Mind the Middle Layer: The HADES Design Strategy Revisited

Nathan Keller, Asaf Rosemarin

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

5 Scopus citations


The HADES design strategy combines the classical SPN construction with the Partial SPN (PSPN) construction, in which at every encryption round, the non-linear layer is applied to only a part of the state. In a HADES design, a middle layer that consists of PSPN rounds is surrounded by outer layers of SPN rounds. The security arguments of HADES with respect to statistical attacks use only the SPN rounds, disregarding the PSPN rounds. This allows the designers to not pose any restriction on the MDS matrix used as the linear mixing operation. In this paper we show that the choice of the MDS matrix significantly affects the security level provided by HADES designs. If the MDS is chosen properly, then the security level of the scheme against differential and linear attacks is significantly higher than claimed by the designers. On the other hand, weaker choices of the MDS allow for extremely large invariant subspaces that pass the entire middle layer without activating any non-linear operation (a.k.a. S-box). We showcase our results on the Starkad and Poseidon instantiations of HADES. For Poseidon, we significantly improve the lower bounds on the number of active S-boxes with respect to both differential and linear cryptanalysis provided by the designers – for example, from 28 to 60 active S-boxes for the t= 6 variant. For Starkad, we show that for any variant with t (i.e., the number of S-boxes in each round) divisible by 4, the cipher admits a huge invariant subspace that passes any number of PSPN rounds without activating any S-box (e.g., a subspace of size 2 1134 for the t= 24 variant). Furthermore, for various choices of the parameters, this invariant subspace can be used to mount a preimage attack on the hash function that breakes its security claims. On the other hand, we show that the problem can be fixed easily by replacing t with any value that is not divisible by four. Following our paper, the designers of Starkad and Poseidon amended their design, by adding requirements which ensure that the MDS matrix is chosen properly.

Original languageEnglish
Title of host publicationAdvances in Cryptology – EUROCRYPT 2021 - 40th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings
EditorsAnne Canteaut, François-Xavier Standaert
PublisherSpringer Science and Business Media Deutschland GmbH
Number of pages29
ISBN (Print)9783030778859
StatePublished - 2021
Event40th Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2021 - Zagreb, Croatia
Duration: 17 Oct 202121 Oct 2021

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume12697 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Conference40th Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2021

Bibliographical note

Funding Information:
Research supported by the European Research Council under the ERC starting grant agreement number 757731 (LightCrypt) and by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office.

Publisher Copyright:
© 2021, International Association for Cryptologic Research.


Dive into the research topics of 'Mind the Middle Layer: The HADES Design Strategy Revisited'. Together they form a unique fingerprint.

Cite this