Block Ciphers – Focus on the Linear Layer (feat. PRIDE)

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8616)


The linear layer is a core component in any substitution-permutation network block cipher. Its design significantly influences both the security and the efficiency of the resulting block cipher. Surprisingly, not many general constructions are known that allow to choose trade-offs between security and efficiency. Especially, when compared to Sboxes, it seems that the linear layer is crucially understudied. In this paper, we propose a general methodology to construct good, sometimes optimal, linear layers allowing for a large variety of trade-offs. We give several instances of our construction and on top underline its value by presenting a new block cipher. PRIDE is optimized for 8-bit micro-controllers and significantly outperforms all academic solutions both in terms of code size and cycle count.


block cipher linear layer wide-trail embedded processors 


  1. 1.
    AES. Advanced Encryption Standard. FIPS PUB 197, Federal Information Processing Standards Publication (2001)Google Scholar
  2. 2.
    Albrecht, M.R., Driessen, B., Kavun, E.B., Leander, G., Paar, C., Yalçın, T.: Block Ciphers – Focus On The Linear Layer (feat. PRIDE): Full Version. IACR Cryptology ePrint Archive, 2014:453 (2014)Google Scholar
  3. 3.
    Anderson, R., Biham, E., Knudsen, L.: Serpent: A Proposal for the Advanced Encryption Standard (1998)Google Scholar
  4. 4.
    Atmel AVR. ATmega8 Datasheet,
  5. 5.
    Augot, D., Finiasz, M.: Direct Construction of Recursive MDS Diffusion Layers using Shortened BCH Codes. In: Fast Software Encryption (FSE). LNCS. Springer (to appear, 2014)Google Scholar
  6. 6.
    AVRAES: The AES block cipher on AVR controllers,
  7. 7.
    Barreto, P.S.L.M., Nikov, V., Nikova, S., Rijmen, V., Tischhauser, E.: Whirlwind: A New Cryptographic Hash Function. Des. Codes Cryptography 56(2-3), 141–162 (2010)MathSciNetCrossRefzbMATHGoogle Scholar
  8. 8.
    Barreto, P.S.L.M., Rijmen, V.: The Anubis Block Cipher. Submission to the NESSIE project (2001)Google Scholar
  9. 9.
    Barreto, P.S.L.M., Rijmen, V.: The Khazad Legacy-level Block Cipher. Submission to the NESSIE project (2001)Google Scholar
  10. 10.
    Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., Wingers, L.: The SIMON and SPECK Families of Lightweight Block Ciphers. IACR Cryptology ePrint Archive, 2013:414 (2013)Google Scholar
  11. 11.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Keccak Specifications (2009)Google Scholar
  12. 12.
    Biham, E., Shamir, A.: Differential Cryptanalysis of DES-like Cryptosystems. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 2–21. Springer, Heidelberg (1991)Google Scholar
  13. 13.
    Biryukov, A.: DES-X (or DESX). In: Encyclopedia of Cryptography and Security, 2nd edn., p. 331. Springer (2011)Google Scholar
  14. 14.
    Biryukov, A., De Cannière, C., Braeken, A., Preneel, B.: A Toolbox for Cryptanalysis: Linear and Affine Equivalence Algorithms. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 33–50. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  15. 15.
    Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M.J.B., Seurin, Y., Vikkelsø, C.: PRESENT: An Ultra-Lightweight Block Cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  16. 16.
    Borghoff, J., et al.: PRINCE – A Low-Latency Block Cipher for Pervasive Computing Applications - Extended Abstract. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 208–225. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  17. 17.
    Brinkmann, M., Leander, G.: On the Classification of APN Functions Up to Dimension Five. Des. Codes Cryptography 49(1-3), 273–288 (2008)MathSciNetCrossRefzbMATHGoogle Scholar
  18. 18.
