Stanislav S. Malakhov

DOI: https://doi.org/10.1007/s12095-024-00746-7

2024-10-03

Cryptography and Communications

Abstract:MDS matrices are used in symmetric cryptography to hinder differential and linear cryptanalysis. This article proposes and examines a new deterministic method that accelerates circulant matrix MDS testing and the search for circulant MDS matrices. The method is to ascertain the MDS property via computing the determinants of only those submatrices that lie in a suitable subset of square submatrices constructed in advance. It is shown that for circulant matrices, this new method reduces thirteenfold the MDS confirmation time and searches for MDS matrices 8 times faster compared to the general method employing all square submatrices. The article also proves that the constructed set can be arranged in a manner that comprises all the submatrices needed for the Laplace expansion of the determinant of any submatrix within the subset. Experiments show that the Laplace expansion allows a further two to seven times speed-up of the MDS testing. Via proposed techniques, several circulant MDS matrices were found including matrices over and matrices over and with many multiplicative identity element entries, a few different elements of the low Hamming weight and efficient inverses. Besides that, empirical probability mass functions were found for the random variables representing the least dimension of singular submatrices of circulant matrices of two chosen forms over .

computer science, theory & methods,mathematics, applied

Susanta Samanta

2024-10-01

Abstract:The optimal branch number of MDS matrices has established their importance in designing diffusion layers for various block ciphers and hash functions. As a result, numerous matrix structures, including Hadamard and circulant matrices, have been proposed for constructing MDS matrices. Also, in the literature, significant attention is typically given to identifying MDS candidates with optimal implementations or proposing new constructions across different orders. However, this paper takes a different approach by not emphasizing efficiency issues or introducing new constructions. Instead, its primary objective is to enumerate Hadamard MDS and involutory Hadamard MDS matrices of order $4$ within the field $\mathbb{F}_{2^r}$. Specifically, it provides an explicit formula for the count of both Hadamard MDS and involutory Hadamard MDS matrices of order $4$ over $\mathbb{F}_{2^r}$. Additionally, it derives the count of Hadamard Near-MDS (NMDS) and involutory Hadamard NMDS matrices, each with exactly one zero in each row, of order $4$ over $\mathbb{F}_{2^r}$. Furthermore, the paper discusses some circulant-like matrices for constructing NMDS matrices and proves that when $n$ is even, any $2n \times 2n$ Type-II circulant-like matrix can never be an NMDS matrix. While it is known that NMDS matrices may be singular, this paper establishes that singular Hadamard matrices can never be NMDS matrices. Moreover, it proves that there exist exactly two orthogonal Type-I circulant-like matrices of order $4$ over $\mathbb{F}_{2^r}$.

Cryptography and Security,Information Theory

Yogesh Kumar,P.R.Mishra,Susanta Samanta,Atul Gaur

DOI: https://doi.org/10.1007/s12190-024-02142-z

2024-06-17

Abstract:Maximum distance separable (MDS) matrices play a crucial role not only in coding theory but also in the design of block ciphers and hash functions. Of particular interest are involutory MDS matrices, which facilitate the use of a single circuit for both encryption and decryption in hardware implementations. In this article, we present several characterizations of involutory MDS matrices of even order. Additionally, we introduce a new matrix form for obtaining all involutory MDS matrices of even order and compare it with other matrix forms available in the literature. We then propose a technique to systematically construct all $4 \times 4$ involutory MDS matrices over a finite field $\mathbb{F}_{2^m}$. This method significantly reduces the search space by focusing on involutory MDS class representative matrices, leading to the generation of all such matrices within a substantially smaller set compared to considering all $4 \times 4$ involutory matrices. Specifically, our approach involves searching for these representative matrices within a set of cardinality $(2^m-1)^5$. Through this method, we provide an explicit enumeration of the total number of $4 \times 4$ involutory MDS matrices over $\mathbb{F}_{2^m}$ for $m=3,4,\ldots,8$.

