{"id":"https://openalex.org/W4389622033","doi":"https://doi.org/10.46586/tosc.v2023.i4.270-298","title":"Propagation of Subspaces in Primitives with Monomial Sboxes: Applications to Rescue and Variants of the AES","display_name":"Propagation of Subspaces in Primitives with Monomial Sboxes: Applications to Rescue and Variants of the AES","publication_year":2023,"publication_date":"2023-12-08","ids":{"openalex":"https://openalex.org/W4389622033","doi":"https://doi.org/10.46586/tosc.v2023.i4.270-298"},"language":"en","primary_location":{"id":"doi:10.46586/tosc.v2023.i4.270-298","is_oa":true,"landing_page_url":"https://doi.org/10.46586/tosc.v2023.i4.270-298","pdf_url":"https://tosc.iacr.org/index.php/ToSC/article/download/11288/10823","source":{"id":"https://openalex.org/S4210236173","display_name":"IACR Transactions on Symmetric Cryptology","issn_l":"2519-173X","issn":["2519-173X"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IACR Transactions on Symmetric Cryptology","raw_type":"journal-article"},"type":"article","indexed_in":["crossref","doaj"],"open_access":{"is_oa":true,"oa_status":"diamond","oa_url":"https://tosc.iacr.org/index.php/ToSC/article/download/11288/10823","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":null,"display_name":"Aur\u00e9lien Boeuf","orcid":null},"institutions":[{"id":"https://openalex.org/I1326498283","display_name":"Institut national de recherche en sciences et technologies du num\u00e9rique","ror":"https://ror.org/02kvxyf05","country_code":"FR","type":"government","lineage":["https://openalex.org/I1326498283"]}],"countries":["FR"],"is_corresponding":false,"raw_author_name":"Aur\u00e9lien Boeuf","raw_affiliation_strings":["Inria, Paris, France"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Inria, Paris, France","institution_ids":["https://openalex.org/I1326498283"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5050062480","display_name":"Anne Canteaut","orcid":"https://orcid.org/0000-0002-6292-8336"},"institutions":[{"id":"https://openalex.org/I1326498283","display_name":"Institut national de recherche en sciences et technologies du num\u00e9rique","ror":"https://ror.org/02kvxyf05","country_code":"FR","type":"government","lineage":["https://openalex.org/I1326498283"]}],"countries":["FR"],"is_corresponding":false,"raw_author_name":"Anne Canteaut","raw_affiliation_strings":["Inria, Paris, France"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Inria, Paris, France","institution_ids":["https://openalex.org/I1326498283"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5077352004","display_name":"L\u00e9o Perrin","orcid":"https://orcid.org/0000-0002-4722-7005"},"institutions":[{"id":"https://openalex.org/I1326498283","display_name":"Institut national de recherche en sciences et technologies du num\u00e9rique","ror":"https://ror.org/02kvxyf05","country_code":"FR","type":"government","lineage":["https://openalex.org/I1326498283"]}],"countries":["FR"],"is_corresponding":false,"raw_author_name":"L\u00e9o Perrin","raw_affiliation_strings":["Inria, Paris, France"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Inria, Paris, France","institution_ids":["https://openalex.org/I1326498283"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":3,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":0.3263,"has_fulltext":true,"cited_by_count":2,"citation_normalized_percentile":{"value":0.66996277,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":91,"max":98},"biblio":{"volume":"2023","issue":"4","first_page":"270","last_page":"298"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10951","display_name":"Cryptographic Implementations and Security","score":0.9983000159263611,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10951","display_name":"Cryptographic Implementations and