On the Construction of and Binary Matrices with Good Implementation

Hindawi Publishing Corporation Mathematical Problems in Engineering Volume 2014, Article ID 540253, 12 pages http://dx.doi.org/10.1155/2014/540253

Research Article On the Construction of 20 × 20 and 24 × 24 Binary Matrices with Good Implementation Properties for Lightweight Block Ciphers and Hash Functions

Muharrem Tolga SakallJ,1 Sedat Akleylek,2,3 Bora Aslan,4 Ercan BuluG,5 and Fatma BüyüksaraçoLlu SakallJ1

1 Department of Computer Engineering, Trakya University, 22030 Edirne, Turkey 2 Department of Computer Engineering, Ondokuz Mayis University, 55139 Samsun, Turkey 3 Institute of Applied Mathematics, Middle East Technical University, 06531 Ankara, Turkey 4 Software Engineering Department, Kirklareli University, 39000 Kırklareli, Turkey 5 Department of Computer Engineering, Namık Kemal University, 59860 C¸orlu, Turkey

Correspondence should be addressed to Sedat Akleylek; [email protected]

Received 16 June 2014; Revised 9 October 2014; Accepted 13 October 2014; Published 2 November 2014

Academic Editor: Kwok-Wo Wong

Copyright © 2014 Muharrem Tolga Sakallı et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

𝑘 We present an algebraic construction based on state transform matrix (companion matrix) for 𝑛×𝑛(where 𝑛 =2̸ , 𝑘 being a positive integer) binary matrices with high branch number and low number of fixed points. We also provide examples for 20×20 and 24×24 binary matrices having advantages on implementation issues in lightweight block ciphers and hash functions. The powers of the companion matrix for an irreducible polynomial over GF(2) with degree 5 and 4 are used in finite field Hadamard or circulant manner to construct 20 × 20 and 24 × 24 binary matrices, respectively. Moreover, the binary matrices are constructed to have good 𝑘 software and hardware implementation properties. To the best of our knowledge, this is the first study for 𝑛×𝑛(where 𝑛 =2̸ , 𝑘 being a positive integer) binary matrices with high branch number and low number of fixed points.

1. Introduction thesamesize[5]. The two existing techniques of measuring diffusion for linear transformations are the branch number Modern block ciphers are made of several rounds. Each of [6]andthenumberoffixedpoints[5]. The branch number these consists of confusion and diffusion layers. Confusion denotes the minimum number of active S-boxes for any two and diffusion are two principles of the operation of a secure consecutive rounds and represents diffusion rate and mea- cipher as identified by Shannon [1]. Many block ciphers use sures security against linear and differential cryptanalysis. linear transformations together with nonlinear substitution To achieve better diffusion property, many modern ciphers boxes (S-boxes) to implement Shannon’s principles. In addi- use linear transformations with high branch number. On the tion, many block ciphers use S-boxes based on the inversion other hand, the number of fixed points provides an indication mappinginafinitefield[2, 3]. In a block cipher, a linear of how well the linear transformation effectively changes the transformation is employed to provide the required diffusion. value of the input block when producing the output block. The linear transformation guarantees all the output bits to The basis of the idea is that there is no diffusion at fixed points depend on all the input bits after few rounds. The substitution since the input blocks at these points are left intact by the layer or nonlinear layer provides the necessary confusion lineartransformation.Notethattheexpectednumberoffixed making this dependency complex and nonlinear [4]. A linear points in a random linear transformation is one [5]. transformation provides diffusion by mixing bits of the fixed Many block ciphers use maximum distance separable size input block to produce the corresponding output block of (MDS) and maximum distance binary linear (MDBL) codes 2 Mathematical Problems in Engineering as diffusion layers in their round function. The AES [7]and matrices with the powers of the companion matrix for an Khazad [8] use MDS codes; the Camellia [9]andARIA irreducible polynomial over GF(2) of degree 5 and 6×6 [10] use MDBL codes. It is known that MDS matrices do circulant matrices with the powers of the companion matrix notgiveacompactimplementationinhardware,forexam- for an irreducible polynomial over GF(2) of degree 4 to ple, AES. Most diffusion layers are linear transformations generate 20 × 20 (involutory and noninvolutory) and 24 × 24 (2𝑚) (2) having matrix representations over GF or GF .The binary matrices (noninvolutory) of branch numbers 8 and (2) binary matrices, having matrix representation over GF ,are 10 with low number of fixed points, respectively. Also, the employed as diffusion layers in block ciphers like Camellia binary matrices are constructed to have suitable software and andARIA.Anadvantageofusingsuchbinarymatricesin hardware implementation properties for lightweight block the design of block ciphers compared with MDS codes is ciphers. Note that the binary matrices with these sizes have theimplementationphasewhereonlyXORoperationsare not been studied in the literature well enough, which may needed while MDS matrices may need XOR operations, table allow us to design a lightweight block cipher with 80-bit and look-ups, and xtime calls [11]. Furthermore, the 8×8and 96-bit block sizes if these matrices are used with 4-bit S-boxes. 16 × 16 binary matrices used in Camellia and ARIA have themaximumbranchnumbers5and8,respectively,andare This paper is organized as follows: Section 2 describes the therefore called MDBL codes [4]. In [12, 13], an algebraic required mathematical background and an introduction to construction method to generate 8×8, 16 × 16,and32 × the proposed method. In Section 3,theproposedmethodis 32 binary matrices of maximum branch number was given. given and examples are provided with good cryptographic There is no general method for 𝑛×𝑛binary matrices where properties. Security assessment of lightweight block cipher 𝑘 𝑛 =2̸ , 𝑘 being a positive integer. Constructing diffusion using the proposed diffusion layer is analyzed in Section 4. layers with high branch numbers, low number of fixed points, Conclusion is given in Section 5. In Appendices A, B,andC and low-cost hardware/software implementations is an open implementation details of given examples are discussed. problem for lightweight block ciphers and hash functions. In recent years, lightweight cryptography has attracted a lot of attention from the crypto community since the use of resource constraint devices has been increasing. There are 2. Preliminaries several lightweight block cipher constructions with 80-bit In this section, we give the mathematical background and a and 96-bit block sizes in the literature [14–17]. However, these view of the proposed method. proposals neglect important real-world constraints except a 𝑚 𝑚 Let GF(2 )≅GF(2)/ ⟨𝑝(𝑥)⟩ ,where𝑝(𝑥)𝑚 =𝑎 𝑥 + small chip area and they have different deficiencies as listed ⋅⋅⋅ + 𝑎1𝑥+𝑎0 is an irreducible polynomial over GF(2) with below: degree 𝑚.Let𝐶𝑚 be the companion matrix for the irreducible polynomial over GF(2) with degree 𝑚.Thepowersof𝐶𝑚 can 𝑚 (i) the lack of efficiency on low-cost processors, be considered as the nonzero elements of GF(2 ) [18, 19]. Then, the matrix 𝐶𝑚 canbeviewedasapolynomial,thatis, (ii) a vast amount of program memory storage, 2 2 𝑀:𝑥,𝑀 :𝑥,.... This is the core part of the proposed 𝑝(𝑥) (iii) high execution times due to the high number of method.Notethatthismultiplicationismodulo and rank of these matrices is the extension degree 𝑚. The identity rounds, 2𝑚−1 matrix can be obtained by 𝐶𝑚 (iv) the lack of security assessment in detail.