Cryptography and Security

Tapas Chatterjee,Ayantika Laha

2024-06-23

Abstract:In $2014$, Gupta and Ray proved that the circulant involutory matrices over the finite field $\mathbb{F}_{2^m}$ can not be maximum distance separable (MDS). This non-existence also extends to circulant orthogonal matrices of order $2^d \times 2^d$ over finite fields of characteristic $2$. These findings inspired many authors to generalize the circulant property for constructing lightweight MDS matrices with practical applications in mind. Recently, in $2022,$ Chatterjee and Laha initiated a study of circulant matrices by considering semi-involutory and semi-orthogonal properties. Expanding on their work, this article delves into circulant matrices possessing these characteristics over the finite field $\mathbb{F}_{2^m}.$ Notably, we establish a correlation between the trace of associated diagonal matrices and the MDS property of the matrix. We prove that this correlation holds true for even order semi-orthogonal matrices and semi-involutory matrices of all orders. Additionally, we provide examples that for circulant, semi-orthogonal matrices of odd orders over a finite field with characteristic $2$, the trace of associated diagonal matrices may possess non-zero values.

Cryptography and Security

Yogesh Kumar,P.R.Mishra,Susanta Samanta,Kishan Chand Gupta,Atul Gaur

DOI: https://doi.org/10.3934/amc.2024033

2024-08-13

Abstract:In this paper, we propose two algorithms for a hybrid construction of all $n\times n$ MDS and involutory MDS matrices over a finite field $\mathbb{F}_{p^m}$, respectively. The proposed algorithms effectively narrow down the search space to identify $(n-1) \times (n-1)$ MDS matrices, facilitating the generation of all $n \times n$ MDS and involutory MDS matrices over $\mathbb{F}_{p^m}$. To the best of our knowledge, existing literature lacks methods for generating all $n\times n$ MDS and involutory MDS matrices over $\mathbb{F}_{p^m}$. In our approach, we introduce a representative matrix form for generating all $n\times n$ MDS and involutory MDS matrices over $\mathbb{F}_{p^m}$. The determination of these representative MDS matrices involves searching through all $(n-1)\times (n-1)$ MDS matrices over $\mathbb{F}_{p^m}$. Our contributions extend to proving that the count of all $3\times 3$ MDS matrices over $\mathbb{F}_{2^m}$ is precisely $(2^m-1)^5(2^m-2)(2^m-3)(2^{2m}-9\cdot 2^m+21)$. Furthermore, we explicitly provide the count of all $4\times 4$ MDS and involutory MDS matrices over $\mathbb{F}_{2^m}$ for $m=2, 3, 4$.

Cryptography and Security

Yogesh Kumar,P. R. Mishra,Susanta Samanta,Atul Gaur

DOI: https://doi.org/10.1007/s12190-024-02142-z

2024-06-16

Journal of Applied Mathematics and Computing

Abstract:Maximum distance separable (MDS) matrices play a crucial role not only in coding theory but also in the design of block ciphers and hash functions. Of particular interest are involutory MDS matrices, which facilitate the use of a single circuit for both encryption and decryption in hardware implementations. In this article, we present several characterizations of involutory MDS matrices of even order. Additionally, we introduce a new matrix form for obtaining all involutory MDS matrices of even order and compare it with other matrix forms available in the literature. We then propose a technique to systematically construct all involutory MDS matrices over a finite field . This method significantly reduces the search space by focusing on involutory MDS class representative matrices, leading to the generation of all such matrices within a substantially smaller set compared to considering all involutory matrices. Specifically, our approach involves searching for these representative matrices within a set of cardinality . Through this method, we provide an explicit enumeration of the total number of involutory MDS matrices over for .

mathematics, applied

Hong Xu,Lin Tan,Xuejia Lai

DOI: https://doi.org/10.1007/978-3-319-06320-1_40

2014-01-01

Abstract:Maximum distance separable (MDS) matrices are widely used in the diffusion layers of block ciphers and hash functions. Recently, Guo, Sajadieh and Wu et al. proposed to use recursive methods to construct MDS matrices from linear feedback shift registers, and Wu et al. presented some very compact MDS matrices constructed from cascade of several linear feedback shift registers. However, some of the MDS matrices constructed by them do not have simple inverses. In this paper, we further present some compact MDS matrices which have simple inverses. The cost is almost the same as Wu et al.'s, and the inverses are also MDS matrices and can be efficiently implemented as themselves.

