Recursive Diffusion Layers foryBlock Ciphers and Hash Functions

Mahdi Sajadieh, Mohammad Dakhilalian, Hamid Mala and Pouyan SepehrdadPouyan Sepehrdad

Isfahan University of Technology, Isfahan, IranIsfahan University, Isfahan, Iran

EPFL, Lausanne, Switzerland

Happy Persian New Year!

Outline

• Lightweight Algorithms and Diffusion Layers• Lightweight Algorithms and Diffusion Layers

• Designing A Recursive Diffusion LayerDesigning A Recursive Diffusion Layer

• Designing A Diffusion Layer with One Linear Function

• Designing A Diffusion Layer with Two Linear Functions

• Conclusion

3

Lightweight Algorithms and Diffusion Layersy

• Most block ciphers: A round consists of confusion and pdiffusion layers.

• The confusion layer: often uses small S-boxes.

• The diffusion layer: plays an efficacious role in providing• The diffusion layer: plays an efficacious role in providing resistance against DC and LC.

• Diffusion layers must– have large branch numbers.

b ffi i b h h l d i– be efficient, both the layer and its reverse.

4

Lightweight Algorithms and Diffusion Layersy

• Lightweight block ciphers:g g p– New ciphers appear everyday in the literature.– Compete over the throughput and GE.

Not providing the same level of security (LC DC AC)– Not providing the same level of security (LC, DC, AC).– Does the comparison make sense?

• Designing lightweight and efficient diffusion layers:– Efficient and perfect recursive Feistel-like diffusion layers. – We design one without any finite fields operationsWe design one without any finite fields operations.– Only have “XOR”s and “Shift” or “Rotations”.– LED and PHOTON: a nice and efficient MDS diffusion layer.

5

Designing A Recursive Diffusion Layer

• Maximal branch number• Length of the input words be changeable• Have a very simple inverse• An efficient linear functions F.

6

Designing A Recursive Diffusion Layer

7

Some Instances of Recursive Diffusion Layersy

• Feistel with a linear F

• Salsa20 (non linear )

• PHOTON matrixPHOTON matrix

8

The Proposed Regular s n-bit Words Diffusion Layery

• In the main pseudo code: ),...,,(),...,,( 1210121 −− = ssi xxxFxxxF

9

A Regular 4×4 In/Out Diffusion Layerwith Perfect Diffusion

⎪⎧ ⊕⊕⊕⊕=

⎪⎧ ⊕⊕⊕⊕= )()( 201233313200 yyLyyyxxxLxxxy

⎪⎪⎩

⎪⎪⎨

⊕⊕⊕⊕=⊕⊕⊕⊕=⊕⊕⊕⊕=

⇒

⎪⎪⎩

⎪⎪⎨

⊕⊕⊕⊕=⊕⊕⊕⊕=⊕⊕⊕⊕= −

)()()(

:

)()()(

:

312300

023011

1301221

202133

131022

020311

xxLxxyxyxLxyyxyxLyyyx

D

yyLyyxyyxLyyxyyxLyxxy

D

10

A Regular 4×4 In/Out Diffusion Layerwith Perfect Diffusion

11

Conditions on L: Maximal Branch Number

• Outputs based on inputs

• The linear functions must be invertible for maximal branch number:

12

Some Linear Functions1))3(()( >>>>>⊕= xxxL 1)1)2&(()( >>>>>⊕= xxxL 1))15(()( >>>>>⊕= xxxL 15))31(()( >>>>>⊕= xxxL 1))63(()( >>>>>⊕= xxxL

• Large number of linear functions satisfying the conditions, some are:some are:

• Without any circular shift:

13

Replacement of Some Diffusion Layers

• MDS_H of Hierocrypt– Performance two times better

• Binary matrix of MMBBinary matrix of MMB– Branch number of the MMB diffusion layer increases to 5.

• prevents the attacks [SAC’09] presented on this block cipher.P f i d d b 10%– Performance is decreased by 10%.

• PHOTON ⎞⎜⎛⎞

⎜⎛ 3 1 2 10 0 1 0

– If L(x)=2x in GF(24) , the matrix is:

⎟⎟⎟⎟

⎠⎜⎜⎜⎜⎜

⎝

=⇒

⎟⎟⎟⎟

⎠⎜⎜⎜⎜⎜

⎝

=

20 6 30 13

13 3 11 4

4 1 7 3 B

3 1 2 1

1 0 0 0

0 1 0 0 B 4

14

All Other Regular Diffusion Layers

For s > 4, no diffusion layer was found with only one linear function.

15

All Other Regular Diffusion Layers

.

16

Non-regular Recursive Diffusion Layers

• In the non-regular diffusion layers: Fi’s are different.– Use only one linear function.y

• The space for a complete search is for an s input/output diffusion layer.

22s2

17

Non-regular Recursive Diffusion Layers

• After a complete search

– For s = 3, the one with the least number of XORs:

⎪⎧ ⊕⊕= 2100 xxxy

For s = 4 the one with the least number of XORs:

⎪⎩

⎪⎨

⊕⊕=⊕⊕⊕=

1022

20211

yyxy)xL(yxxy:D

– For s = 4, the one with the least number of XORs:

⎪⎪⎨

⎧⊕⊕⊕⊕=

⊕⊕⊕=)(

)(

: 020311

32100

yxLyxxyxLxxxy

D

⎪⎪⎩

⎨

⊕⊕⊕=⊕⊕⊕⊕=)(

)(

02133

130322

yLyyxyyxLyxxy

• For s > 4, a complete search is too costly.18

Regular Recursive Diffusion Layers with Two Linear Functions

• If L1 and L2 do not have any relation, the analysis is hard.

or

19

Regular Diffusion Layer for s > 4

• The linear functions which must be invertible:

20

Conclusion

• We introduced some efficient and perfect recursive diffusion layers.

• Found all regular s input/output recursive diffusion layers with s < 8 and one linear function.

• Found all non-regular s input/output recursive diffusion layers with • s < 5 and one linear function.

• Found some efficient regular s input/output recursive diffusion layers with s < 9 and two linear function.

• A good candidate for designing new block ciphers or hash functions.

21

Q i ?Questions?