The wide-trail strategy is one of the important approaches to design round transformations of block ciphers that combine 0 0 ⋅⋅⋅ 0 𝑎 efficiency and resistance against linear and differential crypt- 0 1 0 ⋅⋅⋅ 0 𝑎 analysis. It results in simple and strong security arguments. 1 𝐶 =(0 1 ⋅⋅⋅ 0 𝑎2 ). However, this approach does not help in designing efficient 𝑚 . . . . (1) diffusion layers (with a suitable number of active S-boxes). In . . d . . this respect, the diffusion layers constructed and the method 00⋅⋅⋅1𝑎𝑚−1 giveninthisstudyaimtoprovideanalternativestructurefor 𝑘 the block ciphers with input size different than 2 . In this study, an algebraic method based on state trans- form matrix (companion matrix) to construct binary matri- 4 ces with good implementation properties for lightweight In this study we focus on the finite fields(2 GF ) and 5 block ciphers and hash functions is given. The emphasis GF(2 ),wheretheirreduciblepolynomialsoverGF(2) are, 𝑘 4 5 2 is given to 𝑛×𝑛binary matrices where 𝑛 =2̸ and respectively, 𝑥 +𝑥+1and 𝑥 +𝑥 +1. Now we give an example 4 𝑘 is a positive integer. The proposed method can also be on how to obtain the elements of GF(2 ). considered as a generalization and different interpretation 4 4 ofthemethodsgivenin[12, 13]sinceitworksforany𝑛. Example 1. Let GF(2 )≅GF(2)/ ⟨𝑝(𝑥)⟩,where𝑝(𝑥) =𝑥 + This method uses 4×4finite field Hadamard (FFHadamard) 𝑥+1is the irreducible polynomial over GF(2).Then, Mathematical Problems in Engineering 3

0001 0010 1000 1001 0011 0100 𝐶 =( ),𝐶2 =( ),...,𝐶15 =( ). 4 0100 4 1001 4 0010 (2) 0010 0100 0001

𝑖 6×6matrices with the elements of 𝐶4,where1≤𝑖≤ Definition 5. An 𝑛×𝑛circulant matrix with the elements of 4 𝑚 2 −1, can be transformed to 24 × 24 binary matrices by GF(2 ) canbegivenasfollows: substituting the powers of 𝐶4 with their corresponding 4×4 𝑎 𝑎 ⋅⋅⋅ 𝑎 𝑎 binary matrices. Similarly, 4×4matrices with the elements 1 2 𝑛−1 𝑛 𝑖 5 𝑎𝑛 𝑎1 ⋅⋅⋅ 𝑎𝑛−2 𝑎𝑛−1 of 𝐶5,where1≤𝑖≤2 −1, can be transformed to 20 × 20 𝐶 (𝑎 ,𝑎 ,...,𝑎 )=(𝑎𝑛−1 𝑎𝑛 ⋅⋅⋅ 𝑎𝑛−3 𝑎𝑛−2). binary matrices by substituting the powers of 5 with their circ 1 2 𝑛 . . . . (6) corresponding 5×5binary matrices. . . d . . Now we recall some facts on the linear transformations. 𝑎2 𝑎3 ⋅⋅⋅ 𝑎𝑛 𝑎1 The linear transformations of diffusion layers used in most block ciphers are represented as matrices. Hence, a linear 𝑚 𝑛 𝑚 𝑛 Note that Remark 4 is also applicable in this case. In transformation 𝐴 : ({0, 1} ) 󳨃→({0,1}) canbedefined Lemma 6, the construction of involutory 4×4FFHadamard as follows: matrix is given.

