Bounds on Differential and Linear Branch Number of Permutations

Transcription

1 Bouds o Differetial ad Liear Brach Number of Permutatios umata arkar ad Habeeb yed TC Iovatio Labs Hyderabad, INDIA sumata.sarkar1@tcs.com habeeb.syed@tcs.com Abstract. Noliear permutatios (-boxes) are key compoets i block ciphers. The differetial brach umber measures the diffusio power of a permutatio, whereas the liear brach umber measures resistace agaist liear cryptaalysis. There has ot bee much aalysis doe o the differetial brach umber of oliear permutatios of F 2, although it has bee well studied i case of liear permutatios. imilarly upper bouds for the liear brach umber have also ot bee studied i geeral. I this paper we obtai bouds for both the differetial ad the liear brach umber of permutatios (both liear ad oliear) of F 2. We also prove that i the case of F 4 2, the maximum differetial brach umber ca be achieved oly by affie permutatios. Keywords: Permutatio, -box, differetial brach umber, liear brach umber, block cipher, Griesmer boud. 1 Itroductio A basic desig priciple of a block cipher cosists of cofusio ad diffusio as suggested by hao [14]. Cofusio layer makes the relatio betwee key ad the ciphertext as complex as possible, whereas the diffusio layer spreads plaitext statistics across the ciphertext. o far there have bee several costructios of block ciphers, ad equal efforts have bee made to break them. I the process literature has bee eriched by proposals of elegat cryptaalysis techiques, for istace, differetial cryptaalysis [] ad liear cryptaalysis [12]. The latter two cryptaalysis methods led to the desig kow as wide-trail strategy [6]. This desig costructs roud trasformatios of block ciphers with efficiecy ad provides resistace agaist the differetial ad the liear cryptaalysis. This strategy also explais how the differetial brach umber is related to the umber of active -boxes. Recetly lightweight cryptography has gaied huge attetio from both the idustry ad the academia. There have bee several proposals of lightweight ciphers so far, which are mostly based o symmetric cryptography. I this work Correspodig author

2 we are iterested i block ciphers. ome examples of lightweight block ciphers are CLEFIA [15] ad PREENT [4]; both are icluded i the IO/IEC stadard. There are may block ciphers which follow the desig of ubstitutio- Permutatio-Network (PN), for example, AE [7]. I this model, -boxes are used to achieve the cofusio property, whereas i geeral MD matrices are used as the diffusio layer of a block cipher. MD matrices geerate MD codes which achieve the highest possible miimum distace, thus MD matrices have the highest possible diffusio power. I the same ote we fid the desig of PREENT very iterestig. It has removed the usual diffusio layer that is ormally implemeted by a MD matrix. Thus savig a cosiderable amout of hardware cost. It uses a 4 4 -box that has the followig properties: differetial brach umber is, differetial uiformity is 4 (the highest possible), oliearity is 4 (the highest possible), algebraic degree is. Oe roud fuctio of PREENT is comprised of 16 such -boxes followed by a liear bit-wise permutatio L : F 64 2 F The role of this liear permutatio is to mix up the outputs of the -boxes which become the iput to the ext roud. As bit-wise permutatio ca be implemeted by wires oly, so this reduces the umber of gates required for the whole desig. Recetly a lightweight block cipher GIFT [2] has also appeared which relies o the same desig priciple as of PREENT. k i k i+1 Fig. 1. Roud fuctio of PREENT (image source: [9]) PREENT (i 2007) used the diffusio property of a -box. This costructio idea will succeed provided the -box has high differetial brach umber alog with the other cryptographic properties. However after PREENT, through the last 10 years, o attempt has bee made to aalyze how far a -box ca diffuse. We cosider this problem ad provide a upper boud for the differetial brach umber of permutatios i geeral. To the best of our kowledge this is the first 2

