Mathematical Problems in Engineering

Volume 2014, Article ID 540253, 12 pages

http://dx.doi.org/10.1155/2014/540253

## On the Construction of and Binary Matrices with Good Implementation Properties for Lightweight Block Ciphers and Hash Functions

^{1}Department of Computer Engineering, Trakya University, 22030 Edirne, Turkey^{2}Department of Computer Engineering, Ondokuz Mayis University, 55139 Samsun, Turkey^{3}Institute of Applied Mathematics, Middle East Technical University, 06531 Ankara, Turkey^{4}Software Engineering Department, Kirklareli University, 39000 Kırklareli, Turkey^{5}Department of Computer Engineering, Namık Kemal University, 59860 Çorlu, Turkey

Received 16 June 2014; Revised 9 October 2014; Accepted 13 October 2014; Published 2 November 2014

Academic Editor: Kwok-Wo Wong

Copyright © 2014 Muharrem Tolga Sakallı et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

We present an algebraic construction based on state transform matrix (companion matrix) for (where , being a positive integer) binary matrices with high branch number and low number of fixed points. We also provide examples for and binary matrices having advantages on implementation issues in lightweight block ciphers and hash functions. The powers of the companion matrix for an irreducible polynomial over with degree 5 and 4 are used in finite field Hadamard or circulant manner to construct and binary matrices, respectively. Moreover, the binary matrices are constructed to have good software and hardware implementation properties. To the best of our knowledge, this is the first study for (where , being a positive integer) binary matrices with high branch number and low number of fixed points.

#### 1. Introduction

Modern block ciphers are made of several rounds. Each of these consists of confusion and diffusion layers. Confusion and diffusion are two principles of the operation of a secure cipher as identified by Shannon [1]. Many block ciphers use linear transformations together with nonlinear substitution boxes (S-boxes) to implement Shannon’s principles. In addition, many block ciphers use S-boxes based on the inversion mapping in a finite field [2, 3]. In a block cipher, a linear transformation is employed to provide the required diffusion. The linear transformation guarantees all the output bits to depend on all the input bits after few rounds. The substitution layer or nonlinear layer provides the necessary confusion making this dependency complex and nonlinear [4]. A linear transformation provides diffusion by mixing bits of the fixed size input block to produce the corresponding output block of the same size [5]. The two existing techniques of measuring diffusion for linear transformations are the branch number [6] and the number of fixed points [5]. The branch number denotes the minimum number of active S-boxes for any two consecutive rounds and represents diffusion rate and measures security against linear and differential cryptanalysis. To achieve better diffusion property, many modern ciphers use linear transformations with high branch number. On the other hand, the number of fixed points provides an indication of how well the linear transformation effectively changes the value of the input block when producing the output block. The basis of the idea is that there is no diffusion at fixed points since the input blocks at these points are left intact by the linear transformation. Note that the expected number of fixed points in a random linear transformation is one [5].

Many block ciphers use maximum distance separable (MDS) and maximum distance binary linear (MDBL) codes as diffusion layers in their round function. The AES [7] and Khazad [8] use MDS codes; the Camellia [9] and ARIA [10] use MDBL codes. It is known that MDS matrices do not give a compact implementation in hardware, for example, AES. Most diffusion layers are linear transformations having matrix representations over or . The binary matrices, having matrix representation over , are employed as diffusion layers in block ciphers like Camellia and ARIA. An advantage of using such binary matrices in the design of block ciphers compared with MDS codes is the implementation phase where only XOR operations are needed while MDS matrices may need XOR operations, table look-ups, and xtime calls [11]. Furthermore, the and binary matrices used in Camellia and ARIA have the maximum branch numbers 5 and 8, respectively, and are therefore called MDBL codes [4]. In [12, 13], an algebraic construction method to generate , , and binary matrices of maximum branch number was given. There is no general method for binary matrices where , being a positive integer. Constructing diffusion layers with high branch numbers, low number of fixed points, and low-cost hardware/software implementations is an open problem for lightweight block ciphers and hash functions.

