Some approaches to construct MDS matrices over a finite field


Communication on Applied Mathematics and Computation, Vol. 31, No. 2, June 2017. DOI: 10.3969/j.issn.1006-6330.2017.02.001

Some approaches to construct MDS matrices over a finite field

BELOV A V, LOS A B, ROZHKOV M I (National Research University Higher School of Economics, Moscow 101000, Russia)

Abstract: The paper examines some approaches to constructing square maximum distance separable (MDS) matrices over a finite field. This class of matrices is widely used as diffusion maps in building block-type cryptographic algorithms and hash functions. Some classes of circulant MDS matrices of size $4\times4$ and matrices with the maximum number of units are presented.

Key words: maximum distance separable (MDS) matrix; MDS code; data protection algorithms

2010 Mathematics Subject Classification: 15B33. Chinese Library Classification: O151.21. Article ID: 1006-6330(2017)02-0143-10

Received 2016-10-17; Revised 2017-01-04. Corresponding author: BELOV A V, research interest is matrix theory. E-mail: avbelov@hse.ru

0 Introduction

The paper considers the problem of constructing a square $n\times n$ matrix $A = A_{n\times n}$ over a finite field $F_q = GF(q)$ such that the determinant of every square submatrix is nonzero. For such a matrix, the set $\{(x, Ax) \mid x \in (F_q)^n\}$ is a linear code of dimension $n$, block length $2n$ and minimum code distance $n+1$, i.e., the code achieves the Singleton upper bound on the code distance, and it is called a maximum distance separable (MDS) code. Accordingly, the matrix $A$ is called an MDS matrix. This class of matrices is widely used in the construction of block-type cryptographic algorithms and hash functions for data protection.

To implement methods for constructing MDS matrices, we consider MDS matrices with the maximum number of elements equal to 1 and the minimum number of distinct elements not equal to 1. Matrices over the field $GF(q) = GF(2^t)$ are also considered. Currently the most active research concerns the construction of MDS matrices of special types, for example circulant matrices and Hadamard matrices [1-7]. The basic algebraic concepts used in the article are given in [8-9].

1 Equivalent matrices

It is a promising idea to build a whole class of MDS matrices $\{A\}$ from an initial matrix $A$ using only transformations that preserve the MDS property. Examples of such transformations are multiplication of a row (column) by an arbitrary nonzero element of the field, permutation of rows (columns), and transposition of the matrix.

Definition 1. MDS matrices $A$ and $B$ are called equivalent ($A \sim B$) if one of them can be obtained from the other by multiplying its rows and columns by nonzero elements of the field.

For an MDS matrix $M$ whose first row and first column consist of units, let $M'$ denote the submatrix obtained by deleting the first row and the first column of $M$.

Statement 1. (i) Any MDS matrix $A = (a_{ij})$ is equivalent to a matrix whose first row and first column consist of units. (ii) Matrices $A$ and $B$ (with unit first row and column) are equivalent if and only if $A' = B'$. (iii) Let $M = (m_{ij})$ be an $n\times n$ MDS matrix. Then the cardinality of the equivalence class containing $M$ equals $|\{M\}| = (q-1)^{2n-1}$.

Proof. (i) follows from the fact that all elements of $A$ are nonzero ($a_{ij} \ne 0$). In one direction, (ii) is obvious. Let $A \sim B$, and let $p_1, p_2, \dots, p_n$ and $q_1, q_2, \dots, q_n$ be the multipliers of the rows and columns of $A$, respectively, that produce $B$. Then
$$p_1q_1 = p_1q_2 = \dots = p_1q_n = 1,\qquad q_1p_1 = q_1p_2 = q_1p_3 = \dots = q_1p_n = 1.$$
Dividing the first chain of equalities by $p_1$ and the second by $q_1$, we get $q_1 = q_2 = \dots = q_n = p_1^{-1}$ and $p_2 = p_3 = \dots = p_n = p_1$. Thus the elements of the submatrix $A'$ do not change, and $A' = B'$.

Let us prove (iii). By (i), without loss of generality assume that the first row and first column of $M$ consist of units. Let $p_1, p_2, \dots, p_n$ and $q_1, q_2, \dots, q_n$ be the multipliers of the rows and columns of $M$, let $M_1$ be the transformed matrix, let $\alpha, \alpha_2, \alpha_3, \dots, \alpha_n$ be the elements of the first column and $\alpha, \beta_2, \beta_3, \dots, \beta_n$ the elements of the first row of $M_1$. We get
$$\alpha = p_1q_1,\qquad \alpha_i = q_1p_i,\qquad \beta_i = p_1q_i,\qquad i = 2, 3, \dots, n.$$
Therefore,
$$p_i = \frac{p_1\alpha_i}{\alpha},\qquad q_i = \frac{q_1\beta_i}{\alpha},\qquad i = 2, 3, \dots, n.$$
Thus, for any set of nonzero elements $\alpha, \alpha_2, \dots, \alpha_n, \beta_2, \dots, \beta_n$ (the number of such sets is $(q-1)^{2n-1}$) there exist multipliers $p_1, \dots, p_n$ and $q_1, \dots, q_n$ corresponding to it. If the elements $\alpha, \alpha_2, \dots, \alpha_n, \beta_2, \dots, \beta_n$ are fixed, the elements of the matrix $M_1 = (b_{ij})$ are completely determined by them and by the original matrix $M$:
$$b_{ij} = m_{ij}p_iq_j = m_{ij}\,\frac{p_1\alpha_i}{\alpha}\cdot\frac{q_1\beta_j}{\alpha} = m_{ij}\,\frac{\alpha_i\beta_j}{\alpha}.$$
The proof is complete.

In particular, for $2\times2$ matrices, representatives of the equivalence classes are the matrices of the form
$$\begin{pmatrix} 1 & 1 \\ 1 & \alpha \end{pmatrix},\qquad \alpha \ne 0,\ \alpha \ne 1.$$
The number of classes is $q-2$. The cardinality of each class is $(q-1)^3$.

2 Circulant MDS matrices

The circulant matrix $M = \mathrm{cir}(a_0, a_1, \dots, a_{n-1})$ is uniquely determined by the polynomial $f(x) = a_0 + a_1x + a_2x^2 + \dots + a_{n-1}x^{n-1}$, whose coefficients are the elements of the first row of the matrix. Note that $\det(M) \ne 0$ if and only if $f(x)$ is invertible in the ring $F_q[x]/(x^n-1)$ of polynomials modulo $x^n - 1$. In this case the inverse matrix is also circulant, $M^{-1} = \mathrm{cir}(b_0, b_1, \dots, b_{n-1})$, where the first row coincides with the coefficients of the polynomial $g(x) = b_0 + b_1x + b_2x^2 + \dots + b_{n-1}x^{n-1}$ inverse to $f(x)$, i.e., $f(x)g(x) \equiv 1 \pmod{x^n - 1}$.
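The following Python script is an added illustration of Statement 1 and is not part of the paper. It enumerates every $2\times2$ MDS matrix over a small prime field $GF(p)$, applies the row and column multipliers of Definition 1 to bring each matrix into the representative form with unit first row and column, and counts the classes and their sizes; the expected values are $q-2$ classes of $(q-1)^3$ matrices each. The primes 5, 7 and 11 are sample inputs chosen here.

```python
# Added example (not from the paper): Statement 1 checked by brute force for 2x2 matrices.
from collections import Counter
from itertools import product


def inv(v, p):
    """Multiplicative inverse of v in GF(p), p prime (Fermat's little theorem)."""
    return pow(v, p - 2, p)


def is_mds(m, p):
    """A 2x2 matrix is MDS iff every entry (1x1 minor) and the determinant are nonzero mod p."""
    (a, b), (c, d) = m
    return all(v % p for v in (a, b, c, d)) and (a * d - b * c) % p != 0


def scale(m, rows, cols, p):
    """Multiply row i by rows[i] and column j by cols[j]: the operation of Definition 1."""
    n = len(m)
    return tuple(tuple(m[i][j] * rows[i] * cols[j] % p for j in range(n)) for i in range(n))


def normalise(m, p):
    """Statement 1(i) made explicit: with q_1 = 1, row multipliers p_i = m_{i1}^{-1} turn the
    first column into units; column multipliers q_j = m_{11} m_{1j}^{-1} then turn the first
    row into units.  The remaining entries form the class invariant M' of Statement 1(ii).
    Works for any n x n matrix with nonzero entries."""
    n = len(m)
    rows = [inv(m[i][0], p) for i in range(n)]
    cols = [1] + [m[0][0] * inv(m[0][j], p) % p for j in range(1, n)]
    return scale(m, rows, cols, p)


def equivalence_classes(p):
    """Map each class representative ((1,1),(1,alpha)) to the number of 2x2 MDS matrices in it."""
    classes = Counter()
    for a, b, c, d in product(range(1, p), repeat=4):  # zero entries can never be MDS
        m = ((a, b), (c, d))
        if is_mds(m, p):
            classes[normalise(m, p)] += 1
    return classes


def check_statement_1(p):
    """Return (number of classes, set of class sizes, total number of 2x2 MDS matrices) over GF(p)."""
    classes = equivalence_classes(p)
    return len(classes), set(classes.values()), sum(classes.values())


if __name__ == "__main__":
    for p in (5, 7, 11):
        n_classes, sizes, total = check_statement_1(p)
        print(f"GF({p}): {n_classes} classes (q-2 = {p - 2}), "
              f"class sizes {sizes} ((q-1)^3 = {(p - 1) ** 3}), {total} MDS matrices")
```

The total $(q-2)(q-1)^3$ can be cross-checked independently: of the $(q-1)^4$ matrices with nonzero entries, exactly $(q-1)^3$ have $ad = bc$, so $(q-1)^4 - (q-1)^3 = (q-2)(q-1)^3$ are MDS.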

In addition, without loss of generality we can assume $a_{n-1} = 1$, since any circulant matrix can be obtained from a matrix with $a_{n-1} = 1$ by multiplication by a nonzero element. Further, we consider the MDS matrix $M = \mathrm{cir}(a, b, c, 1)$ over a field $GF(q)$, where $q = p^t$, $p$ is a prime number, $a \ne 0$, $b \ne 0$ and $c \ne 0$.

The conditions under which all $2\times2$ minors of $M$ are nonzero are
$$a^2 \ne b,\quad ab \ne c,\quad a^2 \ne c^2,\quad ac \ne 1,\quad b^2 \ne ac,\quad bc \ne a,\quad b^2 \ne 1,\quad c^2 \ne b.$$
Since $b^2 \ne 1$, the existence of the inverse matrix $M^{-1}$, i.e., the coprimality of the polynomials $f(x) = a + bx + cx^2 + x^3$ and $x^4 - 1$, is equivalent to the relations
$$a + b + c + 1 \ne 0,\qquad a - b + c - 1 \ne 0,\qquad b \notin \{1 + (a-c)\alpha_1,\ 1 + (a-c)\alpha_2\},$$
where $\alpha_1$ and $\alpha_2$ are the roots of the equation $x^2 + 1 = 0$ in the field $GF(q)$.

The matrix $M^{-1}$ is circulant, so the absence of zero elements in $M^{-1}$ is equivalent to the absence of zeros in any one of its rows or columns. It is known that the elements of the first column of $M^{-1}$, up to a nonzero multiplier equal to $\det(M)$, are given by the $3\times3$ minors corresponding to the first row of $M$, namely
$$M_1 = \begin{pmatrix} a & b & c \\ 1 & a & b \\ c & 1 & a \end{pmatrix},\quad
M_2 = \begin{pmatrix} 1 & b & c \\ c & a & b \\ b & 1 & a \end{pmatrix},\quad
M_3 = \begin{pmatrix} 1 & a & c \\ c & 1 & b \\ b & c & a \end{pmatrix},\quad
M_4 = \begin{pmatrix} 1 & a & b \\ c & 1 & a \\ b & c & 1 \end{pmatrix}.$$
Then we get the following relations:
$$\det(M_1) = a^3 - 2ab + b^2c - ac^2 + c \ne 0,\quad\text{i.e.}\quad b^2 - \frac{2a}{c}\,b + \frac{a^3}{c} - ac + 1 \ne 0,$$
$$\det(M_2) = b^3 - 2abc + a^2 + c^2 - b \ne 0,\quad\text{i.e.}\quad b^3 - (2ac + 1)b + a^2 + c^2 \ne 0,$$
$$\det(M_3) = c^3 - 2bc - a^2c + ab^2 + a \ne 0,\quad\text{i.e.}\quad b^2 - \frac{2c}{a}\,b + \frac{c^3}{a} - ac + 1 \ne 0,$$
$$\det(M_4) = a^2b + bc^2 - b^2 - 2ac + 1 \ne 0,\quad\text{i.e.}\quad b^2 - (a^2 + c^2)b + 2ac - 1 \ne 0.$$
Note that when the nonzero elements $a$ and $c$ are fixed, one of these equations has degree 3 in the unknown $b$ and all the others have degree 2.

Thus, the full set of restrictions on the elements of the MDS matrix $M$ has the following form: $c \ne 0$, $a \notin A(c) = \{0, \pm c, c^{-1}\}$, $b \notin B(a,c) = B_1(a,c) \cup B_2(a,c) \cup B_3(a,c) \cup B_4(a,c)$, where
$B_1(a,c) = \{0, \pm1, -(a+c+1), a+c-1, a^2, c^2, ca^{-1}, ac^{-1}\}$;
$B_2(a,c) = \{\pm\sqrt{ac}\} = \{\pm\beta\}$, where $\beta$ is a root of the equation $x^2 = ac$ in the field $GF(q)$;
$B_3(a,c) = \{1 + (a-c)\alpha_1,\ 1 + (a-c)\alpha_2\}$, where $\alpha_1$ and $\alpha_2$ are the roots of the equation $x^2 + 1 = 0$ in the field $GF(q)$;
$B_4(a,c)$ is the set of roots (in $b$) of the equations $\det(M_i) = 0$, $i = 1, 2, 3, 4$, with $a$ and $c$ nonzero constants.

For these sets, the cardinality estimates are
$$2 \le |A(c)| \le 4,\quad 3 \le |B_1(a,c)| \le 9,\quad 0 \le |B_2(a,c)| \le 2,\quad 0 \le |B_3(a,c)| \le 2,\quad 0 \le |B_4(a,c)| \le 9,\quad 3 \le |B(a,c)| \le 22.$$
Then, for the total number $K$ of choices of $a, b, c$ and the corresponding MDS matrices, we get
$$(q-1)(q-4)(q-22) \le K \le (q-1)(q-2)(q-3).$$

For the field $GF(q = 2^t)$, the above constraints are simplified. For the matrix $M = \mathrm{cir}(a, b, 1, 1)$ they take the form
$$\det(M_1) = b^2 + a + a^3 + 1 \ne 0,\qquad \det(M_2) = b^3 + b + a^2 + 1 \ne 0,$$
$$\det(M_3) = ab^2 + a^2 + a + 1 \ne 0,\qquad \det(M_4) = b^2 + (a^2 + 1)b + 1 \ne 0,$$
$a \notin A = \{0, 1\}$, $b \notin B(a)$, where $B(a) = B_1(a) \cup B_2(a) \cup B_3(a) \cup B_4(a)$,
$B_1(a) = \{0, 1, a, a^2, a^{-1}\}$;
$B_2(a) = \{a^S\}$, where $S = q/2$ ($\beta = a^S$ is the root of the equation $x^2 = a$ in the field $GF(q)$);
$B_3(a) = \emptyset$;
$B_4(a)$ is the set of roots of the equations $\det(M_i) = 0$, $i = 1, 2, 3, 4$, with $a$ a nonzero constant.
For these sets, the cardinality estimates are $|A| = 2$, $3 \le |B_1(a)| \le 5$, $|B_2(a)| = 1$, $|B_3(a)| = 0$, $0 \le |B_4(a)| \le 9$, $3 \le |B(a)| \le 15$. For the total number $K$ of choices of $a, b$ and the corresponding MDS matrices $M = \mathrm{cir}(a, b, 1, 1)$, we get
$$(q-2)(q-15) \le K \le (q-2)(q-3).$$

Assume that the elements of the field $GF(2^t) = F_2[x]/f(x)$ are binary polynomials. Operations with these polynomials are carried out modulo an irreducible polynomial $f(x) = f_0 + f_1x + \dots + f_{t-1}x^{t-1} + f_tx^t$, $f_0 = f_t = 1$,

over the field $F_2$.

Theorem 1. Let $GF(q) = GF(2^t)$, $t > 6$. Then $M = \mathrm{cir}(a, b, 1, 1)$ is an MDS matrix if one of the following conditions holds:
(i) $a = x + c$ ($c \in F_2$), $b = a + 1$;
(ii) $a = x + c$ ($c \in F_2$), $b = x^2 + c + 1$;
(iii) $a = x + c$ ($c \in F_2$), $b = x^2 + x + \varepsilon$ ($\varepsilon \in F_2$);
(iv) $1 \le \deg(a(x)) = \deg(b(x)) < \frac{t-1}{3}$, $a \ne b$.

Proof. Let one of the conditions (i)-(iv) hold. Substitute the pair $(a(x), b(x))$ for $(a, b)$ in the polynomials $\det(M_i)$. Then it is easy to verify that the degree of each polynomial $\det(M_i)$ lies within $3 \le \deg(\det(M_i)) \le t - 2$. Therefore $\det(M_i) \ne 0$, $i = 1, 2, 3, 4$. The remaining conditions $b \ne a$, $ab \ne 1$, $b \ne a^2$, $b^2 \ne a$ are checked directly. The proof is complete.

Note 1. This statement remains valid for any irreducible polynomial $f(x)$, $\deg(f) = t$, $t > 6$, specifying the field $GF(2^t) = F_2[x]/f(x)$.

It follows from Theorem 1(i) that an MDS matrix of the form $\mathrm{cir}(a, b, 1, 1)$ is obtained for $a = x$, $b = x + 1$, $GF(2^t) = F_2[x]/f(x)$, where $f(x)$ is an irreducible binary polynomial of degree $t > 6$. For the field $GF(256)$, a similar example is given in [1].

3 $4\times4$ MDS matrix with maximum number of units

It is known that the maximum number of unit elements in a $4\times4$ MDS matrix is 9, and the minimum number of distinct non-unit elements is 2 [1]. In this regard, we explore the conditions under which the matrix
$$M = \begin{pmatrix} a & 1 & 1 & 1 \\ 1 & a & 1 & b \\ 1 & b & a & 1 \\ 1 & 1 & b & a \end{pmatrix}$$
is an MDS matrix. Considering the minors of the first and second orders, we obtain the following restrictions on the elements of the matrix:
$$a \notin \{0, \pm1\},\qquad b \notin \{0, 1, a, a^{-1}, a^2, \pm\sqrt{a}\}.$$

Consider the five submatrices of the third order: $M_1$ corresponds to deletion of the first row and the first column; $M_2$ to deletion of the first row and the second column; $M_3$ to deletion of the second row and the second column; $M_4$ to deletion of the second row and the third column; $M_5$ to deletion of the second row and the fourth column. Analysis shows that each of the 16 minors of the third order coincides, up to sign, with the determinant of one of these submatrices. Hence the nonvanishing of all third-order minors is equivalent to the following conditions:
$$f_1(a,b) = \det(M_1) = a^3 + b^3 - 3ab + 1 \ne 0,$$
$$f_2(a,b) = \det(M_2) = a^2 + b^2 - ab - a - b + 1 \ne 0,$$
$$f_3(a,b) = \det(M_3) = a^3 - ab - 2a + b + 1 \ne 0,$$
$$f_4(a,b) = \det(M_4) = a^2b - 2a - b + 2 \ne 0,$$
$$f_5(a,b) = \det(M_5) = b^2a - a^2 - 2b + a + 1 \ne 0.$$
Next, we have
$$\det(M) = (a^2 + ab + a - 3)\,f_2(a,b),\qquad f_3(a,b) = (a-1)(a^2 + a - b - 1),\qquad f_4(a,b) = (a-1)(ab + b - 2).$$
Hence, when $a \ne 0$ and $f_2(a,b) \ne 0$, the condition $\det(M) \ne 0$ is equivalent to the inequality $b \ne 3a^{-1} - a - 1$. Besides, when $a \ne \pm1$, the condition $f_3(a,b) \ne 0$ is equivalent to the inequality $b \ne a^2 + a - 1$, and the condition $f_4(a,b) \ne 0$ is equivalent to the inequality $b \ne 2(a+1)^{-1}$.

Note that $M_1$ equals $\mathrm{cir}(b, a, 1)$ up to a permutation of rows. Then the condition $f_1(a,b) \ne 0$ is equivalent to the coprimality of the polynomials $b + ax + x^2$ and $x^3 - 1 = (x-1)(x^2 + x + 1)$. Taking into account that $a \ne 1$, this implies that $f_1(a,b) = \det(M_1) \ne 0$ is equivalent to the following conditions: $b \ne -(a+1)$, and $-(b-1)(a-1)^{-1}$ is not a root of the equation $x^2 + x + 1 = 0$. The latter condition is equivalent to the relation $f_2(a,b) = a^2 + b^2 - ab - a - b + 1 \ne 0$.

Thus, we have the full set of restrictions $a \notin \{0, \pm1\}$, $b \notin B(a) = B_1(a) \cup B_2(a) \cup B_3(a) \cup B_4(a)$, where
$B_1(a) = \{0, 1, a, a^{-1}, a^2, a^2 + a - 1, -(a+1), 2(a+1)^{-1}, 3a^{-1} - a - 1\}$;
$B_2(a) = \{\pm\sqrt{a}\}$;
$B_3(a)$ is the set of solutions of the equation $f_2(a,b) = a^2 + b^2 - ab - a - b + 1 = 0$;
$B_4(a) = \{a^{-1}(1 + (a-1)\sqrt{a+1}),\ a^{-1}(1 - (a-1)\sqrt{a+1})\}$ is the set of solutions of the equation $f_5(a,b) = b^2a - a^2 - 2b + a + 1 = 0$
(in the unknown $b$, with the element $a$ fixed). We have
$$3 \le |B_1(a)| \le 9,\quad 0 \le |B_2(a)| \le 2,\quad 0 \le |B_3(a)| \le 2,\quad 0 \le |B_4(a)| \le 2,\quad 3 \le |B(a)| \le 15.$$
Hence, for the total number $K$ of pairs $(a, b)$ giving an MDS matrix, we have
$$(q-3)(q-15) \le K \le (q-2)(q-3).$$

Theorem 2. Let $GF(q) = GF(2^t) = F_2[x]/f(x)$, $t \ge 8$, $1 \le \deg(a(x)) \le 3$, and $1 \le \deg(b(x)) \le 2$. Then the matrix $M$ is an MDS matrix if and only if one of the following conditions is true:
(i) $a = x + c$ ($c \in \{0, 1\}$), $b = x^2 + x$;
(ii) $a = x^2$, $b \in \{x + 1, x^2 + x, x^2 + x + 1\}$;
(iii) $a = x^2 + 1$, $b \in \{x, x^2 + x, x^2 + x + 1\}$;
(iv) $a = x^2 + x + c$ ($c \in \{0, 1\}$), $b \in \{x, x + 1, x^2 + \varepsilon\}$ ($\varepsilon \in \{0, 1\}$);
(v) $\deg(a(x)) = 3$, $1 \le \deg(b(x)) \le 2$.

Proof. The proof is a direct verification of the conditions listed above. We give it for the cases (iv) and (v).

Let $a = x^2 + x + c$, $b = x^2 + \varepsilon$. Then
$$\deg(b^2a + a^2 + a + 1) = \deg\big((x^2 + \varepsilon)(x^2 + x + c) + x^4 + x^2 + c + x^2 + x + c + 1\big) = \deg\big(x^3 + cx^2 + \varepsilon(x^2 + x + c) + x + 1\big) = 3.$$
Hence the polynomial $f_5(a,b) = b^2a + a^2 + a + 1$ takes no zero value. Similarly, $\deg(f_2(a,b)) = \deg(a^2 + b^2 + ab + a + b + 1) = 4$, and the polynomial $f_2(a,b)$ takes no zero value either.

Let $\deg(a(x)) = 3$ and $\deg(b(x)) = 1$. Then $\deg(b^2a + a^2 + a + 1) = \deg(a^2) = 6$, and the polynomial $f_5(a,b) = b^2a + a^2 + a + 1$ takes no zero value. Similarly, $\deg(a^2 + b^2 + ab + a + b + 1) = 6$, and the polynomial $f_2(a,b)$ takes no zero value either.

Let $\deg(a(x)) = 3$ and $\deg(b(x)) = 2$. Then $\deg(b^2a + a^2 + a + 1) = 7$, so the polynomial $f_5(a,b)$ takes no zero value. Similarly, $\deg(a^2 + b^2 + ab + a + b + 1) = 6$, so the polynomial $f_2(a,b)$ takes no zero value either.

The conditions $b \notin \{a, a + 1, a^2, a^2 + a + 1\}$, $b^2 \ne a$, $ab \ne 1$ are checked directly. The remaining cases are treated in a similar way.

Note 2. This statement is true for any irreducible polynomial $f(x)$ specifying the field $GF(2^t) = F_2[x]/f(x)$.

An element $a \in GF(q)$ is called a quadratic non-residue if the equation $x^2 = a$ has no solutions in the field $GF(q)$. It is known that when $q$ is odd, half of the nonzero elements are quadratic non-residues. When $q$ is even, the equation above always has a solution ($x = a^{q/2}$), so all elements of the field are quadratic residues.

Theorem 3. Let each of the elements $-3, 2, 5, 7$ be a quadratic non-residue in the field $GF(q)$, $q = p^t$, $p > 3$. Suppose that $a \in GF(q)\setminus\{0, \pm1\}$ is such that $a + 1$ is a quadratic non-residue, and let $b = a + 1$. Then the matrix $M$ is an MDS matrix.

Proof. The proof consists in checking the general restrictions on the elements of the MDS matrix $M$ given above; we present only some parts of it.
Let $a + 1 = a^{-1}$. Then $a^2 + a - 1 = 0$ and $4(a + 2^{-1})^2 = 5$, so $5$ would be a quadratic residue, contrary to the hypothesis.
Let $a + 1 = a^2 + a - 1$. Then $a^2 = 2$, so $2$ would be a residue.
Let $a + 1 = 3a^{-1} - a - 1$. Then $2a^2 + 2a - 3 = 0$ and $4(a + 2^{-1})^2 = 7$, so $7$ would be a residue.
Similarly, it is established that $a + 1$ cannot coincide with any other element of the set $B_1(a)$.
Let $a + 1 = \sqrt{a}$. Then $a^2 + 2a + 1 = a$, $a^2 + a + 1 = 0$ and $4(a + 2^{-1})^2 = -3$, so $-3$ would be a residue.
Note that when $(a, b) = (a, a + 1)$, the equality $f_2(a,b) = a^2 + b^2 - ab - a - b + 1 = 0$ is equivalent to the equality $a^2 - a + 1 = 0$, which fails because $-3$ is a non-residue.
We now show that the pair $(a, b) = (a, a + 1)$ does not satisfy the equation $f_5(a,b) = b^2a - 2b - a^2 + a + 1 = 0$. If $f_5(a,b) = 0$, we have
$$b^2a - 2b - a^2 + a + 1 = 0,\qquad b^2 - 2ba^{-1} - a + 1 + a^{-1} = 0,$$
$$(b - a^{-1})^2 = a + a^{-2} - a^{-1} - 1 = a^{-2}(a^3 - a^2 - a + 1),$$
$$(b - a^{-1})^2 = a^{-2}(a-1)(a^2-1) = a^{-2}(a-1)^2(a+1),\qquad a^2(a-1)^{-2}(b - a^{-1})^2 = a + 1,$$

so $a + 1$ is a residue. This contradicts the conditions of the theorem. Examples of fields $GF(p)$ satisfying the conditions of the theorem are $p = 293$, $p = 947$ and $p = 3797$.

4 Conclusions

The paper describes new classes of circulant $4\times4$ MDS matrices, as well as matrices with the maximum number of units (nine) and the minimum number of distinct non-unit elements (two). Upper and lower estimates of the number of MDS matrices of the type in question over an arbitrary field $GF(q)$ are obtained. New classes of MDS matrices over the field $GF(2^t)$ whose elements (as binary polynomials) have a small degree of nonlinearity (Theorems 1 and 2) are constructed. For a field $GF(q)$, the class of MDS matrices having only two non-unit elements $a, b$ with the simplest analytical relationship $b = a + 1$ (Theorem 3) is described. It would be interesting to search for other simple (polynomial) connections between these elements that preserve the MDS property.

References
[1] Junod P, Vaudenay S. Perfect diffusion primitives for block ciphers: building efficient MDS matrices [M]// Handschuh H, Hasan M A (eds). Proceedings of the 11th International Conference on Selected Areas in Cryptography. Heidelberg/Berlin: Springer-Verlag, 2004: 84-99.
[2] Augot D, Finiasz M. Exhaustive search for small dimension recursive MDS diffusion layers for block ciphers and hash functions [C]// Proceedings of the IEEE International Symposium on Information Theory (ISIT). New York: IEEE, 2013: 1551-1555.
[3] Gupta K C, Ray I G. On constructions of MDS matrices from companion matrices for lightweight cryptography [M]// Cuzzocrea A, Kittl C, Simos D E, Weippl E, Xu L (eds). Security Engineering and Intelligence Informatics. Heidelberg/Berlin: Springer-Verlag, 2013: 29-43.
[4] Murtaza G, Ikram N. New methods of generating MDS matrices [C]// Proceedings of the International Cryptology Workshop and Conference, 2008.
[5] Markov V, Nechaev A. Generalized BCH-theorem and linear recursive MDS-codes [C]// Proceedings of the 12th International Workshop on Algebraic and Combinatorial Coding Theory (ACCT-2010), Novosibirsk, Russia, 2010.
[6] Couselo E, Gonzalez S, Markov V, Nechaev A. Recursive MDS-codes and recursive differentiable quasigroups [J]. Discrete Math Appl, 1998, 8(3): 217-245.
[7] Couselo E, Gonzalez S, Markov V, Nechaev A. Parameters of recursive MDS-codes [J]. Discrete Math Appl, 2000, 10(5): 433-453.
[8] Lidl R, Niderrayter G. Konechnye Polya [M]. Moscow: Mir, 1988. (in Russian)
[9] Berlekamp E. Algebraicheskaya Teoriya Kodirovaniya [M]. Moscow: Mir, 1971. (in Russian)
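As a closing worked example, added here and not code from the paper, the Python below implements a brute-force MDS check (every square submatrix nonsingular) over both $GF(2^t)$ and $GF(p)$ and uses it to confirm concrete instances of Theorems 1, 2 and 3: the circulant $\mathrm{cir}(x, x+1, 1, 1)$ of Theorem 1(i), the nine-unit matrix of Theorem 2(iv) with $a = x^2 + x + 1$, $b = x^2$, and the pairs $(a, a+1)$ of Theorem 3 over $GF(293)$. Two assumptions are made here that the paper does not fix: the field $GF(2^8)$ is represented with the irreducible polynomial $x^8 + x^4 + x^3 + x + 1$ (0x11B, the AES field polynomial, so $t = 8 > 6$), and $p = 293$ is taken from the paper's list of primes satisfying Theorem 3.

```python
# Added example (not from the paper): exhaustive MDS checker over GF(2^t) and GF(p).
from itertools import combinations


class GF2t:
    """GF(2^t) = F_2[x]/f(x); an element is an int whose bit i is the coefficient of x^i."""

    def __init__(self, t, poly):
        self.t, self.poly = t, poly  # poly carries the leading x^t term (bit t set)

    def add(self, a, b):
        return a ^ b

    def neg(self, a):  # characteristic 2: -a = a
        return a

    def mul(self, a, b):
        """Shift-and-add multiplication with reduction modulo f(x)."""
        r = 0
        while b:
            if b & 1:
                r ^= a
            b >>= 1
            a <<= 1
            if a >> self.t:
                a ^= self.poly
        return r

    def is_zero(self, a):
        return a == 0


class GFp:
    """Prime field GF(p); elements are ints reduced modulo p."""

    def __init__(self, p):
        self.p = p

    def add(self, a, b):
        return (a + b) % self.p

    def neg(self, a):
        return (-a) % self.p

    def mul(self, a, b):
        return (a * b) % self.p

    def is_zero(self, a):
        return a % self.p == 0


def det(F, m):
    """Determinant over field F by cofactor expansion along the first row (n <= 4 here)."""
    if len(m) == 1:
        return m[0][0]
    total = 0  # 0 is the zero element in both representations
    for j, entry in enumerate(m[0]):
        minor = [row[:j] + row[j + 1:] for row in m[1:]]
        term = F.mul(entry, det(F, minor))
        total = F.add(total, term if j % 2 == 0 else F.neg(term))
    return total


def is_mds(F, m):
    """MDS <=> every square submatrix (every equal-size choice of rows and columns) is nonsingular."""
    n = len(m)
    for k in range(1, n + 1):
        for rows in combinations(range(n), k):
            for cols in combinations(range(n), k):
                if F.is_zero(det(F, [[m[i][j] for j in cols] for i in rows])):
                    return False
    return True


def cir(first_row):
    """Circulant matrix cir(a_0, ..., a_{n-1}): row i is the first row rotated right by i."""
    n = len(first_row)
    return [first_row[-i:] + first_row[:-i] if i else list(first_row) for i in range(n)]


def nine_unit_matrix(a, b, one=1):
    """The Section 3 matrix M with nine units and the two non-unit elements a, b."""
    return [[a, one, one, one], [one, a, one, b], [one, b, a, one], [one, one, b, a]]


def is_quadratic_non_residue(v, p):
    """Euler's criterion in GF(p), p an odd prime."""
    return pow(v % p, (p - 1) // 2, p) == p - 1


def theorem3_hypothesis_holds(p):
    """-3, 2, 5 and 7 must all be quadratic non-residues in GF(p)."""
    return all(is_quadratic_non_residue(v, p) for v in (-3, 2, 5, 7))


def theorem3_candidates(p):
    """All a in GF(p) \\ {0, +-1} for which a + 1 is a quadratic non-residue."""
    return [a for a in range(2, p - 1) if is_quadratic_non_residue(a + 1, p)]


def verify_theorem3(p):
    """True iff the hypothesis holds and every pair (a, a + 1) gives an MDS matrix over GF(p)."""
    F = GFp(p)
    return theorem3_hypothesis_holds(p) and all(
        is_mds(F, nine_unit_matrix(a, a + 1)) for a in theorem3_candidates(p))


if __name__ == "__main__":
    F256 = GF2t(8, 0x11B)  # assumed field polynomial x^8 + x^4 + x^3 + x + 1
    X = 0b10               # the element x
    print("Theorem 1(i): cir(x, x+1, 1, 1) over GF(2^8) is MDS:", is_mds(F256, cir([X, X ^ 1, 1, 1])))
    print("Theorem 2(iv): a = x^2+x+1, b = x^2 over GF(2^8) is MDS:", is_mds(F256, nine_unit_matrix(0b111, 0b100)))
    print("Theorem 3 over GF(293) for every admissible a:", verify_theorem3(293))
```

The checker tests all $\sum_k \binom{4}{k}^2 = 69$ square submatrices of a $4\times4$ matrix directly rather than relying on the reductions of Sections 2 and 3, so it also serves as an independent confirmation that the five determinants $f_1, \dots, f_5$ really do cover all sixteen third-order minors for the matrices it reports as MDS.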