    Carlet, C.: Vectorial Boolean Functions for Cryptography. In: Boolean Methods and Models. Cambridge University Press (2010)Google Scholar
  19. 19.
    Daemen, J.: Cipher and Hash Function Design, Strategies Based On Linear and Differential Cryptanalysis. PhD thesis, Katholieke Universiteit Leuven (1995)Google Scholar
  20. 20.
    Daemen, J., Knudsen, L., Rijmen, V.: The Block Cipher SQUARE. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 149–165. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  21. 21.
    Daemen, J., Rijmen, V.: The Wide Trail Design Strategy. In: Honary, B. (ed.) Cryptography and Coding 2001. LNCS, vol. 2260, pp. 222–238. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  22. 22.
    DES: Data Encryption Standard. FIPS PUB 46, Federal Information Processing Standards Publication (1977)Google Scholar
  23. 23.
    Eisenbarth, T., et al.: Compact Implementation and Performance Evaluation of Block Ciphers in ATtiny Devices. In: Mitrokotsa, A., Vaudenay, S. (eds.) AFRICACRYPT 2012. LNCS, vol. 7374, pp. 172–187. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  24. 24.
    Engels, S., Kavun, E.B., Mihajloska, H., Paar, C., Yalçın, T.: A Non-Linear/Linear Instruction Set Extension for Lightweight Block Ciphers. In: ARITH’21: 21st IEEE Symposium on Computer Arithmetics. IEEE Computer Society (2013)Google Scholar
  25. 25.
    Gauravaram, P., Knudsen, L., Matusiewicz, K., Mendel, F., Rechberger, C., Schläer, M., Thomsen, S.: Grøstl. SHA-3 Final-round Candidate (2009)Google Scholar
  26. 26.
    Gong, Z., Nikova, S., Law, Y.W.: KLEIN: A New Family of Lightweight Block Ciphers. In: Juels, A., Paar, C. (eds.) RFIDSec 2011. LNCS, vol. 7055, pp. 1–18. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  27. 27.
    Grassl, M.: Bounds On the Minimum Distance of Linear Codes and Quantum Codes (2007),
  28. 28.
    Grosso, V., Leurent, G., Standaert, F.-X., Varıcı, K.: LS-Designs: Bitslice Encryption for Efficient Masked Software Implementations. In: Fast Software Encryption (FSE). LNCS. Springer (to appear, 2014)Google Scholar
  29. 29.
    Guo, J., Peyrin, T., Poschmann, A.: The PHOTON Family of Lightweight Hash Functions. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 222–239. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  30. 30.
    Guo, J., Peyrin, T., Poschmann, A., Robshaw, M.J.B.: The LED Block Cipher. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 326–341. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  31. 31.
    Intel. Advanced Encryption Standard Instructions, Intel AES-NI (2008)Google Scholar
  32. 32.
    Karakoç, F., Demirci, H., Harmancı, A.E.: ITUbee: A Software Oriented Lightweight Block Cipher. In: Avoine, G., Kara, O. (eds.) LightSec 2013. LNCS, vol. 8162, pp. 16–27. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  33. 33.
    Kavun, E.B., Leander, G., Yalçın, T.: A Reconfigurable Architecture for Searching Optimal Software Code to Implement Block Cipher Permutation Matrices. In: International Conference on ReConFigurable Computing and FPGAs (ReConFig). IEEE Computer Society (2013)Google Scholar
  34. 34.
    Kilian, J., Rogaway, P.: How to Protect DES Against Exhaustive Key Search (An Analysis of DESX). J. Cryptology 14(1), 17–35 (2001)MathSciNetCrossRefzbMATHGoogle Scholar
  35. 35.
    Knežević, M., Nikov, V., Rombouts, P.: Low-Latency Encryption – Is “Lightweight = Light + Wait”? In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 426–446. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  36. 36.
    Leander, G., Poschmann, A.: On the Classification of 4 Bit S-Boxes. In: Carlet, C., Sunar, B. (eds.) WAIFI 2007. LNCS, vol. 4547, pp. 159–176. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  37. 37.