In recent years, lightweight cryptography has attracted a lot of attention from the crypto community since the use of resource constraint devices has been increasing. There are several lightweight block cipher constructions with 80-bit and 96-bit block sizes in the literature [14–17]. However, these proposals neglect important real-world constraints except a small chip area and they have different deficiencies as listed below:(i)the lack of efficiency on low-cost processors,(ii)a vast amount of program memory storage,(iii)high execution times due to the high number of rounds,(iv)the lack of security assessment in detail.The wide-trail strategy is one of the important approaches to design round transformations of block ciphers that combine efficiency and resistance against linear and differential cryptanalysis. It results in simple and strong security arguments. However, this approach does not help in designing efficient diffusion layers (with a suitable number of active S-boxes). In this respect, the diffusion layers constructed and the method given in this study aim to provide an alternative structure for the block ciphers with input size different than .

In this study, an algebraic method based on state transform matrix (companion matrix) to construct binary matrices with good implementation properties for lightweight block ciphers and hash functions is given. The emphasis is given to binary matrices where and is a positive integer. The proposed method can also be considered as a generalization and different interpretation of the methods given in [12, 13] since it works for any . This method uses finite field Hadamard (FFHadamard) matrices with the powers of the companion matrix for an irreducible polynomial over of degree 5 and circulant matrices with the powers of the companion matrix for an irreducible polynomial over of degree 4 to generate (involutory and noninvolutory) and binary matrices (noninvolutory) of branch numbers 8 and 10 with low number of fixed points, respectively. Also, the binary matrices are constructed to have suitable software and hardware implementation properties for lightweight block ciphers. Note that the binary matrices with these sizes have not been studied in the literature well enough, which may allow us to design a lightweight block cipher with 80-bit and 96-bit block sizes if these matrices are used with 4-bit S-boxes.

This paper is organized as follows: Section 2 describes the required mathematical background and an introduction to the proposed method. In Section 3, the proposed method is given and examples are provided with good cryptographic properties. Security assessment of lightweight block cipher using the proposed diffusion layer is analyzed in Section 4. Conclusion is given in Section 5. In Appendices A, B, and C implementation details of given examples are discussed.

#### 2. Preliminaries

In this section, we give the mathematical background and a view of the proposed method.

Let , where is an irreducible polynomial over with degree . Let be the companion matrix for the irreducible polynomial over with degree . The powers of can be considered as the nonzero elements of [18, 19]. Then, the matrix can be viewed as a polynomial, that is, . This is the core part of the proposed method. Note that this multiplication is modulo and rank of these matrices is the extension degree . The identity matrix can be obtained by In this study we focus on the finite fields and , where the irreducible polynomials over are, respectively, and . Now we give an example on how to obtain the elements of .

*Example 1. *Let , where is the irreducible polynomial over . Then,

matrices with the elements of , where , can be transformed to binary matrices by substituting the powers of with their corresponding binary matrices. Similarly, matrices with the elements of , where , can be transformed to binary matrices by substituting the powers of with their corresponding binary matrices.

Now we recall some facts on the linear transformations. The linear transformations of diffusion layers used in most block ciphers are represented as matrices. Hence, a linear transformation can be defined as follows: where and , . Also represents the number of S-boxes in a diffusion layer , where the size of each input and output is -bit [4].

*Definition 2 (see [6]). *The differential and linear branch numbers of an matrix are defined by
where is the number of nonzero components in , respectively.

*Definition 3. *Let be a power of 2. An finite field Hadamard (FFHadamard) matrix with the elements of can be given as follows:

*Remark 4. *Note that one can also divide the FFHadamard matrix into the submatrices. For example, for FFHadamard matrix, we have , where and . The matrices and have Toeplitz matrix properties. We use this observation while constructing a diffusion layer.

*Definition 5. *An circulant matrix with the elements of can be given as follows:

Note that Remark 4 is also applicable in this case. In Lemma 6, the construction of involutory FFHadamard matrix is given.

