
Showing papers on "MDS matrix" published in 2017


Journal ArticleDOI
TL;DR: This work proposes a tool named LIGHTER, based on two related algorithms, that produces optimized implementations of small functions and outperforms the area-optimized synthesis of the state-of-the-art academic tool ABC for non-linear permutations.
Abstract: We study the synthesis of small functions used as building blocks in lightweight cryptographic designs in terms of hardware implementations. This phase most notably appears during the ASIC implementation of cryptographic primitives. The quality of this step directly affects the output circuit, and while general tools exist to carry out this task, most of them belong to proprietary software suites and apply heuristics to functions of any size. In this work, we focus on small functions (4- and 8-bit mappings) and look for their optimal implementations on a specific weighted instruction set which allows fine tuning of the technology. We propose a tool named LIGHTER, based on two related algorithms, that produces optimized implementations of small functions. To demonstrate the validity and usefulness of our tool, we applied it to two practical cases: first, linear permutations that define diffusion in most SPN ciphers; second, non-linear 4-bit permutations that are used in many lightweight block ciphers. For linear permutations, we exhibit several new MDS diffusion matrices lighter than the state of the art, and we also decrease the implementation cost of several already known MDS matrices. As for non-linear permutations, LIGHTER outperforms the area-optimized synthesis of the state-of-the-art academic tool ABC. Smaller circuits can also be reached when ABC and LIGHTER are used jointly.

76 citations


Proceedings ArticleDOI
Geewon Suh1, Kangwook Lee1, Changho Suh1
01 Oct 2017
TL;DR: This work shows that the Short-Dot scheme is optimal if a Maximum Distance Separable (MDS) matrix is fixed, and proposes a new encoding scheme that can achieve strictly larger sparsity than the existing schemes.
Abstract: Coded computation is a framework for providing redundancy in distributed computing systems to make them robust to slower nodes, or stragglers. In a recent work of Lee et al., the authors propose a coded computation scheme for distributedly computing A·x in the presence of stragglers. The proposed algorithm first encodes the data matrix A to obtain an encoded matrix F. It then computes F·x using distributed processors, waits for some subset of the processors to finish their computations, and decodes A·x from the partial computation results. In another recent work, Dutta et al. explore a new tradeoff between the sparsity of the encoded matrix F and the number of processors to wait for to compute A·x. They show that one can introduce a large number of zeros into F to reduce the computational overhead while keeping the number of processors to wait for relatively low. Hence, one can potentially further speed up the distributed computation. In this work, motivated by this observation, we study the sparsity of the encoded matrix for coded computation. Our goal is to characterize the fundamental limits on the sparsity level. We first show that the Short-Dot scheme is optimal if a Maximum Distance Separable (MDS) matrix is fixed. Further, by also designing this MDS matrix, we propose a new encoding scheme that can achieve strictly larger sparsity than the existing schemes. We also provide an information-theoretic upper bound on the sparsity.

49 citations
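The encode / compute / decode pipeline the abstract above describes, as an added example (my own code, not the authors' or the paper's). A Vandermonde matrix over a prime field plays the role of the fixed MDS matrix: the rows of A are split into k blocks, each of n simulated workers receives one encoded block F_i and returns F_i·x, and A·x is recovered from any k of the n results by one k×k solve. The field size, matrix dimensions, random input and the set of workers that "finish" are constructed choices. The encoding here is fully dense, so it shows the MDS property that Short-Dot starts from, not the sparsity tradeoff the paper studies.

```python
import random

P = 2_147_483_647   # prime modulus; all arithmetic below is over GF(P)


def vandermonde(n, k):
    """n x k Vandermonde matrix with nodes 1..n.  Any k of its rows form an
    invertible matrix (distinct nodes), so it is an MDS encoding matrix."""
    return [[pow(i + 1, j, P) for j in range(k)] for i in range(n)]


def matvec(M, x):
    return [sum(a * b for a, b in zip(row, x)) % P for row in M]


def solve(M, B):
    """Gauss-Jordan over GF(P): returns Z with M Z = B (B may have several
    columns).  Raises ValueError if M is singular."""
    k = len(M)
    aug = [list(M[i]) + list(B[i]) for i in range(k)]
    for c in range(k):
        p = next((r for r in range(c, k) if aug[r][c]), None)
        if p is None:
            raise ValueError("singular system")
        aug[c], aug[p] = aug[p], aug[c]
        inv = pow(aug[c][c], P - 2, P)          # Fermat inverse of the pivot
        aug[c] = [v * inv % P for v in aug[c]]
        for r in range(k):
            if r != c and aug[r][c]:
                f = aug[r][c]
                aug[r] = [(v - f * w) % P for v, w in zip(aug[r], aug[c])]
    return [row[k:] for row in aug]


def encode(A, k, n):
    """Split A (k*r rows) into blocks A_0..A_{k-1} and return the n encoded
    blocks F_i = sum_j G[i][j] * A_j, one per worker."""
    r, G = len(A) // k, vandermonde(n, k)
    blocks = [A[j * r:(j + 1) * r] for j in range(k)]
    return [[[sum(G[i][j] * blocks[j][t][s] for j in range(k)) % P
              for s in range(len(A[0]))] for t in range(r)] for i in range(n)]


def decode(results, k, n):
    """results maps a worker index to F_i x.  Any k of them determine A x:
    solve G_S Z = Y, where row j of Z is A_j x."""
    if len(results) < k:
        raise ValueError(f"need {k} finished workers, have {len(results)}")
    S = sorted(results)[:k]
    G = vandermonde(n, k)
    Z = solve([G[i] for i in S], [results[i] for i in S])
    return [v for row in Z for v in row]


def coded_matvec(A, x, k, n, finished):
    """Encode, let every worker compute its share, but collect only the
    results of the workers in 'finished' (the others are the stragglers)."""
    enc = encode(A, k, n)
    return decode({i: matvec(enc[i], x) for i in finished}, k, n)


def random_instance(seed, rows, cols):
    rng = random.Random(seed)                       # constructed sample input
    A = [[rng.randrange(P) for _ in range(cols)] for _ in range(rows)]
    x = [rng.randrange(P) for _ in range(cols)]
    return A, x


def demo(seed=1, k=3, n=5, r=2, c=4, finished=(1, 3, 4)):
    """True iff the coded result equals the plain A x."""
    A, x = random_instance(seed, k * r, c)
    return matvec(A, x) == coded_matvec(A, x, k, n, finished)


def can_decode(seed=1, k=3, n=5, r=2, c=4, finished=(0, 4)):
    """False when fewer than k workers finished: with fewer than k rows of G
    the system is underdetermined and decode refuses rather than guessing."""
    A, x = random_instance(seed, k * r, c)
    try:
        coded_matvec(A, x, k, n, finished)
        return True
    except ValueError:
        return False
```

Which n−k workers straggle does not matter, only that k of them return; that is exactly the MDS property of G. Every worker here still multiplies a dense r×c block, which is the per-worker cost that the sparsity tradeoff of Dutta et al. and of this paper reduces by putting zeros into F.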


Journal ArticleDOI
TL;DR: This paper characterizes the polynomials that yield recursive MDS matrices in a more general setting and proposes three methods for obtaining them, paving the way for new direct constructions.
Abstract: MDS matrices are of great importance in the design of block ciphers and hash functions. MDS matrices are not sparse and have a large description, and thus induce a costly implementation in software/hardware. To overcome this problem, in particular for applications in lightweight cryptography, it was proposed by Guo et al. to use recursive MDS matrices. A recursive MDS matrix is an MDS matrix which can be expressed as a power of some companion matrix. Following the work of Guo et al., some ad-hoc search techniques were proposed to find recursive MDS matrices which are suitable for hardware/software implementation. In another direction, coding-theoretic techniques are used to directly construct recursive MDS matrices: Berger's technique uses Gabidulin codes and the technique of Augot et al. uses shortened BCH codes. In this paper, we first characterize the polynomials that yield recursive MDS matrices in a more general setting. Based on this we provide three methods for obtaining such polynomials. Moreover, the recursive MDS matrices obtained using shortened BCH codes can also be obtained with our first method; in fact we get a larger set of polynomials than the method which uses shortened BCH codes. Our other methods appear similar to the method which uses Gabidulin codes. We get a new infinite class of recursive MDS matrices from one of the proposed methods. Although we propose three methods for the direct construction of recursive MDS matrices, our characterization results pave the way for new direct constructions.

16 citations


Book ChapterDOI
03 Jul 2017
TL;DR: This study leads to improving the known bounds on XOR counts of \(8 \times 8\) MDS matrices by obtaining Toeplitz MDS matrices with lower XOR counts over \(\mathbb{F}_{2^4}\) and \(\mathbb{F}_{2^8}\).
Abstract: This work considers the problem of constructing efficient MDS matrices over the field \(\mathbb{F}_{2^m}\). Efficiency is measured by the metric XOR count, which was introduced by Khoo et al. at CHES 2014. Recently, Sarkar and Syed (ToSC Vol. 1, 2016) have shown the existence of \(4 \times 4\) Toeplitz MDS matrices with optimal XOR counts. In this paper, we present some characterizations of Toeplitz matrices in light of the MDS property. Our study leads to improving the known bounds on XOR counts of \(8 \times 8\) MDS matrices by obtaining Toeplitz MDS matrices with lower XOR counts over \(\mathbb{F}_{2^4}\) and \(\mathbb{F}_{2^8}\).

14 citations


Journal ArticleDOI
TL;DR: In this article, it was shown that for a monic polynomial g(X) of degree \(k \ge 2\), the matrix \(M = C_g^k\) is MDS if and only if g(X) has no nonzero multiple of degree \(\le 2k-1\) and weight \(\le k\).
Abstract: MDS matrices allow to build optimal linear diffusion layers in the design of block ciphers and hash functions. There has been a lot of study in designing efficient MDS matrices suitable for software and/or hardware implementations. In particular, recursive MDS matrices are considered for resource-constrained environments. Such matrices can be expressed as a power of simple companion matrices, i.e., an MDS matrix \(M = C_g^k\) for some companion matrix corresponding to a monic polynomial \(g(X) \in \mathbb{F}_q[X]\) of degree k. In this paper, we first show that for a monic polynomial g(X) of degree \(k \ge 2\), the matrix \(M = C_g^k\) is MDS if and only if g(X) has no nonzero multiple of degree \(\le 2k-1\) and weight \(\le k\). This characterization answers the issues raised by Augot et al. in their FSE 2014 paper to some extent. We then revisit the algorithm given by Augot et al. to find all recursive MDS matrices that can be obtained from a class of BCH codes (which are also MDS) and propose an improved algorithm. We identify exactly which candidates in this class of BCH codes yield recursive MDS matrices, so the computation can be confined to only those candidate polynomials, greatly reducing the complexity. As a consequence we are able to provide formulae for the number of such recursive MDS matrices, whereas in the FSE 2014 paper the same numbers are obtained by exhaustive search for some small parameter choices. We also present a few ideas that make the search for efficient recursive MDS matrices in this class faster. Using our approach, it is possible to exhaustively search this class for larger parameter choices, which was not possible earlier. We also present our search results for the case \(k = 8\) and \(q = 2^{16}\).

13 citations
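Added example (my own code, not taken from this or any other paper listed here) that makes three properties recurring in this list concrete: the MDS test by square submatrices, the XOR-count cost metric of Khoo et al. that the LIGHTER and Toeplitz papers above optimize (implemented as I understand that metric: per-entry cost from the binary multiplication matrix, plus (d−1)·m XORs per row to add the d products), and the recursive construction M = C_g^k together with the low-weight-multiple criterion stated in the abstract above. The criterion is checked by brute force: a multiple of g of degree at most 2k−1 is g·q with deg q ≤ k−1, so enumerating monic q suffices. The 4×4 matrix over GF(2^4) with x^4+x+1 used in the tests is, to my knowledge, the LED cipher's serial MixColumns matrix Serial(4,1,2,2)^4; treat that attribution as an assumption, the checks do not depend on it.

```python
from itertools import combinations, product


class GF2m:
    """GF(2^m) = F_2[x]/(poly); elements are ints, poly includes the x^m term."""

    def __init__(self, m, poly):
        self.m, self.poly = m, poly

    def mul(self, a, b):
        r = 0
        for _ in range(self.m):
            if b & 1:
                r ^= a
            b >>= 1
            a <<= 1
            if a >> self.m:            # reduce as soon as degree m appears
                a ^= self.poly
        return r

    def inv(self, a):
        r, e = 1, (1 << self.m) - 2    # a^(2^m - 2) = a^-1 for a != 0
        while e:
            if e & 1:
                r = self.mul(r, a)
            a, e = self.mul(a, a), e >> 1
        return r

    def det(self, M):
        """Gaussian elimination; row swaps need no sign in characteristic 2."""
        M, n, d = [row[:] for row in M], len(M), 1
        for c in range(n):
            p = next((r for r in range(c, n) if M[r][c]), None)
            if p is None:
                return 0
            M[c], M[p] = M[p], M[c]
            d, ic = self.mul(d, M[c][c]), self.inv(M[c][c])
            for r in range(c + 1, n):
                f = self.mul(M[r][c], ic)
                M[r] = [x ^ self.mul(f, y) for x, y in zip(M[r], M[c])]
        return d

    def is_mds(self, M):
        """MDS <=> every square submatrix is nonsingular (branch number d + 1)."""
        n = len(M)
        return all(self.det([[M[r][c] for c in cols] for r in rows])
                   for k in range(1, n + 1)
                   for rows in combinations(range(n), k)
                   for cols in combinations(range(n), k))

    def xor_count(self, a):
        """XOR gates for x -> a*x: build the m x m binary matrix of the map
        column by column and charge (ones in row) - 1 for each row."""
        ones = [0] * self.m
        for j in range(self.m):
            col = self.mul(a, 1 << j)       # image of the basis vector x^j
            for i in range(self.m):
                ones[i] += col >> i & 1
        return sum(max(c - 1, 0) for c in ones)

    def matrix_xor_count(self, M):
        """Entry costs plus (d - 1) * m XORs to add the d products of each row."""
        d = len(M)
        return sum(self.xor_count(a) for row in M for a in row) + d * (d - 1) * self.m


def mat_mul(F, A, B):
    n = len(A)
    out = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            for t in range(n):
                out[i][j] ^= F.mul(A[i][t], B[t][j])
    return out


def companion(g):
    """C_g for monic g(X) = X^k + g[k-1] X^(k-1) + ... + g[0]; g is given low
    to high with the leading 1 omitted and becomes the last row."""
    k = len(g)
    return [[int(j == i + 1) for j in range(k)] for i in range(k - 1)] + [list(g)]


def companion_power(F, g):
    """The recursive matrix M = C_g^k: k clockings of the LFSR defined by g."""
    C = M = companion(g)
    for _ in range(len(g) - 1):
        M = mat_mul(F, M, C)
    return M


def low_weight_multiple(F, g, k):
    """A nonzero multiple of g (coefficients low to high) with degree <= 2k-1
    and weight <= k, or None.  Scaling q does not change the weight of g*q,
    so only monic q of degree <= k-1 are tried."""
    gfull = list(g) + [1]
    for d in range(k):
        for low in product(range(1 << F.m), repeat=d):
            q = list(low) + [1]
            h = [0] * (len(gfull) + d)
            for i, a in enumerate(gfull):
                for j, b in enumerate(q):
                    h[i + j] ^= F.mul(a, b)
            if sum(1 for c in h if c) <= k:
                return h
    return None
```

For g(X) = X^4 + 2X^3 + 2X^2 + X + 4 over GF(2^4) the two checks agree in the positive direction (C_g^4 passes the submatrix test and no multiple of weight at most 4 and degree at most 7 exists); for g(X) = X^4 + 1 they agree in the negative direction, since g itself has weight 2 and C_g^4 is the identity. The submatrix test grows as the sum of squared binomials, so for 8×8 over GF(2^8) prefer the polynomial criterion or the BCH-based search the abstract describes.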


Book
11 Dec 2017
TL;DR: In this article, the authors propose a Dynamic Mix Column Transformation based on the default MDS matrix of AES and an additional m-bit key, where m is a variable length that does not exceed the product of 31.97 and one less than the number of encryption rounds.
Abstract: The MDS matrix has an important role in the design of the Rijndael cipher and is the most expensive component of the cipher. It is also used as a perfect diffusion primitive in some other block ciphers. In this paper, we propose a replacement of the Mix Column Transformation in AES by an equivalent Dynamic Mix Column Transformation. A Dynamic Mix Column Transformation comprises dynamic MDS matrices which are based on the default MDS matrix of AES and an additional m-bit key. Here m is a variable length that does not exceed the product of 31.97 and one less than the number of encryption rounds. This mechanism increases the brute-force attack complexity by m bits over the original key and forces attackers to design new frameworks for the different modern cryptanalytic techniques applicable to the cipher. We also present an efficient implementation of this technique on Texas Instruments' DSP C64x+ with no extra cost over default AES, and on a Xilinx Spartan-3 FPGA with no change in AES throughput. We also briefly analyze the security achieved.

9 citations


Book ChapterDOI
29 Nov 2017
TL;DR: This work improves the previous 5-round Meet-in-the-Middle (MitM) attack on Kuznyechik by presenting a 6-round attack using the MitM with differential enumeration technique.
Abstract: Kuznyechik is an SPN block cipher that has recently been standardized by the Russian Federation as a new GOST cipher. The cipher employs a 256-bit key which is used to generate ten 128-bit round keys. The encryption procedure updates the 16-byte state by iterating the round function for nine rounds. In this work, we improve the previous 5-round Meet-in-the-Middle (MitM) attack on Kuznyechik by presenting a 6-round attack using the MitM with differential enumeration technique. Unlike previous distinguishers, which utilize only the structural properties of the Maximum Distance Separable (MDS) linear transformation layer of the cipher, our 3-round distinguisher is computed from the exact values of the coefficients of this MDS transformation. More specifically, we first identify the MDS matrix utilized in this cipher. Then we find all the relations between subsets of the inputs and outputs of this linear transformation. Finally, we use one of these relations to find the distinguisher that best optimizes the time complexity of the attack. Also, instead of placing the distinguisher in the middle rounds of the cipher as in the previous 5-round attack, we place it at the first 3 rounds, which allows us to convert the attack from the chosen-ciphertext model to the chosen-plaintext model. Then, to extend the distinguisher by 3 rounds, we perform the matching between the offline and online phases around the linear transformation instead of matching on a state byte.

7 citations


Journal ArticleDOI
TL;DR: The authors propose a mathematical description of the truncated impossible differentials and provide two efficient algorithms to compute the DPMs for both bit-shuffles and matrices over \(GF(2^n)\).
Abstract: This study concentrates on finding all truncated impossible differentials in substitution-permutation network (SPN) ciphers. Instead of using the miss-in-the-middle approach, the authors propose a mathematical description of the truncated impossible differentials. First, they prove that all truncated impossible differentials in an (r + 1)-round SPN cipher can be obtained by searching for `0' entries in \(D(P)^r\), where \(D(P)\) denotes the differential pattern matrix (DPM) of the P-layer; thus the length of the impossible differentials of an SPN cipher is upper bounded by the minimum integer r such that there is no `0' entry in \(D(P)^r\). Second, they provide two efficient algorithms to compute the DPMs for both bit-shuffles and matrices over \(GF(2^n)\). Using these tools they prove that the longest truncated impossible differential in an SPN structure is 2 rounds if the P-layer is designed as a maximum distance separable (MDS) matrix. Finally, all truncated impossible differentials of the advanced encryption standard (AES), ARIA, AES-MDS, PRESENT, MAYA and Puffin are obtained.

7 citations


Book ChapterDOI
13 Dec 2017 - Space
TL;DR: This work significantly improves the performance and flexibility of the construction SPF and proposes a discarding algorithm to drop the symbols that are not elements of the format, thus preserving it.
Abstract: The construction SPF, presented at Inscrypt 2016, was the first known SPN-based format-preserving encryption algorithm. In this work, we significantly improve its performance and flexibility. We term this new construction eSPF. Unlike SPF, all the basic transformations of eSPF are defined over the field \(\mathbb{F}_p\). This allows us to use an MDS matrix instead of the binary matrix used in SPF. The optimal diffusion of the MDS matrix leads to an efficient and secure design. However, this change leads to violations of the message format. To mitigate this, we propose a discarding algorithm that drops the symbols which are not elements of the format, thus preserving it.

7 citations


Book ChapterDOI
12 Dec 2017
TL;DR: It is proved that there is no \(2 \times 2\) orthogonal MDS matrix over the Galois ring \(GR(2^n,k)\), and complete enumerations of \(4 \times 4\) and \(8 \times 8\) enabling Hadamard matrices are given.
Abstract: MDS matrices are important components in block cipher design, providing diffusion of input bits. Recently, many constructions of MDS matrices have focused on lightweight constructions. All previous constructions of MDS matrices were over Galois fields. In this paper, we give a new construction of MDS matrices over the Galois ring \(GR(2^n,k)=\mathbb{Z}_{2^n}[x]/(f(x))\), where f(x) is a basic irreducible polynomial of degree k over \(\mathbb{Z}_{2^n}\). We first construct Hadamard matrices over \(U(GR(2^n,k))\) by adding signs to the entries of the matrices (i.e. performing entry-wise multiplication with enabling Hadamard \((1,-1)\)-matrices). We give complete enumerations of \(4 \times 4\) and \(8 \times 8\) enabling Hadamard \((1,-1)\)-matrices. We prove that there is no \(2 \times 2\) orthogonal MDS matrix over the Galois ring \(GR(2^n,k)\) and construct \(4 \times 4\) orthogonal MDS matrices over \(GR(2^n,k)\).

4 citations


Proceedings ArticleDOI
17 Mar 2017
TL;DR: The permutation-group characteristics of the lightest circulant MDS matrices are found: they possess the characteristics of the symmetric group S4, and a particular kind of MDS matrix can even form a Klein four-group in some ways.
Abstract: \(4 \times 4\) MDS (Maximal Distance Separable) matrices with few XORs have a wide range of applications in many mainstream lightweight ciphers. \(4 \times 4\) circulant MDS matrices over GL(4, F2) need at least 12 XOR operations. In this paper, by traversing their structural characteristics, the complete construction and enumeration of the lightest circulant MDS matrices are investigated for the first time. Then the overall structure and the diagrams of these matrices are given. Finally, the permutation-group characteristics of the lightest circulant MDS matrices above are found: they possess the characteristics of the symmetric group S4, and a particular kind of MDS matrix can even form a Klein four-group in some ways.

Journal ArticleDOI
01 Feb 2017 - Optik
TL;DR: It is proved that the proposed MDS matrices with a small number of both different elements and XOR gates are efficient in terms of implementation performance, and it is shown that the multi-MDS matrix generator inherits the dynamical properties of the high-dimensional Cat map, improving the resistance of diffusion layers against the powerful techniques of cryptanalysis.
Abstract: Maximum distance separable (MDS) matrices are employed to create diffusion layers in block ciphers and hash functions. MDS matrices are generated by linear codes to reduce the cost for software or hardware implementations. However, linear codes can only generate a limited number of MDS matrices in a finite field. As a consequence, many block ciphers adopt the same matrices. This paper describes the design of a generator to create a large number of different MDS matrices at the same time by changing parameters of the high-dimensional Cat Map, named a multi-MDS matrix generator. We identify three types of Cat matrices which can be used to construct a multi-MDS matrix generator. In addition, we prove that the proposed MDS matrices with a small number of both different elements and XOR gates are efficient in terms of implementation performance. Finally, we show that the multi-MDS matrix generator inherits the dynamical properties of the high-dimensional Cat map, improving the resistance of diffusion layers against the powerful techniques of cryptanalysis.

Proceedings ArticleDOI
01 Jun 2017
TL;DR: Encryption and decryption with dynamic MDS matrices are shown to be computable more quickly by reusing the original MDS matrices.
Abstract: MDS (Maximum Distance Separable) matrices have an important role in the design of block ciphers and hash functions. Methods for transforming an MDS matrix into other ones, to create dynamic MDS matrices for use, have been proposed by many authors in the literature. In this paper, dynamic MDS matrices generated by the direct exponent and scalar multiplication transformations are studied in terms of efficiently calculating the outputs of the dynamic MDS matrices from the original MDS matrices when the inputs are known, as well as efficiently calculating the inputs of the dynamic MDS matrices from the original MDS matrices when the outputs are known. Encryption and decryption with dynamic MDS matrices are shown to be computable more quickly by reusing the original MDS matrices. In addition, a way of quickly calculating the direct exponent of MDS matrices based on a lookup table is presented.

Proceedings ArticleDOI
01 Oct 2017
TL;DR: A new metric based on the order of the matrix, to measure the security of a diffusion layer consisting of an MDS matrix over a finite field extension, is proposed and related experimental results are given.
Abstract: In recent years, lightweight cryptography has become essential, especially for resource-constrained devices, to ensure data protection and security. The selection of a suitable cryptographic algorithm, which is directly linked to the requirements of the system, has a direct effect on metrics such as device performance, hardware resource cost, area, speed, efficiency, computation latency and communication bandwidth. This paper aims to provide a comprehensive survey of the lightweight block ciphers given in the literature and to shed light on future research directions. Then the focus is given to the diffusion layers in view of construction methods and efficiency. A new metric based on the order of the matrix, to measure the security of a diffusion layer consisting of an MDS matrix over a finite field extension, is proposed and related experimental results are given. The key schedules of the lightweight block ciphers are also analyzed.

Journal ArticleDOI
TL;DR: The connection between the maximum number of ones in bi-regular matrices and the incidence matrices of Balanced Incomplete Block Designs (BIBD) is explored, and an upper bound on the number of ones in any \(d \times d\) MDS matrix is provided.
Abstract: In this paper, we observe simple yet subtle interconnections among design theory, coding theory and cryptography. Maximum distance separable (MDS) matrices have applications not only in coding theory but are also of great importance in the design of block ciphers and hash functions. It is nontrivial to find MDS matrices which could be used in lightweight cryptography. In the SAC 2004 paper [12], Junod and Vaudenay considered bi-regular matrices, which are useful objects to build MDS matrices. Bi-regular matrices are those matrices all of whose entries are nonzero and all of whose \(2 \times 2\) submatrices are nonsingular. Therefore MDS matrices are bi-regular matrices, but the converse is not true. They proposed constructions of efficient MDS matrices by studying two major aspects of a \(d \times d\) bi-regular matrix M, namely \(v_1(M)\), the number of occurrences of 1 in M, and \(c_1(M)\), the number of distinct elements in M other than 1. They calculated the maximum number of ones that can occur in a \(d \times d\) bi-regular matrix, i.e. \(v_1^{d,d}\), for d up to 8, but with their approach, finding \(v_1^{d,d}\) for \(d \ge 9\) seems difficult. In this paper, we explore the connection between the maximum number of ones in bi-regular matrices and the incidence matrices of Balanced Incomplete Block Designs (BIBD), and develop tools to compute \(v_1^{d,d}\) for arbitrary d. Using these results, we construct a restrictive version of \(d \times d\) bi-regular matrices, which we call almost-bi-regular matrices, having \(v_1^{d,d}\) ones for \(d \le 21\). Since the number of ones in any \(d \times d\) MDS matrix cannot exceed the maximum number of ones in a \(d \times d\) bi-regular matrix, our results provide an upper bound on the number of ones in any \(d \times d\) MDS matrix.
We observe an interesting connection between Latin squares and bi-regular matrices, study the conditions under which a Latin square becomes a bi-regular matrix, and finally construct MDS matrices from Latin squares. A lower bound on \(c_1(M)\) is also computed for \(d \times d\) bi-regular matrices M with \(v_1(M) = v_1^{d,d}\), where \(d = q^2 + q + 1\) and q is any prime power. Finally, efficient \(d \times d\) MDS matrices are constructed for d up to 8 from bi-regular matrices having the maximum number of ones and the minimum number of other distinct elements, for lightweight applications.