224 research outputs found
Recursive Diffusion Layers for Block Ciphers and Hash Functions
Many modern block ciphers use maximum distance separable (MDS) matrices as the main part of their diffusion layers. In this paper, we propose a new class of diffusion layers constructed from several rounds of Feistel-like structures whose round functions are linear. We investigate the requirements on the underlying linear functions for the proposed 4×4-word diffusion layer to achieve the maximal branch number. The proposed diffusion layers require only word-level XORs and rotations, and they have simple inverses. They can replace the diffusion layers of the block ciphers MMB and Hierocrypt to increase their security and performance, respectively. Finally, we try to extend our results to diffusion layers of up to 8×8 words.
Exhaustive Search for Small Dimension Recursive MDS Diffusion Layers for Block Ciphers and Hash Functions
This article presents a new algorithm to find MDS matrices that are well suited for use as a diffusion layer in lightweight block ciphers. Using a recursive construction, it is possible to obtain matrices with a very compact description. Classical field multiplications can also be replaced by simple F2-linear transformations (combinations of XORs and shifts), which are much lighter. Using this algorithm, it was possible to design a 16×16 matrix on a 5-bit alphabet, yielding an efficient 80-bit diffusion layer with maximal branch number.
Comment: Published at ISIT 201
Systematization of a 256-bit lightweight block cipher Marvin
In a world heavily loaded with information, there is a great need to keep specific information secure from adversaries. The rapid growth of the research field of lightweight cryptography can be seen from the number of lightweight stream and block ciphers that have been proposed in recent years. This paper focuses only on the subject of lightweight block ciphers. In this paper, we propose a new 256-bit lightweight block cipher named Marvin, which belongs to the family of Extended LS designs.
Comment: 12 pages, 6 figure
Direct Construction of Recursive MDS Diffusion Layers using Shortened BCH Codes
MDS matrices make it possible to build optimal linear diffusion layers in block ciphers. However, MDS matrices cannot be sparse and usually have a large description, inducing costly software/hardware implementations. Recursive MDS matrices solve this problem by focusing on MDS matrices that can be computed as a power of a simple companion matrix, thus having a compact description suitable even for constrained environments. However, up to now, finding recursive MDS matrices required performing an exhaustive search on families of companion matrices, thus limiting the size of the MDS matrices one could look for. In this article we propose a new direct construction based on shortened BCH codes, allowing such matrices to be constructed efficiently for any choice of parameters. Unfortunately, not all recursive MDS matrices can be obtained from BCH codes, and our algorithm is not always guaranteed to find the best matrices for a given set of parameters.
Comment: Best paper award; Carlos Cid and Christian Rechberger. 21st International Workshop on Fast Software Encryption, FSE 2014, Mar 2014, London, United Kingdom. springe
On the Direct Construction of MDS and Near-MDS Matrices
The optimal branch number of MDS matrices makes them a preferred choice for designing diffusion layers in many block ciphers and hash functions. Consequently, various methods have been proposed for designing MDS matrices, including search and direct methods. While exhaustive search is suitable for small-order MDS matrices, direct constructions are preferred for larger orders due to the vast search space involved. In the literature, there has been extensive research on the direct construction of MDS matrices using both recursive and nonrecursive methods. On the other hand, in lightweight cryptography, Near-MDS (NMDS) matrices with sub-optimal branch numbers offer a better balance between security and efficiency as a diffusion layer compared to MDS matrices. However, no direct construction method is available in the literature for constructing recursive NMDS matrices. This paper introduces some direct constructions of NMDS matrices in both nonrecursive and recursive settings. Additionally, it presents some direct constructions of nonrecursive MDS matrices from generalized Vandermonde matrices. We propose a method for constructing involutory MDS and NMDS matrices using generalized Vandermonde matrices. Furthermore, we prove some folklore results that are used in the literature related to the NMDS code
On the Construction of Near-MDS Matrices
