Exhaustive Search for Various Types of MDS Matrices


Bibliographic Details
Main Authors: Abhishek Kesarwani, Santanu Sarkar, Ayineedi Venkateswarlu
Format: Article
Language: English
Published: Ruhr-Universität Bochum, 2019-09-01
Series: IACR Transactions on Symmetric Cryptology
Online Access: https://tosc.iacr.org/index.php/ToSC/article/view/8364
Author affiliations: Abhishek Kesarwani, Department of Mathematics, Indian Institute of Technology Madras, Chennai - 600036, India; Santanu Sarkar, Department of Mathematics, Indian Institute of Technology Madras, Chennai - 600036, India; Ayineedi Venkateswarlu, Computer Science Unit, Indian Statistical Institute, Chennai Centre, Chennai - 600029, India
DOI: 10.13154/tosc.v2019.i3.231-256
ISSN: 2519-173X
Abstract: MDS matrices are used in the design of diffusion layers in many block ciphers and hash functions due to their optimal branch number. But MDS matrices, in general, have costly implementations. So in search for efficiently implementable MDS matrices, there have been many proposals. In particular, circulant, Hadamard, and recursive MDS matrices from companion matrices have been widely studied. In a recent work, recursive MDS matrices from sparse DSI matrices are studied, which are of interest due to their low fixed cost in hardware implementation. In this paper, we present results on the exhaustive search for (recursive) MDS matrices over GL(4, F_2). Specifically, circulant MDS matrices of order 4, 5, 6, 7, 8; Hadamard MDS matrices of order 4, 8; recursive MDS matrices from companion matrices of order 4; recursive MDS matrices from sparse DSI matrices of order 4, 5, 6, 7, 8 are considered. It is to be noted that the exhaustive search is impractical with a naive approach. We first use some linear algebra tools to restrict the search to a smaller domain and then apply some space-time trade-off techniques to get the solutions. From the set of solutions in the restricted domain, one can easily generate all the solutions in the full domain. From the experimental results, we can see the (non) existence of (involutory) MDS matrices for the choices mentioned above. In particular, over GL(4, F_2), we provide companion matrices of order 4 that yield involutory MDS matrices, circulant MDS matrices of order 8, and establish the nonexistence of involutory circulant MDS matrices of order 6, 8, circulant MDS matrices of order 7, sparse DSI matrices of order 4 that yield involutory MDS matrices, and sparse DSI matrices of order 5, 6, 7, 8 that yield MDS matrices. To the best of our knowledge, these results were not known before. For the choices mentioned above, if such MDS matrices exist, we provide base sets of MDS matrices, from which all the MDS matrices with the least cost (with respect to d-XOR and s-XOR counts) can be obtained. We also take this opportunity to present some results on the search for sparse DSI matrices over finite fields that yield MDS matrices. We establish that there is no sparse DSI matrix S of order 8 over F_{2^8} such that S^8 is MDS.
Subjects: Diffusion Layer; MDS Matrix; Circulant Matrix; Hadamard Matrix; Recursive MDS Matrix; Companion Matrix