Kishan Chand Gupta,Sumit Kumar Pandey,Susanta Samanta

DOI: https://doi.org/10.1007/s12095-023-00667-x

2023-07-28

Abstract:The optimal branch number of MDS matrices makes them a preferred choice for designing diffusion layers in many block ciphers and hash functions. However, in lightweight cryptography, Near-MDS (NMDS) matrices with sub-optimal branch numbers offer a better balance between security and efficiency as a diffusion layer, compared to MDS matrices. In this paper, we study NMDS matrices, exploring their construction in both recursive and nonrecursive settings. We provide several theoretical results and explore the hardware efficiency of the construction of NMDS matrices. Additionally, we make comparisons between the results of NMDS and MDS matrices whenever possible. For the recursive approach, we study the DLS matrices and provide some theoretical results on their use. Some of the results are used to restrict the search space of the DLS matrices. We also show that over a field of characteristic 2, any sparse matrix of order $n\geq 4$ with fixed XOR value of 1 cannot be an NMDS when raised to a power of $k\leq n$. Following that, we use the generalized DLS (GDLS) matrices to provide some lightweight recursive NMDS matrices of several orders that perform better than the existing matrices in terms of hardware cost or the number of iterations. For the nonrecursive construction of NMDS matrices, we study various structures, such as circulant and left-circulant matrices, and their generalizations: Toeplitz and Hankel matrices. In addition, we prove that Toeplitz matrices of order $n>4$ cannot be simultaneously NMDS and involutory over a field of characteristic 2. Finally, we use GDLS matrices to provide some lightweight NMDS matrices that can be computed in one clock cycle. The proposed nonrecursive NMDS matrices of orders 4, 5, 6, 7, and 8 can be implemented with 24, 50, 65, 96, and 108 XORs over $\mathbb{F}_{2^4}$, respectively.

Cryptography and Security

Tapas Chatterjee,Ayantika Laha

2024-06-22

Abstract:Circulant Maximum Distance Separable (MDS) matrices have gained significant importance due to their applications in the diffusion layer of the AES block cipher. In $2013$, Gupta and Ray established that circulant involutory matrices of order greater than $3$ cannot be MDS. This finding prompted a generalization of circulant matrices and the involutory property of matrices by various authors. In $2016$, Liu and Sim introduced cyclic matrices by changing the permutation of circulant matrices. In $1961,$ Friedman introduced $g$-circulant matrices which form a subclass of cyclic matrices. In this article, we first discuss $g$-circulant matrices with involutory and MDS properties. We prove that $g$-circulant involutory matrices of order $k \times k$ cannot be MDS unless $g \equiv -1 \pmod k.$ Next, we delve into $g$-circulant semi-involutory and semi-orthogonal matrices with entries from finite fields. We establish that the $k$-th power of the associated diagonal matrices of a $g$-circulant semi-orthogonal (semi-involutory) matrix of order $k \times k$ results in a scalar matrix. These findings can be viewed as an extension of the results concerning circulant matrices established by Chatterjee {\it{et al.}} in $2022.$

Cryptography and Security

Yu Tian,Xiutao Feng,Guangrong Li

2024-09-05

Abstract:In recent years, the Substitution-Permutation Network has emerged as a crucial structure for constructing symmetric key ciphers. Composed primarily of linear matrices and nonlinear S-boxes, it offers a robust foundation for cryptographic security. Among the various metrics used to assess the cryptographic properties of linear matrices, the branch number stands out as a particularly important index. Matrices with an optimal branch number are referred to as MDS matrices and are highly prized in the field of cryptography. In this paper we delve into the construction of lightweight MDS matrices. We commence implementation trees of MDS matrices, which is a vital tool for understanding and manipulating their implementations, and then present an algorithm that efficiently enumerates all the lightest MDS matrices based on the word representation. As results, we obtain a series of ultra-lightweight $4\times 4$ MDS matrices, remarkably, 4-bit input MDS matrices with 35 XOR operations and 8-bit input ones with 67 XOR operations . These matrices represent the most comprehensive lightweight MDS matrices available to date. Furthermore, we craft some involution $4\times 4$ MDS matrices with a mere 68 XOR <a class="link-external link-http" href="http://gates.To" rel="external noopener nofollow">this http URL</a> our best knowledge, they are the best up to date. In the realm of higher-order MDS matrices, we have successfully constructed $5\times 5$ and $6\times 6$ matrices with 114 and 148 XOR gates respectively. These findings outperform the current state-of-the-art.

