Journal ArticleDOI

On Compact Cauchy Matrices for Substitution-Permutation Networks

01 Jul 2015 - IEEE Transactions on Computers (IEEE) - Vol. 64, Iss. 7, pp. 2098-2102
TL;DR: A new method to construct and count efficient MDS matrices for substitution-permutation networks (SPNs) is provided, and an interesting class of Cauchy matrices is identified which has the fewest distinct entries and is thus more favorable for implementation.
Abstract: Maximum distance separable (MDS) matrices are widely used in the design of block ciphers. However, it is highly nontrivial to find MDS matrices which could be used in practice. This paper focuses on the design of efficient MDS matrices for substitution-permutation networks (SPNs). We provide a new method to construct and count these MDS matrices. Moreover, we identify an interesting class of Cauchy matrices (named compact Cauchy matrices) which has the fewest distinct entries and is thus more favorable for implementation. Finally, we prove that all compact Cauchy matrices could be modified into an involution compact Cauchy matrix, and show how to maximize the occurrences of the entry "1" in a compact Cauchy matrix.
Citations
Book ChapterDOI
08 Mar 2015
TL;DR: In this article, the authors provide new methods to look for lightweight MDS matrices, and in particular involutory ones, by proving many new properties and equivalence classes for various MDS matrix constructions such as circulant, Hadamard, Cauchy, and Hadamard-Cauchy.
Abstract: In this article, we provide new methods to look for lightweight MDS matrices, and in particular involutory ones. By proving many new properties and equivalence classes for various MDS matrix constructions such as circulant, Hadamard, Cauchy and Hadamard-Cauchy, we exhibit new search algorithms that greatly reduce the search space and make lightweight MDS matrices of rather high dimension possible to find. We also explain why the choice of the irreducible polynomial might have a significant impact on the lightweightness, and contrary to the classical belief, we show that the Hamming weight has no direct impact. Even though we focused our studies on involutory MDS matrices, we also obtained results for non-involutory MDS matrices. Overall, using Hadamard or Hadamard-Cauchy constructions, we provide the (involutory or non-involutory) MDS matrices with the least possible XOR gates for the classical dimensions \(4 \times 4\), \(8 \times 8\), \(16 \times 16\) and \(32 \times 32\) in \(\mathrm {GF}(2^4)\) and \(\mathrm {GF}(2^8)\). Compared to the best known matrices, some of our new candidates save up to 50 % on the amount of XOR gates required for a hardware implementation. Finally, our work indicates that involutory MDS matrices are really interesting building blocks for designers as they can be implemented with almost the same number of XOR gates as non-involutory MDS matrices, the latter being usually non-lightweight when the inverse matrix is required.

75 citations

Book ChapterDOI
20 Mar 2016
TL;DR: With this method, it is shown that circulant involutory MDS matrices, which have been proved not to exist over the finite field $$\mathbb {F}_{2^m}$$, can be constructed by using non-commutative entries.
Abstract: In the present paper, we investigate the problem of constructing MDS matrices with as few bit XOR operations as possible. The key contribution of the present paper is constructing MDS matrices with entries in the set of $$m\times m$$ non-singular matrices over $$\mathbb {F}_2$$ directly, and the linear transformations we use to construct MDS matrices are not assumed pairwise commutative. With this method, it is shown that circulant involutory MDS matrices, which have been proved not to exist over the finite field $$\mathbb {F}_{2^m}$$, can be constructed by using non-commutative entries. Some constructions of $$4\times 4$$ and $$5\times 5$$ circulant involutory MDS matrices are given when $$m=4,8$$. To the best of our knowledge, it is the first time that circulant involutory MDS matrices have been constructed. Furthermore, some lower bounds on the number of XORs required to evaluate one row of circulant and Hadamard MDS matrices of order 4 are given when $$m=4,8$$. Some constructions achieving the bound are also given, which have fewer XORs than previous constructions.

57 citations


Additional excerpts

  • ...(3) m = 8, A = [[3, 5], 8, 1, 3, 4, 2, 6, [2, 7]], B = A = [3, [6, 8], [1, 4], 5, 1, 7, 8, 2]....

