More Constructions of Light MDS Transforms Based on Known MDS Circulant Matrices

Abstract

Maximum distance separable (MDS) codes have the maximum branch number in cryptography, and they are generally used in diffusion layers of symmetric ciphers. The diffusion layer of the Advanced Encryption Standard (AES) uses the circulant MDS matrix with the row element of $\left\{2;3;1;1\right\}$ in ${\mathbb{F}}_{2^8}$. It is the simplest MDS matrix in ${\mathbb{F}}_{2^n}^4$, recorded as $\mathit{A}=Circ\left(2;3;1;1\right)$. In this paper, we study the more extensive MDS constructions of $\mathit{A}$ in ${\mathbb{F}}_{2^n}^4$. By transforming the element multiplication operation in the finite field into the bit-level operation, we propose a multivariable operation definition based on simple operations, such as cyclic shift, shift, and XOR. We apply this multivariable operation to more lightweight MDS constructions of $\mathit{A}$ and discuss the classification of the MDS clusters. We also give an example of the MDS cluster of $\mathit{A}$. Without changing the structure, elements, and the implementation cost of the known MDS matrix, the number of existing MDS transformations is expanded to $n^2/2$ times that of its original. The constructions in this paper provide rich component materials for the design of lightweight cryptographic algorithms.

1. Introduction

The design of modern cryptographic algorithms generally follows the principles of confusion and diffusion [1]. Diffusion layers are critical components of symmetric ciphers. It is an important means to achieve complex relationships between plaintexts and ciphertexts. By using the diffusion layer, each bit of the plaintext will affect multiple bits of the ciphertext, thus ensuring the security of the cryptographic algorithm. Maximum distance separable (MDS) codes have the maximum number of branches, so they are often used in cryptography to construct optimal diffusion layers of block ciphers, stream ciphers, and hash algorithms. For instance, the diffusion layer of the Advanced Encryption Standard (AES [2]) uses the simplest MDS matrix over ${\mathbb{F}}_{2^{4n}}$, which is a circulant MDS matrix with a row element of $\left\{2;3;1;1\right\}$ in ${\mathbb{F}}_{2^{8 }}$, recorded as $\mathit{A}=Circ\left(2;3;1;1\right)$. The diffusion layer of SM4 [3] uses the MDS transformation based on a 32-bit rotational-XOR operation. In cryptographic literature, numerous papers [4,5,6,7,8,9,10,11,12,13,14,15,16,17] have studied various aspects of MDS diffusion layers, including their structure, from mathematical viewpoints on rings and fields, as well as minimizing their implementation costs in software and/or hardware applications. For example, Mirzaee et al. [12] placed lightweight multiplication on MDS matrices in fields; Xiang et al. [14,15] proposed MDS matrices as the best implementations produced by various algorithms up to now and [16,17] provided some nonlinear MDS diffusion layers.

Currently, for known MDS matrices on ${\mathbb{F}}_{2^{n }}$, the operations and quantities are limited by irreducible polynomials in the finite field. In order to obtain more MDS diffusion layers from MDS matrices on fields, it is necessary to change the matrix form or component element, such by as replacing specific elements of the matrix with different primitive elements in the finite field so as to construct different MDS transformations [18]. For these simple MDS matrices, the manner by which to construct many more, and more extensive, MDS transformations, without changing their forms, component elements, and implementation costs, is of particular significance for the enrichment of the cognition of MDS and the improving of the adaptability of MDS diffusion layers.

This paper studies the more extensive MDS construction that is based on the circulant MDS matrix $Circ\left(2;3;1;1\right)$ (abbreviated as $\mathit{A}$). With the aid of introducing a parametric map, defined by transforming the multiplication operation of $\mathit{A}$ elements in ${\mathbb{F}}_{2^{n }}$ into bitwise multivariable operation with cyclic shift and XOR, we extend the operation of matrix $\mathit{A}$ to obtain more $4\times 4$ MDS diffusion layers. We use the definition of the multivariable parametric map to obtain more MDS constructions based on $\mathit{A}$, and we propose the connection between MDS clusters and the equivalence classification. Then, examples of the MDS cluster based on $\mathit{A}$ over ${\mathbb{F}}_{2^8}^4$ are given. All such MDS constructions proposed in this paper have equally low-cost implementations, and the number of MDS is expanded to $n^2/2$ times that of the original construction. These constructions we proposed can be widely applied to the design of lightweight cryptographic algorithms which is for the purpose of constraining resources, such as IoTs and wireless communication environments.

This article is organized as follows: In Section 2, we give preliminary notations and definitions. Section 3 provides theoretical conclusions and examples for more extensive MDS constructions of $\mathit{A}$, and Section 4 is devoted to the conclusion.

2. Notations and Definitions

The binary digit 0 or 1 is called “1 bit” or “bit”. Without losing generality, we specify that the most significant bit of data is always on the far left of its binary digits, and the lowest significant bit of data is always on the rightmost of its binary digits.

