Bitwise Linear Mappings with Good Cryptographic Properties and Efficient Implementation

Noname manuscript No. (will be inserted by the editor) Bitwise Linear Mappings with Good Cryptographic Properties and Efficient Implementation S. M. Dehnavi A. Mahmoodi Rishakani M. R. Mirzaee Shamsabad Received: date / Accepted: date Abstract Linear mappings are crucial components of symmetric ciphers. A special type of linear mappings are (0,)-matrices which have been used in symmetric ciphers such as ARIA, E2 and Camellia as diffusion layers with efficient implementation. Bitwise linear maps are also used in symmetric ciphers such as SHA family of hash functions and HC family of stream ciphers. In this article, we investigate a special kind of linear mappings: based upon this study, we propose several linear mappings with only XOR and rotation operations. The corresponding matrices of these mappings can be used in either the former case as (0,)-matrices of maximal branch number or in the latter case as linear mappings with good cryptographic properties. The proposed mappings and their corresponding matrices can be efficiently implemented both in software and hardware. Keywords (0,)-matrix Bitwise linear map Branch number Diffusion layer Symmetric cipher Introduction Linear mappings are crucial components of symmetric ciphers. MDS matrices are used as diffusion layers in symmetric ciphers [9 3]. Another type of diffusion layers are (0,)-matrices. This type of matrices are used in symmetric ciphers such as ARIA [2], E2 [5] and Camellia [] as diffusion layers with low S. M. Dehnavi Department of Mathematical and Computer Sciences, Kharazmi University, Tehran, Iran E-mail: std dehnavism@khu.ac.ir A. Mahmoodi Rishakani Department of Sciences, Shahid Rajaee Teacher Training University, Tehran, Iran M. R. Mirzaee Shamsabad Department of Mathematics and Computer Science, Shahid Bahonar University, Kerman, Iran

2 S. M. Dehnavi et al. implementation cost. Bitwise linear maps are also used in symmetric ciphers such as SHA family [6] of hash functions and HC family [7,8] of stream ciphers. In this article, we examine a special type of (bitwise) linear mappings: based upon this investigation, we propose several linear mappings. The corresponding matrices of these mappings can be used as (0,)-matrices of maximal branch number with low implementation cost. Also, these mappings can be applied as linear mappings with good cryptographic properties. The presented mappings or their corresponding matrices can be efficiently implemented both in software and hardware: in comparison to [3, 4, 4] our proposed mappings have lower implementation costs. In Section 2 we present preliminary notations and definitions. Section 3 is devoted to main theorem of the paper. Section 4 examines the implementation of the proposed mappings. In Section 5 we present a block cipher with large blocks, based on the proposed mappings. 2 Notations and Definitions Hamming weight of a natural number or binary vector x is denoted by w(x). The i-th bit of a natural number or a binary vector x is denoted by x i. The notation is used for AND operation, for left rotation operation and for XOR operation. The all-one vector is denoted by and the zero vector by 0. The finite field of order 2 t is denoted by F 2 t. There is a one-to-one correspondence between Z 2 n, the ring of integers modulo 2 n and F n Cartesian product of n copies of F 2 : φ : F n 2 Z 2 n, n x = (x n,..., x 0 ) φ(x) = x i 2 i. We use this correspondence throughout the paper. Every function f : F2 m F 2 is called a Boolean function and every function f : F2 m F2 n with n > is called a vectorial Boolean function or a Boolean map. Such a function can be represented as (f n,..., f 0 ): the Boolean function f i : F2 m F 0 i < n, is called the i-th component of f. We denote the set of all n n matrices over F 2 by M n (F 2 ). A function f : F2 n F2 n with the property i=0 f(x y) = f(x) f(y), x, y F n is called a (bitwise) linear map. Obviously, there is a matrix in M n (F 2 ) which we denote by M f such that Here, M T f is the transpose of M f. f(x) = xm T f, x F n 2.

