MDS matrices are widely used in block ciphers, and constructing lightweight MDS matrices is one of the research focuses of lightweight cryptography. In this paper, we define a new operation, called the Copy operation, using registers. It is a generalization of the Type 3 elementary operation (adding a row multiplied by a nonzero number to another row). We show that any nonsingular matrix can be obtained from the identity matrix I by Copy operations and Multiplication operations (a Copy Block Implementation of the matrix). On this basis we introduce a new metric, called gw-xor, that uses Copy Block Implementations to construct lightweight MDS matrices with respect to low xor gate counts. Compared with sw-xor, the gw-xor count is a closer approximation of the optimal implementation cost, and it may also approximate the optimal implementation cost better than s-xor does. By searching the potential paths of Copy operations that yield formal MDS matrices (matrices with indeterminate elements in which the determinant of every square submatrix of any order is a nonzero polynomial in these indeterminates), we find 52 classes of 16×16 and 32×32 binary MDS matrices with 35 and 67 xor gates respectively, which are the best known results. Furthermore, by taking the depth of MDS matrices into account, we find further 4×4 MDS matrices over F_{2^n} with the fewest xor gates at depths 3, 4 and 5.
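As an added illustration (not code from the paper or its authors), the following Python models the ingredients the abstract names: Type 3 elementary operations applied as register updates to the identity matrix, an xor-gate tally and per-register depth for the resulting straight-line program, and a brute-force check of the MDS condition (every square submatrix of every order is nonsingular) over GF(2^n). The paper's Copy operation and its gw-xor metric are not reproduced here; the cost convention, the field polynomials 0x13 and 0x11b, the sample operation list and the use of the AES MixColumns matrix as a known-MDS check are my own assumptions.

```python
# Added example (not from the paper or its authors): Type 3 row operations
# applied to the identity, an xor-gate tally for the resulting straight-line
# program, and a brute-force MDS check over GF(2^n). Field polynomials,
# operation lists and cost conventions below are my own assumptions.
from itertools import combinations


class GF2n:
    """GF(2^n) with reduction polynomial `poly` written with its x^n term
    (0x13 = x^4 + x + 1, 0x11b = the AES polynomial)."""

    def __init__(self, n, poly):
        self.n, self.poly = n, poly

    def mul(self, a, b):
        """Shift-and-add multiplication, reducing after each doubling."""
        r = 0
        for _ in range(self.n):
            if b & 1:
                r ^= a
            b >>= 1
            a <<= 1
            if a >> self.n:
                a ^= self.poly
        return r

    def inv(self, a):
        """a^(2^n - 2) = a^-1 for a != 0 (square-and-multiply)."""
        result, base, e = 1, a, (1 << self.n) - 2
        while e:
            if e & 1:
                result = self.mul(result, base)
            base = self.mul(base, base)
            e >>= 1
        return result

    def xor_count(self, c):
        """Direct xor count of multiplication by c: write x -> c*x as an
        n x n binary matrix and sum (row weight - 1) over its rows
        (assumed convention; it is 0 for c = 1)."""
        total = 0
        for i in range(self.n):
            weight = sum((self.mul(c, 1 << j) >> i) & 1 for j in range(self.n))
            total += max(weight - 1, 0)
        return total

    def det(self, m):
        """Determinant by Gaussian elimination (no signs in characteristic 2)."""
        m = [row[:] for row in m]
        k, d = len(m), 1
        for col in range(k):
            pivot = next((r for r in range(col, k) if m[r][col]), None)
            if pivot is None:
                return 0
            m[col], m[pivot] = m[pivot], m[col]
            d = self.mul(d, m[col][col])
            inv = self.inv(m[col][col])
            for r in range(col + 1, k):
                if m[r][col]:
                    f = self.mul(m[r][col], inv)
                    m[r] = [x ^ self.mul(f, y) for x, y in zip(m[r], m[col])]
        return d

    def is_mds(self, m):
        """MDS iff every square submatrix of every order is nonsingular."""
        k = len(m)
        for order in range(1, k + 1):
            for rows in combinations(range(k), order):
                for cols in combinations(range(k), order):
                    if self.det([[m[r][c] for c in cols] for r in rows]) == 0:
                        return False
        return True


def run_program(field, k, ops):
    """Apply Type 3 operations r_i += c * r_j (i != j, c != 0) to the k x k
    identity, register by register. Returns (matrix, xor_gates, depths).
    Cost convention (assumed): a word addition costs n xor gates and a
    scalar c adds field.xor_count(c); depth counts xor layers per register
    and ignores the internal depth of the scalar multiplication."""
    rows = [[int(i == j) for j in range(k)] for i in range(k)]
    depth, gates = [0] * k, 0
    for i, j, c in ops:
        assert i != j and c != 0
        rows[i] = [x ^ field.mul(c, y) for x, y in zip(rows[i], rows[j])]
        gates += field.n + field.xor_count(c)
        depth[i] = max(depth[i], depth[j]) + 1
    return rows, gates, depth


# Constructed sample: two operations over GF(2^4) giving a 2 x 2 MDS matrix.
F4 = GF2n(4, 0x13)
SAMPLE_OPS = [(0, 1, 1), (1, 0, 2)]   # r0 += r1 ; r1 += x * r0

# The AES MixColumns matrix over GF(2^8), a known MDS matrix, as a check.
F8 = GF2n(8, 0x11b)
AES_MIXCOLUMNS = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]

if __name__ == "__main__":
    m, gates, depth = run_program(F4, 2, SAMPLE_OPS)
    print(m, gates, depth, F4.is_mds(m))   # [[1, 1], [2, 3]] 9 [1, 2] True
    print(F8.is_mds(AES_MIXCOLUMNS))       # True
```

The brute-force check is only practical for small dimensions (a 4×4 matrix has 69 minors); it is the definition the abstract relies on, not the formal-MDS search over indeterminates that the paper performs.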
Table 1. An implementation of the matrix
(15 numbered implementation steps in three columns; the matrix and the contents of the steps were not preserved by the extraction.)
Table 2. Comparison of metrics, where
Table 3. The potential paths for
No | Representative path
(18 representative paths numbered 1 to 18; the path expressions were not preserved by the extraction.)
Table 4. The 52 classes of MDS matrices with
No. | Path
(52 classes numbered 1 to 52; the path expressions were not preserved by the extraction. Classes 1, 2, 3, 4, 7, 8, 10 and 12 carry the citation [24], classes 9 and 11 carry the citation [10,24], and the remaining classes carry no citation.)
Here
Table 5. The depth calculation of
Copy operation | Transformation | Depth | Copy operation | Transformation | Depth |
- | [0, 0, 0, 0] | - | [3, 1, 2, 0] | ||
[0, 0, 1, 0] | [3, 1, 2, 4] | ||||
- | [0, 0, 1, 0] | [3, 1, 2, 5] | |||
[0, 1, 1, 0] | [3, 1, 2, 6] | ||||
[0, 2, 1, 0] | - | [3, 1, 2, 6] | |||
[3, 1, 1, 0] | [3, 6, 2, 6] | ||||
- | [3, 1, 1, 0] | - | [3, 6, 2, 6] | ||
[3, 1, 2, 0] | [7, 6, 2, 6] |
Table 6. The depth calculation of the path
Copy operation | Transformation | Depth | Copy operation | Transformation | Depth |
[0, 0, 1, 0] | [2, 1, 2, 3] | ||||
[0, 1, 1, 0] | [2, 1, 2, 4] | ||||
[2, 1, 1, 0] | [2, 4, 2, 4] | ||||
[2, 1, 2, 0] | [5, 4, 2, 4] |
Table 7.
Table 8. The statistical results
Depth | Cost | Number of MDS matrices | Depth | Cost | Number of MDS matrices
- | 35 | 52 | - | 67 | 52
5 | 35 | 2 | 5 | 67 | 2
4 | 37 | 4 | 4 | 69 | 4
3 | 41 | 2 | 3 | 77 | 2
[1] J. P. Aumasson, L. Henzen, W. Meier et al., QUARK: A lightweight hash, Cryptographic Hardware and Embedded Systems-CHES 2010, 6225 (2010), 1-15. doi: 10.1007/978-3-642-15031-9_1.
[2] S. Banik, Y. Funabiki and T. Isobe, More results on shortest linear programs, Advances in Information and Computer Security-IWSEC 2019, 11689 (2019), 109-128. doi: 10.1007/978-3-030-26834-3_7.
[3] A. Bogdanov, M. Knezevic, G. Leander et al., SPONGENT: A lightweight hash function, Cryptographic Hardware and Embedded Systems-CHES 2011, Lecture Notes in Computer Science, 6917 (2011), 312-325. doi: 10.1007/978-3-642-23951-9_21.
[4] A. Bogdanov, L. R. Knudsen, G. Leander, C. Paar, A. Poschmann, M. J. B. Robshaw, Y. Seurin and C. Vikkelsoe, PRESENT: An ultra-lightweight block cipher, Cryptographic Hardware and Embedded Systems-CHES 2007, 4727 (2007), 450-466. doi: 10.1007/978-3-540-74735-2_31.
[5] J. Boyar, P. Matthews and R. Peralta, On the shortest linear straight-line program for computing linear forms, Mathematical Foundations of Computer Science 2008, 33rd International Symposium, In MFCS 2008, 5162 (2008), 168-179. doi: 10.1007/978-3-540-85238-4_13.
[6] J. Boyar, P. Matthews and R. Peralta, Logic minimization techniques with applications to cryptology, J. Cryptology, 26 (2013), 280-312. doi: 10.1007/s00145-012-9124-7.
[7] J. Daemen and V. Rijmen, The wide trail design strategy, Cryptography and Coding, 8th IMA International Conference, 2260 (2001), 222-238. doi: 10.1007/3-540-45325-3_20.
[8] J. Daemen and V. Rijmen, The Design of Rijndael: AES - The Advanced Encryption Standard, Information Security and Cryptography, Springer, 2002. doi: 10.1007/978-3-662-04722-4.
[9] C. De Cannière, O. Dunkelman and M. Knezevic, KATAN and KTANTAN - A family of small and efficient hardware-oriented block ciphers, Cryptographic Hardware and Embedded Systems-CHES 2009, 5747 (2009), 272-288. doi: 10.1007/978-3-642-04138-9_20.
[10] S. Duval and G. Leurent, MDS matrices with lightweight circuits, IACR Trans. Symmetric Cryptol., 2018 (2018), 48-78. doi: 10.46586/tosc.v2018.i2.48-78.
[11] J. Guo, T. Peyrin and A. Poschmann, The PHOTON family of lightweight hash functions, Advances in Cryptology-CRYPTO 2011, 6841 (2011), 222-239. doi: 10.1007/978-3-642-22792-9_13.
[12] K. C. Gupta and I. G. Ray, On constructions of involutory MDS matrices, Progress in Cryptology-AFRICACRYPT 2013, 7918 (2013), 43-60. doi: 10.1007/978-3-642-38553-7_3.
[13] H. M. Heys and S. E. Tavares, The design of substitution-permutation networks resistant to differential and linear cryptanalysis, CCS'94, Proceedings of the 2nd ACM Conference on Computer and Communications Security, (1994), 148-155.
[14] J. Jean, T. Peyrin, S. M. Sim and J. Tourteaux, Optimizing implementations of lightweight building blocks, IACR Trans. Symmetric Cryptol., 2017 (2017), 130-168. doi: 10.46586/tosc.v2017.i4.130-168.
[15] K. Khoo, T. Peyrin, A. T. Poschmann et al., FOAM: Searching for hardware-optimal SPN structures and components with a fair comparison, Cryptographic Hardware and Embedded Systems-CHES 2014, 8731 (2014), 433-450. doi: 10.1007/978-3-662-44709-3_24.
[16] T. Kranz, G. Leander, K. Stoffelen and F. Wiemer, Shorter linear straight-line programs for MDS matrices, IACR Trans. Symmetric Cryptol., 2017 (2017), 188-211. doi: 10.46586/tosc.v2017.i4.188-211.
[17] S. Li, S. Sun, C. Li, Z. Wei and L. Hu, Constructing low-latency involutory MDS matrices with lightweight circuits, IACR Trans. Symmetric Cryptol., 2019 (2019), 84-117. doi: 10.46586/tosc.v2019.i1.84-117.
[18] Y. Li and M. Wang, On the construction of lightweight circulant involutory MDS matrices, Fast Software Encryption 2016, 9783 (2016), 121-139. doi: 10.1007/978-3-662-52993-5_7.
[19] M. Liu and S. M. Sim, Lightweight MDS generalized circulant matrices, Fast Software Encryption 2016, 9783 (2016), 101-120. doi: 10.1007/978-3-662-52993-5_6.
[20] F. J. MacWilliams and N. J. A. Sloane, The theory of error correcting codes, North-Holland Mathematical Library, Amsterdam-New York Oxford: North-Holland Publishing Company, 16 (1977), 317-329.
[21] C. Paar, Optimized arithmetic for Reed-Solomon encoders, In: Proceedings of IEEE International Symposium on Information Theory, (1997), 250-250. doi: 10.1109/ISIT.1997.613165.
[22] B. Ray, S. Douglas, S. Jason et al., The SIMON and SPECK families of lightweight block ciphers, Cryptology ePrint Archive, Report (2013), 414-414. Available from: http://eprint.iacr.org/2013/404.
[23] S. M. Sim, K. Khoo, F. Oggier and T. Peyrin, Lightweight MDS involution matrices, In: Fast Software Encryption 2015, 9054 (2015), 471-493. doi: 10.1007/978-3-662-48116-5_23.
[24] S. Wang, Y. Li, S. Tian et al., Four by four MDS matrices with the fewest XOR gates based on words, Advances in Mathematics of Communications, 2021. doi: 10.3934/amc.2021025.
[25] Z. Xiang, X. Zeng, D. Lin, Z. Bao and S. Zhang, Optimizing implementations of linear layers, IACR Trans. Symmetric Cryptol., 2020 (2020), 120-145. doi: 10.13154/tosc.v2020.i2.120-145.
[26] Y. Yang, X. Zeng and S. Wang, Construction of lightweight involutory MDS matrices, Des. Codes Cryptogr., 89 (2021), 1453-1483. doi: 10.1007/s10623-021-00879-3.
The implementation of the path
The circuit implementation in Example 4