MDS matrix
Recently Published Documents


Total documents: 20 (five years: 5)
H-index: 2 (five years: 0)

2021, Vol 2 (6)
Author(s): Abdul Gaffar, Anand B. Joshi, Dhanesh Kumar


2021, Vol 65 (3)
Author(s): Jun Liu, Vincent Rijmen, Yupu Hu, Jie Chen, Baocang Wang


2021, Vol 40 (2), pp. 149-157
Author(s): Ahmed Abd-Elkader, Mostafa Rashdan, El-Sayed Hasaneen, Hesham Hamed




2021, Vol 0 (0), pp. 0
Author(s): Shi Wang, Yongqiang Li, Shizhu Tian, Xiangyong Zeng

MDS matrices play an important role in the design of block ciphers, and constructing MDS matrices with fewer xor gates is of significant interest for lightweight ciphers. For this topic, Duval and Leurent proposed an approach to construct MDS matrices by using three linear operations in ToSC 2018. Taking words as elements, they found $16 \times 16$ and $32 \times 32$ MDS matrices over $\mathbb{F}_2$ with only $35$ xor gates and $67$ xor gates respectively, which are also the best known implementations up to now. Based on the same observation as their work, we consider three linear operations as three kinds of elementary linear operations of matrices, and obtain more MDS matrices with $35$ and $67$ xor gates. In addition, some $16 \times 16$ or $32 \times 32$ involutory MDS matrices with only $36$ or $72$ xor gates over $\mathbb{F}_2$ are also proposed, which are better than previous results. Moreover, our method can be extended to general linear groups, and we prove that the lower bound of the sequential xor count based on words for a $4 \times 4$ MDS matrix over general linear groups is $8n+2$.



Author(s): Adnan Ibrahem Salih, Ashwaq Mahmood Alabaichi, Ammar Yaseen Tuama

An efficient approach to securing information is critically needed at present. Cryptography remains the best approach to achieving security. On this basis, the National Institute of Standards and Technology (NIST) selected Rijndael, a symmetric block cipher, as the Advanced Encryption Standard (AES). The MixColumns transformation of this cipher is the most important function within the linear unit and the major source of diffusion. A dynamic MixColumns transformation can be used to enhance AES security. In this study, a method to enhance AES security is developed on the basis of two methods. The first method is an extension of a previous study entitled “A novel Approach for Enhancing Security of Advance Encryption Standard using Private XOR Table and 3D chaotic regarding to Software quality Factor.” In the current study, the fixed XOR operation in AES rounds is replaced with a dual dynamic XOR table generated by a 3D chaotic map. The dual dynamic XOR table is based on 4 bits; one table is used for even rounds, and the other is used for odd rounds. The second method is a dynamic MixColumns transformation, where the maximum distance separable (MDS) matrix of the MixColumns transformation, which is fixed and public in every round, is replaced with a private dynamic MDS matrix generated by a 3D chaotic map. The 3D chaotic map is used to generate the secret keys. These replacements enhance AES security, particularly the resistance against attacks. Diehard and NIST tests, entropy, correlation coefficient, and histogram are used for security analysis of the proposed method. C++ is used to implement the proposed and original algorithms. MATLAB and LINX are used for the security analysis. Results show that the proposed method is better than the original AES.



2019, Vol 11 (4), pp. 82-96
Author(s): Jian Bai, Yao Sun, Ting Li, Dingkang Wang

This article is concerned with the problem of constructing lightweight MDS matrices. The authors present a new construction of 4 × 4 MDS matrices over GL(F2, m) for any integer m. They give necessary and sufficient conditions to determine whether the construction yields an MDS matrix. Further, for any even number m ≥ 4, they construct lightweight MDS matrices in this structure. Applying Horner's rule to implement MDS matrices, the authors' constructions need only 8 + 4 × 3 × m XOR operations.



