Showing papers on "MDS matrix published in 2018"

MDS Matrices over Small Fields: A Proof of the GM-MDS Conjecture

Abstract: An MDS matrix is a matrix whose minors all have full rank. A question arising in coding theory is, what zero patterns can MDS matrices have. There is a natural combinatorial necessary condition (called the MDS condition) which is necessary over any field, and sufficient over very large fields by a probabilistic argument. Dau et al. (ISIT 2014) conjectured that the MDS condition is sufficient over small fields as well, and gave an algebraic conjecture which would imply this. In this work, we prove this conjecture.

MDS Matrices with Lightweight Circuits

Abstract: MDS matrices are an important element for the design of block ciphers such as the AES. In recent years, there has been a lot of work on the construction of MDS matrices with a low implementation cost, in the context of lightweight cryptography. Most of the previous efforts focused on local optimization, constructing MDS matrices with coefficients that can be efficiently computed. In particular, this led to a matrix with a direct xor count of only 106, while a direct implementation of the MixColumn matrix of the AES requires 152 bitwise xors. More recently, techniques based on global optimization have been introduced, where the implementation can reuse some intermediate variables. In particular, Kranz et al. used optimization tools to find a good implementation from the description of an MDS matrix. They have lowered the cost of implementing the MixColumn matrix to 97 bitwise xors, and proposed a new matrix with only 72 bitwise xors, the lowest cost known so far. In this work we propose a different approach to global optimization. Instead of looking for an optimized circuit of a given matrix, we run a search through a space of circuits, to find optimal circuits yielding MDS matrices. This results in MDS matrices with an even lower cost, with only 67 bitwise xors.

ShiftRows Alternatives for AES-like Ciphers and Optimal Cell Permutations for Midori and Skinny

Abstract: We study possible alternatives for ShiftRows to be used as cell permutations in AES-like ciphers. As observed during the design process of the block cipher Midori, when using a matrix with a non-optimal branch number for the MixColumns operation, the choice of the cell permutation, i.e., an alternative for ShiftRows, can actually improve the security of the primitive. In contrast, when using an MDS matrix it is known that one cannot increase the minimum number of active S-boxes by deviating from the ShiftRows-type permutation. However, finding the optimal choice for the cell permutation for a given, non-optimal, MixColumns operation is a highly non-trivial problem. In this work, we propose techniques to speed up the search for the optimal cell permutations significantly. As case studies, we apply those techniques to Midori and Skinny and provide possible alternatives for their cell permutations. We finally state an easy-to-verify sufficient condition on a cell permutation, to be used as an alternative in Midori, that attains a high number of active S-boxes and thus provides good resistance against differential and linear attacks.

MDS matrices over small fields: A proof of the GM-MDS conjecture

Abstract: An MDS matrix is a matrix whose minors all have full rank. A question arising in coding theory is what zero patterns can MDS matrices have. There is a natural combinatorial characterization (called the MDS condition) which is necessary over any field, as well as sufficient over very large fields by a probabilistic argument. Dau et al. (ISIT 2014) conjectured that the MDS condition is sufficient over small fields as well, where the construction of the matrix is algebraic instead of probabilistic. This is known as the GM-MDS conjecture. Concretely, if a $k \times n$ zero pattern satisfies the MDS condition, then they conjecture that there exists an MDS matrix with this zero pattern over any field of size $|\mathbb{F}| \ge n+k-1$. In recent years, this conjecture was proven in several special cases. In this work, we resolve the conjecture.

Lightweight MDS Serial-Type Matrices with Minimal Fixed XOR Count

Abstract: Many block ciphers and hash functions require the diffusion property of Maximum Distance Separable (MDS) matrices. Serial matrices with the MDS property obtain a trade-off between area requirement and clock cycle performance to meet the needs of lightweight cryptography. In this paper, we propose a new class of serial-type matrices called Diagonal-Serial Invertible (DSI) matrices with the sparse property. These matrices have a fixed XOR count (contributed by the connecting XORs) which is half that of existing matrices. We prove that for matrices of order 4, our construction gives the matrix with the lowest possible fixed XOR cost. We also introduce the Reversible Implementation (RI) property, which allows the inverse matrix to be implemented using the similar hardware resource as the forward matrix, even when the two matrices have different finite field entries. This allows us to search for serial-type matrices which are lightweight in both directions by just focusing on the forward direction. We obtain MDS matrices which outperform existing lightweight (involutory) matrices.

