Applications of design theory for the constructions of MDS matrices for lightweight cryptography

Kishan Chand Gupta 1 , Sumit Kumar Pandey 2  and Indranil Ghosh Ray 1
  • 1 Applied Statistics Unit, Indian Statistical Institute, 203, B.T. Road, Kolkata, India
  • 2 School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore, Singapore
Kishan Chand Gupta, Sumit Kumar Pandey
  • Corresponding author
  • School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore, Singapore
  • Email
  • Search for other articles:
  • degruyter.comGoogle Scholar
and Indranil Ghosh Ray

Abstract

In this paper, we observe simple yet subtle interconnections among design theory, coding theory and cryptography. Maximum distance separable (MDS) matrices have applications not only in coding theory but are also of great importance in the design of block ciphers and hash functions. It is nontrivial to find MDS matrices which could be used in lightweight cryptography. In the SAC 2004 paper [], Junod and Vaudenay considered bi-regular matrices which are useful objects to build MDS matrices. Bi-regular matrices are those matrices all of whose entries are nonzero and all of whose 2×2 submatrices are nonsingular. Therefore MDS matrices are bi-regular matrices, but the converse is not true. They proposed the constructions of efficient MDS matrices by studying the two major aspects of a d×d bi-regular matrix M, namely v1(M), i.e. the number of occurrences of 1 in M, and c1(M), i.e. the number of distinct elements in M other than 1. They calculated the maximum number of ones that can occur in a d×d bi-regular matrices, i.e. v1d,d for d up to 8, but with their approach, finding v1d,d for d9 seems difficult.

In this paper, we explore the connection between the maximum number of ones in bi-regular matrices and the incidence matrices of Balanced Incomplete Block Design (BIBD). In this paper, tools are developed to compute v1d,d for arbitrary d. Using these results, we construct a restrictive version of d×d bi-regular matrices, introducing by calling almost-bi-regular matrices, having v1d,d ones for d21. Since, the number of ones in any d×d MDS matrix cannot exceed the maximum number of ones in a d×d bi-regular matrix, our results provide an upper bound on the number of ones in any d×d MDS matrix.

We observe an interesting connection between Latin squares and bi-regular matrices and study the conditions under which a Latin square becomes a bi-regular matrix and finally construct MDS matrices from Latin squares. Also a lower bound of c1(M) is computed for d×d bi-regular matrices M such that v1(M)=v1d,d, where d=q2+q+1 and q is any prime power. Finally, d×d efficient MDS matrices are constructed for d up to 8 from bi-regular matrices having maximum number of ones and minimum number of other distinct elements for lightweight applications.

1 Introduction

Maximum distance separable (MDS) matrices incorporate diffusion layers in block ciphers and hash functions and are one of the vital constituents of modern age ciphers like Advanced Encryption Standard (AES) [5], Twofish [19, 20], SHARK [16], Square [4], Khazad [2], Clefia [27] and MDS-AES [15]. The stream cipher MUGI [24] uses MDS matrix in its linear transformations. MDS matrices are also used in the design of hash functions. Hash functions like Maelstrom [6], Grøstl [7] and PHOTON family of light weight hash functions [8] use MDS matrices as main part of their diffusion layers. MDS matrices, in general, have a large description and thus induces costly implementations both in hardware and software. It is nontrivial to find MDS matrices which could be used in lightweight cryptography.

It is difficult to define what an optimal matrix is in terms of implementation. In the SAC 2004 paper [12], Junod and Vaudenay studied MDS matrices M under the angle of efficiency and defined two mathematical criteria namely v1(M), i.e. the number of occurrences of ones and c1(M), i.e. the number of other distinct elements in the matrix. These lead to two very interesting combinatorial problems:

  1. (1)how to increase the number of occurrences of ones,
  2. (2)how to minimize the number of occurrences of other distinct elements.

They proved some optimality results relative to these two criteria.

Our contribution.

The techniques used in [12] to solve these above mentioned combinatorial problems for the construction of d×d MDS matrices were very specific to the dimension d for d up to 8 and it seems difficult to extend their techniques to solve the same combinatorial problems for higher values of d. In this paper, we further investigate these combinatorial problems in the light of design theory and propose more generalized results. In [12], the authors mentioned that maximum number of ones in d×d MDS matrices is close to dd but no generalized method is yet known to construct d×dbi-regular matrices having almost dd ones. A bi-regular matrix is a matrix all of whose entries are nonzero and all of whose 2×2 submatrices are nonsingular. It is evident from the definition that an MDS matrix is a bi-regular matrix, but the converse is not true. For higher values of d, the authors of [12] proposed a construction that can guarantee 3d-3 ones (see [12, Lemma 3]) in a d×d bi-regular matrix.

In a bi-regular matrix, there does not exist any 2×2 submatrix all of whose four entries are the same (otherwise this submatrix would be a singular matrix). If we replace all non-one entries with blank in a bi-regular matrix, we get another matrix, which we call almost-bi-regular matrix. An almost-bi-regular matrix is a matrix all of whose entries are either 1 or blank and all of whose 2×2 submatrices contain at most three ones. To get an MDS matrix with maximum possible number of ones, one approach would be to start with an almost-bi-regular matrix with maximum possible number of ones and then replace blanks with suitable non-one values so that the resulting matrix would become MDS. This approach requires two important steps:

  1. (a)the construction of an almost-bi-regular matrix with maximum possible number of ones,
  2. (b)fill the blank entries with non-one entries so that the resulting matrix would become MDS.

To make the resulting MDS matrix an efficient one, we require that the description of the matrix should be very low, i.e.

  1. (i)the number of distinct entries should be as low as possible,
  2. (ii)the number of low hamming weight entries should be as high as possible.

These two criteria were mentioned in [12] by introducing two mathematical notations, v1(M) which indicates number of ones and c1(M) which indicates number of distinct entries, for a bi-regular matrix M.

In this paper, we observe an interesting connection between the number of ones in almost-bi-regular matrices and incidence matrices of Balanced Incomplete Block Design (BIBD). Using results on BIBD, we exactly compute the maximum number of ones in v×b almost-bi-regular matrix whenever there exists (v,b,r,k,1)-BIBD. For arbitrary v and b also, we compute an upper bound on the maximum number of ones in any v×b almost-bi-regular matrix. Since the number of ones in a v×b MDS matrix cannot exceed the maximum number of ones in a v×b almost bi-regular matrix, our result gives an upper bound on the number of ones in any v×b MDS matrix. Moreover, this paper provides exact upper bounds on the number of ones for d×d almost-bi-regular matrix for d21.

We propose another simple technique of construction of bi-regular matrices and MDS matrices using Latin squares. Using the structure of Latin squares, it is shown that bi-regular matrices and MDS matrices can be constructed by judicious selection of elements. This paper shows that if v1d,d is multiple of d, then construction of d×d bi-regular matrices with maximum number of ones starting from Latin squares may be more useful. When d=q2+q+1, where q is any prime power, we compute tight lower bound of c1(M) for d×d bi-regular matrices M having v1d,d ones. Finally, d×d bi-regular matrices are proposed which are having maximum number of ones and minimum number of other elements. Moreover, efficient d×d MDS matrices are constructed from these bi-regular matrices for d up to 8.

Previous work.

Nearly all the ciphers use predefined MDS matrices to incorporate the diffusion property. In some ciphers, however, the possibility of random selection of MDS matrices with some constraints is provided [26]. In this context, we would like to mention that in the papers [1, 17, 13, 12, 26, 8, 9, 10, 11], different constructions of MDS matrices are provided. In [8], the authors constructed lightweight MDS matrices from companion matrices by exhaustive search. In [9], new involutory MDS matrices were constructed using properties of Cauchy matrices over additive subgroup of 𝔽2n and its equivalence with Vandermonde matrices based construction under some constraints was proved. In [10], the authors provably constructed new MDS matrices from companion matrices over 𝔽2n. In [11], the authors constructed new MDS matrices from circulant matrices over 𝔽2n. Efficient 4×4 and 8×8 MDS matrices to be used in block ciphers were constructed in [12]. Involutory MDS matrices using Vandermonde matrices were constructed in [17, 13]. New involutory MDS matrices using properties of Cauchy matrices were constructed in [26]. Recently in [1], the authors have constructed MDS matrices based on shortened BCH codes.

The organization of the paper is as follows: In Section 2, we provide definitions and preliminaries. In Section 3, we study the construction of almost-bi-regular matrices with maximum number of ones using properties of BIBDs. In Section 4, we study v1v,b for arbitrary v and b and construct d×d almost-bi-regular matrices having maximum number of ones for d up to 21. In Section 5, we study the d×d bi-regular matrix M having maximum number of ones and propose the minimum value of c1(M), where d=q2+q+1 and q is any prime power. In that section, we also study the construction of bi-regular matrices from Latin squares. In Section 6, we propose new and efficient d×d MDS matrices for d up to 8 having maximum number of ones and minimum number of other distinct elements. We conclude the paper in Section 7.

2 Definition and preliminaries

2.1 MDS code and MDS matrices

An MDS matrix provides diffusion properties that have useful applications in cryptography. The idea comes from coding theory, in particular from maximum distance separable (MDS) code. Let C be an [n,k,d] code. Then n-kd-1. Codes with n-k=d-1 are called maximum distance separable code, or MDS code for short.

Definition 1.

Let 𝔽 be a finite field and let p and q be two integers. Let xM×x be a mapping from 𝔽p to 𝔽q defined by the q×p matrix M. We say that it is an MDS matrix if the set of all pairs (x,M×x) is an MDS code, i.e. a linear code of dimension p, length p+q and minimal distance q+1.

The following theorem characterizes MDS matrices.

Theorem 2 ([14, p. 321]).

An [n,k,d] code C with generator matrix G=[I|A], where A is a k×(n-k) matrix, is MDS if and only if every square submatrix (formed from any i rows and any i columns, for any i=1,2,,min{k,n-k}) of A is nonsingular.

From the above theorem, it is evident that a square matrix A is an MDS matrix if and only if every square submatrices of A is nonsingular. It is easy to check that the MDS property remains invariant under the two elementary row (or column) operations, namely permutations of rows (or columns) and multiplying a row (or column) of a matrix by a scalar except zero. Also the MDS property is invariant under transpose operation. So we provide the following lemma without proof.

Lemma 3.

If A is an MDS matrix over F, then A, obtained by multiplying a row (or column) of A by any cF¯* (nonzero elements of algebraic closure of F) or by permutations of rows (or columns) is MDS. Also if A is MDS, so is AT.

2.2 Bi-regular matrices

In [12], the authors used bi-regular arrays to build MDS matrices. We call it as bi-regular matrix and define it slightly differently but equivalently.

Definition 4 (Bi-regular matrix).

A matrix is called bi-regular if all entries of the matrix are nonzero and all of its 2×2 submatrices are nonsingular.

Our target is to maximize the number of occurrences of ones in an MDS matrix. One approach may be to construct the bi-regular matrix with maximum number of ones and then to check its MDS property. So, we first take a matrix M=((mi,j)), where mi,j is kept blank for all values of i and j. Next, we put the maximum number of ones in this matrix such that in any 2×2 submatrix, not all positions are assigned to 1. We refer to such matrices as almost-bi-regular matrices. It may be noted that with judicious choices of other elements in the blank positions of almost-bi-regular matrices, bi-regular matrices may be constructed.

Definition 5 (Almost-bi-regular matrix).

A matrix with entries either 1 or blank is almost-bi-regular if in any of its 2×2 submatrices, there are at most three ones.

The significance of putting the maximum possible number of ones while constructing almost-bi-regular matrix is that no more 1 can be put in the matrix without violating the almost-bi-regular property. But, it has to be noted that an almost-bi-regular matrix saturated with ones may not guarantee that it contains maximum number of ones (see Remark 3). In Section 3 and Section 4, we will develop techniques to construct an almost-bi-regular matrix with maximum number of ones. Next, we replace all blank entries of the almost-bi-regular matrix by judicious choices of elements from 𝔽¯* other than 1 to make it a bi-regular matrix and then check its MDS property. No algorithm is known to select elements except exhaustive search. It may be noted that, as we construct d×d MDS matrices M with maximum number (i.e. v1d,d) of ones with low value of c1(M), search space gets reduced drastically. For example, to construct a 4×4 MDS matrix over 𝔽28, the size of search space is 28×16=2128, but for the 4×4 matrix of Figure 7, the size of search space becomes 28×2=216.

For an efficient implementation of perfect diffusion layer, it is desirable to have the maximum number of ones and the minimum number of different entries in the MDS matrix. In [12], the authors studied these two properties on bi-regular matrices and proposed some bounds.

