Abstract
Many modern block ciphers use maximum distance separable (MDS) matrices as the main part of their diffusion layers. In this paper, we propose a very efficient new class of diffusion layers constructed from several rounds of Feistellike structures whose round functions are linear. We investigate the requirements of the underlying linear functions to achieve the maximal branch number for the proposed 4×4 words diffusion layer, which is an indication of the highest level of security with respect to linear and differential attacks. We try to extend our results for up to 8×8 words diffusion layers. The proposed diffusion layers only require simple operations such as wordlevel XORs, rotations, and they have simple inverses. They can replace the diffusion layer of several block ciphers and hash functions in the literature to increase their security, and performance. Furthermore, it can be deployed in the design of new efficient lightweight block ciphers and hash functions in future.
Introduction
Block ciphers are one of the most important building blocks in many security protocols. Modern block ciphers are cascades of several rounds where every round consists of confusion and diffusion layers. In many block ciphers, while the confusion layer is often realized as a parallel application of nonlinear substitution boxes (Sboxes), the diffusion layer is built from a linear transformation. The diffusion layer plays an efficacious role in providing resistance against the most wellknown attacks on block ciphers, such as differential cryptanalysis (DC) [2], and linear cryptanalysis (LC) [8].
When considering a wordbased linear transformation, where the word size is equal to the input/output size of the Sbox, the branch number provides a lower bound on the number of active Sboxes throughout the diffusion layer for differential and linear attacks. The goal for a designer is to maximize this number, in order to diffuse the nonlinear properties of the SBoxes faster to the subsequent rounds of the cipher. The faster this nonlinearity spreads, the less number of rounds the cipher requires to become secure against linear and differential attacks. It has been shown that the maximal branch number for a linear transformation of s words is s+1 and diffusion layers with maximal branch number can be achieved by using MDS matrices [4].
An MDS matrix (Maximum Distance Separable) is a matrix representing a function with certain diffusion properties that have useful applications in cryptography. Technically, an m×n matrix A over a finite field K is an MDS matrix if it is the transformation matrix of a linear transformation f(x)=Ax from K ^{n} to K ^{m} such that no two different (m+n)tuples of the form (x,f(x)) coincide in n or more components. Equivalently, the set of all (m+n)tuples (x,f(x)) is an MDS code, i.e. a linear code that reaches the Singleton bound.
In 1994, Vaudenay [11, 12] suggested using MDS matrices in cryptographic primitives to produce what he called multipermutations, notnecessarily linear functions with the same property. These functions have what he called perfect diffusion: changing t of the inputs change at least m−t+1 of the outputs. He showed how to exploit imperfect diffusion to cryptanalyze functions that are not multipermutations. MDS matrices were later used in many block ciphers such as Square, SHARK, AES, Twofish and Hierocrypt and in the stream cipher MUGI and the cryptographic hash function Whirlpool.
The common approach to construct MDS matrices is to extract them from MDS codes such as Reed–Solomon codes [7]. However, constructing MDS diffusion layers with lowcost implementations is a challenge for designers. Another problem arises when MDS diffusion layers are exploited in substitutionpermutation networks (SPN), where the MDS matrix is used in the encryption and its inverse is used in the decryption process. Thus, constructing MDS matrices with lowcost inverse is of great importance.
In this paper, we propose a new method to construct lowcost diffusion layers with an extra property that their inverse can also be implemented efficiently. We call the proposed layer a recursive diffusion layer. It is constructed from several rounds of Feistellike structures whose round functions are linear. It consists of simple linear operations such as shift, rotation and XOR with very similar inversion operations. We are going to elaborate on the conditions for the underlying linear function to be an MDS matrix using one or multiple such linear functions by proposing a systematic method to find them. We believe that our proposed solution would be a rather simple recipe for designing a diffusion layer with maximal branch number and will be useful for future designs of cryptographic algorithms.