3 ever work which gives otrivial bouds o diffusio power of -boxes. O the other had it is also crucial to have -boxes with high liear brach umber i order to resist the liear cryptaalysis. o we study the differetial brach umber of permutatios i cojuctio with the liear brach umber. Below we summarize our cotributios. Our cotributios I ectio 4, we preset bouds o the differetial brach umber of ay permutatio of F 2. We completely characterize permutatios of F 4 2 i terms of the differetial brach umber. I [1] huge computatioal effort was made i order to characterize cryptographic properties of 4 4 -boxes. I their search they cosidered 16 optimal 4 4 -boxes from [10] ad showed that the maximum possible differetial brach umber of such a -box is. However, from this search it is ot clear whether is the maximum for all 4 4 -boxes. I Theorem 4, we prove that if a permutatio of F 4 2 has differetial brach umber 4 the it is affie, which shows (Theorem 5) that i fact for ay 4 4 -box, the maximum possible differetial brach umber is. Further i Theorem 6, we prove that for ay permutatio over F 2, for 5, its differetial brach umber is upper bouded by 2. There is a boud kow as Griesmer boud [8] which applies oly to liear permutatios, whereas our boud works o ay permutatio. We compare these two bouds i Table, ad observe that values are very close to each other. We also study bouds o the liear brach umber of permutatios of F 2. It turs out that for a liear permutatio of F 2, the maximum value of the liear brach umber matches with the maximum value of the differetial brach umber (see Theorem 1). For ay permutatio of F 2, the liear brach umber is upper bouded by (see Theorem ). 2 Prelimiaries Deote by F 2 the fiite field of two elemets {0, 1} ad by F 2 the -dimesioal vector space over F 2. For ay x F 2 the Hammig weight of x, deoted by wt(x) is the umber of 1 s i x. Bitwise XOR is deoted by ad for ay x, y F 2 their dot product x t y is simply the usual ier product x 0 y 0 x 1 y 1. We ow brig i some otatios which will be frequetly used. For i = 0,..., 1 deote by e i, the elemet of F 2 which has 1 i the i-th positio, ad 0 elsewhere. Note that the set {e 0,..., e 1 } forms a basis of F 2. Further, the elemet of F 2 with all 1 is deoted by ē. To illustrate let = 4, the we have e 0 = (1, 0, 0, 0), e 1 = (0, 1, 0, 0), e 2 = (0, 0, 1, 0), e = (0, 0, 0, 1), ad ē = (1, 1, 1, 1). A -box is a permutatio : F 2 F 2 which is (strictly) oliear. We deote by GL(, F 2 ) (or simply by GL()) the set of liear permutatios of F 2. Clearly GL() is a proper subset of set of all permutatios of F 2 ad by defiitio a -box is a permutatio of F 2 which is ot i GL(). For a

4 secure desig, -box eeds to satisfy several properties such as high oliearity, high differetial uiformity, high algebraic degree, etc [5]. We ow recall the otios of correlatio matrices, liear ad differetial brach umbers. ee [7] for detailed discussio o these. Cosider a permutatio φ of F 2. For ay α, β F 2 the correlatio coefficiet of φ with respect to (α, β) is give by C φ (α, β) = x F 2 αt x β t φ(x) ( 1) It is easy to see that 2 C φ (α, β) 2. ee [7, Ch 7] for detailed discussio o correlatio matrices of Boolea fuctios ad their properties. We defie the correlatio matrix C φ of φ as the 2 2 matrix idexed by α, β F 2 i which the etry i the cell (α, β) is give by C φ (α, β): C φ = [C α,β ] 2 2 where C α,β = C φ (α, β) (2) Next we recall some defiitios related to brach umbers of permutatios. Defiitio 1. For ay φ of F 2, its differetial brach umber (respectively liear brach umber) is deoted by β d (φ) (respectively β l (φ)) ad defied as ad β d (φ) := mi x,x F 2, x x {wt(x x ) + wt(φ(x) φ(x ))}, β l (φ) := mi {wt(α) + wt(β)}. α,β F 2, C φ(α,β) 0 where C φ (α, β) is the correlatio coefficiet as i (1). If φ is a liear permutatio of F 2, the there exists a biary ivertible matrix M such that φ(x) = Mx for every x F 2. I this case β d (φ) ad β l (φ) ca be simplified as i the followig lemma [7, Ch 9]. Lemma 1. Let φ be a liear permutatio of F 2 give by M GL(, F 2 ). The, β d (φ) = mi + wt(mα)} α F 2,α 0{wt(α) () β l (φ) = mi α F,α 0{wt(α) + wt(mt α)}. 2 (4) For ay φ Π() it is easy to see that β d (φ) is 2 ad β l (φ) 2. Also, β d (φ) = β d (φ 1 ) ad β l (φ) = β l (φ 1 ). It is iterestig to ote that the differetial brach umber is related to the differece distributio table (DDT). DDT of a permutatio φ of F 2 deoted by D φ is a matrix of order 2 2. uppose for the iput differece δ, the output differece of the permutatio φ is, i.e., φ(x) φ(x δ) =. Let D φ (δ, ) be the umber solutios of φ(x) φ(x δ) =, the the (δ, )-th elemet of DDT (1) 4

5 Table 1. DDT of -Box 40825B719A6CDEF A B C D E F δ A B C D E F is D φ (δ, ). I Table 1, we preset the differece distributio table of the -box φ = 40825B719A6CDEF. The the differetial brach umber ca be redefied as β d (φ) := mi {wt(δ) + wt( )}. δ 0, 0,D φ (δ, ) 0 For example, it is clear from the DDT of the differetial brach umber of 40825B719A6CDEF is 2. Oe of the basic otio i the study of permutatios is that of affie equivalece. This equivalece preserves various cryptographic properties like oliearity, differetial uiformity, algebraic degree (more tha oe), etc. Defiitio 2 (Affie Equivalece). Let φ, φ be two permutatios of F 2. We say that φ is affie equivalet to φ if there exist A, B GL(, F 2 ), ad c, d F 2 such that φ (x) = B φ[a x c] d, for all x F 2. (5) Affie equivalece preserves may properties of -boxes, such as uiformity, oliearity, degree, but it does ot preserve brach umber i geeral. For istace, the followig two affie equivalet -boxes (i Table 2) have differet differetial brach umber. Here ad are related as (x) = B (x), where B is a matrix with the rows {(1, 0, 0, 1), (0, 1, 0, 0), (0, 0, 1, 0), (0, 0, 0, 1)}. Note that β d () =, whereas β d ( ) = 2, although they are affie equivalet. The -box is used i PREENT. 5