Definition 6 ([12]).

Let M=((mi,j)) be a q×p bi-regular matrix over the field 𝔽.

  1. Let v1(M) denote the number of pairs (i,j) such that mi,j is equal to 1. We call it the number of occurrences of 1. Also, let v1q,p be the maximum value of v1(M) over all q×p bi-regular matrices M.
  2. Let c(M) be the cardinality of {mi,j:i=1,,q,j=1,,p}. This is called the number of distinct entries. Also let cq,p be the minimum value of c(M) over all q×p bi-regular matrices M.
  3. If v1(M)>0, let c1(M)=c(M)-1; otherwise c1(M)=c(M). This is called the number of nontrivial entries.

For example, for the matrix

M=(αα+1111αα+1111αα+1α+111α),

where α is the root of the generating polynomial x8+x4+x3+x+1 of 𝔽28, which is used in the mixColumn operation in AES [5], we have v1(M)=8 and c1(M)=2.

Remark 7.

The high value of v1 and the low value of c and c1 are desirable for constructing efficient MDS matrices.

From [12], we have the following fact.

Fact 1.

[12] The following hold:

  1. (a)v1p,q=v1q,p.
  2. (b)v1p,q increases with p and q.

In the next lemma, we state some results from [12, Lemma 1].

Lemma 8 ([12, Lemma 1]).

The following hold:

  1. (a)v13,p=p+3 for all p3.
  2. (b)v14,4=9, v15,5=12, v16,6=16, v17,7=21 and v18,8=24.

2.3 Balanced Incomplete Block Design (BIBD)

In this paper, we show an interesting connection between almost-bi-regular matrices and incidence matrices of BIBDs. Although the notations v1(M) and v1q,p were used for bi-regular matrices in [12], we use them (abuse of notations!), from here onwards, for almost-bi-regular matrices also for the same purpose. Thus, in the context of bi-regular matrices, v1(M) represents the number of ones in the bi-regular matrix M and v1q,p represents the maximum value of v1(M) over all q×p bi-regular matrices M. Similarly, in the context of almost-bi-regular matrices, v1(M) represents the number of ones in the almost-bi-regular matrix M and v1q,p represents the maximum value of v1(M) over all q×p almost-bi-regular matrices M. It is proved in this paper that for v×b almost-bi-regular matrices, v1v,b=bk whenever there exists (v,b,r,k,λ)-BIBD where λ=1. We also provide a tight upper bound of v1d,d for any value of d. Using these techniques, we provide very simple and alternative proof of optimality results of [12] which are given in Lemma 8. We propose techniques to construct any d×d matrix M where v1(M) is either v1d,d or very close to it.

Remark 9.

The existence of an almost-bi-regular matrix with l ones may not guarantee the existence of a bi-regular matrix with the same number of ones, i.e. l ones. But the converse is always true; the existence of a bi-regular matrix with l ones always guarantees the existence of an almost-bi-regular matrix with the same number of ones. Constructing almost-bi-regular matrix from bi-regular matrix is straightforward - replace all non-one elements from the bi-regular matrix with the blank symbol. The new matrix will be almost-bi-regular matrix.

Definition 10 ([23]).

A design is a pair (X,𝒜) such that the following properties are satisfied:

  1. X is a set of elements called points,
  2. 𝒜 is a collection (i.e. multiset) of nonempty subsets of X called blocks.

If two blocks in a design are identical, they are said to be repeated blocks. This is why 𝒜 is referred to as a multiset of blocks rather than a set.

Definition 11 ([23]).

Let v, k and λ be positive integers such that v>k2. A (v,k,λ)- balanced incomplete block design (which we abbreviate (v,k,λ)-BIBD) is a design such that the following properties are satisfied:

  1. (1)|X|=v,
  2. (2)each block contains exactly k points,
  3. (3)every pair of distinct points is contained in exactly λ blocks.

In the following two lemmas, we record two important properties of a BIBD.

Lemma 12 ([23]).

In a (v,k,λ)-BIBD, every element occurs in exactly r=λ(v-1)(k-1) blocks. The value r is often called the replication number of the BIBD.

Lemma 13 ([23]).

A (v,k,λ)-BIBD has exactly b blocks, where b=vrk=λ(v2-v)(k2-k).

Definition 14 ([23]).

A BIBD in which b=v (or, equivalently, r=k or λ(v-1)=k2-k) is called a symmetric BIBD.

For example, in a (7,3,1)-BIBD, X={1,2,3,4,5,6,7} and

𝒜={{1,2,3},{1,4,5},{1,6,7},{2,4,6},{2,5,7},{3,4,7},{3,5,6}}.

Here v=|X|=7 and b=|𝒜|=7. It is a symmetric BIBD as v=b. Also r=k=3.

Lemma 15 ([23]).

Suppose that (X,A) is a symmetric (v,k,λ)-BIBD and denote A={A0,,Av-1}. Suppose that 0i,jv-1, ij. Then |AiAj|=λ.

In this paper, a special kind of symmetric BIBDs, called projective planes, will be used for constructions of almost-bi-regular matrices.

Definition 16 (Projective plane, [23]).

A (d2+d+1,d+1,1)-BIBD with d2 is called a projective plane of order d.

It may be noted that although a (3,2,1)-BIBD exists, this is not regarded as a projective plane of order 1 (also see [23]). Here we mention one very important result on projective plane which is crucial in our work.

Theorem 17 ([23]).

For every prime power q2, there exists a (symmetric) (q2+q+1,q+1,1)-BIBD (i.e. a projective plane of order q).

In this paper, we will use the notation (v,b,r,k,λ)-BIBD to record the values of all five parameters. Note that for a projective plane, i.e. a (d2+d+1,d+1,1)-BIBD,

r=v-1k-1=d2+d+1-1d=d+1

and

b=vrk=(d2+d+1)×(d+1)(d+1)=d2+d+1.

So we call it (d2+d+1,d2+d+1,d+1,d+1,1)-BIBD.

It is often convenient to represent a BIBD by means of an incidence matrix.

Definition 18 (Incidence matrix, [23]).

Let (X,𝒜) be a design with X={x0,,xv-1}, 𝒜={A0,,Ab-1}. The incidence matrix of (X,𝒜) is the v×b matrix M=((mi,j)) defined by the rule

mi,j={1,if xiAj,0,if xiAj,for any i{0,1,,v-1} and j{0,1,,b-1}.

For constructions of MDS matrices, we use a slightly modified version of incidence matrix, which we call derived-incidence matrix.

Definition 19 (Derived-incidence matrix).

If all zeros of an incidence matrix are replaced by a special symbol blank, the derived matrix is called derived-incidence matrix.

Fact 2 ([23]).

The incidence matrix M of a (v,b,r,k,λ)-BIBD (or the derived-incidence matrix M obtained from M) satisfies the following properties:

  1. (1)Every column of M (or M) contains exactly k ones.
  2. (2)Every row of M (or M) contains exactly r ones;
  3. (3)Two distinct rows of M (or M) both contain ones in exactly λ columns.

2.4 Jensen’s inequality

Theorem 20 ([22]).

Suppose that f is a continuous and strictly convex function on the interval I. Suppose further that i=0b-1ti=1, 0<ti and 0ib-1. Then f(i=0b-1tiki)i=0b-1tif(ki), where kiI, 0ib-1. Further, equality occurs if and only if k0=k1==kb-1.

If we take the convex function f(x)=x(x-1)2 and use Jensen’s inequality, Lemma 21 can be verified easily.

Lemma 21.

Let i=0b-1ki=n, where all ki are positive integers. Then

b×nb×(nb-1)2i=0b-1(ki2).

If nb=k is an integer, then

b×(k2)i=0b-1(ki2).

Proof.

Let f(x)=x(x-1)2. Also let ti=1b for all i{0,,b-1}. So,

f(i=0b-1tiki)=f(nb)=nb×(nb-1)2.

Also i=0b-1tif(ki)=1bi=0b-1(ki2). Thus from Theorem 20,

nb×(nb-1)21bi=0b-1(ki2).

Hence we have proved the result. ∎

3 Finding v1v,b where (v,b,k,r,1) is a BIBD

One approach for constructing an MDS matrix is to construct first an almost-bi-regular matrix with l ones and then assign nonzero field elements other than 1 to the rest of the positions of the matrix. If the resultant matrix is MDS, return that MDS matrix, else return failure. The above mentioned process can be repeated iteratively

  1. (a)by trying all possible nonzero elements other than 1 for fixed l,
  2. (b)through all choices of l starting from maximum number of ones that matrix can accommodate till 0.

For efficiency, in the resultant MDS matrix M, it is desired to have a high value of v1 and a low value of c1 as much as possible. In [12], the authors computed the maximum number of occurrences of 1 in a d×d matrix, i.e. v1d,d for d up to 8 and also determined the position of ones in the corresponding bi-regular matrices. With their approach, determining v1d,d seems difficult for higher values of d.

In this section, we study the connection between the incidence matrix of BIBD and the almost-bi-regular matrix and propose techniques to compute the value of v1v,b whenever there exists a (v,b,r,k,1)-BIBD. In the following lemma, we show that the derived-incidence matrix of (v,b,r,k,λ)-BIBD is an almost-bi-regular matrix whenever λ=1. Not only that, this section furthermore shows that the maximum number of ones which can be put in a v×b almost-bi-regular matrix is equal to the number of ones in the derived-incidence matrix of (v,b,r,k,1)-BIBD. The equality in the number of ones in both the almost-bi-regular matrix and the derived-incidence matrix of (v,b,r,k,1)-BIBD seems obvious considering the fact that the derived-incidence matrix of (v,b,r,k,λ)-BIBD is an almost-bi-regular matrix whenever λ=1. But, this section presents something more: the maximality of ones. To the best of our knowledge, the literature on BIBDs deals only with the existence and constructions, while this section provides a result which proves that those constructions, in fact, yield the maximum number of ones as well.

Lemma 1.

The derived-incidence matrix of (v,b,r,k,λ)-BIBD is an almost-bi-regular matrix if and only if λ=1.

Proof.

Let us consider the (v,b,r,k,λ)-BIBD, where λ=1. Let the set of elements and the set of blocks of this BIBD be X={x0,,xv-1} and 𝒜={A0,,Ab-1}, respectively. Let the corresponding v×b derived-incidence matrix be M=((mi,j)). So, from the definition of the derived-incidence matrix, mi,j=1 if xiAj for any i{0,1,,v-1} and j{0,1,,b-1}; otherwise mi,j is blank.

Let us consider any arbitrary 2×2 submatrix

M1=(ms1,t1ms1,t2ms2,t1ms2,t2)

of M. Note that not all elements of the submatrix are 1 because then we will get msi,tj=1 for i,j{1,2}. This implies that the elements xs1 and xs2 are contained simultaneously in two blocks At1 and At2, which is a contradiction to the fact that λ=1, i.e. a pair of elements can be contained in only one block. So all four elements of any 2×2 submatrix of M are not 1. Thus M is almost-bi-regular.

If λ>1, then some pair of elements, say xs1 and xs2, will occur in at least two blocks, say, At1 and At2. Thus in the 2×2 submatrix M1 all four entries are 1. So M is not almost-bi-regular. ∎

Remark 2.

Let M be the derived-incidence matrix of a BIBD with λ=1. We cannot add any more 1 in the matrix M without disturbing the almost-bi-regular property. For example, suppose that the (i,j)-th entry is blank and let us fill the (i,j)-th entry by 1. Also, let us consider any other element of the block Aj, say, xk. The elements xi and xk must be contained in some block, say, Al. So, mk,l=mk,j=mi,l=mi,j=1. So clearly the 2×2 submatrix formed by taking the k-th row, the i-th row, the l-th column and the j-th column of the matrix M is not almost-bi-regular.

Remark 3.

Let M be any almost-bi-regular matrix such that no more 1 can be added in the matrix without disturbing the almost-bi-regular property. Note that this condition does not always guarantee that an almost-bi-regular matrix has maximum number of ones.

(1111111),

no more 1 can be placed without disturbing the bi-regular property. Here the number of occurrences of 1 is 7, but we know v14,4=9 and the corresponding matrix may be

(111111111).

Remark 4.

Let M=((mi,j)) be any v×b almost-bi-regular matrix. Let us associate the element xi corresponding to the i-th row and the block Aj corresponding to the j-th column, where i{0,,v-1} and j{0,,b-1}. Let us consider the design (X,𝒜), where X={x0,,xv-1} and 𝒜={A0,,Ab-1} such that mi,j=1 if and only if xiAj. So M is the derived-incidence matrix of the design (X,𝒜). Note that, since M is almost-bi-regular, any pair of elements will occur in at most one of the blocks of 𝒜, i.e. |AiAj|1 for all i,j{0,,b-1} and ij.