Let ${\mathbb{F}}_{2^n}$ be the finite field with $2^n$ elements and ${\mathbb{F}}_2^n$ be the $n$-dimensional linear space over ${\mathbb{F}}_2$. We denote the multiplication in ${\mathbb{F}}_{2^n}$ by $·$ and the addition in ${\mathbb{F}}_{2^n}$ by $\oplus$. The operation “$<<<t$” represents the left cyclic shift for $t$ bits, and “&” denotes bitwise and operation. $x{|}_{t }$ denotes the $t$-th bit of $x$. “$\times$” is the ordinary multiplication function.

For any $\mathrm{X}=\left({\mathrm{x}}_0,{\mathrm{x}}_1,\dots ,{\mathrm{x}}_{\mathrm{n}-1}\right)\in {\mathbb{F}}_{2^{\mathrm{n}}}^{\mathrm{m}}$, the weight (denoted by $\mathrm{wt}\left(\mathrm{X}\right)$) of $X$ over ${\mathbb{F}}_{2^{\mathrm{n}}}$ is defined as

$$\mathrm{wt}\left(\mathrm{X}\right)=\left|\left\{\mathrm{i}:1\le \mathrm{i}\le \mathrm{m},{\mathrm{x}}_{\mathrm{i}}\ne 0\right\}\right|.$$

Let $\mathrm{F}$ be a map on ${\mathbb{F}}_{2^{\mathrm{n}}}^{\mathrm{m}}$. The branch number (denoted by ${\mathrm{Br}}_{\mathrm{n}}\left(\mathrm{F}\right)$, or $\mathrm{Br}\left(\mathrm{F}\right)$) of $\mathrm{F}$ over ${\mathbb{F}}_{2^{\mathrm{n}}}$ is defined as

$${\mathrm{Br}}_{\mathrm{n}}\left(\mathrm{F}\right)=\underset{\mathrm{X},\mathrm{Y}\in {\mathbb{F}}_{2^{\mathrm{n}}}^{\mathrm{m}}, \mathrm{X}\ne \mathrm{Y}}{\min }\left\{\mathrm{wt}\left(\mathrm{X}\oplus \mathrm{Y}\right)+\mathrm{wt}\left(\mathrm{F}\left(\mathrm{X}\right)\oplus \mathrm{F}\left(\mathrm{Y}\right)\right)\right\}.$$

Definition 1.

Let $F$ be a map on ${\mathbb{F}}_{2^n}^m$. $F$ is called MDS (over ${\mathbb{F}}_{2^n}$) if $Br\left(F\right)=m+1$.

In this paper, we investigate the $4\times 4$ circulant MDS matrix $Circ\left(2;3;1;1\right)$ used in the diffusion layer of AES, which is an MDS transformation with the simplest matrix form on ${\mathbb{F}}_{2^8}^4$. Its implementation cost is less than 92 XOR logic gates [14]. The circulant MDS matrix $Circ\left(2;3;1;1\right)$ on ${\mathbb{F}}_{2^n}^4$ is denoted as $\mathit{A}$.

$$\mathit{A}=\left[\begin{array}{cc}\begin{array}{c}\begin{array}{cc}2& 3\\ 1& 2\end{array}\\ \begin{array}{cc}1& 1\\ 3& 1\end{array}\end{array}& \begin{array}{c}\begin{array}{cc}1& 1\\ 3& 1\end{array}\\ \begin{array}{cc}2& 3\\ 1& 2\end{array}\end{array}\end{array}\right]$$

Let $X=\left(x_0,x_1,\dots ,x_3\right)\in {\mathbb{F}}_{2^n}^4$ be the input, and $Y=\left(y_0,y_1,\dots ,y_3\right)\in {\mathbb{F}}_{2^n}^4$ be the output; then, the operation of $\mathit{A}$ is expressed as follows:

$$\left[\begin{array}{c}\begin{array}{c}{y}_0\\ y_1\end{array}\\ y_2\\ y_3\end{array}\right]=\left[\begin{array}{cc}\begin{array}{c}\begin{array}{cc}2& 3\\ 1& 2\end{array}\\ \begin{array}{cc}1& 1\\ 3& 1\end{array}\end{array}& \begin{array}{c}\begin{array}{cc}1& 1\\ 3& 1\end{array}\\ \begin{array}{cc}2& 3\\ 1& 2\end{array}\end{array}\end{array}\right]\left[\begin{array}{c}\begin{array}{c}{x}_0\\ x_1\end{array}\\ x_2\\ x_3\end{array}\right]$$

that is,

$$y_0=2·x_0\oplus 3·x_1\oplus 1·x_2\oplus 1·x_3$$

$$y_1=1·x_0\oplus 2·x_1\oplus 3·x_2\oplus 1·x_3$$

$$y_2=1·x_0\oplus 1·x_1\oplus 2·x_2\oplus 3·x_3$$

$$y_3=3·x_0\oplus 1·x_1\oplus 1·x_2\oplus 2·x_3$$

where both $x_i$ and $y_i$ are $n$-bit, and $3·x_i=2·x_i\oplus x_i$, $i\in \left\{0, 1, 2, 3\right\}$.

