
Advances in Mathematics of Communications, Volume 13, No. 4, 2019, 779-843. doi:10.3934/amc.2019045

CRYPTOGRAPHICALLY SIGNIFICANT MDS MATRICES OVER FINITE FIELDS: A BRIEF SURVEY AND SOME GENERALIZED RESULTS

Kishan Chand Gupta, Applied Statistics Unit, Indian Statistical Institute, 203, B.T. Road, Kolkata-700108, India
Sumit Kumar Pandey*, Ashoka University, Sonepat, Haryana, India
Indranil Ghosh Ray, School of Engineering and Mathematical Sciences, City University London, London EC1V 0HB, United Kingdom
Susanta Samanta, Applied Statistics Unit, Indian Statistical Institute, 203, B.T. Road, Kolkata-700108, India

Abstract. A matrix is MDS or super-regular if and only if every square submatrix of it is nonsingular. MDS matrices provide perfect diffusion in block ciphers and hash functions. In this paper we provide a brief survey on cryptographically significant MDS matrices - a first to the best of our knowledge. In addition to providing a summary of existing results, we make several contributions. We exhibit some deep and nontrivial interconnections between different constructions of MDS matrices. For example, we prove that all known Vandermonde constructions are basically equivalent to Cauchy constructions. We prove some folklore results which are used in the MDS matrix literature. Wherever possible, we provide some simpler alternative proofs. We do not discuss efficiency issues or hardware implementations; however, the theory accumulated and discussed here should provide an easy guide towards efficient implementations.

1. Introduction

Claude Shannon, in his paper "Communication Theory of Secrecy Systems" [60], introduced the concepts of confusion and diffusion, which play key roles in the design of block ciphers and hash functions. The idea of confusion is to make the statistical relation between the ciphertext and the message too complex to be exploited by the attacker, and it is achieved by nonlinear functions like S-boxes and Boolean functions.
Diffusion ensures that each bit of the message and each bit of the secret key influence many bits of the ciphertext, and that after a few rounds all the output bits depend on all the input bits. One possibility of formalizing the notion of perfect diffusion is the concept of multipermutation, which was introduced in [59, 65]. Another way to define it is using branch numbers and Maximum Distance Separable (MDS) matrices [15]. In [30, 31, 32], Heys and Tavares showed that the replacement of the permutation layer of Substitution Permutation Networks (SPNs) with a diffusive linear transformation improves the avalanche characteristics of the block cipher, which increases the cipher's resistance to differential and linear cryptanalysis. Thus the main application of MDS matrices in cryptography is in designing block ciphers and hash functions that provide security against differential and linear cryptanalysis. MDS matrices offer diffusion properties and are one of the vital constituents of modern-age ciphers and hash functions. The idea of an MDS matrix comes from MDS codes, and in this survey we will discuss the construction of MDS matrices.

2010 Mathematics Subject Classification: Primary: 58F15, 58F17; Secondary: 53C35.
Key words and phrases: Diffusion, involutory matrix, MDS matrix, orthogonal matrix, branch number, Cauchy matrix, Vandermonde matrix.
* Corresponding author: Sumit Kumar Pandey.
© 2019 AIMS

A great deal of research on MDS matrices with cryptography in mind was done during the period 1994 to 1998. In 1994, Schnorr and Vaudenay [59] introduced multipermutations as a formalization of the diffusion layer. In 1995, Vaudenay [65] showed the usefulness of multipermutations in the design of cryptographic primitives.
During 1994 to 1996, Heys and Tavares [30, 31, 32] showed that the replacement of the permutation layer of Substitution Permutation Networks (SPNs) with a diffusive linear transformation improves the avalanche characteristics of the block cipher, which increases the cipher's resistance to differential and linear cryptanalysis. In 1996, Rijmen et al. were the first to use MDS matrices, in the cipher SHARK [50], and later, in 1997, Daemen et al. used MDS matrices in the cipher SQUARE [14]. Then in 1998, Daemen and Rijmen used a circulant MDS matrix in the cipher AES [15]. During the period 1998 to 1999, Schneier et al. used an MDS matrix in the block cipher Twofish [57, 58]. Now the usefulness of MDS matrices in the diffusion layer is well established. The stream cipher MUGI [66] uses the AES MDS matrix in its linear transformations. MDS matrices are also used in the design of hash functions. Hash functions like Whirlpool [5, 61], SPN-Hash [12], Maelstrom [16], Grøstl [17] and the PHOTON [19] family of lightweight hash functions use MDS matrices for their diffusion layers. In 2011 the authors of the hash function PHOTON [19] and the block cipher LED [20] used MDS matrices constructed from companion matrices, which opened a new area of research in the construction of MDS matrices for lightweight cryptography.

We provide a brief sketch of the construction of cryptographically significant MDS matrices. There are two main approaches to constructing MDS matrices - nonrecursive and recursive. In recursive constructions, we generally start with a companion matrix A of order n, with a proper choice of the coefficients of its characteristic polynomial such that A^n is an MDS matrix. Recursive constructions are very popular for lightweight applications. In nonrecursive constructions, the constructed matrices are themselves MDS.
Another way to classify the techniques used to find MDS matrices is based on whether the matrix is constructed directly or a search method is employed by enumerating some search space. Direct constructions use algebraic properties to find MDS matrices, while in search methods the elements of the matrix are judiciously selected and it is checked whether the matrix is MDS or not. It may be noted that the problem of verifying whether a matrix is MDS or not is NP-complete. Hence, the search technique is useful only for finding MDS matrices of small orders. There are two main direct methods for constructing nonrecursive MDS matrices - one is from a Cauchy matrix and the other is from two Vandermonde matrices. These methods provide MDS matrices of any order, but these matrices are generally not efficient for implementation. So, we use the search method in nonrecursive constructions that output efficiently implementable MDS matrices. One popular technique for such constructions is to search for the elements of a circulant matrix. AES [15] uses a circulant MDS matrix. There are several circulant-like matrices [24] and generalized circulant matrices [44] which are also used in such constructions. Toeplitz matrices and Hankel matrices are deeply interconnected with circulant matrices. Recently, Toeplitz matrices have been used to construct MDS matrices [55, 56]. As for circulant, circulant-like and generalized circulant MDS matrices, search methods are used to construct Toeplitz MDS matrices. As in nonrecursive constructions, there are several direct recursive constructions as well. However, as before, they are not so efficient for implementation, and search methods provide efficient MDS matrices of low order.
In the general context of the implementation of block ciphers, we note that if an efficient MDS matrix M used in encryption happens to be involutory or orthogonal, then its inverse M^{-1}, applied for decryption, will also be efficient. So, it is of special interest to find efficient MDS matrices which are also involutory or orthogonal.

Our contribution: We believe that this is the first survey on MDS matrices. While most of the results in this paper are already known, some results and insights are new. In Theorem 5.1 we provide a nontrivial and deep interconnection between all the known Cauchy-based constructions and their corresponding Vandermonde-based constructions. In [24], it was proved that Type-I circulant-like MDS matrices of even order cannot be involutory or orthogonal, but the case of odd orders was not discussed. In Lemma 6.14 and Lemma 6.16 we prove that Type-I circulant-like MDS matrices of odd order are neither orthogonal nor involutory. In Lemma 1 of [44], the authors provided a necessary and sufficient condition for the equivalence of two circulant matrices. In Lemma 6.22 we provide a simpler alternative proof. In Remark 30 we point out the interconnection that a left-circulant matrix is nothing but a row-permuted circulant matrix. It may be noted here that a left-circulant matrix is symmetric while a circulant matrix is not. Using this interconnection, we propose an idea to find involutory left-circulant MDS matrices of order n, where n is not a power of 2. In [44] it was proved that left-circulant matrices of order 2^n are not involutory. In Theorem 6.19, we show that this result easily follows from the above interconnection and known results on circulant matrices. A similar connection shows up between Hankel and Toeplitz matrices. A Hankel matrix is a row-permuted form of a corresponding Toeplitz matrix. By itself, a Toeplitz matrix is not symmetric. However, the corresponding Hankel matrix is symmetric.
MDS matrices have been constructed from Toeplitz matrices in [55, 56]. In Section 7, we use the above interconnection to easily extend these constructions to MDS matrices from Hankel matrices. As in the case of circulant matrices, we use the above interconnection to prove Theorem 7.5, stating that a Hankel matrix of order 2^n is not involutory. We prove some folklore results which are often used in the literature, mostly without formal proofs. For example, in Corollary 2 and Corollary 3, we prove that if A is MDS, then A^T and A^{-1} are also MDS. In Lemma 2.5 we show that if A is an MDS matrix over F_{2^r}, then A', obtained by multiplying a row (or column) of A by any c in F_{2^r}^* (the nonzero elements), is MDS as well.
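As an added worked example, not taken from the paper: the super-regularity test from the abstract ("every square submatrix is nonsingular") and the closure properties stated in Corollary 2, Corollary 3 and Lemma 2.5 (transpose, inverse, and row scaling by a nonzero field element preserve the MDS property), checked in Python over F_{2^8} with the AES reduction polynomial x^8 + x^4 + x^3 + x + 1 on the AES MixColumns circulant matrix circ(2, 3, 1, 1) from [15]. The class and function names (GF2r, det, is_mds, inverse, circulant) are my own choices, and the test enumerates every minor, which is exactly the exponential cost that limits the search approach to small orders.

```python
from itertools import combinations


class GF2r:
    """Arithmetic in GF(2^r); elements are ints below 2^r, reduced by `poly`."""

    def __init__(self, r, poly):
        self.r = r
        self.poly = poly        # full reduction polynomial, e.g. 0x11B for AES
        self.size = 1 << r

    def mul(self, a, b):
        """Shift-and-add (carry-less) multiplication with reduction."""
        res = 0
        while b:
            if b & 1:
                res ^= a
            b >>= 1
            a <<= 1
            if a & self.size:
                a ^= self.poly
        return res

    def inv(self, a):
        """a^(2^r - 2) == a^(-1) for nonzero a (multiplicative group order 2^r - 1)."""
        if a == 0:
            raise ZeroDivisionError("0 has no inverse in GF(2^r)")
        res, e = 1, self.size - 2
        while e:
            if e & 1:
                res = self.mul(res, a)
            a = self.mul(a, a)
            e >>= 1
        return res


def det(M, F):
    """Determinant over GF(2^r) by Gaussian elimination.
    Row swaps would flip the sign, but -1 == 1 in characteristic 2."""
    A = [row[:] for row in M]
    n = len(A)
    d = 1
    for c in range(n):
        p = next((i for i in range(c, n) if A[i][c]), None)
        if p is None:
            return 0                      # zero column below the diagonal: singular
        A[c], A[p] = A[p], A[c]
        d = F.mul(d, A[c][c])
        pinv = F.inv(A[c][c])
        for i in range(c + 1, n):
            if A[i][c]:
                f = F.mul(A[i][c], pinv)
                A[i] = [x ^ F.mul(f, y) for x, y in zip(A[i], A[c])]
    return d


def is_mds(M, F):
    """Super-regular test: every k x k submatrix, for every k, is nonsingular.
    The k = 1 case already rejects any matrix with a zero entry."""
    n = len(M)
    for k in range(1, n + 1):
        for rows in combinations(range(n), k):
            for cols in combinations(range(n), k):
                sub = [[M[i][j] for j in cols] for i in rows]
                if det(sub, F) == 0:
                    return False
    return True


def inverse(M, F):
    """Gauss-Jordan inverse over GF(2^r) on the augmented matrix [M | I]."""
    n = len(M)
    A = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        p = next((i for i in range(c, n) if A[i][c]), None)
        if p is None:
            raise ValueError("matrix is singular")
        A[c], A[p] = A[p], A[c]
        pinv = F.inv(A[c][c])
        A[c] = [F.mul(pinv, x) for x in A[c]]          # normalise pivot to 1
        for i in range(n):
            if i != c and A[i][c]:
                f = A[i][c]
                A[i] = [x ^ F.mul(f, y) for x, y in zip(A[i], A[c])]
    return [row[n:] for row in A]


def circulant(first_row):
    """Circulant matrix: each row is the previous one rotated right by one."""
    n = len(first_row)
    return [first_row[-i:] + first_row[:-i] for i in range(n)]


if __name__ == "__main__":
    F = GF2r(8, 0x11B)                                  # AES field
    aes = circulant([2, 3, 1, 1])                        # AES MixColumns matrix
    print("AES MixColumns is MDS:", is_mds(aes, F))
    print("its inverse:", inverse(aes, F))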