In Theorem 8, we will show that the derived-incidence matrices of BIBDs with λ=1 contain the maximum number of ones maintaining the almost-bi-regular property. But before that, we study some crucial properties of almost-bi-regular matrices and derived-incidence matrices of BIBDs with λ=1 in Lemma 5, Lemma 6 and Lemma 7.

Lemma 5.

Let M be the derived-incidence matrix of a design (X,A), where |X|=v and |A|=b. Also for an element xX, let us define the set Sx as follows: Sx={(x,y,A):x,yA and AA,yX}. If M is almost-bi-regular matrix, then |Sx|v-1.

Proof.

An element x can form maximum v-1 pairs (x,y) with all different v-1 elements. More than v-1 pairs involving x amounts to repetition of some pair in more than one blocks, but since M is almost-bi-regular matrix, any pair of elements (x,y) occurs at most once. Hence we have proved the result. ∎

Lemma 6.

Let M be the derived-incidence matrix of a design (X,A), where |X|=v and |A|=b. Also let us define the set S as follows: S={(x,y,A):x,yA and AA}. If M is an almost-bi-regular matrix, then |S|(v2).

Proof.

Since M is an almost-bi-regular matrix, any pair of elements (x,y) occurs at most in one of the blocks of 𝒜. So if (x,y,Ai)𝒮, then (x,y) will not be contained in any blocks of 𝒜 except Ai. Since there are (v2) pairs that can be formed from the elements of X, we have |𝒮|(v2). ∎

Lemma 7.

Let the design (X,A) be a (v,b,r,k,1)-BIBD and define S by S={(x,y,A):x,yA and AA}. Then |S|=(v2).

Proof.

Note that in a (v,b,r,k,1)-BIBD, every pair of elements of X occurs exactly in one block. So, |𝒮|=(v2). Alternatively, each block has k elements. Hence, each block contributes (k2) elements in 𝒮. Since there are b blocks, we have

|𝒮|=(k2)×b=k(k-1)2×vrk=k(k-1)2×v×(v-1)(k-1)×k=v(v-1)2=(v2).

Theorem 8.

Let there exist some (v,b,r,k,1)-BIBD whose derived-incidence matrix is M. Then M has the maximum number of ones, i.e. v1v,b is the number of ones and v1v,b=bk.

Proof.

Let (X,𝒜) be the (v,b,r,k,1)-BIBD. From Lemma 1 and Fact 2, M is almost-bi-regular matrix with bk ones. From Lemma 7, |𝒮|=(v2), where 𝒮={(x,y,A):x,yA for some A𝒜}.

Let, if possible, there be a v×b almost-bi-regular matrix M having (bk+1) ones. For the matrix M, let the corresponding design be (X,𝒜), where 𝒜={A0,,Ab-1}. Similar to 𝒮, let us define the set 𝒮 as follows:

𝒮={(x,y,A):x,yA for some A𝒜}.

Let M′′ be the matrix obtained by replacing one occurrence of 1 by blank from, say, the p-th column of M which has at least two elements. Now M′′ has b×k ones. For the matrix M′′, let the corresponding design be (X,𝒜′′), where 𝒜′′={A0′′,,Ab-1′′}. Let us define the set 𝒮′′ as follows:

𝒮′′={(x,y,A):x,yA for some A𝒜′′}.

So, |Ai|=|Ai′′| for i=0,,p-1,p+1,,b-1 and |Ap|=|Ap′′|+1. Let |Ai′′|=ki′′ for i=0,,b-1. Hence, the number of elements in M′′ is b×k=i=0b-1ki′′. Also, the block Ai′′ contributes (ki′′2) elements in 𝒮′′. So,

|𝒮′′|=i=0b-1(ki′′2).

From Lemma 21,

i=0b-1(ki′′2)b×(k2)=(v2)=|𝒮|.

So, |𝒮′′||𝒮|. Also, |𝒮|=|𝒮′′|+|Ap′′|. So, |𝒮|>|𝒮|=(v2), a contradiction to Lemma 6. ∎

Corollary 9.

Let d=q2+q+1, where q is any prime power. Then v1d,d=(q2+q+1)×(q+1).

Proof.

Let us consider the (v,b,r,k,λ)-BIBD, where v=b=q2+q+1, r=k=q+1 and λ=1, and let M be its derived-incidence matrix. From Theorem 17, such a BIBD exists for any prime power q. From Lemma 1, M is almost-bi-regular and from Theorem 8, the number of ones in M is vd,d=(q2+q+1)×(q+1). ∎

Remark 10.

From Corollary 9, if q=3, then d=32+3+1=13 and thus v113,13=13×(3+1)=52 and the corresponding matrix is given in Figure 4. Similarly, when q=22=4, then d=42+4+1=21 and thus v121,21=21×(4+1)=105 and the corresponding matrix is given in Figure 15 of Appendix A.3.

Let M be an almost-bi-regular matrix having maximum number of ones and also let the corresponding design be (X,𝒜). If (X,𝒜) is a BIBD, then for any two elements of X, say xs and xt, there always exists a block A of 𝒜 such that xs,xtA. If (X,𝒜) is not a BIBD, then such a block may not exist. For example, let us consider the 6×6 matrix of Figure 1. This matrix is an almost-bi-regular matrix with maximum number of ones, but the pair (x0,x1) does not occur in any block. Note that Theorem 8 can compute the value v1v,b if there exists a (v,b,r,k,λ)-BIBD, where λ=1.

Figure 1

    Example of 6×6 almost-bi-regular matrices having sixteend ones which is maximum.

    Citation: Journal of Mathematical Cryptology 11, 2; 10.1515/jmc-2016-0013

    4 Some results on v1v,b for arbitrary v and b

    In this section, we study some upper bounds of v1v,b for arbitrary v and b. We also determine v1d,d for d up to 21. In doing so, we first develop tools which are useful. For simplicity and compactness of expression, here we first introduce some notations, definitions and discuss few crucial properties, some of which resemble properties of previous section.

    4.1 A few more definitions and notations

    Let M=(mij) be a v×b matrix. Let Ri=(mi0,mi1,,mi(b-1)) and Cj=(m0j,m1j,,m(v-1)j), i.e. the i-th row and the j-th column, respectively. We assume that 0iv-1 and 0jb-1.

    We define RiCj=mij=CjRi. If mij is 1, we say RiCj=CjRi=1, else 0. If RiCj=CjRi=1, we say that the row Ri makes an intersection with the column Cj and vice versa.

    We define RiRk={j:0jb-1 and RiCj=RkCj=1}, i.e. the index set corresponding to these blocks containing both the elements corresponding to Ri and Rk. Similarly, we define

    CiCk={j:0jv-1 and CiRj=CkRj=1},

    i.e. the set of elements that are contained in both the blocks corresponding to Ci and Ck.

    Let ij. If |RiRj|1, then we say that the row Ri makes pair with the row Rj. Similarly, if |CiCj|1, then we say that the column Ci makes pair with the column Cj. It may be noted that for almost-bi-regular matrices |RiRj|1 and |CiCj|1 for all distinct indices i,j, which directly follows from the definition of almost-bi-regular matrices. So we have the following lemma.

    Lemma 1.

    Let M be a v×b matrix. Then M is an almost-bi-regular matrix if and only if |RiRk|1 for all 0i<kv-1 and |CiCk|1 for all 0i<kb-1.

    Set |Ri|=|RiRi|, i.e. the number of columns which intersect with the row Ri, and similarly |Ci|=|CiCi| which denotes the number of rows which intersect with the column Ci. Let max(|C|)=max{|Ci|}i=0b-1 and max(|R|)=max{|Ri|}i=0v-1. In a similar manner, we define min(|C|)=min{|Ci|}i=0b-1 and min(|R|)=min{|Ri|}i=0v-1. The following two lemmas give interpretations of |Ri| and |Cj|, respectively.

    Lemma 2.

    Let M be a v×b almost-bi-regular matrix. Then the row Ri contains l ones if and only if |Ri|=l.

    Proof.

    Let J={0,1,,b-1}. Suppose that |Ri|=|RiRi|=l. By definition,

    RiRi={j:0jb-1 and |RiCj|=1}.

    Let J1=RiRi={j1,j2,,jl}J. Then we have RiCj=mij=1 if and only if jJ1. Hence we obtain that Ri=(mi0,mi1,,mi(b-1)) contains |J1|=l ones. Conversely, suppose that Ri=(mi0,mi1,,mi(b-1)) contains l ones. Let J1={j1,,jn}J be the set of indices such that mij=1 if and only if jJ1. So, |J1|=l. Moreover, |RiCj|=1 if and only if jJ1. Therefore, RiRi=J1 and thus |Ri|=|RiRi|=|J1|=l. ∎

    Similarly, we have the following lemma.

    Lemma 3.

    Let M be a v×b almost-bi-regular matrix. Then the column Ci contains l ones if and only if |Ci|=l.

    In the following lemma, we study the correlation between the number of intersections and the number of pairs that the row Ri makes with different columns and rows, respectively, in an almost-bi-regular matrix.

    Lemma 4.

    Let M be a v×b almost-bi-regular matrix. Suppose that the row Ri makes intersections with exactly l columns, Cj1,Cj2,,Cjl. If |Cjk|=ck, for 1kl, then the row Ri makes pair with exactly k=1l(ck-1) rows.

    Proof.

    Let J1(jk)=CjkCjk. Since |Cjk|=ck, it follows that |J1(jk)|=ck. Since Ri intersects with column Cjk, we obtain iJ1(jk). Let

    J1¯=(jk)J1(jk){i}.

    So, |J1¯|(jk)=ck-1.

    Now, we show that J1¯(jm)J1¯=(jn) for all 1m<nl. If not, there exists ti for some r,s such that 1r<sl, 0tv-1 and tJ1¯(jr)J1¯(js). Therefore, |RtCjr|=|RtCjs|=1 which then implies mtjr=mtjs=1. Since Ri makes pair with columns Cjr and Cjs, we have |RiCjr|=|RiCjs|=1 which then implies mijr=mijs=1. Consider a 2×2 submatrix formed by the rows Ri,Rt and columns Cjr,Cjs. The entries of this submatrix will be mijr,mijs,mtjr,mtjs and all are 1, a contradiction. Hence,

    J1¯(jm)J1¯=(jn)

    for all 1m<nl.

    Choose any tJ1¯(jk). Since tJ1¯(jk), we have |RtCjk|=1. Moreover, |RiCjk|=1 and thus jkRiRt. Therefore, |RiRt|1, but from Lemma 1, |RiRt|1 which then implies |RiRt|=1. Hence, the row Ri makes pair with the row Rt. Conversely, suppose that Ri makes pair with some row Rt. Then |RiRt|=1. Let zRiRt. Then |RiCz|=|RtCz|=1 and therefore tCzCz. Since Ri makes pair with Cz, it follows that z{j1,j2,,jl}. Thus tJ1¯(jk) for some 1kl. Therefore the row Ri makes pair with the row Rt if and only if tJ1¯(jk) for some 1kl.

    Let J1=k=1lJ1¯(jk). As J1¯(jm)J1¯=(jn) for all 1m<nl, we have

    |J1|=k=1l|J1¯|(jk)=k=1l(ck-1).

    Therefore, the row Ri makes pair with k=1l(ck-1) rows. ∎

    Similarly, by interchanging rows and columns, we have the following lemma.

    Lemma 5.

    Let M be a v×b almost-bi-regular matrix. Suppose that the column Ci makes intersections with exactly l rows, say Rj1,Rj2,,Rjl. If |Rjk|=rk, then the column Ci makes pair with exactly k=1l(rk-1) columns.

    In a v×b almost-bi-regular matrix, any row can make pair with at most v-1 rows and similarly any column can make pair with at most b-1 columns. So we have the following two lemmas which are similar to Lemma 6 but in a different setting.

    Lemma 6.

    Let M be a v×b almost-bi-regular matrix. Suppose that |Ci|=ki for 0ib-1. Then

    i=0b-1(ki2)(v2).

    Proof.

    Let CiCi={j1,j2,,jki} and i={(jr,js):1r<ski}. We now show that mn= for all 0m<nb-1. If not, then for some 0m<nb-1 and for some 0p<qv-1, the tuple (p,q) is an element of mn. So, p,qCmCm and p,qCnCn. Thus

    |RpCm|=|RqCm|=|RpCn|=|RqCn|=1

    which then implies there exists a 2×2 submatrix all of whose entries are 1, a contradiction. Hence mn= for all 0m<nb-1.