    [...]

  • ...(2) Let A = [4, 5, 6, 8, 3, [4, 7], 1, 2], B = A−2 = [[1, 6], 4, 2, 7, 8, 5, [3, 7], 1]....

    [...]

  • ...(2) m = 8, A = [2, 3, 4, [1, 5], 8, 7, 5, [3, 6]], B = A = [4, 1, [2, 8], 3, [4, 7], 8, 6, 5], C = [[4, 7], 6, 5, 8, 7, 1, 2, 3]....

    [...]

  • ...(2) m = 8, A = [1, 2, [1, 3], [1, 2, 4], 6, 5, 8, 7], C = [5, 8, [2, 6], 7, 1, [3, 8], 4, 2], and B = (A + C)(16) = [[7, 8], 1, 7, [3, 8], [2, 4], [1, 4], 6, 5]....

    [...]

  • ...(2) m = 8, X = [2, 3, 4, [1, 3]], A = [ X, 0 0, X ] = [2, 3, 4, [1, 3], 6, 7, 8, [5, 7]], B =...

    [...]

Journal ArticleDOI
TL;DR: A brief survey on cryptographically significant MDS matrices - a first to the best of the authors' knowledge, and proves that all known Vandermonde constructions are basically equivalent to Cauchy constructions.
Abstract: A matrix is MDS or super-regular if and only if every square submatrix of it is nonsingular. MDS matrices provide perfect diffusion in block ciphers and hash functions. In this paper we provide a brief survey on cryptographically significant MDS matrices - a first to the best of our knowledge. In addition to providing a summary of existing results, we make several contributions. We exhibit some deep and nontrivial interconnections between different constructions of MDS matrices. For example, we prove that all known Vandermonde constructions are basically equivalent to Cauchy constructions. We prove some folklore results which are used in the MDS matrix literature. Wherever possible, we provide some simpler alternative proofs. We do not discuss efficiency issues or hardware implementations; however, the theory accumulated and discussed here should provide an easy guide towards efficient implementations.

17 citations

BookDOI
01 Jan 2015
TL;DR: Two new attacks on TWINE-128 reduced to 25 rounds are presented that have a slightly higher overall complexity than the 25-round attack presented by Wang and Wu at ACISP 2014, but a lower data complexity.
Abstract: TWINE is a recent lightweight block cipher based on a Feistel structure. We first present two new attacks on TWINE-128 reduced to 25 rounds that have a slightly higher overall complexity than the 25-round attack presented by Wang and Wu at ACISP 2014, but a lower data complexity. Then, we introduce alternative representations of both the round function of this block cipher and of a sequence of 4 rounds. LBlock, another lightweight block cipher, turns out to exhibit the same behaviour. Then, we illustrate how this alternative representation can shed new light on the security of TWINE by deriving high probability iterated truncated differential trails covering 4 rounds with probability 2^−16. The importance of these is shown by combining different truncated differential trails to attack 23-round TWINE-128 and by giving a tighter lower bound on the high probability of some differentials by clustering differential characteristics following one of these truncated trails. A comparison between these high probability differentials and those recently found in a variant of LBlock by Leurent highlights the importance of considering the whole distribution of the coefficients in the difference distribution table of an S-box and not only their maximum value.

17 citations

Posted Content
TL;DR: In this paper, the authors provide new methods to look for lightweight MDS matrices, and in particular involutory ones, by proving many new properties and equivalence classes for various MDS matrix constructions such as circulant, Hadamard, Cauchy, and Hadamard-Cauchy.
Abstract: In this article, we provide new methods to look for lightweight MDS matrices, and in particular involutory ones. By proving many new properties and equivalence classes for various MDS matrix constructions such as circulant, Hadamard, Cauchy and Hadamard-Cauchy, we exhibit new search algorithms that greatly reduce the search space and make lightweight MDS matrices of rather high dimension possible to find. We also explain why the choice of the irreducible polynomial might have a significant impact on the lightweightness, and contrary to the classical belief, we show that the Hamming weight has no direct impact. Even though we focused our studies on involutory MDS matrices, we also obtained results for non-involutory MDS matrices. Overall, using Hadamard or Hadamard-Cauchy constructions, we provide the (involutory or non-involutory) MDS matrices with the least possible XOR gates for the classical dimensions \(4 \times 4\), \(8 \times 8\), \(16 \times 16\) and \(32 \times 32\) in \(\mathrm {GF}(2^4)\) and \(\mathrm {GF}(2^8)\). Compared to the best known matrices, some of our new candidates save up to 50 % on the amount of XOR gates required for a hardware implementation. Finally, our work indicates that involutory MDS matrices are really interesting building blocks for designers as they can be implemented with almost the same number of XOR gates as non-involutory MDS matrices, the latter being usually non-lightweight when the inverse matrix is required.

