Abstract

Many recent block ciphers use Maximum Distance Separable (MDS) matrices in their diffusion layer. The main objective of this operation is to spread as much as possible the differences between the outputs of the nonlinear S-boxes, so these matrices generally act at the nibble or byte level. MDS matrices are associated with MDS codes of rate 1/2. The most famous example is the MixColumns operation of the AES block cipher. In this example, the MDS matrix was carefully chosen to obtain compact and efficient implementations in software and hardware. However, this MDS matrix is dedicated to 8-bit words and is not always suited to lightweight applications. Recently, several studies have been devoted to the construction of recursive diffusion layers. Such a method applies an MDS matrix through an iterative process that resembles a Feistel network with linear functions in place of nonlinear ones.

In this paper, we present a generic construction of MDS recursive diffusion layers, as proposed in [1], [7], [10], [12], [15], but bridging this construction with the theory of Gabidulin codes. Gabidulin codes have the property of being not only MDS but also MRD (Maximum Rank Distance). This gives diffusion layers an additional property that seems interesting for cryptographic applications.
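The following is an added example, not code from the paper or from any of the cited constructions, illustrating the recursive (serial) diffusion idea described above on a toy scale. It works over GF(2^4) with the assumed irreducible polynomial x^4 + x + 1, applies one companion-matrix step four times (each step rotates the four nibbles and computes a new one as a linear combination of all four, which is the Feistel-like iteration the abstract refers to), builds the resulting 4x4 matrix, and checks the MDS property directly: every square submatrix must be nonsingular. The coefficient search is a brute-force assumption of this example, not the paper's Gabidulin-based construction; it only demonstrates what the MDS check tests and why the single step alone is not MDS.

```python
# Added example (not from the paper): recursive MDS diffusion layer over GF(2^4).
from itertools import combinations, product

MOD = 0b10011  # x^4 + x + 1, assumed irreducible polynomial defining GF(2^4)


def gf_mul(a, b):
    """Multiply two nibbles in GF(2^4) with reduction by MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= MOD
    return r


def gf_inv(a):
    """Inverse of a nonzero nibble, found by exhaustive search in the 16-element field."""
    for x in range(1, 16):
        if gf_mul(a, x) == 1:
            return x
    raise ZeroDivisionError("0 has no inverse")


def serial_step(state, coeffs):
    """One recursive step: drop the first nibble, append a linear combination of all four.
    This is the companion-matrix (Serial) round; its matrix contains zeros, so it is not MDS on its own."""
    new = 0
    for s, c in zip(state, coeffs):
        new ^= gf_mul(s, c)
    return state[1:] + [new]


def serial_layer(state, coeffs, rounds=4):
    """Apply the step `rounds` times; with rounds == len(state) the product can be a full MDS matrix."""
    for _ in range(rounds):
        state = serial_step(state, coeffs)
    return state


def layer_matrix(coeffs, rounds=4):
    """Recover the 4x4 matrix of the iterated layer: column j is the image of unit vector e_j."""
    cols = [serial_layer([1 if i == j else 0 for i in range(4)], coeffs, rounds) for j in range(4)]
    return [[cols[j][i] for j in range(4)] for i in range(4)]


def mat_vec(m, v):
    """Matrix-vector product over GF(2^4), used to cross-check the iterative form."""
    out = []
    for row in m:
        acc = 0
        for a, x in zip(row, v):
            acc ^= gf_mul(a, x)
        out.append(acc)
    return out


def det(m):
    """Determinant over GF(2^4) by Gaussian elimination (no sign bookkeeping needed in characteristic 2)."""
    m = [row[:] for row in m]
    n = len(m)
    d = 1
    for col in range(n):
        piv = next((r for r in range(col, n) if m[r][col]), None)
        if piv is None:
            return 0
        m[col], m[piv] = m[piv], m[col]
        d = gf_mul(d, m[col][col])
        inv = gf_inv(m[col][col])
        for r in range(col + 1, n):
            if m[r][col]:
                f = gf_mul(m[r][col], inv)
                m[r] = [x ^ gf_mul(f, y) for x, y in zip(m[r], m[col])]
    return d


def is_mds(m):
    """A square matrix is MDS iff every square submatrix (all sizes) is nonsingular."""
    n = len(m)
    for size in range(1, n + 1):
        for rows in combinations(range(n), size):
            for cols in combinations(range(n), size):
                if det([[m[r][c] for c in cols] for r in rows]) == 0:
                    return False
    return True


def find_serial_mds():
    """Brute-force search (example only) for coefficients (1, b, c, d) whose 4-fold iteration is MDS."""
    for b, c, d in product(range(1, 16), repeat=3):
        coeffs = [1, b, c, d]
        m = layer_matrix(coeffs)
        if is_mds(m):
            return coeffs, m
    return None


if __name__ == "__main__":
    coeffs, m = find_serial_mds()
    print("coefficients:", coeffs)
    for row in m:
        print(row)
    print("single step MDS:", is_mds(layer_matrix(coeffs, rounds=1)), "| 4 steps MDS:", is_mds(m))
```

The point the check makes concrete is the one in the abstract: the step matrix itself is sparse (it has zero entries, so the 1x1 submatrix test already fails), yet iterating it the right number of times yields a dense matrix that passes the full submatrix test, and the hardware only ever implements the sparse step.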

Full Text
Published version (Free)