Linear Mappings with Good Cryptographic Properties 3 Let f : F n 2 F n 2 be a linear map. The differential branch number of f is defined as b d f = min{w(x) + w(f(x))} = min {w(x) + w(xm f T )}. x 0 x 0 The linear branch number of f is defined as b l f = min x 0 {w(x) + w(xm f )}. If we have b d f = bl f, then we say that the branch number of f is bd f and denote it by b f. Let n be a natural number. We define L n = {f : F2 2n F2 2n : f(x) = (x i j ), 0 i <... < i t < 2 n, t = mod 2, t > }. Let f be in L n. It is not hard to see that the rows of M f are cyclic shifts of each other and any row of M f has t ones: in this case we write w f = t. Example Consider the linear mapping f L 2 with f : F 4 2 F 4 We have f(x) = x (x ) (x 3). f(x 3, x x, x 0 ) = (x 2 x 0 x 3, x x 3 x x 0 x 2 x, x 3 x x 0 ), or equivalently, f(x) = xmf T = (x 3, x x, x 0 ) 0 0 0 0. Here, w f = 3. We denote the r times composition of a mapping f by itself by f (r). For example we have f (3) (x) = f f f(x). We denote by o f the order of a linear invertible mapping: o f is the least natural number such that f (o f ) is the identity function. The number of fixed points of a mapping f, i.e. the points with property f(x) = x, is denoted by p f. The complement of a binary vector x is denoted by x. Let R be a finite commutative ring with identity. We denote by R the set of all invertible elements of R, by R[x] the ring of polynomials over R R[x] <p(x)> and by the ring of polynomials modulo a polynomial p(x) R[x]. Let p(x) R[x]; we denote by w(p) the number of terms in standard representation of p(x).

4 S. M. Dehnavi et al. 3 Main Theorem In this section, we investigate some properties of L n from mathematical viewpoint and lay a theoretical foundation for applications presented in following sections. Theorem Let f L n with Then, f(x) = (x i j ), 0 i <... < i t < 2 n, t = mod 2, t >. a) The order of f is a power of two and f = f (2n ). b)f(x) = f(x) and for any r < 2 n we have f(x r) = f(x) r. c) w(x) = w(f(x)) mod 2. d) b d f = bl f. e) b f = 0 mod 2, and 4 b f t +. f) max x {w(x) + w(f(x))} = 2 n+ b f. g) The number of fixed points of f is a power of two and 2 p f 2 n. Proof a) We have and by induction, f (2) (x) = f (2n) (x) = (x (2i j mod 2 n )), (x (2 n i j mod 2 n )). Since x (2 n i j mod 2 n ) = x for every x F 2n 2 and t is odd, then which means that o f f (2n) (x) = x, x F 2n is a power of two, f is invertible and f (x) = f (2n ) (x), x F 2n 2. b) We note that for every natural number r and every odd natural number q we have (x r) = x r, r < 2 n,

Linear Mappings with Good Cryptographic Properties 5 q x i = i= q x i. This means that f(x) = f(x). c) Let e k be the binary representation of 2 k for every nonnegative integer k. We prove the fact by induction on the weight of the input. We have f(0) = 0 and f(e k ) = e k+ij, 0 k < 2 n. mod 2 n This means that w(f(e k )) = t, 0 k < 2 n, which is an odd number. Now suppose that the induction hypothesis is true for k = r, r < 2 n. We prove that for every x F2 2n with w(x) = r + we have i= w(x) = w(f(x)) mod 2. We know that there exist 0 j < 2 n and x F 2n 2 such that x = x e j. By the identity w(x y) = w(x) + w(y) 2w(x y), we get Now by induction hypothesis and () we have w(x y) = w(x) + w(y) mod 2. () w(f(x)) = w(f(x e j )) = w(f(x )) + w(f(e j )) mod 2 = w(x ) + w(e j ) mod 2 = w(x e j ) mod 2 d) We know that = w(x) mod 2. f(x 2 n,..., x 0 ) = (y 2 n,..., y 0 ), with y s = x s+2 n ij, 0 s < 2 n. mod 2 n For f L n, corresponding to Mf T, we have f (x 2n,..., x 0 ) = (z 2n,..., z 0 ), with z s = x s+ij, 0 s < 2 n. mod 2 n