Notations
Let x be an array of s nbit elements x=[x _{0(n)},x _{1(n)},…,x _{ s−1(n)}]. The number of nonzero elements in x is denoted by w(x), also known as the Hamming weight of x. The following notations are used throughout this paper:
For a diffusion layer D applicable on x, we have the following definitions:
Definition 1
([4])
The differential branch number of a linear diffusion layer D is defined as
We know that the linear function D can be shown as a binary matrix B, and D ^{t} is a linear function obtained from B ^{t}, where B ^{t} is the transposition of B.
Definition 2
([4])
The linear branch number of a linear diffusion layer D is defined as:
It is well known that for a diffusion layer acting on sword inputs, the maximal β _{ d } and β _{ l } are s+1 [4]. A diffusion layer D taking its maximal β _{ d } and β _{ l } is called a perfect or MDS diffusion layer. Furthermore, a diffusion layer with β _{ d }=β _{ l }=s is called an almost perfect diffusion layer [4].
Our Contribution
In this paper, we define the notion of a recursive diffusion layer, and we propose a method to construct such perfect diffusion layers.
Definition 3
A diffusion layer D with s words x _{ i } as the input and s words y _{ i } as the output is called a recursive diffusion layer if it can be represented in the following form:
where F _{0},F _{1},…,F _{ s−1} are arbitrary linear functions.
An advantage of this structure is that the inverse of D is very similar to D and does not require the inverse of F _{ i } functions. The inverse can be computed as:
As an example, consider a 2round Feistel structure with a linear round function L as a recursive diffusion layer with s=2. The input–output relation for this diffusion layer is
The quarterround function of the stream cipher Salsa20 is an example of a nonlinear recursive diffusion layer [1].
Also, the lightweight hash function PHOTON [5] and the block cipher LED [6] use MDS matrices based on Eq. (1). In these ciphers, an m×m MDS matrix B ^{m} was designed based on the following matrix B for the performance purposes:
By matrix B, one element of m inputs is updated and other elements are shifted. If we use B ^{m}, all inputs are updated, but we must check if this matrix is MDS. One example for m=4 is the PHOTON matrix working over GF(2^{8}):
In this paper, we propose a new approach to design linear recursive diffusion layers with the maximal branch number in which F _{ i }’s are composed of one or two linear functions and a number of XOR operations. The design of the proposed diffusion layer is based on the invertibility of some simple linear functions in GF(2). Linear functions in this diffusion layer can be designed to be lowcost for different sizes of the input words, thus the proposed diffusion layer might be appropriate for resourceconstrained devices, such as RFID tags. Although these recursive diffusion layers are not involutory, they have similar inverses with the same computational complexity.
This paper proceeds as follows: In Sect. 2, we introduce the general structure of our proposed recursive diffusion layer. Then, for one of its instances, we systematically investigate the required conditions for the underlying linear function to achieve the maximal branch number. In Sect. 3, we propose some other recursive diffusion layers with less than 8 input words and only one linear function. We use two linear functions to have a perfect recursive diffusion layer for s>4 in Sect. 4. Finally, we conclude the paper in Sect. 5.
The Proposed Diffusion Layer
In this section, we introduce a new perfect linear diffusion layer with a recursive structure. The diffusion layer D takes s words x _{ i } for i={0,1,…,s−1} as input, and returns s words y _{ i } for i={0,1,…,s−1} as output. So, we can represent this diffusion layer as
The first class of the proposed diffusion layer D is represented in Fig. 1, where L is a linear function, α _{ k },β _{ k }∈{0,1}, α _{0}=1 and β _{0}=0. This diffusion layer can be represented in the form of Eq. (1) in which the F _{ i } functions are all the same and can be represented as
To guarantee the maximal branch number for D, the linear function L and the coefficients α _{ j } and β _{ j } must satisfy some necessary conditions. Conditions on L are expressed in this section and those of α _{ j }’s and β _{ j }’s are expressed in Sect. 3. The diffusion layer described by Eq. (3) is an instance that satisfies the necessary conditions on α _{ j }, and β _{ j } with s=4. In the rest of this section, we concentrate on the diffusion layers of this form and show that we can find invertible linear functions L such that D becomes a perfect diffusion layer.
