Recursive Diffusion Layers for Block Ciphers and Hash Functions Mahdi Sajadieh1, Mohammad Dakhilalian1, Hamid Mala2, and Pouyan Sepehrdad3 ? 1 Cryptography & System Security Research Laboratory, Department of Electrical and Computer Engineering, Isfahan University of Technology, Isfahan, Iran 2 Department of Information Technology Engineering, University of Isfahan, Isfahan, Iran 3 EPFL, Lausanne, Switzerland fsadjadieh@ec, [email protected], [email protected], [email protected] Abstract. Many modern block ciphers use maximum distance separa- ble (MDS) matrices as the main part of their diffusion layers. In this paper, we propose a new class of diffusion layers constructed from sev- eral rounds of Feistel-like structures whose round functions are linear. We investigate the requirements of the underlying linear functions to achieve the maximal branch number for the proposed 4×4 words diffusion layer. The proposed diffusion layers only require word-level XORs, rotations, and they have simple inverses. They can be replaced in the diffusion layer of the block ciphers MMB and Hierocrypt to increase their security and performance, respectively. Finally, we try to extend our results for up to 8 × 8 words diffusion layers. Keywords: Block ciphers, Diffusion layer, Branch number, Provable security 1 Introduction Block ciphers are one of the most important building blocks in many security protocols. Modern block ciphers are cascades of several rounds and each round consists of confusion and diffusion layers. In many block ciphers, non-linear sub- stitution boxes (S-boxes) form the confusion layer, and a linear transformation provides the required diffusion. The diffusion layer plays an efficacious role in providing resistance against the most well-known attacks on block ciphers, such as differential cryptanalysis (DC) [2] and linear cryptanalysis (LC) [11]. In 1994, Vaudenay [15, 16] suggested using MDS matrices in cryptographic primitives to produce what he called multipermutations, not-necessarily linear functions with this same property. These functions have what he called perfect ? This work has been supported in part by the European Commission through the ICT program under contract ICT-2007-216646 ECRYPT II. diffusion. He showed how to exploit imperfect diffusion to cryptanalyze functions that are not multipermutations. This notion was later used by Daemen named as the branch number. Block ciphers exploiting diffusion layers with small branch number may suffer from critical weaknesses against DC and LC, even though their substitution layers consist of S-boxes with strong non-linear properties. Two main strategies for designing block ciphers are Feistel-like and substitu- tion permutation network (SPN) structures. In the last 2 decades, from these two families several structures have been proposed with provable security against DC and LC. Three rounds of Feistel structure [12, 9], five rounds of RC6-like struc- ture [6] and SDS (substitution-diffusion-substitution) structure with a perfect or almost perfect diffusion layer are examples of such structures [10]. 1.1 Notations Let x be an array of s n-bit elements x = [x0(n); x1(n); ··· ; xs−1(n)]. The number of non-zero elements in x is denoted by w(x) and is known as the Hamming weight of x. The following notations are used throughout this paper: ⊕ : The bit-wise XOR operation & : The bit-wise AND operation Li : Any linear function `i : The linear operator corresponding to the linear function Li (L1 ⊕ L2)(x): L1(x) ⊕ L2(x) L1L2(x): L1(L2(x)) 2 L1(x): L1(L1(x)) I(·) function : Identity function, I(x) = x x m (x : Shift of a bit string x by m bits to the right (left) m) x o m (x n : Circular shift of a bit string x by m bits to the right (left) m) j · j : Determinant of a matrix in GF(2) ajb : Concatenation of two bit strings a and b x(n) : An n-bit value x For a diffusion layer D applicable on x, we have the following definitions: Definition 1 ([4]). The differential branch number of a linear diffusion layer D is defined as: βd(D) = minfw(x) + w(D(x))g x6=0 We know that the linear function D can be shown as a binary matrix B, and Dt is a linear function obtained from Bt, where Bt is the transposition of B. Definition 2 ([4]). The linear branch number of a linear diffusion layer D is defined as: t βl(D) = minfw(x) + w(D (x))g x6=0 2 It is well known that for a diffusion layer acting on s-word inputs, the maximal βd and βl are s+ 1 [4]. A diffusion layer D taking its maximal βd and βl is called a perfect or MDS diffusion layer. Furthermore, a diffusion layer with βd = βl = s is called an almost perfect diffusion layer [10]. 