    Lee, R.B., Fışkıran, M., Wang, M., Hilewitz, Y., Chen, Y.-Y.: PAX: A Cryptographic Processor with Parallel Table Lookup and Wordsize Scalability. Princeton University Department of Electrical Engineering Technical Report CE-L2007-010 (2007)Google Scholar
  38. 38.
    Lee, R.B., Shi, Z., Yang, X.: Efficient Permutation Instructions for Fast Software Cryptography. IEEE Micro 21(6), 56–69 (2001)CrossRefGoogle Scholar
  39. 39.
    Lim, C.H., Korkishko, T.: mCrypton – A Lightweight Block Cipher for Security of Low-Cost RFID Tags and Sensors. In: Song, J.-S., Kwon, T., Yung, M. (eds.) WISA 2005. LNCS, vol. 3786, pp. 243–258. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  40. 40.
    Lin, S., Costello, D.J. (eds.): Error Control Coding, 2nd edn. Prentice Hall (2004)Google Scholar
  41. 41.
    Matsui, M.: Linear Cryptanalysis Method for DES Cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994)CrossRefGoogle Scholar
  42. 42.
    McGregor, J.P., Lee, R.B.: Architectural Enhancements for Fast Subword Permutations with Repetitions in Cryptographic Applications. In: 19th International Conference on Computer Design (ICCD 2001), pp. 453–461 (2001)Google Scholar
  43. 43.
    Nyberg, K.: Differentially Uniform Mappings for Cryptography. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 55–64. Springer, Heidelberg (1994)CrossRefGoogle Scholar
  44. 44.
    PIC. 12-Bit Core Instruction SetGoogle Scholar
  45. 45.
  46. 46.
    Saarinen, M.-J.O.: Cryptographic Analysis of All 4 × 4-Bit S-Boxes. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 118–133. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  47. 47.
    Sajadieh, M., Dakhilalian, M., Mala, H., Sepehrdad, P.: Recursive Diffusion Layers for Block Ciphers and Hash Functions. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 385–401. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  48. 48.
    Shi, Z.J., Yang, X., Lee, R.B.: Alternative Application-Specific Processor Architectures for Fast Arbitrary Bit Permutations. IJES 3(4), 219–228 (2008)CrossRefGoogle Scholar
  49. 49.
    Shirai, T., Shibutani, K., Akishita, T., Moriai, S., Iwata, T.: The 128-Bit Blockcipher CLEFIA (Extended Abstract). In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 181–195. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  50. 50.
    Standaert, F.-X., Piret, G., Gershenfeld, N., Quisquater, J.-J.: SEA: A Scalable Encryption Algorithm for Small Embedded Applications. In: Domingo-Ferrer, J., Posegga, J., Schreckling, D. (eds.) CARDIS 2006. LNCS, vol. 3928, pp. 222–236. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  51. 51.
    Suzaki, T., Minematsu, K., Morioka, S., Kobayashi, E.: TWINE: A Lightweight Block Cipher for Multiple Platforms. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 339–354. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  52. 52.
    Ullrich, M., De Cannière, C., Indesteege, S., Küçük, Ö., Mouha, N., Preneel, B.: Finding Optimal Bitsliced Implementations of 4 ×4-Bit S-boxes. In: Symmetric Key Encryption Workshop (2011)Google Scholar
  53. 53.
    Wu, S., Wang, M., Wu, W.: Recursive Diffusion Layers for (Lightweight) Block Ciphers and Hash Functions. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 355–371. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  54. 54.
    Wu, W., Zhang, L.: LBlock: A Lightweight Block Cipher. In: Lopez, J., Tsudik, G. (eds.) ACNS 2011. LNCS, vol. 6715, pp. 327–344. Springer, Heidelberg (2011)CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2014

Authors and Affiliations

  1. 1.Information Security GroupRoyal Holloway, University of LondonUK
  2. 2.Infineon AG, NeubibergGermany
  3. 3.Horst Görtz Institute for IT SecurityRuhr-Universität BochumGermany
  4. 4.University of Information Science and TechnologyOhridMacedonia

Personalised recommendations