## Abstract
In particular, ciphers designed following the **wide-trail strategy** use the branch number of the linear layer to derive bounds on the probability of linear and differential trails.

At FSE 2014, the **LS-design** construction was introduced as a simple and regular structure to design bitsliced block ciphers. It considers the internal state as a bit matrix, and applies alternatively an identical S-Box on all the columns, and an identical L-Box on all the lines.

We study the construction of bitsliced linear transformations with **efficient implementations** using XORs and rotations (optimized for bitsliced ciphers implemented on 32-bit processors), and a **high branch number**.

Our main result is a linear layer for 128-bit ciphers with branch number 21, improving upon the best 32-bit transformation with branch number 12, and the one of Spook with branch number 16.

## 1 Introduction
### 1.1 Design strategies for SPN ciphers

We consider an SPN cipher with $\ell$ parallel SBoxes, each operating on $s$ bits; the block size is $n = \ell s$ (see Figure 1). In this paper, we denote $\mathbb{B}_s$ the set of all $s$-bit elements: $B_s = \{0, 1\}^s$. The internal state is considered as an element in $B^{\ell}_s = (\{0, 1\}^s)^{\ell}$, i.e., a sequence of $\ell$ $s$-bit elements $x = (x_0, x_1, \dots, x_{\ell−1})$. We define the Hamming weight of $x$ as $|x| = \#\{i \in \{0, 1, \dots , \ell − 1\} : x_i \neq 0\}$(Hamming weight over $\mathbb{B}^{\ell}_s$).

#### 1.1.1 The Wide-Trail Strategy

The differential branch number of a linear transformation $\Lambda$ is defined as
$$
\cal B_d(\Lambda) = \text{min}_{x\neq 0}(|\Lambda(x)|+|x|).
$$
This is an important security property, measuring the diffusion of a linear layer: any non-trivial differential characteristics in two consecutive rounds has at least $\cal B_d(\Lambda)$ active SBoxes [DR01, Theorem 1]. Therefore, if the SBox has differential uniformity $\delta$, the probability of any $r$-round differential trail is at most $(\delta/2^s)^{\cal B_d\cdot\lfloor r/2 \rfloor}$.

Similarly, the linear branch number is defined as

$$\cal B_l(\Lambda) = \text{min}_{x\neq 0}(|\Lambda^{\top}(x)|+|x|),$$

where $\Lambda^{\top}$ is the linear transformation whose matrix representation over $\mathbb{F}_2$ is the transpose of the matrix representation of $\Lambda$ (note that we must consider the matrix representation as an $\ell s \times \ell s$ matrix over $\mathbb{F}_2$, not as an $\ell \times \ell$ matrix over $\mathbb{F}_{2^s}$ ). Any non-trivial linear trail in two consecutive rounds has at least $\cal B_l(\Lambda)$ active SBoxes. Therefore, if the SBox has linearity $\lambda$, the expected squared correlation of any $r$-round linear trail is at most $(\lambda^2/2^{2s})^{\cal B_l\cdot \lfloor r/2 \rfloor} =(\lambda/2^{s})^{2\cal B_l\cdot \lfloor r/2 \rfloor}$.

We have $2 \leq \cal B_d(\Lambda) \leq \ell + 1$ and $2 \leq \cal B_l(\Lambda) \leq \ell + 1$. A linear layer is called an MDS matrix when $\cal B_d(\Lambda) = \ell + 1$; this condition is equivalent to $\cal B_l(\Lambda) = \ell + 1$. Besides, when the linear layer is orthogonal (i.e. when $\Lambda^{\top} = \Lambda^{-1}$), we have $\cal B_l(\Lambda) = \cal B_d(\Lambda)$.

#### 1.1.2 Bitsliced Ciphers and LS-Designs

Conceptually, a software implementation of an SPN cipher uses a memory cell for each SBox input ($\ell$ memory units of $s$ bits), Alternatively, SPN ciphers can be implemented in a bitsliced way with $s$ memory units of $\ell$ bits.

The LS-designs [GLSV15] are a family of ciphers optimized for bitsliced implementation. The state is considered as an $s \times \ell$ matrix of bits; the SBox layer applies the same **SBox** $S : \mathbb{B}_s \to \mathbb{B}_s$ on each column, and the linear layer applies a fixed **LBox** $L : \mathbb{B}_{\ell} \to \mathbb{B}_{\ell}$ on each line.

#### 1.1.3 Spook

Spook [BBB+20] is an AEAD scheme using primitives that build upon the ideas of LS-designs.

First, the LBox is designed so that it has an efficient implementation using XORs and rotations, rather than using table lookups. 

