Journal of Applied Computer Science & Mathematics, Issue 2/2017, vol.11, No. 24, Suceava Secure and Efficient Diffusion Layers for Block Ciphers 1Manoj KUMAR, 2Pratibha YADAV, 3SK PAL, 4Anupama PANIGRAHI 1,2Scientific Analysis Group, DRDO, Metcalfe House Complex, Delhi-110 054, India 3Dte. of Information Technology & Cyber Security, DRDO Bhawan, Rajaji Marg, New Delhi-110 011, India 4Department of Mathematics, University of Delhi, Delhi-110 007, India [email protected], [email protected], [email protected], [email protected] Abstract–Modern block ciphers are designed to meet confusion functions [13]. Bit permutation is used for best performance in and diffusion criteria. Substitution and permutation layers are hardware platforms and nibble permutation is mostly used for used in the round function for this purpose. In this paper, we software implementations. We search for the combinations of present a number of choices for diffusion layer by using circular circular shift and XOR operations with minimum number of shift and XOR operations. These two operations are most shifts to provide the maximum value of branch number. efficient for software implementations. We test all possible combinations of circular shift and XOR operations for 16-bit and Diffusion layers of this kind have been used to design some 32-bit words. We search for optimal number of circular shifts to Feistel and generalized Feistel based block ciphers. SMS4 provide the maximum value of branch number. We also search block cipher uses a combination of circular shifts and XOR's for secure diffusion layers with efficient inversion for SPN based on 32-bit words [6] and lightweight block cipher FeW uses two block ciphers. We categorize the diffusion layers according to the combinations of these operations for 16-bit words in its value of their branch number. Finally, we suggest a list of secure diffusion layer [9]. To the best of our knowledge, there is no and efficient diffusion layers for new block cipher proposals. We SPN based block cipher so far which uses this type of diffusion also compare the security of a model block cipher using one of layer. For SPN structures, we also require inversion of a these diffusion layers with other lightweight block ciphers. diffusion layer. Therefore, we search for the diffusion layers Keywords: Block Cipher, Branch Number, Diffusion Layer, with efficient inversion. We propose a model block cipher Permutation. which uses one of these diffusion layers. We compare its differential bounds with other lightweight block ciphers. I. INTRODUCTION Remaining part of the paper is divided into four sections. We discuss the basic structures and describe the diffusion layer Modern block ciphers are the most widely used of some prominent block ciphers in section 2. We search for cryptographic primitives for real world applications. We have the diffusion layers with minimum number of circular shift and various modes of operation to build other crypto primitives XOR operations and maximum possible value of branch like hash function and stream cipher out of a block cipher [8]. number in section 3. Section 4 provides the secure and efficient Block ciphers are designed to meet the confusion and diffusion diffusion layers for SPN structure based designs and suggests criterion given by C.E. Shannon in 1949 [14]. These are still a list of the optimal diffusion layers. In section 5, We provide the best known design principles to propose a new block the security comparison of our model cipher with other cipher. In general, a block cipher encrypts n -bit plaintext lightweight block ciphers. using k -bit key and generates n -bit ciphertext after r rounds. In each round, we apply a round function consisting of three II. BLOCK CIPHER layers namely round key addition, substitution (confusion) and permutation (diffusion) layer [11]. Substitution layer uses a Block ciphers have come across a long and fascinating non-linear substitution box (S-box) to meet the confusion journey. There are two major landmarks in the journey of criterion and diffusion layer uses the MDS matrices and block cipher evolution: adoption of Data Encryption Standard bit/byte/nibble permutations. Feistel and SPN (Substitution (DES) and selection of Advanced Encryption Standard (AES). Permutation Network) are two basic design structures [2]. A) Basic Design Components Diffusion layer of modern block ciphers are constructed using Feistel and SPN are two basic structures which are used in the MDS matrices (e.g. AES) [5], bit permutation (e.g. DES & the majority of block cipher designs. In Feistel structure, round PRESENT) [10] [3] and nibble permutation (e.g. LBlock and function comprising key addition, substitution and FeW) [17] [9]. Diffusion