Keywords

1 Introduction

Linear diffusion layer is an important component of symmetric cryptography which provides internal dependency for symmetric cryptography algorithms. The performance of a diffusion layer is measured by branch number. Using a diffusion layer with bigger branch number in cryptography provides better resistance to differential and linear attack. As for lightweight cryptography, which is aiming to provide security in a limited resource environment, the cost of implementing an linear diffusion layer is also of importance. With the rapid development of lightweight cryptography, it is of particular interest to investigate the problem of constructing lightweight linear diffusion with bigger branch number.

A linear diffusion layer is a linear transformation over \((\mathbb {F}_2^m)^n\), where m is the bit length of an S-box and n is the number of S-boxes that the linear diffusion layer acts on. Note that every linear transformation can be represented by a matrix, then a linear diffusion layer is often represented by a \(n\times n\) matrix and the entries can be viewed as linear transformations over \(\mathbb {F}_2^m\). The maximum branch number of a \(n\times n\) matrix over \((\mathbb {F}_2^m)^n\) is \(n+1\). A linear diffusion layer with maximum branch number is called a perfect diffusion layers or a Maximal Distance Separable (MDS) matrix. An MDS matrix is a linear multipermutation [22].

A common way to construct MDS matrices is using MDS codes over finite fields. Multiplication with elements in finite fields is a basic operation in the evaluation of a matrix over finite fields. Usually, this operation is heavy in implementation. To improve its implementation efficiency, it is often constructing a matrix with fewer different elements of finite fields and choosing elements of finite fields with lower Hamming weight. Therefore, some matrices can be defined by fewer elements are preferred, such as circulant matrix and Hadamard matrix. The diffusion layer of AES is an typical example of this construction method. It is a \(4\times 4\) circulant MDS matrix over \(\mathbb {F}_{2^8}\).

Another main method to construct lightweight MDS matrices is recursive construction. The main idea is that firstly constructing a linear transformation which is sparse and compact in implementation, and then composing it several times to get an MDS matrix. This method is first used in the design of Photon lightweight hash family [10] and LED lightweight block cipher [9], and then attracted lots of attentions. The method is extended by using linear transformations instead of multiplications of elements in finite fields in [20]. Then the work is improved by using linear transformations with fewer XORs in [23], where some extreme lightweight MDS matrices are given. A method is given to get rid of expensive symbolic computations of the above method for constructing larger recursive MDS matrices in [1]. The method is also further investigated in [12]. The construction of recursive MDS matrices also has a relation with coding theory. It is shown that recursive MDS matrices can be constructed from Gabidulin codes [4], and also can be obtained directly from shortened MDS cyclic codes [2].

However, a recursive MDS matrix may leads to high latency since it has to run several rounds to get outputs. Then how to construct lightweight MDS matrices without using recursive construction is an interesting problem needs further study. Some works revisit the method of constructing MDS matrices over finite fields by choosing elements whose multiplication’s implementation efficiency can be further improved. Recently, it is shown that the choice of the irreducible polynomial used to compute multiplication with elements over finite fields has a great influence of the efficiency [19]. This property is further investigated in [21], where algorithms are designed to search lightweight MDS matrices with few XORs that required to evaluate one row of the corresponding matrix. Several constructions and their comparisons with previous constructions are also given in [21].

Our Contributions. In the present paper, we investigate the problem of constructing MDS matrices with as few bit XOR operations as possible. Note that multiplication with elements of the finite field \(\mathbb {F}_{2^m}\) is only a special type of linear transformations over \(\mathbb {F}_2^m\). Moreover, there exist many other linear transformations over \(\mathbb {F}_2^m\) which can not be represented by multiplication with elements over \(\mathbb {F}_{2^m}\). Therefore, constructing matrices over the space of linear transformations over \(\mathbb {F}_2^m\) may leads to new constructions of lightweight MDS matrices.

In previous constructions, the entries used to construct MDS matrices are pairwise commutative, such as MDS matrices over finite fields, or assumed pairwise commutative, such as recursive MDS matrices with elements being linear transformations [20, 23]. Note that a matrix over a commutative ring is non-singular if and only if its determinant is a unity in the ring, then the assumption is convenient for charactering MDS matrices since the determinants of square sub-matrices can be computed.

However, the restriction of choosing commutative linear transformations may lose MDS matrices with fewer XORs. Then we do not assume the linear transformations over \(\mathbb {F}_2^m\) that used to construct MDS matrices are pairwise commutative in the present paper.

The strategy we used to determine whether a construction is MDS is computing all its square sub-matrices’ rank. Then it is too complex to construct MDS matrices with larger order. In symmetric cryptography algorithms, the most often used S-boxes are 4-bit and 8-bit S-boxes, and it is often use diffusion layers of order 4. Therefore, we focus on constructing \(4\times 4\) MDS matrices with entries in the space of linear transformations over \(\mathbb {F}_2^4\) and \(\mathbb {F}_2^8\) in the present paper.

The first result is that circulant involutory MDS matrices can be constructed with our method. Circulant involutory MDS matrices can be implemented efficiently and the same circuit can be used both in encryption and decryption. However, it has been proved in [13, 16] that there do not exist circulant involutory MDS matrices over the finite field \(\mathbb {F}_{2^m}\). In fact, the proof is only valid when the entries of the matrix are pairwise commute. This property is satisfied by previous construction methods but not our method.

We show that there exist circulant involutory MDS matrices over the space of linear transformations over \(\mathbb {F}_2^m\). Some constructions are also given. To the best of our knowledge, it is the first time that circulant involutory MDS matrices have been constructed. For \(4\times 4\) circulant involutory MDS matrices constructed in the present paper, the fewest sum of XORs of one row’s entries is \(m+1, m=4,8\). Moreover, we also construct \(4\times 4\) orthogonal circulant MDS matrix, which is also proved do not exist over finite fields [13].

