Analysis of Toeplitz MDS Matrices

Abstract

This work considers the problem of constructing efficient MDS matrices over the field \(\mathbb {F}_{2^m}\). Efficiency is measured by the metric XOR count which was introduced by Khoo et al. in CHES 2014. Recently Sarkar and Syed (ToSC Vol. 1, 2016) have shown the existence of \(4\times 4\) Toeplitz MDS matrices with optimal XOR counts. In this paper, we present some characterizations of Toeplitz matrices in light of MDS property. Our study leads to improving the known bounds of XOR counts of \(8\times 8\) MDS matrices by obtaining Toeplitz MDS matrices with lower XOR counts over \(\mathbb {F}_{2^4}\) and \(\mathbb {F}_{2^8}\).

Appendices

A   Proofs and Example

Proof of Lemma 1

Proof

Consider the following \(d\times d\) submatrix A.

$$\begin{aligned} A = \begin{bmatrix} m_{i_0,j_0}&m_{i_0,j_1}&\ldots&m_{i_0, j_{d-1}}\\ m_{i_1,j_0}&m_{i_1,j_1}&\ldots&m_{i_1, j_{d-1}}\\ \vdots&\vdots&\vdots&\vdots \\ m_{i_{d-1},j_0}&m_{i_{d-1},j_1}&\ldots&m_{i_{d-1}, j_{d-1}} \end{bmatrix}. \end{aligned}$$

Applying (4), we get the form of this matrix as

$$\begin{aligned} A = \begin{bmatrix} a_{j_0-i_0}&a_{j_1-i_0}&\ldots&a_{j_{d-1}-i_0}\\ a_{j_0-i_1}&a_{j_1-i_1}&\ldots&a_{j_{d-1}-i_1}\\ \vdots&\vdots&\vdots&\vdots \\ a_{j_0-i_{d-1}}&a_{j_1-i_{d-1}}&\ldots&a_{j_{d-1}-i_{d-1}} \end{bmatrix}. \end{aligned}$$

(20)

If \(j_0-i_0 \ge 0\), then A is equal to the following submatrix whose first row belongs to the first row of the main matrix T:

$$\begin{aligned} T_{sub} = \begin{bmatrix} m_{0,j_0-i_0}&m_{0,j_1-i_0}&\ldots&m_{0,j_{d-1}-i_0} \\ m_{i_1-i_0,j_0-i_0}&m_{i_1-i_0,j_1-i_0}&\ldots&m_{i_1-i_0,j_{d-1}-i_0} \\ \vdots&\vdots&\vdots&\vdots \\ m_{i_{d-1}-i_0,j_0-i_0}&m_{i_{d-1}-i_0,j_1-i_0}&\ldots&m_{i_{d-1}-i_0,j_{d-1}-i_0} \end{bmatrix}. \end{aligned}$$

On the other hand, if \(j_0-i_0 < 0\), then (20) is equal to the following matrix whose first column belongs to the first column of the main matrix T:

$$\begin{aligned} T_{sub} = \begin{bmatrix} m_{i_0-j_0,0}&m_{i_0-j_0,j_1-j_0}&\ldots&m_{i_0-j_0,j_{d-1}-j_0} \\ m_{i_1-j_0,0}&m_{i_1-j_0,j_1-j_0}&\ldots&m_{i_1-j_0,j_{d-1}-j_0} \\ \vdots&\vdots&\vdots&\vdots \\ m_{i_{d-1}-j_0,0}&m_{i_{d-1}-j_0,j_1-j_0}&\ldots&m_{i_{d-1}-j_0,j_{d-1}-j_0} \end{bmatrix}. \end{aligned}$$

   \(\square \)

Proof of Lemma 2

Proof

As \(i + j \le n-1\), in the \((i+j)\)-th row (row and column number starts from 0), \(a_{-j}\) appears in the i-th column, i.e., both \(a_i\) and \(a_{-j}\) are in the same column. Again in the \((i+j)\)-th row, \(a_{-i}\) appears in the j-th column, i.e., \(a_{-i}\) and \(a_{j}\) are in the same column. Therefore, the \(2 \times 2\) submatrix of T formed by the \(0, (i+j)\)-th row and i, j-th column is \(\left[ \begin{array}{cc} a_i &{} a_j\\ a_{-j} &{} a_{-i} \end{array}\right] \). The determinant of this is \(a_i a_{-i} + a_j a_{-j} = 0\) by hypothesis.    \(\square \)

Proof of Lemma 3

Proof

It is easy to check that given an MDS matrix \(M = [m_{i,j}]_{n\times n}\) and \(\beta \in \mathbb {F}_{2^m}^*\) the matrix \(\beta M = [\beta \, m_{i,j}]_{n\times n}\) is also MDS. From [8] it is known that in a \(8 \times 8\) MDS matrix, 1 can occur at most 24 times. So if there is an element \(\beta \) in an \(8 \times 8\) MDS matrix V that occurs more than 24 times, then \(\beta ^{-1} V\) contains 1 more than 24 times, a contradiction.    \(\square \)

Example 2

Suppose \(\alpha \) is a primitive root of \(X^4+X+1 = 0\) that generates \(GF(2^4)\). Consider

$$\begin{aligned} x_0 = 1,&\quad y_0 = \alpha + 1, \\ x_1 = \alpha ,&\quad y_1 = x_0+y_0+x_1, \\ x_2 = x_0,&\quad y_2 = y_0. \end{aligned}$$

Then the following is a Cauchy-Toeplitz matrix

$$\begin{bmatrix} a^{3} + 1&1&a^{3} + 1 \\ 1&a^{3} + 1&1 \\ a^{3} + 1&1&a^{3} + 1 \end{bmatrix}.$$

B    Figures and Tables

Table 2. Number of submatrices of general matrices, and number of general and Toeplitz submatrices of Toeplitz matrices.

Fig. 1.

If the value of \(a_i\) occurs more than 24 times then the whole subtree rooted at \(a_i\) is pruned.

Fig. 2.

If the value of \(a_i\) satisfies (17), all the subtrees rooted at this \(a_i\) and its subsequent siblings are pruned.