Cryptographically Significant MDS Matrices Over Finite Fields: A Brief Survey and Some Generalized Results

Advances in Mathematics of Communications, Volume 13, No. 4, 2019, 779–843. doi:10.3934/amc.2019045. © 2019 AIMS

CRYPTOGRAPHICALLY SIGNIFICANT MDS MATRICES OVER FINITE FIELDS: A BRIEF SURVEY AND SOME GENERALIZED RESULTS

Kishan Chand Gupta, Applied Statistics Unit, Indian Statistical Institute, 203, B.T. Road, Kolkata-700108, India
Sumit Kumar Pandey (corresponding author), Ashoka University, Sonepat, Haryana, India
Indranil Ghosh Ray, School of Engineering and Mathematical Sciences, City University London, London EC1V 0HB, United Kingdom
Susanta Samanta, Applied Statistics Unit, Indian Statistical Institute, 203, B.T. Road, Kolkata-700108, India

Abstract. A matrix is MDS or super-regular if and only if every square submatrix of it is nonsingular. MDS matrices provide perfect diffusion in block ciphers and hash functions. In this paper we provide a brief survey on cryptographically significant MDS matrices, the first such survey to the best of our knowledge. In addition to providing a summary of existing results, we make several contributions. We exhibit some deep and nontrivial interconnections between different constructions of MDS matrices. For example, we prove that all known Vandermonde constructions are basically equivalent to Cauchy constructions. We prove some folklore results which are used in the MDS matrix literature. Wherever possible, we provide some simpler alternative proofs. We do not discuss efficiency issues or hardware implementations; however, the theory accumulated and discussed here should provide an easy guide towards efficient implementations.

2010 Mathematics Subject Classification: Primary: 58F15, 58F17; Secondary: 53C35.
Key words and phrases: Diffusion, involutory matrix, MDS matrix, orthogonal matrix, branch number, Cauchy matrix, Vandermonde matrix.

1. Introduction

Claude Shannon, in his paper "Communication Theory of Secrecy Systems" [60], introduced the concepts of confusion and diffusion, which play key roles in the design of block ciphers and hash functions. The idea of confusion is to make the statistical relation between the ciphertext and the message too complex to be exploited by the attacker; it is achieved by nonlinear functions like S-boxes and Boolean functions. Diffusion ensures that each bit of the message and each bit of the secret key influence many bits of the ciphertext, and that after a few rounds all the output bits depend on all the input bits. One possibility for formalizing the notion of perfect diffusion is the concept of multipermutation, which was introduced in [59, 65]. Another way to define it is using branch numbers and Maximum Distance Separable (MDS) matrices [15]. In [30, 31, 32], Heys and Tavares showed that the replacement of the permutation layer of Substitution Permutation Networks (SPNs) with a diffusive linear transformation improves the avalanche characteristics of the block cipher, which increases the cipher's resistance to differential and linear cryptanalysis. Thus the main application of MDS matrices in cryptography is in designing block ciphers and hash functions that provide security against differential and linear cryptanalysis. MDS matrices offer diffusion properties and are one of the vital constituents of modern ciphers and hash functions. The idea of the MDS matrix comes from MDS codes, and in this survey we will discuss the construction of MDS matrices. A great deal of research on MDS matrices with cryptography in mind was done during the period 1994 to 1998. In 1994, Schnorr and Vaudenay [59] introduced multipermutations as a formalization of the diffusion layer.
In 1995, Vaudenay [65] showed the usefulness of multipermutations in the design of cryptographic primitives. During 1994 to 1996, Heys and Tavares [30, 31, 32] showed that the replacement of the permutation layer of Substitution Permutation Networks (SPNs) with a diffusive linear transformation improves the avalanche characteristics of the block cipher, which increases the cipher's resistance to differential and linear cryptanalysis. In 1996, Rijmen et al. were the first to use MDS matrices, in the cipher SHARK [50], and later, in 1997, Daemen et al. used MDS matrices in the cipher SQUARE [14]. Then in 1998, Daemen and Rijmen used a circulant MDS matrix in the cipher AES [15]. During the period 1998 to 1999, Schneier et al. used an MDS matrix in the block cipher Twofish [57, 58]. Now the usefulness of MDS matrices in the diffusion layer is well established. The stream cipher MUGI [66] uses the AES MDS matrix in its linear transformations. MDS matrices are also used in the design of hash functions. Hash functions like Whirlpool [5, 61], SPN-Hash [12], Maelstrom [16], Grøstl [17] and the PHOTON [19] family of lightweight hash functions use MDS matrices for their diffusion layers. In 2011 the authors of the hash function PHOTON [19] and the block cipher LED [20] used MDS matrices constructed from companion matrices, which opened a new area of research in the construction of MDS matrices for lightweight cryptography. We provide a brief sketch of the construction of cryptographically significant MDS matrices. There are two main approaches to constructing MDS matrices: nonrecursive and recursive. In recursive constructions, we generally start with a companion matrix A of order n, with a proper choice of coefficients of the characteristic polynomial such that A^n is an MDS matrix. Recursive constructions are very popular for lightweight applications. In nonrecursive constructions, the constructed matrices are themselves MDS.
Another way to classify the techniques used to find MDS matrices is based on whether the matrix is constructed directly or a search method is employed by enumerating some search space. Direct constructions use algebraic properties to find MDS matrices. In search methods, elements of the matrix are judiciously selected and the matrix is then checked for the MDS property. It may be noted that the problem of verifying whether a matrix is MDS or not is NP-complete. Hence, the search technique is useful only for finding MDS matrices of small orders. There are two main direct methods for constructing nonrecursive MDS matrices: one is from a Cauchy matrix and the other is from two Vandermonde matrices. These methods provide MDS matrices of any order, but these matrices are generally not efficient for implementation. So, we use the search method in nonrecursive constructions that output efficiently implementable MDS matrices. One popular technique for such constructions is to search for elements of a circulant matrix. AES [15] uses a circulant MDS matrix. There are several circulant-like matrices [24] and generalized circulant matrices [44] which are also used in such constructions. Toeplitz matrices and Hankel matrices are deeply interconnected with circulant matrices. Recently, Toeplitz matrices have been used to construct MDS matrices [55, 56]. As for circulant, circulant-like and generalized circulant MDS matrices, search methods are used to construct Toeplitz MDS matrices. As in nonrecursive constructions, there are several direct recursive constructions as well. However, as before, they are not so efficient for implementation, and search methods provide efficient MDS matrices of low order.
In the general context of implementation of block ciphers, we note that if an efficient MDS matrix M used in encryption happens to be involutory or orthogonal, then its inverse M^-1, applied for decryption, will also be efficient. So it is of special interest to find efficient MDS matrices which are also involutory or orthogonal.

Our contribution: We believe that this is the first survey on MDS matrices. While most of the results in this paper are already known, some results and insights are new. In Theorem 5.1 we provide a nontrivial and deep interconnection between all the known Cauchy based constructions and their corresponding Vandermonde based constructions. In [24], it was proved that Type-I circulant-like MDS matrices of even order cannot be involutory or orthogonal, but the case of odd order was not discussed. In Lemma 6.14 and Lemma 6.16 we prove that Type-I circulant-like MDS matrices of odd order are neither orthogonal nor involutory. In Lemma 1 of [44], the authors provided a necessary and sufficient condition for the equivalence between two circulant matrices. In Lemma 6.22 we provide a simpler alternative proof. In Remark 30 we point out the interconnection that a left-circulant matrix is nothing but a row-permuted circulant matrix. It may be noted here that a left-circulant matrix is symmetric while a circulant matrix is not. Using this interconnection, we propose an idea to find involutory left-circulant MDS matrices of order n, where n is not a power of 2. In [44] it was proved that left-circulant matrices of order 2^n are not involutory. In Theorem 6.19, we show that this result easily follows from the above interconnection and known results on circulant matrices. A similar connection shows up between Hankel and Toeplitz matrices. A Hankel matrix is a row-permuted form of a corresponding Toeplitz matrix. By itself, a Toeplitz matrix is not symmetric. However, the corresponding Hankel matrix is symmetric.
MDS matrices have been constructed from Toeplitz matrices in [55, 56]. In Section 7, we use the above interconnection to easily extend these constructions to MDS matrices from Hankel matrices. As in the case of circulant matrices, we use the above interconnection to prove Theorem 7.5, stating that a Hankel matrix of order 2^n is not involutory. We prove some folklore results which are often used in the literature, mostly without formal proofs. For example, in Corollary 2 and Corollary 3, we prove that if A is MDS, then A^T and A^-1 are also MDS. In Lemma 2.5 we show that if A is an MDS matrix over F_{2^r}, then A', obtained by multiplying a row (or column) of A with any c ∈ F_{2^r}^*, is MDS as well.
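As an added example (not code from the survey or its authors), the following Python applies the abstract's definition directly over the AES field GF(2^8): it checks every square submatrix for nonsingularity, verifies that the AES MixColumns circulant circ(02, 03, 01, 01) named in the introduction is MDS, builds a Cauchy matrix from constructed sample parameters and confirms it is MDS, and confirms that the transpose, the inverse and a nonzero-scaled row of an MDS matrix stay MDS (the folklore results of Corollary 2, Corollary 3 and Lemma 2.5 above) while a zero scaling destroys the property. The exhaustive submatrix test is the "check if the matrix is MDS" step of the search methods described above and is only practical for small orders. The field polynomial, the Cauchy parameters and all function names are my own choices, not the survey's.

```python
# Added example, not code from the survey: an MDS checker over GF(2^8), the
# AES field with reduction polynomial x^8 + x^4 + x^3 + x + 1 (0x11B), used to
# verify the AES MixColumns circulant, a Cauchy construction, and the
# transpose / inverse / row-scaling results quoted in the introduction.
from functools import reduce
from itertools import combinations
from operator import xor

POLY = 0x11B  # any irreducible degree-8 polynomial would serve equally well

def gf_mul(a, b):
    """Multiply in GF(2^8): shift-and-add, reducing modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r

def gf_inv(a):
    """Inverse by exponentiation: a^254 = a^-1 for nonzero a in GF(2^8)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base, e = gf_mul(base, base), e >> 1
    return r

def gf_det(m):
    """Determinant by Gaussian elimination; row swaps need no sign fix in char 2."""
    m, det = [row[:] for row in m], 1
    for c in range(len(m)):
        p = next((r for r in range(c, len(m)) if m[r][c]), None)
        if p is None:
            return 0
        m[c], m[p] = m[p], m[c]
        det, inv = gf_mul(det, m[c][c]), gf_inv(m[c][c])
        for r in range(c + 1, len(m)):
            f = gf_mul(m[r][c], inv)
            m[r] = [x ^ gf_mul(f, y) for x, y in zip(m[r], m[c])]
    return det

def is_mds(m):
    """MDS (super-regular): all sum_k C(n,k)^2 square submatrices are nonsingular."""
    n = len(m)
    return all(gf_det([[m[r][c] for c in cols] for r in rows]) != 0
               for k in range(1, n + 1)
               for rows in combinations(range(n), k)
               for cols in combinations(range(n), k))

def circulant(first_row):
    """Circulant matrix: row i is the first row rotated right by i positions."""
    n = len(first_row)
    return [[first_row[(j - i) % n] for j in range(n)] for i in range(n)]

def cauchy(xs, ys):
    """Cauchy matrix [1/(x_i + y_j)]: distinct x's, distinct y's, no x_i == y_j."""
    return [[gf_inv(x ^ y) for y in ys] for x in xs]

def transpose(m):
    return [list(col) for col in zip(*m)]

def matmul(a, b):
    """Matrix product over GF(2^8); addition of field elements is XOR."""
    bt = transpose(b)
    return [[reduce(xor, (gf_mul(x, y) for x, y in zip(row, col)), 0)
             for col in bt] for row in a]

def inverse(m):
    """Inverse by Gauss-Jordan elimination on the augmented matrix [M | I]."""
    n = len(m)
    a = [row + [int(i == j) for j in range(n)] for i, row in enumerate(m)]
    for c in range(n):
        p = next((r for r in range(c, n) if a[r][c]), None)
        if p is None:
            raise ValueError("matrix is singular")
        a[c], a[p] = a[p], a[c]
        inv = gf_inv(a[c][c])
        a[c] = [gf_mul(inv, x) for x in a[c]]
        for r in range(n):
            if r != c:
                f = a[r][c]
                a[r] = [x ^ gf_mul(f, y) for x, y in zip(a[r], a[c])]
    return [row[n:] for row in a]

def scale_row(m, i, c):
    """Row i multiplied by a constant c; c != 0 keeps MDS (Lemma 2.5 of the survey)."""
    return [[gf_mul(c, x) for x in row] if r == i else row[:] for r, row in enumerate(m)]

def is_involutory(m):
    """M is involutory iff M * M is the identity, so decryption can reuse M."""
    return matmul(m, m) == [[int(i == j) for j in range(len(m))] for i in range(len(m))]

# AES MixColumns circ(02, 03, 01, 01), and a Cauchy matrix from constructed
# sample parameters (two disjoint sets of distinct field elements).
AES_MIXCOLUMNS = circulant([0x02, 0x03, 0x01, 0x01])
CAUCHY_4 = cauchy([0x01, 0x02, 0x03, 0x04], [0x05, 0x06, 0x07, 0x08])
```

Running `is_mds(AES_MIXCOLUMNS)` returns True, while `is_involutory(AES_MIXCOLUMNS)` returns False and `inverse(AES_MIXCOLUMNS)` comes out as circ(0E, 0B, 0D, 09), the separate InvMixColumns matrix AES needs for decryption; that extra matrix is precisely the cost the involutory and orthogonal constructions surveyed here are meant to avoid. Because 4 x 4 has only 69 square submatrices the check is instant, but the count grows as the square of binomial coefficients, which is why the survey restricts search methods to small orders.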