
Discrete Applied Mathematics

Volume 304, 15 December 2021, Pages 384-396

Recursive MDS matrices over finite commutative rings

https://doi.org/10.1016/j.dam.2021.08.016

Abstract

Recursive MDS matrices are used for the design of linear diffusion layers in lightweight cryptographic applications. Most of the works on the construction of recursive MDS matrices either consider matrices over finite fields or block matrices over GL(m,F2). In the first case, there have been works on the direct construction of recursive MDS matrices. The latter case is hard to deal with because of its non-commutative nature. There has not been any serious attempt to look for recursive MDS matrices over finite commutative rings, in particular over local rings of even characteristic. In this work, we present several methods for the construction of recursive MDS companion matrices over finite commutative rings. The main tools are the simple expressions for the determinant of (generalized) Vandermonde and linearized matrices. We show that the determinant of a linearized matrix over a finite commutative ring of prime characteristic can be expressed in a simple form. We discuss a technique called subring construction with which MDS matrices over product rings can be constructed using MDS matrices over subrings. We give a few examples of recursive MDS companion matrices over local rings of even characteristic. We also discuss some results on the nonexistence of recursive MDS matrices over certain rings for some parameter choices.

Introduction

A linear diffusion layer is an essential component of many block ciphers and hash functions; its primary role is to provide resistance against linear and differential attacks. One way to achieve this is to model the linear diffusion layer as a matrix with the property that a small change in the input causes a maximal change in the output. This can be achieved by using MDS matrices. For example, a circulant MDS matrix is used in the MixColumns operation of the Advanced Encryption Standard (AES) [8] block cipher.

The aim of lightweight cryptography is to build ciphers that have a small footprint in hardware, low energy consumption, low power requirements, low latency and high throughput. To reduce the chip area, recursive MDS matrices have been proposed, which can be implemented in a serialized manner (see Definition 1).

Definition 1

Let r be a positive integer. A matrix L is said to be recursive MDS or r-MDS if the matrix L^r is MDS. If L is r-MDS then we say L yields an MDS matrix.

The matrix L^r can be implemented by recursively executing the implementation of L, requiring r clock cycles. Such matrices based on companion matrices were first used in the PHOTON [13] family of hash functions because they can be implemented by a simple LFSR. If L is a companion matrix (see Definition 5) and r-MDS, then we call L an r-MDS companion matrix. The main advantage of an r-MDS companion matrix is that only its last row accounts for its hardware implementation, hence these are more suitable for lightweight applications. Later, Generalized-Feistel-Structure (GFS) [31] and Sparse Diagonal-Serial-Invertible (SpDSI) [30] matrices were proposed. Over time, there have been many works on the construction of recursive MDS matrices. Most of them employ three different approaches or a combination of them.

Symbolic computation: Some early studies of MDS matrices choose the matrix entries from F_2[X], symbolically compute the determinants of all square submatrices, and then replace X with a suitable field element α ∈ F_{2^m} or a linear transformation such that the resulting matrix becomes MDS. For instance, see [1], [27], [31].

Ad-hoc search: In the search for efficiently implementable MDS matrices, some works focus on matrices whose entries can be implemented with fewer XOR gates. In [4], [12], symbolic computation and ad-hoc search ideas are combined to find lightweight MDS matrices. In [22], [31], the authors obtained some lightweight recursive MDS matrices by increasing the number of iterations; however, these matrices are not useful for low-latency purposes. For some small parameter values, an exhaustive search for various types of (recursive) MDS matrices was considered in [18]. Some recent works on the general construction of efficient MDS matrices appear in [25], [28]. We refer to [14] for a survey on the construction of various types of cryptographically significant MDS matrices.

Direct construction: Coding-theoretic techniques are used to directly construct recursive MDS matrices. In [2] Augot et al. used shortened BCH codes, and in [5] Berger used Gabidulin codes. Then, in a series of works [15], [16], [17], the authors presented several methods for the construction of r-MDS companion matrices over finite fields. All these direct constructions are restricted to finite fields. The idea of constructing MDS matrices over finite commutative rings is not fully explored yet, although numerous advances have already been made in defining MDS diffusion matrices over Galois rings [29], modules [9] and the matrix polynomial ring [32].

In this paper, we propose several methods for the direct construction of recursive MDS matrices defined over finite commutative rings. First, we give a condition for the similarity of a companion matrix to a diagonal matrix. In that case, the companion matrix is expressible in terms of the diagonal matrix and a Vandermonde matrix. Then, using the known determinant expressions for Vandermonde and linearized matrices, we propose different methods for the direct construction of r-MDS companion matrices in Section 4. These results can be viewed as a generalization of the results in [16] and [17], where the underlying algebraic structure was a finite field. The determinant expression of a linearized matrix over a finite field is well known [23, Lemma 3.51]. In Section 3, we derive an analogous result for the case of a commutative ring of prime characteristic.

In Section 5, we propose a technique called subring construction with which we can construct MDS matrices over product rings using MDS matrices over subrings and vice versa. This can be viewed as a generalization of the technique known as subfield construction (see [19]).

In Section 6, we give a few examples of r-MDS companion matrices over finite commutative rings, in particular over quotient rings and Galois rings. We also establish some results on the non-existence of MDS matrices over certain rings, assuming that the MDS conjecture is true. The direct methods do not guarantee lightweight recursive MDS matrices; however, by heuristic search, we found a 4-MDS companion matrix of order 4 over a quotient ring (see Example 2) that has low hardware cost.

Finally, we conclude this paper in Section 7.


Codes over finite commutative rings

In this section, we present some basic results on codes over finite commutative rings. Let R be a finite commutative ring with identity and U(R) be the set of unit elements in R. Let the number of elements in R be |R| = q. Let R[X] be the ring of polynomials over R in the indeterminate X. A matrix M ∈ M(n,R) is nonsingular if and only if the determinant of M is an element of U(R), and let GL(n,R) be the set of all n×n nonsingular matrices over R. Throughout this paper, we shall mean R a finite

Vandermonde & linearized determinants

In this section, we discuss some useful determinant expressions of special matrices, namely, Vandermonde, generalized Vandermonde and linearized matrices over R.

Definition 6

Let h = (h_0, h_1, …, h_{n−1}) be an n-tuple over R. Then the Vandermonde matrix V(h) corresponding to h is given by V(h) = [h_j^i]_{i,j=0}^{n−1}, and its determinant can be expressed as follows: det(V(h)) = ∏_{0 ≤ i < j ≤ n−1} (h_j − h_i).

Definition 7

Let h = (h_0, h_1, …, h_{n−1}) be an n-tuple over R. Let Z = {r_1, r_2, …, r_n} be an increasing sequence of non-negative integers. Then the generalized

r-MDS companion matrices

In this section, we discuss some methods for the direct construction of r-MDS companion matrices over R. For this purpose we consider companion matrices which are diagonalizable and satisfy certain conditions. The methods use ideas similar to those in [16], [17]. Let M ∈ M(n,R) be a matrix with characteristic polynomial det(X I_n − M) = f(X). In the following theorem we give a condition on the matrix M for it to be similar to a companion matrix.

Theorem 4

See [26, Theorems 1 & 2]

Let M ∈ M(n,R) and det(X I_n − M) = f(X). Then the matrix M is similar to

Subring construction

In this section we present a technique for constructing MDS matrices over product rings using MDS matrices over subrings. First, let us recall the direct product of two rings, whose elements are written as tuples. Let R_1 and R_2 be two finite commutative rings with identity. The direct product of the rings R_1 and R_2 is defined as R = R_1 × R_2. It is easy to see that R is also a finite commutative ring under component-wise addition and multiplication, with identity element 1 = (1_{R_1}, 1_{R_2}). An element u

Non-existence results and some examples

In this section, we discuss MDS matrices over some rings of practical interest, such as quotient rings and Galois rings (see [12, Section 6.3] and [29]). We first consider a quotient ring of the form R = F_2[X]/(m(X)) for some polynomial m(X) = p_1^{t_1}(X) p_2^{t_2}(X) ⋯ p_k^{t_k}(X), where t_i ∈ ℕ and p_i(X) ∈ F_2[X] is a monic irreducible polynomial of degree s_i > 0, 1 ≤ i ≤ k. The ring F_2[X]/(p_1^{t_1}(X) p_2^{t_2}(X) ⋯ p_k^{t_k}(X)) is isomorphic to the direct product of the local rings F_2[X]/(p_i^{t_i}(X)), with maximal ideal J_i = (p_i(X))/(p_i^{t_i}(X))
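The following Python script is an added example; it is not code from the paper and not the authors' tooling. It implements just enough ring and matrix arithmetic to check the objects discussed above on tiny rings of characteristic 2: Definition 1 (a companion matrix L is r-MDS when L^r is MDS), Definition 6 (the Vandermonde matrix and its product formula), the component-wise direct product R_1 × R_2 of the subring construction, and the non-existence of MDS matrices over a local ring whose residue field is F_2. The rings used are the field F_2[X]/(X^4+X+1), the local ring F_2[X]/(X^3) and their product. The companion coefficients (4, 1, 2, 2) over F_2[X]/(X^4+X+1) are the serial matrix of the LED block cipher, an external example not cited on this page; all class and function names are my own.

```python
# Added example, not code from the paper: toy arithmetic for checking MDS and
# r-MDS matrices (Definition 1), the Vandermonde determinant (Definition 6)
# and the product-ring behaviour behind the subring construction, over small
# finite commutative rings of characteristic 2. Units are found by brute force.
from functools import reduce
from itertools import combinations, product

class QuotientRing:
    """R = F_2[X]/(m(X)); an element is an int whose bits are its coefficients."""
    def __init__(self, modulus):              # e.g. 0b10011 encodes X^4 + X + 1
        self.m, self.deg = modulus, modulus.bit_length() - 1
        self.elements, self.zero, self.one = range(1 << self.deg), 0, 1
        self.units = {a for a in self.elements
                      if any(self.mul(a, b) == 1 for b in self.elements)}
    def add(self, a, b):
        return a ^ b                          # characteristic 2: subtraction == addition
    def mul(self, a, b):
        r = 0
        while b:
            if b & 1:
                r ^= a
            b, a = b >> 1, a << 1
            if a >> self.deg:                 # degree reached deg(m): reduce modulo m(X)
                a ^= self.m
        return r

class ProductRing:
    """R1 x R2 with component-wise operations; elements are pairs (Section 5 setting)."""
    def __init__(self, r1, r2):
        self.r1, self.r2 = r1, r2
        self.zero, self.one = (r1.zero, r2.zero), (r1.one, r2.one)
        self.units = set(product(r1.units, r2.units))   # a pair is a unit iff both parts are
    def add(self, a, b):
        return (self.r1.add(a[0], b[0]), self.r2.add(a[1], b[1]))
    def mul(self, a, b):
        return (self.r1.mul(a[0], b[0]), self.r2.mul(a[1], b[1]))

def det(R, M):
    """Laplace expansion along the first row: division-free, so valid over any
    commutative ring; cofactor signs are dropped because every ring here has char 2."""
    if len(M) == 1:
        return M[0][0]
    return reduce(R.add, (R.mul(a, det(R, [row[:j] + row[j + 1:] for row in M[1:]]))
                          for j, a in enumerate(M[0])), R.zero)

def is_mds(R, M):
    """Over a ring, MDS means every square submatrix has its determinant in U(R);
    nonzero is not enough unless R is a field."""
    n = len(M)
    return all(det(R, [[M[i][j] for j in cols] for i in rows]) in R.units
               for k in range(1, n + 1)
               for rows in combinations(range(n), k)
               for cols in combinations(range(n), k))

def matpow(R, A, r):
    n = len(A)
    P = [[R.one if i == j else R.zero for j in range(n)] for i in range(n)]
    for _ in range(r):
        P = [[reduce(R.add, (R.mul(P[i][k], A[k][j]) for k in range(n)), R.zero)
              for j in range(n)] for i in range(n)]
    return P

def companion(R, c):
    """Companion matrix: shifted identity rows, coefficient vector c as the last row."""
    n = len(c)
    return [[R.one if j == i + 1 else R.zero for j in range(n)]
            for i in range(n - 1)] + [list(c)]

def is_r_mds(R, L, r):
    return is_mds(R, matpow(R, L, r))         # Definition 1: L is r-MDS iff L^r is MDS

def vandermonde(R, h):
    """Definition 6: V(h) = [h_j^i], row i holding the i-th powers of h."""
    n = len(h)
    return [[reduce(R.mul, [h[j]] * i, R.one) for j in range(n)] for i in range(n)]

def vandermonde_product(R, h):
    """Closed form of Definition 6: prod_{i<j} (h_j - h_i)."""
    pairs = combinations(range(len(h)), 2)
    return reduce(R.mul, (R.add(h[j], h[i]) for i, j in pairs), R.one)

def pair_up(A, B):                            # entry-wise pairing of matrices over R1 and R2
    return [[(a, b) for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]

def exists_mds_2x2(R):                        # brute-force search over a small ring
    return any(is_mds(R, [[a, b], [c, d]]) for a, b, c, d in product(R.elements, repeat=4))

if __name__ == "__main__":
    F16 = QuotientRing(0b10011)               # F_2[X]/(X^4+X+1), the field F_{2^4}
    L = companion(F16, [4, 1, 2, 2])          # LED's serial matrix; external example, not from the paper
    print([r for r in range(1, 5) if is_r_mds(F16, L, r)])               # [4]
    h = [1, 2, 4, 8]
    print(det(F16, vandermonde(F16, h)) == vandermonde_product(F16, h))  # True
    S = QuotientRing(0b1000)                  # F_2[X]/(X^3): local ring, units {1, 3, 5, 7}
    print(det(S, vandermonde(S, [1, 3])))     # 2, i.e. X: distinct entries, yet V(h) is singular
    print(exists_mds_2x2(S))                  # False: the residue field F_2 admits none
    A, B = [[1, 2], [2, 1]], [[1, 1], [1, 3]]
    print(is_mds(F16, A), is_mds(S, B), is_mds(ProductRing(F16, S), pair_up(A, B)))  # True False False
```

Two points the run makes concrete. First, the MDS test over a ring compares each minor against U(R), not against zero: over F_2[X]/(X^3) the tuple (1, 3) has distinct entries, yet det V(h) = h_1 − h_0 = X lies in the maximal ideal, so V(h) is singular. Second, because a pair is a unit in R_1 × R_2 exactly when both components are units, a matrix over the product ring is MDS exactly when both projections are MDS; since no 2×2 matrix over F_2[X]/(X^3) is MDS (reducing modulo the maximal ideal would give a 2×2 MDS matrix over F_2, which does not exist), none exists over any product having that ring as a factor either.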

Conclusion

In this paper, we have discussed several methods for the direct construction of r-MDS companion matrices. With our methods, it is possible to construct MDS matrices for large parameter choices. It is well known that the determinant of a linearized matrix over a finite field has a simple expression. We have shown that the determinant of a linearized matrix over a commutative ring of prime characteristic can be expressed similarly. We have also shown some results on the non-existence of

References (32)

  • Dong, Xue-Dong et al., Matrix characterization of MDS linear codes over modules, Linear Algebra Appl. (1998)
  • Prokip, Volodymyr, On similarity of matrices over commutative rings, Linear Algebra Appl. (2005)
  • Augot, Daniel et al., Exhaustive search for small dimension recursive MDS diffusion layers for block ciphers and hash functions
  • Augot, Daniel et al., Direct construction of recursive MDS diffusion layers using shortened BCH codes
  • Ball, Simeon, MDS codes (2013)
  • Beierle, Christof et al., Lightweight multiplication in GF(2^n) with applications to MDS matrices
  • Berger, Thierry P., Construction of recursive MDS diffusion layers from Gabidulin codes
  • Bini, Gilberto et al.
  • Choy, Jiali et al., SPN-hash: Improving the provable resistance against differential collision attacks
  • Daemen, Joan et al.
  • Dougherty, Steven T., Algebraic Coding Theory over Finite Commutative Rings (2017)
  • Dougherty, Steven T. et al., Independence of vectors in codes over rings, Des. Codes Cryptogr. (2009)
  • Duval, Sébastien et al., MDS matrices with lightweight circuits, IACR Trans. Symmetric Cryptol. (2018)
  • Guo, Jian et al., The PHOTON family of lightweight hash functions
  • Gupta, Kishan Chand et al., Cryptographically significant MDS matrices over finite fields: A brief survey and some generalized results, Adv. Math. Commun. (2019)
  • Gupta, Kishan Chand et al., On the direct construction of recursive MDS matrices, Des. Codes Cryptogr. (2017)