9 citations

References
Book
01 Jan 1977
TL;DR: This book presents an introduction to BCH Codes and Finite Fields, and methods for Combining Codes, and discusses self-dual Codes and Invariant Theory, as well as nonlinear Codes, Hadamard Matrices, Designs and the Golay Code.
Abstract: Linear Codes. Nonlinear Codes, Hadamard Matrices, Designs and the Golay Code. An Introduction to BCH Codes and Finite Fields. Finite Fields. Dual Codes and Their Weight Distribution. Codes, Designs and Perfect Codes. Cyclic Codes. Cyclic Codes: Idempotents and Mattson-Solomon Polynomials. BCH Codes. Reed-Solomon and Justesen Codes. MDS Codes. Alternant, Goppa and Other Generalized BCH Codes. Reed-Muller Codes. First-Order Reed-Muller Codes. Second-Order Reed-Muller, Kerdock and Preparata Codes. Quadratic-Residue Codes. Bounds on the Size of a Code. Methods for Combining Codes. Self-dual Codes and Invariant Theory. The Golay Codes. Association Schemes. Appendix A. Tables of the Best Codes Known. Appendix B. Finite Geometries. Bibliography. Index.

10,083 citations

Book
14 Feb 2002
TL;DR: The underlying mathematics and the wide trail strategy as the basic design idea are explained in detail and the basics of differential and linear cryptanalysis are reworked.
Abstract: 1. The Advanced Encryption Standard Process.- 2. Preliminaries.- 3. Specification of Rijndael.- 4. Implementation Aspects.- 5. Design Philosophy.- 6. The Data Encryption Standard.- 7. Correlation Matrices.- 8. Difference Propagation.- 9. The Wide Trail Strategy.- 10. Cryptanalysis.- 11. Related Block Ciphers.- Appendices.- A. Propagation Analysis in Galois Fields.- A.1.1 Difference Propagation.- A.1.2 Correlation.- A.1.4 Functions that are Linear over GF(2).- A.2.1 Difference Propagation.- A.2.2 Correlation.- A.2.4 Functions that are Linear over GF(2).- A.3.3 Dual Bases.- A.4.2 Relationship Between Trace Patterns and Selection Patterns.- A.4.4 Illustration.- A.5 Rijndael-GF.- B. Trail Clustering.- B.1 Transformations with Maximum Branch Number.- B.2 Bounds for Two Rounds.- B.2.1 Difference Propagation.- B.2.2 Correlation.- B.3 Bounds for Four Rounds.- B.4 Two Case Studies.- B.4.1 Differential Trails.- B.4.2 Linear Trails.- C. Substitution Tables.- C.1 SRD.- C.2 Other Tables.- C.2.1 xtime.- C.2.2 Round Constants.- D. Test Vectors.- D.1 KeyExpansion.- D.2 Rijndael(128,128).- D.3 Other Block Lengths and Key Lengths.- E. Reference Code.

3,444 citations


"On Compact Cauchy Matrices for Subs..." refers background in this paper

  • ...The new layer replaces the Shift-Rows and Mix-Columns operations by a 16 × 16 Cauchy matrix in every round, which improved the overall security of AES....

    [...]

  • ...A substitution-permutation network (SPN) is a cascade of diffusion and confusion layers, which are widely used in effective implementation and security evaluation of well-known block ciphers [7], [8], [13]....

    [...]

