Showing papers on "Differential cryptanalysis published in 2014"


Book ChapterDOI
03 Mar 2014
TL;DR: This paper identifies a family of block ciphers that can systematically take advantage of bitslicing in a principled manner and evaluates both the security and performance of such designs and two of their instances, confirming excellent properties for physically secure applications.
Abstract: Side-channel analysis is an important issue for the security of embedded cryptographic devices, and masking is one of the most investigated solutions to mitigate such attacks. In this context, efficient masking has recently been considered as a possible criteria for new block cipher designs. Previous proposals in this direction were applicable to different types of masking schemes (e.g. Boolean and polynomial). In this paper, we study possible optimizations when specializing the designs to Boolean masking. For this purpose, we first observe that bitslice ciphers have interesting properties for improving both the efficiency and the regularity of masked software implementations. Next we specify a family of block ciphers (denoted as LS-designs) that can systematically take advantage of bitslicing in a principled manner. Eventually, we evaluate both the security and performance of such designs and two of their instances, confirming excellent properties for physically secure applications.

175 citations


Journal ArticleDOI
TL;DR: This work introduces a novel extension of linear cryptanalysis: zero-correlation linear cryptanalysis, a technique applicable to many block cipher constructions based on linear approximations with a correlation value of exactly zero.
Abstract: Linear cryptanalysis, along with differential cryptanalysis, is an important tool to evaluate the security of block ciphers. This work introduces a novel extension of linear cryptanalysis: zero-correlation linear cryptanalysis, a technique applicable to many block cipher constructions. It is based on linear approximations with a correlation value of exactly zero. For a permutation on n bits, an algorithm of complexity 2^{n-1} is proposed for the exact evaluation of correlation. Non-trivial zero-correlation linear approximations are demonstrated for various block cipher structures including AES, balanced Feistel networks, Skipjack, CLEFIA, and CAST256. As an example, using the zero-correlation linear cryptanalysis, a key-recovery attack is shown on 6 rounds of AES-192 and AES-256 as well as 13 rounds of CLEFIA-256.

167 citations


Book ChapterDOI
03 Mar 2014
TL;DR: In this paper, the authors apply a recently proposed technique for automatic search for differential trails in ARX ciphers and improve the trails in Simon32 and Simon48 previously reported as best.
Abstract: In this paper we continue the previous line of research on the analysis of the differential properties of the lightweight block ciphers Simon and Speck. We apply a recently proposed technique for automatic search for differential trails in ARX ciphers and improve the trails in Simon32 and Simon48 previously reported as best. We further extend the search technique for the case of differentials and improve the best previously reported differentials on Simon32, Simon48 and Simon64 by exploiting more effectively the strong differential effect of the cipher. We also present improved trails and differentials on Speck32, Speck48 and Speck64. Using these new results we improve the currently best known attacks on several versions of Simon and Speck. A second major contribution of the paper is a graph based algorithm (linear time) for the computation of the exact differential probability of the main building block of Simon: an AND operation preceded by two bitwise shift operations. This gives us a better insight into the differential property of the Simon round function and differential effect in the cipher. Our algorithm is general and works for any rotation constants. The presented techniques are generic and are therefore applicable to a broader class of ARX designs.

147 citations


Book ChapterDOI
03 Mar 2014
TL;DR: This paper presents differential attacks on Simon and Speck, two families of lightweight block ciphers that were presented by the U.S. National Security Agency in June 2013, and demonstrates the drawback of the intensive optimizations in Simon and Speck.
Abstract: This paper presents differential attacks on Simon and Speck, two families of lightweight block ciphers that were presented by the U.S. National Security Agency in June 2013. We describe attacks on up to slightly more than half the number of rounds. While our analysis is only of academic interest, it demonstrates the drawback of the intensive optimizations in Simon and Speck.