As shown in Fig. 2, this diffusion layer has a Feistellike (GFN) structure, i.e.,
The inverse transformation, D ^{−1}, has a very simple structure and does not require the inversion of the linear function L. The inverse of D is
D and D ^{−1} are different, but they have the same structure and properties. To show that D has the maximal branch number, first we introduce some lemmas and theorems.
If L(x) can be written as a⋅x in a finite field, then Eq. (3) can be expressed as a matrix representation as below:
We can construct MDS matrix similar to PHOTON matrix by the proposed diffusion layer. In Eq. (1), if F _{ i }(x _{1},x _{2},x _{3})=F _{0}(x _{1},x _{2},x _{3})=L(x _{1})⊕x _{2}⊕L ^{2}(x _{3}), where L(x)=2x and x∈GF(2^{8}), PHOTON MDS matrix is obtained [5]. If we change B to Eq. (3), and define L(x)=2x, we have
Theorem 4
([4])
A Boolean function F has maximal differential branch number if, and only if it has maximal linear branch number.
As a result of Theorem 4, if we prove that the diffusion layer D represented in Eq. (3) has the maximal differential branch number, its linear branch number will be maximal too. Thus, in the following, we focus on the differential branch number.
Lemma 5
A linear functions L(x) is invertible if, and only if for any nonzero value a, \(L(a)\not=0\).
Proof
For any linear function L(x), we have L(0)=0. If there exists \(a\not =0\) such that L(a)=0, then L(x) is not invertible. On the other hand, suppose a=0 is the unique zero of L(x), and L(x) is not invertible. So, there exist two values b and c (\(b\not=c\)) such that L(b)=L(c). Since L(x) is a linear function, we have L(b⊕c)=L(b)⊕L(c)=0, while \(b\oplus c\not=0\). This contradicts the assumption that a=0 is the unique zero of L(x). □
Lemma 6
Assume the linear operator \(\mathcal{L}_{i}\) corresponds to the linear function L _{ i }(x). If the linear operator \(\mathcal{L}_{3}\) can be represented as the multiplication of two operators \(\mathcal{L}_{1}\) and \(\mathcal{L}_{2}\), then the corresponding linear function L _{3}(x)=L _{2}(L _{1}(x)) is invertible if, and only if the linear functions L _{1}(x) and L _{2}(x) are invertible.
Proof
If L _{1}(x) and L _{2}(x) are invertible, clearly L _{3}(x) is invertible too. On the other hand, if L _{3}(x) is invertible then L _{1}(x) must be invertible, otherwise, there are distinct x _{1}, and x _{2} such that L _{1}(x _{1})=L _{1}(x _{2}). Thus, L _{3}(x _{1})=L _{2}(L _{1}(x _{1}))=L _{2}(L _{1}(x _{2}))=L _{3}(x _{2}) which contradicts the invertibility of L _{3}(x). The invertibility of L _{2}(x) is proved in the same way. □
Example 1
We can rewrite the linear function L _{3}(x)=L ^{3}(x)⊕x (\(\mathcal{L}_{3}=\mathcal{L}^{3} \oplus I\)) as L _{3}(x)=L _{2}(L _{1}(x)), where L _{1}(x)=L(x)⊕x (\(\mathcal {L}_{1}=\mathcal{L} \oplus I\)) and L _{2}(x)=L ^{2}(x)⊕L(x)⊕x (\(\mathcal{L}_{2}=\mathcal{L}^{2} \oplus \mathcal{L} \oplus I\)). Thus, the invertibility of L _{3}(x) is equivalent to the invertibility of the two linear functions L _{1}(x) and L _{2}(x).
Theorem 7
For the diffusion layer represented in Eq. (3), if the four linear functions L(x), x⊕L(x), x⊕L ^{3}(x) and x⊕L ^{7}(x) are invertible, then this diffusion layer is perfect.
