxes is trivial. Indeed, the definition of S^(1) (which implies that no S-box is active) together with the fact that I = M · I implies the result. Vice versa, here we show that given an infinitely long invariant subspace trail I without active S-boxes, it must satisfy I ⊆ S^(1) and I = M · I. To do this, observe that all pairs of texts which do not activate any S-box in the next round are in the same coset of S^(1) (by its definition). Focusing on the linear layer, note that a subspace X is invariant if and only if M · X = X. The result follows immediately.
Finally, we prove that I ⊆ M · S^(1): since I ⊆ S^(1) and M is a linear operation, M · I ⊆ M · S^(1). As a result, I ⊆ M · S^(1) since I = M · I. Theorem 3. Given a P-SPN scheme over F^t with s S-boxes defined as in Eq. (1), let M ∈ F^{t×t} be the invertible matrix that defines the linear layer. Let {A_1, …, A_m} be the primary decomposition of F^t with respect to the matrix M, as defined in Theorem 1, i.e., a collection of M-invariant independent subspaces in F^t such that F^t = ⊕_i A_i. Let {X_1, …, X_m} be a collection of subspaces defined as in Eq. (4). A subspace I, where 1 ≤ dim(I) < t, generates an infinitely long invariant subspace trail without active S-boxes if and only if I = ⟨P_1, …, P_m⟩ for M-invariant subspaces P_i ⊆ X_i, not all trivial. Note that the condition A_i ∩ ⟨e_{s+1}, …, e_t⟩ can be replaced by the condition A_i ∩ S^(1).
Proof. Proving that I = ⟨P_1, P_2, …, P_m⟩ generates an infinitely long invariant subspace trail without active S-boxes is trivial. Indeed, by definition of P_i, no S-box is active (since P_i ⊆ ⟨e_{s+1}, …, e_t⟩ for i ∈ {1, …, m}). The fact that I is M-invariant follows from the fact that all P_i are M-invariant subspaces of X_i (by assumption). Hence, every input difference in I is mapped into an output difference in I.
Vice versa, assume that I generates an infinitely long invariant subspace trail without active S-boxes. Let P_i := A_i ∩ I. Obviously, all P_i are subspaces. First of all, note that all P_i are subspaces of ⟨e_{s+1}, …, e_t⟩, since no S-box is active by definition of I. Indeed, if there exists a nontrivial P_i such that P_i ∩ ⟨e_1, …, e_s⟩ ≠ {0}, then eventually at least one S-box is active (remember that we are working with differences and that I generates an infinitely long subspace trail), which contradicts the assumption that no S-box is active. Secondly, note that for each x ∈ P_i, M · x belongs to A_i (since A_i is M-invariant) and to I (since it generates an infinitely long subspace trail), which implies that M · x ∈ (A_i ∩ I) = P_i. Moreover, I = ⟨P_1, P_2, …, P_m⟩ since A_i ∩ A_j = {0} for i ≠ j and since F^t = A_1 ⊕ ⋯ ⊕ A_m; the remaining condition follows from the fact that P_i ⊆ X_i and P_i = M · P_i, as in the proof of Theorem 2. Proposition 4. Under the assumptions of the previous theorem, let X^(0)_i := A_i ∩ ⟨e_{s+1}, …, e_t⟩. For j ≥ 1, we define X^(j)_i as the subspace of X^(j−1)_i obtained at the next step of the iteration. Finally, note that the index l_i such that X^(j)_i = X^(l_i)_i for each j ≥ l_i is always finite. Indeed, l_i is bounded by dim(X^(0)_i), since at each step the dimension of X^(j)_i either remains constant or decreases by 1.

Corollary 1. The infinitely long invariant subspace trail without active S-boxes presented in Proposition 3 satisfies Theorem 3. The two results are equivalent if the matrix is diagonalizable.
Proof. The invariant subspace considered in Proposition 3 is equal to the one considered in Theorem 3 under the condition This concludes the proof.
Before going on, we highlight that Theorem 3 and Proposition 3 are not equivalent, in the sense that there are matrices M that admit infinitely long invariant subspace trails which are independent of their eigenspaces. A concrete example is given by the Cauchy matrix M generated as in [GKR+19, GKR+21] (recalled in Section 4.1) for t = 24 and F_{2^n}, where n = 63. As shown in [KR21, Page 20], the subspace S^{(5)} defined as in Eq. (3) satisfies M · S^{(5)} = S^{(5)} and (M · x)[1] = 0 for all x ∈ S^{(5)}. At the same time, the subspace S^{(5)} is not related to any eigenspace of M^j for j ∈ {1, …, 5}.

Iterative Subspace Trails Without Active S-Boxes
The previous results can be generalized to obtain a necessary and sufficient condition regarding the existence of infinitely long iterative subspace trails without active S-boxes.
Proposition 5. Given a P-SPN scheme over F^t with s S-boxes defined as in Eq. (1), let M ∈ F^{t×t} be the invertible matrix that defines the linear layer. A subspace I, where 1 ≤ dim(I) < t, generates an infinitely long iterative (non-invariant) subspace trail of period l ≥ 2 without active S-boxes if and only if I ⊆ S^{(l)} and I = M^l · I. In particular, I ⊆ S^{(l)} ∩ M^l · S^{(l)}.

The proof is a simple generalization of the one given for Theorem 2.

Proposition 6. Given a P-SPN scheme over F^t with s S-boxes defined as in Eq. (1), let M ∈ F^{t×t} be the invertible matrix that defines the linear layer. Let {A_1, …, A_m} be the primary decomposition of F^t with respect to the matrix M^l, as defined in Theorem 1, that is, a collection of M^l-invariant independent subspaces of F^t for which F^t = ⊕_i A_i. For each l ≥ 2, let {X_1, …, X_m} be a collection of subspaces defined as A subspace I, where 1 ≤ dim(I) < t, generates an infinitely long iterative subspace trail without active S-boxes of period l ≥ 2 if and only if

Proof. The proof of this result is equivalent to the one given for Theorem 3. In particular, the condition P_i ⊆ S^{(l)} guarantees that no S-box is active in (I, M · I, …, M^{l−1} · I) by definition of S^{(l)}, and the subspace I is l-round invariant, since each subspace P_i is M^l-invariant.

Connection to the Existence of Invariant Subspace Trails. One may wonder whether there exists a P-SPN scheme for which there is no infinitely long invariant subspace trail, but at the same time there is an infinitely long iterative subspace trail without active S-boxes. As we are going to show, this is not possible.

Proposition 7. Consider a P-SPN scheme over F^t with s S-boxes defined as in Eq. (1). An infinitely long iterative subspace trail without active S-boxes can only exist if there exists an infinitely long invariant subspace trail without active S-boxes. Indeed, if (V_1, …, V_l) is such an iterative trail, then the span ⟨V_1, …, V_l⟩ is M-invariant and still contained in ⟨e_{s+1}, …, e_t⟩, hence it generates an invariant one.
This does not mean that iterative subspace trails without active S-boxes are useless. Indeed, let (V_1, …, V_l) be an infinitely long iterative subspace trail of period l without active S-boxes. If dim(V_i) < dim(⟨V_1, …, V_l⟩) (note: strictly less), then the data cost of setting up the iterative subspace trail may be smaller than the cost of setting up an invariant subspace trail. This can be crucial in scenarios in which there is a limitation on the data allowed for an attack.

Linear Layers with Low Multiplicative Order
As a first concrete example, we consider the case of a linear layer defined via a matrix with low multiplicative order.

Definition 12. Let M ∈ F^{t×t} be an invertible matrix. M has multiplicative order equal to l ≥ 1 if and only if l is the smallest (positive) integer for which there exists µ ∈ F \ {0} such that M^l = µ · I, where I ∈ F^{t×t} is the identity matrix.

Proposition 8. Given a P-SPN scheme over F^t defined as in Eq. (1), let M ∈ F^{t×t} be the invertible matrix defining the linear layer. If the multiplicative order of M is l such that 2 ≤ l ≤ R (that is, M^l = µ · I for a certain µ ∈ F \ {0}), where R ≥ (t − s)/s is defined as in Lemma 2, then S^{(l)} generates an infinitely long iterative subspace trail of period l.
Proof. To prove the result, it is sufficient to see that (S^{(l)}, M · S^{(l)}, …, M^{l−1} · S^{(l)}) is an iterative subspace trail without active S-boxes. This is a consequence of the fact that M^l · S^{(l)} = µ · S^{(l)} = S^{(l)}, and because no S-boxes are active by the definition of S^{(l)}.

Cauchy Matrices in [GKR+19, GKR+21]
where

Linear Layers with Low-Degree Minimal Polynomials
As we have just seen, a matrix M has a low multiplicative order if there exists a small l such that M^l = µ · I, or equivalently M^l − µ · I = 0. Given the polynomial p(x) = x^l − µ, it is easy to see that p(·) annihilates the entire space, since p(M) = M^l − µ · I = 0. Hence, the minimal polynomial of M divides p(·). A generalization of the previous result is given in the following proposition.
Proposition 9. Given a P-SPN scheme over F^t defined as in Eq. (1), let M ∈ F^{t×t} be the invertible matrix that defines the linear layer. Let φ be the minimal polynomial of M, and let l be its degree. Assume l is "low", namely l satisfies 2 ≤ l ≤ R (where R ≥ (t − s)/s is defined as in Lemma 2). Moreover, let 1 ≤ h ≤ l be a divisor of l (and let l' ≥ 1 be such that l = l' · h). Assume that the minimal polynomial is of the form given in Eq. (6), i.e., only monomials whose exponents are a multiple of h appear. Let us define I as where S^{(l)} is defined as in Eq. (3). If 1 ≤ dim(I) < t, I generates an infinitely long iterative subspace trail of period h (invariant if h = 1) without active S-boxes.
Note that the special case h = l corresponds to the one presented in Proposition 8.
Proof. The proof is similar to the one already presented for Proposition 8, noting that: 1. ∀i = 0, 1, …, h − 1: The fact that no S-box is active follows from the definition of S^{(l)}.

A Concrete Example: The Starkad Matrix
A concrete example for this case is given by the matrix used for Starkad over F_{2^{63}} with t = 24, built by using the definition given in Eq. (5) in Section 4.1. Indeed, the minimal polynomial of this matrix is φ(x) = x^6 + α_4 · x^4 + α_2 · x^2 + α_0 for particular α_4, α_2, α_0 ∈ F_{2^{63}}. Following Proposition 9, we see that l = 6, h = 2, l' = 3. An iterative subspace trail can thus be constructed, as also shown in [KR21].

A Generic Example via the Eigenspaces of M l
Finally, we show a concrete example of a matrix that satisfies the previous result. Consider a matrix M whose minimal polynomial is defined as in Eq. (6), that is, , and assume h ≥ 2. This polynomial is related to φ'(y) = Σ_{i=0}^{l'} α_{i·h} · y^i by replacing y with x^h. By definition, note that if φ is the minimal polynomial of M, then φ' is a multiple of the minimal polynomial of M^h (since φ'(M^h) = φ(M) = 0). Moreover, remember that every root ŷ of φ' (namely, such that φ'(ŷ) = 0) is of the form ŷ = x^h for a root x of φ (in an algebraic closure of F), i.e., an eigenvalue of M^h, and that each root x of φ is an eigenvalue of M. Since the finite field F is not algebraically closed, given a root ŷ ∈ F of φ', it is possible that there is no x ∈ F that satisfies x^h = ŷ, which is related to the existence of an eigenspace of the matrix M^h that is not an eigenspace of M. In more detail, if E is an eigenspace of M with eigenvalue λ, then E is also an eigenspace of M^l with eigenvalue λ^l, i.e., M^l · x = λ^l · x for all x ∈ E. Working over a field that is not algebraically closed, the other direction is not true in general. Here we exploit these facts in order to present a more generic example of an iterative subspace trail.

Lemma 3. Given a P-SPN scheme over F^t with s S-boxes defined as in Eq. (1), let M ∈ F^{t×t} be the invertible matrix that defines the linear layer. Let λ_1, …, λ_τ ∈ F be the eigenvalues of M^l for some l ≥ 1, and let P_1^{(l)}, …, P_τ^{(l)} ⊆ F^t be their corresponding eigenspaces (where τ ≤ t). The subspace I defined as I := ⟨S^{(l)} ∩ P_1^{(l)}, S^{(l)} ∩ P_2^{(l)}, …, S^{(l)} ∩ P_τ^{(l)}⟩ generates an infinitely long iterative subspace trail of period l with no active S-box.
Proof. The proof of this result is analogous to the one proposed for Proposition 8. In particular, it is sufficient to note that no S-box is active due to the definition of S^{(l)} (see Eq. (3)), and that the subspace trail is iterative with a period equal to l since I is constructed via the eigenspaces of M^l.
We point out that this result includes the case in which the matrix has a low multiplicative order, or more formally, the condition stated in Proposition 8 implies the condition stated in Lemma 3. Indeed, let l ≥ 2 be the smallest integer such that M^l = µ · I. Then e_1, …, e_t are all eigenvectors of M^l with eigenvalue µ. Given S^{(l)} constructed as in Eq. (3) such that no S-box is active in the first l rounds, S^{(l)} is an invariant subspace of M^l, since ⟨e_1, …, e_t⟩ is the eigenspace of M^l corresponding to the eigenvalue µ. It follows that (S^{(l)}, M · S^{(l)}, M^2 · S^{(l)}, …, M^{l−1} · S^{(l)}) is an infinitely long iterative (constant-dimensional) subspace trail.
We remark that the two conditions are not equivalent (that is, the condition stated in Proposition 8 does in general not imply the condition stated in Lemma 3), as shown in the following concrete example.
Example. Consider the 4 × 4 circulant matrix M = circ(a, b, c, d) over F_p. Its eigenvalues and eigenvectors are equal to and is a quadratic residue modulo p, while the eigenvalues and eigenvectors of M^2 are given by Since x ↦ x^2 is not a permutation over F_p for any prime p ≥ 3 (see Hermite's criterion), it is possible that there exist a, b, c, d for which is a quadratic non-residue. As a concrete example, by taking a This fact can be exploited in order to construct a matrix M that is not a multiple of the identity and for which an infinitely long iterative subspace trail exists. Given a P-SPN scheme over (F_p)^5 with s = 1, an example of such a matrix is for particular values of a, b, c, d, x, y, w, z_j ∈ F_p such that (1) the matrix is invertible and provides full diffusion (at word level after a finite number of rounds) for cryptographic purposes and (2) the circulant matrix circ(a, b, c, d) has only two eigenvalues. The iterative (non-invariant) subspace trail is thus given by I = ⟨(0, 0, 1, 0, −1)⟩, where M^2 · I = I and M^2 ≠ µ · I for every µ ∈ F_p. Finally, note that M^2 is not necessarily equal to a multiple of the identity. For example, (M^2)_{1,5} ≠ 0, where (M^2)_{1,5} = x · y_0 + y_0 · a + y_1 · b + y_0 · c + y_1 · d is different from 0 for an appropriate choice of the entries.

Practical Tests (Without Active S-Boxes)
In this section, we first present an algorithm which can be used to find vulnerabilities and to detect weak matrices (with respect to the attacks presented before).Moreover, we test several matrices over F p and over F 2 n to give an idea of the number of these matrices.

Algorithm for Detecting Weak Matrices
In order to find the vulnerabilities, we use the results given in Theorem 3 and Proposition 4. In more detail, we first decompose the full space into (potentially smaller) M-invariant subspaces, that is, F^t = ⊕_{i=1}^{m} A_i, where this decomposition results from Theorem 1. For this purpose, we need the minimal polynomial of the matrix, obtained via the Frobenius normal form. We then take the intersection of these subspaces with the span of the unit vectors at the identity positions of the nonlinear layer, i.e., X_i^{(0)} = A_i ∩ ⟨e_{s+1}, …, e_t⟩. Now we apply Proposition 4 to each of these subspaces X_i^{(0)}, which means reducing the dimensions of these subspaces until the dimension becomes either zero or until the subspace has a nonzero dimension and does not change when applying the matrix multiplication. These final subspaces are P_i for i ∈ {1, …, m}. We now build the space I = ⟨P_1, P_2, …, P_m⟩ and report that the matrix is vulnerable with respect to infinitely long invariant subspace trails if and only if dim(I) > 0. The detailed steps are shown as pseudo code in Algorithm 1. We emphasize that, while Algorithm 1 only detects infinitely long invariant subspace trails, this is sufficient in order to also prevent infinitely long iterative subspace trails. We refer to Proposition 7 for more details.

Footnote 7: By definition, x ∈ F_p is a quadratic residue modulo p if there exists y ∈ F_p such that x = y^2, and a quadratic non-residue otherwise.
Footnote 8: E.g., given (a, b, c, d)

Algorithm 1: Determining the existence of invariant infinitely long subspace trails without active S-boxes, using Theorem 3 and Proposition 4.
Data: P-SPN scheme over F^t with s S-boxes applied to the first s words.
Result: 1 if an invariant infinitely long subspace trail without active S-boxes exists, 0 otherwise.
1 Obtain A_1, A_2, …, A_m using Theorem 1.

Computational Cost of Algorithm 1. The complexity of computing the Frobenius normal form is an element of O(t^3) for a t × t matrix [Sto98]. Moreover, since m ≤ t and since the dimension of each A_i can be reduced at most t times, the complexity of the loop is an element of O(t^2). Hence, the computational cost is an element of O(t^3 + t^2) = O(t^3).
Computational Cost in Practice. In our practical runtime tests, we focus on prime fields F_p for p ≥ 3 and we use Sage. To give some concrete numbers, for log_2(p) = 16, the test for a single matrix takes about 4 milliseconds for t = 4, while it takes about 30 milliseconds for t = 16 (using an Intel Xeon E5-2699v4 with a maximum clock frequency of 3.60 GHz).

Percentage of Weak Linear Layers
We implemented Algorithm 1 in Sage and used it to get an idea of the percentage of matrices that are vulnerable to the attack without active S-boxes presented in Section 3.
Different Classes of Matrices. For concrete use cases, we set s = 1 and we focus on two scenarios, namely random invertible matrices and random Cauchy matrices. As the source for randomness we use Sage's random engine in both cases (and for choosing

Concrete Results.
The sample size for all tests was set to 100 000 and the results are given in Table 1 and Table 2.We used different values for p for each specified range.We can immediately see that the size of p (or n) has a significant impact on the number of vulnerable matrices.Specifically, increasing p (or n) tends to result in a higher probability for a matrix to be secure against the attacks presented here.We can observe that this is also true when keeping N = n • t constant.For example, (n, t) = (16, 4) results in a very different probability compared to (n, t) = (8, 8) (similar for (n, t) = (8, 3) and (n, t) = (6, 4), or for (n, t) = (12, 8) and (n, t) = (8, 12)).However, even for small fields, a secure matrix can easily be found by just testing a small number of matrices with our tool.

Infinitely Long Subspace Trails for P-SPN Schemes (Active S-Boxes)
Until now, we focused on the case in which no S-box is active.Here, we analyze the scenario in which S-boxes are active.
Assumption on the S-Box. From now on, we only work with S-boxes that do not have any nontrivial linear structures. That is, for an S-box S over F, we assume that it is not possible to find nontrivial subspaces U, V ⊂ F (that is, U, V ≠ {0} and U, V ≠ F) such that for each u ∈ F there exists v ∈ F such that S(U + u) = V + v. If the S-box has no nontrivial linear structures, there are only two essential subspace trails ({0} → {0} and F → F) when working at word level, as was shown in [LTW18]. Under this assumption, one can work independently of the details of the S-box. For example, both the AES S-box and the cube S-box (x ↦ x^3) satisfy this assumption. This choice is made both in order to simplify the presentation and because many of the S-boxes used in the literature satisfy this assumption. Note that, given an infinitely long subspace trail with probability 1, the following facts hold.
• If the S-box does not have any nontrivial linear structure, then each S-box can either be fully active or fully passive (equivalently, each input of the S-boxes either takes all possible values or is constant).
• If the S-box has a nontrivial linear structure, then it is possible that the input of the S-boxes can take values only in a specific nontrivial affine subspace.
It follows that the infinitely long subspace trails analyzed in the following can be constructed for all possible S-boxes.However, if the S-box has a nontrivial linear structure, then other infinitely long subspace trails may exist as well.

Preliminary Results: Subspace Trails & Truncated Differentials
We first present a generic result regarding the minimum number of rounds for which it is possible to set up a subspace trail with a probability of 1.
Proposition 10. Given a partial SPN scheme over F^t with s S-boxes defined as in Eq. (1), let R ≥ (t − s)/s be the (positive) integer defined as in Lemma 2 (namely, dim S^{(R)} ≥ 1 and dim S^{(R+1)} = 0). Let R < ∞ be a finite number. There exists a subspace trail with probability 1 on at least R + (t − s)/s rounds, defined by where S^{(i)} is defined as in Eq. (3) and where A^{(i)} := ⟨M(e_1), …, M(e_s), M · A^{(i−1)}⟩ for i ≥ 1 (where As for Lemma 2, this well-known result (whose proof can be found in Appendix A) only depends on the number of S-boxes, and no assumption on the matrix M is made. As in the case presented in Section 3.1, note that depending on the details of the linear layer, a longer subspace trail of dimension 1 can be set up.

Infinitely Long Invariant Subspace Trails with Active S-Boxes via the Eigenspaces of M
Using the approach from Section 3.2, here we present some simple examples of infinitely long invariant subspace trails with active S-boxes based on the eigenspaces of the matrix M .For this purpose, let us first introduce the concept of "compatible" subspaces.
Definition 13. Let s ∈ {1, …, t − 1} be an integer. Let V ⊆ F^t be a subspace and let 𝓘 ⊆ {1, …, s}. We say that the subspace V is 𝓘-compatible if and only if (i) V ⊆ ⟨e_i : i ∈ 𝓘⟩ + ⟨e_{s+1}, …, e_t⟩ and (ii) ⟨e_i⟩ ⊆ V for each i ∈ 𝓘. If there exists 𝓘 ⊆ {1, …, s} such that V is 𝓘-compatible, then 𝓘 is unique, in the sense that V cannot be 𝓙-compatible for any 𝓙 ≠ 𝓘. At the same time, note that it is possible that there is no 𝓘 such that V is 𝓘-compatible. For example, working over (F_p)^t for a prime p ≥ 3 and t ≥ 3, consider the subspace V = ⟨e_1 + 2 · e_2⟩. If s = 1, we can immediately see that there is no 𝓘 such that the subspace V is 𝓘-compatible.

Proposition 11. Given a P-SPN scheme over F^t with s S-boxes defined as in Eq. (1), let M ∈ F^{t×t} be the invertible matrix defining the linear layer. Let λ_1, …, λ_τ ∈ F be the eigenvalues of M, and let P_1, …, P_τ ⊆ F^t be the corresponding eigenspaces (where τ ≤ t). Let 𝓘 = {ι_1, …, ι_|𝓘|} ⊆ {1, …, s} be the indices of the active S-boxes (where 𝓘 ≠ ∅), and let I := ⟨P'_1, …, P'_τ⟩, where P'_h is a subspace of P_h for h ∈ {1, …, τ}. If 1 ≤ dim(I) < t and if I is 𝓘-compatible, then I generates an infinitely long invariant subspace trail with active S-boxes.
Proof. Since I is 𝓘-compatible, the first condition in Definition 13 ensures that the l-th S-box is not active if l ∉ 𝓘. For each i-th active S-box, where i ∈ 𝓘, the second condition in Definition 13 implies that the entire space ⟨e_i⟩ is included in I. The consequence is that, when applying the S-box, the subspace remains the same.
As for the results given in the previous sections, this subspace remains invariant through the linear layer since it is defined via the eigenspaces of M .Hence, I results in an infinitely long invariant subspace trail.
Note that the number of active S-boxes in the previous subspace trail is proportional to the number of rounds (so, potentially "infinite").As before, we emphasize that, in general, the previous observation provides only a sufficient condition.

Example.
Let ω ∈ {0, 1}. Given a P-SPN scheme with s = 1, consider the following 4 × 4 matrix M defined over a field F_p for p ≥ 3: where a ≠ 0. A proper choice of a, b, c and of the remaining entries M_{·,·} provides invertibility and "full diffusion" (at word level after a finite number of rounds) for cryptographic purposes. The subspace I = ⟨e_1, v⟩, where M · e_1 = v and M · v = e_1, is invariant under the round transformation for any number of rounds. Indeed, since the first word can take every value and because the S-box is applied only to this word, I remains invariant (note that the S-box is active). Hence, this is a concrete example of an infinitely long invariant subspace trail with active S-boxes, where P_1 = ⟨v + e_1⟩ and P_2 = ⟨v − e_1⟩ are the eigenspaces of the matrix M that satisfy the conditions given in Proposition 11. Lastly, we remark that matrices of the form of Eq. (7) are currently used in the literature. For example, the circulant almost-MDS matrix over F_{2^n} defined as circ(0, 1, 1, 1) is used in Midori [BBI+15] and QARMA [Ava17].

A Necessary and Sufficient Condition for the Existence of Infinitely Long Invariant Subspace Trails with Active S-boxes
As done before, the natural step is to replace the eigenspaces of M with subspaces that are M -invariant.As a main result, in this section we present a necessary and sufficient condition that allows to discard "weak" matrices with respect to invariant subspaces with and without active S-boxes.
Theorem 4. Given a P-SPN scheme over F^t with s S-boxes defined as in Eq. (1), let M ∈ F^{t×t} be the invertible matrix that defines the linear layer. Assume that the S-box has no (nontrivial) linear structure. Let 𝓘 ⊆ {1, …, s} be the positions of the active S-boxes (note that 𝓘 = ∅ is also possible, that is, we do not require |𝓘| ≥ 1). A subspace I with 1 ≤ dim(I) < t generates an infinitely long invariant subspace trail (with active S-boxes if |𝓘| ≥ 1) if and only if I is both M-invariant and 𝓘-compatible.
Proof. The case 𝓘 = ∅ corresponds to the case analyzed in Theorem 2. Hence, here we assume |𝓘| ≥ 1 (where Our approach is based on the strategy proposed for Theorem 3 and Proposition 11. We first show that an M-invariant and 𝓘-compatible subspace generates an infinitely long invariant subspace trail with active S-boxes. The proof is almost equal to the one given for Proposition 11. The only difference is that the condition that I is related to the eigenspaces of M is replaced by the more generic assumption that I is an M-invariant subspace. At the same time, since I is 𝓘-compatible (i.e., ⟨e_{i_1}, e_{i_2}, …, e_{i_|𝓘|}⟩ ⊆ I and I ⊆ ⟨e_{i_1}, e_{i_2}, …, e_{i_|𝓘|}, e_{s+1}, …, e_t⟩), the i-th S-box is active if and only if i ∈ 𝓘, and inactive otherwise. We recall that for an active S-box the input difference can take each possible value in F, and for an inactive S-box the input difference is equal to zero.
Vice versa, assume that a subspace I generates an infinitely long invariant subspace trail with active S-boxes. First of all, this can happen only if it satisfies the condition I = M · I. Indeed, if there existed x ∈ I such that M · x ∉ I, then I would not be M-invariant. Moreover, since the subspace trail is M-invariant and has active S-boxes, each S-box can only be either constant or active. In particular, only two scenarios are possible: either the input difference (and the output difference) of the S-box is equal to zero, or the input (and the output) of the S-box is active. Since the S-box does not have any linear structure, other cases are not compatible with the hypothesis of an invariant subspace trail with active S-boxes. Hence, there must exist 𝓘 ⊆ {1, …, s} such that I is 𝓘-compatible.
As expected, the result presented in Proposition 11 satisfies the previous theorem.This is due to the fact that the subspace I defined in Proposition 11 is related to the eigenspaces of M , which satisfy the condition I = M • I.We formulate the following corollary.

Corollary 2. The infinitely long subspace trail with active S-boxes presented in Proposition 11 satisfies Theorem 4.
A generalization of Proposition 11 (by replacing the eigenspaces with the generic invariant subspaces of M ) is given in the following Theorem.
Theorem 5. Given a P-SPN scheme over F t with s S-boxes defined as in Eq. (1), let M ∈ F t×t be the invertible matrix that defines the linear layer.Assume that the S-box has no (nontrivial) linear structure.Let {A 1 , A 2 , . . ., A m } be the primary decomposition of F t with respect to the matrix M , as defined in Theorem 1.
A subspace I, where 1 ≤ dim(I) < t, generates an infinitely long invariant subspace trail with active S-boxes only in positions 𝓘 = {i_1, …, i_|𝓘|} ⊆ {1, 2, …, s} (that is, where the i-th S-box is active if and only if i ∈ 𝓘) if and only if I = ⟨P_1, P_2, …, P_m⟩, where
1. for each i ∈ {1, …, m}: P_i ⊆ A_i ∩ ⟨e_{i_1}, e_{i_2}, …, e_{i_|𝓘|}, e_{s+1}, …, e_t⟩ is an M-invariant subspace, and
2. the subspace I = ⟨P_1, P_2, …, P_m⟩ is 𝓘-compatible, i.e., ⟨e_{i_1}, e_{i_2}, …, e_{i_|𝓘|}⟩ ⊆ I.

Proof. The proof of this theorem is a consequence of the results given in Theorem 4 and in Theorem 1. In particular, due to the argument given in Theorem 4, we immediately see that I = ⟨P_1, P_2, …, P_m⟩, where I is both M-invariant and 𝓘-compatible, generates an infinitely long invariant subspace trail with active S-boxes. Vice versa, if a subspace generates an infinitely long invariant subspace trail with active S-boxes, then it must be M-invariant and 𝓘-compatible, due to Theorem 4 and due to the fact that the S-box has no nontrivial linear structure. The particular shape of I is due to Theorem 1. Following the proof of Theorem 3, let P_i := A_i ∩ I. All P_i are M-invariant subspaces. In particular, we have that I = ⟨P_1, P_2, …, P_m⟩ since all A_i are independent (in the sense that A_i ∩ A_j = {0} for i ≠ j) and since F^t = ⊕_i A_i.
We emphasize that in general it is not trivial to give a precise "description/shape" of the subspaces P_i. This is due to the fact that we have two conditions: first, all P_i have to be M-invariant, and secondly, the full subspace I must be 𝓘-compatible. For example, there may be two subspaces A_i, A_j such that they are both M-invariant and such that
• neither A_i nor A_j is 𝓘-compatible, but
• the span ⟨A_i, A_j⟩ is 𝓘-compatible.
In such a case, the span ⟨A_i, A_j⟩ can generate an infinitely long invariant subspace trail with active S-boxes, but the two subspaces A_i, A_j alone cannot. As a concrete example, working over F_p^t for a prime p ≫ 1 and t ≥ 3, consider the subspaces V = ⟨e_1 + 2 · e_2⟩ and W = ⟨e_1 − e_2⟩, and assume that they are both M-invariant for a particular matrix M. If s = 1, it is not hard to see that neither V nor W is 𝓘-compatible for any 𝓘, while ⟨V, W⟩ = ⟨e_1, e_2⟩ is obviously {1}-compatible. Hence, while in the case without active S-boxes we can work independently on the subspaces A_i (obtained from the decomposition of F^t), here this is not possible.
A special (trivial) case of the previous theorem is given in the following corollary.
Corollary 3. Given a P-SPN scheme over F^t with s S-boxes defined as in Eq. (1), let M ∈ F^{t×t} be the invertible matrix that defines the linear layer. Let {A_1, A_2, …, A_m} be the primary decomposition of F^t with respect to the matrix M. If there exist 𝓘 ⊆ {1, …, s} and a subspace A_i such that A_i is 𝓘-compatible, then A_i generates an infinitely long invariant subspace trail with active S-boxes.
An Example for Showing the Difference Between Inactive and Active S-Boxes. Finally, one may ask whether there exist P-SPN schemes which are vulnerable to subspace trails with active S-boxes, but not to trails without active S-boxes. Assuming a P-SPN scheme with s = 1, an example of a matrix fulfilling these properties is given by the 4 × 4 MDS matrix over F_p for p ≥ 101. In such a case, I = ⟨(1, 0, 0, 0)^T, (0, 1, 0, 2)^T, (0, 0, 1, p − 1)^T⟩ generates an infinitely long invariant subspace trail with active S-boxes. Using our proposed tool, it is possible to see that no infinitely long invariant or iterative subspace trail without active S-boxes exists.

Infinitely Long Iterative Subspace Trails with Active S-Boxes
Here we generalize the previous results in order to cover the case of iterative subspace trails with active S-boxes.
Theorem 6. Given a P-SPN scheme over F^t with s S-boxes defined as in Eq. (1), let M ∈ F^{t×t} be the invertible matrix that defines the linear layer. Assume that the S-box has no (nontrivial) linear structure. Let l ≥ 1 be the period of the iterative subspace trail. For each j ∈ {1, 2, …, l}, let 𝓘_j ⊆ {1, …, s} be the positions of the active S-boxes in every round r with r ≡ j (mod l) (note that 𝓘_j = ∅ is also possible, that is, we do not require |𝓘_j| ≥ 1). A subspace I of dimension 1 ≤ dim(I) < t generates an infinitely long iterative subspace trail (with active S-boxes if at least one 𝓘_j satisfies |𝓘_j| ≥ 1) of period l if and only if (1) M^{j−1} · I is 𝓘_j-compatible for j ∈ {1, 2, …, l}, and (2) M^l · I = I.

Proof. This result is a generalization of Theorem 4. In particular, I forms an l-round invariant subspace trail, i.e., a trail that repeats every l rounds. Hence, all l-round iterative subspace trails are of the form (I, M · I, M^2 · I, …, M^{l−1} · I). Since we assume that the S-box has no (nontrivial) linear structure, such a trail has active S-boxes exactly at the prescribed positions if and only if the first condition (namely, for each j ∈ {1, 2, …, l} there exists 𝓘_j such that M^{j−1} · I is 𝓘_j-compatible) is satisfied.
We highlight that the active S-boxes are not forced to be in the same position in every round (it is also possible that no S-box is active in some rounds). Moreover, the following result holds.

Theorem 7. Given a P-SPN scheme over F^t with s S-boxes defined as in Eq. (1), let M ∈ F^{t×t} be the invertible matrix that defines the linear layer. Assume that the S-box has no (nontrivial) linear structure. Let l ≥ 2, and let {A_1, …, A_m} be the primary decomposition of F^t with respect to the matrix M^l, as defined in Theorem 1.

About Iterative Subspace Trails with Active S-Boxes
Due to the results presented in Proposition 7, one may ask whether there exist nontrivial iterative subspace trails with active S-boxes, namely P-SPN schemes for which there exist iterative subspace trails with active S-boxes but neither subspace trails without active S-boxes nor invariant subspace trails with active S-boxes. For this purpose, consider a P-SPN scheme over F_p^3 (for s = 1 and t = 3), where the linear layer is defined by the matrix The (nontrivial) subspace trail T is iterative (since V_0 is a proper subspace of F_p^3 and V_0 = M^3 · V_0) with active S-boxes. Since dim(⟨V_0, V_1, V_2⟩) = 3, it is not possible to set up an invariant subspace trail via the previous iterative subspace trail. Moreover, using the results and the tools presented in the paper, it is possible to show that (e.g., for p = 251) no invariant subspace trail (either with or without active S-boxes) can cover an infinite number of rounds.

Practical Tests (Active S-Boxes)
The results given in Theorem 5 to Theorem 7 seem hard to exploit in practice.A direct construction of the infinitely long subspace trail with active S-boxes is indeed missing.Without that, the cost of evaluating all subspaces I would likely be too large, since one has to compute all possible subspaces of A 1 , A 2 , . . ., A m .Here, we fix this problem by proposing two algorithms, namely one for the case of infinitely long invariant subspace trails and one for the case of iterative trails (both with active S-boxes).Further, we test several matrices over F p and over F 2 n to get an idea of the number of "weak" matrices.
Before going on, we emphasize again that we work under the assumption that the S-box has no linear structure.This assumption is crucial in order to have only two cases, namely the case in which the input of the S-box is constant and the case in which the input of the S-box is active (namely, the input can take any possible value).Since the S-box is a permutation, these two cases remain unchanged through the S-box.In other words, if the input is neither constant nor active, all information is lost when applying the S-box.This is not the case if the S-box has a linear structure.
generates an infinitely long invariant subspace trail for the S-box positions in 𝓘_s, where j = max(j_i). However, if this condition is not fulfilled for some i, then and hence the dimension of I increases by 1. If the condition is never fulfilled, the largest possible dimension t will be reached after a finite number of iterations. In this case, it follows that no infinitely long invariant subspace trail with active S-boxes exists (apart from the trivial one) for the particular set of active S-box positions 𝓘_s chosen in the first step.
A pseudo code for this procedure is given in Algorithm 2. Note that in the first step, an input space has to be chosen based on some particular unit vectors. In the original approach [LMR15], this quickly becomes too expensive due to the large number of unit vectors in the nonlinear parts of the designs being considered. However, in our setting we focus on word-based designs, and further the number of S-boxes s is often small (e.g., s = 1 for HadesMiMC/Poseidon). Hence, we are able to determine if an invariant subspace trail with active S-boxes exists by evaluating all possibilities in a reasonable amount of time, an advantage that is not related to our algorithm, but to the setting we consider.

Proof. Let v ∈ F^t \ {0} such that φ'(M) · v = 0 for a certain polynomial φ' with deg(φ') < deg(φ). In such a case, {v, M · v, ..., M^{deg(φ)−1} · v} are not linearly independent.
In particular, for the corresponding subspace V we have that φ_V = φ' divides φ. However, this is not possible, since φ is irreducible. It follows that each monic polynomial φ' ∈ F[x] such that φ'(M) · v = 0 and deg(φ') ≤ deg(φ) has the same degree as φ.
Next, we have to prove that φ' = φ. As before, let v ∈ F^t \ {0} such that φ'(M) · v = 0 for a certain monic polynomial φ' with d = deg(φ') = deg(φ) and φ' ≠ φ. It follows that there are two linear combinations of {v, M · v, ..., M^d · v} that are equal to zero, one induced by φ and one induced by φ' (note that they are different since φ' ≠ φ and since the two polynomials are monic, that is, φ' is not a multiple of φ). Hence, there exists a linear combination of {v, M · v, ..., M^{d−1} · v} that is equal to zero. Thus, there also exists a polynomial φ'' of degree strictly less than d for which φ''(M) · v = 0. Such a polynomial is a nontrivial divisor of φ, which leads to a contradiction.
Based on this result, we can prove the following proposition.
Proposition 13. Given a P-SPN scheme over F^t with s S-boxes defined as in Eq. (1), let M ∈ F^{t×t} be the invertible matrix that defines the linear layer. Assume that the S-box has no (nontrivial) linear structure. If the minimal polynomial φ of M has maximum degree t and is irreducible, there is no infinitely long invariant subspace trail with or without active S-boxes.
Proof. Due to Proposition 12 and the degree condition on φ, S is a trivial subspace. Hence, there is no nontrivial subspace S in F^t that generates an infinitely long invariant subspace trail, both in the case with and without active S-boxes (under the assumption that the S-box has no nontrivial linear structure).
Note that this result does not imply security against infinitely long iterative subspace trails with active S-boxes. Indeed, as shown in the example given in Eq. (8), there are matrices for which there exists an infinitely long iterative subspace trail with active S-boxes but no infinitely long invariant subspace trail. In order to guarantee security against all infinitely long subspace trails (under the assumption that the S-box has no nontrivial linear structure), we propose the following result.
Theorem 8. Let l ≥ 1. Given a P-SPN scheme over F^t with s S-boxes defined as in Eq. (1), let M ∈ F^{t×t} be the invertible matrix that defines the linear layer. Assume that the S-box has no (nontrivial) linear structure. If all the minimal polynomials of M, M^2, ..., M^l are of maximum degree t and irreducible, then there is no infinitely long subspace trail with or without active S-boxes of period less than or equal to l.
The proof is a simple generalization of the previous results, keeping in mind that an iterative subspace trail of period l ≥ 2 is an l-round invariant subspace trail.

Discussion. Lastly, one may ask how many matrices satisfy the property just given. Assume an irreducible polynomial φ ∈ F[x] of degree t. Working with matrices over F_q^{t×t}, it is always possible to associate a companion matrix C with such a minimal polynomial, as given in Definition 10 (the characteristic polynomial and the minimal polynomial are equal in this case). Hence, all matrices M similar to C (i.e., all matrices of the form A^{−1} · C · A for an invertible matrix A) satisfy Proposition 13 by construction.
For this reason, here we focus on the case of MDS matrices. We practically evaluated the percentage of Cauchy MDS matrices which satisfy the condition given in Proposition 13. The results are shown in Table 5. For each of the tests, we set the sample size to 10 000. It is possible to observe that increasing the state size leads to a lower probability that the matrix satisfies the condition given in Proposition 13. In any case, we recall that the condition just given is only a sufficient condition, that is, a matrix does not have to satisfy it in order to provide security against the attacks studied in this paper.
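Checking the hypothesis of Proposition 13 for a candidate minimal polynomial and building the companion matrix from the discussion above, as an added example that is not the paper's tool: Ben-Or's irreducibility test over F_p (gcd of f with x^(p^i) − x for i up to deg(f)/2, which also catches reducible polynomials without roots) and the companion matrix C of a monic φ. The polynomials over F_7 used in the test are constructed for illustration, and the companion-matrix layout (C · e_i = e_{i+1} on column vectors) is one standard convention assumed here.

```python
def poly_trim(a):                            # coefficient lists are low -> high degree
    while len(a) > 1 and a[-1] == 0: a.pop()
    return a

def poly_rem(a, f, p):                       # a mod f over F_p, for monic f
    a, d = a[:], len(f) - 1
    for i in range(len(a) - 1, d - 1, -1):
        if a[i]:
            a[i - d:i + 1] = [(u - a[i] * v) % p for u, v in zip(a[i - d:i + 1], f)]
    return poly_trim((a + [0] * d)[:d]) if d else [0]

def poly_mulmod(a, b, f, p):
    prod = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            prod[i + j] = (prod[i + j] + x * y) % p
    return poly_rem(prod, f, p)

def poly_powmod(a, e, f, p):                 # square-and-multiply on polynomials
    result = [1]
    while e:
        if e & 1:
            result = poly_mulmod(result, a, f, p)
        a, e = poly_mulmod(a, a, f, p), e >> 1
    return result

def poly_gcd(a, b, p):
    a, b = poly_trim(a[:]), poly_trim(b[:])
    while b != [0]:
        b = [x * pow(b[-1], -1, p) % p for x in b]   # make b monic for poly_rem
        a, b = b, poly_rem(a, b, p)
    return a

def is_irreducible(f, p):
    """Ben-Or test: monic f of degree d is irreducible over F_p iff
    gcd(f, x^(p^i) - x) = 1 for every 1 <= i <= d/2."""
    d, x, h = len(f) - 1, [0, 1], [0, 1]
    for _ in range(d // 2):
        h = poly_powmod(h, p, f, p)          # h = x^(p^i) mod f
        diff = poly_trim([(u - v) % p for u, v in zip(h + [0, 0], x + [0] * len(h))])
        if len(poly_gcd(diff, f, p)) > 1:    # common factor of degree >= 1: reducible
            return False
    return True

def companion(phi, p):
    """Companion matrix of monic phi (assumed convention: C e_i = e_{i+1} for
    i < t and C e_t = -(phi_0 e_1 + ... + phi_{t-1} e_t), on column vectors)."""
    t = len(phi) - 1
    return [[(1 if i == j + 1 else 0) if j < t - 1 else (-phi[i]) % p
             for j in range(t)] for i in range(t)]
```

A linear layer built as companion(phi, p) for an irreducible phi of degree t therefore has minimal polynomial phi and meets the hypothesis of Proposition 13.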

Open Problems
As already mentioned, several problems are still open for future research.They are summarized in the following.
• The goal of this work is to guarantee that the choice of the matrix M prevents infinitely long subspace trails. As a next step, given a matrix for which no infinitely long subspace trail exists, one may ask how many rounds are needed in order to activate at least one S-box. In our practical tests regarding this issue, and when focusing on s = 1, we observed that t + ε rounds for ε ∈ {0, 1} are in general sufficient with high probability. We leave as an open problem to find an upper bound on the number of rounds needed for reaching this goal that depends both on (1) the details of the matrix defining the scheme and (2) the number of S-boxes per round.
• If the analyzed S-box has a nontrivial linear structure (namely, there exist nontrivial linear structures U, V such that for each u there exists a certain v such that S(U + u) = V + v), then it is potentially possible to extend the result given in this paper for the case of active S-boxes in order to include this case as well.
• Here, we only considered the case of linear layers defined as invertible matrices over F_q^{t×t}. In the binary case (i.e., q = 2^n), it could be interesting to extend our results to the case in which the linear layer M is defined via linearized polynomials L_{i,j}(z) = Σ_{h=0}^{n−1} λ_h^{(i,j)} · z^{2^h} (which can be efficiently computed over a binary field), where z ∈ F.
in the schemes we consider, since in these schemes the number of S-boxes per round (i.e., s) tends to be small.
Computational Cost in Practice. We used the same hardware as for the practical tests in Section 5.2, i.e., an Intel Xeon E5-2699v4 with a maximum clock frequency of 3.60 GHz. Again, we evaluate the performance of Algorithm 3 when using matrices over prime fields and for n = 16, t ∈ {4, 12}, and l = 2t. For t = 4, Algorithm 3 takes about 40 milliseconds. For t = 12, Algorithm 3 takes about 1 second.

C.1 Starkad and Poseidon Matrices
In addition to the statistical tests described in Section 5, we also used our tool for the Cauchy matrices using the specific starting sequences defined for Starkad and Poseidon [GKR+21]. We recall that the matrix M over F_{2^n} for Starkad and the matrix M over F_p for Poseidon are Cauchy matrices with starting sequences x_i = i and y_i = i + t, where i ∈ [0, t − 1].

Comparison with Related Results. When using our tool for matrices with various sizes (i.e., different values for t), we can observe that some matrices over F_{2^n} (i.e., the matrices used for Starkad) are vulnerable to the attacks described in this paper. We can also observe, however, that matrices over F_p using the same t values are not vulnerable. The detailed results for some instances are shown in Table 6. These results are not new in the literature, since similar conclusions have already been shown in [KR21, BCD+20]. Moreover, in [KR21] the authors explain how to modify the choice of x_i and y_j in Eq. (10) in order to fix this problem. This solution consists in changing the starting sequences for the Cauchy generation method. For completeness, we also tested our algorithm for the matrices suggested in [KR21]. As expected, we arrive at the same conclusion, namely, that it is not possible to set up infinitely long subspace trails without active S-boxes for the Cauchy matrices proposed in [KR21].

C.2 Zorro Matrix
We also evaluated the Zorro [GGNPS13] matrix with our tool. Zorro is a variant of AES where only 4 S-boxes (those in the first row) are applied per round. In our setting, Zorro is a P-SPN scheme over (F_{2^8})^16 with s = 4, where the linear layer is defined by a 16 × 16 matrix M_Zorro such that for all x ∈ (F_{2^8})^16: M_Zorro · x := MC · SR · x, where I is the 4 × 4 identity matrix, 0 is the 4 × 4 null matrix, and where in the entries of MC we have 2 ≡ X ∈ F_{2^8} and 3 ≡ X + 1 ∈ F_{2^8}. As expected, using our tool, we found that there exists no infinitely long (iterative or invariant) subspace trail for this matrix, neither with nor without active S-boxes.

An Example from the Literature. An example has recently been pointed out in [KR21] and [BCD+20]. In these papers, the authors focus on the Cauchy matrix M ∈ (F_{2^n})^{t×t} proposed in [GKR+21], defined there with t ≤ r ≤ p − t. Such a matrix is used as the linear layer of some Hades-like permutations, namely Starkad_π and Poseidon_π [GKR+21]. In [YMT97, Sect. 3.2] and in [KR21, BCD+20], the authors prove that if t = 2^τ, the previous matrix has multiplicative order equal to 2, namely that M^2 is a multiple of the identity. Hence, the previous result applies perfectly to this case. For the concrete definition of such a subspace we refer to [KR21, Sect. 5.2].

(... the Legendre symbol), which happens if p ≡ 3, 5 mod 8 (we refer to [Nag51] for more details). Hence, while M^2 always has four eigenvalues, it is possible that M has only two eigenvalues for certain values of a, b, c, d ∈ F_p.

return 1: Discard the matrix M (due to the existence of an invariant subspace trail generated by I, see Theorem 3).
return 0: No infinitely long subspace trail without active S-boxes found.

Table 1: Percentage of vulnerable matrices for Algorithm 1 and orders t, when considering prime fields F_p.

Table 2: Percentage of vulnerable matrices for Algorithm 1 and orders t, when considering binary fields F_{2^n}.
e.g. the prime numbers). In the first scenario, we create a matrix space, sample random matrices, and finally determine if they are invertible. In the second scenario, we generate Cauchy matrices using random (and valid) starting sequences. We tested all matrices using both prime fields and binary fields, focusing on square matrices of order t ∈ {3, 4, 8, 12} and on F_{2^n} and F_p with n ∈ {4, 6, 8, 12, 16} and log_2(p) ∈ {4, 6, 8, 12, 16}, respectively. Moreover, we tested our algorithm on the concrete matrices used to instantiate Starkad and Poseidon. We present these results in Appendix C.1.

Table 3: Percentage of vulnerable matrices using Algorithm 1, Algorithm 2, and Algorithm 3 over prime fields F_p^t. We denote by "Sx" and "Vx" the security and vulnerability w.r.t. Algorithm x, respectively (e.g., S1 denotes security w.r.t. Algorithm 1, while V2 denotes vulnerability w.r.t. Algorithm 2). For Algorithm 3, we use a maximum period of l = 2t.
As in the approach described in [LMR15], we keep increasing the dimension of the subspace until it stabilizes. For this purpose, we keep including M^j · e_i in the space for the active S-box positions i and j ≥ 1. Indeed, note that if we require I = M · I and x ∈ I, it follows that M^j · x ∈ I. 3. If for every active S-box position i there exists a j_i ≥ 1 such that M^{j_i + h} · e_i ∈ I for all h ≥ 1, then I = ⟨e_{ι_1}, M · e_{ι_1}, ..., M^j · e_{ι_1}, ..., e_{ι_{|I|}}, M · e_{ι_{|I|}}, ..., M^j · e_{ι_{|I|}}⟩

Table 4: Percentage of vulnerable matrices using Algorithm 1, Algorithm 2, and Algorithm 3 over binary fields F_{2^n}^t. We denote by "Sx" and "Vx" the security and vulnerability w.r.t. Algorithm x, respectively (e.g., S1 denotes security w.r.t. Algorithm 1, while V2 denotes vulnerability w.r.t. Algorithm 2). For Algorithm 3, we use a maximum period of l = 2t.

Table 6: Vulnerable matrices for Algorithm 1 and orders t and field sizes n = log_2(p) when considering the Starkad and Poseidon specifications.