diffusion layer

The diffusion layer plays an important role in a block cipher. Some block ciphers, such as ARIA, Camellia, and Skinny use binary matrices as diffusion layers which can be efficiently implemented in hardware and software. In this paper, the goal is to propose some new binary matrices with suitable values for the active S-boxes for R rounds. Firstly, some new $16 \times 16$ matrices are proposed whose software implementations are better than the corresponding one for the ARIA block cipher. Also, the values for the minimum active S-boxes for these matrices are greater than the corresponding values for the ARIA block cipher for $R>5$.To design $32 \times 32$ matrices, a structure with a special form is proposed. Using this structure, a $32\times 32$ binary matrix is proposed which guarantees at least 48 active S-boxes for 8 rounds of an SPN structure with this matrix as its diffusion layer. By extending this structure, a $32\times 32$ non-binary matrix is presented which results in at least 60 active S-boxes after 8 rounds.

In terms of security, MDS matrices are one of the best choices for diffusion layer of block ciphers. However, as these matrices grow in size, their software implementation becomes a challenge. In this paper, to benefit from the properties of MDS matrices and avoid the mentioned challenge, we use 4*4 MDS matrices to build some 16*16 matrices with low number of zero elements. We show that if these matrices are used as diffusion layer of software-based SPN structures, the resulting block ciphers have similar properties as AES in software implementation complexity (i.e. the number of required CPU instructions) and resistance against linear and differential attacks. Moreover, the best impossible differential and square distinguishers for the proposed 16*16 structures have similar length as SPN structures with 16*16 MDS matrices. Thus, the new structures outperform AES with respect to the impossible differential and square attacks. Additionally, we show that if the proposed SPN structure uses the AES key schedule, its results for the differential related-key attacks are better than those for AES. We also extend the idea and use 4*4 MDS matrices to design 24*24 and 32*32 matrices with acceptable properties for SPN structure design. Finally, we extend the idea to propose some matrices for Feistel structures with SP-type F-functions. We show that the resulting structures are more secure than the improved type-II GFS.

Linear diffusion layer is an important part of lightweight block ciphers and hash functions. This paper presents an efficient class of lightweight 4x4 MDS matrices such that the implementation cost of them and their corresponding inverses are equal. The main target of the paper is hardware oriented cryptographic primitives and the implementation cost is measured in terms of the required number of XORs. Firstly, we mathematically characterize the MDS property of a class of matrices (derived from the product of binary matrices and companion matrices of $\sigma$-LFSRs aka recursive diffusion layers) whose implementation cost is $10m+4$ XORs for 4 <= m <= 8, where $m$ is the bit length of inputs. Then, based on the mathematical investigation, we further extend the search space and propose new families of 4x 4 MDS matrices with 8m+4 and 8m+3 XOR implementation cost. The lightest MDS matrices by our new approach have the same implementation cost as the lightest existent matrix.