MDS matrix

About: MDS matrix is a research topic. Over the lifetime, 102 publications have been published within this topic receiving 2000 citations.

Construction of lightweight involutory MDS matrices

Abstract: In this paper, we propose an efficient method to find lightweight involutory MDS matrices. To obtain involutory matrices, we give a necessary and sufficient condition for judging the involutory MDS property and propose a search method. For the $$n\times n$$ involutory MDS matrices over $${\mathbb {F}}_{2^m}$$ , the amount of computation is reduced from $$2^{mn^2}$$ to $$2^{(mn^2)/2}$$ . Especially, we can exhaustively search for involutory MDS matrices when $$n=4$$ , and for larger n, we add additional restrictions to reduce the search range. As for finding lightweight ones, we use the permutation-equivalent class to extend the input such that the efficiency of the heuristic designed by Xiang et al. can be improved. Applying our method, we obtain a class of $$16\times 16$$ binary MDS matrices with branch number 5, which can be implemented with only 35 XOR gates. The results even reach the same implementation cost as the lightest non-involutory MDS matrix up to now. Concerning lightweight binary matrices with order 32, it is hard to obtain optimal results through search. Hence, we construct $$32\times 32$$ matrices with the lightweight $$16 \times 16$$ matrices that we found. In this way, we obtain two classes of $$ 4 \times 4 $$ involutory MDS matrices whose entries are $$ 8 \times 8 $$ binary matrices with 70 XOR gates while the previous lightest matrices with the same size cost 78 XOR gates. Moreover, we also generalize our search method to general cases and it is provable that the approach is feasible for MDS matrices of order 6 and 8 to achieve efficient search.

Differential Cryptanalysis and Linear Distinguisher of Full-Round Zorro.

Abstract: Zorro is an AES-like lightweight block cipher proposed in CHES 2013, which only uses 4 S-boxes per round. The designers showed the resistance of the cipher against various attacks and concluded the cipher has a large security margin. Recently, Guo et. al [1] have given a key recovery attack on full-round Zorro by using the internal differential characteristics. However, the attack only works for 2 out of 2 keys. In this paper, the secret key selected randomly from the whole key space can be recovered with a time complexity of 2 full-round Zorro encryptions and a data complexity of 2 chosen plaintexts. We first observe that the fourth power of the MDS matrix used in Zorro equals to the identity matrix. Moveover, several iterated differential characteristics and iterated linear trails are found due to the interesting property. We select three characteristics with the largest probability to give a key recovery attack on Zorro and a linear trail with the largest correlation to show a a linear distinguishing attack with 2 known plaintexts. The results show that the security of Zorro against linear and differential cryptanalysis evaluated by designers is insufficient and the block cipher Zorro is far from a random permutation.

A Few Negative Results on Constructions of MDS Matrices Using Low XOR Matrices

Abstract: This paper studies some low XOR matrices systematically. Some known low XOR matrices are companion, DSI and sparse DSI matrices. Companion matrices have been well studied now whereas DSI and sparse DSI are newly proposed matrices. There are very few results on these matrices. This paper presents some new mathematical results and rediscovers some existing results on DSI and sparse DSI matrices. Furthermore, we start from a matrix with the minimum number of fixed XORs required, which is one, to construct any recursive MDS matrix. We call such matrices 1-XOR matrices. No family of low XOR matrices can have lesser fixed XORs than 1-XOR matrices. We then move on to 2-XOR and provide some impossibility results for matrices of order 5 and 6 to compute recursive MDS matrices. Finally, this paper shows the non-existence of 8-MDS sparse DSI matrix of order 8 over the field \(\mathbb {F}_{2^8}\).

Orthogonal MDS Diffusion Matrices over Galois Rings

Abstract: MDS matrices are important components in block cipher algorithm design, which provide diffusion of input bits. Recently, many constructions of MDS matrices focused on lightweight constructions. All MDS matrices constructions were over Galois field. In this paper, we give new construction of MDS matrices which is over Galois ring \(GR(2^n,k)=\mathbb {Z}_{2^n}[x]/(f(x))\), where f(x) is a basic irreducible polynomial of degree k over \(\mathbb {Z}_{2^n}\). We first construct Hadamard matrices over \(U(GR(2^n,k))\) by adding some signs on the entries of the matrices (i.e. performing entry-wise multiplication with enabling Hadamard \((1,-1)\)-matrices). We give complete enumerations of \(4 \times 4\) and \(8 \times 8\) enabling Hadamard \((1,-1)\)-matrices. We prove that there is no \(2 \times 2\) orthogonal MDS matrix over Galois ring \(GR(2^n,k)\) and construct \(4 \times 4\) orthogonal MDS matrices over \(GR(2^n,k)\).

New concepts in design of lightweight MDS diffusion layers

Abstract: Diffusion layers are an important part of most symmetric ciphers and MDS matrices can be used to construct perfect diffusion layers. However, there are few techniques for constructing these matrices with low implementation cost in software/hardware. In this article, we try to give some construction methods of MDS matrices with at least the following properties: Easy implementation, dynamic use and constructing a large family of MDS matrices from one 0, 1)-matrix which is a block-wise MDS matrix. For this purpose, we define an equivalence relation between rings and based on this definition, we classify and determine MDS matrices over equivalent rings. At first, we construct a new family of MDS matrices only with XORs and right or left shifts. Then, we construct another family of MDS matrices with XORs and cyclic shifts operations. Finally, we construct a family of lightweight MDS matrices with the same implementation cost as their inverses for the use in block ciphers.