Design of Lightweight Linear Diffusion Layers from Near-MDS Matrices

Near-MDS matrices provide better trade-offs between security and efficiency compared to constructions based on MDS matrices, which are favored for hardwareoriented designs. We present new designs of lightweight linear diffusion layers by constructing lightweight near-MDS matrices. Firstly generic n×n near-MDS circulant matrices are found for 5 ≤ n ≤9. Secondly, the implementation cost of instantiations of the generic near-MDS matrices is examined. Surprisingly, for n = 7, 8, it turns out that some proposed near-MDS circulant matrices of order n have the lowest XOR count among all near-MDS matrices of the same order. Further, for n = 5, 6, we present near-MDS matrices of order n having the lowest XOR count as well. The proposed matrices, together with previous construction of order less than five, lead to solutions of n×n near-MDS matrices with the lowest XOR count over finite fields F2m for 2 ≤ n ≤ 8 and 4 ≤ m ≤ 2048. Moreover, we present some involutory near-MDS matrices of order 8 constructed from Hadamard matrices. Lastly, the security of the proposed linear layers is studied by calculating lower bounds on the number of active S-boxes. It is shown that our linear layers with a well-chosen nonlinear layer can provide sufficient security against differential and linear cryptanalysis

Direct construction of quasi-involutory recursive-like MDS matrices from 2-cyclic codes

A good linear diffusion layer is a prerequisite in the design of block ciphers. Usually it is obtained by combining matrices with optimal diffusion property over the Sbox alphabet. These matrices are constructed either directly using some algebraic properties or by enumerating a search space, testing the optimal diffusion property for every element. For implementation purposes, two types of structures are considered: Structures where all the rows derive from the first row and recursive structures built from powers of companion matrices. In this paper, we propose a direct construction for new recursive-like MDS matrices. We show they are quasi-involutory in the sense that the matrix-vector product with the matrix or with its inverse can be implemented by clocking a same LFSR-like architecture. As a direct construction, performances do not outperform the best constructions found with exhaustive search. However, as a new type of construction, it offers alternatives for MDS matrices design

Truncated Differential Attacks: New Insights and 10-round Attacks on QARMA

Truncated differential attacks were introduced by Knudsen in 1994 [1]. They are a well-known family that has arguably received less attention than some other variants of differential attacks. This paper gives some new insight on truncated differential attacks and provides the best-known attacks on both variants of the lightweight cipher QARMA, in the single tweak model, reaching for the first time 10 rounds while contradicting the security claims of this reduced version. These attacks use some new truncated distinguishers as well as some evolved key-recovery techniques

Construction of MDS Matrices from Generalized Feistel Structures

This paper investigates the construction of MDS matrices with generalized Feistel structures (GFS). The approach developed by this paper consists in deriving MDS matrices from the product of several sparser ones. This can be seen as a generalization to several matrices of the recursive construction which derives MDS matrices as the powers of a single companion matrix. The first part of this paper gives some theoretical results on the iteration of GFS. In second part, using GFS and primitive matrices, we propose some types of sparse matrices that are called extended primitive GFS (EGFS) matrices. Then, by applying binary linear functions to several round of EGFS matrices, lightweight $4\times 4$, $6\times 6$ and $8\times 8$ MDS matrices are proposed which are implemented with $67$, $156$ and $260$ XOR for $8$-bit input, respectively. The results match the best known lightweight $4\times 4$ MDS matrix and improve the best known $6\times 6$ and $8\times 8$ MDS matrices. Moreover, we propose $8\times 8$ Near-MDS matrices such that the implementation cost of the proposed matrices are $108$ and $204$ XOR for 4 and $8$-bit input, respectively. Although none of the presented matrices are involutions, the implementation cost of the inverses of the proposed matrices is equal to the implementation cost of the given matrices. Furthermore, the construction presented in this paper is relatively general and can be applied for other matrix dimensions and finite fields as well

The QARMA Block Cipher Family. Almost MDS Matrices Over Rings With Zero Divisors, Nearly Symmetric Even-Mansour Constructions With Non-Involutory Central Rounds, and Search Heuristics for Low-Latency S-Boxes

This paper introduces QARMA, a new family of lightweight tweakable block ciphers targeted at applications such as memory encryption, the generation of very short tags for hardware-assisted prevention of software exploitation, and the construction of keyed hash functions. QARMA is inspired by reflection ciphers such as PRINCE, to which it adds a tweaking input, and MANTIS. However, QARMA differs from previous reflector constructions in that it is a three-round Even-Mansour scheme instead of a FX-construction, and its middle permutation is non-involutory and keyed. We introduce and analyse a family of Almost MDS matrices defined over a ring with zero divisors that allows us to encode rotations in its operation while maintaining the minimal latency associated to {0, 1}-matrices. The purpose of all these design choices is to harden the cipher against various classes of attacks. We also describe new S-Box search heuristics aimed at minimising the critical path. QARMA exists in 64- and 128-bit block sizes, where block and tweak size are equal, and keys are twice as long as the blocks. We argue that QARMA provides sufficient security margins within the constraints determined by the mentioned applications, while still achieving best-in-class latency. Implementation results on a state-of-the art manufacturing process are reported. Finally, we propose a technique to extend the length of the tweak by using, for instance, a universal hash function, which can also be used to strengthen the security of QARMA

A new hybrid method combining search and direct based construction ideas to generate all 4 × 4 involutory maximum distance separable (MDS) matrices over binary field extensions

This article presents a new hybrid method (combining search based methods and direct construction methods) to generate all $4 \times 4$4×4 involutory maximum distance separable (MDS) matrices over $\mathbf{F}_{2^m}$F2m . The proposed method reduces the search space complexity at the level of $$\sqrt n$$ n, where n represents the number of all $4 \times 4$4×4 invertible matrices over $\mathbf{F}_{2^m}$F2m to be searched for. Hence, this enables us to generate all $4 \times 4$4×4 involutory MDS matrices over $\mathbf{F}_{2^3}$F23 and $\mathbf{F}_{2^4}$F24 . After applying global optimization technique that supports higher Exclusive-OR (XOR) gates (e.g., XOR3, XOR4) to the generated matrices, to the best of our knowledge, we generate the lightest involutory/non-involutory MDS matrices known over $\mathbf{F}_{2^3}$F23 , $\mathbf{F}_{2^4}$F24 and $\mathbf{F}_{2^8}$F28 in terms of XOR count. In this context, we present new $4 \times 4$4×4 involutory MDS matrices over $\mathbf{F}_{2^3}$F23 , $\mathbf{F}_{2^4}$F24 and $\mathbf{F}_{2^8}$F28 , which can be implemented by 13 XOR operations with depth 5, 25 XOR operations with depth 5 and 42 XOR operations with depth 4, respectively. Finally, we denote a new property of Hadamard matrix, i.e., (involutory and MDS) Hadamard matrix form is, in fact, a representative matrix form that can be used to generate a small subset of all $2^k\times 2^k$2k×2k involutory MDS matrices, where k > 1. For k = 1, Hadamard matrix form can be used to generate all involutory MDS matrices

Proceedings of AUTOMATA 2011 : 17th International Workshop on Cellular Automata and Discrete Complex Systems

International audienceThe proceedings contain full (reviewed) papers and short (non reviewed) papers that were presented at the workshop