MDS matrix

Represents a function with diffusion properties useful in cryptography

An MDS matrix (maximum distance separable) is a matrix representing a function with certain diffusion properties that have useful applications in cryptography. Technically, an m × n {\displaystyle m\times n} matrix A {\displaystyle A} over a finite field K {\displaystyle K} is an MDS matrix if it is the transformation matrix of a linear transformation f ( x ) = A x {\displaystyle f(x)=Ax} from K n {\displaystyle K^{n}} to K m {\displaystyle K^{m}} such that no two different ( m + n ) {\displaystyle (m+n)} -tuples of the form ( x , f ( x ) ) {\displaystyle (x,f(x))} coincide in n {\displaystyle n} or more components. Equivalently, the set of all ( m + n ) {\displaystyle (m+n)} -tuples ( x , f ( x ) ) {\displaystyle (x,f(x))} is an MDS code, i.e., a linear code that reaches the Singleton bound.

Let A ~ = ( I n A ) {\displaystyle {\tilde {A}}={\begin{pmatrix}\mathrm {I} _{n}\\\hline \mathrm {A} \end{pmatrix}}} be the matrix obtained by joining the identity matrix I n {\displaystyle \mathrm {I} _{n}} to A {\displaystyle A} . Then a necessary and sufficient condition for a matrix A {\displaystyle A} to be MDS is that every possible n × n {\displaystyle n\times n} submatrix obtained by removing m {\displaystyle m} rows from A ~ {\displaystyle {\tilde {A}}} is non-singular. This is also equivalent to the following: all the sub-determinants of the matrix A {\displaystyle A} are non-zero. Then a binary matrix A {\displaystyle A} (namely over the field with two elements) is never MDS unless it has only one row or only one column with all components 1 {\displaystyle 1} .

Reed–Solomon codes have the MDS property and are frequently used to obtain the MDS matrices used in cryptographic algorithms.

Serge Vaudenay suggested using MDS matrices in cryptographic primitives to produce what he called multipermutations, not-necessarily linear functions with this same property.[1] These functions have what he called perfect diffusion: changing t {\displaystyle t} of the inputs changes at least m t + 1 {\displaystyle m-t+1} of the outputs. He showed how to exploit imperfect diffusion to cryptanalyze functions that are not multipermutations.

MDS matrices are used for diffusion in such block ciphers as AES, SHARK, Square, Twofish, Anubis, KHAZAD, Manta, Hierocrypt, Kalyna, Camellia and HADESMiMC, and in the stream cipher MUGI and the cryptographic hash function Whirlpool, Poseidon.

References

  1. ^ Vaudenay, Serge (1995), Preneel, Bart (ed.), "On the need for multipermutations: Cryptanalysis of MD4 and SAFER", Fast Software Encryption, vol. 1008, Berlin, Heidelberg: Springer Berlin Heidelberg, pp. 286–297, doi:10.1007/3-540-60590-8_22, ISBN 978-3-540-60590-4, retrieved 2023-07-17
  • Vincent Rijmen; Joan Daemen; Bart Preneel; Antoon Bosselaers; Erik De Win (February 1996). The Cipher SHARK (PDF/PostScript). 3rd International Workshop on Fast Software Encryption (FSE '96). Cambridge: Springer-Verlag. pp. 99–111. Retrieved 2007-03-06.
  • Bruce Schneier; John Kelsey; Doug Whiting; David Wagner; Chris Hall; Niels Ferguson (June 15, 1998). "The Twofish Encryption Algorithm" (PDF/PostScript). Retrieved 2007-03-04.
  • v
  • t
  • e