Four by four MDS matrices with the fewest XOR gates based on words

Abstract: <p style='text-indent:20px;'>MDS matrices play an important role in the design of block ciphers, and constructing MDS matrices with fewer xor gates is of significant interest for lightweight ciphers. For this topic, Duval and Leurent proposed an approach to construct MDS matrices by using three linear operations in ToSC 2018. Taking words as elements, they found <inline-formula><tex-math id="M1">\begin{document}$ 16\times16 $\end{document}</tex-math></inline-formula> and <inlin… Show more

“…However, the complexity of their search techniques for finding an MDS matrix with sw-XOR cost equal to 8n + 2 is prohibitively high. In fact, as reported in [WLTZ21], the size of the search space is ≥ 2 43 even for the case of n = 4. Apparently, the search problem in the domain of block matrices over GL(n, F 2 ) looks huge and appears difficult to exhaust.…”

“…The construction of lightweight MDS matrices proposed in [DL18] showed a minimal approach, that can ensure achieving MDS matrices which are of low cost. This approach was taken up by [WLTZ21] that extended it by treating the linear operations as the multiplications by the three types of elementary matrices. It is well-known that any non-singular matrix over F 2 n can be decomposed as a product of elementary matrices.…”

“…The g-XOR metric gives the optimal implementation in terms of XOR gate count, but it does not have a nice mathematical structure as compared to sw-XOR or s-XOR metrics. In [WLTZ21], the authors introduced the concept of path. The path of a matrix is an ordered list of elementary (block) matrices of Type III that appear in a special form of the matrix decomposition.…”

“…In this process, the authors of [WLTZ21] also made some initial observations on the equivalence of paths. In this paper, we first rephrase some of the basic results presented in [WLTZ21] by including Type I elementary block matrices. This brings more clarity on the connection between matrices and their path.…”

“…Recently, considering matrix decomposition as a product of elementary block matrices, a new XOR count metric called sequential XOR count based on words was proposed in [WLTZ21]. Let M ∈ M(n, m) be a non-singular block matrix of order m over M n .…”

On the Lower Bound of Cost of MDS Matrices

“…However, the complexity of their search techniques for finding an MDS matrix with sw-XOR cost equal to 8n + 2 is prohibitively high. In fact, as reported in [WLTZ21], the size of the search space is ≥ 2 43 even for the case of n = 4. Apparently, the search problem in the domain of block matrices over GL(n, F 2 ) looks huge and appears difficult to exhaust.…”

“…The construction of lightweight MDS matrices proposed in [DL18] showed a minimal approach, that can ensure achieving MDS matrices which are of low cost. This approach was taken up by [WLTZ21] that extended it by treating the linear operations as the multiplications by the three types of elementary matrices. It is well-known that any non-singular matrix over F 2 n can be decomposed as a product of elementary matrices.…”

“…The g-XOR metric gives the optimal implementation in terms of XOR gate count, but it does not have a nice mathematical structure as compared to sw-XOR or s-XOR metrics. In [WLTZ21], the authors introduced the concept of path. The path of a matrix is an ordered list of elementary (block) matrices of Type III that appear in a special form of the matrix decomposition.…”

“…In this process, the authors of [WLTZ21] also made some initial observations on the equivalence of paths. In this paper, we first rephrase some of the basic results presented in [WLTZ21] by including Type I elementary block matrices. This brings more clarity on the connection between matrices and their path.…”

“…Recently, considering matrix decomposition as a product of elementary block matrices, a new XOR count metric called sequential XOR count based on words was proposed in [WLTZ21]. Let M ∈ M(n, m) be a non-singular block matrix of order m over M n .…”

On the Lower Bound of Cost of MDS Matrices

On the Construction Structures of $$3 \times 3$$ Involutory MDS Matrices over $$\mathbb {F}_{2^{m}}$$

On the counting of involutory MDS matrices