The optimal branch number of MDS matrices makes them a preferred choice for designing diffusion layers in many block ciphers and hash functions. However, in lightweight cryptography, Near-MDS (NMDS) matrices with sub-optimal branch numbers offer a better balance between security and efficiency as a diffusion layer, compared to MDS matrices. In this paper, we study NMDS matrices, exploring their construction in both recursive and nonrecursive settings. We provide several theoretical results and explore the hardware efficiency of the construction of NMDS matrices. Additionally, we make comparisons between the results of NMDS and MDS matrices whenever possible. For the recursive approach, we study the DLS matrices and provide some theoretical results on their use. Some of the results are used to restrict the search space of the DLS matrices. We also show that over a field of characteristic 2, any sparse matrix of order with fixed XOR value of 1 cannot be an NMDS when raised to a power of . Following that, we use the generalized DLS (GDLS) matrices to provide some lightweight recursive NMDS matrices of several orders that perform better than the existing matrices in terms of hardware cost or the number of iterations. For the nonrecursive construction of NMDS matrices, we study various structures, such as circulant and left-circulant matrices, and their generalizations: Toeplitz and Hankel matrices. In addition, we prove that Toeplitz matrices of order cannot be simultaneously NMDS and involutory over a field of characteristic 2. Finally, we use GDLS matrices to provide some lightweight NMDS matrices that can be computed in one clock cycle. The proposed nonrecursive NMDS matrices of orders 4, 5, 6, 7, and 8 can be implemented with 24, 50, 65, 96, and 108 XORs over , respectively
Lightweight Design Choices for LED-like Block Ciphers
Serial matrices are a preferred choice for building diffusion layers of lightweight block ciphers, as one only needs to implement the last row of such a matrix. In this work we analyze a new class of serial matrices which are the lightest possible serial matrices that can be used to build diffusion layers. With this new matrix we show that block ciphers like LED can be implemented with a reduced area in hardware designs, though the matrix has to be cycled for more iterations. Further, we suggest the use of an alternative S-box to the standard S-box used in LED with similar cryptographic robustness, albeit with a smaller area footprint. Finally, we combine these ideas in an end-to-end FPGA-based prototype of LED. We show that with these optimizations, there is a reduction of in the area footprint of a one-round implementation of LED
The Design Space of Lightweight Cryptography
For constrained devices, standard cryptographic algorithms can be too big, too slow or too energy-consuming. The area of lightweight cryptography studies new algorithms to overcome these problems. In this paper, we will focus on symmetric-key encryption, authentication and hashing. Instead of providing a full overview of this area of research, we will highlight three interesting topics. Firstly, we will explore the generic security of lightweight constructions. In particular, we will discuss considerations for key, block and tag sizes, and explore the topic of instantiating a pseudorandom permutation (PRP) with a non-ideal block cipher construction. This is inspired by the increasing prevalence of lightweight designs that are not secure against related-key attacks, such as PRINCE, PRIDE or Chaskey. Secondly, we explore the efficiency of cryptographic primitives. In particular, we investigate the impact on efficiency when the input size of a primitive doubles. Lastly, we provide some considerations for cryptographic design. We observe that applications do not always use cryptographic algorithms as they were intended, which negatively impacts the security and/or efficiency of the resulting implementations.
Design of Lightweight Linear Diffusion Layers from Near-MDS Matrices
Near-MDS matrices provide better trade-offs between security and efficiency compared to constructions based on MDS matrices, which are favored for hardware-oriented designs. We present new designs of lightweight linear diffusion layers by constructing lightweight near-MDS matrices. Firstly, generic n×n near-MDS circulant matrices are found for 5 ≤ n ≤ 9. Secondly, the implementation cost of instantiations of the generic near-MDS matrices is examined. Surprisingly, for n = 7, 8, it turns out that some of the proposed near-MDS circulant matrices of order n have the lowest XOR count among all near-MDS matrices of the same order. Further, for n = 5, 6, we present near-MDS matrices of order n having the lowest XOR count as well. The proposed matrices, together with previous constructions of order less than five, lead to n×n near-MDS matrices with the lowest XOR count over finite fields F2m for 2 ≤ n ≤ 8 and 4 ≤ m ≤ 2048. Moreover, we present some involutory near-MDS matrices of order 8 constructed from Hadamard matrices. Lastly, the security of the proposed linear layers is studied by calculating lower bounds on the number of active S-boxes. It is shown that our linear layers, combined with a well-chosen nonlinear layer, can provide sufficient security against differential and linear cryptanalysis.