6 S. M. Dehnavi et al. Define ϕ : F 2n 2 F 2n ϕ(x 2 n, x 2 n 2,..., x x, x 0 ) = (x, x..., x 2 n 2, x 2 n, x 0 ). We note that for every x F 2n 2 we have w(x) = w(ϕ(x)). Also because and Now w(f (x)) = w(f(ϕ(x))), (f (x)) 0 = (f(ϕ(x)) 0, x F 2n (f (x)) s = (f(ϕ(x)) 2n s, 0 < s < 2 n. b d f = min{w(x) + w(f(x))} x 0 = min{w(ϕ(x)) + w(f(ϕ(x)))} x 0 = min x 0 {w(x) + w(f (x))} = b d f = b l f. e) By Case c, b f is even. Besides, f is a permutation and for every x F 2n 2 with w(x) = we have w(f(x)) = t. So 4 b f t +. f) We have So, from Case b, b f = min{w(x) + w(f(x))}. x 0 2 n+ b f = max x 0 {2n w(x) + 2 n w(f(x))} = max{w(x) + w(f(x))} x 0 = max{w(x) + w(f(x))}. x g) We know that fixed points of every linear mapping construct a linear subspace of F2 2n and so p f would be a power of two. Now since f(0) = 0 and f() = and f cannot be the identity function, we get 2 p f 2 n. We know that in designing bitwise linear maps, the most desirable targets are F2 6, F2 32 and F2 64, because almost all of the modern processors are 6, 32 or 64-bits. Also, in the case of (0,)-matrices, these numbers are suitable. We have verified the following lemma by programming:

Linear Mappings with Good Cryptographic Properties 7 Lemma Let and f t (x) = g t (x) = Then we have i=0 i=0 f t : F 6 2 F 6 ( ( i(i + ) x 2 ( ( i(i + ) x 2 g t : F 32 2 F 32 )) mod 6, t = 2, 4, 6, )) mod 3 t = 2, 4, 6, 8, 0. b ft = t + 2, t = 2, 4, 6, and b gt = t + 2, t = 2, 4, 6, 8, 0. We know that f 6 and g 0 are mappings of maximal (known) branch number [5,6]. As a practical application, suppose that m is a natural number: the matrix M g0 is a (0,)-matrix that can be viewed as a matrix over F 2 m. So, the branch number of M g0 with respect to m-bit words [3] would be 2. In some applications in symmetric cryptography, like the case of block ciphers with SPN structure, we should know the inverse of mappings. In the following examples, we present linear mappings of maximal branch number with the property that the implementation cost for the mapping itself and its inverse are the same. Example 2 We have found the following mapping in L 4 by programming: with f : F 6 2 F 6 f(x) = x (x ) (x 2) (x 3) (x 4) (x ) (x 4), f (x) = x (x 2) (x 5) (x 2) (x 3) (x 4) (x 5). The mappings f anf f have the following properties p f = p f = 2, b f = b f = 8, w f = w f = 7. We know that b f is the maximal value [5,6] and p f is the minimum value.

