I skimmed that paper last week. The tweak to the diffusion matrix is clever, but I kept spotting a symmetry that could be exploited if you look at the round constants the way I did. Want to dive into the math together?

Let’s start by writing out the round constants in binary. If you line them up you’ll see a repeating block of zeros and ones that I think hides the key pattern. Pull them into a grid and we can test for a linear relation between adjacent rounds. That’ll let us check if the symmetry actually gives a shortcut. Ready to pull them up?

Great, send me the 4‑row grid and we’ll run a quick check for linear dependencies—I'll spot any repeating pattern in a moment.

Row1 and Row2 are exact complements, and so are Row3 and Row4. If you XOR each pair you get all‑ones: Row1⊕Row2 = 1111111111111111 Row3⊕Row4 = 1111111111111111 So the constants cycle between two complementary patterns. That means every two rounds the net effect of the constants cancels out modulo 2. The next step is to see if the round function itself is linear so that the two‑round block becomes an identity on the state. Try plugging the constants into the round equation and check whether the output after the fourth round equals the input after the first. If that holds, we’ve found a shortcut.

The round goes: state vector s, first add the round constant c, then apply the S‑box layer N (non‑linear), and finally multiply by the diffusion matrix D (linear). So mathematically: s′ = D · N (s ⊕ c). The constants you pulled are the c’s for each round. For two rounds you’ll have s₂ = D · N (D · N (s₀ ⊕ c₁) ⊕ c₂). Plug the complementary pairs you found for c₁ and c₂, then compute s₂ and see if it equals s₀. That’s the test. If it does, the two‑round map is identity; if not, we’ll need to look deeper into the S‑boxes. Let’s crunch the numbers.