Second, Clyde-128 differs from LS-designs by using an interleaved LBox operating on two $\ell$-bit registers at once, rather than independently on each register.

### 1.2 Our Results

We extend the construction of Spook by considering a linear layer that **operates on 3 or 4 words** at a time, rather than 2. This presents two difficulties, compared to what was done by the Spook designers: bounding the **branch number** of such a linear layer requires a lot of **computation**, and the techniques to obtain an **efficient implementation** of the **inverse** are not applicable with those parameters.

![linear_compare.png](attachment:image.png)

> motivation to the problem, then give the solution, then the main result

## 2 Linear Transformations Based on XORs and Rotations

### 2.1 Operating on a Single Word

A circulant matrix can be identified with a polynomial in $\mathbb{F}_2[X]/(X^\ell + 1)$, by taking the content of the first row as the coefficients; the product of two circulant matrices is the same as the polynomial **product in the ring** $\mathbb{F}_2[X]/(X^\ell + 1)$.

In terms of implementation, a naive implementation of the LBox $L_{32}$ would require 10 XORs and 10 rotations:

$$
\begin{aligned}
L_{32}(x) = x &\oplus (x \gg 1) \oplus (x \gg 3) \oplus (x \gg 4)\\ &\oplus (x \gg 5) \oplus (x \gg 6) \\
 &\oplus (x \gg 7) \oplus (x \gg 9)\\ 
 &\oplus (x \gg 11) \oplus (x \gg 15) \oplus (x \gg 16)
\end{aligned}
$$

However, the implementation of Algorithm 2 requires only 5 XORs and 5 rotations, by reusing some intermediate variables.

**Algorithm 2: $L_{32}$ LBox**

**Input**: $x$

$$
\begin{aligned}
a & \leftarrow x \oplus \text{rot}(x, 1) \\
b & \leftarrow a \oplus \text{rot}(a, 4) \\
a & \leftarrow b \oplus \text{rot}(a, 9) \\
b & \leftarrow a \oplus \text{rot}(x, 3) \\
\text{return } & b \oplus \text{rot}(a, 6)
\end{aligned}
$$

### 2.2 Operating on Several Words

On the other hand, Spook uses an *interleaving* construction: the linear transformation is defined on two words simultaneously. This generalization includes linear transformation with a **better branch number**.

In general, a linear transformation $L$ operating on $w$ words (with $w$ dividing $s$) based on XORs and rotations corresponds to a $\ell w \times \ell w$ matrix with $\ell \times \ell$ circulant blocks $M_{i,j}$.

$$
L = \begin{pmatrix}
M_{1,1} & \cdots & M_{1,w} \\
\vdots & \ddots & \vdots \\
M_{w,1} & \cdots & M_{w,w}
\end{pmatrix}
$$

$$
L : \mathbb{B}^{w}_\ell \to \mathbb{B}^{w}_\ell
$$

$$
(x_1, \ldots, x_w) \mapsto (y_1, \ldots, y_w)
$$

$$
y_i = \sum M_{i,j} x_j
$$

### 2.3 Differential and Linear Branch Numbers

An important property of LBoxes built from a circulant matrix $\bar{L}$ is that the linear and differential branch numbers are equal.

We use the following notation for a circulant matrix $C$, with $c_0, \ldots, c_{w\ell-1} \in \mathbb{B} = \{0, 1\}$:

$$
C = \text{Circ}(c_0, c_1, \ldots, c_{w\ell-1}) = 
\begin{pmatrix}
c_0 & c_1 & \cdots & c_{w\ell-1} \\
c_{w\ell-1} & c_0 & \cdots & c_{w\ell-2} \\
\vdots & \vdots & \ddots & \vdots \\
c_1 & c_2 & \cdots & c_0
\end{pmatrix}
$$

In particular, we have:

$$
C^{\top} = \text{Circ}(c_0, c_1, \ldots, c_{w\ell-1})^{\top} = \text{Circ}(c_0, c_{w\ell-1}, \ldots, c_1)
$$

### 2.4 Search for Good LBoxes

Finding the branch number of $L$ is equivalent to finding the value $x \neq 0$ that minimizes $|L(x)| + |x|$. A naive approach does exhaustive search over all possible $x$; this is practical for a 32-bit linear transformation.

An improved variant tries $x$ by increasing weight: if $|L(x)| + |x| \geq b$ for all $x$ with $|x| \leq b - 2$, then the branch number is at least $b$ (because $L$ is invertible). We define the set $X_h = \{x \in \mathbb{F}_{2^w}^\ell : |x| \leq h\}$ of words of weight at most $h$.