Lower bounds on XORs that required to evaluate one row of circulant (noninvolution) MDS matrices, involutory Hadamard MDS matrices and Hadamard (noninvolution) MDS matrices are also investigated. We show that for circulant MDS matrices with the first row’s entries are [IIAB], the fewest sum of XORs of A and B is 3. For involutory Hadamard MDS matrices, the fewest sum (the fewest sum we get) of the XORs of entries in the first row is \(m+2\) for \(m=4\) (\(m=8\)). For Hadamard MDS matrices, the fewest sum of XORs of one row’s entries is 4 for \(m=4\) and the fewest sum we get of XORs of one row’s entries is 5 for \(m=8\). Lower bounds on the entries of “optimal” \(4\times 4\) MDS matrices is also characterized.

Outline of This Paper. The present paper is organized as follows. In Sect. 2, we give some preliminaries. A general bound on XORs that required to evaluate one row of circulant and Hadamard MDS matrices is also given. In Sect. 3, we investigate the construction of lightweight involutory, non-involutory and orthogonal circulant MDS matrices. In Sect. 4, we investigate the construction of lightweight involutory and non-involutory Hadamard MDS matrices. Comparisons with previous constructions are given at the end of the section. In Sect. 5, we investigate the construction of lightweight “optimal” \(4\times 4\) MDS matrices. A short conclusion is given in Sect. 6.

2 Preliminaries and a General Bound

A map \(A: \mathbb {F}_2^m\rightarrow \mathbb {F}_2^m\) is called linear if \(A(x+y)=A(x)+A(y)\) for \(x,y\in \mathbb {F}_2^m\). Fixed a basis of \(\mathbb {F}_2^m\) over \(\mathbb {F}_2\), a linear map over \(\mathbb {F}_2^m\) can be represented by an \(m\times m\) matrix over \(\mathbb {F}_2\), which is also denoted by A. Then \(A(x)=A\cdot x\), where \(x=(x_1,\ldots ,x_m)\in \mathbb {F}_2^m\) is viewed as a column vector throughout this paper. A linear map is a permutation over \(\mathbb {F}_2^m\) if and only if its matrix representation is non-singular. The notation \(GL(m, S)\) denotes the set of all \(m\times m\) non-singular matrices with entries in S.

For \(a,b\in \mathbb {F}_2\), \(a+b\) is called the bit XOR operation. For \(A\in GL(m,\mathbb {F}_2)\), \(\#A\) denotes the number of XOR operations that required to evaluate \(A\cdot x\) directly, where \(x\in \mathbb {F}_2^m\), and we call A has \(\#A\) XOR operations. It is easy to see that \(\#A\) equals the number of XORs in A(x) and hence

$$\#A=\sum \limits _{i=1}^m (\omega (A[i])-1),$$

where \(\omega (A[i])\) means the number of nonzero entries in the i-th row of A. For \(A\in GL(m,\mathbb {F}_2)\), a simplified representation of A is given by extracting the nonzero positions in each row of A. For example, [2, 3, 4, [1,4]] is the representation of the following matrix.

$$\begin{aligned} \left( \begin{array}{c@{\quad }c@{\quad }c@{\quad }c} 0&{}1&{}0&{}0\\ 0&{}0&{}1&{}0\\ 0&{}0&{}0&{}1\\ 1 &{}0&{}0&{}1\\ \end{array} \right) \!, \end{aligned}$$

and it is a matrix with 1 XOR operation.

Every linear diffusion can be represented by a matrix as follows

$$\begin{aligned} L=\left( \begin{array}{c@{\quad }c@{\quad }c@{\quad }c} L_{1,1}&{}L_{1,2}&{}\cdots &{}L_{1,n}\\ L_{2,1}&{}L_{2,2}&{}\cdots &{}L_{2,n}\\ \vdots &{}\vdots &{}\cdots &{}\vdots \\ L_{n,1}&{}L_{n,2}&{}\cdots &{}L_{n,n}\\ \end{array} \right) \!, \end{aligned}$$

where \(L_{i,j}\) is an \(m\times m\) matrix over \(\mathbb {F}_2\) for \(1\le i,j\le n\). For \(X=(x_1,\ldots ,x_n)\in (\mathbb {F}_{2}^{m})^{n}\),

$$L(X)=(\sum \limits _{i=1}^n L_{1,i}(x_i), \ldots , \sum \limits _{i=1}^n L_{n,i}(x_i)),$$

where \(L_{i,j}(x_k)=L_{i,j}\cdot x_k\), for \(1\le i,j\le n, 1\le k\le m\). A linear diffusion L defined as above is called involutory if \(L\circ L(X)=X\) for all \(X\in (\mathbb {F}_2^m)^n\), which is equivalent to that \(L^2\) is the identity matrix of order mn.

For \(X=(x_1,\ldots ,x_n)\in (\mathbb {F}_{2}^{m})^{n}\), the bundle weight of X, which is denoted by \(\omega _b(X)\), is defined as the number of nonzero entries of X. This means

$$\omega _b(X)=|\{x_i: x_i\ne 0, 1\le i\le n\}|.$$

The branch number of L is defined as

$$\min \{\omega _b(X)+\omega _b(L(X))\mid X\in (\mathbb {F}_{2}^{m})^{n}, X\ne 0\}.$$

The upper bound on the branch number of L is \(n+1\), and a matrix achieved the bound is called an MDS matrix.

Square sub-matrices of L of order t means the following matrices

$$L(J,K)=(L_{j_l,k_p}, 1\le l,p\le t)$$

where \(J=[j_1,\ldots ,j_t]\) and \(K=[k_1,\ldots ,k_t]\) are two sequence of length t, and \(1\le j_1<\ldots <j_t\le n\), \(1\le k_1,\ldots ,k_t\le n\). Note that \(L(J,K)\cdot (x_1,\ldots ,x_t)=0\) does not have nonzero solutions if and only if L(JK) is of full rank. Then the following result holds, which is proved in [5].

Theorem 1

Let \(L=(L_{i,j}), 1\le i,j\le n\), and the entries of L are \(m\times m\) matrices over \(\mathbb {F}_2\). Then L is an MDS matrix if and only if all square sub-matrices of L of order t are of full rank for \(1\le t\le n\).

