Abstract
AES is one of the most common block ciphers, and many AES-like primitives have been proposed. Recently, many lightweight symmetric-key cryptographic primitives have also been proposed. Some such primitives implement diffusion with element-wise XORs, which we call binary matrices in this paper, rather than with MDS matrices, because element-wise XOR is efficiently implemented in a lightweight environment. However, since the branch number of binary matrices is generally lower than that of MDS matrices, such primitives require more rounds to guarantee security against several cryptanalytic attacks. In this paper, we focus on binary matrices and discuss useful cryptographic properties of binary matrices. Specifically, we focus on AES-like primitives with binary MixColumns, whose output is computed using a binary matrix. One of the benefits of AES-like primitives is that four rounds guarantee \(\mathcal{B}^2\) differentially and linearly active S-boxes, where \(\mathcal{B}\) denotes the branch number of the matrix. We argue that there is a binary MixColumns for which the lower bound on the number of active S-boxes in the 4-round characteristic is more than \(\mathcal{B}^2\). For some binary matrices, the lower bound is improved from \(\mathcal{B}^2\) to \(\mathcal{B}(\mathcal{B}+2)\).
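As an added illustration of the branch number \(\mathcal{B}\) that the abstract builds on (this is example code, not from the paper), the following computes the differential and linear branch number of a binary MixColumns matrix by exhaustive search over GF(2)^n and lists the inputs that attain it. The 4x4 matrices are constructed here: the identity and the circulant (0,1,1,1), a common almost-MDS binary matrix.

```python
from itertools import product
from typing import List, Sequence, Tuple

Matrix = List[List[int]]  # n x n matrix over GF(2); entry 1 means "XOR this input byte in"


def mat_vec_gf2(M: Matrix, x: Sequence[int]) -> List[int]:
    """Multiply M by column vector x over GF(2); each output is an XOR of selected inputs."""
    return [sum(m * xi for m, xi in zip(row, x)) % 2 for row in M]


def transpose(M: Matrix) -> Matrix:
    return [list(col) for col in zip(*M)]


def min_weight_inputs(M: Matrix) -> Tuple[int, List[Tuple[int, ...]]]:
    """Return (min over nonzero x of wt(x) + wt(Mx), list of x attaining it).

    Exhaustive over the 2^n - 1 nonzero activity patterns, which is cheap for the
    small n used by a MixColumns-style matrix (n = 4 here, n = 8 at most in practice).
    """
    n = len(M)
    best, attaining = 2 * n + 1, []
    for x in product((0, 1), repeat=n):
        if not any(x):
            continue
        total = sum(x) + sum(mat_vec_gf2(M, x))
        if total < best:
            best, attaining = total, [x]
        elif total == best:
            attaining.append(x)
    return best, attaining


def branch_number(M: Matrix) -> int:
    """Differential branch number B: minimum number of active cells across the matrix."""
    return min_weight_inputs(M)[0]


def linear_branch_number(M: Matrix) -> int:
    """Linear branch number is the differential branch number of the transpose."""
    return branch_number(transpose(M))


def four_round_bound(b: int) -> int:
    """Generic AES-like bound quoted in the abstract: at least B^2 active S-boxes in 4 rounds."""
    return b * b


# Constructed sample matrices (4 x 4 over GF(2)).
IDENTITY4: Matrix = [[int(i == j) for j in range(4)] for i in range(4)]
CIRC_0111: Matrix = [[int(i != j) for j in range(4)] for i in range(4)]  # circulant (0,1,1,1)

if __name__ == "__main__":
    for name, M in (("identity", IDENTITY4), ("circ(0,1,1,1)", CIRC_0111)):
        b = branch_number(M)
        print(f"{name}: B={b}, linear B={linear_branch_number(M)}, 4-round bound={four_round_bound(b)}")
```

The identity gives \(\mathcal{B}=2\) (no diffusion), while circ(0,1,1,1) reaches \(\mathcal{B}=4\), the best any 4x4 binary matrix can do because no nontrivial MDS code exists over GF(2); the generic 4-round bound is then 16, which is what the paper's \(\mathcal{B}(\mathcal{B}+2)\) result improves for some matrices.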