6 x A B C D E F (x) C 5 6 B 9 0 A D E F (x) C D A 5 B E F 9 2 Table 2. Affie equivalet -boxes with differet differetial brach umbers. O the other had, if A ad B are permutatio matrices 1 the the correspodig affie equivalece class preserves the brach umber [1]. We state this as the followig lemma. Lemma 2. If φ ad φ 1 are two affie equivalet permutatios of F 2 such that φ 1 (x) = B φ[a x c] d, for all x F 2, where A ad B are permutatio matrix, ad c, d F 2, the β d (φ) = β d (φ 1 ) ad β l (φ) = β l (φ 1 ). Bouds o Liear Brach Number First we cosider the case of liear permutatios of F 2. I this case we have the followig coectio betwee the liear ad the differetial brach umbers of such permutatios. Theorem 1. For liear permutatios of F 2 the maximum differetial brach umber is equal to the maximum liear brach umber. Proof. uppose φ be a liear permutatio of F 2, the there exists a matrix M GL(, F 2 ) such that φ(x) = Mx for every x F 2. Cosider the permutatio φ t defied as φ t (x) = M t x for x F 2. Usig Lemma 1 we see that β d (φ) = β l (φ t ) from which the result follows. Remark 1. The best kow boud for the differetial brach umber of a liear permutatio is Griesmer boud (see ectio 4). Above theorem suggests that this is also the best boud for the liear brach umber of such permutatios. Later i Theorem 6 we preset ew a boud o the differetial brach umber of more geeral permutatios of F 2 which is quite comparable to Griesmer boud i case liear permutatios. It is pertiet to metio here some results similar to Theorem 1 i case of permutatios of F q whe q = 2 m for m > 1. These results alog with proofs ca be foud i [7]. We preset some of them here for sake of completeess. I [7] authors cosider a permutatio of F q as a budled permutatio of F m 2 with budle size m, i.e., if ψ is such permutatio the it is defied as ψ(x 0,..., x 1 ) = (y 0,..., y 1 ) (6) where (x 0,..., x 1 ), (y 0,..., y 1 ) F 2m. The otio of brach umbers (liear ad differetial) are defied with respect to the budle size. With these authors prove the followig theorem [7, Theorem B.1.2]. 1 A matrix obtaied by permutig rows (or colums) of a idetity matrix. 6

7 Theorem 2. Let ψ : F m 2 F m 2 be a budled permutatio as i (6). The ψ has maximal differetial brach umber if ad oly if it has maximal liear brach umber. If ψ is a liear permutatio of F q give by osigular matrix N over F q, i.e., ψ(x) = Nx, the Theorem 2 simply meas that the matrix N is MD if ad oly if its traspose is also MD. Note that Theorem 2 goes beyod liear permutatios ad icludes all permutatio of F q. However, a importat poit to be oted here is that Theorem 2 is applicable for budled permutatios of F m 2 of budle size m > 1 ad is ot applicable to our results which ivolve permutatios of F 2. I the followig we will see that such a ice coectio is elusive i case of permutatios of F 2. To cotiue our results from Theorem 1 we ow prove a boud o the liear brach umber of geeral permutatios. To preset our results we eed some facts related to Boolea fuctios which we recall here. A variable Boolea fuctio is map ϕ : F 2 F 2. We say that ϕ is balaced if #{x F 2 : ϕ(x) = 0} = #{x F 2 : ϕ(x) = 1} = 2 1. The map ϕ is said to be r th order Correlatio Immue (r-ci) if ( 1) αt x ϕ(x) = 0, (7) x F 2 for all α F 2 such that 1 wt(α) r. If ϕ is balaced ad r-ci the it said to be r resiliet Boolea fuctio. I our study Boolea fuctios occur as coordiate fuctios of a permutatio φ of F 2. The liear brach umber of φ ad the resiliecy order of its coordiate fuctios is itercoected as follows. uppose that φ is a permutatio of F 2 give by φ(x) = (φ 0 (x),..., φ 1 (x)) where x F 2 ad each of φ 0,..., φ 1 is a coordiate Boolea fuctio. If β l (φ) = r the, by defiitio for ay α, β F 2 C φ (α, β) = 0 wheever 2 wt(α) + wt(β) r 1. I particular if we choose β = e i B, the the above equatio implies that C φ (α, e i ) = ( 1) αt x φ i(x) = 0 wheever 1 wt(α) r 2, (8) x F 2 which meas that φ i is (r 2) CI Boolea fuctio. Also, φ i is balaced sice it is a coordiate fuctio of a permutatio. Thus we see that each φ i is a r 2 resiliet Boolea fuctio. I a utshell this is our observatio: Lemma. Let φ = (φ 0,..., φ 1 ) be a permutatio of F 2. For every 0 i 1 the coordiate fuctio φ i is β l (φ) 2 resiliet Boolea fuctio. We also recall the otio of degree of a Boolea fuctio. Give a Boolea fuctio ϕ of variables there exist a uique polyomial P (X 0,..., X 1 ) 7