layer is designed to optimize the permutation layers is applied on half of the input block in each security bounds of a block cipher from cryptanalytic attacks. round (Fig. 1). In SPN structure, round function consisting of Our Contributions: A number of research papers have been these layers is applied iteratively on the full input block (Fig. published on diffusion layers for block ciphers and hash 2). DOI: 10.4316/JACSM.201702002 15 Computer Science Section boxes in a differential/linear trail and we get the maximum impact of substitution layer. We now discuss the diffusion layers of some prominent block cipher like DES, AES, SMS4, PRESENT and FeW. B) Diffusion Layer of Block Ciphers Data Encryption Standard (DES) is a Feistel structure based block cipher [10]. DES is the first and most widely used block cipher in commercial applications. It takes 64-bit plaintext and divides it into two equal halves of size 32-bit each. Round function takes 32-bit as input and returns a 32-bit output, Fig. 1 Feistel structure which is XORed with 32 bits of other half. Round function in DES comprises of key addition, application of S-box and bit permutation. Diffusion layer of DES uses bit permutation which makes it the most suitable design for hardware implementations. Advances Encryption Standard (AES) is an SPN structure based block cipher [5]. It encrypts 128-bit block using 128-bit key. Round function is applied on the full 128-bit block which consists of add round key, substitute byte, shift rows and mix column operations. Diffusion layer of AES is a combination of shift rows and mix columns operations. MDS matrix is used in the mix column operation which has maximum value of branch number. AES is designed for optimal usage in both software and hardware based environments. SMS4 is a 128-bit block cipher used in Chinese WAPI standard [6]. It is a 4-branch generalized Feistel structure Fig. 2 SPN structure based design. It divides the 128-bit block into four 32-bit In general, a round function consists of three layers which branches. Its round function takes 32-bit input which is the are described below: XOR of three 32-bit branches and one 32-bit round key. There is an application of 8-bit S-box in the round function. Diffusion a) Key Addition Layer layer applies a combination of circular shift and XOR We have a k -bit key K which is known as the master key. operations on 32-bit word A and outputs the 32-bit word B We apply a key expansion algorithm and generate the required as follows: number of round subkeys. In general, we use the bitwise XOR operation to mix the round subkey with input data in this layer. BA=⊕⊕⊕( AŒŒ 2) ( A 10) ( A Œ 18) ⊕ ( A Œ 24) PRESENT is an ultra-lightweight block cipher which is b) Substitution Layer recommended as a lightweight encryption standard by This layer uses a non-linear function known as substitution ISO/IEC in 2008 [3]. Its design is based on SPN structure. Its box (S-box). We carefully chose an S-box which satisfies the round function processes the full 64-bit input block using 80- required cryptographic properties like non-linearity, avalanche bit key. Diffusion layer of PRESENT uses the bit permutation and bit independence criterion [12]. There are two standard on 64-bit register which makes it a hardware friendly design. sizes of S-box which are used in general: 4x4 and 8x8. We FeW is a lightweight block cipher based on Feistel-M have 4-bit input and 4-bit of output for a 4x4 S-box while the structure [9]. It takes 64-bit input and generates the 64-bit input and output size for the 8x8 S-box is 8-bit. We store the ciphertext using 80-bit key. It divides the 64-bit input into four S-box as a look up table and use it to substitute a 4-bit or 8-bit 16-bit branches. After bitwise addition of round keys, its round nibble by another 4-bit or 8-bit nibble. function swaps the least significant byte of the last two branches and applies a 4-bit S-box in parallel. Diffusion layer c) Permutation (Diffusion) Layer uses two different combinations of circular shift and XOR Permutation layer serves as the backbone of a block cipher. operations inside the round function on 16-bit branches as This layer is used for quick diffusion of input bits. We use this follows: layer to maximize the security of a block cipher from basic BA=⊕⊕⊕( AŒŒ 1) ( A 5) ( A Œ 9) ⊕ ( A Œ 12) cryptanalytic attacks like differential and linear attack. In =⊕⊕⊕⊕ substitution layer, S-boxes with maximal differential and BAAAAA(ŒŒŒ 4) ( 7) ( 11) ( Œ 15) linear probabilities are used [7]. Diffusion layer spreads the non-zero bits/nibbles which increases the number of active S- C) Importance of a Diffusion Layer 16 Journal of Applied Computer Science & Mathematics, Issue 2/2017, vol.11, No.