Branch number

In cryptography, the branch number is a numerical value that characterizes the amount of diffusion introduced by a vectorial Boolean function that maps an input vector to output vector. For the case of a linear the value of the differential branch number is produced by:

applying nonzero values of to the input of ;
calculating for each input value the Hamming weight , and adding weights and together;
selecting the smallest combined weight across for all nonzero input values:.

If both and have components, the result is obviously limited on the high side by the value . A high branch number suggests higher resistance to the differential cryptanalysis: the small variations of input will produce large changes on the output and in order to obtain small variations of the output, large changes of the input value will be required.
The term was introduced by Daemen and Rijmen in early 2000s and quickly became a typical tool to assess the diffusion properties of the transformations.

Mathematics

The branch number concept is not limited to the linear transformations, Daemen and Rijmen provided two general metrics:

differential branch number, where the minimum is obtained over inputs of that are constructed by independently sweeping all the values of two nonzero and unequal vectors, : ;
for linear branch number, the independent candidates and are independently swept; they should be nonzero and correlated with respect to :.