According to the general understanding, the operations of matrix $\mathit{A}$ are multiplication and addition in ${\mathbb{F}}_{2^n}$. For a map $f$ on ${\mathbb{F}}_{2^n}$ up to the choice of the monic irreducible polynomial of degree $n$, the double multiplication on ${\mathbb{F}}_{2^n}$ recorded as $xtim{e}_f\left(x\right)=2·x$ has a representation as follows:

Lemma 1.

Suppose that $f=x^n+a_0{x}^{n-1}+a_1{x}^{n-1}+\cdots +a_{n-2}x+1$ is a monic irreducible polynomial of degree $n$, where $a_i\in {\mathbb{F}}_2, i=0,1,\dots ,n-2$. Let $a_{n-1}=0$, and the corresponding coeffcient $\left(a_0, a_1, \cdots ,a_{n-1 }\right)$ is denoted as $\alpha$ in ${\mathbb{F}}_{2^n}$. Then,

$$xtim{e}_f\left(x\right)=(x<<<1)\oplus ((x<<<1){|}_{n-1}\times \alpha ), x\in {\mathbb{F}}_{2^n}.$$

(1)

According to Equation (1), the operation of matrix $\mathit{A}$ can be written in the following Equation (2), with a left cyclic shift and XOR operations based on a parameter $\alpha$.

Let $z_0=x_0\oplus x_1$, $z_1=x_1\oplus x_2$, $z_2=x_2\oplus x_3$, $z_3=x_3\oplus x_0$; then, the operation of A is also expressed as follows:

$$\begin{gathered} y_0=(z_0<<<1)\oplus x_1\oplus x_2\oplus x_3\oplus ((z_0<<<1){|}_{n-1}\times \alpha ) \\ {y}_1=(z_1<<<1)\oplus x_2\oplus x_3\oplus x_0\oplus ((z_1<<<1){|}_{n-1}\times \alpha ) \\ {y}_2=(z_2<<<1)\oplus x_3\oplus x_0\oplus x_1\oplus ((z_2<<<1){|}_{n-1}\times \alpha ) \\ {y}_3=(z_3<<<1)\oplus x_0\oplus x_1\oplus x_2\oplus ((z_3<<<1){|}_{n-1}\times \alpha ) \end{gathered}$$

(2)

Whether the operation in Equation (2) is an MDS transformation depends on $\alpha$.

Definition 2.

The data $\alpha \in {\mathbb{F}}_{2^n}$ is called the MDS-generating element of $\mathit{A}$ on ${\mathbb{F}}_{2^n}^4$, or for short, the MDS-generating element of $\mathit{A}$, if $\alpha$ makes Equation (2) into an MDS transformation.

Obviously, the $n$-bit data $\left(a_0, a_1, \cdots , a_{n-2 },0\right)$ corresponding to every monic irreducible polynomial $x^n+a_0{x}^{n-1}+a_1{x}^{n-1}+\cdots +a_{n-2}x+1$ in ${\mathbb{F}}_{2^n}$ is the MDS-generating element of $\mathit{A}$. It can be predicted that the number of MDS-generating elements of $\mathit{A}$ is not less than the number of monic irreducible polynomials of degree $n$, which is indeed the case, as shown in Example 1.

Since the MDS-generating elements of $\mathit{A}$ can be obtained according to the operations form of Equation (2), which is no longer limited to irreducible polynomials of degree $n$ in ${\mathbb{F}}_{2^n}$, it is necessary to redefine $xtim{e}_f\left(x\right)=2·x$, that is, to define the $xtim{e}_{\alpha }\left(x\right)$ operation for parameter $\alpha$ in ${\mathbb{F}}_{2^n}$ as follows:

$$xtim{e}_{\mathsf{\alpha }}\left(x\right)=(x<<<1)\oplus ((x<<<1){|}_{n-1}\times \alpha )$$

(3)

Next, we show how to generate more MDS transformations using each MDS-generating element of $\mathit{A}$.

Let $h_{i,j}\left(\alpha \right): \mathbb{Z}\times \mathbb{Z}\times {\mathbb{F}}_{2^n}\to {\mathbb{F}}_{2^n}$ be a parametric function with two parameter variables $\left(i,j\right)$ about the input $\alpha \in {\mathbb{F}}_{2^{n }}$. We parametrically extend the operation rule of the $xtim{e}_{\alpha }\left(x\right)$ of Equation (3) and introduce $xtim{e}_{h_{i,j}^{\alpha }}\left(x\right)$.

Definition 3.