132 citations


Book ChapterDOI
07 Dec 2014
TL;DR: In this paper, a generic complexity analysis formula for mounting such attacks and new ideas for optimizing impossible differential cryptanalysis are presented, such as testing of parts of the internal state for reducing the number of involved key bits.
Abstract: Impossible differential cryptanalysis has shown to be a very powerful form of cryptanalysis against block ciphers. These attacks, even if extensively used, remain not fully understood because of their high technicality. Indeed, numerous are the applications where mistakes have been discovered or where the attacks lack optimality. This paper aims in a first step at formalizing and improving this type of attacks and in a second step at applying our work to block ciphers based on the Feistel construction. In this context, we derive generic complexity analysis formulas for mounting such attacks and develop new ideas for optimizing impossible differential cryptanalysis. These ideas include for example the testing of parts of the internal state for reducing the number of involved key bits. We also develop in a more general way the concept of using multiple differential paths, an idea introduced before in a more restrained context. These advances lead to the improvement of previous attacks against well known ciphers such as CLEFIA-128 and Camellia, while also to new attacks against 23-round LBlock and all members of the Simon family.

104 citations


Book ChapterDOI
14 Dec 2014
TL;DR: In this paper, the security of SIMON32, SIMON48/72 and SIMON48/96 was analyzed by using integral, zero-correlation linear and impossible differential cryptanalysis.
Abstract: SIMON family is one of the recent lightweight block cipher designs introduced by NSA. So far there have been several cryptanalytic results on this cipher by means of differential, linear and impossible differential cryptanalysis. In this paper, we study the security of SIMON32, SIMON48/72 and SIMON48/96 by using integral, zero-correlation linear and impossible differential cryptanalysis. Firstly, we present a novel experimental approach to construct the best known integral distinguishers of SIMON32. The small block size, 32 bits, of SIMON32 enables us to experimentally find a 15-round integral distinguisher, based on which we present a key recovery attack on 21-round SIMON32, while previous best results only achieved 19 rounds. Moreover, we attack 20-round SIMON32, 20-round SIMON48/72 and 21-round SIMON48/96 based on 11 and 12-round zero-correlation linear hulls of SIMON32 and SIMON48 respectively. Finally, we propose new impossible differential attacks which improve the previous impossible differential attacks. Our analysis shows that SIMON maintains enough security margin.

103 citations


Posted Content
TL;DR: In this article, a generic complexity analysis formula for mounting such attacks and new ideas for optimizing impossible differential cryptanalysis are presented, such as testing of parts of the internal state for reducing the number of involved key bits.
Abstract: Impossible differential cryptanalysis has shown to be a very powerful form of cryptanalysis against block ciphers. These attacks, even if extensively used, remain not fully understood because of their high technicality. Indeed, numerous are the applications where mistakes have been discovered or where the attacks lack optimality. This paper aims in a first step at formalizing and improving this type of attacks and in a second step at applying our work to block ciphers based on the Feistel construction. In this context, we derive generic complexity analysis formulas for mounting such attacks and develop new ideas for optimizing impossible differential cryptanalysis. These ideas include for example the testing of parts of the internal state for reducing the number of involved key bits. We also develop in a more general way the concept of using multiple differential paths, an idea introduced before in a more restrained context. These advances lead to the improvement of previous attacks against well known ciphers such as CLEFIA-128 and Camellia, while also to new attacks against 23-round LBlock and all members of the Simon family.

75 citations


Book ChapterDOI
25 Feb 2014
TL;DR: In this article, a tool for automatic search for differential trails in ARX ciphers is proposed, which can be applied to the block ciphers TEA, XTEA, SPECK and RAIDEN.
Abstract: We propose a tool for automatic search for differential trails in ARX ciphers. By introducing the concept of a partial difference distribution table (pDDT) we extend Matsui's algorithm, originally proposed for DES-like ciphers, to the class of ARX ciphers. To the best of our knowledge this is the first application of Matsui's algorithm to ciphers that do not have S-boxes. The tool is applied to the block ciphers TEA, XTEA, SPECK and RAIDEN. For RAIDEN we find an iterative characteristic on all 32 rounds that can be used to break the full cipher using standard differential cryptanalysis. This is the first cryptanalysis of the cipher in a non-related key setting. Differential trails on 9, 10 and 13 rounds are found for SPECK32, SPECK48 and SPECK64 respectively. The 13 round trail covers half of the total number of rounds. These are the first public results on the security analysis of SPECK. For TEA multiple full (i.e. not truncated) differential trails are reported for the first time, while for XTEA we confirm the previous best known trail reported by Hong et al. We also show closed formulas for computing the exact additive differential probabilities of the left and right shift operations.

