Some approaches to construct MDS matrices over a finite field

Transcription

1 Å 31 Å 2 ¹ June 2017 Communication on Applied Mathematics and Computation Vol.31 No.2 DOI /j.issn Some approaches to construct MDS matrices over a finite field BELOV A V, LOS A B, ROZHKOV M I (National Research University Higher School of Economics, Moscow , Russia) Abstract The paper examines some approaches to construct the square maximum distance separable (MDS) matrices over a finite field. This class of matrices is widely used as diffuse maps when building block type cryptographic algorithms and hash functions. Some classes of circulant MDS matrices of size 4 4 and matrices with the maximum number of units are presented. Key words maximum distance separable (MDS) matrix; MDS code; data protection algorithms 2010 Mathematics Subject Classification 15B33 Chinese Library Classification O Ë MDS Ï Ç ÉÈ BELOV A V, LOS A B, ROZHKOV M I ( , ) ¼ MDS ÆÁ Æ À² Áà ±» ½ ¾ ³º ² 4 MDS Á «4 MDS Á ÌÎÆ MDS Á MDS µ ¾ 2010 Ê Í 15B33 Ð Ê Í O Å A ÄÍ (2017) Introduction The paper considers the problem of constructing a square n n matrix A = A n n over a finite field F q = GF(q), where the determinant of any square submatrix is nonzero. For such matrices, the set {(x, A x) x (F q ) n } is a linear code of dimension n, the block length of 2n and a minimum code distance n+1, i.e., this code achieves the upper bound of the singleton Received ; Revised Corresponding author BELOV A V, research interest is matrix theory. avbelov@hse.ru

2 144 Communication on Applied Mathematics and Computation Vol. 31 for the code distance and it is called the maximum distance separable (MDS) code. In this connection, the corresponding matrix A is called an MDS matrix. This class of matrices is widely used in the construction of the block type cryptographic algorithms and the hash functions of a data protection. To implement methods for constructing MDS matrices, an MDS matrix with a maximum number of elements equal to 1 and a minimal number of distinct elements not equal to 1 is considered. Matrices over the field GF(q) = GF(2 t ) are also considered. Now the most active researches are carried out for constructing MDS matrices of a special type, for example, circulant matrices (Hadamard matrices) [1-7]. The basic algebraic concepts used in the article are given in [8-9]. 1 Equivalent matrices It is a promising idea to build a whole class of MDS matrices {A} from the initial matrix A using just the transformations that preserve the MDS property. Examples of such transformations are the multiplication of the row (column) by an arbitrary nonzero element of the field, the permutation of rows (columns), and the transpose of the matrix. Definition 1 MDS matrices A and B are called equivalent (A B) if one of them can be obtained from the other by multiplying its rows and columns by nonzero elements of the field. For the MDS matrix M whose first row and column elements are units, let M be the submatrix obtained by deleting the first row and the first column of the matrix M. Statement 1 (i) Any MDS matrix A = (a ij ) is equivalent to the matrix whose first row and first column elements are units. (ii) Matrices A and B are equivalent if and only if A = B. (iii) Let M = (m ij ) be an n n MDS matrix. Then, the capacity of the containing equivalence class is equal to {M} = (q 1) 2n 1. Proof (i) follows from the fact that all elements of matrix A are different from zero (a ij 0). In one direction, (ii) is obvious. Let A B, p 1, p 2,, p n and q 1, q 2,, q n be the multipliers, respectively, of rows and columns of the matrix A to obtain the matrix B. In this case, we get p 1 q 1 = p 1 q 2 = = p 1 q n = 1, q 1 p 1 = q 1 p 2 = q 1 p 3 = = q 1 p n = 1. Therefore, if we divide the elements of the equality by p 1, we get q 1 = q 2 = = q n = (p 1 ) 1, p 2 = p 3 = p n = = p 1. Thus, the elements of the submatrix A do not change and A = B.

