We expect Fugue implementations to benefit from many of the current trends in computer architectures. Specifically, below we comment briefly on the inherent parallelizability of Fugue and on the potential for significant speedup using the multimedia extensions of common architectures.
Parallelism. Just like the AES round function, the Fugue SMIX operation consists of sixteen nearly independent threads. Namely, each of the sixteen bytes that are involved can be used independently to compute a 16-byte vector (with up to seven non-zero bytes), and the result of the SMIX transformation is just the xor of all these sixteen vectors. A multi-threaded architecture can take advantage of this inherent parallelism by assigning different input bytes to different threads.
Advanced byte manipulation. Fugue implementations will also benefit from architectures such as AltiVec or SSE that allow parallel lookups and byte permutations in vectors. Using these tools was reported to allow an order of magnitude improvement in the software performance of the AES-based Whirlpool [7], and the performance gains for Fugue should be similar. In fact, Fugue stands to benefit even more from byte-permutation instructions than AES, since the SMIX
Part III
Security Analysis
7 The Super-Mix Matrix and Related Linear Codes
The 16×16 matrix N representing the Super-Mix linear transformation is associated with some linear codes that will be useful in the analysis of Fugue. Specifically, viewing (some of) the rows of N as parity-check equations leads to linear codes that are either MDS or close to it. Recall that a linear code of dimension k and length n (i.e., an [n, k]-code) has a minimum distance of at most n−k+1, and a linear code whose minimum distance attains this bound is called maximum distance separable, or an MDS code. Below we provide some background on linear codes and then discuss the codes that are associated with the Super-Mix matrix N.
7.1 Linear Codes
An [n, k] linear code over a field F is given by n−k linearly independent parity-check equations over F in n variables. Representing these equations by an (n−k)×n parity-check matrix H, the corresponding code C consists of all the column vectors c of length n such that H·c = 0. Since the rank of H is at most n−k, there must exist a non-zero column vector c of weight n−k+1 (or less) such that H·c = 0. Hence the minimum distance of C is at most n−k+1. (We remind the reader that the weight of a vector is the number of non-zero entries in it, and for linear codes the minimum distance of a code is the same as the minimum weight of its non-zero codewords.) Moreover, if H has any (n−k)×(n−k) sub-matrix of less than full rank, then there is a non-zero vector c of weight at most n−k such that H·c = 0. It follows that the minimum distance of C is n−k+1 if and only if every (n−k)×(n−k) sub-matrix of H is of full rank. As we mentioned above, such codes are called MDS.
Below we will also be interested in codes that are not MDS but almost-MDS, i.e., where the minimum distance is close to n−k+1. Recalling that the minimum distance of C equals the size of the smallest non-empty set of columns of H that are NOT linearly independent motivates the following definitions:
Definition 7.1 Fix an [n, k] linear code C with a parity-check matrix H, and an integer m ≤ n−k. The min-rank_m of C is the minimum rank among all (n−k)×m sub-matrices of H. We further define maxmin-rank(C) as the largest m for which min-rank_m = m.
Observing that min-rank_m = m if and only if every size-m subset of columns of H is linearly independent, we have the following lemma:
Below we will sometimes find it useful to consider also min-rank_m for integers m larger than the minimum distance of C. Specifically, we use it to bound the number of codewords in C with certain specified indexes fixed to zero.
Lemma 7.3 Let C be an [n, k]-code, let I be some fixed subset of the indexes 1 through n, and denote m = n − |I|. Then the dimension of the linear subspace L = {c ∈ C : c_i = 0 for all i ∈ I} is at most m − min-rank_m(C).
Proof: Below we denote by c_I the vector c restricted to the indexes in I, and by c_Ī the vector c excluding all the indexes in I. Consider now H, the (n−k)×n parity-check matrix of C. We denote by H_I the sub-matrix of H consisting only of the columns corresponding to indexes in I, and by H_Ī we denote the sub-matrix obtained by excluding all these columns.

Clearly for every vector c we have H·c = H_I·c_I + H_Ī·c_Ī, which means that when c_I = 0 then H·c = H_Ī·c_Ī. Hence we can re-write our linear subspace as L = {c : c_I = 0 and H_Ī·c_Ī = 0}. Moreover, since the entries corresponding to I must be fixed to zero, this space has the same dimension as its projection on Ī, namely

dim(L) = dim{ c_Ī : H_Ī·c_Ī = 0 }.

Now, H_Ī is an (n−k)×m sub-matrix of H, so it has rank at least min-rank_m(C), which means that its null space has dimension at most m − min-rank_m(C).
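To make Definition 7.1 and Lemma 7.3 concrete, the following Python script computes min-rank_m, maxmin-rank(C) and the minimum distance of a code directly from its parity-check matrix by brute force over column subsets, and checks the bound of Lemma 7.3 against the exact dimension of L for every index set I of a given size. It is an added example, not code from the Fugue submission: it works over GF(2) on two constructed parity-check matrices (the [7,4] Hamming code and the [4,3] single-parity code) rather than on the Super-Mix matrix N, which this section does not list and which lives over GF(2^8). It also goes one step beyond the text by reading the minimum distance off the definition, using the observation above that min-rank_m = m exactly when every m columns are independent: the smallest dependent set of columns has size maxmin-rank(C) + 1.

```python
from itertools import combinations
from typing import Iterable, List, Sequence

Matrix = List[List[int]]


def gf2_rank(rows: Sequence[Sequence[int]]) -> int:
    """Rank of a 0/1 matrix over GF(2) by Gaussian elimination (handles zero-column input)."""
    m = [list(r) for r in rows]
    ncols = len(m[0]) if m else 0
    rank = 0
    for col in range(ncols):
        pivot = next((r for r in range(rank, len(m)) if m[r][col]), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        for r in range(len(m)):
            if r != rank and m[r][col]:
                m[r] = [a ^ b for a, b in zip(m[r], m[rank])]
        rank += 1
    return rank


def columns(H: Matrix, idx: Iterable[int]) -> Matrix:
    """The (n-k) x |idx| sub-matrix of H made of the columns listed in idx."""
    idx = list(idx)
    return [[row[j] for j in idx] for row in H]


def min_rank(H: Matrix, m: int) -> int:
    """min-rank_m(C) of Definition 7.1: smallest rank over all (n-k) x m column sub-matrices of H."""
    n = len(H[0])
    return min(gf2_rank(columns(H, idx)) for idx in combinations(range(n), m))


def maxmin_rank(H: Matrix) -> int:
    """Largest m (1 <= m <= n-k) with min-rank_m = m, i.e. every m columns of H are independent."""
    best = 0
    for m in range(1, len(H) + 1):
        if min_rank(H, m) != m:
            break
        best = m
    return best


def min_distance(H: Matrix) -> int:
    """Minimum distance = size of the smallest dependent column set = maxmin-rank(C) + 1."""
    return maxmin_rank(H) + 1


def is_mds(H: Matrix) -> bool:
    """MDS iff the minimum distance reaches n-k+1 (every (n-k) x (n-k) sub-matrix has full rank)."""
    return min_distance(H) == len(H) + 1


def codewords(H: Matrix) -> List[tuple]:
    """All c with H.c = 0 over GF(2), by exhaustive search (fine for the small n used here)."""
    n = len(H[0])
    words = []
    for bits in range(1 << n):
        c = tuple((bits >> (n - 1 - j)) & 1 for j in range(n))
        if all(sum(h & x for h, x in zip(row, c)) % 2 == 0 for row in H):
            words.append(c)
    return words


def fixed_zero_dimension(H: Matrix, I: Iterable[int]) -> int:
    """Exact dim L for L = {c in C : c_i = 0 for all i in I}; |L| = 2^dim, so dim = log2 |L|."""
    I = set(I)
    L = [c for c in codewords(H) if all(c[i] == 0 for i in I)]
    return len(L).bit_length() - 1


def lemma_7_3_bound(H: Matrix, I: Iterable[int]) -> int:
    """Upper bound of Lemma 7.3: m - min-rank_m(C) with m = n - |I|."""
    I = set(I)
    m = len(H[0]) - len(I)
    return m - min_rank(H, m)


def lemma_7_3_holds_for_all(H: Matrix, size: int) -> bool:
    """True iff dim L <= the Lemma 7.3 bound for every index set I of the given size."""
    n = len(H[0])
    return all(fixed_zero_dimension(H, I) <= lemma_7_3_bound(H, I)
               for I in combinations(range(n), size))


# Constructed test inputs (not Fugue's Super-Mix matrix): the [7,4] Hamming code,
# whose columns are the non-zero vectors of GF(2)^3, and the [4,3] single-parity code.
HAMMING_H: Matrix = [
    [1, 0, 1, 0, 1, 0, 1],
    [0, 1, 1, 0, 0, 1, 1],
    [0, 0, 0, 1, 1, 1, 1],
]
PARITY_H: Matrix = [[1, 1, 1, 1]]

if __name__ == "__main__":
    for name, H in (("Hamming [7,4]", HAMMING_H), ("single parity [4,3]", PARITY_H)):
        print(name, "min-rank_m:", [min_rank(H, m) for m in range(1, len(H[0]) + 1)],
              "maxmin-rank:", maxmin_rank(H), "d:", min_distance(H), "MDS:", is_mds(H))
    I = {0, 1}
    print("Lemma 7.3 for I =", I, "dim L =", fixed_zero_dimension(HAMMING_H, I),
          "bound =", lemma_7_3_bound(HAMMING_H, I))
```

The Hamming code comes out with maxmin-rank 2 and minimum distance 3 = n−k, so it is almost-MDS in the sense of this section, while the single-parity code is MDS; over GF(2) only such trivial codes can be MDS, which is one reason Fugue works over GF(2^8). Lemma 7.3 is checked for m both below and above n−k, the second case being the one the text says it will need.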