Let $t=(x<<<i)$ and $t_{n-1-j}$ = $(x<<<i){|}_{n-1-j}$, $x=(x_0{x}_1\dots x_{n-1})\in {\mathbb{F}}_2^n$. $xtim{e}_{h_{i,j}^{\alpha }}\left(x\right)$ is defined as

$$xtim{e}_{h_{i,j}^{\alpha }}\left(x\right)=(x<<<i)\oplus ((x<<<i){|}_{n-1-j}\times h_{i,j}\left(\alpha \right))$$

(4)

where $0\le i\le n-1, 0\le j\le n-1$.

Now we use the $xtim{e}_{h_{i,j}^{\alpha }}\left(x\right)$ operation defined in Equation (4) to replace the $2·x$ operation in $\mathit{A}$. Then, we obtain Equation (5), which is parametric with 3 parameter variables, $\left(i,j,\alpha \right)\in \mathbb{Z}\times \mathbb{Z}\times {\mathbb{F}}_{2^n}$ for $\mathit{A}$, denoted by $A_{h_{i,j}^{\alpha }}$.

Let the input be $X=\left(x_0,x_1,x_2,x_3\right)\in {\mathbb{F}}_{2^n}^4$, and the output be $Y=\left(y_0,y_1,y_2,y_3\right)\in {\mathbb{F}}_{2^n}^4$; let

$$z_0=x_0\oplus x_1, z_1=x_1\oplus x_2, z_2=x_2\oplus x_3, z_3=x_3\oplus x_0.$$

Then, $Y=A_{h_{i,j}^{\alpha }}\left(X\right)$ is defined as follows:

$$\begin{gathered} y_0=(z_0<<<i)\oplus x_1\oplus x_2\oplus x_3\oplus ((z_0<<<i){|}_{n-1-j}\times h_{i,j}\left(\alpha \right)) \\ {y}_1=(z_1<<<i)\oplus x_2\oplus x_3\oplus x_0\oplus ((z_1<<<i){|}_{n-1-j}\times h_{i,j}\left(\alpha \right)) \\ {y}_2=(z_2<<<i)\oplus x_3\oplus x_0\oplus x_1\oplus ((z_2<<<i){|}_{n-1-j}\times h_{i,j}\left(\alpha \right)) \\ {y}_3=(z_3<<<i)\oplus x_0\oplus x_1\oplus x_2\oplus ((z_3<<<i){|}_{n-1-j}\times h_{i,j}\left(\alpha \right)) \end{gathered}$$

(5)

According to the definition of $A_{h_{i,j}^{\alpha }}$, set $\left(i,j\right)=\left(1,0\right)$, $h_{1,0}\left(\alpha \right)=\alpha$, then $A_{h_{1,0}^{\alpha }}$ is the operation of $\mathit{A}$ in Equation (2). Note that the MDS diffusion layer of AES is the operation of $\mathit{A}$ in ${\mathbb{F}}_{2^8}$ with the irreducible polynomial $f=0\times 11b$, that is, $h_{1,0}\left(\alpha \right)=0\mathrm{x}1a$ in Equation (5).

In this paper, let $h_{1,0}\left(\alpha \right)$ be an identity transformation of $\alpha$.

3. Extended Constructions and Theoretical Aspects of the Known MDS

In order to determine whether $A_{h_{i,j}^{\alpha }}$ generates an MDS transformation of $\mathit{A}$ on ${\mathbb{F}}_{2^n}^4$, we have Theorem 1.

Theorem 1.

Let$\left(i,j,\alpha \right)\in \mathbb{Z}\times \mathbb{Z}\times {\mathbb{F}}_{2^n}$, where$0\le i, j<n$. If$i$is an even number, then$A_{h_{i,j}^{\alpha }}$cannot generate an MDS.

Proof of Theorem 1.

According to the definition of $Y=A_{h_{i,j}^{\alpha }}\left(X\right)$, let $X=\left(x_0,x_1,x_2,x_3\right)\in {\mathbb{F}}_{2^n}^4$, $Y=\left(y_0,y_1,y_2,y_3\right)\in {\mathbb{F}}_{2^n}^4$, and $x_0\ne 0$, $x_1,x_2,x_3=0$. Suppose that $\left(x_0<<<i\right){|}_{n-1-j}=0$; then, we have

$$y_0=(x_0<<<i), y_1=x_0, y_2=x_0, y_3=x_0 \oplus (x_0<<<i).$$

For $y_3$, while $i$ is an even number, if we can find some $x_0\ne 0$ satisfying $x_0 \oplus (x_0<<<i)=0$, then $Br\left(A_{h_{i,j}^{\alpha }}\right)\le 4$. According to Definition 1, we know that $A_{h_{i,j}^{\alpha }}$ cannot generate an MDS.