3 No. 2 BELOV A V, et al.: Some approaches to construct MDS matrices 145 Let us prove (iii). Given (i), without loss of generality, assume that the first row and column of the matrix M are units. Let p 1, p 2,, p n and q 1, q 2,, q n be the multipliers, respectively, of rows and columns of the matrix M, M 1 the transformed matrix, α, α 2, α 3,, α n elements of the first column and α, β 2, β 3,, β n elements of the first row of the matrix M 1. We get α = p 1 q 1, α i = q 1 p i, β i = p 1 q i, i = 2, 3,, n. Therefore, p i = p 1α i α, q i = q 1β i, i = 2, 3,, n. α Thus, for any set of nonzero elements α, α 2, α 3,, α n, β 2, β 3,, β n, the number of the sets is equal to (q 1) 2n 1, there are p 1, p 2,, p n and q 1, q 2,, q n which correspond to the specified set. If the elements α, α 2, α 3,, α n, β 2, β 3,, β n, are fixed, then the elements of the matrix M 1 = (b ij ) are completely determined by the specified items and the original matrix M, The proof is complete. ( p1 α i b ij = m ij p i q j = m ij α q1β ) j = m ij α ( αi β ) j. α In particular, for 2 2 matrices, representatives of the equivalence classes are the matrices of the form ( α ), α 0, α 1. The number of classes is q 2. The capacity of each class is (q 1) 3. 2 Circulant MDS matrices The circulant matrix M = cir(a 0, a 1,, a n 1 ) is uniquely determined by the polynomial f(x) = a 0 + a 1 x + a 2 x a n 1 x n 1. Coefficients of the polynomial are equal to the elements of the first row of the matrix. Note that det(m) 0 if and only if the polynomial f(x) is invertible in the ring F q [x]/(x n 1) of polynomials modulo a polynomial x n 1. In this case, the inverse matrix will also be circulant, i.e., M 1 = cir(b 0, b 1,, b n 1 ), where the first line coincides with the polynomial coefficients, g(x) = b 0 + b 1 x + b 2 x b n 1 x n 1, where g(x) is the inverse to the polynomial f(x), i.e., f(x) g(x) 1 mod (x n 1).

4 146 Communication on Applied Mathematics and Computation Vol. 31 In addition, without loss of generality, we can assume that a n 1 = 1 since any circulant matrix can be obtained from the matrix with a n 1 = 1 by nonzero element multiplication. Further, we consider the MDS matrix M = cir(a, b, c, 1) over a field GF(q), where q = p t, p is a prime number, a 0, b 0, and c 0. Conditions under which the 2 2 minors of matrix M are not equal to zero are a 2 b, ab c, a 2 c 2, ac 1, b 2 ac, bc a, b 2 1, c 2 b. Since b 2 1, the existence of the inverse matrix M 1, i.e., the mutual simplicity of the polynomials f(x) = a + bx + cx 2 + x 3 and x 4 1 is equivalent to the following relations: a + b + c + 1 0, a b + c 1 0, b /{1 + (a c)α 1, 1 + (a c)α 2 }, where α 1 and α 2 are the roots of the equation x = 0 in the field GF(q). The matrix M 1 is circulant. The conditions for the absence of zero elements in matrix M 1 are equivalent to the absence of such elements in one of its rows or columns. It is known that the elements of the first column of the matrix M 1, up to a nonzero multiplier equal to det(m), are given by minors of size 3 3 corresponding to the first row of the matrix M, namely a b c M 1 = 1 a b c 1 a, M 2 = 1 b c c a b b 1 a, M 3 = 1 a c c 1 b b c a, M 4 = 1 a b c 1 a. b c 1 Then, we get the following relations: det(m 1 ) = a 3 2ab + b 2 c ac 2 + c 0, ( a b 2 2 )b + a3 ac + 1 0, c c det(m 2 ) = b 3 2abc + a 2 + c 2 b 0, b 3 (2ac + 1)b + a 2 + c 2 0, det(m 3 ) = c 3 2bc a 2 c + ab 2 + a 0, ( c b 2 2 ac + a)b c3 a + 1 0, det(m 4 ) = a 2 b + bc 2 b 2 2ac + 1 0, b 2 (a 2 + c 2 )b + 2ac 1 0. Note that when a nonzero element a is fixed, one of the equations has a degree 3 (relatively unknown b), all others have degree 2. Thus, the full set of restrictions on the elements of the MDS matrix M has the following form: where c 0, a /A(c) = {0, ±c, c 1 }, b /B(a, c), B(a, c) = B 1 (a, c) B 2 (a, c) B 3 (a, c) B 4 (a, c), B 1 (a, c) = {0, ±1, (a + c + 1), a + c 1, a 2, c 2, ca 1, ac 1 };

