Showing papers on "MDS matrix published in 2013"
02 Sep 2013
TL;DR: In this article, the authors studied the properties of MDS matrices and provided an insight into why \(\mathrm{Serial}(z_0,\dots,z_{d-1})^d\) leads to an MDS matrix.
Abstract: Maximum distance separable (MDS) matrices have applications not only in coding theory but also are of great importance in the design of block ciphers and hash functions. It is highly nontrivial to find MDS matrices which could be used in lightweight cryptography. In a Crypto 2011 paper, Guo et al. proposed a new MDS matrix \(\mathrm{Serial}(1,2,1,4)^4\) over \(\mathbb{F}_{2^8}\). This representation has a compact hardware implementation of the AES MixColumn operation. No general study of MDS properties of this newly introduced construction of the form \(\mathrm{Serial}(z_0,\dots,z_{d-1})^d\) over \(\mathbb{F}_{2^n}\) for arbitrary d and n is available in the literature. In this paper we study some properties of MDS matrices and provide an insight into why \(\mathrm{Serial}(z_0,\dots,z_{d-1})^d\) leads to an MDS matrix. For efficient hardware implementation, we aim to restrict the values of the \(z_i\)'s to \(\{1, \alpha, \alpha^2, \alpha+1\}\), such that \(\mathrm{Serial}(z_0,\dots,z_{d-1})^d\) is MDS for d = 4 and 5, where \(\alpha\) is the root of the constructing polynomial of \(\mathbb{F}_{2^n}\). We also propose more generic constructions of MDS matrices, e.g. we construct lightweight 4×4 and 5×5 MDS matrices over \(\mathbb{F}_{2^n}\) for all n ≥ 4. An algorithm is presented to check if a given matrix is MDS. The algorithm follows from the basic properties of MDS matrices and is easy to implement.
51 citations
22 Jun 2013
TL;DR: An algorithm to construct involutory MDS matrices with low Hamming weight elements to minimize primitive operations such as exclusive-or, table look-ups and xtime operations is provided.
Abstract: Maximum distance separable (MDS) matrices have applications not only in coding theory but also are of great importance in the design of block ciphers and hash functions. It is highly nontrivial to find MDS matrices which are involutory and efficient. In a paper in 1997, Youssef et al. proposed an involutory MDS matrix construction using Cauchy matrices. In this paper we study properties of Cauchy matrices and propose generic constructions of low implementation cost MDS matrices based on Cauchy matrices. In a 2009 paper, Nakahara and Abrahao proposed a 16×16 involutory MDS matrix over \(\mathbb{F}_{2^8}\) by using a Cauchy matrix, which was used in the MDS-AES design. The authors claimed that their construction by itself guarantees that the resulting matrix is MDS and involutory. But the authors didn't justify their claim. In this paper we study and prove that this proposed matrix is not an MDS matrix. Note that this matrix has been designed to be used in the block cipher MDS-AES, which may now have severe weaknesses. We provide an algorithm to construct involutory MDS matrices with low Hamming weight elements to minimize primitive operations such as exclusive-or, table look-ups and xtime operations. In a 2012 paper, Sajadieh et al. provably constructed involutory MDS matrices which were also Hadamard in a finite field by using two Vandermonde matrices. We show that the same matrices can be constructed by using Cauchy matrices and provide a much simpler proof of their construction.
39 citations
07 Jul 2013
TL;DR: A new algorithm is presented to find MDS matrices that are well suited for use as a diffusion layer in lightweight block ciphers; using a recursive construction, it is possible to obtain matrices with a very compact description.
Abstract: This article presents a new algorithm to find MDS matrices that are well suited for use as a diffusion layer in lightweight block ciphers. Using a recursive construction, it is possible to obtain matrices with a very compact description. Classical field multiplications can also be replaced by simple \(\mathbb{F}_2\)-linear transformations (combinations of XORs and shifts) which are much lighter. Using this algorithm, it was possible to design a 16×16 matrix on a 5-bit alphabet, yielding an efficient 80-bit diffusion layer with maximal branch number.