8 S. M. Dehnavi et al. Example 3 We have found the following mapping in L 5 by programming: with f : F 32 2 F 32 f(x) = x (x 8) (x 9) (x 2) (x 22) (x 24) (x 25) (x 26) (x 28) (x 29) (x 30), f (x) = (x 2) (x 4) (x 5) (x 7) (x 8) (x 0) (x 5) (x 6) (x 7) (x 9) (x 26). The mappings f anf f have the following properties p f = p f = 2, b f = b f = 2, w f = w f =. We know that b f is the maximal (known) value [5,6] and p f is the minimum value. 4 Implementation In this section, we examine some algebraic properties of L n and based on this investigation, we present linear mappings with efficient implementation in software and hardware. There is a natural one-to-one correspondence between F 2 n and which maps a = (a 2n,..., a, a 0 ) F 2 n, to 2 n i=0 a i x i F 2 [x] < x 2n >. F 2 [x] <x 2n > Moreover, there is a similar correspondence between mappings in L n and invertible elements of 2 [x] F <x 2n > \ {xi : 0 i < 2 n } which maps f(x) = (x i j ), 0 i <... < i t < 2 n, t = mod 2, t >, to x i j. Now it is easy to verify that for every a F2 2n, f(a) corresponds to ( 2 ) n a i x i x i j mod (x 2n ). i=0

Linear Mappings with Good Cryptographic Properties 9 Example 4 Consider f L 3 as f : F 8 2 F 8 f(x) = x (x 2) (x 5). Let a = (, 0, 0, 0,,, 0, 0). We have f(a) = (0, 0,, 0,,,, ). If we correspond the mappings in L 3 with invertible polynomials in F 2[x] <x 8 > \{xi : 0 i < 8} and the vectors in F2 8 with polynomials in F2[x] <x 8 >, then f(a) corresponds to fa mod (x 8 ). In fact we have fa mod (x 8 ) = ( x 2 x 5 )(x 2 x 3 x 7 ) mod (x 8 ) = x x 2 x 3 x 5, which corresponds to (0, 0,, 0,,,, ). Note Let n be a natural number and R be the ring R = {p R : w(p) = mod 2}. F 2[x]. We have <x 2n > Example 5 Let f : F 6 2 F 6 f (x) = (x 3) (x 4) (x 9), and f 2 : F 6 2 F 6 It is straightforward to verify that f 2 (x) = x (x 7) (x 3). f f 2 (x) = x (x 3) (x 4) (x 6) (x 9) (x 0) (x ). Now, considering the corresponding polynomials in we have p = x 3 x 4 x 9, p 2 = x 7 x 3, F 2 [x] <x 6 >, p p 2 mod (x 6 ) = x x 3 x 4 x 6 x 9 x 0 x, which corresponds to f f 2.

0 S. M. Dehnavi et al. From the algebraic viewpoint, R = (L n,, ) is a finite commutative ring with identity. Here is the operator of composition of functions and L n = {f : F 2n 2 F 2n 2 : f(x) = (x i j ), 0 i <... < i t < 2 n, 0 t < 2 n }. We note that t in the above definition is a nonnegative integer and the case t = 0 means that the zero function is contained in L n. Let R 2 = F2[x] ( <x 2n >, G = (F2 n, ) and G 2 = F2 [x] ). <x 2n >, Obviously, G is an R -module with scalar product fa := f(a), a F2 n, f L n, and G 2 is an R 2 -module with natural scalar product. With regard to previous discussions, the proof of next theorem is easy. Theorem 2 As stated above, G is an R -module and G 2 is an R 2 -module. There is an isomorphism of modules between these two modules. Further, a) We have the one-to-one corrspondence with the property ψ( ψ : R 2 \ {x} L n, x i j ) = (x i j ), ψ(p p 2 ) = ψ(p ) ψ(p 2 ), p, p 2 R 2. b) Let a = (a 2n,..., a, a 0 ) be in F2 2n. There is also a one-to-one correspondence between {f(a) : a F2 2n } and {ψ(f)a mod (x 2n ) : a = 2 n i=0 a i x i }. Based upon the previous mathematical investigation, we were motivated to search multiplication of polynomials or composition of functions. We found some mappings of this type and of maximal branch number by programming. These mappings have lower implementation costs compared to what is presented in cryptographic literature [3, 4, 4], up to our knowledge. Example 6 Consider the linear mappings We have p f = 2 and b f = 2. f, f f 3, f : F 32 2 F 32 f (x) = x (x ) (x 2), f 2 (x) = x (x 2) (x 7), f 3 (x) = x (x 4) (x 0), f(x) = f f 2 f 3 (x).