Security","score":0.9983000159263611,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12122","display_name":"Physical Unclonable Functions (PUFs) and Hardware Security","score":0.9905999898910522,"subfield":{"id":"https://openalex.org/subfields/1708","display_name":"Hardware and Architecture"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11130","display_name":"Coding theory and cryptography","score":0.989300012588501,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/block-cipher","display_name":"Block cipher","score":0.7027641534805298},{"id":"https://openalex.org/keywords/monomial","display_name":"Monomial","score":0.6659358739852905},{"id":"https://openalex.org/keywords/linear-subspace","display_name":"Linear subspace","score":0.546421468257904},{"id":"https://openalex.org/keywords/permutation","display_name":"Permutation (music)","score":0.5458794236183167},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.49646836519241333},{"id":"https://openalex.org/keywords/cipher","display_name":"Cipher","score":0.49276426434516907},{"id":"https://openalex.org/keywords/mathematical-proof","display_name":"Mathematical proof","score":0.4911617934703827},{"id":"https://openalex.org/keywords/theoretical-computer-science","display_name":"Theoretical computer science","score":0.47662222385406494},{"id":"https://openalex.org/keywords/simple","display_name":"Simple (philosophy)","score":0.4746447205543518},{"id":"https://openalex.org/keywords/affine-transformation","display_name":"Affine transformation","score":0.4655405282974243},{"id":"https://openalex.org/keywords/hash-function","display_name":"Hash function","score":0.44850364327430725},{"id":"https://openalex.org/keywords/discrete-mathematics","display_name":"Discrete mathematics","score":0.4340072274208069},{"id":"https://openalex.org/keywords/affine-space","display_name":"Affine space","score":0.42384666204452515},{"id":"https://openalex.org/keywords/mathematics","display_name":"Mathematics","score":0.4131048619747162},{"id":"https://openalex.org/keywords/algorithm","display_name":"Algorithm","score":0.3097406029701233},{"id":"https://openalex.org/keywords/cryptography","display_name":"Cryptography","score":0.2802680730819702},{"id":"https://openalex.org/keywords/pure-mathematics","display_name":"Pure mathematics","score":0.15382254123687744},{"id":"https://openalex.org/keywords/encryption","display_name":"Encryption","score":0.10273933410644531}],"concepts":[{"id":"https://openalex.org/C106544461","wikidata":"https://www.wikidata.org/wiki/Q543151","display_name":"Block cipher","level":3,"score":0.7027641534805298},{"id":"https://openalex.org/C11252640","wikidata":"https://www.wikidata.org/wiki/Q243723","display_name":"Monomial","level":2,"score":0.6659358739852905},{"id":"https://openalex.org/C12362212","wikidata":"https://www.wikidata.org/wiki/Q728435","display_name":"Linear subspace","level":2,"score":0.546421468257904},{"id":"https://openalex.org/C21308566","wikidata":"https://www.wikidata.org/wiki/Q7169365","display_name":"Permutation (music)","level":2,"score":0.5458794236183167},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.49646836519241333},{"id":"https://openalex.org/C2780221543","wikidata":"https://www.wikidata.org/wiki/Q4681865","display_name":"Cipher","level":3,"score":0.49276426434516907},{"id":"https://openalex.org/C108710211","wikidata":"https://www.wikidata.org/wiki/Q11538","display_name":"Mathematical proof","level":2,"score":0.4911617934703827},{"id":"https://openalex.org/C80444323","wikidata":"https://www.wikidata.org/wiki/Q2878974","display_name":"Theoretical computer science","level":1,"score":0.47662222385406494},{"id":"https://openalex.org/C2780586882","wikidata":"https://www.wikidata.org/wiki/Q7520643","display_name":"Simple (philosophy)","level":2,"score":0.4746447205543518},{"id":"https://openalex.org/C92757383","wikidata":"https://www.wikidata.org/wiki/Q382497","display_name":"Affine transformation","level":2,"score":0.4655405282974243},{"id":"https://openalex.org/C99138194","wikidata":"https://www.wikidata.org/wiki/Q183427","display_name":"Hash function","level":2,"score":0.44850364327430725},{"id":"https://openalex.org/C118615104","wikidata":"https://www.wikidata.org/wiki/Q121416","display_name":"Discrete mathematics","level":1,"score":0.4340072274208069},{"id":"https://openalex.org/C173110770","wikidata":"https://www.wikidata.org/wiki/Q382698","display_name":"Affine space","level":3,"score":0.42384666204452515},{"id":"https://openalex.org/C33923547","wikidata":"https://www.wikidata.org/wiki/Q395","display_name":"Mathematics","level":0,"score":0.4131048619747162},{"id":"https://openalex.org/C11413529","wikidata":"https://www.wikidata.org/wiki/Q8366","display_name":"Algorithm","level":1,"score":0.3097406029701233},{"id":"https://openalex.org/C178489894","wikidata":"https://www.wikidata.org/wiki/Q8789","display_name":"Cryptography","level":2,"score":0.2802680730819702},{"id":"https://openalex.org/C202444582","wikidata":"https://www.wikidata.org/wiki/Q837863","display_name":"Pure mathematics","level":1,"score":0.15382254123687744},{"id":"https://openalex.org/C148730421","wikidata":"https://www.wikidata.org/wiki/Q141090","display_name":"Encryption","level":2,"score":0.10273933410644531},{"id":"https://openalex.org/C111472728","wikidata":"https://www.wikidata.org/wiki/Q9471","display_name":"Epistemology","level":1,"score":0.0},{"id":"https://openalex.org/C2524010","wikidata":"https://www.wikidata.org/wiki/Q8087","display_name":"Geometry","level":1,"score":0.0},{"id":"https://openalex.org/C138885662","wikidata":"https://www.wikidata.org/wiki/Q5891","display_name":"Philosophy","level":0,"score":0.0},{"id":"https://openalex.org/C24890656","wikidata":"https://www.wikidata.org/wiki/Q82811","display_name":"Acoustics","level":1,"score":0.0},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.0},{"id":"https://openalex.org/C121332964","wikidata":"https://www.wikidata.org/wiki/Q413","display_name":"Physics","level":0,"score":0.0},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.0}],"mesh":[],"locations_count":4,"locations":[{"id":"doi:10.46586/tosc.v2023.i4.270-298","is_oa":true,"landing_page_url":"https://doi.org/10.46586/tosc.v2023.i4.270-298","pdf_url":"https://tosc.iacr.org/index.php/ToSC/article/download/11288/10823","source":{"id":"https://openalex.org/S4210236173","display_name":"IACR Transactions on Symmetric Cryptology","issn_l":"2519-173X","issn":["2519-173X"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IACR Transactions on Symmetric Cryptology","raw_type":"journal-article"},{"id":"pmh:oai:HAL:hal-04277002v1","is_oa":true,"landing_page_url":"https://inria.hal.science/hal-04277002","pdf_url":"https://hal.science/hal-04361453/document","source":{"id":"https://openalex.org/S4306402512","display_name":"HAL (Le Centre pour la Communication Scientifique Directe)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I1294671590","host_organization_name":"Centre National de la Recherche Scientifique","host_organization_lineage":["https://openalex.org/I1294671590"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"ISSN: 2519-173X","raw_type":"info:eu-repo/semantics/article"},{"id":"pmh:oai:HAL:hal-04361453v1","is_oa":true,"landing_page_url":"https://hal.science/hal-04361453","pdf_url":"https://hal.science/hal-04361453/file/ToSC2023_4_11.pdf","source":{"id":"https://openalex.org/S4306402512","display_name":"HAL (Le Centre pour la Communication Scientifique Directe)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I1294671590","host_organization_name":"Centre National de la Recherche