65 citations


Proceedings ArticleDOI
23 Sep 2014
TL;DR: In this article, the authors propose two extremely stealthy hardware Trojans that facilitate fault-injection attacks in cryptographic blocks. But they do not describe how they can be used to inject faults into an ASIC implementation of the recently introduced lightweight cipher PRINCE.
Abstract: We propose two extremely stealthy hardware Trojans that facilitate fault-injection attacks in cryptographic blocks. The Trojans are carefully inserted to modify the electrical characteristics of predetermined transistors in a circuit by altering parameters such as doping concentration and dopant area. These Trojans are activated with very low probability under the presence of a slightly reduced supply voltage (0.001 for 20% Vdd reduction). We demonstrate the effectiveness of the Trojans by utilizing them to inject faults into an ASIC implementation of the recently introduced lightweight cipher PRINCE. Full circuit-level simulation followed by differential cryptanalysis demonstrates that the secret key can be reconstructed after around 5 fault-injections.

59 citations


Book ChapterDOI
11 May 2014
TL;DR: In this article, the complexity of the statistical saturation attack on PRESENT block cipher has been analyzed, and it has been shown that it is the same as a truncated differential attack.
Abstract: The mere number of various apparently different statistical attacks on block ciphers has raised the question about their relationships which would allow to classify them and determine those that give essentially complementary information about the security of block ciphers. While mathematical links between some statistical attacks have been derived in the last couple of years, the important link between general truncated differential and multidimensional linear attacks has been missing. In this work we close this gap. The new link is then exploited to relate the complexities of chosen-plaintext and known-plaintext distinguishing attacks of differential and linear types, and further, to explore the relations between the key-recovery attacks. Our analysis shows that a statistical saturation attack is the same as a truncated differential attack, which allows us, for the first time, to provide a justifiable analysis of the complexity of the statistical saturation attack and discuss its validity on 24 rounds of the PRESENT block cipher. By studying the data, time and memory complexities of a multidimensional linear key-recovery attack and its relation with a truncated differential one, we also show that in most cases a known-plaintext attack can be transformed into a less costly chosen-plaintext attack. In particular, we show that there is a differential attack in the chosen-plaintext model on 26 rounds of PRESENT with less memory complexity than the best previous attack, which assumes known plaintext. The links between the statistical attacks discussed in this paper give further examples of attacks where the method used to sample the data required by the statistical test is more differentiating than the method used for finding the distinguishing property.

57 citations


Journal ArticleDOI
TL;DR: The unified impossible differential finding method or UID-method is proposed, which is more effective than the U-method introduced by Kim et al. and can disprove Sung's long-standing conjecture that no such differential is possible for 16 or more rounds.

Book ChapterDOI
14 Aug 2014
TL;DR: The Simon and Speck block ciphers as mentioned in this paper were designed by the U.S. National Security Agency and published in 2013, and each of the families contains 10 variants, supporting a wide range of block and key sizes.
Abstract: Simon and Speck are families of lightweight block ciphers designed by the U.S. National Security Agency and published in 2013. Each of the families contains 10 variants, supporting a wide range of block and key sizes. Since the publication of Simon and Speck, several research papers analyzed their security using various cryptanalytic techniques. The best previously published attacks on all the 20 round-reduced ciphers are differential attacks, and are described in two papers (presented at FSE 2014) by Abed et al. and Biryukov et al.

