Nonlinear Diffusion Layers∗

In the practice of block cipher design, there seems to have grown a consensus about the diffusion function that designers choose linear functions with large branch numbers to achieve provable bounds against differential and linear cryptanalysis. In this paper, we propose two types of nonlinear functions as alternative diffusing components. One is based on a nonlinear code with parameters (16,256,6) which is known as a Kerdock code. The other is a general construction of nonlinear functions based on the T-functions, in particular, two automatons with modular addition operations. We show that the nonlinear functions possess good diffusion properties; specifically, the nonlinear function based on a Kerdock code has a better branch number than any linear counterparts, while the automatons achieve the same branch number as a linear near-MDS matrix. The advantage of adopting nonlinear diffusion layers in block ciphers is that, those functions provide extra confusion effect while a comparable performance in the diffusion effect is maintained. As an illustration, we show the application of the nonlinear diffusion functions in two example ciphers, where a 4-round differential characteristic with the optimal number of active Sboxes has a probability significantly lower (2 and 2 times, respectively) than that of a similar cipher with a linear diffusion layer. As a result, it sheds light upon an alternative strategy of designing lightweight building blocks.