To further reduce the search space, we observe that if $|L(x)| + |x| \leq b$ then $|x| \leq b/2$ or $|L(x)| \leq b/2$. Therefore, to show that the branch number is at least $b$ it is sufficient to exhaustively search all $x$ in $X_{\lfloor b/2 \rfloor}$ and in $\{L^{-1}(x) : x \in X_{\lfloor b/2 \rfloor}\}$.

![compute_branch_number.png](attachment:image.png)

### 2.6 Known Results

We now summarize the state of the art on efficient LBoxes defined for $ l = 32 $-bit words.

**Operating on 1 word** [Leu19]. When operating on one word, there are around $ 2^{31} / 32 = 2^{26} $ invertible circulant matrices up to equivalence by rotation. The branch number of a candidate can be computed with at most $ 2 \times |X_6| \approx 2^{21.1} $ operations, assuming it is smaller than 12.

**Operating on 2 words [BBB+20, Leu19].** When operating on two words, exhaustive search is no longer possible. The Spook authors ran a search for random circulant matrices, and the best branch number obtained was 16. They also found an LBox with branch number 16 with **efficient implementation** and efficient inverse, which is used in Spook;

## 3 Search for New Linear Transformations

This should increase the branch number that we can achieve, but there are two issues that make the previous methods inapplicable:

- The algorithm to compute the branch number described in Section $2.4$ is not applicable to $w > 2$;
- The birthday search described in Section $2.5$ to find a matrix with efficient implementation and efficient inverse is not applicable to $w > 2$.

### 3.1 Computing the Branch Number Efficiently

In particular, we observe that the algorithm described in Section $2.4$ is actually the classical Brouwer-Zimmermann [Zim96, BBF+ 06] minimum distance algorithm, applied to the code generated by $I∥L̄$. As far as we know this is the best deterministic algorithm to compute the branch number of an arbitrary linear code, but coding theory offers **probabilistic algorithms** that are more efficient.

#### 3.1.1 Information Set Decoding Algorithm

More specifically, we use an Information Set Decoding (ISD)  algorithm [Pra62] to find a non-zero codeword with the lowest possible weight.

This is an iterative algorithm which, given a matrix, a weight $w$, a number of iterations $t$, and a parameter $d$, returns a codeword of weight $w$ if it finds one.

**Case $w = 1$.**

We assume that there is a word $W$ of weight $w$ in the code. Each iteration tries to find such a word, and succeeds with some probability $p$. Each iteration works as follows. First, starting from the matrix $L̄$, a random permutation of the columns is performed, and a Gaussian reduction is performed. After the permutation, the $l$ columns on the left are called an information set.



We hope that $W$ has weight exactly $1$ in the information set. This happens with probability:
$$
p = \frac{{\ell \choose w-1} \times {\ell \choose 1}}{ {2\ell \choose w}} 
$$
In this case, $W$ is one of the rows of the matrix, if the matrix is in row echelon form. We have a good probability to find $W$ after $1/p$ iterations: after $(1/p) \times \epsilon$ iterations, we find it with probability $1 - (1 - p)^{(1/p) \times \epsilon} \approx 1 - e^{-\epsilon}$.

Knowing that the complexity of this algorithm is dominated by the Gaussian elimination, we consider combinations of $d$ rows. We therefore increase the probability of finding a word of weight $w$ if one exists. This succeeds if $W$ has weight lower or equal than $d$ in the information set. The success probability is:
$$
p = \sum_{j=1}^d\frac{{\ell \choose w-j} \times {\ell \choose j}}{ {2\ell \choose w}} 
$$

![set_decoding_algorithm.png](attachment:image.png)

## 3.3 Implementing the Inverse

**Simultaneous Search of $L$ and $L^{−1}$.** we generate matrices using a sequence of operations $x_i \leftarrow x_{a_i} \oplus \text{rot}(x_{b_i}, r_i)$, and then, for candidates with a high branch number, we look for an efficient implementation of their inverse.  

**Heuristic Search of Good Implementation.**  We use the notation $|x|_2$ to denote the binary Hamming weight (as opposed to the Hamming weight $|x|$ over $\mathbb{B}_w$). A naive implementation of an LBox $L$ requires $|L(1)|_2$ rotations and $|L(1)|_2 - 1$ XORs, but we can use heuristics to find a more efficient implementation.

Our approach is to start with the target $L(1)$ and to decompose it into several words. For simplicity, we only count the number of XORs in an implementation. We start with the following decomposition:

$x = a \oplus (a \ggg r) \oplus b$. Given a target $x$, we iterate over all $r$ $(1 \leq r < wl)$ and we construct a value $a$ to obtain a small value $|a|_2 + |b|_2$ with $b = x \oplus a \oplus (a \ggg r)$.