Lemma 6. *Let be a FFHadamard matrix with distinct elements of . Then is involutory if and only if .*

*Proof. *The identity matrix satisfies and . Since is unitary and symmetric , the matrix is involutory:

In this study, binary matrices are constructed by using FFHadamard matrices with the elements of and also noninvolutory binary matrices are constructed by using matrices with the elements of . The binary matrices constructed are both involutory and noninvolutory with minimum number of fixed points. Involutory transformations can make the decryption process the same as the encryption process. Thus the encryption and decryption can be implemented by the same module and with equal speeds. However, noninvolutory transformations constructed in this study are aimed at having close encryption and decryption speeds. An input block is a fixed point of a transformation if the input block equals its output block. Clearly, in this context, there is no diffusion at the fixed points since the input blocks at these points are left intact by the linear transformation. Therefore, if the number of fixed points in a linear transformation greatly exceeds the expected number for a random linear transformation, then this is an indication of poor diffusion of the linear transformation. Note that the expected number of fixed points in a random linear transformation is one [5]. Consider an input block to a linear transformation formed by -bit values in the field and let the linear transformation matrix be an matrix , where or and is an identity matrix. Then, the set of all fixed points for that linear transformation, which can be represented by a nonsingular matrix , can be obtained by solving the following equation: , where 0 is the all zero vector of length . Hence, the number of fixed points can be given as It is obvious that if the matrix has bigger rank, the matrix has lower number of fixed points.

*Remark 7. *The existence of fixed points in the round function of block ciphers is used as the basis for some cryptographic attacks and these attacks use fixed points that exist across one or more rounds [5]. The block ciphers DES, SAFER K, Blowfish, GOST, DEAL, and KeeLog were previously found vulnerable to attacks based on the existence of fixed points [20–23]. For SPN ciphers, the existence of fixed points in a linear transformation hints at the presence of 1-round self-iterating differential characteristic. It should be also noted that not all fixed points are useful in constructing a self-iterating characteristic. The usefulness of a fixed point, in this case, depends on its interaction with the subsequent nonlinear transformation. If the input difference is a fixed point, then the linear transformation will replicate this difference into the same S-boxes in the next round. In this context, when designing a block cipher, the linear transformation should be considered with the S-boxes and self-iterating characteristics should be searched. The designer should decide on the number of rounds of the block cipher according to some further investigations (e.g., the resistance of the linear transformation against other attacks like impossible differential cryptanalysis and truncated differential cryptanalysis). To ensure that the large number of fixed points does not trigger an attack to the cipher where the construction is used as a building block depends on the cipher. What we expect is that the cipher itself should behave like a random permutation. Therefore, if the cipher itself does not have many fixed points then it would be almost impossible to exploit the large number of fixed points of the matrix used in the cipher. Therefore, the other building blocks of the cipher should not leverage and extend the fixed points of the matrix to the high level structure of the cipher. Otherwise the cipher may be vulnerable to some self-similarity attack such as reflection attacks.

#### 3. The Proposed Method

In this section, we explain our strategy by using the definitions given in Section 2. Then, we give algebraic construction of and binary matrices. The construction procedure has four main steps.

*Step **1.* Construct companion (state transform) matrix for a given irreducible polynomial of degree . Note that is an matrix.

*Step **2.* Choose some integers ’s with and compute the corresponding ’s. Note that the selection of ’s depends on the Hamming weight of each row of the big matrix .

*Step **3.* Construct by using or , where is a positive integer. Choose matrix whose Hamming weight of the each row is as small as possible. This condition helps us to have low-cost (XOR friendly) hardware implementations.

*Step **4.* Check whether the branch and the number of fixed points are satisfactory.

This algorithm can be easily implemented on a computer. The results given in this study are obtained by using Magma Computational Algebra System [24]. With the help of Magma Computational Algebra System, one can evaluate hundreds of or binary matrices in a second.

*Remark 8. *Note that the diffusion layers proposed in this study can be implemented by only XOR operations whereas other diffusion layers like MDS (maximum distance separable) matrices may use table look-ups, xtime calls, and so forth [11]. Thus, performing the proposed diffusion layers gives us better implementation properties.