𝑎11 𝑎12 ⋅⋅⋅ 𝑎1𝑛 𝑥1 Lemma 6. Let 𝐴 be a 4×4FFHadamard matrix with distinct 𝑎 𝑎 ⋅⋅⋅ 𝑎 𝑥 𝑚 𝑇 21 22 2𝑛 2 elements of GF(2 )−{0}.Then𝐴 is involutory if and only if 𝐴 (𝑥) =𝐴⋅𝑥 =( . . . )⋅( . ), (3) 4 . . d . . ∑𝑖=1 𝑎𝑖 =1. 𝑎 𝑎 ⋅⋅⋅ 𝑎 𝑥 𝑛1 𝑛2 𝑛𝑛 𝑛 4 2 4 Proof. The identity matrix satisfies ∑𝑖=1 𝑎𝑖 =1and ∑𝑖=1 𝑎𝑖 = −1 𝑇 𝑥=(𝑥,𝑥 ,...,𝑥 )𝑇 𝑥 ∈ {0, 1}𝑚 𝑖 = 1,...,𝑛 1.Since𝐴 is unitary (𝐴 =𝐴)and symmetric (𝐴 = 𝐴 ),the where 1 2 𝑛 and 𝑖 , . 𝐴 Also 𝑛 represents the number of S-boxes in a diffusion layer matrix is involutory: 𝐴,wherethesizeofeachinputandoutputis𝑚-bit [4]. 𝑎1 𝑎2 𝑎3 𝑎4 𝑎1 𝑎2 𝑎3 𝑎4 𝑎 𝑎 𝑎 𝑎 𝑎 𝑎 𝑎 𝑎 Definition 2 (see [6]). The differential and linear branch 𝐴2 =( 2 1 4 3)⋅( 2 1 4 3) 𝑛×𝑛 𝐴 : ({0,𝑚 1} )𝑛 󳨃→({0,1}𝑚)𝑛 𝑎3 𝑎4 𝑎1 𝑎2 𝑎3 𝑎4 𝑎1 𝑎2 numbers of an matrix are 𝑎 𝑎 𝑎 𝑎 𝑎 𝑎 𝑎 𝑎 defined by 4 3 2 1 4 3 2 1 4 𝑇 𝑚 𝑛 2 𝐵𝑑 (𝐴) = min {𝑤𝑡 (𝑥) +𝑤𝑡(𝐴⋅𝑥 )|𝑥∈({0, 1} ) − {0}}, ∑𝑎𝑖 000 𝑖=1 𝑇 𝑇 𝑚 𝑛 ( 4 ) (7) 𝐵𝑙 (𝐴) = min {𝑤𝑡 (𝑥) +𝑤𝑡(𝐴 ⋅𝑥 )|𝑥∈({0, 1} ) − {0}}, ( 2 ) ( 0 ∑𝑎𝑖 00) ( ) (4) = ( 𝑖=1 ) . ( 4 ) ( 00∑𝑎2 0 ) where 𝑤𝑡(𝑥) isthenumberofnonzerocomponentsin𝑥, ( 𝑖 ) 𝑖=1 respectively. 4 2 000∑𝑎𝑖 Definition 3. Let 𝑛 be a power of 2. An 𝑛×𝑛finite ( 𝑖=1 ) field Hadamard (FFHadamard) matrix with the elements of 𝑚 GF(2 ) canbegivenasfollows: In this study, 20 × 20 binary matrices are constructed 𝑎1 𝑎2 ⋅⋅⋅ 𝑎𝑛−1 𝑎𝑛 by using 4×4FFHadamard matrices with the elements 𝑎2 𝑎1 ⋅⋅⋅ 𝑎𝑛 𝑎𝑛−1 5 (𝑎 ,𝑎 ,...,𝑎 )=( ). of GF(2 ) and also 24 × 24 noninvolutory binary matrices had 1 2 𝑛 . . . . (5) . . d . . are constructed by using 6×6matrices with the elements 4 𝑎𝑛 𝑎𝑛−1 ⋅⋅⋅ 𝑎2 𝑎1 of GF(2 ).The20 × 20 binary matrices constructed are both involutory and noninvolutory with minimum number Remark 4. Note that one can also divide the FFHadamard of fixed points. Involutory transformations can make the matrix into the submatrices. For example, for 4×4 decryption process the same as the encryption process. Thus 𝐴𝐵 FFHadamard matrix, we have had(𝑎1,𝑎2,𝑎3,𝑎4)=(𝐵𝐴), the encryption and decryption can be implemented by the 𝑎 𝑎 𝑎 𝑎 𝐴=(1 2 ) 𝐵=(3 4 ) 𝐴 where 𝑎2 𝑎1 and 𝑎4 𝑎3 .Thematrices and same module and with equal speeds. However, noninvolutory 𝐵 have Toeplitz matrix properties. We use this observation transformations constructed in this study are aimed at having while constructing a diffusion layer. close encryption and decryption speeds. An input block is a 4 Mathematical Problems in Engineering fixed point of a transformation if the input block equals its 3. The Proposed Method output block. Clearly, in this context, there is no diffusion at the fixed points since the input blocks at these points are left In this section, we explain our strategy by using the defini- intact by the linear transformation. Therefore, if the number tions given in Section 2. Then, we give algebraic construction 20 × 20 24 × 24 of fixed points in a linear transformation greatly exceeds of and binary matrices. The construction theexpectednumberforarandomlineartransformation, procedure has four main steps. then this is an indication of poor diffusion of the linear 𝐶 transformation. Note that the expected number of fixed Step 1. Construct companion (state transform) matrix 𝑚 for agivenirreduciblepolynomial𝑝(𝑥) of degree 𝑚.Notethat points in a random linear transformation is one [5]. Consider 𝐶 𝑚×𝑚 an input block to a linear transformation formed by 𝑚-bit 𝑚 is an matrix. (2𝑚) values in the field GF and let the linear transformation 𝑠 1≤𝑠 ≤2𝑚 −1 𝑛×𝑛 𝐴=(𝑎 ) 𝑎 ∈ (2) Step 2. Choose some integers 𝑖’s with 𝑖 and matrix be an matrix 𝑖𝑗 𝑛×𝑛,where 𝑖𝑗 GF or 𝑠𝑖 𝑚 compute the corresponding 𝐶𝑚’s. Note that the selection of 𝑎𝑖𝑗 ∈ GF(2 ) and 𝐼 is an 𝑛×𝑛identity matrix. Then, the set of 𝑠𝑖’s depends on the Hamming weight of each row of the big all fixed points for that linear transformation, which can be matrix 𝐷. represented by a nonsingular matrix 𝐴,canbeobtainedby 𝑇 (𝐴 + 𝐼) ⋅𝑥 =0 𝑠1 𝑠2 𝑠ℓ solving the following equation: , where 0 is the Step 3. Construct 𝐷 by using had(𝐶𝑚,𝐶𝑚,...,𝐶𝑚) or 𝑛 𝑠1 𝑠2 𝑠ℓ all zero vector of length . Hence, the number of fixed points circ(𝐶𝑚,𝐶𝑚,...,𝐶𝑚),whereℓ is a positive integer. Choose canbegivenas matrix 𝐷 whose Hamming weight of the each row is as small as possible. This condition helps us to have low-cost (XOR 𝑚(𝑛−rank(𝐴+𝐼)) friendly) hardware implementations. 𝐹𝐴 =2 . (8) Step 4. Check whether the branch and the number of fixed It is obvious that if the matrix (𝐴 + 𝐼) has bigger rank, the points are satisfactory. matrix 𝐴 has lower number of fixed points. This algorithm can be easily implemented on a computer. The results given in this study are obtained by using Magma Remark 7. The existence of fixed points in the round function Computational Algebra System [24]. With the help of Magma of block ciphers is used as the basis for some cryptographic Computational Algebra System, one can evaluate hundreds of 20 × 20 24 × 24 attacks and these attacks use fixed points that exist across or binary matrices in a second. one or more rounds [5]. The block ciphers DES, SAFER K, Blowfish, GOST, DEAL, and KeeLog were previously found Remark 8. Note that the diffusion layers proposed in this vulnerable to attacks based on the existence of fixed points study can be implemented by only XOR operations whereas [20–23]. For SPN ciphers, the existence of fixed points in a other diffusion layers like MDS (maximum distance separa- linear transformation hints at the presence of 1-round self- ble) matrices may use table look-ups, xtime calls, and so forth iterating differential characteristic. It should be also noted [11].Thus,performingtheproposeddiffusionlayersgivesus that not all fixed points are useful in constructing a self- better implementation properties. iterating characteristic. The usefulness of a fixed point, in this 20 × 20 case, depends on its interaction with the subsequent nonlin- 3.1. Algebraic Construction of Cryptographically Good 𝑛×𝑛 ear transformation. If the input difference is a fixed point, Binary Matrices. The maximum branch number of then the linear transformation will replicate this difference binary matrices is equal to the maximum distance of binary [2𝑛, 𝑛] 𝑛× into the same S-boxes in the next round. In this context, when linear codes. The exact maximum distance for 𝑛 𝑛≤18 designing a block cipher, the linear transformation should be ( ) binary matrices is known. For example, the maximum branch number and also the upper bound for considered with the S-boxes and self-iterating characteristics 8×8 20 × 20 shouldbesearched.Thedesignershoulddecideonthenum- matrices are 5 [4]. binary matrix with a branch number 9 is known and the upper bound is 10 in theory. Note berofroundsoftheblockcipheraccordingtosomefurther that there is no theoretical bound for the involutory binary investigations (e.g., the resistance of the linear transformation matrices in view of branch number. The method presented against other attacks like impossible differential cryptanalysis herein is successful for generating 20 × 20 involutory and and truncated differential cryptanalysis). To ensure that the noninvolutory binary matrices of branch number 8. Also, largenumberoffixedpointsdoesnottriggeranattackto 20 × 20 involutory and noninvolutory binary matrices are thecipherwheretheconstructionisusedasabuildingblock constructed such that the rank of 𝐴+𝐼matrix is the highest depends on the cipher. What we expect is that the cipher itself achievable rank, which is 10 for 20 × 20 involutory binary should behave like a random permutation. Therefore, if the matrices and 20 for 20 × 20 noninvolutory binary matrices. cipher itself does not have many fixed points then it would 20 × 20 𝐴 = In Example 11,a involutory binary matrix ( Binary be almost impossible to exploit the large number of fixed 𝐴−1 4×4 points of the matrix used in the cipher. Therefore, the other Binary) is constructed from a involutory FFHadamard 𝐴 building blocks of the cipher should not leverage and extend matrix that satisfies four restrictions simultaneously such the fixed points of the matrix to the high level structure of that the cipher. Otherwise the cipher may be vulnerable to some (i) the 4×4matrix 𝐴 should be involutory as given in self-similarity attack such as reflection attacks. Lemma 6, Mathematical Problems in Engineering 5

20 × 20 𝐴 (ii) the binary matrix Binary transformed from Hadamard matrix. Therefore, the main idea of the method is the 4×4involutory matrix 𝐴 should be of differential to reduce search space and construct binary matrices of high and linear branch number 8, branch number.

