Efficient Recursive Diffusion Layers for Block Ciphers and Hash Functions

Sajadieh, Mahdi; Dakhilalian, Mohammad; Mala, Hamid; Sepehrdad, Pouyan

doi:10.1007/s00145-013-9163-8

Cited by 13 publications

(7 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The authors also proposed recursive matrices of sizes 4, 5, 6, and 7 that are very lightweight, along with their corresponding number of XORs. In [ 33 ], the authors introduced a novel diffusion layers class that is highly effective, consisting of multiple Feistel-like structures. They investigated some linear functions to reach the optimal branch number for the diffusion layer of 4×4 words.…”

Section: Related Workmentioning

confidence: 99%

“…There have been a large number of studies focused on generating small-size recursive MDS matrices, such as MDS matrices with a size of 4. These matrices have advantages in hardware implementation [ 31 , 33 , 34 ]. However, software implementation exploiting the recursiveness of these matrices does not seem to have received much attention, especially in terms of using pre-computed lookup tables.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Efficient implementation of the linear layer of block ciphers with large MDS matrices based on a new lookup table technique

Luong,

Van Long,

2024

PLoS ONE

View full text Add to dashboard Cite

Block cipher is a cryptographic field that is now widely applied in various domains. Besides its security, deployment issues, implementation costs, and flexibility across different platforms are also crucial in practice. From an efficiency perspective, the linear layer is often the slowest transformation and requires significant implementation costs in block ciphers. Many current works employ lookup table techniques for linear layers, but they are quite costly and do not save memory storage space for the lookup tables. In this paper, we propose a novel lookup table technique to reduce memory storage when executing software. This technique is applied to the linear layer of block ciphers with recursive Maximum Distance Separable (MDS) matrices, Hadamard MDS matrices, and circulant MDS matrices of considerable sizes (e.g. sizes of 16, 32, 64, and so on). The proposed lookup table technique leverages the recursive property of linear matrices and the similarity in elements of Hadamard or circulant MDS matrices, allowing the construction of a lookup table for a submatrix instead of the entire linear matrix. The proposed lookup table technique enables the execution of the diffusion layer with unchanged computational complexity (number of XOR operations and memory accesses) compared to conventional lookup table implementations but allows a substantial reduction in memory storage for the pre-computed tables, potentially reducing the storage needed by 4 or 8 times or more. The memory storage will be reduced even more as the size of the MDS matrix increases. For instance, analysis shows that when the matrix size is 64, the memory storage ratio with the proposed lookup table technique decreases by 87.5% compared to the conventional lookup table technique. This method also allows for more flexible software implementations of large-sized linear layers across different environments.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Efficient implementation of the linear layer of block ciphers with large MDS matrices based on a new lookup table technique

Luong,

Van Long,

2024

PLoS ONE

View full text Add to dashboard Cite

show abstract

“…Diffusion layers of symmetric ciphers AES [7], Twofish [27] and SNOW [9] apply MDS matrices with entries in finite fields. In the papers [23,24,5], the authors tried to improve the efficiency of MDS matrices. However, implementation costs of MDS matrices of large dimensions (i.e.…”

Section: Introductionmentioning

confidence: 99%

“…, 2, 3, 4, 5, 6, 8, 11, 15, 20), circ(0,1,2,3,4,7,8,14,21,24,27), circ(0, 1, 2, 3, 4, 8, 9, 10, 12, 15, 17), circ(0, 1, 2, 3, 4, 9, 10, 11, 13, 16, 30), circ(0, 1, 2, 3, 4, 13, 15, 18, 20, 24, 31), circ(0, 1, 2, 3, 4, 13, 16, 17, 18, 22, 25), circ(0, 1, 2, 3, 5, 6, 8, 9, 15, 21, 29), circ(0, 1, 2, 3, 5, 6, 7, 14, 16, 29, 30). Now, we focus on efficient implementation of CBMs using the method of matrix decomposition.…”

mentioning

confidence: 99%

Cryptographic properties of cyclic binary matrices

Rishakani¹,

Dehnavi²,

Shamsabad³

et al. 2021

Advances in Mathematics of Communications

View full text Add to dashboard Cite

Many modern symmetric ciphers apply MDS or almost MDS matrices as diffusion layers. The performance of a diffusion layer depends on its diffusion property measured by branch number and implementation cost which is usually measured by the number of XORs required. As the implementation cost of MDS matrices of large dimensions is high, some symmetric ciphers use binary matrices as diffusion layers to trade-off efficiency versus diffusion property. In the current paper, we investigate cyclic binary matrices (CBMs for short), mathematically. Based upon this theorical study, we provide efficient matrices with provable lower bound on branch number and minimal number of fixed-points. We consider the product of sparse CBMs to construct efficiently implementable matrices with the desired cryptographic properties.

show abstract

“…This approach is rather natural since, in differential attacks, cryptanalysts usually start by searching for a differential characteristic with the fewest possible active Sboxes. Therefore, the construction of MDS diffusion layers with an efficient implementation has been investigated by several authors, e.g., [22,3,1].…”

Section: Introductionmentioning

confidence: 99%

Differential Attacks Against SPN: A Thorough Analysis

Canteaut

Roué

2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. This work aims at determining when the two-round maximum expected differential probability in an SPN with an MDS diffusion layer is achieved by a differential having the fewest possible active Sboxes. This question arises from the fact that minimum-weight differentials include the best differentials for the AES and several variants. However, we exhibit some SPN for which the two-round MEDP is achieved by some differentials involving a number of active Sboxes which exceeds the branch number of the linear layer. On the other hand, we also prove that, for some particular families of Sboxes, the two-round MEDP is always achieved for minimum-weight differentials.

show abstract

Efficient Recursive Diffusion Layers for Block Ciphers and Hash Functions

Cited by 13 publications

References 11 publications

Efficient implementation of the linear layer of block ciphers with large MDS matrices based on a new lookup table technique

Efficient implementation of the linear layer of block ciphers with large MDS matrices based on a new lookup table technique

Cryptographic properties of cyclic binary matrices

Differential Attacks Against SPN: A Thorough Analysis

Contact Info

Product

Resources

About