8 i variables over F 2 such that ϕ(x 0,..., x 1 ) = P (x 0,..., x 1 ) for every (x 0,..., x 1 ) F 2. uch a polyomial is called Algebraic Normal Form of ϕ ad the total degree of P is called algebraic degree (or simply degree) of ϕ. Note that deg(ϕ) = 0 oly for costat fuctios ad deg(ϕ) = 1 if ϕ is affie. For ay Boolea fuctio ϕ its resiliecy order ad its degree are coected as follows, which is kow as iegethaler boud [16]. If ϕ is a variable r resiliet Boolea fuctio the deg(ϕ) 1 r. (9) Usig the coectio i Lemma ad (9) we obtai bouds o the liear brach umber of permutatios of F 2. Theorem. For ay oliear permutatio φ of F 2 we have β l (φ) 1. Proof. First we show that β l (φ) ad the that oly liear permutatios have β l (φ) =. Let φ = (φ 0,..., φ 1 ) be a permutatio of F 2 with coordiate Boolea fuctios {φ 0,..., φ 1 }. uppose φ i {φ 0,..., φ 1 } be ay coordiate fuctio. If β l (φ) +1 the from Lemma it follows that the fuctio φ i is r resiliet where r ( + 1) 2 = 1. By iegethaler boud (9) we must have deg(φ i ) ( 1) ( 1) = 0. O the other had, if deg(φ i ) = 0 the φ i is a costat fuctio which is impossible because φ i a coordiate fuctio of a permutatio of F 2 ad hece eed to be balaced. This cotradictio shows that β l (φ). Usig same kid of argumet oe ca easily see that if β l (φ) = the deg(φ i ) 1 for every 0 i 1, which implies that it is affie ad hece φ itself is affie. As a cosequece it follows that if φ is a oliear permutatio of F 2 the β l (φ) 1. Next we focus o bouds for the differetial brach umber of geeral permutatios of F 2. 4 Bouds o Differetial Brach Number It is trivial to check that for ay permutatio φ of F 2, we have β d (φ) 2. For liear permutatios, some upper boud ca be easily obtaied from codig theory. If L : F 2 F 2 is liear permutatio, the the set C = {(x, L(x)) : x F 2 } forms a [2, ] liear code, ad its miimum distace is actually the differetial brach umber of L. A [N, K] liear code has miimum distace d N K + 1 (igleto Boud). The codes which achieve the igleto Boud are called MD codes. Therefore, the differetial brach umber of L is bouded by + 1. However, it is kow that there is o otrivial biary MD code [11], which meas that there is o liear permutatio defied over F 2 havig the differetial brach umber + 1. Thaks to Griesmer boud we ca have further bouds [8]. 8

9 Lemma 4 (Griesmer Boud). Let [N, K] be a biary liear code with the miimum distace d the K 1 d N 2 i. i=0 I this sectio we preset a boud o the differetial brach umber of a arbitrary permutatio of F 2. We begi with followig remark which will be useful i our proofs. Remark 2. Let φ be a permutatio of F 2 such that φ(0) = c for some c 0 F 2. The for the permutatio φ defied as φ (x) = φ(x) c it is easy to see that β d (φ) = β d (φ ) ad φ (0) = 0. Thus while derivig bouds o the differetial brach umbers we ca simply cosider permutatios φ such that φ(0) = 0. uppose q is a power of prime, ad L : F q F q is a liear permutatio. It is a well kow fact [11] that β d (L) + 1 wheever q 2. Next, let φ be a arbitrary permutatio of F 2. If β d (φ) = + 1 the by Defiitio 1 ad Remark 2 we get wt(e i 0) + wt(φ(e i ) φ(0)) = wt(e i ) + wt(φ(e i )) + 1, which implies that wt(φ(e i )) for i = 0, However, this is impossible because there is precisely oe elemet ē F 2 with wt(ē ) =. Hece we must have β d (φ) < + 1. This gives us a trivial boud o the differetial brach umber of permutatios of F 2 as follows. Lemma 5. For ay permutatio φ of F 2 we have β d (φ) < + 1. I the remaiig part of this sectio we sharpe the boud i Lemma 5. To make proofs easy we cosider the case of permutatios over F 4 2 ad the case of permutatios over F 2, 5 separately. 4.1 Differetial Brach Number of Permutatios of F 4 2 I this sectio we cosider permutatios defied o F 4 2 which are used to desig 4 4 -boxes. Here we show that if the differetial brach umber of a permutatio of F 4 2 is 4 the it is ecessarily affie ad hece the differetial brach umber of ay 4 4 -box is bouded above by. Lemma 6. uppose φ : F 4 2 F 4 2 is a permutatio with φ(0) = 0 ad β d (φ) = 4. The the followig coditios hold for x F 4 2 C1. if wt(x) = 4 the wt (φ(x)) = 4, C2. if wt(x) = 1 the wt (φ(x)) =, C. if wt(x) = 2 the wt (φ(x)) = 2, C4. if wt(x) = the wt (φ(x)) = 1. 9