Cryptography and Security

Kishan Chand Gupta,Sumit Kumar Pandey,Susanta Samanta

2024-04-08

Abstract:The optimal branch number of MDS matrices makes them a preferred choice for designing diffusion layers in many block ciphers and hash functions. Consequently, various methods have been proposed for designing MDS matrices, including search and direct methods. While exhaustive search is suitable for small order MDS matrices, direct constructions are preferred for larger orders due to the vast search space involved. In the literature, there has been extensive research on the direct construction of MDS matrices using both recursive and nonrecursive methods. On the other hand, in lightweight cryptography, Near-MDS (NMDS) matrices with sub-optimal branch numbers offer a better balance between security and efficiency as a diffusion layer compared to MDS matrices. However, no direct construction method is available in the literature for constructing recursive NMDS matrices. This paper introduces some direct constructions of NMDS matrices in both nonrecursive and recursive settings. Additionally, it presents some direct constructions of nonrecursive MDS matrices from the generalized Vandermonde matrices. We propose a method for constructing involutory MDS and NMDS matrices using generalized Vandermonde matrices. Furthermore, we prove some folklore results that are used in the literature related to the NMDS code.

Information Theory,Cryptography and Security

Daniel Augot,Matthieu Finiasz

DOI: https://doi.org/10.48550/arXiv.1412.4626

2014-12-15

Abstract:MDS matrices allow to build optimal linear diffusion layers in block ciphers. However, MDS matrices cannot be sparse and usually have a large description, inducing costly software/hardware implementations. Recursive MDS matrices allow to solve this problem by focusing on MDS matrices that can be computed as a power of a simple companion matrix, thus having a compact description suitable even for constrained environ- ments. However, up to now, finding recursive MDS matrices required to perform an exhaustive search on families of companion matrices, thus limiting the size of MDS matrices one could look for. In this article we propose a new direct construction based on shortened BCH codes, al- lowing to efficiently construct such matrices for whatever parameters. Unfortunately, not all recursive MDS matrices can be obtained from BCH codes, and our algorithm is not always guaranteed to find the best matrices for a given set of parameters.

Cryptography and Security,Information Theory

Tapas Chatterjee,Ayantika Laha

2024-06-19

Abstract:In symmetric cryptography, maximum distance separable (MDS) matrices with computationally simple inverses have wide applications. Many block ciphers like AES, SQUARE, SHARK, and hash functions like PHOTON use an MDS matrix in the diffusion layer. In this article, we first characterize all $3 \times 3$ irreducible semi-involutory matrices over the finite field of characteristic $2$. Using this matrix characterization, we provide a necessary and sufficient condition to construct MDS semi-involutory matrices using only their diagonal entries and the entries of an associated diagonal matrix. Finally, we count the number of $3 \times 3$ semi-involutory MDS matrices over any finite field of characteristic $2$.

Cryptography and Security

Huck Bennett,Karthik Gajulapalli,Alexander Golovnev,Evelyn Warton

2024-07-20

Abstract:We study the Matrix Multiplication Verification Problem (MMV) where the goal is, given three $n \times n$ matrices $A$, $B$, and $C$ as input, to decide whether $AB = C$. A classic randomized algorithm by Freivalds (MFCS, 1979) solves MMV in $\widetilde{O}(n^2)$ time, and a longstanding challenge is to (partially) derandomize it while still running in faster than matrix multiplication time (i.e., in $o(n^{\omega})$ time). To that end, we give two algorithms for MMV in the case where $AB - C$ is sparse. Specifically, when $AB - C$ has at most $O(n^{\delta})$ non-zero entries for a constant $0 \leq \delta < 2$, we give (1) a deterministic $O(n^{\omega - \varepsilon})$-time algorithm for constant $\varepsilon = \varepsilon(\delta) > 0$, and (2) a randomized $\widetilde{O}(n^2)$-time algorithm using $\delta/2 \cdot \log_2 n + O(1)$ random bits. The former algorithm is faster than the deterministic algorithm of Künnemann (ESA, 2018) when $\delta \geq 1.056$, and the latter algorithm uses fewer random bits than the algorithm of Kimbrel and Sinha (IPL, 1993), which runs in the same time and uses $\log_2 n + O(1)$ random bits (in turn fewer than Freivalds's algorithm). We additionally study the complexity of MMV. We first show that all algorithms in a natural class of deterministic linear algebraic algorithms for MMV (including ours) require $\Omega(n^{\omega})$ time. We also show a barrier to proving a super-quadratic running time lower bound for matrix multiplication (and hence MMV) under the Strong Exponential Time Hypothesis (SETH). Finally, we study relationships between natural variants and special cases of MMV (with respect to deterministic $\widetilde{O}(n^2)$-time reductions).