According to Theorem 1, the computation would be complicated when n is large. Then in the present paper we focus on \(4\times 4\) matrices, which are widely used in cryptography. More precisely, we construct lightweight MDS matrices using circulant matrix and Hadamard matrix. Both of them can be defined by the first row’s entries and hence can be implemented efficiently.

2.1 A General Bound

In this subsection, we give a general bound of XORs on circulant and Hadamard MDS matrices.

A matrix is called circulant if each row is rotated to the right of the preceding row by one entry. Then for a \(4\times 4\) circulant matrix, we means

$$\begin{aligned} Circ(A,B,C,D)=\left( \begin{array}{c@{\quad }c@{\quad }c@{\quad }c} A&{}B&{}C&{}D\\ D&{}A&{}B&{}C\\ C&{}D&{}A&{}B\\ B&{}C&{}D&{}A\\ \end{array} \right) \!, \end{aligned}$$

where \(A,B,C,D\in GL(m,\mathbb {F}_2)\).

A \(2^k\times 2^k\) matrix H is called a Hadamard matrix if it can be represented as

$$\begin{aligned} \left( \begin{array}{cc} H_1,&{}H_2\\ H_2,&{}H_1 \end{array}\right) \!, \end{aligned}$$

where \(H_1,H_2\) are two \(2^{k-1}\times 2^{k-1}\) Hadamard matrices. Then for a \(4\times 4\) Hadamard matrix, we means

$$\begin{aligned} Had(A,B,C,D)=\left( \begin{array}{cccc} A,&{}B,&{}C,&{}D\\ B,&{}A,&{}D,&{}C\\ C,&{}D,&{}A,&{}B\\ D,&{}C,&{}B,&{}A\\ \end{array} \right) \!, \end{aligned}$$

where \(A,B,C,D\in GL(m,\mathbb {F}_2)\).

Remember that our aim is constructing MDS matrices with as few XOR operations as possible. Then we prefer linear transformations with no XORs. However, the following results limits the amounts of such linear transformations used in our constructions.

Lemma 1

Let \(L=\left( \begin{array}{cc} L_1,&{} L_2\\ L_3,&{} L_4 \end{array} \right) ,\) \(L_i\in GL(m,\mathbb {F}_2), 1\le i\le 4\). If \(\mathrm {rank}(L)=2m\), then \(\sum \limits _{i=1}^4\#L_i\ge 1\).

Proof

Assume \(\#L_i=0\), \(1\le i\le 4\). Then for \(1\le i\le 4\), each row and each column of \(L_i\) has exactly one entry equals 1 since \(L_i\) are non-singular. This means every entry of \(\sum \limits _{j=1}^m L_i[j]\) equals to 1. Therefore, every entry of \(\sum \limits _{i=1}^{2m}L[i]\) equals to 0, which means \(\mathrm {rank}(L)< 2m\) and we complete the proof.    \(\square \)

Then we have the following result.

Theorem 2

  1. 1.

    Let \(L=Circ(A,B,C,D)\) be a circulant MDS matrix, where \(A,B,C,D\in GL(m,\mathbb {F}_2)\). Then \(\#A+\#B+\#C+\#D\ge 2\).

  2. 2.

    Let \(L=Had(A,B,C,D)\) be a Hadamard MDS matrix, where \(A,B,C,D\in GL(m,\mathbb {F}_2)\). Then \(\#A+\#B+\#C+\#D\ge 3\).

Proof

Let \(L=Circ(A,B,C,D)\) be a circulant MDS matrix. Assume

$$\#A+\#B+\#C+\#D\le 1.$$

Then there are at least 3 entries with 0 XORs in the first row. Without loss of generality, we suppose \(\#A=\#B=\#C=0\). Then according to Lemma 1, it holds

$$\begin{aligned} \mathrm {rank}(L([1,2],[2,3]))=\mathrm {rank}(\left( \begin{array}{cc} B&{},C\\ A&{},B \end{array} \right) )<2m. \end{aligned}$$

This is a contradiction since L is an MDS matrix. The other cases can be proved similarly.

Let \(L=Had(A,B,C,D)\) be a Hadamard MDS matrix. Assume

$$\begin{aligned} \#A+\#B+\#C+\#D\le 2. \end{aligned}$$

Then there are at least 2 entries with 0 XORs in the first row. Without loss of generality, we suppose \(\#A=\#C=0\). Then according to Lemma 1, it holds

$$\begin{aligned}\mathrm {rank}(L([1,3],[1,3]))=\mathrm {rank}(\left( \begin{array}{cc} A&{},C\\ C&{},A \end{array} \right) )<2m. \end{aligned}$$

This is a contradiction since L is an MDS matrix. The other cases can be proved similarly.    \(\square \)

The above result means that there are at most two entries with no XORs in one row of a circulant MDS matrix, and there are at most one entry with no XORs in one row of a Hadamard MDS matrix. We suppose \(L[1,1]=I\) in our constructions, where I denotes the identity matrix throughout this paper.

3 Lightweight Circulant MDS Matrices

In this section, we investigate the construction of lightweight circulant involutory, non-involutory and orthogonal MDS matrices respectively.

3.1 Constructing Circulant Involutory MDS Matrices

First, we have the following result.

Lemma 2

Let \(L=Circ(I,A,B,C)\) be a circulant matrix, where \(A,B,C\in GL(m,\mathbb {F}_{2})\). Then L is an involution if and only if the following equalities hold:

$$\begin{aligned}AB=BA, BC=CB, A^2=C^2, AC+CA=B^2.\end{aligned}$$

Proof

By matrix multiplication, it can be checked that

$$\begin{aligned} \begin{array}{lll} L^2&{}=&{}Circ(I,A,B,C)\cdot Circ(I,A,B,C)\\ &{}=&{}Circ(I+AC+CA+B^2,BC+CB,A^2+C^2,AB+BA).\\ \end{array} \end{aligned}$$

On the other hand, L is an involution if and only if \(L^2=Circ(I,0,0,0).\) Therefore, L is an involution if and only if

$$\begin{aligned} AB=BA, BC=CB, A^2=C^2, AC+CA=B^2 \end{aligned}$$

hold simultaneously.    \(\square \)

We give a general construction of circulant involutory matrix in the following result. For \(A\in GL(m,\mathbb {F}_2)\), the multiplication order of A is defined as the minimum positive integer d such that \(A^d=I\).

