## 1 Introduction

Maximum distance separable (MDS) matrices incorporate diffusion layers in block ciphers and hash functions and are one of the vital constituents of modern-age ciphers like the Advanced Encryption Standard (AES) [5], Twofish [19, 20], SHARK [16], Square [4], Khazad [2], Clefia [27] and MDS-AES [15]. The stream cipher MUGI [24] uses an MDS matrix in its linear transformations. MDS matrices are also used in the design of hash functions. Hash functions like Maelstrom [6], Grøstl [7] and the PHOTON family of lightweight hash functions [8] use MDS matrices as the main part of their diffusion layers. MDS matrices, in general, have a large description and thus induce costly implementations both in hardware and software. It is nontrivial to find MDS matrices which could be used in lightweight cryptography.

It is difficult to define what an *optimal matrix* is in terms of implementation.
In the SAC 2004 paper [12], Junod and Vaudenay studied MDS matrices *M* under the angle of efficiency and defined
two mathematical criteria namely

- (1) how to increase the number of occurrences of ones,
- (2) how to minimize the number of occurrences of other distinct elements.

They proved some optimality results relative to these two criteria.

### Our contribution.

The techniques used in [12] to solve these above mentioned combinatorial problems for the construction of
*d* for *d* up to 8 and it seems difficult
to extend their techniques to solve the same combinatorial problems for higher values of *d*.
In this paper, we further investigate these combinatorial problems in the light
of *design theory* and propose more generalized results.
In [12], the authors mentioned that
maximum number of ones in *bi-regular* matrices having almost *d*, the authors of [12] proposed a construction that can guarantee

In a bi-regular matrix, there does not exist any *almost-bi-regular* matrix. An almost-bi-regular matrix is a matrix all of whose entries are either 1 or blank and all of whose

- (a) the construction of an almost-bi-regular matrix with the maximum possible number of ones,
- (b) filling the blank entries with non-one entries so that the resulting matrix becomes MDS.

To make the resulting MDS matrix an efficient one, we require that the description of the matrix should be very low, i.e.

- (i) the number of distinct entries should be as low as possible,
- (ii) the number of low Hamming weight entries should be as high as possible.

These two criteria were mentioned in [12] by introducing two mathematical notations, *M*.

In this paper, we observe an interesting connection between the number of ones in almost-bi-regular matrices
and incidence matrices of Balanced Incomplete Block Design (BIBD).
Using results on BIBD, we exactly compute the maximum number of ones in *v* and *b* also, we compute an upper bound
on the maximum number of ones in any

We propose another simple technique of construction of *bi-regular* matrices and MDS matrices using *Latin squares*.
Using the structure of Latin squares, it is shown that bi-regular matrices and MDS matrices can be constructed
by judicious selection of elements.
This paper shows that if *d*, then
construction of *q* is any prime power,
we compute tight lower bound of *M* having *d* up to 8.

### Previous work.

Nearly all the ciphers use predefined MDS matrices to incorporate the diffusion property.
In some ciphers, however, the possibility of random selection of MDS matrices with some constraints is provided [26].
In this context, we would like to mention that
in the papers [1, 17, 13, 12, 26, 8, 9, 10, 11], different constructions
of MDS matrices are provided. In [8], the
authors constructed lightweight MDS matrices from companion matrices by
exhaustive search. In [9], new involutory MDS matrices were constructed using properties
of Cauchy matrices over additive subgroup of *circulant matrices* over *Involutory* MDS matrices using Vandermonde matrices were constructed in [17, 13].
New involutory MDS matrices using properties of Cauchy matrices were constructed in [26].
Recently in [1], the authors have constructed MDS matrices based on shortened BCH codes.

The organization of the paper is as follows:
In Section 2, we provide definitions and preliminaries.
In Section 3, we study the construction of almost-bi-regular matrices with maximum
number of ones using properties of BIBDs.
In Section 4, we study *v* and *b* and
construct *d* up to 21.
In Section 5,
we study the *M* having maximum number of ones
and propose the minimum value of *q* is any prime power.
In that section, we also study the construction of bi-regular matrices from Latin squares.
In Section 6, we propose new and efficient *d* up to 8 having maximum number of ones and minimum number of other distinct elements.
We conclude the paper in Section 7.

## 2 Definition and preliminaries

### 2.1 MDS code and MDS matrices

An MDS matrix provides diffusion properties that have useful applications in cryptography.
The idea comes from coding theory, in particular from maximum distance separable (MDS) code.
Let *C* be an

Let *p* and *q* be two integers. Let *M*. We say that
it is an MDS matrix if the set of all pairs *p*, length

The following theorem characterizes MDS matrices.

*An $[n,k,d]$ code C with generator matrix $G=\left[I\right|A]$, where A is a
$k\times \left(n-k\right)$ matrix, is MDS if and only if every square submatrix (formed from any i rows
and any i columns, for any $i=1,2,\dots ,\mathrm{min}\{k,n-k\}$) of A is nonsingular.*

From the above theorem, it is evident that a square matrix *A* is an MDS matrix
if and only if every square submatrix of *A* is nonsingular.
It is easy to check that the MDS property remains invariant under
the two elementary row (or column) operations, namely permutation of rows (or columns) and
multiplication of a row (or column) of the matrix by a nonzero scalar.
Also, the MDS property is invariant under the transpose operation.
So we provide the following lemma without proof.

*If A is an MDS matrix over *

### 2.2 Bi-regular matrices

In [12], the authors used bi-regular arrays to build MDS matrices. We call it a bi-regular matrix and define it slightly differently but equivalently.

A matrix is called bi-regular if all entries of the matrix are nonzero and all of its

Our target is to maximize the number of occurrences of ones in an MDS matrix.
One approach may be to construct the *bi-regular* matrix with maximum number of ones and then to check its MDS property.
So, we first take a matrix *i* and *j*.
Next, we put the maximum number of ones in this matrix such that in any *almost-bi-regular* matrices.
It may be noted that with judicious choices of other elements in the blank
positions of almost-bi-regular matrices, bi-regular matrices may be constructed.

A matrix with entries either 1 or blank is almost-bi-regular if
in any of its

The significance of putting the maximum possible number of ones while
constructing almost-bi-regular matrix is that
no more 1 can be put in the matrix without violating the almost-bi-regular property.
But, it has to be noted that an almost-bi-regular matrix saturated with ones may not guarantee that
it contains maximum number of ones (see Remark 3).
In Section 3 and Section 4,
we will develop techniques to construct an almost-bi-regular matrix
with maximum number of ones. Next, we replace all blank entries of the almost-bi-regular matrix
by judicious choices of elements from *M* with maximum number (i.e.

For an efficient implementation of perfect diffusion layer, it is desirable to have the maximum number of ones and the minimum number of different entries in the MDS matrix. In [12], the authors studied these two properties on bi-regular matrices and proposed some bounds.

Let $M=({m}_{i,j})$ be a $q\times p$ matrix.

- Let ${v}_{1}\left(M\right)$ denote the number of pairs $(i,j)$ such that ${m}_{i,j}$ is equal to 1. We call it the number of occurrences of 1. Also, let ${v}_{1}^{q,p}$ be the maximum value of ${v}_{1}\left(M\right)$ over all $q\times p$ bi-regular matrices *M*.
- Let $c\left(M\right)$ be the cardinality of $\{{m}_{i,j}:i=1,\dots ,q,j=1,\dots ,p\}$. This is called the number of distinct entries. Also let ${c}^{q,p}$ be the minimum value of $c\left(M\right)$ over all $q\times p$ bi-regular matrices *M*.
- If ${v}_{1}\left(M\right)>0$, let ${c}_{1}\left(M\right)=c\left(M\right)-1$; otherwise ${c}_{1}\left(M\right)=c\left(M\right)$. This is called the number of nontrivial entries.

For example, for the matrix

where α is the root of the generating polynomial *mixColumn* operation in AES [5], we have

The high value of *c* and
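As an added example (not code from the paper), the following Python checks the MDS criterion of the theorem in Section 2.1, namely that every square submatrix is nonsingular, over GF(2^8) with the AES polynomial, and computes ${v}_{1}\left(M\right)$, $c\left(M\right)$ and ${c}_{1}\left(M\right)$ as defined above, using the AES MixColumn matrix as input. The non-MDS matrix is constructed here for contrast; the Gaussian-elimination determinant needs no sign bookkeeping in characteristic 2.

```python
"""Added example: MDS test and the counts v_1(M), c(M), c_1(M) over GF(2^8).

Entries are elements of GF(2^8) written as integers 0..255; the field is
GF(2)[x]/(x^8+x^4+x^3+x+1), so alpha = 0x02 is the root of the AES
generating polynomial and the MixColumn matrix below is circ(alpha, alpha+1, 1, 1).
"""
from itertools import combinations

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1


def gf_mul(a: int, b: int) -> int:
    """Multiply two GF(2^8) elements: carry-less multiply, reduce mod AES_POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse via a^254 = a^(-1) in GF(2^8) (square-and-multiply)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    r, e = 1, a
    for bit in range(8):  # exponent 254 = 0b11111110
        if (254 >> bit) & 1:
            r = gf_mul(r, e)
        e = gf_mul(e, e)
    return r


def gf_det(m) -> int:
    """Determinant over GF(2^8) by Gaussian elimination (char 2: swaps change no sign)."""
    m = [row[:] for row in m]
    n = len(m)
    det = 1
    for col in range(n):
        pivot = next((r for r in range(col, n) if m[r][col]), None)
        if pivot is None:
            return 0
        m[col], m[pivot] = m[pivot], m[col]
        det = gf_mul(det, m[col][col])
        inv = gf_inv(m[col][col])
        for r in range(col + 1, n):
            if m[r][col]:
                f = gf_mul(m[r][col], inv)
                m[r] = [x ^ gf_mul(f, y) for x, y in zip(m[r], m[col])]
    return det


def is_mds(m) -> bool:
    """MDS iff every square submatrix (any i rows and any i columns) is nonsingular."""
    q, p = len(m), len(m[0])
    for i in range(1, min(q, p) + 1):
        for rows in combinations(range(q), i):
            for cols in combinations(range(p), i):
                if gf_det([[m[r][c] for c in cols] for r in rows]) == 0:
                    return False
    return True


def v1(m) -> int:
    """Number of occurrences of 1."""
    return sum(x == 1 for row in m for x in row)


def c(m) -> int:
    """Number of distinct entries."""
    return len({x for row in m for x in row})


def c1(m) -> int:
    """Number of nontrivial entries: distinct entries other than 1 (if 1 occurs)."""
    return c(m) - 1 if v1(m) > 0 else c(m)


# AES MixColumn matrix: circulant of (0x02, 0x03, 0x01, 0x01).
AES_MIXCOLUMN = [
    [2, 3, 1, 1],
    [1, 2, 3, 1],
    [1, 1, 2, 3],
    [3, 1, 1, 2],
]

# Constructed non-example: two equal rows, so some 2x2 submatrix is singular.
NOT_MDS = [
    [2, 3, 1, 1],
    [2, 3, 1, 1],
    [1, 1, 2, 3],
    [3, 1, 1, 2],
]

if __name__ == "__main__":
    print("AES MixColumn is MDS:", is_mds(AES_MIXCOLUMN))
    print("v1 =", v1(AES_MIXCOLUMN), "c =", c(AES_MIXCOLUMN), "c1 =", c1(AES_MIXCOLUMN))
    print("constructed matrix is MDS:", is_mds(NOT_MDS))
```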

From [12], we have the following fact.

[12] The following hold:

- (a) ${v}_{1}^{p,q}={v}_{1}^{q,p}$.
- (b) ${v}_{1}^{p,q}$ increases with *p* and *q*.

In the next lemma, we state some results from [12, Lemma 1].

*The following hold:*

- (a) ${v}_{1}^{3,p}=p+3$ *for all* $p\ge 3$.
- (b) ${v}_{1}^{4,4}=9$, ${v}_{1}^{5,5}=12$, ${v}_{1}^{6,6}=16$, ${v}_{1}^{7,7}=21$ *and* ${v}_{1}^{8,8}=24$.

### 2.3 Balanced Incomplete Block Design (BIBD)

In this paper, we show an interesting connection between almost-bi-regular matrices and incidence matrices of BIBDs. Although the notations *M* and *M*. Similarly, in the context of almost-bi-regular matrices, *M* and *M*. It is proved in this paper that for *d*.
Using these techniques, we provide a very simple alternative proof of the optimality results of [12], which are given in Lemma 8.
We propose techniques to construct any *M* where

The existence of an almost-bi-regular matrix with *l* ones may not guarantee the existence of a bi-regular matrix with the same number of ones, i.e. *l* ones. But the converse is always true: the existence of a bi-regular matrix with *l* ones always guarantees the existence of an almost-bi-regular matrix with the same number of ones. Constructing an almost-bi-regular matrix from a bi-regular matrix is straightforward: replace all non-one elements of the bi-regular matrix with the blank symbol. The new matrix will be almost-bi-regular.

A design is a pair $(X,\mathcal{A})$ such that

- *X* is a set of elements called points,
- $\mathcal{A}$ is a collection (i.e. multiset) of nonempty subsets of *X* called blocks.

If two blocks in a design are identical, they are said to be *repeated blocks*.
This is why the blocks form a *multiset* rather than a set.

Let *v*, *k* and λ be positive integers such that

- (1) $\left|X\right|=v$,
- (2) each block contains exactly *k* points,
- (3) every pair of distinct points is contained in exactly λ blocks.

In the following two lemmas, we record two important properties of a BIBD.

*In a *

*r* is often called the replication number of the BIBD.

*A $(v,k,\lambda )$-BIBD has exactly b blocks, where $b=\frac{vr}{k}=\frac{\lambda \left({v}^{2}-v\right)}{\left({k}^{2}-k\right)}$.*

A BIBD in which

For example, in a

Here

*Suppose that *

In this paper, a special kind of symmetric BIBDs, called *projective planes*, will be used for constructions of almost-bi-regular matrices.

A *d*.

It may be noted that although a

*For every prime power *

*q*).

In this paper, we will use the notation

and

So we call it

It is often convenient to represent a BIBD by means of an *incidence matrix*.

Let

For constructions of MDS matrices, we use a slightly modified version of incidence matrix, which we call *derived-incidence matrix*.

If all zeros of an incidence matrix are replaced by a special symbol blank, the derived matrix is called derived-incidence matrix.

The incidence matrix *M* of a *M*) satisfies the following
properties:

- (1) Every column of *M* (or ${M}^{\prime}$) contains exactly *k* ones.
- (2) Every row of *M* (or ${M}^{\prime}$) contains exactly *r* ones.
- (3) Two distinct rows of *M* (or ${M}^{\prime}$) both contain ones in exactly λ columns.

### 2.4 Jensen’s inequality

*Suppose that f is a continuous and strictly convex function on the interval I.
Suppose further that *

If we take the convex function

*Let *

*If *

Let

Also

Hence we have proved the result. ∎

## 3 Finding ${v}_{1}^{v,b}$ where $(v,b,k,r,1)$ is a BIBD

One approach for constructing an MDS matrix is to construct first an almost-bi-regular matrix with *l* ones and
then assign nonzero field elements other than 1 to the rest of the positions of the matrix. If the
resultant matrix is MDS, return that MDS matrix, else return failure. The above mentioned process can be repeated
iteratively

- (a) by trying all possible nonzero elements other than 1 for fixed *l*,
- (b) through all choices of *l*, starting from the maximum number of ones that the matrix can accommodate down to 0.

For efficiency, in the resultant MDS matrix *M*, it is desired
to have a high value of *d* up to 8 and also determined the position
of ones in the corresponding bi-regular matrices. With their approach, determining *d*.

In this section, we study the connection between the incidence matrix of BIBD
and the almost-bi-regular matrix and propose techniques to
compute the value of

*The derived-incidence matrix of *

Let us consider the

Let us consider any arbitrary

of *M*. Note that not all elements of the submatrix are 1 because then
we will get *M* are not 1. Thus *M* is almost-bi-regular.

If *M* is not almost-bi-regular.
∎

Let *M* be the derived-incidence matrix of a BIBD with *M* without disturbing the almost-bi-regular property.
For example, suppose that the *k*-th row, the *i*-th row, the *l*-th column and the *j*-th column of the matrix *M* is not almost-bi-regular.

Let *M* be any almost-bi-regular matrix such that no more 1 can be added in the matrix without disturbing the almost-bi-regular property.
Note that this condition does not always guarantee that an almost-bi-regular matrix has maximum number of ones.

no more 1 can be placed without
disturbing the bi-regular property.
Here the number of occurrences of 1 is 7, but we know

Let *i*-th row and the block *j*-th column, where *M* is the derived-incidence matrix of the design *M* is almost-bi-regular,
any pair of elements will occur in at most one of the blocks of

In Theorem 8, we will show that the derived-incidence matrices of BIBDs with

*Let M be the derived-incidence matrix of a design *

An element *x* can form maximum *x* amounts to repetition of some pair in more than one
blocks, but since *M* is almost-bi-regular matrix, any pair of elements

*Let M be the derived-incidence matrix of a design *

Since *M* is an almost-bi-regular matrix, any pair of elements *X*, we have

*Let the design *

Note that in a *X* occurs exactly in one block.
So, *k* elements.
Hence, each block contributes *b*
blocks, we have

*Let there exist some *

Let *M* is almost-bi-regular matrix with *bk* ones.
From Lemma 7,

Let, if possible, there be a

Let *p*-th column of

So,

From Lemma 21,

So,

*Let $d={q}^{2}+q+1$, where q is any prime power. Then ${v}_{1}^{d,d}=\left({q}^{2}+q+1\right)\times \left(q+1\right)$.*

Let us consider the *M* be its derived-incidence matrix.
From Theorem 17, such a BIBD exists for any prime power *q*.
From Lemma 1, *M* is almost-bi-regular
and from Theorem 8, the number of ones in *M* is

From Corollary 9, if

Let *M* be an almost-bi-regular matrix having maximum number of ones and also let the corresponding design be
*X*,
say *A* of
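As an added example (not from the paper), the following Python builds the derived-incidence matrix of the projective plane of order $q$, checks the almost-bi-regular condition this section relies on (two distinct rows share ones in at most one column, i.e. no $2\times 2$ all-ones submatrix), confirms that no further 1 can be added to it, and counts its ${v}_{1}=({q}^{2}+q+1)(q+1)$ ones. It assumes $q$ is prime so that GF(q) is integer arithmetic mod q; the theorem above covers every prime power.

```python
"""Added example: derived-incidence matrix of PG(2, q) for prime q,
checked against the almost-bi-regular condition and the count (q^2+q+1)(q+1)."""
from itertools import combinations

BLANK = None  # the paper's "blank" symbol that replaces the zeros of an incidence matrix


def pg2_points(q: int):
    """Points of PG(2,q): nonzero vectors of GF(q)^3 normalised so that the first
    nonzero coordinate is 1. There are q^2+q+1 of them. Assumes q prime."""
    pts = []
    for x in range(q):
        for y in range(q):
            for z in range(q):
                v = (x, y, z)
                first = next((t for t in v if t), None)
                if first == 1:
                    pts.append(v)
    return pts


def derived_incidence_matrix(q: int):
    """v x b matrix, v = b = q^2+q+1: rows are points, columns are lines (by duality
    indexed by the same normalised vectors). Entry is 1 when the point lies on the
    line, i.e. the dot product vanishes mod q, and BLANK otherwise."""
    pts = pg2_points(q)
    return [[1 if sum(a * b for a, b in zip(p, l)) % q == 0 else BLANK for l in pts]
            for p in pts]


def is_almost_bi_regular(m) -> bool:
    """No 2x2 submatrix consists entirely of ones: any two distinct rows have
    ones in common in at most one column."""
    for r1, r2 in combinations(m, 2):
        shared = sum(1 for x, y in zip(r1, r2) if x == 1 and y == 1)
        if shared > 1:
            return False
    return True


def is_saturated(m) -> bool:
    """True when no blank can be turned into a 1 without breaking the
    almost-bi-regular property (the lambda = 1 derived-incidence matrices have this)."""
    for row in m:
        for j, x in enumerate(row):
            if x is BLANK:
                row[j] = 1
                still_ok = is_almost_bi_regular(m)
                row[j] = BLANK
                if still_ok:
                    return False
    return True


def count_ones(m) -> int:
    return sum(x == 1 for row in m for x in row)


def bibd_parameters(m):
    """Read (v, b, k, r, lambda) off a derived-incidence matrix (rows = points,
    columns = blocks). k, r, lambda come back as None when not constant."""
    v, b = len(m), len(m[0])
    col_sums = {sum(row[j] == 1 for row in m) for j in range(b)}
    row_sums = {sum(x == 1 for x in row) for row in m}
    shared = {sum(1 for x, y in zip(r1, r2) if x == 1 and y == 1)
              for r1, r2 in combinations(m, 2)}
    pick = lambda s: next(iter(s)) if len(s) == 1 else None
    return v, b, pick(col_sums), pick(row_sums), pick(shared)


if __name__ == "__main__":
    for q in (2, 3):
        m = derived_incidence_matrix(q)
        print(f"q={q}: (v,b,k,r,lambda)={bibd_parameters(m)}, ones={count_ones(m)}, "
              f"expected={(q*q+q+1)*(q+1)}, almost-bi-regular={is_almost_bi_regular(m)}, "
              f"saturated={is_saturated(m)}")
```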

## 4 Some results on ${v}_{1}^{v,b}$ for arbitrary *v* and *b*

In this section, we study some upper bounds of *v* and *b*.
We also determine *d* up to 21.
In doing so, we first develop tools which are useful.
For simplicity and compactness of expression, we first introduce some notations and definitions
and discuss a few crucial properties, some of which resemble properties of the previous section.

### 4.1 A few more definitions and notations

Let *i*-th row and the *j*-th column, respectively. We assume that

We define *intersection* with the column

We define

i.e. the set of elements that are contained in both the blocks
corresponding to

Let *pair* with the row *pair* with the column

*Let M be a *

Set *intersect* with the row *intersect* with the column

*Let M be a *

Let

Let *l* ones.
Let

Similarly, we have the following lemma.

*Let M be a *

In the following lemma, we study the correlation between the number of *intersections* and the
number of *pairs* that the row

*Let M be a *

Let

So,

Now, we show that

for all

Choose any

Let

Therefore, the row

Similarly, by interchanging rows and columns, we have the following lemma.

*Let M be a *

In a

*Let M be a *

Let

which then implies there exists a

Let

Hence the lemma. ∎

Similarly, by interchanging rows and columns, we have the following lemma.

*Let M be a *

Now we define

Let *b* and *v* be two non-negative integers. We define

In Theorem 13, we study the upper bound of

*If *

*If *

Now we introduce another term,

Let

In the next lemma, we show that

*We have
*

If

Let

From Lemma 10,

If

### 4.2 Some important bounds

In Theorem 13 and its corollary,
we provide a tight upper bound of *d*.

*We have
*

Let

from Lemma 7, and

from Lemma 6. From Jensen’s inequality, when (1) holds, we get

Solving the above inequality, we get

So,

Similarly, when (2) holds, we get

*We have*

Putting

For any prime power *q*, there exists a projective plane which is a symmetric

Also, note that, from Theorem 8,
*q*,

Similarly, when

In the next theorem,
we study the upper bound of *M*
where one of its columns contains *k* ones.

*Let M be a *

We consider two cases.

*Case *
If

If

*Case *
If

*M*can be at most

If *M* can be at most

Let *M* contains exactly *k* ones in column *M*, say *M*, say

In the matrix

In the matrix

Thus, the total number of ones in matrix *M* can be at most

(from Theorem 13). ∎

In analyzing *r* rows (columns) of a *k* ones. In the next two theorems, we explore a lower bound on the number of such rows (columns).

*In a $v\times b$ almost-bi-regular matrix, if there are r rows ($r\le v$) each containing k ones, then the number of columns needed to accommodate such r rows should be at least*

Let the minimum number of columns required to accommodate such *r* rows be *c*.
Consider the *M* where each row contains exactly *k* ones.
Suppose that, in the matrix *M*, column *M* to be almost-bi-regular matrix, it is required that

- (1) $r\binom{k}{2}\le \binom{c}{2}$ (from Lemma 7),
- (2) $\sum_{i=0}^{c-1}\binom{{k}_{i}}{2}\le \binom{r}{2}$ (from Lemma 6).

For (1) to hold, it is required that

and hence

From Jensen’s inequality, when (2) holds, we get

From above inequality, we get

From (a) and (b), we conclude that

as desired. ∎

Similarly by interchanging rows and columns, we have the following theorem.

*In a $v\times b$ almost-bi-regular matrix, if there are c columns ($c\le b$) each containing k ones,
then the number of rows needed to accommodate such c columns should be at least*

### 4.3 Finding ${v}_{1}^{d,d}$ for *d* up to 21

For *q* is any prime power, *d*, let *q* be the lowest prime power such that

*We have
*

Since

From Corollary 14,

To complete the proof, we provide the corresponding matrices in Figure 2 and Figure 3. ∎

*We have
*

If

From Lemma 12,

If

If

but in this case, the maximum number of ones cannot exceed

Another form of

This form corresponds to circulant matrices, and MDS matrices can be constructed
from this almost-bi-regular matrix (see [11]). In Section 5,
we provide an alternative way to construct MDS matrices using Latin squares, which resembles this form (see Figure 11 and Figure 12).
Note that no

*We have*

- (a) ${v}_{1}^{9,9}=29$,
- (b) ${v}_{1}^{10,10}=34$ *and* ${v}_{1}^{12,12}=45$,
- (c) ${v}_{1}^{11,11}=39$,
- (d) ${v}_{1}^{13,13}=52$.

(a)
If

(Theorem 16). From Lemma 12,

If

but in this case, the maximum number of ones cannot exceed

(b)
It can be proved similarly as it was proved for

(c)
If

If

If

(d) See Remark 10. ∎

We observe that for *d* up to 20, *q*, where *q* is the smallest prime such that

*We have *

If

If

It may be noted that if a

*We have
*

If

If

If

If possible, then there exists a *M* which contains 62 ones. Since

Let *M*. It is easy to check that

Let the column *M* yields a

Now, construct a matrix *M* such that *M*. Consider the matrix *A* constructed by taking the first fourteen rows and the first fourteen columns of the matrix *A* is a *A*, each column makes pair with twelve other columns and similarly,
each row makes pair with twelve other rows (see Remark 24).
By the construction of *A*, consider the rows *A*, either

Hence we have

*We have
*

If

If possible, then there exists a *M* with 68 ones. It is easy to see that *M* will contain 80 ones). So,

Let *M*. It is easy to check that

Without loss of generality, assume that

Consider the rows which contain five ones. Let these rows be

Let *M* then makes pairs with at least

Hence,

*We have
*

If

If

If

If possible, then there exists a *M* having 75 ones. It is easy to see that *M* will contain 85 ones). So,

Suppose that *M*. It is easy to check that

Since

Let

Now, consider a

Hence we have

*We have*

- (a) ${v}_{1}^{18,18}=81$,
- (b) ${v}_{1}^{19,19}=88$,
- (c) ${v}_{1}^{21,21}=105$.

(a)
By using a similar argument as used for the case

(b)
If

If

If

If possible, then there exists a *M* with 89 ones. It can be easily shown that then *M*, there will be exactly thirteen rows and thirteen columns which contain five ones, and the remaining six rows and columns contain four ones each. To accommodate thirteen rows having five ones each, at least

Hence we have

(c) See Remark 10. ∎

Let *q* be a power of a prime number. Now, we calculate

*Let *

*q* is a prime power. Then

Let

Suppose that *q* is a prime power. If

If possible, then there exists a *M* which contains

Hence we have

*We have
*

From Theorem 29, taking

Here, we close this section by summarizing the results of this section
in Table 1 for

Table 1: Summary of the results of this section for *d* up to 21.

Dimension *d* | ${v}_{1}^{d,d}$ | Upper bound of ${v}_{1}^{d,d}$ | Number of ones in the construction using [12, Lemmas 1 and 3] | For illustrations see
---|---|---|---|---
3 | 6 | 6 | 6 | Figure 2
4 | 9 | 9 | 9 | Figure 3
5 | 12 | 12 | 12 | Figure 3
6 | 16 | 16 | 15 | Figure 3
7 | 21 | 21 | 21 | Figure 3
8 | 24 | 24 | 24 | Figure 4
9 | 29 | 30 | 24 | Figure 14
10 | 34 | 35 | 27 | Figure 14
11 | 39 | 40 | 30 | Figure 14
12 | 45 | 46 | 33 | Figure 14
13 | 52 | 52 | 36 | Figure 4
14 | 56 | 57 | 39 | Figure 5
15 | 61 | 64 | 42 | Figure 5
16 | 67 | 70 | 45 | Figure 17
17 | 74 | 77 | 48 | Figure 17
18 | 81 | 83 | 51 | Figure 16
19 | 88 | 90 | 54 | Figure 16
20 | 96 | 97 | 57 | Figure 15
21 | 105 | 105 | 60 | Figure 15

## 5 Some results on ${c}_{1}\left(M\right)$ where *M* is a bi-regular matrix having maximum number of ones

In Section 4, we have constructed *M* with *M*
with minimum number of distinct elements other than 1 and 0 (i.e. with minimum *q* is any prime power.

*Let $d={q}^{2}+q+1$, where q is any prime power.
Also, let ${M}_{d}$ be a $d\times d$ bi-regular matrix having ${v}_{1}^{d,d}$ ones.
Then ${c}_{1}\left({M}_{d}\right)\ge {q}^{2}$.*

Let

Each row and column of the matrix

Let in the *j*-th column, the *a*.
Let the *j*-th and *k*-th columns will be of the form

Similarly, let in the *i*-th row, two blank positions, say *a*.
From Lemma 15, any pair of blocks contain exactly one element. So, *i*-th and *l*-th rows and

In the next lemma, we propose good upper bounds of *d* up to 7.

For

*For *

The matrix

### Construction of bi-regular matrices from Latin squares.

We observe an interesting connection between Latin squares and bi-regular matrices,
which may give an easy method to construct efficient *d*. We construct such efficient MDS matrices for *d*.

A Latin square of order *d* with entries from a *d*-set *X* is a *X* such that every row of *X* and every column of *X*.
In our construction, *X* is a subset of

*All Latin squares of order d with entries from a d-set *

Let *d*-set
*X* are distinct,

Let *d* with elements from a *d*-set *a* and *b* by 1 provided determinants of these
*a* or *b* or both remains nonzero after these replacements.
It is easy to observe that
if

Note that if *d*, then the bi-regular matrix with

Also

In the diffusion layer of AES [5], i.e. in the mixcolumn operation, a

If *d*, say *t* out of *d* elements to 1.
Let us consider the

We know that *c* other than 0 and 1.

Similarly by setting

The

Note that, using this technique, it may not be possible to convert any

## 6 Efficient MDS matrices

In this section, we propose *d* up to 8 from bi-regular matrices
designed in Section 5.
In Table 2, we present some *d* up to 8 having

The *circulant MDS matrices* over

Dimension | MDS matrices | Cost of implementations | For illustrations see
---|---|---|---
$3\times 3$ | | 6 XORs, 3 table lookups and 4 temps | Figure 6
$4\times 4$ | | 12 XORs, 7 table lookups and 4 temps | Figure 7
$4\times 4$ | | 12 XORs, 7 table lookups and 6 temps | Figure 7
$5\times 5$ | | 20 XORs, 13 table lookups and 8 temps | Figure 7
$5\times 5$ | | 20 XORs, 13 table lookups and 8 temps | Figure 7
$6\times 6$ | | 30 XORs, 20 table lookups and 10 temps | Figure 7
$6\times 6$ | | 30 XORs, 20 table lookups and 10 temps | Figure 7
$7\times 7$ | | 42 XORs, 28 table lookups and 11 temps | Figure 7
$7\times 7$ | | 42 XORs, 28 table lookups and 11 temps | Figure 7
$8\times 8$ | | 56 XORs, 40 table lookups and 11 temps | Figure 12

We exhaustively searched for

The matrix

### 6.1 Comparison with other existing matrices

In the following table (Table 3), we compare the cost of implementations of few of our proposed matrices and some existing matrices which are used in several ciphers and hash functions.

Comparison between some good matrices of this paper and some other matrices.

Dimension | Type | Matrix | XORs | ${c}_{1}\left(M\right)$ | Table lookups | Temps | Comments
---|---|---|---|---|---|---|---
$4\times 4$ | | | 12 | 2 | 7 | 6 | Table 2
$4\times 4$ | circulant | | 12 | 2 | 8 | 6 | see [5]
$4\times 4$ | recursive | | 12 | 2 | 8 | 6 | see [8]
$4\times 4$ | companion | | 12 | 2 | 8 | 6 | see [10, 18]
$4\times 4$ | | | 12 | 2 | 8 | 6 | see [10, 25]
$5\times 5$ | | | 20 | 3 | 13 | 8 | Table 2
$5\times 5$ | circulant | | 20 | 2 | 15 | 8 | see [11]
$6\times 6$ | | | 30 | 4 | 20 | 10 | Table 2
$6\times 6$ | circulant | | 30 | 4 | 24 | 10 | see [11]
$7\times 7$ | | | 42 | 4 | 28 | 11 | Table 2
$7\times 7$ | circulant | | 42 | 4 | 28 | 11 | see [11]
$8\times 8$ | | | 56 | 4 | 40 | 11 | Figure 12
$8\times 8$ | circulant | | 56 | 4 | 40 | 11 | see [11]

## 7 Conclusion

MDS matrices provide optimal diffusion components which can be used as building blocks of cryptographic
primitives, like block ciphers and hash functions.
Multiplication by 1 over the finite field is trivial, and
so matrices with more occurrences of ones may have a more compact
footprint, which is desirable for lightweight applications. Also, matrices with fewer other
distinct elements may be implemented efficiently using table lookups.
Towards this, two combinatorial problems
were studied by Junod and Vaudenay in [12], namely,
how to maximize the number of ones and how to minimize other distinct elements in a bi-regular matrix.
They calculated the maximum number of ones that can occur in *d* up to 8. They also computed some important bounds on
the number of distinct elements in *d*, using their techniques
seems difficult.

We have observed simple yet subtle interconnections between the number of ones in MDS matrices
and the incidence matrices of Balanced Incomplete Block Design (BIBD).
This observation gives a generalized technique to solve these combinatorial problems for any value of *d*, for all practical purposes.
We have exactly computed the maximum number of ones in a *v* and *b*. Using these results, in this paper we have provided
*M* for *d* up to 21
having maximum number of ones.
Techniques used in this paper can be extended for higher values of *d*.
We also compute the minimum number of distinct elements for these *q* is any prime power.

We have proposed another technique to construct bi-regular matrices
and MDS matrices using Latin squares. We have shown that using the structure of Latin
squares, bi-regular matrices and MDS matrices can be constructed by judicious selection
of elements. Although this is a very easy method, it does not guarantee
the maximum number of occurrences of ones in all cases.
We have shown that if *d*, then
our method may be useful to construct *d* up to 8.

We provide an implementation of the matrix

```c
u0 = a[0]; u1 = a[1]; u2 = a[2]; u3 = a[3]; u4 = a[4]; u5 = a[5]; u6 = a[6];
/* a is the input vector */
u = tab_03[a[3]]; v = tab_09[a[4]]; w = tab_0a[a[5]]; x = tab_0e[a[6]];
a[0] = u0
```

From Corollary 9,

From Corollary 9, we have

Major part of the work was done when the second author was at R. C. Bose Centre for Cryptology & Security, Indian Statistical Institute, 203, B.T. Road, Kolkata-700108, India.

## References

- [1] D. Augot and M. Finiasz, Direct construction of recursive MDS diffusion layers using shortened BCH codes, Fast Software Encryption (FSE 2014), Lecture Notes in Comput. Sci. 8540, Springer, Berlin (2015), 3–17.
- [2] P. Barreto and V. Rijmen, The Khazad legacy-level block cipher, submission to the NESSIE Project (2000), http://cryptonessie.org.
- [3] P. S. L. M. Barreto and V. Rijmen, Whirlpool, Encyclopedia of Cryptography and Security, 2nd ed., Springer, New York (2011), 1384–1385.
- [4] J. Daemen, L. R. Knudsen and V. Rijmen, The block cipher Square, Fast Software Encryption (FSE 1997), Lecture Notes in Comput. Sci. 1267, Springer, Berlin (1997), 149–165.
- [5] J. Daemen and V. Rijmen, The Design of Rijndael: AES – The Advanced Encryption Standard, Springer, Berlin, 2002.
- [6] G. D. Filho, P. Barreto and V. Rijmen, The Maelstrom-0 hash function, Proceedings of the 6th Brazilian Symposium on Information and Computer Systems Security (2006); available at http://www.lbd.dcc.ufmg.br/colecoes/sbseg/2006/0017.pdf.
- [7] P. Gauravaram, L. R. Knudsen, K. Matusiewicz, F. Mendel, C. Rechberger, M. Schläffer and S. Thomsen, Grøstl – A SHA-3 candidate, submission to NIST (2008), http://www.groestl.info.
- [8] J. Guo, T. Peyrin and A. Poschmann, The PHOTON family of lightweight hash functions, Advances in Cryptology (CRYPTO 2011), Lecture Notes in Comput. Sci. 6841, Springer, Berlin (2011), 222–239.
- [9] K. C. Gupta and I. G. Ray, On constructions of involutory MDS matrices, Progress in Cryptology (AFRICACRYPT 2013), Lecture Notes in Comput. Sci. 7918, Springer, Berlin (2013), 43–60.
- [10] K. C. Gupta and I. G. Ray, On constructions of MDS matrices from companion matrices for lightweight cryptography, Security Engineering and Intelligence Informatics (CD-ARES 2013), Lecture Notes in Comput. Sci. 8128, Springer, Berlin (2013), 29–43.
- [11] K. C. Gupta and I. G. Ray, On constructions of circulant MDS matrices for lightweight cryptography, Information Security Practice and Experience (ISPEC 2014), Lecture Notes in Comput. Sci. 8434, Springer, Berlin (2014), 564–576.
- [12] P. Junod and S. Vaudenay, Perfect diffusion primitives for block ciphers: building efficient MDS matrices, Selected Areas in Cryptography (SAC 2004), Lecture Notes in Comput. Sci. 3357, Springer, Berlin (2005), 84–99.
- [13] J. Lacan and J. Fimes, Systematic MDS erasure codes based on Vandermonde matrices, IEEE Commun. Lett. 8 (2004), no. 9, 570–572.
- [14] F. J. MacWilliams and N. J. A. Sloane, The Theory of Error-Correcting Codes, North Holland, Amsterdam, 1986.
- [15] J. Nakahara, Jr. and E. Abrahão, A new involutory MDS matrix for the AES, Int. J. Netw. Secur. 9 (2009), no. 2, 109–116.
- [16] V. Rijmen, J. Daemen, B. Preneel, A. Bosselaers and E. De Win, The cipher SHARK, Fast Software Encryption (FSE 1996), Lecture Notes in Comput. Sci. 1039, Springer, Berlin (1996), 99–112.
- [17] M. Sajadieh, M. Dakhilalian, H. Mala and B. Omoomi, On construction of involutory MDS matrices from Vandermonde matrices in ${\rm GF}(2^{q})$, Des. Codes Cryptogr. 64 (2012), no. 3, 287–308.
- [18] M. Sajadieh, M. Dakhilalian, H. Mala and P. Sepehrdad, Recursive diffusion layers for block ciphers and hash functions, Fast Software Encryption (FSE 2012), Lecture Notes in Comput. Sci. 7549, Springer, Berlin (2012), 385–401.
- [19] B. Schneier, J. Kelsey, D. Whiting, D. Wagner, C. Hall and N. Ferguson, Twofish: A 128-bit block cipher, First Advanced Encryption Standard (AES) Candidate Conference, National Institute of Standards and Technology, Gaithersburg (1998); available at https://www.schneier.com/academic/paperfiles/paper-twofish-paper.pdf.
- [20] B. Schneier, J. Kelsey, D. Whiting, D. Wagner, C. Hall and N. Ferguson, The Twofish Encryption Algorithm, John Wiley & Sons, New York, 1999.
- [21] T. Shirai and K. Shibutani, On the diffusion matrix employed in the Whirlpool hashing function, preprint (2003), https://www.cosic.esat.kuleuven.be/nessie/reports/phase2/whirlpool-20030311.pdf.
- [24] D. Watanabe, S. Furuya, H. Yoshida, K. Takaragi and B. Preneel, A new keystream generator MUGI, Fast Software Encryption (FSE 2002), Lecture Notes in Comput. Sci. 2365, Springer, Berlin (2002), 179–194.
- [25] S. Wu, M. Wang and W. Wu, Recursive diffusion layers for (lightweight) block ciphers and hash functions, Selected Areas in Cryptography (SAC 2012), Lecture Notes in Comput. Sci. 7707, Springer, Berlin (2013), 355–371.
- [26] A. M. Youssef, S. Mister and S. E. Tavares, On the design of linear transformations for substitution permutation encryption networks, Workshop on Selected Areas in Cryptography (SAC 1997), Carleton University, Ottawa (1997), 40–48.
- [27] Sony Corporation, The 128-bit block cipher CLEFIA: Algorithm Specification (2007), http://www.sony.co.jp/Products/cryptography/clefia/download/data/clefia-spec-1.0.pdf.