A theoretical analysis of generalized invariants of bijective S-boxes

This article provides a rigorous mathematical treatment of generalized (GNI) and closedloop invariants (CLI), which extend the standard notion of nonlinear invariants used in the cryptanalysis of block ciphers. We first introduce the concept of an active cycle set, which is useful for defining standard invariants of concatenated S-boxes. We also present an algorithm for finding the cycle decomposition of a substitution layer provided the knowledge of the cycle decomposition of the constituent S-boxes. Employing the cycle decomposition of a bijective S-box, we precisely characterize the cardinality of its generalized and CLIs. We demonstrate that quadratic invariants (especially useful for mounting practical attacks in cases when the linear layer is an orthogonal matrix) might not exist for many S-boxes used in practice, whereas there are many quadratic invariants of generalized type. For generalized invariants, we draw an important conclusion that these invariants are not affine invariant, and therefore for two affine permutations A(1), A(2) over F-2(m) the set of generalized invariants of S is not necessarily the same as for A(1) o S o A(2). In the context of closed-loop invariants, it is shown that the inverse mapping S(x) = x(-1) over F-2(4) admits quadratic CLIs that additionally possess linear structures, whereas for m > 4 there are no quadratic CLIs of S(x) = x(-1) over F-2m. Moreover, we identify the existence of both standard and closed-loop invariants for the so-called MiMC (Minimal Multiplicative Complexity) [1] design, which uses an S-box layer based on the permutation S(x) = x(3) over F-2m (m odd). We present a method to specify these invariants even when m is prime, for which the authors [1] claimed resistance against a type of invariant attacks-subfield attacks.