Lemma 3

Suppose \(A,C\in GL(m, \mathbb {F}_2)\) with \(A^2=C^2=I\), and the multiplication order of \(A+C\) equals \(4k-2\) for some integer k with \(k>1\). Let \(B=(A+C)^{2k}\). Then the matrix Circ(IABC) is an involution.

Proof

Let \(B=(A+C)^{2k}\). Note that

$$\begin{aligned} A^2=C^2=I, \end{aligned}$$

then according to Lemma 2, we only need to prove that ABC satisfy the following equalities

$$\begin{aligned} AB=BA, BC=CB, AC+CA=B^2. \end{aligned}$$

First, it is easy to see that

$$\begin{aligned} (A+C)^2=A^2+AC+CA+C^2=AC+CA. \end{aligned}$$

Then we have

$$B=(A+C)^{2k}=(AC+CA)^k.$$

Therefore,

$$\begin{aligned} \begin{array}{lll} AB&{}=&{}A(AC+CA)^k\\ &{}=&{}A(AC+CA)(AC+CA)^{k-1}\\ &{}=&{}(A^2C+ACA)(AC+CA)^{k-1}\\ &{}=&{}(CA^2+ACA)(AC+CA)^{k-1}\\ &{}=&{}(CA+AC)A(AC+CA)^{k-1}\\ &{}=&{} \cdots \\ &{}=&{}(AC+CA)^{k}A\\ &{}=&{}BA. \end{array} \end{aligned}$$

Similarly, it can be checked that

$$BC=CB.$$

Note that \((A+C)^{4k-2}=I\), then we have

$$\begin{aligned} B^2=(A+C)^{4k}=(A+C)^2=AC+CA. \end{aligned}$$

According to Lemma 2, we have \(Circ(I,A,(A+C)^{2k},C)\) is an involution.    \(\square \)

Remark 1

If \(k=1\), then the multiplication order of \(A+C\) equals 2 and \(B=(A+C)^2=I\). In this case, \(L=Circ(I,A,I,C)\) constructed as above is also a circulant involution. However, it is not an MDS matrix since \(\mathrm {rank}(L([1,3], [1,3]))<2m\). Then we always suppose \(k>1\) since we want to construct circulant involutory MDS matrices.

Using above results, our searching strategy is as follows. Firstly, we get the set S which contains all involutory matrix from the set which we want to search. Then for each pair of \((A,C)\in S\times S\), we compute the multiplication order d of \(A+C\). If \(d \text{ mod } 4=2\), then let \(B=(A+C)^{\frac{d}{2}+1}\), and test whether Circ(IABC) is MDS by Theorem 1.

When \(m=4\), we search AC over \(GL(4,\mathbb {F}_2)\). There exist AC such that Circ(IABC) is MDS. The fewest sum of XORs of one rows’ entries of an MDS involutory Circ(IABC) constructed as above is 5. There are 48 pairs of AC with this property. These 48 matrices are of the type Circ(IABC) and Circ(ICBA) for 24 different pairs of AC.

When \(m=8\), we search AC over all \(8\times 8\) non-singular matrices over \(\mathbb {F}_2\) with less than or equal to 3 bit XOR operations. The fewest sum of XORs of one rows’ entries of an MDS Circ(IABC) constructed as above is 9. There are 40320 pairs of AC satisfy this property. For all these pairs of AC, Circ(ICBA) are also circulant involutory MDS matrices.

Theorem 3

Their exist \(A,B,C\in GL(m,\mathbb {F}_2)\), \(m=4,8\), such that \(Circ(I,A,B,C)\) is an involutory MDS matrix. Furthermore, the following statements hold.

  1. 1.

    When \(m=4\), circulant involutory MDS matrices constructed with the above method satisfy \(\#A+\#B+\#C\ge 5\).

  2. 2.

    When \(m=8\), if \(\#A\le 3\) and \(\#C\le 3\), then circulant involutory MDS matrices constructed with the above method satisfy \(\#A+\#B+\#C\ge 9\).

Example 1

Examples of ABC such that Circ(IABC) are circulant involutory MDS matrices with \(\#A+\#B+\#C=m+1\).Footnote 1

  1. (1)

    \(m=4\), \(A=[1, 2, [1, 3], [1, 2, 4]]\), \(C=[4, 3, 2, 1]\), \(B=(A+C)^4=[2, [1, 2], [3, 4], 3]\).

  2. (2)

    \(m=8\), \(A=[1, 2, [1, 3], [1, 2, 4], 6, 5, 8, 7]\), \(C=[5, 8, [2, 6], 7, 1, [3, 8], 4, 2]\), and \(B=(A+C)^{16}=[[7, 8], 1, 7, [3, 8], [2, 4], [1, 4], 6, 5]\).

We further investigate the construction of \(5\times 5\) circulant involutory MDS matrices. In order to simplify our characterization, we investigate \(5\times 5\) circulant matrices of the type Circ(IABBA), where \(A,B\in GL(m,\mathbb {F}_2)\). Concerning the property of involutory of Circ(IABBC), it is easy to prove the following result.

Lemma 4

Let \(L=Circ(I,A,B,B,A)\) be a circulant matrix, where \(A,B\in GL(m,\mathbb {F}_{2})\). Then L is an involution if and only if \(A^2=AB+BA=B^2\).

We give constructions by exhaustive searching for AB with the following method. The method is often used hereafter in the paper, and we give a detailed general description here.

The following result is helpful. It can be proved via elementary linear algebra and we omit the proof here.

Lemma 5

Suppose \(A,B,C\in GL(m,\mathbb {F}_2)\) are \(m\times m\) non-singular matrices over \(\mathbb {F}_2\). Then the following statements hold.

  1. (1)

    \(\left( \begin{array}{cc} I,&{}A\\ B,&{}C\\ \end{array} \right) \) is of full rank if and only if \(\mathrm {rank}(BA+C)=m\).

  2. (2)

    \(\left( \begin{array}{cc} A,&{}I\\ B,&{}C\\ \end{array} \right) \) is of full rank if and only if \(\mathrm {rank}(CA+B)=m\).

