Stanislav S. Malakhov

DOI: https://doi.org/10.48550/arXiv.2110.13325

2021-12-07

Abstract:The present paper focuses on the construction of a set of submatrices of a circulant matrix such that it is a smaller set to verify that the circulant matrix is an MDS (maximum distance separable) one, comparing to the complete set of square submatrices needed in general case. The general MDS verification method requires to test for singular submatrices: if at least one square submatrix is singular the matrix is not MDS. However, the complexity of the general method dramatically increases for matrices of a greater dimension. We develop an algorithm that constructs a smaller subset of submatrices thanks to a simple structure of circulant matrices. The algorithm proposed in the paper reduces the size of the testing set by approximately two matrix orders.

Numerical Analysis

Susanta Samanta

2024-10-01

Abstract:The optimal branch number of MDS matrices has established their importance in designing diffusion layers for various block ciphers and hash functions. As a result, numerous matrix structures, including Hadamard and circulant matrices, have been proposed for constructing MDS matrices. Also, in the literature, significant attention is typically given to identifying MDS candidates with optimal implementations or proposing new constructions across different orders. However, this paper takes a different approach by not emphasizing efficiency issues or introducing new constructions. Instead, its primary objective is to enumerate Hadamard MDS and involutory Hadamard MDS matrices of order $4$ within the field $\mathbb{F}_{2^r}$. Specifically, it provides an explicit formula for the count of both Hadamard MDS and involutory Hadamard MDS matrices of order $4$ over $\mathbb{F}_{2^r}$. Additionally, it derives the count of Hadamard Near-MDS (NMDS) and involutory Hadamard NMDS matrices, each with exactly one zero in each row, of order $4$ over $\mathbb{F}_{2^r}$. Furthermore, the paper discusses some circulant-like matrices for constructing NMDS matrices and proves that when $n$ is even, any $2n \times 2n$ Type-II circulant-like matrix can never be an NMDS matrix. While it is known that NMDS matrices may be singular, this paper establishes that singular Hadamard matrices can never be NMDS matrices. Moreover, it proves that there exist exactly two orthogonal Type-I circulant-like matrices of order $4$ over $\mathbb{F}_{2^r}$.

Cryptography and Security,Information Theory

Tapas Chatterjee,Ayantika Laha

2024-06-23

Abstract:In $2014$, Gupta and Ray proved that the circulant involutory matrices over the finite field $\mathbb{F}_{2^m}$ can not be maximum distance separable (MDS). This non-existence also extends to circulant orthogonal matrices of order $2^d \times 2^d$ over finite fields of characteristic $2$. These findings inspired many authors to generalize the circulant property for constructing lightweight MDS matrices with practical applications in mind. Recently, in $2022,$ Chatterjee and Laha initiated a study of circulant matrices by considering semi-involutory and semi-orthogonal properties. Expanding on their work, this article delves into circulant matrices possessing these characteristics over the finite field $\mathbb{F}_{2^m}.$ Notably, we establish a correlation between the trace of associated diagonal matrices and the MDS property of the matrix. We prove that this correlation holds true for even order semi-orthogonal matrices and semi-involutory matrices of all orders. Additionally, we provide examples that for circulant, semi-orthogonal matrices of odd orders over a finite field with characteristic $2$, the trace of associated diagonal matrices may possess non-zero values.