39 citations
07 Dec 2013
TL;DR: This paper presents a generic construction of MDS recursive diffusion layers as proposed but bridging this construction with the theory of Gabidulin codes, which has the property to be not only MDS but also MRD (Maximum Rank Distance).
Abstract: Many recent block ciphers use Maximum Distance Separable (MDS) matrices in their diffusion layer. The main objective of this operation is to spread as much as possible the differences between the outputs of nonlinear Sboxes. So they generally act at nibble or at byte level. The MDS matrices are associated to MDS codes of ratio 1/2. The most famous example is the MixColumns operation of the AES block cipher.
In this example, the MDS matrix was carefully chosen to obtain compact and efficient implementations in software and hardware. However, this MDS matrix is dedicated to 8-bit words, and is not always adapted to lightweight applications. Recently, several studies have been devoted to the construction of recursive diffusion layers. Such a method allows applying an MDS matrix using an iterative process which looks like a Feistel network with linear functions instead of nonlinear ones.
In this paper, we present a generic construction of MDS recursive diffusion layers as proposed in [1], [7], [10], [12], [15] but bridging this construction with the theory of Gabidulin codes. This construction uses Gabidulin codes which have the property to be not only MDS but also MRD (Maximum Rank Distance). This fact gives an additional property to diffusion layers which seems interesting for cryptographic applications.
36 citations
TL;DR: A modified AES with S-boxes bank to be acted like rotor mechanism and dynamic key MDS matrix (SDK-AES) is introduced in this article, which makes AES key dependent and resist the frequency attack.
Abstract: With computers, security is only a matter of software. The Internet has made computer security much more difficult than it used to be. In this paper, we introduce a modified AES with an S-box bank acting like a rotor mechanism and a dynamic key MDS matrix (SDK-AES). In this paper we try to make AES key dependent and resistant to the frequency attack. The SDK-AES algorithm is compared with AES and gives excellent results from the viewpoint of the security characteristics and the statistics of the ciphertext. Also, we apply the randomness tests to the SDK-AES algorithm, and the results show that the new design passes all tests, which proves its security.
17 citations
TL;DR: This paper restricts the values of the \(z_i\)'s to \(\{1, \alpha, \alpha^2, \alpha+1\}\), such that \(\mathrm{Serial}(z_0,\dots,z_{d-1})^d\) is MDS for d = 4 and 5, where \(\alpha\) is the root of the constructing polynomial of \(\mathbb{F}_{2^n}\).
Abstract: Maximum distance separable (MDS) matrices have applications not only in coding theory but also are of great importance in the design of block ciphers and hash functions. It is highly nontrivial to find MDS matrices which could be used in lightweight cryptography. In a Crypto 2011 paper, Guo et al. proposed a new MDS matrix \(\mathrm{Serial}(1,2,1,4)^4\) over \(\mathbb{F}_{2^8}\). This representation has a compact hardware implementation of the AES MixColumn operation. No general study of MDS properties of this newly introduced construction of the form \(\mathrm{Serial}(z_0,\dots,z_{d-1})^d\) over \(\mathbb{F}_{2^n}\) for arbitrary d and n is available in the literature. In this paper we study some properties of MDS matrices and provide an insight into why \(\mathrm{Serial}(z_0,\dots,z_{d-1})^d\) leads to an MDS matrix. For efficient hardware implementation, we aim to restrict the values of the \(z_i\)'s to \(\{1, \alpha, \alpha^2, \alpha+1\}\), such that \(\mathrm{Serial}(z_0,\dots,z_{d-1})^d\) is MDS for d = 4 and 5, where \(\alpha\) is the root of the constructing polynomial of \(\mathbb{F}_{2^n}\). We also propose more generic constructions of MDS matrices, e.g. we construct lightweight 4×4 and 5×5 MDS matrices over \(\mathbb{F}_{2^n}\) for all n ≥ 4. An algorithm is presented to check if a given matrix is MDS. The algorithm directly follows from the basic properties of MDS matrices and is easy to implement.
8 citations
TL;DR: Zhang et al. as discussed by the authors showed that the security of Zorro against linear and differential cryptanalysis evaluated by designers is insufficient and the block cipher is far from a random permutation.
