Paper 2023/1803
Design of a Linear Layer Optimised for Bitsliced 32-bit Implementation
Abstract
The linear layer of block ciphers plays an important role in their security. In particular, ciphers designed following the wide-trail strategy use the branch number of the linear layer to derive bounds on the probability of linear and differential trails. At FSE 2014, the LS-design construction was introduced as a simple and regular structure to design bitsliced block ciphers. It considers the internal state as a bit matrix, and alternately applies an identical S-Box on all the columns, and an identical L-Box on all the lines. Security bounds are derived from the branch number of the L-Box. In this paper, we focus on bitsliced linear layers inspired by the LS-design construction and the Spook AEAD algorithm. We study the construction of bitsliced linear transformations with efficient implementations using XORs and rotations (optimized for bitsliced ciphers implemented on 32-bit processors), and a high branch number. In order to increase the density of the activity patterns, the linear layer is designed on the whole state, rather than using multiple parallel copies of an L-Box. Our main result is a linear layer for 128-bit ciphers with branch number 21, improving upon the best 32-bit transformation with branch number 12, and that of Spook with branch number 16.
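To make the branch-number criterion concrete, the following added example (not code from the paper or its authors) exhaustively computes the bit-level branch number of a toy L-Box built only from XORs and rotations. The 8- and 16-bit widths and the rotation sets are assumptions chosen so the search finishes instantly; they are not the paper's linear layer.

```python
from typing import Callable, List, Sequence


def rotl(x: int, r: int, width: int) -> int:
    """Rotate a width-bit word left by r positions."""
    r %= width
    mask = (1 << width) - 1
    return ((x << r) | (x >> (width - r))) & mask


def make_lbox(rotations: Sequence[int], width: int) -> Callable[[int], int]:
    """Toy L-Box: L(x) = XOR of rotl(x, r) over the given rotation amounts."""
    def lbox(x: int) -> int:
        y = 0
        for r in rotations:
            y ^= rotl(x, r, width)
        return y
    return lbox


def transpose_rotations(rotations: Sequence[int], width: int) -> List[int]:
    """Rotations of the transposed map, which governs linear (mask) trails."""
    return [(-r) % width for r in rotations]


def branch_number(lbox: Callable[[int], int], width: int) -> int:
    """min over x != 0 of wt(x) + wt(L(x)), with wt the Hamming weight.

    In an LS-design each bit of a line belongs to a different column, so
    this counts the active S-Boxes before and after the L-Box.
    """
    best = 2 * width
    for x in range(1, 1 << width):
        best = min(best, bin(x).count("1") + bin(lbox(x)).count("1"))
    return best


if __name__ == "__main__":
    width = 16  # assumed toy width; the paper targets 32-bit words
    for rots in ([0], [0, 3, 7], [0, 1, 3, 6, 10]):  # assumed rotation sets
        diff = branch_number(make_lbox(rots, width), width)
        lin = branch_number(make_lbox(transpose_rotations(rots, width), width), width)
        print(f"rotations={rots}: differential={diff}, linear={lin}")
```

A single active input bit always produces as many active output bits as there are distinct rotations, so a map with k rotation terms can never exceed branch number k + 1.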
Metadata
- Category: Secret-key cryptography
- Publication info: Preprint.
- Keywords: Bitsliced cipher, Linear layer, Branch number
- Contact author(s): gaetan leurent @ inria fr, clara pernot @ inria fr
- History
  - 2023-11-24: approved
  - 2023-11-22: received
- Short URL: https://ia.cr/2023/1803
- License: CC BY
BibTeX
@misc{cryptoeprint:2023/1803,
      author = {Gaëtan Leurent and Clara Pernot},
      title = {Design of a Linear Layer Optimised for Bitsliced 32-bit Implementation},
      howpublished = {Cryptology {ePrint} Archive, Paper 2023/1803},
      year = {2023},
      url = {https://eprint.iacr.org/2023/1803}
}