A good candidate is $z = x \land (x \lll r)$; when $z$ and $z \ggg r$ are disjoint we take $a = z$ and obtain $|b|_2 = |x|_2 - 2|a|_2$ with $|a|_2 + |b|_2$ minimal. In general, we use a greedy algorithm to iteratively build $a$.

We can implement $a$ and $b$ naively, and we obtain an implementation of $x$ with cost $(|a|_2 - 1) + (|b|_2 - 1) + 2$; most of the time this is smaller than the cost of a naive implementation $(|x|_2 - 1)$. We can often further reduce the cost of the implementation by recursively decomposing $a$ and $b$.

We consider the following decompositions:

$x_i = a \oplus (a \ggg r) \oplus b$. We exhaustively consider all $x_i$'s (and $r$) and use the same decomposition as above. This reduces the implementation cost if $|a|_2 + |b|_2 < |x_i|_2$. The new vector to decompose is $(x_0, \ldots, x_{i-1}, x_{i+1}, \ldots, x_v, a, b)$.

$x_i = a \oplus (x_j \ggg r)$. We exhaustively consider all pairs $(x_i, x_j)$ and all values $r$, and define $a = x_i \oplus x_j \ggg r$. If $|a|_2 + 1 < |x_i|_2$ this reduces the implementation cost. The new vector to decompose is $(x_0, \ldots, x_{i-1}, x_{i+1}, \ldots, x_v, a)$.

$x_i = a \oplus b$, $x_j = (a \ggg r) \oplus c$. We exhaustively consider all pairs $(x_i, x_j)$ and all values $r$, and define $a = x_i \land (x_j \lll r)$, $b = x_i \oplus a$, $c = x_j \oplus (a \ggg r)$. We have $|b|_2 = |x_i|_2 - |a|_2$ and $|c|_2 = |x_j|_2 - |a|_2$, so that this reduces the implementation cost when $|a|_2 > 1$. 

The new vector to decompose is $(x_0, \ldots, x_{i-1}, x_{i+1}, \ldots, x_{j-1}, x_{j+1}, \ldots, x_v, a, b, c)$.

#### code for decompose


The state format is $((x_1,x_2,\dots,x_v),v)$, when start the state is $((x_1),1)$. Here is the transition condition and equation. Here $i,j \in \set{r| 0\leq k \leq v, k\in \mathbb{Z}}$ $, 0\leq r \leq \text{WORD\_SIZE}, r\in \mathbb{Z}$



End condition
- $x_{i} = 1 \lll r $ : $((x_1,\dots,x_{i},\dots,x_v),v) \to ((x_1,\dots,x_{i-1},x_{i+1},\dots,x_v),v-1)$ 
- $x_{i}=x_{j} \lll r$ : $((x_1,\dots,x_{i},\dots,x_v),v) \to ((x_1,\dots,x_{i-1},x_{i+1},\dots,x_v),v-1)$ 


transmit state

- $x_i=a\oplus (a\ggg r)\oplus b, a=x_i\land(x_i
  \lll r), a\land(a\ggg r)=0$: $((x_1,\dots,x_{i},\dots,x_v),v) \to ((x_1,\dots,a,\dots,x_v,b),v+1)$

### 4.2 Considering 4 Words

We found an LBox operating on four 32-bit words with branch **number 21** and an efficient implementation (**24 rotations and 24 XORs**).

The implementation of the inverse has been found using the strategy described in Section 3.3: it has **76 rotations and 72 XORs**. 


## 4 Results

### 4.1 Considering 3 Words

We found an LBox operating on **three 32-bit** words with **branch number 19** and an efficient implementation (**18 rotations and 18 XORs**).

The implementation of the inverse has been found using the strategy described in Section 3.3: it has 42 rotations and 39 XORs.

## 5 Conclusion

We obtain a 128-bit linear transformation which is a very good candidate for the linear layer of a bitsliced 128-bit cipher with 32 4-bit SBoxes. It has an efficient implementation as a series of 32-bit XORs and rotations, and a branch number of 21.

As a comparison, our new linear layer has a better branch number than the one used in Spook (with branch number 16), and the implementation in the forward direction has the same efficiency. However, the **inverse** is about **three time** more **expensive**. 


We had to solve two problems. Firstly, how to compute efficiently the branch number of a linear transformation? For this, we used tools from coding theory: an **Information Set Decoding algorithm** is used to compute the branch number of a linear transformation. Secondly, how to find linear transformations with an efficient implementation and/or whose inverse has an efficient implementation? To do this, we proposed **linear transformations from sequences** of XORs and rotations of 32-bit words.