
Construction of lightweight involutory MDS matrices

Published in: Designs, Codes and Cryptography

Abstract

In this paper, we propose an efficient method to find lightweight involutory MDS matrices. To obtain involutory matrices, we give a necessary and sufficient condition for deciding the involutory MDS property and propose a search method. For \(n\times n\) involutory MDS matrices over \({\mathbb {F}}_{2^m}\), the amount of computation is reduced from \(2^{mn^2}\) to \(2^{(mn^2)/2}\). In particular, we can exhaustively search for involutory MDS matrices when \(n=4\); for larger n, we add further restrictions to reduce the search range. To find lightweight ones, we use the permutation-equivalent class to extend the input so that the efficiency of the heuristic designed by Xiang et al. can be improved. Applying our method, we obtain a class of \(16\times 16\) binary MDS matrices with branch number 5 that can be implemented with only 35 XOR gates. This matches the implementation cost of the lightest non-involutory MDS matrix known so far. For lightweight binary matrices of order 32, optimal results are hard to obtain by search. Hence, we construct \(32\times 32\) matrices from the lightweight \(16 \times 16\) matrices that we found. In this way, we obtain two classes of \( 4 \times 4 \) involutory MDS matrices whose entries are \( 8 \times 8 \) binary matrices, costing 70 XOR gates, while the previous lightest matrices of the same size cost 78 XOR gates. Moreover, we generalize our search method to the general case and prove that the approach is feasible for efficient search of MDS matrices of order 6 and 8.


References

  1. Altawy R., Youssef A.M.: Preimage analysis of the Maelstrom-0 hash function. In: Security, Privacy, and Applied Cryptography Engineering, pp. 113–126. Springer (2015).

  2. Banik S., Funabiki Y., Isobe T.: More results on shortest linear programs. In: IWSEC 2019, pp. 109–128. Springer (2019).

  3. Barreto P.S.L.M., Nikov V., Nikova S., Rijmen V., Tischhauser E.: Whirlwind: a new cryptographic hash function. Des. Codes Cryptogr. 56(2), 141–162 (2010).

  4. Beierle C., Kranz T., Leander G.: Lightweight multiplication in \(\rm GF(2^n)\) with applications to MDS matrices. In: CRYPTO 2016, pp. 625–653. Springer (2016).

  5. Blaum M., Roth R.M.: On lowest density MDS codes. IEEE Trans. Inf. Theory 45(1), 46–59 (1999).

  6. Boyar J., Peralta R.: A new combinational logic minimization technique with applications to cryptology. Exp. Algorithms 2010, 178–189 (2010).

  7. Boyar J., Matthews P., Peralta R.: Logic minimization techniques with applications to cryptology. J. Cryptol. 26(2), 280–312 (2013).

  8. Choy J., Yap H., Khoo K., Guo J., Peyrin T., Poschmann A., Tan C.H.: SPN-Hash: improving the provable resistance against differential collision attacks. In: AFRICACRYPT 2012, pp. 270–286. Springer (2012).

  9. Cui T., Jin C., Kong Z.: On compact Cauchy matrices for substitution-permutation networks. J. Comput. 7(10), 2098–2102 (2015).

  10. Daemen J., Rijmen V.: The Design of Rijndael: AES—The Advanced Encryption Standard. Springer, New York (2002).

  11. Duval S., Leurent G.: MDS matrices with lightweight circuits. IACR Trans. Symmetric Cryptol. 2018(2), 48–78 (2018).

  12. Guo J., Peyrin T., Poschmann A.: The PHOTON family of lightweight hash functions. In: CRYPTO 2011, pp. 222–239. Springer (2011).

  13. Guo Z., Liu R., Gao S., Wu W., Lin D.: Direct construction of optimal rotational-XOR diffusion primitives. IACR Trans. Symmetric Cryptol. 2017(4), 169–187 (2017).

  14. Gupta K.C., Ray I.G.: On constructions of involutory MDS matrices. In: AFRICACRYPT 2013, pp. 43–60. Springer (2013).

  15. Gupta K.C., Ray I.G.: Cryptographically significant MDS matrices based on circulant and circulant-like matrices for lightweight applications. Cryptogr. Commun. 7(2), 257–287 (2015).

  16. Güzel G.G., Sakallı M.T., Akleylek S., Rijmen V., Çengellenmiş Y.: A new matrix form to generate all \(3\times 3\) involutory MDS matrices over \({\mathbb{F}}_{2^m}\). Inf. Process. Lett. 147, 61–68 (2019).

  17. Jean J., Peyrin T., Sim S.M., Tourteaux J.: Optimizing implementations of lightweight building blocks. IACR Trans. Symmetric Cryptol. 2017(4), 130–168 (2017).

  18. Khoo K., Peyrin T., Poschmann A., Yap H.: FOAM: searching for hardware optimal SPN structures and components with a fair comparison. Cryptogr. Hardware Embed. Syst. 2014, 433–456 (2014).

  19. Kölsch L.: XOR-counts and lightweight multiplication with fixed elements in binary finite fields. In: EUROCRYPT 2019, pp. 285–312. Springer (2019).

  20. Kranz T., Leander G., Stoffelen K., Wiemer F.: Shorter linear straight-line programs for MDS matrices. IACR Trans. Symmetric Cryptol. 2017(4), 188–211 (2017).

  21. Li Y., Wang M.: On the construction of lightweight circulant involutory MDS matrices. IACR Trans. Symmetric Cryptol. 2016(1), 121–139 (2016).

  22. Li Q., Wu B., Liu Z.: Direct constructions of (involutory) MDS matrices from block Vandermonde and Cauchy-like matrices. In: WAIFI 2018, pp. 275–290. Springer (2018).

  23. Li S., Sun S., Li C., Wei Z., Hu L.: Constructing low-latency involutory MDS matrices with lightweight circuits. IACR Trans. Symmetric Cryptol. 2019(1), 84–117 (2019).

  24. Liu M., Sim S.M.: Lightweight MDS generalized circulant matrices. IACR Trans. Symmetric Cryptol. 2016(1), 101–120 (2016).

  25. Maximov A., Ekdahl P.: New circuit minimization techniques for smaller and faster AES Sboxes. IACR Trans. Cryptogr. Hardware Embed. Syst. 2019(4), 91–125 (2019).

  26. Paar C.: Optimized arithmetic for Reed-Solomon encoders. In: Proceedings of IEEE International Symposium on Information Theory 1997, p. 250 (1997).

  27. Reyhani-Masoleh A., Taha M.M.I., Ashmawy D.: Smashing the implementation records of AES S-Box. IACR Trans. Cryptogr. Hardware Embed. Syst. 2018(2), 298–336 (2018).

  28. Sajadieh M.: On construction of involutory MDS matrices from Vandermonde matrices in GF(2, q). Des. Codes Cryptogr. 64(3), 287–308 (2012).

  29. Sarkar S., Syed H.: Lightweight diffusion layer: importance of Toeplitz matrices. IACR Trans. Symmetric Cryptol. 2016(1), 95–113 (2016).

  30. Shannon C.E.: Communication theory of secrecy systems. Bell Syst. Techn. J. 28(4), 656–715 (1949).

  31. Sim S.M., Khoo K., Oggier F.E., Peyrin T.: Lightweight MDS involution matrices. In: Fast Software Encryption 2015, pp. 471–493. Springer (2015).

  32. Tan Q., Peyrin T.: Improved heuristics for short linear programs. IACR Trans. Cryptogr. Hardware Embed. Syst. 2020(1), 203–230 (2020).

  33. Visconti A., Schiavo C.V., Peralta R.: Improved upper bounds for the expected circuit complexity of dense systems of linear equations over GF(2). Inf. Process. Lett. 137, 1–5 (2018).

  34. Watanabe D., Furuya S., Yoshida H., Takaragi K., Preneel B.: A new keystream generator MUGI. In: Fast Software Encryption 2002, pp. 179–184. Springer (2002).

  35. Xiang Z., Zeng X., Lin D., Bao Z., Zhang S.: Optimizing implementations of linear layers. IACR Trans. Symmetric Cryptol. 2020(2), 120–145 (2020).

  36. Zhou L., Wang L., Sun Y.: On efficient constructions of lightweight MDS matrices. IACR Trans. Symmetric Cryptol. 2018(1), 180–200 (2018).

Acknowledgements

The authors would like to thank the anonymous reviewers for their valuable comments and helpful suggestions which improved both the quality and presentation of this paper. The work was supported by Application Foundation Frontier Project of Wuhan Science and Technology Bureau under Grant 2020010601012189 and National Natural Science Foundation of China under Grant 61761166010.

Author information

Corresponding author: Xiangyong Zeng.

Additional information

Communicated by M. Paterson.


Appendices

The costs of different permutation-equivalent matrices

We optimize the \(4\times 4\) MDS matrices over \({\mathbb {F}}_{2^4}\) from [4]. For each permutation-equivalent matrix, we run Xiang et al.’s algorithm 100 times and keep the lowest cost. Let P and Q be the row and column permutations, respectively. An array [a,b,c,d] represents a \(4 \times 4\) permutation matrix, where a, b, c, d are the positions of the non-zero element in each row. The costs of some of the permutation-equivalent matrices are listed below.

  1. P = [1,2,3,4], Q = [1,2,3,4], Cost = 42;
  2. P = [1,2,3,4], Q = [1,2,4,3], Cost = 42;
  3. P = [1,2,3,4], Q = [1,3,2,4], Cost = 42;
  4. P = [1,2,3,4], Q = [1,3,4,2], Cost = 41;
  5. P = [1,2,3,4], Q = [1,4,2,3], Cost = 43;
  6. P = [1,2,3,4], Q = [1,4,3,2], Cost = 42;
  7. P = [1,2,3,4], Q = [2,1,3,4], Cost = 42;
  8. P = [1,2,3,4], Q = [2,1,4,3], Cost = 42;
  9. P = [1,2,3,4], Q = [2,3,1,4], Cost = 41;
  10. P = [1,2,3,4], Q = [2,3,4,1], Cost = 42;
  11. P = [1,2,3,4], Q = [2,4,1,3], Cost = 42;
  12. P = [1,2,3,4], Q = [2,4,3,1], Cost = 42;
  13. P = [1,2,3,4], Q = [3,1,2,4], Cost = 43;
  14. P = [1,2,3,4], Q = [3,1,4,2], Cost = 42;
  15. P = [1,2,3,4], Q = [3,2,1,4], Cost = 42;
  16. P = [1,2,3,4], Q = [3,2,4,1], Cost = 41;
  17. P = [1,2,3,4], Q = [3,4,1,2], Cost = 43;
  18. P = [1,2,3,4], Q = [3,4,2,1], Cost = 42;
  19. P = [1,2,3,4], Q = [4,1,2,3], Cost = 42;
  20. P = [1,2,3,4], Q = [4,1,3,2], Cost = 41;
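As an added example (not code from the paper), the following Python implements the two properties the abstract's search is built on, involutory (\(M^2 = I\)) and MDS (every square submatrix nonsingular) over \({\mathbb {F}}_{2^4}\), together with the row/column permutation convention of this appendix. The Hadamard restriction, the field polynomial POLY and the small search at the end are my own choices to illustrate fixing part of the matrix to shrink the search space; they are not the paper's necessary and sufficient condition, and the matrices found are not the matrices from [4].

```python
from itertools import combinations, product
POLY = 0x13  # constructed choice: GF(2^4) = F_2[x]/(x^4 + x + 1)

def gf_mul(a, b):
    """Multiply two GF(2^4) elements (4-bit ints) modulo POLY."""
    r = 0
    while b:
        r ^= a * (b & 1)
        a = (a << 1) ^ (POLY if a & 0x8 else 0)  # reduce when degree reaches 4
        b >>= 1
    return r
def mat_mul(A, B):
    n = len(A)
    C = [[0] * n for _ in range(n)]
    for i, j, k in product(range(n), repeat=3):
        C[i][j] ^= gf_mul(A[i][k], B[k][j])
    return C
def det(M):
    if len(M) == 1:
        return M[0][0]
    d = 0
    for j in range(len(M)):  # Laplace expansion; cofactor signs vanish in char 2
        d ^= gf_mul(M[0][j], det([r[:j] + r[j + 1:] for r in M[1:]]))
    return d

def is_involutory(M):
    return mat_mul(M, M) == [[int(i == j) for j in range(len(M))] for i in range(len(M))]
def is_mds(M):
    """MDS <=> every square submatrix, of every order, is nonsingular."""
    n = len(M)
    return all(det([[M[i][j] for j in c] for i in r]) != 0 for k in range(1, n + 1)
               for r in combinations(range(n), k) for c in combinations(range(n), k))

def permutation_equivalent(M, P, Q):
    """P*M*Q with the appendix convention: row i of a permutation matrix has its 1 in column P[i] (1-based)."""
    def pm(arr):
        return [[int(arr[i] == j + 1) for j in range(len(arr))] for i in range(len(arr))]
    return mat_mul(mat_mul(pm(P), M), pm(Q))
def hadamard(a):
    """Finite-field Hadamard matrix H[i][j] = a[i XOR j]; in char 2, H^2 = (a0+a1+a2+a3)^2 * I."""
    return [[a[i ^ j] for j in range(4)] for i in range(4)]
def find_involutory_mds_hadamard():
    """Fixing a0^a1^a2^a3 = 1 makes every candidate involutory, so only MDS has to be tested."""
    for a0, a1, a2 in product(range(1, 16), repeat=3):
        a3 = 1 ^ a0 ^ a1 ^ a2
        if a3 and is_mds(hadamard([a0, a1, a2, a3])):
            return [a0, a1, a2, a3]
    return None
```

Row and column permutations preserve the MDS property (they only permute the set of minors), which is why every matrix in the list above can be fed to the optimizer; they do not in general preserve the involutory property, which is why the search fixes that first.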

Optimal implementations

Table 6 The optimal implementation of the lightest \( 16 \times 16 \) matrix with 35 XOR gates, where \( (x_{0},x_{1},\ldots ,x_{15}) \) denotes the input vector and \( (y_{0},y_{1},\ldots ,y_{15}) \) denotes the output vector
Table 7 The optimal implementation of the lightest \( 32 \times 32 \) matrix from Construction 1
Table 8 The optimal implementation of the lightest \( 32 \times 32 \) matrix from Construction 2

Other lightweight \(4 \times 4\) involutory MDS matrices

Table 9 \(4 \times 4\) involutory MDS matrices with 36 XOR gates

Optimization of the best matrices in this paper with different algorithms

Table 10 Implementation costs of involutory MDS matrices in \(\mathrm {M}_{4}(\mathrm {GL(4,{\mathbb {F}}_{2})})\) under different optimization tools
Table 11 Implementation costs of involutory MDS matrices in \(\mathrm {M}_{4}(\mathrm {GL(8,{\mathbb {F}}_{2})})\) under different optimization tools

The implementation of lightweight \(8 \times 8\) involutory MDS matrices

Table 12 The optimal implementation of the \(8\times 8\) matrix in Example 1

Lightweight involutory MDS matrices

Table 13 \(6 \times 6 \) involutory MDS matrices over \({\mathbb {F}}_{2^{8}} \)


Cite this article

Yang, Y., Zeng, X. & Wang, S. Construction of lightweight involutory MDS matrices. Des. Codes Cryptogr. 89, 1453–1483 (2021). https://doi.org/10.1007/s10623-021-00879-3