    Let ={(p,q):0p<qv-1}. It is easy to check that i=0b-1i and therefore |i=0b-1i|||=(v2). Since mn=, we have

    |i=0b-1i|=i=0b-1|i|=i=0b-1(ki2)||=(v2).

    Hence the lemma. ∎

    Similarly, by interchanging rows and columns, we have the following lemma.

    Lemma 7.

    Let M be a v×b almost-bi-regular matrix. Suppose that |Ri|=ki for 0iv-1. Then

    i=0v-1(ki2)(b2).

    Now we define b(v), which is crucial for determining the upper bound of v1v,b.

    Definition 8.

    Let b and v be two non-negative integers. We define b(v)=b+b2+4bv(v-1)2.

    In Theorem 13, we study the upper bound of v1v,b. Before that, we study two important properties of b(v) in Lemma 9 and Lemma 10, which can be verified by elementary arithmetic.

    Lemma 9.

    If 1vb, then min(Fv(b),Fb(v))=Fb(v).

    Lemma 10.

    If 1v and 1b, then Fb(v+1)-Fb(v)1.

    Now we introduce another term, 𝒢d(d), which helps in determining maximum number of ones in a matrix where some row or column previously contains a fixed number of ones.

    Definition 11.

    Let d1. We define 𝒢d(d)=2d-1 and 𝒢d(k)=k+d-1+d-1(d-k) for 0kd-1.

    In the next lemma, we show that 𝒢d(k) is monotone decreasing.

    Lemma 12.

    We have Gd(k+1)Gd(k) for d2 and 0kd-1.

    Proof.

    If 0kd-2, then

    𝒢d(k+1)-𝒢d(k)=1+d-1(d-k-1)-d-1(d-k).

    Let d-1=b and d-k-1=a. Since d2 and 0kd-2, we have b1 and 1d-k-1=ad-1. Therefore,

    𝒢d(k+1)-𝒢d(k)=1+b(a)-b(a+1).

    From Lemma 10, 𝒢d(k+1)-𝒢d(k)1-1=0.

    If k=d-1, then

    𝒢d(k+1)-𝒢d(k)=2d-1-(d-1)-d+1-d-1(1)=1-(d-1)=2-d0.

    4.2 Some important bounds

    In Theorem 13 and its corollary, we provide a tight upper bound of v1v,b and v1d,d for all values of v,b and d.

    Theorem 13.

    We have v1v,bmin(Fv(b),Fb(v)).

    Proof.

    Let v1v,b=n. Also let |Ri|=ri and |Ci|=ci. Then

    i=0v-1ri=n,i=0v-1(ri2)(b2)

    from Lemma 7, and

    i=0b-1ci=n,i=0b-1(ci2)(v2)

    from Lemma 6. From Jensen’s inequality, when (1) holds, we get

    v×(nv2)i=0v-1(ri2)(b2).

    Solving the above inequality, we get n2-nv-bv(b-1)0 which then implies

    nv+v2+4vb(b-1)2.

    So,

    nv+v2+4vb(b-1)2=v(b).

    Similarly, when (2) holds, we get nb(v). Thus, nmin(v(b),b(v)). ∎

    Corollary 14.

    We have

    v1d,dd×1+4d-32.

    Proof.

    Putting v=b=d in Corollary 13, we get

    v1d,dd(d)=d×1+4d-32.

    Remark 15.

    For any prime power q, there exists a projective plane which is a symmetric (q2+q+1,q2+q+1,q+1,q+1,1)-BIBD. From Corollary 14,

    v1(q2+q+1,q2+q+1)(q2+q+1)×1+4(q2+q+1)-32=(q2+q+1)×(q+1).

    Also, note that, from Theorem 8, v1(q2+q+1,q2+q+1)=(q2+q+1)×(q+1). So, when d=q2+q+1 for some prime power q,

    v1d,d=d×1+4d-32.

    Similarly, when (v,b,r,k,1)-BIBD exists, v1v,b=b(v).

    In the next theorem, we study the upper bound of v1(M) for a d×d matrix M where one of its columns contains k ones.

    Theorem 16.

    Let M be a d×d almost-bi-regular matrix with one column having k occurrences of 1. Then v1(M)Gd(k).

    Proof.

    We consider two cases.

    Case d=1. If k=0, then

    𝒢d(k)=k+d-1+d-1(d-k)=0+1-1+0(1)=0.

    If k=1, then

    𝒢d(k)=2d-1=1.

    Case d2. If k=0, then the maximum number of ones in M can be at most d(d-1). From Lemma 9,

    d(d-1)d-1(d)<k+d-1+d-1(d-k)=𝒢d(k).

    If k=d, then the maximum number of ones in M can be at most d+d-1=2d-1=𝒢d(k).

    Let 1kd-1. Without loss of generality, assume that the matrix M contains exactly k ones in column C0. We further assume that |RiC0|=1 for all 0ik-1 and |RjC0|=0 for all kjd-1. Consider a submatrix of M, say M1, formed by rows R0,R1,,Rk-1 and columns C0,C1,C2,,Cd-1. Consider another submatrix of M, say M2, formed by rows Rk,Rk+1,,Rd-1 and columns C0,C1,,Cd-1. Since any submatrix of an almost-bi-regular matrix is almost-bi-regular, therefore M1 and M2 also will be almost-bi-regular.

    In the matrix M1, the column C0 makes pair with the rows R0,R1,,Rk-1, i.e. |RiC0|=1 for all 0ik-1. Therefore, |Cj|1 for all 1jd-1. If not, then say |Ct|2 for some 1td-1. Since |Ct|2, there exists at least two rows Rj1,Rj2 for some 0j1<j2k-1 such that |Rj1Ct|=|Rj2Ct|=1. So, tRj1Rj2. But 0Rj1Rj2 (as |Rj1C0|=|Rj2C0|=1). Thus we have {0,t}Rj1Rj2 which implies |Rj1Rj2|2, a contradiction (by Lemma 1). Hence |Cj|1 for all 1jd-1. So the total number of ones in the matrix M1 will be at most i=0d-1|Ci|=k+d-1.

    In the matrix M2, the column C0 contains no ones, i.e. |C0|=0. Consider the d-k×d-1 submatrix M2¯ of the matrix M2 formed by rows Rk,,Rd-1 and columns C1,,Cd-1. Since M2 is almost-bi-regular, therefore M¯2 also is almost-bi-regular. Hence, the maximum number of ones in M¯2 can be v1d-k,d-1.

    Thus, the total number of ones in matrix M can be at most

    k+d-1+v1d-k,d-1k+d-1+d-1(d-k)=𝒢d(k)

    (from Theorem 13). ∎

    In analyzing v1d,d, we often encounter situations where we need to determine the number of columns (rows) needed to accommodate some r rows (columns) of a v×b almost-bi-regular matrix, each containing, say, k ones. In the next two theorems, we explore lower bound on number of such rows (columns).

    Theorem 17.

    In a v×b almost-bi-regular matrix, if there are r rows (rv) each containing k ones, then the number of columns needed to accommodate such r rows should be at least

    max(1+1+4rk(k-1)2,rk2r+k-1).

    Proof.

    Let the minimum number of columns required to accommodate such r rows be c. Consider the r×c submatrix M where each row contains exactly k ones. Suppose that, in the matrix M, column Ci contains ki ones. Then i=0c-1ki=rk. For M to be almost-bi-regular matrix, it is required that

    1. (1)r(k2)(c2) (from Lemma 7),
    2. (2)i=0c-1(ki2)(r2) (from Lemma 6).

    For (1) to hold, it is required that rk(k-1)c(c-1) which then implies c2-c-rk(k-1)0. Thus,

    c1+1+4rk(k-1)2

    and hence

    c1+1+4rk(k-1)2.

    From Jensen’s inequality, when (2) holds, we get

    rk(rk-c)2ci=0c-1(ki2)(r2).

    From above inequality, we get crk2r+k-1 and hence

    crk2r+k-1.

    From (a) and (b), we conclude that

    cmax(1+1+4rk(k-1)2,rk2r+k-1),

    as desired. ∎

    Similarly by interchanging rows and columns, we have the following theorem.

    Theorem 18.

    In a v×b almost-bi-regular matrix, if there are c columns (cb) each containing k ones, then the number of rows needed to accommodate such c columns should be at least

    max(1+1+4ck(k-1)2,ck2c+k-1).

    4.3 Finding v1d,d for d up to 21

    For d=q2+q+1, where q is any prime power, v1d,d can be computed using Corollary 9. With this technique we handle the case when d=32+3+1=13 and d=42+4+1=21. For arbitrary d, let q be the lowest prime power such that d<q2+q+1. To design the d×d almost-bi-regular matrices, one approach may be to start by taking the derived-incidence matrix corresponding to the (q2+q+1,q2+q+1,q+1,q+1,1)-BIBD and then by reducing (q2+q+1-d) rows and columns so that minimum number of ones are removed. We show that using this technique, d×d almost-bi-regular matrices with v1d,d ones can be constructed for any value of d<21 except for d=14 and 15. The cases when d{14,15} are dealt in Lemma 23 and Lemma 25.

    Lemma 19 (Alternative proof of some results of part (b) of Lemma 8).

    We have v12,2=3, v13,3=6, v14,4=9, v15,5=12, v16,6=16 and v17,7=21.

    Proof.

    Since (3,3,2,2,1)-BIBD exists, it follows from Theorem 8 that v13,3=6 and the corresponding almost-bi-regular matrix is given in Figure 2. From Corollary 9, v17,7=7×(2+1)=21. The derived-incidence matrix of (7,7,3,3,1)-BIBD given in Figure 3.

    From Corollary 14,

    v12,22×1+4×2-32=3,
    v16,66×1+4×6-32=16,
    v15,55×1+4×5-32=12,
    v14,44×1+4×4-32=9.

    To complete the proof, we provide the corresponding matrices in Figure 2 and Figure 3. ∎

    Figure 2

      Examples of d×d almost-bi-regular matrices having maximum number of ones for d=3,2.

      Citation: Journal of Mathematical Cryptology 11, 2; 10.1515/jmc-2016-0013

      Figure 3

        Examples of d×d almost-bi-regular matrices having maximum number of ones for d=7,6,5,4.

        Citation: Journal of Mathematical Cryptology 11, 2; 10.1515/jmc-2016-0013

        Lemma 20 (Alternative proof of one result of part (b) of Lemma 8).

        We have v18,8=24.

        Proof.

        If max(|C|)=5, then from Theorem 16,

        𝒢8(5)=5+7+7(3)=12+10=22.

        From Lemma 12, 𝒢8(j)𝒢8(5) for j5. Hence, any 8×8 almost-bi-regular matrix having max(|C|)5 can have at most 22 ones.

        If max(|C|)=4, then

        𝒢8(4)=4+7+7(4)=11+13=24.

        If max(|C|)=3, then

        𝒢8(3)=3+7+7(5)=10+15=25,

        but in this case, the maximum number of ones cannot exceed 3×8=24. So, possible maximum value of ones in almost-bi-regular matrix of size 8 is 24 and it can be achieved when max(|C|)=4 or max(|C|)=3. The construction for such a matrix is shown in Figure 4. ∎

        Figure 4

          Examples of 13×13 and 8×8 almost-bi-regular matrices having maximum number of ones.

          Citation: Journal of Mathematical Cryptology 11, 2; 10.1515/jmc-2016-0013

          Remark 21.

          Another form of 8×8 almost-bi-regular matrix with v18,8 ones is

          (111111111111111111111111).

          This form corresponds to the circulant matrices and MDS matrices can be constructed from this almost-bi-regular matrix (see [11]). In Section 5, we provide an alternative way to construct MDS matrices using Latin squares, which resemble this form (see Figure 11 and Figure 12). Note that no 8×8 MDS matrix over 𝔽28 is found which is of the form as given in Figure 4 (see Remark 1).

          Lemma 22.

          We have

          1. (a)v19,9=29,
          2. (b)v110,10=34 and v112,12=45,
          3. (c)v111,11=39,
          4. (d)v113,13=52.

          Proof.

          (a) If max(|C|)=5, then

          𝒢9(5)=5+8+8(4)=13+14=27

          (Theorem 16). From Lemma 12, 𝒢9(j)𝒢9(5) for j5. Hence, any 9×9 almost-bi-regular matrix having max(|C|)5 can have at most 27 ones. If max(|C|)=4, then

          𝒢9(4)=4+8+8(5)=12+17=29.

          If max(|C|)=3, then

          𝒢9(3)=3+8+8(6)=11+20=31,

          but in this case, the maximum number of ones cannot exceed 3×9=27. So, the possible maximum value of ones in almost-bi-regular matrix of size 9 is 29 and it can be achieved when max(|C|)=4. The construction for such matrix is shown in appendix. Such a construction is given in Figure 14 of Appendix A.2.

