New Subquadratic Algorithms for Constructing Lightweight Hadamard MDS Matrices (Full Version)

Tianshuo Cong (a), Ximing Fu (b, c; corresponding author), Xuting Zhou (e), Yuli Zou (d) and Haining Fan (e)

(a) Institute for Advanced Study, Tsinghua University, Beijing, China
(b) The Chinese University of Hong Kong, Shenzhen, Shenzhen, China
(c) University of Science and Technology of China, Hefei, China
(d) Alibaba Local Life Service Lab, Shanghai, China
(e) Department of Computer Science and Technology, Tsinghua University, Beijing, China

T. S. Cong et al.: Preprint submitted to Elsevier

Keywords: Lightweight cryptography; MDS matrix; Hadamard matrix; Involution; Subquadratic matrix-vector product formulae

Abstract

Maximum Distance Separable (MDS) matrices play a crucial role in designing cryptosystems. In this paper we mainly talk about constructing lightweight Hadamard MDS matrices based on subquadratic multipliers over $\mathrm{GF}(2^4)$. We firstly propose subquadratic Hadamard matrix-vector product formulae (HMVP), and provide two new XOR count metrics. To the best of our knowledge, subquadratic multipliers have not been used to construct MDS matrices. Furthermore, combined with HMVP formulae we design a construction algorithm to find lightweight Hadamard MDS matrices under our XOR count metric. Applying our algorithms, we successfully find MDS matrices with the state-of-the-art fewest XOR counts for 4 × 4 and 8 × 8 involutory and non-involutory MDS matrices. Experiment results show that our candidates save up to 40.63% and 10.34% XOR gates for 8 × 8 and 4 × 4 matrices over $\mathrm{GF}(2^4)$ respectively.

1. Introduction

With the rapid development and application of resource-restricted equipment like Radio Frequency Identification (RFID), lightweight ciphers have attracted great attention, such as the stream ciphers Trivium [13], Grain v1 [22] and MICKEY 2.0 [1], and the block ciphers LED [19] and CLEFIA [36], etc. The confusion layer and the diffusion layer play crucial roles in designing symmetric ciphers in terms of security and efficiency. The branch number is the primary factor for the performance of diffusion layers. A Maximum Distance Separable (MDS) matrix has the biggest branch number and hence provides the best resistance to differential and linear attacks. As a consequence, lightweight MDS matrices have been applied in diffusion layers to provide better security and hardware performance: the block cipher Shark [32] firstly utilizes an MDS matrix; AES [11] uses a 4 × 4 matrix over $\mathrm{GF}(2^8)$, which occupies a wealth of hardware area resources; the 4 × 4 matrix in LED is hardware-friendly. MDS matrices are also widely used as diffusion layers in other block ciphers such as CLEFIA, FOX [25], KHAZAD [2], ANUBIS [3], Square [10], Twofish [35] and Joltik [23], in some stream ciphers [12] and in hash functions [17, 18, 29].

The method of constructing MDS matrices is mainly considered from two perspectives: structure and involution. Two networks are widely used in block ciphers, substitution-permutation networks (SPNs) and the Feistel structure. A matrix with a lightweight inverse matrix could be used in SPNs, and hardware-friendly involutory MDS matrices could be used in Feistel structures because of the identical process of Feistel encryption and decryption. The diffusion layers of AES, Grøstl and WHIRLPOOL use circulant matrices. The diffusion layer of KHAZAD uses a Hadamard matrix.

In [9], the authors propose compact Cauchy matrices, which have the fewest different entries, and they prove that all compact Cauchy matrices could be improved into self-inverse ones. In [33], the application of Toeplitz matrices in lightweight diffusion layers was discussed. The authors prove that Toeplitz matrices could not be both MDS and involutory, and they give a 4 × 4 involutory MDS matrix with a small number of XOR operations. It is proved in [37] that there are equivalence classes of various MDS matrices; for example there are 30 equivalence classes of 8 × 8 Hadamard matrices. In [24], the authors propose a tool named LIGHTER to produce optimized implementations of small functions in lightweight cryptographic designs. They find 4 × 4 and 8 × 8 involutory and non-involutory MDS matrices over $\mathrm{GF}(2^4)$ and $\mathrm{GF}(2^8)$ with fewer XOR counts.

The $\mathrm{GF}(2^c)$ multiplication can be represented as a matrix-vector product, and MDS matrices usually appear in matrix-vector multiplication, so the method to design a multiplier can also be adapted to design MDS matrices. A typical hardware evaluation of a given MDS matrix is the total number of 2-input XOR gates it costs, because an addition over $\mathrm{GF}(2)$ could be realized by a 2-input Exclusive Or (XOR) gate, and an addition over $\mathrm{GF}(2^c)$ can be realized by c 2-input XOR gates with one XOR gate delay. Minimizing the number of XOR gates needed in matrix-vector multiplication has always been a concern [28, 5]. Bit-parallel $\mathrm{GF}(2^c)$ multipliers could be classified into two categories: quadratic and subquadratic multipliers [15]. Quadratic multipliers are built on the straightforward computation and they have high space complexity [30, 31, 34, 21]. Subquadratic multiplication algorithms could be utilized to design low space complexity $\mathrm{GF}(2^c)$ multipliers for large c [4, 16, 6, 26]. In this work, we design lightweight MDS matrices using the subquadratic Toeplitz matrix-vector product formulae (TMVP) in [14].

1.1. Our Contributions

The goal in this work is to construct lightweight involutory and non-involutory MDS matrices by using subquadratic Hadamard matrix-vector product formulae. To the best of our knowledge, this approach has not been used to design MDS matrices with low XOR count before.

Considering lightweightness, we mainly consider MDS matrices over small fields. We construct four kinds of MDS matrices, which are involutory and non-involutory 4 × 4 and 8 × 8 Hadamard matrices over $\mathrm{GF}(2^4)$. We propose two new XOR count metrics and use the subquadratic algorithms to construct lightweight MDS matrices over $\mathrm{GF}(2^4)$ defined by three irreducible polynomials under our new metrics. A comparison with the best results of previous work is shown in Table 1. The known lower bounds are from [24] (FSE 2017), which are the benchmarks in our experiment. Inv. with the check mark means involutions.

Table 1. Summary table of the MDS matrices

  Dimension   Inv.   XOR count   [24]   Comparison
  4 × 4       ✓      58          63     7.94%
  8 × 8       ✓      282         424    33.49%
  4 × 4              52          58     10.34%
  8 × 8              228         384    40.63%

The rest of this paper is organised as follows. Section 2 briefly introduces some basic concepts such as background knowledge of MDS matrices and subquadratic TMVP formulae. Section 3 begins by laying out the applications of HMVP to Hadamard matrices, and introduces the searching process of involutions and non-involutions. Section 4 presents the experiment parameters and searching results of the algorithm; meanwhile we compare our MDS matrices with the previous results to show the efficiency. Finally, Section 5 concludes this paper.

2. Preliminaries

In this section, some basic concepts and subquadratic HMVP formulae will be introduced. The elements of the Hadamard matrix in our work all belong to the finite field $\mathrm{GF}(2^c)$ generated by a degree-c irreducible polynomial $p(x)$, which is denoted as $\mathrm{GF}(2^c)_{p(x)}$. We use hexadecimal form to denote $p(x)$ and the elements in matrices.

Definition 2 (Branch number). For a linear invertible mapping $\theta : [\mathrm{GF}(2^m)]^n \to [\mathrm{GF}(2^m)]^n$, the branch number is

$$B(\theta) = \min_{x \neq 0} \big( w_h(x) + w_h(\theta(x)) \big). \qquad (1)$$

Definition 3 (Best diffusion). The diffusion is denoted as the best diffusion when the branch number

$$B(\theta) = n + 1. \qquad (2)$$

If the mapping $\theta$ is a matrix $M$, then $M$ is called an MDS matrix.

When the input $x$'s Hamming weight is equal to 1, and $w_h(\theta(x)) \le n$, the diffusion matrix's maximum branch number is $n + 1$. Reference [11] gives a property to find MDS matrices: a matrix $M$ is MDS if and only if every square submatrix of $M$ is nonsingular.

2.2. Hadamard Matrix

A Hadamard matrix is a specially structured matrix. Let $H_{k,k} = (h_{i,j})$ be a $k \times k$ Hadamard matrix, where $k = 2^r$, $r = 1, 2, \cdots$, $(h_{i,j})$ is the $(i, j)$-th element and $0 \le i, j \le k - 1$; then $h_{i,j} = h_{i \oplus j}$ holds, where $\oplus$ denotes the bit-wise XOR and $h_0, h_1, \cdots, h_{k-1}$ are the elements in the first row. Hence, the elements in $H_{k,k}$ are determined by its first row, so the Hadamard matrix can also be denoted by $\mathrm{had}(h_0, \cdots, h_{k-1})$. An example of a 4 × 4 Hadamard matrix $\mathrm{had}(h_0, h_1, h_2, h_3)$ is shown as

$$H_{4,4} = \begin{pmatrix} h_0 & h_1 & h_2 & h_3 \\ h_1 & h_0 & h_3 & h_2 \\ h_2 & h_3 & h_0 & h_1 \\ h_3 & h_2 & h_1 & h_0 \end{pmatrix}.$$

Definition 4 (Involutory Matrix [20]). A $k \times k$ square matrix $H$ is called an involutory matrix if $H^2 = I_{k,k}$, where $I_{k,k}$ is the $k \times k$ identity matrix.

The advantage in applying involutory MDS matrices is their free inverse implementation.

2.3. Subquadratic TMVP Formulae

A matrix is denoted as a Toeplitz matrix if the elements on each line parallel to the main diagonal are constant. An example of a 4 × 4 Toeplitz matrix is

$$T = \begin{pmatrix} t_0 & t_1 & t_2 & t_3 \\ t_4 & t_0 & t_1 & t_2 \\ t_5 & t_4 & t_0 & t_1 \\ t_6 & t_5 & t_4 & t_0 \end{pmatrix}.$$
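As an added example (not code from the paper), the following Python checks the two properties defined above for a Hadamard matrix over $\mathrm{GF}(2^4)$: it builds $\mathrm{had}(h_0, \cdots, h_{k-1})$ from its first row via $h_{i,j} = h_{i \oplus j}$, tests the MDS property through the nonsingularity of every square submatrix (the property cited from [11]), and tests Definition 4's $H^2 = I$. It assumes the field $\mathrm{GF}(2^4)$ defined by $p(x) = x^4 + x + 1$, i.e. 0x13 in the paper's hexadecimal form; the sample first row (0x1, 0x4, 0x9, 0xd) used below is a constructed input, not one of the paper's results.

```python
# Added example (not the paper's code); assumes GF(2^4) defined by p(x) = x^4 + x + 1 = 0x13.
from itertools import combinations
C, POLY = 4, 0x13   # field degree c and irreducible polynomial p(x) in hexadecimal form

def gf_mul(a, b):
    # Shift-and-add multiplication modulo p(x); reduce whenever the degree reaches c.
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (POLY if a >> (C - 1) else 0)
        b >>= 1
    return r

def hadamard(first_row):
    # had(h_0, ..., h_{k-1}): entry (i, j) equals h_{i XOR j}.
    k = len(first_row)
    return [[first_row[i ^ j] for j in range(k)] for i in range(k)]

def is_singular(m):
    # Division-free elimination: scaling a row by a nonzero pivot keeps singularity unchanged.
    m, n = [row[:] for row in m], len(m)
    for col in range(n):
        piv = next((r for r in range(col, n) if m[r][col]), None)
        if piv is None:
            return True
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            p, f = m[col][col], m[r][col]
            m[r] = [gf_mul(x, p) ^ gf_mul(y, f) for x, y in zip(m[r], m[col])]
    return False

def is_mds(m):
    # Property cited from [11]: M is MDS iff every square submatrix of M is nonsingular.
    k = len(m)
    return all(not is_singular([[m[r][c] for c in cols] for r in rows])
               for s in range(1, k + 1)
               for rows in combinations(range(k), s)
               for cols in combinations(range(k), s))

def is_involutory(m):
    # Definition 4: H is involutory iff H^2 = I; H^2 is formed entry by entry over GF(2^c).
    k = range(len(m))
    sq = [[0] * len(m) for _ in m]
    for i in k:
        for j in k:
            for t in k:
                sq[i][j] ^= gf_mul(m[i][t], m[t][j])
    return sq == [[int(i == j) for j in k] for i in k]
```

With this field, hadamard([0x1, 0x4, 0x9, 0xd]) (the constructed first row) passes both is_mds and is_involutory, whereas hadamard([1, 1, 1, 1]) fails both because its 2 × 2 submatrices are singular and its square is the zero matrix.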