4×4 𝐴 Remark 10. If one wants to construct an involutory 20 × (iii) the involutory matrix should be chosen such 20 that the rank of the (𝐴 + 𝐼) matrix should be 2, which binary matrix and uses it with 4-bit S-boxes, then the 240 (𝐷+𝐼) is in fact the highest achievable rank (𝑛/2 for an 𝑛×𝑛 minimumnumberoffixedpointis since the rank of 5 𝑛/2 𝑛×𝑛 involutory matrix). Since the elements of GF(2 ) are matrixbecomesatmost10(oratmost for an used to construct the 20 × 20 binary matrix, the rank involutory binary matrix). In this respect, this matrix has of the matrix (𝐴 +𝐼)becomes 10. Thus, if it is aspossiblethelowestnumberoffixedpoints.Forexample, Binary 216 used as 80-bit to 80-bit linear transformation, where the AES includes fixed points though the diffusion layer 4 each input element is in GF(2 ),thebinarylinear of the AES (shiftrows + mixcolumns) is not involutory5 [ ]. 40 transformation includes 2 fixed points, Noninvolutory diffusion layers may provide less number of fixed points as shown in Example 12 (one fixed point). 5 (iv) the elements 4×4matrix 𝐴 in GF(2 ) should be cho- Example 11. Let sensuchthateachrowandcolumnofthetransformed 31 18 3 27 binary matrix should have the Hamming weight 𝐶5 𝐶5 𝐶5 𝐶5 equal to 7, which provides suitable implementation 18 31 27 3 𝐶5 𝐶5 𝐶5 𝐶5 properties. ( ) 𝐴= (𝐶31,𝐶18,𝐶3,𝐶27)=( ) . had 5 5 5 5 𝐶3 𝐶27 𝐶31 𝐶18 Remark 9. If we want to construct a 20 × 20 binary matrix of 5 5 5 5 branch number 8 with minimum Hamming weight (in each 𝐶27 𝐶3 𝐶18 𝐶31 row and column), then we need to focus on a binary matrix ( 5 5 5 5 ) which has Hamming weight 7 in each row and column. That 20 324 (9) means in random search we should search (𝐶(20, 7)) ≈2 binary matrices whereas our search space in the proposed be an involutory 4×4 FFHadamard matrix, which is also MDS 5 5 method is 𝐶(31, 4) = 31465,where2 −1 = 31represents matrix over the finite field(2 GF ) defined by the primitive 5 2 the number of 5×5binary matrices (different elements) polynomial 𝑝(𝑥) =𝑥 +𝑥 +1;thatis,thebranchnumberof used in the construction and obtained by using the primitive the 4×4matrix is 5. It can be transformed into the 20 × 20 5 2 polynomial 𝑥 +𝑥 +1and 4 represents the first 4 elements in binary matrix satisfying the restrictions above as follows:

10000100010010010101 [ ] [01000110000001011010] [ ] [00100011010010101000] [ ] [00010001101001010100] [ ] [00001000110100101010] [ ] [10001100001010100100] [ ] [11000010001101000010] [ ] [01101001000100000101] [ ] [00110000101010010010] [ ] [00011000010101001001] 𝐴 = [ ] . Binary [00100101011000010001] (10) [ ] [00010110100100011000] [ ] [ ] [00101010000010001101] [ ] [10010101000001000110] [ ] [01001010100000100011] [10101001001000110000] [ ] [11010000101100001000] [ ] [ ] [01000001010110100100] [10100100100011000010] [01010010010001100001]

20 × 20 𝐴 4×4 Note that binary matrix, Binary given in Example 11, noninvolutory binary matrix is constructed from requires 120 XOR operations in the implementation for noninvolutory matrix 𝐵 that satisfies three restrictions simul- both encryption and decryption. In Example 12,a20 × 20 taneously such that 6 Mathematical Problems in Engineering

20 × 20 𝐵 (i) the binary matrix, Binary,transformedfrom Example 12. Let the 4×4noninvolutory matrix 𝐵 should be of 31 27 9 differential and linear branch number 8, 𝐶5 𝐶5 𝐶5 𝐶5 31 9 27 𝐶5 𝐶5 𝐶5 𝐶5 (ii) the rank of 4×4noninvolutory matrix 𝐵 should be 31 27 9 ( ) 𝐵=had (𝐶5 ,𝐶5,𝐶5 ,𝐶5)=( 27 9 31 ) . 4, which is in fact the highest achievable rank (𝑛 for 𝐶5 𝐶5 𝐶5 𝐶5 5 𝑛×𝑛matrix). Since the elements of GF(2 ) are used 20 × 20 𝐶9 𝐶27 𝐶 𝐶31 to construct the binary matrix, the rank of ( 5 5 5 5 ) the matrix (𝐵 +𝐼)becomes 20. Therefore, if it is Binary (11) used as 80-bit to 80-bit linear transformation, where (24) each input element is in GF ,thebinarylinear be a noninvolutory 4×4FFHadamard matrix, which is 5 transformation includes only one fixed point, alsoMDSmatrixoverthefinitefieldGF(2 ) defined by the 𝑝(𝑥)5 =𝑥 +𝑥2 +1 5 primitive polynomial ;thatis,thebranch (iii) the elements of 4×4matrix 𝐵 in GF(2 ) should number of the 4×4matrix is 5. It can be transformed into be chosen such that the constructed binary matrix the 20 × 20 binary matrix satisfying the restrictions above as should have suitable implementation properties. follows:

10000000011010101100 [ ] [01000100001101010110] [ ] [00100010010100000111] [ ] [00010001001010010011] [ ] [00001000100101011001] [ ] [ ] [00001100000110010101] [ ] [10000010001011011010] [ ] [01001001000011101000] [ ] [ ] [00100000101001110100] [ ] [00010000011100101010] 𝐵 = [ ] . Binary [10101011001000000001] (12) [ ] [ ] [11010101100100010000] [ ] [01000001110010001001] [ ] [10100100110001000100] [ ] [01010110010000100010] [ ] [ ] [01100101010000110000] [ ] [10110110101000001000] [ ] [00111010000100100100] [ ] [10011101000010000010] [11001010100001000001]

20×20 𝐵 Note that the binary matrix Binary given in Example 12 noninvolutory binary matrices are constructed such that the andtheinverseof20 × 20 binary matrix (Appendix A) rank of (𝐷 + 𝐼) matrix is as possible as high rank. Also, require 124 XOR operations and 140 XOR operations in the when constructing 24 × 24 binary matrices, 6×6circulant 4 implementation for encryption and decryption, respectively. matrices with the elements of GF(2 ) are used. In Example 13, a 24 × 4 noninvolutory binary matrix is constructed from a 6×6circulant matrix 𝐷 that satisfies three restrictions 3.2. Algebraic Construction of Cryptographically Good 24 × simultaneously such that 24 Binary Matrices. The exact maximum distance (upper 24 × 24 𝐷 bound) and therefore maximum branch number for 24 × 24 (i) the binary matrix, Binary,transformedfrom 6×6 𝐶 binary matrices are 12 [4]. The method presented herein the circulant matrix should be of differential is successful for generating 24 × 24 noninvolutory binary and linear branch number 10, matrices of branch number 10. Note that there is no known (ii) the 6×6circulant matrix 𝐶 should be chosen such 24 × 24 binary matrices of branch number 10 or more. 24 × 24 that the rank of the (𝐷 + 𝐼) matrix should be 5, which Mathematical Problems in Engineering 7