          (b) It can be proved similarly as it was proved for v18,8 and v19,9. The constructions for such 10×10 and 12×12 almost-bi-regular matrices with 34 and 45 ones have been shown in Figure 14 of Appendix A.2.

          (c) If max(|C|)=5, then

          𝒢11(5)=5+10+10(6)=15+23=38.

          If max(|C|)=4, then

          𝒢11(4)=4+10+10(7)=14+26=40.

          If max(|C|)=3, then the maximum number of ones cannot exceed 3×11=33. So, v111,1140. Now, we show that v111,1140. If possible, then there will be at least seven rows (or columns) which contain four ones each. If so, then from Theorem 17 (or Theorem 18), the minimum number of columns (or rows) required to accommodate such rows (or columns) is 12 which is not possible. Hence v111,1139. The construction for an 11×11 almost-bi-regular matrix with 39 ones is shown in Figure 14 of Appendix A.2.

          (d) See Remark 10. ∎

          We observe that for d up to 20, d×d almost-bi-regular matrices with maximum number of ones can be constructed starting from a projective plane of order q, where q is the smallest prime such that d<q2+q+1 except for d=14 and 15. These two special cases are dealt with in the following lemma. It may be noted that 15×15 and 14×14 matrices formed from the 16×16 matrix of Figure 17 of Appendix A.3 will contain 60 and 53 ones. In Figure 5, we present 15×15 and 14×14 matrices containing 61 and 56 ones, respectively.

          Lemma 23.

          We have v114,14=56.

          Proof.

          If max(|C|)=5, then

          𝒢14(5)=5+13+13(9)=18+37=55.

          If max(|C|)=4, then the maximum number of ones cannot exceed 56. If max(|C|)=3, then the maximum number of ones cannot exceed 3×14=42. So, v114,1456. The construction for a 14×14 almost-bi-regular matrix with 56 ones is shown in Figure 5. ∎

          Remark 24.

          It may be noted that if a 14×14 matrix contains 56 ones, then from Lemma 23, all its rows and columns should contain exactly four ones. Also each row (column) makes twelve pairs with twelve other rows (columns) (from Lemma 4 or Lemma 5).

          Lemma 25.

          We have v115,15=61.

          Proof.

          If max(|C|)=6, then

          𝒢15(6)=6+14+14(9)=20+39=59.

          If max(|C|)=5, then

          𝒢15(5)=5+14+14(10)=19+43=62.

          If max(|C|)=4, then the maximum number of ones cannot exceed 4×15=60. So, v115,1562. Now, we show that v115,1562.

          If possible, then there exists a 15×15 almost-bi-regular matrix M which contains 62 ones. Since max(|C|)=5, there exists a column, say Ci, such that |Ci|=5. If min(|R|)4, then, from Lemma 5, the column Ci makes at least 5×(4-1)=15 pairs with other columns. Since there are fifteen columns, each column can have at most fourteen pairs with other columns. Thus, a contradiction. So, min(|R|)3. Similarly, we can show that max(|R|)=5 and min(|C|)3.

          Let min(|C|)2. Suppose that the column Ck contains exactly two ones, i.e. |Ck|=2. Let Rl be the row which contains minimum number of ones. Since min(|R|)3, we have |Rl|3. Consider the 14×14 almost-bi-regular matrix M obtained by removing the row Rl and the column Ck from M. It is easy to check that M contains at least 62-(2+3)=57 ones, a contradiction (because v114,14=56). Hence, min(|C|)3, which then implies min(|C|)=3. Similarly, it can be shown that min(|R|)=3.

          Let the column Cm and the row Rn contain three ones, i.e. |Cm|=|Rn|=3. If |CmRn|=1, then removing Cm and Rn from the matrix M yields a 14×14 almost-bi-regular matrix M which has 62-(3+3-1)=57 ones, a contradiction. Hence, |CmRn|=0.

          Now, construct a matrix M^ after rearranging the columns and rows of the matrix M such that C14 and R14 in the matrix M^ are Cm and Rn, respectively, of the matrix M. Consider the matrix A constructed by taking the first fourteen rows and the first fourteen columns of the matrix M^. It is easy to check that A is a 14×14 almost-bi-regular matrix having 62-(3+3)=56 ones. In A, each column makes pair with twelve other columns and similarly, each row makes pair with twelve other rows (see Remark 24). By the construction of M^, the column C14 and the row R14 contain three ones with the condition that |C14R14|=0. Let C14C14={j1,j2,j3}, where 0j1<j2<j313. In the matrix A, consider the rows Rj1,Rj2 and Rj3. From the previous discussion, in the matrix A, either |Rj1Rj2|=0 or |Rj1Rj3|=0 but not both (because Rj1 makes pair with twelve other rows). Without loss of generality, assume that |Rj1Rj2|=1. But, in the matrix M^, both |Rj1C14|=1 and |Rj2C14|=1. Therefore in the matrix M^, |Rj1Rj2|=2, a contradiction.

          Hence we have v115,1562. The construction of a 15×15 almost-bi-regular matrix with 61 ones is shown in Figure 5. ∎

          Figure 5

            Examples of d×d almost-bi-regular matrices Md, d=15,14, with v1(M15)=v115,15=61 and v1(M14)=v114,14=56.

            Citation: Journal of Mathematical Cryptology 11, 2; 10.1515/jmc-2016-0013

            Lemma 26.

            We have v116,16=67.

            Proof.

            If max(|C|)=6, then 𝒢16(6)=6+15+15(10)=66. If max(|C|)=5, then 𝒢16(5)=68. If max(|C|)=4, then the maximum number of ones cannot exceed 64. Now, we prove that v116,1668.

            If possible, then there exists a 16×16 almost-bi-regular matrix M with 68 ones. It is easy to see that max(|C|)=max(|R|)=5, min(|C|)5 and min(|R|)5 (otherwise M will contain 80 ones). So, min(|C|)4 and min(|R|)4.

            Let min(|C|)3 and min(|R|)3. Suppose that the column Cj and the row Rk has three ones. Construct a matrix M after removing Cj and Rk from M. It is easy to check that M is a 15×15 almost-bi-regular matrix with at least 68-(3+3)=62 ones, a contradiction (since v115,15=61). Hence, either min(|C|)4 or min(|R|)4 which then implies either min(|C|)=4 or min(|R|)=4.

            Without loss of generality, assume that min(|C|)=4. Then there will be exactly four columns containing five ones and twelve columns containing four ones. Moreover, there will be at least four rows containing five ones.

            Consider the rows which contain five ones. Let these rows be Rk1,Rk2,Rk3,Rk4. The number of columns required to accommodate these rows is at least max(10,13)=13 (see Theorem 17). Let Cj1,Cj2,,Cj13 be the columns which accommodate these rows.

            Let |Cji|=5 for some i{1,,13}. Then consider the row Rkl{Rk1,Rk2,Rk3,Rk4} which satisfies |CjiRkl|=1. Since min(|C|)=4, the row Rkl in the matrix M then makes pairs with at least 4+3×4=16 other rows (Lemma 4), a contradiction (a row can make pair with at most fifteen other rows). Hence none of Cj1,Cj2,,Cj13 can contain five ones. So, there will be at least thirteen columns which contain four ones, but from the above discussion (fourth paragraph of this proof), there are exactly twelve columns containing four ones, a contradiction.

            Hence, v116,1668. The construction of a 16×16 almost-bi-regular matrix with 67 ones is shown in Figure 17 of Appendix A.3. ∎

            Lemma 27.

            We have v117,17=74.

            Proof.

            If max(|C|)=6, then

            𝒢17(6)=6+16+16(11)=22+50=72.

            If max(|C|)=5, then

            𝒢17(5)=5+16+16(12)=21+54=75.

            If max(|C|)=4, then the maximum number of ones cannot exceed 4×17=68. Now, we show that v117,1775.

            If possible, then there exists a 17×17 almost-bi-regular matrix M having 75 ones. It is easy to see that max(|C|)=max(|R|)=5, min(|C|)5 and min(|R|)5 (otherwise M will contain 85 ones). So, min(|C|)4 and min(|R|)4.

            Suppose that min(|C|)3 or min(|R|)3. Without loss of generality, assume that min(|C|)=3. Suppose that the column Cj contains three ones and the row Rk has four ones. Construct a matrix M after removing Cj and Rk from M. It is easy to check that M is a 16×16 almost-bi-regular matrix with at least 75-(4+3)=68 ones, a contradiction (since v116,16=67). Hence, min(|C|)4 and min(|R|)4 which then implies min(|C|)=4 and min(|R|)=4.

            Since min(|C|)=min(|R|)=4, there will be exactly seven columns and rows containing five ones and the remaining ten columns and rows containing four ones.

            Let Rk1,Rk2,,Rk10 be rows which contain four ones. Let Cj1,Cj2,,Cj10 be columns which contain four ones. If |CjiRkl|=1 for some 1i,l10, then construct a 16×16 matrix M by removing Cji and Rkl. It is easy to observe that M is an almost-bi-regular matrix with 75-(4+4-1)=68 ones, a contradiction (since v116,16=67). Hence |CjiRkl|=0 for all 1i,l10.

            Now, consider a 10×7 matrix M^ formed by rows Rk1,,Rk10 and columns different from Cj1,,Cj10. Since |CjiRkl|=0, each row in M^ will contain four ones. Hence M^ contains 4×10=40 ones, but from Theorem 13, v110,726, a contradiction.

            Hence we have v117,1775. The construction of a 17×17 almost-bi-regular matrix with 74 ones is shown in Figure 17 of Appendix A.3. ∎

            Lemma 28.

            We have

            1. (a)v118,18=81,
            2. (b)v119,19=88,
            3. (c)v121,21=105.

            Proof.

            (a) By using a similar argument as used for the case v117,1775, it can be shown that v118,1882. The construction of a 18×18 almost-bi-regular matrix with 81 ones is shown in Figure 16 of Appendix A.3.

            (b) If max(|C|)=6, then

            𝒢19(6)=6+18+18(13)=24+62=86.

            If max(|C|)=5, then

            𝒢19(5)=5+18+18(14)=23+66=89.

            If max(|C|)=4, then the maximum number of ones cannot exceed 4×19=76. Now, we show that v119,1989.

            If possible, then there exists a 19×19 almost-bi-regular matrix M with 89 ones. It can be easily shown that then max(|C|)=max(|R|)=5 and min(|C|)=min(|R|)=4. In the matrix M, there will be exactly thirteen rows and thirteen columns which contain five ones and remaining 6 rows and columns containing four ones. To accommodate thirteen rows having five ones each, at least max(17,20)=20 columns (Theorem 17) are required, a contradiction.

            Hence we have v119,1989. The construction of a 19×19 almost-bi-regular matrix with 88 ones is shown in Figure 16 of Appendix A.3.

            (c) See Remark 10. ∎

            Let q=1 or q be a power of a prime number. Now, we calculate v1d,d when d=q2+q. Note than when d=q2+q+1, we get a BIBD structure such that v1d,d=(q+1)d.

            Theorem 29.

            Let d=q2+q, where q=1 or q is a prime power. Then

            v1d,d=(q2+q+1)(q+1)-2(q+1)+1=q2(q+2).

            Proof.

            Let q=1. Then v12,2=3.

            Suppose that q is a prime power. If max(|C|)=q+2, then by elementary arithmetic, it can be proved that 𝒢q2+q(q+2)<(q2+q+1)(q+1)-2(q+1)+1. If max(|C|)=q, then the maximum number of ones cannot exceed q2(q+1). Hence, to get v1d,dq2(q+2), both max(|C|) and max(|R|) should be equal to q+1. Now, we show that if max(|C|)=q+1, then v1d,dq2(q+2).

            If possible, then there exists a d×d almost-bi-regular matrix M which contains q2(q+2)+1 ones. Since max(|R|)=q+1, there will be at least q2+1 rows containing q+1 ones. Then by Theorem 17, the number of columns required to accommodate such rows will be at least q2+q+1, a contradiction.

            Hence we have v1d,dq2(q+2). Now, we show that v1d,d=q2(q+2). Since d+1=q2+q+1, there exists a (d+1)×(d+1) almost-bi-regular matrix M^ containing q+1 ones in each row and in each column. So, M^ contains (q+1)(d+1) ones. Remove a column Cj and a row Rk from M^ such that |CjRk|=1 (such a column and row will definitely exist). The remaining matrix will be a d×d almost-bi-regular matrix with (d+1)(q+1)-(2(q+1)-1)=(q2+q+1)(q+1)-2(q+1)+1 ones. ∎

            Corollary 30.