  3. (3)

    \(\left( \begin{array}{cc} A,&{}B\\ I,&{}C\\ \end{array} \right) \) is of full rank if and only if \(\mathrm {rank}(AC+B)=m\).

  4. (4)

    \(\left( \begin{array}{cc} A,&{}B\\ C,&{}I\\ \end{array} \right) \) is of full rank if and only if \(\mathrm {rank}(BC+A)=m\).

Let \(L=Circ(I,A,B,B,A)\). According to Theorem 1, if L is MDS, then all its square sub-matrices are of full rank. According to Lemma 5, we have the following fact by investigating all square sub-matrices of order 2. If L is MDS, then the following matrices are non-singular:

$$A+I, A^2+I, B+I, B^2+I, A^2+B, A+B^2, A+B.$$

Note that \(A^2+I\) is non-singular if and only if \(A+I\) is non-singular. Then the conditions can be simplified as the following matrices are non-singular:

$$A+I, B+I,A+B^2, A^2+B,A+B.$$

Based on the above observations, we have the following searching strategy. First, note that both A and B should satisfy \(\mathrm {rank}(X+I)=m, X=A,B\). The equalities that both A and B satisfied are called general rules. Then we can select the candidate set of A and B from the set we want to search over by using general rules, which means

$$S_{A,B}:=\{X : X\in S_{search} \mid \mathrm {rank}(X+I)=m\}.$$

The for \(A\in S_{A,B}\), we can get the candidate set of B by using the other conditions that should be satisfied, which means

$$\begin{aligned} \begin{array}{lll} S_{B}&{}:=&{}\{B : B\in S_{A,B}\mid \mathrm {rank}(A+B)=m\wedge \mathrm {rank}(A^2+B)=m \wedge \mathrm {rank}(A+B^2)=m\\ &{} &{}\wedge A^2=AB+BA \wedge A^2=B^2\}. \end{array} \end{aligned}$$

At last, for \(B\in S_B\), we test whether L is MDS by Theorem 1.

When \(m=4\), we search AB over \(GL(4,\mathbb {F}_2)\). The fewest XORs of one row’s entries of an involutory MDS Circ(IABBA) is 4. There are 24 pairs of AB such that Circ(IABBA) are involutory circulant MDS matrices with \(\#A+\#B=2\). These 24 MDS matrices are of the type \(Circ(I,A,A^{T},A^{T},A)\) and \(Circ(I,A^{T},A,A,A^{T})\) for 12 different A.

When \(m=8\), we search AB over \(GL(8,\mathbb {F}_2)\) with \(\#A+\#B\le 3\). No involutory MDS matrix returns. Therefore, if Circ(IABBA) is an involutory MDS matrix, then \(\#A+\#B\ge 4\).

Then we have the following result.

Theorem 4

Their exist \(A,B\in GL(m,\mathbb {F}_2)\), \(m=4,8\), such that \(Circ(I,A,B,B,A)\) is an \(5\times 5\) involutory MDS matrix. Furthermore, if Circ(IABBA) is an involutory MDS matrix, then \(\#A+\#B\ge \frac{m}{2}\).

Similar as the method “Subfield construction"that used in [6, 19, 21], it is easy to construct involutory MDS Circ(IABBA) over \(\mathbb {F}_2^8\) with \(\#A+\#B=4\), since we have constructed involutory MDS Circ(IABBA) over \(\mathbb {F}_2^4\) with \(\#A+\#B=2\). Let \(X\in GL(4,\mathbb {F}_2)\), \(\#X=1\) and \(Circ(I,X,X^T,X^T,X)\) is an involutory MDS matrix. Then \(Circ(I,A,A^{T},A^{T},A)\) is also an involutory MDS matrix, where \(A\in GL(8,\mathbb {F}_2)\) of the following form

$$\begin{aligned} A=\left[ \begin{array}{cc} X,&{} 0\\ 0,&{} X \end{array}\right] . \end{aligned}$$

Then we can construct 24 circulant involutory MDS by using the above method and the searching result when \(m=4\).

In order to get more circulant involutory MDS matrices, we searching A over \(GL(8,\mathbb {F}_2)\) with \(\#A=2\). We get 20160 A such that \(Circ(I,A,A^T,A^T,A)\) are involutory MDS matrices and \(\#A+\#A^{T}=4\).

Example 2

Examples of AB such that Circ(IABBA) are circulant involutory MDS matrices with \(\#A+\#B=\frac{m}{2}\).

  1. (1)

    \(m=4\), \(A=[2, 3, 4, [1, 3]]\), \(B=A^T=[4, 1, [2, 4], 3]\).

  2. (2)

    \(m=8\), \(X=[2, 3, 4, [1, 3]]\), \(A=\left[ \begin{array}{cc} X,&{} 0\\ 0,&{} X \end{array}\right] =[2, 3, 4, [1, 3], 6, 7, 8, [5, 7]]\), \(B=A^T=[4, 1, [2, 4], 3, 8, 5, [6, 8], 7]\).

  3. (3)

    \(m=8\), \(A=[[3, 5], 8, 1, 3, 4, 2, 6, [2, 7]]\), \(B=A^T=[3, [6, 8], [1, 4], 5, 1, 7, 8, 2]\).

It is interesting that \(5\times 5\) circulant involutory MDS matrices can be constructed with only 3 different entries. We have tried some other methods to construct circulant involutory MDS matrices with higher order. However, we do not get an circulant involutory MDS matrix with order large than or equal to 6 until present. We leave it as an open problem.

Problem 1

Construct \(n\times n\) circulant involutory MDS matrices over \(GL(m,\mathbb {F}_2)\) or prove that they do not exist, where \(n\ge 6\), \(m=4,8\).

3.2 Constructing Circulant Non-involutory MDS Matrices

In this subsection, we want to construct non-involutory MDS matrices with as few XORs as possible. We consider circulant matrices of the type

$$Circ(I,I,A,B),$$

since it has the most many entries with no XORs in one row.