Abstract: Zorro is an AES-like lightweight block cipher proposed at CHES 2013, which only uses 4 S-boxes per round. The designers showed the resistance of the cipher against various attacks and concluded the cipher has a large security margin. Recently, Guo et al. [1] have given a key recovery attack on full-round Zorro by using internal differential characteristics. However, the attack only works for 2 out of 2 keys. In this paper, the secret key selected randomly from the whole key space can be recovered with a time complexity of 2 full-round Zorro encryptions and a data complexity of 2 chosen plaintexts. We first observe that the fourth power of the MDS matrix used in Zorro equals the identity matrix. Moreover, several iterated differential characteristics and iterated linear trails are found due to this interesting property. We select three characteristics with the largest probability to give a key recovery attack on Zorro, and a linear trail with the largest correlation to show a linear distinguishing attack with 2 known plaintexts. The results show that the security of Zorro against linear and differential cryptanalysis evaluated by the designers is insufficient and the block cipher Zorro is far from a random permutation.
4 citations
11 Mar 2013
TL;DR: WIDEA is a family of block ciphers designed by Junod and Macchetti in 2009 as an extension of IDEA to larger block sizes and larger key sizes.
Abstract: WIDEA is a family of block ciphers designed by Junod and Macchetti in 2009 as an extension of IDEA to larger block sizes (256 and 512 bits for the main instances WIDEA-\(4\) and WIDEA-\(8\)) and larger key sizes (512 and 1024 bits, respectively). WIDEA-\(w\) is composed of \(w\) parallel copies of the IDEA block cipher, with an MDS matrix to provide diffusion between them. An important motivation was to use WIDEA to design a hash function.
3 citations
TL;DR: In this paper, a structural analysis of AES-128 was performed and it was shown that the full AES-256 cannot be proven secure unless the exact coefficients of the MDS matrix and the S-Box differential properties are taken into account since its structure is vulnerable to a related key differential attack.
Abstract: While the symmetric-key cryptography community now has good experience on how to build a secure and efficient fixed permutation, it remains an open problem how to design a key schedule for block ciphers, as shown by the numerous candidates broken in the related-key model or in a hash function setting. Provable security against differential and linear cryptanalysis in the related-key scenario is an important step towards a better understanding of its construction. Using a structural analysis, we show that the full AES-128 cannot be proven secure unless the exact coefficients of the MDS matrix and the S-Box differential properties are taken into account, since its structure is vulnerable to a related-key differential attack. We then exhibit a chosen-key distinguisher for AES-128 reduced to 9 rounds, which solves an open problem of the symmetric community. We obtain these results by revisiting algorithmic theory and graph-based ideas to compute all the best differential characteristics in SPN ciphers, with a special focus on AES-like ciphers subject to related keys. We use a variant of Dijkstra's algorithm to efficiently find the most efficient related-key attacks on SPN ciphers with an algorithm linear in the number of rounds.
01 Jan 2013
TL;DR: This paper introduces a new symmetric cryptosystem based on IDEA system that can encrypt blocks of plaintext of length 512 bits into blocks of the same length.
Abstract: The increasing ubiquity of information technologies in all aspects of human life makes security issues one of the most critical aspects of system design. In this paper we introduce a new symmetric cryptosystem based on the IDEA system. The plaintext block is divided into basic sub-blocks, each thirty-two bits in length. The new proposal can encrypt blocks of plaintext of length 512 bits into blocks of the same length. The key length is 1024 bits. The total number of rounds is 16. It uses modulo \(2^{32}\)
01 Jan 2013
TL;DR: A new symmetric cryptosystem having a key dependent operation, enhanced by a rotor with controlled user identification ID and user key with optimal MDS matrix is given.
Abstract: Nowadays, cryptography plays a major role in protecting the information of technology applications. This paper gives a new symmetric cryptosystem having a key dependent operation, enhanced by a rotor controlled by the user identification ID and the user key. The plaintext block is divided into basic Gaussian sub-blocks, each thirty-two bits in length. The new proposal uses an optimal MDS matrix. The new proposal can encrypt blocks of plaintext of length 512 bits into blocks of the same length. Also, the key length is 512 bits. The total number of rounds is sixteen. It uses