7 15 3 14 11 2 is in fact the highest achievable rank satisfying the 𝐶4 𝐶4 𝐶4 𝐶4 𝐶4 𝐶4 4 2 7 15 3 14 11 previous restriction. Since the elements of GF(2 ) are 𝐶4 𝐶4 𝐶4 𝐶4 𝐶4 𝐶4 used to construct the 24 × 24 binary matrix, the rank ( ) (𝐶11 𝐶2 𝐶7 𝐶15 𝐶3 𝐶14) of the matrix (𝐷 +𝐼)becomes 20. Thus, if it is ( 4 4 4 4 4 4 ) Binary ( ) used as 96-bit to 96-bit linear transformation, where ( ) 4 = (𝐶14 𝐶11 𝐶2 𝐶7 𝐶15 𝐶3 ) (13) each input element is in GF(2 ),thebinarylinear ( 4 4 4 4 4 4 ) 16 ( ) transformation includes 2 fixed points. ( 3 14 11 2 7 15) 𝐶4 𝐶4 𝐶4 𝐶4 𝐶4 𝐶4 4 (iii) The elements of 6×6matrix 𝐷 in GF(2 ) should 𝐶15 𝐶3 𝐶14 𝐶11 𝐶2 𝐶7 be chosen such that the constructed binary matrix ( 4 4 4 4 4 4 ) should have suitable implementation properties. be a 6×6circulant matrix, which is of branch number 6 over 4 Example 13. Let finitefieldGF(2 ) definedbytheprimitivepolynomial𝑝(𝑥) = 4 𝑥 +𝑥+1. It can be transformed into the 24×24 binary matrix 𝐷= (𝐶7,𝐶15,𝐶3,𝐶14,𝐶11,𝐶2) circ 4 4 4 4 4 4 satisfying the restrictions above as follows:

110110000100110001110010 [ ] [101101000110001011000011] [ ] [010100100011000111101001] [101000011001100011110100] [ ] [001011011000010011000111] [ ] [001110110100011000101100] [ ] [100101010010001100011110] [ ] [010010100001100110001111] [ ] [011100101101100001001100] [ ] [110000111011010001100010] [ ] [111010010101001000110001] [ ] [111101001010000110011000] 𝐷 = [ ] . Binary [110001110010110110000100] (14) [ ] [001011000011101101000110] [ ] [000111101001010100100011] [ ] [100011110100101000011001] [ ] [010011000111001011011000] [ ] [011000101100001110110100] [ ] [001100011110100101010010] [ ] [100110001111010010100001] [ ] [100001001100011100101101] [ ] [010001100010110000111011] [001000110001111010010101] [000110011000111101001010]

Note that in a straight coding the 24 × 24 binary matrix, given a nonzero input difference, and a linearly active S-box 𝐷 Binary given in Example 13,requires240XORoperationsin is defined as an S-box given a nonzero output mask. In this the implementation for both encryption and decryption. The study, S-boxes are assumed to be bijective mappings defined 𝑚 required number of XOR operations can be reduced to 186 by on GF(2 ) and round keys are assumed to be independent adding 6 temporary variables to the implementation for both and random uniform. Thus the number of active S-boxes is encryptionanddecryption(AppendicesB and C). not affected by the key addition layer. The branch number of a diffusion layer is the minimum number of active S-boxes in the 2-round SPN (substitution permutation network). We 𝑝 𝑞 4. Security Assessment of an Assumed follow the method defined in [25, 26]. Let 𝐷 and 𝐿 be the the maximum probabilities of the differential and linear char- Lightweight Block Cipher with 80-Bit or 2𝑟 𝑟⋅𝛽 acteristic for 2𝑟-round SPN, respectively. Let 𝑝𝐷 ≤𝑝 and 96-Bit Block Size 2𝑟 𝑟⋅𝛽 𝑞𝐿 ≤𝑞 ,where𝑝, 𝑞,and𝛽 denote the maximum differential In this section, we focus on the security analysis of the probability for the S-box, the maximum linear probability for assumed block cipher using the proposed linear transfor- the S-box, and branch number for the diffusion layer used mation. A differentially active S-box is defined as an S-box in a block cipher, respectively. In this study, an SPN structure 8 Mathematical Problems in Engineering consisting of a number of rounds of the same 20 4-bit S-boxes differential and linear probabilities of 10-round SPN are −2 5⋅10 −100 −96 connected by a 20 × 20 binary matrix is considered for 80-bit bounded by (2 ) =2 ≤2 . block size. Figure 1 shows one round function of an assumed block cipher. Note that the maximum differential and linear −2 5. Conclusion probabilities of the S-box are assumed to be 2 which is 4×4 the best value for S-boxes [27]. Then, the maximum In this study, an algebraic method based on state transform 𝑝 probabilities of the differential, 𝐷, and linear characteristic, matrix (companion matrix) to construct 𝑛×𝑛binary matri- 𝑞 2𝑟 𝐿,for -round SPN are as follows: ces with good implementation properties for lightweight block ciphers and hash functions is given. The proposed method can also be considered as a generalization and 2𝑟 −2 𝑟⋅𝛽𝐴 2𝑟 −2 𝑟⋅𝛽𝐴 𝑝𝐷 ≤(2 ) ,𝑞𝐿 ≤(2 ) , (15) differentinterpretationofthemethodsgivenin[12, 13] since it works for any 𝑛.For20 × 20 and 24 × 24 binary matrices, examples are provided with good implementation where 𝛽𝐴 denotes the branch number of 20×20 binary matrix properties. The binary matrices are also constructed to have assumed for the lightweight block cipher demonstrated in suitable software and hardware implementation properties Figure 1. The maximum differential and linear probabilities for lightweight block ciphers. In other words, by using −2 1⋅8 −16 of 2-round SPN are bounded by (2 ) =2 since the the proposed method, the matrices have smaller hardware branch number of the binary matrix is assumed to be 8 and implementations in view of the required number of XOR thus the number of minimum active S-box is 8 in the 2-round gates. Note that the binary matrices with these sizes have not SPN. In Table 1,thelowerboundsforthenumberofactive been studied in the literature well enough, which may allow 80 96 S-boxes and the upper bounds for the probabilities for linear us to design a lightweight block cipher with -bit and - 4 and differential probabilities in each round size are computed bitblocksizesifthesematricesareusedwith -bit S-boxes. 20 × 20 for the assumed block cipher of 80-bit and 96-bit block sizes. binary matrix given in Example 12 has only one fixed In this context, the minimum number of rounds needed point and branch number 8. for the lightweight block cipher with 80-bit block size to be secure against differential and linear cryptanalysis is 10 Appendices because the maximum differential and linear probabilities −2 5⋅8 −80 −80 of 10-round SPN are bounded by (2 ) =2 ≤2 . A. Inverse of the 20×20 Binary Matrix Given in Similarly, if an SPN structure consisting of a number of Example 12 roundsofthesame244-bit S-boxes connected by a 24 × 24 96 20 × 20 𝐵−1 binary matrix is considered for -bit block size, then The inverse of the binary matrix ( Binary)given the minimum number of rounds needed for the lightweight in Example 12 canbeconstructedbytransforming4×4 2 3 29 11 block cipher to be secure against differential and linear FFHadamard matrix had(𝐶5,𝐶5,𝐶5 ,𝐶5 ) into the binary cryptanalysis is again obtained as 10 because the maximum form as given below:

00010001001010010011 [00001000100101011001] [ ] [10010001010000111111] [ ] [01001100101000001111] [ ] [00100010010100000111] [ ] [00100000101001110100] [ ] [00010000011100101010] [ ] [00101100101111100001] [ ] [10010010010111110000] [ ] [01001001000011101000] 𝐵−1 = [ ] . Binary [10100100110001000100] (A.1) [ ] [01010110010000100010] [ ] [00001111111001000101] [ ] [10000011110100110010] [ ] [01000001110010001001] [ ] [10011101000010000010] [ ] [11001010100001000001] [ ] [11111000010010110010] [01111100001001001001] [00111010000100100100] Mathematical Problems in Engineering 9

Key addition layer

S1 S2 ··· S20

(S-box layer)

20 × 20 binary matrix (diffusion layer)

Figure 1: One round function of an assumed lightweight block cipher.

Table 1: The lower bounds for the number of active S-boxes and the upper bounds for the linear and differential probabilities for the assumed block cipher of 80-bit and 96-bit block size.