10 Proof. ice β d (φ) = 4, ad φ(0) = 0, ay ozero x F 4 2 must satisfy wt(x) + wt(φ(x)) 4. (10) Immediate cosequece of this is that wt(φ(e i )) = or wt(φ(e i )) = 4 as wt(e i ) = 1 for ay 0 i. uppose wt(φ(e i )) = 4 for some i, the for ay j i we have wt(e i e j ) + wt(φ(e i ) φ(e j )) = < 4, cotradictig (10). Hece C2 follows. Next let x F 4 2 with wt(x) = 2. The, 2 wt(φ(x)) 4 by (10). ice φ maps all weight 1 elemets to weight elemets ad φ is a permutatio, so wt(φ(x)). uppose that wt(φ(x)) = 4. Choose e i such that wt(e i x) = 1, ad sice wt(φ(e i )) = we must have wt(e i x) + wt(φ(e i ) φ(x)) = = 2 < 4, agai cotradictig (10); hece it follows that wt(φ(x)) = 2. This cocludes the proof of C. Now let s prove C4. Cosider x with wt(x) =. By C2 ad C, we have wt((x)) 2,. This leaves ope the possibility that wt(φ(x)) = 1 or 4. If wt(φ(x)) = 4, cosider a elemet x with wt(x ) = 2 ad wt(x x ) = 1. The wt(x x ) + wt(φ(x) φ(x )) = < 4, a cotradictio. o wt(φ(x)) = 1. Fially, C2, C, C4 imply that wt(φ(x)) = 4, whe wt(x) = 4. Above theorem leads to the followig characterizatio of permutatios φ of F 4 2 for which β d (φ) = 4. Theorem 4. Let φ : F 4 2 F 4 2 be a permutatio with β d (φ) = 4. The φ is affie. Proof. As per Remark 2 we prove the result for φ(0) = 0. ice β d (φ) = 4 ad φ(0) = 0, φ satisfies C1, C2, C, C4 ( of Lemma 6). Note that the set of 1-weight vectors {e 0, e 1, e 2, e } form a basis of F 4 2 ad by C2 the correspodig image set {φ(e 0 ), φ(e 1 ), φ(e 2 ), φ(e )} cotais all the -weight vectors of F 4 2. Note that {φ(e 0 ), φ(e 1 ), φ(e 2 ), φ(e )} also forms a basis of F 4 2. Recall that the permutatio φ is a liear map iff φ(c 0 e 0 c 1 e 1 c 2 e 2 c e ) = c 0 φ(e 0 ) c 1 φ(e 1 ) c 2 φ(e 2 ) c φ(e ) holds for all (c 0, c 1, c 2, c ) F 4 2. As wt(φ(e 0 e 1 e 2 e )) = 4 (by C1 of Lemma 6), ad wt(φ(e 0 ) φ(e 1 ) φ(e 2 ) φ(e )) = 4, the φ(e 0 e 1 e 2 e ) = φ(e 0 ) φ(e 1 ) φ(e 2 ) φ(e ). 10

11 I the followig we will use the fact that φ(e i ) φ(e j ) has weight 2, ad φ(e i ) φ(e j ) φ(e k ) has weight 1. The set {φ(e 0 ), φ(e 1 ), φ(e 2 ), φ(e )} forms a basis ad wt(φ(e i e j )) = 2 (by C of Lemma 6), the φ(e i e j ) ca be writte as φ(e i e j ) = φ(e l ) φ(e r ), for some l ad r. If liearity does ot hold for (e i e j ) the (i, j) (l, r). If i = l (ad j r), the wt(e j e i e j ) + wt(φ(e j ) φ(e i e j )) = wt(e i ) + wt(φ(e j ) φ(e i ) φ(e r )) = < 4, a cotradictio. The case j = r ca be treated similarly. Next if l, r / {i, j}, the wt(e j e i e j ) + wt(φ(e j ) φ(e i e j )) = wt(e i ) + wt(φ(e j ) φ(e l ) φ(e r )) = < 4, which cotradicts the fact that β d (φ) = 4. Therefore, for ay liear combiatios of the form e i e j we must have φ(e i e j ) = φ(e i ) φ(e j ). We ow cosider liear combiatios of the form e i e j e k. By C4 of Lemma 6, we have wt(φ(e i e j e k )) = 1. As {φ(e 0 ), φ(e 1 ), φ(e 2 ), φ(e )} forms a basis, so we ca write φ(e i e j e k ) = φ(e l ) φ(e r ) φ(e t ). uppose that liearity does ot hold for e i e j e k, the (i, j, k) (l, r, t). Note that we must have {i, j, k} {l, r, t} = 2. Assume that i = l ad j = r. The wt(e i e k e i e j e k ) + wt(φ(e i e k ) φ(e i e j e k )) = wt(e j ) + wt(φ(e i ) φ(e k ) φ(e i ) φ(e j ) φ(e t )) = wt(e j ) + wt(φ(e k ) φ(e j ) φ(e t )) = < 4, a cotradictio. Therefore, for ay liear combiatios of the form e i e j e k we must have φ(e i e j e k ) = φ(e i ) φ(e j ) φ(e k ). Thus we coclude that φ is liear, ad the theorem follows. Recall that, by defiitio a -box is a strictly oliear permutatio of F 2. Usig Lemma 5 ad Theorem 4 we get the followig strict upper boud o the differetial brach umber of 4 4 -boxes. Theorem 5. The maximum possible differetial brach umber of a 4 4 -box is. 11

