1 Introduction

Many symmetric key cryptographic primitives, e.g., block ciphers, compression functions of hash functions, and core functions of authenticated encryptions, have been proposed. Specifically, AES [1] is one of the most common block ciphers. The state is represented as a \(4 \times 4\) matrix whose elements take 8-bit values. After AES was standardized by NIST, many AES-like primitives have been proposed [2, 5, 10, 17, 19–21]. Their state is represented as an \(n \times m\) matrix, and its elements do not only take 8-bit values. We call such primitives (n, m)-AES-like primitives. PHOTON [19] can be considered as (5, 5), (6, 6), \(\ldots \), (8, 8)-AES-like primitives, and PRIMATEs [2], Fides [5], Grøstl [17], LED [20], and Prøst [21] adopt various (n, m)-AES-like primitives other than (4, 4)-AES-like primitives, for example.

Table 1. Lower bounds of 4-round (n, m)-AES-like primitives when \(n \le m\).

Recently, many lightweight primitives have been proposed, and they are expected to perform well in area-constrained and low-power environments as well as high-end environments. MixColumns in the original AES adopts a \(4 \times 4\) Maximum Distance Separable (MDS) matrix whose elements only take ‘1’, ‘2’, and ‘3’, which is one of the best choices with respect to the cost of multiplication in a Galois field and the branch number [30]. However, if the area is very constrained, even the multiplication by an MDS matrix becomes a disadvantage for lightweight implementation. There are two methods for reducing the cost of multiplication for both lightweight and high-end environments. One involves a recursive approach [2, 19, 20] and the other involves a binary matrix similar to the Camellia P-function [3, 5, 31]. In the recursive approach, an MDS matrix is generated by iterating a lightweight matrix, and it is superior to classical MDS matrices for area-constrained lightweight implementation. However, the execution time tends to be slow, which also means high power consumption because of the recursive operation [15]. On the other hand, the use of a binary matrix is also superior to classical MDS matrices for both constrained and non-constrained environments because it can be implemented only by element-wise XORs. Unfortunately, the branch number of a binary matrix is lower than that of an MDS matrix. For instance, when \(\mathcal{B}\) denotes the differential and linear branch number of the matrix, AES-like primitives guarantee at least \(\mathcal{B}^2\) active S-boxes in 4-round differential and linear characteristics [10]. Therefore, AES-like primitives with a binary matrix have fewer active S-boxes than those with an MDS matrix, and they require more rounds to guarantee security against several cryptanalyses.

Our Contribution. In this paper, we focus on binary matrices and discuss useful cryptographic properties of binary matrices. We specifically focus on AES-like primitives with binary MixColumns, whose output is computed using a binary matrix.

If the number of active S-boxes per specific number of rounds increases, we can efficiently guarantee that the block cipher with fewer rounds has immunity against several cryptanalyses. In previous design criteria, we only care about the branch number of binary matrices because the classical proof only guarantees \(\mathcal{B}^2\) active S-boxes in the 4-round characteristic. However, we argue that the classical lower bound is not tight for some binary matrices. Namely, there are binary matrices such that the lower bound is more than \(\mathcal{B}^2\).

In this paper, we exhaustively search \(n \times n\) binary matrices with \(n \in \{4,5,\ldots ,8\}\) and show some instances whose lower bound is more than \(\mathcal{B}^2\). We first discuss cryptographic properties of binary matrices. Then, we propose an algorithm to evaluate a more accurate lower bound by using these properties. Our algorithm efficiently evaluates the lower bound for a given binary matrix, and some matrices enhance the lower bound from \(\mathcal{B}^2\) to \(\mathcal{B}(\mathcal{B}+2)\). Specifically, our algorithm finds some binary matrices whose lower bounds become 16, 17, 24, 24, and 32 for \(n=4,5,6,7,\) and 8, respectively. We summarize the enhanced lower bounds in Table 1. Since the highest branch number of binary matrices is 4 for \(n \in \{4,5,\ldots ,7\}\), the classical proof only guarantees 16 active S-boxes. Moreover, since the highest branch number is 5 for \(n = 8\), the classical proof only guarantees 25 active S-boxes. Therefore, we can enhance the lower bounds for \(n \in \{5,6,7,8\}\). We also evaluate the limit of the enhancement. We guarantee that the enhancement in Table 1 is maximized for all (n, n)-AES-like primitives with \(n \in \{4,5,\ldots ,8\}\). Moreover, for all (n, m)-AES-like primitives with \(n < m\), we also guarantee that the enhancement is maximized for \(n \in \{4,5,6,8\}\).

2 Preliminaries

2.1 Definitions

Notations. Let \(x=(x_1,x_2,\ldots ,x_n)\) be an n-dimensional vector over \(\mathbb {F}_{2^\ell }\). Let \(x[j] = (x_1[j], x_2[j], \ldots , x_n[j])\) be an n-dimensional vector over \(\mathbb {F}_2\), where \(x_i[j]\) denotes the jth bit in \(x_i\). Let \(\tilde{x} \in (\mathbb {F}_2)^n\) be the truncation of \(x \in (\mathbb {F}_{2^\ell })^n\) such that the ith element of \(\tilde{x}\), i.e., \(\tilde{x}_i\) takes 0 if \(x_i = 0\) and takes 1 if \(x_i \ne 0\). The Hamming weight of \(x_i \in \mathbb {F}_{2^\ell }\) is calculated as \(hw(x_i) = \sum _{j=1}^{\ell } x_i[j]\), where the addition is calculated over \(\mathbb {Z}\). Moreover, the Hamming weight of \(x \in (\mathbb {F}_{2^\ell })^n\) is calculated based on the truncated vector, i.e., it is calculated as \(hw(x) = \sum _{i=1}^{n} \tilde{x}_i\). For any \(a \in \mathbb {F}_2^n\) and \(b \in \mathbb {F}_2^n\), let \(a \succeq b\) if \(a \vee b = a\), where \(\vee \) denotes a bit-wise OR. Note that an element in \(\mathbb {F}_{2^\ell }\) is represented as an \(\ell \)-bit vector in \(\mathbb {F}_2^\ell \), and it is naturally converted using an appropriate basis.

Active S-boxes. When we evaluate security against differential and linear cryptanalyses, we often evaluate the number of active S-boxes. An S-box that has a non-zero input difference is called a differentially active S-box, and an S-box that has a non-zero output linear mask is called a linearly active S-box. We can show the “provable security” against the differential and linear cryptanalyses by guaranteeing the lower bound of the number of active S-boxes.

The Substitution Permutation Network (SPN) cipher based on the wide trail design strategy [12] consists of a confusion layer and a diffusion layer, where parallel applications of S-boxes and matrix multiplications are used in the confusion layer and diffusion layer, respectively. When \(\ell \)-bit S-boxes are applied in the confusion layer, the diffusion matrix M is represented as an \((\mathbb {F}_{2^\ell })^{n \times n}\) matrix. Let \(x \in (\mathbb {F}_{2^\ell })^n\) be the input of the diffusion represented by M. Then, the output is calculated as \(y^T = M x^T\). To evaluate the security of the diffusion matrix, we often focus on the branch number.

Definition 1

(Branch Number [30]). Let M be an \(n \times n\) matrix over \(\mathbb {F}_{2^\ell }\). Then, a differential branch number of M is defined as \(\mathcal{B}_d = \min \{ hw(x) + hw(M x^T) \mid x \in (\mathbb {F}_{2^\ell })^n \setminus \{0\} \}\). Similarly, a linear branch number of M is defined as \(\mathcal{B}_l = \min \{ hw(yM) + hw(y) \mid y \in (\mathbb {F}_{2^\ell })^n \setminus \{0\} \}\).

Note that \(\mathcal{B}_d\) and \(\mathcal{B}_l\) are always less than or equal to \(n+1\). In the following sections, we only consider differential cryptanalysis unless otherwise noted. For linear cryptanalysis, a similar discussion can be made because of the duality of these cryptanalyses [27].

We say that two \(n \times n\) matrices M and \(M'\) are permutation-homomorphic [24] to each other if there is a row permutation \(\rho \) and a column permutation \(\gamma \) satisfying \(\rho (\gamma (M))=\gamma (\rho (M))=M'\).

Lemma 1

[24]. Let M and \(M'\) be matrices that are permutation-homomorphic to each other. Then M and \(M'\) have the same differential and linear branch number.

In cryptographic applications, an MDS matrix has good properties. It is defined in the context of coding theory, and for our context its definition is equivalent to the following theorem.

Theorem 1

[30]. Let M be an \(n \times n\) MDS matrix. Then its differential and linear branch number is \(n+1\).

It is very useful to use an MDS matrix in the diffusion layer since the branch number takes the maximum possible value. However, it is inefficient for lightweight implementation because the multiplication by an MDS matrix requires multiplication in a Galois field. On the other hand, if all elements of the matrix are binary, we can efficiently implement the multiplication because it only requires \(\ell \)-bit-wise XORs. Unfortunately, a binary matrix is never an MDS matrix except for the trivial MDS matrix, i.e., \(n=1\). Nevertheless, there are concrete ciphers that adopt binary matrices. For example, Camellia uses an \(8 \times 8\) binary matrix [3], and the designers showed by computation on a PC that the maximum branch number of \(8 \times 8\) binary matrices is 5. Kwon et al. summarized the maximum branch number of binary matrices with \(n=4, 5,6,7,\) and 8 as 4, 4, 4, 4, and 5, respectively, and they call matrices attaining it Maximum Distance Binary Linear (MDBL) matrices [25].
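As an added worked example, not code from the paper, the following Python script computes the differential and linear branch numbers of Definition 1 for binary matrices by enumerating \(\mathbb {F}_2^n\). For a binary matrix this enumeration suffices: the matrix acts on each bit slice of the input independently, so \(hw(\tilde{x}) + hw(\widetilde{Mx^T})\) is at least \(hw(x[j]) + hw(M x[j]^T)\) for any non-zero bit slice j, and an input with a single non-zero bit slice attains that value. The sample matrices (the \(4 \times 4\) matrix \(J-I\) with zeros on the diagonal and ones elsewhere, a \(5 \times 5\) circulant, and the identity) are constructed for this example and are not taken from the paper; the maxima 4, 4, 4, 4, 5 quoted above from Kwon et al. are used to decide whether a matrix is MDBL.

```python
# Added example (not code from the paper): branch numbers of binary matrices
# by exhaustive enumeration of F_2^n, following Definition 1.
from itertools import product

# Constructed samples. J_MINUS_I_4 has zeros on the diagonal and ones
# elsewhere; CIRC5 is the 5 x 5 circulant whose row i has ones in columns
# i+1, i+2, i+3 (mod 5). Both are invertible over F_2.
J_MINUS_I_4 = [[0 if i == j else 1 for j in range(4)] for i in range(4)]
CIRC5 = [[1 if (j - i) % 5 in (1, 2, 3) else 0 for j in range(5)] for i in range(5)]
IDENTITY_4 = [[1 if i == j else 0 for j in range(4)] for i in range(4)]

# Maximum branch number of n x n binary matrices as quoted in Section 2.1
# (Kwon et al.); a matrix attaining it is an MDBL matrix.
MDBL_MAX_BRANCH = {4: 4, 5: 4, 6: 4, 7: 4, 8: 5}


def transpose(m):
    return [list(col) for col in zip(*m)]


def mul_f2(m, x):
    """y^T = M x^T over F_2 for a 0/1 row-list matrix and a 0/1 vector."""
    return [sum(a & b for a, b in zip(row, x)) & 1 for row in m]


def differential_branch_number(m):
    """B_d = min { hw(x) + hw(M x^T) : x != 0 } over F_2^n.

    For a binary M this is also the branch number over F_{2^l}: the matrix
    acts on each bit slice x[j] independently, hw(x~) + hw(~(Mx^T)) is at
    least hw(x[j]) + hw(M x[j]^T) for any non-zero slice j, and an input
    with a single non-zero bit slice reaches that value.
    """
    n = len(m)
    best = None
    for x in product((0, 1), repeat=n):
        if not any(x):
            continue
        w = sum(x) + sum(mul_f2(m, x))
        best = w if best is None else min(best, w)
    return best


def linear_branch_number(m):
    """B_l = min { hw(yM) + hw(y) }; since yM = (M^T y^T)^T this is the
    differential branch number of the transpose."""
    return differential_branch_number(transpose(m))


def is_mdbl(m):
    """True if both branch numbers reach the maximum possible for this n."""
    n = len(m)
    b = min(differential_branch_number(m), linear_branch_number(m))
    return b == MDBL_MAX_BRANCH[n]


if __name__ == "__main__":
    for name, m in (("J-I (4x4)", J_MINUS_I_4), ("circulant (5x5)", CIRC5),
                    ("identity (4x4)", IDENTITY_4)):
        print(name, differential_branch_number(m), linear_branch_number(m), is_mdbl(m))
```

The enumeration costs \(O(2^n)\) matrix-vector products, which is immediate for \(n \le 8\); the transpose trick for the linear branch number is the duality mentioned after Definition 1.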

2.2 AES-Like Primitives

The state of AES is represented as a \(4 \times 4\) matrix whose elements take 8-bit values, i.e., the block length is 128 bits. Many cryptographic primitives use similar state expressions, and we call them AES-like primitives [2, 5, 10, 17, 19–21].

We only focus on the properties of AES-like primitives that are independent of the choice of S-boxes. For convenience, let \(\ell \) be the bit length of the input and output of an S-box. We introduce (n, m)-AES-like primitives, where the numbers of rows and columns are scaled as in [8].

Definition 2

((n, m)-AES-Like Primitives). The AES-like primitives are parameterized by n and m, where the state is represented as an \(n \times m\) matrix and \(m \ge n\). The round function consists of four component functions: SubBytes, ShiftRows, MixColumns, and AddRoundKey. Each function is defined as follows:

  • SubBytes (\( SB\)) substitutes each \(\ell \)-bit value in the matrix into another \(\ell \)-bit value by an S-box.

  • ShiftRows (\( SR\)) rotates each \(\ell \)-bit value located at row i by i positions to the left.

  • MixColumns (\( MC\)) diffuses n \(\ell \)-bit values within each column by a linear function.

  • AddRoundKey (\( AK\)) XORs the round key with the state.

Then, the round function of an AES-like primitive is defined as

$$\begin{aligned} Y \leftarrow ({ MC} \circ { SR} \circ { SB})(X) \oplus RK, \end{aligned}$$

where X, Y, and RK denote the input, output, and round key, respectively. When a cryptographic permutation is designed, a constant is XORed to the matrix state instead of a round key.

We also focus on the following MixColumns.

Definition 3

(Binary MixColumns). When the AES-like primitive uses a binary matrix in the MixColumns, we call such MixColumns binary MixColumns.

Fig. 1. Proof for 4-round AES-like primitives.

Figure 1 shows 4-round AES-like primitives, which are equivalently transformed with regard to counting the number of active S-boxes. When analyzing 4-round AES-like primitives, we divide the primitive into three layers; front, middle, and back, as shown in Fig. 1. We often focus on the so-called super-S-box [13, 18], which is defined as follows.

Definition 4

(Super-S-box). Let a super-S-box consist of two S-box layers and one MixColumns. First, n S-boxes are applied. Then, a diffusion matrix M is applied. Finally, n S-boxes are applied again.

If the branch number of M is \(\mathcal{B}\), an active super-S-box has at least \(\mathcal{B}\) active S-boxes. Moreover, both the front and the back layers of the AES-like primitives have m super-S-boxes, respectively.

Number of Active S-boxes. A good property of AES-like primitives is that the number of active S-boxes in the 4-round characteristic can be guaranteed independently of the choice of S-boxes and AddRoundKey. First, all (n, m)-AES-like primitives have the following characteristic.

Lemma 2

Let M be an \(n \times n\) matrix over \(\mathbb {F}_{2^\ell }\). Let \(\mathcal{B}\) be the branch number of M. When M is adopted in the MixColumns of AES-like primitives, there is always a 4-round characteristic whose number of active S-boxes is at most \((n+1)\mathcal{B}\).

Proof

Let us focus on the middle layer in Fig. 1. Since the branch number of M is \(\mathcal{B}\), there is always a 4-round characteristic satisfying \(hw(X_0)+hw(Y_0)=\mathcal{B}\). Then, \(hw(X_0)+hw(Y_0)\) super-S-boxes are active, and each super-S-box has at most \(n+1\) active S-boxes. Therefore, there is always a 4-round characteristic whose number of active S-boxes is at most

$$\begin{aligned} (n+1)hw(X_0)+(n+1)hw(Y_0) = (n+1)(hw(X_0)+hw(Y_0)) = (n+1)\mathcal{B}. \end{aligned}$$

   \(\square \)

Next, let us consider the lower bound of the number of active S-boxes.

Lemma 3

[11]. Let M be an \(n \times n\) matrix over \(\mathbb {F}_{2^\ell }\). Let \(\mathcal{B}\) be the branch number of M. When M is applied to the MixColumns in AES-like primitives, there are at least \(\mathcal{B}^2\) active S-boxes in the 4-round characteristic.

Lemmas 2 and 3 derive the following theorem.

Theorem 2

Assuming that M is an MDS matrix with branch number \(\mathcal{B}\), there are at least \(\mathcal{B}^2\) active S-boxes in the 4-round characteristic, and it is tight.

Theorem 2 shows that there is no MDS matrix in which the minimum number of active S-boxes is more than \(\mathcal{B}^2\) in the 4-round characteristic. However, if binary MixColumns is used, there is a possibility that the minimum number of active S-boxes is more than \(\mathcal{B}^2\) because \(\mathcal{B}^2<(n+1)\mathcal{B}\). For instance, if a \(5 \times 5\) binary matrix is used, \(\mathcal{B}^2=16\) and \((n+1)\mathcal{B}=24\), and there is a possibility that the minimum number of active S-boxes can be improved to 24.

3 Properties of Binary Matrices

We now discuss useful properties of binary matrices. Let \(x \in (\mathbb {F}_{2^\ell })^n \setminus \{0\}\) be the input difference. Specifically, we focus on the propagation \(x \xrightarrow {M} Mx^T\). Assume that the branch number of M is \(\mathcal{B}\), i.e., \(hw(\tilde{x}) + hw(\widetilde{Mx^T})\) is at least \(\mathcal{B}\). Then, an enhanced propagation is defined as follows.

Definition 5

(Enhanced Propagation). For a binary matrix \(M \in (\mathbb {F}_{2^\ell })^{n\times n}\) with branch number \(\mathcal{B}\), \(x \in (\mathbb {F}_{2^\ell })^n \setminus \{0\}\) denotes the input difference of the diffusion by M. We say that the propagation \(x \xrightarrow {M} Mx^T\) is an enhanced propagation, when \(hw(\tilde{x}) + hw(\widetilde{Mx^T}) > \mathcal{B}\).

When we consider all possible propagations from x, the minimum of \(hw(\tilde{x}) + hw(\widetilde{Mx^T})\) is \(\mathcal{B}\) because of the branch number. However, some propagations have \(hw(\tilde{x}) + hw(\widetilde{Mx^T})>\mathcal{B}\). Moreover, we define the following two propagations.

Definition 6

(Direct and Indirect Propagations). For a binary matrix \(M\in (\mathbb {F}_{2^\ell })^{n\times n}\), \(x \in (\mathbb {F}_{2^\ell })^n \setminus \{0\}\) denotes the input difference of the diffusion by M. We say that the propagation \(x \xrightarrow {M} Mx^T\) is a direct (resp. indirect) propagation, when \(\widetilde{Mx^T} = M \tilde{x}^T\) (resp. \(\widetilde{Mx^T} \ne M \tilde{x}^T\)).

In the direct propagation, \(\widetilde{Mx^T}\) can be directly calculated from \(\tilde{x}\) as \(M \tilde{x}^T\). In the indirect propagation, we cannot calculate \(\widetilde{Mx^T}\) from only \(\tilde{x}\) and have to calculate it from the difference x.

3.1 Indirect Branch Number

We now want to evaluate the propagation \(x \xrightarrow {M} Mx^T\), and let us consider the condition in which the propagation becomes an enhanced propagation. We first define a variant of the branch number as follows.

Definition 7

(Indirect Branch Number). Let M be an \(n \times n\) binary matrix over \(\mathbb {F}_{2^\ell }\). Let \(x \in (\mathbb {F}_{2^\ell })^n \setminus \{0\}\) be the input difference of the diffusion by M. For all indirect propagations, i.e., all \(x \xrightarrow {M} Mx^T\) satisfying \(\widetilde{Mx^T} \ne M \tilde{x}^T\), the indirect branch number denotes the minimum of \(hw(\tilde{x}) + hw(\widetilde{Mx^T})\).

We can obtain a useful lemma about the indirect branch number.

Lemma 4

Let M be an \(n \times n\) binary matrix over \(\mathbb {F}_{2^\ell }\). Let \(\mathcal{B}\) be the branch number of M, and assume \(\mathcal{B}>2\). Then, the indirect branch number is at least \(\mathcal{B}+2\).

Proof

Let y be the output vector, i.e., \(y^T = M x^T\). When the propagation \(x \xrightarrow {M} y\) is an indirect propagation, i.e., \(\tilde{y}^T \ne M \tilde{x}^T\), there are always two non-zero bit slices x[i] and x[j] satisfying \(x[i] \ne x[j]\), and \(hw(\tilde{x}) \ge hw(x[i] \vee x[j])\). Similarly, let \(y[i]^T = Mx[i]^T\) and \(y[j]^T = Mx[j]^T\); then \(hw(\tilde{y}) \ge hw(y[i] \vee y[j])\). Without loss of generality, assume \(hw(x[j])+hw(y[j]) \ge hw(x[i])+hw(y[i])\).

First, assuming that \(hw(x[j])+hw(y[j]) \ge \mathcal{B}+2\), the sum of the Hamming weight of \(\tilde{x}\) and that of \(\tilde{y}\) is at least \(\mathcal{B}+2\).

Second, assume that \(hw(x[j])+hw(y[j]) = \mathcal{B}+1\). When \(x[j] \nsucceq x[i]\), \(hw(x[i] \vee x[j]) \ge hw(x[j]) + 1\). Moreover, when \(y[j] \nsucceq y[i]\), \(hw(y[i] \vee y[j]) \ge hw(y[j]) + 1\). Therefore, when \(x[j] \nsucceq x[i]\) or \(y[j] \nsucceq y[i]\), the sum of the Hamming weight of \(\tilde{x}\) and that of \(\tilde{y}\) is at least \(\mathcal{B}+2\) because

$$\begin{aligned} hw(x[i] \vee x[j]) + hw(y[i] \vee y[j]) \ge hw(x[j])+hw(y[j])+1 = \mathcal{B}+2. \end{aligned}$$

Finally, when \(x[j] \succeq x[i]\) and \(y[j] \succeq y[i]\),

$$\begin{aligned} hw(x[i] \oplus x[j]) + hw(y[i] \oplus y[j])&= hw(x[j]) - hw(x[i]) + hw(y[j]) - hw(y[i]) \\&\le \mathcal{B}+1-\mathcal{B}=1, \end{aligned}$$

where \((y[i] \oplus y[j])^T=M(x[i] \oplus x[j])^T\). Therefore, this is contradictory because the branch number is greater than 2.

Third, assuming that \(hw(x[j])+hw(y[j]) = \mathcal{B}\), \(hw(x[i])+hw(y[i]) = \mathcal{B}\). Without loss of generality, assume \(hw(x[j]) \ge hw(x[i])\). When \(hw(x[i])=hw(x[j])\), \(hw(x[i] \vee x[j]) \ge hw(x[j])+1\) because \(x[i] \ne x[j]\). Moreover, \(hw(y[i] \vee y[j]) \ge hw(y[j])+1\) because \(y[i] \ne y[j]\). Therefore, the sum of the Hamming weight of \(\tilde{x}\) and that of \(\tilde{y}\) is at least \(\mathcal{B}+2\) because

$$\begin{aligned} hw(x[i] \vee x[j]) + hw(y[i] \vee y[j]) \ge hw(x[j])+1+hw(y[j])+1 = \mathcal{B}+2. \end{aligned}$$

When \(hw(x[i])+1=hw(x[j])\), then \(hw(y[i])=hw(y[j])+1\). If \(x[j] \nsucceq x[i]\), \(hw(x[i] \vee x[j]) \ge hw(x[j]) + 1=hw(x[i])+2\). Moreover, if \(y[i] \nsucceq y[j]\), \(hw(y[i] \vee y[j]) \ge hw(y[i]) + 1=hw(y[j])+2\). Therefore, when \(x[j] \nsucceq x[i]\) or \(y[i] \nsucceq y[j]\), the sum of the Hamming weight of \(\tilde{x}\) and that of \(\tilde{y}\) is at least \(\mathcal{B}+2\). Finally, when \(x[j] \succeq x[i]\) and \(y[i] \succeq y[j]\),

$$\begin{aligned} hw(x[i] \oplus x[j]) + hw(y[i] \oplus y[j])&= hw(x[j]) - hw(x[i]) + hw(y[i]) - hw(y[j]) \\&= 1+1=2. \end{aligned}$$

Therefore, this is contradictory because the branch number is greater than 2. When \(hw(x[i])+2 \le hw(x[j])\), then the sum of the Hamming weight of \(\tilde{x}\) and that of \(\tilde{y}\) is at least \(\mathcal{B}+2\) because

$$\begin{aligned} hw(x[i] \vee x[j]) + hw(y[i] \vee y[j]) \ge hw(x[i])+2+hw(y[i]) = \mathcal{B}+2. \end{aligned}$$

   \(\square \)

Lemma 4 shows that the indirect propagation is always an enhanced propagation when \(\mathcal{B}>2\).

3.2 Propagation on Restricted Input and Output Differences

When we consider the propagation \(x \xrightarrow {M} Mx^T\), \(hw(\tilde{x}) + hw(\widetilde{Mx^T})\) is in general lower-bounded by the branch number. However, if the Hamming weight of the input difference or that of the output difference is restricted, the branch number is not always the best lower bound, i.e., a higher lower bound may hold.

Lemma 5

Let M be an \(n \times n\) binary matrix over \(\mathbb {F}_{2^\ell }\). Let \(\mathcal{B}\) be the branch number. Let \(x \in (\mathbb {F}_{2^\ell })^n \setminus \{0\}\) be the input difference of the diffusion by M. Then, assuming that \(hw(\tilde{x}) \le 2\),

$$\begin{aligned} hw(\tilde{x}) + hw(\widetilde{Mx^T})&\ge hw(\tilde{x}) + hw(M \tilde{x}^T). \end{aligned}$$

Similarly, assuming that \(hw(\widetilde{Mx^T}) \le 2\),

$$\begin{aligned} hw(\tilde{x}) + hw(\widetilde{Mx^T})&\ge hw(M^{-1} (\widetilde{Mx})^T) + hw(\widetilde{Mx^T}). \end{aligned}$$

Proof

We prove the first part of the lemma. Both the left- and right-hand sides of the inequality include the term \(hw(\tilde{x})\); thus, it is sufficient to prove \(hw(\widetilde{Mx^T})\ge hw(M\tilde{x}^T)\). Both \(\widetilde{Mx^T}\) and \(M\tilde{x}^T\) can be regarded as truncated differences, so we focus on these truncated differences. For the right-hand side, \(M\tilde{x}^T\), only \(\mathbb {F}_2\)-operations are performed. For the left-hand side, \(\widetilde{Mx^T}\), we need to consider the following steps: 1. convert the truncated difference to a (full) difference, 2. multiply by the matrix M, and 3. reconvert the difference to a truncated difference. Therefore, we need to consider the following “special” operation for truncated differences 0 and 1: \(0\oplus 0=0\), \(0\oplus 1=1\), \(1\oplus 0=1\), and \(1\oplus 1=0\) or 1. Recall that we are evaluating Hamming weight. Thus, when \(1\oplus 1=1\), the left-hand side is greater than the right-hand side; otherwise they are equal. The second part of the lemma is obtained by substituting \(Mx^T\) and \(M^{-1}\) for x and M, respectively.    \(\square \)

Assuming that the Hamming weight of the input difference or that of the output difference is at most 2, Lemma 5 shows that \(hw(\tilde{x}) + hw(\widetilde{Mx^T})\) can be lower-bounded by the corresponding direct propagation. Therefore, we can effectively guarantee the lower bound of \(hw(\tilde{x}) + hw(\widetilde{Mx^T})\). Specifically, let us consider the time complexity to guarantee the lower bound. Then, the time complexity is O(n) when the Hamming weight is at most 1, and it is \(O(n(n-1))\) when the Hamming weight is at most 2.
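As an added worked example for Lemma 4 and Lemma 5, not code from the paper, the following Python script enumerates every non-zero input \(x \in (\mathbb {F}_{2^\ell })^n\) for a small \(\ell \), classifies each propagation \(x \xrightarrow {M} Mx^T\) as direct or indirect (Definition 6), computes the branch number and the indirect branch number (Definition 7), and checks that the indirect branch number is at least \(\mathcal{B}+2\) and that the first inequality of Lemma 5 holds for all inputs with \(hw(\tilde{x}) \le 2\). The sample matrix \(J-I\) (zeros on the diagonal, ones elsewhere) and the choice \(\ell = 2\) are constructed for this example; elements of \(\mathbb {F}_{2^\ell }\) are stored as integers below \(2^\ell \), which is all a binary matrix needs since it only XORs elements.

```python
# Added example (not code from the paper): direct/indirect propagations of a
# binary MixColumns over (F_{2^l})^n, the indirect branch number of
# Definition 7, and exhaustive checks of Lemma 4 and Lemma 5.
from itertools import product

# Constructed sample: the 4 x 4 matrix J - I (zeros on the diagonal, ones
# elsewhere); its branch number is 4.
J_MINUS_I_4 = [[0 if i == j else 1 for j in range(4)] for i in range(4)]


def _xor_selected(row, x):
    acc = 0
    for a, xi in zip(row, x):
        if a:
            acc ^= xi
    return acc


def mul_binary(m, x):
    """y^T = M x^T for binary M: y_k is the XOR of the x_i selected by row k.
    Works for x over F_{2^l} (ints below 2**l) and for truncated x over F_2."""
    return [_xor_selected(row, x) for row in m]


def truncate(x):
    """x~: 1 where the element is non-zero, 0 otherwise."""
    return [1 if v else 0 for v in x]


def hw(x):
    """Hamming weight of a vector over F_{2^l}, counted on the truncation."""
    return sum(1 for v in x if v)


def is_direct(m, x):
    """Direct propagation (Definition 6): ~(M x^T) equals M x~^T."""
    return truncate(mul_binary(m, x)) == mul_binary(m, truncate(x))


def propagations(m, ell):
    """Yield (x, y, direct) for every non-zero x in (F_{2^l})^n, y^T = M x^T."""
    for x in product(range(1 << ell), repeat=len(m)):
        if any(x):
            yield list(x), mul_binary(m, x), is_direct(m, x)


def branch_numbers(m, ell):
    """(branch number, indirect branch number) by enumeration over (F_{2^l})^n.
    The second entry is None if no indirect propagation exists."""
    b = b_ind = None
    for x, y, direct in propagations(m, ell):
        w = hw(x) + hw(y)
        b = w if b is None else min(b, w)
        if not direct:
            b_ind = w if b_ind is None else min(b_ind, w)
    return b, b_ind


def lemma4_holds(m, ell):
    """Indirect branch number >= B + 2, so every indirect propagation is enhanced."""
    b, b_ind = branch_numbers(m, ell)
    return b_ind is None or b_ind >= b + 2


def lemma5_first_part_holds(m, ell):
    """hw(~(M x^T)) >= hw(M x~^T) whenever hw(x~) <= 2."""
    return all(hw(y) >= hw(mul_binary(m, truncate(x)))
               for x, y, _ in propagations(m, ell) if hw(x) <= 2)


if __name__ == "__main__":
    print(branch_numbers(J_MINUS_I_4, 2))        # (4, 6)
    print(is_direct(J_MINUS_I_4, [1, 1, 0, 0]))  # True: equal slices, direct
    print(is_direct(J_MINUS_I_4, [1, 2, 0, 0]))  # False: rows with both cells stay active
    print(lemma4_holds(J_MINUS_I_4, 2), lemma5_first_part_holds(J_MINUS_I_4, 2))
```

The input \((1, 2, 0, 0)\) illustrates the indirect case: the truncated product \(M\tilde{x}^T\) has weight 2, but the two rows that select both active cells compute \(1 \oplus 2 \ne 0\), so \(\widetilde{Mx^T}\) has weight 4 and the propagation reaches \(\mathcal{B}+2 = 6\). The enumeration costs \(2^{\ell n}\) products, so it is a check for small parameters rather than a replacement for the lemmas.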

4 Number of Active S-boxes in AES-Like Primitives with Binary MixColumns

From Lemma 2, there is always a 4-round characteristic whose number of active S-boxes is at most \((n+1)\mathcal{B}\), and the use of MDS matrices is the best choice because \(\mathcal{B}^2 = \mathcal{B}(n+1)\) for them. However, if a binary MixColumns is used, there is a gap between \(\mathcal{B}^2\) and \(\mathcal{B}(n+1)\) since \(\mathcal{B}<n+1\). In this section, we guarantee a more accurate lower bound of the number of active S-boxes in the 4-round characteristic. Note that our proof is independent of the choice of S-boxes.

4.1 Intuition of Idea

First, we revisit the proof that there are at least \(\mathcal{B}^2\) differentially and linearly active S-boxes in the 4-round characteristic of the AES-like primitives. We focus on the propagation in the middle layer, and we assume that the ith MixColumns is active. Then \(hw(\tilde{x}) + hw(\widetilde{Mx^T})\) is at least \(\mathcal{B}\), and there are at least \(\mathcal{B}\) active super-S-boxes in the 4-round characteristic because of the property of \({ SR}\). Since every active super-S-box has \(\mathcal{B}\) active S-boxes, there are at least \(\mathcal{B}^2\) active S-boxes in the 4-round characteristic.

Now, we consider an AES-like primitive whose MixColumns uses a binary matrix with branch number \(\mathcal{B}\).

First, we consider the case in which there is an indirect propagation in the middle layer. Since the indirect branch number is \(\mathcal{B}+2\) from Lemma 4, there are at least \(\mathcal{B}+2\) active super-S-boxes in the 4-round characteristic. This also implies that there are at least \(\mathcal{B}(\mathcal{B}+2)\) active S-boxes in the 4-round characteristic.

Fig. 2. Proof Strategy. When the number of active MixColumns is at most two (see the left figure), we use a binary matrix M such that super-S-boxes in the front and back layers always have enhanced propagation. When the number of active MixColumns is at least three (see the right figure), we use an M such that the characteristics always have many active super-S-boxes.

Next, we consider the case in which the middle layer has only direct propagations. We focus on the number of active MixColumns in the middle layer, and “i active MixColumns” denotes the case in which i MixColumns are active in the middle layer. Then, the minimum number of active S-boxes is proven using different methods depending on the number of active MixColumns. In more detail, let us consider the following cases, where the notation in Fig. 1 is used and Fig. 2 shows the outline. First, we assume i active MixColumns with \(i \le 2\). Then, at most two elements in \(W_i\) and \(Z_i\) are active for any i because of the construction of \({ SR}\). Therefore, we effectively guarantee the minimum number of active S-boxes in every super-S-box using Lemma 5. Next, we assume i active MixColumns with \(i \ge 3\). We choose binary matrices such that the number of active super-S-boxes exceeds \(\mathcal{B}\) for all characteristics.

Section 4.2 shows an algorithm to efficiently evaluate a more accurate lower bound of a given binary matrix.

4.2 Algorithm to Obtain Accurate Lower Bound

Algorithm 1 (listing not reproduced).

We guarantee the lower bound for a given binary matrix \(M \in \mathbb {F}_{2^\ell }^{n \times n}\), and Algorithm 1, the validity of which is shown later in this section, shows the procedure to evaluate a more accurate lower bound. Here, \( AS_i\) and \( ASS_i\) are defined as follows.

Definition 8

(\({ A S_i}\): Accurate lower bound of the number of active S-boxes under i active MixColumns on direct propagation). We only consider the 4-round characteristic whose propagation does not have the indirect propagation. For any characteristic with i active MixColumns in the middle layer, \({ A S_i}\) denotes the accurate lower bound of the number of active S-boxes in the 4-round characteristic.

Definition 9

(\({ A SS_i}\): Accurate lower bound of the number of active super-S-boxes under i active MixColumns on direct propagation). We only consider the 4-round characteristic whose propagation does not have the indirect propagation in the middle layer. For any characteristic with i active MixColumns in the middle layer, \({ A SS_i}\) denotes the accurate lower bound of the number of active super-S-boxes in the 4-round characteristic.

Both \({ A S_i}\) and \({ A SS_i}\) only focus on characteristics whose middle layer has direct propagations. Moreover, \({ A S_i}\) only focuses on the characteristic whose super-S-boxes have direct propagations, but the bound \(\mathcal{B} \times { A SS_i}\) takes into account characteristics whose super-S-boxes have indirect propagations. Therefore, \(\mathcal{B} \times { A SS_i} \le { A S_i}\). Moreover, \( A SS_i\) monotonically increases as a value of i.

For any binary matrix M with branch number \(\mathcal{B}\), the number of active S-boxes in the 4-round characteristic is lower-bounded by

$$\begin{aligned} \min \{ \mathcal{B} \times { A SS_1}, \mathcal{B}(\mathcal{B}+2) \}. \end{aligned}$$
(1)

Here, \(\mathcal{B} \times { A SS_1}\) and \(\mathcal{B}(\mathcal{B}+2)\) denote the lower bounds for the cases in which the middle layer has only direct propagations and in which it has an indirect propagation, respectively. Note that since \({ A SS_1} = \mathcal{B}\), the number of active S-boxes is lower-bounded by \(\mathcal{B} \times { A SS_1}=\mathcal{B}^2\).

We first calculate \({ A S_1}\) to obtain a more accurate lower bound. Since \({ A S_1}\) only considers characteristics without indirect propagations and with at most one active MixColumns, it can be computed from the Hamming weights of the column vectors of M and \(M^{-1}\), which describe the multiplication by M and \(M^{-1}\), respectively.

$$\begin{aligned} { A S_1} = \min _{\tilde{x} \in \mathbb {F}_2^n \setminus \{0\}} \left\{ \sum _{i=1}^n (hw((M^{-1})_i) \tilde{x}_i + hw(M_i) (M \tilde{x}^T)_i) \right\} , \end{aligned}$$

Note that \(M_i\) and \((M^{-1})_i\) denote the ith column vector in M and \(M^{-1}\), respectively, and \({ A S_1}\) does not depend on the position of the active MixColumns in the middle layer. Therefore, we can obtain \({ A S_1}\) with \(O(2^{n})\) time complexity. Since Lemma 5 enables us only to consider the case of direct propagations, we can replace \(\mathcal{B} \times { A SS_1}\) with \(\min \{{ A S_1}, \mathcal{B} \times { A SS_2}\}\) in (1). Then, the number of active S-boxes is lower-bounded by
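As an added worked example, not code from the paper, the following Python script computes \({ A S_1}\) for a binary matrix by enumerating the \(2^n - 1\) truncated inputs of the single active middle MixColumns, together with the classical bound \(\mathcal{B}^2\) and the indirect-case bound \(\mathcal{B}(\mathcal{B}+2)\) that appear in (1). The per-super-S-box count follows Definition 4: ShiftRows sends the n output cells of one front super-S-box to n different middle columns, so an active middle cell \(\tilde{x}_i\) is the single active output cell (row i) of a distinct front super-S-box, whose inner MixColumns input is therefore column i of \(M^{-1}\); the example counts \(hw((M^{-1})_i)\) active S-boxes in that super-S-box's first S-box layer plus the one active S-box in its second layer, and symmetrically \(hw(M_i)+1\) for a back super-S-box entered at row i. The sample matrices (\(J-I\) for \(n=4\) and a \(5 \times 5\) circulant) are constructed here and are not the paper's; the inverse over \(\mathbb {F}_2\) is computed by Gauss-Jordan elimination.

```python
# Added example (not code from the paper): AS_1 for a binary MixColumns matrix,
# i.e. the minimum number of active S-boxes of a 4-round characteristic with a
# single active MixColumns in the middle layer and only direct propagations.
from itertools import product

# Constructed samples: J - I (an involution over F_2) and a 5 x 5 circulant
# whose row i has ones in columns i+1, i+2, i+3 (mod 5).
J_MINUS_I_4 = [[0 if i == j else 1 for j in range(4)] for i in range(4)]
CIRC5 = [[1 if (j - i) % 5 in (1, 2, 3) else 0 for j in range(5)] for i in range(5)]


def mul_f2(m, x):
    return [sum(a & b for a, b in zip(row, x)) & 1 for row in m]


def inverse_f2(m):
    """Gauss-Jordan inverse over F_2; raises ValueError if M is singular."""
    n = len(m)
    aug = [list(row) + [int(i == j) for j in range(n)] for i, row in enumerate(m)]
    for c in range(n):
        pivot = next((r for r in range(c, n) if aug[r][c]), None)
        if pivot is None:
            raise ValueError("matrix is not invertible over F_2")
        aug[c], aug[pivot] = aug[pivot], aug[c]
        for r in range(n):
            if r != c and aug[r][c]:
                aug[r] = [u ^ v for u, v in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]


def column_weights(m):
    """hw(M_i) for every column i."""
    return [sum(col) for col in zip(*m)]


def branch_number(m):
    return min(sum(x) + sum(mul_f2(m, x))
               for x in product((0, 1), repeat=len(m)) if any(x))


def as1(m):
    """AS_1 (Definition 8): one active middle MixColumns with truncated input
    x~ and direct output M x~^T.

    Each active cell x~_i is the single active output cell (row i) of a
    distinct front super-S-box; its inner MixColumns input is column i of
    M^{-1}, so that super-S-box has hw((M^{-1})_i) + 1 active S-boxes (first
    layer plus the one active cell in the second layer). Each active cell of
    M x~^T enters a distinct back super-S-box at row i, contributing
    hw(M_i) + 1 in the same way.
    """
    n = len(m)
    w_m = column_weights(m)
    w_inv = column_weights(inverse_f2(m))
    best = None
    for x in product((0, 1), repeat=n):
        if not any(x):
            continue
        y = mul_f2(m, x)
        total = sum((w_inv[i] + 1) * x[i] + (w_m[i] + 1) * y[i] for i in range(n))
        best = total if best is None else min(best, total)
    return best


def four_round_bounds(m):
    """Classical bound B^2 (Lemma 3), the indirect-case bound B(B+2) (Lemma 4)
    and AS_1. A characteristic with exactly AS_1 active S-boxes always exists,
    so AS_1 == B^2 means the classical bound is already tight."""
    b = branch_number(m)
    a = as1(m)
    return {"B": b, "B^2": b * b, "B(B+2)": b * (b + 2), "AS_1": a,
            "classical_bound_tight": a == b * b}


if __name__ == "__main__":
    print(four_round_bounds(J_MINUS_I_4))
    print(four_round_bounds(CIRC5))
```

For both constructed matrices every column of M and of \(M^{-1}\) has weight 3, so \({ A S_1} = 4 \cdot \mathcal{B} = 16 = \mathcal{B}^2\) and no enhancement is possible, in line with the value 16 for \(n=4\) in Table 1. The further terms \(\mathcal{B} \times { A SS_2}\) and \(\mathcal{B} \times { A SS_3}\) of (2) and (3) depend on the positions of two or three active middle columns under ShiftRows and are not computed by this script.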

$$\begin{aligned} \min \{ { A S_1}, \mathcal{B} \times { A SS_2}, \mathcal{B}(\mathcal{B}+2) \}. \end{aligned}$$
(2)

Note that there is always a characteristic whose number of active S-boxes is \({ A S_1}\). Therefore, \({ A S_1}\) is a tight lower bound if \({ A S_1} \le \min \{ \mathcal{B} \times { A SS_2}, \mathcal{B}(\mathcal{B}+2)\}\). Otherwise, \(\min \{ \mathcal{B} \times { A SS_2}, \mathcal{B}(\mathcal{B}+2)\}\) is a new lower bound, but we do not guarantee whether or not it is tight.

When \({ A S_1} > \mathcal{B} \times { A SS_2}\), there is a possibility that the lower bound can be further improved. Lemma 5 shows that we can replace \(\mathcal{B} \times { A SS_2}\) with \(\min \{{ A S_2}, \mathcal{B} \times { A SS_3}\}\) in (2). Then, the number of active S-boxes is lower-bounded by

$$\begin{aligned} \min \{ { A S_1}, { A S_2}, \mathcal{B} \times { A SS_3}, \mathcal{B}(\mathcal{B}+2) \}. \end{aligned}$$
(3)

Since both \({ A S_2}\) and \({ A SS_2}\) depend on truncated differentials of two active MixColumns and the difference between positions of two active MixColumns, we can obtain them with \(O( (n-1) \times 2^{2n})\) time complexity. Similarly, since \({ A SS_3}\) depends on truncated differentials of three active MixColumns and the difference among positions of three active MixColumns, we can obtain it with \(O( (n-1)(n-2) \times 2^{3n})\) time complexity. Note that there are always characteristics whose number of active S-boxes is \({ A S_2}\). Therefore, \(\min \{ { A S_1}, { A S_2} \}\) is a tight lower bound if \(\min \{ { A S_1}, { A S_2} \} \le \min \{ \mathcal{B} \times { A SS_3}, \mathcal{B}(\mathcal{B}+2) \}\). Otherwise, \(\min \{ \mathcal{B} \times { A SS_3}, \mathcal{B}(\mathcal{B}+2) \}\) is a new lower bound, but we cannot guarantee whether or not it is tight. Note that tightness is not efficiently guaranteed because we cannot use Lemma 5 for three active MixColumns.

For linear cryptanalysis, we also execute the same procedure for the binary matrix \(M^T\) because of the duality between differential and linear cryptanalyses (see Appendix A).

5 Best Binary Matrices

We now want to evaluate all \(n \times n\) binary matrices and efficiently obtain binary matrices whose number of active S-boxes is maximized in the 4-round characteristic.

5.1 Efficient Search

The number of \(n \times n\) binary matrices is \(2^{n^2}\), e.g., \(2^{64}\) for \(n=8\), so it is infeasible to exhaustively evaluate all matrices. However, for the application to MixColumns, we usually prefer binary matrices with the highest branch number. Therefore, we exhaustively search binary matrices with the highest branch number for \(n=4\) to \(n=8\) using a technique similar to that of Guo et al. [16].

Fact 1

For binary matrices with \(n=4,5,6,7,\) and 8, the numbers of binary matrices with the highest differential and linear branch number are \(4!\approx 2^{4.6}\), \(22\times 5!\approx 2^{11.4}\), \(49032\times 6!\approx 2^{25.1}\), \(279631988 \times 7!\approx 2^{40.4}\), and \(18527040 \times 8! \approx 2^{39.4}\), respectively.

Moreover, we only consider invertible binary matrices.
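The following script is an added illustration of this search step and is not code from the paper. It enumerates all \(2^{n^2}\) binary \(n \times n\) matrices for small \(n\), computes the differential branch number of \(M\) and, via the duality above, the linear branch number as the branch number of \(M^T\), keeps the matrices attaining the highest value for both, and checks which of them are invertible over GF(2). Because a binary MixColumns only XORs words, the word-level branch number is attained on a vector whose words are all 0 or 1, so it suffices to enumerate the \(2^n - 1\) nonzero bit vectors. For \(n=4\) the search reproduces the \(4!\) matrices of Fact 1; the helper names (`branch_number`, `search_highest_branch`, `complement_of_identity`) are this example's own.

```python
"""Added example: exhaustive branch-number search over small binary matrices (not the paper's code)."""
from typing import List, Tuple


def popcount(v: int) -> int:
    return bin(v).count("1")


def apply_matrix(rows: List[int], x: int) -> int:
    """Multiply the binary matrix (one bitmask per row, bit j of rows[i] = M[i][j])
    by the bit column vector x over GF(2): bit i of the result is the parity of
    the AND of row i with x, i.e. the XOR of the selected input words."""
    y = 0
    for i, row in enumerate(rows):
        if popcount(row & x) & 1:
            y |= 1 << i
    return y


def transpose(rows: List[int], n: int) -> List[int]:
    """M^T in the same row-bitmask representation (used for the linear branch number)."""
    cols = []
    for j in range(n):
        col = 0
        for i in range(n):
            if (rows[i] >> j) & 1:
                col |= 1 << i
        cols.append(col)
    return cols


def branch_number(rows: List[int], n: int) -> int:
    """min over nonzero x of wt(x) + wt(Mx); bit vectors suffice for a binary matrix."""
    return min(popcount(x) + popcount(apply_matrix(rows, x)) for x in range(1, 1 << n))


def is_invertible(rows: List[int], n: int) -> bool:
    """Gaussian elimination over GF(2) on the row bitmasks; True iff rank == n."""
    m = list(rows)
    rank = 0
    for bit in range(n):
        pivot = next((i for i in range(rank, n) if (m[i] >> bit) & 1), None)
        if pivot is None:
            return False
        m[rank], m[pivot] = m[pivot], m[rank]
        for i in range(n):
            if i != rank and (m[i] >> bit) & 1:
                m[i] ^= m[rank]
        rank += 1
    return True


def complement_of_identity(n: int) -> List[int]:
    """The all-ones matrix minus the identity: row i has every bit set except bit i."""
    return [((1 << n) - 1) ^ (1 << i) for i in range(n)]


def search_highest_branch(n: int) -> Tuple[int, int, int]:
    """Return (highest branch number, number of n x n binary matrices whose
    differential (M) and linear (M^T) branch numbers both equal it, and how
    many of those are invertible). Feasible only for small n: 2^(n*n) matrices."""
    best = 0
    matching: List[List[int]] = []
    mask = (1 << n) - 1
    for bits in range(1 << (n * n)):
        rows = [(bits >> (n * i)) & mask for i in range(n)]
        b = branch_number(rows, n)
        if b < best:
            continue  # cheap prune: differential branch already too small
        b = min(b, branch_number(transpose(rows, n), n))
        if b > best:
            best, matching = b, [rows]
        elif b == best:
            matching.append(rows)
    invertible = sum(1 for rows in matching if is_invertible(rows, n))
    return best, len(matching), invertible


if __name__ == "__main__":
    n = 4
    print("J - I, n=4: branch number", branch_number(complement_of_identity(n), n))
    best, count, inv = search_highest_branch(n)
    print(f"n={n}: highest branch number {best}, {count} matrices attain it, {inv} invertible")
```

For \(n=4\) the search returns branch number 4 attained by exactly 24 matrices, all invertible, matching the \(4!\) of Fact 1; these are exactly the row permutations of the all-ones-minus-identity matrix. The same routine is far too slow in Python for \(n \ge 6\), which is why the paper restricts the search to matrices with the highest branch number using the technique of Guo et al. [16] rather than brute force.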

Table 2. \(AS_1\) of all MDBL matrices with \(n=4,5,\ldots ,8\).

Algorithm 1 has a high time complexity. Note that there is always a characteristic whose number of active S-boxes equals \(AS_1\), so the lower bound on the number of active S-boxes is always at most \(AS_1\). Therefore, we first exhaustively search all binary matrices with the highest branch number and evaluate only \(AS_1\). Table 2 shows \(AS_1\), where the DC columns give \(AS_1\) of \(M\) and the LC columns give that of \(M^T\); the DC columns correspond to differential characteristics and the LC columns to linear characteristics. Table 2 omits the case in which \(AS_1\) for DC is greater than that for LC, since it is obtained by exchanging \(M\) and \(M^T\). When the number of columns \(m\) is at least the number of rows \(n\), \(AS_1\) is independent of \(m\). Therefore, from Table 2 we obtain the following fact.

Fact 2

For all 4-round \((n, m)\)-AES-like primitives, \(AS_1\) is upper-bounded by 16, 17, 24, 25, and 32 for \(n=4,5,6,7,\) and 8, respectively.

Therefore, no binary matrix can achieve a lower bound of 17, 18, 25, 26, or 33 for \(n=4,5,6,7,\) and 8, respectively.

Finally, we exhaustively search all \(n \times n\) binary matrices with the highest branch number. First, we evaluate \(AS_1\), and if \(AS_1\) is not the maximum possible, we prune the matrix. Then, we evaluate the accurate lower bound using Algorithm 1. If we find a binary matrix whose lower bound equals \(AS_1\), it is one of the best binary matrices. Otherwise, we also evaluate, using Algorithm 1, the binary matrices whose \(AS_1\) is not the maximum possible.

5.2 Examples

Table 3 shows, for each \(n\), an example of a binary matrix with an enhanced lower bound.

When \(n=4\), no binary matrix enhances the lower bound on the number of active S-boxes. For \(n>4\), we find such matrices. Specifically, for \(n=5,6,\) and 8, the enhancement is maximized because of Fact 2. For \(n=7\), we cannot obtain binary matrices for which the number of active S-boxes is lower-bounded by 25. However, for \(m=n\), we also exhaustively evaluate \(AS_2\) and \(AS_3\), because there is always a characteristic whose number of active S-boxes is \(AS_2\) or \(AS_3\). As a result, since no binary matrix yields a lower bound of 25, the enhancement is maximized for \(m=n\). For \((7, m)\)-AES-like primitives with \(7 < m\), the number of active S-boxes may be lower-bounded by 25. However, since Lemma 4 guarantees only \(4 \times 6=24\) active S-boxes, we would have to take indirect propagation in the middle layer into account to guarantee a lower bound of 25.

5.3 Future Work

Essentially, binary matrices with an enhanced lower bound tend to have high Hamming weight. For lightweight implementation, it is important to consider binary matrices whose multiplication can be computed with a low XOR count. A good trade-off between the two must be found.

Table 3. Examples of binary matrices with enhanced lower bound.

Our algorithm heavily exploits the structure of AES-like primitives and their properties, which accelerates the computation of the bounds and the derivation of good matrices. On the other hand, it is customized for 4-round AES-like primitives, and the mixed-integer linear programming approach [28] seems more useful for primitives with more rounds.

We focused on the number of active S-boxes, which implies “provable security” [22] against differential and linear cryptanalysis. Toward ultimate security against differential and linear cryptanalysis, there is still a long way to go in evaluating our construction. Differentials [26], linear hulls [29], and plateau characteristics [14] are topics in this area. Moreover, a “good” cipher should have a similar security level against each cryptanalysis. Therefore, the next problem to analyze is to confirm security against other cryptanalyses, e.g., impossible differential [4], integral [23], and zero-correlation cryptanalysis [6].

6 Conclusion

We investigated the number of active S-boxes in differential and linear characteristics of 4-round AES-like primitives with binary MixColumns. The number is lower-bounded by \(\mathcal{B}^2\) when the branch number of the binary MixColumns is \(\mathcal{B}\). However, we showed that this lower bound is not always tight for AES-like primitives with binary MixColumns. To analyze the bound, we first introduced enhanced propagation and (in)direct propagation, and showed useful properties of binary matrices. Then, we showed how to evaluate an accurate lower bound for a given binary matrix. As a result, we showed that some binary matrices enhance the lower bound from \(\mathcal{B}^2\) to \(\mathcal{B}(\mathcal{B}+2)\). Specifically, for \((n, m)\)-AES-like primitives with \(n=5,6,7,\) and 8, we found binary matrices whose lower bounds are 17, 24, 24, and 32, respectively. Moreover, we evaluated the limit of the enhancement: it is maximized for all \((n, n)\)-AES-like primitives with \(n \in \{4,5,\ldots ,8\}\), and for all \((n, m)\)-AES-like primitives with \(n < m\) it is also maximized for \(n \in \{4,5,6,8\}\).