Abstract
In the present paper, we investigate the problem of constructing MDS matrices with as few bit XOR operations as possible. The key contribution of the present paper is constructing MDS matrices with entries in the set of \(m\times m\) non-singular matrices over \(\mathbb {F}_2\) directly, and the linear transformations we used to construct MDS matrices are not assumed pairwise commutative. With this method, it is shown that circulant involutory MDS matrices, which have been proved do not exist over the finite field \(\mathbb {F}_{2^m}\), can be constructed by using non-commutative entries. Some constructions of \(4\times 4\) and \(5\times 5\) circulant involutory MDS matrices are given when \(m=4,8\). To the best of our knowledge, it is the first time that circulant involutory MDS matrices have been constructed. Furthermore, some lower bounds on XORs that required to evaluate one row of circulant and Hadamard MDS matrices of order 4 are given when \(m=4,8\). Some constructions achieving the bound are also given, which have fewer XORs than previous constructions.
You have full access to this open access chapter, Download conference paper PDF
Similar content being viewed by others
Keywords
1 Introduction
Linear diffusion layer is an important component of symmetric cryptography which provides internal dependency for symmetric cryptography algorithms. The performance of a diffusion layer is measured by branch number. Using a diffusion layer with bigger branch number in cryptography provides better resistance to differential and linear attack. As for lightweight cryptography, which is aiming to provide security in a limited resource environment, the cost of implementing an linear diffusion layer is also of importance. With the rapid development of lightweight cryptography, it is of particular interest to investigate the problem of constructing lightweight linear diffusion with bigger branch number.
A linear diffusion layer is a linear transformation over \((\mathbb {F}_2^m)^n\), where m is the bit length of an S-box and n is the number of S-boxes that the linear diffusion layer acts on. Note that every linear transformation can be represented by a matrix, then a linear diffusion layer is often represented by a \(n\times n\) matrix and the entries can be viewed as linear transformations over \(\mathbb {F}_2^m\). The maximum branch number of a \(n\times n\) matrix over \((\mathbb {F}_2^m)^n\) is \(n+1\). A linear diffusion layer with maximum branch number is called a perfect diffusion layers or a Maximal Distance Separable (MDS) matrix. An MDS matrix is a linear multipermutation [22].
A common way to construct MDS matrices is using MDS codes over finite fields. Multiplication with elements in finite fields is a basic operation in the evaluation of a matrix over finite fields. Usually, this operation is heavy in implementation. To improve its implementation efficiency, it is often constructing a matrix with fewer different elements of finite fields and choosing elements of finite fields with lower Hamming weight. Therefore, some matrices can be defined by fewer elements are preferred, such as circulant matrix and Hadamard matrix. The diffusion layer of AES is an typical example of this construction method. It is a \(4\times 4\) circulant MDS matrix over \(\mathbb {F}_{2^8}\).
Another main method to construct lightweight MDS matrices is recursive construction. The main idea is that firstly constructing a linear transformation which is sparse and compact in implementation, and then composing it several times to get an MDS matrix. This method is first used in the design of Photon lightweight hash family [10] and LED lightweight block cipher [9], and then attracted lots of attentions. The method is extended by using linear transformations instead of multiplications of elements in finite fields in [20]. Then the work is improved by using linear transformations with fewer XORs in [23], where some extreme lightweight MDS matrices are given. A method is given to get rid of expensive symbolic computations of the above method for constructing larger recursive MDS matrices in [1]. The method is also further investigated in [12]. The construction of recursive MDS matrices also has a relation with coding theory. It is shown that recursive MDS matrices can be constructed from Gabidulin codes [4], and also can be obtained directly from shortened MDS cyclic codes [2].
However, a recursive MDS matrix may leads to high latency since it has to run several rounds to get outputs. Then how to construct lightweight MDS matrices without using recursive construction is an interesting problem needs further study. Some works revisit the method of constructing MDS matrices over finite fields by choosing elements whose multiplication’s implementation efficiency can be further improved. Recently, it is shown that the choice of the irreducible polynomial used to compute multiplication with elements over finite fields has a great influence of the efficiency [19]. This property is further investigated in [21], where algorithms are designed to search lightweight MDS matrices with few XORs that required to evaluate one row of the corresponding matrix. Several constructions and their comparisons with previous constructions are also given in [21].
Our Contributions. In the present paper, we investigate the problem of constructing MDS matrices with as few bit XOR operations as possible. Note that multiplication with elements of the finite field \(\mathbb {F}_{2^m}\) is only a special type of linear transformations over \(\mathbb {F}_2^m\). Moreover, there exist many other linear transformations over \(\mathbb {F}_2^m\) which can not be represented by multiplication with elements over \(\mathbb {F}_{2^m}\). Therefore, constructing matrices over the space of linear transformations over \(\mathbb {F}_2^m\) may leads to new constructions of lightweight MDS matrices.
In previous constructions, the entries used to construct MDS matrices are pairwise commutative, such as MDS matrices over finite fields, or assumed pairwise commutative, such as recursive MDS matrices with elements being linear transformations [20, 23]. Note that a matrix over a commutative ring is non-singular if and only if its determinant is a unity in the ring, then the assumption is convenient for charactering MDS matrices since the determinants of square sub-matrices can be computed.
However, the restriction of choosing commutative linear transformations may lose MDS matrices with fewer XORs. Then we do not assume the linear transformations over \(\mathbb {F}_2^m\) that used to construct MDS matrices are pairwise commutative in the present paper.
The strategy we used to determine whether a construction is MDS is computing all its square sub-matrices’ rank. Then it is too complex to construct MDS matrices with larger order. In symmetric cryptography algorithms, the most often used S-boxes are 4-bit and 8-bit S-boxes, and it is often use diffusion layers of order 4. Therefore, we focus on constructing \(4\times 4\) MDS matrices with entries in the space of linear transformations over \(\mathbb {F}_2^4\) and \(\mathbb {F}_2^8\) in the present paper.