Cryptography and Security

Kishan Chand Gupta,Sumit Kumar Pandey,Susanta Samanta

DOI: https://doi.org/10.1007/s12095-023-00667-x

2023-07-28

Abstract:The optimal branch number of MDS matrices makes them a preferred choice for designing diffusion layers in many block ciphers and hash functions. However, in lightweight cryptography, Near-MDS (NMDS) matrices with sub-optimal branch numbers offer a better balance between security and efficiency as a diffusion layer, compared to MDS matrices. In this paper, we study NMDS matrices, exploring their construction in both recursive and nonrecursive settings. We provide several theoretical results and explore the hardware efficiency of the construction of NMDS matrices. Additionally, we make comparisons between the results of NMDS and MDS matrices whenever possible. For the recursive approach, we study the DLS matrices and provide some theoretical results on their use. Some of the results are used to restrict the search space of the DLS matrices. We also show that over a field of characteristic 2, any sparse matrix of order $n\geq 4$ with fixed XOR value of 1 cannot be an NMDS when raised to a power of $k\leq n$. Following that, we use the generalized DLS (GDLS) matrices to provide some lightweight recursive NMDS matrices of several orders that perform better than the existing matrices in terms of hardware cost or the number of iterations. For the nonrecursive construction of NMDS matrices, we study various structures, such as circulant and left-circulant matrices, and their generalizations: Toeplitz and Hankel matrices. In addition, we prove that Toeplitz matrices of order $n>4$ cannot be simultaneously NMDS and involutory over a field of characteristic 2. Finally, we use GDLS matrices to provide some lightweight NMDS matrices that can be computed in one clock cycle. The proposed nonrecursive NMDS matrices of orders 4, 5, 6, 7, and 8 can be implemented with 24, 50, 65, 96, and 108 XORs over $\mathbb{F}_{2^4}$, respectively.

Cryptography and Security

Tapas Chatterjee,Ayantika Laha

2024-06-22

Abstract:Circulant Maximum Distance Separable (MDS) matrices have gained significant importance due to their applications in the diffusion layer of the AES block cipher. In $2013$, Gupta and Ray established that circulant involutory matrices of order greater than $3$ cannot be MDS. This finding prompted a generalization of circulant matrices and the involutory property of matrices by various authors. In $2016$, Liu and Sim introduced cyclic matrices by changing the permutation of circulant matrices. In $1961,$ Friedman introduced $g$-circulant matrices which form a subclass of cyclic matrices. In this article, we first discuss $g$-circulant matrices with involutory and MDS properties. We prove that $g$-circulant involutory matrices of order $k \times k$ cannot be MDS unless $g \equiv -1 \pmod k.$ Next, we delve into $g$-circulant semi-involutory and semi-orthogonal matrices with entries from finite fields. We establish that the $k$-th power of the associated diagonal matrices of a $g$-circulant semi-orthogonal (semi-involutory) matrix of order $k \times k$ results in a scalar matrix. These findings can be viewed as an extension of the results concerning circulant matrices established by Chatterjee {\it{et al.}} in $2022.$

Cryptography and Security

Kishan Chand Gupta,Sumit Kumar Pandey,Susanta Samanta

2024-04-08

Abstract:The optimal branch number of MDS matrices makes them a preferred choice for designing diffusion layers in many block ciphers and hash functions. Consequently, various methods have been proposed for designing MDS matrices, including search and direct methods. While exhaustive search is suitable for small order MDS matrices, direct constructions are preferred for larger orders due to the vast search space involved. In the literature, there has been extensive research on the direct construction of MDS matrices using both recursive and nonrecursive methods. On the other hand, in lightweight cryptography, Near-MDS (NMDS) matrices with sub-optimal branch numbers offer a better balance between security and efficiency as a diffusion layer compared to MDS matrices. However, no direct construction method is available in the literature for constructing recursive NMDS matrices. This paper introduces some direct constructions of NMDS matrices in both nonrecursive and recursive settings. Additionally, it presents some direct constructions of nonrecursive MDS matrices from the generalized Vandermonde matrices. We propose a method for constructing involutory MDS and NMDS matrices using generalized Vandermonde matrices. Furthermore, we prove some folklore results that are used in the literature related to the NMDS code.

Information Theory,Cryptography and Security

Yogesh Kumar,P.R.Mishra,Susanta Samanta,Atul Gaur

DOI: https://doi.org/10.1007/s12190-024-02142-z

2024-06-17

Abstract:Maximum distance separable (MDS) matrices play a crucial role not only in coding theory but also in the design of block ciphers and hash functions. Of particular interest are involutory MDS matrices, which facilitate the use of a single circuit for both encryption and decryption in hardware implementations. In this article, we present several characterizations of involutory MDS matrices of even order. Additionally, we introduce a new matrix form for obtaining all involutory MDS matrices of even order and compare it with other matrix forms available in the literature. We then propose a technique to systematically construct all $4 \times 4$ involutory MDS matrices over a finite field $\mathbb{F}_{2^m}$. This method significantly reduces the search space by focusing on involutory MDS class representative matrices, leading to the generation of all such matrices within a substantially smaller set compared to considering all $4 \times 4$ involutory matrices. Specifically, our approach involves searching for these representative matrices within a set of cardinality $(2^m-1)^5$. Through this method, we provide an explicit enumeration of the total number of $4 \times 4$ involutory MDS matrices over $\mathbb{F}_{2^m}$ for $m=3,4,\ldots,8$.