12 The paper [1] followed the work of [10] to search for optimal 4 4 -boxes i the affie equivalet classes. The maximum differetial brach umber i the affie equivalet classes of the 16 optimal 4 4 -boxes from [10] is. As this search did ot cosider the so-called o-optimal -boxes, the questio of the maximal differetial brach umber of ay 4 4 -box remaied uaswered. Theorem 5 settles this questio. We ow give a family of liear permutatios L of F 2 with β d (L ) = 4. Defiitio of these permutatios varies slightly depedig o whether is eve or odd. ice these permutatios are liear we specify their actio o basis B = {e 0,..., e 1 } of F 2 ad the maps exted liearly to other elemets of F 2. Example 1. Let be a eve iteger. The liear permutatio L of F 2, defied o the basis B as L (e i ) = ē e i (11) has β d (L ) = 4 ad it is also ivolutio. Further, observe that matrix represetig the map L is symmetric from which it follows that β l (L ) = 4. Next we give a family of liear permutatios with the differetial brach umber 4 defied over F 2 for odd values of Example 2. Let be a odd iteger. The liear permutatio L of F 2, defied o basis B as ē e i e i+1 if 0 i 2 L (e i ) = ē e 1 e 0 if i = 1 has the differetial brach umber 4. I both cases it is easy to show that the set {L (e 0 ),..., L (e 1 )} is a basis of F 2 assertig that the maps L ideed are bijectios. The fact that β d (L ) = 4 ca also be easily checked from the Defiitio 1 of the differetial brach umber for liear maps. Next we preset bouds for permutatios of F 2, for Differetial Brach Number of Permutatios of F 2, for 5 I this sectio we preset bouds o the differetial brach umber of a geeral permutatio of F 2. I the remaider of this paper we assume that 5 uless specified otherwise. We begi with some iitial observatios. uppose that x F 2 with wt(x) = δ for some δ 1. The x ca be expressed as x = ē e x1... e xδ for uique set of elemets e x1,... e xδ B. Usig this oe ca easily see the followig fact which we will be usig frequetly i this paper: Fact 1 For x, x F m 2 with x x, wt(x) δ ad wt(x ) δ we have wt(x x ) δ + δ. 12

13 Lemma 7. Let φ be a permutatio of F 2 with φ(0) = 0 ad the differetial brach umber β d (φ) = β + 1 for some 1 β 1. The we have for 0 i 1 β wt(φ(e i )) 2 β + 1 (12) ad for 0 i j 1, (β + 1) wt(φ(e i ) φ(e j )) 2 β. (1) Proof. From the defiitio of the differetial brach umber it follows that wt(φ(e i )) β, (14) as φ(0) = 0. The usig x = φ(e i ), x = φ(e j ) i Fact 1 we get Agai for every pair of idices i j wt(φ(e i ) φ(e j )) 2β. (15) wt(φ(e i ) φ(e j )) (β + 1). (16) Usig (14) ad (16) i Fact 1 we get (12). Further combiig (15) ad (16) we get (1). Lemma 8. Let δ be a iteger such that 1 δ. Deote by Wδ the followig set Wδ = {x F 2 : wt(x) = δ}. (17) The for ay x, x Wδ we have wt(x x ) = 2k for some 1 k δ. Further suppose V Wδ defied as the V δ. V = {x W δ : wt(x x ) = 2δ for all x V} Proof. First claim is obvious. To see secod part, first observe that give ay x Wδ there exist a uique set of elemets {e x1..., e xδ } B such that x = ē e x1 e xδ. A elemet y Wδ is i V if ad oly if {e y1..., e yδ } {e x1..., e xδ } = for every elemet x already i V. Cosequetly, we have V δ as required. Usig the above observatios we prove the followig boud o the differetial brach umber of a permutatio of F 2. Theorem 6. If 5 the for ay permutatio φ of F 2 we have β d (φ) 2. (18) 1