Book ChapterDOI
03 Mar 2014
TL;DR: It is shown that the security offered by all the members of the family is not equivalent, by identifying an Sbox for which the attack can be extended up to \(11\) rounds with a data complexity of \(2^{59.81}\) and a time complexity of \(2^{62.43}\).
Abstract: PRINCE is a lightweight block cipher proposed by Borghoff et al. at Asiacrypt 2012. Due to its originality, novel design and low number of rounds, it has already attracted the attention of a large number of cryptanalysts. Several results on reduced versions have been published to date; the best one is an attack on \(8\) rounds out of the total number of \(12\). In this paper we improve this result by two rounds: we provide an attack on \(10\) rounds of the cipher with a data complexity of \(2^{57.94}\) and a time complexity of \(2^{60.62}\), corresponding to \(118.56\) security bits, instead of \(126\) for the generic attacks. Our attack uses multiple differentials and exploits some properties of PRINCE for recovering the whole key. PRINCE is defined as a member of a family of ciphers, differing by the choice of an Sbox among a distinguished set. We also show that the security offered by all the members of the family is not equivalent, by identifying an Sbox for which our attack can be extended up to \(11\) rounds with a data complexity of \(2^{59.81}\) and a time complexity of \(2^{62.43}\).

Journal ArticleDOI
TL;DR: The matrix method is adapted to find zero-correlation linear approximations for both variants of the LBlock as well as the block ciphers with analogous structures like TWINE and the attack does not exploit the structure of the key schedule or S-boxes used in the cipher.
Abstract: Zero-correlation linear attack is a new method developed by Bogdanov et al. (ASIACRYPT 2012. LNCS, Springer, Berlin, 2012) for the cryptanalysis of block ciphers. In this paper we adapt the matrix method to find zero-correlation linear approximations. Then we present several zero-correlation linear approximations for 14 rounds of LBlock and describe a cryptanalysis for a reduced 22-round version of LBlock. After biclique attacks on LBlock revealed weaknesses in its key schedule, its designers presented a new version of the cipher with a revised key schedule. The attack presented in this paper does not exploit the structure of the key schedule or S-boxes used in the cipher. As a result, it is applicable to both variants of the LBlock as well as the block ciphers with analogous structures like TWINE. Moreover, we performed simulations on a small variant LBlock and present the first experimental results on the theoretical model of the multidimensional zero-correlation linear cryptanalysis method.

Proceedings ArticleDOI
02 Oct 2014
TL;DR: The purpose of this paper is to describe and review the S-box properties in block ciphers and to propose a new model for analysing S-box properties that can be used to determine the strength and weakness of any S-box.
Abstract: In the field of cryptography, the substitution box (S-box) has become the most widely used component of ciphers. The process of creating new and powerful S-boxes never ends. Various methods are proposed to make the S-box stronger and harder to attack. The strength or weakness of an S-box will be determined through the analysis of S-box properties. However, the analysis of the properties of the S-box in block ciphers is still lacking because there are no specific guidelines and techniques based on S-box properties. Hence, the cipher is easier to attack by an adversary if the S-box properties are not robust. The purpose of this paper is to describe and review the S-box properties in block ciphers. As a result, for future work, a new model for analysing S-box properties will be proposed. The model can be used to analyse the properties to determine the strength and weakness of any S-box.

Book ChapterDOI
18 Oct 2014, SPACE
TL;DR: Using these guidelines, a new block cipher Khudra based on the recursive Feistel structure is designed, which has a 64-bit block size and 80 bits of key and is implemented on low-cost FPGAs.
Abstract: The paper shows that designing lightweight block ciphers for the increasingly popular Field Programmable Gate Arrays (FPGAs) needs a new revisit. It shows that due to the underlying FPGA architecture many popular techniques for lightweight block ciphers which work on Application Specific Integrated Circuits (ASICs) do not apply to FPGAs. The paper identifies new methods and design criteria for lightweight block ciphers operating on FPGAs. Using these guidelines, a new block cipher Khudra based on the recursive Feistel structure is designed, which has a 64-bit block size and 80 bits of key. Rigorous cryptanalysis, ranging from linear and differential cryptanalysis to more powerful attacks like impossible differential, related key attacks etc., has been performed to justify that 18 rounds of Khudra provide sufficient security margin. Finally, the cipher has been implemented in two different flavors, Khudra-I and Khudra-II, on low-cost FPGAs like Xilinx Spartan-III XC3S400 and extensively compared with other contemporary ciphers like PRESENT, Piccolo and compact implementations of other standard ciphers like AES, Camellia etc. The implementation results show that Khudra requires at least around 45% fewer slices and 29% less AT product compared to round-wise implementations of any of the contemporary lightweight block ciphers.