Scientifique","host_organization_lineage":["https://openalex.org/I1294671590"],"host_organization_lineage_names":[],"type":"repository"},"license":"other-oa","license_id":"https://openalex.org/licenses/other-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"ISSN: 2519-173X","raw_type":"info:eu-repo/semantics/article"},{"id":"pmh:oai:doaj.org/article:27b57fd95a5a4881a5efcc3f5047cde7","is_oa":true,"landing_page_url":"https://doaj.org/article/27b57fd95a5a4881a5efcc3f5047cde7","pdf_url":null,"source":{"id":"https://openalex.org/S4306401280","display_name":"DOAJ (DOAJ: Directory of Open Access Journals)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by-sa","license_id":"https://openalex.org/licenses/cc-by-sa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"IACR Transactions on Symmetric Cryptology, Vol 2023, Iss 4 (2023)","raw_type":"article"}],"best_oa_location":{"id":"doi:10.46586/tosc.v2023.i4.270-298","is_oa":true,"landing_page_url":"https://doi.org/10.46586/tosc.v2023.i4.270-298","pdf_url":"https://tosc.iacr.org/index.php/ToSC/article/download/11288/10823","source":{"id":"https://openalex.org/S4210236173","display_name":"IACR Transactions on Symmetric Cryptology","issn_l":"2519-173X","issn":["2519-173X"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IACR Transactions on Symmetric Cryptology","raw_type":"journal-article"},"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G2360901479","display_name":null,"funder_award_id":"ANR-21-CE39-0012","funder_id":"https://openalex.org/F4320320883","funder_display_name":"Agence Nationale de la Recherche"}],"funders":[{"id":"https://openalex.org/F4320320883","display_name":"Agence Nationale de la Recherche","ror":"https://ror.org/00rbzpz17"}],"has_content":{"pdf":true,"grobid_xml":false},"content_urls":{"pdf":"https://content.openalex.org/works/W4389622033.pdf"},"referenced_works_count":48,"referenced_works":["https://openalex.org/W17122945","https://openalex.org/W1492328052","https://openalex.org/W1499170444","https://openalex.org/W1528065150","https://openalex.org/W1556212265","https://openalex.org/W1572032991","https://openalex.org/W1583066872","https://openalex.org/W1978695162","https://openalex.org/W2045479946","https://openalex.org/W2111902481","https://openalex.org/W2117414032","https://openalex.org/W2185342914","https://openalex.org/W2243712200","https://openalex.org/W2474422174","https://openalex.org/W2552640487","https://openalex.org/W2573138350","https://openalex.org/W2575957737","https://openalex.org/W2619630761","https://openalex.org/W2728494734","https://openalex.org/W2792542066","https://openalex.org/W2794982701","https://openalex.org/W2947157832","https://openalex.org/W2947269470","https://openalex.org/W2952237254","https://openalex.org/W2972668960","https://openalex.org/W3009904134","https://openalex.org/W3011201404","https://openalex.org/W3013174546","https://openalex.org/W3013936684","https://openalex.org/W3046699118","https://openalex.org/W3048736713","https://openalex.org/W3091014139","https://openalex.org/W3091095283","https://openalex.org/W3091883733","https://openalex.org/W3133710726","https://openalex.org/W3204374715","https://openalex.org/W4231852103","https://openalex.org/W4236635680","https://openalex.org/W4236843922","https://openalex.org/W4253496694","https://openalex.org/W4295067264","https://openalex.org/W4307649440","https://openalex.org/W4312547397","https://openalex.org/W4312786043","https://openalex.org/W4365808111","https://openalex.org/W4365808218","https://openalex.org/W4385654519","https://openalex.org/W4388554180"],"related_works":["https://openalex.org/W1638546798","https://openalex.org/W2117179505","https://openalex.org/W4389575897","https://openalex.org/W1524307340","https://openalex.org/W3080116368","https://openalex.org/W2150878966","https://openalex.org/