A New BISON-like Construction Block Cipher: DBISON

Abstract

At EUROCRYPT 2019, a new block cipher algorithm called BISON was proposed by Canteaut et al. which uses a novel structure named as Whitened Swap-Or-Not (WSN). Unlike the traditional wide trail strategy, the differential and linear properties of this algorithm can be easily determined. However, the encryption speed of the BISON algorithm is quite low due to a large number of iterative rounds needed to ensure certain security margins. Commonly, denoting by n is the data block length, this design requires 3n encryption rounds. Moreover, the block size n of BISON is always odd, which is not convenient for operations performed on a byte level. In order to overcome these issues, we propose a new block cipher, named DBISON, which more efficiently employs the ideas of double layers typical to the BISON-like construction. More precisely, DBISON divides the input into two parts of size n/2 bits and performs the round computations in parallel, which leads to an increased encryption speed. In particular, the data block length n of DBISON can be even, which gives certain additional implementation benefits over BISON. Furthermore, the resistance of DBISON against differential and linear attacks is also investigated. It is shown the maximal differential probability (MDP) is 1/2^n-1 for n encryption rounds and that the maximal linear probability (MLP) is strictly less than 1/2^n-1 when (n/2+3) iterative encryption rounds are used. These estimates are very close to the ideal values when n is close to 256.

1. Introduction

Block ciphers play an important role in the area of data storage and secure transmission in an open internet environment. During the past three decades, block ciphers have received a lot of attention from academic and industrial community.

Generally, security and implementation efficiency can be considered as the most crucial aspects in the design of block ciphers. To achieve sufficient security margins, block ciphers commonly employ multiple encryption rounds for the purpose of achieving a satisfactory level of diffusion and confusion [1]. On the other hand, the internal structure of a block cipher is also importance since it directly affects the implementation cost and performance in both hardware and software. Currently, the most prominent block ciphers employ diverse structures such as Feistel [2, 3], SPN [4], MISTY [5] and Lai-Massey [6], among others. A very common approach is to implement a block cipher as a substitution permutation network (SPN), which was extensively used in many prominent block ciphers, including AES [4, 7] whose design additionally embeds the concept of wide trail strategy[8]. One important issue with this design rationale regards the problem of determining the differential or linear properties of a given cipher, which is considered to be quite a difficult task. More specifically, in order to ensure good resistance against differential and linear cryptanalysis, the so-called branch number of diffusion (linear) layer and the cryptographic properties of the S-boxes (used in the substitution layer) have to be taken into account [9, 10]. Due to the iterative structure of block ciphers and an exponential growth of possible differential/linear patterns, the exact security estimates are not easy to specify. An alternative design rationale of constructing block ciphers that achieve an optimal security level (under the ideal model assumption) was introduced in [11]. This method uses the so-called Whitened Swap-Or-Not (WSN) construction, which itself is based on the Swap-or-Not method introduced in [12] and applicable in the settings when the internal functions are kept secret. Furthermore, instead of the need for a set of random Boolean functions for the Swap-or-Not method, the WSN approach [11] requires only two public random n-variable Boolean functions to achieve full security. Actually, there are very few known instances of WSN and an encryption algorithm based on this approach was specified in [12] but later broken by Vaudenay [13]. Another example of using the WSN method is the BISON block cipher, which was proposed by Canteaut et al. at EUROCRYPT 2019 [14]. The design of BISON implements XOR-ing of the round keys by using a quadratic bent function. Additionally, BISON seems to be resistant against differential cryptanalysis [15], linear cryptanalysis [16], and algebraic cryptanalysis [17] provided that the number of rounds is approximately 3n, where n is the data block length and n is odd. In particular, the MDP value of BISON can be easily evaluated without the exact details about its components, which is completely different to the wide trail strategy.

Consequently, the encryption speed of BISON is quite low due to a large number of rounds used and a large n-bit input size. For instance, assuming that n=127 implies that there are 381 rounds and additionally one needs to implement a large 126-bit nonlinear function which is quite demanding. To overcome these issues, we propose a new block cipher that borrows the design ideas from BISON, named DBISON. More specifically, the length of data block of DBISON is even and therefore the input x can be divided into two halves x_L and x_R which are then processed in parallel using a similar structure as in Feistel networks. The details of round operations are given in Fig. 1 and, additionally, the used parameters are described in Definition 4. Notice that, to complete the round operation, the left and right branch are swapped but in the final round the swap operation is not performed.

Fig. 1. The round function of DBISON

It will be shown that DBISON is resistant against both differential and linear cryptanalysis when the number of rounds r reaches n. More specifically, we show that the MDP value equals 1/2^n-1 when n encryption rounds are used, whereas the MLP is strictly less than 1/2^n-1 if at least (n/2+3) encryption rounds are applied. It is worth mentioning that the MDP can almost reach the ideal value 1/2ⁿ if the size of data block n is close to 256. A comparison between BISON and DBISON is given in Table 1. However, to ensure that the algebraic degree of DBISON attains its maximal value n, the number of rounds is approximately 3n. DBISON offers a significant advantage over BISON in terms of encryption/decryption speed since the input size is divided into two halves (each having n/2 bits) which are processed in parallel.

Table 1. Comparison of BISON and DBISON

The rest of this paper are organized as follows. In Section 2, the DBISON block cipher is fully described. In Section 3, the differential cryptanalysis against DBISON is examined and the estimates of its MDP are provided. In Section 4, the resistance of DBISON against linear cryptanalysis is analyzed and the bounds on its MLP are derived. In Section 5, certain specific instances of DBISON are specified. Some concluding remarks can be found in Section 6.

2. Preliminaries

Definition 1^[18] Let F be a function from F₂ⁿ into F₂ⁿ. For any u, v ∈ F₂ⁿ, define \(\begin{aligned}W_{F}(u, v)=\sum_{x \in F_{2}^{n}}(-1)^{u \bullet x \oplus v \bullet F(x)}\end{aligned}\), where • denotes the inner product in F₂ⁿ, that is u•x = u₁x₁ ⊕ u₂x₂ ⊕ ... ⊕ u_nx_n. The multiset {W_F (u,v) | u, v∈ F₂ⁿ} is called the Walsh spectrum of F.

Definition 2^[19] The r -round differential characteristic of an iterative block cipher is denoted as Ω = (δ₀,δ₁, ...,δ_r). Assuming that the round keys k₁,k₂,...,k_r are independent and uniform, the differential characteristic probability DP(Ω) is defined as \(\begin{aligned}\mathrm{DP}(\Omega)=\prod_{i=1}^{r} \mathrm{DP}\left(\delta_{i-1}, \delta_{i}\right)\end{aligned}\), i.e. it is the probability that the difference between input pair is δ₀ and the difference between intermediate state (y_i,y_i^*) is δ_i, 1 ≤ i ≤ r.

Definition 3^[19] The r -round linear characteristic of an iterative block cipher is denoted as θ = (θ₀,θ₁,...,θ_r). Assuming that the round keys k₁,k₂,...,k_r are independent and uniform, the linear characteristic probability LP(θ) is defined by \(\begin{aligned}\operatorname{LP}(\theta)=\prod_{i=1}^{r} \operatorname{LP}\left(\theta_{i-1}, \theta_{i}\right)\end{aligned}\), i.e. the probability that the input mask is θ₀ and the mask of an intermediate state y_i is θ_i, 1 ≤ i ≤ r.

For the input and output difference (α,β), it is a difficult task to compute the MDP of (α,β), even for a small number of rounds. However, computing the MDP of an r-round differential characteristic Ω = (δ₀,δ₁,...,δ_r) is an easier task, and the MDP of Ω also reflects the ability of the cipher to resist differential cryptanalysis. A similar reasoning applies when the MLP values is considered, thus having an initial mask (a,b) and an r-round linear trail θ = (θ₀,θ₁,...,θ_r). We will investigate in detail the properties of DBISON in this context, hence its resistance against differential and linear cryptanalysis by providing the estimates on MDP and MLP using Ω and θ, respectively.

Definition 4 Let the data block length of DBISON be n = 4m + 2, where m is a positive integer. The input x of any encryption round is divided into the left half and right half, i.e. x = (x_L,x_R). The i-th round function F_ki,wi (x): F₂ⁿ→ F₂ⁿ is defined as

F_ki,wi (x) = (x_L ⊕ x_R ⊕ f_iR (w_iR ⊕ Φ_kiR (x_L ⊕ x_R))k_iR, x_L ⊕ f_iL (w_iL ⊕ Φ_kiL (x_L))k_iL),        (1)

where k_i = (k_iL,k_iR), w_i = (w_iL,w_iR) are round keys ( w_i is the whitened key), and f_iL and f_iR are bent functions with n/2-1 variables. Moreover, Φ_kiL, Φ_kiR : F₂^n/2 → F₂^n/2-1 are linear functions and ker Φ_kiL = {0, k_iL}, ker Φ_kiR = {0, k_iR}, where k_iL and k_iR are generated by two LFSRs so that k_iL ≠ 0 and k_iR ≠ 0, respectively.

Remark 1 The analysis in this work follows two basic assumptions of symmetric cryptanalysis, i.e. the whitened keys are linearly independent, and the round keys satisfy the so-called random equivalence hypothesis.

3. Differential cryptanalysis of DBISON block cipher

The derivative of a function f in direction α is defined as D_αf(x) = f(x)⊕f(x⊕α). A successful application of differential cryptanalysis against block ciphers heavily relies on the differential properties of its substitution layer. The round function F of a block cipher with n -bit input and output can be viewed as a vectorial Boolean function F : F₂ⁿ → F₂ⁿ. The behavior of the derivatives of F are described by the Differential Distribution Table (DDT) of F, whose entries are

DDT_F[α,β] = |{x ∈ F₂ⁿ | F(x)⊕F(x⊕α) = β}|,

where α ∈ F₂ⁿ is referred to as the input difference and β ∈ F₂ⁿ as the output difference.

In this context, we are primarily interested in the DDT of the round function F_ki,wi (x), which can be calculated explicitly using Theorem 1 below.