Proof
We show that the differential branch number of this diffusion layer is 5. First, the 4 words of the output are directly represented as functions of the 4 words of the input:
In the proof, we look at all different cases for the Hamming weight of the input. In other words, we show that if the Hamming weight of the input is m=1,2,3,4, then the Hamming weight of the output is greater than or equal to 5−m. Each case will pose different conditions on L which in the end can be summarized to the condition given in the theorem. The diffusion layer represented in Eq. (3) is invertible. Consider m=4, then all of the 4 words in the input are active, and we are sure at least one of the output words is active too. Thus, the theorem is correct for m=4. The remainder of the proof is performed for the 3 cases of w(Δ(x))=m, for m=1,2,3 separately. In each of these cases, some conditions are forced on the linear function L.
Case 1: w(△x)=1
To study this case, first the subcase
is analyzed. For this subcase, Eq. (5) is simplified to:
If D is a perfect diffusion layer, then △y _{0}, △y _{1}, △y _{2}, and △y _{3} must be nonzero. Clearly, △y _{0} is nonzero and based on Lemma 5, the conditions for △y _{1}, △y _{2}, and △y _{3} to be nonzero are that the linear functions I⊕L, L ^{2}, and I⊕L ^{2}⊕L ^{3} must be invertible. Note that based on Lemma 6 the invertibility of L yields the invertibility of L ^{2}. Considering Lemma 6, if the other three subcases are studied, it is induced that the linear functions x⊕L(x)⊕L ^{2}(x) and x⊕L(x)⊕L ^{3}(x) must also be invertible.
Case 2: w(△x)=2
In this case, there exist exactly two active words in the input difference, and we obtain some conditions on the linear function L to guarantee the branch number 5 for D. In the following, we only analyze the subcase
With this assumption, Eq. (5) is simplified to
To show that w(△y) is greater than or equal to 3, we must find some conditions on L such that if one of the △y _{ i }’s is zero, then the other three △y _{ j }’s cannot be zero. Let △y _{0}=0, then
If △x _{0} is replaced in the last three equations of Eq. (6), we obtain △y _{1}, △y _{2} and △y _{3} as follows:
Obviously, △y _{1} is not zero. Furthermore, considering Lemma 5, for △y _{2} to be nonzero, we conclude that the function x⊕L(x) must be invertible. For △y _{1}⇒△y _{3}, L ^{2}(x) is invertible. This condition was already obtained in the Case 1. We continue this procedure for △y _{1}=0.
From the previous subcase, we know that if △y _{0}=0, then \(\triangle y_{1}\not=0\). Thus, we conclude that △y _{0} and △y _{1} cannot be simultaneously zero. Therefore, by contraposition, we obtain that if △y _{1}=0, then \(\triangle y_{0}\not=0\). So, we only check △y _{2} and △y _{3}. From the third equation in Eq. (6), we have
x⊕L(x) is invertible, thus we conclude that with the two active words △x _{0} and △x _{1} in the input, △y _{1} and △y _{2} cannot be zero simultaneously. With the same procedure, we can prove that △y _{1}, and △y _{3} cannot be zero simultaneously.
Here we only gave the proof for the case (\(\triangle x_{0},\triangle x_{1}\not=0\), △x _{2}=△x _{3}=0). We performed the proof procedure for the other cases, and no new condition was added to the previous set of conditions in Case 1.
Case 3: w(△x)=3
In this case, assuming three active words in the input, we show that the output has at least 2 nonzero words. Here, only the case
is analyzed. The result holds for the other three cases with w(△x)=3. Let rewrite Eq. (5) for △x _{3}=0 as follows:
When △y _{0}=△y _{1}=0, from the first two lines of Eq. (7), △x _{0} and △x _{1} are obtained as the function of △x _{2}.
