**Specifying cycles of minimal length for commonly used linear layers in block ciphers**

*Guoqiang Deng and Yongzhuang Wei and Xuefeng Duan and Enes Pasalic and Samir Hodzic*

**Abstract: **With the advances of Internet-of-Things (IoT) applications in smart cities and the pervasiveness of network devices with limited resources, lightweight block ciphers have achieved rapid development recently.
Due to their relatively simple key schedule, nonlinear invariant attacks have been successfully applied to several families of lightweight block ciphers.
This attack relies on the existence of a nonlinear invariant $g:\F_2^n \rightarrow \F_2$ for the round function $F_k$ so that $g(x) + g(F_k(x))$ is constant for any input value $x$.
Whereas invariants of the entire $S$-box layer has been studied in terms of the corresponding cycle structure [TLS16,WRP20] (assuming the use of bijective S-boxes), a similar analysis for the linear layer has not been performed yet.
In this article, we provide a theoretical analysis for specifying the minimal length of cycles for commonly used linear permutations (implementing linear layers) in lightweight block ciphers. Namely, using a suitable matrix representation, we exactly specify the minimal cycle lengths for those (efficiently implemented) linear layers that employ ShiftRows, Rotational-XOR and circular Boolean matrix operations which can be found in many well-known families of block ciphers. These results are practically useful for the purpose of finding nonlinear invariants of the entire encryption rounds since these can be specified using the intersection of cycles corresponding to the linear and S-box layer. We also apply our theoretical analysis practically and specify minimal cycle lengths of linear layers for certain families of block ciphers including some NIST candidates.

**Category / Keywords: **secret-key cryptography / Cyclic shift; XOR; Cycle of linear layer; Permutation matrix; Nonlinear invariant

**Date: **received 23 Sep 2020

**Contact author: **enes pasalic6 at gmail com

**Available format(s): **PDF | BibTeX Citation

**Version: **20200925:184707 (All versions of this report)

**Short URL: **ia.cr/2020/1163

[ Cryptology ePrint archive ]