##### 3.1. Algebraic Construction of Cryptographically Good Binary Matrices

The maximum branch number of binary matrices is equal to the maximum distance of binary linear codes. The exact maximum distance for () binary matrices is known. For example, the maximum branch number and also the upper bound for matrices are 5 [4]. binary matrix with a branch number 9 is known and the upper bound is 10 in theory. Note that there is no theoretical bound for the involutory binary matrices in view of branch number. The method presented herein is successful for generating involutory and noninvolutory binary matrices of branch number 8. Also, involutory and noninvolutory binary matrices are constructed such that the rank of matrix is the highest achievable rank, which is 10 for involutory binary matrices and 20 for noninvolutory binary matrices. In Example 11, a involutory binary matrix () is constructed from a involutory FFHadamard matrix that satisfies four restrictions simultaneously such that(i)the matrix should be involutory as given in Lemma 6,(ii)the binary matrix transformed from the involutory matrix should be of differential and linear branch number 8,(iii)the involutory matrix should be chosen such that the rank of the matrix should be 2, which is in fact the highest achievable rank ( for an involutory matrix). Since the elements of are used to construct the binary matrix, the rank of the matrix becomes 10. Thus, if it is used as -bit to -bit linear transformation, where each input element is in , the binary linear transformation includes fixed points,(iv)the elements matrix in should be chosen such that each row and column of the transformed binary matrix should have the Hamming weight equal to 7, which provides suitable implementation properties.

*Remark 9. *If we want to construct a binary matrix of branch number 8 with minimum Hamming weight (in each row and column), then we need to focus on a binary matrix which has Hamming weight 7 in each row and column. That means in random search we should search binary matrices whereas our search space in the proposed method is , where represents the number of binary matrices (different elements) used in the construction and obtained by using the primitive polynomial and 4 represents the first 4 elements in Hadamard matrix. Therefore, the main idea of the method is to reduce search space and construct binary matrices of high branch number.

*Remark 10. *If one wants to construct an involutory binary matrix and uses it with 4-bit S-boxes, then the minimum number of fixed point is since the rank of matrix becomes at most 10 (or at most for an involutory binary matrix). In this respect, this matrix has as possible the lowest number of fixed points. For example, the AES includes fixed points though the diffusion layer of the AES (shiftrows + mixcolumns) is not involutory [5]. Noninvolutory diffusion layers may provide less number of fixed points as shown in Example 12 (one fixed point).

*Example 11. *Let
be an involutory FFHadamard matrix, which is also MDS matrix over the finite field defined by the primitive polynomial ; that is, the branch number of the matrix is 5. It can be transformed into the binary matrix satisfying the restrictions above as follows:Note that binary matrix, given in Example 11, requires 120 XOR operations in the implementation for both encryption and decryption. In Example 12, a noninvolutory binary matrix is constructed from noninvolutory matrix that satisfies three restrictions simultaneously such that(i)the binary matrix, , transformed from the noninvolutory matrix should be of differential and linear branch number 8,(ii)the rank of noninvolutory matrix should be 4, which is in fact the highest achievable rank ( for matrix). Since the elements of are used to construct the binary matrix, the rank of the matrix becomes 20. Therefore, if it is used as -bit to -bit linear transformation, where each input element is in , the binary linear transformation includes only one fixed point,(iii)the elements of matrix in should be chosen such that the constructed binary matrix should have suitable implementation properties.

*Example 12. *Let
be a noninvolutory FFHadamard matrix, which is also MDS matrix over the finite field defined by the primitive polynomial ; that is, the branch number of the matrix is 5. It can be transformed into the binary matrix satisfying the restrictions above as follows:Note that the binary matrix given in Example 12 and the inverse of binary matrix (Appendix A) require 124 XOR operations and 140 XOR operations in the implementation for encryption and decryption, respectively.

##### 3.2. Algebraic Construction of Cryptographically Good Binary Matrices

The exact maximum distance (upper bound) and therefore maximum branch number for binary matrices are 12 [4]. The method presented herein is successful for generating noninvolutory binary matrices of branch number 10. Note that there is no known binary matrices of branch number 10 or more. noninvolutory binary matrices are constructed such that the rank of matrix is as possible as high rank. Also, when constructing binary matrices, circulant matrices with the elements of are used. In Example 13, a noninvolutory binary matrix is constructed from a circulant matrix that satisfies three restrictions simultaneously such that(i)the binary matrix, , transformed from the circulant matrix should be of differential and linear branch number 10,(ii)the circulant matrix should be chosen such that the rank of the matrix should be 5, which is in fact the highest achievable rank satisfying the previous restriction. Since the elements of are used to construct the binary matrix, the rank of the matrix becomes 20. Thus, if it is used as -bit to -bit linear transformation, where each input element is in , the binary linear transformation includes fixed points.(iii)The elements of matrix in should be chosen such that the constructed binary matrix should have suitable implementation properties.

