Designs, Codes and Cryptography, 22, 65–87, 2001.
© 2001 Kluwer Academic Publishers, Boston. Manufactured in The Netherlands.

Linear Frameworks for Block Ciphers

JOAN DAEMEN (daemen.j@protonworld.com)
Proton World International, Zweefvliegtuigstraat 10, B-1130 Brussel, Belgium

LARS R. KNUDSEN (lars.knudsen@ii.uib.no)
University of Bergen, Department of Informatics, Hoyteknologisenteret, N-5020 Bergen, Norway

VINCENT RIJMEN * (vincent.rijmen@esat.kuleuven.ac.be)
Katholieke Universiteit Leuven, Dept. ESAT, SISTA/COSIC Lab, Kard. Mercierlaan 94, B-3001 Heverlee, Belgium

Communicated by: P. C. van Oorschot

Received April 23, 1998; Revised January 19, 1999; Accepted June 8, 1999

Abstract. In this paper we generalize the structure of the ciphers Shark, Square, BKSQ, Crypton and Rijndael. We show that the linear components play an essential role in the effect of the nonlinear S-boxes in providing resistance against differential and linear cryptanalysis and provide upper bounds for the probability of differential characteristics and the correlation of linear approximations for the general structure. We show how good linear components can be constructed efficiently from Maximum-Distance Separable codes. The presented block cipher structure can make optimal use of a wide range of processor word lengths and its parallelism allows very fast dedicated hardware implementations. Ciphers with variable block length can be constructed by varying certain parameters in the presented structure.

Keywords: block ciphers, substitution-linear transformation networks, MDS codes, Rijndael

1. Introduction

Many papers have been published on the design of nonlinear functions and S-boxes, which are considered the most important components of ciphers and hash functions. In this paper we concentrate on the linear components in cipher structures, their interactions and their role in providing resistance against differential and linear cryptanalysis.
The generation of S-boxes that are part of the presented structure and round key schedules are out of the scope of this paper. We realize that carelessly chosen S-boxes or key schedules allow efficient attacks.

The cipher structures presented in this paper are similar to the classical Substitution-Permutation structure [7]. Instead of permutations our constructions exhibit more general linear transformations. The main goal of this paper is to demonstrate that resistance against linear and differential cryptanalysis can be efficiently obtained by combining linear components with non-linear components, both selected according to very simple criteria.

There are several examples of ciphers (e.g., SAFER [14], SAFER+ [15] and TWOPRIME [6]) that use linear transformations. However, the transformations they use produce a

* F. W. O. Postdoctoral Researcher, sponsored by the Fund for Scientific Research—Flanders (Belgium)