            We have v120,20=96.

            Proof.

            From Theorem 29, taking q=22=4, we get v120,20=96. The construction of a 20×20 almost-bi-regular matrix with 96 ones is shown in Figure 15 of Appendix A.3. ∎

            Here, we close this section by summarizing the results of this section in Table 1 for d×d almost-bi-regular matrices where d21. For 8<d<13, the values of v1d,d are computed and the corresponding d×d almost-bi-regular matrices are given in Appendix A.2. For 13<d21, the d×d almost-bi-regular matrices are given in Appendix A.3. For d8 and d=13 the almost-bi-regular matrices are given in Figure 2, Figure 3 and Figure 4.

            Table 1

            Efficient d×d almost-bi-regular matrices for d up to 21.

            Dimension d×dv1d,dUpper bound of v1d,d, i.e. d×12(1+4×d-3) (see Corollary 14)Number of ones in the construction using [12, Lemmas 1 and 3]For illustrations see
            3×3666Figure 2
            4×4999Figure 3
            5×5121212Figure 3
            6×6161615Figure 3
            7×7212121Figure 3
            8×8242424Figure 4
            9×9293024Figure 14
            10×10343527Figure 14
            11×11394030Figure 14
            12×12454633Figure 14
            13×13525236Figure 4
            14×14565739Figure 5
            15×15616442Figure 5
            16×16677045Figure 17
            17×17747748Figure 17
            18×18818351Figure 16
            19×19889054Figure 16
            20×20969757Figure 15
            21×2110510560Figure 15

            5 Some results on c1(M) where M is a bi-regular matrix having maximum number of ones

            In Section 4, we have constructed d×d almost-bi-regular matrices M with v1d,d ones. So, next we try to fill the remaining blank positions of these almost-bi-regular matrices M with minimum number of distinct elements other than 1 and 0 (i.e. with minimum c1(M)) in such a way that the bi-regular property is maintained. We denote these d×d bi-regular matrices by Md. In Lemma 1, we provide a tight lower bound of c1(Md) for d×d bi-regular matrices Md, where v1(Md)=v1d,d and d=q2+q+1, where q is any prime power.

            Lemma 1.

            Let d=q2+q+1, where q is any prime power. Also, let Md be a d×d bi-regular matrix having v1d,d ones. Then c1(Md)q2.

            Proof.

            Let Md=((mi,j)) be the d×d almost-bi-regular matrix having v1d,d=(q+1)×(q2+q+1) ones and also let the corresponding design be (X,𝒜), where X={x0,,xq2+q} and 𝒜={A0,,Aq2+q}. So, (X,𝒜) is a (q2+q+1,q2+q+1,q+1,q+1,1)-BIBD and let Md be its derived-incidence matrix.

            Each row and column of the matrix Md contains (q+1) ones. So in each row and column there are (q2+q+1)-(q+1)=q2 blank positions. Let, if possible, c1(Md)<q2. So, in all rows and columns, some element (apart from 1) will occur more than once.

            Let in the j-th column, the i1-th and i2-th blank positions be filled by some element a. Let the i1-th and i2-th rows correspond to the elements xi1 and xi2, respectively. Since (X,𝒜) is a BIBD, it follows that xi1 and xi2 must occur simultaneously in any one of the blocks, say Ak. So mi1,k=mi2,k=1. Thus the 2×2 submatrix formed by the i1-th and i2-th rows and j-th and k-th columns will be of the form (1a1a) (up to the permutations of columns) which is singular.

            Similarly, let in the i-th row, two blank positions, say j1 and j2, be filled with a. From Lemma 15, any pair of blocks contain exactly one element. So, Aj1 and Aj2 must contain some element, say xl. So, ml,j1=ml,j2=1. Thus the 2×2 submatrix formed by the i-th and l-th rows and j1-th and j2-th columns will be of the form (11aa) (up to the permutations of rows) which is singular. Thus, the minimum number of distinct elements cannot be less than q2. ∎

            In the next lemma, we propose good upper bounds of c1(Md) for d×d matrices Md for d=3,4,5,6,7,8,13, where v1(Md)=v1d,d, and using these matrices, we construct d×d MDS matrices Md in Section 6 for d up to 7.

            For d=8, 8×8 almost-bi-regular matrices with v18,8 ones can be constructed starting from a derived-incidence matrix of (13,13,4,4,1)-BIBD as discussed in Lemma 20, but bi-regular matrices formed from these almost-bi-regular matrices may not finally become MDS. We tried to construct MDS matrix starting from such a matrix M8(e0,e1,e2,e3,e4) as given in Figure 8, but no such MDS matrices were found for any choices of elements ei (also see Remark 1). At the end of this section, we construct 8×8 MDS matrices with v18,8 ones using Latin squares.

            Lemma 2.

            For d×d bi-regular matrices Md, d=2,3,4,5,6,7,8,13, having v1d,d ones, we have c1(M2)=1, c1(M3)=1, c1(M4)2, c1(M5)3, c1(M6)4, c1(M7)=4, c1(M8)5 and c1(M13)=9.

            Proof.

            The matrix M3 is constructed from the derived-incidence matrix of (3,3,2,2,1)-BIBD, and note that c1(M3)=1 and c1(M2)=1 is evident from Figure 6. The matrix M7 corresponds to the derived-incidence matrix of (7,7,3,3,1)-BIBD and from Lemma 1, c1(M7)4. From the 7×7 bi-regular matrix of Figure 7, it is evident that c1(M7)=4. That c1(M6)4, c1(M5)3 and c1(M4)2 is evident from Figure 7. The matrix M13 corresponds to the derived-incidence matrix of (13,13,4,4,1)-BIBD and from Lemma 1, c1(M13)9. From the 13×13 bi-regular matrix of Figure 8, it is evident that c1(M13)=9. From Figure 8, it is clear that c1(M8)5. ∎

            Figure 6

              Examples of d×d bi-regular matrices Md, d=3,2, having maximum number of ones with c1(M2)=1, c1(M3)=1.

              Citation: Journal of Mathematical Cryptology 11, 2; 10.1515/jmc-2016-0013

              Figure 7

                Examples of d×d bi-regular matrices having maximum number of ones for d=7,6,5,4 with c1(M4)=2, c1(M5)=3, c1(M6)=4 and c1(M7)=4.

                Citation: Journal of Mathematical Cryptology 11, 2; 10.1515/jmc-2016-0013

                Figure 8

                  Examples of d×d bi-regular matrices having maximum number of ones for d=13 and 8 with c1(M13)=9 and c1(M8)5.

                  Citation: Journal of Mathematical Cryptology 11, 2; 10.1515/jmc-2016-0013

                  Construction of bi-regular matrices from Latin squares.

                  We observe an interesting connection between Latin squares and bi-regular matrices, which may give an easy method to construct efficient d×d MDS matrices whenever v1d,d is a multiple of d. We construct such efficient MDS matrices for d=3 and 8. It may be noted that in both the cases v1d,d is multiple of d.

                  A Latin square of order d with entries from a d-set X is a d×d matrix Ld in which every cell contains an element of X such that every row of Ld is a permutation of X and every column of Ld is a permutation of X. In our construction, X is a subset of 𝔽2n. In the following lemma, we study an important property of Latin square which is crucial in the construction of bi-regular matrix.

                  Lemma 3.

                  All Latin squares of order d with entries from a d-set XF2n will be bi-regular matrices if and only if a2bc and abcd for any a,b,c,dX.

                  Proof.

                  Let Ld be a d×d matrix which is some Latin square with entries from a d-set X𝔽2n such that a2bc and abcd for all a,b,c,dX. It may be noted that for any such matrix Ld, the determinants of all 2×2 submatrices are of the form (a2+b2), (a2+bc) and (ab+cd), where a,b,c,dX. Since all elements of X are distinct, a2b2 and in characteristic 2, a2+b20 for any two a,bX. Similarly from the given conditions, we have a2+bc0 and ab+cd0 for a,b,c,dX. Thus all 2×2 submatrices are nonsingular. So Ld is bi-regular. The reverse direction of the proof is immediate. ∎

                  Let Ld be a Latin square of order d with elements from a d-set X𝔽2n satisfying the conditions of Lemma 3. So, Ld is a bi-regular matrix. Note that if 1X, then v1(Ld)=d. Our target is to increase the number of ones and reduce the number of other distinct elements in Ld without disturbing the bi-regular property of Ld. It may be noted that if for some a,bX, there exists no 2×2 submatrix of Ld having determinant a2+b2, then we may replace both a and b by 1 provided determinants of these 2×2 submatrices of Ld involving a or b or both remains nonzero after these replacements. It is easy to observe that if v1d,d/d=t, then by replacing tt suitable elements of Ld by 1, we may construct a bi-regular matrix Ld such that v1(Ld)=t×dt×d provided the determinants of 2×2 submatrices of Ld involving these t elements remains nonzero after these replacements.

                  Note that if v1d,d is not a multiple of d, then the bi-regular matrix with v1d,d ones cannot be constructed using some Latin square Ld as described above, but in such cases c1(Ld) may be reduced to the minimum value. For example, let us consider the 4×4 Latin square L4 of Figure 9.

                  Also t=v14,4/4=9/4=2. Now by setting c=d=1 in Figure 9, we construct a 4×4 bi-regular matrix L4 with v1(L4)=2×4=8 (see Figure 10). In this case c1(L4)=2 which is minimum.

                  Figure 9

                    A 4×4 Latin square.

                    Citation: Journal of Mathematical Cryptology 11, 2; 10.1515/jmc-2016-0013

                    Figure 10

                      A 4×4 bi-regular matrix with eight ones but minimum number of other distinct elements.

                      Citation: Journal of Mathematical Cryptology 11, 2; 10.1515/jmc-2016-0013

                      Remark 4.

                      In the diffusion layer of AES [5], i.e. in the mixcolumn operation, a 4×4 circulant MDS matrix Circ(02x,03x,01x,01x) over 𝔽28 is used. This matrix can be constructed from Figure 10 by setting a=02x and b=03x.

                      If v1d,d is a multiple of d, say t×d, then a d×d bi-regular matrix with v1d,d ones may be designed by setting t out of d elements to 1. Let us consider the 3×3 and 8×8 Latin squares of Figure 11.

                      Figure 11

                        A 3×3 and an 8×8 Latin square.

                        Citation: Journal of Mathematical Cryptology 11, 2; 10.1515/jmc-2016-0013

                        We know that v13,3=6=2×3. Now by setting a=b=1, we construct a 3×3 bi-regular matrix with maximum number of ones and minimum number of other elements (see Figure 12) and we denote this matrix by L3(c). It is easy to verify that in 𝔽2n (n>2), the matrix L3(c) of Figure 12 becomes MDS for all values of c other that 0 and 1.

                        Similarly by setting a=b=d=1 in the 8×8 matrix, we can construct an 8×8 bi-regular matrix with v18,8=3×8=24 ones and five other elements (see Figure 12) and we denote this matrix by L8(c,e,f,g,h). In 𝔽28, represented by the irreducible polynomial x8+x4+x3+x2+1, if we take c=02x, e=04x, f=06x and g=h=03x, then the 8×8 matrix L8(02x,04x,06x,03x,03x) of Figure 12 becomes MDS.

                        Figure 12

                          A 3×3 and an 8×8 bi-regular matrix with maximum number of ones.

                          Citation: Journal of Mathematical Cryptology 11, 2; 10.1515/jmc-2016-0013

                          Remark 5.

                          The 8×8 matrix of Figure 12 is a circulant matrix. With judicious choices of elements, the 8×8 bi-regular matrix of Figure 12 can be converted to a circulant MDS matrix. Note that, using techniques of [11, 3, 21], a similar kind of circulant MDS matrices can be constructed.

                          Note that, using this technique, it may not be possible to convert any d×d Latin square into a d×d bi-regular matrix with maximum number of ones (see Figure 13). It is easy to observe that in the 8×8 Latin square of Figure 13, if more than one element is set to 1, then the bi-regular property will be disturbed. So, in this case, this Latin square can be converted into a bi-regular matrix with maximum eight number of ones.

                          Figure 13

                            An 8×8 Latin square where one element can be set to be 1 without disturbing the bi-regular property.

                            Citation: Journal of Mathematical Cryptology 11, 2; 10.1515/jmc-2016-0013

                            6 Efficient MDS matrices

                            In this section, we propose d×d MDS matrices for d up to 8 from bi-regular matrices designed in Section 5. In Table 2, we present some d×d MDS matrices over 𝔽28 for d up to 8 having v1d,d ones. Also, any matrix of Table 2 can be implemented with less number of multiplication tables which may be advantageous for a system where constraints on processor are more than that on memory. Although all matrices Md of Table 2 are efficient, their inverses may not be efficient. So implementing these matrices for Lai–Massey networks or hash functions may be suitable.