*Example 13. *Let
be a circulant matrix, which is of branch number 6 over finite field defined by the primitive polynomial . It can be transformed into the binary matrix satisfying the restrictions above as follows:Note that in a straight coding the binary matrix, given in Example 13, requires 240 XOR operations in the implementation for both encryption and decryption. The required number of XOR operations can be reduced to 186 by adding 6 temporary variables to the implementation for both encryption and decryption (Appendices B and C).

#### 4. Security Assessment of an Assumed Lightweight Block Cipher with 80-Bit or 96-Bit Block Size

In this section, we focus on the security analysis of the assumed block cipher using the proposed linear transformation. A differentially active S-box is defined as an S-box given a nonzero input difference, and a linearly active S-box is defined as an S-box given a nonzero output mask. In this study, S-boxes are assumed to be bijective mappings defined on and round keys are assumed to be independent and random uniform. Thus the number of active S-boxes is not affected by the key addition layer. The branch number of a diffusion layer is the minimum number of active S-boxes in the -round SPN (substitution permutation network). We follow the method defined in [25, 26]. Let and be the the maximum probabilities of the differential and linear characteristic for -round SPN, respectively. Let and , where , , and denote the maximum differential probability for the S-box, the maximum linear probability for the S-box, and branch number for the diffusion layer used in a block cipher, respectively. In this study, an SPN structure consisting of a number of rounds of the same 20 -bit S-boxes connected by a binary matrix is considered for -bit block size. Figure 1 shows one round function of an assumed block cipher. Note that the maximum differential and linear probabilities of the S-box are assumed to be which is the best value for S-boxes [27]. Then, the maximum probabilities of the differential, , and linear characteristic, , for -round SPN are as follows: where denotes the branch number of binary matrix assumed for the lightweight block cipher demonstrated in Figure 1. The maximum differential and linear probabilities of -round SPN are bounded by since the branch number of the binary matrix is assumed to be 8 and thus the number of minimum active S-box is 8 in the -round SPN. In Table 1, the lower bounds for the number of active S-boxes and the upper bounds for the probabilities for linear and differential probabilities in each round size are computed for the assumed block cipher of 80-bit and 96-bit block sizes.

In this context, the minimum number of rounds needed for the lightweight block cipher with -bit block size to be secure against differential and linear cryptanalysis is 10 because the maximum differential and linear probabilities of -round SPN are bounded by . Similarly, if an SPN structure consisting of a number of rounds of the same 24 -bit S-boxes connected by a binary matrix is considered for -bit block size, then the minimum number of rounds needed for the lightweight block cipher to be secure against differential and linear cryptanalysis is again obtained as 10 because the maximum differential and linear probabilities of -round SPN are bounded by .

#### 5. Conclusion

In this study, an algebraic method based on state transform matrix (companion matrix) to construct binary matrices with good implementation properties for lightweight block ciphers and hash functions is given. The proposed method can also be considered as a generalization and different interpretation of the methods given in [12, 13] since it works for any . For and binary matrices, examples are provided with good implementation properties. The binary matrices are also constructed to have suitable software and hardware implementation properties for lightweight block ciphers. In other words, by using the proposed method, the matrices have smaller hardware implementations in view of the required number of XOR gates. Note that the binary matrices with these sizes have not been studied in the literature well enough, which may allow us to design a lightweight block cipher with -bit and -bit block sizes if these matrices are used with -bit S-boxes. binary matrix given in Example 12 has only one fixed point and branch number 8.