Now, replacing △x _{0}=△x _{2}⊕L ^{2}(△x _{2}) and △x _{1}=L(△x _{2}) into △y _{2} and △y _{3} yields
From Case 1, we know that the functions x⊕L(x) are invertible. Therefore, △y _{2}, and △y _{3} are nonzero. If the other subcases with three active words in the input are investigated, it is easy to see that no new condition is added to the present conditions on L. Finally, we conclude that the diffusion layer D presented in Fig. 1 is perfect if the linear functions
are invertible. We know that L _{3}(L _{2}(x))=x⊕L ^{3}(x) and L _{5}(L _{4}(L _{2}(x)))=x⊕L ^{7}(x). Thus, by Lemma 6, we can summarize the necessary conditions on the linear function L as the invertibility of L(x), (I⊕L)(x), (I⊕L ^{3})(x), and (I⊕L ^{7})(x). □
Next, we need a simple method to check whether a linear function L satisfies the conditions of Theorem 7 or not. For this purpose, we use the binary matrix representation of L. Assume that x _{ i } is an nbit word. Hence, we can represent a linear function L with an n×n matrix A with elements in GF(2). As a result of Lemma 5, if L is invertible, A is not singular over GF(2) (\(\mathbf{A}\not=0\)). To investigate whether a linear function L satisfies the conditions of Theorem 7, we construct the corresponding matrix A _{ n×n } from L, and check the nonsingularity of the matrices A, I⊕A, I⊕A ^{3}, and I⊕A ^{7} in GF(2).
In the following, we construct concrete functions L which are lightweight and satisfy the conditions mentioned in Theorem 7. For example, the functions L(x)=x, L(x)=x≫a and L(x)=x⋙a are the examples of the most lightweight linear functions. However, they do not satisfy Theorem 7 conditions, because at least one of the two functions L(x) and x⊕L(x) are not invertible. A set of candidates for lightweight linear functions can be expressed as:
If (a+b)n, then L(x) is invertible [15]. The remaining conditions x⊕L(x), x⊕L ^{3}(x) and x⊕L ^{7}(x) have to be checked. Although the linear function in Eq. (8) has a complicated inverse, it does not require circular shift which is considered as an advantage for this function. Note that circular shift is not supported by some compilers. Another proposal for L(x) is
The linear function in Eq. (9), for a>n/2, has a lightweight inverse L(x _{(n)})=(x _{(n)}⋙b)⊕(x _{(n)}⋙b)≫a which will be used in diffusion layer proposed in Sect. 4.
We introduce some lightweight linear functions with nbit inputs/outputs in Table 1 which satisfy the conditions of Theorem 7. Note that for n=8, there does not exist any linear function of the form Eq. (8) or Eq. (9) satisfying conditions of Theorem 7.
Application of the Proposed Diffusion Layer in Current Block Ciphers
Together with designing new lightweight block ciphers, the proposed diffusion layer can also be applied to diffuse the nonlinearity of bigsize Sboxes. One of these block ciphers is MMB [3] that uses 32bit Sboxes. Each round of MMB is composed of four transformations:

σ: bitwise XOR of the intermediate value and the round key.

γ: modular multiplication of each 32bit word of the intermediate value with a fixed 32bit constant G _{ i } modulo 2^{32}−1.

η: an operation on two of the four input words.

θ: the only diffusion operation in MMB which is an involutory binary matrix as below:
$$ \mathbf{B} = \left(\begin{array}{c@{\quad}c@{\quad}c@{\quad}c} 1 & 1 & 0 & 1\\ 1& 1 & 1 & 0\\ 0 & 1 & 1 & 1\\ 1& 0 & 1 & 1\\ \end{array}\right) $$
We can use the proposed diffusion layer with L(x _{(32)})=(x _{(32)}≪3)⊕(x _{(32)}≫1) instead of the diffusion layer used in the block cipher MMB. If we use the proposed diffusion layer in this cipher, it becomes stronger against differential and linear attacks, because branch number of the binary matrix of MMB is 4 while branch number of the proposed diffusion layer is 5. This change also prevents the attacks presented against this block cipher in [13]. By computer simulations in C using a PC with CPU: 2.93 GHz and RAM: 2 GB, we observed that this modification reduces the performance of MMB by making it 30 % slower in the software implementations. This was achieved by comparing the running time of the protocol for 1 million encryptions.