14 Proof. First it is easy to see that 2 =, ad hece we substitute the boud i (18) by to make the proof easy. O the cotrary to (18) assume that β d (φ) + 1. Usig β = i Lemma 7 we get wt(φ(e i )) (19) for 0 i 1, ad ( + 1) wt(φ(e i ) φ(e j )) 2 (20) for 0 i j 1. Now, recall that the iteger ca be writte as = + r (21) for a uique r such that 0 r 2. We prove our claim separately for each value of r. Case 1. r = 2. From (19) we have ad substitutig = + 2 i this we get 2 1 which is a cotradictio. Case 2. r = 1. I this case, by substitutig = + 1 the iequalities (19) ad (20) become the followig equalities wt(φ(e i )) = (22) wt(φ(e i ) φ(e j )) = 2 Note that both idetities i (22) must be satisfied by all the elemets of the set {φ(e 0 ),..., φ(e 1 )}. We show that this is impossible. ice wt(φ(e i )) = for all 0 i 1, we are i the situatio of Lemma 8 with φ(e i ) Wδ where δ =. Cosequetly, we see that there ca be at most = elemets φ(e r ), φ(e s ), φ(e t ) for which the latter idetity i (22) ca hold. O the other had, sice 5, there exists at least two basis elemets e u ad e v apart from e r, e s, e t, ad by Lemma 8 we will have wt(φ(e u ) φ(e v )) 2 (δ 1) < 2 which cotradicts (22). Case. r = 0. I this case we have = ad the iequalities (19), (20) simplify to wt(φ(e i )) = or + 1 (2) 14

15 wt(φ(e i ) φ(e j )) = 1 or (24) Note that for every elemet of {φ(e 0 ),..., φ(e 1 )} there are oly two possibilities for wt(φ(e i )) as i (2). First we show that wt(φ(e i )) = wt(φ(e j )) = + 1 caot hold, for i j, otherwise usig x = φ(e i ), x = φ(e j ) ad δ = δ = 1 i Fact 1 we get wt(φ(e i ) φ(e j )) 2( 1) = 2 < 1 cotradictig (24). Thus there ca be at most oe elemet φ(e i ) such that wt(φ(e i ) = + 1. Without loss of geerality assume that wt(φ(e0 )) = + 1, the it follows from (2) that for i = 1,..., 1 the weights of wt(φ((e i )) satisfy wt(φ(e i )) =. (25) Thus, we are i situatio of Lemma 8 with φ(e 1 ),..., φ(e 1 ) Wδ for δ =. Hece there ca be oly three elemets φ(e r ), φ(e s ), φ(e t ), 1 r s t 1 such that for ay two idices i, j {r, s, t} wt(φ(e i ) φ(e j )) = 2 δ = 2 holds. ice 5 there exist at least oe elemet e k, where k 0 ad also k / {r, s, t}. The for ay i {r, s, t} we must have (by Lemma 8) wt(φ(e k ) φ(e i )) 2(δ 1), which meas that wt(φ(e k ) φ(e i )) 2 2 < 1, cotradictig (24). This cocludes the proof of Case ad also of the theorem. 4. Compariso with Griesmer Boud Recall that Griesmer boud (Lemma 4) is applicable to liear permutatios oly. Notably our boud as i (18) works for ay permutatio. The Table shows differet with correspodig values of Griesmer Boud ad our boud (18). It is oticeable that our boud is very close to Griesmer boud, ad i fact matchig for some small values of. The Griesmer boud is ot sharp, for example for a [8, 4] biary liear code the maximum possible miimum distace d is 5 (see [1]), whereas the Griesmer boud says d 6. Our boud for the differetial brach umber of permutatios of F 8 2 is also 6. At this momet we also do ot kow the existece of ay oliear permutatio with the differetial brach umber 6, ad i geeral for F 2 with 5, it is ot kow whether there is ay oliear permutatio for which the boud of the differetial brach umber is achieved. We suspect that like Griesmer boud our boud is also ot sharp i geeral. 15

16 Griesmer Boud Our Boud Table. Compariso betwee the differetial brach umber of liear permutatios obtaied from Griesmer boud ad that of geeral permutatios obtaied from our boud (18). 5 Coclusios I this paper we have aalyzed the differetial ad the lear brach umbers of permutatios. We have theoretically proved that 4 4 -boxes ca have the maximum differetial brach umber. This is importat for the desigers who are aimig to costruct lightweight block ciphers followig the desig like PREENT. We have also preseted upper bouds o both the liear ad the differetial brach umbers for permutatios over F 2, for geeral. We feel that there is still a scope of improvig these bouds. We showed that the maximum differetial brach umber ad the maximum liear brach umber of lier permutatios match. However, it is ot kow whether the same happes for oliear permutatios as well. It will be iterestig to pursue the followig questio. Questio 1. Ca a -box achieve both the maximum liear ad differetial brach umbers? As we have see that the differetial brach umber is associated with differece distributio table, whereas the liear brach umber is associated with the correlatio matrix. Therefore, if there is a relatio betwee these two matrices, the probably we have the aswer to Questio 1. I fact [17] has show that there is a relatioship betwee the DDT ad the correlatio matrix (i a differet form). Let C 2 φ deote the followig matrix which is derived from the correlatio matrix of φ. Recall from (1) that the correlatio coefficiet of φ with respect to (α, β) is give 16

