Branch number explained

In cryptography, the branch number is a numerical value that characterizes the amount of diffusion introduced by a vectorial Boolean function that maps an input vector to output vector

F(a)

. For the (usual) case of a linear the value of the differential branch number is produced by:

applying nonzero values of (i.e., values that have at least one non-zero component of the vector) to the input of ;

(number of nonzero components), and adding weights

W(a)

and

W(F(a))

together;

selecting the smallest combined weight across for all nonzero input values:

B_d(F)=\underset{a\ne0}{min}(W(a)+W(F(a)))

.If both and

F(a)

have components, the result is obviously limited on the high side by the value

s+1

(this "perfect" result is achieved when any single nonzero component in makes all components of

F(a)

to be non-zero). A high branch number suggests higher resistance to the differential cryptanalysis: the small variations of input will produce large changes on the output and in order to obtain small variations of the output, large changes of the input value will be required.

The term was introduced by Daemen and Rijmen in early 2000s and quickly became a typical tool to assess the diffusion properties of the transformations.

Mathematics

The branch number concept is not limited to the linear transformations, Daemen and Rijmen provided two general metrics:

differential branch number, where the minimum is obtained over inputs of that are constructed by independently sweeping all the values of two nonzero and unequal vectors, (

⊕

is a component-by-component exclusive-or):

B_d(F)=\underset{a\neb}{min}(W(a ⊕ b)+W(F(a) ⊕ F(b))

;

for linear branch number, the independent candidates

\alpha

and

\beta

are independently swept; they should be nonzero and correlated with respect to (the

LAT(\alpha,\beta)

coefficient of the linear approximation table of should be nonzero):

B_l(F)=\underset{\alpha\ne0,\beta,LAT(\alpha,\beta)\ne0}{min}(W(\alpha)+W(\beta))

.^[1]

Sources

Book: Thomas Peyrin . Meicheng . Liu . Siang Meng . Sim . 25 July 2016 . Fast Software Encryption: 23rd International Conference, FSE 2016, Bochum, Germany, March 20-23, 2016, Revised Selected Papers . Springer . 101–121 . 978-3-662-52993-5 . Branch Number of the Diffusion Layer . 1008648217 . https://books.google.com/books?id=xUG8DAAAQBAJ&pg=PA105.
Book: Information Security Practice and Experience . Zhang . Wentao . Wu . Wenling . Feng . Dengguo . Su . Bozhan . Some New Observations on the SMS4 Block Cipher in the Chinese WAPI Standard . Lecture Notes in Computer Science . 2009 . 5451 . 324–335 . Springer Berlin Heidelberg . 0302-9743 . 1611-3349 . 10.1007/978-3-642-00843-6_28 . 978-3-642-00842-9 . https://books.google.com/books?id=h13tzZqbcDcC&pg=PA327.
Book: Joan . Daemen . Vincent . Rijmen . 9 March 2013 . The Design of Rijndael: AES - The Advanced Encryption Standard . Springer Science & Business Media . 978-3-662-04722-4 . 1259405449 .

Notes and References

Web site: SAGE . S-Boxes and Their Algebraic Representations . sagemath.org . . 25 April 2023.