Designs, Codes and Cryptography

, Volume 82, Issue 1–2, pp 77–94 | Cite as

On the direct construction of recursive MDS matrices

  • Kishan Chand Gupta
  • Sumit Kumar Pandey
  • Ayineedi VenkateswarluEmail author


MDS matrices allow to build optimal linear diffusion layers in the design of block ciphers and hash functions. There has been a lot of study in designing efficient MDS matrices suitable for software and/or hardware implementations. In particular recursive MDS matrices are considered for resource constrained environments. Such matrices can be expressed as a power of simple companion matrices, i.e., an MDS matrix \(M = C_g^k\) for some companion matrix corresponding to a monic polynomial \(g(X) \in \mathbb {F}_q[X]\) of degree k. In this paper, we first show that for a monic polynomial g(X) of degree \(k\ge 2\), the matrix \(M = C_g^k\) is MDS if and only if g(X) has no nonzero multiple of degree \(\le 2k-1\) and weight \(\le k\). This characterization answers the issues raised by Augot et al. in FSE-2014 paper to some extent. We then revisit the algorithm given by Augot et al. to find all recursive MDS matrices that can be obtained from a class of BCH codes (which are also MDS) and propose an improved algorithm. We identify exactly what candidates in this class of BCH codes yield recursive MDS matrices. So the computation can be confined to only those potential candidate polynomials, and thus greatly reducing the complexity. As a consequence we are able to provide formulae for the number of such recursive MDS matrices, whereas in FSE-2014 paper, the same numbers are provided by exhaustively searching for some small parameter choices. We also present a few ideas making the search faster for finding efficient recursive MDS matrices in this class. Using our approach, it is possible to exhaustively search this class for larger parameter choices which was not possible earlier. We also present our search results for the case \(k=8\) and \(q=2^{16}\).


Diffusion layer MDS codes Recursive MDS matrices Companion matrices Cyclic Codes BCH codes Shortened Codes 

Mathematics Subject Classification

94A60 94B15 14G50 11T71 



We thank the anonymous reviewers for their valuable comments and suggestions. Major part of the work was done when the second author was at C. R. Rao AIMSCS, Hyderabad, India.


  1. 1.
    Augot D., Finiasz M.: Exhaustive search for small dimension recursive MDS diffusion layers for block ciphers and hash functions. In: Proceedings of the 2013 IEEE International Symposium on Information Theory, pp. 1551–1555 (2013).Google Scholar
  2. 2.
    Augot D., Finiasz M.: Direct construction of recursive MDS diffusion layers using shortened BCH codes. In: FSE 2014, LNCS, vol. 8540, pp. 3–17. Springer, Heidelberg (2015). Also available
  3. 3.
    Berger T.P.: Construction of recursive MDS diffusion layers from Gabidulin codes. In: INDOCRYPT 2013. LNCS, vol. 8250, pp. 274–285. Springer, Heidelberg (2013).Google Scholar
  4. 4.
    Daemen J., Rijmen V.: The design of Rijndael: AES—the advanced encryption standard. In: Information Security and Cryptography. Springer, Heidelberg (2002).Google Scholar
  5. 5.
    Guo J., Peyrin T., Poschmann A.: The PHOTON Family of Lightweight Hash Functions. In: CRYPTO 2011. LNCS, vol. 6841, pp. 222–239. Springer, Heidelberg (2011).Google Scholar
  6. 6.
    Guo J., Peyrin T., Poschmann A., Robshaw M.J.B.: The LED block cipher. In: CHES 2011. LNCS, vol. 6917, pp. 326–341. Springer, Heidelberg (2011).Google Scholar
  7. 7.
    Junod P., Vaudenay S.: Perfect diffusion primitives for block ciphers. In: SAC 2004. LNCS, vol. 3357, pp. 84–99. Springer, Heidelberg (2004).Google Scholar
  8. 8.
    Junod P., Vaudenay S.: FOX: a new family of block ciphers. In: SAC 2004. LNCS, vol. 3357, pp. 114–129. Springer, Heidelberg (2004).Google Scholar
  9. 9.
    Lidl R., Niederreiter H.: Finite Fields, 2nd edn. Cambridge University Press, Cambridge (1997).Google Scholar
  10. 10.
    MacWilliams F.J., Sloane N.J.A.: The Theory of Error-Correcting Codes. North Holland Publishing Co., Amsterdam (1988).Google Scholar
  11. 11.
    Sajadieh M., Dakhilalian M., Mala H., Sepehrdad P.: Recursive diffusion layers for block ciphers and hash functions. In: FSE 2012. LNCS, vol. 7549, pp. 385–401. Springer, Heidelberg (2012).Google Scholar
  12. 12.
    Wu S., Wang M., Wu W.: Recursive diffusion layers for (lightweight) block ciphers and hash functions. In: SAC 2013. LNCS, vol. 7707, pp. 355–371, Springer, Heidelberg (2013).Google Scholar

Copyright information

© Springer Science+Business Media New York 2016

Authors and Affiliations

  • Kishan Chand Gupta
    • 1
  • Sumit Kumar Pandey
    • 2
  • Ayineedi Venkateswarlu
    • 3
    Email author
  1. 1.Applied Statistics UnitIndian Statistical InstituteKolkataIndia
  2. 2.R. C. Bose Centre for Cryptology and SecurityIndian Statistical InstituteKolkataIndia
  3. 3.Computer Science UnitIndian Statistical Institute - Chennai CentreChennaiIndia

Personalised recommendations