The lower bounds for the number of active S-boxes The upper bounds for the linear and differential probabilities Round 80-bit block cipher 96-bit block cipher 80-bit block cipher 96-bit block cipher −16 −20 28 10 2 2 −18 −22 39 11 2 2 −32 −40 41620 2 2 −34 −42 51721 2 2 −48 −60 62430 2 2 −50 −62 72531 2 2 −64 −80 83240 2 2 −66 −82 93341 2 2 −80 −100 10 40 50 2 2 −82 −102 11 41 51 2 2 −96 −120 12 48 60 2 2

B. Implementation of the 24×24 Binary Matrix 𝑇5 =𝑥5 ⊕𝑥10 ⊕𝑥19 ⊕𝑥20, Given in Example 13 𝑦0 =𝑇0 ⊕𝑥0 ⊕𝑥1 ⊕𝑥9 ⊕𝑥12 ⊕𝑥17 ⊕𝑥19 ⊕𝑥22, If the 24 × 24 binary matrix given in Example 13 is imple- 4 𝐷 4 𝑦1 =𝑇1 ⊕𝑥2 ⊕𝑥3 ⊕𝑥5 ⊕𝑥10 ⊕𝑥16 ⊕𝑥17 ⊕𝑥22, mented with -bit XORs, then Binary is represented by - 𝐷 ⋅𝑥 = 𝑦 bitXORsofbinaryvectorsasfollows: Binary , 𝑇 𝑇 𝑦2 =𝑇2 ⊕𝑥3 ⊕𝑥10 ⊕𝑥11 ⊕𝑥17 ⊕𝑥18 ⊕𝑥20 ⊕𝑥23, where 𝑥=(𝑥0,𝑥1,...,𝑥31) and 𝑦=(𝑦0,𝑦1,...,𝑦31) with 𝑥 ,𝑦 ∈ (24) 𝑖 = 0,1,...,31 𝑇 ,𝑇 ,...,𝑇 𝑖 𝑖 GF , . Note also that 0 1 5 𝑦3 =𝑇3 ⊕𝑥0 ⊕𝑥7 ⊕𝑥8 ⊕𝑥16 ⊕𝑥17 ⊕𝑥18 ⊕𝑥19, aretemporaryvariablesusedtoreducethenumberofXOR operations from 240 XOR to 186 XOR. Then, 𝑦4 =𝑇4 ⊕𝑥2 ⊕𝑥4 ⊕𝑥5 ⊕𝑥13 ⊕𝑥16 ⊕𝑥21 ⊕𝑥23,

𝑇0 =𝑥3 ⊕𝑥4 ⊕𝑥13 ⊕𝑥18, 𝑦5 =𝑇0 ⊕𝑥2 ⊕𝑥6 ⊕𝑥7 ⊕𝑥9 ⊕𝑥14 ⊕𝑥20 ⊕𝑥21,

𝑇1 =𝑥0 ⊕𝑥9 ⊕𝑥14 ⊕𝑥23, 𝑦6 =𝑇5 ⊕𝑥0 ⊕𝑥3 ⊕𝑥7 ⊕𝑥14 ⊕𝑥15 ⊕𝑥21 ⊕𝑥22,

𝑇2 =𝑥1 ⊕𝑥6 ⊕𝑥15 ⊕𝑥16, 𝑦7 =𝑇2 ⊕𝑥4 ⊕𝑥11 ⊕𝑥12 ⊕𝑥20 ⊕𝑥21 ⊕𝑥22 ⊕𝑥23,

𝑇3 =𝑥2 ⊕𝑥11 ⊕𝑥12 ⊕𝑥21, 𝑦8 =𝑇3 ⊕𝑥1 ⊕𝑥3 ⊕𝑥6 ⊕𝑥8 ⊕𝑥9 ⊕𝑥17 ⊕𝑥20,

𝑇4 =𝑥7 ⊕𝑥8 ⊕𝑥17 ⊕𝑥22, 𝑦9 =𝑇4 ⊕𝑥0 ⊕𝑥1 ⊕𝑥6 ⊕𝑥10 ⊕𝑥11 ⊕𝑥13 ⊕𝑥18, 10 Mathematical Problems in Engineering

𝑦10 =𝑇1 ⊕𝑥1 ⊕𝑥2 ⊕𝑥4 ⊕𝑥7 ⊕𝑥11 ⊕𝑥18 ⊕𝑥19, 𝑦19 =𝑇0 ⊕𝑥0 ⊕𝑥8 ⊕𝑥9 ⊕𝑥10 ⊕𝑥11 ⊕𝑥16 ⊕𝑥23,

𝑦11 =𝑇5 ⊕𝑥0 ⊕𝑥1 ⊕𝑥2 ⊕𝑥3 ⊕𝑥8 ⊕𝑥15 ⊕𝑥16, 𝑦20 =𝑇1 ⊕𝑥5 ⊕𝑥8 ⊕𝑥13 ⊕𝑥15 ⊕𝑥18 ⊕𝑥20 ⊕𝑥21,

𝑦12 =𝑇2 ⊕𝑥0 ⊕𝑥5 ⊕𝑥7 ⊕𝑥10 ⊕𝑥12 ⊕𝑥13 ⊕𝑥21, 𝑦21 =𝑇5 ⊕𝑥1 ⊕𝑥6 ⊕𝑥12 ⊕𝑥13 ⊕𝑥18 ⊕𝑥22 ⊕𝑥23,

𝑦13 =𝑇3 ⊕𝑥4 ⊕𝑥5 ⊕𝑥10 ⊕𝑥14 ⊕𝑥15 ⊕𝑥17 ⊕𝑥22, 𝑦22 =𝑇3 ⊕𝑥6 ⊕𝑥7 ⊕𝑥13 ⊕𝑥14 ⊕𝑥16 ⊕𝑥19 ⊕𝑥23,

𝑦14 =𝑇0 ⊕𝑥5 ⊕𝑥6 ⊕𝑥8 ⊕𝑥11 ⊕𝑥15 ⊕𝑥22 ⊕𝑥23, 𝑦23 =𝑇4 ⊕𝑥3 ⊕𝑥4 ⊕𝑥12 ⊕𝑥13 ⊕𝑥14 ⊕𝑥15 ⊕𝑥20. (B.1) 𝑦15 =𝑇1 ⊕𝑥4 ⊕𝑥5 ⊕𝑥6 ⊕𝑥7 ⊕𝑥12 ⊕𝑥19 ⊕𝑥20, 𝑦 =𝑇 ⊕𝑥 ⊕𝑥 ⊕𝑥 ⊕𝑥 ⊕𝑥 ⊕𝑥 ⊕𝑥 , 16 5 1 4 9 11 14 16 17 C. Inverse of 24 × 24 Binary Matrix Given in

𝑦17 =𝑇2 ⊕𝑥2 ⊕𝑥8 ⊕𝑥9 ⊕𝑥14 ⊕𝑥18 ⊕𝑥19 ⊕𝑥21, Example 13 and Implementation Details 24 × 24 𝑦18 =𝑇4 ⊕𝑥2 ⊕𝑥3 ⊕𝑥9 ⊕𝑥10 ⊕𝑥12 ⊕𝑥15 ⊕𝑥19, The inverse of the binary matrix given in Example 13 −1 is constructed from the 6×6circulant matrix 𝐷 = 11 14 14 2 9 15 circ(𝐶4 ,𝐶4 ,𝐶4 ,𝐶4,𝐶4,𝐶4 ) as follows:

011111001100001001011000 [ ] [110000100010001111110100] [ ] [111000010001100101110010] [111110001000010010110001] [ ] [100001111100110000100101] [ ] [010011000010001000111111] [ ] [001011100001000110010111] [ ] [000111111000100001001011] [ ] [010110000111110011000010] [ ] [111101001100001000100011] [ ] [011100101110000100011001] [ ] [101100011111100010000100] 𝐷−1 = [ ] . Binary [001001011000011111001100] (C.1) [ ] [001111110100110000100010] [ ] [100101110010111000010001] [ ] [010010110001111110001000] [ ] [110000100101100001111100] [ ] [001000111111010011000010] [ ] [000110010111001011100001] [ ] [100001001011000111111000] [ ] [110011000010010110000111] [ ] [001000100011111101001100] [000100011001011100101110] [100010000100101100011111]

𝐷−1 ⋅𝑥=𝑦 𝑥=(𝑥,𝑥 ,...,𝑥 )𝑇 𝑦= 𝑇 =𝑥 ⊕𝑥 ⊕𝑥 ⊕𝑥 , Let Binary ,where 0 1 31 and 5 13 14 15 20 𝑇 4 (𝑦0,𝑦1,...,𝑦31) with 𝑥𝑖,𝑦𝑖 ∈ GF(2 ), 𝑖 = 0,1,...,31.Note 𝑦0 =𝑇0 ⊕𝑥1 ⊕𝑥4 ⊕𝑥5 ⊕𝑥14 ⊕𝑥17 ⊕𝑥19 ⊕𝑥20, also that 𝑇0,𝑇1,...,𝑇5 are temporary variables used to reduce thenumberofXORoperationsfrom240XORsto186XORs. 𝑦 =𝑇 ⊕𝑥 ⊕𝑥 ⊕𝑥 ⊕𝑥 ⊕𝑥 ⊕𝑥 ⊕𝑥 , Then, 1 1 6 10 14 15 16 17 21

𝑦2 =𝑇1 ⊕𝑥2 ⊕𝑥7 ⊕𝑥11 ⊕𝑥12 ⊕𝑥15 ⊕𝑥17 ⊕𝑥22, 𝑇0 =𝑥2 ⊕𝑥3 ⊕𝑥8 ⊕𝑥9,

𝑦3 =𝑇1 ⊕𝑥2 ⊕𝑥3 ⊕𝑥4 ⊕𝑥8 ⊕𝑥13 ⊕𝑥16 ⊕𝑥23, 𝑇1 =𝑥0 ⊕𝑥1 ⊕𝑥18 ⊕𝑥19,

𝑇2 =𝑥5 ⊕𝑥6 ⊕𝑥7 ⊕𝑥12, 𝑦4 =𝑇2 ⊕𝑥0 ⊕𝑥8 ⊕𝑥9 ⊕𝑥13 ⊕𝑥18 ⊕𝑥21 ⊕𝑥23,

𝑇3 =𝑥4 ⊕𝑥21 ⊕𝑥22 ⊕𝑥23, 𝑦5 =𝑇3 ⊕𝑥1 ⊕𝑥5 ⊕𝑥10 ⊕𝑥14 ⊕𝑥18 ⊕𝑥19 ⊕𝑥20,

𝑇4 =𝑥10 ⊕𝑥11 ⊕𝑥16 ⊕𝑥17, 𝑦6 =𝑇3 ⊕𝑥2 ⊕𝑥5 ⊕𝑥6 ⊕𝑥11 ⊕𝑥15 ⊕𝑥16 ⊕𝑥19, Mathematical Problems in Engineering 11

𝑦7 =𝑇2 ⊕𝑥3 ⊕𝑥4 ⊕𝑥8 ⊕𝑥17 ⊕𝑥20 ⊕𝑥22 ⊕𝑥23, [5]M.R.Z’aba,Analysis of linear relationships in block ciphers [Ph.D. thesis], Queensland University of Technology, Brisbane, 𝑦8 =𝑇4 ⊕𝑥1 ⊕𝑥3 ⊕𝑥4 ⊕𝑥9 ⊕𝑥12 ⊕𝑥13 ⊕𝑥22, Australia, 2010. [6] J. Daemen and V. Rijmen, The Design of Rijndael: AES-The 𝑦9 =𝑇0 ⊕𝑥0 ⊕𝑥1 ⊕𝑥5 ⊕𝑥14 ⊕𝑥18 ⊕𝑥22 ⊕𝑥23, Advanced Encryption Standard, Springer, Berlin, Germany, 𝑦10 =𝑇0 ⊕𝑥1 ⊕𝑥6 ⊕𝑥10 ⊕𝑥15 ⊕𝑥19 ⊕𝑥20 ⊕𝑥23, 2002. [7] FIPS 197, Advanced Encryption Standard,USNationalInstitute 𝑦11 =𝑇0 ⊕𝑥0 ⊕𝑥7 ⊕𝑥10 ⊕𝑥11 ⊕𝑥12 ⊕𝑥16 ⊕𝑥21, of Standards and Technology, 2001. [8] P. S. L. M. Barreto and V. Rijmen, “The Khazad legacy-level 𝑦12 =𝑇5 ⊕𝑥2 ⊕𝑥5 ⊕𝑥7 ⊕𝑥8 ⊕𝑥16 ⊕𝑥17 ⊕𝑥21, block cipher,” in Proceedings of the 1st Open NESSIE Workshop, 𝑦13 =𝑇2 ⊕𝑥2 ⊕𝑥3 ⊕𝑥4 ⊕𝑥9 ⊕𝑥13 ⊕𝑥18 ⊕𝑥22, 2000. [9] K. Aoki, T. Ichikawa, M. Kanda et al., “Camellia: a 128-bit block 𝑦14 =𝑇2 ⊕𝑥0 ⊕𝑥3 ⊕𝑥10 ⊕𝑥13 ⊕𝑥14 ⊕𝑥19 ⊕𝑥23, cipher suitable for multiple platforms—design and analysis,” 𝑦 =𝑇 ⊕𝑥 ⊕𝑥 ⊕𝑥 ⊕𝑥 ⊕𝑥 ⊕𝑥 ⊕𝑥 , in Proceedings of the 7th Annual International Workshop on 15 5 1 4 6 7 11 12 16 Selected Areas in Cryptography (SAC ’00),vol.2012ofLecture Notes in Computer Science, pp. 39–56, 2000. 𝑦16 =𝑇1 ⊕𝑥6 ⊕𝑥9 ⊕𝑥11 ⊕𝑥12 ⊕𝑥17 ⊕𝑥20 ⊕𝑥21, [10] D. Kwon, J. Kim, S. Park et al., “New block cipher: ARIA,” 𝑦17 =𝑇4 ⊕𝑥2 ⊕𝑥6 ⊕𝑥7 ⊕𝑥8 ⊕𝑥9 ⊕𝑥13 ⊕𝑥22, in Information Security and Cryptology—ICISC 2003,vol.2971 of Lecture Notes in Computer Science, pp. 432–445, Springer, 𝑦18 =𝑇4 ⊕𝑥3 ⊕𝑥4 ⊕𝑥7 ⊕𝑥9 ⊕𝑥14 ⊕𝑥18 ⊕𝑥23, Berlin, Germany, 2004. 𝑦 =𝑇 ⊕𝑥 ⊕𝑥 ⊕𝑥 ⊕𝑥 ⊕𝑥 ⊕𝑥 ⊕𝑥 , [11] J. Nakahara Jr. and E.´ Abrahao,˜ “A new involutory MDS matrix 19 4 0 5 8 15 18 19 20 for the AES,” International Journal of Network Security,vol.9, no. 2, pp. 109–116, 2009. 𝑦20 =𝑇3 ⊕𝑥0 ⊕𝑥1 ⊕𝑥5 ⊕𝑥10 ⊕𝑥13 ⊕𝑥15 ⊕𝑥16, [12] B. Aslan and M. T. Sakallı, “Algebraic construction of crypto- 𝑦21 =𝑇5 ⊕𝑥2 ⊕𝑥6 ⊕𝑥10 ⊕𝑥11 ⊕𝑥12 ⊕𝑥17 ⊕𝑥21, graphically good binary linear transformations,” Security and Communication Networks,vol.7,no.1,pp.53–63,2014. 𝑦 =𝑇 ⊕𝑥 ⊕𝑥 ⊕𝑥 ⊕𝑥 ⊕𝑥 ⊕𝑥 ⊕𝑥 , 22 5 3 7 8 11 18 21 22 [13]M.T.SakallıandB.Aslan,“Onthealgebraicconstructionof cryptographically good 32 × 32 binary linear transformations,” 𝑦23 =𝑇3 ⊕𝑥0 ⊕𝑥9 ⊕𝑥12 ⊕𝑥14 ⊕𝑥15 ⊕𝑥19 ⊕𝑥20. Journal of Computational and Applied Mathematics,vol.259,pp. (C.2) 485–494, 2014. [14]R.Beaulieu,D.Shors,J.Smith,S.Treatman-Clark,B.Weeks, Conflict of Interests and L. Wingers, “The simon and speck families of lightweight block ciphers,” Cryptology ePrint Archive, Report 2013/404, The authors declare that there is no conflict of interests 2013. regarding the publication of this paper. [15] H. Yap, K. Khoo, A. Poschmann, and M. Henricksen, “EPCBC—a block cipher suitable for electronic product code encryption,” in CryptologyandNetworkSecurity:Proceedings Acknowledgments of the 10th International Conference, CANS 2011, Sanya, China, ¨ December 10–12, 2011,vol.7092ofLecture Notes in Computer Sedat Akleylek is partially supported by OMU under the Science, pp. 76–97, Springer, Berlin, Germany, 2011. Grant no. PYO.MUH.1904.12.014. The authors thank the anonymous referees for their detailed and very helpful com- [16] F. Karakoc, H. Demirci, and A. E. Harmanci, “ITUbee: a soft- ware oriented lightweight block cipher,” in Lightweight Cryp- ments and for bringing reference [26]toourattention.The tography for Security and Privacy: 2nd International Workshop, authors also thank Orhun Kara for his valuable comments on LightSec2013,Gebze,Turkey,May6-7,2013,RevisedSelected thediscussionofRemark 7. Papers, vol. 8162, pp. 16–27, Springer, Berlin, Germany, 2013. [17] F. X. Standaert, G. Piret, N. Gershenfeld, and J.-J. Quisquater, References “SEA: a scalable encryption algorithm for small embedded applications,” in Smart Card Research and Advanced Applica- [1] C. E. Shannon, “Communication theory of secrecy systems,” tions,vol.3928ofLecture Notes in Computer Science, pp. 222– The Bell System Technical Journal,vol.28,pp.656–715,1949. 236, Springer, Berlin, Germany, 2006. [2] O. Karaahmetoglu,˘ M. T. Sakallı, E. Bulus¸, and I. Tutanescu,˘ [18] R. J. McEliece, Finite Fields for Computer Scientists and Engi- “A new method to determine algebraic expression of power neers, Kluwer Academic Publishers, Dordrecht, The Nether- mapping based S-boxes,” Information Processing Letters, vol. 113, lands, 1987. no.7,pp.229–235,2013. [19] R. Lidl and H. Niederreiter, Finite Fields (Encyclopedia of [3]A.M.YoussefandS.E.Tavares,“AffineequivalenceintheAES MathematicsanditsApplications), Addison-Wesley, Reading, round function,” Discrete Applied Mathematics,vol.148,no.2, Mass, USA, 1983. pp. 161–170, 2005. [20] N. T. Courtois, G. V. Bard, and D. Wagner, “Algebraic and slide [4]D.Kwon,S.H.Sung,J.H.Song,andS.Park,“Designofblock attacks on KeeLoq,” in Fast Software Encryption,vol.5086of ciphers and coding theory,” Trends in Mathematics,vol.8,no.1, Lecture Notes in Computer Science, pp. 97–115, Springer, Berlin, pp.13–20,2005. Germany, 2008. 12 Mathematical Problems in Engineering