5 No. 2 BELOV A V, et al.: Some approaches to construct MDS matrices 147 B 2 (a, c) = {± ac} = {±β}, where β is the root of the equation x 2 = ac in a field GF(q); B 3 (a, c) = {1 + (a c)α 1, 1 + (a c)α 2 }, where α 1 and α 2 are the roots of the equation x 2 +1 = 0 in a field GF(q); B 4 (a, c) is the set of roots of equations det(m i ) = 0 (i = 1, 2, 3, 4), where a and c are nonzero constants. For the sets, estimates of their power are 2 A(c) 4, 3 B 1 (a, c) 9, 0 B 2 (a, c) 2, 0 B 3 (a, c) 2, 0 B 4 (a, c) 9, 3 B(a, c) 22. get Then, for the total number K of choices a, b, c, and the corresponding MDS matrix, we (q 1)(q 4)(q 22) K (q 1)(q 2)(q 3). For the field GF(q = 2 t ), the above constraints are simplified. For the matrix M = cir(a, b, 1, 1), they take the form of det(m 1 ) = b 2 + a + a , det(m 2 ) = b 3 + b + a , det(m 3 ) = ab 2 + a 2 + a + 1 0, det(m 4 ) = b 2 + (a 2 + 1)b + 1 0, a /A = {0, 1}, b /B(a), where B(a) = B 1 (a) B 2 (a) B 3 (a) B 4 (a), B 1 (a) = {0, 1, a, a 2, a 1 }; B 2 (a) = {a S }, where S = q 2 (β = as is the root of the equation x 2 = a in a field GF(q)); B 3 (a) = ; B 4 (a) is the set of roots of equations det(m i ) = 0 (i = 1, 2, 3, 4), where a is a nonzero constant. For the sets, estimates of their power are A = 2, 3 B 1 (a) 5, B 2 (a) = 1, B 3 (a) = 0, 0 B 4 (a) 9, 3 B(a) 15. For the total number K of choices a, b, and the corresponding MDS matrix M = cir(a, b, 1, 1), we get (q 2)(q 15) K (q 2)(q 3). Assume that the elements of the field GF(2 t ) = F 2 [x]/f(x) are binary polynomials. The operations with these polynomials are carried out modulo an irreducible polynomial f(x) = f 0 + f 1 x + + f t 1 x t 1 + f t x t, f 0 = f t = 1