The searching strategy is similar as previous subsection. If Circ(IIAB) is MDS, then the following matrices are non-singular:

$$A+I, B+I, A+B, AB+I, A^2+B, A+B^2.$$

When \(m=4\), we search AB over \(GL(4,\mathbb {F}_2)\). The fewest XORs of one row’s entries of an MDS Circ(IIAB) is 3. Their are 48 pair of (AB) such that Circ(IIAB) are MDS matrices with \(\#A+\#B=3\). These 48 matrices are of the type \(Circ(I,I,A,A^{-2})\) and \(Circ(I,I,A^{-2},A)\) for 24 different A.

When \(m=8\), we search AB over all \(8\times 8\) non-singular matrices over \(\mathbb {F}_2\) with 1 bit XOR. No MDS matrix returns. This means if Circ(IIAB) is an MDS matrix over \(GL(8,\mathbb {F}_2)\), then either A or B has at least 2 XORs, and hence \(\#A+\#B\ge 3\). Therefore, the following result hold.

Theorem 5

Let \(L=Circ(I,I,A,B)\), where \(A,B\in GL(m,\mathbb {F}_2)\), \(m=4,8\). If L is an MDS matrix, then \(\#A+\#B\ge 3\).

In order to get circulant MDS matrix with the above equality holds when \(m=8\), we let \(B=A^{-2}\) and search A over all \(8\times 8\) non-singular matrices over \(\mathbb {F}_2\) with 1 bit XOR. At last, we get 80640 A such that \(Circ(I,I,A,A^{-2})\) are MDS matrices with \(\#A+\#A^{-2}=3\). Furthermore, \(Circ(I,I,A^{-2},A)\) are also MDS matrices for all these A.

Example 3

Examples of AB such that Circ(IIAB) and Circ(IIBA) are MDS matrices with \(\#A+\#B=3\).

  1. (1)

    \(m=4\), \(A=[2, 3, 4, [1, 4]]\), \(B=A^{-2}=[[2, 3], [3, 4], 1, 2]\).

  2. (2)

    \(m=8\), \(A=[2, 3, 4, 5, 6, 7, 8, [1, 3]],\) \(B=A^{-2}=[[1, 7], [2, 8], 1, 2, 3, 4, 5, 6]\).

3.3 Constructing Circulant Orthogonal MDS Matrices

A square matrix L is called orthogonal if \(L^{-1}=L^T\), where \(L^T\) is the transpose of L. It is proven in [13] there do not exist \(2^d\times 2^d\) circulant orthogonal MDS matrix over finite fields. In this subsection, we show that \(4\times 4\) circulant orthogonal MDS matrices can also be constructed with non-commutative entries.

Firstly, note that for \(L=Circ(I,A,B,C)\), where \(A,B,C\in \mathbb {F}_{2^m}\), it holds \(L^{T}=Circ(I,C^T,B^T,A^T)\). This means one have to implement new entries \(A^{T},B^{T},C^{T}\) in decryption circuit when L is orthogonal. In order to simplify implementation, we let \(A,B,C\in GL(m,\mathbb {F}_2)\) are symmetric matrices, which means \(A=A^{T},B=B^T,C=C^T\). Then it holds

$$L^{T}=Circ(I,C^T,B^T,A^T)=Circ(I,C,B,A),$$

and it is easy to prove the following result.

Lemma 6

Let \(L=Circ(I,A,B,C)\) be a circulant matrix, where \(A,B,C\in GL(m,\mathbb {F}_2)\) are symmetric matrices. Then L is orthogonal if and only if the following equalities hold:

$$\begin{aligned} A^2+B^2=C^2, AC=CA, A+C=BA+CB, A+C=AB+BC. \end{aligned}$$

If \(L=Circ(I,A,B,C)\) is MDS, then the following matrices are non-singular:

$$B+I, B+A^2, B+C^2, AC+I, AB+C.$$

When \(m=4\), we search symmetric ABC over \(GL(4,\mathbb {F}_2)\). The fewest XORs of one row’s entries of an orthogonal MDS Circ(IABC) is 8. Their are 24 triples of ABC such that Circ(IABC) are orthogonal MDS matrices with \(\#A+\#B+\#C=8\). Then we have the following result.

Theorem 6

There exist symmetric \(A,B,C\in GL(4,\mathbb {F}_2)\) such that \(Circ(I,A,B,C)\) is an orthogonal MDS matrix. Furthermore, if Circ(IABC) is an orthogonal MDS matrix, then \(\#A+\#B+\#C\ge 8\).

Example 4

Example of ABC such that Circ(IABC) is an orthogonal circulant MDS matrix \(\#A+\#B+\#C = 2m\).

  1. (1)

    \(m=4\), \(A=[1, 2, 4, [3, 4]]\), \(B=[[1, 4], [2, 3, 4], [2, 3], [1, 2, 4]]\), \(C=[2, [1, 2], 3, 4]\).

  2. (2)

    \(m=8\), \(A=\left[ \begin{array}{cc} A_1,&{} 0\\ 0,&{} A_1 \end{array}\right] \), \(B=\left[ \begin{array}{cc} B_1,&{} 0\\ 0,&{} B_1 \end{array}\right] \), \(C=\left[ \begin{array}{cc} C_1,&{} 0\\ 0,&{} C_1 \end{array}\right] \), where \(A_1,B_1,C_1\) are the ABC in the above item.

4 Lightweight Hadamard MDS Matrices

In this section, we investigate the construction of lightweight Hadamard involutory and non-involutory MDS matrices respectively.

4.1 Constructing Hadamard Involutory MDS Matrices

In the case of abc are elements of finite fields, Had(1, abc) is an involution if and only if \(a^2+b^2=c^2\). In the case of \(A,B,C\in GL(m,\mathbb {F}_2)\), we have the following result.

Lemma 7

Let \(A,B,C\in GL(m,\mathbb {F}_2)\). Then \(L=Had(I,A,B,C)\) is an involution if and only if ABC are pairwise commutative and \(A^2+B^2=C^2\).