Theorem 1 Using (1), the round function of DBISON can be rewritten as

F(x) = (x_L ⊕ x_R ⊕ f_R (w_R ⊕ Φ_kR (x_L ⊕ x_R))k_R, x_L ⊕ f_L (w_L ⊕ Φ_kL (x_L))k_L).       (2)

Then DDT_F[α,β] can be specified as follows:

1) DDT_F[α,β] = 2ⁿ if β = (α_L ⊕ α_R,α_L) and α ∈ {0, (0,k_R), (k_L,k_L), (k_L,k_L ⊕ k_R)}.

2) DDT_F[α,β] = 2^n-1 if β = (α_L ⊕ α_R,α_L) and (α_L⊕ α_R,α_L) ∈ {(0,α_L), (k_R,α_L)_, (α_L ⊕ α_R,0), (α_L ⊕ α_R,k_L) | α_L ∉ {0,k_L}, α_L ⊕ α_R ∉ {0,k_R}}, or β = (α_L ⊕ α_R,α_L) ⊕ (0,k_L), α_L ⊕ α_R ∈ {0,k_R} and α_L ∉ {0,k_L}, or β = {α_L ⊕ α_R,α_L) ⊕ (k_R,0), α_L ⊕ α_R ∉ {0,k_R} and α_L ∈ {0,k_L}.

3) DDT_F[α,β] = 2^n-2 if β = (α_L ⊕ α_R,α_L) ⊕ γ, γ ∈ {0, (0,k_L), (k_R,0), (k_R,k_L)} and α_L ⊕ α_R ∉ {0,k_R}, α_L ∉ {0,k_L}.

4) Otherwise, DDT_F[α,β] = 0.

Proof Using the definitions of DDT and F(x), DDT_F[α,β] can be deduced as:

DDT_F[α,β] = |{x ∈ F₂ⁿ|(D_{ΦkR (αL ⊕ αR)} f_R(w_R ⊕ Φ_kR (x_L ⊕ x_R))k_R, D_{ΦkL (αL)} f_L(w_L ⊕ Φ_kL (x_L))k_L) = (α_L ⊕ α_R,α_L) ⊕ β}|.       (3)

Clearly, DDT_F[α,β] = 0 if (α_L ⊕ α_R,α_L) ⊕ β ∉ {0, (0,k_L), (k_R,0), (k_R,k_L)}:=K^*.

In the following, we split our analysis of (α_L ⊕ α_R,α_L)⊕ β into four cases.

Case 1. β = (α_L ⊕ α_R,α_L).

By (3) and k_L ≠ 0, k_R ≠ 0, it can be deduced that

DDT_F[α,β] = |{x ∈ F₂ⁿ|D_{ΦkR (αL ⊕ αR)} f_R(w_R ⊕ Φ_kR (x_L ⊕ x_R)) = 0 and D_{ΦkL (αL)} f_L(w_L ⊕ Φ_kL (x_L)) = 0}|.

① Φ_kR (α_L ⊕ α_R) ≠ 0 and Φ_kL (α_L) ≠0. Denote w_L ⊕ Φ_kL (x_L) by x′_L.

Since f_L is a bent function, thus |{x′_L ∈ F₂^n/2-1|D_{ΦkL (αL)} f_L(x′_L)=0}|=2^n/2-2. Furthermore, Φ_kL is a linear function from F₂^n/2 to F₂^n/2-1 and ker Φ_kL = {0, k_L}, and therefore |A_L|:=|{x_L ∈ F₂^n/2| D_{ΦkL (αL)} f_L(w_L ⊕ Φ_kL (x_L))=0}| = 2^n/2-1. For any a_i ∈ A_L, i = 1,2,...,2^n/2-1, |{x_R ∈ F₂^n/2|D_{ΦkR (αL ⊕ αR)} f_R(w_R ⊕ Φ_kR (a_i ⊕ x_R))=0}| = 2^n/2-1 since Φ_kR (α_L ⊕ α_R) ≠ 0 and f_R is a bent function. Therefore, DDT_F[α,β] = 2^n/2-1 x 2^n/2-1 = 2^n-1.

② Φ_kR (α_L ⊕ α_R) ≠ 0 and Φ_kL (α_L) = 0. DDT_F[α,β] = 2^n/2 x 2^n/2-1 = 2^n-1.

③ Φ_kR (α_L ⊕ α_R) = 0 and Φ_kL (α_L) ≠ 0. DDT_F[α,β] = 2^n/2-1 x 2^n/2 = 2^n-1.

④ Φ_kR (α_L ⊕ α_R) = 0 and Φ_kL (α_L) = 0. DDT_F[α,β] = 2^n/2 x 2^n/2 = 2ⁿ.

To summarize, when β = (α_L ⊕ α_R,α_L) is satisfied then DDT_F[α,β] can be computed as follows:

\(\begin{aligned}\operatorname{DDT}_{F}[\alpha, \beta]=\left\{\begin{array}{l}2^{n}, \quad \text { if } \alpha \in\left\{\mathbf{0},\left(\mathbf{0}, k_{R}\right),\left(k_{L}, k_{L}\right),\left(k_{L}, k_{L} \oplus k_{R}\right)\right\}, \\ 2^{n-1}, \text { if }\left(\alpha_{L} \notin\left\{\mathbf{0}, k_{L}\right\} \text { and } \alpha_{L} \oplus \alpha_{R} \in\left\{\mathbf{0}, k_{R}\right\}\right) \text { or }\left(\alpha_{L} \in\left\{\mathbf{0}, k_{L}\right\} \text { and } \alpha_{L} \oplus \alpha_{R} \notin\left\{\mathbf{0}, k_{R}\right\}\right), \\ 2^{n-2}, \text { if } \alpha_{L} \notin\left\{\mathbf{0}, k_{L}\right\} \text { and } \alpha_{L} \oplus \alpha_{R} \notin\left\{\mathbf{0}, k_{R}\right\} .\end{array}\right.\end{aligned}\)       (4)

The same method can be used to address the remaining cases, and the following results are then obtained.

Case 2. β = (α_L ⊕ α_R,α_L) ⊕ (0,k_L).

\(\begin{aligned}\operatorname{DDT}_{F}[\alpha, \beta]=\left\{\begin{array}{ll}2^{n-1}, & \text { if } \alpha_{L} \notin\left\{\mathbf{0}, k_{L}\right\} \text { and } \alpha_{L} \oplus \alpha_{R} \in\left\{\mathbf{0}, k_{R}\right\} \\ 2^{n-2}, & \text { if } \alpha_{L} \notin\left\{\mathbf{0}, k_{L}\right\} \text { and } \alpha_{L} \oplus \alpha_{R} \notin\left\{\mathbf{0}, k_{R}\right\}, \\ 0, & \text { if } \alpha_{L} \in\left\{\mathbf{0}, k_{L}\right\} .\end{array}\right.\end{aligned}\)       (5)

Case 3. β = (α_L ⊕ α_R,α_L) ⊕ (k_R,0).

\(\begin{aligned}\operatorname{DDT}_{F}[\alpha, \beta]=\left\{\begin{array}{ll}2^{n-1}, & \text { if } \alpha_{L} \in\left\{\mathbf{0}, k_{L}\right\} \text { and } \alpha_{L} \oplus \alpha_{R} \notin\left\{\mathbf{0}, k_{R}\right\}, \\ 2^{n-2}, & \text { if } \alpha_{L} \notin\left\{\mathbf{0}, k_{L}\right\} \text { and } \alpha_{L} \oplus \alpha_{R} \notin\left\{\mathbf{0}, k_{R}\right\}, \\ 0, & \text { if } \alpha_{L} \oplus \alpha_{R} \in\left\{\mathbf{0}, k_{R}\right\} .\end{array}\right.\end{aligned}\)       (6)

Case 4. β = (α_L ⊕ α_R,α_L) ⊕ (k_R,k_L).

\(\begin{aligned}\operatorname{DDT}_{F}[\alpha, \beta]=\left\{\begin{array}{ll}2^{n-2}, & \text { if } \alpha_{L} \notin\left\{\mathbf{0}, k_{L}\right\} \text { and } \alpha_{L} \oplus \alpha_{R} \notin\left\{\mathbf{0}, k_{R}\right\} \\ 0, & \text { if } \alpha_{L} \in\left\{\mathbf{0}, k_{L}\right\} \text { or } \alpha_{L} \oplus \alpha_{R} \in\left\{\mathbf{0}, k_{R}\right\}\end{array}\right.\end{aligned}\)       (7)

By (4), (5), (6), and (7), the DDT of F(x) can be obtained.#

Moreover, we consider the differential properties when the round function is applied iteratively. It is well-known that the probability of a differential characteristic of Markov cipher [20] can be easily calculated. In what follows, we first prove that DBISON is a Markov cipher.

Lemma 1 The round function F_k,w(x) of DBISON has the following property

Pr_w[F_k,w(x) ⊕ F_k,w(x ⊕ α) = β] = Pr_x[F_k,w(x) ⊕ F_k,w(x ⊕ α) = β].       (8)

Proof Let A_w := {w ∈ F₂^n-2|F_k,w(x) ⊕ F_k,w(x ⊕ α) = β}, A_x := {x ∈ F₂ⁿ|F_k,w(x) ⊕ F_k,w(x ⊕ α) = β}.

More specifically,

A_w = {w ∈ F₂^n-2|(D_{ΦkR (αL ⊕ αR)} f_R(w_R ⊕ Φ_kR (x_L ⊕ x_R))k_R, D_{ΦkL (αL)} f_L(w_L ⊕ Φ_kL (x_L))k_L) = (α_L ⊕ α_R,α_L) ⊕ β}.

A_x = {x ∈ F₂ⁿ | (D_{ΦkR (αL ⊕ αR)} f_R(w_R ⊕ Φ_kR (x_L ⊕ x_R))k_R, D_{ΦkL (αL)} f_L(w_L ⊕ Φ_kL (x_L))k_L) = (α_L ⊕ α_R,α_L) ⊕ β}.

If (α_L ⊕ α_R,α_L) ⊕ β ∉ K^*, then |A_w| = |A_x| = 0, and (8) holds. If (α_L ⊕ α_R,α_L) ⊕ β ∈ K^*, then |A_w| and |A_x| are calculated as below.

Case 1. β =(α_L ⊕ α_R,α_L).