The first result is that circulant involutory MDS matrices can be constructed with our method. Circulant involutory MDS matrices can be implemented efficiently and the same circuit can be used both in encryption and decryption. However, it has been proved in [13, 16] that there do not exist circulant involutory MDS matrices over the finite field \(\mathbb {F}_{2^m}\). In fact, the proof is only valid when the entries of the matrix are pairwise commute. This property is satisfied by previous construction methods but not our method.
We show that there exist circulant involutory MDS matrices over the space of linear transformations over \(\mathbb {F}_2^m\). Some constructions are also given. To the best of our knowledge, it is the first time that circulant involutory MDS matrices have been constructed. For \(4\times 4\) circulant involutory MDS matrices constructed in the present paper, the fewest sum of XORs of one row’s entries is \(m+1, m=4,8\). Moreover, we also construct \(4\times 4\) orthogonal circulant MDS matrix, which is also proved do not exist over finite fields [13].
Lower bounds on XORs that required to evaluate one row of circulant (noninvolution) MDS matrices, involutory Hadamard MDS matrices and Hadamard (noninvolution) MDS matrices are also investigated. We show that for circulant MDS matrices with the first row’s entries are [I, I, A, B], the fewest sum of XORs of A and B is 3. For involutory Hadamard MDS matrices, the fewest sum (the fewest sum we get) of the XORs of entries in the first row is \(m+2\) for \(m=4\) (\(m=8\)). For Hadamard MDS matrices, the fewest sum of XORs of one row’s entries is 4 for \(m=4\) and the fewest sum we get of XORs of one row’s entries is 5 for \(m=8\). Lower bounds on the entries of “optimal” \(4\times 4\) MDS matrices is also characterized.
Outline of This Paper. The present paper is organized as follows. In Sect. 2, we give some preliminaries. A general bound on XORs that required to evaluate one row of circulant and Hadamard MDS matrices is also given. In Sect. 3, we investigate the construction of lightweight involutory, non-involutory and orthogonal circulant MDS matrices. In Sect. 4, we investigate the construction of lightweight involutory and non-involutory Hadamard MDS matrices. Comparisons with previous constructions are given at the end of the section. In Sect. 5, we investigate the construction of lightweight “optimal” \(4\times 4\) MDS matrices. A short conclusion is given in Sect. 6.
2 Preliminaries and a General Bound
A map \(A: \mathbb {F}_2^m\rightarrow \mathbb {F}_2^m\) is called linear if \(A(x+y)=A(x)+A(y)\) for \(x,y\in \mathbb {F}_2^m\). Fixed a basis of \(\mathbb {F}_2^m\) over \(\mathbb {F}_2\), a linear map over \(\mathbb {F}_2^m\) can be represented by an \(m\times m\) matrix over \(\mathbb {F}_2\), which is also denoted by A. Then \(A(x)=A\cdot x\), where \(x=(x_1,\ldots ,x_m)\in \mathbb {F}_2^m\) is viewed as a column vector throughout this paper. A linear map is a permutation over \(\mathbb {F}_2^m\) if and only if its matrix representation is non-singular. The notation \(GL(m, S)\) denotes the set of all \(m\times m\) non-singular matrices with entries in S.
For \(a,b\in \mathbb {F}_2\), \(a+b\) is called the bit XOR operation. For \(A\in GL(m,\mathbb {F}_2)\), \(\#A\) denotes the number of XOR operations that required to evaluate \(A\cdot x\) directly, where \(x\in \mathbb {F}_2^m\), and we call A has \(\#A\) XOR operations. It is easy to see that \(\#A\) equals the number of XORs in A(x) and hence
where \(\omega (A[i])\) means the number of nonzero entries in the i-th row of A. For \(A\in GL(m,\mathbb {F}_2)\), a simplified representation of A is given by extracting the nonzero positions in each row of A. For example, [2, 3, 4, [1,4]] is the representation of the following matrix.
and it is a matrix with 1 XOR operation.
Every linear diffusion can be represented by a matrix as follows
where \(L_{i,j}\) is an \(m\times m\) matrix over \(\mathbb {F}_2\) for \(1\le i,j\le n\). For \(X=(x_1,\ldots ,x_n)\in (\mathbb {F}_{2}^{m})^{n}\),
where \(L_{i,j}(x_k)=L_{i,j}\cdot x_k\), for \(1\le i,j\le n, 1\le k\le m\). A linear diffusion L defined as above is called involutory if \(L\circ L(X)=X\) for all \(X\in (\mathbb {F}_2^m)^n\), which is equivalent to that \(L^2\) is the identity matrix of order mn.
For \(X=(x_1,\ldots ,x_n)\in (\mathbb {F}_{2}^{m})^{n}\), the bundle weight of X, which is denoted by \(\omega _b(X)\), is defined as the number of nonzero entries of X. This means
The branch number of L is defined as
The upper bound on the branch number of L is \(n+1\), and a matrix achieved the bound is called an MDS matrix.
Square sub-matrices of L of order t means the following matrices
where \(J=[j_1,\ldots ,j_t]\) and \(K=[k_1,\ldots ,k_t]\) are two sequence of length t, and \(1\le j_1<\ldots <j_t\le n\), \(1\le k_1,\ldots ,k_t\le n\). Note that \(L(J,K)\cdot (x_1,\ldots ,x_t)=0\) does not have nonzero solutions if and only if L(J, K) is of full rank. Then the following result holds, which is proved in [5].
Theorem 1
Let \(L=(L_{i,j}), 1\le i,j\le n\), and the entries of L are \(m\times m\) matrices over \(\mathbb {F}_2\). Then L is an MDS matrix if and only if all square sub-matrices of L of order t are of full rank for \(1\le t\le n\).
According to Theorem 1, the computation would be complicated when n is large. Then in the present paper we focus on \(4\times 4\) matrices, which are widely used in cryptography. More precisely, we construct lightweight MDS matrices using circulant matrix and Hadamard matrix. Both of them can be defined by the first row’s entries and hence can be implemented efficiently.
