Building the dynamic diffusion layer for SPN block ciphers based on direct exponent and scalar multiplication

Maximum Distance Separable (MDS) matrices have been applied not only in coding theory but also in the design of block ciphers and hash functions. In this paper, we propose algorithms for building a dynamic diffusion layer for SPN block ciphers based on the direct exponent and scalar multiplication. The proposed dynamic algorithms contribute to improving the security of SPN block ciphers against strong attacks on block ciphers such as linear and differential attacks.


INTRODUCTION
In cryptography, confusion and diffusion are two indispensable properties of a secure cipher. The simplest way to achieve these properties is a substitution-permutation network. This network takes as input a plaintext block and a secret key and applies many transformation "rounds" or "layers" of substitution boxes (S-boxes) and permutation boxes (P-boxes) to create a ciphertext block.
MDS matrices play a very important role in block cipher design, especially in substitution-permutation networks (SPN). Therefore, they have been used in many ciphers today. To improve the security of block ciphers, there are several methods for making these ciphers dynamic, such as making the substitution layer dynamic, the diffusion layer dynamic, or both.
Several works in the literature make the diffusion layer dynamic. In [3] and [8], the authors generated key-dependent MDS matrices for each round of encryption to build a key-dependent diffusion layer. In [3], permutation and scalar multiplication [1] of the rows of the matrix are used, where scalar multiplication and permutation are generated from a secret key and a random bit generator function. In [8] dynamic MDS matrices are also generated using scalar multiplication [1] for each round, where a secret key and a random bit generator are generated by the scalar multiplication. In [9], a dynamic block cipher was proposed. This cipher is made dynamic at both the substitution and permutation layers by a bank of substitution boxes and key-dependent MDS matrices.
In addition, there are some other methods for a block cipher with a dynamic diffusion layer in the literature. In [19], the authors proposed a dynamic block cipher with a variable size block encryption algorithm using a dynamic-key mechanism. This cipher was designed with an unlimited size of the key, a dynamic key-dependent permutation and a changing size of the encryption block in each round. In [22], a dynamic SPN block cipher was proposed based on AES (denoted DRAES). In it, a rotation transform is made dynamic: the rotation amount depends on the data (plaintext and ciphertext) in AddRoundKey and on the key in the key extension of AES. In [24], the AES block cipher was made dynamic at the diffusion layer. In particular, instead of using a static MixColumn transformation, the approach is to use a dynamic MixColumn transformation based on key-dependent DNA structures and processes. In [30], the authors proposed two methods of increasing the security of AES block ciphers: using the dynamic MixColumns transformation which uses a dynamic MDS matrix by a 3D chaos mapping.
In this paper, we propose algorithms to build a dynamic diffusion layer for SPN block ciphers based on the direct exponent and scalar multiplication. These transformations are capable of preserving the good cryptographic properties of the MDS matrix when made dynamically [4,6,7]. In [3,8], the authors also used these transformations but the algorithms in [3,8] are either quite complex or do not mention the problem of preserving the good cryptographic properties of the MDS matrix when made dynamically. Therefore, our proposed dynamic algorithms will contribute to improving the security of the SPN block cipher against strong attacks on the block ciphers such as the linear attack and differential attack.
The paper is organized as follows. In Section 2, preliminaries and related works are introduced. Section 3 presents algorithms for building a dynamic diffusion layer for SPN block ciphers based on the direct exponent and scalar multiplication. Section 4 includes some security analysis for dynamic SPN block ciphers after applying the above algorithms. Section 5 concludes the paper.

C. MDS matrix
The MDS matrices provide the property of perfect diffusion so they have useful applications in block ciphers and hash functions. MDS matrices come from coding theory with maximal distance separable codes. In coding theory, there are the following important theorems about MDS matrices:
The definition of a direct exponent of an MDS matrix was introduced by Ghulam Murtaza and Nassar Ikram [1]. The authors gave the direct exponent definition, as follows:
In [4], we showed that the direct exponent transformation is capable of preserving many of the good cryptographic properties of the MDS matrix, such as MDS, Involutory, Symmetric, Recursive, the number of 1's and distinct elements in the matrix, Circulant and circulant-like.
In [5], the cycle ( ) of the direct exponent of an MDS matrix was shown.
In [6], we also showed that the direct exponent is also able to preserve the number of fixed points and coefficient of fixed points [11] of the MDS matrix.
In [7], we expand the definition of scalar multiplication given by the authors in [1]. Let We showed that the scalar multiplication is capable of preserving the involutory property of MDS matrices.
In [7], we also showed the cycle of scalar multiplication.

III. PROPOSING ALGORITHMS TO BUILD DYNAMIC DIFFUSION LAYERS FOR BLOCK CIPHER
Suppose that it is necessary to build a dynamic diffusion layer for an SPN block cipher consisting of rounds. Assume that the encryption key is of length bits where must be large enough that a brute-force attack on the key cannot be performed; for example, the encryption key in AES has lengths of 128, 192, or 256 bits.
Here, two transformations are used: direct exponent (denoted by ) or scalar multiplication (denoted by ).
Dynamic MDS matrices that are dependent on a given secret key of length ( ≥ 128) are created. Assume that the SPN block cipher is performed over the field (2 ). Two following dynamic algorithms for building the dynamic diffusion layer of the SPN block cipher are proposed.

A. Dynamic algorithm 1: each secret key generates only one new MDS matrix used for every round

Description
Algorithm idea: In this dynamic algorithm, assume that there is a given MDS matrix and a secret key , MDS matrix transformations are used to generate a new MDS matrix from the original matrix and depend on that secret key. This new key-dependent MDS matrix will be used in the diffusion layer for every round of the encryption process. In this algorithm, the first key bit of the key is used to determine which matrix transformation is used (in practice, it is possible to increase the key by one bit at the beginning so as not to affect the key bits used for encryption/decryption process).
For the direct exponent and the MDS matrix , it is possible to find a cycle (1 < ≤ ) of direct 2 (0 ≤ ≤ − 1) exponent of this matrix. Of course, one should choose a matrix that has the cycle = (maximum) and has good cryptographic properties (see Theorem 3).

Algorithm 1.
INPUT: A secret key , An MDS matrix of size over (2 ).
OUTPUT: An MDS matrix generated from and . The matrix will be used in the diffusion layer for every round of the encryption process.
Detailed steps are as follows:
Step 1: Take the first bit of the key to determine which matrix transformation is used in this algorithm:
If it is 0, then choose the transformation as .
If it is 1, then choose the transformation as .
Step 2: If the result of step 1 is then execute:
+ Step 2.1. Get the next bits of (and is the corresponding number), where is the bit length in the binary representation of . Take = .
+ Step 2.2. Find the direct 2 exponent matrix of the original matrix, obtain = 2 .
If the result of step 1 is then execute:
3. Take consecutively non-zero bit segments (each has bits) of the key (i.e., if there is a segment where its bits are all zero, right rotate by one bit until you get the segment where its bits are not concurrently zero). Take such segments. Convert those -bit segments to a non-zero element ∈ (2 ), 0 ≤ ≤ − 1.
The result of the algorithm: is the matrix , this matrix will be used for the diffusion layer in every round of the encryption process. This matrix preserves some good properties of the original matrix (depending on the transformation that is used).
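An added sketch (not the paper's code) of the two transformations Algorithm 1 relies on, with a check that the key-dependent result is still MDS. Assumptions, since the formulas are missing from this page: the field is GF(2^8) with the AES polynomial, the public base matrix is AES MixColumns, the direct 2^e exponent raises every entry to the power 2^e, scalar multiplication scales each row by a non-zero element, key bit 0 selects the direct exponent, and all-zero segments are skipped instead of rotating the key; all function names are illustrative.

```python
from itertools import combinations

AES_POLY = 0x11B  # assumed field GF(2^8): x^8 + x^4 + x^3 + x + 1
MIXCOLUMNS = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]  # assumed base

def gmul(a, b):
    """Multiply two elements of GF(2^8) (shift-and-add with reduction)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r

def det(m):
    """Laplace expansion; in characteristic 2 the cofactor signs vanish."""
    if len(m) == 1:
        return m[0][0]
    d = 0
    for j, x in enumerate(m[0]):
        d ^= gmul(x, det([row[:j] + row[j + 1:] for row in m[1:]]))
    return d

def is_mds(m):
    """A square matrix is MDS iff every square submatrix is non-singular."""
    idx = range(len(m))
    return all(det([[m[i][j] for j in cols] for i in rows])
               for k in range(1, len(m) + 1)
               for rows in combinations(idx, k) for cols in combinations(idx, k))

def direct_exponent(m, e):
    """Assumed definition: raise every entry to the power 2^e (e squarings)."""
    for _ in range(e):
        m = [[gmul(x, x) for x in row] for row in m]
    return m

def scale_rows(m, scalars):
    """Assumed definition: multiply row i by the field element scalars[i]."""
    return [[gmul(s, x) for x in row] for s, row in zip(scalars, m)]

def exponent_cycle(m):
    """Smallest e >= 1 for which the direct 2^e exponent gives m back."""
    e = 1
    while direct_exponent(m, e) != m:
        e += 1
    return e

def derive_matrix(key_bits, base=MIXCOLUMNS):
    """Key-dependent matrix from a bit string, loosely following Algorithm 1."""
    if key_bits[0] == "0":  # assumed mapping: 0 selects the direct exponent
        c = exponent_cycle(base)
        return direct_exponent(base, int(key_bits[1:1 + c.bit_length()], 2) % c)
    segs = [int(key_bits[i:i + 8], 2) for i in range(1, len(key_bits) - 7, 8)]
    scalars = [s for s in segs if s][:len(base)]  # simplification: skip zero segments
    if len(scalars) < len(base):
        raise ValueError("key has too few non-zero segments")
    return scale_rows(base, scalars)
```

A zero scalar turns a whole row into zeros, so the result stops being MDS; this is why the algorithm insists on non-zero segments, and why `is_mds` is worth running on every derived matrix before it is used.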

Encryption and decryption process
Both communicating parties keep the following information public and secret, respectively:
Public: The encryption/decryption algorithm, the original MDS matrix (of size ), and the dynamic algorithm 1 (Algorithm 1).
Secret: The secret key .
Before implementing the encryption/decryption for any message, both parties must perform Algorithm 1 with the secret key and the original MDS matrix to create the dynamic MDS matrix . In addition, they need to calculate the inverse matrix of to serve the decryption process (unless is involutory).
After that, the two participants could start the communication. They will encrypt messages using the SPN algorithm with the matrix used in the diffusion layer for every round of the encryption process. The decryption process is done with the inverse matrix of .
Later when the parties want to change the secret key with another key, they must perform Algorithm 1 again to create a new MDS matrix depending on the new key.

B. Dynamic algorithm 2: each secret key generates two new MDS matrices used alternating in rounds

Description
Algorithm idea: In this dynamic algorithm, assume that there are two given MDS matrices , and a secret key , MDS matrix transformations are used to generate two new MDS matrices from the original matrix and depend on that secret key. MDS matrix transformations can be or . Two new MDS matrices dependent on the secret key will be used alternating in the diffusion layer for every round in the encryption process. In this algorithm, the first two key bits of the key are used to determine which matrix transformation is used (in practice, it is possible to increase the key by two bits at the beginning so as not to affect the key bits used for encryption/decryption process).
OUTPUT: Two MDS matrices , generated from , and . The two matrices , will be used alternating in the diffusion layer for every round in the encryption process.
Detailed steps are as follows:
Step 1: Take the first two bits of the key to determine which matrix transformation is used in this algorithm:
If they are 10, then choose the transformation as .
If they are 01, then choose the transformation as .
If they are 00 or 11, then choose both and .
Step 2: If the result of step 1 is then execute:
+ Step 2.1. Get the next bits of (and is the corresponding number), where is the bit length in the binary representation of . Take 1 = . Get last bits of (and ′ is the corresponding number) and determine 2 = ′ .
+ Step 2.2. Find the direct 2 1 exponent matrix of the original matrix, obtain = 2 1 , and the direct 2 2 exponent matrix of the original matrix, obtain = 2 2 .
If the result of step 1 is then execute:
+ Step 2.3. Take the next bits nonconcurrently equal to 0 of and switch the bits to element 1 ∈ (2 ). So 1 ≠ 0 ∈ (2 ). If the above bits are all equal to 0, then right rotate by 1 bit of until obtain r bits for 1 ≠ 0. Take the last bits of and switch these bits to element 2 ∈ (2 ). If 2 = 0 ∈ (2 ), then left rotate by 1 bit until obtain element 2 ≠ 0 ∈ (2 ).
Then convert this string to an integer, denoted by , taking = , so 0 ≤ ≤ − 1. Get the next bits (by the right-to-left direction) at the end of the bit sequence (after step 2.3). Then convert this string to an integer, denoted by ′ , taking = ′ , thus 0 ≤ ≤ − 1. We specify that the rows and columns of the matrix , will be numbered from 0 to − 1.
+ Step 2.6. Multiplying all elements of row of by element 1 , and all elements of column of by element 1 over field (2 ), we obtain a new matrix, denoted by . Next, multiplying all row elements of by element 2 , and all elements of column of by element 2 over field (2 ), we obtain a new matrix, denoted by .
If the result of step 1 is both and then (apply to and to ):
+ Step 2.7. Take the next bits of (and is the corresponding number), where is the bit length in the binary representation of . Take = . Take the last bits of and convert this string of bits to the element ∈ (2 ). If = 0 ∈ (2 ) then left rotate 1 bit until obtain element ≠ 0 ∈ (2 ).
+ Step 2.8. Find the direct 2 exponent matrix of the original matrix , yielding = 2 . Find the element = −1 ∈ (2 ).
+ Step 2.9. Take the next bits at the beginning of (after step 2.7), where is the bit length in the binary representation of . Then convert this string to an integer, denoted by , taking = , so 0 ≤ ≤ − 1.
The results of the algorithm: are two matrices , . The two matrices will be used alternating in the diffusion layer for every round in the encryption process. For example, matrix is used in odd rounds such as 1, 3, 5, ...; matrix will be used in even rounds like 2, 4, 6, …
Note. In Algorithm 2, if we want the transformation to have the largest cycle as possible (≤ 255) by the key , then in step 2.7, we need to traverse by the secret key . For each , element = −1 ∈ (2 ) will be calculated, as well ( ), ( ). Then, in order to make the cycle of as large as possible by the key , we will choose by the key such that ( ) or ( ) is the largest among the elements found from . In fact, in step 2.10, we use two vectors: is a vector with only the -th component equal to , the rest is all equal to 1; is a vector with only the -th component equal to , the rest is all equal to 1.

Encryption and decryption process
Both communicating parties keep the following information public and secret, respectively:
Public: The encryption/decryption algorithm, the two original MDS matrices , (of size ), and the dynamic algorithm 2 (Algorithm 2).
Secret: The secret key .
Before implementing the encryption/decryption for any message, both parties must perform Algorithm 2 with the secret key and the original MDS matrices to create two dynamic MDS matrices , . In addition, they need to calculate two inverse matrices of and to serve the decryption process.
After that, the two participants could start the communication. They will encrypt messages using the SPN algorithm with the two matrices and used alternating in the diffusion layer for every round in the encryption process. The decryption process is done with the inverse matrices of and .
Later when the parties want to change the secret key with another key, they must perform Algorithm 2 again to create a new MDS matrix depending on the new key.

ALGORITHMS
We analyze the ability of SPN block ciphers after using the above dynamic algorithms against strong attacks on block ciphers such as differential and linear attacks.
Linear attack [12,14] is a known-plaintext attack that requires a large number of plaintext/ciphertext pairs encrypted under the unknown key that is to be found. Differential attack [12,13] is a chosen-ciphertext attack based on collecting ciphertexts created from given plaintexts. Both of these attacks rely on knowing each element in the structure of the block cipher. When matrix transformations are used to make the diffusion layer dynamic, cryptanalysts lose information about the diffusion layer of the block cipher, and the complexity of cryptanalysis increases. Thus, linear and differential attacks become much more difficult because of the dynamic MDS matrices.
More specifically, for the proposed algorithms, although the original MDS matrices are public, cryptanalysts do not know which matrix will be used for every round (for Algorithm 1) and do not know which matrices are used in which round of the encryption/decryption process (for Algorithm 2). Moreover, they do not know which algorithm is in use. The reason is that these algorithms and matrices are chosen depending on the secret key, which is not known to cryptanalysts.
On the other hand, since the matrix transformations preserve some MDS properties, we always have the matrices or , as MDS ones. This makes adversaries who can know or , , still face the largest branch number.
Suppose that the cryptanalysts found a lot of plaintext/ciphertext pairs to serve their attack. To predict the MDS matrices used in the rounds, they must rely on unknown keys or they must exhaustively search for the possible MDS matrices. Thus, with the obtained data, they will try with each of these MDS matrices for cryptanalysis. The result is that the computation complexity increases significantly (under the exhaustive method). Specifically: Computation complexity for cryptanalysis of dynamic block cipher = (Computation complexity for cryptanalysis of static block cipher) × (the number of possible dynamic MDS matrices).
Furthermore, according to Shannon [15], the solution's unique interval of a cryptosystem is defined as the minimum number of ciphertext characters on which the cryptanalysts can uniquely find the secret key. In practice, the designers want the solution unique interval to be as large as possible to increase the security of the block cipher. The solution unique interval is defined by: Thus, the larger the key space, the larger the solution unique interval.
For block ciphers that are made dynamically at the diffusion layer, since the diffusion layer or dynamic MDS matrices are hidden, there are two secret parameters: first is the secret key, and the other is the dynamic MDS matrices. Thus, it is clear that the dynamic cases increase the key space thanks to the dynamic MDS matrices, and thus increase the security of the block cipher significantly.
For the two proposed algorithms, it can be seen that: Algorithm 1 is simpler than Algorithm 2, but in terms of security, Algorithm 2 has higher security than Algorithm 1, because in Algorithm 2 we use two MDS matrices instead of one matrix as in Algorithm 1. Moreover, these two matrices are used alternately through rounds, so the cryptanalysts have to find out one more thing to see which matrix is used in which round. Of course, the cryptanalysts do not have any basis for predicting this information. The ability to apply the above algorithms will depend on the real needs of users.
It can be seen that, with dynamic MDS matrices, the diffusion layer in block cipher becomes much more unpredictable, thus increasing the strength of the block cipher. Table 1 provides a comparison between the proposed dynamic methods for the SPN block ciphers (Algorithm 1, Algorithm 2) with the dynamic methods proposed in [3] and [8].

In this paper, we propose algorithms to build a dynamic diffusion layer for SPN block ciphers based on the direct exponent and scalar multiplication transformation. These transformations are capable of preserving the good cryptographic properties of the MDS matrix when made dynamically. Therefore, the proposed dynamic algorithms contribute to improving the security of the SPN block ciphers against strong attacks on the block cipher such as a linear attack and differential attack.