Another block cipher where we can replace the diffusion layer by the proposed one is Hierocrypt [9]. Hierocrypt does not explicitly use bigsize Sboxes, but it constructs 32 bit Sboxes by using nested SPN structure together with four 8bit Sboxes and the MDS_{ L } matrix. For diffusion within those 32bit Sboxes, a 16×16 binary matrix called MDS_{ H } is used, which is MDS for four 32bit inputs. If we use our proposed diffusion layer with the same L(x), instead of the MDS_{ H } [9], we can achieve a 2 times faster implementation with the same level of security.
AES Mixcolumn layer has a simple implementation. As another comparison, we decided to replace the MDS_{ H } matrix in Hierocrypt with the MDS matrix of AES. But since MDS code of AES is over GF(2^{8}) and the inputs of MDS_{ H } are four 32bit words, we modified the corresponding irreducible polynomial in AES and replaced it with x ^{32}+x ^{7}+x ^{5}+x ^{3}+x ^{2}+x+1 [10] to work over GF(2^{32}), which would still remain MDS. We call this new construction, sch _{1}. As another construction, we replaced the MDS_{ H } in Hierocrypt with the MDS code we proposed above in our solution and we called it sch _{2}. We observed that sch _{2} still brings on 5 % better performance compared to sch _{1}.
Other Desirable Structures for the Proposed Diffusion Layer
In Sect. 2, the general form of the proposed diffusion layer was introduced in Fig. 1. Then, by assuming a special case of α _{ i }’s and β _{ i }’s, an instance of this diffusion layer was given in Eq. (3). In this section, we obtain all sets of α _{ i }’s and β _{ i }’s such that the diffusion layer of Fig. 1 becomes perfect. We know some properties of α _{ i }’s and β _{ i }’s; for instance if all the words of the output are directly represented as a function of input words, a function of each x _{ i } (0≤i≤s−1) must appear in each equation. Another necessary condition is obtained for two active words of the input. Assume there exist only two indices i,j such that x _{ i }, \(x_{j}\not= 0\). If we write each two output words y _{ p }, y _{ q } in a direct form as a function of x _{ i } and x _{ j }, we obtain
If
then, y _{ p }=0 is equivalent to y _{ q }=0. Thus, the minimum number of active words in the input and output is less than or equal to s and the branch number will not reach the maximal value s+1. This procedure must be repeated for 3, and more active words in the input. As an extension, we can use Lemma 3 of [10].
Lemma 8
([10])
Assume the diffusion layer has m inputs/outputs bits, and \(\mathcal {L}\) is the linear operator of L(x), and I is the linear operator of I(x). Moreover, ML _{ D } is an m×m matrix representation of the operator of the diffusion layer. If D is perfect, then all the submatrices of ML _{ D } are nonsingular.
If we construct the ML _{ D } of Eq. (3), we have
when calculating 69 submatrix determinants of ML _{ D }, we observe that these submatrices are nonsingular only if L fulfills the condition of Theorem 7. However, by following this procedure, it is complicated to obtain all sets of α _{ i }’s and β _{ i }’s analytically. So, by systematizing the method based on Lemma 8, we performed a computer simulation to obtain all sets of α _{ i }’s, and β _{ i }’s in the diffusion layer in Fig. 1 that yield a perfect diffusion. We searched for all α _{ i }’s and β _{ i }’s that make the diffusion layer of Fig. 1 a perfect diffusion layer. This procedure was repeated for s=2,3,…,8. We found one set of (α _{ i }, β _{ i }) for s=2, four sets for s=3, and four sets for s=4. The obtained diffusion layers along with the conditions on the underlying linear function L are reported in Table 2. We observed that for s=5, 6, 7, 8 the diffusion layer introduced in Fig. 1 cannot be perfect.
Note that some linear functions in Table 1 such as L(x _{(64)})=(x _{(64)}≪15)⊕(x _{(64)}≫1) are not suitable for diffusion layers, since x _{(64)}⊕L ^{15}(x _{(64)}) must be invertible.