2.1 A General Bound
In this subsection, we give a general bound of XORs on circulant and Hadamard MDS matrices.
A matrix is called circulant if each row is rotated to the right of the preceding row by one entry. Then for a \(4\times 4\) circulant matrix, we means
where \(A,B,C,D\in GL(m,\mathbb {F}_2)\).
A \(2^k\times 2^k\) matrix H is called a Hadamard matrix if it can be represented as
where \(H_1,H_2\) are two \(2^{k-1}\times 2^{k-1}\) Hadamard matrices. Then for a \(4\times 4\) Hadamard matrix, we means
where \(A,B,C,D\in GL(m,\mathbb {F}_2)\).
Remember that our aim is constructing MDS matrices with as few XOR operations as possible. Then we prefer linear transformations with no XORs. However, the following results limits the amounts of such linear transformations used in our constructions.
Lemma 1
Let \(L=\left( \begin{array}{cc} L_1,&{} L_2\\ L_3,&{} L_4 \end{array} \right) ,\) \(L_i\in GL(m,\mathbb {F}_2), 1\le i\le 4\). If \(\mathrm {rank}(L)=2m\), then \(\sum \limits _{i=1}^4\#L_i\ge 1\).
Proof
Assume \(\#L_i=0\), \(1\le i\le 4\). Then for \(1\le i\le 4\), each row and each column of \(L_i\) has exactly one entry equals 1 since \(L_i\) are non-singular. This means every entry of \(\sum \limits _{j=1}^m L_i[j]\) equals to 1. Therefore, every entry of \(\sum \limits _{i=1}^{2m}L[i]\) equals to 0, which means \(\mathrm {rank}(L)< 2m\) and we complete the proof. \(\square \)
Then we have the following result.
Theorem 2
-
1.
Let \(L=Circ(A,B,C,D)\) be a circulant MDS matrix, where \(A,B,C,D\in GL(m,\mathbb {F}_2)\). Then \(\#A+\#B+\#C+\#D\ge 2\).
-
2.
Let \(L=Had(A,B,C,D)\) be a Hadamard MDS matrix, where \(A,B,C,D\in GL(m,\mathbb {F}_2)\). Then \(\#A+\#B+\#C+\#D\ge 3\).
Proof
Let \(L=Circ(A,B,C,D)\) be a circulant MDS matrix. Assume
Then there are at least 3 entries with 0 XORs in the first row. Without loss of generality, we suppose \(\#A=\#B=\#C=0\). Then according to Lemma 1, it holds
This is a contradiction since L is an MDS matrix. The other cases can be proved similarly.
Let \(L=Had(A,B,C,D)\) be a Hadamard MDS matrix. Assume
Then there are at least 2 entries with 0 XORs in the first row. Without loss of generality, we suppose \(\#A=\#C=0\). Then according to Lemma 1, it holds
This is a contradiction since L is an MDS matrix. The other cases can be proved similarly. \(\square \)
The above result means that there are at most two entries with no XORs in one row of a circulant MDS matrix, and there are at most one entry with no XORs in one row of a Hadamard MDS matrix. We suppose \(L[1,1]=I\) in our constructions, where I denotes the identity matrix throughout this paper.
3 Lightweight Circulant MDS Matrices
In this section, we investigate the construction of lightweight circulant involutory, non-involutory and orthogonal MDS matrices respectively.
3.1 Constructing Circulant Involutory MDS Matrices
First, we have the following result.
Lemma 2
Let \(L=Circ(I,A,B,C)\) be a circulant matrix, where \(A,B,C\in GL(m,\mathbb {F}_{2})\). Then L is an involution if and only if the following equalities hold:
Proof
By matrix multiplication, it can be checked that
On the other hand, L is an involution if and only if \(L^2=Circ(I,0,0,0).\) Therefore, L is an involution if and only if
hold simultaneously. \(\square \)
We give a general construction of circulant involutory matrix in the following result. For \(A\in GL(m,\mathbb {F}_2)\), the multiplication order of A is defined as the minimum positive integer d such that \(A^d=I\).
Lemma 3
Suppose \(A,C\in GL(m, \mathbb {F}_2)\) with \(A^2=C^2=I\), and the multiplication order of \(A+C\) equals \(4k-2\) for some integer k with \(k>1\). Let \(B=(A+C)^{2k}\). Then the matrix Circ(I, A, B, C) is an involution.
Proof
Let \(B=(A+C)^{2k}\). Note that
then according to Lemma 2, we only need to prove that A, B, C satisfy the following equalities
First, it is easy to see that
Then we have
Therefore,
Similarly, it can be checked that
Note that \((A+C)^{4k-2}=I\), then we have
According to Lemma 2, we have \(Circ(I,A,(A+C)^{2k},C)\) is an involution. \(\square \)
Remark 1
If \(k=1\), then the multiplication order of \(A+C\) equals 2 and \(B=(A+C)^2=I\). In this case, \(L=Circ(I,A,I,C)\) constructed as above is also a circulant involution. However, it is not an MDS matrix since \(\mathrm {rank}(L([1,3], [1,3]))<2m\). Then we always suppose \(k>1\) since we want to construct circulant involutory MDS matrices.
Using above results, our searching strategy is as follows. Firstly, we get the set S which contains all involutory matrix from the set which we want to search. Then for each pair of \((A,C)\in S\times S\), we compute the multiplication order d of \(A+C\). If \(d \text{ mod } 4=2\), then let \(B=(A+C)^{\frac{d}{2}+1}\), and test whether Circ(I, A, B, C) is MDS by Theorem 1.
When \(m=4\), we search A, C over \(GL(4,\mathbb {F}_2)\). There exist A, C such that Circ(I, A, B, C) is MDS. The fewest sum of XORs of one rows’ entries of an MDS involutory Circ(I, A, B, C) constructed as above is 5. There are 48 pairs of A, C with this property. These 48 matrices are of the type Circ(I, A, B, C) and Circ(I, C, B, A) for 24 different pairs of A, C.
