
Direct construction of quasi-involutory recursive-like MDS matrices - PowerPoint PPT Presentation



  1. Involutory recursive MDS matrices / Quasi-involutory recursive-like MDS matrices / Implementations
  Direct construction of quasi-involutory recursive-like MDS matrices from 2-cyclic codes
  Cauchois Victor (1), Loidreau Pierre (1), Merkiche Nabil (2, 3)
  (1) DGA-MI / IRMAR, (2) DGA-IP, (3) Sorbonne Université, UPMC, LIP6
  FSE 2017, March 6, 2017
  Cauchois, Loidreau, Merkiche, Involutory recursive diffusion layers, 1 / 22

  2. Motivations
  Definition: MDS matrices are matrices such that any minor is non-singular.
  MDS matrices are widely used in block ciphers and hash functions.
  Lightweight designs ⇒ circulant or recursive matrices.
  Involutory matrices ⇒ both encryption and decryption with the same structure.
  No circulant involutory MDS matrix [GR14].

  3. Agenda
  Recursive involutory MDS matrix?
  We propose a new direct construction of MDS matrices that are recursive-like and quasi-involutory.
  Implementations and results.

  4. Plan
  1 Involutory recursive MDS matrices
  2 Quasi-involutory recursive-like MDS matrices
  3 Implementations

  5. Recursive matrices
  From $g(X) = X^m + \sum_{i=0}^{m-1} g_i X^i \in \mathbb{F}_{2^n}[X]$, we build the matrix:
  $$C_g = \begin{pmatrix} 0 & 1 & 0 & \cdots & 0 \\ \vdots & \ddots & \ddots & \ddots & \vdots \\ 0 & \cdots & 0 & 1 & 0 \\ 0 & \cdots & 0 & 0 & 1 \\ g_0 & g_1 & \cdots & g_{m-2} & g_{m-1} \end{pmatrix}$$
  Definition: $M$ is a recursive matrix $\Leftrightarrow$ $\exists\, g \in \mathbb{F}_{2^n}[X]$ monic of degree $m$ such that $M = C_g^m$.

  6. Companion matrices
  $$C_g = \begin{pmatrix} X \bmod g(X) \\ X^2 \bmod g(X) \\ \vdots \\ X^m \bmod g(X) \end{pmatrix}$$
  (each row is the coefficient vector of the reduced polynomial). Successive powers of companion matrices have a similar description:
  $$C_g^i = \begin{pmatrix} X^i \bmod g(X) \\ X^{i+1} \bmod g(X) \\ \vdots \\ X^{i+m-1} \bmod g(X) \end{pmatrix}, \quad \forall i \in \mathbb{N}$$

  7. Redundancy matrices of cyclic codes
  Let $\mathcal{C}$ be a $[2m, m]_{2^n}$ cyclic code. It has a circulant generator matrix:
  $$G = \begin{pmatrix} g_0 & g_1 & \cdots & g_m & 0 & \cdots & 0 \\ 0 & g_0 & g_1 & \cdots & g_m & \ddots & \vdots \\ \vdots & \ddots & \ddots & \ddots & \ddots & \ddots & 0 \\ 0 & \cdots & 0 & g_0 & g_1 & \cdots & g_m \end{pmatrix}$$
  Assume $g_m = 1$; this code has a systematic generator matrix shaped as:
  $$\tilde G = \left(\begin{array}{c|cccc} X^m \bmod g(X) & 1 & 0 & \cdots & 0 \\ X^{m+1} \bmod g(X) & 0 & 1 & \ddots & \vdots \\ \vdots & \vdots & \ddots & \ddots & 0 \\ X^{2m-1} \bmod g(X) & 0 & \cdots & 0 & 1 \end{array}\right)$$

  8. Involutory recursive MDS matrices?
  A recursive matrix $C_g^m$ is an involutory matrix if $C_g^{2m} = I_m$.
  Construct MDS cyclic codes ⇒ BCH codes.
  No element of even order in $\mathbb{F}_{2^n}$ ⇒ no BCH code yielding an involutory recursive MDS matrix.

  9. Plan
  1 Involutory recursive MDS matrices
  2 Quasi-involutory recursive-like MDS matrices
  3 Implementations

  10. Skewing polynomial rings
  Let $\theta : x \mapsto x^{[1]}$ be the squaring map in $\mathbb{F}_{2^{2m}}$ (iterating, $x^{[i]} = x^{2^i}$).
  Definition: the ring of 2-polynomials, $\mathbb{F}_{2^{2m}}[X, \theta]$, is defined as the set $\{\sum_i a_i X^i,\ a_i \in \mathbb{F}_{2^{2m}}\}$ together with:
  Addition: usual polynomial addition.
  Multiplication: $X \ast a = \theta(a) \ast X = a^{[1]} \ast X$.

  11. Skewing powers of companion matrices
  Let $g\langle X \rangle = X^m + \sum_{i=0}^{m-1} g_i X^i \in \mathbb{F}_{2^{2m}}[X, \theta]$, and let $C_g^{[k]}$ denote $\theta^k$ applied entrywise to $C_g$.
  Theorem:
  $$C_g^{[i-1]} C_g^{[i-2]} \cdots C_g^{[1]} C_g = \begin{pmatrix} X^i \bmod_\ast g\langle X \rangle \\ X^{i+1} \bmod_\ast g\langle X \rangle \\ \vdots \\ X^{i+m-1} \bmod_\ast g\langle X \rangle \end{pmatrix}$$
  Definition: $M$ is a recursive-like matrix $\Leftrightarrow$ $\exists\, g \in \mathbb{F}_{2^{2m}}[X, \theta]$ monic of degree $m$ such that $M = C_g^{[m-1]} C_g^{[m-2]} \cdots C_g^{[1]} C_g$.

  12. Redundancy matrices of 2-cyclic codes
  Let $\mathcal{C}$ be a $[2m, m]_{2^{2m}}$ 2-cyclic code. It has a circulant generator matrix:
  $$G = \begin{pmatrix} g_0 & g_1 & \cdots & g_m & 0 & \cdots & 0 \\ 0 & g_0^{[1]} & g_1^{[1]} & \cdots & g_m^{[1]} & \ddots & \vdots \\ \vdots & \ddots & \ddots & \ddots & \ddots & \ddots & 0 \\ 0 & \cdots & 0 & g_0^{[m-1]} & g_1^{[m-1]} & \cdots & g_m^{[m-1]} \end{pmatrix}$$
  Assume $g_m = 1$; this code has a systematic generator matrix shaped as:
  $$\tilde G = \left(\begin{array}{c|cccc} X^m \bmod_\ast g\langle X \rangle & 1 & 0 & \cdots & 0 \\ X^{m+1} \bmod_\ast g\langle X \rangle & 0 & 1 & \ddots & \vdots \\ \vdots & \vdots & \ddots & \ddots & 0 \\ X^{2m-1} \bmod_\ast g\langle X \rangle & 0 & \cdots & 0 & 1 \end{array}\right)$$

  13. Quasi-involutory recursive-like MDS matrices
  A recursive-like matrix is a quasi-involutory matrix if
  $$C_g^{[2m-1]} C_g^{[2m-2]} \cdots C_g^{[1]} C_g = I_m,$$
  that is,
  $$\left(C_g^{[m-1]} C_g^{[m-2]} \cdots C_g^{[1]} C_g\right)^{[m]} \left(C_g^{[m-1]} C_g^{[m-2]} \cdots C_g^{[1]} C_g\right) = I_m.$$
  $g$ yields a quasi-involutory recursive-like matrix if $X^{2m} - 1 \bmod_\ast g\langle X \rangle = 0$.
  There exist $[2m, m]_{2^{2m}}$ 2-cyclic MDS codes whose redundancy matrix (the left block of a systematic generator matrix) is quasi-involutory.

  14. 2-cyclic Gabidulin codes
  Let $\lambda$ be a normal element in $\mathbb{F}_{2^{2m}}$. The following matrix is the parity-check matrix of a Maximum Rank Distance (thus MDS) 2-cyclic code $\mathcal{C}$:
  $$H_\lambda = \begin{pmatrix} \lambda^{[0]} & \lambda^{[1]} & \cdots & \lambda^{[2m-1]} \\ \lambda^{[1]} & \lambda^{[2]} & \cdots & \lambda^{[0]} \\ \vdots & \vdots & & \vdots \\ \lambda^{[m-1]} & \lambda^{[m]} & \cdots & \lambda^{[m-2]} \end{pmatrix}$$
  All roots of $g$, the unique monic polynomial generating $\mathcal{C}$, are roots of $X^{2m} - 1$ ⇒ $X^{2m} - 1 \bmod_\ast g\langle X \rangle = 0$. Thus $g$ yields a quasi-involutory recursive-like matrix.

  15. Direct construction
  1 Choose a normal element $\lambda \in \mathbb{F}_{2^{2m}}$.
  2 Define
  $$H_{\lambda,1} = \begin{pmatrix} \lambda^{[0]} & \cdots & \lambda^{[m-1]} \\ \vdots & \ddots & \vdots \\ \lambda^{[m-1]} & \cdots & \lambda^{[2m-2]} \end{pmatrix} \quad \text{and} \quad H_{\lambda,2} = \begin{pmatrix} \lambda^{[m]} & \cdots & \lambda^{[2m-1]} \\ \vdots & \ddots & \vdots \\ \lambda^{[2m-1]} & \cdots & \lambda^{[m-2]} \end{pmatrix}$$
  and compute $H_\lambda = (H_{\lambda,1} \mid H_{\lambda,2})$.
  3 Compute $M = H_{\lambda,2} H_{\lambda,1}^{-1}$. The inverse matrix is $N = M^{[m]}$.
  4 Compute $C_g$ from the first line of $M$.
  5 $M$ is then a quasi-involutory recursive-like MDS matrix, recursively generated by $C_g$.
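  Added note (not on the original slides): why step 3 gives the inverse for free. Since $\lambda \in \mathbb{F}_{2^{2m}}$, $\lambda^{[2m]} = \lambda$, so applying $\theta^m$ entrywise swaps the two halves of $H_\lambda$:
  $$H_{\lambda,1}^{[m]} = \big(\lambda^{[i+j+m]}\big)_{0 \le i,j < m} = H_{\lambda,2}, \qquad H_{\lambda,2}^{[m]} = \big(\lambda^{[i+j+2m]}\big)_{0 \le i,j < m} = H_{\lambda,1}.$$
  As $\theta^m$ is a field automorphism, applying it entrywise commutes with matrix products and inverses, hence
  $$M^{[m]} = \big(H_{\lambda,2} H_{\lambda,1}^{-1}\big)^{[m]} = H_{\lambda,2}^{[m]} \big(H_{\lambda,1}^{[m]}\big)^{-1} = H_{\lambda,1} H_{\lambda,2}^{-1} = M^{-1},$$
  which is the quasi-involution $M^{[m]} M = I_m$ of slide 13. Here $H_{\lambda,1}$ is invertible because it is the Moore matrix of $\lambda^{[0]}, \dots, \lambda^{[m-1]}$, which are $\mathbb{F}_2$-linearly independent when $\lambda$ is normal; $H_{\lambda,2} = H_{\lambda,1}^{[m]}$ is then invertible as well.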

  16. An example with small parameters, $m = 4$
  Let $\beta$ be a root of the irreducible polynomial $x^8 + x^4 + x^3 + x^2 + 1$ (0x11c). $\beta$ is a generator of the multiplicative group of $\mathbb{F}_{2^8}$. We chose to consider the normal element $\lambda = \beta^{21}$. We compute $H_{\beta^{21}}$:
  $$H_{\beta^{21}} = \begin{pmatrix} \beta^{21} & \beta^{42} & \beta^{84} & \beta^{168} & \beta^{81} & \beta^{162} & \beta^{69} & \beta^{138} \\ \beta^{42} & \beta^{84} & \beta^{168} & \beta^{81} & \beta^{162} & \beta^{69} & \beta^{138} & \beta^{21} \\ \beta^{84} & \beta^{168} & \beta^{81} & \beta^{162} & \beta^{69} & \beta^{138} & \beta^{21} & \beta^{42} \\ \beta^{168} & \beta^{81} & \beta^{162} & \beta^{69} & \beta^{138} & \beta^{21} & \beta^{42} & \beta^{84} \end{pmatrix}$$
  Hence the MDS matrix $M$ is written:
  $$M = \begin{pmatrix} \beta^{199} & \beta^{96} & \beta^{52} & \beta^{123} \\ \beta^{190} & \beta^{218} & \beta^{231} & \beta^{125} \\ \beta^{194} & \beta^{227} & \beta^{224} & \beta^{66} \\ \beta^{76} & \beta^{54} & \beta^{217} & \beta^{28} \end{pmatrix}$$

  17. An example with small parameters, $m = 4$ (continued)
  Its inverse matrix is $N = M^{[4]}$ and is written:
  $$N = \begin{pmatrix} \beta^{124} & \beta^{6} & \beta^{67} & \beta^{183} \\ \beta^{235} & \beta^{173} & \beta^{126} & \beta^{215} \\ \beta^{44} & \beta^{62} & \beta^{14} & \beta^{36} \\ \beta^{196} & \beta^{99} & \beta^{157} & \beta^{193} \end{pmatrix}$$
  The companion matrix which recursively generates $M$ is associated with $g\langle X \rangle = \beta^{199} + \beta^{96} X + \beta^{52} X^2 + \beta^{123} X^3 + X^4$ and is written:
  $$C_g = \begin{pmatrix} 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \\ \beta^{199} & \beta^{96} & \beta^{52} & \beta^{123} \end{pmatrix}$$
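  Added example (Python; this is editorial code, not the authors' implementation): slide 15's direct construction carried out in $\mathbb{F}_{2^8}$ with the parameters of slides 16 and 17 ($\beta$ a root of $x^8 + x^4 + x^3 + x^2 + 1$, $\lambda = \beta^{21}$), followed by checks of the claims of slides 11 and 13: the product $C_g^{[3]} C_g^{[2]} C_g^{[1]} C_g$ built from the first row of $M$ reproduces $M$, $N = M^{[4]}$ is its inverse, and every minor of $M$ is non-singular. Assumptions made here: field elements are integers whose bits are polynomial coefficients with $\beta = x$; $C^{[k]}$ means $\theta^k$ applied entrywise; $\bmod_\ast$ is the remainder of right division by $g$, so the rows of $M$ are $X^{m+j} \bmod_\ast g$; all function names (gf_mul, direct_construction, recursive_like, is_mds, ...) are this example's own. The script prints the first row of $M$ as exponents of $\beta$ so it can be compared with the slide's $\beta^{199}, \beta^{96}, \beta^{52}, \beta^{123}$.

```python
from functools import reduce
from itertools import combinations
from operator import xor

POLY = (1 << 8) | (1 << 4) | (1 << 3) | (1 << 2) | 1  # x^8+x^4+x^3+x^2+1 (slide 16)
BETA = 0x02  # beta = x, a generator of the multiplicative group of F_{2^8}

def gf_mul(a, b):  # multiply in F_{2^8}: shift-and-reduce modulo POLY
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = (a << 1) ^ (POLY if a & 0x80 else 0), b >> 1
    return r

def gf_pow(a, e):
    r = 1
    while e:
        r, a, e = (gf_mul(r, a) if e & 1 else r), gf_mul(a, a), e >> 1
    return r

def frob(a, i=1):  # a^[i] = a^(2^i): theta (squaring) applied i times
    for _ in range(i):
        a = gf_mul(a, a)
    return a

def beta_log(a):  # exponent e with beta^e = a (a != 0), to compare with the slides
    x, e = 1, 0
    while x != a and e < 255:
        x, e = gf_mul(x, BETA), e + 1
    return e

def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]

def mat_frob(A, i):  # A^[i]: theta^i applied entrywise (assumed meaning of C_g^[i])
    return [[frob(x, i) for x in row] for row in A]

def mat_mul(A, B):
    return [[reduce(xor, (gf_mul(a, b) for a, b in zip(row, col)), 0) for col in zip(*B)]
            for row in A]

def mat_inv(A):  # Gauss-Jordan over F_{2^8}; returns None when A is singular
    n = len(A)
    M = [list(row) + [int(i == j) for j in range(n)] for i, row in enumerate(A)]
    for c in range(n):
        piv = next((r for r in range(c, n) if M[r][c]), None)
        if piv is None:
            return None
        M[c], M[piv] = M[piv], M[c]
        inv = gf_pow(M[c][c], 254)  # a^255 = 1, so a^254 = a^-1
        M[c] = [gf_mul(inv, x) for x in M[c]]
        for r in range(n):
            if r != c and M[r][c]:
                f = M[r][c]
                M[r] = [x ^ gf_mul(f, y) for x, y in zip(M[r], M[c])]
    return [row[n:] for row in M]

def is_normal(lam, n=8):  # slide 15 step 1: lam^[0], ..., lam^[n-1] independent over F_2
    pivots = {}  # leading bit -> reduced vector (Gaussian elimination over F_2)
    for v in (frob(lam, i) for i in range(n)):
        while v and (v.bit_length() - 1) in pivots:
            v ^= pivots[v.bit_length() - 1]
        if not v:
            return False
        pivots[v.bit_length() - 1] = v
    return True

def direct_construction(lam, m=4):  # slide 15 steps 2-3
    H1 = [[frob(lam, i + j) for j in range(m)] for i in range(m)]      # H_{lam,1}
    H2 = [[frob(lam, i + j + m) for j in range(m)] for i in range(m)]  # H_{lam,2}
    H1_inv = mat_inv(H1)
    if H1_inv is None:
        raise ValueError("H1 is singular, so lambda is not normal")
    M = mat_mul(H2, H1_inv)   # M = H2 * H1^{-1}
    return M, mat_frob(M, m)  # N = M^[m]

def companion(g):  # C_g of slide 5 for monic g<X> = X^m + sum g_i X^i, g = [g_0..g_{m-1}]
    m = len(g)
    return [[int(j == i + 1) for j in range(m)] for i in range(m - 1)] + [list(g)]

def recursive_like(C, m):  # C^[m-1] ... C^[1] C of slide 11
    P = C
    for i in range(1, m):
        P = mat_mul(mat_frob(C, i), P)
    return P

def is_mds(A):  # slide 2: every square minor is non-singular
    n = len(A)
    return all(mat_inv([[A[r][c] for c in cols] for r in rows]) is not None
               for k in range(1, n + 1) for rows in combinations(range(n), k)
               for cols in combinations(range(n), k))

if __name__ == "__main__":
    lam = gf_pow(BETA, 21)  # slide 16's choice of normal element
    M, N = direct_construction(lam)
    print("normal:", is_normal(lam), "N*M=I:", mat_mul(N, M) == identity(4),
          "recursive-like:", recursive_like(companion(M[0]), 4) == M, "MDS:", is_mds(M))
    print("first row of M as powers of beta:", [beta_log(x) for x in M[0]])
```

  The quasi-involution check costs nothing extra at run time: decryption reuses the same recursive structure with the last row of $C_g$ replaced by its $\theta^m$ image, which is the point of the construction for hardware designs. The normality test is a plain rank computation over $\mathbb{F}_2$; in $\mathbb{F}_{2^8}$ it succeeds for half of the elements, so a search for a suitable $\lambda$ terminates quickly.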

  18. Plan
  1 Involutory recursive MDS matrices
  2 Quasi-involutory recursive-like MDS matrices
  3 Implementations