\(\begin{aligned}A_{w}=\left\{w_{L} \in F_{2}^{n / 2-1} \mid D_{\Phi_{k_{L}}\left(\alpha_{L}\right)} f_{L}\left(w_{L} \oplus \Phi_{k_{L}}\left(x_{L}\right)\right)=0\right\} \times\left\{w_{R} \in F_{2}^{n / 2-1} \mid D_{\Phi_{k_{R}}\left(\alpha_{L} \oplus \alpha_{R}\right)} f_{R}\left(w_{R} \oplus \Phi_{k_{R}}\left(x_{L} \oplus x_{R}\right)\right)=0\right\}.\end{aligned}\)

Denote \(\begin{aligned}w_{L} \oplus \Phi_{k_{L}}\left(x_{L}\right)=u w_{R} \oplus \Phi_{k_{R}}\left(x_{L} \oplus x_{R}\right)=v\end{aligned}\), then

 \(\begin{aligned} A_{w} & =\left\{u \oplus \Phi_{k_{L}}\left(x_{L}\right) \in F_{2}^{n / 2-1} \mid D_{\Phi_{k_{L}}\left(\alpha_{L}\right)} f_{L}(u)=0\right\} \times\left\{v \oplus \Phi_{k_{R}}\left(x_{L} \oplus x_{R}\right) \in F_{2}^{n / 2-1} \mid D_{\Phi_{k_{R}}\left(\alpha_{L} \oplus \alpha_{R}\right)} f_{R}(v)=0\right\} \\ & =\left[\Phi_{k_{L}}\left(x_{L}\right) \oplus\left(F_{2}^{n / 2-1}-\operatorname{supp}\left(D_{\Phi_{k_{L}}\left(\alpha_{L}\right)} f_{L}\right)\right)\right] \times\left[\Phi_{k_{R}}\left(x_{L} \oplus x_{R}\right) \oplus\left(F_{2}^{n / 2-1}-\operatorname{supp}\left(D_{\Phi_{k_{R}}\left(\alpha_{L} \oplus \alpha_{R}\right)} f_{R}\right)\right)\right] .\end{aligned}\)

Thus,

\(\begin{aligned}\operatorname{Pr}_{w}\left[F_{k, w}(x) \oplus F_{k, w}(x \oplus \alpha)=\beta\right]=\frac{\left|A_{w}\right|}{\left|F_{2}^{n-2}\right|}=\frac{\left(2^{n / 2-1}-\left|\operatorname{supp}\left(D_{\Phi_{k_{L}}\left(\alpha_{L}\right)} f_{L}\right)\right|\right)\left(2^{n / 2-1}-\left|\operatorname{supp}\left(D_{\Phi_{k_{R}}\left(\alpha_{L} \oplus \alpha_{R}\right)} f_{R}\right)\right|\right)}{2^{n-2}}.\end{aligned}\)

On the other hand, |A_x| can be calculated as follows.

\(\begin{aligned}A_{x}=\left\{\left(x_{L}, x_{R}\right) \in F_{2}^{n} \mid D_{\Phi_{k_{R}}\left(\alpha_{L} \oplus \alpha_{R}\right)} f_{R}\left(w_{R} \oplus \Phi_{k_{R}}\left(x_{L} \oplus x_{R}\right)\right)=0 \text { and } D_{\Phi_{k_{L}}\left(\alpha_{L}\right)} f_{L}\left(w_{L} \oplus \Phi_{k_{L}}\left(x_{L}\right)\right)=0\right\}.\end{aligned}\)\(\begin{aligned}\text {If}\; \Phi_{k_{L}}\left(\alpha_{L}\right)=\mathbf{0}, \text {then }\; \left|\operatorname{supp}\left(D_{\Phi_{k_{L}}\left(\alpha_{L}\right)} f_{L}\right)\right|=0 \; \text {and}\; \left|A_{L}\right|=2^{n / 2}. \text {If} \;\Phi_{k_{L}}\left(\alpha_{L}\right) \neq \mathbf{0}\end{aligned}\)   it, can be deduced that \(\begin{aligned}\left|\operatorname{supp}\left(D_{\Phi_{k_{L}}\left(\alpha_{L}\right)} f_{L}\right)\right|=0\; and\; \left|A_{L}\right|=2^{n / 2}.\end{aligned}\) If \(\begin{aligned}\Phi_{k_{L}}\left(\alpha_{L}\right) \neq \mathbf{0}\end{aligned}\), it can be deduced that \(\begin{aligned}\left|\operatorname{supp}\left(D_{\Phi_{\kappa_{L}}\left(\alpha_{L}\right)} f_{L}\right)\right|=2^{n / 2-2}\end{aligned}\) since f_L is a bent function, and |A_L| = 2^n/2-1(see Theorem 1). In both cases, \(\begin{aligned}\left|A_{L}\right|=2^{n / 2}-2\left|\operatorname{supp}\left(D_{\Phi_{k_{L}}\left(\alpha_{L}\right)} f_{L}\right)\right|\end{aligned}\).

For any a_i ∈ A_L, i = 1,2,...,2^n/2-1, if \(\begin{aligned}\Phi_{k_{R}}\left(\alpha_{L} \oplus \alpha_{R}\right)=\mathbf{0}\end{aligned}\), then \(\begin{aligned}\left|\operatorname{supp}\left(D_{\Phi_{k_{R}}\left(\alpha_{L} \oplus \alpha_{R}\right)} f_{R}\right)\right|=0\end{aligned}\) and \(\begin{aligned}\left|\left\{x_{R} \in F_{2}^{n / 2} \mid D_{\Phi_{k_{R}}\left(\alpha_{L} \oplus \alpha_{R}\right)} f_{R}\left(w_{R} \oplus \Phi_{k_{R}}\left(a_{i} \oplus x_{R}\right)\right)=0\right\}\right|=2^{n / 2}\end{aligned}\). If \(\begin{aligned}\Phi_{k_{R}}\left(\alpha_{L} \oplus \alpha_{R}\right) \neq \mathbf{0}\end{aligned}\), it can be deduced that \(\begin{aligned}\left|\operatorname{supp}\left(D_{\Phi_{k_{R}}\left(\alpha_{L} \oplus \alpha_{R}\right)} f_{R}\right)\right|=2^{n / 2-2}\end{aligned}\), and \(\begin{aligned}\left|\left\{x_{R} \in F_{2}^{n / 2} \mid D_{\Phi_{k_{R}}\left(\alpha_{L} \oplus \alpha_{R}\right)} f_{R}\left(w_{R} \oplus \Phi_{k_{R}}\left(a_{i} \oplus x_{R}\right)\right)=0\right\}\right|=2^{n / 2-1}\end{aligned}\). In both cases, \(\begin{aligned}\left|\left\{x_{R} \in F_{2}^{n / 2} \mid D_{\Phi_{k_{R}}\left(\alpha_{L} \oplus \alpha_{R}\right)} f_{R}\left(w_{R} \oplus \Phi_{k_{R}}\left(a_{i} \oplus x_{R}\right)\right)=0\right\}\right|=2^{n / 2}-2\left|\operatorname{supp}\left(D_{\Phi_{k_{R}}\left(\alpha_{L} \oplus \alpha_{R}\right)} f_{R}\right)\right|\end{aligned}\).

To summarize, \(\begin{aligned}\left|A_{x}\right|=\left(2^{n / 2}-2\left|\operatorname{supp}\left(D_{\Phi_{k_{L}}\left(\alpha_{L}\right)} f_{L}\right)\right|\right)\left(2^{n / 2}-2\left|\operatorname{supp}\left(D_{\Phi_{k_{R}}\left(\alpha_{L} \oplus \alpha_{R}\right)} f_{R}\right)\right|\right)\end{aligned}\), thus (8) holds. The similar results are easily verified for the remaining cases.#

Corollary 1 Let E_k,w^r denote the r-round encryption of DBISON, where its i-th round function is \(\begin{aligned}F_{k_{i}, w_{i}}(x)\end{aligned}\) and using the round keys k₁,k₂,...,k_r. Then, we have

\(\begin{aligned}\operatorname{Pr}_{w, x}\left[E_{k, w}^{r}(x) \oplus E_{k, w}^{r}\left(x \oplus \delta_{0}\right)=\delta_{r}\right]=\prod_{i=1}^{r} \operatorname{Pr}_{w, x}\left[F_{k_{i}, w_{i}}(x) \oplus F_{k_{i}, w_{i}}\left(x \oplus \delta_{i-1}\right)=\delta_{i}\right]\end{aligned}\).

To describe the necessary conditions under which Ω = (δ₀,δ₁,...,δ_r) is a valid differential characteristic and to compute the MDP of DBISON, we need to introduce a new operation.

Definition 5 Let λ_L, λ_R ∈ {0,1}, (k_L,k_R) ∈ F₂ⁿ, k_L ∈ F₂^n/2, k_R ∈ F₂^n/2. We define a “product’’ between (λ_L,λ_R) and (k_L,k_R) as (λ_L,λ_R)∗(k_L,k_R) = (λ_Lk_L,λ_Rk_R ).

By Corollary 1, the probability of having the differential characteristic Ω = (δ₀,δ₁,...,δ_r) after r rounds is \(\begin{aligned}\mathrm{DP}(\Omega)=\prod_{i=1}^{r} \mathrm{DP}\left[\delta_{i-1}, \delta_{i}\right]\end{aligned}\). In particular, DP(Ω) = 0 if and only if there is 0 ≤ j ≤ r, such that DP[δ_j-1,δ_j] = 0. By Theorem 1, DDT_F[δ_i-1,δ_i] = 0 if

δ_i ∉ {(δ_(i-1)L + δ_(i-1)R,δ_(i-1)L) ⊕ γ | γ ∈ {0, (0,k_iL), (k_iR,0), (k_iR,k_iL)}},

which means DP[δ_i-1,δ_i] = 0. Moreover, a valid differential characteristic Ω = (δ₀,δ₁,...,δ_r) should have the following form.

Ω = (δ₀,δ₁,...,δ_r) , δ_i = (δ_(i-1)L ⊕ δ_(i-1)R,δ_(i-1)L) ⊕ (λ_iL,λ_iR)∗(k_iR,k_iL),       (9)

where λ_iL,λ_iR ∈ {0,1}, and k_i = (k_iL,k_iR) is the round key.

Theorem 2 For n-round DBISON, if the round keys satisfy k_iR ∉ {k_(i-1)L,k_(i+1)L}, then there is no nontrivial differential characteristic whose probability equals 1.