As we can see in Fig. 1, and its instances presented in Table 2, there exists some kind of regularity in the equations defining y _{ i }’s, in the sense that the form of y _{ i+1} is determined by the form of y _{ i }, and vice versa (F _{ i }’s are all the same in Eq. (1)). However, we can present some nonregular recursive diffusion layers with a more general form (F _{ i }’s are different) as in Fig. 3, where A _{ i,j },B _{ i,j }∈{0,1}.
If A _{ i,j }=α _{(j−i)mods }, and B _{ i,j }=β _{(j−i)mods }, then Fig. 3 is equivalent to Fig. 1. The main property of this new structure is that it still has one linear function L, and a simple structure for the inverse. For example, if s=4, then, the diffusion layer D is
We searched the entire space for s=3 and s=4 (the order of search is 2^{2s(s−1)}). For s=3, we found 196 structures with branch number 4, and for s=4, 1634 structures with branch number 5. The conditions on linear functions that caused maximal branch number, are different for each structure. Among the 196 structures for s=3, the structure with the minimum number of operations (only 7 XORs, and one L evaluation) is the following:
where L(x) and x⊕L(x) must be invertible.
This relation is useful to enlarge the first linear function of the hash function JH for 3 inputs [14]. For s=4, we did not find any D with the number of L evaluations less than four. However, the one with the minimum number of XORs is given as below:
Searching the whole space for s=5,6,… is too time consuming (note that for s=5 the order of search has complexity 2^{40}), and we could not search all the space for s≥5.
Increasing the Number of Linear Functions
In Sect. 3, we observed that for s>4 we cannot design a regular recursive diffusion layer in the form of Fig. 1 with only one linear function L. In this section, we increase the number of linear functions to overcome the regular structure of the diffusion layer of Eq. (3). A new structure is represented in Fig. 4, where α _{ k },β _{ k },γ _{ k }∈{0,1}, k∈{0,1,…,s−1}, α _{0}=1,β _{0}=0 and γ _{0}=0.
If L _{1} and L _{2} are two distinct linear functions, Fig. 4 is too complicated to easily obtain conditions on L _{1} and L _{2} that make it a perfect diffusion layer (the order of search for s input/output is 2^{3(s−1)}). To obtain simplified conditions for a maximal branch number, let L _{1} and L _{2} have a simple relation like \(L_{2}(x)=L_{1}^{2}(x)\) or \(L_{2}(x)=L_{1}^{1}(x)\). For the linear functions in Eq. (8), L ^{2}(x) is more complex in comparison to L(x). However, there exist some linear functions in the form of Eq. (9) such that L ^{−1}(x) is simpler than L ^{2}(x). As an example, for L(x _{(32)})=(x _{(32)}⊕x _{(32)}≫31)⋘1, we have L ^{−1}(x _{(32)})=((x _{(32)}⋙1)⊕(x _{(32)}⋙1)≫31), but L ^{2}(x _{(32)})=(x _{(32)}⊕(x _{(32)}≫31)⋘1)⊕((x _{(32)}⋘1)≫31)⋘1.
In Table 3, we introduce some recursive diffusion layers with (L _{1}=L and L _{2}=L ^{−1}) or (L _{1}=L and L _{2}=L ^{2}) that have maximal branch numbers. These diffusion layers are obtained similar to that of Table 2. In this table, for each case, only y _{0} is presented. Other y _{ i }’s can be easily obtained from Fig. 4, since the F _{ i }’s are all the same.
If the 14 linear functions:
are invertible (all irreducible polynomials up to degree 13), then all the diffusion layers introduced in Table 3 are perfect. One example for a 32bit linear function satisfying these conditions is
Conclusion
In this paper, we proposed a new family of efficient diffusion layers (recursive diffusion layers) which are constructed using several rounds of Feistellike structures whose round functions are linear. The proposed diffusion layers are very efficient and have simple inverses, thus they can be deployed to improve the security or performance of some of the current block ciphers and hash functions and in the design of the future lightweight block ciphers and hash functions, even providing provable security against differential and linear attacks. For a fixed structure, we determined the required conditions for its underlying linear function to be perfectly secure with respect to linear and differential attacks. Then, for the number of words in input (output) less than eight, we extended our approach, and found all the instances of the perfect recursive diffusion layers with the general form described in Fig. 1. Also, we proposed some other diffusion layers with nonregular forms. Finally, diffusion layers with two linear functions were proposed. By using two linear functions, we designed perfect recursive diffusion layers for higher number of words.