Data Structures and Algorithms

Weijun Fang,Shu-Tao Xia,Fang-Wei Fu

DOI: https://doi.org/10.1109/tit.2021.3085768

IF: 2.5

2021-01-01

IEEE Transactions on Information Theory

Abstract:The parameters of a q-ary MDS Euclidean self-dual codes are completely determined by its length and the construction of MDS Euclidean self-dual codes with new length has been widely investigated in recent years. In this paper, we give a further study on the construction of MDS Euclidean self-dual codes via generalized Reed-Solomon (GRS) codes and their extended codes. The main idea of our construction is to choose suitable evaluation points such that the corresponding (extended) GRS codes are Euclidean self-dual. Firstly, we consider the evaluation set consists of two disjoint subsets, one of which is based on the trace function, the other one is a union of a subspace and its cosets. Then four new families of MDS Euclidean self-dual codes are constructed. Secondly, we give a simple but useful lemma to ensure that the symmetric difference of two intersecting subsets of finite fields can be taken as the desired evaluation set. Based on this lemma, we generalize our first construction and provide two new families of MDS Euclidean self-dual codes. Finally, by using two multiplicative subgroups and their cosets which have nonempty intersection, we present three generic constructions of MDS Euclidean self-dual codes with flexible parameters. Several new families of MDS Euclidean self-dual codes are explicitly constructed.

Chaoyun Li,Qingju Wang

DOI: https://doi.org/10.13154/tosc.v2017.i1.129-155

2017-01-01

Abstract:Near-MDS matrices provide better trade-offs between security and efficiency compared to constructions based on MDS matrices, which are favored for hardwareoriented designs. We present new designs of lightweight linear diffusion layers by constructing lightweight near-MDS matrices. Firstly generic n×n near-MDS circulant matrices are found for 5 ≤ n ≤9. Secondly, the implementation cost of instantiations of the generic near-MDS matrices is examined. Surprisingly, for n = 7, 8, it turns out that some proposed near-MDS circulant matrices of order n have the lowest XOR count among all near-MDS matrices of the same order. Further, for n = 5, 6, we present near-MDS matrices of order n having the lowest XOR count as well. The proposed matrices, together with previous construction of order less than five, lead to solutions of n×n near-MDS matrices with the lowest XOR count over finite fields F2m for 2 ≤ n ≤ 8 and 4 ≤ m ≤ 2048. Moreover, we present some involutory near-MDS matrices of order 8 constructed from Hadamard matrices. Lastly, the security of the proposed linear layers is studied by calculating lower bounds on the number of active S-boxes. It is shown that our linear layers with a well-chosen nonlinear layer can provide sufficient security against differential and linear cryptanalysis.

