Abstract

MDS matrices are important building blocks providing diffusion functionality for the design of many symmetric-key primitives. In recent years, continuous efforts have been made on the construction of MDS matrices with small area footprints in the context of lightweight cryptography. Just recently, Duval and Leurent (ToSC 2018/FSE 2019) reported some 32 × 32 binary MDS matrices with branch number 5, which can be implemented with only 67 XOR gates, whereas the previously known lightest ones of the same size cost 72 XOR gates.

In this article, we focus on the construction of lightweight involutory MDS matrices, which are even more desirable than ordinary MDS matrices, since the same circuit can be reused when the inverse is required. In particular, we identify some involutory MDS matrices which can be realized with only 78 XOR gates with depth 4, whereas the previously known lightest involutory MDS matrices cost 84 XOR gates with the same depth. Notably, the involutory MDS matrix we find is much smaller than the AES MixColumns operation, which requires 97 XOR gates with depth 8 when implemented as a block of combinatorial logic that can be computed in one clock cycle. However, with respect to latency, the AES MixColumns operation is superior to our 78-XOR involutory matrices, since the AES MixColumns can be implemented with depth 3 by using more XOR gates.

We prove that the depth of a 32 × 32 MDS matrix with branch number 5 (e.g., the AES MixColumns operation) is at least 3. Then, we enhance Boyar’s SLP-heuristic algorithm with circuit depth awareness, such that the depth of its output circuit is limited. Along the way, we give a formula for computing the minimum achievable depth of a circuit implementing the summation of a set of signals with given depths, which is of independent interest.
We apply the new SLP heuristic to a large set of lightweight involutory MDS matrices, and we identify a depth 3 involutory MDS matrix whose implementation costs 88 XOR gates, which is superior to the AES MixColumns operation with respect to both lightweightness and latency, and enjoys the extra involution property.
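The abstract measures circuits by two quantities, XOR count and depth, and mentions a formula for the minimum depth of a circuit that sums signals which become available at different depths. The following Python is an added example written for this page; it is not code from the paper or its authors. The closed form it uses for the minimum summation depth, ceil(log2(sum 2^d_i)), is my own derivation from a Kraft-style counting argument (a signal ready at depth d occupies 2^d of the 2^D leaf slots of a depth-D binary tree, and the greedy "merge the two shallowest signals" tree always fits them in); the abstract says the paper gives a formula for this problem but does not print it, so do not read this as the paper's statement. The 4 × 4 binary matrix and its straight-line program are constructed for illustration only (the paper's 32 × 32 matrices are not reproduced on this page), and the straight-line-program evaluator shows how one checks a candidate circuit's XOR count, depth, the linear map it really computes, and that map's branch number.

```python
import heapq
from itertools import product


def min_sum_depth(depths):
    """Minimum depth of a circuit of 2-input XOR gates that sums signals
    available at the given depths.  Closed form ceil(log2(sum 2**d_i)):
    own derivation (Kraft-style bound), assumed, not the paper's text."""
    if not depths:
        raise ValueError("need at least one signal")
    total = sum(1 << d for d in depths)
    return (total - 1).bit_length()          # == ceil(log2(total)) for total >= 1


def greedy_sum_tree(depths):
    """Sum the signals by repeatedly XORing the two shallowest ones.
    A gate's depth is max(input depths) + 1.  Returns (output_depth, xor_gates)."""
    heap = list(depths)
    heapq.heapify(heap)
    gates = 0
    while len(heap) > 1:
        a, b = heapq.heappop(heap), heapq.heappop(heap)
        heapq.heappush(heap, max(a, b) + 1)
        gates += 1
    return heap[0], gates


def formula_matches_greedy(n_signals, max_depth):
    """Exhaustive check that the closed form equals the greedy tree's depth
    for every tuple of n_signals depths in 0..max_depth."""
    return all(greedy_sum_tree(d)[0] == min_sum_depth(d)
               for d in product(range(max_depth + 1), repeat=n_signals))


def slp_depth_and_cost(n_inputs, program):
    """Evaluate a straight-line program of XOR gates over GF(2).
    program: list of (name, a, b) meaning name = a XOR b, where a and b are
    inputs 'x0'..'x{n-1}' or earlier gate names.  Returns
    (xor_count, depth_of_each_signal, linear_form_of_each_signal); a linear
    form is the frozenset of input indices whose XOR the signal equals."""
    forms = {f"x{i}": frozenset({i}) for i in range(n_inputs)}
    depth = {f"x{i}": 0 for i in range(n_inputs)}
    for name, a, b in program:
        forms[name] = forms[a] ^ forms[b]      # XOR over GF(2) = symmetric difference
        depth[name] = max(depth[a], depth[b]) + 1
    return len(program), depth, forms


def matrix_of(n_inputs, outputs, forms):
    """Rows of the binary matrix computed by the named output signals."""
    return [[1 if i in forms[o] else 0 for i in range(n_inputs)] for o in outputs]


def naive_xor_count(matrix):
    """Cost of implementing each row separately, with no sharing."""
    return sum(sum(row) - 1 for row in matrix)


def branch_number(matrix):
    """min over nonzero bit vectors x of wt(x) + wt(M x), M a binary matrix."""
    n = len(matrix[0])
    best = None
    for x in product((0, 1), repeat=n):
        if not any(x):
            continue
        y = [sum(m * xi for m, xi in zip(row, x)) % 2 for row in matrix]
        w = sum(x) + sum(y)
        best = w if best is None else min(best, w)
    return best


# Constructed example (not from the paper): a 4x4 binary circulant and a
# straight-line program that shares the intermediate sums t and u.
N_INPUTS = 4
TARGET = [[1, 1, 1, 0], [0, 1, 1, 1], [1, 0, 1, 1], [1, 1, 0, 1]]
PROGRAM = [
    ("t", "x1", "x2"),
    ("u", "x0", "x3"),
    ("y0", "t", "x0"),   # x0 ^ x1 ^ x2
    ("y1", "t", "x3"),   # x1 ^ x2 ^ x3
    ("y2", "u", "x2"),   # x0 ^ x2 ^ x3
    ("y3", "u", "x1"),   # x0 ^ x1 ^ x3
]
OUTPUTS = ["y0", "y1", "y2", "y3"]


def analyse_example():
    """Cost, depth and correctness of PROGRAM against TARGET."""
    xors, depth, forms = slp_depth_and_cost(N_INPUTS, PROGRAM)
    matrix = matrix_of(N_INPUTS, OUTPUTS, forms)
    return {
        "xor_count": xors,                                  # 6 with sharing
        "naive_xor_count": naive_xor_count(TARGET),         # 8 row by row
        "depth": max(depth[o] for o in OUTPUTS),            # 2
        "matches_target": matrix == TARGET,
        "branch_number": branch_number(matrix),             # 4, best possible for 4x4 binary
    }


if __name__ == "__main__":
    print(analyse_example())
    print(min_sum_depth([2, 0, 0]), greedy_sum_tree([2, 0, 0]))
```

The `slp_depth_and_cost` check is the kind of verification a designer should run on any hand-optimised or heuristic-generated circuit before trusting its advertised cost: the linear form recovered from the gates is compared with the intended matrix, so a sharing mistake shows up as a wrong row rather than as a silently weakened diffusion layer. The depth functions reflect the trade-off the abstract describes for AES MixColumns: once the depths of the shared intermediate signals are fixed, the closed form gives the best output depth any arrangement of 2-input XORs can reach.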

Highlights

  • The development of pervasive computing and the demand for low-cost security have stimulated intensive research on the design of lightweight symmetric-key cryptographic algorithms.

  • In this work, we focus on the lightweight constructions, where the full Maximal Distance Separable (MDS) matrix is implemented as a block of combinatorial logic circuit such that it can be computed in one clock cycle.

  • Just recently in ToSC 2018/FSE 2019, Duval and Leurent reported some 32 × 32 binary MDS matrices which can be implemented with only 67 XOR gates by searching through a set of circuits ordered by hardware cost and optimizing globally [DL18], whereas the previously known lightest ones of the same size cost 72 XOR gates [KLSW17].

Summary

Introduction

Licensed under Creative Commons License CC-BY 4.0. Received: 2018-11-23, Accepted: 2019-01-23, Published: 2019-03-08.

It is not an easy task to find lightweight MDS matrices, and it may be too luxurious to use an MDS matrix in a design targeting resource-constrained devices. In such situations, the designers compromise by employing almost-MDS matrices [BBI+15, Ava17], linear operations that can be realized with several bitwise XORs [BJK+16], or even bit-level permutations which can be implemented with proper wiring [BKL+07]. Such a design strategy more often than not leads to a significant increase in the number of rounds and complicates the security proof remarkably. The idea of reusing involutory components in both encryption and decryption has already been applied in some designs [BR00, SPR+04, BCG+12].

Related work
Our Contribution
Organization
Conclusion