[21] S. Vaudenay, “Related-key attack against triple encryption based on fixed points,” in Proceedings of the International Conference on Security and Cryptography (SECRYPT ’11),pp.59–67,July 2011. [22] A. Bay, A. Mashatan, and S. Vaudenay, “A related-key attack against multiple encryption based on fixed points,”in E-Business and Telecommunications: International Joint Conference, ICETE 2011,Seville,Spain,July18–21,2011,RevisedSelectedPapers,vol. 314 of Communications in Computer and Information Science, pp. 264–280, Springer, Berlin, Germany, 2012. [23] I. Dinur, O. Dunkelmann, and A. Shamir, “Improved attacks on full GOST,” in Fast Software Encryption: 19th International Workshop, FSE 2012, Washington, DC, USA, March 19–21, 2012. Revised Selected Papers,vol.7549ofLecture Notes in Computer Science, pp. 9–28, Springer, Berlin, Germany, 2012. [24] W. Bosma, J. Cannon, and C. Playoust, “The Magma algebra system I: the user language,” Journal of Symbolic Computation, vol. 24, no. 3-4, pp. 235–265, 1997. [25] B. W. Koo, H. S. Jang, and J. H. Song, “On constructing of a 32×32 binary matrix as a diffusion layer for a 256-bit block cipher,” in Information Security and Cryptology—ICISC 2006, vol. 4296 of Lecture Notes in Computer Science,pp.51–64, Springer, Berlin, Germany, 2006. [26]S.Hong,S.Lee,J.Lim,J.Sung,D.Cheon,andI.Cho,“Provable security against differential and linear cryptanalysis for the SPN structure,”in Fast Software Encryption,vol.1978ofLecture Notes in Computer Science, pp. 273–283, Springer, Berlin, Germany, 2001. [27] M.-J. O. Saarinen, “Cryptographic analysis of all 4×4-bit S- boxes,” in Selected Areas in Cryptography,vol.7118ofLecture Notes in Computer Science, pp. 118–133, Springer, Berlin, Ger- many, 2012. Advances in Advances in Journal of Journal of Operations Research Decision Sciences Applied Mathematics Algebra Probability and Statistics Hindawi Publishing Corporation Hindawi Publishing Corporation Hindawi Publishing Corporation Hindawi Publishing Corporation Hindawi Publishing Corporation http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014

The Scientific International Journal of World Journal Differential Equations Hindawi Publishing Corporation Hindawi Publishing Corporation http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014

Submit your manuscripts at http://www.hindawi.com

International Journal of Advances in Combinatorics Mathematical Physics Hindawi Publishing Corporation Hindawi Publishing Corporation http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014

Journal of Journal of Mathematical Problems Abstract and Discrete Dynamics in Complex Analysis Mathematics in Engineering Applied Analysis Nature and Society Hindawi Publishing Corporation Hindawi Publishing Corporation Hindawi Publishing Corporation Hindawi Publishing Corporation Hindawi Publishing Corporation http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014

International Journal of Journal of Mathematics and Mathematical Discrete Mathematics Sciences

Journal of International Journal of Journal of Function Spaces Stochastic Analysis Optimization Hindawi Publishing Corporation Hindawi Publishing Corporation Volume 2014 Hindawi Publishing Corporation Hindawi Publishing Corporation Hindawi Publishing Corporation http://www.hindawi.com Volume 2014 http://www.hindawi.com http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014 http://www.hindawi.com Volume 2014