Charles Bordenave,Simon Coste,Raj Rao Nadakuditi

DOI: https://doi.org/10.1007/s10208-022-09568-6

IF: 3.4388

2022-06-15

Foundations of Computational Mathematics

Abstract:We study the matrix completion problem: an underlying matrix P is low rank, with incoherent singular vectors, and a random matrix A is equal to P on a (uniformly) random subset of entries of size dn . All other entries of A are equal to zero. The goal is to retrieve information on P from the observation of A . Let be the random matrix where each entry of A is multiplied by an independent -Bernoulli random variable with parameter 1/2. This paper is about when, how and why the non-Hermitian eigen-spectra of the matrices and captures more of the relevant information about the principal component structure of A than the eigen-spectra of and . We show that the eigenvalues of the asymmetric matrices and with modulus greater than a detection threshold are asymptotically equal to the eigenvalues of and and that the associated eigenvectors are aligned as well. The central surprise is that by intentionally inducing asymmetry and additional randomness via the matrix, we can extract more information than if we had worked with the singular value decomposition (SVD) of A . The associated detection threshold is asymptotically exact and is non-universal since it explicitly depends on the element-wise distribution of the underlying matrix P . We show that reliable, statistically optimal but not perfect matrix recovery, via a universal data-driven algorithm, is possible above this detection threshold using the information extracted from the asymmetric eigen-decompositions. Averaging the left and right eigenvectors provably improves estimation accuracy but not the detection threshold. Our results encompass the very sparse regime where d is of order 1 where matrix completion via the SVD of A fails or produces unreliable recovery. We define another variant of this asymmetric principal component analysis procedure that bypasses the randomization step and has a detection threshold that is smaller by a constant factor but with a computational cost that is larger by a polynomial factor of the number of observed entries. Both detection thresholds allow to go beyond the barrier due to the well-known information theoretical limit for exact matrix completion found in the literature.

mathematics, applied,computer science, theory & methods

Okko Makkonen

2024-04-26

Abstract:In this paper, we propose a new secure distributed matrix multiplication (SDMM) scheme using the inner product partitioning. We construct a scheme with a minimal number of workers and no redundancy, and another scheme with redundancy against stragglers. Unlike previous constructions in the literature, we do not utilize algebraic methods such as locally repairable codes or algebraic geometry codes. Our construction, which is based on generalized Reed-Solomon codes, improves the flexibility of the field size as it does not assume any divisibility constraints among the different parameters. We achieve a minimal number of workers by efficiently canceling all interference terms with a suitable orthogonal decoding vector. Finally, we discuss how the MDS conjecture impacts the smallest achievable field size for SDMM schemes and show that our construction almost achieves the bound given by the conjecture.

Information Theory

Zhengchi Ma,Rong Ma

2024-11-26

Abstract:Estimating singular subspaces from noisy matrices is a fundamental problem with wide-ranging applications across various fields. Driven by the challenges of data integration and multi-view analysis, this study focuses on estimating shared (left) singular subspaces across multiple matrices within a low-rank matrix denoising framework. A common approach for this task is to perform singular value decomposition on the stacked matrix (Stack-SVD), which is formed by concatenating all the individual matrices. We establish that Stack-SVD achieves minimax rate-optimality when the true (left) singular subspaces of the signal matrices are identical. Our analysis reveals some phase transition phenomena in the estimation problem as a function of the underlying signal-to-noise ratio, highlighting how the interplay among multiple matrices collectively determines the fundamental limits of estimation. We then tackle the more complex scenario where the true singular subspaces are only partially shared across matrices. For various cases of partial sharing, we rigorously characterize the conditions under which Stack-SVD remains effective, achieves minimax optimality, or fails to deliver consistent estimates, offering theoretical insights into its practical applicability. To overcome Stack-SVD's limitations in partial sharing scenarios, we propose novel estimators and an efficient algorithm to identify shared and unshared singular vectors, and prove their minimax rate-optimality. Extensive simulation studies and real-world data applications demonstrate the numerous advantages of our proposed approaches.

Statistics Theory,Methodology,Machine Learning

Zhenyue Zhang,Hongyuan Zha

1996-01-01

Abstract:We extenda cubicallyconvergentmethodfor theHermitianeigenvalueproblem 7] to thecaseofcomputingthesingularvaluedecompositionofa generalmatrix. We proposeanalgorithm that only uses matrix-matrix multiplications and QR decompositions. We examine several of the subtleties in the derivation of the algorithm, and we also present a rigorous convergenceanalysis.1. Introduction. This paper is a continuation of 7], where a cubically convergent method for the Hermitian eigenvalue problem was proposed. We will extend the ideas developed there to design algorithms for computing the singular subspaces and the singular value decomposition (SVD) of a general matrix A. At rst glance this kind of extension appears to be almosttrivialand maynot seem to deserve a separate discussion. One reason might be that when facing with the problem of computing singular subspaces and SVD of A, we can always use two …