Cryptographically significant MDS matrices based on circulant and circulant-like matrices for lightweight applications

Abstract

MDS matrices incorporate diffusion layers in block ciphers and hash functions. MDS matrices are in general not sparse and have a large description and thus induce costly implementations both in hardware and software. It is also nontrivial to find MDS matrices which could be used in lightweight cryptography. In the AES MixColumn operation, a circulant MDS matrix is used which is efficient as its elements are of low hamming weights, but no general constructions and study of MDS matrices from d×d circulant matrices for arbitrary d is available in the literature. In a SAC 2004 paper, Junod et al. constructed a new class of efficient matrices whose submatrices were circulant matrices and they coined the term circulating-like matrices for these new class of matrices. We call these matrices as Type-I circulant-like matrices. In this paper we introduce a new type of circulant-like matrices which are involutory by construction and we call them Type-II circulant-like matrices.

We study the MDS properties of d×d circulant, Type-I and Type-II circulant-like matrices and construct new and efficient MDS matrices which are suitable for lightweight cryptography for d up to 8. We also consider orthogonal and involutory properties of such matrices and study the construction of efficient MDS matrices whose inverses are also efficient. We explore some interesting and useful properties of circulant, Type-I and Type-II circulant-like matrices which are prevalent in many parts of mathematics and computer science.

Appendices

Appendix A

The matrix A=C i r c(1,1,α ⁻¹,1,α ⁻²,α ⁻¹+α ⁻²,1+α ⁻¹,1+α ⁻¹) of Proposition 4over \(\mathbb {F}_{2^{8}}\) with generating polynomial x ⁸+x ⁴+x ³+x ²+1 can be implemented in the following way. The idea of the implementation is taken from [8, page 54]. This implementation requires 71 XORs, 10 temporary variables and 24 x t i m e_i n v operations (or 24 table lookup), which is the multiplication by α ⁻¹.

$$\begin{array}{@{}rcl@{}} t &=& a[0] \oplus a[1] \oplus a[2] \oplus a[3] \oplus a[4] \oplus a[5] \oplus a[6] \oplus a[7];\text{/* a is the input vector */}\\ u0&=&a[0];u1=a[1];u2=a[2];u3=a[3];u4=a[4];u5=a[5]; \\ z&=& a[4] \oplus a[5]; v = a[2] \oplus z; w= a[2] \oplus a[5] \oplus a[6] \oplus a[7]; w=xtime\_inv[w]; \\ z&=&xtime\_inv[xtime\_inv[[z]]; a[0] = v \oplus w \oplus z \oplus t;\\ z&=& a[5] \oplus a[6]; v = a[3] \oplus z; w= a[3] \oplus a[6] \oplus a[7] \oplus u0; w=xtime\_inv[w]; \\ z&=&xtime\_inv[xtime\_inv[[z]]; a[1] = v \oplus w \oplus z \oplus t;\\ z&=& a[6] \oplus a[7]; v = a[4] \oplus z; w= a[4] \oplus a[7] \oplus u0 \oplus u1; w=xtime\_inv[w]; \\ z&=&xtime\_inv[xtime\_inv[[z]]; a[2] = v \oplus w \oplus z \oplus t;\\ z&= &a[7] \oplus u0; v = a[5] \oplus z; w= a[5] \oplus u0 \oplus u1 \oplus u2; w=xtime\_inv[w];\\ z&=&xtime\_inv[xtime\_inv[[z]]; a[3] = v \oplus w \oplus z \oplus t;\\ z&=& u0 \oplus u1; v = a[6] \oplus z; w= a[6] \oplus u1 \oplus u2 \oplus u3; w=xtime\_inv[w]; \\ \end{array} $$

$$\begin{array}{@{}rcl@{}} z&=&xtime\_inv[xtime\_inv[[z]]; a[4] = v \oplus w \oplus z \oplus t;\\ z&= &u1 \oplus u2; v = a[7] \oplus z; w= a[7] \oplus u2 \oplus u3 \oplus u4; w=xtime\_inv[w];\\ z&=&xtime\_inv[xtime\_inv[[z]]; a[5] = v \oplus w \oplus z \oplus t;\\ z&= &u2 \oplus u3; v = u0 \oplus z; w= u0 \oplus u3 \oplus u4 \oplus u5; w=xtime\_inv[w];\\ z&=&xtime\_inv[xtime\_inv[[z]]; a[6] = v \oplus w \oplus z \oplus t;\\ z&=& u3 \oplus u4; v = u1 \oplus z; w= u1 \oplus u4 \oplus u5 \oplus u6; w=xtime\_inv[w];\\ z&=&xtime\_inv[xtime\_inv[[z]]; a[7] = v \oplus w \oplus z \oplus t; \end{array} $$

Appendix B

The matrix M=C i r c(1 _x ,1 _x ,2 _x ,1 _x ,5 _x ,8 _x ,9 _x ,4 _x ) proposed in [31] can be implemented in the following way. This implementation requires 71 XORs, 12 temporary variables and 48 xtime (or 48 table lookup) operations.