Let $x_0=\left(x_{0,0},x_{0,1},\dots ,x_{0,n-1}\right)\in {\mathbb{F}}_2^n$, $\left(x_0<<<i\right)=\left(x_{0,i},x_{0,i+1},\dots ,x_{0,n-1},x_{0,0},\dots ,x_{0,i-1}\right)$, we have

$$\begin{gathered} x_0 \oplus (x_0<<<i) \\ =\left(x_{0,0},x_{0,1}, \dots , x_{0,n-1-i},x_{0,n-i}, x_{0,n-i+1},\dots ,x_{0,n-1}\right)\oplus \\ \left(x_{0,i},x_{0,i+1},\dots ,x_{0,n-1}, x_{0,0}, x_{0,1},\dots ,x_{0,i-1}\right). \end{gathered}$$

Now, we define the following permutation (denoted by $P$) constructed by the corresponding bits’ $n$ positions of the binary sequence of the rightmost operand in the operation shown above.

$$P: \left(0, 1, \dots ,n-1\right)\to \left(i, i+1, \dots , n-1, 0, 1, \dots , i-1\right)$$

Because $i$ is an even number, for $P$ there exist two or more permutable subgroups with element $x_{0,\sigma }\ne x_{0,l}$, in which the subscripts σ and $l$ mean that $x_{0,\sigma }$ and $x_{0,l}$ belong to different subgroups, respectively.

Suppose $\left(x_0<<<i\right){|}_{n-1-j}=x_{0,l}=0$. For $P$, we choose the permutable subgroup which contains element $x_{0,l}$ and another permutable subgroup with element $x_{0,\sigma }\ne x_{0,l}$. Let us investigate the following two cases:

(1) If $l=2\mathrm{k}$ and $x_{0,2t+1}=x_{0,\sigma }$, $0\le k\le n/2$, $0\le t\le \frac{n}{2}-1$,

(2) If $l=2k+1$ and $x_{0,2t}=x_{0,\sigma }$, $0\le k\le \frac{n}{2}-1$, $0\le t\le n/2$.

Since $x_{0,l}=0$, if $x_{0,2t+1}=x_{0,\sigma }=1$, or $x_{0,2t}=x_{0,\sigma }=1$, and let the other bits be 0, then $x_0\ne 0$, and we have $y_3=x_0 \oplus (x_0<<<i)=0$. □

According to the proof of Theorem 1, if $i$ is an odd number, then the permutable subgroups of $P$ degenerate into a full permutation which contains all elements $\left(x_{0,0},x_{0,1},\dots ,x_{0,n-1}\right)$. In this case, if $x_0 \oplus (x_0<<<i)=0$, then we can derive that $x_{0,i}=x_{0,l}=0$, or $x_{0,i}=x_{0,l}=1$, where $i=0, 1, \cdots , n-1$. Then, we have Corollary 1.

Corollary 1.

Let $i$ be an odd number. If $x\ne 0\in {\mathbb{F}}_2^n$ and $wt\left(x\right)\ne n$, then $x \oplus (x<<<i)\ne 0$.

Lemma 1.

Let $i=2k+1$, $0\le k\le \frac{n}{2}-1$, $0\le j\le n-1$ in $h_{i,j}\left(\alpha \right)$. If $h_{i,j}\left(\alpha \right)$ makes $A_{h_{i,j}^{\alpha }}$ an MDS, for the input $x\ne 0\in {\mathbb{F}}_{2^n}$ $0\le l\le n-1$, let

$$t_0=(x<<<i)\oplus ((x<<<i){|}_{n-1-j-l}\times (h_{i,j}\left(\alpha \right)<<<l))$$

$$t_1=x \oplus (x<<<i)\oplus ((x<<<i){|}_{n-1-j-l}\times (h_{i,j}\left(\alpha \right)<<<l)),$$

then $t_0\ne 0$ and $t_1\ne 0$.

Proof of Lemma 1.

Let $\beta =h_{i,j}\left(\alpha \right)$, where $i$ is an odd number; then, we have Equation (6), $x\ne 0$.

$$\begin{array}{c}{t}_0=\left(x<<<i\right)\oplus (\left(x<<<i\right){|}_{n-1-j-l}\times (\beta <<<l))\\ t_1=x \oplus (x<<<i)\oplus ((x<<<i){|}_{n-1-j-l}\times (\beta <<<l))\end{array}$$

(6)

According to Corollary 1, we know $x \oplus (x<<<i)\ne 0$ if $\left(x<<<i\right){|}_{n-1-j-l}=0$. Then, we just need to prove Equation (7) if $\left(x<<<i\right){|}_{n-1-j-l}\ne 0$.

$$\begin{array}{c}{t}_0=\left(x<<<i\right)\oplus \left( \beta <<<l\right)\ne 0\\ t_1=x \oplus (x<<<i)\oplus \left( \beta <<<l\right)\ne 0\end{array}$$

(7)

Note that $A_{h_{i,j}^{\alpha }}$ is an MDS; if $\left(x<<<i\right){|}_{n-1-j}\ne 0$, then $\left(x<<<i\right)\oplus \beta \ne 0$ and $x \oplus (x<<<i)\oplus \beta \ne 0$. So, we have Equation (8).