When \(m=8\), we search A, C over all \(8\times 8\) non-singular matrices over \(\mathbb {F}_2\) with less than or equal to 3 bit XOR operations. The fewest sum of XORs of one rows’ entries of an MDS Circ(I, A, B, C) constructed as above is 9. There are 40320 pairs of A, C satisfy this property. For all these pairs of A, C, Circ(I, C, B, A) are also circulant involutory MDS matrices.
Theorem 3
Their exist \(A,B,C\in GL(m,\mathbb {F}_2)\), \(m=4,8\), such that \(Circ(I,A,B,C)\) is an involutory MDS matrix. Furthermore, the following statements hold.
-
1.
When \(m=4\), circulant involutory MDS matrices constructed with the above method satisfy \(\#A+\#B+\#C\ge 5\).
-
2.
When \(m=8\), if \(\#A\le 3\) and \(\#C\le 3\), then circulant involutory MDS matrices constructed with the above method satisfy \(\#A+\#B+\#C\ge 9\).
Example 1
Examples of A, B, C such that Circ(I, A, B, C) are circulant involutory MDS matrices with \(\#A+\#B+\#C=m+1\).Footnote 1
-
(1)
\(m=4\), \(A=[1, 2, [1, 3], [1, 2, 4]]\), \(C=[4, 3, 2, 1]\), \(B=(A+C)^4=[2, [1, 2], [3, 4], 3]\).
-
(2)
\(m=8\), \(A=[1, 2, [1, 3], [1, 2, 4], 6, 5, 8, 7]\), \(C=[5, 8, [2, 6], 7, 1, [3, 8], 4, 2]\), and \(B=(A+C)^{16}=[[7, 8], 1, 7, [3, 8], [2, 4], [1, 4], 6, 5]\).
We further investigate the construction of \(5\times 5\) circulant involutory MDS matrices. In order to simplify our characterization, we investigate \(5\times 5\) circulant matrices of the type Circ(I, A, B, B, A), where \(A,B\in GL(m,\mathbb {F}_2)\). Concerning the property of involutory of Circ(I, A, B, B, C), it is easy to prove the following result.
Lemma 4
Let \(L=Circ(I,A,B,B,A)\) be a circulant matrix, where \(A,B\in GL(m,\mathbb {F}_{2})\). Then L is an involution if and only if \(A^2=AB+BA=B^2\).
We give constructions by exhaustive searching for A, B with the following method. The method is often used hereafter in the paper, and we give a detailed general description here.
The following result is helpful. It can be proved via elementary linear algebra and we omit the proof here.
Lemma 5
Suppose \(A,B,C\in GL(m,\mathbb {F}_2)\) are \(m\times m\) non-singular matrices over \(\mathbb {F}_2\). Then the following statements hold.
-
(1)
\(\left( \begin{array}{cc} I,&{}A\\ B,&{}C\\ \end{array} \right) \) is of full rank if and only if \(\mathrm {rank}(BA+C)=m\).
-
(2)
\(\left( \begin{array}{cc} A,&{}I\\ B,&{}C\\ \end{array} \right) \) is of full rank if and only if \(\mathrm {rank}(CA+B)=m\).
-
(3)
\(\left( \begin{array}{cc} A,&{}B\\ I,&{}C\\ \end{array} \right) \) is of full rank if and only if \(\mathrm {rank}(AC+B)=m\).
-
(4)
\(\left( \begin{array}{cc} A,&{}B\\ C,&{}I\\ \end{array} \right) \) is of full rank if and only if \(\mathrm {rank}(BC+A)=m\).
Let \(L=Circ(I,A,B,B,A)\). According to Theorem 1, if L is MDS, then all its square sub-matrices are of full rank. According to Lemma 5, we have the following fact by investigating all square sub-matrices of order 2. If L is MDS, then the following matrices are non-singular:
Note that \(A^2+I\) is non-singular if and only if \(A+I\) is non-singular. Then the conditions can be simplified as the following matrices are non-singular:
Based on the above observations, we have the following searching strategy. First, note that both A and B should satisfy \(\mathrm {rank}(X+I)=m, X=A,B\). The equalities that both A and B satisfied are called general rules. Then we can select the candidate set of A and B from the set we want to search over by using general rules, which means
The for \(A\in S_{A,B}\), we can get the candidate set of B by using the other conditions that should be satisfied, which means
At last, for \(B\in S_B\), we test whether L is MDS by Theorem 1.
When \(m=4\), we search A, B over \(GL(4,\mathbb {F}_2)\). The fewest XORs of one row’s entries of an involutory MDS Circ(I, A, B, B, A) is 4. There are 24 pairs of A, B such that Circ(I, A, B, B, A) are involutory circulant MDS matrices with \(\#A+\#B=2\). These 24 MDS matrices are of the type \(Circ(I,A,A^{T},A^{T},A)\) and \(Circ(I,A^{T},A,A,A^{T})\) for 12 different A.
When \(m=8\), we search A, B over \(GL(8,\mathbb {F}_2)\) with \(\#A+\#B\le 3\). No involutory MDS matrix returns. Therefore, if Circ(I, A, B, B, A) is an involutory MDS matrix, then \(\#A+\#B\ge 4\).
Then we have the following result.
Theorem 4
Their exist \(A,B\in GL(m,\mathbb {F}_2)\), \(m=4,8\), such that \(Circ(I,A,B,B,A)\) is an \(5\times 5\) involutory MDS matrix. Furthermore, if Circ(I, A, B, B, A) is an involutory MDS matrix, then \(\#A+\#B\ge \frac{m}{2}\).
Similar as the method “Subfield construction"that used in [6, 19, 21], it is easy to construct involutory MDS Circ(I, A, B, B, A) over \(\mathbb {F}_2^8\) with \(\#A+\#B=4\), since we have constructed involutory MDS Circ(I, A, B, B, A) over \(\mathbb {F}_2^4\) with \(\#A+\#B=2\). Let \(X\in GL(4,\mathbb {F}_2)\), \(\#X=1\) and \(Circ(I,X,X^T,X^T,X)\) is an involutory MDS matrix. Then \(Circ(I,A,A^{T},A^{T},A)\) is also an involutory MDS matrix, where \(A\in GL(8,\mathbb {F}_2)\) of the following form
Then we can construct 24 circulant involutory MDS by using the above method and the searching result when \(m=4\).