Journal ArticleDOI
TL;DR: By applying the combination of chosen-plaintext attack and differential attack, two efficient cryptanalysis methods are proposed that show that all the keystream can be revealed in an image scrambling scheme.
Abstract: Recently, an image scrambling scheme based on chaos theory and Vigenere cipher was proposed. The scrambling process is firstly to shift each pixel by sorting a chaotic sequence as Vigenere cipher, and then the pixel positions are shuffled by sorting another chaotic sequence. In this study, we analyze the security weakness of this scheme. By applying the combination of chosen-plaintext attack and differential attack, we propose two efficient cryptanalysis methods. Results show that all the keystream can be revealed. The original image scrambling scheme can be remedied by leveraging the MD5 hash value of the plain image as the initial condition of the chaotic system.

Journal ArticleDOI
TL;DR: In this article, the authors combine two powerful methods of symmetric cryptanalysis: rotational cryptanalysis and the rebound attack, and apply their new compositional attack to the reduced version of the hash function Skein, a finalist of the SHA-3 competition.
Abstract: In this paper we combine two powerful methods of symmetric cryptanalysis: rotational cryptanalysis and the rebound attack. Rotational cryptanalysis was designed for the analysis of bit-oriented designs like ARX (Addition-Rotation-XOR) schemes. It has been applied to several hash functions and block ciphers, including the new standard SHA-3 (Keccak). The rebound attack is a start-from-the-middle approach for finding differential paths and conforming pairs in byte-oriented designs like Substitution-Permutation networks and AES. We apply our new compositional attack to the reduced version of the hash function Skein, a finalist of the SHA-3 competition. Our attack penetrates more than two thirds of the Skein core, the cipher Threefish, and made the designers change the submission in order to prevent it. The rebound part of our attack has been significantly enhanced to deliver results on the largest number of rounds. We also use neutral bits and message modification methods from the practice of collision search in MD5 and SHA-1 hash functions. These methods push the rotational property through more rounds than previous analysis suggested, and eventually establish a distinguishing property for the reduced Threefish cipher. We formally prove that such a property cannot be found for an ideal cipher within the complexity limits of our attack. The complexity estimates are supported by extensive experiments.

Book ChapterDOI
25 Feb 2014
TL;DR: In this article, the authors present a thorough security analysis of the hash function family BLAKE2, a recently proposed and already in use tweaked version of the SHA-3 finalist.
Abstract: We present a thorough security analysis of the hash function family BLAKE2, a recently proposed and already in use tweaked version of the SHA-3 finalist BLAKE. We study how existing attacks on BLAKE apply to BLAKE2 and to what extent the modifications impact the attacks. We design and run two improved searches for (impossible) differential attacks — the outcomes suggest a higher number of attacked rounds in the case of impossible differentials (in fact we improve the best results for BLAKE as well), and slightly higher for the differential attacks on the hash/compression function (which gives an insight into the quality of the tweaks). We emphasize the importance of each of the modifications, in particular we show that an improper initialization could lead to collisions and near-collisions for the full-round compression function. We analyze the permutation of the new hash function and give rotational attacks and internal differentials for the whole design. We conclude that the tweaks in BLAKE2 were chosen properly and, despite having weaknesses in the theoretical attack frameworks of permutations and of fully-chosen state input compression functions, the hash function of BLAKE2 has only a slightly lower (in terms of attacked rounds) security margin than BLAKE.