6 148 Communication on Applied Mathematics and Computation Vol. 31 over the field F 2. Theorem 1 Let GF(q) = GF(2 t ), t > 6. Then, M = cir(a, b, 1, 1) is an MDS matrix if one of the conditions occurs: (i) a = x + c (c F 2 ), b = a + 1; (ii) a = x + c (c F 2 ), b = x 2 + c + 1; (iii) a = x + c (c F 2 ), b = x 2 + x + ε (ε F 2 ); (iv) 1 deg(a(x)) = deg(b(x)) < t 1 3, a b. Proof Let one of conditions (i) (iv) hold. We substitute the pair (a(x), b(x)) in the polynomial det(m i ) for (a, b). Then, it is easy to verify that the degree of nonlinearity of any polynomial det(m i ) will be enclosed within 3 deg(det(m i )) t 2. Therefore, det(m i ) 0, i = 1, 2, 3, 4. The fulfillment of other conditions is checked directly. The proof is complete. b a, ab 1, b a 2, b 2 a Note 1 This statement remains valid for any irreducible polynomial f(x), deg(f) = t, t > 6, specifying the field GF(2 t ) = F 2 [x]/f(x). It follows from Theorem 1(i) that the MDS matrix of the form cir(a, b, 1, 1) is the case when a = x, b = x + 1, GF(2 t ) = F 2 [x]/f(x), f(x) is an irreducible binary polynomial of degree t > 6. For the case of the field GF(256), a similar example is given in [1] MDS matrix with maximum number of units It is known that the maximum number of unit elements of 4 4 MDS matrix is 9 and the minimum number of distinct non-unit elements is equal to 2 [1]. In this regard, we will explore the conditions under which the matrix M of the form a M = 1 a 1 b 1 b a b a is an MDS one. Considering the minors of the first and the second orders, we have restrictions on the elements of the matrix: a /{0, ±1}, b /{0, 1, a, a 1, a 2, ± a}.

7 No. 2 BELOV A V, et al.: Some approaches to construct MDS matrices 149 Consider the five submatrices of the third order: M 1 corresponds to deletion of the first row and the first column; M 2 corresponds to deletion of the first row and the second column; M 3 corresponds to deletion of the second row and the second column; M 4 corresponds to deletion of the second row and the third column; M 5 corresponds to deletion of the second row and the fourth column. The analysis shows that any of the 16 minors of the third order with the accuracy to a sign coincides with the determinant some of the preceding submatrix. In this case, the nonzero of all minors of the third order is equivalent to the followings: f 1 (a, b) = det(m 1 ) = a 3 + b 3 3ab + 1 0, f 2 (a, b) = det(m 2 ) = a 2 + b 2 ab a b + 1 0, f 3 (a, b) = det(m 3 ) = a 3 ab 2a + b + 1 0, f 4 (a, b) = det(m 4 ) = a 2 b 2a b + 2 0, f 5 (a, b) = det(m 5 ) = b 2 a a 2 2b + a Next, we have det(m) = (a 2 + ab + a 3)f 2 (a, b), f 3 (a, b) = (a 1)(a 2 + a b 1), f 4 (a, b) = (a 1)(ab + b 2). Hence, when a 0 and f 2 (a, b) 0, the condition det(m) 0 is equivalent to the inequality b 3a 1 a 1. Besides, when a ±1, the condition f 3 (a, b) 0 is equivalent to the inequality b a 2 + a 1, and the condition f 4 (a, b) 0 is equivalent to the inequality b 2(a + 1) 1. Note that M 1 is equal to cir(b, a, 1) up to permutation of the rows. Then, the condition f 1 (a, b) 0 is equivalent to the mutual simplicity of the polynomials b+ax+x 2 and x 3 1 = (x 1)(x 2 + x+1). Taking into account that a 1, this implies that f 1 (a, b) = det(m 1 ) 0 is equivalent to the following conditions: b (a + 1) and (b 1)(a 1) 1 is not a root of the equation x 2 + x + 1 = 0. The latter condition is equivalent to the relation f 2 (a, b) = a 2 + b 2 ab a b