Cryptography and Security

Yogesh Kumar,P. R. Mishra,Susanta Samanta,Atul Gaur

DOI: https://doi.org/10.1007/s12190-024-02142-z

2024-06-16

Journal of Applied Mathematics and Computing

Abstract:Maximum distance separable (MDS) matrices play a crucial role not only in coding theory but also in the design of block ciphers and hash functions. Of particular interest are involutory MDS matrices, which facilitate the use of a single circuit for both encryption and decryption in hardware implementations. In this article, we present several characterizations of involutory MDS matrices of even order. Additionally, we introduce a new matrix form for obtaining all involutory MDS matrices of even order and compare it with other matrix forms available in the literature. We then propose a technique to systematically construct all involutory MDS matrices over a finite field . This method significantly reduces the search space by focusing on involutory MDS class representative matrices, leading to the generation of all such matrices within a substantially smaller set compared to considering all involutory matrices. Specifically, our approach involves searching for these representative matrices within a set of cardinality . Through this method, we provide an explicit enumeration of the total number of involutory MDS matrices over for .

mathematics, applied

Daniel Augot,Matthieu Finiasz

DOI: https://doi.org/10.48550/arXiv.1412.4626

2014-12-15

Abstract:MDS matrices allow to build optimal linear diffusion layers in block ciphers. However, MDS matrices cannot be sparse and usually have a large description, inducing costly software/hardware implementations. Recursive MDS matrices allow to solve this problem by focusing on MDS matrices that can be computed as a power of a simple companion matrix, thus having a compact description suitable even for constrained environ- ments. However, up to now, finding recursive MDS matrices required to perform an exhaustive search on families of companion matrices, thus limiting the size of MDS matrices one could look for. In this article we propose a new direct construction based on shortened BCH codes, al- lowing to efficiently construct such matrices for whatever parameters. Unfortunately, not all recursive MDS matrices can be obtained from BCH codes, and our algorithm is not always guaranteed to find the best matrices for a given set of parameters.

Cryptography and Security,Information Theory

Yu Tian,Xiutao Feng,Guangrong Li

2024-09-05

Abstract:In recent years, the Substitution-Permutation Network has emerged as a crucial structure for constructing symmetric key ciphers. Composed primarily of linear matrices and nonlinear S-boxes, it offers a robust foundation for cryptographic security. Among the various metrics used to assess the cryptographic properties of linear matrices, the branch number stands out as a particularly important index. Matrices with an optimal branch number are referred to as MDS matrices and are highly prized in the field of cryptography. In this paper we delve into the construction of lightweight MDS matrices. We commence implementation trees of MDS matrices, which is a vital tool for understanding and manipulating their implementations, and then present an algorithm that efficiently enumerates all the lightest MDS matrices based on the word representation. As results, we obtain a series of ultra-lightweight $4\times 4$ MDS matrices, remarkably, 4-bit input MDS matrices with 35 XOR operations and 8-bit input ones with 67 XOR operations . These matrices represent the most comprehensive lightweight MDS matrices available to date. Furthermore, we craft some involution $4\times 4$ MDS matrices with a mere 68 XOR <a class="link-external link-http" href="http://gates.To" rel="external noopener nofollow">this http URL</a> our best knowledge, they are the best up to date. In the realm of higher-order MDS matrices, we have successfully constructed $5\times 5$ and $6\times 6$ matrices with 114 and 148 XOR gates respectively. These findings outperform the current state-of-the-art.

Cryptography and Security

Tapas Chatterjee,Ayantika Laha

2024-06-19

Abstract:In symmetric cryptography, maximum distance separable (MDS) matrices with computationally simple inverses have wide applications. Many block ciphers like AES, SQUARE, SHARK, and hash functions like PHOTON use an MDS matrix in the diffusion layer. In this article, we first characterize all $3 \times 3$ irreducible semi-involutory matrices over the finite field of characteristic $2$. Using this matrix characterization, we provide a necessary and sufficient condition to construct MDS semi-involutory matrices using only their diagonal entries and the entries of an associated diagonal matrix. Finally, we count the number of $3 \times 3$ semi-involutory MDS matrices over any finite field of characteristic $2$.