Book ChapterDOI
13 Apr 2014
TL;DR: In this paper, a detailed mathematical study of two theoretical distinguishers based on the Kolmogorov-Smirnov (KS) distance is carried out, which includes a proof of soundness and derivation of closed-form expressions, which can be split into two factors: one depending only on the noise and the other on the confusion coefficient of Fei, Luo and Ding.
Abstract: In this paper, we carry out a detailed mathematical study of two theoretical distinguishers based on the Kolmogorov-Smirnov (KS) distance. This includes a proof of soundness and the derivation of closed-form expressions, which can be split into two factors: one depending only on the noise and the other on the confusion coefficient of Fei, Luo and Ding. This allows one to have a deeper understanding of the relative influences of the signal-to-noise ratio and the confusion coefficient on the distinguisher's performance. Moreover, one is able to directly compare distinguishers based on their closed-form expressions instead of using evaluation metrics that might obscure the actual performance and favor one distinguisher over the other. Furthermore, we formalize the link between the confusion coefficient and differential cryptanalysis, which shows that the more resistant an S-box is to differential attacks, the weaker it is against side-channel attacks, and vice versa.

Proceedings ArticleDOI
28 Aug 2014
TL;DR: Surprisingly, no key guessing is required if pairs which satisfy a strong truncated differential property are available; this reflects the power of combining truncated differentials with algebraic attacks in ciphers of low non-linearity and shows that such ciphers require a large number of rounds to be secure.
Abstract: Recently, two families of ultra-lightweight block ciphers were proposed, SIMON and SPECK, which come in a variety of block and key sizes (Beaulieu et al., 2013). They are designed to offer excellent performance for hardware and software implementations (Beaulieu et al., 2013; Aysu et al., 2014). In this paper, we study the resistance of SIMON-64/128 with respect to algebraic attacks. Its round function has very low Multiplicative Complexity (MC) (Boyar et al., 2000; Boyar and Peralta, 2010) and very low non-linearity (Boyar et al., 2013; Courtois et al., 2011) since the only non-linear component is the bitwise multiplication operation. Such ciphers are expected to be very good candidates to be broken by algebraic attacks and combinations with truncated differentials (additional work by the same authors). We algebraically encode the cipher and then, using guess-then-determine techniques, we try to solve the underlying system using either a SAT solver (Bard et al., 2007) or the ElimLin algorithm (Courtois et al., 2012b). We consider several settings where P-C pairs that satisfy certain properties are available, such as low Hamming distance or following a strong truncated differential property (Knudsen, 1995). We manage to break faster than brute force up to 10/44 rounds for most cases we have tried. Surprisingly, no key guessing is required if pairs which satisfy a strong truncated differential property are available. This reflects the power of combining truncated differentials with algebraic attacks in ciphers of low non-linearity and shows that such ciphers require a large number of rounds to be secure.

Journal ArticleDOI
TL;DR: In this article, the authors presented a framework for biclique cryptanalysis of block ciphers which requires an extremely low amount of data, which can be achieved by choosing two differential characteristics to simultaneously minimize the data complexity and control the computational complexity.
Abstract: In this paper, we present a framework for biclique cryptanalysis of block ciphers which requires an extremely low amount of data. To that end, we enjoy a new representation of the biclique attack based on a new concept of cutset that describes our attack more clearly. Then, an algorithm for choosing two differential characteristics is presented to simultaneously minimize the data complexity and control the computational complexity. Then, we characterize those block ciphers that are vulnerable to this technique and among them, we apply this attack on the lightweight block ciphers Piccolo-80, Piccolo-128, and HIGHT. The data complexity of these attacks is only 16 plaintext-ciphertext pairs, which is considerably less than the existing cryptanalytic results. In all the attacks, the computational complexity remains the same as the previous ones or is even slightly improved.

Proceedings ArticleDOI
23 Sep 2014
TL;DR: A novel fault attack against Substitution Permutation Networks that relies only on the number of faulty ciphertexts originating from the same unknown plaintext and can be applied against any round, thus any round key can be extracted.
Abstract: This paper presents a novel fault attack against Substitution Permutation Networks. The main advantage of the method is that there is no need to know the exact cipher's input and output values. The attack relies only on the number of faulty ciphertexts originating from the same unknown plaintext. The underlying fault model is multiple bit-set or bit-reset faults injected several times at the same intermediate round state. This method can be applied against any round, thus any round key can be extracted. The attack was shown to be efficient by simulation against several SPN block ciphers.