References
 [1]
D.J. Bernstein, The Salsa20 Stream Cipher (2005). http://www.ecrypt.eu.org/stream/salsa20p2.html
 [2]
E. Biham, A. Shamir, Differential Cryptanalysis of DESLike Cryptosystems, in CRYPTO’90. Lecture Notes in Computer Science, vol. 537 (Springer, Berlin, 1990), pp. 2–21
 [3]
J. Daemen, Cipher and Hash function design strategies based on linear and differential cryptanalysis. Ph.D. thesis, Elektrotechniek Katholieke Universiteit Leuven, Belgium (1995)
 [4]
J. Daemen, V. Rijmen, The Design of Rijndael: AES—The Advanced Encryption Standard (Springer, Berlin, 2002)
 [5]
J. Guo, T. Peyrin, A. Poschmann, The PHOTON family of lightweight Hash functions, in CRYPTO’11. Lecture Notes in Computer Science, vol. 6841 (Springer, Berlin, 2011), pp. 222–239
 [6]
J. Guo, T. Peyrin, A. Poschmann, M. Robshaw, The LED block cipher, in CHES’11. Lecture Notes in Computer Science, vol. 6917 (Springer, Berlin, 2011), pp. 326–341
 [7]
S. Lin, D. Costello, Error control coding: fundamentals and applications (Prentice Hall, New York, 2004)
 [8]
M. Matsui, Linear cryptanalysis method for DES cipher, in EUROCRYPT’93. Lecture Notes in Computer Science, vol. 765 (Springer, Berlin, 1993), pp. 386–397
 [9]
K. Ohkuma, H. Muratani, F. Sano, S. Kawamura, The block cipher hierocrypt, in SAC’01. Lecture Notes in Computer Science, vol. 2012 (Springer, Berlin, 2001), pp. 72–88
 [10]
M. Sajadieh, M. Dakhilalian, H. Mala, Perfect involutory diffusion layers based on invertibility of some linear functions. IET Inf. Secur. J. 5(1), 228–236 (2011)
 [11]
C. Schnorr, S. Vaudenay, Black box cryptoanalysis of Hash networks based on multipermutations, in EUROCRYPT’94. Lecture Notes in Computer Science, vol. 950 (Springer, Berlin, 1994), pp. 47–57
 [12]
S. Vaudenay, On the need for multipermutations: cryptanalysis of MD4 and SAFER, in FSE’94. Lecture Notes in Computer Science, vol. 1008 (Springer, Berlin, 1994), pp. 286–297
 [13]
M. Wang, J. Nakahara, Y. Sun, Cryptanalysis of the full MMB block cipher, in SAC’09. Lecture Notes in Computer Science, vol. 5867 (Springer, Berlin, 2009), pp. 231–248
 [14]
H. Wu, The Hash Function JH (2008). http://icsd.i2r.astar.edu.sg/staff/hongjun/jh/jh.pdf
 [15]
G. Zeng, K. He, W. Han, A Trinomial Type of σLFSR Oriented Toward Software Implementation. Science in China Series FInformation Sciences, vol. 50 (Springer, Berlin, 2007), pp. 359–372
Author information
Affiliations
Corresponding author
Additional information
This paper was solicited by the EditorsinChief as one of the best papers from FSE 2012, based on the recommendation of the program committee.
Rights and permissions
About this article
Cite this article
Sajadieh, M., Dakhilalian, M., Mala, H. et al. Efficient Recursive Diffusion Layers for Block Ciphers and Hash Functions. J Cryptol 28, 240–256 (2015). https://doi.org/10.1007/s0014501391638
Received:
Published:
Issue Date:
Key words
 Block ciphers
 Diffusion layer
 Branch number
 MDS matrix