Showing papers on "MDS matrix published in 2014"
••23 Sep 2014
TL;DR: In this article, the authors proposed a new comparison metric, the figure of adversarial merit FOAM, which combines the inherent security provided by cryptographic structures and components with their implementation properties, and applied this new metric to meaningful use cases by studying Substitution-Permutation Network permutations that are suited for hardware implementations.
Abstract: In this article, we propose a new comparison metric, the figure of adversarial merit FOAM, which combines the inherent security provided by cryptographic structures and components with their implementation properties. To the best of our knowledge, this is the first such metric proposed to ensure a fairer comparison of cryptographic designs. We then apply this new metric to meaningful use cases by studying Substitution-Permutation Network permutations that are suited for hardware implementations, and we provide new results on hardware-friendly cryptographic building blocks. For practical reasons, we considered linear and differential attacks and we restricted ourselves to fully serial and round-based implementations. We explore several design strategies, from the geometry of the internal state to the size of the S-box, the field size of the diffusion layer or even the irreducible polynomial defining the finite field. We finally test all possible strategies to provide designers an exhaustive approach in building hardware-friendly cryptographic primitives according to area or FOAM metrics, also introducing a model for predicting the hardware performance of round-based or serial-based implementations. In particular, we exhibit new diffusion matrices circulant or serial that are surprisingly more efficient than the current best known, such as the ones used in AES , LED and PHOTON .
TL;DR: The design of Fugue is proof-oriented: the various components are designed in such a way as to allow proofs of security, and yet be efficient to implement, and it is proved that current attack methods cannot find collisions in Fugue any faster than the trivial birthday attack.
Abstract: We describe Fugue, a hash function supporting inputs of length upto 2 − 1 bits and hash outputs of length upto 512 bits. Notably, Fugue is not based on a compression function. Rather, it is directly a hash function that supports variable-length inputs. The starting point for Fugue is the hash function Grindahl, but it extends that design to protect against the kind of attacks that were developed for Grindahl, as well as earlier hash functions like SHA-1. A key enhancement is the design of a much stronger round function which replaces the AES round function of Grindahl, using better codes (over longer words) than the AES 4× 4 MDS matrix. Also, Fugue makes judicious use of this new round function on a much larger internal state. The design of Fugue is proof-oriented: the various components are designed in such a way as to allow proofs of security, and yet be efficient to implement. As a result, we can prove that current attack methods cannot find collisions in Fugue any faster than the trivial birthday attack. Although the proof is computer assisted, the assistance is limited to computing ranks of various matrices.
••03 Mar 2014
TL;DR: In this article, a direct construction based on shortened BCH codes is proposed, allowing to efficiently construct recursive MDS matrices for any given set of parameters, however, not all recursive matrices can be obtained from BCH code, and their algorithm is not always guaranteed to find the best matrices.
Abstract: MDS matrices allow to build optimal linear diffusion layers in block ciphers. However, MDS matrices cannot be sparse and usually have a large description, inducing costly software/hardware implementations. Recursive MDS matrices allow to solve this problem by focusing on MDS matrices that can be computed as a power of a simple companion matrix, thus having a compact description suitable even for constrained environments. However, up to now, finding recursive MDS matrices required to perform an exhaustive search on families of companion matrices, thus limiting the size of MDS matrices one could look for. In this article we propose a new direct construction based on shortened BCH codes, allowing to efficiently construct such matrices for whatever parameters. Unfortunately, not all recursive MDS matrices can be obtained from BCH codes, and our algorithm is not always guaranteed to find the best matrices for a given set of parameters.
••05 May 2014
TL;DR: This paper studies and constructs efficient d ×d circulant MDS matrices for d up to 8 and considers their inverses, which are essential for SPN networks and proves that circulants MDS matrix can not be involutory.
Abstract: Maximum distance separable (MDS) matrices have applications not only in coding theory but are also of great importance in the design of block ciphers and hash functions. It is highly nontrivial to find MDS matrices which could be used in lightweight cryptography. In this paper we study and construct efficient d ×d circulant MDS matrices for d up to 8 and consider their inverses, which are essential for SPN networks. We explore some interesting and useful properties of circulant matrices which are prevalent in many parts of mathematics and computer science. We prove that circulant MDS matrix can not be involutory. We also prove that 2 d ×2 d circulant matrix can not be both orthogonal and MDS.
TL;DR: A new algebraic construction method based on MDS codes for 8×8 and 16×16 involutory and non-involutory binary matrices of branch numbers 5 and 8, respectively is presented.
Abstract: Maximum Distance Separable MDS and Maximum Distance Binary Linear MDBL codes are used as diffusion layers in the design of the well-known block ciphers like the Advanced Encryption Standard, Khazad, Camellia, and ARIA. The reason for the use of these codes in the design of block ciphers is that they provide optimal diffusion effect to meet security of a round function of a block cipher. On the other hand, the constructions of these diffusion layers are various. For example, whereas the Advanced Encryption Standard uses a 4×4 MDS matrix over GF28, ARIA uses a 16×16 involutory binary matrix over GF28. The most important cryptographic property of a diffusion layer is the branch number of that diffusion layer, which represents the diffusion rate and measures security against linear and differential cryptanalysis. Therefore, MDS and Maximum Distance Binary Linear codes, which provide maximum branch number for a diffusion layer, are preferred in the design of block ciphers as diffusion layers. In this paper, we present a new algebraic construction method based on MDS codes for 8×8 and 16×16 involutory and non-involutory binary matrices of branch numbers 5 and 8, respectively. By using this construction method, we also show some examples of these diffusion layers. Copyright © 2012 John Wiley & Sons, Ltd.