Linear Mappings with Good Cryptographic Properties Note 2 Let m and s be natural numbers and M M m (F 2 ). A rough estimation for the number of XOR operations needed in implementing the action of M on s-bit words is the total number of one entries in M. Now, it is clear that for any (0,)-matrix M in M 32 (F 2 ) with maximal (known) branch number 2, the total number of one entries is lower bounded by 32 = 352 and the lower buond for XOR s needed for implementation of M is 32 0 = 320: the mapping in Example 3 has this property. Note that we have not done any other optimizations. The matrix that corresponds to the mapping of Example 6 can be implemented just with 2 3 32 = 92 XOR s without optimization, which is the best, up to our knowledge. 5 Block Ciphers with Large Block Size In this section, we verify further algebraic properties of L n and propose a block ciher with large block size. The proof of the following lemma is easy. Lemma 2 Let n be a natural number and p are χ 0, χ F 2[x] <x 2n > such that p = χ 0 x 2n χ. F 2 [x]. We know that there <x 2n+ > We have In particular, w(p mod (x 2n )) = w(χ χ 0 ). w(p) w(p mod (x 2n )). Theorem 3 Suppose that n, t with t = mod 2, t > and 0 i <... < i t < 2 n are natural numbers and the mapping f L n with f : F 2n 2 F 2n f(x) = (x i j ), is given. Consider the mapping g L n+ with g : F 2n+ 2 F 2n+ g(x) = (x i j ). Then we have b g b f, and in the case that b f = t +, we have b g = b f.

2 S. M. Dehnavi et al. F Proof Suppose that a is a nonzero element in 2 [x]. Let the corresponding polynomial of f in 2[x] <x 2n+ > F <x 2n > be p. We know that there are χ 0, χ F2[x] <x 2n > such that a = χ 0 x 2n χ. We distinguish two cases: a) χ χ 0 : In this case g(a) is equivalent to We know that pa mod (x 2n+ ). w(pa mod (x 2n+ )) = w(p(χ 0 x 2n χ ) mod (x 2n+ )) w(p(χ 0 χ ) mod (x 2n )), by Lemma 2. Now by the above discussion, equation () and the fact that χ 0 χ 0, we have w(a) + w(g(a)) w(χ ) + w(χ 0 ) + w(p(χ 0 χ ) mod (x 2n )) b) χ = χ 0 = χ: Let w(χ χ 0 ) + w(p(χ 0 χ ) mod (x 2n )) b f. pχ mod (x 2n+ ) = γ 0 x 2n γ, and γ = γ 0 γ. It is not hard to see that On the other hand, Thus, pa mod (x 2n+ ) = γ x 2n γ. pχ mod (x 2n ) = γ. w(a) + w(g(a)) = 2w(χ) + w(pa mod (x 2n+ )) = 2w(χ) + 2w(pχ mod (x 2n )) 2b f b f. F Since the above discussion is true for every nonzero a in 2[x], so we <x 2n+ > have b g b f. Since for any a F2 2n+ with w(a) =, we have w(a) + w(g(a)) = t +, then for the case that b f = t +, we have b g = b f.