17 by C φ (α, β) = αt x β t φ(x) ( 1) x F 2 Now defie C 2 φ = [C2 φ (α, β)] 2 2 as the matrix whose (α, β)-th elemet is give by (C φ (α, β)) 2. The we have the followig relatio as metioed i [17, Lemma 2 (iii)] C 2 φ = H D φ H, (26) where H is the Hadamard matrix of order 2 2. It will be iterestig to explore (26) i order to establish a relatioship betwee the liear ad the differetial brach umbers. Refereces 1. Bouds o the miimum distace of liear codes over GF(2). codetables.de/bklc/tables.php?q=2&0=1&1=256&k0=1&k1=256. Accessed: August 25, Baik,. K. Padey, T. Peyri, Y. asaki,. M. im, ad Y. Todo. Gift: a small preset. I Iteratioal Coferece o Cryptographic Hardware ad Embedded ystems, pages priger, E. Biham ad A. hamir. Differetial cryptaalysis of DE-like cryptosystems. I Proceedigs of the 10th Aual Iteratioal Cryptology Coferece o Advaces i Cryptology, CRYPTO 90, pages 2 21, Lodo, UK, UK, priger-verlag. 4. A. Bogdaov, L. R. Kudse, G. Leader, C. Paar, A. Poschma, M. J. B. Robshaw, Y. euri, ad C. Vikkelsoe. PREENT: A Ultra-Lightweight Block Cipher. I P. Paillier ad I. Verbauwhede, editors, Cryptographic Hardware ad Embedded ystems - CHE 2007, volume 4727 of LNC, pages priger, C. Carlet. Vectorial Boolea fuctios for cryptography. I P. H. Y. Crama, editor, Boolea Methods ad Models. Cambridge Uiversity Press, J. Daeme ad V. Rijme. The wide trail desig strategy. I B. Hoary, editor, Cryptography ad Codig, 8th IMA Iteratioal Coferece, Cirecester, UK, December 17-19, 2001, Proceedigs, volume 2260 of Lecture Notes i Computer ciece, pages priger, J. Daeme ad V. Rijme. The Desig of Rijdael: AE - The Advaced Ecryptio tadard. Iformatio ecurity ad Cryptography. priger, J. Griesmer. A boud for error-correctig codes. IBM Joural of Research Developmet, 7:52 542, J. Jea. TikZ for Cryptographers G. Leader ad A. Poschma. O the classificatio of 4 bit -boxes. I C. Carlet ad B. uar, editors, Arithmetic of Fiite Fields, First Iteratioal Workshop, WAIFI 2007, Madrid, pai, Jue 21-22, 2007, Proceedigs, volume 4547 of Lecture Notes i Computer ciece, pages priger, F. J. Macwilliams ad N. J. A. loae. The Theory of Error-Correctig Codes (North-Hollad Mathematical Library). North Hollad, Jauary M. Matsui. Liear cryptaalysis method for DE cipher. I Workshop o the Theory ad Applicatio of Cryptographic Techiques o Advaces i Cryptology, EUROCRYPT 9, pages 86 97, ecaucus, NJ, UA, priger-verlag New York, Ic. 17

18 1. M. O. aarie. Cryptographic aalysis of all 4 4-bit -boxes. I A. Miri ad. Vaudeay, editors, elected Areas i Cryptography - 18th Iteratioal Workshop, AC 2011, Toroto, ON, Caada, August 11-12, 2011, Revised elected Papers, volume 7118 of Lecture Notes i Computer ciece, pages priger, C. E. hao. Commuicatio theory of secrecy systems. Bell ystem Techical Joural, Vol 28, pp , October T. hirai, K. hibutai, T. Akishita,. Moriai, ad T. Iwata. The 128-Bit Blockcipher CLEFIA (Exteded Abstract). I A. Biryukov, editor, Fast oftware Ecryptio, 14th Iteratioal Workshop, FE 2007, Luxembourg, Luxembourg, March 26-28, 2007, Revised elected Papers, volume 459 of Lecture Notes i Computer ciece, pages priger, T. iegethaler. Correlatio-immuity of oliear combiig fuctios for cryptographic applicatios (corresp.). IEEE Trasactios o Iformatio theory, 0(5): , X. Zhag, Y. Zheg, ad H. Imai. Relatig differetial distributio tables to other properties of of substitutio boxes. Des. Codes Cryptography, 19(1):45 6,