Author(s): Shun Li, Siwei Sun, Chaoyun Li, Zihao Wei, Lei Hu

MDS matrices are important building blocks providing diffusion functionality for the design of many symmetric-key primitives. In recent years, continuous efforts have been made on the construction of MDS matrices with small area footprints in the context of lightweight cryptography. Just recently, Duval and Leurent (ToSC 2018/FSE 2019) reported some 32 × 32 binary MDS matrices with branch number 5, which can be implemented with only 67 XOR gates, whereas the previously known lightest ones of the same size cost 72 XOR gates. In this article, we focus on the construction of lightweight involutory MDS matrices, which are even more desirable than ordinary MDS matrices, since the same circuit can be reused when the inverse is required. In particular, we identify some involutory MDS matrices which can be realized with only 78 XOR gates with depth 4, whereas the previously known lightest involutory MDS matrices cost 84 XOR gates with the same depth. Notably, the involutory MDS matrix we find is much smaller than the AES MixColumns operation, which requires 97 XOR gates with depth 8 when implemented as a block of combinatorial logic that can be computed in one clock cycle. However, with respect to latency, the AES MixColumns operation is superior to our 78-XOR involutory matrices, since the AES MixColumns can be implemented with depth 3 by using more XOR gates. We prove that the depth of a 32 × 32 MDS matrix with branch number 5 (e.g., the AES MixColumns operation) is at least 3. Then, we enhance Boyar’s SLP-heuristic algorithm with circuit depth awareness, such that the depth of its output circuit is limited. Along the way, we give a formula for computing the minimum achievable depth of a circuit implementing the summation of a set of signals with given depths, which is of independent interest. We apply the new SLP heuristic to a large set of lightweight involutory MDS matrices, and we identify a depth 3 involutory MDS matrix whose implementation costs 88 XOR gates, which is superior to the AES MixColumns operation with respect to both lightweightness and latency, and enjoys the extra involution property.



Author(s): Sébastien Duval, Gaëtan Leurent

MDS matrices are an important element for the design of block ciphers such as the AES. In recent years, there has been a lot of work on the construction of MDS matrices with a low implementation cost, in the context of lightweight cryptography. Most of the previous efforts focused on local optimization, constructing MDS matrices with coefficients that can be efficiently computed. In particular, this led to a matrix with a direct xor count of only 106, while a direct implementation of the MixColumn matrix of the AES requires 152 bitwise xors. More recently, techniques based on global optimization have been introduced, where the implementation can reuse some intermediate variables. In particular, Kranz et al. used optimization tools to find a good implementation from the description of an MDS matrix. They have lowered the cost of implementing the MixColumn matrix to 97 bitwise xors, and proposed a new matrix with only 72 bitwise xors, the lowest cost known so far. In this work we propose a different approach to global optimization. Instead of looking for an optimized circuit of a given matrix, we run a search through a space of circuits, to find optimal circuits yielding MDS matrices. This results in MDS matrices with an even lower cost, with only 67 bitwise xors.



Author(s): Gianira N. Alfarano, Christof Beierle, Takanori Isobe, Stefan Kölbl, Gregor Leander

We study possible alternatives for ShiftRows to be used as cell permutations in AES-like ciphers. As observed during the design process of the block cipher Midori, when using a matrix with a non-optimal branch number for the MixColumns operation, the choice of the cell permutation, i.e., an alternative for ShiftRows, can actually improve the security of the primitive. In contrast, when using an MDS matrix it is known that one cannot increase the minimum number of active S-boxes by deviating from the ShiftRows-type permutation. However, finding the optimal choice for the cell permutation for a given, non-optimal, MixColumns operation is a highly non-trivial problem. In this work, we propose techniques to speed up the search for the optimal cell permutations significantly. As case studies, we apply those techniques to Midori and Skinny and provide possible alternatives for their cell permutations. We finally state an easy-to-verify sufficient condition on a cell permutation, to be used as an alternative in Midori, that attains a high number of active S-boxes and thus provides good resistance against differential and linear attacks.