$$\begin{array}{c}{t}_0<<<l=\left(x<<<i+l\right)\oplus \left( \beta <<<l\right)\ne 0\\ t_1<<<l=(x<<<l) \oplus (x<<<i+l)\oplus \left( \beta <<<l\right)\ne 0\end{array}$$

(8)

Let $w=\left(x<<<l\right)\ne 0$, based on Equation (8), we can obtain Equation (9) if $\left(w<<<i\right){|}_{n-1-j}\ne 0$ (that is $\left(x<<<i\right){|}_{n-1-j-l}\ne 0$).

$$\begin{array}{c}{t^{\prime }}_0=t_0<<<l=\left(w<<<i\right)\oplus \left( \beta <<<l\right)\ne 0\\ {t^{\prime }}_1=t_1<<<l=w \oplus (w<<<i)\oplus \left( \beta <<<l\right)\ne 0\end{array}$$

(9)

In Equation (9), we can replace the input x with w.

Now, we have $t_0\ne 0$ and $t_1\ne 0$. □

According to Lemma 1, we have Theorem 2.

Theorem 2.

Let$i=2k+1$,$0\le k\le \frac{n}{2}-1$,$0\le j\le n-1$in$h_{i,j}\left(\alpha \right)$. If$h_{i,j}\left(\alpha \right)$makes$A_{h_{i,j}^{\alpha }}$an MDS, for any$0\le l\le n-1$, assign$h_{i, \left(j+l\right)mod n}\left(\alpha \right)=(h_{i,j}\left(\alpha \right)<<<l)$, then$A_{h_{i,\left(j+l\right)mod n}^{\alpha }}$is an MDS.

Next, we give the construction of composite permutation $\phi$ based on the constructed permutation $\vartheta$ and inverse permutation ${\vartheta }^{-1}$, and the transformational relations between $h_{i_0,j}\left(\alpha \right)$ and $h_{i_1,j}\left(\alpha \right)$.

Theorem 3.

Let$i_e=2k_e+1$, $0\le k_e\le \frac{n}{2}-1$, $0\le j\le n-1$in$h_{i_e,j}\left(\alpha \right)$with $e\in \left\{0,1\right\}$. If each of$h_{i_e,j}\left(\alpha \right)$makes$A_{h_{i_e,j}^{\alpha }}$an MDS, respectively, then there exists a map$\phi$:${\mathbb{F}}_{2^n}$→ ${\mathbb{F}}_{2^n}$satisfying$h_{i_1,j}\left(\alpha \right)=\phi \left( h_{i_0,j}\left(\alpha \right)\right)$.

Proof of Theorem 3.

Now, we construct a map $\vartheta$ on ${\mathbb{F}}_{2^n}$: for every α and ${\tau }_{\alpha }=\vartheta \left( h_{i_0,0}\left(\alpha \right)\right)$, let parameters $\left(i,j,h_{i,j}\left(\alpha \right)\right):=\left(i_1,0,{\tau }_{\alpha }\right)$ be related to Equation (5), which makes $Br\left(A_{h_{i_1,0}^{{\tau }_{\alpha }}}\right)=5$ hold, and conversely, for every α and ${\sigma }_{\alpha }={\vartheta }^{-1}\left( h_{i_1,0}\left(\alpha \right)\right)$, let parameters $\left(i,j,h_{i,j}\left(\alpha \right)\right):=\left(i_0,0,{\sigma }_{\alpha }\right)$ be related to Equation (5) which makes $Br\left(A_{h_{i_0,0}^{{\sigma }_{\alpha }}}\right)=5$ hold.

Suppose $h_{i_k,0}\left(\alpha \right)=\left(t_0,t_1,\dots ,t_{n-1}\right)\in {\mathbb{F}}_2^n$ with $k\in \left\{0,1\right\}$; next, we construct a kind of map $P_{i_k}$: ${\mathbb{F}}_2^n$ → ${\mathbb{F}}_{2^n}^n$; this means

$$\begin{array}{l}\left(t_0,t_1,\dots ,t_{n-1}\right) \to \\ \left(1\times i_k\times t_0,\left(2\times i_k\right)mod n)\times t_1,\dots ,\left(\left(n-1\right)\times i_k\right)mod n\times t_{n-2}, 0\right)\end{array}$$

Then, we use $P_{i_k}$ to define the following permutation $\vartheta$(${\mathbb{F}}_{2^n}$ → ${\mathbb{F}}_{2^n}$) and its inverse permutation ${\vartheta }^{-1}$(${\mathbb{F}}_{2^n}$ → ${\mathbb{F}}_{2^n}$) about data elements in ${\mathbb{F}}_2^n$:

(a) Let the binary digits of $h_{i_0,0}\left(\alpha \right)$ be the n-bit input element of $P_{i_0}$, the positions of the data in the sequence ${\mathscr{H}}_1:=\left(1\times i_1,\left(2\times i_1\right)mod n), \dots ,\left(\left(n-1\right)\times i_1\right)mod n), 0\right)$, which is the same with all non-zero data mapped from $P_{i_0}$ to ${\mathbb{F}}_n$ marked as 1; the other positions are marked as 0, then we can obtain an n-bit position identification value about ${\mathscr{H}}_1$, denoted by ${\tau }_{\alpha }\in {\mathbb{F}}_{2^n}$, and define $\vartheta \left(h_{i_0,0}\left(\alpha \right)\right)={\tau }_{\alpha }$;

(b) Let the binary digits of $h_{i_1,0}\left(\alpha \right)$ be the $n$-bit input element of $P_{i_1}$, the positions of the data in the sequence ${\mathscr{H}}_0:=\left(1\times i_0,\left(2\times i_0\right)mod n), \dots ,\left(\left(n-1\right)\times i_0\right)mod n), 0\right)$ which is the same with all non-zero data mapped from $P_{i_1}$ to ${\mathbb{F}}_n$ marked as 1; the other positions are marked as 0; then we can obtain an $n$-bit position identification value for ${\mathscr{H}}_0$, denoted by ${\mathsf{\sigma }}_{\alpha }\in {\mathbb{F}}_{2^n}$, and define ${\vartheta }^{-1}\left(h_{i_1,0}\left(\alpha \right)\right)={\mathsf{\sigma }}_{\alpha }$.

For all the $0\le j\le n-1$, by combining the permutation $\vartheta$ constructed above with the left cyclic shift operation of Theorem 2, the composite transformation $\phi$ from $\vartheta$ and “$<<<$” is obtained, and we have Theorem 3. □

Theorem 3 is the crucial theorem of the current paper. In the latter part, we provide some concrete instances based upon Theorem 3. By combining Theorem 2 and Theorem 3, we obtain Theorem 4.

Theorem 4.

For every parameter of each group$\left(i,j \right)\in \mathbb{Z}\times \mathbb{Z}$, $i=2k+1$, $0\le k\le \frac{n}{2}-1$, $0\le j\le n-1$, there exists a mapping$h_{i,j}: {\mathbb{F}}_{2^n}\to {\mathbb{F}}_{2^n}$, which maps each generating element$\alpha \in {\mathbb{F}}_{2^n}$one by one to$h_{i,j}\left(\alpha \right)\in {\mathbb{F}}_{2^{n }}$, such that$A_{h_{i,j}^{\alpha }}$is an MDS.

According to the previous conclusions, for every given parameter group $\left(i,j\right):=\left(I,J\right)$, $A_{h_{i,j}^{\alpha }}$ traverses all MDS-generating elements to make the MDS cluster partition of $\mathit{A}$, and we can obtain the MDS cluster {$A_{h_{i=I,j=J}^{\alpha }}$} of $\mathit{A}$. For every given parameter group $\left(i,\alpha \right):=\left(I,V\right)$. $A_{h_{i,j}^{\alpha }}$ traverses all $0\le j\le n-1$ values to make the MDS cluster partition of $\mathit{A}$, and we can obtain the MDS cluster {$A_{h_{i=I,j}^{\alpha =V}}$} of $\mathit{A}$. Regarding the qualities, we have Proposition 1.

Proposition 1.

Let $i=2k+1$, $0\le k\le \frac{n}{2}-1$, $0\le j\le n-1$, and $\alpha$ be an MDS-generating element of $\mathit{A}$ in ${\mathbb{F}}_{2^n}$. For all $\alpha$, the parameter variable $\left(i,j\right)$ generates an MDS equivalence class division of $\mathit{A}$.

We know that the number of $n$-order monic irreducible polynomials is $\left(n\right)=$ $\frac{1}{n}{\displaystyle \sum }_{d|n}\mu \left(d\right)2^{\frac{n}{d}}$, $n\ge 1$, and $\mu \left(n\right)$ is an Mertens function. On the basis of Theorem 4, we have Corollary 2.

Corollary 2.

According to the number of all possible values of $i$ and $j$, the number of the MDS (denoted by $M\left(n\right)$) constructed by $A_{h_{i,j}^{\alpha }}$ of $\mathit{A}$ in ${\mathbb{F}}_{2^n}$ satisfies $M\left(n\right)\ge \frac{n}{ 2}{\displaystyle \sum }_{d|n}\mu \left(d\right)2^{\frac{n}{d}}$, where $n\ge 2$. Then, the number of existing MDSs is expanded to $n^2/2$ times that of the original.

Note that the number of the monic irreducible polynomials of degree 8 defined in ${\mathbb{F}}_{2^8}$ is equal to 30 by the formula $N\left(n\right)$. According to computer searching, there are 36 generating elements of $\mathit{A}$ in ${\mathbb{F}}_{2^{\mathrm{n}}}$, which shows that Equations (2) and (5), defined by the bit-level operation, expand the operational connotation of $\mathit{A}$ in ${\mathbb{F}}_{2^{\mathrm{n}}}$.