                            Table 2

                            The d×dcirculant MDS matrices over 𝔽28 with generating polynomial x8+x7+x6+x5+x4+x3+1 for d=3,4,5,6,7 and with generating polynomial x8+x4+x3+x2+1 for d=8.

                            Dimension d×dMDS matricesCost of implementationsFor illustrations see
                            3×3M3(02x)6 XORs, 3 table lookups and 4 tempFigure 6
                            4×4M4(03x,04x)12 XORs, 7 table lookups and 4 tempsFigure 7
                            M4(02x,05x)12 XORs, 7 table lookups and 6 tempsFigure 7
                            5×5M5(02x,03x,09x)20 XORs, 13 table lookups and 8 tempsFigure 7
                            M5(02x,03x,08x)20 XORs, 13 table lookups and 8 tempsFigure 7
                            6×6M6(03x,09x,0ax,0ex)30 XORs, 20 table lookups and 10 tempsFigure 7
                            M6(05x,06x,0ex,0fx)30 XORs, 20 table lookups and 10 tempsFigure 7
                            7×7M7(03x,09x,0ax,0ex)42 XORs, 28 table lookups and 11 tempsFigure 7
                            M7(05x,06x,0ex,0fx)42 XORs, 28 table lookups and 11 tempsFigure 7
                            8×8L8(02x,04x,06x,03x,03x)56 XORs, 40 table lookups and 11 tempsFigure 12
                            Remark 1.

                            We exhaustively searched for 8×8 MDS matrices of the form M8(e0,e1,e2,e3,e4) (see Figure 8) over 𝔽28, but no MDS matrix of this form is found. It may be noted that in [12], an 8×8 almost-bi-regular matrix with maximum number of ones similar to the 8×8 matrix of Figure 4 was proposed, but no MDS matrix based on that form was reported. In Figure 12 of Section 5, we have constructed 8×8 bi-regular matrices with maximum number of ones and five distinct elements from the 8×8 Latin square of Figure 11. With this construction, MDS matrices can be formed (see Remark 5). For similar kind of constructions also, see [11].

                            Remark 2.

                            The matrix M7(03x,09x,0ax,0ex) of Table 2 is implemented in Appendix A.1. The idea of this implementation is taken from [5]. The other matrices of Table 2 and Table 3 can be implemented similarly.

                            6.1 Comparison with other existing matrices

                            In the following table (Table 3), we compare the cost of implementations of few of our proposed matrices and some existing matrices which are used in several ciphers and hash functions.

                            Table 3

                            Comparison between some good matrices of this paper and some other matrices.

                            Cost of implementation
                            DimensionTypeMatrix#XOR#table#table-lookup#tempComments
                            4×4M4M4(03x,04x)12276Table 2
                            circulantCirc(02x,03x,01x,01x)12286see [5]
                            recursiveSerial(1,α,1,α2)412286see [8]
                            companionSerial(1,α,1,1+α)412286see [10, 18]
                            Serial(α,1,1,α2)412286see [10, 25]
                            5×5M5M5(02x,03x,09x)203138Table 2
                            circulantCirc(01x,01x,02x,03x,02x)202158see [11]
                            6×6M6M6(03x,09x,0ax,0ex)3042010Table 2
                            circulantCirc(01x,01x,02x,03x,05x,07x)3042410see [11]
                            7×7M7M7(03x,09x,0ax,0ex)4242811Table 2
                            circulantCirc(01x,01x,02x,01x,05x,04x,06x)4242811see [11]
                            8×8L8L8(02x,04x,06x,03x,03x)5644011Figure 12
                            circulantCirc(01x,01x,02x-1,01x,04x-1,06x-1,03x-1,03x-1)5644011see [11]

                            7 Conclusion

                            MDS matrices provide optimal diffusion components which can be used as building blocks of cryptographic primitives, like block ciphers and hash functions. Multiplication by 1 over the finite field is trivial and so matrices with more occurrences of ones may have more compact and improved footprint which is desirable for lightweight applications. Also, matrices with less number of other distinct elements may be implemented efficiently using table lookup. Towards this, two combinatorial problems were studied by Junod and Vaudenay in [12], namely, how to maximize the number of ones and how to minimize other distinct elements in a bi-regular matrix. They calculated the maximum number of ones that can occur in d×d MDS matrices for d up to 8. They also computed some important bounds on the number of distinct elements in d×d MDS matrices. But for higher values of d, using their techniques seems difficult.

                            We have observed simple yet subtle interconnections between the number of ones in MDS matrices and the incidence matrices of Balanced Incomplete Block Design (BIBD). This observation gives a generalize technique to solve these combinatorial problems for any values of d for all practical purpose. We have exactly computed the maximum number of ones in a v×b MDS matrix whenever there exists (v,b,r,k,1)-BIBD. We have computed the upper bound of v1v,b for any value of v and b. Using these results, in this paper we have provided d×d almost-bi-regular matrices M for d up to 21 having maximum number of ones. Techniques used in this paper can be extended for higher values of d. We also compute the minimum number of distinct elements for these d×d bi-regular matrices having v1d,d ones, where d=q2+q+1 and q is any prime power.

                            We have proposed another technique to construct bi-regular matrices and MDS matrices using Latin squares. We have shown that using the structure of Latin squares, bi-regular matrices and MDS matrices can be constructed by judicial selection of elements. Although this is a very easy method, yet this method does not guarantee the maximum occurrences of ones in all cases. We have shown that if v1d,d is a multiple of d, then our method may be useful to construct d×d bi-regular matrices with maximum number of ones. From bi-regular matrices, finally we have constructed efficient d×d MDS matrices for d up to 8.

                            ApendixA.1.

                            We provide an implementation of the matrix M7(03x,09x,0ax,0ex) proposed in Table 2. This implementation requires 42 XORs, 11 temporary variables and 28 table lookups in four multiplication tables, say, tab_03, tab_09, tab_0a, and tab_0e corresponding to the multiplication by 03x, 09x, 0ax and 0ex, respectively.

                            u0 = a[0]; u1 = a[1]; u2 = a[2]; u3 = a[3]; u4 = a[4]; u5 = a[5]; u6 = a[6]; /* a is the input vector */ u = tab_03[a[3]]; v = tab_09[a[4]], w = tab_0a[a[5]]; x = tab_0e[a[6]]; a[0] = u0 u1 u2 u v w x; u = tab_03[a[2]]; v = tab_09[a[3]], w = tab_0a[a[6]]; x = tab_0e[a[1]]; a[1] = u0 u4 u5 u v w x; u = tab_03[a[4]]; v = tab_09[a[5]], w = tab_0a[a[1]]; x = tab_0e[a[2]]; a[2] = u0 u3 u6 u v w x; u = tab_03[a[1]]; v = tab_09[a[6]], w = tab_0a[a[0]]; x = tab_0e[a[5]]; a[3] = u2 u3 u4 u v w x; u = tab_03[a[0]]; v = tab_09[a[1]], w = tab_0a[a[3]]; x = tab_0e[a[4]]; a[4] = u2 u5 u6 u v w x; u = tab_03[a[5]]; v = tab_09[a[0]], w = tab_0a[a[2]]; x = tab_0e[a[3]]; a[5] = u1 u4 u6 u v w x; u = tab_03[a[6]]; v = tab_09[a[2]], w = tab_0a[a[4]]; x = tab_0e[a[0]]; a[6] = u1 u3 u5 u v w x;

                            A.2.

                            From Corollary 9, v113,13=52. Let us consider the derived-incidence matrix of (13,13,4,4,1)-BIBD in Figure 4 having v113,13 ones. By elimination of suitable rows and columns from this matrix so that the minimum number of occurrences of 1 is canceled, we form d×d matrices for d=12,11,10 and 9. For d=8 the corresponding matrix is given in Figure 4.

                            Figure 14

                              Examples of d×d almost-bi-regular matrices Md, d=12,11,10,9, with v1(Md)=v1d,d=d×1+4d-32-1.

                              Citation: Journal of Mathematical Cryptology 11, 2; 10.1515/jmc-2016-0013

                              A.3.

                              From Corollary 9, we have v121,21=105. Let us consider the derived-incidence matrix of projective plane (222+22+1,22+1,1) i.e. (21,21,5,5,1)-BIBD in Figure 15 having v121,21 ones. By elimination of suitable rows and columns from this matrix so that the minimum number of occurrences of 1 is cancelled, we form d×d matrices for d=20,19,18,17,16.

                              Figure 15

                                Examples of d×d almost-bi-regular matrices Md, d=21,20, with v1(M21)=v121,21=105 and v1(M20)=v120,20=96.

                                Citation: Journal of Mathematical Cryptology 11, 2; 10.1515/jmc-2016-0013

                                Figure 16

                                  Examples of d×d almost-bi-regular matrices Md, d=19,18, with v1(M19)=v119,19=88 and v1(M18)=v118,18=81.

                                  Citation: Journal of Mathematical Cryptology 11, 2; 10.1515/jmc-2016-0013

                                  Figure 17

                                    Examples of d×d almost-bi-regular matrices Md, d=17,16, with v1(M17)=v117,17=74 and v1(M16)=v116,16=67.

                                    Citation: Journal of Mathematical Cryptology 11, 2; 10.1515/jmc-2016-0013

                                    Acknowledgements

                                    Major part of the work was done when the second author was at R. C. Bose Centre for Cryptology & Security, Indian Statistical Institute, 203, B.T. Road, Kolkata-700108, India.

                                    References

                                    • [1]

                                      D. Augot and M. Finiasz, Direct construction of recursive MDS diffusion layers using shortened BCH codes, Fast Software Encryption (FSE 2014), Lecture Notes in Comput. Sci. 8540, Springer, Berlin (2015), 3–17.

                                    • [2]

                                      P. Barreto and V. Rijmen, The Khazad legacy-level block cipher, submission to the NESSIE Project (2000), http://cryptonessie.org.

                                    • [3]

                                      P. S. L. M. Barreto and V. Rijmen, Whirlpool, Encyclopedia of Cryptography and Security. Second Edition, Springer, New York (2011), 1384–1385.

                                    • [4]

                                      J. Daemen, L. R. Knudsen and V. Rijmen, The block cipher square, Fast Software Encryption (FSE 1997), Lecture Notes in Comput. Sci. 1267, Springer, Berlin (1997), 149–165.

                                    • [5]

                                      J. Daemen and V. Rijmen, The Design of Rijndael: AES – The Advanced Encryption Standard, Springer, Berlin, 2002.

                                    • [6]

                                      G. D. Filho, P. Barreto and V. Rijmen, The Maelstrom-0 hash function, Proceedings of the 6th Brazilian Symposium on Information and Computer Systems Security (2006); available at http://www.lbd.dcc.ufmg.br/colecoes/sbseg/2006/0017.pdf.

                                    • [7]

                                      P. Gauravaram, L. R. Knudsen, K. Matusiewicz, F. Mendel, C. Rechberger, M. Schlaffer and S. Thomsen, Grøstl – A SHA-3 candidate, submission to NIST (2008), http://www.groestl.info.

                                    • [8]

                                      J. Guo, T. Peyrin and A. Poschmann, The PHOTON family of lightweight hash functions, Advances in Cryptology (CRYPTO 2011), Lecture Notes in Comput. Sci. 6841, Springer, Berlin (2011), 222–239.

                                    • [9]

                                      K. C. Gupta and I. G. Ray, On constructions of involutory MDS matrices, Progress in Cryptology (AFRICACRYPT 2013), Lecture Notes in Comput. Sci. 7918, Springer, Berlin (2013), 43–60.

                                    • [10]

                                      K. C. Gupta and I. G. Ray, On constructions of MDS matrices from companion matrices for lightweight cryptography, Security Engineering and Intelligence Informatics (CD-ARES 2013), Lecture Notes in Comput. Sci. 8128, Springer, Berlin (2013), 29–43.

                                    • [11]

                                      K. C. Gupta and I. G. Ray, On constructions of circulant MDS matrices for lightweight cryptography, Information Security Practice and Experience (ISPEC 2014), Lecture Notes in Comput. Sci. 8434, Springer, Berlin (2014), 564–576.

                                    • [12]

                                      P. Junod and S. Vaudenay, Perfect diffusion primitives for block ciphers building efficient MDS matrices, Selected Areas in Cryptography (Waterloo 2004), Lecture Notes in Comput. Sci. 3357, Springer, Berlin (2005), 84–99.

