Design of a Linear Layer Optimised for Bitsliced 32-bit Implementation

IACR Transactions on Symmetric Cryptology (2024)

Abstract
The linear layer of block ciphers plays an important role in their security. In particular, ciphers designed following the wide-trail strategy use the branch number of the linear layer to derive bounds on the probability of linear and differential trails. At FSE 2014, the LS-design construction was introduced as a simple and regular structure to design bitsliced block ciphers. It considers the internal state as a bit matrix, and applies alternatively an identical S-Box on all the columns, and an identical L-Box on all the lines. Security bounds are derived from the branch number of the L-Box. In this paper, we focus on bitsliced linear layers inspired by the LS-design construction and the Spook AEAD algorithm. We study the construction of bitsliced linear transformations with efficient implementations using XORs and rotations (optimized for bitsliced ciphers implemented on 32-bit processors), and a high branch number. In order to increase the density of the activity patterns, the linear layer is designed on the whole state, rather than using multiple parallel copies of an L-Box. Our main result is a linear layer for 128-bit ciphers with branch number 21, improving upon the best 32-bit transformation with branch number 12, and the one of Spook with branch number 16.
Keywords
Bitsliced cipher,Linear layer,Branch number
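
The following is an added example, not code from the paper: it brute-forces the differential branch number of an XOR-and-rotation L-Box, then of a bit-matrix state where the same L-Box is applied to every line and activity is counted per column (per S-Box), as in the LS-design described in the abstract. The 8-bit word width, the two-line state and the rotation sets are toy assumptions chosen so exhaustive search is instant; they are not the paper's parameters.

```python
from itertools import product

W = 8                      # toy word width (assumption; the paper targets 32-bit words)
MASK = (1 << W) - 1

def rotl(x, r):
    r %= W
    return ((x << r) | (x >> (W - r))) & MASK

def make_lbox(rotations):
    """Return L(x) = XOR of rotl(x, r) over the given rotation amounts."""
    def lbox(x):
        y = 0
        for r in rotations:
            y ^= rotl(x, r)
        return y
    return lbox

def wt(x):
    return bin(x).count("1")

def lbox_branch_number(lbox):
    """min over x != 0 of wt(x) + wt(L(x)), by exhaustive search."""
    return min(wt(x) + wt(lbox(x)) for x in range(1, 1 << W))

def parallel_layer(lbox):
    """LS-design style layer: the same L-Box applied to each line independently."""
    return lambda rows: tuple(lbox(r) for r in rows)

def active_columns(rows):
    """A column (S-Box) is active if any line has a nonzero bit in it."""
    pattern = 0
    for r in rows:
        pattern |= r
    return wt(pattern)

def state_branch_number(layer, n_rows):
    """min over nonzero states of active input columns + active output columns."""
    return min(active_columns(rows) + active_columns(layer(rows))
               for rows in product(range(1 << W), repeat=n_rows) if any(rows))

if __name__ == "__main__":
    for rots in ([0], [0, 1], [0, 1, 3]):
        print(rots, "L-Box branch number:", lbox_branch_number(make_lbox(rots)))
    layer = parallel_layer(make_lbox([0, 1, 3]))
    print("2 parallel lines, column-wise branch number:", state_branch_number(layer, 2))
```

With parallel copies, a single active line always attains the L-Box's own branch number, so the state-level count cannot exceed it; a layer defined on the whole state is not bound to that value.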