In order to get more circulant involutory MDS matrices, we searching A over \(GL(8,\mathbb {F}_2)\) with \(\#A=2\). We get 20160 A such that \(Circ(I,A,A^T,A^T,A)\) are involutory MDS matrices and \(\#A+\#A^{T}=4\).
Example 2
Examples of A, B such that Circ(I, A, B, B, A) are circulant involutory MDS matrices with \(\#A+\#B=\frac{m}{2}\).
-
(1)
\(m=4\), \(A=[2, 3, 4, [1, 3]]\), \(B=A^T=[4, 1, [2, 4], 3]\).
-
(2)
\(m=8\), \(X=[2, 3, 4, [1, 3]]\), \(A=\left[ \begin{array}{cc} X,&{} 0\\ 0,&{} X \end{array}\right] =[2, 3, 4, [1, 3], 6, 7, 8, [5, 7]]\), \(B=A^T=[4, 1, [2, 4], 3, 8, 5, [6, 8], 7]\).
-
(3)
\(m=8\), \(A=[[3, 5], 8, 1, 3, 4, 2, 6, [2, 7]]\), \(B=A^T=[3, [6, 8], [1, 4], 5, 1, 7, 8, 2]\).
It is interesting that \(5\times 5\) circulant involutory MDS matrices can be constructed with only 3 different entries. We have tried some other methods to construct circulant involutory MDS matrices with higher order. However, we do not get an circulant involutory MDS matrix with order large than or equal to 6 until present. We leave it as an open problem.
Problem 1
Construct \(n\times n\) circulant involutory MDS matrices over \(GL(m,\mathbb {F}_2)\) or prove that they do not exist, where \(n\ge 6\), \(m=4,8\).
3.2 Constructing Circulant Non-involutory MDS Matrices
In this subsection, we want to construct non-involutory MDS matrices with as few XORs as possible. We consider circulant matrices of the type
since it has the most many entries with no XORs in one row.
The searching strategy is similar as previous subsection. If Circ(I, I, A, B) is MDS, then the following matrices are non-singular:
When \(m=4\), we search A, B over \(GL(4,\mathbb {F}_2)\). The fewest XORs of one row’s entries of an MDS Circ(I, I, A, B) is 3. Their are 48 pair of (A, B) such that Circ(I, I, A, B) are MDS matrices with \(\#A+\#B=3\). These 48 matrices are of the type \(Circ(I,I,A,A^{-2})\) and \(Circ(I,I,A^{-2},A)\) for 24 different A.
When \(m=8\), we search A, B over all \(8\times 8\) non-singular matrices over \(\mathbb {F}_2\) with 1 bit XOR. No MDS matrix returns. This means if Circ(I, I, A, B) is an MDS matrix over \(GL(8,\mathbb {F}_2)\), then either A or B has at least 2 XORs, and hence \(\#A+\#B\ge 3\). Therefore, the following result hold.
Theorem 5
Let \(L=Circ(I,I,A,B)\), where \(A,B\in GL(m,\mathbb {F}_2)\), \(m=4,8\). If L is an MDS matrix, then \(\#A+\#B\ge 3\).
In order to get circulant MDS matrix with the above equality holds when \(m=8\), we let \(B=A^{-2}\) and search A over all \(8\times 8\) non-singular matrices over \(\mathbb {F}_2\) with 1 bit XOR. At last, we get 80640 A such that \(Circ(I,I,A,A^{-2})\) are MDS matrices with \(\#A+\#A^{-2}=3\). Furthermore, \(Circ(I,I,A^{-2},A)\) are also MDS matrices for all these A.
Example 3
Examples of A, B such that Circ(I, I, A, B) and Circ(I, I, B, A) are MDS matrices with \(\#A+\#B=3\).
-
(1)
\(m=4\), \(A=[2, 3, 4, [1, 4]]\), \(B=A^{-2}=[[2, 3], [3, 4], 1, 2]\).
-
(2)
\(m=8\), \(A=[2, 3, 4, 5, 6, 7, 8, [1, 3]],\) \(B=A^{-2}=[[1, 7], [2, 8], 1, 2, 3, 4, 5, 6]\).
3.3 Constructing Circulant Orthogonal MDS Matrices
A square matrix L is called orthogonal if \(L^{-1}=L^T\), where \(L^T\) is the transpose of L. It is proven in [13] there do not exist \(2^d\times 2^d\) circulant orthogonal MDS matrix over finite fields. In this subsection, we show that \(4\times 4\) circulant orthogonal MDS matrices can also be constructed with non-commutative entries.
Firstly, note that for \(L=Circ(I,A,B,C)\), where \(A,B,C\in \mathbb {F}_{2^m}\), it holds \(L^{T}=Circ(I,C^T,B^T,A^T)\). This means one have to implement new entries \(A^{T},B^{T},C^{T}\) in decryption circuit when L is orthogonal. In order to simplify implementation, we let \(A,B,C\in GL(m,\mathbb {F}_2)\) are symmetric matrices, which means \(A=A^{T},B=B^T,C=C^T\). Then it holds
and it is easy to prove the following result.
Lemma 6
Let \(L=Circ(I,A,B,C)\) be a circulant matrix, where \(A,B,C\in GL(m,\mathbb {F}_2)\) are symmetric matrices. Then L is orthogonal if and only if the following equalities hold:
If \(L=Circ(I,A,B,C)\) is MDS, then the following matrices are non-singular:
When \(m=4\), we search symmetric A, B, C over \(GL(4,\mathbb {F}_2)\). The fewest XORs of one row’s entries of an orthogonal MDS Circ(I, A, B, C) is 8. Their are 24 triples of A, B, C such that Circ(I, A, B, C) are orthogonal MDS matrices with \(\#A+\#B+\#C=8\). Then we have the following result.