8 150 Communication on Applied Mathematics and Computation Vol. 31 Thus, we have the full set of restrictions a /{0, ±1}, b /B(a) = B 1 (a) B 2 (a) B 3 (a) B 4 (a), where B 1 (a) = {0, 1, a, a 1, a 2, a 2 +a 1, (a+1), 2(a+1) 1, 3a 1 a 1}, B 2 (a) = {± a}, B 3 (a) is the set of solutions of the equation f 2 (a, b) = a 2 + b 2 ab a b + 1 = 0, B 4 (a) = {a 1 (1 + (a 1) a + 1), a 1 (1 (a 1) a + 1)} is the set of solutions of the equation f 5 (a, b) = b 2 a a 2 2b + a + 1 = 0 (relatively unknown b, element a is fixed). We have 3 B 1 (a) 9, 0 B 2 (a) 2, 0 B 3 (a) 2, 0 B 4 (a) 2, 3 B(a) 15. Hence, we have the total number K of pairs (a, b), resulting MDS matrix: (q 3)(q 15) K (q 2)(q 3). Theorem 2 Let GF(q) = GF(2 t ) = F 2 [x]/f(x), t 8, 1 deg(a(x)) 3, and 1 deg(b(x)) 2. Then, the matrix M is an MDS matrix if and only if one of the conditions is true: (i) a = x + c (c {0, 1}), b = x 2 + x; (ii) a = x 2, b {x + 1, x 2 + x, x 2 + x + 1}; (iii) a = x 2 + 1, b {x, x 2 + x, x 2 + x + 1}; (iv) a = x 2 + x + c (c {0, 1}), b {x, x + 1, x 2 + ε} (ε {0, 1}); (v) deg(a(x)) = 3, 1 deg(b(x)) 2. Proof The proof is a direct verification of the previously listed conditions. Bring it for the cases (iv) and (v). Let a = x 2 + x + c, b = x 2 + ε. Then, deg(b 2 a + a 2 + a + 1) = deg((x 2 + ε)(x 2 + x + c) + x 4 + x 2 + c + x 2 + x + c + 1) = deg(x 3 + cx 2 + ε(x 2 + x + c) + x + 1) = 3. Hence, the polynomial f 5 (a, b) = b 2 a+a 2 +a+1 has no null values. Similarly, deg(f 2 (a, b)) = deg(a 2 + b 2 + ab + a + b + 1) = 4 and the polynomial f 2 (a, b) has no null values either. Let deg(a(x)) = 3 and deg(b(x)) = 1. Then, deg(b 2 a+a 2 +a+1) = deg(a 2 ) = 6 and the polynomial f 5 (a, b) = b 2 a+a 2 +a+1 has no null values. Similarly, deg(a 2 +b 2 +ab+a+b+1) = 6 and the polynomial f 2 (a, b) has no null values either. Let deg(a(x)) = 3 and deg(b(x)) = 2. Then, we have deg(b 2 a + a 2 + a + 1) = 7. Thus the polynomial f 5 (a, b) has no null values. Similarly, deg(a 2 +b 2 +ab+a+b+1) = 6. Thus the polynomial f 2 (a, b) has no null values either.

9 No. 2 BELOV A V, et al.: Some approaches to construct MDS matrices 151 Conditions b /{a, a + 1, a 2, a 2 + a + 1}, b 2 a, ab 1 are checked directly. The remaining cases are treated in a similar way. Note 2 This statement is true for any irreducible polynomial f(x) specifying the field GF(2 t ) = F 2 [x]/f(x). An element a GF(q) is called quadratic non-residue if the equation x 2 = a has no solutions in the field GF(q). It is known when q is odd, half of the nonzero elements are quadratic non-residue. When q is even, equation specified above always has a solution (x = a q/2 ). Therefore, all elements of the field are quadratic residue. Theorem 3 Let each of the elements 3, 2, 5, 7 be the quadratic non-residue in the field GF(q), q = p t, p > 3. Suppose that for all a GF(q)\{0, ±1}, (a + 1) is quadratic non-residue and b = a + 1. Then, the matrix M is an MDS matrix. Proof The proof is carried out by checking the above general restrictions on the elements of the MDS matrix M. We will give some parts of it only. Let a + 1 = a 1. Then, a 2 + a 1 = 0, 4(a ) 2 = 5. 5 is a quadratic residue. Let a + 1 = a 2 + a 1. Then, a 2 = 2. 2 is a residue. Let a + 1 = 3a 1 a 1. Then, 2a 2 + 2a 3 = 0, 4(a ) 2 = 7. 7 is a residue. Similarly, it is established that a + 1 cannot coincide with any other element of the set B 1 (a). Let a + 1 = a. Then, a 2 + 2a + 1 = a, a 2 + a + 1 = 0, 4(a ) 2 = 3. 3 is a residue. Note that when (a, b) = (a, a + 1), the equality f 2 (a, b) = a 2 + b 2 ab a b + 1 = 0 is equivalent to the equality a 2 a + 1 = 0 which fails because 3 is a non-residue. We now show that the pair (a, b) = (a, a + 1) does not satisfy the equation f 5 (a, b) = b 2 a 2b a 2 + a + 1 = 0. If f 5 (a, b) = 0, we have b 2 a 2b a 2 + a + 1 = 0, b 2 2b a 1 a a 1 = 0, (b a 1 ) 2 = a + a 2 a 1 1 = a 2 (a 3 a 2 a + 1), (b a 1 ) 2 = a 2 (a 1)(a 2 1) = a 2 (a 1) 2 (a + 1), a 2 (a 1) 2 (b a 1 ) 2 = a + 1,