Cryptography and Security

Yogesh Kumar,P.R.Mishra,Susanta Samanta,Kishan Chand Gupta,Atul Gaur

DOI: https://doi.org/10.3934/amc.2024033

2024-08-13

Abstract:In this paper, we propose two algorithms for a hybrid construction of all $n\times n$ MDS and involutory MDS matrices over a finite field $\mathbb{F}_{p^m}$, respectively. The proposed algorithms effectively narrow down the search space to identify $(n-1) \times (n-1)$ MDS matrices, facilitating the generation of all $n \times n$ MDS and involutory MDS matrices over $\mathbb{F}_{p^m}$. To the best of our knowledge, existing literature lacks methods for generating all $n\times n$ MDS and involutory MDS matrices over $\mathbb{F}_{p^m}$. In our approach, we introduce a representative matrix form for generating all $n\times n$ MDS and involutory MDS matrices over $\mathbb{F}_{p^m}$. The determination of these representative MDS matrices involves searching through all $(n-1)\times (n-1)$ MDS matrices over $\mathbb{F}_{p^m}$. Our contributions extend to proving that the count of all $3\times 3$ MDS matrices over $\mathbb{F}_{2^m}$ is precisely $(2^m-1)^5(2^m-2)(2^m-3)(2^{2m}-9\cdot 2^m+21)$. Furthermore, we explicitly provide the count of all $4\times 4$ MDS and involutory MDS matrices over $\mathbb{F}_{2^m}$ for $m=2, 3, 4$.

Cryptography and Security

Tran Thi Luong,Nguyen Van Long,Bay Vo

DOI: https://doi.org/10.1371/journal.pone.0304873

IF: 3.7

2024-06-21

PLoS ONE

Abstract:Block cipher is a cryptographic field that is now widely applied in various domains. Besides its security, deployment issues, implementation costs, and flexibility across different platforms are also crucial in practice. From an efficiency perspective, the linear layer is often the slowest transformation and requires significant implementation costs in block ciphers. Many current works employ lookup table techniques for linear layers, but they are quite costly and do not save memory storage space for the lookup tables. In this paper, we propose a novel lookup table technique to reduce memory storage when executing software. This technique is applied to the linear layer of block ciphers with recursive Maximum Distance Separable (MDS) matrices, Hadamard MDS matrices, and circulant MDS matrices of considerable sizes (e.g. sizes of 16, 32, 64, and so on). The proposed lookup table technique leverages the recursive property of linear matrices and the similarity in elements of Hadamard or circulant MDS matrices, allowing the construction of a lookup table for a submatrix instead of the entire linear matrix. The proposed lookup table technique enables the execution of the diffusion layer with unchanged computational complexity (number of XOR operations and memory accesses) compared to conventional lookup table implementations but allows a substantial reduction in memory storage for the pre-computed tables, potentially reducing the storage needed by 4 or 8 times or more. The memory storage will be reduced even more as the size of the MDS matrix increases. For instance, analysis shows that when the matrix size is 64, the memory storage ratio with the proposed lookup table technique decreases by 87.5% compared to the conventional lookup table technique. This method also allows for more flexible software implementations of large-sized linear layers across different environments.