                                    • [13]

                                      J. Lacan and J. Fimes, Systematic MDS erasure codes based on Vandermonde matrices, IEEE Commun. Lett. 8 (2004), no. 9, 570–572.

                                    • [14]

                                      F. J. MacWilliams and N. J. A. Sloane, The Theory of Error Correcting Codes, North Holland, Amsterdam, 1986.

                                    • [15]

                                      J. Nakahara, Jr. and E. Abrahao, A new involutory MDS matrix for the AES, Int. J. Netw. Secur. 9 (2009), no. 2, 109–116.

                                    • [16]

                                      V. Rijmen, J. Daemen, B. Preneel, A. Bosselaers and E. D. Win, The cipher SHARK, Fast Software Encryption (FSE 1996), Lecture Notes in Comput. Sci. 1039, Springer, Berlin (1996), 99–112.

                                    • [17]

                                      M. Sajadieh, M. Dakhilalian, H. Mala and B. Omoomi, On construction of involutory MDS matrices from Vandermonde matrices in GF ( 2 q ) {{\rm GF}(2^{q})}, Des. Codes Cryptogr. 64 (2012), no. 3, 287–308.

                                    • [18]

                                      M. Sajadieh, M. Dakhilalian, H. Mala and P. Sepehrdad, Recursive diffusion layers for block ciphers and hash functions, Fast Software Encryption (FSE 2012), Lecture Notes in Comput. Sci. 7549, Springer, Berlin (2012), 385–401.

                                    • [19]

                                      B. Schneier, J. Kelsey, D. Whiting, D. Wagner, C. Hall and N. Ferguson, Twofish: A 128-bit block cipher, First Advanced Encryption Standard (AES) Candidate Conference, National Institute for Standards and Technology, Gaithersburg (1998); available at https://www.schneier.com/academic/paperfiles/paper-twofish-paper.pdf.

                                    • [20]

                                      B. Schneier, J. Kelsey, D. Whiting, D. Wagner, C. Hall and N. Ferguson, The Twofish Encryption Algorithm, John Wiley & Sons, New York, 1999.

                                    • [21]

                                      T. Shiraj and K. Shibutani, On the diffusion matrix employed in the Whirlpool hashing function, preprint (2003), https://www.cosic.esat.kuleuven.be/nessie/reports/phase2/whirlpool-20030311.pdf.

                                    • [22]

                                      D. R. Stinson, Cryptography: Theory and Practice, CRC Press, Boca Raton, 1995.

                                    • [23]

                                      D. R. Stinson, Combinatorial Designs: Constructions and Analysis, Springer, New York, 2003.

                                    • [24]

                                      D. Watanabe, S. Furuya, H. Yoshida, K. Takaragi and B. Preneel, A new keystream generator MUGI, Fast Software Encryption (FSE 2002), Lecture Notes in Comput. Sci. 2365, Springer, Berlin (2002), 179–194.

                                    • [25]

                                      S. Wu, M. Wang and W. Wu, Recursive diffusion layers for (lightweight) block ciphers and hash functions, Selected Areas in Cryptography (SAC 2012), Lecture Notes in Comput. Sci. 7707, Springer, Berlin (2013), 355–371.

                                    • [26]

                                      A. M. Youssef, S. Mister and S. E. Tavares, On the design of linear transformations for substitution permutation encryption networks, Workshop on Selected Areas in Cryptography (SAC 1997), Carleton University, Ottawa (1997), 40–48.

                                    • [27]

                                      Sony Corporation, The 128-bit block cipher CLEFIA Algorithm Specification (2007), http://www.sony.co.jp/Products/cryptography/clefia/download/data/clefia-spec-1.0.pdf.

                                    If the inline PDF is not rendering correctly, you can download the PDF file here.

                                    • [1]

                                      D. Augot and M. Finiasz, Direct construction of recursive MDS diffusion layers using shortened BCH codes, Fast Software Encryption (FSE 2014), Lecture Notes in Comput. Sci. 8540, Springer, Berlin (2015), 3–17.

                                    • [2]

                                      P. Barreto and V. Rijmen, The Khazad legacy-level block cipher, submission to the NESSIE Project (2000), http://cryptonessie.org.

                                    • [3]

                                      P. S. L. M. Barreto and V. Rijmen, Whirlpool, Encyclopedia of Cryptography and Security. Second Edition, Springer, New York (2011), 1384–1385.

                                    • [4]

                                      J. Daemen, L. R. Knudsen and V. Rijmen, The block cipher square, Fast Software Encryption (FSE 1997), Lecture Notes in Comput. Sci. 1267, Springer, Berlin (1997), 149–165.

                                    • [5]

                                      J. Daemen and V. Rijmen, The Design of Rijndael: AES – The Advanced Encryption Standard, Springer, Berlin, 2002.

                                    • [6]

                                      G. D. Filho, P. Barreto and V. Rijmen, The Maelstrom-0 hash function, Proceedings of the 6th Brazilian Symposium on Information and Computer Systems Security (2006); available at http://www.lbd.dcc.ufmg.br/colecoes/sbseg/2006/0017.pdf.

                                    • [7]

                                      P. Gauravaram, L. R. Knudsen, K. Matusiewicz, F. Mendel, C. Rechberger, M. Schlaffer and S. Thomsen, Grøstl – A SHA-3 candidate, submission to NIST (2008), http://www.groestl.info.

                                    • [8]

                                      J. Guo, T. Peyrin and A. Poschmann, The PHOTON family of lightweight hash functions, Advances in Cryptology (CRYPTO 2011), Lecture Notes in Comput. Sci. 6841, Springer, Berlin (2011), 222–239.

                                    • [9]

                                      K. C. Gupta and I. G. Ray, On constructions of involutory MDS matrices, Progress in Cryptology (AFRICACRYPT 2013), Lecture Notes in Comput. Sci. 7918, Springer, Berlin (2013), 43–60.

                                    • [10]

                                      K. C. Gupta and I. G. Ray, On constructions of MDS matrices from companion matrices for lightweight cryptography, Security Engineering and Intelligence Informatics (CD-ARES 2013), Lecture Notes in Comput. Sci. 8128, Springer, Berlin (2013), 29–43.

                                    • [11]

                                      K. C. Gupta and I. G. Ray, On constructions of circulant MDS matrices for lightweight cryptography, Information Security Practice and Experience (ISPEC 2014), Lecture Notes in Comput. Sci. 8434, Springer, Berlin (2014), 564–576.

                                    • [12]

                                      P. Junod and S. Vaudenay, Perfect diffusion primitives for block ciphers building efficient MDS matrices, Selected Areas in Cryptography (Waterloo 2004), Lecture Notes in Comput. Sci. 3357, Springer, Berlin (2005), 84–99.

                                    • [13]

                                      J. Lacan and J. Fimes, Systematic MDS erasure codes based on Vandermonde matrices, IEEE Commun. Lett. 8 (2004), no. 9, 570–572.

                                    • [14]

                                      F. J. MacWilliams and N. J. A. Sloane, The Theory of Error Correcting Codes, North Holland, Amsterdam, 1986.

                                    • [15]

                                      J. Nakahara, Jr. and E. Abrahao, A new involutory MDS matrix for the AES, Int. J. Netw. Secur. 9 (2009), no. 2, 109–116.

                                    • [16]

                                      V. Rijmen, J. Daemen, B. Preneel, A. Bosselaers and E. D. Win, The cipher SHARK, Fast Software Encryption (FSE 1996), Lecture Notes in Comput. Sci. 1039, Springer, Berlin (1996), 99–112.

                                    • [17]

                                      M. Sajadieh, M. Dakhilalian, H. Mala and B. Omoomi, On construction of involutory MDS matrices from Vandermonde matrices in GF ( 2 q ) {{\rm GF}(2^{q})}, Des. Codes Cryptogr. 64 (2012), no. 3, 287–308.

                                    • [18]

                                      M. Sajadieh, M. Dakhilalian, H. Mala and P. Sepehrdad, Recursive diffusion layers for block ciphers and hash functions, Fast Software Encryption (FSE 2012), Lecture Notes in Comput. Sci. 7549, Springer, Berlin (2012), 385–401.

                                    • [19]

                                      B. Schneier, J. Kelsey, D. Whiting, D. Wagner, C. Hall and N. Ferguson, Twofish: A 128-bit block cipher, First Advanced Encryption Standard (AES) Candidate Conference, National Institute for Standards and Technology, Gaithersburg (1998); available at https://www.schneier.com/academic/paperfiles/paper-twofish-paper.pdf.

                                    • [20]

                                      B. Schneier, J. Kelsey, D. Whiting, D. Wagner, C. Hall and N. Ferguson, The Twofish Encryption Algorithm, John Wiley & Sons, New York, 1999.

                                    • [21]

                                      T. Shiraj and K. Shibutani, On the diffusion matrix employed in the Whirlpool hashing function, preprint (2003), https://www.cosic.esat.kuleuven.be/nessie/reports/phase2/whirlpool-20030311.pdf.

                                    • [22]

                                      D. R. Stinson, Cryptography: Theory and Practice, CRC Press, Boca Raton, 1995.

                                    • [23]

                                      D. R. Stinson, Combinatorial Designs: Constructions and Analysis, Springer, New York, 2003.

                                    • [24]

                                      D. Watanabe, S. Furuya, H. Yoshida, K. Takaragi and B. Preneel, A new keystream generator MUGI, Fast Software Encryption (FSE 2002), Lecture Notes in Comput. Sci. 2365, Springer, Berlin (2002), 179–194.

                                    • [25]

                                      S. Wu, M. Wang and W. Wu, Recursive diffusion layers for (lightweight) block ciphers and hash functions, Selected Areas in Cryptography (SAC 2012), Lecture Notes in Comput. Sci. 7707, Springer, Berlin (2013), 355–371.

                                    • [26]

                                      A. M. Youssef, S. Mister and S. E. Tavares, On the design of linear transformations for substitution permutation encryption networks, Workshop on Selected Areas in Cryptography (SAC 1997), Carleton University, Ottawa (1997), 40–48.

                                    • [27]

                                      Sony Corporation, The 128-bit block cipher CLEFIA Algorithm Specification (2007), http://www.sony.co.jp/Products/cryptography/clefia/download/data/clefia-spec-1.0.pdf.

                                    OPEN ACCESS

                                    Journal + Issues

                                    JMC is a forum for original research articles in the area of mathematical cryptology. Works in the theory of cryptology and articles linking mathematics with cryptology are welcome. Submissions from all areas of mathematics significant for cryptology are published, including but not limited to, algebra, algebraic geometry, coding theory, combinatorics, number theory, probability and stochastic processes.

                                    Search

                                    • Example of 6×6 almost-bi-regular matrices having sixteend ones which is maximum.

                                    • Examples of d×d almost-bi-regular matrices having maximum number of ones for d=3,2.

                                    • Examples of d×d almost-bi-regular matrices having maximum number of ones for d=7,6,5,4.

                                    • Examples of 13×13 and 8×8 almost-bi-regular matrices having maximum number of ones.

                                    • Examples of d×d almost-bi-regular matrices Md, d=15,14, with v1(M15)=v115,15=61 and v1(M14)=v114,14=56.

                                    • Examples of d×d bi-regular matrices Md, d=3,2, having maximum number of ones with c1(M2)=1, c1(M3)=1.

                                    • Examples of d×d bi-regular matrices having maximum number of ones for d=7,6,5,4 with c1(M4)=2, c1(M5)=3, c1(M6)=4 and c1(M7)=4.

                                    • Examples of d×d bi-regular matrices having maximum number of ones for d=13 and 8 with c1(M13)=9 and c1(M8)5.

                                    • A 4×4 Latin square.

                                    • A 4×4 bi-regular matrix with eight ones but minimum number of other distinct elements.

                                    • A 3×3 and an 8×8 Latin square.

                                    • A 3×3 and an 8×8 bi-regular matrix with maximum number of ones.

                                    • An 8×8 Latin square where one element can be set to be 1 without disturbing the bi-regular property.

                                    • Examples of d×d almost-bi-regular matrices Md, d=12,11,10,9, with v1(Md)=v1d,d=d×1+4d-32-1.

                                    • Examples of d×d almost-bi-regular matrices Md, d=21,20, with v1(M21)=v121,21=105 and v1(M20)=v120,20=96.

                                    • Examples of d×d almost-bi-regular matrices Md, d=19,18, with v1(M19)=v119,19=88 and v1(M18)=v118,18=81.

                                    • Examples of d×d almost-bi-regular matrices Md, d=17,16, with v1(M17)=v117,17=74 and v1(M16)=v116,16=67.