10 152 Communication on Applied Mathematics and Computation Vol. 31 a + 1 is a residue. This contradicts the conditions of the theorem. The examples of the fields GF(p) satisfying the conditions of the theorem are p = 293, p = 947, p = Conclusions The paper describes new classes of circulant 4 4 MDS matrices, and also matrices with the maximum number of units (nine) and the minimum number of distinct non-unit elements (two). Upper and lower estimates of the number of MDS matrices of the type in question for an arbitrary field GF(q) are obtained. The new classes of MDS matrices over the field GF(2 t ) whose elements (as binary polynomials) have a small degree of nonlinearity (Theorems 1 and 2) are constructed. For a field GF(q), the class of MDS matrices having only two non-unit elements a, b with the simplest analytical relationship b = a + 1 (Theorem 3) is described. It would be interesting to search for other simple (polynomial) connection between these elements preserving MDS property. References [1] Junod P, Vaudenay S. Perfect diffusion primitives for block ciphers: building efficient MDS matrices [M]// Handschuh H, Hasan M A. Proceedings of the 11th International Conference on Selected Areas in Cryptography. Heidelberg/Berlin: Springer-Verlag, 2004: [2] Augot D, Finiasz M. Exhaustive search for small dimension recursive MDS diffusion layers for block ciphers and hash functions [C]// Proceedings of the IEEE International Simposium on Information Theory (ISIT). New York: IEEE, 2013: [3] Gupta K C, Ray I G. On constructions of MDS matrices from companion matrices for lightweight cryptography [M]// Cuzzocrea A, Kittl C, Simos D E, Weippl E, Xu L. Security Engineering and Intelligence Informatics. Heidelberg/Berlin: Springer-Verlag, 2013: [4] Murtaza G, Ikram N. New methods of generating MDS matrices [C]// Proceedings of International Cryptology Workshop and Conference, [5] Markov V, Nechaev A. Generalized BCH-theorem and linear recursive MDS-codes [C]// Proceedings of 12th International Workshop on Algebraic and Combinatorial Coding Theory (ACCT-2010), Novosibirsk, Russia, [6] Couselo E, Gonzalez S, Markov V, Nechaev A. Recursive MDS-codes and recursive differentiable quasigroups [J]. Discrete Math Appl, 1998, 8(3): [7] Couselo E, Gonzalez S, Markov V, Nechaev A. Parameters of recursive MDS-codes [J]. Discrete Math Appl, 2000, 10(5): [8] Lidl R, Niderrayter G. Konechnye Polya [M]. Moscow: Mir, (in Russian) [9] Berlekèmp È. Algebraicheskaya Teoriya Kodirovaniya [M]. Moscow: Mir, (in Russian)