Theorem 6
There exist symmetric \(A,B,C\in GL(4,\mathbb {F}_2)\) such that \(Circ(I,A,B,C)\) is an orthogonal MDS matrix. Furthermore, if Circ(I, A, B, C) is an orthogonal MDS matrix, then \(\#A+\#B+\#C\ge 8\).
Example 4
Example of A, B, C such that Circ(I, A, B, C) is an orthogonal circulant MDS matrix \(\#A+\#B+\#C = 2m\).
-
(1)
\(m=4\), \(A=[1, 2, 4, [3, 4]]\), \(B=[[1, 4], [2, 3, 4], [2, 3], [1, 2, 4]]\), \(C=[2, [1, 2], 3, 4]\).
-
(2)
\(m=8\), \(A=\left[ \begin{array}{cc} A_1,&{} 0\\ 0,&{} A_1 \end{array}\right] \), \(B=\left[ \begin{array}{cc} B_1,&{} 0\\ 0,&{} B_1 \end{array}\right] \), \(C=\left[ \begin{array}{cc} C_1,&{} 0\\ 0,&{} C_1 \end{array}\right] \), where \(A_1,B_1,C_1\) are the A, B, C in the above item.
4 Lightweight Hadamard MDS Matrices
In this section, we investigate the construction of lightweight Hadamard involutory and non-involutory MDS matrices respectively.
4.1 Constructing Hadamard Involutory MDS Matrices
In the case of a, b, c are elements of finite fields, Had(1, a, b, c) is an involution if and only if \(a^2+b^2=c^2\). In the case of \(A,B,C\in GL(m,\mathbb {F}_2)\), we have the following result.
Lemma 7
Let \(A,B,C\in GL(m,\mathbb {F}_2)\). Then \(L=Had(I,A,B,C)\) is an involution if and only if A, B, C are pairwise commutative and \(A^2+B^2=C^2\).
Proof
By matrix multiplication, it can be checked that
Therefore, L is an involution if and only if \(L^2=Had(I,0,0,0)\), which is equivalent to
hold simultaneously. \(\square \)
When \(m=4\), we search A, B, C over \(GL(4,\mathbb {F}_2)\) as previous. The fewest XORs of one row’s entries of an involutory MDS Had(I, A, B, C) is 6. There are 144 triples of A, B, C such that Had(I, A, B, C) are involutory MDS matrices with \(\#A+\#B+\#C=6\). These 144 matrices are of the type \(Had(I,A_1,A_2,A_3)\), where \((A_1,A_2,A_3)\) is a permutation of \((A,A^{-1},A+A^{-1})\) for 24 different A.
When \(m=8\), we also consider Hadamard matrix of the type
where \(A\in GL(m,\mathbb {F}_2)\). According to the above lemma, L is an involution. We use the method in [20, 23] to characterize whether L is MDS. By computing the determinants of all the square sub-matrices of L and factorizing these polynomials, we get that L is an MDS matrix if and only if all the following matrices are non-singular:
Then we search A over \(GL(8,\mathbb {F}_2)\) with \(\#A\le 3\). The fewest XORs of one row’s entries of an involutory MDS \(Had(I,A,A^{-1},A+A^{-1})\) is 10. We get 80640 A such that \(Had(I,A,A^{-1},A+A^{-1})\) are involutory MDS matrices with \(\#A+\#A^{-1}+\#(A+A^{-1})=10\).
We also have searched some other types of Hadamard matrices. However, we do not get a Hadamard involutory matrix with one row’s XORs less then 10 until present.
Theorem 7
-
1.
Let \(A,B,C\in GL(4,\mathbb {F}_2)\). If \(L=Had(I,A,B,C)\) is an MDS involution matrix, then \(\#A+\#B+\#C\ge 6\).
-
2.
Let \(A\in GL(8,\mathbb {F}_2)\) with \(\#A\le 3\). If \(L=Had(I,A,A^{-1},A+A^{-1})\) is an MDS involution matrix, then \(\#A+\#A^{-1}+\#(A+A^{-1})\ge 10\).
Example 5
Examples of A, B, C such that Had(I, A, B, C) are involutory MDS matrices with \(\#A+\#B+\#C=m+2\).
-
(1)
\(m=4\), \(A=[2, [1, 3], 4, [2, 3]]\), \(B=A^{-1}=[[1, 2, 4], 1, [1, 4], 3]\), \(C=A+A^{-1}=[[1, 4], 3, 1, 2]\).
-
(2)
\(m=8\), \(A=[2, 3, 4, 5, 6, 7, 8, [1, 3]]\), \(B=A^{-1}=[[2, 8], 1, 2, 3, 4, 5, 6, 7]\), \(C=A+A^{-1}=[8, [1, 3], [2, 4], [3, 5], [4, 6], [5, 7], [6, 8], [1, 3, 7]]\).
4.2 Constructing Non-involutory Hadamard MDS Matrices
In this subsection, we want to construct non-involutory Hadamard MDS matrix with as few XORs as possible. The searching strategy is similar as previous. If Had(I, A, B, C) is MDS, then the following matrices are non-singular:
When \(m=4\), we search A, B, C over \(GL(4,\mathbb {F}_2)\). The fewest XORs of one rows’ entries of an MDS Had(I, A, B, C) is 4. There are 72 triples of A, B, C such that Had(I, A, B, C) are MDS matrices with \(\#A+\#B+\#C=4\). These 72 matrices are of the type \(Had(I,A_1,A_2,A_3)\), where \((A_1,A_2,A_3)\) is a permutation of \((A,A^{T},A+A^{T})\) for 12 different A.
When \(m=8\), we search A over \(GL(8,\mathbb {F}_2)\) with \(\#A\le 2\). The fewest XORs of one rows’ entries of an MDS \(Had(I, A, A^{T},A+A^T)\) is 8.