Proof

By matrix multiplication, it can be checked that

$$\begin{aligned} \begin{array}{lll} L^2&{}=&{}Had(I,A,B,C)\cdot Had(I,A,B,C)\\ &{}=&{}Had(I+A^2+B^2+C^2,BC+CB,AC+CA,AB+BA).\\ \end{array} \end{aligned}$$

Therefore, L is an involution if and only if \(L^2=Had(I,0,0,0)\), which is equivalent to

$$AB=BA, BC=CB, AC=CA, A^2+B^2=C^2$$

hold simultaneously.    \(\square \)

When \(m=4\), we search ABC over \(GL(4,\mathbb {F}_2)\) as previous. The fewest XORs of one row’s entries of an involutory MDS Had(IABC) is 6. There are 144 triples of ABC such that Had(IABC) are involutory MDS matrices with \(\#A+\#B+\#C=6\). These 144 matrices are of the type \(Had(I,A_1,A_2,A_3)\), where \((A_1,A_2,A_3)\) is a permutation of \((A,A^{-1},A+A^{-1})\) for 24 different A.

When \(m=8\), we also consider Hadamard matrix of the type

$$L=Had(I, A, A^{-1}, A+A^{-1}),$$

where \(A\in GL(m,\mathbb {F}_2)\). According to the above lemma, L is an involution. We use the method in [20, 23] to characterize whether L is MDS. By computing the determinants of all the square sub-matrices of L and factorizing these polynomials, we get that L is an MDS matrix if and only if all the following matrices are non-singular:

$$A,A+I,A^2+A+I,A^3+A+I,A^3+A^2+I.$$

Then we search A over \(GL(8,\mathbb {F}_2)\) with \(\#A\le 3\). The fewest XORs of one row’s entries of an involutory MDS \(Had(I,A,A^{-1},A+A^{-1})\) is 10. We get 80640 A such that \(Had(I,A,A^{-1},A+A^{-1})\) are involutory MDS matrices with \(\#A+\#A^{-1}+\#(A+A^{-1})=10\).

We also have searched some other types of Hadamard matrices. However, we do not get a Hadamard involutory matrix with one row’s XORs less then 10 until present.

Theorem 7

  1. 1.

    Let \(A,B,C\in GL(4,\mathbb {F}_2)\). If \(L=Had(I,A,B,C)\) is an MDS involution matrix, then \(\#A+\#B+\#C\ge 6\).

  2. 2.

    Let \(A\in GL(8,\mathbb {F}_2)\) with \(\#A\le 3\). If \(L=Had(I,A,A^{-1},A+A^{-1})\) is an MDS involution matrix, then \(\#A+\#A^{-1}+\#(A+A^{-1})\ge 10\).

Example 5

Examples of ABC such that Had(IABC) are involutory MDS matrices with \(\#A+\#B+\#C=m+2\).

  1. (1)

    \(m=4\), \(A=[2, [1, 3], 4, [2, 3]]\), \(B=A^{-1}=[[1, 2, 4], 1, [1, 4], 3]\), \(C=A+A^{-1}=[[1, 4], 3, 1, 2]\).

  2. (2)

    \(m=8\), \(A=[2, 3, 4, 5, 6, 7, 8, [1, 3]]\), \(B=A^{-1}=[[2, 8], 1, 2, 3, 4, 5, 6, 7]\), \(C=A+A^{-1}=[8, [1, 3], [2, 4], [3, 5], [4, 6], [5, 7], [6, 8], [1, 3, 7]]\).

4.2 Constructing Non-involutory Hadamard MDS Matrices

In this subsection, we want to construct non-involutory Hadamard MDS matrix with as few XORs as possible. The searching strategy is similar as previous. If Had(IABC) is MDS, then the following matrices are non-singular:

$$A+I, B+I, C+I, AB + C, AC + B,BA + C,BC + A,CB + A,CA + B.$$

When \(m=4\), we search ABC over \(GL(4,\mathbb {F}_2)\). The fewest XORs of one rows’ entries of an MDS Had(IABC) is 4. There are 72 triples of ABC such that Had(IABC) are MDS matrices with \(\#A+\#B+\#C=4\). These 72 matrices are of the type \(Had(I,A_1,A_2,A_3)\), where \((A_1,A_2,A_3)\) is a permutation of \((A,A^{T},A+A^{T})\) for 12 different A.

When \(m=8\), we search A over \(GL(8,\mathbb {F}_2)\) with \(\#A\le 2\). The fewest XORs of one rows’ entries of an MDS \(Had(I, A, A^{T},A+A^T)\) is 8.

In order to get Hadamard MDS matrices with fewer XORs in one row, we investigate Hadamard matrices of the type \(Had(I,A,A^T,B)\). According to our searching, if \(\#A\le 1\) and \(\#B\le 2\), then there are no MDS \(Had(I,A,A^T,B)\). Then we have the following result.

Theorem 8

  1. 1.

    Let \(A,B,C\in GL(4,\mathbb {F}_2)\). If \(L=Had(I,A,B,C)\) is an MDS matrix, then \(\#A+\#B+\#C\ge 4\).

  2. 2.

    Let \(A,B\in GL(8,\mathbb {F}_2)\). If \(L=Had(I,A,A^{T},B)\) is an MDS matrix, then \(\#A+\#A^T+\#B\ge 5\).

In order to get MDS \(Had(I, A, A^T, B)\) with \(\#A+\#A^{T}+\#B=5\), we choose A with \(\#A=2\) and \(\mathrm {rank}(A+I)=8\) randomly, and then test whether there exist B with \(\#B=1\) such that \(Had(I, A, A^T, B)\) is MDS. We repeat the process several times and get 622 pairs of \(A,B\in GL(8,\mathbb {F}_2)\), such that \(Had(I, A, A^{T}, B)\) is MDS and \(\#A+\#A^T+\#B=5\).

Table 1. Comparisons with previous constructions of non-involutory MDS matrices
Full size table
Table 2. Comparisons with previous constructions of involutory MDS matrices
Full size table
Table 3. Comparisons of MDS matrices over \(\mathbb {F}_2^4\) and \(\mathbb {F}_{2^4}\)
Full size table

Example 6

Examples of ABC such that Had(IABC) are MDS matrices with the bounds in the above theorem hold.