Jie Li,Camilla Hollanti

DOI: https://doi.org/10.1109/tifs.2022.3147638

IF: 7.231

2022-01-01

IEEE Transactions on Information Forensics and Security

Abstract:In this paper, we study the problem of private and secure distributed matrix multiplication (PSDMM), where a user having a private matrix $A$ and $N$ non-colluding servers sharing a library of $L$ ($L&gt;1$ ) matrices $B^{(0)}, B^{(1)},ldots,B^{(L-1)}$ , for which the user wishes to compute $AB^{( heta)}$ for some $ heta in [0, L$ ) without revealing any information of the matrix $A$ to the servers, and keeping the index $ heta $ private to the servers. Previous work is limited to the case that the shared library (i.e., the matrices $B^{(0)}, B^{(1)},ldots,B^{(L-1)}$ ) is stored across the servers in a replicated form and schemes are very scarce in the literature, there is still much room for improvement. In this paper, we propose two PSDMM schemes, where one is limited to the case that the shared library is stored across the servers in a replicated form but has a better performance than state-of-the-art schemes in that it can achieve a smaller recovery threshold and download cost. The other one focuses on the case that the shared library is stored across the servers in an MDS-coded form, which requires less storage in the servers. The second PSDMM code does not subsume the first one even if the underlying MDS code is degraded to a repetition code as they are totally two different schemes.

computer science, theory & methods,engineering, electrical & electronic

Jinbao Zhu,Songze Li,Jie Li

DOI: https://doi.org/10.1109/tifs.2023.3249565

IF: 7.231

2023-03-08

IEEE Transactions on Information Forensics and Security

Abstract:We study two problems of private matrix multiplication, over a distributed computing system consisting of a master node, and multiple servers that collectively store a family of public matrices using Maximum-Distance-Separable (MDS) codes. In the first problem of Private and Secure Matrix Multiplication (PSMM) from colluding servers, the master intends to compute the product of its confidential matrix with a target matrix stored on the servers, without revealing any information about and the index of target matrix to some colluding servers. In the second problem of Fully Private Matrix Multiplication (FPMM) from colluding servers, the matrix is also selected from another family of public matrices stored at the servers in MDS form. In this case, the indices of the two target matrices should both be kept private from colluding servers. We develop novel strategies for the two PSMM and FPMM problems, which simultaneously guarantee information-theoretic data/index privacy and computation correctness. We compare the proposed PSMM strategy with a previous PSMM strategy with a weaker privacy guarantee (non-colluding servers), and demonstrate substantial improvements over the previous strategy in terms of communication and computation overheads. Moreover, compared with a baseline FPMM strategy that uses the idea of Private Information Retrieval (PIR) to directly retrieve the desired matrix multiplication, the proposed FPMM strategy significantly reduces storage overhead, but slightly incurs large communication and computation overheads.

computer science, theory & methods,engineering, electrical & electronic

X.-Q. Jin,Y.-M. Wei,H.-S. Tam

DOI: https://doi.org/10.1007/s10092-005-0100-6

2005-01-01

CALCOLO

Abstract:Linear systems with M-matrices occur in a wide variety of areas including numerical partial differential equations, input-output production and growth models in economics, linear complementarity problems in operations research and Markov chains in stochastic analysis.In this paper, we propose a new preconditioner for solving a system with symmetric positive definite M-matrix by the preconditioned conjugate gradient (PCG) method. We show that our preconditioner increases the convergence rate of the PCG method and reduces the operation cost. Numerical results are given.

Charles Bordenave,Simon Coste,Raj Rao Nadakuditi

DOI: https://doi.org/10.1007/s10208-022-09568-6

IF: 3.4388

2022-06-15

Foundations of Computational Mathematics

Abstract:We study the matrix completion problem: an underlying matrix P is low rank, with incoherent singular vectors, and a random matrix A is equal to P on a (uniformly) random subset of entries of size dn . All other entries of A are equal to zero. The goal is to retrieve information on P from the observation of A . Let be the random matrix where each entry of A is multiplied by an independent -Bernoulli random variable with parameter 1/2. This paper is about when, how and why the non-Hermitian eigen-spectra of the matrices and captures more of the relevant information about the principal component structure of A than the eigen-spectra of and . We show that the eigenvalues of the asymmetric matrices and with modulus greater than a detection threshold are asymptotically equal to the eigenvalues of and and that the associated eigenvectors are aligned as well. The central surprise is that by intentionally inducing asymmetry and additional randomness via the matrix, we can extract more information than if we had worked with the singular value decomposition (SVD) of A . The associated detection threshold is asymptotically exact and is non-universal since it explicitly depends on the element-wise distribution of the underlying matrix P . We show that reliable, statistically optimal but not perfect matrix recovery, via a universal data-driven algorithm, is possible above this detection threshold using the information extracted from the asymmetric eigen-decompositions. Averaging the left and right eigenvectors provably improves estimation accuracy but not the detection threshold. Our results encompass the very sparse regime where d is of order 1 where matrix completion via the SVD of A fails or produces unreliable recovery. We define another variant of this asymmetric principal component analysis procedure that bypasses the randomization step and has a detection threshold that is smaller by a constant factor but with a computational cost that is larger by a polynomial factor of the number of observed entries. Both detection thresholds allow to go beyond the barrier due to the well-known information theoretical limit for exact matrix completion found in the literature.