#### Appendices

#### A. Inverse of the Binary Matrix Given in Example 12

The inverse of the binary matrix () given in Example 12 can be constructed by transforming FFHadamard matrix into the binary form as given below:

#### B. Implementation of the Binary Matrix Given in Example 13

If the binary matrix given in Example 13 is implemented with -bit XORs, then is represented by -bit XORs of binary vectors as follows: , where and with , . Note also that are temporary variables used to reduce the number of XOR operations from 240 XOR to 186 XOR. Then,

#### C. Inverse of Binary Matrix Given in Example 13 and Implementation Details

The inverse of the binary matrix given in Example 13 is constructed from the circulant matrix as follows:Let , where and with , . Note also that are temporary variables used to reduce the number of XOR operations from 240 XORs to 186 XORs. Then,

#### Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

#### Acknowledgments

Sedat Akleylek is partially supported by OMÜ under the Grant no. PYO.MUH.1904.12.014. The authors thank the anonymous referees for their detailed and very helpful comments and for bringing reference [26] to our attention. The authors also thank Orhun Kara for his valuable comments on the discussion of Remark 7.

#### References

- C. E. Shannon, “Communication theory of secrecy systems,”
*The Bell System Technical Journal*, vol. 28, pp. 656–715, 1949. View at Publisher · View at Google Scholar · View at Zentralblatt MATH · View at MathSciNet - O. Karaahmetoğlu, M. T. Sakallı, E. Buluş, and I. Tutănescu, “A new method to determine algebraic expression of power mapping based S-boxes,”
*Information Processing Letters*, vol. 113, no. 7, pp. 229–235, 2013. View at Publisher · View at Google Scholar · View at MathSciNet - A. M. Youssef and S. E. Tavares, “Affine equivalence in the AES round function,”
*Discrete Applied Mathematics*, vol. 148, no. 2, pp. 161–170, 2005. View at Publisher · View at Google Scholar · View at MathSciNet · View at Scopus - D. Kwon, S. H. Sung, J. H. Song, and S. Park, “Design of block ciphers and coding theory,”
*Trends in Mathematics*, vol. 8, no. 1, pp. 13–20, 2005. View at Google Scholar - M. R. Z'aba,
*Analysis of linear relationships in block ciphers [Ph.D. thesis]*, Queensland University of Technology, Brisbane, Australia, 2010. - J. Daemen and V. Rijmen,
*The Design of Rijndael: AES-The Advanced Encryption Standard*, Springer, Berlin, Germany, 2002. View at Publisher · View at Google Scholar · View at MathSciNet - FIPS 197,
*Advanced Encryption Standard*, US National Institute of Standards and Technology, 2001. - P. S. L. M. Barreto and V. Rijmen, “The Khazad legacy-level block cipher,” in
*Proceedings of the 1st Open NESSIE Workshop*, 2000. - K. Aoki, T. Ichikawa, M. Kanda et al., “Camellia: a 128-bit block cipher suitable for multiple platforms—design and analysis,” in
*Proceedings of the 7th Annual International Workshop on Selected Areas in Cryptography (SAC '00)*, vol. 2012 of*Lecture Notes in Computer Science*, pp. 39–56, 2000. - D. Kwon, J. Kim, S. Park et al., “New block cipher: ARIA,” in
*Information Security and Cryptology—ICISC 2003*, vol. 2971 of*Lecture Notes in Computer Science*, pp. 432–445, Springer, Berlin, Germany, 2004. View at Google Scholar - J. Nakahara Jr. and É. Abrahão, “A new involutory MDS matrix for the AES,”
*International Journal of Network Security*, vol. 9, no. 2, pp. 109–116, 2009. View at Google Scholar · View at Scopus - B. Aslan and M. T. Sakallı, “Algebraic construction of cryptographically good binary linear transformations,”
*Security and Communication Networks*, vol. 7, no. 1, pp. 53–63, 2014. View at Google Scholar - M. T. Sakallı and B. Aslan, “On the algebraic construction of cryptographically good $32\times 32$ binary linear transformations,”
*Journal of Computational and Applied Mathematics*, vol. 259, pp. 485–494, 2014. View at Publisher · View at Google Scholar · View at MathSciNet · View at Scopus - R. Beaulieu, D. Shors, J. Smith, S. Treatman-Clark, B. Weeks, and L. Wingers, “The simon and speck families of lightweight block ciphers,”
