Questions tagged [mds]

An MDS matrix (Maximum Distance Separable) is a matrix representing a function with certain diffusion properties that have useful applications in cryptography.

Technically, an $m\times n$ matrix $A$ over a finite field $K$ is an MDS matrix if it is the transformation matrix of a linear transformation $f(x)=Ax$ from $K^n$ to $K^m$ such that no two different $(m+n)$-tuples of the form $(x,f(x))$ coincide in $n$ or more components. Equivalently, the set of all $(m+n)$-tuples $(x,f(x))$ is an MDS code, i.e. a linear code that reaches the Singleton bound.

40 questions
12 votes, 2 answers

Is standardizing a modified AES a good idea?

"Recently" the Ukraine standardized a new block cipher Kalyna, which according to the abstract of "A New Encryption Standard of Ukraine: The Kalyna Block Cipher" by Oliynykov et al. (warning: the paper contains a lot of test-vectors) is basically a…
SEJPM
10 votes, 1 answer

How to calculate active s-boxes from branch number?

If MDS in AES has branch number 5 (so 5 active s-boxes in 2 rounds), wouldn't that mean 4 rounds of AES has $5*2=10$ active s-boxes? AES paper says it has 25 ($5^2$?) active s-boxes in 4 rounds. How to calculate minimal active s-boxes from branch…
LightBit
9 votes, 1 answer

How 2 rounds in AES achieve full diffusion?

I have read somewhere that 2 rounds in AES provide full diffusion. So I looked it up to find out what it exactly meant. In The Design of Rijndael page 41, section 3.5 and it states that: Two rounds of Rijndael provide 'full diffusion' in the…
Anton Paragas
8 votes, 2 answers

How to check that AES Matrix is MDS?

I want to understand how can I prove that M matrix in AES is MDS. I know that a matrix is MDS if every determinant of every square submatrix is different from 0. I don't get this. How many submatrices does it have? If I swap rows or columns, does…
Robert NN
7 votes, 1 answer

How was the MDS matrix used in AES chosen?

$$\begin{pmatrix}2&3&1&1\\ 1&2&3&1\\ 1&1&2&3\\ 3&1&1&2\end{pmatrix}$$ In the above MDS matrix used in AES encryption, why are the numbers $2$,$3$ and $1$ chosen? Why not any other number?
spanipelagic
6 votes, 1 answer

How to find the AES branch number?

By definition, branch number Definition: The branch number of a linear transformation $F$ is $$\min_{a\neq0}(W(a) + W(F(a)))$$ Source here (7.3.1) For AES MixColumns $a \in GF(2^8)^4$ since the input is the four bytes in a column of the state.…
Sasha
6 votes, 1 answer

Active S-boxes for AES with 8x8 MDS matrix

One way to enhance the security of AES is by increasing the number of active S-boxes. Larger MDS matrices are used to increase the number of active S-boxes. Using a $4\times4$ MDS matrix results in 25 active S-boxes after 4 rounds. How many S-boxes…
hardyrama
6 votes, 1 answer

Rijndael S-boxes: Where do the $\mu$ and $\nu$ polynomial ring elements come from?

I've asked some other questions before about Rijndael's S-boxes, and step by step I'm coming to an understanding; but those steps often guide me to new questions. I did some lines of code to understand how these S-boxes work implementing $S(z) =…
srgblnch
6 votes, 1 answer

How can I calculate the Rijndael SBox?

I would like to implement the Rijndael subBytes() operation using calculation instead of tables, because I like to play with this on different wordsizes, as an academic exercise, to see what the table would look like. The first part is a…
srgblnch
6 votes, 2 answers

Choice of reduction polynomial in Whirlpool's internal cipher

Whirlpool is an interesting little hash function in the Miyaguchi-Preneel family. In my mind, its most interesting feature is the design of internal cipher W, where the distinction between key and message is dropped, providing a symmetric symmetric…
5 votes, 1 answer

A Lightweight Matrix Suggestion for MixColumns State of AES

We know that the matrix in the MixColumns state of AES is the circulant MDS matrix $C=circ(2,3,1,1)$ which is defined over $GF(2^8)$ with the irreducible polynomial $f=x^{8}+x^{4}+x^{3}+x+1$. Let us show the elements of $GF(2^8)$ with positive…
Amin235
5 votes, 1 answer

What is the branch number of this matrix?

We have the following matrix: $$\begin{pmatrix}0&1&1&1\\ 1&0&1&1\\ 1&1&0&1\\ 1&1&1&0\end{pmatrix}$$ What is the branch number? Is this a MDS matrix?
LightBit
4 votes, 2 answers

How to find the inverse of a 3x3 MDS matrix

I implemented a block cipher similar to AES. But the reason I can't decrypt is that I can't get the inverse MDS matrix. The MDS matrix I used is a 3x3 MDS matrix on $GF(2^8) \implies GF(2^8)$ like AES \begin{bmatrix} 1 & 2 &2 \\ 2 & 2 & 1\\ 2 & 1 &…
user80075
4 votes, 0 answers

How to decide which diffusion scheme is better for a block cipher design

There are several schemes that can be used to achieve the diffusion property in a block cipher. Schemes include MDS code, Bit permutation, Byte/ Nibble permutation, Diffusion Matrix, Diffusion Switching Mechanism. The amount of diffusion offered by…
Radium
4 votes, 1 answer

Is it possible to construct a $3*3$ MDS matrix in $GF(2^4)$?

I'm trying to construct a minimal MDS matrix for a toy cipher. I'm not entirely sure, how the various code parameters are tied to my block size, and how exactly is the binary matrix formed, when you have a generator polynomial. I'm also having a…
Kalapeli