Wave-Shaped Round Functions and Primitive Groups

Round functions used as building blocks for iterated block ciphers, both in the case of Substitution-Permutation Networks (SPN) and Feistel Networks (FN), are often obtained as the composition of different layers which provide confusion and diffusion, and of key additions. The bijectivity of any encryption function, crucial in order to make decryption possible, is guaranteed by the use of invertible layers or by the Feistel structure. In this work a new family of ciphers, called wave ciphers, is introduced. In wave ciphers, round functions feature wave functions, which are vectorial Boolean functions obtained as the composition of non-invertible layers, where the confusion layer enlarges the message, which returns to its original size after the diffusion layer is applied. This is motivated by the fact that relaxing the requirement that all the layers be invertible allows one to consider more functions which are optimal with regard to non-linearity. In particular, it allows one to consider injective APN S-boxes. In order to guarantee efficient decryption we propose to use wave functions in Feistel Networks. With regard to security, the immunity from some group-theoretical attacks is investigated. In particular, it is shown how to avoid that the group generated by the round functions acts imprimitively, which represents a serious flaw for the cipher. The primitivity of this group is derived as a consequence of a more general result, which allows one to reduce the problem


Introduction
Most modern block ciphers belong to two families of symmetric cryptosystems, i.e. Substitution-Permutation Networks (SPN) and Feistel Networks (FN), and are obtained as the composition of round functions. Each round function is a key-dependent permutation of the plaintext space, designed so as to provide both confusion and diffusion (see [32]). Confusion is provided most of the time by means of a non-linear layer which applies Boolean functions, called S-boxes, whereas a linear map, called the diffusion layer, provides diffusion. In order to perform decryption, invertible layers and the Feistel structure are used in SPNs and FNs, respectively. In the framework of SPNs, which have been widely studied in recent years, especially after the selection process for the NIST standard AES [20], decryption is performed by applying in reverse order the inverse of each layer of the cipher. In the case of FNs, it is the Feistel structure itself that guarantees fast decryption.

Motivation and design principles
It is well-known that the non-linearity of the confusion layer is a crucial parameter for the security of a cipher. In particular, in order to prevent statistical attacks (e.g. differential [8] and linear [26] cryptanalysis), block cipher designers are interested in invertible S-boxes reaching the best possible differential uniformity, which is two. Functions satisfying this property are called almost perfect non-linear (APN) [27] and are extensively studied. Unfortunately, APN permutations are known only when the dimension s of the input space of the S-box is odd, except for the case of Dillon's function (s = 6) [9], which nowadays represents the only isolated case [15]. It has been shown that no permutation with s = 4 is APN [13,24], and the problem is still open for s ≥ 8. On the other hand, the cases s ∈ {4, 8} are the most used for implementation reasons. In this paper we show how to define ciphers whose S-boxes are injective APN functions with s inputs, s even. We do this by considering non-invertible S-boxes, focusing on injective confusion layers which enlarge the message. Notice that a similar approach is taken in the block cipher CAST-128, where 8 × 32 S-boxes are used [1]. After the confusion layer is applied, a surjective diffusion layer reduces the message to its original size. By appending a key addition to the previous layers, we obtain a vectorial Boolean function which we call a wave function. Consequently, a wave cipher is a block cipher featuring wave functions in its structure. In order to guarantee efficient decryption, we propose to use wave functions inside an FN-like framework. The opposite scenario has been considered in DES [22] and Picaro [30], where an expanding linear layer is followed by a compressing confusion layer.
Algebraic security
Algebraic attacks might also represent serious threats, as we elaborate below. It is possible to link some algebraic properties of the confusion and diffusion layers to algebraic weaknesses of the corresponding cipher. Firstly, in 1975 Coppersmith and Grossman [19] considered a set of functions which can be used to define a block cipher and, by studying the permutation group generated by them, opened the way to a new branch of research focused on group-theoretical properties which can reveal weaknesses of the cipher itself. As proved in [25], if such a group is too small, then the cipher is vulnerable to birthday-paradox attacks. Recently, in [12] the authors proved that if such a group is contained in an isomorphic image of the affine group of the message space induced by a hidden sum, then it is possible to embed a dangerous trapdoor in the cipher. More relevantly, in [28] Paterson built a DES-like cipher, resistant to both linear and differential cryptanalysis, whose encryption functions generate an imprimitive group, and showed how knowledge of this trapdoor can be turned into an efficient attack on the cipher. For this reason, a branch of research in symmetric cryptography is focused on showing that the group generated by the encryption functions of a given cipher is primitive and not of affine type (see [4,5,6,11,17,18,31,33,34,35]). In this sense, our purpose is to give sufficient conditions for the primitivity of the group generated by the round functions of a wave cipher. These conditions result naturally from our general investigation of the link between the primitivity of the group generated by the rounds of an SPN and that of an FN. In particular, we prove a general result which links the primitivity of the group generated by the round functions of an FN to the primitivity of the group generated by the rounds of an SPN-like cipher whose round functions are the ones performed within each round of the FN. In this paper we aim at proving that it is possible to define a new family of block ciphers, which may feature injective APN S-boxes of even size, whose round functions generate a primitive group. We propose a general framework for block ciphers which produces ciphers that are provably secure, under some cryptographic assumptions, with respect to the imprimitivity attack. In order to prove the security of a given wave cipher with respect to other classical statistical attacks (e.g. linear and differential cryptanalysis), the single instance under consideration has to be analysed.

Description of the paper
The paper is organised as follows:
• In Section 2 our notation is presented, as well as some basic definitions and results concerning the non-linearity of Boolean functions and primitive permutation groups. In particular, after having presented the main differences between SPNs and FNs, we introduce the notion of classical round function, which allows us to describe both cipher families formally in a unified way, provided the round key is used as a translation (i.e., the key addition is the usual XOR).
• Section 3 includes our definitions of wave functions and wave ciphers. We also show an example of an APN 4 × 5 S-box, which is suitable for building a strong wave function.
• In Section 4 a group-theoretical result is shown which, as a consequence, links the primitivity of the action of an SPN with that of an FN (Theorem 4.5). Thanks to Theorem 4.5, we prove that the group generated by the round functions of a wave cipher is primitive under some standard cryptographic assumptions on the underlying wave functions (Theorem 4.9).
• In Section 5 a concrete example of a 64-bit wave cipher is designed by selecting an APN 4 × 5 S-box and a 40 × 32 diffusion layer, and its resistance against differential and linear cryptanalysis is proved.
• Section 6 concludes the paper and discusses some open problems.

Notation and preliminaries
Throughout this paper we use postfix notation for every function evaluation, i.e. if f is a function and x an element in the domain of f, we denote by xf the evaluation of f at x. We denote by Im f the range of f and by Y f −1 the pre-image of a set Y.
A block cipher Φ is a family of key-dependent permutations where M is the message space, K the key space, and M ≤ K. The permutation E K is called the encryption function induced by the master key K. The block cipher Φ is called an iterated block cipher if there exists r ∈ N such that for each K ∈ K the encryption function E K is the composition of r round functions, i.e.
To provide efficiency, each round function is the composition of a public component provided by the designers and a private component derived from the user-provided key by means of a public procedure known as the key-schedule.
In the theory of modern iterated block ciphers, two frameworks are mainly considered: Substitution-Permutation Networks (see e.g. AES [20], SERPENT [2], PRESENT [10]) and Feistel Networks (see e.g. Camellia [3], GOST [21]). Figure 1 depicts the general framework of SPNs and FNs and their round functions; one can note that inside the round function of an FN, a function called the F-function is applied to one half of the state. In both cases, the principles of confusion and diffusion suggested by Shannon [32] are implemented by considering each round function (resp. F-function) as the composition of key-induced permutations as well as non-linear confusion layers and linear diffusion layers, which are invertible in the case of SPNs and preferably (but not necessarily) invertible in the case of FNs. We now define a class of round functions for iterated block ciphers which is large enough to include the round functions of well-established SPNs, e.g. AES, PRESENT, SERPENT, and the F-functions of FNs like Camellia. Notice that, for the sake of simplicity, atypical rounds are not considered in this description.
Let n ∈ N and let us denote V = (F 2 ) n . Let us suppose dim(V) = n = bs and let us write V = V 1 ⊕ . . . ⊕ V b , where for 1 ≤ j ≤ b, dim(V j ) = s and ⊕ represents the direct sum of vector subspaces. The subspaces V j 's are called bricks. We denote by Sym(V) the symmetric group acting on V, i.e. the group of all permutations of V. Let us also denote by AGL(V) the group of all affine permutations of V, which is a primitive maximal subgroup of Sym(V).
A classical round function on V is a map of the form γλσ k , where:
• γ is a non-linear permutation (parallel S-box) which acts in a parallel way on each V j . The maps γ j ∶ V j → V j are traditionally called S-boxes;
• λ ∈ Sym(V) is a linear map;
• σ k ∶ V → V, x ↦ x + k represents the addition with the round key k, where + is the usual bitwise XOR.
When used inside block ciphers, the round keys in V are derived by the designer-provided key-scheduling function from the master key K ∈ K. Since, as we will discuss later in detail, studying the role of the key-schedule is out of the scope of this paper, one can simply suppose that round keys are stochastically independent, randomly generated vectors in V.
In the modern literature, the terms "SPN" and "FN" may refer to a very diverse variety of ciphers. For the purposes of this paper we choose to focus only on ciphers with a XOR-based key addition. For this reason, by SPN we refer to any cipher {E K ∣ K ∈ K} ⊆ Sym(M) having an SPN-like structure with M = V and classical round functions on V as round functions, and by FN to any cipher {E K ∣ K ∈ K} ⊆ Sym(M) having an FN-like structure with M = V × V and classical round functions on V as F-functions. Notice that SPNs featuring a XOR-based key addition have also been called translation-based ciphers in [18].
It is well-established that security against standard statistical attacks comes from the interaction between the high non-linearity of the confusion layer and the avalanche effect guaranteed by the diffusion layer. The following section is a quick overview of one of the most used notions of non-linearity for Boolean functions, which is mainly used to prevent differential cryptanalysis [8] and other statistical attacks.

Notions of non-linearity for Boolean functions
Let f ∶ (F 2 ) s → (F 2 ) t be a vectorial Boolean function and u ∈ (F 2 ) s . The derivative of f in the direction u, denoted by f u , is the function x ↦ xf + (x + u)f. The following definitions give an estimate of the non-linearity of f (see [27]).
The difference distribution table (DDT) of f is the integer table whose entry at (u, v) counts the x ∈ (F 2 ) s with x f u = v, for u ∈ (F 2 ) s and v ∈ (F 2 ) t . The differential uniformity δ(f) of f is the largest entry of the DDT over u ≠ 0, and f is called δ-differentially uniform if δ(f) ≤ δ. It is well-known that δ(f) ≥ 2, and functions reaching the bound δ(f) = 2 are called almost perfect non-linear (APN). Furthermore, it is easy to show that, if f is δ-differentially uniform, then for each u ∈ (F 2 ) s ∖ {0} it holds that |Im f u | ≥ 2 s /δ. The requirement of Definition 2.2 is essentially a condition on the pre-images of the derivatives of f. Alternative definitions focused on the images of the derivatives of f have been given, e.g. in [16,18]. In particular, a function f satisfying such an image-based condition is called weakly δ-differentially uniform. It is straightforward to verify that if f is δ-differentially uniform, then it is also weakly δ-differentially uniform.

Group generated by the round functions
As already explained in Section 1, statistical attacks are just some of the issues that can threaten block ciphers. Several researchers have shown in recent years that algebraic attacks can also be effective. In this paper we focus on a particular group-theoretical attack, described in [28], based on an undesirable property of the permutation group generated by the round functions of a cipher: imprimitivity.
Let Φ = {E K ∣ K ∈ K} ⊆ Sym(M) be an r-round iterated block cipher. We have stressed that the group Γ(Φ) generated by all encryption functions can reveal weaknesses of the cipher. However, the study of Γ(Φ) is not an easy task in general, since it strongly depends on the key-scheduling function (for an example of a key-schedule related study, see [7]). Hence one focuses on a group which is strictly related to Γ(Φ) and which allows one to ignore the effect of the key-schedule. For this reason, we do not discuss any key-schedule from now on. Since each permutation E K is the composition of r round functions where all the possible round keys for round h are considered, and so the group

Imprimitive groups
We recall some basic notions from permutation group theory. Let G be a finite group acting on the set M. For each g ∈ G and v ∈ M we denote the action of g on v by vg. We denote by vG = {vg ∣ g ∈ G} the orbit of v ∈ M and by G v the stabiliser of v. A block system for G is a partition B of M, other than {M} and the partition into singletons, which is preserved by the action of G; any B ∈ B is called an imprimitivity block. The group G is primitive in its action on M (or G acts primitively on M) if G is transitive and there exists no block system. Otherwise, the group G is imprimitive in its action on M (or G acts imprimitively on M). We recall the following well-known results, which will be useful in the remainder of the paper and whose proofs may be found e.g. in [14].
Lemma 2.3. A block of imprimitivity is the orbit vH of a proper subgroup H < G that properly contains the stabiliser G v , for some v ∈ M.
Lemma 2.4. If T is a transitive subgroup of G, then a block system for G is also a block system for T.
Lemma 2.5. Let us assume that M is a finite vector space over F 2 and T its translation group, i.e. the group of all maps σ v ∶ x ↦ x + v with v ∈ M.
The group T is transitive and imprimitive on M. Moreover, for any proper and non-trivial subgroup U of (M, +), {U + v ∣ v ∈ M} is a block system.

Imprimitivity attack
The cryptanalysts' interest in the imprimitivity of the group generated by the round functions of a block cipher arises from the study performed in [28], where it is shown how the imprimitivity of the group can be exploited to construct a trapdoor that may be hard to detect. In particular, the author gave an example of a DES-like cipher which can be easily broken since its round functions generate an imprimitive group, but which is resistant to both linear and differential cryptanalysis.

Wave ciphers
The aim of this section is to define ciphers whose inner layers are not necessarily invertible, in order to use APN vectorial Boolean functions as S-boxes (even when the S-box input size is four or eight). We focus on the case of wave-shaped round functions, which feature a first layer which enlarges the state, a second which reduces its size, and a key addition. These round functions are employed in place of classical round functions for both SPNs and FNs. To do so, let us recall that n = bs ∈ N and V = (F 2 ) n , and let W = W 1 ⊕ . . . ⊕ W b . The subspaces W j 's, like the subspaces V j 's, are called bricks. What follows is a generalisation of the concept of classical round function.
A wave function on V is a map of the form ε k = γλσ k , where:
• the confusion layer γ ∶ V → W acts in a parallel way on each V j . The maps γ j ∶ V j → W j are called S-boxes;
• λ ∶ W → V is a surjective linear map;
• σ k ∶ V → V, x ↦ x + k is the round key addition.
Notice that, although the hypothesis of each layer being singularly invertible may be relaxed, decryption is granted only if each wave function is invertible as a whole. The following result gives a condition on the confusion and diffusion layers which ensures that a wave function is a permutation.
Lemma 3.2. Let ε k = γλσ k be a wave function. The following are equivalent:

Using a 4 × 5 APN function
The function γ 1 ∶ (F 2 ) 4 → (F 2 ) 5 displayed in Figure 3 is an example of a 4 × 5 injective function which is APN, as can be seen from its DDT displayed in Table 1 on the last page of this paper. Each vector is interpreted as a binary number, most significant bit first, and then represented in hexadecimal notation (e.g. (0, 0, 0, 1) = 1 x ). With an eye on using this function as an S-box for a wave function, one has to verify that there exists a diffusion layer satisfying the hypothesis of Lemma 3.2. It holds that Im(γ 1 ) ⊂ (F 2 ) 5 ; moreover, it is easy to check that |{a + b ∣ a, b ∈ Im(γ 1 )}| = 31, the missing vector in (F 2 ) 5 being ξ def = 11 x . A possible way to design a cipher whose confusion layer applies in parallel b copies of the S-box γ 1 is to determine a diffusion layer λ whose null space is Span F2 {(ξ, 0, . . ., 0), (0, ξ, 0, . . ., 0), . . ., (0, 0, . . ., ξ)}, where 0 denotes the zero vector in (F 2 ) 5 . Hypothesis 1 of Lemma 3.2 is then satisfied, hence all the produced wave functions are bijective. Such a diffusion layer features a parallel kernel, i.e.
This important feature will also be exploited in the following sections. Notice that it is not hard to find examples of such APN functions. Indeed, it is possible to construct an APN map γ ∶ (F 2 ) n → (F 2 ) n+1 by first considering a function defined over (F 2 ) n and then extending its image to (F 2 ) n+1 by adding an extra bit. Alternatively, it is possible to embed (F 2 ) n into (F 2 ) n+1 and then consider an APN map defined over (F 2 ) n+1 . The map γ 1 has been obtained using the first approach on the power function x ↦ x −1 .

Feistel Networks with wave functions
Since our goal is to use the previously defined wave functions inside a cipher, we now define a wave cipher as an FN whose F-function is a wave function. The straightforward decryption of Feistel Networks encourages this choice.
Before defining wave ciphers, we generalise a standard security requirement for diffusion layers [18] to the case of surjective maps.
Definition 3.4. A wall of V (resp. W) is any non-trivial and proper sum of bricks of V (resp. W). A surjective linear transformation λ ∶ W → V is a proper diffusion layer if for any wall W ′ = ⊕ j∈I W j of W and V ′ = ⊕ j∈I V j of V, where I ⊂ {1, . . ., b}, then In other terms, if π ∶ W → W/Ker λ is the canonical projection of W onto W/Ker(λ), λ is proper if there exists no wall We are now ready to define our new class of block ciphers, having M = V × V as message space. In what follows, 0 n and 1 n denote the zero matrix of size n × n and the identity matrix of size n, respectively. Moreover, for any given ). The latter is called the Feistel operator induced by f and, as we will discuss further, allows us to give an algebraic description of FNs.
Definition 3.5. An r-round wave cipher Φ is a family of encryption functions {E K ∣ K ∈ K} ⊆ Sym(V × V) such that for each K ∈ K the map E K is the composition of r functions. More precisely E K = ε̄ 1,K ε̄ 2,K . . . ε̄ r,K , where ε i,K = γλσ ki is an n-bit wave function such that
• λ is a proper diffusion layer,
• the key-schedule K → V r , K ↦ (k 1 , k 2 , . . ., k r ), is surjective with respect to every round.
The function ρ def = γλ is called the generating function of the cipher.
Let us notice that the ciphers just introduced are FNs featuring a wave function as F-function. Indeed, given where the operator ε̄ i,K induces the Feistel structure, as shown in Figure 4. Moreover ε̄ i,K is invertible with the following inverse

Figure 4: Feistel structure of wave ciphers
It is indeed an easy check that Note that, as for any FN, the inverse ε̄ i,K −1 of the round function ε̄ i,K does not involve the inverse of the wave function ε i,K .
Let ρ be the generating function of a wave cipher Φ, and ρ̄ the corresponding Feistel operator Then ε̄ i,K = ρ̄ σ (0,ki) , and so ⟨ T (0,n) , ρ̄ ⟩ is the group generated by the round functions of the wave cipher Φ.
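As an added illustration (not code from the paper), the following Python builds a toy wave cipher on V = (F 2 ) 8 with two bricks, tying together Sections 2.2, 3.1 and 3.2: a constructed injective 4 × 5 S-box obtained, as described above, from x ↦ x −1 on F 16 plus an extra output bit (it is not the γ 1 of Figure 3, although its missing sum vector is also 11 x ), the DDT and differential uniformity, a constructed 10 → 8 diffusion layer whose kernel is spanned by copies of ξ, the resulting bijective ρ = γλ, and the Feistel round whose inverse uses ρ but never ρ −1 . The Feistel operator is assumed to be (x, y) ↦ (y, x + yρ), the form consistent with the identity ρ̄σ (0,k) = σ (k,0) ρ̄ used in Section 4.1.

```python
"""Toy wave cipher on V = (F_2)^8 with two 4-bit bricks (b = 2, s = 4, t = 5).
Constructed for illustration: the S-box is x -> x^-1 on F_16 plus an extra
output bit, NOT the gamma_1 of Figure 3, and the 10 -> 8 diffusion layer is
NOT the paper's 40 x 32 one."""

S, T, B = 4, 5, 2        # S-box input bits, S-box output bits, number of bricks
N, M = S * B, T * B      # dim V = 8, dim W = 10

def gf16_mul(a, b):
    """Multiplication in F_16 = F_2[x] / (x^4 + x + 1)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = (a << 1) ^ (0x13 if a & 0x08 else 0), b >> 1
    return r

def gf16_inv(a):
    """x -> x^-1 on F_16 (with 0 -> 0), computed as x^14."""
    r = 1
    for _ in range(14):
        r = gf16_mul(r, a)
    return r

def sbox(x):
    """Constructed injective 4x5 S-box: (x^-1, [x != 0]) followed by the linear
    output change w -> w + (top bit of w), chosen so the missing sum is 0x11."""
    return 0 if x == 0 else 0x10 | (gf16_inv(x) ^ 1)

def ddt(f, s, t):
    """Difference distribution table of f: (F_2)^s -> (F_2)^t (Section 2.2)."""
    table = [[0] * (1 << t) for _ in range(1 << s)]
    for u in range(1 << s):
        for x in range(1 << s):
            table[u][f(x) ^ f(x ^ u)] += 1
    return table

def differential_uniformity(f, s, t):
    """delta(f): largest DDT entry over non-zero input differences; 2 means APN."""
    return max(max(row) for row in ddt(f, s, t)[1:])

def missing_sums(f, s, t):
    """Vectors of (F_2)^t that are not a + b for any a, b in Im f."""
    img = {f(x) for x in range(1 << s)}
    return sorted(set(range(1 << t)) - {a ^ b for a in img for b in img})

XI = 0x11   # the one vector of (F_2)^5 not in Im(sbox) + Im(sbox)

def compress(w):
    """Linear (F_2)^5 -> (F_2)^4 with kernel {0, XI}: fold the top bit into bit 0."""
    return (w & 0xF) ^ (w >> 4)

def diffusion(w):
    """Constructed surjective linear lambda: (F_2)^10 -> (F_2)^8 with kernel
    Span{(XI, 0), (0, XI)}; the brick mixing keeps it proper (no wall -> wall)."""
    l1, l2 = compress(w >> T), compress(w & 0x1F)
    m = l1 ^ (((l2 << 1) | (l2 >> 3)) & 0xF)   # l1 + rotl(l2, 1)
    return (m << 4) | (l2 ^ m)

def confusion(x):
    """Parallel S-box gamma: (F_2)^8 -> (F_2)^10."""
    return (sbox(x >> 4) << T) | sbox(x & 0xF)

def rho(x):
    """Generating function rho = gamma lambda (gamma first, postfix notation)."""
    return diffusion(confusion(x))

def kernel_meets_image_sums(lam, gam, n, m):
    """gamma lambda is injective iff Ker(lambda) meets Im(gamma) + Im(gamma) only
    in 0 (gamma itself being injective); returns that intersection."""
    img = {gam(x) for x in range(1 << n)}
    sums = {a ^ b for a in img for b in img}
    return sorted(w for w in range(1 << m) if lam(w) == 0 and w in sums)

def is_permutation(f, n):
    return len({f(x) for x in range(1 << n)}) == 1 << n

# Feistel structure of Section 3.2 with the wave function as F-function.
def feistel(xy, f=rho):
    """Feistel operator induced by f, taken here to be (x, y) -> (y, x + y f)."""
    x, y = xy
    return (y, x ^ f(y))

def round_enc(xy, k):
    """Round of the wave cipher: Feistel operator, then key addition sigma_(0,k)."""
    l, r = feistel(xy)
    return (l, r ^ k)

def round_dec(xy, k):
    """Inverse round: evaluates rho once more, never rho^-1."""
    l, r = xy
    return (r ^ k ^ rho(l), l)

if __name__ == "__main__":
    print("delta =", differential_uniformity(sbox, S, T), "missing:", missing_sums(sbox, S, T))
    print("Ker(lambda) meets Im+Im in", kernel_meets_image_sums(diffusion, confusion, N, M))
    print("rho bijective:", is_permutation(rho, N))
    print("round trip:", round_dec(round_enc((0x3C, 0xA7), 0x5A), 0x5A) == (0x3C, 0xA7))
```

Replacing `compress` by one whose kernel contains a vector of Im(γ) + Im(γ) (e.g. simply dropping the top bit) makes `kernel_meets_image_sums` return more than {0} and ρ stops being a permutation, which is the failure Lemma 3.2 excludes.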

Group-theoretical study of Wave ciphers
In this section, we first show a group-theoretical result which, as a consequence, links the primitivity for a Substitution-Permutation Network and the primitivity for a Feistel Network having, respectively, round functions and F-functions with the same structure. By exploiting this result we prove that the group generated by the round functions of a wave cipher is primitive under some reasonable cryptographic assumptions on the underlying wave functions.

Security reduction
Let us consider the group generated by the rounds of an FN which uses as F-functions the round functions of a primitive SPN. Here we prove a group-theoretical result which implies the primitivity of this group under the assumption that the wave functions are invertible. In particular, this result is used to show that the group generated by the round functions of a wave cipher is primitive if the group generated by the round functions of an SPN-like cipher having the same wave functions as round functions is primitive, as depicted in Fig. 5.

Let us recall that
Let ρ be any element in Sym(V), ρ̄ the corresponding Feistel operator, and let Γ̄ def = ⟨ T (0,n) , ρ̄ ⟩. Since we aim at characterising imprimitivity blocks for Γ̄ using Lemma 2.4 and Lemma 2.5, we need to identify a transitive subgroup of Γ̄. For this reason, the following alternative presentation of Γ̄ is useful.
Hence for each k ∈ V it holds that ρ̄σ (0,k) = σ (k,0) ρ̄, and consequently σ (k,0) ∈ Γ̄. Therefore for each Since T (n,n) is a transitive subgroup of Γ̄, and since the subgroups of T (n,n) are of the form {σ u ∶ u ∈ U}, where U is a subgroup of V × V, we obtain the following.
Lemma 4.2. If Γ̄ is imprimitive in its action on V × V, then a block system is made of the cosets of a subgroup of V × V, i.e. it is {U + v ∣ v ∈ V × V}, where U is a non-trivial and proper subgroup of V × V.
According to Lemma 4.2, in order to prove that Γ̄ is primitive it is sufficient to prove that no subgroup of V × V is a block. The following theorem, due to Goursat [23], characterises the subgroups of the direct product of two groups in terms of suitable sections of the direct factors (see also [29]). We apply this result to the additive group V × V.
Theorem 4.3 (Goursat's Lemma [23]). Let G 1 and G 2 be two groups. There exists a bijection between
1. the set of all subgroups of the direct product G 1 × G 2 , and
2. the set of all triples (A/B, C/D, ψ), where
• D is a normal subgroup of C, and
In this bijection, each subgroup of G 1 × G 2 can be uniquely written as
Note that the isomorphism ψ ∶ A/B → C/D is induced by a homomorphism ϕ ∶ A → C such that (a + B)ψ = aϕ + D for any a ∈ A, and Bϕ ≤ D. Such a homomorphism is not unique.
Lemma 4.4. In the above notation, given any homomorphism ϕ inducing ψ, we have
Proof. Note first that the right-hand side of (1) is contained in U ψ , since for a ∈ A and d ∈ D we have (a + B)ψ = aϕ Moreover U ψ is contained in the right-hand side of (1). Indeed, if (a, c) ∈ U ψ we have aϕ
The following is the main result of this section.
Theorem 4.5. Let ρ ∈ Sym(V) ∖ AGL(V), ρ̄ be the corresponding Feistel operator, and denote by Γ = ⟨ T n , ρ ⟩ and by
Before proving Theorem 4.5, we show how this group-theoretical result can be helpful to us. Let Φ = {E K ∣ K ∈ K} ⊆ Sym(V × V) be an r-round wave block cipher with a bijective generating function ρ = γλ. By Remark 3.6 one has that Γ ∞ (Φ) = ⟨ T (0,n) , ρ̄ ⟩ is the group generated by the round functions of the wave cipher Φ. Moreover, ⟨ T n , ρ ⟩ is the group generated by the wave-shaped round functions of an SPN-like cipher whose round functions are ε i,K = ρ σ ki . Therefore, the next result follows directly from Theorem 4.5.
Proof of Theorem 4.5. Let us suppose that Γ̄ = ⟨ T (0,n) , ρ̄ ⟩ = ⟨ T (n,n) , ρ̄ ⟩ is imprimitive, so there exists a non-trivial and proper subgroup for some that is Hence it holds that x = aϕ + d, and considering a = 0 we obtain D ≤ A. Similarly, considering d = 0, we obtain Aϕ ≤ A. Analogously, we have for some , and we can consider v ′ 1 = 0ρ and v ′ 2 = 0. In this case, for any a ∈ A and d ∈ D there exist x ∈ A and y ∈ D such that Hence we have x = aρ + aϕ + d + 0ρ. Substituting x = aϕ + d in xϕ + y, and ϕ being a homomorphism, it holds that y = a + aρϕ + aϕ 2 + dϕ + 0ρϕ. Then, considering a = 0, we obtain y = dϕ, and thus Dϕ ≤ D. Now, in the general case, letting for some , by Lemma 4.4 and by (4), for any a ∈ A and d ∈ D there exist x ∈ A and y ∈ D such that that is, Then, considering a = 0, we obtain (d + v 2 )ρ = y + dϕ + v 2 ρ. Since Dϕ ≤ D, y + dϕ ∈ D and so Note that we obtain equality since ρ is a permutation. If D ≠ {0}, (F 2 ) n , then we have proved that the imprimitivity of Γ̄ implies the imprimitivity of Γ. To complete the proof, it remains to consider the cases D = (F 2 ) n and D = {0}.
[D = (F 2 ) n ] We proved that D ≤ A, and from the hypotheses it holds that D ≤ C and ψ is an isomorphism between A/B and C/D. Since D = (F 2 ) n , we have
[D = {0}] First, note that in this case Bϕ = {0}. Moreover, by Lemma 4.4 and by (4), for any a ∈ A there exists x ∈ A such that Proceeding as before, it holds that Note that for any a ∈ B ≤ A, aϕ = 0 and so we obtain a + v 2 ρ = v 2 ρ for any a ∈ B, that is, B = {0}. Therefore, if D = {0}, also B = {0}, and so ϕ = ψ is an isomorphism between A and C. Moreover, since Aϕ is contained in both A and C, then A = C and ϕ is an automorphism of A.
If A is a proper subgroup of (F 2 ) n , then by (5), and since both a + aϕ 2 and aϕ belong to A, we have and so Γ is imprimitive. If A = (F 2 ) n , in equation (5) we can consider v 2 = 0, since aϕ + v 2 is an element of A = (F 2 ) n , so we have Since the function x ↦ x + xϕ 2 is linear, we have proved that ρ ∈ AGL(V), which is a contradiction.

Conditions on SPN-like wave ciphers
In the light of Theorem 4.5, given a wave cipher Φ whose generating function ρ is invertible, we obtain that the group Γ ∞ (Φ) is primitive if we manage to prove that the group ⟨ T n , ρ ⟩ is primitive. The latter is the group generated by the rounds of an SPN-like cipher featuring wave functions in place of classical round functions. Although for such a cipher it may be difficult to compute the inverse of the encryption functions, since it has an SPN structure with non-invertible layers, we can still study its theoretical properties. In this section we point out which properties of the generating function ρ guarantee that ⟨ T n , ρ ⟩ is primitive. From now on let us assume that ρ ∈ Sym(V).
Let ρ = γλ be the generating function of a wave cipher. We can always assume that γ maps 0 to 0, since it is possible to add 0γ to the round key of the previous round. Then, since λ is linear, it holds that 0ρ = 0.
In the following, we define a generalisation of the notion of strong anti-invariance given in [18], which is a condition in our second main theorem. Let us recall that, as in Section 3,
Definition 4.7. Let j ∈ {1, 2, . . ., b}, γ j ∶ V j → W j be an S-box such that 0γ j = 0, and λ ∶ W → V be a surjective linear map. Given 0 ≤ δ < s, γ j is δ-non-invariant with respect to λ if for any proper subspaces V ′ < V j and W ′ < W j such that
Notice that if 0 ≤ δ < δ ′ < s and γ j is δ ′ -non-invariant w.r.t. λ, then it is also δ-non-invariant w.r.t. λ.
Lemma 4.8. Let ρ = γλ ∈ Sym(V) be the generating function of a wave cipher. Then ⟨ T n , ρ ⟩ is imprimitive if and only if there exists a proper and non-trivial subgroup U of V such that
The following is the main result of this section.
Theorem 4.9. Let ρ = γλ ∈ Sym(V) be the generating function of a wave cipher Φ. If there exists 1 ≤ δ < s such that for each j ∈ {1, 2, . . ., b} the S-box γ j is
• δ-non-invariant with respect to λ,
Proof. Suppose that ⟨T n , ρ⟩ is imprimitive. By Lemma 4.8, a block system is of the form {U + v ∣ v ∈ V} for some proper non-trivial subgroup U of V. Since U is an imprimitivity block and ρ ∈ ⟨T n , ρ⟩, Uρ = U + v for some v ∈ V. Moreover, since 0ρ = 0, we obtain U + v = U, and consequently Uρ = Uγλ = U. Moreover and so Uγ + Ker λ is a subspace of W. For 1 ≤ j ≤ b, let π j ∶ V → V j be the j-th projection with respect to the decomposition V = V 1 ⊕ . . . ⊕ V b , and I def = { j ∈ {1, . . ., b} ∣ U π j ≠ {0}}. Then two cases are possible: either U ∩ V j = V j for each j ∈ I, or there exists j ∈ I such that U ∩ V j ≠ V j .
In the first case U = ⊕ j∈I V j is a wall. From (6) it holds that Since γ is a parallel transformation, we have Thus, from (7) and (8) it follows that which is a contradiction since λ is proper.
Notice that in the proof of Theorem 4.9 we actually exploited only the fact that every S-box is 2 δ -weakly differentially uniform. Hence, we have also proved the following more general result.
The hypothesis of each S-box being δ-non-invariant w.r.t. λ in Theorem 4.9 can be weakened by adding a reasonable requirement on the diffusion layer. However, for this result no alternative version using the weak differential uniformity exists.
Theorem 4.11. Let ρ = γλ ∈ Sym(V) be the generating function of a wave cipher Φ. If there exists 1 ≤ δ < s such that for each j ∈ {1, 2, . . ., b} the S-box γ j is
• (δ − 1)-non-invariant with respect to λ,
and if the diffusion layer is such that
Proof. The proof proceeds exactly as that of Theorem 4.9. In this slightly different setting, induced by a further requirement on λ, we can conclude that U ∩ V j ≠ {0}. Indeed, being and having dim(U λ −1 ∩ W j ) ≥ s − δ and dim(Ker λ ∩ W j ) < s − δ, there must be a non-zero element in (U ∩ V j )γ j , and consequently a non-zero element z ∈ U ∩ V j . Then, reasoning as before, using Lemma 4.8 one can prove that Im(γ j z ) ⊂ U λ −1 ∩ W j and |Im(γ j z )| ≥ 2 s−δ . Moreover, 0 ∉ Im(γ j z ), since z ≠ 0 and γ j is injective. Hence and therefore dim(U λ −1 ∩ W j ) ≥ s − δ + 1. The hypothesis of (δ − 1)-non-invariance of γ j leads to a contradiction, hence the desired result holds.
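The following Python, an added example rather than the paper's code, runs the Lemma 4.8 check for ⟨T n , ρ⟩ on a constructed toy: V = (F 2 ) 8 with two bricks, each sent through x ↦ x −1 on F 16 (which is what a 4 × 5 S-box of the form (x −1 , extra bit) collapses to once a 5 → 4 compression with the extra bit in its kernel is applied), followed by a linear brick-mixing layer. It uses Atkinson's minimal-block algorithm (not from the paper) and compares a proper λ with one that maps walls onto walls, the latter being the imprimitive situation that the hypotheses of Theorem 4.9 rule out.

```python
"""Imprimitivity-block search for G = <T_n, rho> on V = (F_2)^8 (Lemma 4.8,
Theorem 4.9).  Constructed toy, not the paper's code: two 4-bit bricks, each
sent through x -> x^-1 on F_16 (what the 4x5 S-box (x^-1, extra bit) collapses
to once a 5 -> 4 compression with the extra bit in its kernel is applied),
followed by a linear brick-mixing layer.  Two diffusion layers are compared."""

INV16 = [0, 1, 9, 14, 13, 11, 7, 6, 15, 2, 12, 5, 10, 4, 3, 8]  # x^-1 in F_2[x]/(x^4+x+1)
N = 8   # dim V

def rotl4(x):
    return ((x << 1) | (x >> 3)) & 0xF

def rho_proper(x):
    """gamma lambda with a proper lambda: no wall of W is mapped onto a wall of V."""
    l1, l2 = INV16[x >> 4], INV16[x & 0xF]
    m = l1 ^ rotl4(l2)
    return (m << 4) | (l2 ^ m)

def rho_wall(x):
    """gamma lambda with a non-proper lambda: the bricks never interact."""
    return (INV16[x >> 4] << 4) | INV16[x & 0xF]

def minimal_block(gens, size, a, b):
    """Atkinson's algorithm: the smallest block of the group generated by the
    permutations `gens` (image lists over range(size)) containing both a and b."""
    parent = list(range(size))

    def find(p):
        while parent[p] != p:
            parent[p] = parent[parent[p]]
            p = parent[p]
        return p

    def union(p, q):
        p, q = find(p), find(q)
        if p == q:
            return False
        parent[q] = p
        return True

    union(a, b)
    pending = [(a, b)]
    while pending:                  # a ~ b must force ag ~ bg for every generator
        p, q = pending.pop()
        for g in gens:
            if union(g[p], g[q]):
                pending.append((g[p], g[q]))
    root = find(a)
    return frozenset(p for p in range(size) if find(p) == root)

def imprimitivity_block(rho, n=N):
    """A proper non-trivial block of <T_n, rho> through 0 if one exists (the
    group is then imprimitive), else None.  T_n is generated by the n unit
    translations, so the group is transitive and blocks through 0 are subgroups."""
    size = 1 << n
    gens = [[x ^ (1 << i) for x in range(size)] for i in range(n)]
    gens.append([rho(x) for x in range(size)])
    for w in range(1, size):
        block = minimal_block(gens, size, 0, w)
        if len(block) < size:
            return block
    return None

def is_subgroup(block):
    """Lemma 4.2 sanity check: a block through 0 is closed under +."""
    return all(a ^ b in block for a in block for b in block)

if __name__ == "__main__":
    print("proper lambda:", imprimitivity_block(rho_proper))          # None: primitive
    print("wall lambda  :", sorted(imprimitivity_block(rho_wall)))    # the brick V_2
```

For the proper layer every minimal block through 0 is the whole of V, so no block system exists; for the wall-preserving layer the brick V 2 itself comes back as a block, as Lemma 2.5 and Lemma 4.2 predict.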
The security analysis of a concrete instance of wave cipher
In the previous sections we have introduced a new framework for block ciphers, called wave ciphers, and studied its security with respect to the imprimitivity attack. In particular, we primarily aimed at determining sufficient conditions on the choice of the layers which guarantee the resistance of each wave cipher satisfying such conditions against a dangerous algebraic attack. Nevertheless, statistical attacks may also represent a threat to the security of these ciphers. However, as already mentioned in Section 1, security against statistical attacks has to be established for a specific instance of wave cipher. For this reason, we design a concrete example of a real-world-size wave cipher by selecting an APN S-box and a proper diffusion layer, and we analyse its resistance against differential and linear

Differential cryptanalysis
The S-box of Fig. 3 is APN, hence all its non-trivial differential probabilities are equal to $2^{-3}$, and any 3-round differential trail has at least 2 active S-boxes, the worst case being the one forming the pattern 1-0-1, occurring when the XOR with the left part of the difference cancels out the output difference of the F-function in the first round. Consequently, the probability of each 3-round differential trail is upper bounded by $(2^{-3})^2 = 2^{-6}$.

Linear cryptanalysis
In the case of linear cryptanalysis, the bias of every linear approximation is at most $2^{-2}$. Recalling Matsui's Piling-up Lemma [26], the maximal bias of a linear approximation of three rounds involving two active S-boxes is Consequently, we can bound the maximal bias of a 48-round linear approximation by $e_{48} = 2^{15} \times e_3^{16} = 2^{15} \times (2^{-3})^{16} = 2^{-33}$. Matsui shows in [26] that the number of known plaintexts required in the attack is approximately $e^{-2}$, where $e$ denotes the maximal bias of a linear approximation. Therefore an attacker needs approximately $2^{66}$ known plaintexts to mount a key-recovery linear attack against a 48-round encryption of our instance of wave cipher.
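As an added illustration, not code from the paper, the following Python computes from a lookup table the two S-box quantities the differential and linear analyses above rest on (the maximal non-trivial differential probability and the maximal linear bias) and chains them, through the 1-0-1 trail pattern and Matsui's Piling-up Lemma, into the 3-round and 48-round bounds. The S-box of Fig. 3 is not reproduced here: the table used is a constructed stand-in, the Gold map $x \mapsto x^3$ over GF(2^4), which is APN but 4×4 and not injective; a 4×5 table can be substituted directly.

```python
from fractions import Fraction
from itertools import product

def gf16_mul(a, b, poly=0b10011):
    """Multiply in GF(2^4) modulo x^4 + x + 1 (field chosen for the stand-in S-box)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= poly
    return r

# Constructed stand-in for the S-box of Fig. 3: the Gold map x -> x^3 over GF(2^4),
# a known APN function. It is 4x4 and not injective, unlike the paper's 4x5 S-box;
# any table of n-bit inputs and m-bit outputs works with the functions below.
SBOX_N, SBOX_M = 4, 4
SBOX = [gf16_mul(x, gf16_mul(x, x)) for x in range(1 << SBOX_N)]

def parity(v):
    return bin(v).count("1") & 1

def max_diff_prob(sbox, n):
    """Largest DDT entry over non-zero input differences, as a probability.
    The value 2 / 2^n (2^-3 for n = 4) is exactly the APN property."""
    best = 0
    for a in range(1, 1 << n):
        counts = {}
        for x in range(1 << n):
            d = sbox[x] ^ sbox[x ^ a]
            counts[d] = counts.get(d, 0) + 1
        best = max(best, max(counts.values()))
    return Fraction(best, 1 << n)

def max_lin_bias(sbox, n, m):
    """Largest |Pr[a.x = b.S(x)] - 1/2| over all input masks a and non-zero output masks b."""
    best = 0
    for a, b in product(range(1 << n), range(1, 1 << m)):
        corr = sum((-1) ** parity((a & x) ^ (b & sbox[x])) for x in range(1 << n))
        best = max(best, abs(corr))
    return Fraction(best, 1 << (n + 1))

def piling_up(biases):
    """Matsui's Piling-up Lemma: bias of the XOR of k independent approximations."""
    result = Fraction(2) ** (len(biases) - 1)
    for e in biases:
        result *= e
    return result

def differential_3round_bound(p):
    """Pattern 1-0-1: two active S-boxes in three rounds, so trail probability <= p^2."""
    return p * p

def linear_trail_bias_bound(bias, rounds):
    """Two active S-boxes per 3-round approximation, rounds/3 of them piled up."""
    return piling_up([piling_up([bias, bias])] * (rounds // 3))

def known_plaintexts(bias):
    """Matsui's data complexity estimate e^-2 for a linear attack with bias e."""
    return 1 / (bias * bias)
```

With the stand-in table the script reproduces the paper's figures: differential probability $2^{-3}$, bias $2^{-2}$, 48-round bias bound $2^{-33}$ and about $2^{66}$ known plaintexts.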

Other comments
It is worth noting that, although the proposed cipher features S-boxes with an odd number of output bits, the size of the block is a power of two, which represents the optimal case for implementation needs. For example, the disadvantage of considering an FN featuring 5 × 5 APN S-boxes in place of 4 × 5 S-boxes would be twofold in terms of keeping the cipher lightweight: on the one hand, the size of the block would not be a power of two; on the other hand, a 5 × 5 APN S-box requires the storage of 32 values, twice as many as needed for a 4 × 5 S-box.

Conclusions and open problems
In this work we proposed a new family of ciphers, called wave ciphers, whose round functions are the composition of layers not all of which are invertible. The round functions of a wave cipher are wave functions, vectorial Boolean functions obtained as the composition of injective non-linear confusion layers enlarging the message, surjective linear diffusion layers reducing the message size, and a key addition. Relaxing the requirement that the S-boxes are permutations allowed us to consider APN functions to build confusion layers. In particular, we gave an example of a 4 × 5 APN S-box. We proposed to use wave functions as F-functions of Feistel Networks, where computing inverse functions is not required in order to perform decryption. With regard to their security we showed that, under the assumption that the generating function is invertible, and under suitable non-linearity properties of the Boolean functions involved, the group generated by the round functions of a wave cipher acts primitively. Finally, we presented a concrete example of a 64-bit wave cipher and we proved its resistance against differential and linear cryptanalysis, as well as the imprimitivity attack.
Our new construction leaves several problems open, such as determining conditions on the wave functions which ensure that the group generated by the round functions of a wave cipher is the alternating group, or studying the resistance of instances of wave ciphers with respect to other, more sophisticated, statistical attacks on the wave-shaped structure. Moreover, to the best of our knowledge, $s \times t$ APN functions with $s < t$ have not been investigated much in the literature. Finally, note that, in order to prove that $\Gamma_\infty(\Phi) = \langle T_{(0,n)}, \rho \rangle$ is primitive, we adopted the strategy of considering an SPN having as round functions the same wave functions as $\Phi$, and we used Theorem 4.5 to deduce the primitivity of $\Gamma_\infty(\Phi)$ from the primitivity of $\langle T_n, \rho \rangle$. This forced us to suppose $\rho \in \mathrm{Sym}(V)$. However, the bijectivity of $\rho$ is not required to define a wave cipher. For this reason, one of our interests is to prove the same result under more general hypotheses on $\rho$.

Figure 1: Round function of an SPN and of an FN

Figure 2 depicts the composition of two consecutive wave functions.

Figure 5: Feistel to SPN reduction

), we can assume $v_1 = 0$ and $v_2 = 0\rho$. With reference to Lemma 4.4 and its notation, we have $U = \{(a, a\phi + d) \mid a \in A, d \in D\}$, and by (2), for any $a \in A$ and $d \in D$ there exist $x \in A$ and $y \in D$ such that