In order to get Hadamard MDS matrices with fewer XORs in one row, we investigate Hadamard matrices of the type \(Had(I,A,A^T,B)\). According to our searching, if \(\#A\le 1\) and \(\#B\le 2\), then there are no MDS \(Had(I,A,A^T,B)\). Then we have the following result.
Theorem 8
-
1.
Let \(A,B,C\in GL(4,\mathbb {F}_2)\). If \(L=Had(I,A,B,C)\) is an MDS matrix, then \(\#A+\#B+\#C\ge 4\).
-
2.
Let \(A,B\in GL(8,\mathbb {F}_2)\). If \(L=Had(I,A,A^{T},B)\) is an MDS matrix, then \(\#A+\#A^T+\#B\ge 5\).
In order to get MDS \(Had(I, A, A^T, B)\) with \(\#A+\#A^{T}+\#B=5\), we choose A with \(\#A=2\) and \(\mathrm {rank}(A+I)=8\) randomly, and then test whether there exist B with \(\#B=1\) such that \(Had(I, A, A^T, B)\) is MDS. We repeat the process several times and get 622 pairs of \(A,B\in GL(8,\mathbb {F}_2)\), such that \(Had(I, A, A^{T}, B)\) is MDS and \(\#A+\#A^T+\#B=5\).
Example 6
Examples of A, B, C such that Had(I, A, B, C) are MDS matrices with the bounds in the above theorem hold.
-
(1)
\(m=4\), \(A=[2, 3, 4, [1, 3]]\), \(B=A^{T}=[4, 1, [2, 4], 3]\), \(C=A+A^{T}=[[2, 4], [1, 3], 2, 1]\).
-
(2)
\(m=8\), \(A=[2, 3, 4, [1, 5], 8, 7, 5, [3, 6]]\), \(B=A^{T}=[4, 1, [2, 8], 3, [4, 7], 8, 6, 5]\), \(C=[[4, 7], 6, 5, 8, 7, 1, 2, 3].\)
We give comparisons of our constructions with previous constructions in Tables 1, 2 and 3 respectively.
The lower bounds on XORs of circulant and Hadamard MDS matrices given in Sects. 3 and 4 are under the supposition \(L[1,1]=I\). Therefore, it is possible to improve the previous lower bounds when \(L[1,1]\ne I\). However, we have the following result with searching, which shows that the lower bounds can not be improved when \(m=4\).
Theorem 9
Let \(A_i\in GL(4,\mathbb {F}_2)\), and \(\mathcal {A}=\sum \limits _{i=1}^4\#A_i\). Then the following statements hold.
-
1.
If \(Circ(A_1,A_2,A_3,A_4)\) is a circulant MDS matrix, then \(\mathcal {A}\ge 3\).
-
2.
If \(Circ(A_1,A_2,A_3,A_4)\) is a circulant involutory MDS matrix, then \(\mathcal {A}\ge 5\).
-
3.
If \(Had(A_1,A_2,A_3,A_4)\) is a Hadamard MDS matrix, then \(\mathcal {A}\ge 4\).
-
4.
If \(Had(A_1,A_2,A_3,A_4)\) is a Hadamard involutory MDS matrix, then \(\mathcal {A}\ge 6\).
5 Lightweight “Optimal” \(4\times 4\) MDS Matrices
It is proven in [17] that the highest possible number of 1 and the lowest possible number of different entries for a \(4\times 4\) MDS matrix over finite fields are 9 and 3 respectively. The matrix with the two properties hold simultaneously are called “optimal" in their presentation slides. The following matrix
is an example of “optimal” matrix which is given in [17]. Similarly as above, we investigate the following special matrix,
where \(A,B\in GL(m,\mathbb {F}_2)\) are \(m\times m\) non-singular matrices over \(\mathbb {F}_2\).
If L is MDS, then the following matrices are non-singular:
When \(m=4\), we search A, B over \(GL(4,\mathbb {F}_2)\), which is the set of all \(4\times 4\) non-singular matrices over \(\mathbb {F}_2\). The fewest XORs of “optimal” MDS matrices is 13. There are 24 pairs of \(A,B\in GL(m,\mathbb {F}_2)\) such that the corresponding constructions are MDS matrices with \(4\#A+3\#B=13\). All these pairs satisfy \(B=A^{-2}\).
When \(m=8\), we search A, B over the set of all \(8\times 8\) non-singular matrices over \(\mathbb {F}_2\) with 1 bit XOR operation. No MDS matrix returns. This means if L is a “optimal” MDS matrix over \(GL(8,\mathbb {F}_2)\), then either A or B has at least 2 XORs, and hence \(\#L\ge 10\).
Then we have the following result.
Theorem 10
Let L be a matrix constructed as above, where \(A,B\in GL(m,\mathbb {F}_2)\), \(m=4,8\). If L is an MDS matrix, then
In order to get “optimal” matrices over \(GL(8,\mathbb {F}_2)\) with 10 XORs, we let \(B=A^{-2}\) and search A over all \(8\times 8\) non-singular matrices over \(\mathbb {F}_2\) with 1 bit XOR operation. We get 40320 \(A\in GL(8,\mathbb {F}_2)\) such that the corresponding constructions are “optimal” MDS matrices with 10 XORs.
It is interesting that “optimal” \(4\times 4\) MDS matrices over \(GL(8,\mathbb {F}_2)\) has fewer XORs than “optimal” \(4\times 4\) MDS matrices over \(GL(4,\mathbb {F}_2)\).
Example 7
Examples of A, B such that L are “optimal” MDS matrices with the bounds in the above result hold.
-
(1)
Let \(A=[[2, 3], 4, 2, 1]\), \(B=A^{-2}=[2, [1, 3], [1, 3, 4], 3]\). Then L constructed as above is an MDS matrix with \(4\#A+3\#B=13\).
-
(2)
Let \(A=[4, 5, 6, 8, 3, [4, 7], 1, 2]\), \(B=A^{-2}=[[1, 6], 4, 2, 7, 8, 5, [3, 7], 1]\). Then L constructed as above is an MDS matrix with \(4\#A+3\#B=10\).