Direct Constructions of (Involutory) MDS Matrices from Block Vandermonde and Cauchy-Like Matrices

Abstract: MDS matrices are important components in the design of linear diffusion layers of many block ciphers and hash functions. Recently, there have been a lot of work on searching and construction of lightweight MDS matrices, most of which are based on matrices of special types over finite fields. Among all those work, Cauchy matrices and Vandermonde matrices play an important role since they can provide direct constructions of MDS matrices. In this paper, we consider constructing MDS matrices based on block Vandermonde matrices. We find that previous constructions based on Vandermonde matrices over finite fields can be directly generalized if the building blocks are pairwise commutative. Different from previous proof method, the MDS property of a matrix constructed by two block Vandermonde matrices is confirmed adopting a Lagrange interpolation technique, which also sheds light on a relationship between it and an MDS block Cauchy matrix. Those constructions generalize previous ones over finite fields as well, but our proofs are much simpler. Furthermore, we present a new type of block matrices called block Cauchy-like matrices, from which MDS matrices can also be constructed. More interestingly, those matrices turn out to have relations with MDS matrices constructed from block Vandermonde matrices and the so-called reversed block Vandermonde matrices. For all these constructions, we can also obtain involutory MDS matrices under certain conditions. Computational experiments show that lightweight involutory MDS matrices can be obtained from our constructions.

On Efficient Constructions of Lightweight MDS Matrices

Abstract: The paper investigates the maximum distance separable (MDS) matrix over the matrix polynomial residue ring. Firstly, by analyzing the minimal polynomials of binary matrices with 1 XOR count and element-matrices with few XOR counts, we present an efficient method for constructing MDS matrices with as few XOR counts as possible. Comparing with previous constructions, our corresponding constructions only cost 1 minute 27 seconds to 7 minutes, while previous constructions cost 3 days to 4 weeks. Secondly, we discuss the existence of several types of involutory MDS matrices and propose an efficient necessary-and-sufficient condition for identifying a Hadamard matrix being involutory. According to the condition, each involutory Hadamard matrix over a polynomial residue ring can be accurately and efficiently searched. Furthermore, we devise an efficient algorithm for constructing involutory Hadamard MDS matrices with as few XOR counts as possible. We obtain many new involutory Hadamard MDS matrices with much fewer XOR counts than optimal results reported before.

A proof of the GM-MDS conjecture.

Abstract: An MDS matrix is a matrix whose minors all have full rank. A question arising in coding theory is what zero patterns can MDS matrices have. There is a natural combinatorial characterization (called the MDS condition) which is necessary over any field, as well as sufficient over very large fields by a probabilistic argument. Dau et al. (ISIT 2014) conjectured that the MDS condition is sufficient over small fields as well, where the construction of the matrix is algebraic instead of probabilistic. This is known as the GM-MDS conjecture. Concretely, if a $k \times n$ zero pattern satisfies the MDS condition, then they conjecture that there exists an MDS matrix with this zero pattern over any field of size $|\mathbb{F}| \ge n+k-1$. In recent years, this conjecture was proven in several special cases. In this work, we resolve the conjecture.

A proof of the GM-MDS conjecture

Abstract: An MDS matrix is a matrix whose minors all have full rank. A question arising in coding theory is what zero patterns can MDS matrices have. There is a natural combinatorial characterization (called the MDS condition) which is necessary over any field, as well as sufficient over very large fields by a probabilistic argument. Dau et al. (ISIT 2014) conjectured that the MDS condition is sufficient over small fields as well, where the construction of the matrix is algebraic instead of probabilistic. This is known as the GM-MDS conjecture. Concretely, if a $k \times n$ zero pattern satisfies the MDS condition, then they conjecture that there exists an MDS matrix with this zero pattern over any field of size $|\mathbb{F}| \ge n+k-1$. In recent years, this conjecture was proven in several special cases. In this work, we resolve the conjecture.

Lightweight Recursive MDS Matrices with Generalized Feistel Network

Abstract: Maximum distance separable (MDS) matrices are often used to construct optimal linear diffusion layers in many block ciphers. With the development of lightweight cryptography, the recursive MDS matrices play as good candidates. The recursive MDS matrices can be computed as powers of sparse matrices. In this paper, we consider searching recursive MDS matrices from Generalized Feistel Structure (GFN) matrices. The advantage of constructing MDS matrices based on GFN matrices mainly displays two aspects. First, the recursive GFN MDS matrix can be implemented by parallel computation that would reduce the running time. Second, the inverse matrix of recursive GFN MDS matrix is also a recursive GFN MDS matrix and they have the same XOR count. We provide some computational experiments to show we do find some lightweight \(4\times 4\) and \(8\times 8\) recursive GFN MDS matrices over \(\mathbb {F}_{2^{n}}\). Especially, the \(8\times 8\) recursive GFN MDS matrices over \(\mathbb {F}_{2^{8}}\) have lower XOR count than the previous recursive MDS matrices.