According to the MDS-generating elements of $\mathit{A}$ in ${\mathbb{F}}_{2^8}$, by Theorem 4, we obtain that the total number of MDSs constructed by the operation $A_{h_{i,j}^{\alpha }}$ of $\mathit{A}$ in ${\mathbb{F}}_{2^8}$ is 1152 (= 4 × 8 × 36).

Example 1.

All 36 MDS-generating elements {$h_{1,0}\left(\alpha \right)$} of $\mathit{A}$ in ${\mathbb{F}}_{2^8}$ are listed below.

0x04, 0x16, 0x1a, 0x1c, 0x2a, 0x2c, 0x38, 0x3e, 0x40, 0x4c, 0x54, 0x5e,

0x62, 0x64, 0x68, 0x70, 0x76, 0x7a, 0x86, 0x8a, 0x8c, 0x9e, 0xa2, 0xa8,

0xb0, 0xba, 0xbc, 0xc2, 0xce, 0xd0, 0xd6, 0xdc, 0xe6, 0xf2, 0xf4, 0xf8.

Once we determine the generating elements of $\mathit{A}$ in ${\mathbb{F}}_{2^n}$, for all operation $A_{h_{i,j}^{\alpha }}$ of $\mathit{A}$ in ${\mathbb{F}}_{2^n}$, by Theorem 2 and Theorem 3, we can obtain the transformational relations between clusters of $\left\{h_{i,j}\left(\alpha \right)\right\}$, and derive the total number of MDSs from $\mathit{A}$.

Example 2.

Based on the 36 data points {$h_{1,0}\left(\alpha \right)$} in Example 1, respectively, we can obtain the derived 36 data points {$h_{3,0}\left(\alpha \right)$} in ${\mathbb{F}}_{2^8}$, as shown below:

0x40, 0x58, 0x1a, 0x52, 0x8a, 0xc2, 0x92, 0xda, 0x04, 0x46, 0x54, 0x5e,

0x8c, 0xc4, 0x86, 0x94, 0xdc, 0x9e, 0x68, 0x2a, 0x62, 0x7a, 0xa8, 0xa2,

0xb0, 0xba, 0xf2, 0x2c, 0x6e, 0x34, 0x7c, 0x76, 0xec, 0xbc, 0xf4, 0xb6.

Regarding the map $\vartheta$ definition of Theorem 3, one could verify the correctness of the derived data set shown in Example 2. Then, we show the verification process for the first 2 elements in Example 1, and the other cases are similar.

• For the first element ${\mathrm{h}}_{1,0}\left(\mathsf{\alpha }\right)=0\mathrm{x}04$ in Example 1, let its binary bits $\left(0 0 0 0 0 1 0 0\right)$ be the input of map ${\mathrm{P}}_{{\mathrm{i}}_0}$; then, the output is $\left(0 0 0 0 0 6 0 0\right)$. For ${\mathscr{H}}_1:=\left(3 6 1 4 7 2 5 0\right)$, the same with all non-zero data (only “6”) mapped from ${\mathrm{P}}_{{\mathrm{i}}_0}$ to ${\mathbb{F}}_8$ are marked as 1, the other positions are marked as 0; then, we can obtain the n-bit position identification value $\left(0 1 0 0 0 0 0 0\right)$ as ${\mathrm{h}}_{3,0}\left(0\mathrm{x}04\right)=\vartheta \left({\mathrm{h}}_{1,0}\left(0\mathrm{x}04\right)\right)=0\mathrm{x}40$.
• For the second element $h_{1,0}\left(\alpha \right)=0\mathrm{x}16$ in Example 1, let its binary bits $\left(0 0 0 1 0 1 1 0\right)$ be the input of map $P_{i_0}$; then, the output is $\left(0 0 0 \mathbf{4} 0 \mathbf{6} \mathbf{7} 0\right)$. For ${\mathscr{H}}_1:=\left(3 \mathbf{6} 1 \mathbf{4} \mathbf{7} 2 5 0\right)$, the same with all non-zero data “4, 6, 7” mapped from $P_{i_0}$ to ${\mathbb{F}}_8$ are marked as 1; the other positions are marked as 0. Then, we can obtain the n-bit position identification value $\left(0 \mathbf{1} 0 \mathbf{1} \mathbf{1} 0 0 0\right)$ as $h_{3,0}\left(0\mathrm{x}16\right)=\vartheta \left(h_{1,0}\left(0\mathrm{x}16\right)\right)=0\times 58$.

4. Conclusions

The circulant MDS matrix used in the diffusion layer of the AES algorithm is simple and efficient. Based on the known lightweight MDS matrix on ${\mathbb{F}}_{2^{n }}^4$, by constructing permutation-based parameters, we can obtain a large number of lightweight parametrical MDS transformations, which expands the design idea of MDS from static to dynamic and increases the number of MDSs from a single one to a large batch at one time. The constructions in this paper provide rich component materials for the design of lightweight cryptographic algorithms, which have low-cost implementations for the purpose of constraining resources, such as IoT and wireless communication environments.