CryptoDB
Design of a Linear Layer Optimised for Bitsliced 32-bit Implementation
| Authors: |
|
|---|---|
| Download: | |
| Abstract: | The linear layer of block ciphers plays an important role in their security In particular, ciphers designed following the wide-trail strategy use the branch number of the linear layer to derive bounds on the probability of linear and differential trails. At FSE 2014, the LS-design construction was introduced as a simple and regular structure to design bitsliced block ciphers. It considers the internal state as a bit matrix, and applies alternatively an identical S-Box on all the columns, and an identical L-Box on all the lines. Security bounds are derived from the branch number of the L-Box.In this paper, we focus on bitsliced linear layers inspired by the LS-design construction and the Spook AEAD algorithm. We study the construction of bitsliced linear transformations with efficient implementations using XORs and rotations (optimized for bitsliced ciphers implemented on 32-bit processors), and a high branch number. In order to increase the density of the activity patterns, the linear layer is designed on the whole state, rather than using multiple parallel copies of an L-Box. Our main result is a linear layer for 128-bit ciphers with branch number 21, improving upon the best 32-bit transformation with branch number 12, and the one of Spook with branch number 16. |
BibTeX
@article{tosc-2024-34021,
title={Design of a Linear Layer Optimised for Bitsliced 32-bit Implementation},
journal={IACR Transactions on Symmetric Cryptology},
publisher={Ruhr-Universität Bochum},
volume={024 No. 1},
pages={441-458},
url={https://tosc.iacr.org/index.php/ToSC/article/view/11412},
doi={10.46586/tosc.v2024.i1.441-458},
author={Gaëtan Leurent and Clara Pernot},
year=2024
}