On the Resilience of Even-Mansour to Invariant Permutations
Designs, Codes and Cryptography ( IF 1.4 ) Pub Date : 2021-02-23 , DOI: 10.1007/s10623-021-00850-2
Bart Mennink , Samuel Neves

Symmetric cryptographic primitives are often exposed to invariances: deterministic relations between plaintexts and ciphertexts that propagate through the primitive. Recent invariant subspace attacks have shown that these can be a serious issue. One way to mitigate invariant subspace attacks is at the primitive level, namely by proper use of round constants (Beierle et al., CRYPTO 2017). In this work, we investigate how to thwart invariance exploitation at the mode level, namely by assuring that a mode never evaluates its underlying primitive under any invariance. We first formalize the use of invariant cryptographic permutations from a security perspective, and analyze the Even-Mansour block cipher construction. We further demonstrate how the model composes, and apply it to the keyed sponge construction. The security analyses exactly pinpoint how the presence of linear invariances affects the bounds compared with analyses in the random permutation model. As such, they give an exact indication of how invariances can be exploited. From a practical side, we apply the derived security bounds to the case where the Even-Mansour construction is instantiated with the 512-bit ChaCha permutation, and derive a distinguishing attack against Even-Mansour-ChaCha in \(2^{128}\) queries, faster than the birthday bound. Comparable results are derived for instantiation using the 200-bit Keccak permutation without round constants (attack in \(2^{50}\) queries), the 1024-bit CubeHash permutation (attack in \(2^{256}\) queries), and the 384-bit Gimli permutation without round constants (attack in \(2^{96}\) queries). The attacks do not invalidate the security of the permutations themselves, but rather they demonstrate the tightness of our bounds and confirm that care should be taken when employing a cryptographic primitive that has nontrivial linear invariances.
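The abstract's central point, that a linear invariance of the permutation survives the key additions of Even-Mansour and shows up as a deterministic plaintext/ciphertext relation, while round constants at the primitive level remove it, can be seen on a toy. The following is an added, constructed example and not the paper's permutation, bounds or attack: a 256-bit ChaCha-style column/diagonal round structure on 16-bit words (the real ChaCha works on 32-bit words and 512 bits), a cyclic column rotation `L` as the invariance, and per-column constants `CONSTANTS` chosen arbitrarily here. All function names are this example's own.

```python
"""Toy demonstration: a linear invariance of a ChaCha-like permutation
propagates through the Even-Mansour construction, and per-position round
constants remove it.  Constructed example; not the paper's permutation,
bounds or attack."""
import random

MASK = 0xFFFF  # 16 words of 16 bits: a 256-bit toy state, index row*4 + col


def rotl16(x, r):
    return ((x << r) | (x >> (16 - r))) & MASK


def quarterround(s, a, b, c, d):
    """ChaCha-style ARX quarter round on four word positions (16-bit toy)."""
    s[a] = (s[a] + s[b]) & MASK
    s[d] = rotl16(s[d] ^ s[a], 7)
    s[c] = (s[c] + s[d]) & MASK
    s[b] = rotl16(s[b] ^ s[c], 5)
    s[a] = (s[a] + s[b]) & MASK
    s[d] = rotl16(s[d] ^ s[a], 3)
    s[c] = (s[c] + s[d]) & MASK
    s[b] = rotl16(s[b] ^ s[c], 2)


def permute(state, constants=None, rounds=8):
    """Column round followed by diagonal round on a 4x4 word matrix.
    With constants=None every column is treated identically, so P commutes
    with a cyclic rotation of the columns.  constants is a tuple of four
    distinct words XORed into the top row at the start of every round."""
    s = list(state)
    for _ in range(rounds):
        if constants is not None:
            for col in range(4):
                s[col] ^= constants[col]  # breaks the symmetry between columns
        for col in range(4):  # column round: each column on its own
            quarterround(s, col, 4 + col, 8 + col, 12 + col)
        for col in range(4):  # diagonal round: diagonals are rotations of each other
            quarterround(s, col, 4 + (col + 1) % 4, 8 + (col + 2) % 4, 12 + (col + 3) % 4)
    return tuple(s)


def rotate_columns(s):
    """The linear map L: move every word one column to the right, cyclically."""
    t = [0] * 16
    for row in range(4):
        for col in range(4):
            t[row * 4 + (col + 1) % 4] = s[row * 4 + col]
    return tuple(t)


def xor(a, b):
    return tuple(x ^ y for x, y in zip(a, b))


def in_invariant_subspace(s):
    """U = {x : L(x) = x}: all four columns equal (2^64 of the 2^256 states).
    If P commutes with L then P maps U onto U."""
    return rotate_columns(s) == s


def even_mansour(key, x, constants=None):
    """Single-key Even-Mansour: E_K(x) = P(x xor K) xor K."""
    return xor(permute(xor(x, key), constants), key)


def random_state(rng):
    return tuple(rng.randrange(1 << 16) for _ in range(16))


def random_symmetric_state(rng):
    """A random element of U: one random column repeated four times."""
    column = [rng.randrange(1 << 16) for _ in range(4)]
    return tuple(column[row] for row in range(4) for _ in range(4))


def commutes_with_rotation(constants=None, trials=50, seed=1):
    """Does P(L(x)) == L(P(x)) hold on every sampled state x?"""
    rng = random.Random(seed)
    return all(permute(rotate_columns(x), constants) == rotate_columns(permute(x, constants))
               for x in (random_state(rng) for _ in range(trials)))


def em_relation_holds(constants=None, trials=50, seed=2):
    """For plaintexts x in the coset K xor U, x xor E_K(x) equals u xor P(u)
    with u in U, so it lies in U whenever P preserves U: a key-independent,
    deterministic plaintext/ciphertext relation inherited by the mode."""
    rng = random.Random(seed)
    key = random_state(rng)
    ok = True
    for _ in range(trials):
        x = xor(key, random_symmetric_state(rng))
        ok &= in_invariant_subspace(xor(x, even_mansour(key, x, constants)))
    return ok


CONSTANTS = (0x1234, 0x5678, 0x9ABC, 0xDEF0)  # constructed, distinct per column

if __name__ == "__main__":
    print("no constants:   commutes", commutes_with_rotation(), " EM relation", em_relation_holds())
    print("with constants: commutes", commutes_with_rotation(CONSTANTS), "EM relation", em_relation_holds(CONSTANTS))
```

Without constants the commutation `P(L(x)) = L(P(x))` is exact by construction (both the column round and the diagonal round treat the columns identically), and because `U` is closed under XOR the relation `x xor E_K(x) in U` holds for every plaintext in the coset `K xor U`, whatever the key. With distinct per-column constants the first constant addition already moves a symmetric state out of `U`, and a permutation that commutes with `L` maps non-symmetric states to non-symmetric states, so the relation disappears; this is the primitive-level mitigation the abstract attributes to proper use of round constants, with the mode-level alternative being to never evaluate the primitive on such a coset.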




Updated: 2021-02-23