
On the direct construction of recursive MDS matrices

Designs, Codes and Cryptography

Abstract

MDS matrices allow to build optimal linear diffusion layers in the design of block ciphers and hash functions. There has been a lot of study in designing efficient MDS matrices suitable for software and/or hardware implementations. In particular recursive MDS matrices are considered for resource constrained environments. Such matrices can be expressed as a power of simple companion matrices, i.e., an MDS matrix \(M = C_g^k\) for some companion matrix corresponding to a monic polynomial \(g(X) \in \mathbb {F}_q[X]\) of degree k. In this paper, we first show that for a monic polynomial g(X) of degree \(k\ge 2\), the matrix \(M = C_g^k\) is MDS if and only if g(X) has no nonzero multiple of degree \(\le 2k-1\) and weight \(\le k\). This characterization answers the issues raised by Augot et al. in FSE-2014 paper to some extent. We then revisit the algorithm given by Augot et al. to find all recursive MDS matrices that can be obtained from a class of BCH codes (which are also MDS) and propose an improved algorithm. We identify exactly what candidates in this class of BCH codes yield recursive MDS matrices. So the computation can be confined to only those potential candidate polynomials, and thus greatly reducing the complexity. As a consequence we are able to provide formulae for the number of such recursive MDS matrices, whereas in FSE-2014 paper, the same numbers are provided by exhaustively searching for some small parameter choices. We also present a few ideas making the search faster for finding efficient recursive MDS matrices in this class. Using our approach, it is possible to exhaustively search this class for larger parameter choices which was not possible earlier. We also present our search results for the case \(k=8\) and \(q=2^{16}\).


References

  1. Augot D., Finiasz M.: Exhaustive search for small dimension recursive MDS diffusion layers for block ciphers and hash functions. In: Proceedings of the 2013 IEEE International Symposium on Information Theory, pp. 1551–1555 (2013).

  2. Augot D., Finiasz M.: Direct construction of recursive MDS diffusion layers using shortened BCH codes. In: FSE 2014, LNCS, vol. 8540, pp. 3–17. Springer, Heidelberg (2015). Also available http://eprint.iacr.org/2014/566.pdf.

  3. Berger T.P.: Construction of recursive MDS diffusion layers from Gabidulin codes. In: INDOCRYPT 2013. LNCS, vol. 8250, pp. 274–285. Springer, Heidelberg (2013).

  4. Daemen J., Rijmen V.: The design of Rijndael: AES—the advanced encryption standard. In: Information Security and Cryptography. Springer, Heidelberg (2002).

  5. Guo J., Peyrin T., Poschmann A.: The PHOTON Family of Lightweight Hash Functions. In: CRYPTO 2011. LNCS, vol. 6841, pp. 222–239. Springer, Heidelberg (2011).

  6. Guo J., Peyrin T., Poschmann A., Robshaw M.J.B.: The LED block cipher. In: CHES 2011. LNCS, vol. 6917, pp. 326–341. Springer, Heidelberg (2011).

  7. Junod P., Vaudenay S.: Perfect diffusion primitives for block ciphers. In: SAC 2004. LNCS, vol. 3357, pp. 84–99. Springer, Heidelberg (2004).

  8. Junod P., Vaudenay S.: FOX: a new family of block ciphers. In: SAC 2004. LNCS, vol. 3357, pp. 114–129. Springer, Heidelberg (2004).

  9. Lidl R., Niederreiter H.: Finite Fields, 2nd edn. Cambridge University Press, Cambridge (1997).

  10. MacWilliams F.J., Sloane N.J.A.: The Theory of Error-Correcting Codes. North Holland Publishing Co., Amsterdam (1988).

  11. Sajadieh M., Dakhilalian M., Mala H., Sepehrdad P.: Recursive diffusion layers for block ciphers and hash functions. In: FSE 2012. LNCS, vol. 7549, pp. 385–401. Springer, Heidelberg (2012).

  12. Wu S., Wang M., Wu W.: Recursive diffusion layers for (lightweight) block ciphers and hash functions. In: SAC 2013. LNCS, vol. 7707, pp. 355–371. Springer, Heidelberg (2013).


Acknowledgments

We thank the anonymous reviewers for their valuable comments and suggestions. A major part of the work was done when the second author was at C. R. Rao AIMSCS, Hyderabad, India.

Corresponding author

Correspondence to Ayineedi Venkateswarlu.

Additional information

This is one of several papers published in Designs, Codes and Cryptography comprising the “Special Issue on Coding and Cryptography”.

Appendix 1: Hardware implementation of recursive MDS diffusion layers

We will now discuss the number of XOR gates required for a serial implementation of a recursive MDS diffusion layer in hardware. Of course, the actual cost may depend on the other components and tools used in the design, and a particular instance of a recursive MDS matrix can have a better implementation than the general method considered in our analysis. So our analysis does not necessarily give the cost of an optimal implementation, nor does it apply to all situations; what we want to capture is the cost of a recursive MDS matrix as a stand-alone implementation in hardware. Let \(M = C_g^k\) be a recursive MDS matrix, where \(C_g = \text{ Companion }(a_0,a_1,\ldots ,a_{k-1})\). For a column vector \(\mathbf{v} = (v_0, v_1, \ldots , v_{k-1})\) in \(\mathbb {F}_q^k\), we have

$$\begin{aligned} C_g\cdot \mathbf{v} = (v_1,v_2,\ldots ,v_{k-1},v_k), \end{aligned}$$

where \(v_k = a_0 v_0 + a_1 v_1 + \cdots + a_{k-1} v_{k-1}\). So the computed value \(v_k\) is placed in the vacant location, shifting the elements of the vector \((v_0, v_1, \ldots , v_{k-1})\) by one position. This requires k field element multiplications (by the elements \(a_0,a_1,\ldots ,a_{k-1}\)) and \((k-1)\) additions in \(\mathbb {F}_q\). With \(q = 2^s\), we need \(s(k-1)\) XOR gates to implement the \((k-1)\) additions, and the total cost will be

$$\begin{aligned} s(k-1) + \sum _{i=0}^{k-1} \rho (a_i), \end{aligned}$$

where \(\rho (a_i)\) denotes the cost of implementing multiplication by \(a_i\) in \(\mathbb {F}_q\). We obtain the required output \(M\mathbf{v}\) by applying \(C_g\) k times in this way. The total cost depends only on the coefficients of the connection polynomial g of \(C_g\), so we denote

$$\begin{aligned} \rho (g) = \sum _{i=0}^{k-1} \rho (a_i). \end{aligned} \tag{7}$$

Let us now see the number of XOR gates required to implement a field element multiplication through an example. For this purpose we take \(s=8\) and consider the field \(\mathbb {F}_{2^8}\) with the constructing polynomial \(1 +\theta ^3 + \theta ^4 + \theta ^5 + \theta ^8\) (which is irreducible but not primitive). Let \(z = (z_7 \theta ^7 + z_6 \theta ^6 + \cdots + z_1 \theta + z_0)\), where \(z_0,\ldots ,z_7\) are binary variables. We have

$$\begin{aligned} \theta \cdot z = z_6 \theta ^7 + z_5 \theta ^6 + (z_4+z_7) \theta ^5 + (z_3+z_7) \theta ^4 + (z_2+z_7) \theta ^3 + z_1 \theta ^2 + z_0 \theta + z_7. \end{aligned}$$

Thus we can implement the multiplication by \(\theta \) (in \(\mathbb {F}_{2^8}\)) by using 3 XOR gates. Now let us take \(\eta = \theta ^7 + \theta ^4 + \theta ^3 + \theta ^2 \in \mathbb {F}_{2^8}\). We have

$$\begin{aligned} \eta \cdot z &= (\theta ^7 + \theta ^4 + \theta ^3 + \theta ^2)\cdot z\\ &= z_0\theta ^7 + z_7 \theta ^6 + z_6 \theta ^5 + (z_5+z_0)\theta ^4 + (z_4+z_0)\theta ^3+(z_3+z_0)\theta ^2 + z_2 \theta + z_1. \end{aligned}$$

Thus the multiplication by \(\eta \) in \(\mathbb {F}_{2^8}\) can also be implemented in hardware using only 3 XOR gates. If instead we use \(1 +\theta ' + \theta '^2 + \theta '^4 + \theta '^6 + \theta '^7 +\theta '^8\) to construct the finite field \(\mathbb {F}_{2^8}\), then the number of XOR gates required to implement multiplication by any nonzero element other than 1 is at least 5.

The finite field \(\mathbb {F}_{2^s}\) can be constructed using any irreducible polynomial of degree s over \(\mathbb {F}_2\), and when s is not prime we can also reach \(\mathbb {F}_{2^s}\) through a tower of extensions. Thus there are many ways to construct the finite field \(\mathbb {F}_{2^s}\), and any of them can be used in the implementation of Algorithm 1 to get the \(\mathcal {N}_k\) recursive MDS matrices. So the search for an optimal recursive MDS matrix in this class needs to try all possible ways of constructing the finite field \(\mathbb {F}_{2^s}\).
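The gate-count metric of this appendix and the serial \(C_g\) step, as an added Python example that is not the paper's code: the two defining polynomials, \(\theta \) and \(\eta \) are the appendix's, while the function and constant names are mine. The metric counts, for each output bit, one XOR per input bit beyond the first, with no gate sharing, which is what yields 3 gates for \(\theta \) and \(\eta \) above.

```python
# Added example (not from the paper): the appendix's naive XOR-gate count for
# multiplying by a constant in F_{2^8}, and one serial step of C_g.

def gf_mul(a, b, mod, s=8):
    """Multiply a and b in F_{2^s} defined by the irreducible polynomial `mod` (bit i = coefficient of theta^i)."""
    r = 0
    for i in range(s):
        if (b >> i) & 1:
            r ^= a << i
    for i in range(2 * s - 2, s - 1, -1):  # reduce degrees 2s-2 .. s modulo `mod`
        if (r >> i) & 1:
            r ^= mod << (i - s)
    return r

def xor_cost(a, mod, s=8):
    """rho(a): XOR gates for z -> a*z with z variable.  Output bit i is the sum of the input bits z_j
    whose image a*theta^j has bit i set; a sum of t bits costs t-1 gates (no gate sharing, as in the appendix)."""
    images = [gf_mul(a, 1 << j, mod, s) for j in range(s)]  # a * theta^j for j = 0..s-1
    return sum(max(sum((img >> i) & 1 for img in images) - 1, 0) for i in range(s))

def companion_step(coeffs, v, mod, s=8):
    """One application of C_g = Companion(a_0..a_{k-1}): (v_0..v_{k-1}) -> (v_1..v_{k-1}, sum a_i v_i)."""
    v_k = 0
    for a, x in zip(coeffs, v):
        v_k ^= gf_mul(a, x, mod, s)  # field addition is XOR
    return v[1:] + [v_k]

def recursive_mds_apply(coeffs, v, mod, s=8):
    """M*v for M = C_g^k, computed serially by k applications of C_g (k = len(coeffs))."""
    for _ in range(len(coeffs)):
        v = companion_step(coeffs, v, mod, s)
    return v

def companion_cost(coeffs, mod, s=8):
    """Gate count of one C_g step from the appendix: s(k-1) XORs for the k-1 additions plus rho(g)."""
    return s * (len(coeffs) - 1) + sum(xor_cost(a, mod, s) for a in coeffs)

POLY_A = 0x139  # 1 + theta^3 + theta^4 + theta^5 + theta^8 (the appendix's first field construction)
POLY_B = 0x1D7  # 1 + theta' + theta'^2 + theta'^4 + theta'^6 + theta'^7 + theta'^8 (the second one)
THETA, ETA = 0x02, 0x9C  # theta and eta = theta^7 + theta^4 + theta^3 + theta^2

def min_cost_nontrivial(mod, s=8):
    """Cheapest multiplication by any element other than 0 and 1."""
    return min(xor_cost(a, mod, s) for a in range(2, 1 << s))

if __name__ == "__main__":
    print("rho(theta) =", xor_cost(THETA, POLY_A), " rho(eta) =", xor_cost(ETA, POLY_A))  # 3 and 3
    print("cheapest nontrivial constant under POLY_B:", min_cost_nontrivial(POLY_B))
```

Note that \(\eta \) is \(\theta ^{-1}\) in the first construction, which is why its cost matches that of \(\theta \).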


Cite this article

Gupta, K.C., Pandey, S.K. & Venkateswarlu, A. On the direct construction of recursive MDS matrices. Des. Codes Cryptogr. 82, 77–94 (2017). https://doi.org/10.1007/s10623-016-0233-4