*Cryptology ePrint Archive, Report*2013/404, 2013. View at Google Scholar - H. Yap, K. Khoo, A. Poschmann, and M. Henricksen, “EPCBC—a block cipher suitable for electronic product code encryption,” in
*Cryptology and Network Security: Proceedings of the 10th International Conference, CANS 2011, Sanya, China, December 10–12, 2011*, vol. 7092 of*Lecture Notes in Computer Science*, pp. 76–97, Springer, Berlin, Germany, 2011. View at Publisher · View at Google Scholar - F. Karakoc, H. Demirci, and A. E. Harmanci, “ITUbee: a software oriented lightweight block cipher,” in
*Lightweight Cryptography for Security and Privacy: 2nd International Workshop, LightSec 2013, Gebze, Turkey, May 6-7, 2013, Revised Selected Papers*, vol. 8162, pp. 16–27, Springer, Berlin, Germany, 2013. View at Publisher · View at Google Scholar - F. X. Standaert, G. Piret, N. Gershenfeld, and J.-J. Quisquater, “SEA: a scalable encryption algorithm for small embedded applications,” in
*Smart Card Research and Advanced Applications*, vol. 3928 of*Lecture Notes in Computer Science*, pp. 222–236, Springer, Berlin, Germany, 2006. View at Publisher · View at Google Scholar - R. J. McEliece,
*Finite Fields for Computer Scientists and Engineers*, Kluwer Academic Publishers, Dordrecht, The Netherlands, 1987. View at Publisher · View at Google Scholar · View at MathSciNet - R. Lidl and H. Niederreiter,
*Finite Fields (Encyclopedia of Mathematics and its Applications)*, Addison-Wesley, Reading, Mass, USA, 1983. View at MathSciNet - N. T. Courtois, G. V. Bard, and D. Wagner, “Algebraic and slide attacks on KeeLoq,” in
*Fast Software Encryption*, vol. 5086 of*Lecture Notes in Computer Science*, pp. 97–115, Springer, Berlin, Germany, 2008. View at Publisher · View at Google Scholar - S. Vaudenay, “Related-key attack against triple encryption based on fixed points,” in
*Proceedings of the International Conference on Security and Cryptography (SECRYPT '11)*, pp. 59–67, July 2011. View at Scopus - A. Bay, A. Mashatan, and S. Vaudenay, “A related-key attack against multiple encryption based on fixed points,” in
*E-Business and Telecommunications: International Joint Conference, ICETE 2011, Seville, Spain, July 18–21, 2011, Revised Selected Papers*, vol. 314 of*Communications in Computer and Information Science*, pp. 264–280, Springer, Berlin, Germany, 2012. View at Publisher · View at Google Scholar - I. Dinur, O. Dunkelmann, and A. Shamir, “Improved attacks on full GOST,” in
*Fast Software Encryption: 19th International Workshop, FSE 2012, Washington, DC, USA, March 19–21, 2012. Revised Selected Papers*, vol. 7549 of*Lecture Notes in Computer Science*, pp. 9–28, Springer, Berlin, Germany, 2012. View at Publisher · View at Google Scholar - W. Bosma, J. Cannon, and C. Playoust, “The Magma algebra system I: the user language,”
*Journal of Symbolic Computation*, vol. 24, no. 3-4, pp. 235–265, 1997. View at Publisher · View at Google Scholar · View at MathSciNet · View at Scopus - B. W. Koo, H. S. Jang, and J. H. Song, “On constructing of a 32×32 binary matrix as a diffusion layer for a 256-bit block cipher,” in
*Information Security and Cryptology—ICISC 2006*, vol. 4296 of*Lecture Notes in Computer Science*, pp. 51–64, Springer, Berlin, Germany, 2006. View at Google Scholar - S. Hong, S. Lee, J. Lim, J. Sung, D. Cheon, and I. Cho, “Provable security against differential and linear cryptanalysis for the SPN structure,” in
*Fast Software Encryption*, vol. 1978 of*Lecture Notes in Computer Science*, pp. 273–283, Springer, Berlin, Germany, 2001. View at Publisher · View at Google Scholar - M.-J. O. Saarinen, “Cryptographic analysis of all $4\times 4$-bit S-boxes,” in
*Selected Areas in Cryptography*, vol. 7118 of*Lecture Notes in Computer Science*, pp. 118–133, Springer, Berlin, Germany, 2012. View at Publisher · View at Google Scholar