Linear Mappings with Good Cryptographic Properties 3 Example 7 (A Block Cipher with Large Block Size) Consider with f = f f 2 f 3 and f, f, f f 3 : F2 64 F2 64 f (x) = x (x ) (x 2), f 2 (x) = x (x 2) (x 7), f 3 (x) = x (x 4) (x 0). By Theorem 3 and Example 6, b f = 2. Consider M f as a (0,)-matrix over F 2 6; the branch number of M f with respect to 6-bit words would be 2. Now we can design a block cipher with Feistel scheme and with internal SPN structure. The internal structure consists of subkey XORing, a layer of 64 parallel Sboxes and diffusion layer M f. If we use the inverse map over F2 6 as the Sbox, then the probability of differential and linear characteristics of one round of the proposed cipher is bounded by 2 4 2 = 2 68. Since the block size is 2048 bits, so, 2 rounds of this type has practical security against differential and linear cryptanalysis. Because our purpose in this article is not designing a cipher, so we did not present a key schedule for the presented cipher, although it can be designed with the aid of its round. The proposed cipher suits modern 64-bit processors. References. K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai, J. Nakajima and T. Tokita, Camellia: a 28-bit block cipher suitable for multiple platforms - design and analysis, in Proceedings of the 7th Annual International Workshop on Selected Areas in Cryptography (SAC 00), vol. 202 of Lecture Notes in Computer Science, pp. 39-56, 2000. 2. Daesung Kwon, Jaesung Kim, S. Park, Sangwoo Park, Soo Hak Sung, Yaekwon Sohn, Jung Hwan Song, Yongjin Yeom, E-Joong Yoon, Sangjin Lee, Jaewon Lee, Seongtaek Chee, Daewan Han, and Jin Hong, New block cipher: ARIA, in Information Security and Cryptology-ICISC 2003, vol. 297 of Lecture Notes in Computer Science, pp. 432-445, Springer, Berlin, Germany, 2004. 3. B. Aslan and M. T. Sakall, Algebraic construction of cryptographically good binary linear transformations, Security and Communication Networks, vol. 7, no., pp. 53-63, 204. 4. M. T. Sakall and B. Aslan, On the algebraic construction of cryptographically good 32 32 binary linear transformations, Journal of Computational and Applied Mathematics, vol. 259, pp. 485-494, 204.

4 S. M. Dehnavi et al. 5. M. Kanda, S. Moriai, K. Aoki, H. Ueda, Y. Takashima, K. Ohta, and T. Matsumoto, E2 - A New 28-bit Block Cipher, IEICE Transactions Fundamentals - Special Section on Cryptography and Information Security, vol. E83-A no., pp. 48-59, 2000. 6. Secure Hash Standard, FIPS PUB 80-4, available via http://csrc.nist.gov/publications/fips/fips80-4/fips-80-4.pdf 7. Wu, Hongjun, A New Stream Cipher HC-256. Fast Software Encryption - FSE 2004, LNCS 307: 226-244. 8. Wu, Hongjun (2004). The Stream Cipher HC-28 available via http://www.ecrypt.eu.org/stream/p3ciphers/hc/hc28 p3.pdf 9. J. Daemen, V. Rijmen, AES proposal: Rijndael. Selected as the Advanced Encryption Standard. Available from http://nist.gov/aes 0. B. Schneier, J. Kelsey, D. Whiting, D. Wagner, C. Hall, N. Ferguson, Twofish: A 28-bit Block Cipher; 5 June, 998. P. Ekdahl, T. Johansson, SNOW a new stream cipher, Proceedings of first NESSIE Workshop, Heverlee, Belgium, 2000 2. Chinese State Bureau of Cryptography Administration, Cryptographic algorithms SMS4 used in wireless LAN products, available at: http://www.oscca.gov.cn/doc/6/news- 06.htm 3. A Mahmoodi Rishakani, S. M. Dehnavi, M. R. Mirzaee Shamsabad, Hamidreza Maimani, Einollah Pasha, New concepts in design of lightweight MDS diffusion layers, th International ISC Conference on Information Security and Cryptology (ISCISC), 204 4. Bon Wook Koo, Hwan Seok Jang, Jung Hwan Song, On Constructing of a 32 32 Binary Matrix as a Diffusion Layer for a 256-Bit Block Cipher, Information Security and Cryptology - ICISC 2006. 5. Markus Grassl, Bounds on the Minimum Distance of Linear Codes and Quantum Codes, 2009, Available at http://www.codetables.de 6. Wolfgang Ch. Schmid and Rudolf Schurer, MinT, the online database for optimal parameters of (t, m, s)-nets, 2009, Available via http://mint.sbg.ac.at