W1980393268","https://openalex.org/W2896396044","https://openalex.org/W2044735134","https://openalex.org/W140343426"],"abstract_inverted_index":{"Motivated":[0],"by":[1,33,110,205],"progress":[2],"in":[3,18,79,85,92,191,201,300],"the":[4,19,29,73,76,111,146,174,183,186,195,202,238,257,263,278,284,292,297,303,310],"field":[5],"of":[6,75,121,138,161,185,260,265,281,286,296,305],"zero-knowledge":[7],"proofs,":[8],"so-called":[9,311],"Arithmetization-Oriented":[10],"(AO)":[11],"symmetric":[12],"primitives":[13,231],"have":[14,198],"started":[15],"to":[16,28,108,116,134,221,309],"appear":[17],"literature,":[20],"such":[21,213],"as":[22,65],"MiMC,":[23],"Poseidon":[24],"or":[25,89,158],"Rescue.":[26],"Due":[27],"design":[30],"constraints":[31],"implied":[32],"this":[34,68],"setting,":[35],"these":[36],"algorithms":[37],"are":[38,148,244,252],"defined":[39],"using":[40,61,246],"simple":[41,53],"operations":[42],"over":[43,126],"large":[44],"(possibly":[45],"prime)":[46],"fields.":[47],"In":[48],"particular,":[49],"many":[50,206,306],"rely":[51],"on":[52,194],"low-degree":[54],"monomials":[55],"for":[56,140,153,172],"their":[57],"non-linear":[58],"layers,":[59],"essentially":[60],"x":[62],"\u21a6":[63],"x3":[64],"an":[66,135,177,272],"S-box.In":[67],"paper,":[69],"we":[70,227],"show":[71,211],"that":[72,145,212,243,269],"structure":[74],"material":[77],"injected":[78],"each":[80],"round":[81,90,112,279],"(be":[82],"it":[83],"subkeys":[84],"a":[86,93,98,102,151,159,164,214,266,287],"block":[87,234],"cipher":[88,175,235],"constants":[91,280],"public":[94],"permutation)":[95],"could":[96],"allow":[97],"specific":[99],"pattern,":[100],"whereby":[101],"well-defined":[103],"affine":[104],"space":[105],"is":[106],"mapped":[107],"another":[109],"function,":[113],"and":[114,129,237,277,294],"then":[115],"another,":[117],"etc.":[118],"Such":[119],"chains":[120],"one-dimensional":[122],"subspaces":[123],"always":[124],"exist":[125,168],"2":[127],"rounds,":[128,139],"they":[130],"can":[131],"be":[132,219],"extended":[133],"arbitrary":[136],"number":[137],"any":[141],"linear":[142],"layer,":[143],"provided":[144],"round-constants":[147],"well":[149],"chosen.As":[150],"consequence,":[152],"several":[154],"ciphers":[155],"like":[156],"Rescue,":[157],"variant":[160],"AES":[162],"with":[163,291],"monomial":[165],"Sbox,":[166],"there":[167],"some":[169],"round-key":[170],"sequences":[171],"which":[173,251],"has":[176],"abnormally":[178],"high":[179],"differential":[180],"uniformity,":[181],"exceeding":[182],"size":[184],"Sbox":[187],"alphabet.Well-known":[188],"security":[189,248],"arguments,":[190,249],"particular":[192],"based":[193],"wide-trail":[196],"strategy,":[197],"been":[199],"reused":[200],"AO":[203],"setting":[204],"designers.":[207],"Unfortunately,":[208],"our":[209],"results":[210],"traditional":[215],"study":[216],"may":[217],"not":[218],"sufficient":[220],"guarantee":[222],"security.":[223],"To":[224],"illustrate":[225],"this,":[226],"present":[228],"two":[229],"new":[230],"(the":[232],"tweakable":[233],"Snare":[236,261],"permutation-based":[239],"hash":[240],"function":[241],"Stir)":[242],"built":[245],"state-of-the-art":[247],"but":[250],"actually":[253],"deeply":[254],"flawed.":[255],"Indeed,":[256],"key":[258],"schedule":[259],"ensures":[262],"presence":[264,285],"subspace":[267,288],"chain":[268,289],"significantly":[270],"simplifies":[271],"algebraic":[273],"attack":[274],"against":[275],"it,":[276],"Stir":[282],"force":[283],"aligned":[290],"rate":[293],"capacity":[295],"permutation.":[298],"This":[299],"turns":[301],"implies":[302],"existence":[304],"easy-to-find":[307],"solutions":[308],"CICO":[312],"problem.":[313]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":1}],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2025-10-10T00:00:00"}