There one often has a small number of rounds (since the parameters are fixed, it's hard to tell whether we should think of this number as a constant or as log n), each combining "mixing/diffusion" operators, which can be linear, with simple local non-linear operations.

Interestingly, what is believed in the block cipher community is that for many of these ciphers there is no non-trivial attack. That means that if the cipher is a random function on n bits from a collection of 2^k functions (n is known as the block length, and k as the key length), then it should not be distinguishable from a random (in some cases even, though this is not explicitly stated) permutation in time less than 2^k. If k is superlinear in n, then this time is not just polynomial in 2^n but super-polynomial.

Lastly, as indicated in this discussion, things might be somewhat easier when you're trying to prove just a super-linear lower bound, as compared to lower bounds better than n log n.

In fact, Valiant has shown a non-natural property of (multi-bit output) functions that implies that they cannot have a circuit of linear size and logarithmic depth. The property is that there is a constant $\epsilon > 0$ such that for every sparse function (i.e. one in which each output depends on only a small number of the input coordinates), the probability that the two functions agree on a random input is at most $2^{-\epsilon n}$.

There is also a variant of this for *linear* functions, talking about *linear* circuits (all operations are linear over some field). There the property becomes that the matrix cannot be written as the sum of a matrix with only a small number of non-zero elements in each column and a matrix of low rank. If $f$ has this property we say that it is *rigid*, and this implies that it has no linear-operation circuits of linear size and logarithmic depth.

Alekhnovich argued that this property is not natural in the following paper:

http://www.math.ias.edu/~misha/papers/average.ps

Note that there, indeed, the hard cases for this approach are random "low complexity" functions, obtained by taking a random low-rank matrix and adding noise to it.
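As an added worked example of the round structure described at the top of this comment (my own toy construction, not code from the comment and not any real cipher), here is a 16-bit substitution-permutation network: a small fixed number of rounds, each a local non-linear step (4-bit S-boxes) followed by a linear mixing step (a bit transposition), with round keys XORed in between. The S-box, the transposition and the trivial key schedule are assumptions chosen for illustration; the key length k = 80 exceeds the block length n = 16 to mirror the "k larger than n" setting discussed above, but nothing about security is claimed for it.

```python
"""Toy 16-bit substitution-permutation network (added illustration, not a real cipher)."""
import random

N_BITS = 16                     # block length n
ROUNDS = 4                      # a small, fixed number of rounds
KEY_BITS = 16 * (ROUNDS + 1)    # k = 80: one 16-bit round key per round plus final whitening

# Constructed 4-bit S-box, a bijection on {0..15}: the local non-linear operation.
SBOX = [0x6, 0x4, 0xC, 0x5, 0x0, 0x7, 0x2, 0xE,
        0x1, 0xF, 0x3, 0xD, 0x8, 0xA, 0x9, 0xB]
SBOX_INV = [SBOX.index(v) for v in range(16)]


def permute_bits(x):
    """Linear mixing layer: transpose the 4x4 grid of bits (bit i -> 4*(i % 4) + i // 4).
    Every bit of one nibble lands in a different nibble; the map is an involution."""
    y = 0
    for i in range(N_BITS):
        if (x >> i) & 1:
            y |= 1 << (4 * (i % 4) + i // 4)
    return y


def substitute(x, box):
    """Apply the 4-bit S-box `box` to each of the four nibbles of the block."""
    return sum(box[(x >> (4 * j)) & 0xF] << (4 * j) for j in range(4))


def round_keys(key):
    """Trivial key schedule (illustration only): split the 80-bit key into five 16-bit words."""
    assert 0 <= key < (1 << KEY_BITS), "key must be 80 bits"
    return [(key >> (16 * i)) & 0xFFFF for i in range(ROUNDS + 1)]


def encrypt(key, block):
    ks = round_keys(key)
    x = block & 0xFFFF
    for r in range(ROUNDS):
        x ^= ks[r]
        x = substitute(x, SBOX)
        if r != ROUNDS - 1:         # no mixing layer after the last S-box layer
            x = permute_bits(x)
    return x ^ ks[ROUNDS]


def decrypt(key, block):
    ks = round_keys(key)
    x = (block & 0xFFFF) ^ ks[ROUNDS]
    for r in reversed(range(ROUNDS)):
        if r != ROUNDS - 1:
            x = permute_bits(x)     # involution, so the same function undoes it
        x = substitute(x, SBOX_INV)
        x ^= ks[r]
    return x


def is_permutation(key):
    """Exhaustively check that the keyed map is a bijection on all 2^16 blocks (cheap at n=16)."""
    return len({encrypt(key, p) for p in range(1 << N_BITS)}) == (1 << N_BITS)


def avalanche(key, samples=2000, seed=1):
    """Average number of ciphertext bits that change when one plaintext bit is flipped.
    For an ideal random permutation on 16 bits the expectation is n/2 = 8."""
    rng = random.Random(seed)
    total = 0
    for _ in range(samples):
        p = rng.getrandbits(N_BITS)
        bit = rng.randrange(N_BITS)
        total += bin(encrypt(key, p) ^ encrypt(key, p ^ (1 << bit))).count("1")
    return total / samples


if __name__ == "__main__":
    key = random.Random(42).getrandbits(KEY_BITS)
    c = encrypt(key, 0x1234)
    print(f"c = {c:04x}, decrypts to {decrypt(key, c):04x}")
    print("bijective on all 2^16 blocks:", is_permutation(key))
    print("average bits flipped per single-bit plaintext change:", avalanche(key))
```

With n = 16 one can enumerate the whole domain, so the bijectivity check is exact; the avalanche figure is the kind of quick sanity check one runs on a round structure, not evidence of indistinguishability from a random permutation, which is the (unproven) belief the comment refers to.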
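To make the rigidity definition concrete, here is an added worked example (mine, not from the comment nor from Valiant's or Alekhnovich's papers) that decides rigidity of tiny GF(2) matrices by brute force and builds the "random low-rank matrix plus noise" instances mentioned just above. The parameter names s (maximum non-zeros per column of the sparse part) and r (rank bound on the low-rank part) are my labels for the quantities whose notation was lost from the comment; the enumeration is exponential and exists only to illustrate the definition.

```python
"""Matrix rigidity over GF(2) by brute force (added illustration).

M is (s, r)-rigid if it cannot be written as M = S + L with S having at most s
non-zero entries in every column and rank(L) <= r.  Over GF(2) subtraction is
XOR, so we enumerate every allowed S and test whether rank(M ^ S) <= r.
Matrices are lists of row bitmasks; bit j of row i is entry (i, j).
"""
import itertools
import random


def gf2_rank(rows):
    """Rank over GF(2) by Gaussian elimination on row bitmasks."""
    rows = list(rows)
    rank = 0
    for bit in reversed(range(max((r.bit_length() for r in rows), default=0))):
        pivot = next((i for i in range(rank, len(rows)) if (rows[i] >> bit) & 1), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for i in range(len(rows)):
            if i != rank and (rows[i] >> bit) & 1:
                rows[i] ^= rows[rank]
        rank += 1
    return rank


def column_sparse_matrices(n, s):
    """Yield every n x n GF(2) matrix with at most s non-zero entries per column."""
    col_choices = [c for t in range(s + 1) for c in itertools.combinations(range(n), t)]
    for choice in itertools.product(col_choices, repeat=n):
        rows = [0] * n
        for j, ones in enumerate(choice):
            for i in ones:
                rows[i] |= 1 << j
        yield rows


def is_rigid(m, s, r):
    """True iff no column-s-sparse S makes rank(M + S) <= r (exhaustive, tiny n only)."""
    n = len(m)
    for sp in column_sparse_matrices(n, s):
        if gf2_rank([a ^ b for a, b in zip(m, sp)]) <= r:
            return False
    return True


def low_rank_plus_noise(n, r, s, seed=0):
    """Construct M = A*B + S with A an n x r and B an r x n random GF(2) matrix (so
    rank(A*B) <= r) and S random with at most s ones per column.  Such an M is by
    construction not (s, r)-rigid, even though it usually has full rank."""
    rng = random.Random(seed)
    a_cols = [rng.getrandbits(n) for _ in range(r)]   # column i of A, one bit per row
    b_rows = [rng.getrandbits(n) for _ in range(r)]   # row i of B, one bit per column
    rows = [0] * n
    for i in range(r):                                # A*B = sum of r outer products
        for row in range(n):
            if (a_cols[i] >> row) & 1:
                rows[row] ^= b_rows[i]
    for j in range(n):                                # sparse noise, <= s ones per column
        for i in rng.sample(range(n), rng.randint(0, s)):
            rows[i] ^= 1 << j
    return rows


if __name__ == "__main__":
    identity3 = [0b001, 0b010, 0b100]
    print("I_3 is (0,2)-rigid:", is_rigid(identity3, 0, 2))   # rank 3 > 2, nothing to subtract
    print("I_3 is (1,1)-rigid:", is_rigid(identity3, 1, 1))   # S = I_3 leaves the zero matrix
    m = low_rank_plus_noise(5, 2, 1, seed=0)
    print("low-rank+noise: rank =", gf2_rank(m), "(1,2)-rigid:", is_rigid(m, 1, 2))
```

The constructed matrix is the easy direction: it is non-rigid because we planted the decomposition. The comment's point is the converse, that a random matrix of this form is, to an efficient algorithm, hard to tell apart from a genuinely rigid one, which is what blocks this property from being natural.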