1.2 Our contribution In this paper, we define the notion of a recursive diffusion layer and propose a method to construct such perfect diffusion layers. Definition 3. A diffusion layer D with s words xi as the input, and s words yi as the output is called a recursive diffusion layer if it can be represented in the following form: 8 y0 = x0 ⊕ F0(x1; x2; : : : ; xs−1) > <> y1 = x1 ⊕ F1(x2; x3; : : : ; xs−1; y0) D : (1) . > . > : ys−1 = xs−1 ⊕ Fs−1(y0; y1; : : : ; ys−2) where F0, F1,::: , Fs−1 are arbitrary functions. As an example, consider a 2-round Feistel structure with a linear round function L as a recursive diffusion layer with s = 2. The input-output relation for this diffusion layer is: y = x ⊕ L(x ) D : 0 0 1 y1 = x1 ⊕ L(y0) The quarter-round function of Salsa20 is also an example of a non-linear recursive diffusion layer [1]. 8 > y1 = x1 ⊕ ((x0 + x3) <<< 7) <> y = x ⊕ ((x + y ) <<< 9) D : 2 2 0 1 y3 = x3 ⊕ ((y1 + y2) <<< 13) > : y0 = x0 ⊕ ((y2 + y3) <<< 18) Also, the lightweight hash function PHOTON [5] and the block cipher LED [7] use MDS matrices based on Eq. (1). In these ciphers, an m × m MDS matrix Bm was designed based on the following matrix B for the performance purposes: 0 0 1 0 ··· 0 1 B 0 0 1 ··· 0 C B C B . .. C B = B . C B C @ 0 0 0 ··· 1 A Z0 Z1 Z2 ··· Zm−1 3 By matrix B, one elements of m inputs is updated and other elements are shifted. If we use Bm, all inputs are updated, but we must check if this matrix is MDS. One example for m = 4 is the PHOTON matrix working over GF(24): 00 1 0 01 0 1 2 1 4 1 B0 0 1 0C B 4 9 6 17C B = B C ) B4 = B C @0 0 0 1A @17 38 24 66A 1 2 1 4 66 149 100 11 In this paper, we propose a new approach to design linear recursive diffusion layers with the maximal branch number in which Fi's are composed of one or two linear functions and a number of XOR operations. The design of the proposed diffusion layer is based on the invertibility of some simple linear functions in GF(2). Linear functions in this diffusion layer can be designed to be low-cost for different sizes of the input words, thus the proposed diffusion layer might be appropriate for resource-constrained devices, such as RFID tags. Although these recursive diffusion layers are not involutory, they have similar inverses with the same computational complexity. Another approach which is not recursive was picked by Junod and Vaudenay in [8] to design efficient MDS matrices. This paper proceeds as follows: In Section 2, we introduce the general struc- ture of our proposed recursive diffusion layer. Then, for one of its instances, we systematically investigate the required conditions for the underlying linear function to achieve the maximal branch number. In Section 3, we propose some other recursive diffusion layers with less than 8 input words and only one linear function. We use two linear functions to have a perfect recursive diffusion layer for s > 4 in Section 4. Finally, we conclude the paper in Section 5. 2 The Proposed Diffusion Layer In this section, we introduce a new perfect linear diffusion layer with a recursive structure. The diffusion layer D takes s words xi for i = f0; 1; : : : ; s−1g as input, and returns s words yi for i = f0; 1; : : : ; s − 1g as output. So, we can represent this diffusion layer as: y0jy1j · · · jys−1 = D(x0jx1j · · · jxs−1) The first class of the proposed diffusion layer D is represented in Fig. 1, where L is a linear function, αk; βk 2 f0; 1g, α0 = 1, and β0 = 0. This diffusion layer can be represented in the form of Eq. (1) in which the Fi functions are all the same and can be represented as s−1 0s−1 1 M M Fi(x1; x2; : : : ; xs−1) = αjxj ⊕ L @ βjxjA j=1 j=1 To guarantee the maximal branch number for D, the linear function L and the coefficients αj and βj must satisfy some necessary conditions. Conditions 4 1: Input : s n-bit words x0; : : : ; xs−1 2: Output : s n-bit words y0; : : : ; xs−1 3: for i = 0 to s − 1 do 4: yi = xi 5: end for 6: for i = 0 to s − 1 do s−1 s−1 ! M M 7: yi = α[(j−i) mod s]yj ⊕ L β[(j−i) mod s]yj j=0 j=0 8: end for Fig. 1. The first class of the recursive diffusion layers on L are expressed in this section and those of αj's and βj's are expressed in Section 3.