Book ChapterDOI
03 Mar 2014
TL;DR: An exact expression of the bias of a differential-linear approximation in a closed form is given under the sole assumption that the two parts of the cipher are independent, and it is shown how to approximate the bias efficiently, and perform experiments on it.
Abstract: Block ciphers are arguably the most widely used type of cryptographic primitives. We are not able to assess the security of a block cipher as such, but only its security against known attacks. The two main classes of attacks are linear and differential attacks and their variants. While a fundamental link between differential and linear cryptanalysis was already given in 1994 by Chabaud and Vaudenay, these attacks have been studied independently. Only recently, in 2013, Blondeau and Nyberg used the link to compute the probability of a differential given the correlations of many linear approximations. On the cryptanalytical side, differential and linear attacks have been applied on different parts of the cipher and then combined to one distinguisher over the cipher. This method is known since 1994 when Langford and Hellman presented the first differential-linear cryptanalysis of the DES. In this paper we take the natural step and apply the theoretical link between linear and differential cryptanalysis to differential-linear cryptanalysis to develop a concise theory of this method. We give an exact expression of the bias of a differential-linear approximation in a closed form under the sole assumption that the two parts of the cipher are independent. We also show how, under a clear assumption, to approximate the bias efficiently, and perform experiments on it. In this sense, by stating minimal assumptions, we hereby complement and unify the previous approaches proposed by Biham et al. in 2002-2003, Liu et al. in 2009, and Lu in 2012, to the study of the method of differential-linear cryptanalysis.

Proceedings ArticleDOI
03 Apr 2014
TL;DR: A method of deciphering encrypted messages of Vigenere cipher cryptosystems by Genetic Algorithm using elitism with a novel fitness function and concludes that the proposed algorithm can reduce the time complexity and gives better results for such optimization problems.
Abstract: In today's world, with increasing usage of computer networks and the internet, the importance of network, computer and information security is obvious. One of the widely used approaches for information security is Cryptography. Cryptanalysis is a way to break the cipher text without having the encryption key. This paper describes a method of deciphering encrypted messages of Vigenère cipher cryptosystems by a Genetic Algorithm using elitism with a novel fitness function. The roulette wheel method, two-point crossover and cross mutation are used for selection and for the generation of the new population. We conclude that the proposed algorithm can reduce the time complexity and gives better results for such optimization problems.

Journal ArticleDOI
TL;DR: In this article, the security of an image cipher based on transformed logistic maps is evaluated and it is shown that the image cipher can be deciphered efficiently under two different conditions: 1) two pairs of known plain-images and the corresponding cipher-images with computational complexity of $O(2^{18}+L)$; 2) two pairs of chosen plain-images and the corresponding cipher-images with computational complexity of $O(L)$, where $L$ is the number of pixels in the plain-image.
Abstract: Since John von Neumann suggested utilizing Logistic map as a random number generator in 1947, a great number of encryption schemes based on Logistic map and/or its variants have been proposed. This paper re-evaluates the security of an image cipher based on transformed logistic maps and proves that the image cipher can be deciphered efficiently under two different conditions: 1) two pairs of known plain-images and the corresponding cipher-images with computational complexity of $O(2^{18}+L)$; 2) two pairs of chosen plain-images and the corresponding cipher-images with computational complexity of $O(L)$, where $L$ is the number of pixels in the plain-image. In contrast, the required condition in the previous deciphering method is eighty-seven pairs of chosen plain-images and the corresponding cipher-images with computational complexity of $O(2^{7}+L)$. In addition, three other security flaws existing in most Logistic-map-based ciphers are also reported.

