# MDS matrix

About: MDS matrix is a research topic. Over its lifetime, 102 publications have been published within this topic, receiving 2000 citations.

##### Papers

••

07 May 2018

TL;DR: This paper proposes a new class of serial-type matrices called Diagonal-Serial Invertible (DSI) matrices with the sparse property, and introduces the Reversible Implementation (RI) property, which allows the inverse matrix to be implemented using similar hardware resources to the forward matrix, even when the two matrices have different finite field entries.

Abstract: Many block ciphers and hash functions require the diffusion property of Maximum Distance Separable (MDS) matrices. Serial matrices with the MDS property obtain a trade-off between area requirement and clock cycle performance to meet the needs of lightweight cryptography. In this paper, we propose a new class of serial-type matrices called Diagonal-Serial Invertible (DSI) matrices with the sparse property. These matrices have a fixed XOR count (contributed by the connecting XORs) which is half that of existing matrices. We prove that for matrices of order 4, our construction gives the matrix with the lowest possible fixed XOR cost. We also introduce the Reversible Implementation (RI) property, which allows the inverse matrix to be implemented using similar hardware resources to the forward matrix, even when the two matrices have different finite field entries. This allows us to search for serial-type matrices which are lightweight in both directions by just focusing on the forward direction. We obtain MDS matrices which outperform existing lightweight (involutory) matrices.

8 citations

•

20 Sep 2019

TL;DR: Results on the exhaustive search for (recursive) MDS matrices over \(\mathrm{GL}(4, \mathbb{F}_2)\) are presented, and it is established that there is no sparse DSI matrix \(S\) of order 8 over \(\mathbb{F}_{2^8}\) such that \(S^8\) is MDS.

Abstract: MDS matrices are used in the design of diffusion layers in many block ciphers and hash functions due to their optimal branch number. But MDS matrices, in general, have costly implementations. So in search for efficiently implementable MDS matrices, there have been many proposals. In particular, circulant, Hadamard, and recursive MDS matrices from companion matrices have been widely studied. In a recent work, recursive MDS matrices from sparse DSI matrices are studied, which are of interest due to their low fixed cost in hardware implementation. In this paper, we present results on the exhaustive search for (recursive) MDS matrices over \(\mathrm{GL}(4, \mathbb{F}_2)\). Specifically, circulant MDS matrices of order 4, 5, 6, 7, 8; Hadamard MDS matrices of order 4, 8; recursive MDS matrices from companion matrices of order 4; recursive MDS matrices from sparse DSI matrices of order 4, 5, 6, 7, 8 are considered. It is to be noted that the exhaustive search is impractical with a naive approach. We first use some linear algebra tools to restrict the search to a smaller domain and then apply some space-time trade-off techniques to get the solutions. From the set of solutions in the restricted domain, one can easily generate all the solutions in the full domain. From the experimental results, we can see the (non) existence of (involutory) MDS matrices for the choices mentioned above. In particular, over \(\mathrm{GL}(4, \mathbb{F}_2)\), we provide companion matrices of order 4 that yield involutory MDS matrices, circulant MDS matrices of order 8, and establish the nonexistence of involutory circulant MDS matrices of order 6, 8, circulant MDS matrices of order 7, sparse DSI matrices of order 4 that yield involutory MDS matrices, and sparse DSI matrices of order 5, 6, 7, 8 that yield MDS matrices. To the best of our knowledge, these results were not known before.
For the choices mentioned above, if such MDS matrices exist, we provide base sets of MDS matrices, from which all the MDS matrices with the least cost (with respect to d-XOR and s-XOR counts) can be obtained. We also take this opportunity to present some results on the search for sparse DSI matrices over finite fields that yield MDS matrices. We establish that there is no sparse DSI matrix \(S\) of order 8 over \(\mathbb{F}_{2^8}\) such that \(S^8\) is MDS.

8 citations

•

TL;DR: This paper introduces the direct exponent and direct square of a matrix, proves that the direct square of an MDS matrix is again MDS, and shows that a direct exponent of an MDS matrix need not be MDS.

Authors: Ghulam Murtaza and Nassar Ikram (National University of Sciences and Technology, Pakistan)

Abstract: An MDS matrix is an important building block adopted by different algorithms that provides diffusion and has therefore been an area of active research. In this paper, we present the idea of the direct exponent and direct square of a matrix. We prove that the direct square of an MDS matrix results in an MDS matrix, whereas a direct exponent may not be an MDS matrix. We also delineate the direct exponent class and scalar multiplication class of an MDS matrix and determine the number of elements in these classes. In the end, we discuss the standing of design properties of a cryptographic primitive when the MDS matrix is replaced by a dynamic one.

8 citations

•

TL;DR: This paper restricts the values of the \(z_i\)'s to \(\{1, \alpha, \alpha^2, \alpha+1\}\), such that \(\mathrm{Serial}(z_0, \ldots, z_{d-1})^d\) is MDS for \(d = 4\) and \(5\), where \(\alpha\) is the root of the constructing polynomial of \(\mathbb{F}_{2^n}\).

Abstract: Maximum distance separable (MDS) matrices have applications not only in coding theory but are also of great importance in the design of block ciphers and hash functions. It is highly nontrivial to find MDS matrices which could be used in lightweight cryptography. In a CRYPTO 2011 paper, Guo et al. proposed a new MDS matrix \(\mathrm{Serial}(1, 2, 1, 4)\) over \(\mathbb{F}_{2^8}\). This representation has a compact hardware implementation of the AES MixColumn operation. No general study of MDS properties of this newly introduced construction of the form \(\mathrm{Serial}(z_0, \ldots, z_{d-1})^d\) over \(\mathbb{F}_{2^n}\) for arbitrary \(d\) and \(n\) is available in the literature. In this paper we study some properties of MDS matrices and provide insight into why \(\mathrm{Serial}(z_0, \ldots, z_{d-1})^d\) leads to an MDS matrix. For efficient hardware implementation, we aim to restrict the values of the \(z_i\)'s to \(\{1, \alpha, \alpha^2, \alpha+1\}\), such that \(\mathrm{Serial}(z_0, \ldots, z_{d-1})^d\) is MDS for \(d = 4\) and \(5\), where \(\alpha\) is the root of the constructing polynomial of \(\mathbb{F}_{2^n}\). We also propose more generic constructions of MDS matrices, e.g. we construct lightweight \(4 \times 4\) and \(5 \times 5\) MDS matrices over \(\mathbb{F}_{2^n}\) for all \(n \geq 4\). An algorithm is presented to check if a given matrix is MDS. The algorithm directly follows from the basic properties of MDS matrices and is easy to implement.

8 citations
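The recursive construction \(\mathrm{Serial}(z_0, \ldots, z_{d-1})^d\), the submatrix-based MDS check that this abstract mentions, and the direct square from the Murtaza and Ikram abstract above can all be exercised in a few dozen lines. The following is an added example written for this page, not code from any of the papers listed: it assumes the usual companion-matrix layout for \(\mathrm{Serial}\) (ones on the superdiagonal, the \(z_i\) in the last row), the LED/PHOTON nibble field \(\mathbb{F}_{2^4}\) with polynomial \(x^4+x+1\) (0x13) and the AES byte field with \(x^8+x^4+x^3+x+1\) (0x11B), and uses the public LED MixColumnsSerial and AES MixColumns matrices as known-MDS reference values. The page's own \(\mathrm{Serial}(1, 2, 1, 4)\) is evaluated over the AES field and its MDS status printed rather than hard-coded.

```python
"""Recursive (serial) MDS matrices over GF(2^n): construction, MDS check,
direct square.  Added example; field polynomials and sample matrices are
assumptions made here, LED/AES matrices are the published constants."""
from itertools import combinations


class GF2n:
    """GF(2^n) with elements as ints and a fixed irreducible polynomial."""

    def __init__(self, poly):
        self.poly = poly                 # 0x13 = x^4+x+1, 0x11B = AES field
        self.n = poly.bit_length() - 1

    def mul(self, a, b):
        """Carry-less multiply, reduced modulo self.poly after each shift."""
        r, hi = 0, 1 << self.n
        while b:
            if b & 1:
                r ^= a
            b >>= 1
            a <<= 1
            if a & hi:
                a ^= self.poly
        return r


def mat_mul(F, A, B):
    n = len(A)
    return [[_dot(F, A[i], [B[k][j] for k in range(n)]) for j in range(n)]
            for i in range(n)]


def _dot(F, row, col):
    acc = 0
    for x, y in zip(row, col):
        acc ^= F.mul(x, y)
    return acc


def mat_pow(F, A, e):
    R = [[int(i == j) for j in range(len(A))] for i in range(len(A))]
    for _ in range(e):
        R = mat_mul(F, R, A)
    return R


def serial(z):
    """Companion matrix Serial(z_0..z_{d-1}): ones on the superdiagonal and
    z in the last row, so one application is a shift plus d multiplies."""
    d = len(z)
    M = [[int(c == r + 1) for c in range(d)] for r in range(d)]
    M[d - 1] = list(z)
    return M


def is_nonsingular(F, M):
    """Rank test by elimination.  Rows below the pivot are rescaled by the
    pivot instead of divided by it (a nonzero scale never changes
    singularity), so no field inverse is needed."""
    M = [row[:] for row in M]
    n = len(M)
    for c in range(n):
        piv = next((r for r in range(c, n) if M[r][c]), None)
        if piv is None:
            return False
        M[c], M[piv] = M[piv], M[c]
        p = M[c][c]
        for r in range(c + 1, n):
            f = M[r][c]
            if f:
                M[r] = [F.mul(p, x) ^ F.mul(f, y) for x, y in zip(M[r], M[c])]
    return True


def is_mds(F, M):
    """A square matrix is MDS (branch number d+1) iff every square
    submatrix is nonsingular; the 1x1 case already rejects zero entries."""
    n = len(M)
    return all(is_nonsingular(F, [[M[r][c] for c in cols] for r in rows])
               for k in range(1, n + 1)
               for rows in combinations(range(n), k)
               for cols in combinations(range(n), k))


def first_mds_power(F, z, max_e=8):
    """Smallest e such that Serial(z)^e is MDS, or None within max_e."""
    A = serial(z)
    for e in range(1, max_e + 1):
        if is_mds(F, mat_pow(F, A, e)):
            return e
    return None


def direct_square(F, M):
    """Entry-wise squaring.  x -> x^2 is a field automorphism, so every
    minor is squared and stays nonzero: the direct square of an MDS
    matrix is MDS."""
    return [[F.mul(x, x) for x in row] for row in M]


GF16 = GF2n(0x13)      # x^4 + x + 1 (LED / PHOTON nibble field)
GF256 = GF2n(0x11B)    # x^8 + x^4 + x^3 + x + 1 (AES byte field)
LED_MC = mat_pow(GF16, serial([4, 1, 2, 2]), 4)   # LED MixColumnsSerial
AES_MC = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]

if __name__ == "__main__":
    print("(Serial(4,1,2,2))^4 =", LED_MC, "MDS:", is_mds(GF16, LED_MC))
    print("first MDS power of Serial(4,1,2,2):",
          first_mds_power(GF16, [4, 1, 2, 2]))
    print("AES MixColumns MDS:", is_mds(GF256, AES_MC),
          "| direct square MDS:", is_mds(GF256, direct_square(GF256, AES_MC)))
    S = mat_pow(GF256, serial([1, 2, 1, 4]), 4)
    print("(Serial(1,2,1,4))^4 over GF(2^8) =", S, "MDS:", is_mds(GF256, S))
```

The check is exhaustive over all \(\sum_k \binom{d}{k}^2\) square submatrices, which is 69 determinants for \(d = 4\) and 251 for \(d = 5\); it is fine for the orders discussed here but is exactly the cost the exhaustive-search paper above has to avoid with algebraic pruning. Powers of \(\mathrm{Serial}(z)\) below \(d\) still contain zero entries, so `first_mds_power` cannot return anything smaller than \(d\).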

••

04 Nov 2016

TL;DR: Format-Preserving Encryption (FPE) is a symmetric-key primitive whose ciphertext keeps the format and length of the plaintext; almost all existing FPE schemes are based on the Feistel construction and have efficiency issues.

Abstract: Commonly used encryption methods treat the plaintext merely as a stream of bits, disregarding any specific format that the data might have. In many situations, it is desirable and essential to have the ciphertext follow the same format as the plaintext. Moreover, ciphertext length expansion is also not allowed in these situations. Encryption of credit card numbers and social security numbers are the two most common examples of this requirement. Format-Preserving Encryption (FPE) is a symmetric key cryptographic primitive that is used to achieve this functionality. Initiated by the work of Black and Rogaway (CT-RSA 2002), many academic solutions have been proposed in the literature that have focused on designing efficient FPE schemes. However, almost all the existing FPE schemes are based on the Feistel construction and have efficiency issues.

8 citations