$$\begin{array}{@{}rcl@{}} t &=& a[0] \oplus a[1] \oplus a[2] \oplus a[3] \oplus a[4] \oplus a[5] \oplus a[6] \oplus a[7];\text{/* a is the input vector */}\\ u0&=&a[0];u1=a[1];u2=a[2];u3=a[3];u4=a[4];u5=a[5]; u6=a[6];\\ v &=& a[4] \oplus a[7]; w= a[5] \oplus a[6];y = xtime[a[2]]; z= a[2] \oplus a[5] \oplus a[7]; v=xtime[xtime[v]];\\ w&=&xtime[xtime[xtime[z]]];a[0] = t \oplus v \oplus w \oplus y \oplus z;\\ v &=& a[5] \oplus u0; w= a[6] \oplus a[7];y = xtime[a[3]]; z= a[3] \oplus a[6] \oplus u0; v=xtime[xtime[v]];\\ w&=&xtime[xtime[xtime[z]]];a[1] = t \oplus v \oplus w \oplus y \oplus z;\\ v &=& a[6] \oplus u1; w= a[7] \oplus u0;y = xtime[a[4]]; z= a[4] \oplus a[7] \oplus u1; v=xtime[xtime[v]];\\ w&=&xtime[xtime[xtime[z]]];a[2] = t \oplus v \oplus w \oplus y \oplus z;\\ v &=& a[7] \oplus u2; w= u0 \oplus u1;y = xtime[a[5]]; z= a[5] \oplus u0 \oplus u2; v=xtime[xtime[v]];\\ w&=&xtime[xtime[xtime[z]]];a[3] = t \oplus v \oplus w \oplus y \oplus z;\\ v &=& u0 \oplus u3; w= u1 \oplus u2;y = xtime[a[6]]; z= a[6] \oplus u1 \oplus u3; v=xtime[xtime[v]];\\ w&=&xtime[xtime[xtime[z]]];a[4] = t \oplus v \oplus w \oplus y \oplus z;\\ v &=& u1 \oplus u4; w= u2 \oplus u3;y = xtime[a[7]]; z= a[7] \oplus u2 \oplus u4; v=xtime[xtime[v]];\\ w&=&xtime[xtime[xtime[z]]];a[5] = t \oplus v \oplus w \oplus y \oplus z;\\ v &=& u2 \oplus u5; w= u3 \oplus u4;y = xtime[u0]; z= u0 \oplus u3 \oplus u5; v=xtime[xtime[v]]; \\ w&=&xtime[xtime[xtime[z]]];a[6] = t \oplus v \oplus w \oplus y \oplus z;\\ v &=& u3 \oplus u6; w= u4 \oplus u5;y = xtime[u1]; z= u1 \oplus u4 \oplus u6; v=xtime[xtime[v]];\\ w&=&xtime[xtime[xtime[z]]];a[7]= t \oplus v \oplus w \oplus y \oplus z; \end{array} $$

Appendix C

The matrix A=T y p e I(α,C i r c(1, 1 +α ⁻¹,α)) proposed in [18] can be implemented in the following way. The implementation involves 14 XORs, 4 xtimes and 3 x t i m e_i n vs (or 7 table lookups) and also 5 temporary variables:

$$\begin{array}{@{}rcl@{}} t &=& a[0] \oplus a[1] \oplus a[2] \oplus a[3];u1=a[1];u2=a[2]\\ v &=& xtime[a[0]]; a[0] = a[0] \oplus v \oplus t; \\ v &=& xtime[a[3]]; w=xtime\_inv[a[2]];a[1] = a[3] \oplus v \oplus w \oplus t;\\ v &=& xtime[u1]; w=xtime\_inv[a[3]];a[2] = u1 \oplus v \oplus w \oplus t;\\ v &=& xtime[u2]; w=xtime\_inv[u1];a[3] = u2 \oplus v \oplus w \oplus t;\\ \end{array} $$

Appendix D

The matrix A=T y p e I(1+α,C i r c(1,α+α ⁻¹,1+α)) of Table 6 can be implemented in the following way. The implementation involves 16 XORs, 4 xtimes and 3 x t i m e_i n vs (or 7 table lookups) and also 6 temporary variables:

$$\begin{array}{@{}rcl@{}} t &=& a[0] \oplus a[1] \oplus a[2] \oplus a[3];u1=a[1];u2=a[2]\\ v &=& xtime[a[0]]; a[0] = v \oplus t; \\ v &=& a[2]\oplus [3]; y = xtime[v]; w = xtime\_inv[a[2]];a[1] = a[2] \oplus y \oplus w \oplus t;\\ x &=& u1 \oplus a[3]; y = xtime[x]; w = xtime\_inv[a[3]];a[2] = a[3] \oplus y \oplus w \oplus t;\\ x &=& v \oplus x; y = xtime[x]; w = xtime\_inv[u1];a[3] = u1 \oplus y \oplus w \oplus t;\\ \end{array} $$

Appendix E

Let us consider the MDS matrix M=A ⁴ where A=S e r i a l(1,α,1,α ²)=\( \left (\begin {array}{cccc} 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \\ 1 & \alpha & 1 & \alpha ^{2} \end {array} \right ) \)and α is the root of the irreducible polynomial x ⁸+x ⁴+x ³+x+1. The implementation of A, as given below, requires 3 XORs, 3 xtimes and 5 temps. So implementation of M requires 12 XORs, 12 xtimes and 5 temps. The implementation of multiplication by A is as follows:

$$\begin{array}{@{}rcl@{}} u0 &=& a[0]; u1=a[1]; u2=a[2]; a[0] = a[1]; a[1] = a[2]; a[2] = a[3]; \\ u &=& xtime[u1]; v = xtime[xtime[a[3]]]; a[3]= u0 \oplus u \oplus u2 \oplus v; \end{array} $$