  • ...(table of diffusion-layer constructions; columns: construction, matrix size, field, cipher or source, involutory)
    Circulant, 4 × 4, GF(2^8), AES [8], No
    Vandermonde, 4N × 4N (4 ≤ N ≤ 10), GF(2^8), Anubis [18], No
    Ad hoc, 4 × 4, GF(2^8), IDEA NXT [12], No
    Recursive, 4 × 4, GF(2^8), PHOTON [9], No
    Hadamard, 4 × 4, GF(2^8), Khazad [19], Yes
    CCM, 4 × 4, GF(2^8), This paper, Yes...

    [...]

  • ...In [10], by a random search of Cauchy-type MDS matrices, the authors proposed a new, large diffusion layer for the AES block cipher....

    [...]

  • ...The concept of an MDS matrix comes from MDS codes in error-correcting codes [16]. The application in secret-key algorithms was suggested by Vaudenay in [17], and then adopted by many famous block ciphers, e.g., SHARK [13], Square [7], AES [8]....

    [...]

Book ChapterDOI
20 Jan 1997
TL;DR: A new 128-bit block cipher called Square, which concentrates on the resistance against differential and linear cryptanalysis, is presented, and the resulting cipher is published for public scrutiny.
Abstract: In this paper we present a new 128-bit block cipher called Square. The original design of Square concentrates on the resistance against differential and linear cryptanalysis. However, after the initial design a dedicated attack was mounted that forced us to augment the number of rounds. The goal of this paper is the publication of the resulting cipher for public scrutiny. A C implementation of Square is available that runs at 2.63 MByte/s on a 100 MHz Pentium. Our M68HC05 Smart Card implementation fits in 547 bytes and takes less than 2 msec. (4 MHz Clock). The high degree of parallelism allows hardware implementations in the Gbit/s range today.

759 citations


"On Compact Cauchy Matrices for Subs..." refers background in this paper

  • ...A substitution-permutation network (SPN) is a cascade of diffusion and confusion layers, which are widely used in effective implementation and security evaluation of well-known block ciphers [7], [8], [13]....

    [...]

Book ChapterDOI
14 Aug 2011
TL;DR: The PHOTON lightweight hash function as mentioned in this paper uses a sponge-like construction as domain extension algorithm and an AES-like primitive as internal unkeyed permutation to obtain the most compact hash function known, reaching areas very close to the theoretical optimum.
Abstract: RFID security is currently one of the major challenges cryptography has to face, often solved by protocols assuming that an on-tag hash function is available. In this article we present the PHOTON lightweight hash-function family, available in many different flavors and suitable for extremely constrained devices such as passive RFID tags. Our proposal uses a sponge-like construction as domain extension algorithm and an AES-like primitive as internal unkeyed permutation. This allows us to obtain the most compact hash function known so far (about 1120 GE for 64-bit collision resistance security), reaching areas very close to the theoretical optimum (derived from the minimal internal state memory size). Moreover, the speed achieved by PHOTON also compares quite favorably to its competitors. This is mostly due to the fact that, unlike for previously proposed schemes, our proposal is very simple to analyze and one can derive tight AES-like bounds on the number of active S-boxes. This kind of AES-like primitive is usually not well suited for ultra-constrained environments, but we describe in this paper a new method for generating the column mixing layer in a serial way, lowering drastically the area required. Finally, we slightly extend the sponge framework in order to offer interesting trade-offs between speed and preimage security for small messages, the classical use-case in hardware.

426 citations

Book ChapterDOI
21 Feb 1996
TL;DR: SHARK, as discussed by the authors, combines highly non-linear substitution boxes and maximum distance separable error correcting codes (MDS-codes) to guarantee good diffusion and is resistant against differential and linear cryptanalysis after a small number of rounds.
Abstract: We present the new block cipher SHARK. This cipher combines highly non-linear substitution boxes and maximum distance separable error correcting codes (MDS-codes) to guarantee a good diffusion. The cipher is resistant against differential and linear cryptanalysis after a small number of rounds. The structure of SHARK is such that a fast software implementation is possible, both for the encryption and the decryption. Our C-implementation of SHARK runs more than four times faster than SAFER and IDEA on a 64-bit architecture.

220 citations