  1. (1)

    \(m=4\), \(A=[2, 3, 4, [1, 3]]\), \(B=A^{T}=[4, 1, [2, 4], 3]\), \(C=A+A^{T}=[[2, 4], [1, 3], 2, 1]\).

  2. (2)

    \(m=8\), \(A=[2, 3, 4, [1, 5], 8, 7, 5, [3, 6]]\), \(B=A^{T}=[4, 1, [2, 8], 3, [4, 7], 8, 6, 5]\), \(C=[[4, 7], 6, 5, 8, 7, 1, 2, 3].\)

We give comparisons of our constructions with previous constructions in Tables 1, 2 and 3 respectively.

The lower bounds on XORs of circulant and Hadamard MDS matrices given in Sects. 3 and 4 are under the supposition \(L[1,1]=I\). Therefore, it is possible to improve the previous lower bounds when \(L[1,1]\ne I\). However, we have the following result with searching, which shows that the lower bounds can not be improved when \(m=4\).

Theorem 9

Let \(A_i\in GL(4,\mathbb {F}_2)\), and \(\mathcal {A}=\sum \limits _{i=1}^4\#A_i\). Then the following statements hold.

  1. 1.

    If \(Circ(A_1,A_2,A_3,A_4)\) is a circulant MDS matrix, then \(\mathcal {A}\ge 3\).

  2. 2.

    If \(Circ(A_1,A_2,A_3,A_4)\) is a circulant involutory MDS matrix, then \(\mathcal {A}\ge 5\).

  3. 3.

    If \(Had(A_1,A_2,A_3,A_4)\) is a Hadamard MDS matrix, then \(\mathcal {A}\ge 4\).

  4. 4.

    If \(Had(A_1,A_2,A_3,A_4)\) is a Hadamard involutory MDS matrix, then \(\mathcal {A}\ge 6\).

5 Lightweight “Optimal” \(4\times 4\) MDS Matrices

It is proven in [17] that the highest possible number of 1 and the lowest possible number of different entries for a \(4\times 4\) MDS matrix over finite fields are 9 and 3 respectively. The matrix with the two properties hold simultaneously are called “optimal" in their presentation slides. The following matrix

$$\begin{aligned} \left( \begin{array}{c@{\quad }c@{\quad }c@{\quad }c} a&{}1&{}1&{}1\\ 1&{}1&{}b&{}a\\ 1&{}a&{}1&{}b\\ 1&{}b&{}a&{}1\\ \end{array} \right) \end{aligned}$$

is an example of “optimal” matrix which is given in [17]. Similarly as above, we investigate the following special matrix,

$$\begin{aligned} L=\left( \begin{array}{c@{\quad }c@{\quad }c@{\quad }c} A&{}I&{}I&{}I\\ I&{}I&{}B&{}A\\ I&{}A&{}I&{}B\\ I&{}B&{}A&{}I\\ \end{array} \right) \!, \end{aligned}$$

where \(A,B\in GL(m,\mathbb {F}_2)\) are \(m\times m\) non-singular matrices over \(\mathbb {F}_2\).

If L is MDS, then the following matrices are non-singular:

$$A+I, B+I,A+B, A+B^2, A^2+B, AB+I.$$

When \(m=4\), we search AB over \(GL(4,\mathbb {F}_2)\), which is the set of all \(4\times 4\) non-singular matrices over \(\mathbb {F}_2\). The fewest XORs of “optimal” MDS matrices is 13. There are 24 pairs of \(A,B\in GL(m,\mathbb {F}_2)\) such that the corresponding constructions are MDS matrices with \(4\#A+3\#B=13\). All these pairs satisfy \(B=A^{-2}\).

When \(m=8\), we search AB over the set of all \(8\times 8\) non-singular matrices over \(\mathbb {F}_2\) with 1 bit XOR operation. No MDS matrix returns. This means if L is a “optimal” MDS matrix over \(GL(8,\mathbb {F}_2)\), then either A or B has at least 2 XORs, and hence \(\#L\ge 10\).

Then we have the following result.

Theorem 10

Let L be a matrix constructed as above, where \(A,B\in GL(m,\mathbb {F}_2)\), \(m=4,8\). If L is an MDS matrix, then

$$\begin{aligned} 4\#A+3\#B\ge \left\{ \begin{array}{ll} 13,&{}\quad m=4;\\ 10,&{}\quad m=8. \end{array}\right. \end{aligned}$$

In order to get “optimal” matrices over \(GL(8,\mathbb {F}_2)\) with 10 XORs, we let \(B=A^{-2}\) and search A over all \(8\times 8\) non-singular matrices over \(\mathbb {F}_2\) with 1 bit XOR operation. We get 40320 \(A\in GL(8,\mathbb {F}_2)\) such that the corresponding constructions are “optimal” MDS matrices with 10 XORs.

It is interesting that “optimal” \(4\times 4\) MDS matrices over \(GL(8,\mathbb {F}_2)\) has fewer XORs than “optimal” \(4\times 4\) MDS matrices over \(GL(4,\mathbb {F}_2)\).

Example 7

Examples of AB such that L are “optimal” MDS matrices with the bounds in the above result hold.

  1. (1)

    Let \(A=[[2, 3], 4, 2, 1]\), \(B=A^{-2}=[2, [1, 3], [1, 3, 4], 3]\). Then L constructed as above is an MDS matrix with \(4\#A+3\#B=13\).

  2. (2)

    Let \(A=[4, 5, 6, 8, 3, [4, 7], 1, 2]\), \(B=A^{-2}=[[1, 6], 4, 2, 7, 8, 5, [3, 7], 1]\). Then L constructed as above is an MDS matrix with \(4\#A+3\#B=10\).

6 Conclusion

In the present paper, we mainly investigate the construction of \(4\times 4\) lightweight MDS matrices with entries in the set of \(m\times m\) non-singular matrices over \(\mathbb {F}_2\). With this method, circulant, Hadamard and involutory Hadamard MDS matrices with fewer XORs than previous constructions are given. Moreover, circulant involutory MDS matrices are also constructed with our method. Constructing lightweight MDS matrices of large order with the method of the present paper is an interesting problem need further study.