••10 Jun 2014
TL;DR: Zhang et al. as mentioned in this paper showed that the security of Zorro against linear and differential cryptanalysis evaluated by designers is insufficient, and that the secret key selected randomly from the whole key space can be recovered much faster than the brute-force attack.
Abstract: Zorro is an AES-like lightweight block cipher proposed in CHES 2013, which only uses 4 S-boxes per round. The designers showed the resistance of the cipher against various attacks and concluded the cipher has a large security margin. Recently, Guo et. al  have given a key recovery attack on full-round Zorro by using the internal differential characteristics. However, the attack only works for 264 out of 2128 keys. In this paper, the secret key selected randomly from the whole key space can be recovered much faster than the brute-force attack. We first observe that the fourth power of the MDS matrix used in Zorro(or AES) equals to the identity matrix. Moveover, several iterated differential characteristics and iterated linear trails are found due to the interesting property. We select three characteristics with the largest probability to give the key recovery attack on Zorro and a linear trail with the largest correlation to show a linear distinguishing attack with 2105.3 known plaintexts. The results show that the security of Zorro against linear and differential cryptanalysis evaluated by designers is insufficient and the security margin of Zorro is not enough.
22 Dec 2014
TL;DR: This article defines an equivalence relation between rings and based on this definition, MDS matrices are classified and determine over equivalent rings and constructs a family of lightweight M DS matrices with the same implementation cost as their inverses for the use in block ciphers.
Abstract: Diffusion layers are an important part of most symmetric ciphers and MDS matrices can be used to construct perfect diffusion layers. However, there are few techniques for constructing these matrices with low implementation cost in software/hardware. In this article, we try to give some construction methods of MDS matrices with at least the following properties: Easy implementation, dynamic use and constructing a large family of MDS matrices from one 0, 1)-matrix which is a block-wise MDS matrix. For this purpose, we define an equivalence relation between rings and based on this definition, we classify and determine MDS matrices over equivalent rings. At first, we construct a new family of MDS matrices only with XORs and right or left shifts. Then, we construct another family of MDS matrices with XORs and cyclic shifts operations. Finally, we construct a family of lightweight MDS matrices with the same implementation cost as their inverses for the use in block ciphers.
TL;DR: An generic algorithm to find out a low-cost matrix, which can be multiplied k times to obtain a given MDS mapping, which is optimized for using in cryptography and shown an explicit case study on the MDS mapped of the hash function PHOTON to obtain the ‘Serial’.
Abstract: The Maximum Distance Separable (MDS) mapping, used in cryptography deploys complex Galois field multiplications, which consume lots of area in hardware, making it a costly primitive for lightweight cryptography. Recently in lightweight hash function: PHOTON, a matrix denoted as ‘Serial’, which required less area for multiplication, has been multiplied 4 times to achieve a lightweight MDS mapping. But no efficient method has been proposed so far to synthesize such a serial matrix or to find the required number of repetitive multiplications needed to be performed for a given MDS mapping. In this paper, first we provide an generic algorithm to find out a low-cost matrix, which can be multiplied k times to obtain a given MDS mapping. Further, we optimize the algorithm for using in cryptography and show an explicit case study on the MDS mapping of the hash function PHOTON to obtain the ‘Serial’. The work also presents quite a few results which may be interesting for lightweight implementation.
TL;DR: A generic construction of classical MDS matrices that are not recursively computed, but that are strong symmetric in order to either accelerate their evaluation with a minimal number of look-up tables, or to perform this evaluation in a circuit.
Abstract: Many recent block ciphers use Maximum Distance Separable (MDS) matrices in their diffusion layer. The main objective of this operation is to spread as much as possible the differences between the outputs of nonlinear Sboxes. So they generally act at nibble or at byte level. The MDS matrices are associated to MDS codes of ratio 1/2. The most famous example is the MixColumns operation of the AES block cipher. In this example, the MDS matrix was carefully chosen to obtain compact and efficient implementations. However, this MDS matrix is dedicated to 8-bit words, and is not always adapted to lightweight applications. Recently, several studies have been devoted to the construction of recursive diffusion layers. Such a method allows to apply an MDS matrix using an iterative process which looks like a Feistel network with linear functions instead of nonlinear. Our approach is quite different. We present a generic construction of classical MDS matrices that are not recursively computed, but that are strong symmetric in order to either accelerate their evaluation with a minimal number of look-up tables, or to perform this evaluation with a minimal number of gates in a circuit. We call this particular kind of matrices "dyadic matrices", since they are related to dyadic codes. We study some basic properties of such matrices. We introduce a generic construction of involutive dyadic MDS matrices from Reed Solomon codes. Finally, we discuss the implementation aspects of these dyadic MDS matrices in order to build efficient block ciphers.