Book ChapterDOI
07 Jul 2014
TL;DR: Knellwolf’s attacks on Grain v1 are revisited and a theoretical framework is provided that serves to prove the correctness of these attacks.
Abstract: As far as the Differential Cryptanalysis of reduced round Grain v1 is concerned, the best results were those published by Knellwolf et al. in Asiacrypt 2011. In an extended version of the paper, it was shown that it was possible to retrieve (i) 5 expressions in the Secret Key bits for a variant of Grain v1 that employs 97 rounds (in place of 160) in its Key Scheduling process using $2^{27}$ chosen IVs and (ii) 1 expression in Secret Key bits for a variant that employs 104 rounds in its Key Scheduling using $2^{35}$ chosen IVs. The authors had arrived at the values of these Secret Key expressions by observing certain biases in the keystream bits generated by the chosen IVs. These biases were observed purely experimentally and no theoretical justification was provided for the same. In this paper, we will revisit Knellwolf’s attacks on Grain v1 and try to provide a theoretical framework that will serve to prove the correctness of these attacks. We will also look at open problems which may possibly pave the way for further research on Differential Cryptanalysis of Grain v1.

Posted Content
TL;DR: In this paper, the authors present an in-depth complexity analysis of impossible differential attacks with generic formulas for their time, data and memory complexities, and apply it to LBlock to break 23 rounds in the single-key model with time complexity $2^{75.36}$ and data complexity $2^{59}$.
Abstract: Impossible differential attacks are among the most powerful forms of cryptanalysis against block ciphers. We present in this paper an in-depth complexity analysis of these attacks. We show a unified way to mount such attacks and provide generic formulas for estimating their time, data and memory complexities. LBlock is a well studied lightweight block cipher with respect to impossible differential attacks. While previous single-key cryptanalysis reached up to 22 rounds, by applying our method we are able to break 23 rounds with time complexity $2^{75.36}$ and data complexity $2^{59}$. Other time/data trade-offs are equally possible. This is to our knowledge the best (non-exhaustive search like) cryptanalysis of this function in the single-key model.

Proceedings ArticleDOI
06 Nov 2014
TL;DR: The results show that, even with a small amount of samples, the neural network was able to map the relation between inputs, keys and outputs and to obtain the correct values for the key bits $k_0$, $k_1$ and $k_4$.
Abstract: In this work we show the application of a neural cryptanalysis approach to S-DES input-output-key data to test if it is capable of mapping the relations among these elements. The results show that, even with a small amount of samples (about 0.8% of all data), the neural network was able to map the relation between inputs, keys and outputs and to obtain the correct values for the key bits $k_0$, $k_1$ and $k_4$. By applying differential cryptanalysis techniques on the key space, it was possible to show that there is an explanation for the neural network's partial success with some key bits. After implementing new S-boxes, which are more resistant to the differential attack, the neural network was not able to point out bits of the key any more. We believe that this new methodology of attack and repair assessment using neural networks has the potential to contribute to the future analysis of other cryptographic algorithms.

Journal ArticleDOI
TL;DR: A new algebraic construction method based on MDS codes for 8×8 and 16×16 involutory and non-involutory binary matrices of branch numbers 5 and 8, respectively, is presented.
Abstract: Maximum Distance Separable (MDS) and Maximum Distance Binary Linear (MDBL) codes are used as diffusion layers in the design of well-known block ciphers like the Advanced Encryption Standard, Khazad, Camellia, and ARIA. The reason for the use of these codes in the design of block ciphers is that they provide optimal diffusion effect to meet security of a round function of a block cipher. On the other hand, the constructions of these diffusion layers are various. For example, whereas the Advanced Encryption Standard uses a 4×4 MDS matrix over $GF(2^8)$, ARIA uses a 16×16 involutory binary matrix over $GF(2^8)$. The most important cryptographic property of a diffusion layer is the branch number of that diffusion layer, which represents the diffusion rate and measures security against linear and differential cryptanalysis. Therefore, MDS and Maximum Distance Binary Linear codes, which provide maximum branch number for a diffusion layer, are preferred in the design of block ciphers as diffusion layers. In this paper, we present a new algebraic construction method based on MDS codes for 8×8 and 16×16 involutory and non-involutory binary matrices of branch numbers 5 and 8, respectively. By using this construction method, we also show some examples of these diffusion layers. Copyright © 2012 John Wiley & Sons, Ltd.