Proof Assume Ω = (δ₀,δ₁,...,δ_n) is a nontrivial differential characteristic in (9) and DP[Ω] = 1, thus DP(δ_{i −1},δ_i) = 1, i = 1,2,...,n. Especially, DP(δ₀,δ₁) = DP( δ₁,δ₂) = 1. By Theorem 1, DP[δ₀,δ₁] = 1 if and only if δ₁ = (δ_0L ⊕ δ_0R,δ_0L) and δ₀ ∈ {0,(0,k_1R), (k_1L,k_1L), (k_1L,k_1L ⊕ k_1R)}.

If δ₀ = 0, by Theorem 1, it can be deduced that δ₁ = δ₂ = ...= δ_n = 0, thus Ω is a trivial differential characteristic that holds with probability 1, which contradicts the assumption.

If δ₀ = (0,k_1R), then δ₁ = (0 ⊕ k_1R,0). Using DP (δ₁,δ₂) = 1 and Theorem 1, we have

(k_1R,0) = δ₁ ∈ {0, (0,k_2R), (K_2L,k_2L), (k_2L,k_2L ⊕ k_2R)}.

This contradicts the conditions that k_1R ≠ 0 and k_1R ≠ k_2L.

If δ₀ = (k_1L,k_1L), then δ₁ = (k_1L ⊕ k_1L,k_1L) = (0,k_1L). From DP (δ₁,δ₂) = 1 and Theorem 1, it can be deduced that

(0,k_1L) = δ₁ ∈ {0, (0,k_2R), (K_2L,k_2L), (k_2L,k_2L ⊕ k_2R)}.

This contradicts the conditions that k_iL ≠ 0 and k_2R ≠ k_1L.

If δ₀ = (k_1L,k_1L ⊕ k_1R), then δ₁ = (k_1L ⊕ k_1R ⊕ k_1L,k_1L) = (k_1R,k_1L). Using DP (δ₁,δ₂) = 1 and Theorem 1, it can be deduced that

(k_1R,k_1L) = δ₁ ∈ {0, (0,k_2R), (K_2L,k_2L), (k_2L,k_2L ⊕ k_2R)}.

Again, this violates the conditions that k_1R ≠ 0 and k_1R ≠ k_2L.

From the above cases, it can be concluded that there is no nontrivial differential characteristic with probability 1.#

To prove that DBISON is resistant against differential cryptanalysis, we need to analyze its MDP.

Theorem 3 For the differential characteristic Ω given by (9), we have:

1) If there is δ_j = 0 and δ_j+1 ≠ 0, then DP [Ω] = 0.

2) If there is δ_j = 0 and δ_j-1 ≠ 0 , then DP [Ω] = 0.

Proof

1) By (9), using δ_j = 0 and δ_j+1 ≠ 0, it can be deduced that

δ_j+1 = (λ_jL,λ_jR)*(k_jR,k_jL) ∈ {((k_jR,0), (0,k_jL), (k_jR,k_jL)} .

If δ_j+1 = (k_jR,0), then DDT[δ_j,δ_j+1] ≠ 2ⁿ since δ_j+1 ≠ (δ_jL ⊕ δ_jR,δ_jL). Also, DDT[δ_j,δ_j+1] ≠ 2^n-2, since we can represent δ_j+1 = (δ_jL ⊕ δ_jR,δ_jL) ⊕ (k_jR,0) and the assumption δ_jL = 0 contradicts Thereom 1. Moreover, DDT[δ_j,δ_j+1] ≠ 2^n-1, since δ_j+1 ≠ (δ_jL ⊕ δ_jR,δ_jL), δ_j+1 ≠ (δ_jL ⊕ δ_jR,δ_jL) ⊕ (0,k_jL), and representing δ_j+1 = (δ_jL ⊕ δ_jR,δ_jL) ⊕ (k_jR,0) along with δ_jL ⊕ δ_jR = 0 implies that DDT[δ_j,δ_j+1] ≠ 2^n-1.

If δ_j+1 = (0,k_jL) , then DDT[δ_j,δ_j+1] ≠ 2ⁿ since δ_j+1 ≠ (δ_jL ⊕ δ_jR,δ_jL). Similarly, DDT[δ_j,δ_j+1] ≠ 2^n-2 since δ_j+1 = (δ_jL ⊕ δ_jR,δ_jL) ⊕ (0,k_jL) and δ_jL = 0 . Also, DDT[δ_j,δ_j+1] ≠ 2^n-1 since δ_j+1 ≠ (δ_jL ⊕ δ_jR,δ_jL), δ_j+1 ≠ (δ_jL ⊕ δ_jR,δ_jL) ⊕ (k_jR,0) and expressing δ_j+1 = (δ_jL ⊕ δ_jR,δ_jL) ⊕ (0,k_jL) along with the assumption δ_jL = 0 proves the claim.

If δ_j+1 = (k_jR,k_jL), then DDT[δ_j,δ_j+1] ≠ 2ⁿ since δ_j+1 ≠ (δ_jL ⊕ δ_jR,δ_jL). Also, DDT[δ_j,δ_j+1] ≠ 2^n-2 since δ_j+1 = (δ_jL ⊕ δ_jR,δ_jL) ⊕ (k_jR,k_jL) but δ_jL = 0. Finally, DDT[δ_j,δ_j+1] ≠ 2^n-1 since δ_j+1 ≠ (δ_jL ⊕ δ_jR,δ_jL), δ_j+1 ≠ (δ_jL ⊕ δ_jR,δ_jL) ⊕ (0,k_jL) and δ_j+1 ≠ (δ_jL ⊕ δ_jR,δ_jL) ⊕ (k_jR,0).

Therefore, DP[δ_j,δ_j+1] = 0, and moreover DP[Ω] = 0.

The proof of 2) is similar to the proof of 1). #

Actually, from the result of Theorem 3, we only need to consider Ω in (9) when δ_i ≠ 0, i = 1,2,...,n.

Theorem 4 For n-round DBISON, let Ω be the n-round differential characteristics given by (9) with δ_i ≠ 0, i = 1,2,...,n. Let also the round keys satisfy k_iR ∉ {k_(i-1)L,k_iL,k_(i+1)L,k_iL ⊕ k_(i-1)L}.

If there is δ_j-1 such that DP[δ_j-1,δ_j] = 1, then DP[δ_j-2,δ_j-1] ≠ 1 and DP[δ_j,δ_j+1] ≠ 1.

Proof By Theorem 1 and using δ_i ≠ 0, i = 1,2,...,n, it is clear that DP[δ_j-1,δ_j] = 1 if and only if δ_j = (δ_(j-1)L ⊕ δ_(j-1)R,δ_(j-1)L) and δ_j−1 ∈ {(0,k_jR), (k_jL,k_jL), (k_jL,k_jL ⊕ k_jR)}. DP[δ_j,δ_j+1] ≠ 1 can be proved using reduction to the absurd, the proof of DP[δ_j-2,δ_j-1] ≠ 1 is similar, thus it is omitted here.

Now, assuming that DP[δ_j,δ_j+1] = 1, by Theorem 1, DP[δ_j,δ_j+1] = 1 if and only if δ_j+1 = (δ_jL ⊕ δ_jR,δ_jL) and \(\begin{aligned}\delta_{j} \in A_{\delta_{j}}:=\left\{\left(\mathbf{0}, k_{(j+1) R}\right),\left(k_{(j+1) L}, k_{(j+1) L}\right),\left(k_{(j+1) L}, k_{(j+1) L} \oplus k_{(j+1) R}\right)\right\}\end{aligned}\).

If δ_j−1 = (0,k_jR), using that DP[δ_j-1,δ_j] = 1, we get δ_j = (0 ⊕ k_jR, 0) = (k_jR,0). Combining this with DPDP[δ_j,δ_j+1] = 1, we have \(\begin{aligned}\left(k_{j R}, \mathbf{0}\right)=\delta_{j} \in A_{\delta_{j}}\end{aligned}\) which contradicts the condition that k_iR ≠ k_(i+1)L.

If δ_j-1 = (k_jL,k_jL), using that DP[δ_j-1,δ_j] = 1, we get δ_j = (k_jL ⊕ k_jL,k_jL) = (0,k_jL).

Combining this with DP[δ_j,δ_j+1] = 1, we have \(\begin{aligned}\left(\mathbf{0}, k_{j L}\right)=\delta_{j} \in A_{\delta_{j}}\end{aligned}\) which contradicts the condition that k_iR ≠ k_(i-1)L.

If δ_j-1 = (k_jL,k_jL ⊕ k_jR), using that DP[δ_j-1,δ_j] = 1, we get

δ_j = (k_jL ⊕ k_jR ⊕ k_jL,k_jL) = (k_jR,k_jL).

Again, combining this with DP[δ_j, δ_j+1] = 1, we have \(\begin{aligned}\left(k_{j R}, k_{j L}\right)=\delta_{j} \in A_{\delta_{j}}\end{aligned}\) which contradicts the condition that k_iR ≠ k_(i+1)L.

Therefore, the assumption that DP[δ_j,δ_j+1] = 1 does not hold, thus DP[δ_j,δ_j+1] ≠ 1. #

By Theorem 4, we know that any two consecutive factors of \(\begin{aligned}\mathrm{DP}[\Omega]=\prod_{i=1}^{n} \mathrm{DP}\left[\delta_{i-1}, \delta_{i}\right]\end{aligned}\) cannot be 1 simultaneously, hence there are at most n/2 multiplicative factors that are equal 1. Moreover, because DP[δ_i-1,δ_i] ∈ {0, 1/2², 1/2, 1}, it is clear that DP[Ω] ≤ 2^-n/2.

Theorem 5 For n-round DBISON, let Ω be the n-round differential characteristic given by (9), with δ_i ≠ 0, i = 1,2,...,n. Let the round keys satisfy:

k_iR ∉ {k_(i-1)L,k_iL,k_(i+1)L,k_(i-1)L ⊕ k_iL,k_(i-2)R} and k_iL ≠ k_(i+1)L.

If DP[δ_i-2,δ_i-1] = DP[δ_i,δ_i+1] = 1, then DP[δ_i-1,δ_i] ≠ 1/2.

Proof Assume DP[δ_i-1,δ_i] = 1/2. By Theorem 1, DP[δ_i-1,δ_i] = 1/2 if and only if one of the following cases occurs.