6 Conclusion
In the present paper, we mainly investigate the construction of \(4\times 4\) lightweight MDS matrices with entries in the set of \(m\times m\) non-singular matrices over \(\mathbb {F}_2\). With this method, circulant, Hadamard and involutory Hadamard MDS matrices with fewer XORs than previous constructions are given. Moreover, circulant involutory MDS matrices are also constructed with our method. Constructing lightweight MDS matrices of large order with the method of the present paper is an interesting problem need further study.
Notes
- 1.
More examples of circulant involutory MDS matrices with \(\#A+\#B+\#C=m+1\) are given in the appendix of the extended version of the paper [14].
References
Augot, D., Finiasz, M.: Exhaustive search for small dimension recursive MDS diffusion layers for block ciphers and hash functions. In: Proceedings of 2013 IEEE International Symposium on Information Theory (ISIT), pp. 1551–1555. IEEE (2013)
Augot, D., Finiasz, M.: Direct construction of recursive MDS diffusion layers using shortened BCH codes. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 3–17. Springer, Heidelberg (2015)
Barreto, P., Rijmen, V.: The anubis block cipher. Submission to the NESSIE Project (2000)
Berger, T.P.: Construction of recursive MDS diffusion layers from Gabidulin codes. In: Paul, G., Vaudenay, S. (eds.) INDOCRYPT 2013. LNCS, vol. 8250, pp. 274–285. Springer, Heidelberg (2013)
Blaum, M., Roth, R.M.: On lowest density MDS codes. IEEE Trans. Inf. Theory 45(1), 46–59 (1999)
Choy, J., Yap, H., Khoo, K., Guo, J., Peyrin, T., Poschmann, A., Tan, C.H.: SPN-Hash: improving the provable resistance against differential collision attacks. In: Mitrokotsa, A., Vaudenay, S. (eds.) AFRICACRYPT 2012. LNCS, vol. 7374, pp. 270–286. Springer, Heidelberg (2012)
Cui, T., Jin, C.I., Kong, Z.: On compact Cauchy matrices for substitution permutation networks. IEEE Trans. Comput. 99, 1 (2014). Preprint
Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Springer, Heidelberg (2002)
Guo, J., Peyrin, T., Poschmann, A., Robshaw, M.: The LED block cipher. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 326–341. Springer, Heidelberg (2011)
Guo, J., Peyrin, T., Poschmann, A.: The PHOTON family of lightweight hash functions. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 222–239. Springer, Heidelberg (2011)
Chand Gupta, K., Ghosh Ray, I.: On constructions of involutory MDS matrices. In: Youssef, A., Nitaj, A., Hassanien, A.E. (eds.) AFRICACRYPT 2013. LNCS, vol. 7918, pp. 43–60. Springer, Heidelberg (2013)
Gupta, K.C., Ray, I.G.: On constructions of MDS matrices from companion matrices for lightweight cryptography. In: Cuzzocrea, A., Kittl, C., Simos, D.E., Weippl, E., Xu, L. (eds.) CD-ARES Workshops 2013. LNCS, vol. 8128, pp. 29–43. Springer, Heidelberg (2013)
Gupta, K.C., Ray, I.G.: Cryptographically significant MDS matrices based on circulant and circulant-like matrices for lightweight applications. Crypt. Commun. 7, 257–287 (2015)
Li, Y., Wang, M.: On the construction of lightweight circulant involutory MDS matrices (Extend version). In: FSE 2016. http://eprint.iacr.org/2016/406
Jean, J., Nikolić, I., Peyrin, T.: Joltik v1.1. Submission to the CAESAR competition (2014). http://www1.spms.ntu.edu.sg/~syllab/Joltik
Nakahara Jr., J., Abraho, I.: A new involutory MDS matrix for the AES. Int. J. Netw. Secur. 9(2), 109–116 (2009)
Junod, P., Vaudenay, S.: Perfect diffusion primitives for block ciphers. In: Handschuh, H., Hasan, M.A. (eds.) SAC 2004. LNCS, vol. 3357, pp. 84–99. Springer, Heidelberg (2004)
Kavun, E.B., Lauridsen, M.M., Leander, G., Rechberger, C., Schwabe, P., Yalc, T.: Prøstv1.1. Submission to the CAESAR competition (2014). http://competitions.cr.yp.to/round1/proestv11.pdf
Khoo, K., Peyrin, T., Poschmann, A.Y., Yap, H.: FOAM: searching for hardware-optimal SPN structures and components with a fair comparison. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 433–450. Springer, Heidelberg (2014)
Sajadieh, M., Dakhilalian, M., Mala, H., Sepehrdad, P.: Recursive diffusion layers for block ciphers and hash functions. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 385–401. Springer, Heidelberg (2012)
Sim, S.M., Khoo, K., Oggier, F., Peyrin, T.: Lightweight MDS involution matrices. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 471–493. Springer, Heidelberg (2015)
Vaudenay, S.: On the need for multipermutations: cryptanalysis of MD4 and SAFER. In: Preneel, Bart (ed.) FSE 1994. LNCS, vol. 1008, pp. 286–297. Springer, Heidelberg (1994)
Wu, S., Wang, M., Wu, W.: Recursive diffusion layers for (lightweight) block ciphers and hash functions. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 355–371. Springer, Heidelberg (2013)
Acknowledgements
The authors are very grateful to the anonymous reviewers for their valuable comments. This work was supported by the 973 project under Grant (2013CB834203), by the National Science Foundation of China (No. 61303255, No. 61379142).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 International Association for Cryptologic Research
About this paper
Cite this paper
Li, Y., Wang, M. (2016). On the Construction of Lightweight Circulant Involutory MDS Matrices. In: Peyrin, T. (eds) Fast Software Encryption. FSE 2016. Lecture Notes in Computer Science(), vol 9783. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-52993-5_7
Download citation
DOI: https://doi.org/10.1007/978-3-662-52993-5_7
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-52992-8
Online ISBN: 978-3-662-52993-5
eBook Packages: Computer ScienceComputer Science (R0)