Design of Lightweight Linear Diffusion Layers from Near-MDS Matrices

Near-MDS matrices provide better trade-offs between security and efficiency than constructions based on MDS matrices, which makes them attractive for hardware-oriented designs. We present new designs of lightweight linear diffusion layers by constructing lightweight near-MDS matrices. Firstly, generic n × n near-MDS circulant matrices are found for 5 ≤ n ≤ 9. Secondly, the implementation cost of instantiations of the generic near-MDS matrices is examined. Surprisingly, for n = 7, 8, it turns out that some of the proposed near-MDS circulant matrices of order n have the lowest XOR count among all near-MDS matrices of the same order. Further, for n = 5, 6, we present near-MDS matrices of order n having the lowest XOR count as well. The proposed matrices, together with previous constructions of order less than five, lead to n × n near-MDS matrices with the lowest XOR count over the finite fields F_{2^m} for 2 ≤ n ≤ 8 and 4 ≤ m ≤ 2048. Moreover, we present some involutory near-MDS matrices of order 8 constructed from Hadamard matrices. Lastly, the security of the proposed linear layers is studied by calculating lower bounds on the number of active S-boxes. It is shown that our linear layers, combined with a well-chosen nonlinear layer, provide sufficient security against differential and linear cryptanalysis.
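As an added illustration (not code from the paper), the following Python computes the two quantities the abstract trades off, the differential branch number and the direct XOR count, for two 4 × 4 circulant matrices over GF(2^4) with the assumed irreducible polynomial x^4 + x + 1: the AES MixColumns coefficients circ(2,3,1,1), which stay MDS over this field (branch number n + 1 = 5), and Midori's binary circ(0,1,1,1), which only reaches the near-MDS bound n = 4 but at a far lower XOR count. Order 4 is used so that exhaustive search stays cheap; the XOR-count metric is the direct one (ones in the binary multiplication matrix minus m, plus (k − 1)·m per row), assumed here to be the metric the paper uses.

```python
from functools import reduce

M_BITS = 4     # field degree m; GF(2^m) elements are m-bit integers
POLY = 0x13    # x^4 + x + 1, the irreducible polynomial assumed for this example

def gf_mul(a, b):
    """Multiply two GF(2^m) elements: carry-less multiply with reduction modulo POLY."""
    r = 0
    for _ in range(M_BITS):
        if b & 1:
            r ^= a
        b, a = b >> 1, a << 1
        if a >> M_BITS:           # degree reached m: reduce
            a ^= POLY
    return r

MUL = [[gf_mul(a, b) for b in range(1 << M_BITS)] for a in range(1 << M_BITS)]  # lookup table

def circulant(first_row):
    """n x n circulant matrix: row i is first_row rotated right by i positions."""
    n = len(first_row)
    return [[first_row[(j - i) % n] for j in range(n)] for i in range(n)]

def branch_number(matrix):
    """Differential branch number min(wt(x) + wt(Mx)) over x != 0, by exhaustive search.
    n + 1 means MDS; n is the near-MDS bound (a circulant M and its transpose share it)."""
    n, mask, best = len(matrix), (1 << M_BITS) - 1, len(matrix) + 1
    for x in range(1, 1 << (M_BITS * n)):
        vec = [(x >> (M_BITS * i)) & mask for i in range(n)]
        w = sum(v != 0 for v in vec)
        if w < best:              # only inputs that could still lower the bound
            out = [reduce(lambda s, t: s ^ MUL[t[0]][t[1]], zip(row, vec), 0) for row in matrix]
            best = min(best, w + sum(v != 0 for v in out))
    return best

def xor_count_const(a):
    """XOR count of multiplication by a: ones in its m x m binary matrix, minus m."""
    return sum(bin(MUL[a][1 << i]).count("1") for i in range(M_BITS)) - M_BITS

def xor_count(matrix):
    """Direct XOR count: per row, the constants' XOR counts plus (k - 1) * m XORs to add the k products."""
    total = 0
    for row in matrix:
        nz = [a for a in row if a]
        total += sum(xor_count_const(a) for a in nz) + (len(nz) - 1) * M_BITS
    return total

AES_LIKE = circulant([2, 3, 1, 1])   # AES MixColumns coefficients, here over GF(2^4)
MIDORI = circulant([0, 1, 1, 1])     # Midori's binary near-MDS matrix
```

Running `branch_number` and `xor_count` on both matrices shows the trade-off directly: the MDS matrix costs 72 XORs for branch number 5, the near-MDS one 32 XORs for branch number 4.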