mathematics, applied,computer science, theory & methods

Huck Bennett,Karthik Gajulapalli,Alexander Golovnev,Evelyn Warton

2024-07-20

Abstract:We study the Matrix Multiplication Verification Problem (MMV) where the goal is, given three $n \times n$ matrices $A$, $B$, and $C$ as input, to decide whether $AB = C$. A classic randomized algorithm by Freivalds (MFCS, 1979) solves MMV in $\widetilde{O}(n^2)$ time, and a longstanding challenge is to (partially) derandomize it while still running in faster than matrix multiplication time (i.e., in $o(n^{\omega})$ time). To that end, we give two algorithms for MMV in the case where $AB - C$ is sparse. Specifically, when $AB - C$ has at most $O(n^{\delta})$ non-zero entries for a constant $0 \leq \delta < 2$, we give (1) a deterministic $O(n^{\omega - \varepsilon})$-time algorithm for constant $\varepsilon = \varepsilon(\delta) > 0$, and (2) a randomized $\widetilde{O}(n^2)$-time algorithm using $\delta/2 \cdot \log_2 n + O(1)$ random bits. The former algorithm is faster than the deterministic algorithm of Künnemann (ESA, 2018) when $\delta \geq 1.056$, and the latter algorithm uses fewer random bits than the algorithm of Kimbrel and Sinha (IPL, 1993), which runs in the same time and uses $\log_2 n + O(1)$ random bits (in turn fewer than Freivalds's algorithm). We additionally study the complexity of MMV. We first show that all algorithms in a natural class of deterministic linear algebraic algorithms for MMV (including ours) require $\Omega(n^{\omega})$ time. We also show a barrier to proving a super-quadratic running time lower bound for matrix multiplication (and hence MMV) under the Strong Exponential Time Hypothesis (SETH). Finally, we study relationships between natural variants and special cases of MMV (with respect to deterministic $\widetilde{O}(n^2)$-time reductions).

Data Structures and Algorithms

Okko Makkonen

2024-04-26

Abstract:In this paper, we propose a new secure distributed matrix multiplication (SDMM) scheme using the inner product partitioning. We construct a scheme with a minimal number of workers and no redundancy, and another scheme with redundancy against stragglers. Unlike previous constructions in the literature, we do not utilize algebraic methods such as locally repairable codes or algebraic geometry codes. Our construction, which is based on generalized Reed-Solomon codes, improves the flexibility of the field size as it does not assume any divisibility constraints among the different parameters. We achieve a minimal number of workers by efficiently canceling all interference terms with a suitable orthogonal decoding vector. Finally, we discuss how the MDS conjecture impacts the smallest achievable field size for SDMM schemes and show that our construction almost achieves the bound given by the conjecture.

Information Theory

Anastasios Zouzias

DOI: https://doi.org/10.1007/978-3-642-31594-7_71

2012-02-26

Abstract:In this paper, we generalize Spencer's hyperbolic cosine algorithm to the matrix-valued setting. We apply the proposed algorithm to several problems by analyzing its computational efficiency under two special cases of matrices; one in which the matrices have a group structure and an other in which they have rank-one. As an application of the former case, we present a deterministic algorithm that, given the multiplication table of a finite group of size $n$, it constructs an expanding Cayley graph of logarithmic degree in near-optimal O(n^2 log^3 n) time. For the latter case, we present a fast deterministic algorithm for spectral sparsification of positive semi-definite matrices, which implies an improved deterministic algorithm for spectral graph sparsification of dense graphs. In addition, we give an elementary connection between spectral sparsification of positive semi-definite matrices and element-wise matrix sparsification. As a consequence, we obtain improved element-wise sparsification algorithms for diagonally dominant-like matrices.

Data Structures and Algorithms,Discrete Mathematics