Case 1.

δ_i = (δ_(i-1)L ⊕ δ_(i-1)R,δ_(i-1)L) ∈ {(0,δ_(i-1)L), (k_iR,δ_(i-1)L), (δ_(i-1)L ⊕ δ_(i-1)R,0), (δ_(i-1)L ⊕ δ_(i-1)R,k_iL) |δ_(i-1)L ∉ {0,k_iL}, δ_(i-1)L ⊕ δ_(i-1)R ∉ {0,k_iR}} := A₁.

Using DP[δ_i,δ_i+1] = 1, we get \(\begin{aligned}\delta_{i} \in A_{\delta_{i}}:=\left\{\left(\mathbf{0}, k_{(i+1) R}\right),\left(k_{(i+1) L}, k_{(i+1) L}\right),\left(k_{(i+1) L}, k_{(i+1) L} \oplus k_{(i+1) R}\right)\right\}\end{aligned}\). Due to the conditions that the round keys satisfy, \(\begin{aligned}A_{1} \cap A_{\delta_{i}} \neq \varnothing\end{aligned}\) if and only if δ_(i-1)L = k_(i+1)R. However, using DP[δ_i-2,δ_i-1] = 1, we get δ_(i-1)L = δ_(i-2)L ⊕ δ_(i-2)R ∈ {k_(i-1)R,0} which means k_(i+1)R = k_(i-1)R, a contradiction.

Case 2. δ_i = (δ_(i-1)L ⊕ δ_(i-1)R,δ_(i-1)L) ⊕ (0,k_iL), δ_(i-1)L ⊕ δ_(i-1)R ∈ {0,k_iR} and δ_(i-1)L ∉ {0,k_iL}.

In this case, δ_i ∈ {(0,δ_(i-1)L ⊕ k_iL), (k_iR,δ_(i-1)L ⊕ k_iL)|δ_(i-1)L ∉ (0,k_iL}} := A₂. Using DP[δ_i,δ_i+1] = 1, we get \(\begin{aligned}\delta_{i} \in A_{\delta_{i}} \cdot A_{1} \cap A_{\delta_{i}} \neq \varnothing\end{aligned}\) if and only if δ_(i-1)L ⊕ k_iL = k_(i+1)R. However, since DP[δ_i-2,δ_i-1] = 1, then δ_(i-1)L = δ_(i-2)L ⊕ δ_(i-2)R ∈ {k_(i-1)R,0} which implies that k_iL = k_(i+1)R ⊕ k_(i-1)R or k_(i-1)R, a contradiction.

Case 3. δ_i = (δ_(i-1)L ⊕ δ_(i-1)R,δ_(i-1)L) ⊕ (k_iR,0), δ_(i-1)L ⊕ δ_(i-1)R ∉ {0,k_iR} and δ_(i-1)L ∈ {0,k_iL}.

In this case, δ_i ∈ {(δ_(i-1)L ⊕ δ_(i-1)R ⊕ k_iR,0), (δ_(i-1)L ⊕ δ_(i-1)R ⊕ k_iR,k_iL)|δ_(i-1)L ⊕ δ_(i-1)R ∉ {0,k_iR}} := A₃. By DP[δ_i,δ_i+1] = 1, we have \(\begin{aligned}\delta_{i} \in A_{\delta_{i}}\end{aligned}\). Then, the conditions imposed on the round keys imply that \(\begin{aligned}A_{3} \cap A_{\delta_{i}}=\varnothing\end{aligned}\).

To summarize, the assumption DP[δ_i-1,δ_i] = 1/2 cannot hold. #

Remark 2 For n-round DBISON, let Ω be the n-round differential characteristic given by (9) with δ_i ≠ 0, i = 1,2,...,n. Assuming that the round keys satisfy the conditions of Theorem 5, we cannot possibly have the case DP[Ω] = 1 × (1/2) × 1 × (1/2) × 1....

Theorem 6 For n-round DBISON, let Ω be the n-round differential characteristic given by (9) with δ_i ≠ 0, i = 1,2,...,n. Assume that the round keys satisfy

1) k_iR ∉ {k_(i-1)L, k_iL, k_(i+2)L, k_(i-2)L ⊕ k_(i-1)L, k_(i-1)L ⊕ k_iL,k_iL ⊕ k_(i+2)L,k_(i-1)R}.

2) k_iL ∉ {k_(i-2)L, k_(i-1)L, k_iR ⊕ k_(i+1)R, k_(i+1)R ⊕ k_(i+2)R}.

3) k_(i-1)L ⊕ k_iL ≠ k_iR ⊕ k_(i+1)R.

If DP[δ_i-2,δ_i-1] = DP[δ_i,δ_i+1] = 1, then DP[δ_i-1,δ_i] ≠ 1/2².

Proof Assume DP[δ_i-1,δ_i] = 1/2². By Theorem 1, DP[δ_i-1,δ_i] = 1/2² if and only if one of the following cases occurs.

Case 1. δ_i =(δ_(i-1)L ⊕ δ_(i-1)R, δ_(i-1)L)_, δ_(i-1)L ∉ {0,k_iL} and δ_(i-1)L ⊕ δ_(i-1)R ∉ {0,k_iR}

Using DP[δ_i-2,δ_i-1] = DP[δ_i,δ_i+1] = 1, one can deduce:

δ_i+1 = (δ_iL ⊕ δ_iR,δ_iL) = (δ_(i-1)R, δ_(i-1)L ⊕ δ_(i-1)R) = (δ_(i-2)L, δ_(i-2)R),

where δ_iL ∈ {0,k_(i+1)L} := B₁, and δ_(i-2)R ∈ {k_(i-1)R,k_(i-1)L,k_(i-1)L ⊕ k_(i-1)R} := B₂. The conditions on the round keys imply that B₁ ∩ B₂ = ∅, which contradicts the fact that δ_iL = δ_(i-2)R.

Case 2. δ_i =(δ_(i-1)L ⊕ δ_(i-1)R,δ_(i-1)L) ⊕ (0,k_iL)_, δ_(i-1)L ∉ {0,k_iL} and δ_(i-1)L ⊕ δ_(i-1)R ∉ {0,k_iR}

Using DP[δ_i-2,δ_i-1] = DP[δ_i,δ_i+1] = 1, we get the following equation

δ_i+1 = (δ_iL ⊕ δ_iR,δ_iL) = (δ_(i-1)R ⊕ k_iL,δ_(i-1)L ⊕ δ_(i-1)R) = (δ_(i-2)L ⊕ k_iL,δ_(i-2)R),

where δ_iL ⊕ δ_iR ∈ {0,k_(i+1)R} := B₃, and δ_(i-2)L ⊕ k_iL ∈ {k_iL,k_(i-1)L ⊕ k_iL} := B₄. The conditions on the round keys imply that B₃ ∩ B₄ = ∅, which contradicts the fact that δ_iL ⊕ δ_iR = δ_(i-2)L⊕ k_iL.

Case 3. δ_i =(δ_(i-1)L ⊕ δ_(i-1)R,δ_(i-1)L) ⊕ (k_iR,0)_, δ_(i-1)L ∉ {0,k_iL} and δ_(i-1)L ⊕ δ_(i-1)R ∉ {0,k_iR}

Using DP[δ_i-2,δ_i-1] = DP[δ_i,δ_i+1] = 1, we have

δ_i+1 = (δ_iL ⊕ δ_iR,δ_iL) = (δ_(i-1)R ⊕ k_iR,δ_(i-1)L ⊕ δ_(i-1)R ⊕ k_iR) = (δ_(i-2)L ⊕ k_iR, δ_(i-2)R ⊕ k_iR),

where δ_iL ⊕ δ_iR ∈ B₃, and δ_(i-2)L ⊕ k_iL ∈ {k_iR,k_(i-1)L ⊕ k_iR} := B₅. The assumptions on the round keys give that B₃ ∩ B₅ = ∅, which contradicts δ_iL ⊕ δ_iR = δ_(i-2)L ⊕ k_iR.

Case 4. δ_i =(δ_(i-1)L ⊕ δ_(i-1)R,δ_(i-1)L) ⊕ (k_iR,k_iL)_, δ_(i-1)L ∉ {0,k_iL} and δ_(i-1)L ⊕ δ_(i-1)R ∉ {0,k_iR}

Again, using DP[δ_i-2,δ_i-1] = DP[δ_i,δ_i+1] = 1, we obtain

δ_i+1 = (δ_iL ⊕ δ_iR,δ_iL) = (δ_(i-1)R ⊕ k_iR ⊕ k_iL,δ_(i-1)L ⊕ δ_(i-1)R ⊕ k_iR) = (δ_(i-2)L ⊕ k_iR ⊕ k_iL,δ_(i-2)R ⊕ k_iR), where δ_iL ⊕ δ_iR ∈ B₃, and δ_(i-2)L ⊕ k_iR ⊕ k_iL∈ {k_iR ⊕ k_iL,k_iR ⊕ k_(i-1)L ⊕ k_iL} := B₆. Similarly as above, we get B₃ ∩ B₆ = ∅ which contradicts δ_iL ⊕ δ_iR = δ_(i-2)L ⊕ k_iR ⊕ k_iL.

Therefore, the assumption that DP[δ_i-1,δ_i] = 1/2² cannot hold. #

Remark 3 For n-round DBISON, let Ω denote the n-round differential haracteristic given by (9) with δ_i ≠ 0, i = 1,2,...,n. Assuming that the round keys satisfy conditions in Theorem 6, it is impossible to have DP[Ω]=1 × (1/2²) × (1/2²) × 1... .

Theorem 7 For n-round DBISON, let Ω be the n-round differential characteristic given by (9), with δ_i ≠ 0, i = 1,2,...,n. Assume that the round keys satisfy k_iR ∉ {k_(i+1)R,k_iL,k_(i+1)L} and k_iL ∉ {k_(i+1)R,k_iR ⊕ k_(i+1)R}. If DP[δ_i-1,δ_i] = DP[δ_i+2,δ_i+3] = 1, then the following equalities cannot hold: DP[δ_i,δ_i+1] = DP[δ_i+1,δ_i+2] = 1/2.

Proof By Theorem 1, the conditions on the round keys, and DP[δ_i-1,δ_i] = 1, one can deduce that DP[δ_i,δ_i+1] =1/2 if and only if δ_i-1 = (k_iL,k_iL), δ_i = (0,k_iL) , and δ_i+1 = (k_iL ⊕ k_(i+1)R,0).

Furthermore, DP[δ_i+1,δ_i+2] = 1/2 holds if and only if δ_i+2 = (k_iL ⊕ k_(i+1)R ⊕ k_(i+2)R,k_iL ⊕ k_(i+1)R) or δ_i+2 = (k_iL ⊕ k_(i+1)R,k_iL ⊕ k_(i+2)L ⊕ k_(i+1)R).

IF δ_i+2 = (k_iL ⊕ k_(i+1)R ⊕ k_(i+2)R,k_iL ⊕ k_(i+1)R), then from Theorem 1 and D[δ_i+2,δ_i+3] = 1, it can be easily verified that

δ_i+3 = (δ_(i+2)L ⊕ δ_(i+2)R,δ_(i+2)L) and δ_i+2 ∈ {(0,k_(i+3)R), (k_(i+3)L,k_(i+3)L), (k_(i+3)L,k_(i+3)R ⊕ k_(i+3)L)}.

This means that

(k_iL ⊕ k_(i+1)R ⊕ k_(i+2)R,k_iL ⊕ k_(i+1)R) ∈ {(0,k_(i+3)R), (k_(i+3)L,k_(i+3)L), (k_(i+3)L,k_(i+3)R ⊕ k_(i+3)L)},

which contradicts the assumptions on the round keys. If δ_i+2 = (k_iL ⊕ k_(i+1)R,k_iL ⊕ k_(i+2)L ⊕ k_(i+1)R), a similar conclusion is valid. #

Generalizing the conclusions given in Theorem 7, we observe the following.

Remark 4 For n-round DBISON, let Ω be the n-round differential characteristic given by (9) with δ_i ≠ 0, i = 1,2,...,n. Assuming that the round keys k_i = (k_iL,k_iR) satisfy the conditions that k_iR is linearly independent from k_iL,k_(i+1)L,...,k_(i+l-2)L and k_iL is linearly independent from k_iR,k_(i+1)R,...,k_(i+l-2)R, then DP[δ_i,δ_i+1] = DP[δ_i+1,δ_i+2] = ... = DP[δ_i+l-2,δ_i+l-1] = \(\begin{aligned}\frac{1}{2}\end{aligned}\) and DP[δ_i-1,δ_i] = DP[δ_i+l-1,δ_i+l] = 1 cannot hold.

By Remarks 2, 3, 4, for n-round DBISON (whose round keys satisfy certain conditions) and Ω described by (9) with δ_i ≠ 0, i = 1,2,...,n, if there exists a differential characteristic of the form

\(\begin{aligned}\mathrm{DP}[\Omega]=\prod_{i=1}^{n} \operatorname{DP}\left[\delta_{i-1}, \delta_{i}\right]=1 \times(1 / 2) \times\left(1 / 2^{2}\right) \times 1 \times(1 / 2) \times\left(1 / 2^{2}\right) \times 1 \ldots\end{aligned}\),

then the probability of this differential characteristic is maximal. Then,

\(\begin{aligned}\prod_{i=1}^{n} \mathrm{DP}\left[\delta_{i-1}, \delta_{i}\right]=1 \times(1 / 2) \times\left(1 / 2^{2}\right) \times 1 \times(1 / 2) \times\left(1 / 2^{2}\right) \times 1 \ldots=1^{[n / 3\rceil}(1 / 2)^{\lceil(n-1) / 3\rceil}\left(1 / 2^{2}\right)^{[(n-2) / 3\rceil}:=h(n)\end{aligned}\).

Table 2 gives some values of h(n) for different n. Most notably, h(n)= 1/2ⁿ if n is divisible by 6, otherwise, h(n) = 1/2^n-1.

Table 2. Values of h(n)

Remark 5 For n-round DBISON, we have MDP ≤ 1/2^n-1 when the round keys satisfy the conditions given in the previous theorems. Therefore, we conclude that n-round DBISON is resistant against differential cryptanalysis.

4. Linear cryptanalysis of the DBISON block cipher

To evaluate the resistance of DBISON against linear cryptanalysis, we need to specify the linear approximation table (LAT) of the round function F_k,w (x). Recall that F_k,w (x) was defined in (1), where the linear functions \(\begin{aligned}\Phi_{k_{i L}}\end{aligned}\) and \(\begin{aligned}\Phi_{k_{i R}}\end{aligned}\) are given by:

\(\begin{aligned}\begin{array}{l}\Phi_{k_{L}}\left(x_{L}\right)=\left(x_{L_{\left.L_{(k L}\right)}} k_{L} \oplus x_{L}\right)\left[1, \ldots, i\left(k_{L}\right)-1, i\left(k_{L}\right)+1, \ldots, n / 2\right], \\ \Phi_{k_{R}}\left(x_{R}\right)=\left(x_{R_{i\left(k_{k}\right)}} k_{R} \oplus x_{R}\right)\left[1, \ldots, i\left(k_{R}\right)-1, i\left(k_{R}\right)+1, \ldots, n / 2\right]\end{array}\end{aligned}\)       (10)

where i(k_L) and i(k_R) denote the indices of the lowest bit which is set to 1 in k_L, k_R, respectively. Moreover, it is easy to deduce that \(\begin{aligned}\Phi_{k_{L}}\end{aligned}\) and \(\begin{aligned}\Phi_{k_{R}}\end{aligned}\) are both linear functions, Ker \(\begin{aligned}\Phi_{k_{L}}=\{0,k_L\}\end{aligned}\), and Ker \(\begin{aligned}\Phi_{k_{R}}=\{0, k_R\}\end{aligned}\). In particular, the notation

\(\begin{aligned}\left(x_{i\left(k_{L}\right)} k_{L} \oplus x_{L}\right)\left[1, \ldots, i\left(k_{L}\right)-1, i\left(k_{L}\right)+1, \ldots, n / 2\right]\end{aligned}\)

refers to an (n/2-1)-bit vector, which consists of the bits of \(\begin{aligned}x_{i\left(k_{L}\right)} k_{L} \oplus x_{L}\end{aligned}\) except for the i(k_L)_th bit.

Theorem 8 For the round function F_k,w (x) of DBISON, which is defined by (2) and (10), the entries of LAT of F_k,w (x) are determined as:

1) \(\begin{aligned}\operatorname{LAT}_{F_{k, w}}[a, b]=2^{n-1}\end{aligned}\), if b_L • k_R = b_R • k_L = 0, a_R = b_L and a_L ⊕ b_L ⊕ b_R = 0.

2) \(\begin{aligned}\operatorname{LAT}_{F_{k, w}}[a, b]= \pm 2^{(3 n / 2-1) / 2}\end{aligned}\), if b_L • k_R = 0, b_R • k_L = 1, a_R = b_L and a_L ⊕ b_L ⊕ b_R = 0.

3) \(\begin{aligned}\operatorname{LAT}_{F_{k, w}}[a, b] \in\left(-2^{(3 n / 2-1) / 2}, 2^{(3 n / 2-1) / 2}\right)\end{aligned}\), if b_L • k_R = 1 and (a_L ⊕ b_L)•k_R = 0.

4) Otherwise, \(\begin{aligned}\operatorname{LAT}_{F_{k, w}}[a, b]=0\end{aligned}\).

Proof By Definition 1, it is clear that

\(\begin{aligned}\begin{array}{l}\operatorname{LAT}_{F_{k, w}}[a, b]:=\left|\left\{x \in F_{2}^{n} \mid a \bullet x \oplus b \bullet F_{k, w}(x)=0\right\}\right|-2^{n-1}=\frac{1}{2} W_{F_{k, w}}(a, b) . \\ W_{F_{k, w}}(a, b):=\sum_{x \in F_{2}^{n}}(-1)^{a \cdot x \oplus b \cdot F_{k, w}(x)} \\ =\sum_{x \in F_{2}^{n}}(-1)^{a_{L} \cdot x_{L} \oplus a_{R} \bullet x_{R} \oplus b_{L} \cdot\left(x_{L} \oplus x_{R} \oplus f_{R}\left(w_{R} \oplus \Phi_{k_{R}}\left(x_{L} \oplus x_{R}\right)\right) k_{R}\right) \oplus b_{R} \cdot\left(x_{L} \oplus f_{L}\left(w_{L} \oplus \Phi_{k_{L}}\left(x_{L}\right)\right) k_{L}\right)} \\ =\sum_{x_{L} \in F_{2}^{n / 2}}(-1)^{\left(a_{L} \oplus b_{L} \oplus b_{R}\right) \cdot x_{L} \oplus f_{L}\left(w_{L} \oplus \Phi_{k_{L}}\left(x_{L}\right)\right) b_{R} \bullet k_{L}} \sum_{x_{R} \in F_{2}^{n / 2}}(-1)^{\left(a_{R} \oplus b_{L}\right) \cdot x_{R} \oplus f_{R}\left(w_{R} \oplus \Phi_{k_{R}}\left(x_{L}\right) \oplus \Phi_{k_{R}}\left(x_{R}\right)\right) b_{L} \bullet k_{R}} . \\\end{array}\end{aligned}\)

According to the value of b_L • k_R, \(\begin{aligned}W_{F_{k, w}}\end{aligned}\) (a,b) can be calculated in the following cases.

Case 1. b_L • k_R = 0.

In this case, \(\begin{aligned}W_{F_{k, w}}(a, b)=\sum_{x_{L} \in F_{2}^{n / 2}}(-1)^{\left(a_{L} \oplus b_{L} \oplus b_{R}\right) \cdot x_{L} \oplus f_{L}\left(w_{L} \oplus \Phi_{k_{L}}\left(x_{L}\right)\right) b_{R} \cdot k_{L}} \sum_{x_{R} \in F_{2}^{n / 2}}(-1)^{\left(a_{R} \oplus b_{L}\right) \cdot x_{R}}:=W_{1}\end{aligned}\).

If a_R ≠ b_L, then \(\begin{aligned}\sum_{x_{R} \in F_{2}^{n / 2}}(-1)^{\left(a_{R} \oplus b_{L}\right) \cdot x_{R}}=0\end{aligned}\), thus W₁ = 0.

If a_R = b_L, then \(\begin{aligned}W_{1}=2^{n / 2} \sum_{x_{L} \in F_{2}^{n / 2}}(-1)^{\left(a_{L} \oplus b_{L} \oplus b_{R}\right) \cdot x_{L} \oplus f_{L}\left(w_{L} \oplus \Phi_{k_{L}}\left(x_{L}\right)\right) b_{R} \cdot k_{L}}\end{aligned}\). On the one hand, if b_R • k_L = 0, then \(\begin{aligned}W_{1}=2^{n / 2} \sum_{x_{L} \in F_{2}^{n / 2}}(-1)^{\left(a_{L} \oplus b_{L} \oplus b_{R}\right) \cdot x_{L}}=\left\{\begin{array}{ll}0, & \text { if } a_{L} \oplus b_{L} \oplus b_{R} \neq \mathbf{0}, \\ 2^{n}, & \text { if } a_{L} \oplus b_{L} \oplus b_{R}=\mathbf{0}.\end{array}\right.\end{aligned}\). On the other hand, if b_R • k_L = 1, then \(\begin{aligned}W_{1}=2^{n / 2} \sum_{x_{L} \in F_{2}^{n / 2}}(-1)^{\left(a_{L} \oplus b_{L} \oplus b_{R}\right) \cdot x_{L} \oplus f_{L}\left(w_{L} \oplus \Phi_{k_{L}}\left(x_{L}\right)\right)}\end{aligned}\). Assuming that \(\begin{aligned}\Phi_{k_{L}}\left(x_{L}\right)=y_{L}\end{aligned}\), using that \(\begin{aligned}\Phi_{k_{L}}\end{aligned}\) is linear and Ker \(\begin{aligned}\Phi_{k_{L}}=\left\{\mathbf{0}, k_{L}\right\}\end{aligned}\), we obtain

\(\begin{aligned} \sum_{x_{L} \in F_{2}^{n / 2}}(-1)^{\left(a_{L} \oplus b_{L} \oplus b_{R}\right) \cdot x_{L} \oplus f_{L}\left(w_{L} \oplus \Phi_{k_{L}}\left(x_{L}\right)\right)} & =\sum_{y_{L} \in F_{2}^{n / 2-1}}(-1)^{\left(a_{L} \oplus b_{L} \oplus b_{R}\right) \cdot y_{L}^{\prime} \oplus f_{L}\left(w_{L} \oplus y_{L}\right)}+\sum_{y_{L} \in F_{2}^{n / 2-1}}(-1)^{\left(a_{L} \oplus b_{L} \oplus b_{R}\right) \cdot\left(y_{L}^{\prime} \oplus k_{L}\right) \oplus f_{L}\left(w_{L} \oplus y_{L}\right)} \\ & =\left[1+(-1)^{\left(a_{L} \oplus b_{L} \oplus b_{R}\right) \cdot k_{L}}\right] \sum_{y_{L} \in F_{2}^{n / 2-1}}(-1)^{\left(a_{L} \oplus b_{L} \oplus b_{R}\right) \cdot y_{L}^{\prime} \oplus f_{L}\left(w_{L} \oplus y_{L}\right)}\end{aligned}\),

where y′_L is the same as y with an additional bit set to zero at position i(k_L). Furthermore, if (a_L ⊕ b_L ⊕ b_R)•k_L = 1, then W₁ = 2^n/2 x 0 = 0. if (a_L ⊕ b_L ⊕b_R)•k_L = 0, then

\(\begin{aligned}W_{1}=2^{n / 2+1} \sum_{y_{L} \in F_{2}^{n / 2-1}}(-1)^{\left(a_{L} \oplus b_{L} \oplus b_{R}\right) \cdot y_{L}^{\prime} \oplus f_{L}\left(w_{L} \oplus y_{L}\right)}\end{aligned}\)

Let w_L ⊕ y_L = u_L, and accordingly \(\begin{aligned}W_{1}=2^{n / 2+1}(-1)^{\left(a_{L}^{\prime} \oplus b_{L}^{*} \oplus b_{R}^{*}\right) \cdot w_{L}} \sum_{u_{L} \in F_{2}^{m / 2-1}}(-1)^{\left(a_{L}^{\prime} \oplus b_{L}^{\prime} \oplus b_{R}^{\prime}\right) \cdot u_{L} \oplus f_{L}\left(u_{L}\right)}\end{aligned}\), where a^"_L is an (n/2-1)-dimensional vector obtained by removing the bit in position i(k_L) of a_L.

Since f_L is a bent function, then W₁ = 2^n/2+1(-1)^{(a″_L⊕b″_L⊕b″_R)•w_L} (±2^(n/2-1)/2) = ±2^(3n/2+1)/2.

Case 2. b_L • k_R = 1.

\(\begin{aligned}W_{F_{k, w}}(a, b)=\sum_{x_{L} \in F_{2}^{n / 2}}(-1)^{\left(a_{L} \oplus b_{L} \oplus b_{R}\right) \cdot x_{L} \oplus f_{L}\left(w_{L} \oplus \Phi_{k_{L}}\left(x_{L}\right)\right) b_{R} \bullet k_{L}} \sum_{x_{R} \in F_{2}^{n / 2}}(-1)^{\left(a_{R} \oplus b_{L}\right) \bullet x_{R} \oplus f_{R}\left(w_{R} \oplus \Phi_{k_{R}}\left(x_{L}\right) \oplus \Phi_{k_{R}}\left(x_{R}\right)\right)}\end{aligned}\)

For any fixed x_L ∈ F₂^n/2, it can be calculated that

\(\begin{aligned}\sum_{x_{R} \in F_{2}^{n / 2}}(-1)^{\left(a_{R} \oplus b_{L}\right) \cdot x_{R} \oplus f_{R}\left(w_{R} \oplus \Phi_{k_{R}}\left(x_{L}\right) \oplus \Phi_{k_{R}}\left(x_{R}\right)\right)}=\left\{\begin{array}{ll}0, & \text { if }\left(a_{R} \oplus b_{L}\right) \bullet k_{R}=1, \\ \pm(-1)^{\left(a_{R}^{*} \oplus b_{L}^{\prime \prime}\right) \cdot\left(w_{R} \oplus \Phi_{k_{R}}\left(x_{L}\right)\right)} 2^{(n / 2+1) / 2}, & \text { if }\left(a_{R} \oplus b_{L}\right) \bullet k_{R}=0\end{array}\right.\end{aligned}\).

Thus, if (a_R ⊕ b_L)•k_R = 1, then \(\begin{aligned}W_{F_{k, w}}(a, b)=2^{n / 2} \times 0=0\left(a_{R} \oplus b_{L}\right) \bullet k_{R}=0\end{aligned}\), then

\(\begin{aligned}W_{F_{k, w}}(a, b)= \pm 2^{(n / 2+1) / 2} \sum_{x_{L} \in F_{2}^{n / 2}}(-1)^{\left(a_{L} \oplus b_{L} \oplus b_{R}\right) \cdot x_{L} \oplus f_{L}\left(w_{L} \oplus \Phi_{k_{L}}\left(x_{L}\right)\right) b_{R} \bullet k_{L} \oplus\left(a_{R}^{*} \oplus b_{L}^{\prime}\right) \cdot\left(w_{R} \oplus \Phi_{k_{R}}\left(x_{L}\right)\right)}\end{aligned}\).

Thus, \(\begin{aligned}-2^{(3 n / 2+1) / 2} \leq W_{F_{k, w}}(a, b) \leq 2^{(3 n / 2+1) / 2}\end{aligned}\), where the equalities hold if and only if for all x_L ∈ F₂^n/2, we have

\(\begin{aligned}\left(a_{R}^{\prime \prime} \oplus b_{L}^{\prime \prime}\right) \bullet\left(w_{R} \oplus \Phi_{k_{R}}\left(x_{L}\right)\right) \oplus\left(a_{L} \oplus b_{L} \oplus b_{R}\right) \bullet x_{L} \oplus f_{L}\left(w_{L} \oplus \Phi_{k_{L}}\left(x_{L}\right)\right) b_{R} \bullet k_{L}=0 \; \text {or} \;1 \end{aligned}\)

The probability that these extreme cases occurring is very small, thus we can suppose \(\begin{aligned}-2^{(3 n / 2+1) / 2}<W_{F_{k, w}}(a, b)<2^{(3 n / 2+1) / 2}\end{aligned}\). #

Theorem 9 For DBISON cipher, let its round function F_k,w(x) be given by (2) and (10). If the number of rounds is r = n/2+3, then we have MLP < 2^-(n-1) for n > 4.

Proof Assume that there exists a nontrivial linear characteristic θ = (θ₀,θ₁,...,θ_n/2+3). In particular, let the linear characteristic θ^* = (θ₀,θ₁,...,θ_n/2) be such that LP(θ_i-1,θ_i) = 1, i = 1,2,...,n/2. By Theorem 8, we have LP(θ_i-1,θ_i) = 1 if and only if θ_iL • k_iR = θ_iR • k_iL = 0, θ_iL = θ_(i-1)R and θ_iR = θ_(i-1)L ⊕ θ_(i-1)R. Note that there are two constraints (two-bit constraint conditions) for each round subkey, i.e. θ_iL • k_iR = θ_iR • k_iL = 0. In this case, considering n/2 rounds, the cardinality of a weak subkey set (satisfying the constraint conditions) should be only 2ⁿ x 2^-2x(n/2) = 1 on average. On the other hand, if there are n/2+3 - n/2 = 3 rounds, then the linear characteristic θ^* = (θ_n/2,θ_n/2+1,θ_n/2+2,θ_n/2+3) exists with probability [2^-(n/2-1)]³ = 2^-(3n/2-3). Therefore, MLP < 2^-(n-1) for n > 4.

Remark 6. To resist algebraic attacks, the default round number should be at least 3n.

5. DBISON instances and implementation results

In this section, we discuss our implementation of DBISON encryption algorithm with input block size of 10 bits, where the generations of round keys, whitened keys and round constants are also specified. Similarly to the standard BISON encryption algorithm, the bent function used in this instance of DBISON is the quadratic function f(X₁,X₂) = X₁ • X₂, where X_i ∈ F₂⁵. The differential uniformity and nonlinearity for round-reduced versions of DBISON consisting of 30 rounds (alternatively 10 or 20 rounds) and for different instances (specifying different secret keys via LFSRs) are given. The truth table of one particular instance and the intermediate values for 30 encryption rounds are given in Appendix A and B, respectively.

Assume that the input bit string for DBISON is x = (x₁₀,x₉,...,x₁), which is divided into two parts, i.e. x_L = (x₁₀,x₉,...,x₆) and X_R = (x₅,x₄,...,x₁). The first encryption round is described below.

• The encryption operation for the left branch includes the following five steps.

1) The left key k_L is derived from the state of an LFSR, where the primitive polynomial used is x⁵ + x² + 1, and the initial state belongs to F₂⁵∖{0}.

2) \(\begin{aligned}\Phi_{k_{L}}\left(x_{L}\right)=\left(x_{L_{L\left(k_{L}\right)}} k_{L} \oplus x_{L}\right)\left[1, \ldots, i\left(k_{L}\right)-1, i\left(k_{L}\right)+1, \ldots, 5\right]\end{aligned}\).

3) The left whitened key w_L is derived from the state of another LFSR, where the primitive polynomial used is x⁴ + x³ + 1, and the initial state is fixed by (1, 0, 0, 0). The round constant C_L is derived from the state of the same LFSR, and the initial state is given by (0, 0, 0, 1).

4) \(\begin{aligned}\Phi_{k_{L}}\left(x_{L}\right) \oplus w_{L} \oplus C_{L}=\left(y_{4}, y_{3}, y_{2}, y_{1}\right)\end{aligned}\), f(y₄,y₃,y₂,y₁) = y₄y₂ ⊕ y₃y₁ ⊕ b_L, and b_L = 0 for the first r/2 rounds, and b_L = 1 for the remaining r/2 rounds, where r is the number of rounds.

5) The value of x_L ⊕ f(y₄,y₃,y₂,y₁)k_L is calculated.

• The encryption operation for the right branch contains the five portions below. In particular, the input string for the right branch is x_L⊕ x_R, denote it as x′_R.

1) The right-hand part of the key k_R is derived from the state of an LFSR, where the primitive polynomial used is given by x⁵ + x³ + 1, and the initial state belongs to F₂⁵∖{0}.

2) \(\begin{aligned}\Phi_{k_{R}}\left(x_{R}^{\prime}\right)=\left(x_{R_{i\left(k_{R}\right)}^{\prime}}^{\prime} k_{R} \oplus x_{R}^{\prime}\right)\left[1, \ldots, i\left(k_{R}\right)-1, i\left(k_{R}\right)+1, \ldots, 5\right]\end{aligned}\).

3) The right-hand part of the whitened key w_R is derived from the state of another LFSR, the primitive polynomial used is given by x⁴ + x +1, and the initial state is fixed by (1, 0, 0, 1). The round constant C_R is derived from the state of the same LFSR, and the initial state is fixed by (0, 0, 0, 1).

4) \(\begin{aligned}\Phi_{k_{R}}\left(x_{R}^{\prime}\right) \oplus w_{R} \oplus C_{R}=\left(y_{4}^{\prime}, y_{3}^{\prime}, y_{2}^{\prime}, y_{1}^{\prime}\right)\end{aligned}\), f(y'₄,y'₃,y'₂,y'₁) = y'₄y'₂⊕y'₃y'₁⊕b_R, and b_R = 0 for the first r/2 rounds and b_R = 1 for the remaining r/2 rounds, where r is the number of rounds.

5) The value of x'_R ⊕ f(y'₄,y'₃,y'₂,y'₁)k_R is calculated.

Finally, the output value of the first round is (x'_R ⊕ f(y'₄,y'₃,y'₂,y'₁)k_R, x_L ⊕ f(y₄,y₃,y₂,y₁)k_L). Similarly, in the second round, k, w and C are also derived from the states of the corresponding LFSRs in the next clock, and so on. More specifically, the initial state of the LFSR for deriving k_L in the first encryption round is fixed to any value in F₂⁵∖{0}. On the other hand, the initial state of the LFSR for deriving k_R in the first round, selects another value k_L in F₂⁵∖{0}. This gives in total 930 instances (different keys) of DBISON which we have checked. The differential uniformities and nonlinearities of these instances for DBISON that implements 10, 20 and 30 encryption rounds are verified, respectively. These results are described in Fig. 2 and Fig. 3. In particular, the horizontal axis represents the value of the differential uniformity (nonlinearity), whereas the vertical axis is the number of instances whose differential uniformity (nonlinearity) is fixed.

Fig. 2(a). The differential uniformities of 10-round DBISON

Fig. 2(b). The nonlinearities of 10-round DBISON

Fig. 3(a). The differential uniformities of 30-round DBISON

Fig. 3(b). The nonlinearities of 30-round DBISON

In Fig. 2, for DBISON consisting of 10 encryption rounds, the differential uniformity is mainly distributed among the values 12, 14, 16 and 18. Actually, these values have a percentage of approximately 92.26%. On the other hand, the maximal nonlinearity that has been achieved in the simulations is 440. Also, the nonlinearity in the range between 384 and 440 stands for the percentage of approximately 95.91%. In fact, it means that these functions achieve relatively high nonlinearity. (note that the nonlinearity of bent functions is 496, and the nonlinearity of almost optimal functions is 480 when n=10.) Moreover, the best differential uniformity of these instances is 14, and the nonlinearity is 440, which is quite close to the almost optimal functions. This illustrates that most of these DBISON instances have quite good differential uniformity and nonlinearity, though only 10 encryption rounds are considered.

Fig. 3(a) illustrates that the differential uniformity takes values 12 and 14 with the percentage of approximately 93.51%, when the number of rounds is 30. The nonlinearity distribution is given in Fig. 3(b) and the nonlinearities between 428 and 442 occur with the percentage of approximately 95.2%. There exist many DBISON instances, using 30 rounds, whose differential uniformity equals 12 and having nonlinearity 442. The truth table of one of these instances is given in Appendix A, whereas the test vectors for each round are provided in Appendix B.

In addition, the differential uniformities and nonlinearities of DBISON instances using 20 rounds can be found in Appendix C. Comparing the 20-round and 30-round results, it is clear that their performances are quite close (of course 30-round DBISON is somewhat better). Of course, all DBISON instances are balanced bijections. Therefore, DBISON has quite good cryptographic performance.

Similarly to the encryption operation, the decryptions of left branch and right branch are also performed in parallel. More precisely, let \(\begin{aligned}\tau_{L}\left(x_{L}\right)=x_{L} \oplus f_{L}\left(w_{L} \oplus \Phi_{k_{L}}\left(x_{L}\right)\right) k_{L}\end{aligned}\), \(\begin{aligned}\tau_{R}\left(x_{R}\right)=x_{R} \oplus f_{R}\left(w_{R} \oplus \Phi_{k_{R}}\left(x_{R}\right)\right) k_{R}, x_{L}, \quad x_{R} \in F_{2}^{n / 2}\end{aligned}\), x_L, x_R ∈ F₂^n/2 . Then, τ_L and τ_R can be derived as below. For any x_L ∈ F₂^n/2,

\(\begin{aligned} \tau_{L} \circ \tau_{L}\left(x_{L}\right) & =\tau_{L}\left(x_{L} \oplus f_{L}\left(w_{L} \oplus \Phi_{k_{L}}\left(x_{L}\right)\right) k_{L}\right) \\ & =x_{L} \oplus f_{L}\left(w_{L} \oplus \Phi_{k_{L}}\left(x_{L}\right)\right) k_{L} \oplus f_{L}\left(w_{L} \oplus \Phi_{k_{L}}\left(x_{L} \oplus f_{L}\left(w_{L} \oplus \Phi_{k_{L}}\left(x_{L}\right)\right) k_{L}\right)\right) k_{L}\end{aligned}\).

If \(\begin{aligned}f_{L}\left(w_{L} \oplus \Phi_{k_{L}}\left(x_{L}\right)\right)=0\end{aligned}\), it is clear that τ_L ∘ τ_L(x_L) = x_L. If \(\begin{aligned}f_{L}\left(w_{L} \oplus \Phi_{k_{L}}\left(x_{L}\right)\right)=1\end{aligned}\), then we have

\(\begin{aligned}\tau_{L} \circ \tau_{L}\left(x_{L}\right)=x_{L} \oplus k_{L} \oplus f_{L}\left(w_{L} \oplus \Phi_{k_{L}}\left(x_{L} \oplus k_{L}\right)\right) k_{L}=x_{L} \oplus k_{L} \oplus f_{L}\left(w_{L} \oplus \Phi_{k_{L}}\left(x_{L}\right)\right) k_{L}=x_{L}\end{aligned}\),

because \(\begin{aligned}\operatorname{Ker} \Phi_{k_{L}}=\left\{\mathbf{0}, k_{L}\right\}\end{aligned}\). Thus, τ_L is involutory, and this also holds for τ_R.

Note that the round function F(x) of DBISON can be represented as F(x) = (τ_R(x_L ⊕ x_R), τ_L(x_L)). Then, the output of the left branch is y_L = τ_R(x_L⊕ x_R), and the output of the right branch is y_R = τ_L(x_L) . Since both τ_L and τ_R are involutory, we have x_L = τ_L(y_R), x_L ⊕ x_R = τ_R(y_L), that is, x_R = τ_R(y_L) ⊕ τ_L(y_R). The round decryption function is F^-1(y) = (τ_L(y_R), τ_R(y_L) ⊕ τ_L(y_R)), see Fig. 4. Therefore, the decryption process actually uses the reversed encryption round keys.

Fig. 4. The decryption round function F^-1(y) of DBISON

6. Conclusion

In this paper, a new block cipher DBISON has been proposed, which employs double layers of a BISON-like construction. Compared to the original BISON cipher, DBISON divides the input into two halves and the nonlinear round function is computed in parallel, which results in a better performance in both software and hardware. Moreover, DBISON consisting of 3n rounds is provably resistant against differential and linear attacks. More precisely, it is shown the MDP is 1/2^n-1 for n encryption rounds, and the MLP is strictly less than 1/2^n-1 when (n/2+3) encryption rounds are used. Actually, if we